MMDA: Multidimensional and multidirectional data aggregation for edge computing-enhanced IoT


Journal Pre-proof

Peng Zeng, Bofeng Pan, Kim-Kwang Raymond Choo, Hong Liu

PII: S1383-7621(20)30007-2
DOI: https://doi.org/10.1016/j.sysarc.2020.101713
Reference: SYSARC 101713

To appear in: Journal of Systems Architecture

Received date: 20 August 2019
Revised date: 8 December 2019
Accepted date: 5 January 2020

Please cite this article as: Peng Zeng, Bofeng Pan, Kim-Kwang Raymond Choo, Hong Liu, MMDA: Multidimensional and Multidirectional Data Aggregation for Edge Computing-Enhanced IoT, Journal of Systems Architecture (2020), doi: https://doi.org/10.1016/j.sysarc.2020.101713

This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2020 Published by Elsevier B.V.

Peng Zeng¹, Bofeng Pan¹, Kim-Kwang Raymond Choo², Hong Liu¹

¹ Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai, China
² Department of Information Systems and Cyber Security, The University of Texas at San Antonio, San Antonio, TX 78249, USA

Abstract

In an edge computing-enhanced Internet of Things (IoT) setup, data can be processed closer to the IoT devices (i.e. at the network edge). However, security and privacy remain two key issues that need to be considered. In this paper, we propose the first multidimensional and multidirectional data aggregation (MMDA) scheme for privacy-preserving edge computing-enhanced IoT communications. In MMDA, the data of each IoT device are described as an n-dimensional vector and m IoT devices' data are listed as a matrix D of order m × n. MMDA enables an edge device (acting as a gateway) to aggregate the multidimensional data of the m IoT devices in two directions: row aggregation and column aggregation. Such data can then be employed to compute the summation of data in each row and each column of D in a privacy-preserving way. Unlike existing multidimensional data aggregation schemes that have only the column aggregation, MMDA allows an additional row aggregation. This allows the capability to provide more statistical information to an IoT control center for analysis and processing. MMDA also adopts the batch verification technology to reduce authentication costs. Extensive analysis shows that MMDA is practicable in terms of computation cost, security, and fault-tolerance.

Keywords: Edge computing, Internet of Things, data aggregation, multidimensional, multidirectional, fault-tolerance

1. Introduction

Internet of Things (IoT) can be found in a broad range of real-world systems (e.g. smart grid, smart home, smart healthcare, and smart city) with different features. In a typical IoT setup, there is an interconnected network consisting of a number of IoT devices (ranging from tens to hundreds to thousands, depending on the size of the network). These devices are responsible for sensing real-time data and transmitting the raw sensed data to a control center for better and intelligent decisions [1]. Depending on the system setup/configuration, the network traffic (e.g. data sent from thousands of IoT devices to the server for processing) may be large and hence incur significant costs. In addition to performance considerations, we need to ensure the security of the data exchange and the privacy of the computation, etc. [3, 4]. Edge computing, rooted in the content delivery networks (CDNs) of the late 1990s [5, 6], extends cloud computing to the edge of the network. By deploying edge devices at the network edge, edge computing can provide low latency and location awareness and improve real-time data and application services to IoT [1, 7, 8] (also referred to as an edge computing-enhanced IoT system). Such properties are particularly crucial in time-sensitive adversarial environments, such as battlefields. Since edge devices are responsible for storing and pre-processing data sent by IoT devices and are deployed at the network edge, they are attractive targets to attackers. In addition, to ensure data privacy, edge devices should not be allowed to access an individual IoT device's data; hence the need for privacy-preserving data aggregation. There are a large number of privacy-preserving data aggregation schemes in the literature [9, 10, 11, 12], which can be deployed in an edge computing-enhanced IoT system. These schemes generally support the privacy-preserving property to some extent. However, it is challenging to implement these existing schemes due to their complex computation or high communication requirements. Thus, a number of efficient privacy-preserving data aggregation schemes, such as those reported in [13, 14, 15, 16, 17, 18], have also been proposed.

Email address: [email protected] (Hong Liu)

Preprint submitted to Elsevier, January 15, 2020
A common drawback in this latter group of schemes is that they consider the report data of each IoT device as one-dimensional information. In some IoT applications (e.g. smart grids), however, the report data of each smart meter are usually multidimensional in practice. For example, the report data can be categorized according to attributes (the quantity of electricity consumed, the time and the intent of consumption, and so on [19, 20]) or electrical appliances (lamp, computer, refrigerator, air-conditioning, and so on [21]). These categories require finer-grained control and optimization. Based on a super-increasing sequence and the Paillier cryptosystem, Lu et al. [19] proposed the first multidimensional data aggregation scheme for smart grids. Using bilinear pairing cryptographic technology, Liu et al. [20] also proposed an anonymous multidimensional data aggregation scheme. In 2017, Shen et al. [21] proposed an efficient privacy-preserving cube-data aggregation scheme for smart grids based on Horner's rule and the Paillier cryptosystem. González-Manzano et al. [22] proposed a privacy-preserving aggregation protocol, PAgIoT, which enables the aggregation of multidimensional data based on attribute queries and the Paillier cryptosystem. More recently, in 2019, Guan et al. [23] proposed the APPA protocol, which provides a solution for aggregating data from different IoT device areas. We note, however, that these multidimensional data aggregation schemes [19, 20, 21, 22, 23] allow the data to be aggregated only in one direction. To explain this, we assume that the data of each

IoT device $D_i$ is an $n$-dimensional vector $d_i = (d_{i,1}, d_{i,2}, \ldots, d_{i,n})$, $1 \le i \le m$, and we treat all the $m$ vectors as an $m \times n$ matrix $D = (d_{i,j})_{1 \le i \le m,\, 1 \le j \le n}$. In this context, existing multidimensional data aggregation schemes are only able to obtain the data summations $\sum_{i=1}^{m} d_{i,j}$, $1 \le j \le n$, in each column of $D$ in a privacy-preserving way (refer to Figure 1). This is a limitation because the data summations $\sum_{j=1}^{n} d_{i,j}$, $1 \le i \le m$, in each row of $D$ correspond to the total amount of each single device's data, and are also important to the control center for analysis and processing.

Figure 1: Aggregation Direction of Existing Multidimensional Data Aggregation Schemes.

Therefore, to address these limitations in the existing schemes, in this paper we propose an efficient multidimensional and multidirectional data aggregation scheme (hereafter referred to as MMDA) following the idea in [24]. MMDA is designed to facilitate privacy-preserving edge computing-enhanced IoT communications. MMDA enables an edge device (acting as an honest-but-curious aggregator) to aggregate the data in $D$ in two directions, namely row aggregation and column aggregation. They can be used to compute the summations $\sum_{j=1}^{n} d_{i,j}$, $1 \le i \le m$, and $\sum_{i=1}^{m} d_{i,j}$, $1 \le j \le n$, respectively, in a privacy-preserving way (refer to Figure 2). MMDA also uses batch verification technology to reduce the authentication cost and supports fault tolerance.

Figure 2: Aggregation Directions of Proposed MMDA Scheme.

2. Background Materials

In this section, we introduce the mathematical preliminaries and the security model required for understanding our proposed MMDA scheme.

2.1. Mathematical Preliminaries

We list the mathematical preliminaries which will be used in this paper.

• Let $p, m_1, m_2, \ldots, m_n$ be $n + 1$ positive integers satisfying $\sum_{i=1}^{n} m_i < p$. We have
$$\prod_{i=1}^{n} (1 + m_i \cdot p) \bmod p^2 = 1 + p \cdot \sum_{i=1}^{n} m_i,$$
and thus
$$\sum_{i=1}^{n} m_i = \frac{\left(\prod_{i=1}^{n} (1 + m_i \cdot p) \bmod p^2\right) - 1}{p}. \tag{1}$$

• Let $G_1$ be an additive group and $G_2$ a multiplicative group, both of prime order $q$. A bilinear map (or pairing) is a function $e : G_1 \times G_1 \to G_2$ with the following three properties [21, 25]:
  1. Bilinearity: $\forall P, Q \in G_1$ and $\forall a, b \in \mathbb{Z}_q^*$, $e(aP, bQ) = e(P, Q)^{ab}$.
  2. Non-degeneracy: $\forall P \in G_1$ with $P \ne 1_{G_1}$, $e(P, P) \ne 1_{G_2}$.
  3. Computability: The map $e$ is efficiently computable.

We use the notation Gen to denote the algorithm that, taking as input a security parameter $\kappa$, outputs a tuple $(q, P, G_1, G_2, e)$ as above.

• The Lagrange polynomial interpolation [26] is described as follows.
  1. Given $k$ different points $(x_1, y_1), (x_2, y_2), \ldots, (x_k, y_k)$.
  2. We can construct a polynomial $P(x)$ of degree $k - 1$ by
$$P(x) = \sum_{j=1}^{k} y_j \prod_{i=1,\, i \ne j}^{k} \frac{x - x_i}{x_j - x_i}$$
satisfying $P(x_i) = y_i$, $i = 1, 2, \ldots, k$.

2.2. Security Model

An edge computing-enhanced IoT system comprises four parts in general, namely: a trusted authority TA, a control center CC, some edge devices ED, and $m$ IoT devices $D_i$, $1 \le i \le m$ (see Figure 3).

Figure 3: System Model

1. TA is assumed to be trusted and is responsible for generating and distributing the secret keys of the system participants. Furthermore, TA is able to compute artificial ciphertexts when some IoT devices malfunction or fail.
2. CC is the "nerve" or "brain" of the IoT system, and is generally (under the control of) the utility service provider. CC collects all the IoT data and arranges for data statistics and analysis. In general CC is honest-but-curious, in the sense that it performs the specified operations but may attempt to mine information from the collected data in order to increase its financial revenue, etc.
3. ED is an aggregator responsible for aggregating, in ciphertext form, the IoT data collected from IoT devices. Specifically, IoT devices first encrypt their data to avoid leakage prior to sending them to ED. ED has the ability to perform computationally expensive computations, executes the aggregation of all received data in different directions, and sends the aggregated data to CC. ED is deployed at the network edge and is also honest-but-curious.
4. IoT devices $D_i$, $1 \le i \le m$, are deployed in an area of interest and equipped with sensing and communication functions [1]. Each IoT device automatically collects and encrypts sensing data and reports them in ciphertext form to CC via ED.

We assume there is an active attacker $\mathcal{A}$ who has the capability to eavesdrop on, inject, and tamper with messages during their transit. As in real-world situations, a secure IoT system should fulfill the following requirements, even in the presence of $\mathcal{A}$:

1. Data Confidentiality. Data in transit (e.g. from IoT devices and other deployed nodes/sensors containing individual sensitive data) may be intercepted by $\mathcal{A}$ to investigate a targeted device's sensitive information. Thus, it is important to ensure data confidentiality (e.g. by having ED aggregate IoT data in a privacy-preserving way, such as using secure encryption).
2. Authentication and Data Integrity. Ensuring that a report is generated by a legitimate IoT device is another important requirement in IoT system applications. In other words, it is important to prevent attacks such as false data injection attacks and other opportunistic attacks [27, 28]; otherwise, the statistical analysis and other system functions are likely to be inaccurate. Malicious behaviors should be detected such that ED accepts only data from legitimate IoT devices. Even if $\mathcal{A}$ intrudes into CC's database, any IoT device's sensitive data can be kept secret, since the values in the database are not individual IoT devices' data. Then the data privacy is protected and data integrity is assured.

3. Proposed MMDA Scheme

Our proposed MMDA scheme includes five phases, namely: system initialization, key generation, data report generation, secure report aggregation, and secure report reading. As mentioned in Section 1, we assume that there are $m$ IoT devices $D_i$, $1 \le i \le m$, in an IoT system and each device $D_i$ generates an $n$-dimensional data vector $d_i = (d_{i,1}, d_{i,2}, \ldots, d_{i,n})$, $1 \le i \le m$. Set
$$D = (d_{i,j})_{1 \le i \le m,\, 1 \le j \le n} = \begin{pmatrix} d_{1,1} & d_{1,2} & \cdots & d_{1,n} \\ d_{2,1} & d_{2,2} & \cdots & d_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ d_{m,1} & d_{m,2} & \cdots & d_{m,n} \end{pmatrix}.$$
Note that for IoT devices in practice, the report data are not extremely large. Thus, we can make the assumptions that
$$\sum_{j=1}^{n} d_{i,j} < p,\; 1 \le i \le m \quad\text{and}\quad \sum_{i=1}^{m} d_{i,j} < p,\; 1 \le j \le n. \tag{2}$$

MMDA enables CC to get the data summations of IoT devices in two directions, namely:
• row aggregation to obtain the data summations $\sum_{j=1}^{n} d_{i,j}$ in the $i$-th row of $D$, $1 \le i \le m$, and
• column aggregation to obtain the data summations $\sum_{i=1}^{m} d_{i,j}$ in the $j$-th column of $D$, $1 \le j \le n$ (see Figure 2).

3.1. System initialization

For a given parameter $\kappa$, TA selects a prime $p$ with $|p| = \kappa$ and generates a tuple $(q, P, G_1, G_2, e)$ by calling Gen($\kappa$). Then, TA chooses two secure cryptographic hash functions $H_1 : \{0,1\}^* \to \mathbb{Z}_p^*$ and $H_2 : \{0,1\}^* \to G_1$. The public system parameters are params $:= (p, q, P, G_1, G_2, e, H_1, H_2)$.

3.2. Key generation

TA distributes the necessary keys for the IoT devices and CC during this phase. To this end, TA chooses $m \cdot n$ integers $k_{i,j} \in \mathbb{Z}_p$ uniformly at random, $1 \le i \le m$, $1 \le j \le n$, and treats them as a matrix $K$ of order $m \times n$:
$$K = \begin{pmatrix} k_{1,1} & k_{1,2} & \cdots & k_{1,n} \\ k_{2,1} & k_{2,2} & \cdots & k_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ k_{m,1} & k_{m,2} & \cdots & k_{m,n} \end{pmatrix}.$$

For $1 \le i \le m$, TA transfers the $i$-th row $k_i = (k_{i,1}, k_{i,2}, \ldots, k_{i,n})$ of $K$ to $D_i$ as its secret key via a secure channel. Furthermore, for $1 \le i \le m$, TA computes a Lagrange polynomial $P_i(x)$ of degree $n - 1$ determined by the $n$ pairs $(j, k_{i,j})$, $1 \le j \le n$. That is,
$$P_i(x) = \sum_{j=1}^{n} k_{i,j} \prod_{s=1,\, s \ne j}^{n} \frac{x - s}{j - s}, \quad 1 \le i \le m.$$

Similarly, TA generates $n$ polynomials $P^j(x)$ of degree $m - 1$ related to the $n$ columns $k^j = (k_{1,j}, k_{2,j}, \ldots, k_{m,j})$ of $K$, $1 \le j \le n$. Concretely,
$$P^j(x) = \sum_{i=1}^{m} k_{i,j} \prod_{s=1,\, s \ne i}^{m} \frac{x - s}{i - s}, \quad 1 \le j \le n.$$

Based on the above $m + n$ Lagrange polynomials $P_i(x)$, $1 \le i \le m$, and $P^j(x)$, $1 \le j \le n$, TA computes
$$k_{i,0} = P_i(0) = \sum_{j=1}^{n} k_{i,j} \prod_{s=1,\, s \ne j}^{n} \frac{s}{s - j}, \quad 1 \le i \le m$$
and
$$k_{0,j} = P^j(0) = \sum_{i=1}^{m} k_{i,j} \prod_{s=1,\, s \ne i}^{m} \frac{s}{s - i}, \quad 1 \le j \le n.$$
For ease of description, we denote $\mu^{\ell}_t = \prod_{s=1,\, s \ne t}^{\ell} \frac{s}{s - t}$, and the above two equations can be written as
$$k_{i,0} = \sum_{j=1}^{n} k_{i,j}\,\mu^{n}_j, \quad 1 \le i \le m; \qquad k_{0,j} = \sum_{i=1}^{m} k_{i,j}\,\mu^{m}_i, \quad 1 \le j \le n. \tag{3}$$

Then TA computes
$$rk_i = k_{i,0} + \sum_{j=1}^{n} k_{i,j}\,\mu^{m}_i, \quad 1 \le i \le m$$
and
$$ck_j = k_{0,j} + \sum_{i=1}^{m} k_{i,j}\,\mu^{n}_j, \quad 1 \le j \le n.$$
Next, TA secretly transfers $rk_i$, $1 \le i \le m$, and $ck_j$, $1 \le j \le n$, to CC as its private keys, and saves the matrix
$$\tilde{K} = \begin{pmatrix} k_{0,0} & k_{0,1} & k_{0,2} & \cdots & k_{0,n} \\ k_{1,0} & k_{1,1} & k_{1,2} & \cdots & k_{1,n} \\ k_{2,0} & k_{2,1} & k_{2,2} & \cdots & k_{2,n} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ k_{m,0} & k_{m,1} & k_{m,2} & \cdots & k_{m,n} \end{pmatrix}$$

of order $(m + 1) \times (n + 1)$ in TA's local database, where $k_{0,0}$ is a random element in $\mathbb{Z}_p$.

To ensure the authenticity of data from IoT devices to ED, we need to generate some keys for the authentication between the IoT devices and ED. Therefore, in the following we assume that each IoT device $D_i$ owns a public-private key pair $(Y_i = x_i P, x_i)$, $1 \le i \le m$, and ED owns a public-private key pair $(Y = xP, x)$, where $x, x_1, x_2, \ldots, x_m \in \mathbb{Z}_q$ and $Y, Y_1, Y_2, \ldots, Y_m \in G_1$.

3.3. Data report generation

Each IoT device $D_i$ (with respective private keys $k_i = (k_{i,1}, k_{i,2}, \ldots, k_{i,n})$ and $x_i$) executes the following steps to get a data report, $1 \le i \le m$.

1. $D_i$ uses its private key $k_i$ to compute $n$ blinding factors:
$$b_{i,j} = H_1(AMR)^{k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j)}, \quad 1 \le j \le n,$$
where $AMR$ acts as a counter which increases by one for each round of data report generation.
2. For each component $d_{i,j}$ of the sensing data vector $d_i = (d_{i,1}, d_{i,2}, \ldots, d_{i,n})$, $D_i$ generates a ciphertext $c_{i,j}$, $1 \le j \le n$, as
$$c_{i,j} = (1 + d_{i,j} \cdot p) \cdot b_{i,j} = (1 + d_{i,j} \cdot p) \cdot H_1(AMR)^{k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j)} \bmod p^2.$$
3. $D_i$ uses its private key $x_i$ to compute a signature $\sigma_i$ as
$$\sigma_i = x_i \cdot H_2(c_{i,1} \| \cdots \| c_{i,n} \| id_{ED} \| id_{D_i} \| AMR),$$
where $\|$ is the concatenation operator and $id_{ED}$ and $id_{D_i}$ are the identities of ED and $D_i$, respectively.
4. $D_i$ sends the encrypted data
$$E_i = (c_{i,1}, \ldots, c_{i,n}, id_{ED}, id_{D_i}, AMR, \sigma_i) \tag{4}$$
to ED.

3.4. Secure report aggregation

After receiving the data $E_i = (c_{i,1}, \ldots, c_{i,n}, id_{ED}, id_{D_i}, AMR, \sigma_i)$ from the $m$ IoT devices $D_i$, $1 \le i \le m$, ED first checks their validity by checking the following equations:
$$e(P, \sigma_i) = e(Y_i, H_2(c_{i,1} \| \cdots \| c_{i,n} \| id_{ED} \| id_{D_i} \| AMR)), \quad 1 \le i \le m.$$
If all the $m$ equations hold, then ED accepts the signatures $\sigma_i$, $1 \le i \le m$. To improve verification efficiency, ED can perform batch verification by checking the equation
$$e\left(P, \sum_{i=1}^{m} \sigma_i\right) = \prod_{i=1}^{m} e(Y_i, H_2(c_{i,1} \| \cdots \| c_{i,n} \| id_{ED} \| id_{D_i} \| AMR)),$$
which reduces the number of time-consuming bilinear map operations from $2m$ to $m + 1$. After the check of data validity, ED extracts the $m \cdot n$ ciphertexts $c_{i,j}$, $1 \le i \le m$, $1 \le j \le n$, and treats them as the matrix
$$C = \begin{pmatrix} c_{1,1} & c_{1,2} & \cdots & c_{1,n} \\ c_{2,1} & c_{2,2} & \cdots & c_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ c_{m,1} & c_{m,2} & \cdots & c_{m,n} \end{pmatrix}.$$

Next, ED (with the private key x) is able to execute the aggregation operations in the two directions:

1. Row aggregation: for any IoT device $D_i$, $1 \le i \le m$, ED calculates the product of the $n$ ciphertexts in the $i$-th row of $C$ to get
$$R_i = \prod_{j=1}^{n} c_{i,j} = \prod_{j=1}^{n} (1 + d_{i,j} \cdot p) \cdot H_1(AMR)^{k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j)} \bmod p^2.$$
2. Column aggregation: for any dimension $j$, $1 \le j \le n$, ED calculates the product of the $m$ ciphertexts in the $j$-th column of $C$ to get
$$C_j = \prod_{i=1}^{m} c_{i,j} = \prod_{i=1}^{m} (1 + d_{i,j} \cdot p) \cdot H_1(AMR)^{k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j)} \bmod p^2.$$

After the row aggregation and column aggregation operations, ED computes a signature $\sigma$ using its private key $x$ as
$$\sigma = x \cdot H_2(R_1 \| \cdots \| R_m \| C_1 \| \cdots \| C_n \| id_{CC} \| id_{ED} \| AMR),$$
where $id_{CC}$ is the identity of CC. Finally, ED sends the data
$$RC = (R_1, \ldots, R_m, C_1, \ldots, C_n, id_{CC}, id_{ED}, AMR, \sigma) \tag{5}$$
to CC. The detailed interaction processes among $D_i$, ED and CC are shown in Figure 4.

Figure 4: Interaction processes among $D_i$, ED and CC. $D_i$ computes $b_{i,j} = H_1(AMR)^{k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j)}$, $c_{i,j} = (1 + d_{i,j} \cdot p) \cdot b_{i,j} \bmod p^2$ and $\sigma_i = x_i \cdot H_2(c_{i,1} \| \cdots \| c_{i,n} \| id_{ED} \| id_{D_i} \| AMR)$, and sends $E_i = (c_{i,1}, \ldots, c_{i,n}, id_{ED}, id_{D_i}, AMR, \sigma_i)$ to ED; ED computes $R_i = \prod_{j=1}^{n} c_{i,j} \bmod p^2$, $C_j = \prod_{i=1}^{m} c_{i,j} \bmod p^2$ and $\sigma = x \cdot H_2(R_1 \| \cdots \| R_m \| C_1 \| \cdots \| C_n \| id_{CC} \| id_{ED} \| AMR)$, and sends $RC = (R_1, \ldots, R_m, C_1, \ldots, C_n, id_{CC}, id_{ED}, AMR, \sigma)$ to CC.

3.5. Secure report reading

After receiving the data $RC = (R_1, \ldots, R_m, C_1, \ldots, C_n, id_{CC}, id_{ED}, AMR, \sigma)$ from ED, CC first verifies its validity by checking the equation
$$e(P, \sigma) = e(Y, H_2(R_1 \| \cdots \| R_m \| C_1 \| \cdots \| C_n \| id_{CC} \| id_{ED} \| AMR)).$$
If the equation holds, then CC extracts $R_i$ and $C_j$ from $RC$ and decrypts them using its private keys $rk_i$ and $ck_j$ to obtain the corresponding data aggregations of the $m$ IoT devices in two directions (refer to Figure 2).

First, for each $R_i$, $i = 1, 2, \ldots, m$, CC computes
$$\begin{aligned}
Agg_i &= R_i \cdot H_1(AMR)^{-rk_i} \\
&= \left(\prod_{j=1}^{n} (1 + d_{i,j} \cdot p) \cdot H_1(AMR)^{\sum_{j=1}^{n} k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j)}\right) \cdot H_1(AMR)^{-k_{i,0} - \sum_{j=1}^{n} k_{i,j} \cdot \mu^{m}_i} \\
&= \left(\prod_{j=1}^{n} (1 + d_{i,j} \cdot p)\right) \cdot H_1(AMR)^{\sum_{j=1}^{n} k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j) - k_{i,0} - \sum_{j=1}^{n} k_{i,j} \cdot \mu^{m}_i} \\
&= \left(\prod_{j=1}^{n} (1 + d_{i,j} \cdot p)\right) \cdot H_1(AMR)^{\sum_{j=1}^{n} k_{i,j} \cdot \mu^{m}_i + \sum_{j=1}^{n} k_{i,j} \cdot \mu^{n}_j - k_{i,0} - \sum_{j=1}^{n} k_{i,j} \cdot \mu^{m}_i} \\
&= \left(\prod_{j=1}^{n} (1 + d_{i,j} \cdot p)\right) \cdot H_1(AMR)^{\sum_{j=1}^{n} k_{i,j} \cdot \mu^{n}_j - k_{i,0}} \\
&= \prod_{j=1}^{n} (1 + d_{i,j} \cdot p) \\
&= 1 + p \cdot \sum_{j=1}^{n} d_{i,j} \bmod p^2.
\end{aligned}$$
The penultimate equation is due to Eq. (3). With $Agg_i$, CC is able to calculate $\frac{Agg_i - 1}{p}$ to obtain $\sum_{j=1}^{n} d_{i,j}$ according to Eqs. (1) and (2), which is the

summation of the $n$-dimensional data of $D_i$, $1 \le i \le m$. Similarly, for each $C_j$, $j = 1, 2, \ldots, n$, CC computes
$$\begin{aligned}
Agg_j &= C_j \cdot H_1(AMR)^{-ck_j} \\
&= \left(\prod_{i=1}^{m} (1 + d_{i,j} \cdot p) \cdot H_1(AMR)^{\sum_{i=1}^{m} k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j)}\right) \cdot H_1(AMR)^{-k_{0,j} - \sum_{i=1}^{m} k_{i,j} \cdot \mu^{n}_j} \\
&= \left(\prod_{i=1}^{m} (1 + d_{i,j} \cdot p)\right) \cdot H_1(AMR)^{\sum_{i=1}^{m} k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j) - k_{0,j} - \sum_{i=1}^{m} k_{i,j} \cdot \mu^{n}_j} \\
&= \left(\prod_{i=1}^{m} (1 + d_{i,j} \cdot p)\right) \cdot H_1(AMR)^{\sum_{i=1}^{m} k_{i,j} \cdot \mu^{m}_i + \sum_{i=1}^{m} k_{i,j} \cdot \mu^{n}_j - k_{0,j} - \sum_{i=1}^{m} k_{i,j} \cdot \mu^{n}_j} \\
&= \left(\prod_{i=1}^{m} (1 + d_{i,j} \cdot p)\right) \cdot H_1(AMR)^{\sum_{i=1}^{m} k_{i,j} \cdot \mu^{m}_i - k_{0,j}} \\
&= \prod_{i=1}^{m} (1 + d_{i,j} \cdot p) \\
&= 1 + p \cdot \sum_{i=1}^{m} d_{i,j} \bmod p^2.
\end{aligned}$$

Using $Agg_j$, CC calculates $\frac{Agg_j - 1}{p}$ to obtain $\sum_{i=1}^{m} d_{i,j}$ according to Eqs. (1) and (2), which is the summation of the $j$-th dimensional data of all the $m$ IoT devices, $1 \le j \le n$.

3.6. Fault-tolerance

We analyze the fault tolerance of our MMDA scheme, which enables CC to obtain the proper values when some IoT devices fail in some dimensions. Without loss of generality, we assume that an IoT device $D_x$ ($1 \le x \le m$) fails at dimension $y$. In this case, ED receives all $mn - 1$ correct ciphertexts, with the exception of $c_{x,y}$. ED first sends the identity $id_{D_x}$, the dimension $y$, and the proper $AMR$ to TA for an artificial ciphertext. Upon accepting the above request, TA computes

$$\tilde{c}_{x,y} = H_1(AMR)^{k_{x,y} \cdot (\mu^{m}_x + \mu^{n}_y)} \bmod p^2$$
using $k_{x,y}$ and transfers $\tilde{c}_{x,y}$ back to ED. Then, ED performs the row aggregation as
$$R_x = \tilde{c}_{x,y} \prod_{j=1,\, j \ne y}^{n} c_{x,j} \bmod p^2 \quad\text{and}\quad R_i = \prod_{j=1}^{n} c_{i,j} \bmod p^2, \quad 1 \le i \ne x \le m.$$
Similarly, ED performs the column aggregation as
$$C_y = \tilde{c}_{x,y} \prod_{i=1,\, i \ne x}^{m} c_{i,y} \bmod p^2 \quad\text{and}\quad C_j = \prod_{i=1}^{m} c_{i,j} \bmod p^2, \quad 1 \le j \ne y \le n.$$
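The key generation, report generation, aggregation, reading and fault-tolerance steps of Sections 3.2 to 3.6, carried through end to end as an added example (Python written for this page, not the authors' implementation). The pairing-based signatures are left out; H_1 is instantiated as SHA-256 reduced into Z_p^*, and p is a small constructed prime rather than a 1024-bit one, both of which are assumptions of this example.

```python
"""Toy walkthrough of the MMDA aggregation core: Lagrange-derived keys,
blinded ciphertexts mod p^2, row/column aggregation, CC-side reading, and
TA's artificial ciphertext for a failed component.  Signatures are omitted."""
from fractions import Fraction
from hashlib import sha256
import random

P = 1_000_003      # constructed toy prime (the paper uses |p| = 1024 bits)
P2 = P * P


def mu(ell, t):
    """mu^ell_t = prod_{s=1, s!=t}^{ell} s/(s-t): Lagrange basis value at x=0."""
    v = Fraction(1)
    for s in range(1, ell + 1):
        if s != t:
            v *= Fraction(s, s - t)
    assert v.denominator == 1      # these coefficients are always integers
    return int(v)


def h1(amr):
    """Assumed instantiation of H1: {0,1}* -> Z_p^*, SHA-256 reduced mod (p-1), plus 1."""
    return int.from_bytes(sha256(str(amr).encode()).digest(), "big") % (P - 1) + 1


def keygen(m, n, rng):
    """TA: random key matrix K, then CC's row keys rk_i and column keys ck_j via Eq. (3)."""
    K = [[rng.randrange(P) for _ in range(n)] for _ in range(m)]
    k_i0 = [sum(K[i][j] * mu(n, j + 1) for j in range(n)) for i in range(m)]
    k_0j = [sum(K[i][j] * mu(m, i + 1) for i in range(m)) for j in range(n)]
    rk = [k_i0[i] + sum(K[i][j] * mu(m, i + 1) for j in range(n)) for i in range(m)]
    ck = [k_0j[j] + sum(K[i][j] * mu(n, j + 1) for i in range(m)) for j in range(n)]
    return K, rk, ck


def blind(m, n, k_ij, i, j, amr):
    """b_{i,j} = H1(AMR)^{k_{i,j}(mu^m_i + mu^n_j)} mod p^2 (i, j are 1-based)."""
    return pow(h1(amr), k_ij * (mu(m, i) + mu(n, j)), P2)


def encrypt(K, D, amr):
    """Each D_i: c_{i,j} = (1 + d_{i,j} p) * b_{i,j} mod p^2."""
    m, n = len(D), len(D[0])
    return [[(1 + D[i][j] * P) * blind(m, n, K[i][j], i + 1, j + 1, amr) % P2
             for j in range(n)] for i in range(m)]


def artificial_ct(K, m, n, x, y, amr):
    """TA's replacement for a lost c_{x,y} (0-based x, y): the same blinding with d_{x,y} = 0."""
    return blind(m, n, K[x][y], x + 1, y + 1, amr)


def aggregate(C):
    """ED: R_i = prod_j c_{i,j} and C_j = prod_i c_{i,j}, both mod p^2."""
    m, n = len(C), len(C[0])
    R, Ccol = [1] * m, [1] * n
    for i in range(m):
        for j in range(n):
            R[i] = R[i] * C[i][j] % P2
            Ccol[j] = Ccol[j] * C[i][j] % P2
    return R, Ccol


def read(R, Ccol, rk, ck, amr):
    """CC: strip H1(AMR)^{rk_i} (resp. ^{ck_j}); then (Agg - 1)/p is the sum, by Eq. (1)."""
    h = h1(amr)

    def unblind(agg, key):
        val = agg * pow(h, -key, P2) % P2   # exponents cancel exactly when Eq. (3) holds
        assert (val - 1) % P == 0
        return (val - 1) // P

    return ([unblind(R[i], rk[i]) for i in range(len(R))],
            [unblind(Ccol[j], ck[j]) for j in range(len(Ccol))])


def demo(fail=None, seed=7):
    """One AMR round with 3 devices x 5 dimensions; fail=(x, y) simulates a lost c_{x,y}."""
    rng = random.Random(seed)
    D = [[rng.randrange(50) for _ in range(5)] for _ in range(3)]   # constructed readings
    K, rk, ck = keygen(3, 5, rng)
    amr = 1
    C = encrypt(K, D, amr)
    if fail:
        x, y = fail
        D[x][y] = 0                                   # what CC will effectively see
        C[x][y] = artificial_ct(K, 3, 5, x, y, amr)
    rows, cols = read(*aggregate(C), rk, ck, amr)
    return D, rows, cols


if __name__ == "__main__":
    D, rows, cols = demo(fail=(1, 2))
    print("plaintext matrix (failed entry zeroed):", D)
    print("row sums:", rows, " column sums:", cols)
```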

After generating all $m + n$ data $R_i$, $1 \le i \le m$, and $C_j$, $1 \le j \le n$, ED is able to obtain the correct signature $\sigma$ and aggregated ciphertext $RC$ using its key $x$ (see Section 3.4), and sends them to CC. We note that the only difference between $\tilde{c}_{x,y}$ and $c_{x,y}$, generated by TA and $D_x$ respectively, is that the real value $d_{x,y}$ of $D_x$ at dimension $y$ is replaced by zero. Thus CC can obtain the proper aggregation results, which shows that our proposed scheme satisfies the fault-tolerance property.

4. Security Analysis

Based on the security model in Section 2.2, we first consider the case where $\mathcal{A}$ eavesdrops on the communication between IoT devices and ED. Then, $\mathcal{A}$ is able to obtain
$$c_{i,j} := (1 + d_{i,j} \cdot p) \cdot H_1(AMR)^{k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j)} \bmod p^2,$$

where $1 \le i \le m$, $1 \le j \le n$. If $\mathcal{A}$ wishes to infer an individual component $d_{i,j}$ of $D_i$'s data vector $d_i = (d_{i,1}, d_{i,2}, \ldots, d_{i,n})$, $\mathcal{A}$ has to remove the blinding factor $H_1(AMR)^{k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j)}$, which includes a key $k_{i,j}$ of $D_i$ for the dimension $j$. Since $k_{i,j}$ is generated by the trusted TA and transmitted to $D_i$ via a secure channel, it should not be revealed to any other entity. Consequently, $\mathcal{A}$ is unable to obtain an individual component $d_{i,j}$ by decrypting $c_{i,j}$. Similarly, if $\mathcal{A}$ eavesdrops on the communication channel between ED and CC, then $\mathcal{A}$ can obtain the $m + n$ data
$$R_i = \prod_{j=1}^{n} (1 + d_{i,j} \cdot p) \cdot H_1(AMR)^{k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j)} \bmod p^2$$
and
$$C_j = \prod_{i=1}^{m} (1 + d_{i,j} \cdot p) \cdot H_1(AMR)^{k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j)} \bmod p^2$$

where $1 \le i \le m$ and $1 \le j \le n$. As shown in Section 3.5, if $\mathcal{A}$ wishes to decrypt $R_i$ and $C_j$ to obtain $\sum_{j=1}^{n} d_{i,j}$ and $\sum_{i=1}^{m} d_{i,j}$, respectively, he/she must have the private keys $rk_i$ and $ck_j$ of CC, $i = 1, 2, \ldots, m$, $j = 1, 2, \ldots, n$. However, the private keys of CC are generated by TA and transmitted to CC over a secure channel; thus, $\mathcal{A}$ is not able to obtain the aggregation data.

We next consider the potential privacy issues due to the honest-but-curious ED and CC. Recall that ED is allowed to have access to all $m \cdot n$ ciphertexts $c_{i,j}$, $1 \le i \le m$, $1 \le j \le n$. Further, ED is able to aggregate these ciphertexts into $m + n$ data $R_i$ and $C_j$, $1 \le i \le m$, $1 \le j \le n$. However, as discussed above, ED is unable to obtain the private key $k_{i,j}$ of $D_i$; thus, ED is unable to decrypt $c_{i,j}$ and retrieve $d_{i,j}$. Similarly, ED is unable to obtain the private keys $rk_i$ or $ck_j$ of CC and thus is unable to decrypt $R_i$ or $C_j$ and retrieve $\sum_{j=1}^{n} d_{i,j}$ or $\sum_{i=1}^{m} d_{i,j}$. On the other hand, CC is allowed to own the private keys $rk_i$ and $ck_j$, which enable CC to decrypt $R_i$ and $C_j$, respectively, and obtain the aggregation data. However, CC does not have the private keys of any user and thus is unable to decrypt any ciphertext $c_{i,j}$. As a result, CC does not obtain any individual data and the privacy of each device is preserved.

Finally, we consider the authenticity of the messages exchanged over the public channels (i.e. $\mathcal{A}$ is an active attacker who can inject and tamper with messages). In our proposed MMDA scheme, the messages transmitted from $D_i$ to ED are $E_i$ (see Eq. (4)), which include the ciphertexts $c_{i,j}$, $1 \le j \le n$, and the signature $\sigma_i$. Without the private key $x_i$ of $D_i$, $\mathcal{A}$ is unable to generate a valid signature $\sigma'_i$ on some selected messages $c'_{i,j}$, $1 \le j \le n$, satisfying the following equation:
$$e(P, \sigma'_i) = e(Y_i, H_2(c'_{i,1} \| \cdots \| c'_{i,n} \| id_{ED} \| id_{D_i} \| AMR)).$$
This shows that $E_i$ will be accepted by ED only when it is produced by the correct and legitimate $D_i$.

Similarly, the messages transmitted from ED to CC are $RC$ (refer to Eq. (5)), which include the aggregated ciphertexts $(R_1, \ldots, R_m, C_1, \ldots, C_n)$ and the signature $\sigma$. Without the private key $x$ of ED, $\mathcal{A}$ is unable to generate a

Table 1: A Comparative Summary of Computation Overhead for Single Data Component

                          One Direction          Two Directions
Lu et al.'s scheme [1]    5 · T_mm + T_me        10 · T_mm + 2 · T_me
Our MMDA scheme           2 · T_mm + T_me        2 · T_mm + T_me

valid signature $\sigma'$ on some selected messages $R'_i$, $1 \le i \le m$, and $C'_j$, $1 \le j \le n$, satisfying the following equation:
$$e(P, \sigma') = e(Y, H_2(R'_1 \| \cdots \| R'_m \| C'_1 \| \cdots \| C'_n \| id_{CC} \| id_{ED} \| AMR)).$$
This demonstrates that no attacker can forge a valid signature $\sigma'$ accepted by CC. In summary, data integrity is guaranteed in MMDA.

5. Performance Evaluation

As far as we know, Lu et al.'s scheme [1] is the only existing multidimensional data aggregation scheme for fog computing-enhanced IoT. Thus we evaluate the performance of our proposed MMDA scheme by comparing it with Lu et al.'s data aggregation scheme. For fairness of comparison, the authentication-related overhead is ignored because the latter does not provide an authentication function. In the following we assume that there are $m$ IoT devices $D_i$, $1 \le i \le m$, each of which reports an $n$-dimensional data vector $d_i = (d_{i,1}, d_{i,2}, \ldots, d_{i,n})$.

5.1. Computation overhead

Let $T_{mm}$ and $T_{me}$ denote the computation overheads of a modular multiplication operation and a modular exponentiation operation, respectively. In Lu et al.'s scheme, the data component $d_{i,j}$ of device $D_i$ at dimension $j$ is encrypted in the form $c_{i,j} = [1 + N \cdot \alpha \cdot (d_{i,j} \cdot \beta + d_{i,j}^2)] \cdot H(T_j)^{N \cdot s_i} \bmod N^2$ (refer to [1]), which includes five modular multiplication operations and one modular exponentiation operation. This results in a computation overhead of $5 \cdot T_{mm} + T_{me}$ per data component in Lu et al.'s scheme. In our proposed MMDA scheme, the data component $d_{i,j}$ is encrypted as $c_{i,j} = (1 + d_{i,j} \cdot p) \cdot H_1(AMR)^{k_{i,j} \cdot (\mu^{m}_i + \mu^{n}_j)} \bmod p^2$, which has a computation overhead of $2 \cdot T_{mm} + T_{me}$ per data component. On the other hand, if we consider data aggregation in two directions, then each device in Lu et al.'s scheme has to encrypt the data component twice, which results in a computation overhead of $10 \cdot T_{mm} + 2 \cdot T_{me}$, i.e. double the aggregation overhead in one direction. For MMDA, however, the computation overhead of each device remains $2 \cdot T_{mm} + T_{me}$ per data component in the case of two-direction data aggregation.

We list a comparative summary of the computation overhead per data component in Table 1. To visually describe the advantage of our proposed MMDA scheme over Lu et al.'s scheme in computation overhead, we assume that $p$ and $N$ are two integers of the same 1024-bit length for an acceptable security level. Further, we set $T_{mm} = 0.765$ ms and $T_{me} = 8.44$ ms according to the first row of Table I in [29] and the last row of Table I in [30], respectively. Figures 5 and 6 show the overall computation time comparison in terms of the IoT device number $m$ and the data dimension $n$ in one direction and two directions, respectively.

Figure 5: Overall Computation Overhead Comparison in One Direction

Figure 6: Overall Computation Overhead Comparison in Two Directions

5.2. Communication cost

The communication cost of our proposed MMDA scheme and Lu et al.'s scheme can be considered in two parts: (1) from IoT device $D_i$, $1 \le i \le m$, to the edge device ED; and (2) from ED to the control center CC. We focus only on the communication cost comparison in two-directional data aggregation. In part (2), ED in Lu et al.'s scheme needs to send the aggregated data $C_j = \left(\prod_{i=1}^{m} c_{i,j}\right) \cdot H(T_j)^{N \cdot s_{n+1}} \bmod N^2$, $1 \le j \le n$, twice to CC for a two-directional aggregation, while the corresponding data in our MMDA scheme are the ciphertexts $R_i = \prod_{j=1}^{n} c_{i,j}$, $1 \le i \le m$, and $C_j = \prod_{i=1}^{m} c_{i,j}$, $1 \le j \le n$. This shows that our MMDA scheme and Lu et al.'s scheme have a similar communication cost in part (2).

For part (1), each IoT device $D_i$, $1 \le i \le m$, in our MMDA scheme needs to report the $n$ ciphertexts $c_{i,j}$, $1 \le j \le n$, once to ED for a two-directional aggregation, while in Lu et al.'s scheme the data reported by each IoT device $D_i$, $1 \le i \le m$, to ED are twice the $n$ ciphertexts $c_{i,j}$, $1 \le j \le n$, for a two-directional aggregation. This shows that the communication cost of each IoT device in Lu et al.'s scheme is twice that of our MMDA scheme. In view of the limited bandwidth of IoT devices, our MMDA scheme has a higher communication efficiency than Lu et al.'s scheme; thus, it is more suitable for deployment in practical applications. Finally, we consider the overall communication costs of both our MMDA scheme and Lu et al.'s scheme. To simplify the discussion, we assume that each transferred message needs 1024 bits of bandwidth on average (i.e. $|p| = |N| = 1024$ bits). Figure 7 illustrates the overall communication cost comparison in terms of the IoT device number $m$ and the data dimension $n$ between our MMDA scheme and Lu et al.'s scheme, which indicates that our MMDA scheme greatly reduces the overall communication costs, especially in the case that the parameters $m$ and $n$ are large.

Figure 7: Communication Cost Comparison in Two Directions

6. Conclusion

Edge computing-enhanced IoT will increasingly become the norm in our society, and there remain a number of research challenges and opportunities in securing edge computing-enhanced IoT in the fast-paced threat landscape [31, 32]. One particular research challenge is to design secure and efficient privacy-preserving data aggregation schemes for edge computing-enhanced IoT systems, and this is the focus of this paper. Specifically, in this paper, we proposed an efficient multidimensional and multidirectional data aggregation (MMDA) scheme for privacy-preserving edge computing-enhanced IoT communications. Compared with existing multidimensional data aggregation schemes, which generally have only one aggregation direction, MMDA enables an IoT control center to aggregate data in two directions. Thus, our scheme allows more statistical information to be provided to the control center, which can be used for in-depth analysis and processing. MMDA also adopts batch verification to reduce the authentication cost and supports fault tolerance.

Future research includes implementing a prototype of the proposed MMDA scheme in a closed environment, for example in collaboration with a real-world utility service provider. This would allow us to evaluate and refine MMDA in a real-world setting.

Declaration of Competing Interests

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper. The authors declare the following financial interests/personal relationships which may be considered as potential competing interests: none.

Declarations of interest: none

Acknowledgement

The work is supported in part by the NSFC-Zhejiang Joint Fund for the Integration of Industrialization and Informatization under Grant No. U1509219, the Shanghai Natural Science Foundation under Grant No. 17ZR1408400, the Key Lab of Information Network Security of Ministry of Public Security (The Third Research Institute of Ministry of Public Security) under Grant No. C18603, the National Key R&D Program of China under Grant No. 2017YFB0802302, and the National Natural Science Foundation of China under Grant Nos. 61601129 and 11701179. Bofeng Pan and Hong Liu are joint corresponding authors.

References

[1] Lu R, Heung K, Lashkari A H, et al. A lightweight privacy-preserving data aggregation scheme for fog computing-enhanced IoT. IEEE Access, 2017, 5: 3302–3312.
[2] Sosa-Reyna C M, Tello-Leal E, Lara-Alabazares D. Methodology for the model-driven development of service oriented IoT applications. Journal of Systems Architecture, 2018, 90: 15–22.
[3] Wazid M, Das A K, Hussain R, et al. Authentication in cloud-driven IoT-based big data environment: Survey and outlook. Journal of Systems Architecture, 2019, 97: 185–196.


[4] Eltayieb N, Elhabob R, Hassan A, et al. An efficient attribute-based online/offline searchable encryption and its application in cloud-based reliable smart grid. Journal of Systems Architecture, 2019, 98: 165–172.
[5] Dilley J, Maggs B, Parikh J, et al. Globally distributed content delivery. IEEE Internet Computing, 2002, 6(5): 50–58.
[6] Yousefpour A, Fung C, Nguyen T, et al. All one needs to know about fog computing and related edge computing paradigms: A complete survey. Journal of Systems Architecture, 2019.
[7] Mahdikhani H, Lu R. Achieving privacy-preserving multi dot-product query in fog computing-enhanced IoT. GLOBECOM 2017 - 2017 IEEE Global Communications Conference. IEEE, 2017: 1–6.
[8] Huang C, Lu R, Choo K-K R. Vehicular fog computing: architecture, use case, and security and forensic challenges. IEEE Communications Magazine, 2017, 55(11): 105–111.
[9] Hajny J, Dzurenda P, Malina L. Privacy-enhanced data collection scheme for smart-metering. International Conference on Information Security and Cryptology. Springer International Publishing, 2015: 413–429.
[10] Jung T, Li X Y, Wan M. Collusion-tolerable privacy-preserving sum and product calculation without secure channel. IEEE Transactions on Dependable and Secure Computing, 2015, 12(1): 45–57.
[11] He D, Kumar N, Lee J H. Privacy-preserving data aggregation scheme against internal attackers in smart grids. Wireless Networks, 2016, 22(2): 491–502.
[12] Li F, Luo B, Liu P. Secure information aggregation for smart grids using homomorphic encryption. 2010 First IEEE International Conference on Smart Grid Communications (SmartGridComm). IEEE, 2010: 327–332.
[13] Wang H, Wang Z, Domingo-Ferrer J. Anonymous and secure aggregation scheme in fog-based public cloud computing. Future Generation Computer Systems, 2018, 78: 712–719.
[14] Sui Z, Niedermeier M, de Meer H. RESA: A robust and efficient secure aggregation scheme in smart grids. International Conference on Critical Information Infrastructures Security. Springer International Publishing, 2015: 171–182.
[15] Ni J, Zhang K, Lin X, et al. EDAT: Efficient data aggregation without TTP for privacy-assured smart metering. 2016 IEEE International Conference on Communications (ICC). IEEE, 2016: 1–6.


[16] Borges F, Volk F, Mühlhäuser M. Efficient, verifiable, secure, and privacy-friendly computations for the smart grid. 2015 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT). IEEE, 2015: 1–5.
[17] Borges F, Mühlhäuser M. EPPP4SMS: Efficient privacy-preserving protocol for smart metering systems and its simulation using real-world data. IEEE Transactions on Smart Grid, 2014, 5(6): 2701–2708.
[18] Erkin Z. Private data aggregation with groups for smart grids in a dynamic setting using CRT. 2015 IEEE International Workshop on Information Forensics and Security (WIFS). IEEE, 2015: 1–6.
[19] Lu R, Liang X, Li X, Lin X, Shen X. EPPA: An efficient and privacy-preserving aggregation scheme for secure smart grid communications. IEEE Transactions on Parallel and Distributed Systems, 2012, 23(9): 1621–1631.
[20] Liu X, Zhang Y, Wang B, Wang H. An anonymous data aggregation scheme for smart grid systems. Security and Communication Networks, 2014, 7(3): 602–610.
[21] Shen H, Zhang M, Shen J. Efficient privacy-preserving cube-data aggregation scheme for smart grids. IEEE Transactions on Information Forensics and Security, 2017, 12(6): 1369–1381.
[22] González-Manzano L, de Fuentes J M, Pastrana S, Peris-Lopez P, Hernández-Encinas L. PAgIoT - Privacy-preserving aggregation protocol for Internet of Things. Journal of Network and Computer Applications, 2016, 71: 59–71.
[23] Guan Z, Zhang Y, Wu L, et al. APPA: An anonymous and privacy preserving data aggregation scheme for fog-enhanced IoT. Journal of Network and Computer Applications, 2019, 125: 82–92.
[24] Pan B, Zeng P. A new multidimensional and fault-tolerable data aggregation scheme for privacy-preserving smart grid communications. 2017 International Conference on Applications and Techniques in Cyber Security and Intelligence (ATCI), 2017: 206–219.
[25] Boneh D, Goh E J, Nissim K. Evaluating 2-DNF formulas on ciphertexts. Theory of Cryptography Conference (TCC). Springer, 2005, LNCS 3378: 325–341.
[26] Shamir A. How to share a secret. Communications of the ACM, 1979, 22(11): 612–613.
[27] Li B, Lu R, Wang W, Choo K-K R. DDOA: A Dirichlet-based detection scheme for opportunistic attacks in smart grid cyber-physical system. IEEE Transactions on Information Forensics and Security, 2016, 11(11): 2415–2425.


[28] Li B, Lu R, Wang W, Choo K-K R. Distributed host-based collaborative detection for false data injection attacks in smart grid cyber-physical system. Journal of Parallel and Distributed Computing, 2017, 103: 32–41.
[29] Wang W, Hu Y, Chen L, et al. Accelerating fully homomorphic encryption using GPU. 2012 IEEE Conference on High Performance Extreme Computing. IEEE, 2012: 1–5.
[30] da Costa C A, Moreno R L, Carpinteiro O S A, et al. Design of a 1024-bit RSA coprocessor with SPI slave interface. 2014 International Caribbean Conference on Devices, Circuits and Systems (ICCDCS). IEEE, 2014: 1–4.
[31] Choo K-K R. The cyber threat landscape: Challenges and future research directions. Computers & Security, 2011, 30(8): 719–731.
[32] Choo K-K R, Kermani M M, Azarderakhsh R, Govindarasu M. Emerging embedded and cyber physical system security challenges and innovations. IEEE Transactions on Dependable and Secure Computing, 2017, 14(3): 235–236.

Biography

Peng Zeng received the Ph.D. degree in computer science and technology from Shanghai Jiao Tong University, Shanghai, China, in 2009. He is currently an Associate Professor with East China Normal University, Shanghai. His current research interests include applied cryptography, network information security, and coding theory.

Bofeng Pan received the Bachelor's degree in computer science from JiangXi Normal University in 2015 and the Master's degree in software engineering from East China Normal University, Shanghai, China. His research interests include cryptography, network security, privacy preservation, and IoT systems.

Kim-Kwang Raymond Choo (SM’15) received the Ph.D. degree in information security from the Queensland University of Technology, Australia, in 2006. He currently holds the Cloud Technology Endowed Professorship with The University of Texas at San Antonio. He is also a fellow of the Australian Computer Society. In 2015, he and his team won the Digital Forensics Research Challenge organized by the Germany’s University of Erlangen-Nuremberg. In 2016, he was named the Cybersecurity Educator of the Year—APAC (Cybersecurity Excellence Awards are produced in cooperation with the Information Security Community on LinkedIn). He was a recipient of the 2008 Australia Day Achievement Medallion, the British Computer Society’s Wilkes Award in 2008, the Fulbright Scholarship in 2009, the 2014 Highly Commended Award by the Australia New Zealand Policing Advisory Agency, and the ESORICS 2015 Best Paper Award.

Hong Liu is an associate professor in the School of Computer Science and Software Engineering, East China Normal University. She received her Ph.D. degree from the School of Electronic and Information Engineering, Beihang University, China. She focuses on security and privacy issues in edge computing. She has published more than 30 SCI papers, and 1 ESI Highly Cited Paper. She has served as a Program Committee member and Workshop Chair in several conferences.
