research article an efficient data aggregation protocol...
TRANSCRIPT
Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2013 Article ID 256852 9 pageshttpdxdoiorg1011552013256852
Research ArticleAn Efficient Data Aggregation Protocol Concentrated onData Integrity in Wireless Sensor Networks
Liehuang Zhu Zhen Yang Meng Li and Dan Liu
Beijing Engineering Research Center of Massive Language Information Processing and Cloud Computing ApplicationSchool of Computer Science and Technology Beijing Institute of Technology Beijing 100081 China
Correspondence should be addressed to Liehuang Zhu liehuangzbiteducn
Received 5 March 2013 Accepted 30 April 2013
Academic Editor Yulong Shen
Copyright copy 2013 Liehuang Zhu et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
Wireless sensor networks consist of a great number of sensor nodes with strictly limited computation capability storagecommunication resources and battery power Because they are deployed in remote and hostile environments and hence arevulnerable to physical attacks sensor networks face many practical challenges Data confidentiality data integrity sourceauthentication and availability are all major security concerns In this paper we focus on the very problem of preservingdata integrity and propose an Efficient Integrity-Preserving Data Aggregation Protocol (EIPDAP) to guarantee the integrity ofaggregation result through aggregation in sensor networks In EIPDAP base station can immediately verify the integrity ofaggregation result after receiving the aggregation result and corresponding authentication information However to check integritymost existing protocols need an additional phase which will consume a lot of energy and cause network delay Compared with otherrelated schemes EIPDAP reduces the communication overhead per node to119874(Δ) where Δ is the degree of the aggregation tree forthe network To the best of our knowledge EIPDAP has the most optimal upper bound on solving the integrity-preserving dataaggregation problem
1 Introduction
Wireless sensor networks (WSNs) havemany security-criticalapplications such as real-time traffic monitoring wildfiretracking or military surveillance In a sensor networkthousands of low-cost sensor nodes collectively monitor anarea within a certain range and report their own data to thebase station which distributes a data query However thiswould incur high communication overhead which cannot beafforded by sensor nodes Data aggregation [1 2]mechanismsare proposed to reduce the power consumption Data aggre-gation poses security threat many secure data aggregationprotocols [3 4] have been emerging over these years whichprove to be secure and considerably improve the resourceutilization
Although data confidentiality could guarantee that legalparties obtain plain data without being leaked out to adver-saries it does not protect data frombeing altered [5ndash7] In thispaper we focus on the problem of preserving data integrity
through aggregation in sensor networks Message authenti-cation codes (MACs) are used in [8] to protect data integritywhile causing other problems such as high communicationoverhead In this paper we present a provably secure sensornetwork integrity-preserving aggregation protocol based onthe elliptic curve discrete logarithm problem for generalnetworks with hierarchical aggregator topologies assumingthat adversaries are able to corrupt a (small) fraction ofsensors With the increasing of sensor nodersquos computationcapacity public key cryptography such as elliptic curvecryptosystems (ECC) is suitable for constrained environ-ments such as WSN In [9] authors propose secure dataaggregation schemes using ECC to obtain data confidentialityand integrity in the data aggregation because of their smallerkey size faster computations and reductions in processingpower storage space and bandwidth TinyECC is proposedby Liu and Ning [10] which provides ECC-based operationsthat can be flexibly configured and integrated into WSNapplications
2 International Journal of Distributed Sensor Networks
An adversary can perform a variety of attacks For exam-ple a denial-of-service (DoS) attack can totally block thecommunication between sensor nodes and the base stationHowever this attack is not concerned because it is detectableby the querier and solutions can be implemented to remedythis situation In stealthy attack [4] the attackerrsquos goal is tomake the base station accept false aggregation results whichare significantly different from the true results determinedby the measure values while not being detected by the basestation Our goal is to prevent this kind of attack even whenhigh-level aggregator is corrupted
A number of protocols [11ndash13] have been proposed whichfocus on the problem that how can the base station obtaina good approximation of the aggregation result and how toobtain data integrity when a fraction of sensor nodes arecompromised One common sensor feature is the dispropor-tionately high cost of transmitting information as comparedto performing local computation For example a Berkeleymote spends approximately the same amount of energy tocompute 800 instructions as it does in sending a single bitof data It thus becomes essential to reduce the number ofbits forwarded by intermediate nodes in order to extend theentire networkrsquos lifetime [14] All the above schemes needto verify the integrity of aggregation result in an additionalphase which consumes a lot of energy and causes networkdelay
In this paper we propose EIPDAPwhich can immediatelyverify the integrity of aggregation result after receiving theaggregation result and corresponding authentication infor-mation hence significantly reducing energy consumptionand communication delay which will be caused if the veri-fication process is done through another query-and-forwardphase
The rest of the paper is organized as follows in Section 2we describe a survey of other approaches to integrity-preserving aggregation in sensor networks in Section 3moredetails about the problemwe are trying to solve are discussedin Section 4 we describe a new scheme that is the centerpieceof our work and in Section 5 the security properties andperformance of our scheme are analyzed
2 Related Work
There has been a number of works on preserving integrity inaggregation protocols for sensor networks Many protocolshave been proposed for the single-aggregator model [4 1315] But the aggregator in these schemes suffers from signifi-cantly high congestion and only reduces communications onthe link between the aggregator and the base station So thismodel is not scalable to large multihop sensor deployments
Another significant work is introduced in [11] The mainidea of this approach is that each node sends its valuecomplement and commitment up the aggregation tree andthen a commitment would pass down the tree for a node toverify that if its value was added into the SUM aggregationand the complement of its data value was added into theCOMPLEMENT aggregation However the scheme requiresthree phases The delay aggregation strategy used in the sec-ond phase increases communication from 119874(1) to 119874(log 119899)
computation from 119874(1) to 119874(119902 log 119899) where 119899 is the numberof nodes in the network and 119902 is the number of forests in thecommitment treeThe result-checking phase costs119874(Δlog2119899)congestion Frikken and Dougherty in [12] improves Chanrsquosapproach by reducing the maximum communication to119874(Δ log 119899)
A secure hop-by-hop data aggregation protocol SDAPfor sensor networks is proposed in [13] The authors believethat we should be more concerned about high-level nodessince these nodes represent a large portion of the finalresult delivered to base station and there would be morecatastrophic consequences if they are compromised HenceSDAP dynamically partitions the topology tree into multiplelogical groups of similar sizes using a probabilistic approachfollowing the divide-and-conquer principle In this wayfewer nodes are located under a high-level sensor nodein a logical subtree resulting in reduced potential securitythreat by a compromised high-level node SDAP introducesprobability and attestation to the data result-checking thecommunication required per node is 119874(log (119899119899
119892)) Because
SDAP just let part nodes be attested attestation algorithmcannot find all compromised nodes By adding attestationpaths can increase the detection probability but it willincrease communication cost
Aggregate message authentication codes introduced byKatz and Lindell (CT-RSA 2008) [8] provided a new perspec-tive of preserving integrity In their construction aggregatingMAC simply computes the XOR of all the MACs into onevalue the size of which is the same as an ordinaryMAC Afterreceiving all the data and the final aggregate MAC the basestation uses secret keys shared with each node to compute anew aggregate MAC from these data and compares it withthe received aggregateMAC Although it remarkably reducescommunication overhead we have seen in former protocols[11ndash13] and is easy to perform it suffers from the ldquomix-and-matchrdquo attacks [16] in which the adversary can easily forgeseveral types of aggregate combinations
In [9] the authors proposed a new algorithm usinghomomorphic encryption and additive digital signaturesto achieve confidentiality integrity and availability for in-network aggregation in WSN However the protocol cannotresist stealthy attack We discuss concrete attack on theprotocol due to Albath and Madria [9] in the appendix
Besides there have been several protocols designed forpreserving the confidentiality of the aggregation results [17ndash19]This issue is orthogonal to our work and is not consideredin this paper
3 Problem Model
This section contains the definitions of basic problems andincludes discussion on the nodesrsquo setup the security infras-tructure and the attack model
31 Network Assumptions We assume a query-based sensornetwork with a large number of sensors and a powerful basestation with transmission ranges covering the whole wirelesssensor network can broadcast messages to all nodes directly
International Journal of Distributed Sensor Networks 3
Before aggregation process sensors will form a tree topologywhere base station locates at the root
We further assume that the base station would broadcastan authenticated query before collecting data If there is noaggregation tree then an aggregation tree should be formedas the query has been sent to all nodes Our protocol takesthe structure of the aggregation tree as given One methodfor constructing an aggregation tree is described in TaG [20]
Each node is sensing an integer value 119903 that is in the range(0 V] (we rule out ldquo0rdquo in defense of 120579
119894which we will explain
later) for some application-based value VThe goal is to returnthe SUM result with two tags proving that the SUM result hasnot been forged (even in the presence of malicious nodes)Due to resource constrains all readings need to be aggregatedby aggregators while being transmitted over a multihop path
32 Security Infrastructure We assume that each node 119894 hasa unique identifier 119904
119894 private keys 119903
119894 119897119894isin 119885119901and shares a
private key 119904119896119894and a private point 120579
119894isin cyclic elliptic group
119864(119885119901) with base station ECC domain parameters including
the generator point 119866 isin 119864(119885119901) are preloaded in all nodes In
each node 119894 we set two parameters 120572119894and 120573
119894which will be
used later
120572119894= 119903119894119866
120573119894= 119903119894120572119894
(1)
33 Attack Model and Security Goals We consider a settingwith a polynomially bounded adversary which can physicallyaccess the sensors and read their interval values The adver-sary is also restricted to corrupt a (small) fraction of nodesincluding the aggregators
Once the adversary compromises a sensor node it canobtain all the nodersquos secret keys An adversary can modifyforge or discard messages or simply transmit false aggregateresults and its goal is to forge valid aggregate result to beaccepted by the base stationThe higher false aggregate resultlevel is more catastrophic consequence will be caused
In this setting we focus on stealthy attacks [4] wherethe attackerrsquos goal is to make the base station accept falseaggregate results while not being detected by base stationAnd our security goal is to prevent stealthy attacks Inparticular wewant to guarantee that once the aggregate resulthas been accepted by the base station it is indeed the realresult aggregated by honest nodes
Definition 1 (integrity-preserving aggregation algorithm)An aggregation algorithm is integrity-preserving if by tam-pering with the aggregation process an adversary is unable toinduce the base station to accept any forged aggregate result
Since if a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected In thispaper we will focus on the situation where an aggregator iscompromised and see whether it can forge a valid aggregateresult
In this paper however we do not address the denial-of-service attack where the adversary prevents the querier
from getting any aggregation result at all because nodesrsquo notresponding queries clearly indicate that something is wrongand solutions can be implemented to remedy this situation
4 Our Work
In this section we present a new approach especially aimingto preserve integrity of the aggregation resultWe first give anoverview of this approach and then present the details
41 Overview The design of our algorithm is based on theelliptic curve discrete logarithm problem The overall algo-rithm consists of three main phases query disseminationaggregation-commit and result-checking
In query dissemination phase the base station broadcaststhe query to the network An aggregation tree or a directedspanning tree over the network topologywith the base stationat the root is formed as the query sent to all the nodes ifone is not already present in the network Then the path-keys and edge-key for each node encrypted with the secretkey shared between base station and node are sent to thecorresponding node Path-key and edge-key are calculated bythe base station according to the network topology We showthe detail of the calculation of the path-key in Section 42
In aggregation-commit phase each sensor node collectsraw data and computes two corresponding tags beforesending them to their own parent node in the aggregationtree After receiving all the messages from all child nodesaggregator performs modulo addition operations over thethree items and forwards the result to high-level aggregatorsuntil the base station
In the result-checking phase the base station verifiesthe integrity of the SUM aggregation with two aggregationtags Compared with Chanrsquos and Keithrsquos approach ours doesnot require any dissemination from top root node down tothe leaf nodes which causes congestion 119874(Δlog2119899) in Chanrsquosapproach and 119874(Δ log 119899) in Keithrsquos approach and energy costin this phase
42 The SUM Approach
421 Query Dissemination Phase Before aggregation thebase station broadcasts an authenticated query to the net-work The query request message contains a nonce 119873 toprevent replay attack [1] If there is no aggregation tree anaggregation tree with the base station at the root will beformed as the query has been sent to all nodes Then the treeinformation will be reported back to the base station Afterthe base station receives the tree information it calculatesthe path-key for each node for each aggregator or sensornode 119894 base station generates a key bs and calculates edgekey according to one-way hash function 119865 where
119896119894minus119895
= 119865bs (119904119894 119904119895 119873) (2)
and node 119894 is the parent of node 119895 119904119894and 119904
119895are unique
identifiers of node 119894 and node 119895
4 International Journal of Distributed Sensor Networks
3 5
8
10
4
1 2
9
6 7
bs
1205721
1205731= 11989711205721
1205722
1205732= 11989721205722
1205724
1205734= 11989741205724
1205725
1205735= 11989751205725
1205726
1205736= 11989761205726
1205727
1205737= 11989771205727119909
1= 119909
1
120572
1= 119909
111989611+ 119909
1120573111989612
11205731+ 120579
1
119909
2= 119909
2
120572
2= 119909
211989621+ 119909
2120573211989622
21205732+ 120579
2
119909
3= 119909
998400
3+ 119909
1+ 119909
2
120572
3= 120572
998400
3+ 119896
31120572
1+ 119896
32120572
2
119865(119904bs 11990410 119873)
11989610-8= 119891(119904
10 1199048 119873)
11989610-9= 119891(119904
10 1199049 119873)
1198968-3= 119891(119904
8 1199043 119873)
120573
3= 120573
1+ 120573
2+ 120573
998400
3
120573
1= 119909 120573
2= 119909
119909998400
3= 119909
3
120572998400
3= 119909
311989631+ 119909
3120573311989632
120573998400
3= 119909
31205733+ 120579
3
119896bs-10 =
Figure 1 Aggregation phaseThe nodes 1 2 3 4 5 6 and 7 are sensor nodes and the nodes 8 9 and 10 are aggregators while node 3 works asboth sensor node and aggregator Without losing generality we assume that every intermediate node is able to sense raw data and performsaggregation like node 3 does
For each sensor node 119894 base station also calculates twopath-keys 119896
1198941and 1198961198942
as follows
1198961198941=
120579
119896path (3)
1198961198942=
119897
119896path (4)
where 120579 is a point in 119864(119885119901) 119897 is an integer and they are both
chosen by base station to enable data aggregation and preventstealthyreplay attacks
If the path from base station to sensor node 119894 is 1-2-3-119894then 119896path = 1198961-21198962-31198963-119894
Finally the base stationwith transmission ranges coveringthewholewireless sensor network directly broadcasts to node119894 the path-keys and edge-keys encrypted with the secret key119904119896119894
422 Data Aggregation Phase In the query disseminationphase each node has already identified their parents and thebase station has the overall view of the aggregation tree
In Figure 1 take paths BS-10-8-3-1 and BS-10-8-3-2 forinstance as sensor node nodes 3 1 and 2 each has a message
that is to be passed to their parents And the message has thefollowing format
⟨119909119894 120572
119894 120573
119894⟩ (5)
where 119909119894is the SUM aggregation over all sensor nodes in the
subtree 120572119894and 120573
119894are the first and second tag respectively
For nodes 1 and 2
1199091= 1199091 119909
2= 1199092
1205721= 119909111989611+ 1199091120573111989612
1205722= 119909211989621+ 1199092120573211989622
1205731= 11990911205731+ 1205791 120573
3= 11990931205733+ 1205793
(6)
For aggregatorsensor node 3 with data 1199093 it first com-
putes 12057210158403and 1205731015840
3as a sensor node
1199091015840
3= 1199093 120572
1015840
3= 119909311989631+ 1199093120573311989632
1205731015840
3= 11990931205733+ 1205793
(7)
International Journal of Distributed Sensor Networks 5
Then node 1 and 2 send their data and tags to node 3 Afterreceiving all messages from its subtree node 3 works asaggregator to perform aggregation
1199093= 1199091+ 1199092+ 1199091015840
3
1205723= 1198963-1120572
1+ 1198963-2120572
2+ 1205721015840
3
1205733= 1205731015840
1+ 1205731015840
2+ 1205731015840
3
(8)
and sends ⟨1199093 120572
3 120573
3⟩ to node 8
Aggregators 8 and 10 perform corresponding tasks
1199098= 1199093+ 1199094+ 1199095 119909
10= 119909
8+ 119909
9
1205728= 1198968-3120572
3+ 1198968-4120572
4+ 1198968-5120572
5
12057210= 11989610-8120572
8+ 11989610-9120572
9
1205738= 120573
3+ 120573
4+ 1205735 120573
10= 120573
8+ 120573
9
(9)
where node 8 sends ⟨1199098 120572
8 120573
8⟩ to node 10 and node 10 sends
⟨11990910 120572
10 120573
10⟩ to base station
423 Result-Checking Phase The purpose of result-checkingphase is to enable base station to verify that the integrity ofSUM 119909
10has not been violatedThe verification is performed
as followsBase station checks if
12057310minus 119897minus1119896bs-10120572
8= sum120579
119894minus 119897minus1120579119909
10 (10)
where ⟨11990910 120572
10 120573
10⟩ is sent by node 10 to base station 120579 119897
119896bs-10 120579119894 (119894 from 1 to 7) are only known to base station and 119897minus1
is the inverse of 119897 modulo which is the order 119902 of the ellipticcurve group 119864(119885
119901)
Since
12057310= 120573
8+ 120573
9
= 1205731015840
3+ 120573
4+ 120573
5+ 120573
6+ 120573
7
= 1205731+ 120573
2+ 120573
3+ 120573
4+ 120573
5+ 120573
6+ 120573
7
=11990911205731+ 1205791+ 11990921205732+ 1205792+ 11990931205733+ 1205793+ 11990941205734
+ 1205794+ 11990951205735+ 1205795+ 11990961205736+ 1205796+ 11990971205737+ 1205797
= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)
+ (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)
119897minus1119896bs-10120572
10
= 119897minus1119896bs-10 (11989610-8120572
8+ 11989610-9120572
9)
= 119897minus1119896bs-10
times (11989610-8 (1198968-3120572
3+ 1198968-4120572
4+ 1198968-5120572
5)
+ 11989610-9 (1198969-6120572
6+ 1198969-7120572
7))
= 119897minus1119896bs-10
times (11989610-8 (1198968-3 (120572
1015840
3+ 1198963-1120572
1+ 1198963-2120572
2)
+ 1198968-4120572
4+ 1198968-4120572
5)
+ 11989610-9 (1198969-6120572
6+ 1198969-7120572
7))
= 119897minus1119896bs-1011989610-81198968-3
times (1198963-1 (
119897
119896bs-1011989610-81198968-31198963-1)11990911205731
+ 1198963-2 (
119897
119896bs-1011989610-81198968-31198963-2)11990921205732
+(119897
119896bs-1011989610-81198968-3)11990931205733)
+ 119897minus1119896bs-1011989610-8
times (1198968-4 (
119897
119896bs-1011989610-81198968-4)11990941205734
+ 1198968-5 (
119897
119896bs-1011989610-81198968-5)11990951205735)
+ 119897minus1119896bs-1011989610-9
times (1198969-6 (
119897
119896bs-1011989610-91198969-6)11990961205736
+ 1198969-7 (
119897
119896bs-1011989610-91198969-7)11990971205737)
= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)
+ 119897minus1120579 (1199091+ 1199092+ 1199093+ 1199094+ 1199095+ 1199096+ 1199097)
(11)
We can say that base station accepts the SUM aggregation11990910 or the two tags will only verify if all tags are generated
by honest nodes and aggregated correctly along the pathAgain note that 119897minus1 is the inverse of 119897 modulo 119902 which is
the order of the elliptic curve group 119864(119885119901) and 120579 119897 119896bs-10 are
only known to base station
5 Analysis
This section discusses the security and congestion complexityof EIPDAP
51 Overview Once a node has been compromised it isunder the full control of the adversary which can record andinject messages as will We also assume that the adversarycan only corrupt a (small) fraction of nodes including theaggregators Also we do not concern denial-of-service attackThe following is the proof for security of EIPDAP
6 International Journal of Distributed Sensor Networks
Definition 2 (sensor node inconsistency) Let ⟨119909119905 120572
119905 120573
119905⟩ be
a message sent by sensor node 119905 There is an inconsistency atnode 119905 if either
(1) 120572119905= 1199091199051198961199051+ 1199091199051205731199051198961199052
or
(2) 120573119905= 119909119905120573119905+ 120579119905
Definition 3 (sensor node forgery) An adversary eavesdrop-ping on sensor node 119894 successfully forges a new message⟨119909lowast
119894 120572lowast
119894 120573lowast
119894⟩ if
(1) 119909lowast119894
= 119909119894
(2) 120572lowast119894= 119909lowast
1198941198961198941+ 119909lowast
1198941205731198941198961198942
(3) 120573119894= 119909lowast
119894120573119894+ 120579119894
Since once a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected howeverwe do not address this kind of forgery here
Lemma 4 Let the final SUM aggregation received by the basestation be 119909
119891119894119899119886119897 then 119878
119871+ 120583 le 119909
119891119894119899119886119897
le 119878119871+ 120583V where 119878
119871is the
sum of the data values of all the legitimate nodes and 120583 is thetotal number of corrupted nodes
Proof As the conclusion is obvious here so we do not provein detail
Lemma 5 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid message as an honestsensor node for all eavesdropping probabilistic polynomialadversaries
Proof Let ⟨119909119894 120572
119894 120573
119894⟩ be an internal message sent by sensor
node 119894 to its parentSay adversary is eavesdropping on node 119894 In order to
forge a valid message ⟨119909lowast
119894 120572lowast
119894 120573lowast
119894⟩ for 119909
lowast
119894 119860 can easily
compute a valid 120572lowast119894= 119909lowast
119894119909minus1119894120572119894
As 120573119894= 119909119894120573119894+ 120579119894= 119909119894119910119866 for some integer 119910 a valid 120573lowast
119894
should be computed as
120573lowast
119894= 119909lowast
119894120573119894+ 120579119894= 119909lowast
119894119910lowast119866
= 119909lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866
(12)
Due to 120579119894and 120573
119894 adversary cannot forge 120573lowast
119894directly from
119909lowast
119894120573119894+ 120579119894but to compute 119909lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866 119860 has 119909lowast
119894 119909119894 120573119894
and 119866 the factors it lack are 119910 and 119910lowastCalculating 119910 from 120573
119894= 119909119894119910119866 and 119910lowast from 120573
lowast
119894= 119909lowast
119894119910lowast119866
is ECDLP which means calculating 120573lowast119894from 119909
lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866
is hardAnother concern rises when adversary keeps eavesdrop-
ping on sensor node 119894 and records the messages sent by 119894Assume that adversary has
⟨119909119894119895 120572
119894119895 120573
119894119895⟩ | 119895 isin [1 119899] (13)
where ⟨119909119894119895 120572
119894119895 120573
119894119895⟩ represents the message ⟨119909
119894 120572
119894 120573
119894⟩
node 119894 sends to parent in the 119895th query and 119899 is the number of
queries Note that in each query every sensor node 119894 choosesa new secret key 119897
119894
For all 119895 isin [1 119899] adversary has
120573119894119895 = 120573119894119895119909
119894119895 + 120579119894 (14)
Because the number of variable is the number of equationsplus one so adversary cannot solve equations in (14) to obtain120573119894119895 or 120579119894In conclusion the probability of an adversary successfully
forging a new message ⟨119909lowast119894 120572lowast
119894 120573lowast
119894⟩ when eavesdropping on
sensor node 119894 is negligible completing the proof
Definition 6 (aggregator inconsistency) Let ⟨119909119905 120572
119905 120573
119905⟩ be an
internal message aggregated by node 119905 with two children 119906and V Let ⟨119909
119906 120572
119906 120573
119906⟩ and ⟨119909V 120572
V 120573
V⟩ be two messages from
119906 and V There is an inconsistency at node 119905 if
(1) 119909119905= 1199091015840
119905+ 119909
119906+ 119909
V or
(2) 120572119905= 1205721015840
119905+ 120572
119906+ 120572
119905or
(3) 120573119905= 1205731015840
119906+ 120573
119906+ 120573
119905
Definition 7 (compromised aggregator forgery) An adver-sary which compromised a aggregator 119895 successfully forgesa new aggregate result ⟨119909lowast
119895 120572lowast
119895 120573lowast
119895⟩ if
(1) 119909lowast119895
= 119909119895
(2) 120572lowast119895= 1205721015840
119895+ 119896119895minus11205721198951+ 119896119895minus21205721198952+ sdot sdot sdot + 119896
119895minus119897120572119895119897(1205721015840119895= 0 if 119895
does not sense data)(3) 120573119895= 1205731015840
119895+ 120573
1198951+ 120573
1198952+ sdot sdot sdot + 120573
119895119897(1205731015840119895= 0 if 119895 does
not sense data) assuming aggregator 119895 has 119897 children1198951 1198952 119895119897
Lemma 8 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid aggregate result for allprobabilistic polynomial adversaries even when a high-levelaggregator is compromised
Proof We assume that aggregator 10 has been compromisedwhere an adversary is in complete control of node 10obtaining all secret keys of node 10 Now an adversaryattempts to forge SUM aggregation and two correspondingtags after eavesdropping several aggregations and records
⟨11990910119894 120572
10119894 120573
10119894⟩ | 119894 isin [1 119899] (15)
where ⟨11990910119894 120572
10119894 120573
10119894⟩ represents the message ⟨119909
10 120572
10
12057310⟩ node 10 sends to base station in the 119894th query and 119899 is
the number of queries Note that in each query every sensornode 119895 chooses a new secret key 119897
119895
For all 119894 isin [1 119899] adversary has
12057310119894 = 119897
minus1119896bs-10120572
10119894
= (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)
minus 119897minus1120579119909
10119894
(16)
International Journal of Distributed Sensor Networks 7
Now adversary tries to forge a new message ⟨119909lowast10 120572lowast
10 120573lowast
10⟩
which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909
9 119909
10 11989610-8 11989610-9 120572
8 120572
9 120573
8 120573
9in each query and the
knowledge of the elliptic curve group 119864(119885119901)
Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful
adversary which we do not concern here
Case 2 Adversary tries to compute 119897minus1120579 by multiplying
1198961198941
(equals 120579119896path) and the inverse of 1198961198941
(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator
Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has
12057310minus 120572
10
= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909
10
997904rArr 12057310
= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866
(17)
for some integer 1199102 Similar to Lemma 4 since sum120579
119894(119894 from
1 to 7) is kept secret from adversary and computing 1199102from
1205733= 1199102119866 is ECDLP then 120573
10cannot be forged either
In all cases adversary can only forge a new message⟨119909lowast
10 120572lowast
10 120573lowast
10⟩ with negligible probability completing the
proof
Theorem 9 EIPDAP is integrity-preserving
Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof
52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN
Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy
In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and
Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899
119892is the group size
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(1) 119874(1) 0
Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(Δ) 119874(Δ) 0
Table 3 Aggregation tree congestion comparison
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0
path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3
By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks
6 Conclusion and Future Work
Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC
EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly
8 International Journal of Distributed Sensor Networks
reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase
Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving
In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability
We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach
Appendix
Attack on the Julia-Sanjay Scheme
If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904
119894 enc(119898
119894)⟩ received from its child 119894 In order to
modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge
an encrypted message
enc (1198981015840119894) = enc (119898
119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)
given as 119890nc(119898119894) = ⟨119906
119894 V119894⟩ And it is also easy to forge a valid
signature
1199041015840
119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)
If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN
Acknowledgments
The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions
References
[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008
[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008
[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003
[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003
[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007
[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007
[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010
[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008
[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009
[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008
[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006
[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008
[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006
[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009
[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003
[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010
International Journal of Distributed Sensor Networks 9
[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004
[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005
[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006
[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
2 International Journal of Distributed Sensor Networks
An adversary can perform a variety of attacks For exam-ple a denial-of-service (DoS) attack can totally block thecommunication between sensor nodes and the base stationHowever this attack is not concerned because it is detectableby the querier and solutions can be implemented to remedythis situation In stealthy attack [4] the attackerrsquos goal is tomake the base station accept false aggregation results whichare significantly different from the true results determinedby the measure values while not being detected by the basestation Our goal is to prevent this kind of attack even whenhigh-level aggregator is corrupted
A number of protocols [11ndash13] have been proposed whichfocus on the problem that how can the base station obtaina good approximation of the aggregation result and how toobtain data integrity when a fraction of sensor nodes arecompromised One common sensor feature is the dispropor-tionately high cost of transmitting information as comparedto performing local computation For example a Berkeleymote spends approximately the same amount of energy tocompute 800 instructions as it does in sending a single bitof data It thus becomes essential to reduce the number ofbits forwarded by intermediate nodes in order to extend theentire networkrsquos lifetime [14] All the above schemes needto verify the integrity of aggregation result in an additionalphase which consumes a lot of energy and causes networkdelay
In this paper we propose EIPDAPwhich can immediatelyverify the integrity of aggregation result after receiving theaggregation result and corresponding authentication infor-mation hence significantly reducing energy consumptionand communication delay which will be caused if the veri-fication process is done through another query-and-forwardphase
The rest of the paper is organized as follows in Section 2we describe a survey of other approaches to integrity-preserving aggregation in sensor networks in Section 3moredetails about the problemwe are trying to solve are discussedin Section 4 we describe a new scheme that is the centerpieceof our work and in Section 5 the security properties andperformance of our scheme are analyzed
2 Related Work
There has been a number of works on preserving integrity inaggregation protocols for sensor networks Many protocolshave been proposed for the single-aggregator model [4 1315] But the aggregator in these schemes suffers from signifi-cantly high congestion and only reduces communications onthe link between the aggregator and the base station So thismodel is not scalable to large multihop sensor deployments
Another significant work is introduced in [11] The mainidea of this approach is that each node sends its valuecomplement and commitment up the aggregation tree andthen a commitment would pass down the tree for a node toverify that if its value was added into the SUM aggregationand the complement of its data value was added into theCOMPLEMENT aggregation However the scheme requiresthree phases The delay aggregation strategy used in the sec-ond phase increases communication from 119874(1) to 119874(log 119899)
computation from 119874(1) to 119874(119902 log 119899) where 119899 is the numberof nodes in the network and 119902 is the number of forests in thecommitment treeThe result-checking phase costs119874(Δlog2119899)congestion Frikken and Dougherty in [12] improves Chanrsquosapproach by reducing the maximum communication to119874(Δ log 119899)
A secure hop-by-hop data aggregation protocol SDAPfor sensor networks is proposed in [13] The authors believethat we should be more concerned about high-level nodessince these nodes represent a large portion of the finalresult delivered to base station and there would be morecatastrophic consequences if they are compromised HenceSDAP dynamically partitions the topology tree into multiplelogical groups of similar sizes using a probabilistic approachfollowing the divide-and-conquer principle In this wayfewer nodes are located under a high-level sensor nodein a logical subtree resulting in reduced potential securitythreat by a compromised high-level node SDAP introducesprobability and attestation to the data result-checking thecommunication required per node is 119874(log (119899119899
119892)) Because
SDAP just let part nodes be attested attestation algorithmcannot find all compromised nodes By adding attestationpaths can increase the detection probability but it willincrease communication cost
Aggregate message authentication codes introduced byKatz and Lindell (CT-RSA 2008) [8] provided a new perspec-tive of preserving integrity In their construction aggregatingMAC simply computes the XOR of all the MACs into onevalue the size of which is the same as an ordinaryMAC Afterreceiving all the data and the final aggregate MAC the basestation uses secret keys shared with each node to compute anew aggregate MAC from these data and compares it withthe received aggregateMAC Although it remarkably reducescommunication overhead we have seen in former protocols[11ndash13] and is easy to perform it suffers from the ldquomix-and-matchrdquo attacks [16] in which the adversary can easily forgeseveral types of aggregate combinations
In [9] the authors proposed a new algorithm usinghomomorphic encryption and additive digital signaturesto achieve confidentiality integrity and availability for in-network aggregation in WSN However the protocol cannotresist stealthy attack We discuss concrete attack on theprotocol due to Albath and Madria [9] in the appendix
Besides there have been several protocols designed forpreserving the confidentiality of the aggregation results [17ndash19]This issue is orthogonal to our work and is not consideredin this paper
3 Problem Model
This section contains the definitions of basic problems andincludes discussion on the nodesrsquo setup the security infras-tructure and the attack model
31 Network Assumptions We assume a query-based sensornetwork with a large number of sensors and a powerful basestation with transmission ranges covering the whole wirelesssensor network can broadcast messages to all nodes directly
International Journal of Distributed Sensor Networks 3
Before aggregation process sensors will form a tree topologywhere base station locates at the root
We further assume that the base station would broadcastan authenticated query before collecting data If there is noaggregation tree then an aggregation tree should be formedas the query has been sent to all nodes Our protocol takesthe structure of the aggregation tree as given One methodfor constructing an aggregation tree is described in TaG [20]
Each node is sensing an integer value 119903 that is in the range(0 V] (we rule out ldquo0rdquo in defense of 120579
119894which we will explain
later) for some application-based value VThe goal is to returnthe SUM result with two tags proving that the SUM result hasnot been forged (even in the presence of malicious nodes)Due to resource constrains all readings need to be aggregatedby aggregators while being transmitted over a multihop path
32 Security Infrastructure We assume that each node 119894 hasa unique identifier 119904
119894 private keys 119903
119894 119897119894isin 119885119901and shares a
private key 119904119896119894and a private point 120579
119894isin cyclic elliptic group
119864(119885119901) with base station ECC domain parameters including
the generator point 119866 isin 119864(119885119901) are preloaded in all nodes In
each node 119894 we set two parameters 120572119894and 120573
119894which will be
used later
120572119894= 119903119894119866
120573119894= 119903119894120572119894
(1)
33 Attack Model and Security Goals We consider a settingwith a polynomially bounded adversary which can physicallyaccess the sensors and read their interval values The adver-sary is also restricted to corrupt a (small) fraction of nodesincluding the aggregators
Once the adversary compromises a sensor node it canobtain all the nodersquos secret keys An adversary can modifyforge or discard messages or simply transmit false aggregateresults and its goal is to forge valid aggregate result to beaccepted by the base stationThe higher false aggregate resultlevel is more catastrophic consequence will be caused
In this setting we focus on stealthy attacks [4] wherethe attackerrsquos goal is to make the base station accept falseaggregate results while not being detected by base stationAnd our security goal is to prevent stealthy attacks Inparticular wewant to guarantee that once the aggregate resulthas been accepted by the base station it is indeed the realresult aggregated by honest nodes
Definition 1 (integrity-preserving aggregation algorithm)An aggregation algorithm is integrity-preserving if by tam-pering with the aggregation process an adversary is unable toinduce the base station to accept any forged aggregate result
Since if a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected In thispaper we will focus on the situation where an aggregator iscompromised and see whether it can forge a valid aggregateresult
In this paper however we do not address the denial-of-service attack where the adversary prevents the querier
from getting any aggregation result at all because nodesrsquo notresponding queries clearly indicate that something is wrongand solutions can be implemented to remedy this situation
4 Our Work
In this section we present a new approach especially aimingto preserve integrity of the aggregation resultWe first give anoverview of this approach and then present the details
41 Overview The design of our algorithm is based on theelliptic curve discrete logarithm problem The overall algo-rithm consists of three main phases query disseminationaggregation-commit and result-checking
In query dissemination phase the base station broadcaststhe query to the network An aggregation tree or a directedspanning tree over the network topologywith the base stationat the root is formed as the query sent to all the nodes ifone is not already present in the network Then the path-keys and edge-key for each node encrypted with the secretkey shared between base station and node are sent to thecorresponding node Path-key and edge-key are calculated bythe base station according to the network topology We showthe detail of the calculation of the path-key in Section 42
In aggregation-commit phase each sensor node collectsraw data and computes two corresponding tags beforesending them to their own parent node in the aggregationtree After receiving all the messages from all child nodesaggregator performs modulo addition operations over thethree items and forwards the result to high-level aggregatorsuntil the base station
In the result-checking phase the base station verifiesthe integrity of the SUM aggregation with two aggregationtags Compared with Chanrsquos and Keithrsquos approach ours doesnot require any dissemination from top root node down tothe leaf nodes which causes congestion 119874(Δlog2119899) in Chanrsquosapproach and 119874(Δ log 119899) in Keithrsquos approach and energy costin this phase
42 The SUM Approach
421 Query Dissemination Phase Before aggregation thebase station broadcasts an authenticated query to the net-work The query request message contains a nonce 119873 toprevent replay attack [1] If there is no aggregation tree anaggregation tree with the base station at the root will beformed as the query has been sent to all nodes Then the treeinformation will be reported back to the base station Afterthe base station receives the tree information it calculatesthe path-key for each node for each aggregator or sensornode 119894 base station generates a key bs and calculates edgekey according to one-way hash function 119865 where
119896119894minus119895
= 119865bs (119904119894 119904119895 119873) (2)
and node 119894 is the parent of node 119895 119904119894and 119904
119895are unique
identifiers of node 119894 and node 119895
4 International Journal of Distributed Sensor Networks
3 5
8
10
4
1 2
9
6 7
bs
1205721
1205731= 11989711205721
1205722
1205732= 11989721205722
1205724
1205734= 11989741205724
1205725
1205735= 11989751205725
1205726
1205736= 11989761205726
1205727
1205737= 11989771205727119909
1= 119909
1
120572
1= 119909
111989611+ 119909
1120573111989612
11205731+ 120579
1
119909
2= 119909
2
120572
2= 119909
211989621+ 119909
2120573211989622
21205732+ 120579
2
119909
3= 119909
998400
3+ 119909
1+ 119909
2
120572
3= 120572
998400
3+ 119896
31120572
1+ 119896
32120572
2
119865(119904bs 11990410 119873)
11989610-8= 119891(119904
10 1199048 119873)
11989610-9= 119891(119904
10 1199049 119873)
1198968-3= 119891(119904
8 1199043 119873)
120573
3= 120573
1+ 120573
2+ 120573
998400
3
120573
1= 119909 120573
2= 119909
119909998400
3= 119909
3
120572998400
3= 119909
311989631+ 119909
3120573311989632
120573998400
3= 119909
31205733+ 120579
3
119896bs-10 =
Figure 1 Aggregation phaseThe nodes 1 2 3 4 5 6 and 7 are sensor nodes and the nodes 8 9 and 10 are aggregators while node 3 works asboth sensor node and aggregator Without losing generality we assume that every intermediate node is able to sense raw data and performsaggregation like node 3 does
For each sensor node 119894 base station also calculates twopath-keys 119896
1198941and 1198961198942
as follows
1198961198941=
120579
119896path (3)
1198961198942=
119897
119896path (4)
where 120579 is a point in 119864(119885119901) 119897 is an integer and they are both
chosen by base station to enable data aggregation and preventstealthyreplay attacks
If the path from base station to sensor node 119894 is 1-2-3-119894then 119896path = 1198961-21198962-31198963-119894
Finally the base stationwith transmission ranges coveringthewholewireless sensor network directly broadcasts to node119894 the path-keys and edge-keys encrypted with the secret key119904119896119894
422 Data Aggregation Phase In the query disseminationphase each node has already identified their parents and thebase station has the overall view of the aggregation tree
In Figure 1 take paths BS-10-8-3-1 and BS-10-8-3-2 forinstance as sensor node nodes 3 1 and 2 each has a message
that is to be passed to their parents And the message has thefollowing format
⟨119909119894 120572
119894 120573
119894⟩ (5)
where 119909119894is the SUM aggregation over all sensor nodes in the
subtree 120572119894and 120573
119894are the first and second tag respectively
For nodes 1 and 2
1199091= 1199091 119909
2= 1199092
1205721= 119909111989611+ 1199091120573111989612
1205722= 119909211989621+ 1199092120573211989622
1205731= 11990911205731+ 1205791 120573
3= 11990931205733+ 1205793
(6)
For aggregatorsensor node 3 with data 1199093 it first com-
putes 12057210158403and 1205731015840
3as a sensor node
1199091015840
3= 1199093 120572
1015840
3= 119909311989631+ 1199093120573311989632
1205731015840
3= 11990931205733+ 1205793
(7)
International Journal of Distributed Sensor Networks 5
Then node 1 and 2 send their data and tags to node 3 Afterreceiving all messages from its subtree node 3 works asaggregator to perform aggregation
1199093= 1199091+ 1199092+ 1199091015840
3
1205723= 1198963-1120572
1+ 1198963-2120572
2+ 1205721015840
3
1205733= 1205731015840
1+ 1205731015840
2+ 1205731015840
3
(8)
and sends ⟨1199093 120572
3 120573
3⟩ to node 8
Aggregators 8 and 10 perform corresponding tasks
1199098= 1199093+ 1199094+ 1199095 119909
10= 119909
8+ 119909
9
1205728= 1198968-3120572
3+ 1198968-4120572
4+ 1198968-5120572
5
12057210= 11989610-8120572
8+ 11989610-9120572
9
1205738= 120573
3+ 120573
4+ 1205735 120573
10= 120573
8+ 120573
9
(9)
where node 8 sends ⟨1199098 120572
8 120573
8⟩ to node 10 and node 10 sends
⟨11990910 120572
10 120573
10⟩ to base station
423 Result-Checking Phase The purpose of result-checkingphase is to enable base station to verify that the integrity ofSUM 119909
10has not been violatedThe verification is performed
as followsBase station checks if
12057310minus 119897minus1119896bs-10120572
8= sum120579
119894minus 119897minus1120579119909
10 (10)
where ⟨11990910 120572
10 120573
10⟩ is sent by node 10 to base station 120579 119897
119896bs-10 120579119894 (119894 from 1 to 7) are only known to base station and 119897minus1
is the inverse of 119897 modulo which is the order 119902 of the ellipticcurve group 119864(119885
119901)
Since
12057310= 120573
8+ 120573
9
= 1205731015840
3+ 120573
4+ 120573
5+ 120573
6+ 120573
7
= 1205731+ 120573
2+ 120573
3+ 120573
4+ 120573
5+ 120573
6+ 120573
7
=11990911205731+ 1205791+ 11990921205732+ 1205792+ 11990931205733+ 1205793+ 11990941205734
+ 1205794+ 11990951205735+ 1205795+ 11990961205736+ 1205796+ 11990971205737+ 1205797
= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)
+ (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)
119897minus1119896bs-10120572
10
= 119897minus1119896bs-10 (11989610-8120572
8+ 11989610-9120572
9)
= 119897minus1119896bs-10
times (11989610-8 (1198968-3120572
3+ 1198968-4120572
4+ 1198968-5120572
5)
+ 11989610-9 (1198969-6120572
6+ 1198969-7120572
7))
= 119897minus1119896bs-10
times (11989610-8 (1198968-3 (120572
1015840
3+ 1198963-1120572
1+ 1198963-2120572
2)
+ 1198968-4120572
4+ 1198968-4120572
5)
+ 11989610-9 (1198969-6120572
6+ 1198969-7120572
7))
= 119897minus1119896bs-1011989610-81198968-3
times (1198963-1 (
119897
119896bs-1011989610-81198968-31198963-1)11990911205731
+ 1198963-2 (
119897
119896bs-1011989610-81198968-31198963-2)11990921205732
+(119897
119896bs-1011989610-81198968-3)11990931205733)
+ 119897minus1119896bs-1011989610-8
times (1198968-4 (
119897
119896bs-1011989610-81198968-4)11990941205734
+ 1198968-5 (
119897
119896bs-1011989610-81198968-5)11990951205735)
+ 119897minus1119896bs-1011989610-9
times (1198969-6 (
119897
119896bs-1011989610-91198969-6)11990961205736
+ 1198969-7 (
119897
119896bs-1011989610-91198969-7)11990971205737)
= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)
+ 119897minus1120579 (1199091+ 1199092+ 1199093+ 1199094+ 1199095+ 1199096+ 1199097)
(11)
We can say that base station accepts the SUM aggregation11990910 or the two tags will only verify if all tags are generated
by honest nodes and aggregated correctly along the pathAgain note that 119897minus1 is the inverse of 119897 modulo 119902 which is
the order of the elliptic curve group 119864(119885119901) and 120579 119897 119896bs-10 are
only known to base station
5 Analysis
This section discusses the security and congestion complexityof EIPDAP
51 Overview Once a node has been compromised it isunder the full control of the adversary which can record andinject messages as will We also assume that the adversarycan only corrupt a (small) fraction of nodes including theaggregators Also we do not concern denial-of-service attackThe following is the proof for security of EIPDAP
6 International Journal of Distributed Sensor Networks
Definition 2 (sensor node inconsistency) Let ⟨119909119905 120572
119905 120573
119905⟩ be
a message sent by sensor node 119905 There is an inconsistency atnode 119905 if either
(1) 120572119905= 1199091199051198961199051+ 1199091199051205731199051198961199052
or
(2) 120573119905= 119909119905120573119905+ 120579119905
Definition 3 (sensor node forgery) An adversary eavesdrop-ping on sensor node 119894 successfully forges a new message⟨119909lowast
119894 120572lowast
119894 120573lowast
119894⟩ if
(1) 119909lowast119894
= 119909119894
(2) 120572lowast119894= 119909lowast
1198941198961198941+ 119909lowast
1198941205731198941198961198942
(3) 120573119894= 119909lowast
119894120573119894+ 120579119894
Since once a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected howeverwe do not address this kind of forgery here
Lemma 4 Let the final SUM aggregation received by the basestation be 119909
119891119894119899119886119897 then 119878
119871+ 120583 le 119909
119891119894119899119886119897
le 119878119871+ 120583V where 119878
119871is the
sum of the data values of all the legitimate nodes and 120583 is thetotal number of corrupted nodes
Proof As the conclusion is obvious here so we do not provein detail
Lemma 5 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid message as an honestsensor node for all eavesdropping probabilistic polynomialadversaries
Proof Let ⟨119909119894 120572
119894 120573
119894⟩ be an internal message sent by sensor
node 119894 to its parentSay adversary is eavesdropping on node 119894 In order to
forge a valid message ⟨119909lowast
119894 120572lowast
119894 120573lowast
119894⟩ for 119909
lowast
119894 119860 can easily
compute a valid 120572lowast119894= 119909lowast
119894119909minus1119894120572119894
As 120573119894= 119909119894120573119894+ 120579119894= 119909119894119910119866 for some integer 119910 a valid 120573lowast
119894
should be computed as
120573lowast
119894= 119909lowast
119894120573119894+ 120579119894= 119909lowast
119894119910lowast119866
= 119909lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866
(12)
Due to 120579119894and 120573
119894 adversary cannot forge 120573lowast
119894directly from
119909lowast
119894120573119894+ 120579119894but to compute 119909lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866 119860 has 119909lowast
119894 119909119894 120573119894
and 119866 the factors it lack are 119910 and 119910lowastCalculating 119910 from 120573
119894= 119909119894119910119866 and 119910lowast from 120573
lowast
119894= 119909lowast
119894119910lowast119866
is ECDLP which means calculating 120573lowast119894from 119909
lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866
is hardAnother concern rises when adversary keeps eavesdrop-
ping on sensor node 119894 and records the messages sent by 119894Assume that adversary has
⟨119909119894119895 120572
119894119895 120573
119894119895⟩ | 119895 isin [1 119899] (13)
where ⟨119909119894119895 120572
119894119895 120573
119894119895⟩ represents the message ⟨119909
119894 120572
119894 120573
119894⟩
node 119894 sends to parent in the 119895th query and 119899 is the number of
queries Note that in each query every sensor node 119894 choosesa new secret key 119897
119894
For all 119895 isin [1 119899] adversary has
120573119894119895 = 120573119894119895119909
119894119895 + 120579119894 (14)
Because the number of variable is the number of equationsplus one so adversary cannot solve equations in (14) to obtain120573119894119895 or 120579119894In conclusion the probability of an adversary successfully
forging a new message ⟨119909lowast119894 120572lowast
119894 120573lowast
119894⟩ when eavesdropping on
sensor node 119894 is negligible completing the proof
Definition 6 (aggregator inconsistency) Let ⟨119909119905 120572
119905 120573
119905⟩ be an
internal message aggregated by node 119905 with two children 119906and V Let ⟨119909
119906 120572
119906 120573
119906⟩ and ⟨119909V 120572
V 120573
V⟩ be two messages from
119906 and V There is an inconsistency at node 119905 if
(1) 119909119905= 1199091015840
119905+ 119909
119906+ 119909
V or
(2) 120572119905= 1205721015840
119905+ 120572
119906+ 120572
119905or
(3) 120573119905= 1205731015840
119906+ 120573
119906+ 120573
119905
Definition 7 (compromised aggregator forgery) An adver-sary which compromised a aggregator 119895 successfully forgesa new aggregate result ⟨119909lowast
119895 120572lowast
119895 120573lowast
119895⟩ if
(1) 119909lowast119895
= 119909119895
(2) 120572lowast119895= 1205721015840
119895+ 119896119895minus11205721198951+ 119896119895minus21205721198952+ sdot sdot sdot + 119896
119895minus119897120572119895119897(1205721015840119895= 0 if 119895
does not sense data)(3) 120573119895= 1205731015840
119895+ 120573
1198951+ 120573
1198952+ sdot sdot sdot + 120573
119895119897(1205731015840119895= 0 if 119895 does
not sense data) assuming aggregator 119895 has 119897 children1198951 1198952 119895119897
Lemma 8 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid aggregate result for allprobabilistic polynomial adversaries even when a high-levelaggregator is compromised
Proof We assume that aggregator 10 has been compromisedwhere an adversary is in complete control of node 10obtaining all secret keys of node 10 Now an adversaryattempts to forge SUM aggregation and two correspondingtags after eavesdropping several aggregations and records
⟨11990910119894 120572
10119894 120573
10119894⟩ | 119894 isin [1 119899] (15)
where ⟨11990910119894 120572
10119894 120573
10119894⟩ represents the message ⟨119909
10 120572
10
12057310⟩ node 10 sends to base station in the 119894th query and 119899 is
the number of queries Note that in each query every sensornode 119895 chooses a new secret key 119897
119895
For all 119894 isin [1 119899] adversary has
12057310119894 = 119897
minus1119896bs-10120572
10119894
= (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)
minus 119897minus1120579119909
10119894
(16)
International Journal of Distributed Sensor Networks 7
Now adversary tries to forge a new message ⟨119909lowast10 120572lowast
10 120573lowast
10⟩
which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909
9 119909
10 11989610-8 11989610-9 120572
8 120572
9 120573
8 120573
9in each query and the
knowledge of the elliptic curve group 119864(119885119901)
Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful
adversary which we do not concern here
Case 2 Adversary tries to compute 119897minus1120579 by multiplying
1198961198941
(equals 120579119896path) and the inverse of 1198961198941
(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator
Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has
12057310minus 120572
10
= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909
10
997904rArr 12057310
= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866
(17)
for some integer 1199102 Similar to Lemma 4 since sum120579
119894(119894 from
1 to 7) is kept secret from adversary and computing 1199102from
1205733= 1199102119866 is ECDLP then 120573
10cannot be forged either
In all cases adversary can only forge a new message⟨119909lowast
10 120572lowast
10 120573lowast
10⟩ with negligible probability completing the
proof
Theorem 9 EIPDAP is integrity-preserving
Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof
52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN
Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy
In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and
Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899
119892is the group size
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(1) 119874(1) 0
Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(Δ) 119874(Δ) 0
Table 3 Aggregation tree congestion comparison
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0
path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3
By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks
6 Conclusion and Future Work
Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC
EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly
8 International Journal of Distributed Sensor Networks
reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase
Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving
In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability
We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach
Appendix
Attack on the Julia-Sanjay Scheme
If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904
119894 enc(119898
119894)⟩ received from its child 119894 In order to
modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge
an encrypted message
enc (1198981015840119894) = enc (119898
119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)
given as 119890nc(119898119894) = ⟨119906
119894 V119894⟩ And it is also easy to forge a valid
signature
1199041015840
119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)
If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN
Acknowledgments
The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions
References
[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008
[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008
[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003
[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003
[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007
[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007
[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010
[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008
[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009
[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008
[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006
[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008
[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006
[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009
[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003
[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010
International Journal of Distributed Sensor Networks 9
[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004
[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005
[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006
[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 3
Before aggregation process sensors will form a tree topologywhere base station locates at the root
We further assume that the base station would broadcastan authenticated query before collecting data If there is noaggregation tree then an aggregation tree should be formedas the query has been sent to all nodes Our protocol takesthe structure of the aggregation tree as given One methodfor constructing an aggregation tree is described in TaG [20]
Each node is sensing an integer value 119903 that is in the range(0 V] (we rule out ldquo0rdquo in defense of 120579
119894which we will explain
later) for some application-based value VThe goal is to returnthe SUM result with two tags proving that the SUM result hasnot been forged (even in the presence of malicious nodes)Due to resource constrains all readings need to be aggregatedby aggregators while being transmitted over a multihop path
32 Security Infrastructure We assume that each node 119894 hasa unique identifier 119904
119894 private keys 119903
119894 119897119894isin 119885119901and shares a
private key 119904119896119894and a private point 120579
119894isin cyclic elliptic group
119864(119885119901) with base station ECC domain parameters including
the generator point 119866 isin 119864(119885119901) are preloaded in all nodes In
each node 119894 we set two parameters 120572119894and 120573
119894which will be
used later
120572119894= 119903119894119866
120573119894= 119903119894120572119894
(1)
33 Attack Model and Security Goals We consider a settingwith a polynomially bounded adversary which can physicallyaccess the sensors and read their interval values The adver-sary is also restricted to corrupt a (small) fraction of nodesincluding the aggregators
Once the adversary compromises a sensor node it canobtain all the nodersquos secret keys An adversary can modifyforge or discard messages or simply transmit false aggregateresults and its goal is to forge valid aggregate result to beaccepted by the base stationThe higher false aggregate resultlevel is more catastrophic consequence will be caused
In this setting we focus on stealthy attacks [4] wherethe attackerrsquos goal is to make the base station accept falseaggregate results while not being detected by base stationAnd our security goal is to prevent stealthy attacks Inparticular wewant to guarantee that once the aggregate resulthas been accepted by the base station it is indeed the realresult aggregated by honest nodes
Definition 1 (integrity-preserving aggregation algorithm)An aggregation algorithm is integrity-preserving if by tam-pering with the aggregation process an adversary is unable toinduce the base station to accept any forged aggregate result
Since if a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected In thispaper we will focus on the situation where an aggregator iscompromised and see whether it can forge a valid aggregateresult
In this paper however we do not address the denial-of-service attack where the adversary prevents the querier
from getting any aggregation result at all because nodesrsquo notresponding queries clearly indicate that something is wrongand solutions can be implemented to remedy this situation
4 Our Work
In this section we present a new approach especially aimingto preserve integrity of the aggregation resultWe first give anoverview of this approach and then present the details
41 Overview The design of our algorithm is based on theelliptic curve discrete logarithm problem The overall algo-rithm consists of three main phases query disseminationaggregation-commit and result-checking
In query dissemination phase the base station broadcaststhe query to the network An aggregation tree or a directedspanning tree over the network topologywith the base stationat the root is formed as the query sent to all the nodes ifone is not already present in the network Then the path-keys and edge-key for each node encrypted with the secretkey shared between base station and node are sent to thecorresponding node Path-key and edge-key are calculated bythe base station according to the network topology We showthe detail of the calculation of the path-key in Section 42
In aggregation-commit phase each sensor node collectsraw data and computes two corresponding tags beforesending them to their own parent node in the aggregationtree After receiving all the messages from all child nodesaggregator performs modulo addition operations over thethree items and forwards the result to high-level aggregatorsuntil the base station
In the result-checking phase the base station verifiesthe integrity of the SUM aggregation with two aggregationtags Compared with Chanrsquos and Keithrsquos approach ours doesnot require any dissemination from top root node down tothe leaf nodes which causes congestion 119874(Δlog2119899) in Chanrsquosapproach and 119874(Δ log 119899) in Keithrsquos approach and energy costin this phase
42 The SUM Approach
421 Query Dissemination Phase Before aggregation thebase station broadcasts an authenticated query to the net-work The query request message contains a nonce 119873 toprevent replay attack [1] If there is no aggregation tree anaggregation tree with the base station at the root will beformed as the query has been sent to all nodes Then the treeinformation will be reported back to the base station Afterthe base station receives the tree information it calculatesthe path-key for each node for each aggregator or sensornode 119894 base station generates a key bs and calculates edgekey according to one-way hash function 119865 where
119896119894minus119895
= 119865bs (119904119894 119904119895 119873) (2)
and node 119894 is the parent of node 119895 119904119894and 119904
119895are unique
identifiers of node 119894 and node 119895
4 International Journal of Distributed Sensor Networks
3 5
8
10
4
1 2
9
6 7
bs
1205721
1205731= 11989711205721
1205722
1205732= 11989721205722
1205724
1205734= 11989741205724
1205725
1205735= 11989751205725
1205726
1205736= 11989761205726
1205727
1205737= 11989771205727119909
1= 119909
1
120572
1= 119909
111989611+ 119909
1120573111989612
11205731+ 120579
1
119909
2= 119909
2
120572
2= 119909
211989621+ 119909
2120573211989622
21205732+ 120579
2
119909
3= 119909
998400
3+ 119909
1+ 119909
2
120572
3= 120572
998400
3+ 119896
31120572
1+ 119896
32120572
2
119865(119904bs 11990410 119873)
11989610-8= 119891(119904
10 1199048 119873)
11989610-9= 119891(119904
10 1199049 119873)
1198968-3= 119891(119904
8 1199043 119873)
120573
3= 120573
1+ 120573
2+ 120573
998400
3
120573
1= 119909 120573
2= 119909
119909998400
3= 119909
3
120572998400
3= 119909
311989631+ 119909
3120573311989632
120573998400
3= 119909
31205733+ 120579
3
119896bs-10 =
Figure 1 Aggregation phaseThe nodes 1 2 3 4 5 6 and 7 are sensor nodes and the nodes 8 9 and 10 are aggregators while node 3 works asboth sensor node and aggregator Without losing generality we assume that every intermediate node is able to sense raw data and performsaggregation like node 3 does
For each sensor node 119894 base station also calculates twopath-keys 119896
1198941and 1198961198942
as follows
1198961198941=
120579
119896path (3)
1198961198942=
119897
119896path (4)
where 120579 is a point in 119864(119885119901) 119897 is an integer and they are both
chosen by base station to enable data aggregation and preventstealthyreplay attacks
If the path from base station to sensor node 119894 is 1-2-3-119894then 119896path = 1198961-21198962-31198963-119894
Finally the base stationwith transmission ranges coveringthewholewireless sensor network directly broadcasts to node119894 the path-keys and edge-keys encrypted with the secret key119904119896119894
422 Data Aggregation Phase In the query disseminationphase each node has already identified their parents and thebase station has the overall view of the aggregation tree
In Figure 1 take paths BS-10-8-3-1 and BS-10-8-3-2 forinstance as sensor node nodes 3 1 and 2 each has a message
that is to be passed to their parents And the message has thefollowing format
⟨119909119894 120572
119894 120573
119894⟩ (5)
where 119909119894is the SUM aggregation over all sensor nodes in the
subtree 120572119894and 120573
119894are the first and second tag respectively
For nodes 1 and 2
1199091= 1199091 119909
2= 1199092
1205721= 119909111989611+ 1199091120573111989612
1205722= 119909211989621+ 1199092120573211989622
1205731= 11990911205731+ 1205791 120573
3= 11990931205733+ 1205793
(6)
For aggregatorsensor node 3 with data 1199093 it first com-
putes 12057210158403and 1205731015840
3as a sensor node
1199091015840
3= 1199093 120572
1015840
3= 119909311989631+ 1199093120573311989632
1205731015840
3= 11990931205733+ 1205793
(7)
International Journal of Distributed Sensor Networks 5
Then node 1 and 2 send their data and tags to node 3 Afterreceiving all messages from its subtree node 3 works asaggregator to perform aggregation
1199093= 1199091+ 1199092+ 1199091015840
3
1205723= 1198963-1120572
1+ 1198963-2120572
2+ 1205721015840
3
1205733= 1205731015840
1+ 1205731015840
2+ 1205731015840
3
(8)
and sends ⟨1199093 120572
3 120573
3⟩ to node 8
Aggregators 8 and 10 perform corresponding tasks
1199098= 1199093+ 1199094+ 1199095 119909
10= 119909
8+ 119909
9
1205728= 1198968-3120572
3+ 1198968-4120572
4+ 1198968-5120572
5
12057210= 11989610-8120572
8+ 11989610-9120572
9
1205738= 120573
3+ 120573
4+ 1205735 120573
10= 120573
8+ 120573
9
(9)
where node 8 sends ⟨1199098 120572
8 120573
8⟩ to node 10 and node 10 sends
⟨11990910 120572
10 120573
10⟩ to base station
423 Result-Checking Phase The purpose of result-checkingphase is to enable base station to verify that the integrity ofSUM 119909
10has not been violatedThe verification is performed
as followsBase station checks if
12057310minus 119897minus1119896bs-10120572
8= sum120579
119894minus 119897minus1120579119909
10 (10)
where ⟨11990910 120572
10 120573
10⟩ is sent by node 10 to base station 120579 119897
119896bs-10 120579119894 (119894 from 1 to 7) are only known to base station and 119897minus1
is the inverse of 119897 modulo which is the order 119902 of the ellipticcurve group 119864(119885
119901)
Since
12057310= 120573
8+ 120573
9
= 1205731015840
3+ 120573
4+ 120573
5+ 120573
6+ 120573
7
= 1205731+ 120573
2+ 120573
3+ 120573
4+ 120573
5+ 120573
6+ 120573
7
=11990911205731+ 1205791+ 11990921205732+ 1205792+ 11990931205733+ 1205793+ 11990941205734
+ 1205794+ 11990951205735+ 1205795+ 11990961205736+ 1205796+ 11990971205737+ 1205797
= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)
+ (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)
119897minus1119896bs-10120572
10
= 119897minus1119896bs-10 (11989610-8120572
8+ 11989610-9120572
9)
= 119897minus1119896bs-10
times (11989610-8 (1198968-3120572
3+ 1198968-4120572
4+ 1198968-5120572
5)
+ 11989610-9 (1198969-6120572
6+ 1198969-7120572
7))
= 119897minus1119896bs-10
times (11989610-8 (1198968-3 (120572
1015840
3+ 1198963-1120572
1+ 1198963-2120572
2)
+ 1198968-4120572
4+ 1198968-4120572
5)
+ 11989610-9 (1198969-6120572
6+ 1198969-7120572
7))
= 119897minus1119896bs-1011989610-81198968-3
times (1198963-1 (
119897
119896bs-1011989610-81198968-31198963-1)11990911205731
+ 1198963-2 (
119897
119896bs-1011989610-81198968-31198963-2)11990921205732
+(119897
119896bs-1011989610-81198968-3)11990931205733)
+ 119897minus1119896bs-1011989610-8
times (1198968-4 (
119897
119896bs-1011989610-81198968-4)11990941205734
+ 1198968-5 (
119897
119896bs-1011989610-81198968-5)11990951205735)
+ 119897minus1119896bs-1011989610-9
times (1198969-6 (
119897
119896bs-1011989610-91198969-6)11990961205736
+ 1198969-7 (
119897
119896bs-1011989610-91198969-7)11990971205737)
= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)
+ 119897minus1120579 (1199091+ 1199092+ 1199093+ 1199094+ 1199095+ 1199096+ 1199097)
(11)
We can say that base station accepts the SUM aggregation11990910 or the two tags will only verify if all tags are generated
by honest nodes and aggregated correctly along the pathAgain note that 119897minus1 is the inverse of 119897 modulo 119902 which is
the order of the elliptic curve group 119864(119885119901) and 120579 119897 119896bs-10 are
only known to base station
5 Analysis
This section discusses the security and congestion complexityof EIPDAP
51 Overview Once a node has been compromised it isunder the full control of the adversary which can record andinject messages as will We also assume that the adversarycan only corrupt a (small) fraction of nodes including theaggregators Also we do not concern denial-of-service attackThe following is the proof for security of EIPDAP
6 International Journal of Distributed Sensor Networks
Definition 2 (sensor node inconsistency) Let ⟨119909119905 120572
119905 120573
119905⟩ be
a message sent by sensor node 119905 There is an inconsistency atnode 119905 if either
(1) 120572119905= 1199091199051198961199051+ 1199091199051205731199051198961199052
or
(2) 120573119905= 119909119905120573119905+ 120579119905
Definition 3 (sensor node forgery) An adversary eavesdrop-ping on sensor node 119894 successfully forges a new message⟨119909lowast
119894 120572lowast
119894 120573lowast
119894⟩ if
(1) 119909lowast119894
= 119909119894
(2) 120572lowast119894= 119909lowast
1198941198961198941+ 119909lowast
1198941205731198941198961198942
(3) 120573119894= 119909lowast
119894120573119894+ 120579119894
Since once a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected howeverwe do not address this kind of forgery here
Lemma 4 Let the final SUM aggregation received by the basestation be 119909
119891119894119899119886119897 then 119878
119871+ 120583 le 119909
119891119894119899119886119897
le 119878119871+ 120583V where 119878
119871is the
sum of the data values of all the legitimate nodes and 120583 is thetotal number of corrupted nodes
Proof As the conclusion is obvious here so we do not provein detail
Lemma 5 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid message as an honestsensor node for all eavesdropping probabilistic polynomialadversaries
Proof Let ⟨119909119894 120572
119894 120573
119894⟩ be an internal message sent by sensor
node 119894 to its parentSay adversary is eavesdropping on node 119894 In order to
forge a valid message ⟨119909lowast
119894 120572lowast
119894 120573lowast
119894⟩ for 119909
lowast
119894 119860 can easily
compute a valid 120572lowast119894= 119909lowast
119894119909minus1119894120572119894
As 120573119894= 119909119894120573119894+ 120579119894= 119909119894119910119866 for some integer 119910 a valid 120573lowast
119894
should be computed as
120573lowast
119894= 119909lowast
119894120573119894+ 120579119894= 119909lowast
119894119910lowast119866
= 119909lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866
(12)
Due to 120579119894and 120573
119894 adversary cannot forge 120573lowast
119894directly from
119909lowast
119894120573119894+ 120579119894but to compute 119909lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866 119860 has 119909lowast
119894 119909119894 120573119894
and 119866 the factors it lack are 119910 and 119910lowastCalculating 119910 from 120573
119894= 119909119894119910119866 and 119910lowast from 120573
lowast
119894= 119909lowast
119894119910lowast119866
is ECDLP which means calculating 120573lowast119894from 119909
lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866
is hardAnother concern rises when adversary keeps eavesdrop-
ping on sensor node 119894 and records the messages sent by 119894Assume that adversary has
⟨119909119894119895 120572
119894119895 120573
119894119895⟩ | 119895 isin [1 119899] (13)
where ⟨119909119894119895 120572
119894119895 120573
119894119895⟩ represents the message ⟨119909
119894 120572
119894 120573
119894⟩
node 119894 sends to parent in the 119895th query and 119899 is the number of
queries Note that in each query every sensor node 119894 choosesa new secret key 119897
119894
For all 119895 isin [1 119899] adversary has
120573119894119895 = 120573119894119895119909
119894119895 + 120579119894 (14)
Because the number of variable is the number of equationsplus one so adversary cannot solve equations in (14) to obtain120573119894119895 or 120579119894In conclusion the probability of an adversary successfully
forging a new message ⟨119909lowast119894 120572lowast
119894 120573lowast
119894⟩ when eavesdropping on
sensor node 119894 is negligible completing the proof
Definition 6 (aggregator inconsistency) Let ⟨119909119905 120572
119905 120573
119905⟩ be an
internal message aggregated by node 119905 with two children 119906and V Let ⟨119909
119906 120572
119906 120573
119906⟩ and ⟨119909V 120572
V 120573
V⟩ be two messages from
119906 and V There is an inconsistency at node 119905 if
(1) 119909119905= 1199091015840
119905+ 119909
119906+ 119909
V or
(2) 120572119905= 1205721015840
119905+ 120572
119906+ 120572
119905or
(3) 120573119905= 1205731015840
119906+ 120573
119906+ 120573
119905
Definition 7 (compromised aggregator forgery) An adver-sary which compromised a aggregator 119895 successfully forgesa new aggregate result ⟨119909lowast
119895 120572lowast
119895 120573lowast
119895⟩ if
(1) 119909lowast119895
= 119909119895
(2) 120572lowast119895= 1205721015840
119895+ 119896119895minus11205721198951+ 119896119895minus21205721198952+ sdot sdot sdot + 119896
119895minus119897120572119895119897(1205721015840119895= 0 if 119895
does not sense data)(3) 120573119895= 1205731015840
119895+ 120573
1198951+ 120573
1198952+ sdot sdot sdot + 120573
119895119897(1205731015840119895= 0 if 119895 does
not sense data) assuming aggregator 119895 has 119897 children1198951 1198952 119895119897
Lemma 8 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid aggregate result for allprobabilistic polynomial adversaries even when a high-levelaggregator is compromised
Proof We assume that aggregator 10 has been compromisedwhere an adversary is in complete control of node 10obtaining all secret keys of node 10 Now an adversaryattempts to forge SUM aggregation and two correspondingtags after eavesdropping several aggregations and records
⟨11990910119894 120572
10119894 120573
10119894⟩ | 119894 isin [1 119899] (15)
where ⟨11990910119894 120572
10119894 120573
10119894⟩ represents the message ⟨119909
10 120572
10
12057310⟩ node 10 sends to base station in the 119894th query and 119899 is
the number of queries Note that in each query every sensornode 119895 chooses a new secret key 119897
119895
For all 119894 isin [1 119899] adversary has
12057310119894 = 119897
minus1119896bs-10120572
10119894
= (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)
minus 119897minus1120579119909
10119894
(16)
International Journal of Distributed Sensor Networks 7
Now adversary tries to forge a new message ⟨119909lowast10 120572lowast
10 120573lowast
10⟩
which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909
9 119909
10 11989610-8 11989610-9 120572
8 120572
9 120573
8 120573
9in each query and the
knowledge of the elliptic curve group 119864(119885119901)
Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful
adversary which we do not concern here
Case 2 Adversary tries to compute 119897minus1120579 by multiplying
1198961198941
(equals 120579119896path) and the inverse of 1198961198941
(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator
Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has
12057310minus 120572
10
= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909
10
997904rArr 12057310
= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866
(17)
for some integer 1199102 Similar to Lemma 4 since sum120579
119894(119894 from
1 to 7) is kept secret from adversary and computing 1199102from
1205733= 1199102119866 is ECDLP then 120573
10cannot be forged either
In all cases adversary can only forge a new message⟨119909lowast
10 120572lowast
10 120573lowast
10⟩ with negligible probability completing the
proof
Theorem 9 EIPDAP is integrity-preserving
Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof
52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN
Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy
In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and
Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899
119892is the group size
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(1) 119874(1) 0
Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(Δ) 119874(Δ) 0
Table 3 Aggregation tree congestion comparison
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0
path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3
By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks
6 Conclusion and Future Work
Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC
EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly
8 International Journal of Distributed Sensor Networks
reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase
Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving
In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability
We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach
Appendix
Attack on the Julia-Sanjay Scheme
If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904
119894 enc(119898
119894)⟩ received from its child 119894 In order to
modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge
an encrypted message
enc (1198981015840119894) = enc (119898
119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)
given as 119890nc(119898119894) = ⟨119906
119894 V119894⟩ And it is also easy to forge a valid
signature
1199041015840
119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)
If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN
Acknowledgments
The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions
References
[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008
[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008
[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003
[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003
[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007
[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007
[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010
[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008
[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009
[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008
[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006
[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008
[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006
[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009
[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003
[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010
International Journal of Distributed Sensor Networks 9
[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004
[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005
[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006
[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
4 International Journal of Distributed Sensor Networks
3 5
8
10
4
1 2
9
6 7
bs
1205721
1205731= 11989711205721
1205722
1205732= 11989721205722
1205724
1205734= 11989741205724
1205725
1205735= 11989751205725
1205726
1205736= 11989761205726
1205727
1205737= 11989771205727119909
1= 119909
1
120572
1= 119909
111989611+ 119909
1120573111989612
11205731+ 120579
1
119909
2= 119909
2
120572
2= 119909
211989621+ 119909
2120573211989622
21205732+ 120579
2
119909
3= 119909
998400
3+ 119909
1+ 119909
2
120572
3= 120572
998400
3+ 119896
31120572
1+ 119896
32120572
2
119865(119904bs 11990410 119873)
11989610-8= 119891(119904
10 1199048 119873)
11989610-9= 119891(119904
10 1199049 119873)
1198968-3= 119891(119904
8 1199043 119873)
120573
3= 120573
1+ 120573
2+ 120573
998400
3
120573
1= 119909 120573
2= 119909
119909998400
3= 119909
3
120572998400
3= 119909
311989631+ 119909
3120573311989632
120573998400
3= 119909
31205733+ 120579
3
119896bs-10 =
Figure 1 Aggregation phaseThe nodes 1 2 3 4 5 6 and 7 are sensor nodes and the nodes 8 9 and 10 are aggregators while node 3 works asboth sensor node and aggregator Without losing generality we assume that every intermediate node is able to sense raw data and performsaggregation like node 3 does
For each sensor node 119894 base station also calculates twopath-keys 119896
1198941and 1198961198942
as follows
1198961198941=
120579
119896path (3)
1198961198942=
119897
119896path (4)
where 120579 is a point in 119864(119885119901) 119897 is an integer and they are both
chosen by base station to enable data aggregation and preventstealthyreplay attacks
If the path from base station to sensor node 119894 is 1-2-3-119894then 119896path = 1198961-21198962-31198963-119894
Finally the base stationwith transmission ranges coveringthewholewireless sensor network directly broadcasts to node119894 the path-keys and edge-keys encrypted with the secret key119904119896119894
422 Data Aggregation Phase In the query disseminationphase each node has already identified their parents and thebase station has the overall view of the aggregation tree
In Figure 1 take paths BS-10-8-3-1 and BS-10-8-3-2 forinstance as sensor node nodes 3 1 and 2 each has a message
that is to be passed to their parents And the message has thefollowing format
⟨119909119894 120572
119894 120573
119894⟩ (5)
where 119909119894is the SUM aggregation over all sensor nodes in the
subtree 120572119894and 120573
119894are the first and second tag respectively
For nodes 1 and 2
1199091= 1199091 119909
2= 1199092
1205721= 119909111989611+ 1199091120573111989612
1205722= 119909211989621+ 1199092120573211989622
1205731= 11990911205731+ 1205791 120573
3= 11990931205733+ 1205793
(6)
For aggregatorsensor node 3 with data 1199093 it first com-
putes 12057210158403and 1205731015840
3as a sensor node
1199091015840
3= 1199093 120572
1015840
3= 119909311989631+ 1199093120573311989632
1205731015840
3= 11990931205733+ 1205793
(7)
International Journal of Distributed Sensor Networks 5
Then node 1 and 2 send their data and tags to node 3 Afterreceiving all messages from its subtree node 3 works asaggregator to perform aggregation
1199093= 1199091+ 1199092+ 1199091015840
3
1205723= 1198963-1120572
1+ 1198963-2120572
2+ 1205721015840
3
1205733= 1205731015840
1+ 1205731015840
2+ 1205731015840
3
(8)
and sends ⟨1199093 120572
3 120573
3⟩ to node 8
Aggregators 8 and 10 perform corresponding tasks
1199098= 1199093+ 1199094+ 1199095 119909
10= 119909
8+ 119909
9
1205728= 1198968-3120572
3+ 1198968-4120572
4+ 1198968-5120572
5
12057210= 11989610-8120572
8+ 11989610-9120572
9
1205738= 120573
3+ 120573
4+ 1205735 120573
10= 120573
8+ 120573
9
(9)
where node 8 sends ⟨1199098 120572
8 120573
8⟩ to node 10 and node 10 sends
⟨11990910 120572
10 120573
10⟩ to base station
423 Result-Checking Phase The purpose of result-checkingphase is to enable base station to verify that the integrity ofSUM 119909
10has not been violatedThe verification is performed
as followsBase station checks if
12057310minus 119897minus1119896bs-10120572
8= sum120579
119894minus 119897minus1120579119909
10 (10)
where ⟨11990910 120572
10 120573
10⟩ is sent by node 10 to base station 120579 119897
119896bs-10 120579119894 (119894 from 1 to 7) are only known to base station and 119897minus1
is the inverse of 119897 modulo which is the order 119902 of the ellipticcurve group 119864(119885
119901)
Since
12057310= 120573
8+ 120573
9
= 1205731015840
3+ 120573
4+ 120573
5+ 120573
6+ 120573
7
= 1205731+ 120573
2+ 120573
3+ 120573
4+ 120573
5+ 120573
6+ 120573
7
=11990911205731+ 1205791+ 11990921205732+ 1205792+ 11990931205733+ 1205793+ 11990941205734
+ 1205794+ 11990951205735+ 1205795+ 11990961205736+ 1205796+ 11990971205737+ 1205797
= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)
+ (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)
119897minus1119896bs-10120572
10
= 119897minus1119896bs-10 (11989610-8120572
8+ 11989610-9120572
9)
= 119897minus1119896bs-10
times (11989610-8 (1198968-3120572
3+ 1198968-4120572
4+ 1198968-5120572
5)
+ 11989610-9 (1198969-6120572
6+ 1198969-7120572
7))
= 119897minus1119896bs-10
times (11989610-8 (1198968-3 (120572
1015840
3+ 1198963-1120572
1+ 1198963-2120572
2)
+ 1198968-4120572
4+ 1198968-4120572
5)
+ 11989610-9 (1198969-6120572
6+ 1198969-7120572
7))
= 119897minus1119896bs-1011989610-81198968-3
times (1198963-1 (
119897
119896bs-1011989610-81198968-31198963-1)11990911205731
+ 1198963-2 (
119897
119896bs-1011989610-81198968-31198963-2)11990921205732
+(119897
119896bs-1011989610-81198968-3)11990931205733)
+ 119897minus1119896bs-1011989610-8
times (1198968-4 (
119897
119896bs-1011989610-81198968-4)11990941205734
+ 1198968-5 (
119897
119896bs-1011989610-81198968-5)11990951205735)
+ 119897minus1119896bs-1011989610-9
times (1198969-6 (
119897
119896bs-1011989610-91198969-6)11990961205736
+ 1198969-7 (
119897
119896bs-1011989610-91198969-7)11990971205737)
= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)
+ 119897minus1120579 (1199091+ 1199092+ 1199093+ 1199094+ 1199095+ 1199096+ 1199097)
(11)
We can say that base station accepts the SUM aggregation11990910 or the two tags will only verify if all tags are generated
by honest nodes and aggregated correctly along the pathAgain note that 119897minus1 is the inverse of 119897 modulo 119902 which is
the order of the elliptic curve group 119864(119885119901) and 120579 119897 119896bs-10 are
only known to base station
5 Analysis
This section discusses the security and congestion complexityof EIPDAP
51 Overview Once a node has been compromised it isunder the full control of the adversary which can record andinject messages as will We also assume that the adversarycan only corrupt a (small) fraction of nodes including theaggregators Also we do not concern denial-of-service attackThe following is the proof for security of EIPDAP
6 International Journal of Distributed Sensor Networks
Definition 2 (sensor node inconsistency) Let ⟨119909119905 120572
119905 120573
119905⟩ be
a message sent by sensor node 119905 There is an inconsistency atnode 119905 if either
(1) 120572119905= 1199091199051198961199051+ 1199091199051205731199051198961199052
or
(2) 120573119905= 119909119905120573119905+ 120579119905
Definition 3 (sensor node forgery) An adversary eavesdrop-ping on sensor node 119894 successfully forges a new message⟨119909lowast
119894 120572lowast
119894 120573lowast
119894⟩ if
(1) 119909lowast119894
= 119909119894
(2) 120572lowast119894= 119909lowast
1198941198961198941+ 119909lowast
1198941205731198941198961198942
(3) 120573119894= 119909lowast
119894120573119894+ 120579119894
Since once a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected howeverwe do not address this kind of forgery here
Lemma 4 Let the final SUM aggregation received by the basestation be 119909
119891119894119899119886119897 then 119878
119871+ 120583 le 119909
119891119894119899119886119897
le 119878119871+ 120583V where 119878
119871is the
sum of the data values of all the legitimate nodes and 120583 is thetotal number of corrupted nodes
Proof As the conclusion is obvious here so we do not provein detail
Lemma 5 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid message as an honestsensor node for all eavesdropping probabilistic polynomialadversaries
Proof Let ⟨119909119894 120572
119894 120573
119894⟩ be an internal message sent by sensor
node 119894 to its parentSay adversary is eavesdropping on node 119894 In order to
forge a valid message ⟨119909lowast
119894 120572lowast
119894 120573lowast
119894⟩ for 119909
lowast
119894 119860 can easily
compute a valid 120572lowast119894= 119909lowast
119894119909minus1119894120572119894
As 120573119894= 119909119894120573119894+ 120579119894= 119909119894119910119866 for some integer 119910 a valid 120573lowast
119894
should be computed as
120573lowast
119894= 119909lowast
119894120573119894+ 120579119894= 119909lowast
119894119910lowast119866
= 119909lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866
(12)
Due to 120579119894and 120573
119894 adversary cannot forge 120573lowast
119894directly from
119909lowast
119894120573119894+ 120579119894but to compute 119909lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866 119860 has 119909lowast
119894 119909119894 120573119894
and 119866 the factors it lack are 119910 and 119910lowastCalculating 119910 from 120573
119894= 119909119894119910119866 and 119910lowast from 120573
lowast
119894= 119909lowast
119894119910lowast119866
is ECDLP which means calculating 120573lowast119894from 119909
lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866
is hardAnother concern rises when adversary keeps eavesdrop-
ping on sensor node 119894 and records the messages sent by 119894Assume that adversary has
⟨119909119894119895 120572
119894119895 120573
119894119895⟩ | 119895 isin [1 119899] (13)
where ⟨119909119894119895 120572
119894119895 120573
119894119895⟩ represents the message ⟨119909
119894 120572
119894 120573
119894⟩
node 119894 sends to parent in the 119895th query and 119899 is the number of
queries Note that in each query every sensor node 119894 choosesa new secret key 119897
119894
For all 119895 isin [1 119899] adversary has
120573119894119895 = 120573119894119895119909
119894119895 + 120579119894 (14)
Because the number of variable is the number of equationsplus one so adversary cannot solve equations in (14) to obtain120573119894119895 or 120579119894In conclusion the probability of an adversary successfully
forging a new message ⟨119909lowast119894 120572lowast
119894 120573lowast
119894⟩ when eavesdropping on
sensor node 119894 is negligible completing the proof
Definition 6 (aggregator inconsistency) Let ⟨119909119905 120572
119905 120573
119905⟩ be an
internal message aggregated by node 119905 with two children 119906and V Let ⟨119909
119906 120572
119906 120573
119906⟩ and ⟨119909V 120572
V 120573
V⟩ be two messages from
119906 and V There is an inconsistency at node 119905 if
(1) 119909119905= 1199091015840
119905+ 119909
119906+ 119909
V or
(2) 120572119905= 1205721015840
119905+ 120572
119906+ 120572
119905or
(3) 120573119905= 1205731015840
119906+ 120573
119906+ 120573
119905
Definition 7 (compromised aggregator forgery) An adver-sary which compromised a aggregator 119895 successfully forgesa new aggregate result ⟨119909lowast
119895 120572lowast
119895 120573lowast
119895⟩ if
(1) 119909lowast119895
= 119909119895
(2) 120572lowast119895= 1205721015840
119895+ 119896119895minus11205721198951+ 119896119895minus21205721198952+ sdot sdot sdot + 119896
119895minus119897120572119895119897(1205721015840119895= 0 if 119895
does not sense data)(3) 120573119895= 1205731015840
119895+ 120573
1198951+ 120573
1198952+ sdot sdot sdot + 120573
119895119897(1205731015840119895= 0 if 119895 does
not sense data) assuming aggregator 119895 has 119897 children1198951 1198952 119895119897
Lemma 8 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid aggregate result for allprobabilistic polynomial adversaries even when a high-levelaggregator is compromised
Proof We assume that aggregator 10 has been compromisedwhere an adversary is in complete control of node 10obtaining all secret keys of node 10 Now an adversaryattempts to forge SUM aggregation and two correspondingtags after eavesdropping several aggregations and records
⟨11990910119894 120572
10119894 120573
10119894⟩ | 119894 isin [1 119899] (15)
where ⟨11990910119894 120572
10119894 120573
10119894⟩ represents the message ⟨119909
10 120572
10
12057310⟩ node 10 sends to base station in the 119894th query and 119899 is
the number of queries Note that in each query every sensornode 119895 chooses a new secret key 119897
119895
For all 119894 isin [1 119899] adversary has
12057310119894 = 119897
minus1119896bs-10120572
10119894
= (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)
minus 119897minus1120579119909
10119894
(16)
International Journal of Distributed Sensor Networks 7
Now adversary tries to forge a new message ⟨119909lowast10 120572lowast
10 120573lowast
10⟩
which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909
9 119909
10 11989610-8 11989610-9 120572
8 120572
9 120573
8 120573
9in each query and the
knowledge of the elliptic curve group 119864(119885119901)
Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful
adversary which we do not concern here
Case 2 Adversary tries to compute 119897minus1120579 by multiplying
1198961198941
(equals 120579119896path) and the inverse of 1198961198941
(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator
Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has
12057310minus 120572
10
= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909
10
997904rArr 12057310
= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866
(17)
for some integer 1199102 Similar to Lemma 4 since sum120579
119894(119894 from
1 to 7) is kept secret from adversary and computing 1199102from
1205733= 1199102119866 is ECDLP then 120573
10cannot be forged either
In all cases adversary can only forge a new message⟨119909lowast
10 120572lowast
10 120573lowast
10⟩ with negligible probability completing the
proof
Theorem 9 EIPDAP is integrity-preserving
Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof
52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN
Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy
In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and
Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899
119892is the group size
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(1) 119874(1) 0
Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(Δ) 119874(Δ) 0
Table 3 Aggregation tree congestion comparison
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0
path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3
By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks
6 Conclusion and Future Work
Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC
EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly
8 International Journal of Distributed Sensor Networks
reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase
Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving
In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability
We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach
Appendix
Attack on the Julia-Sanjay Scheme
If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904
119894 enc(119898
119894)⟩ received from its child 119894 In order to
modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge
an encrypted message
enc (1198981015840119894) = enc (119898
119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)
given as 119890nc(119898119894) = ⟨119906
119894 V119894⟩ And it is also easy to forge a valid
signature
1199041015840
119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)
If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN
Acknowledgments
The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions
References
[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008
[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008
[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003
[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003
[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007
[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007
[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010
[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008
[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009
[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008
[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006
[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008
[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006
[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009
[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003
[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010
International Journal of Distributed Sensor Networks 9
[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004
[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005
[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006
[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 5
Then node 1 and 2 send their data and tags to node 3 Afterreceiving all messages from its subtree node 3 works asaggregator to perform aggregation
1199093= 1199091+ 1199092+ 1199091015840
3
1205723= 1198963-1120572
1+ 1198963-2120572
2+ 1205721015840
3
1205733= 1205731015840
1+ 1205731015840
2+ 1205731015840
3
(8)
and sends ⟨1199093 120572
3 120573
3⟩ to node 8
Aggregators 8 and 10 perform corresponding tasks
1199098= 1199093+ 1199094+ 1199095 119909
10= 119909
8+ 119909
9
1205728= 1198968-3120572
3+ 1198968-4120572
4+ 1198968-5120572
5
12057210= 11989610-8120572
8+ 11989610-9120572
9
1205738= 120573
3+ 120573
4+ 1205735 120573
10= 120573
8+ 120573
9
(9)
where node 8 sends ⟨1199098 120572
8 120573
8⟩ to node 10 and node 10 sends
⟨11990910 120572
10 120573
10⟩ to base station
423 Result-Checking Phase The purpose of result-checkingphase is to enable base station to verify that the integrity ofSUM 119909
10has not been violatedThe verification is performed
as followsBase station checks if
12057310minus 119897minus1119896bs-10120572
8= sum120579
119894minus 119897minus1120579119909
10 (10)
where ⟨11990910 120572
10 120573
10⟩ is sent by node 10 to base station 120579 119897
119896bs-10 120579119894 (119894 from 1 to 7) are only known to base station and 119897minus1
is the inverse of 119897 modulo which is the order 119902 of the ellipticcurve group 119864(119885
119901)
Since
12057310= 120573
8+ 120573
9
= 1205731015840
3+ 120573
4+ 120573
5+ 120573
6+ 120573
7
= 1205731+ 120573
2+ 120573
3+ 120573
4+ 120573
5+ 120573
6+ 120573
7
=11990911205731+ 1205791+ 11990921205732+ 1205792+ 11990931205733+ 1205793+ 11990941205734
+ 1205794+ 11990951205735+ 1205795+ 11990961205736+ 1205796+ 11990971205737+ 1205797
= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)
+ (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)
119897minus1119896bs-10120572
10
= 119897minus1119896bs-10 (11989610-8120572
8+ 11989610-9120572
9)
= 119897minus1119896bs-10
times (11989610-8 (1198968-3120572
3+ 1198968-4120572
4+ 1198968-5120572
5)
+ 11989610-9 (1198969-6120572
6+ 1198969-7120572
7))
= 119897minus1119896bs-10
times (11989610-8 (1198968-3 (120572
1015840
3+ 1198963-1120572
1+ 1198963-2120572
2)
+ 1198968-4120572
4+ 1198968-4120572
5)
+ 11989610-9 (1198969-6120572
6+ 1198969-7120572
7))
= 119897minus1119896bs-1011989610-81198968-3
times (1198963-1 (
119897
119896bs-1011989610-81198968-31198963-1)11990911205731
+ 1198963-2 (
119897
119896bs-1011989610-81198968-31198963-2)11990921205732
+(119897
119896bs-1011989610-81198968-3)11990931205733)
+ 119897minus1119896bs-1011989610-8
times (1198968-4 (
119897
119896bs-1011989610-81198968-4)11990941205734
+ 1198968-5 (
119897
119896bs-1011989610-81198968-5)11990951205735)
+ 119897minus1119896bs-1011989610-9
times (1198969-6 (
119897
119896bs-1011989610-91198969-6)11990961205736
+ 1198969-7 (
119897
119896bs-1011989610-91198969-7)11990971205737)
= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)
+ 119897minus1120579 (1199091+ 1199092+ 1199093+ 1199094+ 1199095+ 1199096+ 1199097)
(11)
We can say that base station accepts the SUM aggregation11990910 or the two tags will only verify if all tags are generated
by honest nodes and aggregated correctly along the pathAgain note that 119897minus1 is the inverse of 119897 modulo 119902 which is
the order of the elliptic curve group 119864(119885119901) and 120579 119897 119896bs-10 are
only known to base station
5 Analysis
This section discusses the security and congestion complexityof EIPDAP
51 Overview Once a node has been compromised it isunder the full control of the adversary which can record andinject messages as will We also assume that the adversarycan only corrupt a (small) fraction of nodes including theaggregators Also we do not concern denial-of-service attackThe following is the proof for security of EIPDAP
6 International Journal of Distributed Sensor Networks
Definition 2 (sensor node inconsistency) Let ⟨119909119905 120572
119905 120573
119905⟩ be
a message sent by sensor node 119905 There is an inconsistency atnode 119905 if either
(1) 120572119905= 1199091199051198961199051+ 1199091199051205731199051198961199052
or
(2) 120573119905= 119909119905120573119905+ 120579119905
Definition 3 (sensor node forgery) An adversary eavesdrop-ping on sensor node 119894 successfully forges a new message⟨119909lowast
119894 120572lowast
119894 120573lowast
119894⟩ if
(1) 119909lowast119894
= 119909119894
(2) 120572lowast119894= 119909lowast
1198941198961198941+ 119909lowast
1198941205731198941198961198942
(3) 120573119894= 119909lowast
119894120573119894+ 120579119894
Since once a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected howeverwe do not address this kind of forgery here
Lemma 4 Let the final SUM aggregation received by the basestation be 119909
119891119894119899119886119897 then 119878
119871+ 120583 le 119909
119891119894119899119886119897
le 119878119871+ 120583V where 119878
119871is the
sum of the data values of all the legitimate nodes and 120583 is thetotal number of corrupted nodes
Proof As the conclusion is obvious here so we do not provein detail
Lemma 5 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid message as an honestsensor node for all eavesdropping probabilistic polynomialadversaries
Proof Let ⟨119909119894 120572
119894 120573
119894⟩ be an internal message sent by sensor
node 119894 to its parentSay adversary is eavesdropping on node 119894 In order to
forge a valid message ⟨119909lowast
119894 120572lowast
119894 120573lowast
119894⟩ for 119909
lowast
119894 119860 can easily
compute a valid 120572lowast119894= 119909lowast
119894119909minus1119894120572119894
As 120573119894= 119909119894120573119894+ 120579119894= 119909119894119910119866 for some integer 119910 a valid 120573lowast
119894
should be computed as
120573lowast
119894= 119909lowast
119894120573119894+ 120579119894= 119909lowast
119894119910lowast119866
= 119909lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866
(12)
Due to 120579119894and 120573
119894 adversary cannot forge 120573lowast
119894directly from
119909lowast
119894120573119894+ 120579119894but to compute 119909lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866 119860 has 119909lowast
119894 119909119894 120573119894
and 119866 the factors it lack are 119910 and 119910lowastCalculating 119910 from 120573
119894= 119909119894119910119866 and 119910lowast from 120573
lowast
119894= 119909lowast
119894119910lowast119866
is ECDLP which means calculating 120573lowast119894from 119909
lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866
is hardAnother concern rises when adversary keeps eavesdrop-
ping on sensor node 119894 and records the messages sent by 119894Assume that adversary has
⟨119909119894119895 120572
119894119895 120573
119894119895⟩ | 119895 isin [1 119899] (13)
where ⟨119909119894119895 120572
119894119895 120573
119894119895⟩ represents the message ⟨119909
119894 120572
119894 120573
119894⟩
node 119894 sends to parent in the 119895th query and 119899 is the number of
queries Note that in each query every sensor node 119894 choosesa new secret key 119897
119894
For all 119895 isin [1 119899] adversary has
120573119894119895 = 120573119894119895119909
119894119895 + 120579119894 (14)
Because the number of variable is the number of equationsplus one so adversary cannot solve equations in (14) to obtain120573119894119895 or 120579119894In conclusion the probability of an adversary successfully
forging a new message ⟨119909lowast119894 120572lowast
119894 120573lowast
119894⟩ when eavesdropping on
sensor node 119894 is negligible completing the proof
Definition 6 (aggregator inconsistency) Let ⟨119909119905 120572
119905 120573
119905⟩ be an
internal message aggregated by node 119905 with two children 119906and V Let ⟨119909
119906 120572
119906 120573
119906⟩ and ⟨119909V 120572
V 120573
V⟩ be two messages from
119906 and V There is an inconsistency at node 119905 if
(1) 119909119905= 1199091015840
119905+ 119909
119906+ 119909
V or
(2) 120572119905= 1205721015840
119905+ 120572
119906+ 120572
119905or
(3) 120573119905= 1205731015840
119906+ 120573
119906+ 120573
119905
Definition 7 (compromised aggregator forgery) An adver-sary which compromised a aggregator 119895 successfully forgesa new aggregate result ⟨119909lowast
119895 120572lowast
119895 120573lowast
119895⟩ if
(1) 119909lowast119895
= 119909119895
(2) 120572lowast119895= 1205721015840
119895+ 119896119895minus11205721198951+ 119896119895minus21205721198952+ sdot sdot sdot + 119896
119895minus119897120572119895119897(1205721015840119895= 0 if 119895
does not sense data)(3) 120573119895= 1205731015840
119895+ 120573
1198951+ 120573
1198952+ sdot sdot sdot + 120573
119895119897(1205731015840119895= 0 if 119895 does
not sense data) assuming aggregator 119895 has 119897 children1198951 1198952 119895119897
Lemma 8 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid aggregate result for allprobabilistic polynomial adversaries even when a high-levelaggregator is compromised
Proof We assume that aggregator 10 has been compromisedwhere an adversary is in complete control of node 10obtaining all secret keys of node 10 Now an adversaryattempts to forge SUM aggregation and two correspondingtags after eavesdropping several aggregations and records
⟨11990910119894 120572
10119894 120573
10119894⟩ | 119894 isin [1 119899] (15)
where ⟨11990910119894 120572
10119894 120573
10119894⟩ represents the message ⟨119909
10 120572
10
12057310⟩ node 10 sends to base station in the 119894th query and 119899 is
the number of queries Note that in each query every sensornode 119895 chooses a new secret key 119897
119895
For all 119894 isin [1 119899] adversary has
12057310119894 = 119897
minus1119896bs-10120572
10119894
= (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)
minus 119897minus1120579119909
10119894
(16)
International Journal of Distributed Sensor Networks 7
Now adversary tries to forge a new message ⟨119909lowast10 120572lowast
10 120573lowast
10⟩
which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909
9 119909
10 11989610-8 11989610-9 120572
8 120572
9 120573
8 120573
9in each query and the
knowledge of the elliptic curve group 119864(119885119901)
Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful
adversary which we do not concern here
Case 2 Adversary tries to compute 119897minus1120579 by multiplying
1198961198941
(equals 120579119896path) and the inverse of 1198961198941
(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator
Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has
12057310minus 120572
10
= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909
10
997904rArr 12057310
= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866
(17)
for some integer 1199102 Similar to Lemma 4 since sum120579
119894(119894 from
1 to 7) is kept secret from adversary and computing 1199102from
1205733= 1199102119866 is ECDLP then 120573
10cannot be forged either
In all cases adversary can only forge a new message⟨119909lowast
10 120572lowast
10 120573lowast
10⟩ with negligible probability completing the
proof
Theorem 9 EIPDAP is integrity-preserving
Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof
52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN
Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy
In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and
Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899
119892is the group size
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(1) 119874(1) 0
Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(Δ) 119874(Δ) 0
Table 3 Aggregation tree congestion comparison
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0
path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3
By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks
6 Conclusion and Future Work
Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC
EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly
8 International Journal of Distributed Sensor Networks
reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase
Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving
In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability
We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach
Appendix
Attack on the Julia-Sanjay Scheme
If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904
119894 enc(119898
119894)⟩ received from its child 119894 In order to
modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge
an encrypted message
enc (1198981015840119894) = enc (119898
119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)
given as 119890nc(119898119894) = ⟨119906
119894 V119894⟩ And it is also easy to forge a valid
signature
1199041015840
119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)
If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN
Acknowledgments
The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions
References
[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008
[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008
[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003
[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003
[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007
[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007
[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010
[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008
[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009
[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008
[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006
[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008
[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006
[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009
[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003
[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010
International Journal of Distributed Sensor Networks 9
[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004
[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005
[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006
[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
6 International Journal of Distributed Sensor Networks
Definition 2 (sensor node inconsistency) Let ⟨119909119905 120572
119905 120573
119905⟩ be
a message sent by sensor node 119905 There is an inconsistency atnode 119905 if either
(1) 120572119905= 1199091199051198961199051+ 1199091199051205731199051198961199052
or
(2) 120573119905= 119909119905120573119905+ 120579119905
Definition 3 (sensor node forgery) An adversary eavesdrop-ping on sensor node 119894 successfully forges a new message⟨119909lowast
119894 120572lowast
119894 120573lowast
119894⟩ if
(1) 119909lowast119894
= 119909119894
(2) 120572lowast119894= 119909lowast
1198941198961198941+ 119909lowast
1198941205731198941198961198942
(3) 120573119894= 119909lowast
119894120573119894+ 120579119894
Since once a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected howeverwe do not address this kind of forgery here
Lemma 4 Let the final SUM aggregation received by the basestation be 119909
119891119894119899119886119897 then 119878
119871+ 120583 le 119909
119891119894119899119886119897
le 119878119871+ 120583V where 119878
119871is the
sum of the data values of all the legitimate nodes and 120583 is thetotal number of corrupted nodes
Proof As the conclusion is obvious here so we do not provein detail
Lemma 5 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid message as an honestsensor node for all eavesdropping probabilistic polynomialadversaries
Proof Let ⟨119909119894 120572
119894 120573
119894⟩ be an internal message sent by sensor
node 119894 to its parentSay adversary is eavesdropping on node 119894 In order to
forge a valid message ⟨119909lowast
119894 120572lowast
119894 120573lowast
119894⟩ for 119909
lowast
119894 119860 can easily
compute a valid 120572lowast119894= 119909lowast
119894119909minus1119894120572119894
As 120573119894= 119909119894120573119894+ 120579119894= 119909119894119910119866 for some integer 119910 a valid 120573lowast
119894
should be computed as
120573lowast
119894= 119909lowast
119894120573119894+ 120579119894= 119909lowast
119894119910lowast119866
= 119909lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866
(12)
Due to 120579119894and 120573
119894 adversary cannot forge 120573lowast
119894directly from
119909lowast
119894120573119894+ 120579119894but to compute 119909lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866 119860 has 119909lowast
119894 119909119894 120573119894
and 119866 the factors it lack are 119910 and 119910lowastCalculating 119910 from 120573
119894= 119909119894119910119866 and 119910lowast from 120573
lowast
119894= 119909lowast
119894119910lowast119866
is ECDLP which means calculating 120573lowast119894from 119909
lowast
119894119910lowast119909minus1
119894119910minus1120573119894119866
is hardAnother concern rises when adversary keeps eavesdrop-
ping on sensor node 119894 and records the messages sent by 119894Assume that adversary has
⟨119909119894119895 120572
119894119895 120573
119894119895⟩ | 119895 isin [1 119899] (13)
where ⟨119909119894119895 120572
119894119895 120573
119894119895⟩ represents the message ⟨119909
119894 120572
119894 120573
119894⟩
node 119894 sends to parent in the 119895th query and 119899 is the number of
queries Note that in each query every sensor node 119894 choosesa new secret key 119897
119894
For all 119895 isin [1 119899] adversary has
120573119894119895 = 120573119894119895119909
119894119895 + 120579119894 (14)
Because the number of variable is the number of equationsplus one so adversary cannot solve equations in (14) to obtain120573119894119895 or 120579119894In conclusion the probability of an adversary successfully
forging a new message ⟨119909lowast119894 120572lowast
119894 120573lowast
119894⟩ when eavesdropping on
sensor node 119894 is negligible completing the proof
Definition 6 (aggregator inconsistency) Let ⟨119909119905 120572
119905 120573
119905⟩ be an
internal message aggregated by node 119905 with two children 119906and V Let ⟨119909
119906 120572
119906 120573
119906⟩ and ⟨119909V 120572
V 120573
V⟩ be two messages from
119906 and V There is an inconsistency at node 119905 if
(1) 119909119905= 1199091015840
119905+ 119909
119906+ 119909
V or
(2) 120572119905= 1205721015840
119905+ 120572
119906+ 120572
119905or
(3) 120573119905= 1205731015840
119906+ 120573
119906+ 120573
119905
Definition 7 (compromised aggregator forgery) An adver-sary which compromised a aggregator 119895 successfully forgesa new aggregate result ⟨119909lowast
119895 120572lowast
119895 120573lowast
119895⟩ if
(1) 119909lowast119895
= 119909119895
(2) 120572lowast119895= 1205721015840
119895+ 119896119895minus11205721198951+ 119896119895minus21205721198952+ sdot sdot sdot + 119896
119895minus119897120572119895119897(1205721015840119895= 0 if 119895
does not sense data)(3) 120573119895= 1205731015840
119895+ 120573
1198951+ 120573
1198952+ sdot sdot sdot + 120573
119895119897(1205731015840119895= 0 if 119895 does
not sense data) assuming aggregator 119895 has 119897 children1198951 1198952 119895119897
Lemma 8 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid aggregate result for allprobabilistic polynomial adversaries even when a high-levelaggregator is compromised
Proof We assume that aggregator 10 has been compromisedwhere an adversary is in complete control of node 10obtaining all secret keys of node 10 Now an adversaryattempts to forge SUM aggregation and two correspondingtags after eavesdropping several aggregations and records
⟨11990910119894 120572
10119894 120573
10119894⟩ | 119894 isin [1 119899] (15)
where ⟨11990910119894 120572
10119894 120573
10119894⟩ represents the message ⟨119909
10 120572
10
12057310⟩ node 10 sends to base station in the 119894th query and 119899 is
the number of queries Note that in each query every sensornode 119895 chooses a new secret key 119897
119895
For all 119894 isin [1 119899] adversary has
12057310119894 = 119897
minus1119896bs-10120572
10119894
= (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)
minus 119897minus1120579119909
10119894
(16)
International Journal of Distributed Sensor Networks 7
Now adversary tries to forge a new message ⟨119909lowast10 120572lowast
10 120573lowast
10⟩
which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909
9 119909
10 11989610-8 11989610-9 120572
8 120572
9 120573
8 120573
9in each query and the
knowledge of the elliptic curve group 119864(119885119901)
Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful
adversary which we do not concern here
Case 2 Adversary tries to compute 119897minus1120579 by multiplying
1198961198941
(equals 120579119896path) and the inverse of 1198961198941
(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator
Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has
12057310minus 120572
10
= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909
10
997904rArr 12057310
= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866
(17)
for some integer 1199102 Similar to Lemma 4 since sum120579
119894(119894 from
1 to 7) is kept secret from adversary and computing 1199102from
1205733= 1199102119866 is ECDLP then 120573
10cannot be forged either
In all cases adversary can only forge a new message⟨119909lowast
10 120572lowast
10 120573lowast
10⟩ with negligible probability completing the
proof
Theorem 9 EIPDAP is integrity-preserving
Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof
52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN
Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy
In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and
Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899
119892is the group size
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(1) 119874(1) 0
Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(Δ) 119874(Δ) 0
Table 3 Aggregation tree congestion comparison
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0
path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3
By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks
6 Conclusion and Future Work
Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC
EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly
8 International Journal of Distributed Sensor Networks
reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase
Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving
In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability
We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach
Appendix
Attack on the Julia-Sanjay Scheme
If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904
119894 enc(119898
119894)⟩ received from its child 119894 In order to
modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge
an encrypted message
enc (1198981015840119894) = enc (119898
119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)
given as 119890nc(119898119894) = ⟨119906
119894 V119894⟩ And it is also easy to forge a valid
signature
1199041015840
119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)
If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN
Acknowledgments
The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions
References
[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008
[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008
[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003
[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003
[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007
[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007
[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010
[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008
[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009
[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008
[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006
[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008
[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006
[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009
[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003
[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010
International Journal of Distributed Sensor Networks 9
[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004
[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005
[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006
[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 7
Now adversary tries to forge a new message ⟨119909lowast10 120572lowast
10 120573lowast
10⟩
which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909
9 119909
10 11989610-8 11989610-9 120572
8 120572
9 120573
8 120573
9in each query and the
knowledge of the elliptic curve group 119864(119885119901)
Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful
adversary which we do not concern here
Case 2 Adversary tries to compute 119897minus1120579 by multiplying
1198961198941
(equals 120579119896path) and the inverse of 1198961198941
(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator
Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has
12057310minus 120572
10
= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909
10
997904rArr 12057310
= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866
(17)
for some integer 1199102 Similar to Lemma 4 since sum120579
119894(119894 from
1 to 7) is kept secret from adversary and computing 1199102from
1205733= 1199102119866 is ECDLP then 120573
10cannot be forged either
In all cases adversary can only forge a new message⟨119909lowast
10 120572lowast
10 120573lowast
10⟩ with negligible probability completing the
proof
Theorem 9 EIPDAP is integrity-preserving
Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof
52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN
Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy
In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and
Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899
119892is the group size
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(1) 119874(1) 0
Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899
119892)) 119874(Δ log (119899119899
119892))
EIPDAP 119874(Δ) 119874(Δ) 0
Table 3 Aggregation tree congestion comparison
Querydissemination
Dataaggregation Result-checking
Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0
path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3
By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks
6 Conclusion and Future Work
Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC
EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly
8 International Journal of Distributed Sensor Networks
reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase
Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving
In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability
We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach
Appendix
Attack on the Julia-Sanjay Scheme
If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904
119894 enc(119898
119894)⟩ received from its child 119894 In order to
modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge
an encrypted message
enc (1198981015840119894) = enc (119898
119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)
given as 119890nc(119898119894) = ⟨119906
119894 V119894⟩ And it is also easy to forge a valid
signature
1199041015840
119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)
If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN
Acknowledgments
The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions
References
[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008
[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008
[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003
[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003
[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007
[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007
[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010
[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008
[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009
[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008
[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006
[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008
[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006
[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009
[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003
[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010
International Journal of Distributed Sensor Networks 9
[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004
[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005
[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006
[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
8 International Journal of Distributed Sensor Networks
reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase
Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving
In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability
We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach
Appendix
Attack on the Julia-Sanjay Scheme
If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904
119894 enc(119898
119894)⟩ received from its child 119894 In order to
modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge
an encrypted message
enc (1198981015840119894) = enc (119898
119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)
given as 119890nc(119898119894) = ⟨119906
119894 V119894⟩ And it is also easy to forge a valid
signature
1199041015840
119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)
If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN
Acknowledgments
The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions
References
[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008
[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008
[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003
[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003
[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007
[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007
[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010
[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008
[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009
[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008
[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006
[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008
[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006
[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009
[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003
[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010
International Journal of Distributed Sensor Networks 9
[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004
[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005
[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006
[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 9
[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004
[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005
[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006
[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of