Multiple Authorities Attribute-Based Verification Mechanism for Blockchain Mircogrid Transactions

: Recently, advancements in energy distribution models have fulﬁlled the needs of microgrids in ﬁnding a suitable energy distribution model between producer and consumer without the need of central controlling authority. Most of the energy distribution model deals with energy transactions and losses without considering the security aspects such as information tampering. The transaction data could be accessible online to keep track of the energy distribution between the consumer and producer (e.g., online payment records and supplier proﬁles). However this data is prone to modiﬁcation and misuse if a consumer moves from one producer to other. Blockchain is considered to be one solution to allow users to exchange energy related data and keep track of it without exposing it to modiﬁcation. In this paper, electrical transactions embedded in blockchain are validated using the signatures of multiple producers based on their assigned attributes. These signatures are veriﬁed and endorsed by the consumers satisfying those attributes without revealing any information. The public and private keys for these consumers are generated by the producers and endorsement procedure using these keys ensures that these consumers are authorized. This approach does not need any central authority. To resist against collision attacks, producers are given a secret pseudorandom function seed. The comparative analysis shows the efﬁciency of proposed approach over the existing ones.


Introduction
Microgrids act as source of electricity to small geographical region such as healthcare centers, military units, homes etc. [1][2][3]. Microgrids can also be integrated with national power distribution centers and other renewable energy generation sources (e.g., solar, wind etc.). The basic architecture of mircogrid includes (1) electrical load, (2) energy storage unit and (3) a line to and from the main grid. The integration of microgrids with the main grid make them to operate in the connected mode along with their standalone operation capabilities. Hence microgrids first fulfill with the local energy requirements and then provide extra energy to the main grid to facilitate other consumers.
Various microgrid projects in USA use the blockchain technology for managing energy transactions and give an overview about new energy system. New energy system concept is based on distributed generation including renewable sources, energy transmission to consumers/main-grid, communication among various distribution and communication network elements and managing financial transactions. The main stakeholder also tries to reduce the time that spent on managing financial transactions. Consumer might gets energy from multiple distributors and billing server needs a reliable and authentic information. This is made possible by the use of blockchain that offers cryptocurrency for monetary transactions in energy field. Many companies have set up energy exchange platforms to bring the buyers and sellers on one page. For example, dutch company Vandebron [4] offers the possibility to buy energy directly from producers using a central entity that manages the network, prepares bills and checks the balance between production and consumption. In mircogrids, decentralized authorities make the transactions efficiently manageable using blockchain but this approach is very resource consuming considering all the stakeholders in the authentication and information processing. Also each stakeholder must have an access to desire transaction data instead of whole consumers transactions. Each stakeholder must have to verify its authenticity before making any changes to the consumer transactions. In authentication, multiple attribute-based signature is an efficient approach that meets with the requirement of distributed authentication procedure and also protects the consumers privacy [5].
The rest of the paper is organized as follows. A literature survey is provided in Section 2 while an overview of blockchain and attribute-based encryption are discussed in Section 3. Section 4 provides a brief mathematical details of attribute-based algorithms. The proposed security algorithm is discussed in Section 5. The performance evaluation of the proposed algorithm is presented in Section 6. Finally, Section 7 concludes the paper.

Main Contribution
The main contributions of this paper are: 1. develop a framework to keep the record of energy transactions for future use and verification purpose by new consumers 2. hide the actual transaction details while disclosing only the reputation and performance metrics of a mircogrid owners

Literature Survey
Cyber security in smart grids is analyzed in detail in [6]; however, this section only considers the relevant information of that analysis. Authentication in smart grids is one of the main critical security aspect that allows the users to access the its various elements. It is achieved using the digital signatures, username and password approach and hashing functions. In a digital signature, a user first generates the hash of a message using Secure Hash Algorithms (SHA) or Message-Digest algorithm (MD5) and then encrypts it with his private key using RSA. The encrypted hash can only be decrypted with the public key of same user who encrypted it. This ensures the authenticity of the message while the user authentication is achieved by the username and password approach.
Many other security approaches based on one time signature, message authentication code (MAC), RSA encryption are proposed in [7,8]. In one signature approach, each signature is used once to very a message. This helps to avoid the replay attacks as the message will be discarded if received after a threshold time value. Precomputed hashing approach is proposed in [9], however it suffers from a very large computational power to map the messages with the precomputed hashes.
In message authentication code, a single key is shared between the communicating parties to verify and authenticate the received messages. TESLA [7] used the same concept with slight changes. In TESLA, time is divided into slots and for each slot there is one secret key. A message for a particular time slot is encrypted with a key belonging to that slot. The message is then send to the receiver while the key belonging to the message is released after it expiry. Hence a receiver receives the messages, buffered them and wait for the corresponding keys. However this approach has a very high memory requirements as the receiver has to stored all the messages until it receives the keys. This approach is not feasible for the real time applications.
Most of the existing security solutions are proposed for the smart grids communications that are not suitable for the microgrids communications due to different architecture. A detailed security analysis based on the microgrid architecture is presented in [10]. However, this analysis did not address the communication security threats and solutions in mircogrid architecture. Sahai and Waters [11] presented attribute-based framework to build a number of cryptographic primitives. The attribute-based signature scheme allows the user to attest the correctness of information while hiding its original contents from outside world. The signature is only a validation procedure that ensures the message is endorsed by the signer having valid attributes. An attribute-based signature ensures privacy to signer while it ensures unforgeability to the verifier. Khader [12] presented a group signature scheme based on attributes while the formal definition was presented in [5,13]. The security of these protocols were analyzed in only generic group model. A secure forward attribute-based signature schemes were presented in [14,15] however they did not consider the adaptive-predicate privacy and unforgeability. A fully secured attribute-based signature scheme for standard model and other models considering the non-monotone predicate is presented in [16]. However it is not suitable to apply in practice. To improve the efficiency, Chen [17] presented attribute-based short signature scheme but this scheme is based on single authority which does not fit in distributed applications. To improve the computational cost, an efficient attribute-based signature scheme with monotone predicate is presented by Gu [18]. To reduce the dependency on attribute authorities, escrow based attribute-based signature scheme is presented by Cui [19] where users could provide evidence to the verifier about their signature rights. However, these schemes are based on a single authority that is not suitable for distributed systems. In this paper, we propose multiple authorities attribute-based signature scheme for blockchain microgrid architecture that suits the distributed nature of system both in security as well as tamper proof energy transaction record.

Background
This section gives a breif overview of blockchain technology and attribute-based authentication mechanism. These two technologies in later sections are used to describe how user can benefit from them in making a secure and reliable energy transactions in microgrid architecture.

Blockchain
Blockchain technology concept is based on distributed database that keeps the records of all transactions in ordered list in which they are executed without the involvement of central authority (e.g., banks). Bitcoin (also known as crypto currency) is one of the main example that uses blockchain for all transactions without any central authority. Smart contracts are also established using blockchain and execute automatically when they fulfill the required conditions. Hence bloachchain is a distributed ledger that grows continuously with data/transaction record called block. Each individual block in the blockchain is time-stamped, connected with previous block, shared and not modifiable. In this paper, blockchain is used by the users to check and records all the transactions occurred in the network and selects an appropriate microgrid distributor to purchase and deal in energy. A user can verify a copy of blockchain or newly received block and add it into its chain. Once added into chain, block cannot be modified. Any attempt to modify the block in chain results in invalid chain. Blochchain technology has the following main elements: 1. verification mechanism 2. a network to share blocks (ledgers) Including previous block hash into the new block connects them with each other and this enables the user to check the validity of blockchain by only verifying the authenticity of last block in a chain. The network allows each user to share the distributed ledger with other users. Figure 1 gives a pictorial representation of blockchain where each block contains one or more transactions. For example, who is purchasing and selling energy, amount of energy, duration and time-stamp. In this scenario, everyone in the network knows everyone else transaction details and may reveal private information if not secured. To attract the consumers, mircogrid owner also include his/her performance report as a block in chain. This performance report must be verified and attested by the his/her previous consumers.
In this paper, we are addressing the verification and attesting mechanism of such performance report block in blockchain using attribute-based authentication mechanism.  batches of individual transactions and eventually programs. In our scenario the blockchain allows users keeping track of all energy transactions that occur in the network. All users maintain a copy of the blockchain and can verify their blocks. Once transactions are included in blocks, they cannot be modified anymore because any tampering is revealed by the verification mechanism. The blockchain technology is enabled by the following elements: • a verification mechanism; • a data network to share the ledger. Users can check that all blocks have not been subjected to tampering, quickly and efficiently, by checking only the last block. A data network is needed to permit prosumers sharing the distributed ledger. Fig. 1 shows the blockchain as a ledger of blocks, where each block contains one or more transactions. In case of energy purchase or selling, blocks can be organized in tables containing details including source (generator), destination (load), transferred energy [kWh], timestamp, duration, power profile [kW]. We propose to add in the blockchain also presumed and/or measured losses due to non-linear effects and reactive power flows.
Each block in the blockchain contains a header and a data field. The header contains a string that uniquely identifies the block and is obtained from the previous block using the Secure Hash Algorithm SHA256 [5]. This is used to check for validity. The SHA algorithms receives in input a variable length message and produces a message digest, a footprint of the message, that has fixed length, which is indicated in figure as hash. The security of a hash algorithm is that the function is not reversible (i.e. it cannot be traced back to the original message knowing only this data) and it should never be possible to intentionally create two different messages with the same digest. The digest to the SHA256 includes the blockID (for protecting from changes in the order of blocks), a nonce, the timestamp, the transaction(s) and a copy of the hash of the previous block. The nonce n is specifically mined so that the resulting hash verifies specific conditions (e.g. it starts with a given number of zeros). In case one or more blocks get tampered, even in a single bit, the hash changes and the block is not considered valid anymore. With high probability, indeed, the condition on the hash is no more verified. A malicious user could mine the new nonce in order to obtain a valid block, however, its tampering is evident since the hash of such block is not equal to the corresponding hash in the blockchain owned by the majority of users. Besides, blocks are connected, namely chained, so that the hash of block i-1 is included as input to the SHA256 function to obtain the hash of the subsequent i-th block. In this way, any tamper on a block creates an invalid condition over all the following blocks in the chain, as shown in Fig. 2, where invalid blocks are indicated in gray, and the majority of users has a valid blockchain.
This chained setting has two effects: on one hand tampering a past block requires to mine nonces for all successive blocks (it is computationally unfeasible), on the other hand, the validity of the whole chain can be checked by verifying only the hash of the last block. The longer the blockchain is, the more difficult the change of the content as an effect of the computational burden for mining the nonces. A malicious user with large computational power able to mine all nonces would obtain a valid last block. However, even in such highly improbable case, the last hash would not match the one owned by the majority of the users, which are assumed as not colliding. In this largely simplified description, anyone knows about anyone elses transactions, exposing private data about energy generation and consumption. However, blockchains with confidential transactions have recently appeared [6] and provide a solution to such privacy concerns. Further details on the blockchain technology can be found in [7], while [8] provides a comprehensive presentation of the required cryptographic elements.

Attribute-Based Security
In attribute-based security, ciphertext is associated with some label of encryptors called attributes. Each private key is also associated with the access tree known as predicate. The predicate defines the policy how to decrypt the ciphertext with associated keys. Normally the predicate consists of AND, OR and threshold gates [11]. Goyal [20] showed how users can associate and include predicates into their private keys. It has two variants Key-Policy Attribute-Based Encryption (KP-ABE) and Ciphertext-Policy Attribute-Based Encryption (CP-ABE). In KP-ABE, user's secret keys are generated based on an predicate that defines the privileges scope of the concerned user, and data are encrypted over a set of attributes. However, CP-ABE uses predicate to encrypt data and user's secret keys are generated over a set of attributes. In CP-ABE, a user can decrypt the ciphertext if and only if his attribute set satisfies the predicate.
Attribute-based security algorithms consist of mainly four steps: (1) algorithm setup, (2) private key extraction, (3) signing and (4) verification. The universe of attributes is represented by S while predicate over the universe of attributes is a monotone boolean function takes inputs from U. We can say that an attribute set W satisfies a predicate β if β(µ) = 1 (where an input is valid if the corresponding attributes are chosen from U).

Preliminaries
This section describes the notations used in this paper and some definitions as:

Bilinear Mapping
We consider two cyclic groups of prime order q i.e., (G, +) and (G T , ×). (G, +) is additive cyclic group while (G T , ×) is multiplicative cyclic group. Bilinear mapping e : G × G → G T have following properties: 1. Bilinearity: For any X, Y ∈ G and p, q ∈ Z y * , it has e(pX, qY) = e(X, Y) pq 2. Non-degeneracy: For any X, Y ∈ G must satisfy e(X, Y) = 1 G T 3. Computability: For any X, Y ∈ G it is easy to compute e(X, Y)

Computations
We have a finite cyclic group G of order y and p, q, b, n ∈ Z y * are selected randomly. The security of this approach lies in discrete logarithmic problem and computational bilinear diffie hellman problem. These are defined as: Discrete Logarithmic Problem: Given X, Y ∈ G, it is difficult to find the integer n such that Y = nX. Computational Bilinear Diffie Hellman (CBDH) Problem: Given A = pX, B = qX, C = bX ∈ G and bilinear mapping e : G × G → G T , it is difficult to find p, q, b if given e(X, X) pqb .

Predicate
Suppose we have a set of parties X p = {X p 1 , X p 2 , X p 3 , ..., X p n } and monotone access tree structure β ∈ 2 {X p 1 ,X p 2 ,X p 3 ,...,X pn } such that for all I, E ∈ β and I ⊆ E. Also access structure β is a collection of non empty subset of {X p 1 , X p 2 , X p 3 , ..., X p n }. Suppose we have a universe of attributes B and monotone access tree structure over this universe is monotone Boolean function whose inputs are from B. There is another attributes set W ∈ S that satisfies the predicate β if β(W) = 1. As β is a monotone in nature, for any set W ∈ V, β(W) = 1 implies β(V) = 1. In this paper, a microgrid is assigned a set of attributes and the authorized set is also included in monotone access tree structure β. Data verifier (consumer) would be able to verify the signature if and only if the attributes satisfy the access tree structure of the signature.

Multiple Authority Attribute-Based Signature
Multiple authority attribute-based signature scheme in microgrid architecture is split into five steps.

Security Definitions
Unforgeability is one of the main security feature that attribute-based signature scheme provides however it also suffers from the colluding authorities or users. To explain it in a better way, we consider a scenario between a challenger C and a forger F as follows.
Setup: During setup phase, the challenger C generates the public parameters using the using the secret parameter 1 λ and transmits it to F. F then sends the a predicate β * and list of malicious users J A to C. Authority/User Setup: In this phase, the challenger generates the public and private keys (K K , l K ) for the corrupted authorities and sends it to the forger F. Queries: Now the challenger C initializes the integer m = 0 for the list J = {m, B, l U } and allows the forger F to execute the following steps.
Private key extraction oracle: Once the challenger C receives the m and set of attributes B, it returns the secret key l U to the forger F otherwise it generates the l U using the KeyGen algorithm and sends the generated l U to the forger and adds this new entry (m, B, l U ) into list J. Signing oracle: As the challenger receives the message M and predicate β, its generates the signature and sends it back to the forger MA-ABS scheme is perfectly private if all the parameters, messages, attributes sets, all private keys, predicates, distributed signature and actual signatures are equal. Also the signature should not reveal any private information of the signer.

Multi-Authority ABS Scheme
The proposed microgrid system model for transactions and losses records is presented in this section along with the ABS and blockchain.

System Model
The proposed ABS scheme is based on multiple authorities that is applicable to distributed microgrid architecture with blockchain technology. The proposed model consists of the following entities: (1) record server, (2) N authorities, (3) microgrids and (4) verifier (consumer). As shown in Figure 2, record server behaves like a storage server that keeps the copy of all transactions happening in the microgrid network. N authorities consists of various organizations (i.e., banks, consumer registration authority, comsumers). Microgrids normally manage and sign their own transactions records and create their own access policy. The verifier (consumer) accesses these information to ensure their authenticity.

Proposed Approach
For any m ∈ Z y , a set of attributes B whose elements also belongs to Z y , the Lagrange coefficient is defined as The proposed scheme associates each element of Z y with each attribute. Detail description of the proposed scheme is as follows: Setup: During the setup phase, microgrid server chooses two cyclic groups G and G T of prime order d and bilinear mapping function such that e : G × G → G T . Let X be a group generator of G and H : {0, 1} * → Z * y is a collision resistant hash function based on ECDH. Computing r = H(GID) for microgrid global identifier GID. N authorities in the system are represented by A 1 , A 2 , A 3 , ..., A N and each authority has a set of attributes A k = {a k,1 , a k,2 , a k,3 , ..., a k,c k }. Also µ is randomly selected from Z * y and calculated Y as Y = µX. Now the overall public parameters for this system are params = e, d, X, Y, G, G T , H . Authority Setup: Each authority randomly selects α k ∈ Z * y and calculates y k = α k X. Also each authority randomly selects y k ∈ Z * a for each attribute p k,i ∈ A k and calculates T k,n = t k,m X. Two authorities (A k , A n ) select randomly s kn ∈ Z * y and share it with each other as a seed for secret pseudorandom function (PRF) through a secure channel which then sets s kn = s nk . These authority also selects v m , v n ∈ Z * y to define a common PRF as The authority A k outputs the public key as K k = y k , {T k,m } m∈{1,2,3,...,c k } and private key as l k = α k , v k , {s kn } n∈{1,2,3,..,c k } , {t k,m } m∈{1,2,3,...,c k } .
KeyGen: Each microgrid is assigned a set of attributes A U and each authority A k picks a k ∈ Z * y to compute B k,m = a k t k,m for a k,m ∈ A k U where A k U = A U ∩ A k . Each mircogrid U communicates with each authority A k for N − 1 times to finalize and computes the key anonymously as I kn = α k X + a k Y + PRF kn (r) for k > n and I kn = α k X + a k Y − PRF kn (r) for k ≤ n Finally I U = ∑ k,n∈{1,2,...,N}×{1,2,...,N} I kn The public key is declared as K U = {S k,n Y} k∈{1,2,...,N},m∈{1,2,...,c k } and the private key is declared as l U = I U , {B k,n } k∈{1,2,...,N},m∈{1,2,...,c k } Sign: Every message is signed based on the access policy β. To do so, a polynomial d v is selected for each leaf node/authority/party v. The degree of the polynomial is set as k v − 1, where k v is the threshold value of v. Starting from R (i.e., root node), set d R (0) = s. Next another point on the predicate is selected and terminate the polynomial at that point. The microgrid selects randomly f ∈ Z * y and calculates .,N} e(sX, y k ), where p k,m is the value of attributes in access policy β. The final signature is = { 1 , 2 , 3 , 4 , 5 , 6 , 7 } Verify: Each verifier (consumer) has a set of attributes denoted as A IV = {q 1 , q 2 , q 3 , ..., q t }.
If β(A IV ) = 1 then the output is null. Otherwise, the verifier gets the signature and performs the operations on this signature using the public key of microgrid K U and node v from the access policy β as inputs to verify function Veri f yNode( , K U , v). If p k,m / ∈ A U then output of the Veri f yNode( , K U , v) is null.
If node z is a child node of v, then F z = Veri f yNode( , K U , z) is calculated and kept the output result. Suppose B v is any arbitrary k v − sized set of child node z, makes the F z = null. If there is no such set, then F z = null. F x is calculated as shown below where Once all the above conditions are successfully validated then verifier (consumer) Accepts otherwise Rejects.

Performance and Evaluation
The security and performance analysis of the proposed protocol is performed using random oracle model. First security analysis is performed followed performance analysis.

Security Analysis
To evaluate the security of proposed protocol, we consider two authorities A k and A n in our system. These two authorities share secretly a PRF seed s kn . This is important because if other N − 2 authorities get corrupted, the PRF seed share between these two authorities remains un-corrupted. During the process of private key generation, all authorities private keys α m are combined into mircogrid private key I U using the KeyGen function. This approach protects I U from disclosure even if there is only one single honest authority and rest get compromised by an attacker. In this way the protocol resists against collusion attack when there are N − 1 corrupted authorities. In order to protect the privacy of microgrid, its GID is not revealed directly to authorities. Therefore corrupted authorities cannot trace the private record of microgrid.
The proposed MA-ABS security model for microgrid is unforgeable for selective access policy attacks using Computational Bilinear Diffie Hellman (CBDH). Suppose the forger F has some important information that can help the attacker using selective access policy attacks. In this case, the challenger C selects the security parameter 1 λ and runs the setup phase. The public parameters generated by setup phase are sent to the forger. Using the simulator ς that takes the F, public parameters and as inputs to solve the CBDH.
To launch an attack, forger makes d X queries to extract the private keys, d H queries to hash function and d s queries to signing oracle. Now the simulator ς is given X, A = pX, B = qX, C = bX to compute e(X, X) pqb where p, q, b ∈ Z * q . The simulation is performed as: • Setup: The forger F selects the challenger's access policy β * and a set of attributes B * . The forger gives β * and B * along with the list of corrupted authorities J A to the simulator ς and sets Y = (p + µ)X. The simulator returns A, B and C to the forger. • Authority Setup: The simulator selects randomly A * k ∈ {A 1 , A 2 , .., A N } \ J A . If A k ∈ J A then simulator selects f k , w k,m ∈ Z * y randomly and calculates T k,m = w k,m X for p k,m ∈ A k . Then the simulator selects v k ∈ Z * y , a PRF seed s k,n ∈ Z * y for corrupted authorities A k and A n and returns the output f k , w k,m , v k , s kn and y k , T k,m to the forger where y k = f k X.
If A k / ∈ J A , then the simulator selects f k , w k,m ∈ Z * y randomly and calculates T k,m = w k,m X for p k,m ∈ β * and T k,m = w k,m A = w k,m pX for p k,m ∈ β * . If A K = A * K , the simulator sets y k = q f k X. Otherwise it sets Then the simulator randomly selects a PRF seed s kn ∈ Z * y for the honest authorities and returns y k , T k,m to the forger.
• Query: Before starting the query process, simulator creates an empty list J and initialize an integer m = 0. The forger then sends out the query as follow: Otherwise, it simulates the signature on M with β * (B) and calculates Y * = µ(bX) = bY and signature output is as follows: * Final signature returns by the simulator to forger is * = * 1 , * 2 , * 3 , * 4 , * 5 , * 6 , *

7
• Forgery: Once the forger generates the signature * for the message M * with β * (B * ), he/she makes it available to public. If this signature is verified successfully then it means that the forger successfully won the game. Let t S and t B denote the time that is consumed during the scalar multiplication over the elliptic curve group and bilinear pairing respectively. If attacker successfully breaks this algorithm (MA-ABS) in time t, then it is easy to calculate the time t taken by the new algorithm to solve CBDH problem as • Privacy: To ensure and protect the privacy of the signer that has a set of attributes B for access policy β, a valid signature is created using another set of attributes B that satisfies the same access policy β. Signature will not disclose the subset of attributes used to sign the message. This is because, any subset of k elements from a given set of attributes is used to sign the message and produce a valid signature. To ensure the privacy of signer, first the challenger runs the Setup and Authority Setup steps to generate the public parameters, public key K k and the private key l k of the authority for forger. The forger then outputs β, B 0 , B 1 , M * after querying the private key oracle and signing oracle where B 0 ⊇ B and B 1 ⊇ B. Forger also request to challenger to endorse the message M * with respect to β using B 0 or B 1 . The challenger now generates a challenge signature. As B 0 ∩ B = B and B 1 ∩ B = B, the challenger selects randomly a bit b ∈ {0, 1} and outputs a signature * with the private key lB b over the set of attribute B B . Using the Lagrange interpolation, it is observed that * can be generated using l B b or l B 1−b . Hence the forger is not able to steal the signer attributes.

Performance Analysis
In this section, the performance of the proposed algorithm is compared with the existing attribute-based signature approaches. To calculate the time consumption, we consider bilinear pairing operation, scalar multiplication operation, and exponentiation operation without considering the hash functions. T X , T S and T e are the time consumed by these operations respectively. The results in Table 1 shows the effectiveness of the proposed algorithm in distributed environment with multiple authorities. The computational const in SignVerify operation increases linear with the number of authorities and attributes. More specifically, the computational cost in sign operation is (6 + t)T S + NT X while the computational cost of the verify operation is T S + T e + (2tN + 1)T X . The size of the signature depends on the number of attributes and defines the cost of communication overhead. The signature size in proposed algorithm is (6 + t)|G|. Cost of signing (lt + t + 3)T e (7l + 15)T e (6 + 2l + lt)T e (l + t + 16)T e + 3T p (6 + t)T s + NT p Cost of Verifying (2lt + 1)T e + (l + 2 + (t − 1)(l + 1))T p (l + 1)T e + (L + 2)T p (l + 2)T e + (l + 4)T p (2lt + t + 12)T e + (l + 7 + (t − 1)(l + 1))T p T s + T e + (2tN + 1)T p Size of signature (l + t + 2)|G| (7l + 11)|G| (l + t + 2)|G| (l + t + 11)|G| (6 + t)|G|

Conclusions
To protect the privacy of microgrid transactions and losses using blockchain technology, the multiple authority attribute-based signature approach is introduced, which satisfies and meets the distributed requirement of microgrid as well as ensure the anonymity of information. The authorities agree on PRF seed and generates the private key for microgrid. If N − 1 authorities collude, they cannot reveal the private key of microgrid. The security proof of the proposed protocol is discussed using CBDH assumption of unforgeability and privacy. Finally, the comparative analysis showed the effectiveness of the proposed protocol.