#### Abstract

As an extension of the Internet of Things (IoT), smart city is a new aim for applications used in different industrial aspects. Intelligent IoT devices are used everywhere in smart cities to implement the functions such as monitoring and managing. Smart grid is one of the critical parts. Obtaining the quantity and cost of electricity usage is the most critical task of the smart grid. But such data in plaintext may leak the user privacy. So, it is an emergent aim to protect the private information of the user. Thus, we present a secure scheme for the smart grid, which not only protects the user’s information including identity and power consumption in the communications but also tracks the correct electricity cost for each user. Also, electricity consumption data from users could be aggregated in fog devices and then analyzed by the utility provider. The formal proof shows that the message transmission reaches the security level of the chosen plaintext attack (CPA). Also, the security properties of the scheme express the robustness. Finally, the performance study demonstrates that the proposed protocol is acceptable in practice.

#### 1. Introduction

Nowadays, smart city aims to optimize every function of the city and improve the quality of citizens’ life with data analysis and technology development. Quality of life has been improved substantially in smart city. To complete the whole process from data collection to instruction assignment to concrete sensors, intelligent Internet of Things (IoT) devices such as smart meters, robots, aggregation devices, and software-defined production processes are deployed for different sorts of usage. Through sensors distributed everywhere, many kinds of data are gathered and sent to center servers for decision-making. Under that background, power grid, traffic, agriculture, and accommodation turn to be smart grid, smart traffic, smart agriculture, and smart home, respectively. However, security gaps containing weak authentication or vulnerability in code pieces lead to serious and urgent risks. Attackers can exploit the operating system and software’s holes, eavesdrop on the messages in public channels between sensors and servers, or compromise sensors to get valuable information after analyzing relative data flows.

Traditional electricity grid consists of power stations, high-voltage transmission lines, and distribution lines. They build a large network that delivers electricity from the producer to the users, and the balance of power supply and usage relies on the construction of power plants. The more electricity is required, the more plants should be built. But with the technology progressing, smart grid becomes an attractive term, and it turns to be true in some developed countries. Promising changes appear in every aspect, including intelligent power generation, transmission, and applications. Advanced metering infrastructure (AMI) is the architecture of smart grid, where bidirection demand response is an important property, which permits the users and the utility provider to monitor, adjust, count, and forecast the electricity use. The time-of-use pricing mechanism is employed, and users should pay higher fees in the peak time under this measure. Also, smart grid is one of the most important sorts of cyber-physical systems (CPSs). As physical devices, smart meters (s) are distributed widely outside the houses or gathered in a meter box in a building. Each smart meter collects the power consumption value in one house with every fixed period to calculate the fees due to different prices in peaks and valleys. Since the power usage data are fine-grained, smart grid faces security problems containing threats and weaknesses including identity and consumption leaking, replay attack, denial-of-service attack, and so forth. The attacker may deduce user habits or behaviors via such information, so the privacy of the personal information turns to be an important issue and is discussed by researchers. According to [1], several requirements should be satisfied, including transmitted data privacy, data reliability, and authentication between participants.

With the popularization of smart grid, enormous data have been generated. Simple data processing is done on fog devices (s). Fog computing means that some critical computations are completed on the edge of the network or fog devices distributed everywhere. s in one domain submit their collected data to the corresponding , and the extensional calculations, like clarifying the consumption fee and making data aggregations, could be done based on the data owned by s. All transmitted messages should be kept away from danger. Authentication and public key mechanism [2–4] are the necessary ways to protect the security of data. It is necessary to study the current situation of privacy-preserving schemes for smart grid and we will list the related literature.

##### 1.1. Related Work

In recent years, a host of schemes for AMI has been presented. Based on [5], there are three classic sorts: key agreement, only consumption data encryption, and data aggregation. Authentication and key agreement is the usual way for sending information in smart grid [2–4, 6–15]. In 2011, Fouda et al. [6] presented a key agreement scheme between the building area network and home area network. But, it is criticized in [7] that heavy computation cost is used. Then, Li et al. [11] pointed out that identities of users were exposed by plaintext in [7]. In 2016, Tsai and Lo [8] presented a scheme with a session key formed between the smart meters and corresponding service supporter. But Odelu et al. and He et al. [9, 10] considered that calculation time in [8] costs too much due to bilinear pairing calculations. Unfortunately, the two schemes could not satisfy the anonymity of user [2]. In 2018, schemes [12–14] were proposed, but the weaknesses like lack of forward security and anonymity were still troubling people.

The second sort is that only the consumption data are protected, but the user’s identity is not considered as the secret [5, 16–20]. In 2015, Diao et al. [16] proposed a scheme built on zero-knowledge and Camenisch-Lysyanskaya signature. They claimed that user identity was anonymous and linkable in the scheme, but soon, the forgery attack on the scheme was given in [17]. In 2016, Sui et al. [18] designed a scheme between and the electricity utility. But the user who consumes more electricity than the threshold will be exposed in plaintext. Next year, Ge et al. [19] pointed out that unlinkability feature could not be satisfied in [18]. But the two schemes [18, 19] are unfit due to exposing user identity simply and crudely. And in [5], secure channel is required several times when normal data transmission proceeds, and the identity is also in plaintext against the anonymity requirement. In 2020, Ding et al. [20] put forward a data aggregation scheme for smart grid, but both the identity and public key of user were transmitted directly in the public channel. In 2021, Su et al. [21] proposed a changeable threshold-based aggregation scheme for smart grid. However, identity is ignored in the message transmission, and only the aggregation value can be obtained in the control center, which is equal to here. Also, Wang et al. [22] presented an aggregation scheme keeping privacy of user in the same year, but the identity of user was still ignored.

The last sort is aggregating data relative to the consumption [1, 23–29]. In 2017, He et al. proposed studies [23, 24] which described the aggregation between s and the special aggregator. But in the aggregation part, the identity of user, which should be transmitted in plaintext, is needed to verify the data. Wang’s scheme [25], which employed the identity-based signature, had the same problem, where the user’s identity must be exposed in the public channel or the final check on the aggregation device could not be completed. In 2017, Badra and Zeadally [1] presented a scheme with symmetric homomorphic encryption and Diffie–Hellman problem. Every time, one user should update the shared key between the server and himself, with the help of another user. But how to find the suitable helper is not mentioned. Shen et al. [26] proposed a cube-data aggregation scheme for smart grid. However, the user identity is also in plaintext. Lu et al. [27] proposed a Paillier encryption-based scheme to make the data aggregation. But the time-based hash chain in the scheme is not suitable if the smart meter malfunctions once. The fog device cannot check the correct submission, while the last one or several submissions are lost or rejected. Liu et al. [28] used lifted EC-ElGamal cryptosystem with plaintext identity. However, except [1], all of the above schemes do not consider the fee of each user. Only aggregation and some statistical operations, such as mean and variance values, are regarded. Smart grid is first for electrical consumption, and the fee of electricity usage is much more important than statistical data for prognosis. On this aspect, in 2016, Wang et al. [29] proposed a scheme which could not only disclose the user consumption but also collect statistical data for computing statistic values. However, some weaknesses are exposed: the data in the aggregation process cannot be verified, the adversary can calculate the private consumption from the message, and the pseudoidentity will be exhaustively searched on the trusted server side by doing both hash and scalar multiplication, since the trusted server only calculates the collected data of the special smart meter which is required by .

Usually, the quantity of electricity usage is set as the discrete logarithm in aggregation. Based on [30], the power energy consumption in China is about 7225.5 terawatt/hour in 2017. This number is at the level of , and such discrete logarithm could be solved in 0.1 s [31], generally with the Pollard rho algorithm [32]. This technology is employed in many studies [23–25, 27, 29, 33].

##### 1.2. Contributions

(1)We give a new data transmission scheme for smart grid, and it could make both the power consumption and data aggregation clear.(2)Formal proof demonstrates that the messages are robust enough against forgery attacks(3)Considering the security characters and performance evaluation, our scheme is good for practicality##### 1.3. Organization of the Paper

The rest of study is organized as follows: Section 2 expresses the basic knowledge of the study. Our scheme is in Section 3. Then, the formal proof lies in Section 4 and security analysis is in Section 5. The performance situation is in Section 6. Finally, the conclusion is drawn in Section 7.

#### 2. Preliminary

##### 2.1. Notations

In Table 1, the notations used throughout the study are given.

##### 2.2. Referred Mathematical Problems

The problems given in the following are based on the elliptic group with order and generator mentioned in Table 1.

*Definition 1. *The discrete logarithm (DL) problem is that in the tuple , where is unknown, it is hard to calculate .

*Definition 2. *The computational Diffie–Hellman (CDH) problem on is that given the tuple , where are unknown, it is hard to calculate *abP*∈*G*.

*Definition 3. *The decisional Diffie–Hellman (DDH) problem on is that given the tuple , where are unknown, it is hard to judge if .

*Definition 4. *The gap Diffie–Hellman (GDH) problem on is that given tuple , where are unknown, it is hard to calculate via the help of DDH tool, like an oracle. Here, we define , which is the probability of solving GDH problem for in polynomial time .

##### 2.3. Network Model

Our scheme relies on the model in [29]. If the users obey the laws and pay the bill in time, it is unnecessary to expose the fine-grain consumption value to smart grid, especially . only accepts the aggregation of consumption and changes power supply with the corresponding price in different time spans. The architecture of the network is shown in Figure 1. Four kinds of devices are in the network: smart meter, fog device, trusted server , and utility provider. Smart meter measures the power consumption details for every house. It is natural that the fee should be checked. But in [29], the fee is calculated on side. Without verifications on some trusted server, such data cannot be believed. Different from [29], only the consumptions will be submitted. Fees are not considered. Also, only total electricity consumption in one house is submitted in our scheme. Consumptions from all appliances in the house are not considered. Such data are submitted to the fog device, which stores the collection and is ready to provide data for people to check the consumption and to aggregate the data without leaking user information. The trusted server can get power consumption from each user, in order to calculate the electricity fee later. Also, it generates the key for the fog device to send the aggregated data with encryption, in order to prevent the attacker from cracking. The utility provider requires the aggregated statistical data to predict the total data in a long time. Wired channels are between fog devices and the trusted server and between fog devices and .

##### 2.4. Security Model

Combining studies [27, 29, 34], we give the security model of our scheme as follows.(1)The scheme is chosen plaintext attack (CPA) secure(2)The trusted server is reliable and can get the real identity and power consumption of user. It is for the property of user anonymity and traceability.(3) could eavesdrop and forge messages in the public channel(4)The and fog devices are honest-but-curious, since they execute the protocol but are curious about the privacy of users. However, according to [27], any will not collude with .

#### 3. Proposed Scheme

We divide our scheme into six phases: initialization, data encryption, consumption affirmation, aggregation key generation, aggregation, and aggregated data decryption. Different from [29], we do not consider user’s fee submission, as the fee should be checked on the side, and it is not suitable to completely trust the fee calculated by smart meters. Moreover, we focus on the unitary consumption or one smart meter for a house. We do not use the way in [29], where each appliance is counted, respectively. Moreover, there is only one and one . Moreover, we put the process from Section 3.2 to Section 3.6 in Table 2.

##### 3.1. Initialization

generates a cyclic group with a large prime order and generator , as given in Table 1. Its private/public key pair is . Similarly, owns its private/public key pair , and owns its private/public key pair . Moreover, ’s identity is and ’s identity is ; stores the pair , where the submission target of is ; also stores the pair , such that should submit the information to . At last, and have a common secret key . stores the quantity of smart meters in ’s domain. Finally, hash functions are defined as follows: and .

##### 3.2. Data Encryption

selects random numbers , picks the timestamp , and calculates the following elements with user consumption : , , , , , , , and . Then, sends to the corresponding .

##### 3.3. Consumption Affirmation

checks and stores if is valid. Then, it sends to , in order to disclose the user identity and corresponding power consumption. computes , , , , , and , finds out the corresponding according to , and checks if , , , and . If true, could calculate the fee according to .

##### 3.4. Aggregation Key Generation

In order to help aggregate power usage in smart meters for a time span, selects a random string , the timestamp in relative time span and , and calculates , , , , and . Then, sends to .

##### 3.5. Aggregation

checks , gets the number as the number of functioning smart meters, picks up timestamp and , calculates , and checks if . If true, computes , , , , , , , , , , , and . Then, sends to .

##### 3.6. Aggregated Data Decryption

checks and searches based on . If the checks and the data are found, it computes and checks . If true, computes and checks if . If correct, computes and and then uses the Pollard rho algorithm to get from and from . If , the mean value and the variance value ; else, if , the variance value is changed to be .

#### 4. Formal Proof

Nowadays, researchers consider that attackers should have negligible probability to retrieve any plaintext from ciphertext in cryptographic protocols. Such protocol should meet indistinguishability (IND) security which means that could not distinguish two plaintexts, while one of corresponding ciphertexts is given. In this study, chosen plaintext attack (CPA), which means does not have decryption right for any ciphertext he selects, will be proved for our scheme.

Our scheme is under IND-CPA secure. The concrete proof is given.

##### 4.1. Basic Knowledge of IND-CPA Security for Our Scheme

Three games are brought in to explain the security for the three messages. We show the game process and then give the analysis of the games. The results show how the scheme keeps IND-CPA security. The proposed scheme meets the CPA security requirements if the polynomial time adversary has negligible probability to win the games. A simulator is used to provide the random oracle query service and makes queries to try to break the IND-CPA security. All games can be divided into five phases as follows:(1)Initialization: generates system parameters including with generator and large prime order , public keys of , , and , identities of smart meters, fog devices, trusted server and utility provider, secret keys between and , and hash functions. We define the public keys of . and are , , and , respectively, where , , and are unknown.(2)Query 1: queries the hash oracles, and returns the results.(3)Challenge: selects fresh information and to . then chooses a bit . And is used to generate the corresponding message in the game.(4)Query 2: it is same as query 1.(5)Guess: should give a bit as the result of guessing . If , wins the game.

knows all public parameters and all identities of participants. He will ask oracle for times. There are hash lists for storing ’s corresponding hash queries. For instance, stores , where is queried by and is the hash result of . The advantage for breaking the message is denoted as . In the following proofs, we only consider the extra probabilities beyond 1/2. As mentioned in Section 2.2, , and we employ the probability to express the hard level of solving the GDH problem in the following theorems. That probability is used when we find the tuple format occurring in the hash list , where and are unknown, as we mentioned also in Section 2.2.

##### 4.2. Proof of CPA

Theorem 1. *The data encryption phase is IND-CPA secure and .*

*Proof. *The concrete operations are as follows:(1)Initialization: produces parameters as mentioned in Section 4.1.(2)Query 1: makes , , and queries with the string . searches if there is the existed queried tuple in . If true, will be returned. Otherwise, selects , and the tuple is written into the list.(3)Challenge: selects and and submits them to . produces as the following operations. First, a bit is chosen and is used to produce the message. Then, the corresponding message is sent to .(4)Query 2: makes , , and queries again until the numbers are reached.(5)Guessing: gives a bit .If , we divide the advantage of ’s guessing into three parts. First, to avoid the collision of hash results, the upper probability is , based on birthday paradox. Second, if the hash results are guessed correctly without oracle queries, the probability is at most . Finally, if could judge the message by generating a correct one for comparison, , , and can be obtained from , and , respectively. So, the condition of querying the correct strings is solving both GDH problems, and the probability is . Then, the theorem is deduced.

Theorem 2. *The aggregation key generation phase is IND-CPA secure and .*

*Proof. *The concrete operations are as follows:(1)Initialization: produces parameters as mentioned in Section 4.1.(2)Query 1: makes , , , , and queries with the string . searches if there is the existed queried tuple in . If true, will be returned. Otherwise, selects or , and the tuple is written into the list.(3)Challenge: selects strings and and sends them to . Then, is produced as follows. First, chooses a bit and is used to produce the message . Then, the corresponding message is sent to .(4)Query 2: makes , , , , and queries again until the numbers are reached.(5)Guessing: gives a bit .If , we divide the advantage of ’s guessing into three parts. First, to avoid the collision of hash results, the upper probability is , based on birthday paradox. Second, if the hash results are guessed correctly without oracle queries, the probability is at most . Finally, if could judge the message by generating a correct one for comparison, , , , and could be found. The probability is at least . Like the analysis in Theorem 1, the probability is . So, we get the theorem*.*

Theorem 3. *The aggregation phase is IND-CPA secure and .*

*Proof. *The concrete operations are as follows:(1)Initialization: produces parameters as mentioned in Section 4.1.(2)Query 1: according to , all related hash functions are queried by . searches if there is the existed queried tuple in . If true, will be returned. Otherwise, selects or , and the tuple is written into the list.(3)Challenge: selects and and submits them to . Then, is produced as follows: first, a bit is chosen, and is used to produce .(4)Query 2: makes , , , , and queries again until the numbers are reached.(5)Guessing: gives a bit .If , we divide the advantage of ’s guessing into three parts. First, to avoid the collision of hash results, the upper probability is . Second, if the hash results are guessed correctly without oracle queries, the probability is at most . Finally, if could judge the message by generating a correct one for comparison, , , , and could be found. The probability is at least . Like the analysis in Theorem 1, the probability is . So, we get the theorem.

#### 5. Security Property Expression

The security properties are illustrated, and we compare our scheme with some recent ones [18, 20, 22, 27, 29]. Readers may search for some concrete details in corresponding studies. The results are given in Table 3. ✓ denotes the scheme meets the security property, while denotes the opposite case. If the property is not fit for the scheme, is used. P1–P7 denote confidentiality, user anonymity, traceability, data aggregation, scalability, against internal attacks, and replay attacks, respectively. From the results, we see that the proposed scheme meets all the security requirements.

##### 5.1. Confidentiality

First, we discuss our scheme. For , if wants to get and , he should know ’s secret key to get and from and . For , if wants to get the critical element , he must know any of the private keys or . For , if wants to get the element , he must know any private keys same as in .

Moreover, in [29], the keys for reencryption are directly sent to the public cloud server in the rekey phase, and they are exposed in the channel. Also, there is no authentication between the public cloud server and , so the data generated in this phase can be changed, e.g., adding on . cannot check the correctness of data. Last, the consumption information is leaked. In the Enc phase, power usage and the cost are sent by and , respectively. could calculate by subtraction and Pollard rho algorithm. Then, gets . is just the price of electricity in the fixed period, and the power usage can be deduced.

##### 5.2. User Anonymity

In our scheme, is hidden by . should know ’s secret key to calculate based on . But in [18], the user identity may be exposed. Information of users who consume more electricity than the threshold will be exposed in the channel, including identity and power consumption. Using more electricity is not a crime, and it is unsuitable to publish user information simply due to such a case. Also, in [20], user identity is in plaintext obviously. So, we use for the two schemes. In [22], user identity is not needed in the entire scheme, and is used.

##### 5.3. Trace Ability

We set Section 3.3 to make the power consumption of the user clear and to satisfy the basic function of the smart grid. computes and to get the identity , accompanying with the consumption . Such calculations can make get the tuple and know the fee of the user consumption.

However, in [20, 22, 27], no entity except the smart meter itself knows the power consumption. How to affirm the user’s fee for power usage is a difficult thing in the above three mentioned schemes.

##### 5.4. Data Aggregation

Same as [20, 22, 27, 29], our scheme has the part of data aggregation, in order to analyze the statistical data on . But, in [18], data aggregation is not focused.

##### 5.5. Scalability

In Section 3.3, does not require exhaustive searching for checking the identity. Or we say that no extra computation is before searching, even a hash result. But, in [29], if questions for some smart meter, the trusted server should use a scalar multiplication and a hash function to check all indexed users. We use at the corresponding blank. But, such property does not fit for [20, 22, 27], since no tracking operation is in any of them.

##### 5.6. Against Internal Attack

We make analysis based on the fourth item in Section 2.4. Since no fine-grained data appear in , if colludes with to crack the messages, still faces DL problem and GDH problem to get the timely private data from the messages due to lack of the private key . A similar situation for colluding with fog devices can be deduced.

##### 5.7. Against Replay Attack

To avoid replay attack, timestamps , , and are used in our scheme. Once tries to modify any message, he must change the element for checking. In , contains , where and are also included. Computing the two results mean that two GDH problems should be cracked, based on , , and the public key of . In , is used in , where , , and are also referred. Besides guessing and , computing also means that one GDH problem should be cracked, based on and the public key of . Similar situation occurs in . is used in , where is needed to crack based on and public key of .

#### 6. Performance Evaluation

In this section, we compare our scheme with [20, 22, 29] via time cost and communication cost. The test platform is MIRACL Library under Ubuntu 20, with Intel(R) Core(TM) i5-9400H CPU 2.50 GHz and 16.0 GB memory. The length of points on the elliptic curve is 320 bits, where the order of the additive group is 160 bits long. The timestamps have 64 bits, while all identities of devices have 32 bits and the hash function is Sha2-256. We use AES as the symmetric encryption/decryption algorithm in [29]. The symbols of time cost are given in Table 4, and the time cost comparison is given in Table 5. We use PH1–PH5 to express phases including data encryption, consumption affirmation, aggregation key generation, aggregation, and aggregated data decryption. is the number of smart meters belonging to one fog device, and is the number of fog devices.

From Table 5, we see that our scheme costs less than [29] in PH2 and PH5. In PH1, we use two random numbers for scalar multiplications. Since the power usage and fee are relatively small numbers, it is probable to calculate the private consumption, as we have demonstrated in Section 5.1 for [29]. In PH3, we add the operations to protect the rekeys, while there is no such idea in [29]. In PH5, since each submission of will cost the same time, we only list one round calculation in . Our scheme costs only a little more than [29]. Here, we should claim that there is no phase like PH2 and PH3 in schemes [20, 22], so the corresponding blanks are empty. In PH5, only one Pollard rho algorithm is used in [20, 22], since the final result is aimed at the aggregation value of consumption that is different from our scheme and [29], which also have another target of the variance value. In PH4, as long as a natural condition exists, we see that our scheme costs better than [20, 22, 29]. The verifications of the process are settled on for our scheme and [29], unlike [20, 22], such the verification is put on the media devices. The reason is that the cost of user consumption needs to be calculated and affirmed.

We illustrate the concrete communication cost here. For our scheme, in the data encryption phase, has bits, and there are totally bits in one period. In the consumption affirmation phase, all s submit the collected messages to , and the total information is the same as the last step. In the aggregation key generation phase, has bits, and there are totally bits in one transmission. In the aggregation phase, has bits, and there are totally bits. So, the whole communication cost is bits. We evaluate the transmission situation. Generally, channels between smart meters and their corresponding fog devices are considered to be wireless. Suppose a normal building for residents, about 30 floors, and generally, it has less than 200 houses. Each smart meter submits its data in every 15 minutes [35]. In the 15-minute period, there are less than in total or less than , that is, a very small data rate. Second, we consider wired transmission messages and . Suppose there are 100000 fog devices to send the messages. The total data volume is . Note such volume is for 15 minutes, and the fiber can support 10 Gbps rate [36]. So, the communication cost in our scheme is practical.

On the other side, for scheme in [29], in the enc phase, the message has bits and in total bits. In the TTP-Dec phase, the message has bits and in total bits. In the rekey phase, the message has bits and in total bits. In the LiAgg-ReEnc phase, the message has bits and in total bits. So, the whole communication cost is bits. All could see that our scheme costs more than the scheme in [29]. However, according to our analysis of Section 4 and Section 5, our scheme is CPA secure and meets common security properties. Moreover, in [29], only CPA security is proved only for Enc and LiAgg-ReEnc phases. How to transmit the aggregation key from trusted server (corresponding to TTP in [29]) to (corresponding to PCS in [29]) is not demonstrated. If the secure channel is used, such cost is high. So, we consider that the consumption information is transmitted in public channels. At the same time, the whole scheme in [29] does not even reach CPA security, and the cost of time and communication increases in our scheme is rewarding.

Schemes in [20, 22] belong to the same type. They both lack the communication between the servers which calculates the aggregation data and the media device, like collector or gateway. In Ding et al.’s scheme [20], the message from the smart meter to the collector has bits and in total bits. The message from the collector to the electricity service provider has the same construction as the last, and there are bits. Finally, we could see that bits occur in the whole process. Similarly, in Wang et al.’s scheme [22], the entire communication cost is bits. However, both of them have weaknesses including lack of user anonymity and no consideration of traceability, which we have mentioned in Section 5. Also, no statistic data are deduced on service providers on both of them [20, 22].

Above all, our scheme is better than other schemes in [20, 22, 29] for security and practicality.

#### 7. Conclusion

In this study, based on industrial Internet of Things, we give a novel scheme on smart grid, getting user power consumption and statistical data simultaneously. Formal proof with random oracle condition is shown to illustrate CPA security of the presented scheme. We also compare our scheme with some relative schemes for smart grid, and all can see ours is the only one that satisfies the security requirements. Via time and communication cost study, we express that our scheme performs well and it is fit for practicality.

The security level is an important index to evaluate the scheme. In the future, we will try to enhance the security level of such scheme, e.g., designing a new scheme that resists chosen-ciphertext attack and meets the practical requirements like tracking the concrete power consumption of every user and not only owns the function of aggregating data.

#### Data Availability

No data were used to support this study.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

Fan Wu was supported by Xiamen University Tan Kah Kee College Scientific Research Foundation (JG2022SRF02). Professor Xiong Li was supported by the National Natural Science Foundation of China (62072078).