Citation
Privacy Preserving Protocols Design in Distributed Computing Environments

Material Information

Title:
Privacy Preserving Protocols Design in Distributed Computing Environments
Creator:
Lin, Huang
Place of Publication:
[Gainesville, Fla.]
Florida
Publisher:
University of Florida
Publication Date:
Language:
english
Physical Description:
1 online resource (106 p.)

Thesis/Dissertation Information

Degree:
Doctorate ( Ph.D.)
Degree Grantor:
University of Florida
Degree Disciplines:
Electrical and Computer Engineering
Committee Chair:
FANG,YUGUANG
Committee Co-Chair:
KHARGONEKAR,PRAMOD P
Committee Members:
WU,DAPENG
CHEN,SHIGANG
Graduation Date:
8/9/2014

Subjects

Subjects / Keywords:
Censuses ( jstor )
Ciphertexts ( jstor )
Cryptography ( jstor )
Data encryption ( jstor )
Decryption ( jstor )
Munchausen syndrome by proxy ( jstor )
Polynomials ( jstor )
Proxy reporting ( jstor )
Proxy statements ( jstor )
Search services ( jstor )
Electrical and Computer Engineering -- Dissertations, Academic -- UF
privacy
Genre:
bibliography ( marcgt )
theses ( marcgt )
government publication (state, provincial, territorial, dependent) ( marcgt )
born-digital ( sobekcm )
Electronic Thesis or Dissertation
Electrical and Computer Engineering thesis, Ph.D.

Notes

Abstract:
With the wide deployment of mobile devices and the surge of cloud computing and social networks, distributed computing has become increasingly pervasive in today's computing world. This dissertation focuses on the design of privacy preserving protocols in various distributed computing settings. Our major contributions on this topic are the following.

Cloud-assisted mobile health (mHealth) monitoring, which applies the prevailing mobile communications and cloud computing technologies to provide feedback decision support, has been considered a revolutionary approach to improving the quality of healthcare service while lowering the healthcare cost. Unfortunately, it also poses a serious risk to both clients' privacy and the intellectual property of monitoring service providers, which could deter the wide adoption of mHealth technology. This dissertation addresses this important problem and designs a cloud-assisted privacy preserving mobile health monitoring system to protect the privacy of the involved parties and their data. Moreover, the outsourcing decryption technique and a newly-proposed key private proxy re-encryption are adapted to shift the computational complexity of the involved parties to the cloud without compromising clients' privacy and service providers' intellectual property. Finally, our security and performance analysis demonstrates the effectiveness of our proposed design.

In distributed collaborative networks such as peer-to-peer systems, privacy preserving information sharing and dissemination heavily rely on effective trust management. Trust based encryption (TBE) has been proposed as a solution to enabling privacy preserving information sharing and dissemination for such networks. Unfortunately, the previously proposed schemes are not efficient in terms of communication overhead, and require a constantly online trust authority. In this dissertation, we propose two trust based encryption schemes with significantly improved efficiency. In the first scheme, we develop a generic transformation approach based on the recently proposed identity based broadcast encryption (IBBE) technique, which can significantly reduce both memory space and communication overhead when static reputation is considered. For the dynamic reputation scenarios, we present a trust based encryption scheme which is based on a recently proposed revocable identity based encryption technique, resulting in significantly reduced communication overhead at the central trust authority.

The growing population and global warming have been calling for more effective energy usage, which has stimulated the emergence of smart sustainable energy technology. The distinct feature of this newly emerging technology is the incorporation of advanced information and communication technologies (ICT), which collect more detailed information on how energy is generated, distributed, and consumed. Various smart metering technologies have also been proposed to support the optimization of sustainable energy usage. Despite the obvious benefits of these technologies, people may still hesitate to adopt them because of possible privacy breaches. On the other hand, we observe that the major target information for making the sustainable energy system smart is the aggregated statistics of energy usage, not the full detailed usage profiles which would compromise customers' privacy. Thus, how to design schemes to collect aggregated statistics while preserving customers' privacy becomes an important research problem. In this dissertation, we propose two schemes to deal with this problem. The first one can support dynamic profiling, which can extract aggregated statistical information without compromising individual privacy. The second one aims to extract correlation information among various factors for the smart system design and can also be used as an underlying tool for baseline inference and association rule mining. ( en )
General Note:
In the series University of Florida Digital Collections.
General Note:
Includes vita.
Bibliography:
Includes bibliographical references.
Source of Description:
Description based on online resource; title from PDF title page.
Source of Description:
This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Thesis:
Thesis (Ph.D.)--University of Florida, 2014.
Local:
Adviser: FANG,YUGUANG.
Local:
Co-adviser: KHARGONEKAR,PRAMOD P.
Statement of Responsibility:
by Huang Lin.

Record Information

Source Institution:
UFRGP
Rights Management:
Copyright Lin, Huang. Permission granted to the University of Florida to digitize, archive and distribute this item for non-profit research and educational purposes. Any reuse of this item in excess of fair use or other copyright exemptions requires permission of the copyright holder.
Resource Identifier:
969976977 ( OCLC )
Classification:
LD1780 2014 ( lcc )

Full Text

PRIVACY PRESERVING PROTOCOL DESIGN IN DISTRIBUTED COMPUTING ENVIRONMENTS

By

HUANG LIN

A DISSERTATION PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY

UNIVERSITY OF FLORIDA

2014

© 2014 Huang Lin

Muss es sein? Es muss sein. – Milan Kundera (Beethoven)

ACKNOWLEDGMENTS

First and foremost, I would like to express my sincere gratitude to my advisor, Dr. Michael Fang, for his invaluable advice, support and sometimes even indulgence. I thank him for providing me great academic freedom and autonomy, which unfortunately is rare nowadays even in the academic world. His patient help with my writing has tremendously improved my communication skill. His emphasis on problem formulation has inspired me to search for the true connotation of these two words, which has transformed my understanding of what good research really means. I am deeply indebted to him for this. I also would like to acknowledge my other committee members, Dr. Shigang Chen, Dr. Pramod Khargonekar, and Dr. Oliver Wu, for serving on my supervisory committee and for their help in various stages of my work. Many thanks to Dr. Elisa Bertino, Dr. Zhenfu Cao and Dr. Kui Ren for their support during my job hunting. I have enjoyed math courses from the math department during my years at UFL. I would like to thank Dr. Keating and Dr. Turull for letting me audit their awesome abstract algebra course and answering all my questions patiently. I would not be a sane graduate student without a group of great friends. I would like to extend my thanks to all my colleagues for their collaboration and insightful advice. I especially thank Sherman Chow, Linke Guo, Yanmin Gong, Yuanxiong Guo, Rongsheng Huang, Xinxin Liu, Morteza Shahriari Nia, Miao Pan, Jun Shao, Yang Song, Kaihe Xu, Hao Yue, Chi Zhang, Yanchao Zhang, for many valuable discussions and all the good memories.

TABLE OF CONTENTS

ACKNOWLEDGMENTS
LIST OF TABLES
LIST OF FIGURES
ABSTRACT

CHAPTER

1 INTRODUCTION
  1.1 Distributed Computing System: A Brief Introduction
  1.2 Thesis Organization

2 CAM: CLOUD-ASSISTED PRIVACY PRESERVING MOBILE HEALTH MONITORING
  2.1 Motivation
  2.2 System Model and Cryptographic Building Blocks
    2.2.1 Branching Program
    2.2.2 System Model for CAM
    2.2.3 Adversarial Model
    2.2.4 Important Cryptographic Building Blocks
      2.2.4.1 Bilinear pairing
      2.2.4.2 Homomorphic encryption
      2.2.4.3 Multi-dimensional range query based on anonymous IBE
      2.2.4.4 Decryption outsourcing
      2.2.4.5 Key private proxy re-encryption (PRE)
  2.3 CAM Design
    2.3.1 Basic CAM
    2.3.2 Improved CAM: Full Privacy Preservation
    2.3.3 Final CAM: Full Privacy and High Efficiency
  2.4 Performance Evaluation
    2.4.1 Security
    2.4.2 Efficiency
    2.4.3 More Related Work
  2.5 Security Model and Proof
    2.5.0.1 Indistinguishability of Encryptions under Chosen-Ciphertext Attack
    2.5.0.2 Indistinguishability of Keys under Chosen-Ciphertext Attack
    2.5.0.3 Security Analysis

3 EFFICIENT TRUST BASED INFORMATION SHARING SCHEMES OVER DISTRIBUTED COLLABORATIVE NETWORKS
  3.1 Motivation
  3.2 Related Work
  3.3 A Brief Introduction to the Original TBE Scheme
  3.4 System Model and Design Goals
  3.5 TBE Scheme from Identity based Broadcast Encryption (IBBE)
    3.5.1 Identity based Broadcast Encryption (IBBE)
    3.5.2 TBE Scheme from IBBE Scheme: Simple Case
    3.5.3 Generalized TBE
  3.6 TBE Scheme from R-IBE Scheme
    3.6.1 A Brief Introduction to the R-IBE
    3.6.2 TBE Scheme from R-IBE
  3.7 Performance Evaluation

4 PRIVACY-AWARE PROFILING AND STATISTICAL DATA EXTRACTION FOR SMART SUSTAINABLE ENERGY SYSTEMS
  4.1 Motivation
  4.2 Related Work and Our Contribution
  4.3 System Model
  4.4 Preliminary: Secret Key Distribution
  4.5 General Private Census Scheme for Dynamic Profiling
  4.6 Pattern Oriented Census Scheme
  4.7 Conditional Probability Estimation and Association Rule Mining
  4.8 Correctness of Metering Data
  4.9 Performance Analysis

5 CONCLUSIONS

REFERENCES

BIOGRAPHICAL SKETCH

LIST OF TABLES

Table 3-1 Efficiency comparison

LIST OF FIGURES

Figure 2-1 Branching program in MediNet project
Figure 2-2 System architecture for CAM
Figure 2-3 Branching program
Figure 2-4 TA computation for rekey generation and overhead of the ReEnc algorithm in the cloud
Figure 2-5 Comparison of company computation and communication overheads in our two improved CAM designs
Figure 2-6 Workload of individual token generation
Figure 2-7 Workload of individual query
Figure 3-1 Basic idea of the TBE in [1]: rating set r = 1 8, range set for [0, R] = [0, 1 4], u = 8
Figure 3-2 Basic idea of an R-IBE
Figure 3-3 Basic idea of our TBE-RR scheme
Figure 3-4 Performance comparison when = 4 and n = 128
Figure 3-5 Performance comparison when = 4 and n = 1024
Figure 3-6 Performance comparison when = 5 and n = 128
Figure 3-7 Performance comparison when = 5 and n = 1024
Figure 4-1 The loss of statistical information in the general census scheme
Figure 4-2 The individual computing time and communication overhead
Figure 4-3 The aggregator computing time

Abstract of Dissertation Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

PRIVACY PRESERVING PROTOCOL DESIGN IN DISTRIBUTED COMPUTING ENVIRONMENTS

By

Huang Lin

August 2014

Chair: Yuguang "Michael" Fang
Major: Electrical and Computer Engineering

With the wide deployment of mobile devices and the surge of cloud computing and social networks, distributed computing has become increasingly pervasive in today's computing world. This dissertation focuses on the design of privacy preserving protocols in various distributed computing settings. Our major contributions on this topic are the following.

Cloud-assisted mobile health (mHealth) monitoring, which applies the prevailing mobile communications and cloud computing technologies to provide feedback decision support, has been considered a revolutionary approach to improving the quality of healthcare service while lowering the healthcare cost. Unfortunately, it also poses a serious risk to both clients' privacy and the intellectual property of monitoring service providers, which could deter the wide adoption of mHealth technology. This dissertation addresses this important problem and designs a cloud-assisted privacy preserving mobile health monitoring system to protect the privacy of the involved parties and their data. Moreover, the outsourcing decryption technique and a newly-proposed key private proxy re-encryption are adapted to shift the computational complexity of the involved parties to the cloud without compromising clients' privacy and service providers' intellectual property. Finally, our security and performance analysis demonstrates the effectiveness of our proposed design.

In distributed collaborative networks such as peer-to-peer systems, privacy preserving information sharing and dissemination heavily rely on effective trust management. Trust based encryption (TBE) has been proposed as a solution to enabling privacy preserving information sharing and dissemination for such networks. Unfortunately, the previously proposed schemes are not efficient in terms of communication overhead, and require a constantly online trust authority. In this dissertation, we propose two trust based encryption schemes with significantly improved efficiency. In the first scheme, we develop a generic transformation approach based on the recently proposed identity based broadcast encryption (IBBE) technique, which can significantly reduce both memory space and communication overhead when static reputation is considered. For the dynamic reputation scenarios, we present a trust based encryption scheme which is based on a recently proposed revocable identity based encryption technique, resulting in significantly reduced communication overhead at the central trust authority.

The growing population and global warming have been calling for more effective energy usage, which has stimulated the emergence of smart sustainable energy technology. The distinct feature of this newly emerging technology is the incorporation of advanced information and communication technologies (ICT), which collect more detailed information on how energy is generated, distributed, and consumed. Various smart metering technologies have also been proposed to support the optimization of sustainable energy usage. Despite the obvious benefits of these technologies, people may still hesitate to adopt them because of possible privacy breaches. On the other hand, we observe that the major target information for making the sustainable energy system smart is the aggregated statistics of energy usage, not the full detailed usage profiles which would compromise customers' privacy. Thus, how to design schemes to collect aggregated statistics while preserving customers' privacy becomes an important research problem. In this dissertation, we propose two schemes to deal with this problem. The first one can support dynamic profiling, which can extract aggregated statistical information without compromising individual privacy. The second one aims to extract correlation information among various factors for the smart system design and can also be used as an underlying tool for baseline inference and association rule mining.

CHAPTER 1
INTRODUCTION

1.1 Distributed Computing System: A Brief Introduction

A distributed system is a system in which components located on networked computers communicate and coordinate their actions by passing messages. The components interact with each other in order to achieve a common goal. Examples of distributed computing systems include cloud computing systems, peer-to-peer networks, the smart grid, mobile social networks, etc. With the wide deployment of mobile devices and the emergence of cloud computing and social networks, distributed computing has become a dominant mode in today's computing world. Meanwhile, privacy issues of distributed computing systems have become increasingly challenging due to the intricate nature and sheer complexity of current distributed computing systems. This dissertation aims to study how to design privacy preserving protocols for various distributed computing settings.

1.2 Thesis Organization

In the second chapter, we demonstrate how to design a privacy preserving diagnostic program for a cloud-assisted mobile health monitoring system. Our system is capable of outsourcing the major computation overhead of both the clients and the company to the cloud server while preserving the privacy of their input data. In the third chapter, we present a secure information sharing and dissemination scheme for effective trust management in distributed collaborative networks. In the fourth chapter, we propose a privacy preserving protocol to extract statistical information based on data collected from individual smart metering devices in sustainable energy systems. Our system can guarantee that only the statistical information is revealed to the data collector, with no extra information leakage on the individual user. In the end, we conclude with some remarks and future work.

CHAPTER 2
CAM: CLOUD-ASSISTED PRIVACY PRESERVING MOBILE HEALTH MONITORING

2.1 Motivation

Wide deployment of mobile devices, such as smartphones equipped with low cost sensors, has already shown great potential in improving the quality of healthcare services. Remote mobile health monitoring has already been recognized as not only a potential, but also a successful example of mobile health (mHealth) applications, especially for developing countries. The Microsoft-launched project "MediNet" is designed to realize remote monitoring of the health status of diabetes and cardiovascular disease patients in remote areas of Caribbean countries [2]. In such a remote mHealth monitoring system, a client could deploy portable sensors in wireless body sensor networks to collect various physiological data, such as blood pressure (BP), breathing rate (BR), electrocardiogram (ECG/EKG), peripheral oxygen saturation (SpO2) and blood glucose. Such physiological data could then be sent to a central server, which could then run various web medical applications on these data to return timely advice to the client. These applications may have various functionalities, ranging from sleep pattern analyzers, exercise and physical activity assistants, to cardiac analysis systems, providing various medical consultation [3]. Moreover, as the emerging cloud computing technologies evolve, a viable solution can be sought by incorporating the software as a service (SaaS) model and the pay-as-you-go business model in cloud computing, which would allow small companies (healthcare service providers) to excel in this healthcare market. The adoption of automated decision support algorithms in cloud-assisted mHealth monitoring has been considered a future trend [4].

Unfortunately, although cloud-assisted mHealth monitoring could offer a great opportunity to improve the quality of healthcare services and potentially reduce healthcare costs, there is a stumbling block in making this technology a reality. Without properly addressing data management in an mHealth system, clients' privacy may be severely breached during collection, storage, diagnosis, communication and computing. A recent study shows that 75% of Americans consider the privacy of their health information important or very important [5]. It
has also been reported [6] that patients' willingness to get involved in a health monitoring program could be severely lowered when people are concerned with privacy breaches of their voluntarily submitted health data. This privacy concern will be exacerbated by the growing trend of privacy breaches of electronic health data.

Although existing privacy laws such as HIPAA (Health Insurance Portability and Accountability Act) provide baseline protection for personal health records, they are generally considered not applicable or transferable to cloud computing environments [7]. Besides, the current law is more focused on protection against adversarial intrusions, while there is little effort on protecting clients from businesses collecting private information. Meanwhile, many companies have significant commercial interests in collecting clients' private health data [8] and sharing them with insurance companies, research institutions or even government agencies. It has also been indicated [9] that privacy law cannot exert any real protection on clients' data privacy unless there is an effective mechanism to enforce restrictions on the activities of healthcare service providers.

Traditional privacy protection mechanisms that simply remove clients' personal identity information (such as names or SSN) or use anonymization techniques fail to serve as an effective way of dealing with privacy in mHealth systems due to the increasing amount and diversity of personal identifiable information [10]. It is worth noting that the information collected from an mHealth monitoring system could contain clients' personal physical data such as their heights, weights, and blood types, or even their ultimate personal identifiable information such as their fingerprints and DNA profiles [11]. According to [12], personal identifiable information (PII) is "any information, recorded or otherwise, relating to an identifiable individual. Almost any information, if linked to an identifiable individual, can become personal in nature, be it biographical, biological, genealogical, historical, transactional, locational, relational, computational, vocational, or reputational". In other words, the scope of PII might not necessarily be restricted to SSN, name and address, which are generally considered as PII in the traditional sense. Indeed, state of the art re-identification techniques [13, 14] have shown that any attribute
could become personal identifiable information in practice [10]. Moreover, it is also noted that although some attributes may be uniquely identifying on their own, "any attribute can be identifying in combination with others; while no single element is a (quasi-)identifier, any sufficiently large subset uniquely identifies the individual" [13]. The proposed mobile health monitoring scenario provides a good opportunity for adversaries to obtain a large set of medical information, which could potentially lead to identifying an individual user. Indeed, several recent works [15-17] have already shown that even seemingly benign medical information such as blood pressure can be used to identify individual users. Furthermore, it is also observed that future mobile health monitoring and decision support systems might have to deal with other much more privacy-sensitive features such as DNA profiles [18], from which an adversary may be able to re-identify an individual user [19, 20]. Traditionally, the privacy issue is tackled with anonymization techniques such as k-anonymity or l-diversity. However, it has been indicated that these techniques might be insufficient to prevent re-identification attacks [10]. The threat of re-identification is so serious that legal communities [21] have already been calling for more sophisticated protection mechanisms instead of merely using anonymization. We believe that our proposed cryptography-based systems could serve as a viable solution to the privacy problems in mHealth systems, and also as an alternative choice for privacy-aware users.

Another major problem in addressing security and privacy is the computational workload involved with cryptographic techniques. With the presence of cloud computing facilities, it will be wise to shift intensive computations to cloud servers from resource-constrained mobile devices. However, how to achieve this effectively without compromising privacy and security becomes a great challenge, which should be carefully investigated.

As an important remark, our design here mainly focuses on insider attacks, which could be launched by either malicious or non-malicious insiders. For instance, the insiders could be disgruntled employees or healthcare workers who enter the healthcare business for criminal purposes [22, 23]. It was reported that 32% of medical data breaches in medical establishments between January 2007 and June 2009 were due to insider attacks [24], and the incident rate of
insider attacks is rapidly increasing [24]. Insider attacks have cost the victimized institutions much more than outsider attacks have [25]. Furthermore, insider attackers are generally much harder to deal with because they are generally sophisticated professionals or even criminal rings who are adept at escaping intrusion detection [23]. On the other hand, while outsider attacks could be trivially prevented by directly adopting cryptographic mechanisms such as encryption, it is non-trivial to design a privacy preserving mechanism against insider attacks because we have to balance the privacy constraints and the maintenance of normal operations of mHealth systems. The problem becomes especially tricky for cloud-assisted mHealth systems because we need to guarantee not only the privacy of clients' input health data, but also that of the output decision results from both cloud servers and healthcare service providers (which will be referred to as the company in the subsequent development).

In this dissertation, we design a cloud-assisted mHealth monitoring system (CAM). We first identify the design problems on privacy preservation and then provide our solutions. To ease the understanding, we start with the basic scheme so that we can identify the possible privacy breaches. We then provide an improved scheme by addressing the identified privacy problems. The resulting improved scheme allows the mHealth service provider (the company) to be offline after the setup stage and enables it to deliver its data or programs to the cloud securely. To reduce clients' decryption complexity, we incorporate the recently proposed outsourcing decryption technique [26] into the underlying multi-dimensional range query system to shift clients' computational complexity to the cloud without revealing any information on either clients' query input or the decrypted decision to the cloud. To relieve the computational complexity on the company's side, which is proportional to the number of clients, we propose a further improvement, leading to our final scheme. It is based on a new variant of key private proxy re-encryption, in which the company only needs to accomplish encryption once at the setup phase while shifting the rest of the computational tasks to the cloud without compromising privacy, further reducing the computational and communication burden on clients and the cloud.

2.2 System Model and Cryptographic Building Blocks

In this section, we present the system model, adversarial model and cryptographic tools we will use to design our CAM.

2.2.1 Branching Program

Figure 2-1. Branching program in MediNet project

Since our mHealth monitoring program CAM builds upon branching programs [27], we first illustrate how a branching tree works. We use the monitoring program introduced in the MediNet project [2, 28] to construct a branching program as shown in Fig. 2-1. MediNet aims to provide automatic personalized monitoring service for patients with diabetes or cardiovascular diseases. Clients input their related health data, such as systolic blood pressure (BP), whether they missed daily medications or have an abnormal diet, and the energy consumption of physical activity, to the decision support system, which will then return a recommendation on how the clients can improve their conditions. For instance, assume a hypertension patient inputs an attribute vector consisting of the following elements "[Systolic BP: 150, Missed one medication = 0 (indicating he did miss the medication), Energy Expenditure: 900 kcal, salt intake: 1000 milligrams]" and the respective thresholds are "t1 = 130; t2 = 0; t3 = 700 kcal; t4 = 1500". The recommendation returned from the monitoring program (dashed line in Fig. 2-1) would be "D4; D5; D6" (by following the path through comparing each attribute element with the respective threshold), which indicates the client needs to "notify next of kin, modify daily diet, and take regular medication".

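The MediNet-style evaluation above, run by a small branching-program interpreter that follows the formalization the chapter gives next: a program is a triple ⟨{p_1, ..., p_k}, L, R⟩, each decision node is a pair (a_i, t_i), the left edge is taken when v_{a_i} ≤ t_i and the right edge when v_{a_i} > t_i, and each attribute component is index || value with C = 32-bit values. This is an added example, not code from the dissertation or the MediNet project. The tree below (node layout, thresholds and D-labels) is a constructed toy program modeled on the four MediNet inputs, not a transcription of Fig. 2-1, and it evaluates in the clear: it shows only the program semantics that the CAM schemes later evaluate under encryption.

```python
"""Branching-program evaluator for the CAM monitoring model (added example)."""
import struct

ATTR_BITS = 32                       # C = 32 in the dissertation
ATTR_MAX = (1 << ATTR_BITS) - 1


def encode_attribute(index: int, value: int) -> bytes:
    """Attribute component v_i = index || value, both big-endian 32-bit integers.

    Values outside C bits are rejected rather than silently truncated: a wrapped
    reading (e.g. 2^32 + 5 becoming 5) would silently steer the decision tree.
    """
    if not 0 <= index <= ATTR_MAX or not 0 <= value <= ATTR_MAX:
        raise ValueError("attribute index/value out of 32-bit range")
    return struct.pack(">II", index, value)


def decode_attribute(component: bytes) -> tuple:
    """Inverse of encode_attribute: (index, value)."""
    return struct.unpack(">II", component)


def encode_vector(values) -> list:
    """Client side: measured values -> attribute vector v = (v_1, ..., v_n)."""
    return [encode_attribute(i, val) for i, val in enumerate(values)]


def evaluate(program, vector):
    """Walk <{p_1..p_k}, L, R> from p_1 until a label node; returns (label, path).

    program = (nodes, L, R): nodes maps index -> ("decision", a_i, t_i) or
    ("label", text); L and R map a decision index to the next node index.
    """
    nodes, left, right = program
    values = dict(decode_attribute(c) for c in vector)
    h, path = 1, []
    # A well-formed program is a tree, so a path never revisits a node; bounding
    # the walk by the node count turns a malformed (cyclic) program into an error.
    for _ in range(len(nodes)):
        node = nodes[h]
        path.append(h)
        if node[0] == "label":
            return node[1], path
        _, a_i, t_i = node
        if a_i not in values:
            raise KeyError(f"program needs attribute {a_i}, absent from vector")
        h = left[h] if values[a_i] <= t_i else right[h]
    raise ValueError("malformed branching program: no label node reached")


# Constructed toy program (ours, not Fig. 2-1). Attribute indices follow the
# MediNet inputs: systolic BP, missed-medication flag (0 = missed), energy
# expenditure in kcal, salt intake in mg. BP is evaluated twice (nodes 1 and 5),
# which the definition explicitly allows.
BP, MISSED, ENERGY, SALT = 0, 1, 2, 3
NODES = {
    1: ("decision", BP, 130),
    2: ("label", "D1: keep monitoring"),
    3: ("decision", MISSED, 0),
    4: ("decision", ENERGY, 700),
    5: ("decision", BP, 160),
    6: ("label", "D2: take regular medication, increase activity"),
    7: ("label", "D3: take regular medication"),
    8: ("label", "D4: modify daily diet"),
    9: ("label", "D5: notify next of kin"),
}
LEFT = {1: 2, 3: 4, 4: 6, 5: 8}     # taken when v_{a_i} <= t_i
RIGHT = {1: 3, 3: 5, 4: 7, 5: 9}    # taken when v_{a_i} > t_i
PROGRAM = (NODES, LEFT, RIGHT)


def medinet_example():
    """The chapter's sample input [BP 150, missed = 0, 900 kcal, 1000 mg salt]."""
    return evaluate(PROGRAM, encode_vector([150, 0, 900, 1000]))


if __name__ == "__main__":
    label, path = medinet_example()
    print(f"path {path} -> {label}")
```

On the sample input the walk is node 1 (150 > 130, right), node 3 (0 ≤ 0, left), node 4 (900 > 700, right) and ends at label D3; a second reading of the same attribute at node 5 is what the definition means by "the same attribute may be evaluated more than once".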
As we can observe, a monitoring program can be modeled as a binary decision tree based on the range of the monitored measurement. We can represent measured data as an attribute vector and then construct the binary branching tree with the leaf nodes as the final consultation to design the medical decision support system. Let $v = (v_1, \dots, v_n)$ be a client's attribute vector. An attribute component $v_i$ is a concatenation of an attribute index and the respective attribute value. For instance, $A \| KW_1$ might correspond to "blood pressure: 130", which means that the client's blood pressure is 130. Each attribute value is a $C$-bit integer. In this proposal, we choose $C$ to be 32, which should provide enough precision in most practical scenarios. A binary branching program is a triple $\langle \{p_1, \dots, p_k\}, L, R \rangle$. The first element is the set of nodes in the branching tree. A non-leaf node $p_i$ is called a decision node, while a leaf node $p_i$ is called a label node. Each decision node is a pair $(a_i, t_i)$, where $a_i$ is the attribute index and $t_i$ is the threshold value with which $v_{a_i}$ is compared at this node. The same value of $a_i$ may occur in many nodes, i.e., the same attribute may be evaluated more than once. For each decision node $i$, $L(i)$ is the index of the next node if $v_{a_i} \le t_i$, and $R(i)$ is the index of the next node if $v_{a_i} > t_i$. The label nodes are attached with classification information. To evaluate the branching program on some attribute vector $v$, start from $p_1$. If $v_{a_1} \le t_1$, set $h = L(1)$, else $h = R(1)$. Repeat the process recursively for $p_h$, and so on, until one of the leaf nodes is reached with decision information.

2.2.2 System Model for CAM

With the binary programs illustrated earlier, we now highlight our design of the proposed cloud-assisted mHealth monitoring system (CAM). CAM consists of four parties: the cloud server (simply the cloud), the company which provides the mHealth monitoring service (i.e., the healthcare service provider), the individual clients (simply clients), and a semi-trusted authority (TA), as shown in Fig. 2-2. The company stores its encrypted monitoring data or program (branching program) in the cloud. Individual clients collect their medical data and store them in their mobile devices, which then transform the data into attribute vectors. The attribute vectors are delivered as inputs to the monitoring program in the cloud through a mobile (or smart) phone. TA is responsible for distributing private keys to clients and collecting service fees from clients
according to a certain business model such as the "pay-per-use" model. TA can be considered as a collaborator or a management agent for a company (or several companies) and thus shares a certain level of mutual business interest with the company. In the following, we briefly introduce the four major steps of CAM: Setup, Store, TokenGen and Query. We only illustrate the functionality of these components here. Because the detailed input and output of those steps might vary in different schemes, we leave more details to wherever needed.

Figure 2-2. System architecture for CAM

At the initial phase, TA runs the Setup phase and publishes the system parameters.

Then, the company first characterizes the flowchart of an mHealth monitoring program as a branching program, which is encrypted under the respective directed branching tree. Then the company delivers the resulting ciphertext and its company index to the cloud, which corresponds to the Store algorithm in this context.

When a client wishes to query the cloud for a certain mHealth monitoring program, the i-th client and TA run the TokenGen algorithm. The client sends the company index to TA, and then inputs its private query (which is the attribute vector representing the collected health data) and TA inputs the master secret to the algorithm. The client obtains the token corresponding to its query input, while TA gets no useful information on the individual query.

At the last phase, the client delivers the token for its query to the cloud, which runs the Query phase. The cloud completes the major computationally intensive task for the client's decryption and returns the partially decrypted ciphertext to the client. The client then completes the remaining decryption task after receiving the partially decrypted ciphertext and obtains its decryption result, which corresponds to the decision from the monitoring program on the client's input. The cloud obtains no useful information on either the client's private query input
or decryption result after running the Query phase. Here, we distinguish the query input privacy breach in terms of what can be inferred from the computational or communication information. CAM can prevent the cloud from deducing useful information on a client's query input or output from the information it receives from the client.

2.2.3 Adversarial Model

We assume a neutral cloud server, which means it colludes with neither the company nor a client to attack the other. This is a reasonable model since it is in the best business interest of the cloud not to be biased. Clients may collude with each other. We do not consider possible side-channel attacks [29, 30] due to co-residency on shared resources, because they could be mitigated with either system level protection [30] or leakage resilient cryptography [31]. Thus, our CAM design assumes an honest-but-curious model, which implies all parties follow the prescribed operations and cannot behave arbitrarily maliciously. Moreover, we also target the insider attack, which could be launched by either malicious or non-malicious insiders who behave normally but intend to discover information about others. For instance, the insiders could be disgruntled employees, or healthcare workers who have entered the healthcare business with criminal purposes [22, 23]. It was reported that 32% of medical data breaches in medical establishments between January 2007 and June 2009 were due to insider attacks [24], and the incident rate of insider attacks is rapidly increasing [24]. Insider data breaches are also reported to cost the victimized institutions much more compared with breaches due to outsider attacks [25]. Furthermore, insider attacks are generally considered much harder to detect and trace since the attackers are generally sophisticated professionals or even criminal rings who are adept at making victims incapable of detecting the crimes [23]. On the other hand, while outsider attacks could be trivially prevented by directly adopting cryptographic mechanisms such as encryption, it is non-trivial to design a privacy-preserving mechanism against insider attacks because we have to balance the privacy requirements with the normal operations of mHealth monitoring systems. The problem becomes especially tricky for cloud-assisted mHealth monitoring systems because we need to guarantee not only the privacy of
PAGE 20

clients' input health data, but also that of the output decision results, against both cloud servers and healthcare service providers.

2.2.4 Important Cryptographic Building Blocks

To meet our design goal, we need to examine a few cryptographic techniques. Considering that the query input to a diagnostic program usually consists of a client's ID and attributes, we think the recently emerged attribute-based cryptographic techniques derived from ID-based cryptography should provide viable solutions. In this section, we discuss some of these security tools and offer the necessary modifications to meet our design needs.

2.2.4.1 Bilinear pairing

Bilinear pairing is crucial to our design and serves as the building block of the proposed CAM. Based on pairing, Boneh and Franklin [32] proposed the first identity-based encryption (IBE), which initiated a new research direction in cryptography in recent years. A pairing is an efficiently computable, non-degenerate function $e: G \times G \to G_T$ with the bilinearity property $e(g^r, g^s) = e(g, g)^{rs}$ for any $r, s \in Z_q$, the finite field modulo $q$, where $G$ and $G_T$ are multiplicative groups of prime order $q$, generated by $g$ and $e(g, g)$, respectively. It has been demonstrated that the proposed IBE is secure under the decisional bilinear Diffie-Hellman (DBDH) assumption (which states that in the IBE setting, given $(g, g^a, g^b, g^c, S)$, it is computationally difficult to decide whether $S = g^{abc}$). Details can be found in [32]. We will intensively use variants of Boneh-Franklin IBE in our design.

2.2.4.2 Homomorphic encryption

Another technique we will use for the oblivious transfer protocol is homomorphic encryption, which is widely used as an underlying tool for constructing secure protocols in the literature [33, 34]. CAM adopts a semantically secure additively homomorphic public-key encryption scheme. Intuitively, for a homomorphic encryption $\mathrm{HEnc}(\cdot)$, given two encrypted messages $\mathrm{HEnc}(m_1)$ and $\mathrm{HEnc}(m_2)$, the encryption of the sum of the two underlying messages can be computed as $\mathrm{HEnc}(m_1 + m_2) = \mathrm{HEnc}(m_1) \star \mathrm{HEnc}(m_2)$, where $\star$ is the corresponding
operation in the ciphertext space. A typical additively homomorphic encryption scheme is the Paillier cryptosystem [35, 36].

2.2.4.3 Multi-dimensional range query based on anonymous IBE

Figure 2-3. Branching program. (a) Generic branching program. (b) Basic idea of MDRQ.

As we demonstrated earlier, an mHealth monitoring program can be represented as a binary decision tree over the attribute vector space (Fig. 2-3(a)). Thus, an attribute vector can be uniquely mapped to a binary bit block with a certain quantization of the measured data, leading to a binary-bit-represented tree (binary tree) (Fig. 2-3). Hence the multi-dimensional range query (MDRQ) scheme can be used to design our CAM. MDRQ was first proposed by Shi et al. [37] and was further improved by us [38] to construct a reputation-based encryption scheme. In MDRQ, a sender encrypts a message under a range $[r_1, r_2]$ (or a range of a $C$-bit block $v$), and a receiver with private keys falling into this range $[r_1, r_2]$ (or the range of the $C$-bit block $v$) can decrypt the underlying message. The generated ciphertext guarantees the privacy of both the encrypted message and the respective range. The basic idea of MDRQ is as follows: a $C$-level binary tree is employed to represent the $C$-bit data (or the range). The root of this binary tree is
labeled as $\bot$. The left child node of a non-leaf node $p$ is labeled as $p0$ and the right child node is labeled as $p1$. As a result, all the leaves from left to right are labeled with binary strings from $0\cdots0$ to $1\cdots1$, which correspond to all the possible $C$-bit data. To represent a range $[r_1, r_2] \subseteq [0, 2^C - 1]$, a minimum set of roots of subtrees covering all the leaf nodes in this range is used. Take a system with 3-bit data for instance (Fig. 3-1): the minimum root set representing the range $[001, 100]$ is $S_{[001,100]} = \{001, 01, 100\}$. The minimum root representation set is unique for a specific range and contains at most $2C - 1$ elements [37]. To represent a $C$-bit datum $v$, we first find the respective leaf node, then use the collection of all nodes on the path from the root to this leaf node. As shown in Fig. 3-1, the collection $S_{010} = \{\bot, 0, 01, 010\}$ represents $010$. To test whether $010$ belongs to the interval $[001, 100]$, one only needs to check whether the two representation sets share a node.

MDRQ can be constructed from an anonymous identity-based encryption (A-IBE) scheme [39]. Compared with a traditional IBE scheme, where a ciphertext only preserves the privacy of the underlying message, an anonymous IBE scheme preserves the privacy of both the receiver identity and the underlying message. To encrypt a message $m$ under a range $[r_1, r_2]$ (or a vector $v$), a sender treats each element in $S_{[r_1, r_2]}$ (or $S_v$) as an identity in the identity space of the A-IBE scheme and encrypts $m$ under all those identities one by one. A receiver with attribute value falling into the range $[r_1, r_2]$ (or the range of the $C$-bit data $v$) obtains from TA the private keys corresponding to all the identities in $S_{[r_1, r_2]}$ (or $S_v$). Thus, only when a receiver's id (the attribute value) falls into this range can he decrypt the message, since this is the only case in which there is an intersection identity id between $S_{[r_1, r_2]}$ and $S_v$.
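As an added example (not code from the dissertation), the following Python walk-through combines the MDRQ root-set and path-set encoding just described with the additively homomorphic step of Sec. 2.2.4.2, and previews the randomized-threshold comparison used in Sec. 2.3.2; the Paillier parameters, the mask range and all function names are assumptions of this example.

```python
"""MDRQ comparison at a CAM decision node (added example, not the thesis's code).
Combines the minimum-root-set / path-set encoding of MDRQ (Sec. 2.2.4.3) with an
additively homomorphic encryption (Sec. 2.2.4.2; textbook Paillier on constructed
toy primes).  The mask delta anticipates the randomised thresholds of Sec. 2.3.2:
TA adds delta to the client's value under encryption, so v <= t is decided as
v+delta <= t+delta without TA or the cloud ever seeing v.  Sizes are toy sizes."""
import secrets
from math import gcd

# ---- MDRQ tree encodings (Sec. 2.2.4.3); the empty string stands for the root ----

def path_set(v, C):
    """S_v: every node on the path from the root to leaf v in a C-level tree."""
    bits = format(v, f"0{C}b")
    return {bits[:i] for i in range(C + 1)}

def range_root_set(r1, r2, C):
    """S_[r1,r2]: minimum set of subtree roots covering exactly leaves r1..r2.
    A subtree is taken whole when it lies inside the range, otherwise split;
    the result has at most 2C-1 nodes, as stated in the text."""
    assert 0 <= r1 <= r2 < (1 << C)
    roots = set()

    def cover(prefix, lo, hi):          # subtree `prefix` holds leaves lo..hi
        if r1 <= lo and hi <= r2:
            roots.add(prefix)
        elif not (hi < r1 or lo > r2):  # partial overlap: descend one level
            mid = (lo + hi) // 2
            cover(prefix + "0", lo, mid)
            cover(prefix + "1", mid + 1, hi)

    cover("", 0, (1 << C) - 1)
    return roots

def in_range(v, r1, r2, C):
    """MDRQ test: v lies in [r1, r2] iff S_v and S_[r1,r2] share a node."""
    return bool(path_set(v, C) & range_root_set(r1, r2, C))

# ---- additively homomorphic encryption (Sec. 2.2.4.2): textbook Paillier ----

def paillier_keygen(p, q):
    """Key pair from two distinct primes (toy-sized here, not secure in practice)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    g = n + 1
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def henc(pk, m):
    n, g = pk
    while True:                                  # random r coprime to n
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def hadd(pk, c1, c2):
    """HEnc(m1 + m2) = HEnc(m1) * HEnc(m2) mod n^2: the ciphertext-space operation."""
    n, _ = pk
    return c1 * c2 % (n * n)

def hdec(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return ((pow(c, lam, n * n) - 1) // n) * mu % n

# ---- decision node with a randomised threshold (Sec. 2.3.2) ----

def masked_decision(pk, sk, t, v, delta, C, C1):
    """Return 'L' if v <= t else 'R', evaluated only on masked values.
    The company publishes ranges [0, t+delta] and [t+delta+1, Max'] in a
    (C+C1)-level tree; TA sees only HEnc(v) and HEnc(delta); the client learns
    v+delta and builds its path set from that.  Assumption: delta < 2^(C+C1)-2^C,
    so t+delta and v+delta still fit in C+C1 bits."""
    bits = C + C1
    max_prime = (1 << bits) - 1
    v_masked = hdec(pk, sk, hadd(pk, henc(pk, v), henc(pk, delta)))  # TA, then client
    left = range_root_set(0, t + delta, bits)
    right = range_root_set(t + delta + 1, max_prime, bits)
    s_v = path_set(v_masked, bits)
    assert bool(s_v & left) != bool(s_v & right)   # exactly one range matches
    return "L" if s_v & left else "R"

def demo():
    """The text's example: threshold t1 = 130 for systolic BP, client BP 150 and 120."""
    C, C1 = 8, 8                                   # 8-bit measurements, 8-bit mask
    pk, sk = paillier_keygen(10007, 10009)         # constructed toy primes
    delta = secrets.randbelow((1 << (C + C1)) - (1 << C))
    return (masked_decision(pk, sk, 130, 150, delta, C, C1),
            masked_decision(pk, sk, 130, 120, delta, C, C1))

if __name__ == "__main__":
    print(sorted(range_root_set(0b001, 0b100, 3)))   # ['001', '01', '100']
    print(sorted(path_set(0b010, 3)))                # ['', '0', '01', '010']
    print(demo())                                    # ('R', 'L')
```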
MDRQ plays a vital role in our CAM design because all the comparisons between a client's attribute vector and the respective thresholds at decision nodes are implemented using MDRQ. At each decision node $a_i$, the respective threshold $t_i$ is represented as two minimum root sets: $[0, t_i]$ and $(t_i, \mathrm{Max}]$. For instance, the systolic BP threshold $t_1 = 130$ in the above example can be represented by the two root sets in a binary tree of 8 levels using the representation approach introduced earlier. The index of the next decision node (or the decision result of the label
node) is encrypted under the respective range. Meanwhile, the respective client input, i.e., BP = 150, is represented as a path node set. Then the decryption result of MDRQ determines the index of the next node.

To be more specific about MDRQ in our CAM design, we adapt the Boneh-Franklin IBE (BF-IBE) scheme [32] as the underlying anonymous IBE scheme, since it is one of the most efficient existing anonymous IBE schemes [39]. It is briefly described below.^1

^1 The identity here means the attribute vector ($C$-bit block on the branching tree) to be protected.

AnonSetup($1^\lambda$): This algorithm is performed by TA. Upon the input of the security parameter $1^\lambda$, TA outputs the system parameter $PP = (G, G_T, q, g, y, H_i;\ i = 1, 2, 3, 4)$ and the key pair of TA $(pk, msk) = (g^s, s) = (y, s)$, where $(q, g, G, G_T, e) \leftarrow \mathrm{BSetup}(1^\lambda)$, $g$ is a random generator of $G$, $s$ is the master secret, and $H_i\ (i = 1, 2, 3, 4)$ are cryptographic hash functions as specified in [39]. The system parameter $PP$ is an implicit input to the following algorithms.

AnonExtract($id, msk$): This algorithm is performed by TA. Upon the input of an identity $id$ and the private key $msk = s$ of TA, TA outputs the private key corresponding to $id$: $sk_{id} = H_1(id)^s$.

AnonEnc($id, PP, m$): This algorithm is performed by the encryptor. Upon the input of $m \in M$ and an identity $id$, it outputs the ciphertext $C = (c_1, c_2, c_3)$ with $r = H_3(m \| \sigma)$, $c_1 = g^r$, $c_2 = \sigma \oplus H_2(e(H_1(id), y)^r)$ and $c_3 = m \oplus H_4(\sigma)$, where $\sigma$ is a random element of $M$.

AnonDecryption($C, sk_{id'}$): This algorithm is performed by the decryptor. Upon receiving a ciphertext $C$ under $id$ and a private key $sk_{id'}$, the algorithm computes $c_2 \oplus H_2(e(sk_{id'}, c_1)) = \sigma$ and $c_3 \oplus H_4(\sigma) = m$, which holds iff $id' = id$.

2.2.4.4 Decryption outsourcing

The pairing-based IBE system [32] and its extensions such as attribute-based encryption [40, 41] have a reputation for costly decryption due to the bilinear pairing computation in the decryption steps. Moreover, the pairing computation is considered especially computationally intensive for resource-constrained mobile phones. For example, for a chosen pairing
function, the computation time on a PC with a 2.40 GHz Intel(R) Core 2 Quad, 3 GB RAM and Windows 7 is 14.65 ms, while that on an Android 2.3.2 device with a 1 GHz ARM Cortex A8 and 512 MB RAM is as high as 332.9 ms. Thus, we need to seek decryption outsourcing to ease the computational complexity. Decryption outsourcing in attribute-based encryption (ABE) was first proposed by Green et al. [26]. It enables a client to transform his secret key into a transformation key so that any untrusted server (e.g., the cloud) can use it to transform the original ciphertext into an ElGamal encryption of the original message. The client then only needs to compute simple exponentiation operations to obtain the underlying message. In CAM, we intend to apply the outsourcing decryption technique to MDRQ based on the BF-IBE scheme. The BF-IBE-based outsourcing decryption is shown below.

AnonSetup($1^\lambda$): This algorithm is exactly the same as in the original BF-IBE.

AnonMaskExtract($id, msk$): This algorithm is performed by TA and a client. The client chooses a random number $z \in Z_q$, computes $H_1(id)^z$ and delivers $H_1(id)^z$ to TA, who outputs a transformation key corresponding to $id$: $tk_{id} = H_1(id)^{zs}$. The client keeps $z$ as its private key $sk_{id}$.

AnonEnc($id, PP, m$): This algorithm is exactly the same as in the original BF-IBE and outputs $C_{id} = (c_1, c_2, c_3)$.

Transform($C_{id}, tk_{id}$): This algorithm is performed by the cloud. The cloud parses $C_{id} = (c_1, c_2, c_3)$ and computes $w = e(tk_{id}, c_1)$. It then outputs the transformed ciphertext $C'_{id} = (c'_1, c'_2, c'_3) = (w, c_2, c_3)$.

AnonMaskDecryption($C'_{id}, z$): This algorithm is performed by the client. Upon receiving a ciphertext $C'_{id}$ under $id$ together with his secret $z$, the client parses $C'_{id} = (c'_1, c'_2, c'_3)$, computes $u = (c'_1)^{1/z}$ and recovers $\sigma = c'_2 \oplus H_2(u)$. The message $m$ is then obtained as $m = c'_3 \oplus H_4(\sigma)$.

It can be easily verified that the above scheme is correct: $u = e(H_1(id)^{zs}, g^r)^{1/z} = e(H_1(id), y)^r$, which is exactly the pairing value used in AnonEnc. We observe that in this construction the client only needs to compute one exponentiation to obtain the message, while the costly pairing operation is completed by the cloud. It can be shown, as in [26], that our proposed BF-IBE with outsourced decryption is secure against replayable chosen ciphertext
attack (CCA), which implies the following mask privacy: TA obtains no useful information on the client's identity $id$, since $H_1(id)^z$ is just a random element to TA in the random oracle model. Neither does the cloud obtain any useful information on the client's decryption result or the client identity $id$, since the transformation key $tk_{id} = H_1(id)^{zs}$ reveals nothing about $id$ either.

2.2.4.5 Key private proxy re-encryption (PRE)

Another technique we will use is proxy re-encryption (PRE) [42, 43]. Proxy re-encryption allows an untrusted proxy server holding a re-encryption key (re-key) $rk_{A \to B}$ to transform a ciphertext (also known as a first-level ciphertext) encrypted for $A$ (the delegator) into one (a second-level ciphertext) that can be decrypted by $B$ (the delegatee), without leaking any useful information on the underlying message. In our design, we will use the following two properties [43]: unidirectional (delegation from $A \to B$ does not allow delegation in the opposite direction) and key private [44] (given the re-key $rk_{A \to B}$, the proxy deduces no information on either the identity of the delegator or the delegatee). In CAM, the monitoring program delivered by the company is encrypted using an MDRQ scheme and the ciphertext is stored in the untrusted cloud. The company then delivers several re-encryption keys to the cloud. The key private property guarantees that no useful information about the underlying identities, corresponding to the thresholds of the intermediate nodes, is leaked to the cloud. By adapting proxy re-encryption, we intend to reduce the encryption workload on the company.

Although proxy re-encryption has been recognized as an important tool for access control on the cloud, we believe another property, re-key generation efficiency, should be added to the proxy re-encryption scheme in order to render it a more efficient tool for outsourcing encryption to the cloud. Re-key generation efficiency means that the computation of re-key generation should be significantly lower than that of the first-level encryption in PRE, which is extremely useful when the proxy re-encryption scheme serves to outsource massive public key encryption operations. Here, we propose a new ID-based key private proxy re-encryption scheme with a lower cost of re-key generation compared with the original encryption algorithm. Different from the traditional identity-based PRE system [45], our re-key generation algorithm is run by TA rather
than the company. The company is required to obtain the secret key for the identity $A$ from TA in the traditional ID-based PRE scheme, which means $A$ is known to TA. We further let TA know the identities of both $A$ and $B$. As a result, the improved re-key generation is much more efficient than the traditional re-key generation. Our new key private proxy re-encryption scheme consists of the following six algorithms.

Setup($1^\lambda$): This algorithm is performed by TA. Upon receiving the input of the security parameter $1^\lambda$, TA outputs the system parameter $(G, G_T, q, g, H_i;\ i = 1, 2, 3, 4, 5)$ and the key pair for TA $(pk, msk) = (y, s) = (g^s, s)$, where $G, G_T$ are bilinear groups of prime order $q$, $g$ is a random generator of $G$, and $H_i\ (i \in \{1, 2, 3, 4, 5\})$ are cryptographic hash functions: $H_1: \{0,1\}^* \to G$, $H_2: G \times G \to Z_q$, $H_3: M \times M \to Z_q$, $H_4: G_T \to M \times M$, and $H_5: G \times M \times M \to G$. The system parameter is an implicit input to the following algorithms.

Ext($id, msk$): This algorithm is performed by TA and a client. Upon receiving the input of an identity $id$, the client first picks a random number $z \in Z_q$, computes $u_1 = H_1(id)^z$ and sends it to TA. TA outputs the transformation key corresponding to $id$, $u_2 = u_1^s$ where $s = msk$, and sends it back to the client. The client then computes his private key $sk_{id} = u_2^{1/z} = H_1(id)^{zs \cdot z^{-1}} = H_1(id)^s$. We note that TA obtains no information on the client identity, because $H_1(id)^z$ is just a random group element in the random oracle model. The transformation key can be publicly distributed for the same reason [26].

ReKey($id_1, id_2, msk$): This algorithm is performed by TA. Upon receiving the request from delegator $D$ for re-encryption from $id_1$ to $id_2$, it first runs the Ext algorithm on $id_2$ to generate $sk_{id_2}$. It then outputs the re-encryption key from $id_1$ to $id_2$:

$$rk_{id_1, id_2} = \big(rk^{(1)}_{id_1, id_2},\ rk^{(2)}_{id_1, id_2}\big) = \big(H_1(id_1)^s \cdot g^{H_2(sk_{id_2} \| N_{id_1, id_2})},\ N_{id_1, id_2}\big)$$

where $N_{id_1, id_2}$ is a random element of $G$.

Enc($id, m$): This algorithm is performed by the company. Upon receiving the input $m \in M$ and an identity $id$, it outputs the ciphertext $C = (c_1, c_2, c_3)$, where $r = H_3(\sigma \| m)$, $c_1 = g^r$,
$c_2 = (\sigma \| m) \oplus H_4(e(H_1(id), y)^r)$ and $c_3 = H_5(c_1 \| c_2)^r$, where $\sigma$ is a random element of $M$, the message space.

ReEnc($C_{id_1}, rk_{id_1, id_2}$): This algorithm is performed by the proxy. Upon receiving the input of an original ciphertext $C_{id_1} = (c_1, c_2, c_3)$ under identity $id_1$ and a re-encryption key $rk_{id_1, id_2}$ from $id_1$ to $id_2$, if $e(c_1, H_5(c_1 \| c_2)) = e(g, c_3)$ holds, it outputs the re-encrypted ciphertext $C_{id_2} = (c'_1, c_2, c'_3, c_4)$ with $c'_1 = e(g, c_1)$, $c'_3 = e(c_1, rk^{(1)}_{id_1, id_2})$ and $c_4 = rk^{(2)}_{id_1, id_2} = N_{id_1, id_2}$. Otherwise, it outputs $\bot$.

Dec($sk_{id}, C_{id}$): This algorithm is performed by a client. Upon receiving the input of a ciphertext $C_{id}$ under $id$ and a private key $sk_{id}$, the algorithm proceeds as follows.

1) If $C_{id}$ is an original ciphertext $(c_1, c_2, c_3)$, compute

$$c_2 \oplus H_4(e(sk_{id}, c_1)) = (\sigma \| m) \oplus H_4(e(H_1(id), y)^r) \oplus H_4(e(H_1(id)^s, g^r)) = \sigma \| m.$$

If $c_1 = g^{H_3(\sigma \| m)}$ and $c_3 = H_5(c_1 \| c_2)^{H_3(\sigma \| m)}$ both hold, output $m$; otherwise, output $\bot$.

2) If $C$ is a re-encrypted ciphertext $(c'_1, c_2, c'_3, c_4)$ (assume that the receiver of the re-encrypted ciphertext is $id'$), compute

$$H_4\!\left(\frac{c'_3}{(c'_1)^{H_2(sk_{id'} \| c_4)}}\right) \oplus c_2 = H_4\!\left(\frac{e(y, H_1(id)^r)\, e(g, g)^{r H_2(sk_{id'} \| N_{id, id'})}}{(e(g, g)^r)^{H_2(sk_{id'} \| N_{id, id'})}}\right) \oplus (\sigma \| m) \oplus H_4(e(H_1(id), y)^r) = \sigma \| m.$$

If $c'_1 = e(g, g)^{H_3(\sigma \| m)}$ holds, output $m$; otherwise, output $\bot$.

We have also carried out a formal analysis in the full version [46] to show that our proposed key private re-encryption scheme is both secure and privacy-preserving. The security and privacy-preserving properties of the above scheme can be formulated as the following theorem, the more formal definitions and proofs of which can be found in the full version.
Theorem 1. Under the decisional bilinear Diffie-Hellman (DBDH) assumption in the random oracle model, neither the original nor the re-encrypted ciphertext reveals any useful information on the message under chosen ciphertext attack, and both the original ciphertext and the re-key preserve identity anonymity under chosen ciphertext attack.

2.3 CAM Design

We are now ready to present our overall design, CAM: a cloud-assisted privacy-preserving mHealth monitoring system. To illustrate the fundamental idea behind this design, we start with the basic scheme and then demonstrate how improvements can be made step by step. The system time is divided into multiple time periods, called slots, each of which can last a week or a month depending on the specific application. There is an estimated maximum number of users $N$ requesting access to the monitoring program in any given slot. When a client attempts to access the program, it is assigned an index $i \in [1, N]$ by TA.

2.3.1 Basic CAM

The following basic scheme runs the BF-IBE system as a subroutine and is the fundamental building block of our overall design. It is intended to highlight our design ideas (please refer to Fig. 2-2 for the involved entities).

Setup: This algorithm is performed by TA, which publishes the system parameters for the BF-IBE scheme.

Store: This algorithm is performed by the company. For each node $p_j$ whose child nodes are not leaf nodes, the company runs $C_{L(j)} = \mathrm{AnonEnc}(id, PP, L(j))$ and $C_{R(j)} = \mathrm{AnonEnc}(id, PP, R(j))$ to encrypt the child node indices under $id$, with $id \in S_{[0, t_j]}$ and $id \in S_{[t_j + 1, \mathrm{Max}]}$, respectively. When the child nodes of $p_j$ are leaf nodes, the company generates the ciphertexts as $C_{L(j)} = \mathrm{AnonEnc}(id, PP, m_{L(j)})$ and $C_{R(j)} = \mathrm{AnonEnc}(id, PP, m_{R(j)})$, where $m_{L(j)}$ and $m_{R(j)}$ denote the information attached to the two leaf nodes, respectively. All the generated ciphertexts are delivered to and stored in the cloud.

TokenGen: To generate the private key for the attribute vector $v = (v_1, \ldots, v_n)$, a client first computes the identity representation set of each element in $v$ and delivers all the $n$ identity
representation sets to TA. TA then runs $\mathrm{AnonExtract}(id, msk)$ on each identity $id \in S_{v_i}$ in the identity sets and delivers all the respective private keys $sk_{v_i}$ to the client.

Query: A client delivers the private key sets obtained from the TokenGen algorithm to the cloud, which runs the AnonDecryption algorithm on the ciphertexts generated in the Store algorithm. Starting from $p_1$, the decryption result determines which ciphertext should be decrypted next. For instance, if $v_1 \in [0, t_1]$, then the decryption result indicates the next node index $L(i)$. The cloud then uses $sk_{v(L(i))}$ to decrypt the subsequent ciphertext $C_{L(i)}$. This process continues iteratively until it reaches a leaf node and decrypts the respective attached information.

2.3.2 Improved CAM: Full Privacy Preservation

The basic CAM has the following security weaknesses. First, the identity representation set for a client's attribute vector $v$ is known to TA, and hence TA can easily infer the client's private attribute vector. Second, the client cannot protect his privacy from the cloud either, because the cloud can easily find out the identity representation for the private key $sk_{v_i}$, $i \in [1, n]$, by running the identity test of MDRQ: the cloud can simply encrypt a random message under any attribute value $v'$ until it can use $sk_{v_i}$ to successfully decrypt the ciphertext, which means there is a match $v' = v_i$ and hence it successfully finds out $v_i$. Third, neither can the data privacy of the company be guaranteed, since the identity representation of the respective range is revealed to the cloud whenever the decryption is successful, due to the match-revealing property (see Sec. 2.2.4.3) of MDRQ. The cloud can finally find out the company's branching program since it has the private keys of all the system users.

To rectify these weaknesses in the basic CAM, we provide the following improvement. The high-level idea (refer to Fig. 2-2) is as follows: in order to avoid leaking the attribute vector to TA, the client obliviously submits his attribute vector to TA so that he can obtain the respective private keys without letting TA get any useful information on his private vector. The client runs the outsourced decryption of MDRQ to ensure the cloud completes the major workload while obtaining no useful information on his private keys. On the other hand, the company permutes
and randomizes its data using homomorphic encryption^2 and MDRQ, so that neither the cloud nor a client can get any useful information on its private branching program after a single query. Meanwhile, the company is also required to include the randomness used in the randomization step in the encryption sent to TA, to ensure that TA can successfully generate tokens for clients. The improved CAM consists of four steps, just as the basic CAM. We will show how this improvement meets the desired security requirements.

^2 An encryption scheme is homomorphic if it preserves the operations in the ciphertext space.

Setup: This algorithm is performed by TA, which publishes the public parameter $PP$ for the anonymous IBE.

Store: This algorithm is performed by the company. Let $\mathrm{PRF}(s, i)$ be a pseudorandom function (see [47] for details) which takes as input a secret key $s$ and an index $i$, i.e., $\mathrm{PRF}: \{0,1\}^\lambda \times [1, Nk] \to \{0,1\}^{C + C'}$, where $N$ is the maximum number of clients accessing the company's branching program in a time slot.

For $i = 1$ to $N$, the company first computes $\delta_{ij} = \mathrm{PRF}(s, (i - 1)k + j)$, where $j \in [1, k]$. For $j \in [1, k]$, the company obtains all the identity representation sets $S_{[0, t_j + \delta_{ij}]}$ and $S_{[t_j + \delta_{ij} + 1, \mathrm{Max}']}$, where $\mathrm{Max}'$ denotes the maximum number, i.e., $(1, \ldots, 1)_{C + C'}$.

For $i = 1$ to $N$, let $Q_i$ be a random permutation of $(1, 2, \ldots, k)$ with $Q_i[1] = 1$. For each node $p_j$ whose children are not leaf nodes, the company selects two symmetric keys $k_{Q_i[L(j)]}$ and $k_{Q_i[R(j)]}$. Then it runs the encryption algorithm $\mathrm{AnonEnc}(id_1, PP, k_{Q_i[L(j)]} \| Q_i[L(j)])$ and $\mathrm{AnonEnc}(id_2, PP, k_{Q_i[R(j)]} \| Q_i[R(j)])$, where $id_1 \in S_{[0, t_j + \delta_{ij}]}$ and $id_2 \in S_{[t_j + \delta_{ij} + 1, \mathrm{Max}']}$, which results in two ciphertext sets $C_{Q_i[L(j)]}$ and $C_{Q_i[R(j)]}$, respectively. Let $TC_j = \{C_{Q_i[L(j)]}, C_{Q_i[R(j)]}\}$. Then $k_{Q_i[L(j)]}$ and $k_{Q_i[R(j)]}$ are used to encrypt the ciphertexts $TC_{Q_i[L(j)]}$ and $TC_{Q_i[R(j)]}$, respectively, using a semantically secure symmetric key encryption scheme.^3

^3 The symmetric key encryption scheme can be the XOR of the message with the extended symmetric key, which is the result of applying a pseudorandom generator to the input symmetric key $k_{Q_i[L(j)]}$ or $k_{Q_i[R(j)]}$.

This guarantees that the
client has the opportunity to further query one of the child nodes only when its attribute value falls into the respective range. When $p_j$ is the parent node of lea nodes, the two symmetric keys are used to encrypt the information attached to the two leaf nodes, respectively.

The company delivers all the ciphertexts, including the public key and symmetric key ciphertexts, according to the permuted order to the cloud, while delivering the pseudorandom function $\mathrm{PRF}(s, i)$, the random permutation function $Q_i$ and the concerned attributes of the program, i.e., $\{a_1, \ldots, a_k\}$, to TA.

TokenGen: To generate the private keys for the attribute vector $v = (v_1, \ldots, v_n)$, the $i$-th client first generates a public/private key pair for a homomorphic encryption scheme, $\mathrm{HEnc}(\cdot)$, and sends the public key and $\mathrm{HEnc}(v_j)$ to TA.

For $j \in [1, k]$, TA computes $\mathrm{HEnc}(v_{a_j} + \delta_{ij})$ from $\mathrm{HEnc}(\delta_{ij})$ and $\mathrm{HEnc}(v_{a_j})$. It then applies the permutation function $Q_i$ to the index set $\{a_1, \ldots, a_k\}$ and returns the ciphertexts $\mathrm{HEnc}(v_{a_j} + \delta_{ij})$ according to the permuted order. The client decrypts the returned ciphertexts $\mathrm{HEnc}(v_{a_j} + \delta_{ij})$ and obtains $v_{a_j} + \delta_{ij}$ for $j \in [1, k]$. We note that $\delta_{ij}$ statistically hides the respective vector element $v_{a_j}$ when $C'$ is sufficiently large [27, 48], which further hides the concerned attribute set of the branching program from the client. The client first determines the identity representation set $S_{v_{a_j} + \delta_{ij}}$. For each identity $id \in S_{v_{a_j} + \delta_{ij}}$, the client runs $\mathrm{AnonMaskExtract}(id, msk)$ with TA to generate the transformation key $tk_{id}$. Multiple instances of $\mathrm{AnonMaskExtract}(id, msk)$ can be run simultaneously here to guarantee a constant number of communication rounds. The generated transformation keys for $S_{v_{a_j} + \delta_{ij}}$ can be delivered directly to the cloud according to the permuted order. Neither TA nor the cloud can obtain any useful information on the underlying identity representation, due to the mask privacy of the AnonMaskExtract algorithm in Sec. 2.2.4.3.

Query: Starting from $p_1$, the cloud runs $\mathrm{Transform}(C_{id}, tk_{id})$, where $id \in S_{[0, t_1 + \delta_{i1}]}$ or $S_{[t_1 + \delta_{i1} + 1, \mathrm{Max}']}$, and delivers the transformed ciphertext $C'_{id}$ back to the client. The client then runs $\mathrm{AnonMaskDecryption}(C'_{id}, z)$ to obtain the index of the subsequent node, either $Q_i[L(j)]$ or $Q_i[R(j)]$, and the respective symmetric key $k_{Q_i[L(j)]}$ or $k_{Q_i[R(j)]}$, depending on which range $v_1$ falls in. He can then use
the symmetric key to decrypt the underlying ciphertext, either $TC_{Q_i[L(1)]}$ or $TC_{Q_i[R(1)]}$, which is then returned to the cloud with the respective index $Q_i[L(1)]$ or $Q_i[R(1)]$. The cloud continues to transform the subsequent ciphertext using the transformation key according to the index returned by the client. We note that the transformation key used by the cloud and the returned ciphertext correspond to an identical index, since they are both permuted by the identical permutation function $Q_i$. They continue this process until the client reaches a leaf node and decrypts the respective decision result at that leaf node. The cloud obtains no information on either the decryption result or the company's branching program, due to the mask privacy of the AnonMaskDecryption algorithm as shown in Sec. 2.2.4.3.

We observe that, compared with the basic scheme, the cloud obtains no useful information on the company's branching program. Due to the use of the permutation function, the respective randomized thresholds from the pseudorandom function, and the security of the MDRQ system, the cloud obtains no useful information on the order of those intermediate nodes either. Neither can the cloud find out the query vector $v$ by performing the identity test, because the transformation keys the cloud obtains during the query process cannot be used for identity testing. Indeed, those transformation keys leak no private information on the query vector $v$, due to the mask privacy discussed in Sec. 2.2.4.3. The company can protect its data privacy from a client, especially the thresholds and order of those branching nodes irrelevant to the client's final decision result, because the client does not even have a chance to perform the respective queries, due to the semantic security of MDRQ and of the symmetric key encryption scheme.

2.3.3 Final CAM: Full Privacy and High Efficiency

Although the above improved CAM meets the desired security requirements, the company may need to compute all the ciphertexts for each of the $N$ clients, which implies a huge computational overhead and may not be economically feasible for small mHealth companies. In this section, we provide a further improvement to reduce both the computational burden on the company and the communication overhead for the cloud. The high-level idea (refer to Fig. 2-2) is as follows. We employ a newly developed key private re-encryption scheme (introduced in Sec.
2.2.4.5) as the underlying tool. Instead of computing a ciphertext for each client, the company generates one single ciphertext, which is then delivered to the cloud. The company then obliviously delivers the identity representation sets for the thresholds of the decisional branching nodes and the indexes of the concerned attributes to TA, so that TA can generate the re-keys corresponding to the rest of the clients in the system using the key private re-encryption scheme. The generated re-keys are then delivered to the cloud, which runs the re-encryption scheme using the re-keys and the single ciphertext delivered by the company to generate the ciphertexts for the rest of the clients. The proposed re-encryption scheme incorporates outsourced decryption, so that the other security and efficiency characteristics of the final CAM are inherited here.

Using our newly proposed key private proxy re-encryption, we design our highly efficient CAM with full privacy as follows.

Setup: This algorithm is performed by TA, which runs the Setup algorithm of the proxy re-encryption scheme and publishes the respective system parameters.

Store: This algorithm is performed by the company. Let $\mathrm{PRF}(s_0, i)$ and $\mathrm{PRF}(s_1, i)$ be two pseudorandom functions which take as input a secret key $s_j$, $j \in \{0, 1\}$, and an index $i$, i.e., $\mathrm{PRF}: \{0,1\}^\lambda \times [1, Nk] \to \{0,1\}^{C + C'}$, where $N$ denotes the maximum number of clients accessing the company's data in a time slot.

The company first computes $\delta^{(0)}_{ij} = \mathrm{PRF}(s_0, (i - 1)k + j)$, $\delta^{(1)}_{ij} = \mathrm{PRF}(s_1, (i - 1)k + j)$ and $\delta_{ij} = \delta^{(1)}_{ij} + \delta^{(0)}_{ij}$, where $j \in [1, k]$. For $j \in [1, k]$, the company obtains all the identity representation sets $S_{[0, t_j + \delta_{ij}]}$ and $S_{[t_j + \delta_{ij} + 1, \mathrm{Max}']}$.

Let $Q$ be a random permutation of the set $[1, k] = (1, 2, \ldots, k)$ with $Q[1] = 1$. The company delivers $\mathrm{PRF}(s_0, \cdot)$, $\{t_j + \delta_{ij}, a_j \mid i \in [1, N], j \in [1, k]\}$ and $Q$ to TA, which computes the identity representation sets as the company does.

For $j \in [1, k]$, TA runs the $\mathrm{ReKey}(id_1, id_2, msk)$ algorithm on $id_1 \in S_{[0, t_j + \delta_{ij}]}$ and $id_2 \in S_{[0, t_j + \delta_{(i+1)j}]}$, or on $id_1 \in S_{[t_j + \delta_{ij} + 1, \mathrm{Max}']}$ and $id_2 \in S_{[t_j + \delta_{(i+1)j} + 1, \mathrm{Max}']}$. Although the respective two representation sets might not have the identical number of elements, the re-key generation process can simply start from the first identity element of both sets until the set containing fewer
identities exhausts all its identity elements. TA then returns all the generated re-keys according to the permuted order $Q[j]$ to the cloud.

Starting with $p_1$, the company selects two symmetric keys $k_{Q[L(j)]}$ and $k_{Q[R(j)]}$ for each decision node $p_j$ whose children are not leaf nodes. Then it runs the encryption algorithm $\mathrm{Enc}(id_1, k_{Q[L(j)]} \| Q[L(j)])$ and $\mathrm{Enc}(id_2, k_{Q[R(j)]} \| Q[R(j)])$, where $id_1 \in S_{[0, t_j + \delta_{ij}]}$ and $id_2 \in S_{[t_j + \delta_{ij} + 1, \mathrm{Max}']}$, respectively, to generate two ciphertext sets $C_{Q[L(j)]}$ and $C_{Q[R(j)]}$. Let $TC_j = \{C_{Q[L(j)]}, C_{Q[R(j)]}\}$. $k_{Q[L(j)]}$ and $k_{Q[R(j)]}$ are then used to encrypt the ciphertexts $TC_{Q[L(j)]}$ and $TC_{Q[R(j)]}$ for the two child nodes, respectively, using a semantically secure symmetric key encryption scheme. When $p_j$ is the parent node of leaf nodes, the two symmetric keys are used to encrypt the information attached to the two leaf nodes, respectively.

The company then delivers all the resulting ciphertexts and $\delta^{(1)}_{ij}$ to the cloud. All the ciphertexts for each node, whether the public key ciphertexts generated from the proxy re-encryption scheme or the symmetric key ciphertexts, are aligned to the permuted order $Q[j]$ in the cloud.

For $i \in [1, N]$, the cloud generates the ciphertexts corresponding to the $i$-th client as follows: starting with $p_1$, the cloud runs the $\mathrm{ReEnc}(C_{id_1}, rk_{id_1, id_2})$ algorithm to re-encrypt the ciphertexts using the re-key from TA, with $id_1 \in S_{[0, t_j + \delta_{ij}]}$ and $id_2 \in S_{[0, t_j + \delta_{(i+1)j}]}$, or $id_1 \in S_{[t_j + \delta_{ij} + 1, \mathrm{Max}']}$ and $id_2 \in S_{[t_j + \delta_{(i+1)j} + 1, \mathrm{Max}']}$. The resulting public key ciphertexts, along with the original symmetric key ciphertexts, constitute the ciphertext sets for the $i$-th client.

TokenGen: To generate the private key for the attribute vector $v = (v_1, \ldots, v_n)$, the $i$-th client first generates a public/private key pair of a homomorphic encryption scheme and sends the public key and $\mathrm{HEnc}(v_j)$ to TA.

TA computes $\mathrm{HEnc}(v_{a_j} + \delta^{(0)}_{ij})$ from $\mathrm{HEnc}(\delta^{(0)}_{ij})$ and $\mathrm{HEnc}(v_{a_j})$. TA then permutes the resulting ciphertexts according to $Q$ and sends them, in the order of $Q[a_j]$, $j \in [1, k]$, to the cloud, which returns $\mathrm{HEnc}(v_{a_j} + \delta^{(0)}_{ij} + \delta^{(1)}_{ij}) = \mathrm{HEnc}(v_{a_j} + \delta_{ij})$ to the client. The client then decrypts the returned ciphertexts and obtains $v_{a_j} + \delta_{ij}$ for $j \in [1, k]$. The client then determines the identity representation set $S_{v_{a_j} + \delta_{ij}}$ for each $j$. For each identity $id \in S_{v_{a_j} + \delta_{ij}}$,
the client runs $\mathrm{Ext}(id, msk)$ with TA to generate the respective transformation key, which is delivered directly to the cloud.

Query: The client delivers his index $i$ to the cloud, which then returns the respective ciphertexts. The client can either download all the ciphertexts and transformation keys and perform the remaining decryption steps, or he can start by running $\mathrm{Dec}(sk_{id}, C_{id})$, where $id \in S_{[0, t_1 + \delta_{i1}]}$ or $S_{[t_1 + \delta_{i1} + 1, \mathrm{Max}']}$, to decrypt from $p_1$ and then download the ciphertext and the transformation key for the next node according to the decryption result. If he chooses the latter approach, he only needs to access the ciphertexts corresponding to a path from the root node to a leaf node instead of the ciphertexts for all nodes in the directed branching tree. However, in so doing, the client has to access the cloud a number of times proportional to the length of the path. Compared with the first improvement, the cloud does not need to perform any computation when it interacts with the client in this case, because the client alone can complete all the necessary decryption steps. On the other hand, the client does not need to compute any bilinear map, since the bilinear operation has already been completed by the cloud in the preprocessing step of the $\mathrm{ReEnc}(C_{id_1}, rk_{id_1, id_2})$ algorithm as shown in subsection 2.2.4.5.

2.4 Performance Evaluation

In this section, we evaluate our proposed CAM.

2.4.1 Security

The cloud obtains no information on either the individual query vector $v$ or the company's diagnostic branching program, as in our first improvement. The cloud obtains no information on the company's branching program due to the semantic security of the proxy re-encryption and symmetric key encryption schemes. The secrecy of the ciphertexts in the encryption schemes guarantees that the cloud can find out neither the information attached to the leaf nodes nor the order or the thresholds of the intermediate branching nodes. The key privacy guarantees that the cloud obtains no useful information on the branching program while completing all the computationally intensive encryption operations for the company. As in the first improvement,
Figure 2-4. TA computation for re-key generation and overhead of the ReEnc algorithm in the cloud

the transformation key contains no information on a client's query vector $v$ due to the mask privacy, which defeats the cloud's attack through identity testing.

A client can only gain information on his decision result and certain side information on the relevant nodes leading to his decision result, as in the first improvement, which we consider reasonable since a doctor usually tells his patients this information in reality. On the other hand, the trusted authority and the company have the motivation to collude to obtain information on the client query vector $v$. However, this attack cannot succeed, because TA obtains no information during the private key generation process, as stated in the Ext algorithm of Sec. 2.2.4.5, and all the individual decryption is done on the clients' devices. We note that TA in our final CAM can only infer, from what is delivered by the company, the indices of the relevant nodes of the branching program, just as in the first improvement.

2.4.2 Efficiency

To assess our CAM, we conduct a few experiments. We used a laptop with a 2.4 GHz processor and 4 GB of RAM to simulate the cloud server and the company, and a 1 GHz ARM-based iPhone with 512 MB RAM to simulate a client. All the timings reported below are averaged over 100 randomized runs. We assume a maximum of $k = 1000$ nodes in the branching program, which can express most complicated decision support systems compared with the 31 nodes used in MediNet [2], as shown in Fig. 2-1. The attribute vector has a maximum of $n = 50$
Figure2-5.ComparisonofcompanycomputationandcommunicationoverheadsinourtwoimprovedCAMdesigns attributes,whichcontainmuchricherinformationcomparedwiththeMediNetprojectwithfourattributes.WeusethebenchmarkresultsfromthePBClibrary[ 49 ]forourevaluation. InthenalCAM,allthecostlyoperationsthecompanyneedstocarryoutisthecompu-tationoftheciphertextsdeliveredtothecloudandthenitcouldstayofineuntiltheendofaslot.Allthecompanyneedstodoistherstlevelencryptionintheproxyre-encryptionsandtherestsymmetrickeyencryptions,whichbasicallyconsistofahashcomputationandanXORoperation.Thesymmetrickeyencryptionisfarlesscomputationallyintensivecomparedwiththepublicencryptionscheme,andthecomputationalcostofthecompanyisdeterminedbytherstlevelencryption.Foreachnodepi;i2[1;k],thecompanyisrequiredtogenerateatmost4(log(Max0))]TJ /F6 11.955 Tf 12.21 0 Td[(1)=4(C+C0)]TJ /F6 11.955 Tf 12.22 0 Td[(1)rstlevelciphertextssincethetworandomizedintervalscanberepresentedby4(log(Max0))]TJ /F6 11.955 Tf 12.15 0 Td[(1)identities.AssumingC=32(whichprovideshighenoughprecisionforthemedicalmeasurements),thenC0=80isenoughtostatisticallyhidetheoriginaldata[ 50 ].Foreachnode,thecompanyisrequiredtoperformatmost4(32+80)]TJ /F6 11.955 Tf 12.11 0 Td[(1)=444rstlevelencryptions.EachrstlevelencryptioncontainsonebilinearpairingandtwoexponentiationoperationswhenonlyCPAsecurityisconsidered,whichtakesamodern64-bitPCroughly24ms[ 49 ]tocomplete.Therefore,ittakesroughly10.6sforthecompanytocompleteanencryptionforabranchingnode.Ourbranchingprogramhasamaximumofk=1000nodes,andhenceitwilltakeroughlythreehourstogeneratetheciphertextsfortheentirebranchingprogram.Fig. 2-5 showsthecomparisonbetweenthecomputationofthecompanyinthetwoimproved 37
CAM designs. The company's computation is linearly dependent on the number of clients while the cost in the final CAM is constant since all the company needs to accomplish is the initial encryption. The computation overhead of the company is reduced due to the usage of the key private proxy re-encryption scheme.

TA is required to generate rekeys for the identity representation sets for different users. Each run of the $\mathrm{ReKey}(\mathrm{id}_1, \mathrm{id}_2, msk)$ algorithm costs TA three exponentiation operations. To generate rekey sets for different users, TA needs to perform at most $4(\log(\mathrm{Max}') - 1) = 4(C + C' - 1) = 444$ rekey generations for each node. TA is required to compute at most $4 \cdot 1000 \cdot (C + C' - 1) \cdot 3 = 4000 \cdot 333$ modular exponentiations for each client, which takes roughly 399.6 s. Fig. 2-4 shows the computation of rekey generations of TA depending on the number of branching nodes. The cloud is required to generate the ciphertexts for clients by running the ReEnc algorithm. Each run of the ReEnc algorithm costs the cloud exactly two pairing computations. For each client, the cloud needs to perform at most $4(\log(\mathrm{Max}') - 1) \cdot k \cdot 2 = 8(C + C' - 1)k$ pairing computations. Therefore, the cloud needs to perform at most $8(N - 1)(C + C' - 1)k$ pairing computations in our CAM. Fig. 2-4 shows the computation of the cloud in our evaluation.

The communication between the company and TA is low since the company only needs to deliver the description of a pseudorandom function and a permutation function, and $Nk$ randomized thresholds to TA. The company needs to deliver two field elements (which are roughly 2 KB long), i.e., the seeds of the pseudorandom function and the permutation function, which are sufficient for the description of the pseudorandom function assuming they have already agreed on which family of pseudorandom functions they are using. Each randomized threshold is 112-bit long, and the company needs to deliver roughly 112 KB to TA for each client in CAM. We note that all this workload can be done offline and transparent to a client. However, the company needs to generate the ciphertexts for all clients and transfer them to the cloud. The individual ciphertext consists of at most $4(\log(\mathrm{Max}') - 1)k = 4(C + C')k$ BF-IBE ciphertexts, each of which is composed of three group elements. Therefore, the communication overhead of the company is composed of at most $4000 \cdot 112 \cdot 3 \cdot n$ group elements in the first improvement while
Figure 2-6. Workload of individual token generation

Figure 2-7. Workload of individual query

the company only needs to deliver at most $4000 \cdot 112 \cdot 3$ group elements (for the first level ciphertext generation at the setup stage) and the other 112 KB for each client in the final CAM. Fig. 2-5 shows the comparison between the company communication overhead in the two improved CAM designs. We observe that the communication overhead is significantly reduced in the final CAM.

Each client needs to complete $n$ homomorphic encryptions and decryptions before he can obtain his private key set. The client needs to compute three modular exponentiations for each round of homomorphic encryption and decryption. The client is required to run at most $2n\log(\mathrm{Max}') = 2k(C + C')$ instances of the $\mathrm{Ext}(\mathrm{id}, msk)$ algorithm, each of which takes the client two exponentiation computations. Assuming the identical parameters as in the above, it will take the client $100 \cdot 112 \cdot 2 + 50 \cdot 3$ exponentiation computations when $n = 50$ to get all the private keys, which takes roughly 18 minutes to complete the computation. Fig. 2-6 shows the computation
and communication overhead for an individual client. The individual decryption time is short since the individual decision process generally forms a path from the top node to one's leaf node. Therefore, each client only needs to perform roughly $2\log(\mathrm{Max}')\log k$ runs of the $\mathrm{Dec}(sk_{\mathrm{id}}, C_{\mathrm{id}})$ algorithm. When only CPA security is considered, each $\mathrm{Dec}(sk_{\mathrm{id}}, C_{\mathrm{id}})$ algorithm requires at most $2\log(\mathrm{Max}')\log k = 2 \cdot 112 \cdot 10 \cdot 0.3\,\mathrm{ms} = 0.7\,\mathrm{s}$ to complete. The total computation time for the client is no more than 19 minutes in our setting even when $n = 50$ and $k = 1000$. The client needs to receive $k$ randomized thresholds from the cloud and delivers at most $2k\log(\mathrm{Max}') = 2k(C + C')$ group elements to TA. The communication overhead contains roughly 225 MB of data assuming a 1024-bit prime modulus is used for the underlying group when $k = 1000$. It only takes several seconds to deliver that information if the current 802.11 cards operate at hundreds of Mbps depending on signal quality. Fig. 2-7 shows the individual computation and communication overhead in the final CAM.

2.4.3 More Related Work

Most of the current private telemonitoring schemes [51] are dependent on anonymization techniques, which are deemed to be ineffective in the proposed scenario as we discussed before. Another line of work focuses on privacy preserving diagnostic programs [33, 52]. At the end of the protocol, a client obtains nothing on the diagnostic program but the diagnostic result while the program owner, i.e., the company, obtains no information on the individual private data. All the existing solutions require a client to run multiple instances of an oblivious transfer protocol with the company after the setup phase, which means the company has to stay online constantly. All the current solutions [27, 33, 52] are based on garbled circuits, which implies a client must download the whole circuit to his device and complete the decryption. Besides, the private computation or processing of medical information over the cloud has also attracted attention from both the security community [53, 54] and the signal processing community [55, 56]. These works can be divided into two categories: providing a solution for a specific scenario such as private genomic test [54] or private classification of users' electrocardiogram (ECG) data [55]; or proposing a general framework for private processing of monitoring data [53] or
electronic health records [56]. Although these schemes are based on cloud computing, they do not emphasize how to transfer the workload of the involved parties to the cloud without violating the privacy of the involved parties. Since our application scenario assumes clients hold relatively resource-constrained mobile devices in a cloud-assisted environment, it would be helpful if a client could shift the computational load to the cloud. However, there seems to be no trivial approach to outsourcing the decryption of garbled circuits currently. Our proposed system adopts the recently proposed decryption outsourcing to significantly reduce the workload of both the company and clients by outsourcing the majority of the computational tasks to the cloud while keeping the company offline after the initialization phase.

In this chapter, we design a cloud-assisted privacy preserving mobile health monitoring system, called CAM, which can effectively protect the privacy of clients and the intellectual property of mHealth service providers. To protect the clients' privacy, we apply the anonymous Boneh-Franklin identity-based encryption (IBE) in medical diagnostic branching programs. To reduce the decryption complexity due to the use of IBE, we apply recently proposed decryption outsourcing with privacy protection to shift clients' pairing computation to the cloud server. To protect mHealth service providers' programs, we expand the branching program tree by using a random permutation and randomize the decision thresholds used at the decision branching nodes. Finally, to enable resource-constrained small companies to participate in the mHealth business, our CAM design helps them to shift the computational burden to the cloud by applying the newly developed key private proxy re-encryption technique. Our CAM has been shown to achieve the design objective.

2.5 Security Model and Proof

2.5.0.1 Indistinguishability of Encryptions under Chosen-Ciphertext Attack

The ID-IE-CCA security for the proposed key private proxy re-encryption scheme is defined by the following chosen-ciphertext attack game played between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$. Note that we have two types of ciphertexts in the proposed key private re-encryption scheme, and hence, there are two situations.
The challenge on the original ciphertext.

Setup: The challenger $\mathcal{C}$ runs $\mathrm{Setup}(1^\lambda)$ with the security parameter $\lambda$, and then sends the system parameter and TA's public key $pk$ to the adversary $\mathcal{A}$, but keeps TA's private key $msk$ secret.

Phase 1: The adversary $\mathcal{A}$ issues queries $q_1, \ldots, q_{n_1}$ where query $q_i$ is one of the following:

Extraction oracle $\mathcal{O}_{sk}$: On input $\mathrm{id}$ by $\mathcal{A}$, if $(\cdot, \mathrm{id})$ has not appeared in any query to $\mathcal{O}_{rk}$, the challenger returns $sk_{\mathrm{id}}$ by running $\mathrm{Ext}(\mathrm{id}, msk)$; otherwise, the challenger refuses to respond, since we do not consider the collusion attack by the delegatee and the proxy.

Re-encryption key generation oracle $\mathcal{O}_{rk}$: On input $(\mathrm{id}_1, \mathrm{id}_2)$ by $\mathcal{A}$, if $\mathrm{id}_2$ has not appeared in any query to $\mathcal{O}_{ext}$, the challenger returns the re-encryption key $rk_{\mathrm{id}_1, \mathrm{id}_2} = \mathrm{ReKey}(\mathrm{id}_1, \mathrm{id}_2, msk)$; otherwise, the challenger refuses to respond, since we do not consider the collusion attack by the delegatee and the proxy.

Re-encryption oracle $\mathcal{O}_{re}$: On input $(\mathrm{id}_1, \mathrm{id}_2, C_1)$ by $\mathcal{A}$, the challenger returns the re-encrypted ciphertext $C_2 = \mathrm{ReEnc}(C_1, \mathrm{ReKey}(\mathrm{id}_1, \mathrm{id}_2, msk))$.

Decryption oracle $\mathcal{O}_{dec}$: On input $(\mathrm{id}, C)$, the challenger returns $\mathrm{Dec}(\mathrm{Ext}(\mathrm{id}, msk), C)$.

These queries may be conducted adaptively, that is, each query $q_i$ may depend on the replies to $q_1, \ldots, q_{i-1}$.

Challenge: Once the adversary $\mathcal{A}$ decides that Phase 1 is over, it outputs two equal length plaintexts $m_0$ and $m_1$ from the message space $\mathcal{M}$, and an identity $\mathrm{id}^*$ on which it wishes to challenge. The identity $\mathrm{id}^*$ has not been queried to $\mathcal{O}_{ext}$. The challenger picks a random bit $b \in \{0, 1\}$ and sets $C^* = \mathrm{Enc}(\mathrm{id}^*, m_b)$. It sends $C^*$ as the challenge to $\mathcal{A}$.

Phase 2: The adversary $\mathcal{A}$ issues more queries $q_{n_1 + 1}, \ldots, q_n$ where query $q_i$ is one of the following:

$\mathcal{O}_{ext}$: On input $\mathrm{id}$ by $\mathcal{A}$, if $\mathrm{id} = \mathrm{id}^*$, or $(\mathrm{id}^*, \mathrm{id}, C^*)$ has been queried to $\mathcal{O}_{re}$, then the challenger outputs reject; otherwise, the challenger responds as in Phase 1.
$\mathcal{O}_{re}$: On input $(\mathrm{id}_1, \mathrm{id}_2, C_1)$ by $\mathcal{A}$, if $(\mathrm{id}_1, C_1) = (\mathrm{id}^*, C^*)$ and $\mathrm{id}_2$ has appeared in a query to $\mathcal{O}_{ext}$, the challenger outputs reject; otherwise, the challenger responds as in Phase 1.

$\mathcal{O}_{dec}$: On input $(\mathrm{id}, C)$, if $(\mathrm{id}, C)$ is a derivative (see Footnote 4) of $(\mathrm{id}^*, C^*)$, the challenger outputs reject; otherwise, the challenger responds as in Phase 1.

These queries may also be conducted adaptively.

Guess: Finally, the adversary $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ and wins the game if $b = b'$.

The advantage $\mathrm{Adv}^{\text{ID-IE-CCA-O}}(\lambda)$ is defined as $|\Pr[b = b'] - 1/2|$. Our proposed key private re-encryption scheme is said to be ID-IE-CCA-O secure if for all efficient adversaries $\mathcal{A}$, the advantage $\mathrm{Adv}^{\text{ID-IE-CCA-O}}(\lambda)$ is negligible.

The challenge on the re-encrypted ciphertext.

Phase 1: Identical to that in the ID-IE-CCA-O security.

Challenge: Once the adversary $\mathcal{A}$ decides that Phase 1 is over, it outputs two equal length plaintexts $m_0$ and $m_1$ from the message space, and two identities $\mathrm{id}'$ and $\mathrm{id}^*$ on which it wishes to challenge, where $\mathrm{id}'$ and $\mathrm{id}^*$ have not been queried to $\mathcal{O}_{ext}$. The challenger computes $C^* = \mathrm{ReEnc}(\mathrm{Enc}(\mathrm{id}', m_b), rk)$, where $rk$ is a re-encryption key from $\mathrm{id}'$ to $\mathrm{id}^*$, and $b$ is a random bit. It sends $C^*$ as the challenge to $\mathcal{A}$.

Phase 2: Almost the same as that in the ID-IE-CCA-O security, except that in $\mathcal{O}_{dec}$: On input $(\mathrm{id}, C)$, if $(\mathrm{id}, C) = (\mathrm{id}^*, C^*)$, the challenger outputs $\bot$; otherwise, the challenger responds as in Phase 1.

Guess: Identical to that in the ID-IE-CCA-O security.

Footnote 4. Derivatives of $(\mathrm{id}^*, C^*)$ are adapted from [57]:
1. $(\mathrm{id}^*, C^*)$ is a derivative of itself.
2. If $\mathcal{A}$ has queried $\mathcal{O}_{re}$ on input $(\mathrm{id}^*, \mathrm{id}, C^*)$ and obtained $(\mathrm{id}, C)$, then $(\mathrm{id}, C)$ is a derivative of $(\mathrm{id}^*, C^*)$.
3. If $\mathcal{A}$ has queried $\mathcal{O}_{rk}$ on input $(\mathrm{id}^*, \mathrm{id})$, and $C = \mathrm{ReEnc}(\mathcal{O}_{rk}(\mathrm{id}^*, \mathrm{id}), C^*)$, then $(\mathrm{id}, C)$ is a derivative of $(\mathrm{id}^*, C^*)$.
The advantage $\mathrm{Adv}^{\text{ID-IE-CCA-R}}(\lambda)$ is defined as $|\Pr[b = b'] - 1/2|$. Our proposed key private re-encryption scheme is said to be ID-IE-CCA-R secure if for all efficient adversaries $\mathcal{A}$, the advantage $\mathrm{Adv}^{\text{ID-IE-CCA-R}}(\lambda)$ is negligible.

2.5.0.2 Indistinguishability of Keys under Chosen-Ciphertext Attack

The ID-IK-CCA security for our proposed key private re-encryption scheme is defined by the same method as for the ID-IE-CCA security. Note that we have two types of challenges. One is for an original ciphertext, the other is for a re-encryption key. The former is for the anonymity of the original ciphertext, and the latter is for the anonymity of the re-encryption key.

The challenge on the original ciphertext.

Phase 1: Identical to that in the ID-IE-CCA-O security.

Challenge: Once the adversary $\mathcal{A}$ decides that Phase 1 is over, it outputs two identities $\mathrm{id}_0$ and $\mathrm{id}_1$, and a message $m$, on which it wishes to challenge, where $\mathrm{id}_b$ ($b \in \{0, 1\}$) has not appeared in any query to $\mathcal{O}_{ext}$. The challenger picks a random bit $b \in \{0, 1\}$ and computes $C^* = \mathrm{Enc}(\mathrm{id}_b, m)$. At last, the challenger sends $C^*$ as the challenge to $\mathcal{A}$.

Phase 2: Almost the same as that in the ID-IE-CCA-O security, except that $\mathrm{id}^*$ is replaced by $\mathrm{id}_b$ ($b \in \{0, 1\}$).

Guess: Identical to that in the ID-IE-CCA-O security.

The advantage $\mathrm{Adv}^{\text{ID-IK-CCA-O}}(\lambda)$ is defined as $|\Pr[b = b'] - 1/2|$. Our proposed key private re-encryption scheme is said to be ID-IK-CCA-O secure if for all efficient adversaries $\mathcal{A}$, the advantage $\mathrm{Adv}^{\text{ID-IK-CCA-O}}(\lambda)$ is negligible.

The challenge on the re-encryption key.

Phase 1: Identical to that in the ID-IE-CCA-O security.

Challenge: Once the adversary $\mathcal{A}$ decides that Phase 1 is over, it outputs two identities $\mathrm{id}_I$ and $\mathrm{id}_J$, on which it wishes to challenge. There are two restrictions on the identities $\mathrm{id}_I$ and $\mathrm{id}_J$, where $\mathrm{id}_I$ or $\mathrm{id}_J$ has not appeared in any query to $\mathcal{O}_{ext}$. The challenger picks a random bit $b \in \{0, 1\}$. If $b = 0$, then it sets $rk_{\mathrm{id}_I, \mathrm{id}_J}$ as a random key from the re-encryption key space;
otherwise, it sets $rk_{\mathrm{id}_I, \mathrm{id}_J} = \mathrm{ReKey}(\mathrm{id}_I, \mathrm{id}_J, msk)$. At last, the challenger sends $rk_{\mathrm{id}_I, \mathrm{id}_J}$ as the challenge to $\mathcal{A}$.

Phase 2: It runs almost the same as Phase 1, but with the following restrictions.

$\mathcal{O}_{ext}$: Almost the same as that in the ID-IE-CCA-O security, except that $\mathrm{id}^*$ is replaced by $\mathrm{id}_I$ and $\mathrm{id}_J$.

$\mathcal{O}_{dec}$: The input $(\mathrm{id}, C)$ cannot satisfy the following situations simultaneously:
– $\mathrm{id} = \mathrm{id}_J$;
– $C$ is a re-encrypted ciphertext computed by the challenged re-encryption key.

Guess: Finally, the adversary $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ and wins the game if $b = b'$.

The advantage $\mathrm{Adv}^{\text{ID-IK-CCA-R}}(\lambda)$ is defined as $|\Pr[b = b'] - 1/2|$. The scheme PRE is said to be ID-IK-CCA secure if for all efficient adversaries $\mathcal{A}$, the advantage $\mathrm{Adv}^{\text{ID-IK-CCA-R}}(\lambda)$ is negligible.

2.5.0.3 Security Analysis

We first give the computational complexity model to be used. We will use the decisional bilinear Diffie-Hellman (DBDH) assumption, which states that in the IBE setting of Subsection 2.2.4.1, given $(g, g^a, g^b, g^c, S)$, it is computationally difficult to decide whether $S = g^{abc}$. With this assumption, we now present our main results.

Theorem 2 (ID-IE-CCA-O Security). Our proposed key private re-encryption scheme is ID-IE-CCA-O secure in the random oracle model under the DBDH assumption.

PROOF 1. Assume there exists $\mathcal{A}$ breaking the ID-IE-CCA-O security of our proposal; then we build an algorithm $\mathcal{B}$ solving the DBDH problem, which states that given $(g, g^a, g^b, g^c, S)$, $\mathcal{B}$ decides whether $S = g^{abc}$. $\mathcal{B}$ first sets $y = g^a$, then does the following steps.

Phase 1:

Hash oracles.
– $\mathcal{O}_{H_1}$: On input $\mathrm{id}_i$, $\mathcal{B}$ searches $(\mathrm{id}_i, \square^{(1)}_i, \square_i)$ in the query list $L_{H_1}$ to the hash function $H_1$. If it exists and $\square_i = 1$, return $g^{\square^{(1)}_i}$.
If it exists and $\square_i = 0$, return $(g^b)^{\square^{(1)}_i}$. If it does not exist, set $\square_i = 1$ with a fixed probability, and choose a random number $\square^{(1)}_i$ from $\mathbb{Z}_q$. If $\square_i = 1$, return $g^{\square^{(1)}_i}$; if $\square_i = 0$, return $(g^b)^{\square^{(1)}_i}$. At last, record $(\mathrm{id}_i, \square^{(1)}_i, \square_i)$ in List $L_{H_1}$.
– $\mathcal{O}_{H_i}$ ($i = 2, 3, 4$): On input $r_j$, $\mathcal{B}$ searches $(r_j, \square^{(i)}_j)$ in List $L_{H_i}$. If the tuple exists, return $\square^{(i)}_j$; otherwise, choose a random number $\square^{(i)}_j$ from the corresponding space, return $\square^{(i)}_j$, and record $(r_j, \square^{(i)}_j)$ in List $L_{H_i}$.
– $\mathcal{O}_{H_5}$: On input $r_j$, $\mathcal{B}$ searches $(r_j, \square^{(i)}_j)$ in List $L_{H_i}$. If the tuple exists, return $\square^{(i)}_j$; otherwise, choose a random number $\square^{(i)}_j$ from the corresponding space, return $g^{\square^{(i)}_j}$, and record $(r_j, \square^{(i)}_j)$ in List $L_{H_5}$.

$\mathcal{O}_{ext}$: On input $\mathrm{id}_i$, $\mathcal{B}$ queries $\mathcal{O}_{H_1}$ with $\mathrm{id}_i$, and obtains $(\mathrm{id}_i, \square^{(1)}_i, \square_i)$. If $\square_i = 1$, return $(g^a)^{\square^{(1)}_i}$; otherwise, return failure and abort.

$\mathcal{O}_{rk}$: On input $(\mathrm{id}_i, \mathrm{id}_j)$, $\mathcal{B}$ queries $\mathcal{O}_{H_1}$ with $\mathrm{id}_i$ and $\mathrm{id}_j$, respectively. Then $\mathcal{B}$ obtains $(\mathrm{id}_i, \square^{(1)}_i, \square_i)$ and $(\mathrm{id}_j, \square^{(1)}_j, \square_j)$.
– If $\square_i = \square_j = 1$, query $\mathcal{O}_{ext}$ with $\mathrm{id}_i$ and $\mathrm{id}_j$, and then use the obtained private keys to compute the corresponding re-encryption key $rk_{\mathrm{id}_i, \mathrm{id}_j}$ with ReKey.
– Otherwise, choose two random numbers $R^{(1)}_{\mathrm{id}_i, \mathrm{id}_j}, R^{(2)}_{\mathrm{id}_i, \mathrm{id}_j}$ from $\mathbb{G}$ as the re-encryption key $rk_{\mathrm{id}_i, \mathrm{id}_j}$, and record $(\mathrm{id}_i, \mathrm{id}_j, R^{(1)}_{\mathrm{id}_i, \mathrm{id}_j}, R^{(2)}_{\mathrm{id}_i, \mathrm{id}_j})$ in List $L_{rk}$.

$\mathcal{O}_{re}$: On input $(\mathrm{id}_i, \mathrm{id}_j, C_i)$, $\mathcal{B}$ first checks $e(c_1, H_5(c_1 \| c_2)) = e(g, c_3)$. If it does not hold, output $\bot$ and abort; otherwise, query $\mathcal{O}_{H_1}$ with $\mathrm{id}_i, \mathrm{id}_j$ to obtain $(\mathrm{id}_i, \square^{(1)}_i, \square_i)$ and $(\mathrm{id}_j, \square^{(1)}_j, \square_j)$, respectively.
– If $\square_i = 0$ and $\square_j = 1$, $\mathcal{B}$ searches $(m_i, \square_i, \square^{(3)})$ and $(R, \square^{(4)}_i)$ in Lists $L_{H_3}$ and $L_{H_4}$, such that $g^{\square^{(3)}_i} = c_1$ and $(\square_i \| m) \oplus \square^{(4)}_i = c_2$. If such tuples do not exist, choose two random numbers $R^{(1)}_{\mathrm{id}_i, \mathrm{id}_j}, R^{(2)}_{\mathrm{id}_i, \mathrm{id}_j}$ from $\mathbb{G}$ as the re-encryption key $rk_{\mathrm{id}_i, \mathrm{id}_j}$, and return $\mathrm{ReEnc}(C_i, rk_{\mathrm{id}_i, \mathrm{id}_j})$; otherwise, choose a random number $R$ from $\mathbb{G}$, compute $c'_1 = e(c_1, g)$, $c'_3 = e(H_1(\mathrm{id}_i), y)^{\square^{(3)}_i}\, c'_1\, H_4((g^a)^{\square^{(1)}_j} \| R)$ and $c_4 = R$, and return $(c'_1, c_2, c'_3, c_4)$.
– Otherwise, $\mathcal{B}$ queries $\mathcal{O}_{rk}$ with $(\mathrm{id}_i, \mathrm{id}_j)$ to obtain $rk_{\mathrm{id}_i, \mathrm{id}_j}$. At last, return $\mathrm{ReEnc}(C_i, rk_{\mathrm{id}_i, \mathrm{id}_j})$.

$\mathcal{O}_{dec}$: On input $(\mathrm{id}_i, C_i)$, $\mathcal{B}$ queries $\mathcal{O}_{H_1}$ with $\mathrm{id}_i$ to obtain $(\mathrm{id}_i, \square^{(1)}_i, \square_i)$.
– If $C_i$ is an original ciphertext and $e(c_1, H_5(c_1 \| c_2)) = e(g, c_3)$, then $\mathcal{B}$ can obtain $m, \square$ as in the first case of $\mathcal{O}_{re}$. If $c_3 = H_5(c_1 \| c_2)^{H_3(\square \| m)}$ holds, output the obtained $m$; otherwise, output $\bot$.
– If $C_i$ is a re-encrypted ciphertext, $\mathcal{B}$ can obtain $m, \square$ (or nothing) as in the first case of $\mathcal{O}_{re}$, and then searches $(\mathrm{id}_j, \mathrm{id}_i, R^{(1)}_{\mathrm{id}_j, \mathrm{id}_i}, c_4)$ in List $L_{rk}$ such that $c'_3 = e(c'_1, R^{(1)}_{\mathrm{id}_j, \mathrm{id}_i})$. If the tuple does not exist, output $\bot$; otherwise, output the obtained $m$.

Challenge: On input $\mathrm{id}^*, m_0, m_1$, if $\square^* = 1$, $\mathcal{B}$ outputs failure and aborts; otherwise, $\mathcal{B}$ chooses a random bit $b$, and computes $c_1 = g^c$, $c_2 = (\square \| m_b) \oplus H_4(S^{\square^{(1)}})$, $c_3 = (g^c)^{\square^{(5)}}$, where $\square$ is a random number from $\mathbb{G}$, $\square^{(1)}$ is the corresponding value in the tuple $(\mathrm{id}^*, \square^{(1)})$ in List $L_{H_1}$, and $\square^{(5)}$ is the corresponding value in the tuple $(c_1, c_2, \square^{(5)})$ in List $L_{H_5}$. At last, output the challenge ciphertext.

Phase 2: Almost the same as that in Phase 1, except for what is specified in the security model.

Guess: $\mathcal{A}$ outputs $b'$. If $b' = b$, then $S = g^{abc}$; otherwise, $S \neq g^{abc}$.

By using methods similar to those in [58], we have that the above simulator succeeds with a non-negligible probability.

Theorem 3 (ID-IE-CCA-R Security). Our proposed key private re-encryption scheme is ID-IE-CCA-R secure in the random oracle model under the DBDH assumption.

PROOF 2. Assume there exists $\mathcal{A}$ breaking the ID-IE-CCA-R security of our proposal; then we build an algorithm $\mathcal{B}$ solving the DBDH problem, which states that given $(g, g^a, g^b, g^c, S)$, $\mathcal{B}$ decides whether $S = g^{abc}$. $\mathcal{B}$ first sets $y = g^a$, then does the following steps.

Phase 1: Identical to that in the proof of Theorem 2.
Challenge: On input $\mathrm{id}', \mathrm{id}^*$, if $\square'$ and $\square^*$ are not both 0, then $\mathcal{B}$ outputs failure and aborts; otherwise, $\mathcal{B}$ chooses a random bit $b$, and computes $c'_1 = e(g^c, g)$, $c_2 = (\square \| m_b) \oplus H_4(S^{\square^{(1)}})$, $c'_3 = e(g^c, R^{(1)}_{\mathrm{id}', \mathrm{id}^*})$, $c_4 = R^{(2)}_{\mathrm{id}', \mathrm{id}^*}$, where $\square$ is a random element from $\mathcal{M}$, $R^{(1)}_{\mathrm{id}', \mathrm{id}^*}, R^{(2)}_{\mathrm{id}', \mathrm{id}^*}$ are random elements from $\mathbb{G}$, and $\square^{(1)}$ is the corresponding value recorded for the challenge identity in List $L_{H_1}$. At last, output the challenge ciphertext.

Phase 2: Almost the same as that in Phase 1, except for what is specified in the security model.

Guess: The adversary outputs $b'$.

With the same method as in the proof of Theorem 2, we obtain this theorem.

Theorem 4 (ID-IK-CCA-O Security). Our proposed key private re-encryption scheme is ID-IK-CCA-O secure in the random oracle model under the DBDH assumption.

PROOF 3. Assume there exists $\mathcal{A}$ breaking the ID-IK-CCA-O security of our proposal; then we build an algorithm $\mathcal{B}$ solving the DBDH problem. $\mathcal{B}$ first sets $y = g^a$, then does the following steps.

Phase 1: Identical to that in the proof of Theorem 2.

Challenge: On input $\mathrm{id}_0, \mathrm{id}_1, m$, if $\square_0$ and $\square_1$ are not both 0, $\mathcal{B}$ outputs failure and aborts; otherwise, $\mathcal{B}$ chooses a random bit $b$, and computes $c_1 = g^c$, $c_2 = (\square \| m) \oplus H_4(S^{\square^{(1)}_b})$, $c_3 = (g^c)^{\square^{(5)}}$, where $\square$ is a random number from $\mathcal{M}$, $\square^{(1)}_b$ is the corresponding value in the tuple $(\mathrm{id}_b, \square^{(1)}_b)$ in List $L_{H_1}$, and $\square^{(5)}$ is the corresponding value in the tuple $(c_1, c_2, c_3, \square^{(5)})$ in List $L_{H_5}$. At last, output the challenge ciphertext.

Phase 2: Almost the same as that in Phase 1, except for what is specified in the security model.

Guess: The adversary outputs $b'$. If $b = b'$, then $S = g^{abc}$; otherwise, $S \neq g^{abc}$.

With the same method as in the proof of Theorem 2, we obtain this theorem.
Theorem 5 (ID-IK-CCA-R Security). Our proposed key private re-encryption scheme is ID-IK-CCA-R secure in the random oracle model under the BDH assumption.

PROOF 4. Assume there exists $\mathcal{A}$ breaking the ID-IK-CCA-R security of our proposal; then we build an algorithm $\mathcal{B}$ solving the BDH problem, which states that given $g, g^a, g^b$, $\mathcal{B}$ aims to output $g^{ab}$. $\mathcal{B}$ first sets $y = g^a$, then does the following steps.

Phase 1: Identical to that in the proof of Theorem 2.

Challenge: On input $\mathrm{id}_I, \mathrm{id}_J$, if $\square_I$ and $\square_J$ are not both 0, then $\mathcal{B}$ outputs failure and aborts; otherwise, $\mathcal{B}$ chooses two random numbers $rk_1$ and $rk_2$ from $\mathbb{G}$, and returns them to the adversary $\mathcal{A}$.

Phase 2: Almost the same as that in Phase 1, except for what is specified in the security model.

Guess: The adversary outputs $b'$.

To output the right guess on $b$, the adversary must query $\mathcal{O}_{H_2}$ with $sk_{\mathrm{id}_J} \| rk_2 = ((g^{ab})^{\square^{(2)}_J} \| rk_2)$, which is recorded in List $L_{H_2}$ after the query. Hence, $\mathcal{B}$ solves the BDH problem with a non-negligible probability.
CHAPTER 3
EFFICIENT TRUST BASED INFORMATION SHARING SCHEMES OVER DISTRIBUTED COLLABORATIVE NETWORKS

3.1 Motivation

Reputation systems have served as an important tool in establishing trust in distributed networks, such as peer-to-peer networks. Based on their interaction experience in such networks, users can offer their reputation rating on a network node, a service or a product. They can also derive evidence from other nodes' ratings or feedback and come up with their own opinion on how much they should trust a node and/or a service. In the recently emerging distributed networks, such as peer-to-peer (P2P) networks, various rating systems based on reputation are designed to achieve different security goals. In all the existing reputation based systems, an individual user or entity will be evaluated and assigned with a reputation value (score) and treated accordingly. This bears some similarities to the real world scenario in which people tend to have trust evaluation on others and react differently.

Reputation systems have also been applied to access control for private information dissemination over other emerging distributed networks, such as mobile social networks (MSN). Nowadays, people share various personal profile information with friends or even strangers in MSNs. Based on the data privacy levels of the profile information, different security levels can be defined. Apparently, a user's reputation or the trust levels between different users, gathered from users' interactions or feedback from other users' interactive experience, could serve as a base to realize privacy preserving information sharing and dissemination.

Thus, given a reputation system in place for a distributed network, how to efficiently enable privacy preserving information sharing and dissemination based on the reputation rating is a challenging problem. For instance, a user may wish to share the private information with those with a reputation level higher than a certain threshold while hiding his information from those with a rating lower than the threshold; how can this be done efficiently? This problem is vital in various application scenarios. For instance, a server's multicast/broadcast service might only be allowed to be accessed by those with good reputation during the service delivery. A user in a P2P network
may only allow users with good reputation to access its uploaded files. These issues have been posed in [1], and the trust based encryption (TBE) technique has been used to design a solution. In this TBE scheme, each user is evaluated and assigned with a reputation rating value, say, $r$, where $r \in [0, 1)$ is a rational number equivalent to $r = a/2^\ell$, $a \in [0, 2^\ell)$, and $u = 2^\ell$ is the granularity of reputation rating. In this dissertation, we assume the lower the user rating value, the more trustworthy this user is. This correspondence could vary according to the concrete application scenario. A trusted authority (TA) in this system is responsible for distributing a private key for each user according to its identity and rating value. The concrete TBE system works as follows. Suppose a message sender Bob wants to communicate with a receiver Alice; he will encrypt his message using Alice's identity, a reputation requirement $[0, R]$ and the current communication round $t$. The encrypted message can be successfully decrypted by Alice if and only if her reputation rating value $r$ falls into the range requirement $[0, R]$ in communication round $t$. The basic idea does yield a solution for the privacy preserving information sharing problem we raised before.

In [1], Srivatsa et al. provide several variations of TBE schemes based on either the symmetric key or public key framework. However, as also pointed out in [1], TA is required to be online in the symmetric key framework in order to distribute fresh private keys to nodes whenever they wish to communicate with each other, inducing a great deal of communication burden to the system. On the other hand, all the three proposed public key TBE schemes [1] are based on the identity based encryption (IBE) technique. The first scheme based on basic IBE techniques achieves an $O(\log(u)) = O(\ell)$ sized private key and $O(\ell)$ sized ciphertext. The receiver needs to obtain a fresh private key according to the current reputation rating value from TA in each communication round. Therefore, the communication traffic on the TA side is of size $O(nT)$, where $n$ is the number of the system users and $T$ is the maximum communication rounds between any two communication parties in the system. Similar performance analysis results also apply to the second scheme, which is based on the ID-based multi-receiver key encapsulation mechanism (ID-MR-KEM). The third scheme is based on the hierarchical IBE
scheme and achieves constant sized ciphertext and much larger private key size, which might be less favorable for most application scenarios. The receiver in both the second and third schemes is required to get his updated private key at each communication round.

As we can observe, the communication overhead on the TA side tends to be large in the existing TBE schemes. Besides, since the user reputation is essentially dynamic, the TA has to stay online most of the time in the current TBE schemes. This contradicts the distributed nature of distributed collaborative networks.

This dissertation aims not only to improve the performance of collaborative networks by developing more efficient TBE schemes, but also to develop better tailored TBE schemes for distributed collaborative networks by reducing the interaction overhead between an individual user and the TA. In our first scheme, we propose a generic transformation approach to transforming a recently proposed identity based broadcast encryption (IBBE) scheme to a TBE scheme, in which both the ciphertext size and the private key size are reduced from logarithmic in the number of users to constant size. It can significantly improve the performance of the TBE scheme when a static reputation value is considered. We also observe that the dynamic nature of the reputation value is imperative to practical reputation based systems where an individual is solely judged by its reputation. It is highly likely that obsolete reputation values could be employed by malicious users to gain improper advantage in a collaborative network, especially when their reputation drops. However, the existing scheme fails to serve as an effective solution when dynamic reputation is considered due to heavy traffic to the TA, which also further implies frequent user interactions with an online TA.

Our second TBE scheme, which intends to adjust to the dynamic nature of rating values, is based on the recently proposed revocable IBE system [59]. At the beginning of this scheme, the TA distributes a private key to an individual user. Then, the update information will be published periodically by the TA to revoke those whose rating scores have significantly changed during a prefixed time period. The size of the published update information is dependent on the number of the revoked users. Thus, instead of obtaining a fresh private key from the TA in each
communication round, a receiver can refresh his private key using the public update information without interacting with the TA when his rating score changes. Consequently, the communication overhead for the TA will now depend on the number of the revoked users. The TA can be kept offline and individual users do not need to interact with the TA most of the time when compared with the existing scheme [1].

The rest of the dissertation is organized as follows. We will first briefly introduce the original TBE scheme. After that, we will show how to improve the performance of the TBE scheme based on identity based broadcast encryption schemes, followed by another improved TBE scheme based on the revocable IBE scheme. Finally, we will conclude this dissertation in the last section.

3.2 Related Work

Identity based encryption has been a useful tool in designing secure distributed collaborative networks. In 2008, Srivatsa et al. [1] built a trust management paradigm for securing pan-organizational information flows, addressing the threat of information leakage. The TA here is assumed to be offline when the identity based encryption scheme is adopted. However, the fact that a user has to contact the TA whenever its reputation changes basically renders an offline TA impossible. Since an offline or transparent TA is of paramount importance in a distributed network, such as a P2P network, especially in military scenarios [1], where minimizing communication costs in battery powered mobile P2P networks is critical, how to provide a more flexible and offline TA in this paradigm remains a challenge, which is one of the major motivations of this chapter.

Identity based cryptography (IBC) has been adopted as an underlying tool to provide a secure incentive scheme to stimulate users to forward packets in distributed collaborative networks such as delay tolerant networks [60–62]. Most of those schemes assume an offline security manager (OSM), which can basically be considered as a TA in the traditional IBC. IBC has also been used for providing witness anonymity and robust communication under peer-to-peer networks [63–65]. An offline TA, i.e., an offline group manager (OGM), is assumed
in this setting [63, 65]. It was shown by Butler et al. [65] that IBC combined with a symmetric cryptographic approach can be employed to design an effective decentralized architecture, which can serve as a practical solution to the Sybil attack. Compared with those architectures based on traditional certificate authority-based PKI, it has been pointed out [65] that the IBC based system has the benefit of not requiring complicated certificate management. However, it is also noted that individual users have to obtain their private keys from the TA, which could add expensive communication and computation overhead to the system. Besides, this could lead to a constantly online running TA, which is against the distributive nature of peer-to-peer systems. This issue is more prominent when it comes down to the case when identity or key revocation is taken into consideration. It can be even more tricky when the IBC technique is applied to construct a trust based encryption scheme in the trust management paradigm [1]. Neither the existing architecture [65] nor the trust management paradigm [1] provides a good solution to this scenario. Our scheme provides a computation and communication efficient way to revoke reputation keys by systematically incorporating the revocable IBE technique with the trust encryption scheme [1]. As a consequence, we can guarantee a much less involved TA compared with that in the current trust management paradigm.

3.3 A Brief Introduction to the Original TBE Scheme

In this section, we briefly review the basic idea of the original TBE scheme [1]. Suppose the sender Bob specifies a trust rating (or reputation score) $R$ when encrypting a message for the receiver Alice. The decryption is successful if and only if the receiver has a secret key corresponding to a rating value $r$ such that $r \le R$. The secret keys are required to be dependent on temporal information related to the communication round, identities and rating value, so that keys for one communication round cannot be used for the next round. A secure channel is assumed to exist between the TA and each user to guarantee the secure delivery of the user's secret key.

The TBE scheme is constructed on the identity based encryption (IBE) system ([32, 66]), in which there are three parties: the Private Key Generator (PKG), a TA holding a master key $mk$
and responsible for initializing the system, publishing the system parameter $pk$ and distributing a private key $sk_{\mathrm{id}}$ for a system user with identification (ID) $\mathrm{id}$ by running an extraction algorithm that takes $mk$ and $\mathrm{id}$ as input; a message sender (or encryptor), who runs an encryption algorithm taking the message $M$, the receiver identity $\mathrm{id}$ and the public key $pk$ as input to generate a ciphertext $C_{\mathrm{id}}(M)$. The message receiver (or decryptor) $\mathrm{id}'$ will input the received ciphertext $C_{\mathrm{id}}(M)$ and his private key $sk_{\mathrm{id}'}$ to the decryption algorithm. The algorithm will output the original message $M$ if and only if $\mathrm{id} = \mathrm{id}'$ and $\bot$ otherwise.

In the identity based TBE scheme [1], there is an online TA, from whom the receiver can obtain his private key according to his rating value $r$ in the communication round $t$. The binary tree-based technique for range queries over encrypted data [37] is adopted to generate the private keys with the desired property. The root of a binary tree with depth $d$ will be labeled as $\top$ (which represents the string of length 0), a left child at node $s$ will be labeled as $s0$, and a right child will be labeled as $s1$ as shown in Fig. 3-1. Consequently, the leaves are labeled by $d$-bit strings from left to right, starting with $0\ldots0$ and ending with $1\ldots1$. Each binary string $b_0 \ldots b_{d-1}$ uniquely corresponds to a real number $r = \sum_{i=0}^{\ell-1} b_i 2^{-(i+1)}$ in the interval $[0, 1)$. In the identity based TBE [1], the user with trust value $r$ of the form $a/u$ is associated with an identity set $S_r$ covering the interval $[a, u)$, i.e., a minimal set of subtrees covering the leaf nodes of the range $a$ to $u$. This identity set is denoted as the rating set in the context. In order to generate a ciphertext for a range $[0, R]$ (representing the range requirement $R$), the sender first finds out all the nodes on the path from the root to the leaf node $R$, under which the message is encrypted. All the identity nodes on the path constitute the range set. For instance, in Fig. 3-1 with $r = 1/8$ and $R = 1/4$, the rating set is $\{1, 01, 001\}$ and the range set is $\{\top, 0, 01, 010\}$. Thus, a message $M$ is encrypted under the identity set $\{\mathrm{id}\|\top\|t, \mathrm{id}\|0\|t, \mathrm{id}\|01\|t, \mathrm{id}\|010\|t\}$, where $\mathrm{id}$ is the receiver identity, the respective rating value range is $[0, 1/4]$, and $t$ is the communication round. In other words, the respective ciphertext $C_{\mathrm{id}, [0, R], t}(M)$ is composed of the ciphertexts $C_{\mathrm{id}\|\top\|t}(M)$, $C_{\mathrm{id}\|0\|t}(M)$, $C_{\mathrm{id}\|01\|t}(M)$ and $C_{\mathrm{id}\|010\|t}(M)$. The private key for a receiver $\mathrm{id}$ of the rating value $r = 1/8$ will be assigned according to the identity set $\{\mathrm{id}\|1\|t, \mathrm{id}\|01\|t, \mathrm{id}\|001\|t\}$ since the rating set for $1/8$ is
Figure 3-1. Basic idea of the TBE in [1]: rating set for $r = 1/8$, range set for $[0, R] = [0, 1/4]$, $u = 8$

$\{1, 01, 001\}$. In other words, this receiver will obtain a private key composed of $sk_{\mathrm{id}\|1\|t}$, $sk_{\mathrm{id}\|01\|t}$ and $sk_{\mathrm{id}\|001\|t}$. The decryption is successful because there is an intersecting identity $\mathrm{id}\|01\|t$ between the rating set and the range set. The receiver can simply execute the decryption algorithm on the ciphertext $C_{\mathrm{id}\|01\|t}(M)$ using his private key $sk_{\mathrm{id}\|01\|t}$ to decrypt the message $M$.

3.4 System Model and Design Goals

Our system model is similar to the original TBE system [1]. We also assume a scenario where a user wishes to share private information with other users over a collaborative distributed network, such as a P2P network. The sender and the receiver could be familiar with each other or they might even be complete strangers. In the first case, the receiver's identity is naturally known to the sender. In the second case, the receiver needs to notify the sender of his identity when he asks for information sharing. Each user in the system has a reputation rating value $r$ with a similar form as in the original TBE scheme, also assigned by the TA according to certain metrics. The design of the underlying rating system is out of the scope of this chapter, though important. Just as in the original TBE system, we assume there already exists a reputation rating system providing a fair and objective rating value for individual users. The TA, equipped with the reputation system, distributes secret keys to users according to their identities and rating values securely (we assume there is a secure channel for online private key distribution). Similar to the original TBE system, a message is encrypted under a reputation range requirement $[0, R]$ and the receiver's identity in our two proposed TBE systems. The receiver is only allowed to successfully decrypt the corresponding ciphertext when the rating value $r$ belongs to the range $[0, R]$.

Our major focus is to improve the performance of the TBE systems, which is determined by the communication overhead and memory storage cost. The communication overhead is

proportional to the size of the ciphertext sent from a sender to a receiver and to the communication traffic between a user and the TA, which in turn depends on the size of the private keys sent from the TA to the user and on the number of communication rounds between them. The memory space cost is mainly determined by the storage requirement at a receiver, which depends on the size of the decryption keys. Our first scheme reduces both the communication overhead and the memory space cost by reducing the ciphertext size and the private key size, while the target of our second scheme is to improve the communication overhead by reducing the number of communication rounds (i.e., the signaling traffic caused by private key updates).

3.5 TBE Scheme from Identity Based Broadcast Encryption (IBBE)

In this section, we present our first TBE scheme. We first give a brief introduction to the IBBE system to be used, and then discuss how an efficient TBE scheme can be built upon it.

3.5.1 Identity Based Broadcast Encryption (IBBE)

IBBE can be viewed as a generalization of the traditional multicast group key management system [67], in which each user can join or leave a group dynamically. The traditional system [67] adopts the logical key hierarchy for efficient key assignment, and the parameters of these schemes were further improved in subsequent works [68, 69]. These traditional schemes are generally symmetric key based, which means that the TA is required to be online all the time. This contradicts our requirement that the TA should be offline most of the time.

IBBE is the counterpart of the traditional group key management scheme in the identity based setting, on which TBE is constructed. It considers an application scenario with $n$ users, each having its own identity $ID_i$. A sender chooses a receiver identity set $S = \{ID_1, \dots, ID_s\}$, $s \le n$, and encrypts a message $M$ for this receiver set. If the receiver's identity belongs to $S$, then decryption succeeds; otherwise it fails. Even if all the users outside $S$ collude with each other, they gain no useful information about the content of the broadcast message. In IBBE, each user is identified by an arbitrary binary string, which gives us the room to adapt it to the TBE setting.
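
The node sets of Fig. 3-1 can be computed mechanically. The following Python is an added example, not code from the thesis or from [1]: it derives the rating set and the range set with the standard prefix trick for the comparison $r \le R$, which is an assumption about the construction of Sec. 3.3 chosen because it reproduces the page's example ($u = 8$, $r = 1/8$ gives $\{1, 01, 001\}$; $R = 1/4$ gives $\{\top, 0, 01, 010\}$), checks exhaustively that the two sets intersect exactly when $r \le R$, and shows why the identity string $id\|node\|t$ should be length-prefixed rather than naively concatenated. The helper names (`rating_set`, `range_set`, `lp`, `identity`, `naive_identity`) are this example's own.

```python
from fractions import Fraction

ROOT = "T"  # the root of the rating tree, written as the top symbol in Fig. 3-1


def depth(u):
    """log2(u) for the granularity u, which must be a power of two."""
    if u < 2 or u & (u - 1):
        raise ValueError(f"granularity u = {u} is not a power of two")
    return u.bit_length() - 1


def level(r, u):
    """Discrete level of a rating r on a u-leaf tree; r must be a multiple of 1/u in [0, 1]."""
    x = Fraction(r) * u
    if x.denominator != 1 or not 0 <= x <= u:
        raise ValueError(f"rating {r} is not a multiple of 1/{u} in [0, 1]")
    return int(x)


def rating_set(r, u):
    """Node labels whose private keys a receiver with rating r holds.

    Write r's level as k bits.  For every position holding a 0, take the prefix
    up to that position with the bit flipped to 1 (the node just to the right of
    r's ancestor at that depth); add r's own leaf.  Assumed rule, chosen to
    reproduce the page's {1, 01, 001} for r = 1/8, u = 8.
    """
    k = depth(u)
    lvl = level(r, u)
    if lvl == u:
        raise ValueError("a rating of exactly 1 has no leaf on a u-leaf tree")
    b = format(lvl, f"0{k}b")
    return {b[:i] + "1" for i in range(k) if b[i] == "0"} | {b}


def range_set(R, u):
    """Node labels the sender encrypts under for [0, R]: the root plus every
    prefix of R's leaf label (R = 1 is clamped to the last leaf)."""
    k = depth(u)
    b = format(min(level(R, u), u - 1), f"0{k}b")
    return {ROOT} | {b[:i] for i in range(1, k + 1)}


def can_decrypt(r, R, u):
    """Decryption succeeds iff the receiver holds a key for a node in the range set."""
    return bool(rating_set(r, u) & range_set(R, u))


def exhaustive_check(u):
    """True iff, for every pair of levels, the sets meet exactly when r <= R."""
    for i in range(u):
        for j in range(u):
            if can_decrypt(Fraction(i, u), Fraction(j, u), u) != (i <= j):
                return False
    return True


def lp(field):
    """Length-prefix one field so that id||node||t parses back unambiguously."""
    return f"{len(field)}:{field}"


def identity(ident, node, t):
    """The identity string id||node||t a component is keyed to or encrypted under."""
    return lp(ident) + lp(node) + lp(str(t))


def naive_identity(ident, node, t):
    """Plain concatenation, kept only to show the collision it allows."""
    return f"{ident}{node}{t}"
```

Run `exhaustive_check` for the granularity in use before adopting any other labelling rule: the intersection property is exactly what the reduction to the underlying IBE relies on, and a labelling under which the rating set meets the range set for some $r > R$ lets a low-rated receiver decrypt. The collision exhibited by `naive_identity` (`"1"||"01"||7` and `"10"||"1"||7` both read `1017`) is the same mistake whether the identity is fed to an IBE key extraction or to a hash.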

The currently most efficient IBBE scheme [70] (see the appendix for the concrete construction) has constant sized private keys, and its ciphertext contains only two group elements. Decryption is less efficient: it is dominated by $s$ group element multiplications. Generally speaking, an IBBE scheme consists of the following algorithms:

1. BE-Setup($\lambda$, $m$): This algorithm is run by the TA. It takes as input the security parameter $\lambda$ and $m = \max(s)$, the maximal size of the set of receivers for one encryption, and outputs a master secret key $MSK$ and a public key $PK$. The TA holds $MSK$ and makes $PK$ public.
2. BE-Extract($MSK$, $ID_i$): This algorithm is also run by the TA. It takes as input the master key $MSK$ and a user identity $ID_i$ and outputs the user private key $sk_{ID_i}$.
3. BE-Enc($S$, $M$, $PK$): This algorithm is run by the sender. It takes as input the public key $PK$, a message $M$ and a set of included identities $S = \{ID_1, \dots, ID_s\}$ with $s \le m$, and outputs the ciphertext $C_S(M)$.
4. BE-Dec($S$, $ID_j$, $sk_{ID_j}$, $C_S(M)$, $PK$): This algorithm is run by the receiver. It takes as input a subset $S = \{ID_1, \dots, ID_s\}$ (with $s \le m$), an identity $ID_j$ and the corresponding private key $sk_{ID_j}$, a ciphertext $C_S(M)$, and the public key $PK$. If $ID_j \in S$, the algorithm outputs the message $M$; otherwise it outputs $\bot$.

3.5.2 TBE Scheme from IBBE Scheme: Simple Case

The original TBE scheme in [1] consists of four algorithms, Setup, KeyDer, Encrypt, and Decrypt. We can apply the IBBE scheme discussed in the previous subsection to develop our TBE scheme, constructed in the following steps. At the beginning of the system operation, the Setup algorithm runs the BE-Setup algorithm as its subroutine. Setup takes as input a security parameter and outputs the system parameters, which include the master key $MSK$ and the public key $PK$ from BE-Setup, the specifications of the message, ciphertext, identity and private key spaces, and a granularity parameter $u$, a power of two. The TA runs the KeyDer algorithm to distribute private keys to a receiver $id$. This algorithm takes BE-Extract($MSK$, $ID_i$) as its subroutine, where $ID_i = id\|ru\|t$ and $r$ is the rating value of $id$ at the
communication round $t$. The output of BE-Extract($MSK$, $id\|ru\|t$) is the private key $sk_{id\|ru\|t}$ for receiver $id$. Encrypt runs BE-Enc($S$, $M$, $PK$) as its subroutine. The input of Encrypt is a pair $(id, R)$, the system parameters, and a message $M$, which are interpreted as the following input to BE-Enc: the trust value range requirement $[0, R]$ and the receiver identity $id$ are jointly represented by the receiver set $S = \{id\|0\|t,\ id\|1\|t,\ id\|2\|t,\ \dots,\ id\|Ru\|t\}$, one identity per discrete rating level $0, 1, \dots, Ru$. The output of BE-Enc is the respective ciphertext $C_{id,[0,R],t}(M) = C_S(M)$. The receiver $id$ with a rating value $r \le R$ can run the IBBE decryption algorithm BE-Dec($S$, $id\|ru\|t$, $sk_{id\|ru\|t}$, $C_{id,[0,R],t}(M)$, $PK$) to obtain the message $M$. Decryption succeeds because the receiver identity $id\|ru\|t$ belongs to the receiver set $S$ whenever $r \le R$.

Complexity analysis: Since we use a generic method to transform an IBBE scheme into a TBE scheme, we can derive an efficient TBE scheme from the currently most efficient IBBE scheme [70] (see the Appendix), and the complexity of our TBE scheme follows from that of the underlying IBBE scheme. The private key contains only one group element, compared with the $O(\log u)$ group elements of the original TBE. The communication cost is determined by the size of the ciphertext, which contains three group elements, whereas the ciphertext of the original scheme contains $O(\log u)$ group elements.

Although IBBE is a cryptographic concept close to the multi-receiver key encapsulation mechanism (MR-KEM) adopted in the original TBE scheme [1], the different ways in which these two cryptographic tools are used result in a significant performance gain for our TBE schemes. One of the major differences between our TBE scheme and the original one is that we remove the binary tree framework from our construction. The minimal private key size of the original TBE scheme is $O(\log u)$ because of the binary tree structure it uses; the private key size can only become constant when the binary tree method is not used in the TBE scheme. Besides, although the MR-KEM mechanism also considers the multi-receiver scenario, each receiver $ID_i$ is still treated independently in the original TBE construction, in the sense that an encapsulation $C_i$ is generated for each $ID_i$, and therefore the lower bound on the ciphertext size of the binary tree based TBE scheme is $O(\log u)$, which is exactly the ciphertext
size of the original TBE scheme [1]. Apparently, the proposed IBBE based approach not only reaches the optimal memory cost through constant sized private keys, but also reaches the optimal communication cost through the constant sized ciphertext. Aside from the removal of the binary tree structure, the performance gain can also be attributed to the fact that we treat the receiver range set as a whole, and the ciphertext of the underlying IBBE scheme is generated for this range set at once.

3.5.3 Generalized TBE

We can also consider a more general case where the message is encrypted under a collection of $\ell$ reputation ranges $S = \bigcup_{i=1}^{\ell} [L_i, R_i]$ rather than a single range $[0, R]$, where $L_i$ and $R_i$ are the lower and upper bounds of the $i$-th reputation range. This general case is useful because a sender might wish to send a message to a group of users falling into different reputation categories without even considering who the recipients really are. For instance, a sender with a rating value of $3/4$ might want anyone who has a reputation close to his, or who has a very good reputation, to decrypt his ciphertext. In reality, those with similar reputation could correspond to his close friends, and those with good reputation might denote the strangers whom he is willing to trust with his message. In this case, the range set might be $[1/2, 1] \cup [0, 1/4]$. This generalized TBE scheme can be realized in a similar way to the basic construction, because we only need to include more ranges in the receiver set $S$ to represent the additional reputation ranges, while the receiver identity $id$ is removed from $S$ (footnote 1: this is because we only focus on the reputation of the users rather than their identities). The remaining algorithms work as in the simple case, except that the consistency condition now requires that any receiver whose rating value falls into any one of these reputation ranges can successfully decrypt the ciphertext.

Complexity analysis: The reduction of the communication cost is even more noticeable in this case, because both the ciphertext size and the private key size of our generalized scheme remain
constant (footnote 2: we neglect the comparison of the communication cost for delivering the receiver set $S$ contained in the ciphertext, because both our proposed schemes and the original TBE scheme need to transmit the same receiver set). The binary tree method introduced in Sec. 3.3 cannot directly represent multiple ranges, since the nodes on the path from the root to a leaf node can only correspond to one single reputation range. If the orthogonal representation method is adopted, i.e., using a minimal node set covering multiple leaf nodes to represent multiple ranges and the nodes on the path from the root to the leaf node to represent the receiver's private key, then the ciphertext size of the original TBE scheme increases to $O(\ell \log u)$, which is far less favorable than our constant sized ciphertext.

Security analysis: Given that we directly apply the IBBE scheme to the TBE system, the security of our TBE scheme is implied by that of the underlying IBBE scheme, which can be shown to be selectively chosen ciphertext attack secure.

Our TBE scheme reaches the same security level as the underlying IBBE scheme. Hence, the TBE scheme is adaptively chosen ciphertext attack secure if the underlying IBBE scheme is replaced with the adaptively secure IBBE scheme [71]. In the adaptive model, the adversary does not need to submit the target identity at the beginning of the simulation in the proof. However, the efficiency of our TBE scheme based on the adaptively secure IBBE scheme [71] is not as favorable as that based on the selectively secure one [70], although the security level is indeed enhanced.

3.6 TBE Scheme from R-IBE Scheme

In the above section, we adopt the IBBE scheme as the underlying tool to reduce the memory space and communication overhead of our TBE scheme in terms of the ciphertext size and the private key size. In this section, revocable identity based encryption (R-IBE) [59] serves as the underlying tool to improve the communication overhead of the TBE system by reducing the communication traffic between users and the TA.
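
A runnable sketch of the generic IBBE-to-TBE transformation of Secs. 3.5.2 and 3.5.3, as an added example that is neither the thesis's code nor an implementation of [70]. The pairing-based IBBE stays a black box behind `setup`/`extract`/`enc`/`dec`; `CorrectnessOnlyIBBE` stands in for it and only tracks which identities a ciphertext was produced for, so the block demonstrates the receiver-set bookkeeping and not confidentiality. The class and function names (`TBE`, `receiver_set`, `key_identity`, `max_receivers`) are this example's own. Two details the construction leaves implicit are made explicit: BE-Setup fixes $m = \max|S|$ once, which bounds the granularity $u$ the system can later serve, and the sender ships the short descriptor $(id, \text{ranges}, t)$ rather than the $|S|$ identity strings, since BE-Dec can recompute $S$ from it (this compaction is the example's own choice, not a claim about footnote 2). The simple and the generalized case differ only in whether the receiver identity is part of every string, so one code path serves both.

```python
from fractions import Fraction


def level(r, u):
    """Discrete rating level r*u for a rating r that is a multiple of 1/u in [0, 1]."""
    x = Fraction(r) * u
    if x.denominator != 1 or not 0 <= x <= u:
        raise ValueError(f"rating {r} is not a multiple of 1/{u} in [0, 1]")
    return int(x)


def ident(*fields):
    """Canonical id||level||t: each field length-prefixed, so distinct
    (id, level, t) triples never collide as IBBE identity strings."""
    return "".join(f"{len(str(f))}:{f}" for f in fields)


def key_identity(receiver, r, u, t):
    """Identity the TA extracts a key for in KeyDer.  Simple case: id||ru||t.
    Generalized case (receiver is None): the receiver identity is dropped."""
    fields = (level(r, u), t) if receiver is None else (receiver, level(r, u), t)
    return ident(*fields)


def receiver_set(receiver, ranges, u, t):
    """Receiver set handed to BE-Enc: one identity per discrete level inside the
    union of [L_i, R_i].  [(0, R)] with a receiver gives Sec. 3.5.2's
    {id||0||t, ..., id||Ru||t}; receiver=None gives Sec. 3.5.3's identity-free set."""
    levels = set()
    for lo, hi in ranges:
        levels.update(range(level(lo, u), level(hi, u) + 1))
    prefix = () if receiver is None else (receiver,)
    return frozenset(ident(*prefix, k, t) for k in levels)


def max_receivers(u):
    """BE-Setup fixes m = max |S| once; every later encryption needs |S| <= m,
    and the largest receiver set ([0, 1] at granularity u) has u + 1 members."""
    return u + 1


class CorrectnessOnlyIBBE:
    """Stand-in for BE-Setup/Extract/Enc/Dec of [70].  It only records which
    identities a ciphertext was made for and releases M to a key for one of
    them; it provides no confidentiality and exists so the wrapper can run."""

    def setup(self, m):
        self.m = m
        return "msk", "pk"

    def extract(self, msk, identity):
        return ("sk", identity)

    def enc(self, S, M, pk):
        if len(S) > self.m:
            raise ValueError(f"|S| = {len(S)} exceeds m = {self.m} fixed at setup")
        return frozenset(S), M

    def dec(self, S, identity, sk, C, pk):
        receivers, M = C
        ok = identity in S and identity in receivers and sk == ("sk", identity)
        return M if ok else None


class TBE:
    """The transformation itself.  A ciphertext carries the IBBE output plus the
    short descriptor (receiver, ranges, t); the receiver rebuilds S from the
    descriptor instead of receiving |S| identity strings."""

    def __init__(self, u, ibbe=None):
        self.u, self.ibbe = u, ibbe or CorrectnessOnlyIBBE()
        self.msk, self.pk = self.ibbe.setup(max_receivers(u))

    def keyder(self, receiver, r, t):
        return self.ibbe.extract(self.msk, key_identity(receiver, r, self.u, t))

    def encrypt(self, receiver, ranges, t, M):
        S = receiver_set(receiver, ranges, self.u, t)
        return (receiver, tuple(ranges), t), self.ibbe.enc(S, M, self.pk)

    def decrypt(self, descriptor, receiver, r, sk, C):
        who, ranges, t = descriptor
        S = receiver_set(who, ranges, self.u, t)
        me = key_identity(receiver if who is not None else None, r, self.u, t)
        return self.ibbe.dec(S, me, sk, C, self.pk)
```

The round $t$ is part of every identity string, so a key extracted for round 2 cannot open a ciphertext for round 3 even when the rating is within range; this is the property the TBE-RR scheme of Sec. 3.6 later obtains from time periods instead of per-round key delivery.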

In what follows, we first give a brief introduction to the R-IBE system. We then show how a direct application of R-IBE to the design of our TBE system can significantly reduce the communication rounds between users and the TA.

3.6.1 A Brief Introduction to R-IBE

Revocable IBE was proposed as a solution for efficient identity revocation in an IBE system. As users' private keys tend to be either stolen or expired in practice, a revocable IBE scheme prevents such "corrupted", and thus illegitimate, private keys from being used to decrypt ciphertexts. The scheme divides the system lifetime into time periods. At the beginning, each individual user receives a private key from the TA for his identity. The sender encrypts a message under the receiver's identity $id$ and the current time period $t$. In order to decrypt the ciphertext, the receiver $id$ must first derive the decryption key for the current time period $t$. Notice that the decryption key and the private key are different concepts in an R-IBE system. If an identity is revoked in a certain time period, no decryption key for that period can be derived from its private key. At the beginning of each time period, the TA publishes update information that allows only the unrevoked users to update their private keys and derive the decryption keys for the current time period. In this way, the revoked users (or identities) are deprived of their decryption ability.

An R-IBE scheme is usually composed of the following seven algorithms:

1. R-Setup($1^\lambda$, $n$): The TA runs this algorithm, taking a security parameter $\lambda$ and the number $n$ of system users as input. It publishes the public key $pk$ and returns a master key $msk$ and an initially empty revocation list $rl$ to the TA.
2. R-PriKeyGen($msk$, $id$): The TA also runs this algorithm, which takes as input an arbitrary identity string $id$ and the master key $msk$, and outputs the user private key $sk_{id}$ for the user with identity $id$.
3. R-KeyUpdate($pk$, $msk$, $t$, $rl$): The TA runs this algorithm to publish the update information for the time period $t$. This algorithm takes as input the public key
$pk$, the master key $msk$, the key update time $t$ and the revocation list $rl$, and outputs the key update information $ku_t$. Here, the revocation list $rl$ specifies the revoked user identities $id$ and other related information. Although the key update information $ku_t$ is publicly accessible, it is useless to the revoked identities.
4. R-DecryKeyGen($sk_{id}$, $ku_t$): This decryption key generation algorithm is run by the unrevoked users each time after the TA publishes the update information $ku_t$. An unrevoked user runs it with the user private key $sk_{id}$ and the key update information $ku_t$ as input, and obtains the decryption key $dk_{id,t}$. It outputs $\bot$ if a revoked user runs this algorithm.
5. R-Enc($pk$, $id$, $t$, $M$): The encryption algorithm is run by a sender. It takes as input the public key $pk$, the receiver identity $id$, the current time period $t$ and the message $M$, and outputs the ciphertext $C_{id,t}(M)$.
6. R-Dec($dk_{id,t}$, $C_{id,t}(M)$): The receiver runs this decryption algorithm with the decryption key $dk_{id,t}$ and the ciphertext $C_{id,t}(M)$ as input, and obtains a message $M$ or a special symbol $\bot$. Correctness of decryption is defined as follows: if the receiver identity $id$ is unrevoked at time period $t$, then the decryption algorithm outputs the message $M$, and $\bot$ otherwise, because the respective decryption key $dk_{id,t}$ cannot be derived by a revoked user.
7. R-Revocation($id$, $rl$): The revocation algorithm is run by the TA. It takes as input the identity $id$ to be revoked and the revocation list $rl$, and outputs an updated revocation list $rl$.

The basic idea of the scheme [59] presented by Boldyreva et al. is to combine the binary tree structure and fuzzy identity based encryption. The R-IBE scheme (see Fig. 3-2) works as follows: for a system with $n$ users, a binary tree with at least $n$ leaf nodes is generated by the TA. Each user corresponds to one unique leaf node. The user private key is assigned according to a node set composed of all the nodes on the path from the root to the user's own leaf node. The update information is generated according to the minimal node set covering the unrevoked users,
which is the reason why the update information is useless to the revoked users. Consider the left sub-figure in Fig. 3-2: the key update information $ku_t$ is generated for the big circle nodes, which cover the path nodes contained in the private key node sets of the unrevoked users only, i.e., $\{id_2, id_3, id_4\}$. Observe that $ku_t$ covers none of the path nodes in the private key node set of $id_1$, and hence is useless to $id_1$. The private key size is $O(\log n)$ and the update information size is $O(v \log(n/v))$, where $v$ is the number of revoked users. The individual decryption key size remains constant even after the key is updated. The concrete construction can be found in the appendix.

Figure 3-2. Basic idea of an R-IBE

3.6.2 TBE Scheme from R-IBE

As a user's trust rating value fluctuates with time, and as a node, and thus its trust based private key, is subject to compromise, the TBE system should have a mechanism to revoke a user's reputation key whenever his reputation changes. Although a game theoretic mechanism [1] was proposed to ensure that a rational user honestly reports his current rating value to the TA, this still cannot deter irrational users from refusing to update their reputation keys and exploiting the obsolete reputation keys to act maliciously. Besides, reputation key revocation is an even greater challenge when the trust rating mechanism depends on collective opinions. This is the first reason why a reputation revocation approach has to be enforced in a TBE system.

In order to avoid the abuse of obsolete reputation based private keys, both the encryption and the decryption of the original TBE scheme depend on the communication round $t$. Therefore, a secure channel between a receiver and the TA must be established to guarantee the secure delivery of the fresh decryption key for every communication round. Whenever a receiver wishes to communicate with another node or to access shared information encrypted at a certain trust rating level, the receiver has to obtain a fresh private key from the TA, resulting in a huge traffic burden on the TA (linear in the number of users and in the number of communication rounds between each communicating pair). As a result, the workload at the receiver side is also heavy, since each time a receiver obtains the encrypted private decryption keys from the TA, he must decrypt the received message to recover the updated decryption keys before he can even proceed to run the TBE decryption algorithm.

Our TBE scheme adopts revocable IBE as the underlying tool to mitigate the traffic between nodes and the TA for private key delivery. In the proposed TBE with reputation revocation (TBE-RR) scheme, the system time is divided into fixed time periods, just as in the underlying R-IBE system. The length of a time period is a system parameter, which can depend on the statistics for the dynamic range of user reputation gathered from the reputation systems [1]. At the beginning of the TBE-RR system, each user obtains a trust based private key from the TA. Compared with the original TBE scheme, a message is encrypted not only under the receiver's identity and the range requirement, but also under the current time period. In one time period, two communicating parties might go through several communication rounds, and the receiver can use his decryption key for the current time period to decrypt all the received ciphertexts. As in the revocable IBE scheme, the decryption key is a different concept from the private key: a user with a valid private key cannot derive a decryption key for a certain time period unless he is unrevoked in that very time period. The TA periodically publishes update information, usable solely by the unrevoked users to generate their updated decryption keys, and delivers updated private keys to the revoked users whenever necessary (for instance, when the delivery is requested by the revoked users),
such that the cost of distributing the updated private keys (in terms of both communication and computation overhead) is reduced from $O(n)$ to $O(v)$, where $v$ denotes the number of revoked users.

Technically, the proposed TBE-RR scheme is a combination of the R-IBE scheme and the original TBE scheme. At the initiation of the TBE-RR system, the TA runs the R-Setup algorithm of the R-IBE scheme (footnote 3: all the algorithms carrying the prefix R- in this section refer to those of the R-IBE system introduced in Sec. 3.6.1) and constructs a binary tree with at least $N$ leaf nodes, where $N = un$, $n$ is the number of system users, and $u$ and $n$ are both assumed to be powers of 2. According to Sec. 3.3, each user's rating value is represented by a rating node set composed of at most $\log u$ identities. Consequently, the binary tree covers all the rating sets $S_{r_i}$ of the system users $id_i$, $i \in [1, n]$. After running R-Setup, the TA holds the system public key $pk$ and the master key $msk$, and reserves the memory space for messages, identities, time periods and the initially empty revocation list $rl$. Each user is assigned a private key composed of all the identity based private keys for its trust rating set, obtained by running R-PriKeyGen($msk$, $id$) on each identity in the rating set. For example, for a system with four users $id_1, id_2, id_3, id_4$ with the rating values $1/2$, $1/8$, $1/4$ and $1/4$, respectively, the TA first constructs a binary tree covering all the rating sets as shown in Fig. 3-3. To assign the private key for user $id_2$ with rating value $1/8$, the TA runs R-PriKeyGen($msk$, $id$) on each identity $id$ in the rating set $\{id_2\|1,\ id_2\|01,\ id_2\|001\}$ to output $sk_{id_2\|1}$, $sk_{id_2\|01}$ and $sk_{id_2\|001}$, which constitute the user private key $sk_{id_2\|r=1/8}$. In other words, the TA distributes each identity based private key according to the private key node set of the corresponding leaf node. The original TBE system functions differently because, unlike in our TBE-RR scheme, there is no temporal information in the original user private key. When the sender encrypts a message for receiver $id_2$ with a reputation range requirement $[0, 1/4]$ in time period $t$, the message is encrypted under the range set $\{id_2\|\top,\ id_2\|0,\ id_2\|01,\ id_2\|010\}$ and time period $t$. Therefore, the sender runs the
encryption algorithm of the revocable IBE scheme, R-Enc($pk$, $id$, $t$, $M$), on each identity $id$ in the range set $\{id_2\|\top,\ id_2\|0,\ id_2\|01,\ id_2\|010\}$ to generate the ciphertexts $\{C_{id_2\|\top,t}(M),\ C_{id_2\|0,t}(M),\ C_{id_2\|01,t}(M),\ C_{id_2\|010,t}(M)\}$, which constitute the final ciphertext $C_{id_2,[0,R],t}(M)$.

The update information $ku_t$ is published by running the update algorithm R-KeyUpdate($pk$, $msk$, $t$, $rl$). The update information can only be used by those with unrevoked reputation values. In other words, the receiver $id_2$ can successfully derive the decryption key in time period $t$ only when its rating value is unrevoked (footnote 4: if the rating value $r$ of this receiver is revoked in time period $t'$, then the update information only covers the leaf nodes outside the rating set of $id_2\|r$, i.e., all the transparent nodes in Fig. 3-3). The receiver $id_2$ runs the R-DecryKeyGen algorithm, taking $sk_{id_2\|r}$ and the key update information $ku_t$ as input, to output the respective decryption key $dk_{id_2\|r,t}$. The decryption key is composed of all the decryption keys corresponding to its rating set, i.e., $dk_{id_2\|1,t}$, $dk_{id_2\|01,t}$ and $dk_{id_2\|001,t}$. Therefore, the receiver can execute the R-Dec algorithm, taking the ciphertext $C_{id_2\|01,t}(M)$ (since $id_2\|01$ is the intersecting identity between the rating set and the range set) and the respective decryption key $dk_{id_2\|01,t}$ as input, in order to decrypt the message $M$.

Figure 3-3. Basic idea of our TBE-RR scheme

Complexity analysis: The proposed scheme results in a user private key of size $O(\log N)$. However, the receiver, especially one whose reputation is constant over time, is not required
to communicate with the TA at all. The only thing he needs to do is to fetch the published update information in order to derive his fresh decryption key for each time period. As a result, the communication traffic between users and the TA is significantly reduced. The ciphertext contains only one extra group element compared with the original TBE scheme if the randomness reuse technique is used in the encryption algorithm [72]. If the proposed TBE-RR scheme employs the same underlying IBE technique as the R-IBE system [59], then the sender in our TBE-RR system only needs one additional modular exponentiation while generating the ciphertext, compared with the original TBE system. The workload of the TA is mainly determined by distributing the update information and delivering private keys to the revoked users; the computation and communication costs of both tasks depend on the number of revoked users.

Security analysis: The security of our TBE-RR scheme reduces to the security of the underlying R-IBE scheme, given that the construction is a combination of the R-IBE system and the basic TBE scheme. The TBE scheme can be viewed as an IBE system in which an individual user's identity is the concatenation of the original individual identity and its respective reputation value. Therefore, our proposed TBE-RR system can be viewed as a revocable IBE system in which the individual identity is this concatenation. The R-IBE system [59] we adopt can be proven selective-ID chosen ciphertext secure, and therefore our proposed TBE-RR system reaches the same security level.

Table 3-1. Efficiency comparison

                                    original TBE   IBBE-based   R-IBE-based
Ciphertext size                     O(log u)       O(1)         O(log u)
Private keys                        O(log u)       O(1)         O(log n)
Communication rounds                O(T)           O(T)         none (after initialization)
(TA and unrevoked receiver)
Communication rounds                O(T)           O(T)         O(τ) (after initialization)
(TA and revoked receiver)
Workload of TA                      O(nT)          O(nT)        O(v log n)
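
The node-set mechanics of the R-IBE (Sec. 3.6.1, Fig. 3-2) and of TBE-RR (Sec. 3.6.2, Fig. 3-3) in runnable form, as an added example that is not the thesis's code and models none of the pairing-based key material of [59]: tree identities are bit strings, a private key is the root-to-node path, the key update $ku_t$ is the complete-subtree cover of every leaf not under a revoked node, and a decryption key exists for an identity exactly when its path meets the cover. The layout of user $i$'s rating tree below the $\log_2 n$-bit label of $i$ ($N = un$ leaves) follows the description above; the class and function names (`TBERR`, `cover`, `path`, `rating_nodes`, `range_nodes`) and the choice to revoke a rating by placing its whole rating set on $rl$ are this example's own.

```python
def k_of(x):
    """log2(x) for a power of two (n and u are assumed powers of two in Sec. 3.6.2)."""
    if x < 1 or x & (x - 1):
        raise ValueError(f"{x} is not a power of two")
    return x.bit_length() - 1


def path(node):
    """Private-key node set of a tree identity: every prefix of its label, root ("") included."""
    return {node[:i] for i in range(len(node) + 1)}


def cover(depth, revoked):
    """Key-update node set ku_t: the minimal subtree roots covering every leaf of a
    tree of the given depth that lies under no revoked node (complete-subtree
    method).  A subtree with nothing revoked inside is emitted whole, a revoked
    subtree is dropped, and a mixed one is split into its two children."""
    revoked = set(revoked)

    def tainted(node):
        return any(r.startswith(node) or node.startswith(r) for r in revoked)

    def walk(node):
        if not tainted(node):
            return {node}
        if len(node) == depth or any(node.startswith(r) for r in revoked):
            return set()
        return walk(node + "0") | walk(node + "1")

    return walk("")


def rating_nodes(lvl, k):
    """Sec. 3.3 rating set of level lvl on a 2^k-leaf rating tree (1/8 on u = 8 -> {1, 01, 001})."""
    b = format(lvl, f"0{k}b")
    return {b[:i] + "1" for i in range(k) if b[i] == "0"} | {b}


def range_nodes(lvl, k):
    """Sec. 3.3 range set for [0, lvl/2^k]: root plus every prefix of lvl's label."""
    b = format(lvl, f"0{k}b")
    return {b[:i] for i in range(k + 1)}


class TBERR:
    """Node-set view of TBE-RR: user i owns the subtree below the log2(n)-bit label
    of i, inside which its rating tree of u leaves sits, so the R-IBE tree has
    N = u*n leaves.  Only node sets and their intersections are tracked."""

    def __init__(self, n, u):
        self.kn, self.ku = k_of(n), k_of(u)
        self.depth = self.kn + self.ku
        self.levels = {}        # user -> current rating level r*u
        self.rl = set()         # revocation list: revoked tree identities

    def _prefix(self, i):
        return format(i, f"0{self.kn}b")

    def tree_ids(self, i, nodes):
        return {self._prefix(i) + node for node in nodes}

    def enroll(self, i, lvl):
        """R-PriKeyGen on every identity of user i's rating set: one path per identity."""
        self.levels[i] = lvl
        return {tid: path(tid) for tid in self.tree_ids(i, rating_nodes(lvl, self.ku))}

    def revoke(self, i):
        """R-Revocation: the user's whole rating set goes onto rl."""
        self.rl |= self.tree_ids(i, rating_nodes(self.levels[i], self.ku))

    def key_update(self):
        """R-KeyUpdate: published for everyone, usable only where a path meets it."""
        return cover(self.depth, self.rl)

    def decryption_keys(self, i, ku):
        """R-DecryKeyGen for every rating-set identity: succeeds iff its path meets ku."""
        ids = self.tree_ids(i, rating_nodes(self.levels[i], self.ku))
        return {tid for tid in ids if path(tid) & ku}

    def can_decrypt(self, receiver, R_lvl, ku):
        """Encrypt under id||node||t for each range-set node; decrypt iff one of
        those identities also has a derivable decryption key."""
        cipher_ids = self.tree_ids(receiver, range_nodes(R_lvl, self.ku))
        return bool(cipher_ids & self.decryption_keys(receiver, ku))
```

With the four users of Fig. 3-3 enrolled and nobody revoked, the cover is just the root and $id_2$ (rating $1/8$) opens a $[0, 1/4]$ ciphertext through the shared node $01$, while $id_1$ (rating $1/2$) cannot regardless of the cover. Revoking $id_2$ places its three rating-set identities on $rl$; the published cover then avoids every node on their paths, so $id_2$ derives no decryption key at all, whereas $id_3$ and $id_4$ keep deriving theirs from the single cover node $1$. The size of the cover grows with the number of revoked users, which is the factor $v$ in the TA's workload discussed in Sec. 3.7.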

3.7 Performance Evaluation

In this section, we conduct a more complete performance evaluation of our proposed schemes. In Table 3-1, we compare the communication overhead and memory cost of our proposed schemes with those of the original TBE scheme. Let $T$ denote the maximum number of communication rounds between two communicating parties in the system, and $\tau$ the number of time periods into which the lifetime of a TBE system is divided. As we can observe from the table, our first scheme does improve the performance when static reputation is considered. In our second proposed scheme, those with a steady reputation (corresponding to unrevoked users) generate no traffic, whereas traffic is inevitable in the original TBE scheme; this also means that these users are freed from decrypting the encrypted fresh private keys delivered by the TA in each communication round (encryption being the only way to guarantee the secure delivery of those private keys), which significantly reduces communication and computation overheads. The TA only needs to periodically publish some update information and, if requested, deliver private keys to those whose reputations have changed. In comparison, the TA in the original system has to deliver a fresh private key to each receiver in each communication round, which forces it to be online most of the time. Since one time period might contain many communication rounds between two communicating parties, it is fair to say that the workload at the TA is also significantly reduced, which means the TA can at times be kept offline.

There is a factor of $v$ in the workload of the TA in our second scheme, which means that the efficiency gain of the second scheme is more remarkable for those TBE systems in which the reputations of most users remain relatively stable over time. However, the second system exhibits less of an advantage when the number of revoked users is close to $n$, because the TA then has to publish update information whose size grows linearly with the number of system users.

We also implemented our proposed TBE-RR system and the existing TBE scheme [1] in C, adopting the Pairing-Based Cryptography (PBC) Library as the underlying tool. The
curve we used for our proposed scheme is of type D. A curve of this type has the form $y^2 = x^3 + ax + b$, and we use the MNT method [73] to generate it. The order of the curve is around 158 bits, as is the base field $F_q$. Our choice of parameters results in 79-bit brute force and 953-bit finite field (MOV) security levels [74]. We adopt the identity based encryption scheme proposed by Waters [75] as the underlying tool for implementing the original TBE scheme, and the revocable IBE system proposed by Boldyreva et al. [59] to implement our proposed TBE-RR scheme. We note that the revocable IBE system we adopt can be viewed as a generalization of Waters' IBE scheme; both are proven secure under the standard decisional bilinear Diffie-Hellman assumption, and thus have the same security level. We choose identities of length 158 bits in both systems. For our experiments, we use a desktop machine with an Intel Celeron 530 1.73 GHz CPU and 1 GB of RAM, running Linux/Ubuntu 6.10. All the timings reported below are averaged over 100 randomized runs. We assume that all the individual users are communication active, which means that each one receives at least one ciphertext from another user in one time period. This is a reasonable assumption provided that the time period is properly set. For ease of simulation, we show the performance comparison when there is only one communication round per individual user in one time period. Our performance gain should be more remarkable if more individual communication rounds per period are considered, since the workload of both the TA and the individual users in the original scheme depends on the number of individual communication rounds while the performance of our proposed schemes does not.

We compare the performance of the two systems under different choices of the number of system users $n$, the granularity of the reputation $\log u$, and the number of revoked users $v$. An individual user is assigned a random reputation level in $[0, u]$, and we also choose a uniformly random revoked index set consisting of $v$ revoked users. Figs. 3-4 to 3-7 show the communication overhead and storage cost of an individual user in the two schemes under different parameter settings. The simulation results validate our performance analysis. Our IBBE based improvement significantly improves both the communication overhead and the storage
requirement when the reputation value is static. We can also see that the revocable IBE based TBE scheme indeed reduces the communication overhead when the reputation value is dynamic. The private key size of the revocable IBE based scheme is slightly larger than those of the IBBE based scheme and of the original scheme; hence, the revocable IBE based scheme strikes a trade-off between the two performance parameters. However, the number of interactions between an individual user and the TA is linearly proportional to the communication overhead, so it is fair to say that the TA is least involved in the last improvement scheme.

Figure 3-4. Performance comparison when $\log u = 4$ and $n = 128$

Figure 3-5. Performance comparison when $\log u = 4$ and $n = 1024$

In this chapter, we have proposed to use two cryptographic techniques, identity based broadcast encryption (IBBE) and revocable identity based encryption (R-IBE), to develop two novel trust based encryption (TBE) schemes for information sharing and dissemination that
significantly improve the efficiency in terms of memory storage requirements and communication overheads. We have shown that both TBE schemes perform much better than the previously known schemes and can be applied to peer-to-peer networks with reputation based mechanisms for information sharing and dissemination. One direction for future research is to investigate how the combination of IBBE and R-IBE [76] can be employed to further improve the TBE scheme.

Figure 3-6. Performance comparison when $\log u = 5$ and $n = 128$

Figure 3-7. Performance comparison when $\log u = 5$ and $n = 1024$

CHAPTER 4
PRIVACY-AWARE PROFILING AND STATISTICAL DATA EXTRACTION FOR SMART SUSTAINABLE ENERGY SYSTEMS

4.1 Motivation

Sustainable energy technology has attracted a great deal of attention due to tremendous population growth and global warming. Various novel concepts such as "smart grid", "smart home", "smart city", etc., have been proposed. A notable feature of the newly emerging "smart" sustainable energy technology is the incorporation of advanced information and communication technologies (ICT). In the proposed smart grid, a dedicated supervisory control and data acquisition (SCADA) communication network facilitates more fine-grained information collection on energy consumption and exerts more control over individual energy usage. The wide deployment of low cost portable sensing and metering devices and the advancement of mobile smartphone technologies will further accelerate the incorporation of ICT into the development of efficient sustainable energy systems. It is envisioned that a large amount of information will be collected and processed by the metering and mobile computing devices deployed in sustainable energy usage systems, such as home energy systems, microgrids, vehicular storage systems, etc. The collected information could be related to detailed individual energy consumption patterns [77, 78], to individual behavioral patterns such as the detailed position or speed of an individual vehicle [79, 80], or to home energy consumption habits and profiles [78]. Obviously, ICT can not only help regularly and interactively provide profiling and forecasting for effective energy generation and distribution, so as to optimize demand and response matching in the short term, but also help researchers and future designers of sustainable energy systems to better understand either the pros and cons of current city planning systems [80] or the psychological and behavioral rationales behind individual energy usage patterns [78, 81, 82], which could further result in more efficient sustainable energy system design methodologies.

However, despite the potential benefits of these technologies, people are still hesitant to adopt them due to concerns about privacy leakage [83]. The worry about losing privacy
is partly due to the fact that the customers do not know how the data aggregator handles the collected individual energy usage data profiles. It has been noted that the information actually useful for efficient sustainable energy system design is mostly aggregated statistical data, such as sums or averages, which already provide sufficient information for making good decisions and improving the effectiveness of sustainable energy systems. For instance, knowledge of the general correlation between household temperature and customer energy consumption is enough for a regional manager of a smart grid to capture the energy consumption fluctuation due to temperature change [84]. To enable the designers of a sustainable energy system to better understand the needs, attitudes, motives and behaviors of energy consumers, researchers [85, 86] have already proposed various systems for collecting statistical information on the relationship between social characteristics, such as socio-economic structure, and the relevant energy usage patterns. For instance, researchers have attempted to identify the correlation between the customers' social background [85] (income, age, educational background, family structure, household size, race, user skills, individual habits and political beliefs, and the social values or norms the customers cherish) and the level of "sustainable lifestyle" they adopt. A study conducted in 2006 [87] attempted to figure out energy-consciousness and exactly which parts of their homes, such as bathrooms or bedrooms, people alter when they move into their new homes. When an aggregator attempts to understand what kinds of social norms or behavioral patterns drive individuals to do whatever they do with energy usage, the privacy issues become much more prominent than ever. People are generally reluctant to let others dig into their minds and daily lives and figure out what they are actually thinking without a stringent privacy guarantee [82]. This, combined with smart metering technology, which has already been deemed a dangerous privacy breach of one's daily life [88], makes the design of privacy-aware profiling (or simply private profiling) and forecasting especially challenging and intriguing.

Since the aggregated statistics are really the target for the design of sustainable energy systems, this chapter focuses on providing more effective and efficient technology for dynamic privacy-aware profiling, i.e., collecting the target statistical information without compromising the privacy of the individuals who submit the information. In other words, to overcome the "fear rooted in ignorance" effect on profiling, the target statistical information should be well defined and publicly known before the profiling starts. People might be more willing to participate in the profiling process provided that they are aware of, and have control over, what kind of statistical information is leaked to others. There should be even more incentive for individuals to participate and provide honest responses in the profiling when the target statistical information benefits them; for example, statistical information on energy consumption behavioral patterns could help provide educated advice on how they can reduce their energy consumption at home.

Due to the inherent unpredictability of its variables, profiling and forecasting for sustainable energy systems are highly dynamic and thus tricky. Indeed, when the grid operators [83] in the Netherlands were asked to define their goals regarding what kinds of information they request to accomplish their profiling, they found it very difficult to provide a specific definition. The underlying reason is that the optimization of a smart grid sometimes depends on information that is almost impossible to predict, such as the room temperature or the socio-economic background of future residents in the area concerned [77]. A census is one of the most commonly used forms of social or economic research on customer profiling, due to its flexibility and its ability to adjust to a highly dynamic system. Using a census allows a data aggregator to define the concrete profiling goal on the fly. The questions of a census can be designed independently of the categories of users, which are essentially highly dynamic and impossible to predict.

The existing profiling schemes in sustainable energy systems [77, 83] require the grouping of metering devices according to predetermined categories, which are difficult to adjust to the
PAGE 77

frequentlychangingandunpredictableattributessuchascustomers'ages,locations,time,demo-graphicsorindividualbehavioralpatterns,orpoliticalbeliefsordynamicenvironmentalfactorssuchasroomtemperatureorhumidity.Thecurrentschemes[ 77 , 83 ]alsofacechallengeswhenthedynamicgroupingofusersrelyonprivatecustomers'socialoreconomicalcharacteristicssuchastheirincomesorlocationswhichcouldraiseseriousprivacyconcernsbecausetheyaredifculttogatherintherstplace,letalonegroupingtheusersaccordingtothosedata.Besides,evenwithoutconsideringthoseissues,therekeyingoperationsforsecureinformationmanage-mentwhenchangingmetergroupsarehighlycostlyinthecurrentschemes,andhencecouldbringsignicantinconveniencetothecustomers,whichwillfurtherlowertheusers'willingnesstoparticipate. Inthischapter,weproposetwoschemestodealwiththisproblem.Ourschemesenableadataaggregatortoextractthestatisticalinformationwithoutrelyingonanyregroupingoperations,andhencearesuitablefordynamicproling.Theproposedschemesemploytheprivacy-awarecensus(orsimplyprivatecensus)[ 89 ]astheunderlyingtool.Therstprivatecensusschemecanenableanaggregatortoextractthesummationinformationfromthesubmittedindividualresponses,whichcouldprivatelyanswerthestatisticalquestionintheformas“Whatisthetotalenergyconsumptionwhenthehometemperatureis25C”.Sincethecorrelationamongvariousvariablesisvitalforthedesignofsustainableenergytechnology[ 84 – 86 ],wefurtherproposethesecondpatternorientedprivacy-awareprolingscheme.Itintendstoefcientlyextracttheintersectioninformation,whichcananswerthequeryintheformasaconjunction“Howmanymorepercentofusersconsumehowmuchenergyonaveragewhentheysatisfyboththefollowingconditions:haveanannualincomelargerthan100;000dollarsANDtheroomtemperatureis25C?”.Thelatterschemecouldfurtherserveasanunderlyingtoolforprivatebaselineinferenceanddataminingassociationrulewhenitiscombinedwiththeformerscheme.AssociateruleminingwasproposedbyAgrawaletal.[ 90 
],whichtargetstodiscoverinterestingrelationshipsbetweenvariablesinlargedatabasestofacilitatemarketerstodevelopcustomized 77

4.2 Related Work and Our Contribution

Private smart metering. One of the major focuses of research on the privacy issue in smart grid is to design private billing schemes based on the detailed private information collected from smart metering devices. Most of these schemes focus on collecting aggregated energy consumption data from an individual customer without the leakage of the detailed energy consumption information of this consumer. The current private billing schemes intend either to reduce the implementation cost [92] or to introduce extra privacy mechanisms such as differential privacy [93, 94] into the billing system. None of the existing schemes consider the privacy-aware profiling issue across different metering devices.

Behavior and smart grid. A thorough survey on the relationship between customer behaviors and sustainable energy technology can be found in [82]. Researchers have made significant efforts on investigating how customer energy consumption behaviors can be affected by their psychological and socio-economical backgrounds, and how the customer behaviors can in turn affect sustainable energy systems. Although the privacy issue [82] has been considered imperative when social profiling meets sustainable energy technology, very few results can be found in this direction.

Private social profiling for smart grid. The wide range of implementation and deployment of smart grid technology, such as smart metering, expects much more involved users and a better understanding of end users' behaviors, which could further serve as vital feedback for the analysis of smart grid systems. An interesting privacy-friendly aggregation protocol for smart grid was proposed by Kursawe et al. [77]. The proposed protocol provides private aggregation for data collected from the smart metering devices. The protocol relies on a predefined grouping of users, which might not be practical for customer profiling due to possible privacy concerns and the essentially dynamic and unpredictable nature of profiling. A statistical linear regression scheme [77] was mentioned to estimate the aggregation data for an arbitrary group. However, the statistical estimation method relies on a priori knowledge of some unknown parameters such as the exact number of metering devices belonging to an arbitrary group, which itself might be the target information and thus difficult to obtain in the first place. Besides, the statistical estimation approach based on the aggregation data of all system users might fail to provide an estimation for a specific group with enough accuracy due to the limited input information.

Our contribution. Our protocol avoids relying on the re-grouping of users by simply letting an aggregator publish a private census which can adjust to any kind of investigation purpose, and guarantees that the aggregator can only extract the targeted statistical information without any extra individual information, thus reducing the cumbersome communication overhead due to rekeying operations for grouping. To improve the performance of a general census scheme, we provide an improved pattern-oriented privacy-aware survey scheme aiming to efficiently extract the choices made by most users simultaneously. The simultaneously chosen answer can serve as an important tool for the system designer to discover the underlying principle that runs the whole sustainable energy system. Aside from being useful in private profiling in smart grid, the proposed scheme can also be applied to private information aggregation for other applications [79].

4.3 System Model

We first present the system model in which our private profiling schemes are developed. Our protocol aims to provide a private profiling solution for smart-metering-assisted sustainable energy systems such as home electricity, water, gas, smart vehicles, etc. We note that smart metering devices could refer either to home smart metering devices or metering devices attached to appliances, or to the on-board unit devices [95] connected to the GPS in vehicles. There are three parties in our system: metering devices, individual users and aggregators. A user refers to a user with computing agents such as the user's smartphone, or software provided by a third party trusted by the user, just as in most of the recent private billing systems [92, 96] for smart metering. The protocol guarantees the individual's privacy, which means the aggregator is only allowed to collect statistical information predefined and agreed upon by the involved users before the profiling system is started. The statistical information should not only indicate the specific target statistical information, e.g., "How many more percent of users consume how much energy on average when they satisfy both of the following conditions: have an annual income larger than 100,000 dollars AND the room temperature is 25°C?", but also how the received information will be used, e.g., whether it will be publicly released or used as a reference for policy decision making. The latter information can serve as a reference for a user to decide whether to participate in the profiling or not. The system also provides a mechanism to verify the correctness of users' responses which can be deduced from the metering data. For example, the integrity of a user's response can be guaranteed when he is asked about his energy consumption during a certain time period, because the data can be deduced from the detailed metering data.

The system time is divided into fixed time periods. At the beginning of each period, each user, either a new customer or an existing one, registers with the system and obtains a private key by running the secret key distribution protocol to be introduced. The total number of system users is assumed to stay unchanged during a time period. During each time period, the aggregator can publish multiple censuses either simultaneously or separately to each individual user, who will encrypt his response under his private key and return the ciphertext to allow the aggregator to extract the target statistical information. We note that a registered user can choose either to participate or not. Each question in the published census will be identified by a unique index $I$, which is publicly known to each individual in the system. The aggregator can either release the statistical information or make a decision based on the received information according to the predefined design objective. Compared with the original aggregation protocol [77], the proposed model has the benefit that users do not have to exchange information with each other each time the aggregator wishes to collect aggregated data. Users only need to communicate with others at the beginning of a time period, and then are only required to deliver the responses to the aggregator for the rest of the time period. This will save the users tremendous effort, especially when the census is frequently conducted.

4.4 Preliminary: Secret Key Distribution

Before we present our schemes, we first briefly discuss the preliminary materials. At the beginning of each time period, each of the $n$ users gets a private key used for the subsequent private census schemes. We provide two kinds of secret key distribution models: the semi-decentralized model and the fully decentralized model. These two models correspond to the interactive protocol and the Diffie-Hellman key-exchange based protocol in the original aggregation scheme [77], respectively.

The first secret key distribution scheme is based on a secret-sharing scheme and selects $\ell$ leader users, who are trusted not to collude with each other. The number of leader users $1 \le \ell \le n$ is a vital parameter. We note that when $\ell = n$, the proposed secret key distribution scheme can be considered as a joint zero secret sharing scheme [97], which corresponds to the fully decentralized model. The semi-decentralized model corresponds to the case when $\ell$
$q$ is a Diffie-Hellman prime number, which will be further used in the subsequent private census schemes.

3. Finally, each user $u_j$ adds all his shares $s_{j,1}, \ldots, s_{j,\ell}$ to form his private key $SK_j = s_{j,1} + \cdots + s_{j,\ell}$. We note that $\sum_{j=1}^{n} SK_j = 0$ always holds.

4.5 General Private Census Scheme for Dynamic Profiling

In the general private census scheme, an aggregator publishes a census consisting of $N$ questions $Q_I$, $I \in [1, N]$, the response to which could be either 0 or 1, or a certain metering datum $D_I$ from a certain metering device. The design of the census questions depends on the concrete application scenario. For instance, when the question intended to be answered is "How much energy on average is consumed in the next thirty minutes when the house temperature is 25°C?", this question can be divided into two questions: "What is the total energy consumption when the home temperature is 25°C?" and "How many homes have a temperature of 25°C?". User $u_j$ can simply deliver the concrete metering datum $D_j$ as his answer when his home temperature is indeed set at 25°C, and 0 otherwise. For the second question, he just answers 1 if his home temperature is set at 25°C and 0 otherwise.

$u_j$ encrypts his answer (i.e., response) $A_I$ for each question $Q_I$ as follows: for the binary answer $A_j(I) = 1$ or $0$, $u_j$ simply encrypts the respective answer as $g^{A_j(I)} H(I)^{SK_j}$, where $H$ is a public hash function modeled as a random oracle. When the respective answer is a metering datum $A_j(I) = D_I$, the encrypted answer takes the form $g^{D_I} H(I)^{SK_j}$. The reason for the "special treatment" of the metering-data-related answer will become obvious when the user is required to prove the correctness of his answer, to be introduced later.

For the first case, the aggregator, upon receiving those encrypted messages, will compute the aggregated encrypted answer as $g^{\sum_j A_j(I)} H(I)^{\sum_j SK_j} = g^{\sum_j A_j(I)}$. The masking value due to the private keys is canceled out since $\sum_j SK_j = 0$ holds. For the binary answer, the aggregator can simply compare $g^{\sum_j A_j(I)}$ with the values in $[g^{1}, g^{n}]$. For the answer related to the metering data, the aggregator can still compute the answer for each question by comparing $g^{\sum_j D_I} H(I)^{\sum_j SK_j} = g^{\sum_j D_I}$ with the values in $[g^{\mathrm{Min}}, g^{n \cdot \mathrm{Max}}]$, where $\mathrm{Min}$ and $\mathrm{Max}$ denote the minimum and maximum individual metering data, respectively. We note that the difference between $\mathrm{Min}$ and $\mathrm{Max}$ is assumed to be not too large, since our major concern is protecting the aggregated individual detailed energy consumption data [88] in a short time interval, in which the individual's privacy is most likely to be breached from his answer without a protection mechanism. Hence, $\sum_j D_I$ can be efficiently computed by the comparison approach.

The security of the general census scheme can be stated in the following result.

Theorem 6. Assuming that the Decisional Diffie-Hellman assumption holds in the group $\mathbb{G}$, and that the hash function $H$ is a random oracle, the only useful information the aggregator can obtain through the general census scheme is the targeted aggregated statistical information for dynamic profiling.

Proof 5. Our proposed general census scheme can be viewed as a combination of the underlying secret key distribution scheme and the distributed summation protocol (without the additional noise $r$) proposed by Shi et al. [94]. We guarantee that the general census scheme satisfies the "Encrypt-once security" condition by using a different index $I$ for each question. Therefore, for all $u_j$ and all $A_j(I)$ (or $D_I$), the tuple $(u_j, I, A_j(I) \text{ (or } D_I))$ does not appear twice in the encryption query. Our general census scheme replaces the trusted dealer in the original construction [94] by the secret key distribution scheme. Therefore, the proposed general census scheme guarantees that the only information the aggregator obtains is the targeted summation, as long as the underlying secret key distribution is secure and the distributed summation protocol is aggregator oblivious in the random oracle model. The security of both protocols can be reduced to the Decisional Diffie-Hellman assumption, which concludes the proof.
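The general private census scheme above (joint zero secret sharing for the keys, one ciphertext $g^{A_j(I)} H(I)^{SK_j}$ per question, coefficient-wise aggregation and the $[g^{\mathrm{Min}}, g^{n \cdot \mathrm{Max}}]$ scan), as an added toy implementation that is not part of the dissertation. The 11-bit safe prime, the hash-to-subgroup construction and the six sample households are constructed for illustration.

```python
"""Toy walk-through of the general private census scheme (Section 4.5)."""
import hashlib
import random

# Toy group: safe prime P = 2Q + 1 and a generator G of the order-Q subgroup.
# 11-bit parameters are for illustration only; a deployment uses a >= 2048-bit group.
P, Q, G = 2039, 1019, 4  # 4 is a quadratic residue mod P, hence of prime order Q


def H(index):
    """Public hash H: Z -> G (random oracle). Squaring puts the value in the order-Q
    subgroup, so H(I)^(sum_j SK_j) = 1 whenever sum_j SK_j = 0 (mod Q)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"census-question:{index}:{ctr}".encode()).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)
        if h > 1:
            return h
        ctr += 1


def joint_zero_keys(n, rng):
    """Fully decentralized key distribution (l = n): every user deals n random shares
    that sum to zero; SK_k is the sum of the shares dealt to user k, so sum_k SK_k = 0 (mod Q)."""
    keys = [0] * n
    for _dealer in range(n):
        shares = [rng.randrange(Q) for _ in range(n - 1)]
        shares.append(-sum(shares) % Q)
        keys = [(k + s) % Q for k, s in zip(keys, shares)]
    return keys


def encrypt_answer(answer, index, sk):
    """g^{A_j(I)} * H(I)^{SK_j}; a binary answer and a metering reading are encrypted alike."""
    return pow(G, answer, P) * pow(H(index), sk, P) % P


def aggregate(ciphertexts):
    """Product over all users: the H(I)^{SK_j} masks cancel, leaving g^{sum_j A_j(I)}."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % P
    return acc


def decode_sum(aggregated, lo, hi):
    """Recover sum_j A_j(I) by comparing with g^lo, ..., g^hi (the [g^Min, g^{n Max}] scan)."""
    cur = pow(G, lo, P)
    for s in range(lo, hi + 1):
        if cur == aggregated:
            return s
        cur = cur * G % P
    return None


# Constructed sample population: (home temperature in C, hourly consumption in units of 10 W).
HOMES = [(25, 32), (22, 15), (25, 41), (25, 9), (18, 6), (25, 27)]
MAX_READING = 50  # Max in the paper's notation; Min is 0 because non-matching homes answer 0


def run_general_census(homes=HOMES, target_temp=25, seed=7):
    """Two-question census: Q1 = total consumption of homes at target_temp (metering data or 0),
    Q2 = number of such homes (1 or 0).  Returns (total, count, average)."""
    rng = random.Random(seed)
    n = len(homes)
    keys = joint_zero_keys(n, rng)
    assert sum(keys) % Q == 0
    q1 = [encrypt_answer(d if t == target_temp else 0, 1, keys[j]) for j, (t, d) in enumerate(homes)]
    q2 = [encrypt_answer(1 if t == target_temp else 0, 2, keys[j]) for j, (t, d) in enumerate(homes)]
    total = decode_sum(aggregate(q1), 0, n * MAX_READING)  # n*Max must stay below Q
    count = decode_sum(aggregate(q2), 0, n)
    return total, count, (total / count if count else None)


if __name__ == "__main__":
    print(run_general_census())
```

The count question is scanned from $g^0$ rather than $g^1$ so that a census with no matching home still decodes.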
This general census scheme can be directly applied to facilitate dynamic profiling. Take the above "average energy when home temperature is 25°C in the next 30 minutes" as an example: the existing data aggregation schemes [77] would either require the pre-grouping of users according to the household temperature, or use statistical linear regression based on the aggregated data of all $n$ users and the number of homes with a temperature of 25°C. The former solution is basically infeasible since the re-keying operation would be highly costly. Our solution can provide the exact answer for this type of dynamic profiling issue, while the accuracy of the latter estimation approach is poor.

Figure 4-1. The loss of statistical information in the general census scheme

Although the general private census scheme can serve as a powerful tool for dynamic profiling, it still leaves a large amount of information out of the picture. Let us consider a census with three binary questions A, B and C. A direct application of the general census scheme can tell the aggregator the number of users choosing 1 for each question. However, compared with the Venn diagram on the right side of Figure 4-1, we can observe that the information related to the intersection of those questions is left out of the picture by this direct application. One might argue that the aggregator can simply publish four extra questions of conjunction form such as "how many users choose 1 for questions A AND B simultaneously" or "how many users choose 1 for questions A AND B AND C simultaneously" to cover all the colored regions in the Venn diagram. However, this is apparently not a practical solution since the question list size could expand exponentially.

We notice that the missing information in the general census scheme is substantial for the study of the relationship between various variables in the system. Take the relationship between energy consumption and home temperature as an example. Suppose that the aggregator wishes to find out the most likely energy interval when the home temperature is in a certain interval. A trivial solution using the general private census scheme is as follows: the aggregator first divides the energy consumption range $[\mathrm{Min}_1, \mathrm{Max}_1]$ into $G_1$ intervals $\{[L_{1i}, U_{1i}]\}_{i=1}^{G_1}$, and the temperature range $[\mathrm{Min}_2, \mathrm{Max}_2]$ into $G_2$ levels $\{[L_{2i}, U_{2i}]\}_{i=1}^{G_2}$. Then the posed question can take the form "Is your energy consumption datum in $[L_{1i}, U_{1i}]$, $i \in [1, G_1]$, AND is the home temperature in $[L_{2j}, U_{2j}]$, $j \in [1, G_2]$?". Apparently, there will be $G_1 G_2$ questions in the posted questions. The question list will expand dramatically when extra private or dynamic variables such as income or location are introduced into the above target question. Even without considering the conjunction questions between various variables as introduced in the Venn diagram example, there are already $\prod_i G_i$ questions, where $G_i$ is the fine-grain level for each variable. The size of the question list will expand dramatically when the conjunction questions between different variables are also considered. Since the individual overhead depends on the size of the question list, this would render the trivial solution infeasible in the above scenario.

One might argue that the aggregator could simply choose the conjunction questions that he thinks he is interested in, to exert control on the expansion of the census question list. This leads to another question: how does the aggregator know which questions he should be interested in when he has little or even no a priori information on the underlying pattern of the variables involved? In the following section, we provide a solution for the pattern-oriented private census scheme aiming to extract the intersection pattern of the majority of users. This information will serve as a reference to help the aggregator accomplish a more thorough and effective pattern profiling compared with the trivial solution.

4.6 Pattern Oriented Census Scheme

The pattern-oriented private census scheme aims to provide the aggregator with the ability to find out which choices in the question space are simultaneously selected by multiple users in the system. We first present a scheme in which the choices will pop out in the aggregated result when they are simultaneously chosen by all $n$ users. Then we show how this scheme can be transformed into a system in which the intersection of choices can be detected even when only more than a threshold number of users select them simultaneously. Our proposed pattern-oriented private census scheme is modified from the private information extraction scheme proposed by Lin et al. [89]. Compared with the trivial solution, which could have excessive overheads, the proposed pattern-oriented census scheme only has overhead of linear growth, which depends on the summation of the fine-grain levels for all variables. In other words, the individual overhead depends on $\sum_j G_j$.

The basic scheme incorporates the polynomial representation technique from [98] and the general private census scheme together. We take the polynomial representation for the intersection of two sets as an example to introduce the basic idea of the polynomial representation technique. Given a set $S_1 = \{a_j\}$, $S_1$ can be represented as a polynomial $f_1(x) = \prod_{1 \le j \le k} (x - a_j)$ in a polynomial ring $R[x]$ consisting of all polynomials with coefficients from the ring $R$. Here, $a$ appears in the set $S_1$ iff $(x - a) \mid f_1(x)$, where "$\mid$" means "divides". The intersection of two sets $S_1 \cap S_2$ is defined as the set in which each element $a$ appears in both $S_1$ and $S_2$. Let $S_1$ and $S_2$ be two sets of equal size, and $f_1$ and $f_2$ be their polynomial representations, respectively. The polynomial representation of $S_1 \cap S_2$ is $f_1 g_1 + f_2 g_2$, where $g_1, g_2 \leftarrow R_{\deg(f_1)}[x]$, $R_{\deg(f_1)}[x]$ is the set of random polynomials with degree no lower than the degree of $f_1$, and $\deg(f_1)$ denotes the degree of the polynomial $f_1(x)$. It has been shown in Theorem 2 of [98] that if each player $P_i$ inputs a polynomial $f_i$ representing $P_i$'s set $S_i$, then the only information the third party can extract from the polynomial $\sum_{i=1}^{n} f_i g_i$ is the intersection information $S_1 \cap \cdots \cap S_n$, where $g_i$ is a random polynomial with degree $\max_i \deg(f_i)$. In our proposed basic pattern-oriented private census scheme, each user represents his choices as a polynomial and then randomizes the polynomial representation with a random polynomial, just as in the above polynomial representation technique. Then he can encrypt the resulting polynomial coefficients as in the general private census scheme. The security of the general private census scheme guarantees that the aggregator can only obtain the summation of the randomized polynomials, which only represents the intersection of choices according to Theorem 2 of [98]. The concrete scheme is formally stated as follows.

There are three phases in our scheme. In the first phase, the aggregator broadcasts the pattern-oriented census to the users. We provide a toy example here for better illustration, in which the goal of the aggregator is to find out the correlations among the following three variables: "the average home energy consumption in a certain region", "the income", "age", "education: college or not". The aggregator first divides the range of the above variables into several intervals. For example, he can divide "age" into 20 intervals as "[15, 19]", "[20, 24]", etc. Here the minimum and maximum are 15 and 114, and the fine-grain level is 20. The census questions consist of all the intervals for those variables and the respective question index $I$. We note that a variable could also be binary; for example, the question with regard to the last variable, "education: college or not", is binary, and the respective fine-grain level is 2. However, different from the general census scheme, the answer to a binary question should be either $I$ or $-I$, where $I$ is the question index, rather than 1 or 0. The reason is that there could be multiple binary questions and this is the only way to distinguish them in the final aggregated result. The census could also contain another independent question such as "are you willing to participate in this question?", which will be useful in the threshold decision case to be introduced. We notice that all the questions in the census must be attached with a unique index $I$, and all the indexes should be different from the bounds of the intervals to avoid confusion, which is easy to do.

Let $\mathbb{G}$ denote a cyclic group of prime order $p$ in which Decisional Diffie-Hellman (DDH) is hard. Let $H: \mathbb{Z} \to \mathbb{G}$ denote a public hash function. Assume there are $V$ variables, each of which is represented either as $G_i$ interval choices $[L_j, U_j]$, $j \in [1, G_i]$, $i \in [1, V]$, or as a binary question. We first deal with the scenario where all the users deliver their real answers.

For question $Q_I$, $I \in [1, V]$, the answer of user $u_j$ could be either an interval $A_j(I) = [L_j(I), U_j(I)]$ or the respective index $A_j(I) = I$ or $-I$. Without loss of generality, we assume the first $V_0$ questions are binary questions and the remaining $V - V_0$ questions are interval questions. The answer is represented as a set $S_j = \{A_j(I), I \in [1, V_0];\ [L_j(I), U_j(I)], I \in [V_0 + 1, V]\}$, and then $u_j$ further computes the polynomial
$$f_j = \prod_{A_j(I) \in S_j,\ [L_j(I), U_j(I)] \in S_j} (x - A_j(I))\,(x - L_j(I))\,(x - U_j(I)).$$
Then $u_j$ chooses a random $(2V - V_0)$-degree polynomial $g_j$ over the ring and multiplies the two polynomials: $f_j g_j = \sum_{i=0}^{4V - 2V_0} c_{ji} x^i$.

Then for each coefficient $c_{ji}$, $i \in [0, 4V - 2V_0]$, $u_j$ computes the ciphertext $C_{ji} = g^{c_{ji}} H(i)^{SK_j}$. At the end of each round, the individual ciphertext $C_j = \{C_{ji},\ i \in [0, 4V - 2V_0]\}$ is submitted to the aggregator.

At the end of each census, the aggregator collects all the individual ciphertexts $C_j = \{C_{ji} = g^{c_{ji}} H(i)^{SK_j},\ i \in [0, 4V - 2V_0]\}$. For each $i \in [0, 4V - 2V_0]$, it is easy to compute $\prod_{j=1}^{n} g^{c_{ji}} H(i)^{SK_j} = \prod_{j=1}^{n} g^{c_{ji}}$. The target polynomial is
$$F(x) = \sum_{j=1}^{n} f_j g_j = \sum_{i=0}^{4V - 2V_0} \sum_{j=1}^{n} c_{ji} x^i = \sum_{i=0}^{4V - 2V_0} e_i x^i.$$
$F(x)$ corresponds to the target intersection information. If everyone selects an answer $A(I)$, whether an index or an interval, we have $(x - A(I)) \mid F(x)$. In order to find out which choice or index $A(I)$ in the question list is in the intersection of choices, the aggregator only needs to check whether $(x - A(I)) \mid F(x)$ holds, as follows: for each $A(I)$, given $g^{e_i}$, $i \in [0, 4V - 2V_0]$, the aggregator checks whether $g^{F(A(I))} = \prod_{i=0}^{4V - 2V_0} (g^{e_i})^{A(I)^i} = 1$ holds. Indeed, $g^{F(A(I))} = g^0 = 1$ holds if and only if $(x - A(I)) \mid F(x)$ holds.

The above scheme only reveals to the aggregator the intervals or indexes chosen by all the users. The requirement for the above intersection information might be too stringent. A practical question generally takes the form "more than a certain percent of users consume a certain amount of energy on average in a certain region AND have an income of a certain amount AND are in a certain age range AND have been educated in college". In other words, we need to provide the aggregator with the pattern of the majority of users rather than all the users. In the following scheme, we assume there are only $k$ users who provide their real answers, and the others serve as shadow users whose sole function is to hide the identities of the users providing real answers among them. The above scheme is modified as follows.

At the first stage, there is an extra question in the form "are you willing to participate in this question?". This question is treated as an independent general census question attached to the pattern-oriented census scheme. A user who provides a real answer generates the answer set and the respective polynomial representation exactly as in the above scheme. However, $u_j$ should choose a random $\left(5V_0 + 4\sum_{i=V_0+1}^{V} G_i - 2V\right)$-degree polynomial over the ring to mask his $(2V - V_0)$-degree polynomial representation. In other words, the randomized polynomial for each individual is of degree $5V_0 + 4\sum_{i=V_0+1}^{V} G_i - 2V + 2V - V_0 = 4V_0 + 4\sum_{i=V_0+1}^{V} G_i$. The remaining shadow users, who do not provide real answers, simply choose all indexes and intervals in the question list as their answer (whose polynomial representation is of degree $2V_0 + 2\sum_{i=V_0+1}^{V} G_i$) and choose a random $\left(2V_0 + 2\sum_{i=V_0+1}^{V} G_i\right)$-degree polynomial as the mask polynomial. Since the answers of those shadow users are basically the whole question space, the intersection of the answers of the $k$ users providing real answers and the answers of the shadow users is basically the intersection answer of the $k$ users. We note that for the general census question, those among the $k$ users answer 1, and the others answer 0. This modified pattern-oriented census scheme provides the aggregator with a more relaxed version of the intersection answer, which corresponds only to the $k$ of the $n$ system users.

The security of the proposed pattern-oriented private census scheme can be stated as follows.

Theorem 7. Assuming that the Decisional Diffie-Hellman (DH) assumption holds in the group $\mathbb{G}$, that the hash function $H$ is a random oracle, and that the underlying polynomial representation securely represents the intersection information, the proposed pattern-oriented private census scheme guarantees that the only information the aggregator obtains is the targeted intersection of the answers of all users, or of the $k$ users who respond to the census.

Proof 6. Our proposed pattern-oriented census scheme can be viewed as a combination of the underlying secret key distribution scheme and the intersection information extractor proposed by Lin et al. [89]. We guarantee that the private census scheme satisfies the "Encrypt-once security" condition by using a different index $i$ for each partial ciphertext. Therefore, for all $u_j$ and all $c_{ji}$, the tuple $(u_j, i, c_{ji})$ does not appear twice in the encryption query. This guarantees that the aggregator only obtains the summation of the polynomial coefficients as long as the Decisional DH assumption holds in the underlying group. By the identical security argument of the intersection extractor scheme, the aggregator only obtains the targeted intersection information as long as the polynomial representation technique is secure. Hence, we can conclude the proof if the underlying secret key distribution protocol reduces to the Decisional DH assumption.
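The threshold pattern-oriented census above ($k$ real users plus shadow users who submit the whole question space, coefficient-wise aggregation, and the $g^{F(a)} = 1$ divisibility test), as an added toy implementation that is not part of the dissertation. The 48-bit safe-prime search, the polynomial helpers, the three-variable census and the sample users are constructed for illustration; every masked polynomial is padded to the common degree $2(2V_0 + 2\sum G_i)$, so the same code also covers the all-users case by passing zero shadow users.

```python
"""Toy threshold pattern-oriented private census (Section 4.6): k real users plus shadow users."""
import hashlib
import random

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with random bases; error probability at most 4**-rounds."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits, rng):
    """p = 2q + 1 with both prime; exponents and polynomial coefficients live in Z_q."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q

P, Q = safe_prime(48, random.Random(2024))  # 48-bit toy group; a deployment uses >= 2048 bits
G = 4  # quadratic residue mod P, hence a generator of the order-Q subgroup

def H(i):  # public hash into the order-Q subgroup: squaring the digest lands there
    h = int.from_bytes(hashlib.sha256(f"coef:{i}".encode()).digest(), "big") % P
    return h * h % P

def joint_zero_keys(n, rng):
    """Joint zero secret sharing (l = n): each user deals shares summing to 0, so sum SK_j = 0."""
    keys = [0] * n
    for _dealer in range(n):
        shares = [rng.randrange(Q) for _ in range(n - 1)]
        shares.append(-sum(shares) % Q)
        keys = [(k + s) % Q for k, s in zip(keys, shares)]
    return keys

def poly_mul(a, b):  # coefficient lists over Z_Q, lowest degree first
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return out

# Constructed toy census: binary question with index 1 ("college or not", answered +1 / -1) and
# two interval variables with fine-grain level 3 each; interval bounds never collide with the index.
INTERVALS = {"age": [(15, 19), (20, 24), (25, 29)], "energy": [(100, 199), (200, 299), (300, 399)]}
SPACE = [1, -1 % Q] + [b for ivs in INTERVALS.values() for iv in ivs for b in iv]
TARGET_DEG = 2 * len(SPACE)  # common degree 2(2V_0 + 2 sum G_i) of every masked polynomial

def answer_set(college, age, energy):
    """S_j: the signed index of the binary question plus [L, U] of each chosen interval."""
    s = [1 if college else -1 % Q]
    for value, ivs in ((age, INTERVALS["age"]), (energy, INTERVALS["energy"])):
        s += next(iv for iv in ivs if iv[0] <= value <= iv[1])
    return s

def encrypt_poly(roots, sk, rng):
    """f_j = prod (x - root), masked by a random g_j so deg(f_j g_j) = TARGET_DEG; then
    each coefficient c_ji is sent as g^{c_ji} H(i)^{SK_j}, exactly as in the general census."""
    f = [1]
    for root in roots:
        f = poly_mul(f, [-root % Q, 1])
    mask = [rng.randrange(Q) for _ in range(TARGET_DEG - len(f) + 1)]
    mask[-1] = rng.randrange(1, Q)  # force the exact degree
    return [pow(G, c, P) * pow(H(i), sk, P) % P for i, c in enumerate(poly_mul(f, mask))]

def aggregate_intersection(ciphertexts):
    """Multiply per coefficient (the H(i)^{SK_j} masks cancel) to obtain g^{e_i}; a is a common
    choice iff g^{F(a)} = prod_i (g^{e_i})^{a^i} == 1, i.e. (x - a) | F(x).  A non-common a
    passes only if F(a) happens to be 0 mod Q, probability about 1/Q per candidate."""
    g_e = [1] * len(ciphertexts[0])
    for c in ciphertexts:
        g_e = [x * y % P for x, y in zip(g_e, c)]
    common = []
    for a in SPACE:
        acc, a_pow = 1, 1
        for ge in g_e:
            acc = acc * pow(ge, a_pow, P) % P
            a_pow = a_pow * a % Q
        if acc == 1:
            common.append(a)
    return common

def run_pattern_census(real, n_shadow, seed=7):
    """real: (college, age, energy) of the k truthful users; shadow users answer with the whole
    question space, so only the k real answers shape the intersection."""
    rng = random.Random(seed)
    keys = joint_zero_keys(len(real) + n_shadow, rng)
    cts = [encrypt_poly(answer_set(*u), keys[j], rng) for j, u in enumerate(real)]
    cts += [encrypt_poly(SPACE, keys[len(real) + j], rng) for j in range(n_shadow)]
    return sorted(aggregate_intersection(cts))
```

Calling `run_pattern_census([(True, 22, 250), (True, 24, 210), (True, 20, 299)], 3)` returns the index 1 and the bounds 20, 24, 200, 299, i.e. "college AND age in [20, 24] AND energy in [200, 299]" for the three real users, while the three shadow users contribute nothing to the result.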
The above solution gives the aggregator little control over the threshold $k$, since it depends entirely on the number of users willing to provide real answers. However, the aggregator might wish to exert more control on $k$. We propose using anonymous communication as a solution for this scenario. At the beginning of the system, upon the aggregator publishing his private pattern census, each individual user can submit a sign indicating his willingness to provide the real answer through the anonymous communication channel. The aggregator counts the number of users willing to answer truthfully until it reaches his preset threshold $k$, and then publishes a message stating that the number of users is sufficient and stops users from sending more positive signs. Then they run the modified pattern census just as introduced in the above paragraph. A user who submitted a positive sign provides the real answer, while the others act as shadow users.

The pattern-oriented private census scheme can be viewed as a filter for the subsequent census. The aggregator can roughly obtain an answer to the following conjunction question through the modified pattern-oriented private census scheme: "$k/n$ percent of users have property 1 AND property 2, etc.". Using this information as an indication, the aggregator can further design a more specific census to investigate exactly what percentage of the users have those properties simultaneously. We note that the question list would consist of far fewer questions, since the aggregator can now focus only on investigating a small portion of the intersection properties of much more significant implication, rather than probing blindly in the whole intersection space, which could be of exponential size.

4.7 Conditional Probability Estimation and Association Rule Mining

The proposed pattern-oriented private census scheme combined with the general census scheme can serve as a powerful tool for computing baseline inferences such as conditional probability, and for more sophisticated applications such as association rule mining.

The threshold pattern-oriented census scheme provides an aggregated answer such as "more than 30% of users consume 100 W per hour in a certain region AND have an annual income exceeding 100,000 dollars". The general census scheme proposed above can then answer exactly what percentage of users have both of the above properties, or just one of them. All these answers can be pulled together to compute the conditional probability using the equation $P(A \mid B) = P(A \cap B) / P(B)$, which could be vital for some classical learning techniques such as Bayesian learning.

The other application of the pattern-oriented census scheme is association rule mining. The definition of an association rule can be found in [91]:

PAGE 91

Denition1 LetI=fi1;i2;;ingbeasetofitems.LetDBbeasetoftransactions,whereeachtransactionTisanitemsetsuchthatTI.GivenanitemsetXI,atransactionTcontainsXiffXT.AnassociationruleisanimplicationoftheformX)YwhereXI,YIandXTY=;.TheruleX)YhassupportsinthetransactiondatabaseDBifs%oftransactionsinDBcontainXSY.TheassociationruleholdsinthetransactiondatabaseDBwithconfidencecifc%oftransactionsinDBthatcontainXalsocontainsY. Associationruleminingaimstogureoutallruleswithsupportandcondencehigherthancertainpredenedthresholdsupportandcondence.Theproposedprivatecensusschemescanbeviewedasanapplicationofmulti-partyprivatesetintersectionorunionschemes,whichisgenerallyconsideredasapowerfultoolforassociationrulemining[ 99 ].Hence,ourproposedthresholdprivatepatterncensuscombinedwiththegeneralprivatecensuscanbedirectlyappliedtoconstructaprivateassociationruleminingprotocol.Assumingthecondenceisc,thentheaggregatorcanrunathresholdprivatepatterncensuswiththresholdk=candthusndoutalltheXandYinthequestionlistsuchthatXTY=;andthenumberoftheuserswhochoosetheintersectionofchoicesXANDYisc.Then,theaggregatorcanpublishageneralcensustocalculatethenumberofuserswhochoosethechoicesXSY.TheaggregatorwillthencountalltheXSYwithmorethansnumberofusersassumingsisthethresholdforsupport. 4.8CorrectnessofMeteringData Itiseasytoobservethattheanswersorresponsesrelatedtometeringdataplayanimportantroleintheproling.Itisnecessarytoprovideamechanismtoensureindividualanswersareindeed“correct”accordingtothereturnedmeteringdevicedata.Weproposetousethenon-interactivezeroknowledgeproofcombinedwithhomomorphiccommitmentschemeandaggregatedsignatureastheunderlyingtoolforthevericationonthecorrectnessoftheanswers.Ourschememakesthesameassumptionasmostofthesmartmeteringbasedsystems[ 77 , 92 ]inthesensethatmeteringdevicesaretamper-resistant. Advancedmeteringdevicesaresupposedtodelivermeteringdataineachshortperiodoftime,suchashalfanhour.Thequestioninthecensusrelatedtometeringdatacouldeither 91

PAGE 92

correspondtoasinglemeasurementperiodorKmeasurementperiods.Ameteringdevicecommitstometeringdatadi;i2[1;K]foreachmeteringtimeperiodtandgeneratesasignatureSig(tjjComi)foreachcommitmentComi=gdihr0(WeusePedersen'scommitmentschemeinhere[ 100 ]).Ausercollectsallthecommitmentsandtherespectivesignatures,andgeneratesthecommitmentforthesummationgPKi=1dihrusingtheadditivehomomorphicpropertyofthecommitmentschemeandtheaggregatesignatureASig(ftjjComigKi=1)derivedfromSig(tjjComi),wheretindicatesthegenerationtimeofthemeteringdata,andSig(tjjComi)istheindividualsignatureforeachcommitment. Thevericationapproachcanbedividedintotwocategoriesdependentontheunderlyingsecretkeydistributionprotocols:thesemi-decentralizedmodelandthefullydecentralizedmodel.Thevericationforthesemi-decentralizedmodelisstraightforwardandsimilartothatoftheinteractivemodelin[ 77 ]andthusisomitted.Wemainlyfocusonthevericationmechanismforthefullydecentralizedmodel. Forthegeneralcensusscheme,ujpresentsanon-interactivezero-knowledgeproof(NIZK)asfollows.NIZKf(Aj(I)=PKi=1di;r;SKj):gPKi=1dihr=Com(PKi=1di;r)VgAj(I)H(I)SKj=gPKi=1diH(I)SKjg;whereCom(PKi=1di;r)isacommitmentforPKi=1diandthere-spectiveopenvaluer,andIistherespectivequestionindex.TheaggregatorrstveriesASig(fComigKi=1)correspondingtothemeteringdevicepublickeyPK(m)andthencheckswhetherCom(PKi=1di;r)isindeedthecommitmentforPKi=1diandrusingthehomomorphicpropertyofindividualcommitmentComi,andnallychecksthecorrectnessofNIZK.Thecorrectnessofthesubmittedanswerisveriedwhenalltheabovevericationdoesnotfail. 
As for the pattern oriented census scheme, the non-interactive zero-knowledge proof is modified as follows:

$$\mathrm{NIZK}\Big\{\Big(\sum_{i=1}^{K} d_i,\ r,\ SK_j,\ R_1(x),\ R_2(x),\ L_i \le \sum_{i=1}^{K} d_i \le R_i,\ A_j(I_1) = L_i,\ A_j(I_2) = R_i\Big) :\ g^{\sum_{i=1}^{K} d_i} h^{r} = \mathrm{Com}\Big(\sum_{i=1}^{K} d_i,\ r\Big)\ \wedge\ g^{(x - A_j(I_1))\,R_1(x)} \prod_{i=0}^{4V-2V'} H(i)^{SK_j x^i} = \prod_{i=0}^{4V-2V'} C_{ji}^{x^i}\ \wedge\ g^{(x - A_j(I_2))\,R_2(x)} \prod_{i=0}^{4V-2V'} H(i)^{SK_j x^i} = \prod_{i=0}^{4V-2V'} C_{ji}^{x^i}\Big\},$$

where $\mathrm{Com}(\sum_{i=1}^{K} d_i, r)$ is still a commitment to $\sum_{i=1}^{K} d_i$ with the respective opening value $r$, and $R_1(x)$ and $R_2(x)$ are the respective randomization polynomials. The aggregator first verifies the aggregate signature and the commitment in the same manner as in the general census scheme, and finally checks the correctness of the NIZK, which guarantees that the user indeed chose the correct interval when providing the real answer. Both of the above zero-knowledge proofs can be realized efficiently with the non-interactive proof system of Groth and Sahai [101]. These verification steps prevent the user from manipulating the answers related to the metering data. Answers about other properties, such as the individual's socio-economic background, can still be verified by other mechanisms such as anonymous credentials, which may be more communication and computation intensive. However, we argue that users have little incentive to fabricate metering data or other socio-economic background data, because a single individual's data has negligible impact on the aggregated result at the scale of the system.

4.9 Performance Analysis

In this section, we evaluate our proposed schemes. The underlying secret key distribution protocol requires $O(n^2)$ messages to be exchanged in the fully decentralized model, and each individual user performs $O(n)$ public key encryptions and decryptions. In the semi-decentralized model, the exchanged messages are of size $O(n\ell)$; an individual user performs $O(\ell)$ public key encryptions, and the aggregator computes $O(n)$ public key decryptions. We note that the secret key distribution protocol only needs to be executed once, during system initialization, and multiple instances of the private census scheme can be run afterwards. Each individual user sends $N$ group elements to the aggregator in the general private census scheme, and $4V - 2V' + 1$ group elements in the pattern oriented census scheme. The general private census scheme requires $2N$ exponentiations and $N$ modular multiplications per user, while the pattern oriented census scheme requires $8V - 4V' + 2$ exponentiations and $4V - 2V'$ multiplications. We ignore the computational cost of the polynomial multiplication in the exponent, since it is negligible compared with the exponentiations and multiplications of group elements. The aggregator in the general private census scheme has to perform $O(N(n \cdot \mathrm{Max} - \mathrm{Min}))$ exponentiations, which can be further reduced to $O(N\sqrt{n \cdot \mathrm{Max} - \mathrm{Min}})$ if Pollard's lambda method is applied.
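The following is an added example, not code from the dissertation, that serves two passages above: the commitment-and-NIZK check the aggregator performs on each submitted answer, and the Pollard's lambda step that recovers the aggregate from $g^{S}$ with $S \in [0, n \cdot \mathrm{Max}]$. It implements only the first conjunct of the NIZK, knowledge of the opening of $\mathrm{Com}(\sum d_i, r) = g^{\sum d_i} h^{r}$, as a Schnorr-style sigma protocol made non-interactive with Fiat-Shamir; the interval and polynomial clauses, which the text realizes with Groth-Sahai proofs [101], are not implemented. The group (a 62-bit safe-prime subgroup generated at import), the second base $h$, the hash-derived challenge, and the omission of the per-user blinding keys (which cancel in the product in the real scheme) are assumptions made for the illustration; a deployment would use a standard-size group.

```python
# Added example (not code from the dissertation): Pedersen commitment with a
# Fiat-Shamir proof of knowledge of its opening (first conjunct of the NIZK),
# plus Pollard's kangaroo (lambda) method for the aggregator's discrete-log step.
# Assumptions: toy 62-bit safe-prime group generated at import time, no blinding keys.
import hashlib
import secrets
from math import isqrt

WITNESSES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic Miller-Rabin for n < 3.3e24

def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for a in WITNESSES:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in WITNESSES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits: int = 62):
    """Return (p, q, g, h): p = 2q+1, g = 4 of prime order q, h a second base with unknown log_g(h)."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    h = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % p, 2, p)  # squared => order q
    return p, q, 4, h

P, Q, G, H = safe_prime_group()

def commit(m: int, r: int) -> int:
    """Com(m, r) = g^m h^r, the commitment the user sends along with the answer."""
    return pow(G, m, P) * pow(H, r, P) % P

def fs_challenge(*parts: int) -> int:
    """Fiat-Shamir challenge: hash of the statement (group, bases, C) and the first prover message t."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_opening(m: int, r: int) -> dict:
    """NIZK{(m, r) : C = g^m h^r} as a Schnorr-style sigma protocol made non-interactive."""
    c = commit(m, r)
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)   # prover randomness
    t = pow(G, a, P) * pow(H, b, P) % P
    e = fs_challenge(P, G, H, c, t)
    return {"C": c, "t": t, "z1": (a + e * m) % Q, "z2": (b + e * r) % Q}

def verify_opening(proof: dict) -> bool:
    """Aggregator side: g^z1 h^z2 must equal t * C^e for the recomputed challenge e."""
    e = fs_challenge(P, G, H, proof["C"], proof["t"])
    lhs = pow(G, proof["z1"], P) * pow(H, proof["z2"], P) % P
    rhs = proof["t"] * pow(proof["C"], e, P) % P
    return lhs == rhs

def kangaroo_dlog(target: int, lo: int, hi: int):
    """Pollard's kangaroo: find x in [lo, hi] with g^x = target in about sqrt(hi - lo) group operations."""
    width = hi - lo
    k = max(2, (width.bit_length() + 1) // 2 + 1)
    jumps = [1 << j for j in range(k)]                  # jump sizes 2^0 .. 2^(k-1), mean ~ sqrt(width)
    g_jumps = [pow(G, s, P) for s in jumps]
    traps, y, x = {}, pow(G, hi, P), hi                 # tame kangaroo starts at the top of the interval
    for _ in range(16 * (isqrt(width) + 1)):
        traps[y] = x                                    # every visited point becomes a trap
        j = y % k
        y, x = y * g_jumps[j] % P, x + jumps[j]
    traps[y] = x
    y, d = target, 0                                    # wild kangaroo starts at g^(x*), same jump rule
    while d <= (x - hi) + width:
        if y in traps:                                  # g^(x* + d) == g^trap  =>  x* = trap - d
            return traps[y] - d
        j = y % k
        y, d = y * g_jumps[j] % P, d + jumps[j]
    return None                                         # only with negligible probability for this budget

def aggregate_sum(values, max_answer: int):
    """Aggregator's last step: multiply the users' g^{d_i} and recover the sum from [0, n*Max]."""
    product = 1
    for d in values:
        product = product * pow(G, d, P) % P
    return kangaroo_dlog(product, 0, len(values) * max_answer)

if __name__ == "__main__":
    readings = [50 + (i * 37) % 451 for i in range(600)]   # constructed: 600 hourly readings in [50, 500] W
    print(verify_opening(prove_opening(275, secrets.randbelow(Q))), aggregate_sum(readings, 500) == sum(readings))
```

The tame kangaroo lays a trap at every point it visits rather than only at its final position, which makes the search deterministic for a given group and removes the usual restart logic; with 600 users and $\mathrm{Max} = 500$ the wild kangaroo needs on the order of $\sqrt{300{,}000} \approx 550$ jumps rather than the 300,000 multiplications of a linear scan, which is the saving the text attributes to Pollard's lambda method.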

In the pattern oriented census scheme, the aggregator needs to complete $(n-1)(4V - 2V' + 1)$ group element multiplications and $(2V' + 2\sum_{i \in [V'+1, V]} G_i)(4V - 2V' + 1)$ exponentiations. It is noteworthy that the major computational workload for the aggregator, introduced by the exponentiations, does not depend on the number $n$ of system users but mostly on $V$ and $V'$, which are in turn determined by how the question list is formed.

We implement the two proposed private census schemes and the underlying secret key distribution protocol. We employ the real data from a recent investigation [102] on the relationship between energy consumption and temperature in Sydney, Australia, to test the performance of the general private census scheme. There are 600 households in total involved in the system. It takes roughly 10 ms to accomplish a modular exponentiation with a 1024-bit prime modulus for a user with a 412 MHz smartphone. In the worst case of the proposed secret key distribution protocol, each user needs to perform 600 public key encryptions, which corresponds to roughly $1200 \times 10\,\mathrm{ms} = 12\,\mathrm{s}$ of computation. Each user delivers two group elements to each other user, i.e., $2 \times 1024$ bits = 2 Kbit. We consider the aggregation of hourly energy consumption data versus the temperature variation in the general private census scheme. The maximum hourly energy consumption for an individual appliance is 500 W and the minimum is about 50 W according to the data provided by the investigation. The minimum and maximum temperatures are 10 °C and 25 °C, respectively. In order to obtain the average energy consumption for each temperature in $[10, 25]$, the aggregator needs to post a census consisting of 17 questions. Hence, to respond to the census, an individual user needs to generate 17 answers, which corresponds to $17 \times 2$ modular exponentiations and takes about $34 \times 10\,\mathrm{ms} = 0.34\,\mathrm{s}$. The data generated by the individual user is of size $34 \times 1024$ bits = 34 Kbit (about 4.25 KB). The aggregator will need to perform $n \cdot \mathrm{Max} - \mathrm{Min} = 600 \times 500 - 50 = 299{,}950$ modular exponentiations to compute the average energy consumption for all the possible temperature values in $[10, 25]$. The aggregator can use a desktop to compute the average energy consumption; it takes roughly 0.3 ms to compute a modular exponentiation on a modern 64-bit desktop [94]. Therefore, it would take roughly $299{,}950 \times 0.3\,\mathrm{ms} \approx 90\,\mathrm{s}$ at most to compute the answer for each temperature value. It is noteworthy that the individual computation cost remains constant even if the number of system users increases, while the communication overhead does grow with the number of system users.

Figure 4-2. The individual computing time and communication overhead

For the proposed pattern oriented census scheme, we use the real data from another recent investigation [103] on the relationship between the state (on or off) of individual appliances at home and the energy consumption in a particular time interval of a day. There are five time intervals and six appliances according to the investigation. Therefore, there will be six binary questions and five interval questions in order to calculate the correlation shown in Table 1 in [103], and hence $V' = 6$ and $V = 11$. The grain levels for the five time intervals are 10, 30, 15, 30, 30, assuming each interval choice is $[L_j, L_{j+1}]$ W as in the investigation. Therefore, each user needs to compute $8V - 4V' + 2$ modular exponentiations, which takes roughly $(8 \times 11 - 4 \times 6 + 2) \times 10\,\mathrm{ms} = 0.66\,\mathrm{s}$, and the individual ciphertext size is $(4 \times 11 - 2 \times 6 + 1) \times 1024/2$ bits = 16.5 Kbit (about 2.1 KB). It would take the aggregator roughly $(2V' + 2\sum_{i \in [V'+1, V]} G_i)(4V - 2V' + 1) \times 0.3\,\mathrm{ms} = (2 \times 6 + 2(10+30+15+30+30))(4 \times 11 - 2 \times 6 + 1) \times 0.3\,\mathrm{ms} = 7986 \times 0.3\,\mathrm{ms} = 2395.8\,\mathrm{ms} \approx 2.4\,\mathrm{s}$ to calculate the intersection answer. The individual computing time and communication overhead as functions of $V$ and $V'$ can be found in Fig. 4-2, and the aggregator computing time as a function of $V$ and $V'$ in Fig. 4-3. However, this trivial approach can only reveal the answer chosen by all the users. In order to calculate the intersection answer chosen by $k$ users, the individual user needs to compute at most $(4V' + 4\sum_{i=V'+1}^{V} G_i + 1) \times 2$ modular exponentiations, which takes roughly $(4 \times 6 + 4(10+30+15+30+30) + 1) \times 2 \times 10\,\mathrm{ms} = 9.7\,\mathrm{s}$, and the ciphertext size is $(4 \times 6 + 4(10+30+15+30+30) + 1) \times 1024$ bits = 485 Kbit (about 60.6 KB). The computation time for the aggregator in this case is identical to the case $k = n$, i.e., roughly 2.4 s.

Figure 4-3. The aggregator computing time

This chapter proposes two schemes to support privacy-aware and efficient dynamic profiling and statistical data extraction for smart sustainable energy systems. The first scheme enables an aggregator to efficiently extract the summation information from the submitted individual responses. The second, pattern oriented privacy-aware profiling scheme further enables the aggregator to efficiently extract the intersection information, which answers the conjunction query. We also demonstrate how to use the latter scheme to perform private baseline inference and association rule mining by combining it with the first scheme. Since association rule mining [90] can discover interesting relationships between variables in large databases [91], the proposed schemes are believed to be beneficial to smart grid energy policy and marketing strategy design in the long run.

CHAPTER 5 CONCLUSIONS

In this dissertation, we propose several privacy preserving protocols for various distributed computing settings. We have designed privacy preserving protocols for cloud assisted mobile health monitoring, smart metering data extraction for sustainable energy systems, and trust management in peer-to-peer networks. In the future, we aim to design secure multiparty computation protocols based on deterministic encryption.

REFERENCES

[1] M. Srivatsa, S. Balfe, K. G. Paterson, and P. Rohatgi, "Trust management for secure information flows," in ACM Conference on Computer and Communications Security, 2008, pp. 175.
[2] P. Mohan, D. Marin, S. Sultan, and A. Deen, "Medinet: personalizing the self-care process for patients with diabetes and cardiovascular disease using mobile telephony," in Engineering in Medicine and Biology Society, 2008. EMBS 2008. 30th Annual International Conference of the IEEE. IEEE, 2008, pp. 755.
[3] A. Tsanas, M. Little, P. McSharry, and L. Ramig, "Accurate telemonitoring of Parkinson's disease progression by noninvasive speech tests," Biomedical Engineering, IEEE Transactions on, vol. 57, no. 4, pp. 884, 2010.
[4] G. Clifford and D. Clifton, "Wireless technology in disease management and medicine," Annual Review of Medicine, vol. 63, pp. 479, 2012.
[5] L. Ponemon Institute, "Americans' opinions on healthcare privacy, available: http://tinyurl.com/4atsdlj," 2010.
[6] A. V. Dhukaram, C. Baber, L. Elloumi, B.-J. van Beijnum, and P. D. Stefanis, "End-user perception towards pervasive cardiac healthcare services: Benefits, acceptance, adoption, risks, security, privacy and trust," in PervasiveHealth, 2011, pp. 478.
[7] M. Delgado, "The evolution of health care IT: Are current U.S. privacy policies ready for the clouds?" in SERVICES, 2011, pp. 371.
[8] N. Singer, "When 2+2 equals a privacy question," New York Times, 2009.
[9] E. B. Fernandez, "Security in data intensive computing systems," in Handbook of Data Intensive Computing, 2011, pp. 447.
[10] A. Narayanan and V. Shmatikov, "Myths and fallacies of personally identifiable information," Communications of the ACM, vol. 53, no. 6, pp. 24, 2010.
[11] P. Baldi, R. Baronio, E. D. Cristofaro, P. Gasti, and G. Tsudik, "Countering GATTACA: efficient and secure testing of fully-sequenced human genomes," in ACM Conference on Computer and Communications Security, 2011, pp. 691.
[12] A. Cavoukian, A. Fisher, S. Killen, and D. Hoffman, "Remote home health care technologies: how to ensure privacy? Build it in: Privacy by design," Identity in the Information Society, vol. 3, no. 2, pp. 363, 2010.
[13] A. Narayanan and V. Shmatikov, "Robust de-anonymization of large sparse datasets," in Security and Privacy, 2008. SP 2008. IEEE Symposium on. IEEE, 2008, pp. 111.
[14] ——, "De-anonymizing social networks," in IEEE Symposium on Security and Privacy. IEEE Computer Society, 2009, pp. 173.
[15] I. Neamatullah, M. Douglass, L. Lehman, A. Reisner, M. Villarroel, W. Long, P. Szolovits, G. Moody, R. Mark, and G. Clifford, "Automated de-identification of free-text medical records," BMC Medical Informatics and Decision Making, vol. 8, no. 1, p. 32, 2008.
[16] S. Al-Fedaghi and A. Al-Azmi, "Experimentation with personal identifiable information," Intelligent Information Management, vol. 4, no. 4, pp. 123, 2012.
[17] J. Domingo-Ferrer, "A three-dimensional conceptual framework for database privacy," Secure Data Management, pp. 193, 2007.
[18] T. Lim, Nanosensors: Theory and Applications in Industry, Healthcare, and Defense. CRC Press, 2011.
[19] X. Zhou, B. Peng, Y. Li, Y. Chen, H. Tang, and X. Wang, "To release or not to release: evaluating information leaks in aggregate human-genome data," Computer Security – ESORICS 2011, pp. 607, 2011.
[20] R. Wang, Y. Li, X. Wang, H. Tang, and X. Zhou, "Learning your identity and disease from research papers: information leaks in genome wide association study," in Proceedings of the 16th ACM Conference on Computer and Communications Security. ACM, 2009, pp. 534.
[21] P. Ohm, "Broken promises of privacy: Responding to the surprising failure of anonymization," UCLA Law Review, vol. 57, p. 1701, 2010.
[22] P. Institute, "Data loss risks during downsizing," 2009.
[23] P. Dixon, "Medical identity theft: The information crime that can kill you," in The World Privacy Forum, 2006, pp. 13.
[24] K. E. Emam and M. King, "The data breach analyzer," 2009, [Available at: http://www.ehealthinformation.ca/dataloss].
[25] E. Shaw, K. Ruby, and J. Post, "The insider threat to information systems: The psychology of the dangerous insider," Security Awareness Bulletin, vol. 2, no. 98, pp. 1, 1998.
[26] M. Green, S. Hohenberger, and B. Waters, "Outsourcing the decryption of ABE ciphertexts," in USENIX Security, 2011.
[27] J. Brickell, D. Porter, V. Shmatikov, and E. Witchel, "Privacy-preserving remote diagnostics," in Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM, 2007, pp. 498.
[28] A. Farmer, O. Gibson, P. Hayton, K. Bryden, C. Dudley, A. Neil, and L. Tarassenko, "A real-time, mobile phone-based telemedicine system to support young adults with type 1 diabetes," Informatics in Primary Care, vol. 13, no. 3, pp. 171, 2005.
[29] Z. Wu, Z. Xu, and H. Wang, "Whispers in the hyper-space: High-speed covert channel attacks in the cloud," in Proceedings of the 21st USENIX Conference on Security Symposium. USENIX Association, 2012.
[30] T. Kim, M. Peinado, and G. Mainar-Ruiz, "StealthMem: system-level protection against cache-based side channel attacks in the cloud," in Proceedings of the 21st USENIX Conference on Security Symposium. USENIX Association, 2012, pp. 11.
[31] S. Dziembowski and K. Pietrzak, "Leakage-resilient cryptography," in Foundations of Computer Science, 2008. FOCS '08. IEEE 49th Annual IEEE Symposium on. IEEE, 2008, pp. 293.
[32] D. Boneh and M. K. Franklin, "Identity-based encryption from the Weil pairing," in CRYPTO, 2001, pp. 213.
[33] M. Barni, P. Failla, V. Kolesnikov, R. Lazzeretti, A. Sadeghi, and T. Schneider, "Secure evaluation of private linear branching programs with medical applications," Computer Security – ESORICS 2009, pp. 424, 2009.
[34] A. C.-C. Yao, "How to generate and exchange secrets (extended abstract)," in FOCS. IEEE, 1986, pp. 162.
[35] P. Paillier, "Public-key cryptosystems based on composite degree residuosity classes," in EUROCRYPT, 1999, pp. 223.
[36] I. Damgard and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, ser. Lecture Notes in Computer Science, K. Kim, Ed., vol. 1992. Springer, 2001, pp. 119.
[37] E. Shi, J. Bethencourt, H. T.-H. Chan, D. X. Song, and A. Perrig, "Multi-dimensional range query over encrypted data," in IEEE Symposium on Security and Privacy, 2007, pp. 350.
[38] H. Lin, X. Zhu, Y. Fang, C. Zhang, and Z. Cao, "Efficient trust based information sharing schemes over distributed collaborative networks," in Milcom, 2011.
[39] X. Boyen and B. Waters, "Anonymous hierarchical identity-based encryption (without random oracles)," in CRYPTO, 2006, pp. 290.
[40] A. Sahai and B. Waters, "Fuzzy identity-based encryption," in EUROCRYPT, 2005, pp. 457.
[41] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in ACM Conference on Computer and Communications Security, 2006, pp. 89.
[42] M. Blaze, G. Bleumer, and M. Strauss, "Divertible protocols and atomic proxy cryptography," in EUROCRYPT, 1998, pp. 127.
[43] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage," ACM Trans. Inf. Syst. Secur., vol. 9, no. 1, pp. 1, 2006.
[44] G. Ateniese, K. Benson, and S. Hohenberger, "Key-private proxy re-encryption," in CT-RSA, 2009, pp. 279.
[45] M. Green and G. Ateniese, "Identity-based proxy re-encryption," in ACNS, ser. Lecture Notes in Computer Science, J. Katz and M. Yung, Eds., vol. 4521. Springer, 2007, pp. 288.
[46] H. Lin, J. Shao, C. Zhang, and Y. Fang, "CAM: Cloud-assisted privacy preserving mobile health monitoring," http://www.fang.ece.ufl.edu/drafts/cam.pdf, 2013.
[47] O. Goldreich, Foundations of Cryptography: a Primer. Now Publishers Inc, 2005.
[48] I. Blake and V. Kolesnikov, "Strong conditional oblivious transfer and computing on intervals," Advances in Cryptology - ASIACRYPT 2004, pp. 122, 2004.
[49] B. Lynn, PBC: Pairing-Based Cryptography Library, 2008.
[50] I. F. Blake and V. Kolesnikov, "Strong conditional oblivious transfer and computing on intervals," in ASIACRYPT, ser. Lecture Notes in Computer Science, P. J. Lee, Ed., vol. 3329. Springer, 2004, pp. 515.
[51] M. Layouni, K. Verslype, M. Sandıkkaya, B. De Decker, and H. Vangheluwe, "Privacy-preserving telemonitoring for eHealth," Data and Applications Security XXIII, pp. 95, 2009.
[52] M. Barni, P. Failla, R. Lazzeretti, A. Sadeghi, and T. Schneider, "Privacy-preserving ECG classification with branching programs and neural networks," Information Forensics and Security, IEEE Transactions on, vol. 6, no. 2, pp. 452, 2011.
[53] G. Danezis and B. Livshits, "Towards ensuring client-side computational integrity," in Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop. ACM, 2011, pp. 125.
[54] E. De Cristofaro, S. Faber, P. Gasti, and G. Tsudik, "GenoDroid: are privacy-preserving genomic tests ready for prime time?" in Proceedings of the 2012 ACM Workshop on Privacy in the Electronic Society. ACM, 2012, pp. 97.
[55] R. Lagendijk, Z. Erkin, and M. Barni, "Encrypted signal processing for privacy protection," in Signal Processing Magazine, IEEE. IEEE, 2013, pp. 82.
[56] V. Danilatou and S. Ioannidis, "Security and privacy architectures for biomedical cloud computing," in Information Technology and Applications in Biomedicine (ITAB), 2010 10th IEEE International Conference on. IEEE, 2010, pp. 1.
[57] R. Canetti and S. Hohenberger, "Chosen-ciphertext secure proxy re-encryption," in ACM Conference on Computer and Communications Security, 2007, pp. 185.
[58] E. Fujisaki and T. Okamoto, "Secure integration of asymmetric and symmetric encryption schemes," in CRYPTO, ser. Lecture Notes in Computer Science, M. J. Wiener, Ed. Springer, pp. 537.
[59] A. Boldyreva, V. Goyal, and V. Kumar, "Identity-based encryption with efficient revocation," in ACM Conference on Computer and Communications Security, 2008, pp. 417.
[60] S. Zhong, J. Chen, and Y. R. Yang, "Sprite: A simple, cheat-proof, credit-based system for mobile ad-hoc networks," in INFOCOM, 2003.
[61] H. Zhu, X. Lin, R. Lu, X. Shen, D. Xing, and Z. Cao, "An opportunistic batch bundle authentication scheme for energy constrained DTNs," in INFOCOM, 2010, pp. 605.
[62] S.-B. Lee, G. Pan, J.-S. Park, M. Gerla, and S. Lu, "Secure incentives for commercial ad dissemination in vehicular networks," in MobiHoc, 2007, pp. 150.
[63] B. Zhu, S. Setia, S. Jajodia, and L. Wang, "Providing witness anonymity under peer-to-peer settings," IEEE Transactions on Information Forensics and Security, vol. 5, no. 2, pp. 324, 2010.
[64] M. Young, A. Kate, I. Goldberg, and M. Karsten, "Practical robust communication in DHTs tolerating a Byzantine adversary," in ICDCS, 2010, pp. 263.
[65] K. R. B. Butler, S. Ryu, P. Traynor, and P. D. McDaniel, "Leveraging identity-based cryptography for node ID assignment in structured P2P systems," IEEE Trans. Parallel Distrib. Syst., vol. 20, no. 12, pp. 1803, 2009.
[66] A. Shamir, "Identity-based cryptosystems and signature schemes," in CRYPTO, 1984, pp. 47.
[67] C. K. Wong, M. G. Gouda, and S. S. Lam, "Secure group communications using key graphs," in SIGCOMM, 1998, pp. 68.
[68] R. Canetti, J. A. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, "Multicast security: A taxonomy and some efficient constructions," in INFOCOM, 1999, pp. 708. [Online]. Available: http://dblp.uni-trier.de/db/conf/infocom/infocom1999-2.html#CanettiGIMNP99
[69] A. T. Sherman and D. A. McGrew, "Key establishment in large dynamic groups using one-way function trees," IEEE Trans. Software Eng., vol. 29, no. 5, pp. 444, 2003.
[70] C. Delerablee, "Identity-based broadcast encryption with constant size ciphertexts and private keys," in ASIACRYPT, 2007, pp. 200.
[71] C. Gentry and B. Waters, "Adaptive security in broadcast encryption systems (with short ciphertexts)," in EUROCRYPT, ser. Lecture Notes in Computer Science, A. Joux, Ed., vol. 5479. Springer, 2009, pp. 171.
[72] M. Bellare, A. Boldyreva, and J. Staddon, "Randomness re-use in multi-recipient encryption schemeas," in Public Key Cryptography, 2003, pp. 85.
[73] B. Lynn, "On the implementation of pairing-based cryptosystems," Ph.D. thesis, http://crypto.stanford.edu/pbc/thesis.pdf, 2008.
[74] A. Menezes, T. Okamoto, and S. A. Vanstone, "Reducing elliptic curve logarithms to logarithms in a finite field," IEEE Transactions on Information Theory, vol. 39, no. 5, pp. 1639, 1993.
[75] B. Waters, "Efficient identity-based encryption without random oracles," in EUROCRYPT, 2005, pp. 114.
[76] N. Attrapadung and H. Imai, "Attribute-based encryption supporting direct/indirect revocation modes," in IMA Int. Conf., 2009, pp. 278.
[77] K. Kursawe, G. Danezis, and M. Kohlweiss, "Privacy-friendly aggregation for the smart-grid," in PETS, 2011, pp. 175.
[78] Y. Yohanis, J. Mondol, A. Wright, and B. Norton, "Real-life energy use in the UK: How occupancy and dwelling characteristics affect domestic electricity use," Energy and Buildings, vol. 40, no. 6, pp. 1053, 2008. [Online]. Available: http://linkinghub.elsevier.com/retrieve/pii/S037877880700223X
[79] R. A. Popa, A. J. Blumberg, H. Balakrishnan, and F. H. Li, "Privacy and accountability for location-based aggregate statistics," in ACM Conference on Computer and Communications Security, 2011, pp. 653.
[80] Y. Zheng, Y. Liu, J. Yuan, and X. Xie, "Urban computing with taxicabs," in Ubicomp, 2011, pp. 89.
[81] K. Budka, J. Deshpande, J. Hobby, Y.-J. Kim, V. Kolesnikov, W. Lee, T. Reddington, M. Thottan, C. A. White, J.-I. Choi, J. Hong, J. Kim, W. Ko, Y.-W. Nam, and S.-Y. Sohn, "GERI - Bell Labs smart grid research focus: Economic modeling, networking, and security & privacy," in IEEE SmartGridComm, 2010.
[82] A. Markandya and I. Galarraga, Handbook of Sustainable Energy. Edward Elgar Publishing, 2011.
[83] F. D. Garcia and B. Jacobs, "Privacy-friendly energy-metering via homomorphic encryption," in 6th Workshop on Security and Trust Management (STM 2010), ser. Lecture Notes in Computer Science, J. C. et al., Ed., vol. 6710. Springer Verlag, 2011, pp. 226.
[84] K. Herter, P. McAuliffec, and A. Rosenfeld, "An exploratory analysis of California residential customer response to critical peak pricing of electricity," in Energy, 2007, pp. 25.
[85] J. Snook, "Driving sustainable behavior in the mainstream consumer: Leveraging behavioral economics to minimize household energy consumption," Ph.D. dissertation, Duke University, 2011.
[86] I. H. Rowlands and I. M. Furst, "The cost impacts of a mandatory move to time-of-use pricing on residential customers: an Ontario (Canada) case-study," in Energy Efficiency, vol. 4, 2011, pp. 571.
[87] S. Darby, "Social learning and public policy: Lessons from an energy-conscious village," Energy Policy, vol. 34, no. 17, pp. 2929, 2006.
[88] M. Enev, S. Gupta, T. Kohno, and S. N. Patel, "Televisions, video privacy, and powerline electromagnetic interference," in ACM Conference on Computer and Communications Security, 2011, pp. 537.
[89] H. Lin, Y. Fang, and Z. Cao, "Private information extraction over online social networks," IACR Cryptology ePrint Archive, vol. 2011, p. 446, 2011.
[90] R. Agrawal, T. Imielinski, and A. N. Swami, "Mining association rules between sets of items in large databases," in Proceedings of the 1993 ACM SIGMOD International Conference on Management of Data, Washington, D.C., May 26-28, 1993, P. Buneman and S. Jajodia, Eds. ACM Press, 1993, pp. 207.
[91] R. Agrawal and R. Srikant, "Fast algorithms for mining association rules in large databases," in VLDB '94, Proceedings of 20th International Conference on Very Large Data Bases, September 12-15, 1994, Santiago de Chile, Chile, J. B. Bocca, M. Jarke, and C. Zaniolo, Eds. Morgan Kaufmann, 1994, pp. 487.
[92] A. Molina-Markham, G. Danezis, K. Fu, P. J. Shenoy, and D. E. Irwin, "Designing privacy-preserving smart meters with low-cost microcontrollers," IACR Cryptology ePrint Archive, vol. 2011, p. 544, 2011.
[93] G. Danezis, M. Kohlweiss, and A. Rial, "Differentially private billing with rebates," in Information Hiding, 2011, pp. 148.
[94] E. Shi, T.-H. H. Chan, E. G. Rieffel, R. Chow, and D. Song, "Privacy-preserving aggregation of time-series data," in NDSS, 2011.
[95] J. Balasch, A. Rial, C. Troncoso, B. Preneel, I. Verbauwhede, and C. Geuens, "PrETP: Privacy-preserving electronic toll pricing," in USENIX Security Symposium, 2010, pp. 63.
[96] A. Rial and G. Danezis, "Privacy-preserving smart metering," in WPES, 2011, pp. 49.
[97] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, "Robust threshold DSS signatures," Inf. Comput., vol. 164, no. 1, pp. 54, 2001.
[98] L. Kissner and D. X. Song, "Privacy-preserving set operations," in CRYPTO, 2005, pp. 241.
[99] C. Clifton, M. Kantarcioglu, J. Vaidya, X. Lin, and M. Zhu, "Tools for privacy preserving distributed data mining," ACM SIGKDD Explorations, vol. 4, no. 2, 2003.
[100] T. Pedersen, "Non-interactive and information-theoretic secure verifiable secret sharing," in Advances in Cryptology – CRYPTO '91. Springer, 1992, pp. 129.
[101] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," Electronic Colloquium on Computational Complexity (ECCC), vol. 14, no. 053, 2007.
[102] M. Hart and R. de Dear, "Weather sensitivity in household appliance energy end-use," Energy and Buildings, vol. 36, pp. 161, 2004.
[103] A. Jenny, J. R. D. Lopez, and H.-J. Mosler, "Household energy use patterns and social organisation for optimal energy management in a multi-user solar energy system," Progress in Photovoltaics: Research and Applications, vol. 14, pp. 353, 2006.

BIOGRAPHICAL SKETCH

Huang Lin received his B.E. and M.E. degrees in Instrument Science and Technology from Harbin Institute of Technology, China, in 2004 and 2006, respectively. He obtained his first Ph.D. degree in computer science and engineering from Shanghai Jiao Tong University in 2010. He has been working towards his second Ph.D. degree in electrical and computer engineering at the University of Florida since August 2010. His research interests include security, privacy, and applied cryptography.