An ID-based Broadcast Encryption Scheme for Cloud-network Integration in Smart Grid

Abstract

The rapid growth of data has successfully promoted the development of modern information and communication technologies, which are used to process data generated by public urban departments and citizens in modern cities. In specific application areas where the ciphertext of messages generated by different users' needs to be transmitted, the concept of broadcast encryption is important. It can not only improve the transmission efficiency but also reduce the cost. However, the existing schemes cannot entirely ensure the privacy of receivers and dynamically adjust the user authorization. To mitigate these deficiencies, we propose an efficient, secure identity-based broadcast encryption scheme that achieves direct revocation and receiver anonymity, along with the analysis of smart grid solutions. Moreover, we constructed a security model to ensure wireless data transmission under cloud computing and internet of things integrated devices. The achieved results reveal that the proposed scheme is semantically secure in the random oracle model. The performance of the proposed scheme is evaluated through theoretical analysis and numerical experiments.

1. Introduction

With the rapid growth of the world population, a series of problems have appeared in urban governance. Providing some public services by the government is necessary to enhance the quality of life of citizens. A practical and safe monitoring network must be established to ensure sensitive information, such as water, electricity, and transportation. Traditional techniques and management methods are difficult to address effectively. Therefore, utilizing emerging information and communication technologies is essential to address the management of urbanization. In this context, some outstanding scholars have proposed the concept of smart cities [1,2]. For example, Zhang et al. [3] introduced the deficiencies in applying the internet of things (IoT) to smart homes, smart communities, smart grids, and public infrastructure scenarios. Ejaz et al. [4] used two practical examples to summarize the current energy management problems of IoT universities in smart cities. Specifically, the scheme in [4] considers how to effectively reduce energy consumption in the smart home, smart education, smart health, intelligent traffic systems (ITS) and smart industry application fields.

Smart grid is one of the application areas of smart cities, and it is a favorable trend for the development of power grid technology. At present, traditional power grids must rely on smart technology to achieve security information defense capabilities and self-healing capabilities to realize the development and transmission of clean energy while resisting natural disasters and external interference. What is more, smart technology can reduce costs and is costeffective [5]. However, conventional research has shown that information cannot be transmitted effectively due to the backwardness of many devices and technical deficiencies [6,7].

A possible scheme requires the smart power control center to encrypt and broadcast the ciphertext to the user for transmitting user electricity information efficiently and securely. Broadcast encryption technology allows broadcast servers to share messages with a group of receivers. However, many existing broadcast encryption schemes still have problems and challenges with smart grid data transmission. For instance, they are unable to achieve receiver anonymity. Furthermore, if the receivers leave the power system or malicious users, we must guarantee that direct revocation is implemented under data access control to adapt to the characteristics of the smart grid for transmitting lightweight files in the Internet of Things environment. Therefore, we also consider how to revoke the receivers of the specified set from the ciphertext generated. Our scheme’s main contributions are summarized as follows:

• We propose an efficient and privacy-preserving broadcast encryption scheme. Broadcast encryption is employed to guarantee transmission efficiency among broadcasters and users; Lagrange interpolation technology realizes the properties of receiver anonymity.

• The proposed scheme model combines smart grid application scenarios in smart cities for power data sharing. From the perspective of smart city users, leaving the system will cause information updates and other issues. We use the direct revocation method, which allows the user’s access privileges to be dynamically adjusted.

• We reduced expensive bilinear pairing operations to achieve more lightweight broadcasts and provided a comprehensive security proof and performance analysis of our scheme. The results showed that the efficiency and security of our scheme surpass that of existing schemes, and it is more suitable for practical applications.

In the following two sections, we will briefly review related works and the preliminaries, respectively. The proposed scheme and security proof are respectively presented in sections 4 and 5. In section 6, we present the performance evaluation. The paper is summarized in the last section.

2. Related works

At present, the emergence of sensor technology has a tremendous impact on conventional the grid, which collects detailed power information through sensor devices. Fortunately, sensor networks also provide technical support for power grid state analysis, making the traditional power grid smart. To ensure the security and privacy of information, Yasir Saleem et al. Saleem et al, 2019 [8] discussed power energy waste and data transmission security, and integrated internet of things devices to achieve the generation, distribution, transmission, and use of power data.

However, electricity consumption data may be tampered with or illegally accessed during transmission, which brings huge security risks to the smart grid environment. Only if the ciphertext and user identity satisfy the privacy-preserving properties, can the corresponding power information be safely transmitted. Therefore, smart grid access control schemes are emerging one after another nowadays. Fiat et al. [9] proposed the broadcast encryption technology in 1993, which allows the central broadcasting station to broadcast the ciphertext to any set of receivers while minimizing the transmission associated with key management. Privacy is a crucial issue in the broadcast environment. To satisfy the security and anonymity requirements of the broadcaster and receiver’s communication, the schemes in [10, 11, 12] use broadcast encryption technology to protect the privacy and confidentiality of information in a multi-receiver environment. However, the aforesaid scheme cannot achieve the complication of malevolent and revoked receiver’s adjustment access privileges. Significations, the schemes in [10] introduced Lagrange interpolation and embed user identity in ciphertext to realize receiver anonymity.

Direct revocation is an essential technique for standard broadcast encryption scheme. It is used to adjust authorization between multiple receivers such that only receivers within a receiver set specified by the smart power control center can decrypt the ciphertext. A quantity of work with direct revocation for the area has been proposed. For instance, Jia et al. [13] applied the constant-size ciphertext and private key property of revocation to a broadcast encryption scheme. To improve efficiency, Zhu et al. [14] constructed a mechanism to support designation and revocation and introduced dual-modes. In [15], Li et al. present a new broadcast encryption scheme for prime-order bilinear groups which achieves revocation. However, these works are not aimed at solving receiver anonymity.

To the best of our investigation, Lai et al. [16, 17, 18, 19] proposed broadcast encryption based on anonymous identities in 2016 and 2017, allowing the data owner to effectively broadcast ciphertext to a multi-receiver. These schemes support the direct revocation of the user’s identity, focusing on data access control, where the data owner sends ciphertexts to authorize users to realize the sharing of ciphertexts. However, these three schemes achieve identity anonymity between receivers, but a large amount of transmission and computation results in low computation efficiency. Nonetheless, in 2019, Wang et al. [20] presented an IBDE broadcast scheme and devised a secure economic data sharing protocol. The scheme is semi-adaptively semantically secure, but it does not guarantee the construction of public-key broadcast encryption by Guo et al [21]. Constructing public-key broadcast encryption could not realize privacy-preserving and authorization revocation.

3. Preliminaries

In this section, we give the smart grid solution and security goals. Table 1 provides the descriptions of the key symbols used in the proposed scheme.

Table 1. Notations and Descriptions

3.1 Smart grid solution

We consider the smart grid solution, as shown in Fig. 1. Following the smart grid solution in the IoT environment, the primary technologies for each layer are as follows:

perception layer. The perception layer is at the bottom. It mainly includes smart meters, RFID readers, sensors, monitors, M2M and other smart devices for sensing and identifying objects. Collect power consumption data of the users in the system.

Fig. 1. Example application domains in a smart city

network layer. The middle layer uses wired and wireless networks as the nerve center. This layer, called the network layer, realizes the broadcast communication transmission of events on the Internet. It mainly uses WLAN, 3G/4G network, LMDS and other internet technologies to achieve interconnection communication between the smart power control center and users.

platform layer. The middle platform layer has an aggregation switch that inherits user information gathered by the perception layer and supports the IoT infrastructure. In the integrated operating environment of the IoT, the aggregation switch can not only store, calculate, and distribute user data but also manage the user registration privileges in the system.

application layer. The top-layer in the entire architecture of information processing is the application layer. The smart power control center at the application layer can perform internal power dispatch, comprehensive evaluation, and regular maintenance of internal service equipment. For external services, whether government agencies, residential areas, schools, industrial areas or other users, it can provide a smart, accurate and secure power supply.

In many smart grid scenes, each smart meter in the perception layer is equipped with implanted sensor chips. The smart power control center could do real-time remote monitoring of the user’s power conditions by collecting the power data (i.e., power consumption, power use time and instantaneous peak power) through wireless sensor nodes.

The information gathered by the Internet is aggregated to the sink node in the platform layer directly. Then, the control devices distribute, store, and compute the power information in the integrated operating environment, respectively. Finally, apply the encapsulated information to internal services for users to access.

3.2 Security Notions

Based on the scheme in [22], our scheme defines four security models, respectively: identitybased chosen plaintext attack (IND-ID-CPA) security, anonymous identity-based chosen plaintext attack (ANON-ID-CPA) security, revocable identity-based chosen plaintext attack(IND-rID-CPA) security, and revocable anonymous identity-based chosen plaintext attack (selective ANON-rID-CPA) security. The four security goals by probability polynomial-time between adversary A and challenger Cgame to define.

Game 1. IND-ID-CPA security.

This game, under the IND-ID-CPA security model, is played between adversary A and challenger C. The security model is defined as follows:

Setup: Challenger C establishes the algorithm, inputs the security parameter λ , outputs mpk , and keeps msk .

Phase 1: Adversary A can issue private key queries. When receiving private queries about the identity setID_i , the challenger Cgenerates \(d_{I D_{i}}\) and returns it.

Challenge: Adversary A after the decision Phase 1 is over. Without the restriction of initiating a private key query for any \(I D_{i} \in S^{*}\) , adversary A outputs two messages of different lengths; M₀ , M₁ and the challenge set \(S^{*}=\left(I D_{1}, I D_{2}, L, I D_{n}\right)\). Challenger Cpicks a bit \(b \in\{0,1\}\) , and outputs the challenge ciphertextCT^∗ for M_b under S^∗.

Phase 2: Subject to the above Challenge, A issues more private key queries.

Guess: If \(b = b^{\prime}\), and adversary A outputs b′∈{0,1} and wins the game, we call the adversary game IND-ID-CPA adversary and wins the game with probability adversary \(A d v_{I N D-I D-C P A}^{A}(\lambda)=\left|\operatorname{Pr}\left[b=b^{\prime}\right]-\frac{1}{2}\right|\).

Definition 1. If the IND-ID-CPA adversary’s advantage \(A d v_{I N D-I D-C P A}^{A, M}(\lambda)\) in Game 1 is negligible in any polynomial time, the proposed ID-based broadcast encryption scheme for cloud network integration is IND-ID-CPA security.

Game 2. ANON-ID-CPA security.

The working principle of this security model is as follows: Setup, Phase 1, and Phase 2 are the same as in Game 1.

Challenge: Adversary A generates M^∗ , two different sets \(S_{0}=\left\{I D_{0,1}, I D_{0,2}, L, I D_{0, n}\right\}\) and \(S_{1}=\left\{I D_{1,1}, I D_{1,2}, L, I D_{1, n}\right\}\) for any ID_i ∈ S₀VS₁ = (S₀\S₁)∪(S₁\S₀). Challenger C outputs CT^∗ for M^∗ under S_b.

Guess: If \(b = b^{\prime}\) , and adversary A outputs b′∈{0,1} and wins the game, we call the adversary game ANON-rID-CPA adversary and wins the game with probability \(A d v_{A N O N-I D-C P A}^{A, M}(\lambda)=\left|\operatorname{Pr}\left[b=b^{\prime}\right]-\frac{1}{2}\right|\).

Definition 2. If the ANON-ID-CPA adversary’s advantage \(A d v_{A N O N-I D-C P A}^{A}(\lambda)\) in Game 2 is negligible in any polynomial time, the proposed ID-based broadcast encryption scheme for cloud network integration is ANON-ID-CPA security.

Game 3. IND-rID-CPA security.

The IND-rID-CPA security model is defined as follows: Setup, Phase 1, and Phase 2 are the same as in Game 1.

Challenge: Without the restriction of issuing private key queries, adversary A generates \(R^{*}=\left\{I D_{l_{1}}, I D_{l_{2}}, L, I D_{l_{t}}\right\}\) for any \(I D_{i} \in S^{*} \backslash R^{*}\) . Challenger C executes Encrypt and Revoke algorithms, generates CT^∗ for message M_b under S^∗ and R^∗

Guess: If b = b′ , and adversary A outputs b′∈{0,1} and wins the game, we call the adversary game IND-rID-CPA adversary and wins the game with probability \(A d v_{I N D-r I D-C P A}^{A, M}(\lambda)=\left|\operatorname{Pr}\left[b=b^{\prime}\right]-\frac{1}{2}\right|\) .

Definition 3. If the IND-rID-CPA adversary’s advantage \(A d v_{I N D-r I D-C P A}^{A, M}(\lambda)\), in Game 3 is negligible in any polynomial time, the proposed ID-based broadcast encryption scheme for cloud network integration is IND-rID-CPA security.

Game 4. Selective ANON-rID-CPA security.

Given two revocation sets of different lengths, Setup and Phase 1 are the same as in Game 1.

Init: Adversary A outputs \(R_{0}=\left\{I D_{0,1}, I D_{0,2}, \mathrm{~L}, I D_{0, t}\right\}\) and \(R_{1}=\left\{I D_{1,1}, I D_{1,2}, L, I D_{1, t}\right\}\) .

Challenge: A outputs M^∗ and broadcasts set \(S^{*}=\left(I D_{1}, I D_{2}, \mathrm{~L}, I D_{n}\right)\) . Challenger C outputs CT^∗ for M^∗ under S^∗ and R_b .

Phase 2: Adversary A initiates more private key queries to \(I D_{i} \notin R_{0} \vee R_{1}\) .

Guess: If b = b′ , and adversary A outputs b′∈{0,1} and wins the game, we call the adversary game ANON-rID-CPA adversary and wins the game with probability \(A d v_{A N O N-r I D-C P A}^{A, M}(\lambda)=\left|\operatorname{Pr}\left[b=b^{\prime}\right]-\frac{1}{2}\right|\).

Definition 4. If the ANON-rID-CPA adversary’s advantage \(A d v_{A N O N-r I D-C P A}^{A}(\lambda)\) in Game 3 is negligible in any polynomial time, the proposed ID-based broadcast encryption scheme for cloud network integration is selective ANON-rID-CPA security.

4. System construction

In this section, we introduce the application scenarios and basic construction of our scheme. The purpose of our scheme is to achieve the security of data transmission between smart grid and residential users in the cloud-network integration environment.

4.1 Basic construction of the scheme

The smart grid is a typical application scenario for broadcast encryption schemes in smart cities. In the smart grid, the data in transit (that is, between smart devices and the smart power control center) is encrypted to ensure the users’ privacy.

As shown in Fig. 2, our scheme is suitable for one-to-many ciphertext broadcast scenarios. The cloud-network model mainly includes five entities: private key generator (PKG), smart power control center, cloud server, smart device (smart meter), and data user. We assume the PKG is fully trusted and the cloud server is semi-trusted, which signifies that the cloud server follows the scheme, but is curious about the ciphertext. The PKG generates private keys for the smart power control center and receivers. Then, the smart power control center encrypts messages and transmits the original ciphertext to the cloud server. The cloud server transmits the ciphertext to the power plant and performs power transmission and computation through the network. Finally, it distributes the power ciphertext to users in residential areas. In the entire power transmission process, however, the user who can receive the key has the privileges to use the smart power service and access the ciphertext. The scheme includes the following five algorithms:

Setup(1^λ) mpk msk → : It is executed by the PKG that inputs security parameter λ :

• The PKG randomly selects a bilinear group BG = (G, G_T,  e, p), with generator P ∈ G . Then, it chooses a random integer s ∈ Z_p  , and computes public key P_sub = sP;

• It picks four collision-resistant hash functions:

\(H:\{0,1\}^{*} \rightarrow Z_{p}, H_{1}:\{0,1\}^{*} \rightarrow G, H_{2}: G_{T} \times\{0,1\}^{*} \rightarrow G \text { and } H_{3}: G_{T} \times\{0,1\}^{*} \rightarrow G\)

• Finally, the PKG outputs mpk = (BG, P, P_pub, H, H₁, H₂, H₃) and msk = s .

Fig. 2. A typical application scenario in smart grid

Keygen(mpk, msk, ID) → d_ID : On receiving (mpk,msk) and user identity ID ∈ {0,1}^∗  , the PKG executes the algorithm to compute d_ID sH₁(ID) for the user.

Encrypt(mpk, M, ,S) → CT : The broadcaster, also known as the smart power control center, inputs mpk , receiver set S = (ID₁, ID₂, L, ID_n ) and M ∈ G to be shared with the user message. It executes the following steps to generate broadcast ciphertextCT . The encryption phase model is shown in Fig. 3.

Fig. 3. Data encrypt

• It first extracts the function H from the mpk , computes X_i = H(ID_i) for i(i = 1, 2, L,  n) and constructs a polynomial function \(f_{i}(x)=\sum_{j=0}^{n-1} a_{i, j} x^{j} \bmod p\);

• It then randomly chooses two secret integers r₁ ∈ Z_p and k₁ ∈ G to compute 

\(A_{i}=k_{1}+H_{3}\left(e\left(H_{1}\left(I D_{i}\right), P_{p u b}\right)^{r_{1}}, I D_{i}\right), i \in[1, n] \text {, we have } f_{i}\left(x_{i}\right)=1 \text { and } f_{i}\left(x_{j}\right)=0 \text { for } i \neq j \text {; }\)

• It computes C₀ = k₁ + M, C₁ = r₁P and \(u_{i}=\sum_{j=1}^{n} a_{j, i-1} A_{j}, i=1,2, \mathrm{~L}, n\);

• It then sets \(H d r=\left(\left\{u_{i}: 1 \leq i \leq n\right\}, C_{1}\right)\) as broadcast-header;

• It generates the broadcast body ciphertext \(C_{M}=\left(C_{0}, A_{i}: 1 \leq n \leq i\right)\) ;

• Finally, it broadcastsCT Hdr CT = (Hdr, C_M ) to the cloud server to be stored in the smart meter.

Revoke (mpk, R, CT) → CT′ : Takes the mpk revocation identity set R and broadcasts the ciphertext CT = ( Hdr, M ) as input. The received original ciphertext CT is re-encrypted according to the identity of the revoked user to obtain the revoked ciphertext CT′ . In this process, the cloud server performs the algorithm and uses Lagrange interpolation to hide the receiver’s identity, but it cannot obtain any user identity or sensitive information from the ciphertext.

• If revocation identity set R = ∅ , then the cloud server sets CT′ = CT. Otherwise, it randomly selects an integer k₂ ∈ G to compute \(C_{0}^{\prime}=k_{2}+C_{0}\) and x_i = H(ID_i) for ID_i ∈ R. It then constructs polynomial the function \(\mathrm{g}(x)=\prod_{i=1}^{t}\left(x-x_{i}\right)=\sum_{i=1}^{t} b_{i} x^{i-1} \bmod p\);

• For any i = 1,2,L ,n, it computes T_i = g(x_i)^-1b_ik₂ ,b_i = 0, where i = t+1, t+2, L, n-1;

• It sets Hdr = ({T_i : 1 ≤ i ≤ n}) as broadcast-header after revocation;

• It then generates the broadcast body ciphertext \(C_{M}^{\prime}=\left(R, C_{0}^{\prime}\right)\);

• Finally, it broadcasts the ciphertext \(C T^{\prime}=\left(H d r, C_{M}^{\prime}\right)\) to the user and stores it in the smart meter.

Decrypt(mpk, CT', ID_i, d_ID) → M : Taking the mpk , ciphertext after revocationCT′ , receiver’s identity i ID , and privacy key dID as input, the user executes the decryption algorithm to obtain the plaintext M . The revocation phase and the decryption phase model are shown in Fig. 4.

Fig. 4. ID revoke and Data decrypt

• It extracts the functions H from the mpk , computes x_i = H(ID_i), i=1,2,L,n ;

• It parses out \(u=u_{1}+x_{i} u_{2}+x_{i}^{2} u_{3}+\mathrm{L}+x_{i}^{n-1} u_{n}\) from \(\left\{u_{i}: 1 \leq i \leq n\right\}\);

• It then obtains \(k_{1}^{\prime}=u-H_{3}\left(e\left(C_{1}, d_{I D_{i}}\right), I D_{i}\right)\) and \(k_{2}^{\prime}=T_{1}+x_{i} T_{2}+x_{i}^{2} T_{3}+\mathrm{L}+x_{i}^{t-1} T_{t}\) ;

Finally, it recovers message \(M=C_{0}^{\prime}-k_{1}^{\prime}-k_{2}^{\prime}\). If the identity satisfies ID_i ∈ S and ID_i ∉ R  , where \(k_{1}^{\prime}=k_{1}, k_{2}^{\prime}=k_{2}\) , the ciphertext is decrypted to obtain the correct plaintext.

In the definition of an encryption algorithm, the size of the revocation number t < n depends on the real situation of the application. If t = 0 , the data owner does not allow the server to revoke any user's identity. t n = indicates that the data owner allows the server to revoke any identity status in the set.

Correctness: We give the correctness of our proposed scheme as follows:

For each ID_i ∈ S  , after obtaining x_i by using its private key, we compute

\(\begin{aligned} u=& u_{1}+x_{i} u_{2}+x_{i}^{2} u_{3}+\mathrm{L}+x_{i}^{n-1} u_{n} \\ =&\left(a_{1,0}+a_{1,1} x_{i}+a_{1,2} x_{i}^{2}+\mathrm{L}+a_{1, n-1} x_{i}^{n-1}\right) A_{1} \\ &+\left(a_{2,0}+a_{2,1} x_{i}+a_{2,2} x_{i}^{2}+\mathrm{L}+a_{2, n-1} x_{i}^{n-1}\right) A_{2}+, \\ & \mathrm{L}+\left(a_{n, 0}+a_{n, 1} x_{i}+a_{n, 2} x_{i}^{2} \mathrm{~L}+a_{n, n-1} x_{i}^{n-1}\right) A_{n} \\ &=f_{1}\left(x_{i}\right) A_{1}+f_{2}\left(x_{i}\right) A_{2}+\mathrm{L}+f_{n}\left(x_{i}\right) A_{n}=A_{i} \end{aligned}\)

Then, we compute \(k_{1}^{\prime}\) as

\(k_{1}^{\prime}=u-H_{3}\left(e\left(C_{1}, d_{I D_{i}}\right), I D_{i}\right)=k_{1}+H_{3}\left(e\left(s H_{1}\left(I D_{i}\right), P\right)^{r_{1}}, I D_{i}\right)-H_{3}\left(e\left(P, s H_{1}\left(I D_{i}\right)^{r_{1}}, I D_{i}\right)\right)=k_{1},\)

For any ID_i ∈ S  and ID_i ∉ R  , g(x_i) ≠ 0 and we obtain \(k_{2}^{\prime}\) as

\(k_{2}^{\prime}=T_{1}+x_{i} T_{2}+x_{i}^{2} T_{3}+\mathrm{L}+x_{i}^{t-1} T_{t}=g\left(x_{i}\right)^{-1} k_{2} g\left(x_{i}\right)=k_{2}\)

After recovering \(k_{1}^{\prime}\) and \(k_{2}^{\prime}\) , we obtain the message as

\(C_{0}^{\prime}-k_{1}^{\prime}-k_{2}^{\prime}=k_{2}^{\prime}+C_{0}-k_{1}^{\prime}-k_{2}^{\prime}=k_{1}+M-k_{1}^{\prime}=M\)

5. Security proof

In this section, we give the security proof of the proposed scheme.

Definition 5. BDH ^[23] . Let G and G_T be multiplicative cyclic groups of prime order p and P be the generators of G and the bilinear map e: G × G → G_T . Given (P,aP,bP,cP) for unknown a,b,c ∈ Z_p  , we compute e(P,P)abc ∈ G_T . Adversary A has advantage ε, in solving the BDH problem if \(\operatorname{Pr}\left[A(P, a P, b P, c P)=e(P, P)^{a b c}\right] \geq \varepsilon\).

Theorem 1. Defines functions H and H₃ . If the BDH assumption holds, A attacks our scheme with advantage ε , the algorithm B solves the BDH problem with advantage \(\varepsilon^{\prime} \geq \varepsilon \cdot\left(e \cdot n \cdot q_{E} \cdot q_{H_{3}}\right)^{-1}\) is the number of broadcast identities, q_E is the number of queries to the private key and \(q_{H_{3}}\) is the number of queries to the hash function H₃ .

Proof. If there is IND-ID-CPA adversary, it will attack our scheme with non-negligible advantage ε . AlgorithmB is defined to solve the BDH problem with advantage ε′ . B inputs a random instance of the BDH problem (P, aP, bP, cP) and computes e(P,P)^abc . In Game 1, the interaction between simulator B and adversary A is as follows:

Setup: Simulator B sets P_pub = aP and mpk = (P, P_pub, H₁, H₂) . The response of B to the identity ID_i query is as follows:

H -query: Creates L and initializes it to be null. If the identity ID_i queried in (ID_i, c_i, t_i, l_i) already appears in L , it returns H(ID_i)=h_i , otherwise, B randomly chooses at_i ∈ Z_P^* and uses Pr[c_i = 0] = δ to choose c_i ∈{0,1} . If c_i = 0 , B computes h_i=t_ibP , otherwise, it computes h_i = t_iP , adds(ID_i, c_i, t_i, h_i) to L , and uses i h response to adversary A .

H₃ -query: The response of simulator B to the (Y_i, ID_i) query is as follows: It creates L₃(Y_i, ID_i, γ_i) and initializes it to null. If the (Y_i, ID_i) queried in (Y_i, ID_i, γ_i) appears in L₃ , it returns H₃(Y_i, ID_i)=γ_i , adds(Y_i, ID_i, γ_i)to L3 , and uses γ_i to respond to adversary A .

Phase 1: Simulator B obtains the corresponding c_i and t_i from L . If c_i and t_i do not exist, it executes H -query to obtain the corresponding c_i and t_i . If c_i = 0 , B terminates the operation, otherwise, it computes \(d_{I D_{i}}=s H_{1}\left(I D_{i}\right)=a t_{i} P=t_{i} P_{p u b}\).

Challenge: Once adversary A decides that Phase 1 is over, it outputs messages Μ₀ and Μ₁ of different lengths and broadcasts identity set S^* = (ID_1, ID₂, L, ID_n) . Simulator B performs the following steps:

• It randomly selects ID₀ ∈ S^* , \(B_{i}^{*} \in G\) and \(C_{0}{ }^{*} \in G\);

• It computes \(C_{1}^{*}=r_{1}^{*} P, r_{1}^{*} \in Z_{p}\);

• It obtains the value of H(ID_i) from L , and computes

\(A_{i}^{*}=k_{1}+H_{3}\left(e\left(H_{1}\left(I D_{i}\right), P_{p u b}\right)^{r_{1}{ }^{*}}, I D_{i}\right) \text { and } x_{i}^{*}=H\left(I D_{i}\right) ;\)

It then creates the polynomial function \(f_{i}(x)=\sum_{j=0}^{n-1} a_{i, j} x^{j}\) and computes \(u_{i}^{*}=\sum_{j=1}^{n} a_{j, i-1} A_{j}^{*}\) and defines challenge ciphertext \(C T^{*}=\left(C_{0}{ }^{*}, C_{1}{ }^{*}, r_{1}{ }^{*}, u_{i}{ }^{*}, i=0,1, \mathrm{~L}, n\right)\).

Phase 2: Adversary A cannot query the private key of ID_i , ID_i ∈ S^∗ . The response of B is the same as that of Phase 1.

Guess: Simulator B simulates the real attack environment of adversary A . If c_j = 0, H(ID_j) = t_jbP and , it checks \(e\left(d_{I D_{j}}, C_{1}^{*}\right)=e(P, P)^{t_{j} a b r_{1}^{*}}\) and simulator randomly selects (Y_j, ID_j, γ_j) from \(d_{I D_{j}}=t_{j} a b P\) L₃ , parses the corresponding t_j from L and outputs \(Y_{j}^{t_{j}^{-1}}\) . It then defines \(W_{i}=\left(e\left(H\left(I D_{i}\right), P_{p u b}\right)^{r_{1}}, I D_{i}\right)\) . Simulator B randomly selects H₃(W_i) and i u ∉ W , and computes \(A_{i}^{*}=u+H_{3}\left(W_{i}\right)\) . In accordance with this assumption, adversary A must query H₃ on at least one W_i . We define four events as follows:

E₁ : Cannot terminate private key query;

E₂ : At least one of the identities challenging the H value contains BDH problem;

E₃ : Adversary A chooses c_i = 0 to distinguish the challenge information;

E₄ : Simulator B accurately selects the solution from L₃ .

Only when all events occur at the same time, can simulator B successfully solve the BDH problem. Then, it analyzes the probability of all events. The simulation B will not terminate when each c_i = 1 is queried based on the private key. Therefore, \(\operatorname{Pr}[E r]=\operatorname{Pr}\left[c_{i}=1\right]=(1-\delta)^{q_{E}}\) where i = 1,2,L,q_E.

For event 2, it computes Pr[E₂] = δ . The probabilities of c_i = 0 and c_i = 1 are unknown to adversary A ,because the c_i is a secret value selected by the simulator B . Therefore, \(\operatorname{Pr}\left[E_{3}\right]=\frac{1}{n} \operatorname{Pr}\left[c_{i}=0\right]+\frac{1}{n} \operatorname{Pr}\left[c_{i}=1\right]=\frac{1}{n}\). However, the simulator B knows that the solution to the BDH problem is in L₃ , therefore can obtain the probability \(\operatorname{Pr}\left[E_{4}\right] \geq\left(q_{H_{3}}\right)^{-1}\). We can obtain \(\varepsilon^{\prime} \geq \operatorname{Pr}\left[E_{1} \wedge E_{2} \wedge E_{3} \wedge E_{4}\right] \cdot \varepsilon \geq(1-\delta)^{q_{E}} \cdot \delta \cdot \varepsilon \cdot\left(n \cdot q_{H_{3}}\right)^{-1}\). The function \((1-\delta)^{q_{E}} \cdot \delta\) is largest at \(\delta_{o p t}=\left(q_{E}+1\right)^{-1} \cdot \varepsilon^{\prime} \geq \varepsilon \cdot\left(e \cdot n \cdot q_{E} \cdot q_{H_{3}}\right)^{-1}\) is based on δ_opt .

Theorem 2. Three hash functions H , H2 and H3 are defined. If an adversary of ANON-ID-CPA attacks our scheme with advantage ε , simulator B solves the BDH problem with the advantage of \(\text { of } \varepsilon^{\prime} \geq \varepsilon \cdot\left(e \cdot n \cdot\left(q_{E} \cdot q_{H_{2}}+q_{E} \cdot q_{H_{3}}\right)\right)^{-1}\).

Proof. Compute e(P, P)^abc in Game 2. H -query, H₃ -query, and Phase 1 are the same as Theorem 1.

Setup: Simulator B creates mpk  = (P, P_pub, H₁).

H₂ -query: B 's response to the query of (X_i, ID_i) is as follows:

L₂(X_i, ID_i, λ_i) is initialized to be null. Simulator B checks L₂ . If (X_i, ID_i) ∈ L₂ ,  it returns H₂(X_i,ID_i) = λ_i . If not, B picks a λ_i ∈ G and sets H₂(X_i,ID_i) = λ_i. Then, it adds(X_i, ID_i, λ_i) to L₁ and responds with λ_i .

Challenge: Adversary A outputs M^∗ , broadcasts identity sets \(S_{0}=\left(I D_{0,1}, I D_{0,2}, \mathrm{~L}, I D_{0, n}\right)\) and \(S_{1}=\left(I D_{1,1}, I D_{1,2}, L, I D_{1, n}\right)\) without issuing private key queries to any \(I D_{i} \in S_{0} \vee S_{1}\) in Phase 1. Simulator B executes the following steps:

• It computes \(C_{0}^{*}=k_{1}^{*}+M^{*}\) and \(C_{1}^{*}=r_{1}^{*} P, B_{0}^{*} \in G, r_{1}^{*} \in Z_{p}, k_{1}^{*} \in G\) and \(I D_{i} \in S_{0} \vee S_{1}\) ;

• If ID_i does not exist in L , it executes H oracle, B obtains the values of H(ID_i) from L , computes \(x_{i}^{*}=H\left(I D_{i}\right)\) and creates the polynomial function \(f_{i}(x)=\sum_{j=0}^{n} a_{i, j} x^{j}\) ;

• It randomly selects \(A_{i}^{*} \in G\) for each \(I D_{i} \in S_{b} \backslash S_{1-b}\). Simulator B obtains c_i and t_i from L for each \(I D_{i} \in S_{0} \mid S_{1} \text {. If } c_{i}=0\) . If c_i = 0 , it computes \(X_{i}=e(a P, c P)^{r_{1}^{*} t_{i}}\). If c₁ = 1 and \(\left(X_{i}, I D_{i}\right) \in L_{2}\) , it obtains λ_i and sets it as \(A_{i}^{*}=\lambda_{i}\) otherwise, it randomly selects \(A_{i}^{*} \in G\) and adds a new tuple \(\left(X_{i}, I D_{i}, A_{i}^{*}\right)\) to L₂ ;

• It computes \(Y_{i}=e(a P, c P)^{t_{i}}\) . If \(\left(Y_{i}, I D_{i}\right) \in L_{3}\) , it obtains the γ_i and sets \(\omega_{i}^{*}=\gamma_{i}\) , otherwise, it picks \(\omega_{i}^{*} \in G\) and adds a new \(\left(Y_{i}, I D_{i}, \omega_{i}^{*}\right)\) to L₃ and compute \(A_{i}^{*}=k_{1}^{*}+\omega_{i}^{*}\) ;

• It then computes \(u_{i}^{*}=\sum_{j=1}^{n} a_{j, i-1} A_{j}^{*}\) , and the ciphertext after revocation is defined as \(C T^{*}=\left(C_{0}{ }^{*}, C_{1}{ }^{*}, r_{1}{ }^{*}, u_{i}{ }^{*}, i=[0, n]\right) \text { for } i=[0, n]\).

Phase 2: Adversary A issues private key queries but cannot issue the private key on \(I D_{i} \in S_{0} \vee S_{1}\) .

Guess: Simulator B ignores the adversary's guess and randomly selects(X_i, ID_i, λ_i ) from L₂ or randomly chooses(Y_i, ID_i, γ_i) from L₃ . If adversary A chooses L₂ , it outputs \(X_{j}{ }^{\left(r_{2}{ }^{*} t_{j}\right)^{-1}}\) as the solution to the BDH instance, but it outputs \(Y_{j}^{t_{j}^{-1}}\) , if it selects L₃ as analyzed by Theorem 1, exiting \(\varepsilon \cdot\left(e \cdot n \cdot q_{E} \cdot\left(q_{H_{2}}+q_{H_{3}}\right)\right)^{-1}\).

Theorem 3. Defines functions H and H₂ . If there is an IND-rID-CPA adversary A that can attack our scheme with advantage ε , the algorithm B solves the BDH problem with the advantage of \(\varepsilon^{\prime} \geq \varepsilon \cdot\left(e \cdot n \cdot q_{E} \cdot q_{H_{2}}\right)^{-1}\).

Proof. We compute e(P,P)^abc in Game 3. H -query and Phase 1 are the same as in Theorem 1, and H2 -query is the same as in Theorem 2.

Setup: Simulator B defines mpk = (P, P_pub, H₁, H₃).

Challenge: If adversary A did not initiate private key query to any ID_i ∈ S^* \ Q^*, it outputs S^*=(ID₁, ID₂, L, ID_n) , non-null revocation set \(R^{*}=\left(I D_{l_{1}}, I D_{l_{2}}, L, I D_{l_{t}}\right)\) and two messages Μ₀ and Μ ₁ of different lengths. Simulator B performs the following operations:

• It computes\(C_{0}{ }^{\prime *}=C_{0}{ }^{*}+k_{2}{ }^{*}=k_{1}{ }^{*}+M_{b}+k_{2}{ }^{*}, C_{1}{ }^{*}=r_{1}{ }^{*} P, I D_{0} \notin S^{*} \cup R^{*}, A_{0}{ }^{*}, k_{1}{ }^{*}, k_{2}{ }^{*} \in G\) and \(r_{1}^{*} \in Z_{p}\) ;

• It parses (c_i, t_i, h_i) from L for ID_i ∈ S^* | R^* . If c_i = 0 , algorithm terminates, otherwise, it computes \(X_{i}=e(a P, c P)^{t_{i}}\) . If \(\left(X_{i}, I D_{i}\right) \in L_{2}\), it returns λ_i , otherwise, it randomly selects λ_i ∈G . It defines \(A_{i}^{*}=\lambda_{i}\) and a new tuple (X_i, ID_i, λ_i) is added to L₂ . ID_i ∈ S^* \ R^* will exist for every i . It then randomly selects \(A_{i}^{*} \in G\);

• It computes \(x_{i}^{*}=H_{1}\left(I D_{i}\right) \quad, \quad f_{i}(x)=\sum_{j=0}^{n} a_{i, j} x^{j} \quad, \quad A_{i}^{*}=k_{1}^{*}+H_{3}\left(e\left(H_{1}\left(I D_{i}\right), P_{p u b}\right)^{r_{1}^{*}}, I D_{i}\right)\) and \(u_{i}^{*}=\sum_{j=1}^{n} a_{j, i-1} A_{j}\) . If there is ID_i ∈ R^∗  for each i , it computes \(x_{i}^{*}=H_{1}\left(I D_{i}\right)\) and creates the polynomial function \(g(x)=\prod_{i=1}^{t}\left(x-x_{i}^{*}\right)=\sum_{i=1}^{t} b_{i} x^{i-1} \bmod p\) ;

• It computes \(T_{i}^{*}=g\left(x_{i}\right)^{-1} b_{i} k_{2}^{*}\) for i = 0,1,2,L,t. It then defines the ciphertext after revocation as \(C T^{\prime *}=\left(R, C_{0}^{\prime *}, C_{1}^{*},\left[u_{i}^{*}, T_{i}^{*}\right]_{i=1}^{n}\right)\)

Phase 2: Adversary A cannot query the private key on ID_i ∈ S^* \ R^* .

Guess: Simulator B neglects the adversary's guess and randomly selects(X_i, ID_i, λ_i) from list L₂ , obtains t_j from L , and outputs \(X_{j}^{t_{j}^{-1}}\) . Adversary A cannot distinguish between information in security reduction. Therefore, once A outputs a terminator with a probability greater than \(\frac{1}{2}\) , and suppose we only consider the case that A chooses ID_i(HID_i(=t_ibP). Just like Theorem 1, it exists in \(\varepsilon^{\prime} \geq \varepsilon \cdot\left(e \cdot n \cdot q_{E} \cdot q_{H_{2}}\right)^{-1}\).

Theorem 4. Defines two functions H and H₁ . If selective ANON-rID-CPA adversary A can attack our scheme with advantage ε , B can solve the BDH problem with the advantage of \(\varepsilon^{\prime} \geq \varepsilon \cdot\left(t \cdot q_{H_{1}}\right)^{-1}\ .\ t\) is the number of revoked identities.

Proof. We compute e(P,P)^abc in Game 4. The interactive working process between simulator B and adversary A is as follows:

Init: A generates revoke sets \(R_{0}=\left(I D_{0,1}, I D_{0,2}, L, I D_{0, t}\right)\) and \(R_{1}=\left(I D_{1,1}, I D_{1,2}, L, I D_{1, t}\right)\).

Setup: B defines \(m p k=\left(P, P_{p u b}, H_{2}, H_{3}\right)\) , randomly selects b∈{0,1} and \( I D^{*} \in R_{b} \backslash R_{1-b}\) .

H -query: Adversary A issues H -query. Simulator B responds to i ID query as follows and creates \(L\left(I D_{i}, \mathrm{k}_{i}, h_{i}\right)\) , which is initialized to be null:

If \(I D_{i} \in L\left(I D_{i}, \mathrm{k}_{i}, h_{i}\right)\) , A returns H(ID_i)=h_i , otherwise, it randomly selects k_i ∈ Z_P. Simulator B sets h_i = k_ibP when ID_i = ID^*.

H₁ -query: Adversary A issues H₁ -query. Simulator B responds to the query of (T_i, ID_i) as follows and creates L₁(T_i, ID_i, η_i) and the list is initialized to be null:

If (T_i, ID_i) ∈ L₁ , B returns H₁(T_i, ID_i) = η_i , otherwise, it selects H₁(T_i, ID_i)=η_i , η_i ∈ G₁ and adds (T_i, ID_i, η_i) to list L₁ .

Phase 1: Adversary A issues a private key query to ID_i ∉ R₀VR₁ . The simulator obtains k_i from L and computes \(d_{I D_{i}}=s H_{1}\left(I D_{i}\right)=a k_{i} P=k_{i} P_{p u b}\).

Challenge: Adversary A outputs M^∗ and \(S^{*}=\left(I D_{1}, I D_{2}, L, I D_{n}\right)\). Simulator B executes the following steps:

• It selects \(I D_{0} \notin S^{*} \cup R_{0} \cup R_{1}, k_{1}^{*} \in G, k_{2}^{*} \in G\) computes \(C_{0}^{*}=k_{1}^{*}+k_{2}^{*}+M_{b} \text { and } C_{1}^{*}=c^{*} P\) ;

• If there is ID_i = ID^∗ for each \(I D_{i} \in S^{*}\) and ID₀ , it picks \(x^{*} \in Z_{p}\) , sets \(x_{i}^{*}=x^{*}\) , obtains (k_i, h_i) from L , and computes \(T_{i}=e(a P, c P)^{k_{i}}\) . If \(\left(T_{i}, I D_{i}\right) \in L_{1}\) , it returns η_i , otherwise, it randomly selects η_i , sets \(x_{i}^{*}=\eta_{i}\) , and adds to L₁ ;

• It computes \(f_{i}(x)=\sum_{j=0}^{n} a_{i, j} x^{j}\) and \(A_{i}^{*}=k_{1}^{*}+H_{3}\left(e\left(H_{1}\left(I D_{i}\right), P_{p u b}\right)^{r_{1}^{*}}, I D_{i}\right)\) , where \(i=0,1, \mathrm{~K} n\) , and also computes \(u_{i}^{*}=\sum_{j=1}^{n} a_{j, i-1} A_{j}^{*}\);

• For every i there is \(I D_{i} \in R_{0} \mid R_{1}\) . It obtains (k_i, h_i) from L , and computes \(T_{i}=e(a P, c P)^{k_{i}}\) . It then sets \(x_{i}^{*}=\eta_{i}\) and adds \(\left(T_{i}, I D_{i}, \eta_{i}\right)\) to L₁ . It randomly selects \(x_{i}^{*} \in Z_{p}\) for \(I D^{*} \in R_{b} \backslash R_{1-b}\) and computes \(\mathrm{g}(x)=\prod_{i=1}^{t}\left(x-x_{i}^{*}\right)=\sum_{i=1}^{t} b_{i} x^{i-1} \bmod p\) ;

• It computes \(T_{i}^{*}=g\left(x_{i}\right)^{-1} b_{i} k_{2}^{*}\) for any i = 0,1,2,L, t and defines the ciphertext revocation \(C T^{\prime *}=\left(R, C_{0}{ }^{\prime*}, C_{1}{ }^{*},\left[u_{i}{ }^{*}, T_{i}^{*}\right]_{i=1}^{n}\right)\) .

Phase 2: Adversary A issues a private key query on \(I D_{i} \notin R_{0} \mathrm{~V} R_{1}\) . The responses of the simulator are the same as that of Phase 1.

Guess: If adversary A chooses ID^∗ to distinguish revocation set, B can successfully solve the BDH problem by computing \(T^{* \frac{1}{k^*}}\) . It is not difficult to compute within the scope of Theorem 4. Finally, the probability of choosing ID^∗ to break the proposed scheme is \((t-k)^{-1} \geq t^{-1}\left(k=\left|R_{0}\right| R_{1} \mid\right)\) and we have \(\varepsilon^{\prime} \geq \varepsilon \cdot\left(t q_{H_{1}}\right)^{-1}\).

6. Performance evaluation

6.1 Comparison of functions

We analyzed the functional differences between our scheme and the other six broadcast encryption schemes. From Table 2, the schemes in [10, 12, 15] are consistent with the schemes in this paper, all of which are identity-based broadcast encryption. Combined with the changes in user privileges in smart cities, the user revocation property is used to adjust authorization identities dynamically. The schemes in [14, 15, 16] achieve the user revocation property. The schemes in [10, 11, 16] achieve receiver anonymity. The proposed scheme has certain advantages in functions when compared with the broadcast encryption schemes in Table 2.

Table 2. Functional comparison

6.2 Theoretical analysis

The computation overhead of our scheme is compared with those of schemes [17], [18] and [19], as shown in Table 3. The comparison between our scheme and other schemes in terms of storage costs is shown in Table 4.

Table 3. Computation overhead comparison

Table 4. Storage overhead comparison

1) Computation overhead comparison

In Table 3, T_p indicates the time of bilinear pairing operation, T_e indicates the time of exponential operation, T_m indicates the time of multiplication operation, T_h indicates the time of hash operation, and T_Inv indicates the time of multiplication inverse operation. The operation time sequence of standard cryptographic algorithms is \(T_{p}>T_{e}>T_{m}>T_{h}>T_{I n v}\) , and the pairing operation T_p is longer than that of other cryptographic operations. n indicates the number of user identities in the system. From Table 3, the computation overheads of the four schemes grow with the increase in the number of user identities, but our scheme is the most efficient, with computation overheads \(2 T_{h}+T_{p}+(n+1) T_{m}+T_{e}, T_{m}+T_{I n v}\) and \(T_{h}+T_{p}\) respectively.

2) Storage overhead comparison

In Table 4, we use |G₁| , |G_T| and |Z_P| to represent the lengths of elements in G₁ , G_T and Z_p respectively. In terms of storage overhead, our scheme (|G₁|+|G_T|+Z_P|) is the smallest compared with the three functions of our scheme and those of other schemes in Table 4. In the Encrypt phase, the storage overhead of the scheme in [18] is greater than that of our scheme. The storage overheads of the two other schemes are mostly the same but still larger than that of our scheme.

6.3 Numerical experiment

The accuracy and efficiency of the runtime depends on the CPU. We implemented the numerical simulation experiment using a pair-based cryptographic library under the Linux operating system. Programming was based on the C language, running on a 2.60 GHz CPU and an 8 GB RAM PC.

We analyzed the computation cost of the schemes in [17], [18], [19] and the proposed scheme in terms of Encrypt, Revoke, and Decrypt algorithms. The users’ access privileges of the other three schemes and our scheme will change. Therefore, we set the number of user identities as a variable which takes 10, 20, 30, 40, 50, and 60. In this paper, we used an average of 60 running results as the experimental results. The experimental results are shown in Fig. 5.

Fig. 5. (a). Comparisons of time in Encrypt phase; (b). Comparisons of time in Revoke phase; (c). Comparisons of time in Decrypt phase.

When there are n identities for a single identity requesting a service from the smart grid, in the Encrypt phase, the total computation overhead is \(2 T_{h}+T_{p}+(n+1) T_{m}+T_{e}\) . It can be seen from Fig. 5(a) that our scheme is more efficient than other schemes and has practical application significance.

In Fig. 5(b), the computation costs increase with the number of user identities, and the scheme’s growth [19] is particularly notable. When the number of user identities is 60, the running time of the scheme in [19] reaches 129.5ms. As shown in Fig. 5(b), the computation time of the proposed scheme is less than that of the other schemes.

As shown in Fig. 5(c), we compare the computation costs of the decryption algorithm. Obviously, the decryption time of the other schemes increases with the number of users’ identities. However, the time of our scheme is still a relatively small value because we only used some lightweight operations in this algorithm. In conclusion, our scheme has relative advantages compared with each phase of other schemes.

7. Conclusion

In this paper, we studied a fully privacy-preserving broadcast communication scheme and introduced how to apply cloud-network integration to the privacy-sensitive smart grid. Our proposed broadcast encryption scheme combines direct revocation and Lagrange interpolation technology. The scheme can dynamically adjust the receiver set and achieve identity anonymity. Compared with the existing schemes in terms of performance evaluation, security and other functionalities in detail, our scheme has made significant progress in performance. In future work, the proposed scheme will be used in biometric-based broadcast proxy reencryption scenarios to obtain practical significance.

8. Acknowledgements

This work was supported by the National Natural Science Foundation of China (Grants No. 61662071, No. 61662069, No. 61772022).