Alexandria Engineering Journal (2023) 67, 209–217

H O S T E D BY
Alexandria University

Alexandria Engineering Journal

www.elsevier.com/locate/aej
www.sciencedirect.com

ORIGINAL ARTICLE

A user-friendly attribute-based data access control

scheme for smart grids
Tianshi Mu *, Yuyang Lai, Guocong Feng, Huahui Lyu, Hang Yang, Jianfeng Deng

China Southern Power Grid Digital Grid Group Co., Ltd., Guangzhou 510000, China

Received 31 May 2022; revised 9 October 2022; accepted 19 December 2022

Available online 30 December 2022

KEYWORDS Abstract Smart grids are envisioned as the next-generation electricity grids and can contribute to
Data access control; the overall economic and environmental health of our society. It is evident that effective use of the
Smart grid; data measured from the grid is what makes the grid ‘‘smart”. Because the smart grid is a major issue
Attribute-based encryption of people’s livelihood, the data measured from it is very sensitive. It is thus highly necessary to
adopt data access control in smart grids to guarantee the security and privacy of the measured data.
Due to its flexibility and scalability, attribute-based encryption (ABE) is widely utilized to realize
data access control in smart grids. However, most existing ABE solutions impose a heavy decryp-
tion overhead on their users, which hinders the widespread use of data and often causes the data to
be left to ‘‘sleep” in the repository. To this end, we propose a user-friendly attribute-based data
access control scheme for smart grids by adopting the idea of computation outsourcing. Under
our proposed scheme, users can outsource a large amount of computation to a server during the
decryption phase while still guaranteeing the security and privacy of the data. Theoretical analysis
and experimental results demonstrate that our scheme outperforms the existing schemes by achiev-
ing a very low decryption cost. We hope that our proposed scheme will facilitate the use of data
measured in smart grids.
Ó 2022 THE AUTHORS. Published by Elsevier BV on behalf of Faculty of Engineering, Alexandria
University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/
licenses/by-nc-nd/4.0/).

1. Introduction transmission, faster recovery after electricity disturbances, and

more effective integration of new energy systems, among
The ‘‘smart grid” is envisioned as the next-generation electric- others..
ity grid system that will herald a new era of reliability, avail- As can be seen in Fig. 1, there is a power flow and an infor-
ability, and efficiency for the energy industry. Smart grids mation flow in the smart grid. The power flow takes the form
will contribute to the health of our economic and environment, of a limited one-way interaction, i.e.. electricity flows unidirec-
bringing enormous benefits including more efficient electricity tionally from the power plant to the consumer. The informa-
tion flow is a two-way interaction in which information can
be exchanged in both directions between the power plant
* Corresponding author.
and the consumer. Obviously, the information flow, which is
E-mail address: [email protected] (T. Mu).
q
used to transmit data collected from sensors and meters
Peer review under responsibility of Faculty of Engineering,
located throughout the grid, is what makes the grid ‘‘smart”.
Alexandria University.
https://doi.org/10.1016/j.aej.2022.12.041
1110-0168 Ó 2022 THE AUTHORS. Published by Elsevier BV on behalf of Faculty of Engineering, Alexandria University.
This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
210 T. Mu et al.

Fig. 1 Data access control in the smart grid.

Currently, three types of data measurement systems have It is therefore highly necessary to introduce access control dur-
been used in smart grids, namely the supervisory control and ing the data usage. At present, due to its flexibility and scala-
data acquisition (SCADA) system based on the remote termi- bility, attribute-based encryption (ABE) [3] is widely used to
nal unit (RTU), the wide area measurement system (WAMS) realize data access control in smart grids. In the commonly
based on the phasor measurement unit (PMU), and the used ciphertext-policy ABE, the secret key of the user is gener-
advanced metering infrastructure (AMI) based on the smart ated based on its attributes (e.g.. identity, department, rank),
meter (SM). As is well known, the RTU has a variety of func- and a ciphertext specifies an access policy that is defined over
tions, including measurement, communication, control, etc., the attributes in the whole system. A ciphertext can be
and is widely used in energy management systems. The main decrypted by a user if and only if the user’s attributes match
disadvantage of RTU is that it lacks a synchronization clock the ciphertext’s access policy [4]. Although ABE can be used
and the measured data is not synchronized; moreover, the data to realize data access control in smart grids, most existing
sampling frequency of RTU is relatively low, meaning that the ABE schemes set comparatively high hurdles for users desiring
dynamic information of the power grid cannot be obtained in to use the data, as these users need to bear a heavy computa-
real time [1]. The PMU is a high-speed sensor that measures tional overhead in order to decrypt the data. In order to lower
the voltage and current synchrophasors of the grid system with the barrier to data use and prevent the data from ‘‘sleeping” in
accuracy in the order of one microsecond, which is much faster the repository, we propose a user-friendly attribute-based data
than the speed of RTU [2]. Additionally, the PMU is equipped access control scheme for smart grids. Specifically, we adopt
with a global positioning sytem (GPS), which means that all the idea of computation outsourcing, enabling data users to
data collected by the PMU is completely synchronized. The outsource a large amount of the decrypting computation to a
SM plays a vital role in the two-way communication. The main server. Our solution can effectively reduce the user’s computa-
functions of the SM include obtaining the electricity consump- tional overhead while simultaneously guaranteeing the security
tion data from customers’ various devices, providing energy- and privacy of the data. Theoretical analysis and experimental
saving suggestions to customers, managing power-outage and evaluation show that our proposed scheme outperforms exist-
dynamic-billing, etc. At present, RTU, PMU and SM are all ing schemes by achieving a very low decryption cost.
important data-sensing devices in smart grids; they provide a
wide range of data measurement from the wide area network, 2. Related work
the neighborhood area network, and the customer premises
area network. 2.1. Attribute-based encryption
The data collected by RTUs, PMUs and SMs is aggregated
and stored in the data repository for use by different types of
The concept of attribute-based encryption was first introduced
users (e.g.. power grid staff, government officials, researchers,
by Sahai and Waters [3]. The authors presented two construc-
etc.). For the smart grid, data acquisition is only the first step;
tions of fuzzy identity-based encryption schemes, in which sev-
the more critical element is how to make good use of the data.
eral attributes are used to compose a fuzzy identity. Thus, the
However, security and privacy must be taken into account
fuzzy IBE is referred to as ‘‘attribute-based encryption”.
when the data is being used. The smart grid is highly important
Bethencourt et al. [5] developed a ciphertext-policy
to the national economy and the people’s livelihood. The data
attribute-based encryption (CP-ABE) scheme. In their scheme,
collected from the smart grid is very sensitive; if the data is
attributes are used to generate a user’s secret and the party that
leaked or improperly used, the consequences will be serious.
A user-friendly attribute-based data access control scheme for smart grids 211

encrypts the data specifies a policy stipulating who can decrypt the secure sharing of data and hiding users’ identity
the data. information.
To improve the overall performance, Zhang et al. [6] devel- Ogundoyin et al. [22] developed a lightweight privacy-
oped a CP-ABE scheme in which the ciphertext size and the preserving authentication and fine-grained access control
computational overhead are constant. Malluhi et al. [7] intro- scheme for smart health, which can be used as a reference
duced a CP-ABE solution with efficient decryption based on for data access control in smart grids. Zhang et al. [23] intro-
the linear secret sharing schemes. Agrawal and Chase [8] duced a distributed privacy-preserving data aggregation
devised a fully secure ciphertext-policy ABE scheme under scheme for smart grid with fine-grained access control, homo-
the decisional linear assumption, and demonstrated that their morphic encryption, digital signature, distributed and zero-
scheme performs better on almost all parameters of interest. knowledge proof. Ge et al. [24] proposed an attribute-based
Revocable CP-ABE is used to realize revocation of attri- collaborative access control scheme with constant ciphertext
butes or users with fine granularity. Attrapadung and Imai length for smart grids, which can overcome the limitation of
[9] developed a broadcast ABE with a direct revocation mech- storage and transmission capacity of smart grid equipment.
anism. Yu et al. [10] introduced an CP-ABE solution over the In addition to cryptography technology, some emerging
AND-gate policy, which can realize indirect revocation of technologies, such as blockchain [25–27], are also being uti-
attributes and users. Zhang et al. [11] proposed to specify lized for data access control in smart grids.
and update revocation-related ciphertext by using an auxiliary
function. 3. User-friendly data access control scheme
Chase [12] designed a multi-authority ABE scheme, in
which a certain number of independent authorities are allowed 3.1. Preliminaries
to manage attributes and distribute secret keys. Lewko and
Waters [13] proposed a decentralized CP-ABE scheme, in
Definition 1 (Multiplicative cyclic group). A group G is a cyclic
which the multiple attribute authorities do not need to cooper-
group if:
ate. Li et al. [14] developed a CP-ABE solution with one cen-
tral authority to alleviate the computational overhead caused
G ¼ fgn : n 2 Zp g ð1Þ
by the existence of multiple central authorities.
where Zp ¼ f0; 1;    ; p  1g. That is, every element in G has
2.2. Data access control in smart grids the form of gn for some integer n. g is called the generator of
G and p is the order of G. If the operation in the cyclic group
Ruj and Nayak [15] introduced a robust decentralized frame- G is multiplication, the group G is called a multiplicative cyclic
work for smart grids, integrating both data aggregation and group.
access control. The proposed framework employs attribute-
based encryption, which provides access control for different Definition 2 (Bilinear map). Let G and GT be two multiplica-
smart grid users. The access control scheme is not reliant on tive cyclic groups with the same prime order p, and let g be a
a single key distribution center for distributing keys, thus mak- generator of G. A bilinear map e : G  G ! GT has the fol-
ing this approach robust. lowing properties:
Hur [16] pointed out that in smart grids the data-sharing
policies may also contain sensitive information. To this end,  Bilinear: For 8a; b 2 Zp , we can get
a data sharing scheme based on ABE is proposed. Under this eðga ; gb Þ ¼ eðgb ; ga Þ ¼ eðg; gÞab .
scheme, not only the data itself but also the data access policies  Non-degeneracy: The generator g satisfies eðg; gÞ – 1,
are obfuscated. where 1 is an identity element in GT .
To ease the burden associated with processing encrypted  Computability: There is an efficient algorithm to compute
data, Eltayieb et al. [17] developed an attribute-based online/ eðg; gÞ.
offline searchable encryption solution, which is further applied
in a cloud-based smart grid. Alharbi and Lin [18] introduced
an identity-based signcryption scheme with privacy preserva- Definition 3 (Linear secret sharing scheme [13]). A secret
tion for smart grids. Zhang et al. [19] developed a data sharing sharing scheme A over a set of parties P is called linear
framework for smart grids based on multi-authority ABE, in ðover Zp Þ if:
which both the attribute set and the access policy are fuzzy.
Wang et al. [20] focused on the inefficiency problem impact-  The shares for each party form a vector over Zp .
ing most existing data sharing schemes in the cloud-assisted  There exists a matrix M called the share-generating matrix
smart grid. To address this problem, they designed two effi- for A. The matrix M has l rows and n columns. For
cient pairing-free CP-ABE schemes, which get rid of the com- i ¼ 1;    ; l, the i-th row of M is labeled by a party qðiÞ,
putationally intensive bilinear paring operations. To solve the where qðÞ is a function from f1;    ; lg to P. Given a col-
problem of high computational overhead caused by dynamic umn vector ~ v ¼ ðs; y 2 ;    ; y n Þ, where s 2 Zp is the secret to
management of the data access control in smart grids, Ye be shared and y 2 ;    ; y n are randomly chosen from
et al. [21] developed a decentralized attribute-based data shar- Zp ; M ~ v is the vector of l shares of the secret s according
ing solution that removes the central authority while ensuring to A. The share ðM ~ vÞi , i.e.. the inner product M i ~ v,
belongs to party qðiÞ.
212 T. Mu et al.

3.2. Overview government officials, or researchers. A user is able to decrypt

the ciphertext only if its attributes meet the requirements of
As shown in Fig. 2, there are five types of entities in our pro- the access policy defined in the ciphertext.
posed data access control scheme: a central authority (CA), an Our proposed data access control scheme comprises the fol-
attribute authority (AA), a server (Server), data owners lowing algorithms:
(Owner), and data users (User).
CA. There exists a global trusted central authority, which is  CASetupðÞ ! ðPPCA sys ; SKcert ; PKcert Þ. The CA setup algo-
CA CA

responsible for setting up the whole system and processing the rithm has no input. It outputs the system public parameter
registration of the attribute authority and data users. PPCAsys , along with a pair of CA’s secret and public keys
AA. The attribute authority is responsible for managing
cert ; PKcert ) that are used for issuing certificates to users.
(SKCA CA
attributes across the entire system. It generates a pair of
 UserRegisterðPPCA sys ; SKcert Þ ! ðuid; SKuid ; PKuid ; Certuid Þ.
CA CA CA CA
secret/public keys for each attribute and issues secret keys
The user registration algorithm takes the system public
for users based on their attributes. Note that there may be mul-
tiple attribute authorities in the system; in the interests of clar- parameter PPCA sys and the CA’s secret key SKcert as inputs.
CA

ity and simplicity, we here consider only one attribute It assigns a global unique user identity uid to the user, gen-
erates a pair of user’s secret/public keys (SKCA uid ; PKuid ) and
CA
authority.
Server. The server is used to generate a decryption token for issues the user with a certificate Certuid . CA

assisting the user to decrypt the ciphertext, which significantly  AARegisterðÞ ! aid. The attribute authority registration
reduces the user’s computational overhead during the algorithm takes no input. The CA handles the AA’s regis-
decryption. tration request and simply assigns a global unique identity
Owner. The owner is the data possessor or manager in the aid to it.
system. In smart grids, the measured data from generation,  AASetupðPPCA sys ; aidÞ ! ðSKaid ; PKaid ; SKx ; PKx Þ.
AA AA AA AA
The
transmission, distribution and consumption phases should be attribute authority setup algorithm takes the system public
maintained and supervised by dedicated personnel to ensure
parameter PPCA sys and the attribute authority identity aid as
safety. The owner specifies the data access policy and encrypts
the data before uploading the data to the repository. inputs, then outputs a pair of AA’s secret/public keys
aid ; PKaid ) and a set of attributes’ secret/public keys
(SKAA AA
User. The user is a person who wants to use the data in the
system. In smart grids, users may be power grid staff members, (SKx ; PKx ).
AA AA

Fig. 2 Framework of the data access control scheme. There are five types of entities in the system, i.e.. CA, AA, Server, Owner and User.
A user-friendly attribute-based data access control scheme for smart grids 213

 EncryptðPPCA
sys ; PKaid ; PKx ; m; AÞ ! CT. The encryption
AA AA
SKCA
uid ¼ zuid
ð4Þ
algorithm takes the system public parameter PPCA
sys , the
PKCA
uid ¼ g
uuid

AA’s public key PKAA aid , the attributes’ public keys PKx ,
AA
The CA also signs a certificate CertCA
uid for the user uid. Certuid
CA
the data m, and its corresponding access policy A as inputs. can be expressed as follows:
It outputs the ciphertext CT.
1
 SecretKeyGenðPPCA sys ; SKaid ; SKx ; Certuid Þ ! SKuid;x . The
AA AA CA AA
uid ¼ SignðSKCA
CertCA CA ðuid; uuid ; g uid Þ
cert ;PKcert Þ
z
ð5Þ
secret key generation algorithm takes the system public
(3) AA Registration
parameter PPCAsys , AA’s secret key SKaid , attributes’ secret
AA
The AA registration is initiated by the AA and handled by
keys SKAAx , and the user’s certificate Certuid as inputs. It out-
CA
the CA. First, the AA asks for a registration. The CA then
puts a user’s attribute secret key SKuid;x for the user based
AA
runs the algorithm AARegister and assigns a global unique
on its attributes. identity aid to the AA.
 TokenGenðCT; PKCA (4) AA Setup
uid ; SKuid;x Þ ! TK. The token generation
AA
The AA setup is conducted by the AA through running the
algorithm takes the ciphertext CT, the CA’s public key
algorithm AASetup, which takes as inputs the system public
uid and the user’s attribute secret key SKuid;x as inputs.
PKCA AA
parameter PPCA sys and the attribute authority identity aid.
Only when the user’s attributes satisfy the access policy
The AA first chooses three random numbers a; b; c 2 Zp ,
defined in the ciphertext will the algorithm successfully out-
put a correct token TK for use in decrypting the ciphertext then generates a pair of AA’s secret/public keys as follows:
CT. aid ¼ ða; b; cÞ
SKAA

 ð6Þ
 DecryptðCT; TK; SKCA uid Þ ! m. The decryption algorithm a 1 c
PKAA
aid ¼ eðg; gÞ ; g ; g
b b
takes the ciphertext CT, the token TK and the user’s secret
key SKCAuid as inputs. It outputs the data m. The AA also generates a pair of attribute’s secret/public key
for each attribute. Let SAA
Att denote the set of all attributes man-
aged by the AA. For each attribute xk 2 SAA Att , the AA generates
3.3. Data access control scheme a pair of attribute’s secret/public key as follows:
pxk
Our data access control scheme consists of four phases: system SKAA
xk ¼ g  Hðxk Þ
ð7Þ
initialization, data encryption, secret key generation, and data xk ¼ ðg
PKAA pxk
 Hðxk ÞÞc
decryption.
Phase 1: System Initialization where pxk is randomly selected from Zp , i.e.. pxk 2 Zp .
The system initialization comprises four steps: CA setup, The set of all attributes’ secret/public keys can be expressed
user registration, AA registration, and AA setup. as follows:
(1) CA Setup pxk
x ¼ fg
SKAA  Hðxk Þgxk 2SAA
The CA setup is conducted by the CA through the algo- Att
ð8Þ
rithm CASetup. The CA first chooses a random number PKAA
x ¼ fðg
pxk
 Hðxk ÞÞc gxk 2SAA
Att

a 2 Zp , then constructs the system public parameter as follows:

Phase 2: Data Encryption
PPCA
sys ¼ ðg; g ; eð; Þ; HðÞÞ
a
ð2Þ The data encryption is conducted by the owner through
running the algorithm Encrypt, which takes as inputs the
where g is the generator of the group G; eð; Þ is the bilinear system public parameter PPCAsys , the AA’s public key PKaid ,
AA
map and H : f0; 1g ! G is the hash function.
the attributes’ public keys PKAA x , the data m, and the corre-
Next, the CA chooses two random numbers c1 ; c2 2 Zp and
sponding data access policy A.
generates a pair of the CA’s secret/public keys as follows:
The owner first maps the access policy to a linear secret
cert ¼ c1
SKCA sharing scheme (LSSS) matrix M. The way in which an access
ð3Þ policy is mapped to an LSSS matrix is beyond the scope of this
PKCA
cert ¼ g
c2
article; readers can refer to the literature [28] for details. An
example is presented below.
SKCAcert and PKcert are a pair of signature and verification keys,
CA
Fig. 3(a) shows the threshold access policy ‘‘an eligible user
which are used to issue certificates for users.
should have attribute Att1 and at least two or more attributes
(2) User Registration
within the set fAtt2 ; Att3 ; Att4 g”, which can be converted into a
The user registration is initiated by the user and handled by
Boolean function
the CA. The user sends its information (e.g.. name, depart-
Att1 ^ ððAtt2 _ Att3 Þ ^ ðAtt3 _ Att4 Þ ^ ðAtt2 _ Att4ÞÞ. As
ment, etc.) to the CA and asks for a registration. If the user
shown in Fig. 3(b), the Boolean function can be represented
is legal in the system, the CA runs the algorithm
by an access tree, with attributes at the leaf nodes and the log-
UserRegister, which takes as inputs the system public
ical operators (ANDð^Þ and ORð_Þ) at the intermediate or
parameter PPCA sys and the CA’s secret key SKcert .
CA
root nodes. The access tree can be further converted into an
The CA first assigns a global unique user identity uid to the LSSS matrix (Fig. 3(c)) using Lewko-Waters algorithm [13].
user. Subsequently, it chooses two random numbers It can be seen that M is an l  n matrix, where l denotes the
uuid ; zuid 2 Zp and generates a pair of user’s secret/public keys total number of all attributes on the leaf nodes. The function
as follows: qðÞ is used to associate rows of M to the attributes.
214 T. Mu et al.

Fig. 3 The threshold access policy is mapped to an LSSS matrix.

a a
After constructing the LSSS matrix, the encryption algo- QAA
uid ¼ gzuid  gauuid  gbtuid
rithm chooses a random number s 2 Zp as the encryption b
t
RAA ¼ gzuid uid
exponent along with a random vector ~ v ¼ ðs; y2 ;    ; yn Þ 2 Zp . uid
UAA ¼ gatuid ð11Þ
Let Mi denote the vector corresponding to the i-th row of uid
n bc o
M. For i ¼ 1;    l, it computes ki ¼ Mi  ~ v. The algorithm then QAA ¼ gzuid uid  ðgpxk  Hðxk ÞÞcbuuid
t
uid;x
randomly chooses r1 ; r2 ;    ; rl 2 Zp and computes the follow- xk 2SAA
Att;uid

ing parameters:
The user’s attribute secret key SKAA
uid;x is composed of the above
¼ m  ðeðg; gÞa Þ
s
C four parameters, which can be expressed as follows:

C0 ¼ gs uid;x ¼ ðQuid ; Ruid ; Uuid ; Quid;x Þ

SKAA AA AA AA AA
ð12Þ

s
Phase 4: Data Decryption
C00 ¼ gb The data decryption is performed collaboratively by the
server and the user. The decryption can be divided into two
n c
ol
C000
r ri
¼ Ci ¼ gaki  ððgpqðiÞ  HðqðiÞÞÞc Þ i ; Ei ¼ g b ; Fi ¼ gbri steps: token generation and final decryption.
i¼1 (1) Token Generation.
ð9Þ The token generation is conducted by the server through
running the algorithm TokenGen, which takes as inputs the
The ciphertext CT is composed of the above four parameters,
which can be expressed as follows: ciphertext CT, the CA’s public key PKCAuid and the user’s attri-
bute secret key SKAA .
CT ¼ ðC; C0 ; C00 ; C000 Þ
uid;x
ð10Þ
The token TK is computed as follows:
Phase 3: Secret Key Generation 0 00 ;UAA Þ1

eðC ;Quid ÞeðC
AA

The secret key generation is conducted by the AA through TK ¼ Y uid w i

eðCi ;PKCA ÞeðEi ;QAA ÞeðFi ;RAA Þ
the algorithm SecretKeyGen, which takes as inputs the sys- uid uid;qðiÞ uid
i;qðiÞ2SAA
tem public parameter PPCA
sys , AA’s secret key SKaid , attributes’
AA Att;uid
a s
Y uid eðg;gÞ uid
au s z
secret keys SKAA x , and the user’s certificate Certuid .
CA
¼ eðg;gÞ
w
eðgaki ;guuid Þ i
For the user uid, the AA first verifies its certificate CertCAuid by ð13Þ
i;qðiÞ2SAA
using the CA’s public key PKCA
Att;uid
cert . If the user is legal, the AA a s

assigns a set of attributes SAAAtt;uid to the user uid according to ¼ X

eðg;gÞauuid s eðg;gÞzuid
auuid ki wi
its role in the system, then generates a user’s attribute secret
i;qðiÞ2SAA
key for this user. The AA first chooses a random number eðg;gÞ Att;uid

a
tuid 2 Zp , then constructs the following four parameters: ¼ eðg; gÞzuid
s
A user-friendly attribute-based data access control scheme for smart grids 215

Only when the user’s attributes satisfy the access policy defined 4.2. Performance analysis
in the ciphertext can the algorithm successfully compute a cor-
rect token for the decryption. To evaluate the performance of our proposed scheme, we com-
(2) Final Decryption. pare it with three existing ABE schemes [29–31]. As shown in
The final decryption is conducted by the user through run- Table 1, we use nc to denote the number of attributes defined in
ning the algorithm Decrypt, which takes as inputs the cipher- the ciphertext, nu to denote the number of attributes in the
text CT, the token TK and the user’s secret key SKCA uid . user’s attribute set, EG to denote the time required to compute
The data m is decrypted as follows: an exponential operation in the group G; EGT to denote the
m ¼ C TKzuid time required to compute an exponential operation in the
a s group GT , and P to denote the time required to compute a
¼  mðeðg;gÞ
a z
Þ
z s uid
ð14Þ bilinear pairing operation. We ignore some less time-
eðg;gÞ uid

¼m consuming operations such as general hash operations, scalar

multiplication operations, etc.
The theoretical analysis of computational cost at the
4. Analysis and evaluation encryption and decryption phases is shown in Table 2. Theo-
retical and empirical studies demonstrate that the computa-
In this section, we provide a comprehensive analysis (including tional cost of a bilinear pairing operation is much higher
security analysis and performance analysis) and evaluation of than that of an exponential operation in the group. Therefore,
our proposed data access control scheme. as we can see from Table 2, the encryption cost of our scheme
is higher than that of the other three comparison schemes;
4.1. Security analysis however, the decryption cost of our scheme is significantly
lower than that of the others. The reason for this is that in
As is well understood, data access control schemes based on order to support computation outsourcing at the decryption
attribute-based encryption are usually vulnerable to collusion phase, we have made additional operations at the encryption
attacks, i.e.. different users stealing secrets by sharing secret phase. Specifically, the ciphertext CT generated at the encryp-
keys or attributes they hold. In order to resist collusion tion phase is composed of four parameters, i.e.. C; C0 ; C00 , and
attacks, the CA in our system assigns a global unique identity C000 , among which C0 ; C00 , and C000 will be sent to the server for
generating a decryption token. Since a large number of expo-
uid to each user. Each user’s attribute secret key SKAA uid;x is asso-
nential operations in the group G are conducted to construct
ciated with their uid; thus, it is impossible for two or more
the parameters C0 ; C00 , and C000 , the encryption cost of our
users to collude and decrypt the ciphertext by combining their
scheme is higher than that of the other three comparison
secret keys or attributes. Our scheme is accordingly secure
schemes. At the decryption phase, a large amount of computa-
against the collusion attacks performed by users.
tion in our scheme has been outsourced to the server, and the
In order to alleviate the decryption cost for the user, our
user only need to compute an exponential operation in the
scheme outsources a large amount of computation to the ser-
group GT , so the decryption cost of our scheme is significantly
ver. During the data decryption phase, the user provides its
lower than that of the others.
attribute secret key SKAA uid;x to the server to obtain a decryption To validate the theoretical analysis presented in Table 2, we
token TK. While the server is able to get the user’s attribute implement our scheme and the three comparison schemes
secret key SKAA uid;x , it cannot decrypt the ciphertext if it does using the PBC library [32], which provides routines such as
not know the user’s secret key SKCA uid , which is firmly in the
elliptic curve generation, elliptic curve arithmetic, and pairing
hands of the user. Therefore, our scheme can guarantee pri- computation. The experimental environment is an Ubuntu
vacy preservation during the data decryption. 16.04 LTS system with Intel(R) Core(TM) i7-6700HQ
Our proposed attribute-based data access control scheme [email protected]8 and 16 GB RAM. We use a 160-bit sym-
also supports confidentiality, integrity, and availability (CIA) metric elliptic curve a-curve with the embedding degree of 2.
of data. Specifically, the owner first encrypts the data m and We consider Zp ¼ 20 bytes and G ¼ GT ¼ 128 bytes. The
the corresponding access policy A by using the system public experimental results are shown in Fig. 4. In order to precisely
parameter PPCA evaluate the performance of the different schemes, we run 100
sys , the AA’s public key PKaid , and the attributes’
AA

public keys PKAAx , and then uploads the encrypted data to the
repository. Encryption ensures that only authorized users (i.e..
the users having the secret keys) are able to read the encrypted Table 1 Symbols used in the performance analysis.
data, thus guaranteeing the confidentiality of data. Since there Symbol Implication
is a hash function in the data encryption key and the hash
nc Number of attributes in the ciphertext.
function is also encrypted, if the data is modified, even a single
nu Number of attributes in the user’s attribute set.
bit is changed, the hash is different and the modification is EG Time required to compute an exponential operation in
detected; thus, our scheme achieves data integrity. Our scheme the group G.
supports availability in the sense that the encrypted data is EGT Time required to compute an exponential operation in
only accessible to authorized users (i.e.. the users having the the group GT .
secret keys), and not to unauthorized users. P Time required to compute a bilinear pairing operation.
216 T. Mu et al.

our scheme to be particularly well-suited to the data access

Table 2 Comparison of computational cost at the encryption
control in smart grids, given that the data measured from
and decryption phases.
the smart grid usually only needs to be encrypted once, while
Schemes Computational cost decryption occurs many times due to the existence of different
Encryption Decryption users.
[29] 2P þ ðnc þ 5ÞEG þ 2EGT 4P þ ð3nu þ 4ÞEG þ EGT
In the future, we will focus on developing an efficient attri-
[30] ðnc þ 1ÞEG þ EGT ð2nu þ 2ÞP bute revocation method for our proposed data access control
[31] ðnc þ 1ÞEG þ EGT ðnu þ 3ÞP scheme. Besides, we will further explore how to integrate our
Our P þ ð4nc þ 2ÞEG þ EGT EGT scheme into the privacy-preserving data aggregation network,
thus making data access control in smart grids more efficient.

Declaration of Competing Interest

The authors declare that they have no known competing

experiments and obtain an average result under each configu- financial interests or personal relationships that could have
ration. As we can see from Fig. 4, the encryption cost of all appeared to influence the work reported in this paper.
schemes rises linearly with the increase of the number of attri-
butes in the ciphertext. Under the same configuration, the
References
encryption cost of our scheme is higher than that of the three
other schemes. However, due to the fact that a large amount of [1] J. Cao, Y. Wan, H. Hua, G. Yang, Performance modeling for
computation has been outsourced, the decryption cost of our data monitoring services in smart grid: A network calculus based
scheme is significantly lower than that of the others. Moreover, approach, CSEE J. Power Energy Syst. 6 (3) (2020) 610–618.
the decryption cost of our scheme remains constant and does [2] S. Dutta, P.K. Sadhu, M.J.B. Reddy, D.K. Mohanta, Chapter 7
not increase as the number of user’s attributes increases, while - role of microphasor measurement unit for decision making
the decryption cost of the compared schemes obviously based on enhanced situational awareness of a modern
increases with higher numbers of user’s attributes. distribution system, in: Decision Making Applications in
It can be observed that the experimental results are consis- Modern Power Systems, Academic Press, 2020, pp. 181–199.
tent with the theoretical analysis. Our proposed scheme [3] A. Sahai, B. Waters, Fuzzy identity-based encryption, in:
Proceedings of the 24th Annual International Conference on
achieves a very low decryption cost, which is aligned with
the Theory and Applications of Cryptographic Techniques, Vol.
the original intention of our design; we hope that the data 3494, 2005, pp. 457–473.
can be easily utilized for reflecting its value. [4] Y. Zhang, R.H. Deng, S. Xu, J. Sun, Q. Li, D. Zheng, Attribute-
based encryption for cloud computing access control: A survey,
5. Conclusion ACM Comput. Surv. 53 (4) (2020) 83:1–83:41.
[5] J. Bethencourt, A. Sahai, B. Waters, Ciphertext-policy attribute-
based encryption, in: Proceedings of the 2007 IEEE Symposium
In this paper, we propose a user-friendly attribute-based data
on Security and Privacy, 2007, pp. 321–334.
access control scheme for smart grids. Our data access control [6] Y. Zhang, D. Zheng, X. Chen, J. Li, H. Li, Computationally
scheme consists of four phases: system initialization, data efficient ciphertext-policy attribute-based encryption with
encryption, secret key generation, and data decryption. We constant-size ciphertexts, in: Proceedings of the 8th
first provide an overview of our proposed scheme, then elabo- International Conference on Provable Security, Vol. 8782,
rate on the construction of the scheme and the implementation 2014, pp. 259–273.
of the algorithms. Finally, we provide a comprehensive analy- [7] Q.M. Malluhi, A. Shikfa, V.C. Trinh, A ciphertext-policy
sis and experimental evaluation of the data access control attribute-based encryption scheme with optimized ciphertext
scheme. Although the encryption cost of our scheme is higher size and fast decryption, in: Proceedings of the 2017 ACM on
than that of the existing schemes, the decryption cost is signif- Asia Conference on Computer and Communications Security,
2017, pp. 230–240.
icantly lower than that of the comparison schemes. We believe

Fig. 4 Encryption and decryption costs for the proposed scheme and comparison schemes. Each result is the average of 100 runs.
A user-friendly attribute-based data access control scheme for smart grids 217

[8] S. Agrawal, M. Chase, FAME: Fast attribute-based message pairing for cloud-assisted smart grid, IEEE Access 8 (2020)
encryption, in: Proceedings of the 2017 ACM SIGSAC 40704–40713.
Conference on Computer and Communications Security, 2017, [21] Y. Ye, L. Zhang, W. You, Y. Mu, Secure decentralized access
pp. 665–682. control policy for data sharing in smart grid, in: Proceedings of
[9] N. Attrapadung, H. Imai, Conjunctive broadcast and attribute- the 2021 IEEE Conference on Computer Communications
based encryption, in: Proceedings of the Third International Workshops, 2021, pp. 1–6.
Conference on Pairing-Based Cryptography, Vol. 5671, 2009, [22] S.O. Ogundoyin, I.A. Kamil, PAASH: A privacy-preserving
pp. 248–265. authentication and fine-grained access control of outsourced
[10] S. Yu, C. Wang, K. Ren, W. Lou, Attribute based data sharing data for secure smart health in smart cities, J. Parallel
with attribute revocation, in: Proceedings of the 5th ACM Distributed Comput. 155 (2021) 101–119.
Symposium on Information, Computer and Communications [23] W. Zhang, S. Liu, Z. Xia, A distributed privacy-preserving data
Security, 2010, pp. 261–270. aggregation scheme for smart grid with fine-grained access
[11] Y. Zhang, X. Chen, J. Li, H. Li, F. Li, Attribute-based data control, J. Inf. Secur. Appl. 66 (2022) 103118.
sharing with flexible and direct revocation in cloud computing, [24] J. Ge, M. Wen, L. Wang, R. Xie, Attribute-based collaborative
KSII Trans. Internet Inf. Syst. 8 (11) (2014) 4028–4049. access control scheme with constant ciphertext length for smart
[12] M. Chase, Multi-authority attribute based encryption, in: grid, in: Proceedings of the IEEE International Conference on
Proceedings of the 4th Conference on Theory of Communications, 2022, pp. 540–546.
Cryptography, Vol. 4392, 2007, pp. 515–534. [25] L. Zhang, J. Li, F. Hu, Y. Huang, J. Bai, Smart grid data access
[13] A.B. Lewko, B. Waters, Decentralizing attribute-based control scheme based on blockchain, Comput. Intell. 36 (4)
encryption, in: Proceedings of the 30th Annual International (2020) 1773–1784.
Conference on the Theory and Applications of Cryptographic [26] B. Bera, S. Saha, A.K. Das, A.V. Vasilakos, Designing
Techniques, Vol. 6632, 2011, pp. 568–588. blockchain-based access control protocol in IoT-enabled
[14] Q. Li, J. Ma, R. Li, X. Liu, J. Xiong, D. Chen, Secure, efficient smart-grid system, IEEE Internet Things J. 8 (7) (2021) 5744–
and revocable multi-authority access control system in cloud 5761.
storage, Comput. Secur. 59 (2016) 45–59. [27] W. Yang, Z. Guan, L. Wu, X. Du, M. Guizani, Secure data
[15] S. Ruj, A. Nayak, A decentralized security framework for data access control with fair accountability in smart grid data
aggregation and access control in smart grids, IEEE Trans. sharing: An edge blockchain approach, IEEE Internet Things
Smart Grid 4 (1) (2013) 196–205. J. 8 (10) (2021) 8632–8643.
[16] J. Hur, Attribute-based secure data sharing with hidden policies [28] A. Beimel, Secure schemes for secret sharing and key
in smart grid, IEEE Trans. Parallel Distributed Syst. 24 (11) distribution, Israel Institute of Technology, 1996, Ph.D. thesis.
(2013) 2171–2180. [29] K. Liang, W. Susilo, Searchable attribute-based mechanism with
[17] N. Eltayieb, R. Elhabob, A. Hassan, F. Li, An efficient efficient data sharing for secure cloud storage, IEEE Trans. Inf.
attribute-based online/offline searchable encryption and its Forensics Secur. 10 (9) (2015) 1981–1992.
application in cloud-based reliable smart grid, J. Syst. Archit. [30] J. Li, X. Lin, Y. Zhang, J. Han, KSF-OABE: Outsourced
98 (2019) 165–172. attribute-based encryption with keyword search function for
[18] K.N. Alharbi, X. Lin, Efficient and privacy-preserving smart cloud storage, IEEE Trans. Serv. Comput. 10 (5) (2017) 715–
grid downlink communication using identity based signcryption, 725.
in: Proceedings of the 2016 IEEE Global Communications [31] Y. Miao, J. Ma, X. Liu, J. Weng, H. Li, H. Li, Lightweight fine-
Conference, 2016, pp. 1–6. grained search over encrypted data in fog computing, IEEE
[19] L. Zhang, J. Ren, Y. Mu, B. Wang, Privacy-preserving multi- Trans. Serv. Comput. 12 (5) (2019) 772–785.
authority attribute-based data sharing framework for smart [32] B. Lynn, H. Shacham, M. Steiner, J. Cooley, R. Figueiredo, The
grid, IEEE Access 8 (2020) 23294–23307. pairing-based cryptography library, https://crypto.stanford.edu/
[20] Y. Wang, B. Chen, L. Li, Q. Ma, H. Li, D. He, Efficient and pbc/.
secure ciphertext-policy attribute-based encryption without