#### Abstract

To evaluate the working state of the smart grid, users need to count the status of devices collected by multiple smart meters. To avoid network congestion during data collection processes in the smart grid, an aggregation protocol is required to aggregate messages from multiple smart meters into one short message. However, since these messages may contain sensitive information of smart meters, privacy is a fundamental requirement for such a data aggregation protocol. At the same time, to avoid tampering of transmitted messages, data integrity is another important requirement during data aggregation. Currently, the privacy issue has been well addressed by using homomorphic encryption algorithms such as the Paillier cryptographic system, where multiple smart meters use the same encryption key for encrypting different messages. However, the integrity issue is much harder than the privacy issue since multiple smart meters use different private keys for signing different messages. To address the integrity issue, we propose a novel data aggregation protocol for the smart grid, called DASG. In DASG, we shall show how to aggregate signatures from multiple smart meters using the Chinese Remainder theorem and the Lagrange interpolation techniques, respectively. Since these two techniques can aggregate multiple messages into one, DASG is quite light-weight. Therefore, our newly designed data aggregation protocol for the smart grid can achieve both security and efficiency goals in the smart grid environment. Experimental results show that DASG is feasible for real world applications.

#### 1. Introduction

Recently, the smart grid has been widely deployed all over the world, which provides an intelligent power supply for smart cities [1]. In the smart grid environment, smart meters, users, and the grid operator’s network elements may communicate with each other for various applications, such as state estimation of the power distribution system and demand-side management [2]. Typically, traffic data in smart grid applications include billing data (e.g., active energy consumption data and reactive energy consumption data) and operational data (e.g., power, voltage, current, power outage logs, and alarms) [3, 4].

A big challenge is that the smart grid network has to handle a large number of messages collected by smart meters. As shown in [5, 6], each smart meter may send a few kilobytes of data every 15–60 minutes to grid operators. When there are a lot of smart meters, network congestion will occur [7–9]. Moreover, adversaries may track data flows and establish attacks on smart meters [10]. Therefore, to avoid network congestion and data-flow tracking in the smart grid, a data aggregation protocol for the smart grid is desired, which can aggregate multiple messages into one short message. By doing so, the number of messages transmitted across the operator’s network is reduced, and the network congestion is avoided. Moreover, since messages from multiple smart meters are aggregated into one short message, adversaries will no longer be able to track the data flow from smart meters.

Regardless of the underground technology implemented, a typical Data Aggregation protocol for Smart Grid (DASG) includes five entities as shown in Figure 1 [11]: the Data Repository (DR) who stores aggregated data, the user who downloads aggregated data from the data repository, the gateway who aggregates messages from multiple smart meters and then sends the aggregated message to the data repository, the Smart Meter (SM) who collects data and sends back to the data repository over the gateway, the Key Distribution Center (KDC) who is a trusted entity for distributing keys to the gateway, smart meters, and the user. There are mainly two processes, namely, the key distribution process and the data aggregation process. During the key distribution process, the KDC distributes keys to smart meters, the gateway, and the user for protecting the subsequent data flow. During the data aggregation process, the gateway aggregates status messages from multiple smart meters into one short message and sends them to the data repository for storage. Then, the user downloads aggregated message for status statistics.

Security is the main concern for DASG, which mainly includes two parts, namely, privacy and integrity. Currently, the privacy issue is well addressed by homomorphic encryption algorithms. In this sort of schemes, smart meters encrypt transmitted messages with the user’s public key, the gateway aggregates multiple encrypted messages into one short message without knowing the corresponding plaintexts, and the user decrypts the aggregated short message to get the status information. However, the integrity problem is still unsolved. Since multiple messages to be aggregated are signed with different private keys, the integrity problem is much harder. Unfortunately, the integrity issue is very important for DASG as illustrated below. If the adversary tampers with status information contained in the data flow, the user may make the wrong decision based on the tampered data, resulting in chaos over the smart grid. Therefore, the data aggregation protocol in the smart grid should provide integrity protection for collected data.

Efficiency is the second serious concern for DASG. First, due to limited resources, smart meters are seriously concerned about the high computation and communication costs for processing data illustrated as follows: (1) smart meters will typically process a variety of data. To provide privacy and integrity protections, smart meters have to run complicated cryptographic algorithms on collected data before sending it to the gateway, leading to high computation cost. (2) Transmitting a large volume of data to the gateway will result in high communication cost. Second, since the gateway has to aggregate a lot of messages from multiple smart meters, the computation cost on it will be quite high. Therefore, the data aggregation protocol in the smart grid should be highly efficient to handle a lot of messages.

Taking both integrity and efficiency into account, we aim to design a data aggregation protocol for smart grids. This newly designed data aggregation protocol can aggregate messages collected from multiple smart meters into one short message. More specifically, the data aggregation protocol for the smart grid should fulfill the following requirements.(1)Integrity. It should be guaranteed that the adversary cannot tamper with the transmitted data in this protocol.(2)Status statistics. It should be guaranteed that the data aggregation protocol can evaluate the status of the smart grid. For example, the user may want to count the number of smart meters whose currents are higher than a dangerous value. Or, the user may want to count the number of smart meters whose devices are shut down. In all these kinds of applications, the gateway needs to compute the sum of messages from multiple smart meters.(3)Computation cost. It should be guaranteed that the computation costs on smart meters, the gateway, and the user are low when running the data aggregation protocol.(4)Communication cost. It should be guaranteed that the communication costs across the smart grid are low by running the data aggregation protocol. Obviously, designing a data aggregation protocol for a smart grid is a nontrivial task illustrated as follows. First, the data aggregation protocol has to aggregate multiple messages signed by different private keys into one short message. Second, the data aggregation protocol should have the status statistics feature. Third, since there are a large number of messages to be aggregated by the gateway, the efficiency of a data aggregation protocol should be quite high. Recently, data aggregation protocols for smart grids have focused on the privacy feature during data aggregation, while the integrity feature has been largely neglected. Furthermore, when working on this research topic, we observe that there is no cryptographic primitive which can be directly applied to satisfy all the above requirements. Detailed analysis for arriving at this conclusion is presented in the next section. This issue is becoming more and more serious with the explosive deployment of smart grids in the real world. Motivated by this observation, we mainly make three contributions in this paper illustrated as follows.(1)We first identify the characteristics of data aggregation in smart grids and then present a comprehensive set of requirements for the protocol of this kind. We show some problems of current data aggregation protocols in smart grids.(2)We propose a novel data aggregation protocol for smart grids called DASG, which can fulfill all the above-given security and efficiency requirements. Moreover, different from current data aggregation protocols in smart grids, DASG mainly focuses on the integrity issue. To satisfy all the above-given requirements, we’ll design two homomorphic signing algorithms based on the Lagrange interpolation function [12] and the Chinese Remainder theorem [13], which allow the gateway to aggregate multiple messages signed by different private keys. Since these two techniques are quite light-weight, DASG can enjoy the high efficiency feature.(3)We analyze the security of DASG, which shows that it satisfies the above requirements (1) and (2). And, we evaluate the efficiency of DASG, which shows that it satisfies the above requirements (3) and (4).

The remainder of this paper is organized as follows. First, we survey the related work in Section 2. Second, we present the DASG protocol in Section 3. Third, we analyze the security of DASG in Section 4. Fourth, we evaluate the efficiency of DASG in Section 5. Finally, we draw our conclusions in Section 6.

#### 2. Related Work

Due to the large volume of data to be collected, data aggregation is an essential protocol in smart grid, which can reduce the volume of transmitted data significantly and hence avoid network congestion. Since adversaries may intercept and tamper with transmitted data, privacy and integrity are basic requirements for data aggregation protocols. Therefore, many works have focused on designing secure and efficient data aggregation protocols. Typically, these data aggregation protocols can be categorized into three types, namely, perturbation-based data aggregation, partition-based data aggregation, and homomorphic-encryption-based data aggregation. In the following paragraphs, we shall analyze them, respectively.

Perturbation-based data aggregation is the first technique for addressing the privacy issue in smart grid. In this kind of scheme, smart meters provide privacy protection for original data by adding random numbers to it [14–19]. For example, in [14], the authors introduced a cluster-based data aggregation protocol with privacy protection. In [15], the authors provided a K-indistinguishable privacy-preserving data aggregation protocol. In [16], the authors proposed a differential-privacy-based data aggregation protocol. In general, the random numbers can be random noises [17, 18] or interferences [19]. However, adding perturbations to the original data will lead to high computation costs. Moreover, perturbation-based data aggregation protocols cannot prevent adversaries from tampering data.

Partition-based data aggregation is the second technique for addressing the privacy issue in the smart grid. In this kind of scheme, original data are split into multiple partitions to achieve the privacy-preserving goal. For example, in [20], the authors designed a partition-mixture technique for data aggregation, and the authors in [21, 22] presented a data aggregation protocol based on secret-sharing. However, partition-based data aggregation protocols will lead to data loss an high communication costs among smart meters, resulting in failure of aggregation.

Homomorphic-encryption-based data aggregation is the third technique for addressing the privacy issue in the smart grid. In this kind of scheme, smart meters encrypt the original data, and the gateway aggregates data from multiple smart meters without decrypting it to provide privacy protection. For example, in [23–25], several addition homomorphic algorithms were designed for smart grid. In [26], the authors introduced a concealed data aggregation protocol. In [27, 28], the authors proposed a multi-layer security protection protocol for data aggregation. However, this sort of schemes will lead to high computation costs and cannot provide integrity protections for transmitted data.

There are several more approaches for data aggregation in smart grid. For example, in [29], the authors used the block-chain technique for managing the data aggregation processes [29], and in [4], the authors aggregated data according to the quality-of-service requirements.

From the above analysis, it can be seen that only the homomorphic encryption technique can provide privacy protection for aggregated data well. However, existing homomorphic-encryption-based data aggregation technique cannot provide integrity protection for transmitted data and lack the status statistics capacity. Moreover, many schemes will lead to low efficiency. The issues of existing schemes are shown in Table 1. Therefore, it is desirable to design a data aggregation protocol for a smart grid, which can efficiently aggregate data with integrity and statistical capacity.

#### 3. DASG: The Protocol

##### 3.1. Preliminaries

###### 3.1.1. Lagrange Interpolation

The Lagrange interpolation function [12] is a linear combination of Lagrange basis polynomials , where , and is a set of different 2-dimension vectors.

Specifically, for , the following equation holds: .

###### 3.1.2. Chinese Remainder Theorem

Given a set of integers whose elements are pairwise relatively prime, and a system of simultaneous congruences , the unique solution for modulo for the following system of simultaneous congruences is where and [13].

###### 3.1.3. Bilinear Map

Let and be two cyclic groups with the same prime order (i.e., ). Let be the generator of . Then, a bilinear map group is defined as , where has the following properties:(1)Bilinearity. For , . For , (2)Nondegeneracy. such that (3)Computability. For , it is efficient to calculate

The above-given can be constructed by the Weil or Tate pairings [30, 31] on elliptic curves.

##### 3.2. System Model

The system model of DASG is described in the following subsections, and Table 2 lists the notations used in this paper.

###### 3.2.1. The Key Distribution Process

Figure 2 shows the key distribution process of DASG. During this process, the KDC first initializes the set of public and private keying materials of the data aggregation system. The initialization algorithm is defined as follows.

. This algorithm is run by the key distribution center for initializing system parameters for DASG. It takes the parameter of security strength () as input, and outputs the private key of the KDC () and the corresponding public key of the KDC ().

For the user () who wants to verify and use the aggregated message, the KDC distributes to it.

For the gateway () who aggregates messages received from multiple SMs, the KDC generates the private key () and the corresponding public key () for the gateway. And then, the KDC distributes to the gateway. The key generating algorithm for the gateway is illustrated as follows.

. This algorithm is run by the key distribution center for generating public and private keys for the gateway. It takes as inputs the private key of the KDC (), the public key of the KDC (), and the gateway’s identity (), and outputs the private key of the gateway () and the corresponding public key of the gateway ().

For the th smart meter () who sends a message to the gateway for aggregation, the KDC generates the private key () and the corresponding public key () for the . And then, the KDC distributes to the th smart meter. The key generating algorithm for the is illustrated as follows.

. This algorithm is run by the key distribution center for generating public and private keys for the th smart meter. It takes as inputs the private key of the KDC (), the public key of the KDC (), and the th smart meter’s identity (), and outputs the private key of the th smart meter () and the corresponding public key of the th smart meter .

After the initialization phase, the data center holds ( and ), the user holds , the gateway holds (, , and ), and the holds (, , and ).

###### 3.2.2. The Data Aggregation Process

Figure 3 shows the data aggregation process of DASG. Assuming there are smart meters, the data aggregation process mainly includes three steps. First, each smart meter will send a message to the gateway. Second, the gateway will aggregate all the messages into one short message, and compute the corresponding signature from multiple signatures from SMs. Finally, the user will verify the aggregated message. The details of these three steps are illustrated as follows.

*Step 1. *Before each smart meter () sends a message () to the gateway for aggregation, it will sign this message using the algorithm, which is illustrated as follows.

. This algorithm is run by the for signing the message . It takes as inputs the message to be signed (), the 's private key (), the 's public key (), the KDC’s public key (), and outputs the signature ().

*Step 2. *Upon receiving the set of messages and the corresponding signatures , the gateway aggregates , into one short message and one short signature using the algorithm, which is illustrated as follows.

. This algorithm is run by the gateway for aggregating the set of messages () and the corresponding set of signatures () from multiple smart meters. It takes as inputs the set of messages (), the set of signatures (), the gateway’s private key (), the gateway’s public key (), the KDC’s public key (), and outputs the aggregated message (), and the corresponding aggregated signature ().

*Step 3. *After data aggregation, the gateway stores and to the data repository, and the user downloads and for verifying the aggregated message () and the corresponding signature () using the algorithm, which is illustrated as follows.

. This algorithm is run by the user for verifying the aggregated message . It takes as inputs the aggregated message (), the aggregated signature (), the KDC’s public key (), and outputs if the message passed the verification. Otherwise, it outputs .

After the data aggregation process, the user gets the sum of messages from multiple smart meters (), and checks the integrity of using the algorithm, which is the status statistics information of the smart grid.

In the above-given system model, the set of messages () is signed by smart meters and aggregated by the gateway, the user can make sure whether is tampered by verifying and . Therefore, the newly designed protocol has the integrity feature. Since is the sum of messages from multiple smart meters, the newly designed protocol has the status statistics feature. So, DASG can achieve the security goals described in Section 1. In Section 4, we shall further analyze the security of DASG.

##### 3.3. Construction

The construction of DASG is a tuple () of probabilistic polynomial time algorithms. In the following two subsections, we shall present two constructions based on the Chinese Remainder theorem and the Lagrange interpolation function, respectively.

###### 3.3.1. Construction Based on the Chinese Remainder theorem

. The key distribution center runs this algorithm for initializing system parameters for DASG as follows. First, the key distribution center generates a group with a random generator and a -bit prime order . Second, the key distribution center randomly generates numbers where are pairwise relatively prime and computes . Third, the key distribution center randomly generates . Fourth, the key distribution center randomly generates the main signing key as and computes the corresponding public key . Finally, the key distribution center gets and .

. The key distribution center runs this algorithm for generating public and private keys for the gateway as follows. First, the key distribution center computes the aggregating key as . Second, the key distribution center computes the related materials and . Finally, the key distribution center gets and .

. The key distribution center runs this algorithm for generating public and private keys for the th smart meter as follows. First, the key distribution center computes . Second, the key distribution center computes the related materials and . Third, the key distribution center computes the public key as . Finally, the key distribution center gets and .

. The runs this algorithm for signing the message as , where is a hash function, and is the index for uniquely identifying .

. The gateway runs this algorithm for aggregating the set of messages and the corresponding set of signatures () and from multiple smart meters as follows. First, the gateway aggregates messages as . Second, the gateway computes .

. The user runs this algorithm for verifying the aggregated message as . If the above-given equation holds, this algorithm returns . Otherwise, it returns .

###### 3.3.2. Construction Based on the Lagrange Interpolation Function

. The key distribution center runs this algorithm for initializing system parameters for DASG as follows. First, the key distribution center generates a group with a random generator and a -bit prime order . Second, the key distribution center randomly generates two private keys , and gets . Third, the key distribution center randomly generates . Fourth, the key distribution center computes and . Finally, the key distribution center gets and .

. The key distribution center runs this algorithm for generating public and private keys for the gateway as follows. First, the key distribution center computes the aggregating key as , where is a hash function. Second, the key distribution center computes the corresponding public key as .

. The key distribution center runs this algorithm for generating public and private keys for the th smart meter as follows. First, the key distribution center computes the signing key as , where is a hash function. Second, the key distribution center computes the corresponding public key as .

. The runs this algorithm for signing the message as , where is a hash function, and is the index for uniquely identifying .

. The gateway runs this algorithm for aggregating the set of messages and the corresponding set of signatures and from multiple smart meters as follows. First, the gateway aggregates messages as . Second, the gateway computes .

. The user runs this algorithm for verifying the aggregated message as . If the above-given equation holds, this algorithm returns . Otherwise, it returns .

###### 3.3.3. Discussions on the Two Constructions

In the above-given constructions, the message containing the status information () is signed by the smart meter. Then, the gateway aggregates multiple messages and the corresponding signatures into one short message and the corresponding short signature. Finally, the user checks the integrity of the aggregated short message using the key distribution center’s public key (). So, DASG can achieve the integrity goal. In Section 4, we shall further analyze the integrity of DASG.

In the above-given constructions, multiple messages containing the status information () are added up by the gateway, and the user can get the sum contained in the aggregated short message (). So, DASG can achieve the status statistics goal.

In the above constructions, the smart meters and the gateway only uses a few modular exponentiation operations for signing and aggregating multiple messages. And, the user only needs two bilinear pairing operations for multiple messages from smart meters. Therefore, DASG can enjoy high efficiency. In Section 5, we shall analyze the efficiency of DASG in detail.

In the above-given constructions, we assume smart meters are trustworthy. In some scenarios where smart meters are not trustworthy, two smart meters may be in collusion with each other to get the main signing key . For example, in the construction based on the Chinese Remainder Theorem, two smart meters may compute the main signing key as . Similarly, in the construction based on the Lagrange interpolation function, two smart meters may compute the main signing key as . Once these two smart meters get the main signing key (or ), they can tamper the aggregated message , and the corresponding signature . To address this issue, the KDC may distribute more private keys to the gateway for data aggregation. For example, in the construction based on the Chinese Remainder Theorem, the KDC may constructs a threshold signature system instead of current threshold system in the and distribute a set of private keys to the gateway instead of only one private key . In this case, two smart meters will not be able to compute anymore. Moreover, when , even smart meters are in collusion, they will not be able to compute .

In the above-given constructions, we mainly focus on the integrity problem. To provide privacy protection for the message , a homomorphic encryption algorithm can be used on , and our signing and verification algorithms are run over encrypted messages.

#### 4. Security Analysis

In this section, we shall first prove the correctness of DASG. Then, we shall analyze the integrity requirement described in Section 1.

##### 4.1. Correctness

In Section 3.3, smart meters sign status messages using the algorithm, the gateway aggregates multiple status messages and their corresponding signatures into one short message and one short signature using the algorithm, and the user checks the integrity of the aggregated message using the algorithm. In this subsection, we shall prove the correctness of the algorithm. That is to say, if the user, the gateway and the smart meters run their algorithms correctly, the algorithm will return .

###### 4.1.1. Correctness of the Chinese-Remainder-Theorem-Based Construction

First, from the algorithm, we can see that

Second, according to the Chinese Remainder Theorem, we can get . Therefore, the above equation can be further computed as follows:

Third, taking the above equation into the algorithm, we can get .

From the above-given analysis, we can see that our construction based on the Chinese Remainder theorem is correct.

###### 4.1.2. Correctness of the Lagrange-Interpolation-Function-Based Construction

First, from the algorithm, we can see that

Second, according to the Lagrange interpolation function, we can get . Therefore, the above equation can be further computed as DSLQ

Third, taking the above-given equation into the algorithm, we can get .

From the above-given analysis, we can see that our construction based on the Lagrange interpolation function is correct.

##### 4.2. Integrity

From Section 3.3, it can be seen that the newly designed algorithm is a variation of the famous BLS signature [32], whose security has been proven in the random oracle model [33]. The integrity of our constructions can be proven in a similar way as shown in Theorem 1.

Theorem 1. *After signing queries, if the adversary can forge (, ) with the probability in time , can solve the GDH problem with the probability in time , where is the time cost of modular exponentiation.*

*Proof. *The detailed security analysis is shown in the online supplementary material (available here).

So, both constructions given in Section 3.3 can satisfy the integrity requirement described in Section 1.

#### 5. Efficiency Evaluation

In this section, we shall evaluate the efficiency of DASG according to the requirements described in Section 1, namely the computation and communication costs.

From Section 3, we can see that DASG includes two processes, namely the key distribution process and the data aggregation process. The computation and communication costs are mainly consumed during the data aggregation process, while there are a variety of messages to be signed and aggregated. And, the key distribution process is run by the key distribution center only once before the data aggregation process. Therefore, in the following subsections, we mainly focus on the data aggregation process.

##### 5.1. Computation Costs

During the data aggregation process, multiple smart meters sign their messages using the algorithm with different private keys, the gateway aggregates multiple messages into one short message using the algorithm, and the user checks the integrity of the aggregated short message using the algorithm. Therefore, we mainly analyze the computation costs consumed by these three algorithms.

As shown in Section 3, the , and algorithms can be constructed based on the Chinese Remainder theorem and the Lagrange interpolation function. In both constructions, the mathematical operations include modular exponentiation, bilinear pairing, modular multiplication, modular addition, and hash function. Compared with those of the modular exponentiation and bilinear pairing operations, the computation costs of the modular multiplication, the modular addition, and the hash operations can be omitted. Therefore, in the following evaluation, we only take the modular exponentiation and bilinear pairing operations into account.

Currently, there is no data aggregation scheme with integrity protection. Therefore, to evaluate the computation costs reduced by our data aggregation constructions, we consider a benchmark scheme, where the gateway just relays multiple signed messages to the data repository without aggregating them and the user checks each message using the pairing algorithm as , where is the signature of .

Assuming there are smart meters, we can get the computation costs consumed by smart meters, the gateway, and the user, respectively. The results are shown in Table 3. Note that, we assume the algorithm is run times when computing the total computation costs, since there are smart meters.

From Table 3, we can draw the following conclusions:(1)Computation costs on smart meters. The computation costs of the algorithms on each smart meter in all the three schemes are the same () and are independent of the number of smart meters (). Therefore, data aggregation will not increase the computation costs on smart meters.(2)Computation costs on the gateway. The computation costs of the algorithms in both the Chinese-Remainder-Theorem-based construction and the Lagrange-interpolation-function-based construction are linear to the number of smart meters (). In addition, it is obvious that the computation cost on the gateway is 0 when the gateway does not aggregate messages. Therefore, data aggregation will increase additional computation costs on the gateway(3)Computation costs on the user. The computation costs of the algorithms in all the two schemes with data aggregation are the same (). However, when messages are not aggregated by the gateway, the user will have to run the algorithm once for each smart meter. Therefore, data aggregation will decrease the computation cost on the user.(4)The total computation costs. The total computation costs in all the three schemes are linear to the number of smart meters (i.e., ). However, the numbers of bilinear pairings in schemes with data aggregation are independent of the number of smart meters, but this in the benchmark without data aggregation depends on the number of smart meters. Since bilinear pairing is the most costly operation, data aggregation will potentially decrease the total computation costs as shown in the following paragraphs.

Then, to further compare the computation costs of these three schemes, we implemented our experiments on a Laptop with an Intel i7 processor whose clock frequency is 3.40 GHz. The operating system of this Laptop is Win10. Cryptographic libraries installed on this Laptop include OPENSSL [34] and PBC [35]. For investigating the computation costs of modular exponentiation and bilinear pairing, we used the 160-bit elliptic curve group [36, 37]. After experimentation, we get and . Taking these two results into Table 3, we get the time costs of algorithms used in these three schemes, as shown in Table 4.

From Table 4, we can draw the following conclusions:(1)The computation costs of the algorithms in all the three schemes are , which are quite light weight. Therefore, smart meters enjoy high efficiency, which is suitable for the smart grid, where smart meters are low-power devices.(2)Aggregating multiple messages into one short message will increase the computation cost on the gateway. In both the Chinese-Remainder-Theorem-based and the Lagrange-interpolation-function-based constructions, the computation costs are linear to the number of smart meters. When there are a lot of smart meters, the computation cost of the Chinese-Remainder-Theorem-based construction is around to that of the Lagrange-interpolation-function-based construction, since .(3)In both Chinese-Remainder-Theorem-based and Lagrange-interpolation-based constructions, the verification costs on the user are after data aggregation, which are quite light weight. On the other hand, without data aggregation, the verification costs will be linear to the number of smart meters (). When there are a lot of smart meters, the computation costs on the user will be quite high.(4)The total computation cost of the Chinese-Remainder-Theorem-based construction with data aggregation is around to that of construction without data aggregation. This is because . The total computation cost of the Lagrange-interpolation-based construction with data aggregation is around to that of construction without data aggregation. This is because . The total computation cost of the Chinese-Remainder-Theorem-based construction with data aggregation is around to that of the Lagrange-interpolation-based construction with data aggregation. This is because .

In summary, the data aggregation process can reduce the computation cost on the user by adding additional computation cost on the gateway. And both the Chinese-Remainder-Theorem-based construction and the Lagrange-interpolation-based construction can reduce the total computation cost significantly. Moreover, the Chinese-Remainder-Theorem-based construction is more efficient than the Lagrange-interpolation-based construction. This is because the aggregation process on the gateway in the former scheme is much more efficient. Therefore, DASG can satisfy the computation cost requirement defined in Section 1.

##### 5.2. Communication Costs

The communication cost is evaluated by using the number of messages and lengths of messages transmitted in DASG.

There are three kinds of messages, namely the messages sent from smart meters to the gateway, the messages sent from the gateway to the data repository, and the messages sent from the data repository to the user.

Similar to the evaluation of computation cost, we compare the communication costs of the three schemes. They are Chinese-Remainder-Theorem-based construction with data aggregation, Lagrange-interpolation-function-based construction with data aggregation, and the benchmark construction without data aggregation. Information transmitted in these messages includes , , , and . In our experiment, we used the 160-bit elliptic curve. In this case, and are integers whose lengths are , while and are points on the curve whose length are . Assuming there are smart meters, we can get the number of messages and lengths of messages transmitted in the three schemes as shown in Tables 5 and 6, respectively.

From Tables 5 and 6, we can draw the following conclusions:(1)The number of messages and lengths of messages sent from smart meters to the gateway are linear to the number of smart meters, and the data aggregation process does not reduce the communication costs between smart meters and the gateway.(2)With data aggregation, the number of messages and the lengths of messages will be independent of the number of smart meters. On the other hand, without data aggregation, they will be linear to the number of smart meters.(3)When there are a lot of smart meters, the total number of messages with data aggregation is around to that without data aggregation. This is because .(4)When there are a lot of smart meters, the total lengths of messages with data aggregation is around to that without data aggregation. This is because .

In summary, by data aggregating, the communication costs can be reduced significantly. Therefore, DASG can satisfy the communication cost requirement defined in Section 1.

#### 6. Conclusion

In this paper, we have designed a data aggregation protocol for a smart grid called DASG. In DASG, by using the Chinese Remainder theorem and the Lagrange interpolation function, the gateway can aggregate multiple messages signed by different smart meters with different private keys into one short message, and the user can check the integrity of the aggregated short message. By doing so, the computation and communication costs can be reduced significantly. Experimental results show that DASG is feasible for real world applications.

#### Data Availability

All data generated or analyzed during this study are included in this published article.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This paper was supported by the Science and Technology Project of State Grid Corporation of China (Grant no. 5100-202118566A-0-5-SF).

#### Supplementary Materials

The online supplementary material file named “security analysis” is the proof for Theorem 1.* (Supplementary Materials)*