*6.2. Privacy Preserving*

In the proposed scheme, if we consider the encrypted text by a home appliance

$$c\_{ip} = \left[1 + n \cdot \sigma\_{\dot{\jmath}} \cdot \left(\mathbf{x}\_{i} \cdot \sigma\_{0} + \mathbf{x}\_{i}^{2}\right)\right] \cdot H(T\_{s})^{n \cdot p\_{i}} \mod n^{2} \tag{30}$$

and that of the aggregated cipher text [82]

$$C\_p^\* = \left(1 + n \cdot \sum\_{\substack{i=1, i \neq a}}^N \sigma\_j^\* \cdot (x\_i \cdot \sigma\_0 + x\_i^2) \right) \cdot \prod\_{\substack{i=1, i \neq a}}^{N+1} H(T\_s)^{n \cdot p\_i} \bmod n^2$$

and take *σj* · (*xi* · *<sup>σ</sup>*0+*x*<sup>2</sup> *i* ) as a *message* and ·*<sup>H</sup>*(*Ts*)·*pi* as a random number *rand* and ∑ *N i*=1,*i*=*<sup>a</sup> σ*<sup>∗</sup> *j* · (*xi* · *σ*0 + *x*2 *i* ) as *Message* and ∏ *N*+1 *i*=1,*i*=*<sup>a</sup> <sup>H</sup>*(*Ts*)·*pi* as *Rand* then

$$x\_{ip} = \left[1 + n \cdot \overline{\text{message}\,\theta}\right] \cdot \overline{rand}^n \text{ mod } n^2 \tag{31}$$

and

$$\mathbb{C}\_p^\* = \left(1 + n \cdot \overbrace{\mathbb{M}essage}\right) \cdot \overline{\mathbb{R}and}^n \text{ mod } n^2$$

are valid Paillier ciphers. Under the chosen plaintext attack, Paillier encryption is indistinguishable, and an external attacker cannot obtain the exact message. The sink node may be curious about the exact message. However, without the knowledge of secret keys *p*0 and *λ*, the sink node has no knowledge of the information. Whereas the smart meter can recover *Message* and may want to recover the message sent by individual devices. For that purpose, it has to collude with the sink node, which is not possible under the threat model. Hence, the suggested technique protects aggregated data privacy.

### **7. Performance Evaluation**

In this section, we analyze the communication and processing overhead of household appliances, sink nodes, and smart meters.

### *7.1. Communication Overhead*

The proposed privacy preserving scheme aggregates the data from different subsets into one and the smart meter can recover the mean and variance of the individual subset. To demonstrate the efficiency of the proposed technique, we compare it to the basic Paillier encryption [80] in which the bit length of *n*<sup>2</sup> is 2048 and that of n is 1024. Therefore, the communication overhead from N devices to sink node is 2048 × N bits, because each home appliance encrypts both *xi* and *x*2*i* into one cipher text, as shown in Equation (9). However, because the data in the BPE is encrypted into two cipher texts, the transmission cost is doubled, and the overhead is 4096 × N bits.

In the proposed scheme, the sink node and smart meter are independent of the number of devices as the aggregation is undertaken at the sink node. In BPE, the communications cost is dependent on the number of subsets. If there are k subsets, then the communications cost is 4096 × k bits, while in the proposed scheme, all data have been aggregated in one cipher text. Therefore, the communications overhead from the sink node to the SM is only 2048 bits. Figure 2 plots a graph for the communications overhead from the home appliances to the sink node, and Figure 3 shows the communications overhead pattern of the sink node to the SM. As a result, it is obvious that the suggested method is superior to BPE in terms of communication costs. We use the Chinese remainder theorem that enables a careful parameter choice and, hence, in real-time scenarios the message size is small.

**Figure 2.** Communication overhead from home appliances to sink node.
