A Blind Signature-Aided Privacy-Preserving Power Request Scheme for Smart Grid

Smart grid is an emerging power system capable of providing appropriate electricity generation and distribution adjustments in the two-way communication mode. However, privacy preservation is a critical issue in the power request system, since malicious adversaries could obtain users' daily schedules through the power transmission channel. Blind signature is an effective method of hiding users' private information. In this paper, we propose an untraceable blind signature scheme under the reputable modification digital signature algorithm (MDSA). Moreover, we put forward an improved credential-based power request system architecture integrated with the proposed blind signature. In addition, we prove our blind signature's blindness and unforgeability under the assumption of the Elliptic Curve Discrete Logarithm Problem (ECDLP). Meanwhile, we analyze privacy preservation, unforgeability, untraceability, and verifiability of the proposed scheme. Computational cost analysis demonstrates that our scheme has better efficiency compared with two other blind signatures.


Introduction
The concept of "Intelligrid" was first proposed by the American Electric Power Research Institute in 2001 [1], and exploration of smart grid is becoming more and more popular. Since the notion of Industry 4.0 was put forward, operation and management of smart grid have been optimized through the connection of various facilities, equipment, and devices [2]. Smart grid is regarded as the next-generation power grid infrastructure capable of promoting secure and effective electricity transmission from power operators to electric appliances. Power operation and management in smart grid are upgraded by integrating advanced bidirectional communications and widespread computing capabilities for efficient control, distribution, reliability, and safety [3]. Smart grid not only eliminates barriers between users and power producers but also ensures continuous electricity supply for users by intelligently monitoring their electricity consumption behaviour and making suitable adjustments to the amount of power deployed [4].
In general, a smart grid network is roughly comprised of three layers: control center, substations, and smart appliances (i.e., smart meters) [5]. Figure 1 depicts a simplified architecture of the smart grid network. As a kind of physical carrier, smart meters are installed in each electricity appliance system, and users could send power requests to the substation with the help of smart meters. Moreover, smart meters push appliance information to substations periodically. Substations could collect users' real-time demand and forward it to the control center via the Supervisory Control and Data Acquisition (SCADA) system [6,7]. Then, the power control center makes further power deployment analysis and distributes the proper electricity amount to substations according to the various requirements. Finally, users could obtain the required electricity through substations.
It should be noted that the major difference between the traditional power network and smart grid is that smart meters bearing users' application information communicate with substations via wired or wireless networks. Specifically, one of the main pieces of information is the users' real-time electricity consumption and demands. Because a power request has the potential of leaking a user's daily schedule, which is private, we devote ourselves to the privacy and security issues of electricity request communication. Furthermore, power demands are not only related to users' privacy directly but also related to the charging policy and fairness. How to take effective measures to guarantee the genuineness of power demand sources and the user's privacy is a significant issue. The former problem could be solved by identity authentication, and the latter needs privacy preservation techniques to be settled [8].
The digital signature is an important cryptographic protocol for ensuring the authenticity and the integrity of messages [9][10][11]. The blind signature is a special digital signature, which is an effective method for user's privacy preservation. The pioneer of the blind signature conception is Chaum et al.'s research [12], in which they established a user's privacy-preserved electric payment system based on blind signature. The blind digital signature generation process contains two parties: a signer S and a user U. On receiving a blind signature request from a user U, the signer S generates a random element and sends it to U. Then, the user utilizes the received element and produced blind factors to blind the original message $m$. The blinded message, denoted by $\tilde{m}$, is sent to S. Actually, S signs $\tilde{m}$ as in a secure signature scheme. Finally, U unblinds the signature values from S to obtain the ultimate blind signature. In the above process, S cannot recognize the real signing message even if he saves all the signature scripts that he has signed. The unmatchability between the output of the blind signature and the signer's signature scripts is viewed as untraceability.
Many blind signature schemes have been proposed [13][14][15][16][17][18][19], but they cannot hold untraceability, where the signer S can find a match between his signature scripts and blind signature outputs. Thus, S can distinguish the original message he has signed, and the privacy of the user could not be ensured. In this paper, we improve Bütün and Demirer's scheme and propose a secure blind signature. Based on the advanced blind signature, we put forward a power request system model. Contributions of this paper are as follows:
(i) We put forward an improved blind signature-aided power request privacy preservation system model, in which smart meters (i.e., users) could send a power request, a blindly signed credential with a certain amount, to substations, and the control center cannot identify the real user identity through blind signature verification
(ii) We analyze Bütün and Demirer's scheme and point out its weakness, that is, a malicious signer could find a match between his signing scripts and the user's blind signature outputs
(iii) We propose a secure blind signature scheme under the reputable MDSA digital signature. What is more, blindness and unforgeability of our proposed blind signature are proved under the difficulty assumption of ECDLP
original message he has signed. In Section 6, we propose our improved blind signature with untraceability. In Section 7, we prove our scheme's blindness and unforgeability and analyze the properties of privacy preservation, unforgeability, untraceability, and verifiability. Section 8 gives comparisons of security properties and computational costs with Bütün and Demirer's scheme [13] and Verma and Singh's scheme [16].

Related Works
Since the advent of the "smart grid" concept, a flow of smart grid surveys has sprung up [3, 20–26]. Fang et al. explore three major systems and give future expectations for smart grid [20]. This paper has an important reference value for the following smart grid surveys. Alshehri gives further research on smart grid and studies multiperiod demand response management [21]. Wen et al. [25] and Makhadmenh et al. [26], respectively, conducted research on smart meters and smart homes. However, some sensitive information of users may leak through the two-way communication channel. Therefore, privacy preservation is especially significant.
Si et al. analyze the existing privacy problems and enumerate some solutions from a global perspective for smart grid [27]. Mahmood et al. propose an elliptic curve-based authentication to provide communication security between customers and substations [28]. Blind signature is an effective way of hiding users' sensitive information and was first proposed by Camenisch et al. [29]. Blind signature could guarantee anonymity of participants. Tseng put forward a specific privacy-preserving communication protocol utilizing the restrictive partially blind signature [30]. Sarde and Banerjee propose an incentive-based demand response privacy-preserving scheme for the smart grid [14]. Yang et al. make an attempt to identify the privacy-preserving issues and put forward a reward architecture for V2G networks [31]. Yu et al. propose a power request scheme to satisfy the security requirements [32]. Han and Xiao give a thorough and deep survey on privacy preservation for smart grid and point out that the blind signature is a universal method for users' security issues [33], but they do not give a detailed blind signature-based privacy preservation scheme.
In conclusion, the above papers have great effects on smart grid privacy preservation research. But they either give a general description or lack a comprehensive blind signature scheme. In this paper, we propose an integrated blind signature-aided privacy-preserving power request scheme for smart grid.

Preliminaries
In this section, we introduce the system model, fundamental knowledge, definition of blind signature, and security model of blind signature.
3.1. The System Model. In this subsection, we propose an improved system model of Cheung et al.'s architecture [34]. A smart grid network can be simplified into a hierarchical structure consisting of three basic layers: control centers, substations, and smart meters. They have different characteristics.
(i) A control center (CC) is at the top level and is maintained by the power operator. It can be a single server inside the power plant or distributed servers at different locations, responsible for parameter generation, entity registration, and issuing credentials for smart meters. In this paper, we assume that the control center is trusted
(ii) Substations (SS) are at the middle of the structure and fixed in a particular geographic location, as they contain expensive electric devices. They could communicate with users directly
(iii) Smart meters (SM) are at the lowest level and installed in the power application positions such as users' homes. They could send power requests to the control center
In our system construction, the main idea is that the control center makes good use of the proposed blind signature scheme to sign credentials for users. In this case, the identity of a user cannot be recognized when he or she sends a request to the control center, while the user's identity can be validly verified, because only a legal user could have requested blind signatures from the control center.
The workflow of the system model is shown in Figure 2 [5]. In the system setup phase, the control center (CC) generates a pair of public and private keys and assigns a unique identifier $ID_{SM}$ to each smart meter (SM) to be registered. In the smart meter registration phase, the CC first authenticates the SM's identity and decides to accept or reject this SM. Then, each user submits the blinded credential information to the CC. Each credential consists of a unique identity CID, issuance date $T$, a substation identifier $ID_{SS}$, and a value of power amount $v$ that a credential holder could request. Then, the CC generates a blind signature for the credential and sends it to the SM. Eventually, the SM unblinds the signature and obtains a signed credential. In the power requesting phase, the smart meter of a user requests more power when it finds that the electric appliances cannot be satisfied. The SM chooses a signed credential of the required value and transmits it to the SS with the identity $ID_{SS}$ noted in the credential. Then, the SS sends the signed credential to the CC. If the signature is valid and the credential's identity CID is not in the credential revocation list, the CC distributes the proper power, as stated in the credential, to the SS. Meanwhile, the CC adds CID to the credential revocation list. Finally, the SM receives the required power amount.
In the above process, the control center cannot recognize the real user identity through the blind signature. Therefore, the power consumption information is not disclosed to the CC. In the next subsection, we will introduce the knowledge related to blind signatures.
Elliptic Curve Discrete Logarithm Problem (ECDLP). Suppose that $G$ is a generator on $E(F_p)$ and $Q$ is a possible point on the elliptic curve; it is difficult to find an $x \in Z_n^*$ such that the equation $Q = x \cdot G$ holds.

The Modification Digital Signature Algorithm (MDSA).
As cited, the MDSA is mainly composed of three phases as follows: key generation, signing, and verifying.
(i) Key Generation. The signer randomly chooses an $x \in Z_n$ as the private key and computes $Q = x \cdot G$ as the public key
(ii) Signing. The user selects a random number $k \in Z_n$ and computes $R = k \cdot G = (x_1, y_1)$. $x_1 \bmod n$ is denoted by $r$. Then, he calculates $e = H(m)$ and $s = ke + xr \bmod n$. The signature output is $(s, R)$
(iii) Verifying. Upon receiving $m, s, R$, the verifier first computes $e = H(m)$ and extracts $r = x_1 \bmod n$. Then, he verifies the equation. If it is the case, $(s, R)$ is a valid signature
3.3. Definition of Blind Signature. A complete blind signature is composed of a setup phase, key generation phase, blind signature phase, and verification phase [29]. Specifically, the blind signature phase consists of two probabilistic polynomial-time (PPT) interactive algorithms run by the respective parties, signer S and user U.
(i) Setup Phase ($params \leftarrow Setup(\lambda)$). On inputting a security parameter $\lambda$ for the expected security level, a series of public parameters are output in this phase
(ii) Key Generation Phase ($(pk, sk) \leftarrow Gen(\lambda)$). This is a probabilistic polynomial-time (PPT) algorithm. Taking the security parameter $\lambda$ as input, it outputs a public and private key pair $(pk, sk)$
(iii) Blind Signature Phase. This phase includes two interactive PPT algorithms $Signer(pk, sk)$ and $User(pk, m)$
(a) complete or uncomplete $\leftarrow Signer(pk, sk)$. Upon inputting a public key $pk$ and the corresponding secret key $sk$ generated by $Gen(\cdot)$, the signer S outputs complete or uncomplete through the blind signature interactive process
(b) $\sigma(m)$ or fail $\leftarrow User(pk, nonce, m)$. Upon inputting a common public key $pk$ of S, selected blind factors $nonce$, and the message $m$ to be signed, the user U outputs fail or $\sigma(m)$ through the blind signature interactive process
(iv) Verification Phase (accept or reject $\leftarrow Verify(pk, m, \sigma(m))$). This is a deterministic polynomial-time algorithm. On inputting public key $pk$, message $m$, and the signature $\sigma(m)$, it always outputs accept on the condition that both signer S and user U follow the blind signature and S outputs complete, U outputs complete
3.4. Security Model of Blind Signature. We refer to Okamoto, who proposed a security model for blind signatures, and consider the following two properties: blindness and unforgeability [35].
3.4.1. Blindness. The blindness of blind signature is depicted by the following game between an adversarial signer $S^*$ and a simulator $B$ which controls two honest users $U_0, U_1$.
(i) An adversary $S^*$ inputs the security parameter $\lambda$ to obtain the public key $pk$ and two ordered messages
(v) Finally, $S^*$ outputs a guess bit $b' \in \{0, 1\}$
We define where $\mathrm{Adv}^{\mathrm{blind}}_{BS}$ is the advantage of adversary $S^*$ breaking the blindness property.
Definition 1 (blindness property). A blind signature protocol is recognized to be $(t, \varepsilon)$-blind if no PPT adversary $S^*$ breaks the blindness property in time at most $t$, and $\mathrm{Adv}^{\mathrm{blind}}_{BS}$ is at least $\varepsilon$.
3.4.2. Unforgeability. The unforgeability of blind signature is described by the following game between an honest signer S and a malicious user $U^*$.
(i) $Gen(\lambda)$ is run to obtain public and private keys $(pk, sk)$. Then, $pk$ is sent to $U^*$ and $sk$ is secretly held by S
(ii) $U^*$ adaptively engages in polynomially many parallel interactive blind signatures by the $User(pk, m)$ algorithm with S executing the $Signer(pk, sk)$ algorithm
(iii) Let $l$ denote the number of executions among $U^*$ and S, where S outputs complete
(iv) $U^*$ wins the game if he outputs $l^*$ valid signatures $((m_1, \sigma(m_1)), \cdots, (m_{l^*}, \sigma(m_{l^*})))$ such that they are different signatures for $l^*$ different messages and $l^* > l$
We define $\mathrm{Adv}^{\mathrm{unforge}}_{BS}$ as the probability that $U^*$ wins the above game. Then, we give the definition of blind signature unforgeability.
Definition 2 (unforgeability). A blind signature is $(t, q_S, \varepsilon)$-unforgeable if there does not exist a PPT adversary $U^*$ that wins the above game, where $t$ is the most time, $q_S$ is the most times $U^*$ motivates the blind signature, and $\varepsilon$ is the least $\mathrm{Adv}^{\mathrm{unforge}}_{BS}$.
Notations used in this paper are explained in Table 1.

Review of Bütün and Demirer's Scheme
In this section, Bütün and Demirer's scheme [13] will be briefly reviewed. Their scheme comprises the following five phases, including initialization, blinding, signing, unblinding, and verifying. Each phase of Bütün and Demirer's scheme is presented in the following subsection.
(i) Initialization Phase. The elliptic curve parameters are $params = \{p, F_p, a, b, G, n\}$, where $F_p$ is a finite field defined by the big prime number $p$; $a, b$ define the elliptic curve $E(F_p)$: $y^2 = x^3 + ax + b \bmod p$; $G$ is a base point on $E(F_p)$ with the order $n$. The signer randomly selects an integer $d \in Z_n^*$ as the secret key and calculates $Q = d \cdot G$ as the public key. For each blind signature request from a user, the signer chooses a random number $k \in Z_n^*$ and computes the point $\tilde{R} = kG = (x_1', y_1')$ and $\tilde{r} = x_1' \bmod n$. If $\tilde{r} = 0$, the signer reselects the nonce $k$; otherwise, he transmits $\tilde{R}$ to the user.
(ii) Blinding Phase. Upon receiving $\tilde{R}$, the user first extracts $\tilde{r}$ from $\tilde{R}$ and chooses two blind factors $\alpha, \beta \in Z_n^*$. Then, he calculates $R = \alpha\tilde{R} + \beta G = (x_1, y_1)$, $r = x_1 \bmod n$ and blinds message $m$ through $\tilde{m} = \alpha H(m)\tilde{r}r^{-1} \bmod n$. Finally, the user transmits the blinded message $\tilde{m}$ to the signer
Eventually, U outputs the digital signature $\{s, R\}$ on message $m$
(v) Verifying Phase. On receiving $\{s, R\}$, the verifier, respectively, calculates $f_1 = s \cdot G \bmod n$ and $f_2 = r \cdot Q + H(m) \cdot R$. Then, he verifies the equation. If the equation holds, $\{s, R\}$ is a valid signature of the message $m$; otherwise, the signature is invalid
Correctness. The correctness can be verified by the following equations:

Attack on Bütün and Demirer's Scheme
In this section, we show a malicious signer M can find a link between the blind signature s′ and the original message m.
Suppose that the signer saves all the transcripts $\{k, R', m', s'\}$ of his signatures. Using the unblinded signature $\{m, R, s\}$, M can match a blinded signature he has signed to an original message $m$. Detailed procedures are as follows:
(iv) Using the private key $d$ to verify whether the following equation $dr + k\alpha' H(m') + \beta' H(m') = s$ holds
If equation (4) holds, M is able to find the linkage between the blind signature and his signed blind message m; otherwise, he goes through all transcripts $\{k, R', m', s'\}$ and repeats the above process. This shows that Bütün and Demirer's scheme is insecure, because untraceability is absent. The next section is our improvement of Bütün and Demirer's scheme.

Our Proposed Scheme
In this section, an untraceable blind signature scheme is completely described. Our blind signature scheme comprises four phases: setup phase, key generation phase, blind signing phase, and verification phase.
6.1. Setup Phase. On inputting the security parameter $\lambda$ to reach the expected security magnitude, the elliptic curve parameters are output as $params = \{p, F_p, a, b, G, n\}$, where $p$ is a large prime that specifies the finite field $F_p$; $a, b \in F_p$ define the elliptic curve $E(F_p)$: $y^2 = x^3 + ax + b \bmod p$; $G$ is a base point on $E(F_p)$, and $n$ is the prime order of $G$.
6.2. Key Generation Phase. The private and public keys of the signer S are generated by the following steps: first, generating a random nonce $d$ from $Z_n^*$; second, calculating the elliptic curve point $Q = d \cdot G = (x_Q, y_Q)$; finally, S keeps the private key $d$ secret and publishes the public key $Q$.

Blind Signing Phase. As shown in Figure 3, the user and the signer execute the following steps to generate a signature.
(i) For each blind signature request, a random integer $k$ is generated by S and the elliptic curve point $\tilde{R}$ is computed as follows:
Moreover, the signer checks $\tilde{r} \neq 0$. If the inequality holds, S transmits the elliptic curve point $\tilde{R}$ to the user U; otherwise, S reselects $k$ and repeats (5) to fulfill $\tilde{r} \neq 0$
(ii) Upon receiving $\tilde{R}$, U performs the following operations to obtain the blinded message $\tilde{m}$. Firstly, extracting $\tilde{r} = x_1' \bmod n$ from $\tilde{R}$. Secondly, randomly selecting two factors $\alpha, \beta \in Z_n^*$ and computing $R = (\alpha + \beta H(m)^{-1})\tilde{R} + (\alpha^{-1}\tilde{r}^{-1} + \alpha\beta)G = (x_1, y_1)$. Thirdly, extracting $r = x_1 \bmod n$ from $R$. Finally, calculating $\tilde{m} = (\alpha H(m) + \beta)r^{-1}\tilde{r} \bmod n$ to blind the original message. Having executed the above steps, U sends the blinded message $\tilde{m}$ to S
(iii) Upon receiving $\tilde{m}$, S first extracts $\tilde{r} = x_1' \bmod n$ from $\tilde{R}$. Then, he uses private key $d$ and selects a random nonce $k$ to compute the blind signature $\tilde{s} = d\tilde{r} + k\tilde{m} \bmod n$. Finally, S transmits the blinded signature $\tilde{s}$ to U
(iv) On receiving $\tilde{s}$, U verifies whether $\tilde{s} \in Z_n^*$ is satisfied. If it holds, the signature is unblinded as follows:
Eventually, U outputs the digital signature $\{s, R\}$ on message $m$
6.4. Verification Phase. Any verifier can verify the validity of the signature $\{s, R\}$. First, using the public parameter $G$ and signature $s$ to compute $g_1 = s \cdot G \bmod n$; second, extracting $r = x_1 \bmod n$ from $R = (x_1, y_1)$; third, using the signer's public key $Q$ and signature value $R$ to calculate $g_2 = r \cdot Q + H(m) \cdot R$; finally, verifying whether the equation $g_1 = g_2$ holds.
If the equation holds, $\{s, R\}$ is a valid signature of message $m$; otherwise, the signature is invalid.
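Added example, not code from the paper: the setup, key generation, blind signing and verification phases above run end to end in Python, followed by the control center's revocation-list check from the system model. Assumptions: secp256k1 as the curve, SHA-256 reduced mod n as H, a constructed `CID|T|ID_SS|v` credential encoding, the unblinding formula as stated in the blindness proof, and the signer reusing in step (iii) the same k it chose in step (i), which the verification equation requires.

```python
import hashlib, secrets

# ASSUMPTION: secp256k1 stands in for params = {p, F_p, a, b, G, n}; the paper names no curve.
P, A = 2**256 - 2**32 - 977, 0
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def inv(x, m=N):
    return pow(x % m, -1, m)

def add(p1, p2):                                 # affine addition; None = point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * inv(2 * y1, P) if p1 == p2
           else (y2 - y1) * inv(x2 - x1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):                                  # double-and-add, not constant time
    acc, k = None, k % N
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(m):                                        # ASSUMPTION: SHA-256 reduced mod n
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def rand():                                      # uniform element of Z_n^*
    return secrets.randbelow(N - 1) + 1

def keygen():                                    # 6.2: private d, public Q = d*G
    d = rand()
    return d, mul(d, G)

def signer_commit():                             # step (i): R~ = k*G, retry while r~ = 0
    while True:
        k = rand()
        Rt = mul(k, G)
        if Rt[0] % N:
            return k, Rt

def user_blind(m, Rt):                           # step (ii): blind H(m) with alpha, beta
    e, rt = H(m), Rt[0] % N
    while True:
        al, be = rand(), rand()
        R = add(mul(al + be * inv(e), Rt), mul(inv(al) * inv(rt) + al * be, G))
        if R is not None and R[0] % N:           # r must be invertible mod n
            mt = (al * e + be) * inv(R[0] % N) * rt % N
            return (al, be, R), mt

def signer_sign(d, k, Rt, mt):                   # step (iii): s~ = d*r~ + k*m~ mod n
    return (d * (Rt[0] % N) + k * mt) % N

def user_unblind(m, state, Rt, st):              # step (iv): check s~, then unblind
    if not 0 < st < N:
        raise ValueError("blinded signature outside Z_n^*")
    al, be, R = state
    e, r, rt = H(m), R[0] % N, Rt[0] % N
    return ((st * r + inv(al) * e) * inv(rt) + al * be * e) % N, R

def verify(Q, m, sig):                           # 6.4: s*G == r*Q + H(m)*R
    s, R = sig
    if R is None or not 0 < s < N:
        return False
    return mul(s, G) == add(mul(R[0] % N, Q), mul(H(m), R))

def issue(d, cred):                              # one run; signer sees only (R~, m~, s~)
    k, Rt = signer_commit()
    state, mt = user_blind(cred, Rt)
    st = signer_sign(d, k, Rt, mt)
    return user_unblind(cred, state, Rt, st), (Rt, mt, st)

def redeem(Q, revoked, cred, sig):
    """CC side of a power request: valid signature and CID not yet revoked."""
    cid = cred.split(b"|")[0]                    # constructed encoding CID|T|ID_SS|v
    if cid in revoked or not verify(Q, cred, sig):
        return False
    revoked.add(cid)
    return True
```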
Correctness. The correctness can be verified by the following equations:
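Added derivation (worked here from the steps of the blind signing phase and the unblinding formula stated in the blindness proof; not the paper's own typeset equations), writing $\tilde{R}, \tilde{r}, \tilde{m}, \tilde{s}$ for the signer-side values, with $\tilde{R} = k \cdot G$ and $Q = d \cdot G$:

$$\tilde{s}\,r\,\tilde{r}^{-1} = (d\tilde{r} + k\tilde{m})\,r\,\tilde{r}^{-1} = dr + k(\alpha H(m) + \beta) \pmod n, \quad \text{since } \tilde{m} = (\alpha H(m) + \beta)\,r^{-1}\tilde{r}$$

$$s = (\tilde{s}r + \alpha^{-1}H(m))\,\tilde{r}^{-1} + \alpha\beta H(m) = dr + k(\alpha H(m) + \beta) + \alpha^{-1}\tilde{r}^{-1}H(m) + \alpha\beta H(m) \pmod n$$

$$r \cdot Q + H(m) \cdot R = \left[dr + H(m)\left((\alpha + \beta H(m)^{-1})k + \alpha^{-1}\tilde{r}^{-1} + \alpha\beta\right)\right] G = \left[dr + k(\alpha H(m) + \beta) + \alpha^{-1}\tilde{r}^{-1}H(m) + \alpha\beta H(m)\right] G = s \cdot G$$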

Security
In this section, we give the formal security proof of our blind signature scheme's blindness property and unforgeability.

Security Proof.
According to the security model of blindness in Section 3.4, the blindness is to guarantee that an adversarial signer S * cannot distinguish signatures from two different messages. We will show that our scheme's signature values are independent from the view of S * .

Theorem 3 (blindness property).
Our proposed blind signature keeps blindness property.
Proof. For any public key output $Q$ from the malicious signer $S^*$, $(k, \tilde{m})$ is perfectly independent from $(m, \alpha, \beta)$ in the blind signature process in the view of $S^*$. On the one hand, $k$ is a completely random number chosen from $Z_n^*$. On the other hand, $\tilde{m} = (\alpha H(m) + \beta)r^{-1}\tilde{r} \bmod n$, where $\tilde{r}$ is the x-coordinate of $\tilde{R} = k \cdot G$. Due to the randomness of $k$, $\tilde{m}$ is independent of $(m, \alpha, \beta)$. ☐
Next, we will prove that the signature $(m, s, R)$ is independent from the view of $S^*$. Since $s = (\tilde{s}r + \alpha^{-1}H(m))\tilde{r}^{-1} + \alpha\beta H(m) \bmod n$ and $(m, \alpha, \beta)$ cannot be obtained from $(k, \tilde{m})$, $s$ is perfectly independent. Moreover, $R = (\alpha + \beta H(m)^{-1})\tilde{R} + (\alpha^{-1}\tilde{r}^{-1})G + \alpha\beta G$ and $(\alpha, \beta)$ is not related to $(k, \tilde{m})$. Therefore, the signature values $(m, s, R)$ are independent in the view of $S^*$.
Above all, our blind signature scheme keeps perfectly blindness property.
Proof. Suppose that $A$ is an adversary delegated for a malicious user that forges the proposed blind signature scheme; then there exists a challenger $C$ that can break unforgeability of the MDSA. Then, it is contradictory to the ECDLP assumption. ☐
In this proof, the $Signer(pk, sk)$ algorithm is modelled as a signing oracle, and the forging process of the proposed blind signature is depicted as follows.
(i) $C$ runs $Gen(\lambda)$ to generate a pair of public and private keys $(Q = x \cdot G, sk = x)$. Then, $B$ sends $Q$ to $A$ as the public key
(ii) $C$ executes the signing oracle following the proposed blind signature, that is, the signing oracle outputs $\tilde{R}$ and $\tilde{s}$ with the corresponding $\tilde{m}$ from $A$
(iii) $A$ could adaptively request $C$ $l$ times to sign different $\tilde{m}$ as in the proposed interactive blind signature
(iv) If $A$ outputs $l^*$ different signatures $\Sigma = ((m_1, s_1, R_1), \cdots, (m_{l^*}, s_{l^*}, R_{l^*}))$, $l^* > l$, there exists one signature $(m_f, s_f, R_f) \in \Sigma$ forged by $A$. In addition, $A$ cannot obtain the secret key $x$ through $\tilde{R}, \tilde{s}$, because $\tilde{R}$ is unrelated to $x$ and the private key cannot be recovered from the equation $\tilde{s} = x\tilde{r} + k\tilde{m} \bmod n$ with $k$ unknown to $A$
Moreover, the signature $(s, R)$ is a variant of MDSA since $s = (\tilde{s}r + \alpha^{-1}H(m))\tilde{r}^{-1} + \alpha\beta H(m) \bmod n = xr + H(m)(\alpha + \beta H(m)^{-1} + \alpha^{-1}\tilde{r}^{-1} + \alpha\beta) = xr + H(m)z$, where $z = \alpha + \beta H(m)^{-1} + \alpha^{-1}\tilde{r}^{-1} + \alpha\beta$, and the signature is verified by the equation $s \cdot G = r \cdot Q + H(m) \cdot R$. Therefore, unforgeability of the proposed blind signature is reduced to the security of MDSA. Under the difficulty assumption of ECDLP, MDSA is existentially unforgeable.

Security Analysis.
According to references, we analyze identity privacy preservation, unforgeability, untraceability, and verifiability of the proposed scheme.
(i) Privacy Preservation. We have proven blindness of our proposed blind signature in 7.1. Therefore, nobody, including the control center and substations, could recognize the real identity of users when they request more power. Thus, identity and electricity consumption privacy of users could be protected
(ii) Unforgeability. As shown in 7.1, the proposed blind signature scheme is existentially unforgeable.
Tables 2 and 3 separately.
8.1. Security Properties. As we have analyzed in this paper, Bütün and Demirer's scheme [13] cannot resist a malicious signer tracing the original message he has signed, which means there is no untraceability in Bütün and Demirer's scheme. Furthermore, traceability provides opportunities for adversaries to recognize users' daily schedule, and privacy preservation does not hold. In addition, [36] does not provide an unlinkability proof, and [37] does not have privileged insider resistance or an unlinkability proof.

Performance Analysis
8.2.1. Computational Cost. In this subsection, we mainly consider the more time-consuming operations hash-to-point ($T_H$), point multiplication ($T_{pm}$), and modular inversion ($T_{mi}$) and adopt the executing time in [38] as shown in Table 4. It can be seen that the proposed scheme requires 3 point multiplication operations and 4 modular inversions, i.e., 6.663 ms, which is only slightly larger than that of [13] and smaller than the other three schemes' computational cost.
Table 3. We can see that our scheme and Ref. [13] have the least communication cost, i.e., 1024 bits, compared with the other three works. Therefore, our scheme needs the least communication bandwidth. Above all, the proposed scheme has better security properties than Bütün and Demirer's [13], although it performs two more modular inversions, and has better computational costs with the same security properties as Verma et al.'s scheme.

Conclusion
Our scheme provides value in both theory and application to some extent. On the one hand, the proposed untraceable blind signature is constructed under the noted MDSA algorithm, the proof of which gives theoretical assurance of blindness and unforgeability. On the other hand, we put forward a new credential-based privacy-preserving power request model for smart grid. In this system model, the user's daily schedule could not leak outside with the help of the blind signature, since blind factors hide the real signed message from the signer and verifiers cannot identify the real sources of messages. Moreover, it was shown that this scheme has better security or computational costs compared with other blind signatures under the same background or cryptographic infrastructure.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.