A METHOD FOR STATISTICAL ANALYSIS OF AGGREGATE ENCRYPTED DATA WITH KEY-LEAKAGE RESILIENCE FOR SMART GRIDS

Abstract

This invention publishes a method for statistical analysis of aggregate encrypted data with key-leakage resilience for smart grids. In this invention, every user area is managed by a fog node which plays the role of data aggregation gateway and data relay. All the users' electricity consumption data sent by smart meters in the same user area are firstly aggregated by the fog node to generate a fog-level aggregate ciphertext. Then the fog node further generates a digital signature for the fog-level aggregate ciphertext and sends these data to a cloud server for long-time storage. The cloud server stores all the aggregate ciphertexts and digital signatures received from different user areas in its database, and provides data query and statistical analysis services for the control center of smart grids. On the premise of without violating users' privacy, the cloud server could provide enough information for the control center, enabling it to compute the sum, arithmetic mean and variance of all users' data in specified areas in a privacy-preserving way.

Claims

1. The features of this method, i.e., the method for statistical analysis of aggregate encrypted data with key-leakage resilience for smart grids, include the following five aspects: S1. System Initialization: A trust center generates the security parameters involved in this method and distributes public-private key pairs to communication entities. The mentioned communication entities include smart meters, fog nodes, a cloud server and the control center. Then the trust center publishes all public parameters and sends private keys to corresponding communication entities via a secure channel. S2. Data Reporting: A smart meter encrypts electricity consumption data to generate a ciphertext, generates a digital signature for the ciphertext and sends the ciphertext and signature as reported data to corresponding fog node for data aggregation. S3. Fog-level Aggregation: After the fog node receives all reported data from smart meters in its managed area in the prespecified period, it firstly verifies all the digital signatures of reported data. If the verification passes, fog node aggregates all the data ciphertexts of reported data to generate the fog-level aggregate ciphertext and signs the aggregate value to generate a fog-level signature. Then fog node sends the fog-level aggregate ciphertext and fog-level signature to the cloud server for long-time storage. S4. Data Analysis Request and Response: The control center sends a challenge message which includes a user area list for data analysis and a random chosen coefficient sequence to the cloud server. The cloud server gets fog-level aggregate data from its database according to the received user area list. Then it firstly generates a cloud-level aggregate ciphertext, and signs the aggregate value to generate verifiable response information using fog-level signatures and received coefficient sequence. Finally it sends these data to the control center. S5. Verification and Decryption: The control center firstly verifies the response information returned by the cloud server to confirm the data integrity of cloud-level aggregate ciphertext. If the verification passes, the control center decrypts the aggregate ciphertext and further computes the arithmetic mean and variance of all users' electricity consumption data within the specified user area list.

2. According to aforementioned method for statistical analysis of aggregate encrypted data with key-leakage resilience for smart grids in claim 1, it is characterized in that the security parameters of step S1 is twofold, including security parameters of a key-leakage resilient homomorphic encryption algorithm and security parameters of a linear homomorphic digital signature algorithm.

3. According to aforementioned method for statistical analysis of aggregate encrypted data with key-leakage resilience for smart grids in claim 1, it is characterized in that smart meters combine a random blinding technique with a key-leakage resilient homomorphic algorithm to encrypt users' electricity consumption data in step S2 and use a privacy-preserving decryption algorithm to decrypt the response data in step S5.

4. According to aforementioned method for statistical analysis of aggregate encrypted data with key-leakage resilience for smart grids in claim 1, it is characterized in that fog nodes use a batch verification method to check the data integrity of received data in step S3.

5. According to aforementioned method for statistical analysis of aggregate encrypted data with key-leakage resilience for smart grids in claim 1, it is characterized in that the step S1 includes: S11. Given a security parameter k, the trust authority generates parameters of a key-leakage resilient homomorphic encryption algorithm (n, g, G, G.sub.T, e), where e:G×G.fwdarw.G.sub.T is an admissible bilinear map, G and G.sub.T are both cyclic groups with composite order n, and n=p.sub.1p.sub.2, p.sub.1 and p.sub.2 are both big prime numbers with k-bit length, g is a generator of group G. The trust authority computes public key of the control center as ξ=g.sup.P2. S12. The trust authority determines an elliptic curve E over the finite field F.sub.p and another bilinear map {tilde over (e)}:G.sub.1×G.sub.1.fwdarw.G.sub.2 based on E, where p is a big prime number, G.sub.1 is an additive cyclic group with order q, G.sub.2 is a multiplicative cyclic group with order q. The trust authority selects a generator P of group G.sub.1, and sets the number of fog nodes in the system to be N and the number of smart meters in each user area to be l. The trust authority sets two secure collision-resistant hash functions: H.sub.1:{0,1}*.fwdarw.G.sub.1,h.sub.1:{0, 1}*.fwdarw.Z.sub.q*, where {0, 1}* denotes the set of binary strings with arbitrary length, Z.sub.q* is the multiplicative cyclic group which is composed of residue systems relatively prime to q. S13. The trust authority randomly chooses five constants: α, β, γ, δ, ζ satisfying α.Math.β+γ.Math.δ+ζ=n, where α∈Z.sub.n, β∈Z.sub.n, γ∈Z.sub.n, δ∈Z.sub.n, ζ∈Z.sub.n, computes public parameters f=g.sup.α and ε=g.sup.γ. Besides, it selects a private key y.sub.i∈Z.sub.q for digital signature algorithm for each fog node FN.sub.i and computes the corresponding public key Y.sub.i=y.sub.iP for signature verification. S14. For each smart meter SM.sub.ij with a unique identifier ID.sub.SM.sub.ij, the trust authority randomly selects a private key y.sub.ij∈Z.sub.q for digital signature, where Z.sub.q is the ring of residue classes modulo q, SM.sub.ij is the j-th smart meter in the user area corresponding to the i-th fog node FN.sub.i. The trust authority computes the public key Y.sub.ij=y.sub.ijP for signature verification for SM.sub.ij, and selects two random numbers π.sub.ij and s.sub.ij for each SM.sub.ij, where π.sub.ij∈Z.sub.n, s.sub.ij∈Z.sub.n, α.Math.π.sub.ij+γ.Math.s.sub.ij=ζ, π.sub.ij≤β, s.sub.ij≤δ, after that it computes two parameters π.sub.i=β−π.sub.ij and s.sub.i=δ−s.sub.ij for each fog node FN.sub.i. S15. The trust authority sends the private key P.sub.1 to the control center, private key y.sub.ij, secret parameters π.sub.ij and s.sub.ij to smart meter SM.sub.ij, and private key y.sub.i, secret parameters π.sub.i and s.sub.i to the fog node FN.sub.i via a secure channel, respectively.

6. According to aforementioned method for statistical analysis of aggregate encrypted data with key-leakage resilience for smart grids in claim 5, it is characterized in that the step S2 includes: S21. For each smart meter SM.sub.ij with a unique identifier ID.sub.SM.sub.ij, it randomly selects a number r.sub.ij∈Z.sub.n and generates a ciphertext as c.sub.ij=f.sup.π.sup.ijε.sup.s.sup.ijg.sup.m.sup.ijξ.sup.r.sup.ij∈G, where m.sub.ij∈[0,MAX] is the electricity consumption data of user, MAX is a prespecified upper bound of all users' electricity consumption data, MAX is far less than p.sub.2; S22. The Smart meter SM.sub.ij acquires current timestamp t.sub.ij, and uses the private key y.sub.ij to compute a digital signature as σ.sub.ij=y.sub.ijH(ID.sub.SM.sub.ij∥c.sub.ij∥t.sub.ij); S23. The smart meter SM.sub.ij sends {ID.sub.SM.sub.ij, c.sub.ij, σ.sub.ij, t.sub.ij} to the corresponding fog node FN.sub.i.

7. According to aforementioned method for statistical analysis of aggregate encrypted data with key-leakage resilience for smart grids in claim 6, it is characterized in that the step S3 includes: S31. After the fog node FN.sub.i receives data {ID.sub.SM.sub.ij, c.sub.ij, σ.sub.ij, t.sub.ij} from all smart meters SM.sub.ij, J=1, 2, . . . l of the user area in the time period, it verifies all the signatures σ.sub.ij sent by all smart meters SM.sub.ij using the following verification equation: $\tilde{e}\left(\underset{j=1}{\overset{\ell }{.Math.}}{\sigma }_{\mathrm{ij}},P\right)=\underset{j=1}{\overset{\ell }{.Math.}}\tilde{e}\left(H_1\left({\mathrm{ID}}_{{\mathrm{SM}}_{\mathrm{ij}}}.Math.c_{\mathrm{ij}}.Math.t_{\mathrm{ij}}\right),Y_{\mathrm{ij}}\right);$ S32. If the verification equation in step S31 passes, then the fog node FN.sub.i computes the first intermediate state ciphertext as c.sub.i=c.sub.ij and the second intermediate state ciphertext as C.sub.i=f.sup.π.sup.iε.sup.s.sup.ic.sub.i. S33. The fog node FN.sub.i generates fog-level aggregate ciphertexts, which include the first fog-level aggregate ciphertext as CT.sub.i=.Math.c.sub.i and the second fog-level aggregate ciphertext as SCT.sub.i=e(c.sub.ijC.sub.i, c.sub.ijC.sub.i). S34. The fog node FN.sub.i computes a fog-level digital signature as σ.sub.i=(y.sub.i+h.sub.1(CT.sub.i∥SCT.sub.i))H.sub.1(ID.sub.CS), where ID.sub.CS is a unique identifier of the cloud server. S35. The fog node FN.sub.i sends all the aggregate data {CT.sub.i, SCT.sub.i, σ.sub.i} to cloud server for long-time storage.

8. According to aforementioned method for statistical analysis of aggregate encrypted data with key-leakage resilience for smart grids in claim 7, it is characterized in that the step S4 includes: S41. The control center generates a challenge message {L, chal}, and sends it to the cloud server, where L is a list of user areas, L={ϑ.sub.1, ϑ.sub.2, . . . , ϑ.sub.θ}.Math.{1, 2, . . . , N}, chal={η.sub.ϑ.sub.1, η.sub.ϑ.sub.2, . . . , η.sub.ϑ.sub.θ-2, λ, μ} is a sequence of random matching coefficients of length ϑ. S42. The cloud server generates cloud-level aggregate ciphertexts, which include the first aggregate ciphertext CT=Π.sub.ϑ∈LCT.sub.ϑ, the second aggregate ciphertext PCT=Π.sub.ϑ∈Le(CT.sub.ϑ, CT.sub.ϑ) and the third aggregate ciphertext SCT=Π.sub.ϑ∈LSCT.sub.ϑ. S43. The cloud server uses random coefficients λ and μ, the cloud-level aggregate ciphertext to produce two random values η.sub.ϑ.sub.θ-1=h.sub.1(CT∥λ) and η.sub.ϑ.sub.θ=h.sub.1(PCT∥SCT∥μ). And it gets the signatures {σ.sub.ϑ.sub.1, σ.sub.ϑ.sub.2, . . . , σ.sub.ϑ.sub.θ} of fog-level aggregate ciphertexts from database according to list L and computes an aggregate signature σ=Σ.sub.ϑ∈L(η.sub.ϑH.sub.1(ID.sub.CS)+σ.sub.ϑ). S44. The cloud server computes a combined hash value as h=Σ.sub.ϑ∈Lh.sub.1(CT.sub.ϑ∥SCT.sub.ϑ) and a combined public key as Y=Σ.sub.ϑ∈LY.sub.ϑ. S45. The cloud server sends the response data Agg={σ, h, Y, CT, PCT, SCT} to the control center.

9. According to aforementioned method for statistical analysis of aggregate encrypted data with key-leakage resilience for smart grids in claim 8, it is characterized in that the step S5 includes: S51. The control center uses random coefficients λ and μ, and the cloud-level aggregate ciphertext to produce η.sub.ϑθ-1=h.sub.1(CT∥λ) and η.sub.ϑ.sub.θ=h.sub.1(PCT∥SCT∥μ) in the same way, and computes the sum of random matching coefficients as η=.sub.ϑ∈Lη.sub.ϑ, then it verifies the signatures by the following verification equation:
{tilde over (e)}(σ,P)={tilde over (e)}((h+η)H.sub.1(ID.sub.CS),P).Math.{tilde over (e)}(H.sub.1(ID.sub.CS),Y) S52. If the verification equation in step S51 passes, the control center uses key-leakage resilient decryption algorithm to compute the discrete logarithm of CT.sup.P.sup.1 of base ĝ=g.sup.P.sup.1, and divides the result by +1 to get the sum M of all users' electricity consumption data in the user areas specified in the user area list, namely M=log.sub.ĝ.sup.CT.sup.p1/(+1). S53. The control center uses private key p.sub.1 to compute discrete logarithms log.sub.ê.sup.SCT.sup.p1 and log.sub.ê.sup.PCT.sup.p1 respectively, where ê=e(g, g).sup.P1 is a bilinear map value, and computes the sum of squares of all users' electricity consumption data in the user areas specified in the user area list, namely M.sup.2=Σ.sub.ϑ∈LΣ.sub.j=1.sup.lm.sub.ϑ.sub.j.sup.2=log.sub.ê.sup.SCT.sup.p1−(l+2).Math.(log.sub.ê.sup.PCT.sup.p1/(+1).sup.2). S54. The control center computes the arithmetic mean of all users' data as $\overline{m}=\frac{M}{\theta .Math.}.$ S55. The control center computes the variance of all users' data as $\mathrm{var}\left(m\right)=\frac{M}{\theta .Math.}-{\stackrel{\_}{m}}^2.$

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0050] FIG. 1 is a schematic diagram of a smart grid system.

[0051] FIG. 2 is the flow chart of this invention.

DETAILED DESCRIPTION

[0052] This section combines with an implementation instance to clearly and completely describe the technical scheme of this invention. Apparently, the described implementation instance is just a partial instance of this invention which does not cover all possibilities. Based on the implementation instance of this invention, all other implementation instances obtained by technicians of this field without any creative efforts fall in the range protected by this invention.

[0053] This invention provides a method for statistical analysis of aggregate encrypted data with key-leakage resilience for smart grids:

[0054] As illustrated by FIG. 1 and FIG. 2, the method for statistical analysis of aggregate encrypted data with key-leakage resilience for smart grids includes:

[0055] S1. System Initialization: A trust center generates the security parameters involved in this method and distributes public-private key pairs to communication entities. The mentioned communication entities include smart meters, fog nodes, a cloud server and the control center. Then the trust center publishes all public parameters and sends private keys to corresponding communication entities via a secure channel.

[0056] In some implementation instances, the security parameters in step S1 include security parameters of a key-leakage resilient homomorphic encryption algorithm and security parameters of a linear homomorphic digital signature algorithm.

[0057] The aforementioned step S1 includes:

[0058] S11. Given a security parameter k, the trust authority generates parameters of a key-leakage resilient homomorphic encryption algorithm (n, g, G, G.sub.T, e), where e:G×G.fwdarw.G.sub.T is an admissible bilinear pairing map, G and G.sub.T are both cyclic groups with composite order n, and n=p.sub.1p.sub.2, p.sub.1 and p.sub.2 are both big prime numbers with k-bit length, g is a generator of group G. The trust authority computes public key of the control center as ξ=g.sup.P2.

[0059] S12. The trust authority determines an elliptic curve E over the finite field F.sub.p and another bilinear pairing map {tilde over (e)}: G.sub.1×G.sub.1.fwdarw.G.sub.2 based on E, where p is a big prime number, G.sub.1 is an additive cyclic group with order q, G.sub.2 is a multiplicative cyclic group with order q. The trust authority selects a generator P of group G.sub.1, and sets the number of fog nodes in the system to be N and the number of smart meters in each user area to be . The trust authority sets two secure collision-resistant hash functions: H.sub.1:{0,1}*.fwdarw.G.sub.1, h.sub.1:{0,1}*.fwdarw.Z.sub.q*, where {0,1}* denotes the set of binary strings with arbitrary length, Z.sub.q* is the multiplicative cyclic group which is composed of residue systems relatively prime to q.

[0060] S13. The trust authority randomly chooses five constants: α, β, γ, δ, ζ satisfying α.Math.β+γ.Math.δ+ζ=n, where α∈Z.sub.n, β∈Z.sub.n, γ∈Z.sub.n, δ∈Z.sub.n, ζ∈Z.sub.n, computes public parameters f=g.sup.α and ε=g.sup.γ. Besides, the trust authority selects a private key y.sub.i∈Z.sub.q for digital signature algorithm for each fog node FN.sub.i and computes the corresponding public key Y.sub.i=y.sub.iP for signature verification.

[0061] S14. For each smart meter SM.sub.ij with a unique identifier ID.sub.SM.sub.ij, the trust authority randomly selects a private key y.sub.ij∈Z.sub.q for digital signature, where Z.sub.q is the ring of residue classes modulo q, SM.sub.ij is the j-th smart meter in the user area corresponding to the i-th fog node FN.sub.i. The trust authority computes the public key Y.sub.ij=y.sub.ijP for signature verification for SM.sub.ij, and selects two random numbers π.sub.ij and s.sub.ij for each SM.sub.ij, where π.sub.ij∈Z.sub.n, s.sub.ij∈Z.sub.n, α.Math.π.sub.ij+γ.Math.s.sub.ij=ζ, π.sub.ij≤β, s.sub.ij≤δ, after that it computes two parameters π.sub.i=β−π.sub.ij and s.sub.i=δ−s.sub.ij for each fog node FN.sub.i.

[0062] S15. The trust authority sends the private key P.sub.1 to the control center, sends private key y.sub.ij, secret parameters π.sub.ij and s.sub.ij to corresponding smart meter SM.sub.ij, and sends private key y.sub.i, secret parameters π.sub.i and s.sub.i to corresponding fog node FN.sub.i via a secure channel, respectively.

[0063] S2. Data Reporting: Smart meters encrypt collected user's electricity consumption data to generate a ciphertext, generate a digital signature for the ciphertext and send the ciphertext and signature as reported data to corresponding fog node for data aggregation.

[0064] In the step S2 of some implementation instances, smart meters combine a random blinding technique with the key-leakage resilient homomorphic encryption algorithm to encrypt users' electricity consumption data. In step S5, the control center uses corresponding key-leakage resilient homomorphic decryption algorithm to decrypt the response data.

[0065] The aforementioned step S2 includes:

[0066] S21. For each smart meter SM.sub.ij, with a unique identifier ID.sub.SM.sub.ij, it randomly selects a number r.sub.ij∈Z.sub.ij, and generates a ciphertext as c.sub.ij=f.sup.π.sup.ijε.sup.s.sup.ijg.sup.m.sup.ijξ.sup.r.sup.ij∈G, where m.sub.ij∈[0,MAX] is the electricity consumption data of user, MAX is a prespecified upper bound of all users' electricity consumption data, MAX is far less than p.sub.2;

[0067] S22. The Smart meter SM.sub.ij, acquires current timestamp t.sub.ij, and uses the private key y.sub.ij to compute a digital signature as σ.sub.ij=y.sub.ijH (ID.sub.SM.sub.ij∥c.sub.ij∥t.sub.ij);

[0068] S23. The smart meter SM.sub.ij sends {ID.sub.SM.sub.ij, C.sub.ij, σ.sub.ij, t.sub.ij} to the corresponding fog node FN.sub.i.

[0069] S3. Fog-level Aggregation: After the fog node receives all reported data from smart meters in its managed area in the prespecified period, it firstly verifies all the digital signatures of reported data. If the verification passes, fog node aggregates all the data ciphertexts of reported data to generate the fog-level aggregate ciphertext and signs the aggregate value to generate a fog-level signature. Then fog node sends the fog-level aggregate ciphertext and fog-level signature to the cloud server for long-time storage.

[0070] The aforementioned step S3 includes:

[0071] S31. After the fog node FN.sub.i receives data {ID.sub.SM.sub.ij, C.sub.ij, σ.sub.ij, t.sub.ij} from all smart meters SM.sub.ij, j=1, 2, . . . , of the user area in the time period, it verifies all the signatures σ.sub.ij sent by all smart meters SM.sub.ij using the following verification equation:

[00004]$\begin{array}{cc}\tilde{e}\left(\underset{j=1}{\stackrel{\ell }{.Math.}}{\sigma }_{\mathrm{ij}},P\right)=\underset{j=1}{\overset{\ell }{.Math.}}\tilde{e}\left(H_1\left({\mathrm{ID}}_{{\mathrm{SM}}_{\mathrm{ij}}}.Math.c_{\mathrm{ij}}.Math.t_{\mathrm{ij}}\right),Y_{\mathrm{ij}}\right);& \end{array}$

[0072] S32. If the verification equation in step S31 passes, then the fog node FN.sub.i computes the first intermediate state ciphertext as c.sub.i=c.sub.ij and the second intermediate state ciphertext as C.sub.i=f.sup.π.sup.iε.sup.s.sup.ic.sub.i.

[0073] S33. The fog node FN.sub.i generates fog-level aggregate ciphertexts, which include the first fog-level aggregate ciphertext as CT.sub.i=.Math.c.sub.i and the second fog-level aggregate ciphertext as SCT.sub.i=e(c.sub.ijC.sub.i,c.sub.ijC.sub.i).

[0074] S34. The fog node FN.sub.i computes a fog-level digital signature as σ.sub.i=(y.sub.i+h.sub.1(CT.sub.i∥SCT.sub.i))H.sub.1(ID.sub.CS), where ID.sub.CS is a unique identifier of the cloud server.

[0075] S35. The fog node FN.sub.i sends all the aggregate data {CT.sub.i, SCT.sub.i, σ.sub.i} to cloud server for long-time storage.

[0076] S4. Data Analysis Request and Response: The control center sends a challenge message which includes a user area list for data analysis and a random chosen coefficient sequence to the cloud server. The cloud server abstracts fog-level aggregate data from its database according to the received user area list. Then it firstly generates a cloud-level aggregate ciphertext and secondly signs the aggregate value to generate verifiable response information using fog-level signatures and received coefficient sequence. Finally it sends these data to the control center.

[0077] The aforementioned step S4 includes:

[0078] S41. The control center generates a challenge message {L, chal}, and sends it to the cloud server, where L is a list of user areas, L={ϑ.sub.1, ϑ.sub.2, . . . , ϑ.sub.θ}.Math.{1, 2, . . . , N}, chal={η.sub.ϑ.sub.1, η.sub.ϑ.sub.2, . . . , η.sub.ϑ.sub.θ-2, λ, μ} is a sequence of random matching coefficients of length ϑ.

[0079] S42. The cloud server generates cloud-level aggregate ciphertexts, which include the first aggregate ciphertext CT=Π.sub.ϑ∈LCT.sub.ϑ, the second aggregate ciphertext PCT=Π.sub.ϑ∈Le(CT.sub.ϑ, CT.sub.ϑ) and the third aggregate ciphertext SCT=Π.sub.ϑ∈LSCT.sub.ϑ.

[0080] S43. The cloud server uses random coefficients λ and μ, the cloud-level aggregate ciphertext to produce two random values η.sub.ϑ.sub.θ-1=h.sub.1(CT∥λ) and η.sub.ϑ.sub.θ=h.sub.1(PCT∥SCT∥μ). And it gets the signatures {σ.sub.ϑ.sub.1, σ.sub.ϑ.sub.2, . . . , σ.sub.ϑ.sub.θ} of fog-level aggregate ciphertexts from database according to list L and computes an aggregate signature σ=Σ.sub.ϑ∈L(η.sub.ϑH.sub.1(ID.sub.CS)+σ.sub.ϑ).

[0081] S44. The cloud server computes a combined hash value as h=Σ.sub.ϑ∈Lh.sub.1(CT.sub.ϑ∥SCT.sub.ϑ) and a combined public key as Y=Σ.sub.ϑ∈LY.sub.ϑ.

[0082] S45. The cloud server sends the response data Agg={σ, h, Y, CT, PCT, SCT} to the control center.

[0083] S5. Verification and Decryption: The control center firstly verifies the response information returned by the cloud server to confirm the data integrity of cloud-level aggregate ciphertext. If the verification passes, the control center decrypts the aggregate ciphertext and further computes the arithmetic mean and variance of all users' electricity consumption data within the specified user area list.

[0084] In the step S5 of some implementation instances, the control center uses the key-leakage resilient homomorphic decryption algorithm to decrypt the response data.

[0085] The aforementioned step S5 includes:

[0086] S51. The control center uses random coefficients λ and μ, and the cloud-level aggregate ciphertext to produce η.sub.ϑθ-1=h.sub.1(CT∥λ) and η.sub.ϑ.sub.θ=h.sub.1(PCT∥SCT∥μ) in the same way, and computes the sum of random matching coefficients as η=.sub.ϑ∈Lη.sub.ϑ, then it verifies the signatures by the following verification equation:

{tilde over (e)}(σ,P)={tilde over (e)}((h+η)H.sub.1(ID.sub.CS),P).Math.{tilde over (e)}(H.sub.1(ID.sub.CS),Y)

[0087] S52. If the verification equation in step S51 passes, the control center uses key-leakage resilient decryption algorithm to compute the discrete logarithm of CT.sup.P.sup.1 of base ĝ=g.sup.P.sup.1, and divides the result by +1 to get the sum M of all users' electricity consumption data in the user areas specified in the user area list, namely M=log.sub.ĝ.sup.CT.sup.p1/(+1).

[0088] S53. The control center uses private key p.sub.1 to compute discrete logarithms log.sub.ê.sup.SCT.sup.p1 and log.sub.ê.sup.PCT.sup.p1 respectively, where ê=e(g, g).sup.P1 is a bilinear map value, and computes the sum of squares of all users' electricity consumption data in the user areas specified in the user area list, namely M.sup.2=Σ.sub.ϑ∈LΣ.sub.j=1.sup.lm.sub.ϑ.sub.j.sup.2=log.sub.ê.sup.SCT.sup.p1−(l+2).Math.(log.sub.ê.sup.PCT.sup.p1/(+1).sup.2).

[0089] S54. The control center computes the arithmetic mean of all users' data as

[00005]$\overline{m}=\frac{M}{\theta .Math.}.$

[0090] S55. The control center computes the variance of all users' data as

[00006]$\mathrm{var}\left(m\right)=\frac{M}{\theta .Math.}-{\stackrel{\_}{m}}^2.$

[0091] Each user area in this implementation instance is supervised by a fog node which plays the role of a data aggregate gateway and a data relay. All encrypted data sent by smart meters in the user area are aggregated for the first time by the fog node to generate a fog-level aggregate ciphertext. Then the fog node computes a signature for the fog-level aggregate ciphertext and sends all data to the cloud server for long-time storage. The cloud server stores all fog-level aggregate ciphertexts and signatures of different user areas in the database and provides data query service for the control center of smart grids.

[0092] The correctness of this implementation instance is proved as follows:

[0093] Let M.sub.ϑ=m.sub.ϑ.sub.j, M.sub.ϑ.sup.2=(m.sub.ϑ.sub.j).sup.2, R.sub.ϑ=r.sub.ϑ.sub.j, M=Σ.sub.ϑ∈LM.sub.ϑ, R=Σ.sub.ϑ∈LR.sub.ϑ, M.sup.2=Σ.sub.ϑ∈Lm.sub.ϑj.sup.2.

[0094] The correctness of equation for data integrity verification is proved as follows:

[00007]$\begin{array}{c}\tilde{e}\left(\sigma ,P\right)=\tilde{e}\left(\underset{\vartheta \in L}{.Math.}\left({\eta }_{\vartheta }{H}_1\left({\mathrm{ID}}_{\mathrm{CS}}\right)+{\sigma }_{\vartheta }\right),P\right)\\ =\tilde{e}\left(\underset{\vartheta \in L}{.Math.}\left({\eta }_{\vartheta }+y_{\vartheta }+h_1\left({\mathrm{CT}}_{\vartheta }.Math..Math.{\mathrm{SCT}}_{\vartheta }\right)\right)H_1\left({\mathrm{ID}}_{\mathrm{CS}}\right),P\right)\\ =\tilde{e}\left(\underset{\vartheta \in L}{.Math.}\left({\eta }_{\vartheta }+h_1\left({\mathrm{CT}}_{\vartheta }.Math..Math.{\mathrm{SCT}}_{\vartheta }\right)\right)H_1\left({\mathrm{ID}}_{\mathrm{CS}}\right),P\right).Math.\\ \tilde{e}\left(\underset{\vartheta \in L}{.Math.}{y}_{\vartheta }{H}_1\left({\mathrm{ID}}_{\mathrm{CS}}\right),P\right)\\ =\tilde{e}\left(\left(h+\eta \right)H_1\left({\mathrm{ID}}_{\mathrm{CS}}\right),P\right).Math.\tilde{e}\left(H_1\left({\mathrm{ID}}_{\mathrm{CS}}\right),\underset{\vartheta \in L}{.Math.}{y}_{\vartheta }P\right)\\ =\tilde{e}\left(\left(h+\eta \right)H_1\left({\mathrm{ID}}_{\mathrm{CS}}\right),P\right).Math.\tilde{e}\left(H_1\left({\mathrm{ID}}_{\mathrm{CS}}\right),Y\right)\end{array}$

[0095] The correctness of computing statistical information M by the control center is proved as follows:

[00008]$\begin{array}{c}{\mathrm{CT}}^{p_1}={\left(\underset{\vartheta \in L}{.Math.}{\mathrm{CT}}_{\vartheta }\right)}^{p_1}\\ ={\left(\underset{\vartheta \in L}{.Math.}{C}_{\vartheta }^{\ell }.Math.c_{\vartheta }\right)}^{p_1}\\ ={\left(\underset{\vartheta \in L}{.Math.}{\left(f^{{\pi }_{\vartheta }}{\epsilon }^{s_{\vartheta }}{c}_{\vartheta }\right)}^{\ell }.Math.c_{\vartheta }\right)}^{p_1}\\ ={\left(\underset{\vartheta \in L}{.Math.}{\left(f^{\beta }{\epsilon }^{\delta }{g}^{M_{\vartheta }}{\xi }^{R_{\vartheta }}\right)}^{\ell }.Math.\underset{j=1}{\overset{\ell }{.Math.}}{c}_{\vartheta j}\right)}^{p_1}\\ ={\left(\underset{\vartheta \in L}{.Math.}{g}^{\left(\ell +1\right)M_{\vartheta }}{\xi }^{\left(\ell +1\right)R_{\vartheta }}\right)}^{p_1}\\ ={\left(g^{\left(\ell +1\right).Math.{.Math.}_{\vartheta \in L}{M}_{\vartheta }}{\xi }^{\left(\ell +1\right).Math.{.Math.}_{\vartheta \in L}{R}_{\vartheta }}\right)}^{p_1}\\ ={\left(g^{p_1}\right)}^{\left(\ell +1\right).Math.M}={\hat{g}}^{\left(\ell +1\right).Math.M}\end{array}$$\mathrm{So}M={\log }_{\hat{g}}^{{\mathrm{CT}}^{p_1}}/\left(\ell +1\right).$

[0096] The correctness of computing statistical information M.sup.2 by the control center is proved as follows:

[00009]$\begin{array}{c}{\mathrm{PCT}}^{p_1}={\left(\underset{\vartheta \in L}{.Math.}e\left({\mathrm{CT}}_{\vartheta },{\mathrm{CT}}_{\vartheta }\right)\right)}^{p_1}\\ ={\left(\underset{\vartheta \in L}{.Math.}e\left(g^{\left(\ell +1\right)M_{\vartheta }}{\xi }^{\left(\ell +1\right)R_{\vartheta }},g^{\left(\ell +1\right)M_{\vartheta }}{\xi }^{\left(\ell +1\right)R_{\vartheta }}\right)\right)}^{p_1}\\ =(\underset{\vartheta \in L}{.Math.}({e\left(g,g\right)}^{{\left(\left(\ell +1\right)M_{\vartheta }\right)}^2}.Math.\\ {{e\left(g,\xi \right)}^{2\left(\ell +1\right)M_{\vartheta }.Math.\left(\ell +1\right)R_{\vartheta }+{p_2\left(\left(\ell +1\right)R_{\vartheta }\right)}^2}))}^{p_1}\\ =({e\left(g,g\right)}^{{\left(\ell +1\right)}^2{.Math.}_{\vartheta \in L}{M}_{\vartheta }^2}.Math.\\ {e{\left(g,\xi \right)}^{{.Math.}_{\vartheta \in L}\left(2\left(\ell +1\right)M_{\vartheta }.Math.\left(\ell +1\right)R_{\vartheta }+{p_2\left(\left(\ell +1\right)R_{\vartheta }\right)}^2\right)})}^{p_1}\\ ={\hat{e}}^{{\left(\ell +1\right)}^2{.Math.}_{\vartheta \in L}{M}_{\vartheta }^2}\end{array}$$\begin{array}{c}{\mathrm{SCT}}^{p_1}={\left(\underset{\vartheta \in L}{.Math.}{\mathrm{SCT}}_{\vartheta }\right)}^{p_1}\\ =\text{}\underset{\vartheta \in L}{.Math.}{\mathrm{SCT}}_{\vartheta }^{p_1}\\ =\underset{\vartheta \in L}{.Math.}{\left(\underset{j=1}{\overset{\ell }{.Math.}}e\left(c_{\vartheta j}{C}_{\vartheta },c_{\vartheta j}{C}_{\vartheta }\right)\right)}^{p_1}\\ =\underset{\vartheta \in L}{.Math.}{\left(\underset{j=1}{\overset{\ell }{.Math.}}e\left(g^{m_{\vartheta j}+M_{\vartheta }}{\xi }^{r_{\vartheta j}+R_{\vartheta }},g^{m_{\vartheta j}+M_{\vartheta }}{\xi }^{r_{\vartheta j}+R_{\vartheta }}\right)\right)}^{p_1}\\ =\underset{\vartheta \in L}{.Math.}(\underset{j=1}{\overset{\ell }{.Math.}}({e\left(g,g\right)}^{{\left(m_{\vartheta j}+M_{\vartheta }\right)}^2}.Math.\\ {{e\left(g,\xi \right)}^{2\left(m_{\vartheta j}+M_{\vartheta }\right)\left(r_{\vartheta j}+R_{\vartheta }\right)+{p_2\left(r_{\vartheta j}+R_{\vartheta }\right)}^2}))}^{p_1}\\ =\underset{\vartheta \in L}{.Math.}({e\left(g,g\right)}^{{.Math.}_{j=1}^{\ell }{\left(m_{\vartheta j}+M_{\vartheta }\right)}^2}.Math.\\ {{e\left(g,\xi \right)}^{{.Math.}_{j=1}^{\ell }\left(2\left(m_{\vartheta j}+M_{\vartheta }\right)\left(r_{\vartheta j}+R_{\vartheta }\right)+{p_2\left(r_{\vartheta j}+R_{\vartheta }\right)}^2\right)})}^{p_1}\\ =\underset{\vartheta \in L}{.Math.}{\hat{e}}^{{.Math.}_{j=1}^{\ell }{\left(m_{\vartheta j}+M_{\vartheta }\right)}^2}\\ ={\hat{e}}^{{.Math.}_{\vartheta \in L}{.Math.}_{j=1}^{\ell }{\left(m_{\vartheta j}+M_{\vartheta }\right)}^2}\\ ={\hat{e}}^{{.Math.}_{\vartheta \in L}{.Math.}_{j=1}^{\ell }\left(m_{\vartheta j}^2+2M_{\vartheta }+M_{\vartheta }^2\right)}\\ ={\hat{e}}^{{.Math.}_{\vartheta \in L}{.Math.}_{j=1}^{\ell }{m}_{\vartheta j}^2+2{.Math.}_{\vartheta \in L}{M}_{\vartheta }+{.Math.}_{j=1}^{\ell }{m}_{\vartheta j}+\ell .Math.{.Math.}_{\vartheta \in L}{M}_{\vartheta }^2}\\ ={\hat{e}}^{M^2+2{.Math.}_{\vartheta \in L}{M}_{\vartheta }^2+\ell .Math.{.Math.}_{\vartheta \in L}{M}_{\vartheta }^2}\\ ={\hat{e}}^{M^2+\left(\ell +2\right).Math.{.Math.}_{\vartheta \in L}{M}_{\vartheta }^2}\end{array}$$\mathrm{So}{M}^2={\log }_{\hat{e}}^{{\mathrm{SCT}}^{p_1}}-\left(\ell +2\right).Math.\left({\log }_{\hat{e}}^{{\mathrm{SCT}}^{p_1}}/{\left(\ell +1\right)}^2\right).$

[0097] The aforementioned contents are just the prior implementation of this invention. It is to be understood that this invention is not limited to the forms disclosed herein, and is not to be construed as excluding other embodiments, but is capable of use in various other combinations, modifications, and environments and is capable of modifications within the scope of the teachings presented herein or the skill or knowledge of the relevant art. It is intended that the present invention cover the modifications and variations of this invention provided they come within the spirit and scope of the appended claims.