Privacy-Preserving and Lightweight Selective Aggregation with Fault-Tolerance for Edge Computing-Enhanced IoT

Edge computing has been introduced to the Internet of Things (IoT) to meet the requirements of IoT applications. At the same time, data aggregation is widely used in data processing to reduce the communication overhead and energy consumption in IoT. Most existing schemes aggregate the overall data without filtering. In addition, aggregation schemes also face huge challenges, such as the privacy of the individual IoT device’s data or the fault-tolerant and lightweight requirements of the schemes. In this paper, we present a privacy-preserving and lightweight selective aggregation scheme with fault tolerance (PLSA-FT) for edge computing-enhanced IoT. In PLSA-FT, selective aggregation can be achieved by constructing Boolean responses and numerical responses according to specific query conditions of the cloud center. Furthermore, we modified the basic Paillier homomorphic encryption to guarantee data privacy and support fault tolerance of IoT devices’ malfunctions. An online/offline signature mechanism is utilized to reduce computation costs. The system characteristic analyses prove that the PLSA-FT scheme achieves confidentiality, privacy preservation, source authentication, integrity verification, fault tolerance, and dynamic membership management. Moreover, performance evaluation results show that PLSA-FT is lightweight with low computation costs and communication overheads.


Introduction
The rapid development of Internet of Things (IoT) technology has made a considerable impact on our lives, such as smart home [1], smart healthcare [2], and smart grid [3]. More and more IoT devices connect to the Internet, and the cloud center analyzes all sensing data in traditional cloud computing, wherein it is difficult to provide real-time services to meet the requirements of IoT applications [4]. Edge computing is used to preprocess the data at the network edge and then transmit these preprocessed data to the cloud center [5]. Thus, it is introduced into IoT to overcome the bottleneck mentioned above (also regarded as an edge computing-enhanced IoT system) [6]. Owing to the distributed architecture of edge computing, sensitive information can be directly stored and processed on edge devices. Nevertheless, the capacity of the edge device is limited, and edge devices are easily captured by adversaries, resulting in the unreliability of edge devices [7]. Therefore, edge computing may increase the possibility of sensitive information leakage [8].
As an essential data processing technique, data aggregation can reduce energy and bandwidth consumption and gain accurate information by merging redundancy data. Although data aggregation is beneficial to edge computing-enhanced IoT, the adversaries can eavesdrop on messages during the transmission between the entities, and even modify messages and forge signatures. Consequently, the authenticity of aggregated data cannot be guaranteed, and the decision of the cloud center may be disturbed. Therefore, privacypreserving data aggregation (PPDA) has emerged as a significant research area [9].
Most existing aggregation schemes do not process data before the aggregation to avoid revealing data privacy, i.e., overall aggregation [10][11][12][13][14][15]. However, the overall aggregation will aggregate massive unrelated data, which increases the difficulty of both data analysis and data storage. Aggregating the data selectively within the scope of the query will be more beneficial to reduce response latency. Therefore, many selective aggregation schemes have already been proposed [16][17][18][19][20][21][22]. Nonetheless, both overall aggregation and selective aggregation schemes face the following challenges. Firstly, the accuracy of the aggregated data is likely to have a decrease since some unrelated data are also involved in the data aggregation and influence the final decisions. Secondly, a few schemes do not achieve source authentication and integrity verification, and the messages and signatures may be modified or tempered. Thirdly, the huge computation costs bring challenges to resourceconstrained IoT devices. Fourthly, fault tolerance should be taken into account to enhance the availability of the aggregation schemes.
We present PLSA-FT, a privacy-preserving and lightweight selective aggregation scheme with fault tolerance for edge computing-enhanced IoT. Our main contributions are as follows: • In PLSA-FT, the cloud center can set filtering conditions for the data source to avoid aggregating unrelated data. Hence, selective data aggregation can be achieved by constructing Boolean responses and numerical responses according to the attributes of the data source.

•
We have constructed the encryption, the aggregation, and the decryption process on the basis of the modified Paillier homomorphic cryptosystem to ensure the confidentiality and privacy of the individual IoT device's data.

•
The PLSA-FT is fault-tolerant, which means that the cloud center could obtain the aggregated data uploaded by all the working IoT devices, even if some IoT devices fail to upload reports.

•
We have analyzed the system characteristics to prove that the PLSA-FT scheme achieves confidentiality, privacy preservation, source authentication, integrity verification, fault tolerance, and dynamic membership management. Furthermore, we have evaluated the performance of the scheme to show that the PLSA-FT is lightweight.
The outline of this paper is as follows. The Section 2 introduces related works. The Section 3 presents the system model, the security model, and design goals. In the Section 4, we describe the proposed PLSA-FT scheme in detail. The Section 5 and the Section 6 demonstrate the system characteristic analyses and the performance evaluation. Finally, we provide a conclusion in the Section 7.
In [15], Guan et al. utilized pseudonyms and pseudonym certificates to perform secure data aggregation and guaranteed the anonymity of the devices. Nonetheless, the certificate generations and updates were time-consuming. Qian et al. [17] adopted the differential privacy technique to ensure vital privacy preservation and supported selective aggregation to provide online user behavior analysis based on the BGN homomorphic cryptosystem. Mahdikhani et al. [18] employed the Paillier homomorphic encryption to encrypt the reports to avoid the leakage of sensitive information. Moreover, selective aggregation was achieved by computing the inner product similarity to identify the aggregation subset. Zhang et al. [24] constructed a lightweight and verifiable PPDA scheme, called LVPDA, which was proved to be existentially unforgeable under the chosen message attack. LVPDA introduced the edge computing paradigm for efficient data storage and computing services. Nonetheless, the overall interaction of the scheme was complicated, and the signature verification did not support batch verification. In [32], Wang et al. proposed the first anonymous and secure aggregation scheme. In this scheme, the introduction of fog computing transferred storage and computing from the cloud center to fog nodes in order to solve high latency and lack of support for mobility. Moreover, pseudonyms were used for protecting the identities of terminal devices, and homomorphic encryption was employed for guaranteeing data security in fog-based public cloud computing. However, a large number of time-consuming bilinear pairs were used for signature verification, which leads to relatively large computation costs. The security model of this scheme considered that the cloud center was entirely believable, and that the assumption of security needed to be lowered in future work.
However, these schemes mainly focused on privacy, anonymity, and selective aggregation, while the fault tolerance of the scheme was ignored. This could be a large problem because IoT devices are prone to malfunctions. The fault tolerance characteristic was especially significant in [28,29]. Li et al. [28] set the sum of all devices' secret parameter π ij to 0 in order to enhance the security of plaintext m ij . Nonetheless, CC would not be able to decrypt the aggregated ciphertexts if one or more IoT devices malfunctioned, since the sum of π ij was no longer 0.
Shi et al. [31] proposed a fault-tolerant protocol based on diverse groups. Grining et al. [35] proposed a provable level of privacy even if massive devices malfunctioned. Nonetheless, the above traditional PPDA schemes did not adopt the architecture of edgecomputing/fog-computing and suffered from latency problems.
Lu et al. proposed a lightweight PPDA scheme to achieve data aggregation and filter fake data, based on the Paillier homomorphic cryptosystem and the Chinese Remainder Theorem [13]. Even if some devices were malfunctioning, their scheme could support fault tolerance. In [30], Zeng et al. presented a data aggregation scheme, which could support column aggregation and support an additional row aggregation. Furthermore, MMDA was fault-tolerant. However, not all the data was useful, as the aggregation of multidimensional data from two directions exacerbated the waste of resources. The schemes mentioned above took advantage of the computational capacity of fog computing/edge computing, whereas selective aggregation was not considered. Selective aggregation was beneficial to the recourse-constrained IoT because it could avoid spending massive resources on the aggregation and storage of unrelated data. However, there is seldom any work aiming to support the fault tolerance for selective data aggregation schemes.
In addition to fault tolerance and selective aggregation, dynamic membership management was also significant for practical application scenarios. In schemes without dynamic membership management, all the entities should be reset when there is any membership updating. It would cost considerable computation and communication overheads. Hence, we proposed the PLSA-FT system to aggregate data according to data source attributes and support the IoT devices' dynamic membership.

System Model
In our scheme, we consider a trusted third party, a cloud center, m edge devices, and m × l IoT, which are shown in Figure 1.
The trusted third-party TTP: The TTP is responsible for initialization and assigning keys for all entities in a secure way. If an IoT device participates in or exits the system, the value of the secret parameter θ in the TTP's database will update. TTP also helps in case of IoT devices' malfunctioning.
IoT devices TD = TD 11 , TD 12 , · · · , TD m(l−1) , TD ml : TD ij generates responses according to collected data and sends encrypted reports to the corresponding edge device ED i .
Edge devices ED = {ED 1 , ED 2 · · · ED m }: The ED i generally refers to the edge server. Specifically, ED i transmits messages between the cloud center and IoT devices.
Cloud center CC: The CC broadcasts queries to TD s via corresponding edge devices, aggregates ciphertexts from ED s, and analyzes data after decryption. Specifically, i ED transmits messages between the cloud center and IoT devices.
Cloud center C C : The C C broadcasts queries to TD s via corresponding edge devices, aggregates ciphertexts from ED s, and analyzes data after decryption.

Security Model
We assume that the trusted third-party TTP is fully trusted, while the cloud center and edge devices are honest but curious, which means that the cloud center and edge devices would try to gain information by analyzing received data without any modification. Each IoT device is considered to be honest in our scheme.
We considered an external adversary who may eavesdrop on the sensitive information during data transmission, initiate reply attacks, and launch active attacks to modify the messages or forge the signatures. Note that PPDA is the focus of this paper. Other active attacks, i.e., denial of service (DoS) attacks and internal adversaries, are beyond the scope of this paper.

Design Goals
The main goal of our scheme is to aggregate data without revealing individual IoT device's data. At the same time, we hope that the scheme supports fault tolerance and dynamic membership management. Specifically, the design goals can be summarized as follows: Confidentiality and privacy preservation: Adversaries cannot infer any data from ciphertexts without the decryption key. The cloud center can only recover all IoT devices' aggregated data, and the individual IoT device's data are protected.
Source authentication and integrity verification: Every legal entity has a unique identity, and the reports generated from illegal devices could be detected. Meanwhile, if the adversaries modify the data or forge signatures, malicious operations would be detected.

Security Model
We assume that the trusted third-party TTP is fully trusted, while the cloud center and edge devices are honest but curious, which means that the cloud center and edge devices would try to gain information by analyzing received data without any modification. Each IoT device is considered to be honest in our scheme.
We considered an external adversary who may eavesdrop on the sensitive information during data transmission, initiate reply attacks, and launch active attacks to modify the messages or forge the signatures. Note that PPDA is the focus of this paper. Other active attacks, i.e., denial of service (DoS) attacks and internal adversaries, are beyond the scope of this paper.

Design Goals
The main goal of our scheme is to aggregate data without revealing individual IoT device's data. At the same time, we hope that the scheme supports fault tolerance and dynamic membership management. Specifically, the design goals can be summarized as follows: Confidentiality and privacy preservation: Adversaries cannot infer any data from ciphertexts without the decryption key. The cloud center can only recover all IoT devices' aggregated data, and the individual IoT device's data are protected.
Source authentication and integrity verification: Every legal entity has a unique identity, and the reports generated from illegal devices could be detected. Meanwhile, if the adversaries modify the data or forge signatures, malicious operations would be detected.
Fault tolerance: Even if one or more IoT devices malfunction, the proposed PLSA-FT scheme can still work as usual.
Dynamic membership management: When new IoT devices join or old ones exit the system, any parameters of other devices need not be updated.

System Initialization
We assume that the TTP will bootstrap the whole system. Given two security parameters k 1 , k 2 , TTP first chooses two random large prime numbers p 1 , q 1 with k 1 − bit length and |p 1 | = |q 1 | = k 1 . Then, let n = p 1 · q 1 , choose a generator g 1 = n + 1 and g 1 ∈ Z * n 2 . Then, define a function L(x) = (x − 1)/n, output public key pk = n, and private key sk = λ for encryption and decryption. Then, TTP generates a bilinear map e : G 1 × G 1 = G 2 of prime order q, where |q| = k 2 . Then, TTP chooses four secure hash Finally, the TTP publishes the public parameters {q, e, G 1 , G 2 , H, H 1 , H 2 , H 3 , H CH , n, g 1 } to all entities in the system, and keeps sk = λ available to CC.

Registration
The TTP chooses a random number x ∈ Z * q as CC's private key and computes Y = g x . Then, the TTP publishes the public key Y and sends the private key x to CC, and CC keeps its private key secretly. Similarly, TTP selects an identity ID ED i and a random number Only the TTP and IoT devices know the private key x ij . The TTP also computes the corresponding Y ij = g x ij for each IoT device in the system and stores ID TD ij , Y ij in the CC's database and in the corresponding ED i 's database. When an IoT device joins in the system, it should apply the registration to TTP. When an IoT device exits the system, it should send a message to notify TTP to update the value of secret parameter θ. TTP also regularly inquires of edge devices to obtain the information of working IoT devices to avoid that TTP does not receive the message from the IoT device because of power outages or network fadings. TD ij further chooses w ij , y ij , z ij , s ij , t ij ∈ Z * q and computes TD ij stores the personal information PI = r ij , s ij , t ij , where s ij and t ij are trapdoor keys. Then, TD ij calculates and the offline signature significantly reducing the computation costs of ED i . If the equation holds, TD ij is valid. Otherwise, TD ij is invalid and ED i rejects TD ij 's responses later.

Query Broadcasting
Whenever CC desires, it broadcasts query Q to all IoT devices via intermediate edge devices. The query Q is formally defined as Q = (A B), where A = {a 1 , a 2 , . . . , a k } contains all query conditions a i of the data source attributes in the current query, B denotes CC's basic query condition, and denotes the concatenation function. A query Q 1 is defined as Q 1 = {A = ( f emale & age > 60) B = heart rate}, whose query conditions of Sensors 2021, 21, 5369 6 of 17 the data source attribute are "female" and "age > 60", and the basic query condition is "heart rate". CC uses its private key x to sign query Q as (5) to guarantee that the query Q is not altered, where TS q denotes the current timestamp. Then, CC sends Q, TS q , σ to all IoT devices via corresponding edge devices.

IoT Devices Responses
After each IoT device receives the query, it first checks the freshness of TS q . Then, each IoT device checks the validity of signature σ through the equation e Y, H 1 Q TS q = e(g, σ). The query is accepted when the equation holds. Otherwise, the signature is invalid, and the query is rejected. If the query is accepted, each IoT device TD ij constructs the response R ij on the basis of query Q. Each TD ij 's response R ij is formally defined as RB ij can be computed as RB ij =(b 1 &b 2 & · · · &b k ), and b i is the Boolean response to the corresponding query condition of the data source attribute a i . RN ij denotes numerical response to basic query condition B. Each TD ij runs the Algorithm 1 to obtaian the output R ij = RB ij RN ij . We define R = max{R 11 , R 12 , · · · , R ml }. Note that, the range [0, R] is still a small message space in comparison with Z n .

Algorithm 1: IoT devices responses
Input: TD ij 's Boolean response (b 1 , b 2 , · · · , b k ) and numerical response RN ij Output: R ij = RB ij RN ij 1: for each TD ij do 2: if RB ij = 1 then 4: RN ij = RN ij 5: else 6: RN ij = 0 7: end if 8: end for 9: return R ij = RB ij RN ij TD ij computes where TS denotes the current timestamp. When H(TS) x ij ·n is computed in advance, TD ij only needs to perform multiplication operations. Then, TD ij computes online signature on the basis of PI = r ij , s ij , t ij as follows: TD ij randomly chooses t * ij ∈ Z * q , and the online signature sig on ij = t * ij , s * ij is formed. Finally, TD ij sends message ID TD ij , TS, C ij , sig on ij to ED i .

Edge Device Aggregation
Upon receiving the message from TD ij , ED i first checks the timestamp TS and the validity of ID TD ij . Then, ED i uses verification key ( f , g, h) to check if The correctness of above equation can be proved as follows: If the equation holds, the message sent by TD ij is valid. Otherwise, the message is invalid. If the message is valid, ED i aggregates the ciphertext by computing Then, ED i calculates signature Finally, ED i sends message ID ED i , TS, C i , sig i to CC. Note that if the setTD ⊂ TD indicates that the devices in the set do not upload the reports, ED i computes (13) and the corresponding signature is Finally, ED i sends message ID ED i , TS, C i , sig i to CC.

Edge Device Aggregation
After receiving the message packet from ED i , CC first checks the validity of ID ED i and the freshness of the timestamps TS. Then, CC performs batch verification e(g, ∏ m i=1 sig i )? = ∏ m i=1 e Y i , H 1 ID ED i TS C i , which significantly reduces the computation costs of CC. If the equation holds, ED i is valid. Otherwise, ED i is invalid and CC checks e(g, sig i )? = e Y i , H 1 ID ED i TS C i to identify the invalid message.
If the message is valid, CC sends decryption requirements to TTP, TTP returns H(TS) n·θ to CC. Then, CC aggregates the ciphertexts by computing CC can obtain the aggregated plaintext ∑ m i=1 ∑ l j=1 R ij by computing ∑ {RB ij =1} RB ij counts the number of IoT devices that satisfy CC's query conditions. ∑ {RN ij =0} RN ij denotes the sum of numerical responses that satisfy CC's query conditions. CC can further gain the mean m of aggregated data by computing The correctness of the ciphertext's aggregation can be proved as follows:

Fault Tolerance Handling
If some IoT deviceTD ⊂ TD cannot work, CC aggregates the ciphertexts as follows:

Even if the equation H(TS)
(∑ TD ij ∈TD\TD x ij +θ)·n ≡ 1 mod n 2 does not hold, CC can still use private key λ to obtain aggregated plaintexts ∑ TD ij ∈TD\TD R ij . CC computeŝ The aggregated plaintexts can be recovered by Similarly, CC can obtain the corresponding mean m.

Extension to Support Dynamic Membership
Since the IoT devices in the edge computing-enhanced IoT system may change, our scheme can provide dynamic membership management. If some new IoT devices TD ∈ A participate in the system or some old ones TD ∈ B exit, TTP will update the value of θ and replace θ with θ . θ can be computed as If some new IoT devices participate in the system, they need to apply the registration to TTP, and the detailed registration operations are described in Section 4.2. If some old IoT devices exit, TTP needs to notify CC and the corresponding ED i to delete the corresponding record ID TD ij , Y ij . The cost of our extension is much less than that of other schemes, which need to update IoT device's private key.
The high-level description of the main phase of the PLSA-FT scheme is shown in Figure 2. Y . The cost of our extension is much less than that of other schemes, which need to update IoT device's private key. The high-level description of the main phase of the PLSA-FT scheme is shown in Figure 2.   We also show the main phases of our proposed PLSA-FA scheme in Table 1. Computes C ij = E R ij = 1 + R ij · n · H(TS) x ij ·n and generates a random number

Aggregation
Aggregates the reports C i = ∏ l j=1 C ij and generates the signature Sends the decryption requirements to TTP to get H(TS) n·θ Aggregates the reports If some IoT devicesTD ⊂ TD do not work, ED i aggregates the reports C i = ∏ TD ij ∈TD/TD C ij and generates the signature

Confidentiality and Privacy Preservation
Theorem 1. The privacy of the individual IoT device's data R ij cannot be compromised by an external adversary.
Proof of Theorem 1. If an external adversary eavesdrops on the communication between TD ij and ED i to obtain the report C ij . In PLSA-FT, the TD ij reports its data in the form of C ij = E R ij = 1 + R ij · n · H(TS) x ij ·n modn 2 . According to the property under Module n 2 , i.e., (1 + n) x ≡ (1 + n · x)modn 2 , C ij will become (1 + n) R ij · H(TS) x ij ·n modn 2 . If we let r = H(TS) x ij , g = (1 + n), and g ∈ Z * n 2 , then the ciphertext C ij will become C ij = g R ij · r n modn 2 and is still a valid Paillier ciphertext. Since the Paillier encryption algorithm has been proved to be semantically secure against chosen plaintext attacks, an external adversary cannot gain R ij without private key λ. Theorem 2. The privacy of remaining IoT devices is protected, even if a set of IoT devices is comprised.
Proof of Theorem 2. If a set of IoT devices are compromised, their corresponding secret keys x ij will be leaked. In PLSA-FT, the TTP randomly generates secret parameters x ij ∈ Z * q , i = 1, 2 · · · m, j = 1, 2 · · · l and there is no correlation between them. In other words, even if an adversary compromises some IoT devices, it has no chance to reveal the secret keys of the remaining IoT devices and the privacy of the remaining IoT devices' data.
In an extreme case, an adversary successfully compromises m × l − 1 IoT devices and obtains their corresponding secret keys x 11 ,x 12 ,· · · x ml−1 (i = 1, 2 · · · m, j = 1, 2 · · · l). Recalling Equation (1), the expression for all IoT devices can be expressed in the form of ∑ m i=1 ∑ l j=1 x ij + θ ≡ 0modλ. If we let ∑ x ij denote the obtained secret keys, then the above equation will become ∑ x ij + x ml + θ ≡ 0modλ. This means that only when the adversary obtains the secret parameter θ and the secret key λ of CC will it be able to gain x ml . Therefore, we can conclude that, no matter how many IoT devices are compromised, the privacy of other IoT devices is protected.

Theorem 3.
If the ED i is compromised, the privacy of individual IoT device's data R ij and aggregated data ∑ l j=1 R ij is preserved.

Proof of Theorem 3.
If the ED i is compromised, the adversary can obtain multiple TD ij 's ciphertexts C ij = E R ij = 1 + R ij · n · H(TS) x ij ·n modn 2 . Similarly, the adversary can obtain the aggregated ciphertext C i = 1 + ∑ l j=1 R ij · n · H(TS) ∑ l j=1 x ij ·n modn 2 . According to the proof of Theorem 1, both the ciphertext C ij and the aggregated ciphertext C i are valid Paillier ciphertexts, which are indistinguishable under chosen plaintext attacks. The ED i does not have the Paillier algorithm's secret key λ to perform the decryption. Thus, even if the adversary has compromised ED i , the privacy of the individual device's data R ij and the privacy of the aggregated data ∑ l j=1 R ij are both protected.

Theorem 4.
If CC is compromised, the privacy of the individual IoT device's data R ij is protected.
Proof of Theorem 4. If a strong adversary compromises the CC, it can only reveal the aggregated data. Since CC can only obtain aggregated ciphertexts from ED s, the adversary cannot infer the individual IoT device's data from the aggregated data. Therefore, even though the adversary compromised the CC, the privacy of the individual IoT device is still preserved.

Source Authentication and Data Integrity
Theorem 5. Source authentication and integrity verification of the data are guaranteed in proposed PLSA-FT scheme.
Proof of Theorem 5. After ED i receives the message packet ID TD ij , TS, C ij , sig on ij from TD ij , ED i first checks the freshness of timestamp TS and the validity of ID TD ij . ED i can confirm the message packet generated from which TD ij and further check if the entity is legal. Then, ED i checks if the equation H CH ij r ij , s ij , t ij = H CH ij C ij , s * ij , t * ij holds to verify the integrity of data. In our scheme, an online/offline signature is adopted, which has been proved to be is existential unforgeable under chosen message attacks in [24]. Only the adversary with trapdoor keys y ij , z ij can easily achieve the collision according to the trapdoor collision property [36]. Thus, an adversary cannot pass ED i 's integrity verification without trapdoor keys.
In addition, after CC receives the message packet ID ED i , TS, C i , sig i from ED i , CC first checks the freshness of timestamp TS and the validity of ID ED i . Therefore, CC can confirm the message packet generated from which ED i and further verify if the entity is legal. This ensures that every packet is from a legal entity and cannot be tampered. CC can performs batch verification e(g, ∏ m i=1 sig i )? = ∏ m i=1 e Y i , H 1 ID ED i TS C i , which greatly reduces the CC's computation costs. If the above equation does not hold, at least one message reported by ED i is invalid, and CC can check e(g, sig i )? = e Y i , H 1 ID ED i TS C i to find invalid messages. If an adversary modifies or forges the data, the above equation would not hold. Thereby, our scheme ensures the source authentication and integrity verification of the data.

Fault Tolerance
Theorem 6. Suppose at some time slot, certain IoT devices cannot successfully upload the reports, CC can still obtain aggregated data of the rest of normal IoT devices.
Proof of Theorem 6. In case certain IoT devicesTD in subset TD are malfunctioning, these devices cannot successfully upload the reports to the corresponding ED i . After aggregating the reports from ED s, the CC can obtain the aggregated report C, which only includes the normal IoT devices' reports. Even if the equation H(TS) (∑ TD ij ∈TD\TD x ij +θ)·n ≡ 1 mod n 2 does not hold, the CC can still perform the decryption to obtain aggregated data by computing L Ĉ λ .

Dynamic Membership Management
In PLSA-FT, when a new IoT device TD ij joins in the system, the IoT device applies to TTP. Then, TTP assigns the IoT device a secret key x ij and updates the value of secret parameter θ to θ , which can be computed as θ = θ − x ij modλ. When TD ij exits the system, TTP updates the value of secret parameter θ to θ , which can be computed as θ = θ + x ij modλ. At the same time, TTP needs to notify the CC and the corresponding ED i to delete the record ID TD ij , Y ij .
It can be seen that the joining or exit of IoT devices does not concern other IoT devices, which requires low computation and communication costs.

Performance Evaluation
We evaluated the performance of the proposed PLSA-FT scheme in the aspects of the computation costs and the communication overheads. We considered other related aggregation schemes [24,25,30,32] as a comparison. We adopted the Java Pairing Based Cryptography Library (JPBC) to estimate the time costs. We used the Type-A curves as defined in the PBC library for the implementation because the Type-A curves offer the highest efficiency among all types of curves. Table 2 shows the symbol and the meaning of the operations and corresponding time costs. The security parameter q is 160 bits, and the RSA modulus n is set to 1024 bits. In addition, we considered that there are m ED s and each ED corresponds to l TD s. Additionally, the length of timestamp TS and identity ID are all 160 bits. All experiments were implemented on Intel Core i7-4790 CPU @ 2.5 GHz, with 4 GB memory with Ubuntu16.04 operating system.

Computation Costs
In PLSA-FT, TD ij requires one exponentiation operation in Z n 2 , one hash operation, and three multiplication operations to generate the ciphertext and three multiplication operations in G 1 to calculate the signature. ED i requires 3l exponentiation operations in G 1 and 2l multiplication operations to verify the signature sig on ij and l multiplication operations in G 1 to aggregate ciphertext C i , one exponentiation operation, and a hash operation in G 1 to generate signature sig i . CC requires (3m + 1) multiplication operations (m + 1) bilinear pairing operations, (m + 1) hash operations, and one exponentiation operation in G 1 to verify the signatures and recover the plaintexts. We list a comparative summary of overall computation costs for five schemes in Table 3. From Table 3, we can find that our scheme requires the least T p operations that are the most time-consuming operations. When the number of edge devices increases, the cloud center needs to verify a large number of signatures; thus, the advantage of our scheme will become more evident. Figure 3 shows that the comparison of overall computation costs in terms of the number of TD per ED(l) and the number of ED(m). It shows that our proposed PLSA-FA scheme greatly reduced the overall communication costs. Although the overall computation costs of the scheme [24] are fewer than that of our scheme, our scheme provides more functional properties than that of the scheme [24]. Table 4 further shows the comparison of functionalities achieved by five schemes.
We also compared the computation costs during the aggregation phase in Figure 4a. It can be seen that our scheme requires the least computation costs during aggregation phrase. Figure 4b further depicts the signature and verification costs in terms of the number of TD per ED(l) and the number of ED(m). The time costs of the signature and verification in our proposed PLSA-FA scheme were found to be the least among the four schemes discussed. Table 3. The overall computation costs comparison.

Communication Overheads
The communication process of PLSA-FT consists of two processes. One is the communication process from TD ij to ED i , and the other one is the communication process from ED i to CC. In the phase of IoT devices responses, each TD ij sent a message packet ID TD ij , TS, C ij , sig on ij to ED i , and the corresponding communication overheads were 160 + 160 + 2048 + 160 = 2528 bits. Moreover, in the phase of edge device aggregation, each ED i sent message packet ID ED i , TS, C i , sig i to CC, and the corresponding communication overheads were 160 + 160 + 2048 + 160 = 2528 bits. Considering that there were m edge devices and each ED i corresponded to l IoT devices, the total communication overheads in the scheme were 2528ml+ 2528m bits. Figure 5 shows the comparison of total communication overheads among four schemes. We can conclude that the PLSA-FT scheme requires the least communication overheads.  Figure 5 shows the comparison of total communication overheads among four schemes. We can conclude that the PLSA-FT scheme requires the least communication overheads.

Conclusions
In this paper, we present a privacy-preserving and lightweight selective aggregation scheme with fault tolerance (PLSA-FT) for edge computing-enhanced IoT. PLSA-FT can filter data according to data source attribute to achieve selective aggregation and provide fault tolerance and dynamic membership management. Moreover, benefiting from edge

Conclusions
In this paper, we present a privacy-preserving and lightweight selective aggregation scheme with fault tolerance (PLSA-FT) for edge computing-enhanced IoT. PLSA-FT can filter data according to data source attribute to achieve selective aggregation and provide fault tolerance and dynamic membership management. Moreover, benefiting from edge computing, PLSA-FT transfers time-consuming operations to edge devices while reducing the online computatiDon costs. Detailed system characteristic analyses illustrate that the proposed PLSA-FT scheme is secure. Moreover, performance analysis results showed that it is lightweight in both computation costs and communication overheads. However, PLSA-FT is vulnerable to the collusion attacks of edge devices and malicious IoT devices, which exposes the data privacy of a single IoT device. In our future work, we plan to extend our scheme to cope with collusion attacks. Moreover, we also prepare to improve the security properties under more powerful adversaries and active attack models.