Privacy-Preserving Data Aggregation against False Data Injection Attacks in Fog Computing

Abstract

As an extension of cloud computing, fog computing has received more attention in recent years. It can solve problems such as high latency, lack of support for mobility and location awareness in cloud computing. In the Internet of Things (IoT), a series of IoT devices can be connected to the fog nodes that assist a cloud service center to store and process a part of data in advance. Not only can it reduce the pressure of processing data, but also improve the real-time and service quality. However, data processing at fog nodes suffers from many challenging issues, such as false data injection attacks, data modification attacks, and IoT devices’ privacy violation. In this paper, based on the Paillier homomorphic encryption scheme, we use blinding factors to design a privacy-preserving data aggregation scheme in fog computing. No matter whether the fog node and the cloud control center are honest or not, the proposed scheme ensures that the injection data is from legal IoT devices and is not modified and leaked. The proposed scheme also has fault tolerance, which means that the collection of data from other devices will not be affected even if certain fog devices fail to work. In addition, security analysis and performance evaluation indicate the proposed scheme is secure and efficient.

1. Introduction

In recent years, cloud computing has developed rapidly with its advantages of ultra-large-scale storage, powerful computing power, high scalability, and low cost [1]. Any company or individual can access cloud computing servers through a payment mode [2,3,4,5,6]. At the same time, with the advancement of computer technology and the development of big data, artificial intelligence, and the Internet of Things (IoT), the demand for data interaction analysis for mass terminals has rapidly increased [7,8,9]. Under the circumstances, all data files are uploaded to the cloud for processing, which will be given cost and performance pressures to the network. Especially for IoT, it is difficult to meet the low latency requirements of real-time processing [10,11]. In 2012, Cisco proposed the concept of “fog computing” in [12] to address the high latency, the lack of support for mobility and location awareness of cloud computing. The idea is to transfer some of the storage and calculation operations on the cloud to the infrastructure device, that is, fog node, which belongs to the edge network. In other words, fog computing is an extension of cloud computing. The perfect combination of cloud and fog computing makes the network more efficient.

In the smart grid, Internet of Vehicles (IoV), smart home [13], smart health [14] and other IoT application scenarios [15,16,17,18], these hybrid IoT devices’ data can be sent to the control center through fog nodes. The data often contains user’s privacy [19,20,21,22,23,24]. For instance, heart monitors are related to the life safety of each user [25], and smart meters in smart grid collect power data which reflects users’ daily lives [26,27,28,29]. In smart grid, a power company collects smart meter’s data and analyzes them to ensure that the power system runs efficiently [30].

Because the fog nodes are deployed at the edge of the network and low-traffic nodes, they are more vulnerable to hackers. Once user’s information is leaked, it will have a bad influence [31], and the sensitive data must be encrypted before uploading [32,33]. In addition, when a large number of IoT device data is transmitted to fog nodes, it will not only affect the requirements for a real-time response of IoT, but also cause problems such as network congestion. At this time, the data aggregation based on homomorphic encryption applied to fog devices is particularly important [34,35,36,37]. Specifically, when the fog device sends the aggregated data instead of the data of each IoT device to the control center, the communication overhead will be greatly reduced, although the security and privacy issues are needed to be addressed [38]. In fact, data aggregation technology is widely used in various communication networks to save bandwidth [39,40,41,42,43,44].

In this paper, we propose a privacy-preserving data aggregation scheme based on homomorphic encryption in fog computing (PDAF). At a time slot, each IoT device will report its sensing data to a fog node after the data is blinded by two secret keys and a blinding factor. The data is then collected by the control center so that the entire IoT network runs efficiently. These blinded data are aggregated by fog devices at the edge of the network. All the aggregated values are sent by the fog device to the control center, and the fog device is able to detect faulty IoT devices. Upon receiving the packet, the control center can generate relevant secret keys and get the total amount of IoT devices’ sensing data at each time slot from the aggregated blinded data. For the sake of security, packets transmitted during the communication process should be verified. In the PDAF system, only the control center can know the total amount of IoT devices’ sensing data at each time slot, and individual IoT device data is hidden. Our security and privacy analysis indicates that PDAF is secure against false data injection attacks and data modification and it can protect data privacy. Extensive evaluations show that PDAF is very efficient in terms of the computation and communication cost.

1.1. Related Work

In 2004, the International Telecommunication Union (ITU) expanded the concept of the IoT: Interconnections at any time, anywhere, arbitrary objects, ubiquitous networks and ubiquitous computing [45]. Cisco [12] pointed that the Internet of Things as a delay-sensitive application, which requires high real-time performance. In the era of the Internet of Everything, a new platform called fog computing is needed to support it. The author considered fog computing as a new application and service, and that there is a fruitful interaction between cloud and fog, especially in data management and analysis. In simple terms, the fog is a cloud close to the ground.

In IoT, in order to reduce communication costs, it is essential to aggregate individual IoT device’s data at associated fog device. In the previous researches, some privacy-preserving data aggregation schemes [10,26,27,30,37,46] are related to our PDAF scheme. In addition, blockchain technologies have been used for realizing fair payment in cloud computing and fog computing [47,48,49]. Zhang et al. [27] designed a privacy-preserving communication and power injection scheme over vehicle networks and 5G smart grid slice based on the Paillier encryption. In the scheme, a novel aggregation technique called hash-then-homomorphic is used to aggregate the blinded bids of different time slots. Mahmoud et al. [30] adopted two data different aggregation schemes using point addition and homomorphic encryption. Shen et al. [37] proposed a privacy-preserving multilevel user’s data aggregation and control scheme, it extended the previous one-dimensional data aggregation to two dimensions and is more suitable for practical application environments. Zhou et al. [46] also proposed a multidimensinal data aggregation scheme and is fault-tolerant. However, Zhang et al. [26] considered the EPPI scheme based on point addition is safer and more efficient. In fact, EPPI guarantees that privacy will not be leaked even if all entities in the actual application scene are dishonest. But the EPPI scheme is not fault-tolerant. Although the above schemes are suitable for fog computing-enhanced IoT, they cannot aggregate all hybrid IoT devices’ data into a single ciphertext. For fog computing-enhanced IoT, Lu et al. [10] designed a lightweight privacy-preserving data aggregation scheme which is secure and fault-tolerant, but the third-party trusted authority in this system will inevitably increase the communication overhead of the system. Different from the above schemes, in PDAF, the third-party trusted authority is not needed and data privacy is still preserved. We use the modified Paillier encryption to enable the fog device to aggregate hybrid IoT devices’ data into a single ciphertext and keep it fault-tolerant.

1.2. Our Contribution

In PDAF, we have made improvements based on the Paillier homomorphic encryption scheme, each IoT device can generate two secret key and a blinding factor to mask its sensitive data, and it sends the masked data to the related fog node based on wireless network. Upon receiving packets from all hybrid IoT devices, the control center can only obtain the total within the limited range instead of directly reading data of a single IoT device. Because of the blinding factor, the control center also can correctly decrypt the aggregated data in the event that an IoT device fails to send messages to the fog device. In fact, the proposed PDAF scheme is fault-tolerant. In the second place, the PDAF scheme realizes privacy protection. We notice that the fog device and the control center are curious about the sensitive data to be reported by a single IoT device or the aggregated data by the fog device. In PDAF, the attacker will not get any privacy about the user, nor can it forge or change the ciphertext to be sent to the fog device. In addition, an efficient batch verification method is adopted in order to verify the signatures of multiple users instead of verifying one by one and the computation overhead of the fog device is reduced.

1.3. Organization

The remaining of this paper is organized as follows. In Section 2, we introduce our system model and review some preliminary knowledge. Then, we describe the proposed PDAF scheme in detail in Section 3. Next, we give the security and privacy analysis of the proposed PDAF scheme in Section 4, followed by performance evaluation in Section 5. Finally, in Section 6, we draw our conclusions.

2. Models and Security Requirements

In this section, we formalize our system model, adversary model, security requirements and design goal, and give a brief review on preliminary knowledge which will serve as the building blocks of the proposed PDAF scheme.

2.1. System Model

As shown in Figure 1, the considered system model of PDAF includes a control center, some fog devices at the network edge, and some hybrid IoT devices, which each hybrid IOT device involves a set of heterogeneous IoT devices $U=\{HI{D}_1,HI{D}_2,\dots ,HI{D}_n\}$.

• Control center. During communication, the control center generates system parameters and is responsible for registration of fog devices and IoT devices. It also collects all IoT devices data $(m_1,m_2,\dots ,m_n)$ via fog devices periodically and analyzes the data replied by fog devices. Please note that CC cannot directly get $m_i(1\le i\le n)$ which containing the user’s privacy. In addition, when an IoT device fails to send a message, it is also necessary to make the aggregation of other users’ information unaffected. where, the control center communicates with the IoT devices via the Internet network.
• Fog devices. A fog device is also a fog node and is the most critical part of the fog computing between the hybrid IoT devices and the control center. Fog devices can be memory routers, small servers or smart phones that are deployed at the edge network. In PDAF, the fog device will forward data packets from the control center to IoT devices in their jurisdictions, aggregate all IoT devices’ data, and discover faulty IoT devices and report to control center for countermeasures.
• Hybrid IoT devices. With sensing and communication capabilities, the IoT devices HID${}_i$ ($i=1,2,\dots ,n$) are deployed at an area in need and enable to periodically report its sensing result $m_i$ to control center through the relevant fog device.

2.2. Adversary Model

In the proposed PDAF scheme, we assume all the entities are “honest-but-curious”. More specifically, they can legitimately do their assigned tasks, but are also curious about the privacy of IoT devices, such as the control center that can intercept data from a single IoT device to gain private information about the device owner and other financial benefits information. Please note that although the entities are “curious”, they cannot collude. Similarly, each IoT device also wants to know the data of other IoT devices to determine if it is profitable. In addition, certain IoT devices may fail and stop to report for some time. Here, we assume that each IoT device can only send packets within this fog computing coverage area. It is also possible that an attacker resides between an IoT device and the control center and tries to establish two scert keys such that the IoT device and the control center seems to communication directly. In addition, some IoT attackers and outsiders are also interested in other sensitive information in the fog computing. In PDAF, we focus on the privacy-preserving data aggregation, in which false data injection attacks and data modification can be prevented.

2.3. Security Requirements and Design Goal

Considering the IoT and fog computing practical application environment, in order to prevent from these attackers getting sensitive data of IoT devices, our scheme should meet the following security requirements:

(1)

Privacy Protection. Even if the attacker intercepts the communication data transmitted on the insecure channel, it cannot obtain the sensitive data of the IoT devices. The control center can decrypt the aggregated data but cannot get the individual information of a single device.

(2)

Non-Repudiation and Unforgeability. The control center and the fog devices can verify the received data packets to ensure that the data packets come from the legal unit and has not been tampered, that is, the proposed scheme can defeat the false injection attack and detect the malicious attack. Besides, the adversary should not impersonate the control center, the fog devices, or the IoT devices.

Under the considered system model and security requirements, our design goal is to propose a privacy-preserving data aggregation scheme based on homomorphic encryption in fog computing. First, private data of IoT devices cannot be compromised. Second, the proposed scheme should be fault-tolerant. When certain IoT devices fail to work, they should be detected by the associated fog device and reported to the control center. Third, the control center and the fog device are able to authenticate the received packets to make sure that the packets have not been modified during the transmission and are really from legal IoT devices. Finally, if the proposed scheme effectively reduces the amount of channel transmission and improves the data processing efficiency of each entity, then the proposed scheme will be more practical.

3. Proposed PDAF Scheme

In this section, we propose a privacy-preserving data aggregation scheme based on homomorphic encryption in fog computing, which consists of the following parts: preliminaries, system initialization, data collection request, hybrid IoT devices report, privacy-preserving aggregated data generation, privacy-preserving aggregated data decryption, and fault tolerance mechanism. Figure 2 summarizes the six phases of the proposed scheme. The details are given in the following:

3.1. Preliminaries

In this subsection, we give a brief review of bilinear pairings and the Paillier encryption algorithm.

3.1.1. Bilinear Pairings

Let $G_1$, $G_2$ be a cyclic addition group and a cyclic multiplication group of prime order q and $P_0\in G_1$ be a generator. We call ê a bilinear pairing if ê: $G_1\times G_1\to G_2$ is a map with the following properties:

(1)

Bilinear: For all $a,b\in Z_q^{\ast }$, ê$(a{P}_0,b{P}_0)=$ ê${(P_0,P_0)}^{ab}$.

(2)

Non-degenerate: ê$(P_0,P_0)\ne 1_{G_1}$.

(3)

Computable: For all $P_0,Q\in G_1$, there is an efficient algorithm to compute ê$(P_0,Q)$.

3.1.2. Paillier Encryption Algorithm

Paillier encryption is a homomorphic encryption algorithm that consists of three algorithms: key generation, encryption, and decryption. The special as follow:

• Key Generation: Given a safety parameter $\kappa$, choose two large primes p and q, where $\mid p\mid =\mid q\mid =\kappa$, compute $N=pq$ and $\lambda =lcm(p-1,q-1)$, define the function $L\left(u\right)=\frac{u-1}{N}$, select the generator $g\in Z_{N^2}^{\ast }$ and get the public key $pk=(N,g)$ and the secret key $\lambda$.
• Encryption: Given a message $M\in Z_N$, a random number $r\in Z_N^{\ast }$ and calculate the ciphertext $C=g^M·r^{N}mod{N}^2$.
• Decryption: Given ciphertext $C\in Z_{N^2}^{\ast }$, the corresponding plaintext is $M=\frac{L\left(C^{\lambda }mod{N}^2\right)}{L\left(g^{\lambda }mod{N}^2\right)}modN$.

3.2. Details of PDAF

3.2.1. System Initialization

(1)

System parameters generated: In the system parameters generation stage, the control center (CC) selects the security parameter $\kappa$ and generates $(q,P_0,G_1,G_2,$ê) by running $gen\left(\kappa \right)$. Then, CC selects g as a generator of $Z_{N^2}^{\ast }$, the security parameter ${\kappa }_1$ and two safe large prime numbers $p,q$. Computing a homomorphic encryption public key pair $(N=p_1{q}_1,g)$ and the corresponding private key $\lambda =lcm(p_1-1,q_1-1)$. Next, CC defines a function $L\left(x\right)=\frac{x-1}{N}$ and chooses five secure cryptographic hash functions, $H:{\{0,1\}}^{\ast }\to Z_N^{\ast }$, $H_1:G_2\to Z_q^{\ast }$, $H_2:{\{0,1\}}^{\ast }\to G_1$, $H_3:{\{0,1\}}^{\ast }\to Z_q^{\ast }$, $H_4:G_1\to Z_q^{\ast }$ and a random element $s{k}_{cc}$ as its secret key and calculates $P{K}_{cc}=s{k}_{cc}{P}_0$ as its public key. Finally, CC publishes the public parameters {$(q,P_0,G_1,G_2,$ê$,N,H,H_1,H_2,H_3,H_4$}.

(2)

Registration:

-

Fog Devices Registration.

The fog device (FD) chooses a random element $s{k}_{fd}$ as its secret key and calculates $P{K}_{fd}=s{k}_{fd}{P}_0$ as its public key. Choosing random number $x\in Z_q^{\ast }$ and calculating $\alpha =H_3(x\parallel I{D}_{fd})P_0$, $\beta =H_3(x\parallel I{D}_{fd})-s{k}_{fd}{H}_4\left(\alpha \right)modq$, where, $I{D}_{fd}$ is the identity of the fog device. Then, FD sends the parameters {$P{K}_{fd},\alpha ,\beta ,I{D}_{fd}$} to CC. After receiving the parameters {$P{K}_{fd},\alpha ,\beta ,I{D}_{fd}$}, CC verifies whether the equation $\alpha =\beta P_0+H_4\left(\alpha \right)P{K}_{fd}$ holds. If passed, CC publishes the public parameters {$P{K}_{fd},I{D}_{fd}$}, otherwise, refused to register.

-

Hybrid IoT Devices Registration. HID${}_i(i=1,2,\dots ,n)$ chooses a random element $s{k}_i$ as its secret key and calculates $P{K}_i=s{k}_i{P}_0$ as its public key. HID${}_i$ Chooses random number $x_i\in Z_q^{\ast }$ and calculates ${\alpha }_i=H_3(x_i\parallel I{D}_i)P_0$, ${\beta }_i=H_3(x_i\parallel I{D}_i)-s{k}_i{H}_4\left({\alpha }_i\right)modq$, where, $I{D}_i$ is the identity of the hybrid IoT device. Then, HID${}_i$ sends the parameters {$P{K}_i,{\alpha }_i,\beta ,I{D}_i$} to CC. After receiving the parameters {$P{K}_i,{\alpha }_i,\beta ,I{D}_i$}, CC verifies whether the equation ${\alpha }_i={\beta }_i{P}_0+H_4\left({\alpha }_i\right)P{K}_i$ holds. If passed, CC publishes the public parameters {$P{K}_i,I{D}_i$}, otherwise, refused to register.

(3)

Blinding Factor Generated: After completing the registration, CC runs pseudo-random generator and generates n random numbers ${\varphi }_i\in Z_N$ as a blinding factor for HID${}_i$ under each FD region and computers ${\varphi }_0=-({\varphi }_1+{\varphi }_2+\dots +{\varphi }_{n}modN)$ as FD’s blinding factor. Please note that ${\varphi }_i$ and ${\varphi }_0$ are satisfied ${\sum }_{i=0}^n{\varphi }_i\equiv 0modN$. Then, CC sends ${\varphi }_0$ to the registered FD, and sends ${\varphi }_i$ to the registered HID${}_i$.

3.2.2. Data Collection Request

In PDAF, the control center can collect data from related fog devices during every time slot $T_s$. To be specific, CC sends data collection request (Data_Req) packet that contains parameters {$I{D}_{cc},I{D}_{fd},T_s,r_{cc}{P}_0,TS,{\sigma }_{cc}$} to fog devices. Where, $I{D}_{cc}$ and $I{D}_{fd}$ is the identity of the control center and fog device respectively. Please note that $r_{cc}\in Z_q^{\ast }$ is a random number, each IOT device uses the secret key $r_{cc}{P}_0$ to establish a one-time key shared with the control center. Timestamp TS and ${\sigma }_{cc}=s{k}_{cc}{H}_2(I{D}_{cc}\parallel I{D}_{fd}\parallel T_s\parallel r_{cc}{P}_0\parallel TS)$ will be used for verifying by the fog devices. Then, the fog device runs the following steps after receiving the Data_Req packet:

(1)

According to the difference between the current time and the timestamp TS, FD checks the freshness of Data_Req packet.

(2)

FD verifies the signature by computing if ê $({\sigma }_{cc},P_0)=$ê$(H_2(I{D}_{cc}\parallel I{D}_{fd}\parallel T_s\parallel r_{cc}{P}_0\parallel TS),P{K}_{cc})$ holds.

(3)

If the above equation holds, FD randomly chooses $r_{fd}\in Z_q^{\ast }$, calculates $r_{fd}{P}_0$, puts $r_{fd}{P}_0$ in the packet Data_Req, and broadcasts the packet that contains parameters {$I{D}_{fd},I{D}_{CC},T_s,r_{fd}{P}_0,r_{cc}{P}_0,TS,{\sigma }_{cc}$} in its area. Please note that $r_{fd}{P}_0$ is used by hybrid IOT device HID${}_i$ covered by the fog device in establishing a one-time key shared with the fog device.

3.2.3. Hybrid IoT Devices Report Generation

After receiving the packet Data_Req, hybrid IoT device HID${}_i$ will report its sensing data $m_i$ to fog device at time slot $T_s$. Specific steps are as follows:

(1)

The hybrid IoT device HID${}_i$ chooses $r_i\in z_q^{\ast }$, computers $r_i{P}_0$ which is used by ID${}_{fd}$ in establishing a shared one-time key between itself and the related fog device.

(2)

HID${}_i$ computes two shared keys as $k_i=H_1($ê$(P{K}_{cc},s{k}_i{r}_i{r}_{cc}{P}_0))$, $k_i^{\prime }=H_1($ê$(P{K}_{fd},s{k}_i{r}_i{r}_{fd}{P}_0))$, which will be used for hiding HID${}_i$’s sensing data $m_i$.

(3)

HID${}_i$ masks its sensing data $m_i$ and computes ciphertext $C_i$ and signature ${\sigma }_i$, where

$$C_i=g^{m_i+k_i+k_i^{\prime }}H{\left(T_s\right)}^{{\varphi }_i}mod{N}^2,$$

$${\sigma }_i=s{k}_i{H}_2(C_i\parallel I{D}_i\parallel I{D}_{fd}\parallel T_s\parallel r_i{P}_0\parallel TS).$$

Then HID${}_i$ sends data collection reply Data_Rep packet that contains parameters {$C_i,I{D}_i,I{D}_{fd},T_s,r_i{P}_0,TS,{\sigma }_i$} to fog devices.

3.2.4. Privacy-Preserving Aggregated Data Generation

Upon receiving the Data_Rep packet, the fog device runs the following steps:

(1)

FD verifies n Data_Rep packets received to ensure that the packets are valid and have not been tampered or forged during communication. To improve the verification efficiency, FD randomly divides the Data_Rep packet set $S=(I{D}_i,I{D}_{fd},T_s,r_i{P}_0,TS,{\sigma }_i)$ $(i=1,2,\dots ,n)$. From S, $\lfloor n/2\rfloor$ Data_Rep packets are randomly selected to form the first subset $S_1$, and the remaining $\lceil n/2\rceil$ Data_Rep packets constitute the second subset $S_2$. For ease of description, suppose $S_1$ contains the first $\lfloor n/2\rfloor$ Data_Rep packets and $S_2$ contains the second $\lceil n/2\rceil$ Data_Rep packets. For IOT devices, the Data_Rep packets in $S_1$ are valid if the following equation holds, otherwise the packets are invalid.

$$ê(P_0,\sum _{i=1}^{\lfloor n/2\rfloor }{\sigma }_i)=\prod _{i=1}^{\lfloor n/2\rfloor }ê(P{K}_i,H_2(C_i\parallel I{D}_i\parallel I{D}_{fd}\parallel T_s\parallel r_i{P}_0\parallel TS).$$

Note that using the above verification method, the number of bilinear pairs can be reduced from $2\lfloor n/2\rfloor$ to $\lfloor n/2\rfloor +1$. Similarly, FD verifies the following equation. If it holds, the number of bilinear pairs also drops from $2\lfloor n/2\rfloor$ to $\lfloor n/2\rfloor +1$.

$$\begin{array}{c}\hfill ê(P_0,\sum _{i=\lfloor n/2\rfloor +1}^n{\sigma }_i)=\prod _{i=\lfloor n/2\rfloor +1}^nê(P{K}_i,H_2(C_i\parallel I{D}_i\parallel I{D}_{fd}\parallel T_s\parallel r_i{P}_0\parallel TS).\end{array}$$

(2)

If the step 1 is verified, the fog device calculates

$$\begin{array}{c}\hfill k_i^{\prime }=H_1\left(ê(P{K}_i,s{k}_{fd}{r}_{fd}{r}_i{P}_0)\right)=H_1\left(ê(P{K}_{fd},s{k}_i{r}_i{r}_{fd}{P}_0)\right).\end{array}$$

Then, It runs the following data aggregation operations and get the aggregate ciphertext C and the corresponding signature $\sigma$, the specific process are as follows:

$$\begin{array}{ccc}\hfill C& =& \prod _{i=1}^n(C_i·g^{-k_i^{\prime }})·H{\left(T_s\right)}^{{\varphi }_0}mod{N}^2\hfill \\ \hfill & =& \prod _{i=1}^n(g^{m_i+k_i+k_i^{\prime }}·g^{-k_i^{\prime }})·H{\left(T_s\right)}^{{\varphi }_0}mod{N}^2\hfill \\ \hfill & =& g^{{\sum }_{i=1}^n(m_i+k_i)}·H{\left(T_s\right)}^{{\sum }_{i=0}^n{\varphi }_i}mod{N}^2\hfill \\ \hfill & =& g^{{\sum }_{i=1}^n(m_i+k_i)}·H{\left(T_s\right)}^{\beta N}mod{N}^2,\hfill \\ \hfill \sigma & =& s{k}_{fd}{H}_2(C\parallel I{D}_{fd}\parallel I{D}_{cc}\parallel T_s\parallel r_{fd}{P}_0\parallel TS).\hfill \end{array}$$

where, because ${\sum }_{i=0}^n{\varphi }_i=0modN$, ${\sum }_{i=0}^n{\varphi }_i=\beta N$.

(3)

The fog device sends the Data_Rep packet that contains parameters {$C,I{D}_{cc},I{D}_{fd},T_s,{\left\{r_i{P}_0\right\}}_{1<i<n},TS,\sigma$} to control center.

3.2.5. Privacy-Preserving Aggregated Data Decryption

Upon receiving the fog device reply packet Data_Rep, CC first verifies the Data_Rep to ensure the packets’ authenticity and integrity according to the following equation:

$$ê(P_0,\sigma )=ê(P{K}_{cc},H_2(C\parallel I{D}_{fd}\parallel I{D}_{cc}\parallel T_s\parallel r_{fd}{P}_0\parallel TS).$$

If it does hold, then CC calculates

$$\begin{array}{c}\hfill k_i=H_1\left(ê(P{K}_i,s{k}_{cc}{r}_{cc}{r}_i{P}_0)\right)=H_1\left(ê(P{K}_{fd},s{k}_i{r}_i{r}_{cc}{P}_0)\right).\end{array}$$

Finally, it uses the private key $\lambda$ to decrypt the aggregated ciphertext C by calculating

$$\begin{array}{ccc}\hfill M& =& \frac{L\left(C^{\lambda }mod{N}^2\right)}{L\left(g^{\lambda }mod{N}^2\right)}modN-\sum _{i=1}^n{k}_i\hfill \\ \hfill & =& \sum _{i=1}^n{m}_i.\hfill \end{array}$$

3.2.6. Fault Tolerance Mechanism

If some hybrid IoT devices breakdown, FD will not receive n Data_Rep packets. Then this phenomenon will directly affect the main features of the blinding factor, and ${\sum }_{i\in U_i/U_i^{\prime }}{\varphi }_i+{\varphi }_0\ne 0modN$, which will affect the correctness of the final data decryption. Where, U${}_i$ means the set of all legitimate hybrid IoT devices and ${\mathrm{U}}_i^{\prime }$ means the set of failed hybrid IoT devices (${\mathrm{U}}_i^{\prime }$ ∈ U${}_i$).

FD needs to send the set ${\mathrm{U}}_i^{\prime }$ to control center. After receiving the set ${\mathrm{U}}_i^{\prime }$, CC computes $H^{\prime }\left(T_s\right)=H{\left(T_s\right)}^{{\sum }_{i\in U_i^{\prime }}{\varphi }_i}$ and replies to FD. After receiving $H^{\prime }\left(T_s\right)$, computing

$$\begin{array}{ccc}\hfill C^{\prime }& =& H^{\prime }(T_s)·\prod _{i\in U_i/U_i^{\prime }}(C_i·g^{-k_i^{\prime }}·H{(T_s)}^{{\varphi }_0})mod{N}^2\hfill \\ \hfill & =& H{(T_s)}^{{\sum }_{i\in U_i^{\prime }}{\varphi }_i}·\prod _{i\in U_i/U_i^{\prime }}(g^{m_i+k_i+k_i^{\prime }}·g^{-k_i^{\prime }}·H{(T_s)}^{{\varphi }_0})mod{N}^2\hfill \\ \hfill & =& \prod _{i\in U_i/U_i^{\prime }}{g}^{(m_i+k_i)}·H{(T_s)}^{{\sum }_{i\in U_i^{\prime }}{\varphi }_i+{\sum }_{i\in U_i/U_i^{\prime }}{\varphi }_i+{\varphi }_0}mod{N}^2\hfill \\ \hfill & =& g^{{\sum }_{i\in U_i/U_i^{\prime }}(m_i+k_i)}·H{(T_s)}^{{\sum }_{i=0}^n{\varphi }_i}mod{N}^2\hfill \\ \hfill & =& g^{{\sum }_{i\in U_i/U_i^{\prime }}(m_i+k_i)}·H{(T_s)}^{\beta N}mod{N}^2.\hfill \end{array}$$

At this time, in aggregated data decryption stage, CC uses the private key $\lambda$ to decrypt the aggregated ciphertext C by calculating.

$$\begin{array}{ccc}\hfill M^{\prime }& =& \frac{L\left(C^{\prime \lambda }mod{N}^2\right)}{L\left(g^{\lambda }mod{N}^2\right)}modN-\sum _{i\in U_i/U_i^{\prime }}{k}_i\hfill \\ \hfill & =& \sum _{i\in U_i/U_i^{\prime }}{m}_i.\hfill \end{array}$$

4. Security and Privacy Analysis

In this section, we give the security and privacy analysis of the proposed PDAF scheme.

4.1. Privacy Protection

Based on the Paillier encryption algorithm, in the hybrid IoT devices report generation stage, the sensitive data $m_i$ was blinded and the secret key $k_i$ and $k_i^{\prime }$ were added in the Paillier encryption algorithm to get the ciphertext $C_i=g^{m_i+k_i+k_i^{\prime }}H{\left(T_s\right)}^{{\varphi }_i}mod{N}^2$, HID${}_i$ sends $C_i$ to the associated gateway instead of $m_i$ directly. Without the private key, it is infeasible to decrypt ciphertexts. Even if the adversary gets the data packet sent by tapping the wireless IoT device or the wireless communication channel, without knowing $k_i$, $k_i^{\prime }$ and $\lambda$, the adversary cannot know the sensitive data $m_i$ because of these secret keys cannot be computed. Despite the control center has the secret key $k_i$ and $\lambda$, it cannot get $k_i^{\prime }$, and thus cannot decrypt $C_i$ to recover $m_i$. Similarly, the fog device is also unable to read sensitive data $m_i$ without $k_i$ and $\lambda$. In fact, $k_i=H_1($ê$(P{K}_{cc},s{k}_i{r}_i{r}_{cc}{P}_0))$ and $k_i^{\prime }=H_1($ê$(P{K}_{fd},s{k}_i{r}_i{r}_{fd}{P}_0))$ are computed by HID${}_i$. It is worth noting that the fog device only calculates $k_i^{\prime }=H_1\left(ê(P{K}_i,s{k}_{fd}{r}_{fd}{r}_i{P}_0)\right)=H_1\left(ê(P{K}_{fd},s{k}_i{r}_i{r}_{fd}{P}_0)\right)$ at the privacy-preserving aggregated data generation phase and the control center only calculates $k_i=H_1\left(ê(P{K}_i,s{k}_{cc}{r}_{cc}{r}_i{P}_0)\right)=H_1\left(ê(P{K}_{fd},s{k}_i{r}_i{r}_{cc}{P}_0)\right)$ at the privacy-preserving aggregated data decryption phase.

In the data aggregation stage, the aggregation operation by the fog device is performed in a ciphertext manner. For the control center, it only has the aggregated data $M=\frac{L\left(C^{\lambda }mod{N}^2\right)}{L\left(g^{\lambda }mod{N}^2\right)}modN-{\sum }_{i=1}^n{k}_i$ and just gets the data sum ${\sum }_{i=1}^n{m}_i$. Even if an adversary has intruded into the control center database, privacy of a single device cannot be obtained. Like this, the individual sensing data privacy is still preserved.

4.2. Non-Repudiation and Unforgeability

In the proposed PDAF scheme, the private key is also used to sign the data packet to be sent by each entity before sending the message. Then, the data packet is verified based on the sender’s public key. Although the process can be realized by homomorphic signatures and the verification method used in database [50,51,52,53], the efficiency is very low. In PDAF, it is ensured that adversaries cannot forge a new signature by eavesdropping on signed messages and thus cannot implement forgery attacks. In other words, the entities’ private keys are properly kept by themselves, their messages sent has non-repudiation. Our program has the ability to discover the dishonest behavior of entities.

If the traditional one-to-one verification method is used, assuming that there are k signatures to be verified, a total of $2k$ bilinear pairing operations are required. To improve verification efficiency, we use a batch verification method. As described in step 1 of Section 3.2.4, k signatures are randomly assigned to equal-sized sets $S_1$ and $S_2$, where $|S_1|=\lfloor \frac{k}{2}\rfloor$, $|S_2|=\lceil \frac{k}{2}\rceil$. Then the signatures in $S_1$ and $S_2$ are respectively verified, that is

$$\begin{array}{c}\hfill ê(P_0,\sum _{j\in S_1}{\sigma }_j)=\prod _{j\in S_1}ê(P{K}_j,H_2(C_j\parallel I{D}_{INFORMATION}\parallel TS),\end{array}$$

$$\begin{array}{c}\hfill ê(P_0,\sum _{j\in S_2}{\sigma }_j)=\prod _{j\in S_2}ê(P{K}_j,H_2(C_j\parallel I{D}_{INFORMATION}\parallel TS).\end{array}$$

Based on the above batch verification method, the number of bilinear pairing operations is reduced from $2k$ to $2(\lfloor \frac{k}{2}\rfloor +1)$, and hence the efficiency of the algorithm is improved. Note that, the verification method can resist forgeries. For example, if the adversary aims to generate a forgery by computing

$${\sigma }_i^{\prime }=\left\{\begin{array}{c}{\sigma }_i-a,i=1,2,\dots ,\lfloor \frac{k}{2}\rfloor \hfill \\ {\sigma }_i+a,i=\lfloor \frac{k}{2}\rfloor +1,\lfloor \frac{k}{2}\rfloor +2,\dots ,k.\hfill \end{array}\right.$$

In this case, the greatest probability that the adversary forges a valid signature is

$$C_{k/4}^{k/2}{C}_{k/4}^{k/2}=\frac{(k/2)!}{(k/4)!(k/2-k/4)!}·\frac{(k/2)!}{(k/4)!(k/2-k/4)!}·\frac{(k/2)!(k/2)}{k!}.$$

Obviously, when k is large enough, the above probability is negligible.

5. Performance Evaluation

In this section, the performance of the proposed PDAF scheme is evaluated in terms of the computation costs and communication overhead at the IoT devices, the fog device, and the control center.

5.1. Computation Cost

The proposed PDAF scheme achieves the privacy-preserving aggregation for hybrid IoT devices, in order to analyze this scheme more accurately, in terms of computation costs, we assume that there are n IoT devices associated with a fog device and will focus on measuring the time required for performing the cryptographic operations in the proposed scheme. where, we denote the computation costs of an exponentiation operation in $G_1$, an exponentiation operation in $G_2$, an exponentiation operation in $Z_{N^2}^{\ast }$, a multiplication operation in $Z_{N^2}^{\ast }$, a bilinear pairing operation and a Paillier decryption operation with $T_{e_1}$, $T_{e_2}$, $T_{e_Z}$, $T_{m_Z}$, $T_p$, $T_{pai}$, respectively.

For the control center, in order to generate a data collection request, CC needs to calculate $r_{cc}{P}_0$ and ${\sigma }_{cc}=s{k}_{cc}{H}_2(I{D}_{cc}\parallel I{D}_{fd}\parallel T_s\parallel r_{cc}{P}_0\parallel TS)$ which need $2T_{e_1}$ computation costs. In privacy-preserving aggregated data decryption phase, CC checks if $ê(P_0,\sigma )=ê(P{K}_{cc},H_2(C\parallel I{D}_{fd}\parallel I{D}_{cc}\parallel T_s\parallel r_{fd}{P}_0\parallel TS)$, computers $k_i^{\prime }=H_1\left(ê(P{K}_i,s{k}_{cc}{r}_{cc}{r}_i{P}_0)\right)$ and recovers the aggregated data M respectively involves $2T_p$, $T_p+T_{e_2}$ and $T_{pai}$ computation costs. Therefore, in time slot $T_s$, the computation cost for the control center is $3T_p+2T_{e_1}+T_{e_2}+T_{pai}$. For the fog device, it needs $(n+5)T_p+(n+1)T_{m_Z}+2T_{e_1}+2T_{e_Z}+T_{e_2}$ computation costs. Specifically, FD checks if ê$({\sigma }_{cc},P_0)=$ê$(H_2(I{D}_{cc}\parallel I{D}_{fd}\parallel T_s\parallel r_{cc}{P}_0\parallel TS)$ needs $2T_p+T_{e_1}$. After receiving all the $Data\_Rep$ of HID${}_i,(1\le i\le n)$, the computation of the authenticity and integrity of $nData\_Rep$ based on batch verification involves $(n+2)T_p$. To compute $k_i^{\prime }=H_1\left(ê(P{K}_i,s{k}_{fd}{r}_{fd}{r}_i{P}_0)\right)$, $C={\prod }_{i=1}^n(C_i·g^{-k_i^{\prime }})·H{\left(T_s\right)}^{{\varphi }_0}mod{N}^2$ and $\sigma =s{k}_{fd}{H}_2(C\parallel I{D}_{fd}\parallel I{D}_{cc}\parallel T_s\parallel r_{fd}{P}_0\parallel TS)$, ($T_p+T_{e_2}$), ($(n+1)T_{m_Z}+2T_{e_Z}$) and $T_{e_1}$ are needed respectively. In PDAF, the computation costs for each hybrid IoT device is $2(T_p+T_{e_2}+T_{e_Z}+T_{e_1})$. In fact, the computation costs for the secret key $k_i=H_1($ê$(P{K}_{cc},s{k}_i{r}_i{r}_{cc}{P}_0))$, $k_i^{\prime }=H_1($ê$(P{K}_{fd},s{k}_i{r}_i{r}_{fd}{P}_0))$ involves $2(T_p+T_{e_2})$. To protect private information, HID${}_i$ needs $2T_{e_Z}$ computation costs for the ciphertext $C_i=g^{m_i+k_i+k_i^{\prime }}H{\left(T_s\right)}^{{\varphi }_i}mod{N}^2$. To compute ${\sigma }_i=s{k}_i{H}_2(C_i\parallel I{D}_i\parallel I{D}_{fd}\parallel T_s\parallel r_i{P}_0\parallel TS)$, one $T_{e_1}$ is needed. We represent the computation costs in

Table 1. The computation cost of PDAF.

	Computation Costs
CC	$3T_p+2T_{e_1}+T_{e_2}+T_{pai}$
FD	$(n+5)T_p+(n+1)T_{m_Z}+2T_{e_1}+2T_{e_Z}+T_{e_2}$
HID${}_i$	$2(T_p+T_{e_2}+T_{e_Z}+T_{e_1})$

.

For the comparison with PDAF, in the following, we consider a traditional scheme, where all IoT devices blinded data $C_i$ are not aggregated into a ciphertext C by the fog device. Under this setting, for n IoT device data, the total computation cost of the control center will increase by $(n-1)T_{pai}$ over the PDAF. The computation comparison is shown in Figure 3. Obviously, our PDAF scheme largely reduces the computation cost for the control center.

In addition, in the security model of paper [10], a trusted third party is considered because the control center and fog devices are honest-but-curious which may be affected by malicious attacks. Based on the trusted third party, the security of the system is guaranteed, but the communication and computation overhead is high. In [30], although there is not a trusted third party, we find that the control center may be affected by undetected malwares and hence violates a single user’s data. It is possible to obtain sensitive information based on the private key $\lambda$, and the data aggregation scheme based on Paillier homomorphic encryption cannot completely protect sensitive information because the control center has the private key $\lambda$. In our proposed scheme, it is worth mentioning that the third-party trusted authority is not considered. In fact, the control center and fog device in PDAF are also honest-but-curious, but there is no risk of privacy leakage similar to [30].

5.2. Communication Overhead

In PDAF, we respectively denote the communication overhead of control center to fog devices (CC-to-FD), fog device to hybrid IoT devices (FD-to-HID), hybrid IoT devices to fog device (HID-to-FD) and fog device to control center (FD-to-CC) by $l_{cf},l_{fh},l_{hf}$, and $l_{fc}$. In addition, then, we define the size of each identity as 2 bytes, 4 bytes for $T_s$ or time stamp $TS$, the length of the Paillier ciphertext is 2048 bits. Let $G_1$ be a 160-bit elliptic curve and the length of the signature is 160 bits. Firstly, in the control center to fog device communication, the length of $Data\_Req=\{I{D}_{cc},I{D}_{fd},T_s,r_{cc}{P}_0,TS,{\sigma }_{cc}\}$ is 52 bytes, that is $l_{cf}=52$. In the fog device to hybrid IoT device communication, the $Data\_Req$ packet is of the form $\{I{D}_{fd},I{D}_{cc},T_s,r_{fd}{P}_0,r_{cc}{P}_0,TS,{\sigma }_{cc}\}$ and $l_{fh}=72$. In the hybrid IoT device to fog device communication, the data collection request response $Data\_Rep$ of HID${}_i$($1\le i\le n$) contains $C_i,I{D}_i,I{D}_{fd},T_s,r_i{P}_0,TS,{\sigma }_i$ and it length $l_{hf}=308$ bytes. To reduce the communication overhead, the aggregated signature and ciphertext are sent to the control center by the fog device, which only need 275 bytes. The response message is of the form $\{C,I{D}_{cc},I{D}_{fd},T_s,{\left\{r_i{P}_0\right\}}_{1<i<n},TS,\sigma \}$ and the size is $l_{fc}=288+20n$ bytes where n is the number of hybrid IoT device. The communication overhead is listed in

Table 2. The communication overhead of PDAF.

	Communication Overhead (Bytes)
$l_{cf}$	52
$l_{fh}$	72
$l_{hf}$	308
$l_{fc}$	$288+20n$

. Alternatively, if the traditional scheme is adopted, for n IoT device data, the length of $l_{fc}$ will increase to $288+256n$ bytes. As shown in Figure 4, we further show the change of the communication overhead with the hybrid IoT devices number n. It is shown that the PDAF scheme obviously reduces bandwidth usage and communication overhead for the FD-to-CC communication.

In summary, the proposed PDAF approach is privacy-preserving and efficient in terms of the computation cost and communication overhead.

6. Conclusions

In this paper, we have proposed a privacy-preserving data aggregation scheme based on the Paillier homomorphic encryption in fog computing and called PDAF. The idea realizes many security requirements such as privacy protection, non-repudiation, and unforgeability. The data aggregation technology based on homomorphic encryption not only can effectively protect the privacy of hybrid IoT devices but also can reduce the communication overhead of the system and improve the work efficiency of control centers and fog nodes. To improve the efficiency of data integrity checking, an efficient batch verification technology in use. In addition, blinding factor technology is also applied to our scheme, which makes the idea has better fault tolerance. Through analyzation of security and performance, the proposed scheme is reliable and efficient.