A privacy-enhanced data aggregation method supporting offline fault tolerance and rectification
By constructing a sparse collaborative graph and using collaborative mask signatures in the smart grid, the problems of privacy leakage and data aggregation distortion caused by the offline status of terminal devices in the smart grid are solved, realizing efficient multi-dimensional data aggregation and privacy protection, which is suitable for resource-constrained IoT environments.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUILIN UNIV OF ELECTRONIC TECH
- Filing Date
- 2026-04-15
- Publication Date
- 2026-07-14
AI Technical Summary
In smart grids, the risks of privacy leaks and data aggregation distortion caused by offline terminal devices are significant. Existing technologies cannot effectively protect user privacy and have insufficient fault tolerance, especially when deployed on resource-constrained IoT terminals, where their practicality is poor.
A privacy-enhancing data aggregation method that supports offline fault tolerance and correction is adopted. Parameters and dynamic pseudonyms are generated through the key generation center to construct a sparse collaborative graph. Data is packaged and signed using collaborative masks and exclusive masks. The control center performs correction and recovery to achieve multi-dimensional encrypted data aggregation and identity privacy protection.
It enables the recovery of correct multidimensional data aggregation results without additional communication and secondary terminal response, providing strong privacy protection and efficient fault tolerance, and is suitable for resource-constrained smart grid and Internet of Things scenarios.
Smart Images

Figure CN122394774A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of smart grid data security, privacy computing, and edge computing, specifically to a multi-dimensional data aggregation method and system that supports offline fault tolerance, encrypted error correction, and privacy enhancement. Background Technology
[0002] With the large-scale deployment of advanced metering infrastructure and various sensing devices in smart grids, the power grid continuously generates massive amounts of fine-grained electricity consumption data. This data is crucial for tasks such as load forecasting, demand response, anomaly detection, economic dispatch, and coordinated control, and has become a vital data foundation for the operation and optimization of modern power systems. However, while fine-grained smart meter data enhances the grid's sensing and control capabilities, it may also leak a large amount of sensitive user information, such as residents' daily routines, household occupancy status, and appliance usage behavior. Therefore, how to protect user privacy while ensuring data availability has become a key issue in smart grid data collection, and privacy-preserving data aggregation has consequently become an important research direction in this field.
[0003] In scenarios such as smart grids, the Internet of Things, and edge computing, terminal devices need to periodically upload sensor data, which is then aggregated and computed by edge nodes to achieve global status monitoring and scheduling decisions. Multidimensional data aggregation can support refined statistics and complex analysis, but it faces two core challenges:
[0004] 1. Privacy leakage risk: The raw data on the terminal contains sensitive information, and plaintext transmission and aggregation can easily lead to the theft of user privacy;
[0005] 2. Insufficient fault tolerance for equipment downtime: When the terminal is unable to report on time due to communication jitter, power outage, fault, or other reasons, the security aggregation scheme based on collaborative mask will have residual mask, resulting in distortion of the aggregation result.
[0006] Existing privacy-preserving aggregation solutions have significant drawbacks: fault tolerance and recovery rely on secondary calculations by surviving nodes or data retransmission by offline nodes, resulting in high communication overhead and latency; multi-dimensional aggregation, identity privacy protection, and lightweight verification are difficult to balance; most solutions rely on fully trusted third parties, resulting in poor deployment practicality; and offline recovery interaction costs are high, making them unsuitable for resource-constrained IoT terminals.
[0007] Therefore, there is an urgent need for a privacy-enhanced fault-tolerant aggregation method that does not require secondary intervention from the terminal, allows the control center to complete the correction unidirectionally, and supports the secure aggregation of multi-dimensional data. Summary of the Invention
[0008] To address the shortcomings of existing technologies, this invention provides a privacy-enhanced data aggregation method that supports fault tolerance and correction for device disconnections. This method enables multi-dimensional encrypted data aggregation, identity privacy protection, message integrity authentication, and one-way correction for device disconnections, restoring the correct aggregation result without additional communication or secondary terminal response.
[0009] The technical solution to achieve the objective of this invention is:
[0010] A privacy-enhancing data aggregation method that supports offline fault tolerance and correction includes the following steps:
[0011] (1) Set up a privacy-enhanced data aggregation system that supports fault tolerance and correction for disconnection;
[0012] (2) System initialization: The key generation center KGC generates elliptic curve public parameters, system master key and master public key, and configures Chinese Remainder Theorem (CRT) parameters that satisfy the overflow prevention constraint for multidimensional data packaging and unpacking;
[0013] (3) Entity registration and key pre-distribution: The control center CC and fog node FN complete static identity registration; the smart meter SM generates dynamic pseudo-names in batches, the key generation center KGC issues partial private keys for the dynamic pseudo-names in batches, and the smart meter SM generates the current round of dynamic certificateless key pairs in combination with the long-term secret value.
[0014] (4) Sparse collaborative graph construction and seed presetting: The control center CC constructs a global sparse undirected collaborative graph. Adjacent smart meters SM negotiate edge collaborative seeds through elliptic curve Diffie-Hellman key exchange. Each smart meter SM negotiates a dedicated shared seed with the control center CC.
[0015] (5) Terminal reporting generation: The smart meter SM collects multi-dimensional data and packages it into a single integer through CRT. It then overlays a collaborative mask based on neighbor relationship and an SM-CC exclusive mask to generate ciphertext, which is then reported to the fog node FN after dynamic certificateless signing.
[0016] (6) Batch verification and ciphertext aggregation: After the reporting deadline, the fog node FN freezes the candidate list, performs batch signature verification on the reported messages, performs addition aggregation on the valid ciphertext, and sends the aggregated ciphertext and the set of valid participants to the CC;
[0017] (7) Offline correction and result recovery: The control center (CC) identifies the offline node based on the frozen candidate set and the effective participation set, locates the cross-set boundary edge, reconstructs the residual collaborative mask locally to complete the correction, and obtains the multidimensional aggregation result by unpacking through CRT after removing the sum of the exclusive masks.
[0018] Furthermore, the privacy-enhanced data aggregation system supporting disconnection tolerance and error correction described in step (1) includes:
[0019] Key Generation Center (KGC): Used for system initialization, parameter generation, entity registration, and partial private key issuance;
[0020] Smart Meter (SM): Used for multi-dimensional data acquisition, CRT packetization, mask overlay, dynamic signature, and reporting;
[0021] Fog Node (FN): Used for message reception, batch signature verification, ciphertext aggregation, metadata encapsulation and forwarding;
[0022] Control Center (CC): Used for collaborative graph construction, seed negotiation, disconnection detection, residual mask reconstruction, ciphertext correction, and CRT unpacking.
[0023] Further, the CRT configuration in step (2) is as follows: To support efficient aggregation of multidimensional data, the system first sets the total number of statistical dimensions of the smart meter data to D. For the k-th dimension data (k ∈ [1,D]), the system assigns a CRT base module to it. , among which A pairwise coprime prime number. To ensure that the control center does not experience data distortion due to modulo overflow during final unpacking, the system must pre-set strict overflow prevention constraints. Let the maximum possible reported value of a single table on this dimension be... The maximum number of online meters that can participate in this aggregation round is [number missing]. And the system has a reserved fault tolerance margin of Then the k-th modulus The following boundary inequality must be satisfied:
[0024]
[0025] Based on the above constraints, calculate the total number of modules M of the CRT:
[0026]
[0027] Simultaneously define a pseudo-random generator and pseudo-random functions .
[0028] Subsequently, for each dimension k ∈ [1,D], KGC calculates the corresponding CRT coefficients. And its model The inverse element below .
[0029] Finally, KGC initializes the publicly exposed global system parameters to... .
[0030] Furthermore, in step (3), the smart meter SM generates dynamic pseudo-names in batches: to avoid the KGC becoming a communication bottleneck of the system due to high-frequency periodic reporting, during network idle periods, Generate dynamic pseudo-names in batches for a future time window (containing T aggregate rounds). For any round within the window... , Randomly select a temporary random number Calculate pseudonym component and ,get . Construct a batch of encrypted pseudonyms All credentials will be sent to the KGC application system.
[0031] When KGC receives the batch request, it uses the system master key s to calculate And based on this, the true identity of the electricity meter can be restored without loss. If the recovered For legitimate registered users, KGC continues to generate partial private key materials for each round of pseudonyms. KGC randomly selects a number. ,
[0032] calculate as well as And generate a portion of the private key for that round:
[0033]
[0034] Subsequently, KGC will contain a set of T sets of credentials. Send via secure channel .
[0035] In the When aggregating data, No online communication or interaction with KGC is required. Only the corresponding voucher for this round is retrieved locally and verified through equation checking. Verify legality and completeness. If verification passes, set... For long-term secret value The resulting fixed-length bit string is encoded and used as the key input for the pseudo-random function (PRF), combined with the current round identifier. With this round of dynamic pseudonyms Locally generated local secret value in this round:
[0036]
[0037] final, The complete private key pair for this round was constructed. ,in And calculate the user's public key for this round. Used for subsequent authentication reporting and signature generation.
[0038] Further, in step (4), the edge collaboration seed is as follows: During initial deployment, CC constructs a connected global baseline sparse undirected graph G = (V, E) based on the initialized set of smart meters in the region, serving as the reference collaboration topology for subsequent rounds of data aggregation. Here, the vertex set V contains all legal terminal nodes, and the edge set E describes the pre-established collaboration relationships between nodes. To balance the overhead of single-point collaboration with the complexity of later recovery, the maximum degree of each node is limited to a small constant d (satisfying d≪N). Subsequently, CC distributes the baseline topology G to FN, and FN synchronizes the topology information required for subsequent aggregation to the smart meters within its coverage area.
[0039] Entering the During round data aggregation, the global baseline topology is securely mapped to a real-time collaborative graph based on the dynamic pseudonyms of this round. Among them, vertex set From all active participants in this round The pseudonym structure; and the real-time edge set Then it is selected from the baseline edge set E—that is, if there are physical cooperative edges in the baseline graph. If both terminals are active in this round, then a corresponding pseudo-named collaborative edge will be generated in this round. .
[0040] After receiving the topology information, adjacent smart meters in the graph need to negotiate a cooperative seed based on sparse neighbor relationships. For the edge set... any edge in , First, obtain the user's public key published by the neighboring node. And combined with its own dynamic private key Calculate the shared secret value Similarly, Computable ,and .
[0041] Both parties further linked the shared secret value to the current round. The final collaborative seed is calculated by hashing the dynamic pseudonyms of both parties.
[0042]
[0043] In addition, to ensure that CC can handle data corruption caused by internal node drop-outs during subsequent aggregation and unpacking stages, each We also need to negotiate a dedicated shared seed with CC. Using the static public key published by CC ,calculate:
[0044]
[0045] CC can leverage its long-term secret value and The public key of this round The shared seed was calculated without any online interaction. .
[0046] Furthermore, in step (5), the encrypted message is reported: in the... In the round of data aggregation, smart meters The locally collected multi-dimensional electricity consumption data needs to be securely packaged, masked, and signed before being reported to the fog node FN.
[0047] set up In the The multidimensional measurement data vector collected in the round is The data in the k-th dimension satisfy , k ∈ [1,D]. Based on the set CRT parameters, First, the D-dimensional plaintext data is losslessly packaged into a single integer:
[0048]
[0049] in , .
[0050] To ensure that the mask value and the packed plaintext are in the same addition field Inside, The negotiated shared seed material needs to be further expanded into a mask value modulo M using a pseudo-random generator. For each collaborative edge... The edge collaborative mask is defined as
[0051]
[0052] and The dedicated mask between the control center (CC) and the control center (CC) is defined as follows:
[0053]
[0054] remember For real-time collaborative graph Middle node The set of neighbor pseudonyms. To ensure that the cooperative mask can cancel out in pairs between nodes during subsequent aggregation, the following deterministic symbolic function is defined:
[0055]
[0056] therefore, The final reported ciphertext is generated as follows
[0057]
[0058] Subsequently, Use its complete dynamic certificateless private key Sign the encrypted report. Specifically, Random selection , and calculate:
[0059]
[0060] Next, calculate the hash value.
[0061]
[0062] And generate a signature scalar.
[0063]
[0064] Therefore, node The signature is The final reported message is constructed as follows
[0065]
[0066] Only in the first Only messages that arrive at FN before the reporting deadline of the current round will be included in the aggregation processing of the current round.
[0067] Furthermore, the batch verification and ciphertext aggregation described in step (6): in the first After the reporting deadline, the fog node FN collects all received reported messages and performs message validity verification before performing aggregation. This represents the set of candidate reports received by FN in this round.
[0068] For any received message FN first checks whether the round identifier τ it carries matches the current round. Then, FN recalculates.
[0069]
[0070] as well as
[0071]
[0072] Based on equation (14) and the above-mentioned construction method of the dynamic partial private key, a legitimate message should satisfy the following single-message verification equation:
[0073]
[0074] Considering the high overhead of verifying signatures one by one in scenarios with concurrent reporting from large-scale smart meters, FN can adopt a batch verification method to uniformly verify all candidate signatures in this round. Let... Given the set of message indexes participating in batch verification, FN accepts the batch of messages when the following formula is true:
[0075]
[0076] If batch verification fails, FN verifies each invalid message one by one and removes the invalid message from the current round. After removing the invalid message, FN obtains the next invalid message. The valid reporting set of the round is denoted as .
[0077] Subsequently, FN performs addition aggregation directly on all valid ciphertexts:
[0078]
[0079] In addition to the aggregated ciphertext, the control center (CC) also needs to know the set of legitimate nodes that successfully participated in the aggregation in this round, so as to remove the unique mask corresponding to each node in the subsequent recovery phase. Therefore, FN simultaneously constructs the set of valid participating nodes.
[0080]
[0081] This set records the identity information of legitimate nodes that successfully passed verification and actually participated in the aggregation in this round. It is used by CC to locate the exclusive mask of the corresponding node and complete the result recovery during the recovery phase.
[0082] Finally, FN encapsulates the aggregate ciphertext, the set of valid participating nodes, the authentication code of the current round's frozen candidate set, and the round identifier into an aggregate message.
[0083]
[0084] FN utilizes the long-term static complete private key obtained during the initialization process. , For aggregated messages Perform the signature. FN first randomly selects... , and calculate Then, FN calculates the signature hash value of the aggregated message.
[0085]
[0086] And generate a signature scalar.
[0087]
[0088] Therefore, the signature representation of FN for aggregated messages is as follows:
[0089]
[0090] Ultimately, FN will authenticate the aggregated message.
[0091]
[0092] Send to Control Center (CC).
[0093] Furthermore, the disconnection correction process in step (7) is as follows: the control center CC receives the aggregation message. Next, the signature and message integrity from FN are verified to ensure that the aggregation result indeed originates from a legitimate fog node and has not been tampered with during transmission. In a normal aggregation scenario, CC only needs to remove the exclusive mask corresponding to all valid nodes and perform CRT unpacking to restore the multidimensional aggregation result of this round.
[0094] For any valid node identifier pair CC uses its own private key Reconstruct the dedicated seed shared with this node:
[0095]
[0096] And regenerate the same exclusive mask value
[0097]
[0098] The sum of the unique masks of all valid nodes in this round is:
[0099]
[0100] Subsequently, the control center (CC) retrieved the aggregated ciphertext. Remove the total unique mask from the middle to get
[0101]
[0102] From equations (11) and (10), it can be seen that when all valid reports participate in the aggregation normally, the cooperative masks introduced between adjacent nodes will cancel each other out pairwise on an edge-by-edge basis after aggregation and summation. Therefore, we have
[0103]
[0104] Finally, the control center (CC) uses the CRT to perform dimension-by-dimensional reconstruction of the aggregated and packaged results, obtaining the sum of data for each dimension. For any dimension k ∈ [1,D], we have
[0105] .
[0106] The beneficial effects of the present invention through the above solution are:
[0107] (1) Multidimensional lightweight aggregation: Based on CRT, multidimensional data is packaged into single integers, reducing communication and aggregation overhead, and has excellent dimensional scalability;
[0108] (2) Strong privacy protection: dual masking by collaborative mask and exclusive mask, dynamic pseudonym achieves anonymity and non-linkability, no need for a completely trusted third party;
[0109] (3) High efficiency fault tolerance during disconnection: The control center (CC) completes the reconstruction and correction of the residual mask in one direction, with zero additional communication and no secondary participation from the terminal, and the recovery calculation is controllable in milliseconds;
[0110] (4) Secure and verifiable: Dynamic certificateless signing and batch verification ensure integrity, anti-counterfeiting and anti-replay properties;
[0111] (5) Strong scenario adaptability: The terminal computing is lightweight and the edge burden is low, making it suitable for resource-constrained scenarios such as smart grids and the Internet of Things. Attached Figure Description
[0112] Figure 1 This is a system model architecture diagram of the present invention;
[0113] Figure 2 This is a graph showing the variation of SM computational overhead with dimension in a scenario with no disconnections, as illustrated in the example.
[0114] Figure 3 This is a graph showing the total communication volume as a function of dimensions in a scenario with no dropped connections, as illustrated in the example.
[0115] Figure 4 This is a graph showing the change in FN computational overhead with node size in a scenario with no disconnections, as illustrated in the example.
[0116] Figure 5 This is a graph showing the change in CC computation overhead with node size in a scenario with no disconnections, as illustrated in the example.
[0117] Figure 6 This is a comparison chart showing the additional communication overhead during the recovery phase for different solutions under different disconnection rates in the example implementation.
[0118] Figure 7 This is a comparison chart showing the additional total computational overhead during the recovery phase for each scheme under different disconnection rates in the example implementation. Detailed Implementation
[0119] The present invention will now be described in detail with reference to embodiments and accompanying drawings.
[0120] Example:
[0121] In real-world smart grid environments, factors such as link jitter, terminal offline status, edge congestion, or temporary faults may prevent some smart meters from reporting before the current cycle's deadline. In this case, although fog nodes can still aggregate received messages, the cooperative mask only cancels out in pairs when both ends of an edge participate simultaneously. Node disconnection will cause some mask residue in the aggregation result, preventing the control center from directly recovering the true statistical sum using the aforementioned method. Therefore:
[0122] 1. Initialization and Cross-Set Boundary Edge Location
[0123] In round τ, let Lτ be the set of candidate pseudonyms frozen by the fog nodes. Based on the defined set of valid participating nodes Aτ, the control center first restores the set of pseudonyms that successfully participated in the aggregation in this round:
[0124]
[0125] Therefore, the set of pseudo-names that have been disconnected in this round can be represented as:
[0126]
[0127] According to the system design, the reverse mapping capability from pseudonyms to stable indexes, ID2SID(·), is held solely by the control center; fog nodes do not possess this mapping. Therefore, the control center can further map the set of successfully reported data and the set of disconnected data in this round to a set of stable indexes.
[0128]
[0129] in, This represents the set of stable nodes that successfully participated in the aggregation in this round. This represents the set of missing nodes in this round.
[0130] Consistent with the above collaborative mask generation rules, let edge (a,b) be in the th... The sign function of the wheel is
[0131]
[0132] in and These represent the stable nodes a and b at the nth... The dynamic pseudo-name corresponding to the round. For edge (a, b), the local contribution of node a to the aggregation result is: The contribution of node b is ,in This is the edge collaboration mask value generated from the edge seed in this round.
[0133] Based on the above, the set of cross-set boundary edges in this round can be defined as follows:
[0134]
[0135] Based on the pairwise cancellation property of edge masks, all edges can be divided into the following three categories:
[0136] 1) Both ends belong to Edges of this type. Both endpoints of such edges successfully participate in this round of aggregation, so the corresponding cooperative mask terms still cancel each other out after aggregation and summation, and have no net contribution to the final result.
[0137] 2) Both ends belong to Edges where neither endpoint is successfully reported; their corresponding edge masks are not included in the fog node aggregation results and will not affect the final aggregated ciphertext.
[0138] 3) One end belongs to The other end belongs to Edges of this type. Only the cooperative mask on the online side is included in the fog node aggregation. The other side is missing due to being offline, so it cannot be completely canceled out, leaving a single-sided residual in the aggregation result.
[0139] Therefore, all residual cooperative masks in this round originate only from cross-set boundary edges, and their total residual can be represented as:
[0140]
[0141] Therefore, as long as the control center can identify the edges across the set boundary and regenerate the corresponding edge mask for each edge in this round, the residual items caused by the disconnection can be accurately recovered without any online nodes participating again.
[0142] 2. Control Center Compensation Mechanism
[0143] In obtaining , After obtaining global edge information, the control center then... The round aggregation result performs unidirectional correction. The control center reconstructs the current round mask items corresponding to all cross-set boundary edges according to the same rules as Equation (38) based on the global static graph and edge sharing seed it holds, and calculates the correction value.
[0144]
[0145] Subsequently, the control center uploaded the aggregated ciphertext from the fog node. Removing the correction term yields the intermediate result after removing the residual co-mask:
[0146]
[0147] After completing the collaborative mask correction, the control center continues to remove the sum of the exclusive masks of all successfully participating aggregation nodes in the same manner as described above. The corrected and exclusive masked sum is obtained. The actual packaged total is
[0148]
[0149] Finally, the control center performs CRT unpacking on the actual packaged sum. For any dimension k ∈ [1,D], we have
[0150] .
[0151] The following safety objectives must be met during the implementation of this method:
[0152] Data Confidentiality: No entity (including the Control Center (CC), Fog Nodes (FN), and external attackers) can obtain the multidimensional plaintext statistical vector of a single smart meter in any round. The Control Center (CC) is only allowed to obtain the aggregated plaintext sum of users within a specified set, and is mathematically guaranteed not to be able to deduce the original electricity consumption data of any individual from it; the FN and external attackers also cannot infer any plaintext information from the reported ciphertext or blind aggregation results.
[0153] Integrity and Unforgeability: Attackers cannot tamper with, forge, or replay reported messages and aggregate-related metadata (such as round identifiers, online list summaries, set information, etc.) without being detected; FN and CC can detect and reject invalid or tampered data.
[0154] Anonymity and Unlinkability: External attackers and FNs find it difficult to correlate reports from different rounds to the same SM, thus avoiding user profiling and trajectory inference based on long-term observations. CC can perform set mapping and correction recovery within necessary limits.
[0155] Fault Tolerance: When some SMs go offline before the end of the round, the system can still complete the aggregation calculation; CC can correct the residual mask caused by the offline based on the online candidate list and the receiving set information of the current round, so that the recovered aggregation result remains correct on the defined target set, and does not need to rely on the offline node to retransmit.
[0156] The security of the method in this application is analyzed below:
[0157] A. Data confidentiality
[0158] The data confidentiality of this method stems from a dual masking structure of "edge collaborative mask + CC-specific mask". For any smart meter SMi, its first... The secret message on board is .
[0159] Theorem: Under the CDH assumption and the pseudo-randomness of the PRG, any attacker cannot obtain ciphertext from a single reported ciphertext. The plaintext of the target smart meter is recovered. Therefore, it is impossible to further recover its original multidimensional plaintext vector. .
[0160] Proof: If the opponent wants to recover from the ciphertext Then both types of masks must be removed. For the proprietary mask item, the adversary needs to restore the shared seed. However, only publicly available information can provide information about... and If we can further obtain This directly solves the CDH problem. For any sidemask entry, the adversary needs to recover... ,in If an adversary can deduce from the public key... This can also be used to solve CDH. Therefore, no external eavesdropper can extract the plaintext packet value of the target node from the reported ciphertext.
[0161] B. Integrity and Unforgeability
[0162] The integrity and anti-counterfeiting properties of this method are jointly guaranteed by dynamic certificate-free signing on the smart meter side and static signing on the fog node side. For any reported message Repi,τ, its signature hash value is defined as follows:
[0163]
[0164] And satisfy the verification equation
[0165]
[0166] Therefore, the dynamic pseudonym, public key, random component of partial private key, ciphertext, temporary commitment, and round identifier are all bound into the signature value. Tampering with any field in equation (43) will cause the original signature to no longer satisfy equation (44).
[0167] Similarly, fog nodes aggregate messages. The signature will also , , and They are bound together, so attackers cannot tamper with the aggregation results and their related metadata without detection. On the other hand, round identifiers... The signature hash is explicitly included, so if an old round message is replayed to a new round, the signature verification will fail due to the inconsistent hash input, thus providing anti-replay capability.
[0168] Theorem: Under the stochastic oracle model, if ECDLP is unsolvable on group G, then the signature mechanism in DBPMDA used for smart meters and fog nodes satisfies existence and unforgeability.
[0169] Proof: Suppose there exists an adversary capable of outputting a valid forged signature that has not been previously queried under an adaptive message selection attack. And its corresponding messages, making Established, among which According to Forking Lemma, after resetting the random oracle, the same temporary commitment can be obtained with a non-ignorable probability. Below, the second valid forged signature corresponding to the same message. And there are Therefore, subtracting the two equations yields... Therefore, the discrete logarithm corresponding to the target public key can be obtained:
[0170]
[0171] This contradicts the ECDLP difficulty assumption. Therefore, attackers cannot forge legitimate smart meter signatures.
[0172] C. Anonymity and Unreliability
[0173] The anonymity and unlinkability of this method are provided by a dynamic pseudonym mechanism. For any smart meter SMi, its pseudonym in the τth round is defined as...
[0174]
[0175] Since a new random number ki,τ is used in each round, and the round identifier τ enters the pseudonym generation process, the pseudonyms used by the same smart meter in different rounds are independent of each other.
[0176] Theorem: Under the condition that the CDH assumption holds and H3 is regarded as a random oracle, external attackers and fog nodes FN cannot recover the real identity from dynamic pseudonyms, nor can they associate reports from different rounds with the same smart meter with non-ignoring advantage.
[0177] Proof: If the attacker wants to regain their real identity Then the amount of shading must be obtained. However, publicly available information can only be observed and If the attacker can further obtain... This also solves the CDH problem. Therefore, the true identity remains hidden from both external attackers and FN.
[0178] D. Correctness and tolerance for error
[0179] This method can recover the true multidimensional aggregation results on the valid participating set in both normal aggregation scenarios and scenarios where some nodes are offline.
[0180] Theorem: For any τ-th round of data aggregation, DBPMDA can correctly recover the true multidimensional statistical sum on the effective participant set Vτ. When some smart meters go offline before the end of this round, the control center CC can still recover the correct aggregation result on set Vτ without the need for offline nodes to retransmit data or surviving nodes to respond twice.
[0181] Proof: For a typical scenario where no nodes are offline, the ciphertext of the reported message can be constructed as follows:
[0182] For any Repi,τ∈Vτ, we have
[0183]
[0184] Therefore, the aggregated ciphertext output by the fog node can be written as
[0185]
[0186] When all valid nodes participate in the aggregation on time, both ends of each collaborative edge simultaneously contribute edge mask items with opposite signs and the same value to the aggregation result. That is, for any edge... ,have , thus obtaining Therefore, all cooperative masks cancel each other out pairwise after aggregation, resulting in...
[0187]
[0188] Let the sum of the exclusive masks obtained by the control center based on the set of valid participating nodes Aτ be .
[0189]
[0190] After removing the exclusive mask, there is
[0191]
[0192] Since the CRT parameters selected during system initialization satisfy the non-wrap constraint, therefore, for any dimension... All have
[0193]
[0194] Therefore, in scenarios without disconnections, this method can correctly recover the true multidimensional aggregation results on the valid participating set.
[0195] Consider the scenario where some nodes go offline: Let the first node be... Round freezing of candidate pseudonyms set is The set of effective participating nodes is Then the control center first restores the set of pseudonyms that successfully participated in the aggregation. And further obtain the set of disconnection pseudo-names And map it to a set of stable nodes. With the set of missing nodes And based on this, determine the set of edges crossing the set boundary. Since edges where both ends successfully participate in the aggregation process maintain mask cancellation, while edges where both ends are disconnected do not enter the aggregation process, only those located at... Edges on the top will leave residual collaborative masks in the aggregation result. Let this total residual be denoted as . .
[0196] Control Center According to Share seed local reconstruction correction item with corresponding edge Subtracting the correction term from the aggregated ciphertext yields:
[0197]
[0198] The subsequent steps are calculated in the same way as in the scenario without disconnection. .
[0199] Therefore, even if some smart meters go offline before the end of this round, this method can still accurately recover the real multidimensional aggregation result on the effective participant set Vτ through the one-way correction and recovery process executed by the control center. Moreover, the entire recovery process does not require the offline nodes to retransmit data, nor does it rely on the secondary response of the surviving nodes.
[0200] The design goal of this method is not to achieve the lowest baseline overhead in all scenarios simultaneously, but rather to minimize recovery costs during device downtime while ensuring regular aggregate availability. This method provides a comprehensive evaluation of DBPMDA based on both regular overhead in scenarios without downtime and recovery overhead in scenarios with downtime:
[0201]
[0202] A. Experimental Environment
[0203] To evaluate the practical performance of the proposed method, an experimental environment was built on an Ubuntu 22.04 platform with an Intel Core i5-12600KF processor and 32 GB of memory. The system prototype was implemented using Python 3.10.12, and related cryptographic operations were performed using pycryptodome. RPMDA, MDA-FLH, and LPMMDA were selected for comparison. To ensure fairness, this application only counts the main overhead of each scheme in the online stage, namely message generation, aggregation verification, result recovery, and their corresponding communication volume, while excluding one-time initialization, offline registration, and preprocessing. It should be noted that DBPMDA requires additional maintenance of the sparse collaborative graph G and pseudonym batch registration information in the preprocessing stage, but these overheads are one-time offline costs and do not affect the online aggregation efficiency. Unless otherwise specified, the default parameters are set to n=500, D=7, and d=2. The network size is set to n∈{100, 200, ..., 1000}, the data dimension is set to D∈{1, ..., 7}, and the drop rate is set to pdrop∈{0.01, 0.03, 0.05, 0.10, 0.20, 0.30}. For each parameter set, the drop-related experiments used 30 random seeds and averaged the results to reduce the impact of random fluctuations.
[0204] B. Overhead Analysis in Non-Dropout Scenarios
[0205] The experiments in the no-disconnection scenario were mainly used to evaluate the normal operating cost of DBPMDA. Overall, DBPMDA does not outperform in all metrics during the normal aggregation phase, which is consistent with the design goal: DBPMDA provides structural support for subsequent disconnection recovery by introducing collaborative masks, CC-only pads, and set information maintenance during the normal phase, so its baseline cost is inevitably higher than that of a solution that only optimizes the normal aggregation process.
[0206] From the perspective of dimensional extensibility, such as Figure 2 As shown, DBPMDA's terminal-side computation is not sensitive to dimensionality growth. When D increases from 1 to 7, the change in SM-side time is minimal. This indicates that DBPMDA's CRT-based multidimensional packing does not translate terminal overhead into a rapidly increasing dimensionality-based computational burden; the additional terminal-side cost is primarily driven by the fixed mask generation and signature processes. In contrast, LPPMM-DA and MDA-FLH's SM overhead is more significantly affected by dimensionality growth, which is related to their dimensionality-based processing or more complex cryptographic operations.
[0207] From a communication perspective, such as Figure 3As shown, the total communication volume of DBPMDA increases with the dimension: when n=500, the total communication volume increases by approximately 20.02%. This phenomenon indicates that DBPMDA's multidimensional aggregation is not a "free extension": although CRT packaging avoids independent reporting of each dimension, the payload length still increases with D to ensure unambiguous unpacking of data in each dimension during recovery. However, this increase is smooth and controllable, rather than causing a significant computational amplification at both the terminal and edge sides as seen in dimension-wise homomorphic encryption.
[0208] From the perspective of scalability, such as Figure 4 and Figure 5 As shown, the computation time for both FN and CC in DBPMDA increases approximately linearly with the increase in the node size n. When n increases from 100 to 1000, the FN time increases from 131.1144ms to 838.9102ms, and the CC time increases from 92.3549ms to 907.7549ms; under the same settings, the total communication throughput also increases from 231,680 bits to 2,305,280 bits. This is because the FN side needs to handle more message verification and aggregation, while the CC side needs to remove dedicated pads from successfully participating nodes and complete recovery unpacking; therefore, both increase with the number of participating nodes.
[0209] Based on the results at fixed points n=500 and D=7, the SM, FN, and CC times for DBPMDA are 3.6726ms, 579.4972ms, and 454.7549ms, respectively. Compared to RPMDA, DBPMDA has higher overhead in the regular phase, indicating that RPMDA is indeed more lightweight in the ideal scenario of "no disconnections and no additional interaction requirements." However, compared to MDA-FLH, DBPMDA has significantly lower overhead on the terminal and edge sides. For example, the FN side overhead is 579.4972ms, while MDA-FLH is 8888.6131ms, indicating that DBPMDA effectively controls the edge-side burden by avoiding Paillier-type repetitive homomorphic operations. Compared to LPPMM-DA, DBPMDA is also lighter on the terminal and edge sides, while the problem with LPPMM-DA is that it does not support subsequent disconnection recovery. Therefore, the conclusion that is more appropriate to draw from the no-disconnection experiment is that the baseline cost of DBPMDA is acceptable, but its main value does not lie in its absolute optimization in normal scenarios, but in the reasonable cost exchange for disconnection recovery capability.
[0210] C. Cost Analysis in Drop-off Scenarios
[0211] Disconnection scenarios are the key evaluation target of DBPMDA and the crucial part that differentiates this method from existing comparative solutions. Figure 6 and Figure 7The additional communication overhead and additional total computational overhead during the recovery phase for each scheme under different disconnection rates are given.
[0212] from Figure 6 It can be seen that DBPMDA's additional communication overhead is always 0 under all test downtime rates. This means that once a node goes offline before the round deadline, DBPMDA does not require online smart meters to re-upload auxiliary information, nor does it rely on the offline node to re-upload. Instead, CC completes unidirectional correction and recovery based on the frozen candidate set, the effective participation set, and the cross-set boundary edges.
[0213] In contrast, RPMDA consistently requires non-zero additional communication within the pdrop range of 0.01 to 0.30, with its additional communication volume decreasing from 62.13 KB to 44.00 KB; while MDA-FLH's additional communication volume increases from 1.89 KB to 56.62 KB. It's important to note that RPMDA's additional communication decreases with increasing disconnection rate, which does not necessarily mean its recovery mechanism is superior. Rather, it's because it relies on surviving nodes to perform a secondary upload; the more disconnected nodes there are, the fewer nodes can participate in the second round of interaction. In other words, RPMDA's "decreasing trend" essentially reflects a reduction in the number of terminals participating in recovery, rather than the recovery mechanism eliminating its interaction dependency.
[0214] from Figure 7 It can be seen that the additional recovery computation of DBPMDA is entirely concentrated on the CC side and increases with the drop rate, but remains within the millisecond range overall. When the drop rate increases from 1% to 30%, the total additional computation time of DBPMDA only increases from 0.1691ms to 2.5412ms. This increase is not random, but directly related to the number of cross-set boundary edges: the average number of boundary edges increases from 10.0 to 209.33, indicating that the additional cost of DBPMDA mainly comes from the CC's edge-by-edge reconstruction and correction of the residual cooperative mask.
[0215] Further examining the comparison of the experimental results, DBPMDA not only achieved zero additional communication under low to medium call drop rates, but also had a lower total additional computation time than RPMDA. For example, at pdrop=0.10, DBPMDA's total additional computation time was 1.1124ms, lower than RPMDA's 1.3717ms, and far lower than MDA-FLH's 147.9619ms. When the call drop rate continued to rise to 20% and 30%, DBPMDA's total additional computation time was 1.9604ms and 2.5412ms, respectively, slightly higher than RPMDA's 1.2217ms and 1.0717ms; however, even so, RPMDA still required 50.25KB and 44.00KB of additional communication, respectively, while DBPMDA remained at zero. Therefore, under high call drop rate conditions, the real cost of DBPMDA is not that "recovery becomes unacceptable," but rather that "trading a small amount of central-side computation for the complete elimination of secondary terminal participation."
[0216] This result reflects the fundamental differences in fault-tolerant recovery approaches among the three schemes. RPMDA's recovery mechanism tends to push fault repair tasks back to smart meters that are still online, making it lighter in normal scenarios, but inevitably introducing secondary messages after a disconnection. MDA-FLH achieves fault tolerance through share generation and reconstruction, but its recovery communication and computation increase significantly with the disconnection rate. DBPMDA, on the other hand, concentrates the recovery burden at the control center, completing recovery without increasing terminal interaction by freezing the candidate set and correcting edge behavior. For edge-assisted smart grids, terminal online stability, uplink quality, and response latency are often more sensitive than those at the control center (consuming 1-2ms more computation), making DBPMDA's advantage in disconnection scenarios even more significant in engineering applications.
[0217] This paper addresses the privacy-preserving aggregation recovery overhead caused by device outages in fog-assisted smart grids, proposing a privacy-enhanced multidimensional data aggregation scheme, DBPMDA, that supports outage tolerance and error correction. This method combines CRT multidimensional packaging, dynamic pseudonyms, neighbor collaborative masks, and SM-CC exclusive masks to achieve privacy-preserving data aggregation without the need for a strongly trusted third party in conventional aggregation. Furthermore, this method designs an error correction and recovery mechanism executed unidirectionally by the control center, enabling the system to recover the true aggregation results even when some smart meters go offline before the cycle deadline, without requiring retransmission from the offline nodes or secondary responses from surviving nodes. Security analysis shows that DBPMDA can meet security objectives such as data confidentiality, integrity, anonymity, and outage tolerance. Experimental results demonstrate that the scheme has acceptable baseline overhead in scenarios without outages, while achieving zero additional communication in outage scenarios and controlling recovery computation within milliseconds, making it more suitable for resource-constrained smart grid IoT environments.
Claims
1. A privacy-enhanced data aggregation method that supports offline fault tolerance and error correction, characterized by: Includes the following steps: (1) Establish a privacy-enhanced data aggregation system that supports fault tolerance and correction in case of disconnection; the system includes: Key Generation Center (KGC): Used for system initialization, parameter generation, entity registration, and partial private key issuance; Smart Meter (SM): Used for multi-dimensional data acquisition, CRT packetization, mask overlay, dynamic signature, and reporting; Fog Node (FN): Used for message reception, batch signature verification, ciphertext aggregation, metadata encapsulation and forwarding; Control Center (CC): Used for collaborative graph construction, seed negotiation, disconnection detection, residual mask reconstruction, ciphertext correction, and CRT unpacking; (2) System initialization: The key generation center KGC generates elliptic curve public parameters, system master key and master public key, and configures Chinese Remainder Theorem (CRT) parameters that satisfy the overflow prevention constraint for multidimensional data packaging and unpacking; (3) Entity registration and key pre-distribution: The control center CC and fog node FN complete static identity registration; the smart meter SM generates dynamic pseudo-names in batches, the key generation center KGC issues partial private keys for the dynamic pseudo-names in batches, and the smart meter SM generates the current round of dynamic certificateless key pairs in combination with the long-term secret value. (4) Sparse collaborative graph construction and seed presetting: The control center CC constructs a global sparse undirected collaborative graph. Adjacent smart meters SM negotiate edge collaborative seeds through elliptic curve Diffie-Hellman key exchange. Each smart meter SM negotiates a dedicated shared seed with the control center CC. (5) Terminal reporting generation: The smart meter SM collects multi-dimensional data and packages it into a single integer through CRT. It then overlays a collaborative mask based on neighbor relationship and an SM-CC exclusive mask to generate ciphertext, which is then reported to the fog node FN after dynamic certificateless signing. (6) Batch verification and ciphertext aggregation: After the reporting deadline, the fog node FN freezes the candidate list, performs batch signature verification on the reported messages, performs addition aggregation on the valid ciphertext, and sends the aggregated ciphertext and the set of valid participants to the CC; (7) Offline correction and result recovery: The control center (CC) identifies the offline node based on the frozen candidate set and the effective participation set, locates the cross-set boundary edge, reconstructs the residual collaborative mask locally to complete the correction, and obtains the multidimensional aggregation result by unpacking through CRT after removing the sum of the exclusive masks.
2. The privacy-enhanced data aggregation method supporting disconnection tolerance and error correction as described in claim 1, characterized in that: The CRT configuration in step (2) is as follows: To support efficient aggregation of multidimensional data, the system first sets the total number of statistical dimensions of the smart meter data to D; for the k-th dimension data ( The system assigns it a CRT base module. , among which Pairwise coprime prime numbers; to ensure that the control center does not experience data distortion due to modulo overflow during final unpacking, the system must pre-set strict overflow prevention constraints; let the maximum possible reported value of a single table on this dimension be... The maximum number of online meters that can participate in this aggregation round is [number missing]. And the system has a reserved fault tolerance margin of Then the k-th modulus The following boundary inequality must be satisfied: ; Based on the above constraints, calculate the total number of modules M of the CRT: ; Simultaneously define a pseudo-random generator and pseudo-random functions ; Subsequently, for each dimension k∈ [1,D], KGC calculates the corresponding CRT coefficients. And its model The inverse element below ; Finally, KGC initializes the publicly available global system parameters to... .
3. The privacy-enhanced data aggregation method supporting disconnection tolerance and error correction as described in claim 1, characterized in that: In step (3), the smart meter SM generates dynamic pseudo-names in batches: to avoid the KGC becoming a communication bottleneck in the system due to high-frequency periodic reporting, during network idle periods, Generate dynamic pseudonyms in batches for a future time window; for any round within the window , Randomly select a temporary random number Calculate pseudonym component and ,get ; Construct a batch of encrypted pseudonyms All credentials will be sent to the KGC application system. When KGC receives the batch request, it uses the system master key s to calculate And based on this, the true identity of the electricity meter can be restored without loss. If the recovered For legitimate registered users, KGC continues to generate partial private key materials for each round of pseudonyms; for each round KGC randomly selects a number. , calculate as well as And generate a portion of the private key for that round: ; Subsequently, KGC will contain a set of T sets of credentials. Send via secure channel ; In the When aggregating data, No online communication or interaction with KGC is required; only the corresponding voucher for this round is retrieved locally and verified through equation checking. Verify legality and completeness; After verification, set For long-term secret value The resulting fixed-length bit string is encoded and used as the key input for the pseudo-random function (PRF), combined with the current round identifier. With this round of dynamic pseudonyms Locally generated local secret value in this round: ; final, The complete private key pair for this round was constructed. ,in And calculate the user's public key for this round. Used for subsequent authentication reporting and signature generation.
4. The privacy-enhanced data aggregation method supporting disconnection tolerance and error correction as described in claim 1, characterized in that: In step (4), the edge collaboration seed is as follows: During the initial deployment, CC constructs a connected global baseline sparse undirected graph G = (V, E) based on the set of smart meters that have been initialized in the region, which serves as the reference collaboration topology for subsequent rounds of data aggregation. The vertex set V contains all legal terminal nodes, and the edge set E describes the pre-established collaboration relationships between nodes. To balance the single-point collaboration overhead with the later recovery complexity, the maximum degree of each node is limited to a small constant d (satisfying d≪N). Subsequently, CC sends the baseline topology G to FN, and FN synchronizes the topology information required for subsequent aggregation to the smart meters in its coverage area. Entering the During round data aggregation, the global baseline topology is securely mapped to a real-time collaborative graph based on the dynamic pseudonyms of this round. Among them, vertex set From all active participants in this round The pseudonym structure; and the real-time edge set Then it is selected from the baseline edge set E—that is, if there are physical cooperative edges in the baseline graph. If both terminals are active in this round, then a corresponding pseudo-named collaborative edge will be generated in this round. ; After receiving the topology information, adjacent smart meters in the graph need to negotiate a cooperative seed based on sparse neighbor relationships; for the edge set any edge in , First, obtain the user's public key published by the neighboring node. And combined with its own dynamic private key Calculate the shared secret value Similarly, Computable ,and ; Both parties further linked the shared secret value to the current round. The final collaborative seed is calculated by hashing the dynamic pseudonyms of both parties. ; In addition, to ensure that CC can handle data corruption caused by internal node failures during the subsequent aggregation and unpacking stages, each We also need to negotiate a dedicated shared seed with CC; Using the static public key published by CC ,calculate: ; CC can leverage its long-term secret value and The public key of this round The shared seed was calculated without any online interaction. .
5. The privacy-enhancing data aggregation method supporting disconnection fault tolerance and correction as described in claim 1, characterized in that: In step (5), the encrypted message is reported: in the... In the round of data aggregation, smart meters The locally collected multi-dimensional electricity consumption data needs to be securely packaged, masked, and signed before being reported to the fog node FN. set up In the The multidimensional measurement data vector collected in the round is The k-th dimension of the data satisfies , k∈[1,D]; based on the set CRT parameters, First, the D-dimensional plaintext data is losslessly packaged into a single integer: ; in , ; To ensure that the mask value and the packed plaintext are in the same addition field Inside, The shared seed material obtained through negotiation needs to be further expanded into a mask value modulo M using a pseudo-random generator; for each cooperative edge The edge collaborative mask is defined as ; and The dedicated mask between the control center (CC) and the control center (CC) is defined as follows: ; remember For real-time collaborative graph Middle node The set of neighbor pseudonyms; to ensure that the cooperative mask can cancel out in pairs between nodes during the subsequent aggregation process, the following deterministic symbolic function is defined: ; therefore, The final reported ciphertext is generated as follows ; Subsequently, Use its complete dynamic certificateless private key Sign the encrypted report; Random selection , and calculate: ; Next, calculate the hash value. ; And generate a signature scalar. ; Therefore, node The signature is The final reported message is constructed as follows ; Only in the first Only messages that arrive at FN before the reporting deadline of the current round will be included in the aggregation processing of the current round.
6. The privacy-enhancing data aggregation method supporting disconnection fault tolerance and correction as described in claim 1, characterized in that: Step (6) describes batch verification and ciphertext aggregation: in the first... After the reporting deadline, the fog node FN collects all received reporting messages and performs message validity verification before performing aggregation; This represents the set of candidate reports received by FN in this round; For any received message FN first checks whether the round identifier τ it carries is consistent with the current round; then, FN recalculates. ; as well as ; Based on equation (14) and the above-mentioned construction method of the dynamic partial private key, a legitimate message should satisfy the following single-message verification equation: ; Considering the high overhead of verifying signatures one by one in scenarios with concurrent reporting from large-scale smart meters, FN can adopt a batch verification method to uniformly verify all candidate signatures in this round; let... Given the set of message indexes participating in batch verification, FN accepts the batch of messages when the following expression holds true: ; If batch verification fails, FN verifies each invalid message one by one and removes the message from the current round; after removing invalid messages, FN obtains the next invalid message. The valid reporting set of the round is denoted as ; Subsequently, FN performs addition aggregation directly on all valid ciphertexts: ; In addition to the aggregated ciphertext, the control center (CC) also needs to know the set of legitimate nodes that successfully participated in the aggregation in this round, so as to remove the unique mask corresponding to each node in the subsequent recovery phase; therefore, FN simultaneously constructs the set of valid participating nodes. ; This set records the identity information of the legitimate nodes that successfully passed verification and actually participated in the aggregation in this round. It is used by CC to locate the exclusive mask of the corresponding node and complete the result recovery during the recovery phase. Finally, FN encapsulates the aggregate ciphertext, the set of valid participating nodes, the authentication code of the current round's frozen candidate set, and the round identifier into an aggregate message. ; FN utilizes the long-term, static, and complete private key obtained during the initialization process. , For aggregated messages Perform the signature; FN first randomly selects... , and calculate Then, FN calculates the signature hash value of the aggregated message. ; And generate a signature scalar. ; Therefore, the signature representation of FN for aggregated messages is as follows: ; Ultimately, FN will authenticate the aggregated message. ; Send to Control Center (CC).
7. The privacy-enhanced data aggregation method supporting disconnection fault tolerance and correction as described in claim 1, characterized in that: The disconnection correction process in step (7) is as follows: The control center (CC) receives the aggregation message. Next, the signature and message integrity from FN are verified to ensure that the aggregation result does indeed come from a legitimate fog node and has not been tampered with during transmission. In a normal aggregation scenario, CC only needs to remove the exclusive mask corresponding to all valid nodes and perform CRT unpacking to restore the multidimensional aggregation result of this round. For any valid node identifier pair CC uses its own private key Reconstruct the dedicated seed shared with this node: ; And regenerate the same exclusive mask value ; The sum of the unique masks of all valid nodes in this round is: ; Subsequently, the control center (CC) retrieved the aggregated ciphertext. Remove the total unique mask from the middle to get ; From equations (11) and (10), it can be seen that when all valid reports participate in the aggregation normally, the cooperative masks introduced between adjacent nodes will cancel each other out pairwise on an edge-by-edge basis after aggregation and summation. Therefore, we have ; Finally, the control center (CC) uses the CRT to perform dimension-by-dimensional reconstruction of the aggregated packaged results, obtaining the sum of data for each dimension; for any dimension k ∈ [1,D], we have 。