Non-Interactive and Secure Data Aggregation Scheme for Internet of Things

: The popularity of mobile devices in Internet of Things has brought great convenience to the lives of the people. Massive data generated in the IoT are outsourced and stored on cloud platforms so that data aggregation and analysis can be performed on the massive data. However, these data often contain sensitive information of mobile devices, so effective protection of mobile user privacy is the primary condition for further development of IoT. Most of the current data aggregation schemes require a lot of interactions between users, and thus this paper designs a non-interactive secure multidimensional data aggregation scheme. This scheme adopts an additive secret sharing technique to mask the shared data and send it to two non-colluding servers, and then the servers aggregate the ciphertext respectively. Different from the existing schemes, our proposed scheme achieves non-interaction between users, and the aggregation result is kept conﬁdential to the server and supports mobile users ofﬂine. Finally, we perform an experimental evaluation which proves the effectiveness of our scheme.


Introduction
With the rapid development of mobile devices and cloud computing, the IoT has brought great convenience to the lives of people. According to the mobile economy 2020 released by the Global System for Mobile Communications Assembly, the total number of global IoT connections reached 12 billion in 2019, and they will reach 24.6 billion in 2025 [1]. These devices will generate data, which means that the IoT can have a deeper understanding of user behavior, so as to provide users with more convenient and faster services.
The large amount of data generated by the IoT covers various fields, such as medical life services, economy and education, which have promoted the development of human society. However, in the face of these massive amounts of data, the information in their collection, processing and transmission process may be maliciously attacked, which may lead to privacy information leakage. For individuals, smart wearable devices record information about our daily life, including our health status, location, call records, etc. However, the transmission process between the device and the mobile phone is not secure, and once the private information is intercepted by malicious attackers, the consequences are beyond imaginable. For the country, once the confidential national information is stolen by illegal elements, the security is doomed to face huge losses, so the importance is self-evident.
Aggregation technology is a common data processing method in the IoT. Smart devices generate extensive data which are collected and aggregated by cloud servers and applied in learning algorithms such as machine learning and artificial intelligence. The data are analyzed and predicted so as to improve the user experience of using smart devices [2,3], and cloud servers provide basic services for IoT and improve the computing efficiency of smart devices. For example, if you want to know the electricity situation of users in an area, the cloud server will aggregate the electricity information of these users. After that, the electricity service provider could analyze the total electricity consumption, so as to reasonably allocate the electricity resources in this area. However, they are also facing the issue of data privacy leakage, so data security and user privacy have also received great attention [4][5][6][7].
In the existing secure data aggregation research, most of the schemes are able to protect the private data of users well, but they use complex encryption techniques, which leads to high computational overhead and communication costs for users. In addition, due to the complexity of the real environment, mobile devices may drop out at any time during the process of performing aggregation tasks. However, many schemes do not take this problem into consideration.
In order to work out the problem of the huge communication cost, and support users offline and realize the verification of the aggregation results, this paper proposes a noninteractive and secure data aggregation algorithm, which means that the mobile users do not interact with each other. Compared with the previous ones, our algorithm not only reduces the computational complexity of local users from O(n 2 + mn) to O(m), but also reduces the communication cost from 2(3n + 1)m|p| to 3m|p|. In addition, this scheme supports users offline and can effectively verify the aggregation results. Our contributions are as follows: 1.
We design a non-interactive and secure data aggregation scheme that has low communication overheads, which is robust to the exiting users and supports mobile users offline. This scheme uses additive secret sharing to share the original data in two parts, and then masks two shared values with a random number. Finally, the ciphertext is sent to two non-colluding cloud servers separately. Compared with the previous aggregation ones, our scheme reduces the computation and communication costs of users.

2.
In most of the previous schemes, the server can obtain the final aggregation results, and it is possible for the cloud to misuse the aggregation results for malicious analysis and speculation. However, in our scheme, the two cloud servers perform data aggregation with the ciphertext of the aggregation result, and therefore the true aggregation result is well-protected from the servers.

3.
This paper designs a set of algorithms so that the final aggregation result can be efficiently verified. Anyone can check the correctness of the aggregation results with a probability of 1, and it is impossible for an incorrect aggregation result to be successfully verified.
The rest of this paper is organized as follows. In Sections 2 and 3, we first present the related work and preliminaries. The system framework and the non-interactive and secure data aggregation scheme are introduced in Section 4. Privacy and limitations of the paper are discussed in Section 5. The experimental results are presented in Section 6. Finally, we outline the conclusions of the paper in Section 7.

Related Work
In the past few decades, scholars have put forward many secure data aggregation schemes from different applications, mainly on account of secure multi-party computation, differential privacy and homomorphic encryption. Due to the emergence of federated learning, the problem of data islands has been well-resolved. Participants calculate the training gradient locally, then use encryption technology to mask the local gradient before sending the ciphertext to the server. After that, the server aggregates these ciphertexts securely, and then returns the aggregation results to the participants. This process does not require participants to directly share local data, thereby reducing many privacy leaks [8][9][10][11].
In the field of machine learning, Bonawitz et al. [12] provided a double-masked secure aggregation scheme by using key agreement and secret sharing techniques, which not only ensures user input privacy but is also robust to dropped users. However, there are many shortcomings in this scheme, such as the need for continuous interaction between users, the lack of support for offline users and the inability to verify aggregation results. On the basis of the above scheme, Xu et al. [13] proposed a similar scheme based on federated learning which verifies the aggregation results and ensures the correctness of aggregation. Yang et al. [14] achieved an aggregation scheme with paillier homomorphic encryption, which ensures the privacy of user input at the same time. Mandal et al. [15] proposed the practical privacy-preserving federated regressions scheme, which can train regression models in a federated learning environment. At the same time, it ensures data and model privacy. Based on proxy encryption and aggregate signature techniques, Xu et al. [16] designed a multi-party secure learning framework. The main feature of this scheme is to use proxy encryption to realize key transformation, so that the server does not obtain the final aggregation result and only the user can utilize the corresponding private key to decrypt the aggregation result.
In the application of the Internet of Things, secure data aggregation is more widely used. Based on homomorphic encryption technology, Al-Zubaidie et al. [17] used a secure and lightweight signature algorithm to prevent user information leakage. Edemacu et al. [18] proposed a multi-party privacy-preserving logistic regression framework and filtered out low-quality data for data contributors. Yang et al. [19] designed an encryption scheme on account of elliptic curve encryption, which reduces the computation and communication costs. However, it does not propose a verification algorithm to verify the aggregation results. Li et al. [20] put forward an aggregation scheme by using key agreement and a verification algorithm. Although the scheme proposes a verification algorithm for aggregating results, it does not support user drop out, and therefore, once the user drops out, this aggregation protocol will aggregate incorrect results. Based on Bonawitz's scheme, Jiang et al. [21] added the functions of location privacy and multi-dimensional data analysis for mobile users, but the communication cost is still very high and most mobile users must be online.

Preliminaries
This section will introduce some basic concepts, including secure multi-party computation, additive secret sharing, pseudo-random generator, bilinear map and verifiable computation.

Secure Multi-Party Computation
Yao proposed a theoretical framework for secure multi-party computation, which resolves the problem of collaborative computation among a set of mutually distrustful parties in the context of protecting private information without a trusted third party [22].
Afterwards, several papers [23][24][25][26] applied this theory. Secure multi-party computation means the collaborative computation of an agreed function by multiple participants with an untrusted third party. It is also guaranteed that each party only obtains its own calculation results and cannot infer the input and output data of any other party from the interaction data during the calculation. The mathematical formula for multi-party security computation is as follows: f (a 1 , a 2 , . . . , a n ) = (b 1 , b 2 , . . . , b n ) (1) where a 1 , a 2 , . . . , a n are the inputs of each participant, b 1 , b 2 , . . . , b n are the corresponding outputs and f is the computation function agreed by each participant. Each participant can only see their own inputs and outputs in the whole multi-party computation protocol, and cannot know the inputs and outputs of other participants.

Additive Secret Sharing
Inspired by former works [27,28], this paper introduces additive secret sharing to split the data into two parts. We assume a mobile user O i shares the secret u (define < u > as the shared value of u) to server A and server B, then S A and S B obtain < u > A and < u > B , where < u > A + < u > B = u mod p. It is worth noting that S A and S B are non-colluding, so < u > A (< u > B ) is only known to S A (S B ). In order to reconstruct the value of u later, two parties need to send the secret shared value together to obtain u. In our scheme, the data are first split into two secret shared values, which not only protects the original data, but also achieves non-interactivity between the users.

Pseudo-Random Generator
A pseudo-random number generator [29,30] is used to reduce our computational cost in our scheme. A random number seed is used to generate irrelevant random numbers and we use PRG (seed) to represent the output random numbers. Pseudo-random generator: {0, 1} n → {0, 1} l is a deterministic that receives an n-bit binary string as input and outputs an l-bit binary string, where l is much larger than n. The security of a cryptographically strong PRG is defined by the fact that its output is indistinguishable from the bit stream of a true random number.

Bilinear Map
Let G 1 , G 2 and G τ be cyclic groups of order p, where p is a large prime, and g 1 and g 2 are generators of G 1 , G 2 , respectively. e: G 1 × G 2 → G τ is a bilinear map, which satisfies the following conditions [31]:

1.
Bilinearity: For any a, b ∈ Z * p and g ∈ G 1 , h ∈ G 2 , we have e(g a , h b ) = e(g, h) ab .
BDHE assumption: Given g, g a , g b ∈ G 1 , h ∈ G 2 , for any a, b ∈ F * p , if the probability to solve the BDHE problem is negligible, it means that the BDHE assumption holds in G τ .

Verifiable Computation
The verification algorithm is usually used to check the results which are returned by the server. The main purpose of the References [32][33][34][35] is to study verifiable algorithms. Since cloud servers are untrustworthy, Jia et al. [36] and Zhang et al. [37] proposed public verification algorithms supporting large-scale matrix multiplication. In our scheme, the verification algorithm allows the verifier to verify the final result. The algorithm contains the following four sub-algorithms: 1.
KeyGen ( f , λ) → (pk, sk): The inputs to the key generation algorithm are the secure parameter λ and function f , and then the outputs are pk and sk.

2.
ProbGen (sk, x) → (σ x , τ x ): The inputs to the problem generation algorithm are sk and x, and the outputs are σ x , τ x , where σ x is a public value and τ x is a private value kept by the user.

3.
Compute (pk, σ x ) → σ y : The algorithm takes pk and σ x as inputs, and the cloud server computes the output value σ y . 4.
Verify (sk, τ x , σ y ) → y∪ ⊥: The user uses sk and τ x to verify whether σ y is correct; if the verification passes, it will be accepted, otherwise, it will be rejected.

System Framework and Non-Interactive and Secure Data Aggregation Scheme
In this section, the system framework and the non-interactive and secure data aggregation scheme are presented in detail.

System Framework
Here, we introduce the system model, threat model and design goals of this paper.

System Model
The system model consists of four roles: mobile users, two non-colluding aggregation servers, control center and public verifier.
Mobile users: In the system, n mobile users are set up (defined as O = {O 1 , O 2 , . . . , O i , . . . , O n }), and each mobile user holds a local private vector and uses a random number to protect the private vector. At the same time, it also generates a verification key.
Cloud servers: This system consists of two non-colluding servers, S A and S B , mainly to realize non-interactivity between users and keep the aggregation results confidential to the cloud server. They will aggregate these vectors and also generate the corresponding proofs when they receive masking vectors from n mobile users. Then, the aggregation results and proofs are sent to the control center.
Control center: The two aggregation results are added up to obtain the final result after the control center receives the aggregation results from S A and S B , so that the data of these users can be analyzed by the control center.
Public verifier: The verifier usually refers to trusted institutions that can check the final result based on the proofs and verification keys.
As shown in Figure 1, each mobile user first sends the local ciphertexts < c i > A and < c i > B to S A and S B through a secure channel, respectively. Then, the server aggregates the ciphertexts of all users and generates an aggregation value and verification key. Next, the control center computes the final aggregation result. Finally, the public verifier checks the final aggregation result according to the verification keys of the mobile user and the server. In Table 1, we list the main symbols used in this paper, respectively.

Symbols Definition
The shares of x i a i Random vector of the mask selected by user The ciphertexts of shared value < x i > m Dimension of the private vector h Verification vectors PK The public key for verification VK i Authentication key for verification sum Aggregation result σ The proof of computation

Threat Model
In this paper, we assume that mobile users and cloud servers are honest but curious, and the control center is trustworthy.
The mobile users: The mobile users are curious about the private data of others while participating in the aggregation process. However, malicious mobile users may collude with each other to infer private data of others, or use their own private data to collude with cloud servers for the same purpose.
The cloud servers: They may return forged results to the control center, which will lead to wrong results. In addition, the cloud server may also collude with malicious users to infer the private information of other users.

Design Goals
The non-interactive and secure data aggregation scheme proposed in this paper should achieve the following five goals: 1.
Input privacy: The data collected by mobile users are sensitive data. These data should be masked before sending to the server; therefore, in this paper we should ensure that the data input is private.

2.
Output privacy: Since there are two non-colluding servers, they perform aggregation operations without obtaining the final aggregation result; therefore, in this paper we should ensure the output privacy.

3.
Verifiability: The verifier can utilize the verification algorithm to verify whether it is correct when all participants execute the protocol correctly.

4.
Non-interactivity: Our scheme guarantees non-interaction between users, which reduces the communication cost. Due to the non-interactivity between users, it will not affect the normal execution of the protocol even if someone drops out during the aggregation process.

5.
Efficiency: It is experimentally demonstrated that our aggregation scheme can obtain the aggregation result and verify its correctness with a low computation cost.

Non-Interactive and Secure Data Aggregation Scheme
In this section, the non-interactive and secure data aggregation scheme is described in detail. We suppose that there are n mobile users and each mobile user, O i , collects a large amount of private data about themselves, such as identity information, personal assets, health status and so on. The data collected by mobile users are called private data, x i = (x i1 , x i2 , . . . , x im ), where m is the dimension of private data. Firstly, each O i uses additive secret sharing to split x i into two parts: < x i > A and < x i > B , where < x i > A + < x i > B = x i mod p. Then, each O i encrypts < x i > A and < x i > B using its own generated private key respectively, and also generates the relevant verification keys. Finally, the mobile user sends the ciphertexts to S A and S B , respectively. Next, S A and S B aggregate the data from n mobile users, then the aggregation results are sent to the control center for analysis. Meanwhile, the public verifier can also verify the aggregation results, as shown in Algorithm 1, and the specific steps are shown in the following subsections.

Key Generation
The system initialization is performed by the key generation center. e: G 1 × G 2 → G τ is a bilinear map, where G 1 , G 2 and G τ are multiplicative groups of order p, and p is a large prime, and g and g are generators of G 1 and G 2 , respectively. Later, it publishes the public parameters = (G 1 , G 2 , G τ , p, g, g ).

Masking of Private Data
This algorithm is used to blind the private vectors of mobile users. Each mobile user, O i , has private data x i = (x i1 , x i2 , . . . , x ik , . . . , x im ), where x ik represent the k-th dimension data (1 < k < m). In the following steps, this paper will take the k-th dimension data x ik as an example. Firstly, the mobile user O i selects a random vector a = (a i1 , . . . , a ik , . . . , a im ), where a ik ∈ Z * p , and calculates < x ik > A and < x ik > B using the additive secret sharing algorithm. Input a ik into the PRG as a random seed. Subsequently, O i encrypts < x ik > A and < x ik > B respectively, as follows: Then, the mobile user sends the ciphertexts to the cloud server through a secure channel, meanwhile generating public verification keys VK i = (VK i1 , . . . , VK ik , . . . , VK im ). The mobile user provides the verification keys to the verifier so that the verifier can verify the final result.

Verification of the Results
The public verifier can check the each k-th final result and proof after receiving the final result from the control center. The verification formula is as follows: where σ k and sum k are provided by the control center, and VK ik is provided by mobile users.
Theorem 1. According to the verification algorithm, the public verifier can verify the correctness of the final result. Proof.
It can be seen from the above formula that our proposed verification algorithm is correct.

Analysis
We will analyze the non-interactive and secure data aggregation scheme based on input and output privacy, verification algorithm security, robustness analysis and limitations.

Input and Output Privacy
Input privacy: Our scheme first performs additive secret sharing of private data and then masks it by the random number in the masking phase. The random number, a ik , is generated by the user and kept by himself. It must obtain the blinded value a ik if the cloud server receives the ciphertext of each mobile user and wants to recover the personal information. Assume that |p| is the length of the key, then the probability that the cloud server recovers the private data is P r = 2 −|p| . Since the key length is usually very large, the probability is negligible. The server cannot obtain privacy data for the mobile user, and therefore, our scheme guarantees the input privacy.
Output privacy: In our aggregation phase, the server aggregates the ciphertext data from all the mobile users and the output result is a part of the additive secret sharing, which is not the sum of all of the mobile users. Meanwhile, the two servers are non-colluding, honest and curious, so the server does not obtain the final aggregation result and then cannot analyze the data of these mobile users in the aggregation. Moreover, the < σ k > A and < σ k > B are computed by the cloud servers and cannot reveal any private information about them; therefore, our scheme guarantees the output privacy.

Verification Algorithm Security
Theorem 2. Our proposed verification algorithm is secure under the BDHE assumption.
Proof. The reason this paper uses the BDHE assumption is that in the verification phase, the user needs to send the verification key PK x i i = e(g r i , g ) x i to the verifier, which is a BDHE problem. We know that the BDHE assumption is that given g, g ψ , g ω ∈ G, h ∈ G 1 , it is difficult to compute ψ, ω ∈ Z * p . Therefore, this paper assumes that there is an adversary P that can work out this difficult matter by using an efficient algorithm, Θ, with a non-negligible advantage, ε. The steps are indicated as below: The algorithm Θ initializes the system by choosing G 1 , G 2 and G τ as p-order cyclic groups, and g, g are the generating elements of G 1 , G 2 , respectively. Firstly, the algorithm Θ chooses ψ , ω ∈ Z * p randomly, computes g 1 = g ψ and g 1 = (g ω ) δ , and then the common parameters = (G 1 , G 2 , G τ , p, g, g , g 1 , g 1 ) are published. Secondly, PK i = e(g, g )/e(g 1 , g 1 ) is computed. Since the algorithm Θ knows the public parameters and VK ik , then it can obtain e(∏ n i=1 g x ik , g ) = e(∏ n i=1 g c ik Adversary P uses the algorithm Θ to obtain VK ik for each input x ik . Then, adversary P forges the aggregation result k , where result k = result k . Then, the algorithm Θ verifies whether results k = result k . If the verification passes, it implies that the algorithm Θ fails the challenge. Otherwise, it works out the BDHE problem and obtains the following settlement result: From the above equation, it can be seen that our verification algorithm is secure under the BDHE assumption.

Robustness Analysis
In the actual application, mobile users in IoT may drop out at any time due to network and other factors. In the previous schemes, the secret sharing recovery algorithm is usually used to restore the mask values of exiting users, which improves the robustness of their scheme. Some methods [12,21] require a large number of mobile users to be online, and their masking formula is y u = x u + PRG(b u ) + ∑ v∈U:u<v (PRG(s u,v ) − ∑ v∈U:u>v (PRG(s u,v ) mod R. The x u represents the private data of each user and b u is a random number generated by the user who distributes shares of b u to the other users, and s u,v is the agreement key between user u and user v. Assume that there are no user drops out, then the cloud server will correctly compute the aggregation result ∑ n u=1 (y u ), and then the ∑ n u=1 (∑ v∈U:u<v PRG(s u,v ) − ∑ v∈U:u>v PRG(s u,v )) will be zero. Once a user drops out, a large number of users are needed to recover the shared values b u and s u,v by the secret reconstruction algorithm to make ∑ n u=1 (∑ v∈U:u<v PRG(s u,v ) − ∑ v∈U:u>v PRG(s u,v )) zero, so a large number of users need to be online to ensure that the scheme is executed correctly. However, the scheme [20] does not support user drop out. Since the formula of the masking phase is , where x i represents the private data, s i is generated by aggregation and v ij is the agreement key between user i and user j. Assume that once the user drops out, then the y i will not be uploaded to the cloud server, and the formula (∑ n j=i+1 PRG(v ij ) − ∑ i−1 j=1 PRG(v ij )) is not zero, which will produce an incorrect aggregation result.
The scheme in this paper does not require the mobile users to be online all the time. The mobile user sends the ciphertexts < c ik > A =< x ik > A +PRG(a ik ) and < c ik > B =< x ik > B −PRG(a ik ) to the server. Assume that the mobile user O i drops out, then neither < c ik > A nor < c ik > B will be sent to the server, and the data of O i will not have an influence on the aggregation result. Therefore, our scheme is robust as it will not fail to be performed properly even if some mobile users drop out.

Limitations
Reviewing the system framework of this paper, we conclude the limitations. First, all participants in this paper are designed to be honest and curious, except for the control center, and the two cloud servers do not collude. The system designed in this paper allows a small number of mobile users to collude with the cloud server, which does not lead to leakage of the private data of mobile users. However, once two cloud servers collude with each other, the privacy of data may be affected. For example, S A and S B cooperate to calculate the final aggregation result after the ciphertexts of all mobile users are sent to the cloud server, and then the aggregation result will be maliciously analyzed. Due to the high security assumptions in this paper, we will focus on a single cloud server to solve non-interactive issues in the future.

Performance Evaluation
In this section, we evaluate the performance of the non-interactive and secure data aggregation scheme using theoretical and experimental analysis.

Function Analysis
We compare the functions of the non-interactive and secure data aggregation scheme with the previous ones in Table 2. In [12], the authors use a double-mask to ensure data privacy, efficient aggregation and robustness, which does not realize non-interactivity, verification and result privacy. In [13], the authors also use a double-mask to ensure data privacy, efficient aggregation, robustness and verification, which does not realize noninteractivity and result privacy. In [16], the authors propose a multi-party secure computing framework to ensure data privacy, verification, robustness and result privacy, which does not achieve non-interactivity. In [20], the authors propose one mask to ensure data privacy and verification, which does not achieve non-interactivity, robustness and result privacy. It can be seen from Table 2 that the non-interactive and secure data aggregation scheme of this paper achieves these five functions. Compared with the schemes mentioned above, our scheme has certain advantages.  [12] Yes In Table 3, our scheme is compared with the previous ones in terms of computation cost and communication costs, where |p| is the length of security parameter p, and the number of users and the dimension of private data are n and m, respectively. In terms of computation cost, the scheme in [12] has the highest cost since it requires a large number of secret sharing and secret reconstruction operations, which requires O(n 2 + mn). Xu et al. [13] applied the algorithm in [12], so the time complexity of the user side is the same. In [16], the time complexity of generating ciphertext and signature is O(m + n), and in [20], the main computation cost results from computing the verification key and agreement keys, which requires O(m + n). In our method, the computational cost is independent of the number of users and it is only relevant to the size of data vector m, so the cost is the smallest.

Schemes Data Privacy Non-Interactity Verification Roustness Result Privacy
In terms of communication cost, the schemes in [12,13] include key agreement and secret sharing, which require 6(n − 1)m|p|. In [16], the users only need to upload their own encrypted data, which requires m|p|. However, the non-interactive and secure data aggregation scheme makes the communication overhead between users zero. In our scheme, the ciphertexts and verification keys are sent to the server and the verifier, respectively. Then, the communication cost between the mobile user and the server is 2m|p|, and with the verifier is m|p|, so our proposed scheme has the lowest communication cost.  [12] O(n 2 + mn) O(mn 2 ) -6(n − 1)m|p| 7m|p| - [13] O(n 2 + mn) O(mn 2 ) O(m) 6(n − 1)m|p| 8m|p| - [16] O

Experimental Results
We carried out a series of experiments to show the feasibility and efficiency of the scheme. The experiments are based on python language implementation. In the verification part, we used the bilinear map pypbc library, which is a python wrapper for the PBC library, and set p as 1024 bits. All the experiments depend on the computer with Intel(R) Core(TM) i5-10210U CPU @ 1.60 GHz 2.11 GHz 16.0 GB RAM, and run on the Ubuntu 18.04 operating system.
The first experiment was executed to evaluate the efficiency of each sub-algorithm in our scheme. In this experiment, our scheme has four sub-algorithms, including key generation, masking of private data, data aggregation and verification of the results. We defined the following parameters to represent the corresponding operation: T exp , T pair and T mm for modular exponentiation, bilinear pairing and modular multiplication operations, which are 0.16, 23 and 0.02 ms, respectively.
In the key generation phase, the algorithm chooses a random vector r ∈ z * p , and computes g , h i and PK i . Computing g and h i requires one modular exponentiation and n modular exponentiation operations respectively ( where h i = g δ+r i (1 < i < n)), while computing PK i requires n modular exponentiations and one bilinear pairing operation. From this phase, we conclude that the total time cost is (2n + 1)T exp + T pair .
In the masking phase, the main overhead of the mobile user is to compute verification keys VK i . Computing the verification keys require m modular exponentiation operations (where VK ik = PK x ik i (1 < k < m)), so the total computation overhead is mT exp . From this phase, we conclude that the computation overhead of the masking phase has a linear relationship with the data size m.
In the aggregation phase, the servers calculate the aggregation values < sum > A and < sum > B , respectively. However, the servers' main time overhead is to calculate the generation proof < σ > A and < σ > B , which requires 2mn modular exponentiation and 2(n − 1) modular multiplication operations. Therefore, the computational cost is 2mnT exp + 2(n − 1)T mm . From this phase, it displays that the computational cost of the server in the aggregation phase is related to the mobile user n and the size of data m.
In the verification phase, the verifier receives the final result and proofs from the control center, which requires 2m modular exponentiation, two bilinear pairing and n modular multiplication operations. Therefore, the total time cost is nT mm + 2T pair + 2mT exp . This phase displays that the computation cost of the verification phase is related to the mobile user n and the size of data m.
In the proposed aggregation scheme, the mobile users were set from 100 to 600, while the private data dimension is fixed at m = 10. As shown in Figure 2, we compared the relationship between the computational cost of each phase and the number of users n. In the keyGen phase, the main computation overhead is to compute the key of the public verifier, which requires (2n + 1)T exp + T pair . In the masking phase, the main computational cost is to calculate the verification key on the client side, which only requires mT exp and is independent of the number of users. In the verification phase, the verifier mainly verifies the Equation (5), which requires nT mm + 2T pair + 2mT exp . As shown in this paper, n is set from 100 to 600, and m is only set to 10. Therefore the computational cost of key generation is the largest. We can see the computation overhead in the aggregation phase is between 324 and 1944 ms, while that in the verification phase is between 51.2 and 61.2 ms. Then, we change the data dimension when the number of mobile users is fixed (n = 10), and it can be seen that the overhead of each phase increases with the dimensions. It can be seen from Figure 3 that the computational overhead of the key generation phase is independent of the data dimensions when the dimensions are set from 100 to 600. In the masking phase, the time cost of the user is between 16 and 96 ms. In the aggregation phase, the computational cost of the server is between 320.04 and 1920.24 ms, while the computational cost of the verification phase is between 62.02 and 142.02 ms. In the experiments, as shown in Figure 4, we compared the time cost of the user-side of different schemes, which varies with the dimension of the data. Specifically, the number of users is set at n = 10, and the data dimensions vary from 100 to 500. The experiments suppose an ideal situation where no mobile users drop out during the aggregation phase. Since the schemes in [12,13] use secret sharing and the Diffie-Hellman key agreement protocol, the time cost of their schemes is relatively high. However, Ma et al. [16] employ proxy re-encryption and aggregation signatures, which contain modular exponentiation operations, so the computation cost is not large. The scheme in [20] adopts key agreement and the aggregation coefficient to mask the private data, which only contains a small number of modular exponentiation and modular multiplication operations, so the time cost is not large. In the non-interactive and secure data aggregation scheme, the main overhead of mobile users is to calculate the verification key, which only contains a small number of modular exponentiation operations. Therefore, we can see that the computation cost of the other three schemes is much higher than ours.

Conclusions
In this paper, we proposed a non-interactive and secure data aggregation scheme with additive secret sharing for IoT. The mobile users adopt additive secret sharing to split the private data into two parts and then mask them. Then, the ciphertexts are sent to servers for aggregation. The proposed scheme not only protects the private data of mobile users but also the privacy of the final aggregation results. Moreover, it realizes non-interaction between users and supports users offline. Security analysis showed that the proposed scheme protects the privacy of inputs and outputs. Finally, the experimental results show that this scheme is effective and has less computation and communication costs than the previous schemes.
In future work, we will focus on the following two issues: (1) Mobile user identity privacy: in the research of IoT data security aggregation, most of the papers did not protect the identity of mobile users, and we think that the identity of mobile users is as important as private data, and (2) Consider a single cloud service: in future work, we will use a single server to design a non-interactive aggregation scheme to reduce the computation and communication overhead of mobile users.
Funding: This work was supported by the National Natural Science Foundation of China (62072295) and the Natural Science Foundation of Shanghai (20ZR1419700).