TY - JOUR
AU - Suzuki,, Tatsuya
AB - Abstract Aggregator oblivious encryption was proposed by Shi et al. (NDSS 2011). In this method, an aggregator can compute an aggregated sum of data and is unable to learn anything else (aggregator obliviousness). Since the aggregator does not learn individual data that may reveal users’ habits and behaviors, several applications including privacy-preserving smart metering have been considered. In this paper, we propose an aggregator oblivious encryption scheme with public verifiability where the aggregator is required to generate a proof of an aggregated sum, and anyone can verify whether the aggregated sum has been correctly computed by the aggregator. Although Leontiadis et al. (CANS 2015) considered verifiability, their scheme requires an interactive complexity assumption to provide the unforgeability of the proof. Our scheme is proven to be unforgeable under a static and simple assumption (a variant of the Computational Diffie–Hellman assumption). Moreover, our scheme inherits the tightness of the reduction of the Benhamouda et al. scheme (ACM TISSEC 2016) for proving aggregator obliviousness. This tight reduction allows us to employ elliptic curves of a smaller order and leads to efficient implementation. Specifically, for 112-bit security, we can employ Barreto–Naehrig (BN) curves with a 383-bit prime order, whereas we need to employ curves with a 1031-bit prime order to implement the Leontiadis et al. scheme. We give implementations of two schemes and evaluate their performances under those curves. We employ a Raspberry-Pi as a power-constrained device such as a smart meter. Consequently, we demonstrate that the running time of the data encryption, data aggregation and verification in our scheme are reduced by approximately 74%, 64% and 89%, respectively, compared to those of the Leontiadis et al. scheme. 1. INTRODUCTION 1.1. Aggregator oblivious encryption Aggregator oblivious encryption was proposed by Shi et al. [1], where an aggregated sum of n users’ data (such as energy consumption from smart meters) can be computed in a privacy-preserving manner. In brief, an honest dealer generates secret keys for users and an aggregator. A user i encrypts data xi,t at time t and sends the ciphertext ci,t to the aggregator. The aggregator can compute the aggregated sum Xt=∑i=1nxi,t from {ci,t}i∈[1,n] and sends Xt to a data analyzer (such as an energy provider). It is particularly worth noting that the aggregator learns Xt and nothing else and this security notion has been formalized as aggregator obliviousness. Note that if homomorphic encryption [2, 3] is simply employed, then the aggregator has the capability to decrypt each ci,t and can obtain xi,t ⁠. Since xi,t may reveal consumer habits and behaviors, e.g. when a certain consumer turns the air conditioner on, it may appear when the consumer returns home, aggregator oblivious encryption is better to preserve the privacy of users. Moreover, the aggregator is not required to be a fully trusted authority and is modeled as honest-but-curious. That is, the data analyzer can collect the aggregated sum of xi,t via the aggregator in a privacy-preserving manner. In addition, only a unidirectional channel is required from each user to the aggregator. This could be an advantage compared to the schemes that require bidirectional channels between the smart meters and the aggregator [4–6]. Though the Shi et al. scheme is not tolerant of user failures (i.e. if even a single user fails to respond in a certain aggregation round, the aggregation algorithm does not work), Chan et al. [7] proposed a fault-tolerant solution such that the aggregator can still compute the aggregated sum from the remaining users. The Shi et al. scheme is aggregator obliviousness under the Decisional Diffie–Hellman (DDH) assumption in the random oracle model. They employed the lifted ElGamal encryption approach [8] and therefore Xt=∑i=1nxi,t needs to be suitably small since the aggregator is required to solve the discrete logarithm gXt with respect to basis g ⁠. Later, Joye and Libert [9] proposed an aggregator oblivious encryption scheme with large plaintext spaces by employing the Paillier-type homomorphic operation [3]. The Joye–Libert scheme is aggregator obliviousness under the Decision Composite Residuosity (DCR) assumption in the random oracle model. Both schemes [9, 1] were generalized by Benhamouda, Joye, and Libert (BJL) [10]. They gave a generic construction of aggregator oblivious encryption from smooth projective hash functions [11] with an extra additively homomorphic property over the key space, with both DDH and DCR-based instantiations. An attractive point of the BJL construction is its tight reduction. Namely, the reduction loss is O(tmax) whereas that of the Shi et al. scheme [1] is O(tmaxn3) where tmax is the maximum time to be supported by the system and n is the number of users. If we consider the exact security [12, 13], then tight reduction is important. As in Benhamouda et al. [10], we set that n=tmax=220≈106 which approximately allows the computation of an aggregation every 15 min for 30 years throughout a city like Paris. Then, the security loss of the Shi et al. scheme is approximately 280 ⁠. That is, for achieving 112-bit security, the Shi et al. scheme requires approximately 7680-bit public key or elliptic curves with 384–511-bit order, which is recommended by NIST [14] for achieving 192-bit security. On the other hand, the security loss of the Benhamouda et al. scheme is approximately 220 ⁠, and to achieve 112-bit security, approximately 3072-bit public key or elliptic curves with 256–383-bit order is required. This key-length is recommended by NIST [14] for achieving 128-bit security. To be precise, the Benhamouda et al. scheme archives 108-bit security under this key length. Thus, more precisely, a slightly longer key is required to achieve 112-bit security. 1.2. Aggregator oblivious encryption with public verifiability As mentioned above, the aggregator is modeled as honest-but-curious and is assumed to output Xt correctly. For stronger security, Leontiadis, Elkhiyaoui, Önen and Molva (LEOM) [15] considered a new model: a user i produces a tag σi,t in addition to ci,t ⁠, and sends (ci,t,σi,t) to the aggregator, and the aggregator is required to generate a publicly verifiable proof σt that proves the decryption result of {ci,t}i∈[1,n] is exactly Xt ⁠. Of course, it is required that the aggregator cannot produce a forged σt for some Xt≠∑i=1nxi,t ⁠, and this security notion is formalized as aggregator unforgeability. Since the data analyzer can recognize whether the aggregator correctly computed the aggregated sum, this functionality can be seen as a kind of verifiable computation [16, 17]. Though the Leontiadis et al. approach is interesting, one drawback of their construction is the underlying complexity assumption. They introduced an interactive assumption called the LEOM assumption for proving aggregator unforgeability (we introduce the LEOM assumption in the Appendix). However, as explained by Naor [18], it is better to avoid interactive assumptions as much as possible to prevent circular arguments. Making cryptographic primitives secure under weak assumptions is one of the important topics of cryptography. To name a few, verifiable random functions [19, 20], group signatures [21, 22], structure-preserving signatures [23], identity-based encryption [24], attribute-based encryption [25, 26], oblivious transfer [27] and so on, and constructing an aggregator oblivious encryption scheme with public verifiability from static and simple assumptions are still left as open problems. 1.3. Our contribution In this paper, we propose an aggregator oblivious encryption scheme with public verifiability from static and simple assumptions. We newly introduce a variant of the Computational Diffie–Hellman (CDH) assumption, which we call the modified CDH (mCDH) assumption, and argue about its plausibility in the Uber assumption framework [30]. See Table 1 for detailed comparisons. Table 1. Comparison of DL-based aggregator oblivious encryption. Scheme Ciphertext size (ci,t) Tag size (σi,t) Secret key size Public parameter size (𝗉arams) Public parameter size (𝗏𝗄) BJL (DDH) [10] ∣G1∣ – 2∣Zp∣ ∣G1∣+ two hash – LEOM [15] ∣G1∣ ∣G1∣ 2∣Zp∣+∣G1∣ ∣G1∣+∣G2∣ + one hash 2∣G2∣ Our scheme ∣G1∣ ∣G1∣ 3∣Zp∣+∣G1∣ ∣G1∣+∣G2∣+∣GT∣ + 6 hash tmax∣G2∣a Scheme Ciphertext size (ci,t) Tag size (σi,t) Secret key size Public parameter size (𝗉arams) Public parameter size (𝗏𝗄) BJL (DDH) [10] ∣G1∣ – 2∣Zp∣ ∣G1∣+ two hash – LEOM [15] ∣G1∣ ∣G1∣ 2∣Zp∣+∣G1∣ ∣G1∣+∣G2∣ + one hash 2∣G2∣ Our scheme ∣G1∣ ∣G1∣ 3∣Zp∣+∣G1∣ ∣G1∣+∣G2∣+∣GT∣ + 6 hash tmax∣G2∣a Scheme ∣p∣‡ Reduction loss AO/AUb Aggregator unforgeability Complexity assumptions for proving AO/AUb BJL (DDH) [10] 256 O(tmax)/- – DDH/– LEOM [15] 1031 O(tmaxn3)/O(1) Full DDH/LEOMc Our scheme 383 O(tmax)/O(1) Weak DDH/mCDHd Scheme ∣p∣‡ Reduction loss AO/AUb Aggregator unforgeability Complexity assumptions for proving AO/AUb BJL (DDH) [10] 256 O(tmax)/- – DDH/– LEOM [15] 1031 O(tmaxn3)/O(1) Full DDH/LEOMc Our scheme 383 O(tmax)/O(1) Weak DDH/mCDHd † ∣Zp∣ ⁠, ∣G1∣ ⁠, ∣G2∣ and ∣GT∣ denote the bit-length of an element of Zp ⁠, G1 ⁠, G2 and GT ⁠, respectively. ‡ ∣p∣ denotes the bit-length of p for 112-bit security. Here, we set n=t𝗆𝖺𝗑=220 [10]. For the BJL scheme, we refer the NIST recommendation [14] since the BJL scheme is pairing-free. For the LEOM and our schemes, we refer the result by Menezes, Sarkar and Singh [28] who re-evaluated parameters of pairing-friendly elliptic curves by considering the result by Kim and Barbulescu [29]. aRemark that users and the aggregator do not have to have the large-size verification key. bAO/AU, aggregator obliviousness/aggregator unforgeability. cLEOM, Leontiadis–Elkhiyaoui–Önen–Molva. An interactive complexity assumption. dmCDH, modified computational Diffie–Hellman. A static complexity assumption. View Large Table 1. Comparison of DL-based aggregator oblivious encryption. Scheme Ciphertext size (ci,t) Tag size (σi,t) Secret key size Public parameter size (𝗉arams) Public parameter size (𝗏𝗄) BJL (DDH) [10] ∣G1∣ – 2∣Zp∣ ∣G1∣+ two hash – LEOM [15] ∣G1∣ ∣G1∣ 2∣Zp∣+∣G1∣ ∣G1∣+∣G2∣ + one hash 2∣G2∣ Our scheme ∣G1∣ ∣G1∣ 3∣Zp∣+∣G1∣ ∣G1∣+∣G2∣+∣GT∣ + 6 hash tmax∣G2∣a Scheme Ciphertext size (ci,t) Tag size (σi,t) Secret key size Public parameter size (𝗉arams) Public parameter size (𝗏𝗄) BJL (DDH) [10] ∣G1∣ – 2∣Zp∣ ∣G1∣+ two hash – LEOM [15] ∣G1∣ ∣G1∣ 2∣Zp∣+∣G1∣ ∣G1∣+∣G2∣ + one hash 2∣G2∣ Our scheme ∣G1∣ ∣G1∣ 3∣Zp∣+∣G1∣ ∣G1∣+∣G2∣+∣GT∣ + 6 hash tmax∣G2∣a Scheme ∣p∣‡ Reduction loss AO/AUb Aggregator unforgeability Complexity assumptions for proving AO/AUb BJL (DDH) [10] 256 O(tmax)/- – DDH/– LEOM [15] 1031 O(tmaxn3)/O(1) Full DDH/LEOMc Our scheme 383 O(tmax)/O(1) Weak DDH/mCDHd Scheme ∣p∣‡ Reduction loss AO/AUb Aggregator unforgeability Complexity assumptions for proving AO/AUb BJL (DDH) [10] 256 O(tmax)/- – DDH/– LEOM [15] 1031 O(tmaxn3)/O(1) Full DDH/LEOMc Our scheme 383 O(tmax)/O(1) Weak DDH/mCDHd † ∣Zp∣ ⁠, ∣G1∣ ⁠, ∣G2∣ and ∣GT∣ denote the bit-length of an element of Zp ⁠, G1 ⁠, G2 and GT ⁠, respectively. ‡ ∣p∣ denotes the bit-length of p for 112-bit security. Here, we set n=t𝗆𝖺𝗑=220 [10]. For the BJL scheme, we refer the NIST recommendation [14] since the BJL scheme is pairing-free. For the LEOM and our schemes, we refer the result by Menezes, Sarkar and Singh [28] who re-evaluated parameters of pairing-friendly elliptic curves by considering the result by Kim and Barbulescu [29]. aRemark that users and the aggregator do not have to have the large-size verification key. bAO/AU, aggregator obliviousness/aggregator unforgeability. cLEOM, Leontiadis–Elkhiyaoui–Önen–Molva. An interactive complexity assumption. dmCDH, modified computational Diffie–Hellman. A static complexity assumption. View Large For aggregator obliviousness, our scheme is tightly reduced to the BJL scheme. That is, our scheme inherits the tightness of the reduction of the Benhamouda et al. scheme. On the other hand, the LEOM scheme is reduced to the Shi et al. scheme and has a loose reduction. Note that Benhamouda et al. [10] also showed that a degradation factor of at least Ω(n2) is unavoidable in the Shi et al. scheme. They showed that any blackbox non-rewinding reduction from the Shi et al. scheme to a non-interactive problem loses a factor of at least n2 ⁠. That is, this bound cannot be improved in the Shi et al. scheme, or the LEOM scheme. This tight reduction allows us to employ elliptic curves of a smaller order and leads to efficient implementation. Specifically, for 112-bit security, we can employ Barreto–Naehrig (BN) curves [31] with a 383-bit prime order, whereas we need to employ curves with a 1031-bit prime order to implement the LEOM scheme. For aggregator unforgeability, our scheme provides weak aggregator unforgeability, where an adversary can obtain ciphertexts and tags {(ci,t,σi,t)}i=1n of xi,t chosen by the encryption oracle. Note that in the smart meter setting, xi,t (such as power consumption) is measured by the meter. Thus, we believe that weak aggregator unforgeability is still meaningful in actual usage. One drawback to our scheme, besides weak aggregator unforgeability, is the large-size verification key 𝗏𝗄={𝗏𝗄t≔g2∑i=1nvi,t}t∈[1,tmax] where tmax is the maximum time to be supported by the system. If we employ BN curves with a 383-bit order, then approximately 200 MByte-sized verification keys need to be published when tmax=220≈106 [10]. Note that the user is not required to have a large-size verification key. Moreover, verification keys for past times can be removed. In addition, if we assume that these keys are updated by the dealer every time over a certain time period (i.e. periodic inspection of meters every 1–2 years), or if we can set a relatively small tmax ⁠, then we can significantly reduce the size of the keys to be stored. Note that, if a user manages all vi,t as its secret key, then the secret key size also depends on tmax ⁠. To avoid such a large-size secret key, we additionally introduce a hash function H and a time-independent secret key vi ⁠, and we compute vi,t=H(vi,t) ⁠. This helps us to reduce the secret key size. For weak aggregator unforgeability, our scheme provides a tight reduction loss from the advantage of the mCDH problem. We also explain implementations of our scheme and the LEOM scheme. We employ the PBC library [32] and OpenSSL [33]. Our scheme and the LEOM scheme employ the lifted ElGamal encryption approach [8], and thus Xt=∑i=1nxi,t needs to be suitably small since the aggregator is required to solve the discrete logarithm gXt with respect to basis g ⁠. To solve the elliptic curve discrete logarithm problem (ECDLP), we employ the Baby-Step Giant-Step (BSGS) algorithm. We evaluate their performances under BN curves with 383-bit and 1031-bit prime orders, respectively. Since these BN curves are not contained in the PBC library, we generate parameters for such BN curves by using the PairingParametersGenerator API supported by jPBC [34]. We confirm that both schemes complete all procedures (i.e. data encryption, data aggregation and verification) within 15 min using Benhamouda et al.’s setting (⁠ n=tmax=220 ⁠). This is important since the setting approximately allows the computation of an aggregation every 15 min for 30 years throughout a city like Paris. As an encryption device, we employ a Raspberry-Pi as a power-constrained device such as a smart meter, and also set the message space by considering the capability of a commercially available smart meter. As the aggregator’s device, we employ a somewhat rich machine, and as the data analyzer’s device, we employ a typical laptop PC. See Section 5 for details. Owing to the curve selections, we demonstrate that the running time of data encryption, data aggregation and verification in our scheme are reduced by approximately 74%, 64% and 89%, respectively, compared to those of the LEOM scheme. 1.4. Related work Aggregator oblivious encryption considers collecting the aggregated sum of users (e.g. the total consumption of customers) in a certain region for each time period. This could be employed for privacy-preserving energy management systems. On the other hand, collecting the aggregated sum of a particular user might be desired for a certain reason. For example, if an energy provider would like to send an invoice to a customer and would like to know the total amount of the consumption of the customer. This could be employed for privacy-preserving supplier billing systems [35, 36]. Some schemes support both billing and energy management functionality [37–39]. Ohara et al. [38] in particular proposed such a smart metering scheme with verifiability of the integrity of the total amount of consumption or the billing price. In our setting (as in [1, 9, 10, 15]), the number of users n is selected and fixed during the setup phase. Some papers considered dynamic joins and leaves [7, 40, 41, 42]. Chan et al. [7] proposed a binary interval tree technique that reduces the communication cost for joins and leaves, and Jawurek et al. [41] further improved the communication overhead of the Chan et al. scheme. Although the Chan et al. and Jawurek et al. schemes require public key settings, Li and Cao [40] proposed a more efficient scheme that only requires symmetric key settings. Though these schemes assume an honest dealer that issues keys to the users and the aggregator via a secure channel, Leontiadis et al. [42] proposed a key update mechanism that does not require any trusted dealer. They introduced an additional semi-trusted party called the collector that collects partial key information from users via a secure channel. Grining et al. [43] mentioned that the Chan et al. scheme [7] unacceptably low accuracy of aggregated data for a wide range of assumed parameters, and proposed a precise data aggregation protocol that provides provable level of security even facing massive failures of nodes. Datta and Joye [44] showed that a protocol for computing an aggregate sum proposed by Jung, Li and Wan [45] is universally breakable, where anyone can recover private data from ciphertexts. Some schemes employ bilinear groups with composite order N=pq [46, 47]. This could be a bottleneck since we need to assume that N is difficult to be factorized and is selected as sufficiently large. In the meantime, our schemes are constructed over bilinear groups with a prime order. Becker et al. [48] proposed a lattice-based AOE scheme which supports a large plaintext space. Moreover, they eliminated the encrypt-once model that has been widely employed in previous works and ours. Zhuo et al. [49] proposed a privacy-preserving verifiable data aggregation. They employed homomorphic encryption [50]. As in our scheme, the correctness of computation results can be verified. However, no formal security definition is given (especially unforgeability of the computation results), and thus its security is not analyzed in the sense of provable security. Jung et al. [51] proposed a privacy-preserving data analytics framework which they call PDA, where a third-party aggregator conducts private data records provided by a dynamic sub-group of users. Corrigan-Gibbs and Boneh [52] proposed a privacy-preserving system for computing aggregate statistics, which they call Prio. Though there is a single aggregator in aggregator oblivious encryption, whereas in the Prio system, a set of servers compute statistical functions over the values of all clients. It is assumed that at least one server is honest. Then, the servers learn nothing about the clients private data except information obtained from the aggregate statistics. Benhamouda et al. [10] mentioned that multi-input functional encryption [53] implies aggregator oblivious encryption. Since Badrinarayanan et al. [54] proposed verifiable functional encryption and also considered its multi-input setting, we might be able to construct verifiable aggregator oblivious encryption from verifiable multi-input functional encryption. Though, as in Benhamouda et al., we leave this attempt in this paper due to the efficiency point of view. To support rich functions towards summation, Jung et al. [55] extended the Shi et al. scheme that supports multivariate polynomial evaluation. Derler et al. [56] proposed homomorphic proxy re-authenticators, where distinct senders authenticate data under their own keys, and the aggregator transform these message authentication codes (MACs) to a singe MAC under a receiver’s key without knowing it. The aggregator can evaluate arithmetic circuits (functions) on the inputs and the resulting MAC corresponds to the evaluation of the respective function. Beimel et al. [57] proposed non-interactive secure multiparty computation (NIMPC), and they mentioned that NIMPC can be viewed as a simplified and restricted form of multi-input functional encryption. Moreover, they also gave a NIMPC protocol for summation (in a group G ⁠). The construction idea is essentially the same as that of the Shi et al. aggregator oblivious encryption scheme. Briefly, R1,…,Rn are randomly chosen from G ⁠, and set Rn=−∑i=1n−1Ri ⁠. Each user encrypts a value xi∈G such that Mi≔xi+Ri ⁠, and the summation can be computed by ∑i=1nMi ⁠. In the Shi et al. scheme, the randomness is prepared by a hash function and a secret key, i.e. Ri at time t can be seen as log(H(t)𝗌ki) ⁠, and thus the randomness is not required to be distributed at each time. 1.5. Differences from the proceedings version An extended abstract appears in the 22nd Australasian Conference on Information Security and Privacy (ACISP 2017) [58] (and its ePrint version [59]). As for additional content, we provide implementations of our scheme and the LEOM scheme. As mentioned above, we employ BN curves with a 383-bit prime order to implement our scheme owing to its tight reduction, whereas we need to employ curves with a 1031-bit prime order to implement the LEOM scheme. To the best of our knowledge, no implementation has been reported for elliptic curves with such relatively large orders, especially, for a power-constrained device. Since these BN curves are not contained in the PBC library, we generate parameters for such BN curves by using the PairingParametersGenerator API supported by jPBC (See Section 5.2). We employ a Raspberry-Pi as the power-constrained device, and confirm that data encryption procedures are run for 83.5 ms (our scheme) and 328.1 ms (the LEOM scheme), respectively. That is, we can reduce the running time of data encryption in our scheme by approximately 74% compared to that of the LEOM scheme. We can also reduce the running time of data aggregation and verification in our scheme by approximately 64% and 89%, respectively, compared to those of the LEOM scheme. See Section 5 for details. In the proceeding versions [58, 59], we introduced two schemes. The first is the same as the proposed scheme in this paper, which provides weak aggregator unforgeability and has a large-size verification key. The second scheme solves the large-size key problem by choosing vi,t on the fly. That is, in the second scheme, a user i chooses vi,t in the encryption phase, whereas in the first scheme all keys are generated by an honest dealer, as in previous works [1, 9, 10, 15]. Although the 𝖤nc algorithm becomes probabilistic, this strategy allows us to prove that the scheme provides aggregator unforgeability with semi-adaptive chosen message attacks where an adversary can obtain ciphertexts and tags {(ci,t,σi,t)}i=1n of xi,t chosen by the adversary. Here, semi-adaptive means that the adversary is required to send all {xi,t}i=1n and obtains the corresponding {(ci,t,σi,t)}i=1n ⁠. Although 𝗏𝗄 can be removed from the public value, a drawback of the second scheme is that a malicious aggregator can modify 𝗏𝗄 ⁠. Thus, we additionally need to introduce public channels equipped with memory, such as a bulletin board [60] that is publicly readable and that every user can write to, but that nobody can delete from. Another drawback of the second scheme is its reduction loss. Although the aggregator obliviousness of the second scheme is tightly reduced to the BJL scheme (this requires O(tmax) reduction loss from the advantage of the DDH problem), semi-adaptive aggregator unforgeability of the second scheme requires additional reduction loss. Concretely, O(tmax2) reduction loss from the advantage of the DDH problem. Thus, we need to employ elliptic curves with a relatively large order. Since the bulletin board assumption is not fully reasonable and we believe that weak aggregator unforgeability is still meaningful in actual usage, e.g. smart metering, we choose the first scheme in this paper. 2. PRELIMINARIES Let p is a λ-bit prime, G1,G2 and GT are groups of order p ⁠, e:G1×G2→GT is a bilinear map, and g1 and g2 are generators of G1 and G2 ⁠, respectively. We use the (type 3) asymmetric setting, i.e. G1≠G2 ⁠, and no efficient isomorphism between G1 and G2 is known. Next, we define the Decisional Diffie–Hellman (DDH) assumption on G1 as follows. Definition 2.1 (DDH assumption) Let D≔(p,e,g1,g2,G1,G2,GT)and a,b,c←$Zp*where c≠ab ⁠. We say that the DDH assumption holds on G1if for any PPT adversary A ⁠, the advantage AdvDDH(λ)≔∣Pr[A(D,g1a,g1b,g1c)→true]−Pr[A(D,g1a,g1b,g1ab)→true]∣is negligible. Next, we define a new complexity assumption. This is a variant of the Computational Diffie–Hellman (CDH) assumption. We call this assumption the modified CDH (mCDH) assumption.3 Definition 2.2 (Modified CDH assumption) Let D≔(p,e,g1,g2,G1,G2,GT) ⁠, and a,b←$Zp* ⁠. We say that the modified CDH assumption holds if for any PPT adversary A ⁠, the advantage AdvmCDH(λ)≔Pr[A(D,g1a,g11/a,g1b,g2a)→g1ab]is negligible. We can check that the mCDH assumption holds in the generic bilinear group model by reducing the mCDH problem to the following problem: given (g1,g1a,g1a2,g1b,g2,g2a)∈G14×G22 for random a,b∈Zp ⁠, compute e(g1,g2)a2b ⁠. We can assume that the problem is difficult to be solved since it belongs to the Uber assumption family [30]. This reduction can be easily done by setting g1′≔g11/a and B≔ab ⁠. Then, an instance of the mCDH problem (g1,g1a,g11/a,g1b,g2,g2a) is represented as: given (g1′a,g1′a2,g1′,g1′B,g2,g2a) ⁠, compute g1ab=g1′a2b=g1′aB ⁠. We rewrite it: given (g1,g1a,g1a2,g1b,g2,g2a) ⁠, compute g1ab ⁠. That is, if the mCDH problem can be solved, then we can compute e(g1ab,g2a)=e(g1,g2)a2b ⁠. 3. DEFINITIONS OF VERIFIABLE AGGREGATOR OBLIVIOUS ENCRYPTION In this section, we give the syntax of verifiable aggregator oblivious encryption and its security definitions (aggregator obliviousness and aggregator unforgeability), and introduce the DDH-based BJL scheme [10]. As in Shi et al. we consider encrypt-once security where each user only encrypts once at each time t ⁠. 3.1. Syntax of verifiable aggregator oblivious encryption Definition 3.1 (Verifiable aggregator oblivious encryption [15]) 𝖲𝖾𝗍𝗎𝗉 ⁠: The setup algorithm takes as input a security parameter λ ⁠, and outputs a public parameter 𝗉aram and a secret key of aggregator 𝗌𝗄A ⁠, a set of user secret keys {𝗌ki}i=1n ⁠, and the aggregate verification key 𝗏𝗄 ⁠. We assume that the maximum time tmax is contained in 𝗉aram ⁠, and tmax is a polynomial of the security parameter. We assume that t∈[1,tmax] and the verification key at t 𝗏𝗄t is contained in 𝗏𝗄 ⁠. 𝖤𝗇𝖼 ⁠: The encryption algorithm takes as input 𝗉aram ⁠, t ⁠, a value xi,t∈ZM ⁠, and 𝗌ki ⁠, and outputs a ciphertext ci,t and a tag σi,t ⁠. Here, M is some fixed integer contained in 𝗉aram ⁠. 𝖠𝗀𝗀𝗋𝖣𝖾𝖼 ⁠: The aggregation and decryption algorithm takes as input 𝗉aram ⁠, t ⁠, and a set of ciphertexts and tags {(ci,t,σi,t)}i=1n ⁠, and 𝗌kA ⁠, and outputs Xt≔∑i=1nxi,tmodM ⁠, and the proof σt ⁠. 𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆 ⁠: The verification of aggregation algorithm takes as input 𝗉aram ⁠, t ⁠, 𝗏𝗄t and (Xt,σt) ⁠, and outputs one or 0. We require the following correctness. For all (𝗉𝖺𝗋𝖺𝗆,𝗌𝗄A,{𝗌𝗄i}i=1n,𝗏𝗄)←𝖲𝖾𝗍𝗎𝗉(1λ) ⁠, and (ci,t,σi,t)←𝖤𝗇𝖼(𝗉𝖺𝗋𝖺𝗆,t,xi,t,𝗌𝗄i) ⁠, and (Xt,σt)←𝖠𝗀𝗀𝗋𝖣𝖾𝖼(𝗉𝖺𝗋𝖺𝗆,t,{(ci,t,σi,t)}i=1n,𝗌𝗄A) ⁠, 𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆(𝗉𝖺𝗋𝖺𝗆,t,Xt,σt,𝗏𝗄t)=1 and Xt=∑i=1nxi,tmodM hold. Let us introduce the entities of the system and how to run the algorithms above as follows. We consider four entities, a trusted dealer, an aggregator, users and a data analyzer. First, the dealer runs (𝗉𝖺𝗋𝖺𝗆,𝗌𝗄A,{𝗌𝗄i}i=1n,𝗏𝗄)←𝖲𝖾𝗍𝗎𝗉(1λ) ⁠, and issues 𝗌𝗄A to the aggregator and 𝗌𝗄i to the user i ⁠, respectively, and publishes (𝗉𝖺𝗋𝖺𝗆,𝗏𝗄) ⁠.4 At time t ⁠, each user i encrypts xi,t such that (ci,t,σi,t)←𝖤𝗇𝖼(𝗉𝖺𝗋𝖺𝗆,t,xi,t,𝗌𝗄i) ⁠, and sends (ci,t,σi,t) to the aggregator. The aggregator runs (Xt,σt)←𝖠𝗀𝗀𝗋𝖣𝖾𝖼(𝗉𝖺𝗋𝖺𝗆,t,{(ci,t,σi,t)}i=1n,𝗌𝗄A) ⁠, and sends (Xt,σt) to the data analyzer. The data analyzer checks whether the computed aggregated sum Xt is correct by running 1/0←𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆(𝗉𝖺𝗋𝖺𝗆,t,Xt,σt,𝗏𝗄t) ⁠. 3.2. Security definitions Next, we define aggregator obliviousness. This requires that the aggregator cannot learn anything more than the aggregate value Xt for each time t ⁠. We additionally require that tags σi,t do not affect the security. Let st be state information that A can preserve any information, and st is used for transferring state information to the other stage. Let U be the whole set of users for which, at the end of the game, no encryption queries have been made on t* and no corruption queries have been made. The adversary indicates St*⊆U and obtains (ci,t*,σi,t*) for all i∈St* ⁠. Definition 3.2 (Aggregator obliviousness [10, 15]) For any PPT adversary Aand a security parameter λ∈N ⁠, we define the experiment ExpAAO(λ)as follows. If 𝗌𝗄Ais compromised at the end of the game and St*=U ⁠, then it is required that ∑i∈St*xi,t*(0)modM=∑i∈St*xi,t*(1)modM ⁠. ExpAAO(λ):(𝗉𝖺𝗋𝖺𝗆,𝗌𝗄A,{𝗌𝗄i}i=1n,𝗏𝗄)←𝖲𝖾𝗍𝗎𝗉(1λ)(St*,t*,{(xi,t*(0),xi,t*(1))}i∈St*)←AO𝖾nc,O𝖼orrupt(𝗉𝖺𝗋𝖺𝗆,𝗏𝗄,st);St*⊆Ub←${0,1}Foralli∈St*(ci,t*,σi,t*)←𝖤𝗇𝖼(𝗉𝖺𝗋𝖺𝗆,t,xi,t*(b),𝗌𝗄i)b′←AO𝖾nc,O𝖼orrupt({(ci,t*,σi,t*)}i∈St*,st)Ifb=b′,thenreturn1and0otherwise O𝖾nc ⁠: This encryption oracle takes as input a tuple (i,t,xi,t) ⁠, and returns (ci,t,σi,t)←𝖤𝗇𝖼(𝗉𝖺𝗋𝖺𝗆,t,xi,t,𝗌𝗄i) ⁠. Note that Ais not allowed to input (i,t*,·)where i∈St*to this oracle. O𝖼orrupt ⁠: This corruption oracle takes as input i∈[0,n] ⁠, and returns 𝗌𝗄i ⁠. If i=0 ⁠, then the oracle returns 𝗌𝗄A ⁠. Note that Ais not allowed to input i∈St*to this oracle.We say that an encryption scheme is aggregator obliviousness if the advantage AdvAAO(λ)≔2∣Pr[ExpAAO(λ)=1]−1/2∣is negligible for any PPT adversary A ⁠. Remark that the 𝖠𝗀𝗀𝗋𝖣𝖾𝖼 algorithm works only when all ciphertexts are collected. That is, if St* is a proper subset of U (⁠ St*⊊U ⁠), then there exist at least one ciphertext ci,t* such that i∈U⧹St* ⁠. In this case, the adversary cannot run the 𝖠𝗀𝗀𝗋𝖣𝖾𝖼 algorithm. Thus, as in the definition of Benhamouda et al. [10] and Shi et al. [1], we require that ∑i∈St*xi,t*(0)modM=∑i∈St*xi,t*(1)modM must be hold if 𝗌𝗄A is compromised by the adversary and St*=U ⁠. Though in the definition of Leontiadis et al. [15], 𝗌𝗄A is always given to the adversary and always the condition ∑i∈St*xi,t*(0)modM=∑i∈St*xi,t*(1)modM is required, we follow the definition given in [10, 1] where the adversary is allowed to select whether the adversary compromises 𝗌𝗄A or not. Next, we define aggregator unforgeability. This requires that an adversary (modeled as the malicious aggregator) cannot produce a forged tag σt that is accepted by the 𝖵erifySum algorithm. As in the definition of unforgeability given by Leontiadis et al. [15], we consider two cases: either the adversary does not obtain ciphertexts and tags at the challenge time t* (type I forgery) or the adversary has obtained all ciphertexts and tags {(ci,t*,σi,t*)}i=1n (type II forgery). In the type II forgery case, it is assumed that ciphertexts and tags are honestly generated, and A obtains ciphertexts and tags of all users in the system. Type I adversary captures the case that the aggregator tries to generate a forged tag σt at a future time t (i.e. users have not generated (ci,t,σi,t) ⁠). Type II adversary captures the case that the aggregator tries to generate a forged tag σt at a past/current time t (i.e. users have generated (ci,t,σi,t) ⁠). Definition 3.3 (Aggregator unforgeability [15]) For any PPT adversary Aand a security parameter λ∈N ⁠, we define the experiment ExpAAU(λ)as follows. ExpAAU(λ):(𝗉𝖺𝗋𝖺𝗆,𝗌𝗄A,{𝗌𝗄i}i=1n,𝗏𝗄)←𝖲𝖾𝗍𝗎𝗉(1λ)(t*,Xt*,σt*)←AO𝖾nc(𝗉𝖺𝗋𝖺𝗆,𝗌𝗄A,𝗏𝗄)Ifoneofthefollowingshold,thenreturn1and0otherwise(TypeI):𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆(𝗉𝖺𝗋𝖺𝗆,t*,Xt*,σt*,𝗏𝗄t*)=1∧Noencryptionoracleiscalledatt*(TypeII):𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆(𝗉𝖺𝗋𝖺𝗆,t*,Xt*,σt*,𝗏𝗄t*)=1∧Xt*≠∑i=1nxi,t*modM O𝖾𝗇𝖼 ⁠: This encryption oracle takes as input a tuple (i,t,xi,t) ⁠, and returns (ci,t,σi,t)←𝖤𝗇𝖼(𝗉𝖺𝗋𝖺𝗆,t,xi,t,𝗌𝗄i) ⁠.We say that an encryption scheme is aggregator unforgeable if the advantage AdvAAU(λ)≔Pr[ExpAAU(λ)=1]is negligible for any PPT adversary A ⁠. Next, we slightly weaken the definition of Leontiadis et al. in the following. In their definition, the adversary (modeled as the malicious aggregator) can adaptively choose xi,t and can obtain the corresponding (ci,t,σi,t) from the encryption oracle. This definition is an analogy of Existential Unforgeability against Chosen Message Attack (EUF-CMA) in the signature context where an adversary is allowed to obtain signatures on messages which are (adaptively) chosen by the adversary. However, in the actual situation, the aggregator does not decide xi,t ⁠, and just receives ci,t sent from users. Actually, in the smart meter setting, xi,t (such as power consumption) is measured by the meter. Thus, it seems reasonable to propose that the adversary just queries (i,t) to the encryption oracle, and the oracle chooses xi,t and returns the corresponding (ci,t,σi,t) to the adversary. Our definition is an analogy of Existential Unforgeability against Random Message Attack (EUF-RMA) in the signature context where an adversary is given signatures on randomly chosen messages. Definition 3.4 (Weak aggregator unforgeability) For any PPT adversary Aand a security parameter λ∈N ⁠, the experiment ExpAwAU(λ)is the same as ExpAAU(λ)except O𝖾𝗇𝖼 ⁠. O𝖾𝗇𝖼 ⁠: This encryption oracle takes as input a tuple (i,t) ⁠. The oracle chooses xi,tand returns (ci,t,σi,t)←𝖤𝗇𝖼(𝗉𝖺𝗋𝖺𝗆,t,xi,t,𝗌𝗄i) ⁠.We say that an encryption scheme is weakly aggregator unforgeable if the advantage AdvAwAU(λ)≔Pr[ExpAwAU(λ)=1]is negligible for any PPT adversary A ⁠. Regarding message space: As in the definition of previous works [1, 10, 15], for some fixed integer M ⁠, we assume that xi,t∈ZM and aggregator obliviousness requires the condition ∑i∈St*xi,t*(0)modM=∑i∈St*xi,t*(1)modM (when St*=U and 𝗌𝗄A is compromised). Since M=p ⁠, xi,t might be a large value even its summation is required to be sufficiently small for solving the discrete logarithm problem. In the definitions of aggregator obliviousness and aggregator unforgeability, an adversary chooses xi,t ⁠, and thus selecting such a large xi,t is acceptable (since this is just a strategy of the adversary). On the other hand, in the definition of weak aggregator unforgeability, the encryption oracle randomly chooses xi,t from ZM ⁠. If it is desirable to restrict xi,t to be small, then we can modify the definition of the encryption oracle such that the encryption oracle randomly chooses xi,t from a small message space. Then, each xi,t is not rounded up when its summation is computed by modulo p ⁠. Remark that this modification requires an additional reduction loss O(t𝗆𝖺𝗑) ⁠. In the security proof of the weak aggregator unforgeability, a part of mCDH instance a is embedded into xi,t ⁠, and thus xi,t is a random value of Zp ⁠. So, we need to define sequential of games, and replace ciphertexts and tags of xi,t to those of ri,t∈Zp or ∑i=1nxi,t−∑i=1n−1ri,t ⁠. This requires O(tmax) reduction loss, and requires O(tmax2) reduction loss from the advantage of the DDH problem in total. In this paper, we leave this additional reduction loss for selecting the underlying elliptic curve. 3.3. The DDH-based BJL scheme Benhamouda, Joye and Libert (BJL) [10] gave a generic construction of aggregator oblivious encryption from smooth projective hash functions [11]. Here, we introduce its DDH instantiation. The underlying idea is essentially the same as that of the She et al. aggregator oblivious encryption. The aggregator has keys (s0,t0) where s0+∑i=1nsi=0 and t0+∑i=1nti=0 ⁠, and this structure allows the aggregator to cancel out a part of ciphertext H1(t)∑i=1nsi and H2(t)∑i=1nti ⁠: 𝖲𝖾𝗍𝗎𝗉 ⁠: Let G1 be a DDH-hard group with λ-bit prime order p=M and g1 be a generator of G1 ⁠. Let Hi:Z→G1 (i=1,2) be hash functions. Choose s1,…,sn,t1,…,tn←$Zp ⁠, set s0=−∑i=1nsi and t0=−∑i=1nti ⁠. Output 𝗉𝖺𝗋𝖺𝗆=((p,g1,G1),H1,H2) ⁠, 𝗌𝗄A=(s0,t0) and 𝗌𝗄i=(si,ti) ⁠. 𝖤𝗇𝖼 ⁠: Parse 𝗌𝗄i=(si,ti) ⁠. For xi,t∈Zp ⁠, compute ci,t=g1xi,tH1(t)siH2(t)ti and output ci,t ⁠. 𝖠𝗀𝗀𝗋𝖣𝖾𝖼 ⁠: Parse 𝗌𝗄A=(s0,t0) ⁠. Compute Vt=H1(t)s0H2(t)t0∏i=1nci,t=g1Xt where Xt=∑i=1nxi,t ⁠, and solve the discrete logarithm Vt with respect to basis g1 ⁠. Output Xt ⁠. 4. PROPOSED CONSTRUCTION In this section, we give our scheme. For aggregator obliviousness, our scheme is tightly reduced to the DDH-based BJL scheme, and provides weak aggregator unforgeability. The unforgeability of our scheme relies on the mCDH assumption. 4.1. High-level description Aggregator obliviousness: We employ (Type 3) elliptic curves where G1≠G2 and no efficient isomorphism between G1 and G2 is known. Then, we run the BJL scheme [10] over the DDH-hard group G1 ⁠, and borrow the ciphertext form ci,t and secret keys 𝗌𝗄A and 𝗌𝗄i ⁠. Since the BJL scheme provides aggregator obliviousness under the DDH assumption, we can expect that our scheme is also aggregator obliviousness. In order to directly reduce the aggregator obliviousness of our scheme to that of the BJL scheme, we independently prepare the verification part. That is, we introduce vi,t for each user i and in the security proof, vi,t can be chosen independently from the BJL scheme. This setting allows us to compute the tag σi,t from ci,t and vi,t in the security proof. More precisely, the challenge ciphertexts and tags of our scheme {(ci,t*,σi,t*)}i∈St* can be constructed from the challenge ciphertext of the BJL scheme {ci,t*}i∈St* and the corresponding vi,t ⁠. Thus, we can construct an algorithm that breaks the aggregator obliviousness of the BJL scheme by using an adversary of our scheme. Remark that σi,t has the similar form of ci,t in our scheme due to this reason. This strategy has been considered by Leontiadis et al. [15]. They provided a reduction of their scheme to the Shi et al. scheme [1]. However, as mentioned by Benhamouda et al. [10], the security loss is O(tmaxn3) in the Shi et al. scheme, whereas it is O(tmax) in the BJL scheme. Thus, we have chosen the BJL scheme as the underlying scheme in this paper. Aggregator unforgeability: For public verification, we pay attention to that the form of the ciphertext ci,t of the BJL scheme is similar to a decryption key of the Boneh–Boyen identity-based encryption (IBE) scheme [62].5 Due to the above reason, the tag σi,t has the similar form of ci,t in our schemes. Since secure IBE implies a signature [63] (informally, ID is regarded as a message to be signed, and its decryption key is regarded as a signature), we can expect that σi,t is unforgeable. However, to utilize the Boneh–Boyen technique, Xt needs to be embedded into 𝗏𝗄 in the security proof. Here, we have two choices: whether 𝗏𝗄 is fixed in the setup phase or not. If 𝗏𝗄 is chosen by the honest dealer and is fixed in the setup phase, Xt is also required to be fixed in the setup phase (to utilize the security proof technique of selective-ID security of Boney–Boyen IBE), and therefore only weak aggregator unforgeability is provided. Moreover, since one Xt is embedded with one 𝗏𝗄 ⁠, long verification keys is also required where the size lineally depends on tmax ⁠. We set 𝗏𝗄={𝗏𝗄t}t∈[1,tmax] and 𝗏𝗄t≔g2∑i=1nvi,t for t∈[1,tmax] ⁠. We remark that no user is required to have the large-size verification key. Moreover, if a user i manages all vi,t for t∈[1,tmax] as its secret key 𝗌𝗄i ⁠, the secret key size also depends on tmax ⁠. To avoid such a large-size secret key, we additionally introduce a hash function H and a time-independent secret key vi ⁠, and we compute vi,t=H(vi,t) ⁠. That is, in the scheme vi,t is computed by H(vi,t) whereas in the security proof, vi,t is selected so as to utilize the Boneh–Boyen technique, and set H(vi,t)≔vi,t ⁠. This helps us to reduce the secret key size. 4.2. The proposed scheme The proposed scheme is given as follows. 𝖲𝖾𝗍𝗎𝗉(1λ) ⁠: Choose (p,e,g1,g2,G1,G2,GT) where G1 ⁠, G2 and GT are groups of λ-bit prime order p=M ⁠, g1∈G1 and g2∈G2 are generators, and e:G1×G2→GT is a bilinear map. Let H:Zp×[1,tmax]→Zp and Hi:Z→G1 (i=1,2,3,4,5) be hash functions. Choose γ,s1,…,sn,t1,…,tn,v1,…,vn←$Zp ⁠, compute vi,t=H(vi,t) for all i∈[1,n] and t∈[1,tmax] and set s0=−∑i=1nsi ⁠, t0=−∑i=1nti ⁠, h=g1γ ⁠, and Z=e(h,g2) ⁠. Output 𝗉𝖺𝗋𝖺𝗆=((p,e,g1,g2,G1,G2,GT),Z,H,H1,H2,H3,H4,H5) ⁠, 𝗌𝗄A=(s0,t0) ⁠, 𝗌𝗄i=(si,ti,vi,h) ⁠, and 𝗏𝗄={𝗏𝗄t}t∈[1,tmax] where 𝗏𝗄t=g2∑i=1nvi,t ⁠. 𝖤𝗇𝖼(𝗉𝖺𝗋𝖺𝗆,t,xi,t,𝗌𝗄i) ⁠: Parse 𝗌𝗄i=(si,ti,vi,h) ⁠. Compute vi,t=H(vi,t),ci,t=g1xi,tH1(t)siH2(t)ti and σi,t=hxi,tH3(t)siH4(t)tiH5(t)vi,t and output (ci,t,σi,t) ⁠. 𝖠𝗀𝗀𝗋𝖣𝖾𝖼(𝗉𝖺𝗋𝖺𝗆,t,{(ci,t,σi,t)}i=1n,𝗌𝗄A) ⁠: Parse 𝗌𝗄A=(s0,t0) ⁠. Compute Vt=H1(t)s0H2(t)t0∏i=1nci,t=g1Xt where Xt=∑i=1nxi,t ⁠, and solve the discrete logarithm Vt with respect to basis g1 ⁠. Moreover, compute σt=H3(t)s0H4(t)t0∏i=1nσi,t Output (Xt,σt) ⁠. 𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆(𝗉𝖺𝗋𝖺𝗆,t,Xt,σt,𝗏𝗄t) ⁠: Output one if e(σt,g2)e(H5(t),𝗏𝗄t)=ZXt holds. Otherwise, output 0. The correctness clearly holds from the following equations: H1(t)s0H2(t)t0∏i=1nci,t=H1(t)s0H2(t)t0∏i=1ng1xi,tH1(t)siH2(t)ti=H1(t)s0−∑i=1nsiH2(t)t0−∑i=1ntig1∑i=1nxi,t=g1Xtσt=H3(t)s0H4(t)t0∏i=1nσi,t=H3(t)s0H4(t)t0∏i=1nhxi,tH3(t)siH4(t)tiH5(t)vi,t=hXtH5(t)∑i=1nvi,te(σt,g2)=e(hXtH5(t)∑i=1nvi,t,g2)=e(h,g2)Xte(H5(t),g2∑i=1nvi,t)=ZXte(H5(t),𝗏𝗄t) 4.3. Security proofs Theorem 4.1 Our scheme provides aggregator obliviousness under the DDH assumption on G1 in the random oracle model. We consider the following two games. Game 0 is the original game. Game one is the same as Game 0 except that H3 and H4 are computed as H3(t)=H1(t)γ and H4(t)=H2(t)γ for some γ∈Zp ⁠. Since (H1(t),H2(t),H3(t),H4(t)) is a DDH tuple, this modification does not affect the security under the DDH assumption on G1 ⁠. Briefly, let (g1,g1′,g1r1,g1′r2)∈G14 be an DDH instance on G1 ⁠. For t∈[1,tmax] ⁠, choose t˜1,t˜2←$Zp ⁠, and set H1(t)≔g1t˜1 ⁠, H2(t)≔g1′t˜2 ⁠, H3(t)≔(g1r1)t˜1 ⁠, and H4(t)≔(g1′r2)t˜2 ⁠. Clearly, if the instance is not a DDH tuple, i.e. r1≠r2 ⁠, then we simulate Game 0, and if the instance is a DDH tuple, i.e. r1=r2 ⁠, then we simulate Game 1. In Game 1, we construct an algorithm B that breaks aggregator obliviousness of the BJL scheme as follows. Proof Let A be the adversary of our scheme, and C be the challenger of the BJL scheme. We construct an algorithm B that breaks aggregator obliviousness of the BJL scheme as follows. First, C prepares (p,e,g1,g2,G1,G2,GT,H1,H2) and sends it to B ⁠. B chooses γ,v1,…,vn,v1,1,…,vn,tmax←$Zp ⁠. B computes h=g1γ ⁠, Z=e(h,g2) ⁠, 𝗏𝗄i,t=g2vi,t for i∈[1,n] and t∈[1,tmax] ⁠, and 𝗏𝗄t=g2∑i=1nvi,t ⁠. B sets H(vi,t)≔vi,t for i∈[1,n] and t∈[1,tmax] ⁠. Remark that if A sends a hash query t ⁠, then B forwards it to C when A requests H1(t) or H2(t) ⁠. For H3 and H4 ⁠, B sets H3(t)=H1(t)γ and H4(t)=H2(t)γ ⁠, and returns the hash values. For H5 ⁠, B just returns a random value. B sends 𝗉𝖺𝗋𝖺𝗆=((p,e,g1,g2,G1,G2,GT),Z,H,H1,H2,H3,H4,H5) ⁠, {𝗏𝗄t}t∈[1,tmax] ⁠, and 𝗏𝗄 to A ⁠. If A sends an encryption query (i,t,xi,t) to B ⁠, then B forwards it to C as an encryption oracle, and obtains ci,t ⁠. B computes ci,tγH5(t)vi,t=hxi,tH3(t)siH4(t)tiH5(t)vi,t ⁠, and returns (ci,t,σi,t) to A ⁠. If A sends a corruption query i∈[0,n] to B ⁠, B forwards it to C as a corruption query, and obtains 𝗌𝗄A (if i=0 ⁠) or (si,ti) (if i∈[1,n] ⁠). If i=0 ⁠, then B returns 𝗌𝗄A to A ⁠. If i∈[1,n] ⁠, then B sets 𝗌𝗄i=(si,ti,vi,h) ⁠, and returns 𝗌𝗄i to A ⁠. We remark that if A sends a hash query (vi,t) ⁠, then B responds vi,t to A ⁠. In the challenge phase, A sends (St*,t*,{(xi,t*(0),xi,t*(1))}i∈St*) to B ⁠. Then, B forwards it to C as the challenge, and obtains {ci,t*}i∈St* ⁠. As in the response of encryption queries, B computes σi,t*=ci,t*γH5(t)vi,t* for i∈St* ⁠, and returns {(ci,t*,σi,t*)}i∈St* to A ⁠. B responds queries sent from A as in the previous phase. Finally, A outputs a bit b′ ⁠. B outputs b′ and then B can break aggregator obliviousness of the BJL scheme with the same advantage of A ⁠. This concludes the proof since the BJL scheme provides aggregator obliviousness under the DDH assumption on G1 in the random oracle model.□ Theorem 4.2 Our scheme is weakly aggregator unforgeable under the mCDH assumption in the random oracle model. For the proof of Type II forgery, our proof strategy is explained as follows. Again, (σt*,Xt*) must satisfy σt*=H5(t*)∑i=1nvi,thXt* ⁠. Though Z=e(h,g2) is published, h itself is not published (contained in 𝗌𝗄i ⁠). Thus, we set h=g1ab and simulate the encryption oracle by using the Boneh–Boyen technique. We embed 1/a to xi,t such that xi,t≔xi,t′/a for xi,t′∈Zp ⁠. This setting helps us to compute hxi,t=(g1ab)xi,t′/a=(g1b)xi,t′ without knowing h=g1ab ⁠. Remark that ciphertexts {ci,t} must be decryptable by the adversary, i.e., the discrete logarithm logg1Vt must be sufficiently small. If all xi,t are related to 1/a as above, then logg1Vt*=(∑i=1nxi,t′)/a is not computable. Thus, for relatively small Xt′ ⁠, we set xi,t≔xi,t′/a for i∈[1,n−1] and set xn,t≔Xt′−∑i=1n−1xi,t′/a ⁠. Then, ∑i=1nxi,t=Xt′ holds and logg1Vt=Xt′ is computable by the adversary as in the scheme. For simulation, we need to decide each Xt′ in the setup phase, and embed it to vn,t for utilizing the Boneh–Boyen technique. This is the reason why our scheme is weak aggregator unforgeable (⁠ xi,t is chosen by the oracle), and the size of verification keys linearly depend on t𝗆𝖺𝗑 ⁠. Remark that we can achieve a tight reduction (i.e., O(1) reduction loss) from the advantage of the mCDH problem, and this proof also works well for Type I forgery. That is, simply we assume that the encryption oracle at t* is not sent from A ⁠, choose Xt*′ randomly, and Xt*≠Xt*′ holds with overwhelming probability 1−1/p ⁠. Thus, we omit the proof for Type I forgery. Proof Let (p,e,g1,g2,G1,G2,GT,(g1a,g1b,g11/a,g2a)) be an instance of the modified CDH problem. We construct an algorithm B that computes g1ab by using an adversary A that breaks weak aggregator unforgeability of our scheme as follows. B sets 𝗉𝖺𝗋𝖺𝗆=(p,e,g1,g2,G1,G2,GT) ⁠, chooses γ ⁠, si ⁠, ti ⁠, 𝗌𝗄A ⁠, and vi,t for i=[1,n−1] and t∈[1,tmax] as usual. For t∈[1,tmax] ⁠, B chooses vn,t′←$Zp ⁠, and also chooses Xt′←$Zp such that the size of Xt′ is sufficiently small where the discrete logarithm problem g1Xt with respect to basis g1 can be solved. This is the necessary condition that ciphertexts can be decrypted by the adversary as in the scheme. For t∈[1,tmax] ⁠, B chooses t˜←$Zp and sets H5(t) as (g1b)t˜ ⁠. B implicitly sets vn,t=vn,t′+(−aXt′)/t˜ ⁠. B computes 𝗏𝗄t=(g2a)−Xt′/t˜g2vn,t′+∑i=1n−1vi,t ⁠. B implicitly sets h=g1ab and computes Z=e(g1b,g2a)=e(h,g2) ⁠. B sends (𝗉arams,𝗌𝗄A,𝗏𝗄={𝗏𝗄t}t∈[1,tmax]) to A ⁠. For responding an encryption query (i,t) ⁠, B computes (ci,t,σi,t) as follows. B chooses xi,t′←$Zp for i∈[1,n−1] and implicitly sets xi,t as xi,t=xi,t′/a(i∈[1,n−1])Xt′−∑i=1n−1xi,t′/a(i=n) and computes i∈[1,n−1]:ci,t=(g11/a)xi,t′H1(t)siH2(t)ti=g1xi,t′/aH1(t)siH2(t)ti=g1xi,tH1(t)siH2(t)tii=n:ci,t=g1Xt′(g11/a)−∑i=1n−1xi,t′H1(t)siH2(t)ti=g1Xt′−∑i=1n−1xi,t′/aH1(t)siH2(t)ti=g1xi,tH1(t)siH2(t)ti and i∈[1,n−1]:σi,t=(g1b)xi,t′H3(t)siH4(t)tiH5(t)vi,t=(g1ab)xi,t′/aH3(t)siH4(t)tiH5(t)vi,t=hxi,tH3(t)siH4(t)tiH5(t)vi,ti=n:σi,t=(g1b)−∑i=1n−1xi,t′+t˜vn,t′H3(t)siH4(t)ti=(g1ab)Xt′(g1b)−∑i=1n−1xi,t′(g1−ab)Xt′(g1b)t˜vn,t′×H3(t)siH4(t)ti=(g1ab)Xt′(g1ab)−∑i=1n−1xi,t′/a(g1−ab)Xt′(g1b)t˜vn,t′×H3(t)siH4(t)ti=(g1ab)Xt′−∑i=1n−1xi,t′/aH3(t)siH4(t)ti×((g1b)t˜)vn,t′+(−aXt′)/t˜=hxi,tH3(t)siH4(t)tiH5(t)vi,t Remark that ∑i=1nxi,t=Xt′ and {ci,t}i∈[1,n] can be decrypted by the adversary who has 𝗌𝗄A ⁠. Finally, A outputs (t*,Xt*,σt*) where t*∈[1,t𝗆𝖺𝗑] and Xt*≠Xt*′ ⁠. From the verification equation, (σt*,Xt*) must satisfy σt*=H5(t*)∑i=1nvi,t*hXt* ⁠. Here, σt*=H5(t*)∑i=1nvi,t*hXt*=((g1b)t*˜)vn,t*′+(−aXt*′/t*˜)+∑i=1n−1vi,t*(g1ab)Xt*=(g1ab)Xt*−Xt*′(g1b)t*˜(vn,t*′+∑i=1n−1vi,t*) holds. B computes (σt*/(g1b)t*˜(vn,t*′+∑i=1n−1vi,t*))1/(Xt*−Xt*′)=g1ab and solves the mCDH problem.□ 5. IMPLEMENTATION In this section, we give our implementation results. 5.1. Selection of message spaces and devices Our scheme and the LEOM scheme employ the lifted ElGamal encryption approach [8], and therefore Xt=∑i=1nxi,t needs to be suitably small since the aggregator is required to solve the discrete logarithm gXt with respect to basis g ⁠. More specifically, in the 𝖠ggrDec algorithm, the aggregator is required to solve the ECDLP. Thus, before selecting devices, we need to decide how to adequately select message space. We set the message space by considering the capability of a commercially available smart meter. Specifically, we adopt a smart meter produced by Mitsubishi Electric (M5KM-RL) that displays a six-digit decimal number. Thus, we assume that the size of the message space is 220 which is enough to express 6-digit decimal number, and assume that xi,t is less than 220 ⁠. Moreover, since we set n=t𝗆𝖺𝗑=220 as in Benhamouda et al. [10], the size of Xt=∑i=1nxi,t can be approximately 240 ⁠. In conclusion, we select a Raspberry-Pi as the users’ device, a somewhat rich machine (workstation) as the aggregator’s device to solve the ECDLP, and a typical laptop PC as the data analyzer’s devices. See Table 2 for details. Table 2. Devices. Raspberry-Pi (user) CPU ARMv7 Processor rev 4 (v7l) Memory 1GB OS Linux version 4.4.50-v7+ Library PBC (ver. pbc-0.5.14), OpenSSL (ver. 1.0.1 t) Workstation (Aggregator) CPU intel Core i7-6950X (3.00 GHz) Memory 64GB OS Linux version 3.16.0-4-amd64 Library PBC (ver pbc-0.5.14), OpenSSL (ver. 1.0.1 t) Laptop (Data Analyzer) CPU Intel Core i5-5200U (2.20 GHz) Memory 16GB OS Linux version 3.16.0-4-amd64 Library PBC (ver pbc-0.5.14), OpenSSL (ver. 1.0.1k) Raspberry-Pi (user) CPU ARMv7 Processor rev 4 (v7l) Memory 1GB OS Linux version 4.4.50-v7+ Library PBC (ver. pbc-0.5.14), OpenSSL (ver. 1.0.1 t) Workstation (Aggregator) CPU intel Core i7-6950X (3.00 GHz) Memory 64GB OS Linux version 3.16.0-4-amd64 Library PBC (ver pbc-0.5.14), OpenSSL (ver. 1.0.1 t) Laptop (Data Analyzer) CPU Intel Core i5-5200U (2.20 GHz) Memory 16GB OS Linux version 3.16.0-4-amd64 Library PBC (ver pbc-0.5.14), OpenSSL (ver. 1.0.1k) View Large Table 2. Devices. Raspberry-Pi (user) CPU ARMv7 Processor rev 4 (v7l) Memory 1GB OS Linux version 4.4.50-v7+ Library PBC (ver. pbc-0.5.14), OpenSSL (ver. 1.0.1 t) Workstation (Aggregator) CPU intel Core i7-6950X (3.00 GHz) Memory 64GB OS Linux version 3.16.0-4-amd64 Library PBC (ver pbc-0.5.14), OpenSSL (ver. 1.0.1 t) Laptop (Data Analyzer) CPU Intel Core i5-5200U (2.20 GHz) Memory 16GB OS Linux version 3.16.0-4-amd64 Library PBC (ver pbc-0.5.14), OpenSSL (ver. 1.0.1k) Raspberry-Pi (user) CPU ARMv7 Processor rev 4 (v7l) Memory 1GB OS Linux version 4.4.50-v7+ Library PBC (ver. pbc-0.5.14), OpenSSL (ver. 1.0.1 t) Workstation (Aggregator) CPU intel Core i7-6950X (3.00 GHz) Memory 64GB OS Linux version 3.16.0-4-amd64 Library PBC (ver pbc-0.5.14), OpenSSL (ver. 1.0.1 t) Laptop (Data Analyzer) CPU Intel Core i5-5200U (2.20 GHz) Memory 16GB OS Linux version 3.16.0-4-amd64 Library PBC (ver pbc-0.5.14), OpenSSL (ver. 1.0.1k) View Large 5.2. Parameters In this section, we generate parameters for BN curves with a 383-bit prime order (Table 3) and a 1031-bit prime order (Table 4) by using the PairingParametersGenerator API supported by jPBC [34]. BN curves are categorized as ‘Type F’ in the PBC library. Let q be a prime number such that the curve y2=x3+b is defined over Fq ⁠, p is the order of the curve, β is a quadratic non-residue in Fq that is used in a quadratic extension, and α0 and α1 are required to satisfy the condition that x6+α0+α1β is irreducible, which is used in a sextic extension. We note that although ‘ r’ is used as the order of the curve in the manual of the PBC library, we use p in this paper to fit our notation. Table 3. A BN curve with 383-bit prime order. q 554 0907 1213 6797 3639 2267 4084 5203 0718 3891 9652 3719 5712 1012 1879 9754 9061 4888 8465 8969 7278 4536 0561 7394 8422 5463 1639 0767 3623 p 554 0907 1213 6797 3639 2267 4084 5203 0718 3891 9652 3719 5712 1012 1856 4363 5910 7188 7937 2531 3066 3505 8112 5891 5063 3675 4804 2612 0049 b 199 7204 2896 1505 7743 9108 1856 6993 7137 7669 9607 8645 6725 5276 7806 1315 4205 1293 2651 0703 0364 6929 5659 6378 9382 7436 8048 3689 7887 β 334 0266 5960 6719 7980 2871 5438 7947 7228 1833 7211 8015 6272 4530 4189 8183 7208 0724 5546 3700 4534 0012 1513 4585 1823 6246 2475 4093 1158 α0 527 3826 8730 3625 0969 1428 5472 6290 9215 5341 1171 9191 2570 9965 5330 7951 9819 9007 5035 5032 9492 5270 5514 8765 6564 3889 6535 1039 5601 α1 197 3328 7850 2583 3036 3192 8783 9206 2652 8419 5921 5771 2523 0362 1672 5786 2037 6060 5025 7517 3657 8582 6365 5915 5099 0899 0403 6264 6691 q 554 0907 1213 6797 3639 2267 4084 5203 0718 3891 9652 3719 5712 1012 1879 9754 9061 4888 8465 8969 7278 4536 0561 7394 8422 5463 1639 0767 3623 p 554 0907 1213 6797 3639 2267 4084 5203 0718 3891 9652 3719 5712 1012 1856 4363 5910 7188 7937 2531 3066 3505 8112 5891 5063 3675 4804 2612 0049 b 199 7204 2896 1505 7743 9108 1856 6993 7137 7669 9607 8645 6725 5276 7806 1315 4205 1293 2651 0703 0364 6929 5659 6378 9382 7436 8048 3689 7887 β 334 0266 5960 6719 7980 2871 5438 7947 7228 1833 7211 8015 6272 4530 4189 8183 7208 0724 5546 3700 4534 0012 1513 4585 1823 6246 2475 4093 1158 α0 527 3826 8730 3625 0969 1428 5472 6290 9215 5341 1171 9191 2570 9965 5330 7951 9819 9007 5035 5032 9492 5270 5514 8765 6564 3889 6535 1039 5601 α1 197 3328 7850 2583 3036 3192 8783 9206 2652 8419 5921 5771 2523 0362 1672 5786 2037 6060 5025 7517 3657 8582 6365 5915 5099 0899 0403 6264 6691 View Large Table 3. A BN curve with 383-bit prime order. q 554 0907 1213 6797 3639 2267 4084 5203 0718 3891 9652 3719 5712 1012 1879 9754 9061 4888 8465 8969 7278 4536 0561 7394 8422 5463 1639 0767 3623 p 554 0907 1213 6797 3639 2267 4084 5203 0718 3891 9652 3719 5712 1012 1856 4363 5910 7188 7937 2531 3066 3505 8112 5891 5063 3675 4804 2612 0049 b 199 7204 2896 1505 7743 9108 1856 6993 7137 7669 9607 8645 6725 5276 7806 1315 4205 1293 2651 0703 0364 6929 5659 6378 9382 7436 8048 3689 7887 β 334 0266 5960 6719 7980 2871 5438 7947 7228 1833 7211 8015 6272 4530 4189 8183 7208 0724 5546 3700 4534 0012 1513 4585 1823 6246 2475 4093 1158 α0 527 3826 8730 3625 0969 1428 5472 6290 9215 5341 1171 9191 2570 9965 5330 7951 9819 9007 5035 5032 9492 5270 5514 8765 6564 3889 6535 1039 5601 α1 197 3328 7850 2583 3036 3192 8783 9206 2652 8419 5921 5771 2523 0362 1672 5786 2037 6060 5025 7517 3657 8582 6365 5915 5099 0899 0403 6264 6691 q 554 0907 1213 6797 3639 2267 4084 5203 0718 3891 9652 3719 5712 1012 1879 9754 9061 4888 8465 8969 7278 4536 0561 7394 8422 5463 1639 0767 3623 p 554 0907 1213 6797 3639 2267 4084 5203 0718 3891 9652 3719 5712 1012 1856 4363 5910 7188 7937 2531 3066 3505 8112 5891 5063 3675 4804 2612 0049 b 199 7204 2896 1505 7743 9108 1856 6993 7137 7669 9607 8645 6725 5276 7806 1315 4205 1293 2651 0703 0364 6929 5659 6378 9382 7436 8048 3689 7887 β 334 0266 5960 6719 7980 2871 5438 7947 7228 1833 7211 8015 6272 4530 4189 8183 7208 0724 5546 3700 4534 0012 1513 4585 1823 6246 2475 4093 1158 α0 527 3826 8730 3625 0969 1428 5472 6290 9215 5341 1171 9191 2570 9965 5330 7951 9819 9007 5035 5032 9492 5270 5514 8765 6564 3889 6535 1039 5601 α1 197 3328 7850 2583 3036 3192 8783 9206 2652 8419 5921 5771 2523 0362 1672 5786 2037 6060 5025 7517 3657 8582 6365 5915 5099 0899 0403 6264 6691 View Large Table 4. A BN curve with 1031-bit prime order. q 64 7169 5285 5043 3726 7825 4986 8684 0489 0410 2471 7124 1923 0366 1843 4829 2167 8376 3319 3067 3038 3374 8313 0909 9469 9536 8499 0764 4319 6544 2244 0319 5468 0981 7995 1279 6113 8401 3950 2686 8742 4299 9848 3061 7610 3702 7360 2345 1331 8562 4880 5022 2078 4772 1760 7189 2478 6452 2888 9704 0871 8165 6129 7640 4511 9813 9137 0555 8616 6381 2366 6664 1958 9764 9462 5397 7403 2973 p 64 7169 5285 5043 3726 7825 4986 8684 0489 0410 2471 7124 1923 0366 1843 4829 2167 8376 3319 3067 3038 3374 8313 0909 9469 9536 8499 0764 4319 6544 2244 0319 5468 0981 7995 1279 6113 8401 3950 1882 4057 6720 3292 4802 0166 2202 8436 7268 3683 0942 9956 9478 6051 8430 8074 0956 1894 4465 6008 0323 8945 6964 8331 4933 0285 2007 0619 5629 4405 3891 2534 0957 2614 3378 1207 4293 0487 1477 b 9 3201 3979 4183 5371 5104 9485 3394 1014 1304 6177 3902 9076 0038 5001 1954 6179 9111 1434 9459 1621 7661 1511 4200 3023 5782 1102 8941 6012 0389 2609 9385 1323 9839 1378 1023 3215 9656 6441 6649 9045 4101 1122 6489 7346 8852 3667 6328 0501 2014 3509 7740 6311 3824 7068 0290 7823 5268 3675 4712 6205 4142 9721 5845 0883 5779 0405 6351 9242 0206 3902 0779 3279 7597 8696 4220 3025 7827 β 47 9706 1105 3414 7850 6474 1897 4025 3155 9392 6096 4509 5940 4432 3584 5388 7120 1193 6179 8567 2612 6240 2542 6897 5492 5537 8963 9260 6599 3978 0867 5424 4669 8360 8138 6539 3586 6332 2291 8832 6097 4428 8452 0019 0232 2912 6602 8063 2534 0030 4974 5592 0508 3317 9746 5387 8453 7936 4861 4213 5627 3149 3904 6263 8091 8436 5493 1807 0751 4863 3746 7588 5948 6206 0169 4444 7873 9946 α0 6 9721 3980 3945 4066 3515 5014 6512 5255 7850 0911 0129 3974 5703 3183 9686 1383 7950 5815 0718 2501 2961 7891 1946 3104 9827 2068 9379 6120 4147 5717 7965 0110 6264 6644 2215 5604 0593 0989 5959 5305 6963 5790 5998 4200 8873 6791 8797 2630 2603 4579 1373 2637 9172 5869 0407 6168 1589 0408 9934 2301 1259 3014 8305 5903 2925 2295 0204 2324 7775 5158 3458 8105 1668 0885 6520 1195 8333 α1 40 8162 9392 2549 2286 5703 1423 1664 2566 2410 3291 2364 2484 8660 4172 3069 1630 5512 0129 3939 2739 0786 6762 3524 2855 8366 8495 0406 9937 7964 6000 6078 6515 0387 8920 3423 4055 9893 8099 6989 8454 2185 3921 5602 3999 9052 2665 5453 6485 2992 2590 1176 6690 6325 3020 6627 2422 9248 5114 8619 2852 9965 7434 5557 2043 1680 1676 6152 6316 3074 1705 6935 8978 8184 9544 6016 3792 7526 q 64 7169 5285 5043 3726 7825 4986 8684 0489 0410 2471 7124 1923 0366 1843 4829 2167 8376 3319 3067 3038 3374 8313 0909 9469 9536 8499 0764 4319 6544 2244 0319 5468 0981 7995 1279 6113 8401 3950 2686 8742 4299 9848 3061 7610 3702 7360 2345 1331 8562 4880 5022 2078 4772 1760 7189 2478 6452 2888 9704 0871 8165 6129 7640 4511 9813 9137 0555 8616 6381 2366 6664 1958 9764 9462 5397 7403 2973 p 64 7169 5285 5043 3726 7825 4986 8684 0489 0410 2471 7124 1923 0366 1843 4829 2167 8376 3319 3067 3038 3374 8313 0909 9469 9536 8499 0764 4319 6544 2244 0319 5468 0981 7995 1279 6113 8401 3950 1882 4057 6720 3292 4802 0166 2202 8436 7268 3683 0942 9956 9478 6051 8430 8074 0956 1894 4465 6008 0323 8945 6964 8331 4933 0285 2007 0619 5629 4405 3891 2534 0957 2614 3378 1207 4293 0487 1477 b 9 3201 3979 4183 5371 5104 9485 3394 1014 1304 6177 3902 9076 0038 5001 1954 6179 9111 1434 9459 1621 7661 1511 4200 3023 5782 1102 8941 6012 0389 2609 9385 1323 9839 1378 1023 3215 9656 6441 6649 9045 4101 1122 6489 7346 8852 3667 6328 0501 2014 3509 7740 6311 3824 7068 0290 7823 5268 3675 4712 6205 4142 9721 5845 0883 5779 0405 6351 9242 0206 3902 0779 3279 7597 8696 4220 3025 7827 β 47 9706 1105 3414 7850 6474 1897 4025 3155 9392 6096 4509 5940 4432 3584 5388 7120 1193 6179 8567 2612 6240 2542 6897 5492 5537 8963 9260 6599 3978 0867 5424 4669 8360 8138 6539 3586 6332 2291 8832 6097 4428 8452 0019 0232 2912 6602 8063 2534 0030 4974 5592 0508 3317 9746 5387 8453 7936 4861 4213 5627 3149 3904 6263 8091 8436 5493 1807 0751 4863 3746 7588 5948 6206 0169 4444 7873 9946 α0 6 9721 3980 3945 4066 3515 5014 6512 5255 7850 0911 0129 3974 5703 3183 9686 1383 7950 5815 0718 2501 2961 7891 1946 3104 9827 2068 9379 6120 4147 5717 7965 0110 6264 6644 2215 5604 0593 0989 5959 5305 6963 5790 5998 4200 8873 6791 8797 2630 2603 4579 1373 2637 9172 5869 0407 6168 1589 0408 9934 2301 1259 3014 8305 5903 2925 2295 0204 2324 7775 5158 3458 8105 1668 0885 6520 1195 8333 α1 40 8162 9392 2549 2286 5703 1423 1664 2566 2410 3291 2364 2484 8660 4172 3069 1630 5512 0129 3939 2739 0786 6762 3524 2855 8366 8495 0406 9937 7964 6000 6078 6515 0387 8920 3423 4055 9893 8099 6989 8454 2185 3921 5602 3999 9052 2665 5453 6485 2992 2590 1176 6690 6325 3020 6627 2422 9248 5114 8619 2852 9965 7434 5557 2043 1680 1676 6152 6316 3074 1705 6935 8978 8184 9544 6016 3792 7526 View Large Table 4. A BN curve with 1031-bit prime order. q 64 7169 5285 5043 3726 7825 4986 8684 0489 0410 2471 7124 1923 0366 1843 4829 2167 8376 3319 3067 3038 3374 8313 0909 9469 9536 8499 0764 4319 6544 2244 0319 5468 0981 7995 1279 6113 8401 3950 2686 8742 4299 9848 3061 7610 3702 7360 2345 1331 8562 4880 5022 2078 4772 1760 7189 2478 6452 2888 9704 0871 8165 6129 7640 4511 9813 9137 0555 8616 6381 2366 6664 1958 9764 9462 5397 7403 2973 p 64 7169 5285 5043 3726 7825 4986 8684 0489 0410 2471 7124 1923 0366 1843 4829 2167 8376 3319 3067 3038 3374 8313 0909 9469 9536 8499 0764 4319 6544 2244 0319 5468 0981 7995 1279 6113 8401 3950 1882 4057 6720 3292 4802 0166 2202 8436 7268 3683 0942 9956 9478 6051 8430 8074 0956 1894 4465 6008 0323 8945 6964 8331 4933 0285 2007 0619 5629 4405 3891 2534 0957 2614 3378 1207 4293 0487 1477 b 9 3201 3979 4183 5371 5104 9485 3394 1014 1304 6177 3902 9076 0038 5001 1954 6179 9111 1434 9459 1621 7661 1511 4200 3023 5782 1102 8941 6012 0389 2609 9385 1323 9839 1378 1023 3215 9656 6441 6649 9045 4101 1122 6489 7346 8852 3667 6328 0501 2014 3509 7740 6311 3824 7068 0290 7823 5268 3675 4712 6205 4142 9721 5845 0883 5779 0405 6351 9242 0206 3902 0779 3279 7597 8696 4220 3025 7827 β 47 9706 1105 3414 7850 6474 1897 4025 3155 9392 6096 4509 5940 4432 3584 5388 7120 1193 6179 8567 2612 6240 2542 6897 5492 5537 8963 9260 6599 3978 0867 5424 4669 8360 8138 6539 3586 6332 2291 8832 6097 4428 8452 0019 0232 2912 6602 8063 2534 0030 4974 5592 0508 3317 9746 5387 8453 7936 4861 4213 5627 3149 3904 6263 8091 8436 5493 1807 0751 4863 3746 7588 5948 6206 0169 4444 7873 9946 α0 6 9721 3980 3945 4066 3515 5014 6512 5255 7850 0911 0129 3974 5703 3183 9686 1383 7950 5815 0718 2501 2961 7891 1946 3104 9827 2068 9379 6120 4147 5717 7965 0110 6264 6644 2215 5604 0593 0989 5959 5305 6963 5790 5998 4200 8873 6791 8797 2630 2603 4579 1373 2637 9172 5869 0407 6168 1589 0408 9934 2301 1259 3014 8305 5903 2925 2295 0204 2324 7775 5158 3458 8105 1668 0885 6520 1195 8333 α1 40 8162 9392 2549 2286 5703 1423 1664 2566 2410 3291 2364 2484 8660 4172 3069 1630 5512 0129 3939 2739 0786 6762 3524 2855 8366 8495 0406 9937 7964 6000 6078 6515 0387 8920 3423 4055 9893 8099 6989 8454 2185 3921 5602 3999 9052 2665 5453 6485 2992 2590 1176 6690 6325 3020 6627 2422 9248 5114 8619 2852 9965 7434 5557 2043 1680 1676 6152 6316 3074 1705 6935 8978 8184 9544 6016 3792 7526 q 64 7169 5285 5043 3726 7825 4986 8684 0489 0410 2471 7124 1923 0366 1843 4829 2167 8376 3319 3067 3038 3374 8313 0909 9469 9536 8499 0764 4319 6544 2244 0319 5468 0981 7995 1279 6113 8401 3950 2686 8742 4299 9848 3061 7610 3702 7360 2345 1331 8562 4880 5022 2078 4772 1760 7189 2478 6452 2888 9704 0871 8165 6129 7640 4511 9813 9137 0555 8616 6381 2366 6664 1958 9764 9462 5397 7403 2973 p 64 7169 5285 5043 3726 7825 4986 8684 0489 0410 2471 7124 1923 0366 1843 4829 2167 8376 3319 3067 3038 3374 8313 0909 9469 9536 8499 0764 4319 6544 2244 0319 5468 0981 7995 1279 6113 8401 3950 1882 4057 6720 3292 4802 0166 2202 8436 7268 3683 0942 9956 9478 6051 8430 8074 0956 1894 4465 6008 0323 8945 6964 8331 4933 0285 2007 0619 5629 4405 3891 2534 0957 2614 3378 1207 4293 0487 1477 b 9 3201 3979 4183 5371 5104 9485 3394 1014 1304 6177 3902 9076 0038 5001 1954 6179 9111 1434 9459 1621 7661 1511 4200 3023 5782 1102 8941 6012 0389 2609 9385 1323 9839 1378 1023 3215 9656 6441 6649 9045 4101 1122 6489 7346 8852 3667 6328 0501 2014 3509 7740 6311 3824 7068 0290 7823 5268 3675 4712 6205 4142 9721 5845 0883 5779 0405 6351 9242 0206 3902 0779 3279 7597 8696 4220 3025 7827 β 47 9706 1105 3414 7850 6474 1897 4025 3155 9392 6096 4509 5940 4432 3584 5388 7120 1193 6179 8567 2612 6240 2542 6897 5492 5537 8963 9260 6599 3978 0867 5424 4669 8360 8138 6539 3586 6332 2291 8832 6097 4428 8452 0019 0232 2912 6602 8063 2534 0030 4974 5592 0508 3317 9746 5387 8453 7936 4861 4213 5627 3149 3904 6263 8091 8436 5493 1807 0751 4863 3746 7588 5948 6206 0169 4444 7873 9946 α0 6 9721 3980 3945 4066 3515 5014 6512 5255 7850 0911 0129 3974 5703 3183 9686 1383 7950 5815 0718 2501 2961 7891 1946 3104 9827 2068 9379 6120 4147 5717 7965 0110 6264 6644 2215 5604 0593 0989 5959 5305 6963 5790 5998 4200 8873 6791 8797 2630 2603 4579 1373 2637 9172 5869 0407 6168 1589 0408 9934 2301 1259 3014 8305 5903 2925 2295 0204 2324 7775 5158 3458 8105 1668 0885 6520 1195 8333 α1 40 8162 9392 2549 2286 5703 1423 1664 2566 2410 3291 2364 2484 8660 4172 3069 1630 5512 0129 3939 2739 0786 6762 3524 2855 8366 8495 0406 9937 7964 6000 6078 6515 0387 8920 3423 4055 9893 8099 6989 8454 2185 3921 5602 3999 9052 2665 5453 6485 2992 2590 1176 6690 6325 3020 6627 2422 9248 5114 8619 2852 9965 7434 5557 2043 1680 1676 6152 6316 3074 1705 6935 8978 8184 9544 6016 3792 7526 View Large For the curve with a 383-bit order, the sizes of an element in G1 ⁠, an element in G2 ⁠, and an element in GT are 96 bytes, 192 bytes and 576 bytes. For the curve with a 1031-bit order, the sizes of an element in G1 ⁠, an element in G2 ⁠, and an element in GT are 258 bytes, 516 bytes and 1548 bytes. 5.3. Benchmarks We list benchmarks for each device in Table 5. For our scheme and the LEOM scheme, we employ the parameters presented in Tables 3 and 4, respectively. Here, Map to Point indicates a running time of hash functions H1,…,H5 whose range is G1 ⁠. Hash is the running time of the hash function H whose range is Zp ⁠. EXP stands for exponentiation, and MUL stands for multiplication. In terms of the size of a for computing g1a ⁠, we distinguish two cases. If a is randomly chosen from Zp ⁠, then we denote ‘EXP in G1 (random)’. If a belongs to [1,220] ⁠, then we denote ‘EXP in G1 (small)’. This computation appears when a user computes g1xi,t and hxi,t ⁠. If a belongs to [1,240] ⁠, then we denote ‘EXP in G1 (large)’. This computation appears in the verification algorithm in the LEOM scheme. To solve the ECDLP problem, we employ the Baby-Step Giant-Step (BSGS) algorithm. Since we can assume that Xt is sufficiently small and we set n=220 and assume that xi,t is less than 220 ⁠, we set ∣Xmax∣=240 in our implementation where Xmax is the maximum size of the solution of the ECDLP problem. This setting allows us to reduce the size of the table to be searched. Table 5. Benchmarks (ms). Devices Operations LEOM Our scheme Raspberry-Pi Map to Point 13.528 0.618 (User) Hash – 0.066 EXP in G1 (random) 153.952 15.688 EXP in G1 (small) 3.243 0.867 MUL in G1 0.106 0.028 Workstation Map to Point 0.808 0.053 (Aggregator) EXP in G1 (random) 17.033 5.690 MUL in G1 0.012 0.004 BSGS (n=220) 30 034.493 11 176.742 Laptop Map to Point 0.894 0.048 (Data analyzer) Pairing 454.386 71.669 EXP in G1 (large) 0.783 – EXP in GT – 1.519 MUL in GT 0.079 0.035 Devices Operations LEOM Our scheme Raspberry-Pi Map to Point 13.528 0.618 (User) Hash – 0.066 EXP in G1 (random) 153.952 15.688 EXP in G1 (small) 3.243 0.867 MUL in G1 0.106 0.028 Workstation Map to Point 0.808 0.053 (Aggregator) EXP in G1 (random) 17.033 5.690 MUL in G1 0.012 0.004 BSGS (n=220) 30 034.493 11 176.742 Laptop Map to Point 0.894 0.048 (Data analyzer) Pairing 454.386 71.669 EXP in G1 (large) 0.783 – EXP in GT – 1.519 MUL in GT 0.079 0.035 View Large Table 5. Benchmarks (ms). Devices Operations LEOM Our scheme Raspberry-Pi Map to Point 13.528 0.618 (User) Hash – 0.066 EXP in G1 (random) 153.952 15.688 EXP in G1 (small) 3.243 0.867 MUL in G1 0.106 0.028 Workstation Map to Point 0.808 0.053 (Aggregator) EXP in G1 (random) 17.033 5.690 MUL in G1 0.012 0.004 BSGS (n=220) 30 034.493 11 176.742 Laptop Map to Point 0.894 0.048 (Data analyzer) Pairing 454.386 71.669 EXP in G1 (large) 0.783 – EXP in GT – 1.519 MUL in GT 0.079 0.035 Devices Operations LEOM Our scheme Raspberry-Pi Map to Point 13.528 0.618 (User) Hash – 0.066 EXP in G1 (random) 153.952 15.688 EXP in G1 (small) 3.243 0.867 MUL in G1 0.106 0.028 Workstation Map to Point 0.808 0.053 (Aggregator) EXP in G1 (random) 17.033 5.690 MUL in G1 0.012 0.004 BSGS (n=220) 30 034.493 11 176.742 Laptop Map to Point 0.894 0.048 (Data analyzer) Pairing 454.386 71.669 EXP in G1 (large) 0.783 – EXP in GT – 1.519 MUL in GT 0.079 0.035 View Large 5.4. Implementation results and comparison Here, we compare the efficiency of our scheme with that of the LEOM scheme.6 We list the numbers of operations in Table 6. As the table shows, our scheme requires more operations compared to the LEOM scheme. However, as the benchmarks (Table 5) show, the running time of each operation in the curve with a 383-bit order is faster than that in the curve with a 1031-bit order. Thus, we can expect that our scheme is more efficient than the LEOM scheme. We confirm that our expectation is correct by listing our implementation results in Table 7. Consequently, we demonstrate that the running time of the data encryption, data aggregation and verification in our scheme are reduced by approximately 74%, 64% and 89%, respectively, compared to those of the LEOM scheme. Moreover, we confirm that both schemes complete all procedures (i.e. data encryption, data aggregation and verification) within 15 min which is required when using Benhamouda et al.’s setting. Table 6. The number of operations. Entity Operations LEOM Our scheme User Map to Point 1 5 (⁠ 𝖤𝗇𝖼 ⁠) Hash – 1 EXP in G1 (random) 2 5 EXP in G1 (small) 2 2 MUL in G1 2 5 Aggregator Map to Point 1 5 (⁠ 𝖠ggrDec ⁠) EXP in G1 (random) 1 4 MUL in G1 2 n − 1 2 n + 2 Data Analyzer Map to Point 1 1 (⁠ 𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆 ⁠) Pairing 3 2 EXP in G1 (large) 1 – EXP in GT – 1 MUL in GT 1 1 Entity Operations LEOM Our scheme User Map to Point 1 5 (⁠ 𝖤𝗇𝖼 ⁠) Hash – 1 EXP in G1 (random) 2 5 EXP in G1 (small) 2 2 MUL in G1 2 5 Aggregator Map to Point 1 5 (⁠ 𝖠ggrDec ⁠) EXP in G1 (random) 1 4 MUL in G1 2 n − 1 2 n + 2 Data Analyzer Map to Point 1 1 (⁠ 𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆 ⁠) Pairing 3 2 EXP in G1 (large) 1 – EXP in GT – 1 MUL in GT 1 1 View Large Table 6. The number of operations. Entity Operations LEOM Our scheme User Map to Point 1 5 (⁠ 𝖤𝗇𝖼 ⁠) Hash – 1 EXP in G1 (random) 2 5 EXP in G1 (small) 2 2 MUL in G1 2 5 Aggregator Map to Point 1 5 (⁠ 𝖠ggrDec ⁠) EXP in G1 (random) 1 4 MUL in G1 2 n − 1 2 n + 2 Data Analyzer Map to Point 1 1 (⁠ 𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆 ⁠) Pairing 3 2 EXP in G1 (large) 1 – EXP in GT – 1 MUL in GT 1 1 Entity Operations LEOM Our scheme User Map to Point 1 5 (⁠ 𝖤𝗇𝖼 ⁠) Hash – 1 EXP in G1 (random) 2 5 EXP in G1 (small) 2 2 MUL in G1 2 5 Aggregator Map to Point 1 5 (⁠ 𝖠ggrDec ⁠) EXP in G1 (random) 1 4 MUL in G1 2 n − 1 2 n + 2 Data Analyzer Map to Point 1 1 (⁠ 𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆 ⁠) Pairing 3 2 EXP in G1 (large) 1 – EXP in GT – 1 MUL in GT 1 1 View Large Table 7. Our implementation (⁠ n=tmax=220 ⁠) (ms). Entity Operation LEOM Our scheme User Compute ci,t 171.5 36.9 (⁠ 𝖤𝗇𝖼 ⁠) Compute σi,t 157.9 49.4 Total 329.4 86.4 (74%)† Compute Xt 43,469.8 16,014.2 Aggregator (BSGS) (29,953.4) (11,457.4) (⁠ 𝖠ggrDec ⁠) Compute σt 13,567.3 4547.7 Total 57,037.1 20,561.9 (64% )† Data Analyzer Verify σt 1400.3 158.3 (⁠ 𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆 ⁠) Total 1400.3 158.3 (89%)† Entity Operation LEOM Our scheme User Compute ci,t 171.5 36.9 (⁠ 𝖤𝗇𝖼 ⁠) Compute σi,t 157.9 49.4 Total 329.4 86.4 (74%)† Compute Xt 43,469.8 16,014.2 Aggregator (BSGS) (29,953.4) (11,457.4) (⁠ 𝖠ggrDec ⁠) Compute σt 13,567.3 4547.7 Total 57,037.1 20,561.9 (64% )† Data Analyzer Verify σt 1400.3 158.3 (⁠ 𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆 ⁠) Total 1400.3 158.3 (89%)† †We denote the ratio that shows how much we can reduce the running time compared to that of the LEOM scheme for each algorithm. View Large Table 7. Our implementation (⁠ n=tmax=220 ⁠) (ms). Entity Operation LEOM Our scheme User Compute ci,t 171.5 36.9 (⁠ 𝖤𝗇𝖼 ⁠) Compute σi,t 157.9 49.4 Total 329.4 86.4 (74%)† Compute Xt 43,469.8 16,014.2 Aggregator (BSGS) (29,953.4) (11,457.4) (⁠ 𝖠ggrDec ⁠) Compute σt 13,567.3 4547.7 Total 57,037.1 20,561.9 (64% )† Data Analyzer Verify σt 1400.3 158.3 (⁠ 𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆 ⁠) Total 1400.3 158.3 (89%)† Entity Operation LEOM Our scheme User Compute ci,t 171.5 36.9 (⁠ 𝖤𝗇𝖼 ⁠) Compute σi,t 157.9 49.4 Total 329.4 86.4 (74%)† Compute Xt 43,469.8 16,014.2 Aggregator (BSGS) (29,953.4) (11,457.4) (⁠ 𝖠ggrDec ⁠) Compute σt 13,567.3 4547.7 Total 57,037.1 20,561.9 (64% )† Data Analyzer Verify σt 1400.3 158.3 (⁠ 𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆 ⁠) Total 1400.3 158.3 (89%)† †We denote the ratio that shows how much we can reduce the running time compared to that of the LEOM scheme for each algorithm. View Large 6. CONCLUSION AND AN OPEN PROBLEM In this paper, we propose an aggregator oblivious encryption scheme with public verifiability from static and simple assumptions, and give its implementation. We demonstrate that our scheme has better performance compared to the LEOM scheme. Remark that our scheme provides weak aggregator unforgeability whereas the LEOM scheme provides aggregator unforgeability but an interactive assumption is required. Thus, proposing a verifiable aggregator oblivious encryption scheme with aggregator unforgeability from static and simple assumptions are left as an open problem. In our scheme, a value h is shared by all users as their secret key. The value has a crucial role for providing unforgeability. Obviously, if h is revealed, then anyone can easily produce a forged tag. That is, our scheme is vulnerable against corruption attacks where an adversary (modeled as a malicious aggregator) obtains secret keys of corrupted users. Thus, it is desirable to provide unforgeability with collusion resistance. Moreover, as in [10], proposing a generic construction of aggregator oblivious encryption with public verifiability (containing a Paillier-type instantiation) can also be an interesting open problem. Since we consider summation as the aggregation function, constructing (verifiable) aggregator oblivious encryption with rich aggregation functions from (verifiable) multi-input functional encryption [53, 54, 64–66] can also be an interesting open problem. FUNDING This work was partially supported by JSPS KAKENHI Grant Numbers JP16K00198, JP15K00185 and JP16H02808, and MIC/SCOPE 162108102. REFERENCES 1 Shi , E. , Chan , T.H. , Rieffel , E.G. , Chow , R. and Song , D. ( 2011 ) Privacy-Preserving Aggregation of Time-Series Data. Proc. Network and Distributed System Security Symposium, NDSS 2011, San Diego, CA, USA, 6 February–9 February 2011. The Internet Society. 2 Gentry , C. ( 2009 ) Fully Homomorphic Encryption Using Ideal Lattices. Proc. 41st Annu. ACM Sympos. Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31–June 2, 2009, pp. 169–178. ACM, New York, NY, USA. 3 Paillier , P. ( 1999 ) Public-Key Cryptosystems based on Composite Degree Residuosity Classes. Adv. Cryptology – EUROCRYPT ‘99, Int. Conf. Theory and Application of Cryptographic Techniques, Prague, Czech Republic, May 2–6, 1999, Proceeding, pp. 223–238. Springer-Verlag, Berlin, Heidelberg. 4 Rastogi , V. and Nath , S. ( 2010 ) Differentially Private Aggregation of Distributed Time-Series with Transformation and Encryption. Proc. ACM SIGMOD Int. Conf. Management of Data, SIGMOD 2010, Indianapolis, IN, USA, June 6–10, 2010, pp. 735–746. ACM, New York, NY, USA. 5 Garcia , F.D. and Jacobs , B. ( 2010 ) Privacy-Friendly Energy-Metering via Homomorphic Encryption. Security and Trust Management – 6th Int. Workshop, STM 2010, Athens, Greece, September 23–24, 2010, Revised Selected Papers, pp. 226–238. Springer-Verlag, Berlin, Heidelberg. 6 Gong , X. , Hua , Q.-S. , Qian , L. , Yu , D. and Jin , H. ( 2018 ) Communication-Efficient and Privacy-Preserving Data Aggregation without Trusted Authority. Proc. IEEE INFOCOM 2018, Honolulu,, USA, April 15–19, 2018, pp. 1–9. IEEE ComputerSociety, Los Alamitos, CA, USA. 7 Chan , T.H. , Shi , E. and Song , D. ( 2012 ) Privacy-Preserving Stream Aggregation with Fault Tolerance. Financial Cryptography and Data Security – 16th Int. Conf., FC 2012, Kralendijk, Bonaire, February 27–March 2, 2012, Revised Selected Papers, pp. 200–214. Springer-Verlag, Berlin, Heidelberg. 8 Cramer , R. , Gennaro , R. and Schoenmakers , B. ( 1997 ) A Secure and Optimally Efficient Multi-Authority Election Scheme. Advances in Cryptology – EUROCRYPT ‘97, Int. Conf. Theory and Application of Cryptographic Techniques, Konstanz, Germany, May 11–15, 1997, Proceeding, pp. 103–118. Springer-Verlag, Berlin, Heidelberg. 9 Joye , M. and Libert , B. ( 2013 ) A Scalable Scheme for Privacy-Preserving Aggregation of Time-Series Data. Financial Cryptography and Data Security – 17th Int. Conf., FC 2013, Okinawa, Japan, April 1–5, 2013, Revised Selected Papers, pp. 111–125. Springer-Verlag, Berlin, Heidelberg. 10 Benhamouda , F. , Joye , M. and Libert , B. ( 2016 ) A new framework for privacy-preserving aggregation of time-series data . ACM Trans. Inf. Syst. Secur. , 18 , 10 . Google Scholar Crossref Search ADS 11 Cramer , R. and Shoup , V. ( 2002 ) Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption. Advances in Cryptology – EUROCRYPT 2002, Int. Conf. Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, April 28–May 2, 2002, Proceedings, pp. 45–64. Springer-Verlag, Berlin, Heidelberg. 12 Bellare , M. and Rogaway , P. ( 1996 ) The Exact Security of Digital Signatures – How to Sign with RSA and Rabin. Advances in Cryptology – EUROCRYPT ‘96, Int. Conf. Theory and Application of Cryptographic Techniques, Saragossa, Spain, May 12–16, 1996, Proceeding, pp. 399–416. Springer-Verlag, Berlin, Heidelberg. 13 Micali , S. and Reyzin , L. ( 2002 ) Improving the exact security of digital signature schemes . J. Cryptology , 15 , 1 – 18 . Google Scholar Crossref Search ADS 14 Barker , E. ( 2016 ). NIST Special Publication 800-57 Part 1, Revision 4. Available at http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4. 15 Leontiadis , I. , Elkhiyaoui , K. , Önen , M. and Molva , R. ( 2015 ) PUDA – Privacy and Unforgeability for Data Aggregation. Cryptology and Network Security – 14th Int. Conf., CANS 2015, Marrakesh, Morocco, December 10–12, 2015, Proceedings, pp. 3–18. Springer-Verlag, Berlin, Heidelberg. 16 Backes , M. , Fiore , D. and Reischuk , R.M. ( 2013 ) Verifiable Delegation of Computation on Outsourced Data. 2013 ACM SIGSAC Conf. Computer and Communications Security, CCS’13, Berlin, Germany, November 4–8, 2013, pp. 863–874. ACM, New York, NY, USA. 17 Fiore , D. , Gennaro , R. and Pastro , V. ( 2014 ) Efficiently Verifiable Computation on Encrypted Data. Proc. 2014 ACM SIGSAC Conf. Computer and Communications Security, Scottsdale, AZ, USA, November 3–7, 2014, pp. 844–855. ACM, New York, NY, USA. 18 Naor , M. ( 2003 ) On Cryptographic Assumptions and Challenges. Advances in Cryptology – CRYPTO 2003, 23rd Annu. Int. Cryptol. Conf., Santa Barbara, CA, USA, August 17–21, 2003, Proceedings, pp. 96–109. Springer-Verlag, Berlin, Heidelberg. 19 Hofheinz , D. and Jager , T. ( 2016 ) Verifiable Random Functions from Standard Assumptions. Theory of Cryptography – 13th Int. Conf., TCC 2016-A, Tel Aviv, Israel, January 10–13, 2016, Proceedings, Part I, pp. 336–362. Springer-Verlag, Berlin, Heidelberg. 20 Jager , T. ( 2015 ) Verifiable Random Functions from Weaker Assumptions. Theory of Cryptography – 12th Theory of Cryptography Conf., TCC 2015, Warsaw, Poland, March 23–25, 2015, Proceedings, Part II, pp. 121–143. Springer-Verlag, Berlin, Heidelberg. 21 Libert , B. , Mouhartem , F. , Peters , T. and Yung , M. ( 2016 ) Practical Signatures with Efficient Protocols’ from Simple Assumptions. Proc. 11th ACM on Asia Conf. Computer and Communications Security, AsiaCCS 2016, Xi’an, China, May 30–June 3, 2016, pp. 511–522. ACM, New York, NY, USA. 22 Libert , B. , Peters , T. and Yung , M. ( 2015 ) Short Group Signatures via Structure-Preserving Signatures: Standard Model Security from Simple Assumptions. Advances in Cryptology – CRYPTO 2015 – 35th Annu. Cryptol. Conf., Santa Barbara, CA, USA, August 16–20, 2015, Proceedings, Part II, pp. 296–316. Springer-Verlag, Berlin, Heidelberg. 23 Abe , M. , Chase , M. , David , B. , Kohlweiss , M. , Nishimaki , R. and Ohkubo , M. ( 2016 ) Constant-size structure-preserving signatures: generic constructions and simple assumptions . J. Cryptology , 29 , 833 – 878 . Google Scholar Crossref Search ADS 24 Waters , B. ( 2009 ) Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions. Advances in Cryptology – CRYPTO 2009, 29th Annu. Int. Cryptol. Conf., Santa Barbara, CA, USA, August 16–20, 2009. Proceedings, pp. 619–636. Springer-Verlag, Berlin, Heidelberg. 25 Okamoto , T. and Takashima , K. ( 2010 ) Fully Secure Functional Encryption with General Relations from the Decisional Linear Assumption. Advances in Cryptology – CRYPTO 2010, 30th Annu. Cryptol. Conf., Santa Barbara, CA, USA, August 15–19, 2010. Proceedings, pp. 191–208. Springer-Verlag, Berlin, Heidelberg. 26 Takashima , K. ( 2014 ) Expressive Attribute-Based Encryption with Constant-Size Ciphertexts from the Decisional Linear Assumption. Security and Cryptography for Networks – 9th Int. Conf., SCN 2014, Amalfi, Italy, September 3–5, 2014. Proceedings, pp. 298–317. Springer-Verlag, Berlin, Heidelberg. 27 Green , M. and Hohenberger , S. ( 2011 ) Practical Adaptive Oblivious Transfer from Simple Assumptions. Theory of Cryptography – 8th Theory Cryptogr. Conf., TCC 2011, Providence, RI, USA, March 28–30, 2011. Proceedings, pp. 347–363. Springer-Verlag, Berlin, Heidelberg. 28 Menezes , A. , Sarkar , P. and Singh , S. ( 2016 ) Challenges with Assessing the Impact of NFS Advances on the Security of Pairing-Based Cryptography. Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology – Second Int. Conf., Mycrypt 2016, Kuala Lumpur, Malaysia, December 1–2, 2016, Revised Selected Papers, pp. 83–108. Springer-Verlag, Berlin, Heidelberg. 29 Kim , T. and Barbulescu , R. ( 2016 ) Extended Tower Number Field Sieve: A New Complexity for the Medium Prime Case. Advances in Cryptology – CRYPTO 2016 – 36th Annu. Int. Cryptol. Conf., Santa Barbara, CA, USA, August 14–18, 2016, Proceedings, Part I, pp. 543–571. Springer-Verlag, Berlin, Heidelberg. 30 Boyen , X. ( 2008 ) The Uber-Assumption Family. Pairing-Based Cryptography – Pairing 2008, Second Int. Conf., Egham, UK, September 1–3, 2008. Proceedings, pp. 39–56. Springer-Verlag, Berlin, Heidelberg. 31 Barreto , P.S.L.M. and Naehrig , M. ( 2005 ) Pairing-Friendly Elliptic Curves of Prime Order. Selected Areas in Cryptography, 12th Int. Workshop, SAC 2005, Kingston, ON, Canada, August 11–12, 2005, Revised Selected Papers, pp. 319–331. Springer-Verlag, Berlin, Heidelberg. 32 The PBC (pairing-based cryptography) library . Available at http://crypto.stanford.edu/pbc/. 33 OpenSSL Project . OpenSSL: Cryptography and SSL/TLS Toolkit. Available at https://www.openssl.org. 34 De Caro , A. and Iovino , V. ( 2011 ) jPBC: Java Pairing Based Cryptography. ISCC, pp. 850–855. IEEE Computer Society, Los Alamitos, CA, USA. 35 Jawurek , M. , Johns , M. and Kerschbaum , F. ( 2011 ) Plug-In Privacy for Smart Metering Billing. Privacy Enhancing Technologies – 11th Int. Sympos., PETS 2011, Waterloo, ON, Canada, July 27–29, 2011. Proceedings, pp. 192–210. Springer-Verlag, Berlin, Heidelberg. 36 Rial , A. and Danezis , G. ( 2011 ) Privacy-Preserving Smart Metering. Proc. 10th Annu. ACM Workshop on Privacy in the Electronic Society, WPES 2011, Chicago, IL, USA, October 17, 2011, pp. 49–60. ACM, New York, NY, USA. 37 Barthe , G. , Danezis , G. , Grégoire , B. , Kunz , C. and Béguelin , S.Z. ( 2013 ) Verified Computational Differential Privacy with Applications to Smart Metering. 2013 IEEE 26th Comput. Secur. Found. Sympos., New Orleans, LA, USA, June 26–28, 2013, pp. 287–301. IEEE Computer Society, Los Alamitos, CA, USA. 38 Ohara , K. , Sakai , Y. , Yoshida , F. , Iwamoto , M. and Ohta , K. ( 2014 ) Privacy-Preserving Smart Metering with Verifiability for Both Billing and Energy Management. ASIAPKC’14, Proc. 2nd ACM Workshop on ASIA Public-Key Cryptography, June 3, 2014, Kyoto, Japan, pp. 23–32. ACM, New York, NY, USA. 39 Danezis , G. , Fournet , C. , Kohlweiss , M. and Béguelin , S.Z. ( 2013 ) Smart Meter Aggregation via Secret-Sharing. SEGS’13, Proc. 2013 ACM Workshop on Smart Energy Grid Security, Co-located with CCS 2013, November 8, 2013, Berlin, Germany, pp. 75–80. ACM, New York, NY, USA. 40 Li , Q. and Cao , G. ( 2013 ) Efficient Privacy-Preserving Stream Aggregation in Mobile Sensing with Low Aggregation Error. Privacy Enhancing Technologies – 13th Int. Sympos., PETS 2013, Bloomington, IN, USA, July 10–12, 2013. Proceedings, pp. 60–81. Springer-Verlag, Berlin, Heidelberg. 41 Jawurek , M. and Kerschbaum , F. ( 2012 ) Fault-Tolerant Privacy-Preserving Statistics. Privacy Enhancing Technologies – 12th Int. Sympos., PETS 2012, Vigo, Spain, July 11–13, 2012. Proceedings, pp. 221–238. Springer-Verlag, Berlin, Heidelberg. 42 Leontiadis , I. , Elkhiyaoui , K. and Molva , R. ( 2014 ) Private and dynamic time-series data aggregation with trust relaxation. Cryptology and Network Security – 13th Int. Conf., CANS 2014, Heraklion, Crete, Greece, October 22–24, 2014. Proceedings, pp. 305–320. Springer-Verlag, Berlin, Heidelberg. 43 Grining , K. , Klonowski , M. and Syga , P. ( 2016 ) Practical Fault-Tolerant Data Aggregation. Applied Cryptography and Network Security – 14th Int. Conf., ACNS 2016, Guildford, UK, June 19–22, 2016. Proceedings, pp. 386–404. Springer-Verlag, Berlin, Heidelberg. 44 Datta , A. and Joye , M. ( 2017 ) Cryptanalysis of a privacy-preserving aggregation protocol . IEEE Trans. Dependable Sec. Comput. , 14 , 693 – 694 . Google Scholar Crossref Search ADS 45 Jung , T. , Li , X. and Wan , M. ( 2015 ) Collusion-tolerable privacy-preserving sum and product calculation without secure channel . IEEE Trans. Dependable Sec. Comput. , 12 , 45 – 57 . Google Scholar Crossref Search ADS 46 Lu , R. , Liang , X. , Li , X. , Lin , X. and Shen , X. ( 2012 ) EPPA: an efficient and privacy-preserving aggregation scheme for secure smart grid communications . IEEE Trans. Parallel Distrib. Syst. , 23 , 1621 – 1631 . Google Scholar Crossref Search ADS 47 Fan , C. , Huang , S. and Lai , Y. ( 2014 ) Privacy-enhanced data aggregation scheme against internal attackers in smart grid . IEEE Trans. Ind. Inform. , 10 , 666 – 675 . Google Scholar Crossref Search ADS 48 Becker , D. , Guajardo , J. and Zimmermann , K.-H. ( 2018 ) Revisiting Private Stream Aggregation: Lattice-Based PSA. Proc. Network and Distributed System Security Sympos., NDSS 2018, San Diego, CA, USA, 18 February–21 February 2018. The Internet Society. 49 Zhuo , G. , Jia , Q. , Guo , L. , Li , M. and Li , P. ( 2016 ) Privacy-Preserving Verifiable Data Aggregation and Analysis for Cloud-Assisted Mobile Crowdsourcing. 35th Annu. IEEE Int. Conf. Computer Communications, INFOCOM 2016, San Francisco, CA, USA, April 10–14, 2016, pp. 1–9. IEEE Computer Society, Los Alamitos, CA, USA. 50 Brakerski , Z. and Vaikuntanathan , V. ( 2011 ) Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages. Advances in Cryptology – CRYPTO 2011 – 31st Annu. Cryptol. Conf., Santa Barbara, CA, USA, August 14–18, 2011. Proceedings, pp. 505–524. Springer-Verlag, Berlin, Heidelberg. 51 Jung , T. , Han , J. and Li , X. ( 2018 ) PDA: semantically secure time-series data analytics with dynamic user groups . IEEE Trans. Dependable Sec. Comput. , 15 , 260 – 274 . Google Scholar Crossref Search ADS 52 Corrigan-Gibbs , H. and Boneh , D. ( 2017 ) Prio: Private, Robust, and Scalable Computation of Aggregate Statistics. 14th USENIX Sympos. Networked Systems Design and Implementation, NSDI 2017, Boston, MA, USA, March 27–29, 2017, pp. 259–282. USENIX Association. 53 Goldwasser , S. , Gordon , S.D. , Goyal , V. , Jain , A. , Katz , J. , Liu , F. , Sahai , A. , Shi , E. and Zhou , H. ( 2014 ) Multi-Input Functional Encryption. Advances in Cryptology – EUROCRYPT 2014 – 33rd Annu. Int. Conf. Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11–15, 2014. Proceedings, pp. 578–602. Springer-Verlag, Berlin, Heidelberg. 54 Badrinarayanan , S. , Goyal , V. , Jain , A. and Sahai , A. ( 2016 ) Verifiable Functional Encryption. Advances in Cryptology – ASIACRYPT 2016 – 22nd Int. Conf. Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part II, pp. 557–587. Springer-Verlag, Berlin, Heidelberg. 55 Jung , T. , Mao , X. , Li , X. , Tang , S. , Gong , W. and Zhang , L. ( 2013 ) Privacy-Preserving Data Aggregation without Secure Channel: Multivariate Polynomial Evaluation. Proc. IEEE INFOCOM 2013, Turin, Italy, April 14–19, 2013, pp. 2634–2642. IEEE ComputerSociety, Los Alamitos, CA, USA. 56 Derler , D. , Ramacher , S. and Slamanig , D. ( 2017 ) Homomorphic Proxy Re-authenticators and Applications to Verifiable Multi-user Data Aggregation. Financial Cryptography and Data Security – 21st Int. Conf., FC 2017, Sliema, Malta, April 3–7, 2017, Revised Selected Papers, pp. 124–142. Springer-Verlag, Berlin, Heidelberg. 57 Beimel , A. , Gabizon , A. , Ishai , Y. , Kushilevitz , E. , Meldgaard , S. and Paskin-Cherniavsky , A. ( 2014 ) Non-interactive Secure Multiparty Computation. Advances in Cryptology – CRYPTO 2014 – 34th Annu. Cryptol. Conf., Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part II, pp. 387–404. Springer-Verlag, Berlin, Heidelberg. 58 Emura , K. ( 2017 ) Privacy-Preserving Aggregation of Time-Series Data with Public Verifiability from Simple Assumptions. Information Security and Privacy – 22nd Austral. Conf., ACISP 2017, Auckland, New Zealand, July 3–5, 2017, Proceedings, Part II, pp. 193–213. Springer-Verlag, Berlin, Heidelberg. 59 Emura , K. ( 2017 ) Privacy-Preserving Aggregation of Time-Series Data with Public Verifiability from Simple Assumptions. IACR Cryptology ePrint Archive, 2017, 479. 60 Hirt , M. and Sako , K. ( 2000 ) Efficient Receipt-Free Voting based on Homomorphic Encryption. Advances in Cryptology – EUROCRYPT 2000, Int. Conf. Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14–18, 2000, Proceeding, pp. 539–556. Springer-Verlag, Berlin, Heidelberg. 61 Kiltz , E. and Vahlis , Y. ( 2008 ) CCA2 secure IBE: Standard Model Efficiency Through Authenticated Symmetric Encryption. Topics in Cryptology – CT-RSA 2008, The Cryptographers’ Track at the RSA Conf. 2008, San Francisco, CA, USA, April 8–11, 2008. Proceedings, pp. 221–238. Springer-Verlag, Berlin, Heidelberg. 62 Boneh , D. and Boyen , X. ( 2004 ) Efficient Selective-id Secure Identity-Based Encryption Without Random Oracles. Advances in Cryptology – EUROCRYPT 2004, Int. Conf. Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 2–6, 2004, Proceedings, pp. 223–238. Springer-Verlag, Berlin, Heidelberg. 63 Cui , Y. , Fujisaki , E. , Hanaoka , G. , Imai , H. and Zhang , R. ( 2009 ) Formal security treatments for IBE-to-signature transformation: Relations among security notions . IEICE Trans. , 92-A , 53 – 66 . Google Scholar Crossref Search ADS 64 Abdalla , M. , Gay , R. , Raykova , M. and Wee , H. ( 2017 ) Multi-input Inner-Product Functional Encryption from Pairings. Advances in Cryptology – EUROCRYPT 2017 – 36th Annu. Int. Conf. Theory and Applications of Cryptographic Techniques, Paris, France, April 30–May 4, 2017, Proceedings, Part I, pp. 601–626. Springer-Verlag, Berlin, Heidelberg. 65 Brakerski , Z. , Komargodski , I. and Segev , G. ( 2016 ) Multi-input Functional Encryption in the Private-Key Setting: Stronger Security from Weaker Assumptions. Advances in Cryptology – EUROCRYPT 2016 – 35th Annu. Int. Conf. Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8–12, 2016, Proceedings, Part II, pp. 852–880. Springer-Verlag, Berlin, Heidelberg. 66 Chotard , J. , Sans , E.D. , Gay , R. , Phan , D.H. and Pointcheval , D. ( 2017 ) Decentralized Multi-client Functional Encryption for Inner Product. IACR Cryptology ePrint Archive, 2017, 989. The LEOM assumption is defined as follows. Definition A.1 (LEOM assumption [15]) Let D=(p,e,g1,g2,G1,G2,GT)be bilinear groups. Choose α←$G1and δ,γ1,…,γn←$Zpand set Γ=g2γand Δ=g2∑i=1nγi ⁠. The LEOM oracle O𝖫EOMtakes as input (t,{xi,t}i=1n) ⁠, chooses βt←$G1 ⁠, and returns (α,βt,{βtγiαδxi,t}i=1n) ⁠. If a query at tcontains i′∈[1,n]such that xi,t≠xi,t′ ⁠, then O𝖫EOMreturns ⊥ ⁠. Assume that O𝖫EOMis called once at each t ⁠. We say that the LEOM assumption holds if for any probabilistic polynomial time (PPT) adversary A ⁠, the advantage AdvLEOM(λ)≔Pr[AO𝖫EOM(·,·)(D,Γ,Δ)→(t,z,c)]is negligible where Ahas queried (t,{xi,t}i=1n)and z≠∑i=1nxi,tand c=βt∑i=1nγiαzδholds. We present the LEOM scheme as follows: 𝖲𝖾𝗍𝗎𝗉(1λ) ⁠: Choose (p,e,g1,g2,G1,G2,GT) where G1 ⁠, G2 and GT are groups of λ-bit prime order p=M ⁠, g1∈G1 and g2∈G2 are generators, and e:G1×G2→GT is a bilinear map. Let H:{0,1}*→Zp be a hash function. Choose γ,s1,…,sn,t1,…,tn←$Zp ⁠, compute h=g1γ ⁠, (𝗏𝗄1,𝗏𝗄2)=(g2∑i=1nti,g2γ) ⁠, and set s0=−∑i=1nsi ⁠. Output 𝗉𝖺𝗋𝖺𝗆=((p,e,g1,g2,G1,G2,GT),H) ⁠, 𝗌𝗄A=s0 ⁠, 𝗌𝗄i=(si,ti,h) ⁠, and 𝗏𝗄=(𝗏𝗄1,𝗏𝗄2) ⁠. 𝖤𝗇𝖼(𝗉𝖺𝗋𝖺𝗆,t,xi,t,𝗌𝗄i) ⁠: Parse 𝗌𝗄i=(si,ti,h) ⁠. Compute ci,t=g1xi,tH(t)si and σi,t=hxi,tH(t)ti ⁠. Output (ci,t,σi,t) ⁠. 𝖠𝗀𝗀𝗋𝖣𝖾𝖼(𝗉𝖺𝗋𝖺𝗆,t,{(ci,t,σi,t)}i=1n,𝗌𝗄A) ⁠: Parse 𝗌𝗄A=s0 ⁠. Compute Vt=H(t)s0∏i=1nci,t=g1Xt where Xt=∑i=1nxi,t ⁠, and solve the discrete logarithm Vt with respect to basis g1 ⁠. Moreover, compute σt=∏i=1nσi,t Output (Xt,σt) ⁠. 𝖵𝖾𝗋𝗂𝖿𝗒𝖲𝗎𝗆(𝗉𝖺𝗋𝖺𝗆,t,Xt,σt,𝗏𝗄t) ⁠: Output one if e(σt,g2)e(H(t),𝗏𝗄1)=e(g1Xt,𝗏𝗄2) holds. Otherwise, output 0. Footnotes 3 Kiltz and Vahlis [61] defined the modified Decisional Bilinear Diffie–Hellman (mDBDH) assumption where given (g,gx,gy,gy2,gz,Z) decide whether Z=e(g,g)xyz or not. That is, compared to the original DBDH assumption, the element gy2 is additionally given to the adversary. In our assumption, if we set g11/a≔g1′ then (g11/a,g1,g1a) can be seen as (g1′,g1′a,g1′a2) ⁠. That is, the element g1′a2 is added to an instance of the CDH assumption. Hence, we call the assumption mCDH. 4 In the definition of Leontiadis et al. [15], each user i chooses a tag value 𝗍ki and sends its encoding value to the dealer in the 𝖲𝖾𝗍𝗎𝗉 phase. The dealer computes 𝗏𝗄 from all 𝗍ki ⁠. Here we simply assume that 𝗏𝗄 is generated by the dealer since the dealer is modeled as a trusted entity. Later, we consider the case that 𝗏𝗄 is generated by users in the encryption phase. 5 A decryption key of the Boneh–Boyen IBE scheme is informally described as (gαH𝖡B(ID)r,gr) for a master key α and a random r ⁠, the Boneh–Boyen hash H𝖡B ⁠. In our construction, α ⁠, ID ⁠, and r are regarded as xi,t ⁠, t ⁠, and vi,t respectively. Thus, the number of verification keys depends on tmax ⁠. 6 For the sake of clarity, we give the LEOM scheme in the Appendix. © The British Computer Society 2018. All rights reserved. For permissions, please e-mail: journals.permissions@oup.com This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/open_access/funder_policies/chorus/standard_publication_model)
TI - Privacy-Preserving Aggregation of Time-Series Data with Public Verifiability from Simple Assumptions and Its Implementations
JF - The Computer Journal
DO - 10.1093/comjnl/bxy135
DA - 2019-04-01
UR - https://www.deepdyve.com/lp/oxford-university-press/privacy-preserving-aggregation-of-time-series-data-with-public-Mjg63yJO1m
SP - 614
VL - 62
IS - 4
DP - DeepDyve
ER -