Secure Aggregation in a Publish-subscribe system

Kazuhiro Minami*, Adam Lee**, Marianne Winslett*, and Nikita Borisov*

*University of Illinois at Urbana-Champaign
**University of Pittsburgh



TRANSCRIPT

Page 1: Title slide (title, authors and affiliations as given above)

Page 2: Publish-subscribe System for Wide-area Control Systems

[Figure: a publish-subscribe overlay network of routing nodes; publishers (door card reader, motion sensor, phasor measurement units, power meters) on one side, subscribers (building management system, power grid monitor) on the other.]

Page 3: Secure Aggregation in a Publish-subscribe system

Information Infrastructure Needs• Scalability

– Keep up with the increase of the number of installed sensors and devices publishing events frequently

• Communication bandwidth and latency– Reducing the bandwidth requirements will help to

reduce the deployment cost of wide-area control systems

• Flexibility– Accommodate the diverse security requirements of

different entities

Page 4: In-network Aggregation

[Figure: two configurations. Application-level aggregation: publishers send x1, x2, x3 through the routing nodes to a node that is both subscriber and publisher, which computes f(x1,x2,x3) and republishes the result to the subscribers. In-network aggregation: a routing node computes f(x1,x2,x3) itself and forwards only the result.]

In-network aggregation could reduce bandwidth requirements further.

Page 5: Goals of Secure Aggregation

• Confidentiality – Publish aggregated data only to authorized subscribers while protecting the confidentiality of individual raw data
• Integrity – Subscribers can verify the authenticity and integrity of aggregated data

Page 6: System Model

[Figure: a security manager alongside the publish-subscribe system (publishers, routing nodes, subscribers). Numbered flows: 1. confidentiality policies; 2. subscription requests; 3. routing path; 4. publication requests; 5. raw data from the publishers; 6. aggregated data to the subscribers.]

Page 7: Our Assumptions

[Figure: publishers, subscribers and the routing nodes of the pub-sub system, with "do not trust" arrows toward the pub-sub system and a Public Key Infrastructure beside them.]

• Publishers do not trust the pub-sub system in terms of confidentiality of their private input
• Subscribers do not trust the pub-sub system in terms of integrity of the aggregate
• A Public Key Infrastructure lets parties send secrets securely
• No more than m parties collude

Page 8: Supporting Additive Aggregation as a First Step

• Compute the sum of multiple values published by different publishers
• Can support other functions such as
  – COUNT, AVERAGE, STD, etc.

Page 9: Confidentiality Requirement

• Allow publishers to disclose aggregated data only to authorized subscribers while keeping raw data private

[Figure: publishers P1 (value v1) and P2 (value v2), the pub-sub system, and subscriber Psub; the figure relates Psub to the access-control lists acl(v1), acl(v2) and acl(P1.v1+P2.v2). The raw values v1, v2 enter the system and v1+v2 is delivered to Psub.]

Pub-sub system should read neither v1, v2, nor v1+v2.

Page 10: Naive Approach 1

• Use additively homomorphic encryption (i.e., E(v1+v2) = E(v1) + E(v2)) to protect raw data from untrusted routing nodes

[Figure: P1 sends E(v1) and P2 sends E(v2) to routing node R, which computes E(v1+v2) = E(v1)+E(v2) and forwards it to Psub, who obtains v1+v2. An adversary at R forwards E(v1) on its own, so Psub obtains v1: violation of P1's confidentiality policy.]

Page 11: Naive Approach 1 (continued)

• Use additively homomorphic encryption (i.e., E(v1+v2) = E(v1) + E(v2)) to protect raw data from untrusted routing nodes

[Figure: same setting as the previous slide. An adversary at R instead forwards E(v1+2*v2), so Psub obtains v1+2*v2 and cannot tell it from the true sum: violation of Psub's integrity policy.]
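As an added illustration of why Naive Approach 1 breaks down (this is not code from the talk), the following Python models pages 10 and 11 with a toy Paillier instance standing in for the additively homomorphic scheme; the choice of Paillier, the 20-bit primes and all function names are assumptions of this example. The point it makes is the one on the slides: the routing node cannot read E(v1) or E(v2), but nothing stops it from forwarding E(v1) alone or computing E(v1+2*v2), and the subscriber's decryption gives no signal that anything is wrong.

```python
"""Toy Paillier run of Naive Approach 1 (pages 10-11). Added example, not the
authors' code; the primes are constructed demonstration values only."""
from math import gcd
import random

# Constructed toy key material: two small primes, far below any real key size.
P_TOY, Q_TOY = 1000003, 1000033


def paillier_keygen(p, q):
    """Paillier key pair with the common choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                            # valid because g = n + 1
    return (n, n + 1), (lam, mu)


def encrypt(pk, m, rng):
    """E(m) = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pk
    n2 = n * n
    r = rng.randrange(1, n)
    while gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(pk, sk, c):
    """D(c) = L(c^lam mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, _ = pk
    lam, mu = sk
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def add_ciphertexts(pk, c1, c2):
    """The slide's E(v1 + v2) = E(v1) + E(v2): for Paillier the ciphertext
    operation that adds plaintexts is multiplication mod n^2."""
    n = pk[0]
    return c1 * c2 % (n * n)


def scale_ciphertext(pk, c, k):
    """E(k * v) = E(v)^k mod n^2: the same homomorphism applied k times."""
    n = pk[0]
    return pow(c, k, n * n)


def naive_approach_1(v1, v2, seed=1):
    """Model the routing node R of pages 10-11. Returns what the subscriber
    decrypts in the honest run, when E(v1) is forwarded on its own (page 10),
    and when R substitutes E(v1 + 2*v2) (page 11). The subscriber has no way
    to distinguish the three ciphertexts; that gap is what the talk's
    homomorphic MAC closes."""
    rng = random.Random(seed)
    pk, sk = paillier_keygen(P_TOY, Q_TOY)
    e1, e2 = encrypt(pk, v1, rng), encrypt(pk, v2, rng)   # published by P1, P2
    honest = add_ciphertexts(pk, e1, e2)                    # E(v1 + v2)
    leaked = e1                                             # raw E(v1) forwarded
    forged = add_ciphertexts(pk, e1, scale_ciphertext(pk, e2, 2))  # E(v1 + 2*v2)
    return decrypt(pk, sk, honest), decrypt(pk, sk, leaked), decrypt(pk, sk, forged)


if __name__ == "__main__":
    print(naive_approach_1(17, 25))   # (42, 17, 67)
```

All three values decrypt cleanly, which is exactly the problem: confidentiality of the individual inputs and integrity of the sum both depend on the routing node behaving, and the subscriber cannot check either.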

Page 12: Naive Approach 2

• Attach raw data and its digital signatures to verify the integrity and authenticity of the data

[Figure: P1 sends E(v1), Sig1(E(v1)) and P2 sends E(v2), Sig2(E(v2)) to routing node R, which forwards E(v1+v2), E(v1), E(v2), Sig1(E(v1)), Sig2(E(v2)) to Psub.]

Too much data to send!

Page 13: Our approach

• Secret splitting to protect confidential data
• Homomorphic message authentication code (MAC) to ensure the integrity of aggregated data
  – MAC(v, g) = g^v (mod p) where p is a large prime, such that:
    MAC(v1, g) * MAC(v2, g) = MAC(v1+v2, g)

Page 14: Protocol Sketch: Initial Secret Sharing

1. Publishers and subscribers share a secret generator g of group Gp
2. Publisher Pi sends secrets ri and qi to a subscriber

[Figure: publishers P1 and P2 and subscriber Psub each hold g; P1 sends (r1, q1) and P2 sends (r2, q2) to Psub over an out-of-band channel that bypasses the routing nodes R.]

Page 15: Protocol Sketch: Publication of data

1. Publisher Pi splits vi – qi into v'i,1 and v'i,2
   – Necessary to protect the sum v1+v2 from the root routing node
2. Publisher Pi computes ci = MAC(vi + ri, g) = g^(vi+ri)
   – Necessary to protect the generator g from a known-plaintext attack

[Figure: P1 sends (v'1,1, c1) to one routing node R and v'1,2 to another; P2 likewise sends (v'2,1, c2) and v'2,2; both routing nodes forward toward a root R in front of Psub.]

Page 16: Protocol Sketch: Publication of data (continued)

1. Aggregator R computes the sum v'sum of the input shares and the product csum of the input MACs
2. Aggregator R publishes v'sum and csum

v'sum ≡ (v'1,1 + v'2,1) + (v'1,2 + v'2,2), csum ≡ c1 * c2

[Figure: each intermediate routing node forwards its partial share sum, one together with c1 and the other with c2, to the root R, which sends v'sum and csum on to Psub.]

Page 17: Protocol Sketch: Verification

1. Subscriber Psub computes the real sum vsum = v'sum + q1 + q2
2. Psub checks whether csum = MAC(vsum + r1 + r2, g)

[Figure: same routing picture as the previous slide; Psub holds g and the secrets (r1, q1) and (r2, q2) received on page 14, and uses them to unmask v'sum and check csum.]
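The steps of pages 13 through 17 fit in one short program, so the following is added here as a single end-to-end run of the sketched protocol (this is an illustration written for this page, not the authors' implementation). Assumptions of the example: the group Gp of the talk is realised as the prime-order-q subgroup of Z_P^* for a safe prime P = 2q+1, so the modulus and the group order are distinct here where the slides write both as p; shares and masks live in Z_q; the two routing paths of the figure are modelled as two lists of shares; and the function names are invented. Beyond the two-publisher case on the slides it handles any number of publishers, and it also shows the page 17 check rejecting a root node that alters the share sum.

```python
"""Toy single-process run of the additive secure-aggregation protocol
(pages 13-17). Added example, not the authors' code."""
import random


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; exact for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=62):
    """Return (P, q) with P = 2q + 1 both prime. The order-q subgroup of Z_P^*
    plays the role of Gp; q is the 'prime order of group Gp' of page 18."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


def mac(v, g, P):
    """Homomorphic MAC of page 13: MAC(v, g) = g^v mod P, hence
    MAC(v1, g) * MAC(v2, g) = MAC(v1 + v2, g)."""
    return pow(g, v, P)


def publisher_publish(v, r_i, q_i, g, P, q, rng):
    """Page 15: split v_i - q_i into two additive shares (one per routing
    path) and compute c_i = MAC(v_i + r_i, g). Returns (share1, share2, c_i)."""
    masked = (v - q_i) % q
    share1 = rng.randrange(q)
    share2 = (masked - share1) % q
    return share1, share2, mac((v + r_i) % q, g, P)


def aggregate(path1, path2, macs, q, P):
    """Page 16: the root routing node R sums the shares arriving on both paths
    and multiplies the MACs. It sees no v_i, and the q_i masks keep v1+v2
    from it as well."""
    v_sum = (sum(path1) + sum(path2)) % q
    c_sum = 1
    for c in macs:
        c_sum = c_sum * c % P
    return v_sum, c_sum


def subscriber_verify(v_sum_masked, c_sum, pub_secrets, g, P, q):
    """Page 17: unmask with the q_i, then check c_sum == MAC(v_sum + sum r_i, g).
    pub_secrets holds the (r_i, q_i) pairs received out of band on page 14."""
    v_sum = (v_sum_masked + sum(qi for _, qi in pub_secrets)) % q
    expected = mac((v_sum + sum(ri for ri, _ in pub_secrets)) % q, g, P)
    return v_sum, c_sum == expected


def run(values, tamper=None, seed=7):
    """Run the whole protocol for the given publisher values and return
    (recovered sum, verification result). If `tamper` is given it is applied
    by the root node to the aggregated share sum, modelling a cheating routing
    node; the MAC check must then fail."""
    rng = random.Random(seed)
    P, q = safe_prime_group()
    g = pow(rng.randrange(2, P - 1), 2, P)       # secret generator of order q
    pub_secrets = [(rng.randrange(q), rng.randrange(q)) for _ in values]
    path1, path2, macs = [], [], []
    for v, (r_i, q_i) in zip(values, pub_secrets):
        s1, s2, c = publisher_publish(v, r_i, q_i, g, P, q, rng)
        path1.append(s1)
        path2.append(s2)
        macs.append(c)
    v_sum_masked, c_sum = aggregate(path1, path2, macs, q, P)
    if tamper is not None:
        v_sum_masked = tamper(v_sum_masked) % q
    return subscriber_verify(v_sum_masked, c_sum, pub_secrets, g, P, q)


if __name__ == "__main__":
    print(run([17, 25]))                              # (42, True)
    print(run([17, 25], tamper=lambda s: s + 25))     # (67, False)
```

The tampered run reproduces the page 11 scenario, v1 + 2*v2 instead of v1 + v2, and this time the subscriber rejects it: csum still equals g^(v1+v2+r1+r2), while the check expects g^(v1+2*v2+r1+r2), and the two differ unless g^25 = 1, which a generator of prime order q > 25 cannot satisfy. Since the subscriber only ever learns a sum, COUNT and AVERAGE (page 8) follow by dividing by the number of publishers.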

Page 18: Security Properties

• Confidentiality of aggregate sum
  – No coalition of routing nodes can obtain the sum
• Confidentiality of individual data
  – No colluding parties of up to size m can obtain any publisher Pi's input data vi
• Integrity of aggregate sum
  – The probability that subscriber Psub accepts an incorrect sum is no more than 1/p where p is the prime order of group Gp

Page 19: Related work

• Secure aggregation in sensor networks
  – Integrity: Chan [CCS06], Przydatek [SenSys03]
  – Confidentiality: Castelluccia [Mobiquitous05], Girao [ICC06], He [INFOCOM07], Hu [SAINT03 Workshop]
• Verification of aggregated query
  – Integrity: Haber [TR HPL06]

Page 20: Summary

• Secure additive aggregation protocol under the presence of untrusted routing nodes
  – Protect publishers' private data with secret splitting
  – Homomorphic MAC scheme ensures the integrity of the aggregate sum
• Future work includes fault tolerance mechanisms for handling the failure of publisher nodes

Page 21: Secure Aggregation in a Publish-subscribe system

Thanks!

Page 22: Authentication of Aggregated MAC

[Backup figure: publishers, routing node, subscribers and the security manager; the slide carries no further text.]

Page 23: Future work

• Formal safety proof of our algorithm
• Incorporate a fault tolerant mechanism using a threshold sharing scheme
  – Disclose the sum with m publishers out of n publishers if m is greater than threshold k
• Experiments with a prototype system
  – Performance overhead of our scheme
• Support other aggregate functions such as MAX/MIN