Introduction

Smart grid is envisioned as a next-generation power grid that aims to provide users with electricity in a more reliable and efficient manner [1–5]. The main feature of a traditional power grid is one-way electricity distribution from power plants to consumers. In contrast, a smart grid integrates advanced communication technologies into the traditional grid, allowing two-way energy and information flow. In addition, a smart grid provides consumers with tools to optimize their energy consumption.

Smart meters, which include processors and storage, are key components of a smart grid. Smart meters can communicate with household appliances as well as with facilities at the utility. A smart grid equipped with smart meters can monitor electricity distribution and consumption information in real-time, provide subscribed users with power and fulfill advanced demands as well as manage power usage and outages [6] through a reliable communication network. A smart meter at each home collects electrical usage data from all the electric appliances at the home and transmits these data to the utility company. Thus, a smart grid can provide specific real-time power usage details through the communications between the smart meters and the utility. Then, the utility can change the price of power accordingly. Moreover, it also can adjust users’ power usage using preset load controls to flatten peak demands and avoid potential blackouts. Customers can obtain information about their electricity usage from the smart meters, and thus reschedule their current electric power usage, transferring power usage from peak times to non-peak times to control their costs.

A smart grid provides large benefits for both consumers and the utility. However, its success heavily relies upon communications systems, and the vulnerabilities inherent to communications systems can clearly affect the smart grid, cause severe harm to the entire infrastructure, and damage the economy, the society and affect people’s lives. Thus, communications security is a primary concern in smart grids [7–15]. In this paper, we concentrate primarily on sending power consumption information from smart meters to a utility in a secure manner. The basic considerations are as follows. 1) The power consumption data should be obtainable only by the smart meters and the utility. No other entities should be able to obtain the power consumption data because these data are sensitive. 2) The power consumption data must be authenticated. Without authentication, power consumption data are potentially fake. 3) The power consumption data must not have been altered during transmission. If the power consumption data have been modified, malicious operations have been detected. 4) After a smart meter has sent a consumer’s data to the utility, it cannot retroactively deny its action. 5) The power usage data include no extractable information that can help a third party to identify either the meter or the utility.

It is difficult to propose a scheme that simultaneously meets all the abovementioned properties. Additionally, we must consider that the computational and communication resources of a smart meter are limited. However, the utility has strong computational and communication resources. Thus, the resources available to smart meters and to the utility are not equivalent. Thus, we propose a heterogeneous secure signcryption scheme that accords with such characteristics. The advantage of this heterogeneous scheme is that smart meters have no certificate management problem, but the utility can afford the overhead involved in certificate management.

To ensure secure communications from smart meters to the utility, in this paper, we design a secure HSC scheme. This scheme supports heterogeneous operations on the communication entities. There are three primary innovative points made in this paper.

• First, based on the fact that energy usage data must be well protected, we propose a secure HSC scheme to simultaneously achieve confidentiality, authentication, integrity, non-repudiation and ciphertext anonymity in a logical single step.
• Second, to analyze the security strength of our scheme, a provable security technique is employed to formally prove the proposed scheme’s security. This scheme has the properties of IND-CCA2 [16] and EUF-CMA [16] under the CDH problem in the random oracle model. According to this performance analysis, we conclude that the proposed scheme is more efficient than any other existing HSC schemes [17–19].
• Third, we adopt the heterogeneous communication system. Specifically, we require that a smart meter working in an IBC system be able to send a message to a utility belonging to a PKI system. This heterogeneous characteristic allows our scheme to be used for power information transmission in a smart grid because smart meters have no certificate management ability.

The reminder of the paper is arranged as follows. Related works are reviewed in Section 2. The system model, security requirements, design goal and bilinear pairings are introduced in Section 3. Then, the HSC scheme is designed in Section 4. We discuss its security and performance in Sections 5 and 6, respectively. Finally, Section 7 provides conclusions.

System model, security requirements and design goals

In this section, we describe the system model, security requirements and design goals.

Preliminaries

In this section, the bilinear pairings and the CDH problem are outlined.

Let G₁ and G_T be a cyclic additive group and a cyclic multiplicative group. The generator of G₁ is P. G₁ and G_T have the same order q. A bilinear pairing is a map with the following three properties:

1. Bilinear: On inputting , we have .
2. Non-degeneracy: There exists a P, Q ∈ G₁ such that .
3. Computability: On inputting P, Q ∈ G₁, an efficient algorithm exists to compute .

A bilinear pairing that satisfies the abovementioned properties is called an admissible bilinear pairing. The modified Weil pairing or Tate pairing are admissible maps of this type. For more details, readers can refer to [33].

On inputting a cyclic addition group G₁, its prime order q and generator P, the CDH problem in G₁ involves computing abP given (P, aP, bP) ∈ G₁.

Definition 1. The (ϵ, t)-CDH assumption holds when no t-polynomial time adversary exists who has advantage of at least ϵ in solving the CDH problem.

An HSC scheme

In this section, we first provide the syntax and security notions for an HSC scheme that permits only a sender belonging to an IBC system to transmit a message to a receiver belonging to a PKI system. Here, we employ IP-HSC to denote the following SC, in which “I” denotes IBC and “P” denotes PKI. Then, we describe our proposed HSC scheme.

Proposed IP-HSC scheme

In this section, we present an efficient IP-HSC scheme for secure smart grid communications that mainly comprises five algorithms: Setup, IBC-KE, PKI-KG, SC and USC. Then, we present the design of IP-HSC. We list the main notations of our scheme in Table 1.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 1. Notations.

https://doi.org/10.1371/journal.pone.0208311.t001

1. Setup: On inputting a security parameter k, the PKG selects the bilinear map groups (G₁, G₂) of prime order q, a generator P for G₁ and a bilinear map G₁ × G₁ → G₂. It then chooses a master private key , a master public key P_pub = sP, and the hash functions H₁: {0, 1}* → G₁, , . Here, n denotes the size of a message to be signcrypted. The public parameters are {G₁, G₂, e, q, P, P_pub, n, H₁, H₂, H₃}.
2. IBC-KE: A sender belonging to an IBC transmits its identity ID_s to PKG. The PKG calculates and sends the private key to the sender.
3. PKI-KG: A receiver in a PKI selects a random value as its private key and computes y_r = x_rP as the corresponding public key.
4. SC: On inputting a message m, the sender’s private key , and the receiver’s public key y_r, the sender executes the following procedures.
   1. Choose randomly and compute U = rP.
   2. Compute h₂ = H₂(m, U, ID_s, y_r).
   3. Compute .
   4. Compute W = m ∥ ID_s ⊕ H₃(U, y_r, ry_r).
   5. Output the ciphertext σ = (U, V, W).
5. USC: On inputting a ciphertext σ, a sender’s public key , and a receiver’s private key x_r, the receiver executes the following procedures.
   1. Compute T = x_rU.
   2. Compute m ∥ ID_s = W ⊕ H₃(U, y_r, T).
   3. Compute h₂ = H₂(m, U, ID_s, y_r).
   4. Check whether . If so, output the message m. Otherwise, reject and output a failure symbol ⊥.

Our IP-HSC scheme is heterogeneous, which is different from HSC [24–26, 34, 35]. In our proposed scheme, the sender is in an IBC system while the receiver is in a PKI system. Therefore, the characteristics of heterogeneous systems are highly suitable for power usage data transmission in a smart grid. A smart meter belonging to the IBC system employs the SC algorithm to obtain a ciphertext and transmits it to a utility belonging to the PKI system. Notice that we use the IBC technique in smart meters, which have no certificate management problem; thus, the computational burden of the smart meters is decreased. We employ the PKI technique at the utility, which has no key escrow problem.

In our scheme, every smart meter sends its electronic data to the utility which realize one to one communication. In smart grid, there will be many smart meters to communicate with the utility. Therefore, in order to achieve scalability, we add a data collector in the sender, which collect data from lots of smart meters. The utility does not need to establish a single communication channel to each smart meter. Thus, we can achieve multiple to one communication. To realize efficiency, the limited computation ability of smart meter does not perform many expensive calculation.

Security analysis

In this section, we analyze the confidentiality and unforgeability of our proposed IP-HSC scheme by following Theorem 1 and 2, respectively.

Theorem 1 (Confidentiality) In the random oracle model, if an adversary exists that can break the IND-CCA2 security of our proposed IP-HSC scheme with a nonnegligible advantage ϵ, running in a given time t and making at most q_u unsigncryption queries and oracle H_i (i = 1, 2, 3) queries, then there exists a PPT algorithm that settles the CDH problem with an advantage in a given time , where t_e is the time of a pairing operation.

1. Proof: It is assumed that we construct an algorithm that employs as a subroutine to settle the random instance (P, aP, bP) of the CDH problem.
2. Initial: randomly selects a master private key s and calculates a master public key P_pub = sP. also calculates a receiver’s public key y_r = aP. Here a simulates the receiver’s private key, and is not aware of the value of a.
3. Phase 1: acts as the challenger to in the confidentiality game defined in Section 4. Three lists are kept to simulate the hash oracles H₁, H₂, H₃, respectively. Assume that H₁ queries are distinct. We also assume that will issue an H₁(ID) query before employing ID in any other queries.
   • H₁ queries: For an H₁ query on the identity ID_i, first examines whether H₁’s value is already in the list L₁. If yes, the existing value is returned; otherwise, selects randomly, set t_iP as the value and inserts the tuple (ID_i, t_i) into the list L₁.
   • H₂ queries: For an H₂ query on (m, U, ID_s, y_r), first determines whether H₂’s value is already in the list L₂. If so, the existing value is returned; otherwise, picks a random value , sets e_iP as the answer and inserts the tuple (m, U, ID_s, y_r, e_iP) into the list L₂.
   • H₃ queries: For an H₃ query on (U, y_r, T), performs the following steps.
     1. If e(aP, bP) = e(T, P), outputs T and stops. On this occasion, has settled the given CDH problem.
     2. If a tuple of the form (U, y_r, *, h_3,i) exists in list L₃ such that e(U, y_r) = e(T, P), outputs h_3,i and regenerates the symbol * with T.
     3. If reaches the execution point, it selects h_3,i ∈ {0, 1}ⁿ randomly and gives it to . Then, saves the query and inserts the response into the list L₃.
4. Unsigncryption queries: selects a sender’s identity ID_s and a ciphertext σ = (U, W). performs the following steps.
   1. searches for a tuple of the form (U, y_r, T) for different T values, such that e(U, y_r) = e(T, P). If such an entry exists, h_3,i’s correct value can be obtained, and employs this value h_3,i to decrypt the ciphertext (i.e., m = W ⊕ h₃). If no such entry exists in L₃, randomly selects h_3,i ∈ {0, 1}ⁿ and adds the tuple (U, y_r, *, h_3,i) to the list L₃. Then, decrypts the ciphertext using the random value h_3,i.
   2. asks an H₂ query and obtains h_2,i = H₂(m, U, ID_s, y_r). Then, it checks whether . When the conditions hold, message m is returned to . Otherwise, rejects the ciphertext.
5. Challenge: produces two equal length plaintexts (m₀andm₁) and a challenge identity of a sender. In response, first sets U* = bP and selects W* from {0, 1}ⁿ. Then, transfers the ciphertext σ* = (U*, W*) to .
6. Phase 2: adaptively performs an unsigncryption query again as in Phase 1. There is a restriction that cannot issue an unsigncryption query on () to obtain the corresponding plaintext. replies to ’s queries following the same approach as in Phase 1.
7. Guess: generates a bit β′ that is neglected by .

The simulation is perfect except that requests an H₃ query on the entry (u*, y_r, aT*). If no such entry exists in the list L₃, has no advantage. Nevertheless, if that happens, because of the first step in H₃’s simulation, will solve the CDH problem. Throughout this entire simulation, the failure probability for unsigncryption queries is at most q_u/2^k.

Theorem 2 (Unforgeability) Under the random oracle model, if an adversary exists that can break the EUF-CMA security of our proposed IP-HSC scheme, running in a given time t and making at most q_k key extraction queries, q_s signcryption queries, and oracle H_i (i = 1, 2, 3) queries with a nonnegligible advantage ϵ, then there exists an algorithm that settles the CDH problem with an advantage in a time of O(t).

1. Proof: Assume that we construct an algorithm that employs as a subroutine to solve the random instance (P, aP, bP) of the CDH problem.
2. Initial: randomly selects a receiver’s secret key x_r from and calculates the corresponding public key y_r = x_rP. Then, sends the receiver’s key pair (x_r, y_r) and the system parameters params with P_pub = aP to . Notice that is not aware of the a value that simulates the PKG’s master private key.
3. Attack: acts as the challenger to in the unforgeability game defined in Section 4. Three lists are kept to simulate the hash oracles H₁, H₂, andH₃. It is assumed that H₁ queries are distinct. We also assume that will re-query H₁(ID) before utilizing ID in any other queries.
   • H₁ queries: performs H₁ queries on identity ID_i, as in the proof technique by Coron [36]. spins a coin T ∈ {0, 1} that takes a value of 0 with the probability of ξ and a value of 1 with the probability 1 − ξ. If T = 0, then picks n_i from and defines H₁(ID_i) = n_iP. If T = 1, then outputs H₁(ID_i) = n_ibP. In these two cases, adds a triple (ID_i, n_i, T) to the list L₁.
   • H₂ queries: For an H₂(m, U, ID_s, y_r) query, first examines whether the H₂ value is already in list L₂ for the entry (m, U, ID_s, y_r). If so, it outputs the existing value; otherwise, outputs h_2,i from G₁ as the answer. Then, inserts the tuple (m, U, ID_s, y_r, h_2,i) into list L₂.
   • H₃ queries: For an H₃(U, y_r, T) query, first determines whether the H₃ value is already in list L₃ for the entry (U, y_r, T). If so, it returns the existing value; otherwise, outputs a random value h_3,i from {0, 1}ⁿ as the answer. Then, inserts the tuple (U, y_r, T, h_3,i) into the list L₃.
   • Key extraction queries: When performs a key extraction query on an identity ID_i, obtains the corresponding triple (ID_i, n_i, T) from list L₁. When T = 1, fails and stops because it cannot compute the private key. Otherwise, outputs the private key n_iaP.
   • Signcryption queries: selects a message m and a sender’s identity ID_s. In response, performs the following steps.
     1. Select randomly and compute U = tP_pub, V = rP_pub.
     2. Set and add the tuple (m, U, ID_s, y_r) to the list L₂.
     3. Define h₃ = H₃(U, y_r, T) and insert the tuple (U, y_r, T) into the list L₃.
     4. Compute W = m ⊕ h₃.
     5. Return the ciphertext σ = (U, W).

Eventually, outputs a challenge ciphertext σ* = (U*, W*) and a challenge identity of a sender. Then, retrieves the tuple from the list L₁. If T* = 0, fails and stops. Otherwise, it continues and list L₂ must contain an item with an overwhelming probability. Because was defined as , if succeeds in the game, realizes that with , for . Then, is aware of that and that is the solution of the CDH problem.

Now we evaluate the ρ value. ’s successful probability in all key extraction queries is at most . During the forgery phase, the probability that has not asked a key extraction query for an identity is 1 − ρ. In addition, ’s probability of success for all key extraction queries is . The value is maximized at ρ′ = q_k/(q_k + 1). Utilizing this value, ρ′, we obtain

Additionally, utilizing the result lim_λ→0(1 + λ)^1/λ = e, we have for large q_k values. Hence, the probability that will succeeds in key extraction queries is at most , while the probability of failing at all signcryption queries is is because a conflict exists on H₂. Therefore, we obtain

Performance evaluation

Table 2 shows the performance of the proposed scheme, which is evaluated based on comparing the major computational cost, security, and communication overhead of our scheme with those of existing schemes SL-II [17], HWY-I [18], HWY-II [18] and LX-II [19], which are representative HSC schemes. In these four schemes, the senders work in the IBC setting and the receivers work in the PKI setting. They are denoted by PM, E, PC, the point multiplication in G₁, the exponentiation, and the pairing operation in G₂. Since hash function operation and XOR operations are much cheaper than PM or PC, we ignore those two operations. We assume that the sender in an IBC system has limited computation and storage capability but that the receiver in the PKI system has sufficient computation and storage resources. Therefore, we compare only the computational cost for signcryption. From Table 2, we can see that the computational cost of signcryption in these five schemes is considerable. In the “security” column, CCA2, CMA, and IS, denote IND-CCA2, EUF-CMA, and insider security, respectively. we can see that SL-II [17] does not meet CMA and IS security requirements. HWY-I [18], HWY-II [18], LX [19] and our scheme meet the requirements of insider security. In the “Communication overhead” column, our scheme is the shortest at 432 bits.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 2. Performance comparison.

https://doi.org/10.1371/journal.pone.0208311.t002

Here we give a quantitative analysis for SL-II [17], HWY-I [18], HWY-II [18], LX-II [19] and our scheme. We also only consider the smart meter part which has limited capacity. The experiment in [37] is adopted on MICA2 which is equipped with an ATmega128 8-bit processor clocked at 7.3728 MHz, 4 KB RAM and 128 KB ROM. According to [37], a PC needs 1.9s and an E needs 0.9s utilizing the supersingular curve y² + y = x³ + x with an embedding degree 4 and implementing η_T pairing: E(F_2²⁷¹) × E(F_2²⁷¹)→F_2^4⋅271 at an 80-bit security level. From [38], a PM operation in the extension field F_2^4⋅271 takes about 0.81s. As in [37, 38], we can see that the computational time on the meter of SL-II [17], HWY-I [18], HWY-II [18], LX-II [19] and our scheme are 1 * 1.9 = 1.9s, 3 * 0.81 = 2.43s, 2 * 0.81 = 1.62s, 2 * 0.81 + 1 * 0.9 = 2.52s and 3 * 0.81 = 2.43s, respectively. Fig 1 shows the relationship between the computational cost of smart meters and the related protocols. From Fig 1, we can see that the computational cost of our scheme is not the least, which is lower than LX-II [19], but higher than SL-II [17] and HWY-II [18].

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 1. The computational cost of smart meters versus related protocols.

https://doi.org/10.1371/journal.pone.0208311.g001

According to [37, 39], let us suppose that the current draw in active mode is 8.0mA, the current draw in receiving mode is 10mA, the current draw in transmitting mode is 27mA, the power level of MICA2 is 3.0V, and the data rate is 12.4kbps. For energy consumption, as in [40, 41], a PC operation consumers 3.0 * 8.0 * 1.9 = 45.6mJ, an E operation in G₂ consumers 3.0 * 8.0 * 0.9 = 21.6mJ and a PM consumers 3.0 * 8.0 * 0.81 = 19.44mJ. Hence, the computational energy cost on the meter of SL-II [17], HWY-I [18], HWY-II [18], LX-II [19] and our scheme are 1.9 * 45.6 = 86.64mJ, 3 * 0.81 * 19.44 = 47.24mJ, 2 * 0.81 * 19.44 = 31.49mJ, 2 * 0.81 * 21.16 + 0.9 * 19.44 = 51.78mJ and 3 * 0.81 * 19.44 = 47.24mJ, respectively.

For the communication cost, let us suppose that |ID| = 80bits as well as |m| = 160bits. Because we employ a subgroup G₁ of the 252-bit prime order, which is based on the supersingular curve y² + y = x³ + x over F_2²⁷¹, an element’s size in group G₁ is 542bits and can be reduced to 272bits (34 bytes) by means of standard compression technique [37] and an element’s size in group G₂ is 1084bits. Therefore, the meter in SL-II [17], HWY-I [18], HWY-II [18], LX-II [19] and the proposed scheme needs to transmit 560bits = 70bytes, 1328bits = 166bytes, 1328bits = 166bytes, 704bits = 88bytes and 432bits = 54bytes messages. From [37], we can see that the meter consumers 3 * 27 * 8/12400 = 0.052mJ to transmit one byte messages. Hence, the communication energy consumption of the meter in SL-II [17], HWY-I [18], HWY-II [18], LX-II [19] and our scheme are 0.025 * 70 = 1.75mJ, 0.025 * 166 = 4.15mJ, 0.025 * 166 = 4.15mJ, 0.025 * 88 = 2.2mJ, 0.025 * 54 = 1.35mJ. Therefore, the total energy consumption of SL-II [17], HWY-I [18], HWY-II [18], LX-II [19] and our scheme are 86.84 + 1.75 = 88.39mJ, 47.24 + 4.15 = 51.39mJ, 31.49 + 4.15 = 35.64mJ, 51.78 + 2.2 = 53.98mJ and 47.24 + 1.35 = 48.59mJ.

The communication energy consumption at the meter is summarized in Fig 2, from which we can see that the proposed scheme requires the least energy consumption for communication among the five tested schemes. We can also see that the proposed scheme needs only 1.35mJ to transmit a message. This energy cost is highly suitable for practical use in a smart grid.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. The communication energy consumption versus transmit a message.

https://doi.org/10.1371/journal.pone.0208311.g002

Conclusion

In this paper, we proposed an efficient HSC scheme for secure smart grid communications that allows a sender to belong to an IBC environment but to transmit a message to a receiver belonging to a PKI environment. The proposed scheme is proved to have IND-CCA2 as well as EUF-CMA properties under the CDH problem in the random oracle model, and it achieves confidentiality, integrity, authentication and non-repudiation simultaneously in a single logical step. Compared with existing HSC schemes that support a sender working in an IBC setting and a receiver working in a PKI setting, our scheme greatly enhances the communication efficiency, which meets the demand for real-time power usage data transmission in smart grid communications. A performance analysis is provided to demonstrate the efficiency improvement.

Supporting information

Acknowledgments

The authors thank the anonymous reviewers and the Editor for the constructive comments and generous feedback.