Next Article in Journal
GMS-RANSAC: A Fast Algorithm for Removing Mismatches Based on ORB-SLAM2
Next Article in Special Issue
TPM-Based Conditional Privacy-Preserving Authentication Protocol in VANETs
Previous Article in Journal
Construction and Demonstration of a 6–18 GHz Microwave Three-Wave Mixing Experiment Using Multiple Synchronized Arbitrary Waveform Generators
Previous Article in Special Issue
A Distributed and Privacy-Preserving Random Forest Evaluation Scheme with Fine Grained Access Control
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Privacy Preserving Data Aggregation for Smart Grid with User Anonymity and Designated Recipients

1
School of Computer Science and Artificial Intelligence, Wuhan University of Technology, Wuhan 430070, China
2
Science and Technology on Communication Security Laboratory, Chengdu 610000, China
*
Author to whom correspondence should be addressed.
Symmetry 2022, 14(5), 847; https://doi.org/10.3390/sym14050847
Submission received: 25 March 2022 / Revised: 8 April 2022 / Accepted: 11 April 2022 / Published: 19 April 2022
(This article belongs to the Special Issue Symmetry and Asymmetry in Securing Data Sharing)

Abstract

:
Smart grids integrate modern Internet of Things technologies with the traditional grid systems, aiming to achieve effective and reliable electricity distribution as well as promote clean energy development. Nowadays, it is an indispensable infrastructure for smart homes, wisdom medical, intelligent transportation, and various other services. However, when smart meters transmit users’ power consumption data to the control center, sensitive information may be leaked or tampered. Moreover, distributed architecture, fine-grained access control, and user anonymity are also desirable in real-world applications. In this paper, we propose a privacy-preserving data aggregation scheme for a smart grid with user anonymity and designated recipients. Smart meters collect users’ power consumption data, encrypt it using homomorphic re-encryption, and then transmit the ciphertexts anonymously. Afterward, proxies re-encrypt the aggregated data in a distributed fashion so that only the designated recipients can decrypt it. Therefore, our proposed scheme provides a more secure and flexible solution for privacy-preserving data aggregation in smart grids. Security analyses prove that our scheme achieves all the above-mentioned security requirements, and efficiency analyses demonstrate that it is efficient and suitable for real-world applications.

1. Introduction

Electricity is important for modern civilization. However, power outages occur from time to time across the world, causing significant economic losses and social impacts. For example, in 2019, the Guri Hydropower Station, which provides 80% of Venezuela’s electricity, was maliciously attacked, causing 21 out of the 23 states to experience power outages [1]. At the same year, a large-scale power outage also occurred in South America, affecting more than 40 million people in Argentina, Brazil, Uruguay, and Chile. When such an accident occurs, the traffic lights ceased operation and all public transportation was suspended, making the affected cities into chaos [2]. One of the main reasons for this catastrophe is that the traditional power grid was designed more than a century ago and its effectiveness and robustness are far from satisfactory in the modern era [3].
In 2001, the concept of “smart grid” was introduced, expecting to enhance the traditional power grid using some latest information technologies, such as the Internet of Things (IoT) and computer networks [4]. In the smart grid, power transmission can be scheduled more intelligent and reliable thanks to the digitization and standardization of information [5]. Moreover, through two-way communications, the power grid can be continuously monitored in real-time, reducing the probability of power outages. To alleviate the phenomenon of isolated data islands, various cryptographic primitives, such as symmetric and asymmetric ciphers, have been employed to realize privacy-preserving and authentication in data sharing. Therefore, not only the desirable security requirements can be guaranteed for users’ personal data, but also the whole society can benefit from more effective information utilization. Nowadays, many countries have adopted the development of smart grids as a national strategy.
As shown in Figure 1, the smart grid generally consists of three layers [6]. At the bottom layer, smart meters collect users’ power consumption data and upload it into the grid system regularly. Based on this data, the electricity company can charge the users for power usage. This information also can be used to set-up flexible price packages to smooth the power usage, e.g., higher prices in the peak period and lower prices in the other periods, enhancing the reliability and effectiveness of the smart grid system. At the middle layer, the cloud is responsible for forwarding the aggregated power consumption data to the power station. During this process, individual users’ power consumption data must be kept secret from the cloud. Otherwise, users’ living habits, as well as some other private information, may be leaked. Moreover, if a malicious attacker tampers or forges the power consumption data during transmission, it will not only cause economic losses to the electricity company but also affect the power distribution of the entire grid. At the top level, the power station generates electricity based on demands and the power is distributed through the substations. As it is expensive to store electricity, it requires that the amount of electricity generated by the power station roughly matches the real-time demands. Otherwise, it will reduce the reliability of the smart grid or even cause catastrophic events.
At present, the design and implementation of a smart grid need to consider the following security features:
  • Confidentiality: The data collected by the smart meters may contain users’ sensitive information. If an attacker obtains this data, users’ living habits could be leaked, so the power consumption data must be protected.
  • Authentication: Power consumption data transmitted in the smart grid can be tampered with by a malicious adversary, so it is necessary to ensure that the adversary cannot modify, fabricate or delete the transmitted data without being detected.
  • User anonymity: The power consumption data is normally sent with the user’s identity. When the cloud collects the data, users’ identities may be exposed to the cloud. In many circumstances, such exposure is undesirable and users’ identities should also be protected.
  • No single point of trust: The decryption power should not be possessed by a single party. Otherwise, it could become a single point of trust in the system. For example, if this party is compromised, all sensitive information within the system can be read or leaked by this party. Instead, a distributed architecture should be employed.
  • Designated recipients: Based on the minimum disclosure principle, fine-grained access control should be posed on the aggregated power consumption data, e.g., its access should be strictly restricted to the designated recipients.
To address the above problems, this paper proposes a privacy-preserving data aggregation scheme with user anonymity and designated recipients. In our proposed scheme, smart meters first collect users’ power consumption data, encrypt it using homomorphic re-encryption and then send the ciphertexts anonymously. The control centers aggregate the received data and re-encrypt it in a distributed fashion so that only the designated recipients can decrypt it. Moreover, novel verification techniques are employed to ensure that only legitimate users’ data is accepted and an adversary cannot tamper with this data during transmission. Our main contributions can be summarized as follows.
1.
Apart from the traditional security requirements, such as confidentiality and authentication, our proposed scheme also achieves user anonymity and no single point of trust. Moreover, it can ensure that the aggregated data can only be accessed by the designated recipients, realizing fine-grained access control. Therefore, it provides a more secure and flexible solution for privacy-preserving data aggregation in smart grid.
2.
Security analyses prove that our scheme achieves all these desirable security requirements, and efficiency analyses demonstrate that it is efficient to be implemented in real-world applications.
The rest of the paper is organized as follows. In Section 2, we briefly review some related works in the literature. The notations and preliminaries are outlined in Section 3. In Section 4, models and definitions are described. Then, our proposed scheme is introduced in Section 5, and its security and efficiency analyses are presented in Section 6 and Section 7, respectively. Finally, we conclude in Section 8.

2. Related Works

Nowadays, it is widely accepted that smart grids are a fundamental infrastructure for renewable energy [7]. Smart meters are important devices to realize two-way communication in smart grids, so they are vulnerable targets for attackers [8,9]. Hence, it is worth investigating methods that securely transmit information within smart grids and build a flexible smart grid architecture [10,11]. It is necessary to build a security model to meet the security demands of a smart grid [12,13]. To address this issue, various privacy-preserving data aggregation schemes have been proposed in the literature [14,15,16]. Moreover, these works can be divided into two main categories: one protects users’ power consumption data and the other protects users’ identities.
In the first category, homomorphic encryption [17] is used as a popular building block, thanks to its feature of allowing operations on the ciphertexts. Lu et al. [18] have proposed a data aggregation scheme EPPA that uses hyper-increasing sequences to record the multi-dimensional data and Paillier encryption to encrypt the data. The local gateway aggregates the encrypted data and sends it to the control center, which can then decrypt the aggregated data without learning any individual data. Later, Shen et al. [19] have proposed a modified data aggregation scheme in which the aggregated data of different regions can be aggregated in a hierarchical manner. Ding et al. [20] have proposed a novel encryption scheme that supports homomorphic re-encryption, in which the ciphertexts can be either decrypted or re-encrypted, both requiring two parties to operate in a distributed fashion. However, the majority of existing data aggregation solutions need to employ a trusted third party (TTP) [21,22,23,24]. To address this issue, Liu et al. [25] have proposed a scheme without a TTP. The trick is to select some users to construct a virtual aggregation area to mask the power consumption data of a particular user. Xue et al. [26] have proposed another data aggregation scheme without a TTP using secret sharing. However, it suffers heavy communication overheads and it is vulnerable to the man-in-the-middle attack. To improve efficiency of data sharing in smart grids, Zhao et al. [27] have introduced a fog-assisted data aggregation scheme that can reduce network bandwidth and realize smart pricing. Su et al. [28] proposed a lightweight data aggregation scheme for smart grid with forwarding secrecy. However, its limitation is that if any user’s data is missing, the aggregated data will become unreadable. To solve this issue, Huang et al. [29] have proposed a lightweight data aggregation scheme with fault tolerance. Xu et al. [30] have proposed a similar scheme that allows collusion between the aggregator and some entities, achieving a high level of fault tolerance. Although the above-mentioned schemes can achieve privacy protection for individual users’ power consumption data, very few have considered fine-grained access control for the aggregated data.
In the second category, smart meters have to send the power consumption data anonymously. A pseudonym is a common technique used to achieve user anonymity. Tan et al. [31] suggest using pseudo IDs instead of real identities, where these pseudo IDs are generated using a function with inputs of the group key, the time, and the number of smart meters. To hide the relationship between a user’s identity and her pseudonym, Guan et al. [32] suggested using the user’s public key as her pseudonym. Each user can be associated with many pseudonyms, and the Bloom filter is used to verify the validity of a user’s pseudonym. Liu et al. [33] have proposed a solution using a blind signature, but it has not considered the protection of individual user’s power consumption data. Sui et al. [34] have proposed a method to realize strong anonymity through anonymous networks. Moreover, a reward mechanism is designed where the user who requests a reduction in power usage can revoke her anonymity and gets some rewards. Yu et al. [35] have proposed a privacy-preserving power request scheme. Each smart meter is associated with a unique identifier, and a ring signature is used to protect their identities. Cheung et al. [36] have proposed a scheme achieve user privacy and data authentication, in which users generate a group of credentials and the control center signs them blindly. However, as the control center needs to generate many signatures, its computational overheads are very high.

3. Notations and Preliminaries

In this section, we describe the notations and briefly review some cryptographic primitives, such as ElGamal encryption, Schnorr signature, and Homomorphic re-encryption.

3.1. Notations

The notations used in the proposed scheme and their meanings are outlined in Table 1.

3.2. Preliminaries

3.2.1. ElGamal Encryption

  • Setup: Randomly choose x Z q and compute y g x ( mod p ) . The public key is ( y , p , g ) and the private key is x.
  • Encryption: Given the plaintext m, randomly choose a value r Z q and calculate the ciphertext as C = ( C 1 , C 2 ) = ( g r , m · y r ) .
  • Decryption: The entity with the private key x can decrypt the ciphertext as:
    m = C 2 C 1 x = m · y r g r x = m · y r y r ( mod p )

3.2.2. Schnorr Signature

  • KeyGen: Randomly choose x Z q and compute y g x ( mod p ) . The public key is ( y , p , g ) and the private key is x.
  • Signing: Given the message m, the signer randomly selects k Z q and computes r g k ( mod p ) , e = H ( r , m ) and s = x e + k ( mod q ) . Now, ( e , s ) is the signature for m.
  • Verifying: After receiving the signature ( e , s ) , the verifier computes r g s y e ( mod p ) and H ( r , m ) . Then the following equation is verified:
    V e r ( y , ( e , s ) , m ) = T r u e H ( r , m ) = e

3.2.3. Homomorphic Re-Encryption

The ciphertext can be either decrypted or re-encrypted, while both operations need two entities to collaborate. The homomorphic property permits users to perform computations on the encrypted data. The computation results are left in encrypted form. But when decrypted, the value is identical as the operations are performed on the plaintext data. The re-encryption property allows the ciphertext to be re-encrypted to another one containing the same plaintext but under a different public key. Note that the re-encryption operation ensures that only the designated recipients can derive the plaintext. Its operation works as follows:
  • Setup: p and q are two safe primes, where p = 2 p + 1 , q = 2 q + 1 and n = p · q . Denote QR as the cyclic group of quadratic residues in Z n 2 * , and g is a generator of QR .
  • KeyGen: The data center ( D C ) and the access control server ( A C S ) generate their public and private key pairs ( S K D C = a , P K D C = g a ) and ( S K A C S = b , P K A C S = g b ) . These two parties execute the Diffie-Hellman key exchange to obtain the system public key P K = P K D C S K A C S = P K A C S S K D C = g a b . Every designated recipient generates its public and private key pair s k i = k i , p k i = g k i .
  • Encryption: Given a message m i Z n , one randomly chooses r [ 1 , n 4 ) and generates the ciphertext as
    m i P K = T i , T i = { ( 1 + m i · n ) · P K r , g r } ( mod n 2 )
  • Re-Encryption Phase I: DC chooses and publishes a computation identifier C I D . It then computes h 1 = H p k j S K D C | | C I D and re-encrypt the ciphertext as
    m i + = T i ^ , T i ^ = T i , T i S K D C · g h 1
  • Re-Encryption Phase II: ACS calculates h 2 = H p k j S K A C S | | C I D after receiving m i + . It then re-encrypts the ciphertext as
    m i p k j = T i ¯ , T i ¯ = T i ^ , T i ^ S K A C S · g h 2
  • Decryption: The designated recipient can decrypt the ciphertext m i p k j as
    h 1 = H P K D C s k j | | C I D h 2 = H P K A C S s k j | | C I D m i = L T i ¯ · P K A C S h 1 · g h 2 T i ¯ ( mod n 2 )
    where L u = u 1 n .

4. Models and Definitions

In this section, we describe the system model, adversary model, and security requirements.

4.1. System Model

Our proposed system, as shown in Figure 2, consists of five types of participants: smart meters (SM), regional master meters (RMM), grid company (GC), operation center (OC), and power transmission units (PTU).
1.
SM: It collects user power consumption data and sends it to the RMM regularly. Note that this data needs to be sent anonymously in our proposed scheme. Moreover, each SM is assumed to contain some tamper-proof device, and its internal states can be protected.
2.
RMM: It is responsible for aggregating users’ power consumption data in some regions and it will forward the aggregated result to the GC.
3.
GC: Once it receives the aggregated power consumption data from the RMMs, it aggregates the received data again and then performs the first phase of proxy re-encryption.
4.
OC: It executes the second phase of proxy re-encryption and sends the outputs to the designated recipients.
5.
PTU: They are the designated recipients of power usage data, such as power plants and data analysts. Each of them will use its private key to decrypt the received ciphertexts.

4.2. Communication Model

We assume that public channels are used to transmit data from SMs to RMMs and from RMMs to the GC. Moreover, we assume that a secure channel exists between the GC and the OC, and authenticated channels are used to transmit data from the OC to PTUs. In smart grids, there might be a large number of SMs and RMMs. Hence, it is impractical to assume that secure channels or authenticated channels exist among them. Moreover, as there is only one GC, one OC, and a few PTUs, the assumption of a secure channel between the GC and the OC, and some authenticated channels from the OC to PTUs is feasible. Note that the assumption of these channels allows us to focus on the protocol design without digging into the low level of technical details. It is well known how these channels can be implemented in practice using standard cryptographic primitives, e.g., encryption and digital signatures.

4.3. Adversary Model

In our proposed scheme, we assume that all participants are honest-but-curious. In other words, these participants will follow the protocol, but they will try to learn some sensitive information beyond their authorization. Moreover, we assume that the GC and the OC will not collude. The adversary A can eavesdrop on the exchanged messages through the public channel and the authenticated channel. In addition, it can also tamper with the data through the public channel but it neither intercepts nor falsifies the data through the secure channel.

4.4. Security Requirements

Under the above models, our design goal is to develop a privacy-preserving data aggregation scheme for smart grids with user anonymity and designated recipients. Specifically, the following security requirements are considered.
1.
Correctness: If all participants follow the protocol, it will output the correct aggregated power consumption data to the designated recipients.
2.
Confidentiality: The adversary A cannot learn the power consumption data of any individual user.
3.
Authentication: Only data from legitimate participants will be accepted. If the data is tampered with during transmission, it can be detected.
4.
User anonymity and un-linkability: The adversary A cannot extract the real identities of the smart meters. Moreover, A cannot link two messages that are sent by the same smart meter.
5.
No single point of trust: The secret key is distributed among multiple entities, i.e., no single party can decrypt or leak sensitive information within the smart grid.
6.
Designated recipients: The aggregated power consumption data can only be accessed by the designated recipients but no one else.

5. The Proposed Scheme

In this section, the privacy-preserving data aggregation scheme with user anonymity and designated recipients is introduced, which mainly consists of the following six algorithms: initialization, key generation, identity anonymization and encryption, verification and aggregation, proxy re-encryption, and decryption.

5.1. Initialisation

In this phase, GC generates the system parameters. It first randomly chooses two large primes p and q , and then computes n = p · q . Denote G as a cyclic group of quadratic residues modulo n 2 , and g as a generator of G. GC also selects a secure hash function H: { 0 , 1 } * G.

5.2. KeyGen

All entities generate their own public and private key pairs. In addition, GC and OC jointly negotiate a key using Diffie–Hellman key exchange.
1.
GC and OC randomly chooses α and β respectively as its private key. Their public and private key pairs are ( S K G C = α , P K G C = g α ) and ( S K O C = β , P K O C = g β ) .
2.
Each power transmission unit P T U j generates its public and private key pair ( s k j = d j , p k j = g d j ) .
3.
OC negotiates the key with GC to obtain the system public key:
P K = P K O C S K G C = P K G C S K O C = g α β ( mod n 2 )
4.
Finally, the system parameters p p = ( g , G , P K ) are made public.

5.3. Identity Anonymization and Encryption

In this phase, the smart meter encrypts its real identity and then sends the anonymous identity, power consumption data, and digital signature to the RMM. The following steps are executed during this phase.
1.
Before smart meter S M i sending the power consumption data m i to R M M i , S M i needs to encrypt the data m i and hide its real identity. And S M i generates its public and private key pair ( s k i = x i , p k i = g x i ) .
2.
In each period, S M i randomly chooses η i Z q and calculates H I D i , 1 = g η i ( mod p ) , H I D i , 2 = R I D * ( P K G C ) η i . Then S M i uses the public key PK to encrypt data and sign, C m i = E n c P K ( m i ) = { ( 1 + m i · n ) · P K r , g r } ( mod n 2 ) , σ i = η i + x i · H ( H I D i | | T i | | C m i ) , where T i is the current timestamp and H I D i = { H I D i , 1 , H I D i , 2 } . Then S M i sends the message { C m i , σ i , H I D i , T i } to R M M i .

5.4. Batch Verification and Aggregation

In this phase, R M M i checks the validity of received messages. In addition to the traditional verification methods, it also allows a batch of data to be verified simultaneously.
1.
Traditional verification:
(a)
Once the message { C m i , σ i , H I D i , T i } from S M i is received, R M M i checks the validity of T i first. If T * T i > Δ T , R M M i will reject the message.
(b)
R M M i checks the validity of σ i using the following equation:
g σ i = H I D i , 1 · p k i H ( H I D i | | T i | | C m i )
2.
Batch Verification: The above verification can be made more efficient using the small exponent test technology [37].
(a)
Upon receiving multiple data { C m 1 , σ 1 , H I D 1 , T 1 } , { C m 2 , σ 2 , H I D 2 , T 2 } , , { C m , σ , H I D , T } sent by some S M i , R M M i checks the freshness of T i , where i = 1 , 2 , , . When the check fails, R M M i rejects the message.
(b)
R M M i selects a random vector v = v 1 , v 2 , , v , where v i is a small random integer in [ 1 , 2 t ] and t is a small integer. Then, R M M i verifies through the following equation:
i = 1 ( g σ i ) v i = i = 1 ( H I D i , 1 · p k i H ( H I D i | | T i | | C m i ) ) v i
If the above equation does not hold, R M M i rejects the messages.
3.
Aggregation: R M M i aggregates the encrypted data C m i by calculating C M i = i = 1 C m i , where is the number of S M i in the current area. Finally, R M M i sends C M i and its corresponding signature and current timestamp T j to GC.
C M i = { C 1 , C 2 } = { ( P K r ) ( 1 + n · i = 1 m i ) , ( g r ) } ( mod n 2 )

5.5. Proxy Re-Encryption

After receiving the message, GC first verifies the freshness and validity of the signature. It then aggregates and stores the received power consumption data. When a designated recipient requests electricity data, proxy re-encryption is performed.
1.
GC verifies the freshness and correctness of the received data C M i and it then aggregates them:
C M = { A , B } = i = 1 S C M i = { ( P K r ) S ( 1 + n · i = 1 S M i ) , ( g r ) S } ( mod n 2 )
2.
The P T U j issues a request to the electricity data. After verifying that it is a legitimate designated recipient, the proxy re-encryption will be performed as follows:
(a)
GC calculates h 1 = H ( ( p k j ) S K G C | | C I D ) . Then it converts C M to C M and send it to OC, where C M = { A , B } = { A , g h 1 · B S K G C } .
(b)
OC calculates h 2 = H ( ( p k j ) S K O C | | C I D ) . Then computes C M and sends it to P T U j , where C M = { A , B } = { A , g h 2 · ( B ) S K G C } .

5.6. Decryption

Once the P T U j has received the C M from OC, it can be decrypted using its private key.
1.
P T U j first calculates
h 1 = H ( ( P K G C ) s k j | | C I D ) = H ( g α · s k j | | C I D ) = h 1
h 2 = H ( ( P K O C ) s k j | | C I D ) = H ( g β · s k j | | C I D ) = h 2
2.
The aggregated electricity data M can be decrypted as follows:
M = L ( A · P K O C h 1 · g h 2 B ( mod n 2 ) )
3.
Once P T U j obtains the aggregated power consumption data M, it can perform dynamic power distribution according to the power consumption across the area.

6. Security Analyses

In this section, we analyze the security properties of the proposed scheme, proving that it meets the aforementioned security requirements.

6.1. Correctness

Theorem 1.
If the data sent by the S M i were not tampered by the adversary A , the R M M i would accept it.
Proof 1.
Once the R M M i receives the message { C m i , σ i , H I D i , T i } from the S M i , it can verify its authenticity using the following equation. Therefore, if the data sent by the S M i was not tampered by the adversary A , the R M M i will accept it.
g σ i = g η i + x i · H ( H I D i | | T i | | C m i ) = g η i · g x i · H ( H I D i | | T i | | C m i ) = H I D i , 1 · p k i H ( H I D i | | T i | | C m i )
Theorem 2.
Given multiple messages and their corresponding valid signatures { σ i } 1 i n from different smart meters, the batch verification technique (3) can be used to verify their authenticity simultaneously.
Proof 2.
The correctness of Equation (3) can be proved as follows:
i = 1 ( g σ i ) v i = i = 1 g v i ( η i + x i · H ( H I D i | | T i | | C m i ) ) = i = 1 ( g v i · η i · g v i · x i · H ( H I D i | | T i | | C m i ) ) = i = 1 ( H I D i , 1 · p k i H ( H I D i | | T i | | C m i ) ) v i
Theorem 3.
The designated recipients can decrypt the received message with their own private key to obtain the correct electricity data.
Proof 3.
The correctness of Equation (6) can be proved as follows:
M = L ( A · P K O C h 1 · g h 2 B ( mod n 2 ) ) = L ( ( P K r ) S ( 1 + n · i = 1 S M i ) · ( g β ) h 1 · g h 2 g h 2 · ( g h 1 · ( g r S ) S K G C ) S K O C ( mod n 2 ) ) = L ( ( 1 + n · i = 1 S M i ) ( mod n 2 ) ) = i = 1 S M i

6.2. User Anonymity and Un-Linkability

Theorem 4.
Our proposed scheme achieves user anonymity and un-linkability, i.e., the adversary A with probability polynomial-time resources cannot link the identity sent by the same smart meter.
Proof 4.
When a S M i sends its power consumption data to R M M i , it firstly hides its identity R I D to achieve anonymous transmission H I D i , where H I D i = H I D i , 1 , H I D i , 2 = g η i , R I D · ( P K G C ) η i . As the ElGamal encryption is semantic secure, i.e., the adversary cannot learn any plaintext information from the given ciphertext. Hence, A cannot learn the real identity of the smart meter. Moreover, the ElGamal ciphertext, which encodes the pseudo-identity, can be re-encrypted. The re-encryption can be performed multiple times, and it does not require the knowledge of the private key. After re-encryption, the ciphertext appears random and it cannot be linked to its previous form because ElGamal encryption is semantic secure. Therefore, if this pseudo-identity is refreshed regularly, A cannot link the identity to the same smart meter. □

6.3. Confidentiality

In our scheme, all transmissions are encrypted, so the adversary A cannot eavesdrop on the smart meter to get electricity data.
Theorem 5.
If the semantic security of the encryption scheme [38] holds, our proposed scheme satisfies confidentiality against malicious GC or OC.
Proof 5.
Assume that there is a probabilistic polynomial-time adversary A that can break the confidentiality of our proposed scheme. Our goal is to use A to construct an algorithm S to break the semantic security of the encryption scheme in [38]. S is given the public parameters ( n , g , p k 2 = g a ( mod n 2 ) ) , the adversary A can construct p k 1 = g b . Then the adversary A choose two messages of the same length m 0 and m 1 , we randomly select β { 0 , 1 } and encrypt m β as follow: E n c ( m β ) = { ( 1 + m β · n ) ( p k 2 ) r , g r } mod n 2 . The The encrypted ciphertext is sent to the adversary A . Adversary A performs further calculations as follows:
1.
A = { ( 1 + m β · n ) ( p k 2 ) r } b mod n 2 = { ( g a b ) r ( 1 + b · m β · n ) } mod n 2 , B = g r ;
2.
Based on ( A , B ) , A further construct a re-encryption ciphertext ( A , B ) , where A = A · g h 1 = { ( g a b ) r ( 1 + b · m β · n ) · g h 1 } mod n 2 , h 1 = H ( ( p k 1 ) a | | C I D ) , B = B .
We can observe that adversary A can obtain two raw data m 0 = b · m 0 and m 1 = b · m 1 . We set m β = b · m β . We can observe that ( A , B ) is one HRES ciphertext. It has already been proved that if the encryption scheme is semantically secure, then the HRES scheme is also semantically secure. Because the HRES is semantically secure, adversary A cannot guess the value of β . Hence, our proposed scheme satisfies confidentiality. □

6.4. No Single Point of Trust

The secret key of the system is shared by the GC and OC, and it is assumed that these two participants will not collude. Hence, neither of them can obtain the sensitive information within the system that is encrypted under the corresponding public key.

6.5. Designated Recipients

In the decryption phase, only the designated recipients can decrypt the ciphertext outputted by OC. The designated recipients have the private key s k j to compute h 1 = H ( ( P K G C ) s k j | | C I D ) and h 2 = H ( ( P K O C ) s k j | | C I D ) . Hence, designated recipients can obtain the aggregated power consumption data M. Although A and B are transmitted over the communication network, and the adversary A is assumed to be able to intercept this information, A cannot decrypt C M because it cannot calculate h 1 = h 1 and h 2 = h 2 . Therefore, only the designated recipients can obtain the computational results, but no one else.

6.6. Comparison of Security Properties

Our proposed scheme is compared with several related schemes, such as [20,33,34,35]. The following table presents the comparison results. As shown in Table 2, our scheme is the only one that can satisfy all of the desirable security properties, such as user anonymity, un-linkability, confidentiality, correctness, and designated recipients.

7. Efficiency Analyses

In this section, we evaluate the performance of our proposed scheme in terms of computation and communication.

7.1. Computation Costs

The following notations are used to denote different operations in our scheme. Let C e , C m and C H denote one exponentiation operation, one multiplication operation, and a hash function, respectively. The bilinear pairing C p incurs the most computation costs. The other operations are much faster, such as the hash operation and the addition operation. is the number of S M i in each area. S is the number of the regional master meters. In Table 3, the computation cost of all entities are listed, where “-”, GW, OA and CC denote non-considered, gateway, trusted operation organization and control center, respectively.
When smart meter S M i generates power consumption data { C m i , σ i , H I D i , T i } , the computational costs of user anonymity are considered negligibly. Then, 2 exponentiation operations and a multiplication operation are required to encrypt electricity data, and a hash operation are required to generate σ i . Thus, the computation costs of a smart meter is 2 C e + C m + C H . After receiving the power consumption data from smart meters, the RMM first verifies the received data by performing a batch verification, including exponentiation operations, multiplication operations, and hash operations. In addition, the RMM should aggregate the data from different S M i and encrypt the data, in which the computation costs are 2 C e + C m . As follows, the GC aggregates the data from different RMM, which costs 2 C e + C m .
When a designated recipient requests electricity data from the OC, OC forwards the request to the GC. It costs 3 exponentiation, a multiplication, and a hash operation. Then OC also needs to perform 3 exponentiation, a multiplication and a hash operation. After the designated recipient receives the data, it needs to spend 4 C e + 3 C m + 2 C H to perform the decryption operation. As hash function can be computed much faster than the other computations, we will ignore the computational costs of hash function evaluation.

7.2. Communication Costs

The communication overheads of our proposed scheme can be divided into two parts, power consumption data transmission, and electricity data request. In Figure 3, we compare the communication overheads of our scheme with some related schemes, such as EPPA [18], Shen’s scheme [39], and Jo’s scheme [40].
We first consider power consumption data transmission phase, where smart meters transmit the power consumption data to the RMM. The data is in the form of { C m i , σ i , H I D i , T i } . Thus, the size of power consumption data is S s = | C m i | + | σ i | + | H I D i | + | T i | . The group element in G is of 160 bits and Z p * contains elements of 160 bits. Each ciphertext is composed of two parts, we have 4 L ( n ) = 4096 bits if we choose 1024-bit n. When we set | T i | = 100-bit length, the communication overheads of S M i -to- R M M are S s = 4516 bits. Then the communication overheads of R M M -to- G C is S R = | C m i | + | σ | + | T j | = 4356 bits.
Next, we consider the electricity data request phase. Electricity data sent by GC to OC is in ciphertext, so the size of the communication overheads are S G = 4096 bits. OC still sends P T U j encrypted data after re-encrypting. Thus the communication overheads are also S O = 4096 bits.
In Figure 3a,b, we plot the communication overheads versus the number of smart meters. We set the number of smart meters from 1 to 1000 and increased it by an interval of 100. As shown in Figure 3a,b, the communication overheads in the grid increase linearly with the number of smart meters. In Figure 4, we present a graph of the relationship between the number of regions and the communication overheads. In our scheme, the encryption mode with long ciphertext length is used, so the communication overheads of our scheme are about twice compared with the scheme proposed by Shen et al. [39]. However, the increase in the number of regions does not affect the communication overheads sent by the OC to the designated recipients.

8. Conclusions

In this paper, we have proposed a privacy-preserving data aggregation scheme for smart grids with user anonymity and designated recipients. The smart meters collect users’ power consumption data but this data is encrypted using homomorphic re-encryption so that the adversary cannot intercept it and only the designated recipients can obtain the aggregated results. Moreover, users’ identities are protected and there is no single point of trust. Therefore, it provides a more secure and flexible solution for privacy-preserving data aggregation in the smart grid. Performance analysis demonstrates that it is generally as efficient as the existing related schemes, achieving more desirable security features.
In future work, we would like to investigate further how to remove the assumption that all participants are honest-but-curious, and introduce novel verification techniques to ensure those dishonest participants can be detected and identified. Moreover, the security proof for the authentication property suffers a loose security reduction because security arguments for the Schnorr signature require to use the Forking Lemma. In the future, we would like to explore efficient authentication techniques with a tight security reduction.

Author Contributions

Conceptualization, L.W., W.Z. (Wenzheng Zhang), and W.Z. (Wei Zhao); methodology, L.W.; software, L.W.; validation, W.Z. (Wenzheng Zhang); formal analysis, W.Z. (Wei Zhao); investigation, W.Z. (Wei Zhao); resources, W.Z. (Wenzheng Zhang); data curation, L.W.; writing—original draft preparation, L.W.; writing—review and editing, W.Z. (Wenzheng Zhang) and W.Z. (Wei Zhao); visualization, L.W.; supervision, W.Z. (Wenzheng Zhang); project administration, W.Z. (Wenzheng Zhang); funding acquisition, W.Z. (Wenzheng Zhang) and W.Z. (Wei Zhao). All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by Science and Technology on Communication Security Lab (Grant No. 6142103010710).

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Fang, L.; Huang, L.; Zhao, Q. Discussion on megalopolis power grid safety from the perspective of Venezuelan blackout. Power Energy 2019, 40, 674–677. [Google Scholar]
  2. Gao, K.; Han, F.; Dong, P.; Xiong, N.; Du, R. Connected vehicle as a mobile sensor for real time queue length at signalized intersections. Sensors 2019, 19, 2059. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  3. Arnold, G.W. Challenges and Opportunities in Smart Grid: A Position Article. Proc. IEEE. 2011, 99, 922–927. [Google Scholar] [CrossRef]
  4. Farhangi, H. The path of the smart grid. IEEE Power Energy Mag. 2010, 8, 18–28. [Google Scholar] [CrossRef]
  5. Liu, H. A Review on Development Practice of Smart Grid Technology in China. IOP Conf. Ser. Mater. Sci. Eng. 2017, 199, 012062. [Google Scholar] [CrossRef]
  6. Northcotegreen, J. Control and Automation of Electrical Power Distribution Systems; CRC Press: Boca Raton, FL, USA, 2007. [Google Scholar]
  7. Sheha, M.; Mohammadi, K.; Powell, K. Solving the duck curve in a smart grid environment using a non-cooperative game theory and dynamic pricing profiles. Energy Convers. Manag. 2020, 220, 113102. [Google Scholar] [CrossRef]
  8. Shen, H.; Liu, Y.; Xia, Z.; Zhang, M. An efficient aggregation scheme resisting on malicious data mining attacks for smart grid. Inf. Sci. 2020, 526, 289–300. [Google Scholar] [CrossRef]
  9. Yang, P.; Xiong, N.; Ren, J. Data security and privacy protection for cloud storage: A survey. IEEE Access 2020, 8, 131723–131740. [Google Scholar] [CrossRef]
  10. Aloqaily, M.; Boukerche, A.; Bouachir, O.; Khalid, F.; Jangsher, S. An energy trade framework using smart contracts: Overview and challenges. IEEE Netw. 2020, 34, 119–125. [Google Scholar] [CrossRef]
  11. Lopez, J.; Rubio, J.E.; Alcaraz, C. A resilient architecture for the smart grid. IEEE Trans. Ind. Inform. 2018, 14, 3745–3753. [Google Scholar] [CrossRef]
  12. Serrano, D.; Ruíz, J.F.; Muñoz, A.; Maña, A.; Armenteros, A.; Crespo, B.G.N. Development of applications based on security patterns. In Proceedings of the 2009 Second International Conference on Dependability, Athens, Greece, 18–23 June 2009; pp. 111–116. [Google Scholar]
  13. Sánchez-Cid, F.; Mana, A.; Spanoudakis, G.; Kloukinas, C.; Serrano, D.; Munoz, A. Representation of security and dependability solutions. In Security and Dependability for Ambient Intelligence; Springer: Boston, MA, USA, 2009; pp. 69–95. [Google Scholar]
  14. Li, S.; Xue, K.; Yang, Q.; Hong, P. PPMA: Privacy-preserving multi-subset aggregation in smart grid. IEEE Trans. Ind. Informat. 2018, 14, 462–471. [Google Scholar] [CrossRef]
  15. Zhang, J.; Zhao, Y.; Wu, J.; Chen, B. LVPDA: A lightweight and verifiable privacy-preserving data aggregation scheme for edge-enabled IoT. IEEE Internet Things J. 2020, 7, 4016–4027. [Google Scholar] [CrossRef]
  16. Ding, Y.; Wang, B.; Wang, Y.; Zhang, K.; Wang, H. Secure metering data aggregation with batch verification in industrial smart grid. IEEE Trans. Ind. Inform. 2020, 16, 6607–6616. [Google Scholar] [CrossRef]
  17. Paillier, P. Public-key cryptosystems based on composite degree residuosity classes. In International Conference on the Theory and Applications of Cryptographic Techniques; Springer: New York, NY, USA, 1999; pp. 223–238. [Google Scholar]
  18. Lu, R.; Liang, X.; Li, X.; Lin, X.; Shen, X. EPPA: An efficient and privacy preserving aggregation scheme for secure smart grid communications. IEEE Trans. Parallel Distrib. Syst. 2012, 23, 1621–1631. [Google Scholar]
  19. Shen, H.; Zhang, M.; Wang, H. A lightweight privacy-preserving fair meeting location determination scheme. IEEE Internet Things J. 2020, 7, 3083–3093. [Google Scholar] [CrossRef] [Green Version]
  20. Ding, W.; Yan, Z.; Deng, R.H. Encrypted data processing with homomorphic re-encryption. Inf. Sci. 2017, 409, 35–55. [Google Scholar] [CrossRef]
  21. Guan, Z.; Zhang, Y.; Zhu, L.; Wu, L.; Yu, S. EFFECT: An efficient flexible privacy-preserving data aggregation scheme with authentication in smart grid. Sci. China Inf. Sci. 2019, 62, 32103. [Google Scholar] [CrossRef] [Green Version]
  22. Li, H.; Lin, X.; Yang, H.; Liang, X.; Lu, R.; Shen, X. EPPDR: An efficient privacy-preserving demand response scheme with adaptive key evolution in smart grid. IEEE Trans. Parallel Distrib. Syst. 2014, 25, 2053–2064. [Google Scholar] [CrossRef] [Green Version]
  23. Zhang, M.; Chen, Y.; Lin, J. A privacy-preserving optimization of neighborhood-based recommendation for medical-aided diagnosis and treatment. IEEE Internet Things J. 2021, 8, 10830–10842. [Google Scholar] [CrossRef]
  24. Zhang, M.; Chen, Y.; Xia, Z.; Du, J.; Susilo, W. PPO-DFK a privacy-preserving optimization of distributed fractional knapsack with application in secure footballer configurations. IEEE Syst. J. 2020, 15, 759–770. [Google Scholar] [CrossRef]
  25. Liu, Y.; Guo, W.; Fan, C.; Chang, L.; Cheng, C. A practical privacy-preserving data aggregation (3pda) scheme for smart grid. IEEE Trans. Ind. Inf. 2019, 15, 1767–1774. [Google Scholar] [CrossRef]
  26. Xue, K.; Zhu, B.; Yang, Q.; Wei, D.S.L.; Guizani, M. An efficient and robust data aggregation scheme without a trusted authority for smart grid. IEEE Internet Things J. 2020, 7, 1949–1959. [Google Scholar] [CrossRef]
  27. Zhao, S.; Li, F.; Li, H.; Lu, R.; Ren, S.; Bao, H.; Lin, J.H.; Han, S. Smart and practical privacy-preserving data aggregation for fog-based smart grids. IEEE Trans. Inf. Forensics Secur. 2021, 16, 521–536. [Google Scholar] [CrossRef]
  28. Su, Y.; Li, Y.; Li, J.; Zhang, K. LCEDA: Lightweight and Communication-Efficient Data Aggregation Scheme for Smart Grid. IEEE Internet Things J. 2021, 8, 15639–15648. [Google Scholar] [CrossRef]
  29. Huang, C.; Wang, X.; Gan, Q.; Huang, D.; Yao, M.; Lin, Y. A lightweight and fault-tolerable data aggregation scheme for privacy-friendly smart grids environment. Clust. Comput. 2021, 24, 3495–3514. [Google Scholar] [CrossRef]
  30. Xu, C.; Zhang, L.; Zhu, L.; Zhang, C.; Du, X.; Guizani, M.; Sharif, K. Aggregate in my way: Privacy-preserving data aggregation without trusted authority in ICN. Future Gener. Comput. Syst. 2020, 111, 107–116. [Google Scholar] [CrossRef]
  31. Tan, X.; Zheng, J.; Zou, C.; Niu, Y. Pseudonym-based privacy-preserving scheme for data collection in smart grid. Int. J. Hoc Ubiquitous Comput. 2016, 22, 120–127. [Google Scholar] [CrossRef]
  32. Guan, Z.; Si, G.; Zhang, X. Privacy-preserving and Efficient Aggregation based on Blockchain for Power Grid Communications in Smart Communities. IEEE Commun. Mag. 2018, 56, 82–88. [Google Scholar] [CrossRef] [Green Version]
  33. Liu, X.; Zhang, Y.; Wang, B.; Wang, H. An anonymous data aggregation scheme for smart grid systems. Secur. Commun. Netw. 2014, 7, 602–610. [Google Scholar] [CrossRef]
  34. Sui, Z.; Alyousef, A.; de Meer, H. IAA: Incentive-based anonymous authentication scheme in smart grids. In International Conference on Internet Science; Springer: Cham, Switzerland, 2015; pp. 133–144. [Google Scholar]
  35. Yu, C.; Chen, C.; Kuo, S.; Chao, H. Privacy-preserving power request in smart grid networks. IEEE Syst. J. 2013, 8, 441–449. [Google Scholar] [CrossRef]
  36. Cheung, J.; Chim, T.; Yiu, S.; Hui, L. Credential-Based Privacy-Preserving Power Request Scheme for Smart Grid Network. In Proceedings of the IEEE Global Telecommunications Conference, Houston, TX, USA, 5–9 December 2011; pp. 1–5. [Google Scholar] [CrossRef] [Green Version]
  37. Hornget, S. b-SPECS+: Batch verification for secure pseudonymous authentication in VANET. IEEE Trans. Inf. Forensics Secur. 2013, 8, 1860–1875. [Google Scholar] [CrossRef]
  38. Bresson, E.; Catalano, D.; Pointcheval, D. A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications. In Advances in Cryptology-ASIACRYPT; Springer: Berlin/Heidelberg, Germany, 2003; pp. 37–54. [Google Scholar]
  39. Shen, H.; Zhang, M.; Shen, J. Efficient privacy-preserving cube-data aggregation scheme for smart grids. IEEE Trans. Inf. Forensics Secur. 2017, 12, 1369–1381. [Google Scholar] [CrossRef]
  40. Jo, H.; Kim, I.; Lee, D. Efficient and Privacy-Preserving Metering Protocols for Smart Grid Systems. IEEE Trans. Smart Grid 2016, 7, 1732–1742. [Google Scholar] [CrossRef]
Figure 1. The traditional architecture of the smart grid.
Figure 1. The traditional architecture of the smart grid.
Symmetry 14 00847 g001
Figure 2. System model in our scheme.
Figure 2. System model in our scheme.
Symmetry 14 00847 g002
Figure 3. Comparison of the communication overhead. (a) SM-to-RMM. (b) OC-to-PTU.
Figure 3. Comparison of the communication overhead. (a) SM-to-RMM. (b) OC-to-PTU.
Symmetry 14 00847 g003
Figure 4. Communication overhead incurred by regions.
Figure 4. Communication overhead incurred by regions.
Symmetry 14 00847 g004
Table 1. Some notations.
Table 1. Some notations.
NotationsMeaning
p,qTwo large primes such that q|p–1
GA finite cyclic group with order q
gThe generator of group G
Z p * A multiplicative group modulo p
HA collision resistant hash function
PKThe public key
miUser’s power consumption data
MiThe power consumption data recorded by RMMi
MThe total amount of power usage across all areas
,SThe number of SMi in each area and RMMi
RIDThe smart meter’s real identity
T*The current time stamp of the RMMi
ΔTThe allowed time delay in the system
CIDComputation identifier
L(*)Bit length of the input data
||The message concatenation operation
Table 2. Comparison with Existing Related Schemes.
Table 2. Comparison with Existing Related Schemes.
SchemesDing [20]Liu [33]Sui [34]Yu [35]Ours
AnonymityNYYYY
Un-linkabilityNNNNY
ConfidentialityYNNNY
CorrectnessYYYYY
Designated recipientsYNNNY
Table 3. Comparison of Computation Costs.
Table 3. Comparison of Computation Costs.
SchemesOur SchemeEPPA [18]Guan [21]Shen [39]
SM 2 C e + C m l C e + C m + 4 C p 4 C e + 3 C m 2 C e + C m
RMM/GW l C e + l C m w C p + C m 3 C e + 2 l S C m n i C p + ( n n i ) C e + C m
GC 5 C e + 2 C m -- ( S + 2 ) C p + C m
OC 3 C e + C m ---
PTU/OA/CC 4 C e + 3 C m 2 C p + C e + 4 C m 3 C e + 2 C m 2 C p
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Wu, L.; Zhang, W.; Zhao, W. Privacy Preserving Data Aggregation for Smart Grid with User Anonymity and Designated Recipients. Symmetry 2022, 14, 847. https://doi.org/10.3390/sym14050847

AMA Style

Wu L, Zhang W, Zhao W. Privacy Preserving Data Aggregation for Smart Grid with User Anonymity and Designated Recipients. Symmetry. 2022; 14(5):847. https://doi.org/10.3390/sym14050847

Chicago/Turabian Style

Wu, Liang, Wenzheng Zhang, and Wei Zhao. 2022. "Privacy Preserving Data Aggregation for Smart Grid with User Anonymity and Designated Recipients" Symmetry 14, no. 5: 847. https://doi.org/10.3390/sym14050847

APA Style

Wu, L., Zhang, W., & Zhao, W. (2022). Privacy Preserving Data Aggregation for Smart Grid with User Anonymity and Designated Recipients. Symmetry, 14(5), 847. https://doi.org/10.3390/sym14050847

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop