Integrity assured multi-functional multi-application secure data aggregation in wireless sensor networks (IAMFMA-SDA)

Abstract

Industrial revolutions and demand of novel applications drive the development of sensors which offer continuous monitoring of remote hostile areas by collecting accurate measurement of physical phenomena. Data aggregation is considered as one of the significant energy-saving mechanism of resource constraint Wireless Sensor Networks (WSNs) which reduces bandwidth consumption by eliminating redundant data. Novel applications demand WSN to provide information about the monitoring region in multiple aspects in large scale. To meet this requirement, different kinds of sensors of different parameters are deployed in the same region which in turn demands the aggregator node to integrate diverse data in a smooth and secure manner. Novelty in applications also requires Base station (BS) to apply multiple statistical functions. Hence, we propose to develop a novel secure cost-efficient data aggregation scheme based on asymmetric privacy homomorphism to aggregate data of multiple parameters and facilitate the BS to compute multiple functions in one round of data collection by providing elaborated view of monitoring region. To meet the claim of large scale WSN which requires dynamic change in size, vector-based data collection method is adopted in our proposed scheme. The security aspect is strengthened by allowing BS to verify the authenticity of source node and validity of data received. The performance of the system is analyzed in terms of computation and communication overhead using the mathematical model and simulation results.

Keywords

Wireless sensor networks secured data aggregation privacy homomorphism

1 Introduction

Wireless Sensor Network (WSN) is a network of miniature sensor devices mostly deployed in remote hostile areas to spy over the environment by measuring physical parameters such as temperature, pressure, sound, vibration, humidity level etc. The sensor devices are mainly equipped with sensing and processing units to capture the changes in the environment and produce measurable output about the parameter being monitored and it is communicated in collaboration with other connected nodes to the base station for analysis. Moreover, the monitoring process of sensor nodes can be configured either to be continuous or event driven. This enormous potential makes WSNs popular. It is increasingly gaining impact in our routine life and becoming ubiquitous. WSNs are successfully applied in widespread applications in various domains such as military, healthcare, agriculture, weather monitoring, industrial monitoring and automation etc. But the miniature characteristics left the sensor nodes with less computing power, less storage and battery power supply which make them suffer from resource starvation.

For the WSNs deployed in remote hostile area, it is very difficult to replace or recharge the drained battery. Hence increasing the life span of power constraint WSNs is one of the major problems. Research in [19, 20] shows that data transmission is the more energy consuming factor than computation. Hence Data aggregation (DA) becomes an important primitive [21] which helps to minimize the data transmission by eliminating redundancy. This is normally carried out by an intermediate node called aggregator which integrates the multiple data entities coming from sensor nodes in to a single entity and reduces the overall hops required for the data to reach the destination sink.

Because of the hostile and inaccessible nature of deployed region, the data being communicated in WSNs are prone to attack. The intruders can affect the confidentially and integrity of the data by illegally taping or making unauthorized changes in the data. Hence secure data communication is another important issue of WSNs. One of the popular mechanisms to achieve confidentiality is converting the data into non understandable format using encryption mechanism. To achieve bandwidth reduction with confidentiality, Data aggregation schemes are implemented either by hop-by-hop encryption or by end-to-end encryption [9]. In hop-by-hop based encryption schemes [22], the aggregator decrypts the cipher text and applies integration function over the plain text and then encrypts the aggregated data. This makes the scheme more vulnerable to attack when the aggregator node is compromised. This problem is addressed and end to end confidentiality is guaranteed by employing privacy preserving homomorphism (PH) based encryption mechanism which allows aggregator to apply aggregation function over the cipher text instead of plain text. Based on the kind of keys employed these PH based encryption schemes are classified in to Symmetric PH schemes and Asymmetric PH schemes.

In the region where the sensor nodes are deployed in dense and enrolled to measure different physical parameters of the same region, data aggregation has to be implemented parameter wise. This increases the bandwidth consumption. It can be minimized by aggregating data of different parameters together as single data unit as shown in Fig. 2 by reducing the overall hops needed for data communication. In Fig. 1, the data are aggregated parameter wise. Hence three aggregated data units are generated by aggregator with the total hops of 9. These 9 hops are reduced to 7 in Fig. 2 by using multi parameter aggregation. But the key challenge of multi parameter aggregation is to mix the data of multi parameters efficiently in such a way that the BS should be able to extract parameter wise data smoothly from the aggregate. In [1], Boneh’s et al proposed an asymmetric PH based encryption scheme with the property of bilinear map. This is extended in [2] referred to as CDAMA, by assigning separate key for each application and utilizing additive homomorphism of [1] to aggregate cipher text of different applications. The same concept is also applied in [4] referred to as IPHCDA, but for aggregating data from multiple regions by assigning different keys for each region. In both [2, 4], the BS is enabled to extract application wise and region wise data from the aggregate. The BS can get only the application specific or region wise summation of sensed values. No other statistical functions can be applied by the BS over the extracted data.

Fig. 1

Single parameter aggregation.

Fig. 2

Multi parameter aggregation.

In [5] referred to as ASAHS, the authors proposed a secure imprecise interval-based data aggregation scheme which allows BS to compute many statistical functions like minimum, maximum, average, etc by collecting number of occurrences based on value range. Another scheme proposed by P.Zhang et al [23] is based on the concept of collecting number of occurrences of specific value but not the range as in [5] and supports the BS to perform multi functions over the extracted data.

In this paper, we propose to develop a scheme called Integrity Assured Multi Functional Multi Application Secure Data Aggregation (IAMFMA-SDA) based on additive asymmetric homomorphic encryption for WSNs deployed in cluster topology. The scheme enables secure aggregation of multiple parameters (like temperature, humidity, pressure and etc.) measured from the same deployed region and extraction of parameter wise elaborated view from the aggregate to enable computation of multiple queries in one round of data collection. The main contributions of this paper are listed as follows.

First, we give the system an ability to achieve end to end confidentiality by adapting public key based homomorphic encryption scheme. Also, we enable the cluster head to perform additive aggregation of the cipher text. The information about the plain text is semantically secured by keeping the probability of deciding correct plain text from the cipher text less than half. Also, the value of actual sensed value is hidden from the intruder as well as from the aggregator by assigning different benchmark for each physical parameter which is known only to the sensor node and BS.

Second, we design the scheme in such a way that it is suitable for multi parameter - WSNs. The sensor nodes with the ability of sensing different physical parameters can be deployed in the same region and enjoy the benefit of data aggregation. Also, the scheme includes the flexibility of fixing different value range for each parameter and the occurrences of all parameters whose value fall within these specified range are securely aggregated

Third, we enable the BS to obtain parameter wise comprehensive view and compute any statistical functions over the parameter specific data sent by sensor nodes in one round of data collection. Example of these functions includes average, minimum maximum, etc.

Fourth, we enhance the security of our scheme by ensuring integrity of the data and authenticity of source nodes. Integrity is verified by two mechanisms. One by value-based hash function and another one by comparing active participating sensor nodes with the total occurrence count. Authenticity of source node is ensured both at CH and at BS.

Then we minimize the communication cost between the sensor node and cluster head by keeping the vector size as two and security is ensured by introducing randomness in the selection of vector elements pairs.

Finally, we present the performance analysis using simulated data set.

The remainder of this paper is organized as follows. Section 2 discusses the related work. Section 3 provides the system model and security model of the proposed scheme. Section 4 explains the preliminaries. Our IAMFMA-SDA scheme is described in Section 5. Security analysis is presented in Section 6. Section 7 gives the performance and comparative analysis of IAMFMA-SDA. Finally we conclude our IAMFMA-SDA in Section 8.

2 Related works

The authors in [5] proposed a scalable scheme for aggregating data of single physical parameter and ensured security through asymmetric PH scheme [13] which is probabilistic and additive homomorphic. The security is strengthened by storing two public key parameters in encrypted form generated using the node ID in each node. This also helps the BS to verify the consistency of the received data. It uses an array of cipher texts whose index represents an interval of values, and cipher text carries the number of occurrences of sensed values which falls within this interval. Instead of sending the actual sensed value each node sends this array by incrementing one of index to which the sensed value belongs to. Because of this concept, the scheme is able to achieve scalability and allows the BS to apply some set of mathematical functions over the data. Concepts of interval-based data collection makes this scheme suffers from loss of accuracy. Also, it requires the BS to keep track of active nodes to verify the integrity of the data. In [3] referred to as RCDA, data aggregation of single physical parameter scheme using EC-EG homomorphic encryption is proposed. Here aggregation is done by concatenating the cipher texts. This enables the BS to recover all sensed data and apply multiple statistical functions over the data. Also, it verifies the collective integrity of the received data by attaching a signature generated using [24] which supports aggregation of signature. But false data due to replay attack cannot be captured by this integrity verification. This is addressed in our scheme by adding value-based hash as well as by tracing the active nodes participating in data gathering. Also, aggregation by concatenation limits the message space by cluster size. To address the problem collective integrity verification which results in the rejection of whole received data slice based discrete integrity verification is proposed in [33]. In [34], the secure data aggregation scheme for the WSN using the hybrid topology is proposed. The deployed region is split into equal parts where all the nodes are structured into stars. Tree topology is established by attaching a parent with each node. Security is enforced using symmetric encryption. The authors of [4] proposed a data aggregation scheme which safely aggregates data from multiple regions and enable BS to extract region wise data from the aggregate. By assigning different parameters to different regions multi parameter aggregation can be achieved. Concealed data aggregation and multi parameter support is achieved by adapting the APH scheme which is the extension of [1]. But as discussed in Section 1, BS is not allowed to apply different query. It supports integrity verification only at region level. But impurity due to replay attack and active attack within a cluster cannot be verified at BS. In [6], the authors proposed a scheme referred to as SASPKE for secure aggregation of single parameter by employing StPKE [28] and homomorphic encryption scheme [29]. It enables the BS to apply many functions over the received data by applying encoding mechanism as in RCDA [3] and data integrity is verified by using hash based message authentication code. The same is also used for verifying the authentication of the node. The authors in [7] referred to as MRCDA, proposed an end-to-end secured data aggregation scheme using EC-EG encryption and integrity of the data is verified at CH as well as at BS by employing two different MACs(Message Authentication Code). One is generated using pair wise symmetric key and another one is by using homomorphism. Fully homomorphic encryption based aggregation scheme proposed in [30] referred to as FESA, ensures end to end confidentiality and allows the detection of false data en route by verifying the integrity during aggregation as well as forwarding towards BS. In [31] referred to as SPPDABEC, a secure data aggregation scheme for Wireless Body Area network is proposed and it ensures the confidentiality between source and destination by applying Bilinear ElGamal cryptosystem for generating cipher text and verifies the integrity at both aggregator and BS by generating signature using [24] as in [3]. The multiplicative nature of the employed cryptosystem makes this scheme more costly. In [32], the authors proposed a data aggregation scheme by slicing the data into fragments. Number of slices are minimized by adopting Euclidean based disintegration. But support of dynamic functions in a single query is not possible in this scheme. In [35], the authors proposed EC-EG based secure data aggregation for WSN by dynamically selecting the CH based on the location and energy level to improve the lifespan of WSN. In [37], the authors enhances the security by including temporal parameters associated with the data transmission ability of sensing nodes. Except [2, 4], all the other existing schemes like [3, 5–7, 23, 35, 37] are having the ability of aggregating only the data of single parameter. But in both [2, 4], the BS can get only one aggregate view of each parameter. In [36] referred to as MFMDSDA, proposed a scheme for aggregating data of different parameter by encoding the data using Chinese Remainder Theorem (CRT). The CRT consumes processor cycle for converting vector to large integer and requires analytical center with high computing power for supporting multiple functionalities.

In real time scenario, it is required to collect information about multiple physical parameters from the monitoring region and apply more statistical functions at the base station. Also, the nature of these deployed regions invites more security attacks and makes it necessary to ensure confidentiality and integrity of the received data. It is important to differentiate valid users from adversaries. Moreover in some real time applications, it becomes necessary to extend the size of the network dynamically after deployment. By considering all these requirements we propose to develop a cost efficient secure data aggregation scheme which can aggregate multiple parameters with an ability of ensuring confidentiality, integrity, scalability and support of multi functionality.

3 System model and security model

The major requirements of WSN are how efficiently and securely the data can be gathered and transmitted to Base station(BS). In our system for efficient transmission data aggregation of multiple parameters is considered. In WSN, it is important to ensure the confidentiality and integrity of the data. Hence our system focuses on privacy and integrity protection of data from multiple parameters. In this section we present the system model and security model.

3.1 System model

In our system, WSN is modeled as a group of clusters organized as tree (Fig. 3). Each cluster comprises of sensors and cluster head (CH). Senor node with the capability of high computation and communication range is designated as cluster head. The CH broadcast Build_Cluster message to all the nearby members. The members compute the distance with all the CH from which Build_Cluster message is received and send the Cluster_Join message to the CH which is close to it. Based on the number of Cluster_Join message received, the CH decides and give Build_Accept message to the cluster member and form the cluster. In our system, the CH shares unique symmetric key with each cluster member for secure communication. After receiving data from all the sensors, CH performs aggregation and forwards it to BS. The sensors may be deputed to measure different physical parameters. Each sensor is deployed with public key, encryption algorithm and parameter specific details known only to BS.

Fig. 3

WSN for multiple parameters.

3.2 Security model

As most of the WSN applications are targeting remote hostile areas, they are prone to attack which mainly affects the confidentiality and integrity of the data. By considering this and the ability of adversary, we define the attack model as follows.

End to End Confidentiality: Without compromising the sensor node and CH, the adversary sitting between them can simply over hear the message and try to decrypt the cipher text using the cipher text only attack, known plain text attack and chosen plain text attack. In cipher text only attack, confidentiality is compromised only by analyzing the encrypted message. But in known plain text attack and chosen plain text attack, the intruders try to gain information about the key and decipher the cipher text using the known plain text and their cipher text.

Chosen Cipher Text Attack: In this model, the attacker try to gain information about the cipher text by collecting decipher text of chosen cipher text. The homomorphic characteristic of encryption schemes makes them vulnerable to chosen cipher text attack.

Malicious attack: The intruder can behave like one of the valid sensor nodes and introduce malicious effect in the aggregated value by injecting false data. The asymmetric encryption schemes are more viable to this attack as public keys are common and whoever obtains this key can easily launch malicious attack.

Cluster Head Compromise Attack: By compromising the cluster head, the intruder try to obtain the information about plain text and inject forged values by performing unauthorized aggregation.

Replay attack: The validity of the data can be impacted by resending the already transmitted data and this affects the duplicate sensitive operations like summation, average and count in Base station.

The ability of our proposed scheme to defend against the above-mentioned attacks are discussed in Section 6.

4 Preliminaries

4.1 Privacy homomorphic (PH) encryption schemes

Homomorphic encryption is the form of encryption with the capability of applying computation over the encrypted data. Effect of this computation is same as that of performing the same on plain text. This ensures privacy while outsourcing data and does analysis without affecting the confidentiality.

Definition (Homomorphic property): Let the plain text be $m_{1}, m_{2} \in M$ and $M$ be the message space. Cipher text C₁ = Enc_k (m₁) and Cipher text C₂ = Enc_k (m₂) then Enc_k ( m₁° m₂) = C₁° C₂.

Because of homomorphic property the operation ° on the plain text is mapped with the operation on cipher text. This operation may be additive or multiplicative. The homomorphic property allows the intermediate node sitting between source and destination can perform aggregation of ciphered text without obtaining the plain text through decryption.In turn end to end confidentially is maintained. The key k used for encryption (Enc_k) is either symmetric or public key. The symmetric key based PH schemes such as Domingo-Ferrer scheme [10] and Castelluccia (CMT) et all’s scheme [11] have less computation and communication overhead. But the requirement of sharing key information between the sender and receiver makes these schemes comparatively less secure than asymmetric PH schemes. The Elliptic curve cryptography (ECC) which enjoys the same level of security as that of RSA cryptosystem with trapdoor function and smaller key size at high speed makes ECC based asymmetric PH schemes more popular. The security level of 256 bit ECC based cryptosystem is same that of 3072 bit RSA system [12]. The hardness of the ECC based PH schemes lies on Elliptic Curve Discrete Log Problem which is defined as finding the multiplicand is computationally difficult when the product and multiplier is given. Paillier in [14] proposed three probabilistic elliptic curve based crypto systems. The first cryptosystem called Elliptic curve Naccahe Stern (n = pq) is semantically se and its security is based on the intractable residuality problem. This is the variant of [15] and is defined over the elliptic curve ɛ_n where n = pq and p and q are chosen as congruent to 2 mod 3. The second cryptosystem is called Elliptic curve Okamoto-Uchiyama (n = p²q). This is the extension of [13]. The third cryptosystem is designed by extending the previous two schemes. All these three schemes are probabilistic and based on recovering discrete logarithms othree different types of curves. Also, their defending power depends on residuosity problem. Mykletun et al [16] proposed an Elliptic Curve- ElGamal Cryptosystem by converting the cipher system proposed in [17] into additive group. Boneh’s et al. [1] proposed another elliptic curve based cryptosystem that allows computation over the data encrypted using different keys and this is adapted in our proposed scheme.

4.2 Boneh’s encryption scheme

Here we discuss the encryption scheme proposed by Boneh’s et al. in [1] to evaluate the disjunctive normal form of 2 literals given the cipher form of n variables. This is an asymmetric PH scheme with the property of doubly homomorpohic. That is the encryption scheme supports homomorphism of both addition and multiplication over the cipher text. It resembles the encryption schemes proposed in [18] and [13]. The additive homomorphism is obtained from [18]. By considering the expensive nature of multiplicative homomorphism, [2] and [4] have taken advantage of only additive homomorphic property of [1]. Both [2, 4] utilized this property of [1] which enables computation over the data encrypted using different keys. The same modification is adapted in our proposed scheme to support aggregation of data of multiple parameters as in [2].

Boneh’s et al. [1] described three algorithms for generating keys, cipher text and decryption.

KeyGeneration(τ): Using the security parameter (τ), compute a tuple $(p_{1}, p_{2}, 𝔾_{1}, 𝔾_{2}, ɛ, e)$ such that n = p₁p₂ and ɛ is set of points on the elliptic curve (y² = x³ + 1) which forms a cyclic group. The order of ɛ is n. Here $𝔾_{1}$ is a subgroup of points on the curve with the order of ‘n’. The ‘e’ is bilinear map $e : 𝔾_{1} * 𝔾_{1} \to 𝔾_{2}$ . Select two random generators $g, u \overset{R}{\leftarrow} 𝔾_{1}$ and another generator h = u^{p
₂} of subgroup of $𝔾_{1}$ of order p₁. The public key is $(n, 𝔾_{1}, 𝔾_{2}, ɛ, e, g, h)$ and private key is p₁.

Encryption(m): let the message space is ${1, 2, \dots . M}$ and $M < p_{2}$ Cipher text $C = g^{m} \cdot h^{r} \in 𝔾_{1}$ where. refers to addition of elliptic curve points and g^m , h^r refers to the slarplicion or the elliptic curve points. ‘r’ is selected in random ie ∈ { 0, 1, 2, …, n - 1 }.

Decryption(C): cipher text is deciphered using the private key p₁. $\begin{matrix} plain text m = Dlo g_{b} C^{p_{1}} = Dlo g_{b} {(g^{m} \cdot h^{r})}^{p_{1}} \\ = Dlo g_{b} {(g^{m})}^{p_{1}} \end{matrix}$

Here the base b = g^{p
₁} and the discrete log can be solved in with $O \sqrt[n]{M}$ using pollards lambda method.

Aggregation: Additive homomorphic nature enables aggregation of k cipher texts C₁, C₂, … C_k. $\begin{matrix} C_{1} + C_{2} + \dots + C_{k} = \sum_{i = 1}^{k} g^{m_{i}} \cdot \\ h^{r_{i}} = g^{m_{1} + m_{2} + \dots + m_{k}} \cdot h^{R} \end{matrix}$

5 Proposed scheme IMFMA-SDA

In this section, we present our scheme for secure aggregation of multiple parameters which enables BS to extract parameter wise data and apply various statistical queries over the gathered data. Then we show how the BS can verify authentication of participating nodes and integrity of the received data. The major phases of our proposed scheme are setup phase, formation of secured vector, aggregation phase and operations at BS.

5.1 Setup

During setup procedure the wireless sensor network is organized as hierarchical clusters of nodes and encryption scheme is initialized. Our scheme assumes encryption based on asymmetric PH proposed by Boneh et al [1] and the updated version of the same as in [2].The BS calls an algorithm namely KG(τ) using the security parameter τ. KG generates separate public key for each parameter and private key. These parameter specific public keys are stored in sensor nodes before deployment. The number of public keys per sensor depends upon the number of parameters the sensor node is deputed for. Private key is kept secret in the base station for decrypting parameter specific data. The details of KG(τ) are given below. Along with the encryption details, in each sensor node the BS stores node ID, parameter specific benchmark (β_a), range factor $g$ in encrypted form generated using symmetric key which is shared only between sensor node and BS. This benchmark and range factor helps to fix different range value for each parameter. Also, it helps the BS to change the benchmark dynamically by analyzing past values collected from sensors and multicast new benchmark to all sensors dynamically as per the need. To secure the communication within the cluster, the CH shares a unique pair wise symmetric key between all cluster members.

Algorithm 1: Key generation - KG(τ)
1. Compute random τ bit primes p₁, p₂, … . p_j+1 such that $n = \prod_{i = 1}^{j + 1} p_{i} \in ℤ$ and an elliptic curve E defined over for a smallest integer $ℓ \in ℤ^{+}$ and form a cyclic group with the order(n)
2. Randomly take j + 1 generators $𝔾_{1}, 𝔾_{2}, \dots 𝔾_{j + 1} \in E$ such that order ( $𝔾_{i}$ )=n for all i = 1 to j + 1
3. Calculate a point $Q_{k} = (\prod_{i = 1, i \neq k}^{j + 1} p_{i}) * 𝔾_{k}$ such that order $(Q_{k}) = p_{k}$ for k = 1,2, \dots j + 1
4. Let $M_{i}$ (i=1,2,..j) be product of maximum number of sensors sending information per physical parameter in a single cluster and height of cluster tree topology
Output:
5. Public key $P B_{i} = (n, E, Q_{i}, Q_{j + 1,} M_{i})$ for i = 1 to j
6. Private key $P R_{k} = \prod_{i = 1, i \neq k}^{j + 1} p_{i}$ k = 1,2,..j

5.2 Formation of secured vector

The operation in each sensor node to form the secured vector is designed in such a way that it enables the BS to attain different statistics of each parameter using one query. Each sensor node x_ia creates a vector of encrypted values using the sensed raw data $r_{ia}$ of parameter (a) for which it is deputed. Here the symbol i refers to the node ID. The size of the vector is $2 g + 2$ for some integer ‘ $g$ ’. It is same for all sensors. The vector index ranges from $- g$ to $+ g$ . The position of each encrypted value in the vector (v_i) refers to the distance between the current sensed values and the parameter specific benchmark (β_a) except the last index ( $g + 1$ ). Each sensor stores the encrypted value of 1 in the vector index ‘t’ which represents $r_{ia} - β_{a}$ . Also, stores encrypted value of zero in all the other index positions.

Algorithm 2: Formation of Sered Vtor
1. Let the sensed raw data be $r_{ia}$ where a= 1, 2, … j, i = 1, 2, … s and j is number of parameters
2. $t = r_{ia} - β_{a}$
3. $v_{ik} = {\begin{matrix} Enc (1, P B_{a}) if t \leq g and t \geq - g and k = t \\ Enc (0, P B_{a}) if t \leq g and t \geq - g and k \neq t \\ Enc (1, P B_{a}) if t > g and t < - g and k = g + 1 \end{matrix}$ where k = - $g to g + 1$ .
4. $v_{ihash} = {\begin{matrix} H (r_{ia}) + H (I D_{i}) if t \leq g and t \geq - g and k \neq g + 1 \\ H (β_{a} + k) + H (I D_{i}) if t > g and t < - g and k = g + 1 \end{matrix}$
Enc(M, PB_a)
1. Input: M(plain text), PB_a
2. Select R ∈ { 0, 1, 2, …, n - 1 } in random
3. Cipher text $C = M * Q_{a}, + R * Q_{j + 1,}$

When the sensed raw data falls outside the expected range $((β_{a} - g)$ to $(β + g))$ the encrypted value of 1 is stored in the index of $g + 1$ . Hence, from the final aggregate, number of sensed data that falls outside the range can be extracted parameter wise and benchmark/threshold for each parameter can be adjusted. The values are enciphered using parameter specific key. All the sensor nodes record their participation in data gathering by storing hash of sensed value in v_ihash. For the values falling outside the range, hash of benchmark plus $g + 1$ is stored. The v_ihash also includes the hash of node ID. The encrypted values in all the index are computed using one point addition and two scalar point multiplications over the two points $Q_{i}$ (parameter specific) & $Q_{j + 1}$ (common point). Steps to create the secured vector are available in algorithm 2. This secured vector carries encryption of one in index position t whereas all the other positions hold the encryption of zero. To eliminate this redundancy the algorithm 2 generates only two vector elements one with Enc (1, PB_a) and another element with Enc (0, PB_a) chosen in random from the remaining index positions which is not equal to t. All the sensor nodes forward these two vector elements v_{ik
₁}, v_{ik
₂} along with v_ihash, Pos_i1, Pos_i2 to the cluster head for aggregation. Here k₁ = t and k₂ = index of Enc ( 0, PB_a) chosen in random. Pos₁, Pos₂ hold the encrypted form of k₁, k₂ generated ung the symmetric key shared with CH. Any lightweight symmetric encryption scheme can be adapted for the secure communication of k₁, k₂ between sensor node and CH. Confidentiality of vector element communication is ensured bthe subgroup decision problem of [1]. Also, since same vector is used for carrying data of j parameters with different benchmark β_a and one node can contribute for more than one parameter, it is difficult for the intruder to retrieve parameter specific information.

5.3 Aggregation

The CH of each cluster aggregates the secured vector elements received from all its cluster members and forward this vector aggregate to next CH enroute to the BS. The data in the vector ipositioned using the difference between the sensed value and benchmark. Hence vector elements coming from different nodes of various parameters can be aggregated based on their index position. By leveraging the additive homomorphism of encryption scheme [1, 2], the aggregator can sum up the encrypted values at each index and createaaggregated vector. The aggregated value in each index represents the number of sensors whose measured value has same positional difference in the scale with respect to benchmark independent of parameters.

Consider cluster ‘c’ of size ‘m’. The aggregator vector aggv_c of cluster ‘c’ is created using the following steps

$aggPos = ⋃_{i = 1}^{m} {D (Po s_{i 1}), D (Po s_{i 2})}$ where D refers decryption at CH and ‘i’ refers to cluster member ID

For each vector index k ∈ { aggPos } do aggv_ck = ∑v_ik where i ∈ { 1, 2, . . m } andk = D (Pos_i1) or D (Pos_i2)

$aggHash = \sum_{i = 1}^{m} v_{ihash}$

The size of aggv_c of cluster ‘c’ depends upon the number of positions in aggPos. This aggv_c is forwarded to BS along with encrypted value of all the position in aggPos and aggHash. As already mentioned, the positions are communicated between nodes and CH and between CH and BS using any suitable light weight symmetric encryption scheme.

5.4 Operations at base station

The value of different applications are mixed by using points for eacapplication with different order [1] to extract the scalar of one parameter point from the aggregated cipher text. The aggregated vue in each index represents the number of sensors whose measured value has same positional difference in the scale with respect to benchmark independent of parameters. The ciphered aggregated value in aggregated vector at index ‘ is given as follows $\begin{matrix} \begin{matrix} agg v_{i} \\ (i = - g to g + 1) \end{matrix} = [\sum_{k = 1}^{j} ((\sum M_{k}) * Q_{k})] \\ + [(\sum R_{i}) * Q_{j + 1}] where \end{matrix}$ $\begin{matrix} (\sum M_{k}) is the number of nodes sensed a data \\ whose positional difference from β_{k} is i . \end{matrix}$

From aggv_i, (∑M_k) can be extracted by finding discrete logarithm of $(\prod_{i = 1, i \neq k}^{j + 1} p_{i}) * agg v_{i}$ to the base of $(\prod_{i = 1, i \neq k}^{j + 1} p_{i}) * Q_{k}$ . By extracting the number of sensors contributed for a point of particular parameter at each index of the vector, The BS creates a $j * (2 g + 1)$ matrix representation for each received aggregated vector. By summing up these matrixes, BS can find the total occurrences of all values within a range for each parameter. Algorithm3 gives the steps for creating sum matrix (MatC^sum).

The structure of the Sum Matrix created using the algorithm 3 is given below. Column index is from $- g$ to $g + 1$ and the row index is from 1 to j where j is number of parameters. The matrix element t₂₁ refers to the number of occurrences of the value $β_{2} - g$ of parameter2. $\begin{matrix} \begin{matrix} - g & - g + 1 \dots & g + 1 \end{matrix} \\ [\begin{matrix} t_{11} t_{12} \dots t_{1 c} \\ t_{21} t_{22} \dots t_{2 c} \\ ⋮ \\ t_{j 1} t_{j 2} \dots t_{jc} \end{matrix}] \\ Structure of Sum Matrix (Mat C^{sum}) \end{matrix}$

Algorithm 3: Formation of Sum Matrix and Integrity Vector
1. Let the clusters which send aggregated vectors to BS be {C₁, C₂, … C_m }. The aggregated vectors sent by them are {aggvC₁, aggvC₂, … aggvC_m }.
2. Let the number of parameters be ‘j’. The benchmark for the parameters are {β₁, β₂, … β_j }.
3. Value range of each parameter is ${(β_{l} - g) to (β_{l} + g)}$ for all 1 in {1,2,..j}
4. $aggPosBS = ⋃_{i = 1}^{m} {Dec (aggPo s_{i})}$ where Dec returns decrypted position of all the encrypted index received from CH of cluster i
5. For each aggregated vector aggvC_a received, the BS creates a matrix ( ${MatC}_{ki}^{a}$ ) by repeating steps 6. Index ‘k’ refers to parameter, ‘i’ refers to vector index and a ∈ {1,2,..m}
6. For each i ∈ aggPosBS do
For each k=1 to j do
${MatC}_{ki}^{a} = {log}_{b} (P R_{k} * aggv C_{ai})$ where $P R_{k} = \prod_{i = 1, i \neq k}^{j + 1} p_{i}$ and $b = (\prod_{i = 1, i \neq k}^{j + 1} p_{i}) * Q_{k}$
7. $aggHashBS = \sum_{i = 1}^{m} aggHas h_{i}$
8. MatC^sum = MatC¹ + MatC² + … MatC^m

5.5 Integrity verification of aggregated data

The adversary enroute may manipulate the data and falsify the vector btting either between sensor and CH or CH tand CH or CH and BS. Hence, we intend to verify the integrity of the final extracted information from the vector aggregate and prevent BS from accepting any falsified data, as part of the security.

Whenever any sensor is participating in data gathering, the sensor generates a value by applying one way hash function over β_a + k. These hashes are aggregated at CH as well as at BS. The BS computes new hash using Algorithm 4 with the help of MatC^sum and benchmark of each parameter. Integrity of the extracted information is verified by comparing the new computed hash aggregate with sum of received hash aggregate. If both are same, verification test is succeeded. Step 5 in algorithm 4 updates the new hash aggregation by applying hash function $H$ over the ID of all participating node s. Hence it also ensures the authentication of every source node.

5.6 Authentication of nodes

In our IAMFMA-SDA the authentication is ensured in two levels. In the first level the authentication is ensured using symmetric key based transmission in all single hop communication between nodes inside the cluster and between CH. Because, in symmetric key based communication nodes without valid symmetric key cannot participate in the message transmission. In the second level, the BS verifies the identification of all participating nodes in collective manner using algorithm 4 with the help of value and ID based hash value. This ID based hash value allows only the nodes holding the valid ID to do the communication.

Algorithm 4: Integrity and authenticity verification
1. $newaggHashBS = \sum_{y = 1}^{s} H (I D_{y})$ where ‘s’ is number of active nodes
2. For each $k in - g to g + 1$ repeat step 3
3. For each i in 1 to j repeat step 4 &5
4. $c = {MatC}_{ik}^{sum}$
5. $newaggHashBS = newaggHashBS + \sum_{d = 1}^{c} H (β_{i} + k)$
6. if newaggHashBS = = aggHashBS, verification succeeds else it fails

5.7 A descriptive example

This section provides an example to demonstrate the capability of our scheme to aggregate data of multiple parameters from different sensors in such a way that from the aggregated vector the BS can get the detailed view of all the occurrences of different parameter values within a specified value range. Also allows the BS to verify the integrity of the received details. We have taken the instance of WSN as shown in Fig. 4. The WSN has 12 sensor nodes grouped into three clusters. The cluster may include sensors of three different parameters. Sensors A,D,G,F belongs to parameter 1, B,H,J,L belongs to parameter 2 whereas C,E,I,K belongs to parameter 3.

Fig. 4

Demonstrative example.

Sensors E, F, K act as aggregator for each cluster respectively. F forwards its aggregated vector to E.E, K to BS. The public key of parameter 1 is PB₁ = (n, E, Q₁, Q₄, 4) and for parameter 2 is PB₂ = (n, E, Q₂, Q₄, 4) and for parameter 3 is PB₃ = (n, E, Q₃, Q₄, 4). To make the example simple, we assume small values to the order of Q₁, Q₂, Q₃, Q₄. That is order (Q₁) = p₁ = 11, order (Q₂) = p₂ = 13, order (Q₃) = p₃ = 17, order (Q₄) = p₄ = 19 and n = p₁p₂p₃p₄ = 46189. We set the benchmark of each parameter as β₁ = 75, β₂ = 63, β₃ = 30. The range factor is set as g = 2 which is common for all parameters. The vectors coming out of each sensor is given in the Table 1. After receiving the vector aggregate from cluster head E and K, the BS creates MatC¹ and MatC² respectively. To show the extraction of parameter wise data, we have taken the value 0Q₁ + 1Q₂ + 2Q₃ + 29763Q₄ in AggC³ at index 0 as sample. To extract number of occurrence of parameter 3, compute p₁p₂p₄ * (0Q₁ + 1Q₂ + 2Q₃ + 29763Q₄) = 2717 Q₂ + 5434Q₃ + 80866071Q₄ + 5434Q₃ + 11Q₃.

Table 1

Vectors and Matrix computation

Vector index	Vectors of Sensors at Cluster 1					AggC ¹
	A₁ = 76	B₂ = 62	C₃ = 28	D₁ = 75	E₃ = 29
-2			1Q₃ + 26Q₄			0Q₁ + 0Q₂ + 1Q₃ + 26Q₄
-1		1Q₂ + 27Q₄	0Q₃ + 206Q₄		1Q₃ + 206Q₄	0Q₁ + 1Q₂ + 1Q₃ + 439Q₄
0	0Q₁ + 26Q₄	0Q₂ + 261Q₄		1Q₁ + 22Q₄	0Q₃ + 76Q₄	1Q₁ + 0Q₂ + 0Q₃ + 385Q₄
1	1Q₁ + 33Q₄			0Q₁ + 36Q₄		1Q₁ + 0Q₂ + 0Q₃ + 69Q₄

Vector index	Vectors of Sensors at Cluster 2			AggC ²
	F₁ = 74	H₂ = 63	G₁ = 75
-2		0Q₂ + 296Q₄		0Q₁ + 0Q₂ + 0Q₃ + 296Q₄
-1	1Q₁ + 34Q₄			1Q₁ + 0Q₂ + 0Q₃ + 34Q₄
0		1Q₂ + 4261Q₄	1Q₁ + 1022Q₄	1Q₁ + 1Q₂ + 0Q₃ + 5283Q₄
1	0Q₁ + 533Q₄			0Q₁ + 0Q₂ + 0Q₃ + 533Q₄
2			0Q₁ + 8796Q₄	0Q₁ + 0Q₂ + 0Q₃ + 8796Q₄

Vector index	Vectors of Sensors at Cluster 3				AggC ³
	J₂ = 62	L₂ = 63	I₃ = 30	K₃ = 30
-2				0Q₃ + 2676Q₄	0Q₁ + 0Q₂ + 0Q₃ + 2676Q₄
-1	1Q₂ + 924Q₄		0Q₃ + 20006Q₄		0Q₁ + 1Q₂ + 0Q₃ + 20930Q₄
0		1Q₂ + 21461Q₄	1Q₃ + 1176Q₄	1Q₃ + 7126Q₄	0Q₁ + 1Q₂ + 2Q₃ + 29763Q₄
1	0Q₂ + 2333Q₄	0Q₂ + 28446Q₄			0Q₁ + 0Q₂ + 0Q₃ + 30779Q₄

Vector index	AggC¹ + AggC²	Matrix &integrity vector
		MatC ¹	MatC ²	MatC ^sum
-2	0Q₁ + 0Q₂ + 1Q₃ + 322Q₄	$[\begin{matrix} 0 & 1 & 2 & 1 & 0 & 0 \\ 0 & 1 & 1 & 0 & 0 & 0 \\ 1 & 1 & 0 & 0 & 0 & 0 \end{matrix}]$	$[\begin{matrix} 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 1 & 1 & 0 & 0 & 0 \\ 0 & 0 & 2 & 0 & 0 & 0 \end{matrix}]$	$[\begin{matrix} 0 & 1 & 2 & 1 & 0 & 0 \\ 0 & 2 & 2 & 0 & 0 & 0 \\ 1 & 1 & 2 & 0 & 0 & 0 \end{matrix}]$
-1	1Q₁ + 1Q₂ + 1Q₃ + 473Q₄
0	2Q₁ + 1Q₂ + 0Q₃ + 5668Q₄
1	1Q₁ + 0Q₂ + 0Q₃ + 602Q₄
2	0Q₁ + 0Q₂ + 0Q₃ + 8796Q₄

Because 19Q₄ =∞, 13Q₂ =∞. The count of parameter 3 can be obtained by computing discrete log of 11Q₃ to the base p₁p₂p₄ * Q₃. In same way count of other parameters are extracted and matrix is constructed. Finally, MatC^sum is constructed which gives the details of all occurrences of values parameter wise. Using the benchmark β₁ = 75 and $g = 2$ for parameter 1, from the MatC^sum the BS could find the details of all occurrences ie number of occurrence (73)=0, occurrence(74)=1, occurrence(75)=2, occurrence(76)=1, occurrence(77)=0, occurrence(>77 &<73)=0.

6 Security analysis

In this section, we present the security analysis of our scheme and show its resistance against various attacks.

6.1 End to end confidentiality

The proposed scheme ensures the end to end confidentiality of the data by preventing the intruder from obtaining the actual measured value. The term end to end confidentiality actually implies that privacy is guaranteed along the path connecting the source node and BS which includes the hops between node and CH & between CH and BS

6.1.1 Confidentiality between node and CH

The data being transmitted by the node is not the actual measured value. It is actually the Boolean representation of occurrence of value that is either zero or one. Confidentiality of this Boolean value is ensured by enciphering it using elliptic curve cryptography based cipher system. The hardness of this cryptography scheme is based on the factorization of group order n. Let n=P₁P₂ where P₁, P₂ are large primes. The hardness says that given (n, E, $𝔾, 𝔾 ’, M$ ) and element e ∈ $𝔾$ , deciding the order of ‘e’ ie element ‘e’ is in subgroup of $𝔾$ is infeasible. This is called subgroup decision problem. This hardness provides shield from outside intruders who is not aware of the possible values being encrypted. Theorem 1 shows the ability to defend privacy from inside attacker using indistinguishability-based definition.

Theorem 1: Semantic Security: Given public key $P B_{i} = (n, E, Q_{i}, Q_{j + 1,} M_{i})$ of any parameter i, and ciphertext v_{ik
₁}, v_{ik
₂}, Pr [Adversaryoutputs v_{ik
₁} = Enc (m₀) , v_{ik
₂} = Enc (m₁) ] - Pr [Adversary outputs v_{ik
₁} = Enc (m₁) , v_{ik
₂} = $Enc (m_{0})] \leq \frac{1}{2} + Negligible (n)$ .

To prove that our encryption scheme is semantically secure, here we consider the scenario that the node is sending cipher text of either m₀ or m₁ and the computationally bounded aeary who is aware of this not able to identify that cipher text is whether the encryption of m₀ or the encryption m₁ wh the probability better than half. That is the cipher text m₀ is indistinguishable from the cipher text of m₁. The data atted fm the node to CH includes two cipher texts v_{ik
₁}, v_{ik
₂} and v_ihash, Pos_i1, Pos_i2. Both v_{ik
₁}, v_{ik
₂} may contain either the encryption of m₀ or m₁. Here m₀, m₁ refers to zero and one. Probability that the inside attacker correctly identifies what has been encrypted in v_{ik
₁}, v_{ik
₂} is upper bounded by half plus negligible. This probability is over the randomness of index of vector element which is chosen to hide the position of vector element holding the encryption of 1. Hence $\begin{matrix} P r [Adversary outputs v_{i k_{1}} = Enc (m_{0}), \\ v_{i k_{2}} = Enc (m_{1})] \end{matrix}$ $\begin{matrix} - P r [Adversary outputs v_{i k_{1}} = Enc (m_{1}), \\ v_{i k_{2}} = Enc (m_{0})] \leq \frac{1}{2} + Negligible (n) \end{matrix}$

Here, the ‘n’ refers to the security parameter. The running time of computationally bounded adversary is upper bounded by polynomial function of this security parameter ‘n’. This makes our encryption process semantically secure in the Cipher text Only Attack model and Chosen Plain text Attack model.

6.1.2 Confidentiality between CH and BS

All the security mechanism discussed in Section 6.1.1 is also applicable for the communication taking place between cluster head and base station. The way the data related to multiple parameters are mixed smoothly and communicated to BS from CH strengthen the resistance of our scheme against attack. Resistance is provided in 3 levels. At level 1, the data is communicated in encrypted form whose security is based on subgroup decisional problem. At level 2, the data communicated is not the actual measured value. Instead, it is the count of instance of values whose positional difference from the benchmark is given by the index. This count is the mixture of different parameter instances. Also, the benchmark is different for each parameter. This makes it very difficult for the attacker to retrieve parameter specific measured value without knowing the benchmark, index and parameter specific count and factorization of group order.

6.2 Chosen Cipher Text Attack (CCA)

Homomorphic nature which allows computation over the encrypted text makes the schemes to suffer from chosen cipher text attack [2]. But it requires the adversary to have the capability to decrypt some cipher text and this makes it hard to launch this attack in WSN. The nature of our proposed scheme provides additional shield against these highly capable adversaries. Because the information obtained by the adversary through CCA is only the number of occurrences not the exact value measured by the sensor. Benchmark and positional value are also needed to obtain the exact measured value. But this benchmark is known only to sender and base station. Positional value is communicated in cipher form using symmetric key. Hence without compromising sender and receiver, it is difficult for the intruder to perform CCA.

6.3 Malicious attack

Malicious adversaries are more a concern in the public key crypto system compared to symmetric environment. In symmetric key cryptosystem, the receiver is intended to communicate only with a single sender using a specific secret key. Hence for a malicious attacker without the symmetric key shared between sender and receiver, it is very unlikely to come up with a valid cipher text and communicate with receiver on behalf of sender. In our proposed scheme, the index of the vector elements is communicated between sender and receiver in cipher form encrypted using symmetric key. This reduces the possibility of malicious intruder contaminating the aggregated value at cluster head by passing wrong data. The integrity verification at BS also prevents it from accepting data falsified by this attack.

6.4 Cluster head compromised attack

The adversary, who got the privilege to compromise cluster head, can only obtain the vector elements and their position in cipher form. Though the adversary can get the actual position value using the symmetric key shared between CH and cluster member, it is difficult to obtain the vector elements plain text whose defense is based on subgroup decision problem. Also, the plaintext enclosed in the ciphered vector is semantically secured by upper bounding the probability of deciding correct plain text to half plus negligible. $\begin{matrix} \Pr [Adversary outputs v_{i k_{1}} = Enc (m_{0}), \\ v_{i k_{2}} = Enc (m_{1})] < \frac{1}{2} + negligible (n) \end{matrix}$

Also, for the intruder who is privileged to break the semantic security, cannot obtain the actual measured value without knowing the benchmark which is different for each parameter and available only with sensor and BS. And false aggregation introduced at CH can be detected by the BS by verifying the integrity as mentioned in Section 5.5. Thus the design of our proposed scheme provides protection against cluster head comised attack.

6.5 Replay attack

The aggregated value can be contaminated by resending the already transmitted value by the intruder. Our proposed scheme cannot prevent this malicious effect. But enables the BS to identify this effect and filter out this attack. This is because the sum of all the elements of MatC^sum gives the total number of nodes participated in the current data acquiring round. If $\sum_{k = - g}^{g + 1} \sum_{i = 1}^{j} {MatC}_{ik}^{sum} \neq number of active nodes$ , the BS will detect the replay attack. The BS can identify the active nodes by periodically collecting acknowledgement of multicast message [8].

6.6 Malleability attack

Homomorphic encryptions are more vulnerable for malleability attack as the attacker can do any unwanted modification in the cipher text with no knowledge of keys and plain text. IAMFMA-SDA sends v_hash generated using one way hash function over the sensed value and ID along with the vector elements and get aggregated enroute. Integrity of the final received values is verified by BS using Algorithm 4 and failure of integrity verification enables BS to detect malleability attack.

7 Performance analysis and comparison

The performance of our proposed scheme is analyzed by measuring the communication cost and computation cost. By the term communication cost we refer both the number of hops required for the gathered information to reach the BS and message size. The computation cost is analyzed by measuring the various kind of computations required to perform encryption at sensor node level, aggregation at cluster head and decryption at Base station. The major goal of the proposed scheme is to aggregate the data of multiple parameters and enable the BS to extract parameter wise data from the aggregate, to do integrity verification and also to provide BS the ability to apply dynamic query over the received data. Hence we consider the asymmetric PH based data aggregation schemes ASAHS [5], SASPKE [6], CDAMA [2], IPHCDA [4], RCDA [3], MRCDA [7], FESA [30], SPPDABEC [31] and MFMDSDA [36] as more suitable candidate for comparison and perform the analysis by keeping integrity, authentication, scalability, multiple parameters and dynamic query as major quality factors along with computation and communication overhead.

7.1 Simulated scenario

The simulated scenario is created in NS2 with a WSN of varying network size ‘N’. The ‘N’ is varied as 100,150,200,260, and 300. A bounded area of 2000×2000 sqm is utilised for positioning the nodes. Initial energy level of these nodes is set to 100J with transmission range of 50 m. The receiving and transmission power of the nodes are set to 0.01J and 0.02 J. The simulation is done to aggregate two different parameters. For simulated analysis, the size of vector is set as 8 for both the proposed scheme and ASAHS. For IPHCDA, the region size ‘a’ is kept to the minimum of two.

7.2 Communication cost

To analyze the communication overhead, we consider the number of hops occurred during the execution of schemes and the message size as two key factors.

Hop refers to the movement of a single packet from one node to another node. Since the major concern of data aggregation is energy saving through hop reduction, the number of hops required for the data to reach BS from the sensor nodes is analyzed. Inside each cluster, the data packets from cluster members reach the CH in single hop. So the total hops in each clusters with size ‘s’ is O (s). The hops required for the packet to reach BS from CH is one as packets from the CH get aggregated in every hop with that of other CH in the path towards the BS. Hence the total hops required for packets to reach from CH to BS are O (c) for the WSNs with c clusters. The final Communication cost based on hop count is O (c . s ) + O (c).

Now we analyze the communication cost based on the size of cipher text. In our scheme, cipher text is the result of 2 scalar multiplications and one scalar addition over elliptic curve points. Since multiplication of an integer with a point and addition of 2 points over the elliptic curve results another point on the same curve, cipher text in our scheme is defined as pair of elliptic curve affine points. A point on an elliptic curve is represented using pair of coordinates x and y. Also, the size of x and y equals to the modulus [16] that is the order of elliptic curve. Using point compression mechanism, the point can be represented using only by x coordinate plus one or more bits of y coordinate. Hence for an elliptic curve defined over the finite field $F_{n}$ , the size of the cipher tt is |n| + 1 in bits [2]. Our scheme IAMFMA-SDA is the extended version of CDAMA which is based on [1] and uses an elliptic curve of order ‘n’ which is equal to $\prod_{i = 1}^{j + 1} p_{i}$ that is the product of j + 1 prime numbers of equal bit length. The number of physical parameters aggregated is ‘j’. Hence the size of one cipher text size in IAMFMA-SDA is σ = (j + 1) * |n| + 1 and it is in proportional to the number of physical parameters. Inside each cluster the data packet carries exactly two enciphered vector element along with their index value. Hence the communication cost for all clusteris O (c . s . [2 . σ + |v_ihash| + 2 |Pos|]) and between CH and BS the communication cost if O (c . [ρ . σ + |v_hash| + ρ |Pos|]) where ρ refers the amount of increase in the number of vector elements bounded by the $2 g + 2$ . This ρ minimized by reducing the number of levels in hierarchical topology. The security level of cipher text depends on |n|. Hence reduction in cipher text size will results in the compromise of security. This tradeoff between cipher text size and security level which is the issue faced by [2, 4] is addressed in our scheme by adding relaxation in |n| and by keeping the benchmark for each property secret between sensor and BS. Hence it is very difficult to get the sensed value of each sensor without benchmark.

Secured data aggregation and region wise integrity protection is implemented in [4] using APH of [1]. Hence, the size of single cipher text is same as that of our scheme. The same methodology is also adopted in [2] but it supports aggregation of multiple application and smooth extraction of application wise data by BS. Since the focus is only on aggregation, the cipher text size remains same in all the communication between all nodes in [2] and [4]. In RCDA [3], the size of data packet from each node is size of one cipher text plus the size of signature. Aggregation by concatenating the message limits the message space by the cluster size. This is addressed in our scheme by using parameter wise benchmark and encapsulating only the occurrence in the cipher text. In ASAHS [5] the data packet moving between nodes deployed in tree topology carries q vector element enciphered using Okamoto-Uchiyama (OU) encryption scheme [13] whose cipher text size is equal to modulus used in encryption [16]. Hence, the size of data packets is proportional to the vector size and remains same between all nodes. It requires one hop for each sensor as the aggregation is taking place at every hop enroute to BS. Added to this cost, before the commencement of data collection, the BS has to transmit vector data packet to each sensor node which has same size as that from nodes. This additional communication overhead between nodes and CH is eliminated and size of vector is reduced to 2 in our proposed scheme. In MFMDSDA [36], the size is based on the Pailliers cryptosystem [14] which suffers from message expansion problem as it increases the communication overhead. Formulas used to calculate the communication cost based on number of hops and bit length is given Table 2.

Table 2
Communication cost

Schemes Topology APH Encryption scheme Size of one Cipher text size (σ) Size of data packets Total communication cost based on hops and packet size

ASAHS Tree OU |n| q . |n| (bw all nodes) m . q . |n| + m . h . q . |n|

RCDA Cluster EC-EG 2|n| + 2 2|n| + 2 + Signature_size (c . s + c) [2|n| + 2 + Signature_size]

IPHCDA Cluster Boneh σ = (j + 1) * |n| + 1 (j + 1) * |n| + 1 (bw node and CH) c . s . [(j+ 1) * |n| + 1] +c[(j + 1) * |n| + 1 + MAC_size]

[(j + 1) * |n| + 1] + MAC_size (bw CH and BS)

CDAMA Cluster Boneh σ = (j + 1) * |n| + 1 σ = (j + 1) * |n| + 1 c . [s + 1] . [(j + 1) * |n| + 1]

MFMDSDA Cluster Paillier |n| |n| + Signature_size (c . s + c) (|n| + Signature_size)

IAMFMA-SDA Cluster Boneh σ = (j + 1) * |n| + 1 [2 . σ + |v_ihash| + 2 |Pos|] (bw node and CH) c . s . [2 . σ + |v_ihash| + 2 |Pos|] + c . [ρ . σ + |v_hash| + ρ |Pos|]

[ρ . σ + |v_hash| + ρ |Pos|]

(bw CH and BS)

m : number of node in WSN h : hops needed to reach node from BS

n : modulus used in encryption q : vector size

Schemes	Topology	APH Encryption scheme	Size of one Cipher text size (σ)	Size of data packets	Total communication cost based on hops and packet size
ASAHS	Tree	OU	\|n\|	q . \|n\| (bw all nodes)	m . q . \|n\| + m . h . q . \|n\|
RCDA	Cluster	EC-EG	2\|n\| + 2	2\|n\| + 2 + Signature_size	(c . s + c) [2\|n\| + 2 + Signature_size]
IPHCDA	Cluster	Boneh	σ = (j + 1) * \|n\| + 1	(j + 1) * \|n\| + 1 (bw node and CH)	c . s . [(j+ 1) * \|n\| + 1] +c[(j + 1) * \|n\| + 1 + MAC_size]
				[(j + 1) * \|n\| + 1] + MAC_size (bw CH and BS)
CDAMA	Cluster	Boneh	σ = (j + 1) * \|n\| + 1	σ = (j + 1) * \|n\| + 1	c . [s + 1] . [(j + 1) * \|n\| + 1]
MFMDSDA	Cluster	Paillier	\|n\|	\|n\| + Signature_size	(c . s + c) (\|n\| + Signature_size)
IAMFMA-SDA	Cluster	Boneh	σ = (j + 1) * \|n\| + 1	[2 . σ + \|v_ihash\| + 2 \|Pos\|] (bw node and CH)	c . s . [2 . σ + \|v_ihash\| + 2 \|Pos\|] + c . [ρ . σ + \|v_hash\| + ρ \|Pos\|]
				[ρ . σ + \|v_hash\| + ρ \|Pos\|]
				(bw CH and BS)
m : number of node in WSN	h : hops needed to reach node from BS
n : modulus used in encryption	q : vector size

The number of bits generated per source node including the 802.11 header (11 bytes) along with the total number of bits transmitted and received during one round of data collection is tabulated in the Table 3 and the comparative analysis is given in Figs. 5 and 6.

Table 3

Communication cost

Schemes	Payload size	Bits generated per Node (payload+header)	Transmitted Bits (TB)	Received Bits (RB)
MRCDA	2\|n\| + 2 + MAC_size	544	544s	544(s-C)
RCDA	2\|n\| + 2 + Signature_size	542	542s	542(s-C)
ASAHS	q . \|n\| .	1392	1392s	1392(s-C)
IPHCDA	(j + 1) * \|n\| + 1	578	5)+706C	578(s-C)
MFMDSDA	j * \|n\| + Signature_size	1370	10s	(s-C)
IAMFMA-SDA	2 . σ + \|v_ihash\| + 2 \|Pos\|	1346	$1346 (s - C) + \sum_{i = i}^{C} (565 ρ_{i} + 216)$	1346(s-C)

s: WSN Size C: Number of clusters

Fig. 5

Number of bits transmitted.

Fig. 6

Number of bits received.

The total energy for transmitting and receiving the bits is computed. Comparative analysis based on the simulation results are graphically illustrated in Fig. 7. The communication overhead is 5.62% less than that of ASAHS and 60.8%, and 58.2% more than that of RCDA and CDAMA respectively. The extra communication overhead is acceptable in terms of support of the multiple queries in one data acquiring round compared to CDAMA. To find min, max, avg occurrence of the sensed values, minimum 3 rounds of data collection is carried out and the total energy consumption is measured as 495.19mJ for network of size 150 nodes. But in the proposed scheme the energy consumption for one round of data gathering is 317.45mJ which is 35.89% less. In RCDA and MRCDA, three rounds of data gatherings are required to obtain the details of three different physical parameters with an energy consumption of 530.37 mJ which is 17.5% more than that of the proposed scheme. Also, RCDA and MRCDA schemes are suitable only for the network with a maximum of 2 hop distance from the BS. This issue is addressed in our proposed scheme by supporting the network to grow vertically. This is aided by the smooth aggregation of multiple parameters at every hop. In MFMDSDA, due to message expansion problem the communication cost is 5.03% more than that of the proposed scheme.

Fig. 7

Energy consumption.

7.3 Computation cost

To perform computation analysis, the various operations done by sensor nodes during message generation and aggregation as well as the operations done by BS during data extraction and data validation process are considered.

The computation overhead of message generation process mainly depends on the encryption scheme. In our scheme, the cipher text is generated using $C = M * Q_{1} + R * Q_{2}$ which involves one scalar addition and two scalar multiplications over elliptic curve points. Addition of 2 points X, Y over the curve $E_{p}$ is computation on negation of another point Z at which the curve $E_{p}$ and the straight line connecting X, Y intersects. This requires 6 scalar subtractions, 2 scalar multiplications and 1 scalar division over integer [25]. The simplest way of multiplying a point $Q$ by a scalar M is repeated addition using doubling-and-add method [26] whicheires |p| iterations of point doubling and $\frac{| p |}{2}$ additions. Each point doubling requires 5 scalar muiplications, 1 scar an, 1 scalar division, 4 scalar subtractions. Totally the computation cost of one point multiplicatn iere point addition pa = [2 sm + 1 sd + 6 ss]. Hence the computation overhead for encryption is 2pm + pa. To generate a complete message in our proposed scheme, it requires the computation overhead of 2 cipher text, 1 hash and 2 symmetric encryptions. The computation cost of aggregating two cipher texts equal to the cost of one point addition ie pa and the overall cost at aggregator node is α . pa + m . ha + σ . se where ha stands for hash addition, α is the repetition of vector position received from m cluster members, σ is the number of positions aggregated and se refers symmetric encryption. The BS can extract the plain text of each parameter from the cipher text using one point multiplication and discrete logarithm which can be solved by Pollard’s kangaroo algorithm also known as Pollard’s lambda algorithm with the efficiency of $O M$ where $M$ refers message space [27].

Table 4 gives the formula to calculate the computation overhead of candidate schemes for message generation at each sensor node, aggregation at each CH, message extraction and validation at BS. Computation overhead includes all operations done by the sensor node and CH to generate the complete data packet which contains cipher text, data validation details etc. Among the candidate schemes we consider MFMDSDA [36], ASAHS [5] and RCDA [3] as more suitable since they allow BS to extract elaborated view of all possible values sensed by sensors and allow it to perform multiple statistical functions over the extracted information which is not supported by the other schemes [2, 4]. The Comparison results are given below. Figure 8 shows the comparison based on the computation done by sensor nodes. It shows that the operational overhead increases with the network size in all the 3 schemes.

Table 4
Computation cost

Schemes Encryption for one cipher text Message generation Aggregation Message extraction Validation

ASAHS 2gm + ga. 1hg + gm . [q + 1]. [q . child] . gm. [q . c] . gm + q . [gm + ss + sd] +s . hg + s . sa + q . sm + q . ss. 3omparisons+ q .[gm + ss + sd] + s . hg + s . sa + q . sm + q . ss + 2q . sa

CDAMA 2pm + pa 2pm + pa m . pa j . [pm + Dlog] –

IPHCDA 2pm + pa 2pm + pa m . pa + mg. j . [pm + Dlog]. j . mg + 1 comparison.

RCDA 2pm + pa + map. encoding + 2pm + pa. +map + hg + sm. 2 . m . pa + m sa. pm + pa + rmap s . [2ss + 2sm] + s . [hg + sm].+1 comparison

MFMDSDA 2pm + pa + 2 pow + mod. j (2pm + pa + 3pow + 2mod + 1hg + 2sm + ss + sa) m . hsa + m . hsm. 2 pow + 2 mod + 1sm + 1ss + 1sd. w + 1 hg + sm

IAMFMA-SDA 2pm + pa. 2 . [2pm + pa] + 1 hg + 2se. α . pa + m . ha + σ . se |aggPoS| . j .[pm + Dlog]+ |MatC^sum| . hg . ha + 1comparison

hg: hash generation mg: MAC generation pa: point addition

pm: point multiplication se: symmetric encryption ss: scalar subtraction

s: number of sensor nodes ga: scalar addition using generator sa: scalar addition

sd: scalar division sm: scalar multiplication gm: scalar multiplication using generator

q: vector size j: number of a physical parameters C: number of CH communicated with BS

map: mapping function to map plain value on to curve child: number of children of each aggregator

hsm: Homomorphic scalar multiplication hsa: Homomorphic scalar addition

rmap: reverse mapping function to get plain value from curve |aggPosBS|: number of positions received at B

Schemes	Encryption for one cipher text	Message generation	Aggregation	Message extraction	Validation
ASAHS	2gm + ga.	1hg + gm . [q + 1].	[q . child] . gm.	[q . c] . gm + q . [gm + ss + sd] +s . hg + s . sa + q . sm + q . ss.	3omparisons+ q .[gm + ss + sd] + s . hg + s . sa + q . sm + q . ss + 2q . sa
CDAMA	2pm + pa	2pm + pa	m . pa	j . [pm + Dlog]	–
IPHCDA	2pm + pa	2pm + pa	m . pa + mg.	j . [pm + Dlog].	j . mg + 1 comparison.
RCDA	2pm + pa + map.	encoding + 2pm + pa. +map + hg + sm.	2 . m . pa + m sa.	pm + pa + rmap	s . [2ss + 2sm] + s . [hg + sm].+1 comparison
MFMDSDA	2pm + pa + 2 pow + mod.	j (2pm + pa + 3pow + 2mod + 1hg + 2sm + ss + sa)	m . hsa + m . hsm.	2 pow + 2 mod + 1sm + 1ss + 1sd.	w + 1 hg + sm
IAMFMA-SDA	2pm + pa.	2 . [2pm + pa] + 1 hg + 2se.	α . pa + m . ha + σ . se	\|aggPoS\| . j .[pm + Dlog]+	\|MatC^sum\| . hg . ha + 1comparison
hg: hash generation	mg: MAC generation	pa: point addition
pm: point multiplication	se: symmetric encryption	ss: scalar subtraction
s: number of sensor nodes	ga: scalar addition using generator	sa: scalar addition
sd: scalar division	sm: scalar multiplication	gm: scalar multiplication using generator
q: vector size	j: number of a physical parameters	C: number of CH communicated with BS
map: mapping function to map plain value on to curve	child: number of children of each aggregator
hsm: Homomorphic scalar multiplication	hsa: Homomorphic scalar addition
rmap: reverse mapping function to get plain value from curve	\|aggPosBS\|: number of positions received at B

Fig. 8

Computation cost at sensor nodes by varying WSN size.

Comparison of proposed scheme with all candidate schemes based on the overall computation cost is given in Fig. 10. Compare to ASAHS [5] the computation cost of our scheme is less 22.95%. But it is more than that of RCDA [3]. While analyzing the computation by keeping the WSN size fixed and varying the value range ie vector size q, the operations done by sensors increase proportionally with vector size in ASAHS, but variation in q does not have any impact in our scheme (refer Fig. 9). This is because in our scheme the number of cipher text processed in each sensor node is fixed to two independents of the value range. While analyzing the computation happening at CH, RCDA and our scheme have shown better performance compare to ASAHS. In both RCDA and our scheme, the number of cipher text processed by CH is less than that in ASAHS. While comparing the performance with RCDA, In RCDA, the overall computation required to generate the data packet is 25.07 % less than that of our proposed scheme. This difference is the result of additional computations required for generating two vector elements to support the elaborated aggregated view of data. But RCDA is not suitable for aggregating data of multiple parameters with a different value range. Compare to MFMDSDA which support multiple function and multiple parameter aggregation the computation cost at sensor node is 14.22% less due to the novelty adopted in the formation of secured vector in our proposed scheme.

Fig. 10

Computation cost at CH by varying network size.

Fig. 9

Computation cost at sensor nodes by varying q.

7.4 Comparison

The comparison of existing Asymmetric PH based schemes with IAMFMA-SDA using the key Quality of Service(QoS) measures is given in Table 5. The entire candidate schemes compared in this section ensures end to end confidentiality using asymmetric PH based encryption by applying aggregation function over cipher text. The truthfulness of received data are verified based on the values in [3, 6, 7, 30, 31, 36]. But the schemes [5] and [4] verify the integrity of the data on the basis of number of active nodes participated in data gathering. IAMFMA-SDA supports both value based and active nodes based integrity verification. This provides protection against malleability and replay attack. No integrity verification is provided in [3]. But it offers the support of multiple parameter integration. The same is implemented for region wise data aggregation in [4]. But both supports only one kind of query at BS and fails to provide detailed view of the data gathered by all sensor nodes and hence does not support multi functionality as in IAMFMA-SDA and [3, 5, 6].

Table 5
Comparison

Scheme EM AU IT SL MP MF Attacks

ASAHS [5] APH- OK-UC Yes Yes Yes No yes Eavesdropping attack, malleability, node compromised attack, replay attack,

SASPKE [6] Hybrid PH Yes Yes No No Yes Eavesdropping attack, malleability, node compromised attack, replay attack,

CDAMA [2] APH with EC No No No Yes No Eavesdropping attack, known plain text attack, Chosen plaintext attacks, forgery attack, node compromised attack

IPHCDA [4] Additive PH with EC Yes Yes No Yes No Eavesdropping attack, forgery attack, known plain text attack, malleability, node capturing attack, replay attack

RCDA [3] EC_EG based PH, fully homomorphic Yes Yes No No Yes Eavesdropping attack, forgery attack, known plain text attack

MRCDA [7] Hybrid PH Yes Yes No No No Eavesdropping attack, known plain text attack, malleability, node capturing attack, replay attack

FESA [30] APH with fully homomorphic No Yes No No No Eavesdropping attack, known plain text attack, Node compromising attack

SPPDABEC [31] Bilinear Elgamal cryptosystem Yes Yes No No No Eavesdropping attack, malleability, replay attack

MFMDSDA [36] Linear Homomorphic Encryption Yes Yes Yes Yes Yes Eavesdropping attack, malleability

IAMFMA-SDA (our scheme) APH with EC Yes Yes Yes Yes Yes Eavesdropping attack, known plain text attack, Chosen plaintext attacks, replay attack, Malleability, node compromised attack

Scheme	EM	AU	IT	SL	MP	MF	Attacks
ASAHS [5]	APH- OK-UC	Yes	Yes	Yes	No	yes	Eavesdropping attack, malleability, node compromised attack, replay attack,
SASPKE [6]	Hybrid PH	Yes	Yes	No	No	Yes	Eavesdropping attack, malleability, node compromised attack, replay attack,
CDAMA [2]	APH with EC	No	No	No	Yes	No	Eavesdropping attack, known plain text attack, Chosen plaintext attacks, forgery attack, node compromised attack
IPHCDA [4]	Additive PH with EC	Yes	Yes	No	Yes	No	Eavesdropping attack, forgery attack, known plain text attack, malleability, node capturing attack, replay attack
RCDA [3]	EC_EG based PH, fully homomorphic	Yes	Yes	No	No	Yes	Eavesdropping attack, forgery attack, known plain text attack
MRCDA [7]	Hybrid PH	Yes	Yes	No	No	No	Eavesdropping attack, known plain text attack, malleability, node capturing attack, replay attack
FESA [30]	APH with fully homomorphic	No	Yes	No	No	No	Eavesdropping attack, known plain text attack, Node compromising attack
SPPDABEC [31]	Bilinear Elgamal cryptosystem	Yes	Yes	No	No	No	Eavesdropping attack, malleability, replay attack
MFMDSDA [36]	Linear Homomorphic Encryption	Yes	Yes	Yes	Yes	Yes	Eavesdropping attack, malleability
IAMFMA-SDA (our scheme)	APH with EC	Yes	Yes	Yes	Yes	Yes	Eavesdropping attack, known plain text attack, Chosen plaintext attacks, replay attack, Malleability, node compromised attack

EM: Encryption method AU: Authentication IT: Integrity MP: Multi parameter support MF: Multi Functionality support SL: Scalability

The authentication of participating nodes is confirmed only at BS in [3, 5, 6]. The detection of unauthorized communication both at cluster level and at BS level is provided in IAMFMA-SDA and in [4, 7, 31]. Early detection at CH level prevents the propagation of attack. Also, the support for dynamic scaling of network size is given in IAMFMA-SDA and [5] by representing the sensed value as number of occurrences. While comparing defending mechanism against attack, malleability attack is detected through integrity verification by the schemes [3–7, 30, 31] and IAMFMA-SDA. Attack as a result of replaying the packets is detected by analyzing the number of participating nodes in [3, 5, 6] and IAMFMA-SDA. The same is prevented in [4, 31] by attaching the time stamp with all data packets. In [7] it is thwarted by maintaining a cipher text counter pair. Nature of homomorphism in all the discussed schemes makes them vulnerable to chosen cipher text attack [2] but it requires the attacker to have an ability to decrypt chosen cipher text. In our scheme IAMFMA-SDA the stability against this attack is strengthened. To conclude the comparison shows that IAMFMA-SDA is the scheme which provides support for all the key QoS measures like confidentiality, integrity, authentication, support of multi parameters, scalability and multi functionality with reduced computation cost.

8 Conclusion

In this paper, we present a scalable secure multi parameter aggregation scheme for wireless sensor network in cluster topology. The proposed scheme offers a special feature to aggregate data of multiple parameters and to enable secure recovery of elaborated information about sensing data parameter wise in round of data collection. The BS is allowed to compute multiple mathematical functions like sum, median, max, min over the received data of different parameters using a single query. Confidentiality between source end and destination end is provided using public key based homomorphic encryption. Integrity of the data received and authentication of source node is ensured at BS. Also, the proposed scheme is secure against eavesdropping attack, node compromising attack, chosen cipher text attack, replay attack, malleability. A comparison of communication overhead and computation cost with respect to existing schemes shows the practicality and efficiency of the proposed system while achieving all the considerable quality measures (support of multi parameter aggregation, multi functionality using single query, scalability, integrity and authentication) on resource constraint WSN. To the best of our knowledge, our proposed scheme is the first to meet all the above-mentioned quality measures with a feasible performance.

Footnotes

Declaration of interests

None.

References

Boneh Dan , Goh Eu-Jin and Nissim Kobbi , Evaluating 2-DNF Formulas on Ciphertexts, Proc. Second Int’l Conf. Theory of Cryptography (TCC) 3378 (2005), 325–341.

Lin Yue-Hsun , Chang Shih-Ying and Sun Hung-Min , CDAMA: Concealed Data Aggregation Scheme for Multiple Applications in Wireless Sensor Networks, IEEE Transactions on Knowledge and Data Engineering 25(7) (2013) 1483–1483, doi : 10.1109/TKDE.2012.94

Chen Chien-Ming , Lin Yue-Hsun and Sun Hung-Min , RCDA: Recoverable Concealed Data Aggregation for Data Integrity in Wireless Sensor Networks, IEEE Transaction on Parallel and Distributed Systems 23(4) (2012), doi : 10.1109/TPDS.2011.219.

Ozdemir Suat and Xiao Yang , Integrity protecting hierarchical concealed data aggregation for wireless sensor networks, Computer Networks 55 (2011) 1735–1746, doi: 10.1016/j.comnet.2011.01.006.

Viejo Alexandre , Wu Qianhong and Domingo-Ferrer Josep , Asymmetric homomorphisms for secure aggregation in heterogeneous scenarios, Information Fusion 13 (2012), 285–295, Elsevier, doi: 10.1016/j.inffus.2011.03.002

Rafik Omar , Boudia Merad , Senouci Sidi Mohammed and Fehama Mohammed , A novel secure aggregation scheme for wireless sensor networks using stateful public key cryptography, Ad Hoc Networks 32 (2015) 98–113, https://dx-doi-org.web.bisu.edu.cn/10.1016/j.adhoc.2015.01.002.

Parmar Keyur and Jinwala Devesh

, Malleability Resilient Concealed Data Aggregation in Wireless Sensor Networks, Wireless Pers Commun 87 (2016), 971. https://doi.org/10.1007/s11277-015-2633-6.

Nicolosi

and Mazieres

Secure acknowledgment of multicast messages in open peer-to-peer networks, in: Proceedings of the 3rd International Workshop on Peer-to-Peer Systems, 2004.

Vinodha

and MaryAnita

E.A.

Secure Data Aggregation Techniques for Wireless Sensor Networks: A Review. Archives of Computational Methods in Engineering (Springer) ISSN 1134-3060, 2018, https://doi.org/10.1007/s1181-018-9267-2

10.

Domingo-Ferrer Josep , A Provably Secure Additive and Multiplicative Privacy Homomorphism”, ISC 2002, LNCS 2433, pp. 471–483, 2002. Springer-Verlag

Berlin Heidelberg

11.

Castelluccia

, Mykletun

and Tsudik

, Efficient Aggregation of Encrypted Data in Wireless Sensor Networks, The Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous 2005) July 2005. Doi: 10.1109/MOBIQUITOUS.2005.25.

12.

Barker Elaine , Recommendation for Key Management, Part 1: General, NIST Special Publication 800-57 Part 1, Revision 4, July 2015. Doi: http://dx.org/10.6028/NIST.SP.800-57pt1r4.

13.

Okamoto

and Uchiyama

, A New Public Key Cryptosystem as Secure as Factoring. In Advances in Cryptology, Proceedings of Eurocrypt ’98,LNCS 1403, Springer Verlag, pp. 308–318, 1998.

14.

“Trapdooring Discrete Logarithms on Elliptic Curves over Rings “, Paillier

Pascal

, Okamoto

(Ed.): ASIACRYPT LNCS pp. 573–584, 2000.Springer-Verlag

Berlin Heidelberg

2000.

15.

Naccache

and Stern

A New Cryptosystem based on Higher Residues. In Proceedings of the 5th CCCS, ACM Press, pp. 59–66, 1998.

16.

Mykletun

, Girao

and Westhoff

, Public Key Based Cryptoschemes for Data Concealment in Wireless Sensor Networks, 2006 IEEE International Conference on Communications, Istanbul, (2006), pp. –2288–2295.

17.

ElGamal

, A public key cryptosystem and a signature scheme based on discrete logarithms, CRYPTO IT-31(4) (1985), 469–472.

18.

Pallier

, Public-key cryptosystems based on composite degree residuosity classes. In J. Stern, editor, Proceedings of Eurocrypt 1999, volume 1592 of LNCS, pages 223–238. Springer-Verlag, May 1999.

19.

Pottie

and Kaiser

, Wireless integrated network sensors, Commun. ACM 43(5) (2000), 51–58.

20.

Raghunathan

, Schurghers

, Park

and Srivastava

, Energy-aware wireless microsensor networks, IEEE Signal Process. Mag. 19(2) (2002), 40–50.

21.

Intanagonwiwat

, Estrin

, Govindan

and Heidemann

, Impact of network density on data aggregation in wireless sensor networks, Proceedings of the 22nd International Conference on Distributed Computing Systems, July, (2002) pp. 575–578.

22.

Cam Suat Ozdemir Hasan , Integration of false data detection with data aggregation and confidential transmission in wireless sensor networks, IEEE/ACM Trans. Netw. 18 (2010), 736–749, doi: 10.1109/TNET.2009.2032910.

23.

Zhang Ping , Wang Jianxin , Guo Kehua , Wu Fan and Min Geyong , Multi-functional secure data aggregation schemes for WSNs, Ad Hoc Networks 69 (2018), 86–99, https://doi.org/10.1016/j.adhoc.2017.11.004.

24.

Boneh

, Gentry

, Lynn

and Shacham

, Aggregate and Verifiably Encrypted Signatures from Bilinear Maps, Proc. 22nd International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt) (2003), pp. 416–432. doi: 10.1007/3-540-39200-9_26.

25.

https://en.wikipedia.org/wiki/Elliptic_curve_point_multipl-ication

26.

Darrel Hankerson ; Scott Vanstone and Alfred Menezes , Guide to Elliptic Curve Cryptography. Springer Professional Computing. New York: Springer-Verlag. (2004) doi: 10.1007/b9764891 (inactive 2019-12-10). ISBN0-387-95273-X.

27.

Pollard

, Monte Carlo methods for index computation (mod p), Mathematics of Computation Volume 32, 1978.

28.

Bellare

, Kohno

and Shoup

Stateful public-key cryptosystems: how to encrypt with one 160-bit exponentiation, Proceeding of the 13th ACM Conference on Computer and Communications Security, October 2006, ACM, Alexandria, VA, pp. 380–389.

29.

Castelluccia

, Mykletun

, Tsudik

Efficient aggregation of encrypted data in wireless sensor networks, Proceeding of the Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous), IEEE, San Diego, 2005 pp. 109–117.

30.

Li Xing , Chen Dexin , Li Chunyan and Wang Liangmin , Secure data aggregation with fully homomorphic encryption in large-scale wireless sensor networks, Sensors 15 (2015), 15952–15973; doi: 10.3390/s150715952 Message space of RCDA ie EC-EG has to be verified.

31.

Al-Rodhaan Mznah , Tian Yuan and Al-Dhelaan Abdullah , A secure privacy-preserving data aggregation scheme based on bilinear elgamal cryptosystem for remote health monitoring systems, IEEE Access 5 (2017) 12601–12617, DOI 10.1109/ACCESS.2017.2716439.

32.

Liu

, Yu

, Zhang

and Fu

, Energy-efficient privacy-preserving data aggregation protocols based on slicing, EURASIP Journal on Wireless Communications and Networking 2020(1) (2020).

33.

Vinodha

and Anita Mary

E.A.

, Discrete Integrity Assuring Slice-Based Secured Data Aggregation Scheme for Wireless Sensor Network (DIA-SSDAS), Wireless Communications and Mobile Computing 2021, (2021) 17, Article ID 8824220, https://doi.org/10.1155/2021/8824220.

34.

Naghibi

and Barati

, SHSDA: secure hybrid structure data aggregation method in wireless sensor networks, Journal of Ambient Intelligence and Humanized Computing 12(2021), 10769–10788. https://doi.org/10.1007/s12652-020-02751-z.

35.

Murugeshwari

, Sabatini Aminta

Jose Lovelit and Padmapriya

, Effective Data Aggregation in WSN for Enhanced Security and Data Privacy, SSRG International Journal of Electrical and Electronics Engineering, 9(11) 2022 1–10, ISSN: 2348-8379/ https://doi.org/10.14445/23488379/IJEEE-V9I11P101

36.

Peng

, Luo

, Vijayakumar

, He

, Said

and Tolba

, Multifunctional and Multidimensional Secure Data Aggregation Scheme in WSNs, in IEEE Internet of Things Journal 9(4) (2022), 2657–2668, doi:10.1109/JIOT.2021.3077866.

37.

Mathapati

, Kumaran

T.S.

, Prasad

K.H.S.

et al. Framework with temporal attribute for secure data aggregation in sensor network, SN Appl. Sci. 2 (2022) 1975. https://doi.org/10.1007/s42452-020-03773-0.