Fault-Tolerant Privacy-Preserving Data Aggregation for Smart Grid

In smart grids (SG), data aggregation is widely used to strike a balance between data usability and privacy protection. The fault tolerance is an important requirement to improve the robustness of data aggregation protocols, which enables normal execution of the protocols even with failures on some entities. However, to achieve fault tolerance, most schemes either sacri ﬁ ce the aggregation accuracy due to the use of di ﬀ erential privacy or substitution strategy or need to rely on an online trusted entity to manage all user blinding factors. In this paper, a ( k , n ) threshold privacy-preserving data aggregation scheme named ( k , n )-PDA is proposed, which reconciles data usability and data privacy through the BGN cryptosystem and achieves fault tolerance with accurate aggregation using Shamir ’ s secret sharing without any online trusted entity. Besides, our scheme supports the e ﬃ cient changing of users ’ membership. Speci ﬁ cally, the dynamic secrete key is distributed to n smart meters (SMs) through the threshold secret sharing algorithm. When k or more meters participate in the aggregation, the data service center (DSC) can reconstruct the key to compute the aggregate results, and less than k SMs cannot recover the key. Thus, our solution still works functionally even if up to n − k SMs fail; also, it resists attacks from the collusion of less than k SMs. Moreover, system and performance analyses demonstrate that our scheme achieves privacy, fault tolerance, and membership dynamics with high e ﬃ ciency.


Introduction
The development of information, communication technology, and advanced control technology has driven the emergence of the smart grid. In SG, the sophisticated control system uses the real-time electricity consumption data monitored from smart meters to balance the supply and demand of electricity, thereby to stabilize power supply and improve power quality. However, fine-grained consumption data may pose a threat to consumers' privacy. Some researchers have pointed out that according to the real-time electricity consumption data, data collectors or eavesdroppers can infer consumers' living habits, household occupancy, economic conditions, or even which appliances are being used [1][2][3]. If the real-time consumption data is collected without assurance of users' privacy, the smart grid would be hardly developed. Therefore, how to ensure the usability of data while protecting the privacy of users has become a concern of researchers [3,4]. For the control system of a smart grid, it is sufficient to know the total instantaneous power demand and the power supply in a certain area. So, among the popular solutions is data aggregation which provides the sum of the real-time consumption data of users in a group rather than the data of each user [3][4][5].
Researchers have proposed many efficient privacypreserving data aggregation protocols which can be classified into two types: fault-intolerant schemes and fault-tolerant schemes. In fault-intolerant schemes [6][7][8][9][10], the system can carry out the scheme to obtain aggregate data with privacypreservation when all entities work well. However, the aggregation process may be stopped due to failures on smart meters. As a continuously operating system, the smart grid cannot be completely fault-free. Therefore, this type of aggregation scheme is impractical. In fault-tolerant schemes [11][12][13][14][15][16][17], the system can still work and compute the aggregation result despite some failures on SMs. Specifically, some fault-tolerant schemes are based on differential privacy, replacement strategies, but the aggregation result is an approximate value; others are based on an online trusted entity to manage blind factors of all SMs and the aggregator, which may increase the privacy risk. However, accurate aggregate values are the basis for the smart grid to accurately grasp real-time loads.
In addition to fault tolerance, dynamic membership management is also very important to the practicality of smart grids. In schemes that have no consideration on the dynamic management of members, any changing of membership, withdrawal, or joining may even cause all the entities in the system to be reconfigured. At the same time, a large amount of computation and communication will be imposed on the system. However, both the migration of users and the alternation of power providers will lead to changes in membership.
In this paper, we propose a novel privacy-preserving data aggregation protocol named (k, n)-PDA in smart grids where n is the number of SMs in the aggregation area, and k is the threshold. Our solution is based on the BGN cryptosystem and Shamir's secret sharing algorithm. The main contributions of this paper are summarized as follows: (i) We construct the encryption, aggregation, and decryption process based on the BGN homomorphic cryptosystem to ensure the confidentiality and privacy of data (ii) We use the threshold characteristics of Shamir's secret sharing algorithm to make the aggregation scheme threshold fault-tolerant, which means that accurate aggregate value with privacy preservation can be obtained even when n-k SMs collude with each other or do not work normally. The threshold k can be set according to experience and security to avoid the system still performing meaningless aggregation when a serious abnormality happens in the grid. Moreover, Shamir's algorithm makes our scheme easily achieve dynamic membership management (iii) We use the one-time pad to achieve forward security (iv) We analyze the security and some other system properties to show that the proposed scheme holds confidentiality, privacy preservation, fault tolerance, dynamic membership, forward security, and no need for any online trusted or high authority entity. Also, we evaluate the efficiency of the system to confirm that our solution has a good real-time performance The rest of this paper is organized as follows: Section 2 introduces some related works. We present some preliminaries in Section 3. The system model, adversarial model, and design goals are described in Section 4, and our scheme is detailed in Section 5. System analysis and performance evaluation of the scheme are shown, respectively, in Section 6 and Section 7. Section 8 concludes this article.

Related Works
The communication security and data privacy protection in the smart grid have received great attention from researchers.
Many excellent solutions have been proposed to ensure communication security through methods such as authentication or key management [18][19][20]. In terms of privacy protection, the popular methods are anonymization and data aggregation. The anonymization scheme [21] delinks individual raw data and their source. However, attackers may relink the raw data and the source by depseudonymization [22,23].
In recent years, many effective data aggregation schemes have been proposed to aggregate data of consumers with privacy preservation. Some of them cannot run when any part of entities fails to work, and others are fault-tolerant.
Schemes that are intolerant of fault, such as [7][8][9][10], are usually based on a group of random integers which sum to zero. These random integers are distributed to SMs and the aggregator as blind factors. SMs use blind factors to mask their data to achieve privacy and encrypt the masked data with homomorphic encryption. Then, the aggregator removes these masking factors from the aggregate ciphertext with its private key to obtain aggregate ciphertext. Finally, the data service center (DSC) decrypts the ciphertext to get accurate aggregate values. However, if any SM cannot send information to the aggregator (AG), AG cannot eliminate the blinding factor from the aggregate ciphertext. Consequently, DSC cannot obtain the aggregate value.
To achieve fault tolerance, schemes with fault tolerance usually adopt differential privacy, substitution strategy, centralized management of user blinding factors, etc., or a combination of two or more of them.
Schemes based on differential privacy [11,12] mask the original data by adding random noises that follow a randomized function distribution. Finally, these noises are removed according to the expected value of the function from the aggregate data to get an approximation of the aggregation result.
Substitution strategy [13][14][15] is that the faulty users' data are replaced with the data of other users who have the same blinding factors. In [15], if an SM, such as SM i , in a group fails to send the message, the data aggregation device will select an SM, such as SM j , from other groups with the same blinding factor, to replace the malfunctioning SM i so that the aggregation process can proceed. To reduce the error, this kind of schemes usually processes the data of SM j based on the past data of the group. Although these two kinds of schemes are fault-tolerant, they cannot provide accurate aggregate results.
The schemes with centralized management of blinding factors [14,16,17] essentially require an online entity or a trusted authority to manage blinding factors for the aggregator and the smart meters. In FESDA [16], the control center (CC) keeps all users' blinding factors. When some users fail to participate in the aggregation, CC calculates the sum of all the blinding factors of the failed users. Then, the sum is used to decrypt the aggregate ciphertext to obtain accurate results. In PDAFT [14] and PPFA [17], when an SM fails to upload data, the trusted third party will send the blind factor of the SM to help the aggregation process. However, the centralized management of blinding factors needs an online trusted authority or an online entity with high authority to hold all blinding factors, which will bring risks to users' privacy.

Wireless Communications and Mobile Computing
Recently, some fault-tolerant aggregation schemes without any trusted authority have been proposed [24,25]. In [24], K. Xue et al. use the (t, n) threshold secret sharing scheme to achieve flexible dynamic user management. In detail, each SM in building area networks (BAN) has a secret key, and the sum of these keys is zero. Every user needs to choose randomly a group of users to share its key with the secret sharing algorithm. When an SM fails, the control center (CC) needs to broadcast the identity of the failed SM and collect enough shares to recover its secret key. If the fault SM is restored, it needs to generate a new key and shares the key to a newly chosen group of users through a secure channel, which is impractical for a continuously running system. In [25], Wang et al. proposed to use multiple subsets and blinding factors to achieve privacy-preserving data aggregation. Users negotiate to update the blinding factor. If some SMs are fault, the aggregator (AG) publishes the event and their identities. Then, their cooperators have to remove their parts from the blind factors and execute the encryption again. Finally, all normal users need to report their ciphertext again. These solutions can obtain accurate aggregate values. However, they require a complex mechanism to deal with SMs' malfunction, which may cause a heavy computation and communication burden to the system.

Preliminaries
In this section, we briefly review some important algorithms that are used as the building of our scheme.

Bilinear Map of Composite Order Groups.
A bilinear map of composite order groups related to an inputting security parameter τ ∈ ℤ + is defined as a 5-tuple ðp, q, G, G 1 , eÞ, where p, q are two random τ-bit primes, G, G 1 are two multiplicative cyclic groups of order N = pq, and e is a bilinear map e : G × G ⟶ G 1 with the following properties: (1) Bilinearity: ∀u, v ∈ G, and ∀a, b ∈ Z N , we have eðu a , v b Þ = eðu, vÞ ab (2) Nondegeneracy: g is a generator of G; then, eðg, gÞ must be a generator of G 1 and eðg, gÞ there is a polynomial-time algorithm to calculate eðu, vÞ. [26] is a homomorphic encryption scheme supporting unlimited addition operations but at most one multiplication and is widely applied in privacypreserving computation. It consists of three phases: key generation, encryption, and decryption.
(1) Key generation: given a security parameter τ ∈ Z + , the algorithm G outputs a bilinear map of composite order groups ðp, q, G, G 1 , eÞ as described in Billinear Map of Composite Order Groups. The key management agency chooses two random generators g, u of G and calculates h = u p and N = pq, where h is a generator of the subgroup of G with order q. As a result, we have public key PK = fN, G, G 1 , e, g, hg and private key SK = q (2) Encryption: for a message m ∈ Z T , T < p picks a random r ∈ Z N−1 and encrypts m into C = g m h r ∈ G (3) Decryption: with private key SK = q to decrypt the ciphertext C, calculate C q = ðg m h r Þ q = g mq = ðg q Þ m . Letĝ = g q , then m can be recovered by using Pollard's lambda method [27] to solve the discrete logarithm of C q baseĝ with time complexity Oð ffiffiffi ffi T p Þ 3.3. Shamir's Secret Sharing Scheme. Shamir's secret sharing scheme [28] is a ðk, nÞ threshold secret sharing scheme where a secret S is divided into n pieces, and the secret S can be easily calculated when k or more secret shares are known, while it is impossible to reconstruct S if the number of known secret shares are less than k. In the scheme, all elements are in a limited field. We can realize this scheme in a limited field of size P, where P is a prime number, by constructing a polynomial: where q 1 , q 2 , ⋯, q k−1 are random integers less than P, and each participant gets a unique x i and calculates y i = f ðx i Þ; then, ðx i , y i Þ is a secret share. With k different shares, the polynomial can be reconstructed by the Lagrange interpolation as below: However, we just need to find S from the polynomial f ðxÞ . S is the free coefficient. So, we only need to calculate

System Setup
The (k, n)-PDA scheme includes four entities in the system and targets to get several design goals; meanwhile, against some attacks which may be launched by entities defined as the adversarial model in Adversarial Model and Assumptions. In this section, we introduce the system model formally and describe the adversarial model and design goals in detail.

System
Model. Figure 1 shows the system model, which consists of four kinds of entities.
(1) Smart meters (SMs): The SMs are devices equipped in energy consumers' houses to collect users' real-time energy consumption in every sampling time (like 15 minutes), encrypt these data, and send them to the aggregator at the end of every time slot. Usually, customers are grouped according to their locations. In this paper, we assume each aggregation domain 3 Wireless Communications and Mobile Computing has n SMs recorded as a set U g = fSM 1 , SM 2 , ⋯, SM n g. It should be noted that some SMs may be faulty and cannot take part in the aggregation. Suppose there are l SMs that are online and participating in the aggregation, these SMs make up U on ⊆ U g and jU on j = l. We record the set of offline SMs as U off = U g − U on and jU off j = n − l 4.2. Adversarial Model and Assumptions. In our system, OC is a trusted organization. DSC and AG are faithful to performing system tasks but are curious to know the users' real-time data. Every SM (customer) will try its best to protect the privacy of data and may also infer private data of other customers through public information and its private data. An external attacker may monitor the communication channels and try to figure out users' sensitive data.
Since there are many excellent solutions [18][19][20] to ensure communication security in the smart grid and this paper mainly focuses on the privacy protection of users, we assume that all transmitted messages in the system are properly authenticated with existing signature methods to achieve the required authentication and integrity. We also assume all physical participants are tamper-proof and sealed, so that any illegal reading from physical devices will be perceived, and any alteration to data from entities cannot be achieved without being detected.

Design Goals.
Our solution aims to provide aggregate data without revealing users' private data. At the same time, on the premise of ensuring confidentiality, to make this protocol more practical, we hope that when some smart meters fail to send their messages, the system can still aggregate the remaining users' data. Besides, when a user joins in or logs out, we hope that other users are not affected. Our design goals are detailed as follows: Confidentiality: external attackers may eavesdrop on the messages transmitted on the communication channel. It should be ensured that unauthorized entities cannot obtain any useful information from these messages.
Privacy: the aggregate data is available to the public utilities; meanwhile, the individual data of every customer cannot be obtained by any other entities.
Fault tolerance: if any fault on SMs may cause data aggregation to fail, the usefulness of the system will be greatly reduced. Therefore, we are committed to designing an aggregation protocol that works well when even n − k SMs cannot normally send consumption data, where n is the total number of SMs in a group and k is the threshold number of SMs working normally.
Dynamic membership: when a new user joins or an old user logs out, the system should not need to update any parameter of other users.
Forward security: in order to improve the antirisk ability, it is required that even if the current key is compromised, the adversary cannot find out the previous individual data.

Our Scheme
This section presents our privacy-preserving data aggregation protocol. The procedure includes four phases: system initialization, encryption, data aggregation, and decryption. In the initialization phase, OC generates and publishes system parameters and registers for SMs. In the encryption phase, AG publishes a random number to SMs; then, each SM generates a dynamic key to encrypt real-time readings and report the ciphertexts to AG; also, each SM computes   Wireless Communications and Mobile Computing its share of the dynamic key and sends to DSC. In the aggregation phase, AG aggregates the received ciphertexts and reports the aggregate ciphertext to DSC. Finally, in the decryption phase, DSC reconstructs the dynamic key and decrypts the aggregate ciphertext to obtain the plaintext of aggregate data. The frame of the proposed scheme is shown in Figure 2 and notations to be used in the rest of the paper are listed in Table 1.

System Initialization
.
Step 1. with the algorithm G and the input secure parameter τ ∈ Z + , OC generates a bilinear map of composite order groups ðp, q, G, G 1 , eÞ and computes N = pq.
Step 2. OC chooses two generator g, u of G and gets h = u p .
Step 3. OC selects a prime number P greater than n and chooses a secure argument k as the threshold based on data privacy and failure rate. Specifically, the higher the failure rate is, the smaller k should be, but too small k will affect the user's privacy or arouse a meaningless aggregation when a serious abnormality happens, so a good balance needs to be struck. Notably, these parameters satisfy 1 < k < n < P.
Step 4. OC gets k − 1 random numbers q 1 , q 2 , ⋯, q k−1 with q i < P and constructs a Shamir secret sharing model with q as the secret: Step 5. if a user has registered successfully, OC chooses a unique x i as the user's identity (ID) and evaluates y i = f ðx i Þ. Also, OC generates a random number s g ∈ Z * N as the group key for users in the same group and then sends ðx i , y i , s g Þ to the user through a safe channel (usually embedded in the SM and cannot be read by external devices).
Step 7. We use m i to represent the reading of SM i : OC chooses a positive integer T according to the upper limit of consumption data, satisfying 0 ≤ m i < T < P < p.
Step 9. DSC produces a secret/public key pair ðsk DSC , pk DSC Þ based on the RSA cryptosystem and releases pk DSC to SMs. DSC also selects a unique ID for the aggregator, marked as ID AG .

Encryption.
Usually, AG collects users' data every 15 minutes and aggregates them. Users encrypt their private data before forwarding them to AG. The following are the detailed steps of the encryption process at time t.
Step 1. AG generates and publishes a random number r t ∈ Z * p to SMs of the same group before data collection.
Step 2. SM i ðSM i ∈ U on Þ computes the dynamic secret key H = H1ðr t jtjs g Þ, generates a random number r i , and then encrypts m i with H and r i to generate the ciphertext C i as equation (5).
Step 3. SM i generates the signature σ iAG for H2(x i |t|C i ) and sends ðx i , σ iAG , C i Þ to AG.

Wireless Communications and Mobile Computing
Step 4. SM i encrypts H · y i with the public key pk DSC to generate ciphertext C iDSC = E DSC ðH•y i Þ and a signature σ iDSC for H2 ðC iDSC jtjx i Þ, then sends (x i , σ iDSC , C iDSC ) to DSC. To ensure better real-time, this information can be sent out at the idle time before the decryption stage.

Data Aggregation.
After receiving messages from SM i , AG verifies the signature σ iAG first. If the verification fails, the message will be discarded. If AG confirms that there are lðn ≥ l ≥ kÞ legitimate users sent their data, the aggregation processes as follows.
Step 1. AG aggregates all ciphertexts from all online SMs to obtain the aggregate ciphertext C.
Step 2. AG generates a signature σ AG for H2ðCjtjID AG Þ and sends (σ AG , C, ID AG ) to DSC.

Decryption.
Firstly, DSC verifies the identity of SMs and AG and confirms the number l of SMs. Secondly, the DSC needs to obtain the secret key from the messages of SMs to decrypt the ciphertext C sent by AG. Therefore, the decryption process is divided into two steps: reconstructing the secret key and decrypting C.

Key
Reconstruction. DSC decrypts the C iDSC from SM i ðSM i ∈ U on Þ with the private key sk DSC to obtain H · y i and then uses H · y i of k SMs to construct equation (7) by the Lagrange interpolation. Compute

Decrypting
We can use pollard's lambda method to solve out the aggregate value ∑ l i=1 m i .

System Characteristic Analyses
In this section, we prove that the ðk, nÞ-PDA has achieved the design goals including confidentiality, privacy preservation, fault tolerance, dynamic membership, and forward security.
6.1. Confidentiality. If attackers eavesdrop on the communication channel between entities, they may be able to obtain messages transmitted in the channels. But even if intercepting all the information, i.e., (x i ,σ iAG , C i , σ iDSC , C iDSC ), sent by all the SMs, the attackers cannot figure out the private data of any SM. Because if the attackers want to find privacy information from the ciphertext C i issued by SM i , they need H1 ðr t jtjs g Þ•q to decrypt C i . There are two ways to solve out H 1ðr t jtjs g Þ•q. One way is to calculate it with r t , s g , q, but s g is embedded in the SM, any illegal reading will be perceived, and q is the secret key owned by the offline OC which adversaries cannot break. Another way is to collect no less than k users' secret shares for reconstruction. However, before the reconstruction, attackers must decrypt C iDSC to obtain H1ðr t jtjs g Þ · y i with DSC's private key sk DSC or collude with at least k SMs. As can be seen from the foregoing description, even if the attacker obtains data sent by all users and colludes with some (less than k) SMs, the decryption key cannot be reconstructed.

Privacy Preservation.
Our solution aims to achieve data aggregation while protecting user data privacy. Although both AG and DSC are authorized users of the system, they can legally accept the data sent by users and complete the aggregation protocol, but they still cannot obtain users' fine-grained electricity consumption data. The following describes in detail that this solution can satisfy privacy requirement. In our scheme, since SMs are honest and only receive parameters from the aggregator, SMs have no way to find any secret data of other users.
Although AG collects ðx i , σ iAG , C i Þ sent by each SM i , it cannot decrypt C i even owning r t , because AG has no shares of the decryption key H1ðr t jtjs g Þ · q to recover the key and also cannot calculate the key directly without s g and q.
Also, DSC can only obtain the aggregate ciphertext C from AG, and cannot obtain the ciphertext C i sent by a single user, so that even DSC can reconstruct the key H1ðr t jtjs g Þ · q but cannot reveal any individual user's real-time usage with the key.
6.3. Fault Tolerance. As described in our scheme, when k or more SMs can send information to AG and DSC, the aggregation process can be executed correctly to obtain the accurate aggregate data of online SMs. In detail, l ðl ≥ kÞ working SMs send messages to AG and DSC. After receiving messages from SMs, AG aggregates C i to obtain aggregate ciphertext C and then sends C to DSC. Next, DSC recovery is the key with l secret shares received from l SMs to decrypt the ciphertext C received from AG to obtain the accurate aggregation result of the l working SMs. That is to say, the proposed scheme can tolerate the failure of n − k or fewer SMs and achieve accurate aggregation without the need for special processing. Therefore, the (k, n)-PDA is fault-tolerant.

Dynamic Membership.
In the actual application environment, users may join in or exit the grid. Therefore, the 6 Wireless Communications and Mobile Computing aggregation scheme needs to support the random entry or exit of users with low communication traffic and computational cost. In ðk, nÞ-PDA scheme, when a new user wants to join in a smart grid, the user applies to OC. After receiving the application, OC reviews the user's qualifications to determine whether to approve the application. If the application is approved, then OC assigns the user a group g′ with group key s g ′ , chooses a new id new , and evaluates the corresponding y new = f ðx new Þ, then sends (s g' , id new , y new ) to the user. At the same time, the number of users in the group is increased by one. If a user wants to exit from the grid, he only needs to unregister his ID from the system and reclaim his smart meter. The number of meters in the group is reduced by one. It can be seen that the joining of new users and the exit of old users do not need to do anything for other users, which is completely in line with the actual application scenarios.
6.5. Forward Security. The proposed scheme is forwardsecure. In other words, if an adversary breaks the system in the time slot t i and obtains the secret key H1ðr t i jt i js g Þ•q, the adversary can only solve users' private information at t i , but it cannot obtain any previous information. Because even the adversary has H1ðr t i jt i js g Þ•q, it cannot derive s g and q.
Furthermore, the random number r t distributed by the aggregator changes with time and then H1ðr t jtjs g Þ•q updates with r t . Therefore, the secret key of the time slot t i just affects to ciphertext at time t i .
6.6. System Feature Comparison. In Table 2, we compare our scheme with several related fault-tolerant schemes [12][13][14][15][16][17]25] in terms of whether it achieves some important features like confidentiality, privacy, forward security, the demand for an online trusted third party, dynamic membership, and accurate aggregation. Comparing with those schemes, ðk, nÞ -PDA not only satisfies the necessary security and privacy requirements but also achieves the efficient dynamic membership management and accurate aggregate values without online high-authority entities or online trusted entities.

Efficiency Evaluation
In this section, we evaluate the efficiency of ðk, nÞ-PDA on the computation cost and communication overload and make a comparison with some fault-tolerant schemes (Guan and Si 2017) [15], FESDA [16] (Wang et al. 2020) [25]). For convenience, we assume there are n = 1000 SMs in the aggregation domain, and l = 990 SMs out of the domain are working normally which is over the aggregation threshold required in the scheme. Furthermore, to evaluate efficiency, we set the secure parameter τ = κ = 512, then jpj = jqj = 512 bits, jNj = 1024 bits, and jN 2 j = 2048 bits, set the RSA module as 1024 bits, the length of the big prime in Shamir's secrete scheme as jPj = 128 bits, set timestamps and signatures as 64 bits, and set ID as 32 bits.
7.1. Computation Cost. Generally speaking, the service center/control center (DSC in our scheme) has sufficient computing and storage resources, and all of the algorithms in our scheme and other peering schemes are widely used. Therefore, we only evaluate the computational workload on the terminal and the aggregator. Also, according to the assumptions in Adversarial Model and Assumptions, we do not count the computational overhead of signatures and verifications. Table 3 defines some symbols of executing time of related operations which are executed based on the PBC and OpenSSL library in a PC with 64-bit Windows 10 operating system, Intel Xeon E3 @3.5GHz CPU, and 8 GB memory.
Computations on SM i : in the encryption stage, ðk, nÞ-PDA needs T H + 2T e + T m to compute C i and a T e to encrypt H · y i . In subsequent stages, and SM i does not need to do any calculations. Therefore, the computational cost on each SM is T H + 3T e +T m ≈ 2.400 ms in each time slot. In Guan and Si [15], it takes SM i 2T H + 3T e + 3T m ≈ 2:405 ms to calculate C i , H 1 , and H 2 . In FESDA [16], SM i uses 2T H + 2T e + 2   [25], each user needs to update its blind factor through discussion with three or more users, so it takes at least 3T b + 4 T e + 8T m + 4T H ≈ 8:685 ms to finish the encryption and blinding factor update. For the partners of a faulty SM, extra 4T e + 2T m + T H ≈ 3:201 ms is needed to update the blind factor and reencryption. The more faulty users a user cooperates with, the more calculations are required. Therefore, compared with these peered schemes, the computational overload is acceptable for SMs in our scheme.
Computations on the aggregator: In the encryption stage, AG just generates a random number r t . The computational workload of the generation of a random can be ignored. In the aggregation stage, AG needs ðl − 1ÞT m ≈ 1:978 ms to calculate C = Q l i=1 C i . According to the descriptions in Guan and Si [15], the data aggregator (DA) needs ðn − lÞððn − 1Þ T a + 2T m + T e Þ to deal with malfunctioning SMs. Then, DA spends ðn − 1ÞT m to compute C sum and T H + T e to compute ENCðsk D , H 1 Þ. The amount of computational cost of DA in this stage is ðn − lÞððn − 1ÞT a + 2T m + T e Þ + ðn − 1ÞT m + T e + T H ≈ 20:818 ms. In FESDA [16], the fog nod (FN) spends ðl − 1ÞT m to aggregate received data to getĈ and 4T H to generate MAC j and MAC x , so the computational cost in FN is 4T H + ðl − 1ÞT m ≈ 1:982 ms. In Wang et al. [25], the aggregator takes ðl − 1ÞT m ≈ 1:978 ms to aggregate the received ciphertext. According to the above comparison, the calculation amount on the aggregator in ðk, nÞ-PDA is small.
The comparison of the calculation amount shows that our scheme is relatively friendly in terms of the calculation burden. The computation cost comparison among our scheme and others are illustrated in Table 4. In the encryption phase of ðk, nÞ-PDA, AG sends r t to each terminal. The traffic is n * 512 bits. Each SM sends ðx i , σ iAG , C i Þ to AG that causes traffic of ð128 + 64 + 1024Þ = 1216 bits. In contrast, each SM sends 2304 bits to DA in Guan and Si 2017, and each SM sends 2368 bits to FN in FESDA. In Wang et al. [25], normally, each user needs to send 2048 bits to the aggregator and 1024 bits to each cooperator. If some users fail to report their data, according to the description in [25], all users have to update their keys, recompute the ciphertext, and send the new ciphertext, which will cause another 2048 bits traffic for every SM. Therefore, with at least three partners, the amount of data each user needs to send is not less than 7168 bits. As we can see, in this stage, SMs in our scheme are easier with communication.
In the aggregation phase, AG sends (σ AG , C, ID AG ) to DSC, which causes a communication overhead of ð64 + 1024 + 32Þ = 1120 bits. Meanwhile, in Guan and Si [15], DA sends a message of 3072 bits to CC. In FESDA, if there is no malfunctioning SM, FN sends a message of 2304 bits to CC; otherwise, each malfunctioning SM will cause 32 bits traffic. In Wang et al. [25], the aggregator sends 2048 bits to the data center. If some failures occur, the aggregator needs to broadcast the identities of failed users to all users. That adds another n × 32 = 32000 bits of communication overload. Also, in the aggregation process, the communication cost on AG in the proposed solution is lower than that in these peering schemes.
In the decryption phase of our scheme, DSC needs k shares to reconstruct the key. So, before decryption, each working SM sends (x i , σ iDSC , C iDSC ) to DSC, generating 1216 bits of upload traffic. However, this traffic can be uploaded at idle time.   Wireless Communications and Mobile Computing Figure 3 shows the comparison of communication traffic from a real-time perspective. The proposed solution distributes the communication volume to each stage in a more balanced manner, which allows more timely execution and lower bandwidth requirements.

Conclusion
This paper proposes the ðk, nÞ-PDA scheme for smart grids to obtain the accurate aggregate real-time consuming data while ensuring users' privacy and achieving fault tolerance and dynamic membership without any online entity with high authorities. The analyses are present to prove that the proposed scheme meets all the design goals and system performance requirements.

Data Availability
No data were used to support this study Yining Liu Guilin University of Electronic Technology, China.

Conflicts of Interest
The authors declare that there is no conflict of interest regarding the publication of this paper.