Secure and collusion-resistant data aggregation from convertible tags

The progress in communication and hardware technology increases the computational capabilities of personal devices. Aggregators, acting as third parties, are interested in learning a statistical function as the sum over a census of data. Users are reluctant to reveal their information in cleartext, since it is treated as personal sensitive information. The paradoxical paradigm of preserving the privacy of individual data while granting an untrusted third party to learn in cleartext a function thereof, is partially addressed by the current privacy-preserving aggregation protocols. Current solutions are either focused on an honest-but-curious Aggregator who is trusted to follow the rules of the protocol or model a malicious Aggregator with trustworthy users. In this paper, we are the first to propose a protocol with fully malicious users who collude with a malicious Aggregator in order to forge a message of a trusted user. We introduce the new cryptographic primitive of convertible tag, that consists of a two-layer authentication tag. Users first tag their data with their secret key and then an untrusted Converter converts the first layer tags in a second layer. The final tags allow the Aggregator to produce a proof for the correctness of a computation over users' data. Security and privacy of the scheme is preserved against the Converter and the Aggregator, under the notions of Aggregator obliviousness and Aggregate unforgeability security definitions, augmented with malicious users. Our protocol is provably secure, and experimental evaluations demonstrate its practicality.