Secure and efficient sharing of authenticated energy usage data with privacy preservation

Secure and Efficient Sharing of Authenticated Energy Usage Data with Privacy Preservation

Journal Pre-proof

Secure and Efficient Sharing of Authenticated Energy Usage Data with Privacy Preservation Jianghua Liu, Jingyu Hou, Xinyi Huang, Yang Xiang, Tianqing Zhu PII: DOI: Reference:

S0167-4048(20)30040-7 https://doi.org/10.1016/j.cose.2020.101756 COSE 101756

To appear in:

Computers & Security

Received date: Revised date: Accepted date:

9 August 2019 12 December 2019 8 February 2020

Please cite this article as: Jianghua Liu, Jingyu Hou, Xinyi Huang, Yang Xiang, Tianqing Zhu, Secure and Efficient Sharing of Authenticated Energy Usage Data with Privacy Preservation, Computers & Security (2020), doi: https://doi.org/10.1016/j.cose.2020.101756

This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2020 Published by Elsevier Ltd.

Secure and Efficient Sharing of Authenticated Energy Usage Data with Privacy Preservation Jianghua Liu1 , Jingyu Hou1 , Xinyi Huang2 , Yang Xiang3,4 , and Tianqing Zhu5 1

School of Information Technology, Deakin University, Australia [email protected], [email protected] 2 Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Mathematics and Informatics, Fujian Normal University, China [email protected] (Corresponding Author) 3 Digital Research & Innovation Capability Platform, Swinburne University of Technology, Australia [email protected] 4 State Key Laboratory of Integrated Service Networks (ISN), Xidian University, China 5 School of Computer Science, University of Technology Sydney, Australia [email protected]

Abstract. As a technological innovation, smart grid improves electricity services in terms of substantiality, economics, efficiency, and reliability. This owes to the bi-directional communication property which not only enables the fine-grained energy usage data to be available for different entities but also facilitates the automated grid management. However, sharing such energy usage data with other parties could potentially cause the leakage of customers’ sensitive information. In addition, the data are vulnerable to be tampered with by any internal or external attacker such that the value of data could be destroyed. Therefore, it is crucial to preserve customers’ privacy and provide authenticity verifiability while sharing energy usage data with other parties. In this paper, we propose a bilinear-map accumulator based redactable signature scheme (RSSBMA) which allows customers to safeguard their privacy while guaranteeing the verifiability of shared data. Furthermore, the batch-data-block verification property of our design enhances not only efficiency but also security by prohibiting additional redaction to a batch of data blocks. We analyze the efficiency and security of our proposed scheme extensively, and the results indicate our construction is more practical than others.

Keywords: Smart grid, data sharing, data authentication, privacy preservation, redaction control

1

Introduction

Smart grids, as the envision of next generation of electricity grid system, have been adopted by many countries. Compared with traditional power grids, the

2

J. H. Liu et al.

electricity services smart grids provided are more substantial, economic, reliable, and efficient [13]. Smart meter, one of the vital devices used in the smart grid system, has the capability to monitor and report electricity usage information frequently via customers’ permission. The increasingly development of smart meter technology enables the bi-directional communication of fine-grained electricity usage data between customers and utility companies. With the help of such data, utility companies could make adjustment to improve efficiency and reliability of their services. For instance, to avoid service outage and improve the stability of the smart grid, utility companies can predict the peak demand with the fine-grained and real-time data. On the other hand, customers are also encouraged to access their own energy usage data to improve their energy usage efficiency by adjusting their energy consumption behaviors. Furthermore, through sharing the energy usage data with third-party service providers, such as social gaming sites, demand respond aggregators, data analytic service provider, et al., customers can benefit from their services. While enjoying all the benefits for both customers and utility companies, sharing energy usage data poses numerous security challenges which affect the scalability, usability, and overall performance of smart grid systems. For instance, once the energy usage data is shared with other parties, customers have no further control over their own data. This intensify concerns’ concerns of privacy leakage. The reason is that utility companies often outsource the data analytics of customers’ energy usage data to third parties. Even worse, the customer’s energy usage data could lead to personally identifiable information disclosure such as billing information and behavioral information like what type of appliances are used and when. Such energy-related information could provide business intelligence to competitors or support criminal targeting of customers’ home. However, under the current circumstance, customers’ privacy is not the priority. Although NIST recommended some privacy preservation methods, such as efficient enforcement of the privacy policies, minimization the disclose of customers’ energy usage data, acquisition of customers’ agreement on the subject of data utilization and sharing, et al., these regulations mainly aimed at utility companies rather than third-party service providers. Moreover, the services of demand response aggregators have been launched by a number of third-party service providers to facilitate the large-scale services. Regardless of whether the data is necessary for services providing, the third-party service providers prefer to collect as much data as possible. This violates the principle of minimal disclosure which is crucial for the privacy preservation in data sharing. Therefore, it is crucial to preserve privacy of individual customers while sharing energy usage data with third parties. Customer-centric energy usage data management [20] is regarded as a promising approach to alleviate customers’ concerns about privacy disclosure while sharing data with the third parties. In this framework, energy usage data collected by utility company customers are available for customers who can download and store the data on their repository for further utilization. Moreover, customers can control the repository and share some data with third parties to

Title Suppressed Due to Excessive Length

3

obtain some services. To protect their privacy, customers desire to minimize the quantity of released data while acquiring maximum services. In other words, it is possible for customers to remove part of the data they are reluctant to share with or that they deem unrelated to the service. However, to skew the personal usage history and gain illegitimate advantages, a dishonest customer may falsify his/her energy usage data, especially when billing are involved. Thus, in addition to the privacy disclosure concern from customers’ perspective, the integrity and authenticity of energy usage data is also extremely important for third-party service providers to provide services. Since energy usage data are vulnerable to be tampered with by any internal/external attacks or accidental errors, the third party should confirm that the energy usage data customers supplied are indeed from the utility companies and have never been modified. Conventional digital signatures offer such a security protection [22]. While digital signatures could protect energy usage data from any alteration, they also prohibit customers to hide part of the signed data for privacy preservation. This is because any alternation to the signed data could invalid the signature. Thus, conventional digital signatures are invalid for guaranteeing both privacy and integrity of energy usage data. Redactable signatures [17] can inherently and technically solve the incompatibility between the integrity verification and privacy preservation in energy usage data sharing. In the conventional Redactable Signature Schemes (RSSs), part of the signed data are removable by any party while the origin and integrity of the revealed data are still verifiable. As a result, the remaining data and signature disclose no information about the removed part. Hence, RSSs are such a promising solution in those situations where data authentication and privacy preservation are required simultaneously. The architecture of deploying RSSs in energy usage data sharing is shown in Fig. 1 which involves three parties: a customer with a repository under his/her control, a service provider (data consumer), and a utility company (data custodian). With the smart meter installed at customers’ home, the utility company collects customers’ power consumption data. Once receiving customers’ request, the utility company computes a redactable signature for the data, and then sends the data-signature pair to the customer. The data-signature pair is stored on customers’ repository for further access and utilization. In addition, customer can issue commands to the repository for data sharing. The repository generates a minimal-disclosure form of energy usage data and signature according to customers’ command. The third-party service provider can verify the integrity and origin of the shared data without obtaining any additional information of the removed parts. 1.1

Related Work

Customer privacy disclosure concerns is one of the unintended consequences in smart grid systems. A number of privacy preserving schemes have been introduced to solve this security challenge from a technical perspective. The scheme

4

J. H. Liu et al.

Service Provider

Signed energy usage data

Repository

Energy usage data Smart Meter

Utility

Customer

Fig. 1. The framework of sharing energy usage data under RSSs.

proposed in [46] intended to prevent the collection of privacy by utilizing noninteractive zero-knowledge proof. However, their scheme requires to update the present smart meter infrastructure which is impracticable. In [49], the authors proposed a cryptographic construction to prevent the data aggregator to learn any information of each individual’s privacy. Adding noise [1, 33] in energy usage data is another privacy preserving mechanism in this scenario. Yet the data generated under this mechanism is with lower granularity. In addition, various of privacy preserving schemes have been introduced [2, 19, 29, 36, 44, 45]. Nevertheless, none of the above schemes focused on the privacy disclosure against the third-party service provider in data sharing by allowing customers to have control on the amount of information to be disclosed. The customer can edit their data without any limitation before sharing if privacy is the only requirement. However, as discussed in [20], the third-party service provider should guarantee the shared data is reliable and meaningful such that they can provide the corresponding services. In other words, the integrity and origin of data provided by customers should be verified by the third-party. In the last decade, several authentication protocols have been introduced to solve the data security challenges in smart grid systems. Chim et al. [10] proposed a gateway-assisted authentication scheme of power usage data for smart grid network with privacy protection. However, the homomorphic encryption mechanism adopted in their work suffers from the weakness of inefficiency. To improve the efficiency, an ECC-based authentication scheme for smart grid was proposed by Mahmood et al. [32] to protect privacy disclosure. Koo et al. introduced a scheme with multi-source smart meters authentication and privacypreserving aggregation [18]. Most recently, Li et al. [23] also introduced a highly efficient and provably secure data authentication scheme for smart grid system. Whereas, Wu et al. [53] demonstrated that the scheme in [23] cannot provide secure data authentication and not practical in smart grid systems. At present,

Title Suppressed Due to Excessive Length

5

although there exist varieties of mechanisms to response the data authentication and privacy threat in smart grid system, customers still have no confidence in safeguarding their privacy while share their energy usage data with third-party service providers. Redactable signature schemes can inherently solve the authentication and privacy preservation issues under the data-owner-centric data sharing model. Since the introduction of redactable signature [17, 51], it has been deployed in a number of practical scenarios, such as smart grid systems, government documents release, health data sharing [25, 26], etc. To eliminate the document sanitizing problem in releasing official information, Miyazaki et al. [35] proposed a redactable signature scheme with additional redaction control. In their design a redactor can decide which portion of the signed document should be disclosed, and the redactor are allowed to assign a condition to forbidden the additional sanitizing attack. However, their following work [34] indicates that the scheme in [35] could reveal the number of deleted data blocks, which does not satisfy the transparency security property of RSSs. Thus, in the work, the authors proposed an invisible signed document redaction scheme based on aggregate signature. Secure sharing of patients’ health data in medical healthcare systems is one of the most extensive applications of RSSs [7, 27, 28, 30, 31]. Furthermore, RSSs have also been applied in resolving privacy disclosure and authentication of shared data in smart grid systems [20, 41] and social networks [40]. Recently, Derler et al. [11] presented a general construction mechanism of RSSs based on cryptographic accumulators. This general framework eliminates the necessity to construct specialized security models and schemes tailored to specific application scenarios. However, the signature verification cost and signature length increase linearly with the the number of data blocks. In order to improve the efficiency of signature verification, a batch verification scheme should be a good alternative solution. In 1989, Fiat [14] introduced batch verification for a variant of RSA. Later, Naccache et al. [37] proposed the first efficient batch verifier for Digital Signature Algorithm (DSA) signatures; however, an interactive batch verifier was broken by Lim and Lee [24]. Laih and Yen [54] proposed a new method for batch verification of RSA and DSA signatures in 1995, but the RSA batch verifier was broken by Boyd and Pavlovski [6] five years later. In 1998, Harn presented batch verification technique for RSA [16], but it was later broken by Boyd [6]. In 2000, Boyd and Pavlovski published some attacks against different batch verification schemes, mostly ones based on the small exponents test and related tests [6]. However, the authors also describe methods to repair some broken schemes based on this test. In 2004, A new ID-based signature scheme with batch verification was proposed by Yoon et al. [9], but the security proof is for aggregate signatures and does not meet the definition of batch verification by Bellare et al. [3]. A method was proposed for identifying invalid signatures in RSA-type batch signatures [21], but Stanek [50] showed that this method is flawed. Shacham and Boneh [48] gave a practical application of batch verification signature scheme to improve the efficiency of Secure Sockets Layer (SSL) handshakes on a busy server. Depending upon the

6

J. H. Liu et al.

application and security requirements, the choice of digital signature and its batch verifcation scheme is made. As per our knowledge, there is no batch verifcation scheme implemented in the environment of sharing energy usage data in smart grid system with privacy preservation. 1.2

Motivation

By applying redactable signature scheme in the sharing of customer energy usage data, a customer is allowed to hide some sensitive part of his/her energy usage data while the data authenticity is verifiable by any third party. Although RSSs allow customers to execute show-or-hide control to the energy usage data, it could destroy the usability of data. It is desirable for customers to share minimal data to third party while obtaining maximal service. On the other hand, third-party service providers should ensure that the shared data is sufficient and meaningful for the corresponding service. In some cases, the data blocks can be organized or combined in different ways such that releasing an arbitrary combination of data blocks or an individual data block often invalids utilization of energy consumption data. Therefore, it is crucial to deploy release control mechanism for customers and third parities to protect their respective interests. The release control mechanism was introduced by Steinfeld et al. [51] in which signers can specify the redactable portions of authenticated document. However, the release control mechanism’s complexity increases exponentially with the number of subdocument blocks. Miyazaki et al. [35] firstly proposed a signed document redaction scheme supporting additional redaction control. Nevertheless, the communication cost for signature transmission is relatively high. Besides, the redacted signature reveals the number of deleted portions which violates the privacy security property. Therefore, in their following work [34], they proposed a new redactable signatrure scheme which solved the privacy issue in their previous work. Nonetheless, both the communication and computation performance of this scheme is relatively poor. Recently, Ma et al. [31] introduced a novel and generalized construction of RSSs with fine-grained redaction control which permits signer to assign a redaction control policy to regulate the redaction operation of redactors. Afterwards, they proposed several RSSs [27,28] with fine-grained redaction control mechanism to resolve the privacy disclosure issues while releasing authenticated data in different scenarios. To regulate which party has the authority to execute the redaction operation, Pohls et al. [43] proposed the notion of RSSs with redactor accountability and gave a generic construction. Furthermore, Derler et al. [11] introduced the notion of designated redactors mechanism in the design of RSSs to control the redaction operation of redactor. Despite a number of related works have introduced the idea of regulating redactor’s impermissible redaction operation in the design of RSSs, most of them achieved this at the cost of efficiency performance or security. Besides, the computation and communication cost of most available RSSs increase linearly with the number of data blocks, which is not practical enough to be deployed in secure sharing of customers’ energy usage data. In this work, our aim is to introduce an efficient RSS to assure secure sharing of energy usage data.

Title Suppressed Due to Excessive Length

1.3

7

Contribution

To satisfy the aforementioned requirements for secure and efficient sharing of energy usage data, a new construction of redactable signature scheme is proposed. It does not only protect customers’ privacy but also provides data verifiability for third-party service providers. In this work, the utility company is also allowed to regulate the dependency of data blocks while generating a redactable signature for the data such that any party cannot proceed additional redaction operation to a group of data blocks that is a redacted version. The main contributions of this work are summarized as follows: – We for the first time propose a concrete redactable signature scheme based on bilinear-map accumulator (RSS-BMA) for secure and efficient sharing of energy usage data. Our proposed solution solves the integrity and origin authentication of shared energy usage data with privacy preservation. – In our design, data blocks are grouped such that only those blocks in the same group could be redacted together which realizes batch-data-block verification. This property not only improves the efficiency of signature verification but also enhances the security of shared energy usage data by prohibiting the redaction of data blocks in different bathes. – We formally define and prove the security properties of RSS-BMA in unforgeability, privacy, and transparency, respectively. The analysis results indicate our scheme satisfies the security requirements for energy usage data sharing. – We conduct an efficiency evaluation of our RSS-BMA by comparing it with other related works in theoretical and practical methods. Both the analysis results show that our scheme is more practical for the secure sharing of energy usage data with privacy preservation. 1.4

Paper Organization

The rest of this paper is organized as follows. In Section 2, several cryptographic primitives used in this paper are introduced. The scheme definition and security definitions of RSS-BMA are described in Section 3. Section 4 presents our concrete construction of RSS-BMA and its correctness analysis. We prove the security and analyze the efficiency of our RSS-BMA in Section 5. Finally, we conclude this paper in Section 6.

2

Preliminaries

In this section, several general notations used throughout this work are presented. Subsequently, the basic cryptographic primitives used during the work are provided, including the bilinear pairings, bilinear-map accumulator and digital signatures.

8

2.1

J. H. Liu et al.

General Notations

The assignment of a independently and uniformly distributed random element R from the set S to the variable s is denoted with s ← S. Let integer λ ∈ N represent the security parameter which determines the secret key size controlling security level of a cryptographic scheme. The symbol ⊥∈ / {0, 1}∗ means an error or an exception output of an algorithm. The symbol AdvEvent exp (λ) indicates the probability of event Event happens in experiment exp. If the success probability is a negligible function of λ for any PPT (probabilistic polynomial time) attacker in breaking a cryptographic protocol, we say that this protocol achieves the security notion. Notice that a function (λ) is called negligible if there exists λ0 such that (λ) < λ1 for all  > 0 and λ > λ0 . 2.2

Bilinear Pairings

Let G1 , G2 , and GT be three cyclic multiplicative groups of the same prime order p, where G1 and G2 are generated by g1 and g2 , respectively [39]. Suppose there exists an isomorphism ψ from G2 to G1 such that ψ(g2 ) = g1 . Let e be a bilinear map e : G1 × G2 → GT satisfying the following properties: 1. Computability: For all g1 ∈ G1 and g2 ∈ G2 , there is an efficient algorithm to compute e(g1 , g2 ); 2. Non-degenerate: e(g1 , g2 ) 6= 1; 3. Bilinearity: ∀u ∈ G1 , v ∈ G2 and a, b ∈ Zp , e(ua , v b ) = e(u, v)ab . For simplicity, we set g1 = g2 = g and G1 = G2 = G. A uniformly distributed bilinear pairing parameter tuple t = (p, G, GT , e, g) is generated through a Bilinear Pairing Instance Generator which is defined as a PPT algorithm G that takes as input the security parameter 1λ . 2.3

Bilinear-Map Accumulator

With cryptographic accumulators [4], a finite set X = {x1 , . . . , xn } could be accumulated into a single succinct value accX . For each member value xi ∈ X , a witness witxi is efficiently computed to verify if xi is accumulated in acc. On the contrary, for any non-accumulated y ∈ / X , it is computationally infeasible to find a witness to prove that y is a value accumulated in acc. Although numerous accumulator schemes such as RSA accumulators, bilinear-map accumulators and hash-based accumulators have been proposed, the experimental results in [52] show that bilinear-map accumulator performs faster than the RSA accumulators in almost all cases. Therefore, we adopt the bilinear-map accumulator in [38] as a building block in our RSS-BMA, which not only improves the efficiency but also enhances the security of our scheme. We next overview the bilinear-map accumulator in [38]. Bilinear-Map Accumulator [38]: A bilinear-map accumulator consists of four algorithms (AGen, AEval, AWitCreate, AVerify) such that:

Title Suppressed Due to Excessive Length

9

AGen(t, λ): Parameter t and security parameter λ are taken as the input of this probabilistic algorithm, where t is the maximum number of elements to be accumulated if t 6= ∞. Let t = (p, G, GT , e, g) be a uniformly distributed tuple of bilinear pairing parameters returned by G. Choose s ∈ Z∗p randomly and calculate 2 t 2 t (g s , g s , . . . , g s ). The accumulator’s public key is pkacc = (g, g s , g s , . . . , g s ) and its secret key is skacc = s. AEval(X , pkacc /skacc ): Suppose X = {x1 , . . . , xn } ⊆ Z∗p \ {−s} is a set of n elements to be accumulated, where n ≤ t. Thus, accX = g (x1 +s)(x2 +s)...(xn +s) is defined as the accumulation value of X .

AWitCreate(X , xi , pkacc /skacc ) SubjectQto accX , each value xi ∈ X has a mem(x +s) bership witness witxi , where witxi = g xj ∈X \{xi } j .

AVerify(accX , witxi , xi , pkacc ) Given accumulator accX and witness witxi for xi , the membership of xi ∈ X is proved by checking that the equation e(witxi , g s g xi ) = e(accX , g) holds. It should be noticed that both the accumulation value and witness are computable with access to either secret key or public key. However, there is a significant difference between computing the two values with access to only public key and secret key. With the secret key skacc = s, the exponent of g can be computed directly, using addition and multiplication mod p. Thus, only a single group exponentiation operation is executed for the computing of accumulation value. Conversely, without sk, the exponent must be treated as a polynomial on s, which cannot be derived directly. Thus, it is necessary to find the coefficients of this polynomial. Suppose that {c0 , c1 , . . . , cn } are the coefficients of the polynomial f (s) in ascending order, the accumulation value is computed as 2 n accX = g c0 · (g s )c1 · (g s )c2 · · · (g s )cn . Although the accumulation values generated in the above two manners are identical, the method with public key only requires (n + 1) group multiplication and exponentiation operations, which is generally more computationally expensive than with secret key. The argument also applies to computation of witness. An accumulator scheme is secure if it satisfies correctness, collision-freeness, and indistinguishability. An accumulator scheme is correct if for every genuinely computed accumulator and witness, the AVerify algorithm will always return true. We omit the formal definition of correctness since it is straightforward. This accumulator is collision-free under the t-strong Diffie-Hellman assumption (t-SDH) [5]. Specifically, it is infeasible for any PPT adversary who does not have access to the trapdoor s to find two sets X 0 6= X such that accX 0 = accX , unless the adversary breaks the t-SDH [5]. Assumption 1 (t-SDH Assumption [5].) Let G be a finite cyclic group of order p generated by g, s ← Z∗p , and t > 0, where p is a prime for size λ. Then, for all PPT adversary A it holds that  t  1 Pr (c, g s+c ) ← A(g, g s , . . . , g s ) ≤ (λ),

where c ∈ Zp \ {−s}.

10

2.4

J. H. Liu et al.

Digital Signature Schemes

Digital signature, a significant primitive in cryptographic systems, was first introduced by Whitfield Diffie and Martin Hellman [12]. Since then, numerous digital signature schemes have been proposed to resolve the authentication issues in software distribution, financial transactions, etc. In the definition of digital signature, a signer S is allowed to “sign” a message with his/her private key sk such that anyone who knows the associated public key pk (and knows that pk was established by S) can verify that the message was not modified in transmission (integrity) and indeed originated from S (authenticity). Definition 1. A digital signature scheme (DSS) involves three PPT algorithms (DGen, DSign, DVerify) such that: DGen(1λ ): A security parameter 1λ is taken as the input of this algorithm. It outputs a secret key skDSS for signing and a public key pkDSS for verification. DSign(m, skDSS ): A message m from some message space (related to pkDSS ) and a secret key skDSS are taken as the input of this algorithm. It outputs a signature σ which is denoted as σ ← DSignskDSS (m). DVerify(pkDSS , m, σ): The input of this algorithm is a public key pkDSS , a signature σ, and a message m. The output is a bit b ∈ {0, 1}, where b = 0 means invalid and b = 1 means valid. This algorithm could be denoted as b := DVerifypkDSS (m, σ). A DSS is secure, if it is correct and existentially unforgeable under chosenmessage attack (EUF-CMA) [15]. The correctness of DSS requires that except with negligible probability over (pkDSS , skDSS ) ← DGen(1λ ), the verification equation DVerifypkDSS (m, σ) = 1 holds for every legal message m. The unforgeability of a DSS indicates that it is computational infeasible for an PPT adversary to output a valid forgery for a new message with non-negligible probability even if it has access to signatures on messages of its choice.

3

Definitions of RSS-BMA

In this section, the algorithm definition and formal security definitions of our proposed scheme are presented as follows. 3.1

The Scheme Definition of RSS-BMA

The construction of RSSs based on cryptographic accumulators has been introduced [11] in a black-box way. We heavily modify the model and define our RSS-BMA as follows. Definition 2 (RSS-BMA). An RSS-BMA contains four PPT algorithms (KeyGen, Sign, Verify, Redact) such that:

Title Suppressed Due to Excessive Length

11

KeyGen(1λ ): A security parameter 1λ and a parameter t are taken as the inputs of this algorithm. It outputs a secret key sk ← (skDSS , skacc , pkacc ) and a public key pk ← (pkDSS , pkacc ): (pkDSS , skDSS ) ← DGen(1λ ), (pkacc , skacc ) ← AGen(1λ , t). Sign(sk, M ): A secrete key sk and a message M = {m1 , m2 , · · · , mn } are taken as the inputs of this algorithm, where n ≤ t. A message-signature pair (M, σ) is output as: (M, σ) ← Sign(sk, M ). Verify(pk, M, σ): A signature σ, a message M , and a public key pk constitutes the inputs of this algorithm. It outputs a decision d ∈ {1, 0}, with d = 0 meaning invalid and d = 1 meaning valid: d ← Verify(pk, M, σ). Redact(pk, M, σ, X): A public key pk, a message M , a valid signature σ, as well as a redactable message X are taken as the inputs of this algorithm. It deletes X from M and computes a redacted signature σ 0 for M 0 ← M \ X (or ⊥): (M 0 , σ 0 ) ← Redact(pk, M, σ, X). Definition 3 (Correctness). Our RSS-BMA is correct if for every genuinely generated signature, the output of Vreify algorithm is always d = 1. Signing Correctness. Our RSS-BMA satisfies the signing correctness if Verify(pk, M, σ) = 1 for any security parameter λ ∈ N, any key pair (pk, sk) ← KeyGen(1λ ), any message M and any message-signature pair (M, σ) ← Sign(sk, M ). Redaction Correctness. Our RSS-BMA satisfies the redaction correctness if Verify(pk, M 0 , σ 0 ) = 1 holds for any security parameter λ ∈ N, any key pair (pk, sk) ← KeyGen(1λ ), any message M , any message-signature pair σ with Verify(pk, M, σ) = 1, any message X, and any redacted message-signature pair (M 0 , σ 0 ) ← Redact(pk, M, σ, X). 3.2

The Security Definitions of RSS-BMA

Unforgeability The unforgeability of RSS-BMA demands that it should be infeasible for any PPT attacker to output a pair (M ∗ , σ ∗ ) without having access to the signing secret key sk, such that: (i) σ ∗ passes the verification test for M ∗ , and (ii) M ∗ is either (A) a subset of a message queried to the signing oracle but an unauthorized redaction subset, or (B) Is not a subset of any message queried to the signing oracle (i.e. M ∗ * Mj ), where Mj indicates the j-th query from A to the signing oracle.

12

J. H. Liu et al.

Definition 4. (Unforgeability). If the probability for any PPT adversary A in winning the following game is (λ), then our RSS-BMA := (KeyGen, Sign, Verify, Redact) is EUF-CMA (existentially unforgeable under adaptive chosen-message attacks). Game 1 : UnforgeabilityRSS-BMA A – Setup: The challenger runs KeyGen to obtain a private key sk and a public key pk. Then pk is given to adversary A. – Query Phase: Adversary A proceeds signature requests with pk adaptively on at most Qs message of her choice M1 , M2 , · · · , MQs . For each query, the challenger runs (Mi , σi ) ← Sign(sk, Mi ) and forwards (Mi , σi ) to A. – Output: Finally, A outputs a pair (M ∗ , σ ∗ ) and wins the above game if (1) Verify(pk, M ∗ , σ ∗ ) = 1 and (2) for all i = 1, 2, . . . , Qs we have either (A) M∗ = 6 Mi , or (B) M ∗ ⊆ Mi , but M ∗ is not an authorized redaction subset. Privacy The privacy of RSS-BMA demands that it should be infeasible for any verifier to derive any information on deleted message when given a redacted message-signature pair. The privacy definition of RSS-BMA is similar to the indistinguishability game for encryption schemes: given a redacted message, a signature, and two possible originated message, it should be infeasible for anyone to decide the origination of the redacted message. Definition 5. (Privacy). If the advantage in wining the following game is a negligible function of the security parameter λ for any PPT adversary A, then our RSS-BMA := (KeyGen, Sign, Verify, Redact) satisfies privacy. Game 2 : PrivacyRSS-BMA A – Setup: The challenger runs KeyGen to obtain a private key sk and a public key pk. Then pk is given to adversary A. – Phase 1: Adversary A proceeds signature requests with pk adaptively on at most Qs1 message of her choice. Let M1 , M2 , · · · , MQs1 denote the Qs1 signatures that A launched. For each query, the challenger runs (Mi , σi ) ← Sign(sk, Mi ) and forwards (Mi , σi ) to A. – Challenge: 1. After the queries in Phase 1, adversary A outputs two identical messages M0 and M1 besides the difference of redactable part, i.e., M0 \X0 ' M1 \X1 with X0 6= X1 . Then, adversary A sends (M0 , X0 ) and (M1 , X1 ) to challenger. 2. By choosing a bit b ∈ {0, 1} randomly, the challenger chooses Mb and computes a redacted signature through (Mb , σb ) ← Sign(sk, Mb ) and (Mb0 , σb0 ) ← Redact(pk, Mb , σb , Xb ). Then (Mb0 , σb0 ) is forwarded to adversary A. – Phase 2: The adversary A can proceed again queries to the signing oracle as in Phase 1. – Guess: Eventually, A exports a guess b0 of b. If b0 = b, then A wins the above game.

Title Suppressed Due to Excessive Length

13

Privacy Our RSS-BMA satisfies privacy if the advantage AdvA (λ) is a negligiPrivacy ble function of the security parameter λ such that Adv (λ) ≤ (λ), where A Privacy 1 0 AdvA (λ) = Pr[b = b] − 2 is defined as the advantage that A has in the above game.

Transparency In the above definition of privacy, only the content of deleted part is hidden, but not necessarily the redaction operation. To enhance the security, transparency requires it should infeasible for any verifier to decide if the received message has been redacted. Definition 6. (Transparency). If the advantage in wining the following game is a negligible function of the security parameter λ for any PPT adversary A, then our RSS-BMA := (KeyGen, Sign, Verify, Redact) is transparent. Game 3 : TransparencyRSS-BMA A – Setup: The challenger runs KeyGen to obtain a private key sk and a public key pk. Then pk is given to adversary A. – Phase 1: The adversary A proceeds signature requests with pk adaptively on at most Qs2 message of her choice. Let M1 , M2 , · · · , MQs2 denote the quires that A launched. For every query, the challenger runs (Mi , σi ) ← Sign(sk, Mi ) and forwards (Mi , σi ) to A. – Challenge: 1. After the queries in Phase 1, adversary A outputs two two identical messages M0 and M1 satisfies M0 ⊆ M1 . Then, A sends M0 and M1 to the challenger. 2. By choosing a bit b ∈ {0, 1} randomly, the challenger generates signature for M0 . If b = 1, then a signature for M0 is computed (M1 , σ1) ← Sign(sk, M1 ) and (M0 , σ0 ) ← Redact(pk, M1 , σ1 , M1 \M0 ). If b = 0, then a signature for M0 is computed through (M0 , σ0 ) ← Sign(sk, M0 ). – Phase 2: The adversary A can proceed again queries to the signing oracle as in Phase 1. – Guess: Eventually, A exports a guess b0 of b. If b0 = b, then A wins the above game. Transparency Our RSS-BMA satisfies the transparency definition if the advantage AdvA (λ) Transparency is a negligible function of the security parameter λ such that Adv (λ) ≤ A Transparency (λ), where AdvA (λ) = Pr[b0 = b] − 21 is defined as the advantage that A has in the above game.

4

Our Construction

In this section, a concrete design of secure and efficient redactable signature scheme based on bilinear-map accumulator (RSS-BMA) is presented to support

14

J. H. Liu et al.

authenticated energy usage data sharing. The idea of our construction is as follows: To facilitate customers to share energy usage data with third-party service providers, the utility first divides the collected energy usage data into groups according to the dependency of data blocks. Then, an accumulation of the data blocks is computed based on the modified bilinear-map accumulator [38], which represents the data to be signed. Afterwards, the utility signs the accumulation value under some digital signature scheme and stores the generated redactable signature. Once receiving customer’s request, the utility sends the data-signature pair to customer’s repository. The outline of RSS-BMA is shown in Fig. 2. To share part of the authenticated energy usage data, a customer control the repository to generate a redacted signature for the released data and forward the redacted data-signature to a third party. For verification, the third party simply checks whether the signature on the accumulation value as well as the witnesses for each group of data blocks are valid. In our construction, redaction is simply removing witnesses related to the deleted groups of data blocks. Based on the property of the bilinear-map accumulator, we develop it to support batch-datablock verification which significantly reduces the signature computation time and size [11]. Furthermore, since the witness in conventional bilinear-map accumulator scheme could be generated publicly, anyone is allowed to generate a witness for an arbitrary group of data blocks. To prohibit the additional redaction and ensure the dependency of data blocks, we insert a special data block R m0 ← Z∗p \ {−s} in the accumulation value and witnesses. However, this data block is unavailable for any subsequent redactor or verifier except signer. The construction of our RSS-BMA is made of four algorithms: KeyGen, Sign, Verify and Redact.

Original Data 𝐌𝐌 Accumulation

Signing 𝑎𝑎𝑎𝑎𝑎𝑎𝐌𝐌

Grouped Data 𝐌𝐌 Group Witness

𝑚𝑚0 𝑚𝑚1 𝑚𝑚2 𝑚𝑚3 𝑚𝑚4 𝑚𝑚5 𝑚𝑚6 𝑚𝑚7 𝑚𝑚8 𝑚𝑚9 𝑚𝑚10

𝑚𝑚0

𝑎𝑎𝑎𝑎𝑎𝑎𝐌𝐌 𝜎𝜎𝑆𝑆

𝑚𝑚1 𝑚𝑚2 𝑚𝑚5 𝑚𝑚6 𝑚𝑚3 𝑚𝑚4 𝑚𝑚7 𝑚𝑚9 𝑚𝑚8 𝑚𝑚10

𝑤𝑤𝑤𝑤𝑤𝑤𝒎𝒎1 𝑤𝑤𝑤𝑤𝑤𝑤𝒎𝒎2 𝑤𝑤𝑤𝑤𝑤𝑤𝒎𝒎3 𝑤𝑤𝑤𝑤𝑤𝑤𝒎𝒎4

…

𝑤𝑤𝑤𝑤𝑤𝑤𝒎𝒎𝑗𝑗

… …

•

Generate a redactable signature 𝜎𝜎 for data M. 𝜎𝜎 = 𝜎𝜎𝑆𝑆 , 𝑎𝑎𝑎𝑎𝑎𝑎𝐌𝐌 , WIT = 𝑤𝑤𝑤𝑤𝑤𝑤𝒎𝒎𝑖𝑖 .

𝑎𝑎𝑎𝑎𝑎𝑎𝐌𝐌

𝑤𝑤𝑤𝑤𝑤𝑤𝒎𝒎1 𝑤𝑤𝑤𝑤𝑤𝑤𝒎𝒎2

•

Redact 𝑚𝑚3 , 𝑚𝑚4 , 𝑚𝑚7 , 𝑚𝑚9 and delete 𝑤𝑤𝑤𝑤𝑤𝑤𝒎𝒎3 . 𝜎𝜎 ′ = 𝜎𝜎𝑆𝑆 , 𝑎𝑎𝑎𝑎𝑎𝑎𝐌𝐌 , WIT ′ .

𝜎𝜎𝑆𝑆

𝑤𝑤𝑤𝑤𝑤𝑤𝒎𝒎4

Customer •

𝑚𝑚9 𝑚𝑚10

𝑚𝑚5 𝑚𝑚6

𝑚𝑚1 𝑚𝑚2 𝑚𝑚5 𝑚𝑚6

𝑚𝑚𝑛𝑛

Utility •

𝑚𝑚1 𝑚𝑚2

𝑚𝑚𝑛𝑛

…

𝑚𝑚8 𝑚𝑚10 𝑤𝑤𝑤𝑤𝑤𝑤𝒎𝒎𝑗𝑗

… …

𝑚𝑚𝑛𝑛

𝑚𝑚𝑛𝑛

Third party • •

Verify 𝜎𝜎𝑆𝑆 on 𝑎𝑎𝑎𝑎𝑎𝑎𝐌𝐌 . Verify the batch membership of each group of data blocks with 𝑎𝑎𝑎𝑎𝑎𝑎𝐌𝐌 and WIT ′ .

Fig. 2. The outline of our RSS-BMA.

KeyGen(1λ ): This algorithm fixes a standard digital signature scheme DSS. On input an upper bound t of the accumulator [38] and the security parameter 1λ , it runs the key generation algorithms of signature scheme (pkDSS , skDSS ) ←

Title Suppressed Due to Excessive Length

15

DGen(1λ ) and bilinear-map accumulator (pkacc , skacc ) ← AGen(1λ , t) respec2 t tively, where pkacc = (g, g s , g s , . . . , g s ) and skacc = s. This algorithm returns sk ← (skDSS , skacc , pkacc ) and pk ← (pkDSS , pkacc ). Sign(sk, M): In order to produce a redactable signature on energy usage data M = {m1 , m2 , . . . , mn } ⊆ Z∗p \ {−s} with n((n + 1) ≤ t) blocks, the signer divides M into several groups according to the dependency of the data blocks. For instance, the original data is M = {m1 , m2 , . . . , m10 }, and the grouped data is M = {{m1 }, {m3 , m4 , m7 , m9 }, {m2 , m5 , m6 }, {m8 , m10 }}. Then, the signer R chooses m0 ← Z∗p \ {−s}, and an accumulation value accM for m0 and M is generated by executing the AEval algorithm of accumulator. For each subset of data blocks in the grouped data (mj ∈ M), a witness witmj is computed via the AWitCreate algorithm. Finally, a digital signature on the accumulation value accM is computed through DSign. The concrete generation process of redactable signature is shown as follows: 1. The signer groups M = {m1 , m2 , . . . , m10 , . . . , mn } according to the dependency of the blocks, i.e., M = {{m1 }, {m3 , m4 , m7 , m9 }, {m2 , m5 , m6 }, . . .}. R

2. Choose m0 ← Z∗p \ {−s} and compute an accumulation value accM for m0 and M with the secret key skacc = s under AEval algorithm: accM = g (m0 +s)(m1 +s)...(mn +s) . 3. For each subset of data blocks in the grouped data (mj ⊆ M),Q a witness (m +s)

(m +s)

i mi ∈M:mi ∈m / j witmj is computed via the AWitCreate algorithm: witmj = g 0 4. Sign the accumulation value accM through DSign, i.e., σs ← DSign(skDSS , accM ). 5. Output (M, σ), where σ = (σs , accM , WIT = {witmj }mj ⊆M ).

Verify(pk, M, σ): A public key pk, energy usage data M, and a signature σ are taken as the inputs of this algorithm. It carries out the following steps: 1. The third party ensures that DVerify(pk, accM , σs ) = 1 holds, and rejects otherwise. 2. If the above equation holds, the bath membership for each Q group of data mi ∈mj (mi +s) ) = blocks in M is verified by checking whether e(wit , g mj Q (m +s)

is evaluated publicly, that is by e(accM , g) holds. Note that g mi ∈mQj i expanding the polynomial h(x) = mi ∈mj (mi + x) and evaluating it in G via pkacc , which results in g h(s) . 3. Finally, 1 is returned if all the above checks hold, and 0 otherwise.

Redact(pk, M, σ, X): The public key pk, energy usage data M, a signature σ, and a subset of data blocks X to be redacted are taken as the inputs of this algorithm. The customer performs as follows: 1. Ensure that Verify(pk, M, σ) = 1 holds, and rejects otherwise. 2. If X * M, return ⊥.

.

16

J. H. Liu et al.

3. Parse σ as (σs , accM , WIT = {witmj }mj ⊆M ), compute M0 ← M \ X, set WIT0 = WIT\{witmj }mj ∈X and returns (M0 , σ 0 ), where σ 0 = (σs , accM , WIT0 ). Apparently, our construction of RSS-BMA achieves both Signing Correctness and Redaction Correctness, as defined in subsection 3.1.

5

Analysis of RSS-BMA

The security and efficiency analysis of our proposed scheme are presented as follows. 5.1

Security analysis

In this subsection, the unforgeability, privacy and transparency of RSS-BMA are proved. Since transparency is a stronger security guarantee than privacy, and unforgeability does not follows from privacy [8], only the transparency and unforgeability analysis of RSS-BMA are presented as follows. Our Scheme is Unforgeable Theorem 1. If the underling bilinear-map accumulator is collision free and DSS is unforgeable, our scheme is unforgeable. Proof. Let A be an adversary winning the unforgeability game defined for RSSBMA. We show how to use A to construct an efficient algorithm Acf to break the collision freeness of the underling bilinear-map accumulator, or an efficient algorithm Aunf to break the unforgeability of the underling DSS. Suppose that A forges a redactable signature with success probability  under the adaptive Q-chosen message attack when a public key pk is given. Let {Mi }Q i=1 denote the Q queries that A sends to the signing oracle, and let σi = (σsi , accMi , WITi ) be the signatures output by signing oracle. The adversary A outputs a messagesignature pair (M∗ , σs∗ , acc∗M∗ , WIT∗ ) after the query phase. We will show next, that the unforgeability security of RSS-BMA relies on the security of bilinearmap accumulator and DSS. According to the definition in Game 1, a forgery should fall in at least one of the following cases: 1. The value protected by the underlying signature σs has never been signed, or 2. the value protected by the underlying signature σs has been signed, but (a) M∗ 6= Mi , or (b) M∗ ⊆ Mi is an unauthorized redaction subset of a queried message. Case 1. To forge a DSS signature with the help of A, we will show how to construct an algorithm Aunf that outputs a valid DSS signature for a new message M∗ not queried. The forger A is used as a black-box.

Title Suppressed Due to Excessive Length

17

Setup. Algorithm Aunf chooses a bilinear-map accumulator and a DSS. The public key pk ← (pkDSS , pkacc ) is given to A. Signature Quries. Let {Mi }Q i=1 be the Q queries that the adversary A queried to the signing oracle. These queries are forwarded to Aunf ’s own signing oracle and genuinely returned to A. Output. Finally, A halts. It either admits failure, in which case so does Aunf , or it returns a valid forgery of redactable signature (σs∗ , acc∗M∗ , WIT∗ ) for a message M∗ that has never been queried. Then, Aunf returns (σs∗ , acc∗M∗ ). If the digest has been queried, abort. The tuple (σs∗ , acc∗M∗ ) is a valid forgery of the underlying DSS, since M∗ has never been queried, i.e., no collision has been found. Therefore, the DSS must be forgeable. This indicates that if the adversary A succeeds in forging a signature for a message with nonnegligible probability , then an algorithm Aunf breaking the unforgeability of the underlying DSS with nonnegligible probability 0 exists. Case 2. To break the collision freeness of the underlying bilinear-map accumulator, we will use A in a new algorithm Acf to solve the so-called t-strong Diffie-Hellman assumption. Setup. Adversary Acf receives the underling bilinear-map accumulator and emulates the signing oracle to generate a key pair of the underling DSS. It forwards the public key pk ← (pkDSS , pkacc ) to A. Signature Quries. Let {Mi }Q i=1 denote the Q queries from the adversary A, and these queries are forwarded to Acf . Then, Acf generates signature σi under skDSS and returns the signature to A for each query. Output. Finally, A halts. It either concedes failure, in which case so does Acf , or it returns a valid forgery of redactable signature (σs∗ , acc∗M∗ , WIT∗ ). Given the transcript of the simulation, Acf searches for a pair such that acc∗M∗ = accMi . If such a pair is found and M∗ is not an releasable set of any queried message Mi , Acf outputs (M∗ , acc∗M∗ , WIT∗ ), else it aborts. This indicates that the adversary A is able to find a collision of the bilinear-map accumulator or forge a valid witness for a not releasable set. In particular, if probability  that A has in forging a signature for a message is nonnegligible, then an algorithm Acf breaking the t-strong Diffie-Hellman assumption of the bilinear-map accumulator with nonnegligible probability 0 exists.  In all cases: A is successful in forging a signature of RSS-BMA, iff it breaks at least one of the underlying primitives. Our Scheme is Transparent Theorem 2. If the underlying bilinear-map accumulator always outputs uniformly distributed accumulation value and is therefore indistinguishable, our scheme is transparent.

18

J. H. Liu et al.

Proof. It follows directly from the definition to prove the transparency, i.e., the accumulation values are uniform and random distribution. Particularly, all accumulation values should be computationally indistinguishable from random. Therefore, adding a random value from the accumulation domain could realize the indistinguishability of accumulation values, while this random value is hidden from any party except the signer. In our design of the signing algorithm of RSS-BMA, a randomly and uniformly distributed parameter m0 is accumulated, which results in a uniformly distributed accumulation value. This indicates the output of Sign resp. Redact is also computationally indistinguishable from a uniform distribution. Therefore, the secret bit b is perfectly hidden. Redacting message blocks and removing the related witnesses from the redactable signature also results a uniformly distributed signature. Hence, it is infeasible for any unbounded adversary to guess the bit better than at random. In other words, if an adversary breaks the transparency of RSS-BMA, then the accumulation value is distinguishable from a random parameter, which has been assumed to be infeasible. Thus in an information theoretic sense, our RSS-BMA is transparent.  5.2

Efficiency Analysis

The efficiency analysis of RSS-BMA are presented as follows. Our scheme is compared with several previous works [11, 42, 47] in terms of computation cost, communication cost, and functionality. Both the first scheme in [47] and [42] deploy RSA accumulator as the underlying accumulator scheme while [11] does not specify the accumulator. Apparently, our RSS-BMA is the first concrete construction based on bilinear-map accumulator. To compare them with our scheme, we assume that the underlying standard digital signature scheme is based on RSA, and the accumulator in [42] is also bilinear-map accumulator. Before the efficiency analysis, we define the notations we used in tables. Let tE denote the exponential computation time, tS denote the time for signing, tV be the verification time of DSS, and tP air be the bilinear pairing computation time. We denote H the number of data block groups in a signed data (H < n), H 0 the number of of data block groups removed, n the number of data blocks in a signed data, n0 the number of data blocks removed, and C1 the first construction. Furthermore, let |N | denote the bit string length of RSA modulus, |G| the bit string length of each element in group G. Finally, let AccRSA denote RSA accumulator, AccBM the bilinear-map accumulator, and Xrepresent the existence of this function. Theoretical Analysis. The theoretical comparisons of computation complexity, communication complexity, and functionality are presented in Table 1, Table 2, and Table 3, respectively. As shown in Table 1, our scheme is more efficient than others in the signature generation and verification computation. This is because, compare with [47] C1 and [42], both our scheme and [11] C1 adopt bilinear-map accumulator which is more efficient than RSA accumulator [52]. Furthermore, since our scheme supports batch-data-block verification and both the accumulation value and witness are computed with access to secret key, our

Title Suppressed Due to Excessive Length

19

RSS-BMA has a significant advantage in saving the computing resource. Although the communication cost of [47] C1 is the lowest in Table 2, our scheme is the only one that realized redaction control (Table 3). The communication cost of our scheme is still lower than [42] and [11] C1 because of the batch-data-block verification design. Therefore, it is obvious that our RSS-BMA is the first that realized redaction control while reducing the computation and communication cost. Practical Analysis. To further evaluate the real-time complexity, we simulate our RSS-BMA and calculate the running time and signature length by utilizing the PBC library (version 0.5.14) and GMP library (version 6.1.2). The test platform is set to be: Pentium (R) G640 CPU, 3.33 GB RAM, 500 G/5400 rpm hard disk, Ubuntu 10.10 LTS (64 Bit) OS, and C programming language. To achieve the corresponding security level, we set the group order to be |G| = 160 bits ((using a super singular curve y 2 = x3 + x) and the modulus of the RSA signature |N | = 2048 bits, respectively. The running time of signature generation and verification is presented in Table 4, and Table 5 shows the signature size which implies communication cost. Each of the test result is the average of 10 runs. As shown in Table 4, both the signature generation and verification cost increase with the number of data block groups. Furthermore, it is obvious that the time for redaction signature σ 0 generation is almost identical to that of the original signature σ verification. This is because the signature should be verified before redaction, and redaction amounts to simply deleting witness and the corresponding group of data blocks. Table 5 presents the communication cost of the original signature and redacted signature by calculating and comparing the signature length. Apparently, the bandwidth requirement of the original signature transmission increases linearly with the expansion of the number of data block groups while the communication cost of redacted signature increases linearly with the size of H − H 0 (the number of released data block groups). Therefore, both the computation and communication cost of our scheme increase linearly with the number of data block groups rather than the number of data blocks, which improves the efficiency performance of our scheme. In summary, through the performance analysis, it is clear that our RSS-BMA is practical for energy usage data sharing.

Table 1. Computation Cost Comparison Schemes σ Generation σ 0 Generation σ Verification σ 0 Verification [47] C1 O(ntE + tS ) O((n + n0 )tE + tV ) O(ntE + tV ) O((n − n0 )tE + tV ) [42] O((n + 1)tE ) O((n + 1)tE ) O((n + 1)tE ) O((n + 1 − n0 )tE ) [11] C1 O((n + 1)tE + tS ) O(ntP air + tV ) O(ntP air + tV ) O((n − n0 )tP air + tV ) Ours O((H + 1)tE + tS ) O(HtP air + tV ) O(HtP air + tV ) O((H − H 0 )tP air + tV )

20

J. H. Liu et al. Table 2. Communication Cost Comparison Schemes Original Signature Size Redacted Signature Size [47] C1 2|N | 2|N | [42] (n + 1)|N | (n + 1 − n0 )|N | [11] C1 (n + 1)|G| + |N | (n + 1 − n0 )|G| + |N | Ours (H + 1)|G| + |N | (H + 1 − H 0 )|G| + |N |

Table 3. Functionality Comparison Schemes Building Blocks Batch Verification Redaction Control [47] C1 AccRSA + DSS X [42] AccRSA [11] C1 Acc + DSS Ours AccBM + DSS X X

6

Conclusion

In this paper, we explored the authenticity verification and privacy preservation issues in secure sharing of energy usage data. To solve the problem, we proposed a secure and efficient redactable signature scheme based on bilinear-map accumulator (RSS-BMA). Our scheme supports batch-data-block verification which not only improves the efficiency but also enhances the security of shared data by prohibiting any additional redaction to a batch of data blocks. We carried out security analysis of our scheme, and the results show that our scheme achieves unforgeability and transparency which satisfies the security requirement in sharing energy usage data. Furthermore, we also conducted theoretical efficiency comparison and practical implementation of our scheme extensively. The results demonstrate that our scheme is indeed a practical solution for secure and efficient sharing of energy usage data. In our future work, we will devote to design redactable signature schemes with designated redactors or redactor revocation mechanism which determines who has the authority to modify the signed data in different scenarios.

Declaration of Competing Interests The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper. The authors declare the following financial interests/personal relationships which may be considered as potential competing interests: Table 4. Computation Cost (running time in second) Message Size (H/H 0 ) σ Generation σ 0 10/4 0.034475 50/18 0.143907 100/45 0.279363 200/72 0.536941

Generation σ Verification σ 0 0.034879 0.034868 0.154503 0.154472 0.313975 0.313975 0.603018 0.602983

Verification 0.022908 0.100651 0.169423 0.387708

Title Suppressed Due to Excessive Length

21

Table 5. Communication Cost (length of size in bit) Message Size (H/H 0 ) Original Signature Size Redacted Signature Size 10/4 5,568 3,968 50/18 18,368 12,608 100/45 34,368 19,968 200/72 66,368 43,328

Acknowledgment This work is supported by National Natural Science Foundation of China (61822202, 61872089, 61902070, 61972094) and the Australian Research Council Discovery Project (DP150103732).

References 1. Barbosa, P., Brito, A., Almeida, H., Clauß, S.: Lightweight privacy for smart metering data by adding noise. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing. pp. 531–538. ACM (2014) 2. Barthe, G., Danezis, G., Gr´egoire, B., Kunz, C., Zanella-Beguelin, S.: Verified computational differential privacy with applications to smart metering. In: 2013 IEEE 26th Computer Security Foundations Symposium. pp. 287–301. IEEE (2013) 3. Bellare, M., Garay, J.A., Rabin, T.: Fast batch verification for modular exponentiation and digital signatures. In: International Conference on the Theory and Applications of Cryptographic Techniques. pp. 236–250. Springer (1998) 4. Benaloh, J., De Mare, M.: One-way accumulators: A decentralized alternative to digital signatures. In: Workshop on the Theory and Application of of Cryptographic Techniques. pp. 274–285. Springer (1993) 5. Boneh, D., Boyen, X.: Short signatures without random oracles and the sdh assumption in bilinear groups. Journal of Cryptology 21(2), 149–177 (2008) 6. Boyd, C., Pavlovski, C.: Attacking and repairing batch verification schemes. In: International Conference on the Theory and Application of Cryptology and Information Security. pp. 58–71. Springer (2000) 7. Brown, J.L.: Verifiable and redactable medical documents. Ph.D. thesis, Georgia Institute of Technology (2012) 8. Brzuska, C., Busch, H., Dagdelen, O., Fischlin, M., Franz, M., Katzenbeisser, S., Manulis, M., Onete, C., Peter, A., Poettering, B., et al.: Redactable signatures for tree-structured data: definitions and constructions. In: International Conference on Applied Cryptography and Network Security. pp. 87–104. Springer (2010) 9. Cheon, J.H., Kim, Y., Yoon, H., et al.: A new id-based signature with batch verification. IACR Cryptology EPrint Archive 2004, 131 (2004) 10. Chim, T.W., Yiu, S.M., Li, V.O., Hui, L.C., Zhong, J.: Prga: Privacy-preserving recording & gateway-assisted authentication of power usage information for smart grid. IEEE Transactions on Dependable and Secure Computing 12(1), 85–97 (2014) 11. Derler, D., P¨ ohls, H.C., Samelin, K., Slamanig, D.: A general framework for redactable signatures and new constructions. In: International Conference on Information Security and Cryptology. pp. 3–19. Springer (2015) 12. Diffie, W., Hellman, M.: New directions in cryptography. IEEE transactions on Information Theory 22(6), 644–654 (1976)

22

J. H. Liu et al.

13. Farhangi, H.: The path of the smart grid. IEEE power and energy magazine 8(1), 18–28 (2010) 14. Fiat, A.: Batch rsa. In: Conference on the Theory and Application of Cryptology. pp. 175–185. Springer (1989) 15. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing 17(2), 281–308 (1988) 16. Harn, L.: Batch verifying multiple rsa digital signatures. Electronics Letters 34(12), 1219–1220 (1998) 17. Johnson, R., Molnar, D., Song, D., Wagner, D.: Homomorphic signature schemes. In: Cryptographers Track at the RSA Conference. pp. 244–262. Springer (2002) 18. Koo, D., Shin, Y., Hur, J.: Privacy-preserving aggregation and authentication of multi-source smart meters in a smart grid system. Applied Sciences 7(10), 1007 (2017) 19. Kursawe, K., Danezis, G., Kohlweiss, M.: Privacy-friendly aggregation for the smart-grid. In: International Symposium on Privacy Enhancing Technologies Symposium. pp. 175–191. Springer (2011) 20. Lahoti, G., Mashima, D., Chen, W.P.: Customer-centric energy usage data management and sharing in smart grid systems. In: Proceedings of the first ACM workshop on Smart energy grid security. pp. 53–64. ACM (2013) 21. Lee, S., Cho, S., Choi, J., Cho, Y.: Efficient identification of bad signatures in rsatype batch signature. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 89(1), 74–80 (2006) 22. Li, F., Luo, B.: Preserving data integrity for smart grid data aggregation. In: 2012 IEEE Third International Conference on Smart Grid Communications (SmartGridComm). pp. 366–371. IEEE (2012) 23. Li, X., Wu, F., Kumari, S., Xu, L., Sangaiah, A.K., Choo, K.K.R.: A provably secure and anonymous message authentication scheme for smart grids. Journal of Parallel and Distributed Computing (2017) 24. Lim, C.H., Lee, P.J.: Security of interactive dsa batch verification. Electronics letters 30(19), 1592–1593 (1994) 25. Liu, J., Huang, X., Liu, J.K.: Secure sharing of personal health records in cloud computing: ciphertext-policy attribute-based signcryption. Future Generation Computer Systems 52, 67–76 (2015) 26. Liu, J., Ma, J., Wu, W., Chen, X., Huang, X., Xu, L.: Protecting mobile health records in cloud computing: A secure, efficient, and anonymous design. ACM Transactions on Embedded Computing Systems (TECS) 16(2), 57 (2017) 27. Liu, J., Ma, J., Xiang, Y., Zhou, W., Huang, X.: Authenticated medical documents releasing with privacy protection and release control. IEEE Transactions on Dependable and Secure Computing (2019) 28. Liu, J., Ma, J., Zhou, W., Xiang, Y., Huang, X.: Dissemination of authenticated tree-structured data with privacy protection and fine-grained control in outsourced databases. In: European Symposium on Research in Computer Security. pp. 167– 186. Springer (2018) 29. Lu, R., Liang, X., Li, X., Lin, X., Shen, X.: Eppa: An efficient and privacypreserving aggregation scheme for secure smart grid communications. IEEE Transactions on Parallel and Distributed Systems 23(9), 1621–1631 (2012) 30. Ma, J., Liu, J., Huang, X., Xiang, Y., Wu, W.: Authenticated data redaction with fine-grained control. IEEE Transactions on Emerging Topics in Computing (2017)

Title Suppressed Due to Excessive Length

23

31. Ma, J., Liu, J., Wang, M., Wu, W.: An efficient and secure design of redactable signature scheme with redaction condition control. In: International Conference on Green, Pervasive, and Cloud Computing. pp. 38–52. Springer (2017) 32. Mahmood, K., Chaudhry, S.A., Naqvi, H., Kumari, S., Li, X., Sangaiah, A.K.: An elliptic curve cryptography based lightweight authentication scheme for smart grid communication. Future Generation Computer Systems 81, 557–565 (2018) 33. Mashima, D., Roy, A.: Privacy preserving disclosure of authenticated energy usage data. In: 2014 IEEE international conference on smart grid communications (SmartGridComm). pp. 866–871. IEEE (2014) 34. Miyazaki, K., Hanaoka, G., Imai, H.: Digitally signed document sanitizing scheme based on bilinear maps. In: Proceedings of the 2006 ACM Symposium on Information, computer and communications security. pp. 343–354. ACM (2006) 35. Miyazaki, K., Iwamura, M., Matsumoto, T., Sasaki, R., Yoshiura, H., Tezuka, S.: Digitally signed document sanitizing scheme with disclosure condition control. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 88(1), 239–246 (2005) 36. Molina-Markham, A., Danezis, G., Fu, K., Shenoy, P., Irwin, D.: Designing privacypreserving smart meters with low-cost microcontrollers. In: International Conference on Financial Cryptography and Data Security. pp. 239–253. Springer (2012) 37. Naccache, D., M’Ra¨Ihi, D., Vaudenay, S., Raphaeli, D.: Can dsa be improved?complexity trade-offs with the digital signature standard. In: Workshop on the Theory and Application of of Cryptographic Techniques. pp. 77–85. Springer (1994) 38. Nguyen, L.: Accumulators from bilinear pairings and applications. In: Cryptographers Track at the RSA Conference. pp. 275–292. Springer (2005) 39. Nguyen, L.: Efficient dynamic k-times anonymous authentication. In: International Conference on Cryptology in Vietnam. pp. 81–98. Springer (2006) 40. P¨ ohls, H.C., Bilzhause, A., Samelin, K., Posegga, J.: Sanitizable signed privacy preferences for social networks. DICCDI, LNI. GI (2011) 41. P¨ ohls, H.C., Karwe, M.: Redactable signatures to control the maximum noise for differential privacy in the smart grid. In: International Workshop on Smart Grid Security. pp. 79–93. Springer (2014) 42. P¨ ohls, H.C., Samelin, K.: On updatable redactable signatures. In: International Conference on Applied Cryptography and Network Security. pp. 457–475. Springer (2014) 43. P¨ ohls, H.C., Samelin, K.: Accountable redactable signatures. In: Availability, Reliability and Security (ARES), 2015 10th International Conference on. pp. 60–69. IEEE (2015) 44. Qu, Y., Yu, S., Gao, L., Zhou, W., Peng, S.: A hybrid privacy protection scheme in cyber-physical social networks. IEEE Transactions on Computational Social Systems (99), 1–12 (2018) 45. Qu, Y., Yu, S., Zhou, W., Peng, S., Wang, G., Xiao, K.: Privacy of things: Emerging challenges and opportunities in wireless internet of things. IEEE Wireless Communications 25(6), 91–97 (2018) 46. Rial, A., Danezis, G.: Privacy-preserving smart metering. In: Proceedings of the 10th annual ACM workshop on Privacy in the electronic society. pp. 49–60. ACM (2011) 47. Samelin, K., P¨ ohls, H.C., Bilzhause, A., Posegga, J., De Meer, H.: Redactable signatures for independent removal of structure and content. In: International Conference on Information Security Practice and Experience. pp. 17–33. Springer (2012)

24

J. H. Liu et al.

48. Shacham, H., Boneh, D.: Improving ssl handshake performance via batching. In: Cryptographers Track at the RSA Conference. pp. 28–43. Springer (2001) 49. Shi, E., Chan, H., Rieffel, E., Chow, R., Song, D.: Privacy-preserving aggregation of time-series data. In: Annual Network & Distributed System Security Symposium (NDSS). Internet Society. (2011) 50. Stanek, M.: Attacking lccc batch verification of rsa signatures. IACR Cryptology ePrint Archive 2006, 111 (2006) 51. Steinfeld, R., Bull, L., Zheng, Y.: Content extraction signatures. In: International Conference on Information Security and Cryptology. pp. 285–304. Springer (2001) 52. Tremel, E.: Real-world performance of cryptographic accumulators. Undergraduate Honors Thesis, Brown University (2013) 53. Wu, L., Wang, J., Zeadally, S., He, D.: Anonymous and efficient message authentication scheme for smart grid. Security and Communication Networks 2019 (2019) 54. Yen, S.M., Laih, C.S.: Improved digital signature suitable for batch verification. IEEE Transactions on Computers 44(7), 957–959 (1995)

Jianghua Liu received his M.S. degree from the School of Mathematics and Computer Science, Fujian Normal University, China, in 2016. Currently, he is pursuing the Ph.D. degree in the School of Information Technology, Deakin University, VIC, Australia. His research interests include cryptography and information security. He has published several research papers in international journals and conferences, such as IEEE TC, IEEE TDSC, IEEE TETC, ACM TECS, FGCS, ESORICS 2018 etc. Jingyu Hou is currently a senior lecturer in the School of Information Technology, Deakin University, Australia. He received PhD degrees in Computational Mathematics and Computer Science in 1995 and 2004 respectively. Jingyu has published 3 monographs and 70 refereed journal and conference papers. His research interests include data and web mining, bioinformatics, data analytics and algorithm design, databases and information retrieval. Xinyi Huang received his Ph.D. degree from the School of Computer Science and Software Engineering, University of Wollongong, Australia, in 2009. He is currently a Professor at the College of Mathematics and Informatics, Fujian Normal University, China. His research interests include cryptography and information security. He has published over 160 research papers in refereed international conferences and journals, such as ACM CCS, IEEE Transactions on Computers, IEEE Transactions on Parallel and Distributed Systems, and IEEE Transactions on Information Security and Forensics. His work has been cited more than 6200 times at Google Scholar. He is in the Editorial Board of International Journal of Information Security and SCIENCE CHINA Information Sciences. He has served as the program/general chair or program committee member in over 120 international conferences. Yang Xiang received his PhD in Computer Science from Deakin University, Australia. He is the Dean of Digital Research & Innovation Capability Platform, Swinburne University. His research interests include network and system security, data analytics, distributed systems, and networking. In particular, he is currently leading his team developing active defense systems against largescale distributed network attacks. He is the Chief Investigator of several projects in

Title Suppressed Due to Excessive Length

25

network and system security, funded by the Australian Research Council (ARC). He has published more than 200 research papers in many international journals and conferences. Tianqing Zhu received her BEng and MEng degrees from Wuhan University, China, in 2000 and 2004, respectively, and a PhD degree from Deakin University in Computer Science, Australia, in 2014. Dr Tianqing Zhu is currently a senior lecturer in the school of software in University of Technology Sydney, Australia. Before that, she was a lecture in the School of Information Technology, Deakin University, Australia, from 2014 to 2018. Her research interests include privacy preserving, data mining and network security.