Abstract
The sharing of energy usage data in smart grids is becoming increasingly popular because it not only allows different entities to access fine-grained energy consumption data but also improves the effectiveness of smart grid technologies. How to ensure both verifiability and privacy of the shared data is a vital issue. Most existing privacy-preserving authentication schemes greatly hinder the flexibility of sharing data among multiple parties because they are either vulnerable or inefficient. The customer-centric energy usage data management framework based on redactable signature (RS) technology can be seen as an effective solution. It offers customers the flexibility to remove parts of privacy-sensitive data depending on different data usage demands, and ensures data verifiability for third-party service providers. However, existing RS schemes are computationally inefficient for constrained devices such as smart meters. Moreover, it is widely expected that quantum computers will break all traditional public-key primitives; in this regard, almost all existing RS schemes are vulnerable to quantum attacks. To address the above concerns, in this work we propose a hash-based RS scheme, HRSS, based on a variant of the Goldreich-Goldwasser-Micali tree, a length-doubling pseudorandom generator, and the underlying SPHINCS\(^+\) framework. Our HRSS is the first quantum-safe RS scheme, whose security depends only on the security of the underlying hash functions. We instantiate and evaluate the performance of our design. Theoretical and experimental comparisons with recent works show that HRSS is practical for smart grids.
Notes
2. Note that Redact supports the redaction of multiple sub-messages simultaneously. For ease of presentation, we here only redact one sub-message.
References
Ahene, E., Qin, Z., Adusei, A.K., Li, F.: Efficient signcryption with proxy re-encryption and its application in smart grid. IEEE Internet Things J. 6(6), 9722–9737 (2019)
Bernstein, D.J., et al.: SPHINCS+, submission to the NIST post-quantum project, vol. 3 (2020). www.sphincs.org/data/sphincs+-round3-specification.pdf
Bernstein, D., et al.: SPHINCS: practical stateless hash-based signatures. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 368–397. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_15
Bogdanov, A., Rosen, A.: Pseudorandom functions: three decades later. IACR Cryptol. ePrint Arch. 2017, 652 (2017)
Bürstinghaus-Steinbach, K., Krauß, C., Niederhagen, R., Schneider, M.: Post-quantum TLS on embedded systems: integrating and evaluating kyber and SPHINCS+ with mbed TLS. In: ASIA CCS 2020, Taipei, Taiwan, 5–9 Oct 2020, pp. 841–852. ACM (2020)
Camenisch, J., Dubovitskaya, M., Haralambiev, K., Kohlweiss, M.: Composable and modular anonymous credentials: definitions and practical constructions. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 262–288. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_11
Chang, E.-C., Lim, C.L., Xu, J.: Short redactable signatures using random trees. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 133–147. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00862-7_9
Czajkowski, J., Groot Bruinderink, L., Hülsing, A., Schaffner, C., Unruh, D.: Post-quantum security of the sponge construction. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 185–204. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_9
Derler, D., Pöhls, H.C., Samelin, K., Slamanig, D.: A general framework for redactable signatures and new constructions. In: Kwon, S., Yun, A. (eds.) ICISC 2015. LNCS, vol. 9558, pp. 3–19. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30840-1_1
Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_9
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS 1984, West Palm Beach, Florida, USA, 24–26 Oct 1984, pp. 464–479. IEEE (1984)
Gope, P., Sikdar, B.: An efficient privacy-preserving dynamic pricing-based billing scheme for smart grids. In: CNS 2018, Beijing, China, 30 May–1 June 2018, pp. 1–2. IEEE (2018)
Haber, S., et al.: Efficient signature schemes supporting redaction, pseudonymization, and data deidentification. In: ASIACCS 2008, Tokyo, Japan, 18–20 Mar 2008, pp. 353–362. ACM (2008)
Huang, X., et al.: Cost-effective authentic and anonymous data sharing with forward security. IEEE Trans. Computers 64(4), 971–983 (2015)
Jeske, T.: Privacy-preserving smart metering without a trusted-third-party. In: SECRYPT 2011, Seville, Spain, 18–21 July 2011, pp. 114–123 (2011)
Johnson, R., Molnar, D., Song, D., Wagner, D.: Homomorphic signature schemes. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 244–262. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_17
Kar, J.: Provably secure certificateless deniable authenticated encryption scheme. J. Inf. Secur. Appl. 54, 102581 (2020)
Kong, W., Shen, J., Vijayakumar, P., Cho, Y., Chang, V.: A practical group blind signature scheme for privacy protection in smart grid. J. Parallel Distributed Comput. 136, 29–39 (2020)
Lahoti, G., Mashima, D., Chen, W.: Customer-centric energy usage data management and sharing in smart grid systems. In: SEGS2013, 8 Nov 2013, Berlin, Germany, pp. 53–64. ACM (2013)
Limbasiya, T., Das, D., Das, S.K.: MComIoV: secure and energy-efficient message communication protocols for internet of vehicles. IEEE/ACM Trans. Netw. 29(3), 1349–1361 (2021)
Liu, J., Hou, J., Huang, X., Xiang, Y., Zhu, T.: Secure and efficient sharing of authenticated energy usage data with privacy preservation. Comput. Secur. 92, 101756 (2020)
McCallister, E., Grance, T., Scarfone, K.: Guide to protecting the confidentiality of personally identifiable information (PII). NIST SP 800-122 (2010)
Micali, S., Sidney, R.: A simple method for generating and sharing pseudo-random functions, with applications to clipper-like key escrow systems. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 185–196. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_15
Miyazaki, K., Hanaoka, G., Imai, H.: Digitally signed document sanitizing scheme based on bilinear maps. In: ASIACCS 2006, Taipei, Taiwan, 21–24 Mar 2006, pp. 343–354. ACM (2006)
NIST: Report on post-quantum cryptography (2016). www.dx.doi.org/10.6028/NIST.IR.8105
NIST: Recommendation for stateful hash-based signature schemes (2020). www.doi.org/10.6028/NIST.SP.800-208
Nojima, R., Tamura, J., Kadobayashi, Y., Kikuchi, H.: A storage efficient redactable signature in the standard model. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 326–337. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04474-8_26
PG&E: PG&E smart grid annual report 2020 (2020). www.pge.com/pge_global/common/pdfs/safety/how-the-system-works/electric-systems/smart-grid/AnnualReport2020.pdf
Pöhls, H.C., Samelin, K.: On updatable redactable signatures. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 457–475. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07536-5_27
Pöhls, H.C., Samelin, K.: Accountable redactable signatures. In: ARES 2015, Toulouse, France, 24–27 Aug 2015, pp. 60–69. IEEE (2015)
Sanders, O.: Efficient redactable signature and application to anonymous credentials. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 628–656. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_22
Saxena, N., Grijalva, S.: Efficient signature scheme for delivering authentic control commands in the smart grid. IEEE Trans. Smart Grid 9(5), 4323–4334 (2018)
Steinfeld, R., Bull, L., Zheng, Y.: Content extraction signatures. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 285–304. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45861-1_22
Sui, Z., de Meer, H.: An efficient signcryption protocol for hop-by-hop data aggregations in smart grids. IEEE J. Sel. Areas Commun. 38(1), 132–140 (2020)
Sultan, S.: Privacy-preserving metering in smart grid for billing, operational metering, and incentive-based schemes: a survey. Comput. Secur. 84, 148–165 (2019)
Tang, F., Pang, J., Cheng, K., Gong, Q.: Multiauthority traceable ring signature scheme for smart grid based on blockchain. Wirel. Commun. Mob. Comput. 2021, 1–9 (2021)
Tanveer, M., Khan, A.U., Kumar, N., Naushad, A., Chaudhry, S.A.: A robust access control protocol for the smart grid systems. IEEE Internet Things J. 9(9), 6855–6865 (2022)
European Union: The EU general data protection regulation (GDPR) (2018). www.eugdpr.org
Enel X: EnerNOC, global leader in smart energy management (2017). www.corporate.enelx.com/en/stories/2017/08/enernoc-global-leader-in-smart-energy-management
Zhang, K., Cui, H., Yu, Y.: SPHINCS-\(\alpha \): a compact stateless hash-based signature scheme. IACR Cryptol. ePrint Arch. 059 (2022)
Zhu, F., Yi, X., Abuadbba, A., Khalil, I., Nepal, S., Huang, X.: Cost-effective authenticated data redaction with privacy protection in iot. IEEE Internet Things J. 8(14), 11678–11689 (2021)
Acknowledgements
We have no conflicts of interest associated with this manuscript. We would like to thank the anonymous reviewers for their valuable comments. This work was supported in part by Australian Research Council (ARC) Linkage Project (LP160101766), ARC Discovery Project (DP180103251), the Data61 collaborative research project - ‘Enhancing Security and Privacy of IoT’, National Natural Science Foundation of China (62032005), and Science Foundation of Fujian Provincial Science and Technology Agency (2020J02016).
Appendix
Proof of Theorem 1. For space reasons, we provide a proof sketch here. Our proof is similar to [13, 16]. The proof shows that if there exists a p.p.t. adversary \(\mathcal {A}\) that can break our HRSS, then there exists another adversary \(\mathcal {F}\) who can utilize \(\mathcal {A}\) to break the collision resistance of the collapsing hash function \(H(\cdot )\), the security of \(G(\cdot )\), or the unforgeability of SPHINCS\(^+\).
In the Setup Phase, \(\mathcal {F}\) executes Setup to obtain the secret key sk of the SPHINCS\(^+\) framework and the public key \(spk=\{pk, G, H(\cdot )\}\), and then sends spk to \(\mathcal {A}\). In the Query Phase, \(\mathcal {A}\) is allowed to issue several oracle queries for a message M according to any adaptive policy, namely the pseudorandom value oracle \(O_{G}\), the hash oracle \(O_H\), and the signing oracle \(O_{Sign}\) (\(O_{G}\) and \(O_H\) are publicly available):
- \(O_G\): On input M, it returns an n-leaf random GGM tree \(T_M\), secret labels for the nodes in \(T_M\), and auxiliary information \((r_M, s_M)\), where \(r_M\) and \(s_M\) are used to generate \(T_M\) and its node labels, respectively.
- \(O_H\): On input \(M, r_M, s_M\), and \(T_M\), it computes hash values bottom-up for the nodes in \(T_M\) and returns the hash value \(h_{\varepsilon _M}\) of the root node \({\varepsilon _M}\).
- \(O_{Sign}\): On input \(h_{\varepsilon _M}\), it returns a signature \(\sigma _{\varepsilon _M}\).
Note that this process is equivalent to the natural setting of the scheme from \(\mathcal {A}\)’s perspective, and each query is recorded by \(\mathcal {F}\). For ease of presentation, we define the following notation. Let \(M_i\), \(i=1, 2, \ldots , q_s\), be the set of \(O_{Sign}\) queries made by \(\mathcal {A}\). Let \(s_{u,i}\) and \(h_{u,i}\) denote the key and hash value for node u at \(M_i\), respectively. For example, \(s_{\varepsilon ,i}\) denotes the random key for use with \(M_i\) and its redactions, and \(h_{\varepsilon ,i}\) denotes the hash value of the root of the random GGM tree of \(M_i\). The notation \(\alpha _{u,i}\) represents the input of the hash at node u at \(M_i\), i.e., \(h_{u,i}=H(\alpha _{u,i})\). We also assume that all trees share the same \(r_{M_i}\) in this forgery game, since this only makes \(\mathcal {A}\)’s task easier.
In the Output Phase, \(\mathcal {A}\) either admits failure or outputs a valid forgery \((h_i^*, \{s_u^* : u \text{ is a co-node of } i\}, r_{M^*}, \sigma _{\varepsilon _{M^*}})\) on \(M^*\), where \(r^*=r_{M_i}\), \(\sigma _{\varepsilon _{M^*}}= \mathsf{S.Sign}(sk, h_{\varepsilon _{M^*}})\), and \(M^*\not \subseteq M_i\).
If \(\varepsilon _{M^*} \ne \varepsilon _{M_i}\) holds for all i, then \(\mathcal {F}\) has found an existential forgery of the SPHINCS\(^+\) framework. Assume instead that there exists some i such that \(\varepsilon _{M^*} = \varepsilon _{M_i}\). Denote by \(T_{M^*}\) the hash tree corresponding to \(M^*\). \(\mathcal {F}\) now compares \(T_{M^*}\) with the tree \(T_{M_i}\) corresponding to \(M_i\): due to the properties of the (random) Merkle tree, \(T_{M^*}\) is a sub-tree of \(T_{M_i}\). Also, the leaf/internal nodes of \(T_{M^*}\) must be leaf/internal nodes of \(T_{M_i}\). Otherwise, if there is some node v that is a leaf in \(T_{M_i}\) but an internal node in \(T_{M^*}\), then \(\mathcal {F}\) has found a hash collision \(H(\alpha _{v,*})=H(\alpha _{v,i})\), since leaf nodes and internal nodes are hashed in different ways.
There may also be a case in which some leaf node \(v \in T_{M^*}\) (with \({M^*}_v={M_i}_v\)) is not found in the tree corresponding to \(M_i'\), where \(M_i'\) is the set of the redactions of \(M_i\). In this case, \(\mathcal {A}\)’s forgery must disclose \(s_u\), where u is some ancestor of v. However, note that 1) \(s_u\) is not revealed by any oracle query, and 2) \(s_u\) is not any of the key values of u’s ancestors. Therefore, the value must have been guessed by \(\mathcal {A}\), and \(\mathcal {F}\) can use it to break \(G(\cdot )\). This completes the proof. \(\square \)
Proof of Theorem 2. Our Privacy game states that, given a sub-message/signature pair with two possible source messages, no one can judge from which source message the sub-message stems. In this game, the p.p.t. algorithm \(\mathcal {A}\) chooses two equal-length messages \(M_0\) and \(M_1\) and sends them to a challenger \(\mathcal {C}\), such that \(M_0\) and \(M_1\) are identical except in a sub-message \(X_0\ne X_1\), i.e., \(M'= M_0\backslash X_0= M_1\backslash X_1\), \(X_0 \subseteq M_0\), and \(X_1\subseteq M_1\). \(\mathcal {C}\) picks \(M_b\), \(b\in \{0,1\}\), and outputs \(M'\) by executing Sign and Redact. \(\mathcal {A}\) is allowed to make any signing queries to \(\mathcal {C}\), and finally outputs its guess of b.
Note that when \(X_0\) (say, at the v-th position) is removed from \(M_0\), the disclosed value associated with \(X_0\) in the received information is \(h_v\), where \(h_v=H(0, s_v,X_0)\) and \(s_v\) is the key for v. Since \(F_s(x)=H(0,s,x)\) is a secure pseudorandom function, based on the claim in [23] we can treat each such \(h_v\) as an independently selected random value. The same applies to removing \(X_1\) from \(M_1\). That is to say, no information about removed nodes in the output of Sign remains in the output of Redact, and \(\mathcal {A}\) cannot output its guess of b better than at random. Hence the scheme is privacy-preserving. \(\square \)
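The construction that both proof sketches reason about, as an added Python example (not the paper's code): a GGM-style label tree derived with a length-doubling PRG, leaf hashes \(H(0, s_v, X_v)\) with a different prefix for internal nodes, a signature over the root, and Redact/Verify. It assumes SHA-256 and SHA-512 as H and G, reveals the leaf labels of retained leaves instead of the paper's co-node label set, and uses HMAC as a placeholder for the SPHINCS\(^+\) root signature.

```python
import hashlib, hmac, os

def H(*parts):  # domain-separated hash: every part is length-prefixed
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def G(s):  # length-doubling PRG: one 32-byte label -> two 32-byte child labels
    out = hashlib.sha512(s).digest()
    return out[:32], out[32:]

def ggm_leaf_labels(s_root, n):  # GGM tree over leaves [0, n): leaf v gets label s_v
    labels = {}
    def walk(s, lo, hi):
        if hi - lo == 1:
            labels[lo] = s
        else:
            mid = (lo + hi) // 2
            left, right = G(s)
            walk(left, lo, mid); walk(right, mid, hi)
    walk(s_root, 0, n)
    return labels

def merkle(h, lo, hi):  # internal nodes use prefix 0x01; leaves use 0x00 (see sign)
    if hi - lo == 1:
        return h[lo]
    mid = (lo + hi) // 2
    return H(b"\x01", merkle(h, lo, mid), merkle(h, mid, hi))

def sign(sk, M):
    # Sign: fresh root label, leaf hash h_v = H(0, s_v, M_v), root signed.
    # HMAC is a placeholder for SPHINCS+ (a MAC, not a public-key signature).
    labels = ggm_leaf_labels(os.urandom(32), len(M))
    leaf_h = {i: H(b"\x00", labels[i], M[i]) for i in range(len(M))}
    sig = hmac.new(sk, merkle(leaf_h, 0, len(M)), "sha256").digest()
    return {"n": len(M), "labels": labels, "leaf_h": leaf_h, "sig": sig}

def redact(M, S, remove):
    # Redact: a removed leaf is disclosed only as its hash h_v; labels are
    # revealed only for retained leaves (simplification of the co-node set).
    keep = {i: M[i] for i in range(S["n"]) if i not in remove}
    disc = {"n": S["n"], "sig": S["sig"],
            "labels": {i: S["labels"][i] for i in keep},
            "redacted_h": {i: S["leaf_h"][i] for i in remove}}
    return keep, disc

def verify(sk, keep, disc):
    # Verify: rebuild every leaf hash, recompute the root, check its signature.
    leaf_h = dict(disc["redacted_h"])
    for i, m in keep.items():
        leaf_h[i] = H(b"\x00", disc["labels"].get(i, b""), m)
    if set(leaf_h) != set(range(disc["n"])):
        return False
    root = merkle(leaf_h, 0, disc["n"])
    return hmac.compare_digest(hmac.new(sk, root, "sha256").digest(), disc["sig"])
```

Verification of the redacted message needs only the disclosed hashes and labels, while re-filling a redacted slot with new content requires the withheld label \(s_v\), which is the point of the unforgeability argument above.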
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Zhu, F., Yi, X., Abuadbba, A., Luo, J., Nepal, S., Huang, X. (2022). Efficient Hash-Based Redactable Signature for Smart Grid Applications. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13556. Springer, Cham. https://doi.org/10.1007/978-3-031-17143-7_27
DOI: https://doi.org/10.1007/978-3-031-17143-7_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17142-0
Online ISBN: 978-3-031-17143-7