A Secure and Scalable Data Communication Scheme in Smart Grids

1Key Laboratory of Dependable Service Computing in Cyber Physical Society, Chongqing University, Ministry of Education, Chongqing, China 2School of Software Engineering, Chongqing University, Chongqing, China 3Department of Electrical Engineering & Computer Science, The Catholic University of America, Washington, DC, USA 4Department of Computer Science, Texas Christian University, Fort Worth, TX, USA 5School of Electronics and Information Engineering, Beijing Jiaotong University, Beijing, China 6Department of Computer Science, The George Washington University, Washington DC, USA 7Department Electrical and Computer Engineering, University of British Columbia, Vancouver, BC, Canada 8Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, CAS, Beijing, China


Introduction
The concept of smart grid gained tremendous attention among researchers and utility providers in recent years.With such a technology, advanced developments such as sensing, control, digital communications, and networking are integrated into the power systems to effectively and intelligently control and monitor the power grid.Generally speaking, the power grid consists of three major components: power generation, power transmission, and power distribution [1].Typically, wired communications such as optical networking are adopted to support the power backbone consisting of the power generation and transmission systems [2]; but for the power distribution network, which provides power directly to customers, both wired and wireless communications are adopted.
Smart grid brings new features into the power grid: renewable-based generation, demand-response, wide area protection, and smart metering, just to name a few [3].Within a smart grid, utility companies can send alerts to notify customers and may further ask them to reduce their power consumption by temporarily turning off some devices during the periods of peak energy consumption [4].The certain critical control actions can be sent from the control center to smart meters, in which the actions are expected to be taken immediately for safe operations, and the wide area protection schemes can be deployed to prevent cascaded failures and provide better interconnections.However, despite the attractive features provided by smart grid technologies, challenges, especially those in cyber security and privacy [5], are still present.For example, it has been reported that the pervasively adopted integrated Supervisory Control and Data Acquisition (SCADA)/Energy Management systems [6] are vulnerable to significant security threats [7][8][9][10].
As paper [11] pointed out, we need new technologies to protect the confidentiality of the customer's data.Also, customer's privacy should be preserved when data are collected for marketing purpose.It has been demonstrated by [12] that, even without a priori knowledge of household activities, it is still possible to extract customers' usage patterns from the data uploaded by smart meters once every 15 minutes.
Utility companies need customer's energy consumption data for billing purpose.Third-party service providers may need to collect electricity usage records of certain smart devices to monitor device's status and detect potential problems.Some other data analysis companies may need user's energy consumption data to do market research.From customer's perspective, customer should have control over their own data.It means that customer knows and controls the access to his own energy consumption data.If the data is needed for marketing purpose, customer should be informed and guaranteed that his own data are anonymized.Traditionally, smart meter needs to learn receiver's identity (e.g., smart meters should know the certificate of the utility company) and decides whether to send its data or not.For such a large communication network, it may not desirable for smart meters to learn all the identities.And the wide used public-key infrastructure based on X.509 protocol on Internet does not provide enough security guarantees since a fake or stolen certificate may cause tremendous damage and loss in smart grid communication network.On the other hand, all the data can be uploaded into a data repositories [13][14][15], which store customers' data and distribute them to the third-party service providers under the supervision of a fine-grained access control.It is the data repositories' responsibility to enforce the access control policies and distribute customers' data based on customer's choice and the related regulations and laws, which certainly put tremendous burden on the data repository servers since the compromise of a data repository server reveals all the data it maintains.
To tackle the challenges, we take a fundamentally different approach by employing attribute based crypto system: attribute based encryption (ABE) enables the smart meters to encrypt its data on a set of descriptive attributes, which determine the access privilege of the data.All the legitimate users that may have different identities but possess appropriate sets of attributes can decrypt the data independently.This successfully implements a secure multicast of the customer's data to multiple users, and the smart meters even do not need to know the receiver's detailed identity.Attribute based signature (ABS), in which a signature attests not to the identity of the individual who endorsed a message, but instead to a (possibly complex) claim regarding the attributes she possesses [16], provides a strong unforgeability guarantee for the verifier that the signature was produced by a single party whose attributes satisfy the claim being made.Also, the signature reveals nothing about the identity and even the attributes of the signer beyond what is explicitly revealed by the claim being made.This successfully solves the problem of data anonymity, so that the marketing companies only know that the data comes from the desired group of customer and customer's identity is fully preserved.
Attribute based encryption, more specifically, Ciphertext-Policy Attribute Based Encryption (CP ABE) [17], provides a secure multicasting and role-based access control.Data stored on data repositories are encrypted and the compromise of data repositories only leaks the encrypted data.It does not need to use a software approach that checks an entities' privilege and decide whether access is granted or not.Attribute based signature is more preferable than other privacy preserving signature schemes such as group signatures [18,19], ring signatures [20], and mesh signatures [21]; that is, ABS is more practical and provides a stronger guarantee on privacy.Group signature needs a predefined group of people and a group manager.Ring signature needs a predefined group of people too.And the group should be large enough to achieve anonymity.As for mesh signature, it explicitly allows collusion [16], which is not desirable in our case.
ABE and ABS need attribute authority to issue secret keys for attributes so the entity with proper set of secret keys can decrypt and sign a message.In a large scale communication network like smart grid, the attribute authority might become the bottleneck of the entire system.It is desirable to have attribute authority distributed.The decentralized attribute based encryption proposed by Lewko and Waters [22] makes multiauthority possible, and attribute authority does not need to trust each other in the system.Multiauthority ABS has been proposed by Maji et al. [16] that enables multiauthority settings too.In our paper, we mainly focus on implementing and analyzing the decentralized ABE and multiauthority ABS in smart grid communication network.
The contributions of this paper are summarized as follows: (1) We propose a secure and scalable communication architecture involving multiple authorities, smart meters, data consumers, and data repositories for smart grid systems.Our architecture emphasizes customers' control on their data and privacy.
(2) We implemented decentralized attribute based encryption scheme [22] and multiauthority attribute based signature [16] scheme.We described the communication protocols to achieve customer controlled access control and data anonymity.
(3) We measured the performance of the implemented schemes on different types of curves and groups.We analyzed the efficiency of the implemented schemes and provide future research directions.
The remainder of this paper is structured as follows.In Section 2, we discuss the related work.In Section 3, we introduce the required preliminaries and the system model.Section 4 proposes the secure communication mechanism and presents a scheme to ensure access control for the sensitive data.Section 5 gives performance analysis, followed by the conclusions in Section 6.

Related Work
In smart grid communication network, security problems mainly lie in the subjects of sensor networks, wireless networks, and Internet.A significant amount of research has been carried out to protect the smart grid systems.Multicast authentication schemes such as TELSA, Biba, HORS, and OTS [3,23] were proposed for authenticating entities such as utility companies and control centers when messages or control commands are sent to smart meters.To authenticate smart meters or other smart devices to the control center, batch verification schemes [24][25][26][27] were developed to improve the efficiency.Data aggregation based on homomorphic encryption, secret sharing, and other technologies [13,25,26] was designed to aggregate customers' data and to protect their privacy.
Recently, ABE has received significant amount of attention in securing smart grids because it does not require certificates and it can be used to construct a fine-grained access control mechanism.Actually, the original motivation for ABE scheme is to design an error-tolerant (or fuzzy) identity-based encryption scheme [28] that could be applied to biometric identities.However, the original threshold ABE scheme in [28] is not very impressive as it is limited from designing more general systems.A more general idea called key-policy attribute based encryption (KP ABE) was proposed by Goyal et al. [29] to embed a general secret sharing scheme for a monotonic access tree instead of the Shamir secret sharing scheme used in [28].Later, Bethencourt et al. proposed the Ciphertext-Policy Attribute Based Encryption (CP ABE or BSW CP ABE) scheme [17] that reverses the KP ABE construction: the encrypted data (the ciphertext) carries an access structure over attributes; meanwhile, a user's private key is associated with a set of descriptive attributes.The owner or the encryptor now has more control over the data by constructing an access structure for every data to be encrypted.
Later, ABE has been utilized to fit practical problems.Pirretti et al. implemented the threshold ABE system [30] while Chase [31] provided a construction for a multiauthority attribute based encryption system.A decentralized Ciphertext-Policy Attribute Based Encryption scheme was proposed in [22], which deals with the fact that, in practice, there may be more than one attribute authority.And we implemented the decentralized ABE in prime order group in this paper and further analyze the computational cost in different curves and groups.
ABS was introduced by Maji et al. in [16] to achieve a strong unforgeability guarantee for the verifier, which means that the signature was produced by a single party whose attributes satisfy the claim being made.And the privacy of the singer is fully preserved since the signature reveals nothing about the identity or attributes of the signer beyond what is explicitly revealed by the claim being made.However, the security proof in [16] is in generic model group.Later Li et al. proposed an ABS scheme that is selective secure in standard model.But the scheme deals with only (, )-threshold, which means that it may not be as expressive as Maji et al. 's ABS scheme, which uses an monotone access structure.Moreover, since we prefer large universe construction in smart grid communication network, it is hard and unpractical to implement schemes that are secure in standard model (usually we need to have a polynomial () with degree  and the size of public parameters grows with ).We implemented and analyzed Maji et al. 's multiauthority ABS [16] scheme in this paper.One has to notice that, in multiauthority attribute based crypto system, attribute authorities are completely independent from each other, which is a desirable feature for large scale, distributed smart grid communication network.
As a promising technique, identity/attribute based crypto system has been proposed to solve problems in smart grid communication network.A scheme that employs IBE to provide a zero-configuration encryption and authentication solution for end-to-end secure communications was proposed in [32].The concept of IBE was utilized by [25] to construct a signature and later verify the signature.KP ABE was adopted by [33] to broadcast a single encrypted message to a specific group of users.Reference [13] utilizes the Linear Secret Sharing to construct the access policy [22,34] and then enforce access control.However, most of the works done before have no implementation and real life performance analysis.This paper serves as a step that brings the discussion to a more practical stage: implementation and performance analysis.Essentially, the decentralized ABE scheme and multiauthority ABS scheme have their own set of parameters.There are works which have been done to combine ABE with ABS [35], which can be a potential future research direction.

Preliminaries
In this section, we mainly introduce the preliminaries related to our actual implementation.Theoretical preliminaries can be found in [16,22,36,37].
A asymmetric bilinear map is that  is an efficiently computable function: and the property of Nondegeneracy and Bilinearity still hold.We run our implementation on both symmetric and asymmetric pairings and analysis the efficiency.
We are more familiar with (, )-threshold gate and a threshold gate in [17] can be represented as Boolean formula.For example, an (2, 3)-threshold gate of {, , } can be expressed as ( AND ) OR ( AND ) OR ( AND ).In this paper, we are using Boolean formula to express an access structure.
Further, we are using the linear secret sharing schemes (LSSS) proposed in [39,40], which means we will parse a Boolean formula into a access matrix  and a mapping (), where  is called the share-generating matrix and () maps rows of the matrix to the elements in the Boolean formula.Formally,  has ℓ rows and  columns, and the  th row of  will be mapped to an elements in Boolean formula by the function ().When we consider the column vector V = (,  2 , . . .,   ), where  ∈ Z  is the secret to be shared and  2 , . . .,   ∈ Z  are randomly chosen,  ⋅ V is the vector of ℓ shares of the secret .The share (⋅V)  belongs to the element ().
We use the converting method in [22] and the detailed algorithm is described in Section 5.6.Here is an example: consider an access structure ( AND ( OR ( AND ))); the corresponding access matrix and () will be ( For an authorized set {, , }, the corresponding matrix  matched ( has a vector (1, 0, . . ., 0) in their span.In other words, there is a vector   , which in this case is (1, 1, 1), and   ×  matched = (1, 0, . . ., 0).In this case, (  ×  matched ) × V  =  means that once we have  matched and   , we can recover .The processing described above is called linear reconstruction.Note that we do not lose any efficiency by using the LSSS matrix as opposed to the previously used tree access structure descriptions in [17].The reason is that the computational cost is directly related to the number of attributes involved in the encryption or sign, and the computational cost of linear reconstruction or polynomial interpolation is negligible.Section 5 will go through a detailed analysis of computational cost.

Security Notions and Models.
There are two security notions in identity-based encryption: selective-ID secure and fully secure.Selective secure, introduced by Canetti et al. [41,42], is weaker than fully secure, which was introduced by Boneh and Franklin in [43].Generally speaking, fully secure means that the scheme is secure even if the adversary adaptively selects identity to attack based on previous secret keys.For selective secure, the adversary must commit ahead of time to the identity that he will attack.In other words, adversary in fully secure is more powerful since he can query even after he receives the identity to attack.
There are several security models for public-key crypto system.The random oracle model was first introduced by Bellare and Rogaway [44].It assumes that the adversary has the access right to a public, truly random hash function, which is based on SHA-1.Random oracle model is very useful in practice, but from a theoretical perspective, the standard model is more preferred.In the standard mode, security is proven using only standard complexity assumptions.For example, [45] is built on Decisional Bilinear Diffie-Hellman Assumption and Computational Diffie-Hellman Assumption.
Even if standard model is desirable from the perspective of theory, random oracle model is more practical especially when it comes to large universe construction.Paper [46] is fully secure under standard model.But we need to random a set of group elements for attributes in the system.It means that attributes are defined at the setup and published in the public parameters.We call this kind of construction as "small universe construction."In practice, especially in a communication network like smart grid, it is desirable to dynamically use any attribute as we want.The easy way to do this is to use a hash function that we model as a random oracle to map an attribute to a group element.However, we end up with a scheme that secure in random oracle model.
If we still adopt the standard model, we can use a polynomial () with degree  [46] and map attributes in Z  to elements in G by setting (attribute) :=  (attribute) , where  is the generator of group G.The public parameters would then include { () } for  + 1 points  so that (attribute) could be computed for any attribute by polynomial interpolation.One has to notice that, in practice, we not only need to map an attribute into a group element, but also need to map an identity (which we call it uid in this paper) into a group element.Since () is a ( + 1)-wise independent function modulo primes, the system is vulnerable to collusion attacks when a user has  + 1 secret keys or more than  + 1 users get together to collude.To prevent this from happening, we need to set  large enough so that no users will have more than  + 1 secret keys and it is impossible for more than  + 1 users to get together and collude.This will boost the size of public parameters and the assumption that no more than +1 users will collude sounds less convincing than random oracle model and a SHA-1 hash function.

Generic Group Model, Composite, and Prime Order
Groups.Besides random oracle model and standard model, there is a model called generic group model, proposed by Shoup [47].The model relies on hardness of problems related to finding the discrete logarithm in a group with bilinear pairings.In the model, algorithms can only manipulate group elements via canonical group operations (including the bilinear pairing).We are using prime order groups here in our paper since prime order subgroups of general elliptic curve groups are good examples of groups where all known attacks against the discrete log problem are not significantly better than attacks in the generic group.The multiauthority ABS [16] is secure in the generic group model.The decentralized ABE [22] in prime order groups is secure in generic group model too.
Bilinear groups of composite order were introduced by Boneh et al. [48].Since the elliptic curve group order  must be infeasible to factor in composite order group, it must be at least 1024 bits.On the other hand, the size of a prime order elliptic curve group that provides an equivalent level of security is 160 bits.It is not practical to implement the decentralized ABE scheme on composite order group since group operations and especially pairing computations are prohibitively slow on composite order curves [49].A Tate pairing on a 1024-bit composite order elliptic curve is roughly 50 times slower than the same pairing on a comparable prime order curve [49].The small universe construction of decentralized ABE is fully secure in standard model in composite order groups.However, we implemented the decentralized ABE scheme in prime order group and the security reduced to the generic group model.
In summary, we implemented the decentralized ABE and multiauthority ABS that are secure in generic group model.We test and analyze the performance of implementation under both symmetric groups and asymmetric groups.And we are using LSSS matrix and linear reconstruction in our implementation.

Architecture and Protocol
In this section, we introduce our architecture and communication protocol.Generally speaking, we use decentralized ABE to achieve a fine-grained access control on data collected by smart meters.Also, multiauthority ABS has been used to achieve data anonymity when data consumers or marketing companies need data from certain area or subset of smart meters while user's privacy needs to be preserved.

System Model.
We consider the architecture in Figure 1 as the basis of our following discussion.Figure 1 reproduced from Hu et al. (2017) [14].There are different entities in the communication structure: attribute authorities (AAs), smart meters, data repositories, and data consumers.Data consumers mainly refer to the utility companies (UCs) and third-party service providers (TPDCs).The following sections are a brief introduction to all the entities.
(1) Attribute Authorities (AAs).AAs are responsible for generate and distribute secret keys for smart meters and data consumers.There are multiple AAs in the system and they may not know each other or trust each other.An AA is only responsible for generating secret keys for attributes.We assume that every entity in the system has a unique identifier (GID or uid), and any entity should prove its identity to AA if it needs secret key for its attributes.In this, we do not discuss how to obtain the GID or uid for an entity and how to prove its identity for AAs.Generally speaking, in a communication network like smart grid, every entity (e.g., smart meter) has a unique ID and registered in certain government authorities.The distribution of secret keys can be done by preestablished channel.
Note that a signature trustee should be deployed besides AAs in a multiauthority ABS system.The signature trustee is responsible for issuing an "ID" to the entity.We model the signature trustee as an attribute authority in our architecture.
(2) Smart Meters.Smart meters are the key entities in a smart grid communication network.Smart meters collect user's energy consumption information and other pieces of information.In a home area network, smart meters are the center controller.Smart meters monitor the activities of every smart device in the home area.In our architecture, smart meters mainly collect user smart devices' energy consumption information.The total energy consumption can be used by UCs to charge the bill.Energy consumption by some smart devices (e.g., e-cars, TV, and PCs) can be used by thirdparty SPs to analysis device's working status and diagnose potential problems.Also, TPSPs can use those data to do market analysis and further guide the marketing.However, in this case, anonymity should be enforced to preserve user's privacy and we are proposing multiauthority ABS to achieve data's anonymity.
Each smart meter has a unique officially certified ID, which registers in the system.The communication between smart meters (and any other entities that need secret keys from AAs) and AAs is preestablished secured channel, which is out of our paper.Identity-based encryption/signature systems are an intriguing candidate to establish a secure channel between smart meters and AAs since every single entity is uniquely identified.We leave the integration of identity-base encryption/signature schemes as one of the future works.In the same time, smart meters use attribute based encryption to encrypt its data to achieve a user defined fine-grained access control.For example, the user can construct an access structure ("ARLINGTON.22202"and "ARLINGTON.UC") and encrypt data with it.Only the entity that has corresponding valid set of key can decrypt the data.The data consumers may need data for market purpose and want to protect users' privacy too.Smart meters can sign a data with the secret key for attributes and claim that the secret keys it process satisfy the predicate, which is the access structure or access matrix.One has to notice that we trust smart meters to honestly encrypt and sign a message.The compromise of a smart meter may cause some misbehavers.For example, the attacker controls some smart meters to encrypt and sign any data at any frequency.Further mechanisms should be adopted to secure smart meter and detect the attacks, which is also beyond our discussion here.
(3) Data Repositories.Data repositories are storage facility that stores the encrypted or signed data.In attribute based crypto system, the data needs to be encrypted or signed once and later any entities with appropriate set of secret keys can decrypt.Instead of store all the data themselves, smart meters can upload the data to the data repositories and data consumers can retrieve the data from the repository.Data repositories should have higher network throughout capacity.It is certainly more reasonable to have some data repositories with high network bandwidth than having all communication between smart meters and data consumers directly, which may require every smart meter to have higher network processing capacity.
The deployment of data repositories does not affect the confidentiality of the data encrypted under an access structure.The data uploaded by smart meters are encrypted with ABE and only the entities with appropriate set of secret keys can be decrypted.ABE reduces the trust we traditionally put on a data repositories, which has software to enforce the access policy based on the records to describe every entity's privilege.ABE's key feature is the fine-grained access control provided by underlying cryptography algorithms.The data repositories handle the request and deliver the data.Even if a data repository is compromised, the data are safe since they are encrypted.
Note that the data is already protected by ABE and we do not need to have a secured channel between data repositories and other entities.However, the assumption is that every entity in the system has a unique identifier and every entity has the ability to verify the sender's identity.This can be done with identity-based encryption/signature, of which we leave the integration as one of the feature works.
(4) Data Consumers.Data consumers refer to utility companies (UCs) and third-party service providers (TPSPs).Generally speaking, UCs need the data collected by smart meters to do the billing.TPSPs may need the data collected by smart meters regarding a specific device to understand their working status and detect potential problems.Also, TPSPs may need data to do market research while they protect user's privacy.Briefly, if data consumers need data, they can retrieve data from data repositories and decrypt it if they have required secret keys to satisfy the access structure.Data consumers verify the signature on data during anonymity data collection, too.

Protect Smart Meter's Data with ABE.
We implemented appendix D of paper [22].Decentralized ABE scheme will enable user defined access control to the data.We will talk about how we use decentralized ABE scheme to protect the data collected by smart meters in this subsection.The scheme  we implemented can be found at Appendix of this paper and the following subsections briefly describe the algorithm and the communication protocol.
(1) Global Setup.Global setup in DABE will output ABE GP, which contains the generators, an hash function we model as a random oracle.Also, ( 1 ,  2 ) is precalculated.
(2) Authority Setup.We describe the AAs as the issuer of secret keys for attributes.One has to notice that AAs are independent with each other and even if two AAs issue secret keys for the same attribute called "TV," they are essentially different and one should specify which AA the attribute belongs to during the encryption and decryption.We are using the format "Arlington.TV" to represent an attribute.The first part of the attribute name is the name of the AA and the second part is the description of the attribute.In this way, attribute "WashingtonDC.TV" is different from "Arlington.TV" and it becomes much more clear during the encryption and decryption regarding which AA an attribute belongs to.In the attribute authority setup, the AA will generate two random exponents for each attribute and publishes PK, which contains all the public keys for attributes and AA will save exponents as the secret key.For example, given an input, {ABE GP, attributes = {"22201", "22202", "", ""}, name = "Arlington"} Algorithm ABE AuthoritySetup() will output: ABE APK Arlington := {"Arlington.22201":{G  ×G 1 }, "Arlington.22202":{G  ×G 1 }, "Arlington.CAR": {G  × G 1 }, "Arlington.TV": {G  × G 1 }} ABE ASK Arlington := {"Arlington.22201":{Z  × Z  }, "Arlington.22202":{Z  × Z  }, "Arlington.CAR": {Z  × Z  }, "Arlington.TV": {Z  × Z  }} as the APK and ASK for AA "Arlington," which are python dictionaries indexed by the name of the attribute (the concatenation of AA's name and attribute's name) and {G  × G 1 }, mean the that they contain an element in G  group and an element in G 1 group.
(3) Attribute Generation.In order to decrypt a data block encrypted by smart meters with an access structure, data consumers need to process a proper set of secret keys.Data consumers obtain secret keys from AAs first.We assume that data consumers and AAs can establish a secured communication by other ways via identity-based encryption/signature or traditional PKI. Figure 2 illustrates the protocol between data consumer and AAs.Data consumer "UC Pentagon" needs secret keys for attribute "Arlington.22202,""Arlington.22201," and "Arlington.TV."The AA "Arlington" will first check if the attributes belong to it or not and it will only generate secret keys for attributes it has.
(4) Encryption.Smart meters can upload encrypted data to data repository.Data will be encrypted by ABE with an access structure (AS).The  will be converted into a access matrix  in the encryption algorithm.Figure 3 illustrates the protocol between smart meter and data repository.There is no need to establish a secured channel forehead since the data transmitted are already encrypted.The MAC in the protocol serves as a proof of sender's identity and protects the integrity of the payload and so do all the MAC described in the following section.If we have identity-based signature in our system, we can use the identity-based signature to sign a digest of the payload.We leave the integration of identity-based encryption/signature as one of the future works.(5) Decryption.Data consumer can retrieve the data from data repositories by using the record id or (uid and (start-Time, endTime)).The data repository will return the ciphertext.On receiving the ciphertext, data consumer will decrypt the data with the secret keys it has.Figure 4 illustrated the communication between data consumer and data repository.One has to notice that data consumer will have secret keys from different AAs.And the decryption should distinguish keys from different AAs.

Protect Data Anonymity by ABS.
We use the ABS to provide data anonymity and achieve sender's verification.On verifying the signature, the receiver knows that the secret keys the sender have satisfy the access structure and nothing more.ABS provides a strong privacy guarantee.The following subsection describes the communication between entities.The code can be found in Appendix of the paper and we will only highlight the communication protocols in the following subsections.There are researchers working on ABE and ABS that share the same set of parameters [35], but for now, we treat ABE and ABS as separate systems, which means that the global parameters, keys, and other parameters are different.
(1) Global Setup.The difference between decentralized ABE and multiauthority ABS is that ABS has one more entities, which is called "signature trustee."Signature trustee will issue a token to a user based on its "uid" and the token must be provided when a user requests secret keys from AAs.In our implementation, we model the signature trustee as one of the AAs (AA "signature trustee") too.And AA "signature trustee" will run the ABS GlobalSetup( max ) → ABS GP, ABS TSK.AA "signature trustee" will save ABS TSK and publish ABS GP.  max is the max number of columns in an access structure, which is related to the numbers of AND gate in the access structure.In our implementation, we first give  max a value and the value can be changed to a larger value in the future if needed.
(2) Authority Setup.The authority setup of multiauthority ABS is similar to the authority setup of decentralized ABE except that there is no need to explicitly specify the set of attributes at the setup.One has to notice that the decentralized ABE and multiauthority ABS scheme we implemented are both in large universe construction, which means that we can have as much attributes as we want.AA in multiauthority can issue keys for any attributes.However, in ABS Sign() and ABS Verify(), one must explicitly specify the source of the attributes, which means that, for every attribute, one needs to specify which AA it belongs to.
(3) Token Register and Attribute Generation.Before entities request secret keys for attributes, the entity needs to register itself at AA "signature trustee."The signature trustee will produce a token for an entity.With the token, an entity can request secret keys from any AAs in the system.One has to notice that secret key for attribute "Arlington.22201" in multiauthority ABS is different from the secret key for "Arlington.22201" in decentralized ABE system even for the same entity.They belong to different scheme and we donate them separately as ABS SK uid and ABE SK uid .Also, the communication happens in a secured channel.Figure 5 illustrates that the smart meter "SM RiverhouseApt" requests its token and secret keys from AAs.
(4) Sign.To sign a message , the smart meter must have proper set of secret keys.If it does not have, ABS Sign() will abort at the first stage.Also,  will be parsed into an access matrix  with a mapping function ().As what we did in decentralized ABE, the  here also explicitly tells the AA of an attribute by using an attribute like "Arlington.22201."Signed data will be uploaded to the data repository too. Figure 6 illustrates the communication between smart meters and data repository.
(5) Verify.In verify, if the ABS Verify() returns reject, the verification failed.The verification is successful if it passes all the "checkpoint."Figure 7 illustrates the communication between data consumer and data repository.

Combine ABE and ABS.
If a customer wants his smart meter to anonymously sign a data and, in the meanwhile, control the access by an access structure, the smart meter can combine ABE and ABS.It can either sign first and then encrypt or encrypt first and then sign.Since every entity in the system can verify a signature but only the entities with proper set of secret keys can decrypt, our recommendation is to sign and then encrypt.The reason is simple: for those entities that cannot decrypt, we do not want them to know that the signature ever existed.From the perspective of data analysis companies, it can only collect data that intended to been sent to them.

Eliminate the MAC in the Protocol.
We use a MAC in the communication protocol.Actually, if we have identitybased signature (IBS) in our system, we can use IBS to sign the digest of the payload.To integrate an IBS into our current architecture, we may need a trustee that certifies every identity.We leave it as a future research direction.
In our current architecture, one can remove the MAC by using our ABS and set the access structure to be the sender's identity.The sender (in this case, a smart meter) can obtain a secret key for its identity and sign the message with an access structure that involved only its identity.However, the computational cost of doing this is larger than using IBS and we discourage this particular method.4.6.Security Analysis.Both schemes we implemented are secure in generic group model.In actual large university construction of attribute based crypto system, security in standard is hard to achieve since we need to introduce a polynomial and assumptions that no more than certain amount of user will get together and collude.Generic group model and random oracle model are practical in real-left applications.

Performance Analysis
We implemented the decentralized attribute based encryption scheme in prime order group, the scheme in appendix D in [22].Also, we implemented the multiauthority ABS in Section 4.2 of paper [16].This section discusses the implementation details and performance analysis.

Implementation Details.
The implementation is based on a python library, Charm crypto [50], which is framework that is prototyping advanced cryptosystems such as IBE and IBS.The core mathematical functions behind Charm are from the Stanford Pairing-Based Cryptography (PBC) library [38], which is a free C library that performs the mathematical operations underlying pairing-based cryptosystems.At the same time, there is a project called TinyPBC [51] that has a better performance in terms of elements multiplication in groups.The efficiency of multiplication was improved by a factor of 4-5 and so does the Exponential operation.However, the current release of Charm does not have TinyPBC integrated.We are still using the PBC library for underlying mathematical operations.
The implementation of the decentralized ABE scheme is a little bit different from the original scheme due to the fact that the original paper describes the scheme in symmetric groups.We implemented the decentralized ABE scheme in asymmetric groups and add some precalculated values into the public parameters to reduce the computational cost in Enc() and Dec().The detailed implementation can be found at Appendix.Since we are using the prime order group instead of the composite order group, the scheme implemented is secure in generic group model.As mentioned before, using composite order groups will largely increase the element size in groups.The computation cost will be boosted especially when we want higher security level; for example, A Tate pairing on a 1024-bit composite order elliptic curve is roughly 50 times slower than the same pairing on a comparable prime order curve [49].As argued above, generic group model and random oracle model are practical in real life applications.The implementation of multiauthority ABS can also be found at Appendix.Some notations have been changed to avoid confusion.
We are running the code on 32-bit Ubuntu 12.04, which is a virtual machine running in VMWare fusion on a MACbook Air with 1.8 GHz Intel i5 and 4 GB memory.The virtual machine has access to one core of CPU and maximum 1 GB of memory.The PBC library provides a preprocessing mode for Exponential and Pairing.However, we did not use any preprocessing here since Charm did not integrate it.One has to notice that the preprocessing improves the performance by precalculating some value, which means that the preparation itself takes a long time.Preprocessing is recommend when there are a lot of Exponential and Pairing operations to compensate the cost of preparation itself.

Groups and Curves.
We implement based on both symmetric groups and asymmetric groups.We will use "SS512" to denote the symmetric group that has a 160-bit order and 512bit long of base field.A group with order of 160 bits equals 80 bits of NIST symmetric encryption security.For asymmetric groups, we use MNT curve [52] with degree 6 and BN curve [53] with degree 12.To have 80 bits of symmetric security, we use "MNT159," which has a 159-bit base field size in G 1 .The field size of G 2 should be 6 times longer than the field size of G 1 .However, the PBC library actually implemented G 2 to be 3 times longer.One has to know that the shorter an element in a group is, the faster the multiplication will be and so does the Exponential.As we will see in the following subsections, choosing groups and curves has a great influence to efficiency.
The BN curve has a field size of 160 bits in G 1 and the NIST symmetric security is 80 bits too.The degree of BN curve is 12, which means that the operation in G  group is more expensive than operations in G  in MNT curve, which has a degree of 6. Table 1 is the real world benchmark in Charm of different operations in different groups and curves.People care about the number of Pairing in an identity/attribute based scheme.Table 1 shows that the Exponential operation consumes equal computational cost.Usually the Pairing operation takes longer than Exponential, but the underlying mathematical function of Charm, which is the PBC library, has no optimizations to the multiplication operation, and the Exponential takes longer than we expect.More discussions of optimization can be found at Section 5.5.For now, the python based Charm crypto is our choice to do the implementation.
From Table 1, the G 1 Exponential is expensive in SS512 since the field size of SS512 is 512 bits while MNT159 and BN have 160 bits of field size.Also, the G 2 Exponential in MNT159 is expensive compared to SS512 even if the element in G 2 is only 3 times longer than G 1 , which is about 480 bits.In terms of G 2 Exponential, BN curve is better.BN curve is better in both G 1 Exponential and G 2 Exponential.That is why BN curve is a good candidate when the top priority is to minimize bandwidth (e.g., shorter signature) and faster the schemes that have most of the operation in G 1 and G 2 .Another advantage of BN curve is that if finite field discrete log algorithms improve further, MNT curves need to use larger fields, but BN can still remain short [38].However, G  Exponential and Pairing in BN curve take much more longer time than in SS512 and MNT159.If a scheme has heavier operations in G  and a large amount of Pairing, we should avoid using BN curve.Different identity/attribute based crypto schemes have different amount of Exponential and Pairing operations in key generation (sometimes called key extraction), encryption, decryption, signature, and verification.We are going to analyze the performance of the decentralized ABE scheme and multiauthority ABS scheme in the following subsection.   2 lists the number of operations for KeyGen(), Enc(), and Dec() of the scheme we implemented, which can be found at Appendix.ℓ is the number of attributes involved in the access structure, and it is also the number of rows in an access matrix.ℓ  is the number of required attributes to decrypt a message.The receiver may not need all the attributes in the access structure to decrypt the message since the minimal set that satisfies the access structure will work.

Performance of
The key generation needs 2G 2 per attribute.The Exponential in G 2 in asymmetric groups is slower than Exponential in G 1 .To make the key generation faster, one can play a trick and swap G 1 with G 2 .After we swapped G 1 with G 2 , the key generation is operations in G 1 .However, Enc() will have 3G 2 per attribute instead of 3G 1 .Table 3 is the running time of key generation under SS512, MNT159, and MNT159.S. MNT159.S means that we swapped G 1 with G 2 in the scheme.The swap will not affect the security of the scheme.It will affect only the efficiency and the length of parameters.Note that there are some inconsistency between Tables 1 and 3.The reason that the key generation in MNT159 is about 25 ms longer than we expect is that we need to map an identity to an element in G 2 using a random oracle.And the time of mapping depends on the target group (G 1 , G 2 , G  , or Z  ) and the curve (SS512, MNT, or BN) been used.And the mapping is the reason to the variance in Figure 9 too.
In Figures 8 and 9, the error bar means the standard deviation of the Enc() and Dec().As we expected, the running time of Enc() and Dec() grows with the number of attributes involved and the number of attributes required, respectively.One can see that MNT159 has the best performance in Enc(), but the worst in KeyGen().As for Dec(), SS512 is better.MNT159 and MNT159.S should have the same performance in Dec() according to Table 3 since Dec() involves no Exponential in both G 1 and G 2 .However, in Dec(), we do need to map an identity to an element in the target group (its G 2 in MNT159 and G 1 in MNT159.S), and as mentioned before, the mapping takes 25 ms when mapping the identity to an element in G 2 in MNT159.This explains why the red line is about 25 ms above the brown line in Figure 9.
In the architecture we proposed, the KeyGen() is performed by the attribute authorities (AAs), and the Enc() and Dec() are performed by smart meters or data consumers.The intuition is that Enc() and Dec() are performed distributively, and the AAs might have bottleneck issues with the fact that there are a large amount of users need secret keys from the  AAs.Situation becomes worse if we take key and user revocation into consideration.For example, if the secret keys issued by the AA have a time tag attached (e.g., Arlington.TV.Jan 2013), which means that this attribute will expire in certain amount of time and users should obtain the secret key for the next time period of this attribute by contacting the AA or we integrate some real-time user (or key) revocation scheme just as paper [54] did, the KeyGen() will certainly cause a lot of pains to the AAs.Our recommendation here is to use MNT159 curve and swap G 1 with G 2 to achieve the best efficiency in KeyGen().Even the performance of MNT159.S in Enc() is the worst, it will be acceptable due to the fact that the encryption will only need to be performed once and the computation is totally distributed.

Performance of Multiauthority ABS.
We also implemented the multiauthority ABS [16] and ran the performance test on our implementation.The difference between the decentralized ABE scheme and multiauthority ABS scheme is that the multiauthority ABS scheme has a signature trustee, which handles the user registration part.Given the token from signature trustee, AAs can generate secret keys for attributes the user requested.Since the TSetup() and ASetup() only happen once, we mainly focus on the TRegister(), AttrGen(), Sign(), and Verify().One has to notice that the verification we implemented is the probabilistic verification mentioned in Section 3.3.1 of paper [16], which has at most 1/ probability to make a false positive.The computational cost of verification reduced by one degree: from ℓ ⋅  + 2 to ℓ + 4, where ℓ is the number of rows in the access matrix and  is the number of columns.
Table 4 summarizes the number of operations for TRegister(), AttrGen(), Sign(), and Verification() of the scheme we implemented, which can also be found at the Appendix.
ℓ is the number of attributes involved in the access structure, and it is also the number of rows in an access matrix. is the number of columns of the access matrix. increases by one when the algorithm meets an "AND" gate in an access structure.ℓ  is the number of required attributes to sign a message.Also, we start with the AttrGen(), which may be the bottleneck of our system.The TRegister() has the same amount of computational cost to the AttrGen() according to Table 4.However, we need to use a random oracle to map the identity into an element in groups and the discussion in the previous subsection.However, this mapping may take a long time.Meanwhile, a user needs to contact the signature trustee to get this token, then the user needs more than secret key for the attributes.The computational cost of TRegister() should be less than the computational cost of AttrGen().We focus on AttrGen() now and we can generalize the performance of TRegister() from Table 5.
As what has been discussed in the previous subsection, MNT159.S swaps G 1 with G 2 , and BN curves are brought into discussion as it has its advantages in G 1 and G 2 Exponential operations.
From Figures 10 and 11, error bar means standard deviation.Computational cost in Sign() and Verify() is higher than the Dec() and Enc() in the decentralized ABE scheme just as we expected.The multiauthority ABS signature has a lot more Exponential operations in G 1 and G 2 .Particularly in Sign(), it grows with ℓ ⋅ .It also grows with the number of attributes required to sign.In the access structure we using, the number of required attributes to sign is ℓ  = ℓ/2.The verification is the probabilistic verification which has   .However, the sender needs only to generate one signature for a message and verification might happen more than one time.One can also consider the verification as the priority; MNT159.S would be a better choice.
In the smart grid communication network, the AttrGen() is centralized and may be the bottleneck.Both MNT159.S and BN.S can fit the task.If the efficiency of Sign() matters, one should use BN curve and swap G 1 with G 2 .Also, the signature size can be reduced to compare with MNT curve: in G 1 , elements have the same length.However, the elements in G 2 are 2 times longer than elements in G 1 in BN curve instead of 3 times longer in MNT curve.If the resource on smart meters is very limited, BN curve will be a good choice.However, if the efficiency of verify() is the priority, MNT159.S should be used.In the scenario that data consumers need to collect anonymity data from a group of users that satisfy an access structure, the verification is performed per user and MNT159.S will save a lot of computational cost.

More about Efficiency.
Efficiency can be further improved by using the preprocessing provided by PBC library or using the Lopez-Dahab algorithm [55], which is TinyPBC's optimization on multiplication.Both of them are not in Charm's current release.In PBC library, we can prepare an element for Exponential operation or Pairing operation.For example, if we preprocess the generator  1 , the exponential operation based on  1 will be roughly 6-8 time faster, which is shown in Table 6.See Table 6 for details.
According to TinyPBC's implementation on multiplication, the speed of multiplication will be 4-6 times faster.If we combine the preprocessing and Lopez-Dahab algorithm, we expect the implemented scheme to be 20 times faster.Further work needs to be done to optimize the underlying mathematical functions to make the multiplication and pairing faster.5.6.Converting an  to an Matrix More Efficiently.Algorithm 1 is converting an access structure to an access matrix.
From decentralized ABE and multiauthority ABS scheme, the size of matrix influences the efficiency.The project [56] reduces the size of access matrix and the computational cost of our implemented schemes will reduce too.We leave the implementation of a more efficient transformation of access matrix as one of the potential future research directions too.
In summary, we run the implementation on different curves and groups and analyze the performance in this section.Note that the decentralized ABE and multiauthority ABS do not share the common parameters such as group generator and so on.Reference [35] has some initial work in combining ABE with ABS, and ABE shares public parameters, even the secret keys with ABS.Combined ABE and ABS can be a potential next step in our future work.However, once we combine the ABE and ABS, even the storage for secret keys reduced, computational cost would be higher than using ABE and ABS schemes, separately.Different schemes have different performance under different curves and groups.

Conclusion
In this paper, we describe a smart grid communication architecture and then present a secure and scalable data communication scheme in smart grids, which is employed decentralized attribute based encryption.The security analysis demonstrated that the scheme ensures security and privacy.The performance analysis shows that the scheme is efficient in terms of computational cost.
Our future research lies in the following directions: design a decentralized CP ABE scheme with constant size of ciphertext length to reduce the storage and communication cost.Examine more attacks on the architecture we proposed and defend those attacks.Cooperate our current scheme with other broadcast authentication schemes and signature schemes to make a more comprehensive and applicable architecture.The communication architecture for smart grids proposed in this paper serves at the basis of our future research and we shall further propose new approaches to enhance and extend this architecture.

#
of attributes in the access matrix

#
of attributes in the access matrix

Table 1 :
Benchmark on curves and groups, time unit is ms.Run 1000 trials and the average is recorded.
Decentralized ABE.Different curves have different computational costs for Exponential operation in groups.The chosen curves will affect the performance of decentralized ABE scheme.Since Table1lists the Exponential

Table 2 :
Number of operations of decentralized ABE scheme.

Table 3 :
Key generation per attribute of decentralized ABE scheme.

Table 4 :
Number of operations of multiauthority ABS scheme.

Table 5 :
Key generation per attribute of multiauthority ABS scheme.reasonable and negligent probability to produce a false positive.Both MNT159.S and BN.S have a better performance in AttrGen().As for Sign(), BN.S has the lowest cost since the Exponential operations in G 1 and G 2 are less expensive than other schemes.MNT159.S has better performance in the verification.If considering the performance of Sign() as the priority, BN curve should be used and G 1 should be swapped with G 2 a