Privacy-Enhancing Decentralized Anonymous Credential in Smart Grids

https://doi.org/10.1016/j.csi.2020.103505

Highlights

  • We propose an SM2 digital signature-based set membership protocol, which could then be adopted to construct range proofs for the range $[0, u^l)$ and an arbitrary range $[a, b]$.

  • We integrate our noninteractive range proofs with permissioned blockchain (e.g. Hyperledger Fabric) to construct a novel decentralized anonymous credential protocol with enhanced privacy.

  • We evaluate our proposed protocols by implementing a prototype of our proposal and comparing it with two novel protocols in terms of communication and computation costs.

Abstract

Decentralized Anonymous Credential (DAC) protocols have shown enormous potential in smart grids for protecting user privacy (e.g. preventing a user’s daily life from being sketched out). However, the existing DAC protocols still compromise user privacy, because a full list of attributes is disclosed when showing credentials. In this paper, to construct a privacy-enhancing decentralized anonymous credential (PEDAC) protocol, we first design a more efficient range proof to hide the user’s attributes. Specifically, we are inspired by Camenisch et al. (ASIACRYPT 2008), but replace their adopted Boneh-Boyen signature scheme with the Chinese standard SM2 signature scheme (incorporated in ISO/IEC 14888-3) to propose pairing-free set membership and range proof protocols. These protocols can be executed non-interactively using the Fiat-Shamir heuristic (INDOCRYPT 2012), and then be used to construct our PEDAC protocol. Compared with the protocols of Camenisch et al. (ASIACRYPT 2008) and Poelstra et al. (FC 2018), our proposed range proofs have lower communication and computation costs and are hence more practical for constructing PEDAC protocols in smart grids.

Introduction

The smart grid is a network comprising computers and power infrastructures, which monitors and manages real-time energy usage [1], [2]. Its typical architecture comprises a control center, a collector and smart meters (see Figure 1). The smart meter is responsible for recording and transmitting messages (i.e. energy usage) to the collector. On the basis of the energy usage information collected from smart meters, the collector performs the statistical analysis and sends the results to the control center. Correspondingly, the control center is connected with the electricity distribution network, and can respond to user demand based on the received results [3].

This not only provides reliability and efficiency in timely controlling energy generation or consumption by forecasting users’ demands, but also has potential benefits for minimizing climate impact by incorporating energy sources such as geothermal and wind power. However, the connectivity between smart meter and collector for reporting energy usage information will incur vulnerabilities in Smart Grid Cyber Security [4]. For example, attackers can clearly sketch out a user’s daily life, including the times of getting up and coming back from work, through a statistical analysis of the user’s long-term and sufficient energy usage data.

To address these privacy issues, many techniques have been proposed, which can be classified into two types, namely aggregation and anonymity techniques [3], [5], [6]. The former focuses on protecting the energy usage data to achieve privacy protection, while the latter is concerned with hiding users’ identities. In this paper, we mainly study the anonymity techniques, which are much closer to practical habits, whereas the other type (such as data aggregation [7], [8]) may hinder the aforementioned potential benefits of smart grids. Specifically, we focus on the design of anonymous credentials in smart grids.

In the anonymous credential architecture, a smart meter can adopt an anonymous credential to report its energy usage information such that the collector cannot tell which smart meter is reporting. The anonymous credential, on the other hand, can also help the supplier to confirm that the report is from a valid smart meter by verifying the signature [3]. Unfortunately, existing anonymous credential systems such as [9], [10] face a fundamental limitation, namely, using blind signatures requires a central, trusted party to issue credentials. This entity may cause a single point of failure and its signing key is an obvious compromise target, either of which can seriously threaten the reliability of anonymous credential systems.

To solve these issues, several decentralized anonymous credential (DAC) protocols have been proposed (e.g. [11], [12]). Nevertheless, in these DAC protocols, a user needs to provide a full list of its attributes when showing credentials. To mitigate this privacy issue, Garman et al. in [11] further suggested using range proofs to show only those attributes that the user wants to display. However, this is not as easy as described in [11], especially when the current range proofs are not practical enough for constructing DAC protocols.

To the best of our knowledge, the most widely used recent range proofs are those proposed by Bünz et al. [13] and Camenisch et al. [14], both of which have achieved relatively short proofs with both practicality and cost efficiency. However, the former involves a number of public key operations that increases linearly with circuit size [15], and the latter requires the intractable bilinear pairing operation, which is intolerable in the environment of smart grids. Hence, before constructing a privacy-enhancing DAC (PEDAC) protocol, we first design a more efficient range proof with shorter proof size.

Inspired by the techniques of Camenisch et al. [14], we also require that the verifier provides signatures on a set of digits, and the prover proves in zero-knowledge that the secret value in its given commitment matches one of these digits, and that its commitment corresponds to one of the signatures. Instead of using the Boneh-Boyen signature mentioned in [14], we adopt the Chinese standard SM2 digital signature scheme (which is also incorporated into ISO/IEC 14888-3) to achieve pairing-free constructions with higher efficiency and shorter proof size.

Contributions. Concretely, we propose an SM2 digital signature-based set membership protocol, which could then be adopted to construct range proofs for the range $[0, u^l)$ and an arbitrary range $[a, b]$. Moreover, we integrate our non-interactive range proofs (using the Fiat-Shamir heuristic [16]) with a permissioned blockchain (e.g. Hyperledger Fabric) to construct a novel DAC protocol with enhanced privacy, namely, not only the real identity, but even the attributes can be successfully hidden. Finally, to show the advantage of our range proofs in constructing PEDAC protocols, we evaluate our proposed protocols by implementing a prototype of our proposal and comparing it with Camenisch et al.’s [14] and Poelstra et al.’s [17] in terms of communication and computation costs.
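The digit-decomposition structure that a range proof for $[0, u^l)$ and $[a, b]$ of this kind rests on, as an added example that is not code from the paper: the prover commits to each base-u digit and the verifier checks that the digit commitments recombine homomorphically to the original Pedersen commitment. The toy group parameters, all function names, and the closed-interval reduction (v - a and b - v both in $[0, u^l)$) are assumptions of this example; the per-digit set-membership proof, which the paper builds from SM2 signatures, is not reproduced because its details are not on this page.

```python
import secrets

# Toy Schnorr group, constructed for illustration only (far too small to be secure):
# P = 2Q + 1 with Q prime; G and H are squares mod P, so both have order Q.
P, Q, G, H = 2039, 1019, 4, 9

def commit(value, rand):
    """Pedersen commitment G^value * H^rand mod P."""
    return pow(G, value % Q, P) * pow(H, rand % Q, P) % P

def digits(value, u, l):
    """Base-u digits, least significant first. Fails unless 0 <= value < u^l."""
    if not 0 <= value < u ** l:
        raise ValueError("value is outside [0, u^l)")
    return [(value // u ** j) % u for j in range(l)]

def commit_digits(value, rand, u, l):
    """Prover: commit to each digit so that the randomness recombines to `rand`."""
    ds = digits(value, u, l)
    rs = [secrets.randbelow(Q) for _ in range(l - 1)]
    # Fix digit 0's randomness so that sum(r_j * u^j) == rand (mod Q).
    r0 = (rand - sum(r * u ** (j + 1) for j, r in enumerate(rs))) % Q
    return [commit(d, r) for d, r in zip(ds, [r0] + rs)]

def recombine(digit_commitments, u):
    """Verifier: prod_j C_j^(u^j), which must equal the commitment to the whole value."""
    acc = 1
    for j, c in enumerate(digit_commitments):
        acc = acc * pow(c, u ** j, P) % P
    return acc

def shifted_commitments(c, a, b):
    """Verifier: from C = Com(v; r) derive Com(v - a; r) and Com(b - v; -r) publicly."""
    low = c * pow(G, -a % Q, P) % P
    high = pow(G, b % Q, P) * pow(c, -1, P) % P
    return low, high

def prove_in_range(value, rand, a, b, u, l):
    """Prover, for [a, b] with b - a < u^l: digit commitments for v - a and b - v."""
    return (commit_digits(value - a, rand, u, l),
            commit_digits(b - value, -rand % Q, u, l))

def verify_structure(c, proof, a, b, u):
    """Verifier: both digit vectors must recombine to the publicly derived commitments."""
    low, high = shifted_commitments(c, a, b)
    return recombine(proof[0], u) == low and recombine(proof[1], u) == high
```

On its own this check says nothing about the range: it becomes a range proof only once each digit commitment is also shown, in zero knowledge, to open to a value in {0, ..., u-1}, which is the role of the set membership protocol.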

Organization. We organize the remainder of this paper as follows. In Section 2, we review the related work on anonymous credentials and blockchain in smart grids and on range proofs. Then, some preliminaries are introduced in Section 3. We further propose our protocols with security analysis in Section 4, followed by the performance evaluation in Section 5. Finally, Section 6 concludes this paper.

Section snippets

Anonymous Credentials and Blockchain in Smart Grids

The first anonymous credential architecture using blind signatures was proposed by Cheung et al. [18] for protecting users’ privacy information such as daily energy usage patterns. Since then, various solutions inspired by anonymous credentials have been proposed. For instance, Chu et al. [19] adopted a physical anonymous channel and signature to blur the relationship between a user and its signature. Diao et al. [3] proposed a linkable anonymous credential for constructing

Preliminaries

This section briefly reviews the related preliminaries in our paper.

Our proposed protocols

In this section, we will construct a novel set membership protocol based on the SM2 digital signature scheme, which could be further used to construct range proofs. Both of them are zero-knowledge arguments (satisfying completeness, soundness and honest-verifier zero-knowledge). Here, we only describe the interactive instantiation, but the Fiat-Shamir heuristic [16] can also work for us to achieve non-interactive ones. The resulting non-interactive protocols are subsequently integrated with

Performance Evaluation

To evaluate the performance of our proposed PEDAC, we first implement the prototype on the basis of Hyperledger Fabric. Specifically, we build a permissioned test chain comprising two organizations, each with one peer node, where the simulation platform has the operating system (Ubuntu LTS 16.04), CPU (Intel(R) Xeon(R) CPU E5-2667 v4 @ 3.20GHz), memory (4 GB RAM), and Hyperledger Fabric (version 1.4.0). In the built chain, we create two

Conclusion

Anonymous credentials are widely adopted technologies in privacy protection of smart grids. However, the existing anonymous credential protocols have a fundamental limitation (i.e. depending on a trusted party to issue credentials). While the existing DAC protocols can avoid the trusted parties, the full list of attributes provided when showing credentials still compromises user privacy. Range proofs can work to further hide the user’s attributes, but the current range proofs are

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Declaration of Competing Interest

The authors declare that they have no conflicts of interest.

Acknowledgements

The work was supported by the National Natural Science Foundation of China (Nos. 61972294, 61932016, 62032005), the Special Project on Science and Technology Program of Hubei Province (No. 2020AEA013), the Natural Science Foundation of Hubei Province (No. 2020CFA052) and the Wuhan Municipal Science and Technology Project (No. 2020010601012187).

References (35)

  • C. Wu et al. Probably secure efficient anonymous credential scheme. IJSI (2018).

  • C. Garman et al. Decentralized anonymous credentials. 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014 (2014).

  • R. Yang et al. Decentralized blacklistable anonymous credentials with reputation.

  • B. Bünz et al. Bulletproofs: Short proofs for confidential transactions and more. 2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, 21-23 May 2018, San Francisco, California, USA (2018).

  • J. Camenisch et al. Efficient protocols for set membership and range proofs.

  • M. Backes et al. Efficient non-interactive zero-knowledge proofs in cross-domains without trusted setup.

  • S. Faust et al. On the non-malleability of the Fiat-Shamir transform.
