Download presentation

Presentation is loading. Please wait.

Published byBrady Eckersley Modified over 2 years ago

1
haowen chan cmu Outline The Secure Aggregation Problem Algorithm Description Algorithm Analysis Proof (sketch) of correctness Proof (sketch) of overhead bound

2
haowen chan cmu In-Network Data Aggregation (( )) Q “What is the sum of all the sensor readings?” 2 4 1 3 0 3 2 0 + 4 + 6 + 9 9 + 15 Answer: Sensor readings

3
haowen chan cmu Attacker Model Unsecured deployment area Sensor nodes not tamper-resistant Adversary may undetectably take control of sensor nodes or base station

4
haowen chan cmu Correct Data Aggregation (( )) Q 2 4 1 3 0 3 2 0 4 6 9 9 15 3 0 4 2

5
haowen chan cmu Sensor Reading Falsification (( )) Q 2 4 1 3 0 3 2 0 4 6 15 21 3 0 10 2 Malicious node reports false sensor reading (within legal bounds)

6
haowen chan cmu Sensor Reading Falsification General aggregation problem: Assume no application-specific information Attacker’s data indistinguishable from true data Sensor reading falsification is always possible in any general secure aggregation algorithm Attacker’s ability limited by how many nodes compromised

7
haowen chan cmu Aggregation Result Falsification (( )) Q 2 4 1 3 0 3 2 0 4 6 100 106 3 0 4 2 Malicious node reports false aggregation result

8
haowen chan cmu Aggregation Result Falsification Single malicious node may cause unbounded deviation in query result Secure aggregation problem: Can we restrict the attacker’s ability to falsify aggregation results? Tightest possible restriction without application knowledge: Attacker can only perform sensor reading falsification attacks or equivalent

9
haowen chan cmu Prior Related Work Either probabilistic detection or only for special cases Single malicious node L. Hu and D. Evans [2003] P. Jadia and A. Mathuria [2004] Flat aggregator topology B. Przydatek, A. Perrig, D. Song [2003] W. Du, J. Deng, Y. Han, P.K. Varshney [2003] Probabilistic Detection B. Przydatek, A. Perrig, D. Song [2003] Y. Yang, X. Wang, S. Zhu, G. Cao [2006]

10
haowen chan cmu Our Algorithm General hierarchical (tree-based) aggregation topologies Multiple (unbounded) number of compromised nodes Achieves tightest possible bound on adversary ability to change aggregation result Low communication overhead edge-congestion O ( l og 2 n )

11
haowen chan cmu Outline The Secure Aggregation Problem Algorithm Description Algorithm Analysis Proof (sketch) of correctness Proof (sketch) of overhead bound

12
haowen chan cmu Preventing SUM Result Deflation Consider only the SUM aggregate Straightforward reductions from COUNT, AVG, MEDIAN to SUM Adversary only wishes to reduce the aggregate result Sensor readings are nonnegative: in [0, m] Let the sum of reported sensor readings of all legitimate nodes be S. If adversary reports any S’ < S then we detect its presence. Adversary gains no additional benefit from aggregation result falsification vs. sensor reading falsification

13
haowen chan cmu Generating Commitments Require nodes to cryptographically commit to a single version of the aggregation process Any aggregation result falsification cause in an inconsistency in some position in the commitment structure Verification process can discover inconsistency

14
haowen chan cmu Commitment Tree Aggregation Tree Commitment Tree F E D C B A M A M A M AB M B M AB M C M C … M AB = h ( M A jj M B ) ; v A + v B M D M ABCD M ABCD } v AB M ABCD = h ( M AB jj M D jj M C ) ; v AB + v D + v C … M E M E M F M A = A ; v A M B = B ; v B M R

15
haowen chan cmu Main Idea Commitment structure is probed to verify aggregation correctness Prior work: Querier performs probing Cannot probe every node Too much congestion near base station New idea: Distribute the verification process to the sensor nodes Every sensor node checks that its sensor reading was included in the aggregate

16
haowen chan cmu Self-verification Querier disseminates commitment tree root M R using authenticated broadcast E.g. [Perrig et al. ’01] Node A verifies its own contribution: Node A receives commitment tree root M R Node A requests all off-path vertices for M A Verify that the inputs to each aggregation step are non-negative Verify that the correct M R can be recomputed ¹ TESLA

17
haowen chan cmu Self-Verification of Node C M A M B M AB M C M D M ABCD M E M F R eques t o ® -pa t h ver t i ces f or M C C h ec k t h a t v AB ; v D ; v E ; v F area ll non-nega t i ve M R R ecompu t e M ABCD ; M R

18
haowen chan cmu Aggregating Verification Results Each node shares a secret key with querier Node A ’s “OK” bit phrase for query k : OK bit phrases are aggregated using XOR on the way to the querier Querier verifies that received aggregate bitphrase is XOR of all bit phrases If any node does not respond with OK, this test will fail: aggregation result rejected. MAC K A ( Q uery k ver i ¯ e d OK b yno d e A )

19
haowen chan cmu Aggregating with XOR 0010 0011 0110 1111 0101 1010 1000

20
haowen chan cmu Outline The Secure Aggregation Problem Algorithm Description Algorithm Analysis Proof (sketch) of correctness Proof (sketch) of overhead bound

21
haowen chan cmu Motivating Observations Correctness: Self-verification is cumulative Net result of all nodes performing independent self-verification is equivalent to having a central querier verify every node Efficiency: Standard metric: congestion – maximum communication load on any single edge Self-verification incurs low congestion Even if every node performs self-verification

22
haowen chan cmu Correctness Lemma: If two legitimate nodes A and B both pass their verifications, then the SUM aggregate has value at least v A + v B M A M AX M AXYZ v AX ¸ v A M X v X ¸ 0 M YZ v YZ ¸ 0 Observation: Intermediate sums are non-decreasing. v AXYZ ¸ v A

23
haowen chan cmu Correctness M C M A M B M R M X M Y v Y ¸ v B v X ¸ v A v C ¸ v A + v B v R ¸ v A + v B s i nce h i sco ll i s i on-res i s t an t M X an d M Y are d i s t i nc t M C : LCA o f M A an d M B

24
haowen chan cmu Correctness Corollary: If all legitimate nodes pass their verifications, then the final aggregation result is at least Lower bound: Adversary cannot report result less than sum of legitimate sensor readings. Upper bound? S = X i l eg i t v i

25
haowen chan cmu Upper Bound Reduce upper bound problem to lower bound Compute simultaneously the complement sum aggregate (recall that ) Querier checks: Adversary: to increase, must decrease. But neither nor can be decreased below contribution of legitimate nodes. S = n X i = 1 v i S = n X i = 1 ( m ¡ v i ) v i 2 [ 0 ; m ] S S S SS S = nm ¡ S

26
haowen chan cmu Efficiency Suppose aggregation tree is balanced When node A self-verifies, it receives all off-path vertices in the commitment tree Maximum congestion: leaf edge messages A O ( l ogn ) O ( l ogn )

27
haowen chan cmu Efficiency Self-verification of other nodes (e.g. node B) does not increase communication load on any edge of the path between node A and the root A B C Y X M X M Y M Y M X M Y M X

28
haowen chan cmu Efficiency Edge congestion in balanced aggregation trees: For arbitrary unbalanced aggregation topology: Define a balanced logical aggregation overlay over the physical topology (details in paper) Incurs multiplicative factor Edge congestion for general aggregation trees: O ( l ogn ) l ogn O ( l og 2 n )

29
haowen chan cmu Naive Commitment Tree Aggregation Tree Commitment Tree F E D C B A M A M A M AB M B M AB M C M C M D M ABCD M ABCD M E M E M F M ABCDEF Topology of commitment tree is identical to aggregation tree (with addition of pendant vertices to all internal nodes)

30
haowen chan cmu Balancing the Commitment Tree Aggregation Tree unbalanced Naïve Commitment Tree unbalanced Long paths in commitment tree High communication overhead Idea: Instead of one commitment tree, keep a forest of complete commitment trees Construct this using delayed aggregation )) O ( l ogn )

31
haowen chan cmu Delayed Aggregation Only perform aggregation on subtrees of equal height M A M A D C B A M AB M B M AB M C M AB ; M C M D M CD M ABCD M ABC M ABC

32
haowen chan cmu Delayed Aggregation All trees in commitment forest are complete and have distinct heights Tallest tree has height at most At most trees Each sensor node receives (and transmits) commitment subtree root values edge congestion (proof in paper) l ogn O ( l ogn ) l ogn O ( l og 2 n )

33
haowen chan cmu Congestion Bound Commitment tree overlay network of the aggregation tree Each commitment tree vertex resides at the sensor node that created it For A to self-probe, Send all off-path vertices to its leaf vertex. congestion at leaf edge of MAMA O ( l ogn ) O ( l ogn ) ! M A M A

34
haowen chan cmu Congestion Bound In aggregation tree, each sensor node reports roots of subtrees to its parent Responsible for receiving traffic for parent edges incident to these vertices in the commitment forest edge-congestion in commitment forest edge congestion in aggregation tree. O ( l ogn ) O ( l ogn ) O ( l ogn ) ) O ( l og 2 n )

35
haowen chan cmu Conclusion Secure data aggregation algorithm Suitable for general tree-based aggregation topologies Resilient vs multiple malicious nodes Tightest possible guarantees on adversary detection (without assuming application knowledge) Low edge congestion Limitation: need to know the set of responding nodes Future Work: Secure versions of more sophisticated aggregation functions Defences vs sensor reading falsification O ( l og 2 n )

36
haowen chan cmu Secure Hierarchical In-network Data Aggregation for Sensor Networks Haowen Chan Adrian Perrig and Dawn Song Carnegie Mellon University

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google