Recent advances in Internet and microelectronics technologies have led to the concept of the smart grid, which has attracted widespread attention from industry, governments, and academia. The openness of communications in the smart grid environment makes the system vulnerable to different types of attacks, so implementing secure communication and protecting consumers' privacy have become challenging issues. The data aggregation scheme is an important technique for preserving consumers' privacy because it can stop the leakage of a specific consumer's data. To satisfy the security requirements of practical applications, many data aggregation schemes have been presented over the last several years. However, most of them suffer from security weaknesses or have poor performance. To reduce computation cost and achieve better security, we construct a lightweight data aggregation scheme against internal attackers in the smart grid environment using Elliptic Curve Cryptography (ECC). Security analysis of our proposed approach shows that it is provably secure and can provide confidentiality, authentication, and integrity. Performance analysis demonstrates that both computation and communication costs of the proposed scheme are much lower than those of the three previous schemes. As a result of these benefits, the proposed lightweight data aggregation scheme is more practical for deployment in the smart grid environment.
Funding: National Natural Science Foundation of China (61572370, 61501333, 61572379, U1536204); National High-Tech Research and Development Program of China (2015AA016004); Natural Science Foundation of Hubei Province (2015CFB257); University of Kentucky.

1. Introduction
By providing bidirectional communication of electricity and information, the smart grid performs real-time monitoring of power usage [1]. Based on the real-time information, the providers can monitor power generation and consumption and obtain the immediate power demand of each area. They can then take prompt action to optimize the power supply. The consumer can also obtain the current power price and adjust his/her behavior to lower expenses. Therefore, the smart grid can achieve efficient, economical, and reliable power services. Due to such advantages, the smart grid has attracted widespread attention from governments, industry, and academia in the last decade and is considered the most promising candidate for the next-generation power system [2].
The National Institute of Standards and Technology (NIST) presents a model that describes seven important domains of the smart grid [3]. As shown in Figure 1 [4], a smart grid consists of seven important domains, that is, the power generation (PG) domain, the power transmission (PT) domain, the power distribution (PD) domain, the power customer (PC) domain, the power operation (PO) domain, the power market (PM) domain, and the power service provider (PSP) domain [5, 6]. After the power is generated, transmitted, and distributed in the PG domain, the PT domain, and the PD domain, respectively, it is consumed by the customers in the PC domain. The PO domain, the PM domain, and the PSP domain manage the power flow, the participants, and all third-party operations, respectively [7, 8].
Figure 1: The model of the smart grid.
The smart meters in the smart grid collect the consumers' power consumption data and other information and send them to the remote control center. Generally speaking, the smart meter is installed outside the consumer's door, and an attacker can easily control the communication channel because it is open. The attacker may maliciously modify the power consumption data to increase/decrease the consumer's power expense. He/she can also learn the daily routine of the consumer in order to commit crimes. For example, he/she knows that the consumer is out when there is no power consumption and sneaks into the house to steal valuables.
Given the above problems, achieving secure communication in the smart grid is an issue that needs to be addressed. In particular, ensuring the data's integrity and confidentiality is even more important. Several cryptographic schemes can be applied for secure communication in the smart grid. Many key management schemes [9–11], key distribution schemes [12–14], and key agreement schemes [15–17] were presented in recent years. However, many of these schemes cannot provide integrity and confidentiality simultaneously. To address this challenge, data aggregation schemes have been proposed by several researchers and applied in the smart grid. However, most of them are vulnerable to attacks from internal attackers. Although several data aggregation schemes against internal attackers were proposed to enhance security, their computation or communication costs are too high for practical smart grid applications. In addition, the smart meter has very limited computation and communication capabilities. It is therefore necessary to design lightweight data aggregation schemes for practical deployment.
1.1. Our Contributions
To reduce both computation and communication costs, we propose a lightweight data aggregation scheme based on Elliptic Curve Cryptography (ECC) [18, 19], which achieves the same security level with a much shorter key size. The main contributions of our paper are as follows:
First, we propose a lightweight data aggregation scheme based on Schnorr’s signature scheme [18].
Second, we prove that the proposed lightweight data aggregation scheme is secure and is able to satisfy security requirements.
Finally, we analyze the performance of the proposed lightweight data aggregation scheme to demonstrate its high performance.
1.2. Organization of the Paper
In Section 2, we briefly review related papers about data aggregation schemes. In Section 3, we give some preliminaries, including backgrounds of ECC, network model, and security requirements of the data aggregation scheme. In Section 4, we present our lightweight data aggregation scheme based on ECC. In Section 5, we describe a security model for the data aggregation scheme and present the security analyses of our scheme. In Section 6, we present the computation and communication analyses of our data aggregation scheme.
2. Related Works
To guarantee secure communication in open environments, many authentication schemes [20–22], encryption schemes [23–26], and secure outsourcing schemes [25, 27, 28] have been constructed in the last several years. Li et al. [29] and Garcia and Jacobs [30] designed two data aggregation schemes using Paillier's encryption scheme [31]. To improve performance, Lu et al. [32] designed an improved data aggregation scheme using Paillier's encryption scheme and a super-increasing sequence. However, the above three schemes [29, 30, 32] cannot protect consumers' privacy because none of them provides anonymity. To protect consumers' privacy, Zhang et al. [33] designed a security-enhanced data aggregation scheme based on the Chinese Remainder Theorem and Paillier's encryption scheme. Chen et al. [34] also designed a security-enhanced data aggregation scheme with fault tolerance based on Paillier's encryption scheme.
Unfortunately, internal attacks are not considered in the above data aggregation schemes [29, 30, 32–34], which allows internal attackers to access the consumers' smart grid data. To address this weakness, Fan et al. [35] designed the first data aggregation scheme that can withstand attacks from internal attackers by using a blinding technique. Unfortunately, Bao and Lu [36] demonstrated that Fan et al.'s data aggregation scheme cannot guarantee the integrity of transmitted data. To enhance security, He et al. [4] designed an improved data aggregation scheme based on Boneh et al.'s encryption scheme [37]. The performance of Fan et al.'s data aggregation scheme [35] and He et al.'s data aggregation scheme [4] is not good enough because they use bilinear pairing operations.
3. Preliminaries
3.1. Elliptic Curve
Given a prime number p, we say that the equation $y^2 = x^3 + a\cdot x + b \bmod p$ defines an elliptic curve $E(F_p)$, where $a, b \in F_p$ and $\Delta = 4a^3 + 27b^2 \neq 0 \bmod p$ [38]. It is well known that all points on $E(F_p)$ together with the point at infinity O form an additive group G. Given a generator point P with prime order q, the scalar multiplication operation is defined as $n\cdot P = \underbrace{P + P + \cdots + P}_{n\ \text{times}}$, where n is a positive integer.
Previous research has shown that the following problems in the group G are suitable for the design of public key cryptography because no probabilistic polynomial time algorithm can solve them efficiently [38].
Discrete Logarithm (DL) Problem. Given an element Q∈G, the DL problem is to extract an element x∈Zq∗ such that Q=x·P.
Computational Diffie-Hellman (CDH) Problem. Given two elements x·P,y·P∈G with two unknown elements x,y∈Zq∗, the CDH problem is to extract the element Q=x·y·P.
3.2. Network Model
As shown in Figure 2 [4], there are three participants in the system of a data aggregation scheme, namely, a trusted third party (TTP), an aggregator (Agg), and a smart meter (SMi) [4, 35]. The functions of the above three participants are presented as below.
TTP: it is a trusted third party and its function is to generate blinding factors to withstand the internal attackers.
Agg: it is the manager of the smart grid and its function is to generate the system parameters and the private keys of smart meters.
SMi: it is a smart meter and its function is to collect consumers’ electricity consumption data and send it to Agg.
The registration phase.
The workflow of the system is as follows. (1) Agg produces the system parameters and the master private key; (2) SMi registers with Agg and gets its private key; (3) TTP generates the blinding factors for Agg and SMi; (4) SMi collects the electricity consumption, produces a ciphertext, and sends it to Agg; (5) after collecting all ciphertexts, Agg checks their validity and extracts the sum of all electricity consumption data.
3.3. Security Requirements
Based on recent works, we know that a data aggregation scheme for the smart grid should meet the security requirements below [4, 35].
(i) Confidentiality. The consumer's power consumption data reveals his/her habits, and its leakage may be used by an attacker to commit a crime. To ensure the consumer's safety, a data aggregation scheme should provide confidentiality; that is, neither external attackers nor internal attackers can extract the electricity consumption data from intercepted messages.
(ii) Authentication. A malicious attacker may forge a message and impersonate the consumer. To ensure that a received message was sent by a legitimate SMi, a data aggregation scheme should provide authentication; that is, Agg can check the legality of the received message.
(iii) Integrity. All messages are transmitted over open communication channels and the malicious attacker may modify them to break regular transactions. To protect the rights and interests of all participants in the smart grid, a data aggregation scheme should provide integrity; that is, Agg can detect any modification of the received data.
(iv) Resistance against Attacks. Due to the openness of communication channels in the smart grid, the system is vulnerable to many types of attacks. To obtain secure communications in the smart grid, a data aggregation scheme should supply resistance against attacks; that is, it can withstand the replay attack, the modification attack, the man-in-the-middle attack, and the impersonation attack.
4. The Proposed Data Aggregation Scheme
We describe our proposed lightweight data aggregation scheme, which consists of three phases, namely, the initialization phase, the registration phase, and the aggregation phase.
Initialization Phase. In this phase, Agg executes some steps to produce the system parameters. TTP and Agg execute some other steps to produce the blinding factors against internal attackers.
Agg runs the following steps to produce the system parameters.
Agg selects an elliptic curve E(Fp) determined by the equation y² = x³ + a·x + b mod p, where p is a prime and a, b ∈ Fp.
Agg selects an element P with the order q existing on E(Fp), where q is a prime.
Agg selects an element s∈Zq∗ and calculates Ppub=s·P.
Agg selects three cryptographic hash functions hi: {0,1}∗ → Zq∗ (i = 1, 2, 3).
Agg publishes params = {p, a, b, q, P, Ppub, h1, h2, h3} and keeps s secret.
TTP and Agg execute the following steps to produce the blinding factors.
TTP randomly selects a group of elements θ1, θ2, …, θn ∈ Zq∗ and computes $\theta = \sum_{i=1}^{n} \theta_i \bmod q$. At last, TTP sends θ to Agg and sends θi to SMi, where i = 1, 2, …, n.
Agg computes θ0 = −θ mod q and keeps it secret.
Registration Phase. In this phase, SMi registers with Agg. After registration, SMi receives its private key and becomes a legitimate smart meter. As demonstrated in Table 1, SMi and Agg run the following steps to finish the registration.
SMi randomly chooses an element xi′ ∈ Zq∗, computes Xi′ = xi′·P, and transmits {idi, Xi′} to Agg secretly.
Agg randomly chooses an element xi′′ ∈ Zq∗ and computes Xi′′ = xi′′·P, Xi = Xi′ + Xi′′, αi = h1(idi, Xi), and si′′ = s + αi·xi′′ mod q. At last, Agg sends {si′′, Xi′′} to SMi secretly.
SMi computes Xi = Xi′ + Xi′′, αi = h1(idi, Xi), and si = si′′ + xi′·αi mod q and checks whether the equation si·P = Ppub + αi·Xi holds. If not, SMi rejects the session; otherwise, SMi stores {si, Xi} and finishes the registration.
Since Xi′ = xi′·P, Xi′′ = xi′′·P, Xi = Xi′ + Xi′′, si′′ = s + αi·xi′′ mod q, and si = si′′ + xi′·αi mod q, we have
$$
\begin{aligned}
s_i\cdot P &= (s_i'' + x_i'\cdot\alpha_i)\cdot P = (s + \alpha_i\cdot x_i'' + \alpha_i\cdot x_i')\cdot P \\
&= (s + \alpha_i\cdot(x_i' + x_i''))\cdot P = s\cdot P + \alpha_i\cdot(x_i' + x_i'')\cdot P \\
&= P_{pub} + \alpha_i\cdot(x_i'\cdot P + x_i''\cdot P) = P_{pub} + \alpha_i\cdot(X_i' + X_i'') = P_{pub} + \alpha_i\cdot X_i. \qquad (1)
\end{aligned}
$$
Therefore, the correctness of the registration phase is demonstrated.
Aggregation Phase. In this phase, SMi extracts the power consumption data and sends it to Agg. Agg checks the validity of the received messages and aggregates all the received data. As demonstrated in Table 1, the steps below are executed by SMi and Agg.
SMi gets the power consumption data mi, randomly chooses an element yi ∈ Zq∗, and computes Yi = yi·P, Ŷi = yi·Ppub, ci = mi + θi + h2(Ŷi) mod q, βi = h3(idi, Xi, Yi, ci, t), and di = si + βi·yi mod q, where t is the current timestamp. At last, SMi transmits {Xi, Yi, ci, di, t} to Agg.
Agg checks whether $d_i\cdot P = P_{pub} + \alpha_i\cdot X_i + \beta_i\cdot Y_i$ holds, where $\alpha_i = h_1(id_i, X_i)$ and $\beta_i = h_3(id_i, X_i, Y_i, c_i, t)$. To improve performance, we use the small exponent test technique [39] to achieve batch verification: Agg randomly chooses a group of integers $z_1, z_2, \ldots, z_n \in [1, 2^w]$ and checks whether the equation $(\sum_{i=1}^{n} z_i\cdot d_i)\cdot P = (\sum_{i=1}^{n} z_i)\cdot P_{pub} + \sum_{i=1}^{n}(z_i\cdot\alpha_i\cdot X_i + z_i\cdot\beta_i\cdot Y_i)$ holds. Agg then computes $c = \sum_{i=1}^{n}(c_i - h_2(s\cdot Y_i))$ and extracts the sum of the power consumption data by computing $m = c + \theta_0 \bmod q$.
Since si·P = Ppub + αi·Xi, Yi = yi·P, Ŷi = yi·Ppub, ci = mi + θi + h2(Ŷi) mod q, and di = si + βi·yi mod q, we can derive
$$
\begin{aligned}
d_i\cdot P &= (s_i + \beta_i\cdot y_i)\cdot P = s_i\cdot P + \beta_i\cdot y_i\cdot P = P_{pub} + \alpha_i\cdot X_i + \beta_i\cdot Y_i, \\
\Big(\sum_{i=1}^{n} z_i\cdot d_i\Big)\cdot P &= \sum_{i=1}^{n} z_i\cdot(s_i + \beta_i\cdot y_i)\cdot P = \sum_{i=1}^{n}(z_i\cdot s_i\cdot P + z_i\cdot\beta_i\cdot y_i\cdot P) \\
&= \sum_{i=1}^{n}\big(z_i\cdot(P_{pub} + \alpha_i\cdot X_i) + z_i\cdot\beta_i\cdot Y_i\big) = \Big(\sum_{i=1}^{n} z_i\Big)\cdot P_{pub} + \sum_{i=1}^{n}(z_i\cdot\alpha_i\cdot X_i + z_i\cdot\beta_i\cdot Y_i), \qquad (2)
\end{aligned}
$$
$$
\begin{aligned}
c + \theta_0 &= \sum_{i=1}^{n}\big(c_i - h_2(s\cdot Y_i)\big) + \theta_0 = \sum_{i=1}^{n}\big(m_i + \theta_i + h_2(\hat{Y}_i) - h_2(s\cdot y_i\cdot P)\big) - \theta \\
&= \sum_{i=1}^{n}\big(m_i + \theta_i + h_2(\hat{Y}_i) - h_2(y_i\cdot P_{pub})\big) - \theta = \sum_{i=1}^{n}\big(m_i + \theta_i + h_2(\hat{Y}_i) - h_2(\hat{Y}_i)\big) - \theta \\
&= \sum_{i=1}^{n} m_i + \sum_{i=1}^{n}\theta_i - \sum_{i=1}^{n}\theta_i = \sum_{i=1}^{n} m_i. \qquad (3)
\end{aligned}
$$
According to the above equations, the correctness of the aggregation phase of our scheme is demonstrated.
5. Security Analysis
The security of the proposed lightweight data aggregation scheme is analyzed in this section. First, we present a security model for the data aggregation scheme. Second, we demonstrate that the proposed lightweight data aggregation scheme is provably secure in the security model. Finally, we demonstrate that the proposed lightweight data aggregation scheme can meet the security requirements presented in Section 3.
5.1. Security Model
Based on security models [40] for signcryption schemes, we present a security model for data aggregation schemes. Confidentiality and unforgeability are formally defined by two games played between an attacker A and a challenger C. A is allowed to make the following queries.
hi(m): for such a query made by A, C randomly selects r∈Zq∗, sends r to A, and stores (m,r) in the table Lhi, where i=1,2,3.
CreateSM(idi): for such a query made by A, C generates SMi’s secret key and blinding factor and stores them in the table LSM.
CorruptSM(idi): for such a query made by A, C sends SMi’s private key and blinding factor to A.
Signcrypt(idi,mi): for such a query made by A, C generates a ciphertext {Xi,Yi,ci,di,t} corresponding to the message mi.
Designcrypt(idi,Xi,Yi,ci,di,t): for the query made by A, C checks the validity of the ciphertext and decrypts it to get the plaintext.
Definition 1.
A data aggregation scheme is able to provide confidentiality [indistinguishability against adaptive chosen ciphertext attacks (IND-CCA)] if no attacker can win the following game with a nonnegligible advantage.
Setup. C produces system parameters and transmits them to A.
Phase 1. A is able to adaptively make hi, CreateSM, CorruptSM, Signcrypt, and Designcrypt queries.
Challenge. A picks a challenging identity idi∗, chooses two messages m0 and m1, and sends them to C. C picks a random element b∈{0,1}, produces a signcrypted ciphertext {Xi,Yi,ci,di,t}, and sends it to A.
Phase 2. In this phase, A can adaptively make hi, CreateSM, CorruptSM, and Signcrypt queries except that it cannot make a CorruptSM query with idi∗ or a Designcrypt query with {Xi,Yi,ci,di,t}.
Finally, A gives its guess b′∈{0,1} about the value of b selected by C.
The advantage of A is defined by the equation AdvAIND-CCA=|2·Pr[b′=b]-1|. A wins in the above game if it guesses the value of b correctly.
Definition 2.
A data aggregation scheme is able to provide unforgeability [existential unforgeability against adaptive chosen message attacks (EUF-CMA)] if no attacker wins the following game with a nonnegligible advantage.
Setup. C produces the system parameters and sends them to A.
Query. In this phase, A picks a challenging identity idi∗ and is able to adaptively make hi, CreateSM, CorruptSM, Signcrypt, and Designcrypt queries, except that it cannot make a CorruptSM query with idi∗.
Forgery. In this phase, A outputs a ciphertext {Xi,Yi,ci,di,t} corresponding to the challenging identity idi∗.
We say A wins in the above game if {Xi,Yi,ci,di,t} is valid and it is not generated by executing a Signcrypt query.
5.2. Security Analysis
Theorem 3.
The proposed data aggregation scheme is able to provide confidentiality if the CDH problem is hard.
Proof.
Assume that an attacker A wins the game defined in Definition 1 with a nonnegligible advantage ϵ. Based on A's capability, we can construct a challenger C that solves the CDH problem with a nonnegligible advantage. Given an instance (P, Q1 = a·P, Q2 = b·P) of the CDH problem, C sets Ppub ← a·P and sends params = {p, a, b, q, P, Ppub, h1, h2, h3} to A. C randomly picks an identity idI as the challenging identity and answers queries from A according to the rules below.
hi(m): C keeps a table Lhi of the form (m,r), where i∈{1,2,3}. Upon receiving such a query, C checks if Lhi contains a tuple (m,r). If so, C sends r to A; otherwise, C randomly selects an element r∈Zq∗, stores (m,r) into Lhi, and sends r to A.
CreateSM(idi): C keeps a table LSM of the form (idi, θi, si, Xi). Upon receiving such a query, C checks if LSM contains a tuple (idi, θi, si, Xi). If so, C sends Xi to A; otherwise, C randomly selects three integers θi, αi, si ∈ Zq∗ and sets Xi ← αi⁻¹·(si·P − Ppub). C stores (idi, Xi, αi) into Lh1 (so that h1(idi, Xi) = αi) and (idi, θi, si, Xi) into LSM.
CorruptSM(idi): C checks if LSM contains a tuple (idi, θi, si, Xi). If not, C makes a CreateSM query with the identity idi. After that, C returns (idi, θi, si, Xi) to A.
Signcrypt(idi,mi): C checks if LSM contains a tuple (idi,θi,si,Xi). If not, C makes CreateSM-query with the identity idi. After that, C gets the tuple (idi,θi,si,Xi) from LSM and uses it to produce a ciphertext {Xi,Yi,ci,di,t}. At last, C sends {Xi,Yi,ci,di,t} to A.
Given the power consumption data m0 and m1, C extracts (idI, θI, sI, XI) from LSM and selects a random bit b ∈ {0,1}. C sets YI ← Q2 (= b·P, the second element of the CDH instance), randomly selects three elements βI, cI, dI ∈ Zq∗, stores (idI, XI, YI, cI, t, βI) into Lh3, and sends {XI, YI, cI, dI, t} to A.
After that, A can make hi, CreateSM, CorruptSM, and Signcrypt queries and get the corresponding responses. Then, A outputs b′ as his/her guess against the confidentiality. C selects a random tuple (R,r) from Lh2 and outputs R as the solution of the given CDH problem.
Let qh2 denote the number of h2 queries made in the game. The probability that C solves the given CDH problem is η = ϵ/qh2. Because ϵ is nonnegligible, η is nonnegligible as well. This contradicts the hardness of the CDH problem. Thus, the proposed data aggregation scheme is able to provide confidentiality.
Theorem 4.
The proposed data aggregation scheme is able to provide unforgeability if the DL problem is hard.
Proof.
Assume that an attacker A wins the game defined in Definition 2 with a nonnegligible advantage ϵ. Based on A's capability, we can construct a challenger C that solves the DL problem with a nonnegligible advantage. Given an instance (P, Q1 = a·P) of the DL problem, C picks a random integer s ∈ Zq∗, computes Ppub = s·P, and sends params = {p, a, b, q, P, Ppub, h1, h2, h3} to A. C randomly selects an identity idI as the challenging identity and answers queries from A according to the rules below.
hi(m): C keeps a table Lhi of the form (m,r), where i∈{1,2,3}. Upon receiving such a query, C checks if Lhi contains a tuple (m,r). If so, C sends r to A; otherwise, C randomly picks up an element r∈Zq∗, stores (m,r) into Lhi, and sends r to A.
CreateSM(idi): C keeps a table LSM of the form (idi,θi,si,Xi). Upon receiving such a query, C checks if LSM contains a tuple (idi,θi,si,Xi). If so, C sends Xi to A; otherwise, C answers the query through the rules below:
If idi = idI, C randomly picks two integers θi, αi ∈ Zq∗ and sets Xi ← a·P (= Q1). C stores (idi, Xi, αi) into Lh1 and (idi, θi, ⊥, Xi) into LSM; the private key si of idI is unknown to C.
Otherwise (idi ≠ idI), C randomly selects three integers θi, αi, si ∈ Zq∗ and sets Xi ← αi⁻¹·(si·P − Ppub). C stores (idi, Xi, αi) into Lh1 and (idi, θi, si, Xi) into LSM.
CorruptSM(idi): C checks if LSM contains a tuple (idi,θi,si,Xi). If not, C makes CreateSM-query with the identity idi. After that, C returns (idi,θi,si,Xi) to A.
Signcrypt(idi, mi): C checks whether idi and idI are equal. If they are not, C extracts the tuple (idi, θi, si, Xi) from LSM and uses it to produce a ciphertext {Xi, Yi, ci, di, t} according to the description of the proposed data aggregation scheme; otherwise, C randomly selects two integers di, βi ∈ Zq∗ and computes Yi = βi⁻¹·(di·P − Ppub − αi·Xi) and ci = mi + θi + h2(s·Yi). C stores (idi, Xi, Yi, ci, t, βi) into Lh3 (so that h3(idi, Xi, Yi, ci, t) = βi) and sends {Xi, Yi, ci, di, t} to A.
Designcrypt(idi, Xi, Yi, ci, di, t): for such a query made by A, C checks the validity of the ciphertext and decrypts it to get the plaintext using the system's secret key s.
At last, A outputs a forged ciphertext (idi, Xi, Yi, ci, di, t). C aborts the game unless idi = idI. Based on the forking lemma [41], C can obtain another valid ciphertext (idi, Xi, Yi, ci, di′, t) by rewinding A with a different choice of the hash function h1, so that h1(idi, Xi) returns αi′ ≠ αi in the second run. Since both ciphertexts are valid, we can derive the following two equations:
$$
d_i\cdot P = P_{pub} + \alpha_i\cdot X_i + \beta_i\cdot Y_i, \qquad d_i'\cdot P = P_{pub} + \alpha_i'\cdot X_i + \beta_i\cdot Y_i. \qquad (4)
$$
Based on the above two equations, we can derive the equation below:
$$
(d_i - d_i')\cdot P = d_i\cdot P - d_i'\cdot P = (P_{pub} + \alpha_i\cdot X_i + \beta_i\cdot Y_i) - (P_{pub} + \alpha_i'\cdot X_i + \beta_i\cdot Y_i) = (\alpha_i - \alpha_i')\cdot X_i = (\alpha_i - \alpha_i')\cdot a\cdot P. \qquad (5)
$$
C outputs (di − di′)·(αi − αi′)⁻¹ mod q as the solution a of the given DL problem. To compute the probability that C solves the DL problem, the related events are listed below.
E1: idi equals idI.
E2: C is able to forge a legal ciphertext.
Let qh1 denote the number of h1 queries made in the game. It is easy to see that Pr[E1] = 1/qh1 and Pr[E2 | E1] = ϵ. Then, the probability that C solves the DL problem is η = Pr[E1 ∧ E2] = Pr[E2 | E1]·Pr[E1] = ϵ/qh1. Because ϵ is nonnegligible, η is nonnegligible as well. This contradicts the hardness of the DL problem. Thus, the proposed data aggregation scheme is able to provide unforgeability.
5.3. Analysis of Security Requirements
We will show that the proposed lightweight data aggregation scheme is able to meet security requirements presented in Section 3.
(i) Confidentiality. An internal attacker against the proposed data aggregation scheme can compute $c = \sum_{i=1}^{n}(c_i - h_2(s\cdot Y_i))$. Without the blinding factor θ0, he/she cannot extract the sum of the power consumption data by computing $m = c + \theta_0 \bmod q$, and without the individual blinding factor θi he/she cannot recover a single mi from ci. Besides, Theorem 3 shows that the proposed lightweight data aggregation scheme provides confidentiality against any external attacker. Thus, our lightweight data aggregation scheme provides confidentiality.
(ii) Authentication. Theorem 4 shows that no attacker can forge a legal ciphertext. Agg can therefore verify the legality of received messages by checking whether the equation $(\sum_{i=1}^{n} z_i\cdot d_i)\cdot P = (\sum_{i=1}^{n} z_i)\cdot P_{pub} + \sum_{i=1}^{n}(z_i\cdot\alpha_i\cdot X_i + z_i\cdot\beta_i\cdot Y_i)$ holds. Therefore, the proposed data aggregation scheme provides authentication.
(iii) Integrity. Theorem 4 demonstrates that no attacker against the proposed data aggregation scheme can forge a legal ciphertext. Agg can detect any modification of the received data by checking whether the equation $(\sum_{i=1}^{n} z_i\cdot d_i)\cdot P = (\sum_{i=1}^{n} z_i)\cdot P_{pub} + \sum_{i=1}^{n}(z_i\cdot\alpha_i\cdot X_i + z_i\cdot\beta_i\cdot Y_i)$ holds. Therefore, the proposed data aggregation scheme provides integrity.
(iv) Resistance against Attacks. The proposed lightweight data aggregation scheme can resist the replay attack, the modification attack, the man-in-the-middle attack, and the impersonation attack. The reason is analyzed below.
(1) Replay Attack. The timestamp t is included in the ciphertext and bound to it by βi = h3(idi, Xi, Yi, ci, t). Agg can detect any replay of a previous message by verifying t's freshness. Thus, the proposed lightweight data aggregation scheme can resist the replay attack.
(2) Modification Attack. Theorem 4 demonstrates that no attacker against the proposed data aggregation scheme can forge a legal ciphertext. Agg can detect any modification of the received data by checking whether $(\sum_{i=1}^{n} z_i\cdot d_i)\cdot P = (\sum_{i=1}^{n} z_i)\cdot P_{pub} + \sum_{i=1}^{n}(z_i\cdot\alpha_i\cdot X_i + z_i\cdot\beta_i\cdot Y_i)$ holds. Thus, the proposed lightweight data aggregation scheme can resist the modification attack.
(3) Man-in-the-Middle Attack. The above analysis demonstrates that the proposed lightweight data aggregation scheme can supply authentication; that is, Agg can authenticate SMi by checking if di·P=Ppub+αi·Xi+βi·Yi holds. Thus, the proposed lightweight data aggregation scheme can resist the man-in-the-middle attack.
(4) Impersonation Attack. Theorem 4 shows that no attacker can forge a legal ciphertext without SMi's secret key. Agg can therefore detect any impersonation by verifying the validity of the received ciphertext. Therefore, the proposed lightweight data aggregation scheme can resist the impersonation attack.
6. Performance Analysis
We analyze both computation and communication costs of our lightweight data aggregation scheme in this section. We also compare its performance with two of the most recently proposed data aggregation schemes to show that its costs are low.
To achieve a fair comparison, we compare the recently proposed aggregation schemes at the same security level. In the BGN encryption scheme [37], two 512-bit prime numbers p = 2·p′ + 1 and q = 2·q′ + 1 are applied in our experiments, where p′ and q′ are also large primes. In schemes based on bilinear pairing, a Tate pairing on a Type A elliptic curve Ê: y² = x³ + 1 mod p̂ with prime order q̂ is applied in our experiments, where the lengths of p̂ and q̂ are 512 bits and 160 bits, respectively. In schemes based on ECC, an elliptic curve Ē: y² = x³ + a·x + b mod p̄ with prime order q̄ is applied in our experiments, where the lengths of p̄ and q̄ are 160 bits.
6.1. Analysis of Computation Costs
Based on the well-known cryptographic library MIRACL [42], we have implemented all related operations on a personal computer with an Intel i5-3210M 2.50 GHz Central Processing Unit (CPU), 8 GB of Random Access Memory (RAM), and the Windows 7 operating system. Table 3 presents the notations of the operations and their runtime results.
Each SMi in Fan et al.'s scheme [35] runs one BGN encryption, one exponentiation related to the BGN algorithm, two multiplications related to the BGN algorithm, one hash-to-point operation in G1, one point multiplication in G1, and one general hash function. Therefore, SMi's runtime is TENCBGN + TEXPBGN + 2×TMULBGN + THTPBP + TPMBP + TGH = 8.315 + 8.096 + 2×0.032 + 14.293 + 5.485 + 0.001 = 36.254 ms. Agg in Fan et al.'s scheme [35] runs one BGN decryption, one exponentiation related to the BGN algorithm, n−1 multiplications related to the BGN algorithm, n hash-to-point operations, n+1 bilinear pairings, 2n point multiplications with a short exponent related to the bilinear pairing, n−1 point additions related to the bilinear pairing, n−1 exponentiations related to the bilinear pairing, and one general hash function. Therefore, Agg's runtime is TDECBGN + TEXPBGN + (n−1)·TMULBGN + n·THTPBP + (n+1)·TBP + 2n·TPMBP-s + (n−1)·TPABP + (n−1)·TEXPBP + TGH = 4.056 + 8.096 + (n−1)×0.032 + n×14.293 + (n+1)×17.001 + 2n×0.343 + (n−1)×0.023 + (n−1)×0.874 + 0.001 = (32.909·n + 28.225) microseconds.
Each SMi in the proposed scheme executes two point multiplications related to ECC (Yi = yi·P and Ŷi = yi·Ppub) and two general hash functions (h2 and h3). Therefore, SMi's runtime is 2×TPMECC + 2×TGH = 2×0.986 + 2×0.001 = 1.974 microseconds. Agg in the proposed scheme executes 3×n+2 point multiplications related to ECC, 2×n point additions related to ECC, and 3×n general hash functions. Therefore, Agg's runtime is (3×n+2)×TPMECC + 2×n×TPAECC + 3×n×TGH = (3×n+2)×0.986 + 2×n×0.004 + 3×n×0.001 = (2.969·n + 1.972) microseconds.
Table 4 and Figure 3 show the runtime comparisons among Fan et al.’s data aggregation scheme [35], He et al.’s scheme [4], and the proposed scheme. From Tables 4 and 2, the proposed scheme incurs a lower computation cost as compared to Fan et al.’s scheme and He et al.’s scheme at both sides of SMi and Agg.
Table 3: Notations about related operations and runtime results (microseconds).

Notation    Description                                                                  Runtime
ENCBGN      BGN encryption                                                               8.315
DECBGN      BGN decryption                                                               4.056
EXPBGN      Exponentiation related to BGN algorithm                                      8.096
MULBGN      Multiplication related to BGN algorithm                                      0.032
BP          Bilinear pairing                                                             17.001
HTP         Hash-to-point                                                                14.293
PMBP        Point multiplication related to the bilinear pairing                         5.485
PMBP-s      Point multiplication with a short exponent related to the bilinear pairing   0.343
PABP        Point addition related to the bilinear pairing                               0.023
EXPBP       Exponentiation related to the bilinear pairing                               0.874
MULBP       Multiplication related to the bilinear pairing                               0.005
EXPDLP      Exponentiation related to the DL problem                                     1.295
EXPDLP-s    Exponentiation with a short exponent related to the DL problem               0.081
MULDLP      Multiplication related to the DL problem                                     0.012
PMECC       Point multiplication related to ECC                                          0.986
PMECC-s     Point multiplication with a short exponent related to ECC                    0.061
PAECC       Point addition related to ECC                                                0.004
GH          General hash function                                                        0.001
Table 4: Runtime comparisons (microseconds).

        Fan et al.'s scheme    He et al.'s scheme    The proposed scheme
SMi     36.254                 20.145                17.751
Agg     32.909n+28.225         6.264n+48.249         2.969n+1.972
Figure 3: Runtime comparisons of related schemes.
6.2. Analysis of Communication Costs
Since the sizes of p1, q1, p′, q′, p̂, and q̂ are 512 bits, 512 bits, 512 bits, 160 bits, 1024 bits, and 160 bits, respectively, the sizes of elements in Zn∗, G1, G2, Zq′∗, Zp̂∗, and Zq̂∗ are 1024 bits, 1024 bits, 1024 bits, 160 bits, 1024 bits, and 160 bits, respectively. We assume that the timestamp and the identity are each 32 bits long. The communication costs of the related data aggregation schemes are computed below.
In Fan et al.'s data aggregation scheme [35], SMi sends the message (δi, CTi, t) to Agg, where δi ∈ G1, CTi ∈ Zn∗, and t is the timestamp. Therefore, the communication cost of Fan et al.'s data aggregation scheme is 1024 + 1024 + 32 = 2080 bits. In He et al.'s data aggregation scheme [4], SMi sends the message (IDi, Ri, δi, CTi, t) to Agg, where Ri ∈ G1, δi ∈ Zq′∗, CTi ∈ G1, IDi is SMi's identity, and t is the timestamp. Therefore, the communication cost of He et al.'s data aggregation scheme is 32 + 1024 + 160 + 1024 + 32 = 2272 bits. In the proposed data aggregation scheme, SMi sends the message (ci, di, ei, t) to Agg, where ci ∈ Zn∗, di ∈ Zp̂∗, ei ∈ Zq̂∗, and t is the timestamp. Therefore, the communication cost of the proposed data aggregation scheme is 1024 + 1024 + 160 + 32 = 2240 bits.
Based on the above evaluation, the proposed data aggregation scheme incurs a lower communication cost than He et al.'s scheme (2240 bits versus 2272 bits per report) and a slightly higher cost than Fan et al.'s scheme (2240 bits versus 2080 bits per report; the additional 160 bits are the element ei ∈ Zq^∗). Security is the primary requirement of a data aggregation scheme, and Fan et al.'s scheme suffers from serious security weaknesses. Removing those weaknesses at the price of less than 8% more communication per report is a reasonable trade-off.
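To make the bit counts above concrete, the following Python, an added illustration that is not code from the paper or from any of the compared schemes, encodes one SMi to Agg report with every field at its fixed width and parses it back with the checks a receiver should apply before using the values. The byte layout (big-endian, zero-padded fields in the order the text lists them), the function names, and the random placeholder values that stand in for the real group elements are assumptions of this example; only the field sizes come from the text.

```python
"""Fixed-width wire encoding for the per-meter reports compared in Section 6.2.
Added illustration: the paper specifies field sizes only. The byte layout
(big-endian, zero-padded, fields in the order given in the text) is an
assumption made here and is not part of any of the schemes."""
import secrets

# Field sizes in bits, taken from the text: elements of Zn*, G1 and Zp^* are
# 1024 bits, elements of Zq'* and Zq^* are 160 bits, identity and timestamp
# are 32 bits each.
BITS = {"Zn": 1024, "G1": 1024, "Zp": 1024, "Zq1": 160, "Zq2": 160,
        "id": 32, "t": 32}

# Report layouts (field name, group) for the three compared schemes.
LAYOUTS = {
    "fan": [("delta_i", "G1"), ("CT_i", "Zn"), ("t", "t")],
    "he": [("ID_i", "id"), ("R_i", "G1"), ("delta_i", "Zq1"),
           ("CT_i", "G1"), ("t", "t")],
    "proposed": [("c_i", "Zn"), ("d_i", "Zp"), ("e_i", "Zq2"), ("t", "t")],
}


def message_bits(scheme):
    """Communication cost of one SM_i -> Agg report, in bits."""
    return sum(BITS[group] for _, group in LAYOUTS[scheme])


def pack_report(scheme, fields):
    """Serialise a report with every field zero-padded to its fixed width.
    Fixed widths keep the report size independent of the field values, so
    the length of a report reveals nothing about its contents."""
    out = bytearray()
    for name, group in LAYOUTS[scheme]:
        nbits = BITS[group]
        value = fields[name]
        if not 0 < value < (1 << nbits):
            raise ValueError(f"{name} out of range for a {nbits}-bit field")
        out += value.to_bytes(nbits // 8, "big")
    return bytes(out)


def parse_report(scheme, blob):
    """Inverse of pack_report with the checks a receiver must perform: the
    exact expected length, and no field equal to zero (0 is not an element
    of Zn*, Zp^* or Zq^*, and a zero timestamp is never fresh)."""
    if len(blob) * 8 != message_bits(scheme):
        raise ValueError("wrong report length")
    fields, offset = {}, 0
    for name, group in LAYOUTS[scheme]:
        width = BITS[group] // 8
        value = int.from_bytes(blob[offset:offset + width], "big")
        offset += width
        if value == 0:
            raise ValueError(f"{name} is zero")
        fields[name] = value
    return fields


def sample_report(scheme, t=1_700_000_000):
    """Constructed sample report: random odd values of the right width stand
    in for the real group elements (no actual ciphertexts or signatures)."""
    return {name: t if name == "t" else (secrets.randbits(BITS[group]) | 1)
            for name, group in LAYOUTS[scheme]}


if __name__ == "__main__":
    for scheme in LAYOUTS:
        print(scheme, message_bits(scheme), "bits per report")
    blob = pack_report("proposed", sample_report("proposed"))
    print("proposed report:", len(blob), "bytes")
```

The `parse_report` checks are the minimum a receiver needs: a report of the wrong length or with a zero group element must be rejected before any cryptographic verification is attempted, and the fixed widths are what make the per-report cost figures in the text hold for every possible value of the fields.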
7. Conclusion
To ensure security and protect privacy in the smart grid environment, several data aggregation schemes have been proposed in recent years. However, most of them are not secure against internal attackers. To address this problem, Fan et al. [35] proposed a data aggregation scheme intended to resist internal attacks. Unfortunately, their scheme suffers from serious security weaknesses. To enhance security, He et al. [4] proposed an improved data aggregation scheme based on bilinear pairing. However, the performance of He et al.'s scheme is not well suited to the smart grid environment because the smart meter has limited computation capability. In this paper, we have proposed a novel data aggregation scheme that thwarts internal attacks in the smart grid environment. The security analysis shows that the proposed scheme is provably secure and meets the security requirements. In addition, the performance evaluation shows that the proposed scheme has the lowest computation cost of the three schemes for both the smart meter and the aggregator, and a lower communication cost than He et al.'s scheme. The stronger security and better performance of the proposed scheme make it more suitable for smart grids.
With the rapid development of quantum computing, the traditional hard problems (such as the DL problem and the CDH problem) are likely to become solvable in polynomial time by quantum computers. Once that happens, none of the above data aggregation schemes for the smart grid remains secure. Lattice-based constructions have been widely used to build cryptographic schemes that resist quantum adversaries. However, no lattice-based data aggregation scheme has been proposed yet. To improve long-term security, it is worthwhile to consider the design of a lattice-based data aggregation scheme for the smart grid.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The work was supported by the National Natural Science Foundation of China (nos. 61572370, 61501333, 61572379, and U1536204), the National High-Tech Research and Development Program of China (863 Program) (no. 2015AA016004), and the Natural Science Foundation of Hubei Province of China (no. 2015CFB257). Sherali Zeadally’s work has been supported by a University Research Professorship Award from the University of Kentucky.
References
[1] Z. M. Fadlullah, M. M. Fouda, N. Kato, A. Takeuchi, N. Iwasaki, and Y. Nozaki, "Toward intelligent machine-to-machine communications in smart grid."
[2] Y. Zhang, R. Yu, M. Nekovee, Y. Liu, S. Xie, and S. Gjessing, "Cognitive machine-to-machine communications: visions and potentials for the smart grid."
[3] C. Greer, D. A. Wollman, and D. E. Prochaska, "NIST framework and roadmap for smart grid interoperability standards, release 3.0," doi:10.6028/NIST.SP.1108r3.
[4] D. He, N. Kumar, and J.-H. Lee, "Privacy-preserving data aggregation scheme against internal attackers in smart grids."
[5] J. Gao, Y. Xiao, J. Liu, W. Liang, and C. L. P. Chen, "A survey of communication/networking in smart grids."
[6] N. Saputro, K. Akkaya, and S. Uludag, "A survey of routing protocols for smart grid communications."
[7] V. C. Güngör, D. Sahin, T. Kocak, S. Ergüt, C. Buccella, C. Cecati, and G. P. Hancke, "Smart grid technologies: communication technologies and standards."
[8] W. Su, H. Eichi, W. Zeng, and M.-Y. Chow, "A survey on the electrification of transportation in a smart grid environment."
[9] D. Wu and C. Zhou, "Fault-tolerant and scalable key management for smart grid."
[10] Z. Wan, G. Wang, Y. Yang, and S. Shi, "SKM: scalable key management for advanced metering infrastructure in smart grids."
[11] K. Yu, M. Arifuzzaman, Z. Wen, D. Zhang, and T. Sato, "A key management scheme for secure communications of information centric advanced metering infrastructure in smart grid."
[12] J. H. Park, M. Kim, and D. Kwon, "Security weakness in the smart grid key distribution scheme proposed by Xia and Wang."
[13] J.-L. Tsai and N.-W. Lo, "Secure anonymous key distribution scheme for smart grid."
[14] D. He, H. Wang, M. K. Khan, and L. Wang, "Lightweight anonymous key distribution scheme for smart grid using elliptic curve cryptography."
[15] H. Liu, H. Ning, Y. Zhang, and M. Guizani, "Battery status-aware authentication scheme for V2G networks in smart grid."
[16] H. Li, R. Lu, L. Zhou, B. Yang, and X. Shen, "An efficient Merkle-tree-based authentication scheme for smart grid."
[17] N. Saxena, B. J. Choi, and R. Lu, "Authentication and authorization scheme for various user roles and devices in smart grid."
[18] N. Koblitz, "Elliptic curve cryptosystems."
[19] V. S. Miller, "Use of elliptic curves in cryptography," in Proceedings of the Conference on the Theory and Application of Cryptographic Techniques, Springer, 1985, pp. 417–426, doi:10.1007/3-540-39799-X_31.
[20] X. Huang, Y. Xiang, E. Bertino, J. Zhou, and L. Xu, "Robust multi-factor authentication for fragile communications."
[21] X. Huang, Y. Xiang, A. Chonka, J. Zhou, and R. H. Deng, "A generic framework for three-factor authentication: preserving security and privacy in distributed systems."
[22] D. He, S. Zeadally, N. Kumar, and J.-H. Lee, "Anonymous authentication for wireless body area networks with provable security."
[23] Z. Fu, X. Sun, Q. Liu, L. Zhou, and J. Shu, "Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing."
[24] Z. Fu, X. Wu, C. Guan, X. Sun, and K. Ren, "Toward efficient multi-keyword fuzzy search over encrypted outsourced data with accuracy improvement."
[25] Z. Fu, K. Ren, J. Shu, X. Sun, and F. Huang, "Enabling personalized search over encrypted outsourced data with efficiency improvement."
[26] Z. Xia, X. Wang, X. Sun, Q. Liu, and Q. Wang, "A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data."
[27] X. F. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, "New algorithms for secure outsourcing of modular exponentiations."
[28] X. Chen, J. Li, X. Huang, J. Ma, and W. Lou, "New publicly verifiable databases with efficient updates."
[29] F. Li, B. Luo, and P. Liu, "Secure information aggregation for smart grids using homomorphic encryption," in Proceedings of the 1st IEEE International Conference on Smart Grid Communications (SmartGridComm '10), 2010, pp. 327–332, doi:10.1109/smartgrid.2010.5622064.
[30] F. D. Garcia and B. Jacobs, "Privacy-friendly energy-metering via homomorphic encryption," in Proceedings of the International Workshop on Security and Trust Management, Springer, 2010, pp. 226–238, doi:10.1007/978-3-642-22444-7_15.
[31] P. Paillier, "Public-key cryptosystems based on composite degree residuosity classes," in Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, LNCS 1592, Springer, Berlin, Germany, pp. 223–238, doi:10.1007/3-540-48910-X_16.
[32] R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, "EPPA: an efficient and privacy-preserving aggregation scheme for secure smart grid communications."
[33] J. Zhang, L. Liu, Y. Cui, and Z. Chen, "SP²DAS: self-certified PKC-based privacy-preserving data aggregation scheme in smart grid."
[34] L. Chen, R. Lu, and Z. Cao, "PDAFT: a privacy-preserving data aggregation scheme with fault tolerance for smart grid communications."
[35] C.-I. Fan, S.-Y. Huang, and Y.-L. Lai, "Privacy-enhanced data aggregation scheme against internal attackers in smart grid."
[36] H. Bao and R. Lu, "Comment on 'Privacy-enhanced data aggregation scheme against internal attackers in smart grid'."
[37] D. Boneh, E.-J. Goh, and K. Nissim, "Evaluating 2-DNF formulas on ciphertexts," in Proceedings of the Theory of Cryptography Conference, LNCS 3378, Springer, Berlin, Germany, 2005, pp. 325–341, doi:10.1007/978-3-540-30576-7_18.
[38] H. Cohen, G. Frey, and R. Avanzi.
[39] J. K. Liu, T. H. Yuen, M. H. Au, and W. Susilo, "Improvements on an authentication scheme for vehicular sensor networks."
[40] M. Barbosa and P. Farshim, "Certificateless signcryption," in Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS '08), ACM, March 2008, pp. 369–372, doi:10.1145/1368310.1368364.
[41] D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures."
[42] M. Scott, MIRACL library, 2011, http://www.shamus.ie.