### Citations

1642 | Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway - 1993 |

1027 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
(Show Context)
Citation Context ...e previous [14]. These results are often given in the form of Σ-protocols but they can be turned into non-interactive zero-knowledge arguments in the random oracle model via the Fiat-Shamir heuristic =-=[20]-=-. When referring to the proofs above, we follow the notation introduced by Camenisch and Stadler [10] for various proofs of knowledge of discrete logarithms and proofs of the validity of statements ab... |

956 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ... Verify(pk, s, m) outputs accept if s is a valid signature on m and reject otherwise. This definition can be extended to support multi-block messages ⃗m = {m1, . . . , mn}. Existential unforgeability =-=[20]-=- requires that no probabilistic polynomial time (p.p.t.) adversary should be able to output a message-signature pair (s, m) unless he has previously obtained a signature on m. The signature schemes of... |

830 | Universally Composable Security: A New Paradigm for Cryptographic Protocols
- Canetti
- 2001
(Show Context)
Citation Context ...y M. 4.3 Security Definition Full definitions, constructions and proofs of security are available in the extended technical report 3 . We define security following the ideal-world/real-world paradigm =-=[8]-=-. In the real world, a set of parties interact according to the protocol description in the presence of a real adversary A, while in the ideal world dummy parties interact with an ideal functionality ... |

740 |
Efficient Signature Generation by Smart Cards.
- Schnorr
- 1991
(Show Context)
Citation Context ...t reveal which witness (among all possible witnesses) was used by the prover. We use several existing results to prove statements about discrete logarithms: proof of knowledge of a discrete logarithm =-=[35]-=-; proof of knowledge of the equality of some element in different representations [10]; proof with interval checks [33], range proof [5] and proof of the disjunction or conjunction of any two of the p... |

371 |
Wallet databases with observers
- Chaum, Pedersen
- 1992
(Show Context)
Citation Context ...everal existing results to prove statements about discrete logarithms: proof of knowledge of a discrete logarithm [35]; proof of knowledge of the equality of some element in different representations =-=[10]-=-; proof with interval checks [33], range proof [5] and proof of the disjunction or conjunction of any two of the previous [11]. These results are often given in the form of Σ-protocols but they can be... |

334 | Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols. Advances in Cryptology - Crypto 1994, LNCS vol. 839
- Cramer, Damgard, et al.
- 1994
(Show Context)
Citation Context ...of knowledge of the equality of some element in different representations [10]; proof with interval checks [33], range proof [5] and proof of the disjunction or conjunction of any two of the previous =-=[11]-=-. These results are often given in the form of Σ-protocols but they can be turned into non-interactive zero-knowledge arguments in the random oracle model via the Fiat-Shamir heuristic [18]. When refe... |

209 | A Signature Scheme with Efficient Protocols
- Camenisch, Lysyanskaya
- 2003
(Show Context)
Citation Context ...ny existentially unforgeable signature scheme – we have used the NIST Digital Signature Algorithm (DSA). For P’s signature scheme, we choose the signature scheme proposed by Camenisch and Lysyanskaya =-=[6]-=-. Commitment schemes. A non-interactive commitment scheme consists of the algorithms ComSetup, Commit and Open. ComSetup(1 k ) generates the parameters of the commitment scheme parc. Commit(parc, x) o... |

193 |
Nonintrusive appliance load monitoring”
- Hart
- 1992
(Show Context)
Citation Context ...y problems [2]: meters send all fine-grained measurements to the utilities or a centralised database. Yet, it is recognised that meter readings leak personal information. For example, load monitoring =-=[23, 27]-=- allows the identification of specific electrical appliances. As a result, detailed consumption data would facilitate the creation of user lifestyle profiles, including but not limited to house occupa... |

166 | Efficient proofs that a committed number lies in an interval. In:
- Boudot
- 2000
(Show Context)
Citation Context ...iscrete logarithms: proof of knowledge of a discrete logarithm [35]; proof of knowledge of the equality of some element in different representations [10]; proof with interval checks [33], range proof =-=[5]-=- and proof of the disjunction or conjunction of any two of the previous [11]. These results are often given in the form of Σ-protocols but they can be turned into non-interactive zero-knowledge argume... |

91 |
Security and Privacy Challenges in the Smart Grid.
- McDaniel, McLaughlin
- 2009
(Show Context)
Citation Context ...ssion of deployment and interoperability issues. 2 http://research.microsoft.com/apps/pubs/?id= 141726 2. RELATED WORK Smart meters privacy concerns have previously been studied both from a technical =-=[29, 30]-=- and a legal perspective [9, 34]. These works propose enforcement of privacy properties based on procedural means and assume that fine-grained billing inevitably requires the sharing of detailed meter... |

80 | Secure distributed programming with value-dependent types.
- Swamy, Chen, et al.
- 2011
(Show Context)
Citation Context ...n this work, as well as making use of our low-communication overhead techniques to make aggregation practical. Finally, Fournet et al. have verified an implementation of the Fast-PSM protocol in Fine =-=[36]-=-, and Aizatulin et al. [1] have done verification work on the concrete C implementation of our protocols for real-world meters. We will not be discussing further these extensions to the basic protocol... |

78 | Optimal and autonomous incentive-based energy consumption scheduling algorithm for smart grid,” presented at the
- Mohsenian-Rad, Wong, et al.
- 2010
(Show Context)
Citation Context ...rity of smart grids and conclude that they introduce new vulnerabilities that ease electricity theft. The design of algorithms that schedule energy consumption to reduce costs has also been addressed =-=[22]-=-. Proposals to enhance the security of the smart grid infrastructure include Fatemieh et al. [17]. No complete and thorough solution exists for computing privately individual bills when complex time-o... |

77 | Proof systems for general statements about discrete logarithms.
- Camenisch, Stadler
- 1997
(Show Context)
Citation Context ... non-interactive zero-knowledge arguments in the random oracle model via the Fiat-Shamir heuristic [18]. When referring to the proofs above, we follow the notation introduced by Camenisch and Stadler =-=[7]-=- for various proofs of knowledge of discrete logarithms and proofs of the validity of statements about discrete logarithms. NIPK{(α, β, δ) : y = g0 α g1 β ∧ ˜y = ˜g0 α ˜g1 δ ∧ A ≤ α ≤ B} denotes a “ze... |

74 |
An efficient divisible electronic cash scheme,” in
- Okamoto
- 1995
(Show Context)
Citation Context ...statements about discrete logarithms: proof of knowledge of a discrete logarithm [35]; proof of knowledge of the equality of some element in different representations [10]; proof with interval checks =-=[33]-=-, range proof [5] and proof of the disjunction or conjunction of any two of the previous [11]. These results are often given in the form of Σ-protocols but they can be turned into non-interactive zero... |

71 |
December). Why information security is hard-an economic perspective.
- Anderson
- 2001
(Show Context)
Citation Context ...performing the calculation. Different parties cannot rely on the same set of certified readings to bill customers for different usages. Most importantly, the black box model might misalign incentives =-=[2]-=-: meters are provided by utilities that have no incentive to invest in high quality privacy for their customers. They are regulated by metrological authorities that have no established competence in m... |

61 |
Private Memoirs of a Smart Meter
- Molina-Markham, Shenoy, et al.
- 2010
(Show Context)
Citation Context ...heir consumption privately. The NIST privacy subgroup [37] suggests anonymizing traces of readings, as proposed by Efthymiou et al. [16], but also warns of the ease of reidentification. Molina et al. =-=[32]-=- highlight the private information that current meters leak, and sketch a protocol that uses zero-knowledge proofs to achieve privacy in metering. Kumari et al. [25] propose usage control mechanisms f... |

51 |
Systems Analysis
- Power
- 1999
(Show Context)
Citation Context ...y problems [2]: meters send all fine-grained measurements to the utilities or a centralised database. Yet, it is recognised that meter readings leak personal information. For example, load monitoring =-=[23, 27]-=- allows the identification of specific electrical appliances. As a result, detailed consumption data would facilitate the creation of user lifestyle profiles, including but not limited to house occupa... |

48 | Privacy-friendly energy-metering via homomorphic encryption,”
- Garcia, Jacobs
- 2011
(Show Context)
Citation Context ...n the design of technical solutions to protect privacy in the smart grid. Wagner et al. [39] propose a privacy-aware framework for the smart grid based on semantic web technologies. Garcia and Jacobs =-=[19]-=- design a multiparty computation to compute the sum of their consumption privately. The NIST privacy subgroup [37] suggests anonymizing traces of readings, as proposed by Efthymiou et al. [16], but al... |

46 | Privacy-friendly Aggregation for the Smart-grid
- Kursawe, Danezis, et al.
- 2011
(Show Context)
Citation Context ...ks. In Kohlweiss et al. [13] it is extended to obscure inferences that can be drawn from the final bill using a combination of differentially private mechanisms and oblivious payments. Kursawe et al. =-=[26]-=- propose an aggregation protocol to privately sum readings from multiple meters, including protocols that are compatible with the protocols presented in this work, as well as making use of our low-com... |

40 | On the Notion of “Software Independence” in Voting Systems.
- Rivest, Wack
- 2006
(Show Context)
Citation Context ...as long as the software producing the bill can be updated. In all cases the integrity of the billing is guaranteed by the verification process. This property is similar to the “software independence” =-=[36]-=- that is sought in electronic election protocols. Privacy relies on the platform and software processing the certified reading to produce the bill without leaking information. The user is free to choo... |

38 |
Looking Back at the Bell-La Padula Model,”
- Bell
- 2005
(Show Context)
Citation Context ...Our system model differs from ongoing smart grid projects as we restrict the unidirectional communication from the metering core M and the provider P to protect privacy. A multi-level security policy =-=[4]-=- is defined to protect confidentiality: raw readings in the meter M are classified as “high” and the provider P systems are cleared only for “low” information, i.e. the final billing information. It i... |

34 | Anonymous Credentials on a Standard Java Card
- Bichsel, Camenisch, et al.
- 2009
(Show Context)
Citation Context ...0 minutes, and one signature on a set of commitments per billing period. This is well within the capabilities of cheap, off-theshelf, tamper resistant smart-cards or microcontrollers as documented in =-=[7]-=-. Web-deployment evaluation. The design rational for privacy preserving metering includes deployment of the schemes using web technologies, as illustrated in Figure 1. We implemented a billing back-en... |

28 |
SmartPrivacy for the smart grid: embedding privacy into the design of electricity conservation. Identity in the Information Society,
- Cavoukian, Polonetsky, et al.
- 2010
(Show Context)
Citation Context ...oncept of smart grid refers to the modernization of the existing electrical grid, including bidirectional communication between meters and utilities, more accurate meter readings and flexible tariffs =-=[9]-=-. Expected electricity savings depend on matching generation and demand, achieved partly through dynamic tariffs with higher rates during peak consumption periods. Further savings are expected through... |

28 | Non-interactive zero-knowledge arguments for voting.
- Groth
- 2005
(Show Context)
Citation Context ...and a value x2, the trapdoor td allows finding open x2 such that algorithm Open(parc, c, x2, open x2 ) outputs accept. For our implementation we choose the integer commitment scheme proposed by Groth =-=[21]-=-. Proofs of Knowledge. A zero-knowledge proof of knowledge [4] is a two-party protocol between a prover and a verifier. The prover demonstrates to the verifier her knowledge of some secret input (witn... |

27 |
PriPAYD: privacy friendly pay-as-you-drive insurance.
- Troncoso, Danezis, et al.
- 2007
(Show Context)
Citation Context ...ach very expensive). Smart metering is a special case of metering. LeMay et al. propose an architecture for attested metering [28] based on calculations performed on trusted hardware. Troncoso et al. =-=[38]-=- propose an architecture in which secure meters are used to calculate final bills for pay-as-you-drive insurance. Our protocol follows an approach similar to the one described in [3, 14] for the desig... |

24 | Randomized algorithms in number theory," - Rabin, Shallit - 1986 |

22 | On the security economics of electricity metering.
- Anderson, Fuloria
- 2012
(Show Context)
Citation Context ...th the United States and the European Union currently promote the deployment of smart grids. 1 Currently, most smart grid deployment projects lean towards an architecture with severe privacy problems =-=[2]-=-: meters send all fine-grained measurements to the utilities or a centralised database. Yet, it is recognised that meter readings leak personal information. For example, load monitoring [23, 27] allow... |

22 | Unified architecture for large-scale attested metering.
- LeMay, Gross, et al.
- 2007
(Show Context)
Citation Context ...zations to reduce meter communication costs we present, making their approach very expensive). Smart metering is a special case of metering. LeMay et al. propose an architecture for attested metering =-=[28]-=- based on calculations performed on trusted hardware. Troncoso et al. [38] propose an architecture in which secure meters are used to calculate final bills for pay-as-you-drive insurance. Our protocol... |

16 | Plug-in Privacy for Smart Metering Billing
- Jawurek, Johns, et al.
- 2011
(Show Context)
Citation Context ...ly individual bills when complex time-of-use tariffs are applied, or perform general private computations needed to run a modern grid (the special case of linear policies was independently studied in =-=[24]-=- – yet it does not include the opimizations to reduce meter communication costs we present, making their approach very expensive). Smart metering is a special case of metering. LeMay et al. propose an... |

15 |
Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution.
- Aizatulin, Gordon, et al.
- 2011
(Show Context)
Citation Context ...ing use of our low-communication overhead techniques to make aggregation practical. Finally, Fournet et al. have verified an implementation of the Fast-PSM protocol in Fine [36], and Aizatulin et al. =-=[1]-=- have done verification work on the concrete C implementation of our protocols for real-world meters. We will not be discussing further these extensions to the basic protocols presented here.ü Certif... |

15 | Privacy-Friendly Electronic Traffic Pricing via Commits. In:
- Jonge, Jacobs
- 2009
(Show Context)
Citation Context ... Troncoso et al. [38] propose an architecture in which secure meters are used to calculate final bills for pay-as-you-drive insurance. Our protocol follows an approach similar to the one described in =-=[3, 14]-=- for the design of a privacy-friendly electronic toll pricing system. We extend their paradigm of proving some aspects of a metering system using cryptography by providing full end-to-end verifiabilit... |

11 | A.: Data protection in heterogeneous distributed systems: A smart meter example
- Kumari, Kelbert, et al.
- 2011
(Show Context)
Citation Context ...of reidentification. Molina et al. [32] highlight the private information that current meters leak, and sketch a protocol that uses zero-knowledge proofs to achieve privacy in metering. Kumari et al. =-=[25]-=- propose usage control mechanisms for data shared by smart meters connected to web based social networks. Some work focuses on more general aspects of smart grid security. Anderson and Fuloria [2] ana... |

7 |
Privacy and the new energy infrastructure. SSRN
- Quinn
- 2009
(Show Context)
Citation Context ...ability issues. 2 http://research.microsoft.com/apps/pubs/?id= 141726 2. RELATED WORK Smart meters privacy concerns have previously been studied both from a technical [29, 30] and a legal perspective =-=[9, 34]-=-. These works propose enforcement of privacy properties based on procedural means and assume that fine-grained billing inevitably requires the sharing of detailed meter readings. Little work exists on... |

6 | Reducing the Trusted Computing Base for Applications on Commodity Systems.
- McCune
- 2009
(Show Context)
Citation Context ...to minimise the requirements for storage, communications, upgradability, and generic computations. This keeps the meter Trusted Computing Base small and as a result cheap and amenable to verification =-=[29]-=-. As argued by Garcia and Jacobs [21], independently verified tamper-resistant meters are also required for consumer protection. In our scheme, each meter stores a signature key and signs the readings... |

5 |
No to mandatory smart metering does not equal privacy
- Cuijpers
(Show Context)
Citation Context ... use it to illustrate our techniques. Other computations on readings are also supported. Consumer privacy concerns have already jeopardised the mandatory deployment of smart meters in the Netherlands =-=[12]-=-, leading to a deployment deadlock. This deadlock stems from the assumption that smart metering is necessarily privacy invasive and that a balance needs to be struck between privacy and the social uti... |

4 |
Privacy concerns in upcoming residential and commercial demand-response systems
- Lisovich, Wicker
- 2008
(Show Context)
Citation Context ...ssion of deployment and interoperability issues. 2 http://research.microsoft.com/apps/pubs/?id= 141726 2. RELATED WORK Smart meters privacy concerns have previously been studied both from a technical =-=[29, 30]-=- and a legal perspective [9, 34]. These works propose enforcement of privacy properties based on procedural means and assume that fine-grained billing inevitably requires the sharing of detailed meter... |

4 | Linked Data for a Privacy-Aware Smart Grid
- Wagner, Speiser, et al.
(Show Context)
Citation Context ...ssume that fine-grained billing inevitably requires the sharing of detailed meter readings. Little work exists on the design of technical solutions to protect privacy in the smart grid. Wagner et al. =-=[39]-=- propose a privacy-aware framework for the smart grid based on semantic web technologies. Garcia and Jacobs [19] design a multiparty computation to compute the sum of their consumption privately. The ... |

3 | C.A.: Low cost and secure smart meter communications using the TV white spaces
- Fatemieh, Chandra, et al.
- 2010
(Show Context)
Citation Context ...eft. The design of algorithms that schedule energy consumption to reduce costs has also been addressed [22]. Proposals to enhance the security of the smart grid infrastructure include Fatemieh et al. =-=[17]-=-. No complete and thorough solution exists for computing privately individual bills when complex time-of-use tariffs are applied, or perform general private computations needed to run a modern grid (t... |

2 |
A.: Differentially private billing with rebates. IACR Cryptology ePrint Archive 2011
- Danezis, Kohlweiss, et al.
- 2011
(Show Context)
Citation Context ...g system using cryptography by providing full end-to-end verifiability for computations. Further Work. The work presented in this paper has already been extended in several works. In Kohlweiss et al. =-=[13]-=- it is extended to obscure inferences that can be drawn from the final bill using a combination of differentially private mechanisms and oblivious payments. Kursawe et al. [26] propose an aggregation ... |

2 |
Efthymiou and Georgios Kalogridis. Smart grid privacy via anonymization of smart metering data
- Costas
- 2010
(Show Context)
Citation Context ... Jacobs [19] design a multiparty computation to compute the sum of their consumption privately. The NIST privacy subgroup [37] suggests anonymizing traces of readings, as proposed by Efthymiou et al. =-=[16]-=-, but also warns of the ease of reidentification. Molina et al. [32] highlight the private information that current meters leak, and sketch a protocol that uses zero-knowledge proofs to achieve privac... |

1 |
Preneel, Ingrid Verbauwhede, and Christophe Geuens. Pretp: Privacy-preserving electronic toll pricing
- Balasch, Rial, et al.
- 2010
(Show Context)
Citation Context ... Troncoso et al. [38] propose an architecture in which secure meters are used to calculate final bills for pay-as-you-drive insurance. Our protocol follows an approach similar to the one described in =-=[3, 14]-=- for the design of a privacy-friendly electronic toll pricing system. We extend their paradigm of proving some aspects of a metering system using cryptography by providing full end-to-end verifiabilit... |

1 |
Cryptographic protocols of the identity mixer library, v. 2.3.0. IBM research report RZ3730
- Dwork
(Show Context)
Citation Context ...d value lies in an interval. All the proofs in our implementation are computed via the FiatShamir heuristic. To prove possession of a Camenisch-Lysyanskaya signature, we employ the proof described in =-=[15]-=-. To prove that a message m3 committed in cm3 = g m3 1 hopen m3 is the product of two messages m1 and m2 committed in cm1 = g m1 1 hopen m1 and cm2 = g m2 1 hopen m2 respectively, the following proof ... |

1 |
How to prove yourself: solutions to identification and signature problems
- Fiat, Shamir
- 1986
(Show Context)
Citation Context ...e previous [11]. These results are often given in the form of Σ-protocols but they can be turned into non-interactive zero-knowledge arguments in the random oracle model via the Fiat-Shamir heuristic =-=[18]-=-. When referring to the proofs above, we follow the notation introduced by Camenisch and Stadler [7] for various proofs of knowledge of discrete logarithms and proofs of the validity of statements abo... |

1 |
Dmitry Podkuiko. Energy theft in the advanced metering infrastructure
- McLaughlin, McDaniel
- 2009
(Show Context)
Citation Context ...cted to web based social networks. Some work focuses on more general aspects of smart grid security. Anderson and Fuloria [2] analyze the security economics of electricity metering. McLaughlin et al. =-=[31]-=- analyze security of smart grids and conclude that they introduce new vulnerabilities that ease electricity theft. The design of algorithms that schedule energy consumption to reduce costs has also be... |