EPPDR: An Efficient Privacy-PreservingDemand Response Scheme with Adaptive Key

Evolution in Smart GridHongwei Li, Member, IEEE, Xiaodong Lin, Member, IEEE, Haomiao Yang, Member, IEEE,

Xiaohui Liang, Student Member, IEEE, Rongxing Lu, Member, IEEE, andXuemin (Sherman) Shen, Fellow, IEEE

AbstractSmart grid has recently emerged as the next generation of power grid due to its distinguished features, such asdistributed energy control, robust to load fluctuations, and close user-grid interactions. As a vital component of smart grid,demand response can maintain supply-demand balance and reduce users electricity bills. Furthermore, it is also critical topreserve user privacy and cyber security in smart grid. In this paper, we propose an efficient privacy-preserving demandresponse (EPPDR) scheme which employs a homomorphic encryption to achieve privacy-preserving demand aggregation andefficient response. In addition, an adaptive key evolution technique is further investigated to ensure the users session keys tobe forward secure. Security analysis indicates that EPPDR can achieve privacy-preservation of electricity demand, forwardsecrecy of users session keys, and evolution of users private keys. In comparison with an existing scheme which alsoachieves forward secrecy, EPPDR has better efficiency in terms of computation and communication overheads and canadaptively control the key evolution to balance the trade-off between the communication efficiency and security level.

Index TermsSmart grid, demand response, privacy-preserving, forward secrecy, key evolution

1 INTRODUCTION

RECENTLY, smart grid has emerged as a promisingsolution to the next generation power grid system [1].It utilizes information and communications technology togather and act on information, such as information aboutthe behaviors of suppliers and consumers, in an automatedfashion to improve the reliability, efficiency, economics,and sustainability of the generation and distribution ofelectricity [2]. One appealing feature of smart grid is demandresponse (DR), which can assist users to use energyefficiently and transfer non-emergent power demand fromon-peak time to off-peak time [3]. DR can also bring variousbenefits to users. For example, users can reduce their

electricity expenditure by matching the operation time ofdifferent electric appliances in their places to the period withthe cheapest price. To enable the above characteristics of DR,it often relies on a control center to implement real-timemanagement of users electricity demand through thecommunications between the control center and smartmeters installed in users homes.

As smart grid is closely related to peoples daily lives, toresolve the security and privacy concerns in smart grid iscrucial [4], [5]. Note that in the smart grid networks,adversaries might eavesdrop the communication betweenusers and control center and identify the users electricitydemand. With this information, they are able to track learnabout the users habits or lifestyles [6]. Moreover, adver-saries might compromise the smart meters and furtherobtain stored secret information such as their session keysand private keys [7]. To preserve user privacy and cybersecurity, DR should not only provide privacy-preservationof electricity demand, but also mitigate the damage causedby the exposure of secret keys stored on the smart meters.

Among many security and privacy requirements forprotection of electricity demand and response messages insmart grid, forward secrecy is extremely important sincecryptographic computations, e.g., encryption, signature,and authentication, are often carried out on the insecuresmart meters [8]. In a scheme with forward secrecy, secretkeys are evolved at regular time periods. Exposure of asecret key corresponding to a given time period does notenable an adversary to break the scheme for any prior timeperiod [9]. To improve the security level of smart meters,forward secrecy should be considered.

. H. Li and H. Yang are with the School of Computer Science andEngineering, University of Electronic Science and Technology ofChina, Chengdu 611731, China. E-mail: hongwei.uestc@gmail.com;haomyang@uestc.edu.cn.

. X. Lin is with the Faculty of Business and Information Technology,University of Ontario Institute of Technology, Oshawa, ON L1H 7K4,Canada. E-mail: xiaodong.lin@uoit.ca.

. X. Liang is with the Department of Computer Science, Dartmouth College,Hanover, NH 03755-3510, USA. E-mail: xiaohui.liang@dartmouth.edu.

. R. Lu is with the School of Electrical and Electronics Engineering,Nanyang Technological University, Singapore. E-mail: rxlu@ntu.edu.sg.

. X. Shen is with the Department of Electrical and Computer Engineering,University of Waterloo, Waterloo, ON N2L 3G1, Canada. E-mail:sshen@uwaterloo.ca.

Manuscript received 24 Feb. 2013; revised 31 Mar. 2013; accepted 13 Apr.2013. Date of publication 18 Apr. 2013; date of current version 16 July 2014.Recommended for acceptance by N. Kato.For information on obtaining reprints of this article, please send e-mail to:reprints@ieee.org, and reference the Digital Object Identifier below.Digital Object Identifier no. 10.1109/TPDS.2013.124

1045-9219 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 2014 2053

Despite its importance, forward secrecy has not beenwell studied in smart grid due to the complexity of smartgrid communication. Existing schemes mainly focus onachieving confidentiality and integrity of communication,and mutual authentication among different entities [10],[11]. The first attempt to achieve forward secrecy of userssession keys in smart grid was studied in [12]. However,since it adopts RSA public key algorithm and Diffie-Hellman exchange protocol to evolve the session key as aneffort to ensure forward secrecy, the computation andcommunication overheads are heavy, thereby making itimpractical. In addition, the private keys of users should beevolved since they could also be compromised [8].However, frequently evolving session keys and privatekeys will lead to heavy communication overhead; never-theless, sparsely evolving session keys and private keyswill degrade the security level. Therefore, it is challengingto develop a key evolution algorithm which can achieveboth efficiency and security level.

In this paper, we propose an Efficient Privacy-PreservingDemand Response scheme with adaptive key evolution,named EPPDR. This work extends our previous research [6]in improving the preliminary demand response scheme forachieving adaptive key evolution. The security and perfor-mance of EPPDR are extensively analyzed. Specifically, thecontributions of this paper are twofold.

. Firstly, we propose the novel EPPDR scheme thatemploys the homomorphic encryption [13] toachieve privacy-preserving demand aggregationand efficient response. The security analysis demon-strates that EPPDR can achieve privacy-preservationof electricity demand, forward secrecy of userssession keys, and evolution of users private keys.

. Secondly, we compare EPPDR with an existingscheme [12] which also achieves forward secrecy.The comparison results demonstrate that EPPDRis more efficient in terms of computation andcommunication overheads. In addition, EPPDR canadaptively control the key evolution to balance thetrade-off between the communication efficiency andsecurity level.

The remainder of the paper is organized as follows. Wepresent the related works in Section 2. In Section 3, weformalize the network model, the security model and thedesign goal. In Section 4, we review the homomorphicencryption, the bilinear pairing and identity-based signa-ture. Then, we propose the EPPDR scheme in Section 5,followed by the security analysis and the performanceevaluation in Sections 6 and 7, respectively. Finally, wedraw our conclusions in Section 8.

2 RELATED WORKSIn this section, we review and discuss three techniques:homomorphic encryption, forward secrecy and key evolu-tion which are closely related to the proposed scheme inthis paper.

Homomorphic encryption can achieve certain algebraicoperations on the plaintext to be performed directly on the

ciphertext and has been used in many data aggregationschemes [14], [15]. Theses schemes are very promising andhave triggered considerable following research work [10],[16], [11] in smart grid. Li et al. [10] present a distributedincremental data aggregation approach. To protect userprivacy, homomorphic encryption is used to secure thedata en route. Seo et al. [16] propose a secure and efficientpower management mechanism leveraging a homomor-phic data aggregation and capability-based power distri-bution. The proposed mechanism enables to gather thepower demands of users securely. Lu et al. [11] propose aprivacy-preserving aggregation scheme for secure andefficient smart grid communications. It realizes multi-dimensional data aggregation approach based on thehomomorphic Paillier cryptosystem. Those schemes as-sume that the session keys between home area network(HAN) users and building area network gateway (BG) areunchanged. However, once an adversary A compromisesthe session keys, A can decrypt any previous responsemessage.

Forward secrecy is a property that ensures that themessages of prior time period are confidential even ifthe current time periods key has been compromised [9].Kate et al. [17] present an improved forward secrecy schemefor onion routing anonymity networks, Its computation andcommunication overheads are significantly less comparedwith the previous schemes. Chen et al. [18] propose anefficient approach to establish security links in wirelesssensor networks. The proposed scheme only requires smallmemory size and can achieve forward secrecy. Forwardsecrecy can be implemented by key evolution techniquewhich generates the new keys based on the old ones. Liuet al. [19] propose a key evolution technique for sensornetworks. The technique can ensure forward secrecy andachieve viable trade-offs between security and resourceconsumption. Libert et al. [20] propose the key evolutionsystems in untrusted update environments. The systemsimplement an efficient generic construction and can beextended a forward-secure public key encryption scheme.Although the importance of forward secrecy and keyevolution, how to design a data aggregation scheme withforward secrecy of session keys and the evolution of usersprivate keys in smart grid is a challenging issue. Fouda et al.[12] propose a lightweight message authentication schemeachieving forward secrecy. Specifically, in the proposedscheme, the HAN users can achieve mutual authenticationwith BG.Detailed security analysis shows that the proposedscheme can satisfy confidentiality, data integrity, authen-ticity and forward secrecy. Since the scheme adopts RSApublic key signature algorithm and Diffie-Hellman ex-change protocol to evolve the session keys between HANusers and BG, the computation and communication over-heads are heavy. In this paper, we will design an efficientdemand response scheme with forward secrecy of sessionkeys. Based on the non-interactive property of identity-based cryptography, we will propose an adaptive keyevolution technique to evolve the session keys in batchmode. Our approach can achieve lower computation andcommunication overheads compared with the scheme in[12]. In addition, our approach can also achieve theevolution of users private keys.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 20142054

3 MODELS AND DESIGN GOAL3.1 Network ModelAs shown in Fig. 1, network model for smart grid is dividedinto a number of hierarchical networks comprising controlcenter (CC), building area network (BAN) and home areanetwork (HAN). The CC covers n BANs. For the sake ofsimplicity, we assume each BAN comprisesmHANs. EachHAN is assigned a smart meter enabling an automated,two-way communication between the CC and the HANuser. Meantime, each BAN is equipped with a gateway(GW).

Communication between a HAN user and the BAN GW(BG) is through relatively inexpensive WiFi technology,i.e., within the WiFi coverage of the BG, each HAN usercan directly communicate with the BG. For the HAN userwho is beyond the coverage of the BG, communication hasto be done in multiple hops. However, since the distancebetween a BG and the CC is far away, the communicationbetween a BG and the CC is through either wired links orany other links with high bandwidth and low delay.

3.2 Security ModelIn our security model, CC and BGs are trusted by all partiesin the scheme, and infeasible for any adversary tocompromise. In specific, we consider the following securitygoals needed to be achieved.

. Privacy-preservation of electricity demand: Theusers electricity demand should not be disclosedto the unauthorized/untrusted entities. Even if anadversary A hacks into the database of BGs and CC,it can also not identify the contents of ciphertexts.

. Confidentiality: The electricity response messagesshould be confidential, i.e., if an adversary Acaptures the response messages, it cannot identifythe encrypted messages.

. Authenticity and data integrity: BGs and HAN usersshould be authenticated by CC and BGs, respec-tively. Meanwhile, if an adversary A modifies theelectricity demand, the malicious operations can bedetected.

. Forward secrecy of users session keys: It should beensured that the exposure of users session keyscorresponding to a given time period does notenable an adversary to decrypt any prior timeperiod messages. Specifically, if an adversary Acompromises a HAN user, A cannot get its previouselectricity information. As a result, the forwardsecrecy can be achieved.

. Evolution of users private keys: The evolution ofusers private keys should be achieved, i.e., if anadversary A compromises any previous private keyof a HAN user, A cannot use it currently or in thefuture.

3.3 Design GoalUnder the above models, our design goal is to develop anefficient privacy-preserving demand response scheme withadaptive key evolution. Specifically, the following threedesirable objectives will be achieved.

. The proposed scheme should achieve efficientforward secrecy, i.e., evolution of users sessionkeys should be cost-effective in terms of computa-tion and communication overheads.

. The proposed scheme should achieve adaptively keyevolution, i.e., BG can adaptively control the fre-quency of key evolution by considering the balanceof security level and communication efficiency.

. The proposed scheme should achieve the privacy-preservation of electricity demand, the demandssource authentication and data integrity, the confi-dentiality of the response messages.

4 PRELIMINARIESIn this section, we review the homomorphic encryption, thebilinear pairing and identity-based signature, which willserve as the basis of the proposed EPPDR scheme.

4.1 Homomorphic EncryptionHomomorphic Encryption (HE) allows certain algebraicoperations on the plaintext to be performed directly on theciphertext. HE is usually used for privacy-preservingapplications (e.g., data aggregation, e-voting). In this paper,we adopt the Paillier cryptosystem [13]. In the Pailliercryptosystem, the public key is pkN; g, and thecorresponding private key is sk; . Let E;m, and r bethe encryption function, a message and a random number,respectively. The ciphertext is

c Em gm rN modN2: (1)

The plaintext is

m Dc Lc mod N2 modN (2)

Fig. 1. Network model for smart grid.

LI ET AL.: EFFICIENT PRIVACY-PRESERVING DEMAND RESPONSE SCHEME 2055

where the function Lx x 1=N . Then, the additivehomomorphic property is as follows:

Em1 Em2 gm1 rn1

gm2 rn2

mod n2

gm1m2 r1r2n mod n2Em1 m2: (3)

4.2 Bilinear PairingLet G and GT be two multiplicative cyclic groups of thesame prime order q, and P be a generator of group G.Suppose G and GT are equipped with a pairing, i.e., a non-degenerated and efficiently computable bilinear mape : GG! GT such that eaP1; bQ1 eP1; Q1ab 2 GTfor all a; b 2 Zq and any P1; Q1 2 G. We refer to [21] for amore comprehensive description of pairing technique, andcomplexity assumptions.

Definition 1. A bilinear parameter generator Gen is a proba-bilistic algorithm that takes a security parameter as input,and outputs a 5-tuple q; P;G;GT ; e.

4.3 Identity-Based SignatureIdentity-based signature is made of four algorithms thatare depicted as follows [22]:

. Setup: Private key generator (PKG) first generatesq; P;G;GT ; e by running Gen. Then PKGchooses a random s 2 Zq as the master key andcomputes the associated public key Ppub sP . It alsopicks two cryptographic hash functions of samedomain and range H1, H2 : f0; 1g ! _G. The sys-tems public parameters are q; P;G;GT ; e;H1; H2.

. Keygen: Given an users identity ID, PKG computesQID H1ID and the associated private keydID sQID that is transmitted to the user.

. Sign: In order to sign message M, the user picks arandom number r 2 Zq ; and computes U rP ,V dID rH2ID;M; U. The signature on M isthe pair hU; V i.

. Verify: To verify a signature hU; V i on a messageM for an identity ID, the verifier accepts thesignature if eP; V ePpub; H1IDeU;H2ID;M; Uand rejects it otherwise.

5 PROPOSED EPPDR SCHEMEIn this section, we propose the EPPDR scheme, whichconsists of five phases: CC initialization, BAN initializa-tion, demand aggregation, demand processing and re-sponse, and key evolution.

5.1 CC InitializationWe assume a control center (CC) will bootstrap the wholesystem. Specifically, given the security parameter , CCfirst generates the bilinear parameters q; P;G;GT ; e byrunning Gen, and chooses one secure symmetricencryption algorithm Enc, e.g., AES, and three securecryptographic hash functions H1, H2, and H3, whereH1; H2 : f0; 1g ! G and H3 : GT ! Zq . In addition, CC

also chooses a random number 2 Zq , and computesQ P and PCC H1IDCC, where IDCC is the identitystring of CC. CC also calculates the homomorphicencryptions public key N; g, and the correspondingprivate key ; . Finally, CC publishes the systemparameters as

pubs q; P;G;GT ; e; Q;H1; H2; H3; N; g; Encf g (4)and keeps the master key ; ; ;PCC secretly. WhenBGii 1; 2; . . . ; n registers itself into the system, CC runsthe following steps:

. Step-1: CC computes the identity-based private keySKBGi H1IDCCkIDBGi, where IDCC and IDBGiare the identity strings of CC and BGi, respectively.

. Step-2: CC grants SKBGi to BGi through a securechannel [21].

After receiving SKBGi , BGi can non-interactively share asession key KBGiCC with CC. BGi computes KBGiCC H3eSKBGi ;H1IDCC, and CC computes KBGiCC H3eH1IDCCkIDBGi;PCC. The correctness is shown asfollows:

KBGiCC H3 e SKBGi ;H1IDCC H3 e H1 IDCCkIDBGi ; H1IDCC H3 e H1 IDCCkIDBGi ; H1IDCC H3 e H1 IDCCkIDBGi ; H1IDCC H3 e H1 IDCCkIDBGi ;PCC : (5)

5.2 BAN InitializationBGii 1; 2; . . . ; n chooses a random number SBGi 2 Zq asits master key and computes

QBGi SBGiP (6)and its private point

PBGi SBGiH1 IDBGi : (7)When a HAN user Uijj 1; 2; . . . ; m registers itself intothe BGi, BGi runs the following steps:

. Step-1: BGi computes the identity-based private keySKUij SBGiH1IDBGikIDUij, where IDBGi andIDUij are the identity strings of BGi and Uij,respectively.

. Step-2: BGi grants SKUij to Uij through a securechannel [21].

After receiving SKUij , Uij can non-interactively share asession key KUijBGi with BGi. Uij computes KUijBGi H3eSKUij ; H1IDBGi, and BGi computes KUijBGi H3eH1IDBGikIDUij;PBGi. Similar to the equation (5),the correctness is shown as follows:

KUijBGiH3 e SKUij ; H1 IDBGi

H3 e SBGiH1 IDBGikIDUij

; H1 IDBGi

H3 e H1 IDBGikIDUij

; H1 IDBGi SBGi

H3 e H1 IDBGikIDUij

; SBGiH1 IDBGi

H3 e H1 IDBGikIDUij

;PBGi

: (8)

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 20142056

5.3 Demand AggregationAs shown in Fig. 2, each HAN user Uij 2 BGii 1; 2;. . . ; n; j 1; 2; . . . ; m uses the smart meter to collectelectricity demand dij, and performs the following steps:

. Step-1: Uij chooses a random number rij 2 ZN andcomputes:

CUij gdij rNij modN2: (9). Step-2: Uij uses the private key SKUij to make an

identity-based signature Uij on M, where M CUijkIDBGikIDUijkTS, TS is the current timestamp. Firstly,Uij picks a random number rij 2 Zq , and computesU rijP , V SKUij rijH2M;U. The signature onM is the pair Uij hU; V i.

. Step-3: Uij sends the encrypted electricity demandCUijkIDBGikIDUijkTSkUij to the BGi.

After receiving encrypted electricity demand CUijkIDBGikIDUijkTSkUij , BGi first checks signature Uij toverify its validity. BGi accepts the signature if the followingequation holds.

eP; V e QBGi ;H1 IDBGikIDUij

e U;H2M;U (10)whereM CUijkIDBGikIDUijkTS. The correctness is shownas follows:

eP; V e P; SKUij rijH2M;U

e P; SKUij

e P; rijH2M;U

e P; SBGiH1 IDBGikIDUij

e rijP; H2M;U

e SBGiP; H1 IDBGikIDUij

e U;H2M;U e QBGi ; H1 IDBGikIDUij

e U;H2M;U : (11)

After the validity checking, BGi performs the followingsteps based on multiple received CUijj 1; . . . ; m:

. Step-1: BGi computes the aggregated demand onCUi1 ; CUi2 ; . . . ; CUim as

CBGi Ymj1

CUij : (12)

. Step-2: BGi uses the private key SKBGi to make anidentity-based signature BGi on M

0, where M 0 CBGikIDBGikIDCCkTS, TS is the current timestamp.Firstly, BGi picks a random number r

0i 2 Zq , and

computes U 0r0iP and V 0SKBGir0iH2M 0; U 0. Thesignature on M 0 is the pair BGi hU 0; V 0i.

. Step-3: BGi sends the aggregated result CBGikIDBGikIDCCkTSkBGi to the CC.

5.4 Demand Processing and ResponseAs shown in Fig. 3, upon receiving n encrypted electricitydemand CBGikIDBGikIDCCkTSkBGii 1; 2; . . . ; n, CC

Fig. 2. Demand aggregation.

Fig. 3. Demand processing and response.

LI ET AL.: EFFICIENT PRIVACY-PRESERVING DEMAND RESPONSE SCHEME 2057

first checks signature BGi to verify its validity. CC acceptsthe signature if the following equation holds

eP; V 0 e Q;H1 IDCCkIDBGi e U 0; H2M 0; U 0 : (13)Where M 0 CBGikIDBGikIDCCkTS. The correctness isshown as follows:

eP; V 0 e P; SKBGi r0iH2M 0; U 0

e P; SKBGi e P; r0iH2M 0; U 0

e P; H1 IDCCkIDBGi e r0iP; H2M 0; U 0

e P;H1 IDCCkIDBGi e U 0; H2M 0; U 0 e Q;H1 IDCCkIDBGi e U 0; H2M 0; U 0 : (14)

After the validity checking, CC performs the followingsteps to read the aggregated demand C, where C isimplicitly formed by:

C Yni1

CBGi

Yni1

Ymj1

CUij

!

Yni1

Ymj1

gdij rNij modN2 !

Yni1

gPm

j1 dij Ymj1

rij

!NmodN2

0@

1A

gPn

i1Pm

j1 dij

Yni1

Ymj1

rij

! !NmodN2: (15)

. Step-1: By taking M Pni1Pmj1 dij and R Qni1

Qmj1 rij, the report C gM RNmod N2 is still

a ciphertext of Paillier Cryptosystem. Therefore, CCcan use the master key ; to recover M asM Pni1Pmj1 dij. Similarly, CC can recoverBGis aggregated electricity demand as

Pmj1 dij.

. Step-2: After analyzing the real-time electricitydemand

Pni1

Pmj1 dij and

Pmj1 diji 1; 2; . . . ; n,

CC generates the response message Si0 G Si 1forBGii 1; 2; . . . ; n, respectively [3], where Si is ascale coefficient. For example, the electricity de-mand from BGi is

Pmj1 dij 20000 kw=h, however,

CC would like to provide 16000 kw/h consideringthe electricity generation and the total electricitydemand

Pni1

Pmj1 dij. Then CC sets Si 0:8. If

electricity consumption from BGi is more than16000 kw/h, the electricity tariff will be higherthan before.

. Step-3: CC sends CikIDCCkIDBGikTS to BGii 1; 2;. . . ; n, respectively, where Ci EncKBGiCC SikIDCCkIDBGikTS and TS is the current timestamp.

. Step-4: Upon receiving CikIDCCkIDBGikTS, BGidecrypts Ci to get Si. Then BGi forwards CijkIDBGikIDUijkTS to the HANuser Uij, where Cij EncKUijBGiSikIDBGikIDUijkTS andTS is the current timestamp.

. Step-5: After receiving CijkIDBGikIDUijkTS, HANuser Uij decrypts Cij to get Si: Then Uij analyzes Siand determines to shift power use from peak timesto non-peak times for lower electricity bills [3].

5.5 Key EvolutionFirstly, we extend the identity string ID to IDkd, where drepresents the expiry date. Note that the extension does notinfluence the previous EPPDR scheme. For the HAN userUij, the identity string IDUijkd is only valid before thespecified expiry date d. After d, the corresponding privatekey SKUijkd is automatically revoked if a new private key isnot generated by BGi. If the unit of d is chosen as one day[20], the lifetime of each private key is also that. Asshown in Fig. 4, the proposed key evolution mechanismis comprised of many rounds. At the end of Roundii 1; 2; ,Roundi1s keys will be generated by key evolutionalgorithm as described in Fig. 5. The time interval of eachround can be calculated by the number of its keys. Forinstance, if the number of Roundi1s keys is N , then thetime interval ofRoundi1 isN days since the lifetime of eachkey is one day. Next, we discuss the key evolutionalgorithm in detail . Specifically, at the end ofRoundii 1; 2; , a HAN user Uij can generateRoundi1s keys by performing the following steps:

. Step-1: According to the security and efficiencyrequirement, Uij chooses an integer lij as the numberof evolving private keys. For example, when thesecurity level is more important than efficiency, Uijcan choose a small integer for lij, e.g., lij 5. On theother hand, when the efficiency is more importantthan security level, Uij can choose a bigger integerfor lij, e.g., lij 30. we will further show the resultsin Section 7.

. Step-2: Uij sends CijkIDBGikIDUijkTS to BGi, whereCij EncKUijBGi lijkIDBGikIDUijkTS and TS is thecurrent timestamp.

. Step-3: After receiving CijkIDBGikIDUijkTS, BGifirstly decrypts Cij to get lij with the session keyKUijBGi . Then BGi checks whether lij G mij, wheremij represents the maximum number of private keyswhichBGi can assign to Uij. if it does hold,BGi doesnothing. Otherwise, BGi lets lij mij. And then BGigenerates lij private keys as

SKUijkd1 SBGiH1 IDBGi IDUij d 1

SKUijkd2 SBGiH1 IDBGi IDUij d 2

SKUijkdlij SBGiH1 IDBGi IDUij

dlij : (16)The set of private keys is as follows:

! SKUijkd1; SKUijkd2; . . . ; SKUijkdlijn o

: (17)

Fig. 4. Proposed key evolution mechanism.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 20142058

. Step-4: BGi sends C0ijkIDBGikIDUijkTS to Uij, whereC0ij EncKUijBGi !kIDBGikIDUijkTS and TS is thecurrent timestamp.

. Step-5: After receiving C0ijkIDBGikIDUijkTS to Uij, Uijfirstly recovers !with the session keyKUijBGi . ThenUij deletes previous session and processing infor-mation and stores ! secretly. Thus, the secureprivate key evolution is achieved.

. Step-6: On the date d aa 1; . . . ; lij, Uij firstlydeletes the previous private key. Then Uij can non-interactively share a new session key K0UijBGi withBGi. Uij computes

K0UijBGi H3 e SKUijkda; H1 IDBGi

(18)

and BGi computes

K0UijBGi H3 e H1 IDBGi IDUij d a ;PBGi : (19)

The correctness is shown as follows:

K0UijBGi

H3 e SKUijkda; H1 IDBGi

H3 e H1 IDBGi IDUij da ; H1 IDBGi SBGi

H3 e H1 IDBGi IDUij d a ;PBGi : (20)

After that, Uij deletes the previous session key KUijBGi .Thus, even if an adversaryA compromises Uij, it cannot getany previous session key. Therefore, the forward secrecy ofsession key is achieved.

6 SECURITY ANALYSISIn this section, we analyze the security properties of theproposed EPPDR scheme. In particular, following the

security model discussed earlier, we are most concernedwith how EPPDR can achieve the privacy-preservation ofelectricity demand, the source authentication and dataintegrity of electricity demand, and the confidentiality ofresponse messages, the forward secrecy of users sessionkeys, and the evolution of users private keys.

6.1 EPPDR Provides the Privacy-Preservation ofElectricity Demand

In the proposed EPPDR scheme, since HAN userselectricity demand is a homomorphic encryption cipther-text [13], an adversary A cannot identify the correspondingelectricity demand even though A eavesdrops the cipher-text. Moreover, since BGi only aggregates and does notdecrypt the electricity demands,A cannot get the electricitydemand even if A compromises the BGis database. Finally,CC recovers the aggregated demands

Pni1

Pmj1 dij andPm

j1 diji 1; 2; . . . ; n. However, sincePn

i1Pm

j1 dij andPmj1 diji 1; 2; . . . ; n are all aggregated results, even if A

intrudes the CCs database, A still cannot get the each HANusers electricity demand. Therefore, the proposed EPPDRscheme preserves the electricity demand privacy.

6.2 EPPDR Provides the Source Authentication andData Integrity of Electricity Demand, and theConfidentiality of Response Messages

In the proposed EPPDR scheme, as mentioned in Section 5.3,each HAN users electricity demand and the aggregateddemand are signed by the identity-based signature [22].Since the signature is provably secure in the random oraclemodel [22], the source authentication and data integrity ofelectricity demand can be guaranteed. In addition, note thatthe HAN user Uijs private key SKUij SBGiH1IDBGikIDUij, namely SKUij is bound toBGi. Thus,BGi can identifywhether a HAN user belongs to its administration domain.As mentioned in equation (10), a HAN user cannot pass thesignature verification if it is not in BGis administrationdomain. On the other hand, in the proposed EPPDR scheme,when CC sends the response messages to BGii1; 2; . . . ; n,CC encrypts them as Ci EncKBGiCC Sik IDCCkIDBGikTS.Then, BGi forwards the response messages to Uijj1; 2;. . . ;m in the form of CijEncKUijBGi Sik IDBGikIDUijkTS.Since Ci and Cij are encrypted by AES [23], the confiden-tiality of response messages can be guaranteed.

6.3 EPPDR Provides the Forward Secrecy of UsersSession Keys

In the proposed EPPDR scheme, the confidentiality ofcommunication between HAN user and BG is achievedbased on the secure session key. In the key evolution phase,after computing the new session key K0UijBGi , Uij deletesthe previous session key KUijBGi . As a result, even if Acompromises the HAN users Uij, A cannot get anyprevious session key. Moreover, A cannot compute anyprevious session key as mentioned in equation (18) sincethe corresponding private key has been deleted. Therefore,the forward secrecy of users session keys is achieved in theproposed EPPDR scheme.

Furthermore, we analyze the information leakage in bothscheme without forward secrecy (denoted by NFS) and that

Fig. 5. Key evolution algorithm.

LI ET AL.: EFFICIENT PRIVACY-PRESERVING DEMAND RESPONSE SCHEME 2059

with forward secrecy (denoted by FS). The informationleakage happens when the encrypted messages are de-crypted by an unauthorized adversary [24]. The number ofinformation leakage can be calculated by the time interval inwhich the encrypted messages cannot be guaranteed to beconfidential. As shown in Fig. 6, t0 and t1 represent the timeswhen Uij is compromised and when the system detects theattack and revokes Uij, respectively. Tc represents the timeinterval between t 0 and t t0. Xi and Td represent thetime interval of Roundi and the time delay of systemdetection, respectively. In probability theory and statistics,the Poisson distribution is a discrete probability distribu-tion that expresses the probability of a given number ofevents occurring in a fixed interval of time and/or space ifthese events occur with an average rate and independentlyof the time since the last event [25]. Note that Xi and Td canbe seen as the discrete events in the visual spaces the time

interval of Roundi and the time delay of systemdetection, respectively. And the time interval ofRoundi and the time delay of system detection bothoccur with an average rate and independently of the timesince the last event. Therefore, we can model thatXi and Tdfollow the Poisson distribution with intensity x and d,

respectively, then P Xi k exkxk! and P Td k

ed kd

k! .Next, we discuss the number of information leakage in bothNFS and FS. For NFS, all messages encrypted before t t1can be decrypted since the session key has not been evolvedsince t 0. Thus, the number of information leakage forNFS is Tc d. In comparison, for FS, since a user Uij onlystores the current rounds keys and has deleted the previousrounds keys, the previous rounds messages cannot bedecrypted even if Uij is compromised. Therefore, in theworst case of FS when t0 is at the end ofRoundii 1; 2; ,an adversary can decrypt the messages encrypted in bothRoundi and the following d time interval. Thus, thenumber of information leakage is x dt0 X1. And inthe best case of FS when t0 is at the beginning of a round, anadversary only can decrypt the messages encrypted in thefollowing d time interval. Thus, the number of informationleakage is d.

The comparison of the number of information leakagebetween FS and NFS is shown in Fig. 7. It can be seen thatFS significantly reduces the number of information leakagecompared with NFS. In addition, it is observed that whend is constant, the number of information leakage increaseswith the increased x. For example, when d 5 andx 10, as shown in Fig. 7a, the number of informationleakage is in the interval [5], [15]. However, when d 5and x 20, as shown in Fig. 7c, the number of informationleakage is in the interval [5], [25]. Note that x represents

Fig. 6. Information leakage model.

Fig. 7. Comparison of the number of information leakage. (a) x 10 and d 5; (b) x 10 and d 10; (c) x 20 and d 5; (d) x 20 andd 10.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 20142060

the intensity of Xi, where Xi is the time interval of Roundi.As mentioned in Section 5.5, Xi can be controlled by mijsince mij is the upper bound of Xi. When mij is set smallenough, Xi is also. Further x is also since x is the averagevalue of Xii 1; 2; [25]. Thus, the small x enables thenumber of information leakage to be low. In comparison,when mij is set bigger, Xi and x can be relativelyincreased, thereby make the number of informationleakage high. Therefore, in our key evolution technique,when mij is set relatively bigger when the evolution ofsession keys and private keys is sparse, the number ofinformation leakage is higher. As a result, the security levelis degraded. On the other hand, when mij is set smallerwhen the evolution of session keys and private keys isfrequent, the number of information leakage can bedecreased and the security level can be upgraded. How-ever, the smaller mij will lead to heavy communicationoverhead. We will discuss that in Section 7.2.

6.4 EPPDR Provides the Evolution of UsersPrivate Keys

In the key evolution phase, Uij firstly sends lij to BGi by thesymmetric encryption algorithm. Then according to lijprovided by Uij,BGi generates the set of private keys ! andfurther sends ! to Uij by the symmetric encryptionalgorithm. Thus, even if an adversary A eavesdrops thecommunication between BGi and Uij, it cannot get anyinformation about !. On the other hand, even if anadversary A compromises any previous private key, itcannot deduce current or future private keys since thediscrete logarithm problem ensures the private keyssecurity [21]. Therefore, the secure private key evolutionof user is achieved in the proposed EPPDR scheme.

Finally, we present the comparison results of securitylevel in Table 1. It can be seen that the scheme [10] onlyachieves the confidentiality, the scheme [16] achievesconfidentiality and data integrity, the scheme [11] achievesconfidentiality, data integrity and authenticity, and thescheme [12] achieves confidentiality, data integrity, au-thenticity, forward secrecy. The proposed EPPDR schemeachieves additional private key evolution compared withthe scheme [12].

7 PERFORMANCE EVALUATIONIn this section, we evaluate the computation and commu-nication overheads of the session key evolution betweenuser Uij and BGi in both EPPDR and the scheme [12].

7.1 Computation OverheadCompared to exponentiation operations in G, pairingoperations and RSA encryption/decryption, the computa-

tion overhead of AES encryption/decryption and hashoperations are negligible [26]. In EPPDR, as described inSection 5.5, BGi computes lij new private keys and lij newsession keys with lij multiplication operations in G and lijpairing operations, respectively. Uij computes the newsession keys with lij pairing operations. Note that the abovecomputation overhead is constant even if mij varies.Therefore, in this section, we do not consider the variantsof EPPDR with different mij. We will discuss the balancebetween the communication efficiency and security level inthe Section 7.2. Denote the computation overhead of amultiplication operation in G and a pairing operation byCm and Cp, respectively. Thus, the total computationoverhead is lij Cm 2lij Cp. In comparison, in thescheme [12], for evolving each session key, it requires1 RSA encryption for HAN user i to generate the requestpacket. After receiving the ciphertext from HAN user i,BG j decrypts the request packet including 1 RSA de-cryption and computes the new session key with 1 expo-nentiation operation in Zq . In addition, BG j sends anencrypted response message including 1 RSA encryption.Then HAN user i decrypts the response message with1 RSA decryption and computes the new session key in-cluding 1 exponentiation operation in Zq . Denote the com-putation overhead of an exponentiation operation in Zq , aRSA encryption and a RSA decryption by Ce, RSAe andRSAd, respectively. Thus, the total computation overheadfor evolving a session key is 2 Ce RSAe RSAd. There-fore, the total computation overhead for evolving lij sessionkeys is 2 lij Ce RSAe RSAd.

Experiments were conducted on a 3.0 GHz-processor,1 GB memory computing machine with MIRACL [27]and Pbc [28] libraries to study the execution time. For Gover the FST curve, a single multiplication operation costs1.1 ms and the corresponding paring operation costs3.1 ms. Meantime, a 1024-RSA decryption and a 1024-RSAencryption cost 3.88 ms and 0.02 ms, respectively. Anexponentiation operation in Zqjqj 1024 costs 0.64 ms.The comparison of computation overhead is shown inFig. 8. We can see that EPPDR achieves lower executiontimes compared to the scheme [12].

7.2 Communication OverheadIn the scheme [12], for evolving each session key, HANuser i first sends a RSA ciphtertext to BG j in the form

of fikjkgagfencrgPubBAN GWj . Then BAN GW j responds aRSA ciphertext to HAN user i in the form of fikjkgakgbgfencrgPubHAN GWi . Finally, HAN user i sends an AESciphertext to BG j in the form of fMikTik HMACKigfencrgKi .The overall communication overhead consists of two RSAciphertexts and one AES ciphertext. Thus, the overallcommunication overhead is 2 1024 256 2304 bits if wechoose 1024-bit RSA and 256-bit AES. Therefore, the totalcommunication overhead for evolving lij session keys is2304 lij bits. In comparison, in EPPDR, for evolving lijsession keys, Uij firstly sends message to BGi. The messageis in the form of CUijkIDBGikIDUijkTS, where CUijEncKUijBGilijkIDBGikIDUijkTS. If we choose AES ciphertext with256-bit and set jBGij jUijj jTSj as 80-bit length, the

TABLE 1Comparison of Security Level

LI ET AL.: EFFICIENT PRIVACY-PRESERVING DEMAND RESPONSE SCHEME 2061

whole message size is 256 80 336 bits. Then, BGi checksif lij Gmij, if it does hold,BGi does nothing else lets lij mij.And then BGi responds a message in the form ofC0ijkIDBGikIDUijkTS to Uij, where C0ijEncKUijBGi !kIDBGikIDUijkTS, !fSKUijkd1;SKUijkd2; . . . ;SKUijkdlijg. If wechoose G with 160-bit order and use point compressiontechnique [29], the element in G is roughly 161-bit. If wechoose AES ciphertext with 256-bit, C0ij should be gener-ated based on the 256-bit block encryption [23]. Thus, thesize of C0ij is d161Minlij;mij 80= 256e 256 bits, whereMinlij;mij is theminimum between lij andmij. Note that forevolving lij session keys, the whole evolving process willbe run dlij=mije times. So the total communication overhead isdlij=mijed161Minlij;mij80=256e256 80336 bits.

Fig. 9 shows the communication overhead for differ-ent number of evolving session keys. When the numberof evolving session keys is small, the communicationoverhead is low in both EPPDR and the scheme [12].Then the communication overhead increases with theincreased number of keys. However, it should be notedthat the increase is much faster in the case of the scheme[12]. EPPDR significantly reduces the communicationoverhead for the session key evolution. On the otherhand, among three variants of EPPDR with different mij,the communication overhead decreases with the in-creased mij since the bigger mij reduces the frequencyof key evolution. However, as mentioned in Section 6.3,whenmij is increased, the number of information leakage isalso increased and the security level is degraded. In ourproposed EPPDR scheme, as mentioned in Section 5.5, BGican adaptively adjust mij to balance the trade-off betweenthe communication efficiency and security level.

8 CONCLUSIONIn this paper, we have proposed an efficient privacy-preserving demand response (EPPDR) scheme with adap-tive key evolution. It realizes secure and efficient electricitydemand aggregation and response based on the homo-morphic encryption and the key evolution techniques.Security analysis has demonstrated that EPPDR canachieve privacy-preservation of electricity demand, for-ward secrecy of users session keys, evolution of usersprivate keys. Performance evaluation further demonstrates

its efficiency in terms of computation and communicationoverhead. In addition, EPPDR can adaptively control thekey evolution to balance the trade-off between the com-munication efficiency and security level.

ACKNOWLEDGMENTThis work is supported by the National Natural ScienceFoundation of China under Grants 61350110238, 61103207,U1233108, U1333127, 61272525, 61073106, and 61003232,the International Science and Technology Cooperation andExchange Program of Sichuan Province, China under Grant2014HH0029, and the 2011 Korea-China Young ScientistExchange Program, and NSERC, Canada. In addition, thefirst author is very grateful toM.Wen for helpful discussionsand comments.

REFERENCES[1] H. Liang, B. Choi, W. Zhuang, and X. Shen, Towards Optimal

Energy Store-Carry-and-Deliver for Phevs via V2G System, inProc. IEEE INFOCOM, 2012, pp. 1674-1682.

[2] H. Liang, B. Choi, A. Abdrabou, W. Zhuang, and X. Shen,Decentralized Economic Dispatch in Microgrids via Heteroge-neous Wireless Networks, IEEE J. Sel. Areas Commun., vol. 30,no. 6, pp. 1061-1074, July 2012.

[3] F. Rahimi and A. Ipakchi, Demand Response as a MarketResource under the Smart Grid Paradigm, IEEE Trans. SmartGrid, vol. 1, no. 1, pp. 82-88, June 2010.

[4] X. Li, X. Liang, R. Lu, H. Zhu, X. Lin, and X. Shen, SecuringSmart Grid: Cyber Attacks, Countermeasures and Challenges,IEEE Commun. Mag., vol. 50, no. 8, pp. 38-45, Aug. 2012.

[5] X. Liang, X. Li, R. Lu, X. Lin, and X. Shen, UDP: Usage-BasedDynamic Pricing with Privacy Preservation for Smart Grid,IEEE Trans. Smart Grid, vol. 4, no. 1, pp. 141-150, Mar. 2013.

[6] H. Li, X. Liang, R. Lu, X. Lin, and X. Shen, EDR: An EfficientDemand Response Scheme for Achieving Forward Secrecy inSmart Grid, in Proc. IEEE GLOBECOM, Dec. 2012, pp. 929-934.

[7] H. Li, R. Lu, L. Zhou, B. Yang, and X. Shen, An Efficient MerkleTree Based Authentication Scheme for Smart Grid, IEEE Syst. J.,DOI: 10.1109/JSYST.2013.2271537.

[8] J. Xia and Y. Wang, Secure Key Distribution for the SmartGrid, IEEE Trans. Smart Grid, vol. 3, no. 3, pp. 1437-1443,Sept. 2012.

[9] R. Canetti, S. Halevi, and J. Katz, A Forward-Secure Public-KeyEncryption Scheme, in Proc. Adv. Eurocrypt, 2003, pp. 646-646.

[10] F. Li, B. Luo, and P. Liu, Secure Information Aggregation forSmart Grids using Homomorphic Encryption, in Proc. IEEE Int.Conf. SmartGridComm, 2010, pp. 327-332.

[11] R. Lu, X. Liang, X. Li, X. Lin, and X. Shen, EPPA: An Efficientand Privacy Preserving Aggregation Scheme for Secure Smart

Fig. 9. Comparison of communication overhead.Fig. 8. Comparison of computation overhead.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 20142062

Grid Communications, IEEE Trans. Parallel Distrib. Syst., vol. 23,no. 9, pp. 1621-1631, Sept. 2012.

[12] M. Fouda, Z. Fadlullah, N. Kato, R. Lu, and X. Shen, ALightweight Message Authentication Scheme for Smart GridCommunications, IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 675-685, Dec. 2011.

[13] P. Paillier, Public-Key Cryptosystems Based on CompositeDegree Residuosity Classes, in Proc. EUROCRYPT, 1999,pp. 223-238.

[14] J. Shi, R. Zhang, Y. Liu, and Y. Zhang, Prisense: Privacy-Preserving Data Aggregation in People-Centric Urban SensingSystems, in Proc. IEEE INFOCOM, 2010, pp. 1-9.

[15] X. Lin, R. Lu, and X. Shen, MDPA: Multidimensional Privacy-Preserving Aggregation Scheme for Wireless Sensor Networks,Wireless Commun. Mobile Comput., vol. 10, no. 6, pp. 843-856,June 2010.

[16] D. Seo, H. Lee, and A. Perrig, Secure and Efficient Capability-Based Power Management in the Smart Grid, in Proc. IEEEISPAW, 2011, pp. 119-126.

[17] A. Kate, G. Zaverucha, and I. Goldberg, Pairing-Based OnionRouting with Improved Forward Secrecy, ACM Trans. Inf. Syst.Security, vol. 13, no. 4, p. 29, Dec. 2010.

[18] C. Chen, S. Huang, and I. Lin, Providing Perfect ForwardSecrecyforLocation-AwareWirelessSensorNetworks,EURASIPJ.Wireless Commun. Netw., vol. 2012, no. 1, p. 241, Aug. 2012.

[19] Z. Liu, J. Ma, Q. Pei, L. Pang, and Y. Park, Key Infection, SecrecyTransfer, Key Evolution for Sensor Networks, IEEE Trans.Wireless Commun., vol. 9, no. 8, pp. 2643-2653, Aug. 2010.

[20] B. Libert, J. Quisquater, and M. Yung, Key Evolution Systems inUntrusted Update Environments, ACM Trans. Inf. Syst. Security,vol. 13, no. 4, p. 37, Dec. 2010.

[21] D. Boneh and M.K. Franklin, Identity-Based Encryption fromthe Weil Pairing, in Proc. CRYPTO, 2001, pp. 213-229.

[22] B. Libert and J. Quisquater, The Exact Security of an IdentityBased Signature and its Applications, in Preprint. [Online].Available: http://eprint. iacr. org/2004/102

[23] D. Stinson, Cryptography: Theory and Practice. Boca Raton, FL,USA: CRC Press, 2006.

[24] J. Kelsey, Compression and Information Leakage of Plaintext,in Fast Software Encryption 2002. New York, NY, USA: Springer-Verlag, 2002, pp. 95-102.

[25] S. Katti and A. Rao, Handbook of the Poisson Distribution,Technometrics, vol. 10, no. 2, p. 412, May 1968.

[26] W. Dai, Crypto++ 5.6.0 Benchmarks, (2009). [Online]. Available:http://www.cryptopp.com/benchmarks.html

[27] Miracl Crypto. [Online]. Available: https://certivox.com/solutions/miracl-crypto-sdk/

[28] B. Lynn, PBC Library. [Online]. Available: http://crypto.stanford.edu/pbc/

[29] I. Blake, G. Seroussi, and N. Smart, Pairings, in Advances inElliptic Curve Cryptography. Cambridge, U.K.: Cambridge Univ.Press, 2005, pp. 183-213.

Hongwei Li is an Associate Professor with theSchool of Computer Science and Engineering,University of Electronic Science and Technologyof China, China. He received the PhD degree incomputer software and theory from University ofElectronic Science and Technology of China,China in 2008. He has worked as a Post-Doctoral Fellow in Department of Electrical andComputer Engineering at University of Waterloofor one year until Oct. 2012. His researchinterests include network security, applied cryp-

tography, and trusted computing. Dr. Li serves as the Associate Editorof Peer-to-Peer Networking and Applications, the Guest Editor for Peer-to-Peer Networking and Applications Special Issue on Security andPrivacy of P2P Networks in Emerging Smart City. He also serves on thetechnical program committees for many international conferences suchas IEEE INFOCOM, IEEE ICC, IEEE GLOBECOM, IEEE WCNC, IEEESmartGridComm, BODYNETS and IEEE DASC. He is a member ofIEEE, a member of China Computer Federation and a member of ChinaAssociation for Cryptologic Research.

Xiaodong Lin received the PhD degree ininformation engineering from Beijing Universityof Posts and Telecommunications, Beijing,China, in 1998, and the PhD degree (withOutstanding Achievement in Graduate StudiesAward) in electrical and computer engineeringfrom the University of Waterloo, Waterloo, ON,Canada, in 2008. Currently, he is an AssistantProfessor of information security with the Fac-ulty of Business and Information Technology,University of Ontario Institute of Technology,

Oshawa, ON, Canada. His research interests include wireless networksecurity, applied cryptography, computer forensics, software security,and wireless networking and mobile computing. Dr. Lin was therecipient of a Natural Sciences and Engineering Research Council ofCanada (NSERC) Canada Graduate Scholarships (CGS) Doctoral andthe Best Paper Awards of the 18th International Conference onComputer Communications and Networks (ICCCN 2009), the 5thInternational Conference on Body Area Networks (BodyNets 2010),and IEEE International Conference on Communications (ICC 2007).He is a member of the IEEE.

Haomiao Yang is an Associate Professor inNetwork Security Technology Laboratory inUniversity of Electronic Science and Technologyof China (UESTC). He received the MS and PhDdegrees in computer applied technology fromUniversity of Electronic Science and Technologyof China UESTC, Chengdu, China, in 2004 and2008, respectively. He has worked as a Post-Doctoral Fellow in the Research Center of In-formation Cross over Security at Kyungil Uni-versity for one year until June 2013. His research

interests include cryptography, cloud security, and the cyber securityfor smart grid. He is a member of the IEEE.

Xiaohui Liang received the BSc degree incomputer science and engineering and theMSc degree in computer software and theoryfrom Shanghai Jiao Tong University (SJTU),Shanghai, China, in 2006 and 2009, respective-ly. He received the PhD degree in electrical andcomputer engineering from the University ofWaterloo, Waterloo, ON, Canada, in 2013.Currently, he is Postdoctoral Fellow in theDepartment of Computer Science, DartmouthCollege, Hanover, NH, USA. His research

interests include applied cryptography, and security and privacy issuesfor e-healthcare system, cloud computing, mobile social networks, andsmart grid. He is a Student Member of the IEEE.

Rongxing Lu received the PhD degree incomputer science from Shanghai Jiao TongUniversity, Shanghai, China in 2006 and thePhD degree in electrical and computer engi-neering from the University of Waterloo, Waterloo,ON, Canada, in 2012. He is currently an assistantprofessor, School of Electrical and ElectronicsEngineering, Nanyang Technological University,Singapore. His research interests include wire-less network security, applied cryptography, andtrusted computing.

LI ET AL.: EFFICIENT PRIVACY-PRESERVING DEMAND RESPONSE SCHEME 2063

Xuemin (Sherman) Shen is a Professor andUniversity Research Chair, Department of Elec-trical and Computer Engineering, University ofWaterloo, Waterloo, Canada. He was the Asso-ciate Chair for Graduate Studies from 2004 to2008. His research focuses on resource man-agement in interconnected wireless/wired net-works, wireless network security, vehicular adhoc, and sensor networks. Dr. Shen served asthe Technical Program Committee Chair forIEEE VTC10 Fall and IEEE Globecom07. He

also serves/served as the Editor-in-Chief for IEEE Network, Peer-to-Peer Networking and Application, and IET Communications; aFounding Area Editor for IEEE Transactions on Wireless Communica-tions; an Associate Editor for IEEE Transactions on VehicularTechnology, Computer Networks. Dr. Shen is a registered ProfessionalEngineer of Ontario, Canada, a Fellow of the IEEE, a Fellow of the IEEEEngineering Institute of Canada, a Fellow of the Canadian Academy ofEngineering, and a Distinguished Lecturer of IEEE Vehicular Technol-ogy Society and Communications Society.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 8, AUGUST 20142064

/ColorImageDict > /JPEG2000ColorACSImageDict > /JPEG2000ColorImageDict > /AntiAliasGrayImages false /CropGrayImages true /GrayImageMinResolution 300 /GrayImageMinResolutionPolicy /OK /DownsampleGrayImages true /GrayImageDownsampleType /Bicubic /GrayImageResolution 300 /GrayImageDepth -1 /GrayImageMinDownsampleDepth 2 /GrayImageDownsampleThreshold 1.50000 /EncodeGrayImages true /GrayImageFilter /DCTEncode /AutoFilterGrayImages false /GrayImageAutoFilterStrategy /JPEG /GrayACSImageDict > /GrayImageDict > /JPEG2000GrayACSImageDict > /JPEG2000GrayImageDict > /AntiAliasMonoImages false /CropMonoImages true /MonoImageMinResolution 1200 /MonoImageMinResolutionPolicy /OK /DownsampleMonoImages true /MonoImageDownsampleType /Bicubic /MonoImageResolution 600 /MonoImageDepth -1 /MonoImageDownsampleThreshold 1.50000 /EncodeMonoImages true /MonoImageFilter /CCITTFaxEncode /MonoImageDict > /AllowPSXObjects false /CheckCompliance [ /None ] /PDFX1aCheck false /PDFX3Check false /PDFXCompliantPDFOnly false /PDFXNoTrimBoxError true /PDFXTrimBoxToMediaBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXSetBleedBoxToMediaBox true /PDFXBleedBoxToTrimBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXOutputIntentProfile (None) /PDFXOutputConditionIdentifier () /PDFXOutputCondition () /PDFXRegistryName () /PDFXTrapped /False

/Description > /Namespace [ (Adobe) (Common) (1.0) ] /OtherNamespaces [ > /FormElements false /GenerateStructure false /IncludeBookmarks false /IncludeHyperlinks false /IncludeInteractive false /IncludeLayers false /IncludeProfiles false /MultimediaHandling /UseObjectSettings /Namespace [ (Adobe) (CreativeSuite) (2.0) ] /PDFXOutputIntentProfileSelector /DocumentCMYK /PreserveEditing true /UntaggedCMYKHandling /LeaveUntagged /UntaggedRGBHandling /UseDocumentProfile /UseDocumentBleed false >> ]>> setdistillerparams> setpagedevice