2013 IEEE Wireless Communications and Networking Conference (WCNC): NETWORKS

EATH: An Efficient Aggregate Authentication Protocol for Smart Grid Communications †



Rongxing Lu† , Xiaodong Lin‡ , Zhiguo Shi†,§ , and Xuemin (Sherman) Shen†

† Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Ontario, Canada N2L 3G1
‡ Faculty of Business and Information Technology, University of Ontario Institute of Technology, Oshawa, Ontario, Canada
§ Department of Information and Electronic Engineering, Zhejiang University, Hangzhou 310027, China
Email: {rxlu, xshen}@bbcr.uwaterloo.ca, [email protected], [email protected]

Abstract—The increasing demands for improving transmission reliability and efficiency have brought wide interest in the smart grid. In current smart grid research, one of the challenges is its security. If security is not well addressed, the concept of smart grid cannot be widely accepted. In this paper, in order to simultaneously resolve the security and efficiency challenges in smart grid communications, we propose an efficient aggregate authentication protocol, called EATH, which is characterized by eliminating the Map-to-Point hash and reducing the pairing operations in aggregation and verification to improve the computational efficiency. Detailed security analysis has shown that the proposed EATH protocol is secure in terms of source authentication and data integrity in smart grid communications. In addition, performance evaluation also demonstrates its efficiency in terms of low computation and communication overheads.

Keywords— Smart Grid, Security, Aggregate Authentication

This work is supported by ORF-RE, Ontario, Canada, and National Science Foundation of China (No. 61171149).

I. INTRODUCTION

The reliable supply of high-quality power is crucial for our daily lives. However, due to the “one-way” transmission of traditional power system, the current power grid is not as reliable as we imagine. For example, the July 2012 India blackout affected almost half of India’s population, and caused a huge loss [1]. In order to address the above challenging issue, the concept of smart grid has been proposed [2], [3]. Essentially, the smart grid is characterized by integrating various technologies, i.e., advanced control and sensing, data communication, and information processing technologies, into the traditional power grid, which not only can make the power transmission more efficient and reliable from power generation, transmission, and distribution to customers, but also support the renewable energy, like the solar and wind energies, into current power grid [2], [3]. Due to these characteristics, smart grid has been paid great attention not only from government but also from the industry and academia.

As the next generation of power grid, the most promising characteristic of smart grid is its “two-way” communication, i.e., not only the power flowing from the generation to the customers, but also rich and real-time information exchanged between the control center and power grid, as shown in Fig. 1. To support the “two-way” communication, plenty of smart grid sensor nodes and smart meters should be deployed at power grid and customer sides, respectively. These smart


Fig. 1. The conceptual smart grid vision in future power system

devices collect the data relevant to the power grid and energy consumption, and periodically report these rich and real-time data to the control center for monitoring the whole power grid. Obviously, to make the “two-way” communication effective, these rich and real-time data should be not only secure but also efficient in transmission. If these data are insecure, e.g., modified by the adversary, the control center would make wrong, even dangerous decisions on power grid. On the other hand, if the transmission is not efficient, the long delay may make these real-time data useless. Quite recently, several research works on data aggregation [4]–[8] and authentication aggregation [9] have been carried out in smart grid communications to address the security and efficiency simultaneously. For the data aggregation, the homomorphic encryption technique has been widely adopted [6], [8]; while for the authentication aggregation, BLS-type aggregation signature (BLS-AG) is utilized [10]. However, since the BLS-AG requires the relatively time-consuming Map-to-Point hash and pairing operations, its computation cost is still high. In this paper, we propose a new efficient aggregate authentication protocol, called EATH, to further improve the efficiency in smart grid communications. In the proposed EATH protocol, once the control center sends a request to monitor the status of power transmission line in some area, all smart grid sensor nodes in the area will collect their sensed data, aggregate and report them to the control center. Compared with BLS-AG authentication aggregation protocol [10], the proposed EATH protocol, due to eliminating the Map-to-Point hash and reducing the pairing operations, is more efficient in terms of computation costs. In addition, with


the formal provable security technique, the security of the proposed EATH protocol is also guaranteed.

The remainder of this paper is organized as follows. In Section II, we introduce the system model, security model and design goal. In Section III, we propose our EATH protocol, followed by its security analysis and performance evaluation in Section IV and Section V, respectively. Related works are discussed in Section VI. Finally, we draw our conclusions in Section VII.

II. MODELS AND DESIGN GOALS

In this section, we formalize the system model, security model, and identify our design goal.

A. System Model

Let N = {N1, N2, · · · , Nn} be a set of smart grid sensors deployed at the power transmission in some area Area, and CC be the control center in our considered system model, as shown in Fig. 2.

Fig. 2. System model under consideration

• Control Center (CC): CC is a highly-trusted entity, whose duty is to monitor the health of the power transmission system in real time, so as to improve the power transmission capacity and predict the possible imbalance and failure.
• Smart grid sensor nodes N = {N1, N2, · · · , Nn}: Smart grid sensor nodes are important components for assisting the CC in the real-time monitoring of the power transmission. Specifically, these sensor nodes are deployed at the power transmission system; once receiving the request from the CC, they will respond with their sensed data to the CC. In order to improve the transmission efficiency, not all sensor nodes directly send their data to the CC. Instead, one aggregate node NA will be first selected from N = {N1, N2, · · · , Nn} each time, and then the NA will collect other nodes’ sensed data, aggregate them, and respond them to the CC simultaneously.

B. Security Model

In our security model, we mainly focus on how to guarantee the security of the sensed data transmitted from smart grid sensor nodes to the control center. Note that in our security model, we consider an outside adversary: it will not compromise the smart grid sensor nodes, but its goal is to forge, modify, or unduly delay the sensed data. Specifically, the following security requirements on source authentication and data integrity are desired.

• The request from the control center should be authenticated. Only the request sent from the authentic CC can be accepted by the smart grid sensor nodes. Once the adversary forges or replays a request, the malicious actions should be detected.
• The response from the smart grid sensor nodes should be secure. Only the sensed data from the sensor nodes can be accepted by the control center. Once the adversary forges a sensor node’s data, or modifies the data during the transmission, the malicious actions should also be detected.
• The security overheads in the response should be aggregated. Since the number of smart grid sensor nodes is large in smart grid communications, it requires relatively expensive security overheads, i.e., digital signature, to guarantee the security of sensed data. Therefore, in order to transmit these overheads efficiently, the overheads should be securely aggregated.

C. Design Goal

Our design goal is to propose an efficient aggregate authentication (EATH) protocol to satisfy the above security objectives. In particular, the following goals should be achieved:

• Source authentication and data integrity: The proposed EATH protocol should achieve the source authentication and data integrity in smart grid communications, so that the malicious actions launched by the outside adversary can be resisted.
• Efficiency: The proposed EATH protocol should also minimize the computation and communication costs in the aggregate authentication. That is, compared with previously reported protocol [9], the proposed EATH protocol should be more efficient.

III. THE PROPOSED EATH PROTOCOL

In this section, we propose our EATH protocol, which consists of three parts: system parameter settings, request from control center, and response from smart grid sensors. Before going to the details, we first recall the bilinear pairing technique [10], [11], which serves as the basis of the proposed EATH protocol.

A. Bilinear Pairing

Let $(G, +)$ be an additive cyclic group generated by $P$ with prime order $q$, and $(G_T, \times)$ be a multiplicative cyclic group of the same order $q$. Let $e : G \times G \to G_T$ be a bilinear map [10], [11], which satisfies the following properties:

• Bilinear: Let $P, Q \in G$ and $a, b \in \mathbb{Z}_q^*$, then $e(aP, bQ) = e(P, Q)^{ab}$.
• Non-degenerated: Let $P \in G$, then $e(P, P) \neq 1_{G_T}$.
• Computable: Let $P, Q \in G$, then $e(P, Q)$ can be easily and efficiently computable.

Definition 1 (Bilinear Parameter Generator): A bilinear parameter generator Gen is a probabilistic algorithm that


takes a security parameter $\kappa$ as input, and outputs a 5-tuple $(q, P, G, G_T, e)$, where $q$ is a $\kappa$-bit prime number, $G, G_T$ are two groups with order $q$, $P \in G$ is a generator, and $e : G \times G \to G_T$ is a non-degenerated and efficiently computable bilinear map.

Definition 2 (Computational Diffie-Hellman (CDH) Problem): Given $(P, aP, bP) \in G^3$ for unknown $a, b \in \mathbb{Z}_q^*$, the Computational Diffie-Hellman (CDH) Problem in $G$ is to compute $abP$. Define the advantage of any probabilistic polynomial time algorithm $A$ in solving CDH problem in $G$ as

$$\mathrm{Adv}^{\mathrm{CDH}}_{A} = \Pr[A(P, aP, bP) = abP \mid a, b \in \mathbb{Z}_q^*].$$

The CDH assumption is that, for any probabilistic polynomial time algorithm $A$, the advantage $\mathrm{Adv}^{\mathrm{CDH}}_{A}$ is negligible.

B. Description of EATH

1) System parameter settings: For a smart grid system under consideration, we assume that all components in the system share the same parameters. Specifically, given the security parameter $\kappa$, the bilinear parameters $(q, P, G, G_T, e)$ are first generated by running $Gen(\kappa)$. Then, two secure cryptographic hash functions $H, H_1$ are chosen, where $H : \{0, 1\}^* \to G$ and $H_1 : \{0, 1\}^* \to \mathbb{Z}_q^*$. Finally, the system parameters $param = \{q, P, G, G_T, e, H, H_1\}$ are published. The control center CC chooses a random number $x \in \mathbb{Z}_q^*$ as its private key, and calculates the corresponding public key $Y = xP$. In addition, each smart grid sensor $N_i \in N$ is equipped with a public-private key pair $(Y_i, x_i)$, where $Y_i = x_i P$ and $x_i \in \mathbb{Z}_q^*$ is a random number.

2) Request from control center: In order to monitor the weather conditions and power line temperature for determining the line’s carrying capacity in a specific area Area, the CC will periodically send a request $REQ = Area\|TS$ to all smart grid sensors $N$ in the area, where $TS$ is the current timestamp.

Concretely, the CC first sets the request REQ and then runs the following steps:

• Step 1: choose a random number $r \in \mathbb{Z}_q^*$, and compute $R = rP$;
• Step 2: use the private key $x$ to make a short signature on $REQ\|R$, i.e., $\theta = xH(REQ\|R)$ [11];
• Step 3: send REQ together with $R\|\theta$ to all smart grid sensors in the area Area.

After receiving $REQ\|R\|\theta$ from the CC, each node $N_i \in N$ first checks the timestamp $TS$ in REQ. If it is outdated, REQ will be discarded to resist the potential replay attack. Otherwise, $N_i$ continues to verify the validity of REQ by checking the following equation

$$e(\theta, P) \stackrel{?}{=} e(H(REQ\|R), Y) \tag{1}$$

If it does hold, the request REQ is authenticated; otherwise, REQ is invalid and will be rejected. The correctness is due to $e(\theta, P) = e(xH(REQ\|R), P) = e(H(REQ\|R), xP) = e(H(REQ\|R), Y)$.

3) Response from smart grid sensors: In response to REQ, each node $N_i \in N$ collects its sensed data $m_i$ and runs the following steps:

• Step 1: compute the hash value $H_1(m_i)$ of the data $m_i$;
• Step 2: make a signature $\sigma_i$ on $m_i$ with the private key $x_i$, i.e.,

$$\sigma_i = x_i R + x_i H_1(m_i) H(REQ\|R) \tag{2}$$

• Step 3: send $m_i\|\sigma_i$ to an aggregation node $N_A \in N$.

Note that, the aggregation node $N_A \in N$ is randomly chosen each time, aggregates all nodes $N$’s signatures $\{\sigma_1, \sigma_2, \cdots, \sigma_n\}$, and reports the sensed results $\{m_1, m_2, \cdots, m_n\}$ and an aggregated signature $\Phi$ to the CC. Concretely, the aggregation node $N_A$ will perform the following steps:

• Step 1: Upon receiving $m_i\|\sigma_i$ from $N_i \in N$, $N_A$ first verifies its validity by checking

$$e(\sigma_i, P) \stackrel{?}{=} e(R, Y_i)\, e(H(REQ\|R), Y_i)^{H_1(m_i)} \tag{3}$$

If it holds, $\sigma_i$ is accepted, and rejected otherwise, since

$$\begin{aligned} e(\sigma_i, P) &= e(x_i(R + H_1(m_i)H(REQ\|R)), P) \\ &= e(R + H_1(m_i)H(REQ\|R), Y_i) \\ &= e(R, Y_i)\, e(H(REQ\|R), Y_i)^{H_1(m_i)} \end{aligned} \tag{4}$$

• Step 2: After receiving $n - 1$ valid signatures from other nodes, plus its own $m_A\|\sigma_A$, $N_A$ aggregates total $n$ signatures as one aggregated signature $\Phi$ as below,

$$\Phi = \sum_{i=1}^{n} \sigma_i \tag{5}$$

and then reports $(m_1, m_2, \cdots, m_n)$ and $\Phi$ as the response RES to the CC.

Upon receiving the response RES $(m_1, m_2, \cdots, m_n)$ and $\Phi$, the CC runs the following equation to verify the aggregated signature $\Phi$,

$$e(\Phi, P) \stackrel{?}{=} e\Big(R, \sum_{i=1}^{n} Y_i\Big) \prod_{i=1}^{n} e(H(REQ\|R), Y_i)^{H_1(m_i)} \tag{6}$$

If it holds, the signature is accepted, and rejected otherwise. The correctness is due to

$$\begin{aligned} e(\Phi, P) &= e\Big(\sum_{i=1}^{n} \sigma_i, P\Big) = \prod_{i=1}^{n} e(\sigma_i, P) \\ &= \prod_{i=1}^{n} e(R + H_1(m_i)H(REQ\|R), Y_i) \\ &= e\Big(R, \sum_{i=1}^{n} Y_i\Big) \prod_{i=1}^{n} e(H(REQ\|R), Y_i)^{H_1(m_i)} \end{aligned} \tag{7}$$
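The request, signing, aggregation and verification steps above can be exercised end to end. The following is an added example, not code from the paper: it uses a toy representation in which an element aP of G is stored as the scalar a, so it checks the algebra of Eqs. (1)-(6) but provides no security. The function names, the byte encoding of REQ||R and the 30-second freshness window `max_age` are assumptions made for the example.

```python
import hashlib
import secrets

# Toy bilinear model, constructed for this example and NOT secure: the element aP of G
# is stored as the scalar a mod Q, and e(P,P)^t in G_T as the scalar t, so discrete
# logs are exposed. It only lets Eqs. (1)-(6) be executed and checked.
Q = 2**127 - 1                      # prime group order q (a Mersenne prime)
P = 1                               # generator of G in this representation

def pairing(u, v):                  # e(aP, bP) = e(P,P)^(ab)
    return u * v % Q

def gt_mul(s, t):                   # a product in G_T adds exponents
    return (s + t) % Q

def gt_pow(s, k):                   # a power in G_T multiplies the exponent
    return s * k % Q

def _to_zq(tag, data):              # hash into Z_q^* = [1, Q-1]
    digest = hashlib.sha256(tag + data).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def H(data):                        # H: {0,1}* -> G, modelled as h*P (as in Game 2)
    return _to_zq(b"H|", data) * P % Q

def H1(data):                       # H1: {0,1}* -> Z_q^*
    return _to_zq(b"H1|", data)

def keygen():                       # private key x, public key Y = xP
    x = secrets.randbelow(Q - 1) + 1
    return x, x * P % Q

def bind(req, R):                   # byte encoding of REQ||R (assumed format)
    return req + b"|" + R.to_bytes(16, "big")

def cc_request(x, area, ts):        # CC: REQ = Area||TS, R = rP, theta = x*H(REQ||R)
    req = f"{area}|{ts}".encode()
    R = (secrets.randbelow(Q - 1) + 1) * P % Q
    return req, R, x * H(bind(req, R)) % Q

def node_accepts(Y, req, R, theta, now, max_age=30):
    ts = int(req.rsplit(b"|", 1)[1].decode())
    if not 0 <= now - ts <= max_age:            # outdated TS: discard as a replay
        return False
    return pairing(theta, P) == pairing(H(bind(req, R)), Y)       # Eq. (1)

def node_sign(xi, m, req, R):                                       # Eq. (2)
    return (xi * R + xi * H1(m) * H(bind(req, R))) % Q

def verify_one(Yi, m, sigma, req, R):                               # Eq. (3)
    h = H(bind(req, R))
    return pairing(sigma, P) == gt_mul(pairing(R, Yi), gt_pow(pairing(h, Yi), H1(m)))

def aggregate(pubkeys, msgs, sigmas, req, R):                       # N_A, Eq. (5)
    for Yi, m, s in zip(pubkeys, msgs, sigmas):
        if not verify_one(Yi, m, s, req, R):
            raise ValueError("invalid signature, not aggregated")
    return sum(sigmas) % Q

def verify_aggregate(pubkeys, msgs, Phi, req, R):                   # CC, Eq. (6)
    h = H(bind(req, R))
    rhs = pairing(R, sum(pubkeys) % Q)
    for Yi, m in zip(pubkeys, msgs):
        rhs = gt_mul(rhs, gt_pow(pairing(h, Yi), H1(m)))
    return pairing(Phi, P) == rhs

def demo():
    x, Y = keygen()
    nodes = [keygen() for _ in range(5)]
    pubs = [Yi for _, Yi in nodes]
    req, R, theta = cc_request(x, "Area-7", ts=1_700_000_000)       # constructed values
    msgs = [f"line-temp={60 + i}C".encode() for i in range(5)]      # constructed readings
    sigmas = [node_sign(xi, m, req, R) for (xi, _), m in zip(nodes, msgs)]
    Phi = aggregate(pubs, msgs, sigmas, req, R)
    tampered = [b"line-temp=20C"] + msgs[1:]    # one reading modified in transit
    swapped = [msgs[1], msgs[0]] + msgs[2:]     # two nodes' readings exchanged
    return {
        "fresh_request": node_accepts(Y, req, R, theta, now=1_700_000_010),
        "replayed_request": node_accepts(Y, req, R, theta, now=1_700_000_600),
        "aggregate": verify_aggregate(pubs, msgs, Phi, req, R),
        "tampered_reading": verify_aggregate(pubs, tampered, Phi, req, R),
        "swapped_readings": verify_aggregate(pubs, swapped, Phi, req, R),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {'accept' if ok else 'reject'}")
```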

After verifying all valid data (m1, m2, · · · , mn), the CC can use these data to determine the power line’s carrying capacity in the area Area.

IV. SECURITY ANALYSIS

In this section, we will discuss the security of the proposed EATH protocol, i.e., the request from control center is secure, and the response from smart grid sensors is secure as well.


• The request from control center in the proposed EATH protocol is secure. When the CC sends the request REQ to all smart grid sensors, it also attaches the short signature $\theta$ on $REQ\|R$, where $\theta = xH(REQ\|R)$. Since the short signature $\theta$ is provably secure in the random oracle model [11], the source authentication and data integrity can be guaranteed. In addition, since REQ includes the current timestamp, the replay attack can be resisted. Therefore, the request from control center in the proposed EATH protocol is secure.

• The response from smart grid sensors in the proposed EATH protocol is also secure. In the proposed EATH protocol, in order to show the response from smart grid sensors is secure, we should prove that each sensor node $N_i$’s response $(m_i, \sigma_i)$ is unforgeable. Therefore, we first use the following theorem to prove that each sensor node $N_i$’s signature $(m_i, \sigma_i)$ is unforgeable in the random oracle model [12].

Theorem 1: Let $A$ be an adversary who can produce, with success probability $\mathrm{Succ}^{\text{EF-CMA}}_{A} = \epsilon$, an existential forgery signature of a sensor node $N_i \in N$, under chosen-message attacks within time $\tau$, after $q_h$, $q_s$ and $q_r$ queries to the hash function $H$, the $N_i$’s signing oracle, and the request oracle in the proposed EATH protocol, respectively. Then the CDH problem in $G$ can be solved with another probability $\epsilon'$ with time $\tau'$, where

$$\epsilon' = \frac{1}{q_s} \cdot \left(\frac{q_s}{q_s + 1}\right)^{q_s + 1} \cdot \epsilon, \qquad \tau' \le \tau + (2 + q_h + 3q_r + q_s) \cdot T_{sm} \tag{8}$$

where $T_{sm}$ denotes the time for a scalar multiplication operation in $G$.

Proof: We now prove the theorem based on the provable security technique with sequence games [13]. Assume that $A$ is the adversary. We define a sequence of games $Game_1, Game_2, \cdots$ of modified attack games starting from the actual game $Game_0$. With these incremental games, we reduce a CDH problem instance, i.e., given $(P, aP, bP)$ for unknown $a, b \in \mathbb{Z}_q^*$ to compute $abP$, to an attack against the sensor node $N_i$’s signature. In other words, we will show that the adversary $A$ can help us to solve the CDH problem in $G$.

$Game_0$: This is an actual game in the random oracle model [12]. The adversary $A$ is allowed to access a random oracle $O_H$, a signing oracle $O_S$ of $N_i$, and a request oracle $O_R$ from the CC in the proposed EATH protocol. At the end of the attack, the adversary $A$ can output its forged signature $\sigma_i$ on $m_i$ in response to the request $REQ\|R$, then we check whether it is a valid signature or not. We denote $Forge_0$ to be the event that the forged signature is valid and use the notation $Forge_j$ for the same meaning in any game $Game_j$. By definition, we have

$$\Pr[Forge_0] = \mathrm{Succ}^{\text{EF-CMA}}_{A} = \epsilon \tag{9}$$

$Game_1$: In this game, we simulate the key generation of the CC and the sensor node $N_i$ in the proposed EATH protocol. First, we choose a random number $\bar{x} \in \mathbb{Z}_q^*$ and replace the CC’s public key with $Y = \bar{x}P$ and private key with $\bar{x}$. For the sensor node $N_i$, we replace the public key $Y_i = x_i P$ with the challenge $aP$. Obviously, with the above construction, the distributions of $Y$ and $Y_i$ are unchanged, and the adversary $A$ cannot distinguish them from the real game. Therefore, we have

$$\Pr[Forge_1] = \Pr[Forge_0] \tag{10}$$

$Game_2$: In this game, we will simulate the random oracle $O_H$ by maintaining a hash list $\Lambda_H$. When a fresh query $REQ_j\|R_j$ is queried, we choose a random number $h_j \in \mathbb{Z}_q^*$ and compute $H(REQ_j\|R_j) = h_j P$. We then store $(REQ_j\|R_j, h_j, h_j P)$ in the hash list $\Lambda_H$ and return $H(REQ_j\|R_j)$ as the answer to the oracle query. Clearly, in the random oracle model, since $h_j$ is randomly chosen from $\mathbb{Z}_q^*$, then $H(REQ_j\|R_j)$ is uniformly distributed in $G$; as a result this game is perfectly indistinguishable from the previous one. Therefore,

$$\Pr[Forge_2] = \Pr[Forge_1] \tag{11}$$

$Game_3$: In this game, we will simulate the request oracle $O_R$ from the CC. Concretely, for each request $REQ_j$, we will proceed with the following steps.

• Randomly choose an element $R_j \in G$ with the following rule, i.e.,
  – (Type-1) with the probability $\eta \in (0, 1)$, we set $R_j = r_j P$, where $r_j \in \mathbb{Z}_q^*$, and store $(R_j, r_j)$ in a list $\Lambda_{R1}$;
  – (Type-2) with the probability $1 - \eta$, we set $R_j = r_j bP$, where $r_j \in \mathbb{Z}_q^*$ and $bP$ is the challenge, and store $(R_j, r_j)$ in another list $\Lambda_{R2}$.
• Similar to the simulation in $Game_2$, we choose a random number $h_j \in \mathbb{Z}_q^*$, compute $H(REQ_j\|R_j) = h_j P$, and store $(REQ_j\|R_j, h_j, h_j P)$ in the hash list $\Lambda_H$.
• Use the private key $\bar{x}$ of the CC to make the short signature $\theta_j = \bar{x}H(REQ_j\|R_j)$ on $REQ_j\|R_j$.

Obviously, with the above simulation, the distributions of these values are unchanged, and the signature $\theta_j$ on $REQ_j\|R_j$ is also valid. Therefore, we will have

$$\Pr[Forge_3] = \Pr[Forge_2] \tag{12}$$

$Game_4$: In this game, we will simulate the signing oracle $O_S$ of the sensor node $N_i$. In particular, when a query on sensed data $m_{ij}$ in response to the request $REQ_j\|R_j$ is submitted, the following steps are executed:

• If $R_j$ is Type-1, i.e., $R_j = r_j P$, we retrieve the entry $(R_j, r_j)$ from $\Lambda_{R1}$ and $(REQ_j\|R_j, h_j, h_j P)$ from $\Lambda_H$, and make the signature as $\sigma_i = r_j aP + H_1(m_{ij}) h_j aP$. Because $\sigma_i$ satisfies the verification equation $e(\sigma_i, P) = e(R_j, Y_i)\, e(H(REQ_j\|R_j), Y_i)^{H_1(m_{ij})}$, i.e.,

$$\begin{aligned} e(\sigma_i, P) &= e(r_j aP + H_1(m_{ij}) h_j aP, P) \\ &= e(r_j aP, P)\, e(H_1(m_{ij}) h_j aP, P) \\ &= e(r_j P, aP)\, e(h_j P, aP)^{H_1(m_{ij})} \\ &= e(R_j, Y_i)\, e(H(REQ_j\|R_j), Y_i)^{H_1(m_{ij})} \end{aligned} \tag{13}$$

the signature $\sigma_i$ is a valid simulation.

• If $R_j$ is Type-2, i.e., $R_j = r_j bP$, we abort the game directly, since we cannot simulate a valid signature $\sigma_i$.

Because $R_j$ appears as $r_j P$ with probability $\eta$, the probability that we won’t abort the game after $q_s$ signing oracle queries is $\eta^{q_s}$, and we will have

$$\Pr[Forge_4] = \eta^{q_s} \Pr[Forge_3] \tag{14}$$

$Game_5$: In this game, we observe the output of $A$’s forgery $\sigma_i$ on $m_i$ in response to the request $REQ\|R$, and execute the following steps:

• If $R$ is Type-1, that is, $R$ corresponds to one entry $(R_j, r_j)$ in $\Lambda_{R1}$ with $R_j = r_j P$, we have to abort the game, since it cannot help us to resolve the CDH problem.
• If $R$ is Type-2, that is, $R$ corresponds to one entry $(R_j, r_j)$ in $\Lambda_{R2}$ with $R_j = r_j bP$, we first retrieve $(REQ\|R_j, h_j, h_j P)$ from $\Lambda_H$, and then calculate the output of the CDH problem challenge as

$$\frac{\sigma_i - h_j H_1(m_i) aP}{r_j} = abP \tag{15}$$

Since $R$ is Type-2 with probability $1 - \eta$, the probability that we can output the CDH problem challenge $abP$ is $1 - \eta$, and therefore we have

$$\mathrm{Adv}^{\mathrm{CDH}}_{A} = \Pr[Forge_5] = (1 - \eta) \Pr[Forge_4] \tag{16}$$

From Eqs. (9)-(16), we have

$$\epsilon' = \mathrm{Adv}^{\mathrm{CDH}}_{A} = (1 - \eta)\eta^{q_s} \cdot \epsilon \tag{17}$$

Define $D = (1 - \eta)\eta^{q_s}$. When $\frac{\partial D}{\partial \eta} = q_s \eta^{q_s - 1} - (q_s + 1)\eta^{q_s} = 0$, i.e., $\eta = \frac{q_s}{q_s + 1}$, we have

$$\epsilon' = \frac{1}{q_s + 1} \cdot \left(\frac{q_s}{q_s + 1}\right)^{q_s} \cdot \epsilon = \frac{1}{q_s} \cdot \left(\frac{q_s}{q_s + 1}\right)^{q_s + 1} \cdot \epsilon \tag{18}$$

We only consider the scalar multiplication in $G$ in the simulation. Then, there are 1 scalar multiplication in $Game_1$, $q_h$ scalar multiplications in $Game_2$, $3q_r$ scalar multiplications in $Game_3$, $q_s$ scalar multiplications in $Game_4$ and 1 scalar multiplication in $Game_5$. By a simple computation, we can obtain the claimed bound

$$\tau' \le \tau + (2 + q_h + 3q_r + q_s) \cdot T_{sm} \tag{19}$$

Thus, the proof is completed.

Based on the above theorem, we have shown that each sensor node $N_i$’s response $m_i\|\sigma_i$ is unforgeable. In the proposed EATH protocol, before aggregating all sensor node $N_i$’s signature $\sigma_i$, for $1 \le i \le n$, the aggregation node $N_A$ should first verify the validity of each signature $\sigma_i$. Because of the verification, the aggregated signature $\Phi = \sum_{i=1}^{n} \sigma_i$ is also unforgeable. Suppose an adversary $A$ can forge a valid aggregated signature $\Phi$; he must have forged at least one signature $\sigma_i$. But this contradicts the result of the theorem. Therefore, the response from smart grid sensors in the proposed EATH protocol is also secure.

Summarizing the above analyses, we can clearly see that the proposed EATH protocol is secure in our security model.

V. PERFORMANCE EVALUATION

Efficient authentication and communication are crucial for the usefulness of smart grid communications. If the authentication and communication delay exceeds the required time windows, the exchanged information in smart grid communications may be useless, and even worse it could incur damage in the grid [14]. Therefore, in this section, we will evaluate the efficiency of the proposed EATH protocol in terms of computation cost and communication overhead.

Computation Cost: BLS-type aggregation signature (BLS-AG) [10] is popular and widely applied in many application scenarios. To evaluate the efficiency of the proposed EATH protocol, we first compare EATH with BLS-AG in terms of each sensor node’s signing, aggregation node’s aggregation, and the CC’s verification. Let $T_{sm}$ be the time of one scalar multiplication computation in $G$, $T_{pa}$ be the time for one pairing computation, $T_{mh}$ be the time for one Map-to-Point hash function, and $T_e$ be the time for one exponentiation in $G_T$. Then, we summarize the comparisons between EATH and BLS-AG in Table I. Note that the time for other computation operations is not included, since it is much smaller than $T_{sm}$, $T_{pa}$, $T_{mh}$ and $T_e$.

TABLE I. COMPUTATION COMPARISONS BETWEEN EATH AND BLS-AG

| | EATH ¹ | BLS-AG |
|---|---|---|
| $N_i$’s Signing | $2T_{sm}$ | $T_{sm} + T_{mh}$ |
| $N_A$’s Aggregation | $n(T_{pa} + T_e)$ | $n(2T_{pa} + T_{mh})$ |
| CC’s Verification | $T_{pa} + nT_e$ | $(n + 1)T_{pa} + nT_{mh}$ |

¹ In EATH, $H(REQ\|R)$, $e(R, Y_i)$, and $e(H(REQ\|R), Y_i)$ can be pre-computed, they are not counted here.

In order to further get the numerical comparisons, we run the JPBC, a Java Pairing-Based Cryptography Library [15], on an Intel Pentium IV 2.5 GHz machine to get the average timings of $T_{sm}$, $T_{pa}$, $T_{mh}$ and $T_e$. Based on the execution time results, we have $T_{sm}$ = 5.5 ms, $T_{pa}$ = 14.9 ms, $T_{mh}$ = 6.2 ms, and $T_e$ = 0.9 ms. Then, we compare EATH with BLS-AG in terms of $N_A$’s Aggregation and CC’s Verification in Fig. 3. From the figure, we can clearly see that our proposed EATH protocol is much more efficient than BLS-AG in terms of computational costs.

Fig. 3. Computation cost of EATH and BLS-AG varying with n: (a) $N_A$’s aggregation; (b) CC’s verification. [Plots of computation cost (ms) against n, the number of sensor nodes, for EATH and BLS-AG.]

Communication Overhead: In the proposed EATH protocol, each sensor node $N_i$’s signature $\sigma_i = x_i R + x_i H_1(m_i)H(REQ\|R) \in G$ is of the same size as the BLS short signature [11], i.e., both of them are 512 bits when they are implemented on the same supersingular curve $Y^2 = X^3 + X$. When all signatures $\sigma_i$, for $1 \le i \le n$, are aggregated as $\Phi = \sum_{i=1}^{n} \sigma_i \in G$, the size is still the same 512 bits as the BLS-AG. Fig. 4 plots the security overhead varying with the number of sensor nodes $n$ in EATH, BLS-AG, and non-aggregated authentication protocols. From the figure, we can easily see that our proposed EATH protocol is as efficient as BLS-AG in terms of communication costs, and much more efficient than non-aggregated authentication.

Fig. 4. Security overhead varying with n of EATH, BLS-AG, and non-aggregated authentication. [Plot of security overhead (bits) against n, the number of sensor nodes.]

Based on the above performance evaluation, we can conclude that our proposed EATH protocol is efficient.

VI. RELATED WORKS

Recently, there have appeared several research works that discuss aggregation techniques to improve the computation and communication efficiency in smart grid communications [4]–[9], which are generally categorized into data aggregation [4]–[8] and authentication aggregation [9].

For data aggregation, in [4], Bartoli et al. propose a secure lossless aggregation protocol for smart grid communications, which not only facilitates both hop-by-hop and end-to-end security, but also is reliable and efficient. In [5], Kursawe et al. proposed two protocols for privately computing aggregate meter measurements in smart grid. In particular, the protocols allow for fraud and leakage detection as well as further statistical processing of meter measurements, without revealing any additional information about the individual meter readings. In [6], Li et al. use the homomorphic encryption to present a distributed incremental data aggregation approach, in which data aggregation is performed at all smart meters involved in routing the data from the source meter to the collector unit. In [7], Alharbi and Lin use the one-time masking technique to present an efficient lightweight privacy-preserving aggregation scheme for smart grid. Compared with other schemes, their scheme can efficiently achieve privacy-preserving electricity consumption data aggregation in building area network. In [8], Lu et al. use the super-increasing sequence technique to propose an efficient and privacy-preserving multidimensional aggregation scheme, which can significantly reduce the computation and communication overhead during the aggregation process.

For authentication aggregation, Li et al. [9] present an efficient and robust approach to authenticate data aggregation in smart grid via deploying signature aggregation, batch verification and signature amortization schemes to lessen communication overhead, reduce numbers of signing and verification operations, and provide fault tolerance. Our proposed EATH protocol also addresses the aggregate authentication in smart grid as Li et al.’s work [9]. However, since EATH does not employ the BLS-AG in aggregation, our proposed EATH protocol is more efficient than Li et al.’s approach.

VII. CONCLUSIONS

In this paper, we have proposed an efficient aggregate authentication protocol, named EATH, for smart grid communications. The proposed EATH protocol is characterized by eliminating the Map-To-Point hash and reducing the pairing operation in aggregation and verification phases to improve the efficiency. Formal security analysis has shown the proposed EATH is secure under the considered security model. In addition, extensive performance evaluations have also demonstrated its efficiency. In our future work, we will consider some smart grid sensor nodes could be compromised, and then study the aggregate authentication under the challenging situation.

REFERENCES

[1] “2012 India blackouts,” http://en.wikipedia.org/wiki/2012_India_blackouts.
[2] X. Li, X. Liang, R. Lu, X. Shen, X. Lin, and H. Zhu, “Securing smart grid: cyber attacks, countermeasures, and challenges,” IEEE Communications Magazine, vol. 50, no. 8, pp. 38–45, 2012.
[3] Z. M. Fadlullah, N. Kato, R. Lu, X. Shen, and Y. Nozaki, “Toward secure targeted broadcast in smart grid,” IEEE Communications Magazine, vol. 50, no. 5, pp. 150–156, 2012.
[4] A. Bartoli, J. Hernández-Serrano, M. Soriano, M. Dohler, A. A. Kountouris, and D. Barthel, “Secure lossless aggregation over fading and shadowing channels for smart grid m2m networks,” IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 844–864, 2011.
[5] K. Kursawe, G. Danezis, and M. Kohlweiss, “Privacy-friendly aggregation for the smart-grid,” in PETS, 2011, pp. 175–191.
[6] F. Li, B. Luo, and P. Liu, “Secure and privacy-preserving information aggregation for smart grids,” IJSN, vol. 6, no. 1, pp. 28–39, 2011.
[7] K. Alharbi and X. Lin, “LPDA: A lightweight privacy-preserving data aggregation scheme for smart grid,” in WCSP, 2012, pp. 1–6.
[8] R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, “EPPA: An efficient and privacy-preserving aggregation scheme for secure smart grid communications,” IEEE Trans. Parallel Distrib. Syst., vol. 23, pp. 1621–1631, 2012.
[9] D. Li, Z. Aung, J. Williams, and A. Sanchez, “Efficient authentication scheme for data aggregation in smart grid fault tolerance and fault diagnosis,” in ISGT, 2012, pp. 1–8.
[10] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, “Aggregate and verifiably encrypted signatures from bilinear maps,” in EUROCRYPT, 2003, pp. 416–432.
[11] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the weil pairing,” in ASIACRYPT, 2001, pp. 514–532.
[12] M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm for designing efficient protocols,” in ACM Conference on Computer and Communications Security, 1993, pp. 62–73.
[13] R. Lu, X. Lin, Z. Cao, J. Shao, and X. Liang, “New (t, n) threshold directed signature scheme with provable security,” Inf. Sci., vol. 178, no. 3, pp. 756–765, 2008.
[14] W. Wang, Y. Xu, and M. Khanna, “A survey on the communication architectures in smart grid,” Computer Networks, vol. 55, no. 15, pp. 3604–3629, 2011.
[15] JPBC, “http://libeccio.dia.unisa.it/projects/jpbc/,” [Online].
