SP2DAS: Self-certified PKC-Based Privacy-Preserving Data Aggregation Scheme in Smart Grid

Smart grid is a network of computers and power infrastructure that monitors and controls energy usage by collecting data from the power grid. It can gather and distribute information about the behavior of all consumers in order to improve the efficiency, reliability, economics, safety, and sustainability of electricity services. In this paper, we propose a self-certified PKC-based privacy-preserving data aggregation scheme for the smart grid that increases computational efficiency and protects the privacy of end users. To realize anonymous aggregation of multidimensional data, we combine the Chinese Remainder Theorem with the homomorphic property of the Paillier cryptosystem. Comparing our scheme with Lu et al.'s scheme shows that ours has lower computational costs for the user, the GW, and the OA. After adopting a batch verification technique, the computational cost of the GW is constant in our scheme, whereas in Lu et al.'s scheme it grows linearly with the number of users. Furthermore, our scheme also supports anonymity of the user's identity: the local gateway GW does not learn the real identity of the resident user, so the user's privacy is better protected.


Introduction
Power electric systems in most countries have become old and inefficient, which may result in potential safety hazards. The Northeast blackout of 2003 is worth pondering. In this accident, about 200,000 people were affected, and 265 power plants were shut down during the outage. The investigation report found that the blackout was due to human error and equipment failures, and it indicated that this blackout could have been prevented and that immediate actions must be taken in both the United States and Canada to make the electric system more reliable. It puts forth a challenge for us: when a problem appears, how should we find it and solve it in time? To overcome the problems caused by aging power grids, the smart grid has been developed. The earliest emerging smart grid technologies are electronic control, metering, and monitoring. The term smart grid has been used since at least 2005, when it appeared in [1]. There are many smart grid definitions in the recent literature in different flavors. However, a common factor in these definitions is the application of digital processing and communications to the power grid, making data flow and information management central to the smart grid.
The objective of the smart grid is to provide end users or consumers with power in a more flexible, stable, and reliable manner. It lets end users know their real-time electricity usage so that they can actively adjust their use of electricity. Therefore, the smart grid is characterized by a two-way flow of electricity and information between the provider and the consumer of electric power. It achieves an automated, distributed energy delivery network and helps end users balance power supply and demand by using distributed computing and communications to deliver real-time information. Meanwhile, it can also detect and respond to weaknesses or failures in the power system in real time so that potential dangers are prevented.
The communication framework in the smart grid is shown in Figure 1, where the power transmission and distribution systems are separated from the communication system. In the communication system of the smart grid, the smart meter is an important component: it can record the consumption of electric energy in a time interval and communicate the information back to the utility for monitoring and billing purposes. However, current smart metering technologies may result in privacy leaks because they depend upon centralizing the personal consumption information of consumers at their smart meters. In 2009, the Netherlands enacted laws that require privacy issues to be considered when smart meters are used [2]. Similarly, in the United States, NIST dictated that privacy issues be taken into account in the design of smart grid communications [3]. These privacy concerns may be addressed by adequately authenticating the smart meters. However, a smart meter is a rather resource-limited device with low memory and computational capacity. Thus, we cannot put too much burden on the constrained smart metering resources when designing an authentication mechanism for smart grid communication.
Because communication in the smart grid is based on public data communication networks such as the Internet, a wide variety of malicious attacks exist, such as replay, eavesdropping, data tampering, traffic analysis, location tracing, and denial of service (DoS) attacks. Thus, before putting the smart grid into practice, the corresponding security and privacy issues must be resolved. For example, without security and privacy guarantees, an adversary in the smart grid can forge fraudulent electricity usage data or breakdown information to mislead the operation center. For end users, privacy is the most pressing concern. It includes privacy of identity and privacy of data. Power consumption data may reveal family income and physical activities. For example, if the power consumption of a household in a certain period is very low or zero, it implies that no one is at home. The user's identity is sensitive information. If it is leaked, it may create potential safety risks, since the home address and the number of apartments of the user then become known. Thus, this privacy-sensitive information must be anonymous.
To achieve data privacy, an encryption algorithm is used to ensure the safety of the data. However, it may result in data expansion. How do we resist data expansion while keeping data privacy? This is a challenge for a smart meter with constrained resources. To solve this issue, we adopt a homomorphic encryption technique [4], since it allows data aggregation while the data remain encrypted. In other words, data can be aggregated in ciphertext form. In 2005, Castelluccia et al. [5] adopted homomorphic encryption techniques to realize the aggregation of encrypted data without decryption at intermediate nodes. Subsequently, Westhoff et al. showed that the scheme [6] may result in an increased message overhead per monitoring node, since the ID list of the encrypting nodes must be transmitted when every node uses a different key. Thus, a symmetric homomorphic encryption technique was applied to increase efficiency in [6]. In [7], Shi et al. built on Castelluccia's scheme to put forth a privacy-preserving data aggregation scheme to preserve user privacy. Most of the previous works mainly focus on one-dimensional data. Recently, Lu et al. proposed a multidimensional data aggregation approach based on the homomorphic Paillier cryptosystem by using a superincreasing sequence [8]. However, the computation overhead of the local gateway is rather high, and the identity of the end user is revealed in the communication between the user and the local gateway. According to [9], the local GW has at most 128 KB of random access memory (RAM), 1 MB of flash memory, and a 1�0 MHz CPU. Thus, the computational cost of the local gateway should be as low as possible.
Since the communication between the end user and the local gateway (GW) usually adopts wireless technology, the end user is exposed to various attacks over the open wireless network. Privacy protection of the end user's identity is therefore particularly important. Two important approaches to guaranteeing the end user's privacy are pseudonym mechanisms and group signature techniques. The pseudonymity-based approach needs to change a pseudonym periodically. The group signature-based approach results in a longer signature than the original signature, and the computation cost of verifying a signature is very large. These approaches are suitable for smart metering with limited resources.
Self-certified public key cryptosystems were introduced by Marc [10]. In a self-certified public key system, verification and management of certificates are not required, and the key escrow problem is also eliminated. The main idea is that the certificate of the public key is replaced by a witness in which the public key is implicitly embedded. Anyone who holds a witness along with an attributive identity can recover the corresponding public key to verify a signature. Thus, communication, computation, and storage requirements are reduced.
Our Contributions. To construct a scheme which is suitable for devices with low communication and computation resources in the smart grid and which protects the privacy of the end user's identity, in this paper we propose a novel self-certified PKC privacy-preserving data aggregation (SP2DA) scheme. This scheme supports the aggregation of multidimensional power usage data by converting multidimensional data into single-dimensional data. The main contributions of this paper are three-fold.
(1) To support aggregation of multidimensional data, we adopt the Chinese Remainder Theorem to convert multidimensional data into single-dimensional data.
(2) To support privacy of identity, the scheme adopts self-certified public key cryptography. This gives the scheme the following advantages: a short signature and low computation.
(3) In the scheme, the computational cost of the local gateway is constant. This gives our scheme an advantage over Lu et al.'s scheme [8] in terms of computational cost.

Communication System Model in Smart Grid
In the following, we give the formal communication system model, the security requirements, and our design goals. Here, we assume that the OA is trusted, the local gateway GW is semi-trusted, and the users U = (U_1, U_2, …) in the residential area are honest. Because the connection between the local gateway and the users uses wireless techniques, an adversary may eavesdrop on the residential users' communication to obtain messages. In addition, we allow the adversary to launch active attacks on the residential users. To resist such attacks, we require that communication in the smart grid satisfy the following security requirements.
(1) Authentication: this includes authentication of the user identity and of message integrity. User identity authentication means that the encrypted report comes from a legitimate user. Message integrity authentication means that the transmitted data has not been altered; any tampered data can be detected.
(2) Privacy: this also includes two points. The first is that the data sent by a residential user is private, since it is encrypted and only the final aggregate is recovered, and only the operation authority OA can recover it. The second is that the identity of the residential user is private from the local gateway: no one can obtain information related to the identity of the user from the transmitted data, and even the OA cannot obtain any information about an individual user from the aggregated data.

Design Goal.
Based on the previous communication model and security requirements, our design goal is to construct an efficient data aggregation protocol to achieve the following three objectives.
(1) Multidimensional data aggregation: in the smart grid, the data that smart meters collect includes various types, such as the amount of consumed power, temperature, and so on. The data in a single dimension do not reflect the global situation; thus, we must take all dimensions into account in order to realize finer-grained control and optimization. At the same time, the smart meters of hundreds and thousands of residential users periodically send multidimensional data. To efficiently deal with the huge communication cost and the multidimensional data, we need to construct an efficient aggregation scheme that supports multidata aggregation.
(2) Global security: the smart meter-generated data should be authenticated to guarantee that they come from real sources and have not been tampered with during transmission. Tampered, fraudulent data must be caught by the OA.
(3) Privacy of the residential user: if a residential user behaves honestly and follows the protocol, its identity privacy should be guaranteed against attackers who can eavesdrop on communication in the smart grid. This means that the identities of the residential users are not revealed during the transmission of the data. Moreover, even the OA cannot obtain the identity information of the residential users from the transmitted real-time reports.

Preliminaries
In the following, we first review the bilinear pairing technique [11] and the Paillier cryptosystem [9] as well as some mathematical problems. They are the basis of the proposed SP2DA scheme. Then some security assumptions, which are the basis of the security proof, are given.

Bilinear Map and Paillier Cryptosystem.
In this subsection, we briefly review the properties of bilinear pairings.
Let G_1, G_2, and G_T be three cyclic multiplicative groups of prime order q, and let g_1 and g_2 be generators of G_1 and G_2. An admissible pairing e: G_1 × G_2 → G_T is a map satisfying the three standard properties of a bilinear pairing. The modified Weil pairing and the Tate pairing are admissible maps of this kind; interested readers are referred to [12] for the details. The Paillier cryptosystem [9] is a classic homomorphic encryption scheme. Its homomorphic property follows from that of the exponentiation function: an encryption of the message m_1 + m_2 can be obtained from any encryptions of the messages m_1 and m_2, as E(m_1, r_1) · E(m_2, r_2) = E(m_1 + m_2, r_1 · r_2). Its security is based on a discrete logarithm trapdoor modulo a large integer. In the following, we briefly review it.
(1) Key generation phase: let n = p_1 q_1 be an RSA modulus, where p_1 and q_1 are two large prime numbers. Let g be an element of order at least n in the multiplicative group Z*_{n^2}. Then the public key is pk = (n, g), and the corresponding private key is (p_1, q_1).
(2) Encryption phase: let m ∈ Z_n be the message to be encrypted; randomly choose r ∈ Z*_n and compute the ciphertext c = E(m) = g^m r^n mod n^2.
(3) Decryption phase: given a ciphertext c ∈ Z*_{n^2}, the corresponding plaintext m = D(c) can be recovered with the private key (p_1, q_1). Please refer to [4] for the detailed process.

Security Assumption
Our Anonymous Self-Certified Signature Scheme
In this section, we give a novel self-certified anonymous signature scheme, which is the basis for achieving anonymity of the residential user's identity in our SP2DA scheme. (8) and sends it to the user. Then the user's private key is the resulting pair.

Anonymous Signing.
To produce a signature on a message, the user with identity ID computes as follows.
(1) First, it randomly chooses a number and raises both its witness and H_1(ID) to that number, in order to conceal the witness of the user and his identity ID.

Verifying.
After receiving a signature on a message, a verifier can execute the following process for each signature.
In the following, we give the detailed process. To answer the different queries from the adversary, we run the simulator ℬ to set up the system parameters. Let G_1, G_2, and G_T be three cyclic groups of order q, and let e: G_1 × G_2 → G_T be a bilinear pairing map. ℬ sets g_2 = h as the generator of group G_2 and MPK = h raised to the unknown master private key as the master public key of the TTP, where that master private key is unknown to ℬ. Let ψ be a computable isomorphism from G_2 to G_1 with ψ(g_2) = g_1. H_1: {0, 1}* → G_2 and H_2: G_1^5 → Z_q are two hash functions. Finally, ℬ sends the system parameters Para = (G_1, G_2, e, g_1, g_2, MPK, H_1, H_2, ψ) to the attacker. H_1-Oracle: when the adversary makes a query with identity ID_i, ℬ outputs the stored h_1 = H_1(ID_i) if ID_i already appears in the H_1-list, which is initially empty. Otherwise, ℬ tosses a coin with the probability Pr[coin_i = 1] = δ and randomly chooses a value in Z_q to answer the query as follows.
Anonymous Signing Oracle. When the adversary issues an anonymous signature query on (m_i, ID_i): if ID_i exists in the witness and private-key lists, then ℬ retrieves the corresponding private key and witness and runs the anonymous signing algorithm to produce a signature. Otherwise, ℬ proceeds as follows.
Note that we assume ID_i is queried to the H_1-oracle before any other oracle is queried with ID_i.
(3) ID* is not an input of the vehicle register oracle.
(4) The coin corresponding to ID* is equal to 1 in the H_1-list. (5) The entry corresponding to ID* exists in the witness list.
According to the forking lemma [14], ℬ replays with the same random tape but a different choice of hash responses. Although the private key of the signer is included, it is randomized by two random numbers. Thus, it does not reveal any information about the signer's identity. According to the previous statements, no one can obtain the identity of the signer from a signature. Therefore, our scheme achieves anonymity.

Our Privacy-Preserving Data Aggregation Scheme
In the following, we put forth a novel privacy-preserving aggregation scheme for the smart grid by utilizing the proposed self-certified anonymous signature scheme. Three types of entities, that is, the trusted operation authority (OA), a local gateway (GW), and the residential users (U), are involved in the scheme. It mainly consists of the following six phases: system initialization, GW registration, user registration, user report generation, privacy-preserving report aggregation, and secure report reading and response.

System Initialization.
In addition, OA initializes the Paillier cryptosystem. Therefore, it chooses two large primes p_1 and q_1 of equal length, computes the RSA modulus n = p_1 q_1 and λ = lcm(p_1 − 1, q_1 − 1), defines the function L(u) = (u − 1)/n, chooses a generator g ∈ Z*_{n^2}, and computes μ = (L(g^λ mod n^2))^{−1} mod n. At the same time, we assume that the number of households in a residential area is at most a fixed bound, and that k denotes the number of different types of reported electricity usage data (d_1, …, d_k) in the smart grid, where each d_j is less than a constant. Then, OA chooses k coprime numbers (m_1, …, m_k) and keeps the corresponding master keys.

GW Registration.
When a local gateway (GW) of the residential area wants to register itself in the system, it randomly chooses a number as its private key and computes the corresponding public key.

User Registration.
When a user U_i of the residential area wants to join the system, the user U_i with real identity ID_U must interact with the OA over a confidential channel by the following steps. ( and returns the membership certificate to the resident user and keeps (ID_U, certificate) in its database. (4) Upon receiving (ID_U, certificate), the user first checks whether it is valid by the following equation. If it is valid, then (ID_U, certificate) is the membership certificate of the user U_i, and it is added to the local database.

User Report Generation.
To periodically report electricity usage data, each residential user U_i collects k types of data (d_1, …, d_k) using the smart meter and executes the following steps.
(1) Randomly choose a value and compute the Paillier encryption. We can see that the computation overhead of batch verification is approximately that of verifying a single signature. It only needs three pairing operations, which are the most time-consuming operations.
Aer all previously mentioned verifying is valid, the gateway GW performs the following aggregation process to aggregate all electricity usage reports.
(1) It aggregates all encrypted data  1 ,  for  = 1 to  compute   =  mod   = ∑  =1  1 mod   .All derived electricity usage data ( 1 ,  2 ,  ,   ) are the aggregation of  residential user's electricity usage.Aer analyzing these data, the OA sends the feedback data  ∈   to notify all residential users in residential area RA for adjusting the usage of electricity quantity.e process is done as follows.
(3) e resultant cipher is  = (U, , ).In fact, it is a broadcast encryption from Step 1 to Step 3.
( With the recovered electricity usage feedback report , the user U  can control power use of household appliances from peak times to nonpeak times for saving electrical energy and rational utilization.

Security Analysis
In this section, we show that our scheme satis�es the previous security requirements.
(1) Global security requirement: obviously, this requirement is satisfied, since each user's report is signed with our anonymous signature algorithm and the aggregated report is signed with the BLS signature algorithm. Furthermore, Lemma 1 shows that our anonymous signature is secure against adaptive chosen message attack, and the BLS short signature is provably secure under the CDH problem. Thus, we can efficiently authenticate the resident user, and no valid signature can exist on tampered data.
(2) Multidimensional data aggregation: in our SP

Conclusion
In this paper, we have proposed an efficient self-certified PKC-based privacy-preserving data aggregation scheme to satisfy the efficiency requirements of smart grid communication. By adopting the Chinese Remainder Theorem and the homomorphic property of the Paillier cryptosystem, it achieves multidimensional data aggregation in ciphertext form. And it applies our proposed anonymous signature scheme to achieve anonymity of the real identities of end users in end-user-to-GW communication. It efficiently resists the end user's identity leakage problem, which is not considered in other literature. Compared with Lu et al.'s multidimensional data aggregation scheme, our scheme can significantly reduce the computational cost of the local gateway GW. We have also provided a security analysis to demonstrate that the proposed scheme satisfies the desired security requirements. Tracing the malicious behavior of a dishonest residential user (end user) in a residential area is left as future work.

F 1 :
e conceptual architecture of smart grid.
where k is an integer and α ∈ Z_q, the goal of the k-weak CDH problem is to compute g_1^{1/α}. The k-wCDH problem is (t, ε)-hard if there is no PPT algorithm that can solve the k-wCDH problem in time at most t with probability at least ε.

(k + 1) Exponent Problem (EP). Let G_1 be a multiplicative cyclic group of order q, g_1 a generator of G_1, and Z_q a finite field. Given the k + 1 values (g_1, g_1^α, g_1^{α^2}, …, g_1^{α^k}), where k is an integer and α ∈ Z_q, the goal is to compute g_1^{α^{k+1}}. The (k + 1) EP is (t, ε)-hard if there is no PPT algorithm that can solve it in time at most t with probability at least ε.

Extended (k + 1) Exponent Problem. Let G_1 and G_2 be two multiplicative cyclic groups of order q, g_2 a generator of G_2, Z_q a finite field, and ψ a computable isomorphism from G_2 onto G_1 such that ψ(g_2) = g_1. Given the k + 1 values (g_2, g_2^α, g_2^{α^2}, …, g_2^{α^k}) and the isomorphism ψ, where k is an integer and α ∈ Z_q, the goal is to compute g_1^{α^{k+1}}. The extended (k + 1) EP is (t, ε)-hard if there is no PPT algorithm that can solve it in time at most t with probability at least ε.

Chinese Remainder Theorem [13]. Suppose m_1, m_2, …, m_k are positive integers which are pairwise coprime. Then, for any given sequence of integers a_1, a_2, …, a_k, there exists an integer x solving the system of simultaneous congruences x ≡ a_i (mod m_i), i = 1, …, k (5). Let the product M = m_1 m_2 ⋯ m_k. Then a solution x can be found as follows. For each i, the integers M_i = M/m_i and m_i are coprime. Using the extended Euclidean algorithm we can find integers r_i and s_i such that r_i m_i + s_i M_i = 1. Let e_i = s_i M_i. Then a solution x is given by x = Σ_{i=1}^{k} a_i e_i mod M.

Decisional Bilinear Diffie-Hellman Problem (DBDH). The DBDH problem in (G_1, G_2, G_T) is stated as follows: given four elements for unknown a, b, c ∈ Z_q and an element Z ∈ G_T, determine whether Z = e(g_1, g_2)^{abc}.

The Weak Computational Diffie-Hellman Problem (WCDH). Let G_1 be a multiplicative cyclic group of order q, g_1 a generator of G_1, and Z_q a finite field. Given k + 1 values as above, the hardness of the (k + 1) exponent problem is proved to be polynomial-time equivalent to the k-wCDHP.
System Setup. Let G_1, G_2, and G_T be three cyclic groups with the same prime order q, let e: G_1 × G_2 → G_T be a pairing map, g_2 a generator of G_2, and ψ: G_2 → G_1 an isomorphism map. The TTP chooses two hash functions H_1: {0, 1}* → G_1 and H_2: {0, 1}* → Z_q. Then it randomly chooses a private key msk ∈ Z_q and computes the corresponding public key mpk = g_2^{msk}. Finally, the system parameters (G_1, G_2, G_T, g_2, e, ψ, q, H_1, H_2, mpk) are published (7).

KeyGen. For a user with identity ID, it first randomly selects a private key x ∈ Z_q and computes pk = e(g_1, g_2)^x. Then the public-private key pair is (pk, x).

WitReg. When a user with identity ID wants to register, it computes a zero-knowledge proof of its private key x for the relation pk = e(g_1, g_2)^x and sends (ID, pk, proof) to the TTP. The TTP first checks whether pk is well formed and the proof is valid. If they hold, then it produces the following witness from H_1(ID) and its master key (8).

Lemma 1. If there exists an adversary that can forge the above anonymous signature on a message, then the (k + 1) EP can be solved in polynomial time.

Proof. We show that if an adversary could forge a valid message signature in our scheme, then there exists another algorithm ℬ that can solve a (k + 1)-EP instance. Finally, ℬ returns h_1 to the adversary and adds (ID_i, coin_i, h_1) to the H_1-list. H_2-Oracle: when the adversary makes a query with a string, ℬ outputs h_2 = H_2(string) if the string is already in the H_2-list, which is initially empty. Otherwise, ℬ randomly chooses h_2 ∈ Z_q, returns it to the adversary, and adds (string, h_2) to the H_2-list. Corruption Oracle: when the adversary makes a corruption query with identity ID_i, ℬ outputs the stored private key x_i if ID_i exists in the corruption list, which is initially empty. Otherwise, ℬ randomly chooses x_i ∈ Z_q, returns it to the adversary, and adds (ID_i, x_i) to the list. WitReg Oracle: when the adversary issues a witness register query on input (ID_i, pk_i, proof), ℬ outputs the witness w'_i if ID_i is in the witness list, which is initially empty. Otherwise, ℬ looks up the private key x_i and the H_1 entry for ID_i in their respective lists. If coin_i = 0, then ℬ computes the following witness: (5) ℬ checks whether the string to be hashed already exists in the H_2-list. If it does, ℬ outputs Fail and aborts. Otherwise, it sets the hash value h_2 for that string. (6) Finally, the resultant four-component signature is returned to the adversary. Forgery: eventually, the adversary outputs a forgery σ* on message m* under identity ID*. The adversary wins the game if and only if the following conditions hold.
and the exponent is an unknown number used as a blinding factor in the signing phase, namely, the identity component of the signature equals H_1(ID*) raised to that blinding factor. From the scheme, we know that the witness and H_1(ID) are the identity-related information of the signer. However, in our signature both are blinded by a random number. Thus, it is impossible to obtain any information about H_1(ID) or the witness from the signature components. Then ℬ obtains another valid signature σ'* on the same message m*, related to the first forgery as guaranteed by the forking lemma. We assume that ID* is in the H_1-list. Then we have the two forgeries and the two hash values.

System Initialization. The trusted operation authority (OA) sets up the system as follows. Let G_1, G_2, and G_T be three multiplicative cyclic groups of the same large prime order q; g_2 ∈ G_2 is a generator of G_2; ψ is a computable isomorphism from G_2 onto G_1 such that ψ(g_2) = g_1; e: G_1 × G_2 → G_T is a bilinear map. The OA randomly chooses two master keys s, s_0 ∈ Z*_q; then the corresponding public keys MPK = g_2^s and MPK_0 = g_2^{s_0} are computed. A random element of group G_1 is also chosen. And it chooses three collision-resistant hash functions H_0: {0, 1}* → G_1, H_1: {0, 1}* → G_1, and H_2: {0, 1}* → Z_q.
(d_1, …, d_k). Let the packed plaintext be Σ_{j=1}^{k} a_j d_j, with each per-dimension aggregate bounded by m_j and the total aggregate smaller than n, where a_j is derived by the previous Chinese Remainder Theorem and d_{ij} denotes the j-th electricity usage datum of user i. After that, for j = 1 to k, OA computes g_j = g^{a_j}. Finally, OA publishes the system parameters params = (G_1, G_2, G_T, g_2, e, ψ, MPK, MPK_0, H_0, H_1, H_2, g_1, …, g_k). (1) The user U_i with identity ID_i first chooses a private key x_i ∈ Z_q and computes the corresponding public key pk_i = e(g_1, g_2)^{x_i}. (2) Then it computes a zero-knowledge proof ZKP_0 of the private key x_i and sends (ID_i, pk_i, ZKP_0) to OA. (3) The OA verifies the validity of pk_i and the zero-knowledge proof ZKP_0. If they hold, then the OA computes (2) Then, it randomly chooses a blinding value to raise the certificate and H_1(ID_i) to, in order to conceal the certificate and the identity ID_i of the residential user U_i. And it randomly chooses a second value to compute the remaining components, hashing the concatenation of the components with H_2. The resultant anonymous signature on the message is σ_i, a four-component tuple. (5) Finally, the encrypted electricity usage data, concatenated as ciphertext || σ_i || timestamp || RA, is reported to the local gateway GW in residential area RA. Note that the reported electricity usage data of user U_i does not reveal any information about the user's identity. After receiving all electricity usage data ciphertext || σ_i || timestamp || RA, i = 1, 2, …, n, from RA, the local gateway GW first checks whether the timestamp belongs to a valid time slot; then it verifies the validity of each signature σ_i (i = 1, 2, …, n) by the following process. (1) First, GW parses σ_i into its four components and computes h_2 = H_2 over their concatenation.
Finally, send the aggregated data (aggregated ciphertext || RA || GW || timestamp || signature) to the operation authority OA.

Secure Report Reading and Response.
After receiving the aggregated report, the OA first checks whether the GW's signature is valid by the pairing equation e(signature, g_2) = e(H(aggregated ciphertext || RA || GW || timestamp), public key of GW). Then it decrypts the aggregated and encrypted electricity usage report with the Paillier decryption algorithm.
Then the OA produces a BLS signature on (feedback || RA || OA || timestamp), where the timestamp marks the current period, and sends the feedback together with the signature to the local gateway GW in the residential area. (5) Upon receiving the transmitted feedback and signature, the GW can check whether they are valid by the equation e(signature, g_2) = e(H(feedback || RA || OA || timestamp), MPK).
2DA scheme, we adopt the Chinese Remainder Theorem and the Paillier cryptosystem. It achieves multidimensional data aggregation in ciphertext form. A user's transmitted data (d_1, …, d_k) are represented as g_1^{d_1} · g_2^{d_2} ⋯ g_k^{d_k} · r^n mod n^2 = g^{a_1 d_1 + ⋯ + a_k d_k} · r^n mod n^2, so a_1 d_1 + ⋯ + a_k d_k can be processed as single-dimensional data. When receiving n such reports, the local gateway GW can aggregate them by multiplying the ciphertexts.
Privacy of the residential user: because the transmitted report of the residential user is signed with our anonymous signing algorithm in our SP2DA scheme, each residential user's identity is protected. Furthermore, the transmitted report is encrypted with the Paillier encryption algorithm, which means that even if the attacker eavesdrops on the transmitted report, it still cannot obtain the individual user's data. For a feedback message of the OA, the OA sends the ciphertext (U, ·, ·) of this feedback message to all residential users in residential area RA by broadcast encryption. Only the residential users in RA can recover the corresponding feedback message. In the following security proof, we show that the confidentiality of the transmitted feedback message is achieved.
Lemma 3. The broadcast encryption scheme in our SP2DA scheme is semantically secure against chosen-plaintext attack under the DBDH problem.
Proof. Suppose that there exists an adversary that can break the broadcast encryption in the SP2DA scheme; then we can construct an algorithm ℬ that solves the DBDH problem with advantage ε by using the adversary as a subroutine. Let ℬ be given a DBDH problem instance; its goal is to determine whether the candidate element equals e(g_1, g_2)^{abc}. ℬ runs the adversary as a subroutine to solve the DBDH problem. ℬ sets MPK from the instance and randomly chooses a value to set MPK_0 from it, and derives the remaining public element from g_2. Then ℬ publishes MPK, MPK_0, g_2, and the other system parameters. In the challenge phase, the adversary chooses two messages M_0 and M_1 and sends them to ℬ.
ℬ randomly selects a bit b ∈ {0, 1} to produce a ciphertext C* = (U*, ·, ·) of message M_b and returns it to the adversary. Finally, the adversary outputs a bit b'. If b' = b, it means that the candidate element is the real e(g_1, g_2)^{abc}, since the corresponding component is a valid part of the ciphertext C*. In this case, the probability that the adversary outputs b' = b is 1/2 + ε. When the candidate element is a
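The Chinese Remainder Theorem packing from the Preliminaries, the per-user Paillier encryption of the packed report, the gateway's ciphertext-only aggregation, and the OA's per-dimension recovery (D_j = M mod m_j) are worked through below as an added Python example; it is not the paper's own code. The generator g = n + 1, the 512-bit key size, the 40-bit moduli, and the household readings are assumptions made for this illustration.

```python
# Added example (not the paper's own code). Generator g = n + 1, the key size,
# the moduli and the readings are assumptions made for this illustration.
import secrets
from math import gcd


def is_probable_prime(n, rounds=32):
    # Miller-Rabin on odd n > 3; sufficient for the constructed toy keys.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def paillier_keygen(bits=512):
    """Key generation phase: pk = (n, g), sk = (lambda, mu) with L(u) = (u - 1) / n."""
    p = random_prime(bits // 2)
    q = random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    n, g = p * q, p * q + 1        # g = n + 1 is a valid generator of order n (assumption)
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def paillier_encrypt(pk, m):
    """Encryption phase: c = g^m * r^n mod n^2 with r random in Z_n^*."""
    n, g = pk
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def paillier_decrypt(pk, sk, c):
    """Decryption phase: m = L(c^lambda mod n^2) * mu mod n."""
    n, (lam, mu) = pk[0], sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def crt_coefficients(moduli):
    """CRT basis a_j with a_j = 1 (mod m_j) and a_j = 0 (mod m_i) for i != j."""
    big_m = 1
    for m in moduli:
        big_m *= m
    return [(big_m // m) * pow(big_m // m, -1, m) for m in moduli]


def pack(readings, coeffs):
    return sum(a * d for a, d in zip(coeffs, readings))   # single plaintext sum_j a_j d_j


def unpack(total, moduli):
    return [total % m for m in moduli]                     # D_j = total mod m_j (D_j < m_j)


def coprime_moduli(k, bits):
    """k distinct primes just above 2^bits; each must exceed the largest per-dimension sum."""
    out, cand = [], (1 << bits) + 1
    while len(out) < k:
        if is_probable_prime(cand):
            out.append(cand)
        cand += 2
    return out


def aggregate_demo(readings_per_user):
    """Meters encrypt packed readings, the gateway aggregates ciphertexts, the OA recovers sums."""
    moduli = coprime_moduli(len(readings_per_user[0]), 40)   # 2^40 > households * max reading
    coeffs = crt_coefficients(moduli)
    pk, sk = paillier_keygen(512)
    # Each meter packs and encrypts locally; only ciphertexts leave the household.
    ciphertexts = [paillier_encrypt(pk, pack(r, coeffs)) for r in readings_per_user]
    # The gateway multiplies ciphertexts mod n^2 and never sees a plaintext reading.
    agg = 1
    for c in ciphertexts:
        agg = agg * c % (pk[0] ** 2)
    # The OA decrypts once and splits the aggregate per dimension via the moduli.
    return unpack(paillier_decrypt(pk, sk, agg), moduli)


# Constructed sample: 4 households x 3 dimensions (Wh, temperature in 0.1 C, appliances on)
SAMPLE = [[1520, 215, 7], [980, 201, 5], [2310, 224, 9], [0, 190, 2]]
```

Running `aggregate_demo(SAMPLE)` yields the column sums of the constructed readings, while the gateway only ever handled products of Paillier ciphertexts; the correctness conditions are that every per-dimension sum stays below its modulus and the packed total stays below n.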