Abstract
Existing work on secure data collection and secure aggregation is mainly focused on confidentiality issues, that is, ensuring that the untrusted Aggregator learns only the aggregation result without divulging individual data inputs. In this paper, however, we consider a malicious Aggregator which is not only interested in compromising users’ privacy but also in providing bogus aggregate values. More concretely, we extend existing security models with the requirement of aggregate unforgeability. Moreover, we instantiate an efficient protocol for private and unforgeable data aggregation that allows the Aggregator to compute the sum of users’ inputs without learning individual values and to construct a proof of correct computation that can be verified by any third party. The proposed protocol is provably secure and its communication and computation overhead is minimal.
References
Akinyele, J.A., Green, M., Rubin, A.D.: Charm: a tool for rapid cryptographic prototyping. http://www.charm-crypto.com/Main.html
Akinyele, J.A., Green, M., Rubin, A.D.: Charm: a framework for rapidly prototyping cryptosystems. IACR Cryptology ePrint Archive, 2011:617 (2011). http://eprint.iacr.org/2011/617.pdf
Backes, M., Fiore, D., Reischuk, R.M.: Verifiable delegation of computation on outsourced data. In: ACM Conference on Computer and Communications Security, pp. 863–874 (2013)
Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: EUROCRYPT, pp. 416–432 (2003)
Camenisch, J.L., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004)
Catalano, D., Fiore, D.: Practical homomorphic MACs for arithmetic circuits. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 336–352. Springer, Heidelberg (2013)
Catalano, D., Fiore, D., Warinschi, B.: Homomorphic signatures with efficient verification for polynomial functions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 371–389. Springer, Heidelberg (2014)
Catalano, D., Marcedone, A., Puglisi, O.: Authenticating Computation on Groups: New Homomorphic Primitives and Applications. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 193–212. Springer, Heidelberg (2014)
Choi, S.G., Katz, J., Kumaresan, R., Cid, C.: Multi-client non-interactive verifiable computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 499–518. Springer, Heidelberg (2013)
Freeman, D.M.: Improved security for linearly homomorphic signatures: a generic framework. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 697–714. Springer, Heidelberg (2012)
Joye, M., Libert, B.: A scalable scheme for privacy-preserving aggregation of time-series data. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 111–125. Springer, Heidelberg (2013)
Kursawe, K., Danezis, G., Kohlweiss, M.: Privacy-friendly aggregation for the smart-grid. In: Fischer-Hübner, S., Hopper, N. (eds.) PETS 2011. LNCS, vol. 6794, pp. 175–191. Springer, Heidelberg (2011)
Leontiadis, I., Elkhiyaoui, K., Molva, R.: Private and dynamic time-series data aggregation with trust relaxation. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) CANS 2014. LNCS, vol. 8813, pp. 305–320. Springer, Heidelberg (2014)
Leontiadis, I., Elkhyaoui, K., Önen, M., Molva, R.: Private and unforgeable data aggregation. IACR Cryptology ePrint Archive (2015). http://eprint.iacr.org/2015/562.pdf
Lynn, B.: The Stanford pairing based crypto library. http://crypto.stanford.edu/pbc
Lysyanskaya, A., Rivest, R., Sahai, A., Wolf, S.: Pseudonym systems. In: Heys, H., Adams, C. (eds.) Selected Areas in Cryptography. LNCS, vol. 1758, pp. 184–199. Springer, Berlin Heidelberg (2000)
Shi, E., Chan, T.-H.H., Rieffel, E.G., Chow, R., Song, D.: Privacy-preserving aggregation of time-series data. In: NDSS (2011)
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)
Sun, H.-M., Lin, Y.-H., Hsiao, Y.-C., Chen, C.-M.: An efficient and verifiable concealed data aggregation scheme in wireless sensor networks. In: International Conference on Embedded Software and Systems, ICESS 2008, pp. 19–26, July 2008
Acknowledgments
We thank the anonymous reviewers for their suggestions for improving this paper. The research leading to these results was partially funded by the FP7-USERCENTRICNETWORKING European ICT project under the grant number 611001.
Appendices
A Security Evidence for the \(\mathsf {LEOM}\) Assumption
In this section we provide security evidence for the hardness of the new \(\mathsf {LEOM}\) assumption by presenting bounds on the success probability of an adversary \(\mathcal{A}\) which presumably breaks the assumption. We follow the generic group model (GGM) as presented in [18]. Namely, under the GGM framework an adversary \(\mathcal{A}\) has access to a black box that conceptualizes the underlying mathematical group \(\mathbb {G}\) in which the assumption takes place. \(\mathcal{A}\), without knowing any details about the underlying group apart from its order p, asks for encodings of its choice and the black box replies through a random encoding function \(\xi _c\) that maps elements in \(\mathbb {G}_c \rightarrow \{0,1\}^{\lceil {\log _2p}\rceil }\) to represent elements in \(\mathbb {G}_c, c\in [1,2,T]\).
Theorem 5
Suppose \(\mathcal{A}\) is a probabilistic polynomial-time adversary that breaks the \(\mathsf {LEOM}\) assumption, making at most \(q_G\) oracle queries for the underlying group operations on \(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T\) and the \(\mathcal {O}_{\mathsf {LEOM}}\) oracle, all counted together. Then the probability \(\epsilon _2\) that \(\mathcal{A}\) breaks the \(\mathsf {LEOM}\) assumption is bounded as follows:
Due to space limitations we include the proof in the full version [14].
B Aggregate Unforgeability
Theorem 3
Our scheme achieves Aggregate Unforgeability for a Type I Forgery under the \(\mathsf {BCDH}\) assumption in the random oracle model.
Proof
We show how to build an adversary \({\mathcal {B}}\) that solves \(\mathsf {BCDH}\) in (\(\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T\)). Let \(g_1\) and \(g_2\) be two generators for \(\mathbb {G}_1\) and \(\mathbb {G}_2\) respectively. \({\mathcal {B}}\) receives the challenge \((g_1,g_2,g_1^a,g_1^b,g_1^c,g_2^a,g_2^b)\) from the \(\mathsf {BCDH}\) oracle \(\mathcal {O}_\mathsf{{\mathsf {BCDH}}}\) and is asked to output \(e(g_1,g_2)^{abc} \in \mathbb {G}_T\). \({\mathcal {B}}\) simulates the interaction with \(\mathcal{A}\) in the Learning phase as follows:
Setup:
- To simulate the \(\mathcal {O}_\mathsf{{Setup}}\) oracle, \({\mathcal {B}}\) selects uniformly at random 2n keys \(\{\mathsf {ek}_i\}_{i=1}^n\), \(\{\mathsf {tk}_i\}_{i=1}^n \in \mathbb {Z}_p\) and outputs the public parameters \(\mathcal {P}=(\kappa ,p,g_1,g_2,\mathbb {G}_1,\mathbb {G}_2)\), the verification key \(\mathsf {VK}=(\mathsf {vk}_1,\mathsf {vk}_2)=(g_2^{b\sum _{i=1}^n{\mathsf {tk}_i}},g_2^a)\) and the secret key of the Aggregator \(\mathsf {SK}_A=-\sum _{i=1}^n\mathsf{{ek}_i}\).
Learning Phase
- \(\mathcal{A}\) is allowed to query the random oracle H for any time interval t. \({\mathcal {B}}\) maintains an \(\mathtt {H-list}\) and responds to \(\mathcal{A}\)'s query as follows:
  1. If query t already appears in a tuple H-tuple\(\langle t: r_t,\mathsf {coin}(t),H(t)\rangle \) of the \(\mathtt {H-list}\), it responds to \(\mathcal{A}\) with H(t).
  2. Otherwise it selects a random number \(r_t \in \mathbb {Z}_p\) and flips a random \(\mathsf {coin} {\,\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\,}\{0,1\}\). With probability \(\pi \), \(\mathsf {coin}(t)=0\) and \({\mathcal {B}}\) answers with \(H(t)=g_1^{r_t}\). Otherwise, if \(\mathsf {coin}(t)=1\), \({\mathcal {B}}\) responds with \(H(t)=g_1^{cr_t}\) and updates the \(\mathtt {H-list}\) with the new tuple H-tuple\(\langle t: r_t,\mathsf {coin}(t),H(t)\rangle \).
- Whenever \(\mathcal{A}\) submits a query (\(t,\mathsf {uid}_i,x_{i,t}\)) to the \(\mathcal {O}_\mathsf{{EncTag}}^{\mathcal{A}}\) oracle, \({\mathcal {B}}\) responds as follows:
  1. \({\mathcal {B}}\) calls the simulated random oracle, receives the result for H(t) and appends the tuple H-tuple\(\langle t: r_t,\mathsf {coin}(t),H(t)\rangle \) to the \(\mathtt {H-list}\).
  2. If \(\mathsf {coin}(t)=1\) then \({\mathcal {B}}\) stops the simulation.
  3. Otherwise it chooses, as the secret tag key, the key \(\mathsf {tk}_i\) with \(i=\mathsf {uid}_i\) from the set \(\{\mathsf {tk}_i\}\) selected by \({\mathcal {B}}\) in the Setup phase.
  4. \({\mathcal {B}}\) sends to \(\mathcal{A}\) the tag \({\mathsf {\sigma }}_{i,t}=g_1^{r_tb\mathsf {tk}_i}g_1^{ax_{i,t}}=H(t)^{b\mathsf {tk}_i}g_1^{ax_{i,t}}\), which is a valid tag for the value \(x_{i,t}\). Notice that \({\mathcal {B}}\) can compute the tag correctly from the \(\mathsf {BCDH}\) problem parameters \(g_1^a, g_1^b\) without knowing a and b.
  5. \({\mathcal {B}}\) also chooses a secret encryption key \(\mathsf {ek}_i \in \{\mathsf {ek}_i\}_{i=1}^n \in \mathbb {Z}_p\) and computes the ciphertext as \(c_{i,t}=H(t)^{\mathsf {ek}_i} g_1^{x_{i,t}}\). The simulation is correct since \(\mathcal{A}\) can check, with its decryption key \(\mathsf {SK}_A=-\sum _{i=1}^n\mathsf{{ek}_i}\), that the sum \(\sum _{i=1}^n{x_{i,t}}\) corresponds to the ciphertexts given by \({\mathcal {B}}\), provided that the adversary has made distinct encryption queries for all the n users in the scheme at time interval t.
- Now, when \({\mathcal {B}}\) receives the forgery \((\mathsf{sum_{t}}^*,{\mathsf {\sigma _t}}^*)\) at time interval \(t \ne t^*\), it continues if \(\mathsf{sum_{t}}^* \ne \Sigma _t\). \({\mathcal {B}}\) first looks up the \(\mathtt {H-list}\) for time \(t^*\) in order to fetch the appropriate tuple.
  - If \(\mathsf {coin}(t^*)=0\) then \({\mathcal {B}}\) aborts.
  - If \(\mathsf {coin}(t^*)=1\) then, since \(\mathcal{A}\) outputs a valid forged \({\mathsf {\sigma _t}}^*\) at \(t^*\), the following equation must hold:
  $$\begin{aligned} e({\mathsf {\sigma _t}}^*,g_2)=e(H(t^*),\mathsf {vk}_1)e(g_1^{\mathsf{sum_{t}}^*},\mathsf {vk}_2) \end{aligned}$$
  which is true when \(\mathcal{A}\) makes n queries for time interval \(t^*\) for distinct users to the \(\mathcal {O}_{\mathsf {EncTag}}^{\mathcal{A}}\) oracle during the Learning phase. As such \({\mathsf {\sigma _t}}^*=g_1^{cr_tb\sum {\mathsf {tk}_i}}g_1^{a\mathsf{sum_{t}}^*}\). Finally \({\mathcal {B}}\) outputs:
  $$\begin{aligned} e((\frac{{\mathsf {\sigma _t}}^*}{g_1^{a\mathsf{sum_{t}}^*}})^{\frac{1}{r_t\sum {\mathsf {tk}_i}}},g_2^a)&=e((\frac{g_1^{cr_tb\sum {\mathsf {tk}_i}}g_1^{a\mathsf{sum_{t}}^*}}{g_1^{a\mathsf{sum_{t}}^*}})^{\frac{1}{r_t\sum {\mathsf {tk}_i}}},g_2^a)=\\ e((g_1^{cr_tb\sum {\mathsf {tk}_i}})^{\frac{1}{r_t\sum {\mathsf {tk}_i}}},g_2^a)&= e(g_1^{bc},g_2^a)=e(g_1,g_2)^{abc} \end{aligned}$$
Let \(\mathcal{A}^{\mathbf {AU1}}\) be the event that \(\mathcal{A}\) successfully produces a Type I forgery \({\mathsf {\sigma _t}}\) for our PUDA protocol, which happens with some non-negligible probability \(\epsilon '\). \(\mathtt {event_0}\) is the event that \(\mathsf {coin}=0\) in the learning phase and \(\mathtt {event_1}\) is the event that \(\mathsf {coin}=1\) in the challenge phase. Then, for \(\mathtt {q_H}\) random oracle queries with the probability \(\Pr [\mathsf {coin}(t)=0]=\pi \). As such we end up in a contradiction under the hardness of the \(\mathsf {BCDH}\) assumption, and finally \(\Pr [\mathcal{A}^{\mathbf {AU1}}]\le \epsilon _1\), where \(\epsilon _1\) is a negligible function.
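The correctness behind the verification equation used in this proof, worked through here as an added check that is not part of the original appendix: the honestly aggregated tag is taken to be the product of the user tags (an assumption about the aggregation step, which this appendix does not restate), with the keys as the simulation sets them, \(\mathsf {vk}_1=g_2^{b\sum _{i}\mathsf {tk}_i}\) and \(\mathsf {vk}_2=g_2^a\), and user tags \({\mathsf {\sigma }}_{i,t}=H(t)^{b\mathsf {tk}_i}g_1^{ax_{i,t}}\) as in step 4.
$$\begin{aligned} \sigma _t&=\prod _{i=1}^n{\mathsf {\sigma }}_{i,t}=\prod _{i=1}^n H(t)^{b\mathsf {tk}_i}g_1^{ax_{i,t}}=H(t)^{b\sum _{i=1}^n\mathsf {tk}_i}\,g_1^{a\sum _{i=1}^n x_{i,t}},\\ e(\sigma _t,g_2)&=e\big (H(t)^{b\sum _{i}\mathsf {tk}_i},g_2\big )\,e\big (g_1^{a\sum _{i}x_{i,t}},g_2\big )=e\big (H(t),g_2^{b\sum _{i}\mathsf {tk}_i}\big )\,e\big (g_1^{\sum _{i}x_{i,t}},g_2^{a}\big )\\ &=e(H(t),\mathsf {vk}_1)\,e\big (g_1^{\mathsf {sum}_t},\mathsf {vk}_2\big ),\qquad \mathsf {sum}_t=\sum _{i=1}^n x_{i,t}. \end{aligned}$$
On the ciphertext side, with \(\mathsf {SK}_A=-\sum _{i}\mathsf {ek}_i\) from Setup and \(c_{i,t}=H(t)^{\mathsf {ek}_i}g_1^{x_{i,t}}\) from step 5,
$$\begin{aligned} H(t)^{\mathsf {SK}_A}\prod _{i=1}^n c_{i,t}=H(t)^{-\sum _{i}\mathsf {ek}_i}\,H(t)^{\sum _{i}\mathsf {ek}_i}\,g_1^{\sum _{i}x_{i,t}}=g_1^{\mathsf {sum}_t}, \end{aligned}$$
which is the check the simulation relies on in step 5: the Aggregator obtains \(g_1^{\mathsf {sum}_t}\) only once the ciphertexts of all n users for interval t are present, and a verifier needs nothing beyond \((\mathsf {vk}_1,\mathsf {vk}_2)\). The bilinearity step in the second line is also what lets the reduction peel \(g_1^{a\mathsf{sum_{t}}^*}\) off a forged tag and recover \(e(g_1,g_2)^{abc}\).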
Theorem 4
Our scheme guarantees aggregate unforgeability against a Type II Forgery under the \(\mathsf {LEOM}\) assumption.
Proof
(Sketch). Here we show how an adversary \({\mathcal {B}}\) breaks the \(\mathsf {LEOM}\) assumption by using an Aggregator \(\mathcal{A}\) that provides a Type II Forgery with non-negligible probability. Adversary \({\mathcal {B}}\) simulates oracle \(\mathcal {O}_\mathsf{{Setup}}\) as follows: it first picks secret encryption keys \(\{\mathsf {ek}_i\}_{i=1}^n\) and sets the corresponding decryption key \(\mathsf {SK}_A=-\sum _{i=1}^n{\mathsf {ek}_i}\). Then it forwards to \(\mathcal{A}\) the public parameters \(\mathcal {P}=(p,g_1,g_2,\mathbb {G}_1,\mathbb {G}_2)\), the public key \((\mathsf {vk}_1, \mathsf{vk}_2)= (g_2^{\sum _{i=1}^n{k_i}}, g_2^{a})\) of the \(\mathcal {O}_{\mathsf {LEOM}}\) oracle and the secret key \(\mathsf {SK}_A=-\sum _{i=1}^n{\mathsf {ek}_i}\).
Afterwards, when adversary \({\mathcal {B}}\) receives a query \((t, \mathsf{uid}_i, x_{i, t})\) for oracle \(\mathcal {O}_\mathsf{{EncTag}}\), adversary \({\mathcal {B}}\) calls oracle \(\mathcal {O}_{\mathsf {LEOM}}\) with the pair \((h_t = H(t), i, x_{i,t})\). Oracle \(\mathcal {O}_{\mathsf {LEOM}}\) accordingly returns \(h_t^{k_i}g_1^{ax_{i, t}}\) and adversary \({\mathcal {B}}\) outputs \(\sigma _{i, t} = h_t^{k_i}g_1^{ax_{i, t}}\). Note that if we define the tag key \(\mathsf{tk}_i\) of user \(\mathcal {U}_i\) as \(k_i\), then the tag \({\mathsf {\sigma }}_{i,t}=h_t^{k_i}g_1^{a x_{i,t}}\) is computed correctly.
Eventually with a non-negligible advantage, Aggregator \(\mathcal{A}\) outputs a Type II Forgery \((t^*, \mathsf{sum}_{t^*}, \sigma _{t^*})\) that verifies:
where \(t^*\) was previously queried by Aggregator \(\mathcal{A}\) and \(\mathsf{sum}_{t^*} \ne \sum _{i=1}^n x_{(i, t^*)}\).
It follows that \({\mathcal {B}}\) breaks the \(\mathsf {LEOM}\) assumption with non-negligible probability by outputting the tuple \((H(t^*), \mathsf{sum}_{t^*}, \sigma _{t^*})\). This contradicts the \(\mathsf {LEOM}\) assumption. We conclude that our scheme guarantees aggregate unforgeability for a Type II Forgery under the \(\mathsf {LEOM}\) assumption.
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Leontiadis, I., Elkhiyaoui, K., Önen, M., Molva, R. (2015). PUDA – Privacy and Unforgeability for Data Aggregation. In: Reiter, M., Naccache, D. (eds) Cryptology and Network Security. CANS 2015. Lecture Notes in Computer Science(), vol 9476. Springer, Cham. https://doi.org/10.1007/978-3-319-26823-1_1
DOI: https://doi.org/10.1007/978-3-319-26823-1_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26822-4
Online ISBN: 978-3-319-26823-1