
Collusion-Tolerable and Efficient Privacy-Preserving Time-Series Data Aggregation Protocol

Yongkai Li, Shubo Liu*, Jun Wang, and Mengjun Liu

School of Computer, Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, Wuhan, China

[email protected],[email protected],

[email protected],[email protected]

Abstract. Many ingenious schemes have been proposed to deal with the privacy-preserving time-series data aggregation problem in pervasive computing applications, such as mobile cloud computing. The main challenge consists in computing global statistics of individual inputs that are protected by some confidentiality mechanism. However, those works either suffer from collusion attacks or require a time-consuming initialization at every aggregation request. In this paper, we propose an efficient aggregation protocol which tolerates up to k passive adversaries who do not try to tamper with the computation. The proposed protocol does not require a trusted key dealer and needs only one initialization during the whole time-series data aggregation. We formally analyze the security of our protocol and show that the protocol is secure if the Computational Diffie-Hellman (CDH) problem is intractable. Furthermore, our implementation shows that the proposed protocol is efficient for time-series data aggregation.

Keywords: aggregation protocol, time-series data, privacy-preserving, collusion-tolerable, CDH problem

1 Introduction

The security and privacy issues in pervasive computing applications, such as mobile cloud computing, crowdsourcing and smart metering, have long been a hot research topic in the field of applied cryptography. In numerous real-life applications, individuals need to provide their sensitive data (e.g., personal information) to receive specific services from the entire system (e.g., mobile-based social networking services). An adversary may infringe customers' privacy in a pervasive computing environment, since such systems are "smart" enough to record one's preferences or habits. For example, smart meters report users' consumption at high frequency (e.g., once per minute) and in real time. This level of monitoring can reveal much private information about users' habits and subject the users to many undesirable outcomes [1, 2], e.g., whether they often watch TV (discriminatory pricing of health insurance), or even stealthy surveillance in general [3]. For another example, mobile users report their locations, speeds and mobility to a GPS service provider in real time. The aggregated data, for instance the number of users in each region during each time period, can be mined for congestion patterns on the roads [4, 5]. However, the individual information above needs to be protected for privacy reasons.

* Corresponding author.

In this paper, we focus on the privacy-preserving aggregation problem for time-series data without a trusted third party. We use a new additive homomorphic encryption as the cryptographic primitive to handle this aggregation problem. Jung and Li pointed out that trusted or semi-trusted key issuers can be a security hole, since the security of those schemes relies on the assumption that keys are disclosed to authorized participants only [6]. Therefore, the proposed scheme is not initialized by requesting keys from trusted or semi-trusted key issuers via a secure channel. Meanwhile, we do not require that participants are able to communicate with their neighbors via a wireless communication channel. This requirement is expensive and somewhat difficult to realize in large-area deployments, so we simply assume that each participant only has a bi-directional communication channel with the aggregator. Besides the aforementioned drawbacks, a large number of aggregation protocols are proposed under the weak security assumption that all the participants are semi-trusted and do not collude with the aggregator. To sum up, the goal of this paper is to design a privacy-preserving time-series data aggregation protocol which is robust against up to k colluding passive adversaries who do not try to tamper with the computation.

The main contributions of this paper are: (1) We propose a privacy-preserving time-series data aggregation protocol without a trusted central key issuer; it needs only one initialization for the participants to acquire their encryption keys. (2) Security and complexity analyses of the proposed protocol are given; the protocol is shown to be efficient and scalable, and it is proved to tolerate up to k colluding passive adversaries. (3) A method which allows a participant and the aggregator to verify any individual input or the accumulation of inputs is proposed, and performance evaluations are given.

The remainder of this paper is structured as follows. Related work is discussed in Section 2. We present the system model and necessary background in Section 3. The construction of our scheme is described in Section 4 and its security analysis in Section 5. The complexity analysis and performance evaluation are reported in Section 6. Section 7 presents the conclusions of this research.

2 Related Work

Many papers have addressed privacy-preserving data aggregation for a range of application scenarios. We present the work most relevant to our contribution. A privacy-enhancing protocol based on Paillier's encryption scheme was proposed by Li et al. [7]. Subsequently, Li and Luo introduced the use of homomorphic signatures, allowing verification that the data aggregation was correct [8]. Garcia and Jacobs proposed an aggregation scheme for secure communication with smart meters [9], where a combination of Paillier's additive homomorphic encryption and additive secret sharing is used. Danezis et al. [10] proposed an aggregation scheme based on secret sharing and secure multi-party computation techniques. Shi et al. [11] proposed a Diffie-Hellman based encryption scheme in which participants periodically upload encrypted values to an aggregator, and the aggregator computes the sum of those values without learning anything else. It uses brute-force search or Pollard's lambda method to find the exact sum. This kind of brute-force decryption restricts its usage to small plaintext spaces, due to the hardness of the discrete logarithm problem. Joye et al. [12] proposed a solution to efficiently decrypt the sum based on the idea of splitting the exponent. Leontiadis et al. [13] introduced a secure protocol for aggregation of time-series data that is based on Joye's scheme [12], eliminating the requirements for key updates and for a trusted dealer. Its main idea is to introduce a semi-trusted collector which plays the role of an intermediary between the users and the aggregator.

Recently, Li et al. [14] introduced an efficient protocol to obtain the sum aggregate, which employs an additive homomorphic encryption to support a large plaintext space. But this scheme relies on trusted key dealers who distribute the keys via a secure channel. Marmol et al. [15] proposed a protocol in which each participant adds its key to its measurement and sends the result to the aggregator, but their scheme needs a previous aggregation before getting the exact sum. In [16], Borges and Mühlhäuser proposed an efficient privacy-preserving protocol for smart metering systems (EPPP4SMS) based on Paillier's scheme. However, they assume that smart meters in a neighborhood communicate with a collector through a wireless mesh network and that the collector further communicates with the central management facility through wired communication in the initial setup. Their scheme has the common problem that it fails if the collector device colludes with the aggregator. Jung and Li [6] presented an advanced protocol which tolerates up to k passive adversaries who do not try to tamper with the computation, without secure channels. Their protocol needs to be initialized for every round of aggregation, so both the communication and computation overheads are too extravagant for time-series data aggregation. Table 1 compares our protocol with the major related protocols in the literature. Besides, there are also several works [17–22] on privacy-preserving aggregation of time-series data. Some of them leverage differential privacy [23] in various ways to achieve privacy as well as collusion (or fault) tolerance. Our scheme can also achieve differential privacy by simply adding noise that follows the diluted geometric distribution to each meter's data [11].

Table 1. Comparison between the proposed protocol and related aggregation protocols.

Scheme               No Trusted    No Previous    Collusion-    No Neighborhood    Setup Once
                     Key-Dealer    Aggregation    Tolerable     Communication      for All
Marmol et al. [15]   √             ×              √             ×                  ×
Li et al. [14]       ×             √              √             √                  √
Jung and Li [6]      √             √              √             √                  ×
EPPP4SMS [16]        √             √              ×             ×                  (not legible in the source)
Our Scheme           √             √              √             √                  √

In our scheme, the trusted key dealer of [14, 18] and [21] is removed because of the aforementioned security loophole. Unlike [14] and [17], we assume insecure channels between most participants, while secure channels are established based on public key encryption among a small fraction of participants in the same subgroup, which enables us to implement the proposed scheme easily in real cloud environments. In this paper, we also take into consideration a small fraction of the participants colluding with the curious aggregator, as [6] and [17] do. Our scheme is also based on the hardness of the discrete logarithm problem like [11], but we employ an efficient method to calculate the sum instead of a brute-force decryption.

3 System Model

3.1 Problem Definition and Threat Model

Assume that there are $N$ participants with IDs $\{1, 2, \ldots, N\}$ in the system, and an aggregator who wants to obtain the sum aggregate of the $N$ participants periodically. In this paper, the aggregator may be the service supplier or the cloud. The system is shown in Figure 1. At a timestamp $t$, each participant $i$ produces a privately known data point $x_i(t) \in \mathbb{Z}$. The privacy-preserving data aggregation problem is to compute the sum of the $x_i(t)$ at the aggregator while preserving data privacy, i.e., the objective of the aggregator is to compute the following polynomial without knowing the values $x_i(t)$:

$$\mathrm{SUM}(\mathbf{x}(t)) = \sum_{i=1}^{N} x_i(t), \qquad (1)$$

where the vector $\mathbf{x}(t) = (x_1(t), x_2(t), \ldots, x_N(t))$. Here, we assume that the final result $\mathrm{SUM}(\mathbf{x}(t))$ is positive and bounded from above by the large prime number $p$ defined in Section 3.3.

We assume that participants have a bi-directional communication channel with the aggregator, as in [17]. The participants are not connected to each other directly, but they can exchange encrypted messages among themselves via the aggregator or intermediate routers. Similar to [6], the communication channels in the system are insecure: anyone can eavesdrop on them and/or intercept the data being transferred. In this paper, the aggregator is untrusted, so a curious aggregator may try to compromise someone's private information through the aggregation protocol. A small fraction of the participants may collude with the aggregator, say at most $k$ participants. Similar to [11], we assume that the system has an a priori estimate of the upper bound $k$. Participants will in general hide the information they have before reporting it to the aggregator. To assist the curious aggregator, however, colluders may deviate from the protocol by providing their own information in the clear to the aggregator. We further assume that the participants and the aggregator may be passively adversarial, i.e., they will not falsify the computation, but they may try to manipulate their own calculations to infer others' private information.

Fig. 1. The system model.

3.2 Security Model

To address the challenges of an insecure communication channel, we assume that the following CDH problem is computationally intractable, i.e., any probabilistic polynomial-time adversary has negligible chance of solving the following problem:

Definition 1. (CDH Problem in $G$). The Computational Diffie-Hellman problem in a multiplicative group $G$ with generator $g$ is defined as follows: given only $g, g^a, g^b \in G$ where $a, b \in \mathbb{Z}$, compute $g^{ab}$ without knowing $a$ or $b$.

Following [6], we define the security of our proposed scheme as follows.

Definition 2. (CDH-Security in $G$). We say our privacy-preserving sum calculation is CDH-secure in $G$ if any probabilistic polynomial-time adversary (PPTA) who cannot solve the CDH problem with non-negligible chance has negligible chance to infer any honest participant's private value in $G$, i.e., any PPTA's probability $\varepsilon$ of solving the CDH problem satisfies $\varepsilon < \left|\frac{1}{p(\kappa)}\right|$ for any polynomial $p(\cdot)$, where $\kappa$ is the order of the group $G$ defined in the CDH problem.

Informally, our calculation is CDH-secure in $G$ if illegally inferring an honest participant's private value during our calculation is at least as hard as the CDH problem in $G$.

3.3 Some Definitions

The group $G$ is selected as follows. Two large prime numbers $p$ and $q$ are chosen such that $p = k_c q + 1$, where $k_c$ is an integer. Then the $q$-order cyclic multiplicative group $G$ is defined as $\langle g \rangle$, where the generator $g$ is selected with a random number $r \in \mathbb{Z}_p$ as:

$$g = r^{p(p-1)/q} \bmod p^2 \quad \text{s.t.} \quad g \neq 1 \bmod p^2. \qquad (2)$$

In this system, the aggregator intends to compute the sum $\sum_{i=1}^{N} x_i(t)$ without knowing any individual $x_i(t)$. For simplicity, we index the aggregator with number 0. In our scheme, the aggregator holds the capabilities $k_{0,1}$ and $k_{0,2}$ to decrypt the encrypted sum. Each participant $i$ has a permanent private key $k_{i,1}$ and a time-dependent private key $k_{i,2}$ to encrypt its data. Following [16], we define the encryption function $\mathrm{Enc}$ as:

$$\mathrm{Enc}_i : \mathbb{Z}_{p^2} \times G \times G \to \mathbb{Z}_{p^2}, \qquad \mathrm{Enc}_i(m, h, g) \mapsto (1 + mp) \cdot h^{k_{i,1}} \cdot g^{k_{i,2}} \bmod p^2. \qquad (3)$$

Here, $h$ is a nonce over $\mathbb{Z}_{p^2}$ and $k_{i,1}, k_{i,2}$ are nonces over $\mathbb{Z}_p^*$. We assume the existence of a secure hash function $H : \mathbb{Z} \to G$ and define $h = H(t)$, where $t$ is the timestamp. The time-dependent private key $k_{i,2}$ is defined on the basis of a pseudorandom function (PRF) family $\mathcal{F} = \{f_k : \mathbb{Z} \to \mathbb{Z}_q\}_{k \in G}$ with seed $k$, and we set $k_{i,2} = f_k(t) - f_{k'}(t)$, where $f_k, f_{k'} \in \mathcal{F}$. Note that the timestamp $t$ cannot be repeated, so the hash function and the nonce $k_{i,2}$ ensure that previously encrypted data points cannot be correlated to extract information.

Subsequently we introduce the decryption mechanism behind the encryption function. Obviously, the $\mathrm{Enc}$ function defined here is an additive homomorphic encryption, i.e.,

$$\mathrm{Enc}_i(m_1, h, g) \cdot \mathrm{Enc}_j(m_2, h, g) = \mathrm{Enc}_{i+j}(m_1 + m_2, h, g) \bmod p^2,$$

where $\mathrm{Enc}_{i+j}$ denotes encryption under the summed keys $k_{i,1} + k_{j,1}$ and $k_{i,2} + k_{j,2}$.

Given the family of encryption functions from (3), each participant $i$ encrypts its data $x_i(t)$ and gets $\mathrm{Enc}_i(x_i(t), h, g)$. Then participant $i$ sends $\mathrm{Enc}_i(x_i(t), h, g)$ to the aggregator. To decrypt the consolidated summation, the aggregator needs to multiply all encrypted data, computing:

$$\prod_{i=1}^{N} \mathrm{Enc}_i(x_i(t), h, g) = \Bigl(1 + p \sum_{i=1}^{N} x_i(t)\Bigr) \cdot H(t)^{\sum_{i=1}^{N} k_{i,1}} \cdot g^{\sum_{i=1}^{N} k_{i,2}} \bmod p^2.$$

If the aggregator has capabilities $k_{0,1}$ and $k_{0,2}$ such that $k_{0,j} + \sum_{i=1}^{N} k_{i,j} = 0$ for $j = 1, 2$, then the aggregator only needs to compute

$$\frac{\Bigl(H(t)^{k_{0,1}} \cdot g^{k_{0,2}} \cdot \prod_{i=1}^{N} \mathrm{Enc}_i(x_i(t), h, g) - 1\Bigr) \bmod p^2}{p}$$

to get the decrypted sum $\sum_{i=1}^{N} x_i(t)$, because the factors $H(t)$ and $g$ are cancelled when $H(t)^{k_{0,1}}$ and $g^{k_{0,2}}$ are multiplied into the encryption result (the sum is recovered exactly provided $\sum_{i=1}^{N} x_i(t} < p$). The detailed construction of our aggregation scheme will be shown in the next section.
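The following is an added worked example, not code from the paper: it instantiates the primitive of equations (2) and (3) over $\mathbb{Z}_{p^2}$ with toy primes ($q = 53$, $p = 2q + 1 = 107$, far too small for real use), models $H(t)$ as SHA-256 projected into $G$, and draws per-round keys from a stand-in generator that simply enforces $k_{0,j} + \sum_i k_{i,j} = 0 \bmod q$ (the paper obtains these keys without a dealer in Section 4). It also shows the failure mode: when the capabilities do not cancel the key material, a non-identity element of $G$ survives, and since such an element is never $1 \bmod p$, the divisibility test on $C - 1$ fails instead of returning a silently wrong sum.

```python
# Added example (not code from the paper): additive homomorphic primitive of
# Section 3.3 over Z_{p^2} with capability-based decryption of the sum.
# Assumptions: toy primes q = 53, p = 2q + 1 = 107; H(t) = SHA-256 projected
# into G; keys come from a stand-in generator that only enforces the
# cancellation condition the paper's Setup phase produces.
import hashlib
import hmac

q = 53
p = 107
assert p == 2 * q + 1          # p = k_c q + 1 with k_c = 2
P2 = p * p


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


assert _is_prime(p) and _is_prime(q)


def to_group(r):
    """Project a unit r of Z_{p^2} into the order-q subgroup G: r^{p(p-1)/q} mod p^2 (eq. 2)."""
    return pow(r, p * (p - 1) // q, P2)


def make_generator():
    r = 2
    while to_group(r) == 1:    # eq. (2) requires g != 1
        r += 1
    return to_group(r)


g = make_generator()
assert pow(g, q, P2) == 1      # g has order q


def H(t):
    """H: Z -> G. SHA-256 of the timestamp, reduced mod p^2, projected into G, never 1."""
    ctr = 0
    while True:
        r = int.from_bytes(hashlib.sha256(f"{t}:{ctr}".encode()).digest(), "big") % P2
        h = to_group(r) if r % p else 1   # r must be a unit mod p^2
        if h != 1:
            return h
        ctr += 1


def enc(m, h, k1, k2):
    """Enc_i(m, h, g) = (1 + m p) * h^{k_{i,1}} * g^{k_{i,2}} mod p^2 (eq. 3)."""
    return (1 + m * p) * pow(h, k1 % q, P2) * pow(g, k2 % q, P2) % P2


def aggregate(ciphertexts):
    """Product of all ciphertexts: (1 + p sum x_i) * H(t)^{sum k_{i,1}} * g^{sum k_{i,2}} mod p^2."""
    c = 1
    for ct in ciphertexts:
        c = c * ct % P2
    return c


def decrypt_sum(c, h, k01, k02):
    """Multiply in the capabilities and read the sum off the (1 + S p) pattern.

    If k_{0,j} + sum_i k_{i,j} != 0 mod q, a non-identity element of G survives;
    such an element is never 1 mod p, so the divisibility test fails loudly.
    """
    c = c * pow(h, k01 % q, P2) * pow(g, k02 % q, P2) % P2
    if (c - 1) % p != 0:
        raise ValueError("capabilities do not cancel the key material")
    return (c - 1) // p


def demo(values, t="2015-06-01T12:00", seed=b"toy-seed"):
    """One aggregation round for len(values) participants; requires sum(values) < p."""
    if sum(values) >= p:
        raise ValueError("sum must be below p for exact recovery")
    n = len(values)
    prf = lambda label: int.from_bytes(hmac.new(seed, label.encode(), "sha256").digest(), "big") % q
    k1 = [prf(f"k1-{i}") for i in range(n)]              # permanent keys k_{i,1} (stand-in)
    k2 = [prf(f"k2-{i}-{t}") for i in range(n)]          # time-dependent keys k_{i,2} (stand-in)
    k01, k02 = (-sum(k1)) % q, (-sum(k2)) % q            # aggregator capabilities
    h = H(t)
    cts = [enc(x, h, k1[i], k2[i]) for i, x in enumerate(values)]
    return decrypt_sum(aggregate(cts), h, k01, k02)


if __name__ == "__main__":
    print(demo([3, 7, 11, 20, 30]))    # 71
```

Exponents are reduced modulo $q$ because every factor other than $1 + mp$ lives in the order-$q$ subgroup, which is also why the paper can take keys in $\mathbb{Z}_q$ and set $k_{0,1} = -\sum_i p_i \bmod q$.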

4 Our Construction

Jung and Li's scheme [6] includes an advanced protocol which tolerates up to k passive adversaries who do not try to tamper with the computation. But the communication and computation overheads are large for each participant, since it needs to exchange k + 1 rounds of messages and to compute its private encryption key every time a new sum is desired. In this section, we propose a secure key assignment protocol to initialize our scheme and to distribute secret keys among the participants and the aggregator. Even though the communication and computation overheads might be large in our initial setup, after setup our aggregation scheme needs only one encryption and one communication with the aggregator per aggregation. Before detailing our solution, we first give a brief overview of Jung and Li's scheme.

4.1 Jung and Li’s scheme

– Setup. Participant $i$ picks a secret number $r_i \in \mathbb{Z}_p$ and calculates a public parameter $Y_i = g^{r_i}$. Then each participant $i$ shares $Y_i$ with participants $i-k$, $i+1$ and $i+2$. After a round of exchanges, participant $i+1$ computes $Y'_{i+1} = \bigl(g^{r_{i+k+1}} / g^{r_{i-1}}\bigr)^{r_{i+1}}$ and sends $Y'_{i+1}$ to $i+2$. After the second round of exchanges, participant $i+2$ computes $Y'_{i+2} = (Y'_{i+1})^{r_{i+2}}$ and sends it to participant $i+3$. In general, when there are $k$ colluding adversaries, it needs $k+1$ rounds of exchanges for $i$ to obtain its randomizer

$$R_i = \Bigl(\frac{g^{r_{i+k+1}}}{g^{r_{i-1}}}\Bigr)^{r_{i+k} r_{i+k-1} \cdots r_{i+1} r_i} \bmod p^2.$$

– Encrypt. Every participant $i$ calculates $C_i = (1 + x_i(t)p) \cdot R_i \bmod p^2$. Then it sends $C_i$ to the aggregator.

– Sum. After receiving the ciphertexts from all participants, the aggregator calculates $C(t) = \prod_{i=1}^{N} C_i(t) \bmod p^2 = \bigl(1 + p \sum_{i=1}^{N} x_i(t)\bigr) \bmod p^2$, and then computes $(C(t) - 1)/p = \sum_{i=1}^{N} x_i(t)$ to recover the final sum.

It is obvious that the randomizer $R_i$ must change at every timestamp $t$, so Jung and Li's scheme has to run its setup for every aggregation request. The repeated time-consuming setup phase makes the above scheme inapplicable to the aggregation of time-series data.

4.2 Protocol Description

Similarly, our privacy-preserving sum calculation scheme for time-series data has three phases: Setup, Encrypt and Sum.

Setup

A. Phase 1. In our construction, the aggregator needs to obtain the capability $k_{0,1} = -\sum_{i=1}^{N} k_{i,1}$ such that the $H(t)$ factor in the encrypted sum can be cancelled in decryption. Here we propose a secure and privacy-preserving key assignment protocol without trusted key dealers, based on Shamir's secret sharing [24] and the Diffie-Hellman key agreement protocol. As assumed above, the number of compromised nodes is at most $k$, so we first divide all $N$ participants into a series of subgroups, each containing at least $k+2$ participants. For simplicity, we set $n \geq k+2$. Here we consider the naive division in which every subgroup has $n$ participants and the participant with identity number $i$ belongs to the $\lceil i/n \rceil$-th subgroup (participants from the first subgroup are reused if there are not enough participants for the last subgroup). We assume participant $i$ has an auxiliary identity number $m_i \in [n]$ in its subgroup, i.e., the participants receive auxiliary identity numbers $m_i$ from 1 to $n$ in the order of their identity numbers $i$.

At first, every participant and the aggregator choose a private number to set up secure channels based on the Diffie-Hellman key agreement protocol. Take the participants in the $m$-th subgroup as an example, where each participant $i$ has an auxiliary identity number $m_i \in [n]$. Each participant $i$ chooses a random number $r_i \in \mathbb{Z}_q$, computes its public parameter $g_i = g^{r_i}$ and sends $g_i$ to the aggregator. After receiving the messages from the participants, the aggregator uses its private number $r_0$ to compute $s_{0,i} = g_i^{r_0} = g^{r_0 r_i}$ and sends its public parameter $g_0 = g^{r_0}$ and all the other $g_j$ ($j \neq i$, participant $j$ also in the $m$-th subgroup) to each participant $i$. Each participant $i$ then computes $s_{i,0} = g_0^{r_i} = g^{r_0 r_i}$ and all $s_{i,j} = g_j^{r_i} = g^{r_j r_i}$ ($i \neq j$). Thus all the participants in the $m$-th subgroup and the aggregator share pairwise private session keys with each other.

After the session keys in the subgroup are established, each participant $i$ chooses a private number $p_i$ and generates a random polynomial $w_i$ over $\mathbb{Z}_q^*$ of degree $n-1$ such that $w_i(0) = p_i$. Then each participant $i$ computes the share of each participant $j$ in the same subgroup as $w_{i,m_j} = w_i(m_j)$ for $m_j \in [n]$. Participant $i$ keeps the share $w_{i,m_i}$ itself, and all the other shares $w_{i,m_j}$ ($m_j = 1, 2, \ldots, m_i - 1, m_i + 1, \ldots, n$) are sent to the aggregator encrypted with a symmetric cipher (AES in this paper; we write $\mathrm{AES}(w_{i,m_j})$ for the ciphertext of $w_{i,m_j}$ under AES with a symmetric key derived from $s_{i,j}$). The aggregator then forwards each encrypted share $\mathrm{AES}(w_{j,m_i})$ to participant $i$. After participant $i$ has received all the encrypted shares $w_{j,m_i}$ ($i \neq j$) from the participants $j$ via the aggregator, it decrypts them with the corresponding symmetric keys and computes the sum

$$W_i = \sum_{j} w_{j,m_i},$$

where $j$ ranges over the participants in the $m$-th subgroup. Participant $i$ then encrypts $W_i$ as $\mathrm{AES}(W_i)$ with the secret key derived from $s_{i,0}$. Finally, the aggregator collects and decrypts the messages from all $N$ participants, computes the sums $W_s = \sum_{m_j = s} W_j$ for $s = 1, 2, \ldots, n$, interpolates the degree-$(n-1)$ polynomial $\sum_{i=1}^{N} w_i$ from the points $(s, W_s)$, and obtains the sum $\sum_{i=1}^{N} p_i = \sum_{i=1}^{N} w_i(0)$. Thus participant $i$'s permanent private key $k_{i,1}$ is $p_i$, and the aggregator's first capability is $k_{0,1} = -\sum_i p_i \bmod q$.

Here we do not use the method in which participant $i$ slices its private number $p_i$ into $n$ pieces and sends the corresponding pieces to its subgroup mates in ciphertext, since the aggregator could use exhaustive search to find the unknown small pieces when $k$ participants in this subgroup collude with it.

B. Phase 2. The capability $k_{0,2}$ is established in a simple way. As mentioned above, each participant $i$ ($i = 1, 2, \ldots, N$) has chosen a private number $r_i$ and its public parameter $g_i = g^{r_i}$ has been sent to the aggregator. The aggregator distributes $g_{i-1}$ and $g_{i+1}$ (with $g_{N+1} = g_0$) to participant $i$, and participant $i$ computes $s_{i,i-1} = g_{i-1}^{r_i}$ and $s_{i,i+1} = g_{i+1}^{r_i}$. Note that this has already been done partially in Phase 1 within each subgroup, so the aggregator only needs to distribute one message, $g_{i-1}$ or $g_{i+1}$, to participant $i$ if $i$ and $i-1$ (or $i+1$) belong to different subgroups. Thus the time-dependent private key $k_{i,2}$ of participant $i$ is:

$$k_{i,2} = f_k(t) - f_{k'}(t) = f_{s_{i,i-1}}(t) - f_{s_{i,i+1}}(t).$$

Similarly, the aggregator's second capability is $k_{0,2} = f_{s_{0,N}}(t) - f_{s_{0,1}}(t)$.

Encrypt. After setup, the participants do not need to repeat the exchanges to obtain new random numbers for encrypting their data, so our protocol is more communication- and computation-efficient than Jung and Li's scheme. For a queried timestamp $t$, each participant $i$ first calculates $1 + x_i(t)p$. Then it multiplies the secret parameters $H(t)^{p_i}$ and $g^{f_{s_{i,i-1}}(t) - f_{s_{i,i+1}}(t)}$ with $1 + x_i(t)p$ to get the ciphertext $C_i(t) \in \mathbb{Z}_{p^2}$:

$$C_i(t) = (1 + x_i(t)p) \cdot H(t)^{p_i} \cdot g^{f_{s_{i,i-1}}(t) - f_{s_{i,i+1}}(t)} \bmod p^2.$$

Note that a small fraction of participants (the reused participants) are placed in two subgroups and therefore hold two permanent private keys $p_i$ and $p'_i$. In order to obtain the right sum, these reused participants compute the ciphertext $C'_i(t) \in \mathbb{Z}_{p^2}$ as

$$C'_i(t) = (1 + x_i(t)p) \cdot H(t)^{p_i + p'_i} \cdot g^{f_{s_{i,i-1}}(t) - f_{s_{i,i+1}}(t)} \bmod p^2.$$

In the following we omit $p'_i$ by folding it into $p_i$, i.e., $p_i \leftarrow p_i + p'_i$. Finally, the participants send their ciphertexts to the aggregator. In addition, Encrypt can be performed "on-the-fly": the exponentiations $H(t)^{p_i} \bmod p^2$ and $g^{f_{s_{i,i-1}}(t) - f_{s_{i,i+1}}(t)} \bmod p^2$ can be pre-computed, so that once the plaintext $x_i(t)$ is known the participant only has to compute a modular multiplication to get $C_i(t)$.

Sum. The aggregator, after receiving the ciphertexts $C_i(t)$ from all participants, calculates $C(t) \in \mathbb{Z}_{p^2}$ as:

$$\begin{aligned}
C(t) &= H(t)^{k_{0,1}} \cdot g^{k_{0,2}} \cdot \prod_{i=1}^{N} C_i(t) \bmod p^2 \\
&= H(t)^{k_{0,1}} \cdot g^{k_{0,2}} \cdot \prod_{i=1}^{N} (1 + x_i(t)p) \cdot H(t)^{p_i} \cdot g^{f_{s_{i,i-1}}(t) - f_{s_{i,i+1}}(t)} \bmod p^2 \\
&= \Bigl(1 + p \sum_{i=1}^{N} x_i(t)\Bigr) \cdot H(t)^{k_{0,1} + \sum_{i=1}^{N} p_i} \cdot g^{f_{s_{0,N}}(t) - f_{s_{0,1}}(t) + f_{s_{1,0}}(t) - f_{s_{N,0}}(t)} \bmod p^2 \\
&= \Bigl(1 + p \sum_{i=1}^{N} x_i(t)\Bigr) \bmod p^2 \qquad \text{(here } p > \textstyle\sum_{i=1}^{N} x_i(t)\text{)}.
\end{aligned}$$

The inner PRF terms cancel pairwise because $s_{i,i+1} = s_{i+1,i}$, and the remaining four cancel against $k_{0,2}$ because $s_{1,0} = s_{0,1}$ and $s_{N,0} = s_{0,N}$. Then the aggregator calculates $(C(t) - 1)/p = \sum_{i=1}^{N} x_i(t)$ to recover the final sum.

Leaving of an existing participant. Suppose that participant $i$ decides to leave the network with effect at timestamp $t$. The aggregator assigns a reused participant $i'$ to hold the auxiliary identity number $m_i$ in the corresponding subgroup from timestamp $t$ on. Then the aggregator sends $g_i$ and the public parameters of all the other $n-1$ members of that subgroup to participant $i'$, and vice versa, so that secure session keys are established among participant $i$, participant $i'$ and all the other $n-1$ members of that subgroup. Each participant $j$ (including $i'$) in that subgroup generates a random number $r_{m_j} \in \mathbb{Z}_q^*$ and sends it, encrypted, to participant $i$. Participant $i$ decrypts the received $r_{m_j}$ with the respective session keys, randomly splits the quantity defined by

$$p_i + \sum_{m_j = 1}^{n} r_{m_j} = \sum_{m_j = 1}^{n} p_i^{m_j} \bmod q,$$

and sends each $p_i^{m_j}$ encrypted under the shared symmetric key to the holder of $m_j$. The reused participant $i'$ updates $p_{i'} \leftarrow p_{i'} - r_{m_i} \bmod q$ and sets its reused permanent key $p'_{i'} = p_i^{m_i}$. Every other member $j$ of that subgroup updates its permanent private key by adding the received slice and subtracting its own random number, i.e., $p_j \leftarrow (p_j + p_i^{m_j} - r_{m_j}) \bmod q$. For the time-dependent private keys, participant $i$ does nothing; the aggregator distributes $g_{i-1}$ to participant $i+1$ and $g_{i+1}$ to participant $i-1$. On receipt, they compute $s_{i-1,i+1} = g_{i+1}^{r_{i-1}}$ and $s_{i+1,i-1} = g_{i-1}^{r_{i+1}}$, so their time-dependent private keys become $k_{i-1,2} = f_{s_{i-1,i-2}}(t) - f_{s_{i-1,i+1}}(t)$ and $k_{i+1,2} = f_{s_{i+1,i-1}}(t) - f_{s_{i+1,i+2}}(t)$.

Joining of a new participant. Assume that a participant, say $i$, joins just before time slot $t$, and that participants $i-1$ and $i+1$ hold the time-dependent private keys $k_{i-1,2} = f_{s_{i-1,i-2}}(t) - f_{s_{i-1,i+1}}(t)$ and $k_{i+1,2} = f_{s_{i+1,i-1}}(t) - f_{s_{i+1,i+2}}(t)$. Participant $i$ first shares a session key $s_{i,0}$ with the aggregator using the Diffie-Hellman key agreement protocol. Then the aggregator assigns participant $i$ an auxiliary identity number $m_i$ previously held by a reused participant $j$ in the corresponding subgroup. The aggregator sends $g_i$ to participant $j$ and $g_j$ to participant $i$, so that $i$ and $j$ share a secure session key by raising the received message to the power of their own private numbers. Participant $j$ then sends its reused permanent private key $p'_j$, encrypted under the shared symmetric key, to participant $i$, who decrypts it to obtain $p'_j$. Next, the aggregator sends $g_i$ to all the other $n-1$ members of that subgroup, and vice versa, to establish session keys between $i$ and all the others in that subgroup. Participant $i$ randomly slices

$$p'_j = \sum_{m_j = 1}^{n} p_i^{m_j} \bmod q,$$

while each participant $j$ in this subgroup simultaneously generates a random number $r_{m_j}$. Participant $i$ sends the slice $p_i^{m_j}$ ($m_j \neq m_i$), encrypted under the shared symmetric key between $i$ and $j$, to participant $j$, and $r_{m_j}$ is sent to participant $i$ in encrypted form as before. After decrypting the $r_{m_j}$, participant $i$ obtains its permanent private key

$$p_i = p_i^{m_i} + \sum_{m_j = 1,\, j \neq i}^{n} r_{m_j} \bmod q,$$

and each participant $j$ in this subgroup updates its permanent private key to $p_j + p_i^{m_j} - r_{m_j} \bmod q$. To reassign the time-dependent private keys, the aggregator distributes $g_{i-1}$ and $g_{i+1}$ to participant $i$ and $g_i$ to participants $i+1$ and $i-1$. In the manner described earlier, participants $i-1$, $i$ and $i+1$ obtain their time-dependent private keys $f_{s_{i-1,i-2}}(t) - f_{s_{i-1,i}}(t)$, $f_{s_{i,i-1}}(t) - f_{s_{i,i+1}}(t)$ and $f_{s_{i+1,i}}(t) - f_{s_{i+1,i+2}}(t)$, respectively.

5 Protocol Analysis

When $p$ is chosen large enough that $p > \sum_{i=1}^{N} x_i(t)$, the correctness of the proposed scheme follows from the Sum step above. In this section, we present the verification property which can be used by the participants and the aggregator. The privacy and security analyses of our aggregation scheme are also presented.

5.1 Verification Properties

If a participant did not send its data or sent an invalid message, the aggregator cannot read the consolidated summation, i.e., the exact sum. Obviously, neighboring participants and participants in the same subgroup could cooperate to disclose the key of the failed participant, but this would result in the privacy disclosure of that participant. A better solution is to generate new keys for the remaining participants. Thanks to our subgroup method, the aggregator knows the exact sum of one subgroup's permanent private keys. Therefore, only $n$ participants need to change their permanent private keys and only two participants need to regenerate their time-dependent private keys.

The aggregator can ask for verification when the sum differs from the expected one. If the aggregator asks for verification to identify that something is wrong, a participant $i$ can reveal its proof for timestamp $t$ without disclosing its actual reading. To perform verification over a sent encrypted value $C_i$ of participant $i$, the aggregator sends a request to $i$, and the participant then sends $R_i(t) = (1 + x_i(t)p) \cdot H(t)^{p_i} \bmod p^2$ and $V_i(t) = g^{fs_{i,i-1}(t) - fs_{i,i+1}(t)} \bmod p^2$ to the aggregator. Therefore, the sent encrypted value can be verified by $C_i(t) \stackrel{?}{=} R_i(t) \cdot V_i(t) \bmod p^2$. Note that the accumulation of a participant's inputs during the time period from $t_0$ to $t_0 + d$ (for example, one day) can be verified in the following way. The aggregator computes $OC_i(t) = \prod_{t=t_0}^{t_0+d} C_i(t) \bmod p^2$ by multiplying all the $d+1$ encrypted inputs, and participant $i$ sends the sum $OR_i(t) = \sum_{t=t_0}^{t_0+d} x_i(t)$ and the product $OV_i(t) = \prod_{t=t_0}^{t_0+d} H(t)^{p_i} g^{fs_{i,i-1}(t) - fs_{i,i+1}(t)} \bmod p^2$ to the aggregator. If $OC_i(t) = (1 + OR_i(t) \cdot p) \cdot OV_i(t) \bmod p^2$, then the participant proves that the accumulation result is correct. The latter verification property can be used to invoice the billing information in many realistic applications, such as smart grids.
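The Encrypt step, the aggregator's Sum step and both verification checks above, worked through in Python as an added example (this is not the paper's Java implementation). It assumes toy parameters ($p = 2^{61}-1$, $g = 2$), HMAC-SHA256 as the PRF behind $fs_{i,j}(t)$, and that the aggregator, sitting as node 0 of the ring, already holds $\sum_i p_i$ and its two session keys from Setup, which is not reproduced here.

```python
import hashlib
import hmac
from functools import reduce

# Toy parameters chosen for this example (the paper uses a ~520-bit p).
P = (1 << 61) - 1   # prime p; correctness needs sum_i x_i(t) < p
P2 = P * P          # all ciphertext arithmetic is modulo p^2
G = 2               # assumed generator of the group G inside Z_{p^2}^*

def H(t):
    """Hash-to-group H(t): a unit of Z_{p^2} derived from the timestamp."""
    h = int.from_bytes(hashlib.sha256(b"H|%d" % t).digest(), "big") % P2
    return h if h % P else h + 1  # skip the (negligible) non-invertible case

def fs(session_key, t):
    """fs_{i,j}(t) = fs_{j,i}(t): time-dependent key of two ring neighbours (HMAC assumed as PRF)."""
    return int.from_bytes(hmac.new(session_key, b"%d" % t, hashlib.sha256).digest(), "big")

def blind(key_left, key_right, t):
    """g^{fs_{i,i-1}(t) - fs_{i,i+1}(t)} mod p^2; the negative exponent is a modular inverse."""
    return pow(G, fs(key_left, t), P2) * pow(pow(G, fs(key_right, t), P2), -1, P2) % P2

def encrypt(x, t, p_i, key_left, key_right):
    """C_i(t) = (1 + x_i(t) p) * H(t)^{p_i} * g^{fs_{i,i-1}(t) - fs_{i,i+1}(t)} mod p^2."""
    return (1 + x * P) * pow(H(t), p_i, P2) * blind(key_left, key_right, t) % P2

def aggregate(ciphertexts, t, sum_p, key_01, key_0N):
    """Sum step at node 0: it knows sum_i p_i (Setup) and its keys with participants 1 and N."""
    c = reduce(lambda a, b: a * b % P2, ciphertexts, 1)
    c = c * pow(pow(H(t), sum_p, P2), -1, P2) % P2       # strip H(t)^{sum p_i}
    c = c * pow(blind(key_01, key_0N, t), -1, P2) % P2   # strip g^{fs_{0,1}(t) - fs_{0,N}(t)}
    if (c - 1) % P:                                      # not of the form 1 + s*p mod p^2
        raise ValueError("missing or invalid input: the exact sum cannot be read")
    return (c - 1) // P

def proof(x, t, p_i, key_left, key_right):
    """Per-timestamp proof: R_i(t) = (1 + x_i(t) p) H(t)^{p_i} and V_i(t) = g^{...}."""
    return (1 + x * P) * pow(H(t), p_i, P2) % P2, blind(key_left, key_right, t)

def verify(c_i, r_i, v_i):
    """Aggregator's check C_i(t) == R_i(t) * V_i(t) mod p^2."""
    return c_i == r_i * v_i % P2

def period_proof(readings, t0, p_i, key_left, key_right):
    """OR_i = sum_t x_i(t) and OV_i = prod_t H(t)^{p_i} g^{fs_l(t)-fs_r(t)} for t0..t0+d."""
    ov = 1
    for d in range(len(readings)):
        ov = ov * pow(H(t0 + d), p_i, P2) * blind(key_left, key_right, t0 + d) % P2
    return sum(readings), ov

def verify_period(ciphertexts, or_i, ov_i):
    """Billing check OC_i == (1 + OR_i p) * OV_i mod p^2 with OC_i = prod_t C_i(t)."""
    oc = reduce(lambda a, b: a * b % P2, ciphertexts, 1)
    return oc == (1 + or_i * P) * ov_i % P2

def demo(n=4, t0=1000, days=3):
    """Constructed ring 0..n (node 0 = aggregator); returns (daily sums, all checks ok)."""
    keys = [hashlib.sha256(b"session|%d" % i).digest() for i in range(n + 1)]  # keys[i]: nodes i, i+1
    perm = [int.from_bytes(hashlib.sha256(b"perm|%d" % i).digest(), "big") for i in range(n + 1)]
    x = {i: [7 * i + d for d in range(days)] for i in range(1, n + 1)}        # constructed x_i(t)
    sums, ok = [], True
    for d in range(days):
        cts = [encrypt(x[i][d], t0 + d, perm[i], keys[i - 1], keys[i]) for i in x]
        sums.append(aggregate(cts, t0 + d, sum(perm[1:]), keys[0], keys[n]))
        ok &= all(verify(cts[i - 1], *proof(x[i][d], t0 + d, perm[i], keys[i - 1], keys[i])) for i in x)
    hist = [encrypt(x[1][d], t0 + d, perm[1], keys[0], keys[1]) for d in range(days)]
    return sums, ok and verify_period(hist, *period_proof(x[1], t0, perm[1], keys[0], keys[1]))
```

Dropping any one $C_i(t)$ from the product leaves an $H(t)^{p_i}$ factor behind, so `aggregate` raises instead of returning a wrong sum, which is exactly the situation in which the aggregator would ask for the per-participant proof.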

5.2 Security Analysis

Since our aggregation scheme consists of three steps, Setup, Encrypt, and Sum, and Setup is the foundation of our construction, we give the security proof of Setup first.


Theorem 1. Phase 1 of Setup in our aggregation scheme is CDH-secure in $G$.

Proof. The symmetric cipher AES is used in our Setup phase, as well as Shamir's secret sharing scheme and the Diffie-Hellman key agreement protocol. As mentioned in [25], a 128-bit AES key demands a DH key size of 3072 bits for equivalent security. Thus, the security level mainly depends on the DH key agreement protocol. In a nutshell, we show that any probabilistic polynomial-time adversary (PPTA) who has a significant chance of inferring private values in our Setup phase has a non-negligible advantage in solving the CDH problem, which contradicts our security assumption that the CDH problem is intractable.

Since the communication channel is insecure, any adversary has the same view unless it can collude with some adversarial participants. In the worst case, the aggregator colludes with $n-2$ adversarial participants in one subgroup, and at least participants $i$ and $j$ are uncompromised. If the aggregator wants to infer the permanent private key $p_i$ of participant $i$, it has to obtain $w_{i,m_j}$ and $w_{i,m_i}$, because even if the aggregator obtains the other $n-2$ shares of $i$, it cannot reconstruct the order-$(n-1)$ polynomial $w_i$ to get $p_i$. If the aggregator obtains all the symmetric session keys, it can recover $w_{i,m_j}$ by decrypting the corresponding message and $w_{i,m_i}$ by subtracting $\sum_{k} w_{k,m_i}$ ($k \neq i$) from $W_i$. When the aggregator obtains all $n$ shares of participant $i$, it interpolates the order-$(n-1)$ polynomial $w_i$ to calculate $p_i = w_i(0)$. Note that any PPTA is only given $g_i = g^{r_i}$ and $g_j = g^{r_j}$ from the insecure communication channel, so a PPTA has to solve the CDH problem in $G$ to get the unknown symmetric session keys. However, this is exactly the CDH problem, which is assumed to be intractable. That is, inferring a permanent private key during Setup is at least as hard as the CDH problem in $G$ for any probabilistic polynomial-time adversary.

The time-dependent private key in Phase 2 of Setup is aimed not only at enhancing security but also at reducing the probability that the aggregator can get the sum of one subgroup. Without the time-dependent private key, it is easy for the aggregator to compute the sum of one subgroup. As Enc is constructed, the aggregator can get the sum of a subgroup only if the first and the last participants in its neighboring subgroups collude with the aggregator, which happens with probability $\frac{(n-2)(n-3)}{N^2}$. The time-dependent private key can confuse outside adversaries but fails against collusion attacks. The security of our scheme mainly depends on the permanent private key. We now give the security proof of the proposed aggregation process.

Theorem 2. Our proposed aggregation protocol is CDH-secure in G.

Proof. To infer $x_i(t)$ given $C_i(t) = (1 + x_i(t)p) \cdot H(t)^{p_i} \cdot g^{fs_{i,i-1}(t) - fs_{i,i+1}(t)} \bmod p^2$, any adversary has to solve the secret randomizer $H(t)^{p_i} \cdot g^{fs_{i,i-1}(t) - fs_{i,i+1}(t)} \bmod p^2$. In the worst case, participants $i-1$ and $i+1$ collude with the aggregator and another $n-4$ participants are also compromised. Thus, the aggregator knows participant $i$'s time-dependent private key $fs_{i,i-1}(t) - fs_{i,i+1}(t)$. It has been shown that inferring a permanent private key during Setup is at least as hard as the CDH problem in $G$ for any PPTA, thus the aggregator has to solve the secret randomizer $H(t)^{p_i} \bmod p^2$. Denote $H(t) = g^h$; the aggregator then has to compute discrete logarithms to get $h$ and $hp_i$. Assume there is a PPTA who can solve the discrete logarithm problem; then it also solves the CDH problem defined in our group $G$. However, the CDH problem is intractable, therefore the adversary has a negligible advantage in solving the secret randomizer $H(t)^{p_i} \bmod p^2$. That is, inferring private values during the aggregation scheme is at least as hard as the CDH problem in $G$ for any PPTA.

Theorem 3. Our proposed aggregation protocol is aggregator oblivious, i.e., a party without the aggregator capability learns nothing.

Proof. To infer $\sum_{i=1}^{N} x_i(t)$ given

$$C'(t) = \Bigl(1 + p\sum_{i=1}^{N} x_i(t)\Bigr)\, H(t)^{\sum_{i=1}^{N} p_i}\, g^{fs_{0,1}(t) - fs_{0,N}(t)} \bmod p^2,$$

any PPTA has to solve the secret randomizer $H(t)^{\sum_{i=1}^{N} p_i} g^{fs_{0,1}(t) - fs_{0,N}(t)}$ first. Note that any PPTA is only given $H(t)$ and $g$ from the insecure communication channel, so the PPTA has to compute discrete logarithms to cancel the exponent of $g$. That is, inferring the aggregation result without the aggregator capability is at least as hard as the CDH problem in $G$ for any PPTA.

The security proofs of the Leaving and Joining processes are omitted; however, both processes are CDH-secure in $G$.

6 Performance Evaluation

6.1 Complexity

In this section, we discuss the computation and communication complexities of the proposed aggregation scheme. For the sake of simplicity, we denote the computation complexity of one encryption or decryption in 128-bit AES as $O(1)$, and we also assume that there are no reused participants.

Setup process. In Phase 1, it is easy to see that a participant needs to compute one public parameter, $n$ symmetric session keys and $n$ secret shares, and to encrypt and decrypt $n-1$ shares. Therefore, the computation complexity of each participant is $O(4n-1)$. Since the aggregator needs to compute one public parameter, $N$ symmetric session keys, $N$ decryptions and $n$ Lagrange basis polynomials, the computation complexity of the aggregator is $O(2N+n+1)$. In addition, a participant $i$ on a subgroup boundary (i.e., $i = kn$ or $i = kn+1$, $i \neq 1, N$) needs an extra computation of a symmetric session key in Phase 2, while the others need no computation.

In Phase 1, every participant exchanges its public parameter with its groupmates in the subgroup via the aggregator, which incurs a communication cost of $O(2|p|)$ bits, where $|p|$ represents the bit length of $p$. The participant needs to exchange the secret shares with its partners, and the communication overhead is $O(n|q|)$. Since the aggregator needs to send all messages to $N$ participants, its communication overhead is $O(2N(n-1)|q| + N(n-1)|p|)$. In Phase 2, there is no extra communication overhead for the participants, and the aggregator only needs to send about $O(4|q|N/n)$ messages.

Table 2. Complexity of our scheme.

Per Meter               Computation   Communication
  Setup                 O(n)          O(n|p| + n|q|)
  Encrypt               O(1)          O(|p|)

Aggregator              Computation   Communication
  Setup                 O(N)          O(Nn|q| + Nn|p|)
  Sum                   O(N)          O(N|p|)
  Meter Leaving         \             O(n|p| + n|q|)
  Meter Joining         O(1)          O(n|p| + n|q|)

Leaving/Joining Meter   Computation   Communication
  Meter Leaving         O(n)          O(n|q|)
  Meter Joining         O(n)          O(n|p| + n|q|)

Subgroup Mates          Computation   Communication
  Meter Leaving         O(1)          O(|p| + |q|)
  Meter Joining         O(1)          O(|p| + |q|)

Reused Meter            Computation   Communication
  Meter Leaving         O(n)          O(n|p|)
  Meter Joining         O(1)          O(|p| + |q|)

Encrypt and Sum processes. In the Encrypt process, it is easy to see that every participant has a communication overhead of $O(2|p|)$ and a computation complexity of $O(1)$. In the Sum process, the aggregator's computation overhead is $O(N+1)$.

Leaving of an existing participant. In this process, the assigned participant $i'$ needs to compute $n$ symmetric session keys, and every participant in this subgroup has a computation overhead of $O(2)$ to compute the symmetric session key with $i'$ and to update its permanent private key. Moreover, each of these participants has to compute one AES encryption and decryption. The leaving participant needs to compute one symmetric session key, one equality and $n$ 128-bit AES encryptions and decryptions, so its computation overhead is $O(4n+1)$. In addition, each adjacent neighbor of $i$ (for example, participant $i+1$ or participant $i-1$) has to change its time-dependent private key with a computation overhead of $O(2)$. As we can see, the leaving participant $i$ has a communication overhead of $O(2n|q|)$ and the reused participant $i'$ has one of $O(2(n+1)|p| + 2|q|)$. The aggregator sends $2n$ public parameters and $2n$ encrypted messages to the subgroup and two public parameters to the adjacent neighbors of the leaving participant, therefore the communication overhead of the aggregator is about $O(4n|p| + 4n|q|)$.

Joining of a new participant. The joining participant has to compute its public parameter first, and then it needs to compute $n$ session keys and to decrypt and encrypt $n$ messages. In addition, the joining participant needs to compute two equalities and two session keys to get its time-dependent private key. Thus, the computation complexity of $i$ is $O(4n-1)$. The other members of its subgroup need to compute one session key, to decrypt and encrypt a single message and to update their permanent private key, so their computation complexity is $O(4)$. Note that the adjacent neighbors of the joining participant need an extra computation to update their time-dependent private keys. By our analysis, the joining participant has a communication overhead of $O(2n|p| + 2(n-1)|q|)$ and the reused participant has one of $O(2|p| + 2|q|)$, and we conclude that the aggregator's communication overhead is also $O(4n|p| + 4n|q|)$. The total complexities of the aggregator and the participants are summarized in Table 2.

6.2 Evaluation by Implementation

The Encrypt process may be run by participants with constrained resources, while the Sum is run on the aggregator side. So the performance of encryption is more important in aggregation protocols. As has been pointed out, EPPP4SMS is much faster in encryption than many protocols that use Paillier's scheme [15]. Therefore, in this simulation, we only compare the performance of our protocol with two other existing aggregation protocols, [6] (specifically, Jung's advanced protocol) and [15] (EPPP4SMS). To simulate and measure the computation overhead, the aggregation protocols are all implemented in Java on a computer with an Intel i3-2100 CPU @ 3.10 GHz and 3GB of RAM, and each result is the average time measured over 1,000 executions. Also, the input data $x_i$ is a random number less than 100,000. In our protocol and Jung's advanced sum protocol, $q$ is of 512-bit length and $p$ is roughly of 520-bit length, while EPPP4SMS uses 512 bits for the exponents and primes with 512 bits. Thus, the ciphertexts in these protocols are roughly of 1024-bit length.

First of all, we compared the participant's computation overhead in the setup of our sum protocol and Jung's protocol. We do not simulate the setup phase of EPPP4SMS because it does not share the same security assumption as our protocol and Jung's. It is clear that the computation overhead of each participant in the setup phase depends only on the number of colluders if the length of the ciphertext is fixed. We measured the total computation time each participant spent calculating its final encryption keys with different numbers of colluders, and the results are shown in Fig. 2. As we can see in Fig. 2 (A), the setup time for each participant of our protocol in the first aggregation is almost the same as in Jung's protocol. However, as aforementioned, Jung's protocol needs to run setup for every round of aggregation, while our scheme needs only one setup for all of the aggregations. Obviously, our protocol is much more efficient for time-series data aggregation, and this conclusion is in accordance with the simulation results in Fig. 2 (B).

Fig. 2. The time spent in the setup phase. (A) The dependence of the number of colluders and the setup time for each participant in the first aggregation. (B) The dependence of the number of aggregations and the total setup time for each participant (here the number of colluders is set to 800).

Fig. 3. The independence of the computation time of encryption (decryption) for each participant (aggregator) and the number of colluders. (A) encryption; (B) decryption.

The independence of the computation time of encryption (decryption) for each participant (aggregator) and the number of colluders is shown in Fig. 3. In Fig. 3, we set the total number of participants to 2,000 while the number of colluders ranges from 50 to 400. Fig. 3A suggests that the number of colluders has a negligible influence on the computation time each participant spends in encryption, and Fig. 3B indicates that the number of colluders does not significantly affect the decryption time of the aggregator. In addition, Fig. 3 shows that the encryption efficiency can be improved by around 300 times (from about 15 ms to 0.05 ms) when the exponentiations $H(t)^{p_i} \bmod p^2$ and $g^{fs_{i,i-1}(t) - fs_{i,i+1}(t)}$ are pre-computed. Thus, we assume the number of co-conspirators is 50 for our and Jung's protocols in the following simulations. The independence of the total number of participants and the encryption time for each participant is shown in Fig. 4. As suggested in Fig. 4 (A), our protocol is faster than EPPP4SMS in encryption if they have the same length of ciphertexts. The simulation of our protocol ran in a mean time of 15.69 ms, while EPPP4SMS ran in 17.30 ms for encryption. Because Jung's protocol only computes two modular multiplications in encryption, it has the most efficient encryption, running in about 0.016 ms. Moreover, our protocol takes 0.05 ms after deploying the 'on-the-fly' method, and EPPP4SMS takes 0.38 ms on average. However, since Jung's protocol needs to repeat a time-consuming initialization for every aggregation, it turns out to be the most inefficient one for time-series data aggregation. The dependence of the total number of participants and the decryption time for the aggregator is shown in Fig. 5. It indicates that the decryption time for the aggregator grows linearly with the number of participants. We can also see that EPPP4SMS has the most inefficient decryption when the total number of participants is small, and that the three schemes have almost the same decryption time for a large number of participants.

Fig. 4. The dependence of the total number of participants and the decryption time for the aggregator.

Fig. 5. The independence of the total number of participants and the encryption time for each participant. (A) the encryption time of our scheme and EPPP4SMS. (B) the 'on-the-fly' encryption time and the encryption time of Jung's protocol.

7 Conclusion

In this paper, we proposed a privacy-preserving aggregation scheme for time-series data without trusted key dealers. Our proposed scheme is experimentally shown to be scalable and faster in encryption and decryption than some protocols based on Paillier's cryptosystem. The reason for the outwardly inefficient setup in our scheme is that no trusted or semi-trusted key dealer is assigned in the system and the communication channels between the participants and the aggregator are not secure. However, our scheme is shown to be much more efficient than Jung and Li's protocol in Ref. [6] under the same security assumption, because Jung and Li's protocol is not designed for time-series data and its initialization has to be repeated every time a new sum is desired. In the proposed scheme, the aggregation results can be calculated efficiently after setup, and each participant takes the same processing time independent of the number of participants considered in the aggregation.

The scheme is proposed to tolerate up to $k$ collusive adversaries who will not tamper with the computation but try to manipulate their parameters to infer others' private values. The security of our scheme is formally analyzed, and it is shown that the scheme is secure if the CDH problem is assumed to be intractable. Our proposed scheme provides verification as well as scalable encryption, because the processing time of the encryption does not depend on the number of participants. The implementations of our scheme suggest that the proposed aggregation protocol is efficient for time-series data.

Acknowledgement

This work was supported by the National Natural Science Foundation of China (Grant no. 41371402); the National Basic Research Program of China (973 Program) (Grant no. 2011CB302306); the Fundamental Research Funds for the Central Universities under Grant no. 2015211020201.

References

1. M. A. Lisovich, D. K. Mulligan, and S. B. Wicker. Inferring personal information from demand-response systems. IEEE Security and Privacy, 8(1), Jan.–Feb. 2010.

2. E. L. Quinn. Smart metering and privacy: Existing law and competing policies. A report for the Colorado Public Utilities Commission, 2009.

3. G. W. Hart. Residential energy monitoring and computerized surveillance via utility power flows. IEEE Technology and Society Magazine, June 1989.

4. L. Fan and L. Xiong. An adaptive approach to real-time aggregate monitoring with differential privacy. IEEE Transactions on Knowledge and Data Engineering, 26(9):2094–2106, 2014.

5. H. Li, L. Xiong, X. Jiang, et al. Differentially private histogram publication for dynamic datasets: An adaptive sampling approach. In Proceedings of the 24th ACM International Conference on Information and Knowledge Management, pages 1001–1010. ACM, 2015.

6. T. Jung and X.-Y. Li. Collusion-tolerable privacy-preserving sum and product calculation without secure channel. IEEE Transactions on Dependable and Secure Computing, Feb. 2014, doi: 10.1109/TDSC.2014.2309134.

7. F. Li, B. Luo, and P. Liu. Secure information aggregation for smart grids using homomorphic encryption. In Proc. 1st IEEE Int. Conf. Smart Grid Commun. (SmartGridComm), Gaithersburg, MD, USA, Oct. 2010, pages 327–332.

8. F. Li and B. Luo. Preserving data integrity for smart grid data aggregation. In Proc. 3rd IEEE Int. Conf. Smart Grid Commun. (SmartGridComm), 2012, pages 366–371.

9. F. D. Garcia and B. Jacobs. Privacy-friendly energy-metering via homomorphic encryption. In Security and Trust Management, pages 226–238. Springer Berlin Heidelberg, 2011.

10. G. Danezis, C. Fournet, M. Kohlweiss, et al. Smart meter aggregation via secret-sharing. In Proceedings of the First ACM Workshop on Smart Energy Grid Security, pages 75–80. ACM, 2013.

11. E. Shi, T.-H. H. Chan, E. G. Rieffel, R. Chow, and D. Song. Privacy-preserving aggregation of time-series data. In Proc. Netw. Distrib. Syst. Security Symp. (NDSS), 2011, p. 17.

12. M. Joye and B. Libert. A scalable scheme for privacy-preserving aggregation of time-series data. In Financial Cryptography and Data Security (FC). IFCA, 2013.

13. I. Leontiadis, K. Elkhiyaoui, and R. Molva. Private and dynamic time-series data aggregation with trust relaxation. Lecture Notes in Computer Science, pages 305–320, 2014.

14. Q. Li, G. Cao, and T. Porta. Efficient and privacy-aware data aggregation in mobile sensing. IEEE Transactions on Dependable and Secure Computing (TDSC), 11(2):115–129, 2014.

15. F. Marmol, C. Sorge, O. Ugus, and G. Perez. Do not snoop my habits: Preserving privacy in the smart grid. IEEE Commun. Mag., 50(5):166–172, May 2012.

16. F. Borges and M. Muhlhauser. EPPP4SMS: Efficient privacy-preserving protocol for smart metering systems and its simulation using real-world data. IEEE Transactions on Smart Grid, 5(6):2701–2708, November 2014.

17. J. Won, et al. Proactive fault-tolerant aggregation protocol for privacy-assured smart metering. In INFOCOM, 2014 Proceedings IEEE, pages 2804–2812. IEEE, 2014.

18. C. Castelluccia, A. Chan, E. Mykletun, and G. Tsudik. Efficient and provably secure aggregation of encrypted data in wireless sensor networks. Transactions on Sensor Networks (TOSN), 2009.

19. R. Lu, X. Liang, X. Li, X. Lin, and X. Shen. EPPA: An efficient and privacy-preserving aggregation scheme for secure smart grid communications. IEEE Trans. Parallel Distrib. Syst., 23(9):1621–1631, Sep. 2012.

20. M. Jawurek and F. Kerschbaum. Fault-tolerant privacy-preserving statistics. In PETS. Springer, 2012.

21. Q. Li and G. Cao. Efficient privacy-preserving stream aggregation in mobile sensing with low aggregation error. In PETS. Springer, 2013.

22. F. G. Marmol, C. Sorge, R. Petrlic, et al. Privacy-enhanced architecture for smart metering. International Journal of Information Security, 12(2):67–82, 2013.

23. C. Dwork. Differential privacy. In Automata, Languages and Programming. Springer, 2006.

24. S. Goryczka, L. Xiong, and V. Sunderam. Secure multiparty aggregation with differential privacy: a comparative study. In Proceedings of the Joint EDBT/ICDT 2013 Workshops. ACM, 2013.

25. S. A. Vanstone. Next generation security for wireless: elliptic curve cryptography. Computers & Security, 22(5):412–415, 2003.