Privacy-enhanced architecture for smart metering

  • Félix Gómez Mármol
  • Christoph Sorge
  • Ronald Petrlic
  • Osman Ugus
  • Dirk Westhoff
  • Gregorio Martínez Pérez
Regular Contribution

Abstract

The recent deployment of smart grids promises to bring numerous advantages in terms of energy consumption reduction in both homes and businesses. A more transparent and instantaneous measurement of electricity consumption through smart meters utilization leads to an enhancement in the ability of monitoring, controlling and predicting energy usage. Nevertheless, it also has associated drawbacks related to the privacy of customers, since such management might reveal their personal habits, which electrical appliances they are using at each moment, whether they are at home or not, etc. In this work, we present a privacy-enhanced architecture for smart metering aimed at tackling this threat by means of encrypting individual measurements while allowing the electricity supplier to access the aggregation of the corresponding decrypted values.

Keywords

Homomorphic encryption transformation · Privacy · Smart meters · Smart grid

1 Introduction

Existing power grids are continuously upgraded with information technology to become next-generation networks (smart grids) [1]. This process aims at optimizing energy efficiency through a two-way information exchange between suppliers and consumers in real time.

The shift from using mainly fossil fuels for electricity production toward an increased use of renewable energy sources has made a modernization of the power grid indispensable. Providing a basic energy supply with sun or wind energy is not feasible when customers use electricity in times when those energy sources do not produce electricity to the required extent. If energy suppliers have access to accurate up-to-date information about their customers’ electricity usage, they are able to influence their customers, for example, via price mechanisms, to promote the use of electricity in times of availability. The smart grid allows for a (near) real-time communication between customers and the electricity supplier and it is therefore seen as an enabler of future energy scenarios [2].

In the course of grid modernization, smart meters have found their way into customers’ homes. Those embedded devices are a more sophisticated version of traditional electricity meters, containing a processor, non-volatile storage and communication facilities to allow for real-time communication with the electricity supplier. Among other advanced features, smart meters provide functionalities like tracking electricity usage as a function of time, remotely disconnecting customers via software, or sending out alarms in case of problems.

Unlike water or gas, electricity is not easily storable in large quantities, so an instantaneous balance between production and demand is needed [3]. Smart meters can provide energy consumption measurements to customers and energy suppliers (almost) instantaneously. This feature allows a better energy consumption monitoring, control and prediction, resulting in remarkable cost savings to both energy suppliers and final customers, as well as an immense reduction in carbon dioxide emissions to the atmosphere [4].

However, important privacy issues arise, since such a fine-grained monitoring might reveal users’ presence/absence in their houses, which electrical appliances they are using at each moment, or even their daily habits at home. From a legal perspective, smart meter readings must be considered as personally identifiable information, which is legally protected, for example, in the member states of the European Union. While the aggregation of readings over time helps with solving this problem, it also limits the electricity suppliers’ ability to quickly react to changes in electricity consumption.

The paper at hand focuses on a novel solution providing up-to-date and accurate aggregated information to an electricity supplier about customer groups’ electricity consumption. However, no information about individual customers is revealed. While our approach preserves individual customers’ privacy, the electricity supplier is still enabled to accurately monitor the total amount of electricity needed by its customers living in a specific region, or belonging to a pre-defined group.

To achieve this goal, we have designed an original solution that combines the employment of smart meter grouping with the use of homomorphic encryption of the consumption reports. This way, the electricity supplier can periodically receive encrypted individual measurements from smart meters which belong to the same group and aggregate them. However, the electricity supplier cannot decrypt those individual reports (hence preserving customers’ privacy). Instead, it can only decrypt the aggregation of those encrypted values, obtaining the aggregated electricity consumption of the aforementioned whole group throughout a period of time.

Our contribution is the development of an approach that does not require a trusted third party, but only an untrusted aggregator, a role for which one of the smart meters is chosen. We base our solution on the proper interaction among smart meters and toward the electricity supplier and do not put the burden of privacy enforcement and communication overhead on a single party. Furthermore, we present a solution to deal with failing smart meters. Thus, even if certain smart meters fail to send the specified messages, our approach still ensures that the electricity supplier receives an accurate aggregated consumption value from the remaining meters in each reporting period. Note that the transmission of incorrect values by a smart meter affects the aggregation result, but does not help an attacker to breach the privacy of other meters.

The remainder of the article is organized as follows: We give an overview on related work in the field of smart meter privacy in Sect. 2. In Sect. 3, we present our solution for a privacy-enhanced architecture for smart metering. We perform a security analysis in Sect. 4 and compare our approach with previous work in Sect. 5. Finally, we conclude the article and give an outlook to future work in Sect. 6.

2 Related work

Security and privacy requirements for the smart grid, including the necessity to protect electricity consumption patterns, have been identified by many authors before [5, 6]. In the paper at hand, we develop a solution that is based on the use of a so-called homomorphic encryption scheme (introduced by [7, 8, 9]).

Homomorphic encryption has been used in several works to achieve a certain level of privacy for smart meter users. Garcia and Jacobs [10], for instance, make use of Paillier’s additive homomorphic encryption [11] as well as additive secret sharing. In their work, all smart meters are connected to an aggregating substation which is in charge of collecting electricity measurements. The security of the proposed protocol is based on the assumption that at least two out of the total number of smart meters connected to the aggregating substation are uncorrupted, that is, they behave according to the protocol specification.

Li et al. [12] propose the use of homomorphic encryption in order to secure data transmission among smart meters which act as data aggregators involved in routing the electricity reports from source meters to the collector unit. The authors develop the construction of an aggregation tree covering the entire set of designated smart meters with a minimum overhead. The proposed aggregation tree enables all smart meters to participate in the aggregation, while preventing them from seeing any intermediate or final result.

Finster and Conrad [13] present an approach based on cooperation between smart meters. Each smart meter contributes to privacy protection by sharing the parts of its current consumption value with the other smart meters within the same group.

Another architecture proposed for a privacy-enhanced smart metering is presented in [14]. An identity management approach [15] is used to preserve the individual customers’ privacy.

Finally, [16] shows privacy solutions for smart metering, with and without the involvement of trusted third parties.

There is some work on smart metering privacy that focuses on different and complementary aspects to the article at hand. McLaughlin et al. [17] suggest using a battery to hide consumption peaks from the electricity supplier. While this approach might also be beneficial to the electricity network as such, it requires additional hardware—in contrast to purely cryptographic solutions. Rial et al. [18] show how to securely generate electricity bills on the customer’s side, preserving customers’ privacy while keeping the requirements on the smart meters at a minimum. Our goal, however, is different: We aim at providing up-to-date aggregated information to the electricity supplier, while billing is out of the scope of this article.

Core concepts of this paper at hand have been published by the authors in [19]. To the best of our knowledge, this is one of the first solutions applying homomorphic encryption as well as grouping of smart meters in order to preserve the privacy of final customers in the smart grid, avoiding the figure of a trusted aggregator. Even if the aggregator present in our scheme acts maliciously, it cannot gain information about users’ electricity consumptions. Moreover, it has to perform its task only when smart meters enter or leave the system and during attack or error conditions. If anonymous channels to the aggregator are available, even a collusion of the aggregator with the electricity supplier does not affect the achieved privacy. On the other hand, employing an anonymous credential scheme for the authentication of the smart meters’ consumption data, our solution still provides the possibility to detect which smart meter behaved maliciously—in case an incident is detected.

Section 5 will compare the previously mentioned solutions with our proposal in terms of several aspects such as the communication or the computation overhead. The result will show that, during normal protocol execution, our scheme requires less computation power than other schemes that do not require trusted aggregators. In addition, our solution does not introduce an extensive communication overhead—as schemes based on secret sharing do, for instance.

3 Privacy-enhanced architecture

3.1 Problem statement

Smart metering can provide several enhancements with regards to the way the energy is controlled, provisioned and monitored within the smart grid. Nevertheless, as a drawback, it can also provide the electricity suppliers (hereafter ES) with mechanisms by means of which they can generate individual user profiles by analyzing customers’ energy consumption patterns.

Our main goal is to tackle this threat, while preserving the advantages that the smart grid brings to us. Hence, we propose a mechanism that prevents the ES from knowing the current individual energy consumptions of their users, whereas it is able to obtain the aggregation of a certain set of them, instead. Additionally, we want to avoid the figure of an intermediate trusted aggregator for electricity measurements as proposed in other works such as [16].

3.2 Basic approach

We assume that the ES will receive electricity measurements \(e_{ij}\) from smart meters \(\text{sm}_i\) per period \(j\), encrypted with keys \(k_{ij}\), which are specific to a period \(j\). The ES will not be able to decrypt such measurements. However, it will be able to decrypt the aggregation of the measurements through the use of homomorphic encryption, as we will see later. Our main idea is to use a scheme that allows values to be encrypted within individual smart meters, the encrypted values to be aggregated, and the ES to decrypt the aggregated value using an aggregated key.

Our approach is graphically depicted in Fig. 1. The symbol \(\bigotimes \) represents an additive operation over encrypted values while \(\bigoplus \) denotes an additive operation over plain texts:
Fig. 1 Basic approach

  1. ES periodically receives measurements \(e_{ij}\) encrypted with key \(k_{ij}\), that is, \(E_{k_{ij}}(e_{ij}),\,\forall \, i,j\)
    $$\begin{aligned} (E_{k_{1j}}(e_{1j}),E_{k_{2j}}(e_{2j}),\ldots ,E_{k_{nj}}(e_{nj})) \end{aligned}$$

  2. ES does not know the temporary keys \(k_{ij}\) (or the complementary keys to decrypt messages encrypted with \(k_{ij}\)).

  3. ES computes the aggregation \(\bigotimes _iE_{k_{ij}}(e_{ij})\), that should be equal to \(E_K(\bigoplus _ie_{ij})\), where \(K\) denotes the aggregated key. Encryption and aggregation functions must satisfy the following requirement:
    $$\begin{aligned} \bigotimes _{i=1}^nE_{k_{ij}}(e_{ij})=E_K\left(\bigoplus _{i=1}^ne_{ij}\right) \end{aligned} \tag{1}$$

  4. ES receives key \(K=f(k_{1j},k_{2j},\ldots ,k_{nj})\) and therefore can decrypt \(E_K(\bigoplus _ie_{ij})\) in order to obtain the aggregation \(\bigoplus _ie_{ij}\).

  5. \(f\) should have the property of a one-way function, that is, it should not be possible (or at least computationally hard) to obtain keys \(k_{1j},k_{2j},\ldots ,k_{nj}\) from key \(K\) (it will be further described in Sect. 3.7).

3.3 Smart meters grouping

As mentioned before, our aim is to protect the privacy of users utilizing smart meters, while preserving the ability of the ES to monitor, control and predict energy usage. To this end, we propose to organize individual smart meters into groups, in order to anonymize their consumption reports, in a similar way to the approach followed by Minami et al. [20]. The model described in Sect. 3.2 is applied separately to each group.

The groups could be formed in a natural way, by putting together all the smart meters belonging to the same building, or even to the same street or neighborhood. In a practical deployment, smart meters associated with the same group would have to belong to the same electricity supplier as well (although, in some cases, a number of suppliers share the same physical electricity network).

3.4 Establishment of a secure channel

The basic approach described in Sect. 3.2 enables a secure aggregation of smart meter readings, but does not yet take into account “classic” protection goals, for which we need an additional solution. Therefore, as a first step, we aim at protecting authenticity and confidentiality of transmitted readings from unauthorized third parties (other than the intended communication partner). Establishing this secure channel requires an authentication mechanism. In our protocols, either the ES or a so-called key aggregator (Sect. 3.7) acts as a server and does not need to be anonymous. We therefore start by establishing a TLS [21] connection, in which the server is authenticated using a certificate.

In case of communication between a smart meter and the ES, we also rely on certificate-based authentication of the client, which is an optional feature of the TLS handshake protocol (alternatively, authentication with a shared secret is also possible). Anonymity is not required in that case, as the information transmitted on that channel cannot be used for user profile creation.

Concerning the authentication of smart meters toward the key aggregator, our architecture only requires them to prove that they are indeed authorized members of a group; both anonymous credential schemes [22] and group signatures [23] would satisfy this requirement. Group signatures offer the additional advantage that values are actually signed, that is, non-repudiation can be achieved at least if, in case of disputes, the signer’s anonymity is revoked.

However, in that case, we assume that the smart meter in question would have to be physically examined, anyway. We have therefore opted to use anonymous credentials as the simpler solution.

So, within the established TLS connection to the key aggregator, the smart meter proves—using an anonymous credential scheme—that it is indeed entitled to send a value. In case an abuse is suspected, the smart meter’s anonymity can be revoked; this revocation is possible, for example, if the Camenisch/Lysyanskaya scheme [22] is used. Note that, in order to avoid grandmaster chess attacks [24], a smart meter may only use the anonymous credential scheme after the server has been authenticated.

The establishment of a secure channel guarantees communication confidentiality, integrity and authenticity, but is not sufficient to reach our goal concerning privacy.

3.5 Anonymous communication channels

Even if anonymous credentials are used, anonymity of smart meters might be endangered by information from OSI layers 1–3. This problem occurs if the operator of the communication infrastructure is not trusted (e.g., if the electricity supplier also operates the electricity grid and the communication infrastructure with it). It can be avoided by mechanisms depending on the network setup:
  • If power line communication is used, there are usually multiple meters connected to a shared power line, thus forming a broadcast domain. The shared medium makes it difficult to distinguish between different meters except by using their MAC addresses. In other contexts, researchers have investigated the feasibility of changing addresses on different layers of the communication stack (see [25] for an example in the domain of vehicular ad hoc networks). There are no fundamental issues preventing MAC address changes (assuming no two devices have the same MAC address at any given time, which can be ensured with a very high probability by independently selecting random addresses for each device). Therefore, anonymous communication can be easily established. To take advantage of this fact, the group formation mechanism should ensure that all smart meters of a group are located in the same broadcast domain. While this task should not be performed by the ES itself (a third party such as a regulatory authority would be an option instead), it is only necessary during the initial setup phase.

  • For other setups, such as the use of the households’ broadband internet connection, standard anonymizing approaches such as anonymizer proxies or the Tor [26] network can be used.

3.6 Castelluccia–Mykletun–Tsudik (CMT) scheme

As stated above, it is our goal for the ES to be able to decrypt aggregated values using an aggregated key. To achieve this goal, we suggest using, concretely, the symmetric homomorphic encryption transformation (for an introduction, see [27]) developed by Castelluccia et al. [28]. Table 1 specifies how encryption, decryption and aggregation of encrypted values as well as their decryption using aggregated keys are performed in this scheme.
Table 1 Castelluccia, Mykletun, Tsudik (CMT) algorithm

Encryption: Message \(m\in [0,M-1]\), randomly generated keystream \(k\in [0,M-1]\), \(c=(m+k)\) mod \(M\)

Decryption: \(Dec(c,k,M) = c-k \pmod {M}\)

Aggregation: Let \(c_1 = Enc(m_1,k_1,M)\) and \(c_2 = Enc(m_2,k_2,M)\). For \(k = k_1 + k_2\), \(Dec(c_1+c_2,k,M)=m_1 + m_2\)

The main idea of the scheme is to replace the \(xor\) (exclusive OR) operation found in one-time pad with modular addition \((+)\). Since this new cipher only uses modular additions (with very small modulus), it is well suited for CPU-constrained devices, like (in some cases) smart meters.

This scheme is, however, known to be vulnerable to malleability when an attacker feeds the system with extra and bogus encrypted values. Recall, though, that the additional application of secure channels (authenticated with certificates or anonymous credentials, respectively) prevents an unauthorized entity (not belonging to the group of smart meters) from sending messages on behalf of a member of a given group.

3.7 Aggregated key and keys updating

For the Castelluccia–Mykletun–Tsudik scheme to be secure, encryption keys may not be reused. Therefore, we present a method of updating keys in each round.

In our proposal, one smart meter per group is periodically designated as the key aggregator, therefore receiving, through a secure channel, the individual keys \(k_{ij}\) from each of the rest of the smart meters within such a group. We do not restrict the actual election mechanism; however, in [29], some of the authors of this work designed and compared three secure node election protocols. These protocols randomly choose one node out of a well-defined group in a decentralized way by using lightweight cryptographic primitives to ensure that no party can manipulate the outcome of the election process at honest nodes. As mentioned above, an anonymous credential scheme is used for authentication toward the key aggregator. By applying the aforementioned mechanism, the following properties are achieved:
  • The key aggregator is not able to decrypt the values \(E_{k_{ij}}(e_{ij})\) sent by each smart meter, even if he knows their keys \(k_{ij}\), since the former are sent to the ES through a secure channel.

  • Nobody knows other member keys (except the key aggregator).

  • If the key aggregator acts maliciously and shares the received keys \(k_{ij}\) with the ES, the latter cannot link or relate each key with each received value from that group, since the key shares are sent anonymously, and via a secure channel. Moreover, the keys \(k_{ij}\) are different per reporting period and the key aggregator changes periodically. Note that our scheme would work without anonymous credentials (just using standard authentication methods) if a fully trusted key aggregator was assumed.

If the key aggregator fails, leaves the group or it is found to act maliciously (as we will see in Sect. 3.9), another smart meter is selected as the new group key aggregator.
So once every smart meter \(\text{ sm}_i\) has sent its key \(k_{ij}\) to the key aggregator, in period \(j\), the aggregated key \(K\) is computed as follows, and sent to the ES:
$$\begin{aligned} K=f(k_{1j},k_{2j},\ldots ,k_{nj})=\bigoplus _{i=1}^nk_{ij}=\sum _{i=1}^nk_{ij} \end{aligned} \tag{2}$$
Note that the aggregated key \(K\) remains constant over time (it is not \(K_j\), but just \(K\)), even if the individual keys \(k_{ij}\) change for every period \(j\). This feature allows the group to send the aggregated key \(K\) to the electricity supplier only once, when bootstrapping the system, instead of sending it every round. Thus, the KA is not needed in every round. However, if a smart meter within the group fails or leaves, or a new one joins, then key \(K\) has to be recalculated and sent again to the ES.
In order to keep \(K\) constant while varying individual keys \(k_{ij}\) every round, all the smart meters within the same group organize themselves in a ring, as can be observed in Fig. 2, where each smart meter sends its successor in the ring a random value \(\delta \), through a secure channel, which is subtracted from its key and added to the next smart meter’s key. That is:
$$\begin{aligned} k_{i,j}=k_{i,j-1}-\delta _{i,j}+\delta _{i-1,j} \end{aligned} \tag{3}$$
Fig. 2 Smart meters ring: keys updating

3.8 Aggregation by ES

The ES, after receiving all the encrypted measurements \(E_{k_{ij}}(e_{ij})\), computes their aggregation \(\bigotimes _iE_{k_{ij}}(e_{ij})\) according to the following expression (based on the CMT scheme), which fulfills equation (1):
$$\begin{aligned} \bigotimes _{i=1}^nE_{k_{ij}}(e_{ij})&= \sum _{i=1}^nE_{k_{ij}}(e_{ij}) =\sum _{i=1}^n(e_{ij}+k_{ij})\nonumber \\&= \sum _{i=1}^ne_{ij}+\sum _{i=1}^nk_{ij}=E_K\left(\bigoplus _{i=1}^ne_{ij}\right) \end{aligned} \tag{4}$$
Therefore, equation (4) would transform into the following expression, which constitutes a homomorphic encryption [8]:
$$\begin{aligned} \bigotimes _{i=1}^nE_{k_{ij}}(e_{ij})=\sum _{i=1}^ne_{ij}+K \end{aligned} \tag{5}$$
The ES would decrypt this aggregated value as follows:
$$\begin{aligned}&D_K\left(E_K\left(\bigoplus _{i=1}^ne_{ij}\right)\right){\mathop {=}\limits ^{(1)}} D_K\left(\bigotimes _{i=1}^nE_{k_{ij}}(e_{ij})\right)\nonumber \\&\quad {\mathop {=}\limits ^{(5)}}D_K\left(\sum _{i=1}^ne_{ij}+K\right)=\left(\sum _{i=1}^ne_{ij}+K\right)-K\nonumber \\&\quad =\sum _{i=1}^ne_{ij}=\bigoplus _{i=1}^ne_{ij} \end{aligned} \tag{6}$$
When a new smart meter joins the system, it just has to become a member of a certain group, and it will be able to provide input to the aggregation.
Figure 3a summarizes the steps to be followed by our approach in a normal functioning mode, extending the basic approach presented in Sect. 3.2. These steps are as follows:
Fig. 3 Privacy-enhanced architecture for smart metering: (a) normal behavior, (b) dealing with malicious smart meters

  1. Every smart meter \(\text{sm}_i\) sends its key \(k_{ij}\) to the key aggregator KA in reporting period \(j\), through a secure channel that provides anonymity for \(\text{sm}_i\) (with key aggregator authentication using a certificate and client authentication using anonymous credentials).

  2. The KA computes the aggregated key \(K\).

  3. KA sends key \(K\) to the ES, together with the number of received keys, \(n\).

  4. Every smart meter \(\text{sm}_i\) sends its electricity measurement report in period \(j\), encrypted with key \(k_{ij},\,E_{k_{ij}}(e_{ij})\), to the ES through a secure channel (with server and client authentication using certificates or even using shared secrets).

  5. If the number of received \(E_{k_{ij}}(e_{ij})\) matches with the number of aggregated keys, \(n\), the ES performs the decryption of the aggregation of individual encrypted values, according to equation (6), to obtain the aggregation of plain energy consumption reports.

Note that since \(K\) remains constant, steps 1–3 have to be performed only when initializing the system, when a smart meter fails or leaves the group or when a new one joins, but not every single round, as explained in Sect. 3.7. The ES can trigger these steps in case it is aware of an imminent change. Alternatively, they can also be performed if the set of smart meters that have sent encrypted consumption values turns out to be different from the previous round in step 5. A problem occurs if the set of participating smart meters changes between steps 2 and 4; we describe in the next section how to deal with that situation.
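The following Python sketch is an added example, not code from the paper: it runs the CMT encryption of Sect. 3.6, the ring key update of Eq. (3) and the ES aggregation of Sect. 3.8 over two reporting periods, and shows why Sect. 3.7 forbids key reuse. The modulus `M = 2**32`, the function names and the sample readings are assumptions made for illustration; \(K\) is reduced mod \(M\) to match the CMT decryption.

```python
import secrets

M = 2**32  # assumed modulus; must exceed the largest possible group total


def enc(m, k):
    """CMT encryption (Table 1): c = (m + k) mod M."""
    return (m + k) % M


def dec(c, k):
    """CMT decryption (Table 1): m = (c - k) mod M."""
    return (c - k) % M


def ring_update(keys):
    """Eq. (3): k_i <- k_i - delta_i + delta_{i-1}, with indices on a ring.

    delta_i is the random value sm_i sends to its successor; index -1 wraps
    to the last meter, which closes the ring.
    """
    n = len(keys)
    deltas = [secrets.randbelow(M) for _ in range(n)]
    return [(keys[i] - deltas[i] + deltas[i - 1]) % M for i in range(n)]


def es_aggregate(ciphertexts, K, n_keys):
    """Step 5 of Sect. 3.8: decrypt the sum only if the counts match."""
    if len(ciphertexts) != n_keys:
        return None  # group membership changed, K has to be re-established
    return dec(sum(ciphertexts) % M, K)


def run_rounds(readings_per_round):
    """Simulate several periods; K is computed once, as in Eq. (2)."""
    n = len(readings_per_round[0])
    keys = [secrets.randbelow(M) for _ in range(n)]
    K = sum(keys) % M  # done by the key aggregator at bootstrap only
    totals = []
    for readings in readings_per_round:
        ciphertexts = [enc(e, k) for e, k in zip(readings, keys)]
        totals.append(es_aggregate(ciphertexts, K, n))
        keys = ring_update(keys)  # fresh k_ij for the next period
        if sum(keys) % M != K:
            raise RuntimeError("ring update changed the aggregated key")
    return totals


def reuse_leak(e_prev, e_now, k):
    """What the ES learns if a meter reuses k in two periods.

    The key cancels in c_now - c_prev, exposing the change in consumption
    of that single meter without any key material.
    """
    return (enc(e_now, k) - enc(e_prev, k)) % M


if __name__ == "__main__":
    # Constructed readings (watt-hours) for four meters over two periods.
    sample = [[120, 450, 75, 900], [130, 0, 80, 1500]]
    print(run_rounds(sample))
    print(reuse_leak(300, 1200, secrets.randbelow(M)))
```
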

3.9 Dealing with faulty smart meters

In a real-world setting, it is possible that some messages are lost or not sent. In particular, a smart meter might send its key to the corresponding key aggregator, but without sending the electricity consumption report to the ES, or vice versa. This could be due to a malicious intent of the smart meter, or due to technical failures.

In order to avoid problems caused by lost messages, we propose an alternative token-based solution, which would be enabled only when a message loss has been detected. For a better understanding, recall that the number of smart meters reporting their encrypted measurements via an authenticated channel is known to the ES. Hence, the ES infers that a message has been lost or was not sent if the received number of encrypted measurements within a given duration belonging to a group is smaller than the size of that group. Similarly, a key aggregator knows the number of smart meters from which it expects to receive a key. So, a key aggregator can detect a faulty (or possibly malicious) smart meter not sending its key by comparing the number of received keys with the number of expected keys.

Figure 3(b) depicts the sequence diagram followed in such a scenario, whose steps are the following ones:
  1. Each smart meter \(\text{sm}_i\) sends its key \(k_{ij}\) to the key aggregator KA, through a secure channel.

  2. The KA replies with a pseudo-random ACK token, \(T_{\mathrm{KA},i}\), for each received key \(k_{ij}\).

  3. Each smart meter \(\text{sm}_i\) then sends the encrypted measurement \(E_{k_{ij}}(e_{ij})\), together with the ACK token \(T_{\mathrm{KA},i}\), to the ES.

  4. The ES only accepts encrypted measurements from smart meters that come with such tokens and replies with another ACK token \(T_{\mathrm{ES},i}\), directly to the key aggregator KA, for each received \(T_{\mathrm{KA},i}\); the new ACK token is simply a confirmation that \(T_{\mathrm{KA},i}\) has been received.

  5. Once the KA receives such token \(T_{\mathrm{ES},i}\), it actually accepts the key \(k_{ij}\) received in step 1 and computes the aggregated key \(K\). If the key aggregator does not receive the token \(T_{\mathrm{ES},i}\), then key \(k_{ij}\) will be discarded and not aggregated.

  6. KA sends key \(K\) to the ES, together with the number of received keys, \(n\), and a list of the tokens.

  7. The ES performs the decryption of the aggregation of individual encrypted values, according to Eq. (6), in order to obtain the aggregation of plain energy consumption reports.

Note that steps 1 and 2 can be integrated in the normal protocol, that is, the KA sends its token each time. The rest of the protocol is only enabled in exceptional cases: The ES requests execution of the token-based protocol (steps 3–7) when a failure in the system has been detected. So, if it is triggered, one can assume that (some of) the smart meters are failing, have been compromised and/or are intentionally acting maliciously. The ES and KA together can determine which smart meter has failed. If an appropriate anonymous credential scheme with revocation support is used, participation of that smart meter in the key aggregation process can be blocked, for example, in case of repeated failures. The token solution itself, however, will be applied only for the round in which a failure has been detected.

Use of the token solution allows attacks by an ES collaborating with the KA (though neither of them has an advantage on its own). For that reason, it has to be logged by all protocol participants to enable auditing at a later point in time.
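As an added illustration (not part of the paper), the token-based round of steps 1–7 can be simulated in Python with one meter that sends its key but no report and one that sends a report without a key. The class names, the modulus, the sample meters and the modelling of \(T_{\mathrm{ES},i}\) as an echo of \(T_{\mathrm{KA},i}\) are assumptions; the ES aggregating only ciphertexts whose token appears in the KA's list is one reading of steps 6 and 7.

```python
import secrets

M = 2**32  # assumed modulus, larger than any possible group total


class KeyAggregator:
    def __init__(self):
        self.pending = {}   # T_KA -> key, not yet confirmed by the ES
        self.accepted = {}  # T_KA -> key, confirmed by the ES

    def receive_key(self, key):
        """Steps 1-2: store the key and answer with a random ACK token."""
        token = secrets.token_hex(16)
        self.pending[token] = key
        return token

    def receive_es_ack(self, token):
        """Step 5: a key counts only once the ES confirmed its token."""
        if token in self.pending:
            self.accepted[token] = self.pending.pop(token)

    def publish(self):
        """Step 6: aggregated key, number of keys and list of tokens."""
        K = sum(self.accepted.values()) % M
        return K, len(self.accepted), set(self.accepted)


class Supplier:
    def __init__(self):
        self.received = {}  # T_KA -> ciphertext

    def receive_report(self, ciphertext, token):
        """Steps 3-4: reject reports without a token or with a reused one."""
        if not token or token in self.received:
            return None
        self.received[token] = ciphertext
        return token  # T_ES, modelled here as an echo of T_KA

    def decrypt_total(self, K, n, tokens):
        """Step 7: aggregate only ciphertexts whose token the KA lists."""
        ciphertexts = [c for t, c in self.received.items() if t in tokens]
        if len(ciphertexts) != n:
            return None
        return (sum(ciphertexts) - K) % M


def run_round(meters):
    """Run one token-based round; returns (decrypted total, n)."""
    ka, es = KeyAggregator(), Supplier()
    for meter in meters:
        key = secrets.randbelow(M)
        token = ka.receive_key(key) if meter["sends_key"] else None
        if meter["sends_report"]:
            t_es = es.receive_report((meter["reading"] + key) % M, token)
            if t_es is not None:
                ka.receive_es_ack(t_es)  # sent by the ES directly to the KA
    K, n, tokens = ka.publish()
    return es.decrypt_total(K, n, tokens), n


# Constructed sample: meter B loses its report, meter C never sent a key.
SAMPLE_METERS = [
    {"id": "A", "reading": 120, "sends_key": True, "sends_report": True},
    {"id": "B", "reading": 450, "sends_key": True, "sends_report": False},
    {"id": "C", "reading": 75, "sends_key": False, "sends_report": True},
    {"id": "D", "reading": 900, "sends_key": True, "sends_report": True},
]

if __name__ == "__main__":
    print(run_round(SAMPLE_METERS))
```

The ES still obtains the exact total of the meters that completed both halves of the exchange, which is the property Sect. 3.9 claims for the remaining meters.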

4 Security analysis

To achieve the protection goals of integrity and authenticity (as well as confidentiality of communication channels), our scheme relies on standard techniques. Message integrity is required in the communication both with KA and ES; in addition, authenticity of KA, ES and the smart meters must be ensured. We achieve this by transmitting energy measurements of smart meters to the ES using a secure channel. This channel also guarantees confidential transport and authentication of the communication partners (using anonymous credentials for authentication of smart meters toward the KA, and certificate-based authentication for all other cases). How such a secure channel can be established is described in Sect. 3.4. In this respect, the security of our scheme depends on the underlying mechanisms (TLS and anonymous credential scheme). The anonymous credential scheme also ensures anonymity of smart meters toward the KA, which is required if malicious key aggregators might collaborate with the ES. Such a collaboration is, however, possible when the tokens solution is used; that is why we require a means to audit its usage.

As the main focus of this paper is on privacy protection, in the following, we merely concentrate on the evaluation of the privacy properties of the proposed smart metering architecture.

4.1 Adversarial models

In order to evaluate the privacy properties of our architecture, it is necessary first to define the adversarial model and the definition which constitutes a privacy break of the scheme. An adversarial model specifies the power of the adversary, that is, the tools and information available to the attacker for breaking the privacy of smart meters.

The main goal of the architecture proposed in this work is to hide the individual smart meter measurements from the ES. Therefore, the knowledge of the ES in a realistic scenario constitutes the capabilities of the adversary. As it is not feasible to predict all possible adversarial strategies, we make no assumptions on the adversary’s strategy. Instead, we define attack classes in which all possible strategies can be carried out by an adversary belonging to that class.

We consider two classes of adversarial attacks: an eavesdropping attack and an attack in which the adversary collaborates with malicious key aggregators. As all energy consumptions are transmitted to the ES, we can assume that all information exchanged between a smart meter and the ES is known to the adversary. Hence, the knowledge of the ES in the real-world setting of the proposed smart metering protocol basically constitutes the eavesdropping capability of an adversary.

The second class of adversarial attack is stronger and assumes malicious smart meters. In addition to the capabilities of an eavesdropping adversary, this adversary may obtain the private key of smart meters from a malicious key aggregator.

We introduce a smart meter privacy break game to evaluate the security of the proposed solution against the eavesdropping adversary. The main intuition modeled with this game is that the proposed smart metering architecture is privacy preserving, if an adversary cannot distinguish between the encryptions of smart meter measurements [16].

4.2 Definitions

The proposed smart metering architecture (SMA) consists of an ES and a set of smart meters \(\text{SM} = \{sm_i: 1\le i \le n\}\) with \(n \ge 2\) (see footnote 3). Next, we summarize the key generation and the encryption algorithms used in the proposed solution:
  • Key-generation algorithm KG is a randomized algorithm which takes the number of smart meters \(n\ge 2\) as input and outputs the keys \(\{K, k_1,\ldots ,k_n\}\). The aggregated key \(K=\sum _{i=1}^nk_{i}\) is given to the ES. The encryption keys \(k_i\) are given to the smart meters \(sm_i\).

  • Encryption algorithm \(E\) is an algorithm which takes a key \(k\) and a plaintext message \(e\) as input and outputs a ciphertext \(c = (e + g_k(j))\) mod \(p\). Here, \(g_k(j)\) denotes a function which represents the computation of an encryption key from a private key \(k\) in a period \(j\) in the smart meters ring as described in Sect. 3.7. The key update is of particular importance to achieve security under multiple encryptions in multiple reporting periods. Using a different encryption key in every period results in a different ciphertext even if the same plaintexts are encrypted in multiple periods (see footnote 4). Hence, for simplicity, we can see the encryption mechanism as a probabilistic algorithm which takes as an input an additional parameter \(j\) besides the key and the message and outputs the ciphertext. That is \(c \leftarrow E(e,k,j)\), where \(j\) denotes a period in which the encryption is performed (see footnote 5). Hereafter, we denote an encryption under a key \(k\) of a smart meter \(i\) in a period \(j\) by \(E_{k_{ij}}\).

4.3 Security notions

We will show that the eavesdropping indistinguishability of the underlying encryption mechanism implies the security of the proposed smart metering protocol. We introduce a smart meter privacy break game (SMPB) to evaluate the security of the proposed protocol. We note that we adapt the SMPB game proposed in [16] according to the smart metering architecture proposed in this work.
  • The SMPB game:
    1. Setup: The challenger runs the key-generation algorithm KG for a given set of smart meters \(\text{SM} = \{sm_i: 1\le i \le n\}\) and generates the keys \(\{K, k_1,\ldots , k_n \}\) for \(n \ge 2\). The challenger gives the aggregated key \(K\) to the adversary \(A\) and keeps the smart meter encryption keys \(\{k_i: 1 \le i \le n \}\).
    2. Challenge: The adversary chooses two energy consumption scenarios denoted by \(M_{0j} = \{e^{0}_{1j},\ldots ,e^{0}_{nj}\}\) and \(M_{1j} = \{e^{1}_{1j},\ldots ,e^{1}_{nj}\}\) for a period \(j\). The restriction is that \(\sum _{i=1}^ne^{0}_{ij} = \sum _{i=1}^ne^{1}_{ij}\) and \(e^{0}_{ij} \ne e^{1}_{ij}\) for some \(i\). The energy consumption scenarios are given to the challenger. The challenger chooses a random bit \(b \leftarrow \{0,1\}\) to select between \(M_{0j}\) and \(M_{1j}\). The challenger then computes the challenge ciphertexts \(C_{b,j} = \{E_{k_{ij}}(e^{b}_{ij}): 1 \le i \le n \}\) and gives them as a challenge to the adversary.
    3. Guess: The adversary outputs a bit \(b^{\prime }\) as a guess for \(b\) and wins the game if \(b^{\prime } = b\). The SMPB advantage of the adversary is defined as \(Adv^{SMPB}_{A} = |Pr[b^{\prime }=b] - 1/2 |\).

We note that the adversary decides between the energy consumption scenarios denoted by \(M_{0j}\) and \(M_{1j}\) with the restriction that \(\sum _{i=1}^ne^{0}_{ij} = \sum _{i=1}^ne^{1}_{ij}\). This ensures that learning the sum of energy consumptions constitutes no privacy break as the sum in every period is known to the ES in the real-world setting.

The main idea behind the above game is that if an adversary cannot even distinguish between two energy consumption scenarios of its own choice, then the proposed protocol reveals no information about the individual energy consumptions. The basic game describes one period; an extension to multiple periods is straightforward (each scenario selected by the adversary contains the energy consumption values of multiple periods).
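The following Python sketch, an added example that is not code from the paper, plays the Setup and Challenge steps of the SMPB game for one period and shows why the equal-sum restriction matters: for either scenario there is a key vector summing to \(K\) that turns it into the observed ciphertexts, so the adversary's view fits both. It assumes the period keys are uniformly random modulo \(p\) (standing in for \(g_k(j)\)), that \(K\) is used modulo \(p\), and a constructed modulus and readings; all function names are hypothetical.

```python
import secrets

P = 2**61 - 1  # modulus p; constructed value, the page does not fix one


def keygen(n, p=P):
    """KG: period keys k_1..k_n for the meters and K = sum(k_i) mod p for the ES."""
    if n < 2:
        raise ValueError("the architecture needs at least two smart meters")
    keys = [secrets.randbelow(p) for _ in range(n)]
    return sum(keys) % p, keys


def encrypt(e, k, p=P):
    """c = (e + k) mod p, with k standing in for the period key g_k(j)."""
    return (e + k) % p


def aggregate_decrypt(ciphertexts, K, p=P):
    """What the ES can compute with K: the sum of all readings, nothing finer."""
    return (sum(ciphertexts) - K) % p


def explaining_keys(ciphertexts, scenario, p=P):
    """Key vector under which `ciphertexts` would be encryptions of `scenario`."""
    return [(c - e) % p for c, e in zip(ciphertexts, scenario)]


def smpb_challenge(m0, m1, p=P):
    """Setup and Challenge of the SMPB game for one period.

    Returns (K, challenge ciphertexts, secret bit b).
    """
    if len(m0) != len(m1) or sum(m0) != sum(m1) or m0 == m1:
        raise ValueError("scenarios must differ and have equal sums")
    K, keys = keygen(len(m0), p)
    b = secrets.randbelow(2)
    chosen = m1 if b else m0
    return K, [encrypt(e, k, p) for e, k in zip(chosen, keys)], b


def view_explains(K, ciphertexts, scenario, p=P):
    """True if some key vector summing to K maps `scenario` to `ciphertexts`.

    Keys are uniform subject to summing to K, so every scenario that passes
    this check is equally likely from the adversary's point of view.
    """
    return sum(explaining_keys(ciphertexts, scenario, p)) % p == K


if __name__ == "__main__":
    m0 = [300, 120, 80]   # constructed readings for three meters
    m1 = [100, 250, 150]  # same total, different individual values
    K, challenge, b = smpb_challenge(m0, m1)
    print("aggregate seen by ES:", aggregate_decrypt(challenge, K))
    print("view explains M0:", view_explains(K, challenge, m0))
    print("view explains M1:", view_explains(K, challenge, m1))
    print("view explains another total:", view_explains(K, challenge, [1, 1, 1]))
```

A scenario with a different total fails the check, which is exactly the information (the aggregate) that the ES is meant to learn.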

Theorem 1

The encryption mechanism used in the proposed smart metering architecture has indistinguishable encryptions against all efficient eavesdropping adversaries.

Proof

(Sketch) The encryption mechanism we use in our smart metering architecture differs from the CMT scheme [28] in the generation of encryption keys. An encryption scheme has indistinguishable encryptions for an eavesdropping adversary iff it is semantically secure against an eavesdropping adversary. As the CMT scheme is semantically secure in the presence of an eavesdropping adversary, we need to show that its semantic security implies the semantic security of the construction used in this work. We do not prove the semantic security of the CMT scheme which is already shown in [28]. We show that the differences in our construction compared with the CMT do not remove its semantic security.

The CMT scheme uses a keyed pseudo-random function to generate an actual encryption key using a nonce as a seed. The encryption key using a fresh nonce is updated every time whenever a message needs to be encrypted. The decryption key is then reconstructed using the pseudo-random function seeded with the same nonce. In more detail, the set of \(n\) encryption keys in CMT is \(\{f_{k_{i}}(\text{ nonce}): 1 \le i \le n \}\), where \(f_{k_{i}}\) is a keyed pseudo-random function. The secret keys \(k_i\) are known to the entity which is allowed to perform decryption. The set of decryption keys which is equal to the set of encryption keys is re-constructed using the keyed pseudo-random function.

In the construction of this work, encryption keys are updated in a smart meters ring as described in Sect. 3.7. The encryption keys are the set \(\{g(\cdot ): 1 \le i \le n \}\), where \(g\) is a three-input function which is defined as \(g(k_i, \delta _i, \delta _{i-1}) = |k_i - \delta _{i-1} + \delta _{i-1}|\). \(k_i\) is a secret smart meter key which is generated using a pseudo-random function and stored on the smart meters during bootstrapping. \(\delta _y = f_{k_{y}}(j)\) for \(y = i\) and \(y= i-1\), where \(j\) is a nonce unique in each period \(j\) (it can be the current date in the precision of seconds). The decryption key is \(K=\sum _{i=1}^nk_{i}\).

The CMT scheme and the encryption mechanism used in this work differ in how the encryption keys are generated. Hence, to show the semantic security of the encryption mechanism used in our smart metering architecture, one needs to show that an encryption key generated with the function \(g(\cdot )\) is indistinguishable from a key which is generated from a keyed pseudo-random function. The main idea is that if the quality of the individual keys in terms of randomness is not reduced, the semantic security of the scheme is not lost due to badly generated keys. The randomness of the encryption keys relies on the refreshment parameters \(\delta _i\) and \(\delta _{i-1}\) and the key \(k_i\). All these parameters are pseudo-random numbers generated by a keyed pseudo-random function with a unique nonce in each period. As applying arithmetic operations on different pseudo-random numbers results in a pseudo-random result, the resulting encryption key generated with \(g(\cdot )\) should be indistinguishable from a key generated with a keyed pseudo-random function.

4.4 Security in the presence of malicious key aggregators

As described in Sect. 3.7, the ES can collaborate with a malicious key aggregator to receive the encryption keys of smart meters. In order to resist such a threat, our architecture proposes the smart meter grouping approach. That is, each smart meter sends its key to the key aggregator as a member of a group using an anonymous credential scheme. Therefore, the ES cannot map an encryption key received from a malicious key aggregator with an encrypted measurement received from a smart meter which is encrypted using that key.

For the same reason, the key aggregator cannot exploit the fact that it is also a normal smart meter, taking part in the key update process. While, in this process, it communicates with other smart meters using a “classically” authenticated secure channel, it cannot map any information received to the keys exchanged during key aggregation.

As a consequence, the success probability of the ES breaking the privacy of the proposed solution is no better than guessing, assuming the anonymous credential scheme used in the protocol is secure.

Moreover, the key aggregator only knows the keys in the periods in which these are actually sent—not after key updates, which are performed in each round.

4.5 Security in the presence of other malicious smart meters

As long as only one period is considered, the presence of malicious (compromised) smart meters has little impact on the privacy of honest ones (while the readings of the compromised smart meters themselves, obviously, cannot be protected). The current key of any device is only known to the device itself and, if a new aggregated key is determined, to the key aggregator. The only disadvantage is that a malicious key aggregator’s success probability in correctly guessing the owner of an anonymously received key increases if malicious smart meters can be excluded from the set of potential candidates.

However, if a smart meter’s predecessor and its successor in the key update ring collaborate, they can determine the change \(\Delta k_i\) of its key from one round to the next: during the key update process, fixed identities are used, owed to the more efficient authentication using certificates or shared secrets. Assume that, as defined in the multi-period SMPB game, the adversary can select two different energy consumption scenarios. In the first scenario, electricity consumption remains constant for all nodes; in the second one, each node’s electricity consumption is changed between both periods. To decide between the two scenarios, the adversary only needs to check whether the encrypted consumption (as it would be reported to the ES) of any node has changed by \(\Delta k_i\), as the chance of this change to appear randomly can be neglected. Note that we have to exclude the measurements of compromised nodes from the scenarios; using them to break privacy is trivial, independent of the used scheme.

It depends on the adversary’s capabilities how large the success probability of this attack becomes. If the adversary can selectively compromise at least two specific nodes and can also select all nodes’ energy consumption in both scenarios, the attack will succeed with probability \(1\). If, on the other hand, the adversary can compromise a certain number \(a\) of nodes without knowing their position on the ring, there is still a chance for the attack to fail.

There are \(\frac{n!}{a! (n-a)!}\) possible arrangements of the smart meters. We select those arrangements for which there is no honest node whose predecessor and successor are both compromised.

The number of configurations \(c(n,a)\) for which this is true can be recursively computed using the following equations, with \(k\) in \([1,n]\):
$$\begin{aligned} \begin{array}{l} c(n,a) = g(n,a) - 2(f(n-1,a-1) - f^{\prime }(n-1,a-1))\\ f(n,a) = f(n-1,a-1) + g(n-2,a)\\ g(n,a) = f(n-1,a-1) + g(n-1,a)\\ f^{\prime }(n,a) = f^{\prime }(n-1,a-1) + g^{\prime }(n-2,a)\\ g^{\prime }(n,a) = f^{\prime }(n-1,a-1) + g^{\prime }(n-1,a)\\ f(k+1,k) = f(k,k) = f(k,0) = f^{\prime }(k,k) = 1\\ g(k,k) = g(k,0) = g^{\prime }(k,k) = g^{\prime }(k,0) = 1\\ f^{\prime }(k+1,k) = f^{\prime }(1,0) = 0\\ f^{\prime }(k,0) = 1, k \ge 2\\ \end{array} \end{aligned}$$
For a derivation of this computation, see “Appendix A”. The probability of the attacker failing to achieve its desired node placement is thus
$$\begin{aligned} p_\mathrm{fail} = \frac{c(n,a)}{\frac{n!}{a!(n-a)!}}= \frac{c(n,a)a!(n-a)!}{n!} \end{aligned}$$
(7)
The attacker succeeds with probability \(1-p_\mathrm{fail}\).
If the adversary does not achieve its desired node placement, it can still guess the correct scenario with probability \(\frac{1}{2}\). As a consequence, its overall probability of winning the SMPB game is
$$\begin{aligned} p_\mathrm{win} = 1-p_\mathrm{fail} + \frac{p_\mathrm{fail}}{2} = 1 - \frac{p_\mathrm{fail}}{2} \end{aligned}$$
(8)
In other words, the adversary’s advantage over random guessing is the following one, as observed in Fig. 4:
$$\begin{aligned} \text{ Adv}^\mathrm{SMPB}_{A} = \frac{1}{2}(1-p_\mathrm{fail}) \end{aligned}$$
(9)
Fig. 4 Adversary’s advantage over random guessing

Note that this advantage only means that an adversary has a high probability of distinguishing two scenarios chosen by itself over the course of at least two periods if a sufficient number of nodes have been compromised (even though the scenarios contain only the electricity consumptions of honest smart meters). In practice, this is equivalent to learning the change of at least one smart meter’s reported electricity consumptions over several periods.
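As a cross-check of Eqs. (7) to (9) for small groups, the Python sketch below (an added example, not the authors' code and not the recursion above) counts the safe placements directly from their definition by enumerating every choice of \(a\) compromised positions on a ring of \(n\) labelled positions, then derives \(p_\mathrm{fail}\), \(p_\mathrm{win}\) and the advantage. The last function models the neighbours' check from the text under the assumption that a node's period key changes from \(k\) to \(k + \Delta k_i\) modulo \(p\); all names and sample values are constructed.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def placement_is_safe(n, compromised):
    """True if no honest node has both ring neighbours compromised."""
    bad = set(compromised)
    return not any(
        i not in bad and (i - 1) % n in bad and (i + 1) % n in bad
        for i in range(n)
    )


def count_safe(n, a):
    """Brute-force count of safe placements of a compromised nodes (n >= 3)."""
    return sum(placement_is_safe(n, s) for s in combinations(range(n), a))


def p_fail(n, a):
    """Eq. (7): share of placements in which the attacker has no victim."""
    return Fraction(count_safe(n, a), comb(n, a))


def p_win(n, a):
    """Eq. (8): the attacker still guesses with probability 1/2 on failure."""
    return 1 - p_fail(n, a) / 2


def advantage(n, a):
    """Eq. (9): advantage over random guessing."""
    return (1 - p_fail(n, a)) / 2


def neighbours_guess(c_prev, c_next, delta_k, p):
    """Colluding neighbours' decision for the node between them.

    Returns 0 (consumption unchanged) if the ciphertext moved by exactly
    delta_k between the two periods, otherwise 1 (consumption changed).
    """
    return 0 if (c_next - c_prev) % p == delta_k % p else 1


if __name__ == "__main__":
    n = 10  # constructed group size, small enough to enumerate
    for a in range(n + 1):
        print(f"a={a:2d} safe={count_safe(n, a):4d} "
              f"p_fail={float(p_fail(n, a)):.3f} adv={float(advantage(n, a)):.3f}")

    p = 2**61 - 1                    # constructed modulus
    k, delta_k = 123456789, 987654321  # constructed key and key change
    c1 = (500 + k) % p
    print(neighbours_guess(c1, (500 + k + delta_k) % p, delta_k, p))  # unchanged
    print(neighbours_guess(c1, (730 + k + delta_k) % p, delta_k, p))  # changed
```

Enumeration is only practical for small \(n\); for group sizes of some hundreds the recursive computation is the one to use.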

5 Discussion

Table 2 compares our approach for a privacy-enhanced architecture for smart metering with related work. The comparison is in terms of need for trusted third party, need for aggregation node, computation overhead on smart meter/aggregation node, communication architecture and overhead, capability to deal with smart meter abuse and threats against the approaches.
Table 2 Comparison of privacy-preserving smart metering approaches: Paper at hand, A Privacy Model for Smart Metering [16], Privacy-friendly Energy-metering via Homomorphic Encryption [10], Privacy-aware real-time smart metering [13], and Secure Information Aggregation for Smart Grids Using Homomorphic Encryption [12]

| | Paper at hand | [16]: solution with TTP | [16]: solution without TTP | [10] | [13] | [12] |
|---|---|---|---|---|---|---|
| TTP | + (No TTP needed) | \(-\) (TTP receives individual consumption values) | + (No TTP needed) | \(\sim \) (Certification authority (CA) must only certify valid smart meters) | \(\sim \) (Need for CA not mentioned in paper) | + (No TTP needed) |
| Aggregator (Scaling) | + (Key aggregator for each group; ES aggregates data) | \(-\) (Same TTP as aggregator in each round) | + (No explicit aggregator needed; ES aggregates data) | + (Data aggregator for each group) | + (Data aggregator for each group) | + (Each smart meter as intermediate aggregator; explicit aggregator for each group) |
| Computation overhead per smart meter | Negligible (symmetric encryption); key aggregation: \(\mathcal{O }(k)\) asymmetric ops. | Negligible (symmetric encryption) | Negligible (symmetric encryption) | High (asymmetric crypto.: check of \(n\) certificates and encryption \(n-1\) times) | Low (symmetric crypto.: \(n\) encryptions) | High (asymmetric crypto.: homomorphic encryption several times) |
| Computation overhead: aggregator | Medium (symmetric decryption) | Negligible | Negligible | High (\(n\) times: basic ops. in the order of \(n\)) | High (\(n\) times: basic ops. in the order of \(n\)) | Medium (asymmetric decryption) |
| Communication architecture | \(-\) (Direct communication between smart meters needed; key aggregation: anonymization network) | + (Connection between smart meters and TTP, and between TTP and ES needed) | + (Direct communication between smart meters and ES) | + (No communication between smart meters needed; aggregator as relay) | + (No communication between smart meters needed; aggregator as relay) | \(-\) (Direct communication between smart meters needed) |
| Communication overhead | Medium (exchange of \(\delta \) values between smart meters; \(n\) keys to KA; \(n\) values to ES); token solution: high (\(n\) keys to KA; \(n\) tokens to smart meters; \(n\) encrypted values and \(n\) tokens to ES; \(n\) tokens to KA); key aggregation: \(\mathcal{O }(k)\) messages per smart meter | Low (\(N\) values to TTP) | Low (\(N\) values to ES) | High (\(n\) certificates to each smart meter; \(n-1\) shares from each smart meter to aggregator; \(n\) values to each smart meter; \(n\) values to aggregator) | High (list with \(N\) entries; \(n-1\) values and MAC values to \(n-1\) smart meters; \(n\) values and encryptions to aggregator) | Low (due to in-network aggregation) |
| Misuse detection and dealing | Yes (token solution) | Yes (TTP may check whether it received data from each smart meter) | No | Yes (data checked against energy provided within group\({}^\mathrm{a}\)) | Yes (wrong data can be detected) | Yes (except for the case the graph becomes unconnected) |
| Threats | Malicious smart meters; KA may cooperate with ES if no anonymous channel to KA is available | TTP is in possession of all customers’ data | | Aggregator requests many certificates and deceives smart meters in terms of group size | | |

The overhead stated in gray occurs only rarely—during key aggregation in the infrequent case Tor is needed to provide anonymity on the network layer;

\({}^\mathrm{a}\) Note that this check is possible as [10] propose that the smart meters send their data to the grid operator and not to the energy supplier

5.1 Authentication

We do not consider authentication in this comparison in detail as the approaches focus on privacy preservation and hardly go into any details concerning authentication.

However, authentication is an important protection goal as the ES must not receive measurements from non-involved parties. As we have pointed out in Sect. 3.4, we propose a secure channel where each smart meter is authenticated only as a member of a group of authorized smart meters in its communication with the key aggregator. Note that this needs to be done only very rarely during key aggregation phases. Keep in mind that using such an authentication scheme based on anonymous credentials or a group signature will highly affect the computation overhead on the part of the smart meters. The authentication scheme proposed by [13] is more efficient as they need just \(n\) MAC computations (symmetric cryptography) and one signature generation (asymmetric cryptography).

5.2 Trusted third party and aggregator nodes

The TTPs’ roles are quite different in the considered approaches. They range from the lack of need for a TTP (paper at hand), through the TTP’s function as a certificate issuing authority ([10]), to the TTP’s involvement in every energy consumption transmission period ([16]: solution with TTP). Note that, as pointed out in Sect. 4.4, key aggregators may act maliciously. However, they do not gain any information and thus, they need not be seen as trusted third parties.

Data aggregation is performed by different parties as proposed by the authors of the considered papers. In terms of scaling, it is advantageous to have more than one single aggregation party to cope with the (prospective) high number of smart meter readings. We propose to have a key aggregator for each group and the smart meter readings, that is, the data, are aggregated by the ES. García and Jacobs [10], Finster and Conrad [13], and Li et al. [12] propose a data aggregator for each group which allows for a good scaling, that is, new groups may be built if the number of smart meters within a group grows. Bohli et al. [16] propose a solution with a TTP which is used in each round for data aggregation. This approach lacks scalability as one single party is burdened with the data aggregation.

5.3 Computation overhead for smart meter and aggregator

The number of all smart meters in the system is denoted by \(N\) and the number of smart meters within a group is denoted by \(n\), where \(n\) can be assumed to be in the scale of some hundreds. The overheads given in the table apply for every energy consumption transmission period \(j\). We base our rough computation overhead estimations on the type of cryptographic operations being executed, that is, asymmetric or symmetric operations. The runtime of those operations depends on the processor architecture. As no implementation details are given, we do not consider any runtime aspects.

The computation overhead for smart meters in our approach is negligible in most cases as they only have to perform symmetric operations. Only during key aggregation phases in the case that the communication architecture requires the employment of Tor (see Sect. 3.5), the computation overhead rises as \(\mathcal{O }(k)\) asymmetric operations need to be performed. In this case, \(k\) denotes the security parameter, that is, the number of employed hops before the message is forwarded to the KA. As this case rarely happens, it is shown in gray in the table. The computation overhead for the aggregator in our approach is medium as it needs to perform the decryption of the aggregation of individual encrypted values. Those operations are symmetric cryptographic operations.

The computation overhead for smart meters is negligible for both solutions proposed by [16]. As shown in the table, the computation overhead for the schemes proposed by [10, 13], and [12] is rather high as they employ asymmetric cryptography, respectively, an extensive number of symmetric operations.

As discussed in Sect. 3.7, some node is periodically elected as key aggregator. We do not restrict the actual election mechanism. The mechanism based on commitments [29], as proposed, only uses lightweight cryptographic primitives. Thus, we neglect the computation overhead for the election mechanism in this overview.

5.4 Communication architecture and overhead

The need for direct communication between the smart meters is the major drawback of our approach. Li et al. [12] also require direct communication between the smart meters. Within the other considered approaches, the smart meters are either directly connected with the ES or the aggregator nodes act as relaying parties.

The solutions by [12] and [16] entail a low communication overhead whereas the solutions by [10] and [13] entail a high communication overhead. The communication overhead of our approach is acceptable. However, if an anonymization network such as Tor is used to provide anonymization on the network layer, as proposed in Sect. 3.5, the communication overhead of our approach exceeds the overheads of the other schemes. Note, however, that an anonymization network is only needed during key aggregation phases, that is, during system bootstrapping or when a smart meter within a group fails or leaves, or a new one joins—and only in certain cases depending on the network architecture as stated in Sect. 3.5.

The communication overhead introduced by the key aggregator election mechanism is negligible. If the protocol based on commitments [29] is used, two messages are needed per smart meter per election. Note that the election is rarely performed and the introduced message overhead is negligible. Thus, it is not shown in the table. The message length of a commitment \(c\) for a random value \(r\) must be large enough to maintain security of the commitment [29] and \(|r| \ge \lg n\), where \(n\) is the number of smart meters within a group, as described in Sect. 5.3.

5.5 Memory overhead

We do not take the memory overhead for the smart meters and the aggregator node into account in our consideration as we can assume sufficient memory to be available in state of the art smart meters and aggregation nodes. However, note that if there is no third party in place that keeps track of all the reported consumption values of the smart meters, each smart meter has to store its consumption values over the billing period (and possibly even longer for legal reasons in practical implementations) to be able to compute the bill at the end of the billing period. Depending on legal requirements, it can be sufficient to store an accumulator for each billing period, instead of all the individual measurements.

5.6 Misuse detection

All solutions, except for the one without TTP proposed by [16], allow detecting and dealing with misuse in some form. Misuse means that some smart meter does not send its measurements. The token solution helps in case any smart meter does not send the key or the data. However, we cannot detect wrong data values provided by smart meters. Wrong data can be detected by the approaches of [10] and [13].

5.7 Threats

Malicious smart meters as well as cooperations between the KAs and the ES constitute major threats to our scheme. We have discussed those aspects in Sect. 4. The major threat to the scheme with a TTP presented by [16] is that the TTP is in possession of all of the customers’ data. Thus, even if the TTP is not malicious, it may constitute a promising attack target. The approach by [10] entails the problem that a malicious aggregator node may request many certificates and thereby deceive the smart meters in terms of group size in order to be able to get individual smart meters’ readings.

5.8 Comparison with practical solution

Compared with a practical current smart metering application, our presented solution keeps customers’ privacy by introducing a minor computation and communication overhead. The main disadvantage of our approach is the need for direct communication among smart meters. Moreover, while malicious smart meters in current setups can report wrong values (and must therefore be trusted devices), a malicious smart meter (reporting false readings or keys) can cause the whole group to deliver a false aggregated result, which may be hard to detect depending on the extent of the falsification. This limitation is, however, inherent to the aggregation of readings within groups, not just our approach.

6 Conclusions and future work

Within this work, we present a privacy-enhanced architecture for smart metering which ensures privacy of the electricity usage of end users, while at the same time allowing the energy supplier to receive accurate electricity consumption from a group of smart meters. Typically, this set of smart meters reflects a well-defined administrative region for the energy supplier, thus still enabling to provide the required amount of energy to the various households. Technically, our approach is based on the use of a pairwise symmetric homomorphic encryption transformation in conjunction with group keys. A smart meters’ key ring for key update provides a key refreshment of the pairwise keys without the need to update the master key at the energy supplier’s side. Compared with other approaches, our solution is more flexible with regard to the choice of the key aggregator.

In future work, we are planning to perform an evaluation of the scalability of the proposal being presented in this paper. Moreover, some other open issues are based on the inclusion of physical attacks as part of the attacker model; in the same line, we are also working on guaranteeing the validity of a decrypted value. Finally, the bootstrapping of the current proposal is also a matter of current research.

Going beyond the domain of smart meters, we also plan to explore the applicability of our solution in other domains, such as location-based services; in addition, we want to investigate how approaches from such other domains, such as Rebollo-Monedero et al. [30], can be adapted to improve the privacy of smart meters.

Such a broader scope may also prove helpful in the development of a comprehensive model to measure user privacy. For example, our focus has been mainly on aggregation over customer groups—how to measure the effect of combined aggregation both over time and over customer groups is still an open question.

Footnotes
1. Note that control is somewhat limited; the ES can send updated price information or control commands to a specific smart meter, but does not know the current electricity consumption measured by that device. However, it would be possible to broadcast messages containing conditional instructions to be evaluated by the smart meters themselves.

2. Note that the actual formation, updating and maintenance of such ring is out of scope of this paper.

3. For \(n = 1\), no privacy can be achieved. Therefore, we assume that the smart metering architecture is composed of at least two smart meters.

4. Smart meters may report the same energy measurement at multiple periods, for example, during the night when the energy consumption remains nearly constant.

5. The period parameter \(j\) can be seen as a nonce to compute the new key from the old one.

Acknowledgments

The work presented in this paper was partially supported by the BMWI within the project SmartPowerHamburg. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements of the SmartPowerHamburg project. Thanks also to the Funding Program for Research Groups of Excellence granted as well by the Séneca Foundation with code 04552/GERM/06. Finally, the authors thank Daniel Kuntze, Peter Günther and Santiago Pina for their support in determining the number of secure configurations presented in Sect. 4.5 and “Appendix A”.


Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Félix Gómez Mármol (1)
  • Christoph Sorge (2)
  • Ronald Petrlic (2)
  • Osman Ugus (3)
  • Dirk Westhoff (4)
  • Gregorio Martínez Pérez (5)

  1. NEC Europe Ltd, Heidelberg, Germany
  2. Institut für Informatik, University of Paderborn, Paderborn, Germany
  3. Hamburg University of Applied Sciences, Hamburg, Germany
  4. Hochschule Furtwangen, Furtwangen, Germany
  5. Departamento de Ingeniería de la Información y las Comunicaciones, University of Murcia, Murcia, Spain
