Ecient and Provably Secure Aggregation of Encrypted

Data in Wireless Sensor Networks

CLAUDE CASTELLUCCIA
INRIA
ALDAR C-F. CHAN
National University of Singapore
EINAR MYKLETUN, GENE TSUDIK
University of California, Irvine
Wireless sensor networks (WSNs) are multi-hop networks composed of tiny devices with lim-
ited computation and energy capacities. For such devices, data transmission is a very energy-
consuming operation. It thus becomes essential to the lifetime of a WSN to minimize the number
of bits sent by each device. One well-known approach is to aggregate sensor data (e.g., by adding)
along the path from sensors to the sink. Aggregation becomes especially challenging if end-to-end
privacy between sensors and the sink or aggregate integrity is required. In this paper, we propose
a simple and provably secure encryption scheme that allows ecient (additive) aggregation of
encrypted data. Only one modular addition is necessary for ciphertext aggregation. The secu-
rity of the scheme is based on the indistinguishability property of a pseudorandom function, a
standard cryptographic primitive. We show that aggregation based on this scheme can be used
to eciently compute statistical values such as mean, variance and standard deviation of sensed
data, while achieving signicant bandwidth gain. To protect the integrity of data incorporated in
an aggregate, we also give an end-to-end aggregate authentication scheme which is secure against
outsider-only attacks based on the indistinguishability property of a pseudorandom function.
Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]:
GeneralSecurity and Protection; C.2.1 [Computer-Communication Networks]:
Network Architecture and DesignWireless Sensor Networks
General Terms: Security, Design
Additional Key Words and Phrases: Wireless Sensor Networks, Secure Data Aggregation, Stream
Ciphers, Privacy, Authentication
Some of our preliminary results were originally published in [Castelluccia et al. 2005]. The present paper
represents a reworked and extended version of [Castelluccia et al. 2005]. Major new components include the
security analysis and the technique for authentication of encrypted aggregated data.
Part of this work was done while Claude Castelluccia was visiting at the University of California, Irvine
Authors address:
Claude Castelluccia, INRIA, Zirst - 655 avenue de lEurope, 38334 Saint Ismier Cedex, France. Email:
[email protected]
Aldar C-F. Chan, Department of Computer Science, School of Computing, National University of Singapore,
Singapore 117543. Email: [email protected]
Einar Mykletun, Gene Tsudik, Computer Science Department, School of Information and Computer Science,
University of California, Irvine. Email: {mykletun, gts}@ics.uci.edu
Permission to make digital/hard copy of all or part of this material without fee for personal or classroom use pro-
vided that the copies are not made or distributed for prot or commercial advantage, the ACM copyright/server
notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the
ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specic
permission and/or a fee.
c 20YY ACM 0730-0301/20YY/0100-0001 $5.00
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY, Pages 10??.
2
1. INTRODUCTION
Wireless sensor networks (WSNs) are becoming increasingly popular in many spheres of life.
Application domains include monitoring of the environment (such as temperature, humidity and
seismic activity) as well as numerous other ecological, law enforcement and military settings.
Regardless of the application, most WSNs have two notable properties in common: (1)
the networks overall goal is typically to reach a collective conclusion regarding the outside
environment, which requires detection and coordination at the sensor level, and (2) WSNs act
under severe technological constraints: individual sensors have severely limited computation,
communication and power (battery) resources and need to operate in settings with great spatial
and temporal variability
At the same time, WSNs are often deployed in public or otherwise untrusted and even hostile
environments, which prompts a number of security issues. These include the usual topics, e.g.,
key management, privacy, access control, authentication and DoS-resistance, among others.
What exacerbates and distinguishes security issues in WSNs is the need to miniaturize all
security services so as to minimize security-induced overhead. In other words, if security is
a necessary hindrance in other (e.g., wired or MANET) types of networks, it is much more
so in WSNs. For example, public key cryptography is typically ruled out
1
as are relatively
heavy-weight conventional encryption methods.
Security in WSNs is a popular research topic and many advances have been reported on in
recent years. Most prior work has focused on ultra-ecient key management, authentication,
routing and DoS resistance [Eschenauer and Gligor 2000; Zhu et al. 2004; Karlof and Wagner
2003; Wood and Stankovic 2002]. An overview of security related issues and services required
for WSNs is provided by Perrig, et al. in [Perrig et al. 2004].
On the other hand, a lot of attention has been devoted to communication eciency issues.
Since data transmission is a very energy-consuming operation, in order to maximize sensor
lifetime, it is essential to minimize the sheer number of bits sent by each sensor device. One
natural and well-known approach involves aggregating sensor data as it propagates along the
path from the sensors to the so-called sink a node that collects sensed data. Of course, aggre-
gating data is not quite equivalent to collecting individual sensor readings. In some applications,
e.g., perimeter control, aggregation is not applicable since only individual sensor readings are of
interest. However, many WSN scenarios that monitor an entire micro-environment (e.g., tem-
perature or seismic activity) do not require information from individual sensors but, instead,
put more emphasis on statistical quantities, such as mean, median and variance.
End-to-end privacy and aggregate integrity/authenticity are the two major security goals of
a secure WSN. Regardless of information leakage due to the correlation among sensor measure-
ments, end-to-end privacy ensures that nobody other than the sink could learn considerable
information about the nal aggregate even if he might control any subset of sensor nodes. Infor-
mally speaking, aggregate authentication provides assurance that the nal aggregate does not
deviate too far away from what can be achieved at the sink when all sensor nodes act honestly
and nobody has tampered the data en route, or the deviation will be detected at the sink.
Although simple and well-understood, aggregation becomes problematic if end-to-end pri-
vacy between sensors and the sink is required. If we assume that all sensors are trusted, sensors
could encrypt data on a hop-by-hop basis. For an intermediate sensor (i.e., one that receives
1
While many sensor devices could have sucient computation power to perform operations in public key cryptog-
raphy, transmitting a ciphertext (from public-key cryptography) could be overwhelming to most sensor devices.
Note that typical ciphertext size in a practical public-key cryptosystem is about 1024 bits or more.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
3
and forwards data), this would entail: 1) sharing a key with each neighboring sensor, 2) de-
crypting encrypted messages received from each child, 3) aggregating all received values, and
4) encrypting the result for transmission to its father. Though viable, this approach is fairly
expensive and complicated, the former because of having to decrypt each received value before
aggregation and the latter due to the overhead imposed by key management. Furthermore,
hop-by-hop encryption assumes that all sensors are trusted with the authenticity and privacy
of other sensors data. This assumption may be altogether unrealistic in some setting, whereas,
in others, trust can be partial, i.e., intermediate nodes are trusted with only authenticity or
only privacy.
Alternatively, if a single global key was used by all sensors, by subverting a single sensor
node the adversary could learn measured values of any and all nodes in the network. Since
only the sink should gain an overview of WSN measurements, this approach is not attractive.
Nevertheless, we do not rule out using a single global key for message authentication (of the
aggregate), which is another challenging security goal in WSNs. In fact, aggregate authentica-
tion against outsider-only attacks might be the best one can achieve for end-to-end integrity in
the WSN scenario. In other words, additive aggregate authentication secure against malicious
insiders might not be achievable without using leverage like outlier detection or range checking.
These techniques have to be based on a stronger assumption that the statistical distribution
of measurements is known (partially or completely) beforehand; note that they are essentially
data/aggregate plausibility checks [Wagner 2004]. When an attacker can inject a contribution
of arbitrary value into an additive aggregate through compromised insiders, he can actually
manipulate the nal aggregate by any amount of deviation he likes without being detected.
Contributions: In this paper, we focus on ecient, bandwidth-conserving privacy in WSNs.
More specically, we blend inexpensive encryption techniques with simple aggregation methods
to achieve very ecient aggregation of encrypted data. To assess the practicality of proposed
techniques, we evaluate them and present very encouraging results which clearly demonstrate
appreciable bandwidth conservation and small overhead stemming from both encryption and ag-
gregation operations. We also provide a security argument of the proposed encryption scheme.
More specically, we prove that the proposed scheme achieves semantic security if the encryp-
tion keys are generated by a good pseudorandom function family. With a view to supporting
aggregate integrity, we also extend the proposed encryption scheme to provide end-to-end ag-
gregate authentication which is provably secure against outsider-only attacks.
Organization: In the next section we discuss some background and the assumptions about
our system model. Then, Section 3 describes the problem statement along with the security
model. Next, Section 4 describes our homomorphic encryption scheme, followed by Section 5
which describes how to utilize this encryption scheme in a WSN. We give a security proof of
the proposed scheme in Section 6. Performance is analyzed and results are discussed in Section
7. The aggregate authentication scheme and its security analysis is given in Section 8. Related
work is summarized in Section 9 and Section 10 concludes this paper.
2. BACKGROUND
In this section we describe the key features of, and assumptions about, the network and provide
an overview of aggregation techniques.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
4
2.1 Wireless Sensor Networks (WSNs)
A WSN is a multi-hop network composed of a multitude of tiny devices with limited com-
putation and energy capacities. One commonly cited WSN application is monitoring the en-
vironment. This may include sensing motion, measuring temperature, humidity, etc. Data
monitored by the sensors is sent to a sink (usually a more powerful device), that is responsible
for collecting the information.
The multi-hop nature of a WSN implies that sensors are also used in the network infrastruc-
ture, i.e., not just sending their own data and receiving direct instructions but also forwarding
data for other sensors. When sensors are deployed, a delivery tree is often built from the sink to
all sensors. Packets sent by a sensor are forwarded to the sink by the sensors along the delivery
tree.
Sensor nodes come in various shapes and forms, however, they are generally assumed to be
resource-limited with respect to computation power, storage, memory and, especially, battery
life. A popular example is the Berkeley mote [Madden et al. 2002]. One common sensor feature
is the disproportionately high cost of transmitting information as compared to performing local
computation. For example, a Berkeley mote spends approximately the same amount of energy
to compute 800 instructions as it does in sending a single bit of data [Madden et al. 2002]. It
thus becomes essential to reduce the number of bits forwarded by intermediate nodes, in order
to extend the entire networks lifetime. The sink node acts as a bridge between the WSN and
the outside world. It is typically a relatively powerful device, such as a laptop computer.
2.2 Aggregation in WSN
Aggregation techniques are used to reduce the amount of data communicated within a WSN
and thus conserves battery power. Periodically, as measurements are recorded by individual
sensors, they need to be collected and processed to produce data representative of the entire
WSN, such as average and/or variance of the temperature or humidity within an area. One
natural approach is for sensors to send their values to certain special nodes, i.e., aggregating
nodes. Each aggregating node then condenses the data prior to sending it on. In terms of
bandwidth and energy consumption, aggregation is benecial as long as the aggregation process
is not too CPU-intensive.
The aggregating nodes can either be special (more powerful) nodes or regular sensors nodes.
In this paper, we assume that all nodes are potential aggregating nodes and that data gets
aggregated as they propagate towards the sink. In this setting, since sensors have very limited
capabilities, aggregation must be simple and not involve any expensive or complex computa-
tions. Ideally, it would require only a few simple arithmetic operations, such as additions or
multiplications.
2
.
We note that aggregation requires all sensors to send their data to the sink within the same
sampling period. This either requires the sensors to have (at least loosely) synchronized clocks
or the ability to respond to explicit queries issued by the sink.
One natural and common way to aggregate data is to simply add up values as they are
forwarded towards the sink. Of course, this type of aggregation is useful when the sink is only
interested in certain statistical measurements, e.g., the mean or variance of all measured data.
As noted in Section 1, some WSN applications require all sensor data and therefore can not
benet from aggregation techniques. Similarly, applications requiring boundary values, e.g.,
2
This is indeed what we achieve in this work.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
5
min and/or max, are obviously not a good match for additive aggregation.
With additive aggregation, each sensor sums all values, x
i
, it receives from its k children (in
the sink-rooted spanning tree) and forwards the sum to its parent. Eventually, the sink obtains
the sum of all values sent by all n sensors. By dividing the sum by n, i.e., the total numbers of
sensors, it computes the average of all measured data.
This simple aggregation is very ecient since each aggregating node only performs k arith-
metic additions
3
. It is also robust since there is no requirement for all sensors to participate as
long as the sink gets the total number of sensors that actually provided a measurement.
Additive aggregation can be also used to compute the variance, standard deviation and any
other moments on the measured data. For example, in case of variance, each aggregating node
not only computes the sum, S =

k
i=1
x
i
, of the individual values sent by its k children, but
also the sum of their squares: V =

k
i=1
x
2
i
. Eventually, the sink obtains two values: the sum
of the actual samples which it can use to compute the mean and the sum of the squares which
it can use to compute the variance:
V ar = E(x
2
) E(x)
2
; where
E(x
2
) = (

n
i=1
x
2
i
)/n and E(x) = (

n
i=1
x
i
)/n
3. GOALS AND SECURITY MODEL
To provide data privacy, our goal is to prevent an attacker from gaining any information about
sensor data beside what can be inferred by the measurements done directly by the attacker.
We dene the privacy goal by the standard notion of semantic security in this work.
An attacker is assumed to be global, i.e., able to monitor any location in the network or
even the entire WSN. Furthermore, we assume the attacker is able to read the internal state
of some sensors. The attacker is also supposed to be able to corrupt a subset of sensor nodes.
We assume the attacker can launch chosen plaintext attacks only. That is, the attacker is
able to obtain the ciphertext of any plaintext of his choice. In the real situation, this means
the attacker could manipulate the sensing environment and obtain the desired ciphertext by
eavesdropping.
In light of our requirement for end-to-end privacy between the sensors and the sink, additive
aggregation, although otherwise simple, becomes problematic. This is largely because popular
block and stream ciphers, such as AES [NIST 2001] or RC5 [Rivest 1995], are not additively
homomorphic. In other words, the summation of encrypted values does not allow for the
retrieval of the sum of the plaintext values.
To minimize trust assumptions, we assume that each of the n sensors shares a distinct long-
term key with the sink, called the encryption key. This key is originally derived, using a
pseudo-random function (PRF), from the master secret, which is only known to the sink. We
denote the sinks master secret as K and the long-term sensor/sink shared key as ek
i
, where
the subscript 0 < i n uniquely identies a particular sensor. This way, the sink only needs
to store a single master secret and all long-term keys can be recomputed as needed.
As opposed to encryption, authentication schemes that allow for aggregation seem to be very
dicult, and perhaps impossible, to design. It should be noted that the problem of aggregate
authentication considered in this paper is dierent from the problem considered in aggregate
signatures [Boneh et al. 2003]; more precisely, the latter should be called aggregatable signa-
3
We assume that an aggregating node has its own measurement to contribute; thus k additions are needed.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
6
tures instead. In aggregate authentication, it is the messages themselves being aggregated and
hence the original messages are not available for verication, whereas, in aggregate signatures,
the signatures for dierent messages are aggregated and all the signed messages have to be dis-
tinct and available to the verication algorithm in order to verify the validity of an aggregate
signature. Consequently, it is fair to say there could be no secure aggregate authentication
scheme (which is existentially unforgeable against chosen message attacks) in the literature. As
explained in [Wagner 2004], other techniques are likely needed to verify the plausibility of the
resulting aggregate and to increase the aggregation resiliency.
In WSNs, providing end-to-end aggregate authentication seems to be dicult since messages
lose their entropies through aggregation, rendering it dicult to verify the validity of a given
aggregate. But it is still possible to prevent unauthorized nodes from injecting fake packets in
the networks. That is, groupwise message authentication can be achieved in which only nodes
knowing a common group key can contribute to an aggregate and produce valid authentication
tags that would pass a prescribed verication test at the sink. Note that the scheme would
be vulnerable to compromised nodes. We give an end-to-end message authentication scheme
providing such access control assuming outsider-only attacks.
4. ADDITIVELY AGGREGATE ENCRYPTION
Encrypted data aggregation or aggregate encryption is sometimes called concealed data aggre-
gation (CDA), a term coined by Westho et. al. [Westho et al. 2006]. Appendix A gives an
abstract description of CDA showing the desired functionalities.
In this section we describe the notion of homomorphic encryption and provide an example.
Our notion is a generalized version of the widely used one for homomorphic encryption we
allow the homomorphism be under dierent keys while the homomorphism in common notions is
usually under the same key. We then proceed to present our additively homomorphic encryption
scheme whose security analysis is given in Section 6 and Appendix B. The encryption technique
is very well-suited for privacy-preserving additive aggregation. For the sake of clarity, in Section
4.2, we will rst describe a basic scheme assuming the encryption keys are randomly picked in
each session (which is the same scheme as given in our earlier work [Castelluccia et al. 2005]);
the header part is also excluded in the discussion. Then we will give a concrete construction
in which the session keys and the encryption keys are derived using a pseudorandom function
family. The concrete construction can be proved to be semantically secure in the CDA model
[Chan and Castelluccia 2007], the details of which are given in Appendix A. Compared to our
earlier work [Castelluccia et al. 2005], this paper provides the details of a concrete construction
using a pseudorandom function in Section 4.3, with the security requirements on the used
components specied.
Our scheme can be considered as a practical, tailored modication of the Vernam cipher
[Vernam 1926], the well-known one-time pad, to allow plaintext addition to be done in the
ciphertext domain. Basically, there are two modications. First, the exclusive-OR operation is
replaced by an addition operation. By choosing a proper modulus, multiplicative aggregation
is also possible.
4
Second, instead of uniformly picking a key at random from the key space,
the key is generated by a certain deterministic algorithm (with an unknown seed) such as a
pseudorandom function [Goldreich 2001]; this modication is actually the same as that in a
4
Our construction can achieve either additive or multiplicative aggregation but not both at the same time.
Besides, multiplication aggregation seems to bear no advantage as the size of a multiplicative aggregate is the
same as the sum of the size of its inputs.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
7
stream cipher. As a result, the information-theoretic security (which requires the key be at
least as long as the plaintext) in the Vernam cipher is replaced with a security guarantee in the
computational-complexity theoretic setting in our construction.
4.1 Homomorphic Encryption
A homomorphic encryption scheme allows arithmetic operations to be performed on cipher-
texts. One example is a multiplicatively homomorphic scheme, whereby the multiplication of
two ciphertexts followed by a decryption operation yields the same result as, say, the mul-
tiplication of the two corresponding plaintext values. Homomorphic encryption schemes are
especially useful in scenarios where someone who does not have decryption keys needs to per-
form arithmetic operations on a set of ciphertexts. A more formal description of homomorphic
encryptions schemes is as follows.
Let Enc() denote a probabilistic encryption scheme. Let M be the message space and C the
ciphertext space such that M is a group under operation and Enc() is a -homomorphic
encryption scheme if for any instance Enc() of the encryption scheme, given c
1
= Enc
k1
(m
1
)
and c
2
= Enc
k2
(m
2
) for some m
1
, m
2
M, there exists an ecient algorithm which can
generate from c
1
and c
2
a valid ciphertext c
3
C for some key k
3
such that
c
3
= Enc
k3
(m
1
m
2
)
In other words, decrypting c
3
with k
3
would yield m
1
m
2
. In this paper, we mainly consider
additive homomorphism, i.e. is the + operation. We do not restrict k
1
, k
2
, k
3
to be the same
despite that they are usually equal in common homomorphic encryption schemes. Since k
3
could be dierent from k
1
, k
2
, some identifying information, say, denoted by hdr, needs to be
attached to a ciphertext to indicate which keys are required to decrypt the ciphertext.
A good example is the RSA cryptosystem[Rivest et al. 1978] which is multiplicatively homo-
morphic under a single key. The RSA encryption function is Enc(m) = m
e
= c (mod n) and
the corresponding decryption function is Dec(c) = c
d
= m (mod n) where n is a product of two
suitably large primes (p and q), e and d are encryption and decryption exponents, respectively,
such that e d = 1 (mod (p 1)(q 1)).
Given two RSA ciphertexts c
1
and c
2
, corresponding to respective plaintexts m
1
and m
2
,
it is easy to see that c
1
c
2
m
e
1
m
e
2
(m
1
m
2
)
e
(mod n). Hence, one can easily compute the
multiplication of the ciphertexts (c
1
c
2
) to obtain the ciphertext corresponding to the plaintext
m = m
1
m
2
(mod n). Note that c
1
, c
2
and the resulting ciphertext after multiplication are all
under the same decryption key d and no hdr is thus needed.
4.2 Basic Encryption Scheme using Random Keys
We now introduce a simple additively homomorphic encryption technique. The main idea of
our scheme is to replace the xor (Exclusive-OR) operation typically found in stream ciphers
with modular addition (+). For the sake of clarity, the inclusion of hdr (the information to
identify decryption keys) and pseudorandom functions is deferred to the discussion in Section
4.3. The basic scheme is as follows.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
8
Basic Additively Homomorphic Encryption Scheme
Encryption:
(1) Represent message m as an integer m [0, M1] where M is the modulus
of arithmetics.
(2) Let k be a randomly generated keystream, where k [0, M 1].
(3) Compute c = Enc
k
(m) = m + k mod M.
Decryption:
(1) Dec
k
(c) = c k mod M.
Addition of Ciphertexts:
(1) Let c1 = Enc
k
1
(m1) and c2 = Enc
k
2
(m2).
(2) The aggregated ciphertext is: c
l
= c1 + c2 mod M = Enc
k
(m1 + m2)
where k = k1 + k2 mod M.
The correctness of the aggregation is assured if M is suciently large. The explanation
is as follows: c
1
= m
1
+ k
1
mod M and c
2
= m
2
+ k
2
mod M, then c
l
= c
1
+ c
2
mod M =
(m
1
+m
2
)+(k
1
+k
2
) mod M = Enc
k1+k2
(m
1
+m
2
). For k = k
1
+k
2
, Dec
k
(c
l
) = c
l
k mod M =
(m
1
+m
2
) + (k
1
+k
2
) (k
1
+k
2
) mod M = m
1
+m
2
mod M.
We assume that 0 m < M. Note that if n dierent ciphers c
i
are added together, then
M must be larger than

n
i=1
m
i
, otherwise correctness is not provided. In fact if

n
i=1
m
i
is larger than M, decryption will result in a value m

that is smaller than M. In practice, if

t = max
i
m
i
, then M should be selected as M = 2
log2(tn)
. That is, the required length of
M should be at least the sum of the length of t and the length of n.
Note that this basic scheme is only for illustration purposes and is not the actual construction.
Since the encryption key k is assumed to be randomly picked (as in the one-time pad) by the
sensor node in each reporting session, a secure channel has to be maintained at all time between
each sensor node and the sink. In the actual construction (given in Section 4.3), such a secure
channel is not required.
4.3 Encryption Scheme using Keys generated by a Pseudorandom Function Family
The main dierence between the actual construction and the basic encryption scheme is that the
encryption keys in each session are now generated by a pseudorandom function instead of being
randomly picked. Two components are used in the constructions, namely, a pseudorandom
function f and a length-matching hash function h. Their details are as follows.
4.3.1 Pseudorandom Functions. A pseudorandom function is used for deriving secret keys.
For details on pseudorandom functions, [Goldreich 2001] has a comprehensive description. Let
F = F

N
be a pseudorandom function family where F

= f
s
: 0, 1

0, 1

s{0,1}

is a collection of functions indexed by a key s 0, 1

. Loosely speaking, given a function f

s
from a pseudorandomfunction ensemble with unknown key s, any PPTdistinguishing procedure
allowed to get the values of f
s
() at (polynomially many) arguments of its choice should not be
able to tell (with non-negligible advantage in ) whether the answer of a new query is supplied
by f
s
or randomly picked from 0, 1

.
Most provably secure pseudorandom functions such as [Naor et al. 2002] are based on the
hardness of some number-theoretic problems. However, these constructions are usually com-
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
9
putationally expensive for sensor nodes. Instead, key derivation in practice is usually based
on functions with conjectured or assumed pseudorandomness, that is, pseudorandomness or
unpredictability is inherently assumed in the construction rather than proven to follow from
the hardness of some computational problems. One typical example is the use of cryptographic
hash functions for key derivation such as [Perrig et al. 2001]. Even HMAC [Bellare et al. 1996]
and OMAC [Iwata and Kurosawa 2003] are constructed based on assumed pseudorandomness,
with the former assuming the underlying hash function in the construction has a certain pseu-
dorandomness property and the latter assuming the block cipher in use is a pseudorandom
permutation.
The proposed additive aggregate encryption scheme in this paper does not pose a restriction
on which type of pseudorandom functions should be used. A conjectured pseudorandom func-
tion can be used for the sake of eciency. The security guarantee provided by the proposed
construction holds as long as the underlying pseudorandom function has the widely dened
property of pseudorandomness or indistinguishability. If such an indistinguishability property
no longer holds or is broken for the pseudorandom function in use, we can simply replace it with
a better pseudorandom function (with its indistinguishability property yet to be broken) for the
proposed aggregate encryption to remain secure. It should be emphasized that the mentioned
indistinguishability or pseudorandomness property is also an inherent requirement on the hash
function to be used as a key derivation function [Perrig et al. 2001; Bellare et al. 1996] which
is also used in the IPSec standard. That is, if a given hash is not suitable for the proposed
aggregate encryption scheme due to its weakness, the same weakness would also undermine the
security foundation of these key derivation functions.
4.3.2 Length-matching Hash Function. The length-matching hash function h : 0, 1

0, 1
l
matches the length of the output of the pseudorandom function f to the modulus size
of M, that is, M is assumed to be l bits long. The purpose of h is to shorten a long bit-string
rather than to produce a ngerprint of a message; hence, unlike cryptographic hash functions,
h is not required to be collision resistant. The only requirement on h is: t 0, 1

: h(t)
has a uniform distribution over 0, 1
l
. That is, by uniformly picking an input from the domain
of h, the resulting output distribution is uniform over the range of h.
This requirement is pretty loose and many compression maps from 0, 1

to 0, 1
l
work.
For instance, h can be implemented by truncating the output of the pseudorandom function
and taking the least signicant l bits as output. The suciency of this requirement on h is
based on the assumption that an ideal pseudorandom function is used. For such a function,
without knowledge of the seed key, it is unpredictable whether an output bit is 0 or 1 for
all input. In practice, key derivation is usually based on conjectured pseudorandom functions
with unproven pseudorandomness; for example, a collision resistant hash function is commonly
used for deriving secret keys from a seed [Perrig et al. 2001; Bellare et al. 1996]. Hence, it
might be the case that, for some input to these conjectured pseudorandom functions, there
is a higher chance (greater than
1
2
) to predict some output bit successfully. To tolerate the
imperfectness of conjectured pseudorandom functions, if l[, a better construction could be as
follows: truncate the output of the pseudorandom function into smaller strings of length l and
then take exclusive-OR on all these strings and use it as the output of h.
Assume there is a sink and n nodes in the system. In the following description, f is a
pseudorandom function for key stream generation and h is a length-matching hash function.
The details of the proposed aggregate encryption scheme are as follows.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
10
Additively Homomorphic Encryption Scheme using a Pseudorandom Function Family
Assume the modulus is M.
Key Generation:
(1) Randomly pick K {0, 1}

and set it as the decryption key for the sink.

(2) For each i [1, n], set the encryption key for node i as eki = fK(i).
Encryption:
(1) Given an encryption key eki, a plaintext data mi and a nonce r, output ci =
Enc
ek
i
(mi) = mi + h(f
ek
i
(r)) mod M.
(2) Set the header hdri = {i}.
(3) Output (hdri, ci) as the ciphertext.
Decryption:
(1) Given the ciphertext (hdr, c) of an aggregate and a nonce r used in the encryption,
generate eki = fK(i), i hdr.
(2) Compute x = DecK(c) = (c

ihdr
h(f
ek
i
(r))) mod M (where K =

ihdr
h(f
ek
i
(r))), and output the plaintext aggregate x.
Addition of Ciphertexts:
(1) Given two CDA ciphertexts (hdri, ci) and (hdrj, cj), compute c
l
= (ci +cj) mod M
(2) Set hdr
l
= hdri hdrj.
(3) Output (hdr
l
, c
l
).
The keystream for a node is now generated from its secret key ek
i
and a unique message ID
or nonce r. No randomness in the nonce is needed. This secret key is pre-computed and shared
between the node and the sink, while the nonce can either be included in the query from the
sink or derived from the time period in which the node is sending its values in (assuming some
form of synchronization).
5. AGGREGATION OF ENCRYPTED DATA
As previously noted, ecient aggregation in WSNs becomes very challenging when end-to-end
privacy of data is required. One solution is to disregard aggregation altogether in favor of
privacy, i.e., for sensor nodes to forward to their parents their own encrypted measurements,
as well as measurements received from their children. The sink, upon receiving as many data
packets as there are responding sensors, proceeds to decrypt all ciphertexts and sums them up
in order to compute the desired statistical measurements. We term this approach as No-Agg.
This approach has two obvious disadvantages. First, because all packets are forwarded towards
the sink, a lot of bandwidth (and hence power) is consumed. Second, as illustrated later in
Section 7.2, there is an extreme imbalance between sensors in terms of the amount of data
communicated. Sensors closer to the sink send and receive up to several orders of magnitude
more bits than those on the periphery of the spanning tree.
A second approach, that does not achieve end-to-end privacy but does aggregate data, is a
hop-by-hop (HBH) encryption method, which is also used for comparison between aggregation
methods in [Girao et al. 2004]. In HBH all nodes create pair-wise keys with their parents and
children during a boot strapping phase. When answering a query, nodes decrypt any packets
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
11
sent to them, aggregate this data together with their own before re-encrypting the aggregated
result and forwarding this to their parent. This approach is obviously more bandwidth ecient
than No-Agg, as no packet is sent twice. However, there is an associated cost involved with the
decryption and encryption performed at every non-leaf node in the WSN which increases their
energy consumption (see [Girao et al. 2004]). More importantly, from a privacy perspective,
the HBH scheme leaves nodes vulnerable to attacks because their aggregated data will appear
in plaintext (i.e., no end-to-end privacy). Especially nodes closer to the sink become attractive
targets for an attacker, as their aggregated values represent a large portion of the data in the
WSN.
We instead propose an end-to-end privacy preserving aggregation approach (denoted as AGG)
in which each sensor encrypts their sensed data using the encryption scheme presented in Section
4.3. Since this scheme is additively homomorphic, values can be added (aggregated) as they
are forwarded towards the sink. The sink can then retrieve from the aggregate it receives the
sum of the samples and derive certain statistical data. AGG retains the positive qualities of
both the No-Agg (end-to-end privacy) and HBH (energy ecient) solutions. Note that a piece
of identifying information is needed for each ciphertext in No-Agg to allow the sink to decide
which key to use for decrypting a particular ciphertext in the list of received ciphertexts. This
identifying information has roughly the same size as hdr in AGG.
5.1 Computing Statistical Data
In this section, we show how the new additively homomorphic encryption scheme can be used
to aggregate encrypted data such that the sink can still compute the average and variance.
Since multiple moduli may be used for dierent instances of the aggregate encryption scheme
in the following discussion, the modulus used for encryption and decryption will be explicitly
specied in the notation for clarity. For example, Enc
k
(x; M) means encrypting x using key k
with public parameter M (the modulus).
5.1.1 Computing the Average. When using our scheme, each sensor encrypts its data x
i
to
obtain c
xi
= Enc
ki
(x
i
; M). M needs to be chosen large enough to prevent an overow so it
is set as M = n t, where t is the range of possible measurement values and n is the number
sensor nodes. Each ciphertext c
xi
is therefore log(M) = log(t) +log(n) bits long.
The sensor then forwards c
xi
along with the key identifying information hdr
xi
to its par-
ent, who aggregates all the c
xj
s of its k children by simply adding them up (this addition is
performed modulo M). The resulting value is then forwarded. The sink ends up with value
C
x
=

n
i=1
c
xi
mod M associated with hdr which indicates the key set k
1
, ..., k
i
, ..., k
n
. It
can then compute S
x
= Dec
K
(C
x
; M) = C
x
K mod M, where K =

n
i=1
k
i
, and derive the
average as follows: Avg = S
x
/n.
5.1.2 Computing the Variance. As mentioned previously, our scheme can also be used to
derive the variance of the measured data. Two moduli will be used, M for the sum of values
and M

for the sum of squares.

In this case, each sensor i must compute y
i
= x
2
i
, where x
i
is the measured sample, and
encrypts y
i
to obtain c
yi
= Enc
k

i
(y
i
; M

). It must also encrypt x

i
as explained in the previous
section. M

needs to be chosen large enough to prevent an overow so it is set to M

= n t
2
.
Each ciphertext c
yi
is therefore log(M

) = 2 log(t) + log(n) bits long. The sensor forwards

c
yi
, together with c
xi
, to its parent. The size of the resulting data is 3 log(t) +2 log(n). The
parent aggregates all the c
yj
of its k children by simply adding them up. It also aggregates,
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
12
separately, the c
xj
, as explained in the previous section. The two resulting values are then
forwarded. The sink ends up with values C
x
and C
y
=

n
i=1
c
yi
mod M. C
x
is used to
compute the average Av. C
y
is used to compute the variance as follows: The sink computes
V
x
= Dec
K
(C
y
; M

) = C
y
K

mod M

, where K

n
i=1
k

i
. The variance is then equal to
V
x
/n Av
2
.
5.2 Robustness
s
i+1
s
i+2
s
i+k
Sink
...
s
j+1
s
j+2
s
j+k
...
s
m+1
s
m+k
... ...
...
Fig. 1. Multi-level WSN model with nodes of degree k
An important consequence of using our proposed encryption scheme for aggregation in WSNs
is that the sink node needs to be aware of the encryptors ids such that it can regenerate the
correct keystream for decryption purposes.
Because WSNs are not always reliable, it cannot be expected that all nodes reply to all
requests. Therefore there needs to be a mechanism for communicating the ids of the non-
responding nodes to the base station. The simplest approach, and the one we used in our
evaluation, is for the sensors to append their respective node ids to their messages
5
.
6. SECURITY ANALYSIS
We use the CDA security model in [Chan and Castelluccia 2007] to analyze the concrete con-
struction in Section 4. For completeness, the security model is given in Appendix A. As usual,
the adversary is assumed to be probabilistic polynomial time (PPT) in the security model.
In the model, the adversary can choose to compromise a subset of nodes and obtain all the
secret information of these nodes. With oracle access, he can also obtain from any of the un-
compromised nodes the ciphertext of any plaintext he chooses. The security goal is that the
adversary cannot extract in polynomial time any information about the plaintext from a given
ciphertext. This is the well known notion of semantic security [Goldwasser and Micali 1984].
Formally dened, the security model is described as a game in Appendix A.
5
Depending on the number of nodes that respond to a query, it could be more ecient to communicate the ids
of nodes that successfully reported values
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
13
The concrete construction in Section 4.3 can be shown to achieve semantic security or indis-
tinguishability against chosen plaintext attacks (IND-CPA), an equivalent notion of semantic
security [Goldwasser and Micali 1984], if the underlying key generation function is from a
pseudorandom function family. The security can be summarized by the following theorem.
Theorem 1. The concrete construction is semantically secure against any collusion with at
most (n 1) compromised nodes (where n is the total number of nodes), assuming F

= f
s
:
0, 1

0, 1

s{0,1}
is a pseudorandom function and h : 0, 1

0, 1
l
satises the
requirement that t 0, 1

: h(t) has a uniform distribution over 0, 1

l
.
Proof Sketch: Detailed proof is given in Appendix B. The basic idea is that we assume there
exists a PPT adversary which can break the semantic security of the proposed encryption
scheme, and then we show how this adversary can be used to break the indistinguishability
property of the underlying pseudorandom function. By a contrapositive argument, we can
say that if the pseudorandom function has the described indistinguishability property briey
described in Section 4.3, then the proposed encryption is semantically secure.
6
Note the standard security goal for encryption is indistinguishability against chosen ciphertext
attacks in which the adversary is allowed to obtain the plaintext of any ciphertext of his choice
[Naor and Yung 1990; Katz and Yung 2006]. If a stateful decryption mechanism is assumed,
that is, the decryption algorithm keeps track of all the nonces previously used, our scheme
could also be proved to be secure against chosen ciphertext attacks. But the resulting scheme
might be inecient. Nevertheless, it could still be practical since in usual situation only the
sink would perform decryption. Since the aggregation functionality allows ciphertexts to be
modied in some way without invalidating them, achieving chosen ciphertext security (more
specically, indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2)) with
a stateless decryption mechanism may be impossible in this scenario.
7. OVERHEAD ANALYSIS
In this section, we compare the bandwidth of our proposed AGG protocol with the No-Agg
(forwarding data packets) and HBH (hop-by-hop encryption and aggregation) approaches, as
described in section 5. The overall bandwidth in the WSN and the number of bits sent by
individual nodes are measured for dierent WSN tree like topologies. Below we describe the
specic network model that we use in our measurements. The comparisons will be made for
the two following cases: (1) the sink is only interested in the average value and (2) the sink is
interested in the average and variance values.
7.1 Network Model
We envision a multi-level network tree in which there exist numerous sensor nodes and only
one sink node. To simplify the model, we assume a balanced k-ary tree, as depicted in gure
1. Let t denote the range of possible measurement values collected by a sensor (i.e., if a sensor
can measure temperatures between 0 and 99 Fahrenheit, then t = 100).
We will analyze the communication bandwidth in the proposed WSN model from two per-
spectives: (1) the number of bits sent per node at dierent levels in a 3-ary tree and (2) the
total number of bits transmitted throughout the WSN for 3-ary trees of various height. These
6
Formal details of the indistinguishability property of the pseudorandom function can be found in Appendix B.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
14
measurements will be carried out for the three models that we are considering, namely No-Agg,
HBH and AGG.
Next we describe how to calculate the number of bits (header and payload) sent per node for
each of these schemes. We choose the packet format used in TinyOS [Karlof et al. 2004] which
is the operating system running on the Berkeley motes that we envision as the sensor platform.
The packet header is 56 bits and the maximum supported data payload is 232 bits.
For the No-Agg scheme, a node only needs log(t) bits to encode its sensed data. In addition,
all internal nodes need to forward the packets sent to them by their children, and the number
of packets received grows exponentially (in k) as we move higher in the tree (i.e. closer to the
sink).
In the HBH approach, the number of bits sent depends upon the nodes level in the WSN
tree. Leaf nodes only send log(t) bits (same as in No-Agg), while nodes higher up in the tree
will have aggregated data and therefore need to send more bits. Additionally, when the variance
is also requested, the aggregating nodes need to keep track of this value separately, and use
approximately log(n

t) bits to encode the value, where n

is the number of nodes aggregated so

far.
With our AGG scheme, the number of bits sent by a node depends on the size of the modulus
M used in the additive encryption scheme. Its size can be computed as the maximum possible
aggregate value, which in this model turns out to be M = nt, i.e. all sensors measure the largest
possible reading. Therefore, when encoding the average, each node uses log(M) = log(t)+log(n)
bits. When the variance is also desired, a node needs to send the ciphertext corresponding to
x
2
. This requires an extra log(n t
2
) = 2 log(t) + log(n) bits. Additionally, an aggregator
needs to append to the aggregate the ids of its children that did not reply to the query. These
ids have to be propagated up to the sink along with the aggregate.
7.2 Numerical Results
In this section, we compare the performance of the No-Agg, HBH and AGG according to the
following two criteria: (1) The forwarding cost per node i.e. the number of bits forwarded by
node at each level of the delivery tree. (2) The overall bandwidth gain achieved by HBH and
AGG over the No-Agg scheme.
Levels Num Nodes A (0%) A (10%) A (30%) AV (0%) AV (10%) AV (30%) HBH-A HBH-AV No-Agg
1 3 75 950 2700 100 975 2725 73 97 68859
2 9 75 366 950 100 392 975 72 94 22932
3 27 75 172 366 100 197 392 70 91 7623
4 81 75 107 172 100 132 197 68 87 2520
5 243 75 85 108 100 111 132 67 84 819
6 729 75 78 85 100 103 110 65 81 252
7 2187 75 75 75 100 100 100 63 63 63
Table I. Number of bits sent per node for each level in a 3-tree of depth 7, where the measured value range of
2
7
.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
15
Forwarding Cost per node (fairness). Table I shows the number of bits sent per node at
each level in a 3-degree tree of height
7
7 when t = 128 (the network is for example monitoring
temperatures that range between 0 and 127 degrees).
For the No-Agg approach it becomes obvious from the results that there is a widely diering
data communication load amongst sensors at dierent levels (nodes at level 7 send 3 orders of
magnitude less data than those at level 1). Because the nodes closer to the sink have to send
such signicantly larger amounts of data than their descendants, they use up their batteries
and die sooner. Should a level of nodes in the tree stop functioning, then the whole WSN
stops functioning as well. Therefore, nodes would have to either be swapped around manually
or replaced upon failure, both tasks being quite impractical when considering the number of
nodes at the various levels.
The table shows a steady increase of bits per node for the HBH approach, both for the
average (HBH-A) as well as the average and variance data (HBH-AV). Notice the relatively
dramatic increase in bits transmitted between nodes at level 7 and 6 for HBH-AV. This is due
to that the leaf nodes need not send a ciphertext representing x
2
(needed for the computation of
the variance), where x represent their measured value, as it can be computed by their parents.
Because packets are not forwarded as in No-Agg, we observe a signicant reduction in bits sent
per node at all non-leaf levels.
For the AGG we considered three scenarios: (1) all the nodes reply
8
, (2) 90% of the nodes
reply
9
and (3) 70% of the nodes reply
10
).
In the rst scenario, there is a constant number of bits sent by each node at each level in the
tree. However, this number of bits is larger than even the maximum for any HBH approach,
due to the size of the modulus M. As previously explained, the number of bits sent by the
leaves is larger with the aggregation methods (AGG-A: 56+log(t)+log(n) = 75 bits, AGG-AV:
56 +3 log(t) +2 log(n) = 100 bits) than when no aggregation is used (56 +log(t) = 63 bits).
However, aggregation distributes the load evenly over all nodes, regardless of their distance to
the sink. We believe this to be an attractive property in WSNs. In the second and the third
scenarios, the number of bits processed by each node gets larger the closer it gets is to the sink.
This is the result of appending the ids of the non-responding children to the aggregate. As we
move up the tree the list of non-responding nodes increases. If we assume that x% of the total
nodes do not participate, an aggregator A must append to the aggregated message, the id of
x% of all its children (i.e of all the nodes in the subtree rooted at A). If, for example, A is at
level 3 and x = 30, there are 3
4
= 81 children and A has to append 81 0.3 i.e. 25 ids. The
total size of the aggregated message is then 63 + 25 12 = 366 bits as shown in the table I.
Bandwidth Gain. Table II displays the bandwidth transmission gain of the HBH and AGG
schemes over the No-Agg scheme using a 3-degree WSNs of various heights. We consider
the gains when (1) only the average is computed and (2) both the average and variance are
7
The sink is at level 0 in the tree
8
Referred to in the tables as A(0%) when only the average is computed and as AV (0%) when the average and
variance are computed.
9
Referred in the table as A(10%) when only the average is computed and as AV (10%) when the average and
variance are computed.
10
Referred in the table as A(30%) when only the average is computed and as AV (30%) when the average and
variance are computed.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
16
Levels Num Nodes A (0%) A (10%) A (30%) HBH-A AV(0) AV(10) AV(30) HBH-AV
3 40 2.42 2.39 2.34 2.58 1.89 1.87 1.84 2.24
4 121 3.20 3.13 3.01 3.50 2.46 2.40 2.37 3.02
5 364 3.96 3.82 3.6 4.46 3.03 2.98 2.84 3.84
7 3280 5.46 5.13 4.58 6.41 4.1 3.9 3.6 5.52
8 9841 6.22 5.72 4.95 7.39 4.59 4.3 3.85 6.37
Table II. WSN bandwidth performance gain of the AGG and HBH schemes when aggregating the (1) Average
and (2) Average and Variance for a 3-tree and t = 2
7
= 128.
computed
11
. These gains are obtained by computing the total bandwidth costs, C
HBH
, C
AGG
and C
NoAgg
, by adding, for each of these schemes, the total number of bits forwarded by
each node of the network. The bandwidth gain of HBH and AGG are respectively dened as
C
NoAgg
/C
HBH
and C
NoAgg
/C
AGG
.
For example, in a 3-tree of height 5, there are 364 nodes, and when only computing the
average value, AGG-A achieves a factor of 3.96 speedup over No-Agg, i.e. approximately 4
times less bits are sent across the network. As expected, HBH-A and HBH-AV have better
performance than both AGG-A and AGG-AV, respectively, although they both outperform
No-Agg. The biggest draw for using AGG over HBH is that of end-to-end privacy. With
HBH, it is enough for an attacker to compromise one node close to the sink to gain a large
picture of the aggregated data in the WSN. This is because each node in HBH stores the secret
key needed for decryption (and encryption), leaving them vulnerable. On the other hand, nodes
in AGG do not store sensitive key material and the only data an attacker can learn is a single
sensors individual reading.
The results shown in this section are very encouraging since they conrm that aggregation is
a useful technique for reducing the total bandwidth usage and can therefore extend the overall
lifetime of the network.
7.3 Computational Costs
This section discusses the computation costs of the proposed scheme and the issues related
to implementation. Let t
add
and t
multi
respectively denote the cost of an addition and a
multiplication operation in mod M. Note that the cost of performing a subtraction is also t
add
.
Let t
prf
and t
h
denote the costs of evaluating an instance of a certain pseudorandom function
and a length-matching hash function respectively. Let t
ce
and t
cd
denote the costs of running
one encryption and one decryption of a particular cipher used in the hop-by-hop approach. The
overall computation costs for the proposed protocols are depicted below, assuming L reporting
nodes, i.e. [hdr[ = L. For the aggregation operation, the calculations assume each aggregation
involves only two inputs. The computation costs are summarized by the following table.
The aggregate encryption scheme places all the decryption computation tasks at the sink
while the hop-by-hop scheme distributes the decryption cost over all the aggregating nodes in
the network. Hence, a sensor device may need to perform more computation than the sink
in the hop-by-hop approach. Since the sink is usually a more powerful device, the aggregate
encryption approach could be preferable in the WSN scenario.
In the aggregate encryption scheme, each node only needs to perform one evaluation of
11
We remind the reader of that in the No-Agg scheme, no extra values need to be sent when the variance needs
to be computed.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
17
Hop-by-hop Encryption (HBH) Aggregate Encryption (AGG)
Encryption tce t
prf
+t
h
+t
add
Decryption t
cd
2L t
prf
+L t
h
+L t
add
Aggregation (per 2 inputs) 2 t
cd
+tce +t
add
t
add
Table III. A comparison of computation costs.
the underlying pseudorandom function and one evaluation of the length-matching hash and
one addition mod M for encryption and one addition for aggregation. Aggregation is pretty
ecient in the aggregate encryption scheme. If the hash is implemented by bit truncation,
the computation cost is negligible compared to that of an addition operation. If the hash is
implemented by truncation combined with exclusive-OR, the computation cost is of the same
order as the cost of an addition operation. We could thus say the cost of evaluating h can be
neglected in the calculation of the overall computation cost of encryption without much loss
of accuracy. As a result, the cost for encryption is dominated by the cost of evaluating one
instance of the pseudorandom function.
As mentioned in Section 4.3, a collision resistant hash can be used in place of a number-theory
based pseudorandom function for key derivation if its assumed pseudorandomness is acceptable
for an application. [Perrig et al. 2001] shows an example of such usage in sensor networks and
demonstrates its feasibility in terms of computation complexity. Hence, the computation cost
of the proposed aggregate encryption scheme should be reasonable for most WSN applications.
8. AGGREGATE AUTHENTICATION AGAINST OUTSIDER-ONLY ATTACKS
While the aggregate encryption given in this paper could provide good end-to-end privacy, like
any data aggregation over plaintexts such as [Madden et al. 2002], it is vulnerable to false data
injection attacks. In its current form, even an external attacker can add an arbitrary value as
his contribution to an aggregate ciphertext in the encryption scheme in Section 4.3.
The aggregate encryption scheme is complementary to most authentication techniques in the
literature including [Chan et al. 2006; Yang et al. 2006; Przydatek et al. 2003; Hu and Evans
2003]; hence, these techniques can be added as plug-ins to the proposed aggregate encryption.
It should be noted that all these techniques are not end-to-end, namely, some kind of call-backs
to the aggregating nodes (after the sink receives the aggregate) are necessary. This section
provides an end-to-end alternative to aggregate authentication but it can only guard against an
external attacker without knowledge of a secret group key; the existence of any compromised
nodes would imply a total breath of security.
A general application scenario in which such an aggregate authentication scheme would be
useful is as follows: Suppose during the deployment of a sensor network, physical captures of
nodes are not possible, say, the network is deployed in an inaccessible area (such as an accident
scene inside a nuclear reactor or a bush re scene) or not unattended (for instance, guarded by
a team for under-sea terrain surveying). But part of the communication over the network (say
close to the sink or collecting point) can be eavesdropped or manipulated without going inside
the scene during its deployment. The proposed aggregate authentication scheme can provide
sucient integrity protection during deployment since no compromised node can be assumed.
However, after the task is complete, the sensor devices may be disposed of on the spot due to
the diculty of recalling. An adversary might then be able to obtain some of the sensor devices
(say, after a long enough period of time since a nuclear accident). Combined with previously
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
18
recorded messages eavesdropped from the network, the adversary might be able to recover part
or even all of the previously protected communication. Hence, a stronger privacy protection
scheme is needed. Under-sea terrain surveying and resource exploration could be examples
of this scenario.
12
In summary, a scheme providing strong privacy with integrity protection
against outsider-only attacks could nd applications in scenarios where physical captures of
sensor devices are not possible during deployment but could be achievable after deployment.
In [Chan and Castelluccia 2008], the notion of aggregate message authentication codes
(AMAC) is proposed as a natural extension of one-to-one message authentication codes (MAC)
and it is shown that no scheme can be designed to achieve such a notion. Since the proposed
notion is not a contrived one, it could be fair to say no scheme may be constructed to provide
end-to-end aggregate integrity against chosen message attacks in the presence of compromised
nodes.
Even with call-backs, say in [Chan et al. 2006], the only guarantee provided so far is that an
adversary cannot manipulate an aggregation result by an amount beyond what can be achieved
through data injection at the compromised nodes unless prior knowledge of the statistical
distribution of the data is utilized for outlier detection at the sink. In the context of additive
aggregation without requesting each sensor to provide a range proof on its contribution, the
impact of a compromised node in [Chan et al. 2006] (regarding manipulation of an aggregation
result) is essentially the same as its counterpart in our proposed aggregate authentication
scheme. Indeed, range proving requires prior knowledge of the statistical distribution of data.
When there is no compromised node, our scheme assures that no data can be injected into
an aggregate without being detected. The basic idea of our scheme is to add to each nodes
data a keyed, aggregatable checksum the computation of which requires the knowledge of a
shared group key. Without knowledge of the group key, it would be a dicult task for an
external attacker to compute a valid checksum for any modied data. It should be noted that
compromising any one of the nodes (and hence the group key) would cause a complete security
breach of the authentication scheme. Nevertheless, this could be the best one can achieve for
end-to-end aggregate authentication.
8.1 Details of the Protocol
The details of the aggregate authentication protocol are as follows.
12
Suppose there are two conicting, neighboring countries, A and B, with overlapping Exclusive Economic Zone
(EEZ). They both claim possession of a certain under-sea oil eld. Country A, which is more technologically
advanced, sends out an exploration sensor network to measure the under-sea terrain and related data to prepare
for oil exploitation in the near future. Country B is supposed not to be able to make such exploration but wants
to eavesdrop the data collected by country A for its own exploitation. In order to protect its own interests,
country A would wish to ensure long-term privacy of the measured exploration data since an exploitation project
may last for a decade or so. Since an exploration team is usually close to the deployed sensor network in usual
practice and the sensor devices (deep under sea) are inaccessible, so no physical capture of sensor devices can be
assumed. Authentication against outsider-only attacks is thus sucient when the network is not unattended.
However, once the exploration job is completed, the sensor devices will be left unattended due to the high cost
of recalling or post-deployment guarding. As the network stops operating, some devices may be drifted by sea
waves and current and oats up to the surface. These devices may then be captured by country B. Privacy
against compromised nodes is therefore deemed as needed.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
19
Combined Encryption and Aggregate Authentication Scheme
Key Distribution:
Each sensor node i is given 3 secret keys (ki, k

i
, k). They can be generated from three
independent master keys using a pseudorandom function as in the basic scheme. The sink
keeps all the three master keys. ki and k

i
correspond to the encryption key eki in the
basic scheme. Each node should receive a distinct pair of (ki, k

i
) while getting a common
group key k.
Encryption + Checksum Computation:
Let M be the modulus of the arithmetics. For an arbitrary reporting epoch r.
(1) Each node i generates the session keys (k
(r)
i
, k
(r)

i
, k
(r)
) from its secret keys (ki, k

i
, k)
using a pseudorandom function and the length-matching hash function as in the basic
scheme. (i.e. k
(r)
i
= h(f
k
i
(Nr)), k
(r)

i
= h(f
k

i
(Nr)), and k
(r)
= h(f
k
(Nr)) where f()
is the pseudorandom function used, h() is the length-matching hash function and Nr
is the nonce used for epoch r.)
(2) For a plaintext message mi [0, M 1], encrypt mi using k
(r)
i
to obtain the
ciphertext xi = mi + k
(r)
i
mod M.
(3) Compute the checksum: yi = mi k
(r)
+ k
(r)

i
mod M.
(4) The ciphertext and checksum is: (hdr, xi, yi) where hdr = {i}.
Decryption + Verication:
(1) Given a ciphertext (hdr, x, y), generate the session keys (k
(r)
i
, k
(r)

i
, k
(r)
) for each
i hdr.
(2) Compute m = x

ihdr
k
(r)
i
mod M. m is the decrypted plaintext.
(3) Check y
?
=

ihdr
k
(r)

i
+ k
(r)
m mod M. If yes, set b = 1, otherwise, set b = 0.
(4) Return (m, b). Note that b = 0 indicates a verication failure.
Addition of Ciphertexts: Given two ciphertexts (hdri, xi, yi) and (hdrj, xj, yj),
(1) Compute hdr
l
= hdri hdrj.
(2) Compute x
l
= xi + xj mod M.
(3) Compute y
l
= yi + yj mod M.
(4) The aggregated ciphertext is: (hdr
l
, x
l
, y
l
).
The nal aggregated ciphertext (hdr, x, y) received at the sink can be expressed as two
equations:

x = K
(r)
1
+m
y = K
(r)
2
+K
(r)
m
(1)
where m is the nal aggregate of the plaintext data and K
(r)
1
, K
(r)
2
, K
(r)
are two sums of node
keys and the common group key (for epoch r) given by the following expressions:
K
(r)
1
=

ihdr
k
(r)
i
, K
(r)
2
=

ihdr
k
(r)

i
, and K
(r)
= k
(r)
.
Equation (1) can be viewed as a set of constraint equations (for a particular hdr) that a
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
20
correct pair (x, y) should satisfy. For each epoch, hdr is part of the input to the verication
process to dene the coecients K
(r)
1
, K
(r)
2
, K
(r)
of the constraint equations in (1); hdr uniquely
species a subset of nodes whose data are supposed to have been incorporated in (x, y).
If (x, y) has not been tampered with, the plaintext aggregate m extracted from the rst
constraint equation in (1) should satisfy the second constraint equation in (1); m is a correct
aggregate of the data contributed by the nodes in hdr when they all act honestly. The goal of
an external adversary is thus to nd a dierent valid pair (x

, y

) for the same hdr such that

= K
(r)
1
+m

= K
(r)
2
+K
(r)
m

for some m

,= m and m

is not necessarily known by the adversary. Note that the coecients

K
(r)
1
, K
(r)
2
, K
(r)
have to be the same as that in the equations for (x, y) for a successful forgery.
Without knowledge of K
(r)
, the probability for any PPT adversary to nd such a valid pair
(x

, y

) for the given hdr should be negligibly small. The proposed protocol guarantees with
high probability that, for an epoch r, any pair (x, y) which passes the verication test for a
given hdr has to allow the recovery of a correct aggregate whose contributions can only come
from nodes in hdr with knowledge of K
(r)
(with exactly one contribution from each node in
hdr).
In any epoch, by passively observing transmissions from honest nodes in a network, an
adversary without knowledge of K
(r)
can still create multiple tuples of the form (hdr, x, y),
each with a distinct hdr, to pass the verication test of Equation (1). This can be achieved by
simply aggregating valid ciphertext-checksum pairs eavesdropped in the transmissions of the
honest nodes. However, it should be noted that, for each hdr, there is at most one such tuple
and the corresponding pair of (x, y) is indeed a correct ciphertext-checksum pair for hdr in the
sense that this pair of (x, y), upon verication, can recover an aggregate m the contributions of
which only originate from the honest nodes specied in hdr, that is, m =

ihdr
m
i
where m
i
is
the measurement of node i. In other words, in the set ( of ciphertext-checksum pairs obtained
by combining eavesdropped pairs through the aggregation functionality, if a pair (x, y) (
passes the verication equations in (1) for hdr, any pair (x

, y

) ( which can satisfy the

same set of equations (i.e. with the same set of coecients) has to be equal to (x, y). Hence,
any external attacker without knowledge of K
(r)
still cannot inject its data into an aggregate
ciphertext pair (x, y) which satises the constraint equations in (1) even though he may be
able to create such a pair from the ciphertext-checksum pairs obtained from eavesdropping the
transmissions of honest nodes; neither can the attacker modify an existing valid pair of (x, y)
to pass the verication test for the same hdr but produce a dierent aggregate output except
with a negligibly small probability.
13
It is thus fair to say the best that an external adversary without knowledge of K
(r)
can
achieve in breaking the proposed scheme is essentially limited to excluding the contributions of
some honest nodes from being incorporated into an aggregate. Such exclusion would usually
have slight impact in the calculation of mean and variance unless the exclusion makes up a
pretty large fraction of nodes in which case it would make the sink suspect the occurrence of a
possible attack. It should be emphasized that, to achieve so with impact, the adversary must
be capable to intercept and modify a considerable portion of the transmissions in the entire
network, which is normally hard for an attacker to achieve.
13
An adversary may be able to obtain another valid (x, y) pair but it is valid only for a dierent hdr.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
21
8.2 Security Analysis
Recall that the goal of the proposed extension of aggregate authentication is to guard against
any external attackers (without knowledge of the keys) from injecting data into an aggregate.
The security of the proposed scheme is summarized by the following theorem.
Theorem 2. Given a genuine ciphertext-checksum pair (x, y) corresponding to an aggregate m
which incorporates data from a group of nodes specied by hdr and all other communication
transcripts between nodes, the probability of successfully forging a valid pair (x

, y

) ,= (x, y) for
some m

,= m to pass the verication test of the aggregate authentication scheme for the same
hdr is negligible for any external PPT (Probabilistic Poly-Time) adversary without knowing
K, assuming the encryption keys and the group key are generated by a pseudorandom function
based on dierent seed keys.
Proof: Assume the pseudorandom function has some indistinguishability property as usual. We
prove by contradiction, showing that a PPT adversary which can forge a valid pair (x

, y

) can
also break the indistinguishability property of the underlying pseudorandom function. We show
the reduction
14
in two steps: rst, we show that a forging algorithm to nd (x

, y

) can be used
as a sub-routine to solve a newly dened problem called Under-determined Equation Set with
Pseudorandom Unknowns (UESPU); then we show that the UESPU problem is computation-
ally hard if the underlying pseudorandom function has the usual indistinguishability property.
The UESPU problem is dened as follows:
Under-determined Equation Set with Pseudorandom Unknowns (UESPU) Problem Suppose
K
1
, K
2
, K are independent random seeds. Let K
(r)
1
, K
(r)
2
and K
(r)
denote the hashed outputs
of a pseudorandom function f at input r corresponding to seed keys K
1
, K
2
and K.
15
Given
a 3-tuple (m, x, y) where x = K
(r)
1
+ m and y = K
(r)
2
+ K
(r)
m, nd (K
(r)
1
, K
(r)
2
, K
(r)
) while
allowed to evaluate the pseudorandom function at any input r

,= r.
16
Without loss of generality, in the UESPU problem, each of K
(r)
1
, K
(r)
2
and K
(r)
is treated
as a single hashed output of f. In the proposed aggregate authentication, they are the sums
of hashed outputs of f. If they are represented as the sums of hashed output of f instead, the
modied problem would remain hard if f is a pseudorandom function.
Solving the UESPU problem using a forger of (x

, y

).
Suppose there exists a PPT adversary / which can forge a valid pair (x

, y

) at an epoch with
nonce r with non-negligible probability p
f
. Using / as a subroutine, we can construct another
algorithm /

to nd (K
(r)
1
, K
(r)
2
, K
(r)
) from (m, x, y) with probability p
f
in any instance of the
14
The reduction of the problem of breaking the indistinguishability of the pseudorandom function to the problem
of forging a valid (x

, y

) pair.
15
That is, K
(r)
1
= h(f
K
1
(r)), K
(r)
2
= h(f
K
2
(r)), and K
(r)
= h(f
K
(r)) where h is the length-matching hash
function.
16
The UESPU problem is typically hard if f is a pseudorandom function. More formally dened, given that
l is the key length of the pseudorandom function f and h is a length-matching hash function, the following
probability is negligible in l for any PPT algorithm A.
Pr

K
1
{0, 1}
l
; K
2
{0, 1}
l
; K {0, 1}
l
; r {0, 1}
l
;
K
(r)
1
= h(f
K
1
(r)); K
(r)
2
= h(f
K
2
(r)); K
(r)
= h(f
K
(r));
m Z
M
; x = K
(r)
1
+m; y = K
(r)
2
+ K
(r)
m
: A
f
(m, x, y) = (K
(r)
1
, K
(r)
2
, K
(r)
)

ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.

22
UESPU problem. Note that /

should be able to answer queries from / for any r

,= r by
passing the queries to its challenger.
The construction of /

is as follows: Give / the pair (x, y). When / returns a pair (x

, y

) ,=
(x, y), we can determine K
(r)
1
, K
(r)
2
, K
(r)
from the resulting set of equations. The explanation
is as follows:
Note that
x = K
(r)
1
+m
y = K
(r)
2
+K
(r)
m.
So we have two equations and 3 unknowns. If (x

, y

) is a valid forgery, then it must satisfy the

following two equations (with the same K
(r)
1
, K
(r)
2
and K
(r)
) in order to pass the verication
test:
x

= K
(r)
1
+m

= K
(r)
2
+K
(r)
m

for some unknown value m

,= m.
The pair (x

, y

) adds in two new equations and one unknown m

. Since (x

, y

) ,= (x, y)
and m

,= m, it can be assured that the four equations are independent. Hence, there are four
independent equations and four unknowns in total and it should be easy to solve for K
(r)
1
, K
(r)
2
,
K
(r)
(a contradiction to the UESPU assumption). The probability of solving the problem in
the UESPU assumption is hence p
f
.
Suppose there are n reporting nodes. The communication transcripts can be simulated easily
by randomly picking (n1) random pairs of ciphertext-checksum (x
i
, y
i
) and subtracting them
from (x, y) to obtain the n-th pair. Since / does not have any knowledge about the node keys,
real pairs of (x
i
, y
i
) should look random to /. Hence, / could not distinguish its view in the
simulation and that in the real attack. On the other hand, it could be concluded that knowing
(x
i
, y
i
) without knowing the node keys would not help in creating a valid forgery. In the above
discussion, we treat K
(r)
1
, K
(r)
2
, K
(r)
as a single output of a pseudorandom function for the
sake of clarity and easy comprehension; more precisely, in the aggregate authentication scheme,
each one of them is the sum of outputs of a pseudorandom function seeded with distinct keys
(one from each sensor node). Nonetheless, the above arguments and conclusion apply to both
cases.
A distinguisher for the pseudorandom function using an algorithm which solves
the UESPU problem.
The UESPU problem is hard if K
(r)
1
, K
(r)
2
, K
(r)
are generated by a pseudorandom function.
Obviously, m and x can uniquely determine K
(r)
1
. But the equation y = K
(r)
2
+ K
(r)
m has
two unknowns, which cannot be uniquely determined. It could be shown that if there exists an
algorithm /

solving in poly-time K
(r)
2
and K
(r)
from m and y, then the indistinguishability
property of the underlying pseudorandom function is broken.
The idea is as follows: assume the seed key for generating K
(r)
is unknown but the seed key
for generating K
(r)
2
is known. That is, we can generate K
(r

)
2
for any r

. When a challenge K
(r)
is received, we have to determine whether it is randomly picked from a uniform distribution or
generated by the pseudorandom function with an unknown seed key. We generate K
(r)
2
from
the known seed key. Then we pass y = K
(r)
2
+K
(r)
m to /

. If the solution from /

does not
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
23
match the generated K
(r)
2
, we reply that K
(r)
is randomly picked, otherwise, it is generated
from the pseudorandom function. If /

has non-negligible probability of breaking the UESPU

assumption, the above construction would also has a non-negligible advantage of breaking the
indistinguishability property of the underlying pseudorandom function. Note that all queries
from /

could be answered by sending queries to the challenger and running the pseudorandom
function with the known key.
8.3 Additional Overheads
The aggregate authentication extension leads to additional costs in both communication and
computation. For the communication cost, the length of each ciphertext is now increased by [M[
(where M is the modulus of the arithmetics in use). This is the size of the added checksum. For
the computation cost, the notations of Section 7.3 are used. The additional computation costs
needed for checksum generation and verication are summarized as follows. In the calculation
of verication cost, the cost of a comparison operation in mod M is assumed similar to the cost
of an addition operation in mod M.
Additional Computation Costs
Checksum Generation 2 t
prf
+ 2 t
h
+t
add
+t
multi
Checksum Verication (2L + 1) t
prf
+ (L + 1) t
h
+ (L + 1) t
add
+t
multi
Table IV. Additional computation costs of the extension of aggregate authentication (assuming L is the number
of nodes contributing to an aggregate).
9. RELATED WORK
The problem of aggregating encrypted data in WSNs was partially explored in [Girao et al.
2004]. In this paper, the authors propose to use an additive and multiplicative homomorphic
encryption scheme to allows aggregation of encrypted data. While this work is very interesting,
it has several important limitations. Firstly, it is not clear how secure the encryption scheme
really is. Secondly, as acknowledged by the authors, the encryption and aggregation opera-
tions are very expensive and therefore require quite powerful sensors. Finally, in the proposed
scheme, the encryption expands the packet size signicantly. Given all these drawbacks, it
is questionable whether aggregation is still benecial. In contrast, our encryption scheme is
proven to be secure and is very ecient. Encryption and aggregation only requires a small
number of single-precision additions. Furthermore, our encryption scheme only expands packet
sizes by a small number of bits. As a result, it is well adapted to WSNs consisting of very
resource constrained sensors.
In [Hu and Evans 2003], Hu and Evans propose a protocol to securely aggregate data. The
paper presents a way to aggregate MACs (message authentication code) of individuals packets
such that the sink can eventually detects non-authorized inputs. This problem is actually
complementary to the problem of aggregating encrypted data, we are considering in this paper.
The proposed solution introduces signicant bandwidth overhead per packet. Furthermore, it
requires the sink to broadcast n keys, where n is the number of nodes in the network, at each
sampling period. This makes the proposed scheme non-practical.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
24
Although not related to data privacy, in [Przydatek et al. 2003] Przydatek, et al. present
ecient mechanism for detecting forged aggregation values (min, max, median, average and
count). In their setting, a trusted outside user can query the WSN. The authors then look into
how to reduce the trust placed in the sink node (base station) while ensuring correctness of the
query response. Another work by Wagner [Wagner 2004] examines security of aggregation in
WSNs, describing attacks against existing aggregation schemes before providing a framework
in which to evaluate such a schemes security.
10. CONCLUSION
This paper proposes a new homomorphic encryption scheme that allows intermediate sensors
(aggregators) to aggregate the encrypted data of their children without having to decrypt them.
As a result, even if an aggregator gets compromised, the attacker wont be able to eavesdrop on
the data and aggregate, resulting in much stronger privacy than an aggregation scheme relying
on by hop-by-hop encryption.
We show that if the key streams used in our scheme are derived using a pseudorandom
function, our scheme can achieve semantic security against any collusion of size less than the
total number of nodes.
We evaluate the performance of our scheme. We show, as expected, that our scheme is
slightly less bandwidth ecient than the hop-by-hop aggregation scheme described previously.
However it provides a much stronger level of security. The privacy protection provided by
our scheme is in fact comparable to the privacy protection provided by a scheme that would
use end-to-end encryption and no aggregation (i.e. the aggregation is performed at the base
station). We show that our scheme is not only much more bandwidth-ecient than such an
approach, but it also distributes the communication load more evenly amongst the network
nodes, resulting in an extended longevity of the WSN.
Finally, we extend our scheme to provide end-to-end aggregate authentication. Without
knowledge of a group key, an external attacker has negligible probability of tampering the
aggregate without being detected in the extension.
In conclusion, we give ecient, provably secure solutions to provide end-to-end privacy and
authenticity (with reasonably good security assurance) for WSNs while en-route aggregation is
supported. The presented scheme only supports mean and variance computation. However, we
shown in [Castelluccia and Soriente 2008] that our construction could be used as a building block
for other aggregation schemes to support more functions (such as medium, mode, range,...).
REFERENCES
Bellare, M., Canetti, R., and Krawczyk, H. 1996. Keying hash functions for message authentication. In
Advances in Cryptology CRYPTO 1996, Springer-Verlag LNCS vol. 1109. 115.
Boneh, D., Gentry, C., Lynn, B., and Shacham, H. 2003. Aggregate and veriably encrypted signatures
from bilinear maps. In Advances in Cryptology EUROCRYPT 2003, Springer-Verlag LNCS vol. 2656.
416432.
Castelluccia, C., Mykletun, E., and Tsudik, G. 2005. Ecient aggregation of encrypted data in wireless
sensor networks. In the Proceedings of MobiQuitous05. 19.
Castelluccia, C. and Soriente, C. 2008. ABBA: Secure aggregation in wsns - a bins and balls approach.
6th International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks
(WiOpt).
Chan, A. C.-F. and Castelluccia, C. 2007. On the privacy of concealed data aggregation. In ESORICS
2007, Springer-Verlag LNCS vol. 4734. 390405.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
25
Chan, A. C.-F. and Castelluccia, C. 2008. On the (im)possibility of aggregate message authentication codes.
ePrint Archive, Report 2008-. http://.
Chan, H., Perrig, A., and Song, D. 2006. Secure hierarchical in-network aggregation in sensor networks. In
ACM Conference on Computer and Communication Security (CCS 06). 278287.
Eschenauer, L. and Gligor, V. D. 2000. A key management scheme for distributed sensor networks. ACM
CCS, 4147.
Girao, J., Westhoff, D., and Schneider, M. 2004. CDA: Concealed data aggregation in wireless sensor
networks. ACM WiSe 2004.
Goldreich, O. 2001. Foundations of Cryptography: Part 1. Cambridge University Press.
Goldwasser, S. and Micali, S. 1984. Probabilistic encryption. Journal of Computer and System Sci-
ences 28, 2, 270299.
Goldwasser, S., Micali, S., and Rivest, R. 1988. A secure signature scheme secure against adaptive chosen-
message attacks. SIAM Journal on Computing 17, 2, 281308.
Hu, L. and Evans, D. 2003. Secure aggregation for wireless networks. Workshop on Security and Assurance
in Ad hoc Networks.
Iwata, T. and Kurosawa, K. 2003. OMAC: One-key CBC MAC. In Fast Software Encryption (FSE 2003),
Springer-Verlag LNCS vol. 2887. 129153.
Karlof, C., Sastry, N., and Wagner, D. 2004. Tinysec: a link layer security architecture for wireless sensor
networks. Embedded Networked Sensor Systems, 162175.
Karlof, C. and Wagner, D. 2003. Secure routing in wireless sensor networks: Attacks and countermeasures.
Workshop on Sensor Network Protocols and Applications.
Katz, J. and Yung, M. 2006. Characterization of security notions for probabilistic private-key encryption.
Journal of Cryptology 19, 1, 6795.
Madden, S. R., Franklin, M. J., Hellerstein, J. M., and Hong, W. 2002. TAG: a Tiny AGgregation service
for ad-hoc sensor networks. Fith Annual Symposium on Operating Systems Design and Implementation, 131
146.
Naor, M., Reingold, O., and Rosen, A. 2002. Pseudorandom functions and factoring. SIAM Journal on
Computing 31, 5, 13831404.
Naor, M. and Yung, M. 1990. Public-key cryptosystems provably secure against chosen-ciphertext attacks.
In ACM Symposium on Theory of Computing (STOC 1990). 427437.
NIST. 2001. Advanced encryption standard. NIST (National Institute of Standards and Technology) FIPS
PUB 197.
Perrig, A., Stankovic, J., and Wagner, D. 2004. Security in wireless sensor networks. Communications of
the ACM 47, 5357.
Perrig, A., Szewczyk, R., Wen, V., Culler, D., and Tygar, D. 2001. SPINS: Security protocols for sensor
networks. In the Proceedings of ACM MOBICOM 2001. 189199.
Przydatek, B., Song, D., and Perrig, A. 2003. SIA: Secure information aggregation in sensor networks.
ACM SENSYS, 255265.
Rivest, R. L. 1995. The RC5 encryption algorithm. Dr. Dobbs Journal 1008.
Rivest, R. L., Shamir, A., and Adleman, L. M. 1978. A Method for Obtaining Digital Signatures and
Public-Key Cryptosystems. Communications of the ACM 21, 120126.
Vernam, G. S. 1926. Cipher printing telegraph systems for secret wire and radio telegraphic communications.
Journal of the American Institute of Electrical Engineers 45, 105115. See also US patent #1,310,719.
Wagner, D. 2004. Resilient aggregation in sensor networks. Workshop on Security of Ad Hoc and Sensor
Networks.
Westhoff, D., Girao, J., and Acharya, M. 2006. Concealed data aggregation for reverse multicast traf-
c in sensor networks: Encryption, key distribution, and routing adaption. IEEE Transactions on Mobile
Computing 5, 10, 14171431.
Wood, A. D. and Stankovic, J. A. 2002. Denial of service in sensor networks. IEEE Computer 35, 5462.
Yang, Y., Wang, X., Zhu, S., and Cao, G. 2006. SDAP: A secure hop-by-hop data aggregation protocol for
sensor networks. In the Proceedings of ACM Internation Symposium on Mobile Ad Hoc Networking and
Computing (MobiHoc) 2006.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
26
Zhu, S., Setia, S., Jajodia, S., and Ning, P. 2004. An interleaved hop-by-hop authentication scheme for
ltering false data in sensor networks. IEEE Symposium on Security and Privacy.
Appendix A: Semantic Security of Concealed Data Aggregation (CDA) [Chan and Castelluccia 2007]
Notation
We follow the notations for algorithms and probabilistic experiments that originate in [Gold-
wasser et al. 1988]. A detailed exposition can be found there. We denote by z A(x, y, . . .)
the experiment of running probabilistic algorithm A on inputs x, y . . ., generating output z. We
denote by A(x, y, . . .) the probability distribution induced by the output of A. The notations
x T and x
R
T are equivalent and mean randomly picking a sample x from the probability
distribution T; if no probability function is specied for T, we assume x is uniformly picked
from the sample space. We denote by N the set of non-negative integers. As usual, PPT denote
probabilistic polynomial time. An empty set is always denoted by .
CDA Syntax
A typical CDA scheme includes a sink R and a set U of n source nodes (which are usually
sensor nodes) where U = s
i
: 1 i n. Denote the set of source identities by ID; in the
simplest case, ID = [1, n]. In the following discussion, hdr ID is a header indicating the
source nodes contributing to an encrypted aggregate. A source node i has the encryption key
ek
i
while the sink keeps the decryption key dk from which all ek
i
s can be computed. Given a
security parameter , a CDA scheme consists of the following polynomial time algorithms.
Key Generation (KG). Let KG(1

, n) (dk, ek
1
, ek
2
, . . . , ek
n
) be a probabilistic algorithm.
Then, ek
i
(with 1 i n) is the encryption key assigned to source node s
i
and dk is the
corresponding decryption key given to the sink R.
Encryption (E). E
eki
(m
i
) (hdr
i
, c
i
) is a probabilistic encryption algorithm taking a plain-
text m
i
and an encryption key ek
i
as input to generate a ciphertext c
i
and a header hdr
i
ID.
Here hdr
i
indicates the identity of the source node performing the encryption; if the identity
is i, then hdr
i
= i. Sometimes the encryption function is denoted by E
eki
(m
i
; r) to explicitly
show by a string r the random coins used in the encryption process.
Decryption (D). Given an encrypted aggregate c and its header hdr ID (which indicates
the source nodes included in the aggregation), D
dk
(hdr, c) m/ is a deterministic algorithm
which takes the decryption key dk, hdr and c as inputs and returns the plaintext aggregate m
or possibly if c is an invalid ciphertext.
Aggregation (Agg). With a specied aggregation function f such as additive aggregation
considered in this paper, Agg
f
(hdr
i
, hdr
j
, c
i
, c
j
) (hdr
l
, c
l
) aggregates two encrypted aggre-
gates c
i
and c
j
with headers hdr
i
and hdr
j
respectively (where hdr
i
hdr
j
= ) to create
a combined aggregate c
l
and a new header hdr
l
= hdr
i
hdr
j
. Suppose c
i
and c
j
are the
ciphertexts for plaintext aggregates m
i
and m
j
respectively. The output c
l
is the cipher-
text for the aggregate f(m
i
, m
j
), namely, D
dk
(hdr
l
, c
l
) f(m
i
, m
j
). This paper considers
f(m
i
+m
j
) = m
i
+m
j
mod M. Note that the aggregation algorithm does not need the decryp-
tion key dk or any of the encryption keys ek
i
as input; it is a public algorithm.
It is intentional to include the description of the header hdr in the security model to make it
as general as possible (to cover schemes requiring headers in their operations). hdr is needed
in some schemes to identify the set of decryption keys required to decrypt a certain ciphertext.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
27
Nonetheless, generating headers or including headers as input to algorithms should not be
treated as a requirement in the actual construction or implementation of CDA algorithms. For
constructions which do not need headers, all hdrs can simply be treated as the empty set in
the security model.
The Notion of Semantic Security
Only one type of oracle queries (adversary interaction with the system) is allowed in the security
model, namely, the encryption oracle O
E
. The details are as follows:
Encryption Oracle O
E
(i, m, r).. For xed encryption and decryption keys, on input an en-
cryption query i, m, r), the encryption oracle retrieves s
i
s encryption key ek
i
and runs the
encryption algorithm on m and replies with the ciphertext E
eki
(m) and its header hdr. The
random coins or nonce r is part of the query input to O
E
.
The encryption oracle is needed in the security model since the encryption algorithm uses
private keys.
To dene security (more specically, indistinguishability) against chosen plaintext attacks
(IND-CPA), we use the following game played between a challenger and an adversary, assuming
there is a set U of n source nodes. If no PPT adversary, even in collusion with at most t
compromised nodes, can win the game with non-negligible advantage (as dened below), we
say the CDA scheme is t-secure. The adversary is allowed to freely choose parameters n and t.
Definition 3. A CDA scheme is t-secure (indistinguishable) against adaptive chosen plaintext
attacks if the advantage of winning the following game is negligible in the security parameter
for all PPT adversaries.
Collusion Choice. The adversary chooses to corrupt t source nodes. Denote the set of these
t corrupted nodes and the set of their identities by S

and I

respectively.
Setup. The challenger runs the key generation algorithm KG to generate a decryption key dk
and n encryption keys ek
i
: 1 i n, and gives the subset of t encryption keys ek
j
: s
j

S

to the adversary but keeps the decryption key dk and the other (n t) encryption keys
ek
j
: s
j
US

.
Query 1. The adversary can issue to the challenger one type of queries:
- Encryption Query i
j
, m
j
, r
j
). The challenger responds with E
ei
j
(m
j
) using random coins
r
j
. The adversary is allowed to choose and submit his choices of random coins for encryption
queries.
Challenge. Once the adversary decides that the rst query phase is over, it selects a subset
S of d source nodes (whose identities are in the set I) such that [SS

[ > 0, and outputs two

dierent sets of plaintexts M
0
= m
0k
: k I and M
1
= m
1k
: k I to be challenged. The
only constraint is that the two resulting plaintext aggregates x
0
and x
1
are not equal where
x
0
= f(. . . , m
0k
, . . .) and x
1
= f(. . . , m
1k
, . . .).
The challenger ips a coin b 0, 1 to select between x
0
and x
1
. The challenger then en-
crypts each m
bk
M
b
with ek
k
and aggregates the resulting ciphertexts in the set E
ek
k
(m
bk
) :
k I to form the ciphertext C of the aggregate, that is, C = E
{ek
k
:kI}
(x
b
), and gives C
to the adversary. The challenger chooses and passes the nonce to the adversary. The global
random coins should be chosen dierent from those used in the Query 1 phase and no query
on them should be allowed in the Query 2 phase.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
28
Query 2. The adversary is allowed to make more queries as previously done in Query 1 phase.
Guess. Finally, the adversary outputs a guess b

0, 1 for b.
Result. The adversary wins the game if b

= b. The advantage of the adversary is dened as:

Adv
A
=

Pr[b

= b]
1
2

.
Note that in CDA what the adversary is interested in is the information about the nal
aggregate. Consequently, in the above game, the adversary is asked to distinguish between the
ciphertexts of two dierent aggregates x
0
and x
1
as the challenge, rather than to distinguish
the two sets of plaintexts M
0
and M
1
. Allowing the adversary to choose the two sets M
0
, M
1
is to give him more exibility in launching attacks.
Appendix B: Proof of Theorem 1
Proof: For the sake of clarity, we rst prove the security of a version without using the hash
function h. Then we show why the proof also works for the hashed version. The reduction
is based on the indistinguishability property of a pseudorandom function which is stated as
follows:
Indistinguishability Property of a Pseudorandom Function.
Assume f is taken from a pseudorandom function. Then for a xed input argument x
and an unknown, randomly picked key K, the following two distributions are computationally
indistinguishable provided that polynomially many evaluations of f
K
() have been queried:
y = f
K
(x) : y, y 0, 1

: y.
That is, the output f
K
(x) is computationally indistinguishable from a randomly picked number
from 0, 1

to any PPT distinguisher who has knowledge of the input argument x and a
set of polynomially many 2-tuples (x
i
, f
K
(x
i
)) where x
i
,= x. More formally, for any PPT
distinguisher T,
[Pr[y = f
K
(x) : T(x, y) = 1] Pr[y 0, 1

: T(x, y) = 1][ < ()

where () is a negligible function in .
Proof for the Non-hashed Scheme.
Without loss of generality, we prove the security of a modied version of the construction
in which each encryption key is uniformly picked from 0, 1

, compared with keys generated

by a pseudorandom function in the actual scheme. We then provide a justication why the
inference applies to the actual implementation.
Suppose there exists a PPT adversary D which can break the semantic security of the scheme
with non-negligible advantage Adv
CMT
D
. We show in the following how D can be used to
construct an algorithm D

which can distinguish the above distributions with non-negligible

advantage. Assume the key K in question is unknown to D

.
Algorithm D

Setup. Allow the adversary D to choose any n 1 sources to corrupt. Randomly pick n 1
encryption keys ek
i

R
0, 1

and pass them to the adversary. Assume node n is uncorrupted.

The encryption key for node n is taken to be K, the key of the pseudorandom function D

is
being challenged with.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
29
Query. Upon receiving an encryption query i
j
, m
j
, r
j
) with nonce r
j
, return c
j
= (f
eki
j
(r
j
)+
m
j
) mod M if i
j
,= n. Otherwise, pass r
j
to query the pseudorandom function to get back
f
K
(r
j
) and reply with c
j
= (f
K
(r
j
) +m
j
) mod M.
Challenge. In the challenge phase, receive from D two sets of plaintext messages M
0
=
m
01
, m
02
, . . . , m
0n
and M
1
= m
11
, m
12
, . . . , m
1n
.
Randomly pick a number w and output it to the pseudorandom function challenger to ask
for a challenge. Note w is the nonce used for CDA encryption in the challenge for D. The
pseudorandom function challenger ips a coin b 0, 1 and returns t
b
, which is f
K
(w) when
b = 0 and randomly picked from 0, 1

when b = 1. These two cases corresponds to the two

distributions discussed above.
Randomly ip a coin d 0, 1, and return the challenge ciphertext c
d
to D where c
d
=

n
i=1
m
di
+

n1
i=1
f
eki
(w) +t
b
.
Guess. D returns its guess b

. Return b

which is 0 when b

= d and 1 otherwise.
Obviously, if D is PPT, then D

is also PPT. Denoting the expression

n
i=1
m
di
+

n1
i=1
f
eki
(w)
by X
d
, the challenge passed to D can be expressed as c
d
= X
d
+t
b
. When b = 0, t
b
= f
K
(w);
when b = 1, t
b
is a randomly picked number from0, 1

. In the following discussion, we denote

the output of D on input c
d
by D(c
d
). The probability of success for D

to distinguish between
f
K
(w) and a random number is:
Pr
PRF
D
[Success] = Pr[b

= b]
=
1
2
Pr[b

= 0[b = 0] +Pr[b

= 1[b = 1]
=
1
4
Pr[b

= 0[b = 0, d = 0] +Pr[b

= 0[b = 0, d = 1]
+Pr[b

= 1[b = 1, d = 0] +Pr[b

= 1[b = 1, d = 1]
=
1
4
Pr[D(t
0
+X
0
) = 0] +Pr[D(t
0
+X
1
) = 1]
+Pr[D(t
1
+X
0
) = 0] +Pr[D(t
1
+X
1
) = 1]
=
1
4
Pr[D(t
0
+X
0
) = 0] +Pr[D(t
0
+X
1
) = 1]
+1 Pr[D(t
1
+X
0
) = 1] +Pr[D(t
1
+X
1
) = 1]
=
1
4
2Pr
CMT
D
[Success] + 1 (Pr[D(t
1
+X
0
) = 1] Pr[D(t
1
+X
1
) = 1]).
Note that t
0
+ X
0
and t
0
+ X
1
are valid ciphertexts for the two challenges plaintext sets M
0
and M
1
respectively. In the last step, we make use of the fact that the probability of success
for D to break the semantic security of the scheme is given by:
Pr
CMT
D
[Success] =
1
2
Pr[D(t
0
+X
0
) = 0] +
1
2
Pr[D(t
0
+X
1
) = 1].
Rearranging terms, we have
4Pr
PRF
D
[Success] +Pr[D(t
1
+X
0
) = 1] Pr[D(t
1
+X
1
) = 1] = 2Pr
CMT
D
[Success] + 1
4(Pr
PRF
D
[Success]
1
2
) +Pr[D(t
1
+X
0
) = 1]
Pr[D(t
1
+X
1
) = 1]
= 2(Pr
CMT
D
[Success]
1
2
).
Taking absolute value on both sides and substitute Adv
PRF
D
= [Pr
PRF
D
[Success]
1
2
[ and
Adv
CMT
D
= [Pr
CMT
D
[Success]
1
2
[, we have
2Adv
PRF
D
+
1
2
[Pr[D(t
1
+X
0
) = 1] Pr[D(t
1
+X
1
) = 1][ Adv
CMT
D
.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
30
Since t
1
is a randomly picked number, t
1
+ X
0
and t
1
+ X
1
are identically distributed.
That is, for any PPT algorithm D, Pr[D(t
1
+X
0
) = 1] = Pr[D(t
1
+X
1
) = 1]. Hence,
2Adv
PRF
D
() Adv
CMT
D
().
Note also that:

Pr[x 0, 1

; y = f
K
(x) : D

(y) = 1] Pr[y 0, 1

: D

(y) = 1]

> 2Adv
PRF
D
().
If Adv
CMT
D
is non-negligible in , then so is Adv
PRF
D
. As a result, if D can break the semantic
security of the scheme with non-negligible advantage, D

could distinguish between the out-

put of pseudorandom function f and a random number. Equivalently, [Pr[x 0, 1

; y =
f
K
(x) : D

(y) = 1] Pr[y 0, 1

: D

(y) = 1][ is non-negligible (a contradiction to the

indistinguishability property of a pseudorandom function).
The above security argument applies to the actual implementation since the view of the
adversary D in the above simulation is in essence the same as that in the actual scheme. For
each one of the n 1 corrupted node, the encryption key is f
K
(i) ( 1 i n 1) for
some randomly picked master key K

. By the property of pseudorandom function, f

K
(i) is
indistinguishable from a randomly picked key (as used in the above simulation game) for all PPT
distinguisher algorithms. For the uncorrupted node, its output for encryption is now f
f
K
(n)
(x)
instead of f
K
(x) (with randomly picked K) as used in the above simulation game. It can be
shown by a contrapositive argument that, for xed n, the two distributions are computationally
indistinguishable, that is,

0, 1

; x 0, 1

: f
f
K
(n)
(x)

K 0, 1

; x 0, 1

: f
K
(x)

.
The argument is as follows: Assume f is a pseudorandom function. That is, A = K

0, 1

: f
K
(n) is indistinguishable from B = K 0, 1

: K for all PPT distinguishers.

If there exists a PPT distinguisher D which can distinguish between X = K

0, 1

; x
0, 1

: f
f
K
(n)
(x) and Y = K 0, 1

; x 0, 1

: f
K
(x), we can use D to distinguish
between A and B. The idea is when we receive a challenge s which could be from A or B, we
send f
s
(x) as a challenge for D. If s belongs to A, f
s
(x) belongs to X, and if s belongs to B,
f
s
(x) belongs to Y . We could thus distinguish X from Y (a contradiction).
Security of the Hashed Version.
Only a few modications to the security proof above are needed in order to prove the security
of the hashed variant.
First, in the algorithm D

, all ciphertexts are now generated using the hashed values of the
pseudorandom function outputs or replies from the challenger of D

. With such changes, we

now denote the expression

n
i=1
m
di
+

n1
i=1
h(f
eki
(w)) by X
d
. Of course, the modulus size
would be l instead of .
Second, the challenge passed to D would be: c
d
= X
d
+ h(t
b
). Then the derivation for the
advantage expressions is essentially the same as that for the non-hashed scheme.
Third, the security proof of the non-hashed scheme relies on the fact that t
1
0, 1

:
t
1
+X
0
and t
1
0, 1

: t
1
+X
1
are identical distribution. On the contrary, to prove the
security of hashed scheme, we need the following distributions to be identical:
t
1
0, 1

: h(t
1
) +X
0
, t
1
0, 1

: h(t
1
) +X
1
.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.
31
If h fullls the requirement mentioned above, then t
1
0, 1

: h(t
1
) is the uniform
distribution over 0, 1
l
. Consequently, the above two distributions are identical. This thus
concludes the proof that hashed scheme is semantically secure.
ACM Transactions on Sensor Networks, Vol. V, No. N, Month 20YY.