Efficient L_p Distance Computation Using Function-Hiding Inner Product Encryption for Privacy-Preserving Anomaly Detection

Abstract

In Internet of Things (IoT) systems in which a large number of IoT devices are connected to each other and to third-party servers, it is crucial to verify whether each device operates appropriately. Although anomaly detection can help with this verification, individual devices cannot afford this process because of resource constraints. Therefore, it is reasonable to outsource anomaly detection to servers; however, sharing device state information with outside servers may raise privacy concerns. In this paper, we propose a method to compute the $L_p$ distance privately for even $p>2$ using inner product functional encryption and we use this method to compute an advanced metric, namely p-powered error, for anomaly detection in a privacy-preserving manner. We demonstrate implementations on both a desktop computer and Raspberry Pi device to confirm the feasibility of our method. The experimental results demonstrate that the proposed method is sufficiently efficient for use in real-world IoT devices. Finally, we suggest two possible applications of the proposed computation method for $L_p$ distance for privacy-preserving anomaly detection, namely smart building management and remote device diagnosis.

1. Introduction

Anomaly detection is defined as the identification of abnormal data, events, or phenomena that deviate significantly from common observations and cannot be described using any well-known notion of normal behavior [1]. Since its first appearance as an intrusion detection system in 1987 [2], anomaly detection has evolved in several fields, including statistics, medicine, manufacturing processes, machine learning, cyber security, and computer vision.

In particular, in Internet of Things (IoT) ecosystems, where a large number of IoT devices are connected and communicate with each other and third-party servers, it is crucial to verify whether each device operates appropriately [3]. IoT devices may malfunction because of initial faults during the manufacturing process, software bugs, mechanical failures of parts during operation, extreme changes in the surrounding environment, and malicious attacks by attackers. In real-world scenarios, an IoT ecosystem comprises of servers and several IoT devices, and it is reasonable to assume that servers are responsible for detecting such anomalous states in IoT devices because most IoT devices do not have sufficient computational resources to detect failures and recover from abnormal states. In this setup, all the normal-state information of each device, such as power consumption, network connections, and temperature, should be maintained in safe storage, and servers may periodically check whether the current state of each device is significantly different from the stored normal state. Mean absolute error and mean squared error are commonly considered to evaluate the difference (and similarity) between two state vectors. However, in 2018, Shalyga et al. [4] showed that the mean p-powered error is more effective in predicting short-term anomalies when p is greater than two on the SWaT dataset [5]. Here, the mean p-powered error is defined as $\frac{1}{n}{\sum }_{i=1}^n{|x_i-y_i|}^p$, where $\mathbf{x}=(x_1,\dots ,x_n)$ and $\mathbf{y}=(x_1,\dots ,x_n)$ are the normal state vector and the current state vector, respectively, with dimension n. According to the experiments in [4], the best choice for p is $p=6$.

Meanwhile, privacy concerns regarding IoT devices have arisen over the past decades as IoT ecosystems rapidly expand to industries, cities, houses, and personal wearable devices [6,7,8]. Sensor data are highly detailed, precise, and personal. Furthermore, the combination of data from multiple sensors may allow attackers to infer additional information more accurately, which is not possible with a single sensor [9]. In 2017, Nesa et al. showed that the occupancy of a room can be determined by fusing data, such as humidity, temperature, illumination level, and CO₂ [10] with very high accuracy (up to 99.09%). This prediction becomes more precise as the number of fusion parameters increases. Therefore, privacy protection must be considered in IoT ecosystems. A recent controversy at Carnegie Mellon University over super-sensing IoT devices called Mites demonstrated potentially serious privacy concerns with IoT-based smart building management systems [11].

To protect the privacy of IoT devices, all the information collected from IoT devices must be encrypted before being transmitted to the anomaly detection server. In addition, it is desirable that an anomaly detection process should be conducted on the encrypted data instead of the original data. Furthermore, the encryption operations must be sufficiently lightweight to be run on IoT devices.

To satisfy the aforementioned requirements, we consider functional encryption (FE); we provide a formal definition of FE in the following section. FE is a special type of encryption algorithm that satisfies the following properties: let m be a plaintext and E(m) be a ciphertext of m. Given E(m), an individual with additional information, that is, a secret key bound to a function f, can only obtain $f\left(m\right)$, whereas they cannot learn the original plaintext m. Inner product encryption (IPE) is a special form of FE whose function is the inner product, and both the ciphertext and secret key are associated with vectors. Given a secret key for the coefficient vector $\mathbf{y}$ and ciphertext for the plaintext vector $\mathbf{x}$, we can obtain only the inner product values $\langle \mathbf{x},\mathbf{y}\rangle$ through decryption but no further information about $\mathbf{x}$. We say that there is a function-hiding property when information about $\mathbf{y}$ is protected, as well as that about $\mathbf{x}$. In 2018, Kim et al. [12] proposed a practical function-hiding IPE (FHIPE) scheme. In [12] and several related works, such as [13], FHIPE was used to compute vector-related metrics, such as $L_1$ distance and $L_2$ distance, in a privacy-preserving manner. These metrics have been used for biometric authentication, nearest neighbor (NN) searches on encrypted data, and secure linear regression. However, the general $L_p$ distance ($p>2$), which is necessary for evaluating the mean p-powered error for advanced anomaly detection [4], has not been considered in previous studies.

In this study, we generalize the $L_p$ distance over the FHIPE scheme as a new distance metric for privacy-preserving anomaly detection, where $p>2$ denotes an even number. To be precise, our problem statement is as follows: Given a ciphertext E$\left(\mathbf{x}\right)$ for a vector $\mathbf{x}=(x_1,\dots ,x_n)$ and a secret key bound to a vector $\mathbf{y}=(x_1,\dots ,x_n)$, compute the $L_p$ distance, ${\sum }_{i=1}^n{|x_i-y_i|}^p$ for even p, using the FHIPE scheme (the mean p-powered error computation needs an additional operation, division by n. For simplicity, we omit this throughout the paper, as its computation is trivial.). Our experimental results indicate that the computation of this new metric in the ciphertext domain is efficient and applicable to highly resource-constrained IoT devices. We also suggest two applications using our method for privacy-preserving anomaly detection, i.e., smart building management and remote device diagnosis.

1.1. Related Works

Several applications, including biometric authentication, location-based services, data mining, and anomaly detection, encode data into vectors and then measure the distance or similarity between the vectors [13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29]. The vectors used in these applications may contain sensitive information. Therefore, extensive research has been conducted to measure the distance between two vectors while maintaining data privacy. Wang et al. [17] and Im, Jeon, and Lee [16] have proposed methods that encrypt a vector representing a facial image using homomorphic encryption (HE) and calculated the Euclidean distance between the encrypted vectors without decrypting them. Kang et al. [30] have shown that HE can be used to outsource a service that remotely detects whether a component of an industrial machine has diverted from its normal operating condition, without disclosing the private information of the data owner. Several previous studies used FE instead of HE. Kim et al. [12] proposed a biometric authentication method based on Hamming distance and nearest neighbor search based on $L_2$ distance using FHIPE. Zhou and Ren [14] proposed a biometric authentication method, called Passbio, that supports both Hamming distance and Euclidean distance. Their method does not reveal the actual distance, but only indicates whether the distance is within a predefined threshold. Kwon and Lee [31] commented on two vulnerabilities of Passbio and proposed a countermeasure against these vulnerabilities. Lee et al. [15] proposed an efficient biometric authentication method specialized for Hamming distance. Li and Jung [18] used HE and FE to encrypt geometric locations. The aforementioned applications use the Euclidean distance to evaluate the similarity between two vectors. In other applications, distance metrics, such as the Hamming distance, cosine similarity, and Mahalanobis distance, have also been used [29]. For example, the data-mining applications proposed in [20,21,22,32] calculated the cosine similarity in a privacy-preserving manner using HE, secure multiparty computation, and oblivious transfer. In studies on anomaly detection, HE and differential privacy were used to construct privacy-preserving anomaly detection systems. Alabdulatif et al. [23,24] proposed cloud-based anomaly detection systems for IoT using HE. Mehnaz and Bertino [25] also proposed a cloud-based anomaly detection system using HE. They adopted the edge computing approach in one of the stages comprising anomaly detection and used additive HE for secure aggregation of individual values from edge devices. Lyu et al. [26] proposed a privacy-preserving collaborative anomaly detection method with differential privacy. However, to the best of our knowledge, this study is the first work on general $L_p$ distance calculations in a privacy-preserving manner.

1.2. Contributions

• We propose a method to compute the $L_p$ distance for an even number $p>2$ over FHIPE. We use this $L_p$ distance to compute the mean p-powered error for anomaly detection.
• To demonstrate the feasibility for IoT ecosystems, we implement the proposed method in C++ and conduct experiments on a prototype system composed of a desktop computer (as a server) and the Raspberry Pi (as an IoT device) system. The experimental result shows that the proposed method is sufficiently efficient to be applied to IoT ecosystems in terms of execution times and memory usage.
• We present two possible applications of the proposed $L_p$ distance computation method for privacy-preserving anomaly detection, i.e., smart building management and remote device diagnosis. Accordingly, we suggest a protocol involving multiple IoT devices and two servers.

In the remainder of this paper, Section 2 describes the preliminaries of the proposed work. Section 3 explains the proposed method on how to compute the $L_p$ distance over FHIPE for an even number p. Section 4 provides the performance analysis. Section 5 describes a general framework for privacy-preserving anomaly detection for IoT systems. Section 6 discusses the limitation of the proposed method and presents a future research direction. Conclusions are given in Section 7.

2. Preliminaries

2.1. Barreto–Naehrig Curve (BN Curve)

If computations in the extension ${\mathbb{F}}_{r^k}$ of the prime field ${\mathbb{F}}_r$ are feasible, an elliptical curve defined over ${\mathbb{F}}_r$ is known as a pairing-friendly curve [33]. Specifically, the elliptical curve over ${\mathbb{F}}_r$ should be non-supersingular and contain a subgroup whose embedding degree k is not considerably large. Barreto and Naehrig proposed a method for constructing pairing-friendly elliptical curves with an embedding degree $k=12$ [33]. This is can be expressed as: $E\left({\mathbb{F}}_r\right):y^2=x^3+b$ for nonzero b. For $t\ne 0$, they parameterized the order q of the elliptical curve group and the characteristic r as follows:

$$q=36t^4+36t^3+18t^2+6t+1,$$

(1)

$$r=36t^4+36t^3+24t^2+6t+1.$$

(2)

2.2. Cryptographic Pairing

Let ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ be additive groups of prime order q and $g_1$ and $g_2$ be generators of ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$, respectively. Subsequently, a mapping function is defined as $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$, which is used to map the elements of ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ onto ${\mathbb{G}}_T$, which is a multiplicative group of prime order q. $0_{{\mathbb{G}}_1}$, $0_{{\mathbb{G}}_2}$, and $1_{{\mathbb{G}}_T}$ denote the identity elements of ${\mathbb{G}}_1$, ${\mathbb{G}}_2$, and ${\mathbb{G}}_T$, respectively. We define the map e as a cryptographic pairing when the tuple (q, ${\mathbb{G}}_1$, ${\mathbb{G}}_2$, ${\mathbb{G}}_T$, e) satisfies the following properties [34]:

• The map e and group operations in ${\mathbb{G}}_1$, ${\mathbb{G}}_2$, and ${\mathbb{G}}_T$ are efficiently computable.
• The map e is bilinear for all $g_1\in {\mathbb{G}}_1$, $g_2\in {\mathbb{G}}_2$ and a, b∈${\mathbb{Z}}_q$. That is,

  $$e(\left[a\right]g_1,\left[b\right]g_2)=e{(g_1,g_2)}^{ab}.$$

  (3)
• The map e is nondegenerate for $g_1\ne 0_{{\mathbb{G}}_1}$, $g_2\ne 0_{{\mathbb{G}}_2}$. That is,

  $$e(g_1,g_2)\ne 1_{{\mathbb{G}}_T}.$$

  (4)

Generally, cryptographic pairings that satisfy these three properties consist of group operations on elliptical curves and finite fields. Specifically, ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ are asymmetric, that is, ${\mathbb{G}}_1\ne {\mathbb{G}}_2$, and they are elliptical curve subgroups of prime order q. ${\mathbb{G}}_T$ is a subgroup of the finite field ${\mathbb{F}}_{r^k}$ for the embedding degree k, and its order is q. In this study, we use a cryptographic pairing on the BN curve, and a bilinear environment is defined as a tuple $(q,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,g_1,g_2,e)$ [34]. For notational convenience, we also define a pairing-product operation. Given $\mathbf{P}=(P_1,P_2,\dots ,P_n)\in {\mathbb{G}}_1^n$ and $\mathbf{Q}=(Q_1,Q_2,\dots ,Q_n)\in {\mathbb{G}}_2^n$, the product of the pairings for the two vectors $\mathbf{P}$ and $\mathbf{Q}$ is defined as follows:

$$e_{prod}(\mathbf{P},\mathbf{Q})={\Pi }_{i=1}^{n}e(P_i,Q_i).$$

(5)

2.3. FHIPE

In this study, we used the FHIPE scheme ${\prod }_{IPE}$ proposed by Kim et al. [12]. ${\prod }_{IPE}$ is defined as $(IPE.Setup,IPE.KeyGen,IPE.Encrypt,IPE.Decrypt)$. The dimensions n of vectors $\mathbf{x}$ and $\mathbf{y}$ are given as parameters, and S is a subset of ${\mathbb{Z}}_q$, which specifies the possible range of the inner product.

• $IPE.Setup(1^{\lambda },S)$

  1.

  Select a bilinear environment $(q,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,g_1,g_2,e)$ according to the security parameter $\lambda$.

  2.

  Choose a matrix $\mathbf{B}\leftarrow {\mathbb{GL}}_n\left({\mathbb{Z}}_q\right)$, where ${\mathbb{GL}}_n\left({\mathbb{Z}}_q\right)$ refers to a group of $n\times n$ square matrices whose elements belong to the finite field ${\mathbb{Z}}_q$ and an inverse matrix exists.

  3.

  Compute ${\mathbf{B}}^{★}\leftarrow \mathsf{det}\left(\mathbf{B}\right)·{\left({\mathbf{B}}^{-1}\right)}^{\top }$.

  4.

  Output the public parameter $pp=(q,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,e,S)$ and master secret key $msk=(pp,g_1,g_2,\mathbf{B},{\mathbf{B}}^{★})$.

• $IPE.KeyGen(msk,\mathbf{y})$

  1.

  Choose a uniformly random element $\alpha \stackrel{R}{\leftarrow }{\mathbb{Z}}_q$.

  2.

  Using the master key $msk$ and vector $\mathbf{y}\in {\mathbb{Z}}_q^n$, output the secret key $sk=(K_1,{\mathit{K}}_{\mathbf{2}})=([\alpha ·\mathsf{det}\left(\mathbf{B}\right)]g_1,[\alpha ·\mathbf{y}·\mathbf{B}]g_1)$ such that ${\mathit{K}}_{\mathbf{2}}\in {\mathbb{G}}_1^n$.

• $IPE.Encrypt(msk,\mathbf{x})$

  2.

  Choose a uniformly random element $\beta \stackrel{R}{\leftarrow }{\mathbb{Z}}_q$.

  2.

  Using the master key $msk$ and vector $\mathbf{x}\in {\mathbb{Z}}_q^n$, output the ciphertext $ct=(C_1,{\mathit{C}}_{\mathbf{2}})=(\left[\beta \right]g_2,[\beta ·\mathbf{x}·{\mathbf{B}}^{★}]g_2)$ such that ${\mathit{C}}_{\mathbf{2}}\in {\mathbb{G}}_2^n$.

• $IPE.Decrypt(pp,sk,ct)$

  1.

  Using the public parameter $pp$, secret $sk=(K_1,{\mathit{K}}_{\mathbf{2}})$, and ciphertext $ct=(C_1,{\mathit{C}}_{\mathbf{2}})$, compute $D_1=e(K_1,C_1)$ and $D_2=e_{prod}({\mathit{K}}_{\mathbf{2}},{\mathit{C}}_{\mathbf{2}})$.

  2.

  Find a solution $z\in S$ for $D_1^z=D_2$. If z exists, it is the inner product of $\mathbf{x}$ and $\mathbf{y}$, denoted as $z=\langle \mathbf{x},\mathbf{y}\rangle$. Output z if it exists; otherwise, output ⊥, which indicates that no solution exists.

2.4. $L_1$ and $L_2$ Distances over FHIPE

Kim et al. [12] proposed an encoding method based on the FHIPE scheme to compute the $L_1$ distance (Hamming distance) between two binary vectors. Given two binary vectors $\mathbf{x},\mathbf{y}\in {\{0,1\}}^n$, vectors $\mathbf{x}$ and $\mathbf{y}$ are encoded as ${\mathbf{x}}^{\prime }$ and ${\mathbf{y}}^{\prime }$$\in {\{-1,1\}}^n$ by changing the zeroes in $\mathbf{x}$ and $\mathbf{y}$ to $-1$. Subsequently, the Hamming distance between $\mathbf{x}$ and $\mathbf{y}$ is $d(\mathbf{x},\mathbf{y})=\left(n-\langle {\mathbf{x}}^{\prime },{\mathbf{y}}^{\prime }\rangle \right)/2$.

Jeon and Lee [13] used the square of the $L_2$ distance (squared Euclidean distance) as a metric of similarity in a face authentication system. They designed three operations, namely, $EncodeX$, $EncodeY$, and $Euclid$, using the encoding method proposed by Kim et al. [12]:

• $EncodeX(msk,\mathbf{x})$

  1.

  Construct an $(n+2)$-dimensional vector ${\mathbf{x}}^{\prime }={(\parallel \mathbf{x}\parallel }^2,-2x_1,-2x_2,\cdots ,-2x_n,1)$ from $\mathbf{x}=(x_1,\dots ,x_n)$.

  2.

  Output $ct=IPE.Encrypt(msk,{\mathbf{x}}^{\prime })$.

• $EncodeY(msk,\mathbf{y})$

  1.

  Construct an $(n+2)$-dimensional vector ${\mathbf{y}}^{\prime }=(1,y_1,y_2,\cdots ,y_n{,\parallel \mathbf{y}\parallel }^2)$ from $\mathbf{y}=(y_1,\dots ,y_n)$.

  2.

  Output $sk=IPE.KeyGen(msk,{\mathbf{y}}^{\prime })$.

• $Euclid(pp,sk,ct)$

  1.

  Calculate $z=IPE.Decrypt(pp,sk,ct)$.

  2.

  Output z. z satisfies $z=\langle {\mathbf{x}}^{\prime },{\mathbf{y}}^{\prime }\rangle ={(\parallel \mathbf{x}\parallel }^2-2x_1{y}_1-2x_2{y}_2-\cdots -2x_n{y}_n+{\parallel \mathbf{y}\parallel }^2{)=(\parallel \mathbf{x}\parallel }^2-2\langle \mathbf{x},\mathbf{y}\rangle +{\parallel \mathbf{y}\parallel }^2{)=\parallel \mathbf{x}-\mathbf{y}\parallel }^2.$

3. Proposed Method

We present a method for computing the $L_p$ distance over FHIPE for an even number p. Technically, we compute the p-powered $L_p$ distance. However, computing the $L_p$ distance as the p-th root from the p-powered $L_p$ distance is trivial.

Given two vectors $\mathbf{x}\in {\mathbb{Z}}_q^n$ and $\mathbf{y}\in {\mathbb{Z}}_q^n$, the p-powered $L_p$ distance can be calculated as follows:

$$L_p^p(\mathbf{x},\mathbf{y})={\parallel \mathbf{x}-\mathbf{y}\parallel }_p^p=\sum _{i=1}^n{\left|x_i-y_i\right|}^p=\sum _{i=1}^n{\left(x_i-y_i\right)}^p,$$

(6)

where the last equality comes from the fact that p is even. For the two n-dimensional vectors $\mathbf{u}$ and $\mathbf{v}$, the ⊙ operator denotes element-wise multiplication, i.e., $\mathbf{u}\odot \mathbf{v}=(u_1{v}_1,\dots ,u_n{v}_n)$, and ${\mathbf{v}}^{\left(t\right)}$ denotes the t-th Hadamard power of $\mathbf{v}$ for any $t\ge 0$, i.e., ${\mathbf{v}}^{\left(0\right)}=(1,\dots ,1)$ and ${\mathbf{v}}^{\left(t\right)}={\mathbf{v}}^{(t-1)}\odot \mathbf{v}$ for $t\ge 1$ [35]. Note that $L_p^p(\mathbf{x},\mathbf{y})$ in (6) is expressed as a sum of p-th powers of binomial $\left(x_i-y_i\right)$. Therefore, we can apply the binomial theorem, ${\left(x_i-y_i\right)}^p={\sum }_{j=0}^p\left(\genfrac{}{}{0pt}{}{p}{j}\right){x_i}^j{(-y_i)}^{p-j}={\sum }_{j=0}^p\left(\genfrac{}{}{0pt}{}{p}{j}\right){(-1)}^{p-j}{x_i}^j{y}_i^{p-j}$, to each term ${\left(x_i-y_i\right)}^p$. Consequently, $L_p^p(\mathbf{x},\mathbf{y})={\sum }_{i=1}^n{\sum }_{j=0}^p\left(\genfrac{}{}{0pt}{}{p}{j}\right){(-1)}^{p-j}{x_i}^j{y}_i^{p-j}$, and we obtain:

$$L_p^p(\mathbf{x},\mathbf{y})=\sum _{i=0}^p\left(\genfrac{}{}{0pt}{}{p}{i}\right){(-1)}^{p-i}\langle {\mathbf{x}}^{\left(i\right)},{\mathbf{y}}^{(p-i)}\rangle .$$

(7)

We encode $\mathbf{x}$ and $\mathbf{y}$ to ${\mathbf{x}}^{\prime }\in {\mathbb{Z}}_q^{(p-1)n+2}$ and ${\mathbf{y}}^{\prime }\in {\mathbb{Z}}_q^{(p-1)n+2}$ over a ring ${\mathbb{Z}}_q$ as follows:

$${\mathbf{x}}^{\prime }=({\alpha }_0{\parallel \mathbf{x}\parallel }_p^p,{\alpha }_1{\mathbf{x}}^{(p-1)},{\alpha }_2{\mathbf{x}}^{(p-2)},\cdots ,{\alpha }_{p-1}{\mathbf{x}}^{\left(1\right)},{\alpha }_p),$$

(8)

$${\mathbf{y}}^{\prime }=(1,{\mathbf{y}}^{\left(1\right)},{\mathbf{y}}^{\left(2\right)},\cdots ,{\mathbf{y}}^{(p-2)},{\mathbf{y}}^{(p-1)}{,\parallel \mathbf{y}\parallel }_p^p),$$

(9)

where ${\alpha }_i=\left(\genfrac{}{}{0pt}{}{p}{i}\right){(-1)}^i$ for $i=0,\dots ,p$. Thus, we observe that:

$$L_p^p(\mathbf{x},\mathbf{y})=\langle {\mathbf{x}}^{\prime },{\mathbf{y}}^{\prime }\rangle .$$

(10)

Accordingly, a generalized form of the p-powered $L_p$ distance computation protocol over FHIPE is defined as ${\prod }_{PDIST}$=$(Setup$, $EncodeX$, $EncodeY$, $GetDistance)$, which is obtained from using ${\prod }_{IPE}$ for a security parameter $\lambda \in \mathbb{N}$, degree $p\in 2\mathbb{N}$, the dimension $n\in \mathbb{N}$ of the input vectors, and the range S of the inner product. These four operations are defined as follows:

• $Setup(1^{\lambda },S)$

  1.

  Select a bilinear environment $(q,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,g_1,g_2,e)$ according to the security parameter $\lambda$.

  2.

  Choose a matrix ${\mathbf{B}}^{\prime }\leftarrow {\mathbb{GL}}_l\left({\mathbb{Z}}_q\right)$ for $l=(p-1)n+2$, where ${\mathbb{GL}}_l\left({\mathbb{Z}}_q\right)$ is a group of $l\times l$ square matrices whose elements belong to the finite field ${\mathbb{Z}}_q$ and an inverse matrix exists.

  3.

  Compute ${{\mathbf{B}}^{\prime }}^{★}\leftarrow \mathsf{det}\left({\mathbf{B}}^{\prime }\right)·{\left({\mathbf{B}}^{\prime }-1\right)}^{\top }$.

  4.

  Output the public parameter $p{p}^{\prime }=({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,q,e,S,p)$ and master secret key $ms{k}^{\prime }=(p{p}^{\prime },g_1,g_2,{\mathbf{B}}^{\prime },{{\mathbf{B}}^{\prime }}^{★})$.

• $EncodeX(ms{k}^{\prime },\mathbf{x})$

  1.

  Construct a vector ${\mathbf{x}}^{\prime }\in {\mathbb{Z}}_q^l$ as described previously (8).

  2.

  Output $c{t}^{\prime }=IPE.Encrypt(ms{k}^{\prime },{\mathbf{x}}^{\prime })$.

• $EncodeY(ms{k}^{\prime },\mathbf{y})$

  1.

  Construct a vector ${\mathbf{y}}^{\prime }\in {\mathbb{Z}}_q^l$ as described previously (9).

  2.

  Output $s{k}^{\prime }=IPE.KeyGen(ms{k}^{\prime },{\mathbf{y}}^{\prime })$.

• $GetDistance(p{p}^{\prime },s{k}^{\prime },c{t}^{\prime })$

  1.

  Calculate $z=IPE.Decrypt(pp,s{k}^{\prime },c{t}^{\prime })\in S$.

  2.

  Output z. z satisfies $z=\langle {\mathbf{x}}^{\prime },{\mathbf{y}}^{\prime }\rangle =L_p^p(\mathbf{x},\mathbf{y})$.

4. Performance Analysis

To verify the feasibility of the proposed method, we implemented ${\prod }_{PDIST}$ in C++ using the FHIPE library developed in a previous study [13] (our algorithm and code are available at https://github.com/inhaislab/FHIPE-Lp-Distance (accessed on 19 April 2023)). As shown in

Table 1. Experimental setup for performance analysis.

	Desktop Computer	Raspberry Pi
CPU	AMD Ryzen5 3600 6-Core @ 3.60 GHz	ARM Cortex-A7 4-Core @ 900 MHz
Memory	16 GB	1 GB
OS	Ubuntu 20.04 (using Windows 11 Pro WSL2)	Raspbian
language	C++11
SW library	FHIPE library [13], NTL 11.3.2 [36], MCL 1.51 [37], GMP 6.1.2 [38]

, we also used NTL 11.3.2 [36] for integer, vector, and matrix arithmetic, MCL 1.51 [37] for pairing-based cryptography, and GMP 6.1.2 [38] for big number arithmetic. We applied ${\prod }_{PDIST}$ to our testing programs on desktop PC and Raspberry Pi. The programs were run on a desktop computer with 16 GB main memory, an AMD Ryzen5 3600 6-Core processor @ 3.60 GHz, and Ubuntu 20.04 (using Windows 11 Pro WSL2), and on a Raspberry Pi 2 model B with 1 GB RAM and a quad-core ARM Cortex-A7 processor @ 900 MHz. MCL 1.51 [37] provides various parameter sets for bilinear environments. Among these, we selected SNARK1, which is one of the most frequently used parameter sets for Ethereum.

We measured the execution times for the four operations of ${\prod }_{PDIST}$ with $n=\{8,16,32,64,128\}$ and $p=\{2,4,6,8,10\}$. For each combination, 100 measurements were averaged. Figure 1 shows the experimental results on the desktop PC. The exact numerical data are given in the Appendix A (See

Table A1. Execution time (ms) of $PDIST.Setup$ operation on desktop PC.

n	$\mathit{p}=$ 2	$\mathit{p}=$ 4	$\mathit{p}=$ 6	$\mathit{p}=$ 8	$\mathit{p}=$ 10
8	0.2829	1.3004	4.0788	9.1245	17.5512
16	0.7050	6.2276	23.2380	57.6781	116.7271
32	2.7922	38.1033	157.1521	409.0067	847.1027
64	13.4316	262.8206	1154.1302	3169.3995	6654.9266
128	84.3335	1996.4130	9102.0401	24,568.7575	51,736.9127

,

Table A2. Execution time (ms) of $PDIST.EncodeX$ operation on desktop PC.

n	$\mathit{p}=$ 2	$\mathit{p}=$ 4	$\mathit{p}=$ 6	$\mathit{p}=$ 8	$\mathit{p}=$ 10
8	0.5360	1.0178	1.4379	1.9993	2.3923
16	0.6928	1.5539	2.4909	3.3429	4.2303
32	1.0629	2.7375	4.5277	6.6077	9.3979
64	1.9716	5.4832	10.7796	17.2424	24.8129
128	3.6427	13.8724	28.8228	57.3657	100.5351

,

Table A3. Execution time (ms) of $PDIST.EncodeY$ operation on desktop PC.

n	$\mathit{p}=$ 2	$\mathit{p}=$ 4	$\mathit{p}=$ 6	$\mathit{p}=$ 8	$\mathit{p}=$ 10
8	0.4172	0.6683	0.9487	1.3669	1.6381
16	0.4990	1.0367	1.7212	2.2604	3.1142
32	0.7689	2.1281	3.5350	5.6405	8.2282
64	1.3513	4.3957	9.2588	15.2354	21.8299
128	2.7581	12.0748	25.7857	51.5276	84.5382

and

Table A4. Execution time (ms) of $PDIST.GetDistance$ operation on desktop PC.

n	$\mathit{p}=$ 2	$\mathit{p}=$ 4	$\mathit{p}=$ 6	$\mathit{p}=$ 8	$\mathit{p}=$ 10
8	3.9364	25.9514	209.0308	1943.1150	21,997.1054
16	5.5135	33.2946	273.7545	3005.3176	28,656.2952
32	7.1317	51.0461	422.1917	3934.5410	44,462.6137
64	11.1817	67.7086	555.1111	6066.4581	57,326.4031
128	15.8210	105.7101	856.1863	7930.5029	89,076.5944

.) Based on the results, it can be deduced that $Setup$ and $GetDistance$ are the dominant operations. In particular, the execution time for $GetDistance$ increases exponentially as p increases. For example, it took 0.01 s, 0.07 s, 0.56 s, 6.07 s, 57.3 s for $p=2,4,6,8,10$, respectively, when n is 64. Notably, the main operation in $GetDistance$ is the discrete logarithm (DL) computation. The complexity of solving a DL problem is $O\left(\sqrt{S}\right)$ when a well-known general method is used, that is, the baby-step giant-step method. It must be noted that S, which is the range of the solution of the DL problem, satisfies $S=n·m^p$, where m is the maximum difference between the two vector elements $x_i$ and $y_i$. This explains the exponential growth in execution time with an increase in p. We also observe that the time increases slowly as n increases because the execution time is proportional to $\sqrt{n}$. $Setup$ also consumes a significant amount of time, for example, 6.65 s on average when n = 64 and p = 10, because it involves complex matrix operations, such as inverse computation. However, $EncodeX$ and $EncodeY$ consume negligible time compared with $Setup$ and $GetDistance$. For example, they only took 24.77 ms and 21.80 ms, respectively, when n = 64. This is because they involve relatively lower cost operations, such as matrix-vector multiplication and elliptical-curve point multiplication.

We also measured the execution time on the Raspberry Pi. $Setup$ and $GetDistance$ were not considered in this experiment because these operations are expected to run not on IoT devices but on high-end servers. Thus, the implementation on an IoT device, that is, Raspberry Pi, requires only $EncodeX$ and $EncodeY$. Figure 2 shows the experimental results for these operations. The exact numerical data are provided in the Appendix A. (See

Table A5. Execution time (sec) of $PDIST.EncodeX$ operation on Raspberry Pi.

n	$\mathit{p}=$ 2	$\mathit{p}=$ 4	$\mathit{p}=$ 6	$\mathit{p}=$ 8	$\mathit{p}=$ 10
8	0.0334	0.0681	0.1046	0.1382	0.1752
16	0.0515	0.1202	0.1906	0.2638	0.3386
32	0.0855	0.2281	0.3780	0.5351	0.6965
64	0.1560	0.4553	0.7879	1.1443	1.5455
128	0.3026	0.9714	1.7483	2.6981	3.8167

and

Table A6. Execution time (sec) of $PDIST.EncodeY$ operation on Raspberry Pi.

n	$\mathit{p}=$ 2	$\mathit{p}=$ 4	$\mathit{p}=$ 6	$\mathit{p}=$ 8	$\mathit{p}=$ 10
8	0.0162	0.0332	0.0512	0.0687	0.0866
16	0.0249	0.0596	0.0951	0.1337	0.1732
32	0.0419	0.1143	0.1944	0.2809	0.3765
64	0.0770	0.2376	0.4298	0.6494	0.9114
128	0.1534	0.5407	1.0486	1.7215	2.5846

.) The overall tendencies of $EncodeX$ and $EncodeY$ on the Raspberry Pi were similar to those of the previous experiment on the desktop PC. Between the two operations, $EncodeY$ required slightly shorter execution times than $EncodeX$ on both the desktop and Raspberry Pi, up to approximately 33% on the desktop and approximately 50% on the Raspberry Pi. Notably, even a combination of the largest parameters, that is, $(n,p)=(128,10)$, requires only a few seconds for execution. To be precise, the execution times were 3.82 s and 2.58 s for $EncodeX$ and $EncodeY$, respectively. Under typical settings with $p=6$ [4], the time required was less than a second.

Finally, we compared the proposed method with previous privacy-preserving anomaly detection methods. In particular, we focused on the distance metric to identify anomaly.

Table 2. Comparison of privacy-preserving anomaly detection methods (* computed in plaintext).

Method	Cryptographic Primitive	Protection	Metric	p
[23]	HE	Client data	Euclidean distance	2
[24]	HE	Client data	Euclidean distance	2
[25]	HE (Additive only)	Client data	Q-function * (customized metric)	–
[26]	Differential Privacy	Train data	Mean absolute error *	1
Proposed	FE	Client data	$L_p$ distance	any even p

demonstrates that all the previous privacy-preserving anomaly detection methods were based on either Euclidean distance ($L_2$ distance) or absolute error ($L_1$ distance). Even though a customized nonlinear metric based on Gaussian distribution was used in [25], it was computed on plaintext. Therefore, it cannot be directly compared with the proposed method. By examining the distance metric as a quantitative property, we can see that the proposed method is the first anomaly detection method that performs distance computation over ciphertext using the $L_p$ distance metric for $p>2$.

5. Applications

In this section, we propose a general framework for privacy-preserving anomaly detection in IoT systems. We present two examples of this framework: smart building management and remote device diagnosis. Our basic assumption is that each IoT device has several normal states defined by its specifications. Each of these states can be represented as a latent vector, that is, a feature vector, by applying a neural network model as a feature extractor. The normal-state vectors are stored, and anomaly detection is performed by comparing the current state with the normal states. An anomaly is defined as an event in which the current feature vectors are not sufficiently close to any of the stored normal feature vectors in terms of the $L_p$ distance metric. We used ${\prod }_{PDIST}$ as a building block for privacy-preserving anomaly detection.

As shown in Figure 3,the framework is composed of two servers and several IoT devices. $Serve{r}_{setup}$ denotes the set up server. We assume that the normal-state vectors ${\mathbf{x}}_{\mathbf{1}},\dots ,{\mathbf{x}}_{\mathbf{M}}$ are provided to $Serve{r}_{setup}$ as a specification of each target device. In the device registration stage, $Serve{r}_{setup}$ performs $Setup$ for that device, encrypts ${\mathbf{x}}_{\mathbf{1}},\dots ,{\mathbf{x}}_{\mathbf{M}}$ into $c{t}_1^{\prime },\dots ,c{t}_M^{\prime }$ using $EncodeX$ with the corresponding $ms{k}^{\prime }$ of the device, and transfers the results to an anomaly detection server $Serve{r}_{detect}$ for registration. $Serve{r}_{setup}$ stores $ms{k}^{\prime }$ for each device, and $Serve{r}_{detect}$ stores $c{t}_1^{\prime },\dots ,c{t}_M^{\prime }$ for each device. When a device must be analyzed for an anomaly, it obtains temporal access to $ms{k}^{\prime }$ in $Serve{r}_{setup}$ after it passes proper authentication. It encrypts the state vector $\mathbf{y}$ into $s{k}^{\prime }$ using $EncodeY$ and sends the results to $Serve{r}_{detect}$ with a request for an anomaly detection service. Upon receiving this request, $Serve{r}_{detect}$ determines whether the device is currently in a normal state based on an NN search using the $L_p$ distance. Thus, $Serve{r}_{detect}$ computes $GetDistance(p{p}^{\prime },s{k}^{\prime },c{t}_i^{\prime })$ for $i=1$ to M for this device and checks whether at least one of these distances is smaller than a predefined threshold. Otherwise, an anomaly is asserted.

To verify the feasibility of the above-mentioned application framework, we conducted additional experiments on the Secure Water Treatment (SWaT) dataset [5]. SWaT is a time series anomaly dataset provided by iTrust of Singapore University of Technology and Design (SUTD). The data in SWaT were collected using 24 sensors and 27 actuators on the water treatment testbed over 11 days through six steps: water storing, pre-treatment and chemical dosing, fine filtration, dechlorination, removing inorganic impurities, and water storing for distribution. Therefore, the SWaT dataset can be interpreted as a 51-dimensional time series dataset. Each time series is composed of numerical sensor and actuator values measured every second. We can model the water treatment application considered in the SWaT dataset using the components in Figure 3 as follows: the $Serve{r}_{setup}$ and $Serve{r}_{detect}$ are the third party participants that are in charge of detecting anomalies in the entire water treatment system, and each IoT device in Figure 3 represents a water treatment plant. In each individual water treatment plant, a feature vector is created through a neural network-based feature extractor. Feature extraction is essentially a dimensionality reduction process. For this purpose, we used an encoder with three hidden fully connected layers of dimensions $4n$, $2n$, and n, respectively. This encoder can be viewed as the encoding layers of an autoencoder. Using an autoencoder is a well-established approach in the literature in time series anomaly detection [39]. We considered a hyperparameter n to represent the size of the final latent vectors, i.e., feature vectors. We tested $n=8,16$, and 32. This n corresponds to the vector size, n, in the experiment in Section 4. Among the 51 sensors and actuators, we removed six unstable data columns as in [39]. To represent the short-term temporal behavior of each sensor and actuator, we considered 60 consecutive measurements, i.e., 60 s for each sensor or actuator. Consequently, an input for the feature extractor consists of 45 time series with each series containing 60 measurements. In other words, a single input is a 60 × 45 matrix and the output is an n-dimensional feature vector. The feature vector is encrypted through the $EncodeX$ and $EncodeY$ operations for registration and anomaly detection, respectively.

For our experiment, we used the same experimental setup as that in Section 4 (see Table 1). The feature extractor was implemented in C++ to extract feature vectors. Then, each IoT device conducted feature extraction followed by $EncodeX$ (or $EncodeY$). The experimental results measured at the anomaly detection stage, i.e., the time for feature extraction plus $EncodeY$ is presented in Figure 4. According to the results, the time required for feature extraction was roughly on the same order as that for $EncodeY$. Note that the total computation time on Raspberry Pi was only 0.6396 s even for the combination of largest hyperparameters, that is, $p=10$ and $n=32$.

5.1. Smart Building Management

The first application scenario involves smart building management. As already discussed in Section 1, IoT-based smart building management systems can cause serious privacy issues if the collected data are not properly protected [11]. We assume that $Serve{r}_{setup}$ belongs to the facility management department in a campus comprising several buildings, and $Serve{r}_{detect}$ belongs to another department. Managers should be responsible for managing the IoT devices of their department, which is accomplished by observing the measured status.

An IoT device must be registered in advance using the following procedure. The device manager requests that the facility management department register the IoT device. The department then issues a unique device id $devic{e}_i$ and conducts $Setup$ for the device to create its $ms{k}_i^{\prime }$. Referring to the device specifications, $Serve{r}_{setup}$ obtains the normal-state vectors ${\mathbf{x}}_{\mathbf{1}}, \dots ,\begin{array}{c}\hfill {\mathbf{x}}_{\mathbf{M}}\end{array}$ and encrypts them into $c{t}_{i1}^{\prime }, \dots ,c{t}_{iM}^{\prime }$ using $EncodeX$ with $ms{k}_i^{\prime }$. The manager then stores $c{t}_{i1}^{\prime },\dots ,c{t}_{iM}^{\prime }$ in the department database for $Serve{r}_{detect}$.

Subsequently, anomaly detection is performed as follows: a manager who wants to investigate a suspicious $devic{e}_i$ in their department requests temporal access from $ms{k}_i$ to $Serve{r}_{setup}$. After authenticating this request, $Serve{r}_{setup}$ sends ($ms{k}_i^{\prime }$, $sessionId$) to $devic{e}_i$ and ($devic{e}_i$, $sessionId$) to $Serve{r}_{detect}$. Device $devic{e}_i$ executes $EncodeY$ using $ms{k}_i^{\prime }$ with the current feature vector ${\mathbf{y}}_i$ to output $s{k}_i^{\prime }$. Subsequently, $devic{e}_i$ sends ($devic{e}_i$, $sessionId$, $s{k}_i^{\prime }$) to $Serve{r}_{detect}$ in the department. $Serve{r}_{detect}$ validates the session and solves an encrypted NN search problem to obtain the minimum mean p-powered error by calculating $GetDistance(p{p}^{\prime },s{k}_i^{\prime },c{t}_{ij}^{\prime })$ for $j=1, \dots ,M$. If the error is below a certain threshold, the device is considered healthy.

5.2. Remote Device Diagnosis

The second application scenario is remote device diagnosis. We assume that an IoT appliance manufacturing company provides self-diagnosis services to its clients and that the company knows the normal states of its devices before release. The company configures $Serve{r}_{setup}$ and $Serve{r}_{detect}$ such that all $ms{k}^{\prime }$s for the devices are stored in $Serve{r}_{setup}$ and not shared with $Serve{r}_{detect}$ and ensures that all the encrypted normal-state vectors of each device are stored in $Serve{r}_{detect}$.

When a user of $devic{e}_i$ wants to know whether their IoT appliance is working well, the user allows the device to initiate an anomaly detection protocol in a manner similar to that described in Section 5.1. The device pulls $ms{k}_i^{\prime }$ from $Serve{r}_{setup}$ and uses $ms{k}_i^{\prime }$ to encrypt the current state in $c{t}_i^{\prime }$ and sends it to $Serve{r}_{detect}$. Finally, the device displays the result received from $Serve{r}_{detect}$ to the user.

5.3. Possible Attacks and Mitigation on Our Systems

In this subsection, we address the possible attacks against each component of our system.

• Attack to devices: an attacker may attempt to extract either the state vector or $ms{k}^{\prime }$ by observing the memory of a device while encryption is performed with $ms{k}^{\prime }$. However, this type of physical threat can be mitigated using a a trusted execution environment.
• Network attack: attackers may attempt to sniff the communication between a device and servers or steal the normal-state vectors stored in the database. As the vectors are encrypted by $EncodeX$ and $EncodeY$, attackers learn no information about the vectors, even when they obtain the encrypted vectors. Attackers may attempt to perform replay attacks and man-in-the-middle attacks on the communication between a device and servers to manipulate data. These attacks can be prevented by marking with a timestamp and authenticating with a message authentication code or digital signature of the server on every request and response.
• Attack to servers: if $Serve{r}_{setup}$ is compromised, $ms{k}^{\prime }$s for all devices may be leaked. Therefore, we assume that $Serve{r}_{setup}$ is protected with a proper mechanism. We also assume that $Serve{r}_{setup}$ is trustworthy. In other words, it does not attempt to recover the device information with $ms{k}^{\prime }$. Under this assumption, the only concern involves $Serve{r}_{detect}$, which may want to recover any useful information from its database of encrypted feature vectors. (This also includes the case where $Serve{r}_{detect}$ is compromised from outside attackers.) However, this is prevented by the security property of FHIPE. For this, however, $Serve{r}_{setup}$ and $Serve{r}_{detect}$ must be strictly separated to ensure that they do not share $ms{k}^{\prime }s$ with each other.

6. Limitation

The proposed method works only when the degree p is even. In (6), the $L_p$ distance is composed of terms that are p-powers of $|x_i-y_i|$. Since it is not possible to compute an absolute value using FHIPE, we replaced $|x_i-y_i{|}^p$ with ${(x_i-y_i)}^p$. This is only possible when p is even. To be precise, $|x_i-y_i{|}^p=\left(\right|x_i-y_i{{|}^2)}^{p/2}={\left({(x_i-y_i)}^2\right)}^{p/2}={(x_i-y_i)}^p$. However when p is odd, this equality does not hold. To resolve this issue, we may consider a naive method for odd p as follows: given a maximum difference m between two vector elements $x_i\in {\mathbb{Z}}_q$ and $y_i\in {\mathbb{Z}}_q$, we can compute $x_i-y_i$ by computing the inner product of $(x_i,-1)$ and $(1,y_i)$ using FHIPE. If $x_i-y_i\le m$, then $|x_i-y_i|=x_i-y_i$. Otherwise, if $x_i-y_i>m$, this implies that $y_i$ is actually greater than $x_i$ and $x_i-y_i=q-m^{\prime }$ for $y_i-x_i=m^{\prime }\le m$. Therefore, the actual absolute value can be computed as $q-(x_i-y_i)=m^{\prime }$. However, the above approach requires FHIPE Setup, KeyGen, Encrypt, and Decrypt for each absolute value term $|x_i-y_i|$ separately. This may raise both performance and security issues. Therefore, a more advanced solution is required for odd p, which will be a future research direction.

7. Conclusions

In this study, we developed a method to compute the $L_p$ distance privately using FHIPE for even $p>2$. The proposed method is the first anomaly detection method that performs distance computation over ciphertext using the $L_p$ distance metric for $p>2$. Our experimental results demonstrate that the proposed method is sufficiently efficient for use in real-world IoT devices. For example, $EncodeX$ and $EncodeY$ require only 787 ms and 430 ms, respectively, for a typical setting with $p=6$ and $n=64$ on a Raspberry Pi IoT device according to the experimental results in Section 4. Based on additional experiments using the SWaT dataset in Section 5, the time required to extract a 32-dimensional feature vector from a 60 × 45 input matrix using a three-layer fully connected neural network is 0.2604 s. If a typical setting is considered with $p=6$ [4], the time for $EncodeY$ on the Raspberry Pi side is 0.1944 s and the time for $GetDistance$ on the server side is 0.4222 s. Therefore, the total computation time for anomaly detection is $(0.2604+0.1944+0.4222M)$ s when there are M possibilities for normal states. Assuming that M is not very large, e.g., $M<10$, the overall anomaly detection operation can be completed in a few seconds in a typical setting with $p=6$. Therefore, the $L_p$ distance can be used to compute the mean p-powered error for anomaly detection without revealing the actual state of IoT devices. Even though the anomaly detection server computes the distance between encoded state vectors of an IoT device, it never sees the actual values of these vectors. Thus, the proposed method is expected to be useful for outsourcing anomaly detection in a privacy-preserving manner. We suggest two practical scenarios for privacy-preserving anomaly detection: a smart building management system and remote device diagnosis.