Privacy-Preserving Smart Metering with Multiple Data Consumers ✩ Cristina Rottondi a,1 , Giacomo Verticale a , Antonio Capone a,∗ a Dipartimento di Elettronica e Informazione, Politecnico di Milano Piazza Leonardo da Vinci, 32, Milano, Italy Abstract The increasing diffusion of Automatic Meter Reading (AMR) and the pos- sibility to open the system to third party services has raised many concerns about the protection of personal data related to energy, water or gas consump- tion, from which details about the habits of the users can be inferred. This paper proposes an infrastructure and a communication protocol for allowing utilities and third parties (Data Consumers) to collect measurement data with different levels of spatial and temporal aggregation from smart me- ters without revealing the individual measurements to any single node of the architecture. The proposed infrastructure introduces a set of functional nodes in the Smart Grid, namely the Privacy Preserving Nodes (PPNs), which collect customer data encrypted by means of Shamir’s Secret Sharing Scheme, and are supposed to be controlled by independent parties. By exploiting the homomorphic properties of the sharing scheme, the measurements can be aggregated directly in the encrypted domain. Therefore, an honest-but-curious attacker can obtain neither disaggregated nor aggregated data. The PPNs perform different spatial and temporal aggregation for each Consumer according to its needs and access rights. The information Consumers recover the aggregated data by collecting multiple ✩ A preliminary version of this paper appears in C. Rottondi, G. Verticale, and A. Capone, “A security framework for smart metering with multiple data consumers,” in 1st IEEE INFOCOM CCSES Workshop on Green Networking and Smart Grids, mar. 2012. * Corresponding Author 1 Cristina Rottondi is funded by Fondazione Ugo Bordoni. Preprint submitted to Elsevier July 3, 2013