Sage Journals: Discover world-class research

Abstract

Different from the traditional grid, smart grid builds a real-time connection network between the user and the grid company by smart terminals, which can achieve bidirectional data transmission and information control. In smart grid, the smart meters send various information to the power generators and substations. Frequent data collection meets real-time management, but it tends to raise privacy concerns from the users about privacy information leakage. Based on the blind signature and the key distribution scheme, an efficient and privacy-preserving data collection (EPPDC) scheme is proposed for smart grid to cope with the above problems. In EPPDC scheme, the users' data information is transmitted to the local aggregator by building gateway with privacy preserving. In addition, the security analysis indicates that EPPDC scheme not only can resist replay attack, but also has source authentication and data integrity, confidentiality, unforgeability, nonrepudiation, and evolution of shared keys. Furthermore, performance analysis shows that EPPDC scheme has less computation cost than existing scheme.

1. Introduction

Smart grid is one of the most important public infrastructures for smart cities. It builds a real-time connection network between the user and the grid company by smart terminals and supports bidirectional data transmission and information control. Depending on it, smart cities could ensure resilient supply and delivery of energy, which help smart cities to fulfil many enhanced and innovative functions and even more efficiencies compared with traditional cities. Furthermore, smart grid can also facilitate coordination among people who are responsible for public safety and the public, such as urban officials and infrastructure operators [1]. The advantage of smart grid is attracting more and more attention and research in smart city projects. Currently, around one-third of the smart city projects are primarily focused on smart grid or other energy innovations. Almost half of smart city strategies include energy-focused projects [2].

Smart grid can support the bidirectional information flow between the power consumer and the utility provider [3]. This two-way interaction allows electricity to be generated in real-time based on consumers' demands and power requests. As an important technique in smart cities, the advanced metering will affect not only the power sector but also other utilities such as gas/heating and water which will make use of smart meters to read and process consumption data remotely [4]. In smart cities, each house may contain a smart meter connecting to all electric appliances in the house. The utility transmits requests and commands to the smart meters and gathers and analyzes power usage data responded by each smart meter. If being leaked, that information will indicate not only the amount of energy consumed by each user but also behaviors like when they are at home, at work, or traveling [5]. Furthermore, it is possible to infer what types of home appliances are used by attackers who compromise users' home area networks. If a criminal or malicious attacker can determine when a user is not at home, they may break into his/her house at such a time. And energy information can support burglars or provide business intelligence to competitors [6]. By this information, the users' habits or lifestyles can be tracked. And a series of problems arises in case of information leakage. Thus, authentication and user privacy preservation are two important security issues on the information flow in smart grid.

Thus, there is need to design schemes which can achieve data transmission between smart meters and smart grid provider with privacy preserving. This paper just studies the privacy-preserving data collection scheme for smart grid.

2. Related Works

The proposed privacy-preserving schemes about smart grid are mainly constructed by two kinds of cryptographic tools, homomorphic encryption [7–9] and signcryption [10, 11]. By homomorphic encryption, smart meters (SMs) encrypt the messages and send them to gateway (BGW), but gateway cannot get any users' messages without the system private key. Then, gateway signs encrypted messages and sends them to control center (CC). Based on the property of homomorphic encryption, control center can make use of the system private key to recover every user's messages.

Secure data aggregation schemes in smart grid have been investigated by several researchers. Lu et al. proposed a privacy-preserving aggregation scheme [7], which is based on the homomorphic Paillier cryptosystem. But in [7], it is assumed that the session keys between SM and BGW are unchanged. Once an adversary $A$ compromises the session keys, $A$ can decrypt any previous response message. Based on [7], Li et al. proposed a privacy-preserving demand and response scheme with adaptive key evolution [9]. Both [7, 9] make use of homomorphic encryption to achieve privacy preserving, and they can meet aggregation for some data. In addition, several researchers focused on privacy-preserving aggregation in different conditions by using multiparty computation [12, 13], differential privacy [14], and the aggregated pseudostatus variation [15]. As signcryption based schemes, they can complete digital signature and encryption for a message in one time. In particular, SMs signcrypt the messages and send them to gateway. Gateway cannot get any users' messages from the encrypted messages. Then, gateway signs and sends encrypted messages to control center. Control center can recover every user's messages by the shared key between CC and SMs. In [10], an identity-based signcryption scheme for smart grid was proposed. But in [10], the management of pseudonymous ID is a problem. Reference [11] adopted the pseudonym technology to achieve the user identity anonymity and adopted the signcryption to complete digital signature and encryption in one time in smart grid.

However, the smart grid needs not only to protect users' sensitive information but also to meet their demands for personalized data application with multilevel and multigranularity. Thus many users' messages cannot be aggregated, which should be sent to control center detail by detail. And existing homomorphic encryption to achieve privacy preserving is based on the computational expensive operations [7, 9], which may not be desirable for smart grids with limited resources in terms of both bandwidth and computation. And the existing signcryption based schemes in smart grid [10, 11] cannot meet forward secrecy.

This paper proposes an efficient privacy-preserving data collection scheme for smart grid, which is based on the blind signature and the key distribution scheme. In this scheme, users' data information is transmitted to the local aggregator via gateway, while gateway cannot get any users' messages. Moreover, this scheme can achieve forward secrecy of SM's session key, and evolution of SM's private keys.

The remainder of paper is organized as follows. Section 3 introduces models and design goal. Section 4 describes preliminaries. Section 5 presents the proposed EPPDC scheme. Section 6 shows the security analysis and the computation overhead of the scheme in this paper, respectively. Finally, Section 7 makes a conclusion.

3. Models and Design Goal

In this section, we give the system model, security model, and the design goal.

3.1. System Model

As shown in Figure 1, smart grid is divided into a number of hierarchical networks, which is comprised of control center (CC), district area network (DAN), building area network (BAN), and home area network (HAN). The CC covers $n_{1}$ DANs. For the sake of simplicity, we assume that each DAN comprises $n_{2}$ BANs and each BAN comprises $n_{3}$ HANs. Each HAN is assigned a smart meter (SM) enabling an automated, bidirectional communication between the CC and the HAN users. Meantime, each BAN is equipped with a gateway (BGW) and each DAN is equipped with a local aggregator (LAG). And each SM can directly communicate with LAG via the BGW.

Figure 1

Hierarchical architecture of smart grid.

In this paper, the system model of smart grid contains 5 parties, including trusted authority (TA), central aggregator (CAG), LAG, BGW, and SM. LAG is the entity that can directly communicate with CAG on behalf of those geographically dispersed HANs. TA belongs to some independent organizations like Regional Transmission Organizations (RTO) or Independent System Operators (ISO). TA does the system initiation, such as generating public system parameters and assigning private key for each entity.

Then we give a partial relationship for smart grid in China, which is shown in Figure 2. The provincial operator is viewed as central aggregator CAG, and municipal operator is viewed as LAG. For example, there is focus on the Northwest China. It has a CAG located in Shaanxi and multiple LAGs dispersed in Xi'an, Hanzhong, Yulin, and other towns. And ISO, Northwest China, plays the role of TA. The provincial operator is responsible for generating and transmitting parameters of CAG, predicting flexible power demand and managing renewable generation in its province. Generally, the provincial operator can refer to municipal electricity demand curve to make power supply plan and generation dispatching plan with a day ahead. The municipal operator is responsible for generating networks parameters and aggregating the power demand. At present in China, the communication between the provincial operator and the municipal operator is used by fiber optic link which is assumed to be safe. The municipal operator can refer to load curve. According to preferred load curve, time of use (TOU) prices, and customers demand, each BAN makes bids in the electricity market. Both municipal and BAN operator need real-time communication and data management. Usually, wireless communication is used to transfer data between BGW and SM.

Figure 2

An envisioned relationship diagram for smart grid in China.

3.2. Security Model

In our security model, CAG and LAG are trusted by all parties and are infeasible for any adversary to compromise. BGW can comply with the scheme but with diligent curiosity. Thus BGW possibly gets the user's privacy information in the process of implementing the scheme. We consider the following security goals. (1)

Confidentiality: the messages sent to LAG from SM should be confidential; that is, if an adversary $A$ captures the messages, it cannot identify the encrypted messages.

(2)

Authenticity and data integrity: BGW and HAN users should be authenticated by LAG and BGW each other, respectively. Meanwhile, if an adversary $A$ modifies the messages, the malicious operations can be detected.

(3)

Privacy preservation: the users' electricity information should not be disclosed to the undesirable entities. Privacy preservation should meet the anonymous authentication and data encryption, which make attacker not able to get any information from any of the users. In smart grid, if an adversary $A$ hacks into the database of BGWs, it cannot determine the contents of ciphertexts. In order to protect the users' privacy, even BGW cannot determine the detailed electrical information to certain users.

(4)

Evolution of users' private keys: the evolution of users' private keys should be achieved. If an adversary $A$ compromises any previous private key of a HAN user, $A$ cannot use it currently or in the future.

3.3. Design Goal

Under the above models, our design goal is to develop an efficient privacy-preserving scheme for data collection in smart grid. Specifically, the following two desirable objectives will be achieved. (1)

The proposed privacy-preserving scheme should achieve the message source authentication, data integrity, and the confidentiality of the messages.

(2)

The proposed scheme should be cost-effective in terms of computation and communication overheads.

4. Preliminaries

In this section, we review bilinear pairings, hash function and HMAC [16], group key distribution scheme [17], and Nyberg-Rueppel blind signature technology [18], which will serve as the basis of the proposed scheme.

4.1. Bilinear Pairings

Let $G_{1}$ be a cyclic additive group of prime order q and let $G_{T}$ be a cyclic multiplicative group of the same order. A map e: $G_{1} \times G_{1} \to G_{T}$ is called a bilinear map if it satisfies the following properties:

(1) bilinearity: $e (Q, W + Z) = e (Q, W) e (Q, Z)$ and $e (Q + W, Z) = e (Q, Z) e (W, Z)$ , for all $Q, W, Z \in G_{1}$ ;

(2) nondegeneracy: there exists $P, Q \in G_{1}$ such that $e (P, Q) \neq 1$ ;

(3) computability: there is an efficient algorithm to compute $e (P, Q)$ for $P, Q \in G_{1}$ .

4.2. Hash Function and HMAC

A one-way hash function $h (\cdot)$ is said to be secure if the following properties are satisfied. (1)

$h (\cdot)$ can take a message of arbitrary length as input and produce a message digest of a fixed-length output.

(2)

Given x, it is easy to compute $h (x) = y$ . However, it is hard to compute $h^{- 1} (y) = x$ given y.

(3)

Given x, it is computationally infeasible to find $x^{'} \neq x$ such that $h (x^{'}) = h (x)$ .

Hash-based message authentication code (HMAC) is a specific construction for computing a message authentication code (MAC) using a cryptographic hash function in combination with a secret key. Both data integrity and authenticity of a message can be achieved using such a technique. Due to the property of hash functions, an HMAC value can be computed in a much shorter time than a traditional digital signature. In this paper, we denote the HMAC value on message M is HMAC_K(M) using the secret key K.

4.3. Group Key Distribution Scheme

The purpose of group key distribution is to distribute keys to selected group members so that each of the selected group members shares a distinct personal key with the group manager, but the other group members cannot get any information of the keys. In [17], the group manager broadcasted a message, and all the selected group members could derive their keys from the message. The approach of [17] chose a random t-degree polynomial $f (x)$ from $F_{q} [x]$ and selected $f (i)$ for each group member $U_{i}$ as the shared person key. The group manager constructed a single broadcast polynomial $w (x)$ such that, for a selected group member $U_{i}$ , $f (i)$ could be recovered from the knowledge of $w (x)$ and the personal secret $S_{i}$ . But for any revoked group member, $U_{i^{'}}$ , $f (i^{'})$ could not be determined from $w (x)$ and $S_{i^{'}}$ .

In [17], $w (x) = g (x) f (x) + h (x)$ was constructed by $f (x)$ with the help of a revocation polynomial $g (x)$ and a masking polynomial $h (x)$ . The revocation polynomial $g (x)$ was constructed in such a way that $g (i) \neq 0$ for any selected group member $U_{i}$ , but $g (i^{'}) = 0$ for any revoked group member $U_{i^{'}}$ . During setup phase, each group member $U_{v}$ had its own personal secret $S_{v} = {h (v)}$ , which might be distributed by the group manager through the secure communication channel between each group member and the group manager. Thus, for any selected group member $U_{i}$ , new personal key $f (i)$ could be computed by $f (i) = [w (i) - h (i)] / g (i)$ , but for any revoked group member $U_{i^{'}}$ , new personal key could not be computed because $g (i^{'}) = 0$ . Specific steps were as follows. (1)

Setup: the group manager randomly picked a $2 t$ -degree masking polynomial, $h (x) = h_{0} + h_{1} x + \dots + h_{2 t} x^{2 t}$ , from $F_{q} [x]$ . Each group member $U_{i}$ got the personal secret $S_{i} = {h (i)}$ from the group manager.

(2)

Broadcast: given a set of revoked group members $R = {r_{1}, r_{2}, \dots, r_{w}} (|R| \leq t)$ , the group manager distributed the shares of t-degree polynomial $f (x)$ to nonrevoked group members via the following broadcast message: $B = {R} \cup {w (x) = g (x) f (x) + h (x)}$ , where the revocation polynomial $g (x) = (x - r_{1}) (x - r_{2}) \dots (x - r_{w})$ .

(3)

Personal key recovery: if any nonrevoked group member $U_{i}$ received such a broadcast message, it evaluated the polynomial $w (x)$ at point i and got $w (i) = g (i) f (i) + h (i)$ . Because $U_{i}$ knew $h (i)$ and $g (i) \neq 0$ , it could compute the new personal key $f (i) = [w (i) - h (i)] / g (i)$ .

4.4. Nyberg-Rueppel Blind Signature

Blind signatures enable users to obtain valid signatures on a message without revealing its content to the signer. Nyberg-Rueppel blind signature scheme was proposed by Camenisch et al., which was based on the discrete logarithm problem [18]. The scheme had three parts as follows. (1)

Setup system parameters: the system parameters consisted of a prime p, a prime factor q of $p - 1$ , and an element $g \in Z_{q}^{*}$ of order q. The signer's private key was a random element $x \in Z_{q}^{*}$ , while the corresponding public key was $y = g^{x} (\mod p)$ .

(2)

Sign: Bob could obtain a valid signature on a message m from Alice without revealing its content to Alice.

(a)

Alice randomly selected $k^{'} \in Z_{q}^{*}$ , computed $r^{'} = g^{k^{'}} (\mod p)$ , and sent $r^{'}$ to Bob.

(b)

Bob selected $α, β \in Z_{q}^{*}$ at random and computed $r = m g^{α} r^{' β} (\mod p)$ and $m^{'} = r β^{- 1} (\mod q)$ . Bob checked whether it was satisfied with $m^{'} \in Z_{p}^{*}$ . If this was not the case, a new ( $α, β$ ) would be chosen until it was satisfied with $m^{'} \in Z_{p}^{*}$ . Then, Bob sent $m^{'}$ to Alice.

(c)

Alice computed $s^{'} = m^{'} x + k^{'} (\mod q)$ and sent $s^{'}$ to Bob.

(d)

Bob computed $s = s^{'} β + α (\mod q)$ . $(r, s)$ was the signature of Alice on message m.

(3)

Verify: anyone could verify the validity of the signature ( $r, s$ ) on message m by

\begin{array}{l} g^{- s} y^{r} r = m g^{- s^{'} β - α + x r + k^{'} β + α} \\ = m g^{- m^{'} x β - k^{'} β + x r + k^{'} β} = m (\mod p) . \end{array}

(1)

5. EPPDC Scheme

Based on the blind signature and the key distribution scheme, this section gives the EPPDC scheme for smart grid. This scheme can achieve that the users' data is transmitted to the LAG via BGW with privacy preserving. In this section, we propose the scheme, which consists of five phases: system initialization, certificate issuing, user registration, data collection, and key evolution.

5.1. System Initialization

We assume that TA will initialize the whole system. TA chooses the following: (1)

primes p and q such that $q | p - 1$ , $q \geq 2^{140}$ and $p \geq 2^{512}$ ;

(2)

an element $g \in Z_{p}^{*}$ with order q; that is, $g^{q} = 1 (\mod p)$ , and $g \neq 1$ ;

(3)

a one-way hash function $h : {(0,1)}^{*} \to {(0,1)}^{l}$ ;

(4)

a security parameter $λ \in N$ and bilinear group ( $G, G_{T}$ ) with prime order $p > 2^{λ}$ , which satisfies with g being a generator of G;

(5)

a random number $s \in Z_{q}^{*}$ as TA's private key so that $S K_{TA} = s$ .

Then, TA computes its public key $P K_{TA} = g^{s}$ and publishes the tuple $(p, q, g, h, P K_{TA})$ as the system parameters.

5.2. Certificate Issuing

During this phase, TA verifies the identity and issues the certificate for every entity. These entities include all the CAGs, LAGs, and BGWs. As an example, TA issues the certificate for a certain ${LAG}_{i}$ as follows. (1)

TA chooses a random number $S K_{LA G_{i}} \in Z_{q}^{*}$ as the ${LAG}_{i}$ 's private key and computes the ${LAG}_{i}$ 's public key $P K_{LA G_{i}} = g^{S K_{LA G_{i}}} (\mod p)$ .

(2)

TA generates the signature $σ_{TA, LA G_{i}}$ , where $σ_{TA, LA G_{i}} = Si g_{S K_{TA}} (P K_{LA G_{i}})$ is a signature on $P K_{LA G_{i}}$ using TA's private key SK_TA.

(3)

TA delivers $S K_{LA G_{i}}$ and $Cer t_{LA G_{i}}$ to ${LAG}_{i}$ , where $Cer t_{LA G_{i}} = (P K_{LA G_{i}}, σ_{TA, LA G_{i}})$ . The delivery of $S K_{LA G_{i}}$ must be via a secure channel, such as a Secure Socket Layer.

5.3. User Registration

Before accessing smart grid, every SM needs to get a certificate from TA and register in certain LAG which SM belongs to. Assume $S M_{i - LA G_{i}}$ indicates that a certain SM belongs to ${LAG}_{i}$ . In Figure 3, an example of user registration for $S M_{i - LA G_{i}}$ is as follows.

Figure 3

The flow chart of $S M_{i - LA G_{i}}$ registration.

(1)

After TA verifies the identity of $S M_{i - LA G_{i}}$ , TA delivers the $S K_{S M_{i - LA G_{i}}}$ and certificate $Cer t_{S M_{i - LA G_{i}}}$ to $S M_{i - LA G_{i}}$ , which is the same as the process in Section 5.2.

(2)

$S M_{i - LG A_{i}}$ encrypts the message $Cer t_{S M_{i - LA G_{i}}} ∥ T ∥ Si g_{S K_{S M_{i - LA G_{i}}}} (Cer t_{S M_{i - LA G_{i}}} ∥ T)$ by $P K_{LA G_{i}}$ and sends it to ${LAG}_{i}$ , where T is the current timestamp.

(3)

${LAG}_{i}$ decrypts the received message by its private key $S K_{LA G_{i}}$ . ${LAG}_{i}$ verifies the validity of timestamp T, $Cer t_{S M_{i - LA G_{i}}}$ and $Si g_{S K_{S M_{i - LA G_{i}}}} (Cer t_{S M_{i - LA G_{i}}} ∥ T)$ . If all those are available, go to step (4). Otherwise, go back to Step (2).

(4)

${LAG}_{i}$ chooses a random number $S_{LA G_{i} - S M_{i}} \in Z_{q}^{*}$ and computes $P_{LA G_{i} - S M_{i}} = g^{S_{LA G_{i} - S M_{i}}}$ , $K_{LA G_{i} - S M_{i}} = (P K_{S M_{i - LA G_{i}}})^{S_{LA G_{i} - S M_{i}}}$ , and $H_{LA G_{i} - S M_{i}} = HMA C_{K_{LA G_{i} - S M_{i}}} (P_{LA G_{i} - S M_{i}})$ . Then, ${LAG}_{i}$ sends $P_{LA G_{i} - S M_{i}}$ and $H_{LA G_{i} - S M_{i}}$ to $S M_{i - LA G_{i}}$ .

(5)

$S M_{i - LA G_{i}}$ can get noninteractively shared key $K_{LA G_{i} - S M_{i}} = (P_{LA G_{i} - S M_{i}})^{S K_{S M_{i - LA G_{i}}}}$ and can verify the correctness of $H_{LA G_{i} - S M_{i}}$ . If $H_{LA G_{i} - S M_{i}}$ is consistent, go to Step (6). Otherwise, go back to Step (2).

(6)

$S M_{i - LA G_{i}}$ sends $P_{LA G_{i} - S M_{i}} ∥ TS ∥ Si g_{S K_{S M_{i - LA G_{i}}}} (P_{LA G_{i} - S M_{i}} ∥ TS)$ to ${LAG}_{i}$ , where TS is the current timestamp.

(7)

${LAG}_{i}$ verifies the validity of signature in Step (6). If it is available, go to Step (8). Otherwise, go back to Step (4).

(8)

${LAG}_{i}$ stores the $Cer t_{S M_{i - LA G_{i}}}$ , $S_{LA G_{i} - S M_{i}}$ , and $K_{LA G_{i} - S M_{i}}$ in its database. Then ${LAG}_{i}$ sends the permit defined as $P K_{S M_{i - LA G_{i}}} ∥ T S_{p e r m i t} ∥ d ∥ {Sig}_{S K_{LA G_{i}}} (P K_{S M_{i - LG A_{i}}} ∥ T S_{p e r m i t} ∥ d)$ to $S M_{i - LA G_{i}}$ , where $T S_{p e r m i t}$ is the current timestamp and d is the expiry length of time.

5.4. Data Collection

When a certain ${LAG}_{i}$ needs to make statistical analysis and collect energy information in its DAN, ${LAG}_{i}$ broadcasts the data collection command to its subordinate BGWs_. Similarly, each BGW will broadcast the data collection command to its subordinate SMs. As an example, the process of data collection from $S M_{i - LA G_{i}}$ to ${LAG}_{i}$ is as follows.

(I) Each BGW Collects Eligible SMs' Permits (1)

After receiving the data collection command from $BG W_{j - LA G_{i}}$ , $S M_{i - LA G_{i}}$ chooses a random number $u_{S M_{i} - LA G_{i}} \in Z_{q}^{*}$ and computes $K_{1_{S M_{i - LA G_{i}}}} = g^{u_{S M_{i} - LA G_{i}}}$ . Here $BG W_{j - LA G_{i}}$ is a certain BGW who is ${LAG}_{i}$ 's subordinate and $S M_{i - LA G_{i}}$ 's superior. Then, $S M_{i - LA G_{i}}$ encrypts the message $C_{1_{S M_{i - LA G_{i}}}} = p e r m i t ∥ K_{1_{S M_{i - LA G_{i}}}} ∥ T_{1} ∥ Si g_{S K_{S M_{i - LA G_{i}}}} (p e r m i t ∥ K_{1_{S M_{i - LA G_{i}}}} ∥ T_{1})$ by $P K_{BG W_{j - LA G_{i}}}$ and sends it to $BG W_{j - LA G_{i}}$ , where $T_{1}$ is the current timestamp.

(2)

$BG W_{j - LA G_{i}}$ verifies the validity of $C_{1_{S M_{i - LA G_{i}}}}$ using Algorithm 1. For eligible $S M_{i - LA G_{i}}$ , $BG W_{j - LA G_{i}}$ chooses two random numbers $u_{BG W_{j - LA G_{i}}}$ , $k_{BG W_{j - LA G_{i}}}^{'} \in Z_{q}^{*}$ and computes $r_{BG W_{j - LA G_{i}}}^{'}$ , $K_{2_{BG W_{j - LA G_{i}}}}$ , $K_{S M_{i} - BG W_{j} - LA G_{i}}$ , where $r_{BG W_{j - LA G_{i}}}^{'} = g^{k_{BG W_{j - LA G_{i}}}^{'}} (\mod p)$ , $K_{2_{BG W_{j - LA G_{i}}}} = g^{u_{BG W_{j - LA G_{i}}}} (\mod p)$ , and $K_{S M_{i} - BG W_{j} - LA G_{i}} = {K_{1_{S M_{i - LA G_{i}}}}}^{u_{BG W_{j - LA G_{i}}}} (\mod p)$ .

(3)

$BG W_{j - LA G_{i}}$ sends the message $C_{2_{S M_{i - LA G_{i}}}} = r_{BG W_{j - LA G_{i}}}^{'} ∥ K_{2_{BG W_{j - LA G_{i}}}} ∥ T_{2} ∥ HMA C_{K_{S M_{i} - BG W_{j} - LA G_{i}}} (r_{BG W_{j - LA G_{i}}}^{'} ∥ K_{2_{BG W_{j - LA G_{i}}}} ∥ T_{2})$ to $S M_{i - LA G_{i}}$ , where $T_{2}$ is the current timestamp.

(4)

After receiving $C_{2_{S M_{i - LA G_{i}}}}$ , $S M_{i - LA G_{i}}$ can get noninteractively shared key $K_{S M_{i} - BG W_{j} - LA G_{i}} = {K_{2_{BG W_{j - LA G_{i}}}}}^{u_{S M_{i} - LA G_{i}}} (\mod p)$ and compute $HMA C_{K_{S M_{i} - BG W_{j} - LA G_{i}}} (r_{BG W_{j - LA G_{i}}}^{'} ∥ K_{2_{BG W_{j - LA G_{i}}}} ∥ T_{2})$ .

(5)

If the value of HMAC is consistent, go to Step (5). Otherwise, go back to Step (1).

(6)

$S M_{i - LA G_{i}}$ sends $p e r m i t ∥ T_{3} ∥ HMA C_{K_{S M_{i} - BG W_{j} - LA G_{i}}} (p e r m i t ∥ T_{3})$ to $BG W_{j - LA G_{i}}$ , where $T_{3}$ is the current timestamp.

(7)

When $T_{3} - T_{2} < Δ T$ , $BG W_{j - LA G_{i}}$ verifies the correctness of received messages in Step (5) by HMAC, where $Δ T$ is the limit for time difference. Then, $BG W_{j - LA G_{i}}$ collects all eligible SMs' permits and sends them to ${LAG}_{i}$ .

Algorithm 1: The process of verifying $C_{1_{S M_{i - LA G_{i}}}}$ .

Require: $En c_{P K_{BG W_{j - LA G_{i}}}} {[C}_{1_{S M_{i - LA G_{i}}}}]$

(1) Decrypt $En c_{P K_{BG W_{j - LA G_{i}}}} [C_{1_{S M_{i - LA G_{i}}}}]$ by $BG W_{j - LA G_{i}}$ 's private key $S K_{BG W_{j - LA G_{i}}}$ .

(2) Verify $T_{1}$ − $T S_{p e r m i t}$ < d, d is the expiry length of time.

(3) if $T_{1}$ is valid then

Verify $Si g_{S K_{S M_{i - LA G_{i}}}} (p e r m i t ∥ K_{1_{S M_{i - LA G_{i}}}} ∥ T_{1})$ by $P K_{S M_{i} - LA G_{i}}$ .

if $Si g_{S K_{S M_{i - LA G_{i}}}} (p e r m i t ∥ K_{1_{S M_{i - LA G_{i}}}} ∥ T_{1})$ is valid then

Verify $Si g_{S K_{_{LA G_{i}}}} (P K_{S M_{i - LG A_{i}}} ∥ T S_{p e r m i t} ∥ d)$ by $P K_{LA G_{i}}$ .

if $Si g_{S K_{_{LA G_{i}}}} (P K_{S M_{i - LG A_{i}}} ∥ T S_{p e r m i t} ∥ d)$ is valid then

accept $C_{1_{S M_{i - LA G_{i}}}}$ .

(4) end if

(5) end if

(6) end if

(II) Generate the Shared Blind Factors between LAG and Every SM (1)

After receiving all the permits from $BG W_{j - LA G_{i}}$ , ${LAG}_{i}$ confirms the total of permits as $N_{BG W_{j - LA G_{i}}}$ . Then ${LAG}_{i}$ finds the corresponding $K_{LA G_{i} - S M_{i}}$ in its database, where $K_{LA G_{i} - S M_{i}}$ is the shared key of ${LAG}_{i}$ with $S M_{i - LA G_{i}}$ . And ${LAG}_{i}$ generates the message ${B_{BG W_{j - LA G_{i}}}, K_{3_{BG W_{j - LA G_{i}}}}}$ by using Algorithm 2.

(2)

${LAG}_{i}$ sends message ${B_{BG W_{j - LA G_{i}}}, K_{3_{BG W_{j - LA G_{i}}}}}$ to $BG W_{j - LA G_{i}}$ .

(3)

After receiving the message from ${LAG}_{i}$ , $BG W_{j - LA G_{i}}$ stores $K_{3_{BG W_{j - LA G_{i}}}}$ in its database and broadcasts $B_{BG W_{j - LA G_{i}}}$ to its every subordinate SM. If SM's permit is eligible, SM can recover $K_{LA G_{i} - BG W_{j - LA G_{i}}}^{1}$ and $K_{LA G_{i} - BG W_{j - LA G_{i}}}^{2}$ . As an example, $S M_{i - LA G_{i}}$ can get $K_{LA G_{i} - BG W_{j - LA G_{i}}}^{1} = g_{BG W_{j - LA G_{i}}} (K_{LA G_{i} - S M_{i}})$ + $K_{LA G_{i} - BG W_{j - LA G_{i}}}^{1}$ and $K_{LA G_{i} - BG W_{j - LA G_{i}}}^{2} = g_{BG W_{j - LA G_{i}}} (K_{LA G_{i} - S M_{i}}) + K_{LA G_{i} - BG W_{j - LA G_{i}}}^{2}$ , respectively. In the following, $S M_{i - LA G_{i}}$ is an example of data collection, which is the same as other SMs.

(4)

$S M_{i - LA G_{i}}$ computes two blind factors $α_{LA G_{i} - S M_{i}} = H (K_{LA G_{i} - BG W_{j - LA G_{i}}}^{1} ∥ K_{LA G_{i} - S M_{i}})$ and $β_{LA G_{i} - S M_{i}} = H (K_{LA G_{i} - BG W_{j - LA G_{i}}}^{2} ∥ K_{LA G_{i} - S M_{i}})$ , where H is a one-way hash function.

Algorithm 2: Message generation algorithm for LAG.

Require: g, p, q, $K_{LA G_{i} - S M_{1}}, \dots, K_{LA G_{i} - S M_{N_{BG W_{j - LA G_{i}}}}}$

(1) Construct function $g_{BG W_{j - LA G_{i}}} (x) = (x - K_{LA G_{i} - S M_{1}}) \cdot (x - K_{LA G_{i} - S M_{2}}) \dots (x - K_{LA G_{i} - S M_{N_{BG W_{j - LA G_{i}}}}})$ ,

where from $K_{LA G_{i} - S M_{1}}$ to $K_{LA G_{i} - S M_{N_{BG W_{j - LA G_{i}}}}}$ indicates $N_{BG W_{j - LA G_{i}}}$

shared keys of LAG with SMs which permit past validation.

(2) Select random numbers $K_{LA G_{i} - BG W_{j - LA G_{i}}}^{1} \in$ $Z_{q}^{*}$ and $K_{LA G_{i} - BG W_{j - LA G_{i}}}^{2} \in Z_{q}^{*}$ .

(3) Generate $B_{BG W_{j - LA G_{i}}} = {g_{BG W_{j - LA G_{i}}} (x) + K_{LA G_{i} - BG W_{j - LA G_{i}}}^{1}$ , $g_{BG W_{j - LA G_{i}}} (x) + K_{LA G_{i} - BG W_{j - LA G_{i}}}^{2}}$ .

(4) Select a random number $u_{BG W_{j - LA G_{i}}}^{'} \in Z_{q}^{*}$ .

(5) Compute $K_{3_{BG W_{j - LA G_{i}}}} = g^{u_{BG W_{j - LA G_{i}}}^{'}} (mod p)$ .

Return ${B_{BG W_{j - LA G_{i}}}, K_{3_{BG W_{j - LA G_{i}}}}}$

(III) LAG Collects Data from SM via BGW (1)

$S M_{i - LA G_{i}}$ reads the current electricity information $m_{i - LA G_{i}}$ and computes $r_{i - LA G_{i}} = m_{i - LA G_{i}} g^{α_{LA G_{i} - S M_{i}}} {r_{BG W_{j - LA G_{i}}}^{'}}^{β_{LA G_{i} - S M_{i}}} (\mod p), m_{i - LA G_{i}}^{'} = r_{i - LA G_{i}} β_{LA G_{i} - S M_{i}}^{- 1}$ . $S M_{i - LA G_{i}}$ sends $C_{3_{S M_{i - LA G_{i}}}} = m_{i - LA G_{i}}^{'} ∥ T_{4} ∥ Si g_{S K_{S M_{i - LA G_{i}}}} (m_{i - LA G_{i}}^{'} ∥ T_{4})$ to $BG W_{j - LA G_{i}}$ , where $T_{4}$ is the current timestamp.

(2)

$BG W_{j - LA G_{i}}$ verifies the validity of signature in Step (1). If the signature is valid, go to Step (3). Otherwise, $BG W_{j - LA G_{i}}$ requires $S M_{i - LA G_{i}}$ resending the message as in Step (1) within the valid time range.

(3)

$BG W_{j - LA G_{i}}$ chooses a random number $u_{BG W_{j - LA G_{i}}}^{′′} \in Z_{q}^{*}$ and computes $K_{4_{BG W_{j - LA G_{i}}}}$ = $g^{{u_{BG W_{j - LA G_{i}}}^{′′}}_{}} (\mod p)$ , $K_{S M_{i} - BG W_{j} - LA G_{i}}^{'}$ = ${K_{3_{BG W_{j - LA G_{i}}}}}^{{u_{BG W_{j - LA G_{i}}}^{′′}}_{}} (\mod p)$ . $BG W_{j - LA G_{i}}$ signs the message $m_{i - LA G_{i}}^{'}$ with $s_{S M_{i} - BG W_{j} - LA G_{i}}^{'}$ = $m_{i - LA G_{i}}^{'} S K_{BG W_{j - LA G_{i}}}$ + $k_{BG W_{j - LA G_{i}}}^{'} (\mod p)$ using blind signature.

(4)

$BG W_{j - LA G_{i}}$ sends $C_{4_{S M_{i - LA G_{i}}}} = r_{BG W_{j - LA G_{i}}}^{'} ∥ s_{S M_{i} - BG W_{j} - LA G_{i}}^{'} ∥ P K_{S M_{i - LA G_{i}}} ∥ m_{i - LA G_{i}}^{'} ∥ T_{4} ∥ Si g_{S K_{S M_{i - LA G_{i}}}} (m_{i - LA G_{i}}^{'} ∥ T_{4}) ∥ K_{4_{BG W_{j - LA G_{i}}}} ∥ T_{5}$ and $HMA C_{K_{S M_{i} - BG W_{j} - LA G_{i}}^{'}} (C_{4_{S M_{i - LA G_{i}}}})$ to ${LAG}_{i}$ .

(5)

${LAG}_{i}$ can get $S M_{i - LA G_{i}}$ 's current electricity information $m_{i - LA G_{i}}$ using Algorithm 3.

Algorithm 3: The process of recovering message for LAG.

(1) Verify $T_{5} - T_{4} < Δ T$ , where $Δ T$ is the limit for time difference.

(2) if $T_{5} - T_{4} < Δ T$ then

compute $K_{S M_{i} - BG W_{j - LA G_{i}}}^{'}$ = ${K_{4_{BG W_{j - LA G_{i}}}}}^{u_{BG W_{j - LA G_{i}}}^{'}} (mod p)$ .

(3) Verify the validity of $HMA C_{K_{S M_{i} - BG W_{j - LA G_{i}}}^{'}} (C_{4_{S M_{i - LA G_{i}}}})$ .

(4) if HMAC is valid then

find $K_{LA G_{i} - S M_{i}}$ in its database according to $P K_{S M_{i - LA G_{i}}}$ .

(5) Computes $α_{LA G_{i} - S M_{i}} = H {(K}_{LA G_{i} - BG W_{j - LA G_{i}}}^{1} ∥ K_{LA G_{i} - S M_{i}})$ , $β_{LA G_{i} - S M_{i}} = H {(K}_{LA G_{i} - BG W_{j - LA G_{i}}}^{2} ∥ K_{LA G_{i} - S M_{i}})$ .

(6) Get $s_{S M_{i} - BG W_{j - LA G_{i}}} = s_{S M_{i} - BG W_{j - LA G_{i}}}^{'} β_{LA G_{i} - S M_{i}} + α_{LA G_{i} - S M_{i}}$ ,

$r_{i - LA G_{i}} = {m_{i - LA G_{i}}}^{'} β_{LA G_{i} - S M_{i}}$ ,

$m_{i - LA G_{i}} = r_{i - LA G_{i}} g^{- α_{LA G_{i} - S M_{i}}} {r_{BG W_{j - LA G_{i}}}^{'}}^{- β_{LA G_{i} - S M_{i}}} (\mod p)$ .

(7) Judge $g^{- s_{S M_{i} - BG W_{j - LA G_{i}}}} P {K_{BG W_{j - LA G_{i}}}}^{r_{i - LA G_{i}}} r_{i - LA G_{i}} (\mod p) = m_{i - LA G_{i}}$

if equation holds then

Record the message $m_{i - LA G_{i}}$ and signature ( $s_{S M_{i} - BG W_{j - LA G_{i}}}$ , $r_{i - LA G_{i}}$ ) in the corresponding database.

(8) end if

(9) end if

(10) end if

5.5. Key Evolution

The $SM$ 's permit is only valid from $T S_{p e r m i t}$ to $T S_{p e r m i t} + d$ . After $T S_{p e r m i t} + d$ , the permit is automatically revoked if $SM$ does not apply for a new permit. Assuming $d^{'}$ is the corresponding number of days for d, here we extend the shared key $K_{LAG - SM}$ to $d^{'}$ dimensional vector $K_{LAG - SM} = (K_{1}, K_{2}, \dots, K_{d^{'}})$ . For $d^{'}$ dimensional vector $K_{LAG - SM}$ , $K_{1} = K_{LAG - SM}$ , $K_{2} = H (K_{1})$ , and $K_{3} = H (K_{2}), \dots, K_{d^{'}} = H (K_{d^{'} - 1})$ , where H is a one-way hash function. Note that the extension does not influence the previous EPPDC scheme. Then, both $SM$ and $LAG$ can deduce $d^{'}$ dimensional shared key $K_{LAG - SM} = (K_{1}, K_{2}, \dots, K_{d^{'}})$ within the terms of permit.

Here we assume that every shared key is valid for one day. $d^{'}$ dimensional shared key is valid for $d^{'}$ days during the validity of permit. Accordingly, both $SM$ and $LAG$ can confirm the intraday shared key $K_{LAG - SM}$ from $d^{'}$ dimensional key $K_{LAG - SM}$ .

Every $SM$ only stores the intraday shared key $K_{LAG - SM}$ within permit validity period. The day before the expiration of $p e r m i t$ , $SM$ applies for registration in $LAG$ again. For eligible $SM$ , $LAG$ will issue the new permit and form the new shared key $K_{LAG - SM}$ to $SM$ . When previous permit has expired, $SM$ deletes previous permit and $K_{LAG - SM}$ . Thus, the shared key $K_{LAG - SM}$ evolution is achieved.

6. Security Analysis and Computation Overhead

In this section, we analyze the security properties and the computation of the EPPDC scheme.

6.1. Security Analysis

EPPDC scheme can achieve data collection from $SM$ to $LAG$ via $BGW$ . And EPPDC scheme not only can resist replay attack, but also has source authentication and data integrity, confidentiality, unforgeability, nonrepudiation, and evolution of shared keys.

Property 1 (correctness).

In EPPDC scheme, $LAG$ can verify the blind signature of $BGW$ and recover the message sent by $SM$ .

Proof.

During Stage III of data collection in EPPDC scheme, $BG W_{j - LA G_{i}}$ sends the $(r_{BG W_{j - LA G_{i}}}^{'}, s_{S M_{i} - BG W_{j} - LA G_{i}}^{'})$ message $m_{i - LA G_{i}}^{'}$ and $P K_{S M_{i - LA G_{i}}}$ to $LA G_{i}$ . $LA G_{i}$ can find the corresponding $K_{{LAG}_{i} - {SM}_{i}}$ in its database according to $P K_{S M_{i - LA G_{i}}}$ and the current timestamp. Then, $LA G_{i}$ recovers the current electricity information $m_{i - LA G_{i}}$ using Algorithm 3, which is proved by

\begin{array}{l} r_{i - LA G_{i}} \cdot g^{- α_{LA G_{i} - S M_{i}}} \cdot {r_{BG W_{j - LA G_{i}}}^{'}}^{- β_{LA G_{i} - S M_{i}}} (\mod p) \\ = (m_{i - LA G_{i}} \cdot g^{α_{LA G_{i} - S M_{i}}} \cdot {r_{BG W_{j - LA G_{i}}}^{'}}^{β_{LA G_{i} - S M_{i}}}) \\ \times g^{- α_{LA G_{i} - S M_{i}}} \cdot {r_{BG W_{j - LA G_{i}}}^{'}}^{- β_{LA G_{i} - S M_{i}}} (\mod p) \\ = m_{i - LA G_{i}} . \end{array}

(2)

The $BG W_{j - LA G_{i}}$ 's signature on $m_{i - LA G_{i}}$ is $(s_{S M_{i} - BG W_{j} - LA G_{i}}, r_{i - LA G_{i}})$ , which can be proved by

\begin{array}{l} g^{- (s_{S M_{i} - BG W_{j} - LA G_{i}})} {(P K_{BG W_{j - LA G_{i}}})}^{r_{i - LA G_{i}}} \cdot r_{i - LA G_{i}} (\mod p) \\ = g^{- [(s_{S M_{i} - BG W_{j} - LA G_{i}}^{'}) β_{LA G_{i} - S M_{i}} + α_{LA G_{i} - S M_{i}}]} \cdot \\ g^{S K_{BG W_{j - LA G_{i}}} \cdot {m_{i - LA G_{i}}^{'}}_{} \cdot β_{LA G_{i} - S M_{i}}} \cdot r_{i - LA G_{i}} (\mod p) \\ = g^{- {[{m_{i - LA G_{i}}^{'}}_{} S K_{BG W_{j - LA G_{i}}} + {k_{BG W_{j - LA G_{i}}}^{'}}_{}] \cdot β_{LA G_{i} - S M_{i}} + α_{LA G_{i} - S M_{i}}}} \cdot \\ g^{(S K_{BG W_{j - LA G_{i}}} \cdot {m_{i - LA G_{i}}^{'}}_{} \cdot β_{LA G_{i} - S M_{i}})} \cdot r_{i - LA G_{i}} (\mod p) \\ = g^{- {k_{BG W_{j - LA G_{i}}}^{'}}^{}_{} \cdot β_{LA G_{i} - S M_{i}} - α_{LA G_{i} - S M_{i}}} \cdot r_{i - LA G_{i}} (\mod p) \\ = {r_{BG W_{j - LA G_{i}}}^{'}}_{}^{- β_{LA G_{i} - S M_{i}}} \cdot g^{- α_{LA G_{i} - S M_{i}}} \cdot \\ (m_{i - LA G_{i}} g^{α_{LA G_{i} - S M_{i}}} {r_{BG W_{j - LA G_{i}}}^{'}}^{β_{LA G_{i} - S M_{i}}}) (\mod p) \\ = m_{i - LA G_{i}} . \end{array}

(3)

Property 2 (to resist replay attack).

In EPPDC scheme, we assume that there is an adversary $A$ who can intercept and capture the messages sent by $SM$ s. When adversary $A$ resends the messages, $BGW$ can detect the replay attack based on the $SM$ 's signature or $HMAC$ with the current timestamp. For the same reason, $LAG$ can also detect the replay attack, when an adversary $A$ resends the $BGW$ 's messages.

Property 3 (confidentiality).

In EPPDC scheme, the messages maintain their confidentiality when messages are sent to $LAG$ from $SM$ .

Proof.

During Stage III of data collection in EPPDC scheme, $S M_{i - LA G_{i}}$ has processed the information $m_{i - LA G_{i}}$ into $m_{i - LA G_{i}}^{'}$ by blind factors $α_{LA G_{i} - S M_{i}}$ and $β_{LA G_{i} - S M_{i}}$ , before $S M_{i - LA G_{i}}$ sends the messages to $BG W_{j - LA G_{i}}$ .

We consider the following game played between a challenge $C$ and an adversary $A$ . $C$ runs the system initialization and sends the system parameters to $A$ . $A$ performs a polynomial bounded number of queries (these queries may be made adaptively; that is, each query may depend on the answer to the previous queries). By queries, $A$ can get many couples of $(m_{i - LA G_{i}})^{*}$ and $(m_{i - LA G_{i}}^{'})^{*}$ , where $(m_{i - LA G_{i}})^{*} \neq m_{i - LA G_{i}}$ . Based on discrete logarithm problem, $A$ cannot get the blind factors $α_{LA G_{i} - S M_{i}}$ and $β_{LA G_{i} - S M_{i}}$ from $(m_{i - LA G_{i}})^{*}$ and $(m_{i - LA G_{i}}^{'})^{*}$ . For the same reason, $A$ cannot get $m_{i - LA G_{i}}$ if it does not know $α_{LA G_{i} - S M_{i}}$ and $β_{LA G_{i} - S M_{i}}$ .

Therefore, an adversary $A$ cannot get $m_{i - LA G_{i}}$ , even if $BG W_{j - LA G_{i}}$ cannot get $m_{i - LA G_{i}}$ too. Thus the messages maintain their confidentiality when messages are sent to $LAG$ from $SM$ .

Property 4 (nonrepudiation and unforgeability).

During Stage III of data collection in EPPDC scheme, $S M_{i - LA G_{i}}$ sends $m_{i - LA G_{i}}^{'} ∥ T_{4}$ and its signature to $BG W_{j - LA G_{i}}$ , which is sent to $LA G_{i}$ by $BG W_{j - LA G_{i}}$ at a later step.

We consider the following game played between a challenge $C$ and an adversary $A$ . $A$ performs a polynomial bounded number of adaptive queries. By queries, $A$ can get many couples of $(m_{i - LA G_{i}}^{'} ∥ T_{4})^{*}$ and $Si g_{S K_{S M_{i - LA G_{i}}}} (m_{i - LA G_{i}}^{'} ∥ T_{4})^{*}$ . Based on the properties of signature [19], $A$ cannot forge the $S M_{i - LA G_{i}}$ 's signature $Si g_{S K_{S M_{i - LA G_{i}}}} (m_{i - LA G_{i}}^{'} ∥ T_{4})$ on message $(m_{i - LA G_{i}}^{'} ∥ T_{4})^{*}$ . Thus, $S M_{i - LA G_{i}}$ cannot repudiate $m_{i - LA G_{i}}^{'} ∥ T_{4}$ being sent by himself.

In the following steps, $BG W_{j - LA G_{i}}$ signs the message $m_{i - LA G_{i}}^{'}$ via blind signature with its private key $S K_{BG W_{j - LA G_{i}}}$ . By adaptive queries, $A$ can get many couples of $m_{i - LA G_{i}}^{' *}$ and $(s_{S M_{i} - BG W_{j} - LA G_{i}}^{*}, r_{i - LA G_{i}}^{*})$ . Based on discrete logarithm problem, $A$ cannot get $BG W_{j - LA G_{i}}$ 's private key $S K_{BG W_{j - LA G_{i}}}$ . Based on discrete logarithm problem, if $A$ forges $BG W_{j - LA G_{i}}$ 's blind signature, the signature will not be authenticated by $LA G_{i}$ making use of (3). Thus, $BG W_{j - LA G_{i}}$ cannot repudiate ( $m_{i - LA G_{i}}^{'}, s_{S M_{i} - BG W_{j} - LA G_{i}}, r_{i - LA G_{i}}$ ) being sent by himself.

Furthermore, based on the properties of signature, the messages sent by $S M_{i - LA G_{i}}$ and $BG W_{j - LA G_{i}}$ are provided with the source authentication and data integrity.

Property 5 (forward security).

In EPPDC scheme, the permit has a validity period d. When permit is valid, both $SM$ and $LAG$ can noninteractively share $d^{'}$ dimensional key $K_{LAG - SM} = (K_{1}, K_{2}, \dots, K_{d^{'}})$ , where $d^{'}$ is the corresponding number of days for d. Thereby in $d^{'}$ days, $SM$ and $LAG$ use different shared key every day.

In the key evolution phase, $SM$ deletes the previous shared key after it has computed the new shared key $K_{LAG - SM}$ . If an adversary $A$ compromises a HAN user's $SM$ , it gets the current shared key $H (K_{LAG - SM})$ . Assume that an adversary $A$ can perform a polynomial bounded number of adaptive queries for a challenge $C$ . By queries, $A$ can get many shared keys $K_{LAG - SM}^{*}$ . Based on the property of one-way for hash function, $A$ cannot get any previous shared key $K_{LAG - SM}$ making using of the current shared key $H (K_{LAG - SM})$ . Thus adversary $A$ cannot compute the previous blind factor, and then it cannot get previous message m sent by SM. Therefore, EPPDC scheme provides the evolution and forward secrecy of shared key $K_{LAG - SM}$ .

Finally, we present the comparison results of security levels in Table 1. It can be seen that scheme [7] and scheme [10] achieve confidentiality, authenticity, and data integrity and scheme [9] cannot resist replay attack.

Table 1

Comparison of security level.

	[7]	[9]	[10]	EPPDC
Confidentiality	Yes	Yes	Yes	Yes
Authenticity	Yes	Yes	Yes	Yes
Data integrity	Yes	Yes	Yes	Yes
To resist replay attack	No	No	No	Yes
Forward secrecy	No	Yes	No	Yes
Private key evolution	No	Yes	No	Yes

6.2. Computation Overhead

In EPPDC scheme, every $SM$ sends its processed messages $m^{'}$ and its corresponding signatures to BGW. BGW verifies the validity of SM's signature. For available signature, BGW signs message $m^{'}$ making use of blind signature and sends it to LAG. LAG can verify that the message is indeed sent by BGW and SM. Furthermore, LAG can recover the original message m.

In EPPDC, we assume that the SM's signature can be converted into the same as the existing literatures such as [7–11] using bilinear pairing, which can also perform the bath verification [7]. So here we mainly discuss the computation complexity of messages m turning to $m^{'}$ , the signature of BGW, verification of BGW's signature, and recovery for the original message m. Because the computation complexity is similar in [7, 9] which are both realized by homomorphic encryption, we only consider [7] in the following comparisons.

In EPPDC scheme, $S M_{i - LA G_{i}}$ needs 2 exponentiation operations, 3 multiplication operations, and 1 inverse operation in $Z_{p}^{*}$ to blind message m to $m^{'}$ . In [7], $S M_{i - LA G_{i}}$ needs 2 exponentiation operations and 1 multiplication operation in $Z_{n}^{2}$ to encrypt message m to C using homomorphic encryption. In [10], $S M_{i - LA G_{i}}$ encrypts message m to C making use of AES block cipher.

In EPPDC scheme, BGW can perform the bath verification. BGW makes use of blind signature to sign blinded messages which are authenticated. Here BGW only needs 1 addition operation and 1 multiplication operation in $Z_{p}^{*}$ . In [7], BGW needs 1 multiplication operation in $G_{1}$ and 1 hash operation. In [10], BGW needs 1 addition operation and 2 multiplication operations in $G_{1}$ .

In EPPDC scheme, LAG verifies that the message is indeed sent by BGW and recovers the original message m which needs 4 exponentiation operations, 6 multiplication operations, 1 addition operation, and 2 inverse operations in $Z_{p}^{*}$ . In [7], LAG can verify that the message is indeed sent by BGW and recover the original message m, which needs 1 exponentiation operation, 1 multiplication operation in $Z_{n}^{2}$ , 2 pairing operations, and 1 hash operation. In [10], LAG can verify that the message is indeed sent by BGW and recover the original message m, which needs 2 pairing operations, 1 multiplication operation in $G_{1}$ , 1 exponentiation operation in $G_{T}$ , 2 exponentiation operations in $Z_{p}$ , and AES decryption.

Since the AES encryption or decryption and hash function are negligible compared with exponentiation and pairing operations, here we mainly consider the computation overhead for other operations. Table 2 gives the test time for the involved cryptography operations [20]. The experiments are conducted on a computer with Intel i5-3210-2.5 GHz CPU and 4-GB RAM.

Table 2

Cryptographic operations execution time.

	Denotation	Time (ms)
$T_{EX}$	An exponentiation in $Z_{p}^{*}$	0.067
$T_{Ad}$	An addition in $Z_{p}$	0.001
$T_{Mu}$	A multiplication in $Z_{p}^{*}$	0.001
$T_{In}$	An inverse operation in $Z_{p}^{*}$	0.004
$T_{Add}$	An addition in $G_{1}$	0.038
$T_{PM}$	A multiplication in $G_{1}$	8.006
$T_{Mul}$	A multiplication in $G_{T}$	0.013
$T_{EXp}$	An exponentiation in $G_{T}$	1.882
$T_{P}$	A pairing operation	16.064

When a message is sent by SM, the comparisons of computation complexity for SM, BGW, and LAG are shown in Table 3.

Table 3

The comparisons of computation complexity.

SM	BGW	LAG	Reference
$2 T_{EX}$ + $T_{Mu}$	$T_{PM}$	$T_{EX}$ + $T_{Mu}$ + $2 T_{P}$	[7]
0	$2 T_{PM}$ + $T_{Add}$	$2 T_{EX}$ + $T_{EXp}$ + $T_{PM}$ + $2 T_{P}$	[10]
$2 T_{EX}$ + $3 T_{Mu}$ + $T_{In}$	$T_{Mu}$ + $T_{Ad}$	$4 T_{EX}$ + $6 T_{Mu}$ + $T_{Ad}$ + $2 T_{In}$	This paper

When n messages are sent by different SMs to the same LAG, LAG can make use of the bath verification to reduce pairing operation from $2 n$ to $n + 1$ [7, 10].

With the exact operation costs, we depict the variation of computation costs in terms of the message number n in Figures 4 and 5, which is for BGW and LAG, respectively. From the figures, it can be obviously shown that the EPPDC scheme largely reduces the computation complexity for both BGW and LAG.

Figure 4

Computation cost of BGW.

Figure 5

Computation cost of LAG.

7. Conclusions

This paper proposes an efficient and privacy-preserving data collection scheme for smart grid, which is based on the blind signature and the key distribution scheme. This scheme can achieve that the users' data information is transmitted to the local aggregator through building gateway. And we analyze the EPPDC scheme. The analysis shows that the scheme not only provides privacy preserving but also has less computation cost than existing schemes.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported in part by the Natural Science Foundation of China (61102056, 61201132), Fundamental Research Funds for the Central Universities of China (K5051301013), and the 111 Project of China (B08038).

References

Geisler

The Relationship Between Smart Grids and Smart Cities

2013, http://smartgrid.ieee.org/may-2013/869-the-relationship-between-smart-grids-and-smart-cities

Woods

Why Smart Cities Need Smart Grids

March 2013, http://www.navigantresearch.com/blog/why-smart-cities-need-smart-grids

U.S. Department of Energy The Smart Grid: An Introduction 2008

Washington, DC, USA

U.S. Department of Energy

Bojanić

García

O. N.-T.

Security aspects of advanced metering infrastructures

Proceedings of the 9th Symposium on Industrial Electronics (INDEL '12)

November 2012

Banja Luka, Bosnia and Herzegovina

205 208

Jawurek

Kerschbaum

Danezis

SoK: Privacy Technologies for Smart Grids—A Survey of Options

http://www.research.microsoft.com/pubs/178055/paper.pdf

Cristina

Giacomo

Antonio

Privacy-preserving smart metering with multiple data consumers

Computer Networks 2013 57 7 1699 1713

Liang

Lin

Shen

EPPA: an efficient and privacy-preserving aggregation scheme for secure smart grid communications

IEEE Transactions on Parallel and Distributed Systems 2012 23 9 1621 1632

Saputro

Akkaya

On preserving user privacy in Smart Grid advanced metering infrastructure applications

Security and Communication Networks 2014 7 1 206 220

10.1002/sec.706

2-s2.0-84894094066

Lin

Yang

Liang

Shen

EPPDR: an efficient privacy-preserving demand response scheme with adaptive key evolution in smart grid

IEEE Transactions on Parallel and Distributed Systems 2014 25 8 2053 2064

10.1109/TPDS.2013.124

10.

H. K.-H.

Kwok

S. H. M.

Lam

E. Y.

Lui

K.-S.

Zero-configuration identity-based signcryption scheme for smart grid

Proceedings of the 1st IEEE International Conference on Smart Grid Communications (SmartGridComm '10)

October 2010

321 326

11.

Chen

Zhang

Y. Y.

The scheme of identity-based aggregation signcryption in smart grid

Advanced Materials Research 2014 960-961 832 835

12.

Rottondi

Verticale

Capone

Privacy-preserving smart metering with multiple data consumers

Computer Networks 2013 57 7 1699 1713

13.

Rottondi

Verticale

Krauß

Distributed privacy-preserving aggregation of metering data in smart grids

IEEE Journal on Selected Areas in Communications 2013 31 7 1342 1354

10.1109/JSAC.2013.130716

2-s2.0-84880204032

14.

Jia

Zhu

Cao

Dong

Xiao

Human-factor-aware privacy-preserving aggregation in smart grid

IEEE Systems Journal 2014 8 2 598 607

15.

Liu

Ning

Zhang

Yang

L. T.

Aggregated-proofs based privacy-preserving authentication for V2G networks in the smart grid

IEEE Transactions on Smart Grid 2012 3 4 1722 1733

16.

Krawczyk

Canetti

Bellare

HMAC: keyed-hashing for message authentication

RFC 1997 2104

17.

Liu

Ning

Sun

Efficient self-healing group key distribution with revocation capability

Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03)

October 2003

Washington, DC, USA

231 240

18.

Camenisch

J. L.

Piveteau

J.-M.

Stadler

M. A.

Blind signatures based on the discrete logarithm problem

Advances in Cryptology—EUROCRYPT '94 1995 950 428 432 Lecture Notes in Computer Science

10.1007/BFb0053458

19.

Mao

Modern Cryptography: Theory and Practice 2003

Prentice Hall, PTR

20.

PBC Library, http://crypto.stanford.edu/pbc

EPPDC: An Efficient Privacy-Preserving Scheme for Data Collection in Smart Grid

Abstract

1. Introduction

2. Related Works

3. Models and Design Goal

3.1. System Model

3.2. Security Model

3.3. Design Goal

4. Preliminaries

4.1. Bilinear Pairings

4.2. Hash Function and HMAC

4.3. Group Key Distribution Scheme

4.4. Nyberg-Rueppel Blind Signature

5. EPPDC Scheme

5.1. System Initialization

5.2. Certificate Issuing

5.3. User Registration

5.4. Data Collection

Algorithm 1: The process of verifying C 1 S M i - LA G i .

Algorithm 2: Message generation algorithm for LAG.

Algorithm 3: The process of recovering message for LAG.

5.5. Key Evolution

6. Security Analysis and Computation Overhead

6.1. Security Analysis

Property 1 (correctness).

Proof.

Property 2 (to resist replay attack).

Property 3 (confidentiality).

Proof.

Property 4 (nonrepudiation and unforgeability).

Property 5 (forward security).

6.2. Computation Overhead

7. Conclusions

Footnotes

Conflict of Interests

Acknowledgments

References

Algorithm 1: The process of verifying $C_{1_{S M_{i - LA G_{i}}}}$ .