Disclosed is a protocol for a fault-tolerant, private distributed aggregation model that allows a data consumer to calculate unbounded statistics (weighted sums) over homomorphically encrypted sensitive data items from data producers. The data consumer can choose to calculate over an arbitrary subset of all available data items, thus providing fault tolerance; i.e., failing data producers do not prevent the statistics calculation. A key-managing authority ensures differential privacy before responding to the data consumer's decryption request for the homomorphically encrypted statistics result, thus preservation the data's producer's privacy. Security against malicious data consumers is provided along with aggregator obliviousness, differential privacy in a unidirectional communication model between data producers and data consumers.