Access control encryption without sanitizers for Internet of Energy

Abstract

With the increasing popularity of Internet of Energy (IoE), more and more physical devices connected to IoE depend on the information system for energy control and coordination. Under this condition, how to achieve information flow control in IoE becomes a great challenge. Access control encryption (ACE) is a promising technology to address the problem. However, existing ACE requires a centralized sanitizer, hindering its successful application in IoE. In this paper, we construct a new kind of ACE without sanitizers for IoE. We first construct a basic ACE scheme based on number-theoretic assumptions (i.e., DBDH assumption), and this scheme can control not only what users can read but also what they can write. To resist against the quantum attacks, we further construct a more secure ACE scheme based on learning with errors (LWE). We formally prove that our proposed two ACE schemes are secure under the proposed security definition, and we also evaluate the applicability and the efficiency of them in experiments.

Introduction

As the world-wide demand for energy continues to rise, Internet of Energy (IoE) [29], [30] should be an increasingly important part of the energy supplying paradigm. At present, the large-scale exploration of traditional fossil energy have not only led to the shortage of resources, environmental pollution and other problems, but also given rise to a serious threat to human survival and sustainable development. As a new energy architecture, IoE is a combination of information technology, renewable energy utilization and energy storage, making efficient use of renewable energy to satisfy the demand for social sustainable development. An illustration of IoE can be demonstrated in Fig. 1.

The communication network in IoE has new requirements on data privacy and confidentiality due to the difference between the structure of the network and the sensitivity of transmitting information [29], [30]. IoE connects a large number of distributed devices, including energy collection and storage devices, and new power network nodes to realize the two-way flows of energy. In this case, IoE can match supply and demand information in real time, integrate and disperse demand, and generate energy transaction and demand response. Thus, instead of being transmitted to a remote center, the energy information is distributed stored on a designated node in the local or network. Smart energy generates a large amount of data in production, transmission, storage, transaction, maintenance and consumption. It is urgent to promote the capacity building of safety monitoring and protection of these data. Because in the age of IoE, any small security breach may lead to disastrous results.

IoE also has critical requirements on access control. A typical IoE system is composed of power generation, distribution grid, end-user and energy storage device. In the system, energy demand of end-users is collected by smart meters, and then the information about user’s demand will be uploaded to IoE network. Those who have the stored energy could sell their energy to the energy requester after receiving the information from IoE network. The information flows between different devices in IoE system, and the collected information from different end-users in IoE usually have different levels of sensitivity, for example, the sensitivity of the collected information in charging station is obviously lower than the energy consumption information which is collected in residential. Therefore, we need to protect energy information flow in different levels by access control. Energy providers with high security level cannot send sensitive information to low-privileged consumer, and unauthorized consumers also cannot access protected information.

Many cryptographic primitives can be employed for accessing to encrypted data, such as identity-based encryption (IBE), attribute-based encryption (ABE), and functional encryption (FE). IBE was first proposed by Shamir [24]. Later on, amounts of IBE schemes [26], [6], [20] have been proposed to enable the receiver with satisfied specified identity to read messages. As a variant of IBE, ABE [14], [18], [11] can ensure that the receiver read the messages when his attributes satisfy the access structure. FE [9] was proposed for enabling the receiver satisfying the specified policy to read messages. All of these schemes prevent unauthorized receivers from obtaining any information about the encrypted messages.

While many research efforts focus on the access control problem of how to read the encrypted data, the access control problem for writing also remains. As an example in IoE, the above solutions do not prevent a malicious energy providers from sending any encrypted message he wants to send to illegal receivers. Illegal receivers may steal large amounts of energy resources, resulting in a shortage of energy supply and disastrous results. In this condition, how to restrict the sender from sending messages to receivers who do not satisfy the access control policy becomes a challenge.

To address this problem, access control encryption (ACE) [10] can be used to restrict the flow of information in IoE, including read access and write access. In an ACE scheme, there are three entities: sender, sanitizer and receiver. All ciphertexts sent by senders are sanitized by a sanitizer, and then the sanitized ciphertexts are broadcasted to all receivers. Concretely, an ACE scheme works as follows with a set of senders $\mathcal{S}$, a set of receivers $\mathcal{R}$, and a policy $P:\left[N\right]\times \left[N\right]\to \{0,1\}$, where N is the number of identities. If $P(i,j)=1$, a sender $S_i\in \mathcal{S}$ can communicate to a receiver $R_j\in \mathcal{R}$ (and vice versa). When a sender $S_i$ wants to send a message m to a receiver $R_j$, he first encrypts the message m use encryption key ${\mathit{ek}}_i$ to generate a ciphertext CT and then send CT to the sanitizer. After the sanitizer receives CT, it sanitizes the CT and broadcasts the new ciphertext ${\mathit{CT}}^{\prime }$ to all receivers. The correctness of ACE scheme ensures that if $P(i,j)=1$, then the receiver $R_j$ can use decryption key ${\mathit{dk}}_j$ to decrypt ${\mathit{CT}}^{\prime }$ and read the message m.

However, existing ACE schemes have two serious issues that cannot be directly employed in IoE. First, most existing ACE schemes cannot resist malicious sanitizer. The malicious sanitizer may leak the encryption key to an unauthorized sender such that the sender can send messages to any receiver he wants. Since all ciphertexts go through the sanitizer, the malicious sanitizer may also prevent a valid receiver from reading the messages, replay previously sanitized ciphertext to the same receiver, or forward another sanitized ciphertext to the receiver who cannot decrypt it correctly. Second, most existing ACE proposals cannot resist quantum attacks. Considering the recent advances on quantum computing and its overwhelming threat on traditional cryptography, quantum attacks should be taken into consideration when constructing ACE schemes for IoE.

Motivated by these issues, in this paper, we propose two ACE schemes without sanitizer for IoE. Our first scheme is based on subset predicate encryption (SPE) [16]. To further resist against quantum attacks, we propose a new SPE from learning with errors (LWE), and construct our second scheme based on the proposed SPE. In our schemes, the provider/sender can send energy information directly to the consumer/receiver without going through a fog sanitizer. More specifically, we first define a predicate $P:{\{0,1\}}^l\times {\{0,1\}}^l\to \{0,1\},s_i,r_j\in {\{0,1\}}^l,P(s_i,r_j)=1\iff r_j\subseteq s_i$. $s_i$ and $r_j$ are the set owned by sender $S_i$ and receiver $R_j$, respectively. $P(s_i,r_j)=1$ means that a sender $S_i$ with a set $s_i$ is allowed to communicate with a receiver $R_j$ with a set $r_j$. Otherwise, $P(s_i,r_j)=0$, then $S_i$ is not allowed to communicate with $R_j$. After that, if the sender $S_i$ wants to initiate communications with the receiver $R_j,S_i$ encrypts energy information using his encryption key, and sends the ciphertext to $R_j$. The receiver $R_j$, having a decryption key that is related with a set $r_j$, can decrypt the ciphertext if $P(s_i,r_j)=1$.

Our contributions are summarized as follows:

• We simplify the existing model of ACE by getting rid of the sanitizer, and present its formal security definition. This not only eliminates the security risk when malicious sanitizer exists, but only alleviate the communication delay and network failure induced by centralized sanitizer.

• We construct an ACE scheme without the sanitizer for IoE. This ACE scheme is constructed on an SPE based on the DBDH assumption. Then we give formal security proof of the ACE scheme under the proposed security definition.

• To against quantum attacks, we propose a lattice-based SPE and prove that the scheme is secure under the LWE assumption. Then we construct an ACE scheme based on the proposed SPE, and prove that it is secure under the proposed security definition.

The remainder of this paper is organized as follows. Section 2 reviews the related work. In Section 3, we give the preliminary knowledge about our constructions. In Section 4, we define the system model and the security model. In Section 5, we construct an ACE scheme from SPE and give its correctness analysis and security proof. In Section 6, we first propose an SPE based on LWE and prove its correctness and security. Then we construct an ACE scheme based on the proposed SPE scheme, and prove that the ACE scheme is secure under the proposed security definition. Section 7 conducts the performance of our ACE schemes from a theoretical perspective. Finally, we conclude the paper in Section 8.