An Efficient Data Aggregation Scheme for Privacy-Friendly Dynamic Pricing-Based Billing and Demand-Response Management in Smart Grids

Smart grids take advantage of information and communication technologies to achieve energy efficiency, automation, and reliability. These systems allow two-way communications and power flow between the grid and consumers. However, these bidirectional communications introduce several security and privacy threats to consumers. One of the open challenges in this context is user privacy when smart meters (SMs) are used to capture fine-grained energy usage information. Although considerable research has been carried out in this direction, most of the existing solutions invariably introduce computational complexity and overhead, which makes them infeasible for resource constrained SMs. In this paper, we propose a privacy-friendly and efficient data aggregation scheme for dynamic pricing-based billing and demand-response management in smart grids. To the best of our knowledge, this is the first paper to address privacy in the context of billing under dynamic electricity pricing. Security and performance analyses show that the proposed scheme offers better privacy protection for electric meter reading aggregation and computational efficiency, as compared to existing schemes.


I. INTRODUCTION
Smart-grids represent the next generation of power grids which use extensive monitoring and measurements to manage the operation of the grid, and achieve greater efficiency and cost reduction.The combined volatility of both power supply (e.g. with renewables) and power demand creates a growing problem that needs to be resolved by smart grids.To enable the envisioned energy management in smart grids, information on current power consumption and the availability of power needs to be exchanged between power consumers and power suppliers.Hence, smart grids need a framework of interconnected smart monitoring and measurement devices.Besides, with the recent development in smart grids, many endeavours have started to introduce the Internet of Things (IoT) as an enabling technology for smart grids since each device in the grid can be considered as a connected object [1].In this regard, devices in the smart grid such as smart meters act as IoT devices that autonomously report their data to the grid infrastructure by using information and communication technology (ICT).However, this interconnection of grid technology with information and communication technologies leads to various security challenges in a power grid [2].A key challenge and major obstacle in the widespread deployment of smart grids is privacy, which is a primary concern from the customer's point of view.
In general, for pricing and feedback purposes, a smart grid relies heavily on the usage of a smart metering infrastructure.For instance, smart meter data is useful for load forecasting, demand-response management, and dynamic pricing.However, the recording and transmission of power consumption profiles may cause serious privacy issues.For example, finegrained power consumption data of a smart meter can be exploited for revealing a consumer's private information related to their daily routines or the appliances in the house.This can lead to personalized advertisements or be used extract information on when a house is empty.In [2], it is shown that complex usage patterns can be extracted from the highresolution consumption information using simple off-the-shelf statistical tools, and the extracted information can be used to profile and monitor users for various purposes.Thus, energy usage data must be protected for privacy in a smart grid.Furthermore, the computational resources at the consumer's side are usually very limited.Solutions for preserving user privacy should thus be computationally inexpensive.

A. Related Work
In order to address the privacy issues, several privacypreserving data aggregation protocols have been proposed in recent years.Lu et al. designed a privacy-preserving data aggregation protocol [3] by using the Paillier homomorphic crypto-system [4], which results in a high computation overhead on the entities like smart meters.Liang et al. proposed a usage-based dynamic pricing scheme for smart grids [5] by using the fully homomorphic technique devised by Naehring et al. [6].As fully homomorphic techniques are difficult to implement with current computing resources, this scheme is impractical.Chia-Mu et al. [7] introduced a ring signature based scheme to protect usage profiles.However, its computational cost increases with the size of the ring.In [8], a mesh-networkbased privacy-preserving data aggregation scheme has been proposed using elliptic curve cryptography (ECC).However, this scheme requires higher setup and computation cost.Zhang et al. have proposed a self-certified signature scheme [9] and Sui et al. have designed an incentive-based anonymous authentication scheme [10].These are constructed with the assumption of an anonymity network, where the sources of usage reports are anonymous.Therefore, it is hard to identify any smart meter or communication failure.Li et al. introduced a different technique for data aggregation in smart grids in a hop-by-hop way [11], [12].But it is still unclear how to construct the aggregation tree, and how to ensure aggregation in case of failure.Besides, the public key signatures used in these schemes result in higher computational cost.Apart from the schemes above, there are few more data aggregation protocols that have been introduced in recent years [13], [14], [15], [16].In [13] a discrete logarithm problem (DLP)-based data aggregation scheme is introduced, in which the authors allows a substation to access private data using a shared key.Hence, this scheme cannot ensure strong privacy.In [14], Kursawe et al. suggested a set of masking-based schemes for privacy in smart grids.In their schemes, the authors utilized the concept of Decisional Diffie-Hellman (DDH) group and Bilinear mapping for checking the correctness of the shared masking value, which are computationally expensive and illsuited for resource constrained smart meters.Knirsch et al. have also proposed a masking-based approach for data aggregation [15].Their scheme utilizes the concept of homomorphic hashing for checking the correctness of the shared secrets.However, this construction has a couple of issues.First, it is complicated to implement and computationally expensive to execute.Second, it cannot ensure security of the hashed data, and an attacker can compute the original message block by taking the logarithm of the hash for that block.In [16] a Paillier homomorphic encryption based data aggregation protocol is proposed.However, in the proposed scheme, the usage reports transmitted by each smart meter SM i reveals it's identity ID SMi , which is fixed for all transactions.Therefore, an adversary can easily understand that the usage data is from the same consumer's end and can easily link the ID SMi to an actual user.Thus, the scheme presented in [16] cannot ensure anonymity of a consumer.Mohammed et al. have proposed a multi-hop based data aggregation scheme [17].However, in their scheme the usage report is transmitted without any integrity protection.Besides, during data aggregation, a smart meter is not authenticated.Consequently, a dishonest or fake smart meter may falsify the data, which will cause an inaccurate aggregated result.Apart from [3][4][5][6][7][8][9][10][11][12][13][14][15][16][17], recently two more interesting data aggregation schemes have been proposed [25][26].However, these schemes are designed upon the computationally inefficient operations (such as EC-ElGamal cryptosystem and complex parabolic function).Hence, they would be infeasible for the resource constrained smart meters.

B. Problem Statement and Motivation
The collection of fine-grained energy consumption data is necessary for a number of smart-grid features and applications.For example, implementing dynamic electricity pricing based on time-of-day schedules, demand-side management through financial incentives, and energy demand-response management requires the collection of meter readings multiple times a day.Also, consumers may wish to know their energy usage information on a given day or period in order to adjust their energy consumption.Therefore, the utility or its designated data aggregator needs the ability to collect smart meter readings at arbitrary intervals or periods.Although several existing techniques have been proposed for privacy-preserving data aggregation for billing or demand-response management of energy in smart grids, most of the existing schemes are based on computationally expensive operations such as Paillier crypto system, lattice-based encryption, ElGamal encryption etc.On the other hand, in the existing masking-based schemes, for verifying the correctness of the masking secrets, they also use the computationally expensive operations such as DDH group and Bilinear mapping, or homomorphic hashing, which are not suitable for the resource-limited smart meters.For example, a smart meter from Atmel's family with ARM Cortex-M4 processor can provide a maximum CPU speed of 720 MHz [20].As such, this smart meter may not be suitable to perform any computationally expensive operations.Also, since smart grid systems are mostly operated in a large scale, computationally expensive operations may impair the efficiency of the system.Furthermore, existing billing solutions in the literature consider a constant tariff price rate throughout the day (even for the whole month), which is not suitable for the dynamic electricity pricing-based billing model used in many counties (such as Finland, Estonia, Norway, etc.) [22].For instance, in Portugal, tariff price rate varies four times in a day based on peak (3 hours/day), half-peak (14 hours/day), normal off-peak (3 hours/day) and super offpeak (4 hours/day).For that, we need a dynamic pricing-based billing model.
This paper seeks to address all these issues by proposing an efficient data aggregation scheme (EDAS) for privacy-aware secure billing systems and facilitating applications such as balancing the power production and demand in smart grids.Our proposed scheme is based on symmetric key cryptographic primitives such as hash functions, which cause very limited computational overhead and data aggregation time and hence is suitable for the resource constrained devices in smart grids.
The key contributions of this paper can be summarized as: • An efficient authentication and key establishment scheme is developed for data aggregation for dynamic pricingbased billing.• A computationally efficient, lightweight data aggregation scheme, EDAS, is proposed for dynamic pricing-based billing systems that ensures the privacy of the consumer's identity as well as the usage data.To the best of our knowledge, this is the first paper to address privacy in the context of billing under dynamic electricity pricing.• A novel data aggregation scheme for a group of consumers (e.g. from a region/locality) is proposed that does not compromise the privacy of any individual customer.• The proposed scheme provides a higher degree of efficiency.Specifically, the proposed scheme does not need to perform any asymmetric cryptographic operations.The rest of the paper is organized as follows.In Section II, we present the underlying smart grid model, adversary model, and security goals that are relevant to this paper.Section III presents the proposed EDAS scheme and its security is analyzed in Section IV.A discussion on the performance of Meter reading of the smart meter SM i at time interval T j the proposed scheme is presented in Section V and Section VI concludes the paper.The symbols and cryptographic functions used in this paper are defined in Table I.

II. SYSTEM AND ADVERSARY MODEL, AND SECURITY GOALS
In this section, we first describe the network architecture of the proposed privacy-preserving data aggregation mechanism and present the underlying adversary model.Subsequently, we define the security goals of our proposed scheme.

A. System Model
Figure 1 shows our system model for the smart metering infrastructure which is used to develop the proposed scheme.Our system model consists of five major entities: a service provider (SP), a third-party aggregator (TPA) employed by the service provider, a set of smart meters (SMs), a set of home gateways (HGs), and numerous home area networks (HANs).In our system model, the SP is responsible for procuring electricity from the producers, supplying electricity to consumers, and sending billing notification to each HAN.The TPA is responsible for accumulating the power consumption data of each HAN.At the end of each day or any specific period, the TPA sends the aggregated data to the SP for billing purposes.In this way, the TPA assists the SP to implement dynamic pricing-based billing and also reduces the overhead of the SP.Next, each HAN is composed of a SM, a HG, and a set of home appliances (HAs).Each SM is connected with its HG through a trusted link.A HG periodically collects reading from the SM and sends it to the TPA.The communication between a SM and its HG is through WiFi.Each HG communicates with the TPA through a Long-Term-Evolution-Advanced (LTE-A) network.Note that while the network model is provided for completeness, the proposed EDAS scheme does not rely on any specific underlying networking technology.

B. Adversary Model
In our system model, the SP handles the billing process.Therefore, the SP has to know relevant information about the consumer such as the consumer's name and the mailing address etc.Hence, in our adversary model we consider the SP as a trusted organization (e.g.owned by the government, such as Singapore Power in Singapore and National Grid in United Kingdom).On the other hand, the TPA is owned by a private company whose main responsibility is to assist the SP.Therefore, in our system model we consider the TPA as a honest-but-curious entity, who may want to know the consumption data of each HAN and subsequently may try to sell the usage information to another company, e.g. for marketing materials for home appliances.Various elements inside the communication network may also act as adversaries and be interested in private details of the power consumption of each HAN.A compromised network and its various elements (like router or switch) can alter or fabricate the meters' consumption data.Hence, any communication through the network may not be secure.Usually, the TPA and the communication network (like LTE-A) are owned and operated by two different organizations, and therefore we assume that they do not collude with each other.Also, any HG may act as an adversary and be interested to know the consumption data of another HG from a different HAN.An outside attacker may try to impersonate as a legitimate entity that can be a HG, or the TPA, to send data under its name.For instance, a dishonest or fake HG could falsify the data for causing inaccurate aggregation result.In addition, the outside attacker may eavesdrop on the network transmission media for obtaining the power consumption data and also may try to alter or retransmit them.

C. Security Goals
• Authentication: Before aggregating any data, the TPA needs to authenticate each HG in order to prevent inaccurate aggregation results.On the other hand, before obtaining the aggregated data from the TPA through the insecure public communication channel, the SP needs to authenticate the TPA.• Usage Data Confidentiality: The secrecy of the end-toend communication is vital and the electricity consumption data should be kept secret from any third party for protecting the privacy of the customer.In this regard, if an outsider or an inside adversary like other HGs from different HANs or the TPA obtains the messages with electricity consumption information, then he/she should not be able to comprehend the encrypted message.
• Usage Data Integrity: The TPA should be able to verify the integrity of the data received from each HG of a HAN.Similarly, the SP needs to check the integrity of the aggregated data received from the TPA.• Consumer Privacy: The TPA should not be able to extract any private information (e.g, name, address, contact number, etc.) of a HAN user.Only the SP should have the ability to know a consumer's real identity, and their electricity usage.This is necessary for determining the actual electricity consumption and proper billing services.
In addition, after eavesdropping the usage data, an outside adversary should not be able to comprehend that the data is from a particular consumer's end.• Forward Secrecy: Forward secrecy is extremely important since cryptographic computations, e.g., encryption, and authentication, are often carried out during data aggregation.In a scheme with forward secrecy, secret keys are evolved at regular time periods.Exposure of a secret key corresponding to a given time period does not enable an adversary to break the scheme for any prior time period.In other words, forward secrecy ensures that the messages of prior time periods are confidential even if the current time period's key has been compromised.
To improve the security level of smart meters, forward secrecy should be considered.Now, to ensure forward secrecy in our proposed scheme, it is important that the exposure of shared secret keys of HG i , TPA, and SP should not enable the adversary to obtain the aggregated meter reading and billing information of each user in the previous time periods.

III. PROPOSED ENERGY-EFFICIENT DATA AGGREGATION SCHEME -EDAS
In this section we present our EDAS which consists of three phases: authenticated initialization and refilling, data aggregation for dynamic pricing-based billing, and data aggregation for demand-response management.In the authenticated initialization and refilling phase, a home gateway HG i and the aggregator TPA mutually authenticate each other with the help of the SP and subsequently establish an integrity key k hi , a set of random integers, and temporary identities between them.In addition, through this phase, both the HG i and the TPA can update their integrity key and establish a new set of temporary identities.In the data aggregation for dynamic pricing-based billing phase, the TPA anonymously accumulates the usage data and eventually sends it to the SP for billing.In the final phase of EDAS, the TPA anonymously accumulates and aggregates the usage data of a group of HANs in order to assists the SP with demand-response management.

A. Authenticated Initialization and Refilling
Assume that there are n HANs in a locality which obtain power supply from the SP.During meter installation of a home HAN i , the SP randomly generates a shadow identity SID i and a secret key k i and assigns them to the HG of HAN i .This phase of the proposed scheme consists of the following steps: Step 1: HG i generates a nonce N g and computes V 1 = h(SID i ||N g ||k i ).Then, HG i composes a request message M A1 : {SID i , N g , V 1 } and sends it to the TPA.Since, a particular shadow identity SID i cannot be used twice, the request message M A1 cannot be replayed.Moreover to address the loss of synchronization issue or denial of service (DoS) attack [19], both HG i and the SP can maintain a set of pseudo identities PID i = {pid 1 , pid 2 , • • • , pid n }, where each identity can be used only once and after that it must be deleted by both sides.
Step 2: Upon receiving the request message M A1 , the TPA generates a random number N a and computes V 2 = h(ID A ||N a ||K as ).Subsequently, the TPA creates a message M A2 : {M A1 , ID A , N a , V 2 } and sends it to the SP.
Step 3: After receiving the message M A2 , the SP first tries to identify SID i and then checks V 1 and V 2 .If these parameters are valid, then the SP randomly generates an integrity key k h , a new shadow identity SID new i , and picks a set of q random integers R iq = {r i1 , r i2 , • • • , r iq } drawn uniformly from [a, b], where a and b are chosen to be orders of magnitude larger than the typical meter value.For instance, in the USA the average power consumption of a house is about 15 kWh each day.In this scenario, a and b may be chosen as 10 6 and 10 8 , respectively.To ensure better privacy, the choice of a and b should be changed regularly.Now, the SP computes , and )} and sends it to the TPA.Here, ENC denotes symmetric-key-based encryption using the Advanced Encryption Standard (AES).
Step 4: On receiving M A3 , the TPA first validates V 3 .If the validation is successful, then the TPA decodes k h = h(ID A ||K as ||N a ) ⊕ k A h and generates a set of q unique temporary identities )} and sends it to HG i .
Step 5: Upon receiving the message M A4 , HG i first computes and verifies V 4 and then decodes Hereafter, HG i verifies the parameter V 5 .If all the validations are successful, HG i decrypts R iq from R * iq , and TID iq from TID * iq , and stores {TID iq , R iq , k h } for data aggregation.Details of this phase are also depicted in Fig. 2.

B. Data Aggregation for Dynamic Pricing-based Billing
In this subsection, we present our privacy-friendly and efficient data aggregation scheme for dynamic pricing-based billing, where we consider the variations in tariff prices throughout the day according to the time-of-day period schedules.After a pre-defined schedule of the time interval T j , HG i collects the meter reading of SM i , selects the next unused masking value r ij ∈ R iq , and calculates the blinded measurement X ij = {M ij + r ij }, where it is assumed that r ij ≫ M ij .Then, HG i selects an unused temporary identity tid ij ∈ T ID{tid i1 , tid i2 , • • • , tid iq }, generates a timestamp t gi , and computes H ij = h(X ij ||k h ||t gi ).Finally, HG i composes a message {tid ij , t gi , X ij , H ij } and sends it to the TPA.Then, HG i deletes the pair of used (r ij , tid ij ) from the respective lists.Note that once all the masking values R iq = {r i1 , r i2 , • • • , r iq } and temporary identities tid ij ∈ T ID{tid i1 , tid i2 , • • • , tid iq } are used up, HG i needs to execute Phase 1 again.Now, upon receiving the usage data, the TPA first locates and validates the temporary identity tid ij , along with the timestamp t gi and key-hash integrity output H ij .If the validation is successful, the TPA stores X ij in its database.Otherwise, the TPA terminates the accumulation process and asks HG i to send the reading again.At the end of the day (or any desired interval), the TPA generates a timestamp t a and then computes X ACC = q j=1 {X ij }, E = ENC Kas (SID i ||t a ), and δ = h(SID i ||K as ||X ACC ||t a ).Here, denotes the accumulation of the blinded measurements, i.e., {X i1 ||X i2 || • • • ||X iq }.Finally, the TPA composes a message ∆ = {ID A , E , δ, X ACC } and sends it to the SP.After receiving the power consumption information the SP first decrypts E and then validates the timestamp t a , and δ.If the validation is successful, the SP locates R iq = {r i1 , r i2 , • • • , r iq } and the list of tariff prices Tar [q] = {tar 1 , tar 2 , • • • , tar q } for each interval and subsequently computes the bill amount for the day d, i.e., Bill d i = q j=1 (X ij − r ij )Tar [j ] and stores Bill d i in its database.Thus, the consumer can see his/her energy usage for each day.At the end of the month, the SP calculates the billing amount BA i = n d=1 Bill d i .After calculating BA i , the SP locates the consumer information and sends the bill to the owner of HAN i .Details of this phase are depicted in Fig. 3.
Note that for the correctness of the proposed scheme, both the SP and HG i should sequentially use the masking values from R iq = {r i1 , r i2 , • • • , r iq }.For instance, if it is assumed that there are five different tariff prices throughout the day, then HG i needs to send the usage information of HAN i five times (T 1 , T 2 , • • • , T 5 ) in a day.Now, we further assume that after the execution of each authenticated initialization and refilling phase, HG i receives five masking values, i.e., R i5 = {r i1 , r i2 , • • • , r i5 }.Therefore, both the SP and HG i are required to use R i5 in the following way: {r i1 (at T 1 ), r i2 (at T 2 ), • • • , r i5 ( at T 5 )}.However, for better performance of the proposed scheme, we assume that after execution of each authenticated initialization and refilling phase, HG i receives the masking values for two to three days.

C. Data Aggregation for Demand-Response Management
For maintaining balance between power production and demand, the SP needs to know the electricity usage of its users or any sub-group of its users (e.g. from a specific geographic region) on a regular basis (say, every one or two hours).Consider a group of n users for aggregation.In this regard, the SP maintains a n × q matrix (P ) of random integers, whose i-th row comprises of the vector R iq = {r i1 , r i2 , • • • , r iq } that was generated for and shared with HG i during the execution of the authenticated initialization and refilling phase.All HGs are synchronized with respect to their vector R iq and for any time period T j specified by the SP or the TPA, each HAN uses the j-th element of its vector of random variables (i.e., r ij for HG i ).Our data aggregation process then consists of the following steps: Step AG1: At a particular time interval T j , the SP selects the corresponding column of M and calculates Col jSum = n i=1 P [i ][j ].It then generates a time stamp t sp and computes ∆ SP = ENC Kas (Col jSum ||K as ), H SP = h(∆ SP ||K as ||t sp ), and subsequently sends {∆ SP , H SP , t sp } to the TPA.
Step AG2: Upon receiving {∆ SP , H SP , t sp }, the TPA first checks whether the time stamp t sp and H SP are valid or not.If they are valid, the TPA decrypts obtains Col jSum from ∆ SP .Then the TPA asks the HGs to return their reading for that interval.
Step AG3: Next, each gateway HG i picks an unused temporary identity tid ij ∈ TID and selects the predefined random integer r ij from its array, which was assigned for that particular interval.The HG i then collects the meter reading M i for that interval from SM i and generates a time stamp t gi .HG i then calculates its blinded measurement and sends it to the TPA.
Step AG4: After receiving the meter reading from each home gateway HG i , the TPA first checks t gi and H i , and then maps tid ij into SID i .It then computes the sum of the blinded measurement Sum BM = n i=1 X i , and obtains the aggregated result of the actual measurement by Sum AM = Sum BM − Col jSum .Thus the TPA obtains the aggregated power consumption data of the HANs, which may be used as an input for demand-response management.
Note that in our system if any of the checks in the steps above fails, this phase of the proposed scheme is aborted.Besides, to expedite the performance of the above data aggregation scheme, the SP can pre-compute ∆ SP and H SP for several sessions and send them to the TPA.Finally, in order to ensure forward secrecy in the proposed scheme, at the end of each interaction, all the three entities (HG i , the TPA, and the SP) need to update their shared secret keys.For example, after sending/receiving the aggregated data of each day, both HG i and the TPA need to update the hash-integrity key with k * hi = h(k hi ||t gi ).In case of loss of synchronization or denial of service (DoS) attack [19], both HG i and the TPA need to execute the authenticated initialization and refilling phase of the proposed scheme.Details of this phase are depicted in Fig. 4.

IV. SECURITY ANALYSIS
In this section, we demonstrate that the proposed scheme can achieve all the security goals listed in Section II.
1) Accomplishment of Authentication: In the authenticated initialization and refilling phase of EDAS, the SP authenticates HG i by verifying the shadow identity SID i and V 1 in the request message M A2 , where only a legitimate HG i can generate the valid key-hash output V 1 .Besides, the SP authenticates the TPA by using the request parameter V 2 , which must be equal to h(ID A ||N a ||K as ).On the other hand, both HG i and the TPA authenticate the SP by using the response parameters V 3 and V 4 , respectively.Now, in the data aggregation for billing phase of EDAS, before accumulating any usage data, the TPA authenticates HG i by using the time-stamp t gi and the response H ij .Moreover, in this phase of EDAS, the SP authenticates the TPA by using the hash-response parameter δ.On the other hand, in the data aggregation for balancing demand-response phase of EDAS, the TPA authenticates HG i by using the time-stamp t gi and the response H i .Finally, in EDAS, if an adversary tries to perform any replay attempt, the receiving end can easily comprehend such attacks by using the timestamps {t gi , t a }.Therefore, the proposed scheme is also secure against replay attacks.
2) Accomplishment of Usage Data Confidentiality: The amount of electricity usage in HAN i is blinded with the random integer r ij .Hence, the TPA can only see the blinded measurement of a HAN or the summation of the usage data of a group of HANs.As each element of R iq is unique and random, even if two consecutive readings from a HAN or the readings from two HANs are the same, an adversary (even the TPA) cannot comprehend that from the blinded measurements.Thus, the pattern of the electricity consumption is protected from detection by any eavesdropper.
3) Accomplishment of Usage Data Integrity: In the data aggregation for billing phase, we ensure two levels of data integrity.In the first level, the TPA checks whether it has received the same data as that was sent by HG i .For that, the TPA computes H * ij and checks whether H * ij is equal to H ij or not.Similarly, in the second level, the SP invokes the key-hash oracle and computes δ * to check the integrity of the aggregated electricity consumption by comparing δ * with δ.This approach facilitates the detection of any manipulation of the aggregated usage data during communication.On the other hand, in the data aggregation for balancing demand-response phase of EDAS, the TPA checks the integrity of the usage data by using the parameter H i , which helps to prevent the generation of an inaccurate aggregated result.
4) Accomplishment of Consumer Privacy : In EDAS, except for the SP, no one can gain knowledge of any private information of a HAN user.The TPA only knows the shadow identity SID i and uses that to accumulate the readings for each HAN.Besides, while sending the usage data, HG i is not allowed use the same temporary identity tid ij twice.No one except the TPA can recognize the mapping between tid ij and SID i .Therefore, an outsider cannot guess whether the usage data for two consecutive days are from the same HAN user.This approach of the proposed scheme is quite useful for achieving privacy against eavesdropper (PAE) [21].
5) Accomplishment of Forward Secrecy : EDAS uses a regular update of the shared keys k hi and K as .For instance, after sending/receiving the usage data of each day, both HG i and the TPA need to update the hash-integrity key k h with k * h .Now, even if the integrity key k * h is revealed, an attacker cannot obtain k h from k * h since the hash function h(•) is oneway.In this way, EDAS can prevent an attacker from obtaining any previous aggregated usage data and billing information.

V. PERFORMANCE ANALYSIS AND COMPARISONS
The objective of EDAS is not only to fulfill several security requirements in smart grids, but also to ensure that the computational and communication overhead is reasonable during the data aggregation process.To manifest the advantages of EDAS, we compare EDAS with recently proposed data aggregation schemes for smart grids: [12], [13], [14], [15], [16], and [17].We also demonstrate that EDAS is well suited for resource limited smart grid devices (like smart meters and home gateways).In order to analyze the performance of EDAS, particularly on the security front, our scheme has been compared with five state-of-the-art protocols [12], [13], [14], [15], [16], and [17] (shown in Table II), by considering all the security goals listed in Section II.From Table II we see that EDAS can ensure all the security goals listed in Section II, in contrast to the protocols presented in [12], [13], [14], [15], [16], and [17] that only guarantee a subset of the requirements.For instance, in [12], [14], [15], and [17], while data aggregation the identity and the legitimacy of the smart meters are not verified.Consequently, a dishonest or fake smart meter may falsify the data, which will cause an inaccurate aggregated result.On the other hand, in [12], [13], [14], [15], [16], and [17], the smart meters reveal their fixed identity while transmitting the usage data.As a consequence, an adversary can easily comprehend that the usage data is from the same HAN.Therefore, [12], [13], [14], [15], [16], and [17] cannot ensure consumer privacy.
Next, we consider the computation and communication costs for analyzing the performance of the data aggregation for billing phase EDAS with respect to other existing schemes.To ensure fairness, we compare EDAS with the scheme in [13] because both of these schemes use symmetric-key crypto systems to ensure privacy and integrity of the usage data for billing process.Before data aggregation, both the schemes require the establishment of a shared secret key between the HG and the TPA through an authenticated keyexchange protocol.However, it should be noted that unlike [13], for maintaining forward security EDAS does not need to execute the authenticated key-establishment protocol for each transaction.Instead, once all the random integers R iq are used up, EDAS executes the key-establishment protocol of the authenticated initialization and refilling phase for obtaining the new set of random integers (the results presented here use sets of 10 random integers).On the other hand, the key establishment protocol in [13] is based on the computationally expensive Diffie-Hellman key exchange scheme.In contrast, EDAS is based on the lightweight cryptographic primitives like one-way hash function, exclusive-OR, etc. (shown in Table III).
Next we present experimental results to analyze the performance of the proposed scheme more comprehensively.Table IV presents the experiential specifications, including the hardware, computational, and communication specifications.For measuring the computation time of different cryptographic operations used in [13] and/or EDAS, we conducted simulations of their cryptographic operations on an Intel Core i5-2500 processor with CPU speed 3.3 GHz (operating as the SP), an AMD E450 processor with 1.65 GHz CPU speed (operating as the TPA), and a HTC One X with ARM Cortex-A9 MPCore processor with 890 MHz CPU speed (operating as a HG).Moreover, the scheme presented in [13] uses asymmetric encryption during its key-establishment process and both EDAS and [13] use symmetric key encryption and hash operations during data aggregation.Hence, we emulate the Advance Encryption Standard with Cipher Block Chaining (AES-CBC) mode, the Elliptic Curve Integrated Encryption Scheme (ECIES), and SHA-256, as the symmetric encryption, asymmetric encryption, and hash operation, respectively.The simulation uses Java Cryptography Extension (JCE) [25] to evaluate the execution time of different cryptographic operations.
Based on our experimental results, the key-establishment process in [13] takes 147.48 ms on an average.Besides, for securely transferring 56 bytes of usage data, the protocol incurs 5.32 ms of communication cost.In our experiments, we consider the size of the usage data for each transactions to be 8 bytes, and the size of the identity of a HG and the hash integrity outputs to be 128 bits and 256 bits, respectively.Ensuring privacy and integrity of the usage data in [13] incurs 0.0075 ms of computation cost.Overall, the average computation and communication cost for data aggregation and billing process in [13] for an entire month is N × 152.9 ms, where N denotes the number of times the aggregated usage data is sent from a HG to the TPA in a month.One the other hand, the key-establishment process in EDAS takes 57.03 ms.In addition, transferring 72 bytes of data (including usage data of 8 bytes) between a HG and the TPA takes 6.49 ms.At the end, for transferring billing information to the SP, EDAS takes 9.63 ms.Overall, the entire computation and communication costs for the data aggregation and billing process for each x is the number of executions of the authenticated initialization and refilling phase in a month and d is the number of days in a month.Fig. 5 shows the total cost with respect to the number of HG data transmissions in a month.From Fig. 5, we see that if a HG sends it's meter reading twice in every day to the TPA (i.e.N = 60), d = 30 and x = 15 (i.e., one execution of the authenticated initialization and refilling phase every two days), then the scheme presented in [13] takes 9174 ms, whereas EDAS takes only 1533.3 ms.Finally, we consider the performance of the demand-response management phase in EDAS with the existing schemes.For this, we conducted simulations of the cryptographic operations used by the existing data aggregation schemes and by the proposed scheme on an AMD E450 processor with 1.65 GHz CPU speed (operating as the TPA or SP), and a HTC One X with ARM Cortex-A9 MPCore processor with 890 MHz CPU speed (operating as a HG).The simulations used the JPBC library Pbc-0.5.14 [23], JCE [25], and the Pailler library libpaillier-0.8 [24] to evaluate the execution time of different cryptographic operations.Table V shows the variation in the aggregation time for different numbers of SMs in the proposed scheme, and others.It can be seen from Table V that the aggregation time for the Pailler encryption based Li et al.'s scheme is higher than others.On the other hand, the data aggregation time for the proposed scheme is significantly lower as compared to the others.Hence, the proposed scheme is better suited for efficient data aggregation in smart-grids.

VI. CONCLUSION
In this paper, we proposed an efficient data aggregation scheme (EDAS) for secure and privacy-aware dynamic pricing-based billing, and demand-response management in smart-grids.It is designed using lightweight symmetric-keybased cryptographic primitives.We analyzed the security of the proposed scheme and it was shown that EDAS can ensure several security properties like authentication, data privacy, data integrity, etc., which are highly important for smart grid security.Moreover, it was shown that EDAS has significantly lower computation and communication cost as compared to other data aggregation schemes.Hence, we argue that EDAS is efficient, practical, and more suitable for applications with

Fig. 3 .
Fig. 3. Proposed computationally efficient and lightweight data aggregation scheme for secure dynamic pricing-based billing process in smart grids.

Fig. 4 .
Fig. 4. Proposed computationally efficient and lightweight data aggregation scheme for demand-response management in smart grids.

Fig. 5 .
Fig. 5. Performance comparison between Fouda et al.'s scheme [13] and EDAS-based Billing Approach in terms of total data aggregation time.

TABLE II PERFORMANCE
BENCHMARKING BASED ON SECURITY PROPERTIES (NOTATION: A: AUTHENTICATION; DC: DATA CONFIDENTIALITY; DI: DATA INTEGRITY; CP: CONSUMER PRIVACY; FS: FORWARD SECRECY).
Average Transmission Time for 896-bits 12.32 ms 16.19 ms month in EDAS is x × 57.03 + N × 6.49 + d × 9.63 ms, where

TABLE V VARIATION
OF AGGREGATION TIME FOR VARIOUS NUMBER OF SMS