System Initialization

The trusted authority is a completely trustworthy party that starts the system. The trusted authority chooses two random prime numbers *m* and *n*, where *m = 2m' + 1* and *n = 2n' + 1* and | *m*|=|*n*| = *k*0, compute *p = mn*, and *λ* = *lcm(m* −*1, n* −*1) = 2m'n'*; and defines a function, as in [82]

$$L(\mathbf{x}) = \mathbf{x} - \mathbf{1}/m \tag{3}$$

Then, consider that there are N home appliances inside a HAN. The trusted authority chooses *N+2* random numbers such that

$$\sum\_{i=0}^{N+1} p\_i = 0 \\ mod \lambda \tag{4}$$

Suppose that there are k subgroups in the home area network and the maximum communications range for any group is [0, *Xj*], then we can define the range of data sensing for an appliance as *X = max( X*1*, X*2*, X*3*,* ...*, Xk)*. Note that, the range [0, *Xk*] is a small message

space as compared to *Zn*. With this knowledge, the trusted authority chooses k + 1 prime numbers *α*0, *n*1, *n*2, *n*3,... *nk*, and computes

$$\begin{cases} R = n\_1 \times n\_2 \times \cdots \times n\_k\\ R\_i = \frac{R}{n\_i}, \quad y\_i \equiv \frac{1}{R\_i} \bmod n\_i\\ \sigma\_i = R\_i \cdot y\_i \end{cases} \tag{5}$$

where all the prime numbers are of the same length, i.e., |*ni*| = *k*1 for 1 ≤ *i* ≤ *k*. The condition of parameters is as follows (as taken from [82])

$$\begin{cases} N \cdot X^2 \le \sigma\_{0\prime} & N \cdot (X^2 + X \cdot \sigma\_0) < n\_i \\ k\_1 \cdot (k+1) + \lg k < |n| \end{cases} \tag{6}$$

which enables us to gather all data in one cipher text. The trusted authority then chooses two secure hash functions *h, H* where h = (0, 1)*l* and H = (0,1)\*  *Z*<sup>∗</sup>*n* and a random number *t*0  (0, 1)*l* as the secret key. As the system initializes, the home appliance will report the power consumption periodically after a specific time. Thus, we divide the reporting time into w time slots for ease. At each time slot, the reporting appliance reports its reading and will send zero when a device is off or inactive. Thus, the trusted authority chooses a random number *t*0 and generates a chain of N one way hash functions such as *HC*1, *HC*2, *HC*3, ..., *HCN* where each chain contains *HCN* = *hi*1, *hi*2, ..., *hiw* which is of length (*w+1*), and *hiw* (0,1)*<sup>l</sup>* is a randomly chosen number.

$$h\_{ij} = h(h\_{i(j+1)} \parallel T\_j)j = 0, 1, 2, \dots, w - 1 \tag{7}$$

For each *hij*, 1 ≤ j ≤ w, the trusted authority will also compute its corresponding key

$$key\_{ij} = h(h\_{ij} \parallel t\_0) \tag{8}$$

The proposed scheme utilizes the property of a one-time password for authentication and encryption. For that purpose, we have *hij* and *keyij* in time slot *Tj*. The header of each hash chain *h*10, *h*20, ..., *hN*0 will be signed with *α* by the third party trusted authority to ensure the validity of the hash chains for authentication. The scheme employs the AES algorithm for home appliances for encrypting the reading before sending it to the sink node. We have public parameters for the system, *parameter*: N, *ni*: i = 1, 2, 3, . . . , k, *<sup>σ</sup>j*: (j = 1, 2, 3, . . . , k), h, H, L(x), AES. Then, we have the public parameters for the system, so we will calculate key and assign it to the network entities.


### *5.4. Home Appliance Reporting*

At every time slot *Ts*, each appliance will report its reading to the sink node by calculating the following:

• Step 1: Appliance uses its secret key *pi* and (*<sup>σ</sup>*0, *σj*) to compute

$$c\_{ip} = \left[1 + n \cdot \sigma\_{\dot{\jmath}} \cdot (\mathbf{x}\_{\dot{\imath}} \cdot \sigma\_0 + \mathbf{x}\_{\dot{\imath}}^2)\right] \cdot H(T\_s)^{n \cdot p\_i} \mod n^2 \tag{9}$$

and uses the key *keyip* to compute *Cip* = *AESkeyip* (*cip*). This method is used to prevent any external attacker from knowing the readings or to avoid the worst-case scenario that HAN might communicate with an unauthorized or compromised sink node.

• Step 2: *APi* uses the hash value *hip* from hash chain vector to compute

$$\text{mac}\_{ip} = h(\mathbb{C}\_{ip} || h\_{ip}) \tag{10}$$

•Step 3: The appliance then forwards the (*Cip*, *hip*, *macip*) to the sink node. The appliance can efficiently compute these parameters, especially if *<sup>H</sup>*(*Ts*)*<sup>n</sup>*·*pi* is computed in advance.

### *5.5. Sink Node Data Aggregation*

Upon receiving the (*Cip*, *hip*, *macip*) in time slot *Ts*, the sink node checks whether the data is sent by an authenticated sender.


$$mac'\_{ip} = h(\mathbb{C}\_{ip} || h\_{ip}) \tag{11}$$

•Step 3: If *Cip* is accepted, the sink node computes *keyip* = h(*hip* || *t*0) and uses *keyip* to reproduce *cip* from *Cip* = *AESkeyip* (*cip*).

After verifying the encrypted readings received from all home appliances, the sink node runs the following data aggregation operation and calculates a single cipher text *Cp* and sends (*Cp*, *macp*) to the smart meter.

$$\begin{cases} \mathbb{C}\_p = \left(\prod\_{i=1}^N c\_{ip}\right) \cdot H(T\_s)^{n \cdot p\_{N+1}} \bmod n^2\\ \max\_s = h(\mathbb{C}\_p || T\_s || \text{sk}) \end{cases} \tag{12}$$
