IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 1
EPPA: An Efficient and Privacy-Preserving
Aggregation Scheme for Secure Smart Grid
Communications
Rongxing Lu, Member, IEEE, Xiaohui Liang, Student Member, IEEE, Xu Li, Member, IEEE,
Xiaodong Lin, Member, IEEE, and Xuemin (Sherman) Shen, Fellow, IEEE
Abstract—The concept of smart grid has emerged as a convergence of traditional power system engineering and information and
communication technology. It is vital to the success of next generation of power grid, which is expected to be featuring reliable, efficient,
flexible, clean, friendly and secure characteristics. In this paper, we propose an efficient and privacy-preserving aggregation scheme,
named EPPA, for smart grid communications. EPPA uses a super-increasing sequence to structure multi-dimensional data and encrypt
the structured data by the homomorphic Paillier cryptosystem technique. For data communications from user to smart grid operation
center, data aggregation is performed directly on ciphertext at local gateways without decryption, and the aggregation result of the
original data can be obtained at the operation center. EPPA also adopts the batch verification technique to reduce authentication cost.
Through extensive analysis, we demonstrate that EPPA resists various security threats and preserve user privacy, and has significantly
less computation and communication overhead than existing competing approaches.
Index Terms—Smart grid, Security, Privacy-preserving, Multi-dimensional aggregation.
✦
1INTRODUCTION
T
HE August 2003 electrical blackout in North America
affected over 100 power plants and paralyzed tens of
millions of people’s lives [1]. Investigations revealed that
the failure was due to load imbalance and lack of effective
real-time diagnosis, among others. Indeed, because electricity
cannot be easily stocked, load must be matched by the
power supply and transmission capacity in the electric power
grid. While swift advances in science and technology are
triggering radical innovations in many fields, today’s power
grid is surprisingly still grounded on a design more than
100 years old [2]. With the ubiquitous adoption of electronic
devices, it is undoubtedly outdated and no longer meets our
growing demand for continuous stable electricity distribution.
Modernizing the aging power system is currently a strategic
plan in many countries.
Recently, the concept of smart grid has emerged and been
recognized as the next generation of power grid [3], [4], [5],
[6], [7]. Traditional grid is featured with centralized one-
way transmission (from generation plants to customers) and
demand-driven response. Smart grid combines traditional grid
and information and control technologies. It allows decen-
tralized two-way transmission and reliability- and efficiency-
driven response, and aims to provide improved reliability (e.g.,
• R. Lu, X. Liang and X. Shen are with the Department of Electrical and
Computer Engineering, University of Waterloo, Waterloo, ON, Canada N2L
3G1 (e-mail: {rxlu, x27liang, xshen}@bbcr.uwaterloo.ca).
• X. Lin is with the Faculty of Business and Information Technology,
University of Ontario Institute of Technology, Oshawa, ON, Canada L1H
7K4 (e-mail: xiaodong.lin@uoit.ca).
• X. Li is with INRIA Lille - Nord Europe, France. (e-mail: xu.li@inria.fr).
self-healing, self-activating, automated outage management),
efficiency (e.g., cost-effective power generation, transmission
and distribution), sustainability (e.g., accommodation of future
alternative and renewable power sources), consumer involve-
ment, and security (physical and cyber).
Smart meters are important components of smart grid. They
are two-way communication devices deployed at consumers
premise, records power consumption periodically. With smart
meters, smart grid is able to collect real-time information about
grid operations and status at an operation center, through a
reliable communications network deployed in parallel to the
power transmission and distribution grid, as shown in Fig. 1.
The operation center may be implemented in a distributed
way and span different geographic regions. It is responsible
for dynamically adjusting power supply to meet demand, and
detecting and responding to weaknesses or failures in the
power system in real time. Smart grid also automates reliable
power distribution by engaging and empowering customers
in utility management. It exposes customers’ detailed real-
time electricity use information (through smart meters) to
utility companies, which may then change electricity price
accordingly or even adjust customers’ usage by pre-installed
load control switches in order to help flatten demand peaks.
Customers are allowed to access their own real-time use
information through smart grid services. In order to lower their
own energy costs and enjoy uninterrupted activities, they will
be willing to use energy-efficient appliances and tend to shift
power use from peak times to non-peak times.
Cyber security is of paramount importance in smart grid as
communications are deeply involved in its operations [8], [9],
[10], [11], [12], [13]. All the data transmitted in the grid must
be authenticated and secured against malicious modification.
Privacy (i.e., data confidentiality) is a primary concern from
Digital Object Indentifier 10.1109/TPDS.2012.86 1045-9219/12/$31.00 © 2012 IEEE
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
2 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
WŽǁĞƌWůĂŶƚ
d ƌĂŶƐŵŝƐƐŝŽŶ ŝƐƚƌŝďƵƚŝŽŶ ƵƐƚŽŵĞƌ
KƉĞƌĂƚŝŽŶĞŶƚĞƌ
ůĞĐƚƌŝĐĂů&ůŽǁƐ
^ĞĐƵƌĞ/ŶĨŽƌŵĂƚŝŽŶ&ůŽǁƐ
,E;,ŽŵĞƌĞĂEĞƚǁŽƌŬͿ
^ŵĂƌƚ ƉƉůŝĂŶĐĞƐ^ŵĂƌƚ
ŵĞƚĞƌƐĨŽƌZĞĂůƚŝŵĞ
ƵƐĂŐĞ Ě ĂƚĂĐŽůůĞĐƚŝŽŶ
^ŵĂƌƚ DĞƚĞƌƐ
Fig. 1. The conceptual architecture of smart grid
customers point of view as power use information may reveal
their physical activities. For example, unusually low daily
power consumption of a household and continuous lack of
power use for stove and microwave indicate that the home
owners are probably away from their home. Such privacy-
sensitive information must be protected from unauthorized
access. Data confidentiality can be achieved by simple end-
to-end encryption. While hiding communication content and
protecting privacy, encryption increases data size, and may
cause unacceptable communication overhead when power use
information is collected at high frequency. Considering that the
operation center is concerned only with the overall information
in a region, the data of individual consumers in the region can
be aggregated at a local gateway and forwarded in a compact
form to the operation center in order to save communication
bandwidth.
To preserve user privacy, local gateways should not be able
to access the content of consumers data. To enable them to
perform data aggregation, homomorphic encryption techniques
[14] may be applied for encrypting consumers data. In this
technique, a specific linear algebraic manipulation toward
the plaintext is equivalent to another one conducted on the
ciphertext. This unique feature allows the local gateway to
perform summation and multiplication based aggregation on
received consumer data without decrypting them. Existing
data aggregation schemes [15], [16], [17] regards power use
information as one-dimensional information. With smart me-
ters being used, it is however multi-dimensional in nature,
for example, including the amount of energy consumed, at
what time and for what purpose the consumption was, and
so on. Taking into account all the dimensions allows finer-
grained control and optimization. When multiple dimensions
are present, the existing schemes [15], [16], [17] will have
to process every dimension separately. We further notice that
power usage information is often small in size, smaller than the
plain text space of the encryption algorithm used. Each time
when it is encrypted, its size will be increased to occupy the
entire plain text space. Considering the high data collection
frequency, multi-dimensional use information and massive
number of consumers, the existing data aggregation schemes
generate not only huge communication cost but also impose
overwhelming process load on local gateways.
To save communication and computation resources, in
this paper, we process all the dimension data as a whole
rather than separately, and propose a novel E
fficient and
P
rivacy-Preserving Aggregation (EPPA) scheme. This scheme
expresses multi-dimensional power use data in a single-
dimensional form and supports privacy-preserving aggregation
operations on the reformatted data. As a result, data can be
efficiently reported to smart grid operation center at a high
frequency for real-time monitoring and control. The main
contributions of this paper are two-fold.
• Firstly, inspired by the fact that electricity usage data is
small in size and multi-dimensional in nature, we present
the novel EPPA scheme that utilizes the homomorphic
Paillier cryptosystem [14] to achieve privacy-preserving
multi-dimensional data aggregation and efficient smart
grid communications. Compared with traditional one-
dimensional aggregation schemes [15], [16], [17], it leads
to dramatically reduced the computation and communi-
cation cost.
• Secondly, we analyze the security strength and privacy-
preservation ability of EPPA. In particular, we apply
the provable security technique to formally prove that
the smart grid operation center’s response is semantic
secure under the chosen plaintext attack. Through com-
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
LU et al.: EPPA: AN EFFICIENT AND PRIVACY-PRESERVING AGGREGATION SCHEME FOR SECURE SMART GRID COMMUNICATIONS 3
parative performance analysis, we demonstrate that EPPA
is indeed significantly more efficient than existing one-
dimensional aggregation schemes [15], [16], [17].
The remainder of this paper is organized as follows. In
Section 2, we introduce our system model, security require-
ments and our design goal. In Section 3, we recall the bilinear
pairings [18] and Paillier cryptosystem as the preliminaries.
Then, we present our EPPA scheme in Section 4, followed by
its security analysis and performance evaluation in Section 5
and Section 6, respectively. We also discuss the related work
in Section 7. Finally, we draw our conclusions in Section 8.
2SYSTEM MODEL,SECURITY REQUIRE-
MENTS AND DESIGN GOAL
In this section, we formalize the system model, security
requirements, and identify our design goals.
2.1 System Model
In our system model, we mainly focus on how to report
residential users’ privacy-preserving electricity usage data to
the operation center in smart grid communications. Specif-
ically, we consider a typical residential area (RA), which
comprises a local gateway (GW) connected with smart grid
operation center, and a large number of residential users
U = {U
1
,U
2
, ··· ,U
w
}, as shown in Fig. 2. The GW is a
powerful workshop, which mainly performs two functions:
aggregation and relaying. The aggregation component is re-
sponsible for aggregating residential users’ electricity usage
data into a compressed one, while the relaying component
helps residential users with forwarding data to the operation
center, i.e., to a trusted operation authority (OA) located at
operation center, and also helps the OA with relaying the
responses back to the residential users in the RA as well. In
the process of the aggregation and relaying, the GW will also
perform some authentication operations to guarantee the data’s
authenticity and integrity.
KƉĞƌĂƚŝŽŶĞŶƚĞƌK
,E
ϭ
,E
Ϯ
,E
ϯ
,E
ǁͲϭ
,E
ǁ
ZĞƐŝĚĞŶƚŝĂůƌĞĂ't
^D
ϯ
^D
ǁͲϭ
^D
ǁ
^D
Ϯ
^D
ϭ
Fig. 2. System model under consideration
Each user U
i
∈ U is equipped with various smart meters
(SMs), which form a Home Area Network (HAN), and can
electronically record the real-time data about electricity use.
These near real-time data will then be reported to the OA every
a certain period with the relay of the GW. On receiving the
reports from residential users, the OA can get the real-time
situational awareness so as to make the electricity use more
efficient by either carrying out the dynamic price or directly
controlling to reduce consumption during peak periods and
shift some demands to off-peak hours.
Communication model. In the residential area RA, the
communication between each user U
i
∈ U and the local GW
is through relatively inexpensive WiFi technology. In other
words, within the WiFi coverage of the GW, each U
i
∈ U can
directly/indirectly communicate with the GW. On the other
hand, since the distance between the residential area and the
operation center is far away, the communication between the
GW and the OA is through either wired links or any other links
with high bandwidth and low delay. However, although the
communication in smart grid is featured with high bandwidth
and low delay, since hundred and thousand of residential
users scattered at different residential areas in a region will
report their electricity usage data almost at the same time, the
communication efficiency of the GW-to-OA communication is
still a challenging issue.
2.2 Security Requirements
Security is crucial for the success of secure smart grid
communications. In our security model, we consider the OA
and the GW are trustable, and the residential users U =
{U
1
,U
2
, ··· ,U
w
} are honest as well. However, there exists
an adversary A residing in the RA to eavesdrop the residential
users’ reports. More seriously, the adversary A could also
intrude in the database of the GW and the smart grid operation
center to steal the individual user reports. In addition, the
adversary A could also launch some active attacks to threaten
the data integrity. Therefore, in order to prevent the adversary
A from learning the users’ reports and to detect the adversary
A’s malicious actions, the following security requirements
should be satisfied in secure smart grid communications.
• Confidentiality. Protect individual residential user’s re-
ports from the adversary A, i.e., even if A eavesdrops
the WiFi communication in the RA, it cannot identify
the contents of the reports; and even if A steals the data
from the operation center’s and/or the GW’s databases, it
can also not identify each individual user’s data. In such
a way, each individual user’s electricity usage data can
achieve the privacy-preserving requirement. In addition,
the confidentiality requirement also includes the OA’s
responses should be privacy-preserving, i.e., only the
legal residential users in the RA can read them.
• Authentication and Data Integrity. Authenticating an en-
crypted report that is really sent by a legal residential user
and has not been altered during the transmission, i.e.,
if the adversary A forges and/or modifies a report, the
malicious operations should be detected. Then, only the
correct reports can be received by the OA and helpful for
the electricity use monitoring. Meanwhile, the responses
from the OA should also be authenticated so that the
residential users can receive the authentic and reliable
information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
4 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
2.3 Design Goal
Under the aforementioned system model and security re-
quirements, our design goal is to develop an efficient and
privacy-preserving aggregation scheme for secure smart grid
communications. Specifically, the following two objectives
should be achieved.
• The security requirements should be guaranteed in the
proposed scheme. As stated above, if the smart grid
does not consider the security, the residential users’
privacy could be disclosed, and the real-time electricity
use reports could be altered. Then, the smart grid cannot
step into its flourish. Therefore, the proposed scheme
should achieve the confidentiality, authentication and data
integrity requirements simultaneously.
• The communication-effectiveness should be achieved in
the proposed scheme. Although the communication be-
tween the OA and the GW is featured with high-
bandwidth and low-delay, to support hundred and thou-
sand residential users’ reports to the OA at almost the
same time, the proposed scheme should also consider the
communication-effectiveness, so that the near real-time
user reports can be fast transmitted to the OA.
3PRELIMINA RIES
In this section, we outline the bilinear pairing technique [18]
and review the Paillier Cryptosystem [14], which will serve as
the basis of the proposed EPPA scheme.
3.1 Bilinear Pairing
Let G, G
T
be two cyclic groups of the same prime order
q,andP be a generator of group G. Suppose G and G
T
are
equipped with a pairing, i.e., a non-degenerated and efficiently
computable bilinear map e : G × G → G
T
such that
e(P, P) =1
G
T
and e(aP
1
,bQ
1
)=e(P
1
,Q
1
)
ab
∈ G
T
for
all a, b ∈ Z
∗
q
and any P
1
,Q
1
∈ G. We refer to [18] for
a more comprehensive description of pairing technique, and
complexity assumptions.
Definition 1: A bilinear parameter generator Gen is a prob-
abilistic algorithm that takes a security parameter κ as input,
and outputs a 5-tuple (q, P, G, G
T
,e) where q is a κ-bit prime
number, G, G
T
are two groups with the same order q, P ∈ G
is a generator, and e : G × G → G
T
is a non-degenerated and
efficiently computable bilinear map.
Definition 2: (Computational Diffie-Hellman (CDH) Prob-
lem) The CDH problem is stated as follows: Given the
elements (P, aP, bP) ∈ G for unknown a, b ∈ Z
∗
q
, to compute
abP ∈ G.
Definition 3: (Bilinear Diffie-Hellman (BDH) Problem)
The BDH problem is stated as follows: Given the elements
(P, aP, bP, cP) ∈ G for unknown a, b, c ∈ Z
∗
q
, to compute
e(P, P )
abc
∈ G
T
.
Definition 4: (Decisional BDH (DBDH) Problem) The
DBDH problem in (G, G
T
) is stated as follows: Given the
elements (P, aP, bP, cP) ∈ G for unknown a, b, c ∈ Z
∗
q
and
W ∈ G
T
, decide whether W = e(P, P )
abc
∈ G
T
or a random
element R drawn from G
T
.
3.2 Paillier Cryptosystem
The Paillier Cryptosystem can achieve the homomorphic prop-
erties, which is widely desirable in many privacy-preserving
applications [19], [20]. Concretely, the Paillier Cryptosystem
is comprised of three algorithms: key generation, encryption
and decryption.
• Key Generation: Given the security parameter κ
1
,two
large prime numbers p
1
,q
1
are first chosen, where |p
1
| =
|q
1
| = κ
1
. Then, the RSA modulus n = p
1
q
1
and λ =
lcm(p
1
− 1,q
1
− 1) are computed. Define a function L(u)=
u−1
n
, after choosing a generator g ∈ Z
∗
n
2
, μ =(L(g
λ
mod
n
2
))
−1
mod n is further calculated. Then, the public key is
pk =(n, g), and the corresponding private key is sk =(λ, μ).
• Encryption: Given a message m ∈ Z
n
, choose a random
number r ∈ Z
∗
n
, and the ciphertext can be calculated as c =
E(m)=g
m
· r
n
mod n
2
.
• Decryption: Given the ciphertext c ∈ Z
∗
n
2
,thecor-
responding message can be recovered as m = D(c)=
L(c
λ mod n
2
) · μ mod n. Note that, the Paillier Cryptosystem
is provably secure against chosen plaintext attack, and the
correctness and security can be referred to [14].
4PROPOSED EPPA SCHEME
In this section, we propose the efficient and privacy-preserving
aggregation scheme (EPPA) for secure smart grid communica-
tions, which mainly consists of the following four parts: sys-
tem initialization, user report generation, privacy-preserving
report aggregation, and secure report reading and response.
4.1 System Initialization
For a single-authority smart grid system under consideration,
it is reasonable to assume a trusted operation authority (OA)
can bootstrap the whole system. Specifically, in the system ini-
tialization phase, given the security parameters κ, κ
1
,OAfirst
generates (q, P, G, G
T
,e) by running Gen(κ), and then cal-
culates the Paillier Cryptosystem’s public key (n = p
1
q
1
,g),
and the corresponding private key (λ, μ), where p
1
,q
1
are
two large primes with |p
1
| = |q
1
| = κ
1
. Assume that
the maximum number of households in a residential area is
no more than a constant w, and there are total l types of
electricity usage data (T
1
,T
2
, ··· ,T
l
) to be reported in smart
grid communications, the value of each type T
i
is less than
a constant d. Then, OA chooses a super-increasing sequence
a =(a
1
=1,a
2
, ··· ,a
l
), where a
2
, ··· ,a
l
are large primes
such that the length |a
i
|≥κ,
i−1
j=1
a
j
· w · d<a
i
for
i =2, ··· ,l,and
l
i=1
a
i
·w ·d<n. After that, OA computes
(g
1
,g
2
, ··· ,g
l
), where
g
i
= g
a
i
, for i =1, 2, ··· ,l (1)
OA also chooses two random elements Q
1
,Q
2
∈ G, two ran-
dom numbers α, x ∈ Z
∗
q
, and computes e(P, P )
α
, Y = xP .In
addition, OA chooses two secure cryptographic hash functions
H and H
1
, where H : {0, 1}
∗
→ G and H
1
: {0, 1}
∗
→ Z
∗
q
.
In the end, OA publishes the system parameters as
pubs =
q, P, G, G
T
,e,n,g
1
, ··· ,g
l
,
Q
1
,Q
2
,e(P, P )
α
,Y,H,H
1
(2)
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
LU et al.: EPPA: AN EFFICIENT AND PRIVACY-PRESERVING AGGREGATION SCHEME FOR SECURE SMART GRID COMMUNICATIONS 5
and keeps the master keys (λ, μ,
a,α,x) secretly.
When a local gateway (GW) of the residential area (RA)
registers itself in the system, it first chooses a random number
x
g
∈ Z
∗
q
as the private key, and computes the corresponding
public key Y
g
= x
g
P . While when a HAN user U
i
∈ U of the
RA joins in the system, U
i
chooses a random number x
i
∈ Z
∗
q
as the private key, and computes the corresponding public key
Y
i
= x
i
P . In addition, the OA uses the master key (α, x) to
compute
t
i1
= H
1
(U
i
||RA||α),t
i2
= H
1
(U
i
||RA||x) (3)
and generates the authorized RA-related key ak
i
to U
i
, where
ak
i
=(αP + t
i1
Y,t
i1
P, t
i2
P, t
i1
Q
1
+ t
i2
Q
2
) (4)
With the authorized key ak
i
, U
i
can securely receive the
response sent by the OA in smart grid communication system.
4.2 User Report Generation
In order to achieve the nearly real-time residential users’
electricity usage data every η minutes, e.g., η =15minutes,
each HAN user U
i
∈ U uses the smart meters to collect l types
of data (d
i1
,d
i2
, ··· ,d
il
), where each d
ij
≤ d, and performs
the following steps:
• Step-1: Choose a random number r
i
∈ Z
∗
n
, and compute
C
i
= g
d
i1
1
· g
d
i2
2
·····g
d
il
l
· r
n
i
mod n
2
(5)
• Step-2: Use the private key x
i
to make a signature σ
i
as
σ
i
= x
i
H(C
i
||RA||U
i
||TS) (6)
where TS is the current timestamp, which can resist the
potential replay attack.
• Step-3: Report the encrypted electricity usage data
C
i
||RA||U
i
||TS||σ
i
to the local gateway GW in the residential
area RA.
4.3 Privacy-preserving Repor t Aggregation
After receiving total w encrypted electricity usage data
C
i
||RA||U
i
||TS||σ
i
, for i =1, 2, ··· ,w, the local GW
first checks the timestamp TS and the signature σ
i
to verify its validity, i.e., verify whether e(P, σ
i
)
?
=
e(Y
i
,H(C
i
||RA||U
i
||TS)). If it does hold, the signature is
accepted, since e(P, σ
i
)=e(P, x
i
H(C
i
||RA||U
i
||TS)) =
e(Y
i
,H(C
i
||RA||U
i
||TS)). In order to make the verification
efficiently, the GW can perform the batch verification as
e
P,
w
i=1
σ
i
= e
P,
w
i=1
x
i
H(C
i
||RA||U
i
||TS)
=
w
i=1
e (P, x
i
H(C
i
||RA||U
i
||TS))
=
w
i=1
e (Y
i
,H(C
i
||RA||U
i
||TS))
(7)
Then, the time-consuming pairing operations e(·, ·) can be
reduced from 2w to w +1 times.
After the validity checking, the GW performs the following
steps for privacy-preserving report aggregation:
• Step-1: Compute the aggregated and encrypted data C on
C
1
,C
2
, ··· ,C
w
as
C =
w
i=1
C
i
mod n
2
(8)
• Step-2: Use the private key x
g
to make a signature σ
g
as
σ
g
= x
g
H(C||RA||GW ||TS) (9)
where TS is the current timestamp.
• Step-3: Report the aggregated and encrypted data
C||RA||GW ||TS||σ
g
to the operation authority OA.
4.4 Secure Report Reading and Response
Upon receiving C||RA||GW ||TS||σ
g
,theOAfirst verifies the
validity by checking e(P, σ
g
)=e(Y
g
,H(C||RA||GW ||TS)),
and then performs the following steps to read the aggregated
and encrypted report C, where C is implicitly formed by
C =
w
i=1
C
i
mod n
2
=
w
i=1
g
d
i1
1
· g
d
i2
2
·····g
d
il
l
· r
n
i
mod n
2
= g
w
i=1
d
i1
1
· g
w
i=1
d
i2
2
···g
w
i=1
d
il
l
·
w
i=1
r
i
n
mod n
2
= g
a
1
w
i=1
d
i1
· g
a
2
w
i=1
d
i2
···g
a
l
w
i=1
d
il
·
w
i=1
r
i
n
mod n
2
= g
a
1
w
i=1
d
i1
+a
2
w
i=1
d
i2
+···+a
l
w
i=1
d
il
·
w
i=1
r
i
n
mod n
2
(10)
• Step-1: By taking M = a
1
w
i=1
d
i1
+a
2
w
i=1
d
i2
+···+
a
l
w
i=1
d
il
and R =
w
i=1
r
i
, the report C = g
M
·R
n
mod n
2
is still a ciphertext of Paillier Cryptosystem. Therefore, the OA
can use the master key (λ, μ) to recover M as
M = a
1
w
i=1
d
i1
+ a
2
w
i=1
d
i2
+ ···+ a
l
w
i=1
d
il
mod n (11)
• Step-2: By invoking the Algorithm 1, the OA can recover
and store the aggregated data (D
1
,D
2
, ··· ,D
l
), where each
D
j
=
w
i=1
d
ij
.
Algorithm 1 Recover the aggregated report
1: procedure RECOVER THE AGGREGATED REPORT
Input:
a =(a
1
=1,a
2
, ··· ,a
l
) and M
Output: (D
1
,D
2
, ··· ,D
l
)
2: Set X
l
= M
3: for j = l to 2 do
4: X
j−1
= X
j
mod a
j
5: D
j
=
X
j
−X
j−1
a
j
=
w
i=1
d
ij
6: end for
7: D
1
= X
1
=
w
i=1
d
i1
8: return (D
1
,D
2
, ··· ,D
l
)
9: end procedure
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
