Abstract

Smart grid aims to improve the reliability, efficiency, and security of the traditional grid, which allows two-way transmission and efficiency-driven response. However, a main concern of this new technique is that the fine-grained metering data may leak the personal privacy information of the customers. Thus, the data aggregation mechanism for privacy protection is required for the meter report protocol in smart grid. In this paper, we propose an efficient privacy-preserving meter report protocol for the isolated smart grid devices. Our protocol consists of an encryption scheme with additively homomorphic property and a linearly homomorphic signature scheme, where the linearly homomorphic signature scheme is suitable for privacy-preserving data aggregation. We also provide security analysis of our protocol in the context of some typical attacks in smart grid. The implementation of our protocol on the Intel Edison platform shows that our protocol is efficient enough for the physical constrained devices, like smart meters.

1. Introduction

While the swift advances in smart grid are triggering radical innovations in this field, today’s power grid is widely different from the traditional grid [14]. Traditional grid has the characteristic of centralized one-way transmission, which only transmits electricity from the generation plants to customers. Smart grid is featured with intelligent transmission (decentralized two-way transmission) and distribution networks, which combines the traditional grid and the new information processing technologies. On the one hand, smart grid integrates more green energies such as solar and wind power into energy supply; on the other hand, it improves the reliability, security, and efficiency of electric system by two-way communication of consumption data and other electric system’s operations. In general, smart grid can realize the intelligent electricity generation, resource allocation, and dynamic pricing.

In this system, smart grid devices such as smart meters play an important role for collecting the power usage data and the status data. Such data are generated by some plug-in monitor sensors. In general, the smart grid data communication network can be divided into four layers [5] as Figure 1 shows. Various sensors and other smart grid devices consisting of a home area network are the first layer. Then, the smart meters and a neighborhood gateway which form a neighborhood area network are the second layer. Furthermore, all the neighborhood gateways connecting each other consist of the third layer network. Moreover, the forth layer network is a high speed public network through fiber gateways which is responsible for transfer all the data to the data center in electricity service provider (ESP).

However, not all smart grid devices are connected to the smart grid data communication network, due to the network outrage or opt-out agreement between the customers and the ESP. According to the utility-scale smart meter deployments report [6] published by Electric Innovation at Edison Foundation, the smart meters only cover 43% US homes. Some smart grid devices are located sparsely and far away from the data center of ESP. Thus, it would be a heavy cost to extend the smart grid data communication network for covering such isolated smart grid devices. Moreover, some in-network smart grid devices also will be disconnected from the smart grid network due to the natural disasters such as tornado and earthquake. Thus, for such isolated smart grid devices, the ESP may send a worker to the location of them and read the power usage data by using the handhold smart meter reader.

In general, several protocols are used in smart grid communication network [7], for the propose of authentication, power allocation, meter reporting, and so on. The meter report protocol is used to calculate the total monthly power consumption data for each individual customers. For the isolated smart grid device, a smart reader device should be used as a bridge between the ESP and it as Figure 2 shows. Although the smart reader device needs to read the smart meter more frequently for monitoring the energy supply, the ESP only needs to obtain the total long-term consumption data for the energy forecast.

Up to now, several privacy-protection aggregation schemes have been proposed. Li et al. [8] constructed an incremental aggregation scheme based on a virtual aggregation tree which relies on the topology of network. Garcia and Jacobs [7] proposed an aggregation scheme combined with additive secret sharing. Lu et al. [9] proposed an efficient privacy-preserving scheme for multidimensional data structure. The three schemes are all based on Pallier’s homomorphic encryption technology. Fan et al. [10] proposed data aggregations scheme based on the subgroup indistinguishability assumption. All the above aggregation schemes are designed for the in-network smart grid devices, and they are used to aggregate individual usage date from different customers. For the isolate smart grid devices, Sha et al. [5] proposed a secure and efficient authentication protocol, but their meter report protocol did not provide a data aggregation mechanism for privacy-preserving. For the isolated smart grid devices, there exists the same drawback as in-network devices that fine-grained power usage data may leak the personal privacy information [11, 12]. If a corrupted worker in the ESP can obtain the fine-grained power usage data, then he can analyze the daily activities of the customer. Thus, a secure data aggregation mechanism for privacy protection is also required for isolated smart grid devices. The fine-grained power usage data should be protected in the reader device and cannot be leaked to anyone else.

This paper aims to propose an efficient privacy-preserving meter report protocol for the isolate smart grid devices. The protocol not only contains an additively homomorphic encryption scheme used to aggregate the encrypted data but also includes a linearly homomorphic signature scheme [13, 14] for protection against unintentional errors and altering messages in malicious. Furthermore, both the isolated smart grid devices and the reader devices have only restricted resources, and thus both the encryption and signature schemes should provide the high performance in terms of efficiency.

The contributions of this paper can be listed as follows: (1) We propose an encryption scheme with additively homomorphic property to aggregate the encrypted metering data. To be compatible with the data aggregation, we also propose a linearly homomorphic signature scheme which is used to sign the ciphertext of metering data. The signatures will be aggregated along with the ciphertexts stored in the reader device. This allows the ESP to verify the correctness of aggregated result by checking the aggregation signature. (2) We provide a security analysis to our meter report protocol in context of several typical attacks in smart grid. (3) To evaluate the appropriacy of our meter report protocol for the resource-constrained devices, we implement our protocol on the Intel Edison platform which is a development system for Internet of Things (IoT) devices.

Organization. Related mathematical concepts to our construction and proofs are reviewed in Section 2. The privacy-preserving meter report protocol for isolated smart grid devices is proposed in Section 3. We analyze our protocol against several typical attacks in Section 4. Section 5 discusses the performance of our protocol on the platform of MacBook Pro and Edison. Finally, we conclude our paper in Section 6.

2. Preliminary

In this section, we review related mathematical concepts for our construction and proofs.

Assuming that and are two cyclic groups with the prime order , we define to be the bilinear map as it has the following properties:(1)Bilinear: , , .(2)Nondegenerate: , .(3)Efficient computability: there exists an efficient algorithm to compute for all .

We define the -strong Diffie-Hellman (-SDH) assumption over as follows.

Definition 1 (-SDH assumption). Let be a group generation algorithm that takes a security parameter as input and outputs a description of a prime order group . The -SDH assumption over group states that, for any probabilistic polynomial-time (PPT) attackers, given a tuple for randomly chosen and , the advantage for obtaining a solution is negligible in , where .

Next, we define two composite order groups with order , where and are distinct large primes. Thus, is a product of two groups , and their orders are and , respectively. In essence, the subgroup indistinguishability assumption is that an element in group is computationally indistinguishable from a random element in or . Let be a generator of . We define a nongenerate and efficiently computable bilinear map over and . The subgroup indistinguishability assumption [15] can be described as follows.

Definition 2 (subgroup indistinguishability assumption). Let be a group generation algorithm that takes a security parameter as input and outputs a description of a multiplicative group , where . The subgroup indistinguishability assumption over group states that, for any PPT attackers, the advantage is negligible in .

3. Design of Meter Report Protocol

3.1. System Model

There are three parties including electricity service provider (ESP), reader, and isolated smart grid device in the system model of the proposed protocol. The ESP and the isolated smart grid device should setup their public/secret key pairs and other public information. When the reader tries to frequently collect the encrypted metering data from the isolated smart grid device, several attacks may be possible. Firstly, an attacker may listen to the communications between the reader and the isolated smart grid device to obtain the metering data or alter the messages. Secondly, a corrupted reader may be used to obtain the power usage data. Thirdly, a corrupted reader may provide an incorrect total power usage data to the ESP. Finally, a fake ESP worker may analyze the power usage data with fine granularity to identify the daily activities of the customer.

In the meter report model as Figure 2 shows, the reader needs to much more frequently read from the smart grid device for monitoring the energy supply. Each time the reader reads, the smart grid device encrypts its metering data with a random number and signs it before he sends it to the reader. After a long term, the ESP can only obtain the total power usage data of the customer.

3.2. Construction

The proposed protocol consists of four phases, which will be described in detail as follows. Some notations can be defined here.(i) is a one-way hash function.(ii) is the tag of currently regular period.(iii) is the identity information of electricity service provider.(iv) is the th random number chosen by smart grid device.(v) is the sum of random numbers .(vi) is the secret key of isolated smart grid device.(vii) is the public key of isolated smart grid device.

(1) Setup Phase(i)ESP: the ESP randomly chooses two distinct large primes and computes the RSA parameter (example initiation: let , , and be distinct large primes such that . Obviously, is a quadratic residue group with order . can be denoted as , where and are both prime order cyclic groups. Gonzalez et al. proved that the subgroup decision assumption over holds if the factoring problem over is hard). It generates in group with order and produces a generator of the subgroup . Then, it computes , which is an element in subgroup . Finally, the ESP publishes the public parameters where is its identity information and keeps as the secret information.(ii)Isolated smart grid device: the isolated smart grid device randomly chooses as its secret key and publishes the public key . Then, let denote the identity of ESP who is the customer’s energy supplier.

(2) Reading Phase(i)Isolated smart grid device: when the reader needs to read the metering data for the th time in a long term, the isolated smart grid device chooses randomly and computes a ciphertext . We assume that reader reads the metering data times during such a long term. There is a limitation that should not be a large number. Then, the smart grid device computes a signature where is the tag of currently regular period. Finally, it sends to the reader.(ii)Reader: after receiving , the reader verifies identity of its ESP and the currently long term by checking . Here, the reader verifies the smart grid device’s first signature component to assure that who is its ESP and to avoid that the customer will make payments for an improper ESP. If the signature is true, then the reader stores .

(3) Aggregation Phase(i)Isolated smart grid device: at the end of a long term, the isolated smart grid device encrypts as with a random number and sends it to the reader.(ii)Reader: after receiving , the reader needs to aggregate the total power usage data of the isolated smart grid device. We assume that the reader has read the smart grid device times during this long term, and thus ciphertext/signature pairs have been stored in the reader. Then, the reader computes and , and reports to the ESP.

(4) Decryption and Verification Phase(i)ESP: when the ESP receives , it firstly verifies its identity information and the currently long term by checking and then computes and . Since is not a large number, the ESP can compute the discrete log of on the base of by using Pollard’s lambda method [16] in polynomial time. Then, the ESP computes . Since the total power usage data is also not a large number, the ESP can compute the discrete log of on the base of . Finally, the ESP computes and verifies by checking .

The correctness of the above formulas can be depicted as follows.

Authentication of Its ESP

Ciphertext Decryption

Aggregate Signature Verification

Thus,

4. Security Analysis

Our privacy-preserving meter report protocol is proposed not only to prevent the unauthorized parties to read or alter the metering data from the isolated smart grid devices, but also to securely aggregate the fine-grained power usage data in a long term. Here, we show the security properties of our scheme in context of six typical attacks in smart grid.

4.1. Against External Attack

The external attackers can eavesdrop on the communication channels to obtain the unauthorized information. In our protocol, all the metering data are encrypted, which provide strong protection to the external attackers. The proof of Theorem A.2 in Appendix shows that our encryption scheme satisfies the CPA secure under the subgroup indistinguishability assumption. The external attackers also cannot alter a metering data of the isolated smart grid device, since they cannot forge a valid signature. Theorems A.4 and A.5 in Appendix show that our linearly homomorphic signature schemes are unforgeable under the -SDH assumption and Boneh and Boyen signature.

4.2. Against Smart Grid Device Attack

A smart grid device attack is that a fake smart grid device aims to mimic a legitimate device. In our design, we use the signature technology to prevent a fake smart grid device from authenticating with the reader and ESP. Moreover, a fake smart grid device may want to let the customer to pay for an improper ESP, but our design can also avoid this situation, since the first component of linearly homomorphic signature is a signature of the proper ESP’s identity, and its unforgeable security is under Boneh and Boyen signature (the security proof of Theorem A.4 can be seen in Appendix).

4.3. Against Internal (Reader) Attack

An attacker may use a lost legitimate reader to obtain the unauthorized information or maliciously alter total the power usage data of a smart grid device, which is called the internal (reader) attack. In reading phase, the legitimate reader only can verify the signature of device’s identity. But the power usage data cannot be recovered from the ciphertext , since the reader cannot get the ESP’s secret key . In aggregation phase, the reader also cannot decrypts to get and obtains the total power usage data. On the other hand, the linearly homomorphic signature and the encryption of prevent the reader from altering the total power usage data, since it does not know the secret key of the isolated smart grid device. The unforgeability of our linearly homomorphic signature scheme has been proved by Theorems A.4 and A.5. The properties of linearly homomorphic signature also protect the correctness and integrity of the total power usage data.

4.4. Against Internal (ESP) Attack

We assume that the legitimate workers of ESP make the malicious attacks. After receiving the ciphertext/signature pair from the reader, the ESP can compute to recover the total power usage data. However, the ESP cannot decrypt the individual metering data from and , since it does not know each corresponding random number .

4.5. Against Man-In-The-Middle Attack

A Man-In-The-Middle attacker aims to mimic the right person to fool one side by using the information from another side. In reader-device and ESP-device authentication, a public key based linearly homomorphic signature scheme is used to authenticate the device’s identity and the ciphertexts. It provides the strong defense for the Man-In-The-Middle attacks, since the attacker cannot convince the reader and ESP to accept its public key.

4.6. Against Replay Attack

If an attacker obtains the information between the communication of two sides, then he intercepts the communication and replays the information maliciously, which is called replay attack. In our designing, we use the tag of currently term to prevent the replay attack from different terms. If the attacker wants to modify in device’s signature for the replay attack, then he should get the device’s secret key . However, it is almost impossible to guess the device’s secret key. If an attacker wants to make replay attack in the same period, then it should modify in ciphertext that is also impossible.

5. Performance Analysis

Let denote the pairing computation cost, denote the exponent cost, and denote the point multiplication. Table 1 shows the computational complexity of our protocol.

Following the theoretical analysis, we test our scheme on two different platforms, where one is a normal personal computer, and the other is a resource-constrained device. We implement our protocol in C with the pairing based cryptography (PBC) library [17] for the underlying arithmetic and pairing operations. We use the Type-A curves as defined in PBC library for the implementation, since the Type-A curves offers the highest efficiency among all the three types of curves.

The first test machine is MacBook Pro with Intel core i5 CPU (2.5 GHz) running Os X 10.9.3, which RAM is 4 GB. The second test machine is Intel Edison development platform, which is designed to rapidly prototype and produce Internet of Things (IoT) products. Since the isolated smart grid device and reader device are usually resource-constrained devices, we test our protocol on this platform. We use Edison platform with a dual-core, dual-threaded Intel Atom CPU at 500 MHz and 1 GB RAM, running Yocto Linux v1.6.

Table 2 shows the time cost of reading phase for smart grid device and reader. We compute the average value on 100 randomized runs. The time cost of isolated smart grid device is about 0.43 seconds, if our protocol is run over the Edison platform. For the reader, it needs 0.42 seconds to verify the signature, while the protocol is run over the Edison platform. In aggregation phase, the time cost of isolated device is about 1.5 milliseconds on the Edison platform, while it needs about 0.06 milliseconds over MacBook Pro. Figure 3 shows the time cost of reader in aggregation phase. We can see that the time consuming of reader is increased by the number of ciphertext/signature pairs to be aggregated. The time cost of decryption for the ESP is about 77 milliseconds. Although the total power usage data is increased by the number of individual consumption data , the computation of the discrete log of is very slightly raised.

6. Conclusion

In practical, the fine-grained individual power consumption data may leak the personal privacy information of the users. Thus, in order to protect the personal privacy, data aggregation mechanism should be designed in the meter report protocol. In this paper, we propose an efficient privacy-preserving meter report protocol for the isolated smart grid devices, which consists of an encryption scheme with additively homomorphic property and a linearly homomorphic signature scheme. To prevent unauthorized seeing the intermediate metering data, the metering data should be encrypted by using the encryption scheme with additively homomorphic property and aggregated using such a property. Besides the encryption scheme, a linearly homomorphic signature scheme which is compatible with data aggregation is also designed in our protocol for verifying the correctness and integrity of the aggregation result. We give security analysis to our protocol in context of six typical attacks in smart grid. The implementation of our protocol on the Edison platform shows that our protocol is efficient enough for the resource-constrained devices.

Appendix

Here, we provide the security proofs to the encryption scheme and the linearly homomorphic signature scheme used in the proposed meter report protocol.

Definition A.1. A public key encryption scheme is CPA secure, if for all the advantage of any PPT attacker A in the following game is negligible in the security parameter .
Setup. The challenger obtains the public/secret key pair by running and sends to the attacker, where the public key includes a message space and a ciphertext space . The challenger sets as an encryption algorithm.
Challenge. The attacker sends two messages and with the same length to the challenger. Then, the challenger responds the challenge ciphertext under a random bit .
Output. The attacker outputs its guess to . If , then the attacker wins the game.

Theorem A.2. If the subgroup indistinguishability assumption holds on , then the above encryption scheme is CPA secure.

Proof. We assume that there exists an attacker which can break the above encryption scheme with nonnegligible probability and a challenger that takes an instance of subgroup indistinguishability assumption. We will prove the theorem by an interaction game between and .
Setup. The challenger is given an instance of subgroup indistinguishability assumption and generates a generator . Then, it sends the public parameters to the attacker .
Challenge. chooses two messages and with the same length and then sends them to . chooses a random number and returns the challenger ciphertext , where is a random bit.
Output. outputs its guess to , and if , then wins the game and outputs that “ is uniformly in ”. Otherwise, outputs that “ is uniformly in ”.
If is uniformly in , then the challenge ciphertext is randomly in , which is independent of . Thus, in this case. However, if is uniformly in , then in this case since can break the above encryption scheme with the probability of . The probability difference of these two cases is , which is nonnegligible in our assumption. But it contradicts that the subgroup indistinguishability assumption is hard. Thus, our assumption is not correct, and the encryption scheme is CPA secure.

Our linearly homomorphic signature scheme is based on Boneh and Boyen signature [18], which has been proved strongly unforgeability against a weak attacker under the -SDH assumption. Here, we will firstly provide the security definition of linearly homomorphic signature.

Definition A.3. An linearly homomorphic signature scheme is simply unforgeable, if for all the advantage of any PPT attacker in the following game is negligible in the security parameter .
Setup. The challenger obtains the public/secret key pair by running and sends to the attacker, where the public key includes a message space and a signature space . The challenger sets as the signing algorithm and as the verification algorithm.
Queries. The attacker sends a random number and a message to the challenger for a signature query. Then, if is the first query for , the challenger randomly chooses a tag and gives it to the attacker. Otherwise, the challenger looks up the previously chosen . The challenger then returns the signature . This query can be repeated for a polynomial times; however there is a restriction that at most message can be queried for one tag . We let denote the set of elements queried for .
Output. The attacker outputs a tag , a message , and a signature . The attacker wins if and satisfies one of the following conditions (the type 2 forgery can be split into 2 subtypes):Type 1: for all queried by attacker (a type 1 forgery).Type 2: for one pair of , and , where (a type 2 forgery).Type 2(a): the first element of signature output by the attacker is not equal to the signature computed by the challenger.Type 2(b): the first element of signature output by the attacker equals the signature computed by the challenger.The advantage of the attacker is the probability that the attacker wins the game.
We can show that type 1 and type 2(a) forgery in our linearly homomorphic signature scheme will lead to a forgery of the underlying Boneh and Boyen (BB) signature.

Theorem A.4. Our linearly homomorphic signature scheme is secure against type 1 and type 2(a) forgeries, if BB signature is strong unforgeable against a weak attacker.

Proof.
Sketch. The challenger simulates the public key of our scheme by using the public key of BB signature and the element . For responding the signature query on in our scheme, the challenger queries to the challenger of BB signature and obtains . Then, the challenger returns for a random number . Finally, if the attacker of our scheme outputs a valid forgery , then the first component of is a valid forgery of BB signature.

Theorem A.5. Our linearly homomorphic signature scheme is secure against type 2(b) forgeries, if q-SDH assumption holds.

Proof.
Sketch. The challenger of our scheme takes as input an instance of the -SDH assumption and forms the polynomial for the distinct tags queried by the attacker. Let and randomly chosen by the challenger. Then, the challenger constructs , , and , which can be used to respond to the signature queries from the attacker. Finally, when the attacker returns the forged signature on and , the challenger computes . If the forged signature is valid, then .
Let , where is a polynomial over . Thus, . Then, is a solution to the -SDH assumption.

Conflicts of Interest

The authors declare that they have no conflicts of interest.