
This article has been accepted for publication in a future issue of this journal, but has not been

fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2017.2656475, IEEE
Transactions on Information Forensics and Security
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, manuscript ID 1

Efficient Privacy-preserving Cube-data Aggregation Scheme for Smart Grids

Hua Shen, Mingwu Zhang*, Jian Shen

Manuscript received July 21, 2016. This work was supported by the National Natural Science Foundation of China under grant 61370224 and 61672010, the CICAEET fund and the PAPD fund.
H. Shen and M. Zhang are with the School of Computer Science, Hubei University of Technology, Wuhan 430068, China (e-mail: nancy78733@126.com, scauzhang@gmail.com).
J. Shen is with the School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing 210044, China (e-mail: s_shenjian@126.com).
* Corresponding author: Mingwu Zhang, csmwzhang@gmail.com

1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Abstract: Efficient power management in smart grids requires obtaining power consumption data from each resident. However, data concerning users' electricity consumption might reveal sensitive information, such as living habits and lifestyles. In order to solve this problem, this paper proposes a privacy-preserving cube-data aggregation scheme for electricity consumption. In our scheme, a data item is described as a multi-dimensional data structure (l-dimensional), and users form and live in multiple residential areas (m areas, and at most n users in each area). Based on Horner's Rule, for each user, we construct a user-level polynomial to store dimensional values in a single data space by using the first Horner parameter. After embedding the second Horner parameter into the polynomial, the polynomial is hidden by using Paillier cryptosystem. By aggregating data from m areas, we hide the area-level polynomial into the final output. Moreover, we propose a batch verification scheme in multi-dimensional data to reduce authentication cost. Finally, our analysis shows that the proposed scheme is efficient in terms of computation and communication costs, suitable for massive user groups, and supports the flexible and rapid growth of residential scales in smart grids.

Index Terms: Smart grids, Privacy preserving, Cube data aggregation.

I. INTRODUCTION

Smart grid is considered as one of the most important trends in next-generation power grids, which integrates the traditional power grid system with advanced information and communication technology [1-4]. A reliable, secure, flexible, and manageable information and communication network is the backbone of smart grids [5]. To support various network functions, many intelligent electronic devices, such as intelligent terminals and smart meters, have been deployed and used in smart grid systems [6]. Due to the installation of smart meters at user side, two-way communication (which can implement request and response) is established, and demand response is possible [7]. However, attackers can eavesdrop on the communication channel between user and control center, and identify the user's electricity demand [8]. They can then track the user's living habits or lifestyle, which are private information of the residents [9], [10]. Therefore, privacy protection is a very important issue during deployment of smart grids.

Electricity data aggregation [11-15] can be used to help implement privacy protection for residential grids. For example, a user sends encrypted electricity usage data to a gateway; after receiving all user data, the gateway decrypts them and aggregates them into one-dimensional integrated data. Finally, the gateway sends the aggregated data to the control center. Traditional approaches allow the control center to obtain the total electricity usage data but nothing pertaining to data for any particular user. However, an adversary can obtain a user's private information by invading the gateway's database. In order to avoid this situation, the gateway must not carry out the aggregation operations in a plaintext manner.

Recently, several one-dimensional data aggregation schemes based on homomorphic encryption technologies (Paillier cryptosystem, Boneh-Goh-Nissim cryptosystem, etc.) have been proposed [8], [11], [16-22]. Based on the techniques of one-time masking, secret-sharing, lattice cryptographic, and the grouping idea, some studies [11], [23-26] have proposed one-dimensional data aggregation schemes.

In practice, electricity usage data are multi-dimensional for fine-grained control. For example, we can categorize electricity data according to electrical appliances (lamp, refrigerator, air-conditioning, and so on), and this can realize state-of-the-art control aiming to green electricity consumption. These categories allow the user to control and use the device efficiently. By using a super-increasing sequence and Paillier cryptosystem to address multi-dimensional measurements, [27] proposed a multi-dimensional data aggregation scheme (EPPA). Based on the cryptographic token issuance and the partial blind signature, [28] provided an anonymous multi-dimensional data aggregation scheme. The system model in [28] is a flat-topology structure, and users directly send reports to the control center. However, this topology limits the rapid growth of the user scale, and leads to non-flexible electricity regulation. The system model in [27] imposes a local gateway to achieve a non-flat topological structure and resolves the above drawback; users send reports to the local gateway, which then sends aggregated data to the control center. However, in this model, all users form and live in only one residential area, which limits

the upper bound of the user scale.

To realize multi-granularity electricity regulation and large-scale user management, we propose a privacy-preserving cube-data aggregation scheme based on a two-level gateway topology.

The remainder of this paper is organized as follows: We provide an overview of related work in Section 2. In Section 3, we summarize our work and provide the system model, security requirements, and the design goal. In Section 4, we introduce some terms and technologies that are used in the paper. We provide our concrete scheme in Section 5 and the security analysis in Section 6. The feature comparison and performance analysis is provided in Sections 7 and 8, respectively. Finally, we draw our conclusion in Section 9.

TABLE I
MAIN NOTATIONS

Notation                  Description
CC, DGW                   Control center, District gateway
RAGWi                     i-th Residential area gateway
HANik/Userik              k-th Home area network (HAN) / User in i-th residential area
BAMDDi                    Basic aggregated multi-dimensional data of i-th residential area
SAMDD                     Secondary aggregated multi-dimension data
AMDij                     Sum of j-th dimensional data for i-th residential area
DMji                      Sum of j-th dimensional data for first i residential areas
RA_set                    Residential area set
DMjRA_set                 Sum of j-th dimensional data for these residential areas in RA_set
, q , 1, 2 , P, a, b, e   Parameters of bilinear map
1, p1, q1 , g, , , N, g   Parameters of Paillier Cryptosystem
H                         Cryptographic hash function
R1, R2                    Common factors in integrating l-dimensional data
n                         The maximum number of users in one residential area
ni                        The number of users in i-th residential area
D                         The maximum value of each dimensional item
dik                       Userik's l-dimensional data
Mik                       The result of integrating dik
x, Y                      DGW's private key and public key
xi, Yi                    RAGWi's private key and public key
xik, Yik                  Userik's private key and public key

II. RELATED WORK

In smart grids, in order to improve the efficiency of grid operations, electricity usage is collected many times a day through smart meters. But this fine-grained information can easily reveal household activities in real time [29], [30]. To preserve user privacy, several approaches are proposed.

Using cryptography commitments and zero knowledge, [31] proposed a method to calculate the energy bill without releasing users' private information. By adding random noise to user data, a private data aggregation was achieved under a differential privacy model [32], [33]. By using Shamir's secret-sharing scheme, the protocol in [29] makes it possible to aggregate the same data according to different rules.

Other approaches to privacy preservation in smart grids are secure data aggregation techniques. In [30], a bi-homomorphic encryption system is utilized to achieve secure data aggregation. By constructing an aggregation tree and aggregation routes, and using homomorphic encryption to secure the data en route, [35] implemented secure data aggregation. A security architecture for the distributed aggregation of energy consumption metering data was proposed in [36]. It developed two secure protocols for privacy-preserving data collection and aggregation based on Cramer-Shoup schemes and Shamir secret-sharing. Most of the aforementioned schemes consider one-dimensional data aggregation. This paper pays close attention to the aggregation of multi-dimensional electricity usage data to obtain the sums of each dimension without revealing users' private information.

III. SYSTEM MODEL, SECURITY REQUIREMENTS, AND DESIGN GOAL

In this section, we formalize the system model and the security requirements, and identify our design goals. For ease of reading, we refer to Table I for our main abbreviations and parameters.

A. System Model

Our system model describes a two-level gateway topology in smart grids, as shown in Fig. 1, which consists of four types of entities: control center (CC), district gateway (DGW), residential area gateway (RAGW), and home area network (HAN or User). There is only one CC and one DGW in the system. For simplicity, we assume that DGW covers m RAGWs, each RAGW covers n HANs, and each user's electricity consumption data is l-dimensional. In one residential area, the communication between RAGW and HAN uses relatively inexpensive open wireless technology. The communications between DGW and RAGW, and between CC and DGW, use either wired links or any other link with high bandwidth and low delay. HAN is composed of various smart meters that can record real-time l-dimensional data. RAGW aggregates n encrypted user data items into a compressed whole, namely Basic Aggregated Multi-dimensional Data (BAMDD). DGW aggregates m BAMDDs into a compressed whole, namely Secondary Aggregated Multi-dimensional Data (SAMDD). CC is responsible for decrypting and resolving SAMDD to obtain the sum of each dimension of data of each area, which helps it produce appropriate responses.

Fig. 1. System model

B. Attacker Model and Security Requirements

In our security model, the following attacker models are


assumed:

CC is considered fully trusted.

DGW and RAGWs follow the honest-but-curious model, a.k.a., the semi-honest model. They follow the protocol properly, but keep all inputs from other entities and all intermediate computational results to maximize the chance of obtaining others' privacy information.

Users are honest but curious. They do not spitefully drop or distort any source value or intermediate result, and keep the system running smoothly. However, they do try to infer other users' electricity usage.

 is an external adversary. That is, can eavesdrop on communication channel to obtain residential users' reports, BAMDDs, and SAMDD. can intrude in the databases of RAGWs, DGW, and CC, and can launch active attacks to threaten data integrity.

In our system, the following security goals should be achieved:

Privacy Preservation: Even if DGW, RAGWs and several users collude with one another, they cannot also obtain other users' data. cannot acquire individual user data during system communications and operations.

Authentication and Data Integrity: It guarantees that the received data are valid and derived from legal entities; invalid data are able to be detected. In other words, if forges and/or modifies a report, the malicious operations should be detected.

C. Design Goal

Our design goal is to develop an efficient, flexible privacy-preserving aggregation scheme. In particular, the following three desirable objectives need to be considered:

Security: The proposed scheme should meet the security requirements as above.

Efficiency: The proposed scheme should effectively reduce communication cost and improve the efficiency of data processing to satisfy real-timeness requirements.

Flexibility: CC should be able to carry out flexible electricity regulations for different kinds of electricity data and different geographical ranges.

Fig. 2. The main issues solved by our scheme

D. Our Contribution

In practical applications, residents usually live in different areas. We consider ways to enable CC to simultaneously obtain the sum of each dimension of data of users in each residential area without revealing their private information in Fig. 2. Suppose there are m (m 2, and m is not a large integer) residential areas, where each contains at most n (n is a large integer, and n >> m) users, and each user's data is l-dimensional (l 2). The ranges of the subscripts of symbols are stated as follows: the range of subscript i is [1, m], that of subscript k is [1, n], and the range of subscript j is [1, l].

The cube shown in Fig. 2(a) is composed of m planes. Each plane has n rows and l columns, and represents a residential


area, as shown in Fig. 2(b). Each row of a plane represents one user's l-dimensional data. We aim to make CC be able to obtain the sum of each column of a plane without releasing any item in the cube, as shown in Fig. 2(d).

AMij represents the sum of the j-th dimensional data of the i-th residential area. In Fig. 2(c), AMi1, AMi2, ..., AMil are the sums of the first, the second, ..., the l-th columns of the i-th plane, respectively. The target outputs are (AM11, AM12, ..., AM1l), ..., (AMm1, AMm2, ..., AMml) as shown in Fig. 2(d). We use DMji to represent the j-th (1 ≤ j ≤ l) dimensional total electricity usage of first i (1 ≤ i ≤ m) residential areas. DMji can be obtained by computing

$$DM_j^i = \sum_{r=1}^{i} AM_{rj} \qquad (1)$$

In particular, we can obtain the total electricity usage along each dimension for all m residential areas (DM1m, DM2m, ..., DMlm) by (1) with i = m.

When we take user multi-dimensional data as a whole, the total electricity consumption DM of entire region can be calculated by

$$DM = DM_1^m + DM_2^m + \cdots + DM_l^m \qquad (2)$$

Suppose RA_set is a subset of {1, 2, ..., m}. We can also gain the total electricity usage along each dimension of these residential areas belonging to RA_set by computing

$$DM_j^{RA\_set} = \sum_{r \in RA\_set} AM_{rj} \qquad (3)$$

Contributions: We propose a privacy-preserving cube-data aggregation scheme that guarantees user privacy while solving the issues shown in Fig. 2. Our contributions are manifold, and can be summarized as follows:

Our scheme can convert multi-dimensional data for several residential areas (i.e., cube data) into aggregated data. In most cases, since users join or leave an area, the number of users in each residential area may not be the same. That is, the corresponding planes have different rows. To aggregate the cube data, our scheme should guarantee that these planes have the same number of rows prior to aggregation.

In our scheme, cube-data aggregation is implemented by using the Paillier cryptosystem and Horner's Rule. We only need two Horner parameters for this.

Our model contains several areas and two-level gateways that can realize large-scale user management, and obtain flexible scalability of user scales and electricity regulation.

In most cases, our batch verification technology can attain good forgery-resisting effects.

Fig. 3. Overall framework of our scheme

IV. PRELIMINARIES

A. Bilinear Pairing

Let 1 and 2 be two additive cyclic groups of the same order q, where q is a large prime. e : 1 1 2 is a non-degenerated and efficiently computable bilinear such that:

Bilinearity: e(aP, bQ) = e(P, Q)^ab for P, Q 1 and a, b q*.

Non-degeneracy: e(P, P) 12 for P 1.

Computability: There exists an effective polynomial time algorithm to calculate the value of bilinear pairing.

Definition 1 (Bilinear Pairing Generation Algorithm): Bilinear pairing generation algorithm Gen is a probabilistic algorithm. Gen takes the security parameter as input and outputs a five-tuple (q, P, 1, 2, e), where q is a -bit prime number, P is a generator of 1, and e: 11 2 is a bilinear map.

B. Paillier Cryptosystem

The Paillier cryptosystem is classic homomorphic encryption consisting of three algorithms:

Key Generation: Let N = p1q1 and = lcm(p11, q11), where p1 and q1 are two large prime numbers, and |p1| = |q1| = 1, where 1 is the security parameter of this cryptosystem. Define function L(u) = (u1)/N, choose generator g N 2, and calculate = (L(g mod N^2))^-1. The public key is pk = (N, g), and the private key is sk = (, ).


Encryption: Given M N, select a random number r N and calculate the ciphertext C = E(M) = g^M · r^N mod N^2.

Decryption: Given C N 2, recover the corresponding message by M = D(C) = L(C mod N^2) mod N.

C. Horner's Rule

Horner's rule [36] is a typical algorithm to calculate a polynomial. Any polynomial can be expressed as p(R) = a_n R^n + a_{n-1} R^{n-1} + ... + a_1 R + a_0. Using Horner's Rule, the polynomial can be represented as p(R) = ((a_n R + a_{n-1})R + ...)R + a_0. The rule is a high-efficiency method and only requires n multiplications and n additions.

In this paper, we construct a polynomial p(R) = a_n R^n + a_{n-1} R^{n-1} + ... + a_1 R = ((a_n R + a_{n-1})R + ... + a_1)R and ensure R > max{a_n, a_{n-1}, ..., a_1}. If we know p(R) and R, we can obtain n coefficients a_1, a_2, ..., a_n by n exact division operations and n modulo operations.

Fig. 4. Flowchart of system initialization

V. OUR SCHEME

Our scheme consists of five phases: System Initialization, User Report Generation, Privacy-preserving BAMDD Generation (i.e., l-dimensional data aggregation for a single residential area), Privacy-preserving SAMDD Generation (i.e., multiple residential areas' l-dimensional data aggregation), and Data Parse. The framework is as shown in Fig. 3. In most cases, the number of users in each residential area may not be the same. We thus assume that the number of users in a residential area is no more than constant n, and use ni to indicate the given number of users in the i-th residential area, where ni ≤ n. We also assume that the value of each dimensional item is less than a constant D.

A. System Initialization

System initialization primarily completes two tasks. The first is to generate the system parameters and the aggregation parameters, and the second is to register the system entities.

1) Generation of System Parameters and Aggregation Parameters

The generating process is as shown in Fig. 4.

Step 1.1: CC chooses security parameter and generates (q, P, 1, 2, e) by calling Gen(). CC chooses security parameter 1 and calculates the public key (N = p1q1, g) and the private key (, ) of the Paillier cryptosystem. It also selects the secure cryptographic hash function H: {0, 1}*1.

Step 1.2: CC randomly chooses two common factors R1 and R2 such that R1 > nD and R2 > nD.

Step 1.3: CC releases public parameters {q, P, 1, 2, e; N, g, H, R1, R2}.

2) System Entities Registration

The registration process of system entities is as shown in Fig. 4.

Step 1.4: DGW chooses x R q* as its private key, and calculates Y = xP as its public key.

Step 1.5: RAGWi sends a registration request to CC.

Step 1.6: CC chooses a unique number i from the integer sequence {1, 2, ...} as the registered RAGW Number, and returns it to RAGWi.

Step 1.7: RAGWi (i = 1, 2, ..., m) chooses xi R q* as its private key, and computes its public key by calculating Yi = xiP.

Step 1.8: Userik sends a registration request to RAGWi;

Step 1.9: RAGWi returns the residential area Number i to Userik;

Step 1.10: Userik (k = 1, 2, ..., ni) chooses xik R q* as its private key, and takes Yik = xikP as its public key.

B. User Report Generation

Each user encrypts his/her l-dimensional data, creates a digital signature for the data, and forms a transmitted user


report. The detailed process is as shown in Fig. 5.

Step 2.1: Userik (i = 1, 2, ..., m; k = 1, 2, ..., ni) periodically collects own data dik = (dik1, dik2, ..., dikl), and integrates dik by computing

$$M_{ik} = R_2^{i}\left(R_1^{1} d_{ik1} + R_1^{2} d_{ik2} + \cdots + R_1^{l} d_{ikl}\right) \qquad (4)$$

The user then chooses rik R N* and encrypts dik as

$$C_{ik} = g^{M_{ik}} \cdot r_{ik}^{N} \bmod N^2 \qquad (5)$$

Following this, Userik uses his/her private key xik to generate signature ik as

ik xik H(Cik || ID_RAGWi || ID_Userik || T)    (6)

where T is the current time, ID_RAGWi is the identity of RAGWi, and ID_Userik is the identity of Userik. Finally, Userik generates the report by computing

Dik Cik || ID_RAGWi || ID_Userik || T || ik    (7)

Step 2.2: Userik sends Dik to RAGWi.

Fig. 5. Flowchart of the implementation of proposed scheme.

C. Privacy-preserving BAMDD Generation

RAGWi (i = 1, 2, ..., m) verifies the received ni reports Di1, Di2, ..., Di,ni in a batch-wise manner. If the verification is successful, RAGWi aggregates n = ni + (n - ni) encrypted l-dimensional data items Ci1, Ci2, ..., Cin to obtain BAMDDi, where Ci1, Ci2, ..., Ci,ni are ciphertexts received by RAGWi, and Ci,ni+1, Ci,ni+2, ..., Cin are constructed by it. Note that RAGWi updates ni according to the number of received reports. The concrete aggregation process is as shown in Fig. 5.

Step 3.1: After receiving Di1, Di2, ..., Di,ni, RAGWi verifies whether these reports are from legal users. To improve processing efficiency, we use a batch verification method. It randomly divides Seti = {Di1, Di2, ..., Di,ni} into two subsets, Seti1 (|Seti1| = ni/2) and Seti2 (|Seti2| = ni/2). RAGWi verifies the following equations:

e( P, r ) e(Yir , H(Cir || ID_RAGWi || ID_Userir || T))    (8)
Dr Seti1 Dr Seti1

e( P, r ) e(Yir , H(Cir || ID_RAGWi || ID_Userir || T))    (9)
Dr Seti2 Dr Seti2

Step 3.2: Create Ci,ni+1, Ci,ni+2, ..., Cin as

$$C_{ik} = g^{M_{ik}} \cdot r_{ik}^{N} \bmod N^2 = g^{R_2^{i}\left(R_1^{1}\cdot 0 + R_1^{2}\cdot 0 + \cdots + R_1^{l}\cdot 0\right)} \cdot r_{ik}^{N} \bmod N^2 \qquad (10)$$

where rik R N* and k = ni + 1, ni + 2, ..., n.

Step 3.3: Aggregate n ciphertexts as

$$BAMDD_i = \prod_{k=1}^{n} C_{ik} \bmod N^2 \qquad (11)$$

Step 3.4: Create BAMDDi's signature i as

i xi H(BAMDDi || ID_DGW || ID_RAGWi || ni || T)    (12)

where ID_DGW is the identity of the DGW. Compute

Di BAMDDi || ID_DGW || ID_RAGWi || ni || T || i    (13)

Step 3.4: RAGWi sends Di to DGW.

D. Privacy-preserving SAMDD Generation

DGW verifies D1, D2, ..., Dm, and aggregates BAMDD1, BAMDD2, ..., BAMDDm to obtain SAMDD as shown in Fig. 5.

Step 4.1: DGW also uses the batch verification method as described in Step 3.1.

Step 4.2: If the above verifications are successful, DGW performs the secondary aggregation operation as

$$SAMDD = \prod_{i=1}^{m} BAMDD_i \bmod N^2 \qquad (14)$$

Step 4.3: DGW uses its private key x to create signature as

 xH(SAMDD || ID_CC || ID_DGW || n1 || n2 || ... || nm || T)    (15)

where ID_CC is the identity of CC. Then, DGW obtains the transmitted secondary aggregation data by computing


D SAMDD || ID_CC || ID_DGW || n1 || n2 || ... || nm || T ||    (16)

Step 4.4: DGW sends D to CC.

E. Data Parse

After the verification of D, CC uses the Paillier decryption algorithm and Horner's Rule to handle SAMDD. Subsequently, it can obtain summed electricity consumption with a variety of granularities. The detailed process is as shown in Fig. 5.

Step 5.1: Having received D from DGW, CC first verifies the validity of the data:

e(P, ) e(Y , H(SAMDD || ID_CC || ID_DGW || n1 || ... || nm || T))    (17)

Step 5.2: CC decrypts and analyzes SAMDD:

$$
\begin{aligned}
SAMDD &= \prod_{i=1}^{m} BAMDD_i \bmod N^2 = \prod_{i=1}^{m}\prod_{k=1}^{n} C_{ik} \bmod N^2 \\
&= \prod_{i=1}^{m}\prod_{k=1}^{n} g^{M_{ik}} r_{ik}^{N} \bmod N^2 = \prod_{k=1}^{n}\prod_{i=1}^{m} g^{M_{ik}} r_{ik}^{N} \bmod N^2 \\
&= \prod_{k=1}^{n}\left(g^{M_{1k}} g^{M_{2k}} \cdots g^{M_{mk}}\right)\cdot\left(\prod_{i=1}^{m}\prod_{k=1}^{n} r_{ik}\right)^{N} \bmod N^2 \\
&= g^{\sum_{k=1}^{n} M_{1k} + \sum_{k=1}^{n} M_{2k} + \cdots + \sum_{k=1}^{n} M_{mk}}\cdot\left(\prod_{i=1}^{m}\prod_{k=1}^{n} r_{ik}\right)^{N} \bmod N^2 \\
&= g^{R_2^{1}\sum_{k=1}^{n}\sum_{j=1}^{l} R_1^{j} d_{1kj} + \cdots + R_2^{m}\sum_{k=1}^{n}\sum_{j=1}^{l} R_1^{j} d_{mkj}}\cdot\left(\prod_{i=1}^{m}\prod_{k=1}^{n} r_{ik}\right)^{N} \bmod N^2 \\
&= g^{R_2^{1}\sum_{j=1}^{l} R_1^{j}\sum_{k=1}^{n} d_{1kj} + \cdots + R_2^{m}\sum_{j=1}^{l} R_1^{j}\sum_{k=1}^{n} d_{mkj}}\cdot\left(\prod_{i=1}^{m}\prod_{k=1}^{n} r_{ik}\right)^{N} \bmod N^2
\end{aligned}
\qquad (18)
$$

Let $AM_{ij} = \sum_{k=1}^{n} d_{ikj}$, $AM_i = \sum_{j=1}^{l} R_1^{j} AM_{ij}$, $AM = \sum_{i=1}^{m} R_2^{i} AM_i$ and $R = \prod_{i=1}^{m}\prod_{k=1}^{n} r_{ik}$, then $SAMDD = g^{AM} \cdot R^{N} \bmod N^2$.

CC can recover AM by using private key (, ). By executing Algorithm 1 with AM and R2 as inputs, CC can obtain AM1, AM2, ..., AMm. By executing Algorithm 1 with AMi and R1 as inputs, CC can obtain (AMi1, AMi2, ..., AMil). Algorithm 1 should be executed 1 + m times, the total computation complexity is O(m) + mO(l). Since m and l are not large integers, O(m) + mO(l) can be considered equal to O(1).

Algorithm 1 Parsing polynomials with Horner's Rule
Input: PM and R
Output: Coefficient Vector (a1, a2, ..., al)
    X0 <- PM / R;        // X0 = a1 + R^1 a2 + ... + R^(l-1) al
    for j <- 1 to l do
        aj <- X(j-1) mod R;
        Xj <- X(j-1) / R;
    end for
    return (a1, a2, ..., al);

According to Eq. (1), Eq. (2), and Eq. (3), CC can also obtain DMji, DM, and DMjRA_set. Moreover, we can compute the average value of the j-th dimensional electricity consumption.

$$
\begin{aligned}
AVG\_AM_{ij} &= AM_{ij} / n_i \\
AVG\_DM_j^{i} &= DM_j^{i} \Big/ \sum_{b=1}^{i} n_b \\
AVG\_DM_j^{RA\_set} &= DM_j^{RA\_set} \Big/ \sum_{b \in RA\_set} n_b
\end{aligned}
\qquad (19)
$$

VI. SECURITY ANALYSIS

Theorem 1: The user's report is privacy preserving in the proposed scheme.

Proof: In our scheme, Userik's (i = 1, 2, ..., m; k = 1, 2, ..., ni) electricity usage data dik = (dik1, dik2, ..., dikl) is formed and encrypted by Eqs. (4) and (5), respectively.

The ciphertext $C_{ik} = g^{M_{ik}} \cdot r_{ik}^{N} \bmod N^2$ is a valid and normative ciphertext of Paillier cryptosystem. Since Paillier cryptosystem is semantically secure against the chosen plaintext attack, Userik's data dik = (dik1, dik2, ..., dikl) in Mik is also semantically secure and privacy preserving. Since rik is not a fixed random number, the same data dik is encrypted to different ciphertexts with different values of rik, resulting in resistance to dictionary attacks. If several users collude, they can share their information, including area Number, random number (for encryption), electricity consumption data, and the corresponding ciphertext. From this information in conjunction with the system's public information, they still cannot infer private information of other users.

Having received all reports Ci1, Ci2, ..., Ci,ni, RAGWi directly performs the basic aggregation operation as in Eq. (11). In the same way, after receiving BAMDD1, BAMDD2, ..., BAMDDm, DGW directly performs the secondary aggregation operation as in Eq. (14). Since these calculations are based on ciphertexts, RAGWi and DGW cannot infer users' electricity usage by analyzing intermediate results and information routed through them. In case of collusion, some users, the district gateway and multiple residential area gateways attempt to obtain other users' electricity usage by sharing and analyzing their own information, which consists of ciphertext and public information. Since Paillier cryptosystem is semantically secure and its private keys are secretly protected, these collaborators cannot infer other users' electricity usage.

Moreover, even if an external adversary intrudes into RAGWi's or DGW's databases, he/she cannot obtain any individual user data. After receiving SAMDD, the CC recovers SAMDD as (AMi1, AMi2, ..., AMil), (DM1i, DM2i, ..., DMli), DM, (DM1RA_set, DM2RA_set, ..., DMlRA_set). Even if the adversary steals these data, he/she will not be able to acquire any individual user data.

Theorem 2. The authentication and data integrity of the user's report, BAMDD and SAMDD, are guaranteed in the proposed scheme.

Proof. In our scheme, prior to sending a message, each entity uses its private key to generate a signature for the message. When receiving a message packet, every entity uses the sender's public key to verify the message packet. In our scheme, BLS short signature is adopted, which has been proved to be secure under the CDH problem [37]. This ensures that every packet is from a legal sender and cannot be falsified, and that adversaries' malicious behaviors can be detected. Therefore, the authentication and data integrity of the user's report, BAMDD and SAMDD, are guaranteed in our scheme.
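The encryption, two-level aggregation and parsing path of Sections V.B to V.E (Eqs. (4), (5), (10), (11), (14) and Algorithm 1), as an added example in Python that is not the authors' code. Assumptions of this example: toy Mersenne-prime Paillier keys, generator g = N + 1, constructed sample readings, signatures and batch verification left out, and R2 chosen above the largest value an area-level polynomial can take (stricter than R2 > nD), because the modulo step of Algorithm 1 only recovers a coefficient that is smaller than R.

```python
import math
import secrets

# Toy Paillier key (Section IV.B). Constructed for this example only: two
# Mersenne primes, far too small and too structured for real deployments.
P1, Q1 = 2**61 - 1, 2**89 - 1
N = P1 * Q1
N2 = N * N
G = N + 1                                   # assumed generator choice
LAM = (P1 - 1) * (Q1 - 1) // math.gcd(P1 - 1, Q1 - 1)   # lcm(p1-1, q1-1)

def L(u):
    return (u - 1) // N

MU = pow(L(pow(G, LAM, N2)), -1, N)         # (L(g^lambda mod N^2))^-1 mod N

def encrypt(m):
    """C = g^M * r^N mod N^2 with a fresh random r coprime to N."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return pow(G, m, N2) * pow(r, N, N2) % N2

def decrypt(c):
    return L(pow(c, LAM, N2)) * MU % N

# Scheme parameters (constructed): l dimensions, m areas, at most n users, bound D.
L_DIMS, M_AREAS, N_MAX, D = 3, 2, 4, 100
R1 = N_MAX * D + 1                          # R1 > nD, as in Step 1.2
R2 = R1 ** (L_DIMS + 1)                     # assumption: above any area-level polynomial
assert R2 ** (M_AREAS + 1) < N              # the packed total AM must fit in Z_N

def pack(i, d):
    """Eq. (4): M_ik = R2^i (R1 d_1 + R1^2 d_2 + ... + R1^l d_l), via Horner's rule."""
    acc = 0
    for dj in reversed(d):
        acc = (acc + dj) * R1
    return R2 ** i * acc

def user_report(i, d):
    """Eq. (5): a user in area i encrypts the packed l-dimensional reading."""
    assert len(d) == L_DIMS and all(0 <= x < D for x in d)
    return encrypt(pack(i, d))

def ragw_aggregate(i, ciphertexts):
    """Steps 3.2-3.3: pad to n ciphertexts with encryptions of zero, then Eq. (11)."""
    padding = [encrypt(pack(i, [0] * L_DIMS)) for _ in range(N_MAX - len(ciphertexts))]
    bamdd = 1
    for c in list(ciphertexts) + padding:
        bamdd = bamdd * c % N2
    return bamdd

def dgw_aggregate(bamdds):
    """Eq. (14): SAMDD is the product of all BAMDD_i modulo N^2."""
    samdd = 1
    for b in bamdds:
        samdd = samdd * b % N2
    return samdd

def parse(pm, r, count):
    """Algorithm 1: peel `count` coefficients off a polynomial with no constant term."""
    x = pm // r
    coeffs = []
    for _ in range(count):
        coeffs.append(x % r)
        x //= r
    return coeffs

def cc_parse(samdd):
    """Step 5.2: decrypt AM, split it by R2 into AM_i, then each AM_i by R1 into AM_ij."""
    am = decrypt(samdd)
    return [parse(am_i, R1, L_DIMS) for am_i in parse(am, R2, M_AREAS)]

# Constructed readings: area 1 has 3 users (so one padding ciphertext), area 2 has 4.
READINGS = {
    1: [(12, 40, 7), (3, 55, 20), (30, 0, 99)],
    2: [(5, 5, 5), (10, 20, 30), (99, 99, 99), (1, 2, 3)],
}

def run(readings):
    bamdds = [ragw_aggregate(i, [user_report(i, d) for d in readings[i]])
              for i in sorted(readings)]
    return cc_parse(dgw_aggregate(bamdds))

if __name__ == "__main__":
    print(run(READINGS))                    # per-area, per-dimension sums AM_ij
```

Neither gateway function ever calls `decrypt`; only `cc_parse` touches the private values `LAM` and `MU`, which mirrors the trust split between RAGW, DGW and CC in the system model.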


VII. COMPARATIVE ANALYSIS

In this section, we compare our scheme with EPPA [27] and EPPDR [8]. Note that the response phases of EPPA and EPPDR are not considered here. The results of the feature comparison are summarized in Table II.

TABLE II
FEATURE COMPARISON

| Feature | Our Scheme | EPPA | EPPDR |
|---|---|---|---|
| Multi-dimensional | Yes | Yes | No |
| Multi-area | Yes | No | Yes |
| Two-level Aggregation | Yes | No | No |
| Batch Verification | Yes | Yes | No |
| Online User-level Scalability | Yes | Yes | No |
| Offline User-level Scalability | Yes | Yes | Yes |
| Online Area-level Scalability | Yes | No | No |
| Offline Area-level Scalability | Yes | No | Yes |
| Electricity Control Flexibility | High | Low | Low |

A. System Model Comparison

In our scheme and EPPA, users' electricity data is multi-dimensional, but it is not in EPPDR. In our system model and that of EPPDR, there are several residential areas; in EPPA, however, there is only one residential area.

We assume that there are m areas in our scheme and EPPDR, and that the i-th ($1 \le i \le m$) gateway (called $RAGW_i$ in our scheme and $BG_i$ in EPPDR) is deployed for the i-th area. In EPPDR, $BG_i$ aggregates the i-th area's data and sends the data to CC, which receives m aggregated data. In our scheme, after aggregating the i-th area's data, $RAGW_i$ sends the data to DGW. Then DGW executes the secondary aggregation operation, turning m items into a single secondary item which is sent to CC. Through two-level aggregation, our scheme reduces the overhead due to the communication between the gateway and CC.

B. Batch Verification Comparison

Our scheme and EPPA both use the batch verification method, but EPPDR does not. Our scheme and EPPA both use the BLS short signature to create signatures, assuming that k signatures need to be verified. If adopting the traditional one-to-one method of authentication, we need 2k bilinear pairing operations. In order to improve the efficiency of verification, EPPA performs the batch verification as

$$e\Big(P, \sum_{r=1}^{k} \sigma_r\Big) = \prod_{r=1}^{k} e\big(Y_r, H(C_r \,\|\, ID\_INFORMATION \,\|\, T)\big) \qquad (20)$$

Although the above batch verification method can reduce the number of time-consuming pairing operations from 2k to k + 1, it cannot resist forgery attacks. For example, the adversary chooses $a \in_R \mathbb{Z}_q^*$ and can easily forge at least two signatures $\sigma'_1 = \sigma_1 - a$ and $\sigma'_2 = \sigma_2 + a$ for $\sigma'_1 + \sigma'_2 + \sigma_3 + \cdots + \sigma_k = \sigma_1 + \sigma_2 + \sigma_3 + \cdots + \sigma_k$.

In order to solve this problem, our scheme randomly distributes k signatures in two sets $S_1$ and $S_2$, where $|S_1| = k/2$ and $|S_2| = k/2$. The signatures in $S_1$ and $S_2$ are then batch verified, as follows:

$$e\Big(P, \sum_{r \in S_1} \sigma_r\Big) = \prod_{r \in S_1} e\big(Y_r, H(C_r \,\|\, ID\_INFORMATION \,\|\, T)\big) \qquad (21)$$

$$e\Big(P, \sum_{r \in S_2} \sigma_r\Big) = \prod_{r \in S_2} e\big(Y_r, H(C_r \,\|\, ID\_INFORMATION \,\|\, T)\big) \qquad (22)$$

This batch verification method reduces the pairing operations from 2k to (k/2 + 1) + (k/2 + 1) = k + 2. Although in our scheme there is one more pairing operation, our batch validation method achieves good forgery-resisting effects in most cases. In order to further illustrate this, we consider the following two cases:

Case 1: The adversary (an external adversary) forges two signatures $\sigma'_1 = \sigma_1 - a$ and $\sigma'_2 = \sigma_2 + a$; the probability is

$$Pr_{SuccForge} = \frac{1}{C_k^1} \cdot \frac{1}{C_{k-1}^1} = \frac{1}{k(k-1)} \qquad (23)$$

This probability is very small when k is large, as shown in Table III. In smart grids, the number of users, k, in a residential area is usually a large number. In this case, our scheme can achieve good forgery-resisting effects.

Case 2: The adversary forges k signatures $\sigma'_1 = \sigma_1 - a, \ldots, \sigma'_{k/2} = \sigma_{k/2} - a$, $\sigma'_{k/2+1} = \sigma_{k/2+1} + a, \ldots, \sigma'_k = \sigma_k + a$ for $\sigma'_1 + \sigma'_2 + \sigma'_3 + \cdots + \sigma'_k = \sigma_1 + \sigma_2 + \sigma_3 + \cdots + \sigma_k$; the probability is

$$Pr_{SuccForge} = \frac{C_{k/2}^{k/4} \cdot C_{k/2}^{k/4}}{C_k^{k/2}} = \frac{(k/2)!}{(k/4)!\,(k/2 - k/4)!} \cdot \frac{(k/2)!}{(k/4)!\,(k/2 - k/4)!} \cdot \frac{(k/2)!\,(k - k/2)!}{k!} = \frac{((k/2)!)^4}{((k/4)!)^4 \, k!} \qquad (24)$$

Case 2 is the extreme case of our scheme, in which the adversary forges all users' signatures and $Pr_{SuccForge}$ is at its maximum. Table III shows that a large value of k yields a low probability of successful forgery. When k equals 400, the adversary has to forge 400 signatures to achieve the maximum $Pr_{SuccForge}$, 0.0796. But from Table III, we can observe that the forgery-resisting effect of our scheme in Case 2 is not as good as that in Case 1.

TABLE III
PROBABILITY OF SUCCESSFUL FORGERY

| k | Case 1 | Case 2 | k | Case 1 | Case 2 |
|---|---|---|---|---|---|
| 50 | 4.08×10^-4 | 2.22×10^-1 | 250 | 1.61×10^-5 | 1.01×10^-1 |
| 100 | 1.01×10^-4 | 1.58×10^-1 | 300 | 1.11×10^-5 | 9.19×10^-2 |
| 150 | 4.47×10^-5 | 1.30×10^-1 | 350 | 8.19×10^-6 | 8.51×10^-2 |
| 200 | 2.51×10^-5 | 1.12×10^-1 | 400 | 6.27×10^-6 | 7.96×10^-2 |

C. Scalability Comparison

From the perspectives of two levels (user-level and area-level) and two modes (online and offline), we compare the system scalability of our scheme with those of EPPA and EPPDR. Here, user-level system scalability means that some users join or leave an area, and area-level system scalability means that some areas join or leave a system. If system scalability does not involve system initialization, it can be implemented in either online or offline mode; otherwise, it can be implemented only in offline mode. Implementing system scalability in offline mode is a


common way. We focus on comparing the three schemes' scalability in online mode.

1) User-level Scalability

When a new user ($User_{new}$) wants to join an area (the corresponding gateway is $BG_{ex}$) in EPPDR, $BG_{ex}$ generates an identity-based private key $SK_{newuser}$ for $User_{new}$, and computes a session key shared with $User_{new}$. These operations should be completed in the BAN's (building area network) initialization phase. Therefore, EPPDR cannot realize online user-level extension. In EPPA, $User_{new}$'s private key and public key are generated by the user, because of which online user-level extension is possible. EPPA and EPPDR are not affected by user departures (such as smart meter failures).

In our scheme, when a new user wants to join the i-th area, $User_{new}$ generates his/her own private and public keys, and sends a registration request to $RAGW_i$. $RAGW_i$ directly returns its area Number i to $User_{new}$. Therefore, online user-level extension is feasible in our scheme. The aggregation of cube data (see Fig. 2) requires that every plane in the cube has the same scale. But in most cases, because of users joining or leaving, the number of users in each area may not be the same (i.e., these planes may have different rows). In our scheme, the key issue in online user-level system scalability is to guarantee that these planes have the same number of rows. In order to solve this problem, $RAGW_i$ computes $n - n_i$ zero l-dimensional vectors' ciphertexts before aggregating n ciphertexts, where $n_i$ is the given number of users in the i-th area. Therefore, our scheme achieves online user-level scalability. Note that there is an upper bound n on the number of users in an area. If the number of users reaches the designed bound, the area no longer allows any more users to join.

2) Area-level Scalability

Because there is only one gateway in EPPA's system model, EPPA cannot attain area-level scalability. On the other hand, when a new residential area is ready to join the system in EPPDR, it is necessary to deploy $BG_{new}$, where the private and session keys between $BG_{new}$ and CC should be generated in the CC initialization phase and the BAN initialization phase, respectively. Hence, EPPDR can only realize offline area-level extension.

Suppose that there already exist m areas in our system. When a new area joins the system, a corresponding new gateway $RAGW_{m+1}$ needs to be deployed and registered to CC. After receiving the registration request from $RAGW_{m+1}$, CC can directly return the area Number m+1 to $RAGW_{m+1}$ as long as the length of the integer sequence (for area Number distribution) is greater than m. Therefore, our scheme implements online area-level extension.

D. Electricity Control Flexibility

In this paper, the number of different grained aggregated data obtained by a scheme is used to measure the scheme's control flexibility. The comparison of electricity control flexibility is shown in Fig. 6, where the block at the i-th row and the j-th column represents the sum of the j-th dimension of the electricity of the i-th area.

Definition 2 (Control Flexibility Indicator): Suppose $Num_{min\_grained}$ is the number of minimum grained aggregated data obtained by a scheme. The control flexibility indicator of the scheme is defined as

$$CFI = C_{Num_{min\_grained}}^{1} + C_{Num_{min\_grained}}^{2} + \cdots + C_{Num_{min\_grained}}^{Num_{min\_grained}} \qquad (25)$$

According to Fig. 6, the control flexibility indicators of our scheme, EPPA and EPPDR are

$$CFI_{OurScheme} = C_l^1 \sum_{i=1}^{m} C_m^i + C_l^2 \sum_{i=1}^{m} C_m^i + \cdots + C_l^l \sum_{i=1}^{m} C_m^i = \sum_{j=1}^{l} C_l^j \sum_{i=1}^{m} C_m^i = \sum_{j=1}^{l} \frac{l!}{j!\,(l-j)!} \sum_{i=1}^{m} \frac{m!}{i!\,(m-i)!} \qquad (26)$$

$$CFI_{EPPA} = C_l^1 + C_l^2 + \cdots + C_l^l = \sum_{j=1}^{l} C_l^j = \sum_{j=1}^{l} \frac{l!}{j!\,(l-j)!} \qquad (27)$$

$$CFI_{EPPDR} = C_m^1 + C_m^2 + \cdots + C_m^m = \sum_{i=1}^{m} C_m^i = \sum_{i=1}^{m} \frac{m!}{i!\,(m-i)!} \qquad (28)$$

According to Eqs. (26), (27), and (28), we can obtain the following inequalities:

$$CFI_{OurScheme} > CFI_{EPPA}, \quad CFI_{OurScheme} > CFI_{EPPDR} \qquad (29)$$

Therefore, our scheme has better electricity control flexibility.

Fig. 6. Electricity control flexibility

VIII. PERFORMANCE EVALUATION

In this section, we compare EPPA [27], EPPDR [8], and our scheme in terms of computational cost and communication overhead.

A. Computational Cost

Since the multiplication in $\mathbb{Z}_{N^2}$ is considered negligibly small compared to the exponentiation and pairing operations, the computational costs of the aggregation and multiplication operations in $\mathbb{Z}_N$ are negligible. $C_e$, $C_m$, and $C_p$ denote the computation costs of an exponentiation operation in $\mathbb{Z}_{N^2}$, a multiplication operation in $\mathbb{G}_1$, and a pairing operation, respectively. Note that each user's data is l-dimensional (in our scheme and EPPA), and there are n users in a residential area (EPPA and EPPDR), $n_i$ users in each i-th residential area, and


the upper bound of the number of users in an area is n (in our scheme). There are m residential areas. The computational costs of our scheme, EPPA, and EPPDR are compared in Table IV.

A 3-GHz Pentium IV processor with 512 MB memory is used to estimate the operational costs. We choose a 1024-bit N ($|N^2| = 2048$) and a 160-bit $\mathbb{G}_1$. According to the MIRACL [38] and PBC [39] libraries, $C_e$ = 12.4 ms, $C_m$ = 6.4 ms, and $C_p$ = 20 ms.

1) Comparison of Computational Cost of Each User

User data is one-dimensional in EPPDR but multi-dimensional in our scheme. Table IV shows that the computational cost of a user in our scheme is more efficient than EPPDR. User data is also multi-dimensional data in EPPA, like in our scheme. Fig. 7 shows that in terms of the computational cost of a user, our scheme's advantage is remarkable.

Fig. 7. Computational cost of each user

2) Comparison of Computational Cost of Gateway

We compare the computational cost of a single gateway between our scheme and EPPA. From Table IV, we observe that on the gateway side, when $n_i = n$, our scheme needs one more pairing operation than EPPA. When $n_i < n$, let

$$((n + 1)C_p + C_m) - ((n_i + 2)C_p + (n - n_i)C_e + C_m) \ge 0 \qquad (30)$$

Then,

$$7.6(n - n_i) - 20 \ge 0 \;\Rightarrow\; n - n_i \ge 2.63 \qquad (31)$$

From Eq. (31), it is clear that when $n_i \le n - 3$, our scheme has better computational complexity.

The total computational cost of the gateway side based on our scheme and EPPDR can be calculated as follows:

$$TotalC_{OurScheme} = m((n + 2)C_p + C_m) + (m + 2)C_p + C_m = (mn + 3m + 2)C_p + (m + 1)C_m \qquad (32)$$

$$TotalC_{EPPDR} = m(3nC_p + 2C_m) = 3mnC_p + 2mC_m \qquad (33)$$

By Eqs. (32) and (33),

$$TotalC_{EPPDR} - TotalC_{OurScheme} = (2mn - 3m - 2)C_p + (m - 1)C_m \qquad (34)$$

Because $m \ge 2$, $(m - 1)C_m > 0$. Let $2mn - 3m - 2 \ge 0$:

$$2mn - 3m - 2 \ge 0 \;\Rightarrow\; m(2n - 3) \ge 2 \;\Rightarrow\; m \ge \frac{2}{2n - 3} \qquad (35)$$

$$\text{Let } 2 \ge \frac{2}{2n - 3} \;\Rightarrow\; 4n - 6 \ge 2 \;\Rightarrow\; 4n \ge 8 \;\Rightarrow\; n \ge 2 \qquad (36)$$

From Eqs. (34), (35), and (36), it can be shown that if $n \ge 2$, $TotalC_{EPPDR} > TotalC_{OurScheme}$. Therefore, our scheme has lower computational complexity. From Figs. 8 and 9, it can be seen that the growth of $TotalC_{OurScheme}$ is slower than that of $TotalC_{EPPDR}$.

Fig. 8. Total computational cost of gateways in our scheme

Fig. 9. Total computational cost of gateways in EPPDR

3) Comparison of Computational Cost of Control Center

In Table IV, it can be easily observed that on the CC / OA / CC sides, the computational cost of our scheme is equal to that of EPPA and less than that of EPPDR.

TABLE IV
COMPARISON OF COMPUTATIONAL COSTS

| | Our Scheme | EPPA | EPPDR |
|---|---|---|---|
| User/User/User | $2C_e + C_m$ | $(l + 1)C_e + C_m$ | $2C_e + 2C_m$ |
| RAGW/GW/BG | $(n_i + 2)C_p + (n - n_i)C_e + C_m$ | $(n + 1)C_p + C_m$ | $3nC_p + 2C_m$ |
| DGW/-/- | $(m + 2)C_p + C_m$ | | |
| CC/OA/CC | $2C_p$ | $2C_p$ | $3mC_p$ |

From the above analysis, we conclude that our scheme can achieve higher efficiency in terms of computational cost compared with EPPA and EPPDR.

B. Communication Overhead

1) Comparison between Our Scheme and EPPA

Since both our scheme and EPPA use Paillier cryptosystem and BLS short signature, we assume that the lengths of the user reports in the two schemes are identical (indicated by $L_1$), and the lengths of the other packets in the two schemes are the same (indicated by $L_2$).


Case 1: The total number of users in the two schemes is identical. In other words, in our scheme, there are m residential areas and n/m (supposing m can divide n) users in each residential area. Usually, m is a very small integer. The comparison of communication overhead is shown in Table V.

TABLE V
COMPARISON OF COMMUNICATION OVERLOAD IN CASE 1

| | Our Scheme | EPPA |
|---|---|---|
| User-to-RAGW / User-to-GW | $(n/m)L_1 \cdot m = nL_1$ | $nL_1$ |
| RAGW-to-DGW | $mL_2$ | |
| DGW-to-CC / GW-to-OA | $L_2$ | $L_2$ |

The total communication cost of our scheme is $nL_1 + (m + 1)L_2$, and that of EPPA is $nL_1 + L_2$. Hence, the communication cost of our scheme is approximately equal to that of EPPA.

Case 2: The number of users of each residential area in our scheme is identical to that in EPPA. That is, in our scheme, the total number of users reaches mn. The results of the comparison are shown in Table VI.

TABLE VI
COMPARISON OF COMMUNICATION OVERLOAD IN CASE 2

| | Our Scheme | EPPA |
|---|---|---|
| User-to-RAGW / User-to-GW | $nL_1 \cdot m = mnL_1$ | $nL_1$ |
| RAGW-to-DGW | $mL_2$ | |
| DGW-to-CC / GW-to-OA | $L_2$ | $L_2$ |

The total communication cost of our scheme is $mnL_1 + (m + 1)L_2$, and that of EPPA is $nL_1 + L_2$. Because n >> m (n is much greater than m), the communication cost of our scheme is approximately the same as that of EPPA.

2) Comparison between Our Scheme and EPPDR

In our scheme and EPPDR, the transmitted packet consists of three parts: the ciphertext of user data, other information (identity information and timestamp information), and a digital signature. Our scheme and EPPDR both use the Paillier encryption algorithm to encrypt user data. Let |N| = 1024 bits; then, the length of the ciphertext is 2048 bits. In terms of digital signatures, our scheme utilizes BLS short signature and EPPDR uses identity-based signature. Let $|\mathbb{G}_1|$ = 160 bits. The length of signature in our scheme is 160 bits and the length of signature in EPPDR is 160 bits + 160 bits = 320 bits. Let the length of the other information be the same, such as 100 bits. The communication overhead is compared in Table VII.

TABLE VII
COMPARISON OF COMMUNICATION OVERLOAD

| | Our Scheme | EPPDR |
|---|---|---|
| User-to-RAGW / User-to-BG | 2308mn bits | 2468mn bits |
| RAGW-to-DGW | 2308m bits | |
| DGW-to-CC / BG-to-CC | 2308 bits | 2468m bits |

The total communication cost of our scheme is 2308(mn + m + 1) bits and that of EPPDR is 2468m(n + 1) bits. The difference between the two schemes is 160m(n + 1) - 2308. Let $160m(n + 1) - 2308 \ge 0$. Then, we can obtain:

$$160m(n + 1) - 2308 \ge 0 \;\Rightarrow\; m \ge \frac{2308}{160(n + 1)} = \frac{577}{40(n + 1)} \qquad (37)$$

because $m \ge 2$; let

$$2 \ge \frac{577}{40(n + 1)} \;\Rightarrow\; n + 1 \ge \frac{577}{80} > 7 \qquad (38)$$

According to Eqs. (37) and (38), it is obvious that our scheme achieves better performance in terms of communication overhead when n is not less than 7.

IX. CONCLUSION

In this paper, we proposed an efficient and privacy-preserving scheme for the aggregation of electricity consumption cube-data in smart grids. The scheme can aggregate multiple users' multi-dimensional data from multiple residential areas with various granularities. The control center can obtain the sum of each dimension of electricity usage of each residential area, attain flexible electricity regulation, and regulate electricity for any residential area and any dimension of electricity usage. The security strength and privacy-preserving ability of our scheme are demonstrated in the security analysis. By comparing our scheme with EPPA and EPPDR, it is observed that our scheme can achieve higher efficiency in terms of both computation and communication cost, and satisfies the application requirements of smart grids. In future, we will study other security issues (e.g., differential attacks), and develop effective schemes to resist more kinds of attacks.

REFERENCES

[1] W. Y. Wang and Z. Lu. "Cyber security in the smart grid: survey and challenges," Computer Networks, vol. 57, no. 5, pp. 1344-1371, Jan. 2013.
[2] B. Samareah, M. Sudip and J.P.C.R. Joel. "Cloud computing applications for smart grid: a survey," IEEE Transaction on Parallel and Distributed Systems, vol. 26, no. 5, pp. 1477-1494, May 2015.
[3] L. Zhou and S.P. Chen. "A survey of research on smart grid security," in Network Computing and Information Security, Berlin, Germany: Springer-Verlag, 2011, pp. 395-405.
[4] J. Shen, H. W. Tan, J Wang, J. W. Wang and S. Lee. "A novel routing protocol providing good transmission reliability in underwater sensor networks," Journal of Internet Technology, vol. 16, no. 1, pp. 171-178, Jan. 2015.
[5] M. P. Naran, D. Dipankar, S. Dipti and C. Marco. "Infrastructure Security for Smart Electric Grids: A Survey," in Optimization and Security Challenges in Smart Power Grids, Berlin, Germany: Springer-Verlag, 2013, pp. 161-180.
[6] W. X. Meng, R. F. Ma and H. H. Chen. "Smart grid neighborhood area networks: a survey," IEEE Network, vol. 28, no. 1, pp. 24-32, Jan./Feb. 2014.
[7] R. L. Deng, Z. Y. Yang, M. Y. Chow and J. Chen. "A survey on demand response in smart grids: mathematical models and approaches," IEEE Transactions on Industrial Informatics, vol. 11, no. 3, pp. 570-582, June 2015.
[8] H. W. Li, X. D. Lin, H. M. Yang, X. H. Liang, R. X. Lu and X. M. Shen. "EPPDR: an efficient privacy-preserving demand response scheme with adaptive key evolution in smart grid," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 8, pp. 2053-2064, Aug. 2014.
[9] H. W. Li, R. X. Lu, X. D. Lin and X. M. Shen. "EDR: An efficient demand response scheme for achieving forward secrecy in smart grid," in Proc. of IEEE GLOBECOM, 2012, pp. 929-934.
[10] N. Komninos, E. Philippou and A. Pitsillides. "Survey in smart grid and smart home security: issues, challenges and countermeasures," IEEE


Communication Surveys & Tutorials, vol. 16, no. 4, pp. 1933-1954, Apr. 2014.
[11] Z. Erkin, J. R. Troncoso-Pastoriza, R.L. Lagendijk and F. Perez-Gonzalez. "Privacy-preserving data aggregation in smart metering systems: an overview," IEEE Signal Processing Magazine, vol. 30, no. 2, pp. 75-86, Mar. 2013.
[12] Y. K. Chiang, N. C. Wang and C. H. Hsieh. "A cycle-based data aggregation scheme for grid-based wireless sensor networks," Sensors, vol. 14, no. 5, pp. 8447-8464, May 2014.
[13] Y. H. Lin, S. Y. Chang and H. M. Sun. "CDAMA: concealed data aggregation scheme for multiple applications in wireless sensor networks," IEEE Transactions on Knowledge and Data Engineering, vol. 25, no. 7, pp. 1471-1483, July 2015.
[14] K. Manish, V. Shekhar and L. Kusum. (2014, Aug.). "Secure data aggregation in wireless sensor networks using homomorphic encryption," International Journal of Electronics. [online]. 102(4), pp. 690-702. Available: http://dx.doi.org/10.1080/00207217.2014.936524.
[15] K. A. Shim and C. M. Park. "A secure data aggregation scheme based on appropriate cryptographic primitives in heterogeneous wireless sensor networks," IEEE Transactions on Parallel and Distributed Systems, vol. 26, no. 8, pp. 2128-2139, Aug. 2015.
[16] S. Ruj and A. Nayak. "A decentralized security framework for data aggregation and access control in smart grids," IEEE Transaction on Smart Grid, vol. 4, no. 1, pp. 196-205, Mar. 2013.
[17] B. Fábio and M. Mühlhäuser. "EPPP4SMS: efficient privacy-preserving protocol for smart metering systems and its simulation using real-world data," IEEE Transactions on Smart Grid, vol. 5, no. 6, pp. 2701-2708, Nov. 2014.
[18] T. W. Chim, S. M. Yiu, V. O. K. Li, L. C. K. Hui and J. Zhong. "PRGA: Privacy-preserving recording & gateway-assisted authentication of power usage information for smart grid," IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 1, pp. 85-97, Jan./Feb. 2015.
[19] L. Chen, R. X. Lu and Z. F. Cao. "PDAFT: A privacy-preserving data aggregation scheme with fault tolerance for smart grid communications," Peer-to-Peer Netw. Appl., vol. 8, no. 6, pp. 1122-1132, Nov. 2015.
[20] M. Bae, K. Kim and H. Kim. "Preserving privacy and efficiency in data communication and aggregation for AMI network," Journal of Network and Computer Applications, vol. 59, pp. 333-344, Jan. 2016.
[21] C. I. Fan, S. Y. Huang and Y. L. Lai. "Privacy-enhanced data aggregation scheme against internal attackers in smart grid," IEEE Transactions on Industrial Informatics, vol. 10, no. 1, pp. 666-675, Feb. 2014.
[22] L. Chen, R. X. Lu, Z. F. Cao, K Alharbi and X. D. Lin. "MuDA: multifunctional data aggregation in privacy-preserving smart grid communications," Peer-to-Peer Netw. Appl., vol. 8, no. 5, pp. 777-792, Sept. 2015.
[23] K. Alharbi and X. D. Lin. "LPDA: a lightweight privacy-preserving data aggregation scheme for smart grid," in Proc. of the 2012 International Conference on Wireless Communications & Signal Processing (WCSP), 2012, pp. 1-6.
[24] Z. G. Shi, R. X. Sun, R. X. Lu, L. Chen, J. M. Chen and X. M. Shen. "Diverse grouping-based aggregation protocol with error detection for smart grid communications," IEEE Transactions on Smart Grid, vol. 6, no. 6, pp. 2856-2868, Nov. 2015.
[25] W. W. Jia, H. J. Zhu, Z. F. Cao, X. L. Dong and C. X. Xiao. "Human-factor-aware privacy-preserving aggregation in smart grid," IEEE Systems Journal, vol. 8, no. 2, pp. 598-607, June 2014.
[26] C. Li, R. X. Lu, H. Li, L. Chen and J. Chen. "PDA: a privacy-preserving dual-functional aggregation scheme for smart grid communications," Security and Communication Networks, vol. 8, no. 15, pp. 2494-2506, Oct. 2015.
[27] R. X. Lu, X. H. Liang, X. Li, X. D. Lin and X. M. Shen. "EPPA: an efficient and privacy-preserving aggregation scheme for secure smart grid communications," IEEE Transactions on Parallel and Distributed System, vol. 23, no. 9, pp. 1621-1631, Sept. 2012.
[28] X. F. Liu, Y. Q. Zhang, B. Y. Wang and H. Q. Wang. "An anonymous data aggregation scheme for smart grid systems," Security and Communication Networks, vol. 7, no. 3, pp. 602-610, Mar. 2014.
[29] C. Rottondi, G. Verticale and A. Capone. "Privacy-preserving smart metering with multiple data consumers," Computer Networks, vol. 57, no. 7, pp. 1699-1713, Mar. 2013.
[30] F. G. Mármol, C. Sorge, O. Ugus and G. M. Pérez. "Do not snoop my habits: preserving privacy in the smart grid," IEEE Communications Magazine, vol. 50, no. 5, pp. 166-172, May 2012.
[31] A. Rial and G. Danezis. "Privacy-preserving smart metering," in Proc. of 10th Annual ACM Workshop on Privacy in the Electronic Society (WPES '11), 2011, pp. 49-60.
[32] G. Ács and C. Castelluccia. "I have a dream! (differentially private smart metering)," in International Workshop on Information Hiding, 2011, pp. 118-132.
[33] E. Shi, T-H. H. Chan, E. G. Rieffel, R. Chow and D. Song. "Privacy-preserving aggregation of time-series data," in 18th Annual Network & Distributed System Security Symposium (NDSS), 2011.
[34] F. J. Li, B Luo and P. Liu. "Secure information aggregation for smart grids using homomorphic encryption," in 2010 First IEEE International Conference on Smart Grid Communications (SmartGridComm), 2010, pp. 327-332.
[35] C. Rottondi, G. Verticale and C. Krauss. "Distributed privacy-preserving aggregation of metering data in smart grids," IEEE Journal on Selected Areas in Communications, vol. 31, no. 7, pp. 1342-1354, Jul. 2013.
[36] L. Anany. "Transform-and-Conquer," in Introduction to the Design & Analysis of Algorithms, 3rd ed. Boston: Addison-Wesley Longman Publishing Co., Inc., 2002, pp. 225-228.
[37] B. Mihir and R. Phillip. "Random oracles are practical: a paradigm for designing efficient protocols," in Proc. of the 1st ACM Conference on Computer and Communications Security (CCS '93), 1993, pp. 62-73.
[38] Multiprecision integer and rational arithmetic c/c++ library, http://www.shamus.ie/.
[39] B. Lynn, PBC library, http://crypto.stanford.edu/pbc/.

Hua Shen received the M.S. and Ph.D. degrees from Wuhan University, Wuhan, China, in 2007 and 2014, respectively. She is currently an Associate Professor with the School of Computer Science, Hubei University of Technology. Her research interests include privacy preserving, information security, and cloud computing.

Mingwu Zhang received the Ph.D. from South China Agric University in 2009. He is a Professor with the School of Computer Science in Hubei University of Technology. From August 2010 to August 2012, he has been a JSPS Postdoctoral Fellow at Institute of Mathematics for Industry in Kyushu University. From June 2015 to June 2016, he has been a Senior Research Fellow with the Centre for Computer and Information Security, University of Wollongong. His current research interests include cryptography technology for networks, secure computations, and privacy preservation.

Jian Shen received the M.E. and Ph.D. degrees in Computer Science from Chosun University, Gwangju, Korea in 2009 and 2012, respectively. Since late 2012, he has been a full professor in the School of Computer and Software at Nanjing University of Information Science and Technology, Nanjing, China. His research interests include information security, public cryptography, security systems, and network security.
