Abstract-Efficiency and security are two basic requirements for sensor network design. However, these requirements could be sharply contrary to each other in some scenarios. For example, innetwork data aggregation can significantly reduce communication overhead and thus has been adopted widely as a means to improve network efficiency; however, the adoption of in-network data aggregation may prevent data from being encrypted since it is a prerequisite for aggregation that data be accessible during forwarding. In this paper, we address this dilemma by proposing a family of secret perturbation-based schemes that can protect sensor data confidentiality without disrupting additive data aggregation. Extensive simulations are also conducted to evaluate the proposed schemes. The results show that our schemes provide confidentiality protection for both raw and aggregated data items with an overhead lower than that of existing related schemes.