secure data aggregation in wireless sensor network: a survey
TRANSCRIPT
Secure Data Aggregation in Wireless Sensor
Network: a survey
Hani Alzaid Ernest Foo Juan Gonzalez Nieto
Information Security InstituteQeensland University of Technology,
PO Box 2434, Brisbane, Queensland 4001,Email: [email protected] , {e.foo,j.gonzaleznieto}@qut.edu.au
Abstract
Recent advances in wireless sensor networks(WSNs) have led to many new promising applica-tions including habitat monitoring and target track-ing. However, data communication between nodesconsumes a large portion of the total energy con-sumption of the WSNs. Consequently, data aggrega-tion techniques can greatly help to reduce the energyconsumption by eliminating redundant data travel-ing back to the base station. The security issuessuch as data integrity, confidentiality, and freshnessin data aggregation become crucial when the WSNis deployed in a remote or hostile environment wheresensors are prone to node failures and compromises.There is currently research potential in securing dataaggregation in the WSN. With this in mind, the se-curity issues in data aggregation for the WSN will bediscussed in this paper. Then, the adversarial modelthat can be used in any aggregation scheme will beexplained. After that, the ”state-of-the-art” proposedsecure data aggregation schemes will be surveyed andthen classified into two categories based on the num-ber of aggregator nodes and the existence of the verifi-cation phase. Finally, a conceptual framework will beproposed to provide new designs with the minimumsecurity requirements against certain type of adver-sary. This framework gives a better understanding ofthose schemes and facilitates the evaluation process.
Keywords: security, aggregation, wireless sensor net-works, survey.
1 Introduction
The WSN is defined as highly distributed net-works of small, lightweight wireless nodes, deployedin large numbers to mentor the environment orsystem by the measurement of physical parameterssuch as temperature, pressure, or relative humidity(Murthy & Manoj 2004, p 647). Sensor nodes aredeployed in large numbers and they collaborate toform an ad-hoc network capable of reporting to adata collection sink. Recently, WSN networks havebeen used in many promising applications includinghabitat monitoring (Mainwaring et al. 2002) andtarget tracking (He et al. 2006). However, WSNsare resource constrained with limited energy life-time, slow computation, small memory, and limitedcommunication capabilities. The current version ofsensors such as mica2 (Corporation 2006) uses a 16
Copyright c©2007, Australian Computer Society, Inc. This pa-per appeared at the Australasian Information Security Confer-ence (ACSC2008), Wollongong, Australia, January 2008. Con-ferences in Research and Practice in Information Technology(CRPIT), Vol. 81, Ljiljana Brankovic and Mirka Miller, Ed.Reproduction for academic, not-for profit purposes permittedprovided this text is included.
bit, 8MHz Texas Instruments MSP430 microcon-troller with only 10 KB RAM, 48KB Program space,1024 KB External flash, and is powered by twoAA batteries. Therefore, the energy impact of theadded security feature should be considered whenimplementing a cryptographic technique for securingdata aggregation in the WSN. For example, dataauthentication in TinyOS increases the consumedenergy by almost 3% while data authentication andencryption puts 14% (Guimaraes et al. 2005). Fur-thermore, the embedded processors in sensor nodesare generally not as powerful as those in the nodesof a wired network. As such, complex cryptographicalgorithms are impractical for WSNs.
Not only the resources limitations affect theWSN performance but the deployment nature doesalso. Most of the WSNs are deployed in remoteor hostile environments and then nodes cannot beprotected from physical attacks since anyone canaccess the deployment area. Moreover, the only wayto manage and control the network is via wirelesscommunication which makes any physical operationsuch as battery replacement difficult. Another factorthat affects the WSN performance is communicationinstability. For example, if two sensors that havesame aggregator node start sending packets at thesame time, conflicts will occur near the aggregatornode and the transfer process will fail. In addition,packets might get dropped at highly congestednodes, since the packet based routing of the WSN isconnectionless, which is inherently unreliable. As aresult, any proposed protocol might also lose criticalsecurity packets such as keys, if it does not maintaina reasonable channel error rate.
Due to these limitations, devising securityprotocols for the WSN is complicated and may not besuccessfully accomplished by the simple adaptationof security solutions designed for wired networks.Studies such as Wagner (2004) and Krishnamachariet al. (2002) show that data transmission con-sumes much more energy than computation. Datatransmission accounts for 70% of the energy costof computation and communication for the SNEPprotocol (Perrig et al. 2002). Data aggregation cangreatly help to reduce this consumption by elimi-nating redundant data. However, the aggregatorsare vulnerable to attack especially they are notequipped with tamper-resistant hardware. Whenan aggregator node is compromised, it is easy forthe adversary to change the aggregation resultand inject false data into the WSNs. Unfortu-nately, the security mechanisms that are used in asimilar network environment are not appropriatefor the WSN since they are based on public keycrytpography which is too expensive for sensor nodes.
Figure 1: An aggregation scenario using sum function.
The only existing survey on secure data aggre-gation schemes, which is done by Sang et al. (2006),classifies them into: hop-by-hop and end-to-end en-crypted data aggregation. However, this classificationdoes not detail the security analysis of these schemesnor their performance. They are classified here basedon how many times the data is aggregated when ittravels to the base station.
Our contributions in this paper include the fol-lowing:
• The security issues in data aggregation for theWSN are discussed and then secure data aggre-gation is defined informally.
• An adversarial model is proposed that can beexpected in any secure data aggregation scheme.This model covers different types of adversarieswhere the computational strength, the networkaccess, and node’s secrets access may vary.
• A survey of the ”state-of-the-art” existing securedata aggregation schemes is presented and thenclassified into two groups according to the num-ber of aggregator nodes and whether the integrityof the aggregated result is considered or not.
• Finally a conceptual secure data aggregationframework is proposed to help in comparing se-cure data aggregation schemes.
The rest of the paper is organized as follows: Insection 2, data aggregation is explained In section 3,the expected attacks that threaten secure data ag-gregation schemes in the WSN is discussed. Then,different types of attacks are listed. In section 4, theexpected adversary in any secure aggregation schemeis classified. In section 5, the current research is sur-veyed and classified into two models. Then in sec-tion 6, the discussed secure schemes are comparedand then a conceptual framework is given.Finally, sec-tion 7 concludes the paper.
2 Data Aggregation in the WSN
Typically, there are three types of nodes inWSN: normal sensor nodes, aggregators, and aquerier. The aggregators collect data from a subsetof the network, aggregate the data using a suitableaggregation function and then transmit the aggre-gated result to an upper aggregator or to the querier
who generates the query. The querier is entrustedwith the task of processing the received sensor dataand derives meaningful information reflecting theevents in the target field. It can be the base stationor sometimes an external user who has permission tointeract with the network depending of the networkarchitecture. Data communication between sensors,aggregators and the querier consumes a large portionof the total energy consumption of the WSN. TheWSN in figure 1 contains 16 sensor nodes and usesSUM function to minimize the energy consumptionby reducing the number of bits reported to thebase station. Node 7, 10-16 are normal nodes thatare collecting data and reporting them back to theupper nodes whereas nodes 1-6, 8, 9 are aggregatorsthat perform sensing and aggregating at the sametime. In this example 16 packets traveled withinthe network and only one packet is transmitted tothe base station. However, the number of travelingpackets would increase to 50 packets if no dataaggregation exists. This number of packets has beencomputed for one query.
Most existing proposals for data aggregation aresubject to attack (Wagner 2004). Once a single nodeis compromised, it is easy for an adversary to injectfalse data into the network and mislead the aggrega-tor to accept false readings. Because of this, the needfor secure data aggregation is raised and its impor-tance needs to be highlighted. However, it was foundthat the design principles of secure data aggregationschemes have no standard and sometimes are poorlyunderstood. Moreover, there is no clear definition ofwhat secure data aggregation should mean and whatrequirements they should have. These proposalsmight have one or more of the security requirementsthat are discussed in section 2.1 depending on howthe secure aggregation looks like to the authors.Unfortunately, following this method to address thesecurity in data aggregation is not practical andhas several problems. For example, secure dataaggregation has been addressed in (Przydatek et al.2003) from the point of view of detecting forged dataaggregation values. This does not cover securityissues such as how to elect aggregators or how to setup trust between aggregators and sensor nodes. Someproposed protocols provide more security require-ments than others, or send more bits than others asseen in section 6. How to compare between them?Are they all called secure data aggregation protocols?
A general definition for secure data aggregationis the efficient delivery of the summary of sensor read-ings that are reported to an off-site user in such a waythat ensures these reported readings have not beenaltered (Przydatek et al. 2003). They consider an ag-gregation application where the querier is located out-side the WSN and the base station acts as an aggrega-tor. Moreover, a detailed definition of secure data ag-gregation is proposed as the process of obtaining a rel-ative estimate of the sensor readings with the abilityto detect and reject reported data that is significantlydistorted by corrupted nodes or injected by maliciousnodes (Shi & Perrig 2004). However, rejecting re-ported data that is injected by malicious nodes con-sumes the network resources, specifically the nodes’batteries, since each time the suspicious packet willbe processed at the aggregator point. The dam-age caused by malicious nodes or compromised nodesshould be reduced by adding a self-healing propertyto the network. This property helps the network inlearning how to handle new threats through extensivemonitoring of network events, machine learning andnetwork behavior modeling. Consequently, it is be-lieved that a secure data aggregation scheme for theWSN should have the following properties:
• Fair approximation of the sensor readings al-though a limited number of nodes are compro-mised.
• Ability to reduce the size of the data transmittedthrough the network.
• Data freshness and integrity are important andshould be included in the scheme. However, theapplication type of the WSN affects the schemedesigner’s decision regarding whether to add thedata confidentiality and availability or not.
• Dynamic response to attack activities by execut-ing of a self-healing mechanism.
• Dynamic aggregator election/rotation mecha-nism to balance the workload at aggregators.
These properties should work together to pro-vide accurate aggregation results securely without ex-hausting the network.
2.1 Requirements for Data Aggregation Se-curity
Since WSNs share some properties with thetraditional wireless networks, the data securityrequirements in the WSNs are similar to those intraditional networks (Perrig et al. 2002, Shi & Perrig2004). However, there are some unique specificationsthat can only be found in WSNs, as discussedin Section 1, that require more attention duringdesign process. In this section the required securityproperties to strengthen the security in aggregationschemes will be defined.
• Data Confidentiality: ensures that informa-tion content is never revealed to anyone who isnot authorized to receive it. It can be divided(in secure data aggregation schemes) into a hop-by-hop basis and an end-to-end basis. In thehop-by-hop basis, any aggregator point needs todecrypt the received encrypted data, apply somesort of aggregation function, encrypt the aggre-gated data, and send it to the upper aggregatorpoint. This kind of confidentiality implementa-tion is not practical for the WSN since it requires
extra computation. On the other basis, the ag-gregator does not need to decrypt and encryptdata and instead of this, it needs to apply theaggregation functions directly on the encrypteddata by using homomorphic encryption (West-hoff et al. 2006). The interested reader in homo-morphic encryption is referred to Appendix A.
• Data Integrity: ensures that the content ofa message has not been altered, either mali-ciously or by accident, during transmission pro-cess. Confidentiality itself is not enough since anadversary is still able to change the data althoughit knows nothing about it. Suppose a securedata aggregation scheme focuses only on dataconfidentiality. An adversary near the aggrega-tor point will be able to change the aggregatedresult sent to the base station by adding somefragments or manipulating the packet’s contentwithout detection. Moreover, even without theexistence of an adversary, data might be dam-aged or lost due to the wireless environment.
• Data Freshness ensures that the data are re-cent and that no old messages have been replayedto protect data aggregation schemes against re-play attacks. In this kind of attack, it is notenough that these schemes only focus on dataconfidentiality and integrity because a passiveadversary is able to listen to even encrypted mes-sages transmitted between sensor nodes can re-play them later on and disrupt the data aggrega-tion results. More importantly when the adver-sary can replay the distributed shared key andmislead the sensor about the current key.
• Data Availability ensures that the network isalive and that data are accessible. It is highlyrecommended in the presence of compromisednodes to achieve network degradation by elim-inating these bad nodes. Once an attacker getsinto the WSN by compromising a node, the at-tack will affect the network services and dataavailability especially in those parts of the net-work where the attack has been launched. More-over, the data aggregation security requirementsshould be carefully implemented to avoid extraenergy consumption. If no more energy is left,the data will no longer be available. When theadversary is getting stronger, it is necessary thata secure data aggregation scheme contains someof the following mechanisms to ensure reasonablelevel of data availability in the network:
– Self-healing that can diagnose, and reactto the attacker’s activities especially whenhe gets into the network and then start cor-rective actions based on defined policies torecover the network or a node.
– Aggregator rotation that rotates the ag-gregation duties between honest nodes tobalance the energy consumption in WSN.
• Authentication: There are two types of au-thentication; entity authentication, and data au-thentication. Entity authentication allows thereceiver to verify if the message is sent by theclaimed sender or not. Therefore, by applyingauthentication in the WSNs, an adversary willnot be able to participate and inject data intothe network unless it has valid authenticationkeys. On the other hand, data authenticationguarantees that the reported data is the sameas the original one. In a secure data aggrega-tion, both entity and data authentication are im-portant since entity authentication ensures that
some exchanged data between sensors. For in-stance, electing an aggregator point or reportinginvalid aggregated results are authenticated us-ing their identity while data authentication en-sures that raw data are received at the aggrega-tors at the same time as they are being sensed.
• Non-repudiation: ensures that a transferedpacket has been sent and received by the personclaiming to have sent and received the packet.In secure aggregation schemes, once the aggrega-tor sends the aggregation results, it should notbe able to deny sending them. This gives thebase station the opportunity to determine whatcauses the changes in the aggregation results.
• Data Accuracy: One major outcome of anyaggregation scheme is to provide an aggregateddata as accurately as possible since it is worthnothing to reduce the number of bits in the aggre-gated data but with very low data accuracy. Atrade-off between data accuracy and aggregateddata size should be considered at the design stagebecause higher accuracy requires sending morebits and thus needs more power.
3 Types of Attacks on WSN Aggregation
WSNs are vulnerable to different types of attacks(Roosta et al. 2006) due to the nature of the trans-mission medium (broadcast), remote and hostile de-ployment location, and the lack of physical security ineach node. However, the damage caused by these at-tacks varies from scheme to scheme according to theassumed adversarial model (to be discussed in sec-tion 4) which is assumed by the scheme’s designers.In this section, these attacks that might affect theaggregation in the WSN are discussed.
• Denial of Service Attack(DoS): is a standardattack on the WSN by transmitting radio signalsthat interfere with the radio frequencies used bythe WSN and is sometimes called jamming. Asthe adversary capability increases, it can affectlarger portions of the network. In the aggrega-tion context, an example of the DoS can be anaggregator that refuses to aggregate and preventsdata from traveling into the higher levels.
• Node Compromise: is where the adversary isable to reach any deployed sensor and extractthe information stored on it which is some timescalled supervision attack. Considering the dataaggregation scenario, once a node has been takenover, all the secret information stored on it canbe extracted.
• Sybil Attack: is where the attacker is able topresent more than one identity within the net-work. It affects aggregation schemes in differentways. Firstly, an adversary may create multi-ple identities to generate additional votes in theaggregator election phase and select a maliciousnode to be the aggregator. Secondly, the aggre-gated result may be affected if the adversary isable to generate multiple entries with differentreadings. Thirdly, some schemes use witnessesto validate the aggregated data and the data isonly valid if n out of m witnesses agreed on theaggregation results. However, an adversary canlaunch a Sybil attack and generate n or morewitness identities to make the base station ac-cept the aggregation results.
• Selective Forwarding Attack: With no con-sideration about security, it is assumed in the
WSN that each node will accurately forward re-ceived messages. However, a compromised nodemay refuse to do so. It is up to the adversarythat is controlling the compromised node to ei-ther forward the received messages or not. Inthe aggregation context, any compromised inter-mediate nodes have the ability to launch the se-lective forwarding attack and this subsequentlyaffects the aggregation results.
• Replay Attack: In this case an attacker recordssome traffic from the network without even un-derstanding its content and replays them later onto mislead the aggregator and consequently theaggregation results will be affected.
• Stealthy Attack: The adversary aims to injectfalse data into the network without revealing itsexistence. In a data aggregation scenario, the in-jected false data value leads to a false aggregationresult. A compromised node can report signifi-cantly biased or fictitious values, and perform aSybil attack to affect the aggregation result.
4 Adversarial Model
In this section, we describe the different capabil-ities that an adversary may have against the WSN.
4.1 Adversary Type
Secure data aggregation schemes are threaten bytwo types of adversaries: passive and active. Pas-sive adversary affects the data confidentiality prop-erty while active adversary affects data integrity prop-erty.
• Passive Adversary: is the adversary that takesadvantage from the communication nature ofthe wireless (broadcasting) and eavesdrop onthe traffic to obtain any important informationabout the sensed data. For example, if the ad-versary is able to hear the traffic near the aggre-gator point, it can gain some knowledge aboutthe aggregated result especially if the secure dataaggregation scheme does not ensure data confi-dentiality.
• Active Adversary: is the adversary that inter-acts with the WSN by injecting packets, destroy-ing nodes, stopping/delaying packets from beingdelivered to the querier, compromising nodes andextracting sensitive data, etc.
4.2 Network Access
Each WSN has three different types of compo-nents: sensor, aggregator, and base station with dif-ferent functionalities and capabilities. In this section,the adversary ability to compromise these three ele-ments is discussed.
• Total Access: The adversary that has total ac-cess to the network is powerful and has access tothe whole WSN. If the adversary is passive, thismeans that he can listen to all communicationsbetween nodes. On the other hand, if the ad-versary is active, this means that he can interactwith all types of components in the WSN.
• Partial Access: The adversary in this type hasless power compared to the previous one. Itsgoal is to listen to communications between asubset of nodes in the network, if the adversaryis passive. On the other hand, if the adversary isactive, this means that he can only interact witha subset of nodes in the WSN.
Table 1: Adversarial Models in the Aggregation schemesAdv. Type Network Access Secrets Access Adv. Classification
Active Passive Total Partial Total No Strong Med Light
CDA x x x xSDA x x x xSIA x x x xSHDA x x x xRA x x x xWDA x x x xSecureDAV x x x xSRDA x x x xSDAP x x x xESA x x x xEDA x x x x
4.3 Access to Secret Data
This refers to the sensitive information kept inthe nodes. Based on the assumptions made by thedesigners, each scheme considers an adversary withdifferent access levels to the secrets that are kept onthe sensors.
• Total Access: The adversary that has total ac-cess to the node’s secrets is able to extract all thesensitive information that is stored in the sensor’smemory and then harm the aggregation results.
• Partial Access: The adversary with this typeof access is able to only extract some of the secretdata that is stored in the sensor’s memory.
4.4 Adversary Classification
Table 1 summaries the adversary types that areexist in different secure aggregation proposals basedon the designers’ assumptions. It is concluded thatthe existing adversaries can be divided into threetypes:
• Strong Adversary: refers to an active adver-sary that has the ability to compromise any com-ponent in the WSN. In other words, it can be de-scribed as an active adversary with no limitationon its network access and its ability to extractsecret data on sensor’s memory since the aggre-gated data are highly important to the adversary.
• Medium Adversary: refers to an active ad-versary that has low computational strength tolaunch an attack against the secure system be-cause the aggregated data are not that impor-tant as in the previous type and also because thenetwork access is limited.
• Light Adversary: refers to a passive adversarywith limited access to the network and it is inter-ested to reveal the encrypted aggregated data.
It is believed that this adversary classificationshould help in the better evaluation of the proposedschemes and facilitate making decisions on whichscheme is more suitable for specific conditions (as de-scribed in section 6).
5 Classification of Existing Secure Data Ag-gregation Schemes
This section classifies the proposed secure dataaggregation schemes into two models: the one ag-gregator model and the multiple aggregator model.Under each model, each scheme is examined to seewhether it has a verification phase or not.
Figure 2: Sketch of single and multi aggregatormodel.
5.1 Single Aggregator Model
In this model, the aggregation process takes placeonce between the sensing nodes and the base stationor the external user. In other words, all individualcollected data in the WSN travels to only one aggre-gator point in the network before reaching the querier.This aggregator node should be powerful enough toperform the expected high computation and commu-nication. The main role of the data aggregation mightnot be satisfied fully since redundant data will stilltravel in the network for a while until they reach theaggregator as in Figure 2-a. This model is useful whenthe network is small or when the querier is not in thesame network. However, large networks are not suit-able places to implement this model especially whendata redundancy at the lower levels is high. The dataaggregation schemes that fit in this model can be di-vided into two categories: whether they have a veri-fication phase or not.
• Verification Phase: informs on the secure dataaggregation schemes that aggregate data once inits way to the querier. This phase enhances thequerier’s ability to distinguish between the validand invalid aggregated readings.
• No Verification Phase: informs on the securedata aggregation scheme that does not contain averification phase because data integrity has notbeen considered by the scheme’s designers. Inother words, the type of expecting adversary ishonest but has some interest in knowing about
sensitive information while the one in the pre-vious phase is not honest and can inject falsereadings.
5.2 Multiple Aggregator Model
In this model, collected data in the WSN are ag-gregated more than one time before reaching the lastdestination (querier). This model achieves greater re-duction in the number of bits transmitted within thenetwork especially in the large WSNs, as illustratedin Figure 1. A sketch of the multi-aggregator modelcan be found in Figure 2-b. The importance of thismodel appears as the network size is getting biggerespecially when data redundancy at the lower levelsis high. The data aggregation schemes that fit in thismodel can be divided into two categories: whetherthey have a verification phase or not.
• Verification Phase: Secure data aggregationscheme that contains a verification phase to en-hance the querier ability in distinguishing be-tween the valid and invalid aggregated readings.This phase is more complicated than the samephase in the single aggregator model since thedata is aggregated many times at different aggre-gation points. The querier is interested to knowwhether the final aggregated result is altered ornot by one of these points.
• No Verification Phase: informs on the securedata aggregation scheme that does not contain averification phase because data integrity has notbeen considered by the scheme’s designers.
6 Comparison of the secure aggregationschemes
This section, attempts to compare the securedata aggregation schemes that were reviewed in sec-tion 5. Comparisons of security schemes can be diffi-cult since the designers solve secure aggregation fromdifferent angles. Therefore, these schemes are com-pared in a number of different ways: security servicesprovided, cryptographic primitives used, resilienceagainst attacks described in section 3, and the num-ber of bits transmitted in the aggregation phase. Foreach method an attempt is made to show the differ-ences between these secure aggregation schemes.
6.1 Description of Existing Schemes
The first secure data aggregation (SDA) wasproposed by Hu & Evans (2003) who studied theproblem of data aggregation once one node is com-promised. This protocol achieves resilience againsta node compromise by delaying the aggregation andauthentication at the upper levels. Therefore, sensorsmeasurements are forwarded unchanged and thenaggregated at the second hop instead of aggregatingthem at the immediate next hop. Thus, the sensorneeds to buffer the data to authenticate it once theshared key is revealed by the base station. Moreover,the proposed scheme only offers data integrity, fresh-ness and authentication. Even though it increasesthe confidence in the sensor readings integrity thedata can be altered once a parent and child in the hi-erarchy are compromised. Once a compromised nodeis detected, no practical action is taken to reduce thedamage caused by this compromise which affects thedata availability in the network. Much worse, oncea grandfather node detects a node compromise, itcould not decide whether the cheating node is thechild or the grandchild.
Figure 3: Classification of Existing Secure Data Ag-gregation Schemes.
In addition, SDA scheme is improved in ESA byJadia & Mathuria (2004). Instead of using µTESLAto authenticate the base station’s broadcast in thevalidation process to reveal the shared key withsensors, the authors used one-hop pairwise keys (toencrypt data between a node and its parent) andtwo-hop pairwise keys (to encrypt data between anode and its grandparent). This will improve thesecure aggregation scheme by adding data confiden-tiality and reducing the memory overhead since datadoes not need to be stored until the key is revealed.However, the system will still break as soon as twoconsecutive nodes in the hierarchy are compromised.
Przydatek et al. (2003) proposed a secureinformation aggregation (SIA) framework for WSNscalled aggregate-commit-prove. This frameworkprovides resistance against a special type of attackcalled stealthy attacks aggregate manipulation wherethe attacker’s goal is to make the user accept falseaggregation results without revealing its presenceto the user. It consists of three node categories: ahome server, a base station, and sensor nodes. SIAassumes that each sensor has a unique identifierand shares a separate secret cryptographic key withboth the home server and the aggregator. The keysenable message authentication and encryption if dataconfidentiality is required. Moreover, it assumesthat the home server and base station can use amechanism, such as µTESLA (Perrig et al. 2002),to broadcast authentic messages. SIA consists ofthree parts: collecting data from sensors and locallycomputing the aggregation result, committing to thecollected data, and reporting the aggregation resultwhile proving the correctness of the result. SIA offersdata integrity, authentication, data freshness, andconfidentiality (if required).
Wagner (2004) proposed a mathematical frame-work (RA) for evaluating the security of severalresilient aggregation techniques. The paper mea-sures how much damage an adversary can cause bycompromising a number of nodes and then usingthem to inject erroneous data. Wagner describeda number of better methods for securing the dataaggregation such as how the median function isa good way to summaries statistics. Furthermore,Wagner claimed that trimming and truncation can beused to strengthen the security of many aggregationprimitives by eliminating possible outliers. However,this work only focused on examining the receivedaggregated data (at the base station) without
Table 2: Attacks Against Existing Aggregation Schemes.
Scheme Denial of Node Sybil Selective Replay Stealthy Adversaryservices compromise forwarding Classification
CDA x x lightSDA x x x x medSIA x x x highSHDA x x x highWDA x x x x x x medSecureDAV x x x x x medSRDA x lightSDAP x x x x medESA x x x x medEDA x light
studying how these data are aggregated. Thus,when the network size increases, the communicationcost will be very high for the transmission of allthe sensor readings to the base station. Moreover,eliminating abnormal data with no further reasoningis impractical especially for applications such asmonitoring bush-fire.
A witness based data aggregation (WDA)scheme for the WSN is being proposed by Du et al.(2003) to assure the validation of the data sent froman aggregator node to the base station. In orderto prove the validity of the aggregated result, theaggregator node has to provide proofs from severalwitnesses. A witness is one who also performs dataaggregation like the aggregator node, but does notforward its result to the base station. Instead, eachwitness computes the message authentication code(MAC) of the result and then sends it to the aggrega-tor node which must forward the proofs to the basestation. WDA offers only integrity property to thedata aggregation security and this is required to sendmultiple copies similar to the original aggregatedresult, to the aggregator point. Thus, the aggregatorpoint must forward these reports as well as theaggregated result to the base station. Since theaggregator point is fixed and responsible to handleso much traffic, the aggregator resources will not lastlong.
Moreover, SecureDAV (Mahimkar & Rappaport2004) improved the data integrity vulnerability inSDA and ESA by signing the aggregated data. InSecureDAV, each sensor within a cluster will have itsshare of its secret cluster key and then it will be ableto generate a partial signature on the aggregateddata. Once an aggregator receives sensor readings inthe same cluster, it aggregates them and broadcaststhe average value of the readings. Each sensor in thecluster compares its reading with the average valuereceived from the aggregator. Then, it partially signsthe average value only and only if the differencebetween the received average value and its readingis less than a certain value (threshold). Then, theaggregator (cluster-head) combines partial signaturesto form a full signature of the aggregated results andsends it to the base station. SecureDAV providesdata confidentiality, data integrity, and authentica-tion. The drawbacks of this scheme are: it requireshigh communication costs on data validation, andsupports only the AVG aggregation function.
Yang et al. (2006) proposed a secure hop-by-hop data aggregation protocol (SDAP) that cantolerate more than one compromised node. SDAPis based on two principles: divide-and-conquer andcommit-and-attest. In order to reduce the damagecaused by compromising an aggregator at a highlevel in the per-hop aggregation scheme, SDAPuses the divide-and-conquer principle to divide thenetwork tree into multiple logical subtrees whichincreases the number of aggregators and reduces thenumber of nodes in each subtree. Consequently, thedamage caused by compromising an aggregator ofa subtree is reduced. The other principle, that iscommit-and-attest, enhances the ordinary hop-by-hop aggregation scheme by adding a commitmentproperty, and helps the base station to prove the cor-rectness of the aggregated data. Once an aggregatorof a logical subtree commits its aggregation result, itcan not deny it later on. This scheme needs to sendmuch data to ensure reasonable level of security (asexplained in Appendix B).
Furthermore, Chan et al. (2006) extended thework in SIA by applying the aggregate-commit-proveframework in fully a distributed network instead ofsingle aggregator model. In general, this scheme(SHDA) offers exactly what the SIA does dataintegrity, authentication, and confidentiality. Eachparent sensor performs an aggregation functionwhenever it has heard from its child nodes. Inaddition, it has to create a commitment to the setof the input used to compute the aggregated resultby using a merkle hash tree. Then, it forwards theaggregated data and the commitment to its parentuntil it reaches the base station. Once the basestation received the final commitment values, itrebroadcasts them into the rest of the network in anauthenticated broadcast. Each node is responsiblefor checking whether its contribution was added tothe aggregated data or not. Once its readings areadded, it sends an authentication code to the basestation where the authentication code for node R isMACKR(N‖OK). For communication efficiency, theauthentication codes are aggregated along the wayto the base station. However, missing one authenti-cation code for any reason leads the base station toreject the aggregated result. Furthermore, noticeabledelay, too much transmission and computation willbe added as consequences of adding security to thescheme.
Sanli et al. (2004) developed a new data aggre-
Table 3: Comparison between different secure data aggregation schemes
Scheme Confidentiality Integrity Freshness Availability Authentication
CDA xSDA x x xSIA x x x xSHDA x x xWDA x xSecureDAV x x xSRDA x xSDAP x x x xESA x x x xEDA x
gation technique called the Secure Reference-BasedData Aggregation scheme (SRDA) that sends onlythe difference between sensed data and the referencevalue (called differential value) instead of raw data.Deference value is taken as the average value ofprevious sensor readings. In SRDA scheme, eachsensor computes the differential data (sensed data -reference value), encrypts it, and then sends it to thecluster-head. The authors claim that the securitylevel of the network should be gradually increasedas the data is traveled to higher level cluster-heads.Therefore, they suggest using a cryptographic al-gorithm (RC6) with adjustable parameters such asthe number of rounds, to achieve different level ofsecurity in the WSN. Increasing or decreasing thenumber of rounds changes the security strengthof the RC6 that can be measured by the securitymargin. The security margin is the deviation of theactual number of rounds from the minimum numberof rounds for which the algorithm is considered to besecured. The SRDA uses a higher security marginat higher level cluster-heads compared to low levelcluster-heads.
Moreover, the problem of aggregating encrypteddata in the WSN is being addressed in (Westhoffet al. 2006). The proposed protocol, called Con-cealed Data Aggregation (CDA), uses an additiveand multiplicative homomorphic encryption schemethat allows the aggregator to aggregate encrypteddata. In this paper, the authors argued that thesecurity level is still reasonable and the privacy ho-momorphism (PH) (Domingo-Ferrer 2002) helps toimplement encryption in the WSN, although Wagner(2003) proved that PH is unsecure against chosenplain text attacks. However, they admitted thatthe encryption in CDA is very expensive and addsbetween 0%-22% additional data overhead comparedto RC5 which increases the power consumption ofthe sending node. Genrally speaking, CDA ensuresonly data confidentiality.
Furthermore, a new secure data aggregationscheme based on homomorphic encryption (EDA) isproposed by (Castelluccia et al. 2005) This allows anaggregator to execute the aggregation function andaggregate the encrypted data that are received fromits children with no need for decryption and to re-cover the original messages. It uses a modular addi-tion instead of the xor (Exclusive-OR) operation thatis found in the stream ciphers. Thus, even if an ag-gregator is being compromised, original messages cannot be revealed by an attacker. The authors claimed
that the provided privacy protection by this schemeis comparable to the privacy protection that is pro-vided by a scheme that performs end-to-end encryp-tion with no aggregation. However, they admit thattheir proposed scheme generates significant overheadif the network is unreliable since sensors’ identities ofnon-responding nodes must be sent together with theaggregated result to the base station. More impor-tantly, this scheme concerns only one security prop-erty which is data confidentiality.
6.2 Security Services Provided
Since the considered type of adversary variesfrom one scheme to another, each proposed schemehas different requirements. Data authentication is amust in each secure scheme that defeats against anytype of active adversary. Table 3 shows that dataconfidentiality is the minimum security requirementthat should be provided when a light type of adver-sary is considered. Once the adversary capabilityincreases and reaches the medium type, some of theproposed schemes protect against it by providing dataintegrity and authentication. However, the mediumadversary type is able to at least launch the replayattack. It is believed that the minimum securityrequirements that provide reasonable security levelsagainst this type of adversary should include datafreshness too. As the adversary is getting stronger,a combination of data confidentiality, data integrity,authentication, and data freshness should exist inthe proposed scheme. If the network lifetime is aconcern for the designers, then the data availabilityshould be provided as well. However, none of theexisting proposals consider the data availability evenwhen a strong adversary exists.
As a conclusion, the CDA, EDA, and SRDA havemet the minimum security requirements when a lighttype of adversary is around. When the medium typeis considered, the SDA, ESA, and SDAP have metthe minimum requirements. However, the WDA andSecureDAV have not met the minimum requirementsbecause they did not offer data freshness. Finally,the minimum requirements have been met in the SIAand SHDA when an adversary with strong capabilityis considered.
6.3 Cryptographic Primitives Used
The cryptographic primitives used in each of theproposed schemes are varied according to how the au-thors employ different primitives to achieve a certain
Table 4: Cryptographic primitives used
Scheme Message Digital Symmetric Public Readings Privacy Broadcast Inter- Votingauthen- signa- key key commit- homom- authen-. active sche-tication ture ment orphic tication protocol em
CDA x xSDA x x xSIA x x x x xSHDA x x x x xRAWDA x x xSecureDAV x x xSRDA xSDAP x x x x xESA x xEDA x x
service. Table 4 shows that most of these schemesuse a message authentication code (MAC) to excludeunauthorized parties from sending forged aggregateddata. However, SecureDAV uses a digital signatureinstead. Furthermore, the MAC is used to protect theoriginal message from being altered. Symmetric andpublic keys have been used to achieve hop-by-hop orend-to-end encryptions which prevent the passive ad-versary from eavesdropping on the traffic. Moreover,a verification process in these schemes has been setup in different ways, such as: using interactive proto-cols, broadcast authentication by the base station, orvoting system.
6.4 Attacks Existence
This section analyses the secure aggregationschemes described in Section 5 and investigateswhether they are vulnerable to types of attacks de-scribed in section 3 or not. Table 2 shows that allthese schemes are vulnerable to DoS and Physical at-tacks as long as the existence of at least the light typeof adversary. As the capability of the adversary variesfrom light to strong, the damage caused by these at-tacks varies, too. The stronger adversary can jama wider range of the network, while the light adver-sary can jam only a limited area. Moreover, since thelight type of adversary is not interested in affectingthe data integrity of the system, the adversary willnot be interested in launching Sybil, Replay, Selec-tive forwarding, stealthy, and Spoofed-altered attackssuch as in CDA. Replay attack may be launched inthese schemes by the medium type of adversary orabove, unless these schemes provide data freshness(Table 3). For example, the WDA and SecureDAVschemes are vulnerable to replay attack. This type ofadversary, can also launch Sybil attack in secure ag-gregation schemes unless the identity is checked uponreceiving any message.
6.5 Framework for Evaluation New Schemes
Based on the analyses in the previous sections,a conceptual framework, helps the new schemes de-signers to strengthen their proposed scheme againstthe considered adversarial model. As far as is knownthis work is the first that tries to build such a frame-work that can suggest the minimum security require-ments that should exist in any scheme according toits specifications. It is believed that the security levelcan be determined by considering one of the adver-
sarial models (discussed in section 4). Then, the net-work size helps the designers to choose the properaggregation model. Figure 4 shows that the mini-mum requirements for a proposed secure scheme toresist against the light adversary are data confiden-tiality and freshness. It is suggested that these re-quirements be offered in the single aggregator modelif the network size is small, otherwise, in the multi-ple aggregator model. The minimum security servicesthat are required to resist against the medium adver-sary are data integrity, authentication, and freshness,while the required services to resist against the strongadversary needs data confidentiality as well as.
7 Conclusion and Future Work
By reviewing the existing data aggregation se-curity in the WSN, an adversarial model that canthreaten any secure aggregation scheme has been pro-posed. Consequently, these schemes were classifiedinto two groups: the one aggregator model, and themultiple aggregator model. Based on this classifica-tion and the adversarial model, a conceptual frame-work that leads to better evaluation of secure aggre-gation schemes was also proposed. In the future, it isplanned to evaluate more secure schemes and extendthe framework if necessary.
References
Castelluccia, C., Mykletun, E. & Tsudik, G. (2005),Efficient Aggregation of Encrypted Data in Wire-less Sensor Networks., in ‘MobiQuitous’, IEEEComputer Society, pp. 109–117.
Chan, H., Perrig, A. & Song, D. (2006), Secure hierar-chical in-network aggregation in sensor networks.,in A. Juels, R. N. Wright & S. D. C. di Vimercati,eds, ‘ACM Conference on Computer and Commu-nications Security’, ACM, pp. 278–287.
Corporation, C. (2006), ‘Mica2 datasheet’.Reviewed 10th of October 2007, http://www.xbow.com/Products/Product_pdf_files/Wireless_pdf/MICA2_Datasheet.pdf.
Domingo-Ferrer, J. (2002), A provably secure addi-tive and multiplicative privacy homomorphism., inA. H. Chan & V. D. Gligor, eds, ‘ISC’, Vol. 2433of Lecture Notes in Computer Science, Springer,pp. 471–483.
Figure 4: Framework for Evaluation New Schemes.
Du, W., Deng, J., Han, Y. S. & Varshney, P. (2003),A witness-based approach for data fusion assurancein wireless sensor networks, in ‘IEEE Global Com-munications Conference (GLOBECOM)’, Vol. 3,pp. 1435– 1439.
Grigoriev, D. & Ponomarenko, I. V. (2003), ‘Homo-morphic public-key cryptosystems over groups andrings’, CoRR cs.CR/0309010.
Guimaraes, G., Souto, E., Sadok, D. F. H.& Kelner, J. (2005), Evaluation of securitymechanisms in wireless sensor networks., in‘ICW/ICHSN/ICMCS/SENET’, IEEE ComputerSociety, pp. 428–433.
He, T., Vicaire, P., Yan, T., Luo, L., Gu, L., Zhou,G., Stoleru, R., Cao, Q., Stankovic, J. A. & Ab-delzaher, T. F. (2006), Achieving real-time targettracking usingwireless sensor networks., in ‘IEEEReal Time Technology and Applications Sympo-sium’, IEEE Computer Society, pp. 37–48.
Hu, L. & Evans, D. (2003), Secure aggregation forwireless network., in ‘SAINT Workshops’, IEEEComputer Society, pp. 384–394.
Jadia, P. & Mathuria, A. (2004), Efficient secure ag-gregation in sensor networks., in L. Bouge & V. K.Prasanna, eds, ‘HiPC’, Vol. 3296 of Lecture Notesin Computer Science, Springer, pp. 40–49.
Krishnamachari, B., Estrin, D. & Wicker, S. B.(2002), The impact of data aggregation in wire-less sensor networks., in ‘ICDCS Workshops’, IEEEComputer Society, pp. 575–578.
Mahimkar, A. & Rappaport, T. S. (2004), Secure-DAV: A secure data aggregation and verificationprotocol for sensor networks., in ‘Global Telecom-munications Conference’, Vol. 4, pp. 2175– 2179.
Mainwaring, A. M., Culler, D. E., Polastre, J.,Szewczyk, R. & Anderson, J. (2002), Wirelesssensor networks for habitat monitoring., in C. S.Raghavendra & K. M. Sivalingam, eds, ‘WSNA’,ACM, pp. 88–97.
Murthy, C. S. R. & Manoj, B. (2004), Ad Hoc Wire-less Sensor Networks Architectures and Protocols,Prentice Hall PTR, Upper Saddle River, NJ, USA.
Perrig, A., Szewczyk, R., Tygar, J. D., Wen, V. &Culler, D. E. (2002), ‘SPINS: Security Protocolsfor Sensor Networks.’, Wireless Network 8(5), 521–534.
Przydatek, B., Song, D. X. & Perrig, A. (2003), SIA:Secure Information Aggregation in Sensor Net-works., in I. F. Akyildiz, D. Estrin, D. E. Culler& M. B. Srivastava, eds, ‘SenSys’, ACM, pp. 255–265.
Rivest, R. L., Shamir, A. & Adleman, L. M.(1978), ‘A Method for Obtaining Digital Signaturesand Public-Key Cryptosystems.’, Communication.ACM 21(2), 120–126.
Roosta, T., Shieh, S. & Sastry, S. (2006), Taxonomyof security attacks in sensor networks, in ‘The FirstIEEE International Conference on System Integra-tion and Reliability Improvements’, IEEE Interna-tional, Washington, DC, USA.
Sang, Y., Shen, H., Inoguchi, Y., Tan, Y. & Xiong, N.(2006), Secure data aggregation in wireless sensornetworks: A survey, in ‘Proceedings of the Sev-enth International Conference on Parallel and Dis-tributed Computing, Applications and Technolo-gies (PDCAT ’06)’, IEEE Computer Society, Wash-ington, DC, USA, pp. 315–320.
Sanli, H. O., Ozdemir, S. & Cam, H. (2004), SRDA:Secure reference-based data aggregation protocolfor wireless sensor networks, in ‘Vehicular Technol-ogy Conference’, pp. 4650– 4654.
Shi, E. & Perrig, A. (2004), ‘Designing secure sen-sor networks.’, IEEE Personal Communications11(6), 38–43.
Wagner, D. (2003), Cryptanalysis of an algebraic pri-vacy homomorphism., in C. Boyd & W. Mao, eds,‘ISC’, Vol. 2851 of Lecture Notes in Computer Sci-ence, Springer, pp. 234–239.
Wagner, D. (2004), Resilient aggregation in sensornetworks., in S. Setia & V. Swarup, eds, ‘SASN’,ACM, pp. 78–87.
Westhoff, D., Girao, J. & Acharya, M. (2006), ‘Con-cealed data aggregation for reverse multicast traf-fic in sensor networks: Encryption, key distribu-tion, and routing adaptation’, IEEE Transactionson Mobile Computing 05(10), 1417–1431.
Yang, Y., Wang, X., Zhu, S. & Cao, G. (2006), SDAP:a secure hop-by-hop data aggregation protocol forsensor networks., in ‘Proceedings of the 7th ACMInterational Symposium on Mobile Ad Hoc Net-working and Computing, MobiHoc 2006, Florence,Italy, May 22-25, 2006’, ACM, pp. 356–367.
Appendix A: Homomorphic Cryptosystems
During the last few years homomorphic en-cryption schemes have been studied extensively sincethey are proved to be useful in many cryptographicprotocols such as electronic elections (Grigoriev& Ponomarenko 2003), sensor networks (Westhoffet al. 2006, Castelluccia et al. 2005) and so on.Homomorphic cryptosystem is a cryptosystem thatallows direct computation on encrypted data byusing an efficient scheme. It is an important toolthat can be used in a secure aggregation scheme toprovide end to end privacy if needed. The scheme iscalled additively homomorphic if the message space(M) is an additive while it is called multiplicativehomomorphic if M is a multiplicative. Moreover, theencryption algorithm (E) is called probabilistic if itgets a uniform random number as an input otherwiseit is called deterministic.
The classical RSA scheme (Rivest et al. 1978)is a good example of a deterministic, multiplicativehomomorphic cryptosystem on M = /N whereN is the product of two large primes. Thus, C =
/N is the ciphertext space while the key space is
K = {(ke, kd) = ((N, e), d) | N = pq,
ed ≡ 1 mod ϕ(N)}
The encryption of any message m ∈ M is definedas:
Eke(m) = me mod N
while the decryption of any ciphertext c ∈ C is definedas:
Dke,kd(c) = cd mod N = m mod N
Obviously, the encryption of the product of twomessages m1,m2 ∈ M can be computed by multiply-ing the corresponding ciphertexts:
Eke(m1 · m2) = (m1 m2)e mod N
= (me1 mod N) (me
2 mod N)
= Eke (m1) · Eke(m2)
Appendix B: Performance Analysis
A Notations
For simplicity to perform our calculations in thefollowing sections, we only consider the case whichthe leaf nodes transmit their readings and no read-ings are expected from aggregator nodes. We assumea general tree hierarchy in which every node has bchildren and the depth of the tree is d as in figure 5.This means the distance between the base station andthe leaf nodes are d. Therefore, this kind of tree hasbd leaf nodes. In single aggregator model we considerthe root of the tree to be the aggregator. Let us de-note the length in bits of reported message from theleaf nodes toward upper level as x where x can beraw data or encrypted data. The sensor node ID inbits will be denoted as y. Also, we denote the MAC’slength in bits as z. Also, let us denote query nonceas qn. Since TinyOS packet is pre-configured with amaximum size of 36 byte, 29 byte payload and 6 byteheader, we denote header as oh to compute the over-head bits transmitted within the network. Finally,the total number of nodes N in this type of tree is nbits long and can be computed as
(
bd+1 − 1
b − 1
)
(1)
11 2b2 b
Aggregator point
Base Station
1 b2.........
d
......... .........
Figure 5: Tree model used to analyze the performanceof schemes.
B Number of transmitted bits
First, we start analyzing the number of trans-mitted bits by considering the situation where no ag-gregation and no security are used. In this case eachsensor forwards data as soon as it receives it. Sup-pose each node at level d sends its ID and sensed datatoward its parents which are x+ y + oh bits long. So,the total number of bits generated at level d will bebd(x+y +oh). Since each intermediate node needs toforward b(x+y) bits which adds oh bits as header intoeach transmission , the total number of bits traveledwithin the network is approximately
(d + 1)bd(x + y + oh) (2)
Next, SDA as being discussed in section 5.2achieves resilient against a node compromise by delay-ing the aggregation and authentication at the upperlevels. So, each leaf node (at depth d) needs to sendits ID, data, and one message authentication code to-ward its parent. The length of this message in bitswill be x+ y + z + oh. Therefore, the total number ofbits sent by all the leaf nodes is bd(x+y+z+oh). Also,each node at depth d-1 needs to forward the receiveddata unchanged and add one MAC. Thus, the lengthof this message in bits will be b(x+y+z)+z+oh andthe total number of bits sent by all the nodes at leveld-1 should be bd−1[b(x + y + z) + z + oh]. We com-pute the length of transmitted message at level d-2,d-3, and so on till we reach the base station. The ap-proximate number of transmitted bits in this schemeis
bd(x+y+z+oh)+
(
bd − b
b − 1+ 1
)
[b(x+y+z)+z+oh]
(3)
However, the improvement in ESA that adds con-fidentiality requires each node to add one more mes-sage authentication into the message. So, instead ofsending x + y + z + oh bits in SDA at each node atdepth d, x+ y +2z + oh bits are needed to be sent byESA. The total number of bits sent by all leaf nodes isbd(x+y+2z+oh) and consequently the total numberof bits sent by ESA will be approximately
bd(x+y+2z+oh)+
(
bd − b
b − 1+ 1
)
[b(x+y+z)+z+oh]
(4)
Table 5: Number of bytes transmitted within WSNb=2 b=3 b=4
d=2 d=3 d=4 d=2 d=3 d=4 d=2 d=3 d=4
No Aggregation 180 480 1200 405 1620 6075 720 3840 19200SDA 210 462 966 399 1155 3423 546 2226 8946ESA 234 510 1062 471 1470 4467 792 2520 13032SDAP 289 623 1334 636 1722 6374 1119 4704 19709CDA 91 248 512 215 660 1997 347 1403 5627SIA 261 709 1829 541 2305 9109 933 5413 28709WDA 825 2265 5865 1725 7395 29265 2985 17385 92265
In SDAP, it uses divide-and-conquer principleto divide the network tree into multiple logical sub-trees which increases the number of aggregators andreduces the number of nodes in each subtree. For sim-plicity, we assume each subtree has an average size ofs and therefore the number of subtrees is (N/s) + 1considering the base station as a subtree. Also, thehight of a subtree can be approximated by d/2 andthe distance from each subtree’s leader and the basestation is d/2. Each leaf node needs to send its ID,aggregation flag (one bit), an encrypted sensed datathat is concatenated with a MAC. This transmissionis about x + y + z + 1 + oh bits long. Thus, the to-tal number of bits transmitted by all nodes at leveld is bd(x + y + z + 1 + oh) and consequently thenumber of bits reaches the subtree’s leader is around(s−1)bd(x+y+z+1+oh). Next, each subtree’s leaderwill forward the aggregation result toward the basestation and this increases the number of traveled bitswithin the network by (N/s)(d/2)(x+ y + z +1+ oh)bits. Therefore, the total number of bits is approxi-mated by
bd(s−1)(x+y+z+1+oh)+
(
N
s
d
2
)
(x+y+z+1+oh)
(x + y + z + 1 + oh)[bd(s − 1) +
(
Nd
2s
)
] (5)
Moreover, the authors of CDA admitted that theencryption in CDA is very expensive and adds be-tween 0%-22% additional data overhead compared toRC5 which increase the power consumption of thesending node. For example, the size of encrypted oneByte sensed data will increase to 9 Bytes by usingRC5 while the size will range between 9 - 11 Bytes byusing PH encryption (Westhoff et al. 2006). In otherwords, we can assume that the ecypted data has cxbits where c is constant that represent the overheadcaused by encrypting 1 bit using PH. This means, thetotal encrypted messages in bits is approximatetly
N(cx + oh) (6)
It obvious that the number of bits is increasedlinearly with the plain-text size (raw sensed data atthe leaf nodes) and the number of leaf nodes. Conse-quently, the power consumption will increase linearly.
Subsequently, SIA proposed a secure informationaggregation framework for WSNs called aggregate-commit-prove. In the aggregate phase, each leaf sen-sor needs to send its ID, data, query nonce, and
two message authentication codes with two sharedkeys between the sensor and the aggregator and thebase station. The length of this message in bits isx + y + qn + 2z + oh. This message travels all theway toward the aggregator that is d hops away in ourexample. Therefore, the total number of bits trav-eled within the network till the sensed data reachesthe aggregator is dbd(x + y + qn + 2z + oh) in eachevent. Then in the commit phase, the aggregator con-structs a merkle hash tree of the received messagesand sends the root of this tree as a commitment value,the number of leaves of the hash tree (the number ofleaf nodes), and aggregated result. Let us assumefor simplicity the length of the commitment value is(x + y + qn + 2z) bits long and the length of the ag-gregated result as long as the reported data x. Thus,the total number of bits sent to the remote user bythe aggregator is n+2x+y + qn+2z +oh. Thus, thetotal number of traveled bits within the network willbe
dbd(x+y+qn+2z+oh)+n+2x+y+qn+2z+oh (7)
In WDA, authors assume that leave nodes arehonest and the sensed data reaches the aggregatorand wetnesses correctly. Let us assume that each sen-sor needs to send at least its ID and sensed data. Thelength of this message in bits is x+y+oh. Therefore,dbd(x + y + oh) bits needs to be traveled withing thenetwork to reach the aggregator for each event. Also,the same number of bits goes to each witness (w)and consequently the total number of traveled bitsis wdbd(x + y + oh). Each witness computes the ag-gregated data and send message authentication code(MAC) contains its ID, aggregation result, and itsshared key with the base station and sends its MACto the aggregator. Finally, the aggregator forwardsits ID, aggregation result computed by him, and allMACs received from the witnesses. Therefore, thetotal number of traveled bits is
dbd(x+y+oh)+wdbd(x+y+oh)+w(z+oh)+(x+y+wz+oh)
dbd(x+y +oh)(1+w)+2wz +x+y +oh(w +1) (8)
C Example
In this section, we give an example with numbersto give a better understanding about the previousequations in section B. Let us select x, y, z, w tobe 7 bytes, 2 bytes, 6 bytes, 5 witnesses respectively.We compute the number of bytes that each secureaggregation scheme transmits to achieve the aggre-gation result with no consideration about the extra
overhead comes from the verification process (ifexist) since not all of the schemes cover this process.
In Tabel 5, we investigate some of proposedsecure data aggregation schemes in the context of thenumber of transmitted bits during the aggregationphase. We started with a system that has no aggre-gation to be as a reference in our comparison. CDAneeds to send less number of bits compared to thesystem with no aggregation because it assumes lightadversary type and performs multiple aggregation be-fore sending the readings into the base station. As-suming light adversary means less security servicesprovided which leads to less number of bits must besent. Also, performing multiple aggregation helps thescheme to minimize the transmitted bits by removingredundant data and also removing the extra bits suchas headers. As the adversary capability increases, thenumber of bits increases as well to provide reasonablelevel of security. For example, when the designersconsider medium type of adversary, the security ser-vices provided should be different to those in the lighttype. From Tabel 5, SDA, ESA, SDAP, and WDAconsider medium adversary type and send more bitsthan schemes that assumed to defeat against lightadversary such as CDA. The reason that WDA sendsmore bits than other schemes, that defeat against thesame type of adversary, is because it belongs to theone aggregator model. Finally, SIA considers highadversary type and can achieve its security goals bytransmitting number of bits within the results of othersecure proposals that defeat against medium type ofadversary.