Privacy-Preserving Meter Report Protocol of Isolated Smart Grid Devices

Smart grid aims to improve the reliability, efficiency, and security of the traditional grid, which allows two-way transmission and efficiency-driven response. However, a main concern of this new technique is that the fine-grained metering data may leak the personal privacy information of the customers. Thus, the data aggregation mechanism for privacy protection is required for the meter report protocol in smart grid. In this paper, we propose an efficient privacy-preserving meter report protocol for the isolated smart grid devices. Our protocol consists of an encryption scheme with additively homomorphic property and a linearly homomorphic signature scheme, where the linearly homomorphic signature scheme is suitable for privacy-preserving data aggregation. We also provide security analysis of our protocol in the context of some typical attacks in smart grid. The implementation of our protocol on the Intel Edison platform shows that our protocol is efficient enough for the physical constrained devices, like smart meters.


Introduction
While the swift advances in smart grid are triggering radical innovations in this field, today's power grid is widely different from the traditional grid [1][2][3][4].Traditional grid has the characteristic of centralized one-way transmission, which only transmits electricity from the generation plants to customers.Smart grid is featured with intelligent transmission (decentralized two-way transmission) and distribution networks, which combines the traditional grid and the new information processing technologies.On the one hand, smart grid integrates more green energies such as solar and wind power into energy supply; on the other hand, it improves the reliability, security, and efficiency of electric system by two-way communication of consumption data and other electric system's operations.In general, smart grid can realize the intelligent electricity generation, resource allocation, and dynamic pricing.
In this system, smart grid devices such as smart meters play an important role for collecting the power usage data and the status data.Such data are generated by some plug-in monitor sensors.In general, the smart grid data communication network can be divided into four layers [5] as Figure 1 shows.Various sensors and other smart grid devices consisting of a home area network are the first layer.Then, the smart meters and a neighborhood gateway which form a neighborhood area network are the second layer.Furthermore, all the neighborhood gateways connecting each other consist of the third layer network.Moreover, the forth layer network is a high speed public network through fiber gateways which is responsible for transfer all the data to the data center in electricity service provider (ESP).
However, not all smart grid devices are connected to the smart grid data communication network, due to the network outrage or opt-out agreement between the customers and the ESP.According to the utility-scale smart meter deployments report [6] published by Electric Innovation at Edison Foundation, the smart meters only cover 43% US homes.Some smart grid devices are located sparsely and far away from the data center of ESP.Thus, it would be a heavy cost to extend the smart grid data communication network for covering such isolated smart grid devices.Moreover, some in-network smart grid devices also will be disconnected from the smart grid network due to the natural disasters such as tornado and earthquake.Thus, for such isolated smart grid devices, the ESP may send a worker to the location of them and read the power usage data by using the handhold smart meter reader.In general, several protocols are used in smart grid communication network [7], for the propose of authentication, power allocation, meter reporting, and so on.The meter report protocol is used to calculate the total monthly power consumption data for each individual customers.For the isolated smart grid device, a smart reader device should be used as a bridge between the ESP and it as Figure 2 shows.Although the smart reader device needs to read the smart meter more frequently for monitoring the energy supply, the ESP only needs to obtain the total long-term consumption data for the energy forecast.
Up to now, several privacy-protection aggregation schemes have been proposed.Li et al. [8] constructed an incremental aggregation scheme based on a virtual aggregation tree which relies on the topology of network.Garcia and Jacobs [7] proposed an aggregation scheme combined with additive secret sharing.Lu et al. [9] proposed an efficient privacy-preserving scheme for multidimensional data structure.The three schemes are all based on Pallier's homomorphic encryption technology.Fan et al. [10] proposed data aggregations scheme based on the subgroup indistinguishability assumption.All the above aggregation schemes are designed for the in-network smart grid devices, and they are used to aggregate individual usage date from different customers.For the isolate smart grid devices, Sha et al. [5] proposed a secure and efficient authentication protocol, but their meter report protocol did not provide a data aggregation mechanism for privacy-preserving.For the isolated smart grid devices, there exists the same drawback as in-network devices that fine-grained power usage data may leak the personal privacy information [11,12].If a corrupted worker in the ESP can obtain the fine-grained power usage data, then he can analyze the daily activities of the customer.Thus, a secure data aggregation mechanism for privacy protection is also required for isolated smart grid devices.The fine-grained power usage data should be protected in the reader device and cannot be leaked to anyone else.
This paper aims to propose an efficient privacy-preserving meter report protocol for the isolate smart grid devices.The protocol not only contains an additively homomorphic encryption scheme used to aggregate the encrypted data but also includes a linearly homomorphic signature scheme [13,14] for protection against unintentional errors and altering messages in malicious.Furthermore, both the isolated smart grid devices and the reader devices have only restricted resources, and thus both the encryption and signature schemes should provide the high performance in terms of efficiency.
The contributions of this paper can be listed as follows: (1) We propose an encryption scheme with additively homomorphic property to aggregate the encrypted metering data.To be compatible with the data aggregation, we also propose a linearly homomorphic signature scheme which is used to sign the ciphertext of metering data.The signatures will be aggregated along with the ciphertexts stored in the reader device.This allows the ESP to verify the correctness of aggregated result by checking the aggregation signature.(2) We provide a security analysis to our meter report protocol in context of several typical attacks in smart grid.(3) To evaluate the appropriacy of our meter report protocol for the resourceconstrained devices, we implement our protocol on the Intel Edison platform which is a development system for Internet of Things (IoT) devices.Organization.Related mathematical concepts to our construction and proofs are reviewed in Section 2. The privacypreserving meter report protocol for isolated smart grid devices is proposed in Section 3. We analyze our protocol against several typical attacks in Section 4. Section 5 discusses the performance of our protocol on the platform of MacBook Pro and Edison.Finally, we conclude our paper in Section 6.

Preliminary
In this section, we review related mathematical concepts for our construction and proofs.
Assuming that  and   are two cyclic groups with the prime order , we define  :  ×  →   to be the bilinear map as it has the following properties: (1) Bilinear: (2) Nondegenerate: ∃ ∈ , (, ) ̸ = 1.
We define the -strong Diffie-Hellman (-SDH) assumption over  as follows.
Definition 1 (-SDH assumption).Let Gen(1  ) be a group generation algorithm that takes a security parameter  as input and outputs a description of a prime order group Θ = {, ,   , }.The -SDH assumption over group  states that, for any probabilistic polynomial-time (PPT) attackers, given a tuple (,   ,   2 , . . .,    ) for randomly chosen    →   and    → , the advantage for obtaining a solution (,  1/(+) ) is negligible in , where  ∈   .
Next, we define two composite order groups (  ,    ) with order  = , where  and  are distinct large primes.Thus,  is a product of two groups   =    ×    , and their orders are  and , respectively.In essence, the subgroup indistinguishability assumption is that an element in group   is computationally indistinguishable from a random element in    or    .Let   be a generator of   .We define a nongenerate and efficiently computable bilinear map  :   ×   →    over   and    .The subgroup indistinguishability assumption [15] can be described as follows.

Definition 2 (subgroup indistinguishability assumption). Let
Gen(1  ) be a group generation algorithm that takes a security parameter  as input and outputs a description of a multiplicative group Ψ = {, ,   ,    ,   }, where   =    ×    .
The subgroup indistinguishability assumption over group   states that, for any PPT attackers, the advantage is negligible in .

System Model.
There are three parties including electricity service provider (ESP), reader, and isolated smart grid device in the system model of the proposed protocol.
The ESP and the isolated smart grid device should setup their public/secret key pairs and other public information.
When the reader tries to frequently collect the encrypted metering data from the isolated smart grid device, several attacks may be possible.Firstly, an attacker may listen to the communications between the reader and the isolated smart grid device to obtain the metering data or alter the messages.Secondly, a corrupted reader may be used to obtain the power usage data.Thirdly, a corrupted reader may provide an incorrect total power usage data to the ESP.Finally, a fake ESP worker may analyze the power usage data with fine granularity to identify the daily activities of the customer.
In the meter report model as Figure 2 shows, the reader needs to much more frequently read from the smart grid device for monitoring the energy supply.Each time the reader reads, the smart grid device encrypts its metering data with a random number and signs it before he sends it to the reader.After a long term, the ESP can only obtain the total power usage data of the customer.

Construction.
The proposed protocol consists of four phases, which will be described in detail as follows.Some notations can be defined here.
(iii) ID esp is the identity information of electricity service provider.
(iv)   is the th random number chosen by smart grid device.
(v)  0 is the sum of random numbers ∑   .
Wireless Communications and Mobile Computing (vi)  is the secret key of isolated smart grid device.
(vii)  is the public key of isolated smart grid device.
( (ii) Isolated smart grid device: the isolated smart grid device randomly chooses  ∈  *  as its secret key and publishes the public key  =   .Then, let ID esp denote the identity of ESP who is the customer's energy supplier.
(2) Reading Phase (i) Isolated smart grid device: when the reader needs to read the metering data   for the th time in a long term, the isolated smart grid device chooses   ∈  *  randomly and computes a ciphertext CT  =    ℎ   .We assume that reader reads the metering data  times during such a long term.There is a limitation that  0 = ∑  =1   should not be a large number.Then, the smart grid device computes a signature where  is the tag of currently regular period.Finally, it sends {CT  , ( 1 ,  2 )} to the reader.(ii) Reader: after receiving {CT  , ( 1 ,  2 )}, the reader verifies identity of its ESP and the currently long term by checking ( 1 ,  ⋅  (ID esp ‖) ) = (, ).
Here, the reader verifies the smart grid device's first signature component to assure that who is its ESP and to avoid that the customer will make payments for an improper ESP.If the signature  1 is true, then the reader stores {CT  , ( 1 ,  2 )}.
(3) Aggregation Phase (i) Isolated smart grid device: at the end of a long term, the isolated smart grid device encrypts  0 as CT  0 =   0 ℎ  with a random number  ∈  *  and sends it to the reader.
(ii) Reader: after receiving CT  0 =   0 ℎ  , the reader needs to aggregate the total power usage data of the isolated smart grid device.We assume that the reader has read the smart grid device  times during this long term, and thus  ciphertext/signature pairs {CT  , ( 1 ,  2 )} ∈ [1,𝑛] have been stored in the reader.Then, the reader computes CT = ∏  =1 CT  and  2 = ∏  =1  2 , and reports {CT, ( 1 ,  2 ), CT  0 } to the ESP.
(4) Decryption and Verification Phase (i) ESP: when the ESP receives {CT, ( 1 ,  2 ), CT  0 }, it firstly verifies its identity information and the currently long term by checking ( 1 ,  ⋅  (ID esp ‖) ) = (, ) and then computes  = CT   0 = (  )  0 and g =   .Since  0 is not a large number, the ESP can compute the discrete log of  on the base of g by using Pollard's lambda method [16] in polynomial time.Then, the ESP computes  = CT⋅ℎ − 0 =  ∑  =1   .Since the total power usage data  = ∑  =1   is also not a large number, the ESP can compute the discrete log of  on the base of .Finally, the ESP computes  =   2 and verifies  2 by checking (, ⋅ (ID esp ‖) ) = ( g, )  .
The correctness of the above formulas can be depicted as follows.

Security Analysis
Our privacy-preserving meter report protocol is proposed not only to prevent the unauthorized parties to read or alter the metering data from the isolated smart grid devices, but also to securely aggregate the fine-grained power usage data in a long term.Here, we show the security properties of our scheme in context of six typical attacks in smart grid.

Against External Attack.
The external attackers can eavesdrop on the communication channels to obtain the unauthorized information.In our protocol, all the metering data are encrypted, which provide strong protection to the external attackers.The proof of Theorem A.2 in Appendix shows that our encryption scheme satisfies the CPA secure under the subgroup indistinguishability assumption.The external attackers also cannot alter a metering data of the isolated smart grid device, since they cannot forge a valid signature.Theorems A.4 and A.5 in Appendix show that our linearly homomorphic signature schemes are unforgeable under the -SDH assumption and Boneh and Boyen signature.

Against Smart Grid Device Attack.
A smart grid device attack is that a fake smart grid device aims to mimic a legitimate device.In our design, we use the signature technology to prevent a fake smart grid device from authenticating with the reader and ESP.Moreover, a fake smart grid device may want to let the customer to pay for an improper ESP, but our design can also avoid this situation, since the first component of linearly homomorphic signature is a signature of the proper ESP's identity, and its unforgeable security is under Boneh and Boyen signature (the security proof of Theorem A.4 can be seen in Appendix).

Against Internal (Reader)
Attack.An attacker may use a lost legitimate reader to obtain the unauthorized information or maliciously alter total the power usage data of a smart grid device, which is called the internal (reader) attack.In reading phase, the legitimate reader only can verify the signature of device's identity.But the power usage data   cannot be recovered from the ciphertext CT  =    ℎ   , since the reader cannot get the ESP's secret key (, ).In aggregation phase, the reader also cannot decrypts CT  0 to get  0 and obtains the total power usage data.On the other hand, the linearly homomorphic signature and the encryption of  0 prevent the reader from altering the total power usage data, since it does not know the secret key  of the isolated smart grid device.The unforgeability of our linearly homomorphic signature scheme has been proved by Theorems A.4 and A.5.The properties of linearly homomorphic signature also protect the correctness and integrity of the total power usage data.

Against Internal (ESP) Attack.
We assume that the legitimate workers of ESP make the malicious attacks.After receiving the ciphertext/signature pair {CT, ( 1 ,  2 ), CT  0 } from the reader, the ESP can compute  = CT ⋅ ℎ − 0 =  ∑  =1   to recover the total power usage data.However, the ESP cannot decrypt the individual metering data   from CT and  0 , since it does not know each corresponding random number   .

Against Man-In-The-Middle Attack.
A Man-In-The-Middle attacker aims to mimic the right person to fool one side by using the information from another side.In readerdevice and ESP-device authentication, a public key based linearly homomorphic signature scheme is used to authenticate the device's identity and the ciphertexts.It provides the strong defense for the Man-In-The-Middle attacks, since the attacker cannot convince the reader and ESP to accept its public key.

Against Replay Attack.
If an attacker obtains the information between the communication of two sides, then he intercepts the communication and replays the information maliciously, which is called replay attack.In our designing, we use the tag of currently term  to prevent the replay attack from different terms.If the attacker wants to modify  in device's signature for the replay attack, then he should get the device's secret key .However, it is almost impossible to guess the device's secret key.If an attacker wants to make replay attack in the same period, then it should modify  0 in ciphertext CT  0 that is also impossible.

Performance Analysis
Let  denote the pairing computation cost,  denote the exponent cost, and Mu denote the point multiplication.Table 1 shows the computational complexity of our protocol.
Following the theoretical analysis, we test our scheme on two different platforms, where one is a normal personal computer, and the other is a resource-constrained device.We implement our protocol in C with the pairing based cryptography (PBC) library [17] for the underlying arithmetic and pairing operations.We use the Type-A curves as defined in PBC library for the implementation, since the Type-A curves offers the highest efficiency among all the three types of curves.
The first test machine is MacBook Pro with Intel core i5 CPU (2.5 GHz) running Os X 10.9.3, which RAM is 4 GB.The second test machine is Intel Edison development platform, which is designed to rapidly prototype and produce Internet of Things (IoT) products.Since the isolated smart grid device and reader device are usually resource-constrained devices, we test our protocol on this platform.We use Edison platform with a dual-core, dual-threaded Intel Atom CPU at 500 MHz and 1 GB RAM, running Yocto Linux v1.6.
Table 2 shows the time cost of reading phase for smart grid device and reader.We compute the average value on 100 randomized runs.The time cost of isolated smart grid device is about 0.43 seconds, if our protocol is run over the Edison platform.For the reader, it needs 0.42 seconds to verify the signature, while the protocol is run over the Edison platform.In aggregation phase, the time cost of isolated device is about  1.5 milliseconds on the Edison platform, while it needs about 0.06 milliseconds over MacBook Pro. Figure 3 shows the time cost of reader in aggregation phase.We can see that the time consuming of reader is increased by the number of ciphertext/signature pairs to be aggregated.The time cost of decryption for the ESP is about 77 milliseconds.Although the total power usage data  is increased by the number of individual consumption data   , the computation of the discrete log of  is very slightly raised.

Conclusion
In practical, the fine-grained individual power consumption data may leak the personal privacy information of the users.Thus, in order to protect the personal privacy, data aggregation mechanism should be designed in the meter report protocol.In this paper, we propose an efficient privacypreserving meter report protocol for the isolated smart grid devices, which consists of an encryption scheme with additively homomorphic property and a linearly homomorphic signature scheme.To prevent unauthorized seeing the intermediate metering data, the metering data should be encrypted by using the encryption scheme with additively homomorphic property and aggregated using such a property.Besides the encryption scheme, a linearly homomorphic signature scheme which is compatible with data aggregation is also designed in our protocol for verifying the correctness and integrity of the aggregation result.We give security analysis to our protocol in context of six typical attacks in smart grid.The implementation of our protocol on the Edison platform shows that our protocol is efficient enough for the resource-constrained devices.
Output.A outputs its guess   to , and if   = , then A wins the game and C outputs that " is uniformly in   ".Otherwise, C outputs that " is uniformly in ".
If  is uniformly in , then the challenge ciphertext CT is randomly in   , which is independent of .Thus, Pr[  = ] = 1/2 in this case.However, if  is uniformly in   , then Pr[  = ] = 1/2 + () in this case since A can break the above encryption scheme with the probability of ().The probability difference of these two cases is (), which is nonnegligible in our assumption.But it contradicts that the subgroup indistinguishability assumption is hard.Thus, our assumption is not correct, and the encryption scheme is CPA secure.
Our linearly homomorphic signature scheme is based on Boneh and Boyen signature [18], which has been proved strongly unforgeability against a weak attacker under the -SDH assumption.Here, we will firstly provide the security definition of linearly homomorphic signature.
Definition A.3.An linearly homomorphic signature scheme is simply unforgeable, if for all the advantage of any PPT attacker A in the following game is negligible in the security parameter .
Setup.The challenger obtains the public/secret key pair (, ) by running Setup(1  ) and sends  to the attacker, where the public key includes a message space M and a signature space Σ.The challenger sets Sign as the signing algorithm and Verif y as the verification algorithm.
Queries.The attacker sends a random number  ∈ {0, 1} * and a message  ∈ M to the challenger for a signature query.Then, if  is the first query for , the challenger randomly chooses a tag   ∈  *  and gives it to the attacker.Otherwise, the challenger looks up the previously chosen   .The challenger then returns the signature  ← Sign(,   , ).This query can be repeated for a polynomial times; however there is a restriction that at most  message can be queried for one tag   .We let   denote the set of elements  queried for .The advantage of the attacker is the probability that the attacker wins the game.
We can show that type 1 and type 2(a) forgery in our linearly homomorphic signature scheme will lead to a forgery of the underlying Boneh and Boyen (BB) signature.
Theorem A.4.Our linearly homomorphic signature scheme is secure against type 1 and type 2(a) forgeries, if BB signature is strong unforgeable against a weak attacker.
Proof.Sketch.The challenger simulates the public key of our scheme by using the public key of BB signature and the element ℎ =   .For responding the signature query on  in our scheme, the challenger queries  to the challenger of BB signature and obtains  1 .Then, the challenger returns ( 1 ,  2 =  +⋅ 1 ) for a random number  ∈  *  .Finally, if the attacker of our scheme outputs a valid forgery ( * ,  * ,  * ), then the first component of  * is a valid forgery of BB signature.
Theorem A.5.Our linearly homomorphic signature scheme is secure against type 2(b) forgeries, if q-SDH assumption holds.

Figure 1 :
Figure 1: Smart grid data communication network.

Figure 2 :
Figure 2: Meter report of isolated smart grid devices.

Figure 3 :
Figure 3: Time Cost of reader in aggregation phase.

Output.
The attacker outputs a tag  * ∈  *  , a message  * ∈ M, and a signature  * ∈ Σ.The attacker wins if Verif y(,  * ,  * ,  * ) = 1 and satisfies one of the following conditions (the type 2 forgery can be split into 2 subtypes): Type 1:  * ̸ =   for all  queried by attacker (a type 1 forgery).
1) Setup Phase (i) ESP: the ESP randomly chooses two distinct large primes (, ) and computes the RSA parameter  =  (example initiation: let P, , and  be distinct large primes such that P = 2 + 1. Obviously,  * p is a quadratic residue group with order  = . * p can be denoted as  * p =   ×   , where   and   are both prime order cyclic groups.Gonzalez et al. proved that the subgroup decision assumption over  * p holds if the factoring problem over  is hard).It generates  in group  with order  and produces a generator  of the subgroup   .Then, it computes ℎ =   , which is an element in subgroup   .Finally, the ESP publishes the public parameters {, , ℎ, , ID esp } where ID esp is its identity information and keeps {, } as the secret information.

Table 1 :
Computational complexity of our protocol.

Table 2 :
Time cost in reading phase.