Sage Journals: Discover world-class research

Abstract

Message authentication has vital significance for dynamic microgrid partition in smart grid. However, current message authentication protocols based on “public key infrastructure” are too complicated to be deployed in smart grid and lack group information management function. On the other hand, group information management protocols based on “logic key hierarchy” need to broadcast a lot of messages during microgrid partition processes, resulting in high communication costs. To address these issues, we present a novel identity-based message authentication protocol for dynamic microgrid partition called securing dynamic microgrid partition. Similar to the protocols of this field, securing dynamic microgrid partition can provide message authentication and group information management functions. However, compared to other well-known approaches, securing dynamic microgrid partition uses Bloom filter for managing group information, which can reduce the communication cost of logic key hierarchy significantly. Moreover, securing dynamic microgrid partition uses Lagrange interpolation for designing new identity-based signing and verification algorithms, which is simple to be deployed in smart grid environment and much more efficient than current identity-based protocols. Experimental results show that the proposed approach is feasible for real-world applications.

Keywords

Dynamic microgrid partition message authentication Bloom filter Lagrange interpolation

Introduction

The “smart grid (SG)” is an energy-based communication system, providing power generation, distribution, and consumption services for customers.¹ To enhance the efficiency and reliability of SGs, the concept of dynamic microgrid partition has been proposed recently,² where all “smart meters (SMs)” in a SG are dynamically divided into multiple “microgrid groups (MGs).” Typically, the microgrid partition process is conducted by an entity called “Meter data management system (MDMS),” which determines the MG each SM belongs to. And each SM is involved in three communication models (i.e. the intra-group multicast, the inter-group unicast, and the intra-group unicast models) to exchange energy with SMs in the same or different groups.³

To secure dynamic microgrid partition in the SG, message authentication protocols^4–27 have been designed for protecting messages transmitted among SMs. Regardless of the technology implemented, a message authentication scenario includes two kinds of entities: the “MDMS” and a set of SMs. In practice, as shown in Figure 1, these entities are involved in three phases (i.e. the initialization phase, the dynamic microgrid partition phase, and the message authentication phase). During the initialization phase, the MDMS generates keying materials for all SMs in the SG and deploys them to each SM, respectively. During the microgrid partition phase, the MDMS broadcasts partition information to all SMs in the SG. During the message authentication phase, one SM signs messages and transmits signatures along with messages to one or multiple SMs in the same or different groups.

Figure 1.

Secure dynamic microgrid partition overview.

Scalability is a serious concern for the above message authentication protocol. First, due to the large number of MGs and SMs in the SG, it is hard to manage so many keys for signing and verifying messages. Second, different from traditional group communications, a SM in one group may need to exchange energy with SMs in other groups, resulting in high complexity of key management. Unfortunately, traditional public-key-based^4–14 and symmetric-key-based schemes^24,25,28,29 cannot fulfill the scalability feature, as discussed below: (1) traditional public-key-based schemes (i.e. schemes based on “public key infrastructure (PKI)”^30,31) cannot fulfill the above scalability requirement, as illustrated by the following two examples. First, when there are a large number of MGs and SMs, the certificate management and verification processes will be complicated. Second, traditional PKI technique has no group information management feature. (2) Traditional symmetric-key-based schemes (i.e. schemes based on “logical key hierarchy (LKH)³²”) cannot fulfill the above scalability requirement, as illustrated by the following two examples. First, when there are a large number of MGs and SMs, the management of logical key tree will be quite complicated. Second, LKH cannot distinguish SMs in the same group and does not support inter-group communications. In sections “Related work” and “Efficiency evaluation,” we will further discuss these issues. To address the above issues, it is prerequisite to elaborately design a message authentication protocol for dynamic microgrid partition without PKI and LKH.

A message authentication protocol for dynamic microgrid partition without PKI and LKH should satisfy the following requirements:

Integrity. It should be guaranteed that the receiver gets correct messages. The integrity feature can be analyzed using two vectors (i.e. group identification and forgery). For the group identification vector, the receiver should be ensured that the sender really belongs to its claimed MG. For the forgery vector, the receiver should be ensured that the message is not tampered by an adversary.

Scalability. It should be guaranteed that the group information management and message authentication processes are simple, when there are a lot of SMs and MGs. The scalability feature can be evaluated using three vectors (i.e. deployment complexity, computation cost, and communication cost). For the deployment complexity vector, it should be ensured that no additional security infrastructure such as PKI is deployed. For the computation cost vector, it should be ensured that time for executing cryptographic algorithms is short. For the communication cost vector, it should be ensured that the length of transmitted messages is short.

Obviously, designing a message authentication protocol for dynamic microgrid partition is a nontrivial task, because there are a variety of SMs as well as MGs, resulting in a lot of integrity and scalability issues. When considering this research topic, we observe that no existing cryptographic primitive can be directly applied to satisfy all the above requirements. In section “Related work,” we will give the detailed analysis to arrive at this conclusion. Given the trend that more and more microgrids are being developed, this becomes a more severe issue. Motivated by this observation, this article mainly makes three contributions:

First, we identify the characteristics of message authentication in dynamic microgrid partition and define requirements for the protocol of this kind. We show some integrity and scalability issues of current message authentication protocols in SG.

Second, we present a novel message authentication protocol for SG called securing dynamic microgrid partition (SDMGP), which can fulfill all the above requirements. However, different from current message authentication mechanisms that are built on PKI and LKH, SDMGP is built on “identity-based cryptography (IBC),”³³ Bloom filter,³⁴ Lagrange interpolation,³⁵ and bilinear map.³⁶ We do not use PKI and LKH here due to their incomplete integrity and scalability features. On the other hand, observing that IBC has much lower deployment complexity than PKI and LKH, SDMGP aims to use it for managing keys for signing and verifying messages in SG. At the same time, we introduce the Bloom filter technique to SDMGP for group identification, which is quite lightweight. By doing so, the complicated group key management in LKH is avoided. Moreover, using Lagrange interpolation and bilinear map, we design novel signing and verification algorithms to prevent adversary from tampering messages, which enjoys low computation and communication costs.

Third, we analyze both the security and efficiency of SDMGP, showing it is feasible for real-world applications.

We organize the remainder of this article as follows. In section “Related work,” we survey the related work and discuss problems in current protocols. Section “SDMGP: the protocol” describes SDMGP in detail. Then, in sections “Security analysis” and “Efficiency evaluation,” we present the security analysis and efficiency evaluation for SDMGP, respectively. Finally, in section “Conclusion,” we draw our conclusions.

Related work

Due to the openness of SG network, message authentication has vital significance for dynamic microgrid partition. Therefore, a large number of security protocols^4–29 have been designed for this purpose. All these protocols can be categorized into three types: symmetric-key-based protocols, traditional public-key-based protocols, and identity-based protocols.

In symmetric-key-based protocols, to provide integrity protection, two SMs are pre-configured with a shared pairwise key, while SMs in the same MG are pre-configured with a shared group key. During message transmission, SMs use the shared pairwise or group key to sign and verify messages. Therefore, the message authentication protocol is quite lightweight. However, symmetric-key-based protocols have the following two issues: (1) first, for unicast message authentication, each pair of SMs in the SG will be pre-configured with a pairwise key. When there are a lot of SMs, the pairwise-key management process will be complicated (i.e. the pairwise-key management process lacks scalability), as illustrated by the following example. If there are $1000$ SMs in the SG, the total number of pairwise keys will be $1000 \times (1000 - 1) / 2 = 499, 500$ . This will lead to high communication cost. (2) Second, for multicast message authentication, each group of SMs will be pre-configured with a group key using the LKH technique. When there are a lot of SMs leaving and joining MGs, the group key management process will be quite complicated (i.e. the group key management process lacks scalability), as illustrated by the following example. During one microgrid partition process, if there are $10$ MGs in the SG, each group has 128 SMs, and there are 40 SMs in each group requesting for leaving, the MDMS will broadcast around $(\underset{2}{\log} 128 + 1) \times 40 \times 10 = 3200$ messages for transmitting new keys, according to the LKH technique. Moreover, since all SMs in the same MG use one shared group key for signing and verifying messages, the receiver in the MG cannot distinguish SMs in the MG from each other. Thomas and Thomas¹⁵ investigated real-time broadcast authentication schemes for command and control messages. Liu et al.²⁵ proposed a key management scheme to secure both unicast and multicast communications, which is based on a trusted third party. Benmalek and Challal²⁴ is a key graph management approach that is an enhancement of LKH. Perrig et al.²⁸ presented a message authentication protocol based on hash chain. Long et al.²⁹ is a combination of LKH and hash chain techniques.

In traditional public-key-based protocols, each SM is configured with a public–private key pair instead of a lot of symmetric keys. During message transmission, the sender signs messages using its private key, and the receiver verifies messages using the corresponding public key. By doing so, the pre-configuration process is much simpler than those of symmetric-key-based protocols. However, traditional public-key-based protocols have the following two issues: (1) this sort of protocols use PKI for managing certificates for signing and verifying messages, which is quite complicated. Moreover, verifying certificate leads to additional computation cost. (2) Current public-key-based protocols mainly focus on integrity protection for unicast messages, and the management of group information is largely neglected. Yaghmaee and Mohades⁴ is a message authentication protocol between a SM and a MDMS. Nizamuddin et al.⁵ designed a signcryption algorithm, which can be used for securing multicast communications. Liu et al.⁶ is an authentication protocol for V2G network. Fouda et al.^7,9 presented two message authentication protocols between gateways in SG. Li and Cao,⁸ Wu and Zhou,¹¹ Reyzin and Reyzin,¹² and Badra and Zeadally¹³ are security protocols for unicast messages in SG. Yan et al.¹⁰ is an in-network collaborative communication architecture. Nabeel et al.¹⁴ is based on the “physically unclonable function (PUF)” technique. Yavuz²⁷ is a broadcast authentication scheme for command and control messages.

Observing the above issues, we use IBC instead of LKH and PKI for avoiding the complicated key management processes. However, current IBC protocols cannot manage group information, either. To address this issue, this article aims to use the Bloom filter technique for managing group information, which is quite lightweight. In addition, we use Lagrange interpolation and bilinear map for constructing a novel identity-based message authentication protocol for SG, which enjoys low computation and communication costs. By doing so, SDMGP can fulfill all requirements described in section “Introduction.” Avril et al.¹⁶ discussed the potential use of IBC in SG. So et al.¹⁷ use IBC for securing messages transmitted between two SMs. A framework of identity-based message authentication protocol for SG is used by Nicanfar et al.¹⁸ Two identity-based symmetric key agreement protocols are described by Kamto et al.¹⁹ and Wan et al.²⁶ Nicanfar et al.²⁰ proposed an identity-based authentication protocol between a SM and the MDMS. Gentry and Silverberg²¹ introduced the concept of hierarchical IBC. Liu et al.²² presented an identity-based signing algorithm without private key generator. Lee et al.²³ is an identity-based key distribution protocol.

SDMGP: the protocol

In this section, we first introduce the preliminaries used in SDMGP. Then, we describe the system model (i.e. the high-level architecture of SDMGP). Finally, we give the construction (i.e. the algorithms used in SDMGP).

Preliminaries

Bloom filter

A Bloom filter³⁴ is a randomized data structure as described below:

Given a set $S$ with $n$ elements $S = {x_{1}, . . ., x_{n}}$ , a $m$ -bit array $BF$ , and a set of $l$ independent hash functions $I = {h_{i} (x), 1 \leq h_{i} (x) \leq m, 1 \leq i \leq l}$ , the Bloom filter technique maps each element $x_{j} \in S$ to $BF$ as follows: for $1 \leq i \leq l$ , if $h_{i} (x_{j}) = t$ , $B F_{t} = 1$ (i.e. set the $t$ th bit of $BF$ to $1$ ).

A verifier checks whether an element $x_{j} \in S$ as follows: for $1 \leq i \leq l$ , the verifier computes $t = h_{i} (x_{j})$ and checks whether the $t$ th bit in $BF$ is 1. If all checked bits are 1, the verifier can make sure $x_{j} \in S$ . Otherwise, $x_{j} \notin S$ .

From the above definition, it can be seen that a Bloom filter is a space-efficient data structure that can be used for checking whether an element is in a data set.

Lagrange interpolation

Given a set of data points $P = {(x_{j}, y_{j}), 0 \leq j \leq n}$ where no two $x_{j}$ s are the same, the Lagrange interpolation polynomial³⁵ is a linear combination $L (x) = \sum_{j = 0}^{n} y_{j} l_{j} (x)$ of Lagrange basis polynomials $l_{j} (x) = \underset{0 \leq m \leq n, m \neq j}{Π} \frac{x - x_{m}}{x_{j} - x_{m}}$ , where $0 \leq j \leq n$ .

Specifically, for $n = 1$ , the following equation holds: $L (0) = y_{0} \frac{0 - x_{1}}{x_{0} - x_{1}} + y_{1} \frac{0 - x_{0}}{x_{1} - x_{0}}$ .

Bilinear map

Let $G$ and $G_{T}$ be two groups that have the same order $q$ , and $g$ is the generator of $G$ . Then, a bilinear map group³⁶ is denoted by $\hat{e} : G \times G \to G_{T}$ , which fulfills the following requirements:

Bilinearity. $\forall x, y \in Z_{q}$ , $\hat{e} (g^{x}, g^{y}) = \hat{e} (g, g)^{xy} = \hat{e} (g^{xy}, g) = \hat{e} (g, g^{xy}) = \hat{e} (g^{y}, g^{x})$ . $\forall A, B \in G$ , $\hat{e} (XY, g) = \hat{e} (X, g) \hat{e} (Y, g)$ .

Non-degeneracy. $\exists X, Y \in G$ , $\hat{e} (X, Y) \neq 1_{G_{T}}$ .

Computability. For $\forall X, Y \in G$ , it is efficient to compute $\hat{e} (X, Y)$ .

System model

The system model of SDMGP is shown in Figure 2, including three phases as described below. And the notations used in this article are listed in Table 1.

Figure 2.

System model of SDMGP.

Table 1.

Notation table.

Notation	Description
$SG = {S M_{1}, . . ., S M_{k}}$	A set of identities of smart meters in the smart grid
$pub$	$pub$ is the set of public parameters
$G, q, g$	$G$ is a group, $q$ is the order of $G$ , and $g$ is the generator of $G$
$p k_{1}, p k_{2}$	Public keys of MDMS
$s k_{r} = {a, b}$	Private keys of MDMS
$sk = {s k_{i}, 1 \leq i \leq k}$	Private keys of smart meters in the smart grid
$SG = {M G_{i}, 1 \leq i \leq l}$	A set of microgrids in the smart grid
$BF = {B F_{x}, 1 \leq x \leq l}$	A set of Bloom filters of microgrids
$M, σ_{M}$	Transmitted message and its signature
$h (), H (), h_{j} (), 1 \leq j \leq l$	Hash functions

The initialization phase

During the initialization phase, the MDMS first generates a set of public parameters and its own private key. Then, it generates a private key for each SM and distributes keying materials to each SM. The key-generating algorithm is shown below.

${pub, s k_{r}, sk} \leftarrow GenKey (SG)$ . This algorithm is run by the MDMS for initializing cryptographic parameters of SDMGP. It takes as input the set of identities of SMs in the SG (i.e. $SG = {S M_{1}, . . ., S M_{k}}$ ), and outputs a set of public parameters (i.e. $pub$ ), the MDMS’s private key (i.e. $s k_{r}$ ), and a set of private keys of SMs (i.e. $sk = {s k_{1}, . . ., s k_{k}}$ ), where $k$ is the number of SMs in the SG.

After the initialization phase, the MDMS holds $(s k_{r}, pub)$ , while each SM (e.g. $S M_{i} \in SG$ ) holds $(s k_{i} \in sk, pub)$ .

The dynamic microgrid partition phase

The dynamic microgrid partition phase which is carried out between the MDMS and multiple SMs is as follows.

Given a smart grid $SG$ , the MDMS divides it into various number of MGs $SG = {M G_{1}, \dots, M G_{l}}$ , where $l$ is the number of MGs. Then, for $1 \leq x \leq l$ , the MDMS creates a Bloom filter $B F_{x}$ and maps each identity $S M_{i} \in M G_{x}$ to $B F_{x}$ using the following $BFMap$ algorithm. Finally, the MDMS broadcasts the set of Bloom filters $BF = {B F_{x}, 1 \leq x \leq l}$ all over the SG. The $BFMap$ algorithm is shown below.

$B F_{x} \leftarrow BFMap (M G_{x})$ . This algorithm is run by the MDMS for mapping each identity $S M_{i} \in M G_{x}$ to $B F_{x}$ . It takes as input the set of identities (i.e. $M G_{x}$ ) and outputs a Bloom filter (i.e. $B F_{x}$ ).

Upon receiving $BF$ , each $S M_{i} \in SG$ checks whether it belongs to $M G_{x}$ , using the following checking algorithm.

${T, F} \leftarrow BFchk (B F_{x}, S M_{i})$ . This algorithm is run by $S M_{i} \in SG$ for checking whether it belongs to the group $B F_{x}$ . It takes as input the identity of the SM (i.e. $S M_{i}$ ) and the Bloom filter (i.e. $B F_{x}$ ), and output $T$ if $S M_{i}$ belongs to $B F_{x}$ . Or $F$ otherwise.

The message authentication phase

There are mainly three kinds of message transmissions in SG, namely, intra-group multicast, intra-group unicast, and inter-group unicast, which are shown in Figure 3. During intra-group multicast, the sender (e.g. $S M_{i} \in M G_{x}$ ) signs a message (i.e. $M$ ) and multicasts it to the MG (i.e. $M G_{x}$ ) along with the signature (i.e. $σ_{M}$ ), while each $S M_{j} \in M G_{x}$ verifies the received message. During inter-group unicast, the sender (e.g. $S M_{i} \in M G_{x}$ ) signs a message (i.e. $M$ ) and unicasts it to an SM in another microgrid (e.g. $S M_{j} \in M G_{y}$ ) along with the signature (i.e. $σ_{M}$ ), while the receiver (i.e. $S M_{j} \in M G_{y}$ ) verifies the received message. During intra-group unicast, the sender (e.g. $S M_{i} \in M G_{x}$ ) signs a message (i.e. $M$ ) and unicasts it to the receiver (i.e. $S M_{j} \in M G_{x}$ ) along with the signature (i.e. $σ_{M}$ ), while the receiver (i.e. $S M_{j} \in M G_{x}$ ) verifies the received message. Algorithms used in these three message authentication processes are described below, respectively.

Figure 3.

The message authentication phase.

$σ_{M} \leftarrow IntraMSigning (M, B F_{x}, s k_{i}, S M_{i}, pub)$ . This algorithm is run by the SM (i.e. $S M_{i}$ ) for signing the message (i.e. $M$ ) multicasted to the intra-group $M G_{x}$ . It takes as inputs the message to be multicasted (i.e. $M$ ), the Bloom filter of the group (i.e. $B F_{x}$ ), the private key of $S M_{i}$ (i.e. $s k_{i}$ ), the identity of $S M_{i}$ (i.e. $S M_{i}$ ), and the public parameter (i.e. $pub$ ), and outputs a signature $σ_{M}$ .

${T, F} \leftarrow IntraMchk (M, σ_{M}, B F_{x}, s k_{j}, S M_{i},$ $pub)$ . This algorithm is run by the SM (i.e. $S M_{j}$ ) for checking the integrity of the received intra-group multicast message (i.e. $M$ ). It takes as inputs the message (i.e. $M$ ), the signature (i.e. $σ_{M}$ ), the sender’s Bloom filter (i.e. $B F_{x}$ ), $S M_{j}$ ’s private key (i.e. $s k_{j}$ ), the sender’s identity (i.e. $S M_{i}$ ), and the public parameter (i.e. $pub$ ), and outputs $T$ if $M$ is not tampered. Or $F$ otherwise.

$σ_{M} \leftarrow InterUSigning (M, B F_{x}, s k_{i}, S M_{i}, S M_{j},$ $B F_{y}, pub)$ . This algorithm is run by the SM (i.e. $S M_{i} \in M G_{x}$ ) for signing the message (i.e. $M$ ) unicasted to the inter-group SM (i.e. $S M_{j} \in M G_{y}$ ). It takes as inputs the message to be sent (i.e. $M$ ), the Bloom filter of the sender’s group (i.e. $B F_{x}$ ), the private key of $S M_{i}$ (i.e. $s k_{i}$ ), the identity of $S M_{i}$ (i.e. $S M_{i}$ ), the identity of the receiver (i.e. $S M_{j}$ ), the Bloom filter of $S M_{j}$ (i.e. $B F_{y}$ ), and the public parameter (i.e. $pub$ ), and outputs a signature $σ_{M}$ .

${T, F} \leftarrow InterUchk (M, σ_{M}, B F_{x}, s k_{j}, S M_{i},$ $pub)$ . This algorithm is run by the SM (i.e. $S M_{j} \in M G_{y}$ ) for checking the integrity of the received message (i.e. $M$ ). It takes as inputs the message (i.e. $M$ ), the signature (i.e. $σ_{M}$ ), the sender’s Bloom filter (i.e. $B F_{x}$ ), $S M_{j}$ ’s private key (i.e. $s k_{j}$ ), the sender’s identity (i.e. $S M_{i}$ ), and the public parameter (i.e. $pub$ ), and outputs $T$ if $M$ is not tampered. Or $F$ otherwise.

$σ_{M} \leftarrow IntraUSigning (M, B F_{x}, s k_{i}, S M_{i}, S M_{j}, pub)$ . This algorithm is run by the SM (i.e. $S M_{i} \in M G_{x}$ ) for signing the message (i.e. $M$ ) unicasted to the intra-group SM (i.e. $S M_{j} \in M G_{x}$ ). It takes as inputs the message to be sent (i.e. $M$ ), the Bloom filter of the sender’s group (i.e. $B F_{x}$ ), the private key of $S M_{i}$ (i.e. $s k_{i}$ ), the identity of $S M_{i}$ (i.e. $S M_{i}$ ), and the public parameter (i.e. $pub$ ), and outputs a signature $σ_{M}$ .

${T, F} \leftarrow IntraUchk (M, σ_{M}, B F_{x}, s k_{j}, S M_{i},$ $pub)$ . This algorithm is run by the SM (i.e. $S M_{j} \in M G_{x}$ ) for checking the integrity of the received message (i.e. $M$ ). It takes as inputs the message (i.e. $M$ ), the signature (i.e. $σ_{M}$ ), the sender’s Bloom filter (i.e. $B F_{x}$ ), $S M_{j}$ ’s private key (i.e. $s k_{j}$ ), the sender’s identity (i.e. $S M_{i}$ ), and the public parameter (i.e. $pub$ ), and outputs $T$ if $M$ is not tampered. Or $F$ otherwise.

From the above system model, it can be seen that there are nine cryptographic algorithms used in SDMGP (i.e. $GenKey$ , $BFMap$ , $BFchk$ , $IntraMSigning$ , $IntraMchk$ , $InterUSigning$ , $InterUchk$ , $IntraUSigning$ , and $IntraUchk$ ). In the following subsection, we will construct these nine algorithms using Bloom filter and Lagrange interpolation.

Construction

The construction of SDMGP is a tuple ( $GenKey$ , $BFMap$ , $BFchk$ , $IntraMSigning$ , $IntraMchk$ , $InterUSigning$ , $InterUchk$ , $IntraUSigning$ , $IntraUchk$ ) of probabilistic polynomial time algorithms.

${pub, s k_{r}, sk} \leftarrow GenKey (SG)$ . The MDMS runs this algorithm for generating cryptographic parameters of SDMGP as follows. First, MDMS creates a cyclic group $G$ , with the prime order $q$ , and the generator $g \in G$ . Second, MDMS randomly generates two secrets $a, b \in Z_{q}$ , and forms a Lagrange polynomial: $L (x) = a + bxmodq$ . Note that $L (0) = a$ . Third, MDMS computes the public keys of $a$ and $b$ as $p k_{1} = g^{a} \in G$ and $p k_{2} = g^{b} \in G$ . Fourth, for each $S M_{i} \in SG$ , MDMS computes $s k_{i} = a + bh (S M_{i}) modq$ and takes $s k_{i}$ as $S M_{i}$ ’s private key, where $h : Z_{q} \to Z_{q}$ is a hash function. Finally, the MDMS gets $pub = {G, q, g, p k_{1}, p k_{2}}$ , $s k_{r} = {a, b}$ , and $sk = {s k_{i}, 1 \leq i \leq k}$ .

$B F_{x} \leftarrow BFMap (M G_{x})$ . The MDMS runs this algorithm for mapping each identity $S M_{i} \in M G_{x}$ to $B F_{x}$ as follows. First, assuming there are $n$ SMs in $M G_{x}$ and the error rate of Bloom filter is set to $LER$ , the MDMS computes the length of $B F_{x}$ (i.e. $m$ bits) using the algorithm that will be shown in section “Security analysis.” Second, the MDMS creates a $m$ -bit string as the Bloom filter $B F_{x}$ . Third, the MDMS maps each $S M_{i} \in M G_{x}$ to $B F_{x}$ as follows. For $1 \leq j \leq l$ , if $h_{j} (S M_{i}) = t$ , MDMS sets the $t$ th bit of $B F_{x}$ to $1$ , where ${h_{j} (.), 1 \leq j \leq l}$ is a set of independent hash functions.

${T, F} \leftarrow BFchk (B F_{x}, S M_{i})$ . Upon receiving the Bloom filter $B F_{x}$ , the receiver runs this algorithm for checking whether the sender (i.e. $S M_{i}$ ) belongs to the MG (i.e. $M G_{x}$ ) as follows. For $1 \leq j \leq l$ , if $h_{j} (S M_{i}) = t$ , the receiver checks whether the $t$ th bit of $B F_{x}$ is $1$ , where ${h_{j} (.), 1 \leq j \leq l}$ is a set of independent hash functions. If all the $t$ th bits of $B F_{x}$ are $1$ , the receiver returns $T$ . Otherwise, it returns $F$ .

$σ_{M} \leftarrow IntraMSigning (M, B F_{x}, s k_{i}, S M_{i}, pub)$ . The SM (i.e. $S M_{i} \in M G_{x}$ ) runs this algorithm for signing the message (i.e. $M$ ) multicasted to the MG $M G_{x}$ as follows. First, $S M_{i}$ computes $s = H (M | B F_{x})$ , where $H : Z_{q} \to G$ is a hash function. Then, it computes the signature as $σ_{M} = s^{s k_{i}} \in G$ .

${T, F} \leftarrow IntraMchk (M, σ_{M}, B F_{x}, s k_{j}, S M_{i},$ $pub)$ . The SM (i.e. $S M_{j} \in M G_{x}$ ) runs this algorithm for verifying the message (i.e. $M$ ) multicasted to the MG $M G_{x}$ as follows. First, $S M_{j}$ checks whether the sender $S M_{i}$ belongs to the group $M G_{x}$ by running the above $BFchk$ algorithm. If $S M_{i} \notin M G_{x}$ , $S M_{j}$ returns $F$ . Second, $S M_{j}$ checks whether the message is tampered by the adversary using the following equation: $\hat{e} (σ_{M}^{\frac{h (S M_{i})}{h (S M_{i}) - h (S M_{j})}} H (M | B F_{x})^{\frac{s k_{j} h (S M_{j})}{h (S M_{j}) - h (S M_{i})}}, g) \overset{?}{=} \hat{e} (H (M | B F_{x}), p k_{1})$ . If this equation holds, it returns $T$ . Otherwise it returns $F$ . The above equation holds because: $\hat{e} (σ_{M}^{\frac{h (S M_{i})}{h (S M_{i}) - h (S M_{j})}} H (M | B F_{x})^{\frac{s k_{j} h (S M_{j})}{h (S M_{j}) - h (S M_{i})}}, g) = \hat{e} (H (M | B F_{x})^{a}, g) = \hat{e} (H (M | B F_{x}), p k_{1})$ .

$σ_{M} \leftarrow InterUSigning (M, B F_{x}, s k_{i}, S M_{i}, S M_{j},$ $B F_{y}, pub)$ . The SM (i.e. $S M_{i} \in M G_{x}$ ) runs this algorithm for signing the message (i.e. $M$ ) unicasted to the SM in another MG (i.e. $S M_{j} \in M G_{y}$ ) as follows. First, $S M_{i}$ checks whether the receiver $S M_{j}$ belongs to the group $M G_{y}$ by running the above $BFchk$ algorithm. If $S M_{j} \notin M G_{y}$ , $S M_{i}$ aborts. Second, $S M_{i}$ computes $s = H (M | B F_{x} | B F_{y})$ , where $H : Z_{q} \to G$ is a hash function. Finally, it computes the signature as $σ_{M} = s^{s k_{i}} \in G$ .

${T, F} \leftarrow InterUchk (M, σ_{M}, B F_{x}, s k_{j}, S M_{i},$ $pub)$ . The SM (i.e. $S M_{j} \in M G_{y}$ ) runs this algorithm for verifying the message (i.e. $M$ ) unicasted to it as follows. First, $S M_{j}$ checks whether the sender $S M_{i}$ belongs to the group $M G_{x}$ by running the above $BFchk$ algorithm. If $S M_{i} \notin M G_{x}$ , $S M_{j}$ returns $F$ . Second, $S M_{j}$ checks whether the message is tampered by the adversary using the following equation: $\hat{e} (σ_{M}^{\frac{h (S M_{i})}{h (S M_{i}) - h (S M_{j})}} H (M | B F_{x} | B F_{y})^{\frac{s k_{j} h (S M_{j})}{h (S M_{j}) - h (S M_{i})}}, g) \overset{?}{=} \hat{e} (H (M | B F_{x} | B F_{y}), p k_{1})$ . If this equation holds, it returns $T$ . Otherwise it returns $F$ . The above equation holds because: $\hat{e} (σ_{M}^{\frac{h (S M_{i})}{h (S M_{i}) - h (S M_{j})}} H (M | B F_{x} | B F_{y})^{\frac{s k_{j} h (S M_{j})}{h (S M_{j}) - h (S M_{i})}}, g) = \hat{e} (H (M | B F_{x} | B F_{y})^{a}, g) = \hat{e} (H (M | B F_{x} | B F_{y}), p k_{1})$ .

$σ_{M} \leftarrow IntraUSigning (M, B F_{x}, s k_{i}, S M_{i}, S M_{j},$ $pub)$ . The SM (i.e. $S M_{i} \in M G_{x}$ ) runs this algorithm for signing the message (i.e. $M$ ) unicasted to the SM in the same MG (i.e. $S M_{j} \in M G_{x}$ ) as follows. First, $S M_{i}$ checks whether the receiver $S M_{j}$ belongs to the group $M G_{x}$ by running the above $BFchk$ algorithm. If $S M_{j} \notin M G_{x}$ , $S M_{i}$ aborts. Second, $S M_{i}$ computes $s = H (M | B F_{x})$ , where $H : Z_{q} \to G$ is a hash function. Finally, it computes the signature as $σ_{M} = s^{s k_{i}} \in G$ .

${T, F} \leftarrow IntraUchk (M, σ_{M}, B F_{x}, s k_{j}, S M_{i},$ $pub)$ . The SM (i.e. $S M_{j} \in M G_{x}$ ) runs this algorithm for verifying the message (i.e. $M$ ) unicasted to it as follows. First, $S M_{j}$ checks whether the sender $S M_{i}$ belongs to the group $M G_{x}$ by running the above $BFchk$ algorithm. If $S M_{i} \notin M G_{x}$ , $S M_{j}$ returns $F$ . Second, $S M_{j}$ checks whether the message is tampered by the adversary using the following equation: $\hat{e} (σ_{M}^{\frac{h (S M_{i})}{h (S M_{i}) - h (S M_{j})}} H (M | B F_{x})^{\frac{s k_{j} h (S M_{j})}{h (S M_{j}) - h (S M_{i})}}, g) \overset{?}{=} \hat{e} (H (M | B F_{x}), p k_{1})$ . If this equation holds, it returns $T$ . Otherwise it returns $F$ . The above equation holds because $\hat{e} (σ_{M}^{\frac{h (S M_{i})}{h (S M_{i}) - h (S M_{j})}} H (M | B F_{x})^{\frac{s k_{j} h (S M_{j})}{h (S M_{j}) - h (S M_{i})}}, g) = \hat{e} (H (M | B F_{x})^{a}, g) = \hat{e} (H (M | B F_{x}), p k_{1})$ .

From the above system model and construction, it can be seen that SDMGP uses Bloom filter for managing group information and uses Lagrange interpolation and bilinear map for constructing signing and verification algorithms. So, SDMGP can fulfill the integrity feature described in section “Introduction.” In section “Security analysis,” we will further analyze the integrity of SDMGP.

From the above system model and construction, it can be seen that SDMGP uses IBC instead of PKI to reduce the deployment complexity. So, SDMGP can fulfill the scalability feature described in section “Introduction.” In section “Efficiency evaluation,” we will further analyze the scalability of SDMGP using the other two vectors, namely, computation and communication costs.

Further discussion

In the above system model and construction, we mainly focus on new requirements in microgrid partition described in section “Introduction.” However, there may be some traditional attacks that have not been considered such as the replay attack. A simple way to prevent replay attacks is to use timestamp or sequence number in the signing and verification algorithms. For example, in the $IntraMSigning$ algorithm, $S M_{i}$ can insert a timestamp ( $T$ ) when computing $s$ . That is, $S M_{i}$ uses $s = H (T | M | B F_{x})$ instead of $s = H (M | B F_{x})$ and sends the timestamp along with the message. At the same time, in the $IntraMchk$ algorithm, $S M_{j}$ checks the timestamp to make sure the received message is not a replayed one.

Another issue is that the SM may join in or leave the microgrid. In this case, the MDMS may need to update the Bloom filter. To address this issue, the MDMS just runs the $BFMap$ algorithm to generate a new Bloom filter and broadcasts it in the SG. Moreover, the SM may join in or leave the SG. In this case, the MDMS just needs to update the Bloom filter. By doing so, the verifier just verifies the new Bloom filter to prevent the leaving SM from sending messages.

Security analysis

We analyze the security of SDMGP with respect to the security requirement described in section “Introduction” (i.e. integrity). As discussed in section “Introduction,” integrity can be analyzed using two vectors, namely, group identification and forgery. For the group identification vector, we will analyze the error rate of Bloom filter, as shown in section “Group identification.” For the forgery vector, we will prove that the adversary cannot tamper the transmitted message in the random oracle model,³⁷ as shown in section “Forgery.”

Group identification

Let $M G_{x}$ be a set of $n$ SMs. Let $B F_{x}$ be a $m$ -bit Bloom filter with $l$ hash functions. The error rate of $B F_{x}$ is the probability that $S M_{u} \notin M G_{x}$ can pass the $BFchk$ algorithm, which is computed in the following two steps.

In step 1, while running the $BFMap$ algorithm, we can compute the probability that a bit (e.g. the $i$ th bit in $B F_{x}$ ) is set to 1 as follows. First, while mapping one identity using one hash function, the probability that the $i$ th bit in $B F_{x}$ is $NOT$ set to 1 is $1 - 1 / m$ . Second, when mapping one identity using $l$ hash functions, the probability that the $i$ th bit in $B F_{x}$ is $NOT$ set to 1 is $(1 - 1 / m)^{l}$ . Third, when mapping $M G_{x}$ using $l$ hash functions, the probability that the $i$ th bit in $B F_{x}$ is $NOT$ set to 1 is $(1 - 1 / m)^{\ln}$ . Therefore, while mapping $M G_{x}$ to $B F_{x}$ using $BFMap$ , the probability that the $i$ th bit in $B F_{x}$ is $SET$ to 1 is $1 - (1 - 1 / m)^{\ln}$ .

In step 2, we can compute the error rate of $B F_{x}$ as follows. If $S M_{u} \notin M G_{x}$ can pass the $BFchk$ algorithm, it must be that all $l$ mapped bits of $S M_{u}$ have been set to 1 in step 1. From step 1, it can be seen that the probability that the $i$ th bit in $B F_{x}$ is set to 1 is $1 - (1 - 1 / m)^{\ln}$ . So, the probability that all $l$ mapped bits of $S M_{u}$ are set to 1 is $(1 - (1 - 1 / m)^{\ln})^{l}$ . In other words, the error rate of $B F_{x}$ is $f (m, n, l) = (1 - (1 - 1 / m)^{\ln})^{l}$ . Moreover, since $lim_{m \to \infty} (1 - 1 / m)^{- m} \approx e$ , $f (m, n, l) = (1 - ((1 - 1 / m)^{- m})^{- \ln / m})^{l} \approx (1 - e^{- \ln / m})^{l}$ .

Finally, for fixed $n$ and $m$ , the least error rate of $B F_{x}$ exists when $\partial f (m, n, l) / \partial l = 0$ . By solving this equation, we can get the least error rate $LER \approx 0 . 6185^{m / n}$ when $l = 0.7 \frac{m}{n}$ .

Forgery

For the forgery vector, we divide our analysis into three parts (i.e. security assumption, adversary model, and security proof). The security assumption defines a hard mathematical problem which cannot be solved efficiently. The adversary model defines the adversary’s behaviors. The security proof shows the above adversary cannot establish an attack on SDMGP efficiently. Otherwise, we can construct an algorithm that can use the adversary for solving the hard mathematical problem described in the security assumption part. Therefore, existing of this adversary contradicts our security assumption. In other words, such an adversary does not exist, and SDMGP is secure.

In addition, there are three kinds of message transmissions in SDMGP as shown in section “SDMGP: the protocol.” We mainly analyze the security of intra-group unicast, and the security of intra-group multicast and inter-group unicast can be analyzed in a similar way.

Part 1: security assumption

Hard mathematical problems on $G$ :

CDH (i.e. Computational Diffie-Hellman) problem. One wants to compute $g^{xy} \in G$ from $(g \in G, g^{x} \in G, g^{y} \in G)$ for randomly distributed unknown $x, y \in Z_{q}$ .

DDH (i.e. Decisional Diffie-Hellman) problem. One wants to decide whether $z = xymodq$ from $(g \in G, g^{x} \in G, g^{y} \in G, g^{z} \in G)$ for randomly distributed unknown $x, y, z \in Z_{q}$ .

GDH (i.e. Gap Diffie-Hellman) group. If the DDH problem can be efficiently solved while the CDH problem cannot be solved in probabilistic polynomial time, we say $G$ is a GDH group. For bilinear pairing, the DDH problem can be solved by checking $\hat{e} (g^{z}, g) \overset{?}{=} \hat{e} (g^{x}, g) \hat{e} (g^{y}, g)$ . This is because $\hat{e} (g^{z}, g) = \hat{e} (g, g)^{z} = \hat{e} (g, g)^{xy} = \hat{e} (g^{x}, g) \hat{e} (g^{y}, g)$ . So, in SDMGP, a GDH group is to ensure the CDH problem on $G$ cannot be solved.

Security assumption of SDMGP:

We assume $G$ in SDMGP is a GDH group. That is, given $g \in G, g^{x} \in G, g^{y} \in G$ , there is no $t$ -time algorithm, who can compute $g^{xy} \in G$ from randomly distributed unknown $x, y \in Z_{q}$ with the non-negligible probability $ϵ$ .

Part 2: adversary model

To provide integrity protection for transmitted message, it should be guaranteed that no one can forge messages sent from the SM (i.e. $S M_{i}$ ). So, the potential adversary is any malicious node who can access the SG and tamper transmitted messages. This adversary ( $A$ ) can interact with a challenger ( $C$ ) as follows:

Key-generating. $C$ acts as the SM $S M_{j}$ . It holds $(s k_{j}, pub)$ and gives $pub$ to $A$ , while the corresponding private key $s k_{r}$ is unknown to $C$ .

Hash query. $A$ sends a list of hash queries (i.e. $M_{i}$ ) to $C$ , and the latter returns the Hash values (i.e. $H (.)$ ).

Signing query. $A$ sends a list of signing queries (i.e. $M_{i}$ ) to $C$ , and the latter returns the signature (i.e. $σ_{M_{i}}$ ).

Forgery. $A$ generates a forged message-signature pair (i.e. $(M', σ_{M'})$ ), where the query for $M'$ has never been sent.

We say $A$ wins the game only if the $IntraUchk$ algorithm returns $T$ for $(M', σ_{M'})$ .

Part 3: security proof

In this part, we will show $A$ cannot forge $(M', σ_{M'})$ efficiently. Otherwise, $C$ can use this adversary for solving the GDH problem, as shown in Theorem 1.

Theorem 1. If $A$ can forge $(M', σ_{M'})$ in time $t$ with the probability $ϵ$ after $q_{h}$ signing queries, $C$ can solve the GDH problem in time $t' = t + 2 (q_{h} + 1) T_{e}$ with the probability $ϵ' \approx ϵ / e q_{h}$ , where $T_{e}$ is the time cost of modular exponentiation.

Proof. Assuming $A$ can forge $(M', σ_{M'})$ with the probability $ϵ$ in time $t$ , we can construct an algorithm $C$ that can solve the GDH problem in time $t'$ with the probability $ϵ'$ .

Given $(g, p k_{1} = g^{a} \in pub, g^{x} \in G)$ for randomly distributed unknown $(a \in s k_{r}, x)$ , $C$ can compute $g^{ax}$ as follows:

Key-generating. $C$ acts as the smart meter $S M_{j}$ . It holds $(s k_{j}, pub)$ and gives $pub$ to $A$ , while the corresponding private key $a$ is unknown to $C$ .

Hash query. $C$ maintains a set $T_{H}$ of tuples (i.e. $(M_{i}, x_{i}, y_{i}, z_{i})$ ) for responding to hash queries, which is managed as follows:

At the beginning, $T_{H}$ is empty.

When a hash query for $M_{i}$ is issued by $A$ , $C$ responds as follows. First, if the query (e.g. $(M_{i}, x_{i}, y_{i}, z_{i})$ ) already appears in $T_{H}$ , $C$ responds with $H (M_{i} | B F_{x}) = x_{i}$ . Second, if the query for $M_{i}$ is not in $T_{H}$ , $C$ randomly generates a coin $z_{i} \in {0, 1}$ according to the bivariate probability distribution $p [z_{i} = 0] = 1 / (q_{h} + 1)$ . Third, $C$ generates a random element $y_{i} \in z_{q}$ . If $z_{i} = 0$ , $C$ computes $x_{i} = g^{x} g^{y_{i}}$ . Otherwise, $C$ computes $x_{i} = g^{y_{i}}$ . Fourth, $C$ adds the query (i.e. $(M_{i}, x_{i}, y_{i}, z_{i})$ ) to $T_{H}$ and responds $H (M_{i} | B F_{x}) = x_{i}$ to $A$ .

Signing query. $C$ responds to the signing query for $M_{i}$ as follows. First, $C$ issues the hash query for $M_{i}$ to obtain $H (M_{i} | B F_{x})$ , and $(M_{i}, x_{i}, y_{i}, z_{i})$ is the corresponding tuple in $T_{H}$ . Second, if $z_{i} = 0$ , $C$ aborts. Otherwise, $C$ gives $σ_{M_{i}} = {pk}_{1}^{y_{i}}$ to $A$ .

Forgery. $A$ generates a forged message-signature pair $(M', σ_{M'})$ , where the query for $M'$ has never been sent.

Solving the GDH problem. $C$ can solve the GDH problem as follows. First, $C$ runs $A$ to get $(M', σ_{M'})$ , in which the query for $M'$ has never been sent. Second, $C$ sends a hash query for $M'$ to get the tuple $(M', x', y', z')$ . If $z' = 1$ , $C$ aborts. Otherwise, it gets $H (M' | B F_{x}) = x' = g^{x} g^{y'}$ . Third, from the $IntraUchk$ algorithm, $C$ gets $\begin{matrix} \hat{e} ((σ_{M'})^{\frac{h (S M_{i})}{h (S M_{i}) - h (S M_{j})}} H (M | B F_{x})^{\frac{s k_{j} h (S M_{j})}{h (S M_{j}) - h (S M_{i})}}, g) = \hat{e} (H (M | B F_{x}), p k_{1}) = \hat{e} (H (M | B F_{x})^{a}, g) \Rightarrow (σ_{M'})^{\frac{h (S M_{i})}{h (S M_{i}) - h (S M_{j})}} H (M | B F_{x})^{\frac{s k_{j} h (S M_{j})}{h (S M_{j}) - h (S M_{i})}} = H (M | B F_{x})^{a} = (g^{x} g^{y'})^{a} = g^{ax} (g^{a})^{y'} = g^{ax} (p k_{1})^{y'} \Rightarrow g^{ax} = (p k_{1})^{- y'} (σ_{M'})^{\frac{h (S M_{i})}{h (S M_{i}) - h (S M_{j})}} H (M | B F_{x})^{\frac{s k_{j} h (S M_{j})}{h (S M_{j}) - h (S M_{i})}} \end{matrix}$ . In other words, given (g, pk₁=g^a, g^x) for randomly distributed unknown $(a, x)$ , $C$ can compute $g^{ax}$ .

Probability for solving the GDH problem. From the above simulation process, we can compute the probability for solving the GDH problem as follows. First, $C$ needs to successfully respond to $q_{h}$ signing queries from $A$ . This probability is $(1 - \frac{1}{q_{h} + 1})^{q_{h}}$ . Second, $C$ runs $A$ to get the forged $(M', σ_{M'})$ . According to the assumption of Theorem 1, this probability of success is $ϵ$ . Third, $C$ sends a hash query for $M'$ to get the tuple $(M', x', y', z')$ . The probability of $z' = 0$ is $\frac{1}{q_{h} + 1}$ . Finally, the total probability is a multiplication of the above three probabilities: $ϵ' = (1 - \frac{1}{q_{h} + 1})^{q_{h}} ϵ \frac{1}{q_{h} + 1} \approx \frac{ϵ}{e q_{h}}$ .

Time for solving the GDH problem. From the above simulation process, we can compute the time for solving the GDH problem as follows. First, $C$ needs to successfully respond to $q_{h}$ signing queries from $A$ . The time is $2 q_{h} T_{e}$ . Second, $C$ runs $A$ to get the forged $(M', σ_{M'})$ . According to the assumption of Theorem 1, this time is $t$ . Third, $C$ sends a hash query for $M'$ to get the tuple $(M', x', y', z')$ . The time is $2 T_{e}$ . Finally, the total time can be computed as $t' = (2 q_{h} T_{e}) + t + 2 T_{e} = t + 2 (q_{h} + 1) T_{e}$ .

Efficiency evaluation

We evaluate the efficiency of SDMGP with respect to the efficiency requirement described in section “Introduction” (i.e. scalability). As discussed in section “Introduction,” scalability can be evaluated using three vectors, namely, deployment complexity, computation cost, and communication cost. In section “SDMGP: the protocol,” we have discussed the deployment complexity vector. So, in this section, we mainly focus on the other two vectors (i.e. computation and communication costs), as shown in sections “Computation cost” and “Communication cost,” respectively.

Computation cost

Computation cost is the first vector for evaluating the scalability feature, which is defined as time costs consumed by cryptographic algorithms. In SDMGP, computation cost is mainly consumed by the signing and verification algorithms in the message authentication phase. So, we mainly compare signing and verification costs of SDMGP with those of current protocols. Moreover, there are a lot of identity-based protocols for SG,^{17–19,21,22,26} but only So et al.,¹⁷ Gentry and Silverberg,²¹ and Liu et al.²² provide signing and verification algorithms. So, we only choose these three protocols for comparison.

To compare the computation costs, we first investigated time costs consumed by basic cryptographic algorithms, namely, hash function, modular exponentiation, and bilinear map. Then, we compared SDMGP with So et al.,¹⁷ Gentry and Silverberg,²¹ and Liu et al.²²

We conducted our experiments on a CentOS operating system with an Intel i7 processor of 3.40 GHz clock frequency. Cryptographic libraries used in the experiments are PBC³⁸ and OPENSSL.³⁹ To achieve 80-bit security level, we chose the 160-bit elliptic curve group.³⁹ Moreover, SHA1³⁹ is used as the hash function, and type F parameter³⁸ is used for bilinear map.

We run each basic cryptographic operation for 500 times and got the means of bilinear map (i.e. $T_{b}$ ), modular exponentiation (i.e. $T_{e}$ ), and SHA1 (i.e. $T_{h}$ ) as follows: $T_{b} = 29450.2$ µs, $T_{e} = 759.8$ µs, and $T_{h} = 0.5$ µs.

From the above results, it can be seen that (1) the time costs of bilinear map and modular exponentiation are around $10^{3} ~ 10^{4}$ to that of SHA1, because $T_{e} / T_{h} = 759.8 / 0.5 = 1519.6 \approx 1.5 \times 10^{3}$ and $T_{b} / T_{h} = 29450.2 / 0.5 = 58900.4 \approx 5.9 \times 10^{4}$ and (2) the time cost of pairing is around $10^{1}$ to that of modular exponentiation, because $T_{b} / T_{e} = 29450.2 / 759.8 \approx 3.9 \times 10^{1}$ . These two conclusions show that the time cost of SHA1 can be omitted. Therefore, in the following comparison, we do not take it into account.

Then, we computed the time costs of signing and verification algorithms in Table 2, where $T_{s}$ is the signing cost and $T_{v}$ is the verification cost.

Table 2.

Comparison of computation costs (unit: µs).

	SDMGP	So et al.¹⁷	Gentry and Silverberg²¹	Liu et al.²²
$T_{s}$	$T_{e} = 759.8$	$2 T_{b} + 5 T_{e} = 62, 699.4$	$2 T_{e} = 1519.6$	$T_{b} + 3 T_{e} = 31, 729.6$
$T_{v}$	$2 T_{b} + 2 T_{e} = 60, 420$	$3 T_{b} + T_{e} = 89, 110.4$	$3 T_{b} = 88, 353.6$	$2 T_{b} + T_{e} = 59, 660.2$

From Table 2, it can be seen that (1) the computation cost of SDMGP is much lower than those of So et al.,¹⁷ Gentry and Silverberg,²¹ and Liu et al.²² on the sender’s side. This is because $62, 699.4 / 759.8 \approx 8.3 \times 10^{1}$ , $1519.6 / 759.8 = 2$ , and $31, 729.6 / 759.8 \approx 4.2 \times 10^{1}$ . (2) The computation cost of SDMGP is much lower than those of So et al.,¹⁷ Gentry and Silverberg,²¹ and Liu et al.²² on the receiver’s side. This is because $89, 110.4 / 60, 420 \approx 1.5$ , $88, 353.6 / 60, 420 \approx 1.5$ and $59, 660.2 / 60, 420 \approx 1$ .

The above discussion shows that SDMGP enjoys the scalability feature when evaluated using the computation cost vector.

Communication cost

Communication cost is the second vector for evaluating the scalability feature, which is determined by the total length of messages transmitted in the SG.

There are three kinds of messages which are transmitted during the initialization phase, the dynamic microgrid partition phase, and the message authentication phase. During the initialization phase, the MDMS distributes keying materials to each SM. Since this process is run only once and few public/private keys are transmitted to each SM, the communication cost during the initialization phase can be omitted. Similarly, during the message authentication phase, SMs only need to exchange signatures along with messages, whose communication costs can be omitted too. On the other hand, during the dynamic microgrid partition phase, the MDMS needs to broadcast group information to SMs whose length is quite long. So, in this section, we mainly compare the communication costs of the dynamic microgrid partition phase.

Moreover, we mainly compare the communication cost of SDMGP with that of LKH,³² since traditional PKI-based protocols and identity-based protocols do not support group information management.

To compute the communication costs of SDMGP and LKH, we consider the following example, which is a typical scenario of dynamic microgrid partition: There are $100$ MGs in the SG, each MG contains $128$ SMs, there are $50$ SMs requesting for leaving and joining in each MG, the key length of LKH is set to $80$ bits, and the error rate of Bloom filter is set to $10^{- 3}$ .

In this example, we can compute the message length of SDMGP in two steps. First, from the $LER$ equation in section “Group identification” (i.e. $LER \approx 0 . 6185^{\frac{m}{n}}$ ), we can compute the length of each Bloom filter $m = n \frac{lnLER}{\ln 0.6185} = 128 \times \frac{\ln {(10}^{- 3})}{\ln 0.6185} \approx 1.8 \times 10^{3}$ bits. Second, the length of message transmitted during the dynamic microgrid partition phase is equal to the length of all Bloom filters: $L_{SDMGP} = 100 m = 1.8 \times 10^{5}$ bits.

At the same time, we can compute the message length of LKH in four steps. First, when one SM requests for leaving, the MDMS needs to broadcast $\underset{2}{\log} 128 + 1 = 8$ symmetric keys to remove this SM from the microgrid. Second, when $100 \times 50 = 5 \times 10^{3}$ SMs in the whole SG request for leaving, the MDMS needs to broadcast $5 \times 10^{3} \times 8 = 4 \times 10^{4}$ symmetric keys to remove these SMs from the whole SG. Third, when $100 \times 50 = 5 \times 10^{3}$ SMs in the whole SG request for joining, the MDMS needs to transmit $5 \times 10^{3} \times (\underset{2}{\log} 128 + 1) = 4 \times 10^{4}$ symmetric keys to add these SMs to MGs. Fourth, we can compute the total length of messages transmitted during the dynamic microgrid partition phase as $L_{LKH} = (4 \times 10^{4} + 4 \times 10^{4}) \times 80 = 6.4 \times 10^{6}$ bits.

Finally, we can get $L_{LKH} / L_{SDMGP} = (6.4 \times 10^{6}) / (1.8 \times 10^{5}) = 35.6$ . This result shows that the communication cost of SDMGP is much lower than that of LKH. Therefore, SDMGP enjoys the scalability feature when evaluated using the communication cost vector.

Conclusion

In this article, we have identified features for dynamic microgrid partition in SG and defined several evaluation vectors. Moreover, we have proposed a new protocol named SDMGP, which satisfies a set of important requirements that have not been addressed by previous works. The security analysis and experimental results show that SDMGP is feasible for real-world applications.

Footnotes

Academic Editor: Jose Moreno

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research,authorship,and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research,authorship,and/or publication of this article: This paper was supported by the NSFC (Nos 61101088 and 71402070),the Natural Science Foundation of Jiangsu province (No. BK20161099),and the Opening Project of Key Lab of Information Network Security of Ministry of Public Security (No. C16604).

References

Sridhar

Hahn

Govindarasu

. Cyberphysical system security for the electric power grid. Proc IEEE 2012; 100(1): 210–224.

Simonov

. Dynamic partitioning of DC microgrid in resilient clusters using event-driven approach. IEEE T Smart Grid 2014, 5(5): 2618–2625.

Zhang

Yang

Lin

. On false data injection attacks against the dynamic microgrid partition in the smart grid. In: Proceedings of IEEE ICC, London, 8–12 June 2015, pp.7222–7227. New York: IEEE.

Yaghmaee

Mohades

. A lightweight mechanism for mutual authentication in smart grid. In: Proceedings of CIRED workshop, Rome, 11–12 June 2014, pp.1–5, http://www.cired.net/publications/workshop2014/papers/CIRED2014WS_0223_final.pdf

Nizamuddin Umar

Ul Amin

. A novel secure multicast communication in smart grid based on signcryption. J Appl Environ Biol Sci 2016; 6(3S): 127–133.

Liu

Ning

Zhang

. Aggregated-proofs based privacy-preserving authentication for V2G networks in the smart grid. IEEE T Smart Grid 2012; 3(4): 1722–1733.

Fouda

Fadlullah

Kato

. A lightweight message authentication scheme for smart grid communications. IEEE T Smart Grid 2011; 2(4): 675–685.

Cao

. Multicast authentication in smart grid with one-time signature. IEEE T Smart Grid 2012; 2(4): 686–696.

Fouda

Fadlullah

Kato

. Towards a light-weight message authentication mechanism tailored for smart grid communications. In: Proceedings of the first international workshop on security in computers, networking and communications, Shanghai, China, 10–15 April 2011, pp.1035–1040. New York: IEEE.

10.

Yan

Qian

Sharif

. A secure and reliable in-network collaborative communication scheme for advanced metering infrastructure in smart grid. In: Proceedings of the IEEE wireless communications and networking conference (WCNC), Cancun, 28–31 March 2011, pp.909–914. New York: IEEE.

11.

Zhou

. Fault-tolerant and scalable key management for smart grid. IEEE T Smart Grid 2011; 2(2): 375–381.

12.

Reyzin

. Better than BiBa: short one-time signatures with fast signing and verifying. In: Proceedings of the Australian conference on information security and privacy, Melbourne, VIC, Australia, 3–5 July 2002.

13.

Badra

Zeadally

. Design and performance analysis of a virtual ring architecture for smart grid privacy. IEEE T Inf Foren Sec 2014; 9(2): 321–329.

14.

Nabeel

Kerr

Ding

. Authentication and key management for advanced metering infrastructures utilizing physically unclonable functions. In: Proceedings of the IEEE SmartGridComm 2012 symposium-cybersecurity and privacy, Tainan City, Taiwan, 5–8 November 2012, pp.324–329. New York: IEEE.

15.

Thomas

. Survey on real time broadcast authentication schemes for command and control messages. Int J Comput Sci Inf Tech 2015; 6(1): 614–618.

16.

Avril

Basta

Bouillet

. Identity based cryptography for smart-grid protection. In: Proceedings of 9th international conference on computer engineering and applications, Dubai, UAE, 22–24 February 2015, pp.1–10, http://www.wseas.us/e-library/conferences/2015/Dubai/CEA/CEA-01.pdf

17.

HKH

Kwok

DHM

Lam

. Zero-configuration identity-based signcryption scheme for smart grid. In: Proceedings of the 2010 first IEEE international conference on smart grid communications (SmartGridComm), Gaithersburg, MD, 4–6 October 2010, pp.321–326. New York: IEEE.

18.

Nicanfar

Jokar

Leung

VCM

. Smart grid authentication and key management for unicast and multicast communications. In: Proceedings of IEEE PES innovative smart grid technologies Asia (ISGT), Perth, WA, Australia, 13–16 November 2011, pp.1–8. New York: IEEE.

19.

Kamto

Qian

Fuller

. Light-weight key distribution and management for advanced metering infrastructure. In: Proceedings of IEEE international workshop on smart grid communications and networks, Houston, TX, 5–9 December 2011. New York: IEEE.

20.

Nicanfar

Jokar

Beznosov

. Efficient authentication and key management mechanisms for smart grid communications. IEEE Syst J 2013; 8: 629–640.

21.

Gentry

Silverberg

. Hierarchical ID-based cryptography. London: Springer, 2002.

22.

Liu

Sun

Kou

. Efficient ID-based signature without trusted PKG, 2007, https://eprint.iacr.org/2007/135.pdf

23.

Lee

Boyd

Dawson

. Secure key issuing in ID-based cryptography, 2004, http://crpit.com/confpapers/CRPITV32Lee.pdf

24.

Benmalek

Challal

. eSKAMI: efficient and scalable multi-group key management for advanced metering infrastructure in smart grid. In: Proceedings of the IEEE Trustcom/BigDataSE/ISPA, Helsinki, 20–22 August 2015, pp.1–8. New York: IEEE.

25.

Liu

Chen

Zhu

. A key management scheme for secure communications of advanced metering infrastructure in smart grid. IEEE T Ind Electron 2013; 60(10): 4746–4756.

26.

Wan

Wang

Yang

. SKM: scalable key management for advanced metering infrastructure in smart grids. IEEE T Ind Electron 2014; 61(12): 7055–7066.

27.

Yavuz

. An efficient real time broadcast authentication scheme for command and control messages. IEEE T Inf Foren Sec 2014; 9(10): 1733–1742.

28.

Perrig

Song

Canetti

. Timed efficient stream loss-tolerant authentication (TESLA): multicast source authentication transform introduction (IETF RFC4082). 2005, https://tools.ietf.org/html/rfc4082

29.

Long

Tipper

Qian

. An advanced key management scheme for secure smart grid communications. In: Proceedings of the IEEE SmartGridComm 2013 symposium-cybersecurity and privacy, Vancouver, BC, Canada, 21–24 October 2013, pp.504–509. New York: IEEE.

30.

Cooper

Santesson

Farrell

. Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile (IETF RFC5280), May2008, https://www.ietf.org/rfc/rfc5280.txt

31.

Yee

. Updates to the Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile (IETF RFC6818), January 2013, https://tools.ietf.org/html/rfc6818

32.

Wallner

Harder

Agee

. Key management for multicast: issues and architectures (IETF RFC2627), 1999, https://tools.ietf.org/html/rfc2627

33.

Shamir

. Identity-based cryptosystems and signature schemes. In: Blakley

Chaum

(eds) Advances in cryptology. Berlin, Heidelberg: Springer, 1984, pp.47–53.

34.

Bloom

. Space/time trade-offs in hash coding with allowable errors. Commun ACM 1970; 13(7): 422–426.

35.

Hildebrand

. Introduction to numerical analysis. 2nd ed.New York: Dover, 1974.

36.

Boneh

Franklin

. Identity-based encryption from the weil pairing. In: Kilian

(ed.) Advances in cryptology—CRYPTO 2001 (vol. 2139 of lecture notes in computer science). Berlin: Springer, 2001, pp.213–229.

37.

Bellare

Rogaway

. Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM conference on computer and communications security, Fairfax, VA, 3–5 November 1993, pp.62–73. New York: ACM.

38.

Lynn

. PBC library manual 0.5.11, 2006, http://crypto.stanford.edu/pbc/manual/

39.

Openssl.org. OpenSSL-1.0.1e.tar.gz, February 2013, http://www.openssl.org/source/