Preserving the Location Privacy of Secondary Users in Cooperative Spectrum Sensing
Abstract
Cooperative spectrum sensing, despite its effectiveness in enabling dynamic spectrum access, suffers from location privacy threats, merely because Secondary Users (s)’ sensing reports that need to be shared with a fusion center to make spectrum availability decisions are highly correlated to the users’ locations. It is therefore important that cooperative spectrum sensing schemes be empowered with privacy preserving capabilities so as to provide s with incentives for participating in the sensing task. In this paper, we propose privacy preserving protocols that make use of various cryptographic mechanisms to preserve the location privacy of s while performing reliable and efficient spectrum sensing. We also present costperformance tradeoffs. The first consists on using an additional architectural entity at the benefit of incurring lower computation overhead by relying only on symmetric cryptography. The second consists on using an additional secure comparison protocol at the benefit of incurring lesser architectural cost by not requiring extra entities. Our schemes can also adapt to the case of a malicious Fusion Center () as we discuss in this paper. We also show that not only are our proposed schemes secure and more efficient than existing alternatives, but also achieve fault tolerance and are robust against sporadic network topological changes.
I Introduction
Cooperative spectrum sensing is a key component of cognitive radio networks (s) essential for enabling dynamic and opportunistic spectrum access [1, 2, 3]. It consists of having secondary users (s) sense the licensed channels on a regular basis and collaboratively decide whether a channel is available prior to using it so as to avoid harming primary users (s). One of the most popular spectrum sensing techniques is energy detection, thanks to its simplicity and ease of implementation, which essentially detects the presence of ’s signal by measuring and relying on the energy strength of the sensed signal, commonly known as the received signal strength () [4].
^{†}^{†}
Digital Object Identifier 10.1109/TIFS.2016.2622000
Broadly speaking, cooperative spectrum sensing techniques can be classified into two categories: centralized and distributed [1]. In centralized techniques, a central entity called fusion center () orchestrates the sensing operations as follows. It selects one channel for sensing and, through a control channel, requests that each perform local sensing on that channel and send its sensing report (e.g., the observed value) back to it. It then combines the received sensing reports, makes a decision about the channel availability, and diffuses the decision back to the s. In distributed sensing techniques, s do not rely on a for making channel availability decisions. They instead exchange sensing information among one another to come to a unified decision [1].
Despite its usefulness and effectiveness in promoting dynamic spectrum access, cooperative spectrum sensing suffers from serious security and privacy threats. One big threat to s, which we tackle in this work, is location privacy, which can easily be compromised due to the wireless nature of the signals communicated by s during the cooperative sensing process. In fact, it has been shown that values of s are highly correlated to their physical locations [5], thus making it easy to compromise the location privacy of s when sending out their sensing reports. The finegrained location, when combined with other publicly available information, could easily be exploited to infer private information about users [6]. Examples of such private information are shopping patterns, user preferences, and user beliefs, just to name a few [6]. With such privacy threats and concerns, s may refuse to participate in the cooperative sensing tasks. It is therefore imperative that cooperative sensing schemes be enabled with privacy preserving capabilities that protect the location privacy of s, thereby encouraging them to participate in such a key function, the spectrum sensing.
In this paper, we propose two efficient privacypreserving schemes with several variants for cooperative spectrum sensing. These schemes exploit various cryptographic mechanisms to preserve the location privacy of s while performing the cooperative sensing task reliably and efficiently.
In addition, we study the costperformance tradeoffs of the proposed schemes, and show that higher privacy and better performance can be achieved, but at the cost of deploying an additional architectural entity in the system. We show that our proposed schemes are secure and more efficient than their existing counterparts, and are robust against sporadic topological changes and network dynamism.
Ia Related Work
Security and privacy in s have gained some attention recently. Adem et al. [7] addressed jamming attacks in s. Yan et al. [8] discussed security issues in fully distributed cooperative sensing. Qin et al.[9] proposed a privacypreserving protocol for transactions using a commitment scheme and zeroknowledge proof. Wang et al. [10] proposed a privacy preserving framework for collaborative spectrum sensing in the context of multiple service providers.
Location privacy, though well studied in the context of locationbased services (LBS) [11, 12], has received little attention in the context of s [13, 14, 5]. Some works focused on location privacy but not in the context of cooperative spectrum sensing (e.g., databasedriven spectrum sensing [15, 13] and dynamic spectrum auction [14]) and are skipped since they are not within this paper’s scope.
In the context of cooperative spectrum sensing, Shuai et al. [5] showed that s’ locations can easily be inferred from their reports, and called this the SRLP (single report location privacy) attack. They also identified the DLP (differential location privacy) attack, where a malicious entity can estimate the (and hence the location) of a leaving/joining user from the variations in the final aggregated measurements before and after user’s joining/leaving of the network. They finally proposed to address these two attacks. Despite its merits, has several limitations: (i) It needs to collect all the sensing reports in order to decode the aggregated result. This is not fault tolerant, since some reports may be missing due, for example, to the unreliable nature of wireless channels. (ii) It cannot handle dynamism if multiple users join or leave the network simultaneously. (iii) The pairwise secret sharing requirement incurs extra communication overhead and delay. (iv) The underlying encryption scheme requires solving the Discrete Logarithm Problem, which is possible only for very small plaintext space and can be extremely costly. Chen et al. [16] proposed , a faulttolerant and privacypreserving data aggregation scheme for smart grid communications. , though proposed in the context of smart grids, is suitable for cooperative sensing schemes. But unlike , relies on an additional semitrusted entity, called gateway, and like other aggregation based methods, is prone to the DLP attack. In our previous work [17] we proposed an efficient scheme called to overcome the limitations that existent approaches suffer from. combines order preserving encryption and yao’s millionaire protocol to provide a high location privacy to the users while enabling an efficient sensing performance.
IB Our Contribution
In this paper, we propose two location privacypreserving schemes for cooperative spectrum sensing that achieve:

Location privacy of secondary users while performing the cooperative spectrum sensing effectively and reliably.

Fault tolerance and robustness against network dynamism (e.g., multiple s join/leave the network) and failures (e.g., missed sensing reports).

Reliability and resiliency against malicious users via an efficient reputation mechanism.

Accurate spectrum availability decisions via halfvoting rules while incurring minimum communication and computation overhead.
Compared to our preliminary works [18] and [17], this paper provides a more efficient version of [17], referred to as LP2PSS in this paper, that is also robust against malicious users and adapted to a stronger threat model for . Besides, this paper provides another variant of LP3PSS [18] that improves the crytpographic endtoend delay. Finally, this paper provides an improved security analysis and more comprehensive performance analysis.
The reason why we present two variants is to give more options to system designers to decide which topology and which approach is more suitable to their specific requirements. There are tradeoffs between the two options. While LP2PSS provides location privacy guarantees without needing to introduce an extra architectural entity, it requires relatively high computational overhead due to the use of the Yao’s millionaires’ protocol. On the other hand, LP3PSS provides stronger privacy guarantees (as the private inputs are shared among 3 noncolluding entities) and reduces the computational overhead substantially when compared to LP2PSS, but at the cost of introducing an extra architectural entity.
The remainder of this paper is organized as follows. Section II provides our system and security threat models. Section III presents our preliminary concepts and definitions. Section IV and V provide an extensive explanation of the proposed schemes. Section VI gives the security analysis of these schemes. Section VII presents their performance analysis and a comparison with existent approaches. Finally, Section VIII concludes this work.
Ii System and Security Threat Models
Iia System Model
We consider a cooperative spectrum sensing architecture that consists of a and a set of s.
Each is assumed to be capable of measuring on any channel by means of an energy detection method [4]. In this cooperative sensing architecture, the combines the sensing observations collected from the s, decides about the spectrum availability, and broadcasts the decision back to the s through a control channel. This could typically be done via either hard or soft decision rules. The most common soft decision rule is aggregation, where collects the values from the s and compares their average to a predefined threshold, , to decide on the channel availability.
In hard decision rules, e.g. voting, combines votes instead of values. Here, each compares its value with , makes a local decision (available or not), and then sends to the its onebit local decision/vote instead of sending its value. applies then a voting rule on the collected votes to make a channel availability decision. However, for security reasons to be discussed shortly, it may not be desirable to share with s. In this case, can instead collect the values from the s, make a vote for each separately, and then combine all votes to decide about the availability of the channel.
In this work, we opted for the votingbased decision rule, with is not to be shared with the s, over the aggregationbased rule. Two reasons for why choosing voting over aggregation: One, aggregation methods are more prone to sensing errors; for example, receiving some erroneous measurements that are far off from the average of the values can skew the computed average, thus leading to wrong decision. Two, voting does not expose users to the DLP attack [5] (which was identified earlier in Section IA). We chose not to share with the s because doing so limits the action scope of malicious users that may want to report falsified values for malicious and/or selfish purposes.
In this paper, in addition to this 2party (i.e., and s) cooperative sensing architecture that we just described above, we investigate a 3party cooperative sensing architecture, where a third entity, called gateway (), is incorporated along with the and s to cooperate with them in performing the sensing task. As we show later, this gateway allows to achieve higher privacy and lesser computational overhead, but of course at its cost.
IiB Security Threat Models and Objectives
We make the following security assumptions:
Security Assumptions 1.
(i) may modify the value of in different sensing periods to extract information about the values of s; (ii) executes the protocol honestly but shows interest in learning information about the other parties; (iii) does not collude with s; and (iv) does not collude with s or .
We aim to achieve the following security objectives:
Security Objectives 1.
(i) Keep value of each confidential; and (ii) Keep confidential. This should hold during all sensing periods and for any network membership change.
Iii Preliminaries
Iiia HalfVoting Availability Decision Rule
Our proposed schemes use the halfvoting decision rule, shown to be optimal in [19], and for completeness, we here highlight its main idea. Details can be found in [19].
Let and be the spectrum sensing hypothesis that is absent and present, respectively. Let , and denote the probabilities of false alarm, detection, and missed detection, respectively, of one ; i.e., , , and .
collects the 1bit decision from each and fuses them together according to the following fusion rule [19]:
(1) 
infers that is present, i.e. , when at least s are inferring . Otherwise, decides that is absent, i.e. . Note that the OR fusion rule, in which decides if at least one of the decisions from the s is , corresponds to the case where . The AND fusion rule, in which decides if and only if all decisions from the s are , corresponds to the case where . The cooperative spectrum sensing false alarm probability, , and missed detection probability, , are: and .
Letting be the number of s, the optimal value of that minimizes is , where and denotes the ceiling function. The value of comes from the halfvoting rule presented in [19]. We use it since it was proven in [19] to provide the best sensing performance in voting based cooperative sensing. For simplicity, is denoted as throughout this paper.
IiiB Reputation Mechanism
To make the voting rule more reliable, we incorporate a reputation mechanism that allows to progressively eliminate faulty and malicious s. It does so by updating and maintaining a reputation score for each that reflects its level of reliability. Our proposed schemes incorporate the Beta Reputation mechanism [20]. For completeness, we highlight its key features next; more details can be found in [20] from which all computations in this subsection are based.
At the end of each sensing period , obtains a decision vector, with , where (resp. ) means that the spectrum is reported to be free (resp. busy) by user . then makes a global decision using the fusion rule as follows:
(2) 
where is the weight vector calculated by based on the credibility score of each user, as will be shown shortly, and is the voting threshold determined by the Halfvoting rule [19], as presented in Section IIIA.
For each , maintains positive and negative rating coefficients, and , that are updated every sensing period as: and , where and are calculated as
Here, (resp. ) reflects the number of times ’s observation, , agrees (resp. disagrees) with the ’s global decision, (t).
computes then ’s credibility score, (t), and contribution weight, (t), at sensing period as suggested in [20]:
(3) 
(4) 
IiiC Cryptographic Building Blocks
Our schemes use a few known cryptographic building blocks, which we define next before using them in the next sections when describing our schemes so as to ease the presentation.
Definition 1.
Order Preserving Encryption : is a deterministic symmetric encryption scheme whose encryption preserves the numerical ordering of the plaintexts, i.e. for any two messages and , we have [21], with is order preserving encryption of a message under key , where is the block size of .
Definition 2.
Yao’s Millionaires’ Protocol [22]: is a Secure Comparison protocol that enables two parties to execute ”the greaterthan” function, , without disclosing any other information apart from the outcome.
Definition 3.
Treebased Group Elliptic Curve DiffieHellman [23]: is a dynamic and contributory group key establishment protocol that permits multiple users to collaboratively establish and update a group key .
Definition 4.
Group Key independence: given a subset of previous keys, an attacker cannot know any other group key.
Definition 5.
Elliptic Curve Discrete Logarithm Problem given an elliptic curve over and points , find an integer , if any exists, s.t. .
Definition 6.
Digital Signature: A digital signature scheme is used to validate the authenticity and integrity of a message . It contains three components defined as follows:
Key generation algorithm (): returns a private/public key pair given a security parameter , .
Signing algorithm (): takes as input a message and the secret key and returns a signature , .
Verification algorithm (): takes as input the public key , and . It returns if valid and if invalid, .
Note that communications are made over a secure (authenticated) channel maintained with a symmetric key (e.g., via SSL/TLS) to ensure confidentiality and authentication. For the sake of brevity, we will only write encryptions but not the authentication tags (e.g., Message Authentication Codes [24]) for the rest of the paper.
In the following we present the two schemes that we propose in this paper. For convenience and before getting into the details of the proposed approaches, we have summarized the different notations that we use in the remaining parts of this paper in Table I.
Secondary user  

Fusion center  
Gateway  
Received signal strength  
Average number of s per sensing period  
Set of all s in the system  
Optimal voting threshold  
Energy sensing threshold  
Large prime number for  
Elliptic curve over a finite field  
Outcome of between and  
Final decision made by  
Group key established by s  
Digital signature  
Vector of weights assigned to s  
Table of ciphertexts exchanged in  
Public key used for the digital signature  
Secret key used for the digital signature  
Secret key established between  
Secret key established between  
Secret key established between  
encryptiondecryption for  
INDCPA secure block cipher encryptiondecryption  
encryption  
Secure authenticated channel between and  
History list including all values learned by  
History list including all values learned by  
History list including all values learned by  
Average number of s joining the at  
Average of the membership change process 
Iv Lp2pss
We now present our first proposed scheme, which is a votingbased approach designed for the 2party cooperative spectrum sensing network, consisting of one and a set of s. Throughout, we refer to this scheme by LP2PSS (location privacy for 2party spectrum sensing architecture). LP2PSS achieves the aforementioned security objectives via an innovative integration of the , and protocols. Votingbased spectrum sensing offers several advantages over its aggregationbased counterparts as discussed in Section III, but requires comparing ’s threshold and s’ s, thereby forcing at least one of the parties to expose its information to the other. One solution is to use a secure comparison protocol, such as , between and each , which permits to learn the total number of s above/below but nothing else. However, secure comparison protocols involve several costly public key crypto operations (e.g., modular exponentiation), and therefore invocations of such a protocol per sensing period, thus incurring prohibitive computational and communication overhead.
Intuition: The key observation that led us to overcome this challenge is the following: If we enable to learn the relative order of values but nothing else, then the number of invocations can be reduced drastically. That is, the knowledge of relative order permits to execute protocol at worstcase by utilizing a binarysearch type approach, as opposed to running with each user in total overhead. This is where comes into play. The crux of our idea is to make users encrypt their values under a group key , which is derived via at the beginning of the protocol. This allows to learn the relative order of encrypted values but nothing else (and users do not learn each others’ values, as they are sent to over a pairwise secure channel). then uses this knowledge to run protocol by utilizing a binarysearch strategy, which enables it to identify the total number of users above/below and then compares it to . As may try to maliciously modify the value of as stated in Security Assumption 1, this makes it easier for it to infer the values of s, thus their location. We rely on digital signatures to overcome this limitation. A digital signature is used by s to verify the integrity of the information that was sent by during the execution of protocol and signed by the service operator as we explain in more details next. This strategy makes LP2PSS achieve s’ location privacy with efficient spectrum sensing, faulttolerance and network dynamism simultaneously.
Before we describe our protocol in more details, we first highlight how we improve the protocol proposed in [25] as shown next.
Iva Our Improved Scheme
To achieve high efficiency, we improve the protocol in [25], in which only the initiator of the protocol learns the outcome, and call this improved scheme . , described next, is used by our proposed LP2PSS to perform secure comparisons. Our secure comparison scheme improves protocol proposed in [25] in two aspects: (i) We adapt it to work with additive homomorphic encryption (specifically ) to enable compact comparison operations in Elliptic Curves (EC) domain. (ii) The final stage of requires solving (Definition 5), which is only possible with small plaintext domains, and this is the case for our 8bit encoded RSS values required by IEEE 802.22 standard [26]. However, despite small plaintext domain, solving with bruteforce is still costly. We improve this step by adapting PollardLambda method [27] to solve the for the reverse map, which offers decryption efficiency and compactness. The PollardLambda method is designed to solve the for points that are known to lie in a small interval, which is the case for values [27]. Below, we outline our optimized .
Notation: Let denote the size in bits of the value of a and of to be privately compared. Also, let denote the average number of s per sensing period, be a large prime number, an elliptic curve over a finite field , a point on the curve with prime order . is a private/public key pair of Elliptic Curve ElGamal () encryption [28], generated under . Let be parameters generated by which is the initiator of the protocol. returns , where if and otherwise. Only learns but learn nothing else. For simplicity during the description of , we denote as and as .
, as in , is based on the fact that is greater than and have a common element where and are the 1encoding of and the 0encoding of respectively. The 0encoding of a binary string is given by and the 1encoding of is given by . For example, if we have a string , then and . If we want to compare two values and , we need first to construct and . Since , then .
with a private input generates for encryption and decryption then prepares a table , such that and for a random in the subgroup and finally sends to . with private input computes for each as follows
(5) 
with denotes Elliptic Curve point addition operations ( replaces in the original scheme). then prepares random encryptions and permutes ’s and ’s to obtain which are sent back to that decrypts , via PollardLambda algorithm [27] and decides some ( in the original ). The different steps of this protocol are summarized in Figure 1.
IvB Lp2pss Descitpion
Next we describe our proposed scheme LP2PSS whose main steps are outlined in Algorithm 1.
Initialization: The service operator sets up the value of energy threshold . sets up crypto parameters, voting threshold and users reputation weights values. Initially, all the users are considered credible so the weight vector is constituted of ones. , then, constructs the table used in protocol as described in Section IVA with as input using the ’s public key . Notice here that since the same is always used during different sensing periods, the table can be precomputed during the Initialization phase. This considerably reduces this protocol’s computational overhead. Then the service operator that manages the network signs using a digital signature scheme with secret key . This digital signature is used to make sure that does not maliciously modify the value of to learn values of users and thus infer their locations. The service operator then shares the public key with s to use it for verifying the integrity of and thus of . s establish a group key via , with which they encrypt their values during the private sensing. also establishes a secure channel with each user .
Private Sensing: Each encrypts its with group key and sends ciphertext to over . then sorts ciphertexts as (as all s are encrypted under the same ) without learning corresponding values, and the secure channel protects the communication of from other users as well as from outside attackers. then initiates first with the that has the highest value . If it is smaller than energy sensing threshold , then the channel is free. Otherwise, initiates with the user that has . If it is greater than , then the channel is busy. Otherwise, to make the final decision based on the optimal sensing threshold , runs according to the binarysearch strategy which guarantees the decision at the worst invocations. Note that before participating in , each first verifies the integrity of using the digital signature that was provided by the service operator as indicated in Steps 14, 20 29. A that detects a change in the value of refuses to participate in the sensing to prevent from learning any sensitive information regarding its location. In that case the system stops and the malicious intents of are detected.
In Steps 18, 24 33 of Algorithm 1, constructs the vector of local decisions of s after running the private comparisons between and values. Based on the decision vector and the weights vector that was computed previously, computes in Step 34 using Equation 2 to finally make the final decision using voting threshold . then computes the credibility score and the weights that will be given to all users in the next sensing period. If has a decision , its assigned weight decreases. But if a makes the same decision as , it is assigned the highest weight. The main steps of the private sensing phase are summarized in Figure 2.
Update after Membership Changes or Breakdown: At the beginning of , if membership status of changes, a new group key is formed via , and then updates . If some s breakdown and fail to sense or send their measurements, also must be updated. In new sensing period, Algorithm 1 is executed with new parameters and group key.
Choice of digital signature
Choosing the right digital signature scheme depends on the network and users constraints. In the following we briefly discuss some of the schemes that could be applied in LP2PSS.
One scheme that could be used is RSA [29] which is one of the first and most popular digital signature schemes. RSA has a very large signature but offers a fast signature verification. However, newer schemes outperform it in terms of signature and key size and/or computational efficiency.
Another scheme could be ECDSA [30] which is an elliptic curve analogue of the DSA [31] digital signature scheme. It provides more compact signatures than its counterparts thanks to the use of Elliptic Curve crypto. It has a moderate speed, though, in terms of verification and encryption compared to RSA. It is more suitable for situations where the communication overhead is the main concern.
Onetime signatures, e.g. [32] and its variants [33, 34], are digital signatures that are based on oneway functions without a trapdoor which makes them much faster than commonly used digital signatures, like RSA. The main drawbacks of this kind of digital signatures are their large size and the complexity of their ”onetimedness” which requires a new call to the key generation algorithm for each use. In our context, we should not worry about the latter since we sign only once so we don’t have to regenerate the keys. In that case, onetime signatures may be the best option when computation speed at s is the main concern.
NTRU [35] signature could also be applied here. It provides a tradeoff between signature size and computational efficiency. Indeed it has a moderate signature size that is larger than the one of ECDSA but it is faster than both ECDSA and RSA in key generation, signing and verification.
V Lp3pss
We now present an alternative scheme that we call LP3PSS (location privacy for 3party spectrum sensing architecture), which offers higher privacy and significantly better performance than that of LP2PSS, but at the cost of deploying an additional entity in the network, referred to as Gateway () (thus ”3P” refers to the 3 parties: s, , and ).
enables a higher privacy by preventing from even learning the order of encrypted values of s (as in LP2PSS). also learns nothing but secure comparison outcome of a values and , as in but only using . Thus, no entity learns any information on or beyond a pairwise secure comparison, which is the minimum information required for a votingbased decision.
Intuition: The main idea behind LP3PSS is simple yet very powerful: We enable to privately compare distinct encryptions of and values, which were computed under pairwise keys established between and s. These encrypted pairs permit to learn the comparison outcomes without deducing any other information. then sends these comparison results to to make the final decision. learns no information on values and s cannot obtain the value of , which complies with our Security Objectives 1. Note that LP3PSS relies only on symmetric cryptography to guarantee the location privacy of s. Hence, it is the most computationally efficient and compact scheme among all alternatives but with an additional entity in the system. LP3PSS is described in Algorithm 2 and outlined below.
Initialization: Service operator and set up spectrum sensing and crypto parameters. Let be INDCPA secure [24] block cipher (e.g. ) encryption/decryption operations. establishes a secret key with each and . establishes a secret key with each . encrypts with using , . then encrypts ciphertexts with using and sends these s to , . Since these encryptions are done offline at the beginning of the protocol, they do not impact the online private sensing phase. may also precompute a few extra encrypted values in the case of new users joining the sensing.
Private Sensing: Each encrypts with using , which was used by to encrypt value. then encrypts this ciphertext with using key , and sends the final ciphertext to . decrypts ciphertexts s and s with using and , which yields encrypted values. then compares each encryption of with its corresponding encryption of . Since both were encrypted with the same key, can compare them and conclude which one is greater as in Step 12. stores the outcome of each comparison in a binary vector , encrpyts and sends it to . Finally, compares the summation of votes to the optimal voting threshold to make the final decision about spectrum availability and updates the reputation scores of the users.
Update after Membership Changes or Breakdown: Each new user joining the sensing just establishes a pairwise secret key with and . This has no impact on existing users. If some users leave the network, and remove their secret keys, which also has no impact on existing users. In both cases, and also in the case of a breakdown or failure, must be updated accordingly.
Remark 1.
A malicious in LP3PSS following Security Assumption 1 may want to maliciously modify the value of . But since is the one that performs the comparison between values and , changing maliciously has almost no benefit to as it does not have access to individual comparison outcomes. This makes LP3PSS robust against this malicious .
It is worth iterating that the only needs to perform simple comparison operations between the values of the s and the energy sensing threshold of the as we explained earlier. Thus, such an entity does not interfere with the spectrum sensing process in the . Moreover, it does not need to be provided with large computational resources as these comparisons are very simple and fast to perform. It could be a standalone entity, one of the s that is dedicated to perform the tasks of the or even a secure hardware that is deployed inside the itself as we discuss next. This gives multiple options to system designers. If FCC’s regulation allows introducing an additional entity to the , then could be deployed without any concern. If not, system designers could consider introducing a secure hardware within or dedicating one of the s to perform the tasks of .
Lp3pss with Secure Hardware
LP3PSS could also be implemented in a slightly different way by relying on a secure hardware deployed within the itself instead of using a dedicated gateway. All the computation that is performed by could be relayed to this hardware. This secure hardware, which is referred to as secure coprocessor () or as trusted platform module (TPM) in the literature, is physically shielded from penetration, and the I/O interface to the module is the only way to access the internal state of the module [36]. An that meets the FIPS 1402 level 4 [37] physical security requirements guarantees that cannot tamper with its computation. Any attempt to tamper with this from that results somehow in penetrating the shield, leads to the automatic erasure of sensitive memory areas containing critical secrets.
The SCPU may provide several benefits to the network. First, there is no need anymore of adding a new standalone entity managed by a third party to the network as was the case with . Also, despite its high cost, having an deployed within itself may reduce the communication latency that is incurred by having a gateway that needs to communicate with and with every user in the network.
In terms of performance, it was proven in [38] that at a large scale the computation inside an is orders of magnitude cheaper than equivalent cryptography that is performed on an unsecured server hardware, despite the overall greater acquisition cost of secure hardware.
All of this makes using an SCPU a good alternative to using a dedicated gateway in the network thanks to its performance and the security guarantees that it provides.
Vi Security Analysis
We first describe the underlying security primitives, on which our schemes rely, and then precisely quantify the information leakage of our schemes, which we prove to achieve our Security Objectives 1. At the end of this section, we discuss the security of the modified versions of our schemes.
Fact 1.
Fact 2.
Let and be INDCPA secure [24] and INDOCPA secure symmetric ciphers, respectively. are values and of each and for sensing periods in a group . are history lists, which include all values learned by entities , and , respectively, during the execution of the protocol for all sensing periods and membership status of . Vector is a list of INDCPA secure values transmitted over secure (authenticated) channels. may be publicly observed by all entities including external attacker . Hence, is a part of all lists . Values (jointly) generated by an entity such as cryptographic keys or variables stored only by the entity itself (e.g., , ) are not included in history lists for the sake of brevity. Moreover, information exchanged during the execution of protocol are not included in history lists, since they do not leak any information by Fact 2.
Theorem 1.
Under Security Assumptions 1, LP2PSS leaks no information on beyond INDCPA secure , INDOCPA secure order of tuple and to .
Proof: at Step 6 of Algorithm 1. History lists are as follows for each sensing period :
where are the outcomes of protocol (Steps 13, 19 & 28 of Algorithm 1). By Fact 2, protocol leaks no information beyond to and no information to anyone else. Variables in are INDCPA and INDOCPA secure, and therefore leak no information beyond the order of tuples in to by Fact 1.
Any membership status update on requires an execution of protocol, which generates a new group key . By Fact 3, guarantees key independence property (Definition 4), and therefore is only available to new members and is independent from previous keys. Hence, history lists are computed identically as described above for the new membership status of but with , which are INDCPA secure and INDOCPA secure.
Using a digital signature gives s the possibility to learn the intentions of and detect whether it is trying to locate them. Since no wants its location to be revealed, s will simply refuse to participate in the sensing upon detection of malicious activity of by verifying the signed messages. The only way that can learn the location of a in this case is when this continues to participate in the sensing even after detecting the malicious intents of .
Theorem 2.
Under Security Assumptions 1, LP3PSS leaks no information on beyond INDCPA secure , INDOCPA secure pairwise order