EPPA:
An Efficient and Privacy-Preserving Aggregation
Scheme for Secure Smart Grid Communications
Rongxing Lu, Xiaohui Liang, Xu Li, Xiaodong Lin, Xuemin (Sherman) Shen
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
VOL. 23, NO. 9, SEPTEMBER 2012
Presenter : 周新偉
Date:2014/10/27
1
Outline
• Intorduction
• Systrm Model,Security Requirement And Design Model
• Preliminaries
• EPPA Schmem
• Security Analysis
• Performance
• Conclusions
2
Outline
• Intorduction
• Systrm Model,Security Requirement And Design Model
• Preliminaries
• EPPA Schmem
• Security Analysis
• Performance
• Conclusions
3
Intorduction
4
Outline
• Intorduction
• Systrm Model,Security Requirement And Design Model
• Preliminaries
• EPPA Schmem
• Security Analysis
• Performance
• Conclusions
5
System Model
6
Security Requirements
• Confidentiality
• Authentication and Data Integrity
7
Design Goal
• The secure requirement should be guaranteed in the proposed
scheme
• The communication effectiveness should be achieved in the proposed
scheme
8
Outline
• Intorduction
• Systrm Model,Security Requirement And Design Model
• Preliminaries
• EPPA Schmem
• Security Analysis
• Performance
• Conclusions
9
Preliminaries
Bilinear Pairing
ℊen(κ) = (q,P,𝔾, 𝔾T,e)
Computational Diffie-Hellman(CDH) Problem
Bilinear Diffie-Hellman(BDH) Problem
Decisional BDH(DBDH) Problem
10
Preliminaries-----Paillier Cryptosystem(1/3)
Key Generation
security parameter κ1
large prime p1 , q1
| p1|=|q1|=|κ1|
RSA modulus : n=p1 * q1
λ=lcm(p1-1, q1-1)
L(u)=(u-1)/n
μ=(L(gλmodn2))-1 mod n
Public key pk = (n,g)
Privite key sk = (λ, μ)
11
Preliminaries-----Paillier Crypyosystem(2/3)
Encryption
message m ∈ ℤ𝑛
random number r ∈ ℤ𝑛∗
ciphertext c=E(m)=gm*rn mod n2
12
Preliminaries-----Paillier Crypyosystem(3/3)
Decryption
ciphertext c ∈ ℤ∗𝑛2
2
λ
𝑚𝑜𝑑
𝑛
m=D(c)=L(𝑐
) *μ mod n
13
Outline
• Introduction
• System Model, Security Requirement And Design Model
• Preliminaries
• EPPA Scheme
• Security Analysis
• Performance
• Conclusions
14
EPPA Scheme---System Initialization(1/3)
Security parameters κ, κ1
ℊen(κ) = (q,P,𝔾, 𝔾T,e)
Calculate public key pk = (n,g) //n=p1q1
privite key sk = (λ, μ)
Electricity usage data (T1 ,T2 ,…,Tl )
Superincreasing sequence a = (a1 =1,a2 ,…,al)
//a2,…,al are large prime
gi=gai , for i=1,2,…,l
15
EPPA Scheme---System Initialization(2/3)
2 random element Q1,Q2 ∈𝔾
2 random number α, 𝑥∈ ℤ𝑞∗
Computes e(P,P) α , Y=𝑥P
2 secure cryptographic hash function H,H1
H : {0,1}*
𝔾
H1: {0,1}* ℤ𝑞∗
16
EPPA Scheme---System Initialization(3/3)
Keep Master keys (λ, μ , 𝑎, α, 𝑥) security
While when a HAN user Ui ∈ U of the RA joins in the system , Ui
choose a random number 𝑥 i ∈ ℤ𝑞∗ as the private key ,and compute the
corresponding public key Yi=𝑥 iP
17
EPPA Scheme---User Report Generation
Step 1. choose a random number r∈ℤ𝑛∗ and compute
Step 2. use private key 𝑥i to make sinature
Step 3.
report encrypted electricity usage data Ci ∥ 𝑅𝐴 ∥ 𝑈𝑖 ∥ 𝑇𝑆 ∥ σ𝑖
to local GW in the RA
18
EPPA Scheme---Privacy-Preserving Report Aggregation
After receiving Ci ∥ 𝑅𝐴 ∥ 𝑈𝑖 ∥ 𝑇𝑆 ∥ σ𝑖 for i = 1,2,…,w
Local GW check TS & σ𝑖 if
hold?
Hold, the signature is accept . In order to make verification efficiently
GW perform as
The time-consuming pairing operation can be reduce from 2w to w+1 time.
19
EPPA Scheme---Privacy-Preserving Report Aggregation
After validity checking, the following steps for privacy-preserving report
aggregation :
20
EPPA Scheme---Secure Report Reading And Response(1/6)
After receiving C∥ 𝑅𝐴 ∥ 𝑈 ∥ 𝑇𝑆 ∥ σ𝑔 ,
OA check
C is implicitly formed by
21
EPPA Scheme---Secure Report Reading And Response(2/6)
Taking
And
the report C=gMRn mod n2 is still ciphertext for
Paillier Cryptosystem
OA use master key to recover M
22
EPPA Scheme---Secure Report Reading And Response(3/6)
By invoking algorithm 1,OA can recover and store the aggregated data
23
EPPA Scheme---Secure Report Reading And Response(4/6)
Correctness of algorithm 1,assume Xl=M
Since any type of data is less than d,
24
EPPA Scheme---Secure Report Reading And Response(5/6)
With the same procedure, we can also prove each
Dj= 𝑤
𝑖=1 𝑑𝑖𝑗 ,for j = 1,2,…,l-1.
After analyzing the near real-time electricity usage data,OA send a message m∈𝔾T to
inform user in RA
step1. OA first choose a random number s ∈ ℤ∗ ,
𝑞
and compute C=(C1,C2,C3,C4),where
Then OA make signature σ =𝑥H(C ∥ 𝑅𝐴 ∥ 𝑂𝐴 ∥ 𝑇𝑆 ) ,
and send back C ∥ σ to local GW at RA
25
EPPA Scheme---Secure Report Reading And Response(6/6)
step2. upon receivingC ∥ σ GW check
e(P, σ)=e(Y,H(C ∥ 𝑅𝐴 ∥ 𝑂𝐴 ∥ 𝑇𝑆 ) )
if hold,GW broadcast C in RA
step3. authorized key
aki =(αP+ti1 Y,ti1 P, ti2 P, ti1 Q1+ti2 Q2)
to recover m form C :
26
Outline
• Intorduction
• Systrm Model,Security Requirement And Design Model
• Preliminaries
• EPPA Schmem
• Security Analysis
• Performance
• Conclusions
27
Security Analysis(1/2)
User’s data (di1,di2,…,dil) sensed by smart meters are formed as
C =g di1 ∙ g𝑑𝑖2 ∙,…,g𝑑𝑖𝑙 ∙ 𝑟 𝑛 mod n2 ,
i
1
2
𝑙
𝑖
which can be express as
Since Paillier Crytosystem is semantic secure against the chosen
plaintext attack . Thus the data is secure and privacy-preserving.
28
Security Analysis(2/2)
After GW collect all report C1,C2,…,Cw from residential user ,
GW compute C=
𝑤
2 to perform report aggregation.
C
mod
n
𝑖=1 i
After receiving C from GW, the OA recover C as (𝐷1, 𝐷2, … , 𝐷l),and store
the entry in the database.
Dj=
𝑤
𝑗=1 𝑑𝑖𝑗
29
Outline
• Intorduction
• Systrm Model,Security Requirement And Design Model
• Preliminaries
• EPPA Schmem
• Security Analysis
• Performance
• Conclusions
30
Performance(1/3)
31
Performance(1/3)
32
Performance(2/3)
33
Performance(3/3)
34
Outline
• Intorduction
• Systrm Model,Security Requirement And Design Model
• Preliminaries
• EPPA Schmem
• Security Analysis
• Performance
• Conclusions
35
Conclusions
In this paper, we have proposed an efficient and privacypreserving aggregation scheme for
secure smart grid communications. It realizes a multidimensional data aggregation
approach based on the homomorphic Paillier cryptosystem.
Compared with the traditional one-dimensional data aggregation methods, EPPA can
significantly reduce computational cost and significantly improve communication efficiency,
satisfying the real-time high-frequency data collection requirements in smart grid
communications.
We have also provided security analysis to demonstrate its security strength and privacypreserving ability, and performance analysis to show the efficiency improvement.
For the future work, we will study the possible behavior by internal attackers and extend
the EPPA scheme to effectively resist such attacks.
36
心得
37
Thanks for your listening
38