Multifunctional and Multidimensional Secure Data Aggregation Scheme in WSNs


IEEE INTERNET OF THINGS JOURNAL, VOL. 9, NO. 4, FEBRUARY 15, 2022 2657

Multifunctional and Multidimensional Secure Data Aggregation Scheme in WSNs

Cong Peng, Min Luo, Pandi Vijayakumar, Debiao He, Member, IEEE, Omar Said, and Amr Tolba

Manuscript received December 31, 2020; revised March 1, 2021 and April 5, 2021; accepted May 3, 2021. Date of publication May 6, 2021; date of current version February 4, 2022. This work was supported in part by the Taif University Researchers Supporting Project, Taif University, Taif, Saudi Arabia, under Grant TURSP-2020/60; in part by the Major Scientific and Technological Innovation Project of Shandong Province under Grant 2020CXGC010115; in part by the National Natural Science Foundation of China under Grant 61972294 and Grant 61932016; in part by the Blockchain Core Technology Strategic Research Program of the Ministry of Education of China under Grant 2020KJ010301; in part by the Special Project on Science and Technology Program of Hubei Province under Grant 2020AEA013; in part by the Natural Science Foundation of Hubei Province under Grant 2020CFA052; and in part by the Wuhan Municipal Science and Technology Project under Grant 2020010601012187. (Corresponding author: Min Luo.)

Cong Peng is with the School of Cyber Science and Engineering and the School of Mathematics and Statistics, Wuhan University, Wuhan 430072, China, and also with the Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen 518000, China (e-mail: cpeng@whu.edu.cn).
Min Luo is with the School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China, and also with the Shandong Provincial Key Laboratory of Computer Networks, Qilu University of Technology (Shandong Academy of Sciences), Jinan 250014, China (e-mail: mluo@whu.edu.cn).
Pandi Vijayakumar is with the Department of Computer Science and Engineering, University College of Engineering Tindivanam, Tindivanam 604001, India (e-mail: vijibond2000@gmail.com).
Debiao He is with the School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China (e-mail: hedebiao@163.com).
Omar Said is with the Department of Information Technology, College of Computers and Information Technology, Taif University, Taif 21944, Saudi Arabia, and also with the Mathematics and Computer Science Department, Faculty of Science, Menoufia University, Shebin El-Kom 32511, Egypt (e-mail: o.saeed@tu.edu.sa).
Amr Tolba is with the Computer Science Department, Community College, King Saud University, Riyadh 11437, Saudi Arabia, and also with the Mathematics and Computer Science Department, Faculty of Science, Menoufia University, Shebin El-Kom 32511, Egypt (e-mail: atolba@ksu.edu.sa).
Digital Object Identifier 10.1109/JIOT.2021.3077866

2327-4662 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.

Abstract—In wireless sensor networks (WSNs), data aggregation (DA) has become one of the most practical techniques to reduce processing delay and improve energy efficiency. To support intelligent applications, sensor nodes need to report heterogeneous and diverse data, which induces the demand for multidimensional DA and multifunctional data analysis. To solve the current security problems and functional requirements, we propose a multifunctional and multidimensional secure DA scheme to strike the balance between data availability and privacy. First, we design a Chinese remainder theorem conversion method with a counter to encode multidimensional data into large integers, which can be operated on by linear homomorphic encryption schemes. Then, we introduce a multifunctional data analysis method supporting diversified aggregation functions, including linear, polynomial, and continuous functions. Moreover, we demonstrate that the proposed scheme can achieve confidentiality, integrity, authentication, and resistance against false data injection attacks. The experimental results show that the supported max dimension of one ciphertext in our scheme is at least twice that of existing schemes. Thus, in scenarios with high dimensions, our scheme is superior to the existing schemes in terms of computation and communication costs.

Index Terms—Chinese remainder theorem, homomorphic encryption, secure data aggregation, wireless sensor networks (WSNs).

I. INTRODUCTION

With the rapid proliferation of wireless sensor networks (WSNs), a large amount of heterogeneous data has been collected by sensor nodes and consumed by various intelligent services [1], [2]. As shown in Fig. 1, the Internet of Things (IoT) technology stack consists of three tiers: 1) sensor nodes; 2) gateways; and 3) the data analytic center. The sensor node, equipped with limited resources, acts as the data producer to collect raw data and report these data via wireless networks. The data analytic center, which owns powerful computational ability, acts as the data consumer to analyze these data and provide intelligent services. The gateway is an important middleman element that acts as a bridge to connect sensor nodes and the center. Nowadays, the gateway has become more intelligent to support additional functionality. Specifically, the gateway can act as an aggregator to preprocess raw data and upload the aggregated data to the center.

Data aggregation (DA) has become one of the most practical techniques to reduce processing delay and improve energy efficiency. However, DA at gateways may suffer from some potential risks on data security and user privacy [3]. First, it is easy for adversaries to carry out attacks (e.g., eavesdropping, injection, and tampering) through wireless networks to infringe data confidentiality and integrity. Second, adversaries are able to corrupt the gateway to steal all nodes' raw data. Third, it is possible that sensor nodes may send false data and affect the accuracy of DA due to some malfunctions or attacks. It is becoming common practice to implement data encryption so as to prevent malicious attacks. But, traditional encryption techniques cannot strike the balance between data availability and data privacy since ciphertexts can hardly support aggregation operations (e.g., add, sum, and average) [4].

To solve the above problems, researchers have considered utilizing some special cryptographic primitives (e.g., homomorphic encryption and aggregate signature) to construct privacy-preserving DA schemes [5]–[15] for single-dimensional data aggregation. But, in the real-world scenario, a sensor node usually collects different types of data (e.g., temperature, humidity, and wind direction in atmospheric monitoring). When uploading data to the gateway, the node will package all types of data into a single message packet

and submit it as a report. It is not a wise choice to use single-dimensional privacy-preserving DA schemes to guarantee the security of multidimensional data, because it will result in a lot of ciphertext data redundancy and increase communication costs. Therefore, how to realize efficient multidimensional secure DA becomes a significant issue for researchers.

Fig. 1. System model.

Subsequently, many privacy-preserving schemes [16]–[30] suitable for multidimensional data aggregation have been proposed. The core idea is to construct a conversion mechanism between multidimensional data and large integers, and then use linear homomorphic encryption to realize encrypted data aggregation. The superincreasing sequence and the Chinese remainder theorem (CRT) are two typical conversion methods used in existing works. But neither of them can solve the data overflow problem, so existing schemes have to impose strict limits on the input domain of each dimension for aggregation accuracy. This opens a door for a malicious attacker to disturb the DA results, as it can instruct a compromised sensor node to encrypt and transmit out-of-range data (such as very large monitoring values). Thus, it is a major challenge to remove these strict limits and resist false data attacks.

In practice, the gateway needs to support various aggregation functions [31], including lower order statistics (e.g., sum, average, variance, and standard deviation), higher order statistics (e.g., skewness and kurtosis), and other functions (e.g., max/min and histogram). For example, the data center can use the summation, mean, variance, and other indicators to analyze the distribution of sensed data. However, most secure DA schemes only support summation-based statistical results since the underlying homomorphic encryption only supports the modular addition operation. Thus, multifunctional secure DA is another major problem to be solved.

Contributions: This article aims to solve the above three requirements simultaneously, that is, data privacy preserving, multidimensional DA, and multifunctional data analysis. Compared with existing schemes, we attempt to enhance the security of data aggregation, such as resisting false data attacks from nodes. Also, we attempt to improve the efficiency and functionality of data aggregation, by reducing the data redundancy of ciphertexts and providing diversified aggregation functions. The main contributions are listed as follows.

1) We design a new CRT conversion method with a counter to remove strict limits on the input domain and reduce data redundancy of ciphertexts.
2) We construct an efficient multifunctional and multidimensional secure DA scheme based on the linear homomorphic encryption scheme and the digital signature scheme, called MMDA, and demonstrate its security, in terms of confidentiality, authentication, integrity, and resistance against false data injection attacks.
3) We illustrate a data analysis method to support multiple aggregation functions, including linear functions, polynomial functions, and continuous functions.
4) The performance results show that the max dimension of one ciphertext in our scheme is at least twice that of the existing schemes. Thus, in scenarios with high dimensions (such as 20), our scheme is superior to the existing schemes in terms of computation and communication costs.

Organization: The remainder of this article is as follows. In Sections II and III, the extant literature and related cryptographic primitives are reviewed, respectively. In Section IV, the system model, attacker model, problem statement, and design goal are discussed. In Section V, our proposed DA scheme is presented. The security analysis and performance evaluation are given in Sections VI and VII, respectively. Finally, Section VIII concludes this article.

II. RELATED WORKS

In this section, we mainly discuss related works on multidimensional DA schemes in WSNs and some typical application areas, such as IoT [32] and smart grid [33]. The comparison of different multidimensional secure DA schemes [16]–[30] is given in Table I.

Lin et al. [16] integrated the superincreasing sequence and perturbation techniques to design a novel multidimensional privacy-preserving DA scheme for wireless sensor networks. However, the neighbor sensor node shares its private key with the aggregator node, such that the privacy of aggregated data is vulnerable to disclosure. Lu et al. [17] selected a superincreasing sequence of large primes and combined it with Paillier encryption [34] to present an efficient and privacy-preserving aggregation scheme (EPPA) in smart grid. Besides, they adopted the multigenerator pattern to accelerate the multidimensional data encryption process.

Jia et al. [18] utilized secure multiparty computation techniques to construct a human-factor-aware privacy-preserving aggregation scheme, in which multidimensional data are encrypted by a random Vandermonde matrix and some secret keys. However, this scheme is insecure since secret keys can be revealed when different nodes report the same multidimensional data. Liu et al. [19] proposed an anonymous multidimensional DA scheme based on bilinear pairing cryptography, in which reported data are aggregated in plaintext form to support addition and nonaddition functions.


TABLE I
Comparison of Different Multidimensional Secure DA Schemes

TABLE II
Summary of Notations

Lu et al. [20] proposed a two-subset DA scheme, which used the fractional-order group to encrypt different dimensional data. Subsequently, Li et al. [26] and Wang et al. [29] designed an improved multisubset DA scheme using the superincreasing sequence and multiple fractional-order groups, respectively. Sui et al. [21] designed a robust and efficient secure aggregation scheme that uses ElGamal encryption [35] and the hash-based message authentication code to protect data confidentiality, integrity, and authentication. However, the ElGamal encryption scheme supporting homomorphic operations needs to solve the discrete logarithm problem during decryption. So, the scheme only supports small-range data aggregation. This limited data range is also a problem in two other schemes [24], [28].

Shen et al. [22] utilized Horner's rule to encode and decode the integer vector and presented a multidimensional DA scheme with Paillier encryption [34] and the BLS short signature [36]. Pan et al. [23], [25] proposed two multidimensional DA schemes. The first scheme [23] utilized the blind factor, generated by the shared key between a trusted authority and the nodes, to encrypt each message. The second scheme [25] used Paillier encryption and the CRT conversion method to encrypt multidimensional data without a trusted third party. Recently, Mohammadali and Haghighi [30] proposed a homomorphic privacy-preserving DA scheme with multidimensional support and fault tolerance, which actually only achieved single-dimensional aggregation of the sum of multiple data.

In summary, there are two main problems with those schemes: 1) cross-dimensional interference or data overflow. The conversion method of integer vectors does not have an overflow protection design, so the data results of one dimension will interfere with other dimensions once they exceed the limit (see Section IV-C); and 2) supporting few aggregation functions. All the above schemes are designed for linear aggregation functions, which are difficult to meet the requirements in practical use.

III. PRELIMINARIES

A. Notations

For any positive integer N, we write Z_N to denote the set {0, 1, ..., N − 1} while Z*_N = {1, ..., N − 1}. We use x to denote the vector {x_1, x_2, ..., x_t}, where x_i is the ith element of x. lcm(a, b) refers to the least common multiple of two integers a and b. Some notations are listed in Table II.

B. Chinese Remainder Theorem

Theorem 1 (Chinese Remainder Theorem): Let φ_1, φ_2, ..., φ_β be β integers, which are pairwise coprime, i.e., gcd(φ_i, φ_j) = 1 for all 1 ≤ i ≠ j ≤ β. For any β-dimensional integer vector a = {a_1, a_2, ..., a_β} satisfying 0 ≤ a_i < φ_i for all 1 ≤ i ≤ β, there exists a unique integer A in Z_Φ satisfying A = a_i mod φ_i for all i = 1, 2, ..., β, and the integer A can be computed as

$$A = a_1 \Phi_1 + a_2 \Phi_2 + \cdots + a_\beta \Phi_\beta \bmod \Phi \quad (1)$$

where $\Phi = \prod_{i=1}^{\beta} \phi_i$ and $\Phi_i = \Phi/\phi_i \cdot ((\Phi/\phi_i)^{-1} \bmod \phi_i)$ for all 1 ≤ i ≤ β.

Obviously, the CRT provides an efficient transformation method CRT(·), which converts an integer vector a into a large integer A = CRT(a) to perform addition or multiplication operations. Assuming a = {a_1, a_2, ..., a_β} and b = {b_1, b_2, ..., b_β}, we have

$$\begin{cases} \mathrm{CRT}(a) + \mathrm{CRT}(b) = a_i + b_i \bmod \phi_i \\ \mathrm{CRT}(a) \times \mathrm{CRT}(b) = a_i \times b_i \bmod \phi_i. \end{cases} \quad (2)$$

So, CRT provides a natural approach to process vector data.


C. Linear Homomorphic Encryption

Homomorphic encryption is a special encryption method, which can ensure that some ciphertext operations and plaintext operations remain homomorphic. For example, additive homomorphic encryption makes the homomorphic addition of two ciphertexts equal to the sum of their corresponding plaintexts. Generally, linear homomorphic encryption consists of five algorithms.

1) (pk, sk) → HKGen(κ): Taking a security parameter κ as input, the key generation algorithm generates a secret key sk and a public key pk.
2) c_i → HEnc(pk, m_i): Taking a public key pk and a message m_i as inputs, the encryption algorithm generates a ciphertext c_i of m_i.
3) m_i → HDec(sk, c_i): Taking a secret key sk and a ciphertext c_i as inputs, the decryption algorithm extracts the plaintext m_i hidden in c_i.
4) c_k → HAdd(c_i, c_j): Taking two ciphertexts c_i and c_j as inputs, the homomorphic addition algorithm calculates a new ciphertext c_k, where HDec(sk, c_k) = HDec(sk, c_i) + HDec(sk, c_j).
5) c_k → HMul(m_i, c_j): Taking a plaintext m_i and a ciphertext c_j as inputs, the homomorphic scalar multiplication algorithm calculates a new ciphertext c_k, where HDec(sk, c_k) = m_i ∗ HDec(sk, c_j).

Namely, linear homomorphism enables ciphertexts to perform linear function operations. In our scheme, we utilize the Paillier encryption scheme [34] to provide the homomorphic encryption function.

D. Digital Signature

A digital signature can realize the authentication and integrity protection of a data source. Generally, the digital signature scheme consists of three algorithms.

1) (pk, sk) ← SigKGen(κ): Taking a security parameter κ as input, the key generation algorithm generates a secret key sk and a public key pk.
2) σ ← Sig(sk, m): Taking a secret key sk and a message m as inputs, the signature generation algorithm generates a signature σ of m.
3) 1/0 ← Vrf(pk, m, σ): Taking a public key pk and a message-signature pair (m, σ) as inputs, the signature verification algorithm checks the validity of the signature and returns 1 if valid or 0 otherwise.

Since the Schnorr signature [37] has a short signature size and a batch verification method, we utilize it to provide the digital signature function in our scheme.

IV. SYSTEM DESIGN

A. System Model

In our system model, we focus on how to securely aggregate multidimensional data to obtain various linear function results and provide privacy-preserving data analysis. There are three roles participating in our scheme: 1) a set of sensor nodes {N_1, N_2, ..., N_α}; 2) the gateway GW; and 3) the analytic center AC, as shown in Fig. 1.

1) N_i: Each sensor node N_i is equipped with various sensors and meters to perceive and collect real-time heterogeneous data from the surrounding environment or device state. Then, N_i encrypts multidimensional data at once and reports ciphertexts periodically to GW.
2) GW: Acting as a mediator and aggregator, each gateway GW is responsible for providing a communication relay between N_i and AC, while implementing localized DA to reduce communication overhead between itself and AC. GW provides a variety of DA functions (such as sum, mean, and variance) and only sends aggregated ciphertexts to AC.
3) AC: The analytic center AC has powerful computing power to process and analyze the information uploaded by gateways. Similarly, it can also perform the ciphertext aggregation function.

Without loss of generality, we assume that each gateway aggregates β-dimensional data reported by α nodes in a time slot. For brevity, since the aggregation pattern of AC is consistent with that of GW, we do not consider its aggregation scenario in this article.

B. Attacker Model

From the security perspective, we consider AC and GW as semihonest roles that strictly follow protocol processes but are also curious about some privacy information. More accurately, AC is far away from nodes and cannot directly decrypt the ciphertext reported by nodes. Meanwhile, GW cannot obtain any decrypted data from AC.

Assume that adversary A has the following attack capabilities.

1) A can eavesdrop on all communications between nodes, gateways, and the analytic center to steal transmitted data.
2) A can corrupt the gateway to steal all data reported by nodes.
3) A can corrupt the node or the gateway to inject false data to compromise the accuracy of results.

C. Problem Statement

Considering homomorphic encryption on multidimensional data, a straightforward method is encrypting data in each dimension independently with a ciphertext vector as output. However, computation and communication overhead will increase linearly with the dimension. Moreover, the plaintext space of the existing linear homomorphic encryption schemes is much larger than the range space of the data in practical applications. If a ciphertext contains only one data item, it will lead to significant data redundancy. The other two ways are as follows.

Using Superincreasing Sequence: Suppose {ψ_1, ψ_2, ..., ψ_β} is a superincreasing sequence of integers satisfying $\sum_{j=1}^{i-1} \psi_j \cdot D_j < \psi_i$ for all i = 1, 2, ..., β, where $D_i$ is the upper bound of a_i. The integer vector a can then be converted into $A = \sum_{i=1}^{\beta} a_i \psi_i$. Obviously, the limitation of this approach is that the results of addition and multiplication for each dimension must be within the range $[0, D_i]$. Otherwise,


there will be overflow problems affecting the correctness of the results.

Using CRT: Suppose {φ_1, φ_2, ..., φ_β} are primes; the integer vector a can be converted into A = CRT(a). This approach solves the overflow problem for each dimension because the results of additions and multiplications are always in Z_{φ_i}. Another serious problem is that linear homomorphic encryption (Paillier encryption or ElGamal encryption) provides addition or scalar multiplication operations on Z_N, not operations on Z_Φ. For this reason, many schemes restrict the operation result of the converted integer to be less than N. In practice, however, a malicious adversary can inject some large converted integers (although less than N) to make the final results greater than N.

D. Design Goal

Our goal is to design a multifunctional and multidimensional secure DA scheme. The following properties should be achieved.

1) Security: The proposed scheme should protect data confidentiality, integrity, and authentication. It is necessary to prevent nodes' data or aggregated data from being leaked to the adversary, and to prevent illegal or false messages from participating in aggregation operations.
2) Efficient: The proposed scheme should achieve high efficiency of computation and communication. On the one hand, it is necessary to avoid using computation-intensive cryptographic primitives (e.g., bilinear pairing operations) in the design. On the other hand, it is necessary to take advantage of aggregators to minimize communication overhead.
3) Multidimensional: The proposed scheme should support the node in reporting various collected data in one communication interaction. Specifically, nodes can package and upload each type of data individually, but this pattern is very inefficient. The designed scheme needs to be able to package multidimensional data in a single communication packet without interfering with subsequent data analysis.
4) Multifunctional: The proposed scheme should support various data analysis functions. In general, the aggregation function makes it easy to calculate the sum and average of reported data. However, the statistical analysis in the actual scenario will require more measurement indicators, such as quadratic mean, harmonic mean, variance, and standard deviation. More complicated, AC needs to calculate some function values for the uploaded data, such as sin(x), cos(x), e^x, etc.

V. MULTIFUNCTIONAL AND MULTIDIMENSIONAL SECURE DATA AGGREGATION SCHEME

In this section, we first introduce a new CRT-based conversion method with a counter, and then describe details of the proposed scheme and illustrate its multifunctionality.

A. CRT-Based Conversion Method With Counter

To solve the overflow and modulus conversion problem, we discuss some properties between the modulus N and Φ.

Theorem 2: Let N and Φ be two integers, φ_i be a prime factor of Φ, and the difference Δ = N − Φ be not divisible by φ_i. For any integer A in the interval [0, φ_i · N − 1], if the remainders of A modulo N and φ_i are known, i.e., a = A mod N and a_i = A mod φ_i, then A can be computed as A = s · N + a, where s = Δ^{-1} · (a_i − a) mod φ_i.

Proof: Without loss of generality, A can be written in the form A = s · N + a (0 ≤ s < φ_i). Then, we have

$$A = s \cdot N + a = s \cdot (\Phi + \Delta) + a = s \cdot \Phi + (s \cdot \Delta + a) \;\Rightarrow\; A = s \cdot \Delta + a = a_i \bmod \phi_i. \quad (3)$$

Obviously, Δ has an inverse Δ^{-1} in Z_{φ_i}, i.e., Δ · Δ^{-1} = 1 mod φ_i. s is less than the prime φ_i, and s can be uniquely solved by the formula s = Δ^{-1} · (a_i − a) mod φ_i.

When Φ is properly selected, if the remainder of a larger integer A modulo N and the remainder of A modulo a prime φ_i are known, the integer A can be recovered according to the above Theorem 2. Based on this feature, we construct a counter each time the integer vector is encoded. After a finite number of operations, we can restore the original integer according to the value of the final counter. The specific methods are described as follows.

Parameter Selection: Given the dimension β and the modulus N, choose β + 1 primes {φ_0, φ_1, ..., φ_β} such that $\Delta = N - \prod_{i=0}^{\beta} \phi_i$ is not divisible by φ_0. Compute $\Phi = \prod_{i=0}^{\beta} \phi_i$ and $\Phi_i = \Phi/\phi_i \cdot ((\Phi/\phi_i)^{-1} \bmod \phi_i)$ for all i = 0, 1, ..., β. The published parameters are pp_CRT = {β, N, Φ, Δ^{-1}, φ_0, ..., φ_β, Φ_0, ..., Φ_β}.

Convert an Integer Vector Into a Large Integer (V2I): Similar to the traditional CRT conversion method, we use the CRT solution equation (1) to construct the larger integer, denoted as A = V2I(a), as shown in Algorithm 1. The difference is that we use β + 1 primes to transform the β-dimensional integer vector, and fix the input integer of the first dimension to be one, i.e., a_0 = 1. This setting makes it easier to match the number of subsequent linear operations.

Algorithm 1 Convert an Integer Vector Into a Large Integer
Input: An integer vector a = {a_1, ..., a_β} and the parameters pp_CRT.
Output: A large integer A in Z_N.
1: A ← Φ_0                          ▷ the fixed first dimension a_0 = 1
2: for i = 1 to β do
3:   A ← A + a_i · Φ_i mod N
4: end for
5: return A

Convert a Large Integer Into an Integer Vector (I2V): If the linear operation result A is greater than N, the CRT reduction from A will not be accurate. To recover the integer vector correctly, we need to derive the integer A before the modulus N from A. Based on Theorem 2, we can calculate s and A as shown in Algorithm 2, and then get the remainders a_i = A mod φ_i of the different dimensions as output. Denote the j-dimensional output as a_j = I2V_j(A, ctr).


Algorithm 2 Convert a Large Integer Into an Integer Vector
Input: A large integer A in Z_N, the counter ctr and the parameters pp_CRT.
Output: An integer vector a = {a_1, ..., a_β}.
1: A_0 ← A mod φ_0
2: s ← Δ^{-1} · (ctr − A_0) mod φ_0
3: A ← s · N + A mod Φ
4: for i = 1 to β do
5:   a_i ← A mod φ_i
6: end for
7: return a = {a_1, ..., a_β}

Consider the scenario of linear aggregation of α integer vectors {m_1, m_2, ..., m_α}, where {M_1, M_2, ..., M_α} are the encoded larger integers, i.e., M_i = V2I(m_i) for i = 1, 2, ..., α. Let the linear aggregation function be $f(x_1, x_2, \ldots, x_\alpha) = \sum_{i=1}^{\alpha} w_i \cdot x_i$. Then, as long as the sum of weightings $\sum_{i=1}^{\alpha} w_i$ is less than φ_0, the property

$$f(m_{1,j}, m_{2,j}, \ldots, m_{\alpha,j}) \bmod \phi_j = \mathrm{I2V}_j\Big(f(M_1, M_2, \ldots, M_\alpha), \sum_{i=1}^{\alpha} w_i\Big) \quad (4)$$

holds on each dimension since the final calculation result f(M_1, M_2, ..., M_α) is less than φ_0 · N. In the homomorphic encryption pattern, the plaintext data hidden in each ciphertext is guaranteed to be less than N. Therefore, the core of overflow prevention lies in controlling the weights of the linear operation, so that their sum is less than the predetermined prime.

B. Details of the Proposed Scheme

In this part, we give the framework description of our scheme (as shown in Fig. 2) and instantiate it with the Paillier encryption scheme [34] and the Schnorr signature scheme [37]. The specific description is as follows.

1) System Initialization: Given a security parameter κ and a dimension β, the analytic center AC initializes the parameters of linear homomorphic encryption, digital signature, and the CRT-based conversion method with the counter, and publishes the parameters pp = {pp_LHE, pp_Sig, pp_CRT}.

1) Step 1: AC randomly selects two strong primes u and v, computes N = uv and λ = lcm(u − 1, v − 1), and chooses an element g_1 in Z_{N^2} satisfying g_1^λ = 1 mod N^2. Then, AC sets the public parameter of linear homomorphic encryption as pp_LHE = pk, where the public key pk = {N, g_1}, and keeps the private key sk = λ.
2) Step 2: AC takes the modulus N and the dimension β as inputs to select the parameters pp_CRT, as described in Section V-A.
3) Step 3: AC chooses a cyclic group G of prime order q and a generator g_2 of G. Also, AC chooses a hash function H : {0, 1}* → Z*_q. AC sets the public parameter of digital signature as pp_Sig = {G, q, g_2, H}.

Moreover, each node N_i generates its own signature key pair (pk_i = g_2^{sk_i}, sk_i) and registers pk_i with its parent gateway GW. Also, GW generates the signature key pair (pk_GW = g_2^{sk_GW}, sk_GW) and registers pk_GW with AC.

Algorithm 3 Data Generation (Operations on N_i)
Input: β integers {m_{i,1}, m_{i,2}, ..., m_{i,β}} and the parameters pp.
Output: The reported ciphertext {C_i, σ_i}.
1: Set m_i ← {m_{i,1}, m_{i,2}, ..., m_{i,β}}
2: M_i ← V2I(m_i)
3: C_i ← HEnc(pk, M_i)
4: σ_i ← Sig(sk_i, C_i)
5: return {C_i, σ_i}

Algorithm 4 DA (Operations on GW)
Input: α ciphertexts {C_1, C_2, ..., C_α}, α signatures {σ_1, σ_2, ..., σ_α}, the weightings {w_1, w_2, ..., w_α}, the parameters pp.
Output: The aggregated ciphertext {C, σ}.
1: for i = 1 to α do
2:   d ← Vrf(pk_i, C_i, σ_i)
3:   if σ_i is invalid then
4:     reject C_i and exit with error
5:   end if
6: end for
7: C ← 0
8: for i = 1 to α do
9:   C_i ← HMul(w_i, C_i)
10:  C ← HAdd(C, C_i)
11: end for
12: σ ← Sig(sk_GW, C)
13: return {C, σ}

2) Data Generation: To report β data {m_{i,1}, m_{i,2}, ..., m_{i,β}} simultaneously, the node N_i follows the steps below to generate the reported ciphertext, as shown in Algorithm 3.

1) Step 1: N_i arranges the data {m_{i,1}, m_{i,2}, ..., m_{i,β}} into a vector m_i in the predetermined order and encodes the vector to a large integer M_i = V2I(m_i).
2) Step 2: N_i encrypts M_i as C_i = HEnc(pk, M_i). Specifically, N_i randomly picks an integer r_i in Z*_N and computes C_i = (1 + N · M_i) · g_1^{r_i} mod N^2.
3) Step 3: N_i signs the ciphertext C_i to obtain the signature σ_i = Sig(sk_i, C_i). Specifically, N_i randomly picks an integer k_i in Z*_q, computes K_i = g_2^{k_i}, h_i = H(pk_i, K_i, C_i), and s_i = k_i − h_i · sk_i, and sets σ_i = (h_i, s_i).

Then, N_i sends the reported ciphertext {C_i, σ_i} to GW.

3) Data Aggregation: After receiving α reported ciphertexts {C_1, σ_1, C_2, σ_2, ..., C_α, σ_α}, GW follows the steps below to aggregate the reported data with a linear function $f(x_1, x_2, \ldots, x_\alpha) = \sum_{i=1}^{\alpha} w_i \cdot x_i$, as shown in Algorithm 4.

1) Step 1: GW verifies the validity of all signatures {σ_1, σ_2, ..., σ_α}. Specifically, GW computes K_i = g_2^{s_i} · pk_i^{h_i}, checks whether h_i equals H(pk_i, K_i, C_i), and aborts if the check fails.
2) Step 2: GW calculates the linear function of the encrypted data, i.e., C = [w_1]C_1 ⊕ [w_2]C_2 ⊕ ··· ⊕ [w_α]C_α. Specifically, GW first sets C to be zero, and computes the homomorphic scalar multiplication result C_i = HMul(w_i, C_i) and the homomorphic addition result C = HAdd(C, C_i) for each i = 1, 2, ..., α.
3) Step 3: GW uses its private key sk_GW to sign C and obtain the signature σ = Sig(sk_GW, C). Specifically, GW randomly picks an integer k in Z*_q, computes K = g_2^k,

Authorized licensed use limited to: South Asian University. Downloaded on February 12,2024 at 17:23:40 UTC from IEEE Xplore. Restrictions apply.
PENG et al.: MULTIFUNCTIONAL AND MULTIDIMENSIONAL SECURE DATA AGGREGATION SCHEME IN WSNs 2663

Fig. 2. Design architecture of the proposed scheme.

Algorithm 5 Data Reading (Operations on AC) according to the properties of linear homomorphic encryption
Input: The aggregated ciphertext (C, σ ), the parameters pp. scheme, we have
Output: An integer vector z = {z1 , . . . , zβ }.
1: d ← Vrf(pkGW , C, σ ) α

2: if σ is invalid then M = wi · Mi , mod N
3: reject C and exit with error i=1
4: end if  α α
5: M ← HDec(sk, C)
 
 ⇒ I2Vj M, wi = wi · Mi , mod φj , 1 ≤ j ≤ β
6: {z1 , z2 , . . . , zβ } ← I2V(M, α i=1 wi )
7: return z = {z1 , z2 , . . . , zβ } as the aggregated plaintext  i=1 i=1

⇒ zj = f m1,j , m2,j , . . . , mα,j , mod φj , 1 ≤ j ≤ β. (5)

Based on Theorem 2, the condition αi=1 wi < φ0 needs to
h = H(pkGW , K, C) and s = k − h · skGW , and sets be satisfied for the aggregation function to be correct. This
σ = (h, s). condition can be easily satisfied since the weightings wi (1 ≤
Then, GW sends the aggregated ciphertext {C, σ } and the i ≤ α) are controlled by GW. Thus, the correctness of DA
counter αi=1 wi to AC. can be guaranteed.
4) Data Reading and Analysis: On  receiving the aggre-
gated ciphertext (C, σ ) and the counter αi=1 wi , AC follows C. Multifunctional Aggregation
the steps below to extract the aggregated data, as shown in In this section, we will show how to implement the proposed
Algorithm 5. scheme to achieve multiple data analysis functions.
1) Step 1: AC verifies the validity of the signature σ . 1) Raw Data Mapping to Available Integer: First, we dis-
Specifically, AC computes K = gs2 · pkGW h , checks
cuss the representation of actual measurements. The input
whether h equals to H(pkGW , K , C), and aborts if the vectors in the above design scheme must be integers, but the
check fails. data detected in a real IoT environment are floats generally.
2) Step 2: AC uses the private key sk to decrypt C and Suppose that xi = {xi,1 , xi,2 , . . .} are the raw data detected by
obtain M = HDec(sk, C). Specifically, AC computes the node Ni and each raw data xi,j belongs to the real domain,
M = ((Cλ mod N 2 ) − 1)/(N · λ) mod N. i.e., xi,j ∈ [LBj , UBj ], where LBj and UBj are the lower and
3) Step 3: AC decodes M to extract the  aggregated plain- upper bounds on the jth dimension, respectively.
text z = {z1 , z2 , . . . , zβ } = I2V(M, αi=1 wi ). Obviously, xi,j cannot be directly converted by CRT meth-
After obtaining the integer vector z, AC can process sub- ods, and we need a linear function R2I(·) to map the raw
sequent data analysis of various functions, which will be data to the integer space. The most common solution is,
discussed in Section V-C. R2I(xi,j ) = (xi,j − LBj )/ACj where ACj is the accuracy on jth
Correctness: First, the correctness of the signature is easy dimension. Its inverse function is I2R(mi,j ) = mi,j · ACj + LBj .
to verify, that is, Ki = gs2i · pkihi = gs2i +hi ·ski = gk2i = Ki . Then, For example, the effective range of sea surface temperature is


[6, 32] °C and the accuracy is 0.01 °C. Assuming the raw datum x_{i,j} = 13.72 °C, the converted datum is m_{i,j} = R2I(x_{i,j}) = 772.

2) Multifunctional Supporting: Next, we list a few typical instances to illustrate the multifunctionality of our scheme. To support multifunctionality, the following two mechanisms are available.

1) The node can pack {x_{i,j}, x_{i,j}^2, x_{i,j}^3, ...} into one reported ciphertext to support polynomial functions.
2) The gateway can compute several linear aggregation functions {f_1(x) = Σ_{i=1}^{α} w_{i1} · x_i, f_2(x) = Σ_{i=1}^{α} w_{i2} · x_i, ...} on the same α reported ciphertexts x.

Obviously, if the above mechanisms are used, the dimension of raw data in each ciphertext will decrease, while the supported aggregation functions will be much richer.

For brevity, denote the integer vector as m̄_j = {m_{1,j}, m_{2,j}, ..., m_{α,j}}, where m_{i,j} is the integer mapped by R2I(x_{i,j}). As shown in Algorithm 6, the following three types of functions can be supported by our scheme.

Algorithm 6 Multifunctional Data Analysis
Input: The vectors m_i = {m_{i,j}, 1/m_{i,j}, m_{i,j}^2, m_{i,j}^3, ···} (1 ≤ i ≤ α), the counter α and the parameters pp.
Output: Various function results.
1: Encrypt m_i to obtain (C_i, σ_i) following Algorithm 3
2: Aggregate {C_1, C_2, ..., C_α} to obtain C following Algorithm 4
3: Decrypt C to obtain Σ_{i=1}^{α} m_{i,j}, Σ_{i=1}^{α} 1/m_{i,j}, Σ_{i=1}^{α} m_{i,j}^2, Σ_{i=1}^{α} m_{i,j}^3, ···, following Algorithm 5
4: CNT ← α
5: SUM ← Σ_{i=1}^{α} m_{i,j}
6: MEAN ← SUM/CNT
7: QMEAN ← sqrt(Σ_{i=1}^{α} m_{i,j}^2 / CNT)
8: HMEAN ← CNT / Σ_{i=1}^{α} 1/m_{i,j}
9: VAR ← QMEAN^2 − MEAN^2
10: STD ← sqrt(VAR)
11: EXP ← CNT + Σ_{i=1}^{α} m_{i,j} + (1/2) Σ_{i=1}^{α} m_{i,j}^2 + ··· + (1/t!) Σ_{i=1}^{α} m_{i,j}^t
12: return SUM, MEAN, VAR, STD, EXP

1) Type-1 (Linear Functions Supported by 1-D Data): Naturally, the proposed scheme can support various linear functions with 1-D inputs, such as the following.
  a) Linear Weighted Sum: WSUM(m̄_j) = Σ_{i=1}^{α} w_i · m_{i,j}, where the weighting w_i is added by the aggregation process.
  b) Arithmetic Mean: MEAN(m̄_j) = (Σ_{i=1}^{α} m_{i,j})/α, where Σ_{i=1}^{α} m_{i,j} is decrypted by AC.
  c) Quadratic Mean: QMEAN(m̄_j) = sqrt((Σ_{i=1}^{α} m_{i,j}^2)/α), where m_{i,j}^2 is encrypted by Ni and Σ_{i=1}^{α} m_{i,j}^2 is decrypted by AC.
  d) Harmonic Mean: HMEAN(m̄_j) = α / Σ_{i=1}^{α} (1/m_{i,j}), where 1/m_{i,j} is encrypted by Ni and Σ_{i=1}^{α} (1/m_{i,j}) is decrypted by AC.

2) Type-2 (Polynomial Functions Supported by Multiple-Dimensional Data): Suppose AC wants to get the aggregated results of polynomial functions, i.e.,

F_j(m̄_j) = Σ_{i=1}^{α} w_{i,1} · m_{i,j} + Σ_{i=1}^{α} w_{i,2} · m_{i,j}^2 + ··· + Σ_{i=1}^{α} w_{i,s} · m_{i,j}^s. (6)

If {m_{i,j}, m_{i,j}^2, ..., m_{i,j}^s} are packed in one reported ciphertext by Ni, GW can aggregate the α reported ciphertexts to obtain the encrypted Σ_{i=1}^{α} w_{i,1} · m_{i,j}, Σ_{i=1}^{α} w_{i,2} · m_{i,j}^2, ..., Σ_{i=1}^{α} w_{i,s} · m_{i,j}^s and upload these ciphertexts to AC. Then, AC can calculate the final result by decrypting these uploaded ciphertexts. For example, AC can compute the variance of m̄_j as

VAR(m̄_j) = QMEAN(m̄_j)^2 − MEAN(m̄_j)^2 = (Σ_{i=1}^{α} m_{i,j}^2)/α − (Σ_{i=1}^{α} m_{i,j})^2/α^2 (7)

where Σ_{i=1}^{α} m_{i,j} and Σ_{i=1}^{α} m_{i,j}^2 can be decrypted from the aggregated ciphertext. Similarly, the standard deviation can be calculated as STD(m̄_j) = sqrt(VAR(m̄_j)).

3) Type-3 (Continuous Functions Supported by Polynomial Approximation): Mathematically, continuous functions, such as sin(x), cos(x), e^x, and ln(x), can be approximated by algebraic polynomials, such as linear approximation and quadratic approximation using Taylor's formula [38]. But it is worth noting that the accuracy of the approximation needs to be preset in advance. For example, let F_j(m̄_j) = Σ_{i=1}^{α} e^{m_{i,j}}; here, e is Euler's number. According to Taylor's expansion, e^x ≈ 1 + x + (1/2!)x^2 + (1/3!)x^3 + ···. Thus, F_j(m̄_j) can be computed from the results Σ_{i=1}^{α} m_{i,j}, Σ_{i=1}^{α} m_{i,j}^2, Σ_{i=1}^{α} m_{i,j}^3, ..., with the corresponding Taylor series. In addition, nodes can also take e^{m_{i,j}} as input to provide richer analysis functions for AC.

In a word, in terms of the analysis functions provided by AC, our scheme has a very strong supporting capacity. The limitation of the scheme is that the sum of weightings at each gateway aggregation should be less than a predetermined prime φ_0. A simple solution is to select a larger prime (maybe larger than 2^64) to prevent this problem. Since φ_0 is public, GW can also control this problem.

VI. SECURITY ANALYSIS

In this section, we analyze the security of the proposed scheme. As we discussed in Section IV-B, the powerful adversary A can eavesdrop on the communication channel between Ni, GW, and AC.

Confidentiality: The ith node's reported data x_i = {x_{i,1}, x_{i,2}, ..., x_{i,β}} are formed as M_i = V2I(m_{i,1}, m_{i,2}, ..., m_{i,β}), where m_{i,j} = R2I_j(x_{i,j}) for j = 1, 2, ..., β. Then, C_i = HEnc(pk, M_i) is a valid ciphertext of the linear homomorphic cryptosystem. Specifically, C_i = (1 + N · M_i) · g1^{r_i} mod N^2 is a Paillier ciphertext. Since the Paillier encryption scheme is semantically secure against chosen plaintext attacks [34], the adversary A cannot distinguish the ciphertext between two known plaintexts. Although x_i may have low entropy, A cannot find the correct plaintext by exhaustive attacks.


From the gateway's perspective, GW can obtain the ciphertexts {C_1, C_2, ..., C_α} and C. Similarly, these ciphertexts are encrypted by a semantically secure homomorphic encryption. The honest-but-curious gateway has no ability to extract the hidden content in ciphertexts. Moreover, if some sensor nodes are compromised and their reported data are revealed, the adversary A (or the gateway) still cannot extract the reported data of the safe nodes or the aggregated data in C. Since the only decryption key is held by AC, nobody could decrypt the ciphertext except AC.

Authentication and Integrity: In the proposed scheme, the ciphertexts transmitted in the channel are signed by the sender, i.e., the node or the gateway. So, as long as the signature scheme is existentially unforgeable against chosen message attacks, the validity of signatures can guarantee the authentication and integrity of ciphertexts. The security of the Schnorr signature has been discussed in [37], which concluded that the Schnorr signature is existentially unforgeable against chosen message attacks in the random oracle model under the discrete logarithm assumption. So, the authentication and integrity of reported data and aggregated data can be achieved.

Resistance to Impersonation and Injection Attack: First, the adversary cannot impersonate a node to send a message to the gateway, because the gateway must authenticate the data each time it receives them. Obviously, the adversary cannot cheat the gateway since it cannot obtain the private key. However, the adversary can compromise some nodes. If this attack happens, the adversary can control these nodes to send false data to the gateway. For example, the false data can exceed the range limits of the scheme (e.g., several hundred degrees Fahrenheit). Then, two situations may happen as follows.

1) The jth-dimensional data m_{i,j} are out of the jth range ψ_j. Actually, the results of jth-dimensional data are always in Z_{ψ_j}, no matter how many additions have been executed.
2) The converted integer M_i is larger than the modulus N. According to the homomorphic operation, the decrypted data are less than N. That is, even if the data before encryption are greater than N, the decryption process performs modular N operations on the original result. In our assumption, aggregated data can be correctly restored as long as the counter is less than the prime ψ_0. At this point, the gateway is easy to control because the sum of the weights used equals the counter. Therefore, the problem of large number overflow can be effectively solved.

Therefore, our scheme has a good fault-tolerance mechanism to resist impersonation and injection attacks.

VII. PERFORMANCE EVALUATION

In this section, we measure the performance of our scheme in terms of computation costs and communication costs. The performance results are compared with previous schemes, i.e., Lu et al.'s scheme EPPA [17], Li et al.'s scheme PPMA [26], and Ming et al.'s scheme P2MDA [28].

To be fair, we set the security level to 80 bits and select the corresponding parameters to initialize those schemes. For the Paillier encryption scheme, the length of the two basic primes (u, v) is 512 bits and the length of the modulus N is 1024 bits. For the elliptic curve group (denoted as G), the prime of the base field is selected as a 160-bit prime and the length of elements in G is 320 bits.

TABLE III
Execution Time of Basic Operations With 80-Bit Security Level (ms)

A. Computation Costs

To implement those compared schemes, we utilize the well-known Relic library [39] to provide basic cryptographic primitives. The experiments are performed on a laptop with the Windows 10 OS, an Intel Core i7-8850U 2.00 GHz and 8-GB RAM. Table III lists the execution time of basic operations. Some operations, e.g., addition in Z_{N^2}, are considered negligible compared with exponentiation in Z_{N^2} and point multiplication in G. But we do not ignore multiplication in Z_{N^2}, since the number of times it appears increases as the number of nodes increases. Note that when comparing, we will not compare the computation costs of the signature part, because some schemes only support homomorphic data aggregation. Moreover, the Schnorr signature used in our scheme is only an instance, which can be replaced by other secure signature schemes.

1) Computation Cost of Sensor Nodes: Denote the dimension of a sensor node's reported data as β. In our scheme, the sensor node requires β + ⌈β/31⌉ exponentiation operations and β multiplication operations in Z_{N^2}, where a 32-bit prime ψ_0 is used for counting. Hence, the total computation cost in our scheme is (β + ⌈β/31⌉)T_en2 + βT_mn2 ≈ 0.437β + 0.435⌈β/31⌉ ms. In scheme [17], the sensor node requires β + ⌈β/16⌉ exponentiation operations in Z_{N^2}, where the limited ranges are 64-bit primes. Hence, the total computation cost in [17] is (β + ⌈β/16⌉)T_en2 ≈ 0.435β + 0.435⌈β/16⌉ ms. In scheme [26], the sensor node requires 2β + ⌈β/10⌉ exponentiation operations in Z_{N^2}, where the result of each dimension requires a 96-bit space to prevent overflow. Hence, the total computation cost in [17] is (2β + ⌈β/10⌉)T_en2 ≈ 0.87β + 0.435⌈β/10⌉ ms. In scheme [28], the sensor node requires 3 · ⌈β/2⌉ point multiplications in G. Hence, the total computation cost in [17] is (3 · ⌈β/2⌉)T_pm ≈ 0.282⌈β/2⌉ ms.

As shown in Fig. 3, we can see that our scheme is faster than the other schemes based on Paillier encryption as the dimension increases. However, compared to the ElGamal encryption scheme, our scheme is much slower.

2) Computation Cost of the Gateway: Denote the number of sensor nodes' reported data as α. In our scheme, the gateway requires (α − 1) · ⌈β/31⌉ multiplication operations in Z_{N^2}. In scheme [17], the gateway requires (α − 1) · ⌈β/16⌉


multiplication operations in Z_{N^2}. In scheme [26], the gateway requires (α − 1) · ⌈β/10⌉ multiplication operations in Z_{N^2}. In scheme [28], the gateway requires (α − 1) · ⌈β/2⌉ point additions in G. The total computation costs of the gateway are listed in Table IV. Two different dimensions are selected to measure the computing time of the gateway, as shown in Figs. 4 and 5. From these two figures, our scheme is more suitable for scenarios with larger dimensions.

Fig. 3. Comparison of computation costs at sensor nodes.

Fig. 4. Comparison of computation costs at the gateway when β = 16.

Fig. 5. Comparison of computation costs at the gateway when β = 30.

TABLE IV
Computation Costs of Different Entities (ms)

Fig. 6. Comparison of communication costs with different dimensions.

3) Computation Cost of the Analytic Center: For the analytic center, the computation costs are directly related to the number of ciphertexts after aggregation. As analyzed in the previous paragraphs, the center requires ⌈β/31⌉ exponentiation operations in Z_{N^2} in our scheme, while the center requires ⌈β/16⌉ and ⌈β/10⌉ exponentiation operations in Z_{N^2} in the other two schemes [17], [26], respectively. The center requires ⌈β/2⌉ point multiplications in G in scheme [28].

In general, our scheme is most advantageous at higher dimensions, because we make full use of the plaintext space of the encryption scheme. Compared with the ElGamal encryption scheme, our scheme is slower in the data generation process, but does not have the problem of solving discrete logarithms. Once the data are out of the limited bounds, the discrete logarithm problem is difficult to solve.

B. Communication Costs

First, we consider the size of a node's reported ciphertexts. Obviously, the communication costs between Ni and GW are related to the dimension. So, the node sends a ⌈β/31⌉|Z_{N^2}|-bit ciphertext to the gateway in our scheme, which would be ⌈β/16⌉|Z_{N^2}| bits and ⌈β/10⌉|Z_{N^2}| bits in EPPA [17] and PPMA [26], respectively. In P2MDA [28], it becomes β|G| bits. Based on this conclusion, we show the communication overhead at different dimensions in Fig. 6. At the gateway, the length of the aggregated ciphertext is the same as that of the ciphertext uploaded by the node. Therefore, the communication cost between the gateway and the center is the same as the communication cost between the gateway and the nodes.

As shown in Fig. 6, the ciphertext length increases the slowest with the increase of dimension in our scheme. This further illustrates the very low data redundancy of our scheme.


VIII. C ONCLUSION [20] R. Lu, K. Alharbi, X. Lin, and C. Huang, “A novel privacy-preserving
set aggregation scheme for smart grid communications,” in Proc. IEEE
In this article, we presented a new multifunctional and Global Commun. Conf. (GLOBECOM), San Diego, CA, USA, 2015,
multidimensional secure DA scheme for WSNs. On the one pp. 1–6.
[21] Z. Sui, M. Niedermeier, and H. de Meer, “RESA: A robust and efficient
hand, we explained theoretically how to improve the efficiency secure aggregation scheme in smart grids,” in Proc. Int. Conf. Crit. Inf.
of our scheme by reducing the data redundancy in cipher- Infrastruct. Security, 2015, pp. 171–182.
texts. On the other hand, through experimental analysis, we [22] H. Shen, M. Zhang, and J. Shen, “Efficient privacy-preserving cube-
data aggregation scheme for smart grids,” IEEE Trans. Inf. Forensics
demonstrated that our scheme has the optimal computation Security, vol. 12, pp. 1369–1381, 2017.
and communication costs when the data dimension is higher. [23] B. Pan, P. Zeng, and K.-K. R. Choo, “A new multidimensional and
fault-tolerable data aggregation scheme for privacy-preserving smart grid
Therefore, the proposed scheme is more suitable for applica- communications,” in Proc. Int. Conf. Appl. Techn. Cyber Security Intell.,
tions in WSNs. As future work, we want to further reduce the 2017, pp. 206–219.
[24] O. R. M. Boudia, S. M. Senouci, and M. Feham, “Elliptic curve-based
computation and communication costs of nodes by using the secure multidimensional aggregation for smart grid communications,”
homomorphic signcryption mechanism. Also, we may try to IEEE Sens. J., vol. 17, no. 23, pp. 7750–7757, Dec. 2017.
use the zero-knowledge proof to prove that the counter in the [25] B. Pan, P. Zeng, and K.-K. R. Choo, “An efficient data aggregation
scheme in privacy-preserving smart grid communications with a high
ciphertext meets the requirements of the scheme. practicability,” in Proc. Conf. Complex Intell. Softw. Intensive Syst.,
2017, pp. 677–688.
[26] S. Li, K. Xue, Q. Yang, and P. Hong, “Ppma: Privacy-preserving mul-
R EFERENCES tisubset data aggregation in smart grid,” IEEE Trans. Ind. Informat.,
[1] L. Zhao and X. Dong, “An Industrial Internet of Things feature selection vol. 14, no. 2, pp. 462–471, Feb. 2018.
method based on potential entropy evaluation criteria,” IEEE Access, [27] B. Lang, J. Wang, and Z. Cao, “Multidimensional data tight aggregation
vol. 6, pp. 4608–4617, 2018. and fine-grained access control in smart grid,” J. Inf. Security Appl.,
[2] M. Shu, D. Yuan, C. Zhang, Y. Wang, and C. Chen, “A MAC protocol vol. 40, pp. 156–165, Jun. 2018.
for medical monitoring applications of wireless body area networks,” [28] Y. Ming, X. Zhang, and X. Shen, “Efficient privacy-preserving multi-
Sensors, vol. 15, no. 6, pp. 12906–12931, 2015. dimensional data aggregation scheme in smart grid,” IEEE Access, vol. 7,
[3] X. Liu, J. Yu, F. Li, W. Lv, Y. Wang, and X. Cheng, “Data aggregation pp. 32907–32921, 2019.
in wireless sensor networks: From the perspective of security,” IEEE [29] X. Wang, Y. Liu, and K. Choo, “Fault-tolerant multisubset aggrega-
Internet Things J., vol. 7, no. 7, pp. 6495–6513, Jul. 2020. tion scheme for smart grid,” IEEE Trans. Ind. Informat., vol. 17, no. 6,
[4] R. Li, C. Sturtivant, J. Yu, and X. Cheng, “A novel secure and efficient pp. 4065–4072, Jun. 2021.
data aggregation scheme for IoT,” IEEE Internet Things J., vol. 6, no. 2, [30] A. Mohammadali and M. S. Haghighi, “A privacy-preserving homomor-
pp. 1551–1560, Apr. 2019. phic scheme with multiple dimensions and fault tolerance for metering
[5] W. He, X. Liu, H. Nguyen, K. Nahrstedt, and T. Abdelzaher, “PDA: data aggregation in smart grid,” IEEE Trans. Smart Grid, early access,
Privacy-preserving data aggregation in wireless sensor networks,” in Jan. 5, 2021, doi: 10.1109/TSG.2021.3049222.
Proc. IEEE INFOCOM 26th Int. Conf. Comput. Commun., Anchorage, [31] P. Zhang, J. Wang, K. Guo, F. Wu, and G. Min, “Multi-functional secure
AK, USA, 2007, pp. 2045–2053. data aggregation schemes for WSNs,” Ad Hoc Netw., vol. 69, pp. 86–99,
[6] T. Feng, C. Wang, W. Zhang, and L. Ruan, “Confidentiality protection Feb. 2018.
for distributed sensor data aggregation,” in Proc. IEEE INFOCOM 27th [32] Z. Guan et al., “APPA: An anonymous and privacy preserving data
Conf. Comput. Commun., Phoenix, AZ, USA, 2008, pp. 56–60. aggregation scheme for fog-enhanced IoT,” J. Netw. Comput. Appl.,
[7] C.-X. Liu, Y. Liu, Z.-J. Zhang, and Z.-Y. Cheng, “High energy-efficient vol. 125, pp. 82–92, Jan. 2019.
and privacy-preserving secure data aggregation for wireless sensor [33] L. Zhu et al., “Privacy-preserving authentication and data aggregation for
networks,” Int. J. Commun. Syst., vol. 26, no. 3, pp. 380–394, 2013. fog-based smart grid,” IEEE Commun. Mag., vol. 57, no. 6, pp. 80–85,
[8] F. Li, B. Luo, and P. Liu, “Secure information aggregation for smart grids Jun. 2019.
using homomorphic encryption,” in Proc. 1st IEEE Int. Conf. Smart Grid [34] P. Paillier, “Public-key cryptosystems based on composite degree resid-
Commun., Gaithersburg, MD, USA, 2010, pp. 327–332. uosity classes,” in Proc. Int. Conf. Theory Appl. Cryptograph. Techn.,
[9] J. Lee, K. Kapitanova, and S. H. Son, “The price of security in wireless 1999, pp. 223–238.
sensor networks,” Comput. Netw., vol. 54, no. 17, pp. 2967–2978, 2010. [35] T. ElGamal, “A public key cryptosystem and a signature scheme based
[10] K. Alharbi and X. Lin, “LPDA: A lightweight privacy-preserving on discrete logarithms,” IEEE Trans. Inf. Theory, vol. 31, no. 4,
data aggregation scheme for smart grid,” in Proc. Int. Conf. Wireless pp. 469–472, Jul. 1985.
Commun. Signal Process. (WCSP), Huangshan, China, 2012, pp. 1–6. [36] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the weil
[11] B. Sun, X. Shan, K. Wu, and Y. Xiao, “Anomaly detection based secure pairing,” J. Cryptol., vol. 17, no. 4, pp. 297–319, 2004.
in-network aggregation for wireless sensor networks,” IEEE Syst. J., [37] C.-P. Schnorr, “Efficient identification and signatures for smart cards,”
vol. 7, no. 1, pp. 13–25, Mar. 2013. in Proc. Conf.. Theory Appl. Cryptol., 1989, pp. 239–252.
[12] S. Roy, M. Conti, S. Setia, and S. Jajodia, “Secure data aggregation in [38] P. Benigno and M. Woodford, “Linear-quadratic approximation of
wireless sensor networks,” IEEE Trans. Inf. Forensics Security, vol. 7, optimal policy problems,” J. Econ. Theory, vol. 147, no. 1, pp. 1–42,
pp. 1040–1052, 2012. 2012.
[13] C. Li, R. Lu, H. Li, L. Chen, and J. Chen, “PDA: A privacy-preserving [39] D. F. Aranha, C. P. L. Gouvêa, T. Markmann, R. S. Wahby, and K. Liao.
dual-functional aggregation scheme for smart grid communications,” RELIC Is an Efficient Library for Cryptography. Accessed: Dec. 7, 2020.
Security Commun. Netw., vol. 8, no. 15, pp. 2494–2506, 2015. [Online]. Available: https://github.com/relic-toolkit/relic
[14] H. Bao and L. Chen, “A lightweight privacy-preserving scheme with
data integrity for smart grid communications,” Concurrency Comput.
Pract. Exp., vol. 28, no. 4, pp. 1094–1110, 2016.
[15] Y. Liu, W. Guo, C.-I. Fan, L. Chang, and C. Cheng, “A practical privacy-
preserving data aggregation (3PDA) scheme for smart grid,” IEEE Trans.
Ind. Informat., vol. 15, no. 3, pp. 1767–1774, Mar. 2019.
[16] X. Lin, R. Lu, and X. Shen, “MDPA: Multidimensional privacy-
preserving aggregation scheme for wireless sensor networks,” Wireless
Commun. Mobile Comput., vol. 10, no. 6, pp. 843–856, 2010. Cong Peng received the M.S. degree in applied
[17] R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, “EPPA: An effi- mathematics from Wuhan University, Wuhan, China,
cient and privacy-preserving aggregation scheme for secure smart grid in 2013, where he is currently pursuing the Ph.D.
communications,” IEEE Trans. Parallel Distrib. Syst., vol. 23, no. 9, degree in applied mathematics.
pp. 1621–1631, Sep. 2012. He is with the School of Cyber Science and
[18] W. Jia, H. Zhu, Z. Cao, X. Dong, and C. Xiao, “Human-factor-aware Engineering, Wuhan University and also with the
privacy-preserving aggregation in smart grid,” IEEE Syst. J., vol. 8, no. 2,
Cyberspace Security Research Center, Peng Cheng
pp. 598–607, Jun. 2014.
Laboratory, Shenzhen, China. His major research
[19] X. Liu, Y. Zhang, B. Wang, and H. Wang, “An anonymous data aggre-
gation scheme for smart grid systems,” Security Commun. Netw., vol. 7, interests include elliptic curves, cryptography, and
no. 3, pp. 602–610, 2014. information security.


Min Luo received the Ph.D. degree in computer science from Wuhan University, Wuhan, China, in 2003. He is currently an Associate Professor with the School of Cyber Science and Engineering, Wuhan University. He is with the Shandong Provincial Key Laboratory of Computer Networks, Qilu University of Technology (Shandong Academy of Sciences), Jinan, China. His research interests mainly include applied cryptography and blockchain technology.

Pandi Vijayakumar received the B.E. degree in computer science and engineering from Madurai Kamaraj University, Madurai, India, in 2002, the M.E. degree in computer science and engineering from the Karunya Institute of Technology, Coimbatore, India, in 2005, and the Ph.D. degree in computer science and engineering from Anna University Chennai, Chennai, India, in 2013. He is the Former Dean and presently working as an Assistant Professor with the Department of Computer Science and Engineering, University College of Engineering Tindivanam, Tindivanam, India, which is a constituent college of Anna University Chennai. He has produced four Ph.D. candidates successfully. His current research interests include key management in network security, VANET security, and multicasting in computer networks.

Debiao He (Member, IEEE) received the Ph.D. degree in applied mathematics from the School of Mathematics and Statistics, Wuhan University, Wuhan, China, in 2009. He is currently a Professor with the School of Cyber Science and Engineering, Wuhan University. His main research interests include cryptography and information security, in particular, cryptographic protocols. He has published over 150 research papers in refereed international journals and conferences, such as the IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, IEEE TRANSACTIONS ON INFORMATION SECURITY AND FORENSIC, and Usenix Security Symposium. His work has been cited more than 7000 times at Google Scholar. Prof. He is the recipient of the 2018 IEEE Systems Journal Best Paper Award and the 2019 IET Information Security Best Paper Award. He is with the editorial board of several international journals, such as the Journal of Information Security and Applications, Frontiers of Computer Science, and Human-Centric Computing and Information Sciences.

Omar Said received the Ph.D. degree from Menoufia University, Shibin el Kom, Egypt, in 2005. He is currently an Associate Professor with the Department of Information Technology, College of Computers and Information Technology, Taif University, Taif, Saudi Arabia. In addition, he is an Associate Professor with the Faculty of Science, Menoufia University. He has authored many articles in international journals and conferences. His research areas are Internet of Things, network management, Internet protocols, routing, multimedia communication, QoS, and wireless communication.

Amr Tolba received the M.Sc. and Ph.D. degrees from the Mathematics and Computer Science Department, Faculty of Science, Menoufia University, Shibin el Kom, Egypt, in 2002 and 2006, respectively. He is currently an Associate Professor with the Faculty of Science, Menoufia University. He is currently on leave from Menoufia University to the Computer Science Department, Community College, King Saud University, Riyadh, Saudi Arabia. He has authored/coauthored over 85 scientific papers in top-ranked (ISI) international journals and conference proceedings. His main research interests include socially aware networks, vehicular ad hoc networks, Internet of Things, intelligent systems, big data, recommender systems, and cloud computing. Dr. Tolba serves as a technical program committee member of several conferences.
