Efficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks J. M. BAHI, C. GUYEUX, and A. MAKHOUL Computer Science Laboratory LIFC University of Franche-Comté Journée thématique PHC/ResCom June 25th 2010, Bayonne, France J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 1 / 28
Synopsis Introduction 1 Introduction 2 3 4 J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 2 / 28
Synopsis Introduction Secure Data Aggregation in WSN The Problem : Requirements, and Solutions 1 Introduction Secure Data Aggregation in WSN The Problem : Requirements, and Solutions 2 3 4 J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 3 / 28
Introduction Secure Data Aggregation in WSN The Problem : Requirements, and Solutions Wireless Sensor Networks (WSN) WSN are used to monitor regions, detect events, acquire information... Illustrating Example Sink Sensor nodes J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 4 / 28
Introduction Secure Data Aggregation in WSN The Problem : Requirements, and Solutions Wireless Sensor Networks (WSN) WSN are used to monitor regions, detect events, acquire information... An aggregation approach can be applied. Illustrating Example Aggregation Sink (base station) Aggregation Aggregators Aggregation Aggregators Collecting data Normal Sensors J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 4 / 28
Introduction Secure Data Aggregation in WSN The Problem : Requirements, and Solutions Wireless Sensor Networks (WSN) Usually the carried information contains confidential data. An end-to-end secure aggregation approach is then required. Possible solution : end-to-end encryption schemes that support operations over cipher-text. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 5 / 28
Secure data aggregation in WSN Secure Data Aggregation in WSN The Problem : Requirements, and Solutions Decryption & Aggregation Sink (base station) Aggregation over cypher text Aggregators Aggregation over cypher text Aggregators Collecting data & Encryption Normal Sensors J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 6 / 28
The Problem : requirements Secure Data Aggregation in WSN The Problem : Requirements, and Solutions The Problem : reasonable needs 1 Security and privacy are required during communications. 2 These security and privacy must be guaranteed (proven). 3 A wide range of aggregation functions should be offered. 4 The aggregation must not raise any security issues. 5 Computation and communication costs must be low. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 7 / 28
The Problem : our solution Secure Data Aggregation in WSN The Problem : Requirements, and Solutions A possible solution 1 Encryption security and privacy for communications. 2 Encryption over elliptic curves (ECC) low costs for computations and communications. 3 Homomorphic encryption over elliptic curves secure aggregation. 4 Fully homomorphic encryption over elliptic curves wide range of aggregation functions. 5 Fully homomorphic ECC with a proven security (and which has not been cryptanalyzed) a solution. Until now, the sole candidate is the cryptosystem of Boneh et al. [1]. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 8 / 28
The Problem : our solution Secure Data Aggregation in WSN The Problem : Requirements, and Solutions A possible solution 1 Encryption security and privacy for communications. 2 Encryption over elliptic curves (ECC) low costs for computations and communications. 3 Homomorphic encryption over elliptic curves secure aggregation. 4 Fully homomorphic encryption over elliptic curves wide range of aggregation functions. 5 Fully homomorphic ECC with a proven security (and which has not been cryptanalyzed) a solution. Until now, the sole candidate is the cryptosystem of Boneh et al. [1]. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 8 / 28
The Problem : our solution Secure Data Aggregation in WSN The Problem : Requirements, and Solutions A possible solution 1 Encryption security and privacy for communications. 2 Encryption over elliptic curves (ECC) low costs for computations and communications. 3 Homomorphic encryption over elliptic curves secure aggregation. 4 Fully homomorphic encryption over elliptic curves wide range of aggregation functions. 5 Fully homomorphic ECC with a proven security (and which has not been cryptanalyzed) a solution. Until now, the sole candidate is the cryptosystem of Boneh et al. [1]. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 8 / 28
The Problem : our solution Secure Data Aggregation in WSN The Problem : Requirements, and Solutions A possible solution 1 Encryption security and privacy for communications. 2 Encryption over elliptic curves (ECC) low costs for computations and communications. 3 Homomorphic encryption over elliptic curves secure aggregation. 4 Fully homomorphic encryption over elliptic curves wide range of aggregation functions. 5 Fully homomorphic ECC with a proven security (and which has not been cryptanalyzed) a solution. Until now, the sole candidate is the cryptosystem of Boneh et al. [1]. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 8 / 28
The Problem : our solution Secure Data Aggregation in WSN The Problem : Requirements, and Solutions A possible solution 1 Encryption security and privacy for communications. 2 Encryption over elliptic curves (ECC) low costs for computations and communications. 3 Homomorphic encryption over elliptic curves secure aggregation. 4 Fully homomorphic encryption over elliptic curves wide range of aggregation functions. 5 Fully homomorphic ECC with a proven security (and which has not been cryptanalyzed) a solution. Until now, the sole candidate is the cryptosystem of Boneh et al. [1]. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 8 / 28
The Problem : our solution Secure Data Aggregation in WSN The Problem : Requirements, and Solutions A possible solution 1 Encryption security and privacy for communications. 2 Encryption over elliptic curves (ECC) low costs for computations and communications. 3 Homomorphic encryption over elliptic curves secure aggregation. 4 Fully homomorphic encryption over elliptic curves wide range of aggregation functions. 5 Fully homomorphic ECC with a proven security (and which has not been cryptanalyzed) a solution. Until now, the sole candidate is the cryptosystem of Boneh et al. [1]. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 8 / 28
Synopsis Introduction Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) 1 Introduction 2 Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) 3 4 J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 9 / 28
Preliminaries (sink level) Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) Offline operations For each aggregator, public and private keys are generated by the sink. Each aggregator node embeds its public key. Thus, sensor nodes and aggregators are deployed. Various clustering methods are possible : homogeneous, by using a distance, etc. Sensor nodes take their public key from their aggregator. Public keys can be updated online. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 10 / 28
Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) Generating the private key (sink level) Generation stages Let τ > 0 be an integer called security parameter. Generate two τ-bits prime numbers : q 1 and q 2. Let n = q 1 q 2 and l denotes the smallest positive integer such that : p = l n 1 is prime, p = 2 (mod 3). Private key The private key is q 1. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 11 / 28
Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) Generating the public key (sink level) Generation stages Let H be the group of points of the super-singular elliptic curve y 2 = x 3 + 1 defined over F p. H consists of p + 1 = n l points, and thus has a subgroup of order n, we call it G. Let g and u denote two generators of G and h = q 2 u. Public key The public key is the tuple : (n, G, g, h). J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 12 / 28
Key size Introduction Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) Comparison of the key sizes For being secure until 2020, a cryptosystem [3] : must have p 2 161, for EC systems over F p, must satisfy p 2 1881 for classical asymmetric systems, such as RSA or ElGamal on F p. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 13 / 28
Encryption of a data (sensor level) Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) The encryption of a value The message space is the set M = {0, 1,..., T }, where T < q 2. To encrypt m M : 1 Pick an integer r into [0, n 1]. 2 Compute the cipher-text : C = m g + r h G. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 14 / 28
Size of the cryptograms Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) How to reduce the size of the cryptograms We suppose that messages are constituted by 40 bits. The cryptogram is an element (x, y) of E, so it has an average of 160 bits. y 2 = x 3 + 1, so the cryptogram (x, y) can be compressed to (x, y mod 2)). We obtain cryptograms with an average of 81 bits long. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 15 / 28
Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) Additions over cipher-texts (aggregator level) The addition over cipher-texts let m 1 and m 2 be two messages and C 1, C 2 their cipher-texts. The sum C of C 1 and C 2, is equal to C 1 + C 2 + r h where : Decryption stage r is an integer randomly chosen in [0, n 1], h = q 2 u as presented in the previous section. The decryption of C is equal to m 1 + m 2. The addition operation can be done several times over cipher-texts. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 16 / 28
Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) Multiplication of two cipher-texts (aggregator level) The multiplication of two cipher-texts Let : g, h be the points of G as defined previously, E denotes the well-known Weil pairing (Miller s algorithm), e(p, Q) = E(x P, Q) the modified Weil pairing, where x is a root of X 3 1 on F p 2. The multiplication C m of two encrypted messages C 1, C 2 is equal to e(c 1, C 2 ) + r h 1, where : h 1 = e(g, h), r is a random integer pick in [1, n]. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 17 / 28
Examples of use Introduction Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) Examples of aggregation functions through cipher-texts Arithmetic and weighted mean. Variance. Multiplication weighting. etc. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 18 / 28
Decryption of cipher-texts Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) Decryption stages (sink level) To decrypt C : Compute log q1 g q 1 C, to obtain m. (q 1 is the private key, log the discrete logarithm). Decryption complexity Decryption takes expected time T using Pollard s lambda method. This can be speed-up by precomputing a table of powers of q 1 g. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 19 / 28
Offline (sink level) Encryption (sensor nodes level) Secure Aggregation (aggregator level) Decryption (sink level) Decryption of an encrypted product (sink level) Decryption stage The cipher-text of a product does not live on the same space than other cipher-texts. So the sink can determine whether a product has been achieved, or not. The decryption of C m is equal to the discrete logarithm of q 1 C m to the base q 1 g 1 : where g 1 = e(g, g). m 1 m 2 = log q1 g 1 (q 1 C m.) J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 20 / 28
Synopsis Introduction Experimental Protocol Experimental Results 1 Introduction 2 3 Experimental Protocol Experimental Results 4 J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 21 / 28
Experimental configuration Experimental Protocol Experimental Results Experimental protocol The SAGE library has been used for elliptic curve. The cryptosystem has been computed with Python 2.6. The sensor network has been implemented with Python : A first layer of 500 sensors, a second one of 50 aggregators. Sensors are randomly associated with aggregators. Each sensor has a battery of 100 units, each aggregator of 1000 units. Energy consumption is supposed to be proportional to time computation. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 22 / 28
Experimental Protocol Experimental Results Energy consumption of sensors to encrypt data Encryption in our approach Security level Size of the key E = λt (battery units) 1 85 0.05% 2 125 0.07% 3 167 0.10% Encryption in RSA based approach Security level Size of the key E = λt (battery units) 1 945 0.53 % 2 1416 1.63 % 3 1891 3.63 % J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 23 / 28
Experimental Protocol Experimental Results Energy consumption at the aggregation stage Aggregation in our approach Security level Size p of the key E = λt (battery units) 1 85 0.04 % 2 125 0.07 % 3 167 0.10 % Aggregation in RSA based approach Security level Size of the key E = λt (battery units) 1 945 8.09 % 2 1416 24.74 % 3 1891 56.27 % J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 24 / 28
Experimental Protocol Experimental Results Comparison of energy consumption 100 80 Agregator's energy evolution EC 46 EC 85 RSA 472 RSA 945 60 Energy 40 20 0 0 10 20 30 40 50 Time J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 25 / 28
Synopsis Introduction and future work Bibliography 1 Introduction 2 3 4 and future work Bibliography J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 26 / 28
and future work and future work Bibliography High level of security (cipher-texts are never decrypted). Public key encryption. Various aggregation capabilities. Low computation coast. Future work Authentication through cipher-texts. Compression (aggregation). More simulation results. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 27 / 28
Bibliography Introduction and future work Bibliography References 1 D. Boneh, E.-J. Goh, and K. Nissim. Evaluating 2-dnf formulas on ciphertexts. Theory of Cryptography, LNCS, pages 325-341, 2005. 2 J. Domingo-Ferrer. A provably secure additive and multiplicative privacy homomorphism. 6th ISC conference, pages 471-483, 2003. 3 A.K. Lenstra and E.R. Verheul. Selecting cryptographic key sizes. Jour. of the International Association for Cryptologic Research, 14(4) :255-293, 2001. J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 28 / 28