Sage Journals: Discover world-class research

Abstract

As a convergence of traditional power system engineering and information technology, smart grid, which can provide convenient environment of operation and management for the power provider, has attracted considerable interest recently. However, the flourish of smart grid is still facing many challenges in data security and privacy preservation. In this paper, we propose an efficient privacy-preserving multidimensional aggregation scheme for smart grid, called PAS. Without disclosing the privacy-sensitive information (e.g., identity and power consumption) of users, the operation center can obtain the number of users and power consumption at each step in different dimensions. Based on an improved Paillier cryptosystem, the operation center can acquire more valid information to regulate the generated energy, and an efficient anonymous authentication scheme is employed to protect the privacy of user's identity from the regional center. Detailed security analysis shows the security and privacy-preserving ability of PAS. In addition, performance evaluations via extensive simulations demonstrate that PAS is implemented with great efficiency for smart grid in terms of computation and communication overhead.

1. Introduction

The 22nd world energy congress under the theme of “Securing Tomorrow's Energy Today” was held on October 13, 2013, in Daegu, South Korea [1], which offered a unique opportunity for participants to get a better understanding of energy issues and solutions from a global perspective. Simultaneously, the optimization of energy structure and the improvement of energy utilization were taken into consideration inevitably. Especially in the electric area, the lack of reasonable electrical structure to meet growing demands has stretched the power grid to its limits. Furthermore, in the past 100 years, there has been no dramatic change in the basic structure of electrical power grid. Experience has shown that the hierarchical, centrally controlled power grid cannot meet the growing demands of the 21st century [2]. Therefore, researching for a new power grid, which can support the new power system and enhance the efficiency of power consumption, is currently an emergency for most countries.

Recently the appearance of smart grid has attracted plenty of countries' interest and has been regarded as the next generation of power grid [3–8]. Compared with traditional grid, smart grid supports centralized two-way transmission and efficiency-driven response. Besides, smart grid relies on cyber-physical systems or the Internet of Things to provide intelligent scheduling for power transmission and distribution [9]. For instance, smart meter equipped with network interfaces (e.g., wireless sensors) reports power consumption to the operation center via the advanced meter controlled by the regional center, as shown in Figure 1. The operation center spans different geographic regions and can transmit the result of data analysis to the power supplier in a distributed way, whose responsibility is to adjust power supply dynamically to meet demands and detect and respond to the weaknesses or failures of power system in real time.

Figure 1

The conceptual architecture of smart grid.

Smart meter (SM) which is two-way communication device and deployed at users premise is indispensable component in the smart grid, since it can record real-time power consumption periodically. With SM, smart grid is capable of collecting real-time information about grid operations and status at the operation center. SM will send the encrypted power consumption to the regional center after being authorized. Through the regional center, smart grid can transmit the user's detailed electricity information to the operation center, which may then change electricity price accordingly or even adjust user's usage. However, if there is an adversary in the regional area, he/she may infer user's physical activities based on the power consumption of a family. For instance, unusual low daily power consumption of a household indicates that the home owners are probably away from home. Therefore, such privacy-sensitive information must be protected from unauthorized access [10, 11].

However, the majority of existing schemes [12–15] can offer total power consumption to the power supplier; this user-centric information is far from enough for the service provider (e.g., the electric company) to allocate power resource. For example, many service providers adopt the multistep electricity pricing policy [16] where the price of electricity is based on the user's power consumption. In order to utilize and dispatch different kinds of step electricity for service providers, more information related to users (e.g., the number of users and power consumption at each step, etc.) is required. With regard to the power supplier, not only can it classify users depending on the power consumption, but also it works out a practical and reasonable business strategy.

In this paper, from the perspective of power supplier, under the promise of protecting the confidentiality of user's identity and power consumption, we propose an efficient privacy-preserving multidimensional aggregation scheme for smart grid, called PAS. The characteristics of proposed PAS are offering more valid user information to the power supplier and achieving user's identity privacy and data confidentiality. The main contributions of this paper are threefold. (i)

First, PAS provides more valid user information without disclosing user's data and identity privacy. Upon the employment of an improved Paillier cryptosystem [17] technique, the operation center can acquire both the number of users and power consumption at each step by decrypting the preliminary aggregations from the regional center. Simultaneously, compared with the existing aggregation schemes [18–20], PAS provides more effective information to the power supplier to make more planed electricity strategy.

(ii)

Second, PAS can guarantee fine-grained privacy preserving. Although the aggregation scheme [12] can guarantee the privacy of user's information, the authenticator still knows the identity which corresponds to the signature. However, in our scheme, the improved group signature [21] scheme makes user's identity unrecognized by the regional center. Meanwhile, data privacy preservation requirements can be achieved through the improved Paillier cryptosystem.

(iii)

Third, PAS achieves the traceable anonymity of smart grid. We employ a specific group signature scheme between the smart grid and the regional center, which can obtain the authentication and traceability of message. The regional center checks out the message and signature without knowing the smart grid's identity. But if the smart grid's signature is proved to be invalid, the identity of malicious smart grid could be ferreted out with the help of TA.

The remainder of this paper is organized as follows. In Section 2, we formalize the system model and security requirements and identify our design goal. Then, we recall the discrete logarithm and Paillier cryptosystem as the preliminaries in Section 3. Then, we present our PAS scheme in Section 4, followed by the security analysis and performance evaluation in Sections 5 and 6, respectively. We also discuss some related works in Section 7. Finally, we draw our conclusions and identify some future work in Section 8.

2. System Model, Security Requirements, and Design Goal

In this section, we formalize the system model and security requirements and identify our design goal.

2.1. System Model

In our system model, we mainly focus on how to report user's privacy-preserving power consumption information to the operation center. Specifically, the system consists of four parts: trusted authority (TA), residential area (RA), operation center (OC), and regional center (RC), as shown in Figure 2.

Figure 2

System model under consideration.

TA: the trusted authority is fully trustable in the whole system, whose duty is to bootstrap the system initialization and distribute secret keys to the SM, RC, and OC (some parameters must be kept private, while others are public). In addition to system initialization, TA is offline in other phases. Only in the case that errors exist in the process of authentication, TA can respond to it in time; for example, when errors arise in the authentication, TA can recover the malicious identity of SM based on the group signature scheme. Therefore, TA is an indispensable part in this system.

RA: we consider a typical residential area, which mainly consists of a connection with RC and a great number of users that are equipped with smart meters $\{S M_{1}, S M_{2}, \dots, S M_{n}\}$ . $S M_{i}$ records the real-time data about power consumption, and the data will be reported to RC in a certain period.

RC: RC is a powerful workshop, which mainly performs three functions: authentication, aggregation, and relaying. Some authentication operations must be performed to guarantee the privacy of user's identity before SM transmits user's encrypted data to RC. The aggregation component is responsible for aggregating user's multidimensional power consumption into a compressed one. The relaying component transmits aggregation data to OC.

OC: the responsibility of OC is to analyze the aggregated regional data. It can supply power supplier with valid user information which includes the number of users and power consumption at each step, so as to carry out the dynamic step tariff and locate the trouble spot.

2.2. Security Requirements

In our security model, we consider RA (e.g., a typical residential area) mainly consists of a connection with RC (e.g., the property management) and a great number of users that are equipped with SM. OC (e.g., the electric company) spans different RC and analyzes the aggregation regional data. Specifically, we assume that RC and OC are not in collusion with each other and both of them are honest but curious. That is, RC and OC aggregate the encrypted data from SM exactly, but it is curious to SM's real-time data and identity. In addition, the confidentiality and the integrity of data need be guaranteed. Therefore, in order to prevent the user's data in RC and OC, PAS must satisfy the following three security requirements. (i)

Confidentiality. The scheme should protect user's data from being analyzed by RC, and guarantee the user's identity privacy. Though RC has all the data from $S M_{i}$ , it cannot identify the contents of reports, neither can it distinguish any user's data. In such a way, our system model can meet the privacy-preserving requirements of user's data.

(ii)

Authentication. The scheme should guarantee that an encrypted report at RC is really sent by a legitimate residential user and has not been transformed during the transmission to RC; that is, if the adversary forges or modifies a report, the malicious operations should be detected at RC. Thus, only the correct user information can be received by RC.

(iii)

Anonymity. The identity of user should be unknown in the scheme. On one hand, when RC receives the messages from $S M_{i}$ , the signature could be checked without disclosing the identity of $S M_{i}$ . On the other hand, OC can acquire the number of users at each step without knowing the users' identities. Under this circumstance, the identity of user is kept secret from RC and OC.

2.3. Design Goal

According to the aforementioned system model and security requirements, our design goal is to develop an efficient privacy-preserving multidimensional aggregation scheme for smart grid. Specifically, the following three objectives should be achieved. (i)

The scheme should provide more effective information to the power supplier and satisfy a classified management. The power supplier should obtain the total power usage information that is the number of users and power consumption at each step. With these valid data, not only can it develop a reasonable step tariff strategy, but also the power consumption in one RA can realize load balancing. Through the implementation of step tariff strategy, we can get energy conservation to some extent. Therefore, compared with electric energy production, system engineers can discover the trouble spot in the process of power transport.

(ii)

The confidentiality of user's identity and power consumption should be guaranteed. If the smart grid does not take the security of user information into account, the residential user's privacy information would be revealed, and the real-time power consumption data could be modified. Therefore, the proposed scheme should achieve identity and data privacy preservation requirements simultaneously.

(iii)

The proposed PAS scheme should be effective and practical to the smart grid. Although the performance of smart grid is continuously improved today, it still cannot afford the high computational overhead. The proposed scheme should also consider the effectiveness in terms of computation and communication to be acceptable to smart grid.

3. Preliminaries

In this section, we review the discrete logarithm problem and the Paillier cryptosystem [17], which support the security of signature and can serve as the basis of proposed PAS scheme.

3.1. Discrete Logarithm Problem

The difficulty of computing discrete logarithms [22] is the basic problem underlying the results of this thesis.

Definition 1.

Let G be a finite cyclic group and let $g^{'} \in G$ be a generator of G. Given an element $a \in G$ , the discrete logarithm to the base $g^{'}$ of a in the group G is the unique integer b ( $0 \leq b \leq |G|$ ) such that $a = g^{' b}$ .

Usually, the discrete logarithm is also called index of an element a. If $g^{'}$ is not a generator, the notion of discrete logarithm of a to the base $g^{'}$ is extended to be the smallest integer b, such that $a = g^{' b}$ , if it exists.

Definition 2.

The discrete logarithm problem (DLP) is stated as follows: given a finite cyclic group G, a generator $g^{'}$ , and an element a of G, to find the integer b ( $0 \leq b \leq |G| - 1$ ) such that $a = g^{' b}$ .

Definition 3 (computational Diffie-Hellman (CDH)).

Let p and q be primes such that $q | (p - 1)$ . Suppose g is an element selected from $Z_{q}^{*}$ with order q. Let $B$ be an attacker. $B$ tries to solve the following problem: given $(g, g^{a}, g^{b})$ for uniformly chosen $a, b \in Z_{q}^{*}$ at random, compute $g^{a b}$ . We define $B$ 's advantage in solving the CDH problem by $A d v (B) = P r [B (g, g^{a}, g^{b}) = g^{a b}]$ .

3.2. Paillier Cryptosystem

The Paillier cryptosystem is widely used in privacy-preserving applications [23, 24], which can achieve the privacy-preserving properties. Specifically, the Paillier cryptosystem is comprised of three parts: key generation, encryption, and decryption. (i)

Key generation ( $G e n (k_{1})$ ): given a security parameter $k_{1}$ , then system selects two large primes $p_{1}, p_{2} (|p_{1}| = |p_{2}| = k_{1})$ . Then, the RSA modulus $n = p_{1} \cdot p_{2}$ and $λ = lc m (p_{1} - 1, p_{2} - 1)$ are achieved. Define a function $L (u) = (u - 1) / n$ , and after choosing a generator $g \in Z_{n^{2}}^{*}$ , $μ = {(L (g^{λ} \mod n^{2}))}^{- 1}$ will be calculated. Finally, the public key is $p k = (n, g)$ and the corresponding private key is $s k = (λ, μ)$ .

(ii)

Encryption: given a user's data $m \in Z_{n}$ , choose a random number $r \in z_{n}^{*}$ , and the ciphertext can be expressed as $c = E (m) = g^{m} r^{n} \mod n^{2}$ .

(iii)

Decryption: given the ciphertext $c \in Z_{n^{2}}^{*}$ , the corresponding data can be recovered as $m = D (c) = L (c^{λ \mod n^{2}}) \cdot μ \mod n$ .

4. Proposed Schemes

In this section, we propose the efficient privacy-preserving multidimensional aggregation scheme for smart grid, called PAS, which mainly consists of the following four parts: system initialization, user data acquisition, privacy-preserving regional aggregation, and data analysis. For easier expression, we give the description of notations used in PAS in the following notations.

Notations Used in PAS

$A$ : the large prime added to the last step of consumption,

$p_{1}, p_{2}, f, p_{1}^{'}, p_{2}^{'}$ : five big primes, and $p_{1} = 2 f p_{1}^{'} + 1$ ; $p_{2} = 2 f p_{2}^{'} + 1$ ,

$(n = p_{1} \cdot p_{2}, g)$ : the public key of holomorphic encryption,

$g^{'}$ : $g^{'} \in Z_{n}^{*}$ , $〈g^{'}〉$ generates a circle group with the order f,

g: $g \in Z_{n^{2}}^{*}$ , a generator in the Paillier cryptosystem,

$h ()$ : $h ()$ is a secure cryptographic hash function,

$x_{T A}$ : $x_{T A} \in Z_{n}^{*}$ , the private key of TA,

$y_{T A}$ : $y_{T A} = g^{{' x}_{T A}}$ , the authentication public key of TA,

$I D_{T A}$ : $I D_{T A} \in Z_{n}^{*}$ , TA's identity number,

$(e, d)$ : $d \cdot e = 1 \mod ϕ (n)$ ,

k: a security parameter k for $G e n ()$ ,

$k_{i}$ : $k_{i} \in Z_{n}^{*}$ , the private key of SM,

$r_{i}$ : a random number $r_{i} \in Z_{n}^{*}$ chosen by $S M_{i}$ ,

$x_{R C}$ : $x_{R C} \in Z_{n}^{*}$ , the private key of RC,

$(n, g^{'}, y_{R C})$ : the public key of RC, $y_{R C} = g^{' x_{R C}} (\mod n)$ ,

$(λ, μ)$ : the private key in the Paillier cryptosystem,

ω: the maximum number of households in a residential area,

l: the number of step electricity,

$(T_{1}, T_{2}, \dots, T_{l})$ : the power consumption at each step, and $T_{1}$ is the basic step,

$d_{2}$ : the value of each type $T_{i}$ is less than a constant $d_{2}$ ,

$\vec{a} = (a_{1}, a_{2}, \dots, a_{l})$ : $(a_{2}, \dots, a_{l})$ are big prime numbers,

$\vec{g} = (g_{1}, g_{2}, \dots, g_{l})$ : $g_{i} = g^{a_{i}}$ $(f o r i = 1,2, \dots, l)$ .

4.1. System Initialization

For a single authority smart grid system under consideration, a trusted TA bootstraps the whole system which is responsible for distributing secret keys to SM, RC, and OC. In particular, TA first chooses a security parameter k to obtain the Paillier cryptosystem's key $(g, μ, λ, p_{1}, p_{2}, n = p_{1} \cdot p_{2})$ by running $G e n (k)$ , where $p k = (n, g)$ and $s k = (λ, μ)$ are the public key and the corresponding private key, respectively, and then selects $g^{'} \in Z_{n}^{*}$ , where $〈g^{'}〉$ generates a circle group with the order f. Afterwards, TA chooses a secure cryptographic hash function $h ()$ , where $h : {0,1}^{*} \to Z_{n}^{*}$ .

Assuming that the maximum number of SM in RC is less than ω, the power consumption at each step is $(T_{1}, T_{2}, \dots, T_{l})$ in which $T_{1}$ is the basic step and the value of each type $T_{i}$ is less than a constant $d_{2}$ . A big prime vector $\vec{a} = (a_{1} = 1, a_{2}, \dots, a_{l})$ satisfies that the length $|a_{i}| \geq k$ , $\sum_{j = 1}^{i - 1} a_{j} \cdot ω \cdot d_{2} < a_{i}$ $(i = 2, \dots, l)$ , and $\sum_{i = 1}^{l} a_{j} \cdot ω \cdot d_{2} < n$ , and then the vector $\vec{g} = (g_{1}, g_{2}, \dots, g_{l})$ is calculated as $g_{i} = g^{a_{i}}$ $(f o r i = 1,2, \dots, l)$ . TA chooses an integer number e which satisfies $\gcd (e, ϕ (n)) = 1$ and calculates the corresponding d according to $d \cdot e = 1 \mod ϕ (n)$ . At the same time, TA selects a large prime $A$ whose length is 30 bits less than q and $A$ is much larger than the total power consumption of users in 15 minutes. In addition, TA chooses a random number $x_{T A} \in Z_{n}^{*}$ as its private key and calculates the corresponding public key $y_{T A} = g^{' x_{T A}}$ . RC chooses a random number $x_{R C} \in Z_{n}^{*}$ as its private key and calculates the corresponding public key $y_{R C} = g^{' x_{R C}}$ .

When a local $S M_{i}$ in the residential area registers in the system, firstly $S M_{i}$ chooses a random number $k_{i}$ $(k_{i} \in Z_{n}^{*})$ as its private key and calculates $I D_{i} = g^{' k_{i}} \mod n$ and then transmits $I D_{i}$ to TA. Once getting the $I D_{i}$ of SM, TA chooses a random number $α \in Z_{n}^{*}$ and calculates $r = g^{' α} \mod n$ , $s = α + {r x}_{T A} h (I D_{i}) \mod f$ , and $w = {(I D_{T A} {r y}_{T A}^{r h (I D_{i})} I D_{i})}^{- d} \mod n$ . TA stores the qualification certificate of $S M_{i} (r, s, w, I D_{i})$ in the regional database.

Finally, TA sends $〈r, s, w〉$ and Paillier cryptosystem's key $〈λ, μ〉$ to the registered $S M_{i}$ and OC, respectively, by a secure channel, keeps $〈x_{T A}, q_{1}, q_{2}〉$ secretly, and publishes the system parameters $〈n, g, g^{'}, G, h (), \vec{a}, \vec{g}, A, y_{T A}〉$ .

4.2. User Data Acquisition

In order to achieve the nearly real-time user's power consumption at every 15 minutes, each user in the regional area equips a $S M_{i}$ to collect l types of data $(d_{i 1}, d_{i 2}, \dots, d_{i l})$ which is the power consumption at each step $(T_{1}, T_{2}, \dots, T_{l})$ . And then $S M_{i}$ calculates the encrypted data $c_{i}$ and signature of $S M_{i}$ as follows.

Step 1.

$S M_{i}$ gets the power consumption $m_{i}$ , which is located at two-step interval $[k, k + 1]$ , and computes the real power consumption $(d t_{i 1}, d t_{i 2}, \dots, d t_{i l})$ at each step where $d t_{i 1} = T_{1}$ , $d t_{i j} = T_{j} - T_{j - 1} (f o r 2 \leq j \leq k)$ , $d t_{i (k + 1)} = m_{i} - T_{k}$ , and $d t_{i j} = 0 (f o r k + 1 < j \leq l)$ . Then $S M_{i}$ obtains $(d_{i 1}, d_{i 2}, \dots, d_{i l})$ , where $d_{i m} = d t_{i m} (m = 1, 2, \dots, k, k + 2, \dots, l)$ and $d_{i (k + 1)} = d t_{i (k + 1)} + A$ .

Step 2.

$S M_{i}$ chooses a random number $r_{i} \in Z_{n}^{*}$ and then calculates the encrypted power consumption $c_{i} = \prod_{j = 1}^{l} g_{j}^{d_{i j}} r_{i}^{n} \mod n^{2}$ .

Step 3.

$S M_{i}$ selects two random numbers $q_{1}, q_{2} \in Z_{n}^{*}$ and uses the private key $k_{i}$ to make the signature $S i g_{S M_{i}} = (u, v_{1}, v_{2}, T S)$ as

\begin{matrix} z = q_{2}^{e} g^{' q_{1}} \mod n, \\ u = h (z, c_{i}, T S), \\ v_{1} = q_{1} + (s + k_{i}) u, \\ v_{2} = q_{2} w^{u} \mod n \end{matrix}

(1)

in which the TS is the current time stamp.

Step 4.

$S M_{i}$ sends the encrypted power consumption and the signature $〈c_{i}, S i g_{S M_{i}}〉$ to RC.

4.3. Privacy-Preserving Regional Aggregation

While receiving $〈c_{i}, S i g_{S M_{i}}〉$ ( $i = 1, 2, \dots, ω$ ) at time ${T S}^{'}$ , RC first checks the validity of time stamp TS in order to resist the replaying attack. If $|{T S}^{'} - T S| \leq Δ T$ , where $Δ T$ denotes the excepted valid time interval for transmission delay, the TS is accepted. Then, RC computes $z^{'} = I D_{T A}^{u} g^{{' v}_{1}} v_{2}^{e} \mod n$ , $u^{'} = h (z^{'}, c_{i}, T S)$ and checks whether $u = u^{'}$ . If it does hold, the signature is accepted, since

\begin{matrix} z^{'} = I D_{T A}^{u} g^{' v_{1}} v_{2}^{e} \mod n = I D_{T A}^{u} g^{{' q}_{1} + (s + k_{i})} {(q_{2} w^{u})}^{e} \mod n = I D_{T A}^{u} g^{{' q}_{1}} {(r y_{T A}^{r h (I D_{i})})}^{u} I D_{i}^{u} q_{2}^{e} {(I D_{T A} r y_{T A}^{r h (I D_{i})} {I D}_{i})}^{- u} \mod n = q_{2}^{e} g^{{' q}_{1}} \mod n = z \\ u^{'} = h (z^{'}, c_{i}, T S) . \end{matrix}

(2)

If the validity is checked, RC performs the following steps to achieve the privacy-preserving data aggregation.

Step 1.

RC computes the aggregated and encrypted data C as $C = \prod_{i = 1}^{ω} c_{i} \mod n^{2}$ .

Step 2.

RC chooses a random number $t \in Z_{n}^{*}$ , which satisfies $\gcd (t, n - 1) = 1$ , and then uses private key $x_{R C}$ to make a signature $S i g_{R C} = (T S_{R C}, R_{R C}, S_{R C})$ as $H_{R C} = h (C, T S, R C_{i})$ , $R_{R C} = g^{' t} (\mod n)$ , and $S_{R C} = (H_{R C} - x_{R C} R_{R C}) t^{- 1} (\mod (n - 1))$ , where $T S_{R C}$ is the current time stamp.

Step 3.

RC sends the preliminary aggregation data and the signature $〈C, S i g_{R C}〉$ to OC.

If the above verification fails, RC will verify the signature with the help of TA and announce the malicious $I D_{i}$ . In this case, TA uses the unaccepted signature $〈c_{i}, S i g_{S M_{i}}〉$ to compute $η = u^{- 1} \mod ϕ (n)$ and $δ = I D_{T A}^{u} g^{{' v}_{1}} \mod n$ and then contrasts the stored $(g^{' s}, w, I D_{i})$ in the regional database to reveal the malicious identity $I D_{i}$ that sent the unaccepted message as $I D_{i} = (g^{{' v}_{1}} (δ g^{' s \cdot u})^{- 1})^{η} w^{- e} \mod n = I D_{T A}^{- 1} g^{' - s} (I D_{T A} g^{α + x_{T A} r h (I D_{i})} I D_{i})$ . By doing this, RC can achieve the tracking of malicious operations.

4.4. Data Analysis

After receiving the message $〈C, S i g_{R C}〉$ from RC, OC first checks the validity of time stamp $T S_{R C}$ with the receiving time $T S_{R C}^{'}$ . If $| T S_{R C}^{'} - T S_{R C} | \leq Δ T$ , the $T S_{R C}$ is accepted. Then RC uses the public key of RC $y_{R C}$ to verify the signature $S i g_{R C}$ by checking whether $y_{R C}^{R_{R C}} R_{R C}^{S_{R C}} = g^{' h (C, T S, R C_{i})} \mod n$ . If it does hold, OC will decrypt the aggregated cipher report C as follows:

\begin{matrix} C = \prod_{i = 1}^{ω} c_{i} \mod n^{2} = \prod_{i = 1}^{ω} g_{1}^{d_{i 1}} g_{2}^{d_{i 2}} \dots g_{l}^{d_{i l}} \cdot r_{i}^{n} \mod n^{2} = g_{1}^{\sum_{i = 1}^{ω} d_{i 1}} g_{2}^{\sum_{i = 1}^{ω} d_{i 2}} \dots g_{l}^{\sum_{i = 1}^{ω} d_{i l}} \prod_{i = 1}^{ω} r_{i}^{n} \mod n^{2} = g^{a_{1} \sum_{i = 1}^{ω} d_{i 1}} g^{a_{2} \sum_{i = 1}^{ω} d_{i 2}} \dots g^{a_{l} \sum_{i = 1}^{ω} d_{i l}} \prod_{i = 1}^{ω} r_{i}^{n} \mod n^{2} = g^{a_{1} \sum_{i = 1}^{ω} d_{i 1} + a_{2} \sum_{i = 1}^{ω} d_{i 2} + \dots + a_{l} \sum_{i = 1}^{ω} d_{i l}} \prod_{i = 1}^{ω} r_{i}^{n} \mod n^{2} . \end{matrix}

(3)

Step 1.

Let M and R be $a_{1} \sum_{i = 1}^{ω} d_{i 1} + a_{2} \sum_{i = 1}^{ω} d_{i 2} + \dots + a_{l} \sum_{i = 1}^{ω} d_{i l} \mod n$ and $\prod_{i = 1}^{ω} r_{i}$ , respectively, and $C = g^{M} \cdot R^{n} \mod n^{2}$ . According to $M = L (C^{λ \mod n^{2}}) \cdot μ \mod n$ , OC recovers M by the master key $(λ, μ)$ .

Step 2.

By executing Algorithm 1, OC can recover the aggregated data $(D_{1}, D_{2}, \dots, D_{l})$ , where $D_{j} = \sum_{i = 1}^{ω} d_{i j}$ is the power information at the jth step.

Algorithm 1: Recover the aggregated data.

Procedure: RECOVER THE AGGREGATED DATA

Input: $\vec{a} = (a_{1} = 1, a_{2}, \dots, a_{l})$ and M

Output: $(D_{1}, D_{2}, \dots, D_{l})$

set $X_{l + 1} = M$

for $j = 1$ to l do

$X_{j} = X_{j + 1} \mod a_{j}$

$D_{j} = X_{j + 1} - X_{j} / a_{j} \mod q$

end for

return $(D_{1}, D_{2}, \dots, D_{l})$

end procedure

Step 3.

After OC achieving power information at each step, OC invokes Algorithm 2 to obtain the real power consumption $D T_{j}$ and the number of SM $n_{j}$ ( $j = 1,2, \dots, l$ ) at each step, respectively.

Algorithm 2: Recover the power consumption.

Procedure: RECOVER THE POWER CONSUMPTION

Input: $(D_{1}, D_{2}, \dots, D_{l})$

Output: $(n_{1}, n_{2}, \dots, n_{l})$ and $(D T_{1}, D T_{2}, \dots, D T_{l})$

set $(D T_{1}, D T_{2}, \dots, D T_{l}) = (D_{1}, D_{2}, \dots, D_{l})$

for $j = 1$ to l do

$D T_{j} = D_{j} \mod A$

$n_{j} = (D_{j} - D T_{j}) / A$

end for

return $(n_{1}, n_{2}, \dots, n_{l})$ and $(D T_{1}, D T_{2}, \dots, D T_{l})$

end procedure

Since $D_{j} = \sum_{i = 1}^{ω} d_{i j} = n_{j} A + \sum_{i = 1}^{ω} d t_{i j}$ ( $\sum_{i = 1}^{ω} d t_{i j}$ is real power consumption at jth step), $D T_{j} = D_{j} \mod A = \sum_{i = 1}^{ω} d t_{i j}$ , and $n_{j} = (D_{j} - D T_{j}) / A$ , the correctness of Algorithm 2 is shown.

Finally, OC can obtain the valid information, which contains the true power consumption $(D T_{1}, D T_{2}, \dots, D T_{l})$ and the number of SM $(n_{1}, n_{2}, \dots, n_{l})$ at each step without knowing any private information of SM, and simultaneously OC accomplishes data interaction with power supplier.

5. Security Analysis

In this section, we analyze the security properties of PAS scheme. According to the security requirements discussed earlier, our analysis will focus on how PAS can achieve the privacy preservation of user's data and identity.

(i) The Confidentiality of User's Data and the Aggregated Data Are Obtained. In the proposed PAS scheme, each $S M_{i}$ 's power consumption data $(d_{i 1}, d_{i 2}, \dots, d_{i l})$ are formed as a Paillier cryptosystem [17] ciphertext $c_{i} = g_{1}^{d_{i 1}} \cdot g_{2}^{d_{i 2}} \dots g_{l}^{d_{i l}} \cdot r_{i}^{n} \mod n^{2}$ , which can be implicitly expressed as $c_{i} = g^{a_{1} d_{i 1} + a_{2} d_{i 2} + \dots + a_{l} d_{i l}} \cdot r_{i}^{n} \mod n^{2}$ . Let $m_{i}$ be $a_{1} d_{i 1} + a_{2} d_{i 2} + \dots + a_{l} d_{i l}$ , and then the data $(d_{i 1}, d_{i 2}, \dots, d_{i l})$ in $c_{i} = g^{m_{i}} \cdot r_{i}^{n} \mod n^{2}$ is also semantically secure and privacy preserving. Therefore, although an adversary M eavesdrops $c_{i}$ , he/she still cannot recognize the unencrypted contents. After collecting all reports $(c_{1}, c_{2}, \dots, c_{ω})$ from the residential users, RC does not recover each report; instead, it just computes $C = \prod_{i = 1}^{ω} c_{i} \mod n^{2}$ to perform report aggregation. Therefore, even if the adversary $M$ intrudes in RC's database, he/she cannot obtain the individual report $(d_{i 1}, d_{i 2}, \dots, d_{i l})$ either. Finally, after receiving $C = \prod_{i = 1}^{ω} c_{i} \mod n^{2}$ from RC, OC recovers C as $(D_{1}, D_{2}, \dots, D_{l})$ . However, since each $D_{j} = \sum_{j = 1}^{ω} d_{i} = n_{j} A + \sum_{i = 1}^{ω} d t_{i j}$ is an aggregated result, OC still cannot obtain the user $S M_{i}$ 's data $(d_{i 1}, d_{i 2}, \dots, d_{i l})$ . Therefore, from the above analysis, the user's data is privacy preserving in the proposed PAS scheme.

(ii) The Authentication of User's Data and the Aggregated Data Are Achieved. In the proposed PAS scheme, each user's data and the aggregated data are signed by an improved group signature algorithm.

Definition 4 (the improved efficient group signature scheme).

The improved efficient group signature scheme is defined by the following algorithms.

Setup. Providing some security parameter k as input, the key generation center (KGC) runs this algorithm to create a master key $x_{T A}$ and a list of public parameters params.

SetSecretValue. Taking params as input, this algorithm picks $k_{i} \in_{R} Z_{n}^{*}$ and outputs the secret value $k_{i}$ .

SetPublicKey. Providing params and $k_{i}$ as input, the user (the owner of $k_{i}$ ) runs this algorithm to set a public key $I D_{i}$ .

PartialPrivateKeyExtract. Providing params and $I D_{i}$ as input, KGC runs this algorithm to set $(r, s, w)$ and sends to user by a secure channel.

Sign. Providing params, $(r, s, w, I D_{i})$ , $k_{i}$ , and a message M as input, any entity runs this algorithm to create a signature $S i g = (u, v_{1}, v_{2}, M)$ .

Verify. Providing params, $x_{T A}$ , $S i g$ , and $I D_{i}$ , the receiver run this algorithm to verify the signature.

Definition 5 (security of the signature scheme).

A signature scheme is said to achieve unforgeability against a chosen message attack (UF-CMA secure) if no polynomials bounded adversary $M$ has a nonnegligible advantage in the following game.

Setup. The challenger runs setup by taking a security parameter k as input to generate a master key $x_{T A}$ and a list of public parameters params. It gives params to adversary $M$ and keeps $x_{T A}$ secret.

SecretValue Request. The challenger runs SetSecretValue to generate the secret value $k_{i}$ and return it to adversary $M$ .

PartialPrivateKey Request. The challenger runs PartialPrivateKeyExtract to generate the private key $(r, s, w)$ and return it to adversary $M$ .

PublicKeyReplacement. The adversary $M$ can repeatedly replace the public key for any entity with any value of its choice. The current value of an entity's public key is used by the challenger in any computation or response to the adversary's requests.

Verify Queries. The challenger runs Verify with $x_{T A}$ and $S i g$ as input and returns the verification result to adversary $M$ .

Sign Queries. The challenger runs Sign with $(r, s, w, I D_{i})$ , $k_{i}$ , and a message M as input to generate the $S i g$ and then return it to adversary $M$ .

Challenge Phase. Once $M$ decides that above is over, it outputs the challenge identity ${I D}^{*}$ and two equal-length messages $M_{0}$ , $M_{1}$ . Note that ${I D}^{*}$ has not been queried to extract a partial private key nor a private key at any time. The challenger picks $β \in_{R} \{0,1\}$ and creates a target signature ${S i g}^{*}$ of $M_{β}$ under the current public key $P K_{{I D}^{*}}$ . The challenger returns ${S i g}^{*}$ to $M$ .

Guess. $M$ outputs its guess $β^{'} \in \{0,1\}$ for β.

We define $M$ 's advantage in the above game by $A d v (M) = 2 (P r [β^{'} = β] - 1 / 2)$ . A scheme is said to be UF-CMA secure if no probabilistic polynomial-time adversary has nonnegligible advantage in the above games.

Then, we analyze the security of the improved group signature.

Theorem 6.

One's improved efficient signature scheme is EUF-CMA secure in the random oracle model, assuming that the CDH problem is intractable.

The above theorem is obtained by combining Lemma 7.

Lemma 7.

Suppose $H_{1}$ , $H_{2}$ are random oracles and there exists a UF-CMA adversary $M$ against the signature scheme with advantage ε when making $q_{p v}$ PrivateValue requests, $q_{p p k}$ PartialPrivateKey queries, $q_{p k r}$ PublicKeyReplacement queries, $q_{s}$ Sign queries, $q_{v}$ Verify queries, and q_i random oracle queries to $H_{i}$ ( $i = 1 o r 2$ ). Then, for any $0 \leq ν \leq ε$ there exists either an algorithm $B$ to solve the CDH problem with advantage $ε^{'} \geq (ε - ν) / q_{2}$ or an attacker that breaks the UF-CMA security of the RSA signature with advantage ν.

Proof.

To prove the lemma, we first assume that the RSA signature scheme is UF-CMA secure with advantage ν $(0 \leq ν \leq ε)$ within time $t^{'}$ .

Let $M$ be an adversary against the signature scheme. We show how to construct an algorithm $B$ to solve the CDH problem.

$B$ is given a random instance $(g, g^{a}, g^{b})$ of the CDH problem. $B$ sets $y_{T A} = g^{a}$ and simulates the Setup algorithm of the signature scheme by supplying $M$ with $〈n, e, g, H_{1} (), H_{2} (), y_{T A}〉$ as public parameters, where $H_{1}$ , $H_{2}$ are random oracles controlled by $B$ . $B$ chooses a random I, $1 \leq I \leq n$ .

$M$ may make queries to random oracles $H_{i}$ $(i = 1 o r 2)$ at any time during its attack and $B$ responds as follows.

H ₁ Queries. $B$ maintains a $H_{1}$ list of tuples $〈(i, I D_{i}), e_{i}〉$ . On receiving such a query on i, $B$ does the following.

If there is a tuple $〈(i, I D_{i}), e_{i}〉$ on the $H_{1}$ list, $B$ returns $e_{i}$ as answer.

Otherwise, $B$ chooses $e_{i} \in_{R} Z_{q}^{*}$ , adds $〈i, I D_{i}, e_{i}〉$ to the $H_{1}$ list, and returns $e_{i}$ as answer.

H ₂ Queries. $B$ maintains a $H_{2}$ list of tuples $〈(z_{i}, M_{i}), u_{i}〉$ . On receiving such a query on $(z_{i}, M_{i})$ , if there is a tuple $〈(z_{i}, M_{i}), u_{i}〉$ on the $H_{2}$ list, $B$ returns u as answer. Otherwise, $B$ picks $u_{i} \in_{R} Z_{q}^{*}$ , adds $〈(z_{i}, M_{i}), u_{i}〉$ to the $H_{2}$ list, and returns $u_{i}$ as answer.

SecretValue Request. $B$ maintains a SecretValue list of tuples $〈i, I D_{i}, k_{i}〉$ . On receiving such a query on i, $B$ responds as follows.

If $i \neq I$ , chooses $k_{i} \in_{R} Z_{n}^{*}$ and computes public key $I D_{i} = g^{k_{i}}$ . Then $B$ adds $〈i, I D_{i}, k_{i}〉$ to the public key list. Return $k_{i}$ as answer.

Otherwise ( $i = I$ ), $B$ aborts.

PartialPrivateKey Request. $B$ maintains a PartialPrivateKey list of tuples $〈i, I D_{i}, (r, s, w)〉$ . On receiving such a query on $I D_{i}$ , $B$ responds as follows.

If $i \neq I$ , $B$ searches the $H_{1}$ list for $〈i, I D_{i}, k_{i}〉$ , chooses a random number $α \in Z_{n}^{*}$ , and calculates $r = g^{' α} \mod n$ , $s = α + {r x}_{T A} h (I D_{i}) \mod f$ , and $w = {(I D_{T A} {r y}_{T A}^{r h (I D_{i})} I D_{i})}^{- d} \mod n$ . Then $B$ adds $(r, s, w)$ to the PartialPrivateKey list and returns it as answer.

Otherwise ( $i = I$ ), $B$ aborts.

Public Key Replacement. $M$ may replace the public key $I D_{i}$ for any entity i with any value $I D_{i}^{'}$ of its choice. $B$ records the change.

Verify Queries. Suppose the request is to verify signature $S i g = (u, v_{1}, v_{2}, M)$ for $I D_{i}$ . $B$ searches the public key for $I D_{G}$ . Then $B$ does the following. (1)

If the public key has not been replaced and $i \neq I$ , $B$ searches the PartialPrivateKey list for a tuple $〈i, I D_{i}, (r, s, w)〉$ and computes $z = I D_{T A}^{u} g^{v_{1}} v_{2}^{e} \mod n$ . If $u = h (z_{i}, M_{i}, T S)$ , return Y. Otherwise, output ⊥.

(2)

Otherwise, search the $H_{2}$ list for a tuple $〈(z_{i}, M_{i}), u_{i}〉$ satisfying $u = u_{i}$ , $z_{i} = I D_{T A}^{u} g^{v_{1}} v_{2}^{e} \mod n$ . Return Y if such a tuple exists. Otherwise, output ⊥.

Signature Queries. $M$ outputs ${I D}^{*}$ and two messages $M_{0}$ , $M_{1}$ on which it wishes to be challenged. Upon receiving ${I D}^{*}$ , $B$ searches the public key list for the tuple $〈i, I D_{i}, k_{i}〉$ and then conducts the following: (1)

picks $q_{1}^{*}, q_{2}^{*} \in_{R} Z_{n}^{*}$ , $β \in_{R} \{0,1\}$ , $I D_{i} \in_{R}$ ,

(2)

sets $v_{1}^{*} = q_{1}^{*} + (s^{*} + k_{i}^{*}) b$ and $s^{*} = H_{1} ({I D}^{*})$ , $v_{2}^{*} = q_{2}^{*} w^{*^{b}} \mod n$ ,

(3)

defines $b = H_{2} (z^{*}, M_{β})$ and $z^{*} = q_{2}^{*^{e^{*}}} g^{q_{1}^{*}} \mod n$ ,

(4)

computes ${S i g}^{*} = (u^{*}, v_{1}^{*}, v_{2}^{*}, M_{β}^{*})$ as the challenge signature.

$B$ continues to respond to $M$ 's requests in the same way as it did above. Note that $M$ cannot make a private key extraction query on ${I D}^{*}$ .

Guess. Eventually, $M$ outputs its guess $β^{'}$ . If $β^{'} = β$ , $B$ chooses a random pair $〈I D_{i}, e_{i}〉$ from $H_{1}$ list and outputs ${(g^{v_{1}^{*} - q_{1}^{*}} / {I D}^{*} r^{*})}^{1 / b e^{*} r^{*}}$ as the solution to the CDH problem. Otherwise, $B$ cannot solve the CDH problem.

Analysis. We first evaluate the simulations of the random oracles. From the construction of $H_{1}$ , it is clear that the simulation of $H_{1}$ is perfect. And as long as $M$ does not query $(z^{*}, M_{β})$ to $H_{2}$ , the simulation of $H_{2}$ is perfect. Let $A s k H_{2}^{*}$ denote the event that $(z^{*}, M_{β})$ has been queried to $H_{2}$ . Let $\neg A b o r t$ denote the event that $B$ do not abort. Let $E = A s k H_{2}^{*} | \neg A b o r t$ . It is clear that if E does not happen during the simulation, $B$ will not gain any advantage greater than 1/2 to guess β. Namely, $P r [β^{'} = β | E] \leq 1 / 2$ . We obtain $P r [β^{'} = β] = P r [β^{'} = β | E] P r [E] + P r [β^{'} = β | \neg E] P r [\neg E]$ .

By definition of ε, we have $ε - ν \leq (ε - ν) / (1 - ν) \leq P r [E] \leq P r [A s k H_{2}^{*}] / P r [\neg A b o r t]$ , $P r [\neg A b o r t] \geq 1 / q_{2}$ . Hence, it is not difficult for us to reach $P r [A s k H_{2}^{*}] \geq (ε - ν) P r [\neg A b o r t] \geq (ε - ν) / q_{2}$ . The advantage for $B$ to solve the CDH problem is $ε^{'} \geq (ε - ν) / q_{2}$ .

The running time of the CDH bounded by $t^{'} \leq t + (q_{1} + q_{2}) O (1) + q_{p p k} (2 T_{e x} + O (1)) + (q_{s} + q_{v}) (3 T_{e x} + O (1))$ , where $T_{e x}$ donates the time for computing exponentiation in $Z_{n}^{*}$ .

(iii) The Anonymity of Users and Traceability Can Be Guaranteed. In the proposed PAS scheme, each user's data is signed by an improved group signature.

Theorem 8.

Our improved efficient signature scheme satisfies the anonymity and traceability.

Proof.

Assume that the $H_{1}$ and $H_{2}$ are random functions. Given a valid signature $S i g_{S M_{i}} = (u, v_{1}, v_{2}, T S)$ , identifying the actual signer is computationally hard for everyone but the group manager (KGC). Deciding whether some group member with certificate originated requires computing the discrete logarithms $l o g_{g} y_{T A}$ . This is assumed to be infeasible under DLP and hence anonymity is guaranteed.

The group manager (KGC) is able to open any valid group signature and provably identify the actual signer: assuming that the signature is valid, this implies that $u, v_{1}, v_{2}$ , are of the required form and so $I D_{i}$ can be uniquely recovered as $I D_{i} = (g^{{' v}_{1}} (δ g^{' s \cdot u})^{- 1})^{η} w^{- e} \mod n$ .

According to the anonymity, it is impossible for the regional center to recognize user's identity. And if there are any errors in the process of verification, TA can recover the malicious SM's identity. Therefore, the identify privacy of user can be guaranteed.

From the above analysis, we can see that the proposed PAS scheme is secure and privacy preserving and achieves our security design goal.

6. Performance Evaluation

In this section, we evaluate the performance of proposed PAS scheme in terms of the computation complexity and overhead of the SM, RC, and OC using a simulator built in Java. We run it on a workstation with 2.0 GHz 6-core processor, 64 GB RAM. Concretely, with the parameter setting $|n| = 1024$ , we give that each RC includes 100 users and the number of RC is 10.

6.1. Computation Complexity

We evaluate the proposed PAS scheme in the computation complexity of SM, RC, and OC. Above all, we denote the computation overhead of an exponentiation operation in $Z_{n^{2}}$ , a multiplication operation in $Z_{n^{2}}$ , an exponentiation operation in $Z_{n}$ , a multiplication operation in $Z_{n}$ , and a multiplication operation in $Z_{n - 1}$ by $C_{1}^{e}$ , $C_{1}^{m}$ , $C_{2}^{e}$ , $C_{2}^{m}$ , and $C_{3}^{m}$ , respectively.

In the proposed PAS scheme, $S M_{i}$ generates the encrypted power consumption $c_{i}$ and the signature $S i g_{S M_{i}}$ as shown in Section 4.2, which includes $(l + 1) * C_{1}^{e}$ and $3 * C_{2}^{m}$ . As shown in Section 4.2, after receiving the ciphertext from ω users, RC first verifies the received data from different users, then aggregates it, and makes a signature $S i g_{R C}$ . The computation complexity of RC is $(3 ω + 1) * C_{2}^{e} + 3 * C_{2}^{m} + (ω - 1) * C_{1}^{m} + C_{3}^{m}$ . With regard to OC, it verifies the aggregated data from RC and obtains valid user information by the Paillier decryption, which includes $3 C_{2}^{e}$ and $C_{1}^{e}$ .

Comparing with the EPPA [12], the proposed PAS scheme enables acquiring more effective information and guarantees the anonymity of user's identify simultaneously and has similar computation overhead as shown in Table 1, while $C_{m}$ , $C_{e t}$ , $C_{p}$ represent a multiplication operation in G, an exponentiation operation in $G_{T}$ , and a pairing operation, respectively.

Table 1

Comparisons between PAS and EPPA scheme.

	PAS	EPPA
Smart meter	$(l + 1) * C_{1}^{e} + 3 * C_{2}^{m}$	$(l + 1) * C_{1}^{e} + C_{m} + 4 * C_{p}$
Regional center	$(3 ω + 1) * C_{2}^{e} + 3 * C_{2}^{m} + (ω - 1) * C_{1}^{m} + C_{3}^{m}$	$(ω + 3) * C_{p} + C_{m}$
Operation center	$3 C_{2}^{e} + C_{1}^{e}$	$2 * C_{p} + C_{1}^{e} + 4 * C_{m} + C_{et}$

6.2. Simulation Results

According to the algorithms in our scheme, there are two factors that may affect the computation overhead. One is the number of users whose power consumption exceeds the basic step in RC which is denoted by r and the other is the number of step electricity l. Therefore, r and l are chosen to illustrate the computation overhead of SM, RC, and OC, and we present the comparison between PAS and EPPA. Note that EPPA cannot disclose users' identify and cannot provide the detailed information (e.g., users' numbers and power consumptions at each step in different dimensions).

For the comparison with EPPA, we plot the computation overhead of SM, RC, and OC in basic step with 10 different r from 0 to 50 in Figures 3(a), 3(b), and 3(c). They have shown that both PAS's and EPPA's processing times increase negligibly with the increase of r. The average processing times of SM and RC in PAS are 16 ms and 460 ms, respectively, which are a little less than those in EPPA. Then, we consider the processing time of OC. The time used to recover M of OC in PAS approaches to 17 ms which is higher than in EPPA. From the figure, we can see that, by increasing r, the average processing times of SM, RC, and OC are barely growing, which means r has a little influence on the computation overhead of SM, RC, and OC.

Figure 3

The computation overhead of SM, RC, and OC.

As shown in Figures 3(d), 3(e), and 3(f), we plot the PAS and EPPA's computation overhead of SM, RC, and OC with the number of step consumption l selected from 1 to 10. We can see that, with the increase of l, the average processing times of SM also increase in PAS and EPPA. The reason is that SM's power consumption may be in a higher step with l becoming larger and the SM will take more calculation on average. Afterwards, the average processing times of RC and OC are given, and by increasing l, the average operation times of RC and OC are barely growing. Thus, the number of step consumption l has a great influence on SM, but little on RC and OC. It is shown that the average processing times of SM and RC in PAS are a little less than that in EPPA, but the average processing time of OC in PAS is higher than that of EPPA.

From the evaluation results above, the PAS scheme has similar computation overhead with the EPPA scheme. Furthermore, the processing time of users is less than 20 ms which is acceptable to SM. And for RC and OC, they only need 400 ms and 18 ms, respectively, which is very efficient. The results of experiment show that our proposed PAS scheme is not only privacy preserving but also efficient and has stable computation performance.

7. Related Works

The study of privacy-preserving multidimensional aggregation for smart grid has gained great interest from the research community recently, and we briefly review some of them closely related to ours.

Part of the existing schemes needs to decrypt the received data before aggregating them and then encrypt the aggregated result before forwarding it. This process is fairly expensive and risky when aggregator is not trusted. Castelluccia et al. [25] designed a symmetric-key aggregation scheme that blends inexpensive encryption techniques with simple aggregation methods to achieve very efficient aggregation of encrypted data. Although the aggregator is under attack, the adversary cannot acquire any privacy-sensitive information about residents.

Then, differential privacy techniques are introduced to achieve multidimensional aggregation in smart grid without decrypting data, and the middle aggregator can be untrusted [26, 27]. Shi et al. [26] proposed a construction that could allow a group of participants to periodically upload encrypted values to a data aggregator. First, it utilizes applied cryptographic techniques to allow the aggregator to decrypt the sum from multiple ciphertexts encrypted under different users' keys. Second, it describes a distributed data randomization procedure that guarantees the differential privacy of outcome statistic, even when a subset of participants might be compromised. Chan et al. [27] offered a protocol with an untrusted aggregator as well. Specifically, the protocol builds a binary interval tree over n users and allows the aggregator to estimate the sum of contiguous intervals of users represented by nodes in the interval tree. In order to achieve multidimensional privacy-preserving data aggregation, Kursawe et al. [14] designed a protocol that can be employed to compute aggregate meter measurements over defined sets of meters, allowing for fraud and leakage detection as well as further statistical processing of meter measurements, without revealing any additional information about the individual meter readings. Lin et al. [28] proposed a scheme to achieve privacy-preserving aggregation that can integrate the superincreasing sequence and perturbation techniques into compressed data aggregation and has the ability to combine more than one aggregated piece of data into one. Jia et al. [29] proposed a novel privacy-preserving data aggregation scheme which could support efficient data aggregation for time-series metering data without leaking the individual value. It could also thwart HAD attack by introducing some randomness to the aggregation result without affecting the aggregation utility. Lu et al. [12] thought the scheme in [28] is not practical to deploy and manage thousands of keys for users and RC and proposed the EPPA based on public cryptograph system.

However, almost all the existing aggregation schemes focus on the privacy of users' information, cannot afford more valid information to the service provider (e.g., the power supplier) for allocating resources, and neglect the anonymity of user's identify. In this paper, we propose an efficient privacy-preserving multidimensional aggregation scheme, which can achieve more information from the aggregation data without disclosing user's identity. Specifically, the employment of superincreasing sequence techniques and the importation of a big prime in the Paillier cryptosystem ensure that the scheme provides more effective information, and a group signature algorithm is adopted to protect the user's identify from RC.

8. Conclusions

In this paper, we propose an efficient privacy-preserving multidimensional aggregation scheme for smart grid, named PAS. Without disclosing the privacy of user, we can acquire more valid information about the number of users and power consumption at each step after the detailed analysis of preliminary aggregated data by the operation center. Specifically, we employ an improved Paillier cryptosystem technique to obtain more information at the operation center and an efficient anonymous authentication scheme to protect the privacy of user's identity from the regional center. Detailed security analysis shows the security strength and privacy-preserving ability of PAS. Moreover, with reasonable computation overhead, PAS can satisfy the high-frequency multidimensional data collection requirements in smart grid. For the future work, we will focus on reducing the computation overhead of smart meter and achieving a more efficient security scheme for smart grid.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This research was supported by National Natural Science Foundation of China (nos. 61303218 and 61272457), Huawei Innovation Research Program, and the 111 Project (B08038).

References

The 22th World Energy Congress, 2015, http://www.worldenergy.org/

Güngör

V. C.

Sahin

Kocak

Ergüt

Buccella

Cecati

Hancke

G. P.

Smart grid technologies: communication technologies and standards

IEEE Transactions on Industrial Informatics 2011 7 4 529 539

10.1109/tii.2011.2166794

2-s2.0-81255129687

Qiao

Sun

Wan

Wang

Xia

Zhang

Smart transmission grid: vision and framework

IEEE Transactions on Smart Grid 2010 1 2 168 177

10.1109/tsg.2010.2053726

2-s2.0-77956064262

Moslehi

Kumar

A reliability perspective of the smart grid

IEEE Transactions on Smart Grid 2010 1 1 57 64

10.1109/TSG.2010.2046346

2-s2.0-77955696530

Niyato

Xiao

Wang

Machine-to-machine communications for home energy management system in smart grid

IEEE Communications Magazine 2011 49 4 53 59

10.1109/MCOM.2011.5741146

2-s2.0-79953788803

Fadlullah

Z. M.

Fouda

M. M.

Kato

Takeuchi

Iwasaki

Nozaki

Toward intelligent machine-to-machine communications in smart grid

IEEE Communications Magazine 2011 49 4 60 65

10.1109/MCOM.2011.5741147

2-s2.0-79953792812

Liang

Choi

B. J.

Zhuang

Shen

Towards optimal energy store-carry-and-deliver for PHEVs via V2G system

Proceedings of the IEEE Conference on Computer Communications (INFOCOM ′12)

March 2012

Orlando, Fla, USA

1674 1682

10.1109/infcom.2012.6195538

2-s2.0-84861608803

Gungor

V. C.

Sahin

Kocak

Ergut

Buccella

Cecati

Hancke

G. P.

A survey on smart grid potential applications and communication requirements

IEEE Transactions on Industrial Informatics 2013 9 1 28 42

10.1109/tii.2012.2218253

2-s2.0-84871778402

Goguri

Hall

Mudumbai

Dasgupta

A distributed, real-time and non-parametric approach to demand response in the smart grid

Proceedings of the 49th Annual Conference on Information Sciences and Systems (CISS ′15)

March 2015

Baltimore, Md, USA

1 5

10.1109/ciss.2015.7086882

10.

Zhu

Liu

Wei

PPAS: privacy protection authentication scheme for VANET

Cluster Computing 2013 16 4 873 886

10.1007/s10586-013-0260-0

2-s2.0-84888854666

11.

Lin

Shi

Shen

X. S.

A lightweight conditional privacy-preservation protocol for vehicular traffic monitoring systems

IEEE Intelligent Systems 2013 28 3 62 65

10.1109/mis.2013.56

2-s2.0-84884179626

12.

Liang

Lin

Shen

EPPA: an efficient and privacy-preserving aggregation scheme for secure smart grid communications

IEEE Transactions on Parallel and Distributed Systems 2012 23 9 1621 1632

10.1109/tpds.2012.86

2-s2.0-84864583229

13.

Luo

Liu

Secure information aggregation for smart grids using homomorphic encryption

Proceedings of the 1st IEEE International Conference on Smart Grid Communications (SmartGridComm ′10)

October 2010

Gaithersburg, Md, USA

IEEE

327 332

10.1109/smartgrid.2010.5622064

14.

Kursawe

Danezis

Kohlweiss

Privacy-friendly aggregation for the smart-grid

Privacy Enhancing Technologies 2011 6794

Berlin, Germany

Springer

175 191 Lecture Notes in Computer Science

10.1007/978-3-642-22263-4_10

15.

Yan

Qian

Sharif

A secure data aggregation and dispatch scheme for home area networks in smart grid

Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ′11)

December 2011

Houston, Tex, USA

1 6

10.1109/glocom.2011.6133655

2-s2.0-84857204628

16.

Spanos

C. J.

Distributed energy consumption control via real-time pricing feedback in smart grid

IEEE Transactions on Control Systems Technology 2014 22 5 1907 1914

10.1109/tcst.2014.2299959

2-s2.0-84905383544

17.

Paillier

Public-key cryptosystems based on composite degree residuosity classes

Proceedings of the 17th International Conference on Theory and Application of Cryptographic Techniques (EUROCRYPT ′99)

May 1999

Prague, Czech Republic

223 238

18.

Castelluccia

Chan

A. C.-F.

Mykletun

Tsudik

Efficient and provably secure aggregation of encrypted data in wireless sensor networks

ACM Transactions on Sensor Networks 2009 5 3

10.1145/1525856.1525858

2-s2.0-67651030465

19.

Westhoff

Girao

Acharya

Concealed data aggregation for reverse multicast traffic in sensor networks: encryption, key distribution, and routing adaptation

IEEE Transactions on Mobile Computing 2006 5 10 1417 1431

10.1109/tmc.2006.144

2-s2.0-33748351402

20.

Shi

Zhang

Liu

Zhang

PriSense: privacy-preserving data aggregation in people-centric urban sensing systems

Proceedings of the IEEE (INFOCOM ′10)

March 2010

San Diego, Calif, USA

758 766

10.1109/infcom.2010.5462147

2-s2.0-77953308558

21.

G.-D.

Y.-P.

Xiao

G.-Z.

An improvement on group signature

Journal of Xidian University 2007 34 1 106 121

2-s2.0-34047276326

22.

Camenisch

Groth

Group signatures: better efficiency and new theoretical aspects

Security in Communication Networks (SCN ′04) 2005

Springer

120 133

23.

Sang

Shen

Tian

Privacy-preserving tuple matching in distributed databases

IEEE Transactions on Knowledge and Data Engineering 2009 21 12 1767 1782

10.1109/tkde.2009.39

2-s2.0-70350675296

24.

Zhong

Privacy-preserving algorithms for distributed mining of frequent itemsets

Information Sciences 2007 177 2 490 503

10.1016/j.ins.2006.08.010

ZBL1142.68488

2-s2.0-33750333499

25.

Castelluccia

Mykletun

Tsudik

Efficient aggregation of encrypted data in wireless sensor networks

Proceedings of the 2nd Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous ′05)

July 2005

109 117

10.1109/mobiquitous.2005.25

2-s2.0-33749525209

26.

Shi

Chan

Rieffel

E. G.

Chow

Song

Privacy-preserving aggregation of time-series data

Proceedings of the Network and Distributed System Security Symposium (NDSS ′11)

February 2011

San Diego, Calif, USA

27.

Chan

T.-H. H.

Shi

Song

Privacy-preserving stream aggregation with fault tolerance

Financial Cryptography and Data Security 2012

Berlin, Germany

Springer

200 214

10.1007/978-3-642-32946-3_15

28.

Lin

Shen

X. S.

MDPA: multidimensional privacy-preserving aggregation scheme for wireless sensor networks

Wireless Communications and Mobile Computing 2010 10 6 843 856

10.1002/wcm.796

2-s2.0-77952053188

29.

Jia

Zhu

Cao

Dong

Xiao

Human-factor-aware privacy-preserving aggregation in smart grid

IEEE Systems Journal 2014 8 2 598 607

10.1109/jsyst.2013.2260937

2-s2.0-84902299754

PAS: An Efficient Privacy-Preserving Multidimensional Aggregation Scheme for Smart Grid

Abstract

1. Introduction

2. System Model, Security Requirements, and Design Goal

2.1. System Model

2.2. Security Requirements

2.3. Design Goal

3. Preliminaries

3.1. Discrete Logarithm Problem

Definition 1.

Definition 2.

Definition 3 (computational Diffie-Hellman (CDH)).

3.2. Paillier Cryptosystem

4. Proposed Schemes

4.1. System Initialization

4.2. User Data Acquisition

Step 1.

Step 2.

Step 3.

Step 4.

4.3. Privacy-Preserving Regional Aggregation

Step 1.

Step 2.

Step 3.

4.4. Data Analysis

Step 1.

Step 2.

Algorithm 1: Recover the aggregated data.

Step 3.

Algorithm 2: Recover the power consumption.

5. Security Analysis

Definition 4 (the improved efficient group signature scheme).

Definition 5 (security of the signature scheme).

Theorem 6.

Lemma 7.

Proof.

Theorem 8.

Proof.

6. Performance Evaluation

6.1. Computation Complexity

6.2. Simulation Results

7. Related Works

8. Conclusions

Footnotes

Conflict of Interests

Acknowledgments

References