Sage Journals: Discover world-class research

Abstract

To address the problem of storage nodes in wireless sensor networks being vulnerable to attack, this article proposes a new range query protocol, WQuery, based on multidimensional data privacy and integrity protection. To ensure the privacy of multidimensional data, the WQuery protocol encodes multidimensional sensing data and user query requests based on a bucket-partitioning scheme and sequential encryption mechanism at the sensor node and sink node. Therefore, the storage nodes cannot sense the real value of sensing data and query requests under the premise of correctly executing the request. To ensure the integrity of the multidimensional data query results, WQuery includes an integrity verification scheme based on the new tree-to-destination data structure. The scheme translates the actual query scope of a user request into a matched set of bucket labels and verifies the integrity of query results through the tree-to-destination data structure. Simulation results show that the tree-to-destination scheme is flexible, easy to implement, and highly secure, thereby effectively reducing energy consumption.

Keywords

Two-tiered sensor network multidimensional data range query privacy preservation integrity verification

Introduction

Wireless sensor networks (WSNs) play important roles in healthcare, geological detection, military defense, and other fields.^1–3 Yet, the practical use of WSNs can present serious concerns regarding privacy disclosure. Attackers may obtain sensitive information by hacking, forging, or otherwise attacking unauthorized sensor nodes. In the medical field, patients’ private information can be swiftly disclosed if their medical data are hacked.¹ In military applications, grave consequences can follow from adversarial access to important data such as event locations. Therefore, the question of how to guarantee the privacy and integrity of data in WSNs has become a major research focus.

Traditional WSNs consist of many sensor nodes deployed in a specific area. Given budgetary constraints related to calculation, storage, and energy recourse, sensor nodes can only communicate with neighboring nodes via a rather simple multihop communication structure. Sensor nodes cooperate with each other to complete a query request based on the query protocol. In a traditional two-tiered WSN, storage nodes (SNs) comprise the middle tier of the Internet. SNs are obligated to collect and save data gathered by perception nodes; the upper network, made of sensor nodes, collaborates on query instructions from the sink. These two schemes differ substantially. In a traditional WSN, sensor nodes are responsible for data collection and storage within a given time period. The nodes also correspond to and perform query instructions from the sink in a two-tiered WSN. However, the sensor nodes are only obligated to collect data to be sent to the SN to store. The SN is in charge of query requests rather than the sensor nodes. Therefore, the network lifespan of the two-tiered WSN is longer than that of a traditional WSN, and the two-tiered WSN is steadier under identical conditions.

In a two-tiered WSN, the lower network tier consists of sensor nodes with limited computational ability, and the upper tier consists of few SNs with sufficient resources. The advantages of bringing the SN into the sensor network are as follows: (1) prolonged Internet lifespan (sensor nodes can transmit data to the nearest SN by one or multiple hops instead of sending data to a distant sink, thereby decreasing the hops needed to transmit data packets while also reducing Internet communication consumption); (2) increased query efficiency, such that the SN can better perform complicated query operations and effectively reduce the response delay; and (3) improved flexibility (the SN can simplify the management operation of Internet topology when nodes increase or decrease). Although SN makes the data storage and query process more convenient in WSNs, it also increases the risk of privacy disclosure. The two-tiered WSN adopts wireless communication that allows attackers to more easily attack communication links and capture nodes, as deployed sensor nodes are not monitored. Because the SN stores a large amount of perception data from sensor nodes, which is crucial for managing data queries, the SN is a key target of attack. An attacked SN poses a severe threat to Internet data security.

The two-tiered WSN is a distributed sensor network with many query modes including range query, top-k query, maximum or minimum value query, and space-time query.^4–7 The current research focuses on the range query, which can serve as a guide for other queries. This article specifically examines a multidimensional data range query based on WSNs and proposes a query method (WQuery) to verify privacy protection and the multidimensional data range query method. The main contributions of this article are as follows:

It proposes a new scheme for secure data storage and query processing of range query data using bucket label retrieval.

It proposes a highly efficient tree-to-destination (T2D) data structure to verify the integrity of results.

Compared with current schemes, the proposed method does not require data to be saved, thus enhancing data privacy.

The proposed scheme offers advantages related to energy consumption and storage overhead.

Theoretical analysis and simulation experiments analyze and verify the security and effectiveness of the scheme.

The remainder of this article is organized as follows. Section “Relevant background” outlines relevant research. Research models and secure targets are presented in section “Model.” Section “Data privacy protocol” explains the encryption process for multidimensional data. Section “System analysis” presents privacy and integrity analysis. Section “Experimental analysis” carries out the simulation analysis. Finally, conclusions are offered in section “Conclusion.”

Relevant background

In WSN research, the privacy and integrity protection of multidimensional range queries is a common focus,^8–10 especially pertaining to data privacy and integrity in the two-tiered WSN model. The current secure query scheme mainly solves security problems introduced by SN capture. These problems can be classified into two types: privacy attack and integrity attack. In privacy attacks, attackers obtain clear data through captured nodes while still following the network protocol. In integrity attacks, attackers pretend to be legal nodes and release false data by inserting, modifying, or deleting data to destroy the query integrity, leading to incomplete or false query results.

Sheng and Li¹¹ and others have applied a bucket-partitioning scheme for data privacy protection in a security range query for WSNs and proposed an encoding number scheme to verify the integrity of results. Shi et al.¹² further optimized a bucket-partitioning scheme to solve the problem of communication waste resulting from edge mistakes and then proposed a spatiotemporal crosscheck verification method, but it is not suitable for multidimensional data. Zhang et al.¹³ further developed the approach introduced in Shi et al.¹² and proposed a secure scheme that leveraged a bitmap scheme to realize spatiotemporal crosscheck verification. The scheme was then applied to multidimensional data range queries to reduce the cost of data communication in networks and save energy. The above works mainly focus on the privacy protection scope query, but ignores the destruction of the collusion attack, the probabilistic attack, and the differential attack. Zeng et al.¹⁴ proposed the energy-saving and multidimensional range query protocol PERQ. Considering these kinds of attacks, the generalized distance and modular operation range query mechanism is used to improve the security, but also increases the energy consumption.¹⁵ Reference bucket-partitioning and symmetric encryption technology, using hash-based message authentication coding (HMAC) method, to construct code information for checking the integrity verification of query results, and fusion processing of range query according to bucket label, reducing data communication costs. In this article, the bucket-partitioning¹⁵ scheme is used to perform WQuery queries to ensure the privacy of data.

However, the attacker may estimate the perceived data and query results by capturing the SN to destroy the integrity of the data. To address this problem, a prefix code validation scheme was proposed in Chen and Liu^16,17 to provide SafeQ (Secure and Efficient Query processing). This scheme demonstrated acceptable security and performed quite well in storage overhead but carried a high communication cost. To rectify these issues, the scheme used the bloom filter mechanism to optimize query processing. As SafeQ adopts the prefix code scheme, sensor nodes are required to transfer substantial code data, allowing for further optimization of energy consumption. Tsou et al.¹⁸ proposed the use of the XOR linked list (X2L) data structure, allowing the queryer to verify the integrity of the retrieved data by means of so-called verification information, that is, to store the neighborhood differences in an efficient way, to ensure safe range query, but in the linked list. The amount of data is increased during the construction process.

The literature^10,19 adopts the concept of value chain and the encryption constraint chain model to verify the integrity of the query results and effectively reduce the amount of data added during the prefix encoding process, but it will generate a lot of energy consumption when querying multidimensional sensory data. To this end, Bu et al.²⁰ gives a VQuery protocol for privacy protection single-dimensional and multidimensional range query. VQuery encodes the data range and query conditions based on polynomial technology to hide the real sensitive information, complete the result integrity authentication based on the watermark chain, and propose multidimensional interval tree structure to represent multidimensional data, effectively reducing communication overhead. The above research effectively solves the accurate query and verification of small- and medium-sized WSNs network data. R Li et al.²¹ implement data privacy protection based on pseudo-random hash function and Bloom filter and uses data partitioning algorithm to achieve complete query results. Sexual detection proposed a solution for large network sizes.

This article realizes the goals of privacy protection and integrity verification for a multidimensional range query by using the order encryption mechanism (OEM). OEM technology allows SNs to complete a range query by matching stored encrypted data blocks and the query command of an encrypted state and to some extent prevents the data leakage of the captured SN. To verify the integrity of the query results, a new T2D data structure based on a bucket-partitioning scheme is proposed to transform sensed data and data in the upper and lower bounds of the query range into corresponding bucket labels. The perceived data reduce the communication overhead by reducing the data search time. The solution proposed in this article has good performance in ensuring data security and integrity. This article verifies the performance of our method in section “Experimental analysis.”

Model

Network model

In traditional WSNs, users collect all perception data gathered by the sensor nodes and complete local queries, an approach suitable for small-scale networks but one that consumes excessive energy (i.e. adjacent nodes requiring more energy consume energy quickly).²¹ Meanwhile, maintaining a real-time communication path between sensor nodes and sink nodes in a distant or unfavorable environment is difficult. Given these conditions, an in-network storage sensor node model is proposed in this article. The two-tiered WSN is intended to help realize in-network storage. In this model, sensor nodes store continuous data in the interior part of an SN, which users can visit.²²

The two-tiered sensor network²³ has a simple topological structure, high query efficiency, and stable link quality as displayed in Figure 1. The network is divided into several cells, and each unit consists of sensor nodes, an SN, and a sink, denoted as $cell = (SN, {s_{1}, s_{2}, \dots, s_{i}})$ . Sensors are a form of microequipment; they possess weak processing, storage, and communication abilities but offer low cost and energy consumption. They are often deployed in monitoring areas to process periodic sampling and send collected perception data regularly to the owner cells. A network can contain thousands or more sensor nodes. The SN serves as a bridge between sensor nodes and the sink, providing data storage service for neighboring sensors and processing queries from the sink. First, the sink receives query commands from users and sends them to the SN after processing. The SN then returns satisfactory commands to the sink in accordance with the query commands. Finally, the sink verifies the integrity of the returned query results and returns final results to users.

Figure 1.

Two-tiered wireless sensor node network model.

The sensor nodes, SN, and sink are assumed to be loosely in sync, meaning their time does not overlap. Every sensor node collects $m$ data in the time cycle. The data collected by sensor $s_{i}$ is denoted as $(i, t, {d_{1}, d_{2}, \dots, d_{m}})$ , in which $i$ is the number of sensor nodes, $t$ is a periodic sequence, and $t$ is the data gathered by sensor node $s_{i}$ in periodic sequence $t$ . This article focuses on the range query in a cell $cell = (SN, {s_{1}, s_{2}, \dots, s_{i}})$ in a periodic sequence. For a range query with multiple cells and more than one periodic sequence, the subqueries in each time sequence in each query cell must first be processed; then, all subseries query results can be combined to obtain overall query results.

Attack model and secure objectives

WSN is the physical sensor part of data collection and processing in the Internet of Things (IoT) system,²⁴ mainly in the sensing layer of the IoT system, used to perform different measurements (i.e. temperature, acceleration, humidity) and functions. Due to limited node resources and distributed organizational structure, the main security threats from the WSNs are as follows.

Attack of the sensor node. This type of attack is mainly concentrated on the hardware components of the system. There are two main types of attacks: (1) physical attacks. An attacker may access the system by physically replacing the entire node or part of its hardware to change sensitive information (such as a shared encryption key) or by physically injecting malicious code to attack the node to cause damage to the sensor node. (2) Simulated attacks and denial of service (DoS) attacks. An attacker exploits the node’s limited processing power to make a node unusable or allows a malicious node to use a fake identity for a malicious or conspiracy attack.

Data transmission attacks. Various attacks on confidentiality and integrity during data transmission.

For the above two types of attacks, we will analyze in detail in the privacy protection section of section “System analysis.”

In the two-tiered WSN attack model, attacks on the privacy and integrity of perception data can be categorized as either exterior or interior. An exterior attack is one in which attackers outside the WSN infer corresponding perception data without obtaining keys by capturing the encrypted text between the wirelessly transmitted sensor nodes and SN. An interior attack is one in which the attackers infer clear data while collecting an encrypted text index, querying, and comparing by attacking single or multisensor nodes. For collusion attacks, attackers obtain sensitive data information by colluding with the SN and sensor nodes. Collusion attacks among sensor nodes only disclose information about captured data, exerting a minor impact on the entire Internet. However, collusion attacks among the SN and sensor nodes could potentially disclose all data information on the SN, causing serious damage.

Sensor nodes and sinks are assumed to be reliable. The number of sensor nodes subject to attack is limited because when the number of attacked nodes reaches a certain threshold, the network ceases to function normally. Sensor nodes are indeed vulnerable to attack, but for the whole sensor node network, the data collected by a single sensor among all sensors are negligible. Thus, attacks on sensor nodes are not considered in this article. In contrast to sensors, the SN stores extensive sensor node data and facilitates query processing. When an SN is captured, attackers can access vast perception data to either forge false query results or provide users with incomplete query results. Attackers can infer clear data by collecting the encrypted text index, querying, and comparing, which infringes on data privacy and may compromise query range privacy as well. Meanwhile, a captured SN can destroy data integrity by distorting or deleting query results. In distortion, the captured SN falsifies data that do not satisfy the query range and returns them to users. In deletion, the captured SN returns partial data as query results, ignoring the sensor nodes satisfying the query range intentionally; this attack reduces the integrity of the results. Once an SN is attacked, consequences are much more serious than when a sensor node is captured. As such, this article focuses on the scenario in which an SN is under attack.

The primary security objectives of two-tiered sensor networks are as follows:

Data privacy and query privacy. Data privacy indicates that an SN cannot access the actual value of data collected by sensor nodes, guaranteeing that attackers will not understand data stored in a damaged SN. Query privacy indicates that the SN cannot access the actual value from the sink, guaranteeing that attackers will not understand or infer query commands from a damaged SN.

Data integrity. Perception data collected by sensor nodes may be transmitted by other middle nodes and could require minimal calculation from data collection to the base stations. Integrity requires that data be transmitted truthfully and calculated accurately. Integrity has a direct impact on query results; in this sense, integrity refers to result integrity such that the final results received by base stations should consist of true results, excluding those containing maliciously distorted and deleted information.

Data privacy protocol

Bucket-partitioning scheme

Based on a bucket-partitioning scheme,²⁵ this article effectively realizes data privacy and query privacy and verifies the integrity of query results. A bucket-partitioning scheme divides a value range into many continuous ranges. Each range is called a bucket, and each bucket is assigned a unique label. Bucket-partitioning schemes are shared between sensor nodes and the sink. Before sensor nodes send perception data to a SN, sensor nodes label each datum based on the sub-bucket to which it belongs. Data with the same label are encrypted into a data block. Meanwhile, the sink transforms query commands into a series of label values based on the same bucket-partitioning scheme and sends these labels as query commands to SNs. The SNs query labels in the query range and their corresponding encrypted values in the collected data blocks before sending these values to the sink. The sink shares secret keys with sensor nodes and encodes encrypted data to obtain query results.

The bucketing scheme needs to be adapted to the data range query, and the selection of the step size optimal value is beneficial to better ensure the privacy of the data. Assuming that the data generated by each sensor follows the same distribution, the optimal parameters can be obtained from the theoretical model¹⁵ or empirical data, but the query characteristics, that is, the range specification and the query frequency, need to be considered. Assume that the query in the full scope query set is represented as

$\begin{matrix} q_{i} = t_{i}, [a_{i}, a_{i}], a_{i} \in [d_{\min}, d_{\max}], b_{i} \in [a_{i}, d_{\max}] \end{matrix}$ (1)

where $d_{\min}$ and $d_{\max}$ are the minimum and maximum values of the collected data, and t_i represents a certain moment, and there is no other $q_{j}$ such that $a_{i} = a_{j}$ and $b_{i} = b_{j}$ . Let $L$ be the value range, $L = d_{\min} - d_{\max} + 1$ . Therefore, there are $L (L + 1) / 2$ possible ranges in this group.

Assume that the data collected by sensors are discrete and limited, such that $Data \in [d_{\min}, d_{\max}]$ . $d_{\min}$ is the lower limit of the range and $d_{\max}$ is the upper limit. We define step size $λ$ and divide the data into various continuous buckets of the same length. Neighboring buckets do not overlap. This article assigns each bucket a unique bucket label $T_{l} (1 \leq l \leq γ)$ , in which $γ = ⌈ (d_{\max} - d_{\min}) / λ ⌉$ is the total number of buckets and “⌈⌉” denotes rounding up to an integer. Sensor-collected data can be divided by the following bucket range in equation (2)

$\begin{matrix} [d_{\min}, d_{\min} + λ), [d_{\min} + λ, d_{\min} + 2 λ), \\ [d_{\min} + 2 λ, d_{\min} + 3 λ), \dots, [d_{\min} + (r - 1) λ, d_{\max}] \end{matrix}$ (2)

Then, one-dimensional data can be expanded into multidimensional data where users define different dimensions of $z$ -dimensional data by step size $λ {λ_{1}, λ_{2}, \dots, λ_{z}}$ , in which $λ_{j}$ $(1 \leq j \leq z)$ is the step size of $j th$ dimension. Sensor nodes complete bucket partitioning for the data of each dimension and allocate bucket label $T_{l}^{j} (1 \leq l \leq γ_{j})$ , in which $γ_{j} = (d_{\max}^{j} - d_{\min}^{j}) / λ_{j}$ is the total number of $j th$ dimensional bucket. $z$ -dimensional data collected by sensors are divided by the following bucket range in equation (3)

$\begin{matrix} [d_{\min}^{j}, d_{\min}^{j} + λ_{j}), [d_{\min}^{j} + λ_{j}, d_{\min}^{j} + 2 λ_{j}), \\ [d_{\min}^{j} + 2 λ_{j}, d_{\min}^{j} + 3 λ_{j}), \dots, [d_{\min}^{j} + (r_{j} - 1) λ_{j}, d_{\max}^{j}] \end{matrix}$ (3)

OEM encryption scheme

To protect data privacy, sensor nodes are required to encrypt gathered data to prevent sensitive data disclosure. This article uses a secure OEM²⁶ to realize one-dimensional data privacy protection. The OEM is then expanded to privacy protection of multidimensional data.

Assume that $s_{i}$ collects $m$ perception data $(d_{1}, d_{2}, \dots, d_{m})$ in time sequence $t$ , in which $d_{\min} (1 \leq num \leq m)$ is displayed by an $n$ -bit binary system, the corresponding encrypted text of ${d_{num}}_{num = 1}^{m}$ is $P_{k_{num}} (d_{num})$ , and $P_{k_{num}} (.)$ is a symmetric encrypted function. OEM supports the decomposition property $P_{k} (d_{1} | d_{2} |, \dots, d_{m}) = P_{k_{1}} (d_{1}) | P_{k_{2}} (d_{2}) | \dots | P_{k_{m}} (d_{m})$ , in which “|” is a joint operation.

OEM consists of order mapping and data encryption. During order mapping, $s_{i}$ maps collected $m$ data values to a corresponding bucket. If no data exist in a certain bucket, then “ $ϕ$ ” is used to label that bucket. Every bucket $T_{l}$ can be assigned a secret $k_{l}$ , which is shared by $s_{i}$ and the sink. Let set $K = {k_{l}}_{l = 1}^{γ}$ , in which $k_{l}$ is the parameter used to generate an $n$ -digit key stream (KS) at the initial stage, and the KS is used to encrypt the data in that area. For instance, assume data range [1,10] is divided into five equivalent, continuous, nonoverlapping areas; the key set from generator ${k_{l}}_{l = 1}$ consists of five keys: $k_{1}$ , $k_{2}$ , $k_{3}$ , $k_{4}$ , and $k_{5}$ .

For the sake of precise monitoring, sensors in a natural environment generally monitor various data, such as temperature, humidity, and light intensity. Sensor-collected data are multidimensional in this case. This article expands OEM to privacy protection for multidimensional data. Assume that the n-dimensional data items collected by sensor nodes are $D = (d^{1}, \dots, D^{z})$ , in which $D^{j} (1 \leq j \leq z)$ means $m^{j}$ data exist in the $j th$ dimension, such that $D^{j} = (d_{1}^{j}, \dots, D_{m^{j}}^{j})$ . Then, the data in $D^{j}$ will be applied to the corresponding bucket $T_{l}^{j}$ .

Figure 2 illustrates an encryption process for multidimensional data. First, a finite state machine is used to generate perception data collected by sensors into an n-bit initial value (IV). Second, the bucket-partitioning encryptor is used to generate a KS to encode the sub-bucket keys. To make the length of the KS equal to that of perception data $d_{num}^{j} (1 \leq num \leq m^{j})$ , $k_{l}^{j}$ are used as input parameters of the sub-bucket key encryptor in which $K = {k_{l}^{j}}_{l = 1}^{γ}$ to ensure that the cipher text of the same perception data differs after each encryption, that is, to satisfy semantic security.¹⁸ This article uses a nonrepetitive counter as the input IV in the encryption process. In this process, XOR is performed between each perception data $d_{num}^{j}$ and the KS, and then, an n $n$ -bit encryption data value $P_{k_{l}^{j}} (d_{num}^{j})$ is obtained randomly. Thus, the cipher text of multidimensional data after encryption is as shown in equation (4)

$P_{k_{1}^{j}} (T_{1}^{j}), P_{k_{1}^{j}} (d_{1}^{j}), \dots, P_{k_{1}^{j}} (d_{num}^{j}), P_{k_{2}^{j}} (T_{2}^{j}), P_{k_{2}^{j}} (d_{num + 1}^{j}), \dots, P_{k_{γ j}^{j}} (T_{γ j}^{j}), \dots, P_{k_{γ j}^{j}} (d_{m^{j}}^{j})$ (4)

Figure 2.

Encrypted sensor data.

A symmetric function will be the barrel label, with all sensory data of the $l th$ barrel label of the $j th$ dimensionality calculated as follows

$\begin{matrix} P_{k_{l}^{j}} (T_{l}^{j} | d_{l_{1}}^{j} | d_{l_{2}}^{j} | \dots | d_{l_{num}}^{j}) = P_{k_{l}^{j}} (T_{l}^{j}) | P_{k_{l}^{j}} (d_{l_{1}}^{j}) | \\ P_{k_{l}^{j}} (d_{l_{2}}^{j}) | \dots | P_{k_{l}^{j}} (d_{l_{num}}^{j}) \end{matrix}$ (5)

and $1 \leq l_{num} \leq m^{j}$ .

Then, the multidimensional data collected by $s_{i}$ in time $t$ will be presented to the SN in the units in equation (6)

$〈 \begin{matrix} i, t, P_{k_{1}^{1}} (T_{1}^{1} | d_{1}^{1} | \dots | d_{num}^{1}), P_{k_{2}^{1}} (T_{2}^{1} | d_{num + 1}^{1} | \dots), \dots, P_{k_{γ 1}^{1}} (T_{γ 1}^{1} | \dots | d_{m^{1}}^{1}), \dots, \\ P_{k_{1}^{z}} (T_{1}^{z} | d_{1}^{z} | \dots | d_{num}^{z}), P_{k_{2}^{z}} (T_{2}^{z} | d_{num + 1}^{z} | \dots), \dots, P_{k_{γ z}^{z}} (T_{γ z}^{1} | \dots | d_{m^{z}}^{1}) \end{matrix} 〉$ (6)

The process of multidimensional data privacy protection can be explained through the following example as shown in Figure 3(a). Sensor $s_{1}$ collects five pieces of two-dimensional data in time $t = 2$ : $(1, 12)$ , $(3, 5)$ , $(7, 8)$ , $(2, 1)$ , and $(10, 4)$ with $γ_{1} = 5$ and $γ_{2} = 4$ from the user-defined step size $λ_{1} = 2$ , $λ_{2} = 3$ . The corresponding KS is used to encrypt each data item in the two-dimensional perception data $D_{1} = (1, 2, 3, 7, 10)$ , $D_{2} = (1, 4, 5, 8, 12)$ . The sensor nodes directly map the two-dimensional data $D_{1}$ and $D_{2}$ to the corresponding bucket range as shown in Step 1 of Figure 3. The one-dimensional data item $D_{1}$ corresponds to bucket label $(T_{1}^{1}, T_{2}^{1}, T_{4}^{1}, T_{5}^{1})$ . The two-dimensional data $D_{2}$ corresponds to bucket label $(T_{1}^{2}, T_{2}^{2}, T_{3}^{2}, T_{4}^{2})$ . $D_{1}$ data after encryption are $P_{k_{1}^{1}} (T_{1}^{1} | 1 | 2), P_{k_{2}^{1}} (T_{2}^{1} | 3), P_{k_{3}^{1}} (T_{3}^{1} | ϕ),$ $P_{k_{4}^{1}} (T_{4}^{1} | 7), P_{k_{5}^{1}} (T_{5}^{1} | 10)$ and $D_{2}$ data after encryption are $P_{k_{1}^{2}} (T_{1}^{2} | 1)$ , $P_{k_{2}^{1}} (T_{2}^{2} | 4 | 5)$ , $P_{k_{3}^{1}} (T_{3}^{2} | 8)$ , and $P_{k_{4}^{1}} (T_{4}^{2} | 12)$ . Finally, sensor nodes present the encrypted data of $D_{1}$ and $D_{2}$ and bucket labels to the SN as in equation (7)

$〈 1, 2, P_{k_{1}^{1}} (T_{1}^{1} | 1 | 2), P_{k_{2}^{1}} (T_{2}^{1} | 3), P_{k_{3}^{1}} (T_{3}^{1} | ϕ), P_{k_{4}^{1}} (T_{4}^{1} | 7), P_{k_{5}^{1}} (T_{5}^{1} | 10), P_{k_{1}^{2}} (T_{1}^{2} | 1), P_{k_{2}^{1}} (T_{2}^{2} | 4 | 5), P_{k_{3}^{1}} (T_{3}^{2} | 8), P_{k_{4}^{1}} (T_{4}^{2} | 12) 〉$ (7)

Figure 3.

Data query model: (a) mapping of sensor node, (b) processing of storage node, and (c) mapping of sink.

Sink to SN

If users query the perception data of sensor node $s_{i}$ within the range $Q_{t} = {[a^{1}, b^{1}], [a^{2}, b^{2}], \dots, [a^{z}, b^{z}]}$ in time $t$ , users should first send data packet ${i, t, [a^{1}, b^{1}], [a^{2}, b^{2}], \dots, [a^{z}, b^{z}]}$ to that sink to query the original data in time $t$ . Then, the sink can transform query request $Q_{t}$ into the label range of storage bucket set $[T_{l_{1}}^{1}, T_{l_{1} + \frac{⌈ b^{1} - a^{1} ⌉}{λ_{1}}}^{1}]$ , $[T_{l_{2}}^{2}, T_{l_{2} + \frac{⌈ b^{2} - a^{2} ⌉}{λ_{2}}}^{2}]$ , …, $[T_{l_{z}}^{z}, T_{l_{z} + \frac{⌈ b^{z} - a^{z} ⌉}{λ_{z}}}^{z}]$ , in which the bucket label in the $j th$ dimension of $[a^{j}, b^{j}]$ is $[T_{l_{j}}^{j}, T_{l_{j} + \frac{⌈ b^{j} - a^{j} ⌉}{λ_{j}}}^{j}]$ , where the subscript index is the corresponding bucket range label of the $j th$ dimensional query’s left boundary value. The transformed label list can be written as in equation (8)

$T_{l_{1}}^{1}, T_{l_{1} + 1}^{1}, \dots, T_{l_{1} + \frac{⌈ b^{1} - a^{1} ⌉}{λ_{1}}}^{1}, T_{l_{2}}^{2}, T_{l_{2} + 1}^{2}, \dots, T_{l_{2} + \frac{⌈ b^{2} - a^{2} ⌉}{λ_{2}}}^{2}, \dots, T_{l_{z}}^{z}, T_{l_{z} + 1}^{z}, \dots, T_{l_{z} + \frac{⌈ b^{z} - a^{z} ⌉}{λ_{z}}}^{z}}$ (8)

Therefore, during a multidimensional query, the sink should send the query to the SN using equation (9)

$sink \to SN : i, t, {\begin{matrix} P_{k_{l_{1}}^{1}} (T_{l_{1}}^{1}), & P_{k_{l_{1} + 1}^{1}} (T_{l_{1} + 1}^{1}), & \dots, & k_{l_{1} + ⌈ \frac{b^{1} - a^{1}}{λ_{1}} ⌉}^{1} (T_{l_{1} + ⌈ \frac{b^{1} - a^{1}}{λ_{1}} ⌉}^{1}) \\ P_{k_{l_{2}}^{2}} (T_{l_{2}}^{2}), & P_{k_{l_{2} + 1}^{2}} (T_{l_{2} + 1}^{2}), & \dots, & k_{l_{2} + ⌈ \frac{b^{2} - a^{2}}{λ_{2}} ⌉}^{2} (T_{l_{2} + ⌈ \frac{b^{2} - a^{2}}{λ_{2}} ⌉}^{2}) \\ \dots \\ P_{k_{l_{z}}^{z}} (T_{l_{z}}^{z}), & P_{k_{l_{z} + 1}^{z}} (T_{l_{z} + 1}^{z}), & \dots, & k_{l_{z} + ⌈ \frac{b^{z} - a^{z}}{λ_{z}} ⌉}^{z} (T_{l_{z} + ⌈ \frac{b^{z} - a^{z}}{λ_{z}} ⌉}^{z}) \end{matrix}}$ (9)

In Figure 3(c), when the sink deals with query request $([2, 7], [3, 8])$ in the one-dimensional data query [2,7], $a^{1} = 2$ , $b^{1} = 7$ , $a^{1} \in (0, 2]$ , $b^{1} \in (6, 8]$ , the corresponding bucket label range is $[T_{1}^{1}, T_{4}^{1}]$ , and the encrypted bucket label range is $[P_{k_{1}^{1}} (T_{1}^{1}), P_{k_{4}^{1}} (T_{4}^{1})]$ . In the two-dimensional data query [3,8], $a^{2} = 3$ , $b^{2} = 8$ , $a^{2} \in (0, 3]$ , and $b^{2} \in (6, 9]$ ; the corresponding bucket label range is $[T_{1}^{2}, T_{3}^{2}]$ ; and the encrypted bucket label is $[P_{k_{1}^{1}} (T_{1}^{1}), P_{k_{4}^{1}} (T_{4}^{1})]$ . The sink then sends the query data packet $〈 1, 2, P_{k} T_{1}^{1} | | T_{4}^{1}), P_{k} (T_{1}^{2} | T_{2}^{2} | T_{3}^{2}) 〉$ to the SN.

SN to sink

When the SN receives query requests from the sink, it will divide the requests into various bucket labels using $n$ bit as the unit length and will then take bucket labels to query data in the databank. If a data block matches a bucket label in the databank, then that data block conforms to the query request; the data blocks conforming to the requery in $j th$ dimension are packed to $Q R^{j}$ , which is depicted as

$Q R^{j} = {\begin{matrix} P_{k_{h}^{j}} (T_{h}^{j} | d_{h_{1}}^{j} | d_{h_{2}}^{j} | \dots | d_{h_{num}}^{j}) \\ P_{k_{h + 1}^{j}} (T_{h + 1}^{j} | d_{h_{{(h + 1)}_{1}}}^{j} | d_{h_{{(h + 1)}_{2}}}^{j} | \dots | d_{h_{{(h + 1)}_{num}}}^{j}) \\ \dots \\ P_{k_{l}^{j}} (T_{l}^{j} | d_{l_{1}}^{j} | d_{l_{2}}^{j} | \dots | d_{l_{num}}^{j}) \end{matrix}}$ (10)

in which $1 \leq h \leq h + 1 \leq \dots \leq l \leq γ_{j}$ , $1 \leq h_{num} \leq l_{num} \leq m^{j}$ . Finally, the SN returns all data $QR = Q R^{1} \cup \dots \cup Q R^{j}$ conforming to query requests to the sink.

In Figure 3(b), when the SN receives query requests $〈 1, 2, P_{k} (T_{1}^{1} | T_{2}^{1} | T_{3}^{1} | T_{4}^{1}), P_{k} (T_{1}^{2} | T_{2}^{2} | T_{3}^{2}) 〉$ , it divides the requests into ${P_{k_{1}^{1}} (T_{1}^{1}), P_{k_{2}^{1}} (T_{2}^{1}), P_{k_{3}^{1}} (T_{3}^{1}), P_{k_{4}^{1}} (T_{4}^{1}), P_{k_{1}^{2}} (T_{1}^{2}), P_{k_{2}^{2}} (T_{2}^{2}), P_{k_{3}^{2}} (T_{3}^{2})}$ and uses these encrypted bucket labels to match the data in the databank. According to the results of a query

$\begin{matrix} Q R^{1} = {P_{k_{1}^{1}} (T_{1}^{1} | 1 | 2), P_{k_{2}^{1}} (T_{2}^{1} | 3), P_{k_{3}^{1}} (T_{3}^{1} | ϕ), P_{k_{4}^{1}} (T_{4}^{1} | 7)} \\ Q R^{2} = {P_{k_{1}^{2}} (T_{1}^{2} | 1), P_{k_{2}^{1}} (T_{2}^{2} | 4 | 5), P_{k_{3}^{1}} (T_{3}^{2} | 8)} \end{matrix}$ (11)

and

$\begin{matrix} QR = Q R^{1} \cup Q R^{2} \\ = {\begin{matrix} P_{k_{1}^{1}} (T_{1}^{1} | 1 | 2), P_{k_{2}^{1}} (T_{2}^{1} | 3), P_{k_{3}^{1}} (T_{3}^{1} | ϕ), P_{k_{4}^{1}} (T_{4}^{1} | 7), \\ P_{k_{1}^{2}} (T_{1}^{2} | 1), P_{k_{2}^{1}} (T_{2}^{2} | 4 | 5), P_{k_{3}^{1}} (T_{3}^{2} | 8)} \end{matrix}} \end{matrix}$ (12)

Finally, the SN returns the query result to the sink.

System analysis

Given the premise of reliable sensor nodes, for perception data collected by any sensor node, perception data are considered to have secure privacy only when the query methods can guarantee that the SNs will not obtain actual values of any perception data. To prevent perception data and query requests from being obtained by attackers, this article uses an OEM KS to encrypt data. In addition, this article proposes a T2D data structure based on the bucket mechanism to verify the integrity of query results.

Privacy analysis

In sum, WQuery can effectively realize a range query and protect the privacy of perception data and the query range. Based on the Internet model, attack model, and secure objectives discussed in section “Model,” the security analysis of WQuery is as follows.

Privacy protection. First, this article briefly introduces the concept of a negligible function. In security analysis, a negligible function is used to demonstrate the possibility of an attacker decoding encrypted schemes.^27–29 For every polynomial $p (.)$ , if function $f (.)$ is negligible, then there is a $ℵ$ . For every integer, $n > ℵ$ and $f (n) < 1 / p (n)$ . According to modern cryptography,²⁸ highly improbable events are negligible.¹⁸ In security analysis, the security of a key-length encrypted scheme is often decided by parameter $n$ . The probability of decoding encrypted schemes declines rapidly as $n$ increases. In other words, if $n \in [128, + \infty)$ , then attackers cannot infer perception data by decoding keys using computation.

Proof

For any polynomial $p$ , when A is sufficiently large, $f (n) < 1 / p (n)$ is correct.

Set $d$ as the degree of $p$ and assume that attackers violate the secure conditions of $f (n) : = (1 / 2)^{n}$ .

Then

$lim_{n \to \infty} \frac{f (n)}{1 / p (n)} = lim_{n \to \infty} \frac{p (n)}{2^{n}} \overset{Δ}{=} lim_{n \to \infty} \frac{\partial^{d} p (n)}{\partial^{d} 2^{n}} = 0$ (13)

$\overset{Δ}{=}$ is the repetitive use of L’Hopital rule. As $f (n) / 1$ $/ p (n)$ converges to 0 and $p$ is positive, if $n \in [128, + \infty)$ ,^28,29 $f (n) < 1 / p (n)$ ; thus, $f$ is a negligible function.

2. Anticollusion attacks. Attackers can obtain shared key $k_{l}^{j}$ by capturing ordinary sensor node $s_{i}$ to get its time and collude with its SN to infer the perception data $d_{l}^{j}$ through $k_{l}^{j}$ and $P_{k_{l}^{j}} (T_{l}^{j} | d_{l_{1}}^{j} | d_{l_{2}}^{j} | \dots | d_{l_{num}}^{j})$ . If the order of an encrypted function is irreversible, then even if attackers obtain key $k_{l}^{j}$ , they cannot acquire clear data through encrypted data constructed by an order-encrypted function. Therefore, when an ordinary sensor node is attacked and captured, the attackers cannot destroy other sensor nodes. The node can hence resist a collusion attack on data privacy compared to the bucket-partitioning scheme and SafeQ scheme.

3. Resistance to external and captured SNs.

The proposed WQuery protocol transforms users’ actual query range [a, b] into a matched bucket label set. SNs can judge correctly by comparing query bucket labels without decoding. Meanwhile, if the $f (.)$ function is irreversible, even if anterior attackers or SNs obtain a bucket label set processed by $f (.)$ and the KS, they cannot reverse to infer clear data. Thus, attackers cannot infer clear multidimensional text data through encrypted text $P_{k_{l}^{j}} (T_{l}^{j} | d_{l_{1}}^{j} | d_{l_{2}}^{j} | \dots | d_{l_{num}}^{j})$ and cannot infer the upper and lower limits of a query range through the encrypted bucket labels of query range [a, b].

Integrity analysis

The integrity protection results of a multidimensional data query are required to verify whether the result has been forged and whether satisfactory data have been deleted. To verify the integrity result of a multidimensional data query, this article proposes a T2D data structure to protect the integrity of multidimensional data. Based on the encrypted scheme in this article, the sink decodes the corresponding KS when receiving $QR = (Q R^{1} \cup Q R^{2} \cup L \cup Q R^{j}) (1 \leq j \leq z)$ . If $QR$ is not forged or deleted, then $QR$ can be decoded, and the result maintains integrity.

For example, at time $t = 2$ , the sink receives the query result $QR = (Q R^{1} \cup Q R^{2})$ from which the following can be obtained: $Q R^{1} = {P_{k_{1}^{1}} (T_{1}^{1} | 1 | 2), P_{k_{2}^{1}} (T_{2}^{1} | 3), P_{k_{3}^{1}} (T_{3}^{1} | ϕ), P_{k_{4}^{1}} (T_{4}^{1} | 7)}$ and $Q R^{2} = {P_{k_{1}^{2}} (T_{1}^{2} | 1), P_{k_{2}^{1}} (T_{2}^{2} | 4 | 5), P_{k_{3}^{1}} (T_{3}^{2} | 8)}$ . After decoding this using the corresponding KS, the data block after decoding is $QR = {(T_{1}^{1} | 1 | 2), (T_{2}^{1} | 3) (T_{3}^{1} | ϕ), (T_{4}^{1} | 7), (T_{2}^{2} | 4), (T_{3}^{2} | 8)}$ .

Generally, when sensor nodes send encrypted data that satisfy a query range, if attackers falsify a data item, the sink can detect it without knowing the keys. Thus, this article conducts integrity analysis on decoded data under the following three conditions.

Bucket loss. If data $P_{k_{l}^{j}} (T_{l}^{j} | d_{l_{1}}^{j} | d_{l_{2}}^{j} | \dots | d_{l_{num}}^{j})$ , $(1 \leq j \leq z, 1 \leq l_{num} \leq m^{j})$ belonging to the $j th$ dimension in $l$ bucket are lost, the sink can easily locate the lost data by comparing the query request and queries. In Figure 3(b), if $P_{k_{3}^{1}} (T_{3}^{1} | ϕ)$ is lost, the actual received query request can be identified as having lost the data in bucket $T_{3}^{1}$ after comparing the decoded ${(T_{1}^{1} | 1 | 2), (T_{2}^{1} | 3), (T_{4}^{1} | 7), (T_{1}^{2} | 1), (T_{2}^{2} | 4), (T_{3}^{2} | 8)}$ and query ${(T_{1}^{1} | T_{2}^{1} | T_{3}^{1} | T_{4}^{1}), (T_{1}^{2} | T_{2}^{2} | T_{3}^{2})}$ .

Data deleted. If data $P_{k_{l}^{j}} (d_{l_{num}}^{j})$ , $(1 \leq j \leq z, 1 \leq l_{num} \leq m^{j})$ are deleted in $T_{l}^{j}$ , the sink can detect these deleted data because it cannot use the corresponding KS to decode the query request. In Figure 3(b), if $P_{k_{1}^{1}} (1)$ in $T_{1}^{1}$ is deleted, it is not possible to decode the modified $QR = {P_{k_{1}^{1}} (T_{1}^{1} | 2), P_{k_{2}^{1}} (T_{2}^{1} | 3), P_{k_{4}^{1}} (T_{4}^{1} | 7), P_{k_{1}^{2}} (T_{1}^{2} | 1), P_{k_{2}^{2}} (T_{2}^{2} | 4), P_{k_{3}^{2}} (T_{3}^{2} | 8)}$ .

Data added. If data $P_{k_{l}^{j}} (d_{l_{num + 1}}^{j})$ , $(1 \leq j \leq z, l_{num + 1} \notin (1, m^{j}))$ are added in $T_{l}^{j}$ , the sink can detect these added data because it cannot use the corresponding KS to decode the query request.

Experimental analysis

Based on the current secure range query protocol and models presented in sections “Relevant background” and “Model,” this article compares the WQuery protocol with current protocols from the aspects of privacy protection and integrity verification. First, the privacy protection scheme, respectively, evaluates EQ, SafeQ, $V P^{2} RQ$ , and the bucket-partitioning scheme based on ordinary sensor nodes and SN consumption followed by integrity verification. As the verification process requires the involvement of sensor nodes as well as the SN, this section respectively evaluates WQuery, EQ, $V P^{2} RQ$ , and SafeQ from the total consumption of the two kinds of nodes. This article does not compare the encrypted link scheme in the SafeQ protocol, as it connects integrity work with the turn-in of encrypted data perception and has analyzed the possibility of attacks on integrity verification in other works. The efficiency of the T2D integrity verification scheme in the WQuery protocol is closely related to actual network communication; its common sensor nodes should communicate with SNs and other nodes in query units. Therefore, its communication amount is theoretically far beyond that of WQuery in this article. This article thus does not compare T2D integrity verification to the WQuery scheme.

This study used original data to conduct a simulation experiment with WQuery on the MATLAB platform and compared it with the SafeQ in literature,¹⁶ the EQ protocol in literature,18 and the $V P^{2} RQ$ protocol in literature.¹⁵

The experimental environment for this study consisted of Intel i5-2467M, CPU (quad core, 1.6 GHz), and 8GB memory. The software environment included a Windows 10 operating system and MATLAB. Assume the following: the sensor node network coverage area is 100–1000 m, 100 sensor nodes are randomly distributed in the sensor network, four SNs are evenly distributed in the network, the network includes sink nodes, and in one time unit the sensor nodes collect 10 pieces of perception data with a key length of 128 bits, encrypted by OEM.

The effective transmission distance between sensor nodes is 75 m. Sensor nodes take 1.8 jumps on average to transmit data to SNs, and every node has 25 neighboring nodes on average. The routing path was established using the Tiny AGgregation Service (TAG) for ad hoc sensor networks.³⁰ Sensor nodes were not considered in the simulation; the experiment focused primarily on energy consumption for the sensors to present data along with SN energy consumption. The simulation experiment only considered the independent data distribution, ignoring relevant and irrelevant data distribution.

In two-tiered WSNs, the SN has sufficient energy conservation, and the energy consumption of sensor nodes is therefore analyzed in detail. In the WQuery protocol, a sensor node mainly includes two forms of energy consumption: (1) energy consumption generated by sending and receiving information and (2) calculation energy consumption generated by OEM encrypted calculation. Based on the energy consumption of the wireless communication circuit when sending and receiving,³¹ assume that every sensor node sends L digit data with distance $d$ from itself; if so, then its energy consumption $E_{t}$ is

$E_{t} = (\begin{matrix} L \times E_{elect} + L \times ε_{fs} \times d^{2} d < d_{0} \\ L \times E_{elect} + L \times ε_{mp} \times d^{4} d \geq d_{0} \end{matrix}$ (14)

where $d_{0}$ is the shortest distance, $E_{elect}$ is the energy consumption needed by the wireless circuit, and $ϵ_{fs}, ϵ_{mp}$ denote the receiver-relevant parameters.

Assume that every sensor collects 10–128 digits of perception data periodically and regularly sends the data to neighboring SNs; thus, L digit data energy $E_{r}$ of the SNs can be written as $E_{r} = L \times E_{elect}$ .

Experimental results reveal that the WQuery protocol in this article is superior to the SafeQ and EQ and $V P^{2} RQ$ protocol in energy and query consumption. This experiment conducted analyses from the following three aspects: (1) the energy consumption when sending perception data gathered by sensors to SNs; (2) the energy consumption needed for SNs to query; and (3) the energy consumption SNs need to save. The experiment does not compare the schemes in Shi et al.¹² and Chen and Liu¹⁶ as they may introduce serious security problems such that damaged SNs could easily send the wrong bit map and thus destroy network integrity.

Under different time intervals and data lengths, ordinary sensor nodes and the SN consume energy after submitting data. In this case, query time interval $t$ is a dependent variable, and all other parameters retain their initial status. In every time interval, 30 random query ranges are completed, and the energy consumption of sensor nodes in a query range is calculated 30 times. As shown in Figure 4, sensor nodes consumed energy to send multidimensional data to the SNs. The energy consumption of the WQuery protocol was lower than that of the SafeQ, EQ protocols, and $V P^{2} RQ$ protocols. Specifically, the energy consumption of the SafeQ protocol was three times greater than that of the WQuery protocol, and the energy consumption of the EQ protocol is twice that of the WQuery protocol. The SafeQ protocol adopts a prefix member verification strategy that must be hashed, consuming substantial energy. Furthermore, SafeQ must perform many additional hashing operations to get a Bloom filter, thereby requiring more energy. The $V P^{2} RQ$ protocol needs to generate a check code for each empty bucket, and the check code is fused with the same label and then encrypted with the DES encryption algorithm. Therefore, the energy consumption of the sensor submitted data is lower than that of SafeQ and higher than that of the EQ protocol. Based on the bucket-partitioning scheme, the EQ protocol distributes perception data to each bucket range and submits data in the bucket by encryption, such that all perceived data-encrypted text should be submitted to the SN. Therefore, the energy consumption sensor nodes required for data submission were lower than SafeQ and $V P^{2} RQ$ , but higher than WQuery.

Figure 4.

Energy consumption for sensor nodes to present data.

As noted earlier, query time interval $t$ was considered a dependent variable, and all other parameters retained their initial status; 30 fixed-range queries were conducted among 100 sensor nodes in the unit network, and the energy consumption of SNs in the query process was calculated 30 times. Figure 5 displays the query consumption of multidimensional data. The energy consumption of the SNs in WQuery when presenting query results was lower than that of SafeQ and EQ. Specifically, the query consumption of WQuery was 1.5 times lower than that of the SafeQ protocol and slightly lower than that of the EQ and the $V P^{2} RQ$ . The SafeQ protocol uses Merkle HMAC to verify information, which consumes more energy than WQuery; EQ uses XOR linked lists and storage buckets, which also consumed slightly more energy than WQuery. The increasing range of SafeQ was rather large because the SN in the SafeQ scheme expended considerable energy when searching the prefix codes in the entire perception data range twice to obtain the range between the maximum and minimum values of the upper and lower ranges. EQ employs XOR links and a bucket-partitioning scheme in which the SN needs to query labeled encrypted values in all collected encrypted perception data within a query range and then send these encrypted values to the sink to complete the query process. The $V P^{2} RQ$ protocol needs to upload the corresponding encrypted bucket in the bucket label set of interest and upload additional code to verify the query result. Thus, the EQ protocol and the $V P^{2} RQ$ protocol was slightly greater than that of WQuery.

Figure 5.

Query consumption of multidimensional data.

As before, query time interval $t$ was considered a dependent variable, and all other parameters retained their initial status; 30 fixed-range queries were completed among 100 sensor nodes in the unit network, and the energy consumption of the SN in the query process was calculated 30 times. Figure 6 shows the storage space consumption of the SNs, which hold encrypted multidimensional data and verification information. SafeQ uses prefix codes to encrypt perception data and HMAC to provide verification information, which collectively consumed more energy than WQuery. The prefix codes and Merkle Hash in SafeQ also consumed much more storage than the EQ protocol, which is based on a bucket-partitioning scheme and uses the X2L data structure of the XOR operation to query the result of neighborhood differences. As such, the storage consumption of EQ was higher than that of WQuery. With the wide bucket-partitioning strategy such as the $V P^{2} RQ$ protocol, as the number of sensors increases, the tag information uploaded with the encrypted bucket will increase, and the storage space consumption is slightly higher than WQuery.

Figure 6.

Storage space consumption.

To verify data integrity, the scheme in this article processed data collected by sensor nodes based on a bucket-partitioning scheme, matched corresponding bucket labels rather than comparing perception data with the upper and lower limits of the query range, and transformed multidimensional data processing into a problem of union sets without consuming extra space. The T2D data structure effectively reduced the amount of verified information, and the experimental results demonstrate the effectiveness of this scheme.

Conclusion

To investigate the query range problem in two-tiered WSNs, this article proposes a novel multidimensional data range query protocol based on WSNs, called WQuery, to address the drawbacks of some current schemes. This protocol guarantees the privacy of perception data and integrity verification of query results while SNs can manage range queries accurately. To better protect data privacy, this article adopts the OEM method and uses a bucket-partitioning scheme to process multidimensional data collected by sensor nodes. A new T2D scheme is also proposed that transforms the actual user query range into a matched bucket label set and verifies data integrity by comparing the difference between an $f$ query and actual query results. To verify the effectiveness of WQuery, this article tested WQuery on the MATLAB platform and found the proposed protocol to consume less storage space and possess higher query efficiency than SafeQ, $V P^{2} RQ$ , and EQ protocols. However, our method cannot meet the requirements of mobile support and location awareness. In order to overcome these problems, the current research proposes a new paradigm called fog calculation (referred to as fog).³² However, fog can withstand some time delays and provide fast response and low-energy services. We plan to extend our current method by enabling our model suitable to execute more complex operations along with the query of sensor data.

Footnotes

Handling Editor: Giancarlo Fortino

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research,authorship,and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research,authorship,and/or publication of this article: The project is sponsored by the National Natural Science Foundation of China (Nos 61873221 and 61672447),the Natural Science Foundation of Hunan Province (Nos 2018JJ4058,2019JJ70010,and 2017JJ5036),the CERNET Next Generation Internet Technology Innovation Project (Nos NGII20160305 and NGII20170109),the National Scientific Research Foundation of Hunan Province (No. 18B367),the Science Plan Project of Chongqing College of Electronic Engineering (XJPT201707),the 5 batch of excellent talents in universities plan of Chongqing (2017.29),and the National Scientific Research Foundation of Chongqing City (KJQN201803110).

ORCID iD

Sai Zou

References

Maraiya

Kant

Gupta

. Application based study on wireless sensor network. Int J Comput Appl 2011; 21(8): 9–15.

Patel

Jhaveri

Dangarwala

et al . Wireless sensor network: theoretical findings and applications. Int J Comput Appl 2013; 63(10): 25–29.

Solaiman

Sheta

. Computational intelligence for wireless sensor networks: applications and clustering algorithms. Int J Comput Appl 2014; 73(15): 1–8.

Kumaravel

. Energy efficient finite range query scheme for detecting mobile adversary replica nodes in wireless sensor networks. Int J Comput Appl 2012; 44(14): 18–21.

Liu

Liang

et al . Verifiable top-k, query processing in tiered mobile sensor networks. Int J Distrib Sens Netw 2015; 2015(7): 14.

Dai

Yang

Qin

. EMQP: an energy-efficient privacy-preserving MAX/MIN query processing in tiered wireless sensor networks. Int J Distrib Sens Netw 2013; 2013(1): 1492–1519.

Liu

Yao

. Privacy-preserving top-k query in two-tiered wireless sensor networks. Int J Adv Comput Technol 2012; 4: 226–235.

Sheng

. Verifiable privacy-preserving sensor network storage for range query. IEEE T Mobile Comput 2011; 10(9): 1312–1326.

Tsou

et al . Practical and secure multidimensional query framework in tiered sensor networks. IEEE T Inform Foren Sec 2011; 6(2): 241–255.

10.

Ling

Yang

. Secure and low energy consumption range query in tiered sensor networks. Int J Online Eng 2016; 12(7): 4.

11.

Sheng

. Verifiable privacy-preserving range query in two-tiered sensor networks. In: Proceedings of the international conference on computer communications, Phoenix, AZ, 13–18 April 2008, pp.46–50. New York: IEEE.

12.

Shi

Zhang

. A spatiotemporal approach for secure range queries in tiered sensor networks. IEEE T Wirel Commun 2011; 10(1): 264–273.

13.

Zhang

Shi

Zhang

. Secure multidimensional range queries in sensor networks. In: Proceedings of the ACM international symposium on mobile ad hoc networking and computing, New Orleans, LA, 18–21 May 2009, pp.197–206. New York: ACM.

14.

Zeng

Dong

et al . Privacy-preserving and multi-dimensional range query in two-tiered wireless sensor networks. In: Proceedings of the GLOBECOM 2017, Singapore, 4–8 December 2017, pp.1–7. New York: IEEE.

15.

Dai

et al . VP²RQ: efficient verifiable privacy-preserving range query processing in two-tiered wireless sensor networks. Int J Distrib Sens Netw 12(11): 1550147716675627.

16.

Chen

Liu

. Privacy- and integrity-preserving range queries in sensor networks. IEEE/ACM T Netw 2012; 20(6): 1774–1787.

17.

Chen

Liu

. SafeQ: secure and efficient query processing in sensor networks. In: Proceedings of the conference on information communications, 2010, pp.2642–2650. New York: IEEE Press, http://www.cse.msu.edu/~alexliu/publications/SafeQ/SafeQ.pdf

18.

Tsou

Kuo

. Privacy- and integrity-preserving range query in wireless sensor networks. In: Proceedings of the IEEE global communications conference, 2013, pp.328–334, https://www.iis.sinica.edu.tw/papers/lcs/14700-F.pdf

19.

Dai

Yang

et al . CSRQ: communication-efficient secure range queries in two-tiered sensor networks. Sensors 2016; 16(2): 259.

20.

Yin

et al . SEF: a secure, efficient, and flexible range query scheme in two-tiered sensor networks. Int J Distrib Sens Netw 2011; 2011: 876–879.

21.

Liu

Xiao

et al . Privacy and integrity preserving top- query processing for two-tiered sensor networks. IEEE/ACM T Netw 2017; 25(4): 2334–2346.

22.

Zhang

Shi

Zhang

et al . Secure cooperative data storage and query processing in unattended tiered sensor networks. IEEE J Select Area Commun 2012; 30(2): 433–441.

23.

Lee

Mahdavi

Jiang

et al . Sensors and sensor networks in agriculture, architecture, and civil engineering. Int J Distrib Sens Netw 2015; 2015: 9.

24.

Frustaci

Pace

Aloi

et al . Evaluating critical security issues of the IoT world: present and future challenges. IEEE Internet Things J 2018; 5: 2483–2495.

25.

Hakan

Iyer

et al . Executing SQL over encrypted data in the database-service-provider model. In: Proceedings of the ACM SIGMOD international conference on management of data, Madison, WI, 3–6 June 2012, pp.216–227. New York: ACM.

26.

Hore

Mehrotra

Tsudik

. A privacy-preserving index for range queries. In: Proceedings of the thirtieth international conference on very large data bases (VLDB Endowment), 2004, pp.720–731, https://www.academia.edu/5400650/A_Privacy-Preserving_Index_for_Range_Queries

27.

Leiwo

Premkumar

. A study on the security of privacy homomorphism. Int J Netw Secur 2008; 6(1): 33–39.

28.

Varna

. Security analysis for privacy preserving search of multimedia. In: Proceedings of the international conference on image processing, Hong Kong, China, 26–29 September 2010, pp.2093–2096. New York: IEEE.

29.

Stallings

. Cryptography and network security: principles and practice (subscription). Int J Eng Comput Sci 1999; 1(1): 121–136.

30.

Chen

Wang

et al . TinyStream: a lightweight and novel stream cipher scheme for wireless sensor networks. In: Proceedings of the international conference on computational intelligence and security, Nanning, China, 11–14 December 2010, pp.528–532. New York: IEEE.

31.

Madden

Franklin

Hellerstein

et al . TAG: a Tiny AGgregation service for ad-hoc sensor networks. ACM SIGOPS Oper Syst Rev 2002; 36(SI): 131–146.

32.

Zhang

Zhou

Fortino

. Security and trust issues in fog computing: a survey. Future Gener Comput Syst 2018; 88: 16–27.

A novel privacy- and integrity-preserving approach for multidimensional data range queries in two-tiered wireless sensor networks

Abstract

Keywords

Introduction

Relevant background

Model

Network model

Attack model and secure objectives

Data privacy protocol

Bucket-partitioning scheme

OEM encryption scheme

Sink to SN

SN to sink

System analysis

Privacy analysis

Proof

Integrity analysis

Experimental analysis

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References