## Abstract

Smart grids leverage data from smart meters to improve operations management and to achieve cost reductions. The fine-grained meter data also enable pricing schemes that simultaneously benefit electricity retailers and users. Our goal is to design a practical dynamic pricing protocol for smart grids in which the rate charged by a retailer depends on the total demand among its users. Realizing this goal is challenging because neither the retailer nor the users are trusted. The first challenge is to design a pricing scheme that incentivizes consumption behavior that leads to lower costs for both the users and the retailer. The second challenge is to prevent the retailer from tampering with the data, for example, by claiming that the total consumption is much higher than its real value. The third challenge is data privacy, that is, how to hide the meter data from adversarial users. To address these challenges, we propose a scheme in which peak rates are charged if either the total or the individual consumptions exceed some thresholds. We formally define a privacy-preserving transparent pricing scheme (PPTP) that allows honest users to detect tampering at the retailer while ensuring data privacy. We present two instantiations of PPTP, and prove their security. Both protocols use secure commitments and zero-knowledge proofs. We implement and evaluate the protocols on server and edge hardware, demonstrating that PPTP has practical performance at scale.

## Notes

1. Although the grid operators will typically perform their own high-level measurements for system monitoring, e.g., using phasor measurement units, they will not be able to distinguish between the customers of different retailers in a small area.

2. Some range proof techniques, e.g., Bulletproofs [4], allow for the aggregation of multiple proofs over the same range, leading to reduced bandwidth costs.

## References

1. Ács, G., Castelluccia, C.: I have a DREAM! (DiffeRentially privatE smArt Metering). In: Filler, T., Pevný, T., Craver, S., Ker, A. (eds.) IH 2011. LNCS, vol. 6958, pp. 118–132. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24178-9_9
2. Allcott, H.: Real time pricing and electricity markets. Working paper, Harvard University (2009)
3. Brown, D.: Standards for efficient cryptography 2 (SEC 2). Technical report, Certicom (2010)
4. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 315–334. IEEE (2018)
5. Chase, M., Meiklejohn, S.: Transparency overlays and applications. In: CCS, pp. 168–179. ACM (2016)
6. Erkin, Z., Tsudik, G.: Private computation of spatial and temporal power consumption with smart meters. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 561–577. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31284-7_33
7. Laurie, B.: Certificate transparency. Commun. ACM 57(10), 40–46 (2014)
8. Luh, P., Ho, Y., Muralidharan, R.: Load adaptive pricing: an emerging tool for electric utilities. IEEE Trans. Autom. Control 27(2), 320–329 (1982)
9. Mohsenian-Rad, H., Leon-Garcia, A.: Optimal residential load control with price prediction in real-time electricity pricing environments. IEEE Trans. Smart Grid 1(2), 120–133 (2010)
10. Morais, E., Koens, T., Van Wijk, C., Koren, A.: A survey on zero knowledge range proofs and applications. SN Appl. Sci. 1(8), 946 (2019)
11. Pedrasa, M.A.A., Spooner, T.D., MacGill, I.F.: Coordinated scheduling of residential distributed energy resources to optimize smart home energy services. IEEE Trans. Smart Grid 1(2), 134–143 (2010)
12. Samadi, P., Mohsenian-Rad, H., Schober, R., Wong, V.W.: Advanced demand side management for the future smart grid using mechanism design. IEEE Trans. Smart Grid 3(3), 1170–1180 (2012)
13. Shi, E., Chan, T.H., Rieffel, E., Chow, R., Song, D.: Privacy-preserving aggregation of time-series data. In: NDSS (2011)
14. Vardakas, J.S., Zorba, N., Verikoukis, C.V.: A survey on demand response programs in smart grids: pricing methods and optimization algorithms. IEEE Commun. Surv. Tutor. 17(1), 152–178 (2014)
15. Wood, A.J., Wollenberg, B.F., Sheblé, G.B.: Power Generation, Operation, and Control. Wiley, New York (2013)
16. Zhang, Y., Katz, J., Papamanthou, C.: IntegriDB: verifiable SQL for outsourced databases. In: ACM CCS (2015)

## Acknowledgment

This research/project is supported by the National Research Foundation (NRF), Prime Minister’s Office, Singapore, under its National Cybersecurity R&D Programme and administered by the National Satellite of Excellence in Design Science and Technology for Secure Critical Infrastructure, Award No. NSoE DeST-SCI2019-0009. This research is also supported by A*STAR under its RIE2020 Advanced Manufacturing and Engineering (AME) Industry Alignment Fund - Pre Positioning (IAF-PP) Award A19D6a0053. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not reflect the views of A*STAR. Finally, we thank the anonymous reviewers whose comments helped improve the paper.


## Appendices

### Appendix A: A Protocol Without Auditors

We describe a protocol that relies on users randomly checking each other's proofs. The only difference from the protocol presented in Sect. 5 is the \(\mathsf {EvidenceVrf}\) algorithm. In particular, the \(\mathsf {EvidenceVrf}(\text {P}_\text {tp},r_{i\,t},x_{i\,t},\text {E}_t,t)\) algorithm consists of two phases. In the first phase, it executes the subroutines of \(\mathsf {EvidenceVrf}\) from Sect. 5 for the case in which the user is not an auditor. In the second phase, the user randomly picks *z* other users, and for every user *j* it picks it requests the inclusion proof \(G_j\) and runs \(\mathsf {VerifyRangeProofs}(\text {P}_{\text {zk}}, c_{j\,t}, \pi _{j\,t})\) and \(\mathsf {VerifyInclusionProof}(G_j)\). If the range proof verification fails for some *j*, the user publishes the invalid inclusion proof of *j* to the bulletin board. If the verification succeeds for all *z* users, the user waits for a certain time *T* and then checks whether the bulletin board contains any incorrect range proof. The algorithm returns true if there is no such proof, and false otherwise.

### Theorem 5

Let *h* be the number of honest users who each check *z* proofs of other users, and let *f* be the number of malicious users whose committed value exceeds \(\delta _t\), such that \(h+f \le n\). Let *T* be a bound on the amount of time before any evidence of misbehavior appears on the bulletin board. If the commitment scheme \(\mathsf {COM}\) is additively homomorphic and satisfies the binding property, and if the non-interactive zero-knowledge proof system \(\mathsf {NIZK}\) is simulation-extractable, then the above protocol achieves transparency for sufficiently large *h* or *z*.

**Proof of Theorem** 5**.** In the following, we assume that in each period *t*, each user *i* draws the same number of other users *z* from \([n] \backslash \{i\}\) without replacement (as there is no need to check the same proof twice). The number \(U_i\) of incorrect leaves that are drawn by *i* is then a random variable with the *hypergeometric distribution*, i.e.,

By substituting \(u=0\), the probability that user *i* draws 0 incorrect leaves is \(\frac{(n-f-1)!}{(n-f-z-1)!} \big/ \frac{(n-1)!}{(n-z-1)!} = \prod _{k=0}^{z-1} \frac{n-f-k-1}{n-k-1}\), which is bounded by \(\left( \frac{n-f-1}{n-1}\right) ^z\) because each factor \(\frac{n-f-k-1}{n-k-1}\) is non-increasing in *k*, so the largest factor occurs at \(k=0\). If *h* honest users perform this experiment independently, the probability that none of them detects an error is therefore at most \(\left( \frac{n-f-1}{n-1}\right) ^{hz}\). This is an upper bound on the probability of failure, i.e., of not detecting misbehavior, and the bound vanishes as \(h\rightarrow \infty \) or \(z \rightarrow \infty \).
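As an added example that is not part of the paper, the following Python evaluates the guarantee of Theorem 5 numerically: the exact hypergeometric probability that no honest user draws an incorrect leaf, the bound \(\left( \frac{n-f-1}{n-1}\right) ^{hz}\) from the proof, the smallest *z* an honest user must check to push that bound below a target failure probability, and a Monte Carlo run of the random-checking phase itself. All parameter values (*n*, *f*, *h*, *z*, the target) are constructed for illustration.

```python
"""Added example (not the paper's code): numerical evaluation of the detection
guarantee in Appendix A / Theorem 5.  Each honest user checks z other users'
proofs, drawn without replacement from the n-1 users other than itself; f of
the n leaves are incorrect.  All parameter values below are constructed."""
import math
import random


def p_miss_exact(n, f, h, z):
    """Exact probability that none of the h honest users samples an incorrect leaf.

    One user draws 0 incorrect leaves with probability C(n-f-1, z) / C(n-1, z)
    (the hypergeometric probability at u = 0); the h users draw independently.
    """
    if not (0 <= f <= n - 1 and 0 <= z <= n - 1 and h >= 0 and h + f <= n):
        raise ValueError("need 0 <= f, z <= n-1, h >= 0 and h + f <= n")
    per_user = math.comb(n - f - 1, z) / math.comb(n - 1, z)
    return per_user ** h


def p_miss_bound(n, f, h, z):
    """The upper bound ((n-f-1)/(n-1))^(hz) from the proof of Theorem 5."""
    return ((n - f - 1) / (n - 1)) ** (h * z)


def min_checks_per_user(n, f, h, target):
    """Smallest z for which the bound is at most `target`; None if no z <= n-1
    suffices (e.g. f = 0: with nothing to detect the bound stays at 1)."""
    for z in range(n):
        if p_miss_bound(n, f, h, z) <= target:
            return z
    return None


def simulate_miss_rate(n, f, h, z, trials=2000, seed=1):
    """Monte Carlo run of the second phase of EvidenceVrf: fraction of periods in
    which no honest user publishes an invalid proof.  Leaves 0..f-1 are the
    incorrect ones and users f..f+h-1 are honest (which honest indices are
    used does not matter for the distribution)."""
    if h + f > n:
        raise ValueError("h + f must not exceed n")
    rng = random.Random(seed)                    # fixed seed: reproducible demo
    misses = 0
    for _ in range(trials):
        detected = False
        for i in range(f, f + h):
            others = [j for j in range(n) if j != i]
            if any(j < f for j in rng.sample(others, z)):   # an incorrect leaf was drawn
                detected = True
                break
        misses += not detected
    return misses / trials


if __name__ == "__main__":
    n, f, h = 10_000, 5, 1_000          # constructed: 10k users, 5 cheaters, 1k honest checkers
    for z in (1, 2, 5, 10):
        print(f"z={z:2d}  exact={p_miss_exact(n, f, h, z):.3e}  bound={p_miss_bound(n, f, h, z):.3e}")
    print("checks per user needed for 1% failure:", min_checks_per_user(n, f, h, 0.01))
    print("simulated miss rate (n=200, f=2, h=20, z=3):", simulate_miss_rate(200, 2, 20, 3))
```

The exact value is always at most the bound, and the gap widens with *z* because every factor after the first in the product is strictly smaller than \(\frac{n-f-1}{n-1}\). The practical reading of `min_checks_per_user` is that the cost of the auditor-free protocol is paid in per-user verification work: with a single cheater among a thousand users and a hundred honest checkers, each checker needs to verify about thirty range proofs per period to bring the miss probability below 5%.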

### Appendix B: Security Proofs

In the following, we present the proofs of the corresponding theorems.

**Proof of Theorem** 1**.** We give a proof sketch here due to space constraints. Recall that in the transparency game the adversary has to generate at least one dishonest measurement such that \(\bar{x}_{i\,t^*}> d_t\). First, we claim that the commitment \(C^*_{i\,t^*} =\mathsf {COM.Commit}(\text {P}_\text {c}, \bar{x}_{i\,t^*}, r_{i\,t^*})\) of \(\bar{x}_{i\,t^*}\) collides with the commitment \(C_{i\,t^*} =\mathsf {COM.Commit}(\text {P}_\text {c}, x_{i\,t^*}, r_{i\,t^*})\) of the honest (challenge) measurement \(x_{i\,t^*}\), i.e., \( C^*_{i\,t^*}= C_{i\,t^*}\), with only negligible probability: if such a collision occurred with non-negligible probability, we could build an efficient algorithm \(\mathcal {B}\) that runs the transparency adversary \(\mathcal {A}\) as a subroutine and breaks the binding property of \(\mathsf {COM}\). Hence there is no ambiguity about the committed measurements once each user has confirmed the corresponding commitment. Next, we show that no adversary \(\mathcal {A}\) can produce a proof \(\pi ^*_{i\,t^*}\) for a false statement \(\bar{x}_{i\,t^*}> d_t\), which could lead to a false bill \(B^*_{j^*}> B_j\), where \(B_j\) is the bill determined by the challenge measurements. Note that the condition \(\bar{x}_{i\,t^*}> d_t\) means that the statement lies outside the honest relation \(\mathcal {RL}\) for \(x_{i\,t^*}\). Therefore, if \(\mathcal {A}\) can generate an accepting zero-knowledge proof \(\pi ^*_{i\,t^*}\) for \(\bar{x}_{i\,t^*}\), we can use \(\mathcal {A}\) to break the simulation-extractability of \(\mathsf {NIZK}\).

**Proof of Theorem** 2**.** We first reduce the security to that of the pseudo-random function \(\mathsf {PRF}\) by replacing the slot secret \( r_{j^*\,t^*}\) (which is used to compute the challenge evidence \(\text {E}_{t^*}\)) with a uniformly random value. If there is an adversary \(\mathcal {A}\) that can distinguish this modification, then we can use \(\mathcal {A}\) to build an efficient algorithm \(\mathcal {B}\) that breaks the security of \(\mathsf {PRF}\). Since the slot secret \( r_{j^*\,t^*}\) is now uniformly random, we can reduce the security to the hiding property of the commitment scheme: if there exists an adversary \(\mathcal {A}\) that can distinguish the bit *b* in the privacy game, we can build an efficient algorithm \(\mathcal {B}\) that runs \(\mathcal {A}\) and breaks the hiding property of the commitment scheme, because \(\mathcal {B}\) can return the bit \(b'\) obtained from \(\mathcal {A}\) to the commitment challenger to win that game. Next, we use the simulator of \(\mathsf {NIZK}\) to generate the zero-knowledge proof for the challenge measurements \(( x^0_{j^*\,t^*}, x^1_{j^*\,t^*})\) without using the corresponding witness. Similarly, any adversary that distinguishes this change can be used to break the zero-knowledge property of \(\mathsf {NIZK}\). Since the \(\mathsf {NIZK}\) no longer leaks any information about the committed measurement, we can always use \(x^1_{j^*\,t^*}\) to generate the challenge evidence, regardless of the bit *b*. Note that from the compromised slot secrets at time \(t^*\), the adversary can learn at most \(n-1\) measurements. But our scheme does not reveal the sum of the measurements, so the adversary cannot directly obtain the measurement used for computing \(c_{j^*\,t^*}\) and \(\pi _{j^*\,t^*}\). In other words, we have changed the challenge evidence into one that is independent of the bit *b*, so the advantage of the adversary is zero after all the above changes.
In a nutshell, due to the security of the building blocks, the adversary can have only negligible advantage in breaking our baseline scheme.

**Proof of Theorem** 3**.** The commitments of the leaf nodes are generated exactly as in the baseline scheme. By our assumption there are at most *f* dishonest auditors, so among the \(f+1\) signed verification results (on the entire Merkle tree) published on the bulletin board within the required time *T*, at least one comes from an honest auditor and is faithful. If the Merkle tree is correctly built, then the leaf commitments are bound to the users' measurements, except with negligible probability, by the binding property of the commitment scheme. Moreover, the additively homomorphic property does not affect the binding of the aggregated non-leaf nodes of the Merkle tree, so each non-leaf commitment correctly commits to the sum of the values committed by its children. By the same argument as in the proof of Theorem 1, the simulation-extractability of \(\mathsf {NIZK}\) implies that the zero-knowledge proofs for the non-leaf nodes cannot deviate from the range of the corresponding committed value, except with negligible probability. Hence, the Merkle tree scheme achieves transparency.
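The structure this proof relies on, a Merkle tree whose non-leaf nodes are the homomorphic sums of their children, is shown below as an added example; it is not the paper's code. The page fixes only that \(\mathsf {COM}\) is additively homomorphic and binding, so the choice of Pedersen commitments on secp256k1, SHA-256 for the node digests, the seed used to derive the second generator, and the meter readings are all assumptions of this example. Range proofs on the non-leaf nodes are not modelled. The example shows the two checks the proof appeals to: an auditor recomputing that the root commits to the total of the leaves, and an honest user verifying that her own commitment sits under the published root, which fails when the retailer substitutes her leaf with a commitment to a higher reading.

```python
"""Added example (not the paper's code): a Merkle tree over additively
homomorphic commitments, as in the proof of Theorem 3.  Assumptions: Pedersen
commitments on secp256k1, SHA-256 node digests, constructed meter readings."""
import hashlib
import random

# secp256k1 domain parameters (SEC 2)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if x1 == x2:                                          # doubling (a = 0)
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication (not constant time: demo only)."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def encode(A):
    return b"\x00" if A is None else bytes([2 + (A[1] & 1)]) + A[0].to_bytes(32, "big")

def hash_to_point(seed):
    """Try-and-increment: first x = SHA256(seed||ctr) with x^3 + 7 a square (P = 3 mod 4)."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(seed + bytes([ctr])).digest(), "big")
        rhs = (x ** 3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if x < P and y * y % P == rhs:
            return (x, y)
    raise RuntimeError("no curve point found")

H = hash_to_point(b"PPTP-example-second-generator" + encode(G))   # dlog w.r.t. G unknown; seed is an assumption

def commit(x, r):
    """Pedersen commitment x*G + r*H: COM(x1,r1) + COM(x2,r2) = COM(x1+x2, r1+r2)."""
    return ec_add(ec_mul(x, G), ec_mul(r, H))

def leaf_node(C):
    return (C, hashlib.sha256(b"leaf" + encode(C)).digest())

def parent_node(left, right):
    """Non-leaf node: commitment is the sum of the children; the digest binds both children."""
    C = ec_add(left[0], right[0])
    return (C, hashlib.sha256(b"node" + encode(C) + left[1] + right[1]).digest())

def build_tree(commitments):
    """levels[0] are the leaves, levels[-1] = [root]; an unpaired node is carried up unchanged."""
    levels = [[leaf_node(C) for C in commitments]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([parent_node(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, index):
    """Per level: (sibling_is_left, sibling_node), or None where the node was carried up."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        path.append((sib < index, level[sib]) if sib < len(level) else None)
        index //= 2
    return path

def verify_inclusion(C, path, root):
    """User-side check that her own commitment C sits under the published root."""
    node = leaf_node(C)
    for step in path:
        if step is not None:
            sib_is_left, sib = step
            node = parent_node(sib, node) if sib_is_left else parent_node(node, sib)
    return node == root

def root_opens_to(root, total_x, total_r):
    """Auditor/user check that the root commits to the claimed total consumption."""
    return root[0] == commit(total_x, total_r)

def demo(readings, tamper_index=None, tamper_value=None, seed=7):
    """One period: users commit, the retailer builds the tree (optionally substituting a leaf)."""
    rng = random.Random(seed)          # deterministic for the demo; use secrets in practice
    rs = [rng.randrange(1, N) for _ in readings]                 # users' commitment randomness
    honest = [commit(x, r) for x, r in zip(readings, rs)]
    published = list(honest)
    if tamper_index is not None:       # retailer claims a higher reading for one user
        published[tamper_index] = commit(tamper_value, rng.randrange(1, N))
    levels = build_tree(published)
    root = levels[-1][0]
    return (root_opens_to(root, sum(readings), sum(rs)),
            [verify_inclusion(honest[i], inclusion_proof(levels, i), root) for i in range(len(readings))])
```

`demo([3, 7, 2, 9, 4])` returns `(True, [True, True, True, True, True])`; `demo([3, 7, 2, 9, 4], tamper_index=1, tamper_value=70)` returns `(False, [True, False, True, True, True])`: the root no longer opens to the honest total of 25, and only the user whose leaf was replaced sees her inclusion check fail, which is why she (and not the retailer) must publish the evidence. The node digests are essential: if an inclusion path were checked by commitment addition alone, a retailer could hand any user the "sibling" root minus her leaf and the check would pass for a tree that never contained her commitment.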

**Proof of Theorem** 4**.** Since the adversary can reveal the slot secrets of at most \(n-1\) users at the challenge time \(t^*\), she can learn the \(n-1\) measurements of the compromised users. In this case, only the challenge measurement \(x^b_{j^*\,t^*}\) and the sum in its parent node of the Merkle tree are unknown to the adversary. Note that the sub-tree consisting of the challenge user \(j^*\) and its sibling is identical to the baseline scheme with just two users. So if there exists an adversary \(\mathcal {A}\) that breaks the privacy of the Merkle tree scheme, we can use it to build an efficient algorithm \(\mathcal {B}\) that breaks the privacy of the baseline scheme with \(n'=2\) users. It is not hard to see that \(\mathcal {B}\) can forward the challenge measurements from \(\mathcal {A}\) to its own privacy challenger, receive the challenge evidence, and use it to simulate the challenge response to \(\mathcal {A}\). All other queries from \(\mathcal {A}\) can be simulated using the secrets chosen by \(\mathcal {B}\). In a nutshell, the privacy of the Merkle tree scheme is implied by that of the baseline scheme.

## Copyright information

© 2021 Springer Nature Switzerland AG

## About this paper

### Cite this paper

Reijsbergen, D., Yang, Z., Maw, A., Dinh, T.T.A., Zhou, J. (2021). Transparent Electricity Pricing with Privacy. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_22

DOI: https://doi.org/10.1007/978-3-030-88428-4_22

Publisher Name: Springer, Cham

Print ISBN: 978-3-030-88427-7

Online ISBN: 978-3-030-88428-4
