CAE: A Collusion Attack against Privacy-preserving Data Aggregation Schemes Wei Yang University of Science and Technology of China (USTC) Contact Me.

Privacy-preserving Data Aggregation Schemes
Nowadays, more and more data are generated and accumulated, both from the physical world and from interactions between humans. Performing efficient data aggregation while preserving the privacy of user-related data is of high concern. Extensive research has been conducted on this problem in multiple areas. In fact, the security of a number of privacy-preserving protocols is threatened by collusion between participants. Therefore, security analysis plays a fundamental role in privacy-preserving data aggregation protocols.

Hamburger Attack Model
Question: Under what condition can a collusion attack be applied to a privacy-preserving data aggregation protocol?
In a previous work of ours, we investigated the degree to which collusion attacks violate privacy under different aggregation protocols. We proposed a new attack model named Hamburger Attack, which involves two participants, the top bread and the bottom bread. The Hamburger Attack not only breaks the famous data aggregation scheme CPDA, but also breaks some newer schemes which are claimed to resist collusion attacks. However, the mechanism of the Hamburger Attack is vague: there is neither a formalized model nor a rigorous description of the conditions under which the attack succeeds. Also, it is not clear whether the Hamburger Attack works on other data aggregation schemes, or on what kind of aggregation schemes it works. Here, a natural and important question arises: under what condition can a collusion attack be applied to a privacy-preserving data aggregation protocol?

CAE Model
In this work, we tackle this question with the idea of emulation. More specifically, we construct a Collusion Attack Emulator, namely CAE, for privacy-preserving data aggregation schemes. With this new tool, we can check data aggregation protocols and determine whether a collusion attack can be applied to them. In addition, if some protocols are identified as insecure, i.e., they do not pass the CAE security check, we can design a collusion attack strategy pertinent to the CAE procedure more easily.

Key definition 1: Check Points
Two key definitions are very helpful in our CAE model. The first is check points.

Key definition 2: Procedure Distinguishability
The second key definition is Procedure Distinguishability. By this definition, if two outputs of a protocol cannot be distinguished by any computer procedure, they are said to be Procedure Indistinguishable. For example, take two probability ensembles {Xn} = r and {Yn} = 10r, where r is distributed uniformly at random over the real number field. Suppose Alice outputs a sequence of values using one of {Xn} and {Yn} as her source, and Bob outputs another sequence using the other ensemble. Then we cannot distinguish between these two sequences and thus cannot tell which probability ensemble Alice adopted, and vice versa. In this situation, we say that these two probability ensembles are Procedure Indistinguishable. On the other hand, if r is distributed uniformly at random over the integer field, then it is not hard to see that {Xn} = r and {Yn} = 10r are Procedure Distinguishable, as long as enough outputs are produced (in probabilistic polynomial time).
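The r versus 10r example above, carried out as an added Python illustration (not code from the slides): one concrete procedure and its distinguishing advantage when r is integer-valued and when it is real-valued. The bounded ranges standing in for "the integer field" and "the real number field", and all function names, are assumptions.

```python
import random

def draw(ensemble, domain, rng, n, bound=10**12):
    """n outputs of {Xn} (r) or {Yn} (10r). 'int': r uniform on the integers in [-bound, bound];
    'real': r a uniform float on [-bound, bound]. Both are assumed stand-ins for the slide's
    'uniform over the integer field' / 'uniform over the real number field'."""
    rs = [rng.randint(-bound, bound) if domain == "int" else rng.uniform(-bound, bound)
          for _ in range(n)]
    return rs if ensemble == "X" else [10 * r for r in rs]

def survives(s, domain):
    """One candidate test: is s/10 still an element of the domain? Over the integers that
    requires 10 | s; over the reals it is always true, so the test carries no information."""
    return s % 10 == 0 if domain == "int" else True

def procedure(samples, domain):
    """Guess {Yn} when every output survives the test, otherwise guess {Xn}."""
    return "Y" if all(survives(s, domain) for s in samples) else "X"

def advantage(domain, n=8, trials=300, seed=1):
    """|Pr[procedure says Y | outputs from Yn] - Pr[procedure says Y | outputs from Xn]|.
    A gap that does not vanish with n means the ensembles are Procedure Distinguishable;
    under {Xn} a wrong 'Y' guess happens with probability 10^-n in the integer case."""
    rng = random.Random(seed)
    rate = {}
    for ens in ("X", "Y"):
        rate[ens] = sum(procedure(draw(ens, domain, rng, n), domain) == "Y"
                        for _ in range(trials)) / trials
    return abs(rate["Y"] - rate["X"])
```

Over the integers the advantage is essentially 1 already for a handful of outputs; over the reals this procedure, like any other, gains nothing because scaling by 10 maps the domain onto itself.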

The general idea of CAE Model
Using a constant number as its input to interact with the HA box
Judging with whom it is interacting
In the CAE model, an emulator Ei for a participant pi in a privacy-preserving data aggregation scheme has no knowledge of the participant's private input. Instead, it uses a constant number, a value known to all participants in the scheme, as its input. Meanwhile, Ei is assumed to be aware of the whole execution procedure of the data aggregation scheme. The mission of emulator Ei is to emulate the behavior of participant pi. If two colluding participants pa and pb cannot distinguish between Ei and pi, we say that Ei perfectly conceals the private data of pi against the collusion attack of pa and pb. However, if Ei cannot pass the CAE check, namely it is identified (by pa and pb) as using the constant value as its input, then the private input of pi is vulnerable to collusion attack.
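The emulator check described above, as an added example that is not from the slides or from any scheme they analyse. It assumes a toy pairwise-masking aggregation over Z_Q (a textbook construction chosen as a stand-in), with p_0 as the target and p_1, p_2 colluding: the colluders' procedure strips the masks they hold from p_0's message and tests whether the remainder equals the public constant. With three parties the emulator E_0 is identified in every round, so the scheme fails the CAE check; with a fourth, honest party a mask the colluders do not hold blinds the remainder, and E_0 and p_0 become Procedure Indistinguishable.

```python
import secrets
Q = 2**31 - 1   # assumed: inputs and masks live in Z_Q (a toy choice, not from the slides)
CONST = 0       # the public constant an emulator uses in place of a private input
def run_round(inputs):
    """One round of an assumed pairwise-masking aggregation: each pair (i, j), i < j, shares
    a fresh uniform mask; party i adds it, party j subtracts it, so masks cancel in the sum."""
    n = len(inputs)
    masks = {(i, j): secrets.randbelow(Q) for i in range(n) for j in range(i + 1, n)}
    msgs = []
    for i in range(n):
        m = inputs[i]
        for j in range(n):
            if j > i:
                m += masks[(i, j)]
            elif j < i:
                m -= masks[(j, i)]
        msgs.append(m % Q)
    return masks, msgs

def aggregate(msgs):
    return sum(msgs) % Q   # the aggregator sees only masked messages; their sum is the input sum

def colluders_view_of_target(masks, msgs, target, colluders):
    """p_target's message with every mask the colluders hold removed (p_a and p_b's procedure)."""
    v = msgs[target]
    for c in colluders:
        v = v - masks[(target, c)] if c > target else v + masks[(c, target)]
    return v % Q

def cae_check(n, rounds=200, target=0, colluders=(1, 2)):
    """Blind detection: run the scheme with the real p_target (fresh random input each round)
    and with its emulator E_target (input CONST); the colluders flag a round as 'emulator'
    when their stripped value equals CONST. Returns (flag rate vs E_target, vs p_target)."""
    rates = []
    for use_emulator in (True, False):
        hits = 0
        for _ in range(rounds):
            inputs = [secrets.randbelow(Q) for _ in range(n)]
            if use_emulator:
                inputs[target] = CONST
            masks, msgs = run_round(inputs)
            assert aggregate(msgs) == sum(inputs) % Q   # masks cancel: aggregation stays correct
            hits += colluders_view_of_target(masks, msgs, target, colluders) == CONST
        rates.append(hits / rounds)
    return tuple(rates)

def distinguishable(n, rounds=200):
    emu_rate, real_rate = cae_check(n, rounds)
    return emu_rate - real_rate > 0.5   # large gap: E_target is Procedure Distinguishable from p_target
```

distinguishable(3) is True (explanation function: the colluders' stripped value is exactly p_0's input), while distinguishable(4) is False because x_0 + m_03 is uniform whether or not x_0 is the constant.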

Two functions of CAE Model
Explanation function: an aggregation scheme is already known to be vulnerable to collusion attack, and we use CAE to explain why it is insecure.
Blind detection function: we do not know in advance whether an aggregation protocol is secure, and employ CAE to check its security and, if the protocol fails the CAE test and is thus insecure, to find its loophole.
Proof function.
In this work, we demonstrate two helpful functions of our CAE model. The first function is known-attack analysis. That is, the aggregation scheme is already known to be vulnerable to collusion attack, and we use CAE to explain why it is insecure. The second function is blind detection, i.e., we do not know in advance whether an aggregation protocol is secure, and employ CAE to check its security and (if the protocol fails the CAE test and is thus insecure) to find its loophole.


THANK YOU! Contact Me qubit@ustc.edu.cn