Professional Documents
Culture Documents
Sensor readings
9
0
+ + 39
4
2
6
2+
+41
3
haowen chan cmu
Attacker Model
Unsecured deployment area
Sensor nodes not tamper-resistant
Adversary may undetectably take control of
sensor nodes or base station
(( ))
9
0
0
9
3
4
4
3
3
haowen chan cmu
(( ))
15
0
0
15
3
10
4
3
haowen chan cmu
(( ))
100
0
0
100
4
4
3
3
haowen chan cmu
cases
Single malicious node
L. Hu and D. Evans [2003]
P. Jadia and A. Mathuria [2004]
Flat aggregator topology
B. Przydatek, A. Perrig, D. Song [2003]
W. Du, J. Deng, Y. Han, P.K. Varshney [2003]
Probabilistic Detection
B. Przydatek, A. Perrig, D. Song [2003]
Y. Yang, X. Wang, S. Zhu, G. Cao [2006]
haowen chan cmu
Our Algorithm
General hierarchical (tree-based)
aggregation topologies
Multiple (unbounded) number of
compromised nodes
Achieves tightest possible bound on
adversary ability to change aggregation
result
Low communication overhead
2
O(log
n) edge-congestion
Outline
The Secure Aggregation Problem
Algorithm Description
Algorithm Analysis
Proof (sketch) of correctness
Proof (sketch) of overhead bound
Generating Commitments
Require nodes to cryptographically commit to
a single version of the aggregation process
Any aggregation result falsification cause in
an inconsistency in some position in the
commitment structure
Commitment Tree
Aggregation Tree
MR
MAB C D
MAB
MA
D
B
MC
C
ME
MF
MAB
MAB C D
MD
MB
MA
M A = A; vA
M B = B ; vB
MC
vA B
ME
Commitment Tree
M A B = h(M A jjM B ); vA + vB
M A B C D = h(M A B jjM D jjM C );
vA B + vD + vC
haowen chan cmu
Main Idea
Commitment structure is probed to verify
aggregation correctness
Prior work: Querier performs probing
Self-verification
Querier disseminates commitment tree root
MR using authenticated broadcast
are non-negative
Verify that the correct MR can be recomputed
Self-Verification of Node C
MR
ME
MF
MAB
MAB C D
MD
MC
MB
MA
1000
1111
1010
0010
0110
0101
0011
Outline
The Secure Aggregation Problem
Algorithm Description
Algorithm Analysis
Proof (sketch) of correctness
Proof (sketch) of overhead bound
Motivating Observations
Correctness:
Self-verification is cumulative
Net result of all nodes performing independent
self-verification is equivalent to having a central
querier verify every node
Efficiency:
Standard metric: congestion
maximum communication load on any single edge
Self-verification incurs low congestion
Even if every node performs self-verification
haowen chan cmu
Correctness
Lemma: If two legitimate nodes A and B both
pass their verifications, then the SUM
aggregate has value at least vA + vB
Observation: Intermediate sums are non-decreasing.
MAX Y Z
MAX
MA
MX
vA X vA
vA X Y Z vA
MY Z
vY Z 0
vX 0
Correctness
M R vR vA + vB
MC
vX vA M X
MA
vC vA + vB
MY
vY vB
MB
M C : LCA of M A and M B
M X and M Y are distinct
since h is collision-resistant
haowen chan cmu
Correctness
Corollary: If all legitimate nodes pass
their verifications, then the final
aggregation result
is
at
least
X
S=
vi
legit
Upper Bound
Reduce upper bound problem to lower bound
Compute simultaneously the complement sum
aggregate S
S=
S=
Xn
i =1
vi
Xn
(m vi )
i =1
S = nm S
Querier checks:
S
S
Adversary: toSincrease
, must decrease .
S
But neither
Efficiency
Suppose aggregation tree is balanced
When node A self-verifies, it receives all off-path vertices in
(lo
gn
)
Efficiency
Self-verification of other nodes (e.g. node B) does
not increase communication load on any edge of
the path between node A and the root
MYY M
M
MXX
MX
MY
B
haowen chan cmu
Efficiency
Edge congestion in balanced aggregation
trees: O(logn)
For arbitrary unbalanced aggregation
topology:
Conclusion
Secure data aggregation algorithm
Suitable for general tree-based aggregation topologies
Resilient vs multiple malicious nodes
Tightest possible guarantees on adversary detection
(without assuming application knowledge)
2
O(log
n) edge congestion
Low
Limitation: need to know the set of responding nodes
Future Work:
Secure versions of more sophisticated aggregation
functions
Defences vs sensor reading falsification
haowen chan cmu