Secure Aggregation in a Publish-subscribe System
Kazuhiro Minami*, Adam Lee**, Marianne Winslett*, and Nikita Borisov*
*University of Illinois at Urbana-Champaign, **University of Pittsburgh
Publish-subscribe System for Wide-area Control Systems
[Figure: publish-subscribe overlay network. Publishers (door card reader, motion sensor, phasor measurement units, power meters) send events through routing nodes to subscribers (building management system, power grid monitor).]
Information Infrastructure Needs
• Scalability
– Keep up with the growing number of installed sensors and devices that publish events frequently
• Communication bandwidth and latency
– Reducing the bandwidth requirements helps reduce the deployment cost of wide-area control systems
• Flexibility
– Accommodate the diverse security requirements of different entities
In-network Aggregation
In-network aggregation could reduce bandwidth requirements further.
[Figure: application-level aggregation (each publisher sends x1, x2, x3 all the way to the subscriber, which computes f(x1,x2,x3)) versus in-network aggregation (a routing node computes f(x1,x2,x3) and forwards only the result; a node may be both subscriber and publisher).]
Goals of Secure Aggregation
• Confidentiality – Publish aggregated data only to authorized subscribers while protecting the confidentiality of individual raw data
• Integrity – Subscribers can verify the authenticity and integrity of aggregated data
System Model
[Figure: publishers, routing nodes, subscribers and a security manager around the publish-subscribe system; the message flow is labelled 1. confidentiality policies, 2. subscription requests, 3. routing path, 4. publication requests, 5. raw data, 6. aggregated data.]
Our Assumptions
[Figure: publishers do not trust the pub-sub system (routing nodes) with the confidentiality of their private input, and subscribers do not trust it with the integrity of the aggregate.]
• A public key infrastructure is available, so secrets can be sent securely
• No more than m parties collude
Supporting Additive Aggregation as a First Step
• Compute the sum of multiple values published by different publishers
• Can support other functions such as
– COUNT, AVERAGE, STD, etc.
Confidentiality Requirement
• Allow publishers to disclose aggregated data only to authorized subscribers while keeping raw data private
[Figure: publishers P1 and P2 hold v1 and v2, with access-control lists acl(v1), acl(v2) and acl(P1.v1+P2.v2) governing the subscriber Psub; Psub receives v1+v2, but the pub-sub system should read neither v1, v2, nor v1+v2.]
Naive Approach 1
• Use additively homomorphic encryption (i.e., E(v1+v2) = E(v1) + E(v2)) to protect raw data from untrusted routing nodes
[Figure: P1 and P2 send E(v1) and E(v2) to routing node R, which combines them into E(v1+v2) = E(v1)+E(v2) and forwards it to Psub, who decrypts v1+v2. An adversary at R can instead forward E(v1) alone, so Psub decrypts v1: a violation of P1's confidentiality policy.]
Naive Approach 1 (continued)
[Figure: same setup. An adversary at R can also derive E(v1+2*v2) from E(v1) and E(v2) and forward that instead, so Psub decrypts v1+2*v2 without noticing: a violation of Psub's integrity policy.]
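The two failures of Naive Approach 1 above, as an added example that is not part of the original slides: the slides only say "additively homomorphic encryption", so this block instantiates it with a toy Paillier cryptosystem (an assumption, with constructed tiny primes) in which the slide's E(v1)+E(v2) is realised as a ciphertext product. The subscriber holds the only key, the routing node sees ciphertexts only, and yet it can deliver either a single publisher's value or a mis-weighted sum that the subscriber accepts as the aggregate.

```python
"""Added example (not from the slides): an additively homomorphic cipher on
its own gives the subscriber no integrity guarantee and lets a routing node
unaggregate. Toy Paillier with constructed, tiny primes."""
import math
import secrets


def paillier_keygen(p, q):
    """Paillier key pair from two distinct primes (toy sizes here)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                           # standard choice of g
    mu = pow(lam, -1, n)                                # L(g^lam mod n^2) = lam when g = n+1
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """E(m) = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return (pow(c, lam, n2) - 1) // n * mu % n


def combine(pub, c1, c2, weight=1):
    """What a key-less routing node can compute from E(v1) and E(v2):
    E(v1) * E(v2)^weight = E(v1 + weight*v2). weight=1 is the honest sum."""
    n2 = pub[0] ** 2
    return c1 * pow(c2, weight, n2) % n2


def naive_round(v1, v2, weight=1, forward_first_only=False):
    """One round of Naive Approach 1; returns what the subscriber decrypts.
    weight=1 gives v1+v2, weight=2 gives v1+2*v2 (integrity violation), and
    forward_first_only=True gives v1 alone (confidentiality violation). In
    every case the decryption succeeds, so the subscriber cannot tell."""
    pub, priv = paillier_keygen(1009, 1013)      # constructed toy primes
    c1, c2 = encrypt(pub, v1), encrypt(pub, v2)  # publishers P1 and P2
    c_out = c1 if forward_first_only else combine(pub, c1, c2, weight)
    return decrypt(pub, priv, c_out)             # subscriber Psub
```

Because decryption is always well formed, nothing on the subscriber's side distinguishes the honest E(v1+v2) from E(v1+2*v2) or from a raw E(v1); that is exactly the gap the homomorphic MAC in the authors' approach is meant to close.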
Naive Approach 2
• Attach raw data and its digital signatures to verify the integrity and authenticity of the data
[Figure: P1 sends E(v1), Sig1(E(v1)) and P2 sends E(v2), Sig2(E(v2)); routing node R must forward E(v1+v2) together with E(v1), E(v2), Sig1(E(v1)), Sig2(E(v2)) so that Psub can verify them. Too much data to send!]
Our approach
• Secret splitting to protect confidential data
• Homomorphic message authentication code (MAC) to ensure the integrity of aggregated data
– MAC(v, g) = g^v (mod p), where p is a large prime, so that MAC(v1, g) * MAC(v2, g) = MAC(v1+v2, g)
Protocol Sketch: Initial Secret Sharing
1. Publishers and subscribers share a secret generator g of group Gp
2. Publisher Pi sends secrets ri and qi to a subscriber
[Figure: P1, P2 and Psub each hold g; (r1, q1) and (r2, q2) travel from P1 and P2 to Psub over an out-of-band channel, not through the routing nodes R.]
Protocol Sketch: Publication of Data
1. Publisher Pi splits vi – qi into v'i,1 and v'i,2
– Subtracting qi is necessary to protect the sum v1+v2 from the root routing node
2. Publisher Pi computes ci = MAC(vi + ri, g) = g^(vi+ri)
– Adding ri is necessary to protect the generator g from a known-plaintext attack
[Figure: P1 sends (v'1,1, c1) to one intermediate routing node R and v'1,2 to the other; P2 likewise sends (v'2,1, c2) and v'2,2; both intermediate nodes forward to the root R, which publishes to Psub.]
Protocol Sketch: Publication of Data (continued)
1. Aggregator R computes the sum v'sum of the input shares and the product csum of the input MACs
2. Aggregator R publishes v'sum and csum
[Figure: each intermediate routing node forwards the sum of the shares it received together with the MAC it received (e.g., v'1,1+v'2,2 with c1); the root computes v'sum = v'1,1 + v'1,2 + v'2,1 + v'2,2 and csum = c1 * c2.]
Protocol Sketch: Verification
1. Subscriber Psub computes the real sum vsum = v'sum + q1 + q2
2. Psub checks whether csum = MAC(vsum + r1 + r2, g)
[Figure: Psub receives v'sum = v'1,1 + v'1,2 + v'2,1 + v'2,2 and csum = c1 * c2 from the root and verifies them with its stored g, (r1, q1) and (r2, q2).]
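The three protocol steps above (initial secret sharing, publication, verification), run end to end as an added example that is not the authors' code: two publishers, two intermediate routing nodes and a root aggregator, with the shares taken modulo a constructed modulus N and the MAC computed as g^v mod p for a constructed prime p. Both parameters, the `run_round` driver and the `corrupt_root_input` switch are assumptions made for this example; the modulus sizes are far too small for real use.

```python
"""Added example (not the authors' code): toy run of the secret-splitting plus
homomorphic-MAC protocol from the slides. Parameters are constructed."""
import secrets

P = 2**61 - 1      # constructed: prime modulus of the MAC group
N = 2**64          # constructed: modulus for the additive shares


def mac(v, g):
    """Homomorphic MAC from the slides: MAC(v, g) = g^v mod p, so that
    mac(v1, g) * mac(v2, g) % P == mac(v1 + v2, g)."""
    return pow(g, v, P)


class Subscriber:
    """Psub: holds the secret generator g and each publisher's (r_i, q_i)."""
    def __init__(self):
        self.g = secrets.randbelow(P - 3) + 2     # g in [2, p-2], never 1
        self.per_publisher = {}                   # publisher id -> (r_i, q_i)

    def enroll(self, pid, r, q):
        self.per_publisher[pid] = (r, q)          # initial secret sharing, step 2

    def verify(self, v_sum_prime, c_sum):
        """Verification: vsum = v'sum + sum(q_i); accept iff
        csum == MAC(vsum + sum(r_i), g). Returns (accepted, vsum)."""
        r_total = sum(r for r, _ in self.per_publisher.values())
        q_total = sum(q for _, q in self.per_publisher.values())
        v_sum = (v_sum_prime + q_total) % N
        return c_sum == mac(v_sum + r_total, self.g), v_sum


class Publisher:
    """P_i: shares g with the subscriber and sends (r_i, q_i) out of band."""
    def __init__(self, pid, subscriber):
        self.g = subscriber.g
        self.r = secrets.randbelow(P - 1)   # blinds the MAC exponent (protects g)
        self.q = secrets.randbelow(N)       # blinds the shares (hides the sum from the root)
        subscriber.enroll(pid, self.r, self.q)

    def publish(self, v):
        """Publication: split v_i - q_i into two shares, MAC v_i + r_i."""
        share1 = secrets.randbelow(N)
        share2 = (v - self.q - share1) % N
        return share1, share2, mac(v + self.r, self.g)


class RoutingNode:
    """Untrusted aggregator: adds the shares it sees, multiplies the MACs."""
    def __init__(self):
        self.v_prime, self.c = 0, 1

    def receive(self, share, c=1):
        self.v_prime = (self.v_prime + share) % N
        self.c = self.c * c % P

    def output(self):
        return self.v_prime, self.c


def run_round(values, corrupt_root_input=False):
    """Full round for the given publisher values; returns (accepted, vsum).
    With corrupt_root_input=True one intermediate node adds 1 to its partial
    sum before forwarding, as an untrusted routing node might."""
    sub = Subscriber()
    pubs = [Publisher(i, sub) for i in range(len(values))]
    left, right, root = RoutingNode(), RoutingNode(), RoutingNode()
    for pub, v in zip(pubs, values):
        s1, s2, c = pub.publish(v)
        left.receive(s1, c)     # share 1 travels with the MAC
        right.receive(s2)       # share 2 takes the other path
    for node in (left, right):
        v_prime, c = node.output()
        if corrupt_root_input and node is right:
            v_prime = (v_prime + 1) % N
        root.receive(v_prime, c)
    return sub.verify(*root.output())
```

Each intermediate node sees only uniformly random shares, the root sees v1+v2-q1-q2 (uniform because the q_i are), and none of them holds g or the r_i, so none can produce a MAC for a sum of its choosing; a corrupted partial sum therefore fails the check at Psub.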
Security Properties
• Confidentiality of aggregate sum
– No coalition of routing nodes can obtain the sum
• Confidentiality of individual data
– No colluding set of parties of size up to m can obtain any publisher Pi's input data vi
• Integrity of aggregate sum
– The probability that subscriber Psub accepts an incorrect sum is no more than 1/p, where p is the prime order of group Gp
Related work
• Secure aggregation in sensor networks
– Integrity: Chan [CCS06], Przydatek [SenSys03]
– Confidentiality: Castelluccia [Mobiquitous05], Girao [ICC06], He [INFOCOM07], Hu [SAINT03 Workshop]
• Verification of aggregated query
– Integrity: Haber [TR HPL06]
Summary
• Secure additive aggregation protocol in the presence of untrusted routing nodes
– Protect publishers' private data with secret splitting
– Homomorphic MAC scheme ensures the integrity of the aggregate sum
• Future work includes fault-tolerance mechanisms for handling the failure of publisher nodes
Thanks!
Authentication of Aggregated MAC
[Figure: publishers, routing node, subscribers and security manager.]
Future work
• Formal safety proof of our algorithm
• Incorporate a fault-tolerant mechanism using a threshold sharing scheme
– Disclose the sum with m publishers out of n publishers if m is greater than threshold k
• Experiments with a prototype system
– Performance overhead of our scheme
• Support other aggregate functions such as MAX/MIN