#### DMCA

## Privacy-friendly aggregation for the smart-grid. Privacy Enhancing Technologies (2011)

Citations: | 46 - 5 self |

### Citations

1641 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ...s secret key, or by using cryptographic verifiability as discussed in Section 4.1. 3 For our security analysis we will make use of the random oracle model to guarantee the randomness of the gi values =-=[9]-=-.3 Concrete Protocols As we have seen, the general framework of our protocols requires a number of meters or users to have a secret value xj per meter or xi,j per meter per round, such that they all ... |

1145 |
Data analysis using regression and multilevel/hierarchical models. New York:
- Gelman, Hill
- 2006
(Show Context)
Citation Context ...nd µb took less than 0.001 seconds to run, and was implemented in 30 lines of pure python with standard numerical libraries. As expected it returns the values of the means with negligible error. (See =-=[22]-=- for a detailed treatment of error analysis in regression.) This demonstrates that computing statistics from aggregate measurements using regression analysis is computationally feasible even at a nati... |

1026 | A.: How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
(Show Context)
Citation Context ...ntations [16]. These results are often given in the form of Σ-protocols but with the help of hash functions they can be turned into non-interactive zero-knowledge arguments in the random oracle model =-=[17]-=-. When referring to the proofs above, we follow the notation introduced by Camenisch and Stadler [18]. The interactive protocol can be verified by using a simple version of a verifiable secret sharing... |

739 |
Efficient signature generation by smart cards
- Schnorr
- 1991
(Show Context)
Citation Context ...essages to ensure no customer has deviated from the valid protocol. We use several existing results to prove statements about discrete logarithms, such as, proofs of knowledge of a discrete logarithm =-=[15]-=- and proofs of knowledge of the equality of elements in different representations [16]. These results are often given in the form of Σ-protocols but with the help of hash functions they can be turned ... |

574 | The dining cryptographers problem: Unconditional sender and recipient untraceability
- Chaum
- 1988
(Show Context)
Citation Context ...Hellman Key-Exchange Based Protocol. Our second scheme is based on the standard Diffie-Hellman key exchange protocol, combined with a modified variant of the Dining Cryptographer’s anonymity protocol =-=[10, 11]-=-. We assume that each meter j has a secret key Xj, and a corresponding public key Pubj. – For each round i, let gi = H(i) be a generator of a Diffie-Hellman group G. The generator gi is the same as fo... |

502 |
Non-interactive and information-theoretic secure verifiable secret sharing
- Pedersen
- 1991
(Show Context)
Citation Context ...ing billing protocols [6] have proposed a simple modification to meters that enables further privacy preserving computations: meters output commitments to their readings (such as Petersen commitments =-=[14]-=- of the form Cci,j = gci,j open h i,j ) and a signature over them. The customer associated with meter can open those commitments but can also use them as input to certify further computations. Let us ... |

371 |
Wallet databases with observers
- Chaum, Pedersen
- 1992
(Show Context)
Citation Context ...sting results to prove statements about discrete logarithms, such as, proofs of knowledge of a discrete logarithm [15] and proofs of knowledge of the equality of elements in different representations =-=[16]-=-. These results are often given in the form of Σ-protocols but with the help of hash functions they can be turned into non-interactive zero-knowledge arguments in the random oracle model [17]. When re... |

251 | A forward-secure public-key encryption scheme
- Canetti, Halevi, et al.
(Show Context)
Citation Context ...xed public key per meter. The construction is similarly to the modified Dining-Cryptographers protocols in [12]. Let G1, G2, and GT be groups in which the Decisional Bilinear DiffieHellman assumption =-=[13]-=- holds with a bi-linear map function e(G1, G2) → GT . Each meter only has to produce once a fixed public key Pubj = ˆg Xj 0 where ˆg0 is a generator of G1. Let H({0, 1} ∗ ) → G2 be a hash function map... |

111 | Curve25519: new Diffie-Hellman speed records.
- BERNSTEIN
- 2006
(Show Context)
Citation Context ...the Python language. The code core with the cryptographic operations spans 89 lines of code. It uses the standard library hash function SHA256, and a separate pure-python implementation of Curve25519 =-=[21]-=- for DiffieHellman key generation and derivation yielding 32 byte public keys. Readings and their cipher texts are represented using 4 bytes.We tested our protocols in the setting of 100 meters repor... |

79 | Privacy-Preserving Smart Metering
- Rial, Danezis
- 2011
(Show Context)
Citation Context ...n). Fu. et all [5], highlight the privacy related threats of smart metering and propose an architecture for secure measurements, that rely on trusted components outside of the meter. Rial and Danezis =-=[6]-=- propose a protocol using commitments and zero knowledge proofs to privately derive and prove the correctness of bills, but not for aggregation across meters. The latter techniques have also been exte... |

77 | Proof systems for general statements about discrete logarithms.
- Camenisch, Stadler
- 1997
(Show Context)
Citation Context ...ctions they can be turned into non-interactive zero-knowledge arguments in the random oracle model [17]. When referring to the proofs above, we follow the notation introduced by Camenisch and Stadler =-=[18]-=-. The interactive protocol can be verified by using a simple version of a verifiable secret sharing scheme [14] to certify that all protocol messages are well formed. For every round of aggregation i ... |

63 | Off-the-record communication, or, why not to use PGP
- Borisov, Goldberg, et al.
- 2004
(Show Context)
Citation Context ... should not be able to interfere with the integrity of the protocol messages unless they have compromised the physical meters, or have physically bypassed the meter – which is common.Forward secrecy =-=[19, 13, 20]-=- is desirable to minimize the impact of a potentially leaked private key. The interactive and DH based protocols can be modified to provide some forward secrecy. The interactive protocol participants ... |

61 |
Private Memoirs of a Smart Meter
- Molina-Markham, Shenoy, et al.
- 2010
(Show Context)
Citation Context ... Garcia and Jacobs [4]. Their protocol requires O(n 2 ) bytes of interaction between the individual meters as well as relatively expensive cryptography on the meters (Paillier ecnryption). Fu. et all =-=[5]-=-, highlight the privacy related threats of smart metering and propose an architecture for secure measurements, that rely on trusted components outside of the meter. Rial and Danezis [6] propose a prot... |

48 | Privacy-friendly energy-metering via homomorphic encryption,”
- Garcia, Jacobs
- 2011
(Show Context)
Citation Context ...ion is currently underway in collaboration with a meter manufacturer and a Dutch utility. Related work. Privacy preserving metering aggregation and comparison has been introduced by Garcia and Jacobs =-=[4]-=-. Their protocol requires O(n 2 ) bytes of interaction between the individual meters as well as relatively expensive cryptography on the meters (Paillier ecnryption). Fu. et all [5], highlight the pri... |

48 | Dining cryptographers revisited
- Golle, Juels
- 2004
(Show Context)
Citation Context ...man and Bilinear-map Based Protocol. The DH-based scheme can be extended to only require a fixed public key per meter. The construction is similarly to the modified Dining-Cryptographers protocols in =-=[12]-=-. Let G1, G2, and GT be groups in which the Decisional Bilinear DiffieHellman assumption [13] holds with a bi-linear map function e(G1, G2) → GT . Each meter only has to produce once a fixed public ke... |

18 | A 2-round anonymous veto protocol,”
- Hao, Zielinski
- 2009
(Show Context)
Citation Context ...Hellman Key-Exchange Based Protocol. Our second scheme is based on the standard Diffie-Hellman key exchange protocol, combined with a modified variant of the Dining Cryptographer’s anonymity protocol =-=[10, 11]-=-. We assume that each meter j has a secret key Xj, and a corresponding public key Pubj. – For each round i, let gi = H(i) be a generator of a Diffie-Hellman group G. The generator gi is the same as fo... |

10 | Differentially private billing with rebates. In:
- Danezis, Kohlweiss, et al.
- 2011
(Show Context)
Citation Context ... to privately derive and prove the correctness of bills, but not for aggregation across meters. The latter techniques have also been extended to protocols that provide differential privacy guarantees =-=[7]-=-. 2 Basic Protocols The protocols we propose follow the principle of [8] by relying on masking the meter consumptions ci,j output by meter j for a reading i, in such a way that an adversary cannot rec... |

9 |
P.B.j.: Het wetsvoorstel slimme meters: een privacytoets op basis van art . 8 EVRM Onderzoek in opdracht van de Consumentenbond.
- Cuijpers, Koops
- 2008
(Show Context)
Citation Context ... grid implementation. Simultaneously, privacy issues are mounting – in 2009, the Dutch Senate stopped a law aimed to make the usage of smart meters compulsory based on privacy and human rights issues =-=[2]-=-. On the US side, NIST has identified privacy as one of the main concerns in a smart grid implementation, and proposes using the “privacy by design” approach [3] to alleviate them. While it is not cle... |

2 |
Authentication and authenticated key exchanges,” Des. Codes Cryptography
- Diffie, Oorschot, et al.
- 1992
(Show Context)
Citation Context ... should not be able to interfere with the integrity of the protocol messages unless they have compromised the physical meters, or have physically bypassed the meter – which is common.Forward secrecy =-=[19, 13, 20]-=- is desirable to minimize the impact of a potentially leaked private key. The interactive and DH based protocols can be modified to provide some forward secrecy. The interactive protocol participants ... |

1 |
Some Ideas on Privacy Preserving Meter Aggregation
- Kursawe
- 2011
(Show Context)
Citation Context ...regation across meters. The latter techniques have also been extended to protocols that provide differential privacy guarantees [7]. 2 Basic Protocols The protocols we propose follow the principle of =-=[8]-=- by relying on masking the meter consumptions ci,j output by meter j for a reading i, in such a way that an adversary cannot recover individual readings. Yet, the sum of the masking values across mete... |