PUDA – Privacy and Unforgeability for Data Aggregation

Conference paper. In: Cryptology and Network Security (CANS 2015). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9476)

Abstract

Existing work on secure data collection and secure aggregation is mainly focused on confidentiality issues. That is, ensuring that the untrusted Aggregator learns only the aggregation result without divulging individual data inputs. In this paper however we consider a malicious Aggregator which is not only interested in compromising users’ privacy but also is interested in providing bogus aggregate values. More concretely, we extend existing security models with the requirement of aggregate unforgeability. Moreover, we instantiate an efficient protocol for private and unforgeable data aggregation that allows the Aggregator to compute the sum of users’ inputs without learning individual values and constructs a proof of correct computation that can be verified by any third party. The proposed protocol is provably secure and its communication and computation overhead is minimal.


References

  1. Akinyele, J.A., Green, M., Rubin, A.D.: Charm: a tool for rapid cryptographic prototyping. http://www.charm-crypto.com/Main.html

  2. Akinyele, J.A., Green, M., Rubin, A.D.: Charm: a framework for rapidly prototyping cryptosystems. IACR Cryptology ePrint Archive, 2011:617 (2011). http://eprint.iacr.org/2011/617.pdf

  3. Backes, M., Fiore, D., Reischuk, R.M.: Verifiable delegation of computation on outsourced data. In: ACM Conference on Computer and Communications Security, pp. 863–874 (2013)

  4. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: EUROCRYPT, pp. 416–432 (2003)

  5. Camenisch, J.L., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004)

  6. Catalano, D., Fiore, D.: Practical homomorphic MACs for arithmetic circuits. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 336–352. Springer, Heidelberg (2013)

  7. Catalano, D., Fiore, D., Warinschi, B.: Homomorphic signatures with efficient verification for polynomial functions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 371–389. Springer, Heidelberg (2014)

  8. Catalano, D., Marcedone, A., Puglisi, O.: Authenticating computation on groups: new homomorphic primitives and applications. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 193–212. Springer, Heidelberg (2014)

  9. Choi, S.G., Katz, J., Kumaresan, R., Cid, C.: Multi-client non-interactive verifiable computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 499–518. Springer, Heidelberg (2013)

  10. Freeman, D.M.: Improved security for linearly homomorphic signatures: a generic framework. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 697–714. Springer, Heidelberg (2012)

  11. Joye, M., Libert, B.: A scalable scheme for privacy-preserving aggregation of time-series data. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 111–125. Springer, Heidelberg (2013)

  12. Kursawe, K., Danezis, G., Kohlweiss, M.: Privacy-friendly aggregation for the smart-grid. In: Fischer-Hübner, S., Hopper, N. (eds.) PETS 2011. LNCS, vol. 6794, pp. 175–191. Springer, Heidelberg (2011)

  13. Leontiadis, I., Elkhiyaoui, K., Molva, R.: Private and dynamic time-series data aggregation with trust relaxation. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) CANS 2014. LNCS, vol. 8813, pp. 305–320. Springer, Heidelberg (2014)

  14. Leontiadis, I., Elkhiyaoui, K., Önen, M., Molva, R.: Private and unforgeable data aggregation. IACR Cryptology ePrint Archive (2015). http://eprint.iacr.org/2015/562.pdf

  15. Lynn, B.: The Stanford pairing based crypto library. http://crypto.stanford.edu/pbc

  16. Lysyanskaya, A., Rivest, R., Sahai, A., Wolf, S.: Pseudonym systems. In: Heys, H., Adams, C. (eds.) Selected Areas in Cryptography. LNCS, vol. 1758, pp. 184–199. Springer, Heidelberg (2000)

  17. Shi, E., Chan, T.-H.H., Rieffel, E.G., Chow, R., Song, D.: Privacy-preserving aggregation of time-series data. In: NDSS (2011)

  18. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)

  19. Sun, H.-M., Lin, Y.-H., Hsiao, Y.-C., Chen, C.-M.: An efficient and verifiable concealed data aggregation scheme in wireless sensor networks. In: International Conference on Embedded Software and Systems, ICESS 2008, pp. 19–26, July 2008

Acknowledgments

We thank the anonymous reviewers for their suggestions for improving this paper. The research leading to these results was partially funded by the FP7-USERCENTRICNETWORKING European ICT project under grant number 611001.

Author information

Corresponding author: Iraklis Leontiadis.

Appendices

A Security Evidence for the \(\mathsf {LEOM}\) Assumption

In this section we provide evidence for the hardness of the new \(\mathsf {LEOM}\) assumption by bounding the success probability of an adversary \(\mathcal{A}\) that presumably breaks it. We follow the generic group model (GGM) of Shoup [18]: \(\mathcal{A}\) has access to a black box that models the underlying groups in which the assumption is stated. \(\mathcal{A}\) knows nothing about these groups except their order p; it submits group-operation queries on encodings of its choice, and the black box answers through random encoding functions \(\xi _c: \mathbb {G}_c \rightarrow \{0,1\}^{\lceil {\log _2p}\rceil }\), \(c\in \{1,2,T\}\), that represent the elements of \(\mathbb {G}_1\), \(\mathbb {G}_2\) and \(\mathbb {G}_T\).

Theorem 5

Suppose \(\mathcal{A}\) is a probabilistic polynomial-time adversary against the \(\mathsf {LEOM}\) assumption that makes at most \(q_G\) oracle queries in total, counting group-operation queries on \(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T\) and queries to the \(\mathcal {O}_{\mathsf {LEOM}}\) oracle together. Then the probability \(\epsilon _2\) that \(\mathcal{A}\) breaks the \(\mathsf {LEOM}\) assumption is bounded as follows:

$$\epsilon _2 \le \frac{(q_G)^2}{p}.$$

Due to space limitations we include the proof in the full version [14].

B Aggregate Unforgeability

Theorem 3

Our scheme achieves Aggregate Unforgeability against a Type I Forgery under the \(\mathsf {BCDH}\) assumption in the random oracle model.

Proof

We show how to build an adversary \({\mathcal {B}}\) that solves \(\mathsf {BCDH}\) in (\(\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T\)) using an Aggregator \(\mathcal{A}\) that outputs a Type I Forgery. Let \(g_1\) and \(g_2\) be generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\) respectively. \({\mathcal {B}}\) receives the challenge \((g_1,g_2,g_1^a,g_1^b,g_1^c,g_2^a,g_2^b)\) from the \(\mathsf {BCDH}\) oracle \(\mathcal {O}_\mathsf{{\mathsf {BCDH}}}\) and must output \(e(g_1,g_2)^{abc} \in \mathbb {G}_T\). \({\mathcal {B}}\) simulates the interaction with \(\mathcal{A}\) in the Learning phase as follows:

Setup:

  • To simulate the \(\mathcal {O}_\mathsf{{Setup}}\) oracle, \({\mathcal {B}}\) selects uniformly at random 2n keys \(\{\mathsf {ek}_i\}_{i=1}^n\), \(\{\mathsf {tk}_i\}_{i=1}^n \in \mathbb {Z}_p\) and outputs the public parameters \(\mathcal {P}=(\kappa ,p,g_1,g_2,\mathbb {G}_1,\mathbb {G}_2)\), the verification key \(\mathsf {VK}=(\mathsf {vk}_1,\mathsf {vk}_2)=(g_2^{b\sum _{i=1}^n{\mathsf {tk}_i}},g_2^a)\) and the secret key of the Aggregator \(\mathsf {SK}_A=-\sum _{i=1}^n\mathsf{{ek}_i}\). Note that \(\mathsf {vk}_1=(g_2^b)^{\sum _{i=1}^n{\mathsf {tk}_i}}\) is computable from the challenge without knowing b, and that the exponent a behind \(\mathsf {vk}_2\) is never known to \({\mathcal {B}}\).

Learning Phase

  • \(\mathcal{A}\) is allowed to query the random oracle H for any time interval t. \({\mathcal {B}}\) maintains an \(\mathtt {H-list}\) and responds to \(\mathcal{A}\)'s query as follows:

    1. If the query t already appears in an H-tuple \(\langle t: r_t,\mathsf {coin}(t),H(t)\rangle \) of the \(\mathtt {H-list}\), \({\mathcal {B}}\) responds with H(t).

    2. Otherwise \({\mathcal {B}}\) selects a random \(r_t \in \mathbb {Z}_p\) and flips a biased coin \(\mathsf {coin}(t) {\,\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}\,}\{0,1\}\) with \(\Pr [\mathsf {coin}(t)=0]=\pi \). If \(\mathsf {coin}(t)=0\), \({\mathcal {B}}\) answers with \(H(t)=g_1^{r_t}\); if \(\mathsf {coin}(t)=1\), \({\mathcal {B}}\) answers with \(H(t)=(g_1^c)^{r_t}=g_1^{cr_t}\). In both cases \({\mathcal {B}}\) adds the new tuple \(\langle t: r_t,\mathsf {coin}(t),H(t)\rangle \) to the \(\mathtt {H-list}\).

  • Whenever \(\mathcal{A}\) submits a query (\(t,\mathsf {uid}_i,x_{i,t}\)) to \(\mathcal {O}_\mathsf{{EncTag}}^{\mathcal{A}}\), \({\mathcal {B}}\) responds as follows:

    1. \({\mathcal {B}}\) calls the simulated random oracle on t, obtaining H(t) together with its tuple \(\langle t: r_t,\mathsf {coin}(t),H(t)\rangle \) from the \(\mathtt {H-list}\).

    2. If \(\mathsf {coin}(t)=1\), \({\mathcal {B}}\) stops the simulation.

    3. Otherwise \({\mathcal {B}}\) takes the secret tag key \(\mathsf {tk}_i\), with \(i=\mathsf {uid}_i\), from the set \(\{\mathsf {tk}_i\}\) chosen in the Setup phase.

    4. \({\mathcal {B}}\) sends \(\mathcal{A}\) the tag \({\mathsf {\sigma }}_{i,t}=g_1^{r_tb\mathsf {tk}_i}g_1^{ax_{i,t}}=H(t)^{b\mathsf {tk}_i}g_1^{ax_{i,t}}\), which is a valid tag for the value \(x_{i,t}\) under the simulated keys. \({\mathcal {B}}\) computes it as \((g_1^b)^{r_t\mathsf {tk}_i}(g_1^a)^{x_{i,t}}\) from the \(\mathsf {BCDH}\) challenge values \(g_1^a, g_1^b\) alone, without knowing a or b.

    5. \({\mathcal {B}}\) also takes the secret encryption key \(\mathsf {ek}_i \in \{\mathsf {ek}_i\}_{i=1}^n \subset \mathbb {Z}_p\) and computes the ciphertext \(c_{i,t}=H(t)^{\mathsf {ek}_i} g_1^{x_{i,t}}\). The simulation is consistent: once \(\mathcal{A}\) has made distinct encryption queries for all n users at time interval t, it can check with its decryption key \(\mathsf {SK}_A=-\sum _{i=1}^n\mathsf{{ek}_i}\) that the ciphertexts returned by \({\mathcal {B}}\) decrypt to \(\sum _{i=1}^n{x_{i,t}}\).

Now, when \({\mathcal {B}}\) receives the forgery \((\mathsf{sum_{t^*}}^*,{\mathsf {\sigma _{t^*}}}^*)\) for a time interval \(t^*\), it continues only if \(\mathsf{sum_{t^*}}^* \ne \Sigma _{t^*}\), the true sum at \(t^*\). \({\mathcal {B}}\) first looks up the H-tuple for \(t^*\) in the \(\mathtt {H-list}\).

  • If \(\mathsf {coin}(t^*)=0\) then \({\mathcal {B}}\) aborts.

  • If \(\mathsf {coin}(t^*)=1\) then, since \(\mathcal{A}\) outputs a valid forged \({\mathsf {\sigma _{t^*}}}^*\) at \(t^*\), the verification equation

    $$\begin{aligned} e({\mathsf {\sigma _{t^*}}}^*,g_2)=e(H(t^*),\mathsf {vk}_1)e(g_1^{\mathsf{sum_{t^*}}^*},\mathsf {vk}_2) \end{aligned}$$

    holds. With \(H(t^*)=g_1^{cr_{t^*}}\), \(\mathsf {vk}_1=g_2^{b\sum {\mathsf {tk}_i}}\) and \(\mathsf {vk}_2=g_2^a\), bilinearity and non-degeneracy of the pairing force \({\mathsf {\sigma _{t^*}}}^*=g_1^{cr_{t^*}b\sum {\mathsf {tk}_i}}g_1^{a\mathsf{sum_{t^*}}^*}\); note that \(\mathsf {vk}_1\) aggregates the tag keys of all n users, so the forged tag must account for all of them. \({\mathcal {B}}\) knows \(g_1^{a\mathsf{sum_{t^*}}^*}=(g_1^a)^{\mathsf{sum_{t^*}}^*}\), \(r_{t^*}\) and \(\sum {\mathsf {tk}_i}\) (with \(r_{t^*}\sum {\mathsf {tk}_i}\ne 0 \bmod p\) with overwhelming probability), and finally outputs:

    $$\begin{aligned} e\Big(\Big(\frac{{\mathsf {\sigma _{t^*}}}^*}{g_1^{a\mathsf{sum_{t^*}}^*}}\Big)^{\frac{1}{r_{t^*}\sum {\mathsf {tk}_i}}},g_2^a\Big)&=e\Big(\Big(\frac{g_1^{cr_{t^*}b\sum {\mathsf {tk}_i}}g_1^{a\mathsf{sum_{t^*}}^*}}{g_1^{a\mathsf{sum_{t^*}}^*}}\Big)^{\frac{1}{r_{t^*}\sum {\mathsf {tk}_i}}},g_2^a\Big)\\ &=e\Big((g_1^{cr_{t^*}b\sum {\mathsf {tk}_i}})^{\frac{1}{r_{t^*}\sum {\mathsf {tk}_i}}},g_2^a\Big)= e(g_1^{bc},g_2^a)=e(g_1,g_2)^{abc} \end{aligned}$$

Let \(\mathcal{A}^{\mathbf {AU1}}\) be the event that \(\mathcal{A}\) outputs a Type I forgery \({\mathsf {\sigma _t}}\) for our PUDA protocol, which by assumption happens with non-negligible probability \(\epsilon '\). Let \(\mathtt {event_0}\) be the event that \(\mathsf {coin}(t)=0\) for every time interval t queried to \(\mathcal {O}_\mathsf{{EncTag}}\) in the learning phase (so \({\mathcal {B}}\) never stops), and \(\mathtt {event_1}\) the event that \(\mathsf {coin}(t^*)=1\) in the challenge phase (so \({\mathcal {B}}\) does not abort). With \(\mathtt {q_H}\) random oracle queries and \(\Pr [\mathsf {coin}(t)=0]=\pi \), \({\mathcal {B}}\) solves \(\mathsf {BCDH}\) whenever \(\mathcal{A}^{\mathbf {AU1}}\), \(\mathtt {event_0}\) and \(\mathtt {event_1}\) all occur, which contradicts the hardness of the \(\mathsf {BCDH}\) assumption. Hence \(\Pr [\mathcal{A}^{\mathbf {AU1}}]\le \epsilon _1\), where \(\epsilon _1\) is a negligible function.

Theorem 4

Our scheme guarantees aggregate unforgeability against a Type II Forgery under the \(\mathsf {LEOM}\) assumption.

Proof

(Sketch). We show how an adversary \({\mathcal {B}}\) breaks the \(\mathsf {LEOM}\) assumption using an Aggregator \(\mathcal{A}\) that provides a Type II Forgery with non-negligible probability. \({\mathcal {B}}\) simulates oracle \(\mathcal {O}_\mathsf{{Setup}}\) as follows: it first picks secret encryption keys \(\{\mathsf {ek}_i\}_{i=1}^n\) and sets the corresponding decryption key \(\mathsf {SK}_A=-\sum _{i=1}^n{\mathsf {ek}_i}\). Then it forwards to \(\mathcal{A}\) the public parameters \(\mathcal {P}=(p,g_1,g_2,\mathbb {G}_1,\mathbb {G}_2)\), the public key \((\mathsf {vk}_1, \mathsf{vk}_2)= (g_2^{\sum _{i=1}^n{k_i}}, g_2^{a})\) of the \(\mathcal {O}_{\mathsf {LEOM}}\) oracle, and the secret key \(\mathsf {SK}_A=-\sum _{i=1}^n{\mathsf {ek}_i}\).

Afterwards, when \({\mathcal {B}}\) receives a query \((t, \mathsf{uid}_i, x_{i, t})\) for oracle \(\mathcal {O}_\mathsf{{EncTag}}\), it calls oracle \(\mathcal {O}_{\mathsf {LEOM}}\) on the tuple \((h_t = H(t), i, x_{i,t})\). \(\mathcal {O}_{\mathsf {LEOM}}\) returns \(h_t^{k_i}g_1^{ax_{i, t}}\), and \({\mathcal {B}}\) hands \(\mathcal{A}\) the tag \(\sigma _{i, t} = h_t^{k_i}g_1^{ax_{i, t}}\) together with the ciphertext \(c_{i,t}=H(t)^{\mathsf {ek}_i}g_1^{x_{i,t}}\) computed with the encryption key \(\mathsf {ek}_i\) it chose in Setup, as in the proof of Theorem 3. Note that if we define the tag key \(\mathsf{tk}_i\) of user \(\mathcal {U}_i\) as \(k_i\), then the tag \({\mathsf {\sigma }}_{i,t}=h_t^{k_i}g_1^{a x_{i,t}}\) is computed correctly.

Eventually with a non-negligible advantage, Aggregator \(\mathcal{A}\) outputs a Type II Forgery \((t^*, \mathsf{sum}_{t^*}, \sigma _{t^*})\) that verifies:

$$e(\sigma _{t^*}, g_2) = e(H(t^*), \mathsf{vk}_1)e(g_1^{\mathsf{sum}_{t^*}}, \mathsf{vk}_2) $$

where \(t^*\) was previously queried by Aggregator \(\mathcal{A}\) and \(\mathsf{sum}_{t^*} \ne \sum _{i=1}^n x_{i, t^*}\).

It follows that \({\mathcal {B}}\) breaks the \(\mathsf {LEOM}\) assumption with a non-negligible probability by outputting the tuple \((H(t^*), \mathsf{sum}_{t^*}, \sigma _{t^*})\). This leads to a contradiction under the \(\mathsf {LEOM}\) assumption. We conclude that our scheme guarantees aggregate unforgeability for a Type II Forgery under the \(\mathsf {LEOM}\) assumption.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Leontiadis, I., Elkhiyaoui, K., Önen, M., Molva, R. (2015). PUDA – Privacy and Unforgeability for Data Aggregation. In: Reiter, M., Naccache, D. (eds) Cryptology and Network Security. CANS 2015. Lecture Notes in Computer Science, vol 9476. Springer, Cham. https://doi.org/10.1007/978-3-319-26823-1_1

  • DOI: https://doi.org/10.1007/978-3-319-26823-1_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26822-4

  • Online ISBN: 978-3-319-26823-1