A Hybrid Cryptography Scheme for NILM Data Security

Abstract: Using fine-grained data analysis, non-invasive load monitoring (NILM) can reveal the detail of electricity customers’ habits, which is helpful in the improvement of refined management and better user experience. However, the possibility of electricity customers’ privacy leak is also gradually increasing, and the security of NILM data has become a priority problem to be solved. To protect the privacy disclosure of NILM data, this paper analyzes the NILM privacy leak problems and ways in which information leak occurs faced by NILM data. On the basis of the comprehensive survey of cryptographic algorithms to choose the most appropriate data security method for NILM, a hybrid cryptography scheme was proposed to protect the data security. In the scheme, symmetric algorithm AES (Advanced Encryption Standard) was used to encrypt data for high efficiency, and asymmetric algorithm RSA (Rivest-Shamir-Adleman) was used to encrypt AES key for identity authentication. The classical algorithm HMAC-SHA1 (Hash Message Authentication Codes-Secure Hash Algorithm 1) was further developed to guarantee the integrity of data. By transplanting the algorithm into STM32 MCU (STMicroelectronics 32 bit Micro Controller Unit) for performance test and using Visual studio 2017 + QT tools to develop the test interface, one optimal operation mode was selected for the scheme. At the same time, the effectiveness of the scheme was verified, and the scheme computing cost depended on the efficiency of encryption and decryption, or signature and verification of the RSA algorithm.


Introduction
Non-invasive load monitoring (NILM) was first proposed by Hart in the 1980s. It only needs one piece of monitoring equipment installed at the power entrance, which can analyze the operation state of all connected electrical devices. By decomposing the electric quantity of the monitored equipment, the type and operation of the single load for each electrical device in the load group can be obtained [1]. Accurate electricity information on each piece or type of equipment has great significance for power companies to optimize grid planning and operation. It will also help electricity customers to realize intelligent power consumption and the whole society to implement the awareness of ecological civilization into specific actions. Thanks to the advantages of NILM technology, such as convenient implementation, less equipment cost, wide application range, and so on, it has gradually attracted the attention of the power academic and industrial community.
Aiming at the fact that NILM technology is faced with a greater possibility of power consumption information disclosure, this paper used a cryptographic algorithm to implement the data privacy protection scheme suitable for NILM [21,22]. In the scheme, the main technologies of the security algorithm, including key management, identity authentication, and integrity and efficiency, were considered. Through the test of the proposed scheme on STM32 single-chip microcomputer platform, an optimal operation mode was selected for the scheme. The validity and computing cost of the scheme were finally verified.
A. Contributions of the paper
At present, NILM technology mostly focuses on the research of power load identification and decomposition, without public literature study on the NILM data security method. The major contributions of this paper can be summarized as follows:
• First, we seek a method suitable for NILM data, which mainly belongs to the field of practical engineering application innovation.
• Second, after detailed analysis on the different classical cryptography techniques applied to NILM data, we conclude the most suitable scheme for NILM data.
• Finally, we present a performance analysis of security algorithms suitable for NILM data through practical examples.
B. Organization of the paper
This paper is organized as follows. In Section 2, we analyze the characteristics and application of NILM technology, and point out that its data collection volume is tens of thousands of times that of the current smart meter. In Section 3, we analyze the privacy leakage of NILM data and the manner in which hackers attack data. In Section 4, we analyze the application of different encryption and decryption algorithms in data protection from the perspective of cryptography, and propose one hybrid cryptographic scheme for the application of NILM system. In Section 5, we test the performance of the hybrid cryptographic scheme and verify the effectiveness and the computing cost of the scheme. Section 6 presents the conclusions.

Technology of Non-Intrusive Load Monitoring
In the process of smart grid construction, it is important for reasonable dispatching and efficient utilization of power to get fine-grained data of electricity customers, which is conducive to fine electricity management. As one of fine management key technologies, NILM identifies the type and operation situation of each electrical device in the load concentration group by installing monitoring equipment at the user's power supply entrance to monitor the voltage and current signal and using a pattern recognition algorithm. For example, working period, power size, and electricity consumption of various types of electric load, such as refrigerator, air conditioner, washing machine and so on, can be perceived in real time through NILM. A large number of fine-grained electro-data are transmitted to the data processing center of the power supplier. After data mining, extraction, and analysis, it provides important data support for smart power consumption behavior analysis, energy conservation service demand response, ladder electricity, electricity price system, and other refined power consumption businesses. Moreover, the abnormal power consumption behavior of users can be effectively mined, such as stealing electricity, leakage, abnormal power off, and so on. Thus, the safe operation and economic benefits of the power grid together with the consumer can be ensured. On this basis, electricity users can independently analyze household energy consumption points by feeding back electricity consumption information to power suppliers, and independently adjust and optimize electricity consumption behavior [23,24]. Compared with a traditional intelligent ammeter, which only realizes total active power detection and electric energy measurement, NILM is more intelligent and further optimizes the user's power experience.
Electronics 2020, 9, 1128 4 of 18
NILM can realize the perception of electricity load working state and energy consumption level information by analyzing metering data resources. The NILM field acquisition equipment mostly uses an embedded controller, and its storage space and computing capacity are relatively limited. In order to achieve load type full identification and energy full decomposition, electricity customers should send real-time electro-data to the electric power company for operation and management via the communication network, as shown in Figure 1. At present, the sampling frequency of real-time data in the NILM system is divided into high frequency and low frequency [25,26]. High frequency usually achieves a better load identification effect, but also puts forward higher requirements for data processing capacity. REDD (reference energy disaggregation dataset), led and released by Zico Kolter from Massachusetts Institute of Technology (MIT) to analyze the collected data with a high frequency of 16.5 KHz, is familiar to the industry [27]. Leading high frequency sampling companies, such as Sense energy company, equip high performance sample devices, where the sampling frequency is from KHz to MHz, and the number of data points collected in one sinusoidal AC power cycle is as high as 1000. High frequency sampling data of NILM also mean that a large amount of power data will be generated continuously. However, owing to the limited performance of on-site monitoring equipment, these large amounts of data need to be transmitted to remote power companies for processing. In the process of data transmission, the data may pass through multiple different collection nodes and communication networks.

NILM Data Transmission Security
The process of NILM data transmission from the electricity customers' house to the power company brings a great challenge to network communication transmitting NILM data. On the one hand, the communication network needs to have enough bandwidth to meet the transmission requirements of large NILM data. With the gradual application of 4G, 5G, and other high-speed communication networks, the broadband problem of NILM big data is expected to be solved. On the other hand, the security problem in the process of NILM data transmission will become increasingly prominent. The main power grid (namely transmission and substation system) generally adopts an independent power dedicated communication network, which is mainly based on optical fiber network and is not shared with the outside world, so the security of the information transmitted by the dedicated communication network of the main power grid is relatively good. However, because the distribution network has the characteristics of a wide distribution range with too many nodes, the cost of laying a fiber optic network for communication is extremely high. The current solution is to use a flexible communication method by using various networks, including RS 485/422, GPRS (General Packet Radio Service), ZigBee, 4G, and 5G networks. However, it has also brought some problems compared with the use of the power dedicated network; that is, the information security problem of NILM data transmission on the distribution network side is more serious, as shown in Figure 2.

For power application scenarios, power information security mainly includes three important goals, which are availability, integrity, and confidentiality [28,29]. In NILM scenarios, NILM is only used as a load analysis technology to provide refined power management. NILM is not directly related to the protection and control functions that affect the stability of the power system. Compared with the protection and control functions of the power system, its real-time availability demands are relatively low. Integrity guarantees that the data of NILM will not be tampered with, which affects the authenticity and reliability of data. Confidentiality is of significance to NILM. Information leakage and behavior exposure of electricity customers that involve privacy sensitive topics will directly influence the commercial value and business ethics of NILM application. The encryption and decryption methods in cryptography for the confidentiality of NILM data require a lot of computing time, and with the increase of NILM data, the computing time will be multiplied. The monitoring equipment of NILM is mainly composed of embedded chips with relatively limited storage and computing performance, so an efficient encryption and decryption algorithm needs to be found on the basis of ensuring the security of NILM data.
Although NILM technology provides convenience for information interaction between electricity customers and the power supplier, it is more possible than ever that personal information and privacy will be exposed. With the intelligent development of household appliances, a large number of intelligent household electrical appliances will be connected at user terminals, more closely connecting electricity customers with the information world. Measurement data of the NILM system involve a lot of user privacy, including address, account number, meter data, real-time bill, historical bill, home LAN (Local Area Network), and so on [30,31].
However, in the process of collecting and recording the power consumption information of electricity customers and communicating with the power supplier, the privacy information is threatened, as shown in Figure 3. Hackers may attack electro-data from the smart home appliances, the bidirectional network between the user side and the power supply side, and the data collection and processing center on the power supply side. Firstly, it is vulnerable to eavesdropping attacks. By obtaining data content and connecting power use time with different loads through NILM technology, the attacker steals electricity customers' real identity, living habits, and behavior pattern. It is as if electricity customers' activities are under the attacker's "monitoring": getting up, resting, and watching TV, whether anyone is at home, personnel composition, economic situation, and so on. Personal behavior privacy will be exposed to the attacker. Secondly, it is vulnerable to impersonation attack. Through intercepting user identity information, the attacker pretends to be a legal user, accesses the power information system through the transmission channel, and controls the use of power consumption load. Thirdly, it is vulnerable to tampering attack. Illegal users may tamper with electro-data and conduct consumer fraud out of the lure of economic benefits [32].
Figure 3. The manner of NILM attack compared with intelligent ammeter.
In order to prevent hacker attacks, to protect the information security of data, and to maintain the interests and privacy of electricity consumers, cryptography technology is widely used to ensure that, even if the information is hijacked, useful information cannot be obtained by the hacker. Intelligent ammeters, which have been gradually applied in the field of electric power, are the closest example to NILM security. For the information security of an intelligent ammeter, AES-128-GCM (Galois/Counter Mode) encryption mode is used to protect the data security and each intelligent ammeter has an authenticated key and a unique PIN (Personal Identification Number) key [33]. At the Cyber Tech 2016 conference, however, Israel's minister of energy and water infrastructure disclosed that Israel's electricity board suffered a serious cyber attack on 25 January 2016. After that, Israeli authorities were forced to shut down the infected computers of electric power facilities [34]. In China, using embedded security module chip ESAM (embedded secure access module), through the hardware integration of the national secret algorithm SM1, data encryption and decryption are realized, which are used to store key data such as remaining meters and rates in the meter [35]. The security policy and function of this mode are relatively fixed, lack flexibility, and cannot meet the security requirements of NILM large data and fine-grained data. Small-scale pilot verification work has been carried out in Jiangsu, Tianjin, Nanjing, and other places in China for meters with NILM function, but there is still no report on NILM data security research. The security of relevant operational data is facing great challenges. Therefore, it is necessary to study a secure transmission scheme of power utility information in NILM environment to provide scheme and technical support for user identity privacy protection and electro-data security.

Data Cryptography Technology
Although NILM data information have rich connotations, there are unsafe factors in the transmission course, which can easily divulge users' sensitive information in plain text transmission. Therefore, it is urgent to find a suitable information security method for NILM data. As the most basic security technology, cryptography is an effective method to protect the secure transmission and storage of data. Safe and rational application of cryptographic algorithm can provide core support for the stable and efficient operation of an NILM system. The encryption algorithm for NILM data security should be easy to use, and even transparent to electricity customers. This is important seeing as thousands of electricity customers do not master cryptography technology, and they are not even willing to remember the password generally involved in the cryptography technology. Another important point is that, owing to the large amount of NILM data, the algorithm efficiency based on security is the key point. The most common cryptographic algorithms applied to NILM data can be classified into the following three basic algorithms: symmetric encryption, asymmetric encryption, and hash algorithm, as shown in Figure 4.

Symmetric encryption algorithm is also known as shared key encryption. The electricity customers and power supplier use the same key for encryption and decryption. This kind of algorithm is frequently used to encrypt large-scale sensitive data in electric power industry owing to its high efficiency of encryption and decryption [36]. Confidentiality is the foundation of NILM data transmission. As the electricity customers and power supplier use the same key, how to distribute the key to electricity customers is the key to security assurance. In addition, the number of electricity customers will keep growing if the NILM system is widely used. For example, when communicating with one electricity customer using symmetric encryption, the power supplier must use the unique key that is unknown by any other electricity customer. Thus, the number of keys owned by the power supplier will increase at geometric series, and key management will become the burden between the power supplier and electricity customers. Symmetric encryption algorithms mainly include the following: AES, DES, 3DES, RC2, and RC5, among others. Among them, AES, whose safety is higher than that of DES and 3DES, is the standard of electronic data encryption of technology institutes in America. In order to adapt to different requirements and situations, AES provides five different kinds of working modes, which are ECB (Electronic Codebook), CBC (Cipher Block Chaining), CTR (Counter), CFB (Cipher Feed Back) and OFB (Output Feed Back), and AES has become the most popular algorithm in the electric power industry [37].
Compared with symmetric encryption technology, asymmetric encryption algorithm does not need to share the common key. Because it belongs to a double key system, and uses a public key and private key, it has two different keys for encryption and decryption. When using asymmetric encryption algorithm data, only one matching pair of public key and private key can complete the encryption and decryption of data. The public key can be made public and the private key should be self-reserved. Even if the public key may be intercepted in the transmission and publishing process, it is useless to the attacker as there is no private key paired with it. Thus, the distribution and key management of asymmetrical encryption algorithm is relatively simple and easy. However, owing to the complexity of this algorithm, its speed of encryption and decryption is relatively slow. Moreover, the generated keys are complex, so only the fixed key mode can be used, and this algorithm is not suitable for the NILM system in real-time collection of electronic data. RSA encryption is the representative of asymmetrical encryption algorithm, which is the most influential and most commonly used asymmetric encryption algorithm at present. It is recommended as the asymmetrical encryption standard by ISO (International Organization for Standardization) because it can resist most known cryptographic attacks [38,39].
Digital signature is another application of RSA. Combined with the one-way hash algorithm, it can realize user identity authentication and data integrity calibration by extracting NILM fingerprint information data.

NILM Data Privacy Protection Scheme Based on Hybrid Cipher Algorithm
Encrypting data using cryptographic algorithms is an active safety-protection strategy. Compared with sending plain text directly, the sender needs a certain amount of system time to encrypt data, and the receiver also needs extra time to decrypt data. Asymmetrical encryption algorithm will increase algorithm size and take up more network resources, so the processing efficiency of the system will be decreased by encryption and decryption. For frequent real-time interaction in the NILM system, the loss of efficiency should be minimized to the greatest extent. In addition to efficiency loss, the security of the data encryption system is based on key confidentiality. The security of symmetric encryption algorithm is completely dependent on the key and needs a secure channel to distribute it. Moreover, the number of electricity customers of an NILM system is very large and key management is complex. Considering the requirements of efficiency, key management, and integrity of NILM system, a new privacy protection scheme of NILM data based on hybrid cipher algorithm was proposed.
Scheme description:
(1) Hybrid cipher algorithm. The scheme description is shown in Figure 5. Aiming at the threats of eavesdropping, tampering, and falsification in electro-data, three kinds of encryption algorithms, AES, RSA, and HMAC-SHA1, were used in this scheme. RSA algorithm protects the key of AES algorithm and AES algorithm encrypts the users' large data. It can not only realize the safe and convenient key management, but also ensure the speed of data encryption. However, there are still loopholes in key management of RSA as the public key is public to the outside. If user B masquerades as user A to send data to the power supplier by its public key, the power supplier cannot recognize the true identity of the sender. In order to solve this problem, hash algorithm HMAC-SHA1 was introduced. HMAC-SHA1 is a one-way encryption algorithm. Users can generate one unique digital digest with a specific length for real-time electro-data and combine it
(2) Key distribution and management. The electricity customers newly load NILM and both sides conduct network authentication. The power supplier pre-installs the public key (PK) on the user side. NILM has configured factory initialization key (public key = PK11, private key = PS11). The power supplier has the key pairs public key = PK and private key = PS. The key distribution is shown in Figure 6.
A. Power supplier sends the public key PK to electricity consumers. At this time, hackers can intercept PK; B. Electricity customers received PK and compared it with the public key pre-installed by the power supplier in NILM. If they are consistent, the public key is proved to be legal and the next step will be executed. If they are inconsistent, the public key is considered to be illegal and the next step will not be executed; C. Electricity consumers use the public key PK to encrypt the public key PK11 initialized in the NILM device and transmit it to the power supplier. At this time, the hacker can intercept the ciphertext and know that it is encrypted through PK, but because the hacker does not know the private key PS, he cannot decrypt the ciphertext; D. Power supplier receives the ciphertext, decrypts it with private key PS, and gets PK11; E. RSA key pair (public key = PK1, private key = PS1) is randomly generated by the key management center of the power supplier, encrypted with PK11, and transmitted to the user. Even if hackers intercept ciphertext, they cannot decrypt it. Electricity consumers decrypt the ciphertext with PS11 and obtain the public key PK1 and PS1 distributed by power supplier.
The key distribution is complete; F. Electricity consumers need to secure private key PS1, and keep PK and PK1. The power supplier should keep the PS secret and have all users' public key sequences. The key based on AES algorithm is generated randomly every time data are sent, so that it can be used up and discarded without saving and management, which effectively reduces the difficulty of key management. (2) Key distribution and management. The electricity customers newly load NILM and both sides conduct network authentication. The power supplier pre-installs the public key (PK) on the user side. NILM has configured factory initialization key (public key = PK11, private key = PS11).
The power supplier has the key pairs public key = PK and private key = PS. The key distribution is shown in Figure 6.
A. Power supplier sends the public key PK to electricity consumers. At this time, hackers can intercept PK; B.
Electricity customers received PK and compared it with the public key pre-installed by the power supplier in NILM. If they are consistent, the public key is proved to be legal and the next step will be executed. If they are inconsistent, the public key is considered to be illegal and the next step will not be executed; C.
Electricity consumers use the public key PK to encrypt the public key PK11 initialized in the NILM device and transmit it to the power supplier. At this time, the hacker can intercept the ciphertext and know that it is encrypted through PK, but because the hacker does not know the private key PS, he cannot decrypt the ciphertext; D.
Power supplier receives the ciphertext, decrypts it with private key PS, and gets PK11; E.
RSA key pair (public key = PK1, private key = PS1) is randomly generated by the key management center of the power supplier, encrypted with PK11, and transmitted to the user. Even if hackers intercept ciphertext, they cannot decrypt it. Electricity consumers decrypt the ciphertext with PS11 and obtain the public key PK1 and PS1 distributed by power supplier. The key distribution is complete; F.
Electricity consumers need to secure private key PS1, and keep PK and PK1. The power supplier should keep the PS secret and have all users' public key sequences. The key based on AES algorithm is generated randomly every time data are sent, so that it can be used up and discarded without saving and management, which effectively reduces the difficulty of key management. Electronics 2020, 9, x FOR PEER REVIEW 10 of 19 Figure 6. Key distribution and management.
(3) Algorithm flow. After the electricity customer newly installs the non-intrusive load detection device and it officially runs online, the power supplier side immediately initializes the electricity customer's meter data and identifies the electricity customer identity as A. Electricity consumers obtain PS1, PK1, and the public key PK sent down by the power supplier. If electricity consumers need to send electricity data (starting with identification A) to the power supplier, an AES key is randomly generated to encrypt the plaintext data and generate the ciphertext block of the plaintext. The public key PK of the power supplier is used to encrypt the AES key to get the key ciphertext block. The HMAC-SHA1 algorithm generates the digital digest for the data, and the PS1 private key of the electricity consumer encrypts it to form a digital signature. When the power supplier receives data sent from electricity consumers, the key ciphertext block is first decrypted with private key PS to get the AES key. Then, the AES key is used to decrypt the plaintext ciphertext block to obtain the plain text. Finally, the AES key is discarded. According to the identification of user A in the plain text, the public key PA of user A is chosen to decrypt the digital signature. If there is no solution, the electricity customer's identity information has been masqueraded, and the data are discarded. Otherwise, the corresponding digital digest is extracted. The power supplier uses the HMAC-SHA1 algorithm to compute a new digital digest from the decrypted plain text and compares it with the received digital digest. If the two are consistent, data integrity is maintained and the data have not been tampered with. The process of data transmission and reception is then over. Similarly, if the power supplier needs to send information to the electricity customers, the same process should be adopted. The flow is shown in Figure 7.
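The send and receive flow described above, written out as an added example (not code from the paper or its authors). It uses Python's `cryptography` package; the OAEP and PSS paddings, the separate HMAC key carried with the AES key, the `|` separator after the sender id, and all function names are assumptions the paper does not specify.

```python
# Added example (not the paper's code): one message through the hybrid scheme.
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, hmac
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

AES_KEY_LEN = 16           # AES-128, as selected in the paper
MAC_KEY_LEN = 20           # ASSUMPTION: an HMAC-SHA1 key travels with the AES key
COUNTER_ZERO = bytes(16)   # initial CTR counter block, fixed at 0 in the paper

# ASSUMPTION: the paper only says "RSA"; OAEP (key transport) and PSS (signature)
# are the padding schemes chosen for this example.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)


class Rejected(Exception):
    """Raised by the receiver when any check fails; the caller asks for a resend."""


def new_rsa_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def aes_ctr(key: bytes, data: bytes) -> bytes:
    """AES-128-CTR; encryption and decryption are the same operation."""
    ctx = Cipher(algorithms.AES(key), modes.CTR(COUNTER_ZERO)).encryptor()
    return ctx.update(data) + ctx.finalize()


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    mac = hmac.HMAC(key, hashes.SHA1())
    mac.update(data)
    return mac.finalize()


def send(user_id: bytes, readings: bytes, supplier_pub, user_priv) -> dict:
    """Customer side: needs PK (supplier public key) and PS1 (own private key)."""
    session = os.urandom(AES_KEY_LEN + MAC_KEY_LEN)   # fresh per message, never stored
    aes_key, mac_key = session[:AES_KEY_LEN], session[AES_KEY_LEN:]
    plaintext = user_id + b"|" + readings             # data starts with the sender id
    digest = hmac_sha1(mac_key, plaintext)
    return {
        "key_block": supplier_pub.encrypt(session, OAEP),
        "data_block": aes_ctr(aes_key, plaintext),
        "signature": user_priv.sign(digest, PSS, hashes.SHA256()),
    }


def receive(msg: dict, supplier_priv, user_pubs: dict):
    """Supplier side: needs PS and the table of customer public keys."""
    try:
        session = supplier_priv.decrypt(msg["key_block"], OAEP)
    except ValueError as exc:
        raise Rejected("key block does not decrypt under PS") from exc
    if len(session) != AES_KEY_LEN + MAC_KEY_LEN:
        raise Rejected("unexpected session key length")
    aes_key, mac_key = session[:AES_KEY_LEN], session[AES_KEY_LEN:]
    plaintext = aes_ctr(aes_key, msg["data_block"])
    # The id comes from data that is not yet authenticated; it only selects the
    # public key to verify with. Nothing is trusted until verify() passes.
    user_id, sep, readings = plaintext.partition(b"|")
    sender_pub = user_pubs.get(user_id)
    if not sep or sender_pub is None:
        raise Rejected("unknown sender id")
    try:
        # With PSS the digest is not "decrypted" out of the signature; the
        # recomputed HMAC-SHA1 digest is checked against the signature instead.
        sender_pub.verify(msg["signature"], hmac_sha1(mac_key, plaintext), PSS, hashes.SHA256())
    except InvalidSignature as exc:
        raise Rejected("digest/signature mismatch: masquerade or tampering") from exc
    return user_id, readings


def is_rejected(msg: dict, supplier_priv, user_pubs: dict) -> bool:
    try:
        receive(msg, supplier_priv, user_pubs)
    except Rejected:
        return True
    return False


def demo() -> dict:
    supplier, user_a, user_b = new_rsa_key(), new_rsa_key(), new_rsa_key()
    user_pubs = {b"A": user_a.public_key(), b"B": user_b.public_key()}
    readings = b"2020-07-01T12:00:00 P=1532W Q=210var"   # constructed sample data
    good = send(b"A", readings, supplier.public_key(), user_a)
    flipped = bytearray(good["data_block"])
    flipped[10] ^= 0x01                                   # one bit changed in transit
    tampered = dict(good, data_block=bytes(flipped))
    forged = send(b"A", readings, supplier.public_key(), user_b)   # B claims to be A
    return {
        "accepted": receive(good, supplier, user_pubs),
        "tampered_rejected": is_rejected(tampered, supplier, user_pubs),
        "masquerade_rejected": is_rejected(forged, supplier, user_pubs),
    }


if __name__ == "__main__":
    print(demo())
```

The receiver cannot tell a masquerading sender from a modified message; both end in the same rejection, which is the safe behaviour for either case.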

Performance Analysis
Because encrypting and decrypting a large amount of NILM data requires a lot of calculation time, the efficiency of the algorithm proposed in this paper is a key factor to be considered in practice. This paper establishes a test platform to fully verify the efficiency of this method in different cryptography scenarios. At present, one of the most classical platforms for encryption and decryption algorithms is based on an ARM (Advanced RISC Machine) processor running an operating system such as Linux, where OpenSSL library functions are called to analyze encryption and decryption performance. However, there is less analysis of the algorithm running on bare metal alone. To provide a performance reference scheme for bare metal and experimental data for the selection of data encryption card hardware in the NILM system, the cost-effective STM32 MCU was used as the carrier to run the mixed encryption algorithm for the scheme test [40]. Introducing the cipher algorithm adds extra delay to the transmission of electric data. Therefore, it is necessary to evaluate the efficiency of encryption and decryption of the cryptographic algorithms, and to fully consider the computing resources occupied by data encryption and decryption while ensuring data confidentiality. This paper analyzed the performance of the scheme from the computing cost of encryption and decryption. The test scheme is shown in Figure 8 below.

The test platform was composed of a PC host computer and an MCU lower machine hardware platform.
(1) The interface of the PC host computer was developed with Visual Studio 2017 and Qt5 tools; its function was to send commands to the lower machine and receive feedback information from it through the serial port. The commands sent included the following: a. encryption algorithm type; b. length of key; and c. electricity data. The received information was the required test performance of the various algorithm modes running in the MCU under the set conditions.
(2) The MCU platform of the lower computer was established with the ARM chip of the STM32H743IIT6 model, which is a high-performance 32-bit ARM Cortex-M7 MCU chip. Its working frequency can reach 480 MHz. The relevant encryption algorithms in the OpenSSL function library, including the AES, RSA, and HMAC-SHA1 algorithms, were extracted and transplanted to the MCU. In this test, the lower machine was responsible for running the encryption and decryption algorithm according to the instructions sent by the upper computer, and for communicating with the upper computer software through the serial port.

Analysis of Encryption and Decryption Efficiency of AES Algorithm
AES uses a block cipher system. The size of each cipher block is 128 bit and the allowed key length is 128 bit, 192 bit, and 256 bit, respectively. Electric data to be encrypted are changed in real time, and the data format may vary. There are usually five work modes of AES, which are ECB, CBC, OFB, CFB, and CTR. In order to use AES algorithm safely and efficiently in the NILM system, the correlation among electric data length, key length, and working mode was tested. Among them, data length was at intervals of 5000 byte, and the encryption and decryption computing cost of 29 group data under different modes and different key lengths was recorded. Finally, experimental data were processed and analyzed.

Computing Cost Analysis of Encryption in Different Working Modes
Encryption computing time under different working modes with 128 bit key length is shown in Figure 9 below as an example. In the diagram, computing time under different working modes increased in all cases with the increase of power consumption information, and presented a linear correlation, R² = 1. The time cost of CFB1 and CFB8 modes was obviously longer than that of any others. From the calculations, CFB1 was 8 times that of CFB8, and CFB8 was 16 times that of CFB128. As the NILM system needs to transmit data in real time and too long a computing cost will affect the efficiency of the system, the two longer time modes were not selected for use. Except for CTR mode, the testing curves of the other four modes showed a high coincidence and computing cost was the same, while the computing cost of the CTR mode was 2.5 ms longer than that of any other mode in the test of 145,000 byte. However, if the NILM system uses low frequency as the frequency of real-time data acquisition, the calculation cost of the CTR mode is basically the same as that of the other four modes. In the end, the test results show that the trend of encryption computing cost of 192 bit and 256 bit key length was the same as that of 128 bit.

Comparative Analysis of Computing Cost between Encryption and Decryption
Table 1 showed the comparison and analysis of the computing cost of the encryption and decryption of each mode. From the table, the gap between encryption and decryption computing cost was large for CBC, CFB1, and CFB8, and the difference for the other modes was less than 0.2 ms. The absolute difference for the CTR mode was 0.01 ms; considering that the counting period of the timer in STM32 was set to 0.01 ms, the time of encryption and decryption of the CTR mode was the same. According to the principle of the CTR mode, there is no error in encryption. However, the ciphertext data will be distorted if there is a hacker attack or network transmission problem in the network transmission. Because AES is a block cipher, the decryption result will only have errors in the distorted data blocks, and the decryption result for the blocks without data distortion is consistent with the plaintext. Thus, the CTR mode was selected as the AES encryption and decryption mode in this scheme.
Table 2 shows the encryption and decryption efficiency of different key lengths. From the data in the table, it can be seen that, with the increase of the key length, the encryption and decryption efficiency of AES algorithm was obviously reduced. In the hybrid cryptosystem, AES algorithm is mainly used to encrypt data, thus efficiency is the first factor to be considered. After comprehensive consideration of security, interoperability, and computing cost, AES-128-CTR was selected as the encryption and decryption algorithm in the hybrid cryptosystem.

Conclusion
Computing cost of encryption and decryption increases with the increase of key length. The trend table of the six modes is the same as that of ECB, and computing cost of encryption and decryption increases with the increase of key length.

Encryption and Decryption Efficiency of RSA Algorithm of Different Key Lengths
Because the encryption speed of the asymmetric algorithm RSA is too slow for the large data collection of the NILM real-time system, it is usually used for encryption and decryption of the encryption key and for digital signature and verification. The electric power industry usually uses it in longitudinal encryption authentication gateways, network security isolation devices (inverse), and device management, among others. Common RSA key lengths are 1024 bit and 2048 bit. The test found that the encryption data size was 128 byte and 256 byte for key lengths of 1024 bit and 2048 bit, respectively. Although the data size is limited by the length of the key, as the auto-fill mode is used during the encryption process, the encryption and decryption times are exactly the same on the maximum allowed data length. At the same time, the effect of key length on encryption and decryption efficiency was tested as shown in Table 3. From the table, RSA public-key encryption was fast and private-key encryption was slow. Data signature was slow and data verification was fast. Owing to the difficulty of factoring large integers, it is difficult to break the RSA algorithm. With the development of cryptography technology, the RSA-768-bit algorithm was already broken in the year 2009. Although the amount of calculation for breaking a 1024-bit key is more than 1000 times that of a 768-bit key, an expert estimated that the former will be broken in the next 10 years. Application of the 2048-bit key length will be the mainstream of the RSA algorithm. At present, the NILM system is only in pilot use in Nanjing. With its wide popularization in future, its use period will extend and the security of the cryptography algorithm will be guaranteed. Therefore, the RSA algorithm with a key length of 2048 bit was selected.

Hybrid Cryptography Scheme Test
According to the analysis above, the symmetric algorithm AES-128-CTR was selected to encrypt data. The asymmetric algorithm RSA-2048 was selected to encrypt the AES key and for the digital signature. In order to ensure the accuracy of the data, HMAC-SHA1 was used in the mixed encryption and decryption scheme to check the integrity. It is agreed that the initial counter value of the AES-CTR algorithm module on the side of both the power supplier and the power consumers is set to 0. In the case of transmission error, if the integrity check fails, the sender will be immediately informed to resend the data. At this time, the receiver reinitializes the AES-CTR module and resynchronizes the counter, which is set to 0. The hybrid encryption scheme of NILM electro-data was composed of these three parts. The effectiveness and computing cost of the scheme were tested as shown in Figure 10 below.
Figure 10. Scheme test interface.
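An added example (not from the paper) of the CTR properties this section relies on: damage stays in the affected block, decryption itself raises no error so the HMAC-SHA1 check is what triggers the resend, and restarting the counter at 0 is only safe because each message gets a fresh key. To stay within the standard library, a truncated HMAC-SHA256 stands in for the AES block function; that swap, the sample readings, and all names are assumptions.

```python
# Added example (not the paper's code): CTR-mode behaviour the scheme relies on.
import hashlib
import hmac
import secrets

BLOCK = 16  # AES block size in bytes


def keystream_block(key: bytes, counter: int) -> bytes:
    """STAND-IN for AES_key(counter): HMAC-SHA256 truncated to one block.
    Standard library only; the CTR construction around it is unchanged."""
    return hmac.new(key, counter.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]


def ctr_xor(key: bytes, data: bytes, initial_counter: int = 0) -> bytes:
    """CTR encrypt/decrypt: XOR each block with the keystream for its counter."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        ks = keystream_block(key, initial_counter + offset // BLOCK)
        out += bytes(d ^ k for d, k in zip(data[offset:offset + BLOCK], ks))
    return bytes(out)


def digest(mac_key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 digest, the integrity check named in the paper."""
    return hmac.new(mac_key, data, hashlib.sha1).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def damaged_blocks(sent: bytes, recovered: bytes) -> list:
    """Indices of the 16-byte blocks where the recovered text differs."""
    return [i // BLOCK for i in range(0, len(sent), BLOCK)
            if sent[i:i + BLOCK] != recovered[i:i + BLOCK]]


# Constructed sample readings, equal length, each starting with sender id "A".
MSG_1 = b"A|" + b"P=1532W;" * 8
MSG_2 = b"A|" + b"P=0087W;" * 8


def transmission_error_demo() -> dict:
    key, mac_key = secrets.token_bytes(16), secrets.token_bytes(20)
    ciphertext, sent_digest = ctr_xor(key, MSG_1), digest(mac_key, MSG_1)
    corrupted = bytearray(ciphertext)
    corrupted[20] ^= 0xFF                       # damage one byte inside block 1
    recovered = ctr_xor(key, bytes(corrupted))  # decrypts without any error signal
    return {
        "damaged_blocks": damaged_blocks(MSG_1, recovered),
        "integrity_ok": hmac.compare_digest(digest(mac_key, recovered), sent_digest),
    }


def counter_restart_leaks(reuse_key: bool) -> bool:
    """Both messages start at counter 0, as after a resend. Returns True when the
    XOR of the two ciphertexts equals the XOR of the two plaintexts, i.e. the
    keystream cancelled out and the ciphertexts no longer hide the data."""
    key_1 = secrets.token_bytes(16)
    key_2 = key_1 if reuse_key else secrets.token_bytes(16)
    c1, c2 = ctr_xor(key_1, MSG_1), ctr_xor(key_2, MSG_2)
    return xor(c1, c2) == xor(MSG_1, MSG_2)


if __name__ == "__main__":
    print(transmission_error_demo())
    print("same key, counter 0:", counter_restart_leaks(True))
    print("fresh key, counter 0:", counter_restart_leaks(False))
```

A receiver that resets the counter to 0 on resend therefore has to reject any message whose key block decrypts to a session key it has already seen.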
The encryption and decryption computing time of each module in the scheme was tested, including AES encryption data, HMAC-SHA1 data message digest generation, RSA encryption of AES key, and signature of HMAC-SHA1 digest generation. In order to guarantee the effectiveness of the scheme, the encrypted and decrypted data and ciphertext were displayed on the interface for analysis and comparison. After many repetitions of the test, the encrypted data were consistent with the decrypted data and message digest of user and power supplier were consistent, so the NILM hybrid cryptography algorithm was effective. From the test, the whole scheme computing cost depended on the RSA decryption and digital signature, as shown in Figure 11 below.
Figure 11. Scheme computing time test result.

Conclusions
By being installed at the power entrance of the user, NILM collects the electricity customers' power utility information to achieve better power consumption experience and value-added services. Although frequent data collection brings convenience to electricity customers, it is inevitable that disclosure of sensitive information of electricity customers is involved. Therefore, NILM data security, especially concerning the privacy protection of electricity users, becomes an important security requirement in the NILM system. Taking into full consideration the NILM system characteristics, this paper proposed a hybrid cryptographic scheme. In the scheme, symmetric algorithm AES was used to encrypt electro-data. Asymmetric algorithm RSA was used to encrypt the AES key to achieve efficient key management, and was also used for authentication, and hash algorithm HMAC-SHA1 guaranteed the integrity of data. The computing cost, key management, authentication, and integrity of data were considered in the scheme. The requirements of data security and confidentiality were satisfied. By transplanting the algorithm to STM32 MCU and developing the test interface, the performance of the scheme computing cost was mainly tested.

A. Five working modes of AES algorithm, including ECB, CBC, OFB, CFB, and CTR, were tested with different key lengths of 128 bit, 192 bit, and 256 bit, respectively. The test results showed that the computing cost of the five working modes was linear with the data length and the key length. Apart from CTR mode, the computing cost of the other four modes was highly coincident. When the data quantity of CTR mode was 145,000 byte, the computing cost of the mode was only 2.5 ms higher than that of other modes, so it can be drawn that the computing cost of the five working modes is the same. From the test, the encryption and decryption time of the CTR mode were the same. On the basis of the real-time requirement of the NILM system, the AES-128-CTR mode was selected as the working mode of the hybrid cipher scheme.
B. The efficiency of RSA algorithm with the key lengths of 1024 bit and 2048 bit was tested. The test results showed that speed of RSA public encryption was fast and private encryption was slow. The speed of data signature was slow and data signature verification was fast. Considering the security requirements of NILM, RSA-2048 was selected as the working mode of the hybrid cipher scheme.
C. The effectiveness and efficiency of the hybrid cipher algorithm scheme were tested. By testing many times on the developed interface, the encrypted data were consistent with the decrypted data. Information digest of the power consumers and power supplier was consistent; therefore, the NILM hybrid cipher algorithm was effective. The computing cost of RSA decryption and signature basically determined the computing cost of the total scheme.

Conflicts of Interest:
The authors declare no conflict of interest.