The progress in communication and hardware technology increases the computational capabilities of personal devices. Aggregators, acting as third parties, are interested in learning a statistical function as the sum over a census of data. Users are reluctant to reveal their information in cleartext, since it is treated as personal sensitive information. The paradoxical paradigm of preserving the privacy of individual data while granting an untrusted third party to learn in cleartext a function thereof, is partially addressed by the current privacy-preserving aggregation protocols. Current solutions are either focused on an honest-but-curious Aggregator who is trusted to follow the rules of the protocol or model a malicious Aggregator with trustworthy users. In this paper, we are the first to propose a protocol with fully malicious users who collude with a malicious Aggregator in order to forge a message of a trusted user. We introduce the new cryptographic primitive of convertible tag, that consists of a two-layer authentication tag. Users first tag their data with their secret key and then an untrusted Converter converts the first layer tags in a second layer. The final tags allow the Aggregator to produce a proof for the correctness of a computation over users’ data. Security and privacy of the scheme is preserved against the Converter and the Aggregator, under the notions of Aggregator obliviousness and Aggregate unforgeability security definitions, augmented with malicious users. Our protocol is provably secure, and experimental evaluations demonstrate its practicality.

通信和硬件技术的进步提高了个人设备的计算能力。充当第三方的聚合器有兴趣了解统计功能作为数据普查的总和。用户不愿意以明文形式透露其信息，因为该信息被视为个人敏感信息。当前的隐私保护聚合协议部分地解决了在保留单个数据的隐私同时允许不可信的第三方以明文形式学习其功能的矛盾范式。当前的解决方案要么专注于诚实但好奇的聚合器，该聚合器被信任遵循协议规则，要么使用可信赖的用户对恶意聚合器进行建模。在本文中，我们是第一个提出针对完全恶意用户的协议，这些用户与恶意聚合器合谋以伪造受信任用户的消息。我们介绍了新的加密原语可转换标签，由两层身份验证标签组成。用户首先用他们的秘密密钥标记他们的数据，然后不受信任的转换器将第一层标记转换为第二层。最终标签允许聚合器针对用户数据生成计算正确性的证明。在聚合器遗忘和聚合不可伪造安全性定义的概念下，针对转换器和聚合器，保留了方案的安全性和隐私性，并增加了恶意用户。我们的协议可证明是安全的，实验评估证明了它的实用性。