- About this Journal ·
- Abstracting and Indexing ·
- Aims and Scope ·
- Annual Issues ·
- Article Processing Charges ·
- Articles in Press ·
- Author Guidelines ·
- Bibliographic Information ·
- Citations to this Journal ·
- Contact Information ·
- Editorial Board ·
- Editorial Workflow ·
- Free eTOC Alerts ·
- Publication Ethics ·
- Reviewers Acknowledgment ·
- Submit a Manuscript ·
- Table of Contents

International Journal of Distributed Sensor Networks

Volume 2013 (2013), Article ID 457325, 11 pages

http://dx.doi.org/10.1155/2013/457325

## SP^{2}DAS: Self-certified PKC-Based Privacy-Preserving Data Aggregation Scheme in Smart Grid

^{1}College of Science, North China University of Technology, Beijing 100144, China^{2}Department of Mathematics, Handan College, Handan, Hebei 056005, China

Received 2 August 2012; Accepted 10 October 2012

Academic Editor: Shuai Li

Copyright © 2013 Jianhong Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Smart grid is a network of computers and power infrastructures that monitor and control energy usage by collecting data from the power grid. It can gather and distribute information about the behavior of all consumers in order to improve the efficiency, reliability, economics, safety, and sustainability of electricity services. In this paper, we propose a self-certified PKC-based privacy-preserving data aggregation scheme in smart grid to increase computation efficiency and achieve privacy protection of end users. To realize the anonymous aggregation of multidimensional data, we adopt the Chinese Remainder Theorem and homomorphic property of Paillier cryptosystem to achieve it. Comparing our scheme with Lu et al.'s scheme, the result shows that our scheme has more advantages over Lu et al.'s scheme in terms of computational costs of the user, GW, and OA. After adopting batch verification technique, the computational cost of GW is constant in our scheme, however, that of GW is linear with the number of the users in Lu et al.'s scheme. Furthermore, our scheme also supports the anonymity of the user's identity. It indicates that the local gateway GW does not know the real identity of the resident user such that the privacy of the user is better protected.

#### 1. Introduction

Power electric systems in most countries have became old and inefficient. It might result in potential safety hazards. The Northeast blackout of 2003 was worth to be pondered. In this accident, about 200,000 people were affected, and 265 power plants were shut down during the outage. Investigations report found that the reason of blackout was due to human error and equipment failures. And this report indicated that this blackout could have been prevented and that immediate actions must be taken in both the United States and Canada to ensure that our electric system was more reliable. It puts forth a challenge for us. When a problem appears, how should we find it and solve it in time?

To overcome the problems caused by aging power grids, smart grid is developed. The earlier emerging smart grid technologies are electronic control, metering, and monitoring. The term *smart grid* has been used since at least 2005, when it appeared in [1]. There are many smart grid definitions in the recent literature in different flavors. However, a common factor in these definitions is the application of digital processing and communications to the power grid, making data flow and information management central to the smart grid.

The objective of smart grid is to provide end users or consumers with power in a more flexible, stable, and reliable manner. It makes end users know real-time electricity usage so as to actively adjust use of electricity. Therefore, the smart grid is characterized by a two-way flow of electricity and information between the provider and consumer of electric power. It achieves an automated, distributed energy delivery network and helps end users to balance power supply and demand by distributed computing and communications to deliver real-time information. Meanwhile, it also can detect and respond to weaknesses or failures in the power system in real time such that potential dangers are prevented.

Communication framework in smart grid is shown in Figure 1, where power transmission and distribution systems are separated from the communication system. In the communication system in smart grid, smart meter is an important component in smart grid it can record consumption of electric energy in a time interval and communicate the information back to the utility for monitoring and billing purposes. However, current smart metering technologies which are applied in smart meters may result in privacy leak issues because they depend upon centralizing personal consumption information of the consumers at their smart meters. In 2009, The Netherlands enacted relevant laws to force to consider privacy issues in case of using smart meters [2]. Similarly, in the United States, NIST dictated that there privacy issues be taken into account in the design of smart grid communications [3]. These privacy concerns may be addressed by adequately authenticating the smart meters. However, smart meter is a rather limited resources device with low memory and computational capacity. Thus, we cannot put too much burden on the constrained smart metering resources in the time of designing an authentication mechanism for smart grid communication.

Because communication in smart grid is based on the public data communication networks such as Internet. there exist a wide variety of malicious attacks, such as replay, eavesdropper, tamper of data, traffic analysis, tracing of the locations, and denial of service (DOS) attacks. Thus, before putting the application of smart grid into practice, the corresponding security and privacy issues must be resolved. For example, without the security and privacy guarantees, an adversary in smart grid can forge a fraudulent electricity usage data or breakdown information to mislead operation center. In terms of end users, privacy is a most concerned problem. It includes privacy of identity and privacy of data. Power-consuming data may reveal family income and physical activities. For example, power consumption of a household in a certain time is very low or zero; it implies that no one is at home. The user's identity is sensitive information. If it is leaked, it may result in potential unsafe factor. Then home address and the number of apartments of the user are known. Thus, this privacy-sensitive information must be anonymous.

To achieve data privacy, encryption algorithm is used to ensure the safety of data. However, it may result in data expansion. How do we resist data expansion in the case of keeping data privacy? It brings a challenge to the smart meter with constraint resource. To solve this issue, we adopt homomorphic encryption technique [4] since it can achieve data aggregation under the condition that the data is encrypted. In other words, data can be aggregated in the ciphertext form. In 2005, Castelluccia et al*.* [5] adopted homomorphic encryption techniques to realize the aggregation of encrypted data without decryption at intermediate nodes. Subsequently, Westhoff et al. showed that the scheme [6] may result in an increased message overhead in per monitoring node since the ID list of the encrypting nodes must be transmitted when every node used different keys. Thus, a symmetric homomorphic encryption technique was applied to increase the efficiency in [6]. In [7], Shi et al. was based on Castelluccia's scheme to put forth a privacy-preserving data aggregation scheme to preserve user privacy. Most of the previous works mainly focus on one-dimensional data. Recently, Lu et al. proposed a multidimensional data aggregation approach based on the homomorphic Paillier cryptosystem by using superincreasing sequence [8]. However, the computation overhead of local gateway is rather high. And the identity of end user is revealed in the communication between user and local gateway. According to [9], the memory size of the local GW is up to 128 KB random access memory (RAM), 1 MB flash memory, and 160 MHz CPU. Thus, the computational cost of the local gateway should be low as soon as possible.

Since the communication between the end user and the local gateway (GW) usually adopts wireless technology, it makes the end user suffer from the different attacks due to the open wireless network. Privacy protection of the end user's identity is particularly important. To guarantee end user's privacy, two important approaches are pseudonym mechanisms and group signature technique. The pseudonymity-based approach needs to periodically change a pseudonym. The group signature-based approach results in longer length of a signature than that of original signature, and computation cost of verifying a signature is very large. These approaches are suitable for smart metering with limited resource.

Self-certified public key cryptosystem was introduced by Marc [10]. In the self-certified public key system, verification and management of certificates are not required, and the key escrow problem can also be eliminated. The main idea is that certificate of public key is replaced by a witness, and the public key is implicitly embedded in it. Anyone who holds a witness along with an attributive identity can recover the corresponding public key to verify a signature. Thus, it leads to the reduction of communication, computation, and storage amount.

*Our Contributions*. To construct a scheme which is suitable for the device with low communication and computation resources in smart grid and achieve privacy protection of the end user’s identity, in this paper, we propose a novel self-certified PKC privacy-preserving data aggregation (SP^{2}DA) scheme. This scheme supports the aggregation of multidimensional power usage data by converting multidimensional data into a single-dimensional data. The main works of this paper are three-fold. (1)To support aggregation of multidimensional data, we adopt the Chinese Remainder Theorem to achieve the conversion of multidimensional data to single-dimensional data. (2)To support privacy of identity, the scheme adopts self-certified public key cryptography to achieve it. It makes the scheme have the following advantages: short length of the signature and low computation. (3)In the scheme, we realize that the computational cost of the local gateway is constant. It makes our scheme have more advantage over Lu et al.’s scheme [8] in terms of computational cost.

#### 2. Communication System Model in Smart Grid

In the following, we give formal communication system model, security requirements, and our design goals.

##### 2.1. Communication Model

The communication model, it mainly consists of operation center and local area network (LAN). Operation center is responsible for dynamically balancing power supply. In general, a trusted operation authority (OA) manages it at operation center. All residential users in a special residential area (RA) and the local gateway (GW) form an LAN. Smart appliances and smart meters form a home area network (HAN). The communication between the user and the local gateway is achieved by the communication between smart meters in an HAN and the local gateway. Smart meters transmit the collected real-time electricity usage data to the local gateway. After aggregating all electricity usage data, the local gateway reports the result to operation authority. On receiving the reports from the local gateway in the residential area RA, the OA analyzes the received reports and sends the corresponding to feedback information to the local gateway in the residential area. Then the local gateway broadcasts the feedback information to all users in the residential area. Finally, the users dynamically adjusts power consumption of smart appliance.

##### 2.2. Security Requirements

Security protection is essential in smart grid communication. It is an important condition before deploying smart grid. In the security model, the main aim is to ensure integrity and validity of the transmitted data and the privacy of user's identity.

Here, we assume that the OA is trustable and the local gateway GW is semitrustable, and the users in the residential area are honest. Because the connection of local gateway with the users adopts wireless techniques, there may exist an adversary to eavesdrop the residential users’ communication to obtain message. In addition, we allow the adversary to launch active attacks on the residential users. To resist attacks of the adversary , we require that the communication in smart grid should satisfy the following security requirements.(1)Authentication: it includes authentication of the user identity and message integrity. The user identity authentication means that the encrypted report is from a legal user. Message integrity authentication means that the transmitted data has not been altered. Any tempered data can be detected. (2)Private: it also includes two points. The first point indicates that the data which is sent by the residential user is private since it is encrypted and the final data is aggregated. Only the operation authority OA can recover it. The other point indicates that the identity of the residential user is privacy for the local gateway. Any one cannot obtain the relevant information to the identity of the user from the transmitted data. Even the OA cannot also obtain any relevant information to the user from the aggregated data.

##### 2.3. Design Goal

Based on the previous communication model and security requirements, our design goal is to construct an efficient data aggregation protocol to achieve the following three objectives. (1)*Multidimensional data aggregation*: in smart grid, the data which smart meters collect includes various types, such as the amount of the consumed power, and temperature and so on. The data in each dimension do not reflect the use of the global situation; thus, we must take into account all the dimensions in order to realize finer-grained control and optimization. At the same time, smart meters of hundred and thousand residential users periodically send the multidimensional data. To efficiently deal with the huge communication cost and multidimensional data, we need to construct an efficient aggregation scheme to support multidata aggregation. (2)*Global security*. The smart meter-generated data should be authenticated to guarantee that they are from real sources and have not been tampered with during transmission. A tampered fraudulent data must be caught by the OA. (3)*Privacy of the residential user*: if a residential user behaves honestly and follows the protocol, its identity privacy should be guaranteed against attackers who can eavesdrop communication in smart grid. It means that the identities of the residential users were not revealed during the transmission of the data. However the OA cannot also obtain the identity information of the residential users from the transmitted real-time reports.

#### 3. Preliminaries

In the following, we first review the bilinear pairing technique [11] and the Paillier Cryptosystem [9] as well as some mathematics problems. They are the basis of the proposed SP^{2}DA scheme. Then some security assumptions which are the basis of security proof are given.

##### 3.1. Bilinear Map and Paillier Cryptosystem

In this subsection, we briefly review the properties of the bilinear pairings.

Let , , and be three cyclic multiplicative groups with the prime order . Let , and be the generator of groups and . An admissible pairing , which satisfies the following three properties: (i)bilinear: if and , then ; (ii)nondegenerate: there exists a such that ; (iii)computable: if , one can compute in polynomial time.

The modified Weil pairing and the Tate pairing are admissible maps of this kind. Please the interested readers refer to [12] for the details.

The Paillier Cryptosystem [9] is a classic homomorphic encryption. Its homomorphic property takes advantage of the homomorphic property of the exponentiation function and makes an encryption of message be obtained from any encryption of messages and , as . And the security of the scheme is based on a discrete logarithm trapdoor modulo a large integer. In the following, we briefly review it. (1)Key generation phase: let be an RSA modulus where , and are two large prime numbers. Let be an element of order at least in the multiplicative group . Then the public key is , and the corresponding private key is (2)Encryption phase: let be an encrypted message and , and randomly choose to compute a ciphertext . (3)Decryption phase: given a ciphertext , the corresponding plaintext can be recovered by the private key . Please refer to [4] for the detailed process.

##### 3.2. Security Assumption

*Decisional Bilinear Diffie-Hellman Problem (DBDH).* The DBDH problem in , , is stated as follows: given four elements
for unknown , and , determine whether .

*The Weak Computational Diffie-Hellman Problem (WCDH).* Let be a multiplicative cyclic group of order ; is a generator of group . is a finite field. Given values , where is an integer and , the goal of -weak CDH problem is to compute .

The -wCDH problem is -hard, if there is no PPT algorithm that can solve the -wCDH problem in time at most with probability if

The -wCDH problem is a new hard problem. The hardness of the problem is based on the difficulty of solving Collusion Attack Algorithm with traitors.

*The ** Exponent Problem (EP).* Let be a multiplicative cyclic group of order ; is a generator of group . is a finite field. Given values , where is an integer and , its goal is to compute .

The EP is -hard, if there is no PPT algorithm can solve the EP in time at most with probability if

The hardness of exponent problem is proved that it is polynomial time equal to the -wCDHP.

*The Extended ** Exponent Problem (EP). *Let and be two multiplicative cyclic groups of order ; is a generator of group . is a finite field, and is a computable isomorphism from group onto group such that . Given values and an isomorphism map , where is an integer and , its goal is to compute .

The extended EP is -hard, if there is no PPT algorithm that can solve the extended EP in time at most with probability if
*Chinese Remainder Theorem [13]. *Suppose are positive integers which are pairwise coprime. Then, for any given sequence of integers , there exists an integer solving the following system of simultaneous congruences:
Let the product be defined. Then a solution can be found as follows: For each , the integers and are coprime. Using the extended Euclidean algorithm we can find integers and such that . Let . Then a solution is solved as follows:

#### 4. Our Anonymous Self-Certified Signature Scheme

In this section, we will give a novel self-certified anonymous signature scheme which is the basis to achieve the anonymity of the residential user's identity in our SP^{2}DA scheme.

##### 4.1. System Setup

Let , , and are three cyclic groups with the same prime order . is a pairing map. is a generator of group . is an isomorphism map. The TTP chooses two hash functions and . Then it randomly chooses as his private key and computes the corresponding public key . Finally, the system parameters are published as follows:

##### 4.2. KeyGen

For a user with identity , it first randomly selects to compute . Then the public-private key pair is .

##### 4.3. WitReg

When a user with identity wants to register, it computes a proof of zero-knowledge of its private key and sends to the TTP.

The TTP first checks whether and is valid. If they hold, then it produces the following witness and sends it to the user. Then the user's private key is .

##### 4.4. Anonymous Signing

To produce a signature on message , the user with identity computes as follows. (1)First, it randomly chooses a number to compute and in order to conceal the witness of the user and his identity “”. (2)Then randomly choose to compute (3)Finally, the resultant anonymous signature on message is .

##### 4.5. Verifying

After receiving a signature on message , a verifier can execute the following process for each signature.(1)Firstly, the verifier parses into and computes . (2)Then it checks

##### 4.6. Security Analysis

In the following, we show that the previously mentioned anonymous self-certified signature scheme is secure against existential universal forgery under adaptive chosen message attack.

Lemma 1. * If there exists an adversary can forge the previous anonymous signature on a message , then the EP problem can be solved in the polynomial time.*

*Proof. * Here, we will show that if an adversary could forge a valid message signature in our scheme, then there exists another adversary that can solve the -EP instance in groups and . Let us recall the EP problem; given , and distinct elements where , its goal is to output . In the following, we will give the detailed process.

To answer the different queries from the adversary , we need to run to set up the system parameters. Let , , and be three cyclic groups with order . is a bilinear pairing map. sets as the generator of group and as the master public key of the TTP, where the master private key of TTP is unknown. Let be a computable isomorphism from group to such that . and are two hash functions. Finally, sends the system parameters to the attacker .

-Oracle. when an adversary makes a query with message , outputs if appears in the list which is initially empty. Otherwise, tosses a coin with the probability and randomly chooses to answer the following query. (1)If , then sets . (2)If , then sets .

Finally, returns to the adversary and adds in the -list.

-Oracle: when an adversary makes a query with string , outputs if is in the list which is initially empty. Otherwise, randomly chooses to set and returns to the adversary; then it adds to the -list.*Corruption Oracle*. When makes a corruption query with identity . If exists in the list which is initially empty, then outputs . Otherwise, randomly chooses to return to and adds to the list .*WitReg Oracle*. issues a witness register query on input , and outputs a if is in the List which is initially empty. Otherwise, searches the private key in the list and in the list , respectively, and returns the corresponding and . If , then computes the following witness:
where . Then, returns to the adversary and adds in the list . If , then claims failure and aborts the simulation.*Anonymous signing oracle.* When the adversary issues an anonymous signature query with . If exists in the lists and , then retrieves the corresponding and and runs anonymous signing algorithm to produce a signature . Otherwise, executes as follows. (1) firstly retrieves from the -list. Note we assume that is queried for -Oracle before other oracles were queried with . (2)Then, randomly picks to set . (3)And randomly selects to compute and sets . (4) picks at random to compute . (5) checks whether string exists in the -list. If it exists, outputs Fail and aborts it. Otherwise, it sets . (6)Finally, the resultant signature is returned to . *Forgery.* Eventually, outputs a forgery on message under the identity . wins the game if and only if the following conditions hold. (1) is a valid signature. (2) is never an input of anonymous authentication oracle. (3) is not an input of vehicle register oracle. (4)The corresponding with is equal to 1 in the -list. (5)The corresponding with exists in the -list.

According to the forking lemma [14], makes a replay with the same random tap but different choice of ; then it outputs another valid signature on the same message , where , , and . We assume that is in the -list. Then we have
where and .

Thus, we have
where and is an unknown number which is a blinded factor in the signing phase, namely, .

Lemma 2. * Our signature satisfies anonymity of signer's identity. *

*Proof. * Given a signature on message , we cannot obtain any information of the signer. According to the previous signature scheme, we know that are the relevant identity information of the signer. However, in our signature, and are blinded by a random number . Thus, it is impossible to obtain any information of and from of the signature . Furthermore, is an unknown number in terms of the attacker; it cannot obtain the relation of and . For in the signature , it does not reveal any information of the signer. For in the signature , it is expressed as the following form:
Although the private key of the signer is included, is randomized by two random numbers , and . Thus, has not also reveal any information of the signer's identity. According to the previous statement, any one cannot obtain the identity of the signer from a signature. Therefore, our scheme achieves anonymity.

#### 5. Our Privacy-Preserving Data Aggregation Scheme

In the following, we will put forth a novel privacy-presrving aggregation scheme in smart by utilizing the proposed self-certified anonymous signature scheme. Three types of entities, That is, the trusted operation authority (OA), a local gateway (GW), and the residential users (U), are involved in the scheme. It mainly consists of the following six phases: system initialization, GW register, user register, user report generation phase, privacy-preserving report aggregation phase, secure report reading, and response phase.

##### 5.1. System Initialization

The trusted operation authority (OA) set up the system as follows. Let , , and be three multiplicative cyclic groups of the same big prime order . is a generator of group . is a computable isomorphism from group onto group such that . is a bilinear map. The trusted operation authority (OA) randomly chooses as master key; then the corresponding public keys and are computed. is a random element of group . And it chooses three collision-resistant hash functions , , and .

In addition, OA initializes Paillier cryptosystem. Therefore, it chooses two large primes , and with equal length, then it computes RSA modulus and . Define a function and choose a generator . OA computes . At the same time, we assume that the number of households in a residential area is at most and denotes the number of the different type of reported electricity usage data in smart grid, where is less than a constant . Then, chooses coprime number . Let and and , where is derived by the previous Chinese Remainder Theorem and denotes the th electricity usage data of the user . After that, for to , computes .

Finally, OA publishes the system parameters and keeps the master keys .

##### 5.2. GW Registration

When a local gateway (GW) of the residential area wants to register itself in the system, it randomly chooses a number as the private key and computes the corresponding public key .

##### 5.3. User Registration

When a user of residential area wants to join this system, the user with real identity must interactively communicate with OA by a confidential channel by the following steps. (1)The user with identity first chooses a as his private key and computes the corresponding public key . (2)Then it computes a zero-knowledge proof of private key and sends to OA. (3)The OA verifies the validity of and the zero-knowledge proof . If they hold, then the OA computes and returns to the resident user and keeps in the database. (4)Upon receiving , the user first checks whether it is valid by the following equation: If it is valid, then is the membership certificate of the user , and it is added into the local database.

##### 5.4. User Report Generation

To periodically report electricity usage data of the residential user, each user collects types of data by using the smart meters to execute the following steps. (1)Randomly choose to compute the Paillier encryption (2)Then, it randomly chooses to compute and in order to conceal the certificate and his identity of the residential user . (3)And randomly choose to compute where is a timestamp. (4)The resultant anonymous signature on message is . (5)Finally, the encrypted electricity usage data is reported to be the local gateway GW in the residential area RA. Note that the reported electricity usage data of the user do not reveal any information of the user's identity.

##### 5.5. Privacy-Preserving Report Verification and Aggregation of GW

After receiving all electricity usage data , from RA, the local gateway GW first checks whether belongs to a valid time slots, then it verifies the validity of signature , by the following processes.(1)Firstly, GW parses into and computes . (2)Then check

To increase efficiency of verifying signatures, the local gateway GW can make use of the following batch verification: where .

We can find that the computation overhead in the batch verification is approximate to that in the verification of a signature. It only needs three pairing operations which are the most time-consuming operators.

After all previously mentioned verifying is valid, the gateway GW performs the following aggregation process to aggregate all electricity usage reports. (1)It aggregates all encrypted data into by computing (2)Then, it produces a BLS signature by his private key : where denotes a timestamp. (3)Finally, send the aggregated data to the operation authority OA.

##### 5.6. Secure Report Reading and Response

After receiving an aggregated on message , the authority operation OA first checks whether the signature is valid by the equation . Then it decrypts the aggregated and encrypted electricity usage report by the Paillier decryption algorithm.

Since

then the recovered message is .

By the Chinese Remainder Theorem, we can obtain the electricity usage data as follows:

for to

compute .

All derived electricity usage data are the aggregation of residential user's electricity usage. After analyzing these data, the OA sends the feedback data to notify all residential users in residential area RA for adjusting the usage of electricity quantity. The process is done as follows. (1)It randomly chooses to compute and . (2)And it computes . (3)The resultant cipher is . In fact, it is a broadcast encryption from Step 1 to Step 3. (4)Then the OA produces a BLS signature where is a timestamp and feedback to the local gateway GW in the residential area. (5)Upon receiving the transmitted , the GW can check whether it is valid by the following equation If is holds, then it broadcasts to all residential users in the residential area RA. (6)After receiving the broadcasted , each residential user can decrypt as follows. (a)It computes (b)Then it recovers the message as .

With the recovered electricity usage feedback report , the user can control power use of household appliances from peak times to nonpeak times for saving electrical energy and rational utilization.

#### 6. Security Analysis

In this section, we show that our scheme satisfies the previous security requirements.(1)Global security requirement: obviously, this security requirement is satisfied since each user's report is signed by our anonymous signature algorithm and the aggregated report is signed by BLS signature algorithm in our scheme. Furthermore, Lemma 1 shows that our anonymous signature is secure against adaptive chosen message attack, and the BLS short signature is provably secure under the CDH problem. Thus, we can efficiently identify the identity of the resident user, and it is impossible that exists a valid signature on a tempered data. (2)Multidimensional data aggregation: in our SP^{2}DA scheme, we adopt the Chinese Remainder Theorem and Paillier Cryptosystem. It can achieve multidimensional data aggregation in the ciphertext form. For a user's transmitted data , they are represented as
can be considered as single-dimensional data to process. When receiving data , the local gateway GW can aggregate these data as
Since for to , the relation holds, thus, the OA can obtain by computing according to the Chinese Remainder Theorem. Therefore, our scheme can achieve multidimensional data aggregation. (3)Privacy of the residential user: Because the transmitted report of the residential user is signed by adopting our anonymous signing algorithm in our SP^{2}DA scheme, each residential user’s identity is protected. Furthermore, the transmitted report is encrypted by Paillier Encryption algorithm, it means even if the attacker eavesdrops the transmitted report, it still cannot obtain the individual user's data. For a feedback message of the OA, OA sends the ciphertext of this feedback message to all residential users in residential area RA by adopting broadcast encryption. Only the residential user in the RA can recover the corresponding feedback message . In the following security proof, we will show that the confidentiality of the transmitted feedback message can be achieved.

Lemma 3. *The broadcast encryption scheme in our SP ^{2}A scheme is semantic secure against chosen-plaintext attack under the DBDH problem. *

*Proof. *Suppose that there exists an adversary that can break the broadcast encryption in SP^{2}DA scheme; then we can construct an algorithm that can solve the DBDH problem with advantage by using as a subroutine.

Let be given a DBDH problem instance
Its goal is to determine . runs as a subroutine to solve the DBDH problem.

sets and randomly chooses to set . Let . Then publishes , , , , , and the other system parameters.

In the challenge phase, the adversary chooses two messages and and sends them to . randomly selects a bit to produce a ciphertext of message , where
and sends to the adversary . Finally, the adversary outputs a bit . If , it means that since
is a valid component of the ciphertext . In this case, the probability which outputs is . When is a random number, to the probability in which outputs is . According to the previous statement, we have
It means that, the DBDH problem can be solved in the nonnegligible probability . However, it is in contradiction with the difficulty of solving the DBDH problem.

##### 6.1. Efficiency Analysis

Until now, Lu et al.’s scheme [8] is only a privacy-preserving aggregation scheme (EPPA) in smart grid which supports multidimensional data aggregation. In the following table, we give a comparison of our scheme with Lu et al.’s scheme. Let , , , and denote an exponentiation operation in , a multiplication operation in group or , an exponentiation operation in group , and a pairing operation, respectively. In the whole SP^{2}DA scheme, the computational costs of each user, GW and OA, are shown in Table 1.

If experiments were performed on a Pentium IV personal computer with 3.0 GHz CPU, 512 MB RAM, and window XP operating system, and based on PBC cryptography libraries [12] and MIRACL libraries [15]. The experimental results show that to compute a single exponentiation operation in , a single multiplication operation in or , and pairing operation needs 12.4 ms, 6.4 ms, and 20 ms, respectively. In Figure 2, we discuss the variation of computational cost in terms of and . Obviously, from the figure we can find that our scheme has more advantages over Lu et al.’s scheme in terms of computational cost of the user and the GW. It is more suitable for the real-time data process for the local gateway GW and the residential user.

##### 6.2. Communication Overhead

According to the afarementioned communication construction, the whole communication is divided into user-to-GW communication, GW-to-OA communication, and OA-to-GW communication. In the user-to-GW communication, the reported data is the form of . Because type 2 pairing is adopted in the proposed scheme, its length is if we choose 1,024-bit , 160-bit prime , and 160-bit . However, a symmetric pairing is used in Lu et al.’s scheme [8]; the length of element in will be 512 bits long under the same security strength. Thus, the length is bits. In the GW-to-OA communication, the aggregated report to the OA by GW is in the form of , and its length is bits. It is the same as that of Lu et al.’s scheme bits when the system parameters are used. In the OA-to-GW communication, OA needs bits to send back a responding message which is in the form of , and its length is . However, the length of the responding message in Lu et al.’s scheme is . According to the previous statement, communication overhead in Lu et al.’s scheme is slightly more efficient than that of our scheme in the user-to-GW communication. However, communication overhead in our scheme is slightly more efficient than that of Lu et al.’s scheme in the OA-to-GW communication.

#### 7. Conclusion

In this paper, we have proposed an efficient self-certified PKC-based privacy-preserving data aggregation scheme to satisfy the requirement of efficiency in smart grid communication. By adopting the Chinese Remainder Theorem technique and homomorphic property of Paillier cryptosystem, it achieves a multidimensional data aggregation approach under the ciphertext form. And it applies our proposed anonymous signature scheme to achieve anonymity of the real identities of end users in end-user-to-GW communication. It efficiently resists the end user’s identity leakage problem which is not considered in other literatures. Compared with Lu et al.’s multidimensional data aggregation scheme, our scheme can significantly reduce computational cost of the local gateway GW. And we have also provided security analysis to demonstrate that the proposed scheme can satisfy the desirable security requirements. It is a future work to trace the malicious behavior of a dishonest residential user (end user) in a residential area.

#### Acknowledgments

This work was supported partly by Beijing Natural Science Foundation (no. 4122024 and 4132056), the Importation and Development of High-Caliber Talents Project of Beijing Municipal Institutions, and the New Star Plan Project of Beijing Science and Technology (no. 2007B001).

#### References

- S. M. Amin and B. F. Wollenberg, “Toward a smart grid,”
*IEEE Power and Energy Magazine*, vol. 3, no. 5, pp. 34–41, 2005. View at Publisher · View at Google Scholar · View at Scopus - C. Cuijpers and B. J. Koops,
*Het Wetsvoorstel, Slimme Meters: Een Privacytoets op Basis van art. 8 Evrm*, Tilburg University, Tilburg, The Netherlands, 2008. - U.S. National Institute for Standards and Technology (NIST), “The smart grid interoperability panel cyber security working group: smart grid cybersecurity strategy and requirements,” http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol2.pdf.
- P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” in
*Proceedings of the 17th international conference on Theory and application of cryptographic techniques (EURO-CRYPT'99)*, pp. 223–238, 1999. - C. Castelluccia, E. Mykletun, and G. Tsudik, “Efficient aggregation of encrypted data in wireless sensor networks,” in
*Proceedings of the 2nd Annual International Conference on Mobile and Ubiquitous Systems-Networking and Services (MobiQuitous'05)*, pp. 109–117, July 2005. View at Publisher · View at Google Scholar · View at Scopus - D. Westhoff, J. Girao, and M. Acharya, “Concealed data aggregation for reverse multicast traffic in sensor networks: encryption, key distribution, and routing adaptation,”
*IEEE Transactions on Mobile Computing*, vol. 5, no. 10, pp. 1417–1431, 2006. View at Publisher · View at Google Scholar · View at Scopus - J. Shi, R. Zhang, Y. Liu, and Y. Zhang, “Prisense: privacy-preserving data aggregation in people-centric urban sensing systems,” in
*Proceedings of the International Conference on Computer Communications (IEEE INFOCOM '10)*, pp. 758–766, March 2010. View at Publisher · View at Google Scholar · View at Scopus - R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, “EPPA: an efficient and privacy-preserving aggregation scheme for secure smart grid communications,”
*IEEE Transactions on Parallel and Distributed Systems*, vol. 23, no. 9, pp. 1621–1631, 2012. View at Google Scholar - “MSP430 for utility metering applications,” http://focus.ti.com/mcu/docs/mcuorphan.tsp?contentId=31498.
- G. Marc, “Self-certifed public key,” in
*Advances in Cryptology—EUROCRYPT '91*, vol. 547 of*Lecture Notes in Computer Science*, pp. 490–497, 1991. - D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the weil pairing,” in
*Proceedings of Asiacrypt 2001*, vol. 2248 of*Lecture Notes in Computer Science*, pp. 514–532, Springer, 2001. - B. Lynn, “On the implementation of pairing-based cryptogra-phy,” http://crypto.stanford.edu/pbc/thesis.html.
- http://en.wikipedia.org/wiki/Chinese-remainder-theorem.
- C. T. Li, M. S. Hwang, and Y. P. Chu, “Further improvement on a novel privacy preserving authentication and access control scheme for pervasive computing environments,”
*Computer Communications*, vol. 31, no. 18, pp. 4255–4258, 2008. View at Publisher · View at Google Scholar · View at Scopus - “Multiprecision integer and rational arithmetic c/c++ library,” http://www.shamus.ie/.