 Research
 Open Access
 Published:
Multiresolution privacyenhancing technologies for smart metering
EURASIP Journal on Information Security volume 2017, Article number: 6 (2017)
Abstract
The availability of individual load profiles per household in the smart grid enduser domain combined with nonintrusive load monitoring to infer personal data from these load curves has led to privacy concerns. Privacyenhancing technologies have been proposed to address these concerns. In this paper, the extension of privacyenhancing technologies by waveletbased multiresolution analysis (MRA) is proposed to enhance the options available on the user side. For three types of privacy methods (secure aggregation, masking and differential privacy), we show that MRA not only enhances privacy, but also adds additional flexibility and control for the enduser. The combination of MRA and PETs is evaluated in terms of privacy, computational demands, and realworld feasibility for each of the three method types.
Introduction
Intelligent energy systems and socalled smart grids, change the way electricity is generated, distributed, and used. The widespread rollout of smart meters is one of the consequences. Such smart meters record energy consumption in a specified granularity (usually the time between readings is between 1 and 15 min, cf. Table 10 in [1]) and have the ability to transmit these load curves in a specified interval (e.g., once a day). Therefore, this involves a considerable amount of information that needs to be processed and analyzed. Smart grids further demand accurate and finegrained data on network status, as well as a detailed analysis of load profiles from customers [2]. This is crucial for applications such as billing with dynamic pricing, demand response, and network monitoring.
However, it has been shown that personal information on the enduser can be inferred from finegrained load curves [3, 4], and this has led to privacy concerns (e.g., [5]). This also implies some severe privacy threats such as the identification of customer presence at home, customer habits, and even the customer position when using electric vehicles [6]. In [7, 8], the authors show the impact of resolutions on privacy and that information can be deduced even at comparably low frequencies.
The accuracy of the inferred information is directly connected to the available resolution of the load data. A number of methods have been proposed to balance the need for privacy with the information needed for correct operation of smart grids. Two types of approaches show high potential to resolve this issue: (i) privacyaware aggregation of encrypted load curves; and (ii) representation of load curves in multiple resolutions, each associated with different access levels.
Privacyaware aggregation
Approaches for privacyaware aggregation can again be divided into three categories: protocols using masking [9, 10], protocols using secure aggregation by homomorphic encryption [11, 12], and protocols using differential privacy [13, 14]. In this paper, the focus is put on the application of multiresolution load curve representation in combination with secure aggregation protocols.
Privacyenabling encryption for smart meter data by the use of homomorphic encryption is suggested by, [11, 12, 15, 16], allowing the aggregation of encrypted signals, also termed “secure signal processing”. A recent overview of secure signal processing, covering four proposals for privacypreserving smart metering aggregation is given in [17]. Protocols that are using masking for aggregating data have been proposed by [9, 10, 18]. Masking approaches aim to hide individual contributions by additive noise, but still produce a valid aggregate. Differential privacy follows a similar approach, where contributions are hidden in a noisy aggregate that fulfills some statistical properties. Differential privacy is adapted for applications in the smart grid by, e.g., [13, 19–21].
Multiple resolutions
Approaches of this type suggest to represent load curve data in multiple resolutions, where each resolution can be used for a different purpose — e.g., low resolution for billing — and is therefore disclosed to selected parties only, e.g., [22]. Using the wavelet transform in order to produce an integrated bitstream supporting multiple resolutions has been proposed by [23]. Combined with conditional access, i.e., different encryption keys for each resolution [24], this waveletbased representation allows usercentric privacy management: access can be granted or revoked for each resolution. Access to high resolutions, which are privacysensitive, may be reserved to a small number of trusted entities only, whereas resolutions of medium granularity may be provided more freely, e.g., to contribute to network stability (in exchange for lower energy prices or other incentives). An approach combining multiple resolutions and direct user control for smart metering is shown in [25]. The combination of MRA with homomorphic encryption, which is also one of the topics in this paper, has been discussed in [26].
Contribution
In this paper, a set of three privacypreserving smart metering data aggregation methods that combine the two types of approaches, namely, multiresolution representation and (i) homomorphic encryption; (ii) masking; and (iii) differential privacy, is proposed. This improves the capabilities for managing privacy requirements, as the combination of “traditional” privacyenhancing methods with multiresolution representation significantly increases the choices available for both system operator and enduser. We further contribute the sketch of a protocol for distributing keys and for providing distinct resolutions to different parties. Access control does not relate to the aggregated signal as a whole anymore, but access can be granted on the aggregate on each resolution individually. This is an important feature, as it allows to grant access to participants in the smart grid system, based on their roles and the functions they have to fulfill. Each role can be assigned access to the aggregate on the minimum resolution necessary to fulfill the functions associated with this role.
The combination of MRA with homomorphic encryption has previously been proposed in [26]. This paper extends the previous work by applying multiresolution techniques to masking and differential privacy. A comprehensive presentation, discussion, and evaluation of multiresolution representation in combination with widely used PETs is given.
The rest of this paper is structured as follows: in section Multiresolution PETs the application scenario and common definitions are introduced. In section Background, background is presented on wavelets for the multiresolution representation of load curves as well as on the three privacyenhancing technologies (PETs) homomorphic encryption, masking, and differential privacy. Sections Multiresolution secure aggregation, Multiresolution masking, and Multiresolution differential privacy describe each of these PETs individually and propose the combination of these approaches with wavelets. In section Evaluation, the security features of the proposed protocols, as well as cost and complexity are discussed, and further, the system is evaluated with respect to realworld applicability on the basis of a prototypical implementation. Section Conclusions summarizes this paper and gives an outlook to future work.
Multiresolution PETs
While homomorphic encryption, simple masking, and differential privacy are efficient methods for the spatial reduction of resolution, temporal aggregation is not sufficiently covered with any of these approaches. Temporal resolution of time series can be reduced by subsequently applying a number of filters. When —for instance — applying an appropriate lowpass filter to a time series, all frequencies above the cutoff frequency are omitted, which results in a signal with less information. This is effectively performed by applying the wavelet transform, in particular the Haar wavelet, to a series of values.
Application scenario
Smart meter data has a wide range of applications, such as inhouse monitoring, billing, network monitoring, and demand response. As pointed out in [2, 8], data resolution depends on the use case and has an impact on the privacy, i.e., the information the recipient can gain from that data. In the following, we introduce three typical application scenarios and motivate the need for multiresolution PETs and their flexibility with respect to spatial and temporal resolution.

1.
Settlement and profiling. In the energy market electricity generators and electricity suppliers trade at a wholesale marketplace. The arrangement of payments among these parties is called settlement [2, 9]. Profiling is used for determining forecasts and training models, e.g., in the UK this is based on halfhourly meter data from a representative sample of households [2]. Both applications thus require data in a comparably low resolution, but spatially aggregated over a number of households.

2.
Network monitoring. Network monitoring is used for detecting outages and peaks and thus maintaining the stability of the power grid. A detailed monitoring of power consumption, voltage levels and phase shifts is an important feature for network operators. For monitoring purposes, data at a high temporal resolution but with little spatial resolution is required.

3.
Billing. Billing requires meter data in a low temporal resolution (e.g., one value per month or year), however, on a per household or on a per meter basis, hence not spatially aggregated at all. In future applications, dynamic pricing might also require more finegrained data [27]. Multiresolution PETs enable the provision of load profiles in certain resolutions depending on the particular use case.
Topology
For data aggregation in the smart grid, a number of different topologies are proposed, such as star topologies (e.g., [20, 28]), ring topologies (e.g., [10]), and tree topologies (e.g., [16]). In any case, the smart meters generate a time series of values that is either sent to a dedicated collector node or to a data concentrator, which is responsible for aggregating these measurements. Or the smart meters aggregate in a hopbyhop manner, i.e., a smart meter sends its measurement to its successor or parent node where this measurement is combined with its own value. The data concentrator and the last smart meter, respectively, forward the aggregated measurements to one or more recipients (in the following referred to as aggregators). Each aggregator receives data in a different spatiotemporal resolution depending on the role of the recipient and the needed granularity. Figure 1 shows examples for star and tree topologies. For the protocols presented in this paper, the aggregation method (direct or hopbyhop) is not restricted and either of these approaches can be used.
Problem statement and definitions
Given a number of smart meters SM_{ i }, for i=1…N, one or more aggregators A _{ k }, for k=1…M, and a trusted third party (TTP), each meter i measures a time series of values, i.e., at time t it measures m _{ i,t }. In this paper, a series of values measured by a meter i is denoted as m _{ i }. In order to protect customer privacy, the sum of the energy consumption for all smart meters should be provided to the aggregator. The following restrictions and requirements apply (aggregator oblivious): (i) no aggregator can gain any information about individual contributions; (ii) each aggregator can only unmask a valid sum up to the time resolution r≤R (with R as the maximum resolution) that is intended to be revealed for this aggregator. Hence, the aggregator is considered to be untrusted. In practice, the smart meters can be considered to be physically arranged in either a tree or a ring topology. Logic topologies may defer and may depend on the concrete protocol. For homomorphic encryption and masking, the TTP is needed to provide the keys (pk^{r}, sk^{r}) and the key shares (key^{r}), respectively, to the smart meters and aggregators.
For this paper, we assume that there is a sufficient underlying secure communication infrastructure, i.e., the bidirectional and reliable exchange of information and the secure distribution of keys is given as well as authenticated communication among participants is guaranteed by, e.g., AES [29] and X.509 certificates [30]. We further assume all devices to be tamperproof, i.e., the meter value itself cannot be manipulated.
Background
In this section, we briefly review the existing work on multiresolution representation, homomorphic encryption, masking, and differential privacy.
Waveletbased representation
A wavelet transform starts with the original load curve m=(m _{1},m _{2},…,m _{ T }), which denotes a series of values. Each step splits the original load curve into a highpass component h and a lowpass components l. If the wavelet transform is performed recursively in d steps, this is denoted as W _{ d }(m). In each step q, for q=1,…d, half of the data (the highpass data) h _{ q } are stored as the wavelet coefficients (subband) of scale q, and the next step is performed for the lowpass data. At the end of the transformation, the final subband h _{ d } consists of a fraction of 2^{−d} samples compared to the original load curve. The higher the scale q, the lower the time resolution r:=d−q. Reindexing, and introducing the notation h ^{r}=h _{ d−q }, at the end of the transformation one obtains a sequence h=(l _{0},h _{1},…,h _{ d }).
The synthesis step of the inverse wavelet transform W ^{−1} starts with the lowest resolution r=0. To get the next higher resolution of the signal, the next higher resolution subband is needed, so that in a series of d steps one finally obtains the original load curve (since we only consider lossless transformations). In order to provide a signal m ^{r} with maximum resolution r, only r synthesis steps must be performed and only the subbands with resolution r≤R, i.e., m ^{r}=(l _{0},h _{1},…,h _{ r }), are needed. Denoting the selection of the r highest resolutions as a function T _{ r }, this can be written as
This selection can be realized in practice by replacing the highpass subbands with zeros, i.e., applying T _{ r }(·) to a sequence W(m)=(l _{0},h _{1},…,h _{ r },…,h _{ d−1},h _{ d }) yields a sequence T _{ r }(W(m))=(l _{0},h _{1},…,h _{ r },0,…,0). This limits, after applying the inverse wavelet transform, the resolution of the signal. Making the signal available at the needed resolution instead of the full resolution increases privacy because less (personal) information can be deduced [8].
In [23], a variety of wavelet filters regarding their utility for the multiresolution representation of load curves was evaluated. Only lossless transformations are useful in the context of smart metering. The Haar wavelet filter preserves the average over all resolutions, which is an important property for many use cases. Using the lifting implementation of the Haar wavelet, the transformation can be realized efficiently.
The lifting steps for the forward transform with the Haar wavelet have been formulated by [31]. As the original Haar wavelet uses real coeffcients, it is illsuited for use with homomorphic encryption. Therefore, for the combination of PETs, a modified version of the Haar wavelet is used that only produces integer values for the transformed load curve. While this is generally not an issue for masking and differential privacy, we still use the modified version for all PETs. A detailed description of the Haar wavelet lifting scheme can be found in [23]. Note that the average of the original series is still preserved over all resolutions for the modified Haar filter:
Additive homomorphic encryption
Following previous proposals [11, 12, 15] for this work, the Paillier cryptosystem [32] is employed. This additive homomorphic cryptosystem has the following important property, which is called the additive property:
This property means that the decryption of the product of the ciphertexts is the sum of the original plaintext messages.
In a practical setting, the network is assumed to have treelike connections. Each smart meter sends its measured load in encrypted form to its parent node. The parent smart meter multiplies the obtained encrypted signals with its own encrypted signal and in turn sends this product to its parent node. Finally, the aggregator multiplies the obtained signals and decrypts the product. Due to the additive homomorphic property, the result is the sum of the measurements. With E and D denoting Pailler encryption and decryption, this can be stated as
Privacy is preserved because of the distributed way of processing. Smart meters only have the plaintext information of their own messages, because they cannot decrypt the messages they get. The aggregator can decrypt messages, but, as it receives the product of the individual ciphertexts, it can only decrypt the sum of the load curves.
Masking
Masking refers to the obfuscation of individual contributions, such that the summation of load profiles over a number of households yields the correct sum, but no individual contribution is traceable. This is achieved by adding for each SM _{ i } at time t a random share s _{ i } in the range 1,…,κ−1 to the meter value m _{ i }. This results in a masked meter value \(\tilde m_{i} = m_{i} + s_{i} \mod \kappa \). The set of random shares is constructed in such a way that
hence, the shares cancel each other out upon summation.
Principally, smart meters calculate the masked value \(\tilde m_{i}\) and submit this value to an aggregator. Once the aggregator has received all masked values, it can calculate the unmasked sum. If a single value is missing, the secret shares will not cancel each other out, and neither the aggregate nor any individual contribution can be reconstructed.
Kursawe et al. [9] present a number of methods for constructing such shares that meet the requirement for untraceability of individual contributions: (i) aggregation protocols for determining the sum as described above; and (ii) comparison protocols that require the aggregator already knows an (at least) approximate sum. For our purpose, we focus on the lowoverhead protocol from the first group which has already been used in practical implementations [33]. For the lowoverhead protocol, all smart meters hold a public key \(\phantom {\dot {i}\!}\text {pk}_{i}=g^{X_{i}}\) with X _{ i } as a secret key and \(g \in \mathbb {G}\) as a generator of a group satisfying the computational DiffieHellman assumption [34]. Each SM_{ i } is given the set of all public keys and computes a set of N−1 shared keys by \(K_{i,j}=H(\text {pk}_{j}^{X_{i}})\) with j=1…N.
As described in [9], for each meter value at time t each SM_{ i } creates a random share by
where b(i,j) returns 1 if j<i and 0 otherwise, and \(H: \{0,1\}^{*} \rightarrow \mathbb {G}\) is a hash function mapping its input to an element of \(\mathbb {G}\). This term in Eq. 6 results in +H(K _{ i,j }t) for b(j,i)=0 and −H(K _{ i,j }t) for b(j,i)=1. Summing up this values assures that all s _{ i } cancel each other out pairwise since \(\phantom {\dot {i}\!}K_{i,j} = K_{j,i}\) because of \(g^{X_{i} X_{j}} = g^{X_{j} X_{i}}\phantom {\dot {i}\!}\). This is shown for N smart meters at one point in time t in Table 1, where the rows represent k, and the columns represent i for values from 1 to N. Summing up the resulting terms in each row yields the random share s _{ i,t }.
Differential privacy
Differential privacy is a privacy definition that defines privacy of a function f by an indistinguishability property of the function result. In this paper, the function is the time series of the sum of different smart meter measurements \(f(t) = \sum _{i=1}^{N} T_{r} \left (W(m_{i})\right)\). However, note that here the noise is added to the selected resolutions (operator T _{ r }) in the wavelet domain and not in the original domain. The aim is that by examining a perturbed result \(\tilde f(t)\), one cannot distinguish whether a single person’s entry is contained or not. Since the noise is only added to the needed resolutions ≤r, only a small amount of noise is added. More formally, two neighboring datasets \(\mathcal {D}\) and \(\mathcal {D}'\) that differ in the entries of a single person/household only are considered. The function mechanism \(\tilde f\) is then εdifferentially private, if for a small privacy parameter ε>0
While differential privacy is a theoretically appealing definition with nice properties (e.g., a function is differentially private under postprocessing), it is achieved by perturbing the function result with Laplacian noise \(\tilde f(t) = f(t)+n_{t}\) [19], where each noise value n _{ t } is independently and identically sampled from a Laplacian distribution n _{ t }∼Lap_{ λ } (the parameter λ must be set using the sensitivity of the function f [19]). As a drawback, the function result is not exact and can be useless if the number of entries in the dataset is too small.
More specifically, according to the Theorem of Dwork [19], the L _{ p } sensitivity of a function \(f: D^{n} \to \mathbb {R}^{d}\) is the smallest number S _{ p }(f) such that for two neighboring datasets x and x ^{′}
The most common mechanism that achieves differential privacy is the Laplace mechanism \(\mathcal {M}_{L}\) that perturbs the output of f by adding noise from a Laplace distribution having the density
in a noninteractive way, yielding
An important theorem states that the Laplace mechanism is εdifferentially private if the parameter λ is chosen by
The resulting noise does not need to be added directly to the function result. It can also be added in a distributed manner [20, 35] when each contributing party i adds i.i.d. noise G _{ λ,N } defined by
where G^{1} and G^{2} are two i.i.d. gamma distributions with identical shape parameter 1/N and scale parameter λ. Then
Multiresolution secure aggregation
In this section, the combination of the wavelet transform with homomorphic encryption is presented. The principal scheme is shown in Fig. 2. First, the basic approach with only one aggregator is presented, and second, it is shown that this approach can easily be extended to multiple aggregators.
Principal secure aggregation scheme
Homomorphic encryption is applied to each resolution separately with a different pair of keys (pk_{ r },sk_{ r }) for each resolution r. The resulting signal m is the sum of all signals m _{ i } (each of which has a maximum resolution of R) at resolution r≤R, whereby, W(·) denotes a wavelet transformation. The collector node can perform aggregation (i.e., multiply) in the encrypted domain, i.e., it does not have any keys. This ensures that the aggregating node cannot get information about the loads of its children, e.g., by divisions.
Basic approach
The basic approach covers a number of smart meters and a single aggregator. Writing the principal scheme mathematically yields the following calculation of the ciphertext c
The ciphertext c is decrypted by the aggregator by
Using this procedure, the wavelet transformation is compatible with homomorphic encryption, i.e., the property that the message m equals the sum of the messages is preserved (choosing r = R). Even more, choosing r≤R, the decrypted message m equals the sum of the messages of resolution r:
The aggregator gets the product of the encrypted messages and can therefore not extract any information about the individual messages. However, it can calculate the sum of the messages which is the information needed, e.g., for load forecasting. Note again that the product of the ciphertexts is calculated in either a distributed way by the smart meters or by a data concentrator and not by the aggregator (see section Topology). The number n must be chosen depending on the desired security level. It further determines the aggregation group size, since \(\prod _{i} E\left (T_{r}\left (W\left (m_{i}\right)\right)\right)<n^{2}\) and \(D\left (\prod _{i} E\left (T_{r}\left (W\left (m_{i}\right)\right)\right)\right)<n\). In section Space considerations, the issue of aggregation group sizes is discussed in detail. For the sake of readability the modulus parts of the calculations are omitted in the following proof.
Proof
Without loss of generality, two messages are considered. To simplify the analysis the notation y _{ i }:=T _{ r }(W(m _{ i })) is used, so E(T _{ r }(W(m _{ i })))=E(y _{ i }). The aggregator calculates the signal W ^{−1}(D(c)). Using the fact that the ciphertext c is the product of the individual ciphertexts and the homomorphic encryption property leads to
Substituting the y _{ i } using the linearity of the wavelet transform and the definition of m ^{r} yields
So in general for N different messages and ciphertext \(c=\prod _{i} c_{i}\), the desired property (16)
is obtained. □
Multiple aggregators
An example usecase scenario is the use of aggregated load information for energy monitoring by the network operator as, e.g., suggested by [17]. The approach proposed here adds an additional layer of flexibility by making the aggregates available at different resolutions and only grant access to parties on the resolutions they need to fulfill a specific task. In combination with suitable key management, this approach implements the “needtoknow” principle of access for aggregated signals. The secure aggregation scheme presented above can be extended to support multiple aggregators. Each aggregator receives data in a certain resolution. This is easily achieved by encrypting with different keys at the collector node.
Multiresolution masking
In this section, the multiresolution masking approach is presented. The principal scheme is shown in Fig. 3. After briefly recapitulating the principal masking scheme, first, the basic approach for one aggregator is presented and second, this approach is extended to multiple aggregators receiving data in different resolutions. The latter is especially useful for application scenarios such as settlement and profiling, where different parties should be provided information in different resolutions.
Principal masking scheme
Each smart meter SM_{ i } calculates at each time t=0…T a masked value \(\tilde m_{i,t}\) by adding a random share s _{ i,t } to its measured value m _{ i,t }. Upon spatial aggregation, the shares s _{ i } cancel each other out and the aggregator receives an unmasked sum. Note that in the following, operations involving masking of type a+b mod κ are written as a+b, i.e., the modulo parts are omitted for the sake of brevity and readability.
This approach can be enhanced by allowing to reduce the temporal resolution of the signal. Even more, a number of different resolutions can be provided within the same bitstream, and the key for a certain resolution is only given to the aggregator. This is achieved by applying a wavelet transform to the signal. Hence, even if the aggregator is given the full load curve data, it can only unmask the bitstream up to the resolution for which it holds the key share.
Basic approach
The basic approach describes spatiotemporal masking with one aggregator.
Initialization
TTP agrees with all smart meters in the group G={SM_{1},…,SM_{ N }} on providing a resolution r of a total of T values to an aggregator A.
Masking
Simultaneously, all SM_{ i } and TTP calculate a random share s _{ i,t } for t=0…T, as described for the principal masking above. Each smart meter now holds a set of shares s _{ i } and TTP holds a key share key.
All SM_{ i } now calculate a series of masked values \(\tilde m_{i} = W(m_{i}) + s_{i}\) and submit this series to A. TTP calculates the key share key^{r} for the resolution r of its key share by T _{ r }(key) and submits this to A. Note that the wavelet transform is only applied to the metered value and before adding the random share.
Aggregation
After receiving both, the shares from all smart meters and the key share A can calculate the aggregated sum over all smart meters at a time resolution r by
If the aggregator attempts to retrieve any resolution r ^{+}>r, the result will be noisy and useless. However, the aggregator may reconstruct arbitrary resolutions r ^{−}≤r from the data.
Proof
Proof that reconstructing a resolution r ^{+} for a key with resolution r will be noisy. The aggregator receives an aggregation of the masked meter values
and a key share key^{r}=T _{ r }(key) for some resolution r. Applying this function T _{ r }(·) to a series of values replaces the highpass components by zeros. The key share and the random shares for masking have the property that
but that the key share for a particular resolution r yields
since the highpass components are set to zero in the key share and do not cancel out the corresponding components in the sum of the shares. Therefore,
and
However, after applying the function T _{ r }(·) with the same parameter r to the equation, this yields Eq. 20 which is the correct result for this particular resolution r. Note that the wavelet transform is recursively applied to the resulting lowpass band, i.e., any resolution r ^{−}<r can be retrieved, since applying T _{ r }(·) to the key share only replaces the highpass components by zero, and only the lowpass components remain for reconstructing the signal. □
Note that this scheme fulfills both of our initial requirements: (i) individual contributions are masked, and the aggregator cannot gain any information without having all the values from all SM_{ i }∈G; and (ii) the highest resolution that is accessible for the aggregator is determined by the resolution of the key share.
Multiple aggregators
The scheme we present in the following extends the basic approach with multiple aggregators that receive data in different resolutions. Extending the scheme requires more overhead and communication than for the secure aggregation. A simple approach would be to have multiple bitstreams in multiple resolutions for each aggregator. The advantage of the MRA approach is, however, to have all the information for different resolutions in a single bitstream where no data expansion occurs. Therefore, a different key share for every recipient is created with the tradeoff of distributing an aggregate of M−1 key shares in addition to the actual key share.
Initialization
For the enhanced scheme supporting multiple aggregators L={A _{1},…,A _{ M }}, a TTP agrees with all smart meters in the group G={SM_{1},…,SM_{ N }} on providing a resolution r _{ k } of a total of T values to each aggregator A _{ k }∈L.
Masking
As in the basic scheme, all smart meters SM_{ i } calculate a random share s _{ i,t } for t=0…T. Again, each smart meter now holds a set of shares s _{ i }, calculates the series of masked values \(\tilde m_{i} = W(m_{i}) + s_{i}.\) and submits this series to all aggregators A _{ k }∈L. TTP calculates a total of M (number of aggregators) key shares key_{1},…,key_{ M }. For each key share k=1…M, TTP further calculates the resolution r _{ k } by \(\text {key}_{k}^{r_{k}} = T_{r_{k}}(\text {key}_{k})\) and submits this to A _{ k }. It further submits the sum of all other key shares \(\sum _{i \neq k} \text {key}_{i}\) to A _{ k }.
Aggregation
After receiving both, the shares from all smart meters and the set of key shares, each A _{ k }∈L can calculate the aggregated sum over all smart meters at a time resolution r _{ k } by
As for the basic approach, both of our initial requirements are fulfilled: (i) individual contributions are masked, and none of the aggregators can gain any information without having all the values from all SM_{ i }∈G and the sum of all other key shares \(\sum _{i \neq k} \text {key}_{i}\); and (ii) the highest resolution that is accessible for each aggregator is determined by the resolution of the individual key share. These requirements are fulfilled due to the properties of the masking approach as introduced in section Masking and formally shown in section Basic approach.
Proof of correctness
In the following, it is shown that applying the wavelet transform to a meter value and masking can be combined in order to provide a certain resolution only. This proof is — for simplicity and without loss of generality — for a single smart meter and a single aggregator. The proof also applies to multiple smart meters and multiple aggregators. The only difference is that instead of a single meter value, share and key, respectively, a (spatially) aggregated sum of values is used. For multiple aggregators, the sum of all other key shares is also required as shown in the previous section.
Proof
Proof for a single aggregator that it is receiving \(m^{r}_{i}\) at the end of the above masking scheme. Starting from
where the braces indicate what the smart meter and the TTP calculate and what the aggregator receives at the end of the protocol, T _{ r }∘W ^{−1} is applied on both sides of the equation:
Due to the linearity of both, the wavelet transform and the function T _{ r }(·) this is equivalent to
Substituting \(m^{r}_{i} = W^{1} \left (T_{r} \left (W \left (m_{i} \right) \right) \right)\), \(s^{r}_{i} = T_{r} \left (s_{i} \right)\) and \(\text {key}^{r}_{i} = T_{r} \left (\text {key} \right)\) results in
Given the property of masking, shares cancel each other out by \(s^{r}_{i} + \text {key}^{r} = 0\), and therefore \(m^{r}_{i} + W^{1} \left (0 \right) = \hat m^{r}_{i}\).
This is obviously equivalent to \(m^{r}_{i} = \hat m^{r}_{i}\), i.e., the aggregator only receives a certain resolution \(m_{i}^{r}\) of the original meter value m _{ i }. □
Multiresolution differential privacy
In this section, it is shown that the wavelet approach can be combined with an additional differential privacy method. The benefit of this approach is an additional εdifferential privacy guarantee (Eq. 7) for the resulting aggregated signal.
Combining wavelets and differential privacy
Combining differential privacy in a distributed way with wavelets, only guarantees differential privacy for the sum, but not for the individual signals. Therefore, combining differential privacy with wavelets alone, would not enhance privacy so that the combination with homomorphic secure aggregation is needed. Similar to the masking approach, the combination with the differential privacy method requires a distributed addition and later summation of random values. The scheme is described in Fig. 2 and leads, using the additive homomorphic property of the encryption, to the following intermediate result.
The additional use of homomorphic encryption is not the only difference to masking. In contrast to masking, the random values are drawn independently from each other from a nonuniform probability distribution G _{ λ,N }, denoted as block DP in Fig. 2. Due to Eq. 13, these distributedly generated probability distributions sum up to the Laplacian distribution which is needed for differential privacy of the aggregate profile
Thus, if the noise parameter λ is chosen such that \(\sum _{i=1}^{N} T_{r_{i}}\left (W\left (m_{i}\right)\right)\) is εdifferentially private, due to the postprocessing property of differential privacy, also \(\tilde f= W^{1}\left (\sum _{i=1}^{N} T_{r_{i}}\left (W\left (m_{i}\right)\right)+\text {Lap}_{\lambda }\right)\) is εdifferentially private. Finally, using the linearity of W,
is shown to be a perturbed function of the smoothed consumption sum. This smoothed consumption sum is εdifferentially private, if the Laplacian noise is set in the right manner. Therefore, in principle, the wavelet decomposition is compatible with differential privacy.
Another difference to the presented masking scheme is that the noise is added to the restricted wavelet values instead of the unrestricted values W(m _{ i }) (Eq. 32). However, since several different resolutions occur, setting the right amount of noise λ is not trivial and remains a task for future research. First preliminary steps in that direction show that it is possible to derive a choice for λ which, however, only provides differential privacy for a single resolution r. With such a noise differential privacy can only be provided for a single resolution r and, due to the postprocessing property, all coarser solutions.
Choice of parameter λ
In this subsection, we show how the parameter λ must be chosen by proving the following theorem.
Theorem (choice of λ): the presented algorithm is εdifferentially private, if (i) W is a tight frame; and (ii) parameter λ is chosen as
where \(\mathcal {R}\) denotes the number of coefficients up to resolution r=d−q.
Note that \(\mathcal {R}\) consists of a fraction of 2^{−q} samples compared to the original load curve. The smaller the resolution r, the smaller the λ, and therefore the added noise is chosen.
Proof
First, the situation of this algorithm must be properly mapped into the differential privacy setting. Note that the term \(\tilde {w}^{r}\) of the algorithm can be rewritten as
Due to the divisibility property, the sum of the Gammadistributions yield the Laplace distribution. Thus, we have
If we manage to prove differential privacy for our choice of f, the proof is finished since a function applied to a differentially private mechanism can not destroy the differential privacy property (closure under postprocessing property of differential privacy). Therefore, if \(\tilde {w}^{r}\) is εdifferentially private this also holds for \(\tilde {m}^{r} = W^{1}(\tilde {w}^{r})\).
In order to prove differential privacy for our choice of f, we will show that the choice of λ ensures that it is at least as big as the one of theorem Differential privacy, whose application then proves differential privacy. Since m and m ^{′} differ in a single household’s entry, we can write without loss of generality that m=(m _{1,·},…,m _{ N,·},m _{ N+1,·})=(m ^{′},m _{ N+1,·}). Since in theorem Differential privacy, a 1norm is needed instead of a 2norm, first the transition is done using the inequality
Note that this inequality can itself be proven by applying the CauchySchwarz inequality to \(\langle \mathbb {1}, \vert x \vert \rangle \). Together with the linearity of T _{ r } and W, this yields
The restriction to a smaller resolution is equivalent to setting the higher resolutions to zero. Therefore, the restriction T _{ r } decreases the norm while the wavelet transformation does not change it due to our restriction of using only transformations with the tightness property
Finally, this equation directly yields
Thus, theorem Differential privacy can be applied and proves differential privacy for f. □
Evaluation
In this section, we evaluate the proposed PETs in combination with MRA with respect to the security features, cost and complexity, and realworld applicability.
Applications
In this paper, multiresolution secure aggregation has been introduced for both single aggregator and multiple aggregators. Given the building blocks of the additive homomorphic Paillier cryptosystem, masking, and differential privacy in combination with the wavelet transform, a scheme can be constructed that allows to encrypt different resolutions with different keys while maintaining a single bitstream. In section Application scenario, three typical application scenarios for smart grid have been introduced: (i) settlement and profiling; (ii) network monitoring; and (iii) billing.
Settlement and profiling require data in a comparably low resolution, but spatially aggregated over a number of households for determining forecasts and training models. Network monitoring, by contrast, still works with the aggregate, but requires a much higher temporal resolution. Both homomorphic encryption and masking can be used for aggregating over a number of smart meters, e.g., from households connected to the same substation or participants belonging to the same consumption group (residential/industrial). By adding the ability to selectively decrypt a subset of multiple resolutions, the same aggregated bitstream, but with different keys, can be provided to both the utility provider for forecasts and model training and the network operator for network monitoring. This reduces the overhead for managing and transferring various bitstreams simultaneously to distinct recipients. While network monitoring might require very high accuracy (e.g., voltage levels must remain in a narrow band), for settlement and profiling, customer privacy can be even enhanced by adding differential privacy in order to prevent the detection of the presence of a single household in the aggregate, while at the same time providing a certain guaranteed εdifferential privacy level. While differential privacy is a compelling approach due to this property, it is not suitable for applications that require the exact aggregate.
Billing and dynamic pricing will require data at high resolutions and generally not aggregated. Further, differential privacy is not a desired property for billing. However, if in a dynamic pricing scenario, data in different granularity is needed over the day (e.g., a stable night tariff and more dynamic tariffs at noon), the multiresolution approach allows to dynamically adjust the level of granularity of the provided meter data.
Security analysis
In this section, a security analysis of the proposed PETs is conducted. We consider an honestbutcurious adversarial model, meaning the adversary follows the protocols but tries to gain additional information.
Secure signal processing: for MRA with secure signal processing, an honestbutcurious aggregator will not learn any information. Due to the additive homomorphic property of the cryptosystem, even at collector nodes, all operations are performed in the encrypted domain, and the aggregator can only decrypt the sum.
Masking with single aggregator: for a total number of smart meters N>1 and a single aggregator M=1, the masking scheme preserves full privacy in terms of spatial resolution, and it preserves full privacy with respect to temporal resolution. Given exactly one aggregator M=1, the basic approach for multiresolution masking is applied. A receives a set of N masked values and a single key share. By combining both, A can calculate the sum at a particular resolution. For spatial aggregation, privacy is preserved by the scheme proposed by Kursawe et al. [9], i.e., the individual measurements are masked, and the random shares cancel each other out upon summation. The temporal resolution is limited by the resolution of the key share. The privacy preserving feature of this approach has been discussed in detail in section Basic approach. Section Proof of correctness includes the proof of correctness for the masking approach in combination with wavelets.
Masking with multiple aggregators: for a total number of smart meters N>1 and a total number of aggregators M=2, the multiple aggregators approach for multiresolution masking is applied. Each aggregator A _{ k },k={1,2} receives a set of N masked values, an individual key share \(\text {key}_{1}^{r}\) and \(\text {key}_{2}^{r}\), respectively and the sum of the keys of all other aggregators \(\sum _{i \neq 1} \text {key}_{i}^{r} = \text {key}_{2}^{r}\) and \(\sum _{i \neq 2} \text {key}_{i}^{r} = \text {key}_{1}^{r}\), respectively. Therefore, each aggregator additionally holds the other aggregators share in full resolution and thus privacy in terms of temporal aggregation is not given anymore.
For a setting with M>2 privacy is preserved, as the key shares of all other aggregators are hidden in the sum. Therefore, the above limitation for M=2 does not apply, since \(\sum _{i \neq k} \text {key}_{i}^{r} \neq \text {key}_{i}^{r}\) for any i,k∈{1…M}. This means that holding all keys except for one does not yield a valid key. This assures that the aggregator cannot learn anything beyond the resolution of the key, which is formally shown in section Multiple aggregators.
Differential privacy: it is a proven property of differential privacy, that the aggregator has no means to decrease privacy of the aggregated signal by any kind of postprocessing. If differential privacy would be combined with wavelets only, the aggregator could, however, inspect a single smart meter’s consumption profile. A single profile is only protected by Gammadistributed noise which does not provide differential privacy. Therefore, the mechanism achieving differential privacy must include a way to protect the summation operation by using a secure aggregation scheme, e.g., as described in section Multiresolution secure aggregation.
Space considerations
When using homomorphic encryption for aggregation, the modulus n determines the amount of data that can be stored within one encrypted packet. Let us denote the number of bits needed to represent a wavelet coefficient by \(\bar m,\) and the number of values used for the wavelet transform by T. The sum of two coefficients will take up \(\bar m+1\) bits of space. More generally, the sum of u coefficients requires \(\left \lceil \log _{2}(u) + \bar m \right \rceil \) bits. If encrypting each wavelet coefficient individually, i.e., using T encryptions, the modulus of n bits allows to sum up a total of \(u \leq 2^{n \bar m}\) wavelet coefficients, since \(n = \left \lceil \log _{2}(u) + \bar m \right \rceil \), i.e., u represents the total number of wavelet coefficients from household measurement values that can be aggregated for a given modulus.
Setting T=256, n=1024 and \(\bar m=16\), this allows for the aggregation of more than 2·10^{303} households but requires 256 encryptions. However, in practice such large aggregation groups are not needed. Instead of encrypting each coefficient individually, the available space of n bits can be exploited better when using data packing [36]. Values are shifted to a certain bit range, such that a number of values can be packed within a single encryption. The available space is therefore split into p packets of fixed size n ^{′}, i.e., \(p = \frac {n}{n'}\). This allows for \(n' = \left \lceil \log _{2}(u') + \bar m \right \rceil \) a number of \(u' \leq 2^{n' \bar m}\) wavelet coefficients per packet, and a total of u ^{′}·p wavelet coefficients of household measurement values per encryption. This results in only \(T'=\frac {T}{p}\) encryptions.
Setting n=1024, \(\bar m=16\) and n ^{′}=32, this results in p=32 packets and still allows to aggregate up to 65536 households, but with only a fraction (T ^{′}=8) of the number of encryption operations compared to the above approach where each coefficient is encrypted separately. In practice, these values have to be chosen with respect to the number of households that will be aggregated.
Cost and complexity
Both methods secure signal processing with the Paillier cryptosystem^{1} and masking have been implemented together with the wavelet transform. The proof of concept implementation is built on Oracle Java 1.8 and is tested on a HP Z230 workstation with 8 GB RAM and an Intel Xeon CPU (3.4 GHz). Results are shown in Table 2: each value represents the execution time for a single load curve consisting of 96 values for the wavelet transform combined with different encryption settings and masking, averaged over 400 load curves with 100 encryptions/additions for masking each (acquisition of the load curve and key generation as well as precalculating the masking shares are not considered in the timing results). WAV denotes the wavelet transform only, without any encryption or masking applied. AES denotes the wavelet transform followed by encryption with the symmetric AES cipher with a 256 bit key for each subband. HYB denotes hybrid encryption, which adds RSA 2048 bit public key encryption of the AES keys with a different public key for each subband. PAIn denotes Pailler encryption with a module of n bits and a different key for each subband. For practical applications and according to [37], a module of at least 2048 bits should be chosen. Finally, MA denotes the masking of values.
It can be seen that by using a lifting implementation, the computational overhead of the wavelet transformation is negligible compared to the encryption step. Homomorphic encryption comes at the cost of a significant increase in computational overhead compared to that of conventional encryption. The results show that the computational demands grow exponentially with the module size. Although the used implementation of Paillier is not optimized and could be improved considerably in terms of efficiency, it is clear that running homomorphic encryption on smart meter hardware will provide a challenge: while AES encryption only takes 1.25 ms, for the used (nonoptimized) implementation, Paillier encryption with a 2048 bit module of a load curve with 96 values takes approximately 52 s. Further, it can be seen that masking is highly efficient in terms of computation time when compared to encryption, however, at the cost of losing the entire aggregate when a single smart meter fails.
Conclusions
The approaches proposed in this paper allow to get both temporal and spatial aggregation by combining the wavelet transform with homomorphic encryption, masking, and differential privacy. In this paper, it has been shown that it is possible to combine homomorphic encryption, masking, and differential privacy with the Haar wavelet transform. Furthermore, a protocol has been sketched for addressing different aggregators with different resolutions of the measured time series while still maintaining a certain level of privacy. For masking, future work will focus on a scheme that is more errorresilient and still yields the correct result even if a subset of smart meters fail.
Endnote
^{1} Building on the implementation by Kun Liu http://www.csee.umbc.edu/~kunliu1/research/Paillier.html
References
European Commission (2014). Costbenefit analyses and state of play of smart metering deployment in the EU27. Technical report. http://eurlex.europa.eu/legalcontent/EN/TXT/PDF/?uri=CELEX:52014SC0189%26from=EN.
McKenna, E, Richardson, I, Thomson, M (2012). Smart meter data: balancing consumer privacy concerns with legitimate applications. Energy Policy, 41, 807–14.
Hart, GW (1992). Nonintrusive appliance load monitoring. Proc. IEEE, 80(12), 1870–91.
MolinaMarkham, A, Shenoy, P, Fu, K, Cecchet, E, Irwin, D (2010). Private memoirs of a smart meter. In Proceedings of the 2nd ACM Workshop on Embedded Sensing Systems for EnergyEfficiency in Building. BuildSys ’10. ACM, New York, (pp. 61–6).
Lisovich, M, Mulligan, D, Wicker, S (2010). Inferring personal information from demandresponse systems. IEEE Secur. Priv, 8(1), 11–20.
Knirsch, F, Engel, D, Frincu, M, Prasanna, V (2015). Model based assessment for balancing privacy requirements and operational capabilities in the smart grid, Innovative smart grid technologies conference (ISGT), 2015 IEEE Power & Energy Society. In Proceedings of the 6th Conference on Innovative Smart Grid Technologies (ISGT2015). IEEE, Washington, (pp. 1–5).
Eibl, G, & Engel, D (2014). Influence of data granularity on nonintrusive appliance load monitoring. In Proceedings of the Second ACM Workshop on Information Hiding and Multimedia Security (IH&MMSec ’14). ACM, Salzburg, (pp. 147–51).
Eibl, G, & Engel, D (2015). Influence of data granularity on smart meter privacy. IEEE Trans. Smart Grid, 6(2), 930–9.
Kursawe, K, Danezis, G, Kohlweiss, M (2011). Privacyfriendly aggregation for the smart grid. In Privacy Enhanced Technology Symposium. Springer, Berlin Heidelberg, (pp. 175–91).
Gomez Marmol, F, Sorge, C, Petrlic, R, Ugus, O, Westhoff, D, Martinez Perez, G (2013). Privacyenhanced architecture for smart metering. Int. J. Inf. Secur, 12(2), 67–82.
Li, F, Luo, B, Liu, P (2010). Secure Information Aggregation for Smart Grids Using Homomorphic Encryption. In Proceedings of First IEEE International Conference on Smart Grid Communications. IEEE, Gaithersburg, (pp. 327–332).
Erkin, Z, & Tsudik, G (2012). Private computation of spatial and temporal power consumption with smart meters. In Proceedings of the 10th International Conference on Applied Cryptography and Network Security. ACNS’12. Springer, Berlin, (pp. 561–77).
Rastogi, V, & Suman, N (2010). Differentially private aggregation of distributed timeseries with transformation and encryption. In Proceedings of the 2010 ACM SIGMOD International Conference on Management of Data. ACM, Conference, Indianapolis.
Danezis, G, Kohlweiss, M, Rial, A. (2011). Differentially private billing with rebates (Vol. 6958 LNCS, pp. 148–62). Berlin: Springer.
Garcia, F, & Jacobs, B (2011). Privacyfriendly energymetering via homomorphic encryption. In: Cuellar, J, Lopez, J, Barthe, G, Pretschner, A (Eds.) In Security and Trust Management. Lecture Notes in Computer Science, (Vol. 6710. Springer, Berlin, pp. 226–38).
Li, F, & Luo, B (2012). Preserving data integrity for smart grid data aggregation. In Third International Conference on Smart Grid Communications (SmartGridComm) 2012. IEEE, Tainan, (pp. 366–71).
Erkin, Z, Troncosopastoriza, JR, Lagendijk, RL, PerezGonzalez, F (2013). Privacypreserving data aggregation in smart metering systems: an overview. IEEE Signal Proc. Mag, 30(2), 75–86.
Biselli, A, Franz, E, Coutinho, MP (2013). Protection of consumer data in the smart grid compliant with the German smart metering guideline. In Proceedings of the First ACM Workshop on Smart Energy Grid Security. SEGS ’13. ACM, New York, (pp. 41–52).
Dwork, C, McSherry, F, Nissim, K, Smith, A (2006). Calibrating noise to sensitivity in private data analysis. In Theory of Cryptography. Springer, Berlin, (pp. 265–84).
Acs, G, & Castelluccia, C (2011). I have a DREAM! (DiffeRentially privatE smArt Metering). In Proc. Information Hiding Conference. Springer, Berlin Heidelberg, (pp. 118–132).
Shi, E, Chow, R, Chan, THH, Song, D, Rieffel, E (2011). Privacypreserving aggregation of timeseries data. In Proc. NDSS Symposium 2011. Internet Society, San Diego.
Efthymiou, C, & Kalogridis, G (2010). Smart grid privacy via anonymization of smart metering data. In Proceedings of First IEEE International Conference on Smart Grid Communications. IEEE, Gaithersburg, (pp. 238–43).
Engel, D (2013). Waveletbased load profile representation for smart meter privacy. In Proc. IEEE PES Innovative Smart Grid Technologies (ISGT’13). IEEE, Washington, (pp. 1–6).
Peer, CD, Engel, D, Wicker, SB (2014). Hierarchical key management for multiresolution load data representation. In 2014 IEEE International Conference on Smart Grid Communications (SmartGridComm). IEEE, Venice, (pp. 926–32).
Engel, D, & Eibl, G (2016). Waveletbased multiresolution smart meter privacy. IEEE Trans. Smart Grid, PP(99), 1–12.
Engel, D, & Eibl, G (2013). Multiresolution load curve representation with privacypreserving aggregation. In Proceedings of IEEE Innovative Smart Grid Technologies (ISGT) 2013. IEEE, Copenhagen, (pp. 1–5).
Jawurek, M, Johns, M, Kerschbaum, F (2011). Plugin privacy for smart metering billing. In Privacy Enhancing Technologies (PETS). Springer, Berlin Heidelberg, (pp. 192–210).
Erkin, Z (2015). Private data aggregation with groups for smart grids in a dynamic setting using CRT. In 2015 IEEE International Workshop on Information Forensics and Security (WIFS). IEEE, Rome.
(2001). National Institute of Standards and Technology (NIST), Specification for the advanced encryption standard (AES).
ITUT (2012). Recommendation ITUT X.509 – Information technology – open systems interconnection – the directory: publickey and attribute certificate frameworks.
Daubechies, I, & Sweldens, W (1998). Factoring wavelet transforms into lifting steps. J. Fourier Anal. Appl, 4(3), 247–69.
Paillier, P (1999). PublicKey Cryptosystems Based on Composite Degree Residuosity Classes. In: Stern, J (Ed.) In Advances in Cryptology — EUROCRYPT ’99: International Conference on the Theory and Application of Cryptographic Techniques Prague, Czech Republic, May 2–6, 1999 Proceedings. Lecture Notes in Computer Science, (Vol. 1592. Springer, Berlin, pp. 223–38).
Defend, B, & Kursawe, K (2013). Implementation of privacyfriendly aggregation for the smart grid. In Proceedings of the First ACM Workshop on Smart Energy Grid Security  SEGS ’13. ACM, Conference, Berlin, (pp. 65–74).
Diffie, W, & Hellman, M (1976). New directions in cryptography. IEEE Trans. Inf. Theory, 22(6), 644–654.
Kotz, S, Kozubowski, TJ, Krzysztof, P. (2001). The Laplace distribution and generalizations. Basel: Birkhäuser Basel.
Erkin, Z, Veugen, T, Toft, T, Lagendijk, RL (2012). Generating private recommendations efficiently using homomorphic encryption and data packing. IEEE Trans. Inf. Forensic. Secur, 7(3), 1053–66.
Barker, E, Barker, W, Burr, W, Polk, W, Smid, M. (2012). Division, Computer Security NIST Special Publication 80057, Recommendation for Key Management (Revision 3): NIST.
Acknowledgements
The financial support by the Austrian Federal Ministry of Science, Research and Economy and the Austrian National Foundation for Research, Technology and Development is gratefully acknowledged. Funding by the Federal State of Salzburg is gratefully acknowledged.
Authors’ contributions
This paper was written by FK (40%), GE (30%), and DE (30%). The detailed contributions are as follows: the Abstract was written by FK (100%). The Introduction was written by FK (80%) and DE (20%). The Background section was written by FK (40%), DE (40%), and GE (20%). The Multiresolution Secure Aggregation section was written by DE (100%). The Multiresolution Masking section was written by FK (100%). The Multiresolution Differential Privacy section was written by GE (100%). The Evaluation section was written by FK (60%), DE (30%), and GE (10%). Conclusions and Outlook were written by FK (100%). The figures were created by FK (100%). Measurements for homomorphic encryption were performed by DE (100%). All authors read and approved the final manuscript.
Competing interests
The authors declare that they have no competing interests.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Author information
Affiliations
Corresponding author
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License(http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
About this article
Cite this article
Knirsch, F., Eibl, G. & Engel, D. Multiresolution privacyenhancing technologies for smart metering. EURASIP J. on Info. Security 2017, 6 (2017). https://doi.org/10.1186/s1363501700583
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s1363501700583
Keywords
 Smart meter
 Homomorphic encryption
 Masking
 Differential privacy
 Multiple resolutions
 Smart grid