Multiauthority Traceable Ring Signature Scheme for Smart Grid Based on Blockchain

As the next-generation power grid system, the smart grid can realize the balance of supply and demand and help in communication security and privacy protection. However, real-time power consumption data collection might expose the users’ privacy information, such as their living habits and economic conditions. In addition, during the process of data transmission, it may lead to data inconsistency between the user side and the storage side. Blockchain provides tamper-resistant and traceable characteristics for solving these problems, and ring signature schemes provide an anonymous authentication mechanism. Therefore, in this work, we consider the applications of ring signature scheme in smart grid based on blockchain. We introduce the notion of multi-authority traceable ring signature (MA-TRS) scheme for distributed setting. In our scheme, there is an auditing node that can distinguish the identity of the real signer from the ring without any secret information. Last but not least, we prove that the proposed scheme is unforgeable, anonymous, and traceable.


Introduction
The rapid development of society and economy has driven the increasing demand for electricity of the people, which requires that the power supply system is more convenient, stable, and secure. However, the traditional power grid system has the problems of load imbalance and lack of effective diagnosis of faults in real time. Therefore, a smart grid emerges to cope up with these problems.
Smart grid, combining the traditional power grid system with state-of-the-art information and communication technology, is considered as one of the most significant trends in the next generation power grids [1][2][3][4]. In smart grid, different from the one-way communication of the traditional power grid (which just transmits electricity from generation plants to electricity users), it allows two-way communication, which enables the electricity users to easily get their consumption data and intelligently control their use of the domestic electrical equipment properly [5,6]. In addition, the electricity company can adjust the plan of the power supply to solve the problem of peak power consumption according to the real-time electricity data collection. Compared with traditional power grids, a smart grid system has a lot of significant advantages. However, some researchers have indicated that the malicious attackers or eavesdroppers can infer the users' living habits, financial situations, identity information, or even which household equipment is being used during the process of the real-time power data collection [7,8]. And it will pose a threat to individual and national security. Hence, how to deal with the leakage of power consumption data and identity information has become the focus of researchers [9].
As the underlying core technology of Bitcoin [10], blockchain is a distributed ledger that maintains the sustainable growth of data records list confirmed by all the participating nodes. Blockchain is a promising and powerful technology, which utilizes cryptography, P2P, and so on to guarantee the security of the system. Due to the properties of decentralization, tamper-resistance, and traceability, blockchain is considered as an alternative option for setting up a trustful platform without a trusted third party. In recent years, it has been widely used in diverse industrial areas, including finance [11,12], artificial intelligence [13,14], health care [15,16], and Internet of Things (IoT) [17][18][19]. Obviously, it is feasible to utilize blockchain technology into the smart grid system to address the above-mentioned weaknesses. Guan et al. [20] proposed a privacy-preserving and efficient data aggregation scheme based on blockchain for power grid communications. In this study, users are divided into different groups and each group possesses a private blockchain. In order to disguise the users' real identities, every user creates multiple pseudonyms. But this scheme uses a key generation center to generate users' keys, which will lead to key escrow problem, and it lacks of tracing function when data inconsistency.
Although the properties of blockchain can make users' identities anonymous and protect their privacy, it is far from enough to solve the problem of users' information privacy. Ring signature is one of the best methods to tackle it. In order to achieve anonymity of users, Rivest et al. [21] formalized the concept of ring signature in 2001, which is one of the digital signature schemes applied in blockchain. Distinct from group signature [22], ring signature has no group manager and allows any member of the ring to sign on behalf of all ring members as well as protecting the real identity of the true signer.
Identity-based cryptosystem was introduced by Shamir [23], allowing the users to utilize their own identities as the public keys. Zhang and Kim [24] constructed an identitybased ring signature (IDRS) scheme, combining the properties of ring signature and identity-based signature. After that, other researchers have come up with their own ID-based signature schemes, such as [25][26][27]. Ring signature, however, is not always a best option owing to its full anonymity. Therefore, a traceable ring signature (TRS) scheme [28] was proposed for restricting abusing anonymity. As for group signature, it has a strong ability of traceability, and ring signature has a strong ability of full anonymity. Traceable ring signature keeps the balance between group signature and ring signature. To be specific, traceable ring signature has the characteristics of traceability and anonymity. In a traceable ring signature scheme, not only does it provide anonymity for any signer when he/she signs any message but also provides traceability for verifiers to distinguish whether the signatures are produced by the identical signer on the same transaction while the malicious signer abuses anonymity in some situations. Besides, some researchers have proposed the ring signature schemes with anonymity revocation [29,30], while it is based on single authority, which is not suitable for blockchain applications.
Based on the above analysis, we present a multi-authority traceable ring signature (MA-TRS) scheme for smart grid based on blockchain. The main contributions of this work are listed as follows.
(1) The definition of TRS scheme in the multiple authorities setting is formalized. In our definition, there exist n key-generation nodes, and the electricity user is supposed to interact with at least t out of n keygeneration nodes to generate his/her own private keys.
(2) We construct an MA-TRS scheme for blockchainbased smart grid based on ID-based ring signature. And it has the properties of unforgeability, anonymity, and traceability.
(3) In our scheme, the auditing node is responsible for tracing the real signer when the power consumption data of the electricity users is inconsistent with that of the blockchain network, while the auditing node does not possess any secret information.
The rest of this paper is organized as follows. In Section 2, we introduce the preliminary knowledge of our proposed scheme. The system model and security model will be defined in Section 3. Then in Section 4, we present the MA-TRS scheme. In addition, the correctness and security are given in Section 5. Last but not least, we draw a conclusion in Section 6.

Preliminaries
In this section, we will introduce the relevant background materials that are utilized in the construction of our scheme.

Bilinear Map.
Let G 1 , G 2 be two multiplicative cyclic groups with the same large prime order q and P be the generator of G 1 . A bilinear map e : G 1 × G 1 → G 2 needs to satisfy the following three properties: There is an efficient algorithm to calculate eðaP, bPÞ for all a, b ∈ ℤ q 2.2. Complexity Assumption Definition 1. Discrete logarithm problem (DLP): for all P, Q ∈ G 1 , it is difficult to find η ∈ ℤ * q to satisfy Q = ηP.

Definitions
In this section, we will formalize the definition of the system model and the security model in our scheme.

System Model.
In the MA-TRS scheme, we design a smart grid network with traceable anonymous authentication mechanism based on blockchain between electricity company and users, in order to guarantee the data privacy of the users. As depicted in Figure 1, our system model is comprised of eight entities: electricity company (EC), data center (DC), smart meter (SM) in the residential area (RA), registration and authentication node (RAN), key-generation node (KGN), data processing node (DPN), blockchain network (BCN), and auditing node (AN).

Wireless Communications and Mobile Computing
3.1.1. Electricity Company. In our scheme, the EC is connected to the smart grid network, analyzes the real-time power consumption data, and responds to the electricity demand of the electricity users for providing them with customized services.

Data
Center. The DC is in charge of receiving and storing the data copies uploaded by the DPNs to the blockchain network and providing them to the EC or other scientific research institutions for further scientific researches.

Smart Meter.
The SM is equipped in the electricity user's house in the residential area to collect the electricity consumption data of his/her household electrical appliance regularly and simultaneously (e.g., 15 minutes). Before uploading the power consumption data to the smart grid network, every smart grid needs to register with the RAN to obtain his/her unique identity. After that, when the electricity user logs in to the smart grid system, the RAN will authenticate the unique identity of the electricity user. Then, the user uses the identities of other users in the same residential area to form the identity set L, generates the ring signature, and sends the power consumption data to the DNPs in the smart grid network.

Registration and Authentication
Node. The RAN is responsible for allocating the unique identity to the electricity user who signs up for the smart grid system and authenticating the legitimacy of the user. 3 Wireless Communications and Mobile Computing 3.1.5. Key-Generation Node. The KGNs jointly generate their own key shares when the system is initialized. The electricity user needs to obtain at least t key shares from n KGNs to generate his/her private key.
3.1.6. Data Processing Node. The DPN parses the uploaded power consumption data and packages it to generate the blocks as well as storing the data copy to the DC. Especially, in our scheme, the DPN still records some other operations into the block, such as reading and storage. Because of the strict supervision of every operation via blocks, all kinds of operations of every node can be traced and the interaction of data can be protected, which makes our scheme distinct from the traditional smart grid schemes.
3.1.7. Blockchain Network. The BCN stores the event blocks that the DPNs process, which can achieve the function of data tamper resistance.
3.1.8. Auditing Node. When the electricity consumption data of the electricity user is inconsistent with that of the blockchain network, the AN intervenes to trace the real signer, which makes the data traceable.

Security
Model. The security model of our proposed scheme should meet these three security requirements: unforgeability, anonymity, and traceability.
(1) Unforgeability. Unforgeability means that no one can generate a valid ring signature for the identity set L unless he/she has one of the private keys corresponding to L (i) System Setup. Challenger C runs the system setup algorithm to produce the system public parameters params and master key shares sk 1 , sk 2 , ⋯, sk n for KGNs whose identities are aid 1 , aid 2 , ⋯, aid n , respectively, then C returns params to adversary A who possesses all of the public keys of users but not any private key (ii) Queries. A can make the following four kinds of queries to C: (2) Anonymity. Anonymity means that given a signature, no one can determine the real signer unless all of the ring members (the users in the same residential area as the signer) launch collusion attacks (i) System Setup. Challenger C executes the system setup algorithm to compute the system public parameters params and returns it to adversary A (ii) Queries. A adaptively executes polynomial times ring signature queries (iii) Challenge. In the phase of challenge, A outputs a message m, the identity set L of ℓ users, two different public key Y 1 , Y 2 ∈ L, and transmits them to C. C randomly chooses a bit y ∈ f0, 1g and runs the signature generation algorithm with the real signer uid y , then returns σ to A (iv) Queries. A adaptively executes polynomial times ring signature queries (v) Challenge. Finally, A outputs a bit y ′ ∈ f0, 1g. A will succeed if and only if y = y ′ .
(3) Traceability. Different from the ring signature schemes [31], whose anonymity cannot be revoked, the property of the anonymity of TRS schemes is conditional. The property of traceability of TRS schemes means that for any valid ring signature, there exists someone who can determine the real signer from the ring (all users in the same residential area including the signer) Definition 3. The MA-TRS scheme is unforgeable for any A, because the advantage of him/her is negligible.
Definition 4. The advantage of any polynomial time adversary A is defined as Adv = |Pr ½y = y ′ − 1/2 | . We say that an MA-TRS scheme is anonymous if the advantage of A is negligible.

Multiauthority Traceable Ring Signature Scheme
In this section, we construct a multi-authority traceable ring signature (MA-TRS) scheme for smart grid based on blockchain, which is mainly comprised of the following five parts: system setup, user registration, user report generation, data storage, and user data tracing.
4.1. System Setup. The system setup phase is divided into two subprocesses: system initialization and key-generation nodes initialization.
(1) System initialization is responsible for generating all system public parameters by the DPNs (2) During key-generation nodes initialization subprocess, all the KGNs cooperate with each other to generate their own master key shares (a) Each KGN aid i ∈ ℤ * q chooses randomly a polynomial f i ðzÞ ∈ ℤ * q of degree t − 1 calculates its own master key share sk i = ∑ n j=1 s ji and computes its corresponding public key share pk i = s k i P. Note that the master secret key s can be recovered by at least t out of n master key shares sk i (f) For the purpose of computing the master public key, any one of the KGNs can select at random t out of n KGNs' public key shares. Suppose Ω is the set of qualified KGNs to generate master keys. Therefore, it calculates the master public key as (g) All the KGNs append P pub and their own faid i , pk i g n i=1 to params as params = fq, P, e, G 1 , G 2 , H 1 , H 2 , t, n, P pub , faid i , pk i g n i=1 g

User Registration.
If the electricity user intends to join the smart grid, he/she is supposed to submit the registration information to the RAN. Then, the RAN will assign him/her a unique identity. After that, the electricity user needs to interact with at least t out of n KGNs to generate his/her private key. In other words, when there are less than t KGNs, the user cannot generate his/her own private key. There do not exist any two of t KGNs interacting with each other in this phase. Consequently, the user can choose any t KGNs according to his/her preference. After the interaction with KGNs, the user computes his/her own private key with the secret key shares from t KGNs.
(1) Each user initiates a registration request to the RAN. Subsequently, the RAN allocates him/her a unique identity uid i ∈ ℤ * q . Next, the DPNs calculate and publish B i = H 1 ðuid i Þ.
(2) Every KGN aid j computes psk ij = sk i B i and transmits it to user uid i securely (3) When receiving the secret key share psk ij from KGN aid j , user uid i verifies whether the equation eðpsk ij , PÞ = eðB i , pk j Þ holds. If it holds, the secret key share is valid. Conversely, the user discards the invalid secret key share and KGN aid j has to resend the value that satisfies the equation (4) When collecting t secret key shares, user uid i can generate his/her secret key as follows:

Wireless Communications and Mobile Computing
(5) Every user selects a random number x i ∈ ℤ * q , then calculates X i = x i C i and Y i = x i ðP + B i Þ. After that, the user keeps ðx i , C i Þ as his/her private key and regards ðY i , uid i Þ as his/her public key. At last, the user broadcasts ðY i , uid i Þ.

User Report Generation.
In this phase, every electricity user utilizes the SM to collect power consumption data m ∈ f0, 1g * , generates ring signature of it, and sends the data to the smart grid network regularly, e.g., every 15 minutes. Let L = fuid 1 , uid 2 , ⋯, uid ℓ g be the identity set of all ℓ users in the same residential area. Assume that the real signer, indexed by S, keeps ðY S , uid S Þ as his/her public key and ðx S , C S Þ as his/her private key, where Y S = x S ðP + B S Þ.
(1) Signer chooses r i , u i ∈ ℤ * q , respectively, and calculates the following equations: (2) Signer selects a random u S ∈ ℤ * q and computes: where U S ≠ U i . If U S = U i , u S needs to be reselected.
(3) The ring signature of power consumption data m signed by signer S outputs as (1) After receiving the signed electricity data, the DPN computes the following equation if |T ′ − T | ≤ΔT: where T ′ is the current time stamp, and ΔT is a predefined time threshold value.
(2) The DPN checks the validity of the signature by examining whether holds. If it holds, accept the signature. Otherwise, reject it.
(3) The DPN packages the signed electricity data into block and broadcasts it to other DNPs. After most DNPs verify and accept the block, the DPN uploads it into the blockchain network. At the same time, the DPN sends the data copies to the DC for further scientific researches. Besides, the DPN will also record the operation of uploading data in the blockchain, which makes every operation traceable and data interaction protected 4.5. User Data Tracing. When the user finds that the electricity consumption data is inconsistent with that stored in the blockchain network, he/she can initiate an audit request. Then, the AN intervenes to solve it. During this process, the AN only needs to interact with all the users in the same residential area once to trace the real signer S. What the AN executes is as follows.
(1) The AN firstly parses the operation recorded in the blockchain to trace which operation of the data inconsistency (2) In accordance with R i ′ and the set of identities of the electricity users in the same residential area L in ring signature σ, the AN collects the value of R i from the relevant user uid i in the same residential area by

Correctness and Security
This section proves the correctness and security of our proposed scheme.

Correctness
Theorem 5. If eðP pub , ∑ ℓ i=1 ðU i + h i Y i ÞÞ = eðP, DÞ, the signature of the power consumption data is valid. Proof.
Theorem 6. If eðR i ′ , P + B i Þ = eðR i , Y i Þ and eðR, P + B i Þ = e ðW, Y i Þ, the user data can be traced correctly. Proof.
Proof. Because the master secret key s is jointly generated by at least t key-generation nodes and the private key of the user is produced after interacting with at least t key-generation nodes, it is infeasible for anyone who does not belong to the signature ring to obtain the part of the private key C i of the user. Additionally, another part of user's private key x i cannot be computed by Y i = x i ðP + B i Þ due to DLP. Namely, it is difficult to forge any valid private key of the ring members. The values U i , R i , R i ′ of one signature can be produced by anyone. However, the calculation of the values R, D requires at least one of the private keys of the ring members.
According to the security model of unforgeability, the adversary cannot obtain any private key of the ring. And it is impossible to compute D by U i , h i owing to CDHP. Therefore, it is impossible for anyone who is not a member of the ring to forge a valid signature.

Anonymity
Theorem 8. The ring signature is anonymity of the signer in our proposed MA-TRS scheme.
Proof. The values of r i , u i are chosen at random from ℤ * q , so the values of U i , R i , R i ′ are evenly distributed in the group G 1 , and the same is the value of h i . In addition, the value u S is selected randomly by the real signer, and the value U S computed by U S = u S B S − ∑ ℓ i=1,i≠S ðU i + h i Y i Þ is evenly distributed. Therefore, the values R and D will not reveal the information of the signer. In another word, it is computationally distinguishable unless all the ring members cooperate to compute. So, it is anonymous for the signer in our MA-TRS scheme.

Traceability
Theorem 9. The proposed MA-TRS scheme can trace the real signer if necessary.
Proof. When the user or the electricity company finds the power consumption data is different from the data stored in the blockchain network, the auditing node will execute the tracing program to trace the real signer. The auditing node can obtain the value of R i after interacting with every user in the same residential area. After collecting ℓR i , the auditing node verifies their validity, then traces the real signer by the public parameters. In the whole process of tracing, it is impossible for any member to leak his/her private key. That means the auditing node possesses nothing concerning the secret but the published information. Only the ring member who satisfies the equation eðR, P + B i Þ = eðW, Y i Þ is the real signer. Hence, the proposed MA-TRS scheme is traceable.

Conclusion
In this paper, we propose a multi-authority traceable ring signature scheme for smart grid based on blockchain, combining ring signature scheme and blockchain technology. In addition, our scheme takes advantage of distributed key generation technology to address the problem of key escrow. A responsible user can generate his/her secret key by interacting with t out of n key-generation nodes, and no one knows the master secret key. When the power consumption data of the user is inconsistent with that of the blockchain network, the auditing node can trace the real signer and solve this data inconsistency, which makes our scheme different from other smart grid schemes. Compared with other ring signature schemes, our scheme has the properties of unforgeability, anonymity, and traceability. At last, we discuss the security proof of our scheme.