2.?Related WorksCurrently, many secure data aggregation schemes have been proposed. For symmetric schemes, Ozdemir et al. [9] integrated false data detection with data aggregation and confidentiality, and proposed an authentication protocol. In the scheme, every aggregator has some monitoring nodes which also perform data aggregation for data verification, and the integrity of the encrypted data is verified by the sensors between two consecutive aggregators. Its limitation is the rigorous topological constraints. Papadopoulos et al. [10] presented an exact aggregation scheme with integrity and confidentiality, named SIES. SIES combines the symmetric homomorphic encryption with secret sharing. A wide range of aggregates can be covered, and a small amount of bandwidth consumption is introduced in SIES. However, the data transmission efficiency is low due to the oversize space of secret keys. Based on Aggregation-Commit-Verify approach, Chan et al. [12] first proposed a provably secure hierarchical data aggregation scheme, where the adversary is forced to commit to its choice of aggregation results, then the sensors are allowed to verify whether their aggregation contributions are correct or not. The scheme can be used for multiple malicious nodes and arbitrary topologies, but it inherits the weakness of large amount of communication and computation overheads. To address this issue, Frikken et al. [13] improve Chan’s scheme by reducing the maximum communication per node from O(��log2n) to O(��logn), where n is the number of nodes in WSNs, and �� is the maximum degree of the aggregation tree.For asymmetric schemes, Zhu et al. [14] focused on preserving data integrity and proposed an efficient integrity-preserving data aggregation protocol named EIPDAP. The scheme is based on the modulo addition operation using ECC, and has the most optimal upper bound on solving the integrity-preserving problem for data aggregation. Niu et al. [15] proposed a secure identity-based lossy data aggregation scheme using homomorphic selleck inhibitor hashing and identity-based aggregate signature. In the scheme, the authenticity of aggregated data can be verified by both aggregators and BS. The computation and communication overheads could be significantly reduced because the BS can perform batch verification. However, the above two schemes may lead to the leakage of data privacy due to decryption at the aggregator. Based on PH, Westhoff et al. [16] and Girao et al. [17] proposed CDA methods to facilitate aggregation in encrypted data, where richer algebraic operations can be directly executed on encrypted data by aggregators. Mykletun et al. [18] adopted several public-key-based PH encryptions to achieve data concealment in WSNs. Furthermore, Girao et al. [8] proposed a novel scheme by extending the ELGamal PH encryption. However, the above schemes cannot resist node compromise attacks. Specific security analysis is presented in Section 5.3.