RCDA: Recoverable Concealed Data Aggregation for Data Integrity in Wireless Sensor Networks

eggplantcinnabar, Mobile - Wireless

Nov 21, 2013

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 23, NO. 4, APRIL 2012



RCDA: Recoverable Concealed Data Aggregation for Data Integrity in Wireless Sensor Networks

Chien-Ming Chen, Yue-Hsun Lin, Ya-Ching Lin, and Hung-Min Sun


Abstract

Recently, several data aggregation schemes based on privacy homomorphism encryption have been proposed and investigated on wireless sensor networks. These data aggregation schemes provide better security compared with traditional aggregation since cluster heads (aggregators) can directly aggregate the ciphertexts without decryption; consequently, transmission overhead is reduced. However, the base station only retrieves the aggregated result, not individual data, which causes two problems. First, the usage of aggregation functions is constrained. For example, the base station cannot retrieve the maximum value of all sensing data if the aggregated result is the summation of sensing data. Second, the base station cannot confirm data integrity and authenticity via attaching message digests or signatures to each sensing sample. In this paper, we attempt to overcome the above two drawbacks. In our design, the base station can recover all sensing data even if these data have been aggregated. This property is called "recoverable." Experiment results demonstrate that the transmission overhead is still reduced even if our approach is recoverable on sensing data. Furthermore, the design has been generalized and adopted on both homogeneous and heterogeneous wireless sensor networks.

Index Terms: Concealed data aggregation, wireless sensor networks, privacy homomorphism encryption.



1 INTRODUCTION

Wireless sensor networks (WSN) have been widely deployed in many applications, e.g., military field surveillance, health care, environment monitoring, accident reporting, etc. A WSN is composed of a large number of sensors which collaborate with each other. Each sensor detects a target within its radio range, performs simple computations, and communicates with other sensors. Generally, sensors are constrained in battery power, communication, and computation capability; therefore, reducing the power consumption is a critical concern for a WSN.

Recently, a practical solution called data aggregation [1], [2], [3] was introduced. The original concept is to aggregate multiple sensing data by performing algebraic or statistical operations such as addition, multiplication, median, minimum, maximum, and mean of a data set, etc. Normally, data aggregation is performed by cluster heads if the whole network is divided into several groups known as clusters. For example, in military fields, sensors are deployed to measure radiation or chemical pollution. The base station (sink) may require the maximum value of all sensing data to trigger the immediate response; thus, each cluster head selects the maximum value of multiple sensing data of its cluster members and sends the result to the base station. Obviously, communication cost is reduced since only aggregated results reach the base station.

Unfortunately, an adversary has the ability to capture cluster heads. It would cause the compromise of the whole cluster; consequently, several schemes, such as ESPDA [4] and SRDA [5], have been proposed. However, these schemes restrict the data type of aggregation or cause extra transmission overhead. Besides, an adversary can still obtain the sensing data of its cluster members after capturing a cluster head. To solve the above problems completely, two ideas are used in recent research [6], [7], [8]. First, data are encrypted during transmission. Second, cluster heads directly aggregate encrypted data without decryption.

A well-known approach named Concealed Data Aggregation (CDA) [6] has been proposed based on these two ideas. CDA provides both end-to-end encryption and in-network processing in WSN. Since CDA applies privacy homomorphism (PH) encryption with additive homomorphism, cluster heads are capable of executing addition operations on encrypted numeric data. Later, several PH-based data aggregation schemes [7], [8] have been proposed to achieve higher security levels.

In the above PH-based schemes [6], [7], [8], the base station receives only the aggregated results. However, it brings two problems. First, the usage of aggregation functions is constrained. For example, these schemes only allow cluster heads to perform additive operations on ciphertexts sent by sensors; therefore, they are ineffective if the base station desires to query the maximum value of all sensing data. Second, the base station cannot verify the integrity and authenticity of each sensing data. These problems seem to be solved if the base station can receive all sensing data rather than aggregated results, but this method is in direct contradiction to the concept of data aggregation, in which the base station obtains only aggregated results. Thus, we attempt to design an approach that allows the base station to receive all sensing data but still reduces the transmission overhead.

Contributions. In this paper, we introduce a concept named Recoverable Concealed Data Aggregation (RCDA). In RCDA, a base station can recover each sensing data generated by all sensors even if these data have been aggregated by cluster heads (aggregators). With these individual data, two functionalities are provided. First, the base station can verify the integrity and authenticity of all sensing data. Second, the base station can perform any aggregation functions on them. Then, we propose two RCDA schemes named RCDA-HOMO and RCDA-HETE for homogeneous and heterogeneous WSN, respectively. In the security analysis, we demonstrate that the proposed schemes are secure under our attack model. Through experiments, we show that the performance of our design is reasonable and affordable. We also provide detailed comparisons with other schemes.

The authors are with the Department of Computer Science, National Tsing Hua University, No. 101, Section 2, Kuang-Fu Road, Hsinchu, Taiwan 30013, R.O.C. E-mail: {kkyy, tenma, 9962602}@is.cs.nthu.edu.tw, hmsun@cs.nthu.edu.tw.

Manuscript received 19 Apr. 2010; revised 26 Feb. 2011; accepted 7 Apr. 2011; published online 10 Aug. 2011. Recommended for acceptance by X.-Y. Li. For information on obtaining reprints of this article, please send e-mail to: tpds@computer.org, and reference IEEECS Log Number TPDS-2010-04-0229. Digital Object Identifier no. 10.1109/TPDS.2011.219.

1045-9219/12/$31.00 © 2012 IEEE. Published by the IEEE Computer Society.



2 RELATED WORKS

Numerous secure data aggregation schemes have been proposed. These schemes are designed for different security requirements. A number of schemes [9], [10] have been proposed based on the commit-and-attest principle. In these schemes, the base station broadcasts aggregation results to all sensors. Then, every sensor verifies that its sensing data were indeed counted. Another work [11] can actually count and sum even if a few compromised sensors inject false values. Yu [12] introduces a random sampling technique that enables aggregation queries to not only detect malicious sensors, but also to tolerate them.

On the other hand, several studies [6], [7], [8] attempt to provide confidentiality. That is, an aggregator can directly execute addition operations on encrypted numeric data. CDA [6] places more emphasis on passive attacks. More specifically, it considers whether adversaries can eavesdrop on the communications on the air. After CDA, succeeding research [7], [8] has been proposed to achieve higher security levels. They consider the following scenario. If sensors within the same cluster encrypt their sensing data with a common secret key, an adversary may decrypt or fake the aggregated ciphertext by compromising only one sensor. Castelluccia et al. [7] proposed a new PH-based aggregation scheme to overcome this security problem by generating a temporal key for each transmission. Although the influence of compromising a sensor is actually reduced, two practical issues must be considered. First, rekeying operations for each sensor cause this scheme to be impractical. Second, a synchronization mechanism should be provided. Later, Mykletun et al. [8] proposed a data aggregation scheme based on additively homomorphic public-key encryption. It seems more secure since every sensor stores only the public key. The adversary cannot launch the same attack through compromising only one sensor. Nevertheless, the adversary can still impersonate other legal sensors to send forged ciphertexts to the cluster head with the same public key. Authenticity of data is not supported. In our work, we desire to design a scheme which provides both integrity and confidentiality.



3 PRELIMINARIES

In this section, we first describe the network models and define the attack model. Then, Mykletun et al.'s [8] and Boneh et al.'s schemes [13] are reviewed since they are the foundation of the proposed schemes.


3.1 Network Model

A WSN is controlled by a base station (BS). A BS has large bandwidth, strong computing capability, sufficient memory, and stable power to support the cryptographic and routing requirements of the whole WSN. Besides the BS, sensors (SNs) are also deployed to sense and gather the results they are responsible for on behalf of the BS. Typical SNs are small and low cost; hence, SNs are limited in computation, storage, and communication capability. Generally, all SNs in a WSN may be divided into several clusters after being deployed. Several research works [14], [15], [16] have shown that a cluster-based WSN has several advantages such as efficient energy management, better scalability of MAC (medium access control) or routing, etc. Each cluster has a cluster head (CH) responsible for collecting and aggregating sensing data from SNs within the same cluster. A CH then sends the aggregation results to the BS. In a homogeneous WSN, cluster heads act as normal SNs. On the other hand, in a heterogeneous WSN, which incorporates different types of SNs with different capabilities, the cluster heads are powerful high-end sensors (H-Sensors).


3.2 Attack Model

The attack model is defined based on the ability of adversaries. Here, we consider the following three cases:

1. Without compromising any SN or CH. An adversary can only eavesdrop on packets in the air, so he can modify or inject forged messages with this public information.

2. Compromising SNs. After compromising an SN, an adversary can obtain secrets such as encryption/decryption keys. Then, an adversary can obtain sensing data and packets passed through the captured SN, or impersonate this compromised sensor to forge malicious data.

3. Compromising CHs. After compromising a CH, an adversary can obtain the secrets and perform the following attacks. First, an adversary can decrypt the ciphertext of sensing data sent by its cluster members. Second, an adversary can generate forged aggregation results.


3.3 Mykletun et al.'s Encryption Scheme

Mykletun et al. [8] proposed a concealed data aggregation scheme based on the elliptic curve ElGamal (EC-EG) cryptosystem. It consists of four procedures: key generation (KeyGen), encryption (Enc), aggregation (Agg), and decryption (Dec). Details are illustrated in Fig. 1. In Fig. 1, the symbols + and · denote addition and scalar multiplication on elliptic curve points, respectively.

Fig. 1. Mykletun et al.'s and Boneh et al.'s schemes. (figure not reproduced in this copy)

TABLE 1. Notations Used in RCDA-HOMO. (table body not reproduced in this copy)

Fig. 2. Example of homogeneous WSN environment. (figure not reproduced in this copy)


3.4 Boneh et al.'s Signature Scheme

Boneh et al. [13] proposed an aggregate signature scheme which merges a set of distinct signatures into one aggregated signature. This scheme consists of five procedures: key generation (KeyGen), signing (Sign), verifying (Verify), aggregation (Agg), and verifying the aggregated signature (Agg-Verify). Details are given in Fig. 1. Boneh et al.'s scheme is based on a bilinear map $e_n$ which is defined as $e_n : G_1 \times G_2 \to G_T$, where the groups $G_1$, $G_2$, and $G_T$ are cyclic groups of prime order $n$. $G_1$ and $G_2$ are $n$-torsion point groups on an elliptic curve $E$ under a finite field $F_p$, i.e., $n \cdot P = n \cdot Q = 1$, where $\forall P \in G_1$ and $\forall Q \in G_2$. $G_T$ is the group of $n$th roots of unity in an extension field $F_{p^k}$, i.e., $G_T = \{\, x \in F_{p^k} \mid x^n = 1_T \,\}$. The group operation in $G_1$ and $G_2$ is point addition and the one in $G_T$ is multiplication over a finite field.

4 A RCDA SCHEME FOR HOMOGENEOUS WSN (RCDA-HOMO)

In this section, we propose a recoverable concealed data aggregation scheme named RCDA-HOMO for homogeneous WSN. Table 1 lists the notations that we will use later.

4.1 Construction of RCDA-HOMO

RCDA-HOMO is composed of four procedures: Setup, Encrypt-Sign, Aggregate, and Verify. The Setup procedure is to prepare and install the necessary secrets for the BS and each sensor. When a sensor decides to send sensing data to its CH, it performs Encrypt-Sign and sends the result to the CH. Once the CH receives all results from its members, it activates Aggregate to aggregate what it received, and then sends the final results (aggregated ciphertext and signature) to the BS. The last procedure is Verify. The BS first extracts individual sensing data by decrypting the aggregated ciphertext. Afterward, the BS verifies the authenticity and integrity of the decrypted data based on the corresponding aggregated signature.

To present RCDA-HOMO in a simple way, we choose Cluster 1 (see Fig. 2) as an example. $SN_\omega$ is selected as the CH of Cluster 1, which contains the remaining sensors $\{SN_1, \ldots, SN_{\omega-1}\}$. The detailed procedures are listed as follows:

Setup: The BS generates the following key pairs:

1. $(P_{SN_i}, R_{SN_i})$: For each sensor $SN_i$, the BS generates $(P_{SN_i}, R_{SN_i})$ by the KeyGen procedure (see Boneh et al.'s scheme in Fig. 1), where $P_{SN_i} = v_i$ and $R_{SN_i} = x_i$.

2. $(P_{BS}, R_{BS})$: These keys are generated by the KeyGen procedure (see Mykletun et al.'s scheme in Fig. 1), where $P_{BS} = \{Y, E, p, G, n\}$ and $R_{BS} = t$.

After that, $R_{SN_i}$, $P_{BS}$, and $H$ are loaded to $SN_i$ for all $i$. Finally, the BS keeps all public keys $P_{SN_i}$ and its own $R_{BS}$ in privacy.

Encrypt-Sign: This procedure is triggered when a sensor decides to send its sensing data to the cluster head ($CH_1$ in Fig. 2). Detailed steps are listed as follows:

1. Encoding $d_i$: $m_i = d_i \,\|\, 0^{\alpha}$, where $\alpha = l \cdot (i - 1)$.

2. After encoding, $SN_i$ computes:

   a. Signature: $\sigma_i = x_i \cdot h_i$, where $h_i = H(d_i)$.

   b. Ciphertext: $c_i = (r_i, s_i) = (k_i \cdot G,\; M_i + k_i \cdot Y)$, where $k_i$ is randomly selected from $\{0, \ldots, n-1\}$, $M_i = map(m_i) = m_i \cdot G$, and $n, G, Y \in P_{BS}$.

3. At the end, $SN_i$ sends the pair $(c_i, \sigma_i)$ to $CH_1$.

Here, $map()$ maps a scalar value $m$ to a curve point $M$. $map()$ satisfies the additive homomorphic property, i.e., $map(m_1 + \cdots + m_n) = (m_1 + \cdots + m_n) \cdot G = m_1 \cdot G + \cdots + m_n \cdot G = map(m_1) + \cdots + map(m_n)$. The reverse function $rmap()$ maps a given point $M$ to the scalar value $m \in F_p$. $rmap()$ can be achieved by Pollard's method on elliptic curve cryptosystems [8], [17].

Aggregate: The Aggregate procedure is launched after the CH has gathered all ciphertext-signature pairs, i.e., $CH_1$ has gathered $\omega - 1$ pairs $((c_1, \sigma_1), \ldots, (c_{\omega-1}, \sigma_{\omega-1}))$ over a period of time. The aggregation operations are given as follows:

1. Aggregated ciphertext: $\hat{c} = (\hat{r}, \hat{s}) = \sum_{i=1}^{\omega-1} c_i = \left( \sum_{i=1}^{\omega-1} r_i,\; \sum_{i=1}^{\omega-1} s_i \right)$.

2. Aggregated signature: $\hat{\sigma} = \sum_{i=1}^{\omega-1} \sigma_i$.

3. Send the aggregated result $(\hat{c}, \hat{\sigma})$ to the BS.

Verify: On receiving $(\hat{c}, \hat{\sigma})$ from $CH_1$, the BS can recover and verify each sensing data via the following steps:

1. The BS obtains $M'$ by decrypting $\hat{c}$ with $R_{BS}$: $M' = -t \cdot \hat{r} + \hat{s} = M_1 + \cdots + M_{\omega-1}$.

2. The BS obtains $m'$ from $M'$ through the reverse function $rmap()$: $m' = rmap(M') = m_1 + \cdots + m_{\omega-1}$.

3. The BS obtains each sensing data from $m'$ by the Decode function $Decode(m', \omega - 1, l)$: $d_i = m'[(i-1) \cdot l,\; i \cdot l - 1]$, where $i = 1, \ldots, \omega - 1$.

4. The BS verifies each $d_i$ by checking whether the equation $e_n(\hat{\sigma}, g_2) = \prod_{i=1}^{\omega-1} e_n(h_i, P_{SN_i})$ holds or not. Each element $h_i$ is derived from hashing $d_i$, i.e., $h_i = H(d_i)$. Note that $e_n$ is the bilinear map (see Section 3.4). For all $d_i$, if the equation holds, the BS accepts; otherwise, the BS rejects.

Similarly, the BS may receive other ciphertext and signature pairs from other clusters. The BS can recover all sensing data within the whole WSN. After confirming the integrity of all data, the BS can perform any operations it wants since all individual data are reverted.

4.2 A Concrete Example

Now we give an example to demonstrate how RCDA-HOMO works. Assume that a WSN consists of five sensors denoted as $\{SN_1, \ldots, SN_5\}$ and $SN_5$ is selected as CH. Assume that the sensing data of each sensor are $d_1 = 5$, $d_2 = 3$, $d_3 = 7$, and $d_4 = 8$. Length $l$ is set as 4 since 4 bits is sufficient to represent all sensing data in this example. $SN_3$ performs the Encrypt-Sign procedure as follows:

1. Encode $d_3$: $m_3 = d_3 \,\|\, 0^{\alpha} = (011100000000)_2$, where $\alpha = l \cdot (i - 1) = 4 \cdot 2 = 8$.

2. Compute $(c_3, \sigma_3)$ and send it to the CH.

Similarly, $SN_1$, $SN_2$, and $SN_4$ send their own $(c_i, \sigma_i)$ pairs to the CH. Note that $m_1 = (0101)_2$, $m_2 = (00110000)_2$, and $m_4 = (1000000000000000)_2$. After gathering the four pairs $(c_i, \sigma_i)$, $i = 1, \ldots, 4$, the CH aggregates the ciphertexts and signatures through the Aggregate procedure. The CH then sends the aggregated result $(\hat{c}, \hat{\sigma})$ to the BS. After that, the BS executes the Verify procedure:

1. The BS decrypts the ciphertext $\hat{c}$ through $R_{BS}$. It obtains $M' = M_1 + M_2 + M_3 + M_4$ and further retrieves $m' = (1000011100110101)_2$.

2. The BS applies $Decode(m', 4, 4)$ to obtain the individual sensing data, i.e., $d_i = m'[4 \cdot (i-1),\; 4 \cdot i - 1]$ for all $i$: $d_1 = (0101)_2 = 5$, $d_2 = (0011)_2 = 3$, $d_3 = (0111)_2 = 7$, and $d_4 = (1000)_2 = 8$.

3. Finally, the BS verifies the aggregated signature $\hat{\sigma}$ by checking whether the equation $e_n(\hat{\sigma}, g_2) = \prod_{i=1}^{4} e_n(h_i, P_{SN_i})$ holds or not, where $h_i = H(d_i)$.

5 A RCDA SCHEME FOR HETEROGENEOUS WSN

Here, we consider another environment, the heterogeneous WSN. A concealed data aggregation scheme for heterogeneous WSN has been proposed [18]; however, their scheme does not provide data integrity and recovery. We first propose a naive RCDA-HETE scheme. Later, we will propose another scheme named RCDA-HETE for the case where H-Sensors are designed to be tamper-resistant.

5.1 Naive RCDA-HETE Scheme

Actually, RCDA-HOMO can be applied to heterogeneous WSN without modification. We call this approach naive RCDA-HETE. Since H-Sensors are capable of stronger computation and have a stable power supply, they can perform more complex tasks than L-Sensors. Thus, H-Sensors can act as cluster heads. Obviously, naive RCDA-HETE also achieves the Recovery property.

5.2 RCDA-HETE Scheme

Here, we attempt to fully exploit H-Sensors, which have stronger computing capability. Operations on L-Sensors


could

be

switched
to

H
-
Sensors.

In

addition,

H
-
Sensors

can

be

designed

to

be

tamper
-
resistant,

so

we

may


allow

H
-

Sensors

to

store

the

partial

secret

information


if

required.

With

these

considerations,

we

redesign

an


RCDA

scheme

named

RCDA
-
HETE.

While

the

use

of

tamper
-
resistant

devices

may

rise


the

hardware
cost;

however,
in

a

heterogeneous

WSN,

majority

of

sensors

are

low
-
end

sensors

(L
-
Sensors).

In


our

design,

computation

cost

on

L
-
Sensors

is

switched

to

H
-
Sensors,

so

L
-
Sensors

can

be

very

cheap

and

simple.

In

fact,

the

overall

hardware

cost

is

reduced.

RCDA
-
HETE

is

composed

of

five

procedures:


Setu
p
,

I
n
t
r
a
c
luste
r

Encryp
t
,

Intercl
u
s
te
r

E
n
c
r
yp
t
,

Aggr
e
g
ate
,

a
nd
Verif
y
.

In

the

Setup

procedure,

necessar
y

secrets

are

loaded

to

each

H
-
Sensor

and

L
-
Sensor.

Intracluster


Encrypt

proce
-

dure

involves

when

L
-
Sensors

desire

to

send

their

sensing

data

to

the

corresponding


H
-
Sensor.


In

the

Intercluster

Encrypt

procedure,

each


H
-
Sensor

aggrega
tes

the

received

data

and

then

encrypts

and

signs

the

aggregated

result.

In

addition,

if

an

H
-
Sensor

receives

ciphertexts

and

signatures

from


other

H
-
Sensors

on

its

routing

path,

it
activates

the



















































i

i

i

CHEN

ET

AL.:

RCDA:

REC
O
VERABLE

CONCEALED

DA
TA

AGG
R
EGATION

FOR

DATA

INTE
G
RITY

IN

WIRELESS

SENS
O
R

NETWORKS


731



TABLE

2

Notations

Used

in

RCDA
-
HET
E
*3

















Fig.

3.

An

example

of

heterog
e
neous

WSN.


Aggregate

procedure.

Finally,

the

Verify

procedure


ensures

the

authentic
ity

and

integrity

of

each

aggregated

result.

To

b.


Ciphertext:
c
1

¼

ð
r
1

;

s
1

Þ

¼

ðk
1



G;

M
1

þ

k
1




Y

Þ
,
where

k

is

randomly

selected

from

f
1
;

..
.

;

n
g
,

M
1

¼

ma
p
ð
m
1

Þ

¼

m
1



G,

and

n;

G;

Y


2

P
BS

.

3.


H
1

sends

the

pair

ð
c
1

;

1

Þ

to

H
3

.

Similarly,

each


H
j

also

calculates

ð
c
j

;

j

Þ

from



j

in

other

clusters.

Aggregat
e
: As

an

example shown

in

Fig.

3,

if

H
3


receives

ðc
1

;

1

Þ

from

H
1

and

ðc
2

;

2

Þ

from

H
2

,

H
3

will


execute

this

procedure

to

aggregate

ðc
1
;
1

Þ
,

ð
c
2

;

2

Þ

and

its

own

ðc
3
;
3

Þ

as

follows:

P
3

P
3

e
xplain

RCDA
-
HE
T
E

cl
e
arly,

a

heter
o
gene
o
us

W
S
N


is

given

in

Fig.

3.

The

notations

are

listed

in

Table

2

and

the

1.


Aggregated

ciphertexts:

c
^
3

¼

ð


2.


Aggregated

signature:


^
3

¼

P
3

i¼1

r
i

,

i
¼1

s
i
Þ
.

detailed

procedures

are

described

below.

Setup:

In

the

beginning,

the

BS

generates

the


following

keys:


1.


(
R
H
i

;

P
H
i

):

the

BS

generates
this

key

pair

for

each

H
-

Sensor

according

to

KeyGen

of

Boneh

et

al.’s

scheme

i
¼
1


i

.

Finally,

H
3

sends

(
c
^
3

;

^
3

)

to

H
5

.

Similarly,

H
5

can


also

a
g
g
regat
e

ð
c
4

;

4

Þ
,


ð
c
5

;

5

Þ
,


an
d

(
c
^
3

;

^
3

)

an
d

g
e
t


a


new

aggregated

result

(
c
^
5

;

^
5

)

to

the

B
S
.

Verify:

After

receiving

the

end

result

(
c
^
5

;

^
5

),

BS


will

perform

the

following

steps:

(see

Fig.

1),

i.e.,

R
H
i
¼

x
i

and

P
H
i

¼

v
i

.

2.


(
R
BS

;

P
BS

):

This

key

pair

is

generated

by

KeyGen

of

1.


Obtai
n

M

0

b
y


decrypting

M
1

þ

M
2

þ

þ

M
5

.

c
^
5

:

M

0

¼

t



r

þ

s

¼

Mykletun

et

al.’s

scheme

(see

Fig.

1),

i.e.,

P
BS

¼



¼

f
Y

;

E
;

p;

G;

ng

and

R
BS

¼



.

Then,

the

BS

loads

P
BS

to

all

L
-
Sensors.

On

the


other

hand,

each

H
-
Sensor

is

loaded

its

own

key

pair

(P
H
i

,

R
H
i

), P
BS

and

several

necess
ary

aggregation

functions.

2.

Obtain

m
0


from

M

0

through

the

reserve


function

rmap
ð
Þ
:

m
0


¼

rmap
ð
M

0

Þ

¼

m
1

þ

m
2

þ

þ

m
5

.

3.

Obtai
n


i

fro
m

m
0


usin
g

th
e

Decode


f
u
n
c
t
i
on:

Decod
e
ð
m
0

;

5
;

l
Þ

:


i

¼

m
0

½
ð
i



1
Þ


l;

i


l

1

,

w

h

e

r

e

i

¼

1
;

..
.

;

5
.

In

our

design,

each

L
-
Sensor

is

requiresd

to

share


a

4.


Check

whether

e
n

ð

^
5

;

g
2

Þ

¼

Q
5

n

i

i

pairwise

key

with

its

cluster

head.

For

example,

L
-
Sensor

L
j

would

share

a

key

K
j

with

the

cor
responding

cluster

head

H
j

.
If

the

BS

knows

the

cluster

information

before

deployment,

the

pairwise

keys

can

be

preloaded

to

all

L
-
Sensors

and

H
-

Sensors.

However,

in

most

WSN

environment,

sensors

are

randomly

deployed.

Thus,

we

propose

a

simple

key

e
xchange

scheme.

The

detailed

steps

are

described

in

the

Section

1

of
Supplemental

Material,

which

can

be

found

on

the

Computer

Society

Digital

Library


at


http://doi.ieeecomputersociety.

org/10.1109/TPDS.

2011.219.

Intracluster

Encryp
t
:

This

procedure

ensures

the

establish
-

ment

of

a

secure

channel

between

L
-
Sensors


and

their

H
-

Sensor.

Take

Fig.

3

as

an

example,

L
1

encrypts

d
1

with

K
1

i¼1

e

ð
h

;
P

Þ

holds


or

not
.

Elemen
t

h
i

i
s

d
er
i
ve
d


b
y

h
a
s
h
in
g


i

,


i
.e.,

h
i

¼

H
ð

i

Þ
.


e
n

is

the

bilinear

map. If

the

equation

holds,

accept

all



i

;

otherwise,

reject.

After

checking

the

integrity

of

each



i

,

the

BS

can

further

perform

the

aggregation

function

on

all



i

.


5.3


Rec
o
very

Property

The

Recovery

property

attempts

to

provide

two

functional
-

ities.

First,

BS

can

verify

the

integrity

and

authenticity

of

all

sensing

data.

Second,

BS

can

perform

arbitrary

aggregation

operations

on

these

data.

However,

in

RCDA
-
HETE,

the

BS
on
ly

recovers

individual


aggregated

result

generated

by

each

cluster

rather

than

all

sensing

data.

Now

we

will

show

i

and

sends

E
K
1

ðd
1

Þ

to

H
1

.

After

receiving


E

i

i

1

ðd
1

Þ
,


H
1

that

RCDA
-
HETE

also

provides these functionalities. With K_i, the H-Sensor decrypts the ciphertexts to obtain the plaintext d_1.

Intercluster Encrypt: After collecting all sensing data from all cluster members, an H-Sensor performs the preferred aggregation function on these data as its result. For example, in Fig. 3, H_1 selects d_1 as the aggregated result by a predefined property, such as maximum or minimum. Then, H_1 performs the following steps:

1. Encoding the aggregated result d_1 as m: m = d_1 ‖ 0^{l·(i−1)}, i.e., the result followed by l·(i − 1) zero bits.

2. After encoding, H_1 computes:

a. Signature: x_1 · h_1, where x_1 is R_{H_1} and h_1 = H(m).

Footnotes:

1. RCDA-HETE can verify each sensing data item through the aid of H-Sensors. More precisely, the Intracluster Encrypt procedure allows an L-Sensor L_j^i to send not only E_{K_j^i}(d_j^i), but also the MAC (message authentication code) of E_{K_j^i}(d_j^i) to its cluster head H_j; therefore, H_j can verify the integrity of the data sent from its cluster members.

2. Every H-Sensor is loaded with several necessary aggregation functions before deployment, so the BS can command every H-Sensor to perform the designated aggregation function. For example, if the BS decides to obtain the summation of all data, it assigns the H-Sensors to perform the addition operation. Then, the BS can perform the last addition when it recovers every result from every H-Sensor. Similarly, if the BS then decides to perform the maximum-selection operation, the BS notifies every H-Sensor to select the maximum value among the sensing data in the Intercluster Encrypt procedure.

3. Notations defined in Table 1 are not repeated here.
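The slot encoding of step 1 and the preloaded aggregation functions of footnote 2, worked on plaintexts as an added example (not code from the paper). It assumes l = 16 bits (the paper keeps l symbolic), 1-based cluster indices, and stands in plain integer addition for the homomorphic addition of ciphertexts, which is exactly the arithmetic that homomorphism preserves; the signature step is left out.

```python
# Added example (not code from the paper): the recoverable slot encoding of
# step 1, worked on plaintexts. A result d (l bits) of the i-th cluster head
# is encoded as m = d || 0^{l(i-1)}, i.e. m = d * 2^{l(i-1)}, so the integer
# sum of all encoded results keeps every d in its own l-bit slot and the BS
# can recover each one instead of only their sum. RCDA adds *ciphertexts*
# homomorphically; plain integer addition below is the arithmetic that
# homomorphism preserves. Assumptions: l = 16 (the paper keeps l symbolic),
# 1-based cluster indices, signatures omitted.

L_BITS = 16

# Functions the BS may designate (footnote 2); preloaded on every H-Sensor.
AGGREGATION_FUNCTIONS = {"max": max, "min": min, "sum": sum}


def intercluster_result(readings, func_name, l=L_BITS):
    """H-Sensor side of Intercluster Encrypt: apply the designated function
    to the decrypted readings of the cluster members. The result must fit
    in l bits, otherwise the slot encoding below would spill into the
    neighbouring slot; "sum" is the case where this check matters."""
    if not readings:
        raise ValueError("empty cluster")
    result = AGGREGATION_FUNCTIONS[func_name](readings)
    if not 0 <= result < (1 << l):
        raise ValueError("aggregated result does not fit in l bits")
    return result


def encode(d, i, l=L_BITS):
    """Step 1 of the text for cluster head H_i: m = d || 0^{l(i-1)}."""
    if i < 1:
        raise ValueError("cluster indices are 1-based")
    if not 0 <= d < (1 << l):
        raise ValueError("value does not fit in l bits")
    return d << (l * (i - 1))


def aggregate(encoded_results):
    """Additive aggregation of encoded results on the way to the BS (models
    the homomorphic addition of the corresponding ciphertexts)."""
    return sum(encoded_results)


def recover(aggregate_value, n, l=L_BITS):
    """BS side: slots never overlap, so slicing the aggregate into l-bit
    fields returns every individual result, which is what "recoverable"
    means in the paper."""
    mask = (1 << l) - 1
    return [(aggregate_value >> (l * (i - 1))) & mask for i in range(1, n + 1)]


def run_round(clusters, func_name, l=L_BITS):
    """End to end: per-cluster function at each H_i, slot encoding, additive
    aggregation, recovery at the BS. Returns (recovered, expected)."""
    expected = [intercluster_result(r, func_name, l) for r in clusters]
    encoded = [encode(d, i, l) for i, d in enumerate(expected, start=1)]
    recovered = recover(aggregate(encoded), len(clusters), l)
    return recovered, expected


if __name__ == "__main__":
    # Constructed sample: three clusters of raw sensor readings.
    sample = [[215, 220, 218], [190, 0, 65535], [300, 299, 301]]
    recovered, expected = run_round(sample, "max")
    print("per-cluster maxima recovered at the BS:", recovered, "==", expected)
```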


6 SECURITY AND SCALABILITY ANALYSIS

In this section, we demonstrate that the proposed schemes are secure under the attack model defined in Section 3.2. More detailed security analysis and scalability analysis are described in Section 2 of the Supplemental Material available online.

We first assume that an adversary does not compromise sensors. The proposed schemes are secure because sensing messages are encrypted. In RCDA-HOMO, each sensor encrypts its messages with P_BS before transmitting. In RCDA-HETE, intracluster traffic is encrypted with pairwise keys. Besides, our design generates the corresponding signature for each sensing data item. Consequently, an adversary cannot modify messages or inject forged messages, since he cannot sign forged messages without the private keys.

If an adversary has the ability to compromise sensors, we consider the following situations. An adversary can compromise a sensor and operate it as a legal one. Detecting compromised sensors that still act normally is infeasible in all existing detection mechanisms in WSNs. Also, if the value of a forged message is in a reasonable range, detecting it is still infeasible. An adversary can also try to manipulate the aggregated result. He may generate false data, modify legal messages, or impersonate other sensors. The proposed schemes are still secure against the above attacks because of the signature required for each generated message. On the other hand, we discuss the situation when an adversary compromises a cluster head in RCDA-HOMO. First, he cannot decrypt the aggregated ciphertext or each individual ciphertext, because no decryption private key is stored in a cluster. Second, the compromised cluster head may selectively drop some ciphertexts and signatures in the Aggregate procedure. This kind of attack, which is called a selective forwarding attack, was first described in [19]. Fortunately, previous research [20], [21] proposed mechanisms to defend against this attack.



7 IMPLEMENTATION AND EVALUATION

In this section, the implementation of the proposed schemes is given first. Then, the evaluated results on the proposed schemes are given.

7.1 Implementation

The proposed schemes were all implemented on physical sensors. For homogeneous WSNs, MICAz is selected as our platform. For heterogeneous WSNs, MICAz acts as the L-Sensor, and SCAN-ZB32 [22], produced by ITRI, is selected as the H-Sensor. Software libraries and programs implement functions from Mykletun et al.'s scheme (called MYK for short) and Boneh et al.'s scheme (called BON for short). Functions in MYK all involve elliptic curve cryptography; hence, we utilize the TinyECC (v1.0) library to implement MYK. Since BON requires a bilinear map construction, we adopt TinyPBC [23] to meet this requirement. For a detailed description, please refer to Section 3 of the Supplemental Material available online.

TABLE 3 Performance and Cost Evaluation of the Proposed Schemes (L Denotes L-Sensor, H Denotes H-Sensor)


7.2 Performance and Cost Evaluation

To evaluate the performance of the proposed schemes, execution time (or “delay”) is the main measurement of performance evaluation. Without loss of generality, we define processing delay and aggregation delay for deployed sensors. Processing delay indicates the execution time for sensors to produce ciphertexts and corresponding signatures before transmission. Aggregation delay is evaluated by measuring the processing time spent on aggregating ciphertexts and signatures in the proposed schemes. The last delay, decryption delay, is not considered since the base station is considerably powerful, like a workstation. Therefore, this delay is negligible and can be ignored. Another criterion is cost evaluation. Cost evaluation involves communication and computation aspects. According to Wander et al.'s result, computation cost can be easily calculated based on the consumed clock cycles [24]. They showed that executing 2,090 clock cycles equals approximately 7.4 μJ. For communication, we choose Meulenaer et al.'s result [25]. They found that a MICAz node consumes 0.6 μJ per bit to send and 0.67 μJ per bit to receive on average.

After evaluating the proposed schemes on physical sensors, results are given in Table 3. On average, the processing delay on MICAz takes about 3.7 seconds. For cluster heads, additional delay is required since each CH must process and aggregate ciphertexts and signatures. A CH needs 73.71 ms to aggregate two data items from its children. In other words, if a CH has 10 child nodes, it spends 9 × 73.71 = 663.39 ms (see footnote 4). For communication cost, the length of a message is 476 bits, which contains MYK's ciphertext (161 × 2 = 322 bits) and BON's signature (the finite field 3^97 occupies 154 bits). Plus the 802.16 header (11 bytes), the packet length is 476 + 88 = 564 bits. Via Meulenaer et al.'s result, the cost for sending a packet in RCDA-HOMO is 564 × 0.6 = 338.4 μJ, and receiving a packet at a CH is 564 × 0.67 = 377.88 μJ.

4. If a CH has k children, the aggregation spends (k − 1) × 73.71 ms.
















TABLE 4 Comparison Results of Selected Literatures

In naïve RCDA-HETE, MICAz nodes act as L-Sensors which gather data and perform Encrypt-Sign the same way as in RCDA-HOMO. Hence, the processing delay equals the delay in RCDA-HOMO. For aggregation delay, cluster heads are ZB32 nodes, which are more powerful. Therefore, the delay is reduced to 3.371 ms. Compared with RCDA-HOMO, aggregation performance is approximately 21.9 times faster. The last scheme, RCDA-HETE, has been revised from naïve RCDA-HETE to enhance the performance of L-Sensors (see Table 3). Processing delay on L-Sensors decreases (2.97 ms) since Intraencrypt leverages symmetric cryptography. Most of the computation cost has been switched to H-Sensors instead. Although Interencrypt is similar to Encrypt-Sign, H-Sensors perform better and save more energy than L-Sensors. Another improvement is the decreased communication cost. Compared with RCDA-HOMO, where a MICAz spends 338.4 and 377.88 μJ while sending (as SN) and receiving a packet (as CH), the payload in RCDA-HETE is reduced to 256 bits (AES-256). Meanwhile, the energy for sending a packet on MICAz (L-Sensor) is also reduced, to 153.6 μJ. Since the length of the packet decreases, the energy consumed on receiving is also reduced, to only 351.97 μJ on H-Sensors.

To summarize the results from the proposed schemes, RCDA-HETE utilizes the benefits and advantages of H-Sensors. The naïve RCDA-HETE reduces the corresponding delays during aggregation compared with RCDA-HOMO. However, H-Sensors require more energy on communication in naïve RCDA-HETE. In Section 3 of the Supplemental Material available online, we further simulate a WSN while applying RCDA-HOMO, RCDA-HETE, and the Nonaggregate model.



8 COMPARISONS

We choose two related works, CDA and Mykletun et al.'s scheme, to use as comparators for the proposed schemes. Since their schemes are adopted on homogeneous WSNs, RCDA-HOMO is selected as the candidate for comparison. An overall comparison is shown in Table 4.

Delays on processing and aggregation. For node processing delay, CDA is the most efficient one since it adopts symmetric cryptography. RCDA-HOMO and Mykletun et al.'s scheme take longer because of asymmetric cryptography. The delay in RCDA-HOMO is approximately 1.5 times the delay in Mykletun et al.'s scheme because RCDA-HOMO requires an additional operation, signature generation. Considering aggregation delay, CDA is still the most effective. Similarly, the delay of RCDA-HOMO is 1.5 times the delay in Mykletun et al.'s scheme.

Communication cost (comm. cost). Communication cost increases linearly when the size of the ciphertext increases. Among them, CDA has the shortest length since CDA adopted RC5 as its cipher, only 128 bits [6]. The cost is 144.72 μJ per transmission on a MICAz sensor. On the other hand, the ciphertexts in RCDA-HOMO and Mykletun et al.'s scheme require 476 bits and 322 bits, respectively. Therefore, the energy consumed on communication increases to 377.88 and 274.7 μJ, respectively.

According to the above comparisons, RCDA-HOMO seems to be the worst in the performance evaluation. This is because RCDA-HOMO provides better security. Fortunately, the overall cost in RCDA-HOMO is still affordable for a WSN. On the other hand, CDA and Mykletun et al.'s scheme could combine other security mechanisms to achieve the same security level as RCDA-HOMO. However, the cost of the involved mechanisms is raised and unpredictable.
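The per-packet energy and aggregation-delay figures quoted in Sections 7.2 and 8, recomputed from the constants the text gives, as an added example rather than the authors' evaluation code. The per-bit energies, header size, payload sizes and the 73.71 ms step are those stated on the page; the scheme names used as keys are labels chosen here.

```python
# Added example (not the authors' code): the cost model of Sections 7.2 and 8.
# Constants are the ones quoted in the text: 0.6 uJ/bit to send and 0.67 uJ/bit
# to receive on MICAz [25], 2,090 clock cycles ~ 7.4 uJ [24], an 11-byte 802.16
# header, and 73.71 ms per pairwise aggregation at a RCDA-HOMO cluster head.

SEND_UJ_PER_BIT = 0.6
RECV_UJ_PER_BIT = 0.67
UJ_PER_CLOCK_CYCLE = 7.4 / 2090
HEADER_BITS = 11 * 8            # 802.16 header, 88 bits
HOMO_AGG_STEP_MS = 73.71        # aggregating two inputs at a MICAz CH
HETE_L_PAYLOAD_BITS = 256       # AES-256 intracluster payload in RCDA-HETE

# Payload sizes in bits for the three schemes compared in Section 8.
PAYLOAD_BITS = {
    "RCDA-HOMO": 161 * 2 + 154,   # MYK ciphertext (322) + BON signature (154)
    "MYK": 322,                    # Mykletun et al.'s ciphertext alone
    "CDA": 128,                    # one RC5 block
}


def packet_bits(payload_bits, with_header=True):
    """Total bits on air; Section 7.2 adds the 88-bit header to the payload."""
    return payload_bits + (HEADER_BITS if with_header else 0)


def send_energy_uj(payload_bits, with_header=True):
    """Energy to transmit one packet from a MICAz node (figure from [25])."""
    return round(packet_bits(payload_bits, with_header) * SEND_UJ_PER_BIT, 2)


def recv_energy_uj(payload_bits, with_header=True):
    """Energy to receive one packet at a MICAz cluster head."""
    return round(packet_bits(payload_bits, with_header) * RECV_UJ_PER_BIT, 2)


def computation_energy_uj(clock_cycles):
    """Wander et al.'s rule of thumb: scale 7.4 uJ per 2,090 cycles linearly."""
    return clock_cycles * UJ_PER_CLOCK_CYCLE


def aggregation_delay_ms(k_children, step_ms=HOMO_AGG_STEP_MS):
    """Footnote 4: a CH with k children spends (k - 1) x 73.71 ms aggregating."""
    if k_children < 1:
        raise ValueError("a cluster head aggregates at least one child")
    return round((k_children - 1) * step_ms, 2)


def comparison_table():
    """Packet length and send/receive energy per scheme, header included.
    The receive column reproduces Section 8: 144.72 / 274.7 / 377.88 uJ."""
    return {
        name: (packet_bits(p), send_energy_uj(p), recv_energy_uj(p))
        for name, p in PAYLOAD_BITS.items()
    }


def cheapest_to_receive():
    """Schemes ordered by receive energy; reproduces Section 8's ranking."""
    table = comparison_table()
    return sorted(table, key=lambda name: table[name][2])


if __name__ == "__main__":
    for name, (bits, tx, rx) in comparison_table().items():
        print(f"{name:10s} {bits:4d} bits  send {tx:7.2f} uJ  recv {rx:7.2f} uJ")
    print("10 children at a RCDA-HOMO CH:", aggregation_delay_ms(10), "ms")
    # The page's 153.6 uJ for an RCDA-HETE L-Sensor equals 256 x 0.6 exactly,
    # i.e. it was quoted without the header; reproduce it the same way.
    print("RCDA-HETE L-Sensor send, no header:",
          send_energy_uj(HETE_L_PAYLOAD_BITS, with_header=False), "uJ")
```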



9 CONCLUSION

In this paper, we have proposed recoverable concealed data aggregation schemes for homogeneous/heterogeneous WSNs. A special feature is that the base station can securely recover all sensing data rather than only aggregated results, while the transmission overhead is still acceptable. Moreover, we integrate the aggregate signature scheme to ensure data authenticity and integrity in the design. Even though signatures bring additional costs, the proposed schemes are still affordable for WSNs after evaluation. Considering a large WSN (over 100 nodes), we also performed simulations on the proposed schemes. The results are available in the online Supplemental Material.



ACKNOWLEDGMENTS

The authors would like to thank the anonymous reviewers for their valuable comments and suggestions, which certainly led to improvements of this paper. This work was supported in part by the National Science Council, Taiwan, under Contracts NSC 99-2218-E-007-012 and NSC 100-2218-E-007-006. The corresponding author is Professor Hung-Min Sun.



REFERENCES

[1] R. Rajagopalan and P. Varshney, “Data-Aggregation Techniques in Sensor Networks: A Survey,” IEEE Comm. Surveys Tutorials, vol. 8, no. 4, pp. 48-63, Oct.-Nov. 2006.
[2] S. Madden, M.J. Franklin, J.M. Hellerstein, and W. Hong, “TAG: A Tiny AGgregation Service for Ad-Hoc Sensor Networks,” Proc. Fifth Symp. Operating Systems Design and Implementation, 2002.
[3] J.-Y. Chen, G. Pandurangan, and D. Xu, “Robust Computation of Aggregates in Wireless Sensor Networks: Distributed Randomized Algorithms and Analysis,” IEEE Trans. Parallel Distributed Systems, vol. 17, no. 9, pp. 987-1000, Sept. 2006.
[4] H. Çam, S. Özdemir, P. Nair, D. Muthuavinashiappan, and H. Ozgur Sanli, “Energy-Efficient Secure Pattern Based Data Aggregation for Wireless Sensor Networks,” J. Computer Comm., vol. 29, pp. 446-455, 2006.
[5] H. Sanli, S. Ozdemir, and H. Cam, “SRDA: Secure Reference-Based Data Aggregation Protocol for Wireless Sensor Networks,” Proc. IEEE 60th Int’l Conf. Vehicular Technology (VTC ’04-Fall), vol. 7, pp. 4650-4654, Sept. 2004.
[6] D. Westhoff, J. Girao, and M. Acharya, “Concealed Data Aggregation for Reverse Multicast Traffic in Sensor Networks: Encryption, Key Distribution, and Routing Adaptation,” IEEE Trans. Mobile Computing, vol. 5, no. 10, pp. 1417-1431, Oct. 2006.
[7] C. Castelluccia, E. Mykletun, and G. Tsudik, “Efficient Aggregation of Encrypted Data in Wireless Sensor Networks,” Proc. Second Ann. Int’l Conf. Mobile and Ubiquitous Systems, pp. 109-117, July 2005.
[8] E. Mykletun, J. Girao, and D. Westhoff, “Public Key Based Cryptoschemes for Data Concealment in Wireless Sensor Networks,” Proc. IEEE Int’l Conf. Comm., vol. 5, pp. 2288-2295, June 2006.
[9] H. Chan, A. Perrig, and D. Song, “Secure Hierarchical In-Network Aggregation in Sensor Networks,” Proc. ACM 13th Conf. Computer and Comm. Security, pp. 278-287, 2006.
[10] Y. Yang, X. Wang, S. Zhu, and G. Cao, “SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks,” ACM Trans. Information and System Security (TISSEC), vol. 11, no. 4, pp. 1-43, 2008.
[11] S. Roy, S. Setia, and S. Jajodia, “Attack-Resilient Hierarchical Data Aggregation in Sensor Networks,” Proc. ACM Fourth Workshop Security of Ad Hoc and Sensor Networks, pp. 71-82, 2006.
[12] H. Yu, “Secure and Highly-Available Aggregation Queries in Large-Scale Sensor Networks via Set Sampling,” Proc. IEEE Int’l Conf. Information Processing in Sensor Networks, pp. 1-12, 2009.
[13] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, “Aggregate and Verifiably Encrypted Signatures from Bilinear Maps,” Proc. 22nd Int’l Conf. Theory and Applications of Cryptographic Techniques (Eurocrypt), pp. 416-432, 2003.
[14] W. Heinzelman, A. Chandrakasan, and H. Balakrishnan, “An Application-Specific Protocol Architecture for Wireless Microsensor Networks,” IEEE Trans. Wireless Comm., vol. 1, no. 4, pp. 660-670, Oct. 2002.
[15] M. Demirbas, A. Arora, V. Mittal, and V. Kulathumani, “A Fault-Local Self-Stabilizing Clustering Service for Wireless Ad Hoc Networks,” IEEE Trans. Parallel Distributed Systems, vol. 17, no. 9, pp. 912-922, Sept. 2006.
[16] S. Basagni, M. Mastrogiovanni, A. Panconesi, and C. Petrioli, “Localized Protocols for Ad Hoc Clustering and Backbone Formation: A Performance Comparison,” IEEE Trans. Parallel Distributed Systems, vol. 17, no. 4, pp. 292-306, Apr. 2006.
[17] J. Pollard, “Monte Carlo Methods for Index Computation (mod p),” Math. of Computation, vol. 32, pp. 918-924, 1978.
[18] S. Ozdemir, “Concealed Data Aggregation in Heterogeneous Sensor Networks Using Privacy Homomorphism,” Proc. IEEE Int’l Conf. Pervasive Services, pp. 165-168, July 2007.
[19] C. Karlof and D. Wagner, “Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures,” Proc. IEEE First Int’l Workshop Sensor Network Protocols and Applications, pp. 113-127, May 2003.
[20] B. Yu and B. Xiao, “Detecting Selective Forwarding Attacks in Wireless Sensor Networks,” Proc. IEEE 20th Int’l Symp. Parallel and Distributed Processing (IPDPS ’06), Apr. 2006.
[21] T.H. Hai and E.-N. Huh, “Detecting Selective Forwarding Attacks in Wireless Sensor Networks Using Two-Hops Neighbor Knowledge,” Proc. IEEE Seventh Int’l Symp. Network Computing and Applications, pp. 325-331, July 2008.
[22] W. Li, C. Chou, and Z. Lin, “Design and Implementation of a Zigbee-Based Communication Substrate for Wireless Sensor Networks,” Proc. Nat’l Computer Symp. Conf., 2006.
[23] L. Oliveira et al., “TinyPBC: Pairings for Authenticated Identity-Based Non-Interactive Key Distribution in Sensor Networks,” Computer Comm., vol. 34, pp. 485-493, 2010.
[24] A. Wander, N. Gura, H. Eberle, V. Gupta, and S. Shantz, “Energy Analysis of Public-Key Cryptography for Wireless Sensor Networks,” Proc. IEEE Third Int’l Conf. Pervasive Computing and Comm. (PERCOM ’06), 2005.
[25] G. De Meulenaer, F. Gosset, F.X. Standaert, and L. Vandendorpe, “On the Energy Cost of Communication and Cryptography in Wireless Sensor Networks,” Proc. IEEE Int’l Conf. Wireless and Mobile Computing, Networking and Comm., pp. 580-585, 2008.

Chien-Ming Chen received the BS and MS degrees in computer science and information engineering from Fu-Jen Catholic University in 2001 and 2003, respectively, and the PhD degree in computer science from National Tsing Hua University in 2010. He is a postdoctoral researcher at National Tsing Hua University. His research interests include wireless sensor networks, multimedia security, and applied cryptography.

Yue-Hsun Lin received the MS and PhD degrees in computer science from National Tsing Hua University in 2005 and 2010, respectively. Currently, he is a postdoctoral researcher at the Intel-NTU Connected Context Computing Center at National Taiwan University. His research interests include wireless sensor networks, network security, and applied cryptography.

Ya-Ching Lin received the BS degree in information management from the National Central University in 2004. Currently, she is working toward the graduate degree in the Institute of Information System and Application at National Tsing Hua University. Her current research interests include multimedia security, applied cryptography, and broadcast encryption.

Hung-Min Sun received the BS and MS degrees in applied mathematics from National Chung-Hsing University in 1988 and 1990, respectively, and the PhD degree in computer science and information engineering from National Chiao-Tung University in 1995. He was an associate professor with the Department of Information Management, Chaoyang University of Technology from 1995 to 1999, the Department of Computer Science and Information Engineering, National Cheng-Kung University from 2000 to 2002, and the Department of Computer Science, National Cheng-Kung University from 2002 to 2008. Currently, he is working as a full professor with the Department of Computer Science, National Tsing Hua University. He has published more than 150 international journal and conference papers. He was the program cochair of the 2001 National Information Security Conference, and a program committee member of many international conferences. He was the honorary chair of the 2009 International Conference on Computer and Automation Engineering, the 2009 International Conference on Computer Research and Development, and the 2009 International Conference on Telecom Technology and Applications. He serves as the editor-in-chief of the International Journal of Digital Content Technology and its Applications, and an editorial board member of many international journals including ISRN Communications and Networking, International Journal of Security, Advances in Information Sciences and Service Sciences: an International Journal of Research and Innovation, International Journal of Intelligent Information Processing, and Journal of Next Generation Information Technology. He won many best paper awards in academic journals and conferences, including the annual best paper award in the Journal of Information Science and Engineering in 2003, and the best paper awards in MobiSys09, NSC05, NISC06, NISC07, CISC09, and ICS’2010. He won the Y. Z. Hsu Scientific Paper Award, Far Eastern Y. Z. Hsu Science and Technology Memorial Foundation, 2010. His research interests include network security, cryptography, and wireless networks.



