Multi-resolution privacy-enhancing technologies for smart metering
- Fabian Knirsch^{1, 2}Email author,
- Günther Eibl^{1} and
- Dominik Engel^{1}
DOI: 10.1186/s13635-017-0058-3
© The Author(s) 2017
Received: 18 August 2016
Accepted: 3 March 2017
Published: 20 March 2017
Abstract
The availability of individual load profiles per household in the smart grid end-user domain combined with non-intrusive load monitoring to infer personal data from these load curves has led to privacy concerns. Privacy-enhancing technologies have been proposed to address these concerns. In this paper, the extension of privacy-enhancing technologies by wavelet-based multi-resolution analysis (MRA) is proposed to enhance the options available on the user side. For three types of privacy methods (secure aggregation, masking and differential privacy), we show that MRA not only enhances privacy, but also adds additional flexibility and control for the end-user. The combination of MRA and PETs is evaluated in terms of privacy, computational demands, and real-world feasibility for each of the three method types.
Keywords
Smart meter Homomorphic encryption Masking Differential privacy Multiple resolutions Smart grid1 Introduction
Intelligent energy systems and so-called smart grids, change the way electricity is generated, distributed, and used. The widespread roll-out of smart meters is one of the consequences. Such smart meters record energy consumption in a specified granularity (usually the time between readings is between 1 and 15 min, cf. Table 10 in [1]) and have the ability to transmit these load curves in a specified interval (e.g., once a day). Therefore, this involves a considerable amount of information that needs to be processed and analyzed. Smart grids further demand accurate and fine-grained data on network status, as well as a detailed analysis of load profiles from customers [2]. This is crucial for applications such as billing with dynamic pricing, demand response, and network monitoring.
However, it has been shown that personal information on the end-user can be inferred from fine-grained load curves [3, 4], and this has led to privacy concerns (e.g., [5]). This also implies some severe privacy threats such as the identification of customer presence at home, customer habits, and even the customer position when using electric vehicles [6]. In [7, 8], the authors show the impact of resolutions on privacy and that information can be deduced even at comparably low frequencies.
The accuracy of the inferred information is directly connected to the available resolution of the load data. A number of methods have been proposed to balance the need for privacy with the information needed for correct operation of smart grids. Two types of approaches show high potential to resolve this issue: (i) privacy-aware aggregation of encrypted load curves; and (ii) representation of load curves in multiple resolutions, each associated with different access levels.
1.1 Privacy-aware aggregation
Approaches for privacy-aware aggregation can again be divided into three categories: protocols using masking [9, 10], protocols using secure aggregation by homomorphic encryption [11, 12], and protocols using differential privacy [13, 14]. In this paper, the focus is put on the application of multi-resolution load curve representation in combination with secure aggregation protocols.
Privacy-enabling encryption for smart meter data by the use of homomorphic encryption is suggested by, [11, 12, 15, 16], allowing the aggregation of encrypted signals, also termed “secure signal processing”. A recent overview of secure signal processing, covering four proposals for privacy-preserving smart metering aggregation is given in [17]. Protocols that are using masking for aggregating data have been proposed by [9, 10, 18]. Masking approaches aim to hide individual contributions by additive noise, but still produce a valid aggregate. Differential privacy follows a similar approach, where contributions are hidden in a noisy aggregate that fulfills some statistical properties. Differential privacy is adapted for applications in the smart grid by, e.g., [13, 19–21].
1.2 Multiple resolutions
Approaches of this type suggest to represent load curve data in multiple resolutions, where each resolution can be used for a different purpose — e.g., low resolution for billing — and is therefore disclosed to selected parties only, e.g., [22]. Using the wavelet transform in order to produce an integrated bitstream supporting multiple resolutions has been proposed by [23]. Combined with conditional access, i.e., different encryption keys for each resolution [24], this wavelet-based representation allows user-centric privacy management: access can be granted or revoked for each resolution. Access to high resolutions, which are privacy-sensitive, may be reserved to a small number of trusted entities only, whereas resolutions of medium granularity may be provided more freely, e.g., to contribute to network stability (in exchange for lower energy prices or other incentives). An approach combining multiple resolutions and direct user control for smart metering is shown in [25]. The combination of MRA with homomorphic encryption, which is also one of the topics in this paper, has been discussed in [26].
1.3 Contribution
In this paper, a set of three privacy-preserving smart metering data aggregation methods that combine the two types of approaches, namely, multi-resolution representation and (i) homomorphic encryption; (ii) masking; and (iii) differential privacy, is proposed. This improves the capabilities for managing privacy requirements, as the combination of “traditional” privacy-enhancing methods with multi-resolution representation significantly increases the choices available for both system operator and end-user. We further contribute the sketch of a protocol for distributing keys and for providing distinct resolutions to different parties. Access control does not relate to the aggregated signal as a whole anymore, but access can be granted on the aggregate on each resolution individually. This is an important feature, as it allows to grant access to participants in the smart grid system, based on their roles and the functions they have to fulfill. Each role can be assigned access to the aggregate on the minimum resolution necessary to fulfill the functions associated with this role.
The combination of MRA with homomorphic encryption has previously been proposed in [26]. This paper extends the previous work by applying multi-resolution techniques to masking and differential privacy. A comprehensive presentation, discussion, and evaluation of multi-resolution representation in combination with widely used PETs is given.
The rest of this paper is structured as follows: in section Multi-resolution PETs the application scenario and common definitions are introduced. In section Background, background is presented on wavelets for the multi-resolution representation of load curves as well as on the three privacy-enhancing technologies (PETs) homomorphic encryption, masking, and differential privacy. Sections Multi-resolution secure aggregation, Multi-resolution masking, and Multi-resolution differential privacy describe each of these PETs individually and propose the combination of these approaches with wavelets. In section Evaluation, the security features of the proposed protocols, as well as cost and complexity are discussed, and further, the system is evaluated with respect to real-world applicability on the basis of a prototypical implementation. Section Conclusions summarizes this paper and gives an outlook to future work.
2 Multi-resolution PETs
While homomorphic encryption, simple masking, and differential privacy are efficient methods for the spatial reduction of resolution, temporal aggregation is not sufficiently covered with any of these approaches. Temporal resolution of time series can be reduced by subsequently applying a number of filters. When —for instance — applying an appropriate low-pass filter to a time series, all frequencies above the cutoff frequency are omitted, which results in a signal with less information. This is effectively performed by applying the wavelet transform, in particular the Haar wavelet, to a series of values.
2.1 Application scenario
- 1.
Settlement and profiling. In the energy market electricity generators and electricity suppliers trade at a wholesale marketplace. The arrangement of payments among these parties is called settlement [2, 9]. Profiling is used for determining forecasts and training models, e.g., in the UK this is based on half-hourly meter data from a representative sample of households [2]. Both applications thus require data in a comparably low resolution, but spatially aggregated over a number of households.
- 2.
Network monitoring. Network monitoring is used for detecting outages and peaks and thus maintaining the stability of the power grid. A detailed monitoring of power consumption, voltage levels and phase shifts is an important feature for network operators. For monitoring purposes, data at a high temporal resolution but with little spatial resolution is required.
- 3.
Billing. Billing requires meter data in a low temporal resolution (e.g., one value per month or year), however, on a per household or on a per meter basis, hence not spatially aggregated at all. In future applications, dynamic pricing might also require more fine-grained data [27]. Multi-resolution PETs enable the provision of load profiles in certain resolutions depending on the particular use case.
2.2 Topology
2.3 Problem statement and definitions
Given a number of smart meters SM_{ i }, for i=1…N, one or more aggregators A _{ k }, for k=1…M, and a trusted third party (TTP), each meter i measures a time series of values, i.e., at time t it measures m _{ i,t }. In this paper, a series of values measured by a meter i is denoted as m _{ i }. In order to protect customer privacy, the sum of the energy consumption for all smart meters should be provided to the aggregator. The following restrictions and requirements apply (aggregator oblivious): (i) no aggregator can gain any information about individual contributions; (ii) each aggregator can only unmask a valid sum up to the time resolution r≤R (with R as the maximum resolution) that is intended to be revealed for this aggregator. Hence, the aggregator is considered to be untrusted. In practice, the smart meters can be considered to be physically arranged in either a tree or a ring topology. Logic topologies may defer and may depend on the concrete protocol. For homomorphic encryption and masking, the TTP is needed to provide the keys (pk^{ r }, sk^{ r }) and the key shares (key^{ r }), respectively, to the smart meters and aggregators.
For this paper, we assume that there is a sufficient underlying secure communication infrastructure, i.e., the bidirectional and reliable exchange of information and the secure distribution of keys is given as well as authenticated communication among participants is guaranteed by, e.g., AES [29] and X.509 certificates [30]. We further assume all devices to be tamper-proof, i.e., the meter value itself cannot be manipulated.
3 Background
In this section, we briefly review the existing work on multi-resolution representation, homomorphic encryption, masking, and differential privacy.
3.1 Wavelet-based representation
A wavelet transform starts with the original load curve m=(m _{1},m _{2},…,m _{ T }), which denotes a series of values. Each step splits the original load curve into a high-pass component h and a low-pass components l. If the wavelet transform is performed recursively in d steps, this is denoted as W _{ d }(m). In each step q, for q=1,…d, half of the data (the highpass data) h _{ q } are stored as the wavelet coefficients (subband) of scale q, and the next step is performed for the low-pass data. At the end of the transformation, the final subband h _{ d } consists of a fraction of 2^{−d } samples compared to the original load curve. The higher the scale q, the lower the time resolution r:=d−q. Reindexing, and introducing the notation h ^{ r }=h _{ d−q }, at the end of the transformation one obtains a sequence h=(l _{0},h _{1},…,h _{ d }).
This selection can be realized in practice by replacing the high-pass subbands with zeros, i.e., applying T _{ r }(·) to a sequence W(m)=(l _{0},h _{1},…,h _{ r },…,h _{ d−1},h _{ d }) yields a sequence T _{ r }(W(m))=(l _{0},h _{1},…,h _{ r },0,…,0). This limits, after applying the inverse wavelet transform, the resolution of the signal. Making the signal available at the needed resolution instead of the full resolution increases privacy because less (personal) information can be deduced [8].
In [23], a variety of wavelet filters regarding their utility for the multi-resolution representation of load curves was evaluated. Only lossless transformations are useful in the context of smart metering. The Haar wavelet filter preserves the average over all resolutions, which is an important property for many use cases. Using the lifting implementation of the Haar wavelet, the transformation can be realized efficiently.
3.2 Additive homomorphic encryption
This property means that the decryption of the product of the ciphertexts is the sum of the original plaintext messages.
Privacy is preserved because of the distributed way of processing. Smart meters only have the plaintext information of their own messages, because they cannot decrypt the messages they get. The aggregator can decrypt messages, but, as it receives the product of the individual ciphertexts, it can only decrypt the sum of the load curves.
3.3 Masking
hence, the shares cancel each other out upon summation.
Principally, smart meters calculate the masked value \(\tilde m_{i}\) and submit this value to an aggregator. Once the aggregator has received all masked values, it can calculate the unmasked sum. If a single value is missing, the secret shares will not cancel each other out, and neither the aggregate nor any individual contribution can be reconstructed.
Kursawe et al. [9] present a number of methods for constructing such shares that meet the requirement for untraceability of individual contributions: (i) aggregation protocols for determining the sum as described above; and (ii) comparison protocols that require the aggregator already knows an (at least) approximate sum. For our purpose, we focus on the low-overhead protocol from the first group which has already been used in practical implementations [33]. For the low-overhead protocol, all smart meters hold a public key \(\phantom {\dot {i}\!}\text {pk}_{i}=g^{X_{i}}\) with X _{ i } as a secret key and \(g \in \mathbb {G}\) as a generator of a group satisfying the computational Diffie-Hellman assumption [34]. Each SM_{ i } is given the set of all public keys and computes a set of N−1 shared keys by \(K_{i,j}=H(\text {pk}_{j}^{X_{i}})\) with j=1…N.
In the method proposed by [9], shares cancel each other out pairwise, since s _{ i }+s _{ N−i }=0
j/i | 1 | 2 | 3 | … | N |
---|---|---|---|---|---|
1 | −H(K _{2,1}||t) | −H(K _{3,1}||t) | … | −H(K _{ N,1}||t) | |
2 | +H(K _{1,2}||t) | −H(K _{3,2}||t) | … | −H(K _{ N,2}||t) | |
3 | +H(K _{1,3}||t) | +H(K _{2,3}||t) | … | −H(K _{ N,3}||t) | |
⋮ | ⋮ | ⋮ | ⋮ | \(\ddots \) | ⋮ |
N | +H(K _{1,N }||t) | +H(K _{2,N }||t) | +H(K _{3,N }||t) | … | |
\(\sum _{j}\) | s _{1,t } | s _{2,t } | s _{3,t } | … | s _{ N,t } |
3.4 Differential privacy
While differential privacy is a theoretically appealing definition with nice properties (e.g., a function is differentially private under postprocessing), it is achieved by perturbing the function result with Laplacian noise \(\tilde f(t) = f(t)+n_{t}\) [19], where each noise value n _{ t } is independently and identically sampled from a Laplacian distribution n _{ t }∼Lap_{ λ } (the parameter λ must be set using the sensitivity of the function f [19]). As a drawback, the function result is not exact and can be useless if the number of entries in the dataset is too small.
4 Multi-resolution secure aggregation
4.1 Principal secure aggregation scheme
Homomorphic encryption is applied to each resolution separately with a different pair of keys (pk_{ r },sk_{ r }) for each resolution r. The resulting signal m is the sum of all signals m _{ i } (each of which has a maximum resolution of R) at resolution r≤R, whereby, W(·) denotes a wavelet transformation. The collector node can perform aggregation (i.e., multiply) in the encrypted domain, i.e., it does not have any keys. This ensures that the aggregating node cannot get information about the loads of its children, e.g., by divisions.
4.2 Basic approach
The aggregator gets the product of the encrypted messages and can therefore not extract any information about the individual messages. However, it can calculate the sum of the messages which is the information needed, e.g., for load forecasting. Note again that the product of the ciphertexts is calculated in either a distributed way by the smart meters or by a data concentrator and not by the aggregator (see section Topology). The number n must be chosen depending on the desired security level. It further determines the aggregation group size, since \(\prod _{i} E\left (T_{r}\left (W\left (m_{i}\right)\right)\right)<n^{2}\) and \(D\left (\prod _{i} E\left (T_{r}\left (W\left (m_{i}\right)\right)\right)\right)<n\). In section Space considerations, the issue of aggregation group sizes is discussed in detail. For the sake of readability the modulus parts of the calculations are omitted in the following proof.
Proof
is obtained. □
4.3 Multiple aggregators
An example use-case scenario is the use of aggregated load information for energy monitoring by the network operator as, e.g., suggested by [17]. The approach proposed here adds an additional layer of flexibility by making the aggregates available at different resolutions and only grant access to parties on the resolutions they need to fulfill a specific task. In combination with suitable key management, this approach implements the “need-to-know” principle of access for aggregated signals. The secure aggregation scheme presented above can be extended to support multiple aggregators. Each aggregator receives data in a certain resolution. This is easily achieved by encrypting with different keys at the collector node.
5 Multi-resolution masking
5.1 Principal masking scheme
Each smart meter SM_{ i } calculates at each time t=0…T a masked value \(\tilde m_{i,t}\) by adding a random share s _{ i,t } to its measured value m _{ i,t }. Upon spatial aggregation, the shares s _{ i } cancel each other out and the aggregator receives an unmasked sum. Note that in the following, operations involving masking of type a+b mod κ are written as a+b, i.e., the modulo parts are omitted for the sake of brevity and readability.
This approach can be enhanced by allowing to reduce the temporal resolution of the signal. Even more, a number of different resolutions can be provided within the same bitstream, and the key for a certain resolution is only given to the aggregator. This is achieved by applying a wavelet transform to the signal. Hence, even if the aggregator is given the full load curve data, it can only unmask the bitstream up to the resolution for which it holds the key share.
5.2 Basic approach
The basic approach describes spatio-temporal masking with one aggregator.
5.2.1 Initialization
TTP agrees with all smart meters in the group G={SM_{1},…,SM_{ N }} on providing a resolution r of a total of T values to an aggregator A.
5.2.2 Masking
Simultaneously, all SM_{ i } and TTP calculate a random share s _{ i,t } for t=0…T, as described for the principal masking above. Each smart meter now holds a set of shares s _{ i } and TTP holds a key share key.
All SM_{ i } now calculate a series of masked values \(\tilde m_{i} = W(m_{i}) + s_{i}\) and submit this series to A. TTP calculates the key share key^{ r } for the resolution r of its key share by T _{ r }(key) and submits this to A. Note that the wavelet transform is only applied to the metered value and before adding the random share.
5.2.3 Aggregation
If the aggregator attempts to retrieve any resolution r ^{+}>r, the result will be noisy and useless. However, the aggregator may reconstruct arbitrary resolutions r ^{−}≤r from the data.
Proof
However, after applying the function T _{ r }(·) with the same parameter r to the equation, this yields Eq. 20 which is the correct result for this particular resolution r. Note that the wavelet transform is recursively applied to the resulting low-pass band, i.e., any resolution r ^{−}<r can be retrieved, since applying T _{ r }(·) to the key share only replaces the high-pass components by zero, and only the low-pass components remain for reconstructing the signal. □
Note that this scheme fulfills both of our initial requirements: (i) individual contributions are masked, and the aggregator cannot gain any information without having all the values from all SM_{ i }∈G; and (ii) the highest resolution that is accessible for the aggregator is determined by the resolution of the key share.
5.3 Multiple aggregators
The scheme we present in the following extends the basic approach with multiple aggregators that receive data in different resolutions. Extending the scheme requires more overhead and communication than for the secure aggregation. A simple approach would be to have multiple bitstreams in multiple resolutions for each aggregator. The advantage of the MRA approach is, however, to have all the information for different resolutions in a single bitstream where no data expansion occurs. Therefore, a different key share for every recipient is created with the tradeoff of distributing an aggregate of M−1 key shares in addition to the actual key share.
5.3.1 Initialization
For the enhanced scheme supporting multiple aggregators L={A _{1},…,A _{ M }}, a TTP agrees with all smart meters in the group G={SM_{1},…,SM_{ N }} on providing a resolution r _{ k } of a total of T values to each aggregator A _{ k }∈L.
5.3.2 Masking
As in the basic scheme, all smart meters SM_{ i } calculate a random share s _{ i,t } for t=0…T. Again, each smart meter now holds a set of shares s _{ i }, calculates the series of masked values \(\tilde m_{i} = W(m_{i}) + s_{i}.\) and submits this series to all aggregators A _{ k }∈L. TTP calculates a total of M (number of aggregators) key shares key_{1},…,key_{ M }. For each key share k=1…M, TTP further calculates the resolution r _{ k } by \(\text {key}_{k}^{r_{k}} = T_{r_{k}}(\text {key}_{k})\) and submits this to A _{ k }. It further submits the sum of all other key shares \(\sum _{i \neq k} \text {key}_{i}\) to A _{ k }.
5.3.3 Aggregation
As for the basic approach, both of our initial requirements are fulfilled: (i) individual contributions are masked, and none of the aggregators can gain any information without having all the values from all SM_{ i }∈G and the sum of all other key shares \(\sum _{i \neq k} \text {key}_{i}\); and (ii) the highest resolution that is accessible for each aggregator is determined by the resolution of the individual key share. These requirements are fulfilled due to the properties of the masking approach as introduced in section Masking and formally shown in section Basic approach.
5.4 Proof of correctness
In the following, it is shown that applying the wavelet transform to a meter value and masking can be combined in order to provide a certain resolution only. This proof is — for simplicity and without loss of generality — for a single smart meter and a single aggregator. The proof also applies to multiple smart meters and multiple aggregators. The only difference is that instead of a single meter value, share and key, respectively, a (spatially) aggregated sum of values is used. For multiple aggregators, the sum of all other key shares is also required as shown in the previous section.
Proof
Given the property of masking, shares cancel each other out by \(s^{r}_{i} + \text {key}^{r} = 0\), and therefore \(m^{r}_{i} + W^{-1} \left (0 \right) = \hat m^{r}_{i}\).
This is obviously equivalent to \(m^{r}_{i} = \hat m^{r}_{i}\), i.e., the aggregator only receives a certain resolution \(m_{i}^{r}\) of the original meter value m _{ i }. □
6 Multi-resolution differential privacy
In this section, it is shown that the wavelet approach can be combined with an additional differential privacy method. The benefit of this approach is an additional ε-differential privacy guarantee (Eq. 7) for the resulting aggregated signal.
6.1 Combining wavelets and differential privacy
is shown to be a perturbed function of the smoothed consumption sum. This smoothed consumption sum is ε-differentially private, if the Laplacian noise is set in the right manner. Therefore, in principle, the wavelet decomposition is compatible with differential privacy.
Another difference to the presented masking scheme is that the noise is added to the restricted wavelet values instead of the unrestricted values W(m _{ i }) (Eq. 32). However, since several different resolutions occur, setting the right amount of noise λ is not trivial and remains a task for future research. First preliminary steps in that direction show that it is possible to derive a choice for λ which, however, only provides differential privacy for a single resolution r. With such a noise differential privacy can only be provided for a single resolution r and, due to the post-processing property, all coarser solutions.
6.2 Choice of parameter λ
In this subsection, we show how the parameter λ must be chosen by proving the following theorem.
where \(\mathcal {R}\) denotes the number of coefficients up to resolution r=d−q.
Note that \(\mathcal {R}\) consists of a fraction of 2^{−q } samples compared to the original load curve. The smaller the resolution r, the smaller the λ, and therefore the added noise is chosen.
Proof
If we manage to prove differential privacy for our choice of f, the proof is finished since a function applied to a differentially private mechanism can not destroy the differential privacy property (closure under post-processing property of differential privacy). Therefore, if \(\tilde {w}^{r}\) is ε-differentially private this also holds for \(\tilde {m}^{r} = W^{-1}(\tilde {w}^{r})\).
Thus, theorem Differential privacy can be applied and proves differential privacy for f. □
7 Evaluation
In this section, we evaluate the proposed PETs in combination with MRA with respect to the security features, cost and complexity, and real-world applicability.
7.1 Applications
In this paper, multi-resolution secure aggregation has been introduced for both single aggregator and multiple aggregators. Given the building blocks of the additive homomorphic Paillier cryptosystem, masking, and differential privacy in combination with the wavelet transform, a scheme can be constructed that allows to encrypt different resolutions with different keys while maintaining a single bitstream. In section Application scenario, three typical application scenarios for smart grid have been introduced: (i) settlement and profiling; (ii) network monitoring; and (iii) billing.
Settlement and profiling require data in a comparably low resolution, but spatially aggregated over a number of households for determining forecasts and training models. Network monitoring, by contrast, still works with the aggregate, but requires a much higher temporal resolution. Both homomorphic encryption and masking can be used for aggregating over a number of smart meters, e.g., from households connected to the same substation or participants belonging to the same consumption group (residential/industrial). By adding the ability to selectively decrypt a subset of multiple resolutions, the same aggregated bitstream, but with different keys, can be provided to both the utility provider for forecasts and model training and the network operator for network monitoring. This reduces the overhead for managing and transferring various bitstreams simultaneously to distinct recipients. While network monitoring might require very high accuracy (e.g., voltage levels must remain in a narrow band), for settlement and profiling, customer privacy can be even enhanced by adding differential privacy in order to prevent the detection of the presence of a single household in the aggregate, while at the same time providing a certain guaranteed ε-differential privacy level. While differential privacy is a compelling approach due to this property, it is not suitable for applications that require the exact aggregate.
Billing and dynamic pricing will require data at high resolutions and generally not aggregated. Further, differential privacy is not a desired property for billing. However, if in a dynamic pricing scenario, data in different granularity is needed over the day (e.g., a stable night tariff and more dynamic tariffs at noon), the multi-resolution approach allows to dynamically adjust the level of granularity of the provided meter data.
7.2 Security analysis
In this section, a security analysis of the proposed PETs is conducted. We consider an honest-but-curious adversarial model, meaning the adversary follows the protocols but tries to gain additional information.
Secure signal processing: for MRA with secure signal processing, an honest-but-curious aggregator will not learn any information. Due to the additive homomorphic property of the cryptosystem, even at collector nodes, all operations are performed in the encrypted domain, and the aggregator can only decrypt the sum.
Masking with single aggregator: for a total number of smart meters N>1 and a single aggregator M=1, the masking scheme preserves full privacy in terms of spatial resolution, and it preserves full privacy with respect to temporal resolution. Given exactly one aggregator M=1, the basic approach for multi-resolution masking is applied. A receives a set of N masked values and a single key share. By combining both, A can calculate the sum at a particular resolution. For spatial aggregation, privacy is preserved by the scheme proposed by Kursawe et al. [9], i.e., the individual measurements are masked, and the random shares cancel each other out upon summation. The temporal resolution is limited by the resolution of the key share. The privacy preserving feature of this approach has been discussed in detail in section Basic approach. Section Proof of correctness includes the proof of correctness for the masking approach in combination with wavelets.
Masking with multiple aggregators: for a total number of smart meters N>1 and a total number of aggregators M=2, the multiple aggregators approach for multi-resolution masking is applied. Each aggregator A _{ k },k={1,2} receives a set of N masked values, an individual key share \(\text {key}_{1}^{r}\) and \(\text {key}_{2}^{r}\), respectively and the sum of the keys of all other aggregators \(\sum _{i \neq 1} \text {key}_{i}^{r} = \text {key}_{2}^{r}\) and \(\sum _{i \neq 2} \text {key}_{i}^{r} = \text {key}_{1}^{r}\), respectively. Therefore, each aggregator additionally holds the other aggregators share in full resolution and thus privacy in terms of temporal aggregation is not given anymore.
For a setting with M>2 privacy is preserved, as the key shares of all other aggregators are hidden in the sum. Therefore, the above limitation for M=2 does not apply, since \(\sum _{i \neq k} \text {key}_{i}^{r} \neq \text {key}_{i}^{r}\) for any i,k∈{1…M}. This means that holding all keys except for one does not yield a valid key. This assures that the aggregator cannot learn anything beyond the resolution of the key, which is formally shown in section Multiple aggregators.
Differential privacy: it is a proven property of differential privacy, that the aggregator has no means to decrease privacy of the aggregated signal by any kind of postprocessing. If differential privacy would be combined with wavelets only, the aggregator could, however, inspect a single smart meter’s consumption profile. A single profile is only protected by Gamma-distributed noise which does not provide differential privacy. Therefore, the mechanism achieving differential privacy must include a way to protect the summation operation by using a secure aggregation scheme, e.g., as described in section Multi-resolution secure aggregation.
7.3 Space considerations
When using homomorphic encryption for aggregation, the modulus n determines the amount of data that can be stored within one encrypted packet. Let us denote the number of bits needed to represent a wavelet coefficient by \(\bar m,\) and the number of values used for the wavelet transform by T. The sum of two coefficients will take up \(\bar m+1\) bits of space. More generally, the sum of u coefficients requires \(\left \lceil \log _{2}(u) + \bar m \right \rceil \) bits. If encrypting each wavelet coefficient individually, i.e., using T encryptions, the modulus of n bits allows to sum up a total of \(u \leq 2^{n -\bar m}\) wavelet coefficients, since \(n = \left \lceil \log _{2}(u) + \bar m \right \rceil \), i.e., u represents the total number of wavelet coefficients from household measurement values that can be aggregated for a given modulus.
Setting T=256, n=1024 and \(\bar m=16\), this allows for the aggregation of more than 2·10^{303} households but requires 256 encryptions. However, in practice such large aggregation groups are not needed. Instead of encrypting each coefficient individually, the available space of n bits can be exploited better when using data packing [36]. Values are shifted to a certain bit range, such that a number of values can be packed within a single encryption. The available space is therefore split into p packets of fixed size n ^{′}, i.e., \(p = \frac {n}{n'}\). This allows for \(n' = \left \lceil \log _{2}(u') + \bar m \right \rceil \) a number of \(u' \leq 2^{n' -\bar m}\) wavelet coefficients per packet, and a total of u ^{′}·p wavelet coefficients of household measurement values per encryption. This results in only \(T'=\frac {T}{p}\) encryptions.
Setting n=1024, \(\bar m=16\) and n ^{′}=32, this results in p=32 packets and still allows to aggregate up to 65536 households, but with only a fraction (T ^{′}=8) of the number of encryption operations compared to the above approach where each coefficient is encrypted separately. In practice, these values have to be chosen with respect to the number of households that will be aggregated.
7.4 Cost and complexity
Execution time t in milliseconds and standard deviation σ for transforming/encrypting/masking a single load curve (average over 400 load curves with 100 encryptions each)
WAV | AES | HYB | PAI-2048 | PAI-4096 | MA | ||
---|---|---|---|---|---|---|---|
t | <0.001 | 0.07 | 0.7 | 5,219 | 38,700 | <0.001 | |
σ | <0.001 | 0.02 | 0.01 | 25.4 | 51 | <0.001 |
It can be seen that by using a lifting implementation, the computational overhead of the wavelet transformation is negligible compared to the encryption step. Homomorphic encryption comes at the cost of a significant increase in computational overhead compared to that of conventional encryption. The results show that the computational demands grow exponentially with the module size. Although the used implementation of Paillier is not optimized and could be improved considerably in terms of efficiency, it is clear that running homomorphic encryption on smart meter hardware will provide a challenge: while AES encryption only takes 1.25 ms, for the used (non-optimized) implementation, Paillier encryption with a 2048 bit module of a load curve with 96 values takes approximately 52 s. Further, it can be seen that masking is highly efficient in terms of computation time when compared to encryption, however, at the cost of losing the entire aggregate when a single smart meter fails.
8 Conclusions
The approaches proposed in this paper allow to get both temporal and spatial aggregation by combining the wavelet transform with homomorphic encryption, masking, and differential privacy. In this paper, it has been shown that it is possible to combine homomorphic encryption, masking, and differential privacy with the Haar wavelet transform. Furthermore, a protocol has been sketched for addressing different aggregators with different resolutions of the measured time series while still maintaining a certain level of privacy. For masking, future work will focus on a scheme that is more error-resilient and still yields the correct result even if a subset of smart meters fail.
9 Endnote
^{1} Building on the implementation by Kun Liu http://www.csee.umbc.edu/~kunliu1/research/Paillier.html
Declarations
Acknowledgements
The financial support by the Austrian Federal Ministry of Science, Research and Economy and the Austrian National Foundation for Research, Technology and Development is gratefully acknowledged. Funding by the Federal State of Salzburg is gratefully acknowledged.
Authors’ contributions
This paper was written by FK (40%), GE (30%), and DE (30%). The detailed contributions are as follows: the Abstract was written by FK (100%). The Introduction was written by FK (80%) and DE (20%). The Background section was written by FK (40%), DE (40%), and GE (20%). The Multi-resolution Secure Aggregation section was written by DE (100%). The Multi-resolution Masking section was written by FK (100%). The Multi-resolution Differential Privacy section was written by GE (100%). The Evaluation section was written by FK (60%), DE (30%), and GE (10%). Conclusions and Outlook were written by FK (100%). The figures were created by FK (100%). Measurements for homomorphic encryption were performed by DE (100%). All authors read and approved the final manuscript.
Competing interests
The authors declare that they have no competing interests.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License(http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
Authors’ Affiliations
References
- European Commission (2014). Cost-benefit analyses and state of play of smart metering deployment in the EU-27. Technical report. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52014SC0189%26from=EN.
- McKenna, E, Richardson, I, Thomson, M (2012). Smart meter data: balancing consumer privacy concerns with legitimate applications. Energy Policy, 41, 807–14.View ArticleGoogle Scholar
- Hart, GW (1992). Nonintrusive appliance load monitoring. Proc. IEEE, 80(12), 1870–91.View ArticleGoogle Scholar
- Molina-Markham, A, Shenoy, P, Fu, K, Cecchet, E, Irwin, D (2010). Private memoirs of a smart meter. In Proceedings of the 2nd ACM Workshop on Embedded Sensing Systems for Energy-Efficiency in Building. BuildSys ’10. ACM, New York, (pp. 61–6).View ArticleGoogle Scholar
- Lisovich, M, Mulligan, D, Wicker, S (2010). Inferring personal information from demand-response systems. IEEE Secur. Priv, 8(1), 11–20.View ArticleGoogle Scholar
- Knirsch, F, Engel, D, Frincu, M, Prasanna, V (2015). Model based assessment for balancing privacy requirements and operational capabilities in the smart grid, Innovative smart grid technologies conference (ISGT), 2015 IEEE Power & Energy Society. In Proceedings of the 6th Conference on Innovative Smart Grid Technologies (ISGT2015). IEEE, Washington, (pp. 1–5).Google Scholar
- Eibl, G, & Engel, D (2014). Influence of data granularity on nonintrusive appliance load monitoring. In Proceedings of the Second ACM Workshop on Information Hiding and Multimedia Security (IH&MMSec ’14). ACM, Salzburg, (pp. 147–51).Google Scholar
- Eibl, G, & Engel, D (2015). Influence of data granularity on smart meter privacy. IEEE Trans. Smart Grid, 6(2), 930–9.View ArticleGoogle Scholar
- Kursawe, K, Danezis, G, Kohlweiss, M (2011). Privacy-friendly aggregation for the smart grid. In Privacy Enhanced Technology Symposium. Springer, Berlin Heidelberg, (pp. 175–91).View ArticleGoogle Scholar
- Gomez Marmol, F, Sorge, C, Petrlic, R, Ugus, O, Westhoff, D, Martinez Perez, G (2013). Privacy-enhanced architecture for smart metering. Int. J. Inf. Secur, 12(2), 67–82.View ArticleGoogle Scholar
- Li, F, Luo, B, Liu, P (2010). Secure Information Aggregation for Smart Grids Using Homomorphic Encryption. In Proceedings of First IEEE International Conference on Smart Grid Communications. IEEE, Gaithersburg, (pp. 327–332).Google Scholar
- Erkin, Z, & Tsudik, G (2012). Private computation of spatial and temporal power consumption with smart meters. In Proceedings of the 10th International Conference on Applied Cryptography and Network Security. ACNS’12. Springer, Berlin, (pp. 561–77).Google Scholar
- Rastogi, V, & Suman, N (2010). Differentially private aggregation of distributed time-series with transformation and encryption. In Proceedings of the 2010 ACM SIGMOD International Conference on Management of Data. ACM, Conference, Indianapolis.Google Scholar
- Danezis, G, Kohlweiss, M, Rial, A. (2011). Differentially private billing with rebates (Vol. 6958 LNCS, pp. 148–62). Berlin: Springer.Google Scholar
- Garcia, F, & Jacobs, B (2011). Privacy-friendly energy-metering via homomorphic encryption. In: Cuellar, J, Lopez, J, Barthe, G, Pretschner, A (Eds.) In Security and Trust Management. Lecture Notes in Computer Science, (Vol. 6710. Springer, Berlin, pp. 226–38).View ArticleGoogle Scholar
- Li, F, & Luo, B (2012). Preserving data integrity for smart grid data aggregation. In Third International Conference on Smart Grid Communications (SmartGridComm) 2012. IEEE, Tainan, (pp. 366–71).View ArticleGoogle Scholar
- Erkin, Z, Troncoso-pastoriza, JR, Lagendijk, RL, Perez-Gonzalez, F (2013). Privacy-preserving data aggregation in smart metering systems: an overview. IEEE Signal Proc. Mag, 30(2), 75–86.View ArticleGoogle Scholar
- Biselli, A, Franz, E, Coutinho, MP (2013). Protection of consumer data in the smart grid compliant with the German smart metering guideline. In Proceedings of the First ACM Workshop on Smart Energy Grid Security. SEGS ’13. ACM, New York, (pp. 41–52).View ArticleGoogle Scholar
- Dwork, C, McSherry, F, Nissim, K, Smith, A (2006). Calibrating noise to sensitivity in private data analysis. In Theory of Cryptography. Springer, Berlin, (pp. 265–84).View ArticleGoogle Scholar
- Acs, G, & Castelluccia, C (2011). I have a DREAM! (DiffeRentially privatE smArt Metering). In Proc. Information Hiding Conference. Springer, Berlin Heidelberg, (pp. 118–132).View ArticleGoogle Scholar
- Shi, E, Chow, R, Chan, THH, Song, D, Rieffel, E (2011). Privacy-preserving aggregation of time-series data. In Proc. NDSS Symposium 2011. Internet Society, San Diego.Google Scholar
- Efthymiou, C, & Kalogridis, G (2010). Smart grid privacy via anonymization of smart metering data. In Proceedings of First IEEE International Conference on Smart Grid Communications. IEEE, Gaithersburg, (pp. 238–43).Google Scholar
- Engel, D (2013). Wavelet-based load profile representation for smart meter privacy. In Proc. IEEE PES Innovative Smart Grid Technologies (ISGT’13). IEEE, Washington, (pp. 1–6).Google Scholar
- Peer, CD, Engel, D, Wicker, SB (2014). Hierarchical key management for multi-resolution load data representation. In 2014 IEEE International Conference on Smart Grid Communications (SmartGridComm). IEEE, Venice, (pp. 926–32).View ArticleGoogle Scholar
- Engel, D, & Eibl, G (2016). Wavelet-based multiresolution smart meter privacy. IEEE Trans. Smart Grid, PP(99), 1–12.Google Scholar
- Engel, D, & Eibl, G (2013). Multi-resolution load curve representation with privacy-preserving aggregation. In Proceedings of IEEE Innovative Smart Grid Technologies (ISGT) 2013. IEEE, Copenhagen, (pp. 1–5).View ArticleGoogle Scholar
- Jawurek, M, Johns, M, Kerschbaum, F (2011). Plug-in privacy for smart metering billing. In Privacy Enhancing Technologies (PETS). Springer, Berlin Heidelberg, (pp. 192–210).View ArticleGoogle Scholar
- Erkin, Z (2015). Private data aggregation with groups for smart grids in a dynamic setting using CRT. In 2015 IEEE International Workshop on Information Forensics and Security (WIFS). IEEE, Rome.Google Scholar
- (2001). National Institute of Standards and Technology (NIST), Specification for the advanced encryption standard (AES).Google Scholar
- ITU-T (2012). Recommendation ITU-T X.509 – Information technology – open systems interconnection – the directory: public-key and attribute certificate frameworks.Google Scholar
- Daubechies, I, & Sweldens, W (1998). Factoring wavelet transforms into lifting steps. J. Fourier Anal. Appl, 4(3), 247–69.View ArticleMATHMathSciNetGoogle Scholar
- Paillier, P (1999). Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In: Stern, J (Ed.) In Advances in Cryptology — EUROCRYPT ’99: International Conference on the Theory and Application of Cryptographic Techniques Prague, Czech Republic, May 2–6, 1999 Proceedings. Lecture Notes in Computer Science, (Vol. 1592. Springer, Berlin, pp. 223–38).View ArticleGoogle Scholar
- Defend, B, & Kursawe, K (2013). Implementation of privacy-friendly aggregation for the smart grid. In Proceedings of the First ACM Workshop on Smart Energy Grid Security - SEGS ’13. ACM, Conference, Berlin, (pp. 65–74).View ArticleGoogle Scholar
- Diffie, W, & Hellman, M (1976). New directions in cryptography. IEEE Trans. Inf. Theory, 22(6), 644–654.View ArticleMATHMathSciNetGoogle Scholar
- Kotz, S, Kozubowski, TJ, Krzysztof, P. (2001). The Laplace distribution and generalizations. Basel: Birkhäuser Basel.View ArticleGoogle Scholar
- Erkin, Z, Veugen, T, Toft, T, Lagendijk, RL (2012). Generating private recommendations efficiently using homomorphic encryption and data packing. IEEE Trans. Inf. Forensic. Secur, 7(3), 1053–66.View ArticleGoogle Scholar
- Barker, E, Barker, W, Burr, W, Polk, W, Smid, M. (2012). Division, Computer Security NIST Special Publication 800-57, Recommendation for Key Management (Revision 3): NIST.Google Scholar