A Multi-Authority Attribute-Based Signcryption Scheme with Efficient Revocation for Smart Grid Downlink Communication

04/25/2019
by   Ahmad Alsharif, et al.
0

In this paper, we propose a multi-authority attribute-based signcryption scheme with efficient revocation for smart grid downlink communications. In the proposed scheme, grid operators and electricity vendors can send multicast messages securely to different groups of consumers which is required in different applications such as firmware update distribution and sending direct load control messages. Our scheme can ensure the confidentiality and the integrity of the multicasted messages, allows consumers to authenticate the source of the multicasted messages, achieves and non-repudiation property, and allows prompt revocation, simultaneously which are required for the smart grid downlink communications. Our security analysis demonstrates that the proposed scheme can thwart various security threats to the smart grid. Our experiments conducted on an advanced metering infrastructure (AMI) testbed confirm that the proposed scheme has low computational overhead.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

06/04/2018

Privacy-preserving and Efficient Aggregation based on Blockchain for Power Grid Communications in Smart Communities

Intelligence is one of the most important aspects in the development of ...
08/26/2020

An Energy Efficient Authentication Scheme using Chebyshev Chaotic Map for Smart Grid Environment

As one of the important applications of Smart grid, charging between ele...
10/25/2018

Towards Delay-Tolerant Flexible Data Access Control for Smart Grid with Renewable Energy Resources

In the Smart Grid with Renewable Energy Resources (RERs), the Residentia...
10/25/2018

Achieving Efficient and Secure Data Acquisition for Cloud-supported Internet of Things in Smart Grid

Cloud-supported Internet of Things (Cloud-IoT) has been broadly deployed...
02/12/2019

Communication-efficient Certificate Revocation Management for Advanced Metering Infrastructure

Advanced Metering Infrastructure (AMI) forms a communication network for...
11/11/2019

A Routing and Link Scheduling Strategy for Smart Grid NAN Communications

As large scale deployment of smart devices in the power grid continues, ...
07/18/2019

OCC: A Smart Reply System for Efficient In-App Communications

Smart reply systems have been developed for various messaging platforms....
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

The smart grid (SG) is the next generation of the traditional power grid. It integrates information and communication technologies with traditional power grid to provide two-way communications between the grid’s major entities including grid operators, electricity vendors, and electricity consumers to ensure the efficient and reliable operation of the grid. One of the main components of the SG is the advanced metering infrastructure (AMI) networks which connect smart meters (SMs) installed at consumers’ houses to the grid operators and vendors.

Multi-authority AMI networks, which are deployed in most European countries and several states in the U.S., allow energy deregulation, i.e., electricity retailing through different electricity vendors [1, 2, 3]. Therefore, consumers not only can choose from a number of independent third party electricity vendors, but pricing options are also more plentiful due to the competition between these different vendors. Figure 1 shows the conceptual architecture a multi-authority AMI network [3]. As shown in the figure, data communication can be either uplink or downlink communication.

In the uplink data communication, data is sent by SMs to grid operators and vendors. This can allow the automated collection of metering data in which grid operators and vendors collect fine-grained power consumption data (PCD) at high rates, e.g., few minutes, for real-time grid monitoring, and energy distribution management. For example, fine-grained data analysis can be used for the reduction of the peak-to-average ratio which can help in preventing blackouts, failures to supply electricity [4, 5, 6]. Also, fine-grained PCD are needed for real-time price-based demand/response programs in which electricity prices vary depending on the supply-to-demand ratio especially during peak hours [7, 8].

On the other hand, in the downlink data communications, data is sent by grid operators or electricity vendors to a group of SMs. The downlink communication should ensure secure multicast for different applications. For example, sending firmware and configuration updates to a group of SMs in specific areas requires secure multicast [9, 10]. Also, in direct load control (DLC) demand/response programs, grid operators need to send DLC messages to a group of users, that subscribe to the same DLC demand/response plan, in order to turn off/on some specific load during peak/regular hours [11, 12]. Moreover, electricity vendors may send charging schedules to a group of users in selected areas to charge their electric vehicles or home batteries [13, 14]. Furthermore, electricity vendors may send energy trading requests to a group of users in selected areas that are subscribed to energy charging/discharging plans, asking for energy injection to the SG during peak hours [15, 16].

Fig. 1: Network model for SG downlink communications.

Extensive research has been conducted to study the security and privacy issues in AMI networks. However, most of the existing schemes address consumers’ privacy, data integrity and authenticity in uplink communication [17]. Few schemes have been proposed to study the security of the downlink communications in AMI networks. Moreover, the IEEE 802.11 protocol, which is the underlying protocol for AMI networks cannot be used for secure multicast communication efficiently and effectively [18]. Therefore, there is a need for a scheme that not only allows secure multicast communication, but also considers the unique characteristics of multi-authority AMI networks. Specifically, a good secure multicast scheme should ensure message confidentiality, i.e., the multicasted messages can be decrypted only by the intended users. In addition, the scheme should allow dynamic group memberships, i.e., members’ enrollment/revocation should be done efficiently and promptly since they can subscribe/unsubscribe to any plan with any vendor at any time. Moreover, users should be able to authenticate the senders of the multicasted messages. Furthermore, message non-repudiation property should be achieved.

In order to address the aforementioned challenges, we propose in this paper a multi-authority attribute-based signcryption scheme that can be used to secure SG downlink communications. We construct our scheme based on, but not limited to, the multi-authority attribute based encryption (MA-ABE) scheme proposed in [19]. To the best of our knowledge, this paper proposes the first fully decentralized multi-authority attribute based signcryption scheme that can ensure data confidentiality, sender authentication, and non-repudiation, and allow prompt attribute revocation, simultaneously.

The remainder of this paper is organized as follows. Related works are discussed in Section II. The considered system models and the design goals are presented in Section III. Preliminaries are given in Section IV. The proposed scheme is explained in Section V. The security analysis and performance evaluation are given in Sections VI and VII, respectively. Conclusions are drawn in Section VIII.

Ii Related Works

The SG downlink communication has been considered in several schemes [20, 21, 22]. However, these schemes consider only broadcast downlink communication and cannot support multicast communication. Several schemes have been proposed to ensure fine-grained access control and/or secure multicast for the SG communications [23, 24, 25]. In the ABE scheme proposed in [26], Liu et al. proposed a multi-authority access control scheme with attribute revocation for the SG [23]. In the proposed scheme, if a user’s attributes can satisfy the access policy associated with a ciphertext, this user can decrypt that ciphertext only after receiving a unique token from a central entity called third party auditor (TPA). Therefore, the proposed scheme [23] cannot support multicast communication efficiently since the TPA must send a unique token to each member in a multicast group using unicast communication, i.e., a unicast downlink communication is needed to decrypt any multicast message. In [24], Fadlullah et al. have proposed a secure multicast scheme for SG communications using the key-policy attribute-based encryption (KP-ABE) [27]. However, the scheme is limited to single attribute authority, i.e, a single authority controls all attributes. Also, it does not support sender authentication and non-repudiation. In [25], Hu et al. have proposed an attribute-based signcryption scheme to secure multicast communications in the SG. The scheme proposes a modification to CP-ABE [28] in order to achieve attribute-based encryption, data-origin authenticity and non-repudiation. However, the scheme is limited to single attribute authority and does not support attribute revocation.

Different from the above schemes, our scheme allows (1) multiple authorities to issue and control their own attributes; (2) data-origin authenticity and non-repudiation; and (3) prompt attribute revocation, simultaneously.

Iii System Models and Design Goals

Iii-a Network Model

The considered network model is shown in Figure 1. This model was used in [2, 3] to secure uplink smart grid communications. In this paper, we aim to secure the downlink communications. The network model has the following entities.

  • Distribution Network Operators (DNOs). We consider a set of DNO companies, . Each is licensed to distribute electricity in a particular geographic area . Each DNO manages and operates the distribution networks within its area.

  • Electricity Vendors. We consider a set of electricity vendor companies, . Each is responsible for supplying electricity to its users who may be located at different areas.

  • Users. We consider a set of users .

    Users can change from one vendor to another at any time. In addition, users can add, change, and remove plans offered by the same vendor at any time. An SM is installed at each user’s house that communicates with the DNOs and electricity vendors through a node called the data communication company (DCC).

  • Data Communication Company (DCC). It has the responsibility of delivering the downlink communications received from operators and vendors to users.

  • Networking Facilities. They form a hierarchical network structure to connect the DCC to SMs at users’ side through a WAN-GW, a NAN-GW, and a BAN-GW as shown in the figure.

Iii-B Threat Model

There exist an adversary that can eavesdrop all the transmitted messages. may try to decrypt the multicasted messages to revel any sensitive information sent to any group of users. Users also may try to breach data confidentiality, i.e, they may try to decrypt the multicasted messages intended to other groups of users. In addition, a malicious user may collude with other users or in order to decrypt a ciphertext that they can not decrypt individually. Moreover, may try to launch active attacks by injecting malicious messages to any group of users, e.g. sending malwares instead of firmware updates to have full control on their devices.

Iii-C Design Goals

Based on the aforementioned network and threat models, the following goals should be achieved.

  1. Secure multicast and data confidentiality. Only selected users by the grid operators or vendors should be able to decrypt the multicasted messages. Other users should be prevented from accessing these messages.

  2. Collusion resistance. Users that are not supposed to decrypt a ciphertext individually, should not be able to decrypt it even if they collude together by using their secret keys.

  3. Sender authentication and non-repudiation. Users should be able to authenticate the sender of the multicasted messages. Messages form should be detected and discarded. Also, non-repudiation property should be achieved.

  4. Prompt Revocation. Only valid, i.e. non-revoked, users should be able to decrypt the multicasted ciphertext. Revocation process should be done immediately without any delays.

Iv Preliminaries

Iv-a The Chinese Remainder Theorem

Let be pairwise relatively primes and let be arbitrary integers. The Chinese Remainder Theorem (CRT) states that the system of congruences has a unique solution modulo . The unique solution is given by

where and for .

Iv-B Multi-Authority Attribute-Based Encryption [19]

Let be the universe of the attributes, be the universe of the attribute authorities controlling the attributes, and be the universe of the global identities that identify users.

Iv-B1 Linear Secret Sharing and Access Policy

We use the same definition for linear secret sharing (LSS) and access policy as in [19] and [26]. Any monotonic boolean formula over can be represented as an access matrix as follows. Let be a prime. A secret-sharing scheme over a set of attributes is called linear (over ) if

  1. The shares of a secret

    for each attribute form a vector

    over .

  2. There exists a matrix called the share-generating matrix for . The matrix has rows and columns. For all , the row of is labeled by an attribute , where is a function that maps rows of to attributes from , i.e., . When we consider the column vector , where are randomly chosen, then is the vector of shares of the secret according to . The share belongs to the attribute .

As mentioned in [19, 26], each secret-sharing scheme should satisfy the following requirements:

  • A reconstruction requirement, i.e., each authorized set of attributes can reconstruct the secret.

  • A security requirement, i.e., other sets of attributes, unauthorized sets, cannot reveal any information about the secret.

For example, let S denote an authorized set of attributes and let I be the set of rows whose labels are in S. There exist constants such that for any valid shares of a secret according to , it is true that: , or equivalently , where is the row of . In Appendix A, we give an example of generating the access matrix, computing the vector of secret shares and the reconstruction coefficients from a boolean formula.

Iv-B2 Algorithms

The scheme in [19] consists of the following algorithms.

  • This algorithm takes a security parameter and outputs the public global parameters for the system. The global parameters (GP) includes , , , and which is a mapping function that maps each attribute in to a unique authority in , i.e., .

  • This algorithm generates a public/private key pair for each attribute authority .

  • This algorithm takes the global identity of a user , an attribute , the authority controlling the attribute , the secret key of the authority , and the global parameters GP. The algorithm outputs which is a secret key for the identity-attribute pair used for decryption.


  • This algorithm takes a message , an access policy , a set of public keys of the authorities controlling attributes in the access policy, and the global parameters GP. The algorithm outputs the ciphertext CT.


  • This algorithm takes the ciphertext CT, the set of secret keys of a single user with identity GID corresponding to different attributes, and the global parameters, and outputs if and only if the attribute set associated with can satisfy the access policy of the ciphertext, otherwise, decryption fails.

V The proposed scheme

In this section, we first provide the construction of our attribute-based signcryption scheme. Then, we discuss how the scheme can be applied to secure the SG downlink communications.

V-a Definitions

Let be the universe of attributes, be the universe of the attribute authorities controlling the attributes, be the universe of entities allowed to signcrypt messages, be the universe of identity attributes corresponding to signers, be the universe of the global identities that identifies users, and be pairwise relatively prime positive integers where each prime is assigned to a user with . Let and .

In addition, we use the same access structure as [19, 26] with an additional restriction. The access structure encoded as a monotonic boolean formula over and should be on the form “The signer identity attribute AND “any monotonic boolean formula over ”. Therefore, in order to designcrypt a signcryppted text, a user should do the following

  • Uses the verification key corresponding to the signer controlling the signer identity attribute .

  • Possess attributes satisfying the second part of the boolean formula.

Moreover, let be the set of users who holds an attribute . We refer to as the access list of the attribute . Let be the universe of access lists of the attributes defined in .

V-B Algorithms

Our scheme consists of the following eight algorithms.

  1. .
    This algorithm takes a security parameter and outputs the public global parameters for the system. The global parameters (GP) includes , , , and which is a mapping function that maps each element in to a unique element in , i.e., . More specifically, maps each element in to a unique element in and maps each element in to a unique element in .

  2. .
    This algorithm generates a private key for each entity . is used by a signer to add the signature component to the signcrypted text.

  3. .
    This algorithm generates a public/secret key pair for each attribute authority . is used during the signcryption process, whereas is used by the authority to generate users’ decryption keys.

  4. .
    This algorithms takes the global identity of a user , an attribute , the authority controlling the attribute , the secret key of the authority , and the global parameters. The algorithm outputs which is a decryption key for the identity-attribute pair.

  5. .

    This algorithms takes the global identity of a user , the signer identity attribute corresponding to the signer entity , the signer private key , and the global parameters. The algorithm outputs which is the key used by user with GID to verify the messages signcrypted by entity .

  6. This algorithm takes a message , an access structure , the signer private key , a set public keys of the attributes’ authorities in the access policy , and the global parameters GP and outputs the signcrypted text ST.

  7. This algorithm takes a signcrypted text ST including its access policy , the set of prime numbers , which is a set of access lists corresponding to the attributes defining , and the global parameters GP. The algorithm outputs the re-encrypted signcrypted text such that only users with valid attributes satisfying the access policy can perform designcryption.

  8. .
    This algorithm takes the re-encrypted signcrypted text , the verification key , the set of decryption keys of a single user with identity GID corresponding to its attributes, and the global parameters. The algorithm outputs the message if and only if the following three conditions are satisfied: (1) the message was signed by ; (2) the attribute set associated with can satisfy the access policy of the ciphertext, and (3) all the attribute set associated with are valid, i.e., none of them has not been revoked, otherwise, designcryption process fails.

V-C System Setup

Generation of Global Parameters. At the initial system setup phase, an offline trusted authority (TA) runs the algorithm. First, it defines the universe of the attributes , the universe of the attribute authorities , the universe of the signer entities , the universe of the signers’ identity attributes , the universe of the global identities , and the mapping function , where and . Then, it generates a bilinear pairing parameters where , are a multiplicative cyclic group of prime order , is a generator of , and . It also chooses two functions, and , that map the global identities and the attributes to elements in , respectively, i.e., , and . Finally, it publishes the global parameters GP as . Moreover, the TA generates the set of pairwise relatively prime positive integers and assigns to a user with .

Setup of Attribute Authorities. Each attribute authority runs the algorithm to generate its public/sectet key pair . The algorithm chooses two random exponents and publishes as the public key of authority , whereas the secret key is kept secret.

Private Key Generation. Each signer runs the algorithm to generate its private key that is used to add the signature component to the ciphertext. The algorithm chooses two random exponents as the private keys that are known only to .

V-D Users’ Key Generation

Key generation phase consists of two operations; (1) the generation of decryption keys which is executed by attribute authorities and (2) generation of verification keys which is executed by the signers.

Generation of Decryption Keys. Each attribute authority runs the algorithm to generate a decryption key for each identity-attribute pair, i.e., for user with identity GID holding an attribute . First, the algorithm chooses a random element . Then, it computes two components and . Finally, the algorithm outputs the decryption key as .

Generation of Verification Keys. Each signer runs the algorithm to generate a verification key for each user. First, the algorithm chooses a random element . Then, it computes and . Finally, it outputs the verification key as .

V-E Signcryption

When an signer wants to signcrypt a message , it defines the access matrix as explained in Appendix A. The boolean formula that should generate the access policy should be on the form “The signer identity attribute AND “any monotonic boolean formula over ”. It should be the case that , i.e., this signer identity attribute is controlled by the signer .

Then, the signcryptor runs the algorithm to generate the signcrypted text. The algorithm takes a message , an access policy with , the public keys of the relevant authorities, the private key , and the global parameters. Let be a mapping function that maps rows from the access policy to attribute authorities, i.e, defined as .

First, the algorithm creates vectors and where . For a secret , let represents the share corresponding to row and represents the share of a . In Appendix A, we explain how these shares can be computed. For each row of , the algorithm chooses a random and the signcrypted text is computed as

(1)

Note that, based on our definition to the boolen formula generating the access structure, there is only one row for which . Therefore, in order to correctly compute the components and , the signcryptor must have the knowledge of and . Since these two parameters are the private keys known only to entity , no other entity except can compute these components.

V-F Revocation

Before sending the signcrypted text to users, the algorithm is used to re-encrypt the signcrypted text such that only users with valid attributes can perform the designcryption process. For each access list corresponding to row in the access policy, the algorithm chooses a random key which is a group key for the members of and re-encrypts only one component of the signcrypted text to be . Only users with valid attribute should be able to recover and thus can perform designcryption. Therefore, for every user with valid attribute, i.e., for every , the algorithm computes where is the prime number corresponding to and is the XOR operation. Then, the algorithm computes the solution of the CRT congruence system modulo as

and attaches to re-encrypted signcrypted text as follows

(2)

is used to help the users with valid attributes to recover the secret and thus only this set of users can perform decryption as explained in the next subsection.

V-G Designcryption

If a user with identity GID has a set of valid attributes that can satisfy the access policy associated with the signcrypted text and has the verification key of the signer , then for each row corresponding to the attributes in , the user first recovers the group key as follows

(3)

This is true as the CRT states that and . It is clear that, since the solution of the CRT congruence is constructed using only the prime numbers of users with valid attributes, then only this set of users can reconstruct and can proceed with the designcryption process. Then, the user can recover from as . After that, the user computes

(4)

The correctness proof of Equation 4 is as follows.

(5)

Then, the user computes

(6)

The correctness proof of Equation 6 is as follows.

(7)

Finally, the user can recover the message as

(8)

V-H Using our scheme in multi-authority AMI networks

The aforementioned design goals can be achieved using our attribute-based signcryption scheme by mapping the multi-authority AMI network entities to our scheme as follows. The DNOs’ set and the vendors’ set are mapped to the universe of attribute authorities . This is because each DNO and vendor should be able to issue different attributes for their customers such as location attribute, electricity plan attribute, DLC membership attribute, etc. Also, the same sets are mapped to the universe of signer entities . This is because DNOs and vendors need to send authenticated multicast messages to their customers using signcryption. The users’ set is mapped to the universe of global identifiers . Upon registration, each user should receive its unique prime number , decryption keys and a verification key from the DNOs and vendors. In order to send a multicast message, a DNO or vendor should define the monotonic boolean relation under which a message is signcrypted and call the algorithm. Then, the signcrypted text is broadcasted to all users through the DCC and the hierarchal network structure. According to [2] and [3], the DCC is the entity that manages the supplier-users relationship, i.e., the DCC by default learns the set of attributes of each user, but it does not know their decryption keys. Therefore, the DCC is the entity that can run the algorithm to ensure that users with revoked attributes cannot decrypt the multicasted messages. Finally, upon receiving a multicast message, the user checks if his non-revoked attributes can satisfy the access policy, then he calls the algorithm to decrypt the message, otherwise, the message cannot be decrypted and should be discarded.

Vi Security Analysis

Vi-a Collusion Resistance

In collusion attack, several users may collude by combining their attributes to satisfy the access policy of a ciphertext and decrypt it, i.e., they combine their decryption keys to run the algorithm to decrypt a signcrypted text which they cannot decrypt individually. This attack cannot succeed in our scheme. During the designcryption process the shares of the “0”, values, are crucially engaged to the global identifier of the secret key of the user as in [19] and [26]. This is clear in Equation 7 where the term can be reduced to if and only if a single GID is used. Therefore, in case that two or more users collude and try to decrypt the same signcrypted text, the “0-shares” will result in a failed decryption, which can thwart collusion attacks.

Vi-B Signature Forgery Resistance and Non-repudiation

In forgery attack, an adversary may try to forge the singcryption of a signer . As discussed in subsection V-E, computing a valid signature of the signer requires the knowledge of and to correctly compute the components and . cannot obtain and from any verification key as this requires to split the three components and solve the discrete logarithmic problem (DLP) for each component which is infeasible. Therefore, our scheme can resist forging signatures and thus ensure sender authentication and message non-repudiation since entity is the only entity that can compute a valid signature.

Vii Performance Evaluation

Fig. 2: Signcryption time vs access policy size.

In this section, we compare our multi-authority attribute-based signcryption (MA-ABSC) scheme to the closest similar scheme in [25] which is a single-authority attribute-based signcryption scheme (ABSC). We implemented both schemes using Python charm cryptographic library [29]. Supersingular elliptic curve with the symmetric Type 1 pairing of size 512 bits (SS512 curve) is used for all pairing operations. All cryptographic operations were run 1,000 times and average measurements are reported. Typically, DNOs, vendors and the DCC have powerful computational resources. Therefore, in our experiments, they are implemented by a workstation with Intel Core i7-4765T 2.00 GHz and 8 GB RAM. The operations done by the DNOs and vendors are the signcryption processes, whereas the revocation process is executed by the DCC. On the other hand, to implement the resource-limited SMs, we used Tennessee Tech. University AMI testbed of 30 Raspberry-Pi 3 devices with an ARM Cortex-A53, 1.2 GHz processor and 1 GB RAM. The operation executed by the SMs is the designcryption.

Fig. 3: Deigncryption time vs access policy size.
Fig. 4: Revocation time vs number of users.

Figure 2 gives the signcryption time versus the access policy size used to signcrypt a message. As shown in the figure, our scheme has slightly higher signcryption time than the scheme in [25]. Figure 3 gives the designcryption time versus the number of attributes used during the designcryption process. As shown in the figure, the designcryption time is close to that of [25]. As compared to ABSC [25], the increased computation cost in the signcryption and designcryption processes are needed to allow multiple authorities to control their own attributes which cannot be achieved in [25] that allows only a single authority to control the whole attribute set.

Lastly, we plot in Figure 4 the revocation computation cost of our scheme as the number of users with valid attributes increases. ABSC [25] is not considered in this evaluation since it does not support attribute revocation. As shown in the figure, the revocation process adds an acceptable cost to our multicast scheme and the times are in the range of milliseconds. For instance, the revocation computation cost is only 0.34 second for a case in which the access list contains 250 users with valid attribute. To conclude, compared to the baseline attribute-based signcryption scheme in [25], our scheme achieves more features with acceptable additional computation cost.

Viii Conclusions

In this paper, we proposed an attribute-based signcryption scheme that can be used to secure SG downlink multicast communication. The proposed scheme can achieve data confidentiality, message source authentication, message non-repudiation, and immediate attribute revocation, simultaneously which are required for secure multicast communications. In addition, the scheme can resist collusion attacks in which several users collude to decrypt a ciphertext they cannot decrypt individually. Our security analysis confirms that the proposed scheme is secure and can achieve the aforementioned features. Our experiments conducted on the AMI testbed at Tennessee Tech. University confirms that the proposed scheme has low values of computational overheads which is required for resource-constrained SMs.

Appendix A Generating LSS Matrices from Monotonic Boolean Formulas

A monotonic boolean formula can be represented as a binary access tree in which interior nodes are AND and OR gates while the leaf nodes represent attributes. Figure 5 shows the access tree for the boolean formula where W, X, Y, and Z are the attributes.

AND

W

OR

X

AND

Y

Z
Fig. 5: Access Tree Example.

According to [26], the following algorithm can convert a monotonic boolean formula into an equivalent LSS matrix. First, a counter is initialized by one and the tree root node is labeled with a vector (a vector of length ). Then, each child node is labeled with a vector determined by the vector assigned to its parent node as follows. If the parent node is an OR gate labeled by the vector , then its children are labeled by (and the value of stays the same). If the parent node is an AND gate labeled by , first

is padded with zeros at the end (if necessary) to make it of length

. Then, one child node is labeled with the vector (where denotes appending a new element to vector ) and the other child node is labeled with the vector , where denotes a zero vector of length . Note that the summation of these two vectors is . Finally, is incremented by one. The process continues in a top-bottom manner until all the entire tree nodes are labeled. Once the entire tree is labeled, the vectors labeling the leaf nodes form the rows of the LSS matrix. If these vectors have different lengths, the shorter vectors are padded with zeros at the end.

For the tree shown in Figure 5, the root AND node is labeled (1), its left child, node (W) node, is labeled (1, 1) while its right child, node (OR), is labeled by . Then, both children of the OR node, nodes (X) and (AND), are labeled as their parent. Finally, the left child of the AND node, node (Y), is labeled while the right child, node (Z), is labeled . Figure 6 shows the fully labeled tree. The resulting LSS matrix after padding leaf nodes is

1

1,1

0,-1

0,-1

0,-1

0,-1,1

0,0,-1
Fig. 6: Access Tree with Labels.

To generate the secret shares, let a secret , construct the column vector where are random numbers, then compute the shares vector as

To reconstruct the secret, we recall . However, the aforementioned algorithm forces the reconstruction coefficients to have a value of one. This means that adding the secret shares corresponding to attributes validating the boolean formula can reconstruct the secret. For example (W AND X) can satisfy the boolean formula, therefore, adding the shares corresponding to W, which is , to the share corresponding to X, which is , can reconstruct the secret . The same applies to (W AND Y AND Z).

References

  • [1] Gregor Erbach, EPRS — European Parliamentary Research Service, “Understanding electricity markets in the EU,” http://www.europarl.europa.eu/thinktank/en/document.html?reference=EPRS_BRI(2016)593519, 2016, [Online; accessed Apr. 8, 2019].
  • [2] M. A. Mustafa, N. Zhang, G. Kalogridis, and Z. Fan,, “DEP2SA: A decentralized efficient privacy-preserving and selective aggregation scheme in advanced metering infrastructure,” IEEE Access, vol. 3, pp. 2828–2846, 2015.
  • [3] A. Alsharif, M. Nabil, M. Mahmoud, and M. Abdallah, “EPDA: Efficient and privacy-preserving data collection and access control scheme for multi-recipient AMI networks,” IEEE Access, vol. 7, pp. 27 829–27 845, 2019.
  • [4] E. J. Palacios-Garcia, E. Rodriguez-Diaz, A. Anvari-Moghaddam, M. Savaghebi, J. C. Vasquez, J. M. Guerrero, and A. Moreno-Munoz, “Using smart meters data for energy management operations and power quality monitoring in a microgrid,” Proceedings of the IEEE 26th International Symposium on Industrial Electronics (ISIE), pp. 1725–1731, June 2017.
  • [5] A. H. Mohsenian-Rad, V. W. Wong, J. Jatskevich, R. Schober, and A. Leon-Garcia, “Autonomous demand-side management based on game-theoretic energy consumption scheduling for the future smart grid,” IEEE Transactions on Smart Grid, vol. 1, no. 3, pp. 320–331, 2010.
  • [6] Constance Douris, “Balancing Smart Grid Data and Consumer Privacy,” http://www.lexingtoninstitute.org/wp-content/uploads/2017/07/Lexington_Smart_Grid_Data_Privacy-2017.pdf, 2017, [Online; accessed Apr. 8, 2019].
  • [7] A. Paverd, A. Martin, and I. Brown, “Security and privacy in smart grid demand response systems,” Proceedings of the International Workshop on Smart Grid Security, pp. 1–15, 2014.
  • [8] Y. Gong, Y. Cai, Y. Guo, and Y. Fang, “A privacy-preserving scheme for incentive-based demand response in the smart grid,” IEEE Transactions on Smart Grid, vol. 7, no. 3, pp. 1304–1313, 2016.
  • [9] M. Baza, M. Nabil, N. Lasla, K. Fidan, M. Mahmoud, and M. Abdallah, “Blockchain-based firmware update scheme tailored for autonomous vehicles,” arXiv preprint arXiv:1811.05905, 2018.
  • [10] S. Tonyali, K. Akkaya, N. Saputro, and X. Cheng, “An attribute & network coding-based secure multicast protocol for firmware updates in smart grid AMI networks,” Proceddings of the 26th International Conference on Computer Communication and Networks (ICCCN), pp. 1–9, 2017.
  • [11] A. Roy, H. Kim, N. Saxena, and R. R. Kandoori, “LTE multicast communication for demand response in smart grids,” Proceedings of the IEEE International Conference on Advanced Networks and Telecommuncations Systems (ANTS), pp. 1–6, 2014.
  • [12] N. Saxena and A. Roy, “Exploiting multicast in LTE networks for smart grids demand response,” Proceedings of the IEEE International Conference on Communications (ICC), pp. 3155–3160, 2015.
  • [13] M. Nabil, M. Bima, A. Alsharif, W. Johnson, S. Gunukula, M. Mahmoud, and M. Abdallah, “Priority-based and privacy-preserving electric vehicle dynamic charging system with divisible e-payment,” in Smart Cities Cybersecurity and Privacy.   Elsevier, 2019, pp. 165–186.
  • [14] M. Pazos-Revilla, A. Alsharif, S. Gunukula, T. N. Guo, M. Mahmoud, and X. Shen, “Secure and privacy-preserving physical-layer-assisted scheme for EV dynamic charging system,” IEEE Transactions on Vehicular Technology, vol. 67, no. 4, pp. 3304–3318, 2018.
  • [15] A. Sherif, M. Ismail, M. Pazos-Revilla, M. Mahmoud, K. Akkaya, E. Serpedin, and K. Qaraqe, “Privacy preserving power charging coordination scheme in the smart grid,” in Transportation and Power Grid in Smart Cities: Communication Networks and Services.   Wiley Online Library, 2018, pp. 555–576.
  • [16] M. Baza, M. Nabil, M. Ismail, M. Mahmoud, E. Serpedin, and M. Rahman, “Blockchain-based charging coordination mechanism for smart grid energy storage units,” arXiv preprint arXiv:1811.02001, 2018.
  • [17] M. R. Asghar, G. Dán, D. Miorandi, and I. Chlamtac, “Smart meter data privacy: A survey,” IEEE Communications Surveys & Tutorials, vol. 19, no. 4, pp. 2820–2835, 2017.
  • [18] S. Tonyali, K. Akkaya, and N. Saputro, “An attribute-based reliable multicast-over-broadcast protocol for firmware updates in smart meter networks,” Proceedings of the IEEE Infocom Computer Communications Workshops (INFOCOM WKSHPS),, pp. 97–102, 2017.
  • [19] Y. Rouselakis and B. Waters, “Efficient statically-secure large-universe multi-authority attribute-based encryption,” Proceedings of the International Conference on Financial Cryptography and Data Security, pp. 315–332, 2015.
  • [20] F. Ye, Y. Qian, and R. Q. Hu, “HIBaSS: hierarchical identity-based signature scheme for AMI downlink transmission,” Security and Communication Networks, vol. 8, no. 16, pp. 2901–2908, 2015.
  • [21] K. Alharbi and X. Lin, “Efficient and privacy-preserving smart grid downlink communication using identity based signcryption,” Proceddings of IEEE Global Communications Conference (GLOBECOM), 2016.
  • [22] M. I. Baza, M. M. Fouda, A. S. T. Eldien, and H. A. Mansour, “An efficient distributed approach for key management in microgrids,” Proceedings of the 11th International Computer Engineering Conference (ICENCO), pp. 19–24, 2015.
  • [23] D. Liu, H. Li, Y. Yang, and H. Yang, “Achieving multi-authority access control with efficient attribute revocation in smart grid,” Proceedings of the IEEE International Conference on Communications (ICC), pp. 634–639, 2014.
  • [24] Z. M. Fadlullah, N. Kato, R. Lu, X. Shen, and Y. Nozaki, “Toward secure targeted broadcast in smart grid,” IEEE Communications Magazine, vol. 50, no. 5, pp. 150–156, 2012.
  • [25] C. Hu, X. Cheng, Z. Tian, J. Yu, K. Akkaya, and L. Sun, “An attribute-based signcryption scheme to secure attribute-defined multicast communications,” Proceedings of the International Conference on Security and Privacy in Communication Systems, pp. 418–437, 2015.
  • [26] A. Lewko and B. Waters, “Decentralizing attribute-based encryption,” Proceedings of the Annual international conference on the theory and applications of cryptographic techniques, pp. 568–588, 2011.
  • [27] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” Proceedings of the 13th ACM conference on Computer and communications security, pp. 89–98, 2006.
  • [28] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” Procceings of the IEEE Symposium on Security and Privacy, (SP’07.), pp. 321–334, 2007.
  • [29] J. A. Akinyele, C. Garman, I. Miers, M. W. Pagano, M. Rushanan, M. Green, and A. D. Rubin, “Charm: a framework for rapidly prototyping cryptosystems,” Journal of Cryptographic Engineering, vol. 3, no. 2, pp. 111–128, 2013.