Enabling Fine-grained Access Control with Efficient Attribute Revocation and Policy Updating in Smart Grid

Abstract

In smart grid, electricity consumption data may be handed over to a third party for various purposes. While government regulations and industry compliance prevent utility companies from improper or illegal sharing of their customers' electricity consumption data, there are some scenarios where it can be very useful. For example, it allows the consumers' data to be shared among various energy resources so the energy resources are able to analyze the data and adjust their operation to the actual power demand. However, it is crucial to protect sensitive electricity consumption data during the sharing process. In this paper, we propose a fine-grained access control scheme (FAC) with efficient attribute revocation and policy updating in smart grid. Specifically, by introducing the concept of Third-party Auditor (TPA), the proposed FAC achieves efficient attribute revocation. Also, we design an efficient policy updating algorithm by outsourcing the computational task to a cloud server. Moreover, we give security analysis and conduct experiments to demonstrate that the FAC is both secure and efficient compared with existing ABE-based approaches.

1. Introduction

Compared to the traditional power grid, smart gird integrates power and communication networks to achieve a two-way communication [1, 2]. Smart grid can improve the efficiency, sustainability and reliability between the energy producers and customers. As shown in Fig. 1, a general structure of smart grid consists of six logical domains [3-5]. Each one of the four (Bulk Generation, Transmission, Distribution and User) can generate, store and deliver electricity in two-way. Control center (CC) is the core component of the smart grid which can manage all the electricity and information movement of the whole system. Users of three types (Home Area Network (HAN), Building Area Network (BAN), Industrial Area Network (IAN)) are connected to the smart grid system by Smart Meters. And the Markets are where grid assets are bought and sold [6, 14].

Fig. 1.General architecture of smart grid

The information flows in smart grid are of great significance [12, 13]. CC collects the generation and consumption data from the generators and the consumers. These data can help CC make decisions on system-level to improve the efficiency of the electricity flows. In smart grid, users’ electricity data are collected by the smart meters and aggregated at the control center. Then, the control center intends to release the sensitive aggregated data to the markets that are very interested in them in a privacy-preserving manner. By analyzing the electricity usage information such as the air-conditioner or the television usage data in a specific period of time, the advertisers can obtain the time people usually watch TV in this area and then adjust their strategies. The television sellers can determine whether users prefer to watch videos online rather than watching televisions.

To handle the data release efficiently and securely, existing literature [7, 8] adopt the Attribute-based Encryption (ABE) technique to provide fine-grained access control over the sensitive data. For practical uses, the proposed scheme must support attribute revocation since the role of the markets may dynamically change in the system. Fadlullah et al. [7] introduce Key-policy ABE technique to achieve a targeted data broadcast in smart grid but do not take the problem of attribute revocation into considerations. Ruj et al. [8] utilize ciphertext-policy ABE for data release in smart grid. However, their attribute revocation method lacks efficiency since it requires updating all the ciphertexts that contain the revoked attribute. Moreover, the access policy of the sensitive data may need to be updated. A naïve way is that CC retrieves the data and re-computes the ciphertext, which may incur heavy computation and communication cost.

On addressing the above issues, we propose a fine-grained access control scheme (FAC) with efficient attribute revocation and policy updating in smart grid in this paper.

Our Contributions. The contributions of this paper can be summarized as follows.

Compared with the preliminary conference version [14] of this paper, this journal version studies dynamic access policy updating problem for the control center. Specifically, we present the policy updating algorithm for the access control structure in the FAC to make the FAC more suitable for practical uses. Moreover, we show the policy updating algorithm is secure and efficient by giving the analysis and evaluation of the new scheme.

Organization. The remainder of this paper is organized as follows. In Section 2, the system model, security requirements and design goals are formalized. We recall bilinear pairing and CP-ABE in Section 3. In Section 4, we propose our FAC scheme. Its security analysis and performance evaluation of the FAC are shown in Section 5 and Section 6, respectively. In Section 7, we present related works. Finally, we conclude this paper in Section 8.

 

2. System Model, Security requirements and Design goals

2.1 System Model

The FAC consists of the following six entities: Certificate Authority (CA), Control Center (CC), Markets, Third Party Auditor (TPA), Cloud Sever (CS), and Attribute Authorities (AAs).

In smart grid, there are two types of networks including power network and communication network. In this paper, we mainly focus on the information flow between the control center and market. Specifically, the user electricity data are collected by the smart meters and aggregated at the control center. Then, the control center intends to distribute the sensitive aggregated to the markets securely and efficiently. On addressing the above problem, we utilize the attribute-based encryption and third-party auditor technique to outsource the data to the cloud server. Therefore, we introduce some other entities including certificate authority, attribute authorities, cloud server and third-party auditor. Specifically, CA is a globally trusted certificate authority and may be audited by the government office. CA would initialize the system by setting up the parameters for AAs and authenticating the markets. AAs are responsible for the attribute key generation including public attribute key for CC and private attribute key for markets. Every attribute is associated with a single AA, but each AA can manage a set of attributes.

As shown in Fig. 2, to securely and efficiently distribute the electricity data to the markets, the system operates in the following steps. CC first obtains the public attribute keys from AAs. Then, CC defines the access policy for the different kinds of the aggregated user electricity data and encrypts them using public attribute keys before outsourcing them to CS. Markets may first register themselves in CA and obtain private attribute keys from the AAs according to their roles in the system. When markets intend to access the electricity data on the cloud server, they would ask TPA to check the legality of their identities to help the legal markets decrypt the data by generating a decryption Token.

Fig. 2.System model

When attribute revocation occurs and some of the market’s attribute keys may need to be changed, CA and AAs would assign a new set of private keys to the market and update the associated information in TPA. And when CC intends to update the access policy, CC would only need to generate the update token and send it to CS. CS would do the updating job using the old access policies.

2.2 Security Requirements

In the FAC, the control center is the core component of the smart grid and is run by the government. Therefore, we assume it to be trusted. And we assume CA is also trusted, but we still need to prevent it from decrypting the data. AAs and TPA are curious but honest, i.e., they execute the task assigned by CA and never collude with markets to get the unauthorized data. It is reasonable since TPA and AAs are audited by government offices. CS is also curious but honest [9, 10]. Markets are dishonest and may collude to get access to the unauthorized data. Specifically, the security requirements in FAC cover the following four aspects [15].

2.3 Design goals

In order to design an efficient and secure fine-grained data release scheme in smart grid, our design goals should focus on the following aspects:

 

3. Preliminaries

3.1 Bilinear Paring

Let G, GT be two multiplicative cyclic groups of the same prime order q, and g be generator of group G . Suppose G and GT are equipped with a pairing, i.e., a non-degenerated and efficiently computable bilinear map e : G × G → GT such that e() = e(P1, Q1)ab ∈ GT for all a,b ∈ and any P1,Q2 ∈ G. We can obtain more comprehensive descriptions of pairing technique through reference [18].

3.2 Ciphertext-Policy Attribute-based Encryption

In ciphertext policy attribute-based encryption (CP-ABE) [17], ciphertexts are created with an access structure (usually an access tree) which defines the access policy. A user can decrypt the data only if the attributes embedded in her attribute keys satisfy the access policy in the ciphertext. In CP-ABE, the encrypter holds the ultimate authority of the access policy [11].

 

4. Proposed Scheme

In the FAC, the electricity data are already collected by the smart meters and aggregated by the control center. Then, the control center could first encrypt the data and outsource the data to the cloud server to enjoy a flexible and efficient data access service. Markets who are interested in the aggregated data could connect to the cloud server and access to the data with their attribute keys. In this section, we propose our FAC, which consists of the following seven phases: System Initialization, Market Attribute Keys Generation, Encryption by CC, Auditing by TPA, Decryption by Market, Attribute Revocation and Access Policy Updating.

Table 1.Notations

4.1 System Initialization

1) CA Setup

At the beginning of system initialization, CA selects a prime q, two cyclic groups G, GT of prime order q, a generator g of G, a map e : G × G → GT, two functions H : {0,1}* → G, F : {0,1}* → Zq and a secure symmetric encryption algorithm Enc(), e.g., AES. In addition, CA defines a dictionary for all the attributes of the system. For attribute i, CA generates a global attribute id xi. Then CA chooses two random numbers β,γ ∈ Zq as the system master secret key and computes e(g,g)β,gγ,e(g,g)γ. Finally, CA publishes the system parameters as:

2) AA Setup

CA distributes a set of attributes to each AA and makes sure that every two AAs do not manage the same attributes. Let Lj be the set of attributes that AAj manages. For each attribute xi ∈ Lj, AAj chooses two random numbers αxi,yxi ∈ Zq as the secret attribute key:

Then AAj computes the public attribute key for each attribute xi ∈ Lj as

3) Market Registration

If a market is legal in the system, CA assigns a global market id um to it. Then CA chooses a random number zm ∈ Zq and a random market version number vm ∈ Zq. And then CA generates a pair of global market key GMK and local market key LMK for the marketum as follows:

Next, CA sends theGMK , LMK to the market and{um,vm} to TPA secretly. In addition, CA computes the market generation key MGK as follows:

CA publishes MGK to AAs.

4.2 Market Attribute Keys Generation

AAs assign a set of attributes Im to this market according to its role. Then for each attribute xi ∈ Im, AAs generate the related market attribute key makxi,um using the market’s MGK as

Finally, AAs send the maks to markets through a secure channel.

4.3 Encryption by CC

CC encrypts the aggregated electricity data, denoted as Data, by using a symmetric encryption key k. The encrypted data is represented as Enck(Data). Then CC constructs the Linear Secret-Sharing Schemes (LSSS) matrix R according to the pre-defined access policy [19]. Each row of R is associated with one attribute that is involved in the access policy. Then CC defines a map π, mapping the row of matrix R to the attributes. And then CC encrypts the symmetric key k using the related public attribute keys and system parameters as follows:

Step 1: CC chooses a random number s ∈ Zq and a random vector v ∈ with s as its first entry, where l represents the number of the attributes involved in the R and is equal to the number of rows in the R.

Step 2: For each row of R, CC computes λx = Rx·v, where Rx is the xth row of the matrix R. Then CC chooses a random vector ω ∈ with 0 as its first entry and computes ωx = Rx·ω.

Step 3: For each row of R, CC chooses a random number kx ∈ Zq and computes the ciphertext as follows:

where π(x) maps the xth row of R to attribute xi.

Step 4: The ciphertext Cph is as follows:

Finally, CC sends the CT = {Enck(Data),Cph} to CS.

4.4 Auditing by TPA

All registered markets can query any interested encrypted data from CS. However, only if a market’s attributes satisfy the access policy embedded in the ciphertext and the market attribute keys maks contain the right market version number vm, the market um can decrypt the ciphertext with the help of TPA. Specifically, the Auditing by TPA phase consists of the following four steps:

Step1: The market um sends its market attribute keys maks and local market key LMK to TPA. TPA firstly checks the validity of maks by using the market version number vm which is generated in the Market Registration phase. TPA checks the following equation.

Step 2: If equation (9) holds, TPA computes the set of attributes {π(x): x ∈ X} ∩ Im, where Im and X represent the attributes that the market um includes and the set of rows of LSSS matrix R in ciphertext CT, respectively. For these attributes, TPA checks if there is a subset X′ of them in which (1, 0, 0…, 0) is their linear combination. If yes, it computes a set of cx ∈ Zq such that = (1, 0,0∙∙∙,0), where Rx represents the xth row of R. Otherwise, the market’s attributes do not satisfy the access policy of ciphertext CT and decryption is impossible.

Step 3: TPA computes the dec(x) for each x as follows:

Step 4: According to reference [17], and . TPA computes Token as

4.5 Decryption by Market

Upon receiving the Token, the market um can simply decrypt the ciphertext C to get the symmetric key k by using its GMK as

Then market um can use the symmetric key k to further decrypt the encrypted data Enck(Data).

4.6 Attribute Revocation

When a market’s role has been changed and some of its attributes are revoked, AAs need to re-compute a set of maks for the market. Firstly, CA chooses a new random market version number and secretly sends {um, }to TPA. Then, CA computes the new local market key as:

and sends it to the market. And then CA computes the market generation key as:

and publishes MGK' to AAs. Finally, AAs re-compute the new mak for each non-revoked attribute of market umusing the market’s new MGK' as

Thus, the revoked market attribute keys are invalid for its outdate market version number vm. TPA cannot compute the Token for the market if it uses the revoked market attribute keys.

4.7 Access Policy Updating

In this subsection, we leverage the policy updating algorithm in [23] to achieve efficient updating operation. Specifically, when CC finds the access policy defined in LSSS [19] matrix is changed, it only needs to run the update key generation algorithm to construct the update keys and send them to CS. The update key generation algorithm is defined as follows.

Update Key Generation: The update key generation algorithm UKGen takes asinputs the old secret s, the previous access policy (R,π) with the previous random vector v,ω, and the new one (R′,π′), where l′ represents the number of the attributes involved in the new access policy R′ and π′ represents the new map mapping the rows of R′to the associated attributes. Since π and π′ are non-injective, we define numπ(x),R and numπ(x),R′ as the number of attribute π(x) in R and R′, respectively.

Step 1: CC runs the PolicyCompare algorithm to compare the new policy (R′ ,π′) with the previous one (R, π) as follows.

Step 2: Then CC obtains three sets of row indexes In1,R′, In2,R′, In3,R′ of R′, where In1,R′ and In2,R′ represent the set of row indexes y of R′ such that π′(y) exists in R. Moreover, L2,R′ will include those exceeding numπ′(x),R′ − numπ′(x),R indexes y , If numπ′(x),R′ ≥ numπ′(x),R. In3,R′ represents the set of indexes y such that π′(y) is a new attribute. Let InR = {1, ∙∙∙,l} be the index set of the rows of R. Further, CC chooses two new random vectors v′,ω′ ∈ with the old secretsand 0 as its first entry, respectively and computes and , where represents theyth row of new LSSS matrix R′.

Step 3: CC computes the update key for each type of index y ∈[1, l′]. Specifically, they could be divided into three types. If (y,x) ∈ In1,R', it is Type1; If (y,x) ∈ In2,R', it is Type 2; If (y,x) ∈ In3,R', it is Type 3..

For Type 1, CC computes the update key as follows:

And set .

For Type 2, CC first chooses random numbers , ay ∈ Zq and computes the update key as follows:

For Type 3, CC chooses a number ∈ Zq, where = aykx and computes the update key as follows:

Step 4: The update key UKData is constructed as

Then, CC sends the update key UKData to CS.

Next, upon receiving the update key UKData, CS will update the ciphertext from the previous access policy to the new policy as follows:

For Type 1, CS updates the ciphertext as

where = kx.

For Type2, CS updates the ciphertext as

where = aykx.

For Type3, CS updates the ciphertext component as

The ciphertext Cph′ is as follows:

Finally, CS changes the CT as CT′ = {Enck(Data),Cph′}

 

5. Security Analysis

Given the assumptions presented in Section 2, we analyze the security properties of the FAC. Specifically, our analysis focuses on how the FAC could achieve confidentiality and privacy, fine-grained access control, collusion resistance, and secure attribute revocation and policy updating.

5.1 Confidentiality and Privacy

The aggregated user electricity data are first encrypted using the symmetric encryption method. As long as the symmetric key is well kept and distributed, the confidentiality of the data would be well preserved. Note that, CS cannot decrypt the data since it does not know the market attribute keys kept by markets and market version number vm kept by TPA. In addition, though TPA does much decryption for the markets, it still cannot get access to the electricity data without the global market key GMK . That is, only a market with valid attributes that satisfy the access policy can decrypt the ciphertext. In the system, each AA is only in charge of one kind of attribute. That is, markets obtain their market attribute keys from different AAs and each AA only knows part of their attributes. Thus, single AA cannot recover all the markets’ attribute information. Moreover, markets communicate with AAs or TPA using their global market id, i.e., only CA knows markets’ true identities. Therefore, the confidentiality of the data and markets’ privacy are well protected in the FAC.

5.2 Find-grained Access Control

CC firstly defines the access policy and uses the corresponding public attribute keys to encrypt the symmetric key that is used to encrypt the electricity data before outsourcing it to CS. The access policy defined in LSSS [19] matrix supports complex Boolean operations including both AND and OR gate. For more details about the construction of the LSSS matrix, we direct the readers to reference [17]. That is, the FAC can achieve a fine-grained access control.

5.3 Collusion Resistance

In the FAC, markets are dishonest and may intend to combine their market attribute keys to get access to the electricity data which they cannot get access individually. To address this problem, AAs would generate market attribute keys with a market’s identity and the market version number vm. If two or more markets combine their market attribute keys to satisfy the ciphertext’s access policy, in the Auditing by TPA phase. Therefore, TPA would not compute Token for the colluding markets. Thus, the proposed FAC scheme is collusion-resistant.

5.4 Secure Attribute Revocation and Policy Updating

When attribute revocation happens and some of the market’s attribute are revoked, CA would choose a new random market version number and sends it to TPA. Then AAs re-calculate the market attribute keys for the non-revoked attributes of the market. We assume that a market tries to decrypt the ciphertext using the revoked market attribute key. Unfortunately, in the auditing by TPA phase, and cannot be computed correctly since the revoked market attribute key does not contain the true version number . During the policy updating operations, CC would first obtain the old access policy and then compute the updating token using public parameters. The aim of this token-based policy updating algorithm is to make full use of the ciphertext on the cloud server to reduce the computation cost in CC. That is, all the information leaked in the policy updating phase to the CS is some relationship between the old policies and the new policies. It is acceptable since knowing this does not mean that CS could further pry into the encrypted data. That is, the FAC could achieve secure attribute revocation and policy updating.

 

6. Performance Evaluation

In this section, we evaluate the performance of FAC in terms of functionality as well as computation and communication overhead.

Table 2.Notations

6.1 Functionality

As shown in Table 3, we compare functionalities among the FAC, Ruj’s scheme [8] and Faslullah’s scheme [7]. Specifically, all the above schemes achieve access control over the outsourced data. However, Faslullah’s scheme [7] cannot achieve attribute revocation and policy updating while Ruj’s scheme [8] only supports attribute revocation. The FAC could achieve all the above functionalities.

Table 3.Comparison of Functionalities

Further, we would compare Ruj’s and the FAC in terms of computation and communication overhead as follows.

6.2 Computation Overhead

In this subsection, we focus on the computation overhead of the FAC and compare it with Ruj’s scheme [8]. Since the performance is mainly affected by the time cost of exponentiation operations in G, exponentiation operation in GT and pairing operation, we ignore the other operations. And we give the notations of symbols that are used in this subsection in Table 2.

As for the data encryption, time cost of the FAC and Ruj’s scheme [8] are almost the same, which are (2Nc + 1)Tet + (3Nc + 1)Te in the FAC and 2NcTet + 2NcTe in [8], respectively. In the Decryption by Market phase, since most of the decryption computation are moved to TPA, the market um only needs to perform an exponentiation operation in GT to decrypt the decryption token, resulting in Tet time cost in the FAC. In Ruj’s scheme, the market needs to do all the decryption tasks, and the computation overhead is (2Nc + 1)Tp + 5NcTet [8].

In the Attribute Revocation phase, when one of the market’s attributes is revoked, FAC only requires to re-compute a set of market attribute keys marks and local market key LMK for the non-revoked attributes of the market. That is, the computation overhead is 3(Nm,atrTe + Te). However, in Ruj’s scheme which requires CS to update every ciphertext that contains the revoked attribute, the computation overhead is 3Nct,atr(i)Tet.

In the policy updating phase, CC only needs to compute the update key for each type rather than re-compute the ciphertext. For Type 1, CC needs time; For Type 2, CC needs ; For Type 3, CC needs time. The operations that cost most time are moved from CC to CS. Compared with the time cost for re-computing the ciphertext that cost (2Nc + 1)Tet + (3Nc + 1)Te, this token-based updating algorithm could significantly reduce the computation overhead of CC, especially when the new access policy is little different from the old one and CS could fully make use of the previous ciphertext. The comparison of computation overhead is shown in Table 4.

Table 4.Comparison of Computation overhead

Moreover, we conduct simulation experiments on a 2.53Hz-processor, 4GB memory computing machine with MIRACL library [20] to study the execution time. In the FAC, we assume that market can include at most 20 attributes. That is, Nm,atr = 20. As for encryption phase shown in Fig. 3, the FAC achieves almost the same cost compared with Ruj’s. This is reasonable since the encryption is only required once. The computation overhead of Decryption and Revocation of FAC and Ruj’s is shown in Fig. 4 and Fig. 5. As we can see, the computation overhead for Decryption and Revocation in Ruj’s scheme linearly increase while they are constant in FAC. Then, we show the execution time of the policy updating phase in Fig. 6. We denote . As we can see, updating operation for all the three types incurs less computation overhead compared with re-computing the ciphertext.

Fig. 3.Comparison of computation overhead for encryption

Fig. 4.Comparison of computation overhead for decryption

Fig. 5.Comparison of computation overhead for revocation

Fig. 6.Comparison of computation overhead for policy updating()

6.3 Communication Overhead

In this subsection, we mainly focus on the communication overhead of the attribute revocation. When one of the market’s attributes is revoked, the FAC only requires AAs to re-compute the market attribute keys for the market and send the keys to it, resulting in at most (2Nm,atr + 1)|G| communication overhead. In Ruj’s scheme, it requires the CS to send all the ciphertexts that contain the revoked attribute to every non-revoked user which includes the revoked attribute, which incurs (Nct,atr(i)Nm,atr(i) + 1)|GT| size of transmitted messages.

If we choose a 160-bit G, and 960-bit GT with embedded degree 6 [20], we can get the comparison of communication overhead between FAC and Ruj’s as shown in Fig. 7. As we can see, the communication overhead in the FAC is constant while it is lineally increasing in Ruj’s scheme.

Fig. 7.Comparison of communication overhead for attribute revocation

 

7. Related Works

Much research effort has been directed to the security of smart grid recently. Li et.al. [1] propose an efficient privacy-preserving demand response scheme with adaptive key evolution in smart grid, which employs a homomorphic encryption to achieve privacy-preserving demand aggregation and efficient response. Yang et.al. [13] propose a ranked range query scheme in smart grid auction market, which can support both range query and ranked search.

Attribute-based encryption (ABE) is a promising technique that can achieve fine-grained access control of the encrypted data. The first ABE scheme is introduced by Sahai and Waters [21]. Then, Goyal et al. [22] classify ABE into two new forms Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE). In KP-ABE, the attribute key is generated with access control policy and the ciphertext is associated with attributes. While in CP-ABE, the ciphertext is created with access policy. Later Lewko and Waters propose a multi-authority CP-ABE scheme [17]. However their work does not consider the attribute revocation and the policy updating problem. Yu et.al. [24] propose a secure, scalable, and fine-grained data access control scheme in cloud computing by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Yuan et.al. [25] propose a secure and constant cost public cloud storage auditing scheme with deduplication.

Some research works based on ABE technique have been directed to achieve access control in smart grid. Fadlullah et al. [7] utilize KP-ABE technique to achieve targeted broadcast in smart grid. But their scheme does not consider the revocation problem. Based on Lewko and Water’ ABE scheme [17], Ruj et al. propose an access control infrastructure with revocation for smart grid [8]. However, in their scheme, attribute revocation incurs a heavy computation and communication overhead since it requires updating all the ciphertexts which contain the revoked attribute and sending them to every non-revoked user. Moreover, both the above schemes do not consider the policy updating problem. Yang et.al. [23] propose an efficient access control scheme with dynamic policy updating, which outsources the updating work to the cloud and supports different types of access policies.

 

8. Conclusion

In this paper, we proposed a fine-grained access control scheme (FAC) with efficient attribute revocation and policy updating in smart grid. The proposed FAC is more suitable for practical access control issues since it supports dynamic operations. Moreover, we gave thorough security analysis and demonstrated that the FAC can achieve high level security guarantees. In addition, performance evaluation and analysis show that the FAC is more efficient compared with the existing schemes through comprehensive experiments. For the future work, we would explore privacy-preserving data aggregation problem in smart grid.