![Page 1: Secure Aggregation in a Publish-subscribe system](https://reader035.vdocuments.mx/reader035/viewer/2022062501/56816197550346895dd14541/html5/thumbnails/1.jpg)
Secure Aggregation in a Publish-subscribe System
Kazuhiro Minami*, Adam Lee**, Marianne Winslett*, and Nikita Borisov*
* University of Illinois at Urbana-Champaign
** University of Pittsburgh
Page 2: Publish-subscribe System for Wide-area Control Systems
[Figure: a publish-subscribe overlay network. Publishers (door card reader, motion sensor, phasor measurement units, power meters) send events through routing nodes to subscribers (building management system, power grid monitor).]
Page 3: Information Infrastructure Needs
• Scalability
– Keep up with the growing number of installed sensors and devices that publish events frequently
• Communication bandwidth and latency
– Reducing the bandwidth requirements will help reduce the deployment cost of wide-area control systems
• Flexibility
– Accommodate the diverse security requirements of different entities
Page 4: In-network Aggregation
[Figure: application-level aggregation versus in-network aggregation. In application-level aggregation, a node that is both subscriber and publisher receives x1, x2, x3 from the routing nodes and republishes f(x1,x2,x3); in in-network aggregation, a routing node computes f(x1,x2,x3) from x1, x2, x3 on the way to the subscribers.]
In-network aggregation could reduce bandwidth requirements further.
Page 5: Goals of Secure Aggregation
• Confidentiality – Publish aggregated data only to authorized subscribers while protecting the confidentiality of individual raw data
• Integrity – Subscribers can verify the authenticity and integrity of aggregated data
Page 6: System Model
[Figure: publishers, routing nodes and subscribers of the publish-subscribe system, plus a security manager. The labelled interactions are: 1. confidentiality policies; 2. subscription requests; 3. routing path; 4. publication requests; 5. raw data; 6. aggregated data.]
Page 7: Our Assumptions
[Figure: publishers, subscribers and the routing nodes of the pub-sub system, annotated as follows.]
• Publishers do not trust the pub-sub system in terms of confidentiality of their private input
• Subscribers do not trust the pub-sub system in terms of integrity of the aggregate
• A public key infrastructure lets parties send secrets securely
• No more than m parties collude
Page 8: Supporting Additive Aggregation as a First Step
• Compute the sum of multiple values published by different publishers
• Can support other functions such as
– COUNT, AVERAGE, STD, etc.
Page 9: Confidentiality Requirement
• Allow publishers to disclose aggregated data only to authorized subscribers while keeping raw data private
[Figure: publishers P1 and P2 hold v1 and v2. The subscriber Psub is authorized for the sum, Psub in acl(P1.v1+P2.v2), but not for the individual values v1 and v2 (acl(v1), acl(v2)). The pub-sub system between them carries v1, v2 and v1+v2.]
The pub-sub system should read neither v1, v2, nor v1+v2.
Page 10: Naive Approach 1
• Use additively homomorphic encryption (i.e., E(v1+v2) = E(v1) + E(v2)) to protect raw data from untrusted routing nodes
[Figure: P1 sends E(v1) and P2 sends E(v2) to routing node R, which computes E(v1+v2) = E(v1) + E(v2) and forwards it to Psub, who decrypts v1+v2. An adversary can instead pass E(v1) alone to Psub, who decrypts v1: a violation of P1's confidentiality policy.]
Page 11: Naive Approach 1
[Figure: the same setting. An adversary replaces E(v1+v2) with E(v1+2*v2), so Psub decrypts v1+2*v2 and cannot tell it from the real sum: a violation of Psub's integrity policy.]
Page 12: Naive Approach 2
• Attach raw data and its digital signatures to verify the integrity and authenticity of the data
[Figure: P1 sends E(v1), Sig1(E(v1)) and P2 sends E(v2), Sig2(E(v2)) to routing node R, which must forward E(v1+v2), E(v1), E(v2), Sig1(E(v1)), Sig2(E(v2)) to Psub.]
Too much data to send!
Page 13: Our approach
• Secret splitting to protect confidential data
• Homomorphic message authentication code (MAC) to ensure the integrity of aggregated data
– MAC(v, g) = g^v (mod p), where p is a large prime, so that:
MAC(v1, g) * MAC(v2, g) = MAC(v1+v2, g)
Page 14: Protocol Sketch: Initial Secret Sharing
1. Publishers and subscribers share a secret generator g of group Gp
2. Publisher Pi sends secrets ri and qi to a subscriber
[Figure: P1 and P2 each hold g, their value v1 or v2, and their secrets (r1, q1) or (r2, q2); the secrets reach Psub over an out-of-band channel rather than through the routing nodes R.]
Page 15: Protocol Sketch: Publication of data
1. Publisher Pi splits vi – qi into v'i,1 and v'i,2
– Necessary to protect the sum v1+v2 from the root routing node
2. Publisher Pi computes ci = MAC(vi + ri, g) = g^(vi+ri)
– Necessary to protect generator g from a known-plaintext attack
[Figure: P1 sends (v'1,1, c1) and P2 sends (v'2,1, c2) to one routing node, while v'1,2 and v'2,2 go to a different routing node; the two paths join at the root R before Psub.]
Page 16: Protocol Sketch: Publication of data
1. Aggregator R computes the sum v'sum of the input shares and the product csum of the input MACs
2. Aggregator R publishes v'sum and csum
v'sum ≡ v'1,1 + v'2,1 + v'1,2 + v'2,2, csum ≡ c1 * c2
[Figure: each lower routing node forwards the sum of the shares it received together with the MACs c1 and c2; the root R outputs v'sum and csum to Psub.]
Page 17: Protocol Sketch: Verification
1. Subscriber Psub computes the real sum vsum = v'sum + q1 + q2
2. Psub checks whether csum = MAC(vsum + r1 + r2, g)
[Figure: Psub holds g, (r1, q1) and (r2, q2) from the initial secret sharing and receives v'sum and csum from the root R.]
Page 18: Security Properties
• Confidentiality of aggregate sum
– No coalition of routing nodes can obtain the sum
• Confidentiality of individual data
– No colluding party of up to size m can obtain any publisher Pi's input data vi
• Integrity of aggregate sum
– The probability that subscriber Psub accepts an incorrect sum is no more than 1/p, where p is the prime order of group Gp
Page 19: Related work
• Secure aggregation in sensor networks
– Integrity
• Chan [CCS06], Przydatek [SenSys03]
– Confidentiality
• Castelluccia [Mobiquitous05], Girao [ICC06], He [INFOCOM07], Hu [SAINT03 Workshop]
• Verification of aggregated query
– Integrity
• Haber [TR HPL06]
Page 20: Summary
• Secure additive aggregation protocol in the presence of untrusted routing nodes
– Protect publishers' private data with secret splitting
– Homomorphic MAC scheme ensures the integrity of the aggregate sum
• Future work includes fault tolerance mechanisms for handling the failure of publisher nodes
Page 21: Thanks!
Page 22: Authentication of Aggregated MAC
[Figure: publishers, routing node, subscribers and security manager.]
Page 23: Future work
• Formal safety proof of our algorithm
• Incorporate a fault tolerant mechanism using a threshold sharing scheme
– Disclose the sum with m publishers out of n publishers if m is greater than threshold k
• Experiments with a prototype system
– Performance overhead of our scheme
• Support other aggregate functions such as MAX/MIN