
Anonymization approaches

From the document Security and Privacy in Internet of Things (pages 175-178)


7.5 Smart Meter Privacy-Preserving Approaches

7.5.1 Anonymization approaches

The anonymity of the consumer can be achieved by replacing the consumer identity with pseudonym(s) (i.e., identity pseudonymization), employing a trusted data gateway, or using a trusted third party (TTP) as the data collector.

7.5.1.1 Identity pseudonymization

Pseudonym(s) can be generated through a TTP [16], without TTP involvement by employing the public key infrastructure (PKI) [19], or by using group anonymity [51].

In [16], the TTP generates two distinct pseudonyms for every consumer: an anonymous identity and an attributable identity. The anonymous identity is used to send the nonbilling meter reading to the utility company or to a third party that requires the aggregated meter-reading data, while the attributable identity is used to send the billing meter reading to the utility company. Figure 7.10 illustrates the use of the pseudonyms. These pseudonyms are hard-coded within the smart meter and only the TTP possesses the association information. The utility company only knows the attributable identity. To avoid an unauthorized party discovering the association between the pseudonyms, the delivery of the pseudonyms is performed separately over a long random time schedule.

Figure 7.10: Identity pseudonymization through TTP. (Diagram labels: TTP, SM, utility company; anonymous identity, attributable identity; nonbilling: (Anonymous, timestamp, reading); billing: (Attributable, timestamp, reading).)

In [19], instead of using a TTP, the smart meter generates one RSA key pair of a public and private key (SMPUB, SMPRV), while the grid operator generates two RSA key pairs of public and private keys. The grid operator uses the first key pair (GSPUB, GSPRV) to create and check the blind signature, while the second key pair (GEPUB, GEPRV) is used to encrypt and decrypt the meter reading.

A blinding factor r is used to create a blinded pseudonym from the smart meter public key. This blinded pseudonym is sent to the grid operator through a secure channel. The grid operator signs the blinded pseudonym with its private key GSPRV and sends this signature to the smart meter. When the smart meter sends its meter reading, the meter reading is encrypted with the grid operator public key GEPUB and signed with the smart meter private key SMPRV. The smart meter then sends a data tuple that consists of the encrypted meter reading, its signature, the smart meter public key, and the smart meter public key signature to the utility company. Sending the meter reading directly to the utility company would expose the association between the pseudonym and the network address of the smart meter, so a peer-to-peer (p2p) overlay network [38] is employed to hide this association.
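The blind-signature step described above, as an added example (not code from the book or from [19]): textbook RSA blinding with a constructed toy key, showing that the grid operator signs without seeing SMPUB and that the utility can still verify the result with GSPUB. Hashing SMPUB before blinding, the byte string standing in for SMPUB, and all function names are assumptions; encryption of readings with GEPUB is not covered.

```python
import hashlib
import math
import secrets

# Constructed toy grid-operator signing key (GSPUB, GSPRV) from two Mersenne primes.
# Far too small for real use; textbook RSA without padding, for illustration only.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                      # GSPUB = (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))        # GSPRV

def digest(sm_pub: bytes) -> int:
    """Map the serialized meter public key to an integer mod N (assumed hashing step)."""
    return int.from_bytes(hashlib.sha256(sm_pub).digest(), "big") % N

def new_blinding_factor() -> int:
    """Meter side: random r that is invertible mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return r

def blind(sm_pub: bytes, r: int) -> int:
    """Meter side: blinded pseudonym = H(SMPUB) * r^E mod N."""
    return digest(sm_pub) * pow(r, E, N) % N

def sign_blinded(blinded: int) -> int:
    """Grid operator side: signs with GSPRV without learning SMPUB."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Meter side: remove r, leaving a signature on H(SMPUB)."""
    return blind_sig * pow(r, -1, N) % N

def verify(sm_pub: bytes, sig: int) -> bool:
    """Utility side: check the pseudonym signature with GSPUB."""
    return pow(sig, E, N) == digest(sm_pub)

def demo() -> dict:
    sm_pub = b"constructed-SMPUB-bytes"  # stands in for the meter's serialized public key
    r = new_blinding_factor()
    blinded = blind(sm_pub, r)
    sig = unblind(sign_blinded(blinded), r)
    return {
        "valid": verify(sm_pub, sig),
        "operator_saw_pseudonym": blinded == digest(sm_pub),
        "forged_accepted": verify(b"some-other-key", sig),
    }

if __name__ == "__main__":
    print(demo())
```

Two different blinding factors give the operator two unrelated-looking values for the same SMPUB, yet both unblind to the same signature, which is why the operator cannot link the signing request to the pseudonym later seen by the utility.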

In the p2p overlay network, each meter reading generated from a smart meter will pass through several other smart meters before it reaches the utility company. In this way, the utility company will never know from which smart meter the received meter reading originated.

Another effort to create anonymity is by using group anonymity [51]. In this approach, a group pseudonym is used by a group of k smart meters (i.e., k-anonymity).

7.5.1.2 Anonymity through trusted neighborhood gateways

Anonymity from the utility company can also be provided by avoiding transmission of the fine-grained meter reading directly to the utility company. A trusted neighborhood gateway [40] is used as the data collector. Every smart meter sends its attributable fine-grained power consumption to the gateway (e.g., it sends [user identity, timestamp, usage]). The gateway then relays it to the utility company in the form of anonymous power consumption, i.e., without any originator identity (e.g., [timestamp, usage]). All communications between smart meters, the gateway, and the utility are assumed to be over a secure channel that provides authenticity, confidentiality, and integrity. Since the utility company only receives anonymous power consumption, the smart meter performs the billing calculation and sends it directly to the utility company. In order to verify the correctness of the billing report, a zero-knowledge protocol [23] is employed.

Figure 7.11: Anonymity through trusted gateways. (Diagram labels: smart meter 1, smart meter 2, ..., smart meter n–1, smart meter n; neighborhood gateway; utility company. Legend: attributable meter reading, anonymous meter reading, billing report, bill verification.)

In each billing cycle, the smart meter must perform the registration by cryptographically designating N pseudorandom tags and a set of m keys. N is the number of meter readings needed for billing, and m is the number of verification rounds in each billing cycle. The utility company will carry out m series of challenge-response mechanisms with the smart meter for interactive billing verification. In addition, the gateway can leak a small amount of attributable power consumption to the utility company for sporadic random spot checks. The goal is to prevent the smart meter from manipulating data. Figure 7.11 illustrates the gateway operations.

Relying on smart meters for billing calculations poses an issue of software updates when there is a change in billing regulations. In such a case, millions of smart meters may need to update their software, which may not be feasible. To overcome this problem, another approach, in which a TTP replaces the gateway, is pursued [8]. In this approach, instead of sending anonymous individual meter readings to the utility company, the TTP aggregates the meter readings and sends the neighborhood-level power consumption to the utility company.

At the end of each billing cycle, the TTP aggregates the individual consumption amounts from each smart meter and sends the attributable aggregated power consumption amounts from each smart meter to the utility company for billing processing.
