CDAMA: Concealed Data Aggregation Scheme for Multiple Applications in Wireless Sensor Networks

Yue-Hsun Lin, Shih-Ying Chang, and Hung-Min Sun
Abstract: For wireless sensor networks, a data aggregation scheme that reduces a large amount of transmission is the most practical technique. In previous studies, homomorphic encryptions have been applied to conceal communication during aggregation such that enciphered data can be aggregated algebraically without decryption. Since aggregators collect data without decryption, adversaries are not able to forge aggregated results by compromising them. However, these schemes do not satisfy multi-application environments. Second, these schemes become insecure in case some sensor nodes are compromised. Third, these schemes do not provide secure counting; thus, they may suffer unauthorized aggregation attacks. Therefore, we propose a new concealed data aggregation scheme extended from Boneh et al.'s homomorphic public-key encryption system. The proposed scheme has three contributions. First, it is designed for a multi-application environment: the base station extracts application-specific data from aggregated ciphertexts. Next, it mitigates the impact of compromising attacks in single-application environments. Finally, it reduces the damage from unauthorized aggregations. To demonstrate the proposed scheme's robustness and efficiency, we also conduct comprehensive analyses and comparisons in the end.

Index Terms: Concealed data aggregation, elliptic curve cryptography, homomorphic encryption, wireless sensor networks

1 INTRODUCTION
Wireless sensor networks (WSNs) consist of thousands of sensor nodes (SN) that gather data from deployed environments. Currently, there are plenty of rich applications proposed for WSNs, such as environment monitoring, accident reporting, and military investigation [1]. Depending on the purpose of each application, SN are customized to read different kinds of data (e.g., temperature, light, or smoke). Typically, SN are restricted in resources due to limited computational power and low battery supply; thus, energy-saving techniques must be considered when we design the protocols. For better energy utilization, cluster-based WSNs [2] have been proposed. In cluster-based WSNs, SN resident in a nearby area form a cluster and select one among them to be their cluster head (CH). The CH organizes the data pieces received from SN into an aggregated result, and then forwards the result to the base station along regular routing paths. Generally, aggregative operations are algebraic, such as the addition or multiplication of received data, or statistical, such as the median, minimum, or maximum of a data set [3].
Although data aggregation can significantly reduce transmission, it is vulnerable to some attacks. For instance, compromising a CH allows adversaries to forge aggregated results [4], just as if all its cluster members had been compromised. To solve this problem, several studies, such as delayed aggregation [5], SIA [3], ESPDA [6], and SRDA [7], have been proposed.
An alternative approach to this problem is to aggregate encrypted messages directly from SN, thereby avoiding the forgery of aggregated results. Since CHs are not capable of encrypting messages, compromising a CH gains nothing for forging aggregated results. Based on this concept, Wu et al. [8] proposed allowing CHs to classify encrypted data without decrypting them. Following this concept, Westhoff et al. [9] and Girao et al. [10] proposed concealed data aggregation (CDA) supporting richer operations on aggregation. Unlike Wu et al.'s work, CDA utilizes privacy homomorphic encryption (PH) to facilitate aggregation over encrypted data. By leveraging the additive and multiplicative homomorphism properties, CHs are able to execute algebraic operations on encrypted numeric data. Further, Mykletun et al. [11] adopted several public-key-based PH encryptions to construct their systems. In similar fashion, Girao et al. [12] extended the ElGamal PH encryption to construct theirs.
In this paper, the proposed scheme, called CDAMA, provides CDA between multiple groups. Basically, CDAMA is a modification of Boneh et al.'s [13] PH scheme. Here, we also suppose three practical application scenarios for CDAMA, all of which can be realized only by CDAMA.
The first scenario is designed for multi-application WSNs. In practice, SN having different purposes, e.g., smoke alarms and thermometer sensors, may be deployed in the same environment. If we apply conventional concealed data aggregation schemes [9], [10], [11], [12], [14], the ciphertexts of different applications cannot be aggregated together; otherwise, the decrypted aggregated result will be incorrect. The only solution is to aggregate the ciphertexts of different applications separately. As a result, the transmission cost grows as the number of applications increases. With CDAMA, the ciphertexts from different applications can be encapsulated into only one ciphertext, and the base station can still extract the application-specific plaintexts via the corresponding secret keys.
The second scenario is designed for single-application WSNs. Compared with conventional schemes [9], [10], [11], [12], CDAMA mitigates the impact of compromising SN through the construction of multiple groups. An adversary can forge data only in the compromised groups, not in the whole system.
The last scenario is designed for secure counting capability. In previous schemes, the base station cannot tell from the decrypted aggregated result how many messages were aggregated; without this count knowledge it is exposed to maliciously selective aggregation and repeated aggregation. In CDAMA, the base station knows exactly the number of messages aggregated and can thereby detect the above attacks.
The remainder of this paper is organized as follows. In Section 2, the system model is described, including the aggregation model and the attack model. Section 3 introduces preliminaries for understanding the proposed scheme, CDAMA. In Section 4, we describe the construction of CDAMA in detail. In Section 5, we show the potential applications of CDAMA. In Section 6, we discuss several practical issues that may occur when applying CDAMA to a WSN. In Section 7, a comparison between CDAMA and other schemes is given. Section 8 evaluates the performance of CDAMA. Finally, we conclude in Section 9.

Y.-H. Lin is with CyLab, Carnegie Mellon University, CIC 2313D, 4720 Forbes Ave, Pittsburgh, PA 15213. E-mail: tenma.lin@gmail.com.
S.-Y. Chang is with Information and Communication Research Laboratories, Industrial Technology Research Institute, Rm. 254, Bldg. 11, 2F, 195, Sec. 4, Chung Hsing Rd., Chutung, HsinChu, Taiwan 31040, ROC. E-mail: godspeed@is.cs.nthu.edu.tw, sychang@is.cs.nthu.edu.tw.
H.-M. Sun is with the Department of Computer Science, National Tsing Hua University, 640-2 EECS, No. 101, Section 2, Kuang-Fu Road, Hsinchu, Taiwan 30013. E-mail: hmsun@cs.nthu.edu.tw.
Manuscript received 22 Nov. 2010; revised 18 July 2011; accepted 23 Apr. 2012; published online 30 Apr. 2012. Recommended for acceptance by B.C. Ooi. For information on obtaining reprints of this article, please send e-mail to: tkde@computer.org, and reference IEEECS Log Number TKDE-2010-11-0615. Digital Object Identifier no. 10.1109/TKDE.2012.94.
IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, VOL. 25, NO. 7, JULY 2013, p. 1471. 1041-4347/13/$31.00 2013 IEEE. Published by the IEEE Computer Society.

2 SYSTEM MODEL
Here, we state two models for further use: the aggregation model and the attack model. The aggregation model defines how aggregation works; the attack model defines what kinds of attacks a secure data aggregation scheme should protect against.
2.1 Aggregation Model
In WSNs, SN collect information from the deployed environment and forward it back to the base station (BS) via multihop transmission based on a tree or a cluster topology. The accumulated transmission carries a large energy cost for intermediate nodes. To increase the network lifetime, tree-based or cluster networks make the intermediate nodes (a subtree root or a cluster head) perform aggregation, i.e., act as aggregators (AG). After aggregation is done, AGs forward the results to the next hop. In general, the data can be aggregated via algebraic operations (e.g., addition or multiplication) or statistical operations (e.g., median, minimum, maximum, or mean). For example, an AG can simply forward the sum of the numerical data received instead of forwarding all data to the next hop.
2.2 Attack Model
First of all, we categorize the adversary's abilities as follows:
1. Adversaries can eavesdrop on transmitted data in a WSN.
2. Adversaries can send forged data to any entity in a WSN (e.g., SN, AG, or BS).
3. Adversaries can compromise secrets in SNs or AGs by capturing them.
Second, we define the following attacks to qualify the security strength of a CDA scheme. Part of these attacks refer to Peter et al.'s analysis [15]. Based on the adversary's abilities and purposes, we further classify these attacks into three categories.
In the first category, A, an adversary wants to deduce the secret key (i.e., to decrypt arbitrary ciphertexts). Category A consists of four attacks that are commonly used in qualifying an encryption scheme. In practice, the first two attacks are feasible in WSNs [15]. Here, we use them to qualify the underlying homomorphic encryption schemes. In category B, an adversary wants to send forged messages to cheat the BS even though she does not know the secret key. This category consists of two attack scenarios based on specific features of PH schemes. The last category, C, consists of three attacks and considers the impact of node-compromising attacks. The first attack is the case of compromising an AG, and the last two attacks are cases of compromising an SN. We discuss them separately because they store different secrets in the PH schemes.
A1. Ciphertext-only attack. An adversary can deduce the key from only the encrypted messages.
A2. Known-plaintext attack. Given some samples of plaintext and their ciphertext, an adversary can deduce the key or decrypt any ciphertext.
A3. Chosen-plaintext attack. Given some samples of chosen plaintext and their ciphertext, an adversary can deduce the key or decrypt any ciphertext.
A4. Chosen-ciphertext attack. Given some samples of chosen ciphertext and their plaintext, an adversary can deduce the key or decrypt any ciphertext she has not chosen before. The model is CCA1, also called the lunchtime attack [16].
B1. Unauthorized aggregation. An adversary can aggregate sniffed ciphertexts into forged but format-valid ciphertexts.
B2. Malleability. An adversary can alter the content of a ciphertext. For example, she can add a numeric value to a ciphertext in such a way that the corresponding plaintext is increased by that value. Different from unauthorized aggregation, the value can be chosen arbitrarily and is not limited to the eavesdropped ciphertexts.
C1. B1/B2 under compromised AG. When an adversary captures an AG and compromises its secret, she can use it to launch B1/B2 attacks with a higher probability of success.
C2. Unauthorized decryption under compromised SN. When an adversary captures an SN and compromises its secret, she can decrypt not only the ciphertexts from that SN but also the ciphertexts from the other remaining SNs. Asymmetric schemes can defend against unauthorized decryption under compromised secrets because knowing the public key is useless for decryption.
C3. Unauthorized encryption under compromised SN. When an adversary captures an SN and compromises its secret, she can impersonate not only that SN but also the other remaining SNs to generate legal ciphertexts.
Based on the above attacks, we analyze all previous CDA schemes and CDAMA in Section 7.
3 PRELIMINARIES
3.1 Privacy Homomorphic Cryptosystem
Privacy homomorphic encryption (PH) is an encryption scheme with a homomorphic property. The homomorphic property implies that algebraic operations on plaintexts can be executed by manipulating the corresponding ciphertexts; for instance,
$$D_K\big(E_K(m_1) \circ E_K(m_2)\big) = m_1 \ast m_2,$$
where $E_K(\cdot)$ is the encryption with key $K$, $D_K(\cdot)$ is the decryption with key $K$, and $\circ$ and $\ast$ denote the operations on ciphertexts and plaintexts, respectively. In general, the operations $\circ$ and $\ast$ can be addition, multiplication, and so on.
Similar to conventional encryption schemes, PH schemes are classified as symmetric cryptosystems when the encryption and decryption keys are identical, or asymmetric cryptosystems (also called public-key cryptosystems) when the two keys are different. Symmetric PH schemes, such as the Domingo-Ferrer scheme [17] or Castelluccia et al.'s scheme [14], are usually more competitive in terms of efficiency than asymmetric schemes. The most notable asymmetric PH schemes are based on elliptic curve cryptography (ECC). Compared with RSA cryptosystems, ECC provides the same security with a shorter key size and shorter ciphertexts: a 160-bit ECC cryptosystem provides the same security as a 1,024-bit RSA cryptosystem [18]. In energy-constrained WSNs, constructing PH via ECC is more efficient. Up to now, the PH schemes on ECC include elliptic curve Okamoto-Uchiyama (EC-OU), elliptic curve Naccache-Stern, elliptic curve Paillier, and elliptic curve ElGamal encryption schemes (EC-EG) [11].
3.2 CDA Based on PH
Conventional hop-by-hop aggregation schemes are insecure because an adversary who compromises the secret of an AG is able to forge aggregated results as if he had compromised all the AG's child nodes. To diminish this impact, PH schemes have been applied to WSNs [9], [10], [11], [12], [14]. With PH schemes, SNs encrypt their sensed readings and allow AGs to homomorphically aggregate the ciphertexts without decryption. Therefore, compromising AGs gives no advantage in forging aggregated results.
Westhoff et al. [9] and Girao et al. [10] proposed CDA based on symmetric PH to facilitate the aggregation of encrypted data. In contrast to symmetric PH constructions, Mykletun et al. [11] adopted public-key-based PH to construct their systems, and Girao et al. [12] extended the ElGamal PH encryption to construct an aggregation scheme. In these schemes, because all SN in a network share only a common key for encryption [9], [10], [11], [12], an adversary can forge the aggregated results by simply compromising one SN. To solve this problem, Castelluccia et al. [14] proposed an encryption scheme similar to a one-time pad. In each transmission, an individual SN generates a temporary key from a pseudo-random number generator (PRNG) and adds its message to the key under a modulus. The AG aggregates those ciphertexts through modular addition, and the BS decrypts the received ciphertext by modular subtraction of all the temporary keys. If an adversary wants to forge aggregated results, he must compromise all SNs. However, their scheme cannot prevent the adversary from injecting forged data packets into the legitimate data flow. In addition, key synchronization must be guaranteed because each SN must rekey after each encryption.
3.3 BGN Scheme
In 2006, Boneh et al. [13] proposed a public-key PH scheme, which integrates the Paillier [19] and Okamoto-Uchiyama [20] encryption schemes. We call it BGN for simplicity. BGN provides additive and multiplicative homomorphism. Since the multiplicative property, based on the bilinear pairing [13], is far too expensive and inefficient for SNs [21], we only utilize the additive homomorphism of BGN. In this paper, we first provide a possible application for BGN, data aggregation. Furthermore, we modify BGN to fit a multigroup construction for stronger security and better applicability in CDA. The details of BGN are described in Fig. 1.
BGN is constructed on a cyclic group of elliptic curve points. Precisely, these points form an algebraic group whose identity element is the point at infinity, $O$ [22]. The notation $\mathrm{ord}(P)$ denotes the order of a point $P$: supposing $\mathrm{ord}(P) = q$, $q$ is the minimum positive integer that satisfies $q \cdot P = O$. In the KEYGEN function, the order of the curve $E$ is the number of points in $E$. The detailed construction of $E$ is depicted in Section 6.3.
The ENC function is based on point addition and scalar multiplication over the points $G$ and $H$. As we can see, the ciphertext is composed of the message part (the scalar of the point $G$) and the secure randomness (the scalar of the point $H$). Due to the homomorphic property, the AGG function aggregates ciphertexts via point addition; it is trivial to see that the scalar values of the point $G$ are added in the end, yielding the sum of the corresponding messages. Consequently, the final result will have the form $M \cdot G + R \cdot H$, where $M$ is the sum of the messages and $R$ is the sum of the randomness. The DEC function decrypts the aggregated result to obtain the plaintext value $M$. Recall that the orders of the points $G$ and $H$ are different. Hence, the DEC function removes the randomness of the point $H$ by multiplying the result by the private key (i.e., $\mathrm{ord}(H)$). Now the ciphertext contains only a multiple of $G$ (i.e., $\mathrm{ord}(H) \cdot M \cdot G$), so that we can apply the discrete logarithm to retrieve the value $M$. Because $M$ is bounded by a small plaintext space $T$, this discrete logarithm can be solved by Pollard's $\lambda$ method in $O(\sqrt{T})$ time.
Now, we use a brief instance to explain how BGN works in CDA. When sensor $S_1$ gets its sensed reading $M_1$, $S_1$ performs the ENC function to encrypt $M_1$ as ciphertext $C_1$. After that, $S_1$ sends $C_1$ to its aggregator AG. Once the AG has received all ciphertexts $C_1, \ldots, C_w$ from its child nodes $S_1, \ldots, S_w$, it aggregates $C_1$ to $C_w$ by executing $(w - 1)$ recursive AGG operations on all ciphertexts received, e.g., $\mathrm{AGG}(\cdots \mathrm{AGG}(\mathrm{AGG}(C_1, C_2), C_3) \cdots, C_w)$. Then, the AG sends the aggregated result to the next aggregator. Finally, the BS decrypts the aggregated result through the DEC function with the private key $SK$.
4 CDAMA
BGN is implemented by using two points of different orders, so that the effect of one point can be removed by multiplying the aggregated ciphertext by the order of that point, after which the scalar of the other point can be obtained. Based on the same logic as BGN, CDAMA is designed by using multiple points, each of a different order. We can obtain the scalar of one specific point by removing the effects of the remaining points (i.e., multiplying the aggregated ciphertext by the product of the orders of the remaining points). The security of both CDAMA and BGN is based on the hardness assumption of the subgroup decision problem, whereas CDAMA requires a more precise security analysis for parameter selection, discussed in Section 6.2. We use CDAMA (k = 2) to explain how it works in multiple groups.
4.1 CDAMA (k = 2) Construction
Assume that all SNs are divided into two groups, $G_A$ and $G_B$. CDAMA contains four procedures: key generation, encryption, aggregation, and decryption, listed in Fig. 2. As we can see, CDAMA (k = 2) is implemented by using three points $P$, $Q$, and $H$ whose orders are $p_1$, $p_2$, and $p_3$, respectively. The scalars of the first two points carry the aggregated messages in $G_A$ and $G_B$, respectively, and the scalar of the third point carries randomness for security. As shown in the DEC functions, by multiplying the aggregated ciphertext by $p_2 p_3$ (i.e., the $SK$ of $G_A$), the scalar of the point $P$ carrying the aggregated message in $G_A$ can be obtained. Similarly, by multiplying the aggregated ciphertext by $p_1 p_3$ (i.e., the $SK$ of $G_B$), the scalar of the point $Q$ carrying the aggregated message in $G_B$ can be obtained. In this way, the encryptions of the messages of the two groups can be aggregated into a single ciphertext, while the aggregated message of each group can be obtained by decrypting the ciphertext with the corresponding $SK$.
Considering deployment, the private keys should be kept secret and known only by the BS. SNs in the same group share the same group public key, and no entity outside the group knows that group public key. How to securely deliver the public keys to the different groups of SNs will be discussed later in Section 4.4. Another major change is the decryption procedure: by performing individual decryptions, the BS extracts the individual aggregated results of the different groups from one aggregated ciphertext.
4.2 A Concrete Example
Now, we use an instance to describe how CDAMA (k = 2) works. In Fig. 3, a WSN consists of six SNs and four AGs. After deployment, they form three clusters. Each SN belongs to either application A or B. Without loss of generality, sensors $A_1$, $A_2$, and $A_3$ perform application A and keep the public key $PK_A = (n, E, P, H, T_A)$. The others, $B_1$, $B_2$, and $B_3$, keep $PK_B = (n, E, Q, H, T_B)$. Four aggregators, $AG_1$ to $AG_4$, are deployed to gather messages from their child nodes. To simplify the example, we set the orders of $P$, $Q$, and $H$ to small numbers. We assume $|p_1| = |p_2| = |p_3| = 10$, e.g., $\mathrm{ord}(P) = p_1 = 521$, $\mathrm{ord}(Q) = p_2 = 523$, $\mathrm{ord}(H) = p_3 = 541$, and $n = p_1 p_2 p_3 = 147{,}413{,}303$, where $|p_i|$ is the bit size of $p_i$. Moreover, we assume $T = 128$ and $w = 3$ sensors per group, such that the maximal sensed value in both applications is at most $\lfloor T/w \rfloor = 42$ (i.e., $T_A = T_B = 42$).
We assume the messages of these sensors are $M_{A_1} = 13$, $M_{A_2} = 21$, $M_{A_3} = 10$, $M_{B_1} = 32$, $M_{B_2} = 17$, and $M_{B_3} = 24$. They are encrypted to the corresponding ciphertexts. After aggregation by the AGs, the BS receives the final aggregated result $R_4$ whose value is $36P + 73Q + 195{,}121{,}825H = 36P + 73Q + 437H$, since $541H = O$ and $195{,}121{,}825 \equiv 437 \pmod{541}$. The aggregated result in application A, $M_A = M_{A_1} + M_{A_2} + M_{A_3} = 36$, can be obtained by decrypting $R_4$ using $SK_A = p_2 p_3$ in the following steps:
1. Compute $p_2 p_3 \cdot R_4 = 282{,}943 \cdot (36P + 73Q + 437H) = 10{,}185{,}948\,P = 398P$, where $521P = 523Q = 541H = O$. The $Q$ and $H$ terms vanish because $p_2$ and $p_3$ both divide $282{,}943$, and $10{,}185{,}948 \equiv 398 \pmod{521}$.
2. $M_A = \log_{\tilde{P}}(p_2 p_3 \cdot R_4) = \log_{\tilde{P}} 398P$, where $\tilde{P} = p_2 p_3 \cdot P = 40P$ because $282{,}943 \equiv 40 \pmod{521}$ and $521P = O$. Since $M_A = \log_{\tilde{P}} 398P$, we have $M_A \cdot \tilde{P} = M_A \cdot (40P) = 398P$, i.e., $40\,M_A \equiv 398 \pmod{521}$.
3. Finally, through Pollard's $\lambda$ method, $M_A = 36$ is obtained by the BS (check: $40 \cdot 36 = 1440 \equiv 398 \pmod{521}$).
Similarly, the BS can extract the aggregated result $M_B$ in application B by computing the discrete logarithm of $p_1 p_3 \cdot R_4$ to the base point $\tilde{Q} = p_1 p_3 \cdot Q$.
Fig. 1. BGN scheme.
4.3 Generalization of CDAMA
CDAMA (k = 2) can be generalized to CDAMA (k > 2). The paradigm of generalization uses different generators to construct different key pairs for the groups. The generalized CDAMA is shown in Fig. 4.
For security reasons, the order of $E$ should be large enough. Therefore, when $k$ becomes large, the length of the ciphertext also expands. The analysis of this overhead is given in Section 6.2. For multi-application WSNs, the SNs belonging to one specific application are assigned the same group public key. Under CDAMA, the ciphertexts from different applications can be aggregated together, but they are not mixed: the ciphertexts are integrated into one ciphertext and transmitted to the BS, and the BS then individually decrypts the aggregated ciphertext to extract the aggregated value of each application.
4.4 Key Distribution
At the end of this section, we briefly address how to deliver the group public keys to SNs securely. There are two main approaches.
Fig. 2. Procedures of CDAMA (k = 2).
Fig. 3. A concrete example of CDAMA (k = 2).
Key predistribution. If we know the locations of the deployed SNs, we can preload the necessary keys and functions into SNs and AGs so that they work correctly after being spread out over a geographical region.
Key postdistribution. Before SNs are deployed to their geographical region, they know nothing about CDAMA keys. These SNs only load the key shared with the BS prior to their deployment, such as the individual key in LEAP [23] and the master secret key in SPINS [24]. Once these SNs are deployed, they can run the LEACH protocol [2] to elect the AGs and construct clusters. After that, the BS sends the corresponding CDAMA keys, encrypted by the preshared key, to the SNs and AGs. Note that, unlike an ordinary public key, a CDAMA group public key must stay confidential to its group (Section 4.1), so this delivery has to be encrypted and not merely integrity-protected.
5 APPLICATIONS
In this section, we propose three applications that are realized only by the CDAMA multigroup construction.
5.1 Multi-Application WSNs
Compared with multi-application WSNs, the single-application scenario is more commonly discussed in WSNs. However, the scenario of multiple applications working concurrently is more realistic in most cases. Study [25] indicates that deploying multiple applications in a shared WSN can reduce system cost and improve system flexibility, because an SN supports multiple applications and can be assigned to different applications dynamically. For example, UC Berkeley's MICA node is capable of sensing different data, e.g., temperature, light, accelerometer, and magnetometer readings.
For instance, three different kinds of SNs, smoke detectors, temperature collectors, and light detectors, are deployed in the same building. Fig. 5 shows this typical case. Each room contains an AG and some SNs. A big challenge for the AGs, $AG_1$ to $AG_4$, is to aggregate the sensed readings from the different applications into a mixed aggregated result. Unfortunately, two limitations make the aggregation more difficult:
1. To maintain data privacy and reduce the communication overhead, sensed readings should be encrypted by SNs and the corresponding ciphertexts must be aggregated. A solution satisfying this requirement has already been proposed, called CDA.
2. Even if aggregation on ciphertexts is possible, multi-application aggregation is still hard because decryption cannot extract an application-specific aggregated result from a mixed ciphertext.
We have already shown in Section 4 that the proposed scheme, CDAMA, meets the two requirements mentioned above. More specifically, CDAMA (k = k') can support k' applications in a WSN.
Fig. 4. Procedures of generalized CDAMA.
Fig. 5. A multi-application WSN example.
5.2 Conventional Aggregation Model with Multiple Groups
Interestingly, applying CDAMA to the conventional aggregation model can mitigate the impact of compromising attacks. Fig. 6 shows an example of this case. In Fig. 6, all SNs are in the same application, e.g., fire alarm, but they can be arranged into two groups through the CDAMA construction. Each group is assigned a distinct group public key. Once an adversary compromises an SN in group A, it only reveals $PK_A$, not $PK_B$. Since the adversary can only forge messages in group A, not in group B, the SNs in group B can still communicate safely. The ideal case is that CDAMA assigns every node its own group, resulting in the strongest security CDAMA can offer. However, this is impractical because the size of the ciphertext becomes extremely large when we construct a huge number of groups. Thus, assigning a reasonable number of groups to a single application not only keeps the overhead acceptable but also mitigates the impact of compromising attacks. Section 6.2 provides a more detailed explanation of this issue.
5.3 Aggregation with Secure Counting
The main weakness of asymmetric CDA schemes is that an AG can manipulate aggregated results without any encryption capability. An AG is able to increase the value of the aggregated result by aggregating the same ciphertext of a sensed reading repeatedly, or to decrease the value by selective aggregation. Since the BS does not know the exact number of ciphertexts aggregated (here called the count), repeated or selective aggregation may go unnoticed (see the details of unauthorized aggregation in Section 7). To avoid this problem, we adopt the CDAMA (k = 2) scheme to provide secure counting for the single-application case, i.e., the BS knows exactly how many sensed readings were aggregated when it receives the final result. As shown in Fig. 7, the BS obtains the aggregated result $M$ and its count. If a malicious AG launches unauthorized aggregations, such as repeated or selective aggregation, the count changes to a value bigger or smaller than the reference count (e.g., the number of deployed sensors). Since the AG does not know the base points $P$ and $Q$, repeated or selective aggregation has to alter the count and $M$ simultaneously; it cannot alter $M$ without changing the count. Meanwhile, since the BS knows the number of deployed sensors by gathering topology information, it can detect unauthorized aggregation from the value of the count.
Moreover, the concept can be extended to k' applications by a CDAMA (k = 2k') system. For each application, one group sums its messages and the other group counts the number of messages aggregated. As a result, unauthorized aggregation by AGs can be mitigated. Although this mechanism fails after an SN has been compromised (revealing the base point $Q$), it nevertheless mitigates unauthorized aggregation by AGs, which most asymmetric schemes cannot achieve.
Fig. 6. Two groups for a single application.
Fig. 7. Secure counting procedures of CDAMA (k = 2) for a single application.
6 DISCUSSION
In this section, we discuss several issues in CDAMA, including efficient implementation, ciphertext length, and curve selection. The first is efficient computation. Since many operations in CDAMA are based on scalar multiplication of elliptic curve points, techniques that accelerate scalar multiplication enhance the performance of CDAMA. In addition, the length of ciphertexts is discussed because we have to decide the lower bound of the ciphertext length for sufficient security. The last part describes the method of generating suitable curves for CDAMA.
6.1 Efficient Scalar Multiplication
In CDAMA, the efficiency of encryption and decryption depends on the performance of scalar multiplication on elliptic curves. Decryption is not considered here because a BS is assumed to be as powerful as a workstation. Given a random elliptic curve point $P$, we calculate $k \cdot P$ for a given integer $k$ by scalar multiplication. Fortunately, previous literature [26], [27], [28] shows that scalar multiplication is quite efficient even on SNs: on an 8-MHz 8-bit processor [26], a single 160-bit scalar multiplication takes only 93.78 mJ (millijoules). In addition, there are several techniques that speed up scalar multiplication [29]. Some well-known techniques are listed as follows:
1. Using endomorphism structures.
2. Using a different representation of the scalar, such as the nonadjacent form (NAF).
3. Using different coordinates, such as projective coordinates.
4. Choosing optimal extension fields.
Through these techniques, encryption operations can be accelerated.
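As an added illustration of the second technique (not code from the paper), the block below computes the nonadjacent form of a scalar and compares a left-to-right double-and-add with the NAF double-and-add/subtract on an abstract group. The group is again $\mathbb{Z}_n$ with the toy order of Section 4.2 so that every result can be checked against plain multiplication; the class and function names are assumptions of this example. The point of NAF is that negation is free on an elliptic curve (negate the $y$-coordinate), so a subtraction costs one point addition, and the signed-digit expansion has on average about one third non-zero digits instead of one half.

```python
"""Non-adjacent form (NAF) scalar multiplication, the second technique listed
above. Added illustration, not the paper's code. The group is abstract
(identity, add, neg, double); here it is Z_n with the toy order of
Section 4.2 so results can be checked against plain multiplication.
Point negation is free on an elliptic curve (negate y), so a subtraction
costs one addition; NAF trades a denser binary expansion for a signed-digit
one with fewer non-zero digits."""


class ToyGroup:
    """Additive group Z_n standing in for the curve group."""

    def __init__(self, n):
        self.n = n
        self.identity = 0

    def add(self, x, y):
        return (x + y) % self.n

    def neg(self, x):
        return (-x) % self.n

    def double(self, x):
        return (2 * x) % self.n


def naf(k):
    """Signed digits d_i in {-1, 0, 1}, least significant first, with no two
    adjacent non-zero digits, such that sum(d_i * 2**i) == k."""
    digits = []
    while k > 0:
        if k & 1:
            d = 2 - (k & 3)         # 1 if k = 1 (mod 4), -1 if k = 3 (mod 4)
            k -= d
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits


def scalar_mul_binary(k, point, g):
    """Left-to-right double-and-add. Returns (k*point, doublings, additions)."""
    acc, dbl, adds = g.identity, 0, 0
    for bit in bin(k)[2:]:
        acc, dbl = g.double(acc), dbl + 1
        if bit == "1":
            acc, adds = g.add(acc, point), adds + 1
    return acc, dbl, adds


def scalar_mul_naf(k, point, g):
    """Left-to-right NAF double-and-add/subtract. Same return shape."""
    acc, dbl, adds = g.identity, 0, 0
    minus_point = g.neg(point)
    for d in reversed(naf(k)):
        acc, dbl = g.double(acc), dbl + 1
        if d == 1:
            acc, adds = g.add(acc, point), adds + 1
        elif d == -1:
            acc, adds = g.add(acc, minus_point), adds + 1
    return acc, dbl, adds


def average_additions(bits, g, point):
    """Average number of additions per scalar multiplication over every
    scalar of exactly `bits` bits, binary versus NAF (about bits/2 vs bits/3)."""
    lo, hi = 1 << (bits - 1), 1 << bits
    tot_bin = tot_naf = 0
    for k in range(lo, hi):
        tot_bin += scalar_mul_binary(k, point, g)[2]
        tot_naf += scalar_mul_naf(k, point, g)[2]
    count = hi - lo
    return tot_bin / count, tot_naf / count


if __name__ == "__main__":
    g = ToyGroup(147_413_303)
    for k in (255, 0b1011011, 2 ** 20 - 1):
        print(k, naf(k), scalar_mul_binary(k, 282_943, g), scalar_mul_naf(k, 282_943, g))
    print(average_additions(10, g, 282_943))
```

The scalar 255 makes the trade-off visible: binary needs 8 doublings and 8 additions, NAF needs 9 doublings but only 2 additions (256 minus 1). On a real curve the additions are the expensive part for an SN, which is why the technique pays off there; on the toy group both operations are a single modular multiplication and only the counts matter.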
6.2 Size of Ciphertexts
The size of ciphertexts is another metric for performance and cost evaluation. In CDAMA, a ciphertext is stored as a compressed elliptic curve affine point. If the finite field of the elliptic curve is $\mathbb{F}_p$, the size of a ciphertext is $|p| + 1$ bits, because we only store the $x$-coordinate of the curve point plus one additional bit for the sign of the $y$-coordinate. On the other hand, CDAMA requires specific curves of a given order. If we construct a curve with a given order, how can we estimate the bit length of the finite field, i.e., $|p|$ in $\mathbb{F}_p$? Based on Theorem 1, the size of the finite field of a curve is bounded by its order.
Theorem 1 (Hasse-Weil Theorem [22]). Let $E$ be an elliptic curve over the finite field $\mathbb{F}_p$. The order of $E$, denoted $\#E(\mathbb{F}_p)$, satisfies
$$p + 1 - 2\sqrt{p} \;\le\; \#E(\mathbb{F}_p) \;\le\; p + 1 + 2\sqrt{p}.$$
Theorem 1 also implies the following fact. Given a specific order $N = \#E(\mathbb{F}_p)$, the two inequalities rearrange to $(\sqrt{p} - 1)^2 \le N \le (\sqrt{p} + 1)^2$, so the field size $p$ of the curve $E$ lies in the interval $[\,N + 1 - 2\sqrt{N},\; N + 1 + 2\sqrt{N}\,]$. Consequently, the size of the ciphertext is proportional to the order of the curve, since $|N + 1 \pm 2\sqrt{N}|$ is almost the same as $|N|$. The size of a ciphertext is therefore $|p| + 1 \approx |N| + 1$ bits.
Since CDAMA is a modification of the BGN scheme, CDAMA's security is based on the hardness of factoring the order $n$, which is a product of $k + 1$ prime numbers when there are $k$ groups. For example, $n$ is equal to $q_1 \cdots q_k \cdot q_{k+1}$, where $q_1, \ldots, q_k, q_{k+1}$ are $k + 1$ different prime numbers. Without loss of generality, we assume $q_1, \ldots, q_k, q_{k+1}$ have the same bit length. The main question is how to decide the lower bound of $|q_i|$ for sufficient security in CDAMA. For factoring big composite integers, the fastest algorithm is the Number Field Sieve (NFS); however, NFS can only factor effectively composite integers that are composed of two factors. As suggested by [30], the Elliptic Curve Method (ECM) is the most efficient factorization algorithm for composite integers which contain more than two factors. In 2010, the largest factor found by ECM [31] had 73 decimal digits, less than 256 bits. In other words, if we generate a product of several 256-bit prime numbers, there is no efficient approach to factor this product.
In CDAMA ($k \ge 2$), we choose $n = q_1 \cdot q_2 \cdots q_k \cdot q_{k+1}$, where $|q_i| \ge 256$, $\forall i$. For instance, if we have three groups, the order of the curve, $n$, is set as $q_1 \cdots q_4$, where all $q_i$ are 256-bit prime numbers. Hence, $n$ is approximately a 1,024-bit composite number. By Theorem 1, the order of a curve is approximately equal to the size of the underlying finite field $F_p$. Therefore, the size of ciphertexts is $|p| + 1 = |\#E(F_p)| + 1 = 1{,}025$ bits. We can conclude that the size of ciphertexts equals $(k + 1) \cdot 256 + 1$ bits when there are $k$ groups in CDAMA. In practice, the size of a ZigBee payload is at most 102 bytes [32]. The ciphertext of CDAMA ($k = 2$) can fit into a single ZigBee packet without fragmentation, whereas CDAMA with a greater $k$ has to consider the extra cost of retransmitting lost fragments.
6.3 Generating Suitable Curves
The main challenge of constructing CDAMA is generating the set of elliptic curve points with a given order, i.e., generating curves with given orders. The BGN scheme adopts pairing-friendly curves (also called supersingular curves) to construct their scheme because bilinear pairing is necessary under their construction [33]. However, these curves are not computationally efficient because the length of the underlying field doubles; if the given order is $k$-bit long, the underlying prime field requires $2k$ bits.
In CDAMA, we select a different approach, because bilinear pairing is no longer required and, on pairing-friendly curves, the length of the prime field doubles with respect to the given order. To find suitable curves for CDAMA, we select Bröker's [34] approaches to generate the desired curves. Generated curves all follow the Hasse-Weil Theorem; the prime $p$ of the finite field $F_p$ lies within $n + 1 \pm 2\sqrt{n}$, where $n$ is the given order. Hence, the underlying field $p$ has the same bit length as the given order $n$. For generating curves with given orders, Bröker provides two methods, a heuristic method and another one based on complex multiplication (CM). Their performances are similar. To describe the idea, we show the heuristic method in the supplementary material, which can be found on the Computer Society Digital Library at http://doi.ieeecomputersociety.org/10.1109/TKDE.2012.94.
For instance, we generate a suitable curve for the example in Section 4.2. The given order $n$ is 147,413,303. After running the algorithm, the prime $p$ is 147,401,173 and the curve is $y^2 = x^3 + 69270134x + 78131039$ over $F_p$. This curve contains a group of 147,413,303 points.
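As an added example (not the paper's code), the following Python script performs the Section 6 checks on the curve generated above: it tests the Hasse-Weil relation between $n$ and $p$ in integers, computes the CDAMA ciphertext size $(k + 1) \cdot 256 + 1$ and whether it fits a 102-byte ZigBee payload, and, with textbook affine arithmetic and double-and-add, verifies that $n \cdot P = O$ for a point $P$ found on the curve. The curve coefficients are read from the page with both signs assumed positive, and all helper names are my own.

```python
"""Added sanity checks for the CDAMA curve parameters of Section 6 (not the
paper's code). Assumed notation: n is the composite order q_1 * ... * q_{k+1},
p is the prime of F_p, and a ciphertext is one affine point (|p| + 1 bits)."""

# Example curve from Section 6.3 (values from the page; the extraction dropped
# the operators, so both curve coefficients are assumed to be added).
EXAMPLE_P = 147_401_173
EXAMPLE_N = 147_413_303
EXAMPLE_A = 69_270_134
EXAMPLE_B = 78_131_039
ZIGBEE_MAX_PAYLOAD_BYTES = 102  # Section 6.2, IEEE 802.15.4 [32]

def order_consistent_with_field(n: int, p: int) -> bool:
    """Hasse-Weil (Theorem 1): |p + 1 - n| <= 2*sqrt(p), checked in integers."""
    t = p + 1 - n
    return t * t <= 4 * p

def cdama_ciphertext_bits(k: int, prime_bits: int = 256) -> int:
    """|p| + 1 bits with |p| ~ |n| = (k + 1) * prime_bits (Section 6.2)."""
    return (k + 1) * prime_bits + 1

def fits_single_zigbee_frame(k: int) -> bool:
    """True if a CDAMA ciphertext for k groups needs no fragmentation."""
    return (cdama_ciphertext_bits(k) + 7) // 8 <= ZIGBEE_MAX_PAYLOAD_BYTES

def sqrt_mod(v: int, p: int):
    """Tonelli-Shanks: r with r*r == v (mod p), or None if v is a non-residue."""
    v %= p
    if v == 0:
        return 0
    if pow(v, (p - 1) // 2, p) != 1:
        return None
    if p % 4 == 3:
        return pow(v, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:  # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(v, q, p), pow(v, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def ec_add(P, Q, a: int, p: int):
    """Affine addition on y^2 = x^3 + a*x + b over F_p; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P); also covers doubling a point with y == 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def scalar_mult(m: int, P, a: int, p: int):
    """Left-to-right double-and-add: the k * P operation behind CDAMA encryption."""
    R = None
    for bit in bin(m)[2:]:
        R = ec_add(R, R, a, p)
        if bit == "1":
            R = ec_add(R, P, a, p)
    return R

def find_point(a: int, b: int, p: int):
    """Deterministic sample point: the affine point with the smallest x."""
    for x in range(p):
        y = sqrt_mod(x ** 3 + a * x + b, p)
        if y is not None:
            return x, y

def check_example_curve() -> dict:
    """Run the Section 6 checks on the curve generated in Section 6.3."""
    a, b, p, n = EXAMPLE_A, EXAMPLE_B, EXAMPLE_P, EXAMPLE_N
    P = find_point(a, b, p)
    return {
        "nonsingular": (4 * a ** 3 + 27 * b ** 2) % p != 0,
        "hasse_ok": order_consistent_with_field(n, p),
        # n*P == O for every P iff the group order divides n: a strong
        # consistency check of the claimed order, not a proof of it.
        "n_times_P_is_infinity": scalar_mult(n, P, a, p) is None,
        "ciphertext_bits_k2": cdama_ciphertext_bits(2),
        "fits_zigbee_k2": fits_single_zigbee_frame(2),
    }
```

The tiny curve $y^2 = x^3 + 2x + 2$ over $F_{17}$ (order 19) is a convenient regression test for the arithmetic before trusting the checks on the page's curve.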
7 SECURITY ANALYSIS AND COMPARISON
In this section, we analyze the security of CDAMA and other conventional schemes. More specifically, we compare CDAMA with four well-known CDA schemes: CDA [9], [10], Castelluccia et al.'s scheme [14], Mykletun et al.'s scheme [11], and TinyPEDS [12]. In Mykletun et al.'s scheme, the authors applied several well-known public key PH schemes to WSNs. They recommended two schemes which are suitable for WSNs, EC-OU and EC-EG. Since TinyPEDS [12] is the same as the EC-EG scheme [11], we chose TinyPEDS as a candidate. In addition to these four schemes, BGN, from which our proposed CDAMA is extended, is also analyzed. Consequently, we analyze CDA, Castelluccia et al.'s scheme, TinyPEDS, EC-OU, BGN, and CDAMA based on the attack model defined in Section 2.2.
A1. Ciphertext only attack. All schemes can defend against this basic attack.
A2. Known plaintext attacks. Only CDA, based on the Domingo-Ferrer scheme [17], might suffer from this attack due to improper security parameters, as indicated by Wagner's cryptanalysis [35]. However, the cost of proper parameters may render CDA infeasible for WSNs. For Castelluccia et al.'s scheme, although previous encryption keys can be deduced from the pairs, no research shows that these keys help the deduction of the present or subsequent encryption key.
A3. Chosen plaintext attacks. If a scheme suffers from known plaintext attacks, then it also suffers from chosen plaintext attacks. Hence, CDA also suffers from this attack. Other schemes can defend against this attack because they are probabilistic encryption algorithms; it is hard to decrypt a ciphertext by finding a match among known samples.
A4. Chosen ciphertext attacks. Unfortunately, all schemes suffer from this attack due to the homomorphic property. Assume that an adversary tries to decrypt the challenge ciphertext $C = E(M)$, where $E(\cdot)$ is a PH's encryption function. The adversary can obtain a ciphertext $C''$ by adding $C$ to a ciphertext $C' = E(M')$, where $M'$ is known. After that, she can decrypt $C''$ to its plaintext $M''$ by querying the decryption oracle. Consequently, she can obtain $M$ by $M = M'' - M'$. Fortunately, it is difficult to launch this attack in WSNs because the adversary must have the ability to decrypt some chosen ciphertexts.
B1. Unauthorized aggregation. Since the aggregation of CDA requires only modular addition, an adversary may aggregate ciphertexts without additional information. Unlike CDA, the encryption keys of SNs in Castelluccia et al.'s scheme are generated dynamically for one-time use. Unauthorized aggregation probably results in an unexpected plaintext, because the keys involved in these ciphertexts mismatch, with high probability, those currently held by the BS. Since unexpected plaintexts can be observed by the BS, the impact of unauthorized aggregation is mitigated. Among the asymmetric schemes, EC-OU, TinyPEDS, BGN, and CDAMA are based on ECC. To aggregate ciphertexts, one has to know the curve information. If the public key is preinstalled or delivered in a secure way (see Section 4.4), aggregation cannot be executed by an adversary without compromising SNs or AGs.
B2. Malleability. Castelluccia et al.'s scheme suffers from this attack because of its modular-addition-based construction. For example, adding to the value of a plaintext is trivial: one adds the desired numeric value to the corresponding ciphertext directly. Other schemes based on modular multiplication (e.g., CDA) or on ECC can defend against this attack.
C1. B1/B2 under compromised AG. For CDA and Castelluccia et al.'s scheme, compromising an AG will disclose the modulus; for ECC-based schemes, it will disclose the curve information. Except for CDAMA, revealing curve information makes unauthorized aggregation easier in the other schemes (see details in Section 5.3). On the other hand, nonmalleability is still supported by all ECC-based schemes because the point information stored in SNs is not revealed.
C2. Unauthorized decryption under compromised SN. In CDA, when an SN is compromised, an adversary can decrypt the aggregated ciphertexts because CDA is a symmetric scheme. Although Castelluccia et al.'s scheme is also symmetric, it suffers only minor impact because each node is assigned a distinct key. On the contrary, EC-OU, TinyPEDS, BGN, and CDAMA do not suffer from this attack because they are asymmetric schemes.
C3. Unauthorized encryption under compromised SN. This is the strongest attack, against which no scheme can defend. An adversary encrypts arbitrary values with the compromised secrets and alters the aggregated ciphertext with the forged values. After aggregation, the polluted messages aggregated into the result would be difficult to remove or detect. Castelluccia et al.'s scheme can mitigate the impact because the adversary cannot forge ciphertexts of uncompromised SNs. Similarly, CDAMA ($k > 1$) prevents adversaries from forging ciphertexts of SNs in uncompromised groups. Supporting more groups (i.e., a bigger $k$) makes CDAMA more secure, even though it brings additional cost: the size of ciphertexts increases linearly. This ciphertext expansion has been addressed in Section 6.2.
The comparisons are listed in Table 1. In summary, Castelluccia et al.'s scheme and CDAMA can defend against more attacks. Although Castelluccia et al.'s scheme is quite efficient in terms of computation and communication, it suffers from a key synchronization issue and severe malleability problems. On the contrary, the large computation and communication cost is the major drawback of CDAMA (see the analysis in Section 8). Nevertheless, CDAMA is more advantageous than the other asymmetric schemes in defending against C1 attacks, due to its multigroup construction.
8 PERFORMANCE EVALUATION AND COMPARISON
8.1 Candidate Schemes for Comparison
We only compare the performance of CDAMA with TinyPEDS [12] and EC-OU [11], because CDA [9], [10] and Castelluccia et al.'s scheme [14] are both symmetric schemes and therefore not suitable for comparison with asymmetric schemes. In general, symmetric schemes are more efficient but less secure than asymmetric ones. The security properties of CDA and Castelluccia et al.'s scheme have been examined in the previous section. To make the comparison comprehensive, BGN is also covered. Consequently, we chose EC-OU over $F_p$ ($|p| = 1{,}024$ bits), TinyPEDS over $F_p$ ($|p| = 163$ bits), BGN over $F_p$ ($|p| = 1{,}024$ bits), and CDAMA ($k = 2$ to $4$) over $F_p$ ($|p| = 768$, $1{,}024$, and $1{,}280$ bits) as candidates.
8.2 Evaluation Measurements
For evaluating these schemes, three terms are defined. The first two terms measure the computation cost, namely the encryption cost on SNs and the aggregation cost on AGs. The decryption cost on a BS is not measured because BSs are always as powerful as workstations. The third term is the communication cost per application, which estimates the size of ciphertext required for an application. Details of these three terms are listed as follows:
1. The encryption cost on an SN. The computation cost of encryptions. The unit is mJ per encryption.
2. The aggregation cost on an AG. The computation cost of aggregations. The unit is mJ per aggregation.
3. The communication cost per application. The ciphertext size required by an application. The unit is bits per application.
8.3 Evaluation Results
To analyze the computation cost, the same metric for all
schemes is required. Since TinyPEDS, EC-OU, BGN, and
CDAMA are all built on elliptic curves, encryption and
aggregation are based on two kinds of operations, point addition and point scalar multiplication. In elliptic curve arithmetic, the two basic operations are point doubling and point adding. Point adding computes $P + Q$, where $P$ and $Q$ are curve points. Point doubling computes $2P$. Scalar multiplication computes $m \cdot Q$, where $m$ is a scalar. Based on point adding and doubling, scalar multiplication is accomplished by the double-and-add algorithm [36]. More specifically, computing $m \cdot Q$ requires around $|m|$ doublings and $|m|/2$ additions, amounting to about $3|m|/2$ point additions [11].
We have shown the cost relation between point addition and scalar multiplication. Next, we show how to estimate the cost of scalar multiplication on different finite fields. In general, the cost depends on the size of the scalar and the size of the underlying finite field. If the size of the scalar doubles, the cost doubles too (i.e., it grows linearly). Moreover, if the size of the finite field doubles, the computation cost is almost four times the original (i.e., it grows quadratically). Based on these two rules, the cost of scalar multiplication on a 1,024-bit field is estimated to be 247.84 (i.e., $(1024/163)^3$) times greater than that on a 163-bit field, where the scalar is chosen from the underlying field.
Following the same analysis model as [11], we can estimate the computation costs of these schemes. Let the base unit be a point addition on a 163-bit field. The result is shown in Table 2, where $|m|$ is the bit length of messages and $|r|$ is the bit length of random nonces.
For encryption, TinyPEDS is the most efficient because its curves are chosen from smaller fields (e.g., $F_{163}$). TinyPEDS can be built on smaller fields because its security is based on the hardness of the elliptic curve discrete logarithm problem (ECDLP). In contrast, the security of EC-OU, BGN, and CDAMA is based on the hardness of the integer factorization problem (IFP). Their curves have to be chosen from larger fields, resulting in higher encryption costs. As Table 2 shows, if the sizes of the message and the random nonce are chosen properly, the encryption cost can be reduced considerably without sacrificing security.
For aggregation, TinyPEDS is still the most efficient because of its smaller fields. Compared with the encryption cost, the aggregation cost is quite small because aggregation usually requires only one or two point additions.
TABLE 1
Achievement of Security Requirements for CDA Schemes (the table's legend distinguishes complete combating, partial combating, partial suffering, and complete suffering)
TABLE 2
Encryption and Aggregation Cost for Data Concealment Schemes
Since we can estimate the number of computations of these schemes, we convert these estimates to energy consumption units according to the results of a real ECC implementation. TinyECC [37] is one well-known implementation of ECC for wireless sensor devices. The library has been implemented on physical SNs, e.g., MICAz, TelosB, Imote, and Tmote. Its authors also selected several cryptographic algorithms, such as encryption, key agreement protocols, and signature schemes, to examine the efficiency of the implementation. Now, we use their experimental results to estimate the energy consumption of these schemes. For instance, the energy consumption of a point addition over $F_{163}$ on TelosB is about 0.058 mJ. We can infer that the encryption cost of BGN is about $0.058 \times 5{,}428 = 314.824$ mJ. In Section 8.4, we use this result to evaluate the performance gain from CDAMA too.
For the communication cost per application, the communication cost is measured as the size of a ciphertext divided by the number of applications whose messages can be encrypted in that ciphertext. As we can see, the per-application cost of CDAMA decreases as $k$ grows. For instance, when there are four applications, the total size of the ciphertexts in TinyPEDS is $328 \times 4 = 1{,}312$ bits, but the size of the ciphertext in CDAMA ($k = 4$) is only 1,281 bits.
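The following Python cost model is an added example (not the paper's code or its Table 2): it counts the exact doublings and additions of double-and-add, applies the linear-in-scalar and quadratic-in-field rules above, converts point-addition units to energy with the 0.058 mJ TelosB figure, and compares the per-application communication cost of TinyPEDS and CDAMA. The encryption shape $m \cdot P + r \cdot Q$ used by `encryption_units` and all helper names are assumptions of mine.

```python
"""Added cost model for Section 8.3 (not the paper's code or its Table 2).
Costs are in the paper's unit, one point addition on a 163-bit field; the
energy figure is the TinyECC TelosB measurement quoted in the text."""

BASE_FIELD_BITS = 163           # TinyPEDS field, the base unit of Table 2
TELOSB_POINT_ADD_MJ = 0.058     # one F_163 point addition on TelosB (Section 8.3)
TINYPEDS_CIPHERTEXT_BITS = 328  # per-application TinyPEDS ciphertext (Section 8.3)

def double_and_add_ops(m: int) -> tuple:
    """Exact (doublings, additions) of left-to-right double-and-add for scalar m."""
    bits = bin(m)[2:]
    return len(bits) - 1, bits.count("1") - 1

def scalar_mult_units(scalar_bits: int, field_bits: int) -> float:
    """Paper's estimate: |m| doublings + |m|/2 additions ~ 3|m|/2 point additions,
    scaled by (|p|/163)^2 because doubling the field roughly quadruples the cost."""
    return 1.5 * scalar_bits * (field_bits / BASE_FIELD_BITS) ** 2

def full_width_cost_ratio(field_bits: int) -> float:
    """Scalar mult with a field-sized scalar, relative to the 163-bit case."""
    base = scalar_mult_units(BASE_FIELD_BITS, BASE_FIELD_BITS)
    return scalar_mult_units(field_bits, field_bits) / base

def encryption_units(field_bits: int, scalar_bit_lengths) -> float:
    """One scalar mult per listed scalar plus the point additions that combine
    them; e.g. a BGN-style m*P + r*Q costs encryption_units(|p|, [|m|, |r|])."""
    mults = sum(scalar_mult_units(b, field_bits) for b in scalar_bit_lengths)
    adds = (len(scalar_bit_lengths) - 1) * (field_bits / BASE_FIELD_BITS) ** 2
    return mults + adds

def energy_mj(units: float, per_add_mj: float = TELOSB_POINT_ADD_MJ) -> float:
    """Convert point-addition units to millijoules with the measured unit cost."""
    return units * per_add_mj

def cdama_ciphertext_bits(k: int, prime_bits: int = 256) -> int:
    """(k + 1) * 256 + 1 bits for k groups (Section 6.2)."""
    return (k + 1) * prime_bits + 1

def communication_bits(applications: int) -> dict:
    """Bits needed to carry one reading from each of `applications` applications:
    one TinyPEDS ciphertext per application versus one CDAMA ciphertext with
    k = applications, in total and per application."""
    tiny = TINYPEDS_CIPHERTEXT_BITS * applications
    cdama = cdama_ciphertext_bits(applications)
    return {"tinypeds_total": tiny, "cdama_total": cdama,
            "tinypeds_per_app": tiny / applications,
            "cdama_per_app": cdama / applications}
```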
To summarize our evaluation, TinyPEDS is the most
efficient one in terms of computation because it is based on
a shorter field. EC-OU, BGN, and CDAMA are relatively
inefficient since they are based on IFP instead of ECDLP. In
terms of communication cost per application, CDAMA is
competitive with TinyPEDS. Furthermore, in terms of
security, CDAMA is superior to the other public-key-based
CDA schemes.
8.4 Performance Gain of CDAMA
In the above analysis, the computation cost of CDAMA is significantly large. Although data aggregation can reduce communication effectively, sensors must pay a higher computation cost for encryption and aggregation. To address this point, we estimate the performance gain for the whole WSN based on CDAMA.
First of all, we classify sensors in large-scale WSNs into three types by their tasks: leaf nodes, AGs, and forwarders (see Fig. 8). Leaf nodes are leaves of the formed topology (e.g., a tree); they gather information from the deployed environment and send the result back to the BS via other nodes. AGs are the intermediate nodes in the topology, such as parent nodes or cluster heads; they aggregate the forwarded messages if possible. Forwarders are the nodes on the path to the BS; their main task is to forward the aggregated result to the BS without aggregation. Next, we estimate the energy consumption on the different node types.
We compare CDAMA ($k = 2$) with a WSN without data aggregation (also called the Data Forwarding Scheme, DFS). In DFS, a leaf node encrypts its sensed reading with a symmetric encryption scheme (e.g., AES) and forwards the ciphertext to its parent AG. AGs and forwarders just transmit the received data without any in-network processing. Both schemes (unlike hop-by-hop aggregation) provide end-to-end security, thereby avoiding the forgery of aggregated results. The result is shown in Table 3. We assume that $C_R$ and $C_T$ are the cost of receiving one bit and transmitting one bit, respectively. $C_{AE}$ is the cost of AES encryption, and $C_{CE}$ and $C_{CA}$ are the cost of CDAMA encryption and aggregation, respectively. $L_1$ and $L_2$ are the bit lengths of a ciphertext of AES and CDAMA, respectively. $c$ is the estimated number of leaf nodes, and $u_1$ and $u_2$ are the estimated numbers of ciphertexts received by an AG in DFS and CDAMA ($k = 2$), respectively.
Moreover, we evaluate the result in Table 3 by substituting the variables with practical values. That is to say, we use the estimated results of energy consumption on MICAz and TelosB in [38] to analyze the performance gain. The results are shown in Table 4. We assume that the deployed topology is a three-layer cluster. In this cluster, one layer-3 AG (i.e., L3 AG) has 10 layer-2 AGs (i.e., L2 AGs); each L2 AG has 10 layer-1 AGs (i.e., L1 AGs); each L1 AG has 10 leaf nodes. In this case, the topology has 1,000 leaf nodes in total (i.e., $c = 1{,}000$).
Fig. 8. Evaluation network model of a WSN.
TABLE 3
Performance Evaluation for DFS (AES) and Concealed Data Aggregation (CDAMA)
TABLE 4
Estimated Energy Consumption of MICAz and TelosB for DFS and CDAMA ($k = 2$)
For a leaf node, the energy consumption in CDAMA is several thousand times greater than that in DFS because the encryption cost of CDAMA is significantly greater than the cost of AES. For an AG, the energy consumption in DFS increases tenfold whenever the AG moves up to the next layer, whereas the energy consumption in CDAMA is kept the same at every layer. The reason is that the $i$th-layer AG must forward $10^i$ messages in DFS but only 10 messages in CDAMA. For a forwarder, the main energy consumption depends on transmission; therefore, CDAMA allows the forwarder to spend only 1 percent of the transmission cost in DFS. In summary, in contrast to DFS, the closer to the BS a node is, the more energy the node can save via CDAMA. As a result, CDAMA can extend the lifetime of higher layer AGs and forwarders effectively, but the lifetime of leaf nodes will be shortened to less than one-thousandth of the original lifetime. Thus, the major challenge in CDAMA is to reduce the encryption cost.
We also draw on TinyECC, a comprehensive ECC implementation. With TinyECC, we evaluated the formula using results measured on different sensor devices. More specifically, we estimate the energy consumption of CDAMA ($k = 2$) by measuring the average energy consumption of point scalar multiplications. The results are summarized in Table 5. First, due to optimizations adopted in the implementation, the costs estimated from TinyECC are 20 percent smaller than the costs estimated from [38] on MICAz devices (see Table 4). Furthermore, the energy consumption of CDAMA, especially the encryption cost, decreases significantly with more advanced devices. This implies that the lifetime of a leaf node can be effectively extended by deploying advanced sensors. For instance, given the same available energy, the lifetime of an Imote is 30 times longer than that of a MICAz.
Moreover, according to the results for a MICAz node (8-bit microcontroller) and a TelosB node (16-bit microcontroller) in [38], TelosB requires approximately $1/4$ of the computation cost of MICAz to execute the same cryptographic operations, but the communication cost (receiving/transmitting one bit) on both devices is almost the same. This suggests that secure data aggregation schemes that rely on higher computation ability would be more practical in the near future.
9 CONCLUSION
For a multi-application environment, CDAMA is the first
CDA scheme. Through CDAMA, the ciphertexts from
distinct applications can be aggregated, but not mixed. For
a single-application environment, CDAMA is still more
secure than other CDA schemes. When compromising
attacks occur in WSNs, CDAMA mitigates the impact and
reduces the damage to an acceptable condition. Besides the
above applications, CDAMA is the first CDA scheme that
supports secure counting. The base station would know
the exact number of messages aggregated, making selective
or repeated aggregation attacks infeasible. Finally, the
performance evaluation shows that CDAMA is applicable
on WSNs while the number of groups or applications is
not large.
In the future, we wish to apply CDAMA to realize aggregation queries in the Database-As-a-Service (DAS) model [39], [40]. In the DAS model, a client stores her database on an untrusted service provider. Therefore, the client has to secure the database through PH schemes, because PH schemes retain more usable properties than standard ciphers. Based on PH schemes, the provider can conduct aggregation queries without decryption. Most important of all, we do not have to consider the computation cost and the impact of compromising secret keys (i.e., compromising a client in the DAS model is harder than compromising a sensor). Those drawbacks will no longer be issues for CDAMA.
ACKNOWLEDGMENTS
This research was supported by the National Science
Council under the Grants NSC 101-2917-I-564-059, NSC
100- 2911-I-002-001, and NSC 100-2218-E-007-006.
REFERENCES
[1] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, A
Survey on Sensor Networks, IEEE Comm. Magazine, vol. 40, no. 8,
pp. 102-114, Aug. 2002.
[2] R. Min and A. Chandrakasan, Energy-Efficient Communication
for Ad-Hoc Wireless Sensor Networks, Proc. Conf. Record of the
35th Asilomar Conf. Signals, Systems and Computers, vol. 1, 2001.
[3] B. Przydatek, D. Song, and A. Perrig, SIA: Secure Information
Aggregation in Sensor Networks, Proc. First Intl Conf. Embedded
Networked Sensor Systems, pp. 255-265, 2003.
[4] A. Perrig, J. Stankovic, and D. Wagner, Security in Wireless
Sensor Networks, Comm. ACM, vol. 47, no. 6, pp. 53-57, June
2004.
[5] L. Hu and D. Evans, Secure Aggregation for Wireless Networks,
Proc. Symp. Applications and the Internet Workshops, pp. 384-391,
2003.
[6] H. Cam, S. Özdemir, P. Nair, D. Muthuavinashiappan, and H.O. Sanli, Energy-Efficient Secure Pattern Based Data Aggregation for Wireless Sensor Networks, Computer Comm., vol. 29, no. 4, pp. 446-455, 2006.
[7] H. Sanli, S. Ozdemir, and H. Cam, SRDA: Secure Reference-based
Data Aggregation Protocol for Wireless Sensor Networks, Proc.
IEEE 60th Vehicular Technology Conf. (VTC 04-Fall), vol. 7, 2004.
[8] Y. Wu, D. Ma, T. Li, and R.H. Deng, Classify Encrypted Data in
Wireless Sensor Networks, Proc. IEEE 60th Vehicular Technology
Conf., pp. 3236-3239, 2004.
[9] D. Westhoff, J. Girao, and M. Acharya, Concealed Data
Aggregation for Reverse Multicast Traffic in Sensor Networks:
Encryption, Key Distribution, and Routing Adaptation, IEEE
Trans. Mobile Computing, vol. 5, no. 10, pp. 1417-1431, Oct. 2006.
[10] J. Girao, D. Westhoff, M. Schneider, N. Ltd, and G. Heidelberg,
CDA: Concealed Data Aggregation for Reverse Multicast
Traffic in Wireless Sensor Networks, Proc. IEEE Intl Conf.
Comm. (ICC 05), vol. 5, 2005.
TABLE 5
Estimated Cost of CDAMA ($k = 2$) on Different Sensors
[11] E. Mykletun, J. Girao, and D. Westhoff, Public Key Based
Cryptoschemes for Data Concealment in Wireless Sensor Net-
works, Proc. IEEE Intl Conf. Comm. (ICC 06), vol. 5, 2006.
[12] J. Girao, D. Westhoff, E. Mykletun, and T. Araki, Tinypeds: Tiny
Persistent Encrypted Data Storage in Asynchronous Wireless
Sensor Networks, Ad Hoc Networks, vol. 5, no. 7, pp. 1073-1089,
2007.
[13] D. Boneh, E. Goh, and K. Nissim, Evaluating 2-DNF Formulas on
Ciphertexts, Proc. Second Intl Conf. Theory of Cryptography (TCC),
vol. 3378, pp. 325-341, 2005.
[14] C. Castelluccia, E. Mykletun, and G. Tsudik, Efficient Aggrega-
tion of Encrypted Data in Wireless Sensor Networks, Proc. Second
Ann. Intl Conf. Mobile and Ubiquitous Systems: Networking and
Services (MobiQuitous 05), pp. 109-117, 2005.
[15] S. Peter, D. Westhoff, and C. Castelluccia, A Survey on the
Encryption of Convergecast-Traffic with In-Network Processing,
IEEE Trans. Dependable and Secure Computing, vol. 7, no. 1, pp. 20-
34, Jan.-Mar. 2010.
[16] R. Cramer and V. Shoup, A Practical Public Key Cryptosystem
Provably Secure against Adaptive Chosen Ciphertext Attack,
Proc. 18th Ann. Intl Cryptology Conf. Advances in Cryptology, pp. 13-
25, 1998.
[17] J. Domingo-Ferrer, A Provably Secure Additive and Multi-
plicative Privacy Homomorphism, Proc. Fifth Intl Conf. Informa-
tion Security, pp. 471-483, 2002.
[18] N. Koblitz, A. Menezes, and S. Vanstone, The State of Elliptic
Curve Cryptography, Designs, Codes and Cryptography, vol. 19,
no. 2, pp. 173-193, 2000.
[19] P. Paillier, Public-Key Cryptosystems Based on Composite
Degree Residuosity Classes, Proc. 17th Intl Conf. Theory and
Application of Cryptographic Techniques, pp. 223-238, 1999.
[20] T. Okamoto and S. Uchiyama, A New Public-Key Cryptosystem
as Secure as Factoring, Proc. Intl Conf. Theory and Application of
Cryptographic Techniques, pp. 308-318, 1998.
[21] L. Oliveira, D. Aranha, E. Morais, F. Daguano, J. Lopez, and
R. Dahab, TinyTate: Computing the Tate Pairing in Resource-
Constrained Sensor Nodes, Proc. IEEE Sixth Intl Symp.
Network Computing and Applications (NCA 07), pp. 318-323,
2007.
[22] L. Washington, Elliptic Curves: Number Theory and Cryptography.
Chapman & Hall/CRC, 2008.
[23] S. Zhu, S. Setia, and S. Jajodia, LEAP+: Efficient Security
Mechanisms for Large-Scale Distributed Sensor Networks,
ACM Trans. Sensor Networks, vol. 2, no. 4, pp. 500-528, 2006.
[24] A. Perrig, R. Szewczyk, J. Tygar, V. Wen, and D. Culler, SPINS:
Security Protocols for Sensor Networks, Wireless Networks, vol. 8,
no. 5, pp. 521-534, 2002.
[25] S. Bhattacharya, A. Saifullah, C. Lu, and G. Roman, Multi-
Application Deployment in Shared Sensor Networks Based on
Quality of Monitoring, Proc. IEEE 16th Real-Time and Embedded
Technology and Applications Symp., pp. 259-268, 2010.
[26] N. Gura, A. Patel, A. Wander, H. Eberle, and S. Shantz,
Comparing Elliptic Curve Cryptography and RSA on 8-bit
CPUs, Proc. Sixth Intl Workshop Cryptographic Hardware and
Embedded Systems, pp. 119-132, 2004.
[27] G. Gaubatz, J. Kaps, E. Ozturk, and B. Sunar, State of the Art in
Ultra-Low Power Public Key Cryptography For Wireless Sensor
Networks, Proc. IEEE Third Intl Conf. Pervasive Computing and
Comm. Workshops, pp. 146-150, 2005.
[28] K. McCusker, N. OConnor, and D. Diamond, Low-Energy Finite
Field Arithmetic Primitives for Implementing Security in Wireless
Sensor Networks, Proc. Intl Conf. Comm., Circuits and Systems,
vol. 3, 2006.
[29] D. Hankerson, S. Vanstone, and A. Menezes, Guide to Elliptic Curve
Cryptography. Springer-Verlag, 2004.
[30] D. Boneh and H. Shacham, Fast Variants of RSA, CryptoBytes
(RSA Laboratories), vol. 5, pp. 1-9, 2002.
[31] T. Kleinjung, ECM Factoring Records, http://www.loria.fr/
zimmerma/records/p73, 2010.
[32] IEEE Std 802.15.4-2003, Part 15.4: Wireless Medium Access Control
(MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless
Personal Area Networks (WPANs), IEEE Standard 802.15 Working
Group, 2003.
[33] D. Boneh, K. Rubin, and A. Silverberg, Finding Composite Order
Ordinary Elliptic Curves Using the Cocks-Pinch Method,
J. Number Theory, vol. 131, pp. 832-841, 2011.
[34] R. Bröker, Constructing Elliptic Curves of Prescribed Order. VDM
Publishing, 2006.
[35] D. Wagner, Cryptanalysis of an Algebraic Privacy Homomorph-
ism, Proc. Sixth Information Security Conf., pp. 234-239, 2003.
[36] H. Cohen, G. Frey, and R. Avanzi, Handbook of Elliptic and
Hyperelliptic Curve Cryptography. CRC Press, 2006.
[37] A. Liu and P. Ning, TinyECC: A Configurable Library for Elliptic
Curve Cryptography in Wireless Sensor Networks, Proc. Intl
Conf. Information Processing in Sensor Networks (IPSN 08), pp. 245-
256, 2008.
[38] G. De Meulenaer, F. Gosset, F.-X. Standaert, and O. Pereira, On
the Energy Cost of Communication and Cryptography in Wireless
Sensor Networks, Proc. IEEE Intl Conf. Wireless and Mobile
Computing, Networking and Comm., pp. 580-585, 2008.
[39] B. Iyer, C. Li, and S. Mehrotra, Executing Sql over Encrypted
Data in the Database-Service-Provider Model, Proc. ACM
SIGMOD Intl Conf. Management of Data, pp. 216-227, 2002.
[40] H. Hacigümüş, Efficient Execution of Aggregation Queries
over Encrypted Relational Databases, Proc. Ninth Intl Conf.
Database Systems for Advanced Applications (DASFAA 04), vol. 9,
p. 125, 2004.
Yue-Hsun Lin received the BS degree in science
education from National Taichung Teachers
College in 2002, and the MS and PhD degrees
in computer science from National Tsing Hua
University in 2005 and 2010, respectively.
Currently, he is a postdoctoral fellow in the
CyLab at Carnegie Mellon University. His re-
search interests include wireless security, wire-
less sensor network, and applied cryptography.
Shih-Ying Chang received the BS degree in
computer science and information engineering
from National Cheng Kung University in 2003,
and the MS and PhD degrees in information
system and application from National Tsing
Hua University in 2005 and 2011, respec-
tively. He is a researcher at Industrial Tech-
nology Research Institute in Taiwan. His
research interests include wireless security
and applied cryptography.
Hung-Min Sun received the BS degree in
applied mathematics from National Chung-Hsing
University in 1988, the MS degree in applied
mathematics from National Cheng-Kung Uni-
versity in 1990, and the PhD degree in computer
science and information engineering from
National Chiao-Tung University in 1995. He
was an associate professor in the Department
of Information Management at Chaoyang Uni-
versity of Technology from 1995 to 1999, and
the Department of Computer Science and Information Engineering at
National Cheng-Kung University from 1999 to 2002. Currently, he is a
professor in the Department of Computer Science at National Tsing Hua
University. His research interests include information security, wireless
network security, cryptography, and multimedia security.