Copyright © 2006 IEEE. Reprinted from
International Conference on Parallel and Distributed Computing,
Applications and Technologies (2006 : Taipei, Taiwan)
This material is posted here with permission of the IEEE. Such
permission of the IEEE does not in any way imply IEEE endorsement of
any of the University of Adelaide's products or services. Internal or
personal use of this material is permitted. However, permission to
reprint/republish this material for advertising or promotional purposes or
for creating new collective works for resale or redistribution must be
obtained from the IEEE by writing to pubs-permissions@ieee.org.
By choosing to view this document, you agree to all provisions of the
copyright laws protecting it.
Secure Data Aggregation in Wireless Sensor Networks: A Survey
Yingpeng Sang
School of Information Science
Japan Advanced Institute of Science and Technology
Asahidai, Tatsunokuchi, Ishikawa, Japan, 923-1211
{yingpeng}@jaist.ac.jp
Hong Shen
School of Computer Science
The University of Adelaide
SA 5005, Australia
Yasushi Inoguchi, Yasuo Tan, Naixue Xiong
Japan Advanced Institute of Science and Technology
{inoguchi, ytan, naixue}@jaist.ac.jp
Abstract
Data aggregation is a widely used technique in wireless
sensor networks. The security issues, data confidentiality
and integrity, in data aggregation become vital when the
sensor network is deployed in a hostile environment. There
has been many related work proposed to address these secu-
rity issues. In this paper we survey these work and classify
them into two cases: hop-by-hop encrypted data aggrega-
tion and end-to-end encrypted data aggregation. We also
propose two general frameworks for the two cases respec-
tively. The framework for end-to-end encrypted data aggre-
gation has higher computation cost on the sensor nodes, but
achieves stronger security, in comparison with the frame-
work for hop-by-hop encrypted data aggregation.
1. Introduction
Wireless sensor networks (WSN) consist of a great deal
of sensor nodes with limited power, computation, storage,
sensing and communication capabilities. Sensors are be-
coming more and more inexpensive due to the advancement
of the relevant technologies, so WSN will have broad ap-
plications in either controlled environments (such as home,
office, warehouse, etc) or uncontrolled environments (such
as hostile or disaster areas, toxic regions, etc). WSN can
be looked as an event-based system with one “sink” sub-
scribing to specific data streams by expressing interest and
queries. The remaining sensors act as “sources” to report
environmental events to the subscriber sink. To save en-
ergy, Data aggregation is put forward as an in-network pro-
cessing which is conducted on the aggregator nodes ([13]).
An aggregator can compute the sum, average, minimum or
maximum of the data from its children sensors, and send
the aggregation results to a higher-level aggregator. WSN
can choose its aggregators dynamically according to their
power remnant to optimize the total power consumption of
the aggregation, which is outside the scope of this paper.
In this paper, we will consider the security issues in the
data aggregation of WSN. Specifically, the fundamental se-
curity issue is data confidentiality ([17]), which protects
the sensitive transmitted data from passive attacks, such as
eavesdropping. Data confidentiality is especially vital in a
hostile environment, where the wireless channel is vulnera-
ble to eavesdropping. Though there are plenty of methods
provided by cryptography, the complicated encryption and
decryption operations, such as modular multiplications of
large numbers in public key based cryptosystems, can use
up the sensor’s power quickly ([20]).
The other security issue is data integrity, which prevents
the compromised source nodes or aggregator nodes from
significantly altering the final aggregation value ([12]). Sen-
sor nodes are easy to be compromised because they lack
expensive tampering-resistant hardware, and even those
tampering-resistant hardware might not always be reliable
(as pointed in [1]). A compromised node can modify, forge
or discard messages.
Generally, two methods can be used for secure data ag-
gregation in WSN: hop-by-hop encrypted data aggregation
and end-to-end encrypted data aggregation. In the former,
data is encrypted by the sensing nodes and decrypted by the
aggregator nodes. The aggregator nodes then aggregate the
data and encrypt the aggregation result again. At last the
sink node gets the final encrypted aggregation result and
decrypt it. In the latter, the intermediate aggregator nodes
haven’t decryption keys and can only do aggregations on
the encrypted data.
Our Contributions: Our contributions in this paper
include the following:
Proceedings of the Seventh International Conference on
Parallel and Distributed Computing,Applications and Technologies (PDCAT'06)
0-7695-2736-1/06 $20.00 © 2006
1) We respectively survey the work for hop-by-hop
and end-to-end encrypted data aggregation in WSN.
There has been some survey work for key distribu-
tion s chemes in WSN, e.g., [4], but our view on these
schemes is their utilities for data aggregation. What’s
more, we also survey the integrity protection work for
WSN.
2) We propose security frameworks respectively for hop-
by-hop and end-to-end encrypted data aggregation in
WSN. The previous work merely emphasized either
protecting confidentiality or protecting integrity, but
our frameworks s ystematically address both confiden-
tiality and integrity issues.
The remainder of the paper is organized as follows: Sec-
tion 2 models the network and attacks, defines the security
goals and aggregation functions. Section 3 surveys the re-
lated work for hop-by-hop encrypted data aggregation in
WSN. Section 4 surveys the related work for end-to-end en-
crypted data aggregation in WSN. Section 5 proposes and
analyzes the security frameworks respectively for the two
types of encrypted data aggregation. Section 6 concludes
the whole paper.
2. Background
Network Model We consider a similar model with
[19] in which the nodes in the WSN can be divided into four
sets S, A, F and R:1)S is the set of sensing nodes, which
sense their environment; 2) A is the set of aggregator nodes,
which combine the sensing values from S by aggregation
functions; 3) F is the set of forwarders, which transfer the
aggregation results from A towards R hop-by-hop; 4) R is
the set of readers of the WSN, which may be base stations,
or merely the sinks which provide an access to the outside
for the WSN. It should be pointed out that S, A, F, R may
change over time and their intersections may not be φ.
Our network model can represent both the Hierarchical
WSN (HWSN) and Distributed WSN (DWSN). In HWSN,
nodes are deployed hierarchically according to their capa-
bilities. The whole network is composed of base stations
(∈R), cluster heads (∈A∪F) and sensor nodes (∈S). In
DWSN, nodes are deployed randomly in the environment.
After nodes are deployed, a transmission structure should
be constructed to aggregate data. For example, in [24] a
minimum spanning tree (MST) is constructed to gather data
with minimum energy cost in WSN. In the MST, the root
node (sink) is in the reader set R, every node in the WSN
is in S, every non-leaf node is in the aggregator set A and
the forwarder set F. The non-leaf nodes aggregate the data
they received with their own sensing data.
Attack model We assume there is only one adversary
in the WSN, it is a polynomial-time bounded probabilistic
Turing machine, it can physically access the sensors and
read their internal values. The adversary is also assumed
to be restricted in one region, so it can only compromise a
small number of sensors.
Security requirements In the data aggregation of
WSN, two security requirements, confidentiality and in-
tegrity, should be fulfilled. An adversary can breach the
data confidentiality by the following attacks: 1) eavesdrop-
ping the messages in the wireless channel; 2) compromising
a node and obtaining all keys stored in it; 3) using the com-
promised node’s keys to deduce the keys employed else-
where in the network; 4) using the compromised node’s
keys to inject unauthorized malicious sensor nodes in the
network.
The adversary can also spoil the data integrity by the fol-
lowing attacks: 1)injecting arbitrary chosen malicious data
into the compromised sensing nodes in the set S; 2)modi-
fying, forging, or discarding messages in the compromised
aggregator nodes in A and compromised forwarder nodes
in F.
Aggregation functions Given the sensing data s
i
from the sensing node S
i
in S for i =1, ..., n,thefol-
lowing aggregation function f(s
1
, ..., s
n
) can be calculated
in the WSN: 1) the Sum: f (s
1
, ..., s
n
)=
n
i=1
s
i
.2)
the Average:f(s
1
, ..., s
n
)=
n
i=1
s
i
/n.3)theMedian:
f(s
1
, ..., s
n
)=s
(r)
, r =(n +1)/2, s
(1)
, ..., s
(n)
is an
sorted order of s
1
, ..., s
n
.4)theMinimum: f (s
1
, ..., s
n
)=
min{s
i
|i =1, ..., n}.5)theMaximum: f (s
1
, ..., s
n
)=
max{s
i
|i =1, ..., n}.6)theCount: f(s
1
, ..., s
n
)=
|{s
i
|i =1, ..., n}|.
3. Hop-by-hop Encrypted Data Aggregation in
WSN
The general idea of hop-by-hop encrypted data aggrega-
tion in WSN is : 1) bootstrapping secure links among the
nodes; 2) aggregating data inside the network; 3) authenti-
cating the integrity of aggregation results.
3.1. Security Bootstrapping
The bootstrapping problem ([7]) is to establish a secure
communication infrastructure from a collection of sensor
nodes which may have been initialized with some secret in-
formation but have had no prior direct contact with each
other. The bootstrapping of hop-by-hop encryption can
be realized by two methods: 1) pair-wise key distribution
among each pair of sensor nodes; 2) group-wise key dis-
tribution among a cluster of sensor nodes. In DWSN data
confidentiality in aggregation can be protected by pair-wise
key distribution schemes. In HWSN data confidentiality in
aggregation can be protected by group-wise key distribution
schemes.
Proceedings of the Seventh International Conference on
Parallel and Distributed Computing,Applications and Technologies (PDCAT'06)
0-7695-2736-1/06 $20.00 © 2006
Pair − wise Key Distribution Schemes The
common way for pair-wise key distribution is key pre-
distribution, i.e., keys are stored in sensors before sensors
are deployed. After the deployment, each sensor establishes
a secret link with its neighbour using a common pair-wise
key which has been stored in it. Key connectivity, the
probability of one sensor node finds a common key with
its neighbour, is an important factor to be considered in the
pair-wise key distribution schemes.
Master key based solution: A simple solution is to store
a master key in all the sensor nodes ([14]). After they are
deployed, each pair of sensor nodes uses this master key
to achieve a new pair-wise key. This scheme has low re-
silience because the compromising of one node will lead to
the compromising of the whole network.
Pair-wise key pre-distribution solution: There is another
straightforward solution in which each sensor node stores
N − 1 secret pair-wise keys, each of them is known only to
this sensor node and one of the other N − 1 sensor nodes.
This solution has good resilience but is impractical because
a sensor node has limited storage and the size of the network
(N) could be very large. What’s more, this solution isn’t
scalable to accept new nodes after the deployment of the
network because the deployed nodes may haven’t the keys
of the new node.
Random key pre-distribution solutions: A basic ran-
dom key pre-distribution scheme is proposed in [10]: in
the key-predistribution phase, each sensor node receives
a random subset of k keys from a large key pool of K
keys. In the shared-key discovery phase, to agree on a
key for communication, two nodes find one common key
within their subsets and use this key as their shared se-
cret key. The probability of key share among two sensor
nodes is
((K−k)!)
2
(K−2k)!K!
.Inthepath-key establishment phase,
any pair of nodes (i, j) can securely establish a pair-wise
key K
i,j
through a path i, v
1
, ..., v
n
,j, ordinally by sending
E
K
i,v
1
(K
i,j
),E
K
v
1
,v
2
(K
i,j
)..., E
K
v
n
,j
(K
i,j
).
This scheme is improved in [7]: a random set of (N −
1)p (0 <p<1) pair-wise keys is stored in each sensor
node. The key connectivity becomes p because with proba-
bility p two nodes can be connected. The memory required
for storing keys is decreased and good resilience is kept.
Key pre-distribution schemes with deployment knowl-
edge: A location-based scheme is proposed in [15] to im-
prove the work in [10]: it assumes that each sensor node
has an expected location that can be predicted. Then each
sensor is preloaded with the pair-wise keys of its c closest
neighbours. This solution has low memory usage but good
connectivity.
Another work in [8] divides sensor nodes into t × n
groups, and deploys sensors in each group by Gaussian
distribution. Compared with [10], key connectivity is im-
proved while keeping good resilience.
Other solutions: There are also a few key pre-
distribution schemes based on other techniques. The
scheme in [5] is based on block design in combinatorial de-
sign theory. In [9], each pair of nodes can calculate corre-
sponding field of the key matrix and use it as the pair-wise
key. The scheme in [16] uses the evaluation of symmetric
polynomial P(x, y)(P (x, y)=P (y, x)) at the ID of each
nodes pair (i, j) to get a pair-wise key K
i,j
= P (i, j).
Group − wise Key Distribution Schemes
Group-wise Key Distribution Schemes are mainly used for
HWSN. There are two types of distributions:
Symmetric group-wise key distribution: In [2], a sym-
metric key can be generated among t nodes by evaluating
a symmetric multivariate polynomial P (x
1
, ..., x
t
) at each
node.
Asymmetric group-wise key distribution: In [18], the
memory of each sensor node is pre-loaded with the ECC
(elliptic curve cryptography) domain parameters. After de-
ployment, each sensor will compute its EC-public/private
key pair and broadcast its public key to all nodes within the
cluster. According to their comparisons, the computation
complexity of ECC is lower than DSA/RSA cryptosystem,
but higher than the symmetric cryptosystem.
3.2. Data Integrity
A few related work assumes that hop-by-hop data con-
fidentiality has been protected by some key distribution
schemes, and proposes independent schemes from those
schemes for data confidentiality to protect data integrity.
In [12], the data integrity protection scheme assumes
that each node (e.g., node A) is initialized before deploy-
ment with a symmetric pair-wise key, e.g., K
AS
, shared
with the base station S. A secure self-organizing proto-
col is also assumed to be used to form a routing hierar-
chy where each node has an immediate parent. In the i-th
data transmission phase, a leaf node A computes a tempo-
rary key K
i
AS
(= E(K
AS
,i)) based on K
AS
, sends its data
reading R
A
, node id ID
A
and message authentication code
MAC(K
i
AS
,R
A
) on R
A
to its parent. The parent node
B calculates the aggregation of its children nodes readings,
sends the result Aggr, node id ID
B
and message authenti-
cation code MAC(K
i
BS
, Aggr) on Aggr to its parent. The
final aggregation and its MAC is sent to the base station.
In the data validation phase, the base station verifies the fi-
nal aggregation, and broadcasts the temporary keys (K
i
AS
,
K
i
BS
, ...). Using these pair-wise keys, the intermediate ag-
gregation results can be verified by the intermediate aggre-
gators. This scheme has low communication cost because
the data readings of each sensor node isn’t needed to be
transmitted to the base s tation, but is vulnerable because the
intermediate aggregation is easy to tamper if a parent and a
child node in their hierarchy are compromised.
Proceedings of the Seventh International Conference on
Parallel and Distributed Computing,Applications and Technologies (PDCAT'06)
0-7695-2736-1/06 $20.00 © 2006
The vulnerability of [12] is improved in [18]. The in-
tegrity of sensor readings is ensured with the help of a
Merkle Hash Tree. In the data transmission phase, the sen-
sors transmit the encrypted value of their readings along
with its hash to the cluster-head, and the cluster-head builds
a Merkle Hash Tree based on the hash values of the read-
ings. In the data validation phase, the base station queries
to the cluster-head on the individual readings. The draw-
back of this scheme is its high communication cost on data
validation.
The work in [21] proposes an efficient way to verify the
data integrity. After the aggregator sends the aggregation
results and the commitment of the sensor readings based on
Merkel Hash Tree, the base station needn’t to repetitively
query the aggregator of the sensor readings. It can engage
an interactive proof with the aggregator and checks whether
the aggregation result is correct. The communication cost is
lower than [18] because the interactive proof achieves sub-
linear communication complexity.
4. End-to-end Encrypted Data Aggregation in
WSN
Hop-by-hop encrypted data aggregation leaves aggrega-
tor nodes vulnerable to attacks because the sensor read-
ings will be decrypted on those aggregators. End-to-end
encrypted data aggregation is an alternative to address this
vulnerability issue. It provides end-to-end privacy between
sensor nodes and the sink. The aggregators aggregate the
encrypted sensor readings without decrypting them, so the
end-to-end privacy should be realized by homomorphic
cryptosystems.
4.1. Network-wise Key Distribution
End-to-end privacy needs to establish a network-wise
key between the sink and all the sensor nodes. Network-
wise key distribution schemes include the master key based
and public key based solution.
Master key based solution: In [6] and [11], it’s assumed
that the sensor nodes share a common secret key K with the
sink, but the aggregator nodes haven’t this key. Modular ad-
dition and Domingo-Ferrer’s scheme are used respectively
by them to encrypt data, and both of them are additive ho-
momorphic. Sensor nodes S
i
(1 ≤ i ≤ n) sends their en-
crypted readings E
K
(R
i
) to the aggregator node. The lat-
ter calculates the encrypted aggregation E
K
(f(R
1
, ..., R
n
))
based on E
K
(R
i
) and sends it to the sink. The s ink de-
crypts E
K
(f(R
1
, ..., R
n
)) and gets the aggregation result.
The limitation is that the whole network will be compro-
mised if K on one sensor node is compromised.
Public key based solution: In [19], each sensor node
uses the public key of the base station to encrypt its read-
ing employing some homomorphic public key encryption
schemes. The base station is assumed to have strong relia-
bility so that it’s not easy to be compromised. The public
key encryption schemes are constructed on elliptic curves
in [19], but computation requirement in encryption is still
high for the sensor nodes.
4.2. Data Integrity
Compared with hop-by-hop encrypted data aggregation,
there isn’t any more efficient way proposed to protect data
integrity in end-to-end encrypted data aggregation. In [23],
it is assumed that there isn’t any aggregator node inside the
WSN. Each sensor node sends its reading to the sink using
end-to-end encryption. The sink employs truncation and
trimming on the readings to achieve robust aggregation re-
sult against spoofed sensor readings. But when the network
size is very large, the communication cost will be very high
for the transmission of all sensor readings to the sink.
5. Two Frameworks for Data Aggregation in
WSN
As pointed out in Section 3, security requirements in data
aggregation include data confidentiality and integrity, but
by the survey in Section 3 and 4, related work focuses only
on either one of the two requirements. In this section we
proposes two frameworks respectively for hop-by-hop and
end-to-end encrypted data aggregation in WSN, aiming at
systematically tackling the attacks on both data confiden-
tiality and integrity.
5.1. Framework 1: Hop-by-hop Encrypted
Data Aggregation
1) the bootstrapping phase: For controlled environment,
HWSN can be constructed and a group-wise key can
be generated for all nodes within each cluster. For
uncontrolled environment, DWSN can be constructed
and pair-wise keys can be distributed among each pair
of sensor node.
2) the aggregator selection phase: Thesinkorbasesta-
tion can select aggregators to construct a transmission
structure with minimum energy cost (e.g., using the
technique in [24]). The transmission structure is com-
posed of S, A, F, R as defined in the network model
of section 2.
3) the data aggregation phase: Suppose n is the num-
ber of the children of an aggregator A, the children
nodes S
i
(1 ≤ i ≤ n) encrypt their readings x
i
as
E
K
S
i
,A
(x
i
), and sends it to A. K
S
i
,A
is the pair-wise
Proceedings of the Seventh International Conference on
Parallel and Distributed Computing,Applications and Technologies (PDCAT'06)
0-7695-2736-1/06 $20.00 © 2006