Privacy Preserving Techniques in the internet of things

preserving sensor location privacy in internet of things and privacy-preserving security framework for a social-aware internet of things internet of things and privacy preserving technologies
Dr.MohitBansal Profile Pic
Dr.MohitBansal,Canada,Teacher
Published Date:26-10-2017
Your Website URL(Optional)
Comment
Privacy-Preserving Time Series Data Aggregation for Internet of Things15.1 Introduction In recent years, the networking and collaboration among various devices has experienced tremendous growth. To adapt to the trend, the concept of the Inter- net of Things (IoT) has been paid great attention, not only from academia but also from industry. Essentially, the IoT is characterized by a large number of intelligent devices sharing information and making collaborative decisions 1. Due to its potential to support a large number of ubiquitous characteristics and achieve better cost efficiency, the IoT can find many applications in the real world, including eHealthcare systems, smart homes, environmental monitoring, industrial automation, and smart grids, as shown in Table 15.1. The IoT has attracted a lot of attention; and yet, despite all the attention, many security and privacy challenges have remained. Since most devices in the IoT are often deployed in unattended areas, they are vulnerable to physical attacks that are not detected immediately; and the nature of broadcasting using Table 15.1 Typical applications and benefits of the IoT Typical Applications Benefits eHealthcare system Remote patient monitoring for better healthcare Smart home Real-time remote security and surveillance Environmental monitoring Effective monitoring with lower costs Industrial automation Remote equipment management for cost savings Smart grid Smart meters, sensors for real-time monitoring power gridPrivacy-Preserving Time Series Data Aggregation for Internet of Things  387 wireless communication also makes it easy for an attacker to launch an eaves- dropping attack. As many research efforts have been made about IoT security challenges, in this chapter, we mainly focus on addressing privacy challenges in the IoT. To address privacy challenges, that is, to protect an individual device’s data privacy in the IoT, many privacy-preserving data aggregation schemes have been proposed 2, 3, 5, 6, 10, 27–30. However, most of them only support one-dimensional data aggregation, which sometimes cannot meet the accuracy requirements of IoT scenarios. Although our previous work, EPPA deals with multidimensional data aggregation 10, it may not support large-space data aggregation very well. Therefore, aiming at the above challenges, we propose a novel privacy-preserving time series aggregation scheme for the IoT, which is ∗ characterized by exploiting the properties of groupZ to support data aggrega- 2 p tion for both small plaintext space and large plaintext space at the same time, which is thus more efficient than traditional data aggregation. Concretely, the main contributions are threefold.  Firstly, we propose a novel privacy-preserving time series aggregation ∗ scheme based on the groupZ . The proposed scheme can use one single 2 p aggregated piece of data to achieve both small plaintext space aggregation and large plaintext space aggregation in a privacy-preserving way at the same time.  Secondly, with a formal security-proof technique, we show that our proposed scheme can achieve each individual node’s data privacy preservation.  Finally, we implement our proposed scheme in Java and run extensive experiments to validate its efficiency in terms of low computational cost and communication overheads, and discuss the trade-off between utility and differential privacy levels. The remainder of this chapter is organized as follows. In Section 15.2 and we formalize the system model and security model and identify our research goal. We present the detailed design of our privacy-preserving set aggregation scheme in section 15.4, followed by the security analysis and performance evaluation in sections 15.5 and 15.6, respectively. Section 15.7 reviews some related works and section 15.8 closes the chapter with a summary. 15.2 Models and Design Goals In this section, we formalize our system model and security model and identify our design goal on time series aggregation in the IoT.388  Security and Privacy in Internet of Things (IoTs) Trusted authority Control center Gateway N N n 1 N N 2 4 N n–1 N 3 Figure 15.1: System model under consideration 15.2.1 System model In our system model, we focus on a typical stationary IoT scenario, which mainly includes the following entities: one trusted authority, one control center, one gate- way, and a set of nodesN =N ,N ,...,N , as shown in Figure 15.1, where n 1 2 n indicates the number of elements in the setN , and its maximal value is denoted as n . max  Trusted authority (TA): This is a fully trustable entity, whose duty is to manage and distribute key materials to other entities in the system. In general, after key distribution, it will not participate in the subsequent data aggregation process.  Control center: This is the core entity in the system, which is responsible for data collecting, processing, and analyzing the time series data from N for monitoring IoT scenarios.  Gateway: This serves as a relay and aggregator role in the system; that is, it relays information from the control center toN , and at the same time collects and aggregates data fromN and forwards the aggregated data to the control center.  NodesN =N ,N ,...,N : Each node N ∈N is equipped with sensors, 1 2 n i which collect and report the time series data M = (m ,x ), where m is i i i iPrivacy-Preserving Time Series Data Aggregation for Internet of Things  389 a large value while x is a smaller value, to the control center via the i gateway. Differing from those previously reported data aggregation schemes 2, 3, 5, 6, 10, 27–30, the proposed time series aggregation in IoT will enable the con- P n trol center to obtain not only small plaintext space aggregation, that is, x , i i=1 P n but also large plaintext space aggregation, that is, m , which enables the i i=1 control center to carry out more accurate data analytics for the monitoring and controlling of the IoT. 15.2.2 Security model In our security model, we consider a generic adversary A who may compro- mise the privacy of nodes by eavesdropping on the communication data from the nodes to the gateway and those from the gateway to the control center. We also consider that the protocol participants, the control center and the gateway, are honest-but-curious. That is, they are supposed to follow the aggregation proto- col appropriately (“honest”); meanwhile, they also try all sorts of measures to seek and infer knowledge of others (“curious”). In our IoT scenario, honest-but- curious participants will not tamper with the aggregation protocols; they do not maliciously distort or drop any received values and intermediate results, and they keep the system running normally. However, by analyzing messages and values routed through them, they try to infer each individual node’s data. In addition, nodesN =N ,N ,...,N are also honest, that is, no N will report false data 1 2 n i to the control center or collude with the control center to obtain other nodes’ individual data. Note that other types of attack are possible in IoT scenarios; for example, bad data injection attacks 11, DDoS attacks. Since our focus is on privacy-preserving time series aggregation, those attacks are currently beyond the scope of this research. 15.2.3 Design goal Our design goal is to develop an efficient and privacy-preserving time series data aggregation scheme for IoT, such that the control center can obtain more varied and abundant information from one single aggregated piece of data. Specifically, the following two desirable goals should be satisfied.  The proposed scheme should be privacy preserving. Only the con- trol center can read the aggregation results in the proposed scheme, and no one (including the control center) can read each individual user’s data.  The proposed scheme should be efficient. Not only encryption at node side, aggregation at the gateway, but also decryption at the control center390  Security and Privacy in Internet of Things (IoTs) should be efficient in terms of computational cost. In addition, the pro- posed scheme, like other data aggregation schemes 6, 12, 13, 27, should use one single aggregated piece of data for transmission so as to achieve communication efficiency. 15.3 Preliminaries In this section, we first review Shi et al.’s time series data aggregation scheme ∗ 6 and then recall the properties of groupZ , which will serve as the basis of 2 p our proposed aggregation scheme. 15.3.1 Shi et al.’s privacy-preserving time series data aggregation scheme To enable an untrusted data aggregator to achieve some desirable statistics over multiple participants’ data while without compromising each individual’s pri- vacy, Shi et al. 6 present an efficient and privacy-preserving time series data aggregation scheme and its enhanced version with the inclusion of a differen- tial privacy technique. Here, the basic construction of Shi et al.’s scheme will be reviewed, which includes three parts:Setup, NoisyEnc, andAggreDec.  Setup: Given the parameterl , a cyclic groupG of prime order p is first chosen, wherep=l and the decisional Diffie–Hellman problem is hard inG. Then, a trusted dealer chooses a random generator g∈G, and n+ 1 random secrets s ,s ,...,s ∈ Z , such that 0 1 n p s + s +···+ s = 0 mod p (15.1) 0 1 n After that, a trusted dealer sets the public parameters param := (G,g, p,H), where H is a cryptographic hash function, that is, H :Z→G, and assigns the secret key sk = s to the data aggregator, and the secret 0 0 keysk = s to each participant i. i i  NoisyEnc: Let x ˆ be the noisy data of participant i at time step t. Then, i participant i computes the ciphertext as follows, x ˆ s i i c = g · H(t) (15.2) i  AggreDec: After receiving all ciphertexts (c ,c ,...,c ) from the partic- 1 2 n ipants, the data aggregator computes n Y s 0 V = H(t) · c (15.3) i i=1Privacy-Preserving Time Series Data Aggregation for Internet of Things  391 Obviously, because n Y P P n n s x ˆ s 0 i i i=1 i=1 V = H(t) · c = g · H(t) i i=1 P P n n x ˆ 0 x ˆ i i i=1 i=1 = g · H(t) = g (15.4) P n and x ˆ is in a small plaintext space, a brute-force search can be i i=1 P P n n x ˆ i i=1 applied to decrypt x ˆ from g . Assuming that each participant’s i i=1 data is in the range of0,1,...,D, the sum of the participants would be within the range of0,1,...,nD. Then, with Pollard’s method 14, the P √ n x ˆ i i=1 decryption of g can only require O( nD). ∗ 15.3.2 Properties of groupZ 2 p In Shi et al.’s aggregation scheme 6, the groupG is an abstract cyclic group of order p, which thus only supports messages in a small plaintext space. In the ∗ following, we discuss a concrete groupZ , and exploit its properties to enable 2 p us to support both small plaintext spaces and large plaintext spaces at the same time. Given the security parameter l , we choose a safe prime p = 2q+ 1, where p = l and q is also a prime. Then, we can calculate Euler’s totient function 2 φ(p ) as 1 2 2 φ(p )= p (1− )= p(p− 1)= 2pq (15.5) p 2 which shows that there are a total ofφ(p ) = p(p− 1) = 2pq elements in the ∗ ∗ group Z . Let x∈Z be an integer less than p; then, according to Fermat’s 2 p p p−1 Little Theorem, we have x ≡ 1 mod p. That is, p−1 x = 1+ k· p (15.6) for some integer k. We raise both sides of Equation 15.6 to the power of p and 2 with the modulus p , we have   p X p p(p−1) p i 2 x =(1+ k· p) = 1+ (k· p) = 1 mod p (15.7) i i=1 From Equation 15.7, we can see it still holds when k= 1. Therefore, let y= p+1; 2 we then have gcd(y, p )= 1, and   p X p p p i 2 y =(p+ 1) = 1+ p = 1 mod p (15.8) i i=1 ∗ Summarizing the above, we have the following two properties in group Z , 2 p which can provide us with more flexible data aggregation.392  Security and Privacy in Internet of Things (IoTs) ∗ p(p−1) 2 1. ∀x∈Z , we have x = 1 mod p . p p 2 2. For y= p+ 1, we have y = 1 mod p . 15.4 Proposed Time Series Data Aggregation Scheme In this section, we present our new privacy-preserving time series data aggre- gation scheme, which is mainly comprised of four parts: system settings, data encryption at nodes, data aggregation at the gateway, and aggregated decryption at the control center. 15.4.1 System settings Given the security parameterl , a safe prime p= 2q+ 1 is chosen, wherep= ∗ l and q is a prime as well. In addition, a random number g∈Z is chosen p ∗ p 2 as a generator ofZ , h = g mod p is computed, and a secure cryptographic 2 p ∗ ∗ hash function H :0,1 →Z is also selected. Then, the public parameters are p param :=(p,g,h,H). The TA chooses n random numbers s ∈Z , i= 1,2,...,n, and computes i p(p−1) s ,s ∈Z such that c g p(p−1) n X s + s + s = 0 mod p(p− 1) (15.9) c g i i=1 Finally, the TA sends s as the secret key to the control center, s as the secret c g key to the gateway, and s as a secret key to each corresponding node N ∈N = i i N ,N ,...,N via secure channels. 1 2 n 15.4.2 Data encryption at nodes At every time interval t, each node N ∈ N will report two types of data i (m ,x), where the data m lies in a large plaintext space, that is, m ∈ i i i i p 0,1,2,...,⌊ ⌋, where n is the maximal value of the number of nodes max n +1 max n, and the piece of data x is within a small plaintext space0,1,2,...,D. Con- i cretely, each node N uses its secret key s to compute i i m x s 2 i i i c =(p+ 1) · g · H(t) mod p (15.10) i and reports c to the gateway. iPrivacy-Preserving Time Series Data Aggregation for Internet of Things  393 15.4.3 Data aggregation at gateway After receiving all ciphertexts c , i= 1,2,...,n, from nodesN=N ,N ,...,N, i 1 2 n the gateway uses its secret key s to perform the following aggregation operation, g n n Y Y s m x s s 2 g i i i g C= c · H(t) = (p+ 1) · g · H(t) · H(t) mod p i i=1 i=1 P P P n n n m x s +s 2 i i i g i=1 i=1 i=1 =(p+ 1) · g · H(t) mod p (15.11) and sends the result C to the control center. 15.4.4 Aggregated data decryption at control center After receiving the aggregated ciphertext C, the control center performs the fol- lowing steps to recover the aggregated data.  Step 1: The control center uses its secret key s to compute c s 2 c D= C· H(t) mod p P P P n n n m x s +s s 2 i i i g c i=1 i=1 i=1 = (p+ 1) · g · H(t) H(t) mod p P (15.12) n ∵ s +s +s =0 mod p(p−1) i g c i=1 −−−−−−−−−−−−−−−−−→ P P n n m x 2 i i i=1 i=1 = (p+ 1) · g mod p  Step 2: The control center continues to use p to compute p ¯ D= D   P P p n n m x 2 i i i=1 i=1 = (p+ 1) · g mod p (15.13) p 2 ∵(p+1) =1 mod p −−−−−−−−−−−→ P P n n p x 2 x 2 i i i=1 i=1 = g mod p = h mod p P n Because x is still within a small plaintext space 0,1,2,...nD, i i=1 similarly to Shi et al.’s scheme 6, we can also use Pollard’s method to √ P n recover x with the computational complexity O( nD). i i=1 P n  Step 3: After obtaining x , the control center computes i i=1 P P n n m x i i P i=1 i=1 D (p+ 1) · g n m 2 i ˆ i=1 P P D= = =(p+ 1) mod p (15.14) n n x x i i i=1 i=1 g g394  Security and Privacy in Internet of Things (IoTs) P p n Because m ∈0,1,2,...,⌊ ⌋, we have m p. Therefore, we i i i=1 n +1 max have P n m P  i n i=1 n P X X n m i m i i i=1 ˆ i=1 D=(p+ 1) = 1+ p· m + p · i i i=1 i=2 n X 2 = 1+ p· m mod p (15.15) i i=1 P n and thus m can be recovered by computing i i=1 n X ˆ D− 1 m = (15.16) i p i=1 P P n n As a result, two types of aggregated data m , x , respectively i i i=1 i=1 in large plaintext space and small plaintext space, can be obtained by the control center. 15.4.4.1 Discussion on privacy enhancement with differential privacy Differential privacy is a popular privacy-enhancing technique 15, which has been widely discussed in privacy-preserving data statistics. With the differential privacy technique, proper noises, for example, noises extracted from symmet- rical geometric distribution, Laplace distribution, and so on, will be added to the aggregation result, which can make the outputs from similar inputs indistin- guishable. Formally, we say that a randomized algorithm A satisfiese-differential privacy, if for any two data sets D and D differing by a single element, for 1 2 all S⊂ Range(A), PrA(D )∈ S≤ exp(e)· PrA(D )∈ S holds. The adding 1 2 of noises is crucial for differential privacy. As the aggregation data are dis- crete in the proposed scheme, noises extracted from geometric distribution are applied. The noises, generation by the use of geometric distribution was first introduced by Ghosh et al. 16, where the noise is chosen from a symmet- ric geometric distribution Geom(a) with 0≤ a ≤ 1. Then, the Geom(a) can be viewed as a discrete approximation of Laplace distribution Lap(l), where 1 a≈ exp(− ). The probability density function (PDF) of geometric distribution l Geom(a) is 1−a x PrX = x= ·a (15.17) 1+a When the sensitivity of some aggregation function A(D) is DA = max D ,D 1 2 A(D )− A(D ) for all the data sets D and D differing by at most 1 2 1 1 2 one element, then, by adding geometric noise r randomly chosen fromPrivacy-Preserving Time Series Data Aggregation for Internet of Things  395 e Geom(exp(− )) to the original aggregation, the perturbed results can achieve DA e-differential privacy, that is, for any integer k∈ Range(A), PrA(D )+ r = k≤ 1 exp(e)· PrA(D )+ r = k. 2 To enhance privacy in our proposed time series data aggregation, after the gateway aggregates all ciphertexts c ,c ,...,c , it runs the following steps: 1 2 n P n  As the sensitivity of the aggregation x isD, to achievee-differential i i=1 privacy in the scheme, the gateway first extracts a noise x ˜ from the geo- e metric distribution Geom(exp(− )). D p  Although m can support the space 0,⌊ ⌋, we still reasonably con- i n +1 max P n ′ sider the sensitivity of the aggregation m to be D in some real i i=1 application scenarios, which is larger than D, but still far less than P n p ⌊ ⌋. Then, similarly to m , the gateway also extracts a noise i n +1 i=1 max e m ˜ from the geometric distribution Geom(exp(− )). ′ D  Finally, the gateway performs the following aggregation n Y m ˜ x ˜ s g C= c ·(p+ 1) · g · H(t) i i=1 n Y m x s m ˜ x ˜ s 2 i i i g = (p+ 1) · g · H(t) ·(p+ 1) · g · H(t) mod p (15.18) i=1 P P P n n n m +m ˜ x +x ˜ s +s 2 i i i g i=1 i=1 i=1 =(p+ 1) · g · H(t) mod p and sends C to the control center. P n In the end, at control-center side, the aggregated data m + m ˜ and i i=1 P n x + x ˜ can be recovered, which may further enhance each individual node’s i i=1 privacy. 15.4.4.2 Discussion on dynamic node joining and leaving In IoT scenarios, it is very common for nodes to join and leave frequently. There- fore, to deal with this dynamic environment, the following dynamic key manage- ment strategy can be applied by the TA.  Node joining: When a node N joins, the TA randomly chooses a subset j of nodesN ,N ,...,N ofN , where each node N has its secret key a1 a2 az ai s . Then, the TA assigns a random secret key s to the joining node N , ai j j and a new secret key s ¯ to each N such that ai ai z z X X s + s ¯ = s mod p(p− 1) (15.19) j ai ai i=1 i=1 With this strategy, the aggregation at the gateway and the decryption at the control center will not be affected.396  Security and Privacy in Internet of Things (IoTs)  Node leaving: Similarly, when a node N with the secret key s leaves, j j the TA also randomly chooses a subset of nodes N ,N ,...,N of a1 a2 az N , where each node N has its secret key s . Then, the TA assigns a new ai ai secret key s ¯ to each N such that ai ai z z X X s ¯ = s + s mod p(p− 1) (15.20) ai ai j i=1 i=1 Note that the above dynamic key management can also be suitable for multiple users’ joining and leaving cases. 15.5 Security Analysis In this section, we analyze the privacy properties of the proposed time series aggregation scheme. Specifically, following the security model discussed earlier, we will show that each individual node’s data privacy can be preserved. In the proposed aggregation scheme, each node’s data are encrypted in the m x s 2 s i i i i form of c = (p+ 1) · g · H(t) mod p . Without the masking from H(t) , it i is obvious that the plaintext, denoted as M =(m ,x ), can be easily derived from i i i m x i i (p+1) ·g by using the same procedure in the decryption at the control center. s i Therefore, the security of M =(m ,x ) is highly dependent on H(t) . In the fol- i i i lowing, we formally prove that M is indistinguishable during a chosen plaintext i s i attack, even though an adversaryA knows the public key Y = g corresponding i to the secret key s of the node N . i i ∗ Definition 15.1 Computational Diffie–Hellman problem inZ Given a gener- 2 p ∗ a b ab ∗ ator g of groupZ , and g ,g for unknown a,b∈Z , to compute g ∈Z . 2 p(p−1) 2 p p ∗ Definition 15.2 Decisional Diffie–Hellman problem inZ There are two dis- 2 p tributions a b ab ∗ DH =(A,B,C)=(g ,g ,g )g∈Z ,a,b∈Z 2 p(p−1) p (15.21) a b ∗ Rand =(A,B,C)=(g ,g ,R)g,R∈Z ,a,b∈Z 2 p(p−1) p ∗ The decisional Diffie–Hellman (DDH) problem states that, for given(A,B,C)∈Z , 2 p a b ab a b to decide (A,B,C)∈ (g ,g ,g ) or (A,B,C)∈ (g ,g ,R). The advantage of a dis- tinguisher D, denoted by Adv(D), is defined by Adv(D)= PrD(A,B,C)= 1− Pr D(A,B,C)= 1 (15.22) DH RandPrivacy-Preserving Time Series Data Aggregation for Internet of Things  397 For the DDH assumption, we assume there is no probabilistic polynomial time dis- tinguisher D running in timet that has a nonnegligible advantage Adv(D)=e. Theorem 15.1 s i LetA be an adversary against the node N ’s ciphertext c = M · H(t) with time t. i i i After q queries to the random oracles, its advantage is a nonnegligiblee. Then, the h ∗ ′ ′ DDH problem inZ can be solved with another probabilitye with timet , where 2 p e ′ ′ e = , t ≤t+ q · T h h 2 where T denotes the time cost for each hash query. h Proof. Assuming that there is an adversaryA which runs in polynomial time and has a nonneglible advantage e to break the semantic security of the ciphertext s i c = M ·H(t) in the proposed scheme, then we can construct another algorithm i i ′ B which has access to A and achieves a nonneglible advantage e to break a a b DDH problem instance(A= g ,B= g ,C). a Let A= g be the public key of node N corresponding to the secret key s = a, i i a though the value of a is unknown. We make A= g available to the adversaryA, and allowA to make q times hash oracle H() queries, where H() is modeled as h a random oracle 17 on a different time point t . i ∗ Each timeA queries on t ,B randomly chooses a number r ∈Z , stores i i p(p−1) r r i i (t ,r ,B ) in a hash list, and returns H(t)= B toA. Obviously, because H() is i i i modeled as a random oracle, the hash query is indistinguishable from the real world. ∗ At some time point,A chooses two messages M ,M ∈Z for a ciphertext 0 1 2 p ∗ query in time period t , and sends them toB. At this moment,B first retrieves r ∗ ∗ (t ,r ,B ) in a hash list with the search condition t , flips a bit b ∈0,1 and ∗ ∗ ∗ r 2 ∗ generates a ciphertext c = M · H(t )= M · B mod p . Finally,B sends c to i i b b ′ A. After receiving c ,A returnsB a bitb as its guess forb .B then returns 1 for i ′ b =b , and returns 0 otherwise. a b On one hand, if (A = g ,B = g ,C) comes from the random distribution r 2 ∗ Rand, the ciphertext C = M · B mod p is uniformly distributed, hence inde- i b pendently ofb . As a result, 1 ′ Pr B(A,B,C)= 1b =b = (15.23) Rand 2 a b ab On the other hand, when (A = g ,B = g ,C = g ) comes from the Diffie– r 2 ∗ Hellman (DH) distribution, one may remark that C = M · B mod p is a valid i b ciphertext of M , following a uniform distribution among the possible cipher- b texts. Then, 1 e ′ PrB(A,B,C)= 1b =b = + (15.24) DH 2 2398  Security and Privacy in Internet of Things (IoTs) The advantage ofB in distinguishing the DH and Rand distributions is ′ Adv(B)=e = PrB(A,B,C)= 1− Pr B(A,B,C)= 1 DH Rand 1 e 1 e = + − = (15.25) 2 2 2 2 ′ By a simple computation, we can also obtain the claimed bound fort ≤t+ q · h T . Thus, the proof is completed.  h From the above theorem, we can see, under the DDH assumption, each indi- s i vidual node N ’s data is privacy preserving, even though the public key Y = g i i is available to the adversary. Next, we show that our proposed scheme, once enhanced with the differential privacy technique, is also secure against differen- tial attacks. Theorem 15.2 Each node N ’s data is also secure against differential attacks in the enhanced aggre- i gation. Proof. For a given privacy level e, the gateway perturbs the aggregation with- out recovery but adding appropriate geometric noises in the form of ciphertext. In such a way, e-differential privacy can be achieved. Specifically, for data in a small plaintext space, the gateway adds the noise x ¯, which is chosen from e Geom(exp(− )) to the exact aggregation to obtain the perturbed one. We assume D that an adversary is able to gain two perturbed pieces of aggregation data s+ x ¯ s and t+x ¯ , where s and t are aggregations of the two data sets differing by at most t one element, while x ¯ and x ¯ are two corresponding geometric noises. Similarly, s t in 12, sinces−t≤D, for any integer k, we have Prs+ x ¯ = k Prx ¯ = k− s s s t = = Prt+ x ¯ = k Prx ¯ = k−t t t (15.26) 1−a k−s a e 1+a k−s−k−t − D = =a wherea = e 1−a k−t a 1+a Since −s−t≤k− s−k−t≤s−t and 0 a 1 (15.27) we have e e −e − D D s−t −s−t −D − −D e D D e =(e ) =a ≤a ≤t≤a ≤a =(e ) = e (15.28) Similarly, we can also prove that the data in a large plaintext space can also achieve e-differential privacy, when a noise is chosen from the distribution e Geom(exp(− )). This completes the proof.  ′ DPrivacy-Preserving Time Series Data Aggregation for Internet of Things  399 Table 15.2 Parameter settings Parameter Value l l = 1024 ∗ ∗ 2 Z Z is a group orderφ(p )= p(p− 1), wherep=l 2 2 p p n n = 1000 max max n n= 200,400,600,800,1000 D D= 20 e Differential privacy levele = 1,2,3 15.6 Performance Evaluation In this section, we evaluate our proposed privacy-preserving time series aggrega- tion scheme in terms of computational cost and communications overheads, and analyze the utility in a differential privacy enhanced version as well. Concretely, we implement our scheme by Java (JDK 1.8) and run our experiments on a lap- top with a 3.1 GHz processor, 8GB RAM, and Windows 7 platform. The detailed parameter settings are shown in Table 15.2. P n Although the decryption complexity of the small plaintext space data x i i=1 in the proposed scheme is O(nD), and may be accepted by the powerful control center in the IoT, we still build a hash table (stored in a zip file of around 167 KB) to accelerate the decryption lookup process in decryption in our experiment, j where each entry in the hash table is the hash value of h with 0≤ j≤(n +1)· max D. We ran our experiments 10 times, and the average results are reported below. 15.6.1 Computational costs From the experiments, the average encryption at the node only takes 35 ms, which is very efficient for IoT scenarios. Figure 15.2 shows that the computational costs of aggregation at the gateway and decryption at the con- trol center vary with the number of nodes n from 200 to 1000, with an increment of 200. From the figure, we can see that both of them are efficient, and the num- ber of nodes n has little effect on aggregation and decryption, due to the direct aggregation over ciphertexts and a hash table to look up the small plaintext space decryption, built in advance. 15.6.2 Communication costs ∗ Whenp= 1024, any ciphertext (including c and C) in groupZ is less than or i 2 p equal to 2048 bits. 15.6.3 Utility in differential privacy enhanced version The novelty of our proposed scheme for supporting two types of data aggrega- tion makes it suitable for many potential practical scenarios in the IoT. In the400  Security and Privacy in Internet of Things (IoTs) 60 50 40 30 20 10 0 200 300 400 500 600 700 800 900 1000 (a) n 60 50 40 30 20 10 0 200 300 400 500 600 700 800 900 1000 (b) n Figure 15.2: Computational costs of (a) aggregation at the gateway and (b) decryp- tion at the control center varying with n. following, we put emphasis on the evaluation of utility of differential privacy enhanced version. Concretely, we take a smart grid as an example here to elab- orate the advantages and effectiveness of our enhanced version. Differing from t (ms) t (ms)Privacy-Preserving Time Series Data Aggregation for Internet of Things  401 Table 15.3 Parameter settings Description Parameter Value Number of users n 10000 User measurement x .m 0.000, 0.001, 0.002, . . . , i i 29.999, 30.000 Differential privacy level e 1,2,3 – Sensitivity of small plaintext D 30 space data ′ – Sensitivity of large plaintext D 999 space data previously reported aggregation schemes for smart grids, our scheme can sup- port data aggregation of user measurements including not only the integer part (small plaintext data x ∈ 0,30) but also the decimal part (large plaintext data i m ∈0,999). The detailed parameter settings are listed in Table 15.3. i Similar to the aggregation scheme in 18, we implement an electricity con- sumption simulator having the ability to generate realistic 1 min consumption traces synthetically, which is extended from the basic simulator presented in 19. Based on the simulator, we produce traces for 10,000 households, and the dis- tribution of residents in each household follows the U.K. statistics on household sizes in 2011 20. Figures 15.3 and 15.4 illustrate the traces of actual total measurements and noisy total consumption for small and large plaintext space, respectively. We also sete, the differential privacy level, to 1,2,3 for each of the two scenarios. As can be seen from the figures, the largere is, the smaller the noise that will be added, and then the utility is higher; while the smallere is, the larger the noise that will be included, and then a higher level of the privacy can be guaranteed. Compared with the case of e = 3, the utility at e = 1 is lower, but it is still acceptable. Therefore, in real scenarios, there is a trade-off between privacy and utility. 15.7 Related Works In this section, we briefly discuss some other research studies 6, 12, 13, 18, 21– 24, 27 that are closely related to our scheme. Based on BGN homomorphic encryption techniques 25, some data aggregation schemes, for example, 6, 12, have been proposed, which focus on protecting individual users’ privacy. The schemes in both 6 and 12 are secure against differential attack. In addi- tion, multifunction data aggregation is also researched in 12. However, these two schemes can only support one-dimensional data aggregation. Furthermore, since BGN-based 25 aggregation schemes depend on brute-force search tech- niques 14 to be able to decrypt the sum of the plaintext, all of the exist- ing similar schemes have the disadvantage of limiting each user’s reported402  Security and Privacy in Internet of Things (IoTs) measurement in the small plaintext space. Based on Paillier’s homomorphic encryption techniques 26, some privacy-preserving data aggregation schemes 21, 24, 27 have been proposed, which eliminates the small plaintext space lim- itation. However, these proposed Paillier homomorphic-based schemes can only support one-dimensional data aggregation as ever. In addition, some data aggre- gation schemes based on other techniques have been designed. For example, based on modular addition-based encryption, some privacy-preserving aggrega- tion schemes for smart grid communications, for example, 18, 23, have been proposed, which are secure against differential attack by adding Laplace noise to the real measurement. In 22, Jia et al. proposed a privacy-preserving data aggregation scheme in which coefficients of the polynomial are used to hide users’ individual measurements. However, none of the aforementioned schemes can support more than one-dimensional data aggregation simultaneously, which greatly hinders practical applications. Focusing on improving efficiency, we previously proposed an efficient EPPA protocol 13, which supports multidimensional data aggregation. EPPA significantly reduces the computation and communication overheads by encrypt- ing multidimensional data into one single ciphertext. However, because the superincreasing sequence is the key requirement and characteristic of EPPA to support encryption and aggregation of users’ structured data by homomorphic cryptosystem techniques, EPPA may still not support multidimensional large size data aggregation very well. Although our proposed scheme here addresses similar issues, that is, provid- ing efficient, privacy-preserving, and differentially private aggregation in the IoT, in contrast to the above studies, the emphases of our research still have some dif- ferences: (1) Our proposed scheme supports data aggregation of both small and large plaintext space messages (of arbitrary length comparative to the length of the system security parameter) and (2) our proposed scheme is secure against differential attack for both types of data aggregation; thus, it greatly enhances security, and improves efficiency and practicability. 15.8 Summary In this chapter, we have proposed a novel privacy-preserving time series data aggregation scheme for the IoT. The proposed scheme is characterized by ∗ exploiting the properties of groupZ to support data aggregation for both small 2 p and large plaintext spaces at the same time, which thus is more efficient than the traditional one-dimensional data aggregation. Detailed security analysis shows that the proposed scheme is privacy preserving, that is, no one can read each indi- vidual node’s data, and only the control center can read the aggregation results. Furthermore, when the differential privacy technique is applied, the proposed scheme is also secure against differential attacks. Through extensive performancePrivacy-Preserving Time Series Data Aggregation for Internet of Things  403 5 × 10 1.202 1.2015 1.201 1.2005 1.2 1.1995 1.199 1.1985 1.198 Actual data 1.1975 Noisy data (ε = 1) 19:00 19:10 19:20 19:30 19:40 19:50 20:00 (a) Time 5 × 10 1.202 1.2015 1.201 1.2005 1.2 1.1995 1.199 1.1985 1.198 Actual data 1.1975 Noisy data (ε = 2) 19:00 19:10 19:20 19:30 19:40 19:50 20:00 (b) Time 5 × 10 1.202 1.2015 1.201 1.2005 1.2 1.1995 1.199 1.1985 1.198 Actual data 1.1975 Noisy data (ε = 3) 19:00 19:10 19:20 19:30 19:40 19:50 20:00 (c) Time Figure 15.3: Differential privacy for small plaintext space data aggregation; (a) e = 1; (b)e = 2; (c)e = 3. Aggregated sum (kW) Aggregated sum (kW) Aggregated sum (kW)404  Security and Privacy in Internet of Things (IoTs) 6 × 10 6.505 Actual data Noisy data (ε = 1) 6.504 6.503 6.502 6.501 6.5 6.499 6.498 6.497 6.496 6.495 19:00 19:10 19:20 19:30 19:40 19:50 20:00 (a) Time 6 × 10 6.505 Actual data Noisy data (ε = 2) 6.504 6.503 6.502 6.501 6.5 6.499 6.498 6.497 6.496 6.495 19:00 19:10 19:20 19:30 19:40 19:50 20:00 (b) Time 6 × 10 6.505 Actual data Noisy data (ε = 3) 6.504 6.503 6.502 6.501 6.5 6.499 6.498 6.497 6.496 6.495 19:00 19:10 19:20 19:30 19:40 19:50 20:00 (c) Time Figure 15.4: Differential privacy for large plaintext space data aggregation; (a) e e e ee = 1; (b)ee = 2; (c)ee = 3. Aggregated sum (W) Aggregated sum (W) Aggregated sum (W)

Advise: Why You Wasting Money in Costly SEO Tools, Use World's Best Free SEO Tool Ubersuggest.