SP 2 DAS: Self-certified PKC-Based Privacy-Preserving Data Aggregation Scheme in Smart Grid

Abstract

Smart grid is a network of computers and power infrastructures that monitor and control energy usage by collecting data from the power grid. It can gather and distribute information about the behavior of all consumers in order to improve the efficiency, reliability, economics, safety, and sustainability of electricity services. In this paper, we propose a self-certified PKC-based privacy-preserving data aggregation scheme in smart grid to increase computation efficiency and achieve privacy protection of end users. To realize the anonymous aggregation of multidimensional data, we adopt the Chinese Remainder Theorem and homomorphic property of Paillier cryptosystem to achieve it. Comparing our scheme with Lu et al.'s scheme, the result shows that our scheme has more advantages over Lu et al.'s scheme in terms of computational costs of the user, GW, and OA. After adopting batch verification technique, the computational cost of GW is constant in our scheme, however, that of GW is linear with the number of the users in Lu et al.'s scheme. Furthermore, our scheme also supports the anonymity of the user's identity. It indicates that the local gateway GW does not know the real identity of the resident user such that the privacy of the user is better protected.

1. Introduction

Power electric systems in most countries have became old and inefficient. It might result in potential safety hazards. The Northeast blackout of 2003 was worth to be pondered. In this accident, about 200,000 people were affected, and 265 power plants were shut down during the outage. Investigations report found that the reason of blackout was due to human error and equipment failures. And this report indicated that this blackout could have been prevented and that immediate actions must be taken in both the United States and Canada to ensure that our electric system was more reliable. It puts forth a challenge for us. When a problem appears, how should we find it and solve it in time?

To overcome the problems caused by aging power grids, smart grid is developed. The earlier emerging smart grid technologies are electronic control, metering, and monitoring. The term smart grid has been used since at least 2005, when it appeared in [1]. There are many smart grid definitions in the recent literature in different flavors. However, a common factor in these definitions is the application of digital processing and communications to the power grid, making data flow and information management central to the smart grid.

The objective of smart grid is to provide end users or consumers with power in a more flexible, stable, and reliable manner. It makes end users know real-time electricity usage so as to actively adjust use of electricity. Therefore, the smart grid is characterized by a two-way flow of electricity and information between the provider and consumer of electric power. It achieves an automated, distributed energy delivery network and helps end users to balance power supply and demand by distributed computing and communications to deliver real-time information. Meanwhile, it also can detect and respond to weaknesses or failures in the power system in real time such that potential dangers are prevented.

Communication framework in smart grid is shown in Figure 1, where power transmission and distribution systems are separated from the communication system. In the communication system in smart grid, smart meter is an important component in smart grid it can record consumption of electric energy in a time interval and communicate the information back to the utility for monitoring and billing purposes. However, current smart metering technologies which are applied in smart meters may result in privacy leak issues because they depend upon centralizing personal consumption information of the consumers at their smart meters. In 2009, The Netherlands enacted relevant laws to force to consider privacy issues in case of using smart meters [2]. Similarly, in the United States, NIST dictated that there privacy issues be taken into account in the design of smart grid communications [3]. These privacy concerns may be addressed by adequately authenticating the smart meters. However, smart meter is a rather limited resources device with low memory and computational capacity. Thus, we cannot put too much burden on the constrained smart metering resources in the time of designing an authentication mechanism for smart grid communication.

Figure 1

The conceptual architecture of smart grid.

Because communication in smart grid is based on the public data communication networks such as Internet. there exist a wide variety of malicious attacks, such as replay, eavesdropper, tamper of data, traffic analysis, tracing of the locations, and denial of service (DOS) attacks. Thus, before putting the application of smart grid into practice, the corresponding security and privacy issues must be resolved. For example, without the security and privacy guarantees, an adversary in smart grid can forge a fraudulent electricity usage data or breakdown information to mislead operation center. In terms of end users, privacy is a most concerned problem. It includes privacy of identity and privacy of data. Power-consuming data may reveal family income and physical activities. For example, power consumption of a household in a certain time is very low or zero; it implies that no one is at home. The user's identity is sensitive information. If it is leaked, it may result in potential unsafe factor. Then home address and the number of apartments of the user are known. Thus, this privacy-sensitive information must be anonymous.

To achieve data privacy, encryption algorithm is used to ensure the safety of data. However, it may result in data expansion. How do we resist data expansion in the case of keeping data privacy? It brings a challenge to the smart meter with constraint resource. To solve this issue, we adopt homomorphic encryption technique [4] since it can achieve data aggregation under the condition that the data is encrypted. In other words, data can be aggregated in the ciphertext form. In 2005, Castelluccia et al. [5] adopted homomorphic encryption techniques to realize the aggregation of encrypted data without decryption at intermediate nodes. Subsequently, Westhoff et al. showed that the scheme [6] may result in an increased message overhead in per monitoring node since the ID list of the encrypting nodes must be transmitted when every node used different keys. Thus, a symmetric homomorphic encryption technique was applied to increase the efficiency in [6]. In [7], Shi et al. was based on Castelluccia's scheme to put forth a privacy-preserving data aggregation scheme to preserve user privacy. Most of the previous works mainly focus on one-dimensional data. Recently, Lu et al. proposed a multidimensional data aggregation approach based on the homomorphic Paillier cryptosystem by using superincreasing sequence [8]. However, the computation overhead of local gateway is rather high. And the identity of end user is revealed in the communication between user and local gateway. According to [9], the memory size of the local GW is up to 128 KB random access memory (RAM), 1 MB flash memory, and 160 MHz CPU. Thus, the computational cost of the local gateway should be low as soon as possible.

Since the communication between the end user and the local gateway (GW) usually adopts wireless technology, it makes the end user suffer from the different attacks due to the open wireless network. Privacy protection of the end user's identity is particularly important. To guarantee end user's privacy, two important approaches are pseudonym mechanisms and group signature technique. The pseudonymity-based approach needs to periodically change a pseudonym. The group signature-based approach results in longer length of a signature than that of original signature, and computation cost of verifying a signature is very large. These approaches are suitable for smart metering with limited resource.

Self-certified public key cryptosystem was introduced by Marc [10]. In the self-certified public key system, verification and management of certificates are not required, and the key escrow problem can also be eliminated. The main idea is that certificate of public key is replaced by a witness, and the public key is implicitly embedded in it. Anyone who holds a witness along with an attributive identity can recover the corresponding public key to verify a signature. Thus, it leads to the reduction of communication, computation, and storage amount.

Our Contributions. To construct a scheme which is suitable for the device with low communication and computation resources in smart grid and achieve privacy protection of the end user's identity, in this paper, we propose a novel self-certified PKC privacy-preserving data aggregation (SP²DA) scheme. This scheme supports the aggregation of multidimensional power usage data by converting multidimensional data into a single-dimensional data. The main works of this paper are three-fold. (1)

To support aggregation of multidimensional data, we adopt the Chinese Remainder Theorem to achieve the conversion of multidimensional data to single-dimensional data.

(2)

To support privacy of identity, the scheme adopts self-certified public key cryptography to achieve it. It makes the scheme have the following advantages: short length of the signature and low computation.

(3)

In the scheme, we realize that the computational cost of the local gateway is constant. It makes our scheme have more advantage over Lu et al.'s scheme [8] in terms of computational cost.

2. Communication System Model in Smart Grid

In the following, we give formal communication system model, security requirements, and our design goals.

2.1. Communication Model

The communication model, it mainly consists of operation center and local area network (LAN). Operation center is responsible for dynamically balancing power supply. In general, a trusted operation authority (OA) manages it at operation center. All residential users in a special residential area (RA) and the local gateway (GW) form an LAN. Smart appliances and smart meters form a home area network (HAN). The communication between the user and the local gateway is achieved by the communication between smart meters in an HAN and the local gateway. Smart meters transmit the collected real-time electricity usage data to the local gateway. After aggregating all electricity usage data, the local gateway reports the result to operation authority. On receiving the reports from the local gateway in the residential area RA, the OA analyzes the received reports and sends the corresponding to feedback information to the local gateway in the residential area. Then the local gateway broadcasts the feedback information to all users in the residential area. Finally, the users dynamically adjusts power consumption of smart appliance.

2.2. Security Requirements

Security protection is essential in smart grid communication. It is an important condition before deploying smart grid. In the security model, the main aim is to ensure integrity and validity of the transmitted data and the privacy of user's identity.

Here, we assume that the OA is trustable and the local gateway GW is semitrustable, and the users $U = (U_{1}, U_{2}, \dots, U_{w})$ in the residential area are honest. Because the connection of local gateway with the users adopts wireless techniques, there may exist an adversary 𝒜 to eavesdrop the residential users' communication to obtain message. In addition, we allow the adversary 𝒜 to launch active attacks on the residential users. To resist attacks of the adversary 𝒜, we require that the communication in smart grid should satisfy the following security requirements. (1)

Authentication: it includes authentication of the user identity and message integrity. The user identity authentication means that the encrypted report is from a legal user. Message integrity authentication means that the transmitted data has not been altered. Any tempered data can be detected.

(2)

Private: it also includes two points. The first point indicates that the data which is sent by the residential user is private since it is encrypted and the final data is aggregated. Only the operation authority OA can recover it. The other point indicates that the identity of the residential user is privacy for the local gateway. Any one cannot obtain the relevant information to the identity of the user from the transmitted data. Even the OA cannot also obtain any relevant information to the user from the aggregated data.

2.3. Design Goal

Based on the previous communication model and security requirements, our design goal is to construct an efficient data aggregation protocol to achieve the following three objectives. (1)

Multidimensional data aggregation: in smart grid, the data which smart meters collect includes various types, such as the amount of the consumed power, and temperature and so on. The data in each dimension do not reflect the use of the global situation; thus, we must take into account all the dimensions in order to realize finer-grained control and optimization. At the same time, smart meters of hundred and thousand residential users periodically send the multidimensional data. To efficiently deal with the huge communication cost and multidimensional data, we need to construct an efficient aggregation scheme to support multidata aggregation.

(2)

Global security. The smart meter-generated data should be authenticated to guarantee that they are from real sources and have not been tampered with during transmission. A tampered fraudulent data must be caught by the OA.

(3)

Privacy of the residential user: if a residential user behaves honestly and follows the protocol, its identity privacy should be guaranteed against attackers who can eavesdrop communication in smart grid. It means that the identities of the residential users were not revealed during the transmission of the data. However the OA cannot also obtain the identity information of the residential users from the transmitted real-time reports.

3. Preliminaries

In the following, we first review the bilinear pairing technique [11] and the Paillier Cryptosystem [9] as well as some mathematics problems. They are the basis of the proposed SP²DA scheme. Then some security assumptions which are the basis of security proof are given.

3.1. Bilinear Map and Paillier Cryptosystem

In this subsection, we briefly review the properties of the bilinear pairings.

Let $𝔾_{1}$ , $𝔾_{2}$ , and $𝔾_{T}$ be three cyclic multiplicative groups with the prime order q. Let $g_{1}$ , and $g_{2}$ be the generator of groups $𝔾_{1}$ and $𝔾_{2}$ . An admissible pairing $e :$ $𝔾_{1} \times 𝔾_{2} \to 𝔾_{T}$ , which satisfies the following three properties: (i)

bilinear: if $u \in 𝔾_{1}, v \in 𝔾_{2}$ and $a, b \in Z_{q}^{*}$ , then $e (u^{a}, v^{b}) = e (u, v)^{a b}$ ;

(ii)

nondegenerate: there exists a $g_{1} \in 𝔾_{1}, g_{2} \in 𝔾_{2}$ such that $e (g_{1}, g_{2}) \neq 1$ ;

(iii)

computable: if $u \in 𝔾_{1}, v \in 𝔾_{2}$ , one can compute $e (u, v) \in 𝔾_{T}$ in polynomial time.

The modified Weil pairing and the Tate pairing are admissible maps of this kind. Please the interested readers refer to [12] for the details.

The Paillier Cryptosystem [9] is a classic homomorphic encryption. Its homomorphic property takes advantage of the homomorphic property of the exponentiation function and makes an encryption of message $m_{1} + m_{2}$ be obtained from any encryption of messages $m_{1}$ and $m_{2}$ , as $E (m_{1}, r_{1}) E (m_{2}, r_{2}) = E (m_{1} + m_{2}, r_{1} r_{2})$ . And the security of the scheme is based on a discrete logarithm trapdoor modulo a large integer. In the following, we briefly review it. (1)

Key generation phase: let $N = p_{1} q_{1}$ be an RSA modulus where $p_{1}$ , and $q_{1}$ are two large prime numbers. Let g be an element of order at least N in the multiplicative group $Z_{N^{2}}$ . Then the public key is $pk = (N, g)$ , and the corresponding private key is $(p_{1}, q_{1})$

(2)

Encryption phase: let m be an encrypted message and $m \in Z_{N}$ , and randomly choose $r \in Z_{N}$ to compute a ciphertext $C = E (m) = g^{m} r^{N} \mod N^{2}$ .

(3)

Decryption phase: given a ciphertext $C \in Z_{N^{2}}$ , the corresponding plaintext $m = D (C)$ can be recovered by the private key $(p_{1}, q_{1})$ . Please refer to [4] for the detailed process.

3.2. Security Assumption

Decisional Bilinear Diffie-Hellman Problem (DBDH). The DBDH problem in $(𝔾_{1}$ , $𝔾_{2}$ , $𝔾_{T})$ is stated as follows: given four elements

\begin{matrix} (g_{2}, g_{2}^{a}, g_{2}^{b}, g_{2}^{c}) \in 𝔾_{2}^{4} \end{matrix}

(1)

for unknown

a, b, c \in Z_{q}

, and

Z \in 𝔾_{T}

, determine whether

Z = ? = e (g_{1}, g_{2})^{a b c}

The Weak Computational Diffie-Hellman Problem (WCDH). Let $𝔾_{1}$ be a multiplicative cyclic group of order q; $g_{1}$ is a generator of group $𝔾_{1}$ . $Z_{q}$ is a finite field. Given $k + 1$ values $(g_{1}, g_{1}^{a}, g_{1}^{a^{2}}, \dots, g_{1}^{a^{k}})$ , where k is an integer and $a \in Z_{q}$ , the goal of k-weak CDH problem is to compute $g_{1}^{a^{- 1}}$ .

The k-wCDH problem is $(t, ϵ)$ -hard, if there is no PPT algorithm 𝒜 that can solve the k-wCDH problem in time at most t with probability ϵ if

\begin{matrix} A d v_{k, 𝒜} = Pr [g_{1}^{a^{- 1}} ⟵ 𝒜 (g_{1}, g_{1}^{a}, \dots, g_{1}^{a^{k}}) : a \in_{R} Z_{q}] \geq ϵ . \end{matrix}

(2)

The k-wCDH problem is a new hard problem. The hardness of the problem is based on the difficulty of solving Collusion Attack Algorithm with k traitors.

The $k + 1$ Exponent Problem (EP). Let $𝔾_{1}$ be a multiplicative cyclic group of order q; $g_{1}$ is a generator of group $𝔾_{1}$ . $Z_{q}$ is a finite field. Given $k + 1$ values $(g_{1}, g_{1}^{a}, g_{1}^{a^{2}}, \dots, g_{1}^{a^{k}})$ , where k is an integer and $a \in Z_{q}$ , its goal is to compute $g_{1}^{a^{k + 1}}$ .

The $k + 1$ EP is $(t, ϵ)$ -hard, if there is no PPT algorithm 𝒜 can solve the $k + 1$ EP in time at most t with probability ϵ if

\begin{matrix} A d v_{k, 𝒜} = Pr [g_{1}^{a^{k + 1}} ⟵ 𝒜 (g_{1}, g_{1}^{a}, \dots, g_{1}^{a^{k}}) : a \in_{R} Z_{q}] \geq ϵ . \end{matrix}

(3)

The hardness of $k + 1$ exponent problem is proved that it is polynomial time equal to the k-wCDHP.

The Extended $k + 1$ Exponent Problem (EP). Let $𝔾_{1}$ and $𝔾_{2}$ be two multiplicative cyclic groups of order q; $g_{2}$ is a generator of group $𝔾_{2}$ . $Z_{q}$ is a finite field, and ψ is a computable isomorphism from group $𝔾_{2}$ onto group $𝔾_{1}$ such that $ψ (g_{2}) = g_{1}$ . Given $k + 1$ values $(g_{2}, g_{2}^{a}, g_{2}^{a^{2}}, \dots, g_{2}^{a^{k}})$ and an isomorphism map ψ, where k is an integer and $a \in Z_{q}$ , its goal is to compute $g_{1}^{a^{k + 1}}$ .

The extended $k + 1$ EP is $(t, ϵ)$ -hard, if there is no PPT algorithm 𝒜 that can solve the extended $k + 1$ EP in time at most t with probability ϵ if

\begin{array}{l} A d v_{k, 𝒜} = Pr [g_{1}^{a^{k + 1}} ⟵ 𝒜 (g_{2}, g_{2}^{a}, \dots, g_{2}^{a^{k}}, g_{1} = ψ (g_{2})) \\ : a \in_{R} Z_{q}, ψ (\cdot)] \geq ϵ \end{array}

(4)

Chinese Remainder Theorem [13]. Suppose

n_{1}, n_{2}, \dots, n_{k}

are positive integers which are pairwise coprime. Then, for any given sequence of integers

a_{1}, a_{2}, \dots, a_{k}

, there exists an integer x solving the following system of simultaneous congruences:

\begin{matrix} x \equiv a_{1} \mod n_{1}, \\ x \equiv a_{2} \mod n_{2}, \\ ⋮ \\ x \equiv a_{k} \mod n_{k} . \end{matrix}

(5)

Let the product

N = n_{1} n_{2} \dots n_{k}

be defined. Then a solution x can be found as follows: For each i, the integers

n_{i}

and

N / n_{i}

are coprime. Using the extended Euclidean algorithm we can find integers

r_{i}

and

s_{i}

such that

r_{i} n_{i} + s_{i} N / n_{i} = 1

. Let

y_{i} = s_{i} N / n_{i}

. Then a solution x is solved as follows:

\begin{matrix} x = \sum_{i = 1}^{k} ‍ a_{i} y_{i} \mod N . \end{matrix}

(6)

4. Our Anonymous Self-Certified Signature Scheme

In this section, we will give a novel self-certified anonymous signature scheme which is the basis to achieve the anonymity of the residential user's identity in our SP²DA scheme.

4.1. System Setup

Let $𝔾_{1}$ , $𝔾_{2}$ , and $𝔾_{T}$ are three cyclic groups with the same prime order p. $e : 𝔾_{1} \times 𝔾_{2} \to 𝔾_{T}$ is a pairing map. $g_{2}$ is a generator of group $𝔾_{2}$ . $ψ : 𝔾_{2} \to 𝔾_{1}$ is an isomorphism map. The TTP chooses two hash functions $H_{1} : {0,1}^{*} \to 𝔾_{1}$ and $H_{2} : {0,1}^{*} \to Z_{p}$ . Then it randomly chooses $α \in Z_{p}$ as his private key $msk = α$ and computes the corresponding public key $mpk = g_{2}^{a}$ . Finally, the system parameters are published as follows:

\begin{matrix} (𝔾_{1}, 𝔾_{2}, 𝔾_{T}, g_{2}, ψ, p, e, H_{1}, H_{2}, mpk) . \end{matrix}

(7)

4.2. KeyGen

For a user with identity ID, it first randomly selects $x \in Z_{p}$ to compute $pk = e (g_{1}, g_{2})^{x}$ . Then the public-private key pair is $(pk, x)$ .

4.3. WitReg

When a user with identity ID wants to register, it computes a proof of zero-knowledge π of its private key $PK {x ∣ v = g_{2}^{α x}}$ and sends $(ID, pk, v, π)$ to the TTP.

The TTP first checks whether $e (g_{1}, v) \overset{?}{=} p k^{α}$ and π is valid. If they hold, then it produces the following witness

\begin{matrix} W = {(v^{1 / α} H_{1} (ID))}^{1 / α} \end{matrix}

(8)

and sends it to the user. Then the user's private key is

(W, x)

4.4. Anonymous Signing

To produce a signature on message m, the user with identity ID computes as follows. (1)

First, it randomly chooses a number $l \in Z_{p}$ to compute $\hat{W} = ψ (W)^{l}$ and $\hat{R} = ψ (H_{1} (ID))^{l}$ in order to conceal the witness $\hat{W}$ of the user and his identity “ID”.

(2)

Then randomly choose $r \in Z_{p}$ to compute

\begin{matrix} \hat{u} = {(g_{1})}^{r}, \hat{t} = \frac{1 - r H_{2} (m ∥ {\hat{u}}_{} ∥ \hat{R} ∥ \hat{W})}{l x} . \end{matrix}

(9)

(3)

Finally, the resultant anonymous signature on message m is $σ = (\hat{W}, \hat{R}, \hat{u}, \hat{t})$ .

4.5. Verifying

After receiving a signature σ on message m, a verifier can execute the following process for each signature. (1)

Firstly, the verifier parses σ into $(\hat{W}, \hat{R}, \hat{u}, \hat{t})$ and computes $h_{2} = H_{2} (m ∥ \hat{u} ∥ \hat{R} ∥ \hat{W})$ .

(2)

Then it checks

\begin{matrix} e ({\hat{W}}^{\hat{t}}, mpk) e ({\hat{u}}^{h_{2}} {\hat{R}}^{- \hat{t}}, g_{2}) = e (g_{1}, g_{2}) . \end{matrix}

(10)

4.6. Security Analysis

In the following, we show that the previously mentioned anonymous self-certified signature scheme is secure against existential universal forgery under adaptive chosen message attack.

Lemma 1.

If there exists an adversary 𝒜 can forge the previous anonymous signature on a message m, then the $k + 1$ EP problem can be solved in the polynomial time.

Proof.

Here, we will show that if an adversary 𝒜 could forge a valid message signature in our scheme, then there exists another adversary ℬ that can solve the $k + 1$ -EP instance $(\hat{h}, h, h^{a}, h^{a^{2}}, h^{a^{3}})$ in groups $𝔾_{1}$ and $𝔾_{2}$ . Let us recall the $k + 1$ EP problem; given $h \in 𝔾_{2}$ , $\hat{h} \in 𝔾_{1}$ and k distinct elements $(h, h^{a}, h^{a^{2}}, \dots, h^{a^{k}}) \in 𝔾_{2}$ where $a \in Z_{q}$ , its goal is to output ${\hat{h}}^{a^{k + 1}} \in 𝔾_{1}$ . In the following, we will give the detailed process.

To answer the different queries from the adversary 𝒜, we need to run ℬ to set up the system parameters. Let $𝔾_{1}$ , $𝔾_{2}$ , and $𝔾_{T}$ be three cyclic groups with order q. $e : 𝔾_{1} \times 𝔾_{2} \to 𝔾_{T}$ is a bilinear pairing map. ℬ sets $g_{2} = h^{a}$ as the generator of group $𝔾_{2}$ and $MPK = h$ as the master public key of the TTP, where the master private key $α = a^{- 1}$ of TTP is unknown. Let ψ be a computable isomorphism from group $𝔾_{2}$ to $𝔾_{1}$ such that $ψ (g_{2}) = g_{1}$ . $H_{1} : {0,1}^{*} \to 𝔾_{2}$ and $H_{2} : 𝔾_{1}^{5} \to Z_{q}$ are two hash functions. Finally, ℬ sends the system parameters $Para = (𝔾_{1}, 𝔾_{2}, e, H_{1}, H_{2}, MPK, g_{2}, ψ (\cdot))$ to the attacker 𝒜.

$H_{1}$ -Oracle. when an adversary 𝒜 makes a query with message $I D_{i}$ , ℬ outputs $H_{1 i} = H_{1} (I D_{i})$ if $I D_{i}$ appears in the list $L_{1}$ which is initially empty. Otherwise, ℬ tosses a coin with the probability $Pr [coi n_{i} = 1] = ζ$ and randomly chooses $b_{i} \in_{R} Z_{q}$ to answer the following query. (1)

If $coi n_{i} = 0$ , then ℬ sets $h_{1 i} = H_{1} (I D_{i}) = h^{a b_{i}}$ .

(2)

If $coi n_{i} = 1$ , then ℬ sets $h_{1 i} = H_{1} (I D_{i}) = h^{a^{3} b_{i}}$ .

Finally, ℬ returns $h_{1 i}$ to the adversary 𝒜 and adds $(I D_{i}, b_{i}, coi n_{i}, h_{1 i})$ in the $L_{1}$ -list.

$H_{2}$ -Oracle: when an adversary makes a query with string $S_{i}$ , ℬ outputs $h_{2 i} = H_{2} (S_{i})$ if $S_{i}$ is in the list $L_{2}$ which is initially empty. Otherwise, ℬ randomly chooses $c_{i} \in Z_{q}$ to set $c_{i} = H_{2} (S_{i})$ and returns $c_{i}$ to the adversary; then it adds $(S_{i}, c_{i})$ to the $L_{2}$ -list.

Corruption Oracle. When 𝒜 makes a corruption query with identity $I D_{i}$ . If $I D_{i}$ exists in the list $L_{c}$ which is initially empty, then ℬ outputs $x_{i}$ . Otherwise, ℬ randomly chooses $x_{i} \in Z_{q}$ to return to 𝒜 and adds $(I D_{i}, x_{i})$ to the list $L_{c}$ .

WitReg Oracle. 𝒜 issues a witness register query on input $(I D_{i}, p k_{i}, v_{i})$ , and ℬ outputs a $W_{i}^{'}$ if $I D_{i}$ is in the List $L_{r}$ which is initially empty. Otherwise, ℬ searches the private key $x_{i}$ in the list $L_{c}$ and $b_{i}$ in the list $L_{1}$ , respectively, and returns the corresponding $x_{i}$ and $b_{i}$ . If $coi n_{i} = 0$ , then ℬ computes the following witness:

\begin{matrix} W_{i}^{'} = h^{a^{2} (x_{i} + b i)} = {({(g_{2}^{x_{i} \cdot α})}^{α^{- 1}} h^{a b_{i}})}^{1 / α} \\ = {(v_{i}^{1 / α} H_{1} (I D_{i}))}^{1 / α}, \end{matrix}

(11)

where

α = a^{- 1}

. Then, ℬ returns

W_{i}^{'}

to the adversary 𝒜 and adds

(I D_{i}, p k_{i}, v_{i}, W_{i}^{'})

in the list

L_{r}

. If

coi n_{i} = 1

, then ℬ claims failure and aborts the simulation.

Anonymous signing oracle. When the adversary 𝒜 issues an anonymous signature query with $(m_{i}, I D_{i})$ . If $I D_{i}$ exists in the lists $L_{r}$ and $L_{c}$ , then ℬ retrieves the corresponding $x_{i}$ and $W_{i}^{'}$ and runs anonymous signing algorithm to produce a signature δ. Otherwise, ℬ executes as follows. (1)

ℬ firstly retrieves $h_{1 i} = H_{1} (I D_{i})$ from the $L_{1}$ -list. Note we assume that $I D_{i}$ is queried for $H_{1}$ -Oracle before other oracles were queried with $I D_{i}$ .

(2)

Then, ℬ randomly picks $d \in Z_{q}$ to set $R = h_{1 i}^{d}$ .

(3)

And ℬ randomly selects $e, f \in Z_{q}$ to compute $W = h^{e^{- 1} f a^{2}}$ and sets $t = e$ .

(4)

ℬ picks at random to compute $u = (h^{(f - 1) a} h_{1 i}^{- d t})^{k^{- 1}}$ .

(5)

ℬ checks whether string $m_{i} ∥ u ∥ R ∥ W$ exists in the $L_{2}$ -list. If it exists, ℬ outputs Fail and aborts it. Otherwise, it sets $k = H_{2} (m_{i} ∥ u ∥ R ∥ W)$ .

(6)

Finally, the resultant signature $δ = (u, R, W, t)$ is returned to 𝒜.

Forgery. Eventually, 𝒜 outputs a forgery $δ^{*} = (u^{*}, R^{*}, W^{*}, t^{*})$ on message $m^{*}$ under the identity $I D^{*}$ . 𝒜 wins the game if and only if the following conditions hold. (1)

$δ^{*} = (u^{*}, R^{*}, W^{*}, t^{*})$ is a valid signature.

(2)

$(m^{*}, I D^{*})$ is never an input of anonymous authentication oracle.

(3)

$I D^{*}$ is not an input of vehicle register oracle.

(4)

The corresponding $coi n_{i^{*}}$ with $I D^{*}$ is equal to 1 in the $L_{1}$ -list.

(5)

The corresponding $x^{*}$ with $I D^{*}$ exists in the $L_{c}$ -list.

According to the forking lemma [14], ℬ makes a replay with the same random tap but different choice of $H_{2}$ ; then it outputs another valid signature $δ^{*} = (u^{' *}, R^{' *}, W^{' *}, t^{' *})$ on the same message $m^{*}$ , where $u^{' *} = u^{*}$ , $R^{*} = R^{' *}$ , and $W^{*} = W^{' *}$ . We assume that $b^{*}$ is in the $L_{1}$ -list. Then we have

\begin{matrix} e ({W^{*}}^{t^{*}}, MPK) e ({u^{*}}^{h_{2}^{*}} {R^{*}}^{- t^{*}}, g_{2}) = e (g_{1}, g_{2}) \\ e ({W^{'}}^{*}^{{t^{'}}^{*}}, MPK) e ({u^{'}}^{*}^{{h^{'}}_{2}^{*}} {R^{*}}^{- {t^{'}}^{*}}, g_{2}) = e (g_{1}, g_{2}), \end{matrix}

(12)

where

h_{2}^{*} = H_{2} (m^{*}, u^{*}, R^{*}, W^{*})

and

h_{2}^{*} = H_{2} (m^{' *}, u^{' *}, R^{' *}, W^{' *})

Thus, we have

\begin{array}{l} e ({W^{*}}^{{h^{'}}_{2}^{*} t^{*} - h_{2}^{*} {t^{'}}^{*}}, MPK) e ({R^{*}}^{- t^{*} {h^{'}}_{2}^{*} + {t^{'}}^{*} h_{2}^{*}}, g_{2}) \\ = e (g_{1}^{{h^{'}}_{2}^{*} - h_{2}^{*}}, g_{2}) \\ ⇕ \\ h^{a^{4}} = {(\frac{{W^{'}}^{*}^{{h^{'}}_{2}^{*} t^{*} - h_{2}^{*} {t^{'}}^{*}}}{ψ {(h^{a^{2}})}^{{h^{'}}_{2}^{*} - h_{2}^{*}}})}^{x^{*} / (b^{*} ({h^{'}}_{2}^{*} - h_{2}^{*}))}, \end{array}

(13)

where

t^{*} h_{2}^{' *} - t^{' *} h_{2}^{*} = (h_{2}^{' *} - h_{2}^{*}) / l x^{*}

and l is an unknown number which is a blinded factor in the signing phase, namely,

R^{*} = H_{1} (I D^{*})^{l}

Lemma 2.

Our signature satisfies anonymity of signer's identity.

Proof.

Given a signature $σ = (\hat{W}, \hat{R}, \hat{u}, \hat{t})$ on message m, we cannot obtain any information of the signer. According to the previous signature scheme, we know that $(W, H_{1} (ID))$ are the relevant identity information of the signer. However, in our signature, W and $H_{1} (ID)$ are blinded by a random number l. Thus, it is impossible to obtain any information of $H_{1} (ID)$ and W from $(\hat{W}, \hat{R})$ of the signature $σ = (\hat{W}, \hat{R}, \hat{u}, \hat{t})$ . Furthermore, W is an unknown number in terms of the attacker; it cannot obtain the relation of $e (\hat{W}, H_{1} (ID))$ and $e (W, \hat{R})$ . For $\hat{u}$ in the signature σ, it does not reveal any information of the signer. For $\hat{t}$ in the signature σ, it is expressed as the following form:

\begin{matrix} \hat{t} = \frac{1 - r H_{2} (m ∥ {\hat{u}}_{} ∥ \hat{R} ∥ \hat{W})}{l x} . \end{matrix}

(14)

Although the private key x of the signer is included, x is randomized by two random numbers l, and r. Thus, t has not also reveal any information of the signer's identity. According to the previous statement, any one cannot obtain the identity of the signer from a signature. Therefore, our scheme achieves anonymity.

5. Our Privacy-Preserving Data Aggregation Scheme

In the following, we will put forth a novel privacy-presrving aggregation scheme in smart by utilizing the proposed self-certified anonymous signature scheme. Three types of entities, That is, the trusted operation authority (OA), a local gateway (GW), and the residential users (U), are involved in the scheme. It mainly consists of the following six phases: system initialization, GW register, user register, user report generation phase, privacy-preserving report aggregation phase, secure report reading, and response phase.

5.1. System Initialization

The trusted operation authority (OA) set up the system as follows. Let $𝔾_{1}$ , $𝔾_{2}$ , and $𝔾_{T}$ be three multiplicative cyclic groups of the same big prime order q. $g_{2} \in 𝔾_{2}$ is a generator of group $𝔾_{2}$ . ψ is a computable isomorphism from group $𝔾_{2}$ onto group $𝔾_{1}$ such that $ψ (g_{2}) = g_{1}$ . $e : 𝔾_{1} \times 𝔾_{2} \to 𝔾_{T}$ is a bilinear map. The trusted operation authority (OA) randomly chooses $α, α_{0} \in Z_{q}^{*}$ as master key; then the corresponding public keys $MPK = g_{2}^{α}$ and $MP K_{0} = g_{2}^{α_{0}}$ are computed. $P_{1}$ is a random element of group $𝔾_{1}$ . And it chooses three collision-resistant hash functions $H : {0,1}^{*} \to G_{1}$ , $H_{1} : {0,1}^{*} \to G_{1}$ , and $H_{2} : {0,1}^{*} \to Z_{q}$ .

In addition, OA initializes Paillier cryptosystem. Therefore, it chooses two large primes $p_{1}$ , and $q_{1}$ with equal length, then it computes RSA modulus $n = p_{1} q_{1}$ and $λ = lcm (p_{1} - 1, q_{1} - 1)$ . Define a function $L (x) = (x - 1) / n$ and choose a generator $g \in Z_{n^{2}}$ . OA computes $μ = (L (g^{λ \mod n^{2}}))^{- 1} \mod n$ . At the same time, we assume that the number of households in a residential area is at most w and l denotes the number of the different type of reported electricity usage data $(d_{1}, \dots, d_{l})$ in smart grid, where $T_{i}$ is less than a constant d. Then, OA chooses l coprime number $(n_{1}, \dots, n_{l})$ . Let $A (a_{1}, \dots, a_{l}) = \sum_{j = 1}^{l} ‍ a_{j} y_{j}$ and $\sum_{j = 1}^{w} ‍ d_{j i} \leq n_{i}$ and $w \cdot d \cdot \sum_{j = 1}^{l} ‍ y_{j} < n$ , where $y_{i}$ is derived by the previous Chinese Remainder Theorem and $d_{j i}$ denotes the ith electricity usage data of the user j. After that, for $i = 1$ to l, OA computes ${\hat{g}}_{i} = g^{y_{i}}$ .

Finally, OA publishes the system parameters

\begin{array}{l} params = (q, 𝔾_{1}, 𝔾_{2}, 𝔾_{T}, e, g_{2}, ψ, MPK, \\ MP K_{0}, H, H_{1}, H_{2}, {\hat{g}}_{1}, \dots, {\hat{g}}_{l}) \end{array}

(15)

and keeps the master keys

(λ, μ, n_{1}, \dots, n_{l}, α)

5.2. GW Registration

When a local gateway (GW) of the residential area wants to register itself in the system, it randomly chooses a number $x_{G}$ as the private key and computes the corresponding public key $Y_{G} = g_{1}^{x_{G}}$ .

5.3. User Registration

When a user $U_{i}$ of residential area wants to join this system, the user $U_{i}$ with real identity $I D_{U}$ must interactively communicate with OA by a confidential channel by the following steps. (1)

The user $U_{i}$ with identity $I D_{i}$ first chooses a $x_{u i} \in Z_{q}$ as his private key $s k_{u i}$ and computes the corresponding public key $p k_{u i} = e (g_{1}, g_{2})^{x_{u i}}$ .

(2)

Then it computes a zero-knowledge proof $ZK P_{0}$ of private key $V = g_{2}^{α x_{u i}}$ and sends $(I D_{i}, V, p k_{u i}, ZK P_{0})$ to OA.

(3)

The OA verifies the validity of $e (V, g) = p k_{u i}^{α}$ and the zero-knowledge proof $ZK P_{0}$ . If they hold, then the OA computes

\begin{matrix} W_{u i}^{'} = {(V^{1 / α} H_{1} (I D_{i}))}^{1 / α}, p r_{i} = H_{1} {(I D_{i})}^{α_{0}} \cdot P_{1}^{α} \end{matrix}

(16)

and returns

(W_{u i}^{'}, p r_{i})

to the resident user i and keeps

(I D_{i}, W_{u i}^{'})

in the database.

(4)

Upon receiving $(I D_{i}, W_{u i}^{'})$ , the user first checks whether it is valid by the following equation:

\begin{matrix} e (ψ (W_{u i}^{'}), MPK) e (ψ (H_{1} {(I D_{i})}^{- 1}), g_{2}) = p k_{u i} . \end{matrix}

(17)

If it is valid, then

(I D_{i}, W_{u i}^{'})

is the membership certificate of the user

U_{i}

, and it is added into the local database.

5.4. User Report Generation

To periodically report electricity usage data of the residential user, each user $U_{i}$ collects l types of data $(d_{i 1}, \dots, d_{i l})$ by using the smart meters to execute the following steps. (1)

Randomly choose $k_{i} \in Z_{n}$ to compute the Paillier encryption

\begin{matrix} C_{i} = {\hat{g}}_{1}^{d_{i 1}} \cdot {\hat{g}}_{2}^{d_{i 2}} \dots {\hat{g}}_{l}^{d_{i l}} \cdot k_{i}^{n} \mod n^{2} . \end{matrix}

(18)

(2)

Then, it randomly chooses $l_{i} \in Z_{q}$ to compute $W_{i} = ψ (W_{u i}^{'})^{l_{i}}$ and $R_{i} = ψ (H_{1} (I D_{u_{i}}))^{l_{u i}}$ in order to conceal the certificate $W_{u i}^{'}$ and his identity $I D_{i}$ of the residential user $U_{i}$ .

(3)

And randomly choose $r_{i} \in Z_{q}$ to compute

\begin{matrix} u_{i} = {(g_{1})}^{r_{i}}, t_{i} = \frac{1 - r_{i} H_{2} (C_{i} ∥ u_{i} ∥ R_{i} ∥ W_{i} T_{i})}{l_{i} x_{u i}}, \end{matrix}

(19)

where

T_{i}

is a timestamp.

(4)

The resultant anonymous signature on message m is $σ_{i} = (W_{i}, R_{i}, u_{i}, t_{i})$ .

(5)

Finally, the encrypted electricity usage data $C_{i} ∣ ∣ T_{i} ∣ ∣ σ_{i} ∣ ∣ RA$ is reported to be the local gateway GW in the residential area RA. Note that the reported electricity usage data of the user $U_{i}$ do not reveal any information of the user's identity.

5.5. Privacy-Preserving Report Verification and Aggregation of GW

After receiving all electricity usage data $C_{i} ∥ T_{i} ∥ σ_{i} ∥ RA$ , $i = 1,2, \dots, w$ from RA, the local gateway GW first checks whether $T_{i}$ belongs to a valid time slots, then it verifies the validity of signature $σ_{i}$ , $(i = 1,2, \dots, w)$ by the following processes. (1)

Firstly, GW parses $σ_{i}$ into $(W_{i}, R_{i}, u_{i}, t_{i})$ and computes $h_{2} = H_{2} (C_{i} ∥ u_{i} ∥ R_{i} ∥ W_{i})$ .

(2)

Then check

\begin{matrix} e (W_{i}^{t_{i}}, MPK) e (u_{i}^{h_{2}} R_{i}^{- t_{i}}, g_{2}) = e (g_{1}, g_{2}) . \end{matrix}

(20)

To increase efficiency of verifying signatures, the local gateway GW can make use of the following batch verification:

\begin{matrix} e (\prod_{i = 1}^{w} W_{i}^{t_{i}}, MPK) e (\prod_{i = 1}^{w} u_{i}^{{\hat{h}}_{2 i}} R_{i}^{- t_{i}}, g_{2}) = e {(g_{1}, g_{2})}^{w}, \end{matrix}

(21)

where

{\hat{h}}_{2 i} = H_{2} (C_{i} ∥ u_{i} ∥ R_{i} ∥ W_{i}), i = 1,2, \dots, w

We can find that the computation overhead in the batch verification is approximate to that in the verification of a signature. It only needs three pairing operations which are the most time-consuming operators.

After all previously mentioned verifying is valid, the gateway GW performs the following aggregation process to aggregate all electricity usage reports. (1)

It aggregates all encrypted data $C_{1}, C_{2}, \dots, C_{w}$ into C by computing

\begin{array}{l} C = \prod_{i = 1}^{w} C_{i} \mod n^{2} = {\hat{g}}_{1}^{\sum_{i = 1}^{w} ‍ d_{i 1}} \\ \cdot {\hat{g}}_{2}^{\sum_{i = 1}^{w} ‍ d_{i 2}} \dots {\hat{g}}_{l}^{\sum_{i = 1}^{w} ‍ d_{i l}} \cdot {(\prod_{i = 1}^{w} k_{i})}^{n} . \end{array}

(22)

(2)

Then, it produces a BLS signature $σ_{G}$ by his private key $x_{G}$ :

\begin{matrix} σ_{G} = H {(C ∥ RA ∥ GW ∥ T_{G})}^{x_{G}}, \end{matrix}

(23)

where

T_{G}

denotes a timestamp.

(3)

Finally, send the aggregated data $C ∥ RA ∥ GW ∥ T_{G} ∥ σ_{G}$ to the operation authority OA.

5.6. Secure Report Reading and Response

After receiving an aggregated σ on message C, the authority operation OA first checks whether the signature $σ_{G}$ is valid by the equation $e (P, σ_{G}) = e (Y_{G}, H (C ∥ RA ∥ GW ∥ T_{G}))$ . Then it decrypts the aggregated and encrypted electricity usage report C by the Paillier decryption algorithm.

Since

\begin{matrix} C = \prod_{i = 1}^{w} C_{i} \mod n^{2} \\ = {\hat{g}}_{1}^{\sum_{i = 1}^{w} ‍ d_{i 1}} \cdot {\hat{g}}_{2}^{\sum_{i = 1}^{w} ‍ d_{i 2}} \dots {\hat{g}}_{l}^{\sum_{i = 1}^{w} ‍ d_{i l}} \cdot {(\prod_{i = 1}^{w} k_{i})}^{n} \\ = g^{y_{1} \sum_{i = 1}^{w} ‍ d_{i 1}} \dots g^{y_{l} \sum_{i = 1}^{w} ‍ d_{l 1}} \cdot {(\prod_{i = 1}^{w} k_{i})}^{n} . \end{matrix}

(24)

then the recovered message is $M = y_{1} \sum_{i = 1}^{w} ‍ d_{i 1} + y_{2} \sum_{i = 1}^{w} ‍ d_{i 2} + \dots + y_{l} \sum_{i = 1}^{w} ‍ d_{i l}$ .

By the Chinese Remainder Theorem, we can obtain the electricity usage data as follows:

for $i = 1$ to l

compute $D_{i} = M \mod n_{i} = \sum_{i = 1}^{w} ‍ d_{i 1} \mod n_{i}$ .

All derived electricity usage data $(D_{1}, D_{2}, \dots, D_{l})$ are the aggregation of w residential user's electricity usage. After analyzing these data, the OA sends the feedback data $m \in 𝔾_{T}$ to notify all residential users in residential area RA for adjusting the usage of electricity quantity. The process is done as follows.

(1)

It randomly chooses $r \in Z_{q}$ to compute $\bar{U} = g_{2}^{r}$ and $\bar{V} = MP K_{0}^{r}$ .

(2)

And it computes $\bar{Z} = m \cdot H (e (P_{1}, MPK)^{r})$ .

(3)

The resultant cipher is $\bar{C} = (\bar{U}, \bar{V}, \bar{Z})$ . In fact, it is a broadcast encryption from Step 1 to Step 3.

(4)

Then the OA produces a BLS signature $\bar{σ} = H (\bar{C} ∥ RA ∥ OA ∥ \bar{T})^{α}$ where $\bar{T}$ is a timestamp and feedback $\bar{C} ∥ \bar{σ}$ to the local gateway GW in the residential area.

(5)

Upon receiving the transmitted $\bar{C} ∥ \bar{σ}$ , the GW can check whether it is valid by the following equation

\begin{matrix} e (\bar{σ}, g_{2}) = e (H (\bar{C} ∥ RA ∥ OA ∥ \bar{T}), MPK) . \end{matrix}

(25)

If is holds, then it broadcasts

\bar{C}

to all residential users in the residential area RA.

(6)

After receiving the broadcasted $\bar{C}$ , each residential user $U_{i}$ can decrypt as follows.

(a)

It computes

\begin{matrix} λ = \frac{e (\bar{U}, p r_{i})}{e (\bar{V}, g_{2})} \\ = \frac{e (\bar{U}, H_{1} {(I D_{i})}^{α_{0}} \cdot P_{1}^{α})}{e (\bar{V}, H_{1} (I D_{i}))} \\ = e {(P_{1}, MPK)}^{r} . \end{matrix}

(26)

(b)

Then it recovers the message m as $m = \bar{Z} / (H (λ))$ .

With the recovered electricity usage feedback report m, the user $U_{i}$ can control power use of household appliances from peak times to nonpeak times for saving electrical energy and rational utilization.

6. Security Analysis

In this section, we show that our scheme satisfies the previous security requirements. (1)

Global security requirement: obviously, this security requirement is satisfied since each user's report is signed by our anonymous signature algorithm and the aggregated report is signed by BLS signature algorithm in our scheme. Furthermore, Lemma 1 shows that our anonymous signature is secure against adaptive chosen message attack, and the BLS short signature is provably secure under the CDH problem. Thus, we can efficiently identify the identity of the resident user, and it is impossible that exists a valid signature on a tempered data.

(2)

Multidimensional data aggregation: in our SP²DA scheme, we adopt the Chinese Remainder Theorem and Paillier Cryptosystem. It can achieve multidimensional data aggregation in the ciphertext form. For a user's transmitted data $(d_{i 1}, \dots, d_{i l})$ , they are represented as

\begin{matrix} C_{i} = {\hat{g}}_{1}^{d_{i 1}} \cdot {\hat{g}}_{2}^{d_{i 2}} \dots {\hat{g}}_{l}^{d_{i l}} \cdot k_{i}^{n} \mod n^{2} \\ = g^{y_{1} d_{i 1}} \cdot g^{y_{2} d_{i 2}} \dots g^{y_{l} d_{i l}} \cdot k_{i}^{n} \mod n^{2} \\ = g^{y_{1} d_{i 1} + \dots + y_{l} d_{i l}} k_{i}^{n} \mod n^{2} . \end{matrix}

(27)

y_{1} d_{i 1} + \dots + y_{l} d_{i l}

can be considered as single-dimensional data to process. When receiving w data

(C_{1}, \dots, C_{w})

, the local gateway GW can aggregate these w data as

\begin{matrix} C = C_{1} \cdot C_{2} \dots C_{w} \\ = g^{y_{1} \sum_{i = 1}^{w} ‍ d_{i 1} + \dots + y_{l} \sum_{i = 1}^{w} ‍ d_{i l}} {(\prod_{i = 1}^{w} k_{i})}^{n} \mod n^{2} . \end{matrix}

(28)

Since for

j = 1

to l, the relation

\sum_{i = 1}^{w} ‍ d_{i j} < n_{j}

holds, thus, the OA can obtain

\sum_{i = 1}^{w} ‍ d_{i j}

by computing

y_{1} \sum_{i = 1}^{w} ‍ d_{i 1} + \dots + y_{l} \sum_{i = 1}^{w} ‍ d_{i l} \mod n_{j}

according to the Chinese Remainder Theorem. Therefore, our scheme can achieve multidimensional data aggregation.

(3)

Privacy of the residential user: Because the transmitted report of the residential user is signed by adopting our anonymous signing algorithm in our SP²DA scheme, each residential user's identity is protected. Furthermore, the transmitted report is encrypted by Paillier Encryption algorithm, it means even if the attacker 𝒜 eavesdrops the transmitted report, it still cannot obtain the individual user's data. For a feedback message m of the OA, OA sends the ciphertext $\bar{C} = (\bar{U}, \bar{V}, \bar{Z})$ of this feedback message m to all residential users in residential area RA by adopting broadcast encryption. Only the residential user in the RA can recover the corresponding feedback message m. In the following security proof, we will show that the confidentiality of the transmitted feedback message m can be achieved.

Lemma 3.

The broadcast encryption scheme in our SP²A scheme is semantic secure against chosen-plaintext attack under the DBDH problem.

Proof.

Suppose that there exists an adversary 𝒜 that can break the broadcast encryption in SP²DA scheme; then we can construct an algorithm ℬ that can solve the DBDH problem with advantage ϵ by using 𝒜 as a subroutine.

Let ℬ be given a DBDH problem instance

\begin{matrix} (g_{2}, g_{2}^{a}, g_{2}^{b}, g_{2}^{c}, Z) . \end{matrix}

(29)

Its goal is to determine

e (g_{1}^{a}, g_{2}^{b})^{c} \overset{?}{=} Z

. ℬ runs 𝒜 as a subroutine to solve the DBDH problem.

ℬ sets $MPK = g_{2}^{a}$ and randomly chooses $f \in Z_{q}$ to set $MP K_{0} = g_{2}^{f}$ . Let $P_{1} = ψ (g_{2}^{c})$ . Then ℬ publishes MPK, $MP K_{0}$ , $P_{1}$ , $g_{1}$ , $g_{2}$ , e and the other system parameters.

In the challenge phase, the adversary 𝒜 chooses two messages $m_{0}$ and $m_{1}$ and sends them to ℬ. ℬ randomly selects a bit $b \in {0,1}$ to produce a ciphertext $C^{*} = ({\hat{U}}^{*}, {\hat{V}}^{*}, {\hat{Z}}^{*})$ of message $m_{b}$ , where

\begin{matrix} {\hat{U}}^{*} = g_{2}^{b}, \\ {\hat{V}}^{*} = {({\hat{U}}^{*})}^{f}, \\ {\hat{Z}}^{*} = m_{b} H (Z) . \end{matrix}

(30)

and sends

C^{*}

to the adversary 𝒜. Finally, the adversary 𝒜 outputs a bit

b^{'}

. If

b^{'} = b

, it means that

Z = e (g_{1}, g_{2})^{a b c}

since

\begin{matrix} {\hat{U}}^{*} = g_{2}^{b}, \end{matrix}

(31)

\begin{matrix} {\hat{Z}}^{*} = m \cdot H (e {(P_{1}, MPK)}^{b}) = m_{b} \cdot H (e {(ψ (g_{2}^{c}), g_{2}^{a})}^{b}) = m_{b} \cdot H (e {(ψ (g_{2})^{c}, g_{2}^{a})}^{b}) = m_{b} \cdot H (e {(g_{1}, g_{2})}^{a b c}) . \end{matrix}

(32)

{\hat{Z}}^{*}

is a valid component of the ciphertext

C^{*}

. In this case, the probability which 𝒜 outputs

b^{'} = b

(1 / 2) + ϵ

. When Z is a random number, to the probability in which 𝒜 outputs

b^{'} = b

1 / 2

. According to the previous statement, we have

\begin{matrix} Pr [ℬ success] = \frac{1}{2} (\frac{1}{2} + ϵ) . \end{matrix}

(33)

It means that, the DBDH problem can be solved in the nonnegligible probability

(1 / 2) ((1 / 2) + ϵ)

. However, it is in contradiction with the difficulty of solving the DBDH problem.

6.1. Efficiency Analysis

Until now, Lu et al.'s scheme [8] is only a privacy-preserving aggregation scheme (EPPA) in smart grid which supports multidimensional data aggregation. In the following table, we give a comparison of our scheme with Lu et al.'s scheme. Let $C_{e}$ , $C_{m}$ , $C_{e t}$ , and $C_{p}$ denote an exponentiation operation in $Z_{n^{2}}$ , a multiplication operation in group $𝔾_{1}$ or $𝔾_{2}$ , an exponentiation operation in group $𝔾_{T}$ , and a pairing operation, respectively. In the whole SP²DA scheme, the computational costs of each user, GW and OA, are shown in Table 1.

Table 1

Comparison of Lu et al.'s scheme [8] with our scheme.

	[8] scheme	Our scheme
Multi-dimension	√	√
Anonymity	×	√
Computation cost of the user	$(l + 1) C_{e} + C_{m} + 4 C_{p}$	$(l + 1) C_{e} + 3 C_{m} + 2 C_{p}$
Computation cost of GW	$(w + 3) C_{p} + C_{m}$	$1 C_{e} + 1 C_{m} + 2 C_{p}$
Computation cost of OA	$3 C_{p} + C_{e} + 4 C_{m} + C_{e t}$	$3 C_{p} + C_{e} + 3 C_{m} + C_{e t}$

If experiments were performed on a Pentium IV personal computer with 3.0 GHz CPU, 512 MB RAM, and window XP operating system, and based on PBC cryptography libraries [12] and MIRACL libraries [15]. The experimental results show that to compute a single exponentiation operation in $Z_{n^{2}}$ $(| n | = 1024)$ , a single multiplication operation in $𝔾_{2}$ or $𝔾_{1}$ , and pairing operation needs 12.4 ms, 6.4 ms, and 20 ms, respectively. In Figure 2, we discuss the variation of computational cost in terms of l and w. Obviously, from the figure we can find that our scheme has more advantages over Lu et al.'s scheme in terms of computational cost of the user and the GW. It is more suitable for the real-time data process for the local gateway GW and the residential user.

Figure 2

Computational costs of users and GW.

6.2. Communication Overhead

According to the afarementioned communication construction, the whole communication is divided into user-to-GW communication, GW-to-OA communication, and OA-to-GW communication. In the user-to-GW communication, the reported data is the form of $C_{i} | | T_{i} | | δ_{i} | | RA$ . Because type 2 pairing is adopted in the proposed scheme, its length is $L_{u 2 g} = 2048 + | RA | + | T_{i} | + 640$ if we choose 1,024-bit n, 160-bit prime p, and 160-bit $𝔾_{1}$ . However, a symmetric pairing is used in Lu et al.'s scheme [8]; the length of element in 𝔾 will be 512 bits long under the same security strength. Thus, the length is $L_{u 2 g} = 2048 + | RA | + | T_{i} | + 512$ bits. In the GW-to-OA communication, the aggregated report to the OA by GW is in the form of $C ∣ ∣ RA ∣ ∣ GW ∣ ∣ T_{G} ∣ ∣ δ_{G}$ , and its length is $L_{g 2 o} = 2048 + | RA | + | GW | + | T_{G} | + 160$ bits. It is the same as that of Lu et al.'s scheme bits when the system parameters are used. In the OA-to-GW communication, OA needs bits to send back a responding message which is in the form of $\bar{C} ∣ ∣ δ$ , and its length is $3 | G_{1} | + 160$ . However, the length of the responding message in Lu et al.'s scheme is $4 | G_{1} | + 160$ . According to the previous statement, communication overhead in Lu et al.'s scheme is slightly more efficient than that of our scheme in the user-to-GW communication. However, communication overhead in our scheme is slightly more efficient than that of Lu et al.'s scheme in the OA-to-GW communication.

7. Conclusion

In this paper, we have proposed an efficient self-certified PKC-based privacy-preserving data aggregation scheme to satisfy the requirement of efficiency in smart grid communication. By adopting the Chinese Remainder Theorem technique and homomorphic property of Paillier cryptosystem, it achieves a multidimensional data aggregation approach under the ciphertext form. And it applies our proposed anonymous signature scheme to achieve anonymity of the real identities of end users in end-user-to-GW communication. It efficiently resists the end user's identity leakage problem which is not considered in other literatures. Compared with Lu et al.'s multidimensional data aggregation scheme, our scheme can significantly reduce computational cost of the local gateway GW. And we have also provided security analysis to demonstrate that the proposed scheme can satisfy the desirable security requirements. It is a future work to trace the malicious behavior of a dishonest residential user (end user) in a residential area.

Footnotes

Acknowledgments

This work was supported partly by Beijing Natural Science Foundation (no. 4122024 and 4132056), the Importation and Development of High-Caliber Talents Project of Beijing Municipal Institutions, and the New Star Plan Project of Beijing Science and Technology (no. 2007B001).

References

Amin

S. M.

Wollenberg

B. F.

Toward a smart grid

IEEE Power and Energy Magazine 2005 3 5 34 41

2-s2.0-27744595750

10.1109/MPAE.2005.1507024

Cuijpers

Koops

B. J.

Het Wetsvoorstel, Slimme Meters: Een Privacytoets op Basis van art. 8 Evrm 2008

Tilburg, The Netherlands

Tilburg University

U.S. National Institute for Standards and Technology (NIST)

The smart grid interoperability panel cyber security working group: smart grid cybersecurity strategy and requirements

http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol2.pdf

Paillier

Public-key cryptosystems based on composite degree residuosity classes

Proceedings of the 17th international conference on Theory and application of cryptographic techniques (EURO-CRYPT′99)

1999

223 238

Castelluccia

Mykletun

Tsudik

Efficient aggregation of encrypted data in wireless sensor networks

Proceedings of the 2nd Annual International Conference on Mobile and Ubiquitous Systems-Networking and Services (MobiQuitous′05)

July 2005

109 117

2-s2.0-33749525209

10.1109/MOBIQUITOUS.2005.25

Westhoff

Girao

Acharya

Concealed data aggregation for reverse multicast traffic in sensor networks: encryption, key distribution, and routing adaptation

IEEE Transactions on Mobile Computing 2006 5 10 1417 1431

2-s2.0-33748351402

10.1109/TMC.2006.144

Shi

Zhang

Liu

Zhang

Prisense: privacy-preserving data aggregation in people-centric urban sensing systems

Proceedings of the International Conference on Computer Communications (IEEE INFOCOM ′10)

March 2010

758 766

2-s2.0-77953308558

10.1109/INFCOM.2010.5462147

Liang

Lin

Shen

EPPA: an efficient and privacy-preserving aggregation scheme for secure smart grid communications

IEEE Transactions on Parallel and Distributed Systems 2012 23 9 1621 1631

MSP430 for utility metering applications

http://focus.ti.com/mcu/docs/mcuorphan.tsp?contentId=31498

10.

Marc

Self-certifed public key

547

Advances in Cryptology—EUROCRYPT ′91

1991

490 497 Lecture Notes in Computer Science

11.

Boneh

Lynn

Shacham

Short signatures from the weil pairing

2248

Proceedings of Asiacrypt 2001

2001

Springer

514 532 Lecture Notes in Computer Science

12.

Lynn

On the implementation of pairing-based cryptogra-phy

http://crypto.stanford.edu/pbc/thesis.html

13.

http://en.wikipedia.org/wiki/Chinese-remainder-theorem

14.

C. T.

Hwang

M. S.

Chu

Y. P.

Further improvement on a novel privacy preserving authentication and access control scheme for pervasive computing environments

Computer Communications 2008 31 18 4255 4258

2-s2.0-57049115409

10.1016/j.comcom.2008.06.002

15.

Multiprecision integer and rational arithmetic c/c++ library

http://www.shamus.ie/