research article an efficient data aggregation protocol...

10
Hindawi Publishing Corporation International Journal of Distributed Sensor Networks Volume 2013, Article ID 256852, 9 pages http://dx.doi.org/10.1155/2013/256852 Research Article An Efficient Data Aggregation Protocol Concentrated on Data Integrity in Wireless Sensor Networks Liehuang Zhu, Zhen Yang, Meng Li, and Dan Liu Beijing Engineering Research Center of Massive Language Information Processing and Cloud Computing Application, School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, China Correspondence should be addressed to Liehuang Zhu; [email protected] Received 5 March 2013; Accepted 30 April 2013 Academic Editor: Yulong Shen Copyright © 2013 Liehuang Zhu et al. is is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Wireless sensor networks consist of a great number of sensor nodes with strictly limited computation capability, storage, communication resources, and battery power. Because they are deployed in remote and hostile environments and hence are vulnerable to physical attacks, sensor networks face many practical challenges. Data confidentiality, data integrity, source authentication, and availability are all major security concerns. In this paper, we focus on the very problem of preserving data integrity and propose an Efficient Integrity-Preserving Data Aggregation Protocol (EIPDAP) to guarantee the integrity of aggregation result through aggregation in sensor networks. In EIPDAP, base station can immediately verify the integrity of aggregation result aſter receiving the aggregation result and corresponding authentication information. However, to check integrity, most existing protocols need an additional phase which will consume a lot of energy and cause network delay. Compared with other related schemes, EIPDAP reduces the communication overhead per node to (Δ), where Δ is the degree of the aggregation tree for the network. To the best of our knowledge, EIPDAP has the most optimal upper bound on solving the integrity-preserving data aggregation problem. 1. Introduction Wireless sensor networks (WSNs) have many security-critical applications such as real-time traffic monitoring, wildfire tracking, or military surveillance. In a sensor network, thousands of low-cost sensor nodes collectively monitor an area within a certain range and report their own data to the base station which distributes a data query. However, this would incur high communication overhead which cannot be afforded by sensor nodes. Data aggregation [1, 2] mechanisms are proposed to reduce the power consumption. Data aggre- gation poses security threat; many secure data aggregation protocols [3, 4] have been emerging over these years, which prove to be secure and considerably improve the resource utilization. Although data confidentiality could guarantee that legal parties obtain plain data without being leaked out to adver- saries, it does not protect data from being altered [57]. In this paper, we focus on the problem of preserving data integrity through aggregation in sensor networks. Message authenti- cation codes (MACs) are used in [8] to protect data integrity, while causing other problems, such as high communication overhead. In this paper, we present a provably secure sensor network integrity-preserving aggregation protocol based on the elliptic curve discrete logarithm problem for general networks with hierarchical aggregator topologies, assuming that adversaries are able to corrupt a (small) fraction of sensors. With the increasing of sensor node’s computation capacity, public key cryptography, such as elliptic curve cryptosystems (ECC), is suitable for constrained environ- ments such as WSN. In [9], authors propose secure data aggregation schemes using ECC to obtain data confidentiality and integrity in the data aggregation because of their smaller key size, faster computations, and reductions in processing power, storage space, and bandwidth. TinyECC is proposed by Liu and Ning [10] which provides ECC-based operations that can be flexibly configured and integrated into WSN applications.

Upload: vodang

Post on 13-Jul-2018

215 views

Category:

Documents


0 download

TRANSCRIPT

Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2013 Article ID 256852 9 pageshttpdxdoiorg1011552013256852

Research ArticleAn Efficient Data Aggregation Protocol Concentrated onData Integrity in Wireless Sensor Networks

Liehuang Zhu Zhen Yang Meng Li and Dan Liu

Beijing Engineering Research Center of Massive Language Information Processing and Cloud Computing ApplicationSchool of Computer Science and Technology Beijing Institute of Technology Beijing 100081 China

Correspondence should be addressed to Liehuang Zhu liehuangzbiteducn

Received 5 March 2013 Accepted 30 April 2013

Academic Editor Yulong Shen

Copyright copy 2013 Liehuang Zhu et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Wireless sensor networks consist of a great number of sensor nodes with strictly limited computation capability storagecommunication resources and battery power Because they are deployed in remote and hostile environments and hence arevulnerable to physical attacks sensor networks face many practical challenges Data confidentiality data integrity sourceauthentication and availability are all major security concerns In this paper we focus on the very problem of preservingdata integrity and propose an Efficient Integrity-Preserving Data Aggregation Protocol (EIPDAP) to guarantee the integrity ofaggregation result through aggregation in sensor networks In EIPDAP base station can immediately verify the integrity ofaggregation result after receiving the aggregation result and corresponding authentication information However to check integritymost existing protocols need an additional phase which will consume a lot of energy and cause network delay Compared with otherrelated schemes EIPDAP reduces the communication overhead per node to119874(Δ) where Δ is the degree of the aggregation tree forthe network To the best of our knowledge EIPDAP has the most optimal upper bound on solving the integrity-preserving dataaggregation problem

1 Introduction

Wireless sensor networks (WSNs) havemany security-criticalapplications such as real-time traffic monitoring wildfiretracking or military surveillance In a sensor networkthousands of low-cost sensor nodes collectively monitor anarea within a certain range and report their own data to thebase station which distributes a data query However thiswould incur high communication overhead which cannot beafforded by sensor nodes Data aggregation [1 2]mechanismsare proposed to reduce the power consumption Data aggre-gation poses security threat many secure data aggregationprotocols [3 4] have been emerging over these years whichprove to be secure and considerably improve the resourceutilization

Although data confidentiality could guarantee that legalparties obtain plain data without being leaked out to adver-saries it does not protect data frombeing altered [5ndash7] In thispaper we focus on the problem of preserving data integrity

through aggregation in sensor networks Message authenti-cation codes (MACs) are used in [8] to protect data integritywhile causing other problems such as high communicationoverhead In this paper we present a provably secure sensornetwork integrity-preserving aggregation protocol based onthe elliptic curve discrete logarithm problem for generalnetworks with hierarchical aggregator topologies assumingthat adversaries are able to corrupt a (small) fraction ofsensors With the increasing of sensor nodersquos computationcapacity public key cryptography such as elliptic curvecryptosystems (ECC) is suitable for constrained environ-ments such as WSN In [9] authors propose secure dataaggregation schemes using ECC to obtain data confidentialityand integrity in the data aggregation because of their smallerkey size faster computations and reductions in processingpower storage space and bandwidth TinyECC is proposedby Liu and Ning [10] which provides ECC-based operationsthat can be flexibly configured and integrated into WSNapplications

2 International Journal of Distributed Sensor Networks

An adversary can perform a variety of attacks For exam-ple a denial-of-service (DoS) attack can totally block thecommunication between sensor nodes and the base stationHowever this attack is not concerned because it is detectableby the querier and solutions can be implemented to remedythis situation In stealthy attack [4] the attackerrsquos goal is tomake the base station accept false aggregation results whichare significantly different from the true results determinedby the measure values while not being detected by the basestation Our goal is to prevent this kind of attack even whenhigh-level aggregator is corrupted

A number of protocols [11ndash13] have been proposed whichfocus on the problem that how can the base station obtaina good approximation of the aggregation result and how toobtain data integrity when a fraction of sensor nodes arecompromised One common sensor feature is the dispropor-tionately high cost of transmitting information as comparedto performing local computation For example a Berkeleymote spends approximately the same amount of energy tocompute 800 instructions as it does in sending a single bitof data It thus becomes essential to reduce the number ofbits forwarded by intermediate nodes in order to extend theentire networkrsquos lifetime [14] All the above schemes needto verify the integrity of aggregation result in an additionalphase which consumes a lot of energy and causes networkdelay

In this paper we propose EIPDAPwhich can immediatelyverify the integrity of aggregation result after receiving theaggregation result and corresponding authentication infor-mation hence significantly reducing energy consumptionand communication delay which will be caused if the veri-fication process is done through another query-and-forwardphase

The rest of the paper is organized as follows in Section 2we describe a survey of other approaches to integrity-preserving aggregation in sensor networks in Section 3moredetails about the problemwe are trying to solve are discussedin Section 4 we describe a new scheme that is the centerpieceof our work and in Section 5 the security properties andperformance of our scheme are analyzed

2 Related Work

There has been a number of works on preserving integrity inaggregation protocols for sensor networks Many protocolshave been proposed for the single-aggregator model [4 1315] But the aggregator in these schemes suffers from signifi-cantly high congestion and only reduces communications onthe link between the aggregator and the base station So thismodel is not scalable to large multihop sensor deployments

Another significant work is introduced in [11] The mainidea of this approach is that each node sends its valuecomplement and commitment up the aggregation tree andthen a commitment would pass down the tree for a node toverify that if its value was added into the SUM aggregationand the complement of its data value was added into theCOMPLEMENT aggregation However the scheme requiresthree phases The delay aggregation strategy used in the sec-ond phase increases communication from 119874(1) to 119874(log 119899)

computation from 119874(1) to 119874(119902 log 119899) where 119899 is the numberof nodes in the network and 119902 is the number of forests in thecommitment treeThe result-checking phase costs119874(Δlog2119899)congestion Frikken and Dougherty in [12] improves Chanrsquosapproach by reducing the maximum communication to119874(Δ log 119899)

A secure hop-by-hop data aggregation protocol SDAPfor sensor networks is proposed in [13] The authors believethat we should be more concerned about high-level nodessince these nodes represent a large portion of the finalresult delivered to base station and there would be morecatastrophic consequences if they are compromised HenceSDAP dynamically partitions the topology tree into multiplelogical groups of similar sizes using a probabilistic approachfollowing the divide-and-conquer principle In this wayfewer nodes are located under a high-level sensor nodein a logical subtree resulting in reduced potential securitythreat by a compromised high-level node SDAP introducesprobability and attestation to the data result-checking thecommunication required per node is 119874(log (119899119899

119892)) Because

SDAP just let part nodes be attested attestation algorithmcannot find all compromised nodes By adding attestationpaths can increase the detection probability but it willincrease communication cost

Aggregate message authentication codes introduced byKatz and Lindell (CT-RSA 2008) [8] provided a new perspec-tive of preserving integrity In their construction aggregatingMAC simply computes the XOR of all the MACs into onevalue the size of which is the same as an ordinaryMAC Afterreceiving all the data and the final aggregate MAC the basestation uses secret keys shared with each node to compute anew aggregate MAC from these data and compares it withthe received aggregateMAC Although it remarkably reducescommunication overhead we have seen in former protocols[11ndash13] and is easy to perform it suffers from the ldquomix-and-matchrdquo attacks [16] in which the adversary can easily forgeseveral types of aggregate combinations

In [9] the authors proposed a new algorithm usinghomomorphic encryption and additive digital signaturesto achieve confidentiality integrity and availability for in-network aggregation in WSN However the protocol cannotresist stealthy attack We discuss concrete attack on theprotocol due to Albath and Madria [9] in the appendix

Besides there have been several protocols designed forpreserving the confidentiality of the aggregation results [17ndash19]This issue is orthogonal to our work and is not consideredin this paper

3 Problem Model

This section contains the definitions of basic problems andincludes discussion on the nodesrsquo setup the security infras-tructure and the attack model

31 Network Assumptions We assume a query-based sensornetwork with a large number of sensors and a powerful basestation with transmission ranges covering the whole wirelesssensor network can broadcast messages to all nodes directly

International Journal of Distributed Sensor Networks 3

Before aggregation process sensors will form a tree topologywhere base station locates at the root

We further assume that the base station would broadcastan authenticated query before collecting data If there is noaggregation tree then an aggregation tree should be formedas the query has been sent to all nodes Our protocol takesthe structure of the aggregation tree as given One methodfor constructing an aggregation tree is described in TaG [20]

Each node is sensing an integer value 119903 that is in the range(0 V] (we rule out ldquo0rdquo in defense of 120579

119894which we will explain

later) for some application-based value VThe goal is to returnthe SUM result with two tags proving that the SUM result hasnot been forged (even in the presence of malicious nodes)Due to resource constrains all readings need to be aggregatedby aggregators while being transmitted over a multihop path

32 Security Infrastructure We assume that each node 119894 hasa unique identifier 119904

119894 private keys 119903

119894 119897119894isin 119885119901and shares a

private key 119904119896119894and a private point 120579

119894isin cyclic elliptic group

119864(119885119901) with base station ECC domain parameters including

the generator point 119866 isin 119864(119885119901) are preloaded in all nodes In

each node 119894 we set two parameters 120572119894and 120573

119894which will be

used later

120572119894= 119903119894119866

120573119894= 119903119894120572119894

(1)

33 Attack Model and Security Goals We consider a settingwith a polynomially bounded adversary which can physicallyaccess the sensors and read their interval values The adver-sary is also restricted to corrupt a (small) fraction of nodesincluding the aggregators

Once the adversary compromises a sensor node it canobtain all the nodersquos secret keys An adversary can modifyforge or discard messages or simply transmit false aggregateresults and its goal is to forge valid aggregate result to beaccepted by the base stationThe higher false aggregate resultlevel is more catastrophic consequence will be caused

In this setting we focus on stealthy attacks [4] wherethe attackerrsquos goal is to make the base station accept falseaggregate results while not being detected by base stationAnd our security goal is to prevent stealthy attacks Inparticular wewant to guarantee that once the aggregate resulthas been accepted by the base station it is indeed the realresult aggregated by honest nodes

Definition 1 (integrity-preserving aggregation algorithm)An aggregation algorithm is integrity-preserving if by tam-pering with the aggregation process an adversary is unable toinduce the base station to accept any forged aggregate result

Since if a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected In thispaper we will focus on the situation where an aggregator iscompromised and see whether it can forge a valid aggregateresult

In this paper however we do not address the denial-of-service attack where the adversary prevents the querier

from getting any aggregation result at all because nodesrsquo notresponding queries clearly indicate that something is wrongand solutions can be implemented to remedy this situation

4 Our Work

In this section we present a new approach especially aimingto preserve integrity of the aggregation resultWe first give anoverview of this approach and then present the details

41 Overview The design of our algorithm is based on theelliptic curve discrete logarithm problem The overall algo-rithm consists of three main phases query disseminationaggregation-commit and result-checking

In query dissemination phase the base station broadcaststhe query to the network An aggregation tree or a directedspanning tree over the network topologywith the base stationat the root is formed as the query sent to all the nodes ifone is not already present in the network Then the path-keys and edge-key for each node encrypted with the secretkey shared between base station and node are sent to thecorresponding node Path-key and edge-key are calculated bythe base station according to the network topology We showthe detail of the calculation of the path-key in Section 42

In aggregation-commit phase each sensor node collectsraw data and computes two corresponding tags beforesending them to their own parent node in the aggregationtree After receiving all the messages from all child nodesaggregator performs modulo addition operations over thethree items and forwards the result to high-level aggregatorsuntil the base station

In the result-checking phase the base station verifiesthe integrity of the SUM aggregation with two aggregationtags Compared with Chanrsquos and Keithrsquos approach ours doesnot require any dissemination from top root node down tothe leaf nodes which causes congestion 119874(Δlog2119899) in Chanrsquosapproach and 119874(Δ log 119899) in Keithrsquos approach and energy costin this phase

42 The SUM Approach

421 Query Dissemination Phase Before aggregation thebase station broadcasts an authenticated query to the net-work The query request message contains a nonce 119873 toprevent replay attack [1] If there is no aggregation tree anaggregation tree with the base station at the root will beformed as the query has been sent to all nodes Then the treeinformation will be reported back to the base station Afterthe base station receives the tree information it calculatesthe path-key for each node for each aggregator or sensornode 119894 base station generates a key bs and calculates edgekey according to one-way hash function 119865 where

119896119894minus119895

= 119865bs (119904119894 119904119895 119873) (2)

and node 119894 is the parent of node 119895 119904119894and 119904

119895are unique

identifiers of node 119894 and node 119895

4 International Journal of Distributed Sensor Networks

3 5

8

10

4

1 2

9

6 7

bs

1205721

1205731= 11989711205721

1205722

1205732= 11989721205722

1205724

1205734= 11989741205724

1205725

1205735= 11989751205725

1205726

1205736= 11989761205726

1205727

1205737= 11989771205727119909

1= 119909

1

120572

1= 119909

111989611+ 119909

1120573111989612

11205731+ 120579

1

119909

2= 119909

2

120572

2= 119909

211989621+ 119909

2120573211989622

21205732+ 120579

2

119909

3= 119909

998400

3+ 119909

1+ 119909

2

120572

3= 120572

998400

3+ 119896

31120572

1+ 119896

32120572

2

119865(119904bs 11990410 119873)

11989610-8= 119891(119904

10 1199048 119873)

11989610-9= 119891(119904

10 1199049 119873)

1198968-3= 119891(119904

8 1199043 119873)

120573

3= 120573

1+ 120573

2+ 120573

998400

3

120573

1= 119909 120573

2= 119909

119909998400

3= 119909

3

120572998400

3= 119909

311989631+ 119909

3120573311989632

120573998400

3= 119909

31205733+ 120579

3

119896bs-10 =

Figure 1 Aggregation phaseThe nodes 1 2 3 4 5 6 and 7 are sensor nodes and the nodes 8 9 and 10 are aggregators while node 3 works asboth sensor node and aggregator Without losing generality we assume that every intermediate node is able to sense raw data and performsaggregation like node 3 does

For each sensor node 119894 base station also calculates twopath-keys 119896

1198941and 1198961198942

as follows

1198961198941=

120579

119896path (3)

1198961198942=

119897

119896path (4)

where 120579 is a point in 119864(119885119901) 119897 is an integer and they are both

chosen by base station to enable data aggregation and preventstealthyreplay attacks

If the path from base station to sensor node 119894 is 1-2-3-119894then 119896path = 1198961-21198962-31198963-119894

Finally the base stationwith transmission ranges coveringthewholewireless sensor network directly broadcasts to node119894 the path-keys and edge-keys encrypted with the secret key119904119896119894

422 Data Aggregation Phase In the query disseminationphase each node has already identified their parents and thebase station has the overall view of the aggregation tree

In Figure 1 take paths BS-10-8-3-1 and BS-10-8-3-2 forinstance as sensor node nodes 3 1 and 2 each has a message

that is to be passed to their parents And the message has thefollowing format

⟨119909119894 120572

119894 120573

119894⟩ (5)

where 119909119894is the SUM aggregation over all sensor nodes in the

subtree 120572119894and 120573

119894are the first and second tag respectively

For nodes 1 and 2

1199091= 1199091 119909

2= 1199092

1205721= 119909111989611+ 1199091120573111989612

1205722= 119909211989621+ 1199092120573211989622

1205731= 11990911205731+ 1205791 120573

3= 11990931205733+ 1205793

(6)

For aggregatorsensor node 3 with data 1199093 it first com-

putes 12057210158403and 1205731015840

3as a sensor node

1199091015840

3= 1199093 120572

1015840

3= 119909311989631+ 1199093120573311989632

1205731015840

3= 11990931205733+ 1205793

(7)

International Journal of Distributed Sensor Networks 5

Then node 1 and 2 send their data and tags to node 3 Afterreceiving all messages from its subtree node 3 works asaggregator to perform aggregation

1199093= 1199091+ 1199092+ 1199091015840

3

1205723= 1198963-1120572

1+ 1198963-2120572

2+ 1205721015840

3

1205733= 1205731015840

1+ 1205731015840

2+ 1205731015840

3

(8)

and sends ⟨1199093 120572

3 120573

3⟩ to node 8

Aggregators 8 and 10 perform corresponding tasks

1199098= 1199093+ 1199094+ 1199095 119909

10= 119909

8+ 119909

9

1205728= 1198968-3120572

3+ 1198968-4120572

4+ 1198968-5120572

5

12057210= 11989610-8120572

8+ 11989610-9120572

9

1205738= 120573

3+ 120573

4+ 1205735 120573

10= 120573

8+ 120573

9

(9)

where node 8 sends ⟨1199098 120572

8 120573

8⟩ to node 10 and node 10 sends

⟨11990910 120572

10 120573

10⟩ to base station

423 Result-Checking Phase The purpose of result-checkingphase is to enable base station to verify that the integrity ofSUM 119909

10has not been violatedThe verification is performed

as followsBase station checks if

12057310minus 119897minus1119896bs-10120572

8= sum120579

119894minus 119897minus1120579119909

10 (10)

where ⟨11990910 120572

10 120573

10⟩ is sent by node 10 to base station 120579 119897

119896bs-10 120579119894 (119894 from 1 to 7) are only known to base station and 119897minus1

is the inverse of 119897 modulo which is the order 119902 of the ellipticcurve group 119864(119885

119901)

Since

12057310= 120573

8+ 120573

9

= 1205731015840

3+ 120573

4+ 120573

5+ 120573

6+ 120573

7

= 1205731+ 120573

2+ 120573

3+ 120573

4+ 120573

5+ 120573

6+ 120573

7

=11990911205731+ 1205791+ 11990921205732+ 1205792+ 11990931205733+ 1205793+ 11990941205734

+ 1205794+ 11990951205735+ 1205795+ 11990961205736+ 1205796+ 11990971205737+ 1205797

= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)

+ (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)

119897minus1119896bs-10120572

10

= 119897minus1119896bs-10 (11989610-8120572

8+ 11989610-9120572

9)

= 119897minus1119896bs-10

times (11989610-8 (1198968-3120572

3+ 1198968-4120572

4+ 1198968-5120572

5)

+ 11989610-9 (1198969-6120572

6+ 1198969-7120572

7))

= 119897minus1119896bs-10

times (11989610-8 (1198968-3 (120572

1015840

3+ 1198963-1120572

1+ 1198963-2120572

2)

+ 1198968-4120572

4+ 1198968-4120572

5)

+ 11989610-9 (1198969-6120572

6+ 1198969-7120572

7))

= 119897minus1119896bs-1011989610-81198968-3

times (1198963-1 (

119897

119896bs-1011989610-81198968-31198963-1)11990911205731

+ 1198963-2 (

119897

119896bs-1011989610-81198968-31198963-2)11990921205732

+(119897

119896bs-1011989610-81198968-3)11990931205733)

+ 119897minus1119896bs-1011989610-8

times (1198968-4 (

119897

119896bs-1011989610-81198968-4)11990941205734

+ 1198968-5 (

119897

119896bs-1011989610-81198968-5)11990951205735)

+ 119897minus1119896bs-1011989610-9

times (1198969-6 (

119897

119896bs-1011989610-91198969-6)11990961205736

+ 1198969-7 (

119897

119896bs-1011989610-91198969-7)11990971205737)

= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)

+ 119897minus1120579 (1199091+ 1199092+ 1199093+ 1199094+ 1199095+ 1199096+ 1199097)

(11)

We can say that base station accepts the SUM aggregation11990910 or the two tags will only verify if all tags are generated

by honest nodes and aggregated correctly along the pathAgain note that 119897minus1 is the inverse of 119897 modulo 119902 which is

the order of the elliptic curve group 119864(119885119901) and 120579 119897 119896bs-10 are

only known to base station

5 Analysis

This section discusses the security and congestion complexityof EIPDAP

51 Overview Once a node has been compromised it isunder the full control of the adversary which can record andinject messages as will We also assume that the adversarycan only corrupt a (small) fraction of nodes including theaggregators Also we do not concern denial-of-service attackThe following is the proof for security of EIPDAP

6 International Journal of Distributed Sensor Networks

Definition 2 (sensor node inconsistency) Let ⟨119909119905 120572

119905 120573

119905⟩ be

a message sent by sensor node 119905 There is an inconsistency atnode 119905 if either

(1) 120572119905= 1199091199051198961199051+ 1199091199051205731199051198961199052

or

(2) 120573119905= 119909119905120573119905+ 120579119905

Definition 3 (sensor node forgery) An adversary eavesdrop-ping on sensor node 119894 successfully forges a new message⟨119909lowast

119894 120572lowast

119894 120573lowast

119894⟩ if

(1) 119909lowast119894

= 119909119894

(2) 120572lowast119894= 119909lowast

1198941198961198941+ 119909lowast

1198941205731198941198961198942

(3) 120573119894= 119909lowast

119894120573119894+ 120579119894

Since once a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected howeverwe do not address this kind of forgery here

Lemma 4 Let the final SUM aggregation received by the basestation be 119909

119891119894119899119886119897 then 119878

119871+ 120583 le 119909

119891119894119899119886119897

le 119878119871+ 120583V where 119878

119871is the

sum of the data values of all the legitimate nodes and 120583 is thetotal number of corrupted nodes

Proof As the conclusion is obvious here so we do not provein detail

Lemma 5 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid message as an honestsensor node for all eavesdropping probabilistic polynomialadversaries

Proof Let ⟨119909119894 120572

119894 120573

119894⟩ be an internal message sent by sensor

node 119894 to its parentSay adversary is eavesdropping on node 119894 In order to

forge a valid message ⟨119909lowast

119894 120572lowast

119894 120573lowast

119894⟩ for 119909

lowast

119894 119860 can easily

compute a valid 120572lowast119894= 119909lowast

119894119909minus1119894120572119894

As 120573119894= 119909119894120573119894+ 120579119894= 119909119894119910119866 for some integer 119910 a valid 120573lowast

119894

should be computed as

120573lowast

119894= 119909lowast

119894120573119894+ 120579119894= 119909lowast

119894119910lowast119866

= 119909lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866

(12)

Due to 120579119894and 120573

119894 adversary cannot forge 120573lowast

119894directly from

119909lowast

119894120573119894+ 120579119894but to compute 119909lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866 119860 has 119909lowast

119894 119909119894 120573119894

and 119866 the factors it lack are 119910 and 119910lowastCalculating 119910 from 120573

119894= 119909119894119910119866 and 119910lowast from 120573

lowast

119894= 119909lowast

119894119910lowast119866

is ECDLP which means calculating 120573lowast119894from 119909

lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866

is hardAnother concern rises when adversary keeps eavesdrop-

ping on sensor node 119894 and records the messages sent by 119894Assume that adversary has

⟨119909119894119895 120572

119894119895 120573

119894119895⟩ | 119895 isin [1 119899] (13)

where ⟨119909119894119895 120572

119894119895 120573

119894119895⟩ represents the message ⟨119909

119894 120572

119894 120573

119894⟩

node 119894 sends to parent in the 119895th query and 119899 is the number of

queries Note that in each query every sensor node 119894 choosesa new secret key 119897

119894

For all 119895 isin [1 119899] adversary has

120573119894119895 = 120573119894119895119909

119894119895 + 120579119894 (14)

Because the number of variable is the number of equationsplus one so adversary cannot solve equations in (14) to obtain120573119894119895 or 120579119894In conclusion the probability of an adversary successfully

forging a new message ⟨119909lowast119894 120572lowast

119894 120573lowast

119894⟩ when eavesdropping on

sensor node 119894 is negligible completing the proof

Definition 6 (aggregator inconsistency) Let ⟨119909119905 120572

119905 120573

119905⟩ be an

internal message aggregated by node 119905 with two children 119906and V Let ⟨119909

119906 120572

119906 120573

119906⟩ and ⟨119909V 120572

V 120573

V⟩ be two messages from

119906 and V There is an inconsistency at node 119905 if

(1) 119909119905= 1199091015840

119905+ 119909

119906+ 119909

V or

(2) 120572119905= 1205721015840

119905+ 120572

119906+ 120572

119905or

(3) 120573119905= 1205731015840

119906+ 120573

119906+ 120573

119905

Definition 7 (compromised aggregator forgery) An adver-sary which compromised a aggregator 119895 successfully forgesa new aggregate result ⟨119909lowast

119895 120572lowast

119895 120573lowast

119895⟩ if

(1) 119909lowast119895

= 119909119895

(2) 120572lowast119895= 1205721015840

119895+ 119896119895minus11205721198951+ 119896119895minus21205721198952+ sdot sdot sdot + 119896

119895minus119897120572119895119897(1205721015840119895= 0 if 119895

does not sense data)(3) 120573119895= 1205731015840

119895+ 120573

1198951+ 120573

1198952+ sdot sdot sdot + 120573

119895119897(1205731015840119895= 0 if 119895 does

not sense data) assuming aggregator 119895 has 119897 children1198951 1198952 119895119897

Lemma 8 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid aggregate result for allprobabilistic polynomial adversaries even when a high-levelaggregator is compromised

Proof We assume that aggregator 10 has been compromisedwhere an adversary is in complete control of node 10obtaining all secret keys of node 10 Now an adversaryattempts to forge SUM aggregation and two correspondingtags after eavesdropping several aggregations and records

⟨11990910119894 120572

10119894 120573

10119894⟩ | 119894 isin [1 119899] (15)

where ⟨11990910119894 120572

10119894 120573

10119894⟩ represents the message ⟨119909

10 120572

10

12057310⟩ node 10 sends to base station in the 119894th query and 119899 is

the number of queries Note that in each query every sensornode 119895 chooses a new secret key 119897

119895

For all 119894 isin [1 119899] adversary has

12057310119894 = 119897

minus1119896bs-10120572

10119894

= (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)

minus 119897minus1120579119909

10119894

(16)

International Journal of Distributed Sensor Networks 7

Now adversary tries to forge a new message ⟨119909lowast10 120572lowast

10 120573lowast

10⟩

which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909

9 119909

10 11989610-8 11989610-9 120572

8 120572

9 120573

8 120573

9in each query and the

knowledge of the elliptic curve group 119864(119885119901)

Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful

adversary which we do not concern here

Case 2 Adversary tries to compute 119897minus1120579 by multiplying

1198961198941

(equals 120579119896path) and the inverse of 1198961198941

(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator

Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has

12057310minus 120572

10

= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909

10

997904rArr 12057310

= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866

(17)

for some integer 1199102 Similar to Lemma 4 since sum120579

119894(119894 from

1 to 7) is kept secret from adversary and computing 1199102from

1205733= 1199102119866 is ECDLP then 120573

10cannot be forged either

In all cases adversary can only forge a new message⟨119909lowast

10 120572lowast

10 120573lowast

10⟩ with negligible probability completing the

proof

Theorem 9 EIPDAP is integrity-preserving

Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof

52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN

Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy

In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and

Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899

119892is the group size

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(1) 119874(1) 0

Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(Δ) 119874(Δ) 0

Table 3 Aggregation tree congestion comparison

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0

path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3

By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks

6 Conclusion and Future Work

Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC

EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly

8 International Journal of Distributed Sensor Networks

reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase

Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving

In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability

We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach

Appendix

Attack on the Julia-Sanjay Scheme

If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904

119894 enc(119898

119894)⟩ received from its child 119894 In order to

modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge

an encrypted message

enc (1198981015840119894) = enc (119898

119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)

given as 119890nc(119898119894) = ⟨119906

119894 V119894⟩ And it is also easy to forge a valid

signature

1199041015840

119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)

If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN

Acknowledgments

The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions

References

[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008

[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008

[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003

[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003

[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007

[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007

[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010

[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008

[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009

[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008

[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006

[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008

[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006

[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009

[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003

[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010

International Journal of Distributed Sensor Networks 9

[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004

[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005

[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006

[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

2 International Journal of Distributed Sensor Networks

An adversary can perform a variety of attacks For exam-ple a denial-of-service (DoS) attack can totally block thecommunication between sensor nodes and the base stationHowever this attack is not concerned because it is detectableby the querier and solutions can be implemented to remedythis situation In stealthy attack [4] the attackerrsquos goal is tomake the base station accept false aggregation results whichare significantly different from the true results determinedby the measure values while not being detected by the basestation Our goal is to prevent this kind of attack even whenhigh-level aggregator is corrupted

A number of protocols [11ndash13] have been proposed whichfocus on the problem that how can the base station obtaina good approximation of the aggregation result and how toobtain data integrity when a fraction of sensor nodes arecompromised One common sensor feature is the dispropor-tionately high cost of transmitting information as comparedto performing local computation For example a Berkeleymote spends approximately the same amount of energy tocompute 800 instructions as it does in sending a single bitof data It thus becomes essential to reduce the number ofbits forwarded by intermediate nodes in order to extend theentire networkrsquos lifetime [14] All the above schemes needto verify the integrity of aggregation result in an additionalphase which consumes a lot of energy and causes networkdelay

In this paper we propose EIPDAPwhich can immediatelyverify the integrity of aggregation result after receiving theaggregation result and corresponding authentication infor-mation hence significantly reducing energy consumptionand communication delay which will be caused if the veri-fication process is done through another query-and-forwardphase

The rest of the paper is organized as follows in Section 2we describe a survey of other approaches to integrity-preserving aggregation in sensor networks in Section 3moredetails about the problemwe are trying to solve are discussedin Section 4 we describe a new scheme that is the centerpieceof our work and in Section 5 the security properties andperformance of our scheme are analyzed

2 Related Work

There has been a number of works on preserving integrity inaggregation protocols for sensor networks Many protocolshave been proposed for the single-aggregator model [4 1315] But the aggregator in these schemes suffers from signifi-cantly high congestion and only reduces communications onthe link between the aggregator and the base station So thismodel is not scalable to large multihop sensor deployments

Another significant work is introduced in [11] The mainidea of this approach is that each node sends its valuecomplement and commitment up the aggregation tree andthen a commitment would pass down the tree for a node toverify that if its value was added into the SUM aggregationand the complement of its data value was added into theCOMPLEMENT aggregation However the scheme requiresthree phases The delay aggregation strategy used in the sec-ond phase increases communication from 119874(1) to 119874(log 119899)

computation from 119874(1) to 119874(119902 log 119899) where 119899 is the numberof nodes in the network and 119902 is the number of forests in thecommitment treeThe result-checking phase costs119874(Δlog2119899)congestion Frikken and Dougherty in [12] improves Chanrsquosapproach by reducing the maximum communication to119874(Δ log 119899)

A secure hop-by-hop data aggregation protocol SDAPfor sensor networks is proposed in [13] The authors believethat we should be more concerned about high-level nodessince these nodes represent a large portion of the finalresult delivered to base station and there would be morecatastrophic consequences if they are compromised HenceSDAP dynamically partitions the topology tree into multiplelogical groups of similar sizes using a probabilistic approachfollowing the divide-and-conquer principle In this wayfewer nodes are located under a high-level sensor nodein a logical subtree resulting in reduced potential securitythreat by a compromised high-level node SDAP introducesprobability and attestation to the data result-checking thecommunication required per node is 119874(log (119899119899

119892)) Because

SDAP just let part nodes be attested attestation algorithmcannot find all compromised nodes By adding attestationpaths can increase the detection probability but it willincrease communication cost

Aggregate message authentication codes introduced byKatz and Lindell (CT-RSA 2008) [8] provided a new perspec-tive of preserving integrity In their construction aggregatingMAC simply computes the XOR of all the MACs into onevalue the size of which is the same as an ordinaryMAC Afterreceiving all the data and the final aggregate MAC the basestation uses secret keys shared with each node to compute anew aggregate MAC from these data and compares it withthe received aggregateMAC Although it remarkably reducescommunication overhead we have seen in former protocols[11ndash13] and is easy to perform it suffers from the ldquomix-and-matchrdquo attacks [16] in which the adversary can easily forgeseveral types of aggregate combinations

In [9] the authors proposed a new algorithm usinghomomorphic encryption and additive digital signaturesto achieve confidentiality integrity and availability for in-network aggregation in WSN However the protocol cannotresist stealthy attack We discuss concrete attack on theprotocol due to Albath and Madria [9] in the appendix

Besides there have been several protocols designed forpreserving the confidentiality of the aggregation results [17ndash19]This issue is orthogonal to our work and is not consideredin this paper

3 Problem Model

This section contains the definitions of basic problems andincludes discussion on the nodesrsquo setup the security infras-tructure and the attack model

31 Network Assumptions We assume a query-based sensornetwork with a large number of sensors and a powerful basestation with transmission ranges covering the whole wirelesssensor network can broadcast messages to all nodes directly

International Journal of Distributed Sensor Networks 3

Before aggregation process sensors will form a tree topologywhere base station locates at the root

We further assume that the base station would broadcastan authenticated query before collecting data If there is noaggregation tree then an aggregation tree should be formedas the query has been sent to all nodes Our protocol takesthe structure of the aggregation tree as given One methodfor constructing an aggregation tree is described in TaG [20]

Each node is sensing an integer value 119903 that is in the range(0 V] (we rule out ldquo0rdquo in defense of 120579

119894which we will explain

later) for some application-based value VThe goal is to returnthe SUM result with two tags proving that the SUM result hasnot been forged (even in the presence of malicious nodes)Due to resource constrains all readings need to be aggregatedby aggregators while being transmitted over a multihop path

32 Security Infrastructure We assume that each node 119894 hasa unique identifier 119904

119894 private keys 119903

119894 119897119894isin 119885119901and shares a

private key 119904119896119894and a private point 120579

119894isin cyclic elliptic group

119864(119885119901) with base station ECC domain parameters including

the generator point 119866 isin 119864(119885119901) are preloaded in all nodes In

each node 119894 we set two parameters 120572119894and 120573

119894which will be

used later

120572119894= 119903119894119866

120573119894= 119903119894120572119894

(1)

33 Attack Model and Security Goals We consider a settingwith a polynomially bounded adversary which can physicallyaccess the sensors and read their interval values The adver-sary is also restricted to corrupt a (small) fraction of nodesincluding the aggregators

Once the adversary compromises a sensor node it canobtain all the nodersquos secret keys An adversary can modifyforge or discard messages or simply transmit false aggregateresults and its goal is to forge valid aggregate result to beaccepted by the base stationThe higher false aggregate resultlevel is more catastrophic consequence will be caused

In this setting we focus on stealthy attacks [4] wherethe attackerrsquos goal is to make the base station accept falseaggregate results while not being detected by base stationAnd our security goal is to prevent stealthy attacks Inparticular wewant to guarantee that once the aggregate resulthas been accepted by the base station it is indeed the realresult aggregated by honest nodes

Definition 1 (integrity-preserving aggregation algorithm)An aggregation algorithm is integrity-preserving if by tam-pering with the aggregation process an adversary is unable toinduce the base station to accept any forged aggregate result

Since if a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected In thispaper we will focus on the situation where an aggregator iscompromised and see whether it can forge a valid aggregateresult

In this paper however we do not address the denial-of-service attack where the adversary prevents the querier

from getting any aggregation result at all because nodesrsquo notresponding queries clearly indicate that something is wrongand solutions can be implemented to remedy this situation

4 Our Work

In this section we present a new approach especially aimingto preserve integrity of the aggregation resultWe first give anoverview of this approach and then present the details

41 Overview The design of our algorithm is based on theelliptic curve discrete logarithm problem The overall algo-rithm consists of three main phases query disseminationaggregation-commit and result-checking

In query dissemination phase the base station broadcaststhe query to the network An aggregation tree or a directedspanning tree over the network topologywith the base stationat the root is formed as the query sent to all the nodes ifone is not already present in the network Then the path-keys and edge-key for each node encrypted with the secretkey shared between base station and node are sent to thecorresponding node Path-key and edge-key are calculated bythe base station according to the network topology We showthe detail of the calculation of the path-key in Section 42

In aggregation-commit phase each sensor node collectsraw data and computes two corresponding tags beforesending them to their own parent node in the aggregationtree After receiving all the messages from all child nodesaggregator performs modulo addition operations over thethree items and forwards the result to high-level aggregatorsuntil the base station

In the result-checking phase the base station verifiesthe integrity of the SUM aggregation with two aggregationtags Compared with Chanrsquos and Keithrsquos approach ours doesnot require any dissemination from top root node down tothe leaf nodes which causes congestion 119874(Δlog2119899) in Chanrsquosapproach and 119874(Δ log 119899) in Keithrsquos approach and energy costin this phase

42 The SUM Approach

421 Query Dissemination Phase Before aggregation thebase station broadcasts an authenticated query to the net-work The query request message contains a nonce 119873 toprevent replay attack [1] If there is no aggregation tree anaggregation tree with the base station at the root will beformed as the query has been sent to all nodes Then the treeinformation will be reported back to the base station Afterthe base station receives the tree information it calculatesthe path-key for each node for each aggregator or sensornode 119894 base station generates a key bs and calculates edgekey according to one-way hash function 119865 where

119896119894minus119895

= 119865bs (119904119894 119904119895 119873) (2)

and node 119894 is the parent of node 119895 119904119894and 119904

119895are unique

identifiers of node 119894 and node 119895

4 International Journal of Distributed Sensor Networks

3 5

8

10

4

1 2

9

6 7

bs

1205721

1205731= 11989711205721

1205722

1205732= 11989721205722

1205724

1205734= 11989741205724

1205725

1205735= 11989751205725

1205726

1205736= 11989761205726

1205727

1205737= 11989771205727119909

1= 119909

1

120572

1= 119909

111989611+ 119909

1120573111989612

11205731+ 120579

1

119909

2= 119909

2

120572

2= 119909

211989621+ 119909

2120573211989622

21205732+ 120579

2

119909

3= 119909

998400

3+ 119909

1+ 119909

2

120572

3= 120572

998400

3+ 119896

31120572

1+ 119896

32120572

2

119865(119904bs 11990410 119873)

11989610-8= 119891(119904

10 1199048 119873)

11989610-9= 119891(119904

10 1199049 119873)

1198968-3= 119891(119904

8 1199043 119873)

120573

3= 120573

1+ 120573

2+ 120573

998400

3

120573

1= 119909 120573

2= 119909

119909998400

3= 119909

3

120572998400

3= 119909

311989631+ 119909

3120573311989632

120573998400

3= 119909

31205733+ 120579

3

119896bs-10 =

Figure 1 Aggregation phaseThe nodes 1 2 3 4 5 6 and 7 are sensor nodes and the nodes 8 9 and 10 are aggregators while node 3 works asboth sensor node and aggregator Without losing generality we assume that every intermediate node is able to sense raw data and performsaggregation like node 3 does

For each sensor node 119894 base station also calculates twopath-keys 119896

1198941and 1198961198942

as follows

1198961198941=

120579

119896path (3)

1198961198942=

119897

119896path (4)

where 120579 is a point in 119864(119885119901) 119897 is an integer and they are both

chosen by base station to enable data aggregation and preventstealthyreplay attacks

If the path from base station to sensor node 119894 is 1-2-3-119894then 119896path = 1198961-21198962-31198963-119894

Finally the base stationwith transmission ranges coveringthewholewireless sensor network directly broadcasts to node119894 the path-keys and edge-keys encrypted with the secret key119904119896119894

422 Data Aggregation Phase In the query disseminationphase each node has already identified their parents and thebase station has the overall view of the aggregation tree

In Figure 1 take paths BS-10-8-3-1 and BS-10-8-3-2 forinstance as sensor node nodes 3 1 and 2 each has a message

that is to be passed to their parents And the message has thefollowing format

⟨119909119894 120572

119894 120573

119894⟩ (5)

where 119909119894is the SUM aggregation over all sensor nodes in the

subtree 120572119894and 120573

119894are the first and second tag respectively

For nodes 1 and 2

1199091= 1199091 119909

2= 1199092

1205721= 119909111989611+ 1199091120573111989612

1205722= 119909211989621+ 1199092120573211989622

1205731= 11990911205731+ 1205791 120573

3= 11990931205733+ 1205793

(6)

For aggregatorsensor node 3 with data 1199093 it first com-

putes 12057210158403and 1205731015840

3as a sensor node

1199091015840

3= 1199093 120572

1015840

3= 119909311989631+ 1199093120573311989632

1205731015840

3= 11990931205733+ 1205793

(7)

International Journal of Distributed Sensor Networks 5

Then node 1 and 2 send their data and tags to node 3 Afterreceiving all messages from its subtree node 3 works asaggregator to perform aggregation

1199093= 1199091+ 1199092+ 1199091015840

3

1205723= 1198963-1120572

1+ 1198963-2120572

2+ 1205721015840

3

1205733= 1205731015840

1+ 1205731015840

2+ 1205731015840

3

(8)

and sends ⟨1199093 120572

3 120573

3⟩ to node 8

Aggregators 8 and 10 perform corresponding tasks

1199098= 1199093+ 1199094+ 1199095 119909

10= 119909

8+ 119909

9

1205728= 1198968-3120572

3+ 1198968-4120572

4+ 1198968-5120572

5

12057210= 11989610-8120572

8+ 11989610-9120572

9

1205738= 120573

3+ 120573

4+ 1205735 120573

10= 120573

8+ 120573

9

(9)

where node 8 sends ⟨1199098 120572

8 120573

8⟩ to node 10 and node 10 sends

⟨11990910 120572

10 120573

10⟩ to base station

423 Result-Checking Phase The purpose of result-checkingphase is to enable base station to verify that the integrity ofSUM 119909

10has not been violatedThe verification is performed

as followsBase station checks if

12057310minus 119897minus1119896bs-10120572

8= sum120579

119894minus 119897minus1120579119909

10 (10)

where ⟨11990910 120572

10 120573

10⟩ is sent by node 10 to base station 120579 119897

119896bs-10 120579119894 (119894 from 1 to 7) are only known to base station and 119897minus1

is the inverse of 119897 modulo which is the order 119902 of the ellipticcurve group 119864(119885

119901)

Since

12057310= 120573

8+ 120573

9

= 1205731015840

3+ 120573

4+ 120573

5+ 120573

6+ 120573

7

= 1205731+ 120573

2+ 120573

3+ 120573

4+ 120573

5+ 120573

6+ 120573

7

=11990911205731+ 1205791+ 11990921205732+ 1205792+ 11990931205733+ 1205793+ 11990941205734

+ 1205794+ 11990951205735+ 1205795+ 11990961205736+ 1205796+ 11990971205737+ 1205797

= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)

+ (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)

119897minus1119896bs-10120572

10

= 119897minus1119896bs-10 (11989610-8120572

8+ 11989610-9120572

9)

= 119897minus1119896bs-10

times (11989610-8 (1198968-3120572

3+ 1198968-4120572

4+ 1198968-5120572

5)

+ 11989610-9 (1198969-6120572

6+ 1198969-7120572

7))

= 119897minus1119896bs-10

times (11989610-8 (1198968-3 (120572

1015840

3+ 1198963-1120572

1+ 1198963-2120572

2)

+ 1198968-4120572

4+ 1198968-4120572

5)

+ 11989610-9 (1198969-6120572

6+ 1198969-7120572

7))

= 119897minus1119896bs-1011989610-81198968-3

times (1198963-1 (

119897

119896bs-1011989610-81198968-31198963-1)11990911205731

+ 1198963-2 (

119897

119896bs-1011989610-81198968-31198963-2)11990921205732

+(119897

119896bs-1011989610-81198968-3)11990931205733)

+ 119897minus1119896bs-1011989610-8

times (1198968-4 (

119897

119896bs-1011989610-81198968-4)11990941205734

+ 1198968-5 (

119897

119896bs-1011989610-81198968-5)11990951205735)

+ 119897minus1119896bs-1011989610-9

times (1198969-6 (

119897

119896bs-1011989610-91198969-6)11990961205736

+ 1198969-7 (

119897

119896bs-1011989610-91198969-7)11990971205737)

= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)

+ 119897minus1120579 (1199091+ 1199092+ 1199093+ 1199094+ 1199095+ 1199096+ 1199097)

(11)

We can say that base station accepts the SUM aggregation11990910 or the two tags will only verify if all tags are generated

by honest nodes and aggregated correctly along the pathAgain note that 119897minus1 is the inverse of 119897 modulo 119902 which is

the order of the elliptic curve group 119864(119885119901) and 120579 119897 119896bs-10 are

only known to base station

5 Analysis

This section discusses the security and congestion complexityof EIPDAP

51 Overview Once a node has been compromised it isunder the full control of the adversary which can record andinject messages as will We also assume that the adversarycan only corrupt a (small) fraction of nodes including theaggregators Also we do not concern denial-of-service attackThe following is the proof for security of EIPDAP

6 International Journal of Distributed Sensor Networks

Definition 2 (sensor node inconsistency) Let ⟨119909119905 120572

119905 120573

119905⟩ be

a message sent by sensor node 119905 There is an inconsistency atnode 119905 if either

(1) 120572119905= 1199091199051198961199051+ 1199091199051205731199051198961199052

or

(2) 120573119905= 119909119905120573119905+ 120579119905

Definition 3 (sensor node forgery) An adversary eavesdrop-ping on sensor node 119894 successfully forges a new message⟨119909lowast

119894 120572lowast

119894 120573lowast

119894⟩ if

(1) 119909lowast119894

= 119909119894

(2) 120572lowast119894= 119909lowast

1198941198961198941+ 119909lowast

1198941205731198941198961198942

(3) 120573119894= 119909lowast

119894120573119894+ 120579119894

Since once a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected howeverwe do not address this kind of forgery here

Lemma 4 Let the final SUM aggregation received by the basestation be 119909

119891119894119899119886119897 then 119878

119871+ 120583 le 119909

119891119894119899119886119897

le 119878119871+ 120583V where 119878

119871is the

sum of the data values of all the legitimate nodes and 120583 is thetotal number of corrupted nodes

Proof As the conclusion is obvious here so we do not provein detail

Lemma 5 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid message as an honestsensor node for all eavesdropping probabilistic polynomialadversaries

Proof Let ⟨119909119894 120572

119894 120573

119894⟩ be an internal message sent by sensor

node 119894 to its parentSay adversary is eavesdropping on node 119894 In order to

forge a valid message ⟨119909lowast

119894 120572lowast

119894 120573lowast

119894⟩ for 119909

lowast

119894 119860 can easily

compute a valid 120572lowast119894= 119909lowast

119894119909minus1119894120572119894

As 120573119894= 119909119894120573119894+ 120579119894= 119909119894119910119866 for some integer 119910 a valid 120573lowast

119894

should be computed as

120573lowast

119894= 119909lowast

119894120573119894+ 120579119894= 119909lowast

119894119910lowast119866

= 119909lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866

(12)

Due to 120579119894and 120573

119894 adversary cannot forge 120573lowast

119894directly from

119909lowast

119894120573119894+ 120579119894but to compute 119909lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866 119860 has 119909lowast

119894 119909119894 120573119894

and 119866 the factors it lack are 119910 and 119910lowastCalculating 119910 from 120573

119894= 119909119894119910119866 and 119910lowast from 120573

lowast

119894= 119909lowast

119894119910lowast119866

is ECDLP which means calculating 120573lowast119894from 119909

lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866

is hardAnother concern rises when adversary keeps eavesdrop-

ping on sensor node 119894 and records the messages sent by 119894Assume that adversary has

⟨119909119894119895 120572

119894119895 120573

119894119895⟩ | 119895 isin [1 119899] (13)

where ⟨119909119894119895 120572

119894119895 120573

119894119895⟩ represents the message ⟨119909

119894 120572

119894 120573

119894⟩

node 119894 sends to parent in the 119895th query and 119899 is the number of

queries Note that in each query every sensor node 119894 choosesa new secret key 119897

119894

For all 119895 isin [1 119899] adversary has

120573119894119895 = 120573119894119895119909

119894119895 + 120579119894 (14)

Because the number of variable is the number of equationsplus one so adversary cannot solve equations in (14) to obtain120573119894119895 or 120579119894In conclusion the probability of an adversary successfully

forging a new message ⟨119909lowast119894 120572lowast

119894 120573lowast

119894⟩ when eavesdropping on

sensor node 119894 is negligible completing the proof

Definition 6 (aggregator inconsistency) Let ⟨119909119905 120572

119905 120573

119905⟩ be an

internal message aggregated by node 119905 with two children 119906and V Let ⟨119909

119906 120572

119906 120573

119906⟩ and ⟨119909V 120572

V 120573

V⟩ be two messages from

119906 and V There is an inconsistency at node 119905 if

(1) 119909119905= 1199091015840

119905+ 119909

119906+ 119909

V or

(2) 120572119905= 1205721015840

119905+ 120572

119906+ 120572

119905or

(3) 120573119905= 1205731015840

119906+ 120573

119906+ 120573

119905

Definition 7 (compromised aggregator forgery) An adver-sary which compromised a aggregator 119895 successfully forgesa new aggregate result ⟨119909lowast

119895 120572lowast

119895 120573lowast

119895⟩ if

(1) 119909lowast119895

= 119909119895

(2) 120572lowast119895= 1205721015840

119895+ 119896119895minus11205721198951+ 119896119895minus21205721198952+ sdot sdot sdot + 119896

119895minus119897120572119895119897(1205721015840119895= 0 if 119895

does not sense data)(3) 120573119895= 1205731015840

119895+ 120573

1198951+ 120573

1198952+ sdot sdot sdot + 120573

119895119897(1205731015840119895= 0 if 119895 does

not sense data) assuming aggregator 119895 has 119897 children1198951 1198952 119895119897

Lemma 8 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid aggregate result for allprobabilistic polynomial adversaries even when a high-levelaggregator is compromised

Proof We assume that aggregator 10 has been compromisedwhere an adversary is in complete control of node 10obtaining all secret keys of node 10 Now an adversaryattempts to forge SUM aggregation and two correspondingtags after eavesdropping several aggregations and records

⟨11990910119894 120572

10119894 120573

10119894⟩ | 119894 isin [1 119899] (15)

where ⟨11990910119894 120572

10119894 120573

10119894⟩ represents the message ⟨119909

10 120572

10

12057310⟩ node 10 sends to base station in the 119894th query and 119899 is

the number of queries Note that in each query every sensornode 119895 chooses a new secret key 119897

119895

For all 119894 isin [1 119899] adversary has

12057310119894 = 119897

minus1119896bs-10120572

10119894

= (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)

minus 119897minus1120579119909

10119894

(16)

International Journal of Distributed Sensor Networks 7

Now adversary tries to forge a new message ⟨119909lowast10 120572lowast

10 120573lowast

10⟩

which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909

9 119909

10 11989610-8 11989610-9 120572

8 120572

9 120573

8 120573

9in each query and the

knowledge of the elliptic curve group 119864(119885119901)

Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful

adversary which we do not concern here

Case 2 Adversary tries to compute 119897minus1120579 by multiplying

1198961198941

(equals 120579119896path) and the inverse of 1198961198941

(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator

Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has

12057310minus 120572

10

= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909

10

997904rArr 12057310

= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866

(17)

for some integer 1199102 Similar to Lemma 4 since sum120579

119894(119894 from

1 to 7) is kept secret from adversary and computing 1199102from

1205733= 1199102119866 is ECDLP then 120573

10cannot be forged either

In all cases adversary can only forge a new message⟨119909lowast

10 120572lowast

10 120573lowast

10⟩ with negligible probability completing the

proof

Theorem 9 EIPDAP is integrity-preserving

Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof

52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN

Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy

In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and

Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899

119892is the group size

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(1) 119874(1) 0

Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(Δ) 119874(Δ) 0

Table 3 Aggregation tree congestion comparison

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0

path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3

By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks

6 Conclusion and Future Work

Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC

EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly

8 International Journal of Distributed Sensor Networks

reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase

Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving

In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability

We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach

Appendix

Attack on the Julia-Sanjay Scheme

If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904

119894 enc(119898

119894)⟩ received from its child 119894 In order to

modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge

an encrypted message

enc (1198981015840119894) = enc (119898

119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)

given as 119890nc(119898119894) = ⟨119906

119894 V119894⟩ And it is also easy to forge a valid

signature

1199041015840

119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)

If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN

Acknowledgments

The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions

References

[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008

[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008

[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003

[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003

[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007

[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007

[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010

[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008

[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009

[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008

[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006

[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008

[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006

[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009

[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003

[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010

International Journal of Distributed Sensor Networks 9

[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004

[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005

[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006

[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

International Journal of Distributed Sensor Networks 3

Before aggregation process sensors will form a tree topologywhere base station locates at the root

We further assume that the base station would broadcastan authenticated query before collecting data If there is noaggregation tree then an aggregation tree should be formedas the query has been sent to all nodes Our protocol takesthe structure of the aggregation tree as given One methodfor constructing an aggregation tree is described in TaG [20]

Each node is sensing an integer value 119903 that is in the range(0 V] (we rule out ldquo0rdquo in defense of 120579

119894which we will explain

later) for some application-based value VThe goal is to returnthe SUM result with two tags proving that the SUM result hasnot been forged (even in the presence of malicious nodes)Due to resource constrains all readings need to be aggregatedby aggregators while being transmitted over a multihop path

32 Security Infrastructure We assume that each node 119894 hasa unique identifier 119904

119894 private keys 119903

119894 119897119894isin 119885119901and shares a

private key 119904119896119894and a private point 120579

119894isin cyclic elliptic group

119864(119885119901) with base station ECC domain parameters including

the generator point 119866 isin 119864(119885119901) are preloaded in all nodes In

each node 119894 we set two parameters 120572119894and 120573

119894which will be

used later

120572119894= 119903119894119866

120573119894= 119903119894120572119894

(1)

33 Attack Model and Security Goals We consider a settingwith a polynomially bounded adversary which can physicallyaccess the sensors and read their interval values The adver-sary is also restricted to corrupt a (small) fraction of nodesincluding the aggregators

Once the adversary compromises a sensor node it canobtain all the nodersquos secret keys An adversary can modifyforge or discard messages or simply transmit false aggregateresults and its goal is to forge valid aggregate result to beaccepted by the base stationThe higher false aggregate resultlevel is more catastrophic consequence will be caused

In this setting we focus on stealthy attacks [4] wherethe attackerrsquos goal is to make the base station accept falseaggregate results while not being detected by base stationAnd our security goal is to prevent stealthy attacks Inparticular wewant to guarantee that once the aggregate resulthas been accepted by the base station it is indeed the realresult aggregated by honest nodes

Definition 1 (integrity-preserving aggregation algorithm)An aggregation algorithm is integrity-preserving if by tam-pering with the aggregation process an adversary is unable toinduce the base station to accept any forged aggregate result

Since if a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected In thispaper we will focus on the situation where an aggregator iscompromised and see whether it can forge a valid aggregateresult

In this paper however we do not address the denial-of-service attack where the adversary prevents the querier

from getting any aggregation result at all because nodesrsquo notresponding queries clearly indicate that something is wrongand solutions can be implemented to remedy this situation

4 Our Work

In this section we present a new approach especially aimingto preserve integrity of the aggregation resultWe first give anoverview of this approach and then present the details

41 Overview The design of our algorithm is based on theelliptic curve discrete logarithm problem The overall algo-rithm consists of three main phases query disseminationaggregation-commit and result-checking

In query dissemination phase the base station broadcaststhe query to the network An aggregation tree or a directedspanning tree over the network topologywith the base stationat the root is formed as the query sent to all the nodes ifone is not already present in the network Then the path-keys and edge-key for each node encrypted with the secretkey shared between base station and node are sent to thecorresponding node Path-key and edge-key are calculated bythe base station according to the network topology We showthe detail of the calculation of the path-key in Section 42

In aggregation-commit phase each sensor node collectsraw data and computes two corresponding tags beforesending them to their own parent node in the aggregationtree After receiving all the messages from all child nodesaggregator performs modulo addition operations over thethree items and forwards the result to high-level aggregatorsuntil the base station

In the result-checking phase the base station verifiesthe integrity of the SUM aggregation with two aggregationtags Compared with Chanrsquos and Keithrsquos approach ours doesnot require any dissemination from top root node down tothe leaf nodes which causes congestion 119874(Δlog2119899) in Chanrsquosapproach and 119874(Δ log 119899) in Keithrsquos approach and energy costin this phase

42 The SUM Approach

421 Query Dissemination Phase Before aggregation thebase station broadcasts an authenticated query to the net-work The query request message contains a nonce 119873 toprevent replay attack [1] If there is no aggregation tree anaggregation tree with the base station at the root will beformed as the query has been sent to all nodes Then the treeinformation will be reported back to the base station Afterthe base station receives the tree information it calculatesthe path-key for each node for each aggregator or sensornode 119894 base station generates a key bs and calculates edgekey according to one-way hash function 119865 where

119896119894minus119895

= 119865bs (119904119894 119904119895 119873) (2)

and node 119894 is the parent of node 119895 119904119894and 119904

119895are unique

identifiers of node 119894 and node 119895

4 International Journal of Distributed Sensor Networks

3 5

8

10

4

1 2

9

6 7

bs

1205721

1205731= 11989711205721

1205722

1205732= 11989721205722

1205724

1205734= 11989741205724

1205725

1205735= 11989751205725

1205726

1205736= 11989761205726

1205727

1205737= 11989771205727119909

1= 119909

1

120572

1= 119909

111989611+ 119909

1120573111989612

11205731+ 120579

1

119909

2= 119909

2

120572

2= 119909

211989621+ 119909

2120573211989622

21205732+ 120579

2

119909

3= 119909

998400

3+ 119909

1+ 119909

2

120572

3= 120572

998400

3+ 119896

31120572

1+ 119896

32120572

2

119865(119904bs 11990410 119873)

11989610-8= 119891(119904

10 1199048 119873)

11989610-9= 119891(119904

10 1199049 119873)

1198968-3= 119891(119904

8 1199043 119873)

120573

3= 120573

1+ 120573

2+ 120573

998400

3

120573

1= 119909 120573

2= 119909

119909998400

3= 119909

3

120572998400

3= 119909

311989631+ 119909

3120573311989632

120573998400

3= 119909

31205733+ 120579

3

119896bs-10 =

Figure 1 Aggregation phaseThe nodes 1 2 3 4 5 6 and 7 are sensor nodes and the nodes 8 9 and 10 are aggregators while node 3 works asboth sensor node and aggregator Without losing generality we assume that every intermediate node is able to sense raw data and performsaggregation like node 3 does

For each sensor node 119894 base station also calculates twopath-keys 119896

1198941and 1198961198942

as follows

1198961198941=

120579

119896path (3)

1198961198942=

119897

119896path (4)

where 120579 is a point in 119864(119885119901) 119897 is an integer and they are both

chosen by base station to enable data aggregation and preventstealthyreplay attacks

If the path from base station to sensor node 119894 is 1-2-3-119894then 119896path = 1198961-21198962-31198963-119894

Finally the base stationwith transmission ranges coveringthewholewireless sensor network directly broadcasts to node119894 the path-keys and edge-keys encrypted with the secret key119904119896119894

422 Data Aggregation Phase In the query disseminationphase each node has already identified their parents and thebase station has the overall view of the aggregation tree

In Figure 1 take paths BS-10-8-3-1 and BS-10-8-3-2 forinstance as sensor node nodes 3 1 and 2 each has a message

that is to be passed to their parents And the message has thefollowing format

⟨119909119894 120572

119894 120573

119894⟩ (5)

where 119909119894is the SUM aggregation over all sensor nodes in the

subtree 120572119894and 120573

119894are the first and second tag respectively

For nodes 1 and 2

1199091= 1199091 119909

2= 1199092

1205721= 119909111989611+ 1199091120573111989612

1205722= 119909211989621+ 1199092120573211989622

1205731= 11990911205731+ 1205791 120573

3= 11990931205733+ 1205793

(6)

For aggregatorsensor node 3 with data 1199093 it first com-

putes 12057210158403and 1205731015840

3as a sensor node

1199091015840

3= 1199093 120572

1015840

3= 119909311989631+ 1199093120573311989632

1205731015840

3= 11990931205733+ 1205793

(7)

International Journal of Distributed Sensor Networks 5

Then node 1 and 2 send their data and tags to node 3 Afterreceiving all messages from its subtree node 3 works asaggregator to perform aggregation

1199093= 1199091+ 1199092+ 1199091015840

3

1205723= 1198963-1120572

1+ 1198963-2120572

2+ 1205721015840

3

1205733= 1205731015840

1+ 1205731015840

2+ 1205731015840

3

(8)

and sends ⟨1199093 120572

3 120573

3⟩ to node 8

Aggregators 8 and 10 perform corresponding tasks

1199098= 1199093+ 1199094+ 1199095 119909

10= 119909

8+ 119909

9

1205728= 1198968-3120572

3+ 1198968-4120572

4+ 1198968-5120572

5

12057210= 11989610-8120572

8+ 11989610-9120572

9

1205738= 120573

3+ 120573

4+ 1205735 120573

10= 120573

8+ 120573

9

(9)

where node 8 sends ⟨1199098 120572

8 120573

8⟩ to node 10 and node 10 sends

⟨11990910 120572

10 120573

10⟩ to base station

423 Result-Checking Phase The purpose of result-checkingphase is to enable base station to verify that the integrity ofSUM 119909

10has not been violatedThe verification is performed

as followsBase station checks if

12057310minus 119897minus1119896bs-10120572

8= sum120579

119894minus 119897minus1120579119909

10 (10)

where ⟨11990910 120572

10 120573

10⟩ is sent by node 10 to base station 120579 119897

119896bs-10 120579119894 (119894 from 1 to 7) are only known to base station and 119897minus1

is the inverse of 119897 modulo which is the order 119902 of the ellipticcurve group 119864(119885

119901)

Since

12057310= 120573

8+ 120573

9

= 1205731015840

3+ 120573

4+ 120573

5+ 120573

6+ 120573

7

= 1205731+ 120573

2+ 120573

3+ 120573

4+ 120573

5+ 120573

6+ 120573

7

=11990911205731+ 1205791+ 11990921205732+ 1205792+ 11990931205733+ 1205793+ 11990941205734

+ 1205794+ 11990951205735+ 1205795+ 11990961205736+ 1205796+ 11990971205737+ 1205797

= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)

+ (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)

119897minus1119896bs-10120572

10

= 119897minus1119896bs-10 (11989610-8120572

8+ 11989610-9120572

9)

= 119897minus1119896bs-10

times (11989610-8 (1198968-3120572

3+ 1198968-4120572

4+ 1198968-5120572

5)

+ 11989610-9 (1198969-6120572

6+ 1198969-7120572

7))

= 119897minus1119896bs-10

times (11989610-8 (1198968-3 (120572

1015840

3+ 1198963-1120572

1+ 1198963-2120572

2)

+ 1198968-4120572

4+ 1198968-4120572

5)

+ 11989610-9 (1198969-6120572

6+ 1198969-7120572

7))

= 119897minus1119896bs-1011989610-81198968-3

times (1198963-1 (

119897

119896bs-1011989610-81198968-31198963-1)11990911205731

+ 1198963-2 (

119897

119896bs-1011989610-81198968-31198963-2)11990921205732

+(119897

119896bs-1011989610-81198968-3)11990931205733)

+ 119897minus1119896bs-1011989610-8

times (1198968-4 (

119897

119896bs-1011989610-81198968-4)11990941205734

+ 1198968-5 (

119897

119896bs-1011989610-81198968-5)11990951205735)

+ 119897minus1119896bs-1011989610-9

times (1198969-6 (

119897

119896bs-1011989610-91198969-6)11990961205736

+ 1198969-7 (

119897

119896bs-1011989610-91198969-7)11990971205737)

= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)

+ 119897minus1120579 (1199091+ 1199092+ 1199093+ 1199094+ 1199095+ 1199096+ 1199097)

(11)

We can say that base station accepts the SUM aggregation11990910 or the two tags will only verify if all tags are generated

by honest nodes and aggregated correctly along the pathAgain note that 119897minus1 is the inverse of 119897 modulo 119902 which is

the order of the elliptic curve group 119864(119885119901) and 120579 119897 119896bs-10 are

only known to base station

5 Analysis

This section discusses the security and congestion complexityof EIPDAP

51 Overview Once a node has been compromised it isunder the full control of the adversary which can record andinject messages as will We also assume that the adversarycan only corrupt a (small) fraction of nodes including theaggregators Also we do not concern denial-of-service attackThe following is the proof for security of EIPDAP

6 International Journal of Distributed Sensor Networks

Definition 2 (sensor node inconsistency) Let ⟨119909119905 120572

119905 120573

119905⟩ be

a message sent by sensor node 119905 There is an inconsistency atnode 119905 if either

(1) 120572119905= 1199091199051198961199051+ 1199091199051205731199051198961199052

or

(2) 120573119905= 119909119905120573119905+ 120579119905

Definition 3 (sensor node forgery) An adversary eavesdrop-ping on sensor node 119894 successfully forges a new message⟨119909lowast

119894 120572lowast

119894 120573lowast

119894⟩ if

(1) 119909lowast119894

= 119909119894

(2) 120572lowast119894= 119909lowast

1198941198961198941+ 119909lowast

1198941205731198941198961198942

(3) 120573119894= 119909lowast

119894120573119894+ 120579119894

Since once a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected howeverwe do not address this kind of forgery here

Lemma 4 Let the final SUM aggregation received by the basestation be 119909

119891119894119899119886119897 then 119878

119871+ 120583 le 119909

119891119894119899119886119897

le 119878119871+ 120583V where 119878

119871is the

sum of the data values of all the legitimate nodes and 120583 is thetotal number of corrupted nodes

Proof As the conclusion is obvious here so we do not provein detail

Lemma 5 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid message as an honestsensor node for all eavesdropping probabilistic polynomialadversaries

Proof Let ⟨119909119894 120572

119894 120573

119894⟩ be an internal message sent by sensor

node 119894 to its parentSay adversary is eavesdropping on node 119894 In order to

forge a valid message ⟨119909lowast

119894 120572lowast

119894 120573lowast

119894⟩ for 119909

lowast

119894 119860 can easily

compute a valid 120572lowast119894= 119909lowast

119894119909minus1119894120572119894

As 120573119894= 119909119894120573119894+ 120579119894= 119909119894119910119866 for some integer 119910 a valid 120573lowast

119894

should be computed as

120573lowast

119894= 119909lowast

119894120573119894+ 120579119894= 119909lowast

119894119910lowast119866

= 119909lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866

(12)

Due to 120579119894and 120573

119894 adversary cannot forge 120573lowast

119894directly from

119909lowast

119894120573119894+ 120579119894but to compute 119909lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866 119860 has 119909lowast

119894 119909119894 120573119894

and 119866 the factors it lack are 119910 and 119910lowastCalculating 119910 from 120573

119894= 119909119894119910119866 and 119910lowast from 120573

lowast

119894= 119909lowast

119894119910lowast119866

is ECDLP which means calculating 120573lowast119894from 119909

lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866

is hardAnother concern rises when adversary keeps eavesdrop-

ping on sensor node 119894 and records the messages sent by 119894Assume that adversary has

⟨119909119894119895 120572

119894119895 120573

119894119895⟩ | 119895 isin [1 119899] (13)

where ⟨119909119894119895 120572

119894119895 120573

119894119895⟩ represents the message ⟨119909

119894 120572

119894 120573

119894⟩

node 119894 sends to parent in the 119895th query and 119899 is the number of

queries Note that in each query every sensor node 119894 choosesa new secret key 119897

119894

For all 119895 isin [1 119899] adversary has

120573119894119895 = 120573119894119895119909

119894119895 + 120579119894 (14)

Because the number of variable is the number of equationsplus one so adversary cannot solve equations in (14) to obtain120573119894119895 or 120579119894In conclusion the probability of an adversary successfully

forging a new message ⟨119909lowast119894 120572lowast

119894 120573lowast

119894⟩ when eavesdropping on

sensor node 119894 is negligible completing the proof

Definition 6 (aggregator inconsistency) Let ⟨119909119905 120572

119905 120573

119905⟩ be an

internal message aggregated by node 119905 with two children 119906and V Let ⟨119909

119906 120572

119906 120573

119906⟩ and ⟨119909V 120572

V 120573

V⟩ be two messages from

119906 and V There is an inconsistency at node 119905 if

(1) 119909119905= 1199091015840

119905+ 119909

119906+ 119909

V or

(2) 120572119905= 1205721015840

119905+ 120572

119906+ 120572

119905or

(3) 120573119905= 1205731015840

119906+ 120573

119906+ 120573

119905

Definition 7 (compromised aggregator forgery) An adver-sary which compromised a aggregator 119895 successfully forgesa new aggregate result ⟨119909lowast

119895 120572lowast

119895 120573lowast

119895⟩ if

(1) 119909lowast119895

= 119909119895

(2) 120572lowast119895= 1205721015840

119895+ 119896119895minus11205721198951+ 119896119895minus21205721198952+ sdot sdot sdot + 119896

119895minus119897120572119895119897(1205721015840119895= 0 if 119895

does not sense data)(3) 120573119895= 1205731015840

119895+ 120573

1198951+ 120573

1198952+ sdot sdot sdot + 120573

119895119897(1205731015840119895= 0 if 119895 does

not sense data) assuming aggregator 119895 has 119897 children1198951 1198952 119895119897

Lemma 8 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid aggregate result for allprobabilistic polynomial adversaries even when a high-levelaggregator is compromised

Proof We assume that aggregator 10 has been compromisedwhere an adversary is in complete control of node 10obtaining all secret keys of node 10 Now an adversaryattempts to forge SUM aggregation and two correspondingtags after eavesdropping several aggregations and records

⟨11990910119894 120572

10119894 120573

10119894⟩ | 119894 isin [1 119899] (15)

where ⟨11990910119894 120572

10119894 120573

10119894⟩ represents the message ⟨119909

10 120572

10

12057310⟩ node 10 sends to base station in the 119894th query and 119899 is

the number of queries Note that in each query every sensornode 119895 chooses a new secret key 119897

119895

For all 119894 isin [1 119899] adversary has

12057310119894 = 119897

minus1119896bs-10120572

10119894

= (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)

minus 119897minus1120579119909

10119894

(16)

International Journal of Distributed Sensor Networks 7

Now adversary tries to forge a new message ⟨119909lowast10 120572lowast

10 120573lowast

10⟩

which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909

9 119909

10 11989610-8 11989610-9 120572

8 120572

9 120573

8 120573

9in each query and the

knowledge of the elliptic curve group 119864(119885119901)

Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful

adversary which we do not concern here

Case 2 Adversary tries to compute 119897minus1120579 by multiplying

1198961198941

(equals 120579119896path) and the inverse of 1198961198941

(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator

Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has

12057310minus 120572

10

= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909

10

997904rArr 12057310

= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866

(17)

for some integer 1199102 Similar to Lemma 4 since sum120579

119894(119894 from

1 to 7) is kept secret from adversary and computing 1199102from

1205733= 1199102119866 is ECDLP then 120573

10cannot be forged either

In all cases adversary can only forge a new message⟨119909lowast

10 120572lowast

10 120573lowast

10⟩ with negligible probability completing the

proof

Theorem 9 EIPDAP is integrity-preserving

Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof

52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN

Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy

In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and

Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899

119892is the group size

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(1) 119874(1) 0

Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(Δ) 119874(Δ) 0

Table 3 Aggregation tree congestion comparison

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0

path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3

By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks

6 Conclusion and Future Work

Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC

EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly

8 International Journal of Distributed Sensor Networks

reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase

Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving

In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability

We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach

Appendix

Attack on the Julia-Sanjay Scheme

If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904

119894 enc(119898

119894)⟩ received from its child 119894 In order to

modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge

an encrypted message

enc (1198981015840119894) = enc (119898

119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)

given as 119890nc(119898119894) = ⟨119906

119894 V119894⟩ And it is also easy to forge a valid

signature

1199041015840

119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)

If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN

Acknowledgments

The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions

References

[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008

[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008

[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003

[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003

[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007

[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007

[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010

[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008

[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009

[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008

[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006

[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008

[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006

[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009

[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003

[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010

International Journal of Distributed Sensor Networks 9

[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004

[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005

[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006

[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

4 International Journal of Distributed Sensor Networks

3 5

8

10

4

1 2

9

6 7

bs

1205721

1205731= 11989711205721

1205722

1205732= 11989721205722

1205724

1205734= 11989741205724

1205725

1205735= 11989751205725

1205726

1205736= 11989761205726

1205727

1205737= 11989771205727119909

1= 119909

1

120572

1= 119909

111989611+ 119909

1120573111989612

11205731+ 120579

1

119909

2= 119909

2

120572

2= 119909

211989621+ 119909

2120573211989622

21205732+ 120579

2

119909

3= 119909

998400

3+ 119909

1+ 119909

2

120572

3= 120572

998400

3+ 119896

31120572

1+ 119896

32120572

2

119865(119904bs 11990410 119873)

11989610-8= 119891(119904

10 1199048 119873)

11989610-9= 119891(119904

10 1199049 119873)

1198968-3= 119891(119904

8 1199043 119873)

120573

3= 120573

1+ 120573

2+ 120573

998400

3

120573

1= 119909 120573

2= 119909

119909998400

3= 119909

3

120572998400

3= 119909

311989631+ 119909

3120573311989632

120573998400

3= 119909

31205733+ 120579

3

119896bs-10 =

Figure 1 Aggregation phaseThe nodes 1 2 3 4 5 6 and 7 are sensor nodes and the nodes 8 9 and 10 are aggregators while node 3 works asboth sensor node and aggregator Without losing generality we assume that every intermediate node is able to sense raw data and performsaggregation like node 3 does

For each sensor node 119894 base station also calculates twopath-keys 119896

1198941and 1198961198942

as follows

1198961198941=

120579

119896path (3)

1198961198942=

119897

119896path (4)

where 120579 is a point in 119864(119885119901) 119897 is an integer and they are both

chosen by base station to enable data aggregation and preventstealthyreplay attacks

If the path from base station to sensor node 119894 is 1-2-3-119894then 119896path = 1198961-21198962-31198963-119894

Finally the base stationwith transmission ranges coveringthewholewireless sensor network directly broadcasts to node119894 the path-keys and edge-keys encrypted with the secret key119904119896119894

422 Data Aggregation Phase In the query disseminationphase each node has already identified their parents and thebase station has the overall view of the aggregation tree

In Figure 1 take paths BS-10-8-3-1 and BS-10-8-3-2 forinstance as sensor node nodes 3 1 and 2 each has a message

that is to be passed to their parents And the message has thefollowing format

⟨119909119894 120572

119894 120573

119894⟩ (5)

where 119909119894is the SUM aggregation over all sensor nodes in the

subtree 120572119894and 120573

119894are the first and second tag respectively

For nodes 1 and 2

1199091= 1199091 119909

2= 1199092

1205721= 119909111989611+ 1199091120573111989612

1205722= 119909211989621+ 1199092120573211989622

1205731= 11990911205731+ 1205791 120573

3= 11990931205733+ 1205793

(6)

For aggregatorsensor node 3 with data 1199093 it first com-

putes 12057210158403and 1205731015840

3as a sensor node

1199091015840

3= 1199093 120572

1015840

3= 119909311989631+ 1199093120573311989632

1205731015840

3= 11990931205733+ 1205793

(7)

International Journal of Distributed Sensor Networks 5

Then node 1 and 2 send their data and tags to node 3 Afterreceiving all messages from its subtree node 3 works asaggregator to perform aggregation

1199093= 1199091+ 1199092+ 1199091015840

3

1205723= 1198963-1120572

1+ 1198963-2120572

2+ 1205721015840

3

1205733= 1205731015840

1+ 1205731015840

2+ 1205731015840

3

(8)

and sends ⟨1199093 120572

3 120573

3⟩ to node 8

Aggregators 8 and 10 perform corresponding tasks

1199098= 1199093+ 1199094+ 1199095 119909

10= 119909

8+ 119909

9

1205728= 1198968-3120572

3+ 1198968-4120572

4+ 1198968-5120572

5

12057210= 11989610-8120572

8+ 11989610-9120572

9

1205738= 120573

3+ 120573

4+ 1205735 120573

10= 120573

8+ 120573

9

(9)

where node 8 sends ⟨1199098 120572

8 120573

8⟩ to node 10 and node 10 sends

⟨11990910 120572

10 120573

10⟩ to base station

423 Result-Checking Phase The purpose of result-checkingphase is to enable base station to verify that the integrity ofSUM 119909

10has not been violatedThe verification is performed

as followsBase station checks if

12057310minus 119897minus1119896bs-10120572

8= sum120579

119894minus 119897minus1120579119909

10 (10)

where ⟨11990910 120572

10 120573

10⟩ is sent by node 10 to base station 120579 119897

119896bs-10 120579119894 (119894 from 1 to 7) are only known to base station and 119897minus1

is the inverse of 119897 modulo which is the order 119902 of the ellipticcurve group 119864(119885

119901)

Since

12057310= 120573

8+ 120573

9

= 1205731015840

3+ 120573

4+ 120573

5+ 120573

6+ 120573

7

= 1205731+ 120573

2+ 120573

3+ 120573

4+ 120573

5+ 120573

6+ 120573

7

=11990911205731+ 1205791+ 11990921205732+ 1205792+ 11990931205733+ 1205793+ 11990941205734

+ 1205794+ 11990951205735+ 1205795+ 11990961205736+ 1205796+ 11990971205737+ 1205797

= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)

+ (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)

119897minus1119896bs-10120572

10

= 119897minus1119896bs-10 (11989610-8120572

8+ 11989610-9120572

9)

= 119897minus1119896bs-10

times (11989610-8 (1198968-3120572

3+ 1198968-4120572

4+ 1198968-5120572

5)

+ 11989610-9 (1198969-6120572

6+ 1198969-7120572

7))

= 119897minus1119896bs-10

times (11989610-8 (1198968-3 (120572

1015840

3+ 1198963-1120572

1+ 1198963-2120572

2)

+ 1198968-4120572

4+ 1198968-4120572

5)

+ 11989610-9 (1198969-6120572

6+ 1198969-7120572

7))

= 119897minus1119896bs-1011989610-81198968-3

times (1198963-1 (

119897

119896bs-1011989610-81198968-31198963-1)11990911205731

+ 1198963-2 (

119897

119896bs-1011989610-81198968-31198963-2)11990921205732

+(119897

119896bs-1011989610-81198968-3)11990931205733)

+ 119897minus1119896bs-1011989610-8

times (1198968-4 (

119897

119896bs-1011989610-81198968-4)11990941205734

+ 1198968-5 (

119897

119896bs-1011989610-81198968-5)11990951205735)

+ 119897minus1119896bs-1011989610-9

times (1198969-6 (

119897

119896bs-1011989610-91198969-6)11990961205736

+ 1198969-7 (

119897

119896bs-1011989610-91198969-7)11990971205737)

= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)

+ 119897minus1120579 (1199091+ 1199092+ 1199093+ 1199094+ 1199095+ 1199096+ 1199097)

(11)

We can say that base station accepts the SUM aggregation11990910 or the two tags will only verify if all tags are generated

by honest nodes and aggregated correctly along the pathAgain note that 119897minus1 is the inverse of 119897 modulo 119902 which is

the order of the elliptic curve group 119864(119885119901) and 120579 119897 119896bs-10 are

only known to base station

5 Analysis

This section discusses the security and congestion complexityof EIPDAP

51 Overview Once a node has been compromised it isunder the full control of the adversary which can record andinject messages as will We also assume that the adversarycan only corrupt a (small) fraction of nodes including theaggregators Also we do not concern denial-of-service attackThe following is the proof for security of EIPDAP

6 International Journal of Distributed Sensor Networks

Definition 2 (sensor node inconsistency) Let ⟨119909119905 120572

119905 120573

119905⟩ be

a message sent by sensor node 119905 There is an inconsistency atnode 119905 if either

(1) 120572119905= 1199091199051198961199051+ 1199091199051205731199051198961199052

or

(2) 120573119905= 119909119905120573119905+ 120579119905

Definition 3 (sensor node forgery) An adversary eavesdrop-ping on sensor node 119894 successfully forges a new message⟨119909lowast

119894 120572lowast

119894 120573lowast

119894⟩ if

(1) 119909lowast119894

= 119909119894

(2) 120572lowast119894= 119909lowast

1198941198961198941+ 119909lowast

1198941205731198941198961198942

(3) 120573119894= 119909lowast

119894120573119894+ 120579119894

Since once a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected howeverwe do not address this kind of forgery here

Lemma 4 Let the final SUM aggregation received by the basestation be 119909

119891119894119899119886119897 then 119878

119871+ 120583 le 119909

119891119894119899119886119897

le 119878119871+ 120583V where 119878

119871is the

sum of the data values of all the legitimate nodes and 120583 is thetotal number of corrupted nodes

Proof As the conclusion is obvious here so we do not provein detail

Lemma 5 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid message as an honestsensor node for all eavesdropping probabilistic polynomialadversaries

Proof Let ⟨119909119894 120572

119894 120573

119894⟩ be an internal message sent by sensor

node 119894 to its parentSay adversary is eavesdropping on node 119894 In order to

forge a valid message ⟨119909lowast

119894 120572lowast

119894 120573lowast

119894⟩ for 119909

lowast

119894 119860 can easily

compute a valid 120572lowast119894= 119909lowast

119894119909minus1119894120572119894

As 120573119894= 119909119894120573119894+ 120579119894= 119909119894119910119866 for some integer 119910 a valid 120573lowast

119894

should be computed as

120573lowast

119894= 119909lowast

119894120573119894+ 120579119894= 119909lowast

119894119910lowast119866

= 119909lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866

(12)

Due to 120579119894and 120573

119894 adversary cannot forge 120573lowast

119894directly from

119909lowast

119894120573119894+ 120579119894but to compute 119909lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866 119860 has 119909lowast

119894 119909119894 120573119894

and 119866 the factors it lack are 119910 and 119910lowastCalculating 119910 from 120573

119894= 119909119894119910119866 and 119910lowast from 120573

lowast

119894= 119909lowast

119894119910lowast119866

is ECDLP which means calculating 120573lowast119894from 119909

lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866

is hardAnother concern rises when adversary keeps eavesdrop-

ping on sensor node 119894 and records the messages sent by 119894Assume that adversary has

⟨119909119894119895 120572

119894119895 120573

119894119895⟩ | 119895 isin [1 119899] (13)

where ⟨119909119894119895 120572

119894119895 120573

119894119895⟩ represents the message ⟨119909

119894 120572

119894 120573

119894⟩

node 119894 sends to parent in the 119895th query and 119899 is the number of

queries Note that in each query every sensor node 119894 choosesa new secret key 119897

119894

For all 119895 isin [1 119899] adversary has

120573119894119895 = 120573119894119895119909

119894119895 + 120579119894 (14)

Because the number of variable is the number of equationsplus one so adversary cannot solve equations in (14) to obtain120573119894119895 or 120579119894In conclusion the probability of an adversary successfully

forging a new message ⟨119909lowast119894 120572lowast

119894 120573lowast

119894⟩ when eavesdropping on

sensor node 119894 is negligible completing the proof

Definition 6 (aggregator inconsistency) Let ⟨119909119905 120572

119905 120573

119905⟩ be an

internal message aggregated by node 119905 with two children 119906and V Let ⟨119909

119906 120572

119906 120573

119906⟩ and ⟨119909V 120572

V 120573

V⟩ be two messages from

119906 and V There is an inconsistency at node 119905 if

(1) 119909119905= 1199091015840

119905+ 119909

119906+ 119909

V or

(2) 120572119905= 1205721015840

119905+ 120572

119906+ 120572

119905or

(3) 120573119905= 1205731015840

119906+ 120573

119906+ 120573

119905

Definition 7 (compromised aggregator forgery) An adver-sary which compromised a aggregator 119895 successfully forgesa new aggregate result ⟨119909lowast

119895 120572lowast

119895 120573lowast

119895⟩ if

(1) 119909lowast119895

= 119909119895

(2) 120572lowast119895= 1205721015840

119895+ 119896119895minus11205721198951+ 119896119895minus21205721198952+ sdot sdot sdot + 119896

119895minus119897120572119895119897(1205721015840119895= 0 if 119895

does not sense data)(3) 120573119895= 1205731015840

119895+ 120573

1198951+ 120573

1198952+ sdot sdot sdot + 120573

119895119897(1205731015840119895= 0 if 119895 does

not sense data) assuming aggregator 119895 has 119897 children1198951 1198952 119895119897

Lemma 8 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid aggregate result for allprobabilistic polynomial adversaries even when a high-levelaggregator is compromised

Proof We assume that aggregator 10 has been compromisedwhere an adversary is in complete control of node 10obtaining all secret keys of node 10 Now an adversaryattempts to forge SUM aggregation and two correspondingtags after eavesdropping several aggregations and records

⟨11990910119894 120572

10119894 120573

10119894⟩ | 119894 isin [1 119899] (15)

where ⟨11990910119894 120572

10119894 120573

10119894⟩ represents the message ⟨119909

10 120572

10

12057310⟩ node 10 sends to base station in the 119894th query and 119899 is

the number of queries Note that in each query every sensornode 119895 chooses a new secret key 119897

119895

For all 119894 isin [1 119899] adversary has

12057310119894 = 119897

minus1119896bs-10120572

10119894

= (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)

minus 119897minus1120579119909

10119894

(16)

International Journal of Distributed Sensor Networks 7

Now adversary tries to forge a new message ⟨119909lowast10 120572lowast

10 120573lowast

10⟩

which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909

9 119909

10 11989610-8 11989610-9 120572

8 120572

9 120573

8 120573

9in each query and the

knowledge of the elliptic curve group 119864(119885119901)

Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful

adversary which we do not concern here

Case 2 Adversary tries to compute 119897minus1120579 by multiplying

1198961198941

(equals 120579119896path) and the inverse of 1198961198941

(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator

Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has

12057310minus 120572

10

= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909

10

997904rArr 12057310

= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866

(17)

for some integer 1199102 Similar to Lemma 4 since sum120579

119894(119894 from

1 to 7) is kept secret from adversary and computing 1199102from

1205733= 1199102119866 is ECDLP then 120573

10cannot be forged either

In all cases adversary can only forge a new message⟨119909lowast

10 120572lowast

10 120573lowast

10⟩ with negligible probability completing the

proof

Theorem 9 EIPDAP is integrity-preserving

Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof

52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN

Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy

In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and

Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899

119892is the group size

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(1) 119874(1) 0

Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(Δ) 119874(Δ) 0

Table 3 Aggregation tree congestion comparison

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0

path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3

By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks

6 Conclusion and Future Work

Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC

EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly

8 International Journal of Distributed Sensor Networks

reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase

Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving

In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability

We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach

Appendix

Attack on the Julia-Sanjay Scheme

If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904

119894 enc(119898

119894)⟩ received from its child 119894 In order to

modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge

an encrypted message

enc (1198981015840119894) = enc (119898

119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)

given as 119890nc(119898119894) = ⟨119906

119894 V119894⟩ And it is also easy to forge a valid

signature

1199041015840

119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)

If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN

Acknowledgments

The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions

References

[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008

[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008

[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003

[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003

[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007

[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007

[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010

[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008

[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009

[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008

[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006

[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008

[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006

[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009

[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003

[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010

International Journal of Distributed Sensor Networks 9

[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004

[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005

[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006

[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

International Journal of Distributed Sensor Networks 5

Then node 1 and 2 send their data and tags to node 3 Afterreceiving all messages from its subtree node 3 works asaggregator to perform aggregation

1199093= 1199091+ 1199092+ 1199091015840

3

1205723= 1198963-1120572

1+ 1198963-2120572

2+ 1205721015840

3

1205733= 1205731015840

1+ 1205731015840

2+ 1205731015840

3

(8)

and sends ⟨1199093 120572

3 120573

3⟩ to node 8

Aggregators 8 and 10 perform corresponding tasks

1199098= 1199093+ 1199094+ 1199095 119909

10= 119909

8+ 119909

9

1205728= 1198968-3120572

3+ 1198968-4120572

4+ 1198968-5120572

5

12057210= 11989610-8120572

8+ 11989610-9120572

9

1205738= 120573

3+ 120573

4+ 1205735 120573

10= 120573

8+ 120573

9

(9)

where node 8 sends ⟨1199098 120572

8 120573

8⟩ to node 10 and node 10 sends

⟨11990910 120572

10 120573

10⟩ to base station

423 Result-Checking Phase The purpose of result-checkingphase is to enable base station to verify that the integrity ofSUM 119909

10has not been violatedThe verification is performed

as followsBase station checks if

12057310minus 119897minus1119896bs-10120572

8= sum120579

119894minus 119897minus1120579119909

10 (10)

where ⟨11990910 120572

10 120573

10⟩ is sent by node 10 to base station 120579 119897

119896bs-10 120579119894 (119894 from 1 to 7) are only known to base station and 119897minus1

is the inverse of 119897 modulo which is the order 119902 of the ellipticcurve group 119864(119885

119901)

Since

12057310= 120573

8+ 120573

9

= 1205731015840

3+ 120573

4+ 120573

5+ 120573

6+ 120573

7

= 1205731+ 120573

2+ 120573

3+ 120573

4+ 120573

5+ 120573

6+ 120573

7

=11990911205731+ 1205791+ 11990921205732+ 1205792+ 11990931205733+ 1205793+ 11990941205734

+ 1205794+ 11990951205735+ 1205795+ 11990961205736+ 1205796+ 11990971205737+ 1205797

= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)

+ (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)

119897minus1119896bs-10120572

10

= 119897minus1119896bs-10 (11989610-8120572

8+ 11989610-9120572

9)

= 119897minus1119896bs-10

times (11989610-8 (1198968-3120572

3+ 1198968-4120572

4+ 1198968-5120572

5)

+ 11989610-9 (1198969-6120572

6+ 1198969-7120572

7))

= 119897minus1119896bs-10

times (11989610-8 (1198968-3 (120572

1015840

3+ 1198963-1120572

1+ 1198963-2120572

2)

+ 1198968-4120572

4+ 1198968-4120572

5)

+ 11989610-9 (1198969-6120572

6+ 1198969-7120572

7))

= 119897minus1119896bs-1011989610-81198968-3

times (1198963-1 (

119897

119896bs-1011989610-81198968-31198963-1)11990911205731

+ 1198963-2 (

119897

119896bs-1011989610-81198968-31198963-2)11990921205732

+(119897

119896bs-1011989610-81198968-3)11990931205733)

+ 119897minus1119896bs-1011989610-8

times (1198968-4 (

119897

119896bs-1011989610-81198968-4)11990941205734

+ 1198968-5 (

119897

119896bs-1011989610-81198968-5)11990951205735)

+ 119897minus1119896bs-1011989610-9

times (1198969-6 (

119897

119896bs-1011989610-91198969-6)11990961205736

+ 1198969-7 (

119897

119896bs-1011989610-91198969-7)11990971205737)

= (11990911205731+ 11990921205732+ 11990931205733+ 11990941205734+ 11990951205735+ 11990961205736+ 11990971205737)

+ 119897minus1120579 (1199091+ 1199092+ 1199093+ 1199094+ 1199095+ 1199096+ 1199097)

(11)

We can say that base station accepts the SUM aggregation11990910 or the two tags will only verify if all tags are generated

by honest nodes and aggregated correctly along the pathAgain note that 119897minus1 is the inverse of 119897 modulo 119902 which is

the order of the elliptic curve group 119864(119885119901) and 120579 119897 119896bs-10 are

only known to base station

5 Analysis

This section discusses the security and congestion complexityof EIPDAP

51 Overview Once a node has been compromised it isunder the full control of the adversary which can record andinject messages as will We also assume that the adversarycan only corrupt a (small) fraction of nodes including theaggregators Also we do not concern denial-of-service attackThe following is the proof for security of EIPDAP

6 International Journal of Distributed Sensor Networks

Definition 2 (sensor node inconsistency) Let ⟨119909119905 120572

119905 120573

119905⟩ be

a message sent by sensor node 119905 There is an inconsistency atnode 119905 if either

(1) 120572119905= 1199091199051198961199051+ 1199091199051205731199051198961199052

or

(2) 120573119905= 119909119905120573119905+ 120579119905

Definition 3 (sensor node forgery) An adversary eavesdrop-ping on sensor node 119894 successfully forges a new message⟨119909lowast

119894 120572lowast

119894 120573lowast

119894⟩ if

(1) 119909lowast119894

= 119909119894

(2) 120572lowast119894= 119909lowast

1198941198961198941+ 119909lowast

1198941205731198941198961198942

(3) 120573119894= 119909lowast

119894120573119894+ 120579119894

Since once a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected howeverwe do not address this kind of forgery here

Lemma 4 Let the final SUM aggregation received by the basestation be 119909

119891119894119899119886119897 then 119878

119871+ 120583 le 119909

119891119894119899119886119897

le 119878119871+ 120583V where 119878

119871is the

sum of the data values of all the legitimate nodes and 120583 is thetotal number of corrupted nodes

Proof As the conclusion is obvious here so we do not provein detail

Lemma 5 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid message as an honestsensor node for all eavesdropping probabilistic polynomialadversaries

Proof Let ⟨119909119894 120572

119894 120573

119894⟩ be an internal message sent by sensor

node 119894 to its parentSay adversary is eavesdropping on node 119894 In order to

forge a valid message ⟨119909lowast

119894 120572lowast

119894 120573lowast

119894⟩ for 119909

lowast

119894 119860 can easily

compute a valid 120572lowast119894= 119909lowast

119894119909minus1119894120572119894

As 120573119894= 119909119894120573119894+ 120579119894= 119909119894119910119866 for some integer 119910 a valid 120573lowast

119894

should be computed as

120573lowast

119894= 119909lowast

119894120573119894+ 120579119894= 119909lowast

119894119910lowast119866

= 119909lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866

(12)

Due to 120579119894and 120573

119894 adversary cannot forge 120573lowast

119894directly from

119909lowast

119894120573119894+ 120579119894but to compute 119909lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866 119860 has 119909lowast

119894 119909119894 120573119894

and 119866 the factors it lack are 119910 and 119910lowastCalculating 119910 from 120573

119894= 119909119894119910119866 and 119910lowast from 120573

lowast

119894= 119909lowast

119894119910lowast119866

is ECDLP which means calculating 120573lowast119894from 119909

lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866

is hardAnother concern rises when adversary keeps eavesdrop-

ping on sensor node 119894 and records the messages sent by 119894Assume that adversary has

⟨119909119894119895 120572

119894119895 120573

119894119895⟩ | 119895 isin [1 119899] (13)

where ⟨119909119894119895 120572

119894119895 120573

119894119895⟩ represents the message ⟨119909

119894 120572

119894 120573

119894⟩

node 119894 sends to parent in the 119895th query and 119899 is the number of

queries Note that in each query every sensor node 119894 choosesa new secret key 119897

119894

For all 119895 isin [1 119899] adversary has

120573119894119895 = 120573119894119895119909

119894119895 + 120579119894 (14)

Because the number of variable is the number of equationsplus one so adversary cannot solve equations in (14) to obtain120573119894119895 or 120579119894In conclusion the probability of an adversary successfully

forging a new message ⟨119909lowast119894 120572lowast

119894 120573lowast

119894⟩ when eavesdropping on

sensor node 119894 is negligible completing the proof

Definition 6 (aggregator inconsistency) Let ⟨119909119905 120572

119905 120573

119905⟩ be an

internal message aggregated by node 119905 with two children 119906and V Let ⟨119909

119906 120572

119906 120573

119906⟩ and ⟨119909V 120572

V 120573

V⟩ be two messages from

119906 and V There is an inconsistency at node 119905 if

(1) 119909119905= 1199091015840

119905+ 119909

119906+ 119909

V or

(2) 120572119905= 1205721015840

119905+ 120572

119906+ 120572

119905or

(3) 120573119905= 1205731015840

119906+ 120573

119906+ 120573

119905

Definition 7 (compromised aggregator forgery) An adver-sary which compromised a aggregator 119895 successfully forgesa new aggregate result ⟨119909lowast

119895 120572lowast

119895 120573lowast

119895⟩ if

(1) 119909lowast119895

= 119909119895

(2) 120572lowast119895= 1205721015840

119895+ 119896119895minus11205721198951+ 119896119895minus21205721198952+ sdot sdot sdot + 119896

119895minus119897120572119895119897(1205721015840119895= 0 if 119895

does not sense data)(3) 120573119895= 1205731015840

119895+ 120573

1198951+ 120573

1198952+ sdot sdot sdot + 120573

119895119897(1205731015840119895= 0 if 119895 does

not sense data) assuming aggregator 119895 has 119897 children1198951 1198952 119895119897

Lemma 8 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid aggregate result for allprobabilistic polynomial adversaries even when a high-levelaggregator is compromised

Proof We assume that aggregator 10 has been compromisedwhere an adversary is in complete control of node 10obtaining all secret keys of node 10 Now an adversaryattempts to forge SUM aggregation and two correspondingtags after eavesdropping several aggregations and records

⟨11990910119894 120572

10119894 120573

10119894⟩ | 119894 isin [1 119899] (15)

where ⟨11990910119894 120572

10119894 120573

10119894⟩ represents the message ⟨119909

10 120572

10

12057310⟩ node 10 sends to base station in the 119894th query and 119899 is

the number of queries Note that in each query every sensornode 119895 chooses a new secret key 119897

119895

For all 119894 isin [1 119899] adversary has

12057310119894 = 119897

minus1119896bs-10120572

10119894

= (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)

minus 119897minus1120579119909

10119894

(16)

International Journal of Distributed Sensor Networks 7

Now adversary tries to forge a new message ⟨119909lowast10 120572lowast

10 120573lowast

10⟩

which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909

9 119909

10 11989610-8 11989610-9 120572

8 120572

9 120573

8 120573

9in each query and the

knowledge of the elliptic curve group 119864(119885119901)

Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful

adversary which we do not concern here

Case 2 Adversary tries to compute 119897minus1120579 by multiplying

1198961198941

(equals 120579119896path) and the inverse of 1198961198941

(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator

Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has

12057310minus 120572

10

= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909

10

997904rArr 12057310

= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866

(17)

for some integer 1199102 Similar to Lemma 4 since sum120579

119894(119894 from

1 to 7) is kept secret from adversary and computing 1199102from

1205733= 1199102119866 is ECDLP then 120573

10cannot be forged either

In all cases adversary can only forge a new message⟨119909lowast

10 120572lowast

10 120573lowast

10⟩ with negligible probability completing the

proof

Theorem 9 EIPDAP is integrity-preserving

Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof

52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN

Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy

In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and

Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899

119892is the group size

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(1) 119874(1) 0

Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(Δ) 119874(Δ) 0

Table 3 Aggregation tree congestion comparison

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0

path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3

By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks

6 Conclusion and Future Work

Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC

EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly

8 International Journal of Distributed Sensor Networks

reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase

Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving

In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability

We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach

Appendix

Attack on the Julia-Sanjay Scheme

If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904

119894 enc(119898

119894)⟩ received from its child 119894 In order to

modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge

an encrypted message

enc (1198981015840119894) = enc (119898

119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)

given as 119890nc(119898119894) = ⟨119906

119894 V119894⟩ And it is also easy to forge a valid

signature

1199041015840

119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)

If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN

Acknowledgments

The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions

References

[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008

[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008

[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003

[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003

[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007

[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007

[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010

[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008

[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009

[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008

[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006

[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008

[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006

[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009

[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003

[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010

International Journal of Distributed Sensor Networks 9

[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004

[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005

[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006

[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

6 International Journal of Distributed Sensor Networks

Definition 2 (sensor node inconsistency) Let ⟨119909119905 120572

119905 120573

119905⟩ be

a message sent by sensor node 119905 There is an inconsistency atnode 119905 if either

(1) 120572119905= 1199091199051198961199051+ 1199091199051205731199051198961199052

or

(2) 120573119905= 119909119905120573119905+ 120579119905

Definition 3 (sensor node forgery) An adversary eavesdrop-ping on sensor node 119894 successfully forges a new message⟨119909lowast

119894 120572lowast

119894 120573lowast

119894⟩ if

(1) 119909lowast119894

= 119909119894

(2) 120572lowast119894= 119909lowast

1198941198961198941+ 119909lowast

1198941205731198941198961198942

(3) 120573119894= 119909lowast

119894120573119894+ 120579119894

Since once a sensor node is compromised the adversary canobtain all its confidential information (eg cryptographickeys) and send false data without being detected howeverwe do not address this kind of forgery here

Lemma 4 Let the final SUM aggregation received by the basestation be 119909

119891119894119899119886119897 then 119878

119871+ 120583 le 119909

119891119894119899119886119897

le 119878119871+ 120583V where 119878

119871is the

sum of the data values of all the legitimate nodes and 120583 is thetotal number of corrupted nodes

Proof As the conclusion is obvious here so we do not provein detail

Lemma 5 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid message as an honestsensor node for all eavesdropping probabilistic polynomialadversaries

Proof Let ⟨119909119894 120572

119894 120573

119894⟩ be an internal message sent by sensor

node 119894 to its parentSay adversary is eavesdropping on node 119894 In order to

forge a valid message ⟨119909lowast

119894 120572lowast

119894 120573lowast

119894⟩ for 119909

lowast

119894 119860 can easily

compute a valid 120572lowast119894= 119909lowast

119894119909minus1119894120572119894

As 120573119894= 119909119894120573119894+ 120579119894= 119909119894119910119866 for some integer 119910 a valid 120573lowast

119894

should be computed as

120573lowast

119894= 119909lowast

119894120573119894+ 120579119894= 119909lowast

119894119910lowast119866

= 119909lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866

(12)

Due to 120579119894and 120573

119894 adversary cannot forge 120573lowast

119894directly from

119909lowast

119894120573119894+ 120579119894but to compute 119909lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866 119860 has 119909lowast

119894 119909119894 120573119894

and 119866 the factors it lack are 119910 and 119910lowastCalculating 119910 from 120573

119894= 119909119894119910119866 and 119910lowast from 120573

lowast

119894= 119909lowast

119894119910lowast119866

is ECDLP which means calculating 120573lowast119894from 119909

lowast

119894119910lowast119909minus1

119894119910minus1120573119894119866

is hardAnother concern rises when adversary keeps eavesdrop-

ping on sensor node 119894 and records the messages sent by 119894Assume that adversary has

⟨119909119894119895 120572

119894119895 120573

119894119895⟩ | 119895 isin [1 119899] (13)

where ⟨119909119894119895 120572

119894119895 120573

119894119895⟩ represents the message ⟨119909

119894 120572

119894 120573

119894⟩

node 119894 sends to parent in the 119895th query and 119899 is the number of

queries Note that in each query every sensor node 119894 choosesa new secret key 119897

119894

For all 119895 isin [1 119899] adversary has

120573119894119895 = 120573119894119895119909

119894119895 + 120579119894 (14)

Because the number of variable is the number of equationsplus one so adversary cannot solve equations in (14) to obtain120573119894119895 or 120579119894In conclusion the probability of an adversary successfully

forging a new message ⟨119909lowast119894 120572lowast

119894 120573lowast

119894⟩ when eavesdropping on

sensor node 119894 is negligible completing the proof

Definition 6 (aggregator inconsistency) Let ⟨119909119905 120572

119905 120573

119905⟩ be an

internal message aggregated by node 119905 with two children 119906and V Let ⟨119909

119906 120572

119906 120573

119906⟩ and ⟨119909V 120572

V 120573

V⟩ be two messages from

119906 and V There is an inconsistency at node 119905 if

(1) 119909119905= 1199091015840

119905+ 119909

119906+ 119909

V or

(2) 120572119905= 1205721015840

119905+ 120572

119906+ 120572

119905or

(3) 120573119905= 1205731015840

119906+ 120573

119906+ 120573

119905

Definition 7 (compromised aggregator forgery) An adver-sary which compromised a aggregator 119895 successfully forgesa new aggregate result ⟨119909lowast

119895 120572lowast

119895 120573lowast

119895⟩ if

(1) 119909lowast119895

= 119909119895

(2) 120572lowast119895= 1205721015840

119895+ 119896119895minus11205721198951+ 119896119895minus21205721198952+ sdot sdot sdot + 119896

119895minus119897120572119895119897(1205721015840119895= 0 if 119895

does not sense data)(3) 120573119895= 1205731015840

119895+ 120573

1198951+ 120573

1198952+ sdot sdot sdot + 120573

119895119897(1205731015840119895= 0 if 119895 does

not sense data) assuming aggregator 119895 has 119897 children1198951 1198952 119895119897

Lemma 8 If elliptic curve discrete logarithm problem is hardthen it is not possible to forge a valid aggregate result for allprobabilistic polynomial adversaries even when a high-levelaggregator is compromised

Proof We assume that aggregator 10 has been compromisedwhere an adversary is in complete control of node 10obtaining all secret keys of node 10 Now an adversaryattempts to forge SUM aggregation and two correspondingtags after eavesdropping several aggregations and records

⟨11990910119894 120572

10119894 120573

10119894⟩ | 119894 isin [1 119899] (15)

where ⟨11990910119894 120572

10119894 120573

10119894⟩ represents the message ⟨119909

10 120572

10

12057310⟩ node 10 sends to base station in the 119894th query and 119899 is

the number of queries Note that in each query every sensornode 119895 chooses a new secret key 119897

119895

For all 119894 isin [1 119899] adversary has

12057310119894 = 119897

minus1119896bs-10120572

10119894

= (1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797)

minus 119897minus1120579119909

10119894

(16)

International Journal of Distributed Sensor Networks 7

Now adversary tries to forge a new message ⟨119909lowast10 120572lowast

10 120573lowast

10⟩

which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909

9 119909

10 11989610-8 11989610-9 120572

8 120572

9 120573

8 120573

9in each query and the

knowledge of the elliptic curve group 119864(119885119901)

Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful

adversary which we do not concern here

Case 2 Adversary tries to compute 119897minus1120579 by multiplying

1198961198941

(equals 120579119896path) and the inverse of 1198961198941

(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator

Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has

12057310minus 120572

10

= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909

10

997904rArr 12057310

= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866

(17)

for some integer 1199102 Similar to Lemma 4 since sum120579

119894(119894 from

1 to 7) is kept secret from adversary and computing 1199102from

1205733= 1199102119866 is ECDLP then 120573

10cannot be forged either

In all cases adversary can only forge a new message⟨119909lowast

10 120572lowast

10 120573lowast

10⟩ with negligible probability completing the

proof

Theorem 9 EIPDAP is integrity-preserving

Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof

52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN

Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy

In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and

Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899

119892is the group size

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(1) 119874(1) 0

Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(Δ) 119874(Δ) 0

Table 3 Aggregation tree congestion comparison

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0

path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3

By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks

6 Conclusion and Future Work

Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC

EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly

8 International Journal of Distributed Sensor Networks

reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase

Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving

In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability

We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach

Appendix

Attack on the Julia-Sanjay Scheme

If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904

119894 enc(119898

119894)⟩ received from its child 119894 In order to

modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge

an encrypted message

enc (1198981015840119894) = enc (119898

119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)

given as 119890nc(119898119894) = ⟨119906

119894 V119894⟩ And it is also easy to forge a valid

signature

1199041015840

119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)

If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN

Acknowledgments

The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions

References

[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008

[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008

[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003

[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003

[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007

[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007

[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010

[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008

[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009

[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008

[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006

[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008

[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006

[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009

[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003

[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010

International Journal of Distributed Sensor Networks 9

[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004

[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005

[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006

[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

International Journal of Distributed Sensor Networks 7

Now adversary tries to forge a new message ⟨119909lowast10 120572lowast

10 120573lowast

10⟩

which satisfies (14) Since node 10 is compromised adversaryhas 1199098 119909

9 119909

10 11989610-8 11989610-9 120572

8 120572

9 120573

8 120573

9in each query and the

knowledge of the elliptic curve group 119864(119885119901)

Case 1 Intuitively adversary tries to obtain 119897 119896bs-10 120579 andsum120579119894(119894 from 1 to 7) However this requires a powerful

adversary which we do not concern here

Case 2 Adversary tries to compute 119897minus1120579 by multiplying

1198961198941

(equals 120579119896path) and the inverse of 1198961198941

(equals 119897119896path)However all path-keys and temporal key are encrypted beforeforwarding to nodes so adversary cannot compute 119897minus1120579whennode 10 only works as an aggregator

Case 3 Aggregator 10 also senses data So adversary cancompute 119897minus1120579 as in Case 2 and 119897minus1119896bs-10 which is the inverse of119897119896bs-10 modulo 119902 Now adversary has

12057310minus 120572

10

= 1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797minus 119909

10

997904rArr 12057310

= 1199101(1205791+ 1205792+ 1205793+ 1205794+ 1205795+ 1205796+ 1205797) = 1199102119866

(17)

for some integer 1199102 Similar to Lemma 4 since sum120579

119894(119894 from

1 to 7) is kept secret from adversary and computing 1199102from

1205733= 1199102119866 is ECDLP then 120573

10cannot be forged either

In all cases adversary can only forge a new message⟨119909lowast

10 120572lowast

10 120573lowast

10⟩ with negligible probability completing the

proof

Theorem 9 EIPDAP is integrity-preserving

Proof From Lemmas 5 and 8 we know that EIPDAP issecure against sensor node forgery in the presence of aneavesdropper and aggregator forgery when an aggregator iscompromised Thus EIPDAP is integrity-preserving com-pleting the proof

52 Congestion Complexity The computational and memorycosts are likely to be insignificant compared to communica-tion [3 14] Higher computation surely causes more energybut a Berkeley mote spends approximately the same amountof energy to compute 800 instructions as it does in sending asingle bit of data [13 20] in WSN

Unlike general hard problems there is no sub-exponential algorithm is known to solve the elliptic curvediscrete logarithm problem (ECDLP) meaning that smallerparameters can be used in ECC than in other systems likeRSA andDSA but with equivalent level of security Because oftheir smaller key size faster computations and reductions inprocessing power storage space and bandwidth ECC is idealfor WSN Although the use of elliptic curve cryptographyincurs higher computational overhead than symmetric-keycryptography our protocol is mainly designed to save energy

In query dissemination phase the base station collectsaggregation tree information and broadcasts edge keys and

Table 1 Edge congestion in the aggregation tree comparison 119899 isthe number of the nodes and 119899

119892is the group size

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(1) 119874(log 119899) 119874(log2119899)Keithrsquos scheme 119874(1) 119874(log 119899) 119874(log 119899)SDAP 119874(1) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(1) 119874(1) 0

Table 2 Node congestion in the aggregation tree comparison Δ isthe degree of the aggregation tree

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δlog2119899)Keithrsquos scheme 119874(Δ) 119874(Δ log 119899) 119874(Δ log 119899)SDAP 119874(Δ) 119874(Δ log (119899119899

119892)) 119874(Δ log (119899119899

119892))

EIPDAP 119874(Δ) 119874(Δ) 0

Table 3 Aggregation tree congestion comparison

Querydissemination

Dataaggregation Result-checking

Chanrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log2119899)Keithrsquos scheme 119874(119899) 119874(119899 log 119899) 119874(119899 log 119899)SDAP 119874(119899) 119874(119899) 119874(119899 log 119899)EIPDAP 119874(119899) 119874(119899) 0

path keys directly to the corresponding nodes Collectingaggregation tree information costs each edge 119874(1) conges-tion and there is no congestion for sensor nodes and aggre-gators in broadcasting keys In aggregation phase each nodeforwards a message The edge congestion in the aggregationtree is 119874(1) In result-checking phase all operations aredone in the base station so there is no congestion in theaggregation tree Congestion complexity comparisons withChanrsquos scheme Keithrsquos scheme and SDAP are shown inTables1 2 and 3

By the comparison we can conclude that EIPDAP hasthe minimum congestion and is much more energy efficientTherefore it is much more suitable for power limited sensornetworks

6 Conclusion and Future Work

Protecting hierarchical data aggregation from losing integrityis a challenging problem in sensor networks In this paperwe focus on the very problem of preserving data integrityand propose a novel approach to guarantee the integrity ofaggregation result through aggregation in sensor networksThemain algorithm is based on performingmodulo additionoperation using ECC

EIPDAP can immediately verify the integrity of aggre-gation result after receiving the aggregation result and cor-responding authentication information hence significantly

8 International Journal of Distributed Sensor Networks

reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase

Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving

In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability

We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach

Appendix

Attack on the Julia-Sanjay Scheme

If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904

119894 enc(119898

119894)⟩ received from its child 119894 In order to

modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge

an encrypted message

enc (1198981015840119894) = enc (119898

119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)

given as 119890nc(119898119894) = ⟨119906

119894 V119894⟩ And it is also easy to forge a valid

signature

1199041015840

119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)

If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN

Acknowledgments

The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions

References

[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008

[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008

[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003

[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003

[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007

[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007

[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010

[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008

[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009

[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008

[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006

[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008

[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006

[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009

[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003

[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010

International Journal of Distributed Sensor Networks 9

[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004

[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005

[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006

[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

8 International Journal of Distributed Sensor Networks

reducing energy consumption and communication delaywhichwill be caused if the verification phrase is done throughanother query-and-forward phase

Compared with the other related schemes our schemereduces the communication required per node to 119874(Δ)where Δ is the degree of the aggregation tree for the networkTo the best of our knowledge our scheme has the mostoptimal upper bound on solving the integrity-preserving dataaggregation problem Based on the elliptic curve discretelogarithm problem we prove that EIPDAP is integrity-preserving

In the future we will first further enrich EIPDAP indetail Second we will focus on the possibility of reducing thenumber of secret keys shared between sensor nodes and basestation or the keys broadcast to all nodesThird based on theproposed algorithm we may consider meeting other securityrequirements like data confidentiality source authenticationand availability

We anticipate that our work provides new perspective onpreserving integrity of hierarchical aggregation and encour-ages other researchers to consider this approach

Appendix

Attack on the Julia-Sanjay Scheme

If the adversary has compromised a sensor node then itcan obtain the network wide integer 119896 With the 119896 it canmodify any aggregated data received from its child nodesFor example say the adversary has compromised a node withmessage ⟨119904

119894 enc(119898

119894)⟩ received from its child 119894 In order to

modify119898119894to1198981015840119894= 119898119894+119898forge the adversary can easily forge

an encrypted message

enc (1198981015840119894) = enc (119898

119894+ 119898forge) = ⟨119906119894 V119894 + 119898forge⟩ (A1)

given as 119890nc(119898119894) = ⟨119906

119894 V119894⟩ And it is also easy to forge a valid

signature

1199041015840

119894= 119896minus1(119898119894+ 119898forge + 119911119894 lowast 119903 (119909)) mod 119901 (A2)

If the compromised node is in high level this will cause moreserious effects on the aggregation result since the aggregateresult it handles represents large portions of the overall datain the WSN

Acknowledgments

The authors would like to thank the anonymous reviewersand their coworkers for their valuable comments and usefulsuggestions

References

[1] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008

[2] K Akkaya M Demirbas and R S Aygun ldquoThe impact of dataaggregation on the performance of wireless sensor networksrdquoWireless Communications and Mobile Computing vol 8 no 2pp 171ndash193 2008

[3] L Hu and D Evans ldquoSecure aggregation for wireless networksrdquoin Proceedings of the Workshop on Security and Assurance in AdHoc Networks Orlando Fla USA January 2003

[4] B Przydatek D Song and A Perrig ldquoSIA Secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003

[5] W He X Liu H Nguyen K Nahrstedt and T AbdelzaherldquoPda privacy-preserving data aggregation in wireless sensornetworksrdquo in Proceedings of the 26th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo07) pp 2045ndash2053 2007

[6] T Feng C Wang W Zhang and L Ruan ldquoConfidentialityprotection for distributed sensor data aggregationrdquo in Proceed-ings of the 27th IEEE Communications Society Conference onComputer Communications (INFOCOM rsquo07) pp 475ndash483April2007

[7] J Shi R Zhang Y Liu and Y Zhang ldquoPriSense privacy-preserving data aggregation in people-centric urban sensingsystemsrdquo in Proceedings of the 29th IEEE International Confer-ence on Computer Communications (INFOCOM rsquo10) pp 758ndash766 IEEE March 2010

[8] J Katz and A Y Lindell ldquoAggregate message authenticationcodes Topics in cryptologyrdquo in Proceedings of the Cryptogra-phersrsquo Track at the RSA Conference (CT-RSA rsquo08) Lecture Notesin Computer Science pp 155ndash169 Springer 2008

[9] J Albath and S Madria ldquoSecure hierarchical data aggregationin wireless sensor networksrdquo in Proceedings of the IEEEWirelessCommunications and Networking Conference (WCNC rsquo09) pp1ndash6 April 2009

[10] A Liu and P Ning ldquoTinyECC a configurable library for ellipticcurve cryptography in wireless sensor networksrdquo in Proceedingsof the International Conference on Information Processing inSensor Networks (IPSN rsquo08) pp 245ndash256 April 2008

[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe 13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 ACM Press Alexandria VaUSA November 2006

[12] K B Frikken and J A Dougherty ldquoAn efficient integrity-preserving scheme for hierarchical sensor aggregationrdquo inProceedings of the 1st ACM Conference on Wireless NetworkSecurity (WiSec rsquo08) pp 68ndash76 ACM Press Alexandria VaUSA April 2008

[13] Y Yang X Wang S Zhu and G Cao ldquoSDAP a Secure hop-by-hop Data Aggregation Protocol for sensor networksrdquo inProceedings of the 7th ACM International Symposium on MobileAd Hoc Networking and Computing (MOBIHOC rsquo06) pp 356ndash367 ACM Press Florence Italy May 2006

[14] C Castelluccia A C F Chan E Mykletun and G TsudikldquoEfficient and provably secure aggregation of encrypted datain wireless sensor networksrdquo ACM Transactions on SensorNetworks vol 5 no 3 pp 1ndash36 2009

[15] W Du J Deng Y S Han and P K Varshney ldquoA witness-basedapproach for data fusion assurance inwireless sensor networksrdquoin Proceedings of the Global Telecommunications Conference(GLOBECOM rsquo03) vol 3 pp 1435ndash1439 IEEE December 2003

[16] O Eikemeier M Fischlin J-F Gotzmann et al ldquoHistory-freeaggregate message authentication codesrdquo in Proceedings of the7th International Conference on Security and Cryptography forNetworks vol 6280 of Lecture Notes in Computer Science pp309ndash328 Amalfi Italy 2010

International Journal of Distributed Sensor Networks 9

[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004

[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005

[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006

[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

International Journal of Distributed Sensor Networks 9

[17] J Girao D Westhoff and M Schneider ldquoCDA concealed dataaggregation in wireless sensor networksrdquo in Proceedings of theACM Workshop on Wireless Security (WiSe rsquo04) ACM PressPhiladelphia Pa USA 2004

[18] C Castelluccia E Mykletun and G Tsudik ldquoEfficient aggrega-tion of encrypted data in wireless sensor networksrdquo in Proceed-ings of the 2nd Annual International Conference on Mobile andUbiquitous Systems -Networking and Services (MobiQuitous rsquo05)pp 109ndash117 IEEEComputer Society SanDiego Calif USA July2005

[19] H Cam S Ozdemir P Nair D Muthuavinashiappan andH Ozgur Sanli ldquoEnergy-efficient secure pattern based dataaggregation for wireless sensor networksrdquo Computer Commu-nications vol 29 no 4 pp 446ndash455 2006

[20] S Madden M J Franklin J M Hellerstein and W HongldquoTAG a tiny aggregation service for ad-hoc sensor networksrdquoSIGOPS Operating Systems Review vol 36 pp 131ndash146 2002

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Active and Passive Electronic Components

Control Scienceand Engineering

Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

International Journal of

RotatingMachinery

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Shock and Vibration

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation httpwwwhindawicom

Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

Navigation and Observation

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014

DistributedSensor Networks

International Journal of