A. Definitions

In the description of related work and the remainder of this paper, we use the following nomenclature.

1. Supplier is responsible to manage the power grid.

2. Customer is a household buyer or seller of electricity.

3. Meter is a temper-resistant device installed in customer residence, and that measures the flow of electric energy.

4. Consolidated measurement is the sum of the measurements of $N$ meters, i.e., $m_{1}+m_{2}+\cdots +m_{N}$ .

B. Cryptographic Primitives

Many privacy-enhancing protocols use Paillier’s scheme [6] because it is an additive homomorphic encryption. Thus, if two meters encrypt their measurements, ${\mathsf {Enc}}(m_{1})$ and ${\mathsf {Enc}}(m_{2})$ , then applying the product, they have the encrypted sum, that is $$\begin{equation} {\mathsf {Enc}}(m_{1})\cdot {\mathsf {Enc}} (m_{2})= {\mathsf {Enc}}(m_{1}+m_{2}). \end{equation}$$ View Source\begin{equation} {\mathsf {Enc}}(m_{1})\cdot {\mathsf {Enc}} (m_{2})= {\mathsf {Enc}}(m_{1}+m_{2}). \end{equation}

The encryption function Enc with the additive homomorphic property from (1) presented by Paillier is given by $$\begin{equation} \begin{split} {\mathsf {Enc}}\,:\,\mathbb {Z}_{n}\times \mathbb {Z}^{*}_{n} &\longmapsto \mathbb {Z}_{n^{2}} \\ {\mathsf {Enc}}(m,r) &\longmapsto g^{m}\cdot r^{n} \mod n^{2} \end{split} \end{equation}$$ View Source\begin{equation} \begin{split} {\mathsf {Enc}}\,:\,\mathbb {Z}_{n}\times \mathbb {Z}^{*}_{n} &\longmapsto \mathbb {Z}_{n^{2}} \\ {\mathsf {Enc}}(m,r) &\longmapsto g^{m}\cdot r^{n} \mod n^{2} \end{split} \end{equation} where $m$ is a measurement, $n=p\cdot q$ with $p$ and $q$ safe primes such that $n$ divides the order of a random number $g\in \mathbb {Z}^{*}_{n^{2}}$ defined by the supplier, and $r$ is a random number chosen by the meter. Only the supplier knows the primes. The public key is composed of $n$ and $g$ . The private key is the Carmichael’s function $\lambda (n) = \operatorname {lcm}(p - 1, q -1)$ . The requirement that $n$ divides the order of $g\in \mathbb {Z}^{*}_{n^{2}}$ ensures that (2) is a bijection. From (2), the aggregation of encrypted measurements $c$ is given by $c= {\mathsf {Enc}}(m_{1},r_{1})\cdot {\mathsf {Enc}} (m_{2},r_{2}) = g^{m_{1}}r_{1}^{n}g^{m_{2}}r_{2}^{n} \mod n^{2} = g^{m_{1}+m_{2}}(r_{1}r_{2})^{n}\mod n^{2} = {\mathsf {Enc}}(m_{1}+m_{2},r_{1}r_{2})$ . The product is performed over $\mathbb {Z}_{n^{2}}$ and the addition over $\mathbb {Z}_{n}$ .

The decryption function Dec is given by $$\begin{equation} \begin{split} {\mathsf {Dec}}\,:\,\mathbb {Z}_{n^{2}} &\mapsto \mathbb {Z}_{n} \\ {\mathsf {Dec}}(c) &\mapsto \frac {L\left (c^\lambda \mod n^{2}\right )}{L\left (g^\lambda \mod n^{2}\right )} \mod n \end{split} \end{equation}$$ View Source\begin{equation} \begin{split} {\mathsf {Dec}}\,:\,\mathbb {Z}_{n^{2}} &\mapsto \mathbb {Z}_{n} \\ {\mathsf {Dec}}(c) &\mapsto \frac {L\left (c^\lambda \mod n^{2}\right )}{L\left (g^\lambda \mod n^{2}\right )} \mod n \end{split} \end{equation} where $L(u)=(u-1)/n$ . Since, the denominator is constant, it can be precomputed to speed up the processing time. Thus, the decryption is practically one modular exponentiation.

Notice that Dec does not depend on the random numbers. Therefore, we can write ${\mathsf {Dec}}( {\mathsf {Enc}}(m_{1})\cdot {\mathsf {Enc}} (m_{2}) \mod n^{2})=m_{1}\,+\,m_{2} \mod n.$ EPPP4SMS is one novelty based on Paillier’s scheme [6].

C. Related Work

There is much related work in the literature. Here, we present the most relevant to our contribution in this paper. For simplicity, we show the protocols only for one round of measurements.

A. Verification Property

In case of defect, if a meter did not send its measurement or send an invalid-signed message, the supplier knows exactly which meter it is. Thus, the supplier can request the meter to resend the message or provide a fix to hardware problems. In the meantime, the supplier cannot read consolidated consumption. Nevertheless, meters can cooperate to disclose the key of the damaged meter. The meter cooperation can disclose the sum of the keys of others, but they cannot disclose individual keys, unless $N-1$ meters cooperate. A better solution is the generation of new keys for nondamaged meter.

If the supplier identifies that something is wrong and asks for verification, a meter $i$ can reveal its measurement $m_{i_{t}}$ of the round $t$ without disclosing its permanent key. To perform a verification over a sent encrypted value $c$ of the meter $i$ , the supplier sends a request to the meter, which might send $m_{i_{t}}$ and $v=h_{1_{t}}^{k_{1_{i}}}h_{2_{t}}^{k_{2_{i}}}$ to the supplier. Therefore, the sent encrypted value is verified if $c\stackrel {?}{=} g^{m_{i_{t}}}\cdot v.$ From the perspective of privacy, the verification should be based on the sum of all accumulated measurements, instead of disclosing individual measurements. The supplier and meters can verify the sum of all measurements, which is much more privacy-friendly than sharing individual measurements. Notice that billing information is shared with the supplier in nonsmart grids already. In the same way a measurement is proven, the meters can prove their billing information or the sum of measurements. They need to store the product $V=\prod v_{t}$ of all $v_{t}=h_{1_{t}}^{k_{1_{i}}}h_{2_{t}}^{k_{2_{i}}}$ , where $t$ is the round based on a sequential or chronological timestamp. For example, at the end of one day, the meter $i$ sends $V$ and the consumption of the day $M=\sum m_{i_{t}}$ to its supplier that has stored the product of all encrypted measurements $C=\prod g^{m_{i_{t}}}h_{1_{t}}^{k_{1_{i}}}h_{2_{t}}^{k_{2_{i}}}$ from the meter $i$ . If $C \stackrel {?}{=} g^{M}\cdot V,$ then the meter proves whether its billing information is correct or not. Moreover, the meter still can use its permanent key for every new round.

B. Privacy Analysis

Suppose that an adversary has access to the private key $\lambda$ of the supplier. The adversary can intercept one message in the round $t$ and try to decrypt it ${\mathsf {Dec}}(g^{m_{i_{t}}}h_{1_{t}}^{k_{1_{i}}}h_{2_{t}}^{k_{2_{i}}})$ , but the adversary has no information about $m_{i_{t}}$ , neither $k_{1_{i}}$ , and neither $k_{2_{i}}$ , because $h_{1_{t}}$ and $h_{2_{t}}$ are cancelled when they are raised to the power of $n\lambda$ . Otherwise, the decryption returns no information, for the same reason that the random number $r$ is cancelled when we raise $r$ to the power of $n\lambda$ in Paillier’s scheme [6]. Showing details of this property inherited from Paillier’s scheme is beyond the scope of this paper, but we show what the adversary can see. Trying to decrypt an individual measurement leads to $$\begin{equation} \frac {L\left (\left (g^{m_{i_{t}}}h_{1_{t}}^{k_{1_{i}}}h_{2_{t}}^{k_{2_{i}}}\right )^\lambda \mod n^{2}\right )}{L(g^\lambda \mod n^{2})} \mod n \end{equation}$$ View Source\begin{equation} \frac {L\left (\left (g^{m_{i_{t}}}h_{1_{t}}^{k_{1_{i}}}h_{2_{t}}^{k_{2_{i}}}\right )^\lambda \mod n^{2}\right )}{L(g^\lambda \mod n^{2})} \mod n \end{equation} where $L(u)=(u-1)n^{-1}$ , which results in $m_{i_{t}}h_{1_{t}}^{k_{1_{i}}\lambda }h_{2_{t}}^{k_{2_{i}}\lambda } \mod n$ . The adversary only has success if the cancelling of $h_{1_{t}}$ and $h_{2_{t}}$ in (5) can be done in polynomial time, but this is considered an intractable problem. The adversary can also try to guess the value of $m_{i_{t}}$ and try to discover the values of $k_{1_{i}}$ and $k_{2_{i}}$ . Suppose that an adversary uses an intercepted encrypted measurement to disclose $k_{1_{i}}$ and $k_{2_{i}}$ , when the values $g$ , $n$ , $\lambda$ and $m_{i_{t}}$ are known by the adversary. Thus, this adversary can compute $$\begin{equation} \frac {L\left (\left (h_{1_{t}}^{k_{1_{i}}}h_{2_{t}}^{k_{2_{i}}}\right )^\lambda \mod n^{2}\right )}{L((h_{1_{t}}h_{2_{t}})^\lambda \mod n^{2})} \mod n. \end{equation}$$ View Source\begin{equation} \frac {L\left (\left (h_{1_{t}}^{k_{1_{i}}}h_{2_{t}}^{k_{2_{i}}}\right )^\lambda \mod n^{2}\right )}{L((h_{1_{t}}h_{2_{t}})^\lambda \mod n^{2})} \mod n. \end{equation} However, (6) does not return the values of $k_{1_{i}}$ and $k_{2_{i}}$ , since $k_{1_{i}}\neq k_{2_{i}}$ and $h_{1_{t}}\neq h_{2_{t}}$ .

If some adversaries try to use encrypted measurements from the same meter $i$ in different measurement rounds, e.g., $t=1$ and $t=2$ , then they may find $$\begin{equation} g^{m_{i_{1}}+m_{i_{2}}}h_{1_{1}}^{k_{1}}h_{2_{1}}^{k_{2}}h_{1_{2}}^{k_{1}}h_{2_{2}}^{k_{2}} \end{equation}$$ View Source\begin{equation} g^{m_{i_{1}}+m_{i_{2}}}h_{1_{1}}^{k_{1}}h_{2_{1}}^{k_{2}}h_{1_{2}}^{k_{1}}h_{2_{2}}^{k_{2}} \end{equation} or $$\begin{equation} g^{m_{i_{1}}-m_{i_{2}}}h_{1_{1}}^{k_{1}}h_{2_{1}}^{k_{2}}h_{1_{2}}^{-k_{1}}h_{2_{2}}^{-k_{2}} \end{equation}$$ View Source\begin{equation} g^{m_{i_{1}}-m_{i_{2}}}h_{1_{1}}^{k_{1}}h_{2_{1}}^{k_{2}}h_{1_{2}}^{-k_{1}}h_{2_{2}}^{-k_{2}} \end{equation} which again returns no information because the values generated by H are not cancelled, unless $h_{1_{1}}=h_{1_{2}}^{-1}$ and $h_{2_{1}}=h_{2_{2}}^{-1}$ in (7) or $h_{1_{1}}=h_{1_{2}}$ and $h_{2_{1}}=h_{2_{2}}$ in (8). However, this possibility is negligible because the values come from a secure hash function.

The adversary can collect the encrypted measurements from all meters in the same round $t$ and discover the consolidated consumption, if and only if the adversary has the private key of the supplier. However, it is also possible to collect all encrypted measurements from the same round and leave out the encrypted measurement from a meter $i$ , that is $$\begin{equation} g^{m_{1}+m_{2}+\cdots +m_{N}-m_{i}}h_{1_{t}}^{n-d_{1}-k_{1_{i}}}h_{2_{t}}^{n-d_{2}-k_{2_{i}}} \end{equation}$$ View Source\begin{equation} g^{m_{1}+m_{2}+\cdots +m_{N}-m_{i}}h_{1_{t}}^{n-d_{1}-k_{1_{i}}}h_{2_{t}}^{n-d_{2}-k_{2_{i}}} \end{equation} which again does not cancel $h_{1_{t}}$ and $h_{2_{t}}$ .

Considering $k_{1_{i}}\neq k_{2_{i}}$ and $h_{1_{t}} \neq h_{2_{t}}$ , (9) shows that an individual measurement cannot be decrypted by an adversary. Equation (5) shows that $k_{1_{i}}$ and $k_{2_{i}}$ cannot be recovered from an encrypted measurement. Equations (7) and (8) show that there is no relation between the rounds. Equation (9) shows that an adversary cannot decrypt partial measurements, i.e., only the consolidated measurement, if the private key of the supplier is known.

C. Security Analysis

If an adversary cannot decrypt an individual measurement with the knowledge of the private key of the supplier, it is much harder to decrypt a measurement without the key. In addition, if a meter $i$ sends a message containing its encrypted measurements and its signature, i.e., ${\mathsf {Enc}}(m_{i})|| {\mathsf {Sign}}_{i}$ , then any adversary can compromise the message. As meters are temper resistant or they have trusted modules by definition, then only the meter can sign its measurements. The signature Sign also avoids malleability and allows the supplier to detect failures. Moreover, the invoice can be verified, even without signature.

As only the consolidated consumption can be decrypted, the supplier might outsource the aggregation. An adversary cannot use malleability to change the consolidated consumption, i.e., an adversary cannot aggregate twice the same encrypted measurement $m_{i}$ , because it leads to $g^{m_{1}+m_{2}+\cdots +m_{N}+m_{i}}h_{1}^{n-d_{1}+k_{1_{i}}}h_{2}^{n-d_{2}+k_{2_{i}}}$ , which shows that the consolidated consumption plus $m_{i}$ are encrypted, because $h_{1_{t}}$ and $h_{2_{t}}$ are not cancelled.

To obtain $k_{1_{x}}$ of a meter $x$ , the adversary needs to know the sum of all other keys $\sum _{i\neq x} k_{1_{i}}$ and $n-d_{1}$ . Similar reasoning is valid for $k_{2_{x}}$ . However, given $k_{1_{i}}$ or $k_{2_{i}}$ an adversary can use (6) to discover $k_{2_{i}}$ or $k_{1_{i}}$ , respectively. Other security issues are the same as Paillier’s scheme.

An important question may arise: is an adversary able to solve the discrete logarithm modulo a composite? That is $h^{k} \!\!\!\mod n$ . In the following, we show that solving composite discrete logarithms implies integer factorization, which is an intractable problem for a classical computer [15]. We may realize that given $y$ , $h$ , $n$ , and $y\equiv h^{k} \mod n$ is infeasible to determine $k$ . Indeed, finding $k$ is the discrete logarithm problem. Thus, given $h$ and $h^{\varphi (n)}\equiv 1 \mod n$ , where $\varphi (n)=(p-1)(q-1)$ , determining $\varphi (n)$ is as infeasible as $k$ . If we could find efficiently the exponents, we could choose different values of $y$ to find $\varphi (n)$ . Since, $\varphi (n)=n-(p+q)+1$ , hence $p+q=n-\varphi (n)+1$ . However, if the sum and the product of $p$ and $q$ are given, then we can easily find the prime factors in an intersection of the curve $x\cdot y=n$ with the curve $x+y=p+q$ .

One can argue that an adversary can select special values to $p$ and $q$ in order for a posteriori easily to solve the discrete logarithm problem. Nevertheless, the meters can verify whether $n$ is a product of two safe primes or not [16]. Other argumentation is that $h$ might have low order, and, thus, an adversary can find an exponent smaller than $k$ that is congruent to $k$ . However, meters can verity if $h$ has a high order because $n$ is a product of safe primes.

D. Parameters and Performance

Secure parameters that keep a good performance depend on the best algorithms to solve the integer factorization problem and the discrete logarithm problem. The first may be solving with general number field sieve (GNFS) [17]. The second may be solving with brute force attack, or with some algorithm that depends on the factors of $n$ , or that depends on the size of the fields [18]. However, to find $k$ given $h$ , $n$ , and $h^{k}\! {\,\mod \,} n$ , the algorithms try to solve a discrete logarithm problem with subexponential time on $n$ like the GNFS. If $k$ is too small, a brute force attack is much more efficient, although its complexity is $2^{k}$ . To search for the exponent, one may use Pollard’s rho or Baby-step giant-step algorithm for logarithms that has complexity $\sqrt {2^{o}}$ [19], where $o$ is the bit length of the order of $h$ . If we stipulate a maximal bit length of $k$ as standard, then this value may be attributed to $o$ . In this case, the complexity is $2^{k/2}$ . Thus, we can compare the complexity to find the exponent with the complexity of integer factorization. As result, we have the best parameters for EPPP4SMS, and we can compare them with the Paillier’s scheme.

Asymptotically, the GNFS still has the best heuristic time: $\exp \,\left ((64/9)^{1/3+O(1)}\log (n)^{1/3}\log (\log (n))^{2/3}\right )$ . The value of $O(1)$ tends toward zero when the processing time becomes faster. Thus, we can calculate the relation $$\begin{equation} \exp \,\left (\left (64/9\right )^{1/3}\log (n)^{1/3}\log (\log (n))^{2/3}\right )=2^{k/2} \end{equation}$$ View Source\begin{equation} \exp \,\left (\left (64/9\right )^{1/3}\log (n)^{1/3}\log (\log (n))^{2/3}\right )=2^{k/2} \end{equation} between $n$ and $k$ , to keep the same level of security. We found the values of $n$ and $k$ from (10) and present them in Fig. 1 with $\lceil k \rceil =\min \,\{x\in \mathbb {Z}\mid x\ge k\}$ . They are close to twice the value of keys to symmetric algorithms and in the range for bit length of keys to algorithms based on elliptic curve cryptography (ECC) specified in the Federal Information Processing Standards Publications (FIPS 800-57 Part 1—Revision 3) by National Institute of Standards and Technology (NIST). The value 4096 does not appear in such FIPS.

Fig. 1.

Relation between the levels of security based on the bit length.

Show All

The most costly operation in Paillier’s scheme and in EPPP4SMS is the modular exponentiation, which is processed in $O(\log _{2}(e))$ , where $e$ is the bit length of the exponent [20]. Thus, reducing the bit length of the exponents is equivalent to speeding up the processing time. Paillier’s encryption needs to raise a random number to the power of $n=pq$ , and EPPP4SMS needs to raise hashes to the power of $k_{1}$ and $k_{2}$ , in the encryption function. Discounting $g^{m}$ that is equal in both protocols, Paillier’s scheme has complexity $O(\log _{2}(n))$ to encrypt when EPPP4SMS has $2O(\log _{2}(\lceil k \rceil ))$ . Therefore, we can see in Fig. 1 that EPPP4SMS is faster to encrypt, and the difference of processing time increases significantly when the level of security increases. Contrarily, Paillier’s scheme is faster to decrypt than EPPP4SMS. The former needs only one modular exponentiation with the size closer to $n$ , namely $\lambda$ . The latter needs three modular exponentiations, namely $d_{1}$ , $d_{2}$ and the same as the former. The length of the two additional exponents depends on the number of aggregated meters, but generally they are closer to the length of $n$ . For example, if $p$ and $q$ have 1024 bits each, then $n$ is chosen with 2048 bits, $k_{1}$ and $k_{2}$ are chosen with 234 bits each. Thus, $d_{1}$ has $2^{2048} -N 2^{234}$ bits, where $N$ is the total number of meters in the aggregation. Therefore, the aggregation should have $2^{1814}$ meters to $d_{1}$ and analogously $d_{2}$ be equal to zero. Thus, we can say that Paillier’s scheme has complexity $O(\log _{2}(n))$ to decrypt when EPPP4SMS has $3O(\log _{2}(n))$ . However, the decryption is as fast as $\log _{2}(d_{1} \mod n)$ and $\log _{2}(d_{2} \mod n)$ are close to zero. For huge number of meters, the decryption might become $O(\log _{2}(n))$ .

On one hand, EPPP4SMS is much faster to encrypt on the meter side that has many meters with constrained hardware. On the other hand, EPPP4SMS is around three times slower to decrypt on the supplier side; nonetheless, such decryption happens only once for every round.

A. Verification

We constructed a protocol that enables verification of measurements because machines might fail. Indeed, we detected in the dataset that two meters presented errors. They sent two measurements in the same round for six times. Moreover, the values of the reported measurements are different from each other in the same round. Thus, the problem was not only a duplicated message, and each of the two meters repeats the same error in six rounds. In total, we have 24 measurements in which at least 12 are certainly wrong, but we cannot verify from the dataset which one is correct or wrong. If the meters were running EPPP4SMS, we could verify. As we cannot verify or ask for new measurements, we decided to eliminate these 24 measurements.

We also detected some issues in the timestamp. The firsts 30 min are coded as 1 in the dataset, namely, the interval from 00:00:00 to 00:29:59 is coded as 1. The interval from 00:30:00 to 01:00:00 is coded as 2, and so on. As the day has 24 h, the time code of a normal day goes from 1 to 48. We also detected 25 002 messages with time code bigger than 48. The majority, i.e., 24 462 measurements were coded as 49 and 50. We detected that 12 568 and 11 874 messages are due to daylight saving time on last Sundays of October 25, 2009, and October 31, 2010. However, 20 measurements were coded as 49 and 50 on normal days. Moreover, we found 540 messages with time code from 51 to 95 that may be errors. No time code was coded as zero. Again, we cannot verify, thus we decide to erase the messages with errors and code time bigger than 48 from the dataset.

Although the total number of error seems to be big, it is small in relation to the total number of measurements. These failures in the collected data are very important to recall our attention to the fact that machines might fail and a real-world dataset guides us to develop protocols with verification.

B. Complementation and Privacy

To preserve privacy, every one of the 6435 meters in the set should report its consumption in every new round. If a meter did not send its consumption because the value is zero, an adversary can know when there is consumption or not.

After we eliminate the lines with problems in the dataset, we have 1 557 216 measurements reporting zero consumption. However, not all meters send their consumption in all rounds. For this reason, we complement the missing measurements with zero. In the total, we insert 7 578 840 new zeros, reaching a total of 9 136 056 zeros.

C. Implementation of the Core Algorithms

We implemented the source code for EPPP4SMS and Paillier’s scheme that is used in many protocols. Both implementations were written in C and compiled with GCC version 4.4.6 for GNU/Linux with Red Hat distribution. We also used the GNU multiple precision arithmetic library (GMP) to manipulate big numbers and the open multi processing (OpenMP) to parallelize the encryption.

The computer used was an Intel^® Xeon^®, CPU E5-2620 of 2.00 GHz, 12 recognized cores, and 70 Gigabytes of shared memory.

D. Simulation Parameters

After we sanitized the dataset, we have 6435 meters times 25 726 timestamps that gives us 165 546 810 measurements. While we should aggregate the measurements of 6435 meters per round, we decided to parallelize the encryption in 11 threads and leave the aggregation and decryption in one thread.

Since we used real-world data, we only needed to determine the primes, $g$ , and the exponents $k_{1_{1}},k_{1_{2}},\dots ,k_{1_{N}}$ and $k_{2_{1}},k_{2_{2}},\dots ,k_{2_{N}}$ that the other parameters are defined in the protocols. We used a pseudorandom number generator to select values with 174 bits for the exponents in EPPP4SMS and primes with 512 bits for both schemes; thus, $n$ has 1024 bits, which is equivalent to the level 1 of security in Fig. 1. Notice that level 1 provides the smallest difference in processing time between the protocols.

E. Simulation Results

We collected the processing time of the encryption, aggregation, and decryption. With their data and the programming language R, we present box plots of the observed processing time in Fig. 2.

Fig. 2.

Box plots of the processing time spent in parallelized encryption, aggregation, and decryption of the consolidated consumption.

Show All

As expected, EPPP4SMS is much faster in encryption than many protocols that use Paillier’s scheme. The simulation of EPPP4SMS ran in a mean time of 1284 ms, while the Paillier’s scheme ran in 3514 for encryption. The cost of the aggregation is equivalent in both protocols, namely, 35.08 against 36.88 ms on average. For decryption, Paillier’s scheme is around three times faster than EPPP4SMS. The mean time of the former was 13.47 ms, and for the latter was 4.71 ms. Nevertheless, the encryption should run on the meter with constrained resources and the decryption should run on the supplier side. Moreover, the benefit of around 2230 ms using 11 threads in the encryption is much bigger than the drawback of around 9 ms using 1 threads in the decryption.