#### Abstract

As the next-generation power grid system, the smart grid can realize the balance of supply and demand and help in communication security and privacy protection. However, real-time power consumption data collection might expose the users’ privacy information, such as their living habits and economic conditions. In addition, during the process of data transmission, it may lead to data inconsistency between the user side and the storage side. Blockchain provides tamper-resistant and traceable characteristics for solving these problems, and ring signature schemes provide an anonymous authentication mechanism. Therefore, in this work, we consider the applications of ring signature scheme in smart grid based on blockchain. We introduce the notion of multi-authority traceable ring signature (MA-TRS) scheme for distributed setting. In our scheme, there is an auditing node that can distinguish the identity of the real signer from the ring without any secret information. Last but not least, we prove that the proposed scheme is unforgeable, anonymous, and traceable.

#### 1. Introduction

The rapid development of society and economy has driven the increasing demand for electricity of the people, which requires that the power supply system is more convenient, stable, and secure. However, the traditional power grid system has the problems of load imbalance and lack of effective diagnosis of faults in real time. Therefore, a smart grid emerges to cope up with these problems.

Smart grid, combining the traditional power grid system with state-of-the-art information and communication technology, is considered as one of the most significant trends in the next generation power grids [1–4]. In smart grid, different from the one-way communication of the traditional power grid (which just transmits electricity from generation plants to electricity users), it allows two-way communication, which enables the electricity users to easily get their consumption data and intelligently control their use of the domestic electrical equipment properly [5, 6]. In addition, the electricity company can adjust the plan of the power supply to solve the problem of peak power consumption according to the real-time electricity data collection. Compared with traditional power grids, a smart grid system has a lot of significant advantages. However, some researchers have indicated that the malicious attackers or eavesdroppers can infer the users’ living habits, financial situations, identity information, or even which household equipment is being used during the process of the real-time power data collection [7, 8]. And it will pose a threat to individual and national security. Hence, how to deal with the leakage of power consumption data and identity information has become the focus of researchers [9].

As the underlying core technology of Bitcoin [10], blockchain is a distributed ledger that maintains the sustainable growth of data records list confirmed by all the participating nodes. Blockchain is a promising and powerful technology, which utilizes cryptography, P2P, and so on to guarantee the security of the system. Due to the properties of decentralization, tamper-resistance, and traceability, blockchain is considered as an alternative option for setting up a trustful platform without a trusted third party. In recent years, it has been widely used in diverse industrial areas, including finance [11, 12], artificial intelligence [13, 14], health care [15, 16], and Internet of Things (IoT) [17–19]. Obviously, it is feasible to utilize blockchain technology into the smart grid system to address the above-mentioned weaknesses. Guan et al. [20] proposed a privacy-preserving and efficient data aggregation scheme based on blockchain for power grid communications. In this study, users are divided into different groups and each group possesses a private blockchain. In order to disguise the users’ real identities, every user creates multiple pseudonyms. But this scheme uses a key generation center to generate users’ keys, which will lead to key escrow problem, and it lacks of tracing function when data inconsistency.

Although the properties of blockchain can make users' identities anonymous and protect their privacy, it is far from enough to solve the problem of users’ information privacy. Ring signature is one of the best methods to tackle it. In order to achieve anonymity of users, Rivest et al. [21] formalized the concept of ring signature in 2001, which is one of the digital signature schemes applied in blockchain. Distinct from group signature [22], ring signature has no group manager and allows any member of the ring to sign on behalf of all ring members as well as protecting the real identity of the true signer.

Identity-based cryptosystem was introduced by Shamir [23], allowing the users to utilize their own identities as the public keys. Zhang and Kim [24] constructed an identity-based ring signature (IDRS) scheme, combining the properties of ring signature and identity-based signature. After that, other researchers have come up with their own ID-based signature schemes, such as [25–27]. Ring signature, however, is not always a best option owing to its full anonymity. Therefore, a traceable ring signature (TRS) scheme [28] was proposed for restricting abusing anonymity. As for group signature, it has a strong ability of traceability, and ring signature has a strong ability of full anonymity. Traceable ring signature keeps the balance between group signature and ring signature. To be specific, traceable ring signature has the characteristics of traceability and anonymity. In a traceable ring signature scheme, not only does it provide anonymity for any signer when he/she signs any message but also provides traceability for verifiers to distinguish whether the signatures are produced by the identical signer on the same transaction while the malicious signer abuses anonymity in some situations. Besides, some researchers have proposed the ring signature schemes with anonymity revocation [29, 30], while it is based on single authority, which is not suitable for blockchain applications.

Based on the above analysis, we present a multi-authority traceable ring signature (MA-TRS) scheme for smart grid based on blockchain. The main contributions of this work are listed as follows. (1)The definition of TRS scheme in the multiple authorities setting is formalized. In our definition, there exist key-generation nodes, and the electricity user is supposed to interact with at least out of key-generation nodes to generate his/her own private keys.(2)We construct an MA-TRS scheme for blockchain-based smart grid based on ID-based ring signature. And it has the properties of unforgeability, anonymity, and traceability.(3)In our scheme, the auditing node is responsible for tracing the real signer when the power consumption data of the electricity users is inconsistent with that of the blockchain network, while the auditing node does not possess any secret information.

The rest of this paper is organized as follows. In Section 2, we introduce the preliminary knowledge of our proposed scheme. The system model and security model will be defined in Section 3. Then in Section 4, we present the MA-TRS scheme. In addition, the correctness and security are given in Section 5. Last but not least, we draw a conclusion in Section 6.

#### 2. Preliminaries

In this section, we will introduce the relevant background materials that are utilized in the construction of our scheme.

##### 2.1. Bilinear Map

Let be two multiplicative cyclic groups with the same large prime order and be the generator of . A bilinear map needs to satisfy the following three properties:
(1)*Bilinearity*. For all and , there is (2)*Non-degeneracy*. There is , where is the identity element of the group (3)*Computability*. There is an efficient algorithm to calculate for all

##### 2.2. Complexity Assumption

*Definition 1. *Discrete logarithm problem (DLP): for all , it is difficult to find to satisfy .

*Definition 2. *Computational Diffie-Hellman problem (CDHP): given , it is hard to compute .

#### 3. Definitions

In this section, we will formalize the definition of the system model and the security model in our scheme.

##### 3.1. System Model

In the MA-TRS scheme, we design a smart grid network with traceable anonymous authentication mechanism based on blockchain between electricity company and users, in order to guarantee the data privacy of the users. As depicted in Figure 1, our system model is comprised of eight entities: electricity company (EC), data center (DC), smart meter (SM) in the residential area (RA), registration and authentication node (RAN), key-generation node (KGN), data processing node (DPN), blockchain network (BCN), and auditing node (AN).

###### 3.1.1. Electricity Company

In our scheme, the EC is connected to the smart grid network, analyzes the real-time power consumption data, and responds to the electricity demand of the electricity users for providing them with customized services.

###### 3.1.2. Data Center

The DC is in charge of receiving and storing the data copies uploaded by the DPNs to the blockchain network and providing them to the EC or other scientific research institutions for further scientific researches.

###### 3.1.3. Smart Meter

The SM is equipped in the electricity user’s house in the residential area to collect the electricity consumption data of his/her household electrical appliance regularly and simultaneously (e.g., 15 minutes). Before uploading the power consumption data to the smart grid network, every smart grid needs to register with the RAN to obtain his/her unique identity. After that, when the electricity user logs in to the smart grid system, the RAN will authenticate the unique identity of the electricity user. Then, the user uses the identities of other users in the same residential area to form the identity set , generates the ring signature, and sends the power consumption data to the DNPs in the smart grid network.

###### 3.1.4. Registration and Authentication Node

The RAN is responsible for allocating the unique identity to the electricity user who signs up for the smart grid system and authenticating the legitimacy of the user.

###### 3.1.5. Key-Generation Node

The KGNs jointly generate their own key shares when the system is initialized. The electricity user needs to obtain at least key shares from KGNs to generate his/her private key.

###### 3.1.6. Data Processing Node

The DPN parses the uploaded power consumption data and packages it to generate the blocks as well as storing the data copy to the DC. Especially, in our scheme, the DPN still records some other operations into the block, such as reading and storage. Because of the strict supervision of every operation via blocks, all kinds of operations of every node can be traced and the interaction of data can be protected, which makes our scheme distinct from the traditional smart grid schemes.

###### 3.1.7. Blockchain Network

The BCN stores the event blocks that the DPNs process, which can achieve the function of data tamper resistance.

###### 3.1.8. Auditing Node

When the electricity consumption data of the electricity user is inconsistent with that of the blockchain network, the AN intervenes to trace the real signer, which makes the data traceable.

##### 3.2. Security Model

The security model of our proposed scheme should meet these three security requirements: unforgeability, anonymity, and traceability.
(1)*Unforgeability*. Unforgeability means that no one can generate a valid ring signature for the identity set unless he/she has one of the private keys corresponding to (i)*System Setup*. Challenger runs the system setup algorithm to produce the system public parameters and master key shares for KGNs whose identities are , respectively, then returns to adversary who possesses all of the public keys of users but not any private key(ii)*Queries*. can make the following four kinds of queries to :
(a)*Hash Query*. chooses any value, and returns him/her the corresponding hash value(b)*Master Secret Key Query*. initiates a request for some KGNs for their master key shares. For such a query, transmits to (c)*Key Generation Query*. Upon receiving an identity of a user , then returns the relevant secret key to (d)*Ring Signature Query*. chooses and submits the message and the identity set of users in the same residential area . After that, returns the relevant ring signature to (iii)*Forgery*. At last, outputs the signature of another message and the identity set of users in the same residential area that satisfy the following three conditions:
(a) is a valid signature produced by (b) does not appear in the phase of ring signature query(c) never inquiries the private key of the members of (2)*Anonymity*. Anonymity means that given a signature, no one can determine the real signer unless all of the ring members (the users in the same residential area as the signer) launch collusion attacks(i)*System Setup*. Challenger executes the system setup algorithm to compute the system public parameters and returns it to adversary (ii)*Queries*. adaptively executes polynomial times ring signature queries(iii)*Challenge*. In the phase of challenge, outputs a message , the identity set of users, two different public key , and transmits them to . randomly chooses a bit and runs the signature generation algorithm with the real signer , then returns to (iv)*Queries*. adaptively executes polynomial times ring signature queries(v)*Challenge*. Finally, outputs a bit . will succeed if and only if .(3)*Traceability*. Different from the ring signature schemes [31], whose anonymity cannot be revoked, the property of the anonymity of TRS schemes is conditional. The property of traceability of TRS schemes means that for any valid ring signature, there exists someone who can determine the real signer from the ring (all users in the same residential area including the signer)

*Definition 3. *The MA-TRS scheme is unforgeable for any , because the advantage of him/her is negligible.

*Definition 4. *The advantage of any polynomial time adversary is defined as . We say that an MA-TRS scheme is anonymous if the advantage of is negligible.

#### 4. Multiauthority Traceable Ring Signature Scheme

In this section, we construct a multi-authority traceable ring signature (MA-TRS) scheme for smart grid based on blockchain, which is mainly comprised of the following five parts: system setup, user registration, user report generation, data storage, and user data tracing.

##### 4.1. System Setup

The system setup phase is divided into two subprocesses: system initialization and key-generation nodes initialization. (1)System initialization is responsible for generating all system public parameters by the DPNs(a)The DPNs select two multiplicative cyclic groups and with the same large prime order and define a bilinear map . Let be the generator of (b)The DPNs choose two hash functions: and (c)According to the whole number of KGNs, the DPNs decide the threshold value of KGNs that participate in the generation of user’s secret key(d)The DPNs publish the system public parameters (2)During key-generation nodes initialization subprocess, all the KGNs cooperate with each other to generate their own master key shares(a)Each KGN chooses randomly a polynomial of degree

where . (b)KGN calculates for , then broadcasts (c)KGN computes the subshare for every other KGN for and sends to KGN via secure channel. Simultaneously, KGN computes and keeps for himself/herself(d)Upon receiving the sub-share from all other KGN for , KGN verifies whether the equation holds. If it holds, the sub-share from KGN is valid. Otherwise, KGN broadcasts a complaint against KGN . Then, KGN is obliged to retransmit value that satisfies the equation so as to pass the verification(e)After finishing the above interactions, KGN calculates its own master key share and computes its corresponding public key share . Note that the master secret key can be recovered by at least out of master key shares (f)For the purpose of computing the master public key, any one of the KGNs can select at random out of KGNs’ public key shares. Suppose is the set of qualified KGNs to generate master keys. Therefore, it calculates the master public key as(g)All the KGNs append and their own to as

##### 4.2. User Registration

If the electricity user intends to join the smart grid, he/she is supposed to submit the registration information to the RAN. Then, the RAN will assign him/her a unique identity. After that, the electricity user needs to interact with at least out of KGNs to generate his/her private key. In other words, when there are less than KGNs, the user cannot generate his/her own private key. There do not exist any two of KGNs interacting with each other in this phase. Consequently, the user can choose any KGNs according to his/her preference. After the interaction with KGNs, the user computes his/her own private key with the secret key shares from KGNs. (1)Each user initiates a registration request to the RAN. Subsequently, the RAN allocates him/her a unique identity . Next, the DPNs calculate and publish .(2)Every KGN computes and transmits it to user securely(3)When receiving the secret key share from KGN , user verifies whether the equation holds. If it holds, the secret key share is valid. Conversely, the user discards the invalid secret key share and KGN has to resend the value that satisfies the equation(4)When collecting secret key shares, user can generate his/her secret key as follows:(5)Every user selects a random number , then calculates and . After that, the user keeps as his/her private key and regards as his/her public key. At last, the user broadcasts .

##### 4.3. User Report Generation

In this phase, every electricity user utilizes the SM to collect power consumption data , generates ring signature of it, and sends the data to the smart grid network regularly, e.g., every 15 minutes. Let be the identity set of all users in the same residential area. Assume that the real signer, indexed by , keeps as his/her public key and as his/her private key, where . (1)Signer chooses , respectively, and calculates the following equations:(2)Signer selects a random and computes:

where . If , needs to be reselected. (3)The ring signature of power consumption data signed by signer outputs as(4)The user reports the signed electricity data to the DPN, where is the current time stamp

##### 4.4. Data Storage

Any one of the DPNs can serve as the verifier who verifies the validity of the signature of power consumption data . (1)After receiving the signed electricity data, the DPN computes the following equation if :

where is the current time stamp, and is a predefined time threshold value. (2)The DPN checks the validity of the signature by examining whether

holds. If it holds, accept the signature. Otherwise, reject it. (3)The DPN packages the signed electricity data into block and broadcasts it to other DNPs. After most DNPs verify and accept the block, the DPN uploads it into the blockchain network. At the same time, the DPN sends the data copies to the DC for further scientific researches. Besides, the DPN will also record the operation of uploading data in the blockchain, which makes every operation traceable and data interaction protected

##### 4.5. User Data Tracing

When the user finds that the electricity consumption data is inconsistent with that stored in the blockchain network, he/she can initiate an audit request. Then, the AN intervenes to solve it. During this process, the AN only needs to interact with all the users in the same residential area once to trace the real signer . What the AN executes is as follows. (1)The AN firstly parses the operation recorded in the blockchain to trace which operation of the data inconsistency(2)In accordance with and the set of identities of the electricity users in the same residential area in ring signature , the AN collects the value of from the relevant user in the same residential area by calculating (3)After finishing the collection of all of the , the AN needs to verify the validity of one by one through checking whether the equation holds. On condition that all are true, the AN computes . After that, the real signer can be determined by (4)The AN will solve this problem of data inconsistency according to the tracking results

#### 5. Correctness and Security

This section proves the correctness and security of our proposed scheme.

##### 5.1. Correctness

Theorem 5. *If , the signature of the power consumption data is valid.*

*Proof. *

Theorem 6. *If and , the user data can be traced correctly.*

*Proof. *

##### 5.2. Unforgeability

Theorem 7. *The proposed MA-TRS scheme is unforgeable.*

*Proof. *Because the master secret key is jointly generated by at least key-generation nodes and the private key of the user is produced after interacting with at least key-generation nodes, it is infeasible for anyone who does not belong to the signature ring to obtain the part of the private key of the user. Additionally, another part of user’s private key cannot be computed by due to DLP. Namely, it is difficult to forge any valid private key of the ring members. The values of one signature can be produced by anyone. However, the calculation of the values requires at least one of the private keys of the ring members. According to the security model of unforgeability, the adversary cannot obtain any private key of the ring. And it is impossible to compute by owing to CDHP. Therefore, it is impossible for anyone who is not a member of the ring to forge a valid signature.

##### 5.3. Anonymity

Theorem 8. *The ring signature is anonymity of the signer in our proposed MA-TRS scheme.*

*Proof. *The values of are chosen at random from , so the values of are evenly distributed in the group , and the same is the value of . In addition, the value is selected randomly by the real signer, and the value computed by is evenly distributed. Therefore, the values and will not reveal the information of the signer. In another word, it is computationally distinguishable unless all the ring members cooperate to compute. So, it is anonymous for the signer in our MA-TRS scheme.

##### 5.4. Traceability

Theorem 9. *The proposed MA-TRS scheme can trace the real signer if necessary.*

*Proof. *When the user or the electricity company finds the power consumption data is different from the data stored in the blockchain network, the auditing node will execute the tracing program to trace the real signer. The auditing node can obtain the value of after interacting with every user in the same residential area. After collecting , the auditing node verifies their validity, then traces the real signer by the public parameters. In the whole process of tracing, it is impossible for any member to leak his/her private key. That means the auditing node possesses nothing concerning the secret but the published information. Only the ring member who satisfies the equation is the real signer. Hence, the proposed MA-TRS scheme is traceable.

#### 6. Conclusion

In this paper, we propose a multi-authority traceable ring signature scheme for smart grid based on blockchain, combining ring signature scheme and blockchain technology. In addition, our scheme takes advantage of distributed key generation technology to address the problem of key escrow. A responsible user can generate his/her secret key by interacting with out of key-generation nodes, and no one knows the master secret key. When the power consumption data of the user is inconsistent with that of the blockchain network, the auditing node can trace the real signer and solve this data inconsistency, which makes our scheme different from other smart grid schemes. Compared with other ring signature schemes, our scheme has the properties of unforgeability, anonymity, and traceability. At last, we discuss the security proof of our scheme.

#### Data Availability

No data were used to support this study.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This work was supported in part by the National Natural Science Foundation of China (No. 61702067), and in part by the Natural Science Foundation of Chongqing (No. cstc2020jcyj-msxmX0343).