Private Stream Aggregation with Labels in the Standard Model†
Authors: Johannes Ernst (University of St. Gallen; most of the work done while at KIT, Karlsruhe), Alexander Koch (Competence Center for Applied Security Technology (KASTEL), Karlsruhe Institute of Technology)
† An extended abstract of this work appeared in [19].
Volume: 2021
Issue: 4
Pages: 117–138
DOI: https://doi.org/10.2478/popets-2021-0063
Abstract: A private stream aggregation (PSA) scheme is a protocol of n clients and one aggregator. At every time step, the clients send an encrypted value to the (untrusted) aggregator, who is able to compute the sum of all client values, but cannot learn the values of individual clients. One possible application of PSA is privacy-preserving smart-metering, where a power supplier can learn the total power consumption, but not the consumption of individual households. We construct a simple PSA scheme that supports labels and which we prove to be secure in the standard model. Labels are useful to restrict the access of the aggregator, because they prevent the aggregator from combining ciphertexts with different labels (or from different time steps) and thus avoid leaking information about values of individual clients. The scheme is based on key-homomorphic pseudorandom functions (PRFs) as the only primitive, supports a large message space, scales well for a large number of users and has small ciphertexts. We provide an implementation of the scheme with a lattice-based key-homomorphic PRF (secure in the ROM) and measure the performance of the implementation. Furthermore, we discuss practical issues such as how to avoid a trusted party during the setup and how to cope with clients joining or leaving the system.
Keywords: Private Stream Aggregation, Aggregator Obliviousness, Standard Model, Pseudorandom Function, Lattice-Based Cryptography, Learning With Rounding, Smart-Meters
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.