Professional Documents
Culture Documents
Abstract—The real-time electricity consumption data can manage the power grid more accurately. Moreover, the electric-
be used in value-added service such as big data analysis, ity consumption data has economic values, for example, it can
meanwhile the single user’s privacy needs to be protected. be used for the business advertisement and government deci-
How to balance the data utility and the privacy preservation
is a vital issue, where the privacy-preserving data aggrega- sions [7]–[11]. Hence, the electricity data should be provided to
tion could be a feasible solution. Most of the existing data other organizations out of the power grid system. However, the
aggregation schemes rely on a trusted third party (TTP). single user’s electricity consumption data contains the privacy
However, this assumption will have negative impact on reli- information, for example, the user’s habits and the lifestyle can
ability, because the system can be easily knocked down by
be easily inferred, the thief may break in when there is nobody
the denial of service attack. In this paper, a practical privacy-
preserving data aggregation scheme is proposed without in the house, which may cause serious result. Therefore, how to
TTP, in which the users with some extent trust construct balance the usability and the privacy of the electricity consump-
a virtual aggregation area to mask the single user’s data, tion data is not only a vital academic issue, but also a technique
and meanwhile, the aggregation result almost has no effect bottleneck for the smart grid. In order to address this problem,
for the data utility in large scale applications. The computa-
privacy-preserving data aggregation has been suggested as a fea-
tion cost and communication overhead are reduced in order
to promote the practicability. Moreover, the security analy- sible solution [12], [13], with the following two requirements:
sis and the performance evaluation show that the proposed First, the aggregation operator can obtain the sum of usage data
scheme is robust and efficient. in a region. Second, the aggregation operator knows nothing
Index Terms—Data aggregation, data utility, distributed about a single usage data in this region.
decryption algorithm, privacy preservation, smart grid. The homomorphic encryption (HE) [14] is a prospective tool
to achieve data aggregation due to its property, which allows
I. INTRODUCTION the addition operation to be performed on the encrypted values.
S THE next generation of grid, the smart grid has greater Specifically, each user encrypts her data using HE, then sends it
A advantage over the traditional power grid due to its
advanced communication capacity [1]–[5]. In the model [6]
to the aggregation operator. Afterward, the aggregation opera-
tor decrypts the aggregated ciphertext to obtain the sum of data
presented by National Institute of Standards and Technology usage thanks to the additive homomorphic property. However,
(NIST), the smart meter (SM) in the building (residence, com- the privacy only relying on HE is not perfect, since the aggre-
pany, or industry) collects and sends the real-time usage data to gation operator may violate the individual privacy by directly
the operation center (OC), and meantime, SM receives the com- decrypting a single ciphertext [15]. Thus, a trusted data collec-
mand messages from OC. With the real-time usage data, OC can tion unit (DCU) is used to prevent the aggregation operator from
obtaining the single ciphertext, and its duty is to provide the ag-
Manuscript received November 4, 2017; revised January 5, 2018 gregated ciphertext to the aggregation operator. In short, DCU
and February 5, 2018; accepted February 13, 2018. Date of publica- as a security anchor should be trusted to aggregate all users’
tion February 27, 2018; date of current version March 1, 2019. This ciphertexts and it should only provide the aggregated ciphertext
work was supported in part by the National Natural Science Founda-
tion of China under Grant 61662016, Grant 61672029, Grant 61772224, to the aggregation operator.
Grant 61572146, Grant U1501252, and Grant U1711263, in part by Random number is another useful tool to design data ag-
the Innovation Project of Guangxi Graduate Education under Grant gregation scheme [16]–[18]. Usually, a series of random num-
YCSW2017139, and in part by the Study Abroad Program for Graduate
Student of Guilin University of Electronic Technology. Paper no. TII-17- bers satisfying some requirements are securely distributed to
2595. (Corresponding author: Yining Liu and Chi Cheng.) the users and the aggregation operator in advance, and each user
Y. Liu, W. Guo, and L. Chang are with the Guangxi Key Laboratory can obfuscate the usage data with its random number, then the
of Trusted Software, Guilin University of Electronic Technology, Guilin
541004, China (e-mail: ynliu@guet.edu.cn; guoweigetit@gmail.com; aggregation operator can eliminate all user’s random numbers to
changl@guet.edu.cn). obtain the aggregation of the usage data. However, this process
C.-I. Fan is with the Department of Computer Science and Engineer- relies on a TTP to generate and distribute the random numbers.
ing, National Sun Yat-sen University, Kaohsiung 80424, Taiwan (e-mail:
cifan@cse.nsysu.edu.tw). Another example using random numbers is the differential
C. Cheng is with the School of Computer Science, China University of privacy [19], which adds the random noise obeying Laplace
Geosciences, Wuhan 430074, China (e-mail: chengchizz@gmail.com). or other distribution to mask the original value. Although the
Color versions of one or more of the figures in this paper are available
online at http://ieeexplore.ieee.org. aggregation using differential privacy is not accurate, it is used
Digital Object Identifier 10.1109/TII.2018.2809672 in many studies. For instance, Liu et al. [20] proposed a data
1551-3203 © 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution
requires IEEE permission. See http://www.ieee.org/publications standards/publications/rights/index.html for more information.
1768 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 15, NO. 3, MARCH 2019
TABLE I 2) DCU aggregates the received data, and sends the aggre-
NOTATIONS
gated ciphertext (C a , C b ) to OC.
3) OC recovers the aggregated result Sum using the dis-
Notation Description tributed decryption algorithm.
E(F p ) Elliptic curve on the Galois field F p
q Order of E(F p )
G1, G2, G3 Generators of E(F p )
A. System Setup
H1 , H2 H1 : {0, 1}∗ → Z q∗ , H2 : {0, 1}∗ → E(F p ) A 3PDA is built on the elliptic curve E(F p ) with order q, and
xi , Yi , σi , σ̂i Private key, public key, and signature of SMi
xDCU , YDCU , σDCU Private key, public key, and signature of DCU G 1 , G 2 , G 3 are generators. H1 and H2 are secure hash functions,
xOC , YOC , σOC Private key, public key, and signature of OC where H1 : {0, 1}∗ → Z q∗ and H2 : {0, 1}∗ → E(F p ).
Certi Certificate of SMi OC issues digital certificates to SMs and DCU as follows.
(Cia , Cib ) Ciphertext from SMi
(C a , C b ) Aggregated ciphertext
1) Step 1: SMi and DCU select random numbers xi and
|| Concatenation operation xDCU from Z q∗ as their private keys, then calculate the
corresponding public keys Yi = xi · G 1 and YDCU =
xDCU · G 1 .
(2) Uti performs the distributed decryption Di = xti C a with
2) Step 2: OC issues the certificates Certi and CertDCU
the received messages, then sends Di back to the de-
to SMi and DCU, where Certi = xOC · H2 (I Di ||Yi )
cryption operator.
and CertDCU = xOC · H2 (I DDCU ||YDCU ).
(3) The decryption operator recovers m by
E(F p ), q, G 1 , G 2 , G 3 , H1 , H2 , and YOC are published as
k
public parameters, where YOC is OC’s public key.
m = logG 1 C − b
λi Di (7)
i=1
B. Aggregation Area Creation
tj
where λi is the Lagrange coefficient j∈{A−i} t j −ti , and
n SMs form an aggregation area (group) by generating a
A is the number set [1, k]. group key GK.
1) Step 1: SMi broadcasts I Di , Yi , Certi into the group,
B. CL* Signature Scheme (i = 1, . . . , n).
The CL* signature scheme [33] is characterized by verifying 2) Step 2: SMi verifies other SMs’ information by
n signatures from n users simultaneously. ⎛ ⎞ ⎛ ⎞
1) Key Generation: CL* signature is based on the elliptic
⎜n
⎟ ? ⎜ n
⎟
curve E(F p ) of the order q with three generators G 1 , G 2 , G 3 . ⎜ ⎟ ⎜
H2 (I D j ||Y j ), YOC ⎠ = e ⎝ Cert j , G 1 ⎟
e⎝ ⎠.
There are n users Ui , (i = 1, ..., n) with the private key xi ∈ Z q∗ j=1 j=1
and the public key Yi = xi · G 1 . In addition, a series of public j=i j=i
σi = xi · G 2 + xi h i · G 3 . (8) GK = Yi . (11)
i=1
3) Batch Verification: The received (m i , σi ), (i = 1, ..., n)
from n users are verified with (9), where e is the mapping of the C. Ciphertext Generation
bilinear pairings [26], [34]
n SMi , (i = 1, . . . , n) encrypts its data m i and sends the cipher-
?
n n
text to DCU as follows.
e σi , G 1 = e G 2 , Yi · e G 3 , H1 (m i ) · Yi . 1) Step 1: SMi selects a random number ri ∈ Z q∗ , and
i=1 i=1 i=1
(9) computes the ciphertext (Cia , Cib ), where Cia = ri ·
G 1 and Cib = m i · G 1 + ri · GK.
V. OUR SCHEME 2) Step 2: With the private key xi , SMi generates
the signature σi = xi · G 2 + xi h i · G 3 , where h i =
Our 3PDA scheme includes five phases: System setup, aggre- H1 (I Di ||Cia ||Dib ||T si ). T si denotes the time of the
gation area creation, ciphertext generation, ciphertext aggre- data collection.
gation, and distributed decryption. The notations are listed in 3) Step 3: SMi broadcasts Pi = {I Di , Cia , Cib , T si , σi }
Table I. to DCU.
As illustrated in Fig. 3, the main workflows in 3PDA are as
follows.
D. Ciphertext Aggregation
1) n SMs form an aggregation area and compute a group
key GK, then SMi encrypts its data m i into the ciphertext DCU aggregates the received messages from SMi , (i =
(Cia , Cib ) and sends it to DCU. 1, ..., n), and forwards it to OC.
LIU et al.: PRACTICAL PRIVACY-PRESERVING DATA AGGREGATION (3PDA) SCHEME FOR SMART GRID 1771
1) Step 1: Receiving the packets Pi , (i = 1, ..., n), 4) Step 4: Receiving P̂i , (i = 1, ..., n), OC verifies the
DCU verifies n signatures by (12), where h i = signatures by (15), where ĥ i = H1 (I Di ||Di ||T̂ si )
H1 (I Di ||Cia ||Cib ||T si ). n
n ?
n n
n
n e σ̂i , G 1 =e G 2 , Yi · e G 3 , (ĥ i · Yi ) .
?
e σi , G 1 = e G 2 , Yi · e G 3 , (h i · Yi ) . i=1 i=1 i=1
i=1 i=1 i=1 (15)
(12) 5) Step 5: If the authentication is successful, OC uses
2) Step 2: Using those ciphertexts (Cia , Cib )(i = Di (i = 1, ..., n) to recover the aggregated data Sum
1, ..., n), DCU computes the aggregated
n ciphertext by (16). Following the assumption m i ∈ [0, K ] in
(C
n
a
, C b
) by (13), where r = i=1 r i and Sum = Section IV-A, the range of Sum falls within
i=1 m i . [0, n K ]. Thus, Sum can be recovered using the Pol-
n lard’s
√ Lambda algorithm with the time complexity
n
(C , C ) =
a b
Ci ,
a b
Ci O( n K )
(13)
i=1 i=1 n
?
e(Ca , Yi ) = e(Di , G 1 ) (17) B. Authentication and Integrity
where Ca is sent from DCU, Yi is public key of SMi , and G 1 is Since the digital signature is created with the private key,
the system parameter. If this equation holds, the user is believed and is verified with the corresponding public key, it is used to
to execute correctly. Otherwise, the user is viewed as a lazy achieved the authentication and integrity.
participant, and would be severely punished. In 3PDA, all data, sent from SMs and DCU, are signed with
In fact, Postinspection phase is optional, OC determines CL* signature method, which is based on LRSW assumption
which users are picked and when to execute this phase. [36], and provably secure under the random oracle model.
TABLE II
TIME COST OF SUBOPERATIONS ON 3PDA
[19] C. Dwork, K. Kenthapadi, F. McSherry, I. Mironov, and M. Naor, “Our Wei Guo received the M.E. degree in computer
data, ourselves: Privacy via distributed noise generation.” in Eurocrypt, technology from Guilin University of Electronic
vol. 4004. New York, NY, USA: Springer, 2006, pp. 486–503. Technology, Guilin, China, in 2018. He received
[20] Y. Liu, G. Liu, C. Cheng, Z. Xia, and J. Shen, “A privacy-preserving health the B.S. degree in information and computa-
data aggregation scheme.” KSII Trans. Internet Inf. Syst., vol. 10, no. 8, tional science from the Guilin University of Elec-
pp. 3852–3864, 2016. tronic Technology, in 2015.
[21] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11, His research interest focuses on data
pp. 612–613, 1979. aggregation.
[22] C. Tang, S. Gao, C. Zhang, “The optimal linear secret sharing scheme
for any given access structure,” J. Syst. Sci. Complexity, vol. 26, no. 4,
pp. 634–649, 2013.
[23] C. Rottondi, G. Verticale, and C. Krauss, “Distributed privacy-preserving
aggregation of metering data in smart grids,” IEEE J. Sel. Areas Commun.,
vol. 31, no. 7, pp. 1342–1354, Jul. 2013.
[24] R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, “EPPA: An efficient and
privacy-preserving aggregation scheme for secure smart grid communica-
tions,” IEEE Trans. Parallel Distrib. Syst., vol. 23, no. 9, pp. 1621–1631, Chun-I Fan received the M.S. degree in com-
Sep. 2012. puter science and information engineering from
[25] T. W. Chim, S.-M. Yiu, V. O. Li, L. C. Hui, and J. Zhong, “PRGA: the National Chiao Tung University, Taiwan, in
Privacy-preserving recording gateway-assisted authentication of power 1993, and the Ph.D. degree in electrical en-
usage information for smart grid,” IEEE Trans. Dependable Secure Com- gineering from the National Taiwan University,
put., vol. 12, no. 1, pp. 85–97, 2015. Taiwan, in 1998.
[26] H. Shen, M. Zhang, and J. Shen, “Efficient privacy-preserving cube-data He is currently a Full Professor with the De-
aggregation scheme for smart grids,” IEEE Trans. Inf. Forensics Security, partment of Computer Science and Engineer-
vol. 12, no. 6, pp. 1369–1381, Jun. 2017. ing, National Sun Yat-sen University, Kaohsiung,
[27] H. J. Jo, I. S. Kim, and D. H. Lee, “Efficient and privacy-preserving Taiwan. His research interests include applied
metering protocols for smart grid systems,” IEEE Trans. Smart Grid, cryptology, cryptographic protocols, and infor-
vol. 7, no. 3, pp. 1732–1742, May 2016. mation and communication security.
[28] A. Sanjab, W. Saad, I. Guvenc, A. Sarwat, and S. Biswas, “Smart grid
security: Threats, challenges, and solutions,” arXiv:1606.06992, 2016.
[29] C. Cheng, R. Lu, A. Petzoldt, and T. Takagi, “Securing the Internet of
Things in a quantum world,” IEEE Commun. Mag., vol. 55, no. 2, pp. 116–
120, Feb. 2017.
[30] T. ElGamal, “A public key cryptosystem and a signature scheme based on
discrete logarithms,” IEEE Trans. Inform. Theory, vol. 31, no. 4, pp. 469–
472, Jul. 1985.
[31] Y. G. Desmedt, “Threshold cryptography,” Eur. Trans. Telecom- Liang Chang received the Ph.D. degree in
mun., vol. 5, no. 4, pp. 449–458, 1994, [Online]. Available: http:// computer science from the Institute of Comput-
dx.doi.org/10.1002/ett.4460050407 ing Technology, Chinese Academy of Sciences,
[32] M. Balli, S. Uludag, A. Selcuk, and B. Tavli, “Distributed multi- Beijing, China, in 2008.
unit privacy assured bidding (PAB) for smart grid demand re- He is currently a Professor with the School
sponse programs,” IEEE Trans. Smart Grid, [Online]. Available: of Computer Science and Information Secu-
http://dx.doi.org/10.1109/TSG.2017.2651029. rity, Guilin University of Electronic Technology,
[33] J. Camenisch, S. Hohenberger, and M. Ø. Pedersen, “Batch verification Guilin, China. His research interests include
of short signatures,” J. Cryptol., vol. 25, no. 4, pp. 723–747, 2012. trusted software and security protocol.
[34] C. Zuo, J. Shao, J. K. Liu, G. Wei, and Y. Ling, “Fine-grained two-factor
protection mechanism for data sharing in cloud storage,” IEEE Trans. Inf.
Forensics Security, vol. 13, no. 1, pp. 186–196, Jan. 2018.
[35] R. Lu and Z. Cao, “Simple three-party key exchange protocol,” Comput.
Security, vol. 26, no. 1, pp. 94–97, 2007.
[36] A. Lysyanskaya, R. L. Rivest, A. Sahai, and S. Wolf, “Pseudonym sys-
tems,” in Selected Areas in Cryptography, vol. 1758. New York, NY, USA:
Springer, 1999, pp. 184–199.
Chi Cheng received the B.S. and M.S. degrees
in mathematics from Hubei University, Wuhan,
Yining Liu received the B.S. degree in applied P. R. China, in 2003 and 2006, respectively, and
mathematics from Information Engineering Uni- the Ph.D. degree in information and communi-
versity, Zhengzhou, China, in 1995, the M.E. in cation engineering from Huazhong University of
computer software and theory from Huazhong Science and Technology, Wuhan, P. R. China,
University of Science and Technology, Wuhan, in December, 2013. From November 2014 to
China, in 2003, and the Ph.D. degree in mathe- November 2016, he was a Japan Society for
matics from Hubei University, Wuhan, China, in the Promotion of Science (JSPS) postdoctoral
2007. researcher at Kyushu University, Japan.
He is currently a Professor with the School of He is currently an Associate Professor in the
Computer and Information Security, Guilin Uni- School of Computer Science, China University of Geosciences (Wuhan),
versity of Electronic Technology, Guilin, China. China. His research interests focus on Applied cryptography and network
His research interests include the information security protocol, and data security.
privacy.