Abstract
The recent deployment of smart grids promises to bring numerous advantages in terms of energy consumption reduction in both homes and businesses. A more transparent and instantaneous measurement of electricity consumption through smart meters utilization leads to an enhancement in the ability of monitoring, controlling and predicting energy usage. Nevertheless, it also has associated drawbacks related to the privacy of customers, since such management might reveal their personal habits, which electrical appliances they are using at each moment, whether they are at home or not, etc. In this work, we present a privacyenhanced architecture for smart metering aimed at tackling this threat by means of encrypting individual measurements while allowing the electricity supplier to access the aggregation of the corresponding decrypted values.
This is a preview of subscription content, access via your institution.
Notes
Note that control is somewhat limited; the ES can send updated price information or control commands to a specific smart meter, but does not know the current electricity consumption measured by that device. However, it would be possible to broadcast messages containing conditional instructions to be evaluated by the smart meters themselves.
Note that the actual formation, updating and maintenance of such ring is out of scope of this paper.
For \(n = 1\), no privacy can be achieved. Therefore, we assume that the smart metering architecture is composed of at least two smart meters.
Smart meters may report the same energy measurement at multiple periods, for example, during the night when the energy consumption remains nearly constant.
The period parameter \(j\) can be seen as a nonce to compute the new key from the old one.
References
Wood, G., Newborough, M.: Dynamic energyconsumption indicators for domestic appliances: Environment, behaviour and design. Energy Build. 35(8), 821–841 (2003). doi:10.1016/S03787788(02)002414
Cheng, S.T., Wang, C.H.: An adaptive scenariobased reasoning system across smart houses. Wirel. Pers. Commun. 64(2), 287–304 (2012). doi:10.1007/s112770100199x
Bañares Hernández, S.: Smart grid for electricity efficiency. In: Workshop On ICT For Innovation and Economy Recovery. University of Murcia (Spain) (2010)
Wood, G., Newborough, M.: Dynamic energyconsumption indicators for domestic appliances: Environment, behaviour and design. Elsevier Energy Build. 35(8), 821–841 (2003)
McDaniel, P., McLaughlin, S.: Security and privacy challenges in the smart grid. IEEE Secur. Priv. 7, 75–77 (2009)
Cavoukian, A., Polonetsky, J., Wolf, C.: SmartPrivacy for the smart grid: Embedding privacy into the design of electricity conservation. Identity Inf. Soc. 3(2), 275–294 (2010)
Rivest, R., Adleman, L., Dertouzos, M.: Foundations of Secure Computation. Academic Press, pp. 169–177. Ch. On data banks and privacy homomorphisms (1978)
Armknecht, F., Westhoff, D., Girao, J., Hessler, A.: A lifetimeoptimized endtoend encryption scheme for sensor networks allowing innetwork processing. Comput. Commun. 31(4), 734–749 (2008)
Mykletun, E., Girao, J., Westhoff, D.: Public key based cryptoschemes for data concealment in wireless sensor networks. In: IEEE International Conference on Communications, ICC2006. Istanbul, Turkey (2006)
García, F.D., Jacobs, B.: Privacyfriendly energymetering via homomorphic encryption. In: 6th Workshop on Security and Trust Management (STM 2010) (2010)
Paillier, P.: Publickey cryptosystems based on composite degree residuosity classes. In: Proceedings of EUROCRYPT’99, pp. 223–238 (1999)
Li, F., Luo, B., Liu, P.: Secure information aggregation for smart grids using homomorphic encryption. In: First IEEE International Conference on Smart Grid Communications. IEEE Communications Society, Gaithersburg, USA, pp. 327–332 (2010)
Finster, S., Conrad, M.: Privacyaware realtime smart metering. In: VDE Kongress 2010—EMobility: TechnologienInfrastrukturMärkte (2010)
Petrlic, R.: A privacypreserving concept for smart grids. In: Sicherheit in vernetzten Systemen: 18. DFN Workshop. Books on Demand GmbH, pp. B1–B14 (2010)
Lim, H.W., Paterson, K.G.: Identitybased cryptography for grid security. Int. J. Inf. Secur. 10(1), 15–32 (2011)
Bohli, J.M., Sorge, C., Ugus, O.: A privacy model for smart metering. In:IEEE International Conference on Communications (2010)
McLaughlin, S., McDaniel, P., Aiello, W.: Protecting consumer privacy from electric load monitoring. In: Proceedings of the 18th ACM Conference on Computer and Communications Security. ACM, New York, NY, USA, pp. 87–98 (2011)
Rial, A., Danezis, G.: Privacypreserving smart metering. In: Proceedings of the 10th Annual ACM Workshop on Privacy in the Electronic Society, WPES ’11. ACM, New York, NY, USA, pp. 49–60 (2011)
Gómez Mármol, F., Sorge, C., Ugus, O., Martínez Pérez, G.: Do not snoop my habits. Preserving privacy in the smart grid. IEEE Commun. Mag. 50(5), 166–172 (2012)
Minami, K., Lee, A.J., Winslett, M., Borisov, N.: Secure aggregation in a publishsubscribe system. In: WPES ’08: Proceedings of the 7th ACM Workshop on Privacy in the Electronic, Society, pp. 95–104 (2008)
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard) (Aug. 2008). http://www.ietf.org/rfc/rfc5246.txt
Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Advances in Cryptology CRYPTO’04, pp. 56–72 (2004)
Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalitionresistant group signature scheme. In: Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology, pp. 255–270 (2000)
Zsolt Berta, I., Buttyan, L., Vajda, I.: A framework for the revocation of unintended digital signatures initiated by malicious terminals. IEEE Trans. Dependable Secur. Comput. 2, 268–272 (2005)
Fonseca, E., Festag, A., Baldessari, R., Aguiar, R.L.: Support of anonymity in vanetsputting pseudonymity into practice. In: Wireless Communications and Networking Conference 2007. WCNC 2007. IEEE. pp. 3400–3405 (2007) doi:10.1109/WCNC.2007.625
Dingledine, R., Mathewson, N., Syverson, P.: Tor: the secondgeneration onion router. In: Proceedings of the 13th Conference on USENIX Security Symposium, vol. 13, SSYM’04. pp. 21–21 (2004)
Peter, S., Westhoff, D., Castelluccia, C.: A survey on the encryption of convergecasttraffic with innetwork processing. IEEE Trans. Dependable Secur. Comput. 4, 20–34 (2010). doi:10.1109/TDSC.2008.23
Castelluccia, C., Mykletun, E., Tsudik, G.: Efficient aggregation of encrypted data in wireless sensor networks. In: The Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services, pp. 109–117 (2005)
Sirivianos, M., Westhoff, D., Armknecht, F., Girao, J.: Nonmanipulable aggregator node election protocols for wireless sensor networks. In: Proceedings of the International Symposium on Modeling and Optimization in Mobile. Ad Hoc, and Wireless Networks (WiOpt) (2007)
RebolloMonedero, D., Forné, J., Solanas, A., MartínezBallesté, A.: Private locationbased information retrieval through user collaboration. Comput. Commun. 33(6), 762–774 (2010). doi:10.1016/j.comcom.2009.11.024
Acknowledgments
The work presented in this paper was partially supported by the BMWI within the project SmartPowerHamburg. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements of the SmartPowerHamburg project. Thanks also to the Funding Program for Research Groups of Excellence granted as well by the Séneca Foundation with code 04552/GERM/06. Finally, the authors thank Daniel Kuntze, Peter Günther and Santiago Pina for their support in determining the number of secure configurations presented in Sect. 4.5 and “Appendix A”.
Author information
Authors and Affiliations
Corresponding author
Electronic supplementary material
Below is the link to the electronic supplementary material.
Appendix A: Attacker success probability
Appendix A: Attacker success probability
To compute an attacker’s success probability if a number of smart meters are compromised (as described in Sect. 4.5), we derive a recursive solution. In the sense of the SMPB game definition, the attacker is successful if the attacker gets information from at least one honest (noncompromised) smart meter. This requires a configuration where, at least at one position in the ring, an honest smart meter’s predecessor and successor are both compromised. The attacker compromises \(a\) out of \(n\) nodes at random positions in the ring. To simplify notation, we use the abbreviations \(H\) for an honest smart meter and \(C\) for a compromised one.
We count the number of node configurations in which the attacker is not successful, that is, the sequence \(CHC\) never occurs. Such a configuration will be referred to as secure configuration. As a starting point, we use smart meters arranged on a line segment; we will introduce a correction term in the next step.
1.1 A.1 Line segment configurations
Consider \(n\) smart meters arranged on a line segment. We append this line segment to a prefix of two nodes, that is, we consider \(n+2\) nodes. Let \(h(n,a,HH)\) be the number of secure configurations where the prefix consists of two honest nodes \((HH)\), and there are \(a\) compromised nodes in the original line segment. To compute \(h(n,a,HH)\), we narrow the considered window, looking at the \(n1\) rightmost nodes and, again, a prefix of length 2. As the new prefix uses the old prefix’s right node, the two possible prefixes are \(HC\) or \(HH\). The number of compromised nodes in the new line segment is \(a1\) or \(a\), respectively. Therefore, \(h(n,a,HH) = h(n1,a,HH) + h(n1,a1,HC)\). For \(h(n,a,CC)\), an analogous construction can be used (and the same one for \(h(n,a,HC)\)). Finally, for \(h(n,a,CH)\), we only get secure configurations if the leftmost node in the line segment is honest. When doing the recursive step, the new prefix can only be \(HH\), so \(h(n,a,CH) = h(n1,a,HH)\).
In summary, we get
Given the identity of \(h(n,a,HC)\) and \(h(n,a,CC)\) and performing a substitution in the second equation, we get a simplified set of equations:
Note that the prefix plays a role when applying the recursion; however, the prefix \(HH\) has no impact on the number of secure configurations (for insecure configurations, an honest node must be between two compromised nodes; the prefix \(HH\) has no impact on whether or not this can happen). Therefore, \(h(n,a,HH)\) is the number of secure configurations in a line segment of length \(n\) we are looking for.
To further simplify the presentation, we define \(f(n,a)=h(n,a,CC)\) and \(g(n,a)=h(n,a,HH)\) and rearrange the equations above. This results in
With this, we have found a simple recursive presentation of function \(g(n,a)\), which represents the number of secure configurations on a line segment. Some simple considerations make it possible to terminate the recursion:

\(f(k,k) \!=\! g(k,k) \!=\! 1\) for all valid \(k\), as there is only one possible configuration (independent of the prefix) if all nodes are attackers. This configuration is considered “secure”, as no information from honest nodes is revealed.

\(f(k,0) = g(k,0) = 1\) for all valid \(k\). With no attackers present, there is also only one possible configuration, independent of the prefix.

\(f(k+1,k) = 1\) for all valid \(k\). In this case, only one node is present that is not compromised. Due to the \(CC\) prefix, the leftmost position of this node does not lead to a secure configuration—only the rightmost one does, so once again, only one configuration is possible.
1.2 A.2 Ring configurations
There are configurations in which the attacker does not succeed in the line segment configuration, but does so in the ring configuration. Consider the example \(HCHHC\). In this line segment, no honest node’s readings are revealed. However, if the first and the last node are connected to yield a ring structure, an insecure configuration is reached. We therefore have to subtract all configurations that become insecure by creating the ring structure from our result above.
There are two patterns that lead to an insecure configuration in the ring structure despite a secure configuration in the line segment: Either the two leftmost nodes are \(HC\) and the rightmost one is \(C\), or the two rightmost nodes are \(CH\), and the leftmost one is \(C\). For symmetry reasons, considering one of the two is sufficient. We therefore compute the number of secure line segment configurations with the leftmost node \(C\) and the rightmost nodes \(CH\).
As a first step, we count all secure configurations of length \(n\), with \(a\) compromised nodes, having \(C\) as the leftmost node. This can be expressed as the number of secure configurations of length \(n1\), with \(a1\) compromised nodes, having the prefix \(CC\) (the additional compromised node in the prefix does not change anything). We have defined this above as \(f(n1,a1)\).
From that result, we can subtract the number of secure configurations of length \(n\), with \(a\) compromised nodes, having \(C\) as the leftmost node and not having \(CH\) as the two rightmost nodes. We do so by constructing a modified version \(f^{\prime }(\cdot )\) of function \(f(\cdot )\) as above. Just like \(f(\cdot ),\,f^{\prime }(\cdot )\) counts the number of secure line segment configurations with prefix \(CC\); the modification makes sure we do not count the configuration \(CH\) as the two rightmost nodes. All we have to change from the construction above are two conditions:

\(f^{\prime }(k+1,k) = 0\) for all valid \(k\): All nodes, except one, are compromised. Previously, that node could take only the rightmost position to achieve a secure configuration; this position is now excluded by definition.

As a special case, \(f^{\prime }(1,0) = 0\). The prefix \(CC\), which exists due to definition of the function, also leads to the only possible configuration \(CH\) at the rightmost position; this, too, is excluded by the definition of \(f^{\prime }\).
Summarized, we get the number of secure configurations in the ring configuration as:
where \(f(\cdot ), g(\cdot )\) are defined as above and \(f^{\prime }(\cdot ), g^{\prime }(\cdot )\) are given below:
Rights and permissions
About this article
Cite this article
Gómez Mármol, F., Sorge, C., Petrlic, R. et al. Privacyenhanced architecture for smart metering. Int. J. Inf. Secur. 12, 67–82 (2013). https://doi.org/10.1007/s1020701201816
Published:
Issue Date:
DOI: https://doi.org/10.1007/s1020701201816
Keywords
 Homomorphic encryption transformation
 Privacy
 Smart meters
 Smart grid