Efficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks
J. M. BAHI, C. GUYEUX, and A. MAKHOUL
Computer Science Laboratory LIFC University of Franche-Comté
Journée thématique PHC/ResCom June 25th 2010, Bayonne, France
J. M. BAHI, C. GUYEUX, and A. MAKHOUL Secure Aggregation in WSN 1 / 28
Synopsis
1 Introduction
2 Secure Aggregation Model
3 Simulation Results
4 Conclusion
Introduction Secure Aggregation Model Simulation Results Conclusion
Secure Data Aggregation in WSN The Problem : Requirements, and Solutions
Synopsis
1 Introduction
Secure Data Aggregation in WSN
The Problem : Requirements, and Solutions
2 Secure Aggregation Model
3 Simulation Results
4 Conclusion
Introduction
Wireless Sensor Networks (WSN)
WSN are used to monitor regions, detect events, acquire information...
Illustrating Example
[Figure: sensor nodes and sink]
An aggregation approach can be applied.
Illustrating Example
[Figure: collecting data (normal sensors), aggregation (aggregators), aggregation (aggregators), aggregation (sink, base station)]
Introduction
Wireless Sensor Networks (WSN)
Usually the carried information contains confidential data.
An end-to-end secure aggregation approach is then required.
Possible solution : end-to-end encryption schemes that support operations over cipher-text.
Secure data aggregation in WSN
[Figure: collecting data and encryption (normal sensors), aggregation over cipher-text (aggregators), aggregation over cipher-text (aggregators), decryption and aggregation (sink, base station)]
The Problem : requirements
The Problem : reasonable needs
1 Security and privacy are required during communications.
2 This security and privacy must be guaranteed (proven).
3 A wide range of aggregation functions should be offered.
4 The aggregation must not raise any security issues.
5 Computation and communication costs must be low.
The Problem : our solution
A possible solution
1 Encryption ⇒ security and privacy for communications.
2 Encryption over elliptic curves (ECC) ⇒ low costs for computations and communications.
3 Homomorphic encryption over elliptic curves ⇒ secure aggregation.
4 Fully homomorphic encryption over elliptic curves ⇒ wide range of aggregation functions.
5 Fully homomorphic ECC with a proven security (and which has not been cryptanalyzed) ⇒ a solution.
Until now, the sole candidate is the cryptosystem of Boneh et al. [1].
Synopsis
1 Introduction
2 Secure Aggregation Model
Offline (sink level)
Encryption (sensor nodes level)
Secure Aggregation (aggregator level)
Decryption (sink level)
3 Simulation Results
4 Conclusion
Preliminaries (sink level)
Offline operations
For each aggregator, public and private keys are generated by the sink.
Each aggregator node embeds its public key.
Sensor nodes and aggregators are then deployed.
Various clustering methods are possible : homogeneous, by using a distance, etc.
Sensor nodes take their public key from their aggregator.
Public keys can be updated online.
Generating the private key (sink level)
Generation stages
Let τ > 0 be an integer called the “security parameter”.
Generate two τ-bit prime numbers: q_1 and q_2.
Let n = q_1 q_2, and let l denote the smallest positive integer such that:
p = l × n − 1 is prime, p ≡ 2 (mod 3).
Private key
The private key is q_1.
Generating the public key (sink level)
Generation stages
Let H be the group of points of the super-singular elliptic curve y^2 = x^3 + 1 defined over F_p.
H consists of p + 1 = n × l points, and thus has a subgroup of order n, which we call G.
Let g and u denote two generators of G and h = q_2 × u.
Public key
The public key is the tuple : (n, G, g, h).
Key size
Comparison of the key sizes
To be secure until 2020, a cryptosystem [3]:
must have p ≈ 2^161, for EC systems over F_p,
must satisfy p ≈ 2^1881, for classical asymmetric systems, such as RSA or ElGamal on F_p.
Encryption of data (sensor level)
The encryption of a value
The message space is the set M = {0, 1, ..., T}, where T < q_2. To encrypt m ∈ M:
1 Pick an integer r in [0, n − 1].
2 Compute the cipher-text:
C = m × g + r × h ∈ G.
Size of the cryptograms
How to reduce the size of the cryptograms
We suppose that messages are 40 bits long.
The cryptogram is an element (x, y) of E, so it has an average of 160 bits.
y^2 = x^3 + 1, so the cryptogram (x, y) can be compressed to (x, y mod 2).
We obtain cryptograms that are 81 bits long on average.
Additions over cipher-texts (aggregator level)
The addition over cipher-texts
Let m_1 and m_2 be two messages and C_1, C_2 their cipher-texts.
The sum C of C_1 and C_2 is equal to C_1 + C_2 + r × h, where:
r is an integer randomly chosen in [0, n − 1],
h = q_2 × u as presented in the previous section.
Decryption stage
The decryption of C is equal to m1+m2.
The addition operation can be done several times over cipher-texts.
Multiplication of two cipher-texts (aggregator level)
The multiplication of two cipher-texts
Let:
g, h be the points of G as defined previously,
E denote the well-known Weil pairing (Miller’s algorithm),
e(P, Q) = E(x × P, Q) be the modified Weil pairing, where x is a root of X^3 − 1 on F_{p^2}.
The multiplication C_m of two encrypted messages C_1, C_2 is equal to e(C_1, C_2) + r × h_1, where:
h_1 = e(g, h),
r is a random integer picked in [1, n].
Examples of use
Examples of aggregation functions through cipher-texts
Arithmetic and weighted mean.
Variance.
Multiplication ⇒ weighting.
etc.
Decryption of cipher-texts
Decryption stages (sink level)
To decrypt C:
Compute log_{q_1 × g}(q_1 × C) to obtain m.
(q_1 is the private key, log the discrete logarithm.)
Decryption complexity
Decryption takes expected time √T using Pollard’s lambda method.
This can be sped up by precomputing a table of powers of q_1 × g.
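The key generation, encryption, addition and decryption stages above, put together as an added Python example (not the authors' SAGE code). Assumptions: constructed toy primes 1009 and 1013, the field prime p carried in the public key to stand for G, an aggregate that adds any number of cipher-texts with one fresh r × h, and a linear search in place of Pollard's lambda; the pairing-based multiplication is left out.

```python
import functools, math, secrets

def add(P, Q, p):  # points of y^2 = x^3 + 1 over F_p; None = point at infinity
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    s = num * pow(den % p, -1, p) % p
    x3 = (s * s - x1 - x2) % p
    return x3, (s * (x1 - x3) - y1) % p

def mul(k, P, p):  # double-and-add scalar multiple k x P
    R = None
    while k:
        R = add(R, P, p) if k & 1 else R
        P, k = add(P, P, p), k >> 1
    return R

def keygen(q1, q2):
    n, p, gens, y = q1 * q2, q1 * q2 - 1, [], 2
    while p % 3 != 2 or any(p % i == 0 for i in range(2, math.isqrt(p) + 1)):
        p += n  # p = l*n - 1 for the smallest l making p prime and 2 (mod 3)
    while len(gens) < 2:  # l x point lies in G; keep points of exact order n
        P = mul((p + 1) // n, (pow(y * y - 1, (2 * p - 1) // 3, p), y), p)
        gens += [P] if P and mul(q1, P, p) and mul(q2, P, p) else []
        y += 1
    return (n, p, gens[0], mul(q2, gens[1], p)), q1  # (n, p, g, h) and q1

def encrypt(pk, m):  # C = m x g + r x h, r random in [0, n - 1]
    n, p, g, h = pk
    return add(mul(m, g, p), mul(secrets.randbelow(n), h, p), p)
def aggregate(pk, *cts):  # C1 + C2 + ... + r x h, computed without any key
    return functools.reduce(lambda a, b: add(a, b, pk[1]), cts, encrypt(pk, 0))

def decrypt(pk, q1, C, T):  # log of q1 x C to the base q1 x g, by linear search
    n, p, g, h = pk
    base, target, acc = mul(q1, g, p), mul(q1, C, p), None
    for m in range(T + 1):
        if acc == target:
            return m
        acc = add(acc, base, p)
    raise ValueError("plaintext outside [0, T]")

def demo(readings=(21, 19, 23, 20)):  # constructed sensor readings
    pk, sk = keygen(1009, 1013)  # constructed toy primes, not a real key size
    cts = [encrypt(pk, m) for m in readings]
    return decrypt(pk, sk, aggregate(pk, *cts), 1000)  # T = 1000 < q2
```

Multiplying by q_1 removes every r × h term because h has order q_1, which is why the aggregator can re-randomize freely and the sink still recovers the sum.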
Decryption of an encrypted product (sink level)
Decryption stage
The cipher-text of a product does not live in the same space as other cipher-texts.
So the sink can determine whether a product has been performed or not.
The decryption of C_m is equal to the discrete logarithm of q_1 × C_m to the base q_1 × g_1:
m_1 m_2 = log_{q_1 × g_1}(q_1 × C_m), where g_1 = e(g, g).
Synopsis
1 Introduction
2 Secure Aggregation Model
3 Simulation Results
Experimental Protocol
Experimental Results
4 Conclusion
Experimental configuration
Experimental protocol
The SAGE library has been used for elliptic curves.
The cryptosystem has been computed with Python 2.6.
The sensor network has been implemented with Python: a first layer of 500 sensors, a second one of 50 aggregators.
Sensors are randomly associated with aggregators.
Each sensor has a battery of 100 units, each aggregator of 1000 units.
Energy consumption is assumed to be proportional to computation time.
Energy consumption of sensors to encrypt data
Encryption in our approach
Security level | Size of the key | E = λt (battery units)
1 | 85 | 0.05 %
2 | 125 | 0.07 %
3 | 167 | 0.10 %
Encryption in RSA based approach
Security level | Size of the key | E = λt (battery units)
1 | 945 | 0.53 %
2 | 1416 | 1.63 %
3 | 1891 | 3.63 %
Energy consumption at the aggregation stage
Aggregation in our approach
Security level | Size p of the key | E = λt (battery units)
1 | 85 | 0.04 %
2 | 125 | 0.07 %
3 | 167 | 0.10 %
Aggregation in RSA based approach
Security level | Size of the key | E = λt (battery units)
1 | 945 | 8.09 %
2 | 1416 | 24.74 %
3 | 1891 | 56.27 %
Comparison of energy consumption
[Figure: Aggregator's energy evolution; axes: Time and Energy; curves: EC 46, EC 85, RSA 472, RSA 945]
Synopsis
1 Introduction
2 Secure Aggregation Model
3 Simulation Results
4 Conclusion
Conclusion and future work
Bibliography
Conclusion and future work
Conclusion
High level of security (cipher-texts are never decrypted).
Public key encryption.
Various aggregation capabilities.
Low computation cost.
Future work
Authentication through cipher-texts.
Compression (aggregation).
More simulation results.
Bibliography
References
1 D. Boneh, E.-J. Goh, and K. Nissim. Evaluating 2-DNF formulas on ciphertexts. Theory of Cryptography, LNCS, pages 325-341, 2005.
2 J. Domingo-Ferrer. A provably secure additive and multiplicative privacy homomorphism. 6th ISC conference, pages 471-483, 2003.
3 A.K. Lenstra and E.R. Verheul. Selecting cryptographic key sizes. Jour. of the International Association for Cryptologic Research, 14(4):255-293, 2001.