Skip to main content

Privacy-enhanced architecture for smart metering


The recent deployment of smart grids promises to bring numerous advantages in terms of energy consumption reduction in both homes and businesses. A more transparent and instantaneous measurement of electricity consumption through smart meters utilization leads to an enhancement in the ability of monitoring, controlling and predicting energy usage. Nevertheless, it also has associated drawbacks related to the privacy of customers, since such management might reveal their personal habits, which electrical appliances they are using at each moment, whether they are at home or not, etc. In this work, we present a privacy-enhanced architecture for smart metering aimed at tackling this threat by means of encrypting individual measurements while allowing the electricity supplier to access the aggregation of the corresponding decrypted values.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4


  1. Note that control is somewhat limited; the ES can send updated price information or control commands to a specific smart meter, but does not know the current electricity consumption measured by that device. However, it would be possible to broadcast messages containing conditional instructions to be evaluated by the smart meters themselves.

  2. Note that the actual formation, updating and maintenance of such ring is out of scope of this paper.

  3. For \(n = 1\), no privacy can be achieved. Therefore, we assume that the smart metering architecture is composed of at least two smart meters.

  4. Smart meters may report the same energy measurement at multiple periods, for example, during the night when the energy consumption remains nearly constant.

  5. The period parameter \(j\) can be seen as a nonce to compute the new key from the old one.


  1. Wood, G., Newborough, M.: Dynamic energy-consumption indicators for domestic appliances: Environment, behaviour and design. Energy Build. 35(8), 821–841 (2003). doi:10.1016/S0378-7788(02)00241-4

    Article  Google Scholar 

  2. Cheng, S.-T., Wang, C.-H.: An adaptive scenario-based reasoning system across smart houses. Wirel. Pers. Commun. 64(2), 287–304 (2012). doi:10.1007/s11277-010-0199-x

    Article  Google Scholar 

  3. Bañares Hernández, S.: Smart grid for electricity efficiency. In: Workshop On ICT For Innovation and Economy Recovery. University of Murcia (Spain) (2010)

  4. Wood, G., Newborough, M.: Dynamic energy-consumption indicators for domestic appliances: Environment, behaviour and design. Elsevier Energy Build. 35(8), 821–841 (2003)

    Article  Google Scholar 

  5. McDaniel, P., McLaughlin, S.: Security and privacy challenges in the smart grid. IEEE Secur. Priv. 7, 75–77 (2009)

    Google Scholar 

  6. Cavoukian, A., Polonetsky, J., Wolf, C.: SmartPrivacy for the smart grid: Embedding privacy into the design of electricity conservation. Identity Inf. Soc. 3(2), 275–294 (2010)

    Article  Google Scholar 

  7. Rivest, R., Adleman, L., Dertouzos, M.: Foundations of Secure Computation. Academic Press, pp. 169–177. Ch. On data banks and privacy homomorphisms (1978)

  8. Armknecht, F., Westhoff, D., Girao, J., Hessler, A.: A lifetime-optimized end-to-end encryption scheme for sensor networks allowing in-network processing. Comput. Commun. 31(4), 734–749 (2008)

    Article  Google Scholar 

  9. Mykletun, E., Girao, J., Westhoff, D.: Public key based cryptoschemes for data concealment in wireless sensor networks. In: IEEE International Conference on Communications, ICC2006. Istanbul, Turkey (2006)

  10. García, F.D., Jacobs, B.: Privacy-friendly energy-metering via homomorphic encryption. In: 6th Workshop on Security and Trust Management (STM 2010) (2010)

  11. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Proceedings of EUROCRYPT’99, pp. 223–238 (1999)

  12. Li, F., Luo, B., Liu, P.: Secure information aggregation for smart grids using homomorphic encryption. In: First IEEE International Conference on Smart Grid Communications. IEEE Communications Society, Gaithersburg, USA, pp. 327–332 (2010)

  13. Finster, S., Conrad, M.: Privacy-aware realtime smart metering. In: VDE Kongress 2010—E-Mobility: Technologien-Infrastruktur-Märkte (2010)

  14. Petrlic, R.: A privacy-preserving concept for smart grids. In: Sicherheit in vernetzten Systemen: 18. DFN Workshop. Books on Demand GmbH, pp. B1–B14 (2010)

  15. Lim, H.W., Paterson, K.G.: Identity-based cryptography for grid security. Int. J. Inf. Secur. 10(1), 15–32 (2011)

    Google Scholar 

  16. Bohli, J.-M., Sorge, C., Ugus, O.: A privacy model for smart metering. In:IEEE International Conference on Communications (2010)

  17. McLaughlin, S., McDaniel, P., Aiello, W.: Protecting consumer privacy from electric load monitoring. In: Proceedings of the 18th ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, pp. 87–98 (2011)

  18. Rial, A., Danezis, G.: Privacy-preserving smart metering. In: Proceedings of the 10th Annual ACM Workshop on Privacy in the Electronic Society, WPES ’11. ACM, New York, NY, USA, pp. 49–60 (2011)

  19. Gómez Mármol, F., Sorge, C., Ugus, O., Martínez Pérez, G.: Do not snoop my habits. Preserving privacy in the smart grid. IEEE Commun. Mag. 50(5), 166–172 (2012)

    Article  Google Scholar 

  20. Minami, K., Lee, A.J., Winslett, M., Borisov, N.: Secure aggregation in a publish-subscribe system. In: WPES ’08: Proceedings of the 7th ACM Workshop on Privacy in the Electronic, Society, pp. 95–104 (2008)

  21. Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard) (Aug. 2008).

  22. Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Advances in Cryptology CRYPTO’04, pp. 56–72 (2004)

  23. Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology, pp. 255–270 (2000)

  24. Zsolt Berta, I., Buttyan, L., Vajda, I.: A framework for the revocation of unintended digital signatures initiated by malicious terminals. IEEE Trans. Dependable Secur. Comput. 2, 268–272 (2005)

    Google Scholar 

  25. Fonseca, E., Festag, A., Baldessari, R., Aguiar, R.L.: Support of anonymity in vanets-putting pseudonymity into practice. In: Wireless Communications and Networking Conference 2007. WCNC 2007. IEEE. pp. 3400–3405 (2007) doi:10.1109/WCNC.2007.625

  26. Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: Proceedings of the 13th Conference on USENIX Security Symposium, vol. 13, SSYM’04. pp. 21–21 (2004)

  27. Peter, S., Westhoff, D., Castelluccia, C.: A survey on the encryption of convergecast-traffic with in-network processing. IEEE Trans. Dependable Secur. Comput. 4, 20–34 (2010). doi:10.1109/TDSC.2008.23

    Article  Google Scholar 

  28. Castelluccia, C., Mykletun, E., Tsudik, G.: Efficient aggregation of encrypted data in wireless sensor networks. In: The Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services, pp. 109–117 (2005)

  29. Sirivianos, M., Westhoff, D., Armknecht, F., Girao, J.: Non-manipulable aggregator node election protocols for wireless sensor networks. In: Proceedings of the International Symposium on Modeling and Optimization in Mobile. Ad Hoc, and Wireless Networks (WiOpt) (2007)

  30. Rebollo-Monedero, D., Forné, J., Solanas, A., Martínez-Ballesté, A.: Private location-based information retrieval through user collaboration. Comput. Commun. 33(6), 762–774 (2010). doi:10.1016/j.comcom.2009.11.024

    Google Scholar 

Download references


The work presented in this paper was partially supported by the BMWI within the project SmartPowerHamburg. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements of the SmartPowerHamburg project. Thanks also to the Funding Program for Research Groups of Excellence granted as well by the Séneca Foundation with code 04552/GERM/06. Finally, the authors thank Daniel Kuntze, Peter Günther and Santiago Pina for their support in determining the number of secure configurations presented in Sect. 4.5 and “Appendix A”.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Félix Gómez Mármol.

Electronic supplementary material

Below is the link to the electronic supplementary material.

ESM 1 (PDF 373 kb)

Appendix A: Attacker success probability

Appendix A: Attacker success probability

To compute an attacker’s success probability if a number of smart meters are compromised (as described in Sect. 4.5), we derive a recursive solution. In the sense of the SMPB game definition, the attacker is successful if the attacker gets information from at least one honest (non-compromised) smart meter. This requires a configuration where, at least at one position in the ring, an honest smart meter’s predecessor and successor are both compromised. The attacker compromises \(a\) out of \(n\) nodes at random positions in the ring. To simplify notation, we use the abbreviations \(H\) for an honest smart meter and \(C\) for a compromised one.

We count the number of node configurations in which the attacker is not successful, that is, the sequence \(CHC\) never occurs. Such a configuration will be referred to as secure configuration. As a starting point, we use smart meters arranged on a line segment; we will introduce a correction term in the next step.

1.1 A.1 Line segment configurations

Consider \(n\) smart meters arranged on a line segment. We append this line segment to a prefix of two nodes, that is, we consider \(n+2\) nodes. Let \(h(n,a,HH)\) be the number of secure configurations where the prefix consists of two honest nodes \((HH)\), and there are \(a\) compromised nodes in the original line segment. To compute \(h(n,a,HH)\), we narrow the considered window, looking at the \(n-1\) rightmost nodes and, again, a prefix of length 2. As the new prefix uses the old prefix’s right node, the two possible prefixes are \(HC\) or \(HH\). The number of compromised nodes in the new line segment is \(a-1\) or \(a\), respectively. Therefore, \(h(n,a,HH) = h(n-1,a,HH) + h(n-1,a-1,HC)\). For \(h(n,a,CC)\), an analogous construction can be used (and the same one for \(h(n,a,HC)\)). Finally, for \(h(n,a,CH)\), we only get secure configurations if the leftmost node in the line segment is honest. When doing the recursive step, the new prefix can only be \(HH\), so \(h(n,a,CH) = h(n-1,a,HH)\).

In summary, we get

$$\begin{aligned} h(n,a,HC)&= h(n-1,a,CH) + h(n-1,a-1,CC)\\ h(n,a,CC)&= h(n-1,a,CH) + h(n-1,a-1,CC)\\ h(n,a,CH)&= h(n-1,a,HH)\\ h(n,a,HH)&= h(n-1,a,HH) + h(n-1,a-1,HC) \end{aligned}$$

Given the identity of \(h(n,a,HC)\) and \(h(n,a,CC)\) and performing a substitution in the second equation, we get a simplified set of equations:

$$\begin{aligned} \begin{array}{l} h(n,a,CC) = h(n-2,a,HH) + h(n-1,a-1,CC)\\ h(n,a,HH) = h(n-1,a,HH) + h(n-1,a-1,CC)\\ \end{array} \end{aligned}$$

Note that the prefix plays a role when applying the recursion; however, the prefix \(HH\) has no impact on the number of secure configurations (for insecure configurations, an honest node must be between two compromised nodes; the prefix \(HH\) has no impact on whether or not this can happen). Therefore, \(h(n,a,HH)\) is the number of secure configurations in a line segment of length \(n\) we are looking for.

To further simplify the presentation, we define \(f(n,a)=h(n,a,CC)\) and \(g(n,a)=h(n,a,HH)\) and re-arrange the equations above. This results in

$$\begin{aligned} \begin{array}{l} f(n,a) = f(n-1,a-1) + g(n-2,a)\\ g(n,a) = f(n-1,a-1) + g(n-1,a)\\ \end{array} \end{aligned}$$

With this, we have found a simple recursive presentation of function \(g(n,a)\), which represents the number of secure configurations on a line segment. Some simple considerations make it possible to terminate the recursion:

  • \(f(k,k) \!=\! g(k,k) \!=\! 1\) for all valid \(k\), as there is only one possible configuration (independent of the prefix) if all nodes are attackers. This configuration is considered “secure”, as no information from honest nodes is revealed.

  • \(f(k,0) = g(k,0) = 1\) for all valid \(k\). With no attackers present, there is also only one possible configuration, independent of the prefix.

  • \(f(k+1,k) = 1\) for all valid \(k\). In this case, only one node is present that is not compromised. Due to the \(CC\) prefix, the leftmost position of this node does not lead to a secure configuration—only the rightmost one does, so once again, only one configuration is possible.

1.2 A.2 Ring configurations

There are configurations in which the attacker does not succeed in the line segment configuration, but does so in the ring configuration. Consider the example \(HCHHC\). In this line segment, no honest node’s readings are revealed. However, if the first and the last node are connected to yield a ring structure, an insecure configuration is reached. We therefore have to subtract all configurations that become insecure by creating the ring structure from our result above.

There are two patterns that lead to an insecure configuration in the ring structure despite a secure configuration in the line segment: Either the two leftmost nodes are \(HC\) and the rightmost one is \(C\), or the two rightmost nodes are \(CH\), and the leftmost one is \(C\). For symmetry reasons, considering one of the two is sufficient. We therefore compute the number of secure line segment configurations with the leftmost node \(C\) and the rightmost nodes \(CH\).

As a first step, we count all secure configurations of length \(n\), with \(a\) compromised nodes, having \(C\) as the leftmost node. This can be expressed as the number of secure configurations of length \(n-1\), with \(a-1\) compromised nodes, having the prefix \(CC\) (the additional compromised node in the prefix does not change anything). We have defined this above as \(f(n-1,a-1)\).

From that result, we can subtract the number of secure configurations of length \(n\), with \(a\) compromised nodes, having \(C\) as the leftmost node and not having \(CH\) as the two rightmost nodes. We do so by constructing a modified version \(f^{\prime }(\cdot )\) of function \(f(\cdot )\) as above. Just like \(f(\cdot ),\,f^{\prime }(\cdot )\) counts the number of secure line segment configurations with prefix \(CC\); the modification makes sure we do not count the configuration \(CH\) as the two rightmost nodes. All we have to change from the construction above are two conditions:

  • \(f^{\prime }(k+1,k) = 0\) for all valid \(k\): All nodes, except one, are compromised. Previously, that node could take only the rightmost position to achieve a secure configuration; this position is now excluded by definition.

  • As a special case, \(f^{\prime }(1,0) = 0\). The prefix \(CC\), which exists due to definition of the function, also leads to the only possible configuration \(CH\) at the rightmost position; this, too, is excluded by the definition of \(f^{\prime }\).

Summarized, we get the number of secure configurations in the ring configuration as:

$$\begin{aligned} c(n,a) = g(n,a) - 2(f(n-1,a-1) - f^{\prime }(n-1,a-1)) \end{aligned}$$

where \(f(\cdot ), g(\cdot )\) are defined as above and \(f^{\prime }(\cdot ), g^{\prime }(\cdot )\) are given below:

$$\begin{aligned} f^{\prime }(n,a)&= f^{\prime }(n-1,a-1) + g^{\prime }(n-2,a)\\ g^{\prime }(n,a)&= f^{\prime }(n-1,a-1) + g^{\prime }(n-1,a)\\ f^{\prime }(k,k)&= g^{\prime }(k,k) = 1\\ f^{\prime }(1,0)&= f^{\prime }(k+1,k) = 0\\ f^{\prime }(k,0)&= 1, k \ge 2\\ g^{\prime }(k,0)&= 0. \end{aligned}$$

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Gómez Mármol, F., Sorge, C., Petrlic, R. et al. Privacy-enhanced architecture for smart metering. Int. J. Inf. Secur. 12, 67–82 (2013).

Download citation

  • Published:

  • Issue Date:

  • DOI:


  • Homomorphic encryption transformation
  • Privacy
  • Smart meters
  • Smart grid