Professional Documents
Culture Documents
Sensor readings
9
0
+ + 39
4
2
6
2+
+41
3
haowen chan cmu
Attacker Model
Unsecured deployment area
Sensor nodes not tamper-resistant
Adversary may undetectably take control of
sensor nodes or base station
(( ))
9
0
0
9
3
4
4
3
3
haowen chan cmu
(( ))
15
0
0
15
3
10
4
3
haowen chan cmu
(( ))
100
0
0
100
4
4
3
3
haowen chan cmu
cases
Single malicious node
L. Hu and D. Evans [2003]
P. Jadia and A. Mathuria [2004]
Flat aggregator topology
B. Przydatek, A. Perrig, D. Song [2003]
W. Du, J. Deng, Y. Han, P.K. Varshney [2003]
Probabilistic Detection
B. Przydatek, A. Perrig, D. Song [2003]
Y. Yang, X. Wang, S. Zhu, G. Cao [2006]
haowen chan cmu
Our Algorithm
General hierarchical (tree-based)
aggregation topologies
Multiple (unbounded) number of
compromised nodes
Achieves tightest possible bound on
adversary ability to change aggregation
result
Low communication
overhead
2
O(log n)
edge-congestion
Outline
The Secure Aggregation Problem
Algorithm Description
Algorithm Analysis
Proof (sketch) of correctness
Proof (sketch) of overhead bound
result
Sensor readings are nonnegative: in [0, m]
Let the sum of reported sensor readings
of all legitimate nodes be S.
If adversary reports any S < S then we detect its
presence.
Adversary gains no additional benefit from
aggregation result falsification vs. sensor reading
falsification
Generating Commitments
Require nodes to cryptographically commit to
a single version of the aggregation process
Any aggregation result falsification cause in
an inconsistency in some position in the
commitment structure
Commitment Tree
ME
E
MAB CD
MAB
MA
D
B
A
M A = A; vA
M B = B ; vB
MC
C
Commitment
Tree
M
R
ME
MF
MAB
MA
MAB CD
MD
MB
MC
vA B
M A B = h(M A jjM B ); vA + vB
Aggregation Tree
Main Idea
Commitment structure is probed to verify
aggregation correctness
Prior work: Querier performs probing
Self-verification
Querier disseminates commitment tree root
MR using authenticated broadcast
E.g.
T ESLA
are non-negative
Verify that the correct MR can be recomputed
Self-Verification
of
Node
C
M
R
ME
MF
MAB
MA
MAB CD
MD
MB
MC
1000
1111
1010
0010
0110
0101
0011
Outline
The Secure Aggregation Problem
Algorithm Description
Algorithm Analysis
Proof (sketch) of correctness
Proof (sketch) of overhead bound
Motivating Observations
Correctness:
Self-verification is cumulative
Net result of all nodes performing independent
self-verification is equivalent to having a central
querier verify every node
Efficiency:
Standard metric: congestion
maximum communication load on any single edge
Self-verification incurs low congestion
Even if every node performs self-verification
haowen chan cmu
Correctness
Lemma: If two legitimate nodes A and B both
pass their verifications, then the SUM
vA + vB
aggregate has value at least
Observation: Intermediate sums are non-decreasing.
MAX Y Z
MAX
MA
MX
vA X vA
vA X Y Z vA
MY Z
vY Z 0
vX 0
Correctness
M R vR vA + vB
MC
vC vA + vB
vX vA M X
M Y vY vB
MA
MB
M C : LCA of M A and M B
M X and M Y are dist inct
since h is collision-resist ant
haowen chan cmu
Correctness
Corollary: If all legitimate nodes pass
their verifications, then the final
X is at least
aggregation result
S=
legit
vi
Upper Bound
Reduce upper bound problem to lower bound
Compute simultaneously
the
sum
vi 2complement
[0; m]
S
aggregate
Xn
S=
i= 1
(recall that
vi
S=
Xn
(m vi )
i= 1
S = nm S
Querier checks:
S
S
Adversary: toSincrease
, must decrease .
S
But neither
Efficiency
Suppose aggregation tree is balanced
When node A self-verifies, it receives all off-path
(lo
gn
Maximum
O(log n)congestion: leaf edge
messages
Efficiency
Self-verification of other nodes (e.g. node B) does
not increase communication load on any edge of
the path between node A and the root
MYY M
M
MXX
MX
MY
B
haowen chan cmu
Efficiency
Edge congestion
in balanced aggregation
O(log n)
trees:
For arbitrary unbalanced aggregation
topology:
Edge congestion
for general aggregation
2
O(log n)
trees:
Conclusion
Secure data aggregation algorithm
Suitable for general tree-based aggregation topologies
Resilient vs multiple malicious nodes
Tightest possible guarantees on adversary detection
(without assuming
application knowledge)
2
O(log n)
Low
edge congestion
Limitation: need to know the set of responding nodes
Future Work:
Secure versions of more sophisticated aggregation
functions
Defences vs sensor reading falsification
haowen chan cmu