Secure Streaming Data Encryption and Query Scheme with Electric Vehicle Key Management

Abstract

The rapid proliferation of Electric Vehicle (EV) infrastructures has led to the massive generation of high-frequency streaming data uploaded to cloud platforms for real-time analysis, while such data supports intelligent energy management and behavioral analytics, it also encapsulates sensitive user information, the disclosure or misuse of which can lead to significant privacy and security threats. This work addresses these challenges by developing a secure and scalable scheme for protecting and verifying streaming data during storage and collaborative analysis. The proposed scheme ensures end-to-end confidentiality, forward security, and integrity verification while supporting efficient encrypted aggregation and fine-grained, time-based authorization. It introduces a lightweight mechanism that hierarchically organizes cryptographic keys and ciphertexts over time, enabling privacy-preserving queries without decrypting individual data points. Building on this foundation, an electric vehicle key management and query system is further designed to integrate the proposed encryption and verification scheme into practical V2X environments. The system supports privacy-preserving data sharing, verifiable statistical analytics, and flexible access control across heterogeneous cloud and edge infrastructures. Analytical and experimental evidence show that the designed system attains rigorous security guarantees alongside excellent efficiency and scalability, rendering it ideal for large-scale electric vehicle data protection and analysis tasks.

1. Introduction

Driven by the digitalization of transportation and the growing penetration of Electric Vehicles (EVs), energy networks are becoming increasingly dependent on real-time vehicular data. The nationwide rollout of charging facilities, expected to exceed 10.6 million units by mid-2024, provides the foundation for intelligent operations such as V2G coordination, demand-response scheduling, and renewable energy integration [1]. Unlike conventional periodic data collection, modern EV systems continuously generate and transmit high-frequency charging data at second-level or even millisecond-level granularity, forming a typical real-time streaming data flow. These data streams record multi-dimensional information, such as charging location, duration, power usage, and driving behavior, across various temporal and spatial domains. Consequently, they contain highly sensitive personal and operational information, including user mobility traces, energy consumption patterns, and behavioral profiles. To support large-scale analytics, model training, and personalized service optimization, such streaming data are often outsourced to cloud or edge servers for long-term storage and computation.

1.1. Motivation

Despite their analytical value, the outsourcing and cross-platform sharing of high-frequency streaming data introduce severe privacy and security risks [2]. Unauthorized access or data correlation may enable adversaries to infer user identities, travel routes, and behavioral habits, leading to substantial privacy leakage. Therefore, it is essential to perform encryption before outsourcing and to enforce access control with fine granularity, traceability, and revocability, ensuring secure and auditable collaboration across multiple stakeholders.

However, encrypting continuous and high-volume streaming data introduces several fundamental challenges. Each data point generated in real time, in principle, requires a distinct cryptographic key, which leads to exponential key growth and significant management overhead. When data consumers are authorized to access information within specific time intervals, conventional key assignment methods often necessitate distributing a large number of keys simultaneously, thereby reducing scalability and increasing computational cost. In addition, supporting real-time analytics or aggregation over encrypted streams demands not only data confidentiality but also verifiable integrity and query efficiency, which traditional encryption mechanisms are unable to achieve concurrently. The concept of deriving per-block encryption keys from a unified master key using PRFs [3,4] has been widely examined as a means to alleviate the challenge of large-scale key storage. Although this technique mitigates part of the management complexity, it remains insufficient for practical scenarios that require both fine-grained access control and efficient, continuous encryption of large-scale streaming data.

To overcome these challenges, we propose a comprehensive secure streaming encryption and query scheme tailored for EV data environments. It allows the data owner to control access granularity flexibly, ensuring that different consumers can obtain only the necessary information within their authorized time windows. The proposed scheme thus provides a scalable, lightweight, and privacy-preserving solution for secure data outsourcing and real-time analytics in cross-platform EV charging and V2G scenarios.

1.2. Contributions

Motivated by the need for scalable, efficient, and privacy-preserving protection of continuous EV data streams, this work contributes four core advancements. It is an extended version of our conference paper presented at DSPP [5], which has been substantially enhanced by incorporating a formal security proof, complete key management, and a comprehensive performance evaluation.

• We construct a scalable hierarchical key management framework by integrating a Key Derivation Tree (KDT) with a Regression Key Chain (RKR), thereby ensuring forward security across temporal data segments. All encryption and authentication keys are derived deterministically from a compact root key, solving the key explosion problem and reducing storage and transmission overhead.
• To secure continuous data streams, we introduce a symmetric additive homomorphic encryption (SAHE) scheme that permits efficient aggregation operations on ciphertexts, providing IND-CPA confidentiality based on the pseudorandom function (PRF) assumption.
• We propose a HomMAC-based integrity scheme that supports algebraic verification for per-chunk and aggregated ciphertexts, ensuring correctness throughout encrypted streams with very low verification cost.
• We implement a Ciphertext Index Tree (CIT) to support encrypted statistical queries and scalable aggregation. The proposed system integrates KDT, RKR, SAHE, and HomMAC, achieving low latency and strong scalability in both server and edge environments compared with EC-ElGamal and Paillier baselines.

The remainder of this paper is organized as follows. Section 2 reviews related work on encrypted stream processing and key management. Section 3 introduces the necessary preliminaries, including the symmetric additive homomorphic encryption (SAHE), pseudorandom functions, and AEAD. Section 4 presents the overall system framework and formal definition of the secure streaming data encryption and query scheme (SSEDQ). Section 5 details the construction and security analysis of SSEDQ. Section 6 describes the electric vehicle key management and query system, including the Ciphertext Index Tree (CIT) and privacy-preserving access policies. Section 7 reports the experimental results and performance analysis on both server and edge platforms. Finally, Section 8 concludes the paper and discusses directions for future work.

2. Related Work

2.1. Encrypted Stream Query Processing

Encryption has become an essential mechanism for safeguarding the confidentiality of streaming data. In recent years, researchers have extensively investigated how to support efficient query processing over encrypted streams without compromising data utility. Liu et al. [6] presented a secure MPC-based protocol that enables DTW queries on encrypted time series. However, the inherent computational complexity of DTW increases with stream length, limiting the scalability of their approach. To improve performance, Liu et al. [7] addressed this performance-security tension by designing PP-Stream, a distributed stream processing system for high-performance privacy-preserving neural network inference.

To further enhance privacy and efficiency, Fang et al. [8] designed a lightweight privacy-preserving data sharing scheme using secret sharing and aggregation, effectively mitigating plaintext leakage during transmission. Wang et al. [9] integrated AES-GCM encryption with trusted execution environments (TEEs) to construct secure Hoeffding tree models for encrypted training and inference. Similarly, Zheng et al. [10] proposed a method supporting similarity search over encrypted temporal streams based on Time-Warp Edit Distance (TWED) and KD-tree indexing under additive encryption. Wang [11] designed GraphGuard, the earliest system that realizes privacy-preserving outsourced detection of temporal patterns in streaming graphs, thus advancing secure analytics toward more dynamic data contexts.

Beyond deterministic encryption, several studies have explored querying over uncertain or incomplete encrypted streams. Chen et al. [12] introduced a probabilistic stream index for managing uncertain data, while Miao et al. [13] investigated privacy-preserving multi-pattern subset subgraph matching. Bai et al. [14] developed skyline query techniques for incomplete streams using range-based indexing and pruning optimizations. In addition, Guan et al. [15] achieved secure maximum aggregation over encrypted streams via Paillier homomorphic encryption combined with block-structured computation. Ouyang [16] advanced privacy-preserving temporal analytics through an efficient and oblivious framework. More recently, Safaee et al. [17] presented StreamFilter, a distributed range query system incorporating role-based access control, although it does not directly conceal the underlying data values. Despite this rich body of work on encrypted stream processing, most existing schemes were not designed for high-frequency, long-term EV telemetry. MPC-based and homomorphic encryption protocols [6,13,15] often incur substantial computational and communication overhead, which limits their practicality for second-level or millisecond-level data streams. TEE-based approaches [9] reduce cryptographic cost but shift trust to additional hardware and usually do not offer cryptographic forward security. Furthermore, many existing methods either focus on similarity search or pattern detection over fixed windows [10,11,16] and do not provide a unified treatment of continuous streaming encryption, ciphertext-domain aggregation, and verifiable integrity for large-scale statistical analytics. In particular, prior systems typically assume static keys or coarse-grained access policies and lack hierarchical, time-based key derivation that can support flexible authorization over arbitrary time intervals in EV scenarios.

2.2. Key Management and Access Control

Beyond encrypted query processing, effective key management and access control are equally essential to ensure secure data outsourcing. Vimercati et al. [18] introduced the concept of Over-encryption, which enforces attribute-based policies by mapping access privileges to hierarchical key trees using symmetric cryptography. Qi et al. [19] proposed CryptDAC, a revocable encryption scheme that maintains file–key associations for dynamic policy enforcement; however, it suffers from high revocation overhead and complex key hierarchy maintenance. Tong et al. [20] developed a secure k-nearest neighbor (k-NN) query scheme supporting multi-user delegation and verifiable result retrieval.

To achieve finer-grained access control, several studies have adopted ABE mechanisms [21,22,23,24], while these schemes enable expressive policy enforcement, they typically require pre-distributed attributes and are not optimized for dynamic, time-dependent query scenarios. Hua et al. [25] proposed a hybrid proxy re-encryption model that transforms ABE ciphertexts into identity-based encryption (IBE) format, thereby protecting lower-layer decryption details from the proxy. Building upon this, Xiong et al. [26] and Ge et al. [27] presented revocable proxy-assisted encryption schemes that allow key revocation without regenerating user credentials. Hierarchical key generation approaches based on data structures [28,29,30] have also been investigated to manage large-scale key hierarchies efficiently. However, such methods often introduce substantial overhead in metadata labeling and key revocation, making them less practical for large, continuously evolving datasets. Existing key management and access-control frameworks are mostly tailored to file-oriented or attribute-oriented data outsourcing, where data items are relatively static and access policies change infrequently. ABE- and proxy re-encryption-based schemes [21,22,23,24,25,26,27] provide expressive policies but suffer from high computation and communication overhead, and revocation typically requires updating many ciphertexts or keys. Tree-based key hierarchies [28,29,30] improve scalability but do not natively address forward security or aggregated queries over continuous data streams. Very few works consider streaming settings in which keys must evolve while supporting both raw and aggregate access for different consumers with verifiable correctness. In contrast, our design combines a GGM-style Key Derivation Tree and hash-based key regression with symmetric additive homomorphic encryption and HomMAC, providing fine-grained, time-based authorization, forward-secure key evolution, and aggregation tailored to EV streaming data.

3. Preliminaries

3.1. Efficient Symmetric Encryption with Additive Homomorphism

The SAHE scheme is a lightweight symmetric encryption method that supports additive homomorphism. SAHE is well-suited for environments with limited computational and energy resources, such as wireless sensor networks. We operate all additive homomorphic encryption directly in the prime field ${\mathbb{Z}}_p$. For plaintexts $m_1,m_2\in {\mathbb{Z}}_p$ and ciphertexts $c_1=\mathrm{Enc}(m_1)$ and $c_2=\mathrm{Enc}(m_2)$, additive homomorphism holds:

$$c_1+c_2=(m_1+k_1+m_2+k_2)modp.$$

3.2. Pseudorandom Functions and Key Derivation

WWe model key material using a secure pseudorandom function (PRF) $F:{\{0,1\}}^{\lambda }\times {\{0,1\}}^{*}\to {\mathbb{Z}}_p$, indistinguishable from a truly random function by any PPT adversary. Following the GGM paradigm, a seed at the tree root expands into per-leaf keys through a binary tree of PRG/PRF evaluations. For domain separation and context binding, we use HKDF to derive independent subkeys from a pseudorandom input K:

$$\mathrm{HKDF}-\mathrm{Expand}(K,\mathsf{info})\Rightarrow K_{\mathsf{info}},$$

where $\mathsf{info}$ is a public label (e.g., ${\mathsf{info}}_{\mathsf{AEAD}}$, ${\mathsf{info}}_{\mathsf{enc}}$, ${\mathsf{info}}_{\mathsf{mac}}$). Different labels yield computationally independent outputs even under key reuse in the extract phase. In our construction, (i) per-chunk keys $k_i$ are derived from the KDT leaf associated with the time window $t{w}_i$; (ii) $pd{k}_i=\mathsf{HKDF}(k_i,{\mathsf{info}}_{\mathsf{AEAD}})$ is used for AEAD; (iii) per-point encryption and MAC subkeys $(s{k}_{i,j},mac{k}_{i,j})$ are derived via HKDF keyed by a one-way hash chain state, ensuring time isolation and forward security.

3.3. AEAD with Associated Data and Nonce Discipline

We employ an authenticated encryption with associated data (AEAD) primitive, instantiated as AES-GCM, to protect each chunk $chun{k}_i$. AEAD takes as input a key $pd{k}_i$, a plaintext $M_i$, a nonce ${\mathsf{nonce}}_i$, and associated data ${\mathsf{aad}}_i$, and outputs $(C_i,{\mathsf{tag}}_i)$:

$$(C_i,{\mathsf{tag}}_i)\leftarrow \mathrm{AEAD}.{\mathrm{Enc}}_{pd{k}_i}(M_i;{\mathsf{nonce}}_i,{\mathsf{aad}}_i),M_i\leftarrow \mathrm{AEAD}.{\mathrm{Dec}}_{pd{k}_i}(C_i,{\mathsf{tag}}_i;{\mathsf{nonce}}_i,{\mathsf{aad}}_i).$$

Security requires (i) nonce uniqueness for each $(pd{k}_i,{\mathsf{nonce}}_i)$ pair and (ii) binding of metadata through ${\mathsf{aad}}_i$. AEAD provides indistinguishability under chosen-plaintext attacks and ciphertext integrity; the ${\mathsf{aad}}_i$ binding prevents cross-context replay or splicing across windows or devices. This layer complements SAHE-based linear aggregation by protecting the raw chunk payload and headers end-to-end.

4. System Framework

Figure 1 depicts the overall framework of our secure and privacy-preserving data collaboration model for vehicle-to-grid (V2G) applications. The proposed secure streaming data encryption and query scheme consists of four primary entities: the Data Owner (DO), the Data Server (DS), the Data Consumer (DC), and the Authorization Manager (AM). Each entity is assigned distinct cryptographic or control-plane responsibilities, collectively ensuring secure data generation, encrypted storage, privacy-preserving query processing, and fine-grained access control across the system.

• Data Owner (DO): The Data Owner is the entity responsible for generating and controlling the raw electric vehicle (EV) telemetry and charging stream data. The DO continuously collects high-frequency measurements and segments them into fixed-size time windows, transforming the data stream into temporally ordered chunks for encryption. It initializes the master secret and derives all subordinate encryption and authentication keys through a hierarchical Key Derivation Tree (KDT) combined with a one-way hash regression chain, thereby achieving forward secrecy and temporal key isolation. For each data chunk, the DO performs authenticated encryption and produces corresponding homomorphic authentication tags before uploading the resulting ciphertext packages to the Data Server for outsourced storage. The DO retains exclusive control of the root key and serves as the sole authority for key delegation. Depending on access policies, it selectively grants fine-grained decryption capabilities by releasing the minimal subset of KDT nodes for raw data access or provides only boundary regression keys for aggregated analytics, ensuring privacy-preserving and policy-compliant data sharing.
• Data Server (DS): The Data Server functions as an untrusted or semi-trusted storage and computation provider. It is responsible for storing uploaded data and maintaining a dynamic Ciphertext Index Tree (CIT) that hierarchically organizes encrypted statistical vectors in chronological order. When new encrypted chunks arrive, the DS updates the CIT and performs ciphertext-domain aggregation at higher levels to maintain compactness and support efficient query processing. Upon receiving a query request over a specific time interval from a Data Consumer, the DS locates the minimal set of CIT nodes covering the requested range and computes the aggregated ciphertext result, which is then returned to the consumer. Throughout this process, the DS neither possesses any decryption keys nor learns any plaintext information; it operates under the honest-but-curious assumption and serves purely as a custodial and computational node enabling scalable, privacy-preserving data outsourcing.
• Data Consumer (DC): The Data Consumer is an authorized entity, such as a grid operator, V2G aggregator, or analytics provider, that queries encrypted EV data for analysis and decision-making. Depending on the access rights granted by the Data Owner (DO), the DC may receive either the Key Derivation Tree (KDT) node subset ${\mathcal{N}}_{[t_s,t_e]}$ for fine-grained raw data decryption or the boundary regression keys $(s{k}_{start},s{k}_{end})$ for aggregated analytics. With these delegated keys, the DC can decrypt the corresponding ciphertexts and verify their integrity using the homomorphic MAC mechanism. After successful decryption and verification, the DC reconstructs statistical indicators such as mean, variance, and standard deviation, enabling privacy-preserving analytics and decision support without revealing any individual EV records.
• Authorization Manager (AM): The Authorization Manager neither generates nor processes any secret keys or ciphertexts. Instead, the AM operates at the control layer to enforce data-sharing policies and coordinate key-release procedures between the DO and the DC. When a DC requests access to a specific time range $[t_s,t_e]$, the AM verifies the request against predefined access policies and triggers the corresponding key-sharing algorithm on behalf of the DO, either $\mathsf{RawShare}([t_s,t_e])$ for fine-grained access or $\mathsf{AggShare}([t_s,t_e])$ for aggregated access. The resulting outputs ${\mathcal{N}}_{[t_s,t_e]}$ or $(s{k}_{start},s{k}_{end})$ are generated by the DO and securely transmitted to the DC via the AM. The AM also records each authorization event for accountability, but cannot compute or derive any cryptographic materials itself.

Definition 1.

A secure streaming data encryption and query scheme $\mathsf{SSEDQ}$ consists of a tuple of seven algorithms $(\mathsf{Setup},\mathsf{KeyGen},\mathsf{Encrypt},\mathsf{Decrypt},\mathsf{Verify},\mathsf{RawShare},\mathsf{AggShare})$, defined as follows:

$\mathsf{Setup}(\Delta t,M)\to (t{w}_i,chun{k}_i)$. The DO executes the $\mathsf{Setup}$. It takes as input the fixed time window $\Delta t$ and message space bound M, continuously collects the streaming data, and partitions it into temporally ordered chunks $\{chun{k}_i\}$ according to $\Delta t$.

$\mathsf{KeyGen}(k_{\mathsf{root}},i,\lambda )\to (k_i,pd{k}_i,{\{s{k}_{i,j}\}}_j,{\{mac{k}_{i,j}\}}_j)$. In this phase, the DO performs the $\mathsf{KeyGen}$. Given the master secret key $k_{\mathsf{root}}$, the chunk index i, and the security parameter λ, the algorithm derives a unique per-chunk key $k_i$, an associated AEAD encryption key $pd{k}_i$, and two corresponding sequences of subkeys ${\{s{k}_{i,j}\}}_j$ and ${\{mac{k}_{i,j}\}}_j$, which are used for encryption and message authentication, respectively.

$\mathsf{Encrypt}(chun{k}_i,pd{k}_i,{\{s{k}_{i,j}\}}_j,{\{mac{k}_{i,j}\}}_j)\to c{c}_i$. The DO executes the $\mathsf{Encrypt}$. It takes as input a data chunk $chun{k}_i$, the AEAD encryption key $pd{k}_i$, and the sets of encryption and authentication subkeys ${\{s{k}_{i,j}\}}_j$ and ${\{mac{k}_{i,j}\}}_j$, and outputs the ciphertext package $c{c}_i$ that includes both the encrypted data and its homomorphic authentication tags.

$\mathsf{Decrypt}(sv{c}_i,{\{s{k}_{i,j}\}}_j)\to ({\{v_{i,j}\}}_j,v^{agg})$. The DC executes the $\mathsf{Decrypt}$. It takes as input the ciphertext vector $sv{c}_i$ and the corresponding decryption subkeys ${\{s{k}_{i,j}\}}_j$, and outputs either the recovered plaintext values $\{v_{i,j}\}$ or the aggregated plaintext $v^{agg}$ over a specified interval.

$\mathsf{Verify}(c,\sigma ,mac{k}_{\mathrm{start}},mac{k}_{\mathrm{end}})\to \{0,1\}$. The DC executes the $\mathsf{Verify}$. It takes as input a ciphertext–tag pair $(c,\sigma )$ and the corresponding authentication keys $(mac{k}_{\mathrm{start}},mac{k}_{\mathrm{end}})$, and outputs 1 if the homomorphic MAC verification equation holds or 0 otherwise.

$\mathsf{RawShare}([t_s,t_e])\to {\mathcal{N}}_{[t_s,t_e]}$. The $\mathsf{RawShare}$ is executed by the DO or coordinated by the AM. It takes as input a query interval $[t_s,t_e]$ and outputs the minimal subset of KDT nodes ${\mathcal{N}}_{[t_s,t_e]}$ whose subtrees cover all chunk keys within this interval, enabling authorized reconstruction of per-chunk decryption keys.

$\mathsf{AggShare}([t_s,t_e])\to (s{k}_{start},s{k}_{end})$. The $\mathsf{AggShare}$ is executed by the DO or coordinated by the AM. It takes as input a query interval $[t_s,t_e]$ and outputs the boundary regression keys $(s{k}_{start},s{k}_{end})$ derived from the one-way hash chain, which allow aggregate decryption without exposing any individual plaintext records.

Correctness and Security Definitions

Definition 2

(Correctness). For any data point $v_{i,j}$ with corresponding ciphertext $c_{i,j}$ and MAC keys ${\mathit{mack}}_{i,j},{\mathit{mack}}_{i,j+1}$ derived from the key generation process, the secure streaming data encryption and query scheme $\mathsf{SSEDQ}$ satisfies correctness if

$$Pr\left[\begin{array}{cc}& (t{w}_i,chun{k}_i)\leftarrow \mathsf{Setup}(\Delta t,M),\hfill \\ & (k_i,pd{k}_i,{\{s{k}_{i,j}\}}_j,{\{{\mathit{mack}}_{i,j}\}}_j)\leftarrow \mathsf{KeyGen}(k_{\mathsf{root}},i,\lambda ),\hfill \\ & c{c}_i=(sv{c}_i,{\sigma }_i,{\mathsf{AEAD}}_i)\leftarrow \mathsf{Encrypt}(chun{k}_i,pd{k}_i,{\{s{k}_{i,j}\}}_j,{\{{\mathit{mack}}_{i,j}\}}_j),\hfill \\ & ({\{v_{i,j}^{\prime }\}}_j,v^{ag{g}^{\prime }})\leftarrow \mathsf{Decrypt}(sv{c}_i,{\{s{k}_{i,j}\}}_j),\hfill \\ & b\leftarrow \mathsf{Verify}(c_{i,j},{\sigma }_{i,j},{\mathit{mack}}_{i,j},{\mathit{mack}}_{i,j+1})\hfill \end{array}\right]=1,$$

where $v_{i,j}^{\prime }=v_{i,j}$, $v^{ag{g}^{\prime }}={\sum }_j{v}_{i,j}modp$, and $b=1$ indicates successful verification. The probability is taken over the internal randomness of $\mathsf{Setup}$, $\mathsf{KeyGen}$ and $\mathsf{Encrypt}$ (e.g., AEAD nonces).

Definition 3.

Consider an execution of $\mathsf{SSEDQ}$ that produces a sequence of secret keys $(s{k}_1, s{k}_2, \dots )$ and ciphertexts $(c_1, c_2, \dots )$ for time windows $t{w}_1, t{w}_2, \dots$. We say that $\mathsf{SSEDQ}$ achieves forward security if for every PPT adversary $\mathsf{Adv}$ and every time index t, the advantage of $\mathsf{Adv}$ in recovering any plaintext from a prior time window after compromising the current key $s{k}_t$ is negligible in the security parameter λ:

$${\mathsf{Adv}}_{\mathsf{Adv}}^{\mathsf{FS}}(\lambda )=Pr\left[\mathsf{Adv}(s{k}_t,c_{\le t})\to v_i\mathit{for}\mathit{some}i<t\right]\le \mathsf{negl}(\lambda ),$$

where $c_{\le t}=(c_1,\dots ,c_t)$ denotes all ciphertexts up to time t. Even if the adversary learns the current key $s{k}_t$, all data encrypted under keys $s{k}_1, \dots , s{k}_{t-1}$ must remain semantically secure.

Definition 4.

Given a security parameter λ, a prime modulus p, and pseudorandom function F, the additive encryption scheme achieves IND-CPA security if every PPT adversary $\mathcal{A}$ has only negligible distinguishing advantage between encryptions of chosen messages.

$${\mathsf{Adv}}_{\mathcal{A}}^{\mathrm{IND}-\mathrm{CPA}}(\lambda )=\left|Pr\left[\mathcal{A}\mathrm{wins}\right]-\frac{1}{2}\right|\le \mathsf{negl}(\lambda ).$$

Definition 5.

In the EUF–CMA game for a homomorphic MAC, an adversary $\mathcal{A}$ may query an oracle that returns honest ciphertext–tag pairs $(c_q,{\sigma }_q)$ for any requested index or interval q. Let $\mathcal{S}$ be the set of all such oracle outputs together with all pairs that $\mathcal{A}$ can generate from them using only the public homomorphic operation $(c,\sigma )\oplus (c^{\prime },{\sigma }^{\prime }):=(c+c^{\prime },\sigma +{\sigma }^{\prime })$ and $\mathcal{A}$ outputs a pair $(q^{★},c^{★},{\sigma }^{★})$. We say that $\mathcal{A}$ forges if $\mathsf{Verify}(c^{★},{\sigma }^{★},\mathsf{aux}(q^{★}))=1$ and $(c^{★},{\sigma }^{★})\notin \mathcal{S}$. The advantage of $\mathcal{A}$ is

$${\mathsf{Adv}}_{\mathcal{A}}^{\mathrm{HomMAC}-\mathrm{EUF}-\mathrm{CMA}}(\lambda )=Pr\left[\mathcal{A}\mathit{forges}\right].$$

The HomMAC scheme is EUF–CMA secure if ${\mathsf{Adv}}_{\mathcal{A}}^{\mathrm{HomMAC}-\mathrm{EUF}-\mathrm{CMA}}(\lambda )$ is negligible in λ.

5. Secure Streaming Data Encryption and Query Scheme

This section formalizes a streaming encryption and query scheme that enables confidentiality, forward security, and verifiable analytics over high-frequency EV telemetry. We first specify the scheme algorithms, then prove correctness, and finally establish security guarantees under standard PRF-based assumptions.

5.1. A Detailed Construction

$\mathsf{Setup}(\Delta t,M)\to (t{w}_{i}chun{k}_i)$. Streaming data are generated continuously in a time-sequential manner. For a given period, each data record is associated with a timestamp, and thus can be denoted as a data point $d{p}_i=(t{s}_i,v_i)$, where i is the index of the data point in the stream. Here, $t{s}_i$ denotes the timestamp and $v_i$ represents the value of the data point. Therefore, the stream can be formally defined as an ordered set of data points:

$$SD=\{d{p}_1, d{p}_2, d{p}_3, \dots , d{p}_i, d{p}_{i+1}, \dots \}.$$

The Data Owner ($DO$) adopts a fixed time window $\Delta t=t_{i+1}-t_i$. The stream is thus transformed into a sequence of temporally ordered chunks:

$$Chunks=\{chun{k}_0, chun{k}_1, \dots , chun{k}_k, \dots \}.$$

Each chunk corresponds to a time window $t{w}_i=[t_i,t_{i+1})$ and contains all data points within that window:

$$chun{k}_i=\{d{p}_{i,j}=(t{s}_{i,j},v_{i,j})\mid t{s}_{i,j}\in t{w}_i\}.$$

$\mathsf{KeyGen}(k_{\mathsf{root}},i,\lambda )\to (k_i,pd{k}_i,{\{s{k}_{i,j}\}}_j,{\{mac{k}_{i,j}\}}_j)$. Let G be a pseudorandom generator that expands a seed of length $\lambda$ into two child keys. The pseudorandom generator $G(k)$ produces a $2\lambda$-bit output, which is divided into two equal halves, expressed as $G(k)=G_0(k)\Vert G_1(k)$. Here, $G_0(k)$ and $G_1(k)$ represent the left and right child keys derived from the seed k, respectively. For any binary sequence $x=x_1{x}_2\dots x_h\in {\{0,1\}}^h$, we recursively define as $F(k,x)=G_{x_h}\left(G_{x_{h-1}}(\cdots G_{x_1}(k)\cdots )\right)$. Let $k_{\mathrm{root}}$ denote the root secret at the top of the key derivation tree. For each data chunk indexed by i, the Data Owner (DO) encodes i as an h-bit binary string $x^{(i)}=x_1^{(i)}{x}_2^{(i)}\dots x_h^{(i)}$ and derives the corresponding leaf key as:

$$k_i=F(k_{\mathrm{root}},x^{(i)})=G_{x_h^{(i)}}\left(G_{x_{h-1}^{(i)}}(\cdots G_{x_1^{(i)}}(k_{\mathrm{root}})\cdots )\right).$$

Figure 2 illustrates that the root key $k_{\mathrm{root}}$ functions as the initial seed in the hierarchy, and each leaf node in the tree represents a distinct data chunk generated through successive key derivations. The height of the tree determines the temporal granularity, and each leaf key $k_i$ can be efficiently mapped to its corresponding time window $t{w}_i=[t_i,t_{i+1})$. For each data chunk, we derive a unique Authenticated Encryption with Associated Data (AEAD) key $pd{k}_i$ from the corresponding hierarchical key $k_i$ using a key derivation function:

$$pd{k}_i=\mathrm{HKDF}(k_i,{\mathsf{info}}_{\mathsf{AEAD}}),$$

where ${\mathsf{info}}_{\mathsf{AEAD}}$ is a public context string that labels this key as the AEAD encryption key for chunk i. To achieve time-continuous authorization and forward security, a regression chain is constructed using a one-way hash function:

$$h_0=H(seed),h_i=H(h_{i-1}),s{k}_i=\mathrm{HKDF}(h_i,{\mathsf{info}}_{\mathsf{enc}}).$$

Here, HKDF (HMAC-based Key Derivation Function) is employed to expand each pseudorandom value $h_i$ into multiple cryptographically independent subkeys, ensuring fine-grained control and key separation across time periods. For data-point or feature-level keying within each chunk, we further derive

$$s{k}_{i,j}=\mathrm{HKDF}(h_i,j\parallel {\mathsf{info}}_{\mathsf{enc}}),mac{k}_{i,j}=\mathrm{HKDF}(h_i,j\parallel {\mathsf{info}}_{\mathsf{mac}}).$$

The parameters ${\mathsf{info}}_{\mathsf{enc}}$ and ${\mathsf{info}}_{\mathsf{mac}}$ are public, fixed context strings used for domain separation between encryption and authentication keys. They do not contain any secret material but guarantee that the keys derived for different purposes remain cryptographically independent.

$\mathsf{Encrypt}(chun{k}_i,pd{k}_i,{\{s{k}_{i,j}\}}_j,{\{mac{k}_{i,j}\}}_j)\to c{c}_i$. Before encryption, the data owner ($DO$) assigns each chunk a unique AEAD key $pd{k}_i$. We instantiate AEAD using the standard AES-GCM mode, which provides both confidentiality and integrity protection in a single operation. For each chunk $chun{k}_i$, the raw payload is sealed as follows:

$${\mathsf{AEAD}}_i={\mathrm{Enc}}_{\mathrm{AES}-\mathrm{GCM}}(chun{k}_i,pd{k}_i;{\mathsf{nonce}}_i,{\mathsf{aad}}_i).$$

Here, ${\mathsf{nonce}}_i$ denotes a unique per-chunk nonce, and ${\mathsf{aad}}_i$ is the associated data bound to the ciphertext (e.g., chunk index or timestamp). For each data value $v_{i,j}$, define the stream-style ciphertext and homomorphic tag:

$$c_{i,j}=(v_{i,j}+s{k}_{i,j}-s{k}_{i,j+1})modp,{\sigma }_{i,j}={\displaystyle \frac{mac{k}_{i,j}-mac{k}_{i,j+1}-c_{i,j}}{X}}modp.$$

(1)

Collect them into vectors:

$$sv{c}_i=\{c_{i,0}, c_{i,1}, \dots \},{\sigma }_i=\{{\sigma }_{i,0}, {\sigma }_{i,1}, \dots \}.$$

Finally, the complete ciphertext package is

$$c{c}_i=(sv{c}_i, {\sigma }_i, {\mathsf{AEAD}}_i),$$

which is uploaded to the data server $DS$ for secure storage.

$\mathsf{Decrypt}(sv{c}_i,{\{s{k}_{i,j}\}}_j)\to \left({\{v_{i,j}\}}_j,v^{agg}\right)$. Given authorized keys, an individual value is recovered by:

$$v_{i,j}=c_{i,j}-s{k}_{i,j}+s{k}_{i,j+1}modp.$$

(2)

For aggregates over an interval $[s,e)$, the telescoping property requires only boundary keys:

$$v^{agg}=\sum _{j=s}^{e-1}{c}_{i,j}-s{k}_{i,s}+s{k}_{i,e}modp.$$

(3)

$\mathsf{Verify}(c, \sigma , mac{k}_{\mathrm{start}}, mac{k}_{\mathrm{end}})\to \{0,1\}$. $(c, \sigma )$ represent either a single pair $(c_{i,j}, {\sigma }_{i,j})$ or an aggregated pair $(c_{agg}, {\sigma }_{agg})$, and the corresponding authentication keys $(mac{k}_{\mathrm{start}}, mac{k}_{\mathrm{end}})$ denote either consecutive or boundary values in the verification chain. The correctness condition is defined as

$$mac{k}_{\mathrm{start}}-mac{k}_{\mathrm{end}}=\sigma ·X+cmodp.$$

(4)

If the equation holds, it outputs 1; otherwise it outputs 0.

$\mathsf{RawShare}([t_s,t_e])\to {\mathcal{N}}_{[t_s,t_e]}$. Given a requested time interval $[t_s,t_e]$, the data owner selects the minimal subset of the Key Derivation Tree (KDT) that enables reconstruction of all chunk keys $\{k_i\}$ whose time windows $t{w}_i$ lie within this range. Formally,

$${\mathcal{N}}_{[t_s,t_e]}={\mathrm{MinCover}}_{{\mathcal{T}}_{\mathrm{KDT}}}\left(\{k_i\mid t{w}_i\subseteq [t_s,t_e]\}\right),$$

where ${\mathrm{MinCover}}_{{\mathcal{T}}_{\mathrm{KDT}}}(·)$ returns the minimal set of internal KDT nodes whose subtrees cover the selected leaves. The consumer can derive all required per-chunk keys $\{k_i\}$ from ${\mathcal{N}}_{[t_s, t_e]}$ to decrypt the corresponding ciphertexts within $[t_s, t_e]$.

$\mathsf{AggShare}([t_s, t_e])\to (s{k}_{start}, s{k}_{end})$. Given a requested time interval $[t_s,t_e]$, the data owner releases only the boundary regression keys corresponding to the start and end of the interval:

$$(s{k}_{start},s{k}_{end})=\left(s{k}_{i_s},s{k}_{i_e}\right),$$

where $s{k}_{i_s}$ and $s{k}_{i_e}$ are derived from the one-way hash chain $h_i=H(h_{i-1})$. These two keys enable the authorized consumer to decrypt aggregated ciphertexts over $[t_s,t_e]$, without exposing individual records.

5.2. Correctness Analysis

We argue that any ciphertext–tag pair produced honestly by the DO will be accepted by the verification function executed by a DC. Fix any chunk index i and position j. The DO derives per-point keys deterministically from $k_i$ as follows:

$$s{k}_{i,j}=\mathsf{HKDF}(k_i,j\Vert {\mathsf{info}}_{\mathsf{enc}}),s{k}_{i,j+1}=\mathsf{HKDF}(k_i,j+1\Vert {\mathsf{info}}_{\mathsf{enc}}),$$

$$mac{k}_{i,j}=\mathsf{HKDF}(k_i,j\Vert {\mathsf{info}}_{\mathsf{mac}}),mac{k}_{i,j+1}=\mathsf{HKDF}(k_i,j+1\Vert {\mathsf{info}}_{\mathsf{mac}}).$$

Given a plaintext value $v_{i,j}$, the stream-style additive encryption computes

$$c_{i,j}\equiv v_{i,j}+s{k}_{i,j}-s{k}_{i,j+1}(modp),$$

(5)

and the HomMAC tag is defined as

$${\sigma }_{i,j}\equiv \left(mac{k}_{i,j}-mac{k}_{i,j+1}-c_{i,j}\right)·X^{-1}(modp),$$

(6)

which is equivalent to ${\sigma }_{i,j}\equiv \left(mac{k}_{i,j}-mac{k}_{i,j+1}-c_{i,j}\right)X^{-1}(modp)$ because $X\in {\mathbb{Z}}_p$ is invertible. The DC’s verification procedure checks

$$mac{k}_{i,j}-mac{k}_{i,j+1}\stackrel{?}{\equiv }{\sigma }_{i,j}·X+c_{i,j}(modp).$$

(7)

Substituting the honest ${\sigma }_{i,j}$ into the verifier’s equation yields

$${\sigma }_{i,j}·X+c_{i,j}\equiv \left(mac{k}_{i,j}-mac{k}_{i,j+1}-c_{i,j}\right)+c_{i,j}\equiv mac{k}_{i,j}-mac{k}_{i,j+1}(modp),$$

(8)

which shows that the check holds identically whenever $(c_{i,j},{\sigma }_{i,j})$ are generated as specified. Because HKDF and all field operations are deterministic given their inputs, the verification outcome is deterministic as well. Hence, an honestly generated pair is accepted with probability 1 over all internal randomness of key derivation and encryption. The same algebra establishes correctness for aggregated pairs produced in the encrypted domain. When a server returns

$$c_{\mathsf{agg}}=\sum _{\ell =s}^{e-1}{c}_{i,\ell }modp,{\sigma }_{\mathsf{agg}}=\sum _{\ell =s}^{e-1}{\sigma }_{i,\ell }modp,$$

(9)

over a contiguous index interval $[s,e)$, the corresponding boundary authentication keys $(mac{k}_{i,s},mac{k}_{i,e})$ satisfy the telescoping identity

$$\sum _{\ell =s}^{e-1}(mac{k}_{i,\ell }-mac{k}_{i,\ell +1})=mac{k}_{i,s}-mac{k}_{i,e}(modp).$$

(10)

Substituting into the verification equation yields

$${\sigma }_{\mathsf{agg}}·X+c_{\mathsf{agg}}\equiv mac{k}_{i,s}-mac{k}_{i,e}(modp),$$

(11)

which shows that aggregated verification is correct for all range queries consisting of consecutive stream indices. The scheme does not attempt to verify arbitrary non-consecutive index sets, as the telescoping property holds only for contiguous intervals.

5.3. Formal Security Analysis

The analysis focuses on two primary aspects: (i) semantic security of the symmetric additive encryption under the pseudorandom function (PRF) assumption, and (ii) integrity, correctness and unforgeability of the HomMAC-based verification mechanism. The former ensures data confidentiality under chosen-plaintext attacks (IND-CPA), while the latter guarantees that no adversary can modify, forge, or inject ciphertext–tag pairs without detection.

Confidentiality

Let F be a secure PRF. The per-point additive encryption in our scheme is defined as:

$$\mathsf{Enc}(v_{i,j})=(v_{i,j}+F(k_{\mathsf{root}},(i,j))-F(k_{\mathsf{root}},(i,j+1)))modp.$$

(12)

For any security parameter $\lambda$, the encryption algorithm uses distinct PRF inputs for every pair $(i,j)$, and each key pair $(s{k}_{i,j},s{k}_{i,j+1})$ is used only once. We emphasize that the only requirement we impose is that each encryption operation uses a unique pair of PRF inputs $(i,j)$, so that the masks $F(k_{\mathsf{root}},(i,j))$ and $F(k_{\mathsf{root}},(i,j+1))$ are never reused. This is the standard non-reuse condition for PRF-based stream encryption and constrains only the generation of one-time pads; it does not restrict how many times a ciphertext or the underlying data point may subsequently be accessed, queried, or aggregated in a streaming analytics setting.

The following theorem establishes semantic security of the encryption layer under this standard non-reuse condition.

Theorem 1.

Given a prime modulus p and a secure PRF F, the proposed symmetric additive encryption scheme achieves indistinguishability under chosen-plaintext attack (IND-CPA) in the stateful streaming setting where the encryption algorithm maintains an internal state and guarantees that each encryption query uses fresh PRF inputs $(i,j)$, i.e., the masks $F(k_{\mathsf{root}},(i,j))$ and $F(k_{\mathsf{root}},(i,j+1))$ are never reused.

Proof. 

We establish the theorem through a hybrid game-based proof, where the adversary’s advantage is analyzed across two indistinguishable experiments.

• Game 0 (Real IND-CPA Experiment).

In the first experiment, denoted as the real-world setting, the challenger $\mathcal{C}$ initializes the system by sampling a master secret key $k_{\mathsf{root}}\leftarrow {\{0,1\}}^{\lambda }$. All encryption queries from the adversary $\mathcal{A}$ are answered using the actual pseudorandom function (PRF) $F(k_{\mathsf{root}},·)$. During the challenge phase, $\mathcal{A}$ submits two plaintext messages $(m_0,m_1)$ associated with a unique index $(i^{★},j^{★})$. The challenger then chooses a random bit $b\in \{0,1\}$ and responds with the ciphertext:

$$c^{★}=m_b+F(k_{\mathsf{root}},(i^{★},j^{★}))-F(k_{\mathsf{root}},(i^{★},j^{★}+1))modp.$$

(13)

Finally, $\mathcal{A}$ outputs a guess $b^{\prime }$ for b, and the corresponding advantage in this game is defined as

$${\mathsf{Adv}}_0=|Pr[b^{\prime }=b]-\frac{1}{2}|.$$

(14)

• Game 1 (Random Function Substitution).

The second experiment follows the same structure as Game 0, except that the challenger replaces the genuine PRF $F(k_{\mathsf{root}},·)$ with a truly random function $R:{\{0,1\}}^{*}\to {\mathbb{Z}}_p$. The function R is lazily sampled and remains consistent for identical inputs. For the challenge ciphertext, the computation proceeds as

$$c^{★}=m_b+R(i^{★},j^{★})-R(i^{★},j^{★}+1)modp.$$

(15)

Let ${\mathsf{Adv}}_1$ denote the adversary’s advantage in distinguishing this game from random guessing.

• Analysis.

By the PRF security assumption, no polynomial-time adversary can distinguish between a real PRF and a truly random function with non-negligible advantage. Therefore,

$$|{\mathsf{Adv}}_0-{\mathsf{Adv}}_1|\le \mathsf{negl}(\lambda ).$$

(16)

When R is truly random, the values $R(i^{★},j^{★})$ and $R(i^{★},j^{★}+1)$ are independent and uniformly distributed over ${\mathbb{Z}}_p$. Thus, their difference $\delta =R(i^{★},j^{★})-R(i^{★},j^{★}+1)modp$ is also uniformly distributed. Hence, the challenge ciphertext

$$c^{★}=m_b+\delta modp$$

(17)

is uniformly random and independent of b. Consequently, in Game 1 the adversary gains no information about b, so

$$Pr[b^{\prime }=b]=\frac{1}{2}\mathrm{and}\mathrm{therefore}{\mathsf{Adv}}_1=0.$$

(18)

Combining the two games, we obtain

$$Ad{v}_{\mathcal{A}}^{\mathsf{IND}-\mathsf{CPA}}=|Pr[b^{\prime }=b]-\frac{1}{2}| \le |{\mathsf{Adv}}_0-{\mathsf{Adv}}_1| + {\mathsf{Adv}}_1\le \mathsf{negl}(\lambda ).$$

(19)

Hence, the additive encryption layer is semantically secure under the PRF assumption. □

• Hybrid Argument for Full-Stream IND-CPA Security.

The IND-CPA proof above analyzes the indistinguishability of a single encrypted position. To extend this guarantee to the entire streaming ciphertext sequence, we employ a standard hybrid argument. Suppose the stream contains N encrypted positions. Define Hybrid $H_0$ as the real encryption experiment where all ciphertexts use PRF-derived masks. For $1\le k\le N$, define Hybrid $H_k$ as the experiment in which the first k masks used in encryption are replaced with independent uniform elements of ${\mathbb{Z}}_p$, while the remaining $N-k$ masks are generated by the PRF. For any k, the difference between $H_{k-1}$ and $H_k$ is exactly one PRF evaluation replaced by uniform randomness. Thus,

$$|Pr\left[H_{k-1}\right]-Pr\left[H_k\right]|\le {\mathsf{Adv}}_F^{\mathrm{PRF}}(\lambda ).$$

(20)

By the hybrid lemma,

$$|Pr\left[H_0\right]-Pr\left[H_N\right]|\le N·{\mathsf{Adv}}_F^{\mathrm{PRF}}(\lambda )=\mathsf{negl}(\lambda ),$$

(21)

since N is a polynomial in the security parameter. Hybrid $H_N$ corresponds to encrypting the entire stream using independent uniform masks and therefore leaks no information about the plaintexts. Consequently, the scheme achieves full-stream IND-CPA security.

• Security of KDT-Derived Keys.

A potential concern is whether keys derived through the KDT preserve the pseudorandomness required by the hybrid argument. Our KDT is built using the GGM construction, where each leaf key is of the form $k_i=F(k_{\mathrm{root}},x^{(i)})$, for a public binary label $x^{(i)}$. By the pseudorandomness of F, each derived key $k_i$ is indistinguishable from a uniformly random $\lambda$-bit string, even given all other node keys in the tree. HKDF is then applied to produce the per-point encryption and authentication keys, and standard domain-separation arguments guarantee that these subkeys behave as independent PRF seeds. Therefore, from the adversary’s perspective, every mask used in encryption is derived from an independent pseudorandom key, and the multi-point hybrid argument applies unchanged to the streaming setting.

Remark 1.

The security of the entire key derivation hierarchy follows directly from the GGM construction of the Key Derivation Tree (KDT). Since the KDT uses a pseudorandom generator (PRG) to expand seeds into child keys, each node key $k_i=F(k_{\mathsf{root}},x^{(i)})$ behaves as a PRF output on input $x^{(i)}$, ensuring pseudorandomness across all derived subkeys. Furthermore, HKDF ensures domain separation between encryption and authentication keys by binding context strings ${\mathsf{info}}_{\mathsf{enc}}$ and ${\mathsf{info}}_{\mathsf{mac}}$, so compromising one type of key does not endanger the other.

5.3.1. Forward Security of the Regression Key Chain

Theorem 2

(Forward Security). Let the regression chain be defined as $h_0=H(seed)$, $h_i=H(h_{i-1})$, $s{k}_i=\mathsf{HKDF}(h_i,{\mathsf{info}}_{\mathsf{enc}})$, where H is a one-way hash function and $\mathsf{HKDF}$ behaves as a secure PRF. For any time t, learning $s{k}_t$ does not enable any PPT adversary to compute any prior key $s{k}_i$ for $i<t$, except with negligible probability in λ.

Proof. 

Suppose, for the sake of contradiction, that there exists a PPT adversary $\mathsf{Adv}$ that, given $s{k}_t$, can compute some $s{k}_i$ for $i<t$ with non-negligible probability. By definition,

$$s{k}_t=\mathsf{HKDF}(h_t,{\mathsf{info}}_{\mathsf{enc}}),h_t=H(h_{t-1})=H(H(\cdots H(h_0)\cdots )).$$

By the PRF security of $\mathsf{HKDF}$, recovering any useful information about $h_t$ from $s{k}_t$ is as hard as breaking the PRF. Thus, if $\mathsf{Adv}$ can compute $s{k}_i$ for some $i<t$, we may assume that $\mathsf{Adv}$ effectively recovers $h_i$ for some $i<t$ given $h_t$. However, the sequence $(h_0,h_1,\dots ,h_t)$ is defined by repeated applications of the one-way function H, i.e., $h_j=H(h_{j-1})$ for all $1\le j\le t$. Computing any $h_i$ with $i<t$ from $h_t$ therefore requires inverting at least one application of H, which contradicts the one-wayness of H. Formally, we can build a reduction that uses $\mathsf{Adv}$ as a subroutine to invert H with non-negligible probability, violating the assumed security of H. Consequently, no such adversary $\mathsf{Adv}$ exists, and the regression key chain ${\{s{k}_i\}}_i$ is forward secure. □

5.3.2. Integrity

The integrity of the encrypted stream is guaranteed by the HomMAC verification mechanism, which enables algebraic consistency checks between ciphertexts and their associated tags. For each data value $v_{i,j}$, the DO computes the homomorphic tag in Equation (6) and the DC verifies each pair $(c_{i,j},{\sigma }_{i,j})$ by checking Equation (7). If the ciphertext and tag are generated honestly, this equation holds identically; otherwise, any modification of $c_{i,j}$ or ${\sigma }_{i,j}$ breaks the equality with probability $1/p$. By the unforgeability of the underlying MAC construction, an adversary who does not know $(mac{k}_{i,j},mac{k}_{i,j+1})$ cannot produce a valid $(c^{\prime },{\sigma }^{\prime })$ satisfying the verification equation except with negligible probability. Therefore, the HomMAC component provides algebraic integrity verification with perfect completeness and computational soundness:

$$Pr[\mathsf{Verify}(c,\sigma ,mac{k}_{\mathrm{start}},mac{k}_{\mathrm{end}})=1]=1$$

(22)

for all honestly generated ciphertexts.

Theorem 3

(EUF–CMA Security of HomMAC). Assume that HKDF, when keyed by a secret master value, behaves as a secure PRF over ${\mathbb{Z}}_p$, where $p\ge 2^{\lambda }$ is a prime. Then the HomMAC scheme defined in Section 5 is existentially unforgeable under chosen-message attacks according to Definition 5, even when the adversary is allowed to freely apply the public homomorphic operation $(c,\sigma )\oplus (c^{\prime },{\sigma }^{\prime })=(c+c^{\prime },\sigma +{\sigma }^{\prime })$.

Proof. 

We follow a standard two-game approach.

Game 0 (Real EUF–CMA experiment).

The challenger derives all $mac{k}_{i,j}=\mathsf{HKDF}(h_i,j\parallel {\mathsf{info}}_{\mathsf{mac}})$ and answers each query with the honest ciphertext–tag pair, while the adversary $\mathcal{A}$ may also form homomorphic combinations of these outputs. Let ${\mathsf{Adv}}_0$ be the probability that $\mathcal{A}$ produces a valid forgery not contained in the homomorphic closure $\mathcal{S}$ (Definition 5).

• Game 1 (HKDF outputs replaced by a random function).

In this game we replace HKDF by a truly random function R; thus all $mac{k}_{i,j}$ become independent uniform elements of ${\mathbb{Z}}_p$. The challenger still answers all queries according to the HomMAC specification. By PRF security of HKDF, the adversary cannot distinguish Game 0 and Game 1 except with negligible probability:

$$|{\mathsf{Adv}}_0-{\mathsf{Adv}}_1| \le \mathsf{negl}(\lambda ),$$

(23)

where ${\mathsf{Adv}}_1$ is $\mathcal{A}$’s success probability in Game 1.

• Analysis of Game 1.

Since the values $\{mac{k}_{i,j}\}$ are independent and uniformly random, each honestly produced pair $(c_{i,j},{\sigma }_{i,j})$ reveals exactly the linear relation

$${\sigma }_{i,j}X+c_{i,j}\equiv mac{k}_{i,j}-mac{k}_{i,j+1}(modp),$$

(24)

and any homomorphically aggregated pair over a contiguous interval $[s,e)$ reveals

$${\sigma }_{\mathsf{agg}}X+c_{\mathsf{agg}}\equiv mac{k}_s-mac{k}_e(modp),$$

(25)

as given by the telescoping identity. Hence, every oracle answer corresponds to a known linear combination of the independent random variables $\{mac{k}_{i,j}\}$. Because the homomorphic operation is linear, the set $\mathcal{S}$ of all derivable ciphertext–tag pairs corresponds exactly to the linear span of the coefficient vectors of previously observed pairs. A forgery $(c^{★},{\sigma }^{★})$ that is not in $\mathcal{S}$ therefore corresponds to a new linear combination of the $mack$-values whose coefficient vector is not in this span. Let this new combination be

$$T^{★}=\sum _{\ell }{\alpha }_{\ell }^{★}mac{k}_{\ell }(modp).$$

(26)

Because the $mac{k}_{\ell }$ are independent uniform elements of ${\mathbb{Z}}_p$ and $({\alpha }_{\ell }^{★})$ is linearly independent of all previously used coefficient vectors, the value $T^{★}$ is itself uniform over ${\mathbb{Z}}_p$ and independent of all information available to $\mathcal{A}$. To succeed, $\mathcal{A}$ must output $(c^{★},{\sigma }^{★})$ satisfying

$${\sigma }^{★}X+c^{★}=T^{★}(modp),$$

(27)

which requires guessing a fresh uniform field element. Thus

$${\mathsf{Adv}}_1\le 1/p\le 2^{-\lambda }.$$

(28)

We conclude

$${\mathsf{Adv}}_{\mathcal{A}}(\lambda )={\mathsf{Adv}}_0\le |{\mathsf{Adv}}_0-{\mathsf{Adv}}_1|+{\mathsf{Adv}}_1\le \mathsf{negl}(\lambda )+2^{-\lambda }.$$

(29)

Hence, the HomMAC scheme is EUF–CMA secure even when the adversary may freely use the homomorphic aggregation property. □

6. Electric Vehicle Key Management and Query System

Building upon the secure streaming data encryption scheme introduced in Section 5, this section presents the complete Electric Vehicle (EV) key management and query system. It incorporates the Ciphertext Index Tree (CIT) for efficient statistical aggregation and defines privacy-preserving data sharing policies enabled by KDT and RKR.

6.1. Encrypted Data Organization and Indexing

The Ciphertext Index Tree (CIT) serves as a hierarchical data structure that organizes encrypted statistical vectors $(sv{c}_i,{\sigma }_i)$ in a time-ordered manner, enabling efficient aggregation directly within the encrypted domain. Each node in the CIT encapsulates an aggregated ciphertext vector $(svc,\sigma )$ together with its corresponding index range $[from,to)$, and maintains pointers to multiple child nodes. This design allows the system to hierarchically summarize encrypted data without decryption, thus supporting scalable analytics on large and continuously updated data streams.

When a new encrypted chunk arrives, the data server dynamically inserts its associated statistical vector into the CIT. If the current leaf node still has capacity, the vector is appended directly. Otherwise, when the leaf is full, a ciphertext aggregation operation is triggered: a set of k ciphertexts are homomorphically summed, their aggregate result is stored at the parent node, and a new leaf node is subsequently opened to accommodate incoming data. Through this process, the CIT remains balanced and compact, while maintaining accurate aggregate representations of encrypted data at multiple levels.

During query processing, when a consumer requests data over a specific time interval $[t_a,t_b)$, the data server traverses the CIT to locate the minimal set of nodes that fully cover this interval. It then performs ciphertext-domain aggregation by summing the encrypted statistical vectors from the selected nodes:

$$sv{c}_{agg}=\sum sv{c}_i,{\sigma }_{agg}=\sum {\sigma }_i.$$

(30)

The aggregated ciphertext pair $(sv{c}_{agg},{\sigma }_{agg})$ is returned to the consumer, who can decrypt and verify the result using authorized keys. After decryption, the consumer reconstructs the plaintext statistical vector and computes essential statistical indicators such as the average, variance, standard deviation, and coefficient of variation:

$$avg={\displaystyle \frac{x_1}{x_0}},var={\displaystyle \frac{x_2}{x_0}}-{\left({\displaystyle \frac{x_1}{x_0}}\right)}^2,sd=\sqrt{var},CV={\displaystyle \frac{sd}{avg}}.$$

(31)

These statistical metrics enable efficient and privacy-preserving electric vehicle (EV) behavioral analytics, offering deep insights into driving patterns and system performance without exposing raw user data.

Theorem 4

(CIT Query Correctness). Let T be a Ciphertext Index Tree (CIT) that maintains the coverage and value invariants after each update. For any query interval $[i_s,i_e)$, the CIT query algorithm returns an aggregated ciphertext vector equal to ${\sum }_{i=i_s}^{i_e-1}sv{c}_i$, independent of the order in which leaves are inserted or internal aggregations are performed.

Proof. 

The CIT has two invariants and each node v stores a contiguous index range $\mathsf{rng}(v)=[a_v,b_v)$ covering exactly the leaf indices under v, and an aggregated ciphertext vector $S_v={\sum }_{{\ell }_i\in v}sv{c}_i$.

• Step 1: Correctness of interval queries.

Given a query $[i_s,i_e)$, the CIT query algorithm selects a set of nodes $\mathcal{V}$ such that: (i) their ranges are pairwise disjoint, and (ii) their union equals $[i_s,i_e)$. Thus, the leaves covered by $\mathcal{V}$ form a partition of $\{{\ell }_i\mid i_s\le i<i_e\}$. Using the value invariant, we have

$$S_{\mathrm{agg}}=\sum _{v\in \mathcal{V}}{S}_v=\sum _{v\in \mathcal{V}}\sum _{{\ell }_i\mathrm{under}v}sv{c}_i=\sum _{i=i_s}^{i_e-1}sv{c}_i.$$

(32)

Since ciphertext addition is associative and commutative, the result depends solely on the set of leaves in the interval, not on the order of intermediate summations.

• Step 2: Invariants hold for any insertion and aggregation order.

We argue that the CIT invariants are preserved under any sequence of leaf insertions and node aggregations. Whenever a new leaf ${\ell }_n$ is inserted, it is assigned $\mathsf{rng}({\ell }_n)=[n,n+1)$ and $S_{{\ell }_n}=sv{c}_n$, which trivially satisfies both invariants. The parent of ${\ell }_n$ then updates its range to the union of its children’s ranges and its stored value to the sum of its children’s values; the same union-and-sum update is propagated up the tree. Because each child already satisfies the invariants, every ancestor updated in this way continues to store exactly the union of its descendant leaf ranges and the corresponding aggregated ciphertext value. Similarly, when a batch of sibling nodes $w_1,\dots ,w_m$ is aggregated into a new parent node v, we define

$$\mathsf{rng}(v)=\bigcup _{j=1}^m\mathsf{rng}(w_j),S_v=\sum _{j=1}^m{S}_{w_j}.$$

(33)

Since each $S_{w_j}$ equals the sum of ciphertexts in $\mathsf{rng}(w_j)$, the value $S_v$ is exactly the sum of ciphertexts in $\mathsf{rng}(v)$. The new range $\mathsf{rng}(v)$ is contiguous because the aggregated children cover adjacent leaf intervals. Replacing $w_j$ by v and updating ancestors via the same union-and-sum rule preserves the invariants throughout the tree. Because this update rule depends only on the sets of child ranges and ciphertext sums, and ciphertext addition is associative and commutative, the final tree structure and all node values are invariant under reordering of insertions and aggregations. □

6.2. Privacy-Preserving Access and Sharing Policies

To achieve flexible yet privacy-preserving access control, the system supports two complementary data-sharing modes: fine-grained (raw) sharing and aggregated sharing. These modes correspond to different privacy levels and analytical requirements, allowing the Data Owner (DO) to control the granularity of information disclosed to consumers.

In the fine-grained sharing mode, the DO grants access to detailed raw data over a selected time interval $[t_s,t_e)$. This is accomplished by releasing the minimal set of Key Derivation Tree (KDT) nodes that cover the requested range. Using these nodes, the authorized consumer can reconstruct the per-chunk keys $\{k_i\}$ and decrypt individual ciphertext packages, thereby obtaining the complete raw chunks $chun{k}_i=\mathrm{Dec}(c{c}_i,k_i)$. This mode is well-suited for diagnostics, auditing, or fine-resolution analytics where detailed temporal information is required. In contrast, the aggregated sharing mode offers stronger privacy guarantees by disclosing only the boundary regression keys $(s{k}_{start},s{k}_{end})$ that correspond to the start and end of the requested time range. With these two keys, the consumer can decrypt only the aggregated ciphertext result:

$$v^{agg}=\sum _j{c}_{i,j}+s{k}_{start}-s{k}_{end}modp.$$

(34)

Since all intermediate keys remain hidden, this mechanism prevents the reconstruction of individual data records, thereby preserving confidentiality while still supporting statistical and aggregate queries. The two-tier policy design provides adaptable access control for various application scenarios, from detailed monitoring to aggregated analytics, without compromising cryptographic soundness or forward security.

7. Experimental Results and Analysis

The experimental results were carried out on two distinct hardware platforms to assess both high-performance and edge-oriented deployment environments comprehensively. For clarity, the plaintext baseline in our experiments refers solely to the computation of statistical vectors (e.g., count, sum, and second-order moments) on raw unencrypted data, without performing any encryption, authentication, or key-handling procedures. It therefore represents the minimal processing cost before any cryptographic operations are applied. The first platform represents a general-purpose computing environment, implemented on a desktop workstation equipped with an Intel Core i7-10700 processor. This setup is intended to emulate the performance level achievable in typical data-center or server-class conditions. The second platform emulates a resource-constrained edge computing device, specifically a Raspberry Pi 4 Model B. This configuration reflects a realistic deployment scenario for low-power IoT or in-vehicle edge environments, where energy and hardware resources are limited. All algorithms, including key generation, encryption, verification, and query processing, were implemented in Java 17 using consistent cryptographic libraries and identical parameter settings across both platforms to ensure fair performance comparison.

We evaluate the efficiency of our schemes by benchmarking their computational overhead against two classical homomorphic encryption baselines: EC-ElGamal [31] and Paillier [32]. The SAHE configuration uses 128-bit keys with a 32-layer hierarchical key derivation tree and pseudorandom key expansion. For consistency, EC-ElGamal is implemented with 256-bit keys, and Paillier with a 2048-bit modulus. The experimental results obtained on a desktop platform (Device1) and a RaspberryPi (Device2) are summarized in

Table 1. Performance comparison of average encryption and decryption latency on two devices.

Platform	Phase	Ours (μs)	SAHE + HomMAC (μs)	EC–ElGamal (ms)	Paillier (ms)
Device 1	Encryption	33.35	33.61	0.501	131
	Decryption	33.44	33.87	0.333	129
Device 2	Encryption	334.42	346.06	4.92	1260
	Decryption	334.84	349.07	3.54	1230

. To ensure fairness, all schemes are benchmarked at comparable classical security levels: SAHE uses 128-bit symmetric keys; EC-ElGamal uses a 256-bit elliptic curve (≈128-bit security); and Paillier uses a 2048-bit modulus (≈112-bit security, the standard parameter most closely aligned with 128-bit symmetric strength).

As shown in Table 1, SAHE achieves the lowest encryption and decryption latency on both platforms, outperforming asymmetric schemes by over an order of magnitude. Device 2 runs about ten times slower than device 1 due to hardware limitations, yet relative performance trends remain consistent. The HomMAC verification adds minimal overhead, confirming that our symmetric, KDT-based design maintains high efficiency and suitability for both server and edge deployments.

The experimental results in Figure 3 compare the chunk encryption time of SAHE-HomMAC, EC-ElGamal, and Paillier under two encryption configurations. Figure 3a,c encrypt statistical vectors only, and Figure 3b,d perform homomorphic encryption with additional AES-GCM encryption of raw data. Device 1 represents a high-performance desktop platform, while Device 2 corresponds to a resource-constrained edge device. On Device 1, SAHE-HomMAC achieves the lowest encryption latency, requiring only 5.91 ms and 13.49 ms for the two scenarios, respectively. This performance is approximately 20× faster than EC-ElGamal and over 3000× faster than Paillier. The inclusion of AES-GCM introduces only a minor increase in runtime, demonstrating that integrating data-point encryption and HomMAC verification incurs negligible computational overhead. On Device 2, although the absolute latency rises due to limited processing power, the relative performance trend remains consistent. SAHE-HomMAC still outperforms EC-ElGamal and Paillier by a large margin, achieving 52.79 ms (vector-only) and 122.19 ms encryption times, compared to over 1 s and 190 s for the asymmetric schemes. The results confirm that the proposed symmetric KDT-based SAHE-HomMAC scheme delivers high efficiency and scalability. Even when combined with AES-GCM encryption for raw data, it maintains low latency, minimal overhead, and excellent suitability for both cloud and edge computing environments.

As shown in Figure 4a,b, the experiment measures the overall processing time for encrypted data streams, including statistical vector computation, encryption, and ciphertext index tree construction. The reported SSEDQ processing time includes both raw chunk encryption (AES-GCM for plaintext payloads together with SAHE for statistical vectors) and all homomorphic aggregation operations performed during CIT maintenance. The aggregation cost grows linearly with the number of chunks because each new chunk requires a single ciphertext-vector addition at the corresponding CIT level. Our proposed SSEDQ scheme is compared with the plaintext baseline and two asymmetric homomorphic encryption schemes, EC-ElGamal and Paillier. In this experiment, each data block represents one minute of streaming data and contains 60 data points, with 100,000 data blocks generated to simulate approximately two months of continuous data. The ciphertext index tree is constructed with a branching factor of 1024. The evaluation is conducted on both Device 1 (desktop) and Device 2 (Raspberry Pi), representing high-performance and lightweight environments, respectively. In Figure 4a, Device 1 achieves an average processing time of 2.68 s under plaintext conditions, while SSEDQ requires 6.04 s to complete statistical computation, encryption, and index tree construction. This corresponds to an additional latency of approximately 0.04 s per minute of streaming data, demonstrating that the scheme can efficiently handle high-throughput data streams. EC-ElGamal and Paillier, however, exhibit significantly higher delays—approximately 20× and 3000× slower than SSEDQ, respectively. Similarly, Figure 4b shows results on Device 2, where the average plaintext processing time is 14.02 s, and SSEDQ requires 54.82 s. Despite limited hardware capability, the performance remains within one order of magnitude, confirming that the scheme introduces only moderate computational overhead. The symmetric design of SSEDQ allows efficient encryption and aggregation even under constrained environments.

Table 2. Scalability of key sharing with respect to the KDT depth on Device 1.

Depth h	Windows $\mathit{T}=2^{\mathit{h}}$	$\overline{|{\mathcal{N}}_{[{\mathit{t}}_{\mathit{s}},{\mathit{t}}_{\mathit{e}}]}|}$	RawShare Latency (μs)	AggShare Latency (μs)
10	1024	7.3	8.41	4.02
12	4096	8.6	10.27	4.11
14	16,384	10.2	14.63	4.19
16	65,536	11.9	18.73	4.24

evaluates the scalability of the key–sharing procedures with respect to the KDT depth h and the corresponding number of time windows $T=2^h$. As the tree becomes deeper, the average size of the minimal cover $\overline{|{\mathcal{N}}_{[t_s,t_e]}|}$ returned by $\mathsf{RawShare}$ increases only mildly, reflecting the expected $O(logT)$ behavior. The $\mathsf{RawShare}$ latency grows slowly with h and remains within a few tens of microseconds, demonstrating that fine-grained key authorization is highly scalable even for large temporal domains. In contrast, $\mathsf{AggShare}$ exhibits nearly constant latency because it always releases only two boundary keys, independent of the KDT depth. These results confirm that both raw and aggregated key–sharing operations scale efficiently as the temporal range expands.

As illustrated in Figure 5, the query latency in the plaintext setting grows almost linearly with the size of the query range. This is because no preprocessing is performed on the plaintext data, and the server must aggregate all values within the queried interval. Although the latency is low for small ranges, it increases significantly for large ranges due to the linear accumulation of operations. When the plaintext index tree is used, the latency for small ranges is slightly higher than in the pure plaintext setting, since the system still needs to traverse tree nodes before performing aggregation. However, for large ranges, the plaintext index tree avoids excessive per-element aggregation and therefore reduces the overall query cost. The ciphertext index tree exhibits the same behavior: the query time depends on which internal nodes are selected to answer the range query. Although some fluctuations appear as the range size changes, the overall latency remains consistently low. This demonstrates that the index-tree structure significantly improves query efficiency, particularly when the data volume is large. In our measurements, the average query time using the plaintext index tree is 39.29 μs, while the SSEDQ scheme achieves an average latency of 125.61 μs. The additional overhead (about a 3.2× increase) is attributable to the decryption and HomMAC verification procedure on the client side, yet the overall latency remains within the same order of magnitude as plaintext. In contrast, the EC–ElGamal-based scheme incurs an average query time exceeding 1 ms, and the Paillier-based scheme reaches 387.89 ms, showing a clear performance disadvantage compared to SSEDQ.

To evaluate both the construction efficiency of the Ciphertext Index Tree (CIT) and the query performance over encrypted statistical vectors, we randomly generated one million statistical vectors and inserted them into the CIT while measuring the total construction time. Furthermore, to assess query efficiency, we randomly selected one statistical vector and a range of 100,000 vectors, and recorded the corresponding query latency. The CIT is a k-ary tree; to examine the influence of different branching factors on performance, we constructed and tested 15 CIT instances with varying values of k. Since CIT construction and query processing are carried out entirely on the data server and do not involve resource-constrained devices, this experiment was conducted only on Device 1. The CIT construction time under different branching factors is reported in Figure 6.

8. Conclusions

The proposed scheme combines hierarchical key derivation and time-continuous key regression to achieve efficient and forward-secure key management. Employing symmetric additive homomorphic encryption with homomorphic message authentication enables confidentiality, verifiable integrity, and ciphertext-domain aggregation without revealing individual records. Furthermore, the Ciphertext Index Tree (CIT) supports scalable and privacy-preserving statistical queries, extending the applicability of the framework to large-scale EV data analytics. Experimental evaluations demonstrate that the proposed approach significantly reduces encryption latency and resource overhead compared with conventional homomorphic schemes, maintaining consistent performance across both cloud and edge platforms. Future work will focus on integrating dynamic multi-user access control, decentralized key management, and cross-domain interoperability to further enhance the practicality of secure EV data sharing and collaboration.