A Privacy-preserving Data Aggregation Scheme with Efficient Batch Verification in Smart Grid

Abstract

This paper presents a privacy-preserving data aggregation scheme deals with the multidimensional data. It is essential that the multidimensional data is rarely mentioned in all researches on smart grid. We use the Paillier Cryptosystem and blinding factor technique to encrypt the multidimensional data as a whole and take advantage of the homomorphic property of the Paillier Cryptosystem to achieve data aggregation. Signature and efficient batch verification have also been applied into our scheme for data integrity and quick verification. And the efficient batch verification only requires 2 pairing operations. Our scheme also supports fault tolerance which means that even some smart meters don't work, our scheme can still work well. In addition, we give two extensions of our scheme. One is that our scheme can be used to compute a fixed user's time-of-use electricity bill. The other is that our scheme is able to effectively and quickly deal with the dynamic user situation. In security analysis, we prove the detailed unforgeability and security of batch verification, and briefly introduce other security features. Performance analysis shows that our scheme has lower computational complexity and communication overhead than existing schemes.

​1. Introduction

With the development of smart grid technology, smart grid has increasingly shown its importance. Compared with the centralized one-way transmission of traditional grid, smart grid makes a feature of decentralized two-way transmission as shown in Fig. 1 and is aimed at providing improved reliability, efficiency and sustainability, consumer involvement and security [1]. In smart grid, every user is equipped with a smart meter. On one hand, the smart grid needs to collect real-time information from smart meters for adjusting power supplies or changing electricity price etc. On the other hand, the aggregator is not supposed to know the personal detailed electricity consumption information on each user because the detailed electricity consumption information may leak the user’s behavior information [2]. Therefore, there are two important tasks for security in the smart grid [3]. One is to hide the data privacy of the individual smart meter readings. At the same time, the other one is to allow the aggregator to obtain the overall electricity consumption information about all users.

Fig. 1. The architecture of smart grid

To solve the two important tasks in smart grid, homomorphic Paillier encryption technique [4] can be applied. So the aggregator can perform the aggregation operation without decrypting the encrypted data of users. Such homomorphic encryption has been applied in many existing data aggregation schemes [1, 5-12]. Most of the aggregation schemes focused on one dimensional data [5-12], while Lu et al.’s scheme [1] focuses on multidimensional user data which is rarely mentioned in existing approaches. But the scheme of [1] has one drawback that it can’t resist internal attackers. That is, if the operation authority (OA) is compromised by attackers, users’ data will be revealed. And although they adopte the batch verification technique to reduce authentication cost, the time consuming of their pairing operations is still proportional to the number of users. Fan et al. proposed a privacy-enhanced data aggregation scheme [13]. In [13], each user embeds a blinding factor into their ciphertext to protect their data from internal attackers; and the aggregator also holds one that makes the sum of all these blinding factors is 0. This kind of blinding factor technique has been applied in several works [6, 14-17]. But they all share one major drawback that they are not tolerant to smart meter failures. If some users fail to report their data, the aggregator will obtain the wrong aggregation result as the sum of the blinding factors is no longer 0. A privacy-preserving data aggregation scheme is proposed by Chen et al. [9]. In [9], TA takes charge of distributing the blinding factors to the aggregator and users. If some users’ smart meters don’t work, the aggregation scheme can still work well by the help of TA. But the communication overhead is significant in [9] and it cannot get message authentication. Based on above descriptions, this paper presents a privacy-preserving data aggregation scheme that can deal with the multidimensional data. System model includes a trusted authority (TA), an untrusted aggregator and users. We use the Paillier Cryptosystem and blinding factor technique to encrypt the multidimensional data as a whole and take advantage of the homomorphic property of the Paillier Cryptosystem to achieve data aggregation. Signature and efficient batch verification have also been applied into our scheme for data integrity and quick verification. And the efficient batch verification only requires 2 pairing operations. Our scheme also supports fault tolerance which means that if some users’ smart meters don’t work, our scheme can still work well with the help of TA. Furthermore, we consider the situation that the batch verification may fail. If the batch verification fails, we can use the technique proposed in [18] to quickly find the invalid signatures. In addition, we give two extensions of our scheme, one is that our scheme can be used to compute a fixed user’s time-of-use electricity bill. The other is that our scheme is able to effectively and quickly deal with dynamic user situation. In security analysis, we prove the unforgeability and batch verification security in details and explain that our scheme can also resist external attackers and internal attackers. Through performance analysis, our scheme has lower computational complexity and communication overhead than existing schemes.

The remainder of this paper is organized as follows. The system model and preliminaries are introduced in Section 2. Our detailed scheme and the extensions of our scheme are given in Section 3 and Section 4, respectively. In Section 5, the security and performance analysis of our scheme are discussed. Lastly, we draw conclusions in Section 6.

2. Simplified System Model and Preliminaries

2.1 Simplified System Model

We consider simplified smart grid architecture in our system model, which includes a number of users, an aggregator and a trusted authority (TA) as shown in Fig. 2. This paper mainly deals with how to report users’ data to the aggregator in a privacy-preserving way with the signature aggregation and batch verification.

Fig. 2. System model

• Trusted Authority (TA): TA is a trusted entity in our system model which belongs to some independent organizations like Regional Transmission Organizations (RTO) or Independent System Operators (ISO). In the initialization phase, TA selects blinding factors and sends them to the aggregator and each user. Besides that, if some smart meters cannot report the real-time data to the aggregator, TA can help to make the aggregation process to continue normal execution. We assume that TA cannot be compromised by any strong adversaries.

• Aggregator: The aggregator is a powerful entity who is curious about users’ electricity consumption data. In our system model, the aggregator might be compromised by the outside adversaries, thus it is untrusted. During the initialization phase, the aggregator generates secret values and publishes public information. During the aggregation phase, the aggregator can use the batch verification to verify users’ signatures and get users’ total electricity consumption information without knowing each user’s.

• Users U={U₁, U₂,…,U_n}: represents user set. If there are n users, U={U₁, U₂,…,U_n}. Each user U_i∈U is equipped with a smart meter that can record the real-time electricity consumption information. These real-time data will be reported to the aggregator in a certain period, i.e. every 15 minutes. Sometimes smart meters may malfunction i.e. they may stop reporting for a while or reset it later.

2.2 Bilinear Pairing Setting

We define two cyclic multiplicative groups {G₁,G₂} with the same prime order q. g is a generator of G₁ and G₂ possess a nondegenerated and efficiently computable bilinear map e: G₁×G₁→G₂. The bilinear pairing contains the following features [13].

• Bilinearity: \(e(P, P) \neq 1_{\mathrm{G}_{2}}\) and e(P^a,Q^b)=e(P,Q)^ab∈G₂ for all P,Q∈G₁, \(a, b \in Z_{q}^{*}\)

• Nondegeneracy: There exists P,Q∈G₁ such that \(e(P, Q) \neq 1_{\mathrm{G}_{2}}\).

• Computability: There exists an efficient algorithm to compute e(P,Q) for all P,Q∈G₁.

2.3 Paillier Cryptosystem

The Paillier Cryptosystem [4] can acquire the homomorphic properties. The Paillier cryptosystem specifically contains key generation, encryption and decryption [1].

• Key Generation: According to the security parameter k, two large prime numbers p,q are first selected, where |p|=|q|=k. Then the RSA modulus are computed with N=pq and λ=lcm(p-1,q-1). Define a function \(L(u)=\frac{u-1}{N}\), after choosing a generator \(g \in Z_{N^{2}}^{*}\), \(\mu=\left(L\left(g^{\lambda} \bmod N^{2}\right)\right)^{-1} \bmod N\) is further calculated. Then, the public key is pk=(N,g), and the corresponding private key is sk=(λ,μ).

• Encryption: Given a message m∈Z_N, select a random number \(r \in Z_{N}^{*}\). The ciphertext of m is c=E(m)=g^m·r^N MOD N².

• Decryption: Given the ciphertext \(c \in Z_{N}^{*}\), the corresponding message can be recovered as m=D(c)=L(c^λ mod N²). μ mod N.

In addition, the Paillier encryption can be proved to satisfy the chosen plaintext security, and the correctness and security can be referred to [4].

2.4 Small Exponent Test

If someone needs to verify the equations set Y_i=g^X_i(i=1,2,…,n), where g is a generator for a group of prime order q . One can calculate and check if the equation \(\prod_{i=1}^{n} y_{i}=g^{\sum_{i=1}^{n} x_{i}}\) is true. If there are such two pairs (x₁,y₁) and (x₂,y₂), their product can be verified correctly, but each verification is not correct, for example, by submitting the pairs (X₁-α,Y₁) and (X₂-α,Y₂) for any α [19]. Because of the above reasons, the small exponent test method is proposed in [20], which will be applied to pairings in the following section.

Small exponent test [20]: choose a small exponent δ_i of ℓ_b bits and compute \(\prod_{i=1}^{n} y_{i}^{\delta_{i}}=g^{\sum_{i=1}^{n} x \delta_{i}}\). The probability is 2^-ℓ_b when a bad pair is accepted. Choose the size of b l according to the trade-off between efficiency and security.

2.5 Notation

Some notations are defined as follows.

t: the time when the aggregator needs to aggregate the power usage data.

U: the user set.

U_i: the users in the neighborhood, where i=1,2,…,n.

ID_i: the identifier of U_i.

π_i: the U_i’s blinding factor.

π₀: the blinding factor of aggregator.

N, g_AG: the public key of aggregator.

λ,μ: the private key of aggregator.

X_i: the U_i's private key.

Y_i: the U_i's private key.

3. Proposed Scheme

3.1 Initialization Phase

Aggregator: First the aggregator calculates the Paillier Cryptosystem’s public key (N=p₁q₁,g_AG), and the corresponding private key (λ,μ), where p₁, q₁ are two large primes, g_AG is a generator of \(\mathrm{Z}_{N^{2}}^{*}\), λ=lcm(p₁-1,q₁-1) and \(\mu=\left(L\left(g_{A g}^{\lambda} \bmod N^{2}\right)\right)^{-1} \bmod N\). Assume that there needs to report l types of electricity usage data in total. Then the aggregator needs to choose a sequence \(\overrightarrow{\mathrm{a}}=\left(a_{1}, a_{2}, \ldots, a_{l}\right)\) where α₁∈Z⁺, for i=1,2,…,l. Lastly, the public information {N(g₁…g_l)} is published by the aggregator, and {λ,μ} is kept as secrets.

TA: Choose the security parameter k, TA runs Gen(k) to generate (q,g,G₁,G₂,e). TA also needs to select (n +1) blinding factors {π₀,π₁,…,π_n} at random such that \(\pi_{0}+\pi_{1}+\cdots+\pi_{n} \equiv 0 \bmod N\). Firstly, n random numbers {π₁,…,π_n}(π₁∈Z_N, i=1,…,n) are generated by running pseudorandom generators, and π₀=-(π₁+…+π_n)mod N is computed. Actually, the size should not be less than 1024 bits for each blinding factor. Lastly, TA respectively sends π₀ to the aggregator and π_i to U_i for each i=1,2,…,n. In addition, TA need to select three secure hash functions H₁, H₂, H₃ where H₁:{0,1}^*→G₁, \(H_{2}:\{0,1\}^{*} \rightarrow Z_{N}^{*}\) and \(H_{3}:\{0,1\}^{*} \rightarrow Z_{q}^{*}\).

U_i: U_i selects a random number \(X_{i} \in Z_{q}^{*}\) and computes the corresponding value Y_i where Y_i=g^X_i. Then X_i is U_i's private key and Y_i is its public key.

3.2 Report Phase

Each user U_i∈U collects l types of data (d_i1,d_i2,…,d_il) by the smart meter in a period time so as to achieve the real-time users’ electricity consumption data. Then U_i performs the following steps.

(1) After getting the l types of data (d_i1,d_i2,…,d_il) from the smart meter, U_i computes the ciphertext \(C T_{i}=g_{1}^{d_{i 1}} \cdot g_{2}^{d_{i 2}} \cdots \cdot g_{l}^{d_{i}} \cdot\left(H_{2}(t)\right)^{\pi_{i}} \bmod N^{2}\) according to Paillier Cryptosystem.

(2) U_i first calculates two values h_i, W, where h_i=H₃(CT_i), W=H₁(t) and then computes V_i=W^X_ih_i. Finally the signature σ_i=V_i.

(3) U_i reports the ciphertext and signature {σ_i,CT_i} to the aggregator.

3.3 Aggregation Phase

After receiving total n reports {σ_i,CT_i} from the users where i=1,2,…,n, the aggregator calculates h_i=H₃(CT_i) for i=1,2,…,n and  W=H₁(t) and performs the following steps.

(1) Firstly, the aggregator verifies all signatures by checking whether \(e\left(g, \sigma_{i}\right)=e\left(W, Y_{i}^{h_{i}}\right)\). In order to improve the efficiency of verification, the aggregator can perform the batch verification by checking whether \(e\left(g, \prod_{i=1}^{n} \sigma_{i}^{\delta_{i}}\right)=e\left(W, \prod_{i=1}^{n}\left(Y_{i}^{h_{i}}\right)^{\delta_{i}}\right)\) where δ_i is a random element in \(\mathrm{Z}_{q}^{*}\). Then the time-consuming pairing operation e(·,·) can be reduced from 2n to 2 times.

(2) If the signatures are all valid in step 1, the aggregator computes \(V=H_{2}(t)^{\pi_{0}} \prod_{i=1}^{n} C T_{i} \bmod N^{2}\), where V satisfies \(V=g_{A g}^{a_{1} \sum_{i=1}^{n} d_{i 1}+a_{2} \sum_{i=1}^{n} d_{i 2}+\cdots+a_{l} \sum_{i=1}^{n} d_{d}} \cdot H_{2}(t)^{\beta N} \bmod N^{2}\). This equation will be explained in Section 3 and 4. Here we take \(M=a_{1} \sum_{i=1}^{n} d_{i 1}+a_{2} \sum_{i=1}^{n} d_{i 2}+\cdots+a_{l} \sum_{i=1}^{n} d_{i l} \text { and } R=\left(H_{2}(t)\right)^{\beta}\) and R=(H₂(t))^β. And we can see the report \(V=g_{A g}^{M} R^{N} \bmod N^{2}\) is a ciphertext of the Paillier Cryptosystem. Thus the aggregator can get M by taking the decryption algorithm of the Paillier Cryptosystem. By taking the Algorithm 1 [1], the aggregator can recover the summation of the data with the different type (D₁,D₂,…,D_l), where \(D_{j}=\sum_{i=1}^{n} d_{i j}(j=1,2, \ldots, l)\) represents the data aggregation value for type j.

Algorithm 1 [1]. Recover the aggregated report

The batch verification will fail when any of the signatures is invalid. In this case, we can use the technique proposed by Law and Matt [18] in 2007 for tracing the users who provide invalid signatures in a batch.

3.4 Correctness

Signature Verification: According to the bilinearity feature of the bilinear pairing mentioned in Section 2.2, we give the correctness verification as (1).

\(\begin{aligned} e\left(W, \prod_{i=1}^{n}\left(Y_{i}^{h_{i}}\right)^{\delta_{i}}\right) &=e\left(W, \prod_{i=1}^{n}\left(g^{x, h_{i}}\right)^{\delta_{i}}\right) \\ &=\prod_{i=1}^{n} e\left(W, g^{x h_{i} \delta_{i}}\right) \\ &=\prod_{i=1}^{n} e\left(W^{x h_{i} \delta_{i}}, g\right) \\ &=\prod_{i=1}^{n} e\left(V_{i}^{\delta_{i}}, g\right) \\ &=e\left(\prod_{i=1}^{n} \sigma_{i}^{\delta_{i}}, g\right) \end{aligned}\)       (1)

Ciphertext Decryption: In the aggregation phase, if they are valid for all the signatures, the aggregator needs to compute the value V for further decryption. We will now verify the correctness of the ciphertext decryption in our scheme. We use the feature of the blinding factors that \(\pi_{0}+\pi_{1}+\cdots+\pi_{n} \equiv 0 \bmod N\) so the correctness verification is given as following (2).

\(\begin{aligned} V &=H_{2}(t)^{\pi_{0}} \prod_{i=1}^{n} C T_{i} \bmod N^{2} \\ &=H_{2}(t)^{\pi_{0}} \prod_{i=1}^{n} g_{1}^{d_{i 1}} \cdot g_{2}^{d_{i 2}} \cdots \cdot g_{l}^{d_{i}} H_{2}(t)^{\pi_{i}} \bmod N^{2} \\ &=\prod_{i=1}^{n} g_{1}^{d_{i 1}} \cdot g_{2}^{d_{i 2}} \cdots \cdots g_{l}^{d_{i}} H_{2}(t)^{\pi_{0}+\pi_{1}+\cdots+\pi_{n}} \bmod N^{2} \\ &=g_{1}^{\sum_{i=1}^{n} d_{i 1}} \cdot g_{2}^{\sum_{i=1}^{n} d_{i 2}} \ldots \cdots g_{l}^{\sum_{i=1}^{n} d_{i l}} \cdot H_{2}(t)^{\sum_{j=0}^{n} \pi_{j}} \bmod N^{2} \end{aligned}\\ \longrightarrow{\sum_{j=0}^{n} \pi_{j}=0 \bmod N \Rightarrow \sum_{j=0}^{n} \pi_{j}=\beta N \text { for some } \beta}\\ \begin{aligned} &=g_{1}^{\sum_{i=1}^{n} d_{i 1}} \cdot g_{2} \sum_{i=1}^{n} d_{i 2} \ldots g_{l} \sum_{i=1}^{n} d_{d i} \cdot H_{2}(t)^{\beta N} \bmod N^{2} \\ &=g_{A g}^{a_{1} \sum_{i=1}^{n} d_{i 1}} \cdot g_{A g}^{a_{2} \sum_{i=1}^{n} d_{i 2}} \ldots \cdot g_{A g}^{a_{l} \sum_{i=1}^{n} d_{d}} \cdot H_{2}(t)^{\beta N} \bmod N^{2} \\ &=g_{A g}^{a_{1} \sum_{i=1}^{n} d_{i 1}+a_{2} \sum_{i=1}^{n} d_{i 2}+\cdots+a_{l} \sum_{i=1}^{n} d_{i l}} \cdot H_{2}(t)^{\beta N} \bmod N^{2} \end{aligned} \)       (2)

3.5 Fault Tolerance Handling

As mentioned in Section 2.1, if some users’ smart meters don’t work well, smart meters might take a break from reporting or reset it later. Here we use \(\widehat{U} \subset U\) to represent the users with broken smart meters and \(\mathrm{U} / \widehat{\mathrm{U}}\) to represent the rest users with normal smart meters. Then these scenarios will greatly influence the character of the blinding factors such that \(\sum_{i \in U / 0} \pi_{i} \neq 0 \bmod N\). This will directly lead to get the wrong aggregation results for the aggregator. Depending on such occasions, we now modify some parts of our scheme to make the aggregation go well.

The initialization phase and the report phase will not change. During the beginning part of the aggregation phase, once the aggregator discovers that the total number of the users’ reports is not n , it then sends the set \(\hat{U}\) to TA. After receiving the set \(\hat{U}\), TA calculates \(\hat{H}=H_{2}(t)_{i \in U}^{\sum \pi_{i}}\) and sends \(\hat{H}\) back to the aggregator. Then the aggregator can continue calculate \(V^{\prime}=\hat{H} \cdot H_{2}(t)^{\pi_{0}} \prod_{i \in \mathrm{U} / \mathrm{U}} C T_{i} \bmod N^{2}\) as (3).

\(V^{\prime}=\left(g_{A g}\right)^{a_{1} \sum_{i \in U / /} d_{i 1}+a_{2} \sum_{i \in U / N} d_{i 2}+\cdots+a_{l} \sum_{i \in U N} d_{i l}}\left(H_{2}(t)\right)^{\beta N} \bmod N^{2}\)       (3)

Here we take \(M^{\prime}=a_{1} \sum_{i \in \mathrm{U} / \mathrm{U}} d_{i 1}+a_{2} \sum_{i \in \mathrm{U} / \mathrm{U}} d_{i 2}+\cdots+a_{l} \sum_{i \in \mathrm{U} / \mathrm{U}} d_{i l}\) and R=(H₂(t))^β. And we can see the report \(V^{\prime}=g_{A g}^{M^{\prime}} R^{N} \bmod N^{2}\) is still a ciphertext of the Paillier Cryptosystem. Thus the aggregator can get M' by taking the decryption algorithm of the Paillier Cryptosystem. By taking the Algorithm 1, the aggregator can recover the summation of the data with the same type (\(D_{1}^{\prime}, D_{2}^{\prime}, \ldots, D_{l}^{\prime}\)) where each \(D_{j}^{\prime}=\sum_{i \in \mathrm{U} / \hat{\mathrm{U}}} d_{i j}\).

4. Extensions

4.1 Extension to Support Time-of-Use Electricity Pricing Mode

Time-of-use electricity pricing mode divides one day into several different time periods and sets up corresponding electricity price for these time periods. In each time period, smart meter collects the total power consumption and then multiplies by the corresponding price to get the electricity fees for the user. So when the aggregator needs to obtain a fixed user’s electricity fees in a certain time period, our scheme can support such demand.

Assume one day is divided into T₁,T₂,…,T_m and the corresponding price is β₁,β₂,…,β_m. The collection cycle of the aggregator covers w time periods, i.e. from T₁ to T_w, from T_w+1 to T_2w, and so on. We use \(\Sigma_{i 1}, \Sigma_{i 2}, \ldots, \Sigma_{i m}\) to represent the total electricity usages of a fixed user U_i in each time period. We take the first cycle as an example. It is to say that we will show how the aggregator computes the electricity fees for user U_i during T₁ to T_w. In report phase, for j=1,,…,2w-1, U_i computes the ciphertext as \(C T_{i, j}=g^{\beta_{j} \Sigma_{i j}} H_{2}\left(T_{j}\right)^{\pi_{i}} \bmod N^{2}\) and for the last one T_w the ciphertext is modified as \(C T_{i, \omega}=g^{\beta_{\omega} \Sigma_{i \theta}} \hat{H}_{\omega}^{\pi_{i}} \cdot r_{i}^{N} \bmod N^{2}\), where \(r_{i} \in Z_{N}^{*}\) is a random number and \(\hat{H}_{\omega}\) is constructed as (4). 

\(\hat{H}_{\omega}=\left(\prod_{j=1}^{\omega-1} H_{2}\left(T_{j}\right)\right)^{-1} \bmod N^{2}\)       (4)

In the aggregation phase, the aggregator collects w ciphertexts and aggregates them as following (5).

\(\begin{aligned} C T_{i} &=C T_{i, \omega} \cdot \prod_{j=1}^{\omega-1} C T_{i, j} \bmod N^{2} \\ &=g^{\beta_{1} \sum_{i 1}+\beta_{2} \sum_{i 2}+\cdots+\beta_{\omega} \sum_{i \theta}} \cdot\left(\prod_{j=1}^{\omega-1} H_{2}\left(T_{j}\right)\right)^{\pi_{i}} \cdot\left(\hat{H}_{\omega}\right)^{\pi_{i}} \cdot r_{i}^{N} \bmod N^{2} \\ &=g^{\sum_{j=1}^{\beta} \beta_{j} S_{i j}} \cdot r_{i}^{N} \bmod N^{2} \end{aligned}\)       (5)

Therefore the aggregator can get \(\sum_{j=1}^{\omega} \beta_{j} \Sigma_{i j}\) by taking decryption algorithm of the Paillier Cryptosystem. And \(\sum_{j=1}^{\omega} \beta_{j} \Sigma_{i j}\) is the electricity fees for user U_i during T₁ to T_w.

4.2 Extension to Support Dynamic Users

In this section, we will discuss the case that some users may join or leave the system at any time period. So we need to modify some parts of the proposed scheme so that the aggregation can still be successful no matter users’ addition or removal.

Here we assume that at any time period, the added users set is U_a and the removed users set is U_b. So in the initialization phase, TA first generates blinding factors \(\left\{\pi_{i}\right\}_{i \in \mathrm{U}_{a}}\) for new users. Then TA gives the aggregator \(\pi_{0}^{\prime}=\pi_{0}-\sum_{a \in \mathrm{U}_{a}} \pi_{a}+\sum_{b \in \mathrm{U}_{b}} \pi_{b}\) as the new blinding factor. Here we take \(\tilde{\mathrm{U}}=\mathrm{U}+\mathrm{U}_{a}-\mathrm{U}_{b}\) as the new updated users. In the report phase, the aggregator will receive a set of reports \(\left\{\sigma_{i}, C T_{i}\right\}_{i \in \tilde{U}}\). Since the batch verification won’t be influenced, so if they are valid for all the signatures, the aggregator computes the value \(V=H_{2}(t)^{\pi_{0}^{\prime}} \prod_{i \in U} C T_{i} \bmod N^{2}\) as (6).

\(\begin{aligned} V &=g_{A g}^{a_{1} \sum_{i \in \tilde{U}} d_{i 1}+a_{2} \sum_{i \in \mathbb{U}} d_{i 2}+\cdots+a_{l} \sum_{i \in \tilde{U}} d_{i l}} H_{2}(t)^{\pi_{0}^{\prime}+\sum_{j \in \tilde{U}} \pi_{j}} \bmod N^{2} \\ &=g_{A g}^{a_{1} \sum_{i \in \tilde{U}} d_{i 1}+a_{2} \sum_{i \in U} d_{i 2}+\cdots+a_{l} \sum_{i \in \tilde{U}} d_{i l}} H_{2}(t)^{\pi_{0}^{\prime}+\sum_{i=1}^{n} \pi_{i}+\sum_{j \in U_{a}} \pi_{a}-\sum_{j \in U_{b}} \pi_{b}} \bmod N^{2} \\ &=g_{A g}^{a_{1} \sum_{i \in \tilde{U}} d_{i 1}+a_{2} \sum_{i \in \mathbb{U}} d_{i 2}+\cdots+a_{l} \sum_{i \in \tilde{U}} d_{i l}} H_{2}(t)^{\sum_{i=0}^{n} \pi_{i}} \bmod N^{2} \\ &=g_{A g}^{a_{1} \sum_{i \in \tilde{U}} d_{i 1}+a_{2} \sum_{i \in \mathbb{U}} d_{i 2}+\cdots+a_{l} \sum_{i \in \tilde{U}} d_{i l}} H_{2}(t)^{\beta N} \bmod N^{2} \end{aligned}\)       (6)

Then the aggregator takes the decryption algorithm of the Paillier Cryptosystem and Algorithm 1 to get (D₁, D₂, …, D_l) where \(D_{j}=\sum_{i \in \mathbb{U}} d_{i j}\). We can see that when users join the system, TA only needs to generate blinding factors for the new users and change the blinding factor for the aggregator. And when users leave the system, we only need TA to generate new blinding factor for the aggregator. All the other users do not need to change anything for aggregation. So it’s obvious that this scheme can handle the dynamic user scenarios in an efficient way.

5. Security and Performance Analysis

5.1 Security Analysis

Against External Attackers: The communication flows from users to the aggregator can be eavesdropped by external attackers but they cannot get users’ electricity consumption information from the encrypted data. That is to say, although external attackers can get the data \(C T_{i}=g_{1}^{d_{i 1}} \cdot g_{2}^{d_{i 2}} \cdots \cdots g_{l}^{d_{i}} \cdot\left(H_{2}(t)\right)^{\pi_{i}} \bmod N^{2}\) from user U_i, they can’t get the information about (d_i1, d_i2, …, d_il) because π_i is unknown to attackers. So external attackers can’t get the value \(\left(H_{2}(t)\right)^{\pi_{i}}\). And they can’t know (d_i1, d_i2, …, d_il). Therefore, the electricity consumption information about users is secure against the external attackers.

Against Internal Attackers: As we mentioned before in the system model, the aggregator is untrusted. So here we’d like to refer the aggregator as the internal attacker. We can see that the aggregator obtains all the users’ encrypted data \(\left\{C T_{i}\right\}_{i=1}^{n}\) and the value (D₁, D₂, …, D_l). First the aggregator can’t get each user’s electricity usage data because the value π_i is unknown to the aggregator. So the aggregator can’t know \(\left(H_{2}(t)\right)^{\pi_{i}}\) the value which means the aggregator won’t know (d_i1, d_i2, …, d_il). Second, although the aggregator gets the aggregated result \(D_{j}=\sum_{i=1}^{n} d_{i j}\), it still unable to obtain personal user electricity consumption data (d_i1, d_i2, …,d_il). So the electricity consumption information about users is secure against the internal attackers.

Traceability: If the batch verification fails, our scheme has the ability to find out which users’ signatures are invalid by finding invalid signature algorithm in [18].

Unforgeability: The signature part of our scheme is unforgeable under the assumption of the standard CDH problem. We give the proof of unforgeability as follow.

Proof of Unforgeability

In random oracle model, the signature part of our scheme is existentially unforgeable under the assumption of the standard CDH problem in multiplicative cyclic groups. According to the theorem 3.2 in [21], we prove our signature is unforgeable as follows.

Definition 1. Order-q group G₁ is a (t',ε')-bilinear group if G₁ satisfies the following properties:

• A group G₂ of order q and a bilinear map e:G_1×G₁→G₂ exist, and e is computable in time at most t'.

• No algorithm ε-breaks CDH on G₁.

Definition 2. In a chosen-message attack [22], if a signature scheme (KeyGen,Sign,Verify) satisfies existential unforgeability, the scheme is defined by the following game between an adversary A and a challenger:

Setup. The challenger can get a public key PK and private key SK by running algorithm KeyGen. The adversary A can obtain PK.

Queries. A can adaptively requests at most q_s messages \(M_{1}, \ldots, M_{q_{s}} \in\{0,1\}^{*}\) with PK. The challenger responds to each signature σ_i=Sign(SK_i,M_i) which is queried.

Output. If M is not in (\(M_{1}, \ldots, M_{q_{s}}\)) and Verify (PK,M,σ) = valid , A outputs a pair (M,σ) and wins the game 

AdvSig_A is defined as the probability that wins in the above game, taken over the coin tosses of and of A.

Definition 3. If a forger makes at most q_s signature queries and \(q_{H_{1}}\) queries for the hash function H₁ and \(q_{H_{3}}\) queries for the hash function H₃, A is called (\(t, q_{H_{1}}, q_{H_{3}}, q_{s}, \varepsilon\)) - breaks a signature scheme in time at most t with AdvSig_A being at least ε. If no forger (\(t, q_{H_{1}}, q_{H_{3}}, q_{s}, \varepsilon\)) -breaks a signature scheme, the signature scheme is (\(t, q_{H_{1}}, q_{H_{3}}, q_{s}, \varepsilon\)) - existentially unforgeable under an adaptive chosen-message attack.

Theorem 1. Let G₁ be a (t',ε')-multiplicative cyclic group of order q. Under an adaptive chosen-message attack, the signature scheme proposed on G₁ is (\(t, q_{H_{1}}, q_{H_{3}}, q_{s}, \varepsilon\))-secure against existential forgery.

Proof. If a forger can (\(t, q_{H_{1}}, q_{H_{3}}, q_{s}, \varepsilon\))-breaks the signature scheme, there is a t'-time algorithm B to solve standard CDH on G₁ with probability ε' at least.

Algorithm B can give an instance (q,g,g^a,g^b) of the CDH problem to output g^ab with a generator g of G₁. Algorithm B simulates the challenger and interacts with forger A as follows:

Setup. Algorithm starts by giving the generator and the public key Y_i=g^a.

H-queries. Algorithm A can query the random oracle at all times.

For H₁-query on t_j:

1. If the query t_j already appears on the H₁-list in a tuple (t_j, H₁-coin_j, k_j, l_j) then algorithm B retrieves (k_j, l_j) from H₁-list.

2. Otherwise, a random coin H₁-coin_j∈{0,1} will be generated by B. If H₁-coin_j=1, B generates \(k_{j} \in Z_{q}^{*}\) and l_j=0; else B generates \(k_{j}, l_{j} \in Z_{q}^{*}\). B logs (t_j, H₁-coin_j, k_j, l_j) in the H₁-list.

3. responds with \(W=H_{1}\left(t_{j}\right)=g^{k_{j}} \cdot\left(g^{b}\right)^{l_{j}}\).

For H₃-query on CT_i:

1. If the CT_i query has already appeared on the H₃-list in a tuple (CT_i, n_i), algorithm B retrieves n_i from H₃-list.

2. Otherwise, generates \(n_{i} \in Z_{q}^{*}\) and logs (CT_i, n_i) in the H₃-list.

3. B responds h_i=H₃(CT_i)=n_i.

Signature Queries. While requests a signature on (CT_i, t_j), makes the following response to the query.

1. Algorithm B can obtain H₁(t_j)by running the above algorithm for responding to H₁- queries. The corresponding tuple is (t_j, H₁-coin_j, k_j, l_j) on the H₁-list. When H₁-coin_j=0, let abort.

2. Otherwise, we know H₁-coin_j=1 and hence W=H₁(t_j)=g^k_j and h_i=H₃(CT_i)=n_i. Define σ_i=V_i=(g^a)^k_jn_i. Observe that \(e\left(g, \sigma_{i}\right)=e\left(W, Y_{i}^{h_{i}}\right)\) and so σ_i is a valid signature on (CT_i, t_j). Algorithm A can get σ_i from algorithm B.

Output. Finally, algorithm products a signature σ_f on (CT_f, t_s) and CT_f is without signature query. If there is no tuple containing CT_f and t_s on the H₁-list and H₃-list, B issues a query for H₁(t_s) and H₃(CT_f) by itself to ensure there is such a tuple. Assume σ_f is a valid signature on (CT_f, t_s); if not, B aborts. Then the tuple (t_s, H₁-coin, k, l) can be found by algorithm B on the H₁-list and the tuple (CT_f, n) on the H₃-list. When H₁-coin=1, B aborts. Otherwise, B can derive its CDH problem answer from the following (7).

\(\begin{aligned} \sigma_{f} &=W^{a h} \\ &=H_{1}\left(t_{s}\right)^{a H_{3}\left(C T_{f}\right)} \\ &=\left(g^{k} \cdot\left(g^{b}\right)^{l}\right)^{a n} \\ &=\left(g^{k+b l}\right)^{a n} \\ &=g^{a n k} \cdot g^{a b n l} \end{aligned}\)       (7)

The description of algorithm B is completed.

Data Integrity: Since the signature part of our scheme is proved secure under the CDH problem in the random oracle model, data integrity can be guaranteed.

Batch Verification Security: Our scheme satisfies batch verification security and it can be proved in the following.

Proof of Batch Verification

According to the security proof of [19], first Verify (M₁,SK₁,σ_i) =…= Verify (M_n,SK_n,σ_n)=1 implies that Batch((M₁,SK₁,σ_i),…,(M_n,SK_n,σ_n))=1. Let vector △=(δ₁,δ₂,…,δ_n) where each δ₁ is ℓ_b bits random element in \(\mathrm{Z}_{q}^{*}\). The following (8) represent the verification equation.

\(\begin{aligned} e\left(\prod_{i=1}^{n} \sigma_{i}^{\delta_{i}}, g\right) &=\prod_{i=1}^{n} e\left(\sigma_{i}^{\delta_{i}}, g\right) \\ &=\prod_{i=1}^{n} e\left(H_{1}(t)^{S K_{i} H_{3}\left(M_{i}\right)}, g\right) \\ &=\prod_{i=1}^{n} e\left(H_{1}(t)^{H_{3}\left(M_{i}\right)}, g^{s K_{i}}\right) \\ &=\prod_{i=1}^{n} e\left(H_{1}(t)^{H_{3}\left(M_{i}\right)}, P K_{i}\right) \end{aligned}\)       (8)

Since σ_i, H₁(t)^H₃(M_i) and PK_i are all in G₁ for all i , we can rewrite σ_i=g^σ_i, H₁(t)^H₃(M_i)=g^r_i and PK_i=g^X_i for all \(\alpha_{i}, r_{i}, X_{i} \in Z_{q}^{*}\). So the verification equation can be rewritten to (9).

\(\begin{aligned} e\left(\prod_{i=1}^{n} g^{\alpha_{i} \delta_{i}}, g\right) &=\prod_{i=1}^{n} e\left(g^{f_{i} \delta_{i}}, g^{x_{i}}\right) \\ & \Rightarrow e(g, g)^{\sum_{i=1}^{n} \delta_{i} \alpha_{i}}=e(g, g)^{\sum_{i=1}^{n} \delta_{i} r_{i} X} \end{aligned}\)       (9)

If we set β_i=α_i-r_iX_i, then we can obtain (10).

\(\begin{aligned} e(g, g)^{\sum_{i=1}^{n} \delta_{i} \alpha_{i}-\sum_{i=1}^{n} \delta_{i} r_{i} x_{i}} &=1 \\ & \Rightarrow \sum_{i=1}^{n} \delta_{i} \alpha_{i}-\sum_{i=1}^{n} \delta_{i} r_{i} X_{i} \equiv 0 \bmod q \\ & \Rightarrow \sum_{i=1}^{n} \delta_{i} \beta_{i} \equiv 0 \bmod q \end{aligned}\)       (10)

If Batch((M₁,SK₁,σ_i),…,(M_n,SK_n,σ_n))=1, but we find out that for some j, there exists such a situation that  Verify (M_j,SK_j,σ_j)=0. Because q is a prime, so β_j has an inverse γ_j such that \(\beta_{j} \gamma_{j} \equiv 1 \bmod q\). Thus, we can set j =1 and \(\delta_{1} \equiv-\gamma_{1} \sum_{i=2}^{n} \delta_{i} \beta_{i} \bmod q\). And now we can see that Verify (M₁,SK₁,σ_i)=0 but Batch((M₁,SK₁,σ_i),…,(M_n,SK_n,σ_n))=1. Obviously this breaks batch verification. So we define E be an event that Verify (M₁,SK₁,σ_i)=0 holds but Batch((M₁,SK₁,σ_i),…,(M_n,SK_n,σ_n))=1. Note that we make no assumptions about the remaining values.

Let the last n-1 values of △ be △'=δ₂,…,δ_n and |△'| denotes the number of possible values for this vector. From above we know there is exactly one value of δ₁ for a fixed vector △', which will make event happen. Given by randomly chosen, the probability of E is Pr[E|△']=2^ℓ_b. So, when we choose at random and sum up all possible choices of △', \(\operatorname{Pr}[E] \leq \sum_{i=1}^{|\Delta|}\left(\operatorname{Pr}\left[E / \Delta^{\prime}\right] \cdot \operatorname{Pr}\left[\Delta^{\prime}\right]\right)\) can be obtained. When the values are plugged, we can obtain \(\operatorname{Pr}[E] \leq \sum_{i=1}^{2^{\iota^{b}(n-1)}}\left(2^{-\iota_{b}} \cdot 2^{-l_{b}(n-1)}\right)=2^{-\iota_{b}}\). The advantage is negligible for valid batch verification over invalid signature.

5.2 Performance Analysis

Comparison. In this part, our scheme is compared with other schemes [1, 5, 9, 13] about some security features as in Table 1.

Table 1. Comparison of Features

Computational Cost. In this part, we will evaluate the computational complexity of our scheme in two aspects. One is the computational costs of each user and the aggregator throughout the whole process. The other is the computational costs about the data aggregation and batch verification. The following is a detailed description.

First, our scheme is compared with Lu et al.’s scheme [1] about the computational costs of each user and the aggregator throughout the whole process. As for our scheme, when one user generates a ciphertext CT_i of his electricity usage data (d_i1, d_i2, …, d_il), it requires (l+1) exponentiation operations and l multiplication operations. Moreover, it requires 1 exponentiation operation and 1 multiplication operation to generate the signature σ_i for the user. Therefore, a total of l+2 exponentiation operations and l+1 multiplication operations are required for user. When the aggregator receives the total n ciphertexts from users, it requires 2 pairing operations, 2n exponentiation operations and 2(n-1) multiplication operations for batch verification. And the aggregator requires 1 exponentiation operation and n multiplication operations for generating the value V. As for decryption, it requires 1 paillier cryptosystem decryption operation [1]. Therefore, the aggregator requires a total of 2 pairing operations, 2n+1 exponentiation operations, 3n-2 multiplication operations and 1 paillier cryptosystem decryption operation. In [1], the local GW verifies the signatures and aggregates the encrypted data while OA recovers the aggregated report and gets the total aggregated data. So the computational complexity of the aggregator in our scheme will be compared with the GW and OA together in Lu et al.’s scheme [1]. According to [1], we make the comparison in Table 2. This paper defines the computational complexity costs of a pairing operation, an exponentiation operation, a multiplication operation and Paillier Cryptosystem Decryption by C_p, C_e, C_m and C_pai respectively.

Table 2. Comparison of Computational Complexity

Furthermore, Table 3 shows the time costs of all operations according to [13].

Table 3. Time Costs of Operation

According to the operating costs, Fig. 3(a) describes the variation of each user’s computational costs and Fig. 3(b) describes the variation of the aggregator’s computational costs in terms of l. we can see that there is an unknown number n represents the total user numbers in Table 2. In Fig. 3(b), we simply assume n=100. In reality, the total users’ number is larger; the advantage will be more obvious in our scheme. So it is clear that we distinctly reduce the computational complexity.

Fig. 3. Computational cost of each user and the aggregator

Second, we compare our scheme with the schemes in [1,13] in the computational costs about the data aggregation and batch verification. For homogeneity, we set l=1 both in our scheme and in [1]. Our scheme requires 2 exponentiation operations and 1 multiplication operation to calculate CT_i for each user and 1 exponentiation operation and n multiplication operations for the aggregator to aggregate ciphertexts of all users. Therefore, our scheme requires 2n+1 exponentiation operations and 2n multiplication operations in all. According to the schemes in [1,13], the computational costs of aggregation are (3n+2)C_e +3nC_m and (4n+2)C_p+(2n+2)C_e +(3n+3)C_m respectively. We make the comparison in Table 4 and Fig. 4.

Table 4. Comparison of Aggregation

Fig. 4. Performance Comparison of Aggregation

As for batch verification, our scheme requires 2 pairing operations, 2n exponentiation operations and 2(n-1) multiplication operations for aggregator to batch verify all signatures. According to the schemes in [1,13], the computational costs of batch verification are (n+1)C_p+(2n+1)C_e+(n+1)C_m and (n+1)C_p+(n+1)C_m respectively. We make the comparison in Table 5 and Fig. 5.

Table 5. Comparison of Batch Verification

Fig. 5. Performance Comparison of Batch Verification

Communication Overhead. In this part, we will evaluate the computation overhead of user-to- aggregator in our scheme. Each user generates the encrypted data CT_i and σ_i, then sends them to the aggregator. So the size should be S_z=|CT_i|+|σ_i|. If N is 1024-bit and G_i is 160-bit, then the size S_z=2048+160. So the total communication overhead is S=n·S_z from user to aggregator for n users and l types electricity usage data. For each dimensional data, each user generates a 2048-bit ciphertext in [13]. So if they have to transmit l types data, the communication overhead is S'=(2048·l+160)·n in total. We plot the communication overhead of Fan et al.’s scheme [13] in Fig. 6(a) and our scheme in Fig. 6(b) according to user number n and data type l.

Fig. 6. Communication Overhead between User and Aggregator

From the above performance analysis, our scheme obviously meets more security features but has less computational complexity and lower communication overhead. So our scheme is suitable to be applied into the smart grid communications.

6. Conclusion

In this paper, a data aggregation scheme is proposed. Our scheme has many excellent properties. First, we take the multidimensional data which is rarely mentioned in researches on smart grid into account. Second, though each user has multidimensional data, we use the Paillier Cryptosystem to encrypt the multidimensional data as a whole and take advantage of the homomorphic property to achieve data aggregation demand. Third, we apply blinding factor technique into our scheme so our scheme can resist the internal attackers on the security level. Fourth, our scheme is able to support fault tolerance so that even some smart meters don’t work, the aggregation process can still work well. Fifth, we construct efficient batch verification that reduces the computational complexity from 2n to 2 pairing operations. Sixth, our batch verification is suitable to use the technique in [18] to find invalid signatures if the batch verification fails. Seventh, our scheme can be extended to support time-of-use electricity pricing mode and dynamic users. Eighth, we provide security analysis that our scheme can resist external attackers and internal attackers and give detailed proof of unforgeability security and batch verification security. Ninth, through performance analysis, the computational costs and communication overhead can be significantly reduced in our scheme. In the future, we will study the possible attack named human-factor-aware differential aggregation attack and extend our scheme to resist such attack.