Professional Documents
Culture Documents
Privacy-Preserving Billing For Local Energy Markets
Privacy-Preserving Billing For Local Energy Markets
Privacy-Preserving Billing For Local Energy Markets
Markets
2
COSIC, KU Leuven, Leuven, 3001, Belgium
3
FCIT, KAU, Jeddah, 1589, Saudi Arabia
1 Introduction
In the quest of a sustainable energy future, the use of renewable energy sources
(RESs) has increased widely, facilitating carbon emissions reduction. However,
the inherent unpredictability and intermittency of their output poses challenges
in existing traditional markets, leading to the emergence of local energy markets
(LEMs). These markts enable prosumers – individuals who consume and pro-
duce energy – to actively participate in open markets, supporting direct trading
of surplus energy with others. This contrasts with the traditional practice of sell-
ing excess energy to contracted suppliers at a feed-in-tariff (FiT) price, which is
often lower than retail market prices (RP). Such a transition allows prosumers
to optimise their profits by securing better prices and offers consumers the op-
portunity to reduce their expenses [15].
2 E. Alqahtani and M. Mustafa
LEMs typically require their participants to submit bids before the actual
trading periods (ranging from 30 minutes to a day in advance) [15]. Therefore,
market participants need to forecast the necessary bid volumes, indicating the
amount of energy they intend to trade. This prediction relies on historical data
and estimated consumption, making it inherently prone to errors and challenging
to achieve absolute accuracy. Whether due to intentional actions or inaccuracies
in predictions, participants may commit to trading specific energy volumes but
subsequently fail to fulfill these commitments.
As this failure can disrupt grid stability and increase balancing costs, mar-
ket participants should be accounted for their deviations from their committed
bid volumes during the billing process [36]. This consideration would incentivise
the participants to reduce their deviations and, subsequently, the negative ef-
fect they cause on the grid. Furthermore, a market participant’s deviation may
cause a different level of effect on the grid depending on what part of the grid
the participant resides in. As a result, some might bear higher costs for their
deviations compared to others, not only due to their deviation amounts but also
because of their specific locations on the grid. For example, the total deviation
of households (i.e., market participants) connected to a particular distribution
line may result in a total deviation of zero. That means the positive deviations
of the households on that line compensate for the negative deviations. As such,
it is rational not to account those individuals for their deviations regardless of
the total deviation of the entire market area.
The computation and settlement of bills and rewards for participants in
LEMs, while considering their energy deviations from their bids, requires criti-
cal private information, such as individual bid volumes and meter readings for
each trading period. Such information are closely associated with individuals’
consumption patterns, which have been shown to pose potential risks to their
privacy [38]. For example, personal details such as presence at home, sleep pat-
terns or even the detection of particular appliance activation could be inferred
from the amount of energy traded at a particular period [28, 38].
A number of previous studies have already addressed the privacy concerns
of market participants during billing and settlement, employing techniques such
as anonymization [2, 7, 18–21, 32, 34, 39, 41, 43], perturbation [23, 25, 44], and
homomorphic encryption [22, 27]. However, the majority have primarily sug-
gested payment approaches based only on bid commitments, assuming perfect
fulfillment of the bid volumes. A very limited number of the privacy-preserving
billing studies have considered establishing a billing mechanism based on the
actual amount of produced/consumed energy by the market’s participants [23,
24, 40, 44] or to additionally account for their deviations [3, 22, 27]. However, the
billing process is coordinated or executed by a single party [23, 24, 27, 40, 44],
assuming trustworthiness and honesty from that party in performing the billing
process, disclosing some or all of the individuals private data to that trusted
party and potentially imposing a high computational cost on a single party. All
of the above raise questions about the applicability or scalability of their solu-
tions in realistic scenarios. In contrast to the previously mentioned works, the
Privacy-Preserving Billing for Local Energy Markets 3
solutions proposed by [3, 22], do not rely on a single entity for carrying out
billing calculations. Instead, they involve a group of entities working together to
compute individual bills/rewards privately. However, they are vulnerable to the
risk of internal collusion, potentially leading to the disclosure of highly sensitive
data such as individuals’ meter readings and bid volumes. Additionally, market
participants were uniformly charged for their deviations in all of the aforemen-
tioned works, irrespective of their positions on the grid, and the grid usage cost
was not considered.
To address these limitations, in this paper, we propose a privacy-preserving
billing protocol, considering participants’ deviations and their locations on the
grid. This work is an improvement on our previous study [3] to mitigate the
impact of internal collusion on individuals’ privacy. Specifically, the contributions
of this paper are threefold:
The rest of the paper is organised as follows. Section 2 covers the related
work. Section 3 introduces our system model and its requirements. Section 4
explains the utilised building blocks. Section 5 describes PBP-LEM. Section 6
provides security analysis, while Section 7 evaluates the performance of PBP-
LEM. Finally, Section 8 concludes the paper.
2 Related Work
Concerns regarding security and privacy in LEMs have been previously high-
lighted [13], prompting the proposal of several solutions using anonymization,
4 E. Alqahtani and M. Mustafa
Similar to the approach taken by [27], the work in [22] used the Paillier
homomorphic encryption technique to implement a privacy-preserving billing
model, accounting for participants’ deviations from their commitments. However,
in contrast to [27], this solution does not rely on a single party for executing
the billing calculations. Instead, a randomly chosen set of market participants
collaboratively computes individual bills/rewards in a private manner as follows:
Individual private data are homomorphically encrypted using the supplier’s keys
and then transmitted to the chosen set, which, in turn, performs the computation
privately. The solution also incorporates a referee to verify the correctness of
bills/rewards computation simultaneously and intervene to resolve any disputes.
The referee then sends the resultant encrypted bills/rewards to the supplier for
decryption. However, a considerable limitation of this work is that it does not
provide protection against collusion. For instance, any individual in the chosen
set can collude with the supplier by providing it with others’ encrypted individual
data, subsequently enabling the supplier to decrypt the data and compromise the
individuals’ privacy. Another limitation is similar to that found in [27], wherein
the type of individual participation is disclosed.
Our previous work [3] leveraged MPC technique to apply a privacy-preserving
billing model considering participants’ deviations from their bid volumes. Instead
of relying on a single trusted party for computing the bills, our approach employs
three parties to jointly compute individual bills while ensuring the confidential-
ity of all the market participants’ data, including their types of participation.
The solution has also been evaluated under malicious and dishonest majority
settings, implying that the presence of at least one honest party is sufficient to
detect errors during bill calculations, even if the other two parties were malicious.
Nevertheless, even though the probability of collusion among all three parties is
low, given that each is controlled by a different entity, any such occurrence could
lead to the disclosure of highly sensitive data.
Unlike the aforementioned works, PBP-LEM integrates the following fea-
tures: (i) it charges for market participants who fail to fulfil their bid commit-
ments, (ii) it incorporates the participants’ locations on the grid to distribute
deviation costs fairly and accounts for distribution network usage fees in the
participants’ bills, (iii) it does not rely on a single trusted party to compute in-
dividual bills, (iv) it mitigates the impact of potential collusion among internal
parties by ensuring that only less sensitive data might be revealed in the event
of such collusion, and (v) it protects all participants’ private data including their
types of participation.
In this section, we describe the system model, threat model as well as the func-
tional and privacy requirements that PBP-LEM needs to satisfy.
6 E. Alqahtani and M. Mustafa
As shown in Fig. 1, our system model consists of the following entities. SMs are
devices that measure and communicate the volumes of imported and exported
energy by households in nearly real-time. Users are household owners supported
by SMs and potentially RESs. They engage in a LEM to increase their profits
and minimise their expenses. They submit bids (consisting of energy volume
and offered price) to the LEM to sell surplus energy to others at a price higher
than the Feed-in Tariff (FiT) price or buy energy at a price lower than the retail
price (RP). Local Energy Market Operator (LEMO) executes the LEM, identi-
fying both the trading price and the approved bids for trading in each trading
period. Suppliers provide energy to all users in need. They buy electricity from
the wholesale market and distribute it to their contracted customers in the re-
tail market (RM) at RP determined by suppliers. They also purchase electricity
injected by their customers that is not traded in the LEM at FiT price. Ad-
ditionally, they generate and manage their customers’ (i., users) bills based on
their participation in the LEM. RM Regulators (RMRs) are entities that set
FiT prices that users pay to their contracted suppliers for the energy they sell
in the RM. Distribution System Operator (DSO) manages and maintains the
distribution network of a particular area. It divides the LEM area into small
zones based on the physical network specifications and historical data that esti-
mate each zone state for each time period. DSO also sets energy importing and
Privacy-Preserving Billing for Local Energy Markets 7
exporting fees for each zone. It also coordinates the redistribution of payments
to/from the LEM between users performed through their suppliers. Computa-
tional Severs (CS) calculate the required deviation cost information (e.g., total
global deviation) according to the zone-based billing model with universal cost
split (ZBUCS) introduced in [3] which is a modification of the billing model pro-
posed in [36]. To avoid collusion, the parties should have conflicting interests.
We assume that one party is controlled by suppliers, one by users, and a third
by the DSO. Key Authority (KA) generates the required encryption/decryption
keys and provides them to the designated entities.
LEMO, RMRs and suppliers are assumed to be semi-honest. They follow PBP-
LEM honestly, but they may try to infer sensitive individual data. Suppliers may
attempt to learn individual bids, meter readings, rewards/bills within the LEM
for a particular trading period, or may try to access the bills of users who are
contracted with other suppliers. In addition, the correctness of bill settlements
performed by suppliers must be verified by DSO. Users are considered to be
malicious. They may try to learn or manipulate their own (or other users’) data
(i.e., bid volumes, meter readings and deviations) to increase their profits or
reduce their bills. External entities are also malicious. They may eavesdrop or
modify transmitted data to disturb the billing process in LEM.
We assume two different security settings for CS: honest majority and dis-
honest majority with active (malicious) adversaries. For the former, one of the
three parties can be corrupted while the later allows the presence of two mali-
cious parties. The corrupted parties may try to infer information about users’
data (bids, meter readings, bills and deviations) or deviate from the protocol, for
example, by sending faulty data during the computations to distort the result.
In the case of deviation, honest parties should abort the execution.
As the focus of this work is on protecting users’ privacy, we make the following
assumptions. The communication channels are private and authentic. All entities
are time-synchronized. SMs are tamper-proof and sealed, meaning any attempt
to tamper with them will be readily detected.
4 Building Blocks
Pedersen Commitment has three main properties. It ensures hiding, where given
only a commitment c, it is computationally infeasible to determine the original
value m. It upholds binding; that is, given c, m and r, it is computationally
infeasible to find a value m̄ ̸= m and a matching value r̄ such that Open(c, m̄, r̄)
returns true. Finally, it satisfies a useful property known as homorphism, in
which the product of two commitments equals the commitment to the sum of
two initially committed values.
Functional encryption (FE) is a special type of public key cryptography that al-
lows the performance of some computations over encrypted data. In FE schemes,
the owner of the master key (i.e., key distribution centre) can generate secret
keys for parties wishing to learn only outputs of specific functions over secret
inputs and nothing else [10]. In formal terms, given a ciphertext C corresponding
to a plaintext x and a functional decryption key sk related to a function f , a
decryptor can obtain the results of f (x) without learning anything about x.
cost. The zone-based billing model with universal cost split, ZBUCS, introduced
in [3] splits the total deviation cost among market participants whose deviations
are in the same direction as the total deviation while considering the zones to
which the participants belong on the grid. Prosumers (consumers) then pay (get
paid by) their contracted suppliers for their total deviation share according to
FiT (RP) rather than the LEM price, which is less beneficial. Please refer to the
work of [36] and [3] for more details.
It is important to note that this research specifically focuses on the billing
phase of the LEM. The issue of preserving users’ privacy during the market
clearance phase has been addressed in earlier research, as referenced in [4]. Our
assumption is that user privacy during LEMO’s market execution is protected
by the adoption of privacy-preserving solutions outlined in previous studies, such
as [1, 24, 40]. Consequently, the transmission of data by LEMO in PBP-LEM
does not imply unrestricted access to individual user data by the entity. In-
stead, it only requires forwarding the securely protected data (e.g., bid volumes)
to the computing parties after the market is executed to compute individual
bills/rewards.
The section begins by proposing an efficient and privacy-preserving indi-
vidual billing technique (Section 5.1), which in turn is utilized by PBP-LEM
(Section 5.2). Table 1 lists the notation used throughout the paper.
mctp
i
k
= mtp
i
k
+ skitpk
Given the identified market trading price, T P tpk , to compute the encrypted
individual bill/reward, one performs the following computation:
bctp
i
k
= mctp
i
k
∗ T P tpk
Including the deviation cost and distribution network usage cost in users’
bills/rewards based on ZBUCS requires knowledge of the user’s type of partic-
ipation, dtp
i
k
– that is, whether the user offered to produce or consume energy
during tpk . To protect dtp k
i , we begin by encoding it into two distinct values,
12 E. Alqahtani and M. Mustafa
Table 1: Notations
Symbol Description
bpu u-th billing period, u ∈ {1, ..., Nu }.
tpk k-th trading period, k ∈ {1, ..., Nk }.
Idi Unique identifier of user i, i ∈ {1, ..., Nu }.
SIdj , ZIdz Unique identifier of supplier j, zone z.
tp tp tp tp
bi k , m i k , v i k , di k , Bid volume, meter reading, individual deviation, type of par-
tp tp
si k , bli k ticipation (binary value), deviation cost inclusion state (binary
value), individual bill/reward of user i at tpk .
tp
Vi k , BLbp i
u
Total deviation, individual bill/reward of user i at bpu .
BLbp i
u ,LEM
Total bills/rewards of user i dedicated to the LEM at bpu .
SBaljbpu , SCapbp j
u
Income balance of supplier j resulting from users trading of
deviations cost, capital traded exclusively within the LEM
through supplier j at bpu .
tp tp
ppi k , mski k Public parameters and master key for user i at tpk .
Si , Sip , Sic Three set of random keys corresponding to the trading periods
{tp1 , . . . , tpNk } within bpu generated for user i
tp tp
Ci,pk , Ci,ck Condition that requires user i to pay/get paid to/by supplier
due to his/her deviation at tpk .
tp tp tp tp tp tp tp tp tp
mci k , dci,pk , dci,ck Ciphertext of mi k , di,pk , di,ck with ski k , ski,pk , ski,ck , respec-
tively at tpk using EPIB.
tp
bci k /Blcbp i
u
Ciphertext of bli at tpk /bpu using EPIB.
tp tp
dki k ,DKibpu Decryption key of bci k , Blcbp u
i,S using EPIB.
tpk tpk tpk tp
Mi , Bi,vr , Bi,vl Dual binary encoded arrays of vectors representing mi k and
tpk
bi using fy and fx respectively.
tp tp tp tp tp
M ci k , Bci,vkr , Bci,vkl Ciphertexts of Mi k , Bi,vr and Bi,vl at tpk with mski k using
IP E.Lef tEncrypt and IP E.RightEncrypt.
T tpk /N P tpk /N C tpk , Total deviation/number of prosumers/number of consumers in
W tpk the entire LEM area at tpk , zonal deviation weight.
tp tp tpk
tz k , npz k , ncz Total deviation, number of prosumers, number of consumers in
zone z at tpk .
T P tpk , F iT tpk , RP tpk LEM trading price, FiT and RP at tpk .
z,tp z,tp
N Fp k /N Fc k Network fee for exporting/importing in zone z at tpk .
Privacy-Preserving Billing for Local Energy Markets 13
dtp k tpk
i,p and di,c , each representing a binary state of the user’s type participa-
tion at tpk . For example, if the user is buying energy at tpk , then dtpk
i,p = 1
tpk tpk
and di,c = 0. Conversely, if the user is consuming energy, then di,p = 0 and
tpN tpN
dtp k p tp1 k c tp1
i,c = 1. Let Si = {ski,p , . . . , ski,p } and Si = {ski,c , . . . , ski,p } represent
k
two sets of randomly generated keys over zk , corresponding to the trading pe-
riods {tp1 , . . . , tpNk } within bpu . For each tpk , each user masks dtp k tpk
i,p and di,c
tpk tpk
using ski,p and ski,c , respectively.
Let N Fptpk and N Fctpk represent the distribution network fee for exporting
and importing energy in zone z, respectively. Let devptpk denote the cost to
be paid by certain prosumers to their suppliers due to deviations based on a
tpk
condition, Ci,p p, and devctpk denote the compensation to be received by specific
tpk
consumers from their suppliers for deviations based on a condition, Ci,c , as
defined in ZBUCS. Then, for each tpk , the addition of devptpk and devctpk to bctp
i
k
is as follows:
bctp
i
k
= bctp
i
k
+ mctp
i
k
∗ ((dctp tpk tpk tpk
i,p ∗ N Fp ) + (dci,c ∗ N Fc ))
k
tpk
+ [Ci,p ](dctp k tpk tpk tpk tpk
i,p ∗ devp ) + [Ci,c ](dci,c ∗ devc )
tpk tpk
Here, the notation [Ci,p ] and [Ci,c ] represents Iverson brackets, where [C]
is equal to 1 if condition C is true, and 0 otherwise. The decryption key for tpk
is then computed as:
dkidev,tpk = [Ci,p
tpk tpk
](ski,p tpk
∗ devptpk ) + [Ci,c tpk
](ski,c ∗ devctpk )
BLbp
i
u
= BLcbp
i
u
− DKibpu
14 E. Alqahtani and M. Mustafa
Prerequisites Before engaging in the LEM trading, users are required to reg-
ister with the key authority, KA. Each user sends a registration request along
with the tuple (Idi , SIdj , ZIdz ) containing their unique identifiers, Idi , their
contracted supplier identifiers, Sidj , and the zone to which the user belongs,
ZIdz , to the KA. Subsequently, KA generates three sets Si , Sic and Sip of ran-
dom keys, following EPIB. It also generates a master key, mskitpk , and public
parameters, pptp k
i , using Setup method of the IPE scheme [31]. KA then trans-
mits the tuple (Si , Sic , Sip , mskitpk , pptp k
i ) to the user’s SM. For every bpu , KA
c p
regenerates new sets of Si , Si and Si for each user.
Additionally, we make the following assumptions: bid volumes, btp k
i , are en-
coded using fx of the dual-binary encoding scheme [24] into two arrays of vectors,
tpk tpk tpk tpk
Bi,v r
and Bi,v l
. LEMO possesses the encryption of Bi,v g
and Bi,v l
using mskitpk
and pptpi
k
with the IP E.RightEncrypt, denoted by Bctp k tpk
i,vr and Bci,vl , respec-
tively, which it receives from users before the market clearance phase to execute
the market privately, as in [24]. Please note that the above assumption is re-
quired only for approach 1 in step 2. We also assume that users send dctp k tpk
i,p , dci,c
tpk
and Pedersen commitments to the negative inverse of their bid volumes, ⟨−bi ⟩,
to LEMO along with their submitted bids before the market execution. Next,
we discuss the five steps of PBP-LEM.
Step 1: Input Data Generation and Distribution After each trading pe-
riod tpk , tuples are prepared by users, their respective SMs, and LEMO. These
tuples are then shared with CS and suppliers, enabling collaborative computation
of the users’ bills and rewards from the LEM, inclusive of their deviations cost.
In detail, every user in every zone calculates their deviation viz,tpk by subtracting
mtp
i
k
from btp k z,tpk
i . Each user then generates a tuple (Idi , SIdj , ZIdz , [v]i , [d]z,tp
i
k
)
Privacy-Preserving Billing for Local Energy Markets 15
each user to the supplier. Please note that in the following step, we will present
three different approaches where M ctp k tpk tpk
i , Bci,vr and Bci,vl are only required by
approach 1.
Step 2: Bills Computation Per Trading Period Upon the receipt of the
tuples, firstly, CS jointly computes what is required to include users’ devia-
tions cost in their bills/rewards. The CS then sends the results to the sup-
pliers, which subsequently continue the computations to calculate users’ total
bills/rewards per tpk in a data oblivious fashion. In detail, once the CS re-
ceives (Idi , SIdj , ZIdz , [v]tp k tpk
i , [d]i ) from users, they evaluate the total devia-
tpk
tion, [tz ] , number of consumers, [nctp z ], and number of prosumers, [npz ]
k tpk
,
per zone obliviously as shown in algorithm 1. The CS then reconstruct tz , nctp
tpk
z
k
and nptpz
k
for each zone using their shares in order to compute the total global
deviation, T tpk , and the zonal deviation weight, W tpk , which help to distribute
the total global deviation proportionally between the zones (For more details
about the calculation of W tpk , please refer to our previous work of [3]). Once
completed, the CS, publish the set of Nz tuples ZN = (ttp tpk tpk
z , ncz , npz ), re-
k
tpk tpk
sulting from algorithm 1, as well as (T , W ) tuple to all suppliers, users and
KA.
Upon receiving the necessary data from the CS, suppliers can begin calcu-
lating LEM bills and rewards for the users, who are their contracted customers
in the RM. Initially, suppliers need to determine a binary value, stp k
i , for each of
their customers, indicating if the user must pay a deviation cost (the part of the
user’s production/consumption they have to sell (buy) to (from) their suppliers
according to FiT or RP rather than T Ptpk ) based on ZBUCS. stp i
k
is equal to 1
if the user has to pay a deviation cost and 0 otherwise.
16 E. Alqahtani and M. Mustafa
Algorithm 2 stp
i
k
identification by suppliers
ktp k tp ktp tpk tpk
Input: M ci,IP El , Bci,vg ,IP Er , Bci,vl ,IP Er , T , tz to which the user belongs.
tp
Output: si k
tp
si k ← 0
if T tpk > 0 then
tp
if tz k > 0 then
for n = 0 to Nv do
tp tp tp
IP ← IP E.Decrypt(ppi k , M ci k , Bci,vkl )
tpk tpk
if IP = 0 then ▷ bi < mi
tp tp
si k ← 1 return si k
end if
tp tp tp
IP ← IP E.Decrypt(ppi k , M ci k , Bci,vkr )
tpk tpk tpk
if IP = 0 then ▷ bi > mi return si
end if
end for
end if
else if T tpk < 0 then
tp
if tz k < 0 then
for n = 0 to Nv do
tp tp tp
IP ← IP E.Decrypt(ppi k , M ci k , Bci,vkl )
tpk tpk tpk
if IP = 0 then ▷ bi < mi return si
end if
tp tp tp
IP ← IP E.Decrypt(ppi k , M ci k , Bci,vkr )
tpk tpk
if IP = 0 then ▷ bi > mi
tp tp
si k ← 1 return si k
end if
end for
end if
tp tpk tpk
end if return si k ▷ bi = mi
Approach 1: stp i
k
Identification Performed by Suppliers In this approach,
suppliers identify si by themselves without knowledge of mtp
tpk
i
k
or btp k
i . They
utilize the dual binary encoding scheme, integer comparison using multiple in-
ner products [24] and IPE [31]. Specifically, for each user, using Bctp k tpk
i,vl , Bci,vr
obtained from LEMO and M ctp i
k
received from the SM, the supplier compares
mi and bi values and determine stp
tpk tpk
i
k
in an oblivious manner as shown in
algorithm 2.
Approach 2: stp i
k
Identification by CS In this approach, the CS takes
charge of identifying stp
i
k
instead of leaving it to the suppliers. The CS contin-
ues to perform computations on [vitpk ] by executing comparisons as detailed in
algorithm 3. Subsequently, the CS sends the resultant shares to the designated
supplier according to SIdj , allowing them to recover stp k
i .
Privacy-Preserving Billing for Local Energy Markets 17
Algorithm 3 stp
i
k
identification by CS
tp
Input: T tpk , tz k to which the user belongs.
tp
Output: [s]i k
tpk
[s]i ← 0
if T tpk > 0 then
tp
if tz k > 0 then
tp tp
[s]i k ← [v]i k > 0
end if
else if T tpk < 0 then
tp
if tz k < 0 then
tp tp
[s]i k ← [v]i k < 0
end if
end if
to incorporate the deviation cost (lines 6 and 10 ). In addition, the supplier up-
dates its income balance resulting from users’ deviations, denoted as SBaljtpk ,
by adding revenue and subtracting expenditures incurred from selling (or buy-
ing) the deviations costs to (or from) users (line 7 and 11 ). Upon completion,
tpk tpk
the supplier reports Ci,c and Ci,p to KA which in turn computes dkidev,tpk and
tpk tpk tpk tpk
dki using ski , ski,p and ski,c based on EPIB.
tical to its locally computed bill. Additionally, for subsequent verification, each
user calculates its total deviation cost, BLbp
i
u ,dev
, representing the cost of sell-
ing/buying the total deviation share to/from their contracted suppliers per bpu .
The user then deducts BLibpu ,dev from BLbp i
u
to determine the value dedicated
bpu ,LEM
solely to the LEM, BLi .
At the end of bpu , utilising the same homomorphism property, the supplier
computes a commitment to the aggregated vitpk during bpu by means of multi-
plication:
Nk
X Nk
Y
< vitpk >= ⟨vitpk ⟩
k=1 k=1
Privacy-Preserving Billing for Local Energy Markets 19
Concurrently, the CS aggregates all [vi ]tpk values during bpu , for each user:
Nk
X
[Vibpu ] = [vitpk ]
k=1
The CS then retrieves the result, Vibpu , by reconstructing their shares and sends it
to the designated supplier according to SIdj . Additionally, each SM sums all the
PNk tpk
random numbers, Ribpu = k=1 ri , used earlier in its previous commitments
(i.e., ⟨mi ⟩ and ⟨−bi ⟩) and sends the total Ribpu to the designated supplier.
tpk tpk
Finally, the supplier checks that Vibpu is correct if opening the commitment
PNk tpk
< k=1 vi > using Vibpu and Ribpu returns true.
Nk
X
Open(< vitpk >, Vibpu , Ribpu ) → true
k=1
This, in turn, indicates that all previous vitpk shared by user i with the CS were
correct.
Step 5: Bills Settlement and Verification In this final step, suppliers set-
tle billing period bills with users who are their contracted customers, ensuring
that any payments to or from the LEM, sent or received by these customers,
are appropriately allocated among other suppliers. Specifically, each supplier
conducts billing with their customers based on BLbp u
i , which encompasses both
LEM payments/rewards and deviations share payments/rewards dedicated to
the suppliers. The supplier, then, separates these twoPNvalues. First, the supplier
computes its accurate income balance for tpk using i=1 u
dkidev,tpk received from
KA:
Nu
X
SBaljtpk = SBaljtpk − dkidev,tpk
i=1
The supplier, then, subtract its income balance during bpu from its aggregate
customers bills to compute the remaining capital exchanged within the LEM
through it.
Nu
X Nk
X
SCapjbpu = BLbp
i
u
− SBaljtpk
i=1 k=1
SCapjbpu values are redistributed among other suppliers through the coordi-
nation of the DSO. The sum of these values should be zero, indicating that all the
LEM transactions have been accounted for legitimately. In the case of a non-zero
sum, the DSO should intervene to verify the correctness of each SCapbp j
u
value.
bpu ,LEM
To do so, the DSO collects tuples (BLi , Sidj ) from all users. The DSO
then segregates and aggregates BLbp i
u ,LEM
values based on their supplier cor-
respondence Sidj , such that SCapbp j
u ,DSO
represents the leftover capital traded
20 E. Alqahtani and M. Mustafa
at the LEM and computed by the DSO. The DSO then validates every SCapbp j
u
bpu ,DSO
value by comparing it with SCapj . Any mismatch indicates that supplier
j has been dishonest in submitting an invalid SCapbp
j
u
value.
6 Security Analysis
Theorem 1. Let πEPIB be the billing protocol employing EPIB, excluding the
consideration of the deviations cost. Then the protocol πEPIB securely emulates
the functionality FBLEM .
Functionality FEP IB
FEP IB proceeds as follows, when parameterized by a mapping between users and
their suppliers, a leakage function l which returns the length of a message and a
tp
function B to compute bli k .
tp tp tp tp tp
– Upon receiving an input (”ComputBill”, SID, Idi , mi k , di k , ski k , ski,pk , ski,ck )
tp tp tp tp
from a SM of user i, compute bli k = B(mi k , di k ), record (Idi , bli k ) and send
tp tp tp tp
a message (Idi , l(mi k + ski k ), l(ski,pk ), l(ski,ck )) to S. If user i is corrupted,
tp tp
then disclose mi k and di k to S.
and ∆mctpk (since the distribution over the ciphertext is the same in every case
i
as in one-time pad). Therefore , we can conclude that the output of the of the
real world and ideal world executions are indistinguishable.
Next we show that all three approaches of PBP-LEM securely realise FBLEM .
the relevant parties (KA, LEMO, and CS) forward the individual data necessary
for bill computation only to the designated suppliers.
Regarding the collusion impact mitigation, it is achieved by ensuring that
any potential collusion between computing parties in the market does not re-
sult in the disclosure of critical fine-grained private data (e.g., btp i
k
and mtp k
i ).
Specifically, in the case of an honest-majority CS, it is sufficient for two compu-
tational servers to collude to reveal private individual data, whereas in the case
of a dishonest majority CS, all three servers must collude for malicious collusion
to occur. However, in either scenario, the only private data CS are capable of
retrieving are dtp
i
k
and vitpk , which reveal significantly less sensitive information
about users compared to btp i
k
and mtp k
i . Additionally, collusion between CS and
suppliers has no higher impact since all private data in the possession of users’
suppliers is encrypted (using EPIB and IPFE).
7 Performance Evaluation
This section evaluates the performance of PBP-LEM in terms of computa-
tional and communication complexity, while considering the three proposed ap-
proaches.
eter assumptions. In the case of a malicious majority CS, the overall computa-
tional time for bill computation in approaches (1) and (2) is comparable, and
the key difference lies in the part of the market where the cost is concentrated,
i.e., CS or suppliers. However, considering only the online phase of CS would
give preference to approach (2). Another crucial factor to consider is the num-
ber of suppliers in the market and the distribution of users among them. For
instance, assuming that over 20% of market users are associated with a single
supplier would result in a slower bill computation time for those users in Ap-
proach (1) compared to Approach (2). In the scenario of an honest-majority CS,
Approach (2) is preferable, providing a more private solution than Approach (3)
and significantly greater efficiency than Approach (1).
Compared to PPBSP, PBP-LEM excels only in the case of Approach (3)
and Approach (2) with an honest-majority CS, taking into account the offline
phase. Nevertheless, bill computation per tpk in all approaches can be completed
maximally in less than 5 minutes for 4000 users, demonstrating the feasibility of
PBP-LEM for real LEM deployment.
26 E. Alqahtani and M. Mustafa
8 Conclusion
We introduced a privacy-preserving billing protocol for LEMs (PBP-LEM) based
on a novel scheme and other cryptographic techniques. PBP-LEM considers im-
perfect bid fulfillment and distributes bill computation among different parties
(i.e., CS and suppliers) while protecting users’ private data (e.g., bid volumes,
smart meter readings, deviations, and locations) with mitigation of internal col-
lusion impact. Furthermore, we presented three approaches that offer varying
degrees of privacy and performance. We also proved that PBP-LEM fulfill its
security and privacy requirements. Finally, we analysed the associated compu-
tation and communication costs of all our approaches under different security
settings. The results demonstrate the variations in performance between the ap-
proaches and indicate the feasibility of PBP-LEM for a setting based on real
LEMs.
References
[1] Abidin, A., Aly, A., Cleemput, S., Mustafa, M.A.: An mpc-based privacy-
preserving protocol for a local electricity trading market. In: Cryptology
and Network Security. pp. 615–625. Springer (2016)
[2] Aitzhan, N.Z., Svetinovic, D.: Security and privacy in decentralized energy
trading through multi-signatures, blockchain and anonymous messaging
streams. IEEE Transactions on Dependable and Secure Computing 15(5),
840–852 (2018). https://doi.org/10.1109/TDSC.2016.2616861
[3] Alqahtani, E., Mustafa, M.A.: Zone-based privacy-preserving billing for lo-
cal energy market based on multiparty computation (2023)
[4] Alqahtani, E., Mustafa A., M.: Privacy-preserving local energy markets: A
systematic literature review. Social Science Research Network (SSRN) (June
2023). https://doi.org/http://dx.doi.org/10.2139/ssrn.4483407
[5] Araki, T., Furukawa, J., Lindell, Y., Nof, A., Ohara, K.: High-throughput
semi-honest secure three-party computation with an honest majority. In:
ACM SIGSAC Conference on Computer and Communications Security. p.
805–817. ACM (2016)
[6] Asharov, G., Lindell, Y.: A full proof of the bgw protocol for perfectly secure
multiparty computation. J. Cryptol. 30(1), 58–151 (jan 2017)
[7] Baza, M., Sherif, A., Mahmoud, M.M.E.A., Bakiras, S., Alasmary, W.,
Abdallah, M., Lin, X.: Privacy-preserving blockchain-based energy trading
schemes for electric vehicles. IEEE Transactions on Vehicular Technology
70(9), 9369–9384 (2021). https://doi.org/10.1109/TVT.2021.3098188
[8] Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-
cryptographic fault-tolerant distributed computation. p. 1–10. ACM (1988)
[9] Bishop, A., Jain, A., Kowalczyk, L.: Function-hiding inner product en-
cryption. In: Iwata, T., Cheon, J.H. (eds.) Advances in Cryptology – ASI-
ACRYPT 2015. pp. 470–491. Springer Berlin Heidelberg, Berlin, Heidelberg
(2015)
[10] Boneh, D., Sahai, A., Waters, B.: Functional encryption: Definitions and
challenges. In: Ishai, Y. (ed.) Theory of Cryptography. pp. 253–273. Springer
Berlin Heidelberg, Berlin, Heidelberg (2011)
[11] Canetti, R.: Universally composable security: a new paradigm for crypto-
graphic protocols. In: Proceedings 42nd IEEE Symposium on Foundations
of Computer Science. pp. 136–145 (2001)
[12] Canetti, R.: Security and composition of multiparty cryptographic proto-
cols. J. Cryptol. 13(1), 143–202 (jan 2000)
[13] Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian,
J. (ed.) Advances in Cryptology — CRYPTO 2001. pp. 19–40. Springer
Berlin Heidelberg, Berlin, Heidelberg (2001)
[14] Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally compos-
able two-party and multi-party secure computation. In: Proceedings of
Privacy-Preserving Billing for Local Energy Markets 29
[38] Quinn, E.L.: Privacy and the new energy infrastructure. Social Science
Research Network (SSRN) pp. 1–41 (February 2009). https://doi.org/
http://dx.doi.org/10.2139/ssrn.1370731
[39] Radi, E.M., Lasla, N., Bakiras, S., Mahmoud, M.: Privacy-preserving elec-
tric vehicle charging for peer-to-peer energy trading ecosystems. In: ICC
2019 - 2019 IEEE International Conference on Communications (ICC).
pp. 1–6. https://doi.org/10.1109/ICC.2019.8761788
[40] Son, Y.B., Im, J.H., Kwon, H.Y., Jeon, S.Y., Lee, M.K.: Privacy-preserving
peer-to-peer energy trading in blockchain-enabled smart grids using func-
tional encryption. Energies 13(6), 1321 (2020), https://www.mdpi.com/
1996-1073/13/6/1321
[41] Wang, Y., Su, Z., Zhang, K.: A secure private charging pile sharing scheme
with electric vehicles in energy blockchain. In: 2019 18th IEEE International
Conference On Trust, Security And Privacy In Computing And Commu-
nications/13th IEEE International Conference On Big Data Science And
Engineering (TrustCom/BigDataSE). pp. 648–654. https://doi.org/10.
1109/TrustCom/BigDataSE.2019.00092
[42] Yao, A.C.: Protocols for secure computations. In: Annual Symposium on
Foundations of Computer Science (sfcs 1982). pp. 160–164 (1982). https:
//doi.org/10.1109/SFCS.1982.38
[43] Zhang, X., Zhou, L., Li, S., Xue, K., Yue, H.: Privacy-preserving power
request and trading by prepayment in smart grid. In: 2017 IEEE/CIC
International Conference on Communications in China (ICCC). pp. 1–6.
https://doi.org/10.1109/ICCChina.2017.8330340
[44] Zhang, X., Jiang, S., Liu, Y., Jiang, T., Zhou, Y.: Privacy-preserving scheme
with account-mapping and noise-adding for energy trading based on consor-
tium blockchain. IEEE Trans. on Network and Service Management pp. 1–1
(2021). https://doi.org/10.1109/TNSM.2021.3110980