
1 Introduction

The Energy Internet is a pluralistic energy network [1]. As environmental pollution and the energy crisis become increasingly serious, the Energy Internet, which supports the large-scale use of renewable energy sources, has received broad and intensive attention. The Energy Internet can be divided into an energy network and an information network. Energy generated by various users is converted into electricity and interacts with the power plant through the energy transfer network and the information network, as shown in Fig. 1. Compared with the smart grid, the Energy Internet can make full use of the various types of distributed energy [2], so energy management and real-time data analysis are important in the Energy Internet [3, 4]. In the Energy Internet, the scope of system data collection will expand greatly: SMs (smart meters) and a variety of smart appliances will be used as collection devices that upload near-real-time data periodically. However, frequent collection of electricity usage data may leak sensitive user information and cause other issues that threaten user privacy [5], and the calculation cost and communication overhead put considerable pressure on the system. Data aggregation [6, 7] not only reduces communication overhead but also protects individual data privacy. Most existing aggregation schemes use homomorphic encryption to encrypt users' data: a device such as an SM encrypts the data, and edge nodes in the communication network aggregate it without decryption, which reduces the communication overhead and calculation cost for other entities and improves system efficiency, as shown in Fig. 1.

Fig. 1. Energy Internet system architecture

Because a large number of GWs (gateways) are widely distributed in the RA, they are difficult to manage and vulnerable to being destroyed or controlled by an adversary. As a result, erroneous aggregation data may be transmitted to the CC (control center), and an improper power generation plan or dynamic price will reduce system reliability, as shown in Fig. 2. How to trace the target gateway in time to ensure the reliability of the Energy Internet is still an open problem. In addition, the CC's identity is vulnerable to fraudulent use by an adversary, which may cause disclosure of user privacy. To solve the above problems, in this paper we propose an IBE-based Device Traceable Privacy-Preserving Aggregation Scheme (IBE-DTPPA), a secure and efficient scheme that supports target GW traceability. The main contributions of this paper are divided into three parts as follows:

Fig. 2. Energy Internet edge equipment threat

  (1) We add a random number to the aggregation in the BGN Cryptosystem to verify the integrity of the aggregation data. We choose the CC's dynamic ID as the public key for IBE encryption; the ID is updated aperiodically within a short period of time, ensuring the authenticity of the CC's identity.

  (2) We encrypt the RA aggregation data with the IBE Cryptosystem, calculating the ciphertext based on the GW's dynamic ID, which realizes target GW traceability.

  (3) We prove the security of our scheme and analyze the relevant parameters in detail, showing that our scheme is secure against different attacks and can realize device traceability efficiently.

The rest of this paper is organized as follows. Section 2 introduces the related work. In Sect. 3, some preliminaries are given. In Sect. 4, the system model and design goals are presented. In Sect. 5, our scheme is stated. In Sect. 6, the security analysis is given. In Sect. 7, the paper is concluded.

2 Related Work

Existing data aggregation schemes share a common concern: an individual user's privacy-sensitive data should not be exposed. The common solutions for realizing data aggregation include homomorphic encryption [8] and data obfuscation [9]. However, selecting the parameters in data obfuscation is a difficult task, so homomorphic encryption has been widely used. Existing schemes use homomorphic encryption to encrypt users' privacy-sensitive data, and edge nodes such as gateways in the Energy Internet can aggregate all users' data without decryption. Przydatek et al. propose a specific framework for secure data aggregation in a distributed energy environment; although this framework provides efficient data aggregation, its data privacy still needs to be improved. To address the individual user privacy issue in data aggregation, Shi et al. [10] propose a scheme to aggregate time-series data, which allows a group of collection devices to upload encrypted user data to the aggregator periodically and aggregates the data without disclosing any information. A homomorphic hash function [11] has been used to authenticate the SM and CC. In [12], Lu et al. propose an efficient and privacy-preserving aggregation scheme (EPPA) based on homomorphic multidimensional data encryption, which realizes multidimensional data aggregation. On this basis, Chen et al. [13] try to use third parties to achieve fault tolerance in data aggregation, but the obvious disadvantage is that the security of the third party is difficult to guarantee. Shi et al. [14] propose the DG-APED scheme, which resolves the problems caused by malfunctioning SMs: it aggregates the data by groups and drops the group that contains the damaged SM. However, the error rate is not ideal, and searching for the damaged member incurs extra computational cost.
Work [15] is committed to achieving efficient data aggregation, but the cost of realizing fault tolerance is still too high, and there is still room for improvement. Work [16] is proposed to realize differential privacy in aggregation schemes. Wang et al. [17] propose a traceable privacy-protection and precise incentive scheme for electric vehicles in the smart grid, using a restrictive partially blind signature technique and pseudonyms in V2G (vehicle-to-grid) networks to achieve traceability of malicious users. Several other papers (e.g., [18,19,20,21,22,23,24]) have studied related security and network issues.

3 Preliminaries

3.1 Bilinear Maps

Let \( G_{0} \) and \( G_{1} \) be two multiplicative cyclic groups of prime order \( p \), and let \( g \) be a generator of \( G_{0} \). A bilinear map is a map \( e:G_{0} \times G_{0} \to G_{1} \) with the following properties, for all \( a,b \in \mathbb{Z}_{p} \):

Bilinearity: \( \forall u,v \in G_{0} ,\; e(u^{a} ,v^{b} ) = e(u,v)^{ab} \)

Non-degeneracy: \( e(g,g) \ne 1 \)

Symmetry: \( e(g^{a} ,g^{b} ) = e(g,g)^{ab} = e(g^{b} ,g^{a} ) \)

3.2 Elliptic Curve Cryptography (ECC)

The elliptic curve cryptography (ECC) algorithm [25, 26] was proposed by Koblitz and Miller in 1985. Define an elliptic curve \( E \) over a field \( GF(q) \). The rational points \( (x,y) \) form an Abelian group \( E(q) \). The elliptic curve equation \( E \) is defined as

$$ y^{2} + a_{1} xy + a_{2} y = x^{3} + a_{3} x^{2} + a_{4} x + a_{6} $$

The set \( E(K) \) of points on the elliptic curve that satisfy the equation, together with the point at infinity, is expressed as:

$$ E(K) = \{ (x,y) \in K^{2} \mid y^{2} + a_{1} xy + a_{2} y = x^{3} + a_{3} x^{2} + a_{4} x + a_{6} \} \cup \{ 0\} $$

3.3 Complexity Assumptions

Definition 1.

The security of ECC is based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP).

That is, given a base point on the elliptic curve and an integer, it is easy to compute the corresponding multiple of the point, but it is very difficult to derive the integer from the base point and the resulting point; there is no polynomial-time algorithm that solves it. This is the elliptic curve discrete logarithm problem, which provides the security of ECC-based encryption algorithms.

Definition 2. Bilinear Diffie-Hellman (BDH) Problem.

The Bilinear Diffie-Hellman (BDH) problem in G is as follows: given \( (P,aP,bP,cP) \) with \( a,b,c \in Z_{q}^{*} \), calculate \( \omega = e(P,P)^{abc} \in G_{2} \), where \( e \) is a bilinear mapping, \( P \) is a generator of \( G_{1} \), and \( G_{1} \), \( G_{2} \) are two groups of prime order \( q \). Let \( A \) be an algorithm for solving the BDH problem. \( A \) has advantage \( \tau \) if \( \Pr [A(P,aP,bP,cP) = e(P,P)^{abc} ] \ge \tau \).

There is no efficient algorithm to solve the BDH problem, so it can be assumed that the BDH problem is a difficult problem.

3.4 BDH-Based IBE (Identity-Based Cryptosystem)

The IBE [25] algorithm consists of four steps:

Step 1. System initialization:

Let \( k \in Z^{+} \) be a security parameter. Run the BDH parameter generation algorithm \( g \) to output a prime number \( q \), two groups \( G_{1} \), \( G_{2} \) of order \( q \), and a bilinear mapping \( e:G_{1} \times G_{1} \to G_{2} \). Select a random generator \( P \in G_{1} \) and a random \( s \in Z_{q}^{*} \), and calculate \( P_{pub} = sP \). Select a hash function \( H_{1} :\{ 0,1\}^{*} \to G_{1}^{*} \) and, for some \( n \), another hash function \( H_{2} :G_{2} \to \{ 0,1\}^{n} \). The message space is \( \text{M} = \{ 0,1\}^{n} \) and the ciphertext space is \( \text{C} = G_{1}^{*} \times \{ 0,1\}^{n} \). The system parameters \( \text{params} = \langle q,G_{1} ,G_{2} ,e,n,P,P_{pub} ,H_{1} ,H_{2} \rangle \) are public; \( s \) is the master key and is kept confidential.

Step 2. Encryption:

The identity ID of the recipient is used as the public key. To encrypt \( M \in \text{M} \), calculate \( Q_{ID} = H_{1} (ID) \in G_{1}^{*} \), choose a random number \( r \in Z_{q}^{*} \), and generate the ciphertext:

$$ C = \langle rP,\; M \oplus H_{2} (\text{g}_{ID}^{r} ) \rangle ,\quad \text{g}_{ID} = e(Q_{ID} ,P_{pub} ) \in G_{2}^{*} \tag{1} $$

Step 3. Key generation:

For a given bit string \( \text{ID} \in \{ 0,1\}^{*} \), calculate \( Q_{ID} = H_{1} (ID) \in G_{1}^{*} \), then calculate the secret key \( d_{ID} = sQ_{ID} \), where \( s \) is the master key.

Step 4. Decryption:

Given a ciphertext \( C = \langle U,V \rangle \in \text{C} \), use \( d_{ID} \) to calculate

$$ V \oplus H_{2} (e(d_{ID} ,U)) = M \tag{2} $$

which yields the plaintext \( M \).

3.5 BGN (Boneh-Goh-Nissim) Cryptosystem

Step 1. Key generation:

Given the security parameter \( \kappa \), composite bilinear parameters \( (p,q,\mathbb{G},\mathbb{G}_{1},e) \) are generated by \( \varsigma (\kappa ) \), where \( N = pq \), \( p \) and \( q \) are two \( \kappa \)-bit prime numbers, and \( g \in \mathbb{G} \) is a generator of order \( N \). Set \( h = g^{q} \); then \( h \) is a random generator of the subgroup of \( \mathbb{G} \) of order \( p \). The public key is \( PK = (N,\mathbb{G},\mathbb{G}_{1},e,g,h) \), and the corresponding private key is \( SK = p \).

Step 2. Encryption:

We assume the message space consists of integers in the set \( \{ 0,1, \ldots ,W\} \) with \( W \ll q \). To encrypt a message \( m \), we choose a random number \( r \in \mathbb{Z}_{N} \) and compute the ciphertext:

$$ c = E(m,r) = g^{m} \cdot h^{r} \in \mathbb{G} \tag{3} $$

Step 3. Decryption:

Given the ciphertext \( c = E(m,r) = g^{m} h^{r} \in \mathbb{G} \), the corresponding message can be recovered with the private key \( SK = p \):

$$ c^{p} = (g^{m} \cdot h^{r} )^{p} = (g^{p} )^{m} \tag{4} $$

Let \( g^{*} = g^{p} \). To recover \( m \), it suffices to compute the discrete log of \( c^{p} \) base \( g^{*} \). Since \( 0 \le m \le T \), the expected time is around \( O(\sqrt T ) \) when using Pollard's lambda method [26].

4 Models and Goals

4.1 System Model

In this section, we propose an IBE-based Device Traceable Privacy-Preserving Aggregation Scheme for the Energy Internet. The system model, shown in Fig. 3, is mainly composed of the CC, the TCA (Trusted Third Party), edge nodes such as GWs, and a variety of users in the RA.

Fig. 3. System model

  • User: We divide all the users into distributed energy providers, energy consumers and electric vehicle users. They all need to upload their real-time data through SMs to the control center for energy optimization. As the real-time data is related to user privacy, the data must be encrypted by the SM before it is sent to the CC.

  • GW (gateway): Responsible for collecting the encrypted data sent by SMs in the RA, calculating the aggregation of real-time data by running the homomorphic algorithm, and uploading the sum to the control center. It is also responsible for verifying the integrity of the data aggregation and for encrypting the aggregated data with IBE. In order to improve the efficiency of the system, the user selects the nearest available GW in the RA.

  • TCA (Trusted Third Party): Responsible for initializing the SM, GW and CC to generate keys and system parameters, for generating dynamic IDs for the GWs in the RA and for the CC, and for CC authentication.

  • CC (Control Center): Acquires the summary of real-time data from the GW. With these data, the CC can get the trend of power consumption and create the power generation plan or dynamic price immediately. In order to improve the efficiency of the Energy Internet, different regions set up different CCs.

4.2 IBE-DTPPA Scheme Procedure

The procedure of the IBE-DTPPA scheme has the following four steps:

Step 1. User data request and encryption:

(1) When the CC sends a data request in the RA, or when users' data is collected periodically (every 15 min), the TCA is initialized to generate the encryption parameters for the SM and GW. (2) The SM encrypts the current data with BGN and transfers it to the nearest available GW in the RA.

Step 2. Data aggregation and aggregation integrity verification:

(1) When the GW receives encrypted data from users in the RA, it aggregates the data and the users' random numbers. (2) The aggregation integrity of the user data in the RA is verified by the random number aggregation.

Step 3. Secondary encryption:

If the data is successfully aggregated, the GW re-encrypts the aggregate with IBE encryption, choosing the CC's dynamic ID as the public key and calculating the ciphertext based on the GW's ID. This realizes real-time authentication of the CC and traceability of a malicious GW. The ciphertext is forwarded to the CC.

Step 4. Decryption and GW traceability:

If the authentication of the CC succeeds, the CC obtains decryption permission and gets the aggregation data of the RA. If the CC doubts the authenticity of the aggregation data and wants to trace its source, the GW responsible for the data aggregation is traced. If the GW is found to be destroyed or controlled by the adversary, the malicious GW is isolated and replaced in time by other available GWs in the RA.

4.3 Adversary Model

We assume that the SM installed on the user side is a trusted device. The communication channel is not secure, and an adversary may eavesdrop on it. The GW is vulnerable to being controlled or destroyed by the adversary. The CC is not fully credible: it will not take the initiative to disclose user information, but the adversary will use the CC's identity fraudulently to steal users' data, which brings privacy and security threats to users.

4.4 Design Goals

Considering the above, our design goals can be divided into three aspects.

  (1) Privacy-preserving: users' data in the RA is inaccessible to any other users. The outside adversary, the GW and the CC should not acquire the real-time data of users even if they try to conspire with each other.

  (2) Target GW traceable: the aggregation data is encrypted with the IBE Cryptosystem, and the ciphertext is calculated from the GW's dynamic ID. When the CC wants to trace the source of the aggregation data, the target GW can be traced efficiently.

  (3) CC authentication and aggregation integrity verification: to prevent the adversary from fraudulently using the CC's identity, the CC's dynamic ID is used as the IBE public key to realize real-time authentication of the CC. To ensure the accuracy of data collection in the RA, random number aggregation is used to verify the integrity of the user data aggregation in the RA with the BGN Cryptosystem.

5 IBE-DTPPA Scheme

5.1 System Initialization

(1) Device dynamic identity generation

To achieve real-time authentication of the CC and to prevent the adversary from tracing the data owner through a fixed GW ID, our scheme updates the dynamic IDs of the GW and the CC, \( \text{ID}_{G_{i}} \) and \( \text{ID}_{\text{C}_{i}} \), within a short period; the update is performed by the TCA. The update period is bounded by the number of calculations performed for RA data collection, for example the number of GW calculations \( \text{Times}_{\text{GW}} \) (\( \text{Times}_{\text{GW}} \le 50 \)) and of CC calculations \( \text{Times}_{\text{CC}} \) (\( \text{Times}_{\text{CC}} \le 100 \)); the TCA updates the ID of a device when the threshold is reached.

(2) System parameter generation

Step 1. The TCA runs \( \text{Gen}_{1}(k) \) to generate the parameters used for the BDH-based IBE Cryptosystem: given the security parameter \( k \in Z^{+} \), it calculates a prime number \( q_{IBE} \), groups \( G_{1} \), \( G_{2} \) of order \( q_{IBE} \), and a bilinear map \( e:G_{1} \times G_{1} \to G_{2} \). It selects a random generator \( P \in G_{1} \) and a random number \( s \in Z_{q}^{*} \), calculates \( \text{PK}_{IBE} = sP \), and selects hash functions \( H_{1} :\{ 0,1\}^{*} \to G_{1}^{*} \) and \( H_{2} :G_{2} \to \{ 0,1\}^{n} \). The public parameters are \( \text{par}_{IBE} = \langle q_{IBE} ,G_{1} ,G_{2} ,e,n,P,P_{pub} ,H_{1} ,H_{2} \rangle \).

Step 2. Run \( \text{Gen}_{2}(k) \) to generate the parameters required for the BGN Cryptosystem, \( (p,q,G) \), where \( p,q \) are two prime numbers. Select random elements \( g \in G \), \( x \in G \), and calculate \( h = x^{q} \), \( \text{PK}_{BGN} = (N,G,g,h) \), \( \text{SK}_{BGN} = p \).

Step 3. To achieve aggregation integrity verification, when the data of the RA users \( U = \{ U_{1},U_{2}, \ldots ,U_{n}\} \) (assigned to the same GW) is encrypted with BGN, the TCA generates a system random number \( r_{s} \) for the RA users and calculates the random number of each user from the system random number:

$$ (r_{1} + r_{2} + \ldots + r_{n}) = r_{s} \bmod p \tag{5} $$

The TCA sends a different random number \( r_{i} \) to each user in the RA for encryption.

The parameter generation process is shown in Fig. 4.

Fig. 4. System initialization

5.2 User Data Encryption

(1) SM (Smart Meter)

User \( U_{i} \) in \( RA_{j} \) collects the user's data \( d_{i} \) periodically (every 15 min) through the SM and encrypts \( d_{i} \) with the BGN Cryptosystem using the user's random number \( r_{i} \): according to formula (3), it calculates \( C_{BGNi} = g^{d_{i}} h^{r_{i}} \).

After the encryption process, to prevent the attacker from listening at the target GW and to increase the efficiency of the system, the TCA randomly chooses the nearest available GW in \( RA_{j} \) for the users to aggregate data. The SM then forwards \( C_{BGNi} \) to the chosen GW.

(2) GW (Gateway)

Upon receiving all the encrypted data from the SMs, \( GW_{a} \) aggregates all the data by:

$$ \begin{aligned} \text{C}_{Ua_{j}} & = \prod\nolimits_{i = 1}^{n} C_{BGNi} \\ & = g^{d_{1}} h^{r_{1}} \cdot g^{d_{2}} h^{r_{2}} \cdots g^{d_{n}} h^{r_{n}} \\ & = g^{\sum\nolimits_{i = 1}^{n} d_{i}} h^{\sum\nolimits_{i = 1}^{n} r_{i}} \\ & = g^{\sum\nolimits_{i = 1}^{n} d_{i}} h^{r_{s}^{\prime}} \end{aligned} \tag{6} $$

After aggregating the data, \( GW_{a} \) aggregates the users' random numbers \( r_{i} \) and compares the result with the system random number \( r_{s} \): \( \sum\nolimits_{i = 1}^{n} r_{i} \mathop{=}\limits^{?} r_{s} \). If the equation holds, the aggregation is successful; otherwise, the GW directly abandons the data and sends a data request to the CC again, which increases the reliability of the system strategy and reduces the overhead that erroneous aggregation data causes for the system.
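The BGN encryption, aggregation and decryption of Sect. 3.5 and Sect. 5.2 (formulas (3) to (6)), with the TCA's random-number split of formula (5), as an added Python example that is not code from the paper. It assumes a toy order-\( N \) subgroup of \( \mathbb{Z}_{M}^{*} \) built from tiny primes in place of the pairing group, uses baby-step giant-step in place of Pollard's lambda method, and all function names and meter readings are constructed for illustration.

```python
import math
import secrets

def is_prime(n):
    """Trial division; adequate for the toy parameter sizes used here."""
    return n > 1 and all(n % f for f in range(2, math.isqrt(n) + 1))

def keygen(p=1009, q=10007):
    """Toy stand-in for Gen_2: an order-N subgroup of Z_M^*, N = p*q.
    No pairing is built, since aggregation only uses the group law."""
    N = p * q
    k = 2
    while not is_prime(k * N + 1):        # prime modulus M with N | M - 1
        k += 1
    M = k * N + 1
    x = 2
    while True:                           # search for g of order exactly N
        g = pow(x, (M - 1) // N, M)
        if pow(g, p, M) != 1 and pow(g, q, M) != 1:
            break
        x += 1
    h = pow(g, q, M)                      # h generates the order-p subgroup
    return {"M": M, "N": N, "g": g, "h": h}, p    # (PK_BGN, SK_BGN = p)

def split_randomness(n_users, r_s, p):
    """TCA side, Eq. (5): non-zero r_i with r_1 + ... + r_n = r_s (mod p)."""
    while True:
        shares = [1 + secrets.randbelow(p - 1) for _ in range(n_users - 1)]
        last = (r_s - sum(shares)) % p
        if last:
            return shares + [last]

def encrypt(pk, d, r):
    """SM side, Eq. (3): c = g^d * h^r."""
    return pow(pk["g"], d, pk["M"]) * pow(pk["h"], r, pk["M"]) % pk["M"]

def aggregate(pk, ciphertexts):
    """GW side, Eq. (6): the product of the reports encrypts their sum."""
    return math.prod(ciphertexts) % pk["M"]

def randomness_matches(shares, r_s, p):
    """Check of Sect. 5.2. Assumption: the page does not say how the GW
    obtains the r_i, so the TCA's values are passed in directly."""
    return sum(shares) % p == r_s % p

def decrypt(pk, sk, c, bound):
    """CC side, Eq. (4): c^p = (g^p)^m, then find m in [0, bound].
    Baby-step giant-step is used instead of the Pollard lambda method
    named in the text; both take about sqrt(bound) group operations."""
    M = pk["M"]
    target, base = pow(c, sk, M), pow(pk["g"], sk, M)
    m = math.isqrt(bound) + 1
    baby, val = {}, 1
    for j in range(m):                    # baby steps: base^j
        baby.setdefault(val, j)
        val = val * base % M
    giant = pow(base, -m, M)              # base^(-m)
    for i in range(m + 1):                # giant steps: target * base^(-i*m)
        if target in baby:
            return i * m + baby[target]
        target = target * giant % M
    raise ValueError("sum lies outside [0, bound]")

def demo():
    pk, sk = keygen()
    readings = [37, 120, 5, 88]           # constructed 15-minute readings d_i
    r_s = 1 + secrets.randbelow(sk - 1)
    shares = split_randomness(len(readings), r_s, sk)
    reports = [encrypt(pk, d, r) for d, r in zip(readings, shares)]
    total = decrypt(pk, sk, aggregate(pk, reports), bound=800)
    complete = randomness_matches(shares, r_s, sk)
    one_missing = randomness_matches(shares[:-1], r_s, sk)
    return total, complete, one_missing

if __name__ == "__main__":
    print(demo())
```

The aggregate decrypts to the sum only while that sum stays below the order \( q \) of \( g^{p} \), which is the role of the bound \( W \ll q \) in Sect. 3.5.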

5.3 Secondary Encryption

To achieve traceability of the GW device and increase the security of the CC, the IBE-DTPPA scheme encrypts the aggregation data with the IBE Cryptosystem. We use the CC's dynamic ID as the public key and calculate the ciphertext with the GW's dynamic ID as the random number. This secondary encryption of the aggregation data increases data security, provides real-time identity authentication of the CC to ensure that the CC's identity is not used fraudulently, and allows the target GW to be traced efficiently. The process is as follows:

When the GW requests the secondary encryption of the aggregated data, the TCA generates the public parameters \( \text{par}_{IBE} \) for the IBE encryption and sends the GW dynamic ID \( \text{ID}_{g_{a}} \), the CC dynamic ID \( \text{ID}_{\text{C}_{i}} \) and the public parameters \( \text{par}_{IBE} \) to the target GW. The TCA calculates the public key based on \( \text{ID}_{\text{C}_{i}} \), and the ciphertext \( C^{\prime} \) is calculated by IBE encryption. The current time stamp \( TS_{t} \) is set in order to prevent replay attacks. To ensure the integrity of the message, we select the hash function \( H_{2} :G_{2} \to \{ 0,1\}^{n} \) to generate a message digest \( \delta \), and the GW sends it with \( TS_{t} \) and \( C^{\prime} \) to the CC.

Step 1. Calculate \( Q_{\text{ID}_{\text{C}_{i}}} = H_{1} (\text{ID}_{\text{C}_{i}}) \in G_{1}^{*} \).

Step 2. The GW dynamic identity information \( \text{ID}_{g_{i}} \in \text{Z}_{q}^{*} \) is taken as the random number.

Step 3. According to formula (1), calculate the ciphertext:

$$ C^{\prime} = \langle \text{ID}_{g_{a}}P,\; g^{\sum\nolimits_{i = 1}^{n} d_{i}} h^{r^{\prime}} \oplus H_{2}(g_{\text{ID}_{g_{a}}}^{\text{ID}_{g_{a}}} ) \rangle \tag{7} $$

Step 4. Calculate \( \delta = H_{2} (C^{\prime}) \) and send \( \{ \delta = H_{2} (C^{\prime}),C^{\prime},TS_{t} \} \) to the target CC.

5.4 Data Decryption and Devices Traceability

(1) CC Authentication

After receiving \( \{ \delta = H_{2} (C^{\prime}),C^{\prime},TS_{t} \} \), the CC verifies whether \( H_{2} (C^{\prime}) \mathop{=}\limits^{?} \delta \). If it holds, the message has not been tampered with; otherwise the data request is sent again to the users in \( RA_{j} \). The CC then verifies whether the aggregated data is usable by checking \( TS_{t} \), and sends a data decryption request to the TCA, as follows:

Step 1. The TCA authenticates the CC's current identity and generates the key: \( Q_{\text{ID}_{\text{C}_{i}}} = H_{1}(\text{ID}_{\text{C}_{i}}) \in G_{1}^{*} \), \( SK_{IBE} = d_{ID_{\text{C}_{i}}} = sQ_{ID_{\text{C}_{i}}} \). When the verification is successful, it sends \( sQ_{ID_{\text{C}_{i}}} \) to the CC.

Step 2. Decrypt \( C^{\prime} = \langle \text{ID}_{g_{i}}P,\; g^{\sum\nolimits_{i = 1}^{n} d_{i}} h^{r^{\prime}} \oplus H_{2}(g_{\text{ID}_{g_{i}}}^{\text{ID}_{g_{i}}} ) \rangle \) with the IBE Cryptosystem, according to formula (2):

$$ \begin{aligned} \text{C}_{Ua_{j}} & = g^{\sum\nolimits_{i = 1}^{n} d_{i}} h^{r^{\prime}} \oplus H_{2}\left( g_{\text{ID}_{g_{i}}}^{\text{ID}_{g_{i}}} \right) \\ & \quad \oplus H_{2} (e(sQ_{\text{ID}} ,\text{ID}_{g_{i}}P)) \\ & = g^{\sum\nolimits_{i = 1}^{n} d_{i}} h^{r^{\prime}} \end{aligned} \tag{8} $$

The IBE Cryptosystem thus yields \( ID_{G_{i}}P \) and \( \text{C}_{Ua_{j}} \).

Step 3. Decrypt \( \text{C}_{Ua_{j}} \) with the secret key \( \text{SK}_{BGN} = p \) of the BGN Cryptosystem:

$$ \begin{aligned} C^{SK_{BGN}} & = \left( g^{\sum\nolimits_{i = 1}^{n} d_{i}} h^{r^{\prime}} \right)^{p} = g^{p\sum\nolimits_{i = 1}^{n} d_{i}} x^{Nr^{\prime}} \\ & = g^{p\sum\nolimits_{i = 1}^{n} d_{i}} e^{r^{\prime}} \\ & = (g^{p} )^{\sum\nolimits_{i = 1}^{n} d_{i}} \end{aligned} \tag{9} $$

To recover \( \sum\nolimits_{i = 1}^{n} d_{i} \), it suffices to compute the discrete log of \( c^{p} \) base \( g^{*} \). Since \( 0 \le d \le T \), the CC can get the sum of users' data \( \sum\nolimits_{i = 1}^{n} d_{i} \) in expected time \( O(\sqrt {nT} ) \) using Pollard's lambda method [26].

(2) Target GW Device Traceability

If the CC doubts the authenticity of the aggregation data and wants to trace its source, the GW responsible for the data aggregation is traced. The CC sends \( ID_{\text{G}_{i}}P \), taken from the IBE ciphertext \( C^{\prime} \), to the TCA. The TCA calculates the target GW's dynamic ID \( ID_{\text{G}_{i}} \) based on the public parameter \( P \) and traces the target GW by \( ID_{\text{G}_{i}} \). If the TCA finds that the GW is destroyed or controlled by the adversary, the malicious GW is isolated and replaced in time by other available GWs in the RA.
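The paper does not say how the TCA computes \( ID_{\text{G}_{i}} \) from \( ID_{\text{G}_{i}}P \); since recovering a scalar from a point is the ECDLP of Definition 1, this added Python example (not code from the paper) assumes the TCA keeps a table of the points for the dynamic IDs it issued, rotates an ID at the use threshold of Sect. 5.1, and keeps rotated entries so that older ciphertexts remain traceable. The toy group, the class `TCARegistry`, its methods and the device names are hypothetical.

```python
import secrets

# Constructed toy group standing in for G_1: the point ID*P is modelled as
# G^ID mod M, with M = 2*Q + 1 prime and G of prime order Q.
M, Q, G = 2039, 1019, 4

def point_of(dyn_id):
    """Stand-in for the scalar multiplication ID*P."""
    return pow(G, dyn_id, M)

class TCARegistry:
    """Issues dynamic IDs, rotates them at a use threshold, and traces."""

    def __init__(self, threshold=50):      # Times_GW <= 50 in Sect. 5.1
        self.threshold = threshold
        self.current = {}                  # device -> [dynamic ID, uses]
        self.issued = {}                   # ID*P -> (device, epoch)
        self.epochs = {}                   # device -> number of IDs issued

    def _issue(self, device):
        while True:                        # never hand out an ID twice
            dyn_id = 1 + secrets.randbelow(Q - 1)
            if point_of(dyn_id) not in self.issued:
                break
        epoch = self.epochs.get(device, 0) + 1
        self.epochs[device] = epoch
        self.current[device] = [dyn_id, 0]
        self.issued[point_of(dyn_id)] = (device, epoch)

    def id_for_use(self, device):
        """Dynamic ID for one aggregation; a new one once the limit is hit."""
        entry = self.current.get(device)
        if entry is None or entry[1] >= self.threshold:
            self._issue(device)
            entry = self.current[device]
        entry[1] += 1
        return entry[0]

    def trace(self, point):
        """Resolve U = ID*P from a ciphertext to (device, epoch), or None."""
        return self.issued.get(point)

def demo():
    tca = TCARegistry(threshold=3)         # small limit to show a rotation
    ids = [tca.id_for_use("GW-a") for _ in range(4)]
    other = tca.id_for_use("GW-b")
    return (ids[0] == ids[1] == ids[2], ids[3] != ids[0],
            tca.trace(point_of(ids[0])), tca.trace(point_of(ids[3])),
            tca.trace(point_of(other)))

if __name__ == "__main__":
    print(demo())
```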

6 Security Analysis

In this section, we analyze the security properties of the proposed IBE-DTPPA scheme. In particular, following the security requirements discussed earlier, our analysis focuses on how the IBE-DTPPA scheme achieves the privacy of individual user data in the RA, the authentication of the CC and the verification of data aggregation, and the efficient tracing of a suspicious GW.

(1) The individual user's data is privacy-preserving in the proposed IBE-DTPPA scheme

In the proposed IBE-DTPPA scheme, the data \( (d_{1} ,d_{2} , \ldots ,d_{i} ) \) of user \( U_{i} \) in the RA, sensed by SMs, is encrypted as \( C_{BGNi} = g^{d_{i}} h^{r_{i}} \) by the BGN cryptosystem. Since the BGN cryptosystem is provably secure against chosen-plaintext attack based on the subgroup decision assumption, the data \( (d_{1} ,d_{2} , \ldots ,d_{i} ) \) in \( C_{BGNi} \) is also semantically secure and privacy-preserving. Therefore, even if the adversary \( \mathcal{A} \) eavesdrops on \( C_{BGNi} \), he still cannot identify the corresponding contents. After collecting all reports \( (C_{BGN1} ,C_{BGN2} , \ldots ,C_{BGNi} ) \) from the RA, the GW does not recover each user's data; instead, it just computes \( \text{C}_{Ua_{j}} = \prod\nolimits_{i = 1}^{n} C_{BGNi} \) to perform report aggregation. Therefore, even if the adversary \( \mathcal{A} \) intrudes into the GW's database, he cannot get the individual reports \( (d_{1} ,d_{2} , \ldots ,d_{i} ) \) either. Finally, after receiving \( \text{C}_{Ua_{j}} = \prod\nolimits_{i = 1}^{n} C_{BGNi} \) from the GW, the CC recovers \( \text{C}_{Ua_{j}} \) as \( D_{j} = \sum\nolimits_{i = 1}^{n} d_{i} \). However, since \( D_{j} \) is an aggregated result, even if the adversary \( \mathcal{A} \) steals the data, he still cannot get the individual user \( U_{i} \)'s data \( (d_{1} ,d_{2} , \ldots ,d_{i} ) \). Therefore, from the above three aspects, the individual user's report is privacy-preserving in the proposed IBE-DTPPA scheme.

(2) The authentication of CC and the security of aggregation data can be guaranteed in IBE-DTPPA scheme

(1) In the proposed IBE-DTPPA scheme, each individual user's data is encrypted by the BGN cryptosystem and the aggregated report is encrypted by the IBE Cryptosystem. By choosing the CC's dynamic ID \( \text{ID}_{\text{C}_{i}} \) as the public key and encrypting the aggregation data to generate \( \text{C}_{Ua_{j}}^{\prime} \) with the IBE Cryptosystem, the CC's identity authentication can be realized. Since \( \text{ID}_{\text{C}_{i}} \) is updated aperiodically by the TCA, the adversary \( \mathcal{A} \) cannot get the CC's current ID, which prevents the adversary \( \mathcal{A} \) from using the CC's identity fraudulently.

(2) The GW sends the message \( M = \{ \delta ,C^{\prime},TS_{t} \} \), \( \delta = H_{2} (C^{\prime}) \), to the CC, where \( \delta \) is the digest of the hash function \( H_{2} :G_{2} \to \{ 0,1\}^{n} \) in the random oracle model and \( C^{\prime} \) is a valid ciphertext of the IBE Cryptosystem. In the IBE-DTPPA scheme, the IBE Cryptosystem is based on the ECC (elliptic curve cryptography) algorithm, which relies on the assumption that the ECDLP problem is hard, and IBE is semantically secure against chosen-plaintext attack under the assumption that the BDH problem is hard. Therefore, \( M = \{ \delta ,C^{\prime},TS_{t} \} \) is semantically secure against chosen-plaintext attack based on the IBE Cryptosystem and the random oracle model. As a result, the authentication of the CC's identity can be realized, the adversary \( \mathcal{A} \) in the Energy Internet cannot fraudulently use the CC's identity to steal users' data, and the security of the ciphertext encrypted by the IBE Cryptosystem can be guaranteed in the IBE-DTPPA scheme.

(3) Target GW in the Energy Internet can be traced efficiently in IBE-DTPPA scheme

After the CC's authentication is successful, the CC recovers the aggregated data \( D_{j} \) in \( RA_{i} \) from \( \text{C}_{Ua_{j}}^{\prime} \). If the CC doubts the authenticity of the aggregation data and wants to trace its source, the CC sends \( ID_{\text{G}_{i}}P \) in \( \text{C}_{Ua_{j}}^{\prime} \) to the TCA to trace the target GW responsible for the data aggregation. The TCA calculates the GW's dynamic ID \( ID_{\text{G}_{i}} \) based on the public parameter \( P \), and the GW is traced efficiently. If the GW is found to be destroyed or controlled by the adversary, the malicious GW is isolated and replaced in time by other available GWs in the RA. As a result, the adversary \( \mathcal{A} \) in the Energy Internet cannot control any GW to transmit erroneous aggregated data, thus improving the CA's system strategic-making reliability.

7 Conclusion

In this paper, we proposed the IBE-DTPPA scheme, an IBE-based Device Traceable Privacy-Preserving Aggregation Scheme. It realizes: (1) the traceability of the target GW device; (2) real-time authentication of the CC, preventing the adversary from using the CC's identity fraudulently; (3) data aggregation integrity verification, ensuring the accuracy of system decision-making while creating the power generation plan or dynamic price immediately. We also provide a security analysis to demonstrate its security. For future work, we will work on resolving fault tolerance in the GW and deepen the IBE-DTPPA scheme.