EPLC: An Efficient Privacy-Preserving Line-Loss Calculation Scheme for Residential Areas of Smart Grid

,


Introduction
In the modern world, electrical energy plays a crucially important role in economic, social, and industrial development of all nations and regions.Smart grid, defined by the US Department of Energy [1], is considered to be the next generation of power grid infrastructure by integrating information and communication technologies (ICT) and can real-time monitor and control the physical processes of power system to constantly heighten the electrical energy using efficiency and optimize services to adjust electrical energy supply to meet demand, so smart grid is characterised by high intelligence, efficiency, reliability, economic behavior, and security.Figure 1 shows the architecture of smart grid provided by National Institute of Standards and Technology (NIST) [2], which contains seven domains: generation domain, generating electrical energy; transmission domain, transmitting electrical energy to and from the distribution; distribution domain, distributing electrical energy to and from customers; customers domain, users or home area networks (HANs); operation domain, managing the electricity flow; market domain, managing the electricity market in the smart grid; service provider domain, managing all the thirdparty operations.
Smart meter is a kind of intelligent instrument with significant capabilities for two-way communication, measuring and reporting electricity consumption in near real-time (15 minutes) periodically [3,4], and also as one kind of the key components for realization of smart grid deployed at users, voltage transformers, and wherever needed.Accordingly, smart meter is set to become one of the most important sources of near real-time electrical energy flows data in smart grid.Based on the detailed view on electrical energy flows, through near real-time state estimation, not only the monitoring of smart grid's performance, but also optimization of supply, distribution, and consumption can be executed synchronously well.
Line-loss, the decrease of electrical energy from the source to destination due to inherent inefficiencies and defects in smart grid, is an important synthetic indicator to reflect the management level and is also a main content of assessment for performance level of smart grid enterprises [5].A variety of factors such as resistance effect (variable losses, with the increasing of current), electromagnetism influence (fixed losses, with the increasing of voltage), management factors (electric larceny, metering error, and electricity leakage), etc. are the causes of the line-loss.Especially for residential areas which are located in the grid terminal and the most bottom of administrative level, they generally consist of various kinds of equipment and directly associated with all kinds of users, so line-loss such as electric larceny, leakage, and etc. is much more likely to happen.As a result, we only consider the line-loss of residential areas in our scheme.
Fortunately, based on the idea of electrical energy quantity [6] for line-loss calculation, the basic method is fairly simple by considering the line-loss as distributed sale electric quantity noncorrespondence [7,8], which can extrapolate line-loss for most environment or variables, so the process of line-loss calculation for each residential area only needs to do some sums and subtractions over the corresponding data of near real-time electricity consumption recorded by smart meters.But unfortunately these data can directly reflect the privacy of users [9][10][11][12][13] such as the occupancy of a household, and an sophisticated adversary A can leverage some data mining algorithms by some clever tricks to infer the lifestyle habits, economic status, etc. [3,4,14], and even users' interests as well [15].Worse yet, some opportunities for criminal purpose will be provided too [16].
In general, smart meter has its own secure components [17], and symmetric cryptosystem is introduced [11,18], after completion symmetric encryption operation.Although all the sensitive and private data measured by smart meter achieve cryptographic storages as well as communications, many utilities such as the line-loss calculation mentioned above and data that are encrypted need to be decrypted before they can be used.Therefore, there are still considerable risks for exposure of users' sensitive information by inside attack [19].
EPLC is the scheme mainly focusing on preserving privacy of users while calculating the line-loss by the method mentioned above of each residential area.To preserve privacy of users from internal and external attacks, the communication channels, gateways, and servers are not fully trusted.All sensitive data should be encrypted against eavesdropping before sending; all receivers should verify the ciphertext received to catch tampering before processing.The line-loss calculation and the storage both depend on ciphertext to resist the attack from the inside such as administrator of servers or gateways, and all the detailed elaboration will be made in a later section.
The remainder of our paper is organized as follows: in Section 2, overview of related works is provided; Section 3 elaborates on system model, security requirements, and design goal; we introduce the bilinear pairing, Paillier cryptosystem, and Horner's rule as the preliminaries of EPLC in Section 4; Section 5 presents the process of EPLC scheme The th district area of system model The th residential area of the th district area The th user in the The VT which is equipped in the   RAGW The RAGW which belongs to the   step by step; security analysis and performance evaluation are described in Sections 6 and 7, respectively; finally, a conclusion is given in Section 8.

Related Work
Recently, the leakage of personalized privacy in smart grid from data of smart meters which demonstrate electricity consumption of users becomes a potential problem.For preserving users' privacy, predecessors have proposed several approaches.Y. Sun et al. [20] hide household load in the data of smart meters by leveraging existed thermal appliances and energy storage units to protect privacy of users.The study [21] obfuscates the real electricity consumption based on masking.Based on the differential privacy-preserving technique [22] and Boneh-Goh-Nissim cryptosystem [23], the scheme [24] uses Laplace noise in the form of ciphertext to protect the privacy of users in the honest-but-curious model.
For privacy-preserving in aggregation, super-increasing sequences and Horner's ruler are introduced to structure multidimensional data of smart meters, respectively [10,25].The scheme [26], named privacy-preserving multisubset aggregation (PPMA), divides users electricity consumption data into different subsets which represented different ranges before aggregation for improving the efficiency.Reference [27] can aggregate hybrid IoT devices data into one with resisting against false data injection attack; the scheme [28] performs aggregation with privacy-preserving and fault tolerance and recovers the private key by Shamirs secret-sharing scheme [29].All works [10,[25][26][27][28] implement aggregation of smart meters' data as well as keeping the privacy of users are based on the homomorphic property of Paillier cryptosystem [30].Additionally, privacy-preserving aggregation is performed by sharing the session keys of users with wireless [31]; fully homomorphic encryption (FHE) and secure multiparty computation are leveraged for achieving users privacy preserving in secure in-network data aggregation by smart grid V2G networks [32], W. Han et al. proposed an integrated privacy-preserving data management architecture (IP 2 DM) [33] which achieves anonymous data aggregation by partial homomorphic encryption [34] for privacy-preserving data management.
According to the line-loss calculation method mentioned above, this paper focuses on efficient line-loss calculation of residential areas based on data of smart meters as well as avoiding any leaks of private information of users.

System Model, Security Requirements, and Design Goal
In this section, we formalize the system model and security requirements, identify our design goals, and refer to Table 1 for listing some notations to represent the main entities and definitions in system model.

System
Model.In our system model, our focus is on how to get the line-loss in residential areas correctly and efficiently while keeping users' privacy.As shown in Figure 2, on the one hand by the aspect of electricity, the electrical energies generated from power plants, solar panels, windmills, and etc. are transmitted through transmission and distribution to each voltage transformer (VT) of residential areas and then transmit to users by using electrical lines of the residential area (RA) to meet needs, and some RAs form a district area (DA) generally; on the other hand, according to the information technology, there are four types of entities: Control Center (CC), Residential Area Gateway (RAGW), Home Area Network (HAN or user), and Smart Meter (SM).
In general, there is only one CC in the system, according to the needs of self-business management, the CC manages at most  DAs D = { 1 ,  2 , . . .,   , . . .,   }, and each DA contains at most  RAs; the RAs in the th DA   could be described as R = { 1 ,  2 , . . .,   , . . .,   }.Also, each RA has at most  HANs or residential users, taking a typical RA   as an example, as shown in Figure 3, which means the th (1 ≤  ≤ ) RA of the th (1 ≤  ≤ ) DA managed by the CC in the system, the   comprises at most  residential users U = { 1 ,  2 , . . .,   , . . .,   }, and the notation   ∈ U means the th user of the th RA in the th DA.
The nearly real-time (e.g., 15 minutes) electricity consumption of users and RAs can be recorded automatically and respectively by corresponding smart meters, which are equipped in each HAN (User) and VT of RA.RAGW is a powerful computing resource and primarily completes three functions: authentication, line-loss calculation for corresponding RA, and relaying.Firstly, RAGW can perform some authentication operations to guarantee the received data's authenticity and integrity; secondly, by getting the data  (ciphertext) from smart meters of users and VT of corresponding RA, RAGW can calculate the line-loss ciphertext of the RA; thirdly, the relaying component is responsible for forwarding the line-loss ciphertext of corresponding RA to CC.According to business need, CC is responsible for receiving the reports (ciphertext) from all RAGWs and decrypting each line-loss of RAs, which can help itself get the real-time situation awareness and produce some responses.
As mentioned before, according to Figure 3, all electricity consumption of users in one RA comes from the VT of the RA.In other words, all the electrical energies consumed by users of the RA can be recorded periodically (e.g., 15 minutes) by the smart meter equipped on the VT.However, the data of the VT's smart meter record not only the electricity consumption of all users in the RA, but also the line-loss of the RA, such as loss of the electrical lines and other types of equipment, equipment failures, and even electric larceny in the process of energies transmission as shown in red dash dotted box of Figure 3.To get the line-loss of each residential area, firstly we make the aggregation by collecting all users' electricity consumption of the corresponding residential area, respectively; secondly, we calculate the difference by subtracting the aggregation result from the corresponding reading of VT's smart meter.
Typically, considering the communication model in one residential area RA as shown in Figure 3, the number of users is limited, the distances between the two sides of the communications are short and there are not too much electromagnetic interferences, so the communications between users   ∈ U and RAGW of the RA can use relatively  inexpensive wireless technology, e.g., WiFi technology.On the other hand, according to Figure 2, since the distances between the RAGWs and CC are far away, the communications between them are through the use of some wired links with high bandwidth and low delay, like optical fiber.

Security Requirements.
Security is crucial for our scheme.In our security model, we consider the CC fully trusted, and RAGWs and users follow the honest-but-curious model.Although RAGW will execute correctly according to design, keeping all data from smart meters and all intermediate computational results will lead to a huge threat of users' privacy leakage.Users will not drop or distort any source data spitefully and keep the system running correctly.However, another potential risk for privacy leakage is using collusion attack to infer other users' electricity consumption.There might exist an external adversary A in the system, who can eavesdrop not only residential users' but also RAGWs' reports on different kinds of communication channels, like wireless technology in RA and wired links between CC and RAGW.More seriously, a powerful adversary A even could intrude in the databases of RAGWs and CC to steal some private and personal-sensitive data of electricity consumption or put forward to launch some active attacks to compromise the data integrity.As is clear from the above descriptions, to avoid being sniffed and to detect malicious actions which are both by the adversary A, we should achieve the following security requirements in our scheme: (i) Confidentiality.In our system, for protecting privacy of individual users of residential areas against malicious actions of adversary A, even if eavesdropping occurs on communication channels and data in databases of CC or RAGWs have been stolen, adversary A also can neither obtain any information of individual users' electricity energy consumption, nor identify or infer any other users' privacy information.(ii) Authentication and Data Integrity.Notice that RAs are in public places, a skilled adversary A can easily hack Security and Communication Networks into the communication system, then forge or modify reports which are sent by legal residential users.So we must authenticate encrypted reports which are really sent by their corresponding legal residential users and have not been tampered during the transmission.

Design
Goal.Under our system model and for achieving the aforementioned security requirements, our design goal is to develop an efficient, privacy-preserving line-loss calculation scheme.Particularly, the scheme achieved the following three objectives: (i) Security and Reliability.The security and reliability are the most essential goals in our scheme.Without the security and reliability, the privacy information about users' real-time electricity consumption will be leaked or even tampered, after which error results will be generated in processing the tampered information and then sent to CC.If the error results are applied in the planning, operation or analysis fields of power system, it will cause collapse for the worst.So our proposed scheme should guarantee the authentication, confidentiality, and integrity simultaneously.(ii) High Efficiency.Consider the real-timeness requirement and characteristics of communication architecture in smart grid system.For example, the communication channels in RA always use wireless technology, which is featured with low-bandwidth and high-delay compared to wired technology, and smart meters have limited computing ability, memory, and so on.So our proposed scheme should reduce communication cost and improve the efficiency of the line-loss calculation processing.(iii) Good Flexibility.Even though the numbers of users, RAs, or DAs varied, the business logic changed constantly, etc., the proposed scheme still can carry out flexible line-loss calculation for each RA very well.

The Bilinear Pairing.
Let G 1 and G 2 be two additive cyclic groups of the same large prime number ,  be a generator of group G 1 , and let  : (iii) Computability.For any ,  ∈ G 1 , there exists an efficient polynomial time algorithm to compute (, ) and the group operation in G 1 is also efficiently computable.(iv) Symmetry.The map  is symmetric: (, ) = (, )  = (, ).
Bilinear Pairing Generation Algorithm.A bilinear parameter generator Ge is a probabilistic algorithm, which takes a security parameter  as input and then outputs a fivetuple (, , G 1 , G 2 , ); in the tuple, the  is a -bit prime number, the  ∈ G 1 is a generator, and the  : a bilinear map which has the above properties.

The Paillier Cryptosystem.
Just as the Goldwasser-Micali, RSA, and Rabin encryption schemes, the Paillier cryptosystem is also based on the hardness of factoring a composite number  which is a product of two prime numbers, while the more specially and importantly is that the Paillier cryptosystem possesses unique ℎℎ characteristic property, and its efficiency is almost the same with RSA and Rabin but higher than Goldwasser-Micali.The Paillier cryptosystem utilizes the group where  = ,  and  are both big prime numbers of the same length with different values,  ∈ Z  ,  ∈ Z *  , (, ) ∈ Z *  2 , and (, ()) = 1, the order of (1 + ) in Z *  2 is  because for an integer  with 0 ≤  ≤ , and the equation (1 + )  = (1 + ) mod  2 will always be true.(ii) Encryption.For each user's message  ∈ Z  , a random number  ∈ Z *  was chosen by the user; then generate the ciphertext  = () =   ⋅   mod  2 .

Algorithms of Paillier Cryptosystem
(iii) Decryption.When the user get a ciphertext  ∈ Z *  2 , deciphering it by () = (  mod  2 ) ⋅  mod , the corresponding message  can be got.

Horner's Rule.
The Horner algorithm is a fast algorithm for computing polynomials, which was named for William George Horner who is an English mathematician.According All the line-loss of the system at time T in the form of cipher as a number   T All the line-loss of the system at time T in the form of polynomials as a number to a parameter Υ, Horner's rule will actually be able to turn any polynomial expressed as After transformation, calculating the polynomial only needs  multiplications and  additions; obviously it is more efficient than before.Particularly, given a set of data ), then all the information of the set V is interpreted by the (Υ) as a number.After that, if only we know the value of the (Υ) and Υ, retrieving the V by  exact divisions and modulo operations, respectively, is going to be easy.

Our Proposed EPLC Scheme
In this section, an efficient privacy-preserving line-loss calculation scheme for residential areas of smart grid is proposed, which is made up of the following four parts: system initialization, user report generation, privacy-preserving lineloss calculation, and decryption of line-loss.Following the description of system model, we assume the numbers of DAs, RAs of each DA, and users in each RA are not larger than , , and , respectively.In the meanwhile, the line-loss of each RA is less than a constant Θ.The main parameters used in our scheme are listed in Table 2.

System Initialization.
We assume the single trusted authority CC is responsible for bootstrapping the whole system.In the system initialization, use the presented security parameters to generate system parameters firstly and secondly register system entities in CC.

(i) Generating Process of System Parameters
(1) Based on the Bilinear Pairing technique, given the security parameter , after running G(), CC can generate parameters (, , G 1 , G 2 , ).
(2) Again, given the security parameter , according to the Paillier cryptosystem, after choosing two large prime numbers  and , whose length are both , then CC can calculate the public keys ( = , ) and the private keys (, ).
(4) CC also chooses two common factors Υ 1 and Υ 2 as line-loss calculation parameters randomly, which must meet the requirements that In our system, after the two initialization processes above, we assumed the numbers of DAs, RAs in the   and users in the   are N  , N   , and N   , respectively.

Report Generation
where   and   are both chosen by users and VTs randomly from Z *  , respectively (  ,   ∈ Z *  ).(2)   and   use their private keys   and   , respectively, and hash function  of CC to generate individual signatures as follows: (3)   and   generate reports (see ( 5)), respectively: After the report is generated,   and   send   and   to RAGW  for each  ∈ {1, 2, . . ., N   }, respectively.

Verification by RAGW.
In   , after the RAGW  receives all the reports of time T: {  ,   }, for each  ∈ {1, 2, . . ., N   }, based on the bilinear pairings, by verifying if all the equations of ( 6) are hold, then reports   and   are accepted, not vice versa.Because the function  of bilinear pairing technique is time-consuming and high cost, after introducing batch verification [10,38], we can make the verification efficiently.The batch verification in the   performs as  (, ( As a result, the batch verification can reduce the running times of  from 2⋅(N   +1) to N   +2 compared to the original verification.

Privacy-Preserving Line-Loss Calculation.
After RAGWs received the verified reporters of time T, each RAGW generates line-loss of its corresponding RA in the form of cipher by privacy-preserving calculation.Once each RA's ciphertext of line-loss is generated, all of them will be sent to CC, then CC also performs calculation to convert all the whole RAs' line-loss cipher data of time T to a number.The steps are as follows.

Processing in RAGW.
Let the notation   T represent a value of   at time T which is calculated by Let According to section of system model, in (8), the notation   T means the plaintext of the line-loss of the   , so the   T shows the line-loss in   at time T in the form of cipher.
After the   T is generated, the corresponding RAGW  creates its signature   as Utilizing the signature, the RAGW  generates a report   as At last, each RAGW sends its reports of different time to CC.

Processing in CC.
Similar to the verification by RAGW, after importing the batch verification, CC can verify all the    came from RAGWs by verifying the follow equations: After all    of time T are verified by CC, CC calculates a number   T to represent the line-loss originated from all RAs of the system at time T in the form of cipher as follows: ) At last, CC stores a tuple <   T , T > in database to imply the line-loss of the whole RAs at the time T without any privacy leaks.
) mod Υ 1 4: end for 5: end for ] Algorithm 1: Generating each   T with Horner's rule.   T ⋅ ( Obviously, (14) coming from ( 13) is still in the form of ciphertext which can be generated by Paillier cryptosystem: where Therefore, after searching from database by T, CC can get the   T , then by using private keys (, ), the   T can be recovered from (14).Using Algorithm 1 can extract any   T of its corresponding   at different time T, and also if CC just want to get the line-loss of a specified RA   , only they need to perform the line 3 of Algorithm 1 with the parameters  and  described as (18): ) mod Υ 1 (18)

Correctness and Security Analysis
In this section, we analyze our scheme on correctness and security aspects.Our scheme's design is correctly proved with bilinear pairing and Horner's rule, while its security is presented in privacy preserving, authentication, and integrity.

Correctness Analysis.
Before getting into details about the security of our scheme, let us firstly prove our scheme's correctness based on the properties of bilinear pairing and Horner's rule.Theorem 1.Each RAGW and CC will only process correct (not tampered and from a legal sender) data.
Proof.We leverage the properties of bilinear pairing mentioned in Section 4.1 to ensure the correctness of data, so all RAGWs and CC will only process correct (not tampered and from a legal sender) data after (7) and (12) are verified, respectively.Theorem 2. Using Horner's rule iteratively will recover each line-loss of all RAs or any specified RA's line-loss correctly.
Proof.The cipher in (3) contains not only the data from corresponding SM but also the information about its region information (RA and DA) by parameters Υ 1 and Υ 2 .After RAGW's processing in (8), we can also record both line-loss of the RA (see (9)) and the region information in the form of cipher.Similarly, according to (13), all line-loss data and its area information both will be stored in a cipher (number).Finally, after decryption of the Paillier by using private keys, we can get (16) which is calculated by the polynomial in (13), because of the reasonable choice of the parameters Υ 1 and Υ 2 (Υ 1 > Θ, Υ 2 > Υ  1 ⋅Θ), then we can use Horner's rule iteratively to get the coefficients of the polynomial then recover each line-loss of all RAs or any specified RA's line-loss correctly as shown in Algorithm 1 and (18).

Security Analysis.
Particularly, based on the security requirements discussed before, considering from three aspects, which involves privacy, authentication, and integrity, this section focuses on analyzing the security properties of the proposed EPLC scheme individually.
(i) Privacy-Preserving.Since Paillier cryptosystem had been proved semantic secure against the chosen plaintext attack, based on the proposed EPLC scheme applied in the system model, the analyses are as follows.
Theorem 3. The users' and VTs' reports are privacy preserving in our proposed scheme.
Proof.In our scheme, the almost real-time electricity consumption data   and   are collected by smart meters equipped at each user (  ) and VT(  ), which are formed and encrypted as (3).
Obviously, the ciphertexts  Proof.After having received all reports  1 ,  2 , . . .,  N   , if the adversary A hijacks RAGW.Firstly, all the private information of the reports received from users and VTs is encrypted by Paillier cryptosystem.Secondly, all the line-loss calculations on RAGW are based on ciphertexts generated from users and VTs.Thirdly, even if there exist collusion attacks launched by several users, VTs, and RAGWs, which means all of them can share and analyze each other's and their own information, as mentioned before, the information will involve ID, random number used by Paillier cryptosystem, and public information of the system.Because of the existence of semantic security of Paillier cryptosystem, the adversary A cannot infer any sensitive information of users and VTs.
The processing of CC is similar to the methods of RAGW, so in the actual operation, CC also can guarantee the users privacy away from infringement of adversary A.
To summarise, even if the adversary A can eavesdrop and intercept reports on communication channel, hijack RAGW, intrude into the database of CC, and steal some data about line-loss of the system, each user's sensitive data of almost real-time electricity consumption are privacy preserved in the proposed EPLC scheme as long as the system keeps the private keys under the secret protection.
(ii) Authentication and Integrity.Based on the  problem [37] of the random oracle model,  short signature has been proved to be secure, which is tamper-resistant and guarantees each report is from its corresponding legal sender.Theorem 5.The authentication and data integrity of the users' and VTs' reports,  , are both guaranteed in our proposed scheme.
Proof.In EPLC scheme, utilizing individual private keys of each entity, reports of each individual user and VT and each ciphertext   T of line-loss calculated by RAGWs are both signed by  short signature [39] before sending.Because the secure of  short signature has been proved, which is tamper-resistant and can guarantee each report is from its corresponding legal sender, so malicious behaviors of the adversary A such as tampering and falsifying in the system can be detected.So the authentication and the integrity of reporters from each users, VTs, and RAGWs are guaranteed by EPLC.

Performance Evaluation
In this section, we analyze the computational cost of users, RAGWs, and CC in the process of our EPLC scheme.Experiments are conducted on a PC with Processor: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz; Memory (RAM): 12 GB; OS: 64-bit Windows 10 Pro; Java-version 1.8.0 181; JPBC [40]  According to the requirement of our EPLC scheme, we set Υ 1 to 101, slightly more than the maxima of line-loss and Υ 2 to 1220190039947966824482749091552564190200101, slightly more than Υ ℎ     ℎ  1 (the maxima of lineloss).

The Analysis of Users' Computational
Cost.Meter's data of users and VTs are established, followed by the encryption and signature processes.From Figure 4, it can be seen that the computational cost of users and VTs belonged to different RAs of different DAs ranging from 200 to 320 and the distribution is affected fairly by the sequence number of DA.According to (3) and (4), the computational cost increase with the sequence number of DA is justified.

The Analysis of RAGWs' Computational Cost.
When RAGW has received all reports of users and VT in corresponding RA at a certain time T, then it performs batch verification and line-loss calculation.It can be seen from Figure 5 that the computational cost of RAGWs belonged to different RA of different DA range from 33300 to 33530 and are irrelevant to the sequence number of RA and DA.

The Analysis of CC's Computational
Cost.Similar to RAGW, batch verification and calculation of the number   T will be executed when all reports belong to the certain time period T of RAGW received, and the computational cost of CC is 33562.
The computational cost of decryption for each line-loss of RA can be seen from Figure 6 range from 31 to 47, also irrelevant to the sequence number of RA and DA.
As mentioned before, in general, the standard period of measuring and reporting by smart meters is 15 minutes [3,4],  according to the computational cost of different entities.It is obvious that our scheme achieves high efficiency.

Conclusion
In this paper, we have proposed an efficient privacypreserving line-loss calculation scheme for residential areas of smart grid.The scheme can calculate the line-loss of each RA in different DA based on the Paillier cryptosystem and Horner's rule with the protection of users' privacy.For one time T, the control center only needs to store a ciphertext   T to represent all values of RAs' line-loss, then can obtain each line-loss of RA in different DA when possessing the private key, and further attain finer-grained electricity regulation for smart grid.We have also demonstrated our scheme's security strength and privacy-preserving ability in the section of security analysis.And our scheme also satisfies the real-time requirement of smart grid in terms of computational cost.For the future work, line-loss of DA will be considered, and we will develop more flexible schemes to get line-loss of different areas, and then regulate electricity for RAs and DAs effectively.

Figure 3 :
Figure 3: System model of a residential area.

5. 5 .
Decryption of Line-Loss.CC also can recover any RA's line-loss of different DAs at different time T.

Theorem 4 .
The processing in RAGW and CC are also privacy preserving in our proposed scheme.
library-version 2.0.0.; 1024-bit (| 2 | = 2048) for Paillier cryptosystem and 160-bit G 1 for symmetric pairing.Meter's data of users and VTs are established from the random numbers generated based on the  method of V..package, and we assume the numbers of DAs and RAs in each DA and users in each RA are 10, 20, and 200; the range of values for line-loss and meter's data of users are 10 to 100 and 10 to 2000, respectively.

Figure 4 :
Figure 4: Computational cost of each user.

Figure 6 :
Figure 6: Computational cost of decrypting each RA line-loss.

Table 2 :
Main parameters.Parameter Description , , , G 1 , G 2 ,  Parameters of Bilinear Pairing , , , , , ,  Parameters of Pallier Cryptosystem   ,   The private key and public key of RAGW    ,   The private key and public key of     ,   The private key and public key of VT(  ) Υ 1 , Υ 2 After initialization, the number of RAs in the   N   After initialization, the number of users in the     T The ciphertext of line-loss in   at time T   T The plaintext of line-loss in   at time T   T (6)t last, CC publishes the system parameters {, , G 1 , G 2 , , , , , Υ 1 , Υ 2 } as public keys and keeps the master key {, } secret.represents the RAGW which belongs to the   (the th RA of the th DA).(2)Each RAGW  ( ∈ {1, 2, ..., },  ∈ {1, 2, ..., }) randomly chooses   ∈ Z *  as its private key and calculates   =    as its public key.(3)Allusers in the   send registration requests to RAGW  ; as shown in Figure3, according to the management situation, RAGW  , respectively, set a unique number  from the sequence set {1, 2, ..., } to the user, as the section of system model mentioned; the notation   means the th user of the th RA in the th DA. (4) Each   ( ∈ {1, 2, ..., },  ∈ {1, 2, ..., },  ∈ {1, 2, ..., }) randomly chooses   ∈ Z *  as its private key, and calculates   =    as its public key.(5)All the VTs, which equipped with smart meters located in all RAs, also send requests to their corresponding RAGWs.Without loss of generality, considering the   , RAGW  sets the two numbers ,  to the VTs; for the convenience of discussion and without loss of correctness, we utilize the notation   for expressing the VT equipped in the   .(6)TheVT in th RA of the th DA, shown in Figure2, each RAGW belongs to a RA; the RA is in a DA.According to its actual business and administrative situation, CC sets a unique number  from the sequence set {1, 2, . . ., } and another unique number  from another sequence set {1, 2, . . ., } to the RAGW.The notation RAGW  ( ∈ {1, 2, . . ., },  ∈ {1, 2, . . ., }) randomly chooses   ∈ Z *  as its private key and calculates   =    as its public key.
and   encrypt collecting data of electricity consumption   and   , respectively, as follows: . Each   and VT(  ) ( ∈ {1, 2, . .., },  ∈ {1, 2, . .., },  ∈ {1, 2, . .., }) can collect electricity consumption periodically (e.g., 15 minutes) by equipped with smart meters.After collecting nearly real-time electricity usage for different time T, each user and each VT need to utilize the public keys published by CC to encrypt the data firstly, make a signature of the data by using individual private keys   ,   secondly, and generate a corresponding report thirdly.(1) mod  2 have the same form as a valid ciphertext of Paillier cryptosystem   ⋅   mod  2 , so the data   in   and   in   are sematic secure and privacy preserved.Specially, since each   and each   are a random number in Z *  , based on different   ̸ =        , the two same data   =        are encrypted to different ciphertexts   ̸=        for resisting dictionary attacks.If the collusion attacks are launched by several users, which means all of them can share all their individual information with each other, including ID, random number  (for Paillier Encryption), and the corresponding ciphertext and in conjunction with the public information of system, no one can infer any others' private information.