Privacy-preserving Data-aggregation for Internet-of-things in Smart Grid

Transcription

1 Privacy-preserving Data-aggregation for Internet-of-things in Smart Grid Aakanksha Chowdhery Postdoctoral Researcher, Microsoft Research Collaborators: Victor Bahl, Ratul Mahajan, Frank Mcsherry, Abhradeep Thakurta

2 Smart meters/devices in home Utility/ Third Party Measure fine-grained energy use Collected data transmitted by smart meter & aggregated at Energy data center data consumer: utility/third party

3 Smart meter data enables Billing - with time-of-use pricing Fraud detection Demand response Load monitoring and forecasting Power outage notifications Energy Efficiency analysis & optimization etc 3

4 Privacy Concerns 4

5 Privacy Concerns What can your smart meter tell? - Did you leave late for work? - Did you leave your child home alone? - Were you home during your sick leave? - Did you watch the game last night? (Molina-Markham et al, Private Memoirs of Smart Meters, BuildSys 10) 5

6 Privacy Concerns Energy Industry maximize revenues Third-party companies - target marketing material eg building & insulation Hackers real-time mass surveillance, burglary Data Privacy compromised if leak personally identifiable information/attributes 6

7 Current Privacy Policies Under Fair Information Practice Principles at Federal Detailed readings - sensitive Requires consumer awareness & consent California Public Utilities protect smart meter data (rulings in 2011 & April 2014) Utilities can t sell customer s personal/consumption data Third parties can t use it for secondary commercial use 7

8 Pseudo-nymizing smart meter data Separate consumption trace & household identity 8

9 Naïve Pseudo-nymizing is fragile Correlate two data sources overlapping in time Attack: Linking by anomaly Jawurek et al, Smart Metering de-pseudonymization, ACSAC

10 Privacy-enhancing Technologies Prevent privacy violations before they occur Pseudo-nymizing Trusted third party Aggregates Adds noise (differential privacy) Cryptographic computation 10

11 System Model Smart Meter 1 Smart Meter 2 query Utility/ Third Party Smart Meter N Energy Data Center: Private/Public Cloud 11

12 Trusted third party aggregates Smart Meter 1 Smart Meter 2 Energy Data Center Smart Meter N Trusted link Gateway/ Aggregator query Utility/ Third Party Gateway aggregates the high-frequency readings No private data items sent, yet some individual identifiable 12

13 Trusted third party adds noise Smart Meter 1 Smart Meter 2 Energy Smart Meter N Trusted link Gateway/ Aggregator Add noise Data Center query Utility/ Third Party Differential privacy - add random noise to aggregate 13

14 Differential privacy (intuition) A mechanism is differentially private if every output is produced with similar probability whether any given input is included or not A B C Similar output distributions F(x) F(x) A B C D Bounded risk for D if she includes her data! Cynthia Dwork Differential Privacy ICALP

15 Achieving differential privacy A simple differentially private mechanism Smart Meter 1 Smart Meter 2 Smart Meter N Trusted link Gateway/ Aggregator Tell me f(x) f(x)+noise Utility/ Third Party How much noise should one add? 15

16 Achieving differential privacy Function sensitivity (intuition): Maximum effect of any single input on the output Aim: Need to conceal this effect to preserve privacy Example: Computing the aggregate mean of the readings has low sensitivity Any single user s reading does not affect the final mean by too much Calculating the maximum reading has high sensitivity 16

17 Achieving differential privacy Function sensitivity (intuition): Maximum effect of any single input on the output Aim: Need to conceal this effect to preserve privacy Example: SUM over input elements drawn from [0, M] X 1 X 2 X 3 X 4 SUM Sensitivity = M Max effect of any input element is M 17

18 Achieving differential privacy A simple differentially private mechanism Smart Meter 1 Smart Meter 2 Smart Meter N Trusted link Gateway/ Aggregator Tell me f(x) f(x)+noise Intuition: Noise needed to mask the effect of a single input Utility/ Third Party 18

19 Privacy-enhancing Technologies Prevent privacy violations before they occur Pseudo-nymizing Trusted third party Aggregates Adds noise (differential privacy) Cryptographic computation 19

20 Cryptographic Computation Strongest privacy/security guarantee Aggregate via homomorphic encryption The product of encryptions of two messages is an encryption of the sum of the two messages Paillier cryptosystem - additively homomorphic Enables spatial/temporal aggregation Erkin et al Private computation of spatial and temporal power consumption with smart meters, ACNS

21 Cryptographic Computation Smart Meter 1 Smart Meter 2 One Paillier public key Each smart meter encrypts Gateway/ Aggregator Smart Meter N Aggregator combines the encrypted readings Can decrypt the sum of readings Can t decrypt the individual (modified Paillier scheme) Erkin et al Private computation of spatial and temporal power consumption with smart meters, ACNS

22 Cryptographic Computation Time-of-use pricing & billing require individual meter readings? Integrity certify meter readings and bill calculations? 22

23 Cryptographic Computation Rial et al Privacy- Preserving Smart Metering; WPES

24 Cryptographic Computation Time-of-use pricing & billing require individual meter readings? No use homomorphic encryption Integrity certify meter readings and billing calculations Use zero-knowledge proof Smart meter proves to the utility (the verifier) that the reading and calculation is true, Doesn t reveal individual readings Rial et al Privacy-Preserving Smart Metering; WPES

25 Recap: Privacy-enhancing Technologies Smart Meter 1 Smart Meter 2 Gateway/ Aggregator Energy Data Center Smart Meter N query Utility/ Third Party Pseudo-nymizing Trusted third party aggregates & adds noise Cryptographic computation 25

26 Implementation Overheads Smart meter: low computation power & memory No overhead with Pseudo-nymizing & trusted third party Additional computation/hardware for cryptographic Communication bandwidth Pseudo-nymizing < Trusted third party <= Cryptographic Computation at the aggregator Increases with the complexity of the protocol Scalability 26

27 Conclusions Smart-meter data can be privacy intrusive Personally identifiable information Time granularity matters Anonymizing the readings is not sufficient Privacy-enhancing technologies can prevent privacy violations before they occur Trusted third party can aggregate the data & add noise using differential privacy Cryptographic computation enables verifiable spatiotemporal aggregations 27

28 THANK YOU! 28