
Trustworthy Remote Entities



Overview

How do you communicate with someone you don't trust? How do you share data with an untrusted system without compromising your privacy? How do you do this with today's technology? These questions are becoming increasingly important as networked computer systems become an integral part of our daily lives.

For example, the planned smart energy grid promises to revolutionize our public energy distribution infrastructure using smart measurement devices connected via modern communication networks. Smart energy meters installed in consumers' homes will communicate frequently with energy suppliers and distribution network operators to enable load forecasting, real-time energy pricing and demand response. However, smart meter data has been shown to be highly privacy-sensitive because of the information that can be inferred from energy usage traces. Consumers might not want their energy suppliers to be able to infer this private information. Therefore it might appear that we have to make a trade-off: withholding this data reduces smart grid functionality, whilst sharing it reduces consumers' privacy. Is there another option that could give us both functionality and privacy?

Protecting users' privacy in contexts such as the smart grid is a very active research area in which various solutions have been proposed. The archetypal solution is to introduce some type of intermediary into the communication path to perform privacy-enhancing computations such as data aggregation or filtering. However, this approach is usually dismissed because we lack guarantees of this intermediary's trustworthiness - we don't want to introduce a trusted third party.

But what if we had a system we could trust - a system that is trustworthy? In this research endeavour we are designing, building and evaluating the Trustworthy Remote Entity (TRE), a highly-specialized single-function networked system that can perform privacy-enhancing data processing whilst providing a very high level of assurance. Unlike a trusted third party, users are not required to blindly trust the TRE. Instead, the TRE uses tools and techniques from the field of Trusted Computing, such as remote attestation and the Trusted Platform Module (TPM), to provide technical guarantees of its trustworthiness.

In particular, our research aims to minimize the TRE's Trusted Computing Base (TCB) whilst providing just enough functionality to serve a useful purpose in privacy-enhancing architectures in the smart grid and other application domains. We are also investigating the use of formal methods to model and analyse the system architecture and communication protocols. This architecture allows us to use today's well-established cryptographic techniques and widely deployed hardware, such as the TPM, to perform Secure Multi-party Computation (SMC) cheaply and efficiently and use this to enhance privacy in the smart energy grid and other aspects of our increasingly networked society.
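The attestation check that the TRE's trustworthiness rests on, as an added example written for this page (it is not the project's own code): the TRE measures each component of its software stack into a TPM-style PCR at boot, and a remote verifier replays the measurement log, checks the quote against a fresh nonce and compares the resulting PCR value with a known-good one. The component strings are made up, and the quote is authenticated with an HMAC under a key shared with the verifier as a stand-in for the signature a real TPM produces with its asymmetric attestation key; both are assumptions.

```python
"""Added illustration of the remote-attestation check a TRE relies on.

Example code written for this page, not code from the Oxford TRE project.
It models a TPM 2.0 SHA-256 PCR (extend: PCR' = SHA-256(PCR || digest)),
a measurement log, and a verifier that replays the log to confirm the quoted
PCR matches a known-good ("golden") software stack. Assumptions: the component
strings are constructed, and the quote is authenticated with an HMAC under a
shared key as a stand-in for the TPM's asymmetric attestation-key signature.
"""
import hashlib
import hmac
import os

PCR_INIT = bytes(32)  # TPM 2.0 resets SHA-256 PCRs to all-zero

# Constructed software stacks for a single-function appliance (assumption).
GOOD_STACK = [b"tre-kernel 1.0 (minimal)", b"tre-aggregator 1.0"]
TAMPERED_STACK = [b"tre-kernel 1.0 (minimal)", b"tre-aggregator 1.0 + exfil hook"]
ATTESTATION_KEY = b"shared-demo-key"  # assumption: stands in for the TPM attestation key


def measure(component: bytes) -> bytes:
    """Digest a component before it is loaded, as a measured-boot chain would."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: the new value depends on the old value and the digest, in order."""
    return hashlib.sha256(pcr + digest).digest()


def replay_log(log: list[bytes]) -> bytes:
    """Recompute the PCR value a TPM holds after extending every logged digest in order."""
    pcr = PCR_INIT
    for digest in log:
        pcr = extend(pcr, digest)
    return pcr


class SimulatedTRE:
    """The appliance side: measures its stack at boot and answers quote requests."""

    def __init__(self, components: list[bytes]):
        self.log = [measure(c) for c in components]
        self.pcr = replay_log(self.log)

    def quote(self, nonce: bytes) -> dict:
        # A quote binds the PCR value to the verifier's nonce so an old quote cannot be replayed.
        sig = hmac.new(ATTESTATION_KEY, nonce + self.pcr, hashlib.sha256).digest()
        return {"nonce": nonce, "pcr": self.pcr, "log": list(self.log), "sig": sig}


def verify_quote(quote: dict, expected_nonce: bytes, golden_pcr: bytes) -> bool:
    """Verifier side: freshness, authenticity, log consistency, then policy."""
    if not hmac.compare_digest(quote["nonce"], expected_nonce):
        return False  # stale or replayed quote
    expected_sig = hmac.new(ATTESTATION_KEY, quote["nonce"] + quote["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(quote["sig"], expected_sig):
        return False  # not produced by the attestation key
    if not hmac.compare_digest(replay_log(quote["log"]), quote["pcr"]):
        return False  # the log does not explain the quoted PCR value
    return hmac.compare_digest(quote["pcr"], golden_pcr)


def run_scenarios() -> dict:
    """Exercise a good appliance, a tampered one, and a replay of an old quote."""
    golden = replay_log([measure(c) for c in GOOD_STACK])
    good, bad = SimulatedTRE(GOOD_STACK), SimulatedTRE(TAMPERED_STACK)
    nonce = os.urandom(16)
    old_quote = good.quote(nonce)
    fresh_nonce = os.urandom(16)
    return {
        "good": verify_quote(good.quote(nonce), nonce, golden),
        "tampered": verify_quote(bad.quote(nonce), nonce, golden),
        # an attacker replays a genuine earlier quote against a new challenge
        "replayed": verify_quote(old_quote, fresh_nonce, golden),
    }


if __name__ == "__main__":
    print(run_scenarios())  # {'good': True, 'tampered': False, 'replayed': False}
```

The point the example makes is that the verifier never trusts the TRE's word: the PCR value is only meaningful because the log replays to it, the quote is only meaningful because it is bound to the verifier's own nonce, and the policy decision reduces to comparing against a golden value for a deliberately small software stack, which is why minimizing the TCB matters.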


Paper: Privacy-Enhanced Bi-Directional Communication in the Smart Grid

Authors: Andrew Paverd, Andrew Martin and Ian Brown

Fifth IEEE International Conference on Smart Grid Communications 2014 (SmartGridComm14)

Abstract: Although privacy concerns in smart metering have been widely studied, relatively little attention has been given to privacy in bi-directional communication between consumers and service providers. Full bi-directional communication is necessary for incentive-based demand response (DR) protocols, such as demand bidding, in which consumers bid to reduce their energy consumption. However, this can reveal private information about consumers. Existing proposals for privacy-enhancing protocols do not support bi-directional communication. To address this challenge, we present a privacy-enhancing communication architecture that incorporates all three major information flows (network monitoring, billing and bi-directional DR) using a combination of spatial and temporal aggregation and differential privacy. The key element of our architecture is the Trustworthy Remote Entity (TRE), a node that is singularly trusted by mutually distrusting entities. The TRE differs from a trusted third party in that it uses Trusted Computing approaches and techniques to provide a technical foundation for its trustworthiness. An automated formal analysis of our communication architecture shows that it achieves its security and privacy objectives with respect to a previously-defined adversary model. This is therefore the first application of privacy-enhancing techniques to bi-directional smart grid communication between mutually distrusting agents.
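The three operations the abstract names, spatial aggregation, temporal aggregation and differential privacy, as an added example of the processing a TRE-style intermediary could perform on meter readings. This is illustrative code written for this page, not the paper's implementation (the page does not give the paper's exact mechanism); the readings, group size, epsilon, per-interval consumption bound and minimum group size are all constructed assumptions.

```python
"""Added illustration of the privacy-enhancing processing a TRE could perform.

Example code written for this page, not the paper's implementation. It shows
spatial aggregation (sum across a group of meters per interval, for network
monitoring), temporal aggregation (sum per meter across the billing period,
for billing) and Laplace noise for differential privacy on the released
spatial aggregates. All inputs and parameters below are constructed assumptions.
"""
import math
import random

# Constructed sample: four meters, six half-hour intervals, readings in Wh (assumption).
READINGS = {
    "meter-A": [400, 300, 900, 1200, 500, 200],
    "meter-B": [150, 150, 200, 1800, 700, 300],
    "meter-C": [50, 50, 50, 50, 50, 50],
    "meter-D": [600, 800, 700, 900, 950, 650],
}
MAX_WH_PER_INTERVAL = 2000  # assumed physical bound: one consumer moves an interval sum by at most this
MIN_GROUP_SIZE = 3          # assumed policy: refuse to release aggregates over tiny groups


def spatial_aggregate(readings: dict) -> list:
    """Per-interval total over the group: what a network operator needs for monitoring."""
    return [sum(interval) for interval in zip(*readings.values())]


def temporal_aggregate(readings: dict) -> dict:
    """Per-meter total over the period: what a supplier needs for billing,
    without the intra-period trace from which appliance use can be inferred."""
    return {meter: sum(trace) for meter, trace in readings.items()}


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverting its CDF."""
    u = rng.random() - 0.5            # uniform on [-0.5, 0.5)
    u = max(u, -0.5 + 1e-12)          # keep log() finite at the lower endpoint
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def release_monitoring(readings: dict, epsilon: float, rng=None) -> list:
    """Spatial aggregates with Laplace noise calibrated to the sum's L1 sensitivity.

    Each interval is released with scale = sensitivity / epsilon, so one interval's
    release is epsilon-differentially private with respect to any single consumer's
    reading; over T intervals basic composition gives a total loss of T * epsilon
    for that consumer's whole trace, which is why epsilon must be budgeted per period.
    """
    if len(readings) < MIN_GROUP_SIZE:
        raise ValueError("group too small: aggregation alone would barely hide an individual")
    if rng is None:
        rng = random.SystemRandom()   # a real release needs unpredictable noise
    scale = MAX_WH_PER_INTERVAL / epsilon
    return [total + laplace_noise(scale, rng) for total in spatial_aggregate(readings)]


if __name__ == "__main__":
    demo_rng = random.Random(7)       # seeded only so the demo is reproducible
    print("true spatial sums:", spatial_aggregate(READINGS))
    print("noisy release    :", [round(x) for x in release_monitoring(READINGS, 0.5, demo_rng)])
    print("billing totals   :", temporal_aggregate(READINGS))
```

The division of labour mirrors the abstract's three flows: the operator sees only noisy group totals per interval, the supplier sees only per-consumer totals per billing period, and the individual half-hourly readings never leave the intermediary. Nothing in this code makes the intermediary trustworthy; that is the part the attestation of the TRE's software stack has to supply.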

As explained in this paper, we used the Casper-Privacy tool to analyse the communication protocols in our architecture. The input scripts used in this analysis are available for download below:


Paper: Security and Privacy in Smart Grid Demand Response Systems

Authors: Andrew Paverd, Andrew Martin and Ian Brown

Second Open EIT ICT Labs Workshop on Smart Grid Security 2014 (SmartGridSec14)

Abstract: Various research efforts have focussed on the security and privacy concerns arising from the introduction of smart energy meters. However, in addition to smart metering, the ultimate vision of the smart grid includes bi-directional communication between consumers and suppliers to facilitate certain types of Demand Response (DR) strategies such as demand bidding (DR-DB). In this work we explore the security and privacy implications arising from this bi-directional communication. This paper builds on the preliminary work in this field to define a set of security and privacy goals for DR systems and to identify appropriate and realistic adversary models. We use these adversary models to analyse a DR-DB system, based on the Open Automated Demand Response (OpenADR) specifications, in terms of the security and privacy goals. Our analysis shows that whilst the system can achieve the defined security goals, the current system architecture cannot achieve the privacy goals in the presence of honest-but-curious adversaries. To address this issue, we present a preliminary proposal for an enhanced architecture which includes a trusted third party based on approaches and technologies from the field of Trusted Computing.


Student Research Abstract: Trustworthy Remote Entities in the Smart Grid

Author: Andrew Paverd

Student Research Competition at ACM Symposium on Applied Computing 2013 (ACM SAC'13)

Selected as one of 5 international finalists

Abstract: It has been demonstrated that the frequent energy measurements from smart meters could pose a risk to individual privacy. Although various solutions have been proposed, this remains an open research challenge. This proposed research endeavour aims to enhance user privacy by introducing a novel element into the smart grid architecture. The Trustworthy Remote Entity (TRE) is a computational and communication system situated as an intermediary between a group of smart meters and the external smart grid entities. The TRE enhances user privacy by providing a degree of indirection in this bidirectional communication architecture. The proposed research methodology involves first modelling the behaviour of the TRE and then architecting this system using Trusted Computing technologies. Given the current state of smart grid development, it is anticipated that this research will have a significant impact on the smart grid.


Further Information

For any further information, please contact: Andrew Paverd