Privacy Preserving Data Aggregation for Smart Grid with User Anonymity and Designated Recipients

Abstract

Smart grids integrate modern Internet of Things technologies with the traditional grid systems, aiming to achieve effective and reliable electricity distribution as well as promote clean energy development. Nowadays, it is an indispensable infrastructure for smart homes, wisdom medical, intelligent transportation, and various other services. However, when smart meters transmit users’ power consumption data to the control center, sensitive information may be leaked or tampered. Moreover, distributed architecture, fine-grained access control, and user anonymity are also desirable in real-world applications. In this paper, we propose a privacy-preserving data aggregation scheme for a smart grid with user anonymity and designated recipients. Smart meters collect users’ power consumption data, encrypt it using homomorphic re-encryption, and then transmit the ciphertexts anonymously. Afterward, proxies re-encrypt the aggregated data in a distributed fashion so that only the designated recipients can decrypt it. Therefore, our proposed scheme provides a more secure and flexible solution for privacy-preserving data aggregation in smart grids. Security analyses prove that our scheme achieves all the above-mentioned security requirements, and efficiency analyses demonstrate that it is efficient and suitable for real-world applications.

1. Introduction

Electricity is important for modern civilization. However, power outages occur from time to time across the world, causing significant economic losses and social impacts. For example, in 2019, the Guri Hydropower Station, which provides 80% of Venezuela’s electricity, was maliciously attacked, causing 21 out of the 23 states to experience power outages [1]. At the same year, a large-scale power outage also occurred in South America, affecting more than 40 million people in Argentina, Brazil, Uruguay, and Chile. When such an accident occurs, the traffic lights ceased operation and all public transportation was suspended, making the affected cities into chaos [2]. One of the main reasons for this catastrophe is that the traditional power grid was designed more than a century ago and its effectiveness and robustness are far from satisfactory in the modern era [3].

In 2001, the concept of “smart grid” was introduced, expecting to enhance the traditional power grid using some latest information technologies, such as the Internet of Things (IoT) and computer networks [4]. In the smart grid, power transmission can be scheduled more intelligent and reliable thanks to the digitization and standardization of information [5]. Moreover, through two-way communications, the power grid can be continuously monitored in real-time, reducing the probability of power outages. To alleviate the phenomenon of isolated data islands, various cryptographic primitives, such as symmetric and asymmetric ciphers, have been employed to realize privacy-preserving and authentication in data sharing. Therefore, not only the desirable security requirements can be guaranteed for users’ personal data, but also the whole society can benefit from more effective information utilization. Nowadays, many countries have adopted the development of smart grids as a national strategy.

As shown in Figure 1, the smart grid generally consists of three layers [6]. At the bottom layer, smart meters collect users’ power consumption data and upload it into the grid system regularly. Based on this data, the electricity company can charge the users for power usage. This information also can be used to set-up flexible price packages to smooth the power usage, e.g., higher prices in the peak period and lower prices in the other periods, enhancing the reliability and effectiveness of the smart grid system. At the middle layer, the cloud is responsible for forwarding the aggregated power consumption data to the power station. During this process, individual users’ power consumption data must be kept secret from the cloud. Otherwise, users’ living habits, as well as some other private information, may be leaked. Moreover, if a malicious attacker tampers or forges the power consumption data during transmission, it will not only cause economic losses to the electricity company but also affect the power distribution of the entire grid. At the top level, the power station generates electricity based on demands and the power is distributed through the substations. As it is expensive to store electricity, it requires that the amount of electricity generated by the power station roughly matches the real-time demands. Otherwise, it will reduce the reliability of the smart grid or even cause catastrophic events.

At present, the design and implementation of a smart grid need to consider the following security features:

• Confidentiality: The data collected by the smart meters may contain users’ sensitive information. If an attacker obtains this data, users’ living habits could be leaked, so the power consumption data must be protected.
• Authentication: Power consumption data transmitted in the smart grid can be tampered with by a malicious adversary, so it is necessary to ensure that the adversary cannot modify, fabricate or delete the transmitted data without being detected.
• User anonymity: The power consumption data is normally sent with the user’s identity. When the cloud collects the data, users’ identities may be exposed to the cloud. In many circumstances, such exposure is undesirable and users’ identities should also be protected.
• No single point of trust: The decryption power should not be possessed by a single party. Otherwise, it could become a single point of trust in the system. For example, if this party is compromised, all sensitive information within the system can be read or leaked by this party. Instead, a distributed architecture should be employed.
• Designated recipients: Based on the minimum disclosure principle, fine-grained access control should be posed on the aggregated power consumption data, e.g., its access should be strictly restricted to the designated recipients.

To address the above problems, this paper proposes a privacy-preserving data aggregation scheme with user anonymity and designated recipients. In our proposed scheme, smart meters first collect users’ power consumption data, encrypt it using homomorphic re-encryption and then send the ciphertexts anonymously. The control centers aggregate the received data and re-encrypt it in a distributed fashion so that only the designated recipients can decrypt it. Moreover, novel verification techniques are employed to ensure that only legitimate users’ data is accepted and an adversary cannot tamper with this data during transmission. Our main contributions can be summarized as follows.

1.

Apart from the traditional security requirements, such as confidentiality and authentication, our proposed scheme also achieves user anonymity and no single point of trust. Moreover, it can ensure that the aggregated data can only be accessed by the designated recipients, realizing fine-grained access control. Therefore, it provides a more secure and flexible solution for privacy-preserving data aggregation in smart grid.

2.

Security analyses prove that our scheme achieves all these desirable security requirements, and efficiency analyses demonstrate that it is efficient to be implemented in real-world applications.

The rest of the paper is organized as follows. In Section 2, we briefly review some related works in the literature. The notations and preliminaries are outlined in Section 3. In Section 4, models and definitions are described. Then, our proposed scheme is introduced in Section 5, and its security and efficiency analyses are presented in Section 6 and Section 7, respectively. Finally, we conclude in Section 8.

2. Related Works

Nowadays, it is widely accepted that smart grids are a fundamental infrastructure for renewable energy [7]. Smart meters are important devices to realize two-way communication in smart grids, so they are vulnerable targets for attackers [8,9]. Hence, it is worth investigating methods that securely transmit information within smart grids and build a flexible smart grid architecture [10,11]. It is necessary to build a security model to meet the security demands of a smart grid [12,13]. To address this issue, various privacy-preserving data aggregation schemes have been proposed in the literature [14,15,16]. Moreover, these works can be divided into two main categories: one protects users’ power consumption data and the other protects users’ identities.

In the first category, homomorphic encryption [17] is used as a popular building block, thanks to its feature of allowing operations on the ciphertexts. Lu et al. [18] have proposed a data aggregation scheme EPPA that uses hyper-increasing sequences to record the multi-dimensional data and Paillier encryption to encrypt the data. The local gateway aggregates the encrypted data and sends it to the control center, which can then decrypt the aggregated data without learning any individual data. Later, Shen et al. [19] have proposed a modified data aggregation scheme in which the aggregated data of different regions can be aggregated in a hierarchical manner. Ding et al. [20] have proposed a novel encryption scheme that supports homomorphic re-encryption, in which the ciphertexts can be either decrypted or re-encrypted, both requiring two parties to operate in a distributed fashion. However, the majority of existing data aggregation solutions need to employ a trusted third party (TTP) [21,22,23,24]. To address this issue, Liu et al. [25] have proposed a scheme without a TTP. The trick is to select some users to construct a virtual aggregation area to mask the power consumption data of a particular user. Xue et al. [26] have proposed another data aggregation scheme without a TTP using secret sharing. However, it suffers heavy communication overheads and it is vulnerable to the man-in-the-middle attack. To improve efficiency of data sharing in smart grids, Zhao et al. [27] have introduced a fog-assisted data aggregation scheme that can reduce network bandwidth and realize smart pricing. Su et al. [28] proposed a lightweight data aggregation scheme for smart grid with forwarding secrecy. However, its limitation is that if any user’s data is missing, the aggregated data will become unreadable. To solve this issue, Huang et al. [29] have proposed a lightweight data aggregation scheme with fault tolerance. Xu et al. [30] have proposed a similar scheme that allows collusion between the aggregator and some entities, achieving a high level of fault tolerance. Although the above-mentioned schemes can achieve privacy protection for individual users’ power consumption data, very few have considered fine-grained access control for the aggregated data.

In the second category, smart meters have to send the power consumption data anonymously. A pseudonym is a common technique used to achieve user anonymity. Tan et al. [31] suggest using pseudo IDs instead of real identities, where these pseudo IDs are generated using a function with inputs of the group key, the time, and the number of smart meters. To hide the relationship between a user’s identity and her pseudonym, Guan et al. [32] suggested using the user’s public key as her pseudonym. Each user can be associated with many pseudonyms, and the Bloom filter is used to verify the validity of a user’s pseudonym. Liu et al. [33] have proposed a solution using a blind signature, but it has not considered the protection of individual user’s power consumption data. Sui et al. [34] have proposed a method to realize strong anonymity through anonymous networks. Moreover, a reward mechanism is designed where the user who requests a reduction in power usage can revoke her anonymity and gets some rewards. Yu et al. [35] have proposed a privacy-preserving power request scheme. Each smart meter is associated with a unique identifier, and a ring signature is used to protect their identities. Cheung et al. [36] have proposed a scheme achieve user privacy and data authentication, in which users generate a group of credentials and the control center signs them blindly. However, as the control center needs to generate many signatures, its computational overheads are very high.

3. Notations and Preliminaries

In this section, we describe the notations and briefly review some cryptographic primitives, such as ElGamal encryption, Schnorr signature, and Homomorphic re-encryption.

3.1. Notations

The notations used in the proposed scheme and their meanings are outlined in

Table 1. Some notations.

Notations	Meaning
p,q	Two large primes such that q|p–1
G	A finite cyclic group with order q
g	The generator of group G
$Z_p^{*}$	A multiplicative group modulo p
H	A collision resistant hash function
PK	The public key
mi	User’s power consumption data
Mi	The power consumption data recorded by RMMi
M	The total amount of power usage across all areas
ℓ,S	The number of SMi in each area and RMMi
RID	The smart meter’s real identity
T*	The current time stamp of the RMMi
ΔT	The allowed time delay in the system
CID	Computation identifier
L(*)	Bit length of the input data
||	The message concatenation operation

.

3.2. Preliminaries

3.2.1. ElGamal Encryption

• Setup: Randomly choose $x\in {\mathbb{Z}}_q$ and compute $y\equiv g^x(modp)$. The public key is $(y,p,g)$ and the private key is x.
• Encryption: Given the plaintext m, randomly choose a value $r\in {\mathbb{Z}}_q$ and calculate the ciphertext as $C=(C_1,C_2)=(g^r,m·y^r)$.
• Decryption: The entity with the private key x can decrypt the ciphertext as:

  $$m=\frac{C_2}{C_1^x}=\frac{m·y^r}{g^{rx}}=\frac{m·y^r}{y^r}(modp)$$

3.2.2. Schnorr Signature

• KeyGen: Randomly choose $x\in {\mathbb{Z}}_q$ and compute $y\equiv g^x(modp)$. The public key is $(y,p,g)$ and the private key is x.
• Signing: Given the message m, the signer randomly selects $k\in {\mathbb{Z}}_q$ and computes $r\equiv g^k(modp)$, $e=H(r,m)$ and $s=xe+k(modq)$. Now, $(e,s)$ is the signature for m.
• Verifying: After receiving the signature $(e,s)$, the verifier computes $r^{\prime }\equiv g^s{y}^{-e}(modp)$ and $H(r^{\prime },m)$. Then the following equation is verified:

  $$Ver(y,(e,s),m)=True\iff H(r^{\prime },m)=e$$

3.2.3. Homomorphic Re-Encryption

The ciphertext can be either decrypted or re-encrypted, while both operations need two entities to collaborate. The homomorphic property permits users to perform computations on the encrypted data. The computation results are left in encrypted form. But when decrypted, the value is identical as the operations are performed on the plaintext data. The re-encryption property allows the ciphertext to be re-encrypted to another one containing the same plaintext but under a different public key. Note that the re-encryption operation ensures that only the designated recipients can derive the plaintext. Its operation works as follows:

• Setup:$p^{\prime }$ and $q^{\prime }$ are two safe primes, where $p^{\prime }=2p^{\prime \prime }+1,q^{\prime }=2q^{\prime \prime }+1$ and $n=p^{\prime }·q^{\prime }$. Denote $\mathsf{QR}$ as the cyclic group of quadratic residues in ${\mathbb{Z}}_{n^2}^{*}$, and g is a generator of $\mathsf{QR}$.
• KeyGen: The data center $\left(DC\right)$ and the access control server $\left(ACS\right)$ generate their public and private key pairs $({SK}_{DC}=a,{PK}_{DC}=g^a)$ and $({SK}_{ACS}=b,{PK}_{ACS}=g^b)$. These two parties execute the Diffie-Hellman key exchange to obtain the system public key $PK={PK}_{DC}^{{SK}_{ACS}}={PK}_{ACS}^{{SK}_{DC}}=g^{ab}$. Every designated recipient generates its public and private key pair $\left({sk}_i=k_i,{pk}_i=g^{k_i}\right)$.
• Encryption: Given a message $m_i\in {\mathbb{Z}}_n$, one randomly chooses $r\in [1,\frac{n}{4})$ and generates the ciphertext as

  $$\begin{array}{ccc}\hfill {\left[m_i\right]}_{PK}& =& \left(T_i,T_i^{\prime }\right)\hfill \\ & =& \{(1+m_i·n)·{PK}^r,g^r\}(mod{n}^2)\hfill \end{array}$$
• Re-Encryption Phase I: DC chooses and publishes a computation identifier $CID$. It then computes $h_1=H\left({\left({pk}_j\right)}^{{SK}_{DC}}\left|\right|CID\right)$ and re-encrypt the ciphertext as

  $${\left[m_i\right]}_{+}=\left(\widehat{T_i},\widehat{T_i^{\prime }}\right)=\left\{T_i,{\left(T_i^{\prime }\right)}^{{SK}_{DC}}·g^{h_1}\right\}$$
• Re-Encryption Phase II: ACS calculates $h_2=H\left({\left({pk}_j\right)}^{{SK}_{ACS}}\left|\right|CID\right)$ after receiving ${\left[m_i\right]}_{+}$. It then re-encrypts the ciphertext as

  $${\left[m_i\right]}_{{pk}_j}=\left(\overline{T_i},\overline{T_i^{\prime }}\right)=\left\{\widehat{T_i},{\left(\widehat{T_i^{\prime }}\right)}^{{SK}_{ACS}}·g^{h_2}\right\}$$
• Decryption: The designated recipient can decrypt the ciphertext ${\left[m_i\right]}_{{pk}_j}$ as

  $$\begin{array}{ccc}\hfill {h_1}^{\prime }& =& H\left({\left({PK}_{DC}\right)}^{s{k}_j}\left|\right|CID\right)\hfill \\ \hfill {h_2}^{\prime }& =& H\left({\left({PK}_{ACS}\right)}^{s{k}_j}\left|\right|CID\right)\hfill \\ \hfill m_i& =& L\left(\frac{\overline{T_i}·{PK}_{ACS}^{h_1^{\prime }}·g^{h_2^{\prime }}}{\overline{T_i^{\prime }}}(mod{n}^2)\right)\hfill \end{array}$$

  where $L\left(u\right)=\frac{u-1}{n}$.

4. Models and Definitions

In this section, we describe the system model, adversary model, and security requirements.

4.1. System Model

Our proposed system, as shown in Figure 2, consists of five types of participants: smart meters (SM), regional master meters (RMM), grid company (GC), operation center (OC), and power transmission units (PTU).

1.

SM: It collects user power consumption data and sends it to the RMM regularly. Note that this data needs to be sent anonymously in our proposed scheme. Moreover, each SM is assumed to contain some tamper-proof device, and its internal states can be protected.

2.

RMM: It is responsible for aggregating users’ power consumption data in some regions and it will forward the aggregated result to the GC.

3.

GC: Once it receives the aggregated power consumption data from the RMMs, it aggregates the received data again and then performs the first phase of proxy re-encryption.

4.

OC: It executes the second phase of proxy re-encryption and sends the outputs to the designated recipients.

5.

PTU: They are the designated recipients of power usage data, such as power plants and data analysts. Each of them will use its private key to decrypt the received ciphertexts.

4.2. Communication Model

We assume that public channels are used to transmit data from SMs to RMMs and from RMMs to the GC. Moreover, we assume that a secure channel exists between the GC and the OC, and authenticated channels are used to transmit data from the OC to PTUs. In smart grids, there might be a large number of SMs and RMMs. Hence, it is impractical to assume that secure channels or authenticated channels exist among them. Moreover, as there is only one GC, one OC, and a few PTUs, the assumption of a secure channel between the GC and the OC, and some authenticated channels from the OC to PTUs is feasible. Note that the assumption of these channels allows us to focus on the protocol design without digging into the low level of technical details. It is well known how these channels can be implemented in practice using standard cryptographic primitives, e.g., encryption and digital signatures.

4.3. Adversary Model

In our proposed scheme, we assume that all participants are honest-but-curious. In other words, these participants will follow the protocol, but they will try to learn some sensitive information beyond their authorization. Moreover, we assume that the GC and the OC will not collude. The adversary $\mathcal{A}$ can eavesdrop on the exchanged messages through the public channel and the authenticated channel. In addition, it can also tamper with the data through the public channel but it neither intercepts nor falsifies the data through the secure channel.

4.4. Security Requirements

Under the above models, our design goal is to develop a privacy-preserving data aggregation scheme for smart grids with user anonymity and designated recipients. Specifically, the following security requirements are considered.

1.

Correctness: If all participants follow the protocol, it will output the correct aggregated power consumption data to the designated recipients.

2.

Confidentiality: The adversary $\mathcal{A}$ cannot learn the power consumption data of any individual user.

3.

Authentication: Only data from legitimate participants will be accepted. If the data is tampered with during transmission, it can be detected.

4.

User anonymity and un-linkability: The adversary $\mathcal{A}$ cannot extract the real identities of the smart meters. Moreover, $\mathcal{A}$ cannot link two messages that are sent by the same smart meter.

5.

No single point of trust: The secret key is distributed among multiple entities, i.e., no single party can decrypt or leak sensitive information within the smart grid.

6.

Designated recipients: The aggregated power consumption data can only be accessed by the designated recipients but no one else.

5. The Proposed Scheme

In this section, the privacy-preserving data aggregation scheme with user anonymity and designated recipients is introduced, which mainly consists of the following six algorithms: initialization, key generation, identity anonymization and encryption, verification and aggregation, proxy re-encryption, and decryption.

5.1. Initialisation

In this phase, GC generates the system parameters. It first randomly chooses two large primes $p^{\prime }$ and $q^{\prime }$, and then computes $n=p^{\prime }·q^{\prime }$. Denote G as a cyclic group of quadratic residues modulo $n^2$, and g as a generator of G. GC also selects a secure hash function H: ${\{0,1\}}^{*}$→ G.

5.2. KeyGen

All entities generate their own public and private key pairs. In addition, GC and OC jointly negotiate a key using Diffie–Hellman key exchange.

1.

GC and OC randomly chooses $\alpha$ and $\beta$ respectively as its private key. Their public and private key pairs are $({SK}_{GC}=\alpha ,{PK}_{GC}=g^{\alpha })$ and $({SK}_{OC}=\beta ,{PK}_{OC}=g^{\beta })$.

2.

Each power transmission unit ${PTU}_j$ generates its public and private key pair $({sk}_j=d_j,{pk}_j=g^{d_j})$.

3.

OC negotiates the key with GC to obtain the system public key:

$$PK={PK}_{OC}^{S{K}_{GC}}=P{K}_{GC}^{{SK}_{OC}}=g^{\alpha \beta }(mod{n}^2)$$

(1)

4.

Finally, the system parameters $pp=(g,G,PK)$ are made public.

5.3. Identity Anonymization and Encryption

In this phase, the smart meter encrypts its real identity and then sends the anonymous identity, power consumption data, and digital signature to the RMM. The following steps are executed during this phase.

1.

Before smart meter ${SM}_i$ sending the power consumption data $m_i$ to ${RMM}_i$, ${SM}_i$ needs to encrypt the data $m_i$ and hide its real identity. And ${SM}_i$ generates its public and private key pair $({sk}_i=x_i,{pk}_i=g^{x_i})$.

2.

In each period, ${SM}_i$ randomly chooses ${\eta }_i\in Z_q$ and calculates ${HID}_{i,1}=g^{{\eta }_i}(modp)$, ${HID}_{i,2}=RID*{\left({PK}_{GC}\right)}^{{\eta }_i}$. Then $S{M}_i$ uses the public key PK to encrypt data and sign, $C_{m_i}={Enc}_{PK}\left(m_i\right)=\{(1+m_i·n)·{PK}^r,g^r\}(mod{n}^2)$, ${\sigma }_i={\eta }_i+x_i·H({HID}_i\left|\right|T_i\left|\right|C_{m_i})$, where $T_i$ is the current timestamp and ${HID}_i=\{{HID}_{i,1},{HID}_{i,2}\}$. Then ${SM}_i$ sends the message $\{C_{m_i},{\sigma }_i,{HID}_i,T_i\}$ to ${RMM}_i$.

5.4. Batch Verification and Aggregation

In this phase, ${RMM}_i$ checks the validity of received messages. In addition to the traditional verification methods, it also allows a batch of data to be verified simultaneously.

1.

Traditional verification:

(a)

Once the message $\{C_{m_i},{\sigma }_i,{HID}_i,T_i\}$ from ${SM}_i$ is received, ${RMM}_i$ checks the validity of $T_i$ first. If $T^{*}-T_i>\Delta T$, ${RMM}_i$ will reject the message.

(b)

${RMM}_i$ checks the validity of ${\sigma }_i$ using the following equation:

$$g^{{\sigma }_i}={HID}_{i,1}·{{pk}_i}^{H\left({HID}_i\right|\left|T_i\right|\left|C_{m_i}\right)}$$

(2)

2.

Batch Verification: The above verification can be made more efficient using the small exponent test technology [37].

(a)

Upon receiving multiple data $\{C_{m_1},{\sigma }_1,{HID}_1,T_1\}$, $\{C_{m_2},{\sigma }_2,{HID}_2,T_2\},\dots ,$$\{C_{m_{\ell }},{\sigma }_{\ell },{HID}_{\ell },T_{\ell }\}$ sent by some ${SM}_i$, ${RMM}_i$ checks the freshness of $T_i$, where $i=1,2,\dots ,\ell$. When the check fails, ${RMM}_i$ rejects the message.

(b)

${RMM}_i$ selects a random vector $v=v_1,v_2,\dots ,v_{\ell }$, where $v_i$ is a small random integer in $[1,2^t]$ and t is a small integer. Then, ${RMM}_i$ verifies through the following equation:

$$\sum _{i=1}^{\ell }{\left(g^{{\sigma }_i}\right)}^{v_i}=\sum _{i=1}^{\ell }{({HID}_{i,1}·p{k}_i^{H\left({HID}_i\right|\left|T_i\right|\left|C_{m_i}\right)})}^{v_i}$$

(3)

If the above equation does not hold, ${RMM}_i$ rejects the messages.

3.

Aggregation:${RMM}_i$ aggregates the encrypted data $C_{m_i}$ by calculating $C_{M_i}={\prod }_{i=1}^{\ell }{C}_{m_i}$, where ℓ is the number of ${SM}_i$ in the current area. Finally, ${RMM}_i$ sends $C_{M_i}$ and its corresponding signature and current timestamp $T_j$ to GC.

$$\begin{array}{ccc}\hfill C_{M_i}& =& \{C_1,C_2\}\hfill \\ & =& \{{\left({PK}^r\right)}^{\ell }(1+n·\sum _{i=1}^{\ell }{m}_i),{\left(g^r\right)}^{\ell }\}\hfill \\ & & (mod{n}^2)\hfill \end{array}$$

(4)

5.5. Proxy Re-Encryption

After receiving the message, GC first verifies the freshness and validity of the signature. It then aggregates and stores the received power consumption data. When a designated recipient requests electricity data, proxy re-encryption is performed.

1.

GC verifies the freshness and correctness of the received data $C_{M_i}$ and it then aggregates them:

$$\begin{array}{ccc}\hfill C_M& =& \{A,B\}=\prod _{i=1}^S{C}_{M_i}\hfill \\ & =& \{{\left({PK}^{r\ell }\right)}^S(1+n·\sum _{i=1}^S{M}_i),{\left(g^{r\ell }\right)}^S\}\hfill \\ & & (mod{n}^2)\hfill \end{array}$$

(5)

2.

The $PT{U}_j$ issues a request to the electricity data. After verifying that it is a legitimate designated recipient, the proxy re-encryption will be performed as follows:

(a)

GC calculates $h_1=H({\left(p{k}_j\right)}^{S{K}_{GC}}\left|\right|CID)$. Then it converts $C_M$ to $C_M^{\prime }$ and send it to OC, where $C_M^{\prime }=\{A^{\prime },B^{\prime }\}=\{A,g^{h_1}·B^{{SK}_{GC}}\}$.

(b)

OC calculates $h_2=H({\left(p{k}_j\right)}^{S{K}_{OC}}\left|\right|CID)$. Then computes $C_M^{\prime \prime }$ and sends it to $PT{U}_j$, where $C_M^{\prime \prime }=\{A^{\prime \prime },B^{\prime \prime }\}=\{A^{\prime },g^{h_2}·{\left(B^{\prime }\right)}^{{SK}_{GC}}\}$.

5.6. Decryption

Once the $PT{U}_j$ has received the $C_M^{\prime \prime }$ from OC, it can be decrypted using its private key.

1.

$PT{U}_j$ first calculates

$$h_1^{\prime }=H({\left({PK}_{GC}\right)}^{{sk}_j}\left|\right|CID)=H(g^{\alpha ·{sk}_j}\left|\right|CID)=h_1$$

$$h_2^{\prime }=H({\left({PK}_{OC}\right)}^{{sk}_j}\left|\right|CID)=H(g^{\beta ·{sk}_j}\left|\right|CID)=h_2$$

2.

The aggregated electricity data M can be decrypted as follows:

$$M=L\left(\frac{A^{\prime \prime }·{PK}_{OC}^{h_1^{\prime }}·g^{h_2^{\prime }}}{B^{{}^{\prime \prime }}}(mod{n}^2)\right)$$

(6)

3.

Once ${PTU}_j$ obtains the aggregated power consumption data M, it can perform dynamic power distribution according to the power consumption across the area.

6. Security Analyses

In this section, we analyze the security properties of the proposed scheme, proving that it meets the aforementioned security requirements.

6.1. Correctness

Theorem 1.

If the data sent by the ${SM}_i$ were not tampered by the adversary $\mathcal{A}$, the ${RMM}_i$ would accept it.

Proof 1.

Once the ${RMM}_i$ receives the message $\{C_{m_i},{\sigma }_i,{HID}_i,T_i\}$ from the ${SM}_i$, it can verify its authenticity using the following equation. Therefore, if the data sent by the ${SM}_i$ was not tampered by the adversary $\mathcal{A}$, the ${RMM}_i$ will accept it.

$$\begin{array}{ccc}\hfill g^{{\sigma }_i}& =& g^{{\eta }_i+x_i·H({HID}_i\left|\right|T_i\left|\right|C_{m_i})}\hfill \\ & =& g^{{\eta }_i}·g^{x_i·H({HID}_i\left|\right|T_i\left|\right|C_{m_i})}\hfill \\ & =& {HID}_{i,1}·{pk}_i^{H\left({HID}_i\right|\left|T_i\right|\left|C_{m_i}\right)}\hfill \end{array}$$

(7)

□

Theorem 2.

Given multiple messages and their corresponding valid signatures ${\left\{{\sigma }_i\right\}}_{1\le i\le n}$ from different smart meters, the batch verification technique (3) can be used to verify their authenticity simultaneously.

Proof 2.

The correctness of Equation (3) can be proved as follows:

$$\begin{array}{ccc}\hfill \sum _{i=1}^{\ell }{\left(g^{{\sigma }_i}\right)}^{v_i}& =& \sum _{i=1}^{\ell }{g}^{v_i({\eta }_i+x_i·H({HID}_i\left|\right|T_i\left|\right|C_{m_i}\left)\right)}\hfill \\ & =& \sum _{i=1}^{\ell }(g^{v_i·{\eta }_i}·g^{v_i·x_i·H({HID}_i\left|\right|T_i\left|\right|C_{m_i})})\hfill \\ & =& \sum _{i=1}^{\ell }{({HID}_{i,1}·p{k}_i^{H\left({HID}_i\right|\left|T_i\right|\left|C_{m_i}\right)})}^{v_i}\hfill \end{array}$$

(8)

□

Theorem 3.

The designated recipients can decrypt the received message with their own private key to obtain the correct electricity data.

Proof 3.

The correctness of Equation (6) can be proved as follows:

$$\begin{array}{ccc}\hfill M& =& L\left(\frac{A^{\prime \prime }·{PK}_{OC}^{h_1^{\prime }}·g^{h_2^{\prime }}}{B^{\prime }}(mod{n}^2)\right)\hfill \\ & =& L\left(\frac{{\left({PK}^{r\ell }\right)}^S(1+n·{\sum }_{i=1}^S{M}_i)·{\left(g^{\beta }\right)}^{{h_1}^{\prime }}·g^{{h_2}^{\prime }}}{g^{h_2}·{(g^{h_1}·{\left(g^{r\ell S}\right)}^{{SK}_{GC}})}^{{SK}_{OC}}}(mod{n}^2)\right)\hfill \\ & =& L\left((1+n·\sum _{i=1}^S{M}_i)(mod{n}^2)\right)\hfill \\ & =& \sum _{i=1}^S{M}_i\hfill \end{array}$$

(9)

□

6.2. User Anonymity and Un-Linkability

Theorem 4.

Our proposed scheme achieves user anonymity and un-linkability, i.e., the adversary $\mathcal{A}$ with probability polynomial-time resources cannot link the identity sent by the same smart meter.

Proof 4.

When a ${SM}_i$ sends its power consumption data to ${RMM}_i$, it firstly hides its identity $RID$ to achieve anonymous transmission ${HID}_i$, where ${HID}_i=\left\{{HID}_{i,1},{HID}_{i,2}\right\}=\left\{g^{{\eta }_i},RID·{\left({PK}_{GC}\right)}^{{\eta }_i}\right\}$. As the ElGamal encryption is semantic secure, i.e., the adversary cannot learn any plaintext information from the given ciphertext. Hence, $\mathcal{A}$ cannot learn the real identity of the smart meter. Moreover, the ElGamal ciphertext, which encodes the pseudo-identity, can be re-encrypted. The re-encryption can be performed multiple times, and it does not require the knowledge of the private key. After re-encryption, the ciphertext appears random and it cannot be linked to its previous form because ElGamal encryption is semantic secure. Therefore, if this pseudo-identity is refreshed regularly, $\mathcal{A}$ cannot link the identity to the same smart meter. □

6.3. Confidentiality

In our scheme, all transmissions are encrypted, so the adversary $\mathcal{A}$ cannot eavesdrop on the smart meter to get electricity data.

Theorem 5.

If the semantic security of the encryption scheme [38] holds, our proposed scheme satisfies confidentiality against malicious GC or OC.

Proof 5.

Assume that there is a probabilistic polynomial-time adversary $\mathcal{A}$ that can break the confidentiality of our proposed scheme. Our goal is to use $\mathcal{A}$ to construct an algorithm $\mathcal{S}$ to break the semantic security of the encryption scheme in [38]. $\mathcal{S}$ is given the public parameters $(n,g,p{k}_2=g^a(mod{n}^2))$, the adversary $\mathcal{A}$ can construct $p{k}_1=g^b$. Then the adversary $\mathcal{A}$ choose two messages of the same length $m_0$ and $m_1$, we randomly select $\beta \leftarrow \{0,1\}$ and encrypt $m_{\beta }$ as follow: $Enc\left(m_{\beta }\right)=\{(1+m_{\beta }·n){\left(p{k}_2\right)}^r,g^r\}mod{n}^2$. The The encrypted ciphertext is sent to the adversary $\mathcal{A}$. Adversary $\mathcal{A}$ performs further calculations as follows:

1.

$A={\left\{(1+m_{\beta }·n){\left(p{k}_2\right)}^r\right\}}^{b}mod{n}^2=\left\{{\left(g^{ab}\right)}^r(1+b·m_{\beta }·n)\right\}mod{n}^2,B=g^r$;

2.

Based on $(A,B)$, $\mathcal{A}$ further construct a re-encryption ciphertext $(A^{\prime },B^{\prime })$, where $A^{\prime }=A·g^{h_1}=\{{\left(g^{ab}\right)}^r(1+b·m_{\beta }·n)·g^{h_1}\}mod{n}^2,h_1=H({\left(p{k}_1\right)}^a\left|\right|CID),B^{\prime }=B.$

We can observe that adversary $\mathcal{A}$ can obtain two raw data ${m_0}^{\prime }=b·m_0$ and ${m_1}^{\prime }=b·m_1$. We set ${m_{\beta }}^{\prime }=b·m_{\beta }$. We can observe that $(A^{\prime },B^{\prime })$ is one HRES ciphertext. It has already been proved that if the encryption scheme is semantically secure, then the HRES scheme is also semantically secure. Because the HRES is semantically secure, adversary $\mathcal{A}$ cannot guess the value of ${\beta }^{\prime }$. Hence, our proposed scheme satisfies confidentiality. □

6.4. No Single Point of Trust

The secret key of the system is shared by the GC and OC, and it is assumed that these two participants will not collude. Hence, neither of them can obtain the sensitive information within the system that is encrypted under the corresponding public key.

6.5. Designated Recipients

In the decryption phase, only the designated recipients can decrypt the ciphertext outputted by OC. The designated recipients have the private key ${sk}_j$ to compute $h_1^{\prime }=H({\left({PK}_{GC}\right)}^{{sk}_j}\left|\right|CID)$ and $h_2^{\prime }=H({\left({PK}_{OC}\right)}^{{sk}_j}\left|\right|CID)$. Hence, designated recipients can obtain the aggregated power consumption data M. Although $A^{\prime \prime }$ and $B^{\prime \prime }$ are transmitted over the communication network, and the adversary $\mathcal{A}$ is assumed to be able to intercept this information, $\mathcal{A}$ cannot decrypt $C_M^{\prime \prime }$ because it cannot calculate $h_1^{\prime }=h_1$ and $h_2^{\prime }=h_2$. Therefore, only the designated recipients can obtain the computational results, but no one else.

6.6. Comparison of Security Properties

Our proposed scheme is compared with several related schemes, such as [20,33,34,35]. The following table presents the comparison results. As shown in

Table 2. Comparison with Existing Related Schemes.

Schemes	Ding [20]	Liu [33]	Sui [34]	Yu [35]	Ours
Anonymity	N	Y	Y	Y	Y
Un-linkability	N	N	N	N	Y
Confidentiality	Y	N	N	N	Y
Correctness	Y	Y	Y	Y	Y
Designated recipients	Y	N	N	N	Y

, our scheme is the only one that can satisfy all of the desirable security properties, such as user anonymity, un-linkability, confidentiality, correctness, and designated recipients.

7. Efficiency Analyses

In this section, we evaluate the performance of our proposed scheme in terms of computation and communication.

7.1. Computation Costs

The following notations are used to denote different operations in our scheme. Let $C_e,C_m$ and $C_H$ denote one exponentiation operation, one multiplication operation, and a hash function, respectively. The bilinear pairing $C_p$ incurs the most computation costs. The other operations are much faster, such as the hash operation and the addition operation. ℓ is the number of ${SM}_i$ in each area. S is the number of the regional master meters. In

Table 3. Comparison of Computation Costs.

Schemes	Our Scheme	EPPA [18]	Guan [21]	Shen [39]
SM	$2C_e+C_m$	$l{C}_e+C_m+4C_p$	$4C_e+3C_m$	$2C_e+C_m$
RMM/GW	$l{C}_e+l{C}_m$	$w{C}_p+C_m$	$3C_e+2lS{C}_m$	$n_i{C}_p+(n-n_i)C_e+C_m$
GC	$5C_e+2C_m$	-	-	$(S+2)C_p+C_m$
OC	$3C_e+C_m$	-	-	-
PTU/OA/CC	$4C_e+3C_m$	$2C_p+C_e+4C_m$	$3C_e+2C_m$	$2C_p$

, the computation cost of all entities are listed, where “-”, GW, OA and CC denote non-considered, gateway, trusted operation organization and control center, respectively.

When smart meter ${SM}_i$ generates power consumption data $\{C_{m_i},{\sigma }_i,{HID}_i,T_i\}$, the computational costs of user anonymity are considered negligibly. Then, 2 exponentiation operations and a multiplication operation are required to encrypt electricity data, and a hash operation are required to generate ${\sigma }_i$. Thus, the computation costs of a smart meter is $2C_e+C_m+C_H$. After receiving the power consumption data from ℓ smart meters, the RMM first verifies the received data by performing a batch verification, including ℓ exponentiation operations, ℓ multiplication operations, and ℓ hash operations. In addition, the RMM should aggregate the data from different ${SM}_i$ and encrypt the data, in which the computation costs are $2C_e+C_m$. As follows, the GC aggregates the data from different RMM, which costs $2C_e+C_m$.

When a designated recipient requests electricity data from the OC, OC forwards the request to the GC. It costs 3 exponentiation, a multiplication, and a hash operation. Then OC also needs to perform 3 exponentiation, a multiplication and a hash operation. After the designated recipient receives the data, it needs to spend $4C_e+3C_m+2C_H$ to perform the decryption operation. As hash function can be computed much faster than the other computations, we will ignore the computational costs of hash function evaluation.

7.2. Communication Costs

The communication overheads of our proposed scheme can be divided into two parts, power consumption data transmission, and electricity data request. In Figure 3, we compare the communication overheads of our scheme with some related schemes, such as EPPA [18], Shen’s scheme [39], and Jo’s scheme [40].

We first consider power consumption data transmission phase, where smart meters transmit the power consumption data to the RMM. The data is in the form of $\{C_{m_i},{\sigma }_i,{HID}_i,T_i\}$. Thus, the size of power consumption data is $S_s=|C_{m_i}|+|{\sigma }_i|+|{HID}_i|+|T_i|$. The group element in G is of 160 bits and $Z_p^{*}$ contains elements of 160 bits. Each ciphertext is composed of two parts, we have $4L\left(n\right)=4096$ bits if we choose 1024-bit n. When we set $|T_i|$ = 100-bit length, the communication overheads of ${SM}_i$-to-$RMM$ are $S_s$ = 4516 bits. Then the communication overheads of $RMM$-to-$GC$ is $S_R=|C_{m_i}|+|\sigma |+|T_j|$ = 4356 bits.

Next, we consider the electricity data request phase. Electricity data sent by GC to OC is in ciphertext, so the size of the communication overheads are $S_G=4096$ bits. OC still sends ${PTU}_j$ encrypted data after re-encrypting. Thus the communication overheads are also $S_O=4096$ bits.

In Figure 3a,b, we plot the communication overheads versus the number of smart meters. We set the number of smart meters from 1 to 1000 and increased it by an interval of 100. As shown in Figure 3a,b, the communication overheads in the grid increase linearly with the number of smart meters. In Figure 4, we present a graph of the relationship between the number of regions and the communication overheads. In our scheme, the encryption mode with long ciphertext length is used, so the communication overheads of our scheme are about twice compared with the scheme proposed by Shen et al. [39]. However, the increase in the number of regions does not affect the communication overheads sent by the OC to the designated recipients.

8. Conclusions

In this paper, we have proposed a privacy-preserving data aggregation scheme for smart grids with user anonymity and designated recipients. The smart meters collect users’ power consumption data but this data is encrypted using homomorphic re-encryption so that the adversary cannot intercept it and only the designated recipients can obtain the aggregated results. Moreover, users’ identities are protected and there is no single point of trust. Therefore, it provides a more secure and flexible solution for privacy-preserving data aggregation in the smart grid. Performance analysis demonstrates that it is generally as efficient as the existing related schemes, achieving more desirable security features.

In future work, we would like to investigate further how to remove the assumption that all participants are honest-but-curious, and introduce novel verification techniques to ensure those dishonest participants can be detected and identified. Moreover, the security proof for the authentication property suffers a loose security reduction because security arguments for the Schnorr signature require to use the Forking Lemma. In the future, we would like to explore efficient authentication techniques with a tight security reduction.