Privacy-Preserving Billing for Local Energy

Markets

Eman Alqahtani1,3 and Mustafa A. Mustafa1,2

1
The University of Manchester, Manchester, UK
eman.alqahtani@postgrad.manchester.ac.uk
arXiv:2404.15886v1 [cs.CR] 24 Apr 2024

2
COSIC, KU Leuven, Leuven, 3001, Belgium
3
FCIT, KAU, Jeddah, 1589, Saudi Arabia

Abstract. We propose a privacy-preserving billing protocol for local

energy markets (PBP-LEMs) that takes into account market partici-
pants’ energy volume deviations from their bids. PBP-LEMs enables a
group of market entities to jointly compute participants’ bills in a decen-
tralized and privacy-preserving manner without sacrificing correctness.
It also mitigates risks on individuals’ privacy arising from any poten-
tial internal collusion. We first propose a novel, efficient, and privacy-
preserving individual billing scheme, achieving information-theoretic se-
curity, which serves as a building block. PBP-LEMs utilizes this scheme,
along with other techniques such as multiparty computation, Pedersen
commitments and inner product functional encryption, to ensure data
confidentiality and accuracy. Additionally, we present three approaches,
resulting in different levels of privacy and performance. We prove that
the protocol meets its security and privacy requirements and is feasi-
ble for deployment in real LEMs. Our analysis also shows variations in
overall performance and identifies areas where overhead is concentrated
based on the applied approach.

Keywords: Privacy · security · billing · local energy market · smart grid

· multiparty computation · functional encryption

1 Introduction

In the quest of a sustainable energy future, the use of renewable energy sources
(RESs) has increased widely, facilitating carbon emissions reduction. However,
the inherent unpredictability and intermittency of their output poses challenges
in existing traditional markets, leading to the emergence of local energy markets
(LEMs). These markts enable prosumers – individuals who consume and pro-
duce energy – to actively participate in open markets, supporting direct trading
of surplus energy with others. This contrasts with the traditional practice of sell-
ing excess energy to contracted suppliers at a feed-in-tariff (FiT) price, which is
often lower than retail market prices (RP). Such a transition allows prosumers
to optimise their profits by securing better prices and offers consumers the op-
portunity to reduce their expenses [15].
2 E. Alqahtani and M. Mustafa

LEMs typically require their participants to submit bids before the actual
trading periods (ranging from 30 minutes to a day in advance) [15]. Therefore,
market participants need to forecast the necessary bid volumes, indicating the
amount of energy they intend to trade. This prediction relies on historical data
and estimated consumption, making it inherently prone to errors and challenging
to achieve absolute accuracy. Whether due to intentional actions or inaccuracies
in predictions, participants may commit to trading specific energy volumes but
subsequently fail to fulfill these commitments.
As this failure can disrupt grid stability and increase balancing costs, mar-
ket participants should be accounted for their deviations from their committed
bid volumes during the billing process [36]. This consideration would incentivise
the participants to reduce their deviations and, subsequently, the negative ef-
fect they cause on the grid. Furthermore, a market participant’s deviation may
cause a different level of effect on the grid depending on what part of the grid
the participant resides in. As a result, some might bear higher costs for their
deviations compared to others, not only due to their deviation amounts but also
because of their specific locations on the grid. For example, the total deviation
of households (i.e., market participants) connected to a particular distribution
line may result in a total deviation of zero. That means the positive deviations
of the households on that line compensate for the negative deviations. As such,
it is rational not to account those individuals for their deviations regardless of
the total deviation of the entire market area.
The computation and settlement of bills and rewards for participants in
LEMs, while considering their energy deviations from their bids, requires criti-
cal private information, such as individual bid volumes and meter readings for
each trading period. Such information are closely associated with individuals’
consumption patterns, which have been shown to pose potential risks to their
privacy [38]. For example, personal details such as presence at home, sleep pat-
terns or even the detection of particular appliance activation could be inferred
from the amount of energy traded at a particular period [28, 38].
A number of previous studies have already addressed the privacy concerns
of market participants during billing and settlement, employing techniques such
as anonymization [2, 7, 18–21, 32, 34, 39, 41, 43], perturbation [23, 25, 44], and
homomorphic encryption [22, 27]. However, the majority have primarily sug-
gested payment approaches based only on bid commitments, assuming perfect
fulfillment of the bid volumes. A very limited number of the privacy-preserving
billing studies have considered establishing a billing mechanism based on the
actual amount of produced/consumed energy by the market’s participants [23,
24, 40, 44] or to additionally account for their deviations [3, 22, 27]. However, the
billing process is coordinated or executed by a single party [23, 24, 27, 40, 44],
assuming trustworthiness and honesty from that party in performing the billing
process, disclosing some or all of the individuals private data to that trusted
party and potentially imposing a high computational cost on a single party. All
of the above raise questions about the applicability or scalability of their solu-
tions in realistic scenarios. In contrast to the previously mentioned works, the
 Privacy-Preserving Billing for Local Energy Markets 3

solutions proposed by [3, 22], do not rely on a single entity for carrying out
billing calculations. Instead, they involve a group of entities working together to
compute individual bills/rewards privately. However, they are vulnerable to the
risk of internal collusion, potentially leading to the disclosure of highly sensitive
data such as individuals’ meter readings and bid volumes. Additionally, market
participants were uniformly charged for their deviations in all of the aforemen-
tioned works, irrespective of their positions on the grid, and the grid usage cost
was not considered.
To address these limitations, in this paper, we propose a privacy-preserving
billing protocol, considering participants’ deviations and their locations on the
grid. This work is an improvement on our previous study [3] to mitigate the
impact of internal collusion on individuals’ privacy. Specifically, the contributions
of this paper are threefold:

– We propose a novel efficient and privacy-preserving individual billing scheme

(EPIBS) that achieves an information theoretic security which forms a build-
ing block for PBP-LEM.
– We design PBP-LEM - a privacy-preserving billing protocol that enables
suppliers to obtain bills for their contracted customers in LEMs. PBP-LEM
takes into account participants’ energy volume deviations, their locations on
the grid, and distribution network usage cost, all without revealing any indi-
vidual participant’s private data to any party. It involves a collaboration of
different entities performing bill computation with verification of correctness.
It also mitigates the potential impact on individuals’ privacy resulting from
internal collusion. We utilise our proposed scheme, EPIBS, as well as various
cryptographic primitives, namely Pedersen commitments, multiparty com-
putation (MPC), and function-hiding inner product encryption (FHIPE), to
compute individual bills. We propose three different approaches, resulting in
different levels of privacy and performance.
– We evaluate the computation and communication complexity of PBP-LEM
under two security settings (honest-majority and dishonest-majority MPC)
to demonstrate its feasibility in real-world settings. Our analysis shows vari-
ations in the overall performance and identifies parts where the overhead is
majorly focused, depending on the employed approach. The implementation
is publicly available at: https://github.com/EmanAlqahtani/ZPPB-LEM2.

The rest of the paper is organised as follows. Section 2 covers the related
work. Section 3 introduces our system model and its requirements. Section 4
explains the utilised building blocks. Section 5 describes PBP-LEM. Section 6
provides security analysis, while Section 7 evaluates the performance of PBP-
LEM. Finally, Section 8 concludes the paper.

2 Related Work
Concerns regarding security and privacy in LEMs have been previously high-
lighted [13], prompting the proposal of several solutions using anonymization,
4 E. Alqahtani and M. Mustafa

perturbation, and homomorphic encryption techniques. Only a few of these so-

lutions have considered applying their privacy approach to a billing mechanism
based on the actual amount of exported/imported energy by market participants,
as recorded by their smart meters (SMs) [22–24, 27, 40, 44]. The work in [22, 27]
have also considered the participants’ deviations from bid commitments.
The authors of [23, 44] proposed a dynamic one-to-many accounts mapping
technique to hide participant’s trading distribution when their transactions are
being recorded on blockchain. A key part of their works is a trusted entity, token
bank, responsible for assigning each participant to multiple accounts based on a
dynamically-styled bound that achieves the effect of deferential privacy. a major
drawback of applying both [23] and [44] works in the real world is the reliance
on trusted identity management having access to user’s accounts mappings and
their transactions (i.e., which party could take this role in the real world and
whether users are willing to reveal their transactions to them).
The works of [24] and [40] mainly focused on protecting the privacy of market
participants during the market clearance phase. The employed FHIPE enabling
a market operator to execute the market and perform peer matching on en-
crypted bids without accessing their details. To hide individuals’ participation
in the market, participants (both sellers and buyers) are anonymised, and a new
identifier (pseudonym) is generated for every new session to prevent linkability.
However, after the market is executed, the distribution system operator takes
on the responsibility of invoicing participants. In doing so, it gains access to the
bid contents, and the correspondence between real identities and the one-time
identifiers utilised in each session. This results in a similar limitation to that
found in the works of [23, 44], where there is a reliance on a party to handle the
billing process, revealing both the real identities and bid details to that party.
The studies conducted by [3, 22, 27] are the only ones that have consid-
ered imperfect fulfilment of bid volumes. The work in [27] proposed a privacy-
preserving protocol for the three billing models outlined in [36] by utilizing the
Paillier homomorphic encryption technique. This protocol enables a trading plat-
form (market operator) to compute individuals’ bills/rewards without revealing
their most sensitive data. In detail, during each trading period, each SM encrypts
its meter reading and the deviation from its bid volume using the homomorphic
public key of their contracted suppliers. Subsequently, it sends the encrypted
data, along with other less sensitive information (e.g., the type of individuals’
participation), to the trading platform. The platform then calculates individuals’
bills privately in accordance with one of the billing models and sends the results
to the suppliers, which in turn decrypts them. However, this work has certain
shortcomings. Firstly, some of the participants’ private data, such as the type
of participation (i.e., whether a user is selling or buying energy) and whether
the bid was accepted or rejected, is disclosed to the trading platform. Secondly,
the protocol requires a full trust in a single party – the trading platform – for
accurate computation of bills/rewards for all market participants without any
verification of correctness.
 Privacy-Preserving Billing for Local Energy Markets 5

Similar to the approach taken by [27], the work in [22] used the Paillier
homomorphic encryption technique to implement a privacy-preserving billing
model, accounting for participants’ deviations from their commitments. However,
in contrast to [27], this solution does not rely on a single party for executing
the billing calculations. Instead, a randomly chosen set of market participants
collaboratively computes individual bills/rewards in a private manner as follows:
Individual private data are homomorphically encrypted using the supplier’s keys
and then transmitted to the chosen set, which, in turn, performs the computation
privately. The solution also incorporates a referee to verify the correctness of
bills/rewards computation simultaneously and intervene to resolve any disputes.
The referee then sends the resultant encrypted bills/rewards to the supplier for
decryption. However, a considerable limitation of this work is that it does not
provide protection against collusion. For instance, any individual in the chosen
set can collude with the supplier by providing it with others’ encrypted individual
data, subsequently enabling the supplier to decrypt the data and compromise the
individuals’ privacy. Another limitation is similar to that found in [27], wherein
the type of individual participation is disclosed.
Our previous work [3] leveraged MPC technique to apply a privacy-preserving
billing model considering participants’ deviations from their bid volumes. Instead
of relying on a single trusted party for computing the bills, our approach employs
three parties to jointly compute individual bills while ensuring the confidential-
ity of all the market participants’ data, including their types of participation.
The solution has also been evaluated under malicious and dishonest majority
settings, implying that the presence of at least one honest party is sufficient to
detect errors during bill calculations, even if the other two parties were malicious.
Nevertheless, even though the probability of collusion among all three parties is
low, given that each is controlled by a different entity, any such occurrence could
lead to the disclosure of highly sensitive data.
Unlike the aforementioned works, PBP-LEM integrates the following fea-
tures: (i) it charges for market participants who fail to fulfil their bid commit-
ments, (ii) it incorporates the participants’ locations on the grid to distribute
deviation costs fairly and accounts for distribution network usage fees in the
participants’ bills, (iii) it does not rely on a single trusted party to compute in-
dividual bills, (iv) it mitigates the impact of potential collusion among internal
parties by ensuring that only less sensitive data might be revealed in the event
of such collusion, and (v) it protects all participants’ private data including their
types of participation.

3 System Model and Requirements

In this section, we describe the system model, threat model as well as the func-
tional and privacy requirements that PBP-LEM needs to satisfy.
6 E. Alqahtani and M. Mustafa

Fig. 1: System model.

3.1 System Model

As shown in Fig. 1, our system model consists of the following entities. SMs are
devices that measure and communicate the volumes of imported and exported
energy by households in nearly real-time. Users are household owners supported
by SMs and potentially RESs. They engage in a LEM to increase their profits
and minimise their expenses. They submit bids (consisting of energy volume
and offered price) to the LEM to sell surplus energy to others at a price higher
than the Feed-in Tariff (FiT) price or buy energy at a price lower than the retail
price (RP). Local Energy Market Operator (LEMO) executes the LEM, identi-
fying both the trading price and the approved bids for trading in each trading
period. Suppliers provide energy to all users in need. They buy electricity from
the wholesale market and distribute it to their contracted customers in the re-
tail market (RM) at RP determined by suppliers. They also purchase electricity
injected by their customers that is not traded in the LEM at FiT price. Ad-
ditionally, they generate and manage their customers’ (i., users) bills based on
their participation in the LEM. RM Regulators (RMRs) are entities that set
FiT prices that users pay to their contracted suppliers for the energy they sell
in the RM. Distribution System Operator (DSO) manages and maintains the
distribution network of a particular area. It divides the LEM area into small
zones based on the physical network specifications and historical data that esti-
mate each zone state for each time period. DSO also sets energy importing and
 Privacy-Preserving Billing for Local Energy Markets 7

exporting fees for each zone. It also coordinates the redistribution of payments
to/from the LEM between users performed through their suppliers. Computa-
tional Severs (CS) calculate the required deviation cost information (e.g., total
global deviation) according to the zone-based billing model with universal cost
split (ZBUCS) introduced in [3] which is a modification of the billing model pro-
posed in [36]. To avoid collusion, the parties should have conflicting interests.
We assume that one party is controlled by suppliers, one by users, and a third
by the DSO. Key Authority (KA) generates the required encryption/decryption
keys and provides them to the designated entities.

3.2 Threat Model and Assumptions

LEMO, RMRs and suppliers are assumed to be semi-honest. They follow PBP-
LEM honestly, but they may try to infer sensitive individual data. Suppliers may
attempt to learn individual bids, meter readings, rewards/bills within the LEM
for a particular trading period, or may try to access the bills of users who are
contracted with other suppliers. In addition, the correctness of bill settlements
performed by suppliers must be verified by DSO. Users are considered to be
malicious. They may try to learn or manipulate their own (or other users’) data
(i.e., bid volumes, meter readings and deviations) to increase their profits or
reduce their bills. External entities are also malicious. They may eavesdrop or
modify transmitted data to disturb the billing process in LEM.
We assume two different security settings for CS: honest majority and dis-
honest majority with active (malicious) adversaries. For the former, one of the
three parties can be corrupted while the later allows the presence of two mali-
cious parties. The corrupted parties may try to infer information about users’
data (bids, meter readings, bills and deviations) or deviate from the protocol, for
example, by sending faulty data during the computations to distort the result.
In the case of deviation, honest parties should abort the execution.
As the focus of this work is on protecting users’ privacy, we make the following
assumptions. The communication channels are private and authentic. All entities
are time-synchronized. SMs are tamper-proof and sealed, meaning any attempt
to tamper with them will be readily detected.

3.3 Functional Requirements

– Each supplier should learn each of their customers’ aggregated bills/rewards

generated from their participation in LEM per billing period (e.g., monthly).
– Each supplier should learn its income balance incurred from selling (buying)
the deviation shares to (from) their customers per trading slot.
– Each user should learn their own LEM bill/reward per billing period.

3.4 Security and Privacy Requirements

PBP-LEM should satisfy the following requirements:

8 E. Alqahtani and M. Mustafa

– Privacy preservation: exact users’ locations, their participation in LEM, and

the type of participation (selling or buying) should be hidden from all parties.
– Confidentiality: users’ bid volumes, meter readings, deviations, and bills/rewards
per trading period from LEM should be hidden from all parties.
– Authorisation: aggregated users’ bills and rewards from participating in LEM
should be accessed only by their contracted suppliers.
– Collusion Impact Mitigation: users’ highly sensitive data (i.e., bid volumes
and meter readings) should not be revealed in the event of internal collusion.
– Accountability: reported capital exchanged within the LEM through each
supplier should be verified for accuracy to ensure correct bill settlement.

4 Building Blocks

This section describes the foundational cryptographic techniques and building

blocks utilized by PBP-LEM: function-hiding inner product functional encryp-
tion, pedersen commitment and multiparty computation.

4.1 Multiparty Computation

Multiparty Computation (MPC) enables a group of parties to jointly compute a

function on their private inputs, revealing only the computation results and keep-
ing individual data confidential [35]. This can be achieved through various cryp-
tographic techniques such as secret sharing, oblivious transfer, and homomorphic
encryption. The security provided by these techniques can either be perfect, of-
fering unconditional security against adversaries, or computational/conditional,
ensuring security given computational limitations on adversaries. Information-
theoretic protocols such as BGW provide perfect security [8], while protocols
relying on public key primitives such as garbled circuits [42] and SPDZ [17] offer
conditional security.
An essential property of MPC protocols is how many parties can be cor-
rupted. While information-theoretic protocols offer stronger (perfect) security,
they require an honest majority [35]. In contrast, computationally secure proto-
cols can tolerate a dishonest majority; however, they tend to be more complex
and expensive [26]. The MPC protocols employed in our work for each security
setting are as follows:

– Honest-Majority Setting: In this setting, we utilize an optimized secret shar-

ing approach from [5] based on replicated secret sharing, specifically designed
for three parties. This protocol minimizes communication and computation
costs as every party sends only one element for each multiplication gate us-
ing pseudo-random zero sharing. To achieve malicious security, we use the
protocol proposed by [16], which uses information-theoretic tags as in SPDZ
protocol to check for computation correctness. The protocol supports secu-
rity with abort, aiming for high efficiency.
 Privacy-Preserving Billing for Local Energy Markets 9

– Dishonest-Majority Setting: In this setting, we adopt the MASCOT proto-

col [30] for the malicious model. It is an improvement of the original SPDZ
protocol, replacing the costly somewhat homomorphic encryption used for
computing Beaver triples with oblivious transfer.

4.2 Pedersen Commitments

One of the core techniques used by PBP-LEM is Pedersen Commitments. In

essence, it allows one party to commit to a secret value and later reveal the
committed value in such a way that it becomes hard to change the initially
committed value [37]. Operating over a cyclic group G and based on the discrete
logarithmic problem, Pedersen Commitments involve two fundamental functions:

– Commit(m, r) → c: takes a value m and a random value r. It generates a

commitment c. Mathematically, let g and h be generators of G, then c =
g m .hr modp.
– Open(c, m, r) → true/f alse: takes a commitment c, a value m and a random
value r. It generates true if c is a commitment of m and f alse otherwise.

Pedersen Commitment has three main properties. It ensures hiding, where given
only a commitment c, it is computationally infeasible to determine the original
value m. It upholds binding; that is, given c, m and r, it is computationally
infeasible to find a value m̄ ̸= m and a matching value r̄ such that Open(c, m̄, r̄)
returns true. Finally, it satisfies a useful property known as homorphism, in
which the product of two commitments equals the commitment to the sum of
two initially committed values.

Commit(m1 , r1 ) ∗ Commit(m2 , r2 ) = Commit(m1 + m2 , r1 + r2 )

4.3 Inner Product Functional Encryption

Functional encryption (FE) is a special type of public key cryptography that al-
lows the performance of some computations over encrypted data. In FE schemes,
the owner of the master key (i.e., key distribution centre) can generate secret
keys for parties wishing to learn only outputs of specific functions over secret
inputs and nothing else [10]. In formal terms, given a ciphertext C corresponding
to a plaintext x and a functional decryption key sk related to a function f , a
decryptor can obtain the results of f (x) without learning anything about x.

Inner product functional encryption (IPE) is a a special scheme of FE, where

data x is represented as a vector, functional decryption key sky is associated to
a vector y. Then, given the ciphertext Ctx of x, the owner of sky can evaluate
< x.y > without learning x, which is the inner product of the vectors x and
y. Function-hiding IPE (FHIPE) provides an additional property in which both
x and y are kept secret from the function evaluator (i.e., the decryptor). In
this work, we adopt the practical FHIPE scheme proposed in [31]. The original
10 E. Alqahtani and M. Mustafa

formulation of IPE schemes involves four algorithms: Setup, KeyGen, Encrypt,

and Decrypt [9, 31]. However, for some cases, a more intuitive representation
suggests KeyGen be referred to as LeftEncrypt and Encrypt as RightEncrypt,
as discussed in [31]. A theoretical description of the algorithms is given below.
For technical details, please refer to the original work of [31].
– IP E.Setup(1λ , S) → (pp, msk) given a security parameter λ, Setup initial-
izes the system and outputs the public parameters pp and master key msk.
– IP E.Lef tEncrypt(msk, α, x) → Ctx given the master key msk, a vector x
and a uniformly random element α, LeftEncrypt outputs a ciphertext Ctx .
– IP E.RightEncrypt(msk, α, y) → Cty given the master key msk, a vector y
and a uniformly distributed element β, RightEncrypt outputs Cty ,
– IP E.Decrypt(pp, El (x), Er (y)) → z given the public parameters pp, a ci-
phertext Ctx . and a ciphertext Cty , Decrypt outputs a message z such that
z =< x, y >.

4.4 Dual Binary Encoding for Integer Comparison Using Inner

Products
In this work, we utilise a dual binary encoding scheme proposed by [24]. The
scheme converts two integer numbers, x and y, into arrays of vectors with a
limited number of elements to enable comparing these two numbers by means
of multiple inner products. More specifically, x and y undergo two different
encoding methods:
– fx (x) → (Xvl , Xvg ): on input a number x, the method fx output two encoded
arrays of vectors Xvl = [x0,l , x1,l , ..., xN,l ] and Xvg = [x0,g , x1,g , ..., xN,g ].
– fy (y) → Yv : on input a number y, the method fy output one encoded array
of vector Yv = [y0 , y1 , ..., yN ]. 4
By performing the inner products operations of < Xvl , Yv > and < Xvg , Yv >
simultaneously, the results are interpreted as follows:
– If < xn,l , yn >= 0 is satisfied first, it indicates that x < y.
– If < xn,g , yn >= 0 is satisfied first, it indicates that y < x.
– If none of the above conditions is satisfied, this means x = y.

5 Privacy-Preserving Billing Protocol for Local Energy

Market
In this section, we propose PBP-LEM, considering the deviations cost. PBP-
LEM is designed based on the billing model with a universal deviation cost split
proposed in [36], which was later modified in our previous work [3] to incorporate
users’ locations on the grid. The main idea revolves around having the RM as
a backup market to compensate for users’ deviations, which could come at a
4
For technical details about the encoding processes, please refer to the work of [24]
 Privacy-Preserving Billing for Local Energy Markets 11

cost. The zone-based billing model with universal cost split, ZBUCS, introduced
in [3] splits the total deviation cost among market participants whose deviations
are in the same direction as the total deviation while considering the zones to
which the participants belong on the grid. Prosumers (consumers) then pay (get
paid by) their contracted suppliers for their total deviation share according to
FiT (RP) rather than the LEM price, which is less beneficial. Please refer to the
work of [36] and [3] for more details.
It is important to note that this research specifically focuses on the billing
phase of the LEM. The issue of preserving users’ privacy during the market
clearance phase has been addressed in earlier research, as referenced in [4]. Our
assumption is that user privacy during LEMO’s market execution is protected
by the adoption of privacy-preserving solutions outlined in previous studies, such
as [1, 24, 40]. Consequently, the transmission of data by LEMO in PBP-LEM
does not imply unrestricted access to individual user data by the entity. In-
stead, it only requires forwarding the securely protected data (e.g., bid volumes)
to the computing parties after the market is executed to compute individual
bills/rewards.
The section begins by proposing an efficient and privacy-preserving indi-
vidual billing technique (Section 5.1), which in turn is utilized by PBP-LEM
(Section 5.2). Table 1 lists the notation used throughout the paper.

5.1 Efficient and Privacy-Preserving Individual Billing Scheme

In this section, we propose an efficient and privacy-preserving individual billing

scheme, EPIB, that achieves information-theoretic security and forms a build-
ing block for PBP-LEM. Initially, let’s assume that a set of encryption keys
tpN
Si = {skitp1 , . . . , ski k } is generated for every user, corresponding to trading
periods {tp1 , . . . , tpNk } within one billing period, bpu . Each encryption key ski
is a randomly generated number over a finite field modulo q (zq ). Then, our
privacy-preserving individual billing technique operates over zq as follows.
After each trading period, tpk , each user, i, encrypts its recorded meter read-
ing, mi , during tpk using the corresponding skitpk by simply computing:

mctp
i
k
= mtp
i
k
+ skitpk

Given the identified market trading price, T P tpk , to compute the encrypted
individual bill/reward, one performs the following computation:

bctp
i
k
= mctp
i
k
∗ T P tpk

Including the deviation cost and distribution network usage cost in users’
bills/rewards based on ZBUCS requires knowledge of the user’s type of partic-
ipation, dtp
i
k
– that is, whether the user offered to produce or consume energy
during tpk . To protect dtp k
i , we begin by encoding it into two distinct values,
12 E. Alqahtani and M. Mustafa

Table 1: Notations
Symbol Description
bpu u-th billing period, u ∈ {1, ..., Nu }.
tpk k-th trading period, k ∈ {1, ..., Nk }.
Idi Unique identifier of user i, i ∈ {1, ..., Nu }.
SIdj , ZIdz Unique identifier of supplier j, zone z.
tp tp tp tp
bi k , m i k , v i k , di k , Bid volume, meter reading, individual deviation, type of par-
tp tp
si k , bli k ticipation (binary value), deviation cost inclusion state (binary
value), individual bill/reward of user i at tpk .
tp
Vi k , BLbp i
u
Total deviation, individual bill/reward of user i at bpu .
BLbp i
u ,LEM
Total bills/rewards of user i dedicated to the LEM at bpu .
SBaljbpu , SCapbp j
u
Income balance of supplier j resulting from users trading of
deviations cost, capital traded exclusively within the LEM
through supplier j at bpu .
tp tp
ppi k , mski k Public parameters and master key for user i at tpk .
Si , Sip , Sic Three set of random keys corresponding to the trading periods
{tp1 , . . . , tpNk } within bpu generated for user i
tp tp
Ci,pk , Ci,ck Condition that requires user i to pay/get paid to/by supplier
due to his/her deviation at tpk .
tp tp tp tp tp tp tp tp tp
mci k , dci,pk , dci,ck Ciphertext of mi k , di,pk , di,ck with ski k , ski,pk , ski,ck , respec-
tively at tpk using EPIB.
tp
bci k /Blcbp i
u
Ciphertext of bli at tpk /bpu using EPIB.
tp tp
dki k ,DKibpu Decryption key of bci k , Blcbp u
i,S using EPIB.
tpk tpk tpk tp
Mi , Bi,vr , Bi,vl Dual binary encoded arrays of vectors representing mi k and
tpk
bi using fy and fx respectively.
tp tp tp tp tp
M ci k , Bci,vkr , Bci,vkl Ciphertexts of Mi k , Bi,vr and Bi,vl at tpk with mski k using
IP E.Lef tEncrypt and IP E.RightEncrypt.
T tpk /N P tpk /N C tpk , Total deviation/number of prosumers/number of consumers in
W tpk the entire LEM area at tpk , zonal deviation weight.
tp tp tpk
tz k , npz k , ncz Total deviation, number of prosumers, number of consumers in
zone z at tpk .
T P tpk , F iT tpk , RP tpk LEM trading price, FiT and RP at tpk .
z,tp z,tp
N Fp k /N Fc k Network fee for exporting/importing in zone z at tpk .
 Privacy-Preserving Billing for Local Energy Markets 13

dtp k tpk
i,p and di,c , each representing a binary state of the user’s type participa-
tion at tpk . For example, if the user is buying energy at tpk , then dtpk
i,p = 1
tpk tpk
and di,c = 0. Conversely, if the user is consuming energy, then di,p = 0 and
tpN tpN
dtp k p tp1 k c tp1
i,c = 1. Let Si = {ski,p , . . . , ski,p } and Si = {ski,c , . . . , ski,p } represent
k

two sets of randomly generated keys over zk , corresponding to the trading pe-
riods {tp1 , . . . , tpNk } within bpu . For each tpk , each user masks dtp k tpk
i,p and di,c
tpk tpk
using ski,p and ski,c , respectively.

dctpk tpk tpk

i,p = di,p + ski,p

dctp k tpk tpk

i,c = di,c + ski,c

Let N Fptpk and N Fctpk represent the distribution network fee for exporting
and importing energy in zone z, respectively. Let devptpk denote the cost to
be paid by certain prosumers to their suppliers due to deviations based on a
tpk
condition, Ci,p p, and devctpk denote the compensation to be received by specific
tpk
consumers from their suppliers for deviations based on a condition, Ci,c , as
defined in ZBUCS. Then, for each tpk , the addition of devptpk and devctpk to bctp
i
k

is as follows:

bctp
i
k
= bctp
i
k
+ mctp
i
k
∗ ((dctp tpk tpk tpk
i,p ∗ N Fp ) + (dci,c ∗ N Fc ))
k

tpk
+ [Ci,p ](dctp k tpk tpk tpk tpk
i,p ∗ devp ) + [Ci,c ](dci,c ∗ devc )

tpk tpk
Here, the notation [Ci,p ] and [Ci,c ] represents Iverson brackets, where [C]
is equal to 1 if condition C is true, and 0 otherwise. The decryption key for tpk
is then computed as:

dkidev,tpk = [Ci,p
tpk tpk
](ski,p tpk
∗ devptpk ) + [Ci,c tpk
](ski,c ∗ devctpk )

dkitpk = (skitpk ∗ T P tpk ) + (ski,p

tpk tpk
∗ N Fptpk ) + (ski,c ∗ N Fptpk ) + dkidev,tpk

For every bpu , the encrypted monthly bill BLcbp i

u
is calculated by summing
tpk bpu PNk tpk
the results bci of each tpk : BLci = k=1 bci . Similarly, the decryption
key DKibpu for bpu is computed by summing the results dkitpk for every tpk :
PNk
DKibpu = k=1 dkitpk . Finally, to decrypt, one simply computes:

BLbp
i
u
= BLcbp
i
u
− DKibpu
14 E. Alqahtani and M. Mustafa

The above scheme guarantees the protection of mtp i

k
and dtpk
i . Its security
tpk tpk tpk
comes from the fact that if ski , ski,p and ski,c are fresh random numbers
generated for every tpk , then the scheme can be seen as equivalent to one-time
pad.

5.2 Privacy-Preserving Billing Protocol

This section provides a detailed description of PBP-LEM considering the devi-

ations cost. PBP-LEM consists of five steps: input data generation and distri-
bution, bills computation per trading period, bills computation and distribution
per billing period, individual deviations verification, and bills settlement and
verification. We first discuss some prerequisite steps that should be performed.
We will then discuss the five protocol steps in detail in the remainder of the
section. The discussion includes a description of three different approaches ap-
plied in PBP-LEM, leading to varying degrees of privacy and performance. In
the subsequent sections of this paper, the square brackets [x] denote that x is
secretly shared, and the angles ⟨x⟩ denote a Pedersen commitment to x.

Prerequisites Before engaging in the LEM trading, users are required to reg-
ister with the key authority, KA. Each user sends a registration request along
with the tuple (Idi , SIdj , ZIdz ) containing their unique identifiers, Idi , their
contracted supplier identifiers, Sidj , and the zone to which the user belongs,
ZIdz , to the KA. Subsequently, KA generates three sets Si , Sic and Sip of ran-
dom keys, following EPIB. It also generates a master key, mskitpk , and public
parameters, pptp k
i , using Setup method of the IPE scheme [31]. KA then trans-
mits the tuple (Si , Sic , Sip , mskitpk , pptp k
i ) to the user’s SM. For every bpu , KA
c p
regenerates new sets of Si , Si and Si for each user.
Additionally, we make the following assumptions: bid volumes, btp k
i , are en-
coded using fx of the dual-binary encoding scheme [24] into two arrays of vectors,
tpk tpk tpk tpk
Bi,v r
and Bi,v l
. LEMO possesses the encryption of Bi,v g
and Bi,v l
using mskitpk
and pptpi
k
with the IP E.RightEncrypt, denoted by Bctp k tpk
i,vr and Bci,vl , respec-
tively, which it receives from users before the market clearance phase to execute
the market privately, as in [24]. Please note that the above assumption is re-
quired only for approach 1 in step 2. We also assume that users send dctp k tpk
i,p , dci,c
tpk
and Pedersen commitments to the negative inverse of their bid volumes, ⟨−bi ⟩,
to LEMO along with their submitted bids before the market execution. Next,
we discuss the five steps of PBP-LEM.

Step 1: Input Data Generation and Distribution After each trading pe-
riod tpk , tuples are prepared by users, their respective SMs, and LEMO. These
tuples are then shared with CS and suppliers, enabling collaborative computation
of the users’ bills and rewards from the LEM, inclusive of their deviations cost.
In detail, every user in every zone calculates their deviation viz,tpk by subtracting
mtp
i
k
from btp k z,tpk
i . Each user then generates a tuple (Idi , SIdj , ZIdz , [v]i , [d]z,tp
i
k
)
 Privacy-Preserving Billing for Local Energy Markets 15

Algorithm 1 Zone-based Deviations Aggregation

Input: Set of Nuz user tuples U = ([v], [d]) who belong to zone z
Output: Zone z tuple ZN = ([t], [np], [nc])
for i = 0 to Nuz do
tp tp tp
[t]z k ← [t]z k + [v]i k
tpk tpk tp
[p]z ← [p]z + [d]i k
tpk tpk tp
[c]z ← [p]z + 1 − [d]i k
end for

which contains shares of the computed deviations, [v]tp i

k ,z
and shares of their type
z,tpk
of participation [d]i (i.e., a prosumer or consumer) and send it to the CS.
In addition, every SM encodes mtp i
k
into an array of vectors, Mitpk , us-
ing fy method of the dual binary encoding scheme [24]. The SM then en-
crypts Mitpk with mskitpk and pptp i
k
using IP E.Lef tEncrypt, M ctp k
i . The SM
tpk tpk tpk
also encrypts mi with ski using EPIB, mci . It also computes a peder-
sen commitment to mtp tpk
i , ⟨mi ⟩. Upon completion, the SM prepares the tuple
k

tpk tpk tpk

(Idi , ZIdz , mci , M ci , ⟨mi ⟩) and transmit it to the supplier. Additionally,
LEMO forwards the following tuple (Idi , Bctp tpk tpk tpk tpk
i,vr , Bci,vl , ⟨−bi ⟩, dci,p , dci,c ) for
k

each user to the supplier. Please note that in the following step, we will present
three different approaches where M ctp k tpk tpk
i , Bci,vr and Bci,vl are only required by
approach 1.

Step 2: Bills Computation Per Trading Period Upon the receipt of the
tuples, firstly, CS jointly computes what is required to include users’ devia-
tions cost in their bills/rewards. The CS then sends the results to the sup-
pliers, which subsequently continue the computations to calculate users’ total
bills/rewards per tpk in a data oblivious fashion. In detail, once the CS re-
ceives (Idi , SIdj , ZIdz , [v]tp k tpk
i , [d]i ) from users, they evaluate the total devia-
tpk
tion, [tz ] , number of consumers, [nctp z ], and number of prosumers, [npz ]
k tpk
,
per zone obliviously as shown in algorithm 1. The CS then reconstruct tz , nctp
tpk
z
k

and nptpz
k
for each zone using their shares in order to compute the total global
deviation, T tpk , and the zonal deviation weight, W tpk , which help to distribute
the total global deviation proportionally between the zones (For more details
about the calculation of W tpk , please refer to our previous work of [3]). Once
completed, the CS, publish the set of Nz tuples ZN = (ttp tpk tpk
z , ncz , npz ), re-
k

tpk tpk
sulting from algorithm 1, as well as (T , W ) tuple to all suppliers, users and
KA.
Upon receiving the necessary data from the CS, suppliers can begin calcu-
lating LEM bills and rewards for the users, who are their contracted customers
in the RM. Initially, suppliers need to determine a binary value, stp k
i , for each of
their customers, indicating if the user must pay a deviation cost (the part of the
user’s production/consumption they have to sell (buy) to (from) their suppliers
according to FiT or RP rather than T Ptpk ) based on ZBUCS. stp i
k
is equal to 1
if the user has to pay a deviation cost and 0 otherwise.
16 E. Alqahtani and M. Mustafa

Algorithm 2 stp
i
k
identification by suppliers
ktp k tp ktp tpk tpk
Input: M ci,IP El , Bci,vg ,IP Er , Bci,vl ,IP Er , T , tz to which the user belongs.
tp
Output: si k
tp
si k ← 0
if T tpk > 0 then
tp
if tz k > 0 then
for n = 0 to Nv do
tp tp tp
IP ← IP E.Decrypt(ppi k , M ci k , Bci,vkl )
tpk tpk
if IP = 0 then ▷ bi < mi
tp tp
si k ← 1 return si k
end if
tp tp tp
IP ← IP E.Decrypt(ppi k , M ci k , Bci,vkr )
tpk tpk tpk
if IP = 0 then ▷ bi > mi return si
end if
end for
end if
else if T tpk < 0 then
tp
if tz k < 0 then
for n = 0 to Nv do
tp tp tp
IP ← IP E.Decrypt(ppi k , M ci k , Bci,vkl )
tpk tpk tpk
if IP = 0 then ▷ bi < mi return si
end if
tp tp tp
IP ← IP E.Decrypt(ppi k , M ci k , Bci,vkr )
tpk tpk
if IP = 0 then ▷ bi > mi
tp tp
si k ← 1 return si k
end if
end for
end if
tp tpk tpk
end if return si k ▷ bi = mi

Approach 1: stp i
k
Identification Performed by Suppliers In this approach,
suppliers identify si by themselves without knowledge of mtp
tpk
i
k
or btp k
i . They
utilize the dual binary encoding scheme, integer comparison using multiple in-
ner products [24] and IPE [31]. Specifically, for each user, using Bctp k tpk
i,vl , Bci,vr
obtained from LEMO and M ctp i
k
received from the SM, the supplier compares
mi and bi values and determine stp
tpk tpk
i
k
in an oblivious manner as shown in
algorithm 2.

Approach 2: stp i
k
Identification by CS In this approach, the CS takes
charge of identifying stp
i
k
instead of leaving it to the suppliers. The CS contin-
ues to perform computations on [vitpk ] by executing comparisons as detailed in
algorithm 3. Subsequently, the CS sends the resultant shares to the designated
supplier according to SIdj , allowing them to recover stp k
i .
 Privacy-Preserving Billing for Local Energy Markets 17

Algorithm 3 stp
i
k
identification by CS
tp
Input: T tpk , tz k to which the user belongs.
tp
Output: [s]i k
tpk
[s]i ← 0
if T tpk > 0 then
tp
if tz k > 0 then
tp tp
[s]i k ← [v]i k > 0
end if
else if T tpk < 0 then
tp
if tz k < 0 then
tp tp
[s]i k ← [v]i k < 0
end if
end if

Approach 3: Individual Deviations Disclosed to Suppliers As individual

deviations are less sensitive data, we may allow their disclosure to suppliers,
enabling them to compare the values in clear. Accordingly, each user simply
sends a tuple (idi ,vitpk ) to its corresponding supplier. This avoids the significant
overhead caused by parties performing comparisons on the encrypted or secretly
shared data. Disclosing users’ deviations would reveal some information about
users. However, critical sensitive data such as meter readings and bid volumes
should still not be inferred.
After identifying stp k
i , suppliers proceed with the computation of users’ bills/rewards
per tpk , using EPIB as shown in Algorithm 4. Specifically, for each user, their
respective supplier calculates bctp i
k
based on mctp
i
k
received from the SMs, and
dci,p and dci,c obtained form LEMO (line 1 ). The supplier then modifies bctp
tpk tpk
i
k

to incorporate the deviation cost (lines 6 and 10 ). In addition, the supplier up-
dates its income balance resulting from users’ deviations, denoted as SBaljtpk ,
by adding revenue and subtracting expenditures incurred from selling (or buy-
ing) the deviations costs to (or from) users (line 7 and 11 ). Upon completion,
tpk tpk
the supplier reports Ci,c and Ci,p to KA which in turn computes dkidev,tpk and
tpk tpk tpk tpk
dki using ski , ski,p and ski,c based on EPIB.

Step 3: Bills Computation and Distribution Per Billing Period At

the end of the billing period bpu , suppliers finalize the computation of users’
bills/rewards using EPIB. For each user, their corresponding supplier aggre-
PNk
gates bctp
i
k
for all trading periods within bpu : BLcbp
i
u
= k=1 bctp k
i . Simulta-
neously, KA computes DKibpu using all previously computed dkitpk during bpu :
PNk
DKibpu = k=1 dkitpk . KA then sends the user’s DKibpu to the designated sup-
plier according to Sidj . Upon receiving DKibpu from KA, the supplier decrypts
BLcibpu using EPIB to obtain the user’s bill/reward ,BLbp u
i , which is then sent
to the user. As each user has all the required information (e.g., T tpk and W )
to compute its individual bill/reward, the user accepts BLbp i
u
only if it is iden-
18 E. Alqahtani and M. Mustafa

Algorithm 4 Individual Bill Computation Per Trading Period

tp tp tp tp tp
Input: mci k , si k , dci,pk , dci,ck , SBalj k , (T tpk , W tpk ), zone z tuple ZN =
tpk tp tp
(tz , ncz k , npz k ) to which the user belongs.
tp tp tp c,tp
Output: bci k , SBalj k , Ci,pk , Ci k
tp tp tp z,tp tp z,tpk
1: bci k ← mci k ∗ (T P tpk + (dci,pk × −N Fp k ) + (dci,ck × N Fc ))
tp tp
2: Ci,pk ← (T tpk > 0 and si k )
tpk tpk tp
3: Ci,c ← (T < 0 and si k )
tpk
4: if Ci,p then
tp tp tp
5: devp k ← (tz k × W tpk /npz k ) × (F iT tpk − T P tpk )
tpk tpk tpk tp
6: bci ← bci + dci,p × devp k
tp tp tp tp
7: SBalj k ← SBalj k − dci,pk × devp k
tpk
8: else if Ci,c then
tp tp tp
9: devc k ← (tz k × W tpk /ncz k ) × (RP tpk − T P tpk )
tpk tpk tpk tp
10: bci ← bci + dci,c × devc k
tpk tpk tpk tp
11: SBalj ← SBalj + dci,c × devc k
12: end if

tical to its locally computed bill. Additionally, for subsequent verification, each
user calculates its total deviation cost, BLbp
i
u ,dev
, representing the cost of sell-
ing/buying the total deviation share to/from their contracted suppliers per bpu .
The user then deducts BLibpu ,dev from BLbp i
u
to determine the value dedicated
bpu ,LEM
solely to the LEM, BLi .

Step 4: Individual Deviations Verification The purpose of this step is to

verify the accuracy of the individual deviations [v]tp
i
k
computed by each user
and transmitted to the CS. Before getting into details, it is important to stress
that this is an ongoing process conducted for every tpk and at the end of bpu .
Pedersen commitment is employed to verify the accuracy of [v]tp i
k
for each user.
tpk tpk
For every tpk , given ⟨mi ⟩ received from an SM and ⟨−bi ⟩ received from
LEMO, the designated supplier exploits the homomorphism property of Pedersen
commitment to obtain a commitment to vitpk :

⟨vitpk ⟩ = ⟨mtp tpk

i ⟩.⟨−bi ⟩
k

At the end of bpu , utilising the same homomorphism property, the supplier
computes a commitment to the aggregated vitpk during bpu by means of multi-
plication:

Nk
X Nk
Y
< vitpk >= ⟨vitpk ⟩
k=1 k=1
 Privacy-Preserving Billing for Local Energy Markets 19

Concurrently, the CS aggregates all [vi ]tpk values during bpu , for each user:
Nk
X
[Vibpu ] = [vitpk ]
k=1

The CS then retrieves the result, Vibpu , by reconstructing their shares and sends it
to the designated supplier according to SIdj . Additionally, each SM sums all the
PNk tpk
random numbers, Ribpu = k=1 ri , used earlier in its previous commitments
(i.e., ⟨mi ⟩ and ⟨−bi ⟩) and sends the total Ribpu to the designated supplier.
tpk tpk

Finally, the supplier checks that Vibpu is correct if opening the commitment
PNk tpk
< k=1 vi > using Vibpu and Ribpu returns true.
Nk
X
Open(< vitpk >, Vibpu , Ribpu ) → true
k=1

This, in turn, indicates that all previous vitpk shared by user i with the CS were
correct.

Step 5: Bills Settlement and Verification In this final step, suppliers set-
tle billing period bills with users who are their contracted customers, ensuring
that any payments to or from the LEM, sent or received by these customers,
are appropriately allocated among other suppliers. Specifically, each supplier
conducts billing with their customers based on BLbp u
i , which encompasses both
LEM payments/rewards and deviations share payments/rewards dedicated to
the suppliers. The supplier, then, separates these twoPNvalues. First, the supplier
computes its accurate income balance for tpk using i=1 u
dkidev,tpk received from
KA:
Nu
X
SBaljtpk = SBaljtpk − dkidev,tpk
i=1

The supplier, then, subtract its income balance during bpu from its aggregate
customers bills to compute the remaining capital exchanged within the LEM
through it.
Nu
X Nk
X
SCapjbpu = BLbp
i
u
− SBaljtpk
i=1 k=1

SCapjbpu values are redistributed among other suppliers through the coordi-
nation of the DSO. The sum of these values should be zero, indicating that all the
LEM transactions have been accounted for legitimately. In the case of a non-zero
sum, the DSO should intervene to verify the correctness of each SCapbp j
u
value.
bpu ,LEM
To do so, the DSO collects tuples (BLi , Sidj ) from all users. The DSO
then segregates and aggregates BLbp i
u ,LEM
values based on their supplier cor-
respondence Sidj , such that SCapbp j
u ,DSO
represents the leftover capital traded
20 E. Alqahtani and M. Mustafa

at the LEM and computed by the DSO. The DSO then validates every SCapbp j
u

bpu ,DSO
value by comparing it with SCapj . Any mismatch indicates that supplier
j has been dishonest in submitting an invalid SCapbp
j
u
value.

6 Security Analysis

We analyse the security of PBP-LEM under the Universal Composability (UC)

framework [11, 12]. The framework provides a strong security gurantees by which
a protocol proven secure in this framework is assured to maintain its security
when it is run sequentially or concurrently with other protocols. The framework
consists of the real world (i.e. the real protocol), ideal world and an environment.
In the ideal world, the parties do not communicate with each other. Instead they
have access to an ideal functionality (i.e., “trusted party”) that is defined to
capture the desired security requirements of the real protocol. Then, security of
the real protocol is implied if no environment can computationally distinguish
between the two worlds.

Definition 1 (UC emulation [11]). A real protocol π UC-realizes an ideal

functionality F if for any real-world adversary A, there exists a simulator S
such that no environment Z is able to distinguish with a non-negligible probability
between an interaction with A and real parties running protocol π and an interac-
tion with S and dummy parties accessing F, i.e., REALπ,A,Z ≈ IDEALF ,S,Z .

Definition 2 (Composition Theorem [11]). Let ρ, φ, and π be protocols

such that φ is a subroutine of π, ρ UC-emulates φ, and π UC-realizes an ideal
functionality F, then protocol π φ→ρ UC-realizes F.

We assume the presence of the following ideal functionalities: secure com-

putation ideal functionality FSecComp for MPC and IPFE; and a commitment
ideal functionality FCOM . FSecComp receives private inputs from users, preform
computation on the inputs and reveal the results upon parties agreement. FCOM
receives values to be committed from users, stores them in its internal state and
reveal them upon request. We also construct an ideal functionality for EPIB
FEP IB as shown in Fig. 2. For simplicity, the functionality solely captures the
computation of individual bills with no inclusion of the deviations cost.

Theorem 1. Let πEPIB be the billing protocol employing EPIB, excluding the
consideration of the deviations cost. Then the protocol πEPIB securely emulates
the functionality FBLEM .

PROOF. We construct a simulator S such that no environment Z can dis-

tinguish between an ideal and real execution. S executes a simulated copy of A
and imitates an interaction with parties running πEPIB to make the simulation
of internal protocol interactions consistent with the real execution. S proceeds
as follows: upon receiving (Idi , l(mtp
i
k
+ skitpk ), l(ski,p
tpk tpk
), l(ski,c )) from FEP IB ,
S mimics the encryption operations of EPIB on behalf of the smart meter. It
 Privacy-Preserving Billing for Local Energy Markets 21

Functionality FEP IB
FEP IB proceeds as follows, when parameterized by a mapping between users and
their suppliers, a leakage function l which returns the length of a message and a
tp
function B to compute bli k .
tp tp tp tp tp
– Upon receiving an input (”ComputBill”, SID, Idi , mi k , di k , ski k , ski,pk , ski,ck )
tp tp tp tp
from a SM of user i, compute bli k = B(mi k , di k ), record (Idi , bli k ) and send
tp tp tp tp
a message (Idi , l(mi k + ski k ), l(ski,pk ), l(ski,ck )) to S. If user i is corrupted,
tp tp
then disclose mi k and di k to S.

Fig. 2: Functionality FEP IB

defines mctpk tpk tpk

i , dci,p , dci,c to be random values ∆mctpk , ∆dctpk , ∆dctpk from the
i i,p i,c

appropriate space given l(mtpi

k
+ skitpk ), l(ski,p
tpk tpk
), l(ski,c ). S then feeds A with
the defined values ∆mctpk , ∆dctpk and ∆dctpk .
i i,p i,c

Now given that skitpk , ski,p

tpk tpk
and ski,c are truly random numbers, it implies
tpk tpk tpk
that mci , dci,p and dci,c based on EPIB, are uniformly distributed. This in-
dicates perfect indistinguishably as it is impossible to distinguish between mctp
i
k

and ∆mctpk (since the distribution over the ciphertext is the same in every case
i
as in one-time pad). Therefore , we can conclude that the output of the of the
real world and ideal world executions are indistinguishable.

Definition 3 (Ideal Functionality of Billing for LEM FBLEM ). Given a

set of input tupples (Idi , SIdj , ZIdz , viz,tpk , dz,tp
i
k
) from users and a set of tupples
(Idi , ZIdz , mi ) from their SMs and a set of tupples (Idi , btp
tpk k
i ) from LEMO,
bpu bpu
the ideal functionality FEP IB computes BLi and SCapj for all users and
suppliers and return the results to the designated parties.

Next we show that all three approaches of PBP-LEM securely realise FBLEM .

Theorem 2. Let πApp1 ,πApp2 and πApp3 be PBP-LEM employing Approach 1, 2

and 3 , respectively. Then the protocols πApp1 ,πApp2 and πApp3 securely emulate
the functionality FBLEM in the {FSecComp , FCOM , FEP IB }-hybrid model.

PROOF. Assuming the presence of concrete implementations of the underlying

functionalities FSecComp [6, 14] and FCOM [13], the proof is a straightforward
application of the composition theorem. Since the protocols πApp1 ,πApp2 and
πApp3 compromise only FSecComp , FCOM and FEP IB , which can be substituted
by their universally composable implementations.

Authorisation and Collusion Impact Mitigation: authorisation is achieved by

allowing aggregated users’ bills to be retrieved by their contracted suppliers
only. This is simply accomplished through the use of SIdj , which ensures that
22 E. Alqahtani and M. Mustafa

Table 2: Computational Complexity.

Per tpk Per bpu
Entity

All Apprs. Only Appr. 1 Only Appr. 2 All Apprs.

SM Commit Nv ∗ IP E.Lef tEncrypt -
User Commit 2 ∗ Nv ∗ IP E.RightEncrypt -
Supplier Nus ∗ 2 ∗ HomoAdd Nus ∗ 2 ∗ Nv ∗ IP E.Decrypt - Nus ∗ Open
CS - - Nu ∗ Comp

the relevant parties (KA, LEMO, and CS) forward the individual data necessary
for bill computation only to the designated suppliers.
Regarding the collusion impact mitigation, it is achieved by ensuring that
any potential collusion between computing parties in the market does not re-
sult in the disclosure of critical fine-grained private data (e.g., btp i
k
and mtp k
i ).
Specifically, in the case of an honest-majority CS, it is sufficient for two compu-
tational servers to collude to reveal private individual data, whereas in the case
of a dishonest majority CS, all three servers must collude for malicious collusion
to occur. However, in either scenario, the only private data CS are capable of
retrieving are dtp
i
k
and vitpk , which reveal significantly less sensitive information
about users compared to btp i
k
and mtp k
i . Additionally, collusion between CS and
suppliers has no higher impact since all private data in the possession of users’
suppliers is encrypted (using EPIB and IPFE).

7 Performance Evaluation
This section evaluates the performance of PBP-LEM in terms of computa-
tional and communication complexity, while considering the three proposed ap-
proaches.

7.1 Computational Complexity

The most computationally demanding operations in PBP-LEM are IPE methods
(specifically IPE.LeftEncrypt, IPE.RightEncrypt, and IPE.Decrypt), multiplica-
tion, and comparison operations performed by CS, followed by Pedersen com-
mitment methods (Commit and Open). The computation cost of all remaining
operations, including EPIB operations, is negligible.
For all approaches, for every tpk , each SM computes one Commit over its
recorded meter reading; each user computes one Commit over its bid volume
and each supplier computes two homomorphic additions on the commitments
for each of its contracted user: Nus × 2× HomoAdd. Moreover, for every bpu ,
every supplier performs one commitment opening for each corresponding user:
Nus × Open. If approach (1) is adopted, in addition to the previously mentioned
operations, each SM computes Nv × IPE.LeftEncrypt; every user computes Nv ×
 Privacy-Preserving Billing for Local Energy Markets 23

Fig. 3: Computational overhead for each entity per trading period.

2× IPE.RightEncrypt and each supplier computes Nus ×Nv ×2× IPE.Decrypt in

the ultimate worst case scenario. Here, Nv is the number of vectors required to
encode each bid volume and meter reading using dual binary encoding scheme
methods (i.e. fy and fx ) [24]. Please note that suppliers may perform Nv × 2×
IPE.Decrypt for each user in the worst-case scenario, which occurs when the bid
volume and meter reading values are equal. However, in most cases, the values
result in a better cost, as the “for” loop in Algorithm(2) may exit before iterating
Nv times. In the case of approach (2), CS additionally performs one comparison
and one multiplication for each user in the market: Nu × Comp + Nu × M ult. In
case approach (3) is employed, no additional computationally heavy operations
are to be performed.
We also conducted experiments to test the performance of PBP-LEM. CS,
supplier and KA were implemented on a 64-bit Linux server equipped with 16
cores single thread Intel Xeon processors and 64 GB of memory. We run all the
parties on the same server, therefore, network latency is not considered. Users
and SMs operations were evaluated on a laptop with Intel Core i7 CPU and 8 GB
of memory. CS algorithms were executed using the MP-SPDZ framework [29],
which supports the underlying primitives and MPC protocols employed by PBP-
LEM (Section 4.1). All other entities’ algorithms were implemented in python.
IPE modules was adopted from [33].
24 E. Alqahtani and M. Mustafa

We followed the same random generation approach used in [36] –based on a

realistic dataset from [1] – to simulate bid volumes and meter readings over a 30-
minute trading period, typical for Local Energy Markets (LEMs). To facilitate
accurate and efficient private bills computation, values are represented as integer
numbers. Upon the completion of bills calculation, correct bills are retrieved by
performing the necessary conversions. RP of the suppliers, FiT, TP and network
fees for exporting and importing energy in all zones are set to .3£/Wh, .1£/Wh,
.2£/Wh, .05£/Wh and .04£/Wh, respectively. We assume that each trading
period is 30 minutes long and each billing period is one month, meaning that a
single billing period consist of 1440 trading periods. We initiated our experiments
with 1000 users participating in a LEM for one trading period and gradually
increased the number to 4000 users. The user distribution comprised an equal
split between prosumers and consumers, resulting in 500 users of each type for
every 1000 users. We assumed that there are 6 different suppliers and four zones
in the market, allocating users equally among them.
Based on the generated bid volumes and meter reading values ranges, we set
Nv to 12 for Approach (1), allowing the representation of 4095 different integer
values according to the dual binary encoding scheme [24]. Our results indicate
that each Commit costs 2.10 ms; HomoAdd costs 0.124812 ms; Open costs 0.25
ms; Nv × IPE.LeftEncrypt costs 25.40 ms; Nv × IPE.RightEncrypt costs 164.10
ms; .2 × Nv × IPE.Decrypt costs 622 ms.
Figure 3 illustrates the computational cost per tpk for each entity in the mar-
ket with respect to each of the three approaches. Approach (1) incurs additional
costs for the resource-constrained market entities (i.e., SMs and users) com-
pared to the other approaches, as it involves more intensive operations during
Step (1). Nevertheless, none of the three approaches impose significant compu-
tational demands on SMs and users. For instance, in approach (1), the overall
computational time per tpk for each SM and user is 27.56 ms and 330.14 ms,
respectively. Regarding suppliers and CS, the selected approach during Step (2)
determines which entity should handle the most computationally intensive oper-
ations to incorporate deviation costs in bill calculations. This costs arises from
Algorithm (3) performed by CS in approach (2) or Algorithm (2) executed dis-
tributively by users’ respective suppliers in approach (1). Please note that, as we
evenly distributed the number of users among suppliers, they all share similar
costs. However, in a more realistic scenario, some suppliers might bear higher
costs than others based on the number of their contracted users. In approach (3),
users’ privacy has been relaxed in exchange for eliminating heavy computations,
resulting in a trivial cost for both suppliers and CS.
Figure 4 displays the total computation time for bill calculation per tpk in
all approaches, as well as PPBSP by [27] for benchmarking. Please note that
the figure accounts for CS’s computation time, considering the offline phase of
the underlying MPC primitives. Clearly, Approach (3) stands out as the most
efficient, attributed to privacy loosening—specifically, disclosing individual de-
viations to the suppliers. If such leakage is not tolerated by users, the decision
between approaches (1) and (2) becomes less straightforward, given our param-
 Privacy-Preserving Billing for Local Energy Markets 25

Fig. 4: Overall bills computation cost per trading period.

Table 3: Communication Complexity.

Per tpk Per bpu
Entity

All Apprs. Only Appr. 1 Only Appr. 2 All Apprs.

SMs-to-Suppliers Nu ∗ (|C| + |⟨X⟩)| Nu ∗ Nv ∗ |CTl | - Nu ∗ |R|
LEMO-to-Suppliers Nu ∗ (|⟨X⟩| + 2 ∗ |C|) 2 ∗ Nu ∗ Nv ∗ |CTr | - -
Usres-to-CS 6 ∗ Nu ∗ |[X]| - -
CS-to-Suppliers/KA - - 3 ∗ Nu ∗ |[X]| Nu ∗ |X|
Suppliers-to-Users - - - Nu ∗ |X|
Suppliers-to-KA 2 ∗ Nu ∗ |CN | - - -
KA-to-SMs - - Nu ∗ 1440 ∗ |K|
KA-to-Users - - Nu ∗ 2880 ∗ |K|

eter assumptions. In the case of a malicious majority CS, the overall computa-
tional time for bill computation in approaches (1) and (2) is comparable, and
the key difference lies in the part of the market where the cost is concentrated,
i.e., CS or suppliers. However, considering only the online phase of CS would
give preference to approach (2). Another crucial factor to consider is the num-
ber of suppliers in the market and the distribution of users among them. For
instance, assuming that over 20% of market users are associated with a single
supplier would result in a slower bill computation time for those users in Ap-
proach (1) compared to Approach (2). In the scenario of an honest-majority CS,
Approach (2) is preferable, providing a more private solution than Approach (3)
and significantly greater efficiency than Approach (1).
Compared to PPBSP, PBP-LEM excels only in the case of Approach (3)
and Approach (2) with an honest-majority CS, taking into account the offline
phase. Nevertheless, bill computation per tpk in all approaches can be completed
maximally in less than 5 minutes for 4000 users, demonstrating the feasibility of
PBP-LEM for real LEM deployment.
26 E. Alqahtani and M. Mustafa

Fig. 5: Total communication cost per trading period.

7.2 Communication Complexity

In evaluating communication complexity, we focus specifically on the costs as-

sociated with implementing privacy techniques and measures within PBP-LEM.
Table 3 provides a summary of the communication complexity in PBP-LEM for
different approaches, where, |X| represents the size of a single value, |[X]| the
size of a share, | < X > | the size of a Pedersen commitment, |C| the size of a
ciphertext using EPIB, |R| the size of a random value used in Pedersen commit-
ments, |CTl | the size of a ciphertext using IP E.Lef tEncrypt, |CTr | the size of
a ciphertext using IP E.RightEncrypt, |CN | a boolean value, and |K| the size
of a random key generated for EPIB.
|CTl | and |CTr | have been evaluated to be 550 and 1650 bytes, respectively,
considering that the number of elements in each vector is Nv +1, i.e., 12. Measur-
ing the communication cost between CS using MP-SPDZ and setting |[X]| = 64,
| < X > | = |R| = 256, |K| = 128, |X| = |C| = 32, |CN | = 1 bits, we present the
communication cost of PBP-LEM (using the three approaches) and PPBSP [27].
PBP-LEM outperforms PPBSP only in the case of the relaxed privacy ap-
proach, i.e., Approach 3. Comparing PBP-LEM’s approaches, as expected, Ap-
proach 3 exhibits the significantly lowest communication cost due to the dis-
 Privacy-Preserving Billing for Local Energy Markets 27

closure of individual deviations. This indicates that the major communication

overhead arises from the protection of individual deviations that requires pri-
vate comparison to determine whether each user has to pay for their deviations.
With regards to the choice between Approach 2 and Approach 3, the decision
depends on the chosen security model of the CS. For an honest-majority CS, the
communication cost of Approach 2 is almost half that of Approach 1. However,
in the case of a dishonest-majority CS, Approach 2 incurs a significantly higher
cost concentrated between CS parties.

8 Conclusion
We introduced a privacy-preserving billing protocol for LEMs (PBP-LEM) based
on a novel scheme and other cryptographic techniques. PBP-LEM considers im-
perfect bid fulfillment and distributes bill computation among different parties
(i.e., CS and suppliers) while protecting users’ private data (e.g., bid volumes,
smart meter readings, deviations, and locations) with mitigation of internal col-
lusion impact. Furthermore, we presented three approaches that offer varying
degrees of privacy and performance. We also proved that PBP-LEM fulfill its
security and privacy requirements. Finally, we analysed the associated compu-
tation and communication costs of all our approaches under different security
settings. The results demonstrate the variations in performance between the ap-
proaches and indicate the feasibility of PBP-LEM for a setting based on real
LEMs.
 References

[1] Abidin, A., Aly, A., Cleemput, S., Mustafa, M.A.: An mpc-based privacy-
preserving protocol for a local electricity trading market. In: Cryptology
and Network Security. pp. 615–625. Springer (2016)
[2] Aitzhan, N.Z., Svetinovic, D.: Security and privacy in decentralized energy
trading through multi-signatures, blockchain and anonymous messaging
streams. IEEE Transactions on Dependable and Secure Computing 15(5),
840–852 (2018). https://doi.org/10.1109/TDSC.2016.2616861
[3] Alqahtani, E., Mustafa, M.A.: Zone-based privacy-preserving billing for lo-
cal energy market based on multiparty computation (2023)
[4] Alqahtani, E., Mustafa A., M.: Privacy-preserving local energy markets: A
systematic literature review. Social Science Research Network (SSRN) (June
2023). https://doi.org/http://dx.doi.org/10.2139/ssrn.4483407
[5] Araki, T., Furukawa, J., Lindell, Y., Nof, A., Ohara, K.: High-throughput
semi-honest secure three-party computation with an honest majority. In:
ACM SIGSAC Conference on Computer and Communications Security. p.
805–817. ACM (2016)
[6] Asharov, G., Lindell, Y.: A full proof of the bgw protocol for perfectly secure
multiparty computation. J. Cryptol. 30(1), 58–151 (jan 2017)
[7] Baza, M., Sherif, A., Mahmoud, M.M.E.A., Bakiras, S., Alasmary, W.,
Abdallah, M., Lin, X.: Privacy-preserving blockchain-based energy trading
schemes for electric vehicles. IEEE Transactions on Vehicular Technology
70(9), 9369–9384 (2021). https://doi.org/10.1109/TVT.2021.3098188
[8] Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-
cryptographic fault-tolerant distributed computation. p. 1–10. ACM (1988)
[9] Bishop, A., Jain, A., Kowalczyk, L.: Function-hiding inner product en-
cryption. In: Iwata, T., Cheon, J.H. (eds.) Advances in Cryptology – ASI-
ACRYPT 2015. pp. 470–491. Springer Berlin Heidelberg, Berlin, Heidelberg
(2015)
[10] Boneh, D., Sahai, A., Waters, B.: Functional encryption: Definitions and
challenges. In: Ishai, Y. (ed.) Theory of Cryptography. pp. 253–273. Springer
Berlin Heidelberg, Berlin, Heidelberg (2011)
[11] Canetti, R.: Universally composable security: a new paradigm for crypto-
graphic protocols. In: Proceedings 42nd IEEE Symposium on Foundations
of Computer Science. pp. 136–145 (2001)
[12] Canetti, R.: Security and composition of multiparty cryptographic proto-
cols. J. Cryptol. 13(1), 143–202 (jan 2000)
[13] Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian,
J. (ed.) Advances in Cryptology — CRYPTO 2001. pp. 19–40. Springer
Berlin Heidelberg, Berlin, Heidelberg (2001)
[14] Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally compos-
able two-party and multi-party secure computation. In: Proceedings of
 Privacy-Preserving Billing for Local Energy Markets 29

the Thiry-Fourth Annual ACM Symposium on Theory of Computing. p.

494–503. STOC ’02, Association for Computing Machinery, NY, USA (2002)
[15] Capper, T., Gorbatcheva, A., Mustafa, M.A., Bahloul, M., Schwidtal, J.M.,
Chitchyan, R., Andoni, M., Robu, V., Montakhabi, M., Scott, I.J., Fran-
cis, C., Mbavarira, T., Espana, J.M., Kiesling, L.: Peer-to-peer, community
self-consumption, and transactive energy: A systematic literature review
of local energy market models. Renewable and Sustainable Energy Re-
views 162, 112403 (2022). https://doi.org/https://doi.org/10.1016/
j.rser.2022.112403
[16] Chida, K., Genkin, D., Hamada, K., Ikarashi, D., Kikuchi, R., Lindell, Y.,
Nof, A.: Fast large-scale honest-majority mpc for malicious adversaries. In:
Advances in Cryptology – CRYPTO 2018. pp. 34–64. Springer (2018)
[17] Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation
from somewhat homomorphic encryption. In: Advances in Cryptology –
CRYPTO 2012. pp. 643–662. Springer (2012)
[18] Dimitriou, T., Karame, G.: Privacy-friendly tasking and trading of energy
in smart grids. In: Proceedings of the 28th Annual ACM Symposium on Ap-
plied Computing. p. 652–659. SAC ’13, Association for Computing Machin-
ery, New York, NY, USA (2013). https://doi.org/10.1145/2480362.
2480488, https://doi.org/10.1145/2480362.2480488
[19] Dorri, A., Hill, A., Kanhere, S., Jurdak, R., Luo, F., Dong, Z.Y.: Peer-to-
peer energytrade: A distributed private energy trading platform. In: 2019
IEEE International Conference on Blockchain and Cryptocurrency (ICBC).
pp. 61–64. https://doi.org/10.1109/BLOC.2019.8751268
[20] Dorri, A., Luo, F., Kanhere, S.S., Jurdak, R., Dong, Z.Y.: Spb: A secure pri-
vate blockchain-based solution for distributed energy trading. IEEE Com-
munications Magazine 57(7), 120–126 (2019). https://doi.org/10.1109/
MCOM.2019.1800577
[21] Eisele, S., Eghtesad, T., Campanelli, K., Agrawal, P., Laszka, A., Dubey,
A.: Safe and private forward-trading platform for transactive microgrids.
ACM Trans. Cyber-Phys. Syst. 5(1), Article 8 (2021). https://doi.org/
10.1145/3403711, https://doi.org/10.1145/3403711
[22] Erdayandi, K., Cordeiro, L.C., Mustafa, M.A.: A privacy-preserving and
accountable billing protocol for peer-to-peer energy trading markets. In:
2023 International Conference on Smart Energy Systems and Technologies
(SEST). pp. 1–6 (2023). https://doi.org/10.1109/SEST57387.2023.
10257524
[23] Gai, K., Wu, Y., Zhu, L., Qiu, M., Shen, M.: Privacy-preserving energy
trading using consortium blockchain in smart grid. IEEE Trans. on In-
dustrial Informatics 15(6), 3548–3558 (2019). https://doi.org/10.1109/
TII.2019.2893433
[24] Gaybullaev, T., Kwon, H.Y., Kim, T., Lee, M.K.: Efficient and privacy-
preserving energy trading on blockchain using dual binary encoding for
inner product encryption. Sensors 21(6) (2021)
[25] Hassan, M.U., Rehmani, M.H., Chen, J.: Deal: Differentially private auction
for blockchain-based microgrids energy trading. IEEE Transactions on Ser-
30 E. Alqahtani and M. Mustafa

vices Computing 13(2), 263–275 (2020). https://doi.org/10.1109/TSC.

2019.2947471
[26] Hastings, M., Hemenway, B., Noble, D., Zdancewic, S.: Sok: General purpose
compilers for secure multi-party computation. In: 2019 IEEE Symposium
on Security and Privacy (SP). pp. 1220–1237 (2019). https://doi.org/
10.1109/SP.2019.00028
[27] Hutu, A., Mustafa, M.A.: Privacy preserving billing in local energy markets
with imperfect bid-offer fulfillment. In: IEEE International Conference on
Smart Grid Communications (SmartGridComm) (2023)
[28] Jawurek, M., Kerschbaum, F., Danezis, G.: Privacy technologies for
smart grids - a survey of options. Tech. Rep. MSR-TR-2012-119 (Novem-
ber 2012), https://www.microsoft.com/en-us/research/publication/
privacy-technologies-for-smart-grids-a-survey-of-options/
[29] Keller, M.: Mp-spdz: A versatile framework for multi-party computation.
In: ACM SIGSAC Conf. on Computer and Communications Security. p.
1575–1590. ACM (2020)
[30] Keller, M., Orsini, E., Scholl, P.: Mascot: Faster malicious arithmetic se-
cure computation with oblivious transfer. In: ACM SIGSAC Conference on
Computer and Communications Security. p. 830–842. ACM (2016)
[31] Kim, S., Lewi, K., Mandal, A., Montgomery, H., Roy, A., Wu, D.J.:
Function-hiding inner product encryption is practical. In: Catalano, D.,
De Prisco, R. (eds.) Security and Cryptography for Networks. pp. 544–562.
Springer International Publishing, Cham (2018)
[32] Laszka, A., Dubey, A., Walker, M., Schmidt, D.: Providing privacy, safety,
and security in iot-based transactive energy systems using distributed
ledgers. In: Proceedings of the Seventh International Conference on the In-
ternet of Things. IoT ’17, Association for Computing Machinery, New York,
NY, USA (2017). https://doi.org/10.1145/3131542.3131562, https:
//doi.org/10.1145/3131542.3131562
[33] Lewi, K.: An implementation of function-hiding inner product encryp-
tion (fhipe). https://github.com/kevinlewi/fhipe (2016), last accessed:
April 25, 2024
[34] Li, S., Zhang, X., Xue, K., Zhou, L., Yue, H.: Privacy-preserving prepayment
based power request and trading in smart grid. China Communications
15(4), 14–27 (2018). https://doi.org/10.1109/CC.2018.8357698
[35] Lindell, Y.: Secure multiparty computation. Commun. ACM 64(1), 86–96
(2020)
[36] Madhusudan, A., Zobiri, F., Mustafa, M.A.: Billing models for peer-to-peer
electricity trading markets with imperfect bid-offer fulfillment. In: IEEE
International Smart Cities Conference (ISC2). pp. 1–7 (2022). https://
doi.org/10.1109/ISC255366.2022.9922530
[37] Pedersen, T.P.: Non-interactive and information-theoretic secure verifi-
able secret sharing. In: Feigenbaum, J. (ed.) Advances in Cryptology —
CRYPTO ’91. pp. 129–140. Springer Berlin Heidelberg, Berlin, Heidelberg
(1992)
 Privacy-Preserving Billing for Local Energy Markets 31

[38] Quinn, E.L.: Privacy and the new energy infrastructure. Social Science
Research Network (SSRN) pp. 1–41 (February 2009). https://doi.org/
http://dx.doi.org/10.2139/ssrn.1370731
[39] Radi, E.M., Lasla, N., Bakiras, S., Mahmoud, M.: Privacy-preserving elec-
tric vehicle charging for peer-to-peer energy trading ecosystems. In: ICC
2019 - 2019 IEEE International Conference on Communications (ICC).
pp. 1–6. https://doi.org/10.1109/ICC.2019.8761788
[40] Son, Y.B., Im, J.H., Kwon, H.Y., Jeon, S.Y., Lee, M.K.: Privacy-preserving
peer-to-peer energy trading in blockchain-enabled smart grids using func-
tional encryption. Energies 13(6), 1321 (2020), https://www.mdpi.com/
1996-1073/13/6/1321
[41] Wang, Y., Su, Z., Zhang, K.: A secure private charging pile sharing scheme
with electric vehicles in energy blockchain. In: 2019 18th IEEE International
Conference On Trust, Security And Privacy In Computing And Commu-
nications/13th IEEE International Conference On Big Data Science And
Engineering (TrustCom/BigDataSE). pp. 648–654. https://doi.org/10.
1109/TrustCom/BigDataSE.2019.00092
[42] Yao, A.C.: Protocols for secure computations. In: Annual Symposium on
Foundations of Computer Science (sfcs 1982). pp. 160–164 (1982). https:
//doi.org/10.1109/SFCS.1982.38
[43] Zhang, X., Zhou, L., Li, S., Xue, K., Yue, H.: Privacy-preserving power
request and trading by prepayment in smart grid. In: 2017 IEEE/CIC
International Conference on Communications in China (ICCC). pp. 1–6.
https://doi.org/10.1109/ICCChina.2017.8330340
[44] Zhang, X., Jiang, S., Liu, Y., Jiang, T., Zhou, Y.: Privacy-preserving scheme
with account-mapping and noise-adding for energy trading based on consor-
tium blockchain. IEEE Trans. on Network and Service Management pp. 1–1
(2021). https://doi.org/10.1109/TNSM.2021.3110980