Pre-MMA: precomputation-based multicast message authentication for smart grid

Technology overview

This technology introduces Pre-MMA, a high-speed authentication framework designed to secure time-critical Industrial Control Systems (ICS). It specifically addresses the vulnerability of modern digital substations to False Data Injection (FDI) and malicious command injection without compromising operational speed.

Unlike traditional security methods that rely on heavy real-time computation or delayed key disclosure, Pre-MMA exploits the predictability of ICS message content (such as static fields, repetitive measurements, or binary status flags). By pre-computing cryptographic evidence using authenticated data structures, it allows receivers to verify messages in under a millisecond, satisfying the strict latency requirements of critical protection relays (typically under 4 ms) while ensuring robust defence against spoofing.

Technology specifications

Pre-MMA is a lightweight “bump-in-the-wire” solution compatible with legacy hardware. Its core technical specifications include:

  • Dual-mode operation:
    • For Unicast: utilises efficient symmetric Message Authentication Codes (MACs) to secure point-to-point communications with minimal overhead.
    • For Multicast: employs a novel adaptation of the TESLA protocol combined with authenticated trees. This approach provides source authentication in broadcast environments without the typical “disclosure delay,” ensuring immediate verification by multiple receivers.
  • Optimised data structures: utilises Huffman Hash Trees (HHT) to prioritise the most frequent or urgent messages (e.g., “no state change” or “trip” commands). This minimises the verification path length for critical events, ensuring the highest priority messages are verified the fastest.
  • Performance metrics:
    • Throughput: supports high-volume traffic (such as IEC 61850 Sampled Values) at rates exceeding 4,000 packets/second.
    • Latency: post-message verification times are negligible, ranging from ~4 microseconds to ~250 microseconds depending on tree depth, vastly outperforming ECDSA signatures.
  • Security standards: built on SHA-256 and 256-bit nonces to ensure 128-bit security resilience against brute-force and collision attacks.
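
A simplified sketch of the precompute-then-look-up idea behind the Huffman Hash Tree item above, added here as an illustration and not taken from Pre-MMA's own code. The per-leaf secret nonce, the domain-separation tags, the message set and its weights are assumptions, and the root is assumed to reach receivers already authenticated (for example signed ahead of time).

```python
import hashlib, heapq, hmac, os

def H(tag, *parts):
    # Domain-separated SHA-256: tag 0x00 for leaves, 0x01 for inner nodes (assumed).
    return hashlib.sha256(tag + b"".join(parts)).digest()

def precompute(weighted_msgs):
    """Sender side, before any event: returns (root, {msg: (nonce, proof)})."""
    nonces = {m: os.urandom(32) for m, _ in weighted_msgs}   # secret until sent
    proofs = {m: [] for m, _ in weighted_msgs}
    heap = [(w, i, H(b"\x00", nonces[m], m), [m])
            for i, (m, w) in enumerate(weighted_msgs)]
    heapq.heapify(heap)
    tie = len(heap)                      # unique tie-breaker for equal weights
    while len(heap) > 1:                 # Huffman merge: two lightest subtrees
        w1, _, h1, left = heapq.heappop(heap)
        w2, _, h2, right = heapq.heappop(heap)
        for m in left:
            proofs[m].append((h2, False))    # sibling sits on the right
        for m in right:
            proofs[m].append((h1, True))     # sibling sits on the left
        heapq.heappush(heap, (w1 + w2, tie, H(b"\x01", h1, h2), left + right))
        tie += 1
    return heap[0][2], {m: (nonces[m], proofs[m]) for m in proofs}

def verify(root, msg, nonce, proof):
    """Receiver side, at runtime: len(proof) + 1 hashes, no public-key operation."""
    h = H(b"\x00", nonce, msg)
    for sibling, sibling_is_left in proof:
        h = H(b"\x01", sibling, h) if sibling_is_left else H(b"\x01", h, sibling)
    return hmac.compare_digest(h, root)

# Constructed message set with expected relative frequencies (not from the page).
PREDICTED = [(b"status:no-change", 90), (b"cmd:trip", 6),
             (b"cmd:close", 3), (b"mode:test", 1)]

def demo():
    root, evidence = precompute(PREDICTED)   # root must reach receivers authenticated
    depth = {m: len(p) for m, (_, p) in evidence.items()}
    ok = all(verify(root, m, n, p) for m, (n, p) in evidence.items())
    # Evidence released for one message must not authenticate another.
    nonce, proof = evidence[b"status:no-change"]
    forged = verify(root, b"cmd:trip", nonce, proof)
    return depth, ok, forged

if __name__ == "__main__":
    print(demo())
```

In this sketch the most frequent message verifies with a one-element path while the rarest needs three, and the leaf nonces must stay secret until sent because the messages themselves are predictable. A tree covers a single message slot: once a leaf's nonce is released, reusing the same root would allow that message to be replayed.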

Sector

This invention is applicable to:

  • Energy and utilities: digital substations, renewable energy integration, smart metering.
  • Industrial Internet of Things (IIoT): factory automation, SCADA systems.
  • Automotive: V2X (Vehicle-to-Everything) communication.
  • Financial services: high-frequency trading networks requiring authenticated low-latency data feeds.

Market opportunity

  • Critical infrastructure protection: as grids modernise, the attack surface for cyber-physical threats expands. Pre-MMA closes the security gap in multicast protocols (like GOOSE and SV) that currently lack authentication due to latency constraints.
  • Regulatory compliance: meets increasing governmental mandates for “Zero Trust” architectures in critical infrastructure without requiring a “rip and replace” of legacy equipment.
  • Scalability: the multicast architecture ensures that the computational load on the sender does not increase linearly with the number of receivers, making it the only viable solution for large-scale, dense sensor networks.

Applications

Key applications include message authentication services, devices and systems, and any other system that uses digital signatures and requires time-critical communication of predictable, predetermined or limited-entropy messages.

Examples: IEC 61850 digital substations, retrofit security modules, emergency shutdown systems.

Customer benefits

  • Zero-delay verification: unlike standard TESLA or digital signatures, the multicast variant of Pre-MMA allows for immediate message acceptance, ensuring protection systems react instantly to faults.
  • Multicast security without delay: Pre-MMA provides the source authentication of digital signatures (preventing impersonation) with the speed of symmetric keys. Crucially, its “for multicast” variant eliminates the verification delay found in standard TESLA protocols, allowing for immediate message acceptance.
  • Computational efficiency: shifts the vast majority of the cryptographic workload to the “pre-computation” phase (before the event occurs), leaving only lightweight memory lookups for the critical runtime phase.
  • Resilience: the system is designed to be robust against packet loss and computational Denial of Service (DoS) attacks, as invalid traffic can be rejected with minimal processing.

Technology readiness level

TRL 4

Ideal collaboration partner 

Ideal collaboration partners include:

  • Original equipment manufacturers: makers of Protection Relays, RTUs, and Switchgear (e.g., Siemens, ABB, GE Grid Solutions) looking to embed native security.
  • Cybersecurity vendors: companies specialising in OT/ICS firewalls and Intrusion Detection Systems (IDS).
  • Grid operators (TSOs/DSOs): utilities seeking to pilot secure, next-generation digital substation architectures.

Collaboration mode

This technology is suitable for multiple collaboration modes including:

  • Technology licensing: exclusive or non-exclusive licensing of the patent and algorithm portfolio.
  • Joint development: partnering to port the Pre-MMA logic onto specific industrial-grade chips (FPGA/ASIC) for commercial rollout.