# Privacy-Enhanced and Multifunctional Health Data Aggregation under Differential Privacy Guarantees

## Abstract


## 1. Introduction

- First, we propose a basic average aggregation scheme (BAAS) based on the Boneh–Goh–Nissim cryptosystem. In some scenarios, data analysts prefer to acquire the weighted average, because it can reflect the overall state of all users more objectively. We therefore propose a privacy-preserving weighted average scheme (WAAS) to meet this requirement. To the best of our knowledge, this paper is the first to discuss weighted average aggregation. In addition, the final results of both schemes are protected by differential privacy mechanisms [11].
- Second, we provide a privacy-enhanced average aggregation scheme (PAAS) to protect the sum of all of the gathered health data. In [6], one of the working cloud servers is able to obtain the plaintext of the sum. If this server is compromised, it may leak the information to some malicious entities. Therefore, we design a protocol with additional private keys to hide the aggregated data. PAAS hides the sum of the dataset from the cloud servers. It further protects the users’ privacy.
- Finally, we conduct real experiments and compare PMHA-DP with the other scheme [6]. The comparison results show that our non-additive aggregation scheme (NAS) and PAAS lead to less communication overhead than that of another scheme called ${\mathrm{MHDA}}^{\oplus}$ [6]. Besides, PAAS enhances the data privacy with acceptable computational overhead. Moreover, we give a security analysis to show that the proposed scheme preserves data privacy under the given strong adversary model. More importantly, all of the proposed aggregation protocols support fault tolerance.

## 2. Problem Statement

#### 2.1. System Model

- Mobile users (MUs): MUs are the data providers of the cloud-assisted WBAN system, which are denoted as $\mathbb{U}=\{{U}_{1},{U}_{2},...,{U}_{k}\}$. Specifically, ${U}_{i}$ is equipped with some body area sensors to monitor different types of health data. Then, the original health data collected by sensors will be stored in ${U}_{i}$’s smartphone or PDA. For privacy consideration, MUs encrypt the data using the smartphone before reporting them to the cloud servers. Furthermore, MUs report the personal health data according to the aggregation protocols formulated by the trusted authority.
- Cloud servers (CSs): CSs are a group of public cloud servers denoted as $\mathbb{S}=\{{S}_{1},{S}_{2},...,{S}_{n}\}$. In PMHA-DP, multiple servers are necessary for executing the aggregation missions and supporting fault tolerance. A large volume of health data is stored in CSs. The aggregation result will be delivered to the trusted authority instead of healthcare institutions directly. According to the practice, we assume that all of the CSs are honest-but-curious. CSs store and process data honestly, but they may be also curious about individual user’s health data. Thus, CSs only store the ciphertexts of health data received from MUs. Since CSs are powerful, we assume that a strong adversary can compromise or paralyze no more than $l=\lceil n/2\rceil -1$ cloud servers.
- Trusted authority (TA): TA is a powerful data center, which is responsible for assigning aggregation tasks and key management. TA receives different aggregation requests from healthcare institutions, then it bootstraps the whole system. In the initialization phase, TA first generates secret keys and US certificates for each registered user. Keys and certificates are distributed through a secure channel. Meanwhile, TA also generates private keys for cloud servers. If TA wants some statistical information about the health dataset, it will make $l+1$ cloud servers work together to aggregate and decrypt the data. Then, the system randomly selects one of the working cloud servers to send the statistics to TA. Finally, TA calculates the final result and adds noise to it by utilizing differential privacy mechanisms. TA is the only globally-trusted entity of the whole system.
- Healthcare institutions (HIs): HIs represent the organizations (i.e., certified hospital, medicine research center, health departments, etc.) that are interested in the statistical information of a large volume of health data. HIs obtain this information by sending specific requests to TA, and TA returns the final result to HIs.

#### 2.2. Adversary Model

- $\mathbf{Adv}$ may eavesdrop on communication flows.
- $\mathbf{Adv}$ may compromise some users directly.
- $\mathbf{Adv}$ may compromise less than $l=\lceil n/2\rceil -1$ CSs to breach users’ privacy.
- In our privacy-enhanced health data aggregation scheme, $\mathbf{Adv}$ may compromise all of the $l+1$ working cloud servers and obtain the sum of all users’ private data.
- $\mathbf{Adv}$ may launch differential attacks on TA (e.g., $\mathbf{Adv}$ may deduce the newly-added users’ data by asking TA legitimate queries).

#### 2.3. Security and Privacy Requirements

- $\mathbf{Adv}$ cannot reveal users’ private health data, even if the communication flows are intercepted.
- $\mathbf{Adv}$ cannot reveal the uncompromised users’ private health data, even if some users are compromised directly.
- $\mathbf{Adv}$ cannot reveal users’ private health data, even if l cloud servers are compromised.
- $\mathbf{Adv}$ cannot obtain the sum of all of the users’ private data, even if all of the $l+1$ working cloud servers are compromised.
- $\mathbf{Adv}$ cannot deduce any individual user’s health data by launching differential attacks on TA.

## 3. Preliminaries

#### 3.1. Boneh–Goh–Nissim Cryptosystem

- $\mathbf{KeyGen}\left(\tau \right):$ Given a security parameter $\tau \in {\mathbb{Z}}^{+}$, the system runs $Gen\left(\tau \right)$ to acquire a tuple $(p,q,\mathbb{G},{\mathbb{G}}_{1},e)$. Here, $\mathbb{G}$ and ${\mathbb{G}}_{1}$ are two cyclic groups of order $n=pq$. In addition, $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_{1}$ is a bilinear map [15]. Randomly pick two generators $g,u\in \mathbb{G}$, and set $h={u}^{q}$. Then, h is a random generator of the subgroup of $\mathbb{G}$ of order p. The public key is $PK=(n,\mathbb{G},{\mathbb{G}}_{1},e,g,h)$. The private key is $SK=p$.
- $\mathbf{Encrypt}(PK,m):$ Let $m\in \{0,1,...,T\}$ represent a message, and T $(T\ll q)$ is the upper bound of the message space. To encrypt a message m using public key $PK$, the user picks a random number r $(r\in {\mathbb{Z}}_{n})$ and calculates the ciphertext as $C={g}^{m}{h}^{r}\in \mathbb{G}$.
- $\mathbf{Decrypt}(SK,C):$ The system decrypts ciphertext C with private key $SK=p$ through computing ${C}^{p}={\left({g}^{m}{h}^{r}\right)}^{p}={\left({g}^{p}\right)}^{m}$. Let $\widehat{g}={g}^{p}$. Then, the system computes the discrete logarithm of ${C}^{p}$ base $\widehat{g}$ to recover m. The computation takes the expected time $O\left(\sqrt{T}\right)$ using Pollard’s lambda method [16].

- Firstly, the system is clearly additively homomorphic. Given any two ciphertexts ${C}_{1},{C}_{2}\in \mathbb{G}$ of messages ${m}_{1},{m}_{2}\in \{0,1,...,T\}$, respectively, one can obtain the encryption of ${m}_{1}+{m}_{2}$ by computing the product $C={C}_{1}{C}_{2}$.
- Secondly, one can multiply two encrypted messages once using the bilinear map to acquire the product of two messages. Let ${g}_{1}=e(g,g)$, ${h}_{1}=e(g,h)$, and set $h={g}^{\alpha q}$ where $\alpha \in \mathbb{Z}$ is unknown. Suppose that the two given ciphertexts are ${C}_{1}={g}^{{m}_{1}}{h}^{{r}_{1}}\in \mathbb{G}$ and ${C}_{2}={g}^{{m}_{2}}{h}^{{r}_{2}}\in \mathbb{G}$. Then, we have:$$\begin{array}{cc}\hfill C=e({C}_{1},{C}_{2})=e({g}^{{m}_{1}}{h}^{{r}_{1}},{g}^{{m}_{2}}{h}^{{r}_{2}})& ={g}_{1}^{{m}_{1}{m}_{2}}{h}_{1}^{{m}_{1}{r}_{2}+{m}_{2}{r}_{1}+\alpha q{r}_{1}{r}_{2}}\hfill \\ & ={g}_{1}^{{m}_{1}{m}_{2}}{h}_{1}^{\overline{r}}\in {\mathbb{G}}_{1}\hfill \end{array}$$

#### 3.2. Differential Privacy

**Definition 1.**

**Definition 2.**

**Definition 3.**

## 4. Proposed Scheme

#### 4.1. Additive Aggregation of Health Data

#### 4.1.1. System Initialization

#### 4.1.2. Basic Average Aggregation Scheme

- Step 1: ${U}_{i}$ computes the hash value ${\theta}_{o}=H\left({t}_{o}\right)$ at the time point ${t}_{o}$.
- Step 2: ${U}_{i}$ encrypts the message ${m}_{i,o}$ through calculating ${C}_{i,o}={g}^{{m}_{i,o}}{h}^{{\theta}_{o}\cdot {r}_{i,o}}$, where ${r}_{i,o}\in {\mathbb{Z}}_{n}^{+}$ is a random number.
- Step 3: ${U}_{i}$ submits the ciphertext ${C}_{i,o}$ to one of the working cloud servers.
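The KeyGen/Encrypt/Decrypt description in Section 3.1 and the three BAAS steps above, as an added example (not code from the paper): it runs the additive part of the scheme end to end with toy numbers. Assumptions made here: $\mathbb{G}$ is modelled as the order-$n$ subgroup of $\mathbb{Z}_P^*$ instead of a pairing group (so the one-time multiplication via $e$ is not covered), $H$ is SHA-256 reduced mod $n$, decryption uses $p$ directly rather than shares held by $l+1$ servers, baby-step giant-step stands in for Pollard's lambda, and the primes, readings and function names are constructed.

```python
import hashlib
import secrets
from math import isqrt

# Constructed toy parameters; real BGN uses large primes and a pairing group.
p, q = 1009, 1013            # SK = p
n = p * q                    # order of the group G
T = 100                      # upper bound of one reading (T << q)


def is_prime(x):
    return x > 1 and all(x % d for d in range(2, isqrt(x) + 1))


def keygen():
    """Model G as the order-n subgroup of Z_P^* and return PK = (P, g, h)."""
    k = 2
    while not is_prime(k * n + 1):
        k += 2
    P = k * n + 1

    def element_of_order_n():
        while True:
            x = pow(secrets.randbelow(P - 2) + 2, (P - 1) // n, P)
            if pow(x, p, P) != 1 and pow(x, q, P) != 1:
                return x

    g, u = element_of_order_n(), element_of_order_n()
    return P, g, pow(u, q, P)     # h = u^q generates the order-p subgroup


def theta(t_o):
    """theta_o = H(t_o); SHA-256 mod n is an assumption of this example."""
    return int.from_bytes(hashlib.sha256(t_o.encode()).digest(), "big") % n


def encrypt(pk, m, t_o):
    """BAAS Step 2: C = g^m * h^(theta_o * r) with random r in Z_n^+."""
    P, g, h = pk
    if not 0 <= m <= T:
        raise ValueError("message outside {0, ..., T}")
    r = secrets.randbelow(n - 1) + 1
    return pow(g, m, P) * pow(h, theta(t_o) * r, P) % P


def aggregate(pk, ciphertexts):
    """Additive homomorphism: the product of ciphertexts encrypts the sum."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % pk[0]
    return acc


def dlog_bounded(target, base, bound, modulus):
    """Baby-step giant-step: m in [0, bound] with base^m = target, else None."""
    step = isqrt(bound) + 1
    baby, cur = {}, 1
    for j in range(step):
        baby.setdefault(cur, j)
        cur = cur * base % modulus
    giant = pow(base, -step, modulus)        # needs Python 3.8+
    for i in range(step + 1):
        if target in baby and i * step + baby[target] <= bound:
            return i * step + baby[target]
        target = target * giant % modulus
    return None


def decrypt(pk, c, bound):
    """C^p = (g^p)^m because h has order p; then solve a bounded dlog."""
    P, g, _ = pk
    return dlog_bounded(pow(c, p, P), pow(g, p, P), bound, P)


def demo():
    pk = keygen()
    readings = [72, 65, 80, 90, 58]          # constructed sample readings
    cts = [encrypt(pk, m, "2016-03-01T12:00") for m in readings]
    total = decrypt(pk, aggregate(pk, cts), bound=len(readings) * T)
    return total, total / len(readings)


if __name__ == "__main__":
    print(demo())
```

The sum is only recoverable while it stays below $q$ and inside the search bound, which is why the message bound $T$ and the number of users together constrain the parameter sizes.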

#### 4.1.3. Weighted Average Aggregation Scheme

- Step 1: ${U}_{i}$ computes the hash value ${\theta}_{o}=H\left({t}_{o}\right)$ at the time point ${t}_{o}$.
- Step 2: ${U}_{i}$ encrypts the message ${m}_{i,o}$ through calculating ${C}_{i,o}={g}^{{m}_{i,o}}{h}^{{\theta}_{o}\cdot {r}_{i,o}}$, where ${r}_{i,o}\in {\mathbb{Z}}_{n}^{+}$ is a random number. Furthermore, we set $h={g}^{\alpha q}$ for some (unknown) $\alpha \in \mathbb{Z}$.
- Step 3: ${U}_{i}$ submits the ciphertext ${C}_{i,o}\in \mathbb{G}$ to one of the working cloud servers.

- Step 1: TA computes the hash value ${\eta}_{o}=H\left({t}_{o}\right)$ at the time point ${t}_{o}$.
- Step 2: TA encrypts the i-th weight ${w}_{i,o}$ through calculating ${\tilde{w}}_{i,o}={g}^{{w}_{i,o}}{h}^{{\eta}_{o}\cdot {\rho}_{i,o}}$, where ${\rho}_{i,o}\in {\mathbb{Z}}_{n}^{+}$ is a random number. Furthermore, we set $h={g}^{\alpha q}$ for some (unknown) $\alpha \in \mathbb{Z}$. Thus, the weight vector’s ciphertext is $\tilde{\mathcal{W}}=({\tilde{w}}_{1,o},{\tilde{w}}_{2,o},...,{\tilde{w}}_{k,o})$.
- Step 3: TA submits the ciphertext $\tilde{\mathcal{W}}\in \mathbb{G}$ to one of the working cloud servers.

#### 4.1.4. Privacy-Enhanced Average Aggregation Scheme

- Step 1: ${U}_{i}$ computes the hash value ${\theta}_{o}=H\left({t}_{o}\right)$ at the time point ${t}_{o}$.
- Step 2: ${U}_{i}$ encrypts ${m}_{i,o}$ through calculating ${\tilde{m}}_{i,o}={g}^{{m}_{i,o}}{h}^{{\theta}_{o}\cdot {r}_{i,o}}$, where ${r}_{i,o}\in {\mathbb{Z}}_{n}^{+}$ is a random number. Furthermore, we set $h={g}^{\alpha q}$ for some (unknown) $\alpha \in \mathbb{Z}$. Moreover, private keys $({X}_{i},{Y}_{i})$ are encrypted in the same way ${\tilde{X}}_{i}={g}^{{X}_{i}}{h}^{{\theta}_{o}\cdot {r}_{i,o}},\quad {\tilde{Y}}_{i}={g}^{{Y}_{i}}{h}^{{\theta}_{o}\cdot {r}_{i,o}}$.
- Step 3: Let ${g}_{1}=e(g,g)$ and ${h}_{1}=e(g,h)$. ${U}_{i}$ creates the ciphertexts $({C}_{i,o,1},{C}_{i,o,2})$ of ${m}_{i,o}$ as follows.$$\left\{\begin{array}{c}{C}_{i,o,1}=e({\tilde{m}}_{i,o},{\tilde{X}}_{i})=e({g}^{{m}_{i,o}}{h}^{{\theta}_{o}\cdot {r}_{i,o}},{g}^{{X}_{i}}{h}^{{\theta}_{o}\cdot {r}_{i,o}})={g}_{1}^{{m}_{i,o}{X}_{i}}\cdot {h}_{1}^{{\overline{r}}_{i,1}}\hfill \\ {C}_{i,o,2}=e({\tilde{m}}_{i,o},{\tilde{Y}}_{i})=e({g}^{{m}_{i,o}}{h}^{{\theta}_{o}\cdot {r}_{i,o}},{g}^{{Y}_{i}}{h}^{{\theta}_{o}\cdot {r}_{i,o}})={g}_{1}^{{m}_{i,o}{Y}_{i}}\cdot {h}_{1}^{{\overline{r}}_{i,2}}\hfill \end{array}\right.$$
- Step 4: ${U}_{i}$ submits the ciphertexts $({C}_{i,o,1},{C}_{i,o,2})$ of ${m}_{i}$ to one working cloud server ${S}_{j}\in \mathbb{S}$.

#### 4.2. Non-Additive Aggregation of Health Data

#### 4.2.1. Hierarchical Method for Histogram

## 5. Security and Privacy Analysis

- The users’ privacy is preserved, even if the communication flows are intercepted by $\mathbf{Adv}$. Specifically, $\mathbf{Adv}$ may eavesdrop on the communication flows from users to the cloud servers. However, the mobile users in WBANs are dynamic, and the number of users is large; it is impractical for $\mathbf{Adv}$ to do so. Even if the data are captured by $\mathbf{Adv}$ at time point ${t}_{o}$, ${U}_{i}$’s message ${m}_{i,o}$ is encrypted as ${g}^{{m}_{i,o}}\cdot {h}^{{\theta}_{o}{r}_{i,o}}$. Thus, $\mathbf{Adv}$ cannot decrypt the ciphertext and obtain the message ${m}_{i,o}$ without private key p. Therefore, we can assert that $\mathbf{Adv}$ cannot reveal the private data, even if the communication flows are intercepted.
- $\mathbf{Adv}$ cannot reveal the uncompromised users’ private health data. Since the number of mobile users is quite large in the cloud-assisted WBAN system, $\mathbf{Adv}$ would be unlikely to breach users’ privacy through compromising some of the users. We assume that $\mathbf{Adv}$ may try to disclose the uncompromised users’ private health data by utilizing the private information and private keys of the compromised users. Namely, $\mathbf{Adv}$ is able to obtain some of the users’ private keys and their personal data. However, the privacy of uncompromised users is well guaranteed, and the reasons are listed as follows. First, each mobile user’s private key is generated independently; one can deduce nothing about another user from one user’s private key. Second, the sum of all users’ private keys is transparent to $\mathbf{Adv}$. Even if $\mathbf{Adv}$ learns $k-1$ users’ private keys, it still cannot reveal the last user’s private key and health data.
- $\mathbf{Adv}$ cannot obtain users’ private health data and the aggregated data, even if l CSs are compromised. In the system initialization phase, TA distributes the private keys $G\left(j\right),j=1,2,...,l$ to each CS and $l\ge 3$. In this system, the users’ privacy can be protected when no more than $l=\lceil n/2\rceil -1$ CSs are paralyzed or compromised. According to the “all or nothing” property of secret sharing [17], at least $l+1$ CSs are needed to acquire private key p. Therefore, even if $\mathbf{Adv}$ possesses l private keys, it still cannot recover p. Similarly, $\mathbf{Adv}$ only has l decryption shares of CSs at most, which are insufficient to recover the aggregated data either. Therefore, $\mathbf{Adv}$ cannot expose the aggregated data.
- In the privacy-enhanced scheme, $\mathbf{Adv}$ cannot acquire the aggregated data, even if all of the $l+1$ CSs are compromised. First, TA utilizes each user’s $ID$ to generate ${U}_{i}$’s additional private key $({X}_{i},{Y}_{i})$ and distributes them through a secure channel. Then, ${U}_{i}$ encrypts its message ${m}_{i}$ twice by using p and $({X}_{i},{Y}_{i})$. Then, the $l+1$ working CSs calculate two encrypted sums of all of the data. Moreover, $l+1$ working CSs cannot recover the real sum without knowing each user’s additional private key $({X}_{i},{Y}_{i})$ and four randomly generated numbers ${a}_{1},{a}_{2},{b}_{1},{b}_{2}$. Even if all of these secure parameters and two encrypted sums are leaked to $\mathbf{Adv}$, it still does not know how to build an equation group and compute the real sum. Consequently, the aggregated data are well protected even if all of the $l+1$ CSs are compromised by $\mathbf{Adv}$.
- $\mathbf{Adv}$ cannot deduce any individual user’s health data by launching differential attacks on TA. TA is the only entity that can release statistical information to HIs. TA adds Laplace noises to the original aggregated data before release. Therefore, the differential privacy mechanism is only applied on TA. Due to the property of the Laplace mechanism, TA is able to resist differential attacks in each proposed aggregation scheme. The proof of differential privacy is given below.

**Proof (Proof of Differential Privacy).**

**Condition 1.**

**Condition 2.**

**Condition 3.**

**Proof of Differential Privacy.**
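The Laplace release at TA described in the last item of the security analysis, as an added example (not code from the paper). The noise scale $b$ is read off the BAAS and WAAS entries of the error table through $\mathrm{Var}[\mathrm{Lap}(b)]=2{b}^{2}$, which is an inference made here because the sensitivity definitions are not reproduced on this page; the function names and the sample values of $T$, $k$ and $\epsilon$ are constructed. The last function measures what remains of a newly added user's reading when two released averages are subtracted, the differential attack named in the adversary model.

```python
import math
import random


def laplace(scale, rng):
    """Lap(0, scale) as the difference of two Exp(1/scale) draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def baas_scale(T, k, eps):
    """b with 2*b^2 = 2*T^2 / (eps^2 * (k-1)^2), the BAAS/PAAS table entry."""
    return T / (eps * (k - 1))


def waas_scale(T, weights, eps):
    """b with 2*b^2 equal to the WAAS table entry."""
    w_max = max(weights)
    return T * w_max / (eps * (sum(weights) - w_max))


def release_average(values, T, eps, rng, weights=None):
    """What TA hands to an HI: the exact (weighted) average plus noise."""
    if weights is None:
        exact = sum(values) / len(values)
        b = baas_scale(T, len(values), eps)
    else:
        exact = sum(w * v for w, v in zip(weights, values)) / sum(weights)
        b = waas_scale(T, weights, eps)
    return exact + laplace(b, rng)


def empirical_mse(scale, rng, trials=200_000):
    """Mean squared noise, to compare against the closed form in the table."""
    return sum(laplace(scale, rng) ** 2 for _ in range(trials)) / trials


def differencing_rms(T, k, eps, rng, trials=20_000):
    """RMS error of (k+1)*avg' - k*avg as an estimate of the (k+1)-th reading
    when both averages were released with Laplace noise. The true averages
    cancel, so only the two scaled noise terms remain."""
    b_old, b_new = baas_scale(T, k, eps), baas_scale(T, k + 1, eps)
    sq = 0.0
    for _ in range(trials):
        err = (k + 1) * laplace(b_new, rng) - k * laplace(b_old, rng)
        sq += err * err
    return math.sqrt(sq / trials)


if __name__ == "__main__":
    rng = random.Random(2016)                 # fixed seed for repeatability
    T, k, eps = 100, 1001, 0.5                # constructed sample values
    b = baas_scale(T, k, eps)
    print("scale b:", b)
    print("table error:", 2 * T**2 / (eps**2 * (k - 1) ** 2))
    print("measured error:", empirical_mse(b, rng))
    print("differencing RMS vs T:", differencing_rms(T, k, eps, rng), T)
```

With these sample values the differencing estimate is off by roughly $2T/\epsilon$, several times the whole message range, while the released average itself moves by only a fraction of a unit.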

## 6. Performance Evaluation

#### 6.1. Functionality

#### 6.2. Computational Overhead

#### 6.3. Communication Overhead

#### 6.4. Error Analysis

## 7. Further Discussion

## 8. Related Work

## 9. Conclusions

## Acknowledgments

## Author Contributions

## Conflicts of Interest

## References

- Wang, P.; Ding, Z.; Jiang, C.; Zhou, M. Design and Implementation of a Web-Service-Based Public-Oriented Personalized Health Care Platform. IEEE Trans. Syst. Man Cybern. Syst. **2013**, 43, 941–957.
- Cavallari, R.; Martelli, F.; Rosini, R.; Buratti, C.; Verdone, R. A Survey on Wireless Body Area Networks: Technologies and Design Challenges. IEEE Commun. Surv. Tutor. **2014**, 16, 1635–1657.
- Movassaghi, S.; Abolhasan, M.; Lipman, J.; Smith, D.; Jamalipour, A. Wireless Body Area Networks: A Survey. IEEE Commun. Surv. Tutor. **2014**, 16, 1658–1686.
- Liu, B.; Yan, Z.; Chen, C.W. MAC protocol in wireless body area networks for E-health: Challenges and a context-aware design. IEEE Wirel. Commun. **2013**, 20, 64–72.
- Kline, N.; Snodgrass, R.T. Computing temporal aggregates. In Proceedings of the International Conference on Data Engineering, Taipei, Taiwan, 6–10 March 1995; pp. 222–231.
- Han, S.; Zhao, S.; Li, Q.; Ju, C.; Zhou, W. PPM-HDA: Privacy-preserving and multifunctional health data aggregation with fault tolerance for cloud assisted WBANs. IEEE Trans. Inf. Forensics Secur. **2015**, 11, 1940–1955.
- Jia, W.; Zhu, H.; Cao, Z.; Dong, X.; Xiao, C. Human-Factor-Aware Privacy-Preserving Aggregation in Smart Grid. IEEE Syst. J. **2014**, 8, 598–607.
- Lu, R.; Liang, X.; Li, X.; Lin, X.; Shen, X. EPPA: An Efficient and Privacy-Preserving Aggregation Scheme for Secure Smart Grid Communications. IEEE Trans. Parallel Distrib. Syst. **2012**, 23, 1621–1631.
- Chen, L.; Lu, R.; Cao, Z. PDAFT: A privacy-preserving data aggregation scheme with fault tolerance for smart grid communications. Peer-to-Peer Netw. Appl. **2014**, 8, 1122–1132.
- Chen, L.; Lu, R.; Cao, Z.; AlHarbi, K.; Lin, X. MuDA: Multifunctional data aggregation in privacy-preserving smart grid communications. Peer-to-Peer Netw. Appl. **2014**, 8, 777–792.
- Dwork, C. Differential Privacy. In Automata, Languages and Programming; Springer: Berlin, Germany; Heidelberg, Germany, 2006; Volume 4052, pp. 1–12.
- Hay, M.; Rastogi, V.; Miklau, G.; Suciu, D. Boosting the accuracy of differentially private histograms through consistency. Proc. VLDB Endow. **2010**, 3, 1021–1032.
- Dwork, C.; McSherry, F.; Nissim, K.; Smith, A. Calibrating noise to sensitivity in private data analysis. In Theory of Cryptography; Springer: Berlin, Germany; Heidelberg, Germany, 2006; pp. 265–284.
- Boneh, D.; Goh, E.J.; Nissim, K. Evaluating 2-DNF formulas on ciphertexts. In Theory of Cryptography; Springer: Berlin, Germany; Heidelberg, Germany, 2005; pp. 325–341.
- Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 30 October–3 November 2006; pp. 89–98.
- Menezes, A.J.; Van Oorschot, P.C.; Vanstone, S.A. Handbook of Applied Cryptography (Discrete Mathematics and Its Applications); CRC Press: Boca Raton, FL, USA, 1997; Volume 6.
- Shamir, A. How to Share a Secret. ACM Commun. **1979**, 22, 612–613.
- Qardaji, W.; Yang, W.; Li, N. Understanding hierarchical methods for differentially private histograms. Proc. VLDB Endow. **2013**, 6, 1954–1965.
- OpenSSL 1.0.2d. Available online: http://www.openssl.org/source/ (accessed on 1 March 2016).
- Liu, A.; Liu, X.; Liu, Y. A comprehensive analysis for fair probability marking based traceback approach in WSNs. In Security and Communication Networks; Wiley Online Library: Hoboken, NJ, USA, 2016; pp. 2448–2475.
- Hu, Y.; Liu, A. Improvement the quality of mobile target detection through portion of node with fully duty cycle in WSNs. In Computer Systems Science and Engineering; CRL Publishing: Leicester, UK, 2016; pp. 5–17.
- Liu, A.; Hu, Y.; Chen, Z. An Energy-Efficient Mobile Target Detection Scheme with Adjustable Duty Cycles in Wireless Sensor Networks. In International Journal of Ad Hoc and Ubiquitous Computing; Inderscience Publishers: Geneva, Switzerland, 2016; pp. 2448–2475.
- Li, H.; Lin, X.; Yang, H.; Liang, X.; Lu, R.; Shen, X. EPPDR: An Efficient Privacy-Preserving Demand Response Scheme with Adaptive Key Evolution in Smart Grid. IEEE Trans. Parallel Distrib. Syst. **2014**, 25, 2053–2064.
- Zhang, Y.; Xu, C.; Yu, S.; Li, H.; Zhang, X. SCLPV: Secure Certificateless Public Verification for Cloud-Based Cyber-Physical-Social Systems Against Malicious Auditors. IEEE Trans. Comput. Social Syst. **2015**, 2, 159–170.
- Li, H.; Liu, D.; Dai, Y.; Luan, T. Engineering Searchable Encryption of Mobile Cloud Networks: When QoE Meets QoP. IEEE Wirel. Commun. **2015**, 22, 74–80.
- Li, H.; Lu, R.; Zhou, L.; Yang, B.; Shen, X. An Efficient Merkle-Tree-Based Authentication Scheme for Smart Grid. IEEE Syst. J. **2014**, 8, 655–663.
- Li, Q.; Cao, G.; Porta, T.L. Efficient and Privacy-Aware Data Aggregation in Mobile Sensing. IEEE Trans. Dependable Secur. Comput. **2014**, 11, 115–129.
- Shi, E.; Chan, T.H.H.; Rieffel, E.G.; Chow, R.; Song, D. Privacy-preserving aggregation of time-series data. In Proceedings of the 18th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, 6–9 February 2011; Volume 2.
- Blum, A.; Dwork, C.; McSherry, F.; Nissim, K. Practical privacy: The SuLQ framework. In Proceedings of the Twenty-Fourth ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, Baltimore, MD, USA, 13–16 June 2005; pp. 128–138.
- Dinur, I.; Nissim, K. Revealing information while preserving privacy. In Proceedings of the ACM SIGMOD-SIGACT-SIGART Symposium on PODS, San Diego, CA, USA, 9–12 June 2003; pp. 202–210.
- Dwork, C.; Nissim, K. Privacy-preserving datamining on vertically partitioned databases. In Advances in Cryptology–CRYPTO; Springer: Berlin, Germany; Heidelberg, Germany, 2004; pp. 528–544.
- Blum, A.; Ligett, K.; Roth, A. A learning theory approach to noninteractive database privacy. J. ACM **2013**, 60, 12.
- Mohammed, N.; Alhadidi, D.; Fung, B.C.; Debbabi, M. Secure Two-Party Differentially Private Data Release for Vertically Partitioned Data. IEEE Trans. Dependable Secur. Comput. **2014**, 11, 59–71.
- Xu, J.; Zhang, Z.; Xiao, X.; Yang, Y.; Yu, G.; Winslett, M. Differentially private histogram publication. VLDB J. **2013**, 22, 797–822.
- Xiao, Y.; Xiong, L.; Yuan, C. Differentially private data release through multidimensional partitioning. In Secure Data Management; Springer: Berlin, Germany; Heidelberg, Germany, 2010; pp. 150–168.
- Li, C.; Hay, M.; Miklau, G.; Wang, Y. A Data- and Workload-Aware Algorithm for Range Queries under Differential Privacy. Proc. VLDB Endow. **2014**, 7, 341–352.
- Barak, B.; Chaudhuri, K.; Dwork, C.; Kale, S.; McSherry, F.; Talwar, K. Privacy, accuracy, and consistency too: A holistic solution to contingency table release. In Proceedings of the 26th ACM SIGMOD-SIGACT-SIGART Symposium on PODS, Beijing, China, 11–14 June 2007; pp. 273–282.
- Lee, J.; Wang, Y.; Kifer, D. Maximum likelihood postprocessing for differential privacy under consistency constraints. In Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Sydney, Australia, 10–13 August 2015; pp. 635–644.

**Figure 1.** System model of privacy-enhanced and multifunctional health data aggregation scheme (PMHA-DP).

| | Basic Scheme | Weighted Average | Aggregated Data Protection | Differential Privacy |
|---|---|---|---|---|
| ${\mathrm{MHDA}}^{+}$ [6] | √ | × | × | √ |
| PMHA-DP | √ | √ | √ | √ |

| | Max/Min | Median | Hierarchical Method | Post-Processing | Differential Privacy |
|---|---|---|---|---|---|
| ${\mathrm{MHDA}}^{\oplus}$ [6] | √ | √ | × | × | √ |
| PMHA-DP | √ | √ | √ | √ | √ |

| Symbols | Meanings |
|---|---|
| ${T}_{exp}$ | time of modular exponential calculation in ${\mathbb{Z}}_{{n}^{2}}$ |
| ${T}_{mul}$ | time of modular multiplication |
| ${T}_{bim}$ | time of bilinear map operation |
| ${T}_{pol}$ | time of using Pollard’s lambda method to compute the discrete logarithm |
| k | the number of mobile users |
| $l+1$ | the number of working cloud servers |

**Table 4.** Comparison of the computational overhead. BAAS, basic average aggregation scheme; WAAS, weighted average aggregation scheme; PAAS, privacy-enhanced aggregation scheme; MU, mobile user; CS, cloud server; TA, trusted authority.

| | MU | SP | CSs | TA |
|---|---|---|---|---|
| BAAS | $2{T}_{exp}+{T}_{mul}$ | N/A | $(l+1){T}_{exp}+(k+l-1){T}_{mul}+{T}_{pol}$ | N/A |
| WAAS | $2{T}_{exp}+{T}_{mul}$ | N/A | $(l+1){T}_{exp}+(k+l-1){T}_{mul}+k{T}_{bim}+{T}_{pol}$ | $2k{T}_{exp}+k{T}_{mul}$ |
| PAAS | $6{T}_{exp}+3{T}_{mul}+2{T}_{bim}$ | N/A | $2(l+1){T}_{exp}+2(k+l-1){T}_{mul}+2{T}_{pol}$ | N/A |
| ${\mathrm{MHDA}}^{+}$ [6] | $2{T}_{exp}+{T}_{mul}$ | $(k-1){T}_{mul}$ | $(l+1){T}_{exp}+l{T}_{mul}+{T}_{pol}$ | N/A |

| | BAAS | PAAS | WAAS | HMH | ${\mathbf{MHDA}}^{\mathbf{+}}$ |
|---|---|---|---|---|---|
| $error$ | $\frac{2{T}^{2}}{{\epsilon}^{2}{(k-1)}^{2}}$ | $\frac{2{T}^{2}}{{\epsilon}^{2}{(k-1)}^{2}}$ | $\frac{2{T}^{2}{w}_{max}^{2}}{{\epsilon}^{2}{({\sum}_{weight}-{w}_{max})}^{2}}$ | $\frac{2m{t}^{2}}{{\epsilon}^{2}}$ | $\frac{2{e}^{\frac{k\epsilon}{T}}}{{e}^{2\frac{k\epsilon}{T}}-2{e}^{\frac{k\epsilon}{T}}+1}$ |

| w | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 |
|---|---|---|---|---|---|---|---|---|---|---|
| k | 10,000 | 20,000 | 30,000 | 40,000 | 50,000 | 60,000 | 70,000 | 80,000 | 90,000 | 100,000 |
| BAAS/PAAS | 33.54 | 33.55 | 59.65 | 134.21 | 343.59 | 954.42 | 2804.86 | 8589.90 | 27148.38 | 87960.85 |
| ${\mathrm{MHDA}}^{+}$ | 33.37 | 33.38 | 59.48 | 134.04 | 343.42 | 954.26 | 2804.69 | 8589.75 | 27148.25 | 87960.80 |

| | BAAS | PAAS | WAAS | ${\mathbf{MHDA}}^{\mathbf{+}}$ |
|---|---|---|---|---|
| $\text{relative error}$ | $\frac{T}{(k-1)M\epsilon}$ | $\frac{T}{(k-1)M\epsilon}$ | $\frac{T{w}_{max}}{({\sum}_{weight}-{w}_{max})M\epsilon}$ | $\frac{2{e}^{-\frac{k\epsilon}{T}}}{M(1-{e}^{-\frac{2k\epsilon}{T}})}$ |

© 2016 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC-BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Ren, H.; Li, H.; Liang, X.; He, S.; Dai, Y.; Zhao, L. Privacy-Enhanced and Multifunctional Health Data Aggregation under Differential Privacy Guarantees. *Sensors* **2016**, *16*, 1463.
https://doi.org/10.3390/s16091463
