#### Abstract

In smart grids (SG), data aggregation is widely used to strike a balance between data usability and privacy protection. The fault tolerance is an important requirement to improve the robustness of data aggregation protocols, which enables normal execution of the protocols even with failures on some entities. However, to achieve fault tolerance, most schemes either sacrifice the aggregation accuracy due to the use of differential privacy or substitution strategy or need to rely on an online trusted entity to manage all user blinding factors. In this paper, a () threshold privacy-preserving data aggregation scheme named ()-PDA is proposed, which reconciles data usability and data privacy through the BGN cryptosystem and achieves fault tolerance with accurate aggregation using Shamir’s secret sharing without any online trusted entity. Besides, our scheme supports the efficient changing of users’ membership. Specifically, the dynamic secrete key is distributed to smart meters (SMs) through the threshold secret sharing algorithm. When or more meters participate in the aggregation, the data service center (DSC) can reconstruct the key to compute the aggregate results, and less than SMs cannot recover the key. Thus, our solution still works functionally even if up to SMs fail; also, it resists attacks from the collusion of less than SMs. Moreover, system and performance analyses demonstrate that our scheme achieves privacy, fault tolerance, and membership dynamics with high efficiency.

#### 1. Introduction

The development of information, communication technology, and advanced control technology has driven the emergence of the smart grid. In SG, the sophisticated control system uses the real-time electricity consumption data monitored from smart meters to balance the supply and demand of electricity, thereby to stabilize power supply and improve power quality. However, fine-grained consumption data may pose a threat to consumers’ privacy. Some researchers have pointed out that according to the real-time electricity consumption data, data collectors or eavesdroppers can infer consumers’ living habits, household occupancy, economic conditions, or even which appliances are being used [1–3]. If the real-time consumption data is collected without assurance of users’ privacy, the smart grid would be hardly developed. Therefore, how to ensure the usability of data while protecting the privacy of users has become a concern of researchers [3, 4]. For the control system of a smart grid, it is sufficient to know the total instantaneous power demand and the power supply in a certain area. So, among the popular solutions is data aggregation which provides the sum of the real-time consumption data of users in a group rather than the data of each user [3–5].

Researchers have proposed many efficient privacy-preserving data aggregation protocols which can be classified into two types: fault-intolerant schemes and fault-tolerant schemes. In fault-intolerant schemes [6–10], the system can carry out the scheme to obtain aggregate data with privacy-preservation when all entities work well. However, the aggregation process may be stopped due to failures on smart meters. As a continuously operating system, the smart grid cannot be completely fault-free. Therefore, this type of aggregation scheme is impractical. In fault-tolerant schemes [11–17], the system can still work and compute the aggregation result despite some failures on SMs. Specifically, some fault-tolerant schemes are based on differential privacy, replacement strategies, but the aggregation result is an approximate value; others are based on an online trusted entity to manage blind factors of all SMs and the aggregator, which may increase the privacy risk. However, accurate aggregate values are the basis for the smart grid to accurately grasp real-time loads.

In addition to fault tolerance, dynamic membership management is also very important to the practicality of smart grids. In schemes that have no consideration on the dynamic management of members, any changing of membership, withdrawal, or joining may even cause all the entities in the system to be reconfigured. At the same time, a large amount of computation and communication will be imposed on the system. However, both the migration of users and the alternation of power providers will lead to changes in membership.

In this paper, we propose a novel privacy-preserving data aggregation protocol named (, )-PDA in smart grids where is the number of *SMs* in the aggregation area, and is the threshold. Our solution is based on the BGN cryptosystem and Shamir’s secret sharing algorithm. The main contributions of this paper are summarized as follows:
(i)We construct the encryption, aggregation, and decryption process based on the BGN homomorphic cryptosystem to ensure the confidentiality and privacy of data(ii)We use the threshold characteristics of Shamir’s secret sharing algorithm to make the aggregation scheme threshold fault-tolerant, which means that accurate aggregate value with privacy preservation can be obtained even when - SMs collude with each other or do not work normally. The threshold can be set according to experience and security to avoid the system still performing meaningless aggregation when a serious abnormality happens in the grid. Moreover, Shamir’s algorithm makes our scheme easily achieve dynamic membership management(iii)We use the one-time pad to achieve forward security(iv)We analyze the security and some other system properties to show that the proposed scheme holds confidentiality, privacy preservation, fault tolerance, dynamic membership, forward security, and no need for any online trusted or high authority entity. Also, we evaluate the efficiency of the system to confirm that our solution has a good real-time performance

The rest of this paper is organized as follows: Section 2 introduces some related works. We present some preliminaries in Section 3. The system model, adversarial model, and design goals are described in Section 4, and our scheme is detailed in Section 5. System analysis and performance evaluation of the scheme are shown, respectively, in Section 6 and Section 7. Section 8 concludes this article.

#### 2. Related Works

The communication security and data privacy protection in the smart grid have received great attention from researchers. Many excellent solutions have been proposed to ensure communication security through methods such as authentication or key management [18–20]. In terms of privacy protection, the popular methods are anonymization and data aggregation. The anonymization scheme [21] delinks individual raw data and their source. However, attackers may relink the raw data and the source by depseudonymization [22, 23].

In recent years, many effective data aggregation schemes have been proposed to aggregate data of consumers with privacy preservation. Some of them cannot run when any part of entities fails to work, and others are fault-tolerant.

Schemes that are intolerant of fault, such as [7–10], are usually based on a group of random integers which sum to zero. These random integers are distributed to SMs and the aggregator as blind factors. SMs use blind factors to mask their data to achieve privacy and encrypt the masked data with homomorphic encryption. Then, the aggregator removes these masking factors from the aggregate ciphertext with its private key to obtain aggregate ciphertext. Finally, the data service center (DSC) decrypts the ciphertext to get accurate aggregate values. However, if any SM cannot send information to the aggregator (AG), AG cannot eliminate the blinding factor from the aggregate ciphertext. Consequently, DSC cannot obtain the aggregate value.

To achieve fault tolerance, schemes with fault tolerance usually adopt differential privacy, substitution strategy, centralized management of user blinding factors, etc., or a combination of two or more of them.

Schemes based on differential privacy [11, 12] mask the original data by adding random noises that follow a randomized function distribution. Finally, these noises are removed according to the expected value of the function from the aggregate data to get an approximation of the aggregation result.

Substitution strategy [13–15] is that the faulty users’ data are replaced with the data of other users who have the same blinding factors. In [15], if an SM, such as , in a group fails to send the message, the data aggregation device will select an SM, such as , from other groups with the same blinding factor, to replace the malfunctioning so that the aggregation process can proceed. To reduce the error, this kind of schemes usually processes the data of based on the past data of the group. Although these two kinds of schemes are fault-tolerant, they cannot provide accurate aggregate results.

The schemes with centralized management of blinding factors [14, 16, 17] essentially require an online entity or a trusted authority to manage blinding factors for the aggregator and the smart meters. In FESDA [16], the control center (CC) keeps all users’ blinding factors. When some users fail to participate in the aggregation, CC calculates the sum of all the blinding factors of the failed users. Then, the sum is used to decrypt the aggregate ciphertext to obtain accurate results. In PDAFT [14] and PPFA [17], when an SM fails to upload data, the trusted third party will send the blind factor of the SM to help the aggregation process. However, the centralized management of blinding factors needs an online trusted authority or an online entity with high authority to hold all blinding factors, which will bring risks to users’ privacy.

Recently, some fault-tolerant aggregation schemes without any trusted authority have been proposed [24, 25]. In [24], K. Xue et al. use the (, ) threshold secret sharing scheme to achieve flexible dynamic user management. In detail, each SM in building area networks (BAN) has a secret key, and the sum of these keys is zero. Every user needs to choose randomly a group of users to share its key with the secret sharing algorithm. When an SM fails, the control center (CC) needs to broadcast the identity of the failed SM and collect enough shares to recover its secret key. If the fault SM is restored, it needs to generate a new key and shares the key to a newly chosen group of users through a secure channel, which is impractical for a continuously running system. In [25], Wang et al. proposed to use multiple subsets and blinding factors to achieve privacy-preserving data aggregation. Users negotiate to update the blinding factor. If some SMs are fault, the aggregator (AG) publishes the event and their identities. Then, their cooperators have to remove their parts from the blind factors and execute the encryption again. Finally, all normal users need to report their ciphertext again. These solutions can obtain accurate aggregate values. However, they require a complex mechanism to deal with SMs’ malfunction, which may cause a heavy computation and communication burden to the system.

#### 3. Preliminaries

In this section, we briefly review some important algorithms that are used as the building of our scheme.

##### 3.1. Bilinear Map of Composite Order Groups

A bilinear map of composite order groups related to an inputting security parameter is defined as a 5-tuple , where are two random *τ*-bit primes, are two multiplicative cyclic groups of order , and *e* is a bilinear map with the following properties:
(1)*Bilinearity*: , and , we have (2)*Nondegeneracy*: is a generator of G; then, must be a generator of and (3)*Computability*: , there is a polynomial-time algorithm to calculate .

##### 3.2. Boneh-Goh-Nissim Cryptosystem

The Boneh-Goh-Nissim (BGN) cryptosystem [26] is a homomorphic encryption scheme supporting unlimited addition operations but at most one multiplication and is widely applied in privacy-preserving computation. It consists of three phases: key generation, encryption, and decryption.
(1)*Key generation*: given a security parameter , the algorithm outputs a bilinear map of composite order groups as described in Billinear Map of Composite Order Groups. The key management agency chooses two random generators of and calculates and , where *h* is a generator of the subgroup of with order *q*. As a result, we have public key and private key (2)*Encryption*: for a message , picks a random and encrypts into (3)*Decryption*: with private key to decrypt the ciphertext , calculate . Let , then *m* can be recovered by using Pollard’s lambda method [27] to solve the discrete logarithm of base with time complexity

##### 3.3. Shamir’s Secret Sharing Scheme

Shamir’s secret sharing scheme [28] is a threshold secret sharing scheme where a secret is divided into pieces, and the secret can be easily calculated when or more secret shares are known, while it is impossible to reconstruct if the number of known secret shares are less than . In the scheme, all elements are in a limited field. We can realize this scheme in a limited field of size , where is a prime number, by constructing a polynomial: where are random integers less than , and each participant gets a unique and calculates ; then, is a secret share. With different shares, the polynomial can be reconstructed by the Lagrange interpolation as below:

However, we just need to find from the polynomial . is the free coefficient. So, we only need to calculate

#### 4. System Setup

The ()-PDA scheme includes four entities in the system and targets to get several design goals; meanwhile, against some attacks which may be launched by entities defined as the adversarial model in Adversarial Model and Assumptions. In this section, we introduce the system model formally and describe the adversarial model and design goals in detail.

##### 4.1. System Model

Figure 1 shows the system model, which consists of four kinds of entities.
(1)*Smart meters* (SMs): The SMs are devices equipped in energy consumers’ houses to collect users’ real-time energy consumption in every sampling time (like 15 minutes), encrypt these data, and send them to the aggregator at the end of every time slot. Usually, customers are grouped according to their locations. In this paper, we assume each aggregation domain has SMs recorded as a set . It should be noted that some SMs may be faulty and cannot take part in the aggregation. Suppose there are SMs that are online and participating in the aggregation, these SMs make up and . We record the set of offline SM*s* as and (2)*Aggregator* (AG): AG is used to verify the identities of SM*s*, sum encrypted data from online *SMs* in the same group, and send the sum to the data service center(3)*Data service center* (DSC): DSC decrypts ciphertexts received from legal aggregators and gets the sum of the consumption data of the set at each time slot(4)*Operating Center* (OC): the operating center provides user registration services and key initialization for the smart grid

##### 4.2. Adversarial Model and Assumptions

In our system, OC is a trusted organization. DSC and AG are faithful to performing system tasks but are curious to know the users’ real-time data. Every SM (customer) will try its best to protect the privacy of data and may also infer private data of other customers through public information and its private data. An external attacker may monitor the communication channels and try to figure out users’ sensitive data.

Since there are many excellent solutions [18–20] to ensure communication security in the smart grid and this paper mainly focuses on the privacy protection of users, we assume that all transmitted messages in the system are properly authenticated with existing signature methods to achieve the required authentication and integrity. We also assume all physical participants are tamper-proof and sealed, so that any illegal reading from physical devices will be perceived, and any alteration to data from entities cannot be achieved without being detected.

##### 4.3. Design Goals

Our solution aims to provide aggregate data without revealing users’ private data. At the same time, on the premise of ensuring confidentiality, to make this protocol more practical, we hope that when some smart meters fail to send their messages, the system can still aggregate the remaining users’ data. Besides, when a user joins in or logs out, we hope that other users are not affected. Our design goals are detailed as follows:

*Confidentiality:* external attackers may eavesdrop on the messages transmitted on the communication channel. It should be ensured that unauthorized entities cannot obtain any useful information from these messages.

*Privacy:* the aggregate data is available to the public utilities; meanwhile, the individual data of every customer cannot be obtained by any other entities.

*Fault tolerance:* if any fault on SM*s* may cause data aggregation to fail, the usefulness of the system will be greatly reduced. Therefore, we are committed to designing an aggregation protocol that works well when even SM*s* cannot normally send consumption data, where is the total number of *SMs* in a group and is the threshold number of SMs working normally.

*Dynamic membership:* when a new user joins or an old user logs out, the system should not need to update any parameter of other users.

*Forward security:* in order to improve the antirisk ability, it is required that even if the current key is compromised, the adversary cannot find out the previous individual data.

#### 5. Our Scheme

This section presents our privacy-preserving data aggregation protocol. The procedure includes four phases: system initialization, encryption, data aggregation, and decryption. In the initialization phase, OC generates and publishes system parameters and registers for SMs. In the encryption phase, AG publishes a random number to SMs; then, each SM generates a dynamic key to encrypt real-time readings and report the ciphertexts to AG; also, each SM computes its share of the dynamic key and sends to DSC. In the aggregation phase, AG aggregates the received ciphertexts and reports the aggregate ciphertext to DSC. Finally, in the decryption phase, DSC reconstructs the dynamic key and decrypts the aggregate ciphertext to obtain the plaintext of aggregate data. The frame of the proposed scheme is shown in Figure 2 and notations to be used in the rest of the paper are listed in Table 1.

##### 5.1. System Initialization

*Step 1. *with the algorithm and the input secure parameter , OC generates a bilinear map of composite order groups and computes .

*Step 2. *OC chooses two generator of and gets .

*Step 3. *OC selects a prime number greater than and chooses a secure argument as the threshold based on data privacy and failure rate. Specifically, the higher the failure rate is, the smaller should be, but too small will affect the user’s privacy or arouse a meaningless aggregation when a serious abnormality happens, so a good balance needs to be struck. Notably, these parameters satisfy .

*Step 4. *OC gets random numbers with and constructs a Shamir secret sharing model with as the secret:

*Step 5. *if a user has registered successfully, OC chooses a unique as the user’s identity (ID) and evaluates. Also, OC generates a random number as the group key for users in the same group and then sends to the user through a safe channel (usually embedded in the SM and cannot be read by external devices).

*Step 6. *OC chooses two secure hash functions .

*Step 7. *We use to represent the reading of OC chooses a positive integer according to the upper limit of consumption data, satisfying .

*Step 8. *OC publishes .

*Step 9. *DSC produces a secret/public key pair based on the RSA cryptosystem and releases to SMs. DSC also selects a unique ID for the aggregator, marked as .

##### 5.2. Encryption

Usually, AG collects users’ data every 15 minutes and aggregates them. Users encrypt their private data before forwarding them to AG. The following are the detailed steps of the encryption process at time .

*Step 1. **AG* generates and publishes a random number to SMs of the same group before data collection.

*Step 2. * computes the dynamic secret key , generates a random number , and then encrypts with and to generate the ciphertext as equation (5).

*Step 3. * generates the signature for *H*2(*x _{i}|t|C_{i}*) and sends to AG.

*Step 4. * encrypts with the public key to generate ciphertext and a signature for , then sends (*x _{i}*, , ) to

*DSC*. To ensure better real-time, this information can be sent out at the idle time before the decryption stage.

##### 5.3. Data Aggregation

After receiving messages from , *AG* verifies the signature first. If the verification fails, the message will be discarded. If *AG* confirms that there are legitimate users sent their data, the aggregation processes as follows.

*Step 1. *AG aggregates all ciphertexts from all online SM*s* to obtain the aggregate ciphertext .

*Step 2. *AG generates a signature for and sends () to DSC.

##### 5.4. Decryption

Firstly, DSC verifies the identity of SMs and AG and confirms the number of SM*s*. Secondly, the DSC needs to obtain the secret key from the messages of SM*s* to decrypt the ciphertext sent by AG. Therefore, the decryption process is divided into two steps: reconstructing the secret key and decrypting .

###### 5.4.1. Key Reconstruction

*DSC* decrypts the from with the private key to obtain and then uses of SM*s* to construct equation (7) by the Lagrange interpolation.

Compute according to equation (3).

###### 5.4.2. Decrypting

*DSC* decrypts with .

We can use pollard’s lambda method to solve out the aggregate value .

#### 6. System Characteristic Analyses

In this section, we prove that the -PDA has achieved the design goals including confidentiality, privacy preservation, fault tolerance, dynamic membership, and forward security.

##### 6.1. Confidentiality

If attackers eavesdrop on the communication channel between entities, they may be able to obtain messages transmitted in the channels. But even if intercepting all the information, i.e., (,, , , ), sent by all the SMs, the attackers cannot figure out the private data of any SM. Because if the attackers want to find privacy information from the ciphertext issued by , they need to decrypt . There are two ways to solve out . One way is to calculate it with , but is embedded in the SM, any illegal reading will be perceived, and is the secret key owned by the offline *OC* which adversaries cannot break. Another way is to collect no less than users’ secret shares for reconstruction. However, before the reconstruction, attackers must decrypt to obtain with DSC’*s* private key or collude with at least SM*s*. As can be seen from the foregoing description, even if the attacker obtains data sent by all users and colludes with some (less than ) SMs, the decryption key cannot be reconstructed.

##### 6.2. Privacy Preservation

Our solution aims to achieve data aggregation while protecting user data privacy. Although both AG and DSC are authorized users of the system, they can legally accept the data sent by users and complete the aggregation protocol, but they still cannot obtain users’ fine-grained electricity consumption data. The following describes in detail that this solution can satisfy privacy requirement.

In our scheme, since SMs are honest and only receive parameters from the aggregator, SMs have no way to find any secret data of other users.

Although AG collects sent by each , it cannot decrypt even owning , because AG has no shares of the decryption key to recover the key and also cannot calculate the key directly without and .

Also, *DSC* can only obtain the aggregate ciphertext *C* from *AG*, and cannot obtain the ciphertext sent by a single user, so that even *DSC* can reconstruct the key but cannot reveal any individual user’s real-time usage with the key.

##### 6.3. Fault Tolerance

As described in our scheme, when or more SM*s* can send information to AG and DSC, the aggregation process can be executed correctly to obtain the accurate aggregate data of online SMs. In detail, working SMs send messages to AG and DSC. After receiving messages from SM*s*, AG aggregates to obtain aggregate ciphertext and then sends to DSC. Next, DSC recovery is the key with secret shares received from SM*s* to decrypt the ciphertext received from AG to obtain the accurate aggregation result of the working SM*s*. That is to say, the proposed scheme can tolerate the failure of or fewer SMs and achieve accurate aggregation without the need for special processing. Therefore, the ()-PDA is fault-tolerant.

##### 6.4. Dynamic Membership

In the actual application environment, users may join in or exit the grid. Therefore, the aggregation scheme needs to support the random entry or exit of users with low communication traffic and computational cost. In -PDA scheme, when a new user wants to join in a smart grid, the user applies to OC. After receiving the application, OC reviews the user’s qualifications to determine whether to approve the application. If the application is approved, then OC assigns the user a group with group key , chooses a new , and evaluates the corresponding , then sends (*s _{g’}*, , ) to the user. At the same time, the number of users in the group is increased by one. If a user wants to exit from the grid, he only needs to unregister his ID from the system and reclaim his smart meter. The number of meters in the group is reduced by one. It can be seen that the joining of new users and the exit of old users do not need to do anything for other users, which is completely in line with the actual application scenarios.

##### 6.5. Forward Security

The proposed scheme is forward-secure. In other words, if an adversary breaks the system in the time slot and obtains the secret key , the adversary can only solve users’ private information at , but it cannot obtain any previous information. Because even the adversary has , it cannot derive and . Furthermore, the random number distributed by the aggregator changes with time and then updates with . Therefore, the secret key of the time slot just affects to ciphertext at time .

##### 6.6. System Feature Comparison

In Table 2, we compare our scheme with several related fault-tolerant schemes [12–17, 25] in terms of whether it achieves some important features like confidentiality, privacy, forward security, the demand for an online trusted third party, dynamic membership, and accurate aggregation. Comparing with those schemes, -PDA not only satisfies the necessary security and privacy requirements but also achieves the efficient dynamic membership management and accurate aggregate values without online high-authority entities or online trusted entities.

#### 7. Efficiency Evaluation

In this section, we evaluate the efficiency of -PDA on the computation cost and communication overload and make a comparison with some fault-tolerant schemes (Guan and Si 2017) [15], FESDA [16] (Wang et al. 2020) [25]). For convenience, we assume there are SMs in the aggregation domain, and SMs out of the domain are working normally which is over the aggregation threshold required in the scheme. Furthermore, to evaluate efficiency, we set the secure parameter , then bits, bits, and bits, set the RSA module as 1024 bits, the length of the big prime in Shamir’s secrete scheme as bits, set timestamps and signatures as 64 bits, and set ID as 32 bits.

##### 7.1. Computation Cost

Generally speaking, the service center/control center (DSC in our scheme) has sufficient computing and storage resources, and all of the algorithms in our scheme and other peering schemes are widely used. Therefore, we only evaluate the computational workload on the terminal and the aggregator. Also, according to the assumptions in Adversarial Model and Assumptions, we do not count the computational overhead of signatures and verifications. Table 3 defines some symbols of executing time of related operations which are executed based on the PBC and OpenSSL library in a PC with 64-bit Windows 10 operating system, Intel Xeon E3 @3.5GHz CPU, and 8 GB memory.

*Computations on*: in the encryption stage, -PDA needs to compute and a to encrypt . In subsequent stages, and does not need to do any calculations. Therefore, the computational cost on each SM is + 2.400 ms in each time slot. In Guan and Si [15], it takes to calculate , . In FESDA [16], uses to get and . In (Wang et al. [25], each user needs to update its blind factor through discussion with three or more users, so it takes at least to finish the encryption and blinding factor update. For the partners of a faulty SM, extra is needed to update the blind factor and reencryption. The more faulty users a user cooperates with, the more calculations are required. Therefore, compared with these peered schemes, the computational overload is acceptable for SMs in our scheme.

*Computations on the aggregator:* In the encryption stage, AG just generates a random number . The computational workload of the generation of a random can be ignored. In the aggregation stage, AG needs to calculate . According to the descriptions in Guan and Si [15], the data aggregator (DA) needs to deal with malfunctioning *SMs*. Then, DA spends to compute and to compute . The amount of computational cost of DA in this stage is . In FESDA [16], the fog nod (FN) spends to aggregate received data to get and to generate and , so the computational cost in FN is . In Wang et al. [25], the aggregator takes to aggregate the received ciphertext. According to the above comparison, the calculation amount on the aggregator in -PDA is small.

The comparison of the calculation amount shows that our scheme is relatively friendly in terms of the calculation burden. The computation cost comparison among our scheme and others are illustrated in Table 4.

##### 7.2. Communication Cost

The evaluation of communication can be considered due to real-time communication traffic demand. It reflects the real-time performance and the demand for communication capabilities of devices.

In the encryption phase of -PDA, AG sends to each terminal. The traffic is bits. Each SM sends to AG that causes traffic of bits. In contrast, each SM sends 2304 bits to DA in Guan and Si 2017, and each SM sends 2368 bits to FN in FESDA. In Wang et al. [25], normally, each user needs to send 2048 bits to the aggregator and 1024 bits to each cooperator. If some users fail to report their data, according to the description in [25], all users have to update their keys, recompute the ciphertext, and send the new ciphertext, which will cause another 2048 bits traffic for every SM. Therefore, with at least three partners, the amount of data each user needs to send is not less than 7168 bits. As we can see, in this stage, SMs in our scheme are easier with communication.

In the aggregation phase, AG sends () to DSC, which causes a communication overhead of bits. Meanwhile, in Guan and Si [15], DA sends a message of 3072 bits to CC. In FESDA, if there is no malfunctioning SM, FN sends a message of 2304 bits to CC; otherwise, each malfunctioning SM will cause 32 bits traffic. In Wang et al. [25], the aggregator sends 2048 bits to the data center. If some failures occur, the aggregator needs to broadcast the identities of failed users to all users. That adds another bits of communication overload. Also, in the aggregation process, the communication cost on AG in the proposed solution is lower than that in these peering schemes.

In the decryption phase of our scheme, DSC needs shares to reconstruct the key. So, before decryption, each working SM sends (*x _{i}*,, ) to DSC, generating 1216 bits of upload traffic. However, this traffic can be uploaded at idle time.

Figure 3 shows the comparison of communication traffic from a real-time perspective. The proposed solution distributes the communication volume to each stage in a more balanced manner, which allows more timely execution and lower bandwidth requirements.

#### 8. Conclusion

This paper proposes the -PDA scheme for smart grids to obtain the accurate aggregate real-time consuming data while ensuring users’ privacy and achieving fault tolerance and dynamic membership without any online entity with high authorities. The analyses are present to prove that the proposed scheme meets all the design goals and system performance requirements.

#### Data Availability

No data were used to support this study Yining Liu Guilin University of Electronic Technology, China.

#### Conflicts of Interest

The authors declare that there is no conflict of interest regarding the publication of this paper.

#### Acknowledgments

The study of the manuscript titled “Fault-tolerant Privacy-preserving Data Aggregation for Smart Grid” is funded by the National Natural Science Foundation of China under grant no. 61662016 and Key Projects of Guangxi Natural Science Foundation under grant no. 2018JJD170004.