#### Abstract

As the next generation of information and communication infrastructure, Internet of Things (IoT) enables many advanced applications such as smart healthcare, smart grid, smart home, and so on, which provide the most flexibility and convenience in our daily life. However, pervasive security and privacy issues are also increasing in IoT. For instance, an attacker can get health condition of a patient via analyzing real-time records in a smart healthcare application. Therefore, it is very important for users to protect their private data. In this paper, we present two efficient data aggregation schemes to preserve private data of customers. In the first scheme, each IoT device slices its actual data randomly, keeps one piece to itself, and sends the remaining pieces to other devices which are in the same group via symmetric encryption. Then, each IoT device adds the received pieces and the held piece together to get an immediate result, which is sent to the aggregator after the computation. Moreover, homomorphic encryption and AES encryption are employed to guarantee secure communication. In the second scheme, the slicing strategy is also employed. Noise data are introduced to prevent the exchanged actual data of devices from disclosure when the devices blend data each other. AES encryption is also employed to guarantee secure communication between devices and aggregator, compared to homomorphic encryption, which has significantly less computational cost. Analysis shows that integrity and confidentiality of IoT devices’ data can be guaranteed in our schemes. Both schemes can resist external attack, internal attack, colluding attack, and so on.

#### 1. Introduction

As the important component of the new generation of information technology, Internet of Things (IoT) connects the physical world and information society. It is usually composed of a large number of various sensors and servers. The former is responsible for collecting data, and the latter is responsible for processing data, storing data, and maintaining situational knowledge of the whole system, thus making better decisions [1–3]. In recent decades, with the development of hardware and network, more and more IoT applications are emerging continuously, which bring us unprecedented accuracy, efficiency, and economic benefit. The various IoT applications, including smart healthcare [4, 5], smart city [6, 7], smart grid [8–10], smart home [11], social network [12–15], smart phone [16], and so on, have different functions and have changed our lifestyle much. For example, in smart healthcare application, many medical sensors which are embedded or attached to the skin of patients collect the real-time health data. Doctors can analyze patients’ health condition via monitoring the collected data [17]. In smart phone, a tourist can search for places like restaurants, hotels, scenic spots, and so on by location-based service [18]. In smart home, sensors collect the data of household appliances and report them to management center, which can assist users to know the running state of home appliances [19, 20].

Obviously, IoT applications bring us much convenience and efficiency. However, many security and privacy issues are also brought [21–27]. An adversary can compromise user’s privacy information by eavesdropping the data which are collected by sensors. For example, in smart healthcare application, an adversary is able to monitor a patient’s health condition by accessing to its real-time healthcare data [4, 28]. In smart grid, an adversary can infer user’s behavior and living habits by monitoring the electricity usage data of the user without any other tools [29–31]. In smart phone, an adversary can infer its identity-related information like health status [32, 33] or residence address by eavesdropping user’s location data, which may also reveal the user’s habits. Therefore, the data collected by IoT devices are attractive for adversary. Moreover, as we know, IoT devices are usually computation capability, memory, and power limited, which indicates that encryption algorithms with high computation are not suitable. Thus, how to protect user’s privacy information effectively in IoT network by a lightweight way has attracted much attention of many researchers, and thus many related schemes have been proposed. Among them, there are a number of schemes utilizing data aggregation to achieve privacy preservation [34–37]. Unfortunately, most of them either can only protect privacy of a single side or cause disclosure of intermediate results or are vulnerable to collusion attacks. Hence, it is a challenge to design a novel data aggregation protocol which has low computational cost and can overcome the aforementioned weakness.

In this paper, we mainly propose two secure and privacy-preserving data aggregation schemes for IoT devices. Both of them can prevent user’s privacy data disclosure, thus protect users’ private information from revealing. However, *Scheme-I* achieves private-preserving goal by employing homomorphic encryption and AES encryption, and *Scheme-II* achieves it by employing noise technology to reduce the computation of IoT devices and improve efficiency.

The remainder of this paper is organized as follows: In Section 2, we introduce the related works. In Section 3, we present our system model, security requirements, and our design goals. In Section 4, we recall homomorphic encryption. Then, we present our two schemes in Section 5, which is followed by security analysis, performance evaluation and comparison between two schemes in Sections 6 and 7, respectively. Finally, we draw our conclusions in Section 8.

#### 2. Related Works

Privacy issues of IoT have attracted attention of researchers and many schemes have been proposed. In this section, some state-of-the-art privacy-preserving data aggregation schemes are listed.

Lu et al. presented a lightweight privacy-preserving data aggregation scheme which can not only aggregate hybrid IoT devices’ data into one but also filter injected false data at the network edge by employing homomorphic Paillier encryption, Chinese remainder theorem, and one-way hash chain technique [38]. Alghamdi et al. proposed a novel method which encrypts the devices’ data by employing elliptic-curve-based seed exchange algorithm and Hilbert-curve-based data transformation. Even if an attacker eavesdrops the transmitted message, he cannot infer the real data [39]. He et al. proposed two data additive aggregation schemes. One scheme achieves private data aggregation by leveraging clustering protocol, and another scheme achieves private data aggregation based on slicing technique and the associative property of addition [40]. Gosman et al. proposed a privacy-preserving aggregation based on symmetric cryptography for smart transportation system [41]. Li et al. proposed an efficient privacy-preserving demand aggregation (EPPDA) scheme by using homomorphic encryption to preserve users’ privacy data for smart grids [42]. Karamitsios and Orphanoudakis proposed an efficient data aggregation for the medical data which are collected real-time by medical sensors for smart healthcare application [43].

Data aggregation has been used in many fields of IoT to achieve privacy preservation. However, most of the existing data aggregation schemes are not truly reliable. In this paper, we propose two efficient and practical data aggregation schemes in which the collected data of devices are blended before reported. Therefore, neither aggregator nor server can infer the actual data of devices.

#### 3. System Model, Security Requirements, and Design Goals

In this section, we formalize the system model, security requirements, and identify our design goals.

##### 3.1. System Model

We consider the architecture in Figure 1 as the basis of our following discussion. Figure 1 reproduced from Hu et al. [44]. There are three entities, including server, aggregator, and devices in our system model of the proposed schemes. We mainly focus on how to report the collected data of IoT devices to the server in an efficient and privacy-preserving way. A two-level gateway topology in IoT is presented as shown in Figure 1. We assume that the server covers *m* aggregators and that each aggregator covers *n* IoT devices.

###### 3.1.1. Server

Server is a trustable and powerful entity which provides space for IoT devices to store the collected data that can be retrieved by the users. Furthermore, it will also process and analyze the data to manage IoT applications and keep them operating smoothly.

###### 3.1.2. Aggregator

The aggregator is an honest but curious entity, whose duty is aggregation and relaying. The responsibility of aggregator is to aggregate the received data from IoT devices into an integrated one, whereas the responsibility of relaying is to transmit the aggregation result to the server.

###### 3.1.3. Device

Every IoT device, namely, a sensor, a smart meter, or an RFID reader, collects data, and preprocesses them. For the sake of simplicity, the IoT devices will be abbreviated as devices. We assume that the devices are honest but curious with some computational and storage capability. They keep the system running smoothly but try to infer other devices’ collected data.

##### 3.2. Attacker Model and Security Requirements

In our attack model, we consider the following three attacks in IoT system.

###### 3.2.1. External Attack

An adversary may eavesdrop or modify the message which is transmitted between the device and aggregator. Moreover, it may also compromise the aggregator to obtain the privacy information of all devices.

###### 3.2.2. Internal Attack

Aggregator may be curious about the privacy information of all devices and try to infer the actual data of each device, which may compromise the devices’ privacy.

###### 3.2.3. Collusion Attack

Some devices may be curious about others’ data and try to infer others’ privacy information via collusion activity.

In our system, the following security requirements should be achieved.

###### 3.2.4. Privacy Preservation

An adversary cannot obtain devices’ data during system communications and operations. Even if several devices collude with each other, they cannot infer other devices’ privacy data.

###### 3.2.5. Authentication

Aggregator should guarantee that the received data are valid and derived from legal entities.

###### 3.2.6. Data Integrity

When an adversary forges or modifies a report, the malicious operations should be detected by aggregator.

##### 3.3. Design Goals

According to the system model and security requirements, our design goal concentrates on proposing two secure, efficient, flexible, and privacy-preserving data aggregation schemes. Specifically, the following design goals are to be achieved.(i)Security: the proposed schemes should meet all the security requirements as mentioned above.(ii)Efficiency: the proposed schemes should consider computation efficiency. In other words, the system should support real-time disposal and transmission of data from hundreds and thousands of devices.(iii)Flexibility: the proposed schemes support “plug and play.” Besides, it should be convenient for system to add a new device in the IoT applications.

#### 4. Preliminaries

Homomorphic encryption [45] allows certain computation over encrypted data. Paillier cryptosystem [46] is a popular homomorphic encryption scheme that provides fast encryption and decryption, which is a probabilistic asymmetric algorithm based on the decisional composite residuosity problem. It is adopted by the secure scalar product, which has been widely used in privacy-preserving data mining. The Paillier cryptosystem is briefly introduced as follows:

##### 4.1. Key Generation

(i)Choose two large prime numbers *p* and *q* randomly and independently of each other such that . This property is assured if both primes are of equal length.(ii)Compute and .(iii)Choose random integer where .(iv)Ensure *n* divides the order of by checking the existence of the following modular multiplicative inverse: , where function is defined as .(v)The public key is .(vi)The private key is .

##### 4.2. Encryption

Given a plaintext *m* where , select random *r* where , and calculate the ciphertext as .

##### 4.3. Decryption

Given a ciphertext *c*, calculate the plaintext as .

##### 4.4. Homomorphic Addition of Ciphertexts

(i)We assume that there are two messages and . We can encrypt them with the public key independently and obtain ciphertexts and , which are denoted as following: and .(ii)We can calculate the product of and and obtain the result . Hence, the sum of plaintext can be calculated from multiplication of the ciphertext.

#### 5. Our Schemes

In this section, two novel data aggregation schemes are introduced. In the proposed schemes, aggregator and server can obtain all of the collected data without knowing the actual data of each device. Besides, the curious and collusive IoT devices cannot infer other devices’ private data either. We assume that the IoT devices have some computing power and storage. All IoT devices in the same residential area can be treated as one group. Each aggregator manages a group of IoT devices. Each device has a unique identification which is only known by itself and aggregator.

##### 5.1. Scheme-I

In *Scheme-I*, Advanced Encryption Standard (AES) symmetrical encryption and homomorphic encryption are employed to protect the transmitted data from leaking during communication. Moreover, hash chain technique is also proposed to achieve one-time pad. The scheme consists of the following three stages: (i) Key generation, (ii) data division and confusion, and (iii) reporting and aggregation.

###### 5.1.1. Key Generation

Before the IoT system starts to work, a series of keys and parameters ought to be distributed. The server will generate a private key and a public key , with the latter to be published. For each group, a group key is generated and broadcasted to all group members, along with a parameter *τ* for the updating.

###### 5.1.2. Data Division and Confusion

In this step, devices segment their data and swap the data pieces pairwise. We assume a topical residential area which comprises an aggregator connected with a large number of devices . The devices collect data , respectively, in a certain period.

In the first place, each device slices the data into *n* pieces randomly, where *n* is the amount of devices in the group. Namely,

Secondly, they exchange the pieces with each other and finally obtain obfuscated data. The piece is preserved by while the others are dispatched. Assuming that a device wants to transmit pieces of data to others, it will conduct a hash operation on them with real time *T*, denoted as . Then, it encrypts , *T*, and via AES, denoted as . The ciphertext *c* can be sent out.

Finally, when receiving the ciphertext *c*, the device decrypts it and obtains the data slice , the real time *T*, and hash value . *T* and will be utilized to verify whether the message has been manipulated or replayed. If the verification is passed, will be accepted or otherwise be discarded. All received slices and the preserved piece are added up, which is the obfuscated data.

It is worth mentioning that the keys used for device-to-device communication are updated continuously. Hash chain technique is employed for this one-time pad. Assuming that an initial key is , the subsequent secret keys are shown as follows:

Table 1 shows the result data of each device after this step. is the actual data of devices , and is the blended data of after these operations as above. In this way, the actual data of all devices have been covered. Meantime, the sum of devices’ data does not change. Namely, . Therefore, aggregator can obtain the correct data and not disclose the actual data of each device.

###### 5.1.3. Reporting and Aggregation

After devices’ exchanging partial collected data with each other as mentioned above, the actual data have been blended. All the blended data will be encrypted with which is the public key of server before transmitted, which can be denoted as . Moreover, devices will also compute the hash value of the identification , real time *T*, and preceding ciphertext denoted as to assist the aggregator to check whether this message has been manipulated or replayed or not. Finally, devices will report the ciphertext , real time *T*, and hash value *h* to the aggregator.

When the aggregator obtains the ciphertext , real time *T*, and the hash value *h* from devices, it verifies the message based on *T* and *h*. If the verification succeeds, the aggregator will aggregate ciphertext together to get immediate result denoted as and transmit *C* to the server. The server will decrypt it with the private key and obtain the total data of a residential area, which can be denoted as . During these procedures, both the server and aggregator do not know the actual data of each device.

##### 5.2. Scheme-II

Considering the calculative capability of IoT devices, we also propose another more efficient data aggregation scheme. In this scheme, not only slicing technology but also noise data are introduced to assist devices to blend the actual data. In communication between devices and aggregator, Advanced Encryption Standard (AES) symmetrical encryption rather than homomorphic encryption is employed in order to reduce computational cost. Similarly, the scheme also consists of the following three stages: (i) Key generation, (ii) data division and confusion, and (iii) reporting and aggregation.

###### 5.2.1. Key Generation

A pair of asymmetric key () will be generated by the aggregator and will be published. When a device is deployed, it generates a symmetric key and a parameter which are used to update based on hash chain technology. That is, . Then, will send them to the corresponding aggregator via the aggregator’s public key. Now, the device can communicate with the aggregator securely via symmetric key.

###### 5.2.2. Data Division and Confusion

We assume that there are a large number of IoT devices which are connected with the same aggregator. These devices collect data , respectively, in a certain period. Each device will slice its collected data into *n* pieces, which is the same as that in *Scheme-I*.

Afterwards, the devices swap their data. In order to protect the actual data from disclosing, each device will generate *n* pieces of noise data . These noise data are added to the data pieces and ought to meet the condition below:

Specifically, we have

Each device only preserves the piece and sends to others. After this process, all data are covered. The obfuscated data are shown below:

Table 2 shows the immediate result of each device after the stage of data division and confusion. It shows that the actual data of device is (because the sum of noise data which is generated by each device equals zero). However, after blending, the immediate result of the device will be which is different from , so it is successful to conceal the actual data of the device. Moreover, the sum of equals that of , which can be denoted as .

###### 5.2.3. Reporting and Aggregation

After finishing these operations as above, each device will obtain immediate result . A hash operation on identification , real time *T*, and will be done, which can be denoted as . Then, the hash value , the immediate result , , and *T* will be encrypted with the symmetric key , which can be denoted as . When obtaining the ciphertext , device will report it to the corresponding aggregator.

After receiving , aggregator will decrypt it with and verify whether this message has been manipulated or replayed by checking hash value and identification . If that passes, aggregator will aggregate the received data to an intermediate result and report it to the server. In this way, both of aggregator and server cannot know the actual data of each device.

#### 6. Security Analysis

In this section, we will analyze the security properties of the two proposed schemes. In particular, our analysis focuses on how the schemes can resist various attacks and achieve privacy preservation.

##### 6.1. Analysis on Scheme-I

###### 6.1.1. Resistance to Eavesdropping Attack

Theorem 1. *An adversary cannot obtain devices’ private data by eavesdropping the encrypted data during transmitting.*

*Proof. *All device’s data are encrypted with symmetrical encryption or asymmetric encryption before transmitting. Therefore, adversary without the private key cannot decrypt the ciphertext by brute-force with a non-negligible probability.

###### 6.1.2. Resistance to Replay Attack

Theorem 2. *If an adversary reports the same message to aggregator or IoT devices, it can be detected.*

*Proof. *If an adversary *A* transmits the replayed message *M* to aggregator or devices, when receiving *M*, the aggregator or devices will check the hash value of the real time *T* to verify whether this message is replayed or not.

###### 6.1.3. Resistance to Manipulation Attack

Theorem 3. *If an adversary manipulates the message between two IoT devices during communication, it can be detected.*

*Proof. *We assume that an IoT device transmits message *M* to another IoT device . *M* is the ciphertext ( is the transmitted plaintext data). When receiving *M*, it will decrypt *M* to obtain hash value , *T*, and . Then, will also do a hash operation on and *T* and verify whether this message has been manipulated by matching the result with preceding received hash value .

Theorem 4. *If an adversary manipulates the message between the IoT device and aggregator, it can be detected.*

*Proof. *We assume that an IoT device reports *M* to the aggregator. *M* contains the hash value (*H* is a hash function, is *A*’s unique identity, *T* is the real time, and *C* is the ciphertext of blended data), ciphertext *C*, and *T*. When receiving *M*, the aggregator will do a hash operation on s , *T*, *C*, and verify whether this message has been manipulated or not.

###### 6.1.4. Resistance to Impersonation Attack

Theorem 5. *If an adversary masquerades as another valid device reporting collected data to aggregator, it can be detected.*

*Proof. *If an adversary *A* wants to masquerade as another valid device and report message *M* to aggregator. When receiving *M*, aggregator will check the identity of *A*. Therefore, if *A* wants to masquerade as another valid device to report message, it must have the of . However, the of is only known by and aggregator. Adversary A cannot obtain it with a non-negligible probability.

###### 6.1.5. Resistance to Internal Attack

Theorem 6. *We assume that aggregator is an internal attacker which is curious about all devices’ privacy data. It still cannot obtain the actual data of all devices.*

*Proof. *We assume that IoT devices are and their reporting message is , respectively. *E* is the ciphertext of blended data which are encrypted with the public key of server, whereas the aggregator does not have the private key to decrypt the ciphertext.

###### 6.1.6. Resistance to Colluding Attack

Theorem 7. *Considering the curiosity of devices, some devices may conspire to reveal privacy data of others.*

*Proof. *We assume that there are *n* devices, whose collected data are , respectively. After slicing into n pieces, preserving one piece privately, and exchanging the remaining pieces of data with each other as mentioned above, all devices’ actual data have been blended. We also assume that colluding devices want to infer another device’s () information. The randomly divisional data of is , the preserved private data of is , and the blended data of is . The colluding devices only know the data which has exchanged with them, but they do not know the private data which is preserved privately and only known by itself. Moreover, they also cannot obtain the value of because has been encrypted before transmitting to the aggregator. Therefore, the colluding devices cannot reveal other devices’ privacy data.

##### 6.2. Analysis on Scheme-II

###### 6.2.1. Resistance to Eavesdropping Attack

Theorem 8. *An adversary cannot obtain devices’ private data by eavesdropping the transmitted data.*

*Proof. *For communication among devices, noise data have been added to all the transmitted data, so the adversary cannot reveal the actual data of devices. For the communication between aggregator and device, the transmitted data have been encrypted with symmetric key. However, the adversary cannot decrypt the ciphertext by brute-force with a non-negligible probability.

###### 6.2.2. Resistance to Replay Attack

Theorem 9. *If an adversary reports the same message to aggregator, it can be detected.**The proof of resistance to replay attack is the same as that in analysis on Scheme-I.*

###### 6.2.3. Resistance to Manipulation Attack

Theorem 10. *If an adversary manipulates the message between an IoT device and aggregator, it can be detected.*

*Proof. *We assume that an IoT device reports the ciphertext to the aggregator. The aggregator can decrypt it with the corresponding key and verify whether the message has been manipulated by checking hash value.

###### 6.2.4. Resistance to Impersonation Attack

The proof of resistance to replay attack is the same as that in analysis on *Scheme-I*.

###### 6.2.5. Resistance to Internal Attack

Theorem 11. *We assume that aggregator is an internal attacker which is curious about all devices’ privacy data. It still cannot obtain the actual data of each device.*

*Proof. *The data which is transmitted from device to aggregator is not the actual data of the device. It is the sum of its preserved one private piece data and the remaining pieces of data from other devices. Hence, aggregator cannot reveal the actual data of each device.

###### 6.2.6. Resistance to Colluding Attack

Theorem 12. *Considering the curiosity of devices, some devices may conspire to reveal privacy data of others.*

*Proof. *We assume that there are n devices which are connected with the same aggregator. The collected data of devices are , respectively. We also assume that colluding devices want to infer the collected data of another device . The colluding devices can only obtain the data pieces which contain the actual data of and noise data, but they cannot infer the actual data of . Therefore, the colluding devices cannot reveal other devices’ privacy data.

#### 7. Performance Evaluation

In this section, we will evaluate the computational cost of the proposed schemes. Besides, we will also compare the two proposed schemes and analyze their advantages and disadvantages.

##### 7.1. Computation Overhead

It is well known for us that the computational cost of modular exponentiation and multiplication operations is much higher than that of hash functions and addition operations, so we will ignore the cost of hash operations and addition operations and only focus on the computational cost incurred by encryption and decryption operations in this study.

We assume a topical residential area which comprises an aggregator connected with a large number of IoT devices . Note that is the computational cost of an exponentiation operation; is the computational cost of a multiplication operation; is the computational cost of a modulo operation, and and are the computational costs of an AES encryption and an AES decryption, respectively.

For one device, in *Scheme-I*, in data division and confusion phase, AES encryption operations, AES decryption operations, and a series of negligible addition operations are required, thus the cost is . Moreover, two exponentiation operations, one multiplication operation and one modulo operation are required in the reporting and aggregation phase, where the computational cost is . Hence, the total computational cost of one device is . In *Scheme-II*, only the negligible addition operations are required for devices in Data division and confusion phase. In the reporting and aggregation phase, only one AES encryption operation is required for one device. Therefore, the computational cost of one device is .

Moving next to the aggregator, in *Scheme-I*, only multiplication operations are executed, thus the total computational cost is . In *Scheme-II*, there are *n* AES decryption operations which will be executed, so the total computational cost is .

Table 3 summarizes the computational complexities of IoT device and aggregator in each phase of *Scheme-I* and that of *Scheme-II*. We conduct the experiments running in Python on a 3.7 GHz-processor 16 GB-memory computing machine on 8 byte data to study the operation costs. The experimental results indicate that an AES encryption operation with 256 bit key almost costs 0.0034 ms, an AES decryption operation with 256 bit key almost costs 0.0038 ms. When the key of Paillier cryptosystem is 256 bit, an encryption operation almost costs 110 ms and an decryption operation almost costs 0.9 ms.

##### 7.2. Comparisons Analysis

Both of the two proposed schemes are efficient and effective to prevent devices’ privacy data from revealing. However, they are also different in some respects, which makes them meet some different scenario requirements better. Firstly, *Scheme-I* employs AES to protect the exchanged pieces from leaking, but *Scheme-II* guarantees the privacy data by adding noise data. Moreover, Paillier cryptosystem is employed to guarantee the confidentiality and integrity of collected data during communications between IoT device and aggregator in *Scheme-I*, but *Scheme-II* employs AES to reduce computational cost of devices. In *Scheme-I*, the computational cost of one IoT device is . Similarly, the computational cost of one IoT device in *Scheme-II* is . It is shown in Figure 2, which indicates that even if there are nearly 10000 IoT devices in an area, the computational cost of one IoT device is not more than 0.2 s in *Scheme-I*, and the computational cost of one IoT device is just 0.0034 ms in *Scheme-II*. Hence, the computational cost for IoT devices is very low in the proposed schemes. Moreover, the total computational costs of IoT devices are also different. It can be denoted as and , respectively. We depict the variation of total computational costs of the two schemes in terms of device number *n* in Figure 3. The different value of them can be denoted as . It is shown in Figure 4. They illustrate that *Scheme-II* is more efficient than *Scheme-I*. Moreover, with the number of devices increasing, *Scheme-II* is more efficient than *Scheme-I*. Nonetheless, because each device has different secret keys to communicate with aggregator in *Scheme-II*, that is, the aggregator has to store *n* secret key, which may lead to key management issues. When the number of devices is very large in a residential area, it is difficult to manage so many keys for aggregator. However, aggregator only needs to store a group key and the corresponding parameter in *Scheme-I*.

#### 8. Conclusion

In this paper, two secure and efficient data aggregation schemes are proposed for IoT devices. Both of them support “plug and play” and preserve IoT devices’ private data by blending their data before reported. However, there are also some differences between the two proposed schemes. For *Scheme-I*, AES encryption and Paillier cryptosystem are employed to guarantee the confidentiality and integrity of the collected data. For *Scheme-II*, noise data are introduced to blend the actual data of users rather than encryption method, which can reduce computational cost of IoT devices and improve communication efficiency significantly. Moreover, we have provided security analysis to demonstrate that our schemes can resist external attack, internal attack, colluding attack, and so on. Meanwhile, we also make a comparison between the proposed schemes to demonstrate their strength and weakness. The result shows that *Scheme-I* is more secure and *Scheme-II* is more efficient. For the future work, we plan to improve the schemes by exploring more efficient and secure encryption method and further deploy them in the real-world IoT applications.

#### Data Availability

In this paper, we provide the detailed data in Section 6 (Performance Evaluation). Meanwhile, we also introduce the procedure of computational cost analysis. The researchers can verify our experiment results according to our introductions. We listed the key points of the experiment as follows. Key points of data statement: 1. The experiments running in Python on a 3.7 GHz-processor 16 GB-memory computing machine 2. The experimental results indicate an AES encryption operation with 256-bit key and AES decryption operation with 256-bit key 3. The Paillier cryptosystem is 256-bit 4. AES encryption operation costs 0.0034 ms, and AES decryption operation cost 0.0038 ms 5. The encryption operation of Paillier cryptosystem costs 110 ms and an decryption operation almost costs 0.9 ms. The researcher can verify the above experimental results in the same running environment.

#### Disclosure

The previous work [44] was published in International Conference on Wireless Algorithms, Systems, and Applications 2018.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This research was supported partially by the Fundamental Research Funds for the Central Universities (No. 2019CDQYRJ006), National Natural Science Foundation of China (Nos. 61702062, 61672118, 61932006, and U1836114), Science and Technology Project of Guandong Power Grid Co. Ltd. (GDKJXM20180250), Chongqing Research Program of Basic Research and Frontier Technology (Grant No. cstc2018jcyjAX0334), Key Project of Technology Innovation and Application Development of Chongqing (CSTC2019jscx-mbdx0151), and Overseas Returnees Innovation and Entrepreneurship Support Program of Chongqing (cx2018015).