Efficient and Privacy-Preserving Data Aggregation in Mobile Sensing

Transcription

1 Efficiet ad Privacy-Preservig Data Aggregatio i Mobile Sesig Qighua Li, Guohog Cao Departmet of Computer Sciece ad Egieerig The Pesylvaia State Uiversity, Uiversity Park {qxl8, gcao}@cse.psu.edu Abstract The proliferatio ad ever-icreasig capabilities of mobile devices such as smart phoes give rise to a variety of mobile sesig applicatios. This paper studies how a utrusted aggregator i mobile sesig ca periodically obtai desired statistics over the data cotributed by multiple mobile users, without compromisig the privacy of each user. Although there are some existig works i this area, they either require bidirectioal commuicatios betwee the aggregator ad mobile users i every aggregatio period, or has high computatio overhead ad caot support large plaitext spaces. Also, they do ot cosider the Mi aggregate which is quite useful i mobile sesig. To address these problems, we propose a efficiet protocol to obtai the Sum aggregate, which employs a additive homomorphic ecryptio ad a ovel key maagemet techique to support large plaitext space. We also exted the sum aggregatio protocol to obtai the Mi aggregate of timeseries data. Evaluatios show that our protocols are orders of magitude faster tha existig solutios. I. INTRODUCTION Mobile devices such as smart phoes are gaiig a evericreasig popularity. Most smart phoes are equipped with a rich set of embedded sesors such as camera, microphoe, GPS, accelerometer, ambiet light sesor, gyroscope, etc. The data geerated by these sesors provides opportuities to make sophisticated ifereces about ot oly people (e.g., huma activity, health, locatio, social evet) but also their surroudig (e.g., pollutio, oise, weather, oxyge level), ad thus ca help improve people s health as well as life. This eables various mobile sesig applicatios such as evirometal moitorig [], traffic moitorig [2], healthcare [3], etc. I may scearios, aggregatio statistics eed to be periodically computed from a stream of data cotributed by mobile users [4], i order to idetify some pheomea or track some importat patters. For example, the average amout of daily exercise (which ca be measured by motio sesors [5]) that people do ca be used to ifer public health coditios. The average or maximum level of air pollutio ad polle cocetratio i a area may be useful for people to pla their outdoor activities. Other statistics of iterests iclude the lowest gasolie price i a city, the highest movig speed of road traffic durig rush hour, etc. Although aggregatio statistics computed from time-series data is very useful, i may scearios, the data from idividual user may be privacy-sesitive, ad users do ot trust ay sigle third-party aggregator to see their data i cleartext. For istace, to moitor the propagatio of a ew flu, the aggregator will cout the umber of users ifected by this flu. owever, a user may ot wat to directly provide her true status ( if beig ifected ad 0 otherwise) if she is ot sure whether the iformatio will be abused by the aggregator. Accordigly, systems that collect users true data values ad compute aggregate statistics over them may ot meet users privacy requiremet [4]. Thus, a importat challege is how to protect the users privacy i mobile sesig, especially whe the aggregator is utrusted. Most previous works o sesor data aggregatio assume a trusted aggregator, ad hece caot protect user privacy agaist a utrusted aggregator i mobile sesig applicatios. Several recet works [6] [9] cosider the aggregatio of timeseries data i the presece of a utrusted aggregator. To protect user privacy, they desig ecryptio schemes i which the aggregator ca oly decrypt the sum of all users data but othig else. Rastogi ad Nath [6] use threshold Paillier cryptosystem [0] to build such a ecryptio scheme. To decrypt the sum, their scheme eeds a extra roud of iteractio betwee the aggregator ad all users i every aggregatio period, which meas high commuicatio cost ad log delay. Moreover, it requires all users to be olie util decryptio is completed, which may ot be practical i may mobile sesig scearios due to user mobility ad the heterogeeity of user coectivity. Rieffel et al. [9] propose a costructio that does ot require bidirectioal commuicatios betwee the aggregator ad the users, but it has high computatio ad storage cost to deal with collusios i a large system. Shi et al. [7], [8] also propose a costructio for sum aggregatio which does ot eed the extra roud of iteractio. owever, the decryptio i their costructio eeds to traverse the possible plaitext space of the aggregated value, which is very expesive for a large system with large plaitext space. I mobile sesig, the plaitext space of some applicatio ca be large. For example, carbo dioxide levels ca rage from 350 ppm outdoors to over 0000 ppm i idustrial workplaces []. ece i applicatios which cotiuously moitor the carbo dioxide levels that people are exposed to i their daily life [2], [3], the plaitext space ca reach 0 4. Uder this plaitext space, for a large system with oe millio users, the costructio i [7] requires 30 secods to decrypt the sum o a moder 64-bit desktop PC. Its computatio overhead is too high for a aggregator to ru realtime moitorig applicatios with short aggregatio itervals ad to collect

2 multiple aggregate statistics simultaeously. Moreover, oe of these existig schemes cosiders the Mi aggregate (i.e., the miimum value) of time-series data, which is also importat i may mobile sesig applicatios. I this paper, we propose a ew protocol for mobile sesig to obtai the sum aggregate of time-series data i the presece of a utrusted aggregator. Our protocol employs a additive homomorphic ecryptio ad a ovel key maagemet scheme based o efficiet MAC to esure that the aggregator ca oly obtai the sum of all users data, without kowig idividual user s data or itermediate result. I our protocol, each user (the aggregator) oly eeds to compute a very small umber of MACs to ecrypt her data (decrypt the sum). ece, the computatio cost is very low, ad the protocol ca scale to large systems with large plaitext spaces, resourcecostraied devices ad high aggregatio loads. Aother ice property of our protocol is that it oly requires a sigle roud of user-to-aggregator commuicatio. Based o the sum aggregatio protocol, we also propose a protocol to obtai the Mi aggregate. To our best kowledge, this is the first privacy-preservig solutio to obtai the Mi of time-series data i mobile sesig with just oe roud of userto-aggregator commuicatio. Our protocols for Sum ad Mi ca be easily adapted to derive may other aggregate statistics such as Cout, Average ad Max. The remaider of this paper is orgaized as follows. Sectio II discusses related work. Sectio III presets system models ad assumptios. Sectio IV ad Sectio V preset our protocols for Sum ad Mi, respectively. Sectio VI evaluates the practical performace ad cost of our solutios. The last two sectios preset discussios ad coclusios. II. RELATED WORK May works have addressed various security ad privacy issues i mobile sesig etworks ad systems (e.g., [4] [8]), but they do ot cosider data aggregatio. There are a lot of existig works (e.g., [9] [22]) o security ad privacypreservig data aggregatio, but most of them assume a trusted aggregator ad caot protect user privacy agaist utrusted aggregators. Yag et al. [23] proposed a ecryptio scheme that allows a utrusted aggregator to obtai the sum of multiple users s data without kowig ay specific user s data. owever, their scheme requires expesive re-keyig operatios to support multiple time steps, ad thus may ot work for time-series data. Shi et al. [24] proposed a privacy-preservig data aggregatio scheme based o data slicig ad mixig techiques. owever, their scheme relies o peer-to-peer commuicatios amog users, which is otrivial i mobile sesig scearios due to the high mobility of users. Also, their scheme does ot work well for time-series data, sice each user may eed to select a ew set of peers i each aggregatio iterval due to mobility. Besides, their scheme for o-additive aggregates (e.g., Max/Mi) requires multiple rouds of bi-directioal commuicatios betwee the aggregator ad mobile users which meas log delays. I cotrast, our scheme obtais those aggregates with just oe roud of ui-directioal commuicatio from users to the aggregator. To achieve privacy-preservig sum aggregatio of timeseries data, Rastogi ad Nath [6] desiged a ecryptio scheme based o threshold Paillier cryptosystem [0], where the decryptio key is divided ito portios ad distributed to the users. The aggregator collects the ciphertexts of users, multiplies them together ad seds the aggregate ciphertext to all users. Each user decrypts a share of the sum aggregate. The aggregator collects all the shares ad gets the fial sum. owever, their scheme requires a extra roud of iteractio betwee the aggregator ad users i every aggregatio period. Based o a efficiet additive homomorphic ecryptio scheme, Rieffel et al. [9] proposed a costructio that does ot require a extra roud of iteractio betwee the aggregator ad the users. I their scheme, the computatio ad storage cost is roughly equal to the umber of colludig users that the system ca tolerate. Thus, their scheme has high overhead to achieve good resistace to collusio, especially whe the system is large ad a large umber of users collude. I cotrast, our scheme tolerates a high fractio of colludig users (e.g., 30%) with very small cost eve whe the system is large. Acs ad Castelluccia [25] also proposed a scheme based o additive homomorphic ecryptio, but i their scheme each ode shares a pairwise key with ay other ode. Shi et al. [7] proposed a costructio for sum aggregatio based o the assumptio that the Decisioal Diffie-ellma problem is hard over fiite cyclic groups. I their costructio, each user seds her ciphertext to the aggregator ad o commuicatio is eeded from the aggregator to the users. To decrypt the sum, their costructio eeds to traverse the possible plaitext space of sum, ad thus it is ot efficiet for a large system with large plaitext spaces. Cha et al. [8] exteded the costructio i [7] with a biary iterval tree techique, but their scheme still has the limitatio i plaitext spaces. Jawurek ad Kerschbaum [26] proposed a scheme which provides differetial privacy for sum. Our aggregatio protocol for sum ca be used as a buildig block of their scheme to improve the computatioal efficiecy. Also, existig works do ot cosider the Mi of time-series data. III. PRELIMINARIES A. Models ad Assumptios Figure shows our system model, which is similar to the model i [7]. A aggregator wishes to get the aggregate statistics of mobile users periodically, e.g., i every hour. The time periods are umbered as, 2, 3,..., etc. I every time period, each user i ecrypts her data x i with key k i ad seds the derived ciphertext to the aggregator. From the ciphertexts, the aggregator decrypts the eeded aggregate statistics usig her aggregator capability k 0. The value of each user s data is a iteger withi rage [0, Δ]. Two types of aggregate statistics are cosidered i this work, which are Sum ad Mi. Sum is defied as the sum of all users data ad Mi is defied as the miimum value of the users data. From Sum ad Mi, may other aggregate statistics ca be easily derived, such as

3 2 users Fig.. c = Ec(k ;x ) c 2 = Ec(k 2 ;x 2 ) c = Ec(k ;x ) aggregator AggrDec(k 0 ;c ;:::;c ) aggregates P i= x i mifx ;:::;x g Our system model of time-series data aggregatio. Cout (i.e., the umber of users that satisfy certai predicate), Average (which is derivable from Sum ad Cout), ad Max (which ca be obtaied from the Mi of Δ x). I each time period, a mobile user seds her ecrypted data to the aggregator via WiFi, 3G or other available access etworks. No peer-to-peer commuicatio is required amog mobile users, sice such commuicatio is otrivial i mobile sesig scearios due to the high mobility of users ad users may ot be aware of each other for privacy reasos. We cosider a utrusted aggregator that is curious about each idividual user s data. The aggregator may eavesdrop all the messages set from/to every user. A umber of users may collude with the aggregator, ad reveal their data to the aggregator. A umber of users may also collude to obtai the aggregate. Similar to [7], we assume that the fractio of users that collude with/agaist the aggregator is at most γ (0 γ<), ad the system has a priori estimate over the upper boud of γ which ca be used i practice. I additio, the aggregator ad users have limited computatio capability. We assume a trusted authority which issues proper keys to the users ad the aggregator via a secure chael. Our goal is to guaratee the privacy of each user s data agaist the utrusted aggregator, i.e., the aggregator obtais the aggregate statistics without kowig ay idividual user s data. Note that we aim to protect the privacy of data cotet ot data source [27]. Also, we aim to guaratee that ay party without a appropriate aggregator capability obtais othig. Malicious users may also perform data pollutio attacks i which they provide false data values i order to sway the fial aggregate statistics. Data pollutio attacks are outside the scope of this paper, ad their ifluece ca be bouded if each user uses a o-iteractive zero-kowledge proof to prove that her data lies i a valid rage. B. Uderlyig Ecryptio Scheme Oe buildig block of our solutio is the additive homomorphic ecryptio scheme proposed by Castelluccia et al. [2], [28]. This scheme works as follows. Ecryptio: ) Represet message m as iteger m [0,M ] where M is a large iteger. 2) Let k be a radomly geerated key, k {0, } λ, where λ is a security parameter. 3) Output ciphertext c =(m + h(f k (r))) mod M, where f k is a pseudoradom fuctio (PRF) that uses k as TABLE I NOTATIONS The umber of users i the system γ The maximum fractio of users that collude Δ The maximum value of ay user s data M M =2 log 2 (Δ) F λ F λ = {f s : {0, } λ {0, } λ } s {0,} λ is a family of pesudoradom fuctios idexed by key s h A legth-matchig hash fuctio, h : {0, } λ {0, } α, where α = log 2 (Δ) k 0 The decryptio key used by the aggregator k i The ecryptio key used by user i l The required security level, e.g., l =80 c The umber of secrets assiged to each user i our protocol q The umber of secrets assiged to the aggregator i our protocol a parameter, h is a legth-matchig hash fuctio (see details below) ad r is a oce for this message. Decryptio: ) Output plaitext m =(c h(f k (r))) mod M. The PRF f k is a fuctio of the PRF family F λ = {f k : {0, } λ {0, } λ } k {0,} λ idexed by k. Sice provably secure PRFs are usually computatioally expesive, Castelluccia et al. [2] advocate usig keyed hash fuctios (e.g., MAC) as PRFs. MAC is a PRF if the uderlyig compressio fuctio of the hash fuctio i use is a PRF [29]. Whe MAC is used, f k (r) is the MAC of r with k as the key. The purpose of h is to shorte a log bit strig. It maps the output of f k to a shorter bit strig of legth α, where α is the modulus size of M (i.e., α = M ). h is ot required to be collisio-cosistet, but its output should be uiformly distributed over {0, } α. A example costructio for h is to trucate the output of f k ito shorter bit strigs of legth α, take exclusive-or o all these strigs ad use it as the output of h. This scheme is proved to be sematically secure [2]. This scheme allows additive homomorphic ecryptio. Give two ciphertexts c = (m + h(f k (r))) mod M ad c 2 =(m 2 + h(f k (r))) mod M, a idividual that kows k ad k ca compute the sum of m ad m 2 directly from the aggregate ciphertext c = c + c 2 : m = m + m 2 =(c h(f k (r)) h(f k (r))) mod M. To correctly compute the sum of messages m, m 2,..., m, M must be larger tha i= m i. I practice, M should be selected as M =2 log 2 (max(mi) ). Table I shows the otatios used i this paper. IV. AGGREGATION PROTOCOL FOR SUM A. Protocol Overview Setup: The trusted authority assigs a set of secret values (secrets for short) to each user ad the aggregator. Ec: I each time period, user i (i [,]) geerates ecryptio key k i usig the secrets that it is assiged. It ecrypts its data x i by computig c i =(k i + x i ) mod M () where M =2 log 2 (Δ). The it seds the ciphertext c i to the aggregator.

4 umbers kow to the aggregator secret mappig sum k aggregator k 0 sum sum k 2 sum user user 2 user Fig. 2. The ituitio behid the straw-ma costructio. The aggregator computes the sum of a set of umbers as the decryptio key. These umbers are secretly allocated to the users, ad each user computes the sum of its allocated umbers as the ecryptio key. The aggregator caot kow ay user s ecryptio key sice it does ot kow the mappig betwee the umbers ad the users. AggrDec: I each time period, the aggregator geerates decryptio key k 0 usig the secrets that it is assiged, ad decrypts the sum aggregate S = i= x i by computig S =( c i k 0 ) mod M. (2) i= The keys are geerated usig a PRF family ad a legthmatchig hash fuctio (see later). Accordig to [28], the aggregator ca get the correct sum so log as the followig equatio holds: k 0 =( k i ) mod M. (3) i= I our protocol, the setup phase oly rus oce. After the setup phase, the trusted authority does ot eed to distribute secrets to the users ad the aggregator agai. I additio, the users ad the aggregator do ot have to sychroize their key geeratios with commuicatios i every time period. These restrictios make it challegig for the users ad the aggregator to geerate their keys such that Equatio 3 holds i every time period ad the ecryptio (decryptio) key used by each user (the aggregator) caot be leared by ay other party besides the trusted authority. We propose a costructio for key geeratios which p- reserves the privacy of each user ad the Sum aggregate efficietly. Before presetig our costructio, we first discuss a straw-ma costructio which is very efficiet for the users but ot efficiet for the aggregator. The we exted this strawma scheme to derive our costructio. Both costructios iclude three processes, which are secret setup, ecryptio key geeratio ad decryptio key geeratio. They proceed i the Setup phase, Ec phase ad AggrDec phase of the aggregatio protocol, respectively. B. A Straw-ma Costructio for Key Geeratio ) Ituitio: Figure 2 shows the ituitio of the strawma costructio. Suppose there are c radom umbers. The aggregator has access to all the umbers, ad it computes the sum of these umbers as the decryptio key k 0. These umbers k TABLE II SECURITY LEVELS OF TE STRAW-MAN CONSTRUCTION WEN γ =0.. =0 2 c p b =0 3 c p b =0 4 c p b =0 5 c p b =0 6 c p b are divided ito radom disjoit subsets, each of size c. These subsets are assiged to the users, where each user has access to oe subset of umbers. User i computes the sum of the umbers assiged to it as the ecryptio key k i. Clearly, Equatio 3 holds. The aggregator caot kow ay user s ecryptio key sice it does ot kow the mappig betwee the umbers ad the users. Whe c is large eough, it is ifeasible for the aggregator to guess the umbers assiged to a particular user with a brute-force method. The aggregator s decryptio key caot be revealed by ay user sice o user kows all the umbers. 2) Costructio: The costructio is as follows: Secret Setup: The trusted authority geerates c radom ad differet secrets s,..., s c. It divides these secrets ito radom disjoit subsets, with c secrets i each subset. Let S deote the set of all secrets, ad let S i deote the i th subset. Clearly, S = i= S i ad i j, S i Sj = φ. The trusted authority seds the secrets i subset S i to user i ad seds all the secrets i S to the aggregator. Ecryptio Key Geeratio: I time period t N, user i geerates its ecryptio key as follows: k i =( h(f s (t))) mod M. (4) s S i Decryptio Key Geeratio: I time period t N, the aggregator geerates the decryptio key as follows: k 0 =( s S h(f s (t))) mod M. (5) I Equatio 4, sice each h(f s (t)) is uiformly distributed over {0, } α, k i is also uiformly distributed over {0, } α. Thus, the ecryptio keys satisfy the security requiremet of the uderlyig cryptosystem. Equatio 3 also holds sice k i = ( h(f s (t))) mod M i= i= s S i = ( h(f s (t))) mod M s S = k 0 mod M. 3) Security level: If the aggregator kows the c secrets used by a user, it ca obtai the ecryptio key of the user. We ca derive the probability that the aggregator fids the c secrets used by a user. Let p b deote the probability that i a sigle

5 TABLE III TE MINIMUM VALUES OF c FOR 80-BIT SECURITY IN TE STRAW-MAN CONSTRUCTION γ =0, 0., 0.2, itegers derived from secrets decryptio key ecryptio keys k itegers derived from secrets decryptio key ecryptio keys k trial the aggregator ca successfully guess the secrets assiged to the user. Recall that γ is the maximal fractio of users that collude with the aggregator. I the worst case, the aggregator kows the γc secrets assiged to the colludig users, but it does ot kow how the remaiig ( γ)c secrets are assiged to other users. There are ( ) ( γ)c c possible secret assigmets for each user. ece we have: p b = ( ( γ)c c ). (6) With a smaller p b, better security ca be achieved. Table II shows the values of p b for varyig parameters ad c. Asc icreases, the security level icreases quickly. Give the umber of users ad a estimate of γ, weca derive the miimum value of c to achieve a certai required security level. (c is miimized to miimize the cost.) For l-bit security (e.g., l =80), c should be selected as the miimum value that satisfies p b 2 l. Table III shows the values of c for 80-bit security. A fractio of users may collude agaist the aggregator to reveal the aggregate. To achieve this goal, they eed to obtai all the secrets that the aggregator has. owever, each participat oly kows a subset of the secrets. So log as ot all users collude, they caot obtai all the secrets. 4) Cost: I each time period, each user computes c PRFs ad the aggregator computes c PRFs. Sice c is small as show i Table III, the computatio cost at each user is very low. owever, whe the umber of users is very large, the computatio cost at the aggregator is high. C. Our Costructio for Key Geeratio Our costructio exteds the straw-ma costructio to reduce the computatio overhead at the aggregator. ) Ituitio: Cosider a equatio: a + a a c = a + a a c. (7) If we remove c q summads from the right side ad subtract them from the left side, the derived equatio a + +a c +( a )+ +( a c q )=a c q+ + +a c (8) is equivalet to the origial equatio. To meet the requiremet of Equatio 3, the straw-ma costructio essetially mimics Equatio 7, i.e., the users collectively geerate the summads o the left side ad add them to the aggregate, while the aggregator aloe geerates the summads o the right side ad subtracts them from the perturbed aggregate (see Figure 3(a)). Each summad is geerated from a secret. Sice Equatio 7 ad 8 are equivalet, we ca remove some summads from the aggregator side ad subtract them from the user side without violatig Equatio k 0 additio k 2 k (a) Straw-ma costructio k 0 additio subtractio k 2 k (b) Our costructio Fig. 3. The ituitio behid our costructio i compariso with the strawma costructio. 3. Now the aggregator has less computatio overhead sice it eeds to geerate less summads. The reduced computatio does ot come for free, as it is amortized amog the users such that each user geerates more summads (see Figure 3(b)). A ice property is that it is ow more difficult to guess the summads geerated by each user ad thus each user has better security. 2) Costructio: The costructio is as follows: Secret Distributio: The trusted authority geerates c radom ad differet secrets s,..., s c. Let S deote the set composed of all the secrets. The trusted authority divides these secrets ito radom disjoit subsets, with c secrets i each subset. For coveiece, we call these subsets additive subsets. Let S i deote the i th additive subset. Clearly, S = i= S i. Out of the c secrets, the trusted authority radomly selects q secrets ad assigs them to the aggregator. Let Ŝ deote the set of secrets assiged to the aggregator. The trusted authority divides the remaiig c q secrets evely ito radom disjoit subsets. Amog them, (c q) c q subsets have c q c q + secrets each, ad the other ( + ) c+q subsets have c q secrets each. For coveiece, we call these subsets subtractive subsets. Let S i deote the i th subtractive subset. Clearly, S =( S i= i ) Ŝ. The trusted authority assigs the secrets i the additive subset S i ad subtractive subset Si to user i. Ecryptio Key Geeratio: I time period t N, user i geerates its ecryptio key by computig k i =( h(f s (t)) h(f s (t))) mod M. (9) s S i s S i Decryptio Key Geeratio: I time period t N, the aggregator geerates the decryptio key by computig k 0 =( s Ŝ h(f s (t))) mod M. (0)

6 TABLE IV TE SECURITY LEVEL OF OUR CONSTRUCTION WEN γ =0.. =0 2 c p b =0 3 c p b =0 4 c p b =0 5 c p b =0 6 c p b The requiremet i Equatio 3 is satisfied sice k i = ( ( h(f s (t)) h(f s (t)))) mod M i= i= s S i s S i = ( h(f s (t)) h(f s (t))) mod M s S s S i= i = ( h(f s (t))) mod M s Ŝ = k 0. 3) Security level: The aggregator caot lear ay user s ecryptio key sice it does ot kow the additive secrets (i.e., secrets i the additive subset) ad the subtractive secrets (i.e., secrets i the subtractive subset) assiged to this user. Each user has c additive secrets ad at least c q subtractive secrets. The aggregator may kow the secrets assiged to itself ad those to its γ colluders, but there are still ( γ)c additive secrets ad at least ( γ) c q subtractive secrets that the aggregator does ot kow how they are assiged to the good users. There are at least ( ) ( ( γ)c ( γ) c q c ) c q possible secret assigmets for each good user. Thus, p b ( ( γ)c c ) ( ( γ) c q c q ). () p b decreases (i.e., the security for the users is better) whe ad c icrease, but p b icreases whe γ icreases. Uder the same total computatio cost, the smaller q is, the more subtractive secrets the users are assiged ad the better security the users have. owever, if q is too small, the secrets (ad hece the decryptio key) used by the aggregator may be leared by a umber of colludig users i the brute-force way. We ca derive the miimum value of q to make it ifeasible for γ fractio of users to collusively obtai the decryptio key. These colluders kow at most γc subtractive secrets, but they do ot kow which q of the remaiig ( γ)c secrets the aggregator has. There are ( ) ( γ)c q possible secret assigmets for the aggregator. Let p c deote the probability that the q secrets assiged to the aggregator ca be guessed i a sigle trial. We have p c ( ( γ)c q ). (2) TABLE V TE VALUES OF c FOR 80-BIT SECURITY IN OUR CONSTRUCTION γ =0, 0., γ = TABLE VI TE VALUES OF q FOR 80-BIT SECURITY IN OUR CONSTRUCTION γ = γ = γ = γ = Whe q icreases, p c decreases which meas better security for the aggregator. 4) Practical cosideratios: To achieve l-bit security for each user ad the aggregator, it is required that p b 2 l ad p c 2 l respectively. Give parameters ad γ, large-eough values should be set for c ad q to meet these requiremets. Sice the values of c ad q deped o each other, which ca be see from Equatio ad 2, they ca be set as follows. First, we assume q (0,]. Uder this assumptio, Equatio ca be rewritte as: p b ( ( γ)c c ) ( ( γ)(c ) c ). (3) We ca derive the miimum value of c that makes the righthad side of Equatio 3 smaller tha 2 l. The we apply the derived value of c to Equatio 2, ad obtai the miimum value of q that makes the right-had side of Equatio 2 smaller tha 2 l. If the obtaied value of q falls ito the assumed rage (0,], the values of c ad q are accepted. Otherwise, we ca icrease the value of c, util the miimum value of q that makes the right-had side of Equatio 2 smaller tha 2 l is ot larger tha. This method of settig c ad q esures that q, ad thus p b is give i Equatio 3. Table IV shows the values of p b whe ad c chage. Table V ad Table VI show the values of c ad q respectively for 80-bit security. It ca be see that both c ad q are very small. 5) Cost: Sice the setup phase is ru oly oce, we aalyze the cost of our costructio i each aggregatio period. The computatio cost is measured by the umber of PRFs computed, sice the legth-matchig hash fuctio (which maily cosists of exclusive-or operatios) ad arithmetic additio are much less expesive i computatio. I each time period, each user computes 2c q PRFs o average, while the aggregator computes q PRFs. As for the storage cost, the trusted authority stores c secrets as well as 2c mappigs betwee the secrets ad the users/aggregator. Each user stores 2c q secrets o average, while the aggregator stores q secrets. Besides sedig the ecrypted data to the aggregator, each user does ot make ay extra commuicatios. 6) Comparisos with the Straw-ma Costructio: Table VII compares our costructio to the straw-ma costructio i security ad cost. Whe the total computatio cost (for users

7 TABLE VII TE SECURITY AND COST OF OUR CONSTRUCTION AND TE STRAW-MAN CONSTRUCTION.FOR COMPUTATION COST, TE VALUE IS TE COST PER TIME PERIOD. Straw-ma Ours p b ( ( γ)c ) ( ( γ)c ) ( ( γ)(c ) ) c c Comp. (total) 2c 2c c Comp. (user) c 2c q Comp. c q(q <) (aggregator) Storage (user) c 2c q Storage c q (aggregator) TABLE VIII TE COMPUTATION COST OF OUR CONSTRUCTION AND TE STRAW-MAN CONSTRUCTION FOR 80-BIT SECURITY WEN γ = User Straw-ma Ours Aggregator Straw-ma Ours ad the aggregator) is the same, our costructio achieves better security. Also, it has smaller computatio cost at the aggregator. Upo iitial ispectio, our costructio may seem to double the computatio cost at each user (i.e., from c to roughly 2c). I practice, however, it ca use a smaller c to achieve the same security level. Table VIII shows the computatio cost of the two costructios at the same security level. For a wide rage of ( ), the computatio cost at each user is slightly higher (i.e., oe or two PRFs) i our costructio, but the computatio cost at the aggregator is orders of magitude smaller. V. AGGREGATION PROTOCOL FOR MIN The Mi aggregate is defied as the miimum value of the users data. This sectio presets a protocol which employs the Sum aggregate to get Mi. A. The Basic Scheme This scheme gets the Mi aggregate of each time period usig Δ+ parallel Sum aggregates i the same time period. The sums used to obtai Mi are based o a umber of -bit derivative data (deoted by d) derived from the users raw data x. Without loss of geerality, we assume that Δ is a power of two. The scheme works as follows. I each time period, each user geerates Δ+ derivative data d[0], d[],..., d[δ], where each derivative data correspods to oe possible data value i the plaitext space. For each j [0, Δ], the user assigs to d[j] if its raw data value is equal to j ad assigs 0 otherwise. For each j [0, Δ], the aggregator ca obtai the Sum aggregate of d[j] usig the sum aggregatio protocol preseted i Sectio IV. The Mi is the smallest j that returs a positive sum. I each time period, each user ivolves i Δ+ sum aggregates over Δ+ derivative data. Note that i the sum aggregatio protocol each user computes 2c PRFs to ecrypt her data. It is iefficiet to compute 2c PRFs for User Derivative data d[] d[2] d[3] d[4] Sum (a) Origial derivative data Fig. 4. data. User 2 3 Sum d[] Derivative data d[2] d[3] d[4] (b) Exteded ad cocateated data A example of sum based o exteded ad cocateated derivative each derivative data. Sice these data are idepedet, we use a more efficiet techique that cocateates multiple data together ad ecrypts them as a whole. This techique exteds each derivative data from oe bit to log ( +) bits by addig log ( +) 0 s o the left, ad the cocateates all exteded derivative data ito a sigle bit strig. The sum of the cocateated strig (iterpreted as a iteger) is obtaied usig the sum aggregatio protocol. The obtaied sum is cosidered as a bit strig, ad split ito substrigs of log ( + ) bits each. Each substrig, whe iterpreted as a iteger, represets the sum of oe derivative data. Note that these substrigs do ot affect each other (i.e., o carries amog them), sice the sum of each derivative data does ot exceed. Figure 4 shows a example of this process. Clearly, the cocateated data has (Δ + ) log ( + ) bits. The ciphertext geerated by each user has α =(Δ+ ) log ( +) bits. If α is larger tha, which is the size of the output geerated by the PRF (i.e., a MAC), we ca (Δ+) log (+) divide the derivative data ito groups ad apply the above techique to each group. Thus, (Δ+) log (+) istaces of the sum aggregatio protocol are eeded i each time period. For example, whe = 000, Δ = 0000 ad SA-52 is used as the hash fuctio of MAC, 96 istaces of the sum aggregatio protocol are eeded. Each user uses just oe set of secrets for all istaces of the sum aggregatio protocol. For istace j, it uses h(f s (j t)) to geerate the ecryptio key istead of usig h(f s (t)) i the origial protocol (see Equatio 9). Similarly, the aggregator also uses just oe set of secrets. Sice the sum aggregatio protocol does ot leak the derivative data of ay user, the aggregator caot kow the data value of ay specific user. B. Low-cost Mi Aggregatio Whe the plaitext space is large, the cost of the basic scheme is high. I some applicatio scearios, it may ot be ecessary to get the exact Mi, but a approximate aswer is good eough. For such scearios, the basic scheme ca be exteded to get a approximate Mi with much smaller cost. Specifically, we wish to obtai a approximate Mi where Exact Mi Approximate Mi the relative error (defied as max{exact Mi,} ) is required to be lower tha 2 (ɛ 0). To meet this requiremet, ɛ the exact value of Mi should be obtaied if Mi is smaller tha or equal to 2 ɛ, ad the ɛ-bit segmet of Mi (whe Mi is iterpreted as a bit strig) that starts from the first bit should be obtaied if Mi is larger tha 2 ɛ. For example, suppose Mi is 42 (00000) out of 8-bit data. To make

8 the relative error smaller tha 2, it is sufficiet to kow 3 that Mi has the bit patter 000xxx. The we ca set the bit that follows the kow bits as ad set other bits as 0. The obtaied approximate Mi is 00000, which is 44. The relative error is 2, which is smaller tha the required 2. 3 To obtai the approximate Mi, each user appeds ɛ + paddig bits to its raw data. If the data value is zero, the first paddig bit is ad the others are 0; otherwise, all the paddig bits are 0. The padded data has log Δ + ɛ +2 bits ad at least oe bit is. The first bit of Mi may appear i ay of the first log Δ + 2 bits of the padded data. I the case it appears at the first paddig bit, Mi is zero. Suppose i the biary represetatio of data value, the weight of bit decreases from the left to the right. Let δ (δ [, log Δ + 2]) deote the locatio (idexed from the left) of the first bit of Mi. Smaller δ meas larger Mi. Let σ deote the value of the (ɛ )-bit segmet of Mi that follows δ. Whe δ is the same, a larger σ meas larger Mi. Clearly, there are 2 ɛ (log Δ + 2) possible combiatios of δ, σ. We map these combiatios to a auxiliary plaitext space 0,,..., 2 ɛ (log Δ+2), such that if oe combiatio meas smaller Mi tha aother combiatio, it is mapped to a smaller value i the auxiliary plaitext space tha that combiatio. Let v[δ, σ] deote the value that combiatio δ, σ maps to. I each time period, each user coverts its padded raw data to a value x i the auxiliary plaitext space as follows: if i its padded raw data the first bit appears at δ ad the value of the (ɛ )-bit segmet that follows the first bit is σ,it sets x = v[δ,σ ]. The aggregator ca get the Mi of x usig the basic scheme, ad reversely map the Mi of x to a pair of δ, σ. It kows that the first bit of the Mi aggregate over padded raw data appears at locatio δ, ad the (ɛ )-bit segmet that follows the first bit is σ. The it sets the bit that follows the (ɛ )-bit segmet as, ad sets the remaiig bits as 0. This derives the Mi aggregate over padded raw data, which has the form {0} δ {} {0, } ɛ {} {0} log Δ+2 δ. From this bit strig, the last ɛ + paddig bits are removed ad the the approximate Mi of users raw data is obtaied. Figure 5 shows a ruig example of this process. I total, this scheme uses 2 ɛ (log Δ + 2) Sum aggregates 2 of -bit derivative data. Thus, ɛ (log Δ+2) istaces of the sum aggregatio protocol are eeded i each time period. For example, whe Δ=0 4, SA-52 is used as the hash fuctio of MAC ad it is required to limit the relative error to % (i.e., ɛ =7), oly 2 istaces are eeded. Table IX summarizes the relative error ad cost of the basic scheme ad the low-cost scheme. VI. EVALUATIONS This sectio evaluates the cost of our aggregatio protocols for Sum ad Mi. We compare our solutio agaist two existig privacy-preservig aggregatio protocols for timeseries data: the protocol proposed i [7] (deoted by EXP) ad CollaPSE [9]. TABLE IX TE RELATIVE ERROR AND COST OF TE BASIC SCEME AND TE LOW-COST SCEME. Basic Low-cost Relative error 0 2 ɛ 2c(Δ+) log (+) 2 Ecryptio (PRFs) ɛ c(log Δ+2) q(δ+) log (+) 2 Decryptio (PRFs) ɛ q(log Δ+2) Ciphertext size (bit) (Δ + ) log ( +) 2 ɛ (log Δ + 2) is the size of the output geerated by the PRF. TABLE X COMPARISONS BETWEEN OUR SUM AGGREGATION PROTOCOL AND EXISTING PROTOCOLS IN COMPUTATION AND STORAGE COST. Ecryptio Decryptio Storage Storage (user) (aggregator) (user) (aggr.) EXP 2 Mod. Exp. Δ Mod. Exp. CollaPSE (γ +) PRFs (γ +) PRFs γ + γ + Ours 2c PRFs q PRFs 2c q Mod. Exp. stads for modular expoetiatios. I practice, MAC ca be used as a pseudoradom fuctio (PRF). Parameters of the three schemes are set to tolerate γ colludig users. I most practical settigs, c 7 ad q 3 (see Table V ad VI). A. Aalytical Comparisos ) Cost of Sum aggregatio: EXP is a Sum aggregatio protocol based o the decisioal Diffie-ellma assumptio (see [7] for details). I EXP, ecryptio maily requires two modular expoetiatios. The aggregator decrypts the sum via a brute-force trial of possible plaitext. It takes oe modular expoetiatio to try each possible plaitext ad a total of Δ modular expoetiatios are eeded. If Pollard s Rho method is used, the decryptio cost ca be reduced to about Δ modular expoetiatios. ere, we use the reduced cost of EXP for compariso, ad later we will show that our solutio ca further reduce the cost. Similar to our protocol, CollaPSE also uses the homomorphic ecryptio scheme proposed i [2] to derive the Sum aggregate, but i a differet way (see [9] for details). I CollaPSE, each user (the aggregator) computes s + PRFs to ecrypt her data (decrypt the sum). ere, s is a system parameter ad it deotes the umber of colludig users that the protocol ca tolerate. Table X shows the computatio ad storage cost of the three aggregatio protocols for Sum, where the cost is derived uder the same coditio that they ca tolerate γ colludig users. Compared with CollaPSE, our protocol has much smaller computatio ad storage cost at both the users ad the aggregator, especially for a large system with possibly may colludig users. Compared with EXP, our protocol has slightly higher storage cost (i.e., aroud 0 secrets each with just tes of bytes), but our computatio overhead is much lower sice PRF (whe implemeted with MAC) ca ru orders of magitude faster tha modular expoetiatio i practice. We elaborate this poit further i Sectio VI-B. 2) Cost of Mi aggregatio: The Mi aggregatio scheme preseted i Sectio V-B derives Mi from 2 ɛ (log Δ + 2) parallel Sum aggregates of -bit data, where each sum is obtaied usig our Sum aggregatio protocol. ere, each sum ca also be obtaied usig EXP, ad we refer to the Mi

9 x =4 x 2 =4 x 3 =3 x 4 = x[] x[2] x[3] x[4] x[5] x[6] x[7] Raw data Paddig bits ± ¾ v[±; ¾] x =4 x 2=4 x 3=3 x 4= Sum (a) Padded raw data (b) Derivative data Fig. 5. A example of the process that obtais a approximate Mi, where Δ=4ad ɛ =3. The four users auxiliary data values are x =2, x 2 =2, x 3 =0ad x 4 =4. The Mi of the auxiliary data is 4, ad it is reversely mapped to δ, σ = 3, 00. Thus, the approximate Mi of padded raw data is After the last four paddig bits are removed, the output is 00. aggregatio scheme that uses EXP as a buildig block as EXP- Mi. I EXP-Mi, each user computes 2 ɛ (log Δ + 2) modular expoetiatios to ecrypt her data, ad the aggregator computes 2 ɛ (log Δ + 2) modular expoetiatios to decrypt the Mi. Similarly, CollaPSE ca also be used as a buildig block of Mi aggregatio, ad the resultig scheme is referred to as CollaPSE-Mi. I CollaPSE-Mi, the computatio cost is 2 ɛ (γ+)(log Δ+2) PRFs for both ecryptio ad decryptio, cosiderig that the cocateatio techique i Sectio V-A also works for CollaPSE. Compared with CollaPSE-Mi, our Mi aggregatio scheme improves the computatio cost of ecryptio ad decryptio by a factor of γ+ 2c ad γ+ q respectively (see Table IX for the cost of our scheme). Our scheme is also much more efficiet tha EXP-Mi i computatio, as show i Sectio VI-B. B. Practical Performaces I Table X, the computatio costs of our Sum aggregatio protocol ad EXP are measured by differet uits, i.e., modular expoetiatio ad PRF ivocatio. ere, we elaborate the compariso betwee them with results i ruig time. Note that PRF ca be implemeted with MAC i practice. Accordig to the bech-markig data reported by ebacs [30], it takes roughly 0.3 ms to compute a modular expoetiatio usig high-speed elliptic curves such as curve2559 o a 64-bit desktop PC, ad it takes roughly 0.26 μs to compute a MAC whe SA-52 is used as the hash fuctio. Based o these umbers, Table XI shows the ruig time of our Sum aggregatio protocol ad EXP. Our protocol is much faster tha EXP i both ecryptio ad decryptio. Specifically, ecryptio is two orders of magitude faster. Whe the plaitext space Δ 0 3, decryptio is at least four orders of magitudes faster. I our protocol, the computatio cost decreases as the system scale icreases, ad it does ot chage with the plaitext space (so log as the size of plaitext data does ot exceed the size of a MAC output). Thus, our protocol ca support large systems ad large plaitext spaces. Table XII shows the ruig time of our Mi aggregatio protocol ad EXP-Mi. ere, the plaitext space is set as Δ= 0 4. The parameters of our protocol are set accordig to Table V ad Table VI whe γ =0.2. I all the show cases, our protocol is at least five (six) orders of magitude faster tha Accordig to ebacs, it takes 0.3 μs to compute oe SA-52. Sice oe MAC maily computes two hashes, we simply double this time to get the ruig time of MAC. TABLE XI TE RUNNING TIME OF OUR PROTOCOL FOR SUM AND TE CONSTRUCTION PROPOSED IN [7] (DENOTED BY EXP ) Ec. Ours 3.μs 2.6μs 2.μs.6μs.6μs EXP 600μs 600μs 600μs 600μs 600μs Dec. Ours 3.3μs 2.μs.6μs.3μs μs EXP(Δ =0 2 ) 30ms 95ms 300ms 950ms 3s EXP(Δ =0 3 ) 95ms 300ms 950ms 3s 9.5s EXP(Δ =0 4 ) 300ms 950ms 3s 9.5s 30s EXP(Δ =0 5 ) 950ms 3s 9.5s 30s 95s Δ is the plaitext space. Each user s data value is from {0,,..., Δ}. EXP-Mi i ecryptio (decryptio). Especially, as the system scale icreases, the ruig time of decryptio i EXP-Mi icreases quickly which shows the poor scalability of EXP- Mi, but the ruig time of our protocol decreases ad is always very low, which shows that our protocol is scalable. VII. DISCUSSIONS More aggregate statistics. I the basic aggregatio scheme for Mi preseted i Sectio V-A, the aggregator ca actually get the umber of times that each possible data value appears, ad derive the accurate distributio of the users data i the plaitext space [0, Δ]. From the distributio, other aggregate statistics such as Media, Percetile ad istogram ca be obtaied. I this process, the aggregator kows othig about each idividual user s data. Differetial privacy for Sum. Differetial privacy [3] provides strog ad provable privacy guaratee for users such that a user s participatio i the system oly leaks egligible iformatio about the user. Our protocol for Sum ca be adapted to provide computatioal differetial privacy [8]. To achieve this goal, a appropriate oise is added to each user s data (e.g., usig the data perturbatio algorithms proposed i [7] or [6]), ad the the sum of oisy data is obtaied usig our protocol. Dyamic jois/leaves ad fault tolerace Whe a user jois or leaves, the trusted authority ca issue a ew set of secrets to every user ad the aggregator. For a large system with high chur, the commuicatio cost caused by dyamic jois or leaves may be high. To reduce the cost, the biary costructio proposed i [8] ca be applied o top of our Sum aggregatio protocol, such that the expesive rekeyig is oly eeded i a small umber of jois or leaves. With data perturbatio [7] ad the biary costructio icorporated, fault tolerace ca also be achieved. Whe a umber of users

10 TABLE XII TE RUNNING TIME OF OUR MIN AGGREGATION PROTOCOL AND EXP-MIN WIC USES EXP AS A BUILDING BLOCK. Ecryptio Decryptio =0 3 =0 4 =0 5 =0 6 =0 3 =0 4 =0 5 =0 6 Relative error < % EXP-Mi 587ms 587ms 587ms 587ms 9.3s 29s 93s 294s Ours 5μs 4μs 3μs 3μs 4μs 3μs 2.5μs 2μs Relative error < 0.% EXP-Mi 4.7s 4.7s 4.7s 4.7s 74s 235s 743s 2348s Ours 40μs 32μs 24μs 24μs 32μs 24μs 20μs 6μs fail (e.g., due to loss of power or etwork coectio), the aggregator ca still get the aggregate statistics of the remaiig users. VIII. CONCLUSIONS To facilitate the collectio of useful aggregate statistics i mobile sesig without leakig mobile users privacy, we proposed a ew privacy-preservig protocol to obtai the Sum aggregate of time-series data. The protocol utilizes additive homomorphic ecryptio ad a ovel, MAC-based key maagemet techique to perform extremely efficiet aggregatio. Comparisos based o bech-markig measuremet data show that operatios at user ad aggregator i our protocol are orders of magitude faster tha existig work. Thus, our protocol ca be applied to a wide rage of mobile sesig systems with various scales, plaitext spaces, aggregatio loads ad resource costraits. Based o the Sum aggregatio protocol, we also proposed two schemes to derive the Mi aggregate of time-series data. Oe scheme ca obtai the accurate Mi while the other oe ca obtai a approximate Mi with provable error guaratee at much lower cost. REFERENCES [] M. Mu, S. Reddy, K. Shilto, N. Yau, J. Burke, D. Estri, M. ase, E. oward, R. West, ad P. Boda, Peir, the persoal evirometal impact report, as a platform for participatory sesig systems research, i Proceedigs of the 7th iteratioal coferece o Mobile systems, applicatios, ad services, ser. MobiSys 09, 2009, pp [2] A. Thiagaraja, L. Ravidraath, K. LaCurts, S. Madde,. Balakrisha, S. Toledo, ad J. Eriksso, Vtrack: accurate, eergy-aware road traffic delay estimatio usig mobile phoes, i Proceedigs of the 7th ACM Coferece o Embedded Networked Sesor Systems, ser. SeSys 09, 2009, pp [3] S. Cosolvo, D. W. McDoald, T. Toscos, M. Y. Che, J. Froehlich, B. arriso, P. Klasja, A. LaMarca, L. LeGrad, R. Libby, I. Smith, ad J. A. Laday, Activity sesig i the wild: a field trial of ubifit garde, i Proceedigs of the twety-sixth aual SIGCI coferece o uma factors i computig systems (CI), 2008, pp [4] J. icks, N. Ramaatha, D. Kim, M. Moibi, J. Selsky, M. ase, ad D. Estri, Adwelless: a ope mobile system for activity ad experiece samplig, i Proc. Wireless ealth, 200, pp [5] N. D. Lae, M. Mohammod, M. Li, X. Yag,. Lu, S. Ali, A. Doryab, E. Berke, T. Choudhury, ad A. Campbell, Bewell: A smartphoe applicatio to moitor, model ad promote wellbeig, i 5th Iteratioal ICST Coferece o Pervasive Computig Techologies for ealthcare, 20. [6] V. Rastogi ad S. Nath, Differetially private aggregatio of distributed time-series with trasformatio ad ecryptio, ACM SIGMOD, 200. [7] E. Shi, T.-.. Cha, E. Rieffel, R. Chow, ad D. Sog, Privacypreservig aggregatio of time-series data, Network ad Distributed System Security Symposium (NDSS), 20. [8] T.-.. Cha, E. Shi, ad D. Sog, Privacy-preservig stream aggregatio with fault tolerace, Fiacial Cryptography ad Data Security (FC), 202. [9] E. G. Rieffel, J. Biehl, W. va Melle, ad A. J. Lee, Secured histories: computig group statistics o ecrypted data while preservig idividual privacy. I submissio, 200. [0] P.-A. Fouque, G. Poupard, ad J. Ster, Sharig decryptio i the cotext of votig or lotteries, i Proceedigs of the 4th Iteratioal Coferece o Fiacial Cryptography, ser. FC 00, 2000, pp [] MNDOLI, Mosha permissible exposure limits, available at [2] S. B. Eisema, E. Miluzzo, N. D. Lae, R. A. Peterso, G.-S. Ah, ad A. T. Campbell, The bikeet mobile sesig system for cyclist experiece mappig, i Proceedigs of the 5th iteratioal coferece o Embedded etworked sesor systems (SeSys), 2007, pp [3] M. G. Apte, W. J. Fisk, ad J. M. Daisey, Idoor carbo dioxide cocetratios ad sbs i office workers, i Proceedigs of ealthy Buildigs, 2000, pp [4] Z. Zhu ad G. Cao, Applaus: A privacy-preservig locatio proof updatig system for locatio-based services, i Proc. IEEE INFOCOM, 20. [5] Q. Li ad G. Cao, Mitigatig routig misbehavior i disruptio tolerat etworks, IEEE Trasactios o Iformatio Foresics ad Security, vol. 7, o. 2, pp , April 202. [6] E. D. Cristofaro ad C. Soriete, Short paper: Pepsi privacy-ehaced participatory sesig ifrastructure, i Proceedigs of the fourth ACM coferece o Wireless etwork security (WiSec), 20, pp [7] Q. Li, S. Zhu, ad G. Cao, Routig i socially selfish delay tolerat etworks, i Proc. IEEE INFOCOM, 200, pp. 9. [8] Q. Li, W. Gao, S. Zhu, ad G. Cao, A routig protocol for socially selfish delay tolerat etworks, Ad oc Networks, vol. 0, o. 8, pp , 202. [9] D. Boet, E.-J. Goh, ad K. Nissim, Evaluatig 2-df formulas o ciphertexts, TCC, [20] C. Getry, Fully homomorphic ecryptio usig ideal lattices, i ACM symposium o Theory of computig (STOC), 2009, pp [2] C. Castelluccia, A. C.-F. Cha, E. Mykletu, ad G. Tsudik, Efficiet ad provably secure aggregatio of ecrypted data i wireless sesor etworks, ACM Trasactios o Sesor Networks (TOSN), vol. 5, o. 3, pp. 20: 20:36, [22] Y. Yag, X. Wag, S. Zhu, ad G. Cao, Sdap: A secure hop-by-hop data aggregatio protocol for sesor etworks, ACM Trasactios o Iformatio ad System Security (TISSEC), vol., o. 4, [23] Z. Yag, S. Zhog, ad R. N. Wright, Privacy-preservig classificatio of customer data without loss of accuracy, i SIAM SDM, 2005, pp [24] J. Shi, R. Zhag, Y. Liu, ad Y. Zhag, Prisese: privacy-preservig data aggregatio i people-cetric urba sesig systems, i Proc. IEEE INFOCOM, 200, pp [25] G. Ács ad C. Castelluccia, I have a dream!: differetially private smart meterig, i Proceedigs of the 3th iteratioal coferece o Iformatio hidig, ser. I, 20, pp [26] M. Jawurek ad F. Kerschbaum, Fault-tolerat privacy-preservig statistics, i The 2th Privacy Ehacig Techologies Symposium (PETS), 202. [27] M. Shao, Y. Yag, S. Zhu, ad G. Cao, Towards statistically strog source aoymity for sesor etworks, i Proc. IEEE INFOCOM, [28] C. Castelluccia, Efficiet aggregatio of ecrypted data i wireless sesor etworks, i I MobiQuitous. IEEE Computer Society, 2005, pp [29] M. Bellare, New proofs for mac ad hmac: security without collisioresistace, i Proceedigs of the 26th aual iteratioal coferece o Advaces i Cryptology, ser. CRYPTO 06. Spriger-Verlag, 2006, pp [30] D. J. Berstei ad T. L. (editors), ebacs: Ecrypt bechmarkig of cryptographic systems, accessed Feb 202. [3] C. Dwork, F. McSherry, K. Nissim, ad A. Smith, Calibratig oise to sesitivity i private data aalysis, TCC, 2006.