Image Processing Reference
In-Depth Information
readings
x
i
directly to the base station which will perform the aggregation function
f
.
In case that an attacker succeeds to compromise up to
k
of these sensor readings (e.g., by compromis-
ing sensor nodes, or manipulating their environment regarding the parameter they are measuring),
it is depending on the aggregation function
f
how big the influence α is the attacker can have, where
α is a multiplicative factor describing how much the manipulated aggregated value differs from the
aggregated value in case of no attack. The article describes a mathematical model that is based on
estimation theory. The main findings obtained from this model are that sum, average, minimum,
and maximum are insecure estimation functions, that the average with values being only included in
the aggregation computation if they lie in an a priori known range
(
x
,...,
x
n
)
is problematic, and that the
%-trimmed average (ignoring the lowest and highest % of the readings) performs better, as long as
no more than % of the nodes are compromised. he most resistant aggregation function turns out
to be the median, as it is secure as long as less than % of the nodes are compromised.
Even though Wagner only studied the problem under the assumption that all nodes directly report
tothebasestation(securelybasedonanindividual-sharedkeybetweeneachsensornodeandthebase
station), these results in fact represent rather bad news for all aspirations to perform data aggregation
with data origin authentication and integrity assurance. First, it turns out that unfortunately the more
robust aggregation functions cannot be efficiently computed in a distributed procedure. Second, if
all sensor readings being processed in an aggregation step were to be authenticated with an MAC,
aggregation would not be able to significantly reduce the amount of data to be transmitted to the base
station. Therefore, the compromise of aggregation nodes will give potential attackers an increased
influence on the final aggregated value, as it allows them to manipulate a higher number
k
of sensor
readings.
Concerning confidentiality of sensor readings to be aggregated on their way toward the base sta-
tion, various approaches have been proposed that are based on “privacy homomorphisms” [RAD].
A privacy homomorphism is an encryption transformation that allows direct computation on
encrypted data. Let
Q
and
R
denote two rings,
[
l
,
u
]
denote multiplication on
both rings, and let
K
denote the set of potential encryption keys. An encryption transformation
E
+
denote addition and
×
∶
K
×
Q
→
R
and the corresponding decryption transformation
D
∶
K
×
R
→
Q
arecalleda
privacy homomorphism with respect to
+
,or
×
,respectively,ifgiven
a
,
b
∈
Q
and
k
∈
K
it holds:
a
+
b
=
D
k
(
E
k
(
a
)+
E
k
(
b
))
a
×
b
=
D
k
(
E
k
(
a
)×
E
k
(
b
))
In Ref. [GSW] Girao et al. proposed a “concealed data aggregation (CDA)” scheme that deploys
Domingo-Ferrer's additive and multiplicative privacy homomorphism [Jos], which is based on
modular exponentiation. he scheme allows to perform additive and multiplicative aggregation on
encrypteddataasitlowstowardthebasestationandtoextracttheaggregatedvalueatthebase
station. The operations to be computed for this at encrypting sensor nodes include modular expo-
nentiation, so that this scheme reveals to be rather resource consuming for data sources. Another
drawback of the scheme is that it requires a network-wide encryption key to be known by all sensor
nodes, so that the compromise of a single sensor node is sufficient to defeat the scheme. As further-
more, Wagner has shown in Ref. [Wag] that Domingo-Ferrer's privacy homomorphism is insecure
for some major parameter settings, the scheme cannot be recommended for practical use.
Inspired by the work of Girao et al., various alternative approaches were proposed [HLN
+
,
RKP,CMT]. he approach of He et al. [HLN
+
] is based on the additive property of polynomi-
als as well as basic linear algebra (matrix inversion and multiplication), and it enables cluster-based
joined summation of sensor readings while preserving privacy of individual sensor readings as long
as less than
n
nodes of a cluster of size
n
collude. In the same paper, a second scheme is proposed
that achieves confidentiality of individual sensor readings by partitioning them in
J
individual pieces,
that is representing sensor reading
d
i
of node
i
as a sum of
J
partial terms
x
i
−
J
j
=∑
d
i
,
j
, and sending
=
