Privacy-enhanced architecture for smart metering

Abstract

The recent deployment of smart grids promises to bring numerous advantages in terms of energy consumption reduction in both homes and businesses. A more transparent and instantaneous measurement of electricity consumption through smart meters utilization leads to an enhancement in the ability of monitoring, controlling and predicting energy usage. Nevertheless, it also has associated drawbacks related to the privacy of customers, since such management might reveal their personal habits, which electrical appliances they are using at each moment, whether they are at home or not, etc. In this work, we present a privacy-enhanced architecture for smart metering aimed at tackling this threat by means of encrypting individual measurements while allowing the electricity supplier to access the aggregation of the corresponding decrypted values.

Appendix A: Attacker success probability

To compute an attacker’s success probability if a number of smart meters are compromised (as described in Sect. 4.5), we derive a recursive solution. In the sense of the SMPB game definition, the attacker is successful if the attacker gets information from at least one honest (non-compromised) smart meter. This requires a configuration where, at least at one position in the ring, an honest smart meter’s predecessor and successor are both compromised. The attacker compromises \(a\) out of \(n\) nodes at random positions in the ring. To simplify notation, we use the abbreviations \(H\) for an honest smart meter and \(C\) for a compromised one.

We count the number of node configurations in which the attacker is not successful, that is, the sequence \(CHC\) never occurs. Such a configuration will be referred to as secure configuration. As a starting point, we use smart meters arranged on a line segment; we will introduce a correction term in the next step.

1.1 A.1 Line segment configurations

Consider \(n\) smart meters arranged on a line segment. We append this line segment to a prefix of two nodes, that is, we consider \(n+2\) nodes. Let \(h(n,a,HH)\) be the number of secure configurations where the prefix consists of two honest nodes \((HH)\), and there are \(a\) compromised nodes in the original line segment. To compute \(h(n,a,HH)\), we narrow the considered window, looking at the \(n-1\) rightmost nodes and, again, a prefix of length 2. As the new prefix uses the old prefix’s right node, the two possible prefixes are \(HC\) or \(HH\). The number of compromised nodes in the new line segment is \(a-1\) or \(a\), respectively. Therefore, \(h(n,a,HH) = h(n-1,a,HH) + h(n-1,a-1,HC)\). For \(h(n,a,CC)\), an analogous construction can be used (and the same one for \(h(n,a,HC)\)). Finally, for \(h(n,a,CH)\), we only get secure configurations if the leftmost node in the line segment is honest. When doing the recursive step, the new prefix can only be \(HH\), so \(h(n,a,CH) = h(n-1,a,HH)\).

In summary, we get

$$\begin{aligned} h(n,a,HC)&= h(n-1,a,CH) + h(n-1,a-1,CC)\\ h(n,a,CC)&= h(n-1,a,CH) + h(n-1,a-1,CC)\\ h(n,a,CH)&= h(n-1,a,HH)\\ h(n,a,HH)&= h(n-1,a,HH) + h(n-1,a-1,HC) \end{aligned}$$

Given the identity of \(h(n,a,HC)\) and \(h(n,a,CC)\) and performing a substitution in the second equation, we get a simplified set of equations:

$$\begin{aligned} \begin{array}{l} h(n,a,CC) = h(n-2,a,HH) + h(n-1,a-1,CC)\\ h(n,a,HH) = h(n-1,a,HH) + h(n-1,a-1,CC)\\ \end{array} \end{aligned}$$

Note that the prefix plays a role when applying the recursion; however, the prefix \(HH\) has no impact on the number of secure configurations (for insecure configurations, an honest node must be between two compromised nodes; the prefix \(HH\) has no impact on whether or not this can happen). Therefore, \(h(n,a,HH)\) is the number of secure configurations in a line segment of length \(n\) we are looking for.

To further simplify the presentation, we define \(f(n,a)=h(n,a,CC)\) and \(g(n,a)=h(n,a,HH)\) and re-arrange the equations above. This results in

$$\begin{aligned} \begin{array}{l} f(n,a) = f(n-1,a-1) + g(n-2,a)\\ g(n,a) = f(n-1,a-1) + g(n-1,a)\\ \end{array} \end{aligned}$$

With this, we have found a simple recursive presentation of function \(g(n,a)\), which represents the number of secure configurations on a line segment. Some simple considerations make it possible to terminate the recursion:

• \(f(k,k) \!=\! g(k,k) \!=\! 1\) for all valid \(k\), as there is only one possible configuration (independent of the prefix) if all nodes are attackers. This configuration is considered “secure”, as no information from honest nodes is revealed.

• \(f(k,0) = g(k,0) = 1\) for all valid \(k\). With no attackers present, there is also only one possible configuration, independent of the prefix.

• \(f(k+1,k) = 1\) for all valid \(k\). In this case, only one node is present that is not compromised. Due to the \(CC\) prefix, the leftmost position of this node does not lead to a secure configuration—only the rightmost one does, so once again, only one configuration is possible.

1.2 A.2 Ring configurations

There are configurations in which the attacker does not succeed in the line segment configuration, but does so in the ring configuration. Consider the example \(HCHHC\). In this line segment, no honest node’s readings are revealed. However, if the first and the last node are connected to yield a ring structure, an insecure configuration is reached. We therefore have to subtract all configurations that become insecure by creating the ring structure from our result above.

There are two patterns that lead to an insecure configuration in the ring structure despite a secure configuration in the line segment: Either the two leftmost nodes are \(HC\) and the rightmost one is \(C\), or the two rightmost nodes are \(CH\), and the leftmost one is \(C\). For symmetry reasons, considering one of the two is sufficient. We therefore compute the number of secure line segment configurations with the leftmost node \(C\) and the rightmost nodes \(CH\).

As a first step, we count all secure configurations of length \(n\), with \(a\) compromised nodes, having \(C\) as the leftmost node. This can be expressed as the number of secure configurations of length \(n-1\), with \(a-1\) compromised nodes, having the prefix \(CC\) (the additional compromised node in the prefix does not change anything). We have defined this above as \(f(n-1,a-1)\).

From that result, we can subtract the number of secure configurations of length \(n\), with \(a\) compromised nodes, having \(C\) as the leftmost node and not having \(CH\) as the two rightmost nodes. We do so by constructing a modified version \(f^{\prime }(\cdot )\) of function \(f(\cdot )\) as above. Just like \(f(\cdot ),\,f^{\prime }(\cdot )\) counts the number of secure line segment configurations with prefix \(CC\); the modification makes sure we do not count the configuration \(CH\) as the two rightmost nodes. All we have to change from the construction above are two conditions:

• \(f^{\prime }(k+1,k) = 0\) for all valid \(k\): All nodes, except one, are compromised. Previously, that node could take only the rightmost position to achieve a secure configuration; this position is now excluded by definition.

• As a special case, \(f^{\prime }(1,0) = 0\). The prefix \(CC\), which exists due to definition of the function, also leads to the only possible configuration \(CH\) at the rightmost position; this, too, is excluded by the definition of \(f^{\prime }\).

Summarized, we get the number of secure configurations in the ring configuration as:

$$\begin{aligned} c(n,a) = g(n,a) - 2(f(n-1,a-1) - f^{\prime }(n-1,a-1)) \end{aligned}$$

where \(f(\cdot ), g(\cdot )\) are defined as above and \(f^{\prime }(\cdot ), g^{\prime }(\cdot )\) are given below:

$$\begin{aligned} f^{\prime }(n,a)&= f^{\prime }(n-1,a-1) + g^{\prime }(n-2,a)\\ g^{\prime }(n,a)&= f^{\prime }(n-1,a-1) + g^{\prime }(n-1,a)\\ f^{\prime }(k,k)&= g^{\prime }(k,k) = 1\\ f^{\prime }(1,0)&= f^{\prime }(k+1,k) = 0\\ f^{\prime }(k,0)&= 1, k \ge 2\\ g^{\prime }(k,0)&= 0. \end{aligned}$$