Privacy-Preserving Multidimensional Data Aggregation Scheme for Smart Grid

Zhou, Yousheng; Chen, Xinyun; Chen, Meihuan

doi:https://doi.org/10.1155/2020/8845959

Security and Communication Networks

On this page

Abstract Introduction Related Work Preliminaries System Model Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Mathematical Models for New Types of Cyberattack and Associated Defence Strategies

View this Special Issue

Research Article | Open Access

Volume 2020 | Article ID 8845959 | https://doi.org/10.1155/2020/8845959

Privacy-Preserving Multidimensional Data Aggregation Scheme for Smart Grid

Yousheng Zhou,^1,2Xinyun Chen,¹and Meihuan Chen¹

Academic Editor: Luxing Yang

Received13 May 2020

Revised23 Oct 2020

Accepted16 Nov 2020

Published03 Dec 2020

Abstract

In a smart grid, data aggregation is a common method to evaluate regional power consumption. Data leakage in the process of data transmission poses a security threat to the privacy of users. Many existing data aggregation schemes can only aggregate one-dimensional data; however, it is necessary to aggregate multidimensional data in practical smart grid applications. Therefore, this paper proposes a privacy-preserving multidimensional data aggregation scheme, which can aggregate multidimensional data and protect the individual user’s identity and data privacy. The security of the proposed scheme is proved under the random oracle model. The simulation results show that the proposed scheme has great advantages in computing overhead, and the communication overhead also meets the requirements of the smart grid.

1. Introduction

A smart grid is a more efficient and modern grid. “Grid 2030” defines a smart grid as follows: “A fully automatic power transmission network that monitors and controls each user and node to ensure the two-way flow of power and information between power plants and power devices and all nodes between them” [1]. Smart grid consists of seven domains: the generation, transmission, distribution, customer, electricity market, service provider, and operation center domain, as shown in Figure 1.

Based on the real-time information of power consumption, the control center can monitor the power generation and consumption of each area, get the real-time power demand, and then take timely measures to optimize the power generation and distribution strategy. The customer can also get knowledge of current real-time power consumption and adjust his behavior to reduce expenses. In order to make a better transmission and distribution strategy, data aggregation is usually used to evaluate the power usage in a certain area. The purpose of data aggregation in a smart grid is to collect total power consumption data of users in a certain area and protect the power consumption data of an individual user from leakage.

In order to support various network functions, many smart devices such as smart terminals and smart meters have been deployed and used in the smart grid [2]. As wireless networks are increasingly used in smart grids, the communication channel between the smart meter and the control center may be open [3]. Therefore, the attacker can easily intercept, tamper with, or delete the messages in the communication channel, which causes great distress or economic loss. For example, an attacker can track a user’s habits or lifestyle (he or she is at home or not at home) after obtaining his or her power consumption data, thus committing a crime inside a house [4]. An attacker may also cause economic loss to the user or service provider by injecting false information or making unreasonable demands.

With the wide application of the smart home, actual power data is possible to be multidimensional, for example, measuring power data by the type of household appliances such as refrigerators, air conditioners, and washing machines. Therefore, it is necessary to study multidimensional data aggregation in a smart grid.

In this paper, we propose a privacy-preserving multidimensional data aggregation scheme. The characteristics of the proposed scheme are as follows: (1) feasibility: the proposed scheme can aggregate multidimensional data; (2) security: the proposed scheme can protect the user’s identity and data privacy; (3) robustness: the proposed scheme can work normally when any smart meter is off-line or out of order; (4) high efficiency: the proposed scheme adopts EC-ElGamal cryptosystem, and the computation performance is efficient.

The rest of this paper is organized as follows. In Section 2, we review the related works. In Section 3, we describe the preliminaries. In Section 4, we describe the system model and security requirements. We present our proposed scheme in Section 5. We analyze the security and performance in Sections 6 and 7, respectively. Finally, we make some conclusions in Section 8.

Smart meters have three factors: smart meters’ real-time power consumption data, smart meters’ total power consumption data, and smart meters’ identity [5]. In order to achieve the goal of data aggregation and protect the privacy of smart meters, several privacy-preserving one-dimensional data aggregation schemes have been proposed based on homomorphic encryption, blind factors, and Shamir’s secret sharing.

Homomorphic encryption is a classical method for data aggregation. Homomorphic encryption can perform special algebraic operations on two or more ciphertexts to obtain the aggregated ciphertext, and the result of the decrypted aggregated ciphertext is the same as that of performing the same algebraic operation on the plaintext. At present, many privacy-preserving data aggregation schemes have been proposed based on homomorphic encryption (BGN cryptosystem [6], Paillier cryptosystem [7], EC-ElGamal cryptosystem [8], and lattice-based cryptosystem), such as BGN-based schemes [9–11], Paillier-based schemes [12–14], EC-ElGamal-based schemes [15–17], and lattice-based schemes [18].

Homomorphic encryption combined with blind factors (random numbers) is a common method to design data aggregation schemes. The trusted third party predistributes different blind factors to each user and the aggregator. Each user uses its own blind factor to obfuscate the power consumption data. When the aggregator receives data from all users, it can eliminate the blind factors added by all users to obtain aggregated data. Fan et al. [19] proposed the first data aggregation scheme that can resist internal attacks, which uses BGN cryptosystem and blind factors. Bao and Lu [20] found that Fan’s scheme cannot provide data integrity. He et al. also proposed their scheme by using BGN cryptosystem and blind factors in [21], which can protect the integrity of data. The scheme proposed by He et al. [22] and Vahedi et al. [23] uses EC-ElGamal cryptosystem and blind factors and has high computational efficiency. All of the above [19–23] schemes can defend against internal attacks.

The combination of homomorphic encryption and Shamir’s secret sharing is also used to design a data aggregation scheme [24]. For example, the PMDA scheme proposed by He [25] uses Shamir’s secret sharing to allow smart meters to collectively negotiate aggregation parameters and supports multifunctional data aggregation. The 3PDA scheme proposed by Liu et al. [26] uses EC-ElGamal cryptosystem and Shamir’s secret sharing, and users construct a virtual aggregation area to mask single data. The scheme presented in [25, 26] does not rely on a trusted third party. Even if any smart meter is off-line or out of order, the system can work normally. New smart meters can be easily added to the system while the user’s secret share remains the same.

At present, only one-dimensional data is considered in many schemes, but in practical application, power consumption data is usually multidimensional to facilitate fine-grained analysis. Based on the superincreasing sequence and Horner’s rule, some researchers proposed multidimensional data aggregation schemes.

Knapsack cryptosystem based on superincreasing sequence can compress multidimensional data into one-dimensional data. The PPMA scheme proposed by Li et al. [27] uses Paillier cryptosystem and superincreasing sequence to aggregate multidimensional data. The PPMA scheme gives several successive power consumption ranges, divides the regional users into several subsets, and can get the sum of power consumption data of each subset and the number of users. The EPPA scheme proposed by Lu et al. [28] uses a superincreasing sequence to compress multidimensional data into one-dimensional data and then uses Paillier’s cryptosystem to encrypt the compressed data.

The algorithm based on Horner’s rule can also compress multidimensional data into one-dimensional data. The scheme proposed by Shen et al. [29] uses Paillier's cryptosystem and Horner’s rule. Each user constructs Horner polynomial with the first Horner parameter, storing the multidimensional data in a single data. After embedding the second Horner parameter into the polynomial, Paillier’s cryptosystem is used to encrypt the single data.

3. Preliminaries

3.1. Hard Problems

Let be an additive cyclic group with prime order ; then some hard problems in the group are described as follows. Elliptic Curve Discrete Logarithm (DL) Problem. Given points , where , , is unknown. DL problem is to compute the value of . Elliptic Curve Computational Diffie-Hellman (CDH) Problem. Given points , where and , , and are unknown. CDH problem is to compute . CDH assumption holds if there exists no probabilistic polynomial-time adversary that can solve the CDH problem with a nonnegligible advantage. Elliptic Curve Decisional Diffie-Hellman (DDH) Problem. Given a point , where and , , and are unknown. The DDH problem is to determine whether holds. DDH assumption holds if there exists no probabilistic polynomial-time adversary that can solve the DDH problem with a nonnegligible advantage.

3.2. Security Model of Authentication and Key Agreement

Define a probabilistic polynomial-time adversary , which can make a series of queries to simulate real attacks, define a simulator , and define a game played between and . Then, can adaptively make the following queries. : This query simulates an adversary’s hash request for a message . needs to keep a table . When receives the request from , checks if contains a tuple . If so, returns to ; otherwise, randomly chooses , stores in , and returns to . : makes this query to simulate an eavesdropping attack (passive attack). returns a copy of the exchange message executed under the real authentication protocol. : makes this query to simulate an active attack. can query the response information associated with the message . normally performs the steps of the authentication protocol and then returns the corresponding message to . : makes this query to simulate a corrosive attack that can obtain the participant’s private key. returns the relevant private key according to the authentication protocol. : makes this query to simulate a known session key attack. If a valid session exists, returns the session key corresponding to the participant; otherwise, returns . : This query simulates an adversary’s ability to distinguish between a true session key and a random number. When the session key has been defined, chooses a random number . If , returns the true session key to ; if not, returns a random number with the same length of the session key to .

After making the above queries, can make query. The output of query depends only on the value of the bit . The output of is the result of guessing associated with the bit . If , wins the game. Define an event as wins the game. The advantage of breaking the semantic security of the authentication protocol is

Definition 1. The proposed authentication protocol is semantic secure if there exists no probabilistic polynomial-time adversary that can win the above game with a nonnegligible advantage.

3.3. Security Model of Encryption and Signature

The encryption and signature scheme are used in this paper. Therefore, semantic security and unforgeability should be considered in the security model. Define a probabilistic polynomial-time adversary that can make a series of queries to simulate real attacks, define a simulator , and define a game played between and . Then can adaptively make the following queries. : This query simulates an adversary’s request for a message . needs to keep a table . When receives a request from , checks if contains a tuple . If so, returns to ; otherwise, randomly chooses , stores in , and returns to . : This query simulates an adversary’s attack to obtain the smart meter’s public key. needs to keep a table . When receives the request from , checks if table exists in the public key with . If so, returns to ; otherwise, randomly chooses a private key , generates the corresponding public key , stores in , and returns to . : This query simulates an adversary’s attack to obtain the smart meter’s private key. checks if table exists in the private key with . If so, returns to ; otherwise, randomly chooses a private key , generates the corresponding public key , stores in , and returns to : this query simulates an adversary’s encryption request for a message . queries the public key with , uses to encrypt the message , and then returns the ciphertext to . : This query simulates an adversary’s signature request for a message . queries the private key with , uses to sign message , and then returns the message and signature to . : This query simulates an adversary’s request to verify the message ’s signature. queries the public key with and uses to validate the signature of the message .

Definition 2. If there exists no probabilistic polynomial-time adversary that can win the following game with a nonnegligible advantage, the proposed scheme is secure against indistinguishability under the chosen-plaintext attack (IND-CPA). Initialization: runs a key generation algorithm, generates a key pair , sends the public key to , and keeps the private key Phase 1: can access a random oracle to make a series of queries. randomly chooses two plaintexts with the same length and sends them to . Challenge: randomly chooses a bit and sends the ciphertext of the message to . We call the ciphertext the challenging ciphertext Guess: outputs its guess . The advantage of in the above game is defined as follows:

Definition 3. If there exists no probabilistic polynomial-time adversary that can win the following game with a nonnegligible advantage, the proposed scheme is secure against existential unforgeability under the adaptive chosen messages attacks (EUF-CMA). Initialization: runs a key generation algorithm, generates a key pair , sends the public key to (also known as a forger), and keeps the private key . Query 1: queries the hash value of the message , and returns the corresponding hash value to . Query 2: queries the signature of the message , and returns the corresponding signature to . Challenge: forges a message’s signature pair and sends it to . verifies the validity of the signature. If the forged signature is valid, succeeds; otherwise, fails.

4. System Model and Security Requirement

4.1. System Model

In the proposed scheme, the system model for the smart grid consists of four entities: smart meter (SM), aggregator (AGG), control center (CC), and trusted third party (TTP), as shown in Figure 2. SM: It is responsible for regularly collecting real-time power consumption data of the user and sending encrypted data to the aggregator. The smart meter is honest-but-curious. It operates according to the protocol and may infer information from other users. AGG: It is responsible for aggregating the power consumption data of all users and sending the aggregated data to the control center. The aggregator is honest-but-curious. It stores all intermediate computational results and may get users’ privacy information from them CC: It is responsible for decrypting and analyzing aggregated data to obtain the sum of users’ power consumption data for each area and to generate an appropriate response. The control center is fully trusted and may attempt to analyze incoming messages to obtain valuable information. TTP: It is responsible for generating and distributing security parameters for all smart meters. TTP is fully trusted and participate only in the registration process, not in the data aggregation process.

4.2. Security Requirement

According to related works in recent years, the data aggregation scheme in a smart grid should meet three security requirements. We summarize these requirements as follows. Confidentiality: A malicious attacker may intercept information from a user. The leakage of a user’s power consumption data can compromise its privacy. Therefore, it is important to ensure that the attacker cannot obtain the power consumption data of an individual user. Integrity: A malicious attacker may tamper with a message sent by a user, which will affect the normal statistical analysis. Therefore, it is important to ensure that the messages sent by the user are correct. Authentication: A malicious attacker may forge a message and impersonate a real user to send a message, which will affect the normal process of statistical analysis. Therefore, it is important to ensure that the data received by the aggregator is from a legitimate user.

5. Scheme Construction

This section describes the proposed privacy-preserving multidimensional data aggregation scheme. The proposed scheme consists of six steps: system setup, registration and login, authentication and key agreement, data generation, data aggregation, and multidimensional data decryption. We assume that there are users in each residential area. The symbols and their definitions used in this section are shown in Table 1.

5.1. System Setup

The initialization phase is used to generate system public parameters. The smart meter, aggregator, control center, and trusted third party randomly choose an integer from as their private key and compute the corresponding public key , , , .

5.2. Registration and Login

(1)Registration. All smart meters need to register, and each smart meter only needs to register once. The detailed steps for the registration phase are described as follows:(1) submits its identity and password to through a secure channel.(2)After receiving the message , saves the identity and password information and computes , , and . Finally, returns the message to through a secure channel.(3)After receiving the message , saves in its own memory (with some tamper-proof ability).(2)Login. needs to perform a login phase before communicating with the aggregator. The detailed steps of the login phase are described as follows:(1) computes and (2) verifies whether the parameter stored in memory is equal to . If so, the login of succeeds; otherwise, the login of fails

5.3. Authentication and Key Agreement

The goal of the authentication and key agreement phase is for the smart meter to request authentication from the aggregator and establish a session key between the smart meter and the aggregator, as shown in Figure 3. The session key is used by the aggregator to encrypt the response message using a symmetric encryption algorithm when the response message is returned. The detailed steps for authentication and key agreement phase are described as follows.(1) randomly chooses an integer and computes , , and , where is the current timestamp. Finally, sends the message to AGG(2)After receiving the message , computes and checks whether the equation holds. If not, terminates the communication; otherwise, randomly chooses and computes , , , and , where is the session key and is the current timestamp. Finally, returns the message to (3)After receiving the message , computes , and checks whether the equation holds. If not, terminates the communication; otherwise, computes , where is the session key and is the current timestamp. Finally, sends the message to (4) verifies whether holds. If so, the authentication of succeeds; otherwise, the authentication of fails

5.4. Data Generation

Assume that can obtain -dimensional power consumption data . The detailed steps for generating the ciphertext are described as follows.(1) randomly chooses and computes the ciphertext according to(2) randomly chooses and computes its signature according to(3) sends the message to , where is the current timestamp.

5.5. Data Aggregation

After receiving the message , verifies the smart meter’s signature and computes the aggregated ciphertext, as shown in Figure 4. Suppose that there are currently smart meters participating in the data aggregation.(1) verifies signatures of all smart meters according to(2) computes the aggregated ciphertext according to(3) partially decrypts the aggregated ciphertext using the private key according to Therefore, the form of partially decrypted ciphertext is shown in(4) randomly chooses and computes its signature according to(5) sends the message to , where is the current timestamp.

5.6. Data Decryption

After receiving the message , verifies the signature of . After successful verification, decrypts the aggregated ciphertext using its own private key to get the sum of the power consumption data.(1) verifies the signature of according to(2) decrypts the aggregated ciphertext using the private key according to(3)Using Pollard’s lambda algorithm, the sum of the power consumption data for each dimension can be computed, as shown in (12), where represents the total power consumption data of users in the dimension.

6. Security Analysis

6.1. Formal Security Analysis

Theorem 1. Assume that represents the advantage of a probabilistic polynomial-time adversary to break the semantic security of the proposed authentication protocol; then,where represents the size of the identity space, represents the size of the hash function space, is the prime order of group , and , , and represent the number of query, query, and query, respectively.

Proof. Define a series of games . We use to indicate the event that A successfully guesses in query in . : this game simulates real-world attacks by an adversary. The value of is chosen at random. Therefore, according to the authentication and key agreement model, we have : this game uses , , , , and query to simulate real attacks. and are indistinguishable. Therefore, we have : this game simulates all queries in ; the only difference is that will simulate an adversary’s guess attack on the smart meter’s true identity. Since the smart meter’s identity is converted to a pseudonym by a random number during each authentication phase, the adversary is unable to determine the smart meter’s true identity and has no other information to verify the smart meter’s true identity. Therefore, we have : this game simulates all queries in ; the only difference is that will simulate collision attacks that occur on messages , and . Therefore, we have : this game simulates all queries in ; the only difference is that will simulate the adversary’s corrosion attack on the participant. When query is executed, the private key stored in the smart meter and in the aggregator can be extracted by the adversary. However, this information is useless for calculating the session key, because a secret random number that is generated temporarily must be required. Due to the fact that and are randomly selected from , we have : this game simulates all queries in ; the only difference is that other hash functions will be used to compute the temporary session key . That is, instead of using a random oracle, we use to generate the session key. and are indistinguishable unless an event occurs. represents the adversary that makes a query about message to the random oracle. No matter how many queries are made, all results are independently random. Therefore, we have : this game simulates all queries in ; the only difference is that will simulate an event where the adversary breaks CDH problem, randomly choose two integers , given an instance of CDH problem , and compute , ; then, we have . In , the adversary needs to make a query such as , where . Therefore, we have . In addition, we havewhere represents the advantage of to break the CDH problem.
From the above analysis, we haveDue to , we haveTo sum up, the advantage of adversary to break the proposed authentication protocol is negligible, and the proposed authentication protocol is semantic secure.

Theorem 2. The proposed scheme is secure against IND-CPA, if the DDH problem is hard.

Proof. Assume that there exists a probabilistic polynomial-time adversary that can win the game in Definition 2 with a nonnegligible advantage . Then, we can construct a simulator to solve DDH problem with a nonnegligible advantage . The simulator chooses a challenging identity , and the adversary can make the following queries: : needs to keep a table , where . After receiving the hash request from , checks if the tuple exists in . If so, returns to ; otherwise, randomly chooses , stores into , and returns to : needs to keep a table . After receiving the hash request from , checks if exists in . If so, returns to ; otherwise, randomly chooses , stores into , and returns to : needs to keep a table . After receiving the request from , checks if exists in . If so, returns to ; otherwise, randomly chooses , computes , stores into , and returns to : after receiving the request from , first checks whether the identity used by in the query is equivalent to the challenging identity . If so, terminates this game; otherwise, checks if exists in . If so, returns to ; otherwise, makes query to generate the private key and public key and , stores into , and returns to : after receiving the request from , checks if exists in . If so, uses to generate the ciphertext; otherwise, makes query to generate the private key and public key and and then uses to generate the ciphertext

Proof. Assume that the ciphertext is secure against IND-CPA. Define a series of games . With these games, we reduce the instance of the DDH problem. That is, given , determine whether , where , , and and are unknown. chooses a challenging identity . : this game simulates real-world attacks. acts as a smart meter, knowing the public and private key pair . knows the public key and has access to the random oracle. At some point, randomly chooses an identity and two plaintexts with the same length and sends them to for an encryption query. Then, chooses a bit , encrypts the ciphertext , and sends the ciphertext to . Finally, outputs its guess . represents the event in that , and we use symbols to represent the same meaning in any game. Based on Definition 2, we have : in this game, we embed the instance of the DDH problem. When makes query, randomly chooses , sets , saves into , and sends to . Because is evenly distributed in the group , is completely indistinguishable from . Therefore, we have : in this game, replaces the public key with . does not know the private key . Therefore, when makes query, performs the following steps. (1) When , looks for the record in . (2) computes and sends to . (3) Define as event .If event actually occurs, then is a valid ciphertext when public key and holds. Therefore, at this time, can play its ability to guess whether .
However, if event does not occur, can only guess at a random probability of . Therefore, we haveTherefore, based on the above analysis, we can solve the DDH problem with probability .Due to , .
Because the advantage in the previous assumption cannot be ignored, cannot be ignored. That is, a simulator can be constructed to solve the DDH problem. However, DDH problem cannot be solved in practice; then, the conclusion is impossible. Therefore, our assumption does not hold. In other words, the proposed scheme is secure against indistinguishability under the chosen-plaintext attack (IND-CPA).

Theorem 3. The proposed scheme is secure against EUF-CMA, if the discrete logarithm problem is hard.

Proof. Assume that there exists a probabilistic polynomial-time adversary that can win the game in Definition 3 with a nonnegligible advantage . Then, we can construct a simulator to solve the discrete logarithm problem. Given an instance of a discrete logarithm problem, where , the goal of is to find , such that . chooses a challenging identity . can make , , queries as it did in Theorem 2. The adversary can also make other queries as follows: : needs to keep a table . After receiving the request from , first checks if exists in . If so, returns to A; otherwise, checks whether the identity used by is equal to the challenging identity , and if not, generates and according to the proposed scheme; otherwise, sets , stores into , and returns to : after receiving the request from , first checks whether and are equal. If not, generates the signature of the message according to the proposed scheme; otherwise, randomly chooses , computes , sets , stores in , and returns to : verifies the signature of the message according to the proposed schemeFinally, can use to forge a valid signature of the message with the identity . According to the forking lemma, can obtain another valid signature , where and . Therefore, we can obtain two equations:According to the above equations, we have , then .
Finally, gets the solution of the DL problem instance .
To calculate the advantage of solving the discrete logarithm problem, we define the following three events. (1) : does not terminate the game; (2) : and are equal; (3) : outputs a valid signature.
Therefore, we have , , and , where and represent the number of query and query, respectively. Therefore, the probability of solving the discrete logarithm problem isBecause cannot be ignored, the probability of using to solve discrete logarithm problem cannot be ignored. However, in the actual situation, the discrete logarithm problem is unable to solve; therefore, the conclusion cannot hold. As a result, our assumption does not hold. That is, the proposed scheme is secure against existential unforgeability under the adaptive chosen messages attacks (EUF-CMA).

6.2. Informal Security Analysis

(1)The proposed scheme provides anonymity for users. As wireless networks are increasingly used in the smart grid, communication channels may be open. It is easy for adversaries to intercept messages from communication channels. In the proposed authentication protocol, the identity of each smart meter is anonymous. Because the CDH problem is hard, the adversary cannot obtain a true identity without knowing the temporary random number. Therefore, the proposed scheme can protect the identity privacy of users.(2)The proposed scheme ensures the confidentiality of the session key. In the proposed scheme, the session key in the proposed authentication protocol uses random numbers chosen by the smart meter and the aggregator. During each authentication phase, the smart meter and aggregator reselect new random numbers. Even if the adversary eavesdrops on the communication channel, it is difficult for the adversary to guess the session key or to calculate the session key from the messages transmitted over the network. Therefore, the proposed scheme ensures the confidentiality of the session key.(3)The proposed scheme ensures the confidentiality of users’ data. EC-ElGamal cryptosystem is used to encrypt the power consumption data. Assume that the DDH problem is hard, the EC-ElGamal cryptosystem is secure against IND-CPA. Therefore, an external eavesdropper cannot obtain any individual user’s power consumption data. Furthermore, the adversary cannot infer the plaintext of the aggregated data in the aggregator’s database and the control center’s database. Therefore, the proposed scheme ensures the confidentiality of users’ data.(4)The proposed scheme ensures data integrity and authentication. The signature algorithm in the proposed scheme is provable secure. In practice, if an attacker wants to forge a signature, it would have to either crack the hash function or the discrete logarithm problem. In the proposed scheme, the signature algorithm uses a secure hash function and an elliptic curve, so that the possibility of both types of cracking is negligible. Therefore, the proposed scheme provides data integrity and authentication.(5)The proposed scheme is secure under the attack of malware. Suppose an attacker successfully intercepts private information from the aggregator database by deploying malicious software in the aggregator system. Because the aggregator cannot completely decrypt the aggregated ciphertext, the attacker cannot obtain any single user’s power consumption data. In addition, the attacker can also intercept private information from the control center. The decrypted plaintext of the control center is the sum of users’ power consumption data, and the attacker cannot obtain the power consumption data of an individual user. Therefore, the proposed scheme can protect the user’s power consumption data from malicious software.(6)The proposed scheme can resist replay attacks. Because the messages whether in the authentication or data generation phase contain a timestamp, the aggregator can detect any replayed messages by verifying the validity of the timestamp. Therefore, the proposed scheme can resist replay attacks.

7. Performance Analysis

This section presents the performance comparison between the proposed scheme and other similar schemes in the data generation phase and data aggregation phase. Performance includes computation overhead and communication overhead. Experiments were all performed on a personal computer with Intel Core i5-7200U CPU @2.50 GHz, 12.00 GB memory, and Windows 10 operating system, based on the JPBC library.

7.1. Computation Cost

We compare the computation cost of the proposed scheme with that of Li et al. [27], Shen et al. [29], and Lang et al. [30]. For convenience, we define some notations and descriptions as shown in Table 2. Since CC is generally supposed to have enough computing power, we only compare the computation overhead of and .

In Li’s scheme [27], executes two operations, one operation, and one operation. Therefore, the runtime of is . executes one operation, operations, and one operation. Therefore, the runtime of is .

In Shen’s scheme [29], executes two operations and one operation. Therefore, the runtime of is . executes operations and operations. Therefore, the runtime of is .

In Lang’s scheme [30], executes operations and one operation. Therefore, the runtime of is . executes operations. Therefore, the runtime of is .

In our proposed scheme, executes operations. Therefore, the runtime of is . executes operations. Therefore, the runtime of is .

Table 3 and Figure 5 show the computation costs comparisons among Li’s scheme [27], Shen’s scheme [29], Lang’s scheme [30], and our proposed scheme.

7.2. Communication Cost

Because the size of is 512 bits, 512 bits, and 160 bits, respectively, we can know that the size of is 1024 bits, 1024 bits, 160 bits, 160 bits, and 160 bits. Assume that the timestamp and the identity are both 32 bits.

In Li’s scheme [27], sends to , where the length of is 1024 bits and the length of is 512 bits. Thus, the communication cost is bits.

In Shen’s scheme [29], sends to , where the length of is 2048 bits and the length of is 160 bits. Thus, the communication cost is bits.

In Lang’s scheme [30], sends to , where the length of is 4096 bits and the length of is 512 bits when data has seven dimensions. Thus, the communication cost is bits.

In our proposed scheme, sends to , where the length of is 2240 bits and the length of is 512 bits when data has seven dimensions. Thus, the communication cost is bits.

As shown in Figures 5 and 6, the computation overhead in the aggregation phase of our proposed scheme has obvious advantages over Shen et al.’s [29] scheme. The communication cost is at the middle level compared with other schemes. Considering the security and reliability, it is reasonable to increase the communication cost. Therefore, the proposed scheme satisfies the requirement of security and performance for the smart grid.

8. Conclusion

In this paper, we propose a privacy-preserving multidimensional data aggregation scheme for a smart grid, which can aggregate multidimensional data and protect the user’s identity and data privacy. The analysis shows that the proposed scheme is provable secure and efficient. In addition, we will consider a more appropriate method of aggregating multidimensional data to improve the applicability of the proposed scheme in further work.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

Our work was jointly supported by the National Natural Science Foundation of China (Nos. 61872051 and 61702067), the Chongqing Natural Science Foundation of China (No. cstc2020jcyj-msxmX0343), and the Venture & Innovation Support Program for Chongqing Overseas Returnees (No. CX2018122). There is no funding available.

References

DOE US, “Grid 2030: a national vision for electricity’s second 100 years,” Tech. Rep., pp. 137–140, DOE US, Washington, DC, USA, 2003, US DOE Report.
View at: Google Scholar
W. Meng, R. Ma, and H.-H. Chen, “Smart grid neighborhood area networks: a survey,” IEEE Network, vol. 28, no. 1, pp. 24–32, 2014.
View at: Publisher Site | Google Scholar
R. Deng, Z. Yang, M.-Y. Chow, and J. Chen, “A survey on demand response in smart grids: mathematical models and approaches,” IEEE Transactions on Industrial Informatics, vol. 11, no. 3, pp. 570–582, 2015.
View at: Publisher Site | Google Scholar
N. Komninos, E. Philippou, and A. Pitsillides, “Survey in smart grid and smart home security: issues, challenges and countermeasures,” IEEE Communications Surveys & Tutorials, vol. 16, no. 4, pp. 1933–1954, 2014.
View at: Publisher Site | Google Scholar
X. Tian, L. Li, C. Sun et al., “Review on privacy protection approaches in smart meter,” Journal of East China Normal University (Natural Science), vol. 2015, no. 5, pp. 46–60, 2015.
View at: Google Scholar
D. Boneh, E. J. Goh, and K. Nissim, “Evaluating 2-DNF formulas on ciphertexts,” in Proceedings of the Theory of Cryptography Conference, pp. 325–333, Springer, Cambridge, MA, USA, February 2005.
View at: Google Scholar
P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” in Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, pp. 223–238, Springer, Prague, Czech Republic, May 1999.
View at: Google Scholar
N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, p. 203, 1987.
View at: Publisher Site | Google Scholar
L. Chen, R. Lu, Z. Cao, K. AlHarbi, and X. Lin, “MuDA: multifunctional data aggregation in privacy-preserving smart grid communications,” Peer-to-Peer Networking and Applications, vol. 8, no. 5, pp. 777–792, 2015.
View at: Publisher Site | Google Scholar
Q. Zhou, G. Yang, and L. He, “A secure-enhanced data aggregation based on ECC in wireless sensor networks,” Sensors, vol. 14, no. 4, pp. 6701–6721, 2014.
View at: Publisher Site | Google Scholar
H. Bao and R. Lu, “A new differentially private data aggregation with fault tolerance for smart grid communications,” IEEE Internet of Things Journal, vol. 2, no. 3, pp. 248–258, 2015.
View at: Publisher Site | Google Scholar
G. Shen, Y. Su, D. Zhang et al., “Secure and fine-grained electricity consumption aggregation scheme for smart grid,” TIIS, vol. 12, no. 4, pp. 1553–1571, 2018.
View at: Publisher Site | Google Scholar
H. J. Jo, I. S. Kim, and D. H. Lee, “Efficient and privacy-preserving metering protocols for smart grid systems,” IEEE Transactions on Smart Grid, vol. 7, no. 3, pp. 1732–1742, 2015.
View at: Publisher Site | Google Scholar
H. Li, X. Lin, H. Yang et al., “EPPDR: an efficient privacy-preserving demand response scheme with adaptive key evolution in smart grid,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 8, pp. 2053–2064, 2013.
View at: Publisher Site | Google Scholar
O. R. M. Boudia, S. M. Senouci, and M. Feham, “Elliptic curve-based secure multidimensional aggregation for smart grid communications,” IEEE Sensors Journal, vol. 17, no. 23, pp. 7750–7757, 2017.
View at: Publisher Site | Google Scholar
S. Fu, J. Ma, H. Li, and Q. Jiang, “A robust and privacy-preserving aggregation scheme for secure smart grid communications in digital communities,” Security and Communication Networks, vol. 9, no. 15, pp. 2779–2788, 2016.
View at: Publisher Site | Google Scholar
X. Liu, Y. Zhang, B. Wang, and H. Wang, “An anonymous data aggregation scheme for smart grid systems,” Security and Communication Networks, vol. 7, no. 3, pp. 602–610, 2014.
View at: Publisher Site | Google Scholar
A. Abdallah and X. S. Shen, “A lightweight lattice-based homomorphic privacy-preserving data aggregation scheme for smart grid,” IEEE Transactions on Smart Grid, vol. 9, no. 1, pp. 396–405, 2016.
View at: Publisher Site | Google Scholar
C. I. Fan, S. Y. Huang, and Y. L. Lai, “Privacy-enhanced data aggregation scheme against internal attackers in smart grid,” IEEE Transactions on Industrial Informatics, vol. 10, no. 1, pp. 666–675, 2013.
View at: Publisher Site | Google Scholar
H. Bao and R. Lu, “Comment on “rivacy-enhanced data aggregation scheme against internal attackers in smart grid,” IEEE Transactions on Industrial Informatics, vol. 12, no. 1, pp. 2–5, 2015.
View at: Publisher Site | Google Scholar
D. He, N. Kumar, S. Zeadally, A. Vinel, and L. T. Yang, “Efficient and privacy-preserving data aggregation scheme for smart grid against internal adversaries,” IEEE Transactions on Smart Grid, vol. 8, no. 5, pp. 2411–2419, 2017.
View at: Publisher Site | Google Scholar
D. He, S. Zeadally, H. Wang, and Q. Liu, “Lightweight data aggregation scheme against internal attackers in smart grid using elliptic curve cryptography,” Wireless Communications and Mobile Computing, vol. 2017, Article ID 3194845, 11 pages, 2017.
View at: Publisher Site | Google Scholar
E. Vahedi, M. Bayat, M. R. Pakravan, and M. R. Aref, “A secure ECC-based privacy preserving data aggregation scheme for smart grids,” Computer Networks, vol. 129, pp. 28–36, 2017.
View at: Publisher Site | Google Scholar
A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612-613, 1979.
View at: Publisher Site | Google Scholar
Z. He, S. Pan, and D. Lin, “PMDA: privacy-preserving multi-functional data aggregation without TTP in smart grid,” in Proceedings of the 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pp. 1107–1114, IEEE, New York, NY, USA, August 2018.
View at: Google Scholar
Y. Liu, W. Guo, C. I. Fan et al., “A practical privacy-preserving data aggregation (3PDA) scheme for smart grid,” IEEE Transactions on Industrial Informatics, vol. 15, no. 3, pp. 1767–1774, 2018.
View at: Google Scholar
S. Li, K. Xue, Q. Yang et al., “PPMA: privacy-preserving multisubset data aggregation in smart grid,” IEEE Transactions on Industrial Informatics, vol. 14, no. 2, pp. 462–471, 2017.
View at: Publisher Site | Google Scholar
R. Lu, X. Liang, X. Li et al., “EPPA: an efficient and privacy-preserving aggregation scheme for secure smart grid communications,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 9, pp. 1621–1631, 2012.
View at: Publisher Site | Google Scholar
H. Shen, M. Zhang, and J. Shen, “Efficient privacy-preserving cube-data aggregation scheme for smart grids,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 6, pp. 1369–1381, 2017.
View at: Publisher Site | Google Scholar
B. Lang, J. Wang, and Z. Cao, “Multidimensional data tight aggregation and fine-grained access control in smart grid,” Journal of Information Security and Applications, vol. 40, pp. 156–165, 2018.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2020 Yousheng Zhou et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

703

Downloads

838

Citations

Security and Communication Networks

Mathematical Models for New Types of Cyberattack and Associated Defence Strategies

Privacy-Preserving Multidimensional Data Aggregation Scheme for Smart Grid

Abstract

1. Introduction

2. Related Work

3. Preliminaries

3.1. Hard Problems

3.2. Security Model of Authentication and Key Agreement

3.3. Security Model of Encryption and Signature

4. System Model and Security Requirement

4.1. System Model

4.2. Security Requirement

5. Scheme Construction

5.1. System Setup

5.2. Registration and Login

5.3. Authentication and Key Agreement

5.4. Data Generation

5.5. Data Aggregation

5.6. Data Decryption

6. Security Analysis

6.1. Formal Security Analysis

6.2. Informal Security Analysis

7. Performance Analysis

7.1. Computation Cost

7.2. Communication Cost

8. Conclusion

Data Availability

Conflicts of Interest

Acknowledgments

References

Copyright