Large amounts of data are continuously generated by individuals, apps, or dedicated devices. These data can be aggregated to compute useful statistics from multiple sources using data aggregation protocols. However, oftentimes these data contain private information that must be p
...
Large amounts of data are continuously generated by individuals, apps, or dedicated devices. These data can be aggregated to compute useful statistics from multiple sources using data aggregation protocols. However, oftentimes these data contain private information that must be protected from misuse. Privacy-preserving protocols can help to compute the same statistics without revealing the private input data to unauthorized parties. However, most privacy-preserving data aggregation schemes only work in the honest-but-curious model, where participants do not deviate from the protocol. As a result, the computed statistics cannot always be trusted. In particular, the aggregator, which is the party responsible for collecting the data is usually trusted with computing the correct result. However, a compromised aggregator may decide to output any value of its choosing without anyone noticing. Schemes with public verifiability help to counter malicious aggregators who try to falsify the final result by tampering with the inputs of honest users. However, they do not consider cases where both the aggregator and a subset of the users may be malicious, meaning they can deviate from the protocol and collude with each other in order to output results of their choosing. In this work, we develop a privacy-preserving data aggregation protocol to compute the sum of a set of private inputs such that a verifier can efficiently detect tampering even in the face of a malicious aggregator and a subset of malicious users. We also provide two extensions for better performance and for malicious user detection. We show that the scheme achieves the desired properties of confidentiality, integrity, and authenticity. Finally, theoretical and experimental evaluations show that its performance makes it feasible for real-world applications.