Efficient Hash-Based Redactable Signature for Smart Grid Applications

Abstract

The sharing of energy usage data in smart grids is becoming increasingly popular because it not only allows different entities to access fine-grained energy consumption data but also improves the effectiveness of smart grid technologies. How to ensure both verifiability and privacy of the shared data is a vital issue. Most existing privacy-preserving authentication schemes greatly hinder the flexibility of sharing data among multiple parties due to vulnerability and inefficiency reasons. The customer-centric energy usage data management framework based on redactable signature (RS) technology can be seen as an effective solution. It offers customers the flexibility to remove parts of privacy-sensitive data depending on different data usage demands, and ensures data verifiability for third party service providers. However, existing RS schemes are computationally inefficient for constrained devices such as smart meters. Besides, it is said that quantum computers are expected to break all traditional public-key primitives. In this regard, almost all existing RS schemes are vulnerable to quantum attacks. To address the above concerns, in this work, we propose a hash-based RS scheme HRSS based on a variant of the Goldreich-Goldwasser-Micali tree, a length-doubling pseudorandom generator, and an underlying SPHINCS\(^+\) framework. Our HRSS is the first quantum-safe RS scheme, where the security depends only on the security of underlying hash functions. We instantiate and evaluate the performance of our design. Theoretical and experimental comparisons with recent works show that HRSS is practical for smart grids.

Appendix

Proof of Theorem 1. For space reasons, we provide a proof sketch here. Our proof is similar to [13, 16]. The proof implies that if there exists a p.p.t. adversary \(\mathcal {A}\) that can break our HRSS, then there exists another adversary \(\mathcal {F}\) who can unitize \(\mathcal {A}\) to break the collision resistance of collapsing hash function \(H(\cdot )\) or the security of \(G(\cdot )\) or the unforgeability of SPHINCS\(^+\).

In Setup Phase, \(\mathcal {F}\) executes Setup to obtain the secret key sk of the SPHINCS\(^+\) framework and the public key \(spk=\{pk, G, H(\cdot )\}\), and then sends spk to \(\mathcal {A}\). In Query Phase, \(\mathcal {A}\) is allowed to issue several oracle queries for a message M according to any adaptive policy such as pseudorandom value oracle \(O_{G}\), hash oracle \(O_H\), and signing oracle \(O_{Sign}\) ( \(O_{G}\) and sf \(O_H\) are publicly available):

• \(O_G\): On input M, it returns a n-leaf random GGM tree for \(T_M\), secret labels for nodes in \(T_M\), and auxiliary information \((r_M, s_M)\), where \(r_M\) and \(s_M\) are used to generate \(T_M\) and its node labels, respectively.

• \(O_H\): On input \(M, r_M, s_M\), and \(T_M\), it computes hash values bottom-up for nodes in \(T_M\) and returns the hash value \(h_{\varepsilon _M}\) for the root node \({\varepsilon _M}\).

• \(O_{Sign}\): On input \(h_{\varepsilon _M}\), it returns a signature \(\sigma _{\varepsilon _M}\).

Note that this process is equivalent to the natural setting of the scheme from \(\mathcal {A}\)’s perspective, and each query is recorded by \(\mathcal {F}\). For ease of presentation, we define the following notations. Let \(M_i\), \(i=1, 2, \ldots , q_s\) be the set of \(O_{Sign}\) queries made by \(\mathcal {A}\). Let \(s_{u,i}\) and \(h_{u,i}\) denote the key and hash value for node u at \(M_i\), respectively. For example, \(s_{\varepsilon ,i}\) denotes the random key for use with \(M_i\) and its redactions; \(h_{\varepsilon ,i}\) denotes the hash value for the root of the random GGM tree of \(M_i\). The notation \(\alpha _{u,i}\) represents the input of the hash at node u at \(M_i\), i.e., \(h_{u,i}=H(\alpha _{u,i})\). We also assume that all trees have a same \(r_{M_i}\) in this forgery game as it can reduce the difficulty for \(\mathcal {A}\).

In Output Phase, \(\mathcal {A}\) either admits failure or successfully outputs a valid forgery \(({h_i}^*, \{{s_u}^*: each \)u\( is a co-node of \ i \}, r_{M^*}, \sigma _{\varepsilon _{M^*}})\) on \(M^*\), where \(r^*=r_{M_i}\), \(\sigma _{\varepsilon _{M^*}}= \mathsf{S.Sign}(sk, h_{\varepsilon _{M^*}})\), and \(M^*\not \subseteq M_i\).

If for all i, the case \(\varepsilon _{M^*}\) \(\ne \) \(\varepsilon _{M_i}\) holds, \(\mathcal {F}\) finds an existential forgery of SPHINCS\(^+\) framework. Assume that there exists some i such that the case \(\varepsilon _{M^*}\) \(=\) \(\varepsilon _{M_i}\) holds. Denote by \(T_{M^*}\) the hash tree corresponding to \(M^*\). \(\mathcal {F}\) now compares \(T_{M^*}\) and \(T_{M_i}\) corresponding to \(M_i\): Due to the properties of the (random) Merkle tree, \(T_{M^*}\) is a sub-tree of \(T_{M_i}\). Also, the leaf/internal nodes of \(T_{M^*}\) should form leaf/internal nodes of \(T_{M_i}\). Otherwise, if there is some node v that is a leaf in \(T_{M_i}\) but is an internal node in \(T_{M^*}\), then \(\mathcal {F}\) finds a hash collision \(H(\alpha _{v,*})=H(\alpha _{v,i})\) since the hash value calculation method of leaf nodes and internal nodes is different.

Possibly, there may exist a case that there is some leaf node \(v \in T_{M^*}\) (such that \({M^*}_v={M_i}_v\)) but v is not found in the tree corresponding to \(M_i'\), where \(M_i'\) is the set of the redactions of \(M_i\). In this case, \(\mathcal {A}\)’s forgery must disclose \(s_u\) where u is some ancestor if v. However, note that 1) \(s_u\) should not be revealed by any oracle queries, and 2) \(s_u\) is not any of the key values of u’s ancestors. Therefore, the value should be guessed by \(\mathcal {A}\). Hence, \(\mathcal {F}\) can use it to break \(G(\cdot )\). This completes the proof.    \(\square \)

Proof of Theorem 2. Our Privacy game states that given a sub-message/signature pair with two possible source messages, no one can judge from which source message the sub-message stems. In such the game, the p.p.t. algorithm \(\mathcal {A}\) chooses two equal-length messages \(M_0\) and \(M_1\) and sends them to a challenger \(\mathcal {C}\) such that \(M_0\) and \(M_1\) are identical except in a sub-message \(X_0\ne X_1\), i.e., \(M'= M_0\backslash X_0= M_1\backslash X_1\), \(X_0 \subseteq M_0\), and \(X_1\subseteq M_1\). \(\mathcal {C}\) picks \(M_b\), \(b\in \{0,1\}\) and outputs \(M'\) by executing Sign and Redact. \(\mathcal {A}\) is allowed to make any signing queries to \(\mathcal {C}\), and finally outputs its guess on b.

Note that when \(X_0\) (say v-th position) is removed from \(M_0\), the disclosed value associated to \(X_0\) in the received information is \(h_v\), where \(h_v=H(0, s_v,X_0)\) and \(s_v\) is the key for v. Since \(F_s(x)=H(0,s,x)\) is a secure pseudorandom function, based on the claim in [23], we can simply treat each such \(h_v\) as an independently selected random value. This situation also applies to removing \(X_1\) from \(M_0\). That is to say, no information about removed nodes in the output of Sign remains in the output of Redact, and \(\mathcal {A}\) cannot output its guess on b better than at random. Hence the scheme is privacy-preserving.    \(\square \)