
Access Control


A Blockchain-Based Access Control Scheme for Smart Grids

Yuyang Zhou
School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China
yuyang.zhou@std.uestc.edu.cn

Yuanfeng Guan
SI-TECH Information Technology Co., Ltd, Beijing 100031, China

Zhiwei Zhang
SI-TECH Information Technology Co., Ltd, Beijing 100031, China

Fagen Li
School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China
fagenli@uestc.edu.cn

Abstract—At present, the access control schemes in the power grid are centralized. In a centralized system, the data of the network sensor nodes is transmitted by centralized nodes, and the data itself may be illegally tampered with or lost, which can reduce system reliability. To address this, we apply blockchain technology to the design of access control schemes. In this paper, we propose a blockchain-based access control scheme that is suitable for multiple scenarios in the smart grid. Our access control scheme is based on an identity-based combined encryption, signature and signcryption scheme. In addition, we design a consensus algorithm in the power system for the consortium blockchain architecture to solve the key escrow problem of untrusted third parties. Our scheme also ensures the confidentiality, integrity, authentication and non-repudiation of the data. Compared with existing work, our scheme can use the same key pair to encrypt, sign and signcrypt the message, which has lower computation and communication costs in multiple scenarios of smart grids.

Keywords—smart grids, access control, blockchain, combined public key scheme

I. INTRODUCTION

The smart grid, also known as the next generation power grid, is based on the physical grid system using advanced information communication technology, sensor measurement technology, computer technology and control technology [1]. Relying on modern information technologies, the smart grid can digitally manage power production, power transmission, power division and power control. Different from the traditional power grid, a main feature of the smart grid is the two-way flow of information between the user and the power provider. For example, in a traditional power grid, electricity is generated in a power plant and then transmitted to users through a transmission network and a branch network. But in a smart grid, electricity can also be returned to the power provider by the user (e.g., users can generate electricity from their home solar panels and transfer it to the power provider). User models in smart grids can be divided into three types: Home Area Network (HAN), Building Area Network (BAN) and Industrial Area Network (IAN) [2].

If an attacker illegally obtains a user's power usage information, he can infer the user's specific activity information from the user's power usage pattern. At the same time, if the attacker impersonates a legitimate user to transmit malicious information to the power provider (e.g., a DDoS attack), it will also hinder the power provider's daily work. In order to protect this sensitive information from being attacked and utilized, research on access control of smart grids was proposed.

Access control ensures that only authorized users can access the specified data and solves the problem of unauthorized access to important information. Access and authentication measures in existing smart grids have the following weaknesses: (1) current mainstream access control schemes implement cross-domain access through centralized authentication or third-party centralized authentication, but it is unclear whether a third party is absolutely credible; (2) at the same time, there are massive user access nodes and two-way information circulation in the smart grid. All of this poses a challenge to the design of access control schemes in smart grids.

Blockchain is an emerging decentralized architecture and distributed computing paradigm [3]. Blockchain technology has the characteristics of decentralization, collective maintenance, security and credibility. At present, many access control schemes adopt centralized management. If blockchain technology is used to upgrade the present access control schemes, the traditional access control method will gain the decentralization and high reliability of the blockchain. So it is especially suitable for smart grid systems, which have multiple nodes.

A. Related Work

Access control in smart grids has received much attention in recent years. In 2011, Sankar et al. [4] presented a centralized access scheme for power grids that requires the regional transmission organizations (RTOs) to be online during data transmission. However, such a method can easily become a system bottleneck. Sun et al. [5] proposed an identity-based
encryption (ABE) access control scheme in smart grids, which alleviated the computational overhead of intelligent terminals. However, in [5], the master authentication center and each terminal of the jurisdiction share the key, which easily suffers from man-in-the-middle attacks. So, the confidentiality of the data cannot be guaranteed. In 2014, Wu et al. [6] proposed a lattice-based access control scheme which used identity-based cryptography (IBC). However, it assumes there is a fully trusted network controller who is in charge of the whole network. In 2017, Guan et al. [7] proposed a delay-tolerant flexible data access control scheme based on key policy attribute-based encryption (ABE) for smart grids. Their scheme has no central trusted server to perform the encryption and decryption. But when a user is revoked, the remote terminal unit (RTU) needs to redefine the access structure and recalculate part of the ciphertext, and this increases the overhead of RTU calculation and communication.

In 2008, Satoshi Nakamoto proposed a new digital currency, Bitcoin [8], which is constructed on a Peer-to-Peer (P2P) network. Blockchain is the underlying core supporting technology of Bitcoin. Blockchain is mainly divided into three types: public blockchain, consortium blockchain and private blockchain. Public blockchain is a fully decentralized distributed architecture; registration and presentation of nodes is frequent and the number of nodes is constantly changing. Today's digital currencies, e.g. bitcoin, are traded on the public blockchain. Consortium blockchain is a relatively stable blockchain of nodes. The joining or exiting of each participating node in the consortium blockchain requires permission. Private blockchain generally has a fully trusted controller. To some extent, private blockchain has lost the meaning of decentralization. The consensus mechanism makes the blockchain a decentralized distributed ledger system. Public blockchain generally uses a single proof mechanism to achieve consensus, such as Proof-of-Work (PoW) or Proof-of-Stake (PoS). PoW is anonymized by Nakamoto, whose main idea is to use computing power to find specific numbers to make the block meet the requirements.

The PoW consensus algorithm solves the consensus problem in a completely decentralized network. At the same time, PoW brings the defects of low system efficiency and waste of resources. Therefore, the scenarios for applying PoW are very limited. In 2012, King and Nadal proposed the concept of PoS [9], which uses the stake to replace or partially replace computing resources. PoS is more resource efficient than PoW, and the creation of blocks is no longer limited to hash calculations that satisfy high difficulty coefficients. However, the PoS consensus algorithm easily leads to uneven wealth, because rich nodes always have an advantage in being chosen as ledgers. Apart from these, Larine proposed Delegate Proof-of-Stake (DPoS), in which each shareholder has a certain voting right [10]. Compared to the public blockchain, consortium blockchain and private blockchain can achieve consensus without relying on computing resources, and only need to improve the underlying consensus agreement. The Byzantine Fault Tolerant Algorithm (PBFT) is a consistency algorithm based on state machine replication proposed by Castro and Liskov [11], and is widely used in distributed systems. In the environment of asynchronous communication, the algorithm can guarantee the safety and liveness [12] of the system when no more than $\frac{n-1}{3}$ nodes fail. With a limited number of nodes, the efficiency of PBFT is considerable. But if the number of nodes increases, the quality of the service provided will decrease. In addition, there are some other consensus algorithms, such as Raft [13] and Paxos [14].

In 2017, Maesa et al. explored how to formulate the classical access control scheme as a smart contract that can be stored and executed in the blockchain [15]. In 2018, Lin et al. proposed a novel blockchain-based framework to ensure secure user authentication with fine-grained access control [16], which used attribute-based signature (ABS). Both of them only consider signature or encryption, and did not give a strict security proof in the random oracle model (ROM).

In 2011, the concept of a combined public key cryptosystem was first proposed by Haber and Pinkas [17]. They showed that reusing a single key pair during encryption and signature does not compromise the security of the solution. That is, in a signature scheme, an adversary can access the decryption oracle of an encryption scheme. In addition, in an encryption scheme, an adversary can access the signature oracle of a signature scheme, which does not pose any security threat to the encryption scheme. In 2015, Vasco et al. [18] constructed an identity-based combined public key cryptography scheme, and proved that the Hess identity-based signature (IBS) scheme [19] and Boneh and Franklin's identity-based encryption (IBE) scheme [20] can be safely combined. In 2017, Zhou and Li proposed an identity-based combined public key scheme for signature, encryption and signcryption (IBCSESC) [21]. Under the premise of ensuring the confidentiality, integrity, authentication and non-repudiation of data, the combined cryptosystem reduces the key management work, saves storage space and computational consumption, and is very suitable for complex grid environments.

B. Motivation and Contribution

At present, power grids generally store information in plaintext. The existing access control schemes generally include a trusted third party, which is easy to suffer from key escrow attacks. The idea of decentralization of the blockchain can solve the problem of key escrow.

This paper focuses on the premise that there are many smart grid nodes and many application scenarios. We make the following contributions:

1) We give a consensus algorithm for the selection of the private key generator (PKG) in smart power grids. This consensus algorithm not only has an incentive mechanism, but also has a penalty mechanism, which is not currently available in consensus algorithms.
2) We design a blockchain-based access control scheme that uses a combined cryptosystem. Our scheme satisfies the security requirements of power grids, solves the key escrow problem, and makes users more involved in the daily management of smart grids. The reuse of keys saves
system communication costs, and is also very suitable for different services in smart grids multi-environments.

C. Organization

The rest of the paper is arranged as follows. The network model and security requirements are introduced in Section II. The blockchain-based access control scheme is proposed in Section III. The security analysis for our scheme is given in Section IV and the performance analysis is given in Section V. Finally, the conclusions are given in Section VI.

II. PRELIMINARIES

A. Network Model

The blockchain-based access control scheme proposed in this paper is shown in Figure 1. In Figure I, we mentioned that smart grids consist of three user types (i.e. HAN, BAN and IAN). In this paper, we take HAN as an example to describe our access control scheme. The network model includes three parts: a HAN, a power provider and a PKG.

1) HAN: A smart meter can collect the user's power consumption data, which will be monitored by the master controller. The master controller in the HAN is used to manage the user's power consumption and establish communication with the power provider.
2) Power provider: The power provider is an electric power company, which mainly produces, transmits and sells electricity. The power provider can customize the power consumption scheme according to the power consumption information returned by the user, and inform the user through e-mail and so on. At the same time, in smart grids, some users can sell their collected excess power to the electric power company. Therefore, the flow of information in smart grids is two-way. The power provider uploads the information in smart grids to the cloud system.
3) PKG: A PKG will generate the user's and power provider's private keys. In this paper, the PKG is a consensus reached by multiple HAN user nodes and multiple servers in the power provider.

Fig. 1. Smart grids network model

B. Security Requirements

The secure communication of data in smart grids needs to meet the following security requirements.

1) Confidentiality: Private data can only be accessed by authorized users, i.e. the message should satisfy indistinguishability against adaptive chosen ciphertext attacks under chosen identity attacks (IND-ID-CCA2);
2) Integrity: Data will not be tampered with by illegal attackers, i.e. the message should satisfy existential unforgeability against adaptive chosen message attacks under chosen identity attacks (EUF-ID-CMA);
3) Identity authentication: The senders and receivers of data must be legitimate users. The authentication includes the legal authentication of the user and the legal authentication of the device;
4) Non-repudiation: Users cannot deny the data they sent or received.

III. A BLOCKCHAIN-BASED ACCESS CONTROL SCHEME FOR SMART GRIDS

Most access control schemes in smart grids require a fully trusted third party, e.g. a PKG. However, if the PKG is replaced by a malicious adversary, then this adversary can very easily learn users' and power providers' private keys, and can deceive both parties to get the information they want (e.g. man-in-the-middle attack). Considering the decentralization of the blockchain, we decided to use the consensus mechanism to solve the third-party trust problem.

The two-way communication in smart grids also enhances the interaction between users and power providers. Some scenarios only need to encrypt the message (e.g. uploading users' private information to the power cloud system), some scenarios only need to sign the message (e.g. individual users with sufficient power storage applying to sell excess electricity to the power provider), and some scenarios need to signcrypt the message (e.g. a power provider applying to access users' private information). In order to reduce the storage space of keys and the grid system's communication costs, our scheme is based on Boneh and Franklin's IBE scheme [20], Cha and Cheon's IBS scheme [25], and Zhou and Li's IBCSESC scheme [21].

A. Consensus Mechanism

Nodes in the public blockchain can join or exit at any time without permission. However, in smart grids, nodes are generally relatively fixed. Public blockchain generally uses a single proof mechanism to achieve consensus, but most of the proof mechanisms would waste a lot of resources, such as PoW, which needs to use workload. Therefore, we have chosen to build the PKG on a consortium blockchain, in which each participating node joining or withdrawing requires permission. Our scheme is based on the PoS consensus algorithm, but we specify that the nodes do not have dynamics like in PoS. Every node that wants to campaign for the PKG must be a relatively fixed user node or a server node inside the power provider. One HAN represents a user node. These nodes must be registered network-wide and submit to a representative audit
system, such as on the local national department's website. It can be said that the representative audit system is also a trusted third party, but this must be controlled by the state or government. At the same time, drawing inspiration from the FBFT algorithm, we also divide the nodes in HAN into master and slave nodes. Only a master node can participate in the campaign for PKG. Slave nodes only forward the received transaction data, and participate in confirming the generation of the PKG. The master or slave status of a node is confirmed by the auditing agency according to its social credit rating when the node is registered. Social credit refers not only to the credit evaluation of users participating in smart grids, but also to the behavioral credit evaluation of the user in social activities. Therefore, the auditing agency must be a national-level organization, otherwise it would not be able to collect information on the social activities of ordinary users.

We treat every user node or server node as a block and the output block is the PKG. The consensus algorithm is shown below. Let every candidate node be B = ⟨nonce, txs, preHash⟩. nonce is an integer, and changing any bit of nonce will completely change the hash value of the entire node. txs is the transaction records contained in the block. preHash is the hash value of the previous block. D is the difficulty value and defines how many leading zeros are needed for the current hash value of the entire block. The more leading zeros, the more difficult it is. In order to prevent users from consuming a lot of computing resources, D can also be adjusted automatically so that it is a suitable value. The detailed description of the consensus algorithm is shown in Algorithm 1 below.

Algorithm 1 Consensus Algorithm
Input: preHash, txs, D, energyUsed, hashTransactionTime
Output: block
 1: nonce ← 1
 2: coins ← energyUsed
 3: age ← currentTime − hashTransactionTime
 4: while H(nonce, txs, preHash) ≥ coins · age · D do
 5:     nonce ← nonce + 1
 6:     Broadcast(⟨nonce, txs, preHash⟩)
 7: end while
 8: if H(nonce, txs, preHash) < coins · age · D then
 9:     The node that first Broadcast(⟨nonce, txs, preHash⟩) is PKG
10: end if
11: return block

In a period of time, the more electricity a user uses, the easier it is to be chosen as the PKG. The server node inside the power provider will receive a certain percentage of energyUsed based on the amount of electricity it delivers. Note that a slave node does not participate in the campaign for PKG. However, in the sixth-step broadcast, it participates in confirming the generation of the PKG. When a PKG campaign ends, age will be cleared. In order to allow more nodes to participate in the PKG campaign, the nodes that have been elected PKG cannot be reelected within a certain period. This makes the election more fair.

In addition, our consensus algorithm also has an incentive mechanism and a penalty mechanism. If a node successfully wins the PKG election and runs safely during its period of responsibility, there will be certain rewards, such as free electricity. However, if an information disclosure accident happens, the credit evaluation of the node that is acting as PKG at that time will be dropped significantly and it can never be a master node again.

B. A Detailed Access Control Scheme

In this subsection, we design a blockchain-based access control scheme for smart grids, in which we use the blockchain consensus algorithm to generate the PKG. The PKG generates the users' and power providers' private keys according to their IDs. The scheme consists of four parts: initial phase, registration phase, verification and authorization phase, and withdrawal phase. Figure 2 summarizes these five phases.

Fig. 2. Access control scheme

• Initial phase: In this phase, the nodes with voting rights in smart grids run for PKG. Note that this PKG only holds the role for a while. If users' private keys are compromised during this time, or if a serious malicious incident occurs, the node playing the PKG will be deprived of PKG voting rights and campaign rights.
Given a security parameter $k$, the PKG selects an additive group $G_1$, a multiplicative group $G_2$, a bilinear pairing $\hat{e}$, and five hash functions $H_1 : \{0,1\}^n \to G_1$, $H_2 : \{0,1\}^n \times G_1 \to \mathbb{Z}_q^*$, $H_3 : \{0,1\}^n \times \{0,1\}^n \to \mathbb{Z}_q^*$, $H_4 : G_2 \to \{0,1\}^*$, $H_5 : \{0,1\}^* \to \{0,1\}^*$, $H_6 : G_2 \to \{0,1\}^{|G_1|+|ID|+n}$. The groups have prime order $q$ and the generator of $G_1$ is $P$. The bilinear pairing is $\hat{e} : G_1 \times G_1 \to G_2$. $n$ is the number of bits of the encrypted or signed message, and $|G_1|$ and $|ID|$ are the
number of bits in $G_1$ and $ID$. The PKG selects a master key $s$ and keeps it secret, then calculates its own public key $P_{pub} = sP$. Finally, the PKG publishes the system public parameters $par = \{G_1, G_2, \hat{e}, n, P, P_{pub}, H_1, H_2, H_3, H_4, H_5, H_6\}$.

• Registration phase: In this phase, users in HANs and power providers obtain their public keys and private keys. The user and power provider submit their own $ID_U$ and $ID_{PP}$ to the PKG, and the PKG checks whether the ID is valid. If the ID is illegal, the PKG rejects the applicant's registration request. Otherwise, the PKG generates the corresponding public keys $Q_U = H_1(ID_U \| ED_U)$ and $Q_{PP} = H_1(ID_{PP} \| ED_{PP})$, and private keys $S_U = sQ_U$ and $S_{PP} = sQ_{PP}$ according to their IDs. Note that $ED_U$ and $ED_{PP}$ are the access validity periods for the user and power provider applicants. The PKG sends ($S_U$, $S_{PP}$) to the user and power provider online or offline. If online transmission is used, then we can use the secure socket layer (SSL) protocol to ensure the confidentiality of the private key.

• Data creation phase: In this phase, we have three scenarios.

1) We assume that a power provider with identity $ID_{PP}$ wants to access the data of a user with identity $ID_U$. The power provider first generates a query message $m$. In order to resist the replay attack, the power provider concatenates $m$ and a timestamp $T$ to form a new message $m^* = m \| T$. The power provider randomly selects $r \in \mathbb{Z}_q^*$, then calculates $X = rQ_{PP}$, $h = H_2(m^*, X)$, $Z = (r + h)S_{PP}$, $\omega = \hat{e}(rS_{PP}, Q_U)$, and $y = H_6(\omega) \oplus (Z \| ID_{PP} \| m^*)$. The ciphertext is $c = (X, y)$. Finally, the power provider sends $c$ to the user.
2) We assume a user with identity $ID_U$ wants to sell his excess electricity to a power provider. Users only need to verify their legal identity $ID_U$ in smart grids to the power provider. The user first generates a query message $m$. In order to resist the replay attack, the user concatenates $m$ and a timestamp $T$ to form a new message $m^* = m \| T$. Then, in order to gain anonymity, the user calculates $X = rQ_U$. Next, the user calculates $h = H_2(m^*, X)$ and $Z = (r + h)S_U$. The signature is $\sigma = (X, Z)$. Finally, the user sends $\sigma$ to the power provider.
3) We assume that a power provider with identity $ID_{PP}$ wants to save user information to cloud storage servers. So he only needs to encrypt the message $m$ with his public key $Q_{PP}$. When he wants to acquire $m$, he decrypts the ciphertext with his private key $S_{PP}$. In order to resist the replay attack, the power provider generates a new message $m^* = m \| T$. First, the power provider randomly selects $\lambda \in \{0,1\}^n$ and computes $t = H_3(\lambda, m)$. Next, the power provider computes $U = tP$, $V = \lambda \oplus H_4(\hat{e}(Q_{PP}, P_{pub})^t)$ and $W = m \oplus H_5(\lambda)$. The ciphertext is $c = (U, V, W)$. The power provider uploads $c$ to the cloud storage server.

• Data access phase: In this phase, we have different data access phases for the above three scenarios.

1) When receiving the ciphertext $c$, the user first computes $\omega = \hat{e}(X, S_{ID_U})$, $Z \| ID_{PP} \| m^* = y \oplus H_6(\omega)$ and $h = H_2(m^*, X)$. Next, the user verifies whether $\hat{e}(Z, P) = \hat{e}(P_{pub}, X + hQ_{PP})$ holds. If it holds, the user accepts $m = m^* \| T$. Otherwise, the user rejects $c$ and outputs $\perp$.
2) In order to verify whether $\sigma$ is a valid signature on message $m$ sent by the user with identity $ID_U$, the power provider should first compute $h = H_2(m^*, X)$. Then, if $\hat{e}(Z, P) = \hat{e}(P_{pub}, X + hQ_U)$ holds, the power provider accepts $m = T \| m^*$. Otherwise, the power provider rejects $\sigma$ and outputs $\perp$.
3) When the power provider downloads the ciphertext $c$ from the cloud server, he uses his private key $S_{PP}$ to decrypt $c$. First, the power provider computes $\lambda = V \oplus H_4(\hat{e}(U, S_{PP}))$. Next, the power provider computes $m = W \oplus H_5(\lambda)$, $t = H_3(\lambda, m)$, and verifies whether $U = tP$ holds. If it holds, the power provider accepts $m$, otherwise he rejects $c$. This ensures that the message $m$ will not be stolen on the cloud storage server.

• Withdrawal phase: In this phase, the registrations of users in HAN and power providers are automatically revoked upon expiration of the expiration date $ED$. For example, if the due date is "2019-12-28", then their private keys are valid before December 28, 2019. If, for some special reason, the deadline is advanced, then the PKG will broadcast the identity of the revoked user and create a table to hold the identities of these invalid users. At the same time, we can also use Tsai and Tseng's methods [22] to revoke the power of user access.

In the above Registration phase and Data access phase, we can see the advantage of our access control scheme. That is, the same key can be reused under the different requirements of the scenarios. Because of the complexity of the scenarios, access control in smart grids often cannot be covered by a single scheme. However, in our access control scheme, users in smart grids can use only one key to encrypt, sign and signcrypt messages. No matter what scenario the user is in, only one key is needed to meet the user's access control needs. Therefore, our scheme simplifies the access control program, saves the storage space of keys, reduces the communication cost of the system and also guarantees the confidentiality, integrity, and non-repudiation of the verification message.

IV. SECURITY ANALYSIS

In this section, we analyze the security of our proposed access control scheme. In subsection II-B, we defined the security requirements that an access control scheme in smart grids needs to meet: confidentiality, integrity, identity authentication and non-repudiation.

Because our scheme uses signatures with the user's identity, we can achieve identity authentication. At the same time, our scheme uses a hash function for the message, so a message creator cannot
deny the fact that he made the message, which means our scheme achieves non-repudiation. Our access control scheme is based on Boneh and Franklin's IBE scheme [20] and Cha and Cheon's IBS scheme [25]. So, given that these two schemes have been proven to be safe, we prove that our access control scheme satisfies confidentiality and integrity by the following Theorems 1 and 2, respectively.

Theorem 1: Our proposed access control scheme satisfies IND-ID-CCA2 security in the random oracle model.

Proof: Our proposed access control scheme uses the same key to achieve encryption and signcryption, so we should prove the IND-ID-CCA2 security of the encryption part and the IND-ID-CCA2 security of the signcryption part. The IND-ID-CCA2 security of our proposed access control scheme is defined through the following game played between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

1) If an adversary $\mathcal{A}$ can use $q_k$ key extraction queries, $q_d$ decryption queries and $q_s$ signature queries to break the (, $t$, $q_k$, $q_d$, $q_s$)-IND-ID-CCA2 security of the encryption part of our proposed access control scheme with a non-negligible advantage  and in a bounded time $t$, we can construct a challenger $\mathcal{C}$ that can break the (, $t$, $q_k$, $q_d$)-IND-ID-CCA2 security of Boneh and Franklin's IBE scheme.

• Initial: We assume that the system public parameters of Boneh and Franklin's IBE scheme are $par_{bf} = (G_1, G_2, n, \hat{e}, P, P_{pub}, H_1, H_3, H_4, H_5)$, and $\mathcal{C}$ chooses $H_2$ and sends $par = (G_1, G_2, n, \hat{e}, P, P_{pub}, H_1, H_2, H_3, H_4, H_5)$ to $\mathcal{A}$.
• Phase 1:
a) When $\mathcal{A}$ asks a key extraction query with an identity $ID$, $\mathcal{C}$ submits the $ID$ to its key extraction oracle and returns the result to $\mathcal{A}$.
b) When $\mathcal{A}$ asks a decryption query with $(c, ID)$, $\mathcal{C}$ submits $(c, ID)$ to its decryption oracle and returns the result to $\mathcal{A}$.
c) When $\mathcal{A}$ asks a signature query with $(m, ID)$, $\mathcal{C}$ randomly selects $r \in \mathbb{Z}_q^*$, computes $h = H_2(m, X)$, $X = rP - hQ_{ID}$, $Z = rP_{pub}$ and returns the result $\sigma = (X, Z)$ to $\mathcal{A}$.
• Challenge: $\mathcal{A}$ generates two plaintexts $m_0$ and $m_1$ of the same length and one user identity $ID^*$ that it intends to challenge, and $\mathcal{A}$ cannot request the private key of $ID^*$ in Phase 1. $\mathcal{C}$ sends $m_0$, $m_1$, $ID^*$ to the oracle and gets the ciphertext $c^* = \mathrm{Encrypt}_{ID^*}(m_\gamma)$, then returns $c^*$ to $\mathcal{A}$.
• Phase 2:
a) $\mathcal{A}$ can perform a polynomially bounded number of queries as in Phase 1.
b) $\mathcal{A}$ cannot make a key extraction query for $ID^*$.
c) $\mathcal{A}$ cannot make a decryption query for $(c^*, ID^*)$.
• Guess: $\mathcal{A}$ outputs a bit $\gamma'$ and wins the game if $\gamma' = \gamma$.

2) If an adversary $\mathcal{A}$ can use $q_k$ key extraction queries, $q_d'$ decryption queries, $q_s'$ signature queries, $q_{sc}'$ signcryption queries and $q_{usc}'$ unsigncryption queries to break the (, $t'$, $q_k$, $q_d'$, $q_s'$, $q_{sc}'$, $q_{usc}'$)-IND-ID-CCA2 security of the signcryption part of our proposed access control scheme with a non-negligible advantage  and in a bounded time $t'$, we can construct a challenger $\mathcal{C}$ that can break the (, $t$, $q_k$, $q_d$)-IND-ID-CCA2 security of Boneh and Franklin's IBE scheme, in which $q_d = q_d' + q_{usc}'$, $t = t' + O(q_{sc}' T_e + q_{usc}' T_v)$, and $T_e$ and $T_v$ are the maximum time spent calculating an encryption and verifying a signature.

• Initial: We assume that the system public parameters of Boneh and Franklin's IBE scheme are $par_{bf}$. $\mathcal{C}$ chooses $H_2$, $H_6$ and sends $par = (G_1, G_2, n, \hat{e}, P, P_{pub}, H_1, H_2, H_3, H_4, H_5, H_6)$ to $\mathcal{A}$.
• Phase 1: Apart from the following two queries, $\mathcal{C}$ can make the same answers as in Phase 1 of the previous game according to $\mathcal{A}$'s queries.
a) When $\mathcal{A}$ asks a signcryption query with $(m, ID_{PP}, ID_U)$, $\mathcal{C}$ randomly selects $r \in \mathbb{Z}_q^*$, computes $X = rP - hQ_{ID_{PP}}$, $h = H_2(m, X)$, $Z = rP_{pub}$, $\omega = \hat{e}(r - hQ_{ID_{PP}}/P,\ Q_{ID_U} P_{pub})$, $y = H_6(\omega) \oplus (Z \| ID_{PP} \| m)$ and returns the result $\sigma = (X, Z, y)$ to $\mathcal{A}$.
b) When $\mathcal{A}$ asks an unsigncryption query with $(c, ID_{PP}, ID_U)$, $\mathcal{C}$ creates a table $L_2$ to store $\mathcal{A}$'s queries and $H_2$'s answers, and checks whether the record $(\omega, m, r)$ in $L_2$ satisfies $X = rQ_{PP}$, $h = H_2(m, X)$, and $y = H_6(\omega) \oplus (Z \| ID_{PP} \| m)$. If it is included, the unsigncryption result is $m$, otherwise it returns $\perp$.
• Challenge: $\mathcal{A}$ generates two plaintexts $m_0$ and $m_1$ of the same length, one sender identity $ID_{PP}^*$ and one receiver identity $ID_U^*$ that it intends to challenge, and $\mathcal{A}$ cannot request the private key of $ID_{PP}^*$ in Phase 1. $\mathcal{C}$ sends $m_0$, $m_1$, $ID_{PP}^*$, $ID_U^*$ to the oracle and gets the corresponding ciphertext $c^* = \mathrm{Signcrypt}_{ID_{PP}^*, ID_U^*}(m_\gamma)$, then returns $c^*$ to $\mathcal{A}$.
• Phase 2:
a) $\mathcal{A}$ can perform a polynomially bounded number of queries as in Phase 1.
b) $\mathcal{A}$ cannot make a key extraction query for $ID_U^*$.
c) $\mathcal{A}$ cannot make an unsigncryption query for $(c^*, ID_{PP}^*, ID_U^*)$, which means $\mathcal{C}$ cannot submit $(c^*, ID_U^*)$ to its decryption oracle.
• Guess: $\mathcal{A}$ outputs a bit $\gamma'$ and wins the game if $\gamma' = \gamma$.

Theorem 2: Our proposed access control scheme satisfies EUF-ID-CMA security in the random oracle model.

Proof: Our proposed access control scheme uses the same key to achieve encryption and signcryption, so we prove the EUF-ID-CMA security of the signature part and the EUF-ID-CMA security of the signcryption part. The EUF-ID-CMA security of our proposed access control scheme is defined through the following game played between a challenger $\mathcal{C}$ and a forger $\mathcal{F}$.

1) If an adversary $\mathcal{F}$ can use $q_k$ key extraction queries, $q_d$ decryption queries and $q_s$ signature queries to break the (, $t$, $q_k$, $q_d$, $q_s$)-EUF-ID-CMA security of the signature part of our proposed access control scheme with a non-negligible
advantage $\epsilon$ and in a bounded time $t$. We can construct a challenger C that can break the Cha and Cheon's IBS scheme $(\epsilon, t, q_k, q_s)$-EUF-ID-CMA security.

2) If an adversary F can use the $q_k$ key extraction queries, $q_d'$ decryption queries, $q_s'$ signature queries, $q_{sc}'$ signcryption queries, $q_{usc}'$ unsigncryption queries to break the $(\epsilon, t', q_k, q_d', q_s', q_{sc}', q_{usc}')$-EUF-ID-CMA security of the signcryption part of our proposed access control scheme with a non-negligible advantage $\epsilon$ and in a bounded time $t'$. We can construct a challenger C that can break the Cha and Cheon's IBS scheme $(\epsilon, t, q_k, q_s)$-EUF-ID-CMA security, in which $q_s = q_s' + q_{sc}'$, $t = t' + O(q_{sc}' T_e + q_{usc}' T_v)$, and $T_e$ and $T_v$ are the maximum times spent calculating an encryption and verifying a signature.

Except for the attacker's queries, the content for EUF-ID-CMA security of our scheme is similar to the proof of EUF-ID-CMA security in [21], which we will not prove again in this paper. If you have any questions, please contact us by email.

In addition, unlike the incentive mechanism of Bitcoin, our scheme can take a penalty mechanism, which means that the designated node will be blacklisted and isolated once it refuses to ensure the safe operation of the power system. We assume that more than half of the nodes in the system network are honest, so we can conclude that our access control scheme satisfies the security requirements in subsection II-B.

V. PERFORMANCE ANALYSIS

In this section, we discuss our access control scheme's performance. After reviewing papers, we compared it with Paterson et al. [23], Vasco et al. [18] and Wang et al. [24].

Table I shows the components of each scheme. Symbol "√" indicates the scheme has this feature and symbol "×" indicates the scheme does not have this feature. Table I shows our comparison results.

TABLE I
COMPARISON OF SCHEMES COMPONENT

Scheme  Encryption  Signature  Signcryption  Cryptosystem
[23]    √           √          ×             IBC
[18]    √           √          ×             IBC
[24]    ×           ×          √             ABC
ours    √           √          √             IBC

Because the addition, exponent, pairing, and point multiplication operations are the most expensive in the whole scheme, and other operations are negligible compared with them, we use these four operations as the measure of computation cost. Table II shows the comparison of the calculation costs and communication costs of these schemes. Here, we use PM to denote the point multiplication operation in the group $G_1$, use Exp to denote the exponent operation in the group $G_2$, and use P to denote the pairing operation on the bilinear map. For communication costs, we use $|m|$ to denote the number of bits of message $m$, $|G_1|$ indicates the number of bits of an element in group $G_1$, $|G_2|$ indicates the number of bits of an element in group $G_2$, $|Z_q^*|$ indicates the number of bits of an element in the group $Z_q^*$, and $|ID|$ indicates the number of bits of the group ID. At the same time, because of the attribute-based scheme, we use $l$ to indicate the length of the attribute set involved, $n_s$ to represent the number of group members in the self-organizing network, and $|S|$ to represent the number of bits in the attribute organization.

TABLE II
COMPARISON OF SCHEMES PERFORMANCE

Scheme  Computation cost (Sender)  Computation cost (Receiver)  Communication cost
[23]    5PM+4Exp                   2Add+3PM+Exp+3P              $3|G_1| + |Z_q^*| + |G_2|$
[18]    Add+3PM+2Exp+2P            PM+Exp+3P                    $3|m| + 3|G_1|$
[24]    $(3l + n_s + 3)$Exp        $(l + n_s)$Exp+$(3+2l)$P     $(2l+3)|G_1| + |G_2| + |S|$
ours    3PM+Exp+P                  Add+PM+3P                    $2|G_1| + |m| + |ID|$

From Table II, we can see that our scheme has fewer point multiplication operations, exponential operations, and pairing operations than [23] and [18]. Attribute-based cryptosystem universal storage makes the private key length too long. It also has the characteristic that the computation cost increases linearly with the length of the attribute set and the number of group members in the self-organizing network. Therefore, the calculation cost in the scheme [24] cannot obtain a value in this paper. It can only be known that the scheme [24] does not have any advantage in terms of computation cost and communication cost.

Fig. 3. Comparison in communication cost

In order to show the advantages of our scheme in communication cost more intuitively, we set $|m| = 160$ bits, $|ID| = 160$ bits, $|G_1| = 513$ bits, $|G_2| = 1024$ bits, $|Z_q^*| = 169$ bits. Figure 3 shows the comparison of communication costs of these schemes. For scheme [24], we set the length of the attribute set $l$ to 0 bit, and the number of bits $|S|$ of the elements in the attribute mechanism is 0 bit. In reality, $l$ and $|S|$ cannot be 0 bits. Our scheme also dominates the communication
cost. As can be seen from Table II and Figure 3, our scheme
has certain advantages in computing cost and communication
cost in theoretical analysis. In particular, our scheme is also
the only one of the four schemes that implements combined
encryption, signature, and signcryption. Next, we implemented
the access control scheme using the JPBC library.
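The Table II communication-cost formulas can be evaluated directly with the bit sizes fixed for Figure 3. The Python sketch below is an added example, not code from the paper; the function names are made up here, and the second ranking assumes G1 elements are sent in the 1024-bit form that the implementation paragraph gives for P.

```python
# Added example: evaluate the communication-cost formulas of Table II.
# Bit sizes are the ones the paper fixes for Figure 3.
FIG3_SIZES = {"m": 160, "ID": 160, "G1": 513, "G2": 1024, "Zq": 169}


def communication_cost(scheme, sizes=FIG3_SIZES, l=0, s_bits=0):
    """Transmitted bits for one message under the Table II formula.

    l and s_bits (attribute-set length and |S|) only affect scheme [24];
    the paper plots [24] at its floor, l = 0 and |S| = 0.
    """
    m, ident = sizes["m"], sizes["ID"]
    g1, g2, zq = sizes["G1"], sizes["G2"], sizes["Zq"]
    formulas = {
        "[23]": 3 * g1 + zq + g2,
        "[18]": 3 * m + 3 * g1,
        "[24]": (2 * l + 3) * g1 + g2 + s_bits,
        "ours": 2 * g1 + m + ident,
    }
    return formulas[scheme]


def ranking(sizes=FIG3_SIZES, l=0, s_bits=0):
    """Schemes ordered from smallest to largest communication cost."""
    costs = {s: communication_cost(s, sizes, l, s_bits)
             for s in ("[23]", "[18]", "[24]", "ours")}
    return sorted(costs.items(), key=lambda kv: kv[1])


def saving_percent(scheme, sizes=FIG3_SIZES, l=0, s_bits=0):
    """How much smaller 'ours' is than `scheme`, in percent of that scheme."""
    other = communication_cost(scheme, sizes, l, s_bits)
    return round(100 * (other - communication_cost("ours", sizes)) / other, 1)


if __name__ == "__main__":
    for name, bits in ranking():
        print(f"{name:5s} {bits:5d} bits")
    # Each attribute adds two G1 elements to [24], so its cost grows linearly.
    for l in (1, 5, 10):
        print(f"[24] with l={l}: {communication_cost('[24]', l=l)} bits")
    # Assumption: G1 elements sent in the 1024-bit form given for P.
    uncompressed = dict(FIG3_SIZES, G1=1024)
    print([name for name, _ in ranking(uncompressed)])
```

With the Figure 3 sizes the order is ours, [18], [24], [23], and it stays the same under the 1024-bit assumption for G1.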
To construct the bilinear pairing, we use a symmetric pairing based on the elliptic curve $y^2 = x^3 + x \bmod p$ in the finite field $E(F_p)$. Considering the security of the protocol, we take $p$ = 512 bits, and the order $q$ of the cyclic group is a large prime number of 160 bits. So the output of $H_2$ and $H_3$ is 160 bits. Since $G_1$ is a cyclic addition group on the finite field $E(F_p)$ and $P$ is the generator of $G_1$, the size of $P$ is 1024 bits. The size of $P_{pub}$ is 1024 bits, and the output of the hash function $H_1$ is also 1024 bits. Here we use the secure hash function SHA-256, so the $H_4$ and $H_5$ output is 256 bits.

Fig. 4. Ratio of each phase running time
We implement our scheme in Eclipse Neon.1a Release (4.6.1). The computer configuration of the program execution environment is: Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz 2.19GHz processor, 8GB of RAM, 64-bit Windows operating system. In order to make the experimental values more representative, we cycle through the entire steps of the access control scheme 1000 times to get the average time taken to complete each algorithm. In scenario 1, we only need to encrypt and decrypt messages to achieve our access control, so the initial phase time is 105 ms, the creation phase time is 24 ms, and the access data phase is 21 ms. In scenario 2, we only need to sign and verify messages to achieve our access control, so the initial phase time is 105 ms, the creation phase time is 73 ms, and the access data phase is 76 ms. In scenario 3, we only need to signcrypt and unsigncrypt messages to achieve our access control, so the initial phase time is 105 ms, the creation phase time is 95 ms, and the access data phase is 81 ms. From Figure 4, we can see that the initial phase takes a large proportion of the time in every scenario. If the user needs to implement all three scenarios, the proportion of time in the initial phase will be greatly increased, and then the computational cost of the system will increase greatly. Conversely, if the user uses our scheme, the initial phase time will be reduced to 1/3 of the original.

VI. CONCLUSIONS

In this paper, we proposed an access control scheme for smart grids based on blockchain technology. In our scheme, we use a consensus mechanism based on the consortium blockchain, which solves the trust problem of PKG. At the same time, we use a combined cryptosystem to enable our access control scheme to cope with as many scenarios as possible. Analysis shows that the proposed scheme has lower communication cost compared with the schemes of the same type. Therefore our proposed access control scheme is very suitable for application in practical smart grids.

REFERENCES

[1] X. Fang, S. Misra, G. Xue, D. Yang: Smart Grid-The New and Improved Power Grid: A survey. In IEEE Communications Surveys & Tutorials, vol. 14, no. 4, pp. 944–980 (2011)
[2] A. Mahmood, N. Javaid, S. Razzaq: A Review of Wireless Communications for Smart Grid. In Renewable and Sustainable Energy Reviews, vol. 41, pp. 248–260 (2015)
[3] Y. Yuang, F.Y. Wang: Blockchain: The State of the Art and Future Trends. In Acta Automatica Sinica, vol. 42, no. 4, pp. 481–494 (2016)
[4] L. Sankar, S. Kar, R. Tandon, et al.: Competitive Privacy in the Smart Grid: An Information-theoretic Approach. In Pro. IEEE International Conference on Smart Grid Communication, pp. 220–225 (2011)
[5] Z.W. Sun, R.G. Zhang: Access Control for communication Network of Smart Distribution Grid. In Power System Protection and Control, vol. 21, no. 38, pp. 118–121 (2010)
[6] J. Wu, M.X. Dong, et al.: Toward Fault-Tolerant Fine-Grained Data Access Control for Smart Grid. In Wireless Personal Communications, vol. 75, no. 3, pp. 1787–1808 (2014)
[7] Z.T. Guan, J. Li, et al.: Toward Delay-Tolerant Flexible Data Access Control for Smart Grid With Renewable Energy Resources. In IEEE Transactions on Industrial Informatics, vol. 13, no. 6, pp. 3216–3225 (2017)
[8] S. Nakamoto: Bitcoin: a-peer-to-peer electronic cash system. In https://www.coindesk.com/bitcoin-peer-to-peer-electronic-cash-system, (2008)
[9] S. King, S. Nadal: Ppcoin: Peer-to-peer crypto-currency with proof-of-stake. Self-published paper, (2012)
[10] D. Larine: Delegated Proof-of-Stake (DPoS). In http://docs.bitshares.org/bitshares/dpos.html, (2014)
[11] M. Castro, B. Liskov: Practical byzantine fault tolerance and proactive recovery. In ACM Transactions on Computer Systems, vol. 20, no. 4, pp. 398–461 (2002)
[12] L. Lamport: Proving the Correctness of Multiprocess Programs. In IEEE Transactions on Software Engineering, vol. SE-3, no. 2, pp. 125–143 (1977)
[13] D. Ongaro, J. Ousterhout: In search of an understandable consensus algorithm. In Pro. 2014 USENIX Annual Technical Conference, pp. 305–319 (2014)
[14] L. Lamport: Generalized Consensus and Paxos. In Microsoft Research, vol. 7, no. 7, pp. 809–812 (2005)
[15] D. D. F. Maesa, P. Mori, L. Ricci: Blockchain Based Access Control. In Pro. 17th IFIP WG 6.1 International Conference, pp. 206–220 (2017)
[16] C. Lin, D. He, et al.: BSeIn: A blockchain-based secure mutual authentication with fine-grained access control system for industry 4.0. In Journal of Network and Computer Applications, vol. 116, pp. 42–52 (2018)
[17] S. Haber, B. Pinkas: Security combining public-key cryptosystem. In Pro. 8th ACM on CCS 2001, pp. 215–224 (2001)
[18] M.I.G. Vasco, F. Hess, R. Steinwandt: Combined schemes for signature and encryption: The public-key and identity-based setting. In Information and Computation, vol. 247, pp. 1–10 (2016)
[19] F. Hess: Efficient identity based signature schemes based pairing. In Springer-Verlag Berlin Heidelberg, pp. 310–324 (2002)
[20] D. Boneh, M. Franklin: Identity-based encryption from the weil pairing. In SIAM Journal of computing, vol. 32, no. 3, pp. 586–615 (2003)
[21] Y.Y. Zhou, Z.Q. Li, G. Hu, F.G. Li: Identity-Based Combined Public Key Schemes for Signature, Encryption, and Signcryption. In Pro. Information Technology and Applied Mathematics international conference 2017, vol. 699, pp. 3–22 (2018)
[22] T.T. Tsai, Y.M. Tseng: Revocable certificateless public key encryption. In IEEE System Journal, vol. 9, no. 3, pp. 824–833 (2015)
[23] K.G. Paterson, J.C.N. Schuldt, M. Stam, S. Thomson: On the joint security of encryption and signature, revisited. In Pro. International Conference on the Theory and Application of Cryptology and Information Security, pp. 161–178 (2011)
[24] C. Wang, X. Xu, Y. Li, et al.: Integrating ciphertext-policy attributed-based encryption with identity-based ring signature to enhance security and privacy in wireless body area networks. In Information Security and Cryptology, LNCS 8957, pp. 424–442 (2015)
[25] J.C. Cha, J.H. Cheon: An identity-based signature from gap Diffie-Hellman groups. LNCS, vol. 2567, pp. 18–30 (2003)
