Citation Context

...s secret key, or by using cryptographic verifiability as discussed in Section 4.1. 3 For our security analysis we will make use of the random oracle model to guarantee the randomness of the gi values =-=[9]-=-.3 Concrete Protocols As we have seen, the general framework of our protocols requires a number of meters or users to have a secret value xj per meter or xi,j per meter per round, such that they all ...

Citation Context

...nd µb took less than 0.001 seconds to run, and was implemented in 30 lines of pure python with standard numerical libraries. As expected it returns the values of the means with negligible error. (See =-=[22]-=- for a detailed treatment of error analysis in regression.) This demonstrates that computing statistics from aggregate measurements using regression analysis is computationally feasible even at a nati...

Citation Context

...ntations [16]. These results are often given in the form of Σ-protocols but with the help of hash functions they can be turned into non-interactive zero-knowledge arguments in the random oracle model =-=[17]-=-. When referring to the proofs above, we follow the notation introduced by Camenisch and Stadler [18]. The interactive protocol can be verified by using a simple version of a verifiable secret sharing...

Citation Context

...essages to ensure no customer has deviated from the valid protocol. We use several existing results to prove statements about discrete logarithms, such as, proofs of knowledge of a discrete logarithm =-=[15]-=- and proofs of knowledge of the equality of elements in different representations [16]. These results are often given in the form of Σ-protocols but with the help of hash functions they can be turned ...

Citation Context

...Hellman Key-Exchange Based Protocol. Our second scheme is based on the standard Diffie-Hellman key exchange protocol, combined with a modified variant of the Dining Cryptographer’s anonymity protocol =-=[10, 11]-=-. We assume that each meter j has a secret key Xj, and a corresponding public key Pubj. – For each round i, let gi = H(i) be a generator of a Diffie-Hellman group G. The generator gi is the same as fo...

Citation Context

...ing billing protocols [6] have proposed a simple modification to meters that enables further privacy preserving computations: meters output commitments to their readings (such as Petersen commitments =-=[14]-=- of the form Cci,j = gci,j open h i,j ) and a signature over them. The customer associated with meter can open those commitments but can also use them as input to certify further computations. Let us ...

Citation Context

...sting results to prove statements about discrete logarithms, such as, proofs of knowledge of a discrete logarithm [15] and proofs of knowledge of the equality of elements in different representations =-=[16]-=-. These results are often given in the form of Σ-protocols but with the help of hash functions they can be turned into non-interactive zero-knowledge arguments in the random oracle model [17]. When re...

Citation Context

...xed public key per meter. The construction is similarly to the modified Dining-Cryptographers protocols in [12]. Let G1, G2, and GT be groups in which the Decisional Bilinear DiffieHellman assumption =-=[13]-=- holds with a bi-linear map function e(G1, G2) → GT . Each meter only has to produce once a fixed public key Pubj = ˆg Xj 0 where ˆg0 is a generator of G1. Let H({0, 1} ∗ ) → G2 be a hash function map...

Citation Context

...the Python language. The code core with the cryptographic operations spans 89 lines of code. It uses the standard library hash function SHA256, and a separate pure-python implementation of Curve25519 =-=[21]-=- for DiffieHellman key generation and derivation yielding 32 byte public keys. Readings and their cipher texts are represented using 4 bytes.We tested our protocols in the setting of 100 meters repor...

Citation Context

...n). Fu. et all [5], highlight the privacy related threats of smart metering and propose an architecture for secure measurements, that rely on trusted components outside of the meter. Rial and Danezis =-=[6]-=- propose a protocol using commitments and zero knowledge proofs to privately derive and prove the correctness of bills, but not for aggregation across meters. The latter techniques have also been exte...

Citation Context

...ctions they can be turned into non-interactive zero-knowledge arguments in the random oracle model [17]. When referring to the proofs above, we follow the notation introduced by Camenisch and Stadler =-=[18]-=-. The interactive protocol can be verified by using a simple version of a verifiable secret sharing scheme [14] to certify that all protocol messages are well formed. For every round of aggregation i ...

Citation Context

... should not be able to interfere with the integrity of the protocol messages unless they have compromised the physical meters, or have physically bypassed the meter – which is common.Forward secrecy =-=[19, 13, 20]-=- is desirable to minimize the impact of a potentially leaked private key. The interactive and DH based protocols can be modified to provide some forward secrecy. The interactive protocol participants ...

Citation Context

... Garcia and Jacobs [4]. Their protocol requires O(n 2 ) bytes of interaction between the individual meters as well as relatively expensive cryptography on the meters (Paillier ecnryption). Fu. et all =-=[5]-=-, highlight the privacy related threats of smart metering and propose an architecture for secure measurements, that rely on trusted components outside of the meter. Rial and Danezis [6] propose a prot...

Citation Context

...ion is currently underway in collaboration with a meter manufacturer and a Dutch utility. Related work. Privacy preserving metering aggregation and comparison has been introduced by Garcia and Jacobs =-=[4]-=-. Their protocol requires O(n 2 ) bytes of interaction between the individual meters as well as relatively expensive cryptography on the meters (Paillier ecnryption). Fu. et all [5], highlight the pri...

Citation Context

...man and Bilinear-map Based Protocol. The DH-based scheme can be extended to only require a fixed public key per meter. The construction is similarly to the modified Dining-Cryptographers protocols in =-=[12]-=-. Let G1, G2, and GT be groups in which the Decisional Bilinear DiffieHellman assumption [13] holds with a bi-linear map function e(G1, G2) → GT . Each meter only has to produce once a fixed public ke...

Citation Context

...Hellman Key-Exchange Based Protocol. Our second scheme is based on the standard Diffie-Hellman key exchange protocol, combined with a modified variant of the Dining Cryptographer’s anonymity protocol =-=[10, 11]-=-. We assume that each meter j has a secret key Xj, and a corresponding public key Pubj. – For each round i, let gi = H(i) be a generator of a Diffie-Hellman group G. The generator gi is the same as fo...

Citation Context

... to privately derive and prove the correctness of bills, but not for aggregation across meters. The latter techniques have also been extended to protocols that provide differential privacy guarantees =-=[7]-=-. 2 Basic Protocols The protocols we propose follow the principle of [8] by relying on masking the meter consumptions ci,j output by meter j for a reading i, in such a way that an adversary cannot rec...

Citation Context

... grid implementation. Simultaneously, privacy issues are mounting – in 2009, the Dutch Senate stopped a law aimed to make the usage of smart meters compulsory based on privacy and human rights issues =-=[2]-=-. On the US side, NIST has identified privacy as one of the main concerns in a smart grid implementation, and proposes using the “privacy by design” approach [3] to alleviate them. While it is not cle...

Citation Context

... should not be able to interfere with the integrity of the protocol messages unless they have compromised the physical meters, or have physically bypassed the meter – which is common.Forward secrecy =-=[19, 13, 20]-=- is desirable to minimize the impact of a potentially leaked private key. The interactive and DH based protocols can be modified to provide some forward secrecy. The interactive protocol participants ...

Citation Context

...regation across meters. The latter techniques have also been extended to protocols that provide differential privacy guarantees [7]. 2 Basic Protocols The protocols we propose follow the principle of =-=[8]-=- by relying on masking the meter consumptions ci,j output by meter j for a reading i, in such a way that an adversary cannot recover individual readings. Yet, the sum of the masking values across mete...