### *5.1. System Model*

In the proposed model, we consider smart home appliances, a dedicated sink node, a smart meter, and a trusted third-party authority.


variance for each subset, which is a group of particular appliances. For the mean, we have the following equation:

$$M(G_k) = \sum_{i \in G_k} x_i / N_k; \tag{1}$$

While for the variance, we can calculate it with:

$$Var(G_k) = \sum_{i \in G_k} x_i^2 / N_k - M(G_k)^2; \tag{2}$$

• Trusted Authority: The trusted authority is a trusted third party that initializes the system, manages key generation and other parameters for each entity in the network, and assigns keys to all entities in the network, including home appliances, sink nodes, and smart meters. The trusted authority is only active while initiating the system and adding new appliances. It is offline afterwards and does not participate in the subsequent actions.

### *5.2. Threat Model*

We assume that the trusted authority is a trusted third party that will not be involved in any misconduct that could compromise the privacy of the HAN, while the smart meter and sink node are honest but curious. The smart meter and sink node may be affected by undetected malware, and that malware might eavesdrop on the smart appliances. The smart meter and sink node are honest, meaning that they will follow the design protocols. They are also curious, that is, they are interested in the private data of the smart appliances. They will not collude with each other. Smart appliances are not resourceful, so they are vulnerable to attacks. The attacks that might affect the smart appliances are false data injection by an external attacker, attacks that prevent a device from reporting readings, and replay of an old message. However, the smart meter and sink node are resourceful, and the sink node will apply some techniques to check whether an appliance is malfunctioning or simply inactive at the time. An inactive appliance simply sends a zero as its reading. The sink node can filter out the false data and will not include it in the aggregation process.
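As an added illustration (not code from the paper), the sketch below models the sink node accumulating the per-subset sums needed for Eqs. (1) and (2) after filtering, and the smart meter deriving mean and variance from those aggregates alone. The counter-based replay check, the range bound, the appliance names and the sample readings are assumptions of this example, and encryption is omitted.

```python
from collections import defaultdict

# Assumed plausibility bound for a single reading (not from the paper).
MAX_READING = 5000

# Constructed reports: (appliance, subset k, message counter, reading x_i).
REPORTS = [
    ("fridge", 1, 7, 120),
    ("freezer", 1, 7, 180),
    ("heater", 2, 7, 1500),
    ("oven", 2, 7, 0),       # inactive appliance reports zero, still counted
    ("washer", 2, 6, 900),   # replayed message: counter was already seen
    ("dryer", 2, 7, 99999),  # injected value outside the plausible range
]
# Last counter the sink accepted from each appliance (constructed state).
LAST_COUNTER = {dev: 6 for dev, _, _, _ in REPORTS}


def sink_aggregate(reports, last_counter, max_reading=MAX_READING):
    """Sink node: drop stale or implausible reports, keep sum, sum of squares, N_k."""
    agg = defaultdict(lambda: {"sum": 0, "sum_sq": 0, "n": 0})
    rejected = []
    for dev, k, counter, x in reports:
        stale = counter <= last_counter.get(dev, -1)
        if stale or not 0 <= x <= max_reading:
            rejected.append(dev)  # excluded from N_k as well as from the sums
            continue
        last_counter[dev] = counter
        agg[k]["sum"] += x
        agg[k]["sum_sq"] += x * x
        agg[k]["n"] += 1
    return dict(agg), rejected


def meter_statistics(agg):
    """Smart meter: Eq. (1) and Eq. (2) computed from the aggregates only."""
    stats = {}
    for k, a in agg.items():
        mean = a["sum"] / a["n"]
        stats[k] = (mean, a["sum_sq"] / a["n"] - mean ** 2)
    return stats


if __name__ == "__main__":
    agg, rejected = sink_aggregate(REPORTS, dict(LAST_COUNTER))
    print("rejected:", rejected)
    print("per-subset (mean, variance):", meter_statistics(agg))
```

A zero from an inactive appliance stays in $N_k$ and lowers the mean, whereas a filtered report is removed from both the sums and $N_k$, so the statistics of the remaining appliances are not biased by it.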
