Privacy-Preserving Multidimensional Data Aggregation Scheme for Smart Grid

In a smart grid, data aggregation is a commonmethod to evaluate regional power consumption. Data leakage in the process of data transmission poses a security threat to the privacy of users. Many existing data aggregation schemes can only aggregate onedimensional data; however, it is necessary to aggregate multidimensional data in practical smart grid applications. ,erefore, this paper proposes a privacy-preserving multidimensional data aggregation scheme, which can aggregate multidimensional data and protect the individual user’s identity and data privacy. ,e security of the proposed scheme is proved under the random oracle model. ,e simulation results show that the proposed scheme has great advantages in computing overhead, and the communication overhead also meets the requirements of the smart grid.


Introduction
A smart grid is a more efficient and modern grid. "Grid 2030" defines a smart grid as follows: "A fully automatic power transmission network that monitors and controls each user and node to ensure the two-way flow of power and information between power plants and power devices and all nodes between them" [1]. Smart grid consists of seven domains: the generation, transmission, distribution, customer, electricity market, service provider, and operation center domain, as shown in Figure 1.
Based on the real-time information of power consumption, the control center can monitor the power generation and consumption of each area, get the real-time power demand, and then take timely measures to optimize the power generation and distribution strategy. e customer can also get knowledge of current real-time power consumption and adjust his behavior to reduce expenses. In order to make a better transmission and distribution strategy, data aggregation is usually used to evaluate the power usage in a certain area. e purpose of data aggregation in a smart grid is to collect total power consumption data of users in a certain area and protect the power consumption data of an individual user from leakage. In order to support various network functions, many smart devices such as smart terminals and smart meters have been deployed and used in the smart grid [2]. As wireless networks are increasingly used in smart grids, the communication channel between the smart meter and the control center may be open [3]. erefore, the attacker can easily intercept, tamper with, or delete the messages in the communication channel, which causes great distress or economic loss. For example, an attacker can track a user's habits or lifestyle (he or she is at home or not at home) after obtaining his or her power consumption data, thus committing a crime inside a house [4]. An attacker may also cause economic loss to the user or service provider by injecting false information or making unreasonable demands.
With the wide application of the smart home, actual power data is possible to be multidimensional, for example, measuring power data by the type of household appliances such as refrigerators, air conditioners, and washing machines. erefore, it is necessary to study multidimensional data aggregation in a smart grid.
In this paper, we propose a privacy-preserving multidimensional data aggregation scheme. e characteristics of the proposed scheme are as follows: (1) feasibility: the proposed scheme can aggregate multidimensional data; (2) security: the proposed scheme can protect the user's identity and data privacy; (3) robustness: the proposed scheme can work normally when any smart meter is off-line or out of order; (4) high efficiency: the proposed scheme adopts EC-ElGamal cryptosystem, and the computation performance is efficient. e rest of this paper is organized as follows. In Section 2, we review the related works. In Section 3, we describe the preliminaries. In Section 4, we describe the system model and security requirements. We present our proposed scheme in Section 5. We analyze the security and performance in Sections 6 and 7, respectively. Finally, we make some conclusions in Section 8.

Related Work
Smart meters have three factors: smart meters' real-time power consumption data, smart meters' total power consumption data, and smart meters' identity [5]. In order to achieve the goal of data aggregation and protect the privacy of smart meters, several privacy-preserving one-dimensional data aggregation schemes have been proposed based on homomorphic encryption, blind factors, and Shamir's secret sharing.
Homomorphic encryption combined with blind factors (random numbers) is a common method to design data aggregation schemes. e trusted third party predistributes different blind factors to each user and the aggregator. Each user uses its own blind factor to obfuscate the power consumption data. When the aggregator receives data from all users, it can eliminate the blind factors added by all users to obtain aggregated data. Fan et al. [19] proposed the first data aggregation scheme that can resist internal attacks, which uses BGN cryptosystem and blind factors. Bao and Lu [20] found that Fan's scheme cannot provide data integrity. He et al. also proposed their scheme by using BGN cryptosystem and blind factors in [21], which can protect the integrity of data. e scheme proposed by He et al. [22] and Vahedi et al. [23] uses EC-ElGamal cryptosystem and blind factors and has high computational efficiency. All of the above [19][20][21][22][23] schemes can defend against internal attacks. e combination of homomorphic encryption and Shamir's secret sharing is also used to design a data aggregation scheme [24]. For example, the PMDA scheme proposed by He [25] uses Shamir's secret sharing to allow smart meters to collectively negotiate aggregation parameters and supports multifunctional data aggregation. e 3PDA scheme proposed by Liu et al. [26] uses EC-ElGamal cryptosystem and Shamir's secret sharing, and users construct a virtual aggregation area to mask single data. e scheme presented in [25,26] does not rely on a trusted third party. Even if any smart meter is off-line or out of order, the system can work normally. New smart meters can be easily added to the system while the user's secret share remains the same.
At present, only one-dimensional data is considered in many schemes, but in practical application, power consumption data is usually multidimensional to facilitate finegrained analysis. Based on the superincreasing sequence and Horner's rule, some researchers proposed multidimensional data aggregation schemes.
Knapsack cryptosystem based on superincreasing sequence can compress multidimensional data into one-dimensional data. e PPMA scheme proposed by Li et al. [27] uses Paillier cryptosystem and superincreasing sequence to aggregate multidimensional data. e PPMA scheme gives several successive power consumption ranges, divides the regional users into several subsets, and can get the sum of power consumption data of each subset and the number of users. e EPPA scheme proposed by Lu et al. [28] uses a superincreasing sequence to compress multidimensional data into one-dimensional data and then uses Paillier's cryptosystem to encrypt the compressed data.
e algorithm based on Horner's rule can also compress multidimensional data into one-dimensional data. e scheme proposed by Shen et al. [29] uses Paillier's cryptosystem and Horner's rule. Each user constructs Horner polynomial with the first Horner parameter, storing the multidimensional data in a single data. After embedding the second Horner parameter into the polynomial, Paillier's cryptosystem is used to encrypt the single data.

Hard Problems.
Let G be an additive cyclic group with prime order q; then some hard problems in the group G are described as follows.
Elliptic Curve Discrete Logarithm (DL) Problem. Given points G, Q ∈ G , where Q � aG, a ∈ Z * q , a is unknown. DL problem is to compute the value of a.
Elliptic Curve Computational Diffie-Hellman (CDH) Problem. Given points G, P, Q ∈ G, where P � aG and Q � bG, a, b ∈ Z * q , a and b are unknown. CDH problem is to compute abG. CDH assumption holds if there exists no probabilistic polynomial-time adversary that can solve the CDH problem with a nonnegligible advantage.
Elliptic Curve Decisional Diffie-Hellman (DDH) Problem. Given a point G, P, Q, Z ∈ G, where P � aG and Q � bG, a, b ∈ Z * q , a and b are unknown. e DDH problem is to determine whether Z � abG holds. DDH assumption holds if there exists no probabilistic polynomial-time adversary that can solve the DDH problem with a nonnegligible advantage.

Security Model of Authentication and Key Agreement.
Define a probabilistic polynomial-time adversary A, which can make a series of queries to simulate real attacks, define a simulator S, and define a game played between A and S. en, A can adaptively make the following queries.
Hash(m): is query simulates an adversary's hash request for a message m. S needs to keep a table L H � (m, r). When S receives the request from A, S checks if L H contains a tuple (m, r). If so, S returns r to A; otherwise, S randomly chooses r, stores (m, r) in L H , and returns r to A. Execute(ID i ): A makes this query to simulate an eavesdropping attack (passive attack). S returns a copy of the exchange message executed under the real authentication protocol. Send(ID i , m): A makes this query to simulate an active attack. A can query the response information associated with the message m. S normally performs the steps of the authentication protocol and then returns the corresponding message to A. Corrupt(ID i ): A makes this query to simulate a corrosive attack that can obtain the participant's private key. S returns the relevant private key according to the authentication protocol. Reveal(ID i ): A makes this query to simulate a known session key attack. If a valid session exists, S returns the session key corresponding to the participant; otherwise, S returns ⊥. Test(ID i ): is query simulates an adversary's ability to distinguish between a true session key and a random number. When the session key has been defined, S chooses a random number b ∈ 0, 1 { }. If b � 1, S returns the true session key to A; if not, S returns a random number with the same length of the session key to A.
After making the above queries, A can make Test query. e output of Test query depends only on the value of the bit b. e output of A is the result of guessing b ′ associated with the bit b. If b � b ′ , A wins the game. Define an event Succ as A wins the game. e advantage of A breaking the semantic security of the authentication protocol is (1) Definition 1. e proposed authentication protocol is semantic secure if there exists no probabilistic polynomialtime adversary A that can win the above game with a nonnegligible advantage.

Security Model of Encryption and Signature.
e encryption and signature scheme are used in this paper. erefore, semantic security and unforgeability should be considered in the security model. Define a probabilistic polynomial-time adversary A that can make a series of queries to simulate real attacks, define a simulator S, and define a game played between A and S. en A can adaptively make the following queries. h(m): is query simulates an adversary's request for a message m. S needs to keep a table L h � (m, r). When

Security and Communication Networks
S receives a request from A, S checks if L h contains a tuple (m, r). If so, S returns r to A; otherwise, S randomly chooses r, stores (m, r) in L h , and returns r to A. Creat(ID i ): is query simulates an adversary's attack to obtain the smart meter's public key. S needs to keep a table L U � (ID i , SK, PK). When S receives the request from A, S checks if table L U exists in the public key PK with ID i . If so, S returns PK to A; otherwise, S randomly chooses a private key SK, generates the corresponding public key PK, stores (ID i , SK, PK) in L U , and returns PK to A. Extract(ID i ): is query simulates an adversary's attack to obtain the smart meter's private key. S checks if table L U exists in the private key SK with ID i . If so, S returns SK to A; otherwise, S randomly chooses a private key SK, generates the corresponding public key PK, stores (ID i , SK, PK) in L U , and returns SK to A Encrypt(ID i , m i ): this query simulates an adversary's encryption request for a message m i . S queries the public key PK with ID i , uses PK to encrypt the message m i , and then returns the ciphertext to A.
is query simulates an adversary's signature request for a message m i . S queries the private key SK with ID i , uses SK to sign message m i , and then returns the message m i and signature to A. Unsign(ID i , mi): is query simulates an adversary's request to verify the message m i 's signature. S queries the public key PK with ID i and uses PK to validate the signature of the message m i .

Definition 2.
If there exists no probabilistic polynomialtime adversary that can win the following game with a nonnegligible advantage, the proposed scheme is secure against indistinguishability under the chosen-plaintext attack (IND-CPA).
Initialization: S runs a key generation algorithm, generates a key pair (PK, SK), sends the public key PK to A, and keeps the private key SK Phase 1: A can access a random oracle to make a series of queries. A randomly chooses two plaintexts m 0 , m 1 with the same length and sends them to S. Challenge: S randomly chooses a bit u ∈ 0, 1 { } and sends the ciphertext C u of the message m u to A. We call the ciphertext C u the challenging ciphertext Guess: A outputs its guess u ′ ∈ 0, 1 { }. e advantage of A in the above game is defined as follows: Definition 3. If there exists no probabilistic polynomial-time adversary that can win the following game with a nonnegligible advantage, the proposed scheme is secure against existential unforgeability under the adaptive chosen messages attacks (EUF-CMA).
Initialization: S runs a key generation algorithm, generates a key pair (PK, SK), sends the public key PK to A (also known as a forger), and keeps the private key SK. Query 1: A queries the hash value of the message m, and S returns the corresponding hash value h(m) to A. Query 2: A queries the signature of the message m, and S returns the corresponding signature Sign(m) to A. Challenge: A forges a message's signature pair (m * , Sign(m * )) and sends it to S. S verifies the validity of the signature. If the forged signature is valid, A succeeds; otherwise, A fails.

System Model.
In the proposed scheme, the system model for the smart grid consists of four entities: smart meter (SM), aggregator (AGG), control center (CC), and trusted third party (TTP), as shown in Figure 2.
SM: It is responsible for regularly collecting realtime power consumption data of the user and sending encrypted data to the aggregator. e smart meter is honest-but-curious. It operates according to the protocol and may infer information from other users. AGG: It is responsible for aggregating the power consumption data of all users and sending the aggregated data to the control center. e aggregator is honest-but-curious. It stores all intermediate computational results and may get users' privacy information from them CC: It is responsible for decrypting and analyzing aggregated data to obtain the sum of users' power consumption data for each area and to generate an appropriate response. e control center is fully trusted and may attempt to analyze incoming messages to obtain valuable information. TTP: It is responsible for generating and distributing security parameters for all smart meters. TTP is fully trusted and participate only in the registration process, not in the data aggregation process.

Security Requirement.
According to related works in recent years, the data aggregation scheme in a smart grid should meet three security requirements. We summarize these requirements as follows.
Confidentiality: A malicious attacker may intercept information from a user. e leakage of a user's power consumption data can compromise its privacy. erefore, it is important to ensure that the attacker cannot obtain the power consumption data of an individual user. Integrity: A malicious attacker may tamper with a message sent by a user, which will affect the normal statistical analysis. erefore, it is important to ensure that the messages sent by the user are correct. 4 Security and Communication Networks Authentication: A malicious attacker may forge a message and impersonate a real user to send a message, which will affect the normal process of statistical analysis. erefore, it is important to ensure that the data received by the aggregator is from a legitimate user.

Scheme Construction
is section describes the proposed privacy-preserving multidimensional data aggregation scheme. e proposed scheme consists of six steps: system setup, registration and login, authentication and key agreement, data generation, data aggregation, and multidimensional data decryption. We assume that there are n users in each residential area. e symbols and their definitions used in this section are shown in Table 1.

System Setup.
e initialization phase is used to generate system public parameters. e smart meter, aggregator, control center, and trusted third party randomly choose an integer from Z * q as their private key and compute the corresponding public key

Registration and Login
(1) Registration. All smart meters need to register, and each smart meter only needs to register once. e detailed steps for the registration phase are described as follows: (1) SM i submits its identity ID i and password PW i to TTP through a secure channel. (2) After receiving the message ID i , PW i , TTP saves the identity and password information and Finally, TTP returns the message PID i , B i to SM i through a secure channel.
(3) After receiving the message PID i , B i , SM i saves PID i , B i in its own memory (with some tamper-proof ability).
(2) Login. SM i needs to perform a login phase before communicating with the aggregator. e detailed steps of the login phase are described as follows: If so, the login of SM i succeeds; otherwise, the login of SM i fails

Authentication and Key Agreement.
e goal of the authentication and key agreement phase is for the smart meter to request authentication from the aggregator and establish a session key between the smart meter and the aggregator, as shown in Figure 3. e session key is used by the aggregator to encrypt the response message using a symmetric encryption algorithm when the response message is returned. e detailed steps for authentication and key agreement phase are described as follows.
(1) SM i randomly chooses an integer r i ∈ Z * q and holds. If not, AGG terminates the communication; otherwise, AGG randomly chooses r j ∈ Z * q and computes where sk ij is the session key and t j is the current timestamp. Finally, AGG returns the message T j , δ 2 , t j to SM i (3) After receiving the message T j , δ 2 , t j , SM i computes S ij � r i T j , sk ij � H 1 (R i ‖T j ‖sk ij ‖ID i ) and checks whether the equation (1) SM i randomly chooses s i ∈ Z * q and computes the ciphertext according to (2) SM i randomly chooses k i ∈ Z * q and computes its signature (K i , z i ) according to where T i is the current timestamp.

Data Aggregation.
After receiving the message AID i ‖X i ‖C i ‖K i ‖T i � � � �z i , AGG verifies the smart meter's signature and computes the aggregated ciphertext, as shown in Figure 4. Suppose that there are currently k smart meters participating in the data aggregation.
(1) AGG verifies signatures of all smart meters according to (2) AGG computes the aggregated ciphertext C according to (3) AGG partially decrypts the aggregated ciphertext C using the private key x A according to erefore, the form of partially decrypted ciphertext C A is shown in (4) AGG randomly chooses k A ∈ Z * q and computes its signature (K A , z A ) according to After successful verification, CC decrypts the aggregated ciphertext C A using its own private key x CC to get the sum of the power consumption data.
(1) CC verifies the signature of AGG according to Security and Communication Networks 7 (2) CC decrypts the aggregated ciphertext C A using the private key x CC according to (3) Using Pollard's lambda algorithm, the sum of the power consumption data for each dimension can be computed, as shown in (12), where k i�1 d il represents the total power consumption data of k users in the l − th dimension.

Theorem 1. Assume that ADV Ptotocol
A represents the advantage of a probabilistic polynomial-time adversary to break the semantic security of the proposed authentication protocol; then,

ADV Ptotocol
where L represents the size of the identity space, |H i | represents the size of the hash function space, q is the prime order of group G, and q send , q exe , and q H i represent the number of Send query, Execute query, and Hash query, respectively.
Proof. Define a series of games Game 0 , Game 1 , Game 2 , and Game 6 .
We use Succ j (j � 0, 1, . . . , 6) to indicate the event that A successfully guesses b � b ′ in Test query in Game j .
Game 2 : this game simulates all queries in Game 1 ; the only difference is that Game 2 will simulate an adversary's guess attack on the smart meter's true identity.
Since the smart meter's identity is converted to a pseudonym by a random number during each authentication phase, the adversary is unable to determine the smart meter's true identity and has no other information to verify the smart meter's true identity. erefore, we have Game 3 : this game simulates all queries in Game 2 ; the only difference is that Game 3 will simulate collision attacks that occur on messages AID i , R i , δ i , t i , T j , δ 2 , t j , and δ 3 , t i ′ . erefore, we have Game 4 : this game simulates all queries in Game 3 ; the only difference is that Game 4 will simulate the adversary's corrosion attack on the participant. When Corrupt query is executed, the private key stored in the smart meter and in the aggregator can be extracted by the adversary. However, this information is useless for calculating the session key, because a secret random number that is generated temporarily must be required. Due to the fact that r i and r j are randomly selected from Z * q , we have Game 5 : this game simulates all queries in Game 4 ; the only difference is that other hash functions will be used to compute the temporary session key sk ij . at is, instead of using a random oracle, we use Game 6 : this game simulates all queries in Game 5 ; the only difference is that Game 6 will simulate an event where the adversary breaks CDH problem, randomly choose two integers a, b ∈ Z * q , given an instance of CDH problem (aG, bG), and compute A � aG, B � bG; then, we have AskH 6 ( R i ‖T j ‖CDH( aG, bG ) � � � �ID i ). In Game 5 , the adversary needs to make a query such as where ADV CDH G (t) represents the advantage of A to break the CDH problem.
From the above analysis, we have

Due to ADV Protocol
To sum up, the advantage of adversary A to break the proposed authentication protocol is negligible, and the proposed authentication protocol is semantic secure.

Theorem 2.
e proposed scheme is secure against IND-CPA, if the DDH problem is hard.
Proof. Assume that there exists a probabilistic polynomialtime adversary A that can win the game in Definition 2 with a nonnegligible advantage ε. en, we can construct a simulator S to solve DDH problem with a nonnegligible advantage ε ′ . e simulator S chooses a challenging identity ID I , and the adversary A can make the following queries: , r), where i � 0, 1, 2, 3, 4. After receiving the hash request from A, S checks if the tuple (m, r) exists in L H i . If so, S returns r to A; otherwise, S randomly chooses r, stores (m, r) into L H i , and returns r to A h(ID i , X i , C i , K i , T i ): S needs to keep a table L h � (ID i , X i , C i , K i , T i , r). After receiving the hash request from A, S checks if (ID i , X i , C i , K i , T i , r) exists in L h . If so, S returns r to A; otherwise, S randomly chooses r ∈ Z * q , stores (ID i , X i , C i , K i , T i , r) into L h , and returns r to A After receiving the request from A, S checks if (ID i , x i , X i ) exists in L U . If so, S returns X i to A; otherwise, S randomly chooses x i ∈ Z * q , computes X i � x i G, stores (ID i , x i , X i ) into L U , and returns X i to A Extract(ID i ): after receiving the request from A, S first checks whether the identity ID i used by A in the query is equivalent to the challenging identity ID I . If so, S terminates this game; otherwise, S checks if (ID i , x i , X i ) exists in L U . If so, S returns x i to A; otherwise, S makes Creat(ID i ) query to generate the private key and public key x i and X i , stores (ID i , x i , X i ) into L U , and returns x i to A Encrypt(ID i , m i ): after receiving the request from A, S checks if (ID i , x i , X i ) exists in L U . If so, S uses X i to generate the ciphertext; otherwise, S makes Creat(ID i ) query to generate the private key and public key x i and X i and then uses X i to generate the ciphertext □ Proof. Assume that the ciphertext C i � m i G + s i X is secure against IND-CPA. Define a series of games Game 0 , Game 1 , and Game 2 . With these games, we reduce the instance of the DDH problem.
at is, given (G, P � aG, Q � bG, Z), determine whether Z � abG, where G, P, Q, Z ∈ G, a, b ∈ Z * q , and a and b are unknown. S chooses a challenging identity ID I . Game 0 : this game simulates real-world attacks. S acts as a smart meter, knowing the public and private key pair (S i � s i G, s i ). A knows the public key and has access to the random oracle. At some point, A randomly chooses an identity ID i and two plaintexts Security and Communication Networks (m i0 , m i1 ) with the same length and sends them to S for an encryption query. en, S chooses a bit u ∈ 0, 1 { }, encrypts the ciphertext C i � m iu G + s i X, and sends the ciphertext C i to A. Finally, A outputs its guess u ′ ∈ 0, 1 { }. Succ 0 represents the event in Game 0 that u � u ′ , and we use symbols Succ j (j � 0, 1, 2) to represent the same meaning in any game. Based on Definition 2, we have Game 1 : in this game, we embed the instance (G, aG, bG, Z) of the DDH problem. When A makes Creat(ID i ) query, S randomly chooses r i ∈ Z * q , sets X � r i bG, saves (ID i , r i , X) into L U , and sends X to A. Because X � r i bG is evenly distributed in the group G, Game 1 is completely indistinguishable from Game 0 . erefore, we have Pr Succ 1 � Pr Succ 0 .
Game 2 : in this game, S replaces the public key S i � s i G with S i � aG. S does not know the private key a. erefore, when A makes Encrypt(ID i , m i ) query, S performs the following steps. (1) When ID i � ID I , S looks for the record (ID I , r I , X) in L U . (2) S computes C I � m Iu G + r I Z and sends C I to A. (3) Define Z � abG ∈ G as event E.
If event E actually occurs, then C I is a valid ciphertext when public key S i � aG and X � r I bG holds. erefore, at this time, A can play its ability to guess whether u � u ′ .
However, if event E does not occur, A can only guess u � u ′ at a random probability of (1/2). erefore, we have erefore, based on the above analysis, we can solve the DDH problem with probability ε ′ .
Because the advantage ε in the previous assumption cannot be ignored, ε ′ cannot be ignored. at is, a simulator S can be constructed to solve the DDH problem. However, DDH problem cannot be solved in practice; then, the conclusion is impossible. erefore, our assumption does not hold. In other words, the proposed scheme is secure against indistinguishability under the chosen-plaintext attack (IND-CPA).

Theorem 3.
e proposed scheme is secure against EUF-CMA, if the discrete logarithm problem is hard.
Proof. Assume that there exists a probabilistic polynomialtime adversary that can win the game in Definition 3 with a nonnegligible advantage ε. en, we can construct a simulator S to solve the discrete logarithm problem. Given an instance (P, Q) of a discrete logarithm problem, where P, Q ∈ G, the goal of S is to find x ∈ Z * q , such that Q � xG. S chooses a challenging identity ID I . A can make H i (m), h(ID i , X i , C i , K i , T i ), Extract(ID i ) queries as it did in eorem 2. e adversary can also make other queries as follows: After receiving the request from A, S first checks if (ID i , x i , X i ) exists in L U . If so, S returns X i to A; otherwise, S checks whether the identity ID i used by A is equal to the challenging identity ID I , and if not, S generates x i and X i according to the proposed scheme; otherwise, S sets X i � Q, stores (ID i , , X i ) into L U , and returns X i to A Sign(ID i , m i ): after receiving the request from A, S first checks whether ID i and ID I are equal. If not, S generates the signature of the message m i according to the proposed scheme; otherwise, S randomly chooses erefore, we can obtain two equations: According to the above equations, we have To calculate the advantage of S solving the discrete logarithm problem, we define the following three events. ( erefore, the probability of A solving the discrete logarithm problem is Because ε cannot be ignored, the probability of A using S to solve discrete logarithm problem cannot be ignored. However, in the actual situation, the discrete logarithm problem is unable to solve; therefore, the conclusion cannot hold. As a result, our assumption does not hold. at is, the proposed scheme is secure against existential unforgeability under the adaptive chosen messages attacks (EUF-CMA).

Informal Security Analysis
(1) e proposed scheme provides anonymity for users.
As wireless networks are increasingly used in the smart grid, communication channels may be open. It is easy for adversaries to intercept messages from communication channels. In the proposed authentication protocol, the identity of each smart meter is anonymous. Because the CDH problem is hard, the adversary cannot obtain a true identity without knowing the temporary random number. erefore, the proposed scheme can protect the identity privacy of users. (2) e proposed scheme ensures the confidentiality of the session key. In the proposed scheme, the session key in the proposed authentication protocol uses random numbers chosen by the smart meter and the aggregator. During each authentication phase, the smart meter and aggregator reselect new random numbers. Even if the adversary eavesdrops on the communication channel, it is difficult for the adversary to guess the session key or to calculate the session key from the messages transmitted over the network. erefore, the proposed scheme ensures the confidentiality of the session key.
(3) e proposed scheme ensures the confidentiality of users' data. EC-ElGamal cryptosystem is used to encrypt the power consumption data. Assume that the DDH problem is hard, the EC-ElGamal cryptosystem is secure against IND-CPA. erefore, an external eavesdropper cannot obtain any individual user's power consumption data. Furthermore, the adversary cannot infer the plaintext of the aggregated data in the aggregator's database and the control center's database. erefore, the proposed scheme ensures the confidentiality of users' data. (4) e proposed scheme ensures data integrity and authentication. e signature algorithm in the proposed scheme is provable secure. In practice, if an attacker wants to forge a signature, it would have to either crack the hash function or the discrete logarithm problem. In the proposed scheme, the signature algorithm uses a secure hash function and an elliptic curve, so that the possibility of both types of cracking is negligible. erefore, the proposed scheme provides data integrity and authentication. (5) e proposed scheme is secure under the attack of malware. Suppose an attacker successfully intercepts private information from the aggregator database by deploying malicious software in the aggregator system. Because the aggregator cannot completely decrypt the aggregated ciphertext, the attacker cannot obtain any single user's power consumption data. In addition, the attacker can also intercept private information from the control center. e decrypted plaintext of the control center is the sum of users' power consumption data, and the attacker cannot obtain the power consumption data of an individual user. erefore, the proposed scheme can protect the user's power consumption data from malicious software. (6) e proposed scheme can resist replay attacks. Because the messages whether in the authentication or data generation phase contain a timestamp, the aggregator can detect any replayed messages by verifying the validity of the timestamp. erefore, the proposed scheme can resist replay attacks.

Performance Analysis
is section presents the performance comparison between the proposed scheme and other similar schemes in the data generation phase and data aggregation phase. Performance includes computation overhead and communication overhead. Experiments were all performed on a personal computer with Intel Core i5-7200U CPU @2.50 GHz, 12.00 GB memory, and Windows 10 operating system, based on the JPBC library.

Computation Cost.
We compare the computation cost of the proposed scheme with that of Li et al. [27], Shen et al. [29], and Lang et al. [30]. For convenience, we define some notations and descriptions as shown in Table 2. Since CC is generally supposed to have enough computing power, we only compare the computation overhead of SM i and AGG.
In Li's scheme [27], SM i executes two EXP operations, one HTP operation, and one PMUL operation. erefore, the runtime of SM i is 2T EXP + T HTP + T PMUL . AGG executes one EXP operation, (n + 1)PMUL operations, and one HTP operation.
In Shen's scheme [29], SM i executes two EXP operations and one PMUL operation. erefore, the runtime of SM i is 2T EXP + T PMUL . AGG executes (n + 1)BP operations and nHTP operations. erefore, the runtime of AGG is (n + 1)T BP + nT HTP .

Communication Cost.
Because the size of q 1 , q 2 , q is 512 bits, 512 bits, and 160 bits, respectively, we can know that the size of Z * n , G 1 , G 2 , G, Z * q is 1024 bits, 1024 bits, 160 bits, 160 bits, and 160 bits. Assume that the timestamp and the identity are both 32 bits.
In Li's scheme [27], SM i sends (ID i , CT i , δ i , T) to AGG, where the length of CT i is 1024 bits and the length of δ i is 512 bits.
In Shen's scheme [29], SM i sends (ID i , ID AGG , CT i , δ i , T) to AGG, where the length of CT i is 2048 bits and the length of δ i is 160 bits. us, the communication cost is 32 + 32 + 2048 + 160 + 32 � 2304 bits.
In Lang's scheme [30], SM i sends (ID i , CT i , δ i , T) to AGG, where the length of CT i is 4096 bits and the length of δ i is 512 bits when data has seven dimensions. us, the communication cost is 32 + 4096 + 512 + 32 � 4672 bits.
In our proposed scheme, SM i sends (ID i , C i , δ i , T) to AGG, where the length of CT i is 2240 bits and the length of δ i is 512 bits when data has seven dimensions. us, the communication cost is 32 + 2240 + 512 + 32 � 2816 bits.
As shown in Figures 5 and 6, the computation overhead in the aggregation phase of our proposed scheme has obvious advantages over Shen et al.'s [29] scheme. e communication cost is at the middle level compared with other schemes. Considering the security and reliability, it is reasonable to increase the communication cost. erefore, the proposed scheme satisfies the requirement of security and performance for the smart grid.

Conclusion
In this paper, we propose a privacy-preserving multidimensional data aggregation scheme for a smart grid, which can aggregate multidimensional data and protect the user's User (ms) AGG (ms) Li's scheme [27] 2T EXP + T HTP + T PMUL T EXP + (n + 1)T PMUL + T HTP Shen's scheme [29] 2T EXP + T PMUL (n + 1)T BP + nT HTP Lang's scheme [30] (l + 1)T MUL− BGN + T PMUL (n + 1)T PMUL Our scheme (2l + 2)T PMUL (n + 1)T PMUL     e analysis shows that the proposed scheme is provable secure and efficient. In addition, we will consider a more appropriate method of aggregating multidimensional data to improve the applicability of the proposed scheme in further work.

Data Availability
e data used to support the findings of this study are included within the article.

Conflicts of Interest
e authors have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.