Sage Journals: Discover world-class research

Abstract

As a typical and promising application of the Internet of things, smart grid will play an increasingly important role in the future power system. However, security and privacy issues in smart grids need to be addressed. If the user’s electricity consumption is transmitted in plaintext, the data may be used by some illegal users. At the same time, malicious users may send false data such that the control center makes a wrong power resource scheduling. In addition, efficiency issues should be taken into account in Internet of things applications. To overcome these challenges, an efficient and privacy-preserving certificateless data aggregation scheme is proposed for Internet of things–enabled smart grids. The confidentiality and integrity of data can be guaranteed, and the identity of users can be hidden in our scheme. In particular, if some users have malicious behaviors, they will be tracked. The proposed scheme can resist replay attacks, modification attacks, and impersonation attacks. In the process of collecting data, computation of encryption and signature generation do not need expensive bilinear pairings. Furthermore, batch verification is used to improve efficiency of verification. It is demonstrated that the security, privacy, and efficiency issues in smart grid are addressed based on security and performance analysis.

Keywords

Internet of things smart grid data aggregation batch verification privacy

Introduction

Internet of things (IoT) enables distant objects to exchange information through the Internet,^1,2 which makes IoT play an important role in e-health monitoring, environment monitoring, smart grid, and so on. As the key solution of next generation power system, smart grids provide two-way data exchange,³ which makes smart grids report users’ power consumption in real time and have control center (CC) quickly make a reasonable power resource scheduling.⁴ However, smart grids can greatly improve the utilization of resources and avoid some accidents caused by power resource scheduling.

Each user will install a smart meter (SM), which periodically reports electricity consumption to gateways. In practical applications, efficiency has to be considered, which involves user experience. For example, in the electronic payment scenario of blockchains, Zhang et al.^5,6 proposed two blockchain-based fair payment protocols called BPay and BCPay for outsourcing services in cloud computing. The protocol BPay⁵ is compatible with the Bitcoin blockchain based on an iterative all-or-nothing checking-proof protocol and a top-down checking method. However, the performance remains to be improved. At the cost of losing the compatibility with the Bitcoin blockchain, the protocol BCPay⁶ realizes robust fair payment based on a one round all-or-nothing checking-proof protocol and hence is very efficient in terms of the computation cost and the number of transactions. In addition, it is reasonable to think that the computing power of SMs and gateways is limited. Fortunately, aggregation technology can be used in smart grids, which can greatly reduce the computational load of gateways. However, it is also a very challenging problem to reduce the calculation of SMs.

Users’ electricity consumption involves the user’s personal privacy.⁷ For example, if an adversary knows that a user’s electricity consumption has been zero for a long time, he may engage in criminal activities by revealing lifestyle habits of a user.⁸ Therefore, users’ electricity consumption and user’s identity should be protected. If the user’s identity is disguised during transmission, the user’s privacy will be further improved. Meanwhile, malicious users should be able to be tracked if they transmit malicious data. Besides, users may modify data to avoid payment. Adversaries may modify data to have the CC make a wrong power resource scheduling. Therefore, in practical applications, the confidentiality and integrity of electricity data are essential.⁹ Generally speaking, the encryption mechanism and authentication mechanism are suitable for solving the confidentiality and integrity of data.

To overcome the aforementioned challenges, an efficient and privacy-preserving certificateless data aggregation scheme is presented for IoT-enabled smart grids. The scheme has the following advantages:

The proposed scheme can simultaneously guarantee the confidentiality and integrity of data and the privacy of user identity.

When some users have malicious behaviors, they will be tracked. In addition, the scheme can resist replay attacks, modification attacks, and impersonation attacks.

In the process of collecting data, the computation of encryption and signature generation do not need expensive bilinear pairings. Furthermore, batch verification is used to improve efficiency of verification. The proposed scheme is secure under the random oracle model, and the scheme is efficient because it does not involve bilinear pairings.

Related works

Efficiency and security have always been the concern of academia and industry. Lightweight signature schemes^10,11 and efficient encryption schemes^12,13 have always been the focus of research. Zhang et al.¹⁰ presented a certificateless signature scheme for data crowdsensing in cloud-assisted industrial IoT. The scheme only needs public channels and is proven secure in the standard model. Karati et al.¹¹ proposed a new pairing-based certificateless signature scheme without map-to-point function and random oracle model. A framework for constructing efficient code-based encryption schemes was proposed in Aguilar-Melchor et al.,¹² which do not hide any structure in their public matrix. Preprocessing technology is applied in Zhang et al.,¹³ which improves the efficiency of ciphertext generation.

In order to tackle the security issue in smart grids, the key management scheme,¹⁴ key distribution scheme,¹⁵ and authentication scheme¹⁶ have been introduced. However, these schemes do not protect the privacy of users’ electricity consumption. In order to protect the privacy of users’ electricity consumption, users’ electricity consumption can be encrypted in the process of transmission. In order to improve efficiency, data aggregation technology^17–19 has been used in smart grids. The encrypted data are aggregated by the gateway and then transmitted to the CC. However, in the stage of power collection, SMs need a lot of calculation, which is because there are many linear pairings that need to be computed. In data aggregation, some homomorphic encryption schemes^20,21 are proposed. Gateway can aggregate ciphertext without decrypting ciphertext.

The organization of this article

This article is organized through the following structure: the preliminary of the article is first introduced; then, the model of the scheme is defined; after that, the concrete scheme and security proof as well as analysis are given; next, the performance analysis of the scheme is presented; and finally, the summary of the article is arrived.

Preliminary

The elliptic curve cryptosystem (ECC), elliptic curve discrete logarithm problem (ECDLP), and computational Diffie–Hellman problem (CDHP) assumptions are introduced in this section. ECC is widely used in cryptographic algorithms because of its low computational and communication costs.

Suppose that a prime number $p$ generates a finite field $F_{p}$ . $E$ be a set of points over $F_{p}$ , whose elements comes from an elliptic curve $E$ . $E$ is defined by equation $y^{2} = x^{3} + ax + b$ mod $p$ , where $a$ and $b$ are selected from $F_{p}$ and satisfy the equation $(4 a^{3} + 27 b^{2})$ mod $p \neq 0$ . Let the infinite point be 0. Next, 0 and other points on $E$ form an additive group, whose order is $q$ and generator is $P$ . The more concise description is as follows:

Let 0 be an infinite point, such that it satisfies equation $0 + 0 = 0$ and $P + 0 = P$ , where $P$ is any point on $E$ . $P \neq Q$ and $Q \neq 0$ will be assumed below.

If $P$ and $Q$ are the negative elements of each other, equation $Q = - P$ and $P + Q = P - P = 0$ hold.

If $- R$ , where $P + Q = - R$ , is another point on $E$ , then $- R$ is opposite to the point $R$ .

Scalar multiplication on elliptic curves $E$ is defined as $mP = P + P + \dots + P$ ( $m$ times), where the positive $m$ is selected from $Z_{q}^{*}$ .

Definition 1

ECDLP is defined as follows: two random points $P$ and $Q$ on an elliptic curve $E$ satisfy equation $Q = xP$ . It is difficult to calculate $x$ from $Q$ .

Definition 2

CDHP is defined as follows: two random points $R$ and $Q$ on an elliptic curve $E$ are chosen, where $R = xP$ and $Q = yP$ . It is difficult to calculate $xyP$ from $R$ and $Q$ , where $x$ and $y$ are unknown.

System model

In this section, the system architecture, security model, and design goal are introduced as follows.

System architecture

Our scheme involves four entities as Figure 1 whose roles are as follows:

Key generation center (KGC): the KGC generates the partial secret key for each SM and gateway (GW). In addition, KGC is credible.

CC: the CC has powerful computing power, and can verify and decrypt the data from GWs. Then, some analysis and decisions can be made by analyzing data. In addition, CC can generate the pseudoidentity for SM and GW. In addition, CC is credible.

GW: the GW validates the data sent by SMs and aggregates data from SMs, then signs the aggregated data and sends the aggregated data and its signature to CC.

SM: every user is equipped with an SM. SM is used to collect users’ electricity consumption, encrypt and sign it, and periodically reports them to GW. Each user in the system installs an SM, so the users and SMs are the same.

Figure 1.

System architecture.

Security model

In our security model, KGC and CC are trusted because the system is initialized by them. GW is honest but curious, which follows protocols honestly and is curious about the data privacy of SM. Suppose that the time of participants in the system is synchronous.

There is an adversary $A$ that can eavesdrop data between SM and GW and between GW and CC, who tries to destroy the confidentiality and integrity of data. The adversary $A$ may also be an unauthorized SM or an unauthorized GW, which sends some false data to receivers.

Design goal

In order to prevent the adversary from destroying the integrity and confidentiality of data and some wrong operations. The following security requirements should be met:

Confidentiality and integrity of data: in order to ensure the confidentiality and integrity of any data, no adversaries can know the user’s electricity consumption. In order to ensure the integrity of the data, accepted data should be validated.

Identity privacy preservation: user’s identity should be confidential and receivers cannot judge the owner of the data by analyzing the received data.

Traceability and unlinkability: although the user’s identity is hidden, CC can trace the user’s real identity under certain conditions.

Resistance to attacks: the proposed scheme should be able to resist replay attacks, modification attacks, and impersonation attacks.

Proposed scheme

Overview

Our scheme consists of the following algorithms: System initialization, Pseudoidentity generation, Partial secret key generation, Secret key generation, Individual encryption and signing, Data aggregation, and Data decryption. KGC and CC initialize the system by calling System initialization algorithm. Then, the system parameters are published and the main secret keys are kept by themselves. Next, SM interacts with CC to obtain the pseudoidentity in the process of Pseudoidentity generation algorithm. After that, SM sends the pseudoidentity to KGC to obtain the partial secret key in the process of Partial secret key generation algorithm. Finally, the user generates the secret key on the client side by executing Secret key generation algorithm. In Individual encryption and signing phase, when SM collects data, the data are encrypted and the ciphertext is signed. Next, the ciphertext and signature are sent to GW. In Data aggregation phase, after GW receives the data from SMs, it first verifies data. Then, legitimate data are accepted and aggregated. After the aggregated data are signed, the aggregated data and signature will be sent to CC. In Data decryption phase, CC verifies the received data and decrypts it if data are legal.

System initialization

System initialization is executed by KGC and CC through the following steps:

Given a security parameter $l$ , KGC outputs two large prime numbers $p$ , $q$ and an elliptic curve $E : y^{2} = x^{3} + ax + b$ mod $p$ ; $a, b \in F_{p}$ .

KGC picks up a point $P$ from the elliptic curve $E$ and generates a group $G$ by $P$ with order $q$ . Next, KGC randomly selects a number $α \in Z_{q}^{*}$ as the master secret key of KGC and calculates $P_{KGC} = α P$ as the public key of KGC.

CC picks up a point $P$ from the elliptic curve $E$ and generates a group $G$ by $P$ with order $q$ . After that, CC randomly selects a number $β \in Z_{q}^{*}$ as the master secret key of CC and calculates $P_{CC} = β P$ as the public key of CC.

KGC selects three anti-collision hash functions: $H_{1} : G \to Z_{q}^{*}$ , $H_{2} : {0, 1}^{*} \to Z_{q}^{*}$ , and $H_{3} : {0, 1}^{*} \to Z_{q}^{*}$ . Then, the system parameters $params = (P, p, q, E, G, H_{1}, H_{2}, H_{3}, P_{KGC}, P_{CC})$ are published.

Pseudoidentity generation

$S M_{i}$ randomly generates a number $k_{i} \in Z_{q}^{*}$ and computes $I D_{i, 1} = k_{i} P$ . Then, $(RI D_{i}, I D_{i, 1})$ is sent to CC through a secure channel, where $RI D_{i}$ is the real identity of $S M_{i}$ .

When CC receives $(RI D_{i}, I D_{i, 1})$ from $S M_{i}$ , CC computes $I D_{i, 2} = RI D_{i} \oplus H_{1} (β \cdot I D_{i, 1}, T_{i}, P_{CC})$ , where $T_{i}$ is the valid period of the pseudoidentity. Finally, the pseudoidentity $I D_{i} = (I D_{i, 1}, I D_{i, 2}, T_{i})$ is sent to $S M_{i}$ through a secure channel.

Through the above steps, $G W_{i}$ can receive the the pseudoidentity $G W_{i} = (G W_{i, 1}, G W_{i, 2}, T_{i})$ from CC.

Partial secret key generation

$S M_{i}$ sends the pseudoidentity $I D_{i} = (I D_{i, 1}, I D_{i, 2}, T_{i})$ to KGC. After receiving $I D_{i}$ , KGC randomly chooses a number $d_{i} \in Z_{q}^{*}$ , then computes $Q_{I D_{i}} = d_{i} P$ and $ps k_{I D_{i}} = d_{i} + H_{2} (I D_{i}, Q_{I D_{i}}) \cdot α$ mod $q$ . Finally, the partial secret key $(Q_{I D_{i}}, ps k_{I D_{i}})$ is returned to $S M_{i}$ via a secure channel.

Through the above steps, $G W_{i}$ can receive the partial secret key $(Q_{G W_{i}}, ps k_{G W_{i}})$ from KGC.

Secret key generation

After receiving $(Q_{I D_{i}}, ps k_{I D_{i}})$ , $S M_{i}$ randomly generates a number $x_{I D_{i}} \in Z_{q}^{*}$ as the secret key $vs k_{I D_{i}}$ and computes $vp k_{I D_{i}} = x_{I D_{i}} P$ . Finally, $S M_{i}$ gets a public–private key pair for signature $(S_{p k_{i}}, S_{s k_{i}}) = ((Q_{I D_{i}}, vp k_{I D_{i}}), (ps k_{I D_{i}}, vs k_{I D_{i}}))$ .

After receiving $(Q_{G W_{i}}, ps k_{G W_{i}})$ , $G W_{i}$ randomly generates a number $x_{G W_{i}} \in Z_{q}^{*}$ as the secret key $vs k_{G W_{i}}$ and computes $vp k_{G W_{i}} = x_{G W_{i}} P$ . Finally, $G W_{i}$ gets a public–private key pair for signature $(W_{p k_{i}}, W_{s k_{i}}) = ((Q_{G W_{i}}, vp k_{G W_{i}}), (ps k_{G W_{i}}, vs k_{G W_{i}}))$ .

Individual encryption and signing

After collecting data $m_{i}$ , $S M_{i}$ can get the ciphertext $c_{i}$ by encrypting $m_{i}$ with the ElGamal encryption scheme. After that, $S M_{i}$ signs $c_{i}$ . The concrete steps are as follows:

Individual encryption: after collecting data $m_{i}$ , $S M_{i}$ randomly generates a number $r_{i} \in Z_{q}^{*}$ and computes $c_{i} = (c_{i, 1}, c_{i, 2}) = (r_{i} P, r_{i} P_{CC} + m_{i})$ .

Data signature: $S M_{i}$ selects randomly a number $y_{i} \in Z_{q}^{*}$ and computes $R_{i} = y_{i} P$ ; $h_{i} = H_{3} (c_{i}, I D_{i}, vp k_{I D_{i}}, R_{i}, t_{i})$ ; and $S_{i} = h_{i} y_{i} + ps k_{I D_{i}}$ mod $q$ , where $t_{i}$ is the current time stamp used to resist the replay attack.

Sending data: $σ_{i} = (R_{i}, S_{i})$ is the signature on the message $m_{i}$ and the latest timestamp $t_{i}$ for $S M_{i}$ . Finally, $S M_{i}$ sends $dat a_{i} = (I D_{i}, vp k_{I D_{i}}, c_{i}, t_{i}, σ_{i})$ to GW.

Data aggregation

After receiving the data $(dat a_{1}, dat a_{2}, \dots, dat a_{n})$ from $(S M_{1}, S M_{2}, \dots, S M_{n})$ , $G W_{i}$ first verifies $dat a_{i}$ , then aggregates the $dat a_{i}$ , and signs and sends aggregated data to CC.

Single verification: after receiving data $dat a_{i}$ , $G W_{i}$ first checks the timestamp $t_{i}$ . If $t_{i}$ is valid, the collector calculates $h_{i, 0} = H_{2} (I D_{i}, Q_{I D_{i}})$ and $h_{i} = H_{3} (c_{i}, I D_{i}, vp k_{I D_{i}}, R_{i}, t_{i})$ . If the equation $S_{i} P = h_{i} R_{i} + Q_{I D_{i}} + h_{i, 0} P_{KGC}$ holds, $G W_{i}$ accepts $dat a_{i}$ .

Batch verification: to improve the efficiency of verification, $G W_{i}$ can execute the batch verification by the equation $(Σ_{i = 1}^{n} v_{i} S_{i}) P = Σ_{i = 1}^{n} (v_{i} h_{i} R_{i}) + Σ_{i = 1}^{n} (v_{i} Q_{I D_{i}}) + (Σ_{i = 1}^{n} v_{i} h_{i, 0}) P_{KGC}$ , where $v = (v_{1}, v_{2}, \dots, v_{n})$ is randomly choosed in $[1, 2^{t}]$ and $t$ is a very small integer.

Aggregating individual data: after the validity check, $G W_{i}$ generates the aggregate ciphertext $C T_{i} = (C_{1}, C_{2}) = (Σ_{i = 1}^{n} c_{i, 1}, Σ_{i = 1}^{n} c_{i, 2}) = (Σ_{i = 1}^{n} r_{i} P, Σ_{i = 1}^{n} (r_{i} P_{CC} + m_{i}))$ .

Signature of aggregated data: $G W_{i}$ selects randomly a number $y_{i}^{'} \in Z_{q}^{*}$ and computes $R_{i}^{'} = y_{i}^{'} P$ , $h_{i}^{'} = H_{3} (C T_{i}, G W_{i}, vp k_{G W_{i}}, R_{i}^{'}, t_{i}^{'})$ , and $S_{i}^{'} = h_{i}^{'} y_{i}^{'} + ps k_{G W_{i}}$ mod $q$ , where $t_{i}^{'}$ is the current time stamp used to resist the replay attack.

Sending aggregated data: $σ_{i}^{'} = (R_{i}^{'}, S_{i}^{'})$ is the signature on the message $C T_{i}$ for $G W_{i}$ . Finally, $G W_{i}$ sends ${data}_{i}^{'} = (G W_{i}, vp k_{G W_{i}}, C T_{i}, t_{i}^{'}, σ_{i}^{'})$ to CC.

Data decryption

After receiving the data $({data}_{1}^{'}, {data}_{2}^{'}, \dots, {data}_{n}^{'})$ from $(G W_{1}, G W_{2}, \dots, G W_{n})$ , the CC first verifies data ${data}_{i}^{'}$ and then decrypts data $C T_{i}$ as follows:

Single verification: after receiving data ${data}_{i}^{'}$ , CC first checks the timestamp $t_{i}^{'}$ . If $t_{i}^{'}$ is valid, CC calculates $h_{i, 0}^{'} = H_{2} (G W_{i}, Q_{G W_{i}})$ and $h_{i}^{'} = H_{3} (C T_{i}, G W_{i}, vp k_{G W_{i}}, R_{i}^{'}, t_{i}^{'})$ . If the equation $S_{i}^{'} P = h_{i}^{'} R_{i}^{'} + Q_{G W_{i}} + h_{i, 0}^{'} P_{KGC}$ holds, CC accepts ${data}_{i}^{'}$ .

Batch verification: to improve the efficiency of verification, CC can execute the batch verification by the equation $(Σ_{i = 1}^{n} v_{i}^{'} S_{i}^{'}) P = Σ_{i = 1}^{n} (v_{i}^{'} h_{i}^{'} R_{i}^{'}) + Σ_{i = 1}^{n} (v_{i}^{'} Q_{G W_{i}}) + (Σ_{i = 1}^{n} v_{i}^{'} h_{i, 0}^{'}) P_{KGC}$ , where $v^{'} = (v_{1}^{'}, v_{2}^{'}, \dots, v_{n}^{'})$ is randomly choosed in $[1, 2^{t}]$ and $t$ is a very small integer.

Data decryption: if ${data}_{i}^{'}$ is accepted, CC accepts ${data}_{i}^{'}$ by the equation $C_{2} - x C_{1} = Σ_{i = 1}^{n} m_{i}$ .

Security proof

The security proof of the scheme is given in this section. In our scheme, the confidentiality of data is guaranteed by the ElGamal encryption mechanism. Data integrity is guaranteed by signature mechanism. As long as the signature cannot be forged, our scheme will be secure. So, here we only prove that the signature is unforgeable, and the details can be referred to the scheme.²² The unforgeability of the scheme is proved as follows.

Theorem 1

In the random oracle model, the certificateless signature scheme is unforgeable under the ECDLP assumption.

Lemma 1

Under the random oracle model, a polynomial time adversary $A$ forges a signature after making $q_{H_{i}}$ queries, $q_{SM}$ queries, $q_{pk}$ queries, $q_{se}$ queries, and $q_{sig}$ queries to random oracles $H_{i}$ for i = 2, 3, the Create-User oracle, the Partial-Secret-Key oracle, the Secret-Key oracle, and the Sign oracle, respectively. The ECDLP assumption can be solved.

Proof

Suppose an adversary $A$ can forge message $(I D_{i}, vp k_{i}, C T_{i}, t_{i}, σ_{i})$ after $A$ is given an ECDLP sample $(P, Q = sP)$ , where $P$ and $Q$ are chosen from the elliptic curve $E$ . The adversary $A$ and simulator $B$ can play the following games:

Setup: $B$ randomly chooses a number $α \in Z_{q}^{*}$ as its private key and calculates $P_{pp} = α P$ as its public key. Then, the system parameters $pp = (P, p, q, E, G, H_{1}, H_{2}, H_{3}, P_{KGC}, P_{CC})$ are sent to $A$ .

$H_{2}$ hash query: when $B$ receives an $H_{2}$ query from the adversary $A$ on the parameter $(I D_{i}, Q_{I D_{i}})$ , $B$ checks whether $τ_{H_{2}}$ is in the hash list $L_{H_{2}}$ . If $τ_{H_{2}}$ exists, $τ_{H_{2}}$ is returned to $A$ . If $τ_{H_{2}}$ is not present, a random number $τ_{H_{2}} \in Z_{q}^{*}$ is selected and $(I D_{i}, Q_{I D_{i}}, τ_{H_{2}})$ is stored in the hash list $L_{H_{2}}$ . Finally, $τ_{H_{2}}$ is returned to $A$ .

$H_{3}$ hash query: when $B$ receives an $H_{3}$ query from the adversary $A$ on the parameter $(C T_{i}, I D_{i}, vp k_{I D_{i}}, R_{i}, t_{i})$ , $B$ checks whether $(C T_{i}, I D_{i}, vp k_{I D_{i}}, R_{i}, t_{i}, τ_{H_{3}})$ is in the hash list $L_{H_{3}}$ . If $τ_{H_{3}}$ exists, $τ_{H_{3}}$ is returned to $A$ . If $τ_{H_{3}}$ is not present, a random number $τ_{H_{3}} \in Z_{q}^{*}$ is selected and $(C T_{i}, I D_{i}, vp k_{I D_{i}}, R_{i}, t_{i}, τ_{H_{3}})$ is stored in the hash list $L_{H_{3}}$ . Finally, $(C T_{i}, I D_{i}, vp k_{I D_{i}}, R_{i}, t_{i}, τ_{H_{3}})$ is returned to $A$ .

Partial-Secret-Key query: when $B$ receives a partial-secret-key query from the adversary $A$ on a pseudoidentity $I D_{i}$ , $B$ computes $Q_{I D_{i}} = r_{i} P$ , where $r_{i}$ is randomly selected from $Z_{q}^{*}$ . Next, $B$ checks whether $(I D_{i}, Q_{I D_{i}}, τ_{H_{2}})$ exists in the hash list $L_{H_{2}}$ . If $(I D_{i}, Q_{I D_{i}}, τ_{H_{2}})$ does not exist, then $B$ terminates the algorithm. Otherwise, $B$ computes $ps k_{I D_{i}} = r_{i} + H_{2} (I D_{i}, Q_{I D_{i}}) \cdot α$ mod $q$ and sends $ps k_{I D_{i}}$ to $A$ . Notice that $ps k_{I D_{i}}$ on the targeted user cannot be queried by $A$ .

Create-User query: suppose that the adversary $A$ makes the query on a pseudoidentity $I D_{i}$ :

When $(I D_{i}, vp k_{I D_{i}}, vs k_{I D_{i}})$ is included in the list $L$ , $B$ checks whether $vp k_{I D_{i}} = ⊥$ . If so, a random number $v_{i}$ is chosen as $vs k_{I D_{i}}$ and $vs k_{I D_{i}} = v_{i} P$ is computed as $vp k_{I D_{i}}$ . $(I D_{i}, vp k_{I D_{i}}, vs k_{I D_{i}})$ is stored in the List $L$ by $B$ , and $vp k_{I D_{i}}$ is sent to $A$ . If not, $vp k_{I D_{i}}$ is sent to $A$ .

When $(I D_{i}, vp k_{I D_{i}}, vs k_{I D_{i}})$ is not included in the list $L$ , $vp k_{I D_{i}} = ⊥$ is set. Then, a random number $v_{i}$ is chosen as $vs k_{I D_{i}}$ and $vs k_{I D_{i}} = v_{i} P$ is computed as $vp k_{I D_{i}}$ . $(I D_{i}, vp k_{I D_{i}}, vs k_{I D_{i}})$ is stored in the List $L$ by $B$ , and $vp k_{I D_{i}}$ is sent to $A$ .

Secret-Key query: suppose that the adversary $A$ makes the query on a pseudoidentity $I D_{i}$ :

When $(I D_{i}, vp k_{I D_{i}}, vs k_{I D_{i}})$ is included in the list $L$ , $B$ checks whether $vp k_{I D_{i}} = ⊥$ . If so, the Secret-Key query is made by $B$ to generate $vp k_{I D_{i}} = v_{i} P$ and $vs k_{I D_{i}} = v_{i}$ . $(vp k_{I D_{i}}, vs k_{I D_{i}})$ is stored in the List $L$ by $B$ , and $vs k_{I D_{i}}$ is sent to $A$ . If not, $vs k_{I D_{i}}$ is sent to $A$ .

When $(I D_{i}, vp k_{I D_{i}}, vs k_{I D_{i}})$ is not included in the list $L$ , the Secret-Key query is made by $B$ to generate $vp k_{I D_{i}}$ and $vs k_{I D_{i}}$ . $(vp k_{I D_{i}}, vs k_{I D_{i}})$ is stored in the List $L$ by $B$ , and $vs k_{I D_{i}}$ is sent to $A$ .

Sign query: when the signature on the message $C T_{i}$ about the pseudoidentity $I D_{i}$ is queried, $B$ first checks $(I D_{i}, Q_{I D_{i}}, τ_{H_{2}})$ from the hash list $L_{H_{2}}$ according to $(I D_{i}, Q_{I D_{i}})$ . Then, gets $τ_{H_{2}}$ from $(I D_{i}, Q_{I D_{i}}, τ_{H_{2}})$ . Next, the random numbers $d_{i}$ , $h_{i}$ , $s_{i}$ , and $u_{i}$ are selected. In addition, $R_{i} = h_{i}^{- 1} s_{i} P - Q$ is calculated and $S_{i} = s_{i}$ is set. Finally, $(C T_{i}, I D_{i}, vp k_{I D_{i}}, R_{i}, t_{i}, τ_{H_{3}})$ is stored in the List $L_{H_{3}}$ , and $(R_{i}, S_{i})$ is sent to $A$ .

According to the Forking Lemma,²³ $B$ can achieve two valid signatures $σ_{i} = (R_{i}, S_{i})$ and $σ_{i}^{'} = (R_{i}^{'}, S_{i}^{'})$ by running $A$ as a subroutine within a polynomial time, where $S_{i} = h_{i} d_{i} + ps k_{I D_{i}}$ mod $q$ and $S_{i}^{'} = h_{i}^{'} d_{i} + ps k_{I D_{i}}$ mod $q$ by calculating

\begin{matrix} \frac{h_{i}^{'} S_{i} - h_{i} S_{i}^{'}}{h_{i}^{'} - h_{i}} \mod q = \frac{h_{i}^{'} h_{i} d_{i} + h_{i}^{'} ps k_{I D_{i}} - h_{i} h_{i}^{'} d_{i} - h_{i} ps k_{I D_{i}}}{h_{i}^{'} - h_{i}} \\ \mod q = ps k_{I D_{i}} \end{matrix}

As a result, the ECDLP assumption can be broken by $B$ within a polynomial time. However, solving ECDLP is difficulty. Therefore, our scheme can resist a forgery attack.

Security analysis

In the section, the security analysis of the scheme is given as follows:

Confidentiality and integrity of data: in the last section, the signature’s unforgeability on ciphertext has been proved, which guarantees the integrity of the ciphertext. The confidentiality of ciphertext is guaranteed by the ElGamal encryption mechanism.

Identity privacy preservation: in the proposed scheme, the pseudonym mechanism is used, and the receivers cannot judge the owner of the data by the received data.

Traceability and unlinkability: CC can trace the real identity of GW according to the pseudoidentity $(G W_{i, 1}, G W_{i, 2}, T_{i})$ by the equation $G W_{i, 2} = RI D_{i} \oplus H_{1} (β \cdot G W_{i, 1}, T_{i}, P_{CC})$ . In addition, GW can also send the tracked pseudoidentity $I D_{i} = (I D_{i, 1}, I D_{i, 2}, T_{i})$ to CC. Then, CC traces the pseudoidentity of SM to the real identity by the equation $I D_{i, 2} = RI D_{i} \oplus H_{1} (β \cdot I D_{i, 1}, T_{i}, P_{CC})$ .

Resistance to attacks: our scheme can resist replay attacks, modification attacks, and impersonation attacks. Because the timestamp is included in the message $(I D_{i}, vp k_{I D_{i}}, c_{i}, t_{i}, σ_{i})$ and $(G W_{i}, vp k_{G W_{i}}, C T_{i}, t_{i}^{'}, σ_{i}^{'})$ , receivers can check whether the timestamp is fresh to resist the replay attack. Besides, when the message $(I D_{i}, vp k_{I D_{i}}, c_{i}, t_{i}, σ_{i})$ and $(G W_{i}, vp k_{G W_{i}}, C T_{i}, t_{i}^{'}, σ_{i}^{'})$ are modified, the validated equation $S_{i} P = h_{i} R_{i} +$ $Q_{I D_{i}} + h_{i, 0} P_{K G C}$ and $S_{i}^{'} P = h_{i}^{'} R_{i}^{'} + Q_{G W_{i}} +$ $h_{i, 0}^{'} P_{KGC}$ will not hold. In addition, because adversary cannot forge two legal signatures, our scheme can resist impersonation attacks.

Performance analysis

In the section, we compare our scheme with data aggregation schemes^24,25 in terms of computational efficiency. It is reasonable to believe that CC and KGC have powerful computing power and storage capability, SM has limited computation power, and GW has stronger computing power than SM. Therefore, only the individual encryption and signing phase and the data aggregation phase are compared. For convenience, the time of some operations is marked in Table 1.

Table 1.

Definition of notation.

Notation	Definition
$T_{em}$	A scale multiplication operation on ECC.
$T_{esm}$	A small scale multiplication operation on ECC.
$T_{ea}$	A point addition operation on ECC.
$T_{m}$	A multiplication operation in $G$ .
$T_{e}$	An exponentiation operation in $G$ .
$T_{mt}$	A multiplication operation in $G_{T}$ .
$T_{et}$	An exponentiation operation in $G_{T}$ .
$T_{p}$	A bilinear pairing operation.
$T_{h}$	A one-way hash operation.

ECC: elliptic curve cryptosystem.

The comparisons on the individual encryption and signing phase and the data aggregation phase between our scheme and schemes secure privacy-preserving data aggregation (SPPDA)²⁴ and efficient and privacy-preserving data aggregation (EPPDA)²⁵ are shown in Table 2.

Table 2.

Comparison of computational costs in the individual operation phase and the data aggregation phase.

Schemes	Individual encryption and signing	Data aggregation (batch verification)
SPPDA	$2 T_{e} + T_{et} + T_{em} + T_{h}$	$(n + 1) T_{p} + (2 n - 2) T_{m} + (n - 1) T_{em} + n T_{h}$
EPPDA	$4 T_{e} + 2 T_{h}$	$(2 n + 3) T_{e} + n T_{h}$
Our scheme	$3 T_{em} + 2 T_{ea} + T_{h}$	$(2 n + 3) T_{em} + (2 n + 2) T_{ea} + n T_{esm} + (2 n + 1) T_{h}$

SPPDA: secure privacy-preserving data aggregation; EPPDA: efficient and privacy-preserving data aggregation.

In order to be more intuitive and accurate, performance evaluation is implemented on a unified platform, where the security parameter of elliptic curve is 256 bits and the prime number of the small scalar multiplication on the elliptic curve is 80 bits. As can be shown from Figures 2 and 3, our scheme outperforms aggregation schemes^24,25 in the individual encryption and signing phase and the data aggregation phase. That is because there are no linear pairing and exponential operations involved in our scheme. Based on the above analysis, it can seen that the presented scheme is efficient. Therefore, our scheme has great application prospects in resource-constrained smart grid terminals.

Figure 2.

Comparison of computational costs in the individual encryption and signing phase.

Figure 3.

Comparison of computational costs in the data aggregation phase.

Conclusion

As the key solution of next generation power system, smart grid can bring great convenience to our life. However, in the deployment of smart grid, security and efficiency issues have to face challenges. In this article, an efficient and privacy-preserving certificateless data aggregation scheme is presented for IoT-enabled smart grids to tackle the security, privacy, and efficiency problems in smart grids. Security proof and analysis show that the presented scheme achieves the design goals. At the same time, the performance analysis shows that the performance of the scheme is excellent.

In the next work, we are going to improve the communication cost of the system. Smaller computation and lower communication costs will be more conducive to the deployment of smart grids.

Footnotes

Handling Editor: Ximeng Liu

Declaration of conflicting interests

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work is supported by Science and Technology Achievements Promotion Project in Shaanxi Province (No. 2018CG-007).

Funding

The author(s) received no financial support for the research, authorship, and/or publication of this article.

ORCID iDs

Axin Wu

Xiaokun Zheng

Fangyuan Ren

References

Gubbi

Buyya

Marusic

et al . Internet of things (IoT): a vision, architectural elements, and future directions. Future Gener Comp Sy 2013; 29(7): 1645–1660.

Atzori

Iera

Morabito

The Internet of things: a survey. Comp Netw 2010; 54(15): 2787–2805.

Fan

Kalogridis

Efthymiou

et al . The new frontier of communications research: smart grid and smart metering. In: Proceedings of the 1st international conference on energy-efficient computing and networking, Passau, 13–15 April 2010, pp.115–118. New York: ACM.

Erol-Kantarci

Mouftah

HT.

Energy-efficient information and communication infrastructures in the smart grid: a survey on interactions and open issues. IEEE Commun Surv Tut 2015; 17(1): 179–197.

Zhang

Deng

Liu

et al . Outsourcing service fair payment based on blockchain and its applications in cloud computing. IEEE T Serv Comput. Epub ahead of print 7 August 2018. DOI: 10.1109/TSC.2018.2864191.

Zhang

Deng

Liu

et al . Blockchain based efficient and robust fair payment for outsourcing services in cloud computing. Inform Sciences 2018; 462: 262–277.

Liang

et al . Securing smart grid: cyber attacks, countermeasures, and challenges. IEEE Commun Mag 2012; 50(8): 38–25.

Deng

Yang

Chow

et al . A survey on demand response in smart grids: mathematical models and approaches. IEEE T Ind Inform 2015; 11(3): 570–582.

Liu

Xiao

et al . Cyber security and privacy issues in smart grids. IEEE Commun Surv Tutor 2012; 14(4): 981–997.

10.

Zhang

Deng

Zheng

et al . Efficient and robust certificateless signature for data crowdsensing in cloud-assisted industrial IoT. IEEE T Ind Inform. Epub ahead of print 18 January 2019. DOI: 10.1109/TII.2019.2894108.

11.

Karati

Islam

SKH

Karuppiah

Provably secure and lightweight certificateless signature scheme for IIoT environments. IEEE T Ind Inform 2018; 14(8): 3701–3711.

12.

Aguilar-Melchor

Blazy

Deneuville

et al . Efficient encryption from random quasi-cyclic codes. IEEE T Inform Theory 2018; 64(5): 3927–3943.

13.

Zhang

Zheng

Efficient and privacy-aware attribute-based data sharing in mobile cloud computing. J Amb Intel Hum Comp 2018; 9(4): 1039–1048.

14.

Wan

Wang

Yang

et al . SKM: scalable key management for advanced metering infrastructure in smart grids. IEEE T Ind Electron 2014; 61(12): 7055–7066.

15.

Tsai

NW.

Secure anonymous key distribution scheme for smart grid. IEEE T Smart Grid 2016; 7(2): 906–914.

16.

Zhou

et al . An efficient merkle-tree-based authentication scheme for smart grid. IEEE Syst J 2014; 8(2): 655–663.

17.

Bao

Privacy-enhanced data aggregation scheme against internal attackers in smart grid. IEEE T Ind Inform 2016; 12(1): 2–5.

18.

Kumar

Lee

JH.

Privacy-preserving data aggregation scheme against internal attackers in smart grids. Wirel Netw 2016; 22(2): 491–502.

19.

Zhang

Zheng

et al . Privacy-preserving communication and power injection over vehicle networks and 5G smart grid slice. J Netw Comp Appl 2018; 122: 50–60.

20.

Liang

et al . EPPA: an efficient and privacy-preserving aggregation scheme for secure smart grid communications. IEEE T Parall Distr Syst 2012; 23(9): 1621–1631.

21.

Lin

Yang

et al . EPPDR: an efficient privacy-preserving demand response scheme with adaptive key evolution in smart grid. IEEE T Parall Distr 2014; 25(8): 2053–2064.

22.

Cui

Zhang

Zhong

et al . An efficient certificateless aggregate signature without pairings for vehicular ad hoc networks. Inform Sci 2018; 451: 1–15.

23.

Pointcheval

Stern

Security arguments for digital signatures and blind signatures. J Cryptol 2000; 13(3): 361–396.

24.

Ara

Al-Rodhaan

Tian

et al . A secure privacy-preserving data aggregation scheme based on bilinear ElGamal cryptosystem for remote health monitoring systems. IEEE Access 2017; 5: 12601–12617.

25.

Kumar

Zeadally

et al . Efficient and privacy-preserving data aggregation scheme for smart grid against internal adversaries. IEEE T Smart Grid 2017; 8(5): 2411–2419.

Efficient and privacy-preserving certificateless data aggregation in Internet of things–enabled smart grid

Abstract

Keywords

Introduction

Related works

The organization of this article

Preliminary

Definition 1

Definition 2

System model

System architecture

Security model

Design goal

Proposed scheme

Overview

System initialization

Pseudoidentity generation

Partial secret key generation

Secret key generation

Individual encryption and signing

Data aggregation

Data decryption

Security proof

Theorem 1

Lemma 1

Proof

Security analysis

Performance analysis

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iDs

References