A Privacy-Preserving Noise Addition Data Aggregation Scheme for Smart Grid

: Smart meters are applied to the smart grid to report instant electricity consumption to servers periodically; these data enable a fine-grained energy supply. However, these regularly reported data may cause some privacy problems. For example, they can reveal whether the house owner is at home, if the television is working, etc. As privacy is becoming a big issue, people are reluctant to disclose this kind of personal information. In this study, we analyzed past studies and found that the traditional method suffers from a meter failure problem and a meter replacement problem, thus we propose a smart meter aggregation scheme based on a noise addition method and the homomorphic encryption algorithm, which can avoid the aforementioned problems. After simulation, the experimental results show that the computation cost on both the aggregator and smart meter side is reduced. A formal security analysis shows that the proposed scheme has semantic security.


Introduction
Smart meters are widely applied in Europe. Member states have committed to rolling out close to 200 million smart meters for electricity and 45 million for gas by 2020 [1], and more than 200 million European households will have smart meters in 2023 [2]. According to the European Parliament and the European Council, "Member States are required to ensure the implementation of smart metering systems that assist the active participation of consumers in the electricity supply and gas supply markets" [3].
Smart meters can report instant electricity consumption to servers periodically, making finegrained energy supply possible. However, these instantly reported data also bring some potential privacy risks. By using advanced power signature analysis tools such as nonintrusive appliance load monitoring (NIALM), an attacker can find out which appliances are working at any time [4], and thus can learn more detailed information about a customer's daily activities. According to Barbosa et al. (2015) [5], "Fine-grained data of electricity usage naturally include personal and privacy-sensitive information regarding which appliances are active." For example, the adversary can tell if there are people in the house or not, when the inhabitants wake up, take a shower, turn off the television, or even if some individual appliances are operating at a desired level of efficiency. There is a great need to protect this kind of personal information from being disclosed. Thus smart meter aggregation schemes have been proposed to protect people's privacy.
Recently, Fan et al. (2014) proposed a smart meter aggregation scheme based on the bilinear map and computationally hard problems of group theory [6].  improved the scheme of [6] by importing the homomorphic encryption algorithm [7]. Both of these schemes were claimed to be secure. However, we found that although both schemes can protect a user's personal data from being leaked, they both have scalability problems. Once the system is deployed, it is hard to add a new smart meter to the system, and when one smart meter in the system is broken, the whole system cannot work correctly. In addition, replacing a broken smart meter with a new one is difficult. Moreover, both schemes have higher accuracy requirements for time, which means that all the smart meters in the system have to keep exactly the same time; even a one millisecond error will lead to an incorrect result. We will discuss these problems in Section 3.
To solve these problems, a privacy-preserving data aggregation scheme for the smart grid is proposed, which enables smart meters to report their consumption periodically and at the same time prevents private information from being leaked. The proposed scheme is partly based on the homomorphic encryption algorithm. Our contributions are mainly reflected in two aspects: 1.
First, the noise addition method is used to prevent an adversary from obtaining a smart meter's consumption, and the efficiency of the proposed scheme is improved by using this method. We also analyzed different ways of generating noise.

2.
Second, the proposed scheme overcomes the problems in related works, such as the scalability problem, and does not have a high accuracy requirement for time.
This study focuses on the security and privacy part of work done under the e-GOTHAM project; the previous work has been published [8]. The paper is organized as follows: Related works are discussed in Section 2. In Section 3, we discuss the problems of the two related works. The proposed scheme is introduced in Section 4. Security analysis is described in Section 5. A comparison with the related schemes is in Section 6. We conclude the paper in Section 7.

Related Work
Smart grid privacy and security problems have drawn much attention. There are many ways to protect the privacy of a smart meter when it reports its consumption to the aggregator; for example, homomorphic encryption methods, rechargeable battery methods, noise addition methods, and trusted third party methods.
Noise addition is a promising and efficient way to protect the consumption privacy of a smart meter. Bohli first used this approach [9], and Barbosa et al. (2015) [5] and Wang et al. (2013) [10] analyzed the privacy and utility metric of this problem, both proposing a metric for utility preservation. Wang et al. (2013) masked the data using Gaussian mixture models (GMMs) [10]. Their experimental results show that the accuracy of recovering total electricity consumption can approximate 99%, while the ability to identify an individual's usage pattern is substantially obviated. He et al. (2013) proposed masking the data by adding Gaussian noise [11]. Random noise is purposely introduced to distort the smart meter's consumption so that it is infeasible for an adversary to recover the real consumption. The random noise is chosen according to the power consumption data and other prior knowledge. Jordi and Josep analyzed the optimality of data-independent random noise distributions to achieve ε-differential privacy [12]. They also analyzed the situations for single univariate query and multiple queries. Noise addition methods can significantly reduce the computation and communication costs of smart meters. "Since to preserve privacy the proposed approach just generates a random number, we claim that the proposed approach is lightweight" [5]. However, the lack of authentication between the smart meter and the aggregator makes it possible for an adversary to easily launch an attack.
Some schemes require a trusted third party; we call this the trusted third party model, in which a trusted third party is introduced. He et al. (2017) built their scheme based on elliptic curve cryptography (ECC) [13]. Fan et al. (2014) proposed a scheme based on the bilinear map and computationally hard problems in group theory [6].  improved the computation efficiency of the scheme of Fan et al. [7], and their scheme reduced the computation cost. García and Jacobs [14] were the first to try to apply additive homomorphic encryption to privacy-friendly smart metering architecture. In their architecture, each reporting period requires the transmission of O (n 2 ) ciphertexts. Lu et al. (2016) proposed an efficient and privacy-preserving aggregation scheme for secure smart grid communication [15]. Their scheme realized a multidimensional data aggregation approach based on the homomorphic Paillier cryptosystem, which satisfies the real-time high-frequency data collection requirements of smart grid communication. Busom et al. [16] built their scheme on the homomorphic encryption method, too. By homomorphically adding all n consumption, the existing link between customers and their consumption values is broken. In this way, detailed information can be sent without leaking individual personal data. Their approach does not require a trusted third party (except a certification authority) or communication among smart meters; the communication complexity is linear O (n). Dimitriou and Awad presented two decentralized privacy-respecting aggregating protocols for smart meters [17]. Their first protocol focuses on honest-but-curious adversaries by using symmetric cryptography primitives. Their second one protects against more aggressive adversaries that not only try to infer individual measurements, but also disrupt protocol execution, which is based on public cryptography primitives.
Besides these ways of protecting the privacy of smart meter consumption, authentication between the smart meter and the aggregator is another factor that should receive attention when thinking about privacy protection. Elliptic curve [18][19][20][21][22][23][24][25] and bilinear map pairing [26][27][28][29][30] are two of the most commonly used encryption methods for authentication schemes. Generally speaking, the bilinear map requires more computation cost than the elliptic curve method, and the elliptic curve method is more efficient.
Ping et al. proposed an elliptic curve cryptography-based authentication scheme with identity protection for smart grids [23]. Adversaries are unable to obtain the real identities because the identities of the smart appliances and substations are encrypted before they are transmitted. Saxena and Choi proposed another authentication protocol for smart grid communication, also based on the elliptic curve. The hierarchy of their scheme is also three-layer [24]. The scheme of Nicanfar and Leung is a multilayer consensus password authenticated key-exchange scheme for the smart grid [25]. Saxena et al. proposed an authentication and authorization scheme for the smart grid; the protocol is based on bilinear map pairing [28]. A bilinear pairing cryptography-based shared secret key is generated between the user and the device, and the key enables the two to communicate securely. Odelu et al. proposed a secure key agreement scheme for the smart grid; they built their scheme on bilinear map pairing [29]. Jo et al. proposed privacy-preserving protocols for the smart grid using the distributed verification method; their encryption scheme is based on bilinear map pairing [30].

Problems in the Trusted Third Party Model
In a trusted third party model, three types of entities are in the system: smart meters, an aggregator, and a trusted third party. Figure 1 depicts the system structure. García and Jacobs [14] were the first to try to apply additive homomorphic encryption to privacy-friendly smart metering architecture. In their architecture, each reporting period requires the transmission of O (n 2 ) ciphertexts. Lu et al. (2016) proposed an efficient and privacy-preserving aggregation scheme for secure smart grid communication [15]. Their scheme realized a multidimensional data aggregation approach based on the homomorphic Paillier cryptosystem, which satisfies the real-time high-frequency data collection requirements of smart grid communication. Busom et al. [16] built their scheme on the homomorphic encryption method, too. By homomorphically adding all n consumption, the existing link between customers and their consumption values is broken. In this way, detailed information can be sent without leaking individual personal data. Their approach does not require a trusted third party (except a certification authority) or communication among smart meters; the communication complexity is linear O (n). Dimitriou and Awad presented two decentralized privacy-respecting aggregating protocols for smart meters [17]. Their first protocol focuses on honest-but-curious adversaries by using symmetric cryptography primitives. Their second one protects against more aggressive adversaries that not only try to infer individual measurements, but also disrupt protocol execution, which is based on public cryptography primitives.
Besides these ways of protecting the privacy of smart meter consumption, authentication between the smart meter and the aggregator is another factor that should receive attention when thinking about privacy protection. Elliptic curve [18][19][20][21][22][23][24][25] and bilinear map pairing [26][27][28][29][30] are two of the most commonly used encryption methods for authentication schemes. Generally speaking, the bilinear map requires more computation cost than the elliptic curve method, and the elliptic curve method is more efficient.
Ping et al. proposed an elliptic curve cryptography-based authentication scheme with identity protection for smart grids [23]. Adversaries are unable to obtain the real identities because the identities of the smart appliances and substations are encrypted before they are transmitted. Saxena and Choi proposed another authentication protocol for smart grid communication, also based on the elliptic curve. The hierarchy of their scheme is also three-layer [24]. The scheme of Nicanfar and Leung is a multilayer consensus password authenticated key-exchange scheme for the smart grid [25]. Saxena et al. proposed an authentication and authorization scheme for the smart grid; the protocol is based on bilinear map pairing [28]. A bilinear pairing cryptography-based shared secret key is generated between the user and the device, and the key enables the two to communicate securely. Odelu et al. proposed a secure key agreement scheme for the smart grid; they built their scheme on bilinear map pairing [29]. Jo et al. proposed privacy-preserving protocols for the smart grid using the distributed verification method; their encryption scheme is based on bilinear map pairing [30].

Problems in the Trusted Third Party Model
In a trusted third party model, three types of entities are in the system: smart meters, an aggregator, and a trusted third party. Figure 1 depicts the system structure.  In this system, during the system initialization phase, the trusted third party will generate a series of random numbers π 0 , π 1 , π 1 , . . . , π k , and make sure π 0 = −(π 1 + π 2 + , . . . , + π k ) = − ∑ k i=1 π i ; these numbers are called blind factors. The blind factor π 0 is sent to the aggregator, and π 1 , π 2 , . . . , π k are sent to the ith smart meter. At the aggregation phase, smart meter M i sends (m i + π i ) to the aggregator; m i is the meter's consumption data. The aggregator can recover the total consumption In this way, the aggregator can get the total consumption of all the smart meters. However, it is unable to get the consumption of a single smart meter.

Scalability Problem
One of the drawbacks of the trusted third party model is the scalability problem. After deploying the system, it is difficult to add a new smart meter. If we want to add a smart meter M k+1 to the system, we need to assign it a new blind factor, π k+1 . However, it is not enough to just assign a new π k+1 to the smart meter. We have to update π 0 for the aggregator, otherwise the aggregator is unable to recover the total consumption of the smart meters using the old π 0 ; π 0 has to be updated to However, if π 0 is sent to the aggregator, it can get the blind factor π k+1 by computing π k+1 = π 0 − π 0 . If the aggregator knows the blind factor π k+1 , it can get the original consumption of smart meter M k+1 . One potential solution is to run the system initialization phase again and let the trusted third party assign new blind factors for all smart meters and aggregators; however, it will be a daunting task once the smart meters have been deployed.
Another problem is that the system will fail to work when a smart meter is broken. Suppose M i is broken and it cannot send (m i + π i ) to the aggregator, then the aggregator is unable to get the total consumption of all the smart meters; what the aggregator gets is logĝ((H 2 (t)) −π i ·q 1 ·(g q 1 ) ∑ k i=1 m i ), in whichĝ = (g q 1 ). The following is an analysis based on the reported data in the research of Fan et al. [6]: What is worse, it is also difficult to replace a broken smart meter with a new one. If we want to replace the meter, we will encounter the problem of adding a meter to the system. As we have discussed, adding smart meters to the system is difficult.

Precise Time Requirement
The other problem in the trusted third party model is that it has a high accuracy requirement for time, which means that all of the smart meters have to synchronize their time precisely, because it is a prerequisite of this model that the time of different smart meters must be identical, otherwise the aggregator is unable to recover the original consumption data. The problem becomes worse in Fan's scheme [6], where the aggregator has to synchronize its time with all the smart meters, and even a one millisecond error will lead to a wrong answer.

Comparison
Finally, we get Table 1, a comparison of the trusted third party model and the proposed scheme. It is clearly shown in the table that the proposed scheme overcomes the problems of the trusted third party model.

Proposed Scheme
The model of the proposed scheme is depicted in Figure 2; there are two types of entities in the system, smart meter and aggregator. All the smart meters in the system have to register at the aggregator first; after registration, they can report their consumption data to the aggregator periodically. The aggregator will only accept the reporting data of the registered smart meters.

Comparison
Finally, we get Table 1, a comparison of the trusted third party model and the proposed scheme. It is clearly shown in the table that the proposed scheme overcomes the problems of the trusted third party model.

Proposed Scheme
The model of the proposed scheme is depicted in Figure 2; there are two types of entities in the system, smart meter and aggregator. All the smart meters in the system have to register at the aggregator first; after registration, they can report their consumption data to the aggregator periodically. The aggregator will only accept the reporting data of the registered smart meters.

Smart Meters Aggregator
Registration Reporting data To protect the privacy of the users, in every reporting cycle, a smart meter generates a random noise to perturb its consumption, and will send ( + ) to the aggregator. In this way, the aggregator is unable to get the because it does not know the . Since the noises are generated following a normal distribution, if we set the average value of the random numbers to be 0, we know ∑ ≈ 0, is the number of smart meters in an aggregation system, thus the aggregator can get the total consumption: We should note here that when become larger, ∑ will gradually approach 0, and ∑ will not become larger even when becomes larger.
For example, if we set the tolerable error ∑ to be within the range of [-5, 5] kWh, the probability that ∑ falls into [-5, 5] kWh is set to be: Pr −5 ≤ ∑ ≤ 5 = 0.98. If we set = 100, we can get = 0.0462. That is, if the noise generated obeys the normal distribution with average = 0, and = 0.0462, then the sum of ∑ will be within the range of [-5, 5] kWh with a probability of 98%. The noise generated follows other distributions, too, and the results are listed in Table 2 [5]. To protect the privacy of the users, in every reporting cycle, a smart meter generates a random noise n i to perturb its consumption, and will send (n i + m i ) to the aggregator. In this way, the aggregator is unable to get the m i because it does not know the n i .
Since the noises are generated following a normal distribution, if we set the average value of the random numbers to be 0, we know ∑ k i=0 n i ≈ 0, k is the number of smart meters in an aggregation system, thus the aggregator can get the total consumption: We should note here that when k become larger, ∑ k i=0 n i will gradually approach 0, and ∑ k i=0 n i will not become larger even when k becomes larger.
For example, if we set the tolerable error ∑ k i=0 n i to be within the range of [-5, 5] kWh, the probability that ∑ k i=0 n i falls into [-5, 5] kWh is set to be: Pr(−5 ≤ ∑ k i=1 n i ≤ 5) = 0.98. If we set k = 100, we can get σ 2 X = 0.0462. That is, if the noise generated obeys the normal distribution with average µ = 0, and σ 2 X = 0.0462, then the sum of ∑ k i=0 n i will be within the range of [-5, 5] kWh with a probability of 98%. The noise generated follows other distributions, too, and the results are listed in

Distribution Model Comments
Arcsin e 0 ∼ N(0, kX 2 2 ) X is the range of the original distribution X is the range of the original distribution U-quadratic e 0 ∼ N(0, 3kX 2 5 ) X is the range of the original distribution To find out which distribution model is the best, we use Table 3, which is the distributions of noises when k = 100, Pr(−5 ≤ ∑ n i=1 n i ≤ 5) = 0.98. The noise obeys the normal distribution or the Laplace distribution aggregated too closely around the average value µ e = 0, which means a large amount of the noise is too small. For noise that obeys the Laplace distribution, 58.09% of the noise is within [-0.01, 0.01], which means more than half of the noise is too small. The range of noises obeying the U-quadratic distribution is [-0.0385, 0.0385] and the range of noises obeying the arcsin distribution is [-0.0462, 0.0462], and both are smaller than the much larger range of noises obeying the uniform distribution, [-0.0693, 0.0693].
Now we can conclude that noises obeying uniform distribution are the best. On the one hand, they are equally distributed within the range; on the other hand, the range of noises obeying uniform distribution is larger.

Notions Used in the Schemes
The proposed scheme is based on the Boneh-Goh-Nissim homomorphic encryption scheme [31]; Boneh et al. (2005) proposed a probabilistic homomorphic encryption algorithm. The system resembles the Paillier [32] and Okamoto-Uchiyama [33] encryption schemes. This system is additively homomorphic. The proposed scheme consists of three phases, the system initialization phase, the smart meter registration phase, and the meter reporting phase. Some notions are given in Table 4. Table 4. Symbols used in the scheme.

Symbols Description
g, u, g 1 Generators of G 1 q 1 , q 2 Secret keys of aggregator k Number of smart meters in an aggregation system (M i , id i ) ith smart meter and its identity A i ith aggregator (x i , X i ) Public key pair of smart meter M i (x ← Z) x is randomly picked from set Z || String connection h() General hash SHA256 method h 2 () Hash a string to a big integer

System Initialization
In this phase, the aggregator initializes and publicizes the parameters; this is a three-step process.
Step 1: For the elliptic curve parameters, the aggregator selects two random τ-bit primes q 1 , q 2 and sets n = q 1 q 2 , and generates a multiplicative group G 1 . Let g, u, g 1 be generators of G 1 , set η = u q 2 and e : G 1 × G 1 → G 2 be a bilinear map.
Step 2: For the modular exponential group parameters, the aggregator randomly generates two large numbersp,q (p is a 1024-bit prime number andq is a 160-bit prime number) and picks a generator ξ ∈ Z * p . In this study, a 1024-bit group with a 160-bit prime order subgroup is chosen.

Smart Meter Registration Phase
The smart meter registration process is depicted in Table 5. In the registration phase, the smart meter generates a registration request and sends it to the aggregator. When the aggregator receives the request, it first checks the correctness of the message; if it is correct, the aggregator will store this message in it memory.
First, smart meter M i generates a private key x i ← Z * q , then M i computes the public key X i = ξ x i modp and a signature α i = h(X i ||id i ||T i ), where T i is the current timestamp. M i sends the registration request {X i , T i , α i , id i } to the aggregator over a secure channel.
When Table 5. Registration phase of the proposed scheme.

Smart Meter M i
Aggregator A i

Reporting Phase
In the reporting phase, the smart meters extract their consumption data and send the encrypted data to the aggregator. When the aggregator receives the data, it will first authenticate and then decrypt the data using its private key. The reporting process is depicted in Table 6.
At the beginning of a reporting cycle, each smart meter generates a noise n i to perturb its consumption m i . Then (m i + n i ) is encrypted by the homomorphic encryption algorithm. The process is as follows:

1.
Meter M i extracts its consumption data m i , generates a random element r i ← Z + , and picks an element t i ← Z * q .

2.
Meter M i generates noise n i , which obeys the uniform distribution.

3.
Meter M i computes c i = g m i +n i ·η r i .

4.
Meter M i computes d i = ξ t i modp.

5.
Meter M i gets the signature of c i and d i by Meter M i computes e i = t i + φ i ·x i modq.

7.
Meter M i sends Message1 = {c i , d i , e i , T i } to the aggregator. After receiving the reporting messages from all smart meters, the aggregator A i first checks the correctness of the incoming messages, then gets the consumption of all the smart meters using Pollard's lambda method, since the total consumption is not a large number in a regular interval [34].

5.
If the upper test holds, aggregator A i gets the electricity consumption by computing logĝ(∏ k i=1 c i ) q 1 , whereĝ = g q 1 . Table 6. Proposed aggregation scheme.

Random numbers
The aggregator is able to get the consumption data of all the smart meters as ∑ k i=1 m i ≈ logĝ(∏ k i=1 c i ) q 1 . The following shows the proof of the correctness of the proposed scheme. As ∑ k i=1 n i ≈ 0 and η q 1 = 1, we can get the following equations: using Pollard's lambda method ( [35], p. 128).

Security Analysis
In this section, we conduct a security analysis of the proposed scheme in terms of security against external and internal adversaries, and security of the signature scheme.

For External Adversaries
As the Boneh-Goh-Nissim homomorphic encryption algorithm is semantically secure, we can get Theorem 1. (⇒) Suppose there is an efficient algorithm O I that could break the Boneh-Goh-Nissim homomorphic encryption algorithm in probabilistic polynomial time, which means for a real consumption pair {m 1 + n 1 , m 2 + n 2 } and a cipher c i = g m i +n i ·η r i and public parameter Paras, an adversary A I is able to judge if m i + n i is the cipher of m 1 + n 1 or m 2 + n 2 with a probability that is higher than 1/2. Given a cipher c i = g m i +n i ·η r i and public parameter Paras, the adversary A I is able to get m i + n i by using algorithm O I . If m 1 + n 1 = m i + n i , then m i + n i is the cipher of m 1 + n 1 , and if m 2 + n 2 = m i + n i , then m i + n i is the cipher of m 2 + n 2 . In both situations, the adversary A I is able to judge if m i + n i is the cipher of m 1 + n 1 or m 2 + n 2 with a probability that is higher than 1/2. We can conclude that with algorithm O I , an adversary can break the semantic security of the proposed scheme with a probability that is higher than 1/2.
(⇐) Suppose there is an efficient algorithm O I I that could break the proposed scheme in probabilistic polynomial time. Given a cipher c i = g m i +n i ·η r i and public parameter Paras, adversary A II is able to judge if c i is the cipher of m 1 + n 1 or a random number.
If c i is the cipher of m 1 + n 1 , for the Boneh-Goh-Nissim homomorphic encryption algorithm, given C = (g m η r ) q 1 = c i = g m i +n i ·η r i , A II can get m = m i + n i . This means A II is able to break the algorithm.

For Internal Adversaries
In the proposed scheme, the smart meter reports (m i + n i ) to the aggregator m i represent the real consumption and a noise n i is randomly generated by the smart meter. Only the smart meter knows n i , other entities in the system are unable to get n i , thus they are unable to get the original consumption m i . The privacy of a single smart meter is protected, only the smart meter knows the real consumption m i .

Security of the Signature Scheme
Now we are going to prove that the signature scheme in the proposed schemes is secure. The proof is based on the computational hardness of the discrete logarithm (DL) problem. The discrete logarithm problem for a group G can be stated as: Given a group G with order q, for g ∈ G and a ∈< g >, find an integer x such that g x = a.
Theorem 2. The signature scheme in the proposed scheme achieves semantic security under the chosen cipher attack if and only if the discrete logarithm problem is unable to be solved in polynomial time.
(⇒) Suppose there is an efficient algorithm O I that could break the DL problem in probabilistic polynomial time. This means that for a message pair {c 1 , c 2 } and a signature e i = t i + φ i ·x i , given {d i , id i , T i } and public parameter Paras included the public key X i of id i , an adversary A I is able to get: If e 1 = e i , then e i is the signature of c 1 , and if e 2 = e i , then e i is the signature of c 2 ; in both situations, the adversary A I is able to judge if e i is the signature of c 1 or c 2 with a probability that is higher than 1/2. We can get the conclusion that algorithm O I can break the semantic security of the signature scheme with a probability that is higher than 1/2. (⇐) Suppose there is an efficient algorithm O I I that could break the signature scheme in the proposed scheme. Given a message c 1 , a signature e i = t i + φ i ·x i , {d i , id i , T i } and public parameter Paras included the public key X i of id i , adversary A I is able to judge if e i is the signature of c 1 or a random number. If e i is the signature of c 1 , an adversary A II is able to get: This means that with the help of an algorithm O I I , given {d i , id i , T i } and public parameter Paras included the public key X i of id i , the adversary A II can get d i ·(X i ) φ 1 = ξ t i +φ i ·x i modq. As for the DL problem, suppose a = d i ·(X i ) φ 1 and g x = ξ t i +φ i ·x i . Given g x = a, A II can get x = t i + φ i ·x i . This means the adversary can break the semantic security of the DL problem.

Security Analysis Using AVISPA
We ran a security check using the constraint-logic -based model-checker [36] and the on-the-fly model-checker (OFMC) [37,38] of Automated Validation of Internet Security Protocols and Applications (AVISPA). The simulation results shown in Table 7 demonstrate that the proposed scheme is safe.

Comparison
In this section, we compare the computation times for each scheme. The experimental results of different kinds of operations are shown in Table 8. We use the famous Java Pairing-Based Cryptography Library (JPBC) [39]. Type A1 pairings are constructed on the curve y 2 = x 3 + x over the field F q for some prime q = 3 mod 4, and this pairing is symmetric. The order of the group is some prime factor of (q + 1) for the initiation of the curve, the number of primes is set to 2, and the bit length of each prime is set to 160. The parameters for the elliptic curve are listed in Appendix A. The upper bound of Pollard's lambda is set at 100,000.

Computation Performance Analysis
We analyzed the computation cost of different schemes at the smart meter registration and aggregation phases. Suppose there are k smart meters in an aggregation system. For Fan's scheme, in the registration phase, the smart meter has to conduct two G exp and two H 2b operations; the aggregator has to conduct one G mul , one H 2b , and two G exp operations. In the aggregation phase, the smart meter has to conduct two G mul , two G h2p , and four G exp operations; the aggregator has to conduct one G pol , (k + 1) G bp , (2k − 1) G mul , (2k + 2) G exp , (k + 1) G h2p , and (k − 1) GT mul operations. For He's scheme, in the registration phase, the smart meter has to conduct two D exp , one D mul , and one H 2b operations; the aggregator has to conduct two D exp , one D mul , and one H 2b operations. In the aggregation phase, the smart meter has to conduct two G mul , one G h2b , three G exp , one D exp , one D mul and one H 2b operations; the aggregator has to conduct one G pol , k G mul , two G exp , one G h2p , (k + 1) D exp , k D exps , (2k − 1) D mul , and k H 2b operations.
For the proposed scheme, in the registration phase, the smart meter has to conduct one D exp and one H 256 operation; the aggregator has to conduct one H 256 operation. In the aggregation phase, the smart meter has to conduct one G mul , two G exp , one D exp , one D mul , and one H 2b operations; the aggregator has to conduct one G pol , (k − 1) G mul , one G exp , one D exp , (122k + 120) D mul , and k H 2b operations. Table 9 shows the computation cost of the registration phase and Table 10 shows the computation cost of the aggregation phase, in which k stands for the number of smart meters in the aggregation system.
The aggregator's computation cost in the modular group of He's scheme is cited directly from their paper. Table 11 shows the computation costs of different schemes in the registration phase in milliseconds. It is clearly shown in the table that the cost is minimal. This is because the proposed scheme only needs modular exponential group operations and the general SHA-256 operation. These two kinds of operations are both lightweight. Table 11. Computation cost of registration phase in milliseconds.

Scheme Smart Meter Side Aggregator Side
Fan [6] 20.32823 20.3458 He [7] 0.73439 0.73439 Ours 0.36543 0.00410 Figure 3 shows the computation costs of the smart meter side in the aggregation phase. The horizontal axis of this figure is the computation time, and the unit is a millisecond. It is clearly shown in the figure that the computation cost of the proposed scheme is minimal.
The aggregator's computation cost in the modular group of He's scheme is cited directly from their paper. Table 11 shows the computation costs of different schemes in the registration phase in milliseconds. It is clearly shown in the table that the cost is minimal. This is because the proposed scheme only needs modular exponential group operations and the general SHA-256 operation. These two kinds of operations are both lightweight. Table 11. Computation cost of registration phase in milliseconds.

Scheme Smart Meter Side Aggregator Side
Fan [6] 20.32823 20.3458 He [7] 0.73439 0.73439 Ours 0.36543 0.00410 Figure 3 shows the computation costs of the smart meter side in the aggregation phase. The horizontal axis of this figure is the computation time, and the unit is a millisecond. It is clearly shown in the figure that the computation cost of the proposed scheme is minimal.

Communication Performance Analysis
In this section, we show the communication cost of all the schemes. The lengths of * , * are 1024 bits and 160 bits, respectively. The length of is 330 bits, the length of an element of is 660 bits, the order of the curve is a 320-bit-long number. The size of the timestamp is 32 bits, and the identity is set to be 64 bits long. We analyzed the communication cost of the registration and aggregation phases. For Fan's scheme, at the registration phase, the smart meter has to send { , , , , } to the aggregator, and the bit length of this message is 660 + 660 + 330 + 330 + 64 = 2044. In the aggregation phase, the smart meter has to send { , , } to the aggregator, and the bit length of this message is 64 + 660 + 660 = 1384. For He's scheme, at the registration phase, the smart meter has to send { , , , } to the aggregator, and the bit length of this message is 64 + 1024 + 1024 + 160 = 2272. In the aggregation phase, the smart meter has to send { , , , , } to the aggregator, and the bit length of this message is 64 + 660 + 1024 + 160 + 32 = 1940.
For the proposed scheme, at the registration phase, the smart meter has to send { , , , } to the aggregator, and the bit length of this message is 1024 + 32 + 256 + 64 = 1376. In the aggregation phase, the smart meter has to send { , , , , } to the aggregator, and the bit length of this message is 64 + 660 + 1024 + 160 + 32 = 1940.
The communication cost of different schemes is shown in Table 12. Computation time at aggregator side Fan He Our

Communication Performance Analysis
In this section, we show the communication cost of all the schemes. The lengths of Z * p , Z * q are 1024 bits and 160 bits, respectively. The length of Z + is 330 bits, the length of an element of G 1 is 660 bits, the order of the curve is a 320-bit-long number. The size of the timestamp is 32 bits, and the identity is set to be 64 bits long. We analyzed the communication cost of the registration and aggregation phases.
For Fan's scheme, at the registration phase, the smart meter has to send {Y i , α i , β i , γ i , id i } to the aggregator, and the bit length of this message is 660 + 660 + 330 + 330 + 64 = 2044. In the aggregation phase, the smart meter has to send {id i , σ i , CT i } to the aggregator, and the bit length of this message is 64 + 660 + 660 = 1384. For He's scheme, at the registration phase, the smart meter has to send {id i , X i , Y i , α i } to the aggregator, and the bit length of this message is 64 + 1024 + 1024 + 160 = 2272. In the aggregation phase, the smart meter has to send {id i , c i , d i , e i , T i } to the aggregator, and the bit length of this message is 64 + 660 + 1024 + 160 + 32 = 1940.
For the proposed scheme, at the registration phase, the smart meter has to send {X i , T i , α i , id i } to the aggregator, and the bit length of this message is 1024 + 32 + 256 + 64 = 1376. In the aggregation phase, the smart meter has to send {id i , c i , d i , e i , T i } to the aggregator, and the bit length of this message is 64 + 660 + 1024 + 160 + 32 = 1940.
The communication cost of different schemes is shown in Table 12.

Comparison of All Features
In this section we compare the three schemes in different metrics, and the results are shown in Table 13. As we discussed in Section 3, the schemes of He et al. and Fan et al. have a meter failure problem: when one or more of the smart meters are broken, the scheme fails to work. If we want to add a new smart meter to the system, the whole system needs to be redeployed. Besides, it is a difficult task to replace a broken smart meter with a new one in the other two schemes; if a smart meter is broken, the whole system needs to be redeployed, too. The two schemes also require a higher time accuracy; this means that even if there is only a one millisecond mistake, the aggregator will not get the original data. Moreover, the computation cost of the proposed scheme is the least of the three under all conditions.

Conclusions
In this study, we first analyzed five noise-generating methods and found that noise obeying uniform distribution is the best for the smart meter privacy protection scenario. We introduced a smart meter aggregation scheme based on the noise addition method and a probabilistic homomorphic encryption algorithm. The proposed scheme can protect the privacy of users and overcome the problems in related works, such as meter replacement problem, meter failure problem, etc. The security analysis shows that the proposed scheme is secure. Besides, by using the noise addition method, we considerably decreased the computation cost of the smart meter side and the aggregator side. Moreover, the authentication process at the aggregator side is accelerated.