Distributed Multi-Unit Privacy Assured Bidding (PAB) for Smart Grid Demand Response Programs

Save this PDF as:

Size: px
Start display at page:

Download "Distributed Multi-Unit Privacy Assured Bidding (PAB) for Smart Grid Demand Response Programs"


1 1 Distributed Multi-Uit Privacy Assured Biddig (PAB) for Smart Grid Demad Respose Programs Muhammed Fatih Balli, Suleyma Uludag, Member, IEEE, Ali Aydi Selcuk, ad Bulet Tavli Member, IEEE, Abstract The striget requiremet of the demad-supply equilibrium for deliverig electricity has traditioally bee dealt with a supply-side perspective, assumig that the demad is ot alterable. With the promises of the Smart Grid, demadside maagemet techiques are icreasigly becomig more feasible. A demad-side maagemet techique, called Demad Respose, aims at iducig chages i electricity load i respose to fiacial icetives, some of which ivolve biddig as the uderlyig facilitator. It is well-established that the effectiveess of the DR is proportioal to the umber of participats. Yet, may of the DR programs, icludig those ivolvig biddig, may suffer due to cosumer privacy cocers. Withi this cotext, i this paper, we propose a distributed ad multi-uit privacy guarateeig biddig mechaism as part of a DR program without relyig o ay third party, trusted or ot, to protect the participats biddig iformatio, except obviously for the wiig price ad the wier exposed to the utility. To the best of our kowledge, this is the first such approach for the DR biddig programs. We provide a security aalysis of our approach uder the hoest-but-curious ad active adversary assumptios ad prove the privacy assurig property. Idex Terms Smart Grid Privacy, Demad Respose, Demad Respose Biddig Privacy, Biddig Privacy without Trusted Third Party. I. INTRODUCTION A major paradigm shift i the geeratio, trasmissio, ad distributio of electricity has bee gaiig more mometum tha ever uder the umbrella term of Smart Grid (SG) [1] [3]. Electricity service has a distictive characteristic that requires the maiteace of the supply ad demad equilibrium at all times. The loss of this equilibrium may result i regulatory itervetio, cost icreases, ad/or frequecy istabilities. With the ifeasibility of its storage, the geerated power must be cosumed rapidly to avoid ay complicatios i the ifrastructure. The covetioal mechaism to cope with this itrisically required equilibrium has bee through adjustig the supply side sice demad has bee assumed to be o-maipulatable. Demad-side techiques have bee gaiig more attetio with advaces i the computig ad commuicatios techologies [4], [5]. These approaches, geerally referred to as Demad Respose (DR) programs, are at M. F. Balli is with Computer ad Commuicatio Scieces, Ecole Polytechique Federale de Lausae, Switzerlad, S. Uludag is with the Departmet of Computer Sciece, Egieerig ad Physics, Uiversity of Michiga - Flit, MI, USA. A. A. Selcuk is with the Departmet of Computer Egieerig, TOBB Uiversity of Ecoomics ad Techology, Akara, Turkey, B. Tavli is with the Departmet of Electrical ad Electroics Egieerig, TOBB Uiversity of Ecoomics ad Techology, Akara, Turkey. the same time a key facilitator of the SG to iduce chage/shift i electricity cosumptio to restore the demad-supply equilibrium uder perilous coditios or durig imbalace periods. Wild fluctuatios of the real demad for power are either suppressed or disteded to achieve a smoother ad more desirable effective demad, which i tur has dramatic effects o the price of the electricity produced. The aggregate values of effective ad real demad may be idetical, if oly demad shiftig mechaisms are utilized, or differet, if demad suppressio mechaisms are employed. Thus, DR may reduce ew capital expeditures i geeratio, trasmissio, ad distributio [6]. See [7], [8] for more detailed discussio of fiacial ad performace beefits. DR programs iclude icetives, tariffs, ad programs (amog other mechaisms). May DR programs iclude some form or shape of biddig i their implemetatios. For example, some expose Real Time Pricig (RTP) [7], [9] to ed users ad some are based o customers biddig for eergy usage, such as demad biddig [8], [10] where customers bid for icetives to alter load. Upcomig emissios tradig [11], acillary services market program [8], distributio automatio load maagemet, electric vehicle chargig/dischargig, retail power electricity market [11], [12] are all expected to iclude some biddig mechaism. A very basic sie qua o of ay DR is the geeratio, trasmissio, storage, maiteace, ad aalysis of uprecedeted amout of data through smart meters i the Advaced Meterig Ifrastructure (AMI). A ievitable cosequece of such abudace of data is the ease of extractio of Persoally Idetifiable Iformatio (PII) for potetial abuse or misuse, such as behavioral ifereces, deductio of idividual habits or activities [11], [13] [17]. Biddig as part of DR programs i the SG is thus subject to privacy cocers. I this paper, we propose a ovel system to provide a distributed, privacy-guarateeig biddig protocol ivolvig oly a service provider ad biddig customers without the eed for the ivolvemet of ay other etities such as a trusted third party. At the ed of our proposed biddig process, oly the wiig bidder is disclosed to the service provider while either the bidders or the service provider ca lear the other customers private biddig prices to ifer ay private iformatio. To the best of our kowledge, ours is the first privacy-preservig protocol proposed i the SG eergy biddig process where o third party etity is ivolved to miimize the exposure of the private iformatio. The rest of the paper is orgaized as follows: Sectio II summarizes the related work. A syopsis of our proposed approach i terms of the liear expressios is provided i Sectio III

2 2 with a illustrative toy example. Sectio IV provides the full cryptographic details built o Elgamal ecryptio. A security aalysis with Zero-Kowledge Proofs (ZKPs) describe the privacy assurig features of our approach i Sectio V. Sectio VI cocludes the paper. II. RELATED WORK The awareess ad sesitivity of the public have bee icreasig o privacy issues due partly to such recet ews as the Europea Court of Justice s ivalidatio of Safe Harbor Law, Wikileaks, US NSA leaks by Edward Sowde, Facebook s recet disclosure of Emotio Experimet, ad EU s recet rulig o right to be forgotte. It is withi the same lie of iterest that privacy dimesio of the DR iitiatives eeds to be addressed. A succict defiitio of privacy may stated as the the right to be left aloe [18]. I more geeral terms, our work falls ito the domai of privacy-ehacig techologies (PET) as coied by Chaum i 1995 [19] ad defied i [20]: PET stads for a coheret system of Iformatio ad commuicatios techology (ICT) measures that protects privacy by elimiatig or reducig persoal data or by prevetig uecessary ad/or udesired processig of persoal data, all without losig the fuctioality of the iformatio system. The mai focus of SG related privacy studies has bee placed o the smart meter data collectio for moitorig ad billig [21] i terms of perturbig, aoymizig, miimizig, ad/or obfuscatig the trasmissio. Privacy of behavior, actio, lifestyle, presece/absece, ad umber of persos may be derived from the smart meter data. The iviolability of family life ad homes is i dager. A report by Dutch Cosumers Associatio cocluded that smart meters would violate article 8 of the the Europea Covetio of Huma Rights [17]. I the DR cotext, Customer Eergy Usage Data (CEUD) as well as ay other persoally idetifiable data from collectio, trasmissio, aggregatio, dissemiatio, ad aalysis should also be icluded as part of the privacy studies. Similar to potetial ifereces that ca be draw from CEUD, biddig iformatio may reveal cosumer s behavior, which may be persoally objectioable or outright ulawful i some coutries [17]. Yet, DR privacy, ad biddig i particular, caot make use of the existig privacy techiques [21] directly as accuracy is crucially essetial for acceptable operatio ad has ot received much attetio. OpeADR (Automated Demad Respose) [22], [23] is a ope stadard commuicatios specificatio to relay DR sigals back ad forth amog the participatig etities. OpeADR versio 1 specifies a Demad Respose Automatio Server (DRAS) as etity that maages otificatio, participatio as well as fial rewardig of customers wheever DR-icetive is requested by the utility provider. With that provisio, Paverd et al. suggest i [24], [25] a form of a trusted third party relayig etity, called Trusted Remote Etity (TRE), that is maily resposible for aoymizatio of customers i DRbiddig to prevet utility provider havig direct access to customer private biddig iformatio. TRE is also resposible for billig of customers ad cosumptio data i real time. I fact, privacy is established i the presece of mutual distrust betwee the utility ad customers by meas of a trusted platform module (TPM). Karwe et al. [26] similarly focus o iteractive DRdemads, statig that a semi-hoest DRAS may easily compromise the privacy of customers. They propose ehaced fuctioality for DRAS, the trusted third party, to hide cosumptio profiles of customers. DRAS is resposible for pseudoymizatio of real idetities to protect customer privacy from utility provider, whereas utility ad customers use attribute based ecryptio (ABE) to hider DRAS from lookig ito private data. Gog et al. [27] propose a solutio i which idetity of customers are liked with pseudoyms at the proxy ad icetive based DR is implemeted o these aoymous accouts. They icorporate idetity-committable sigatures, ZKPs ad partially blid sigatures to prevet malicious activity with these aoymous parties. However, they also rely o a trusted third party, called demad respose provider, who is capable of trackig the biddig history of ay participat for future potetial privacy violatios. I our scheme, biddig history of the participats caot be tracked ad o profilig may take place by ay third-party, except obviously for the wier that must be kow to the utility. Similarly, Rahma et al. [28] propose a privacy solutio for icetive based DR. While the authors claim to establish a biddig process without a trusted third party, the Biddig Maager (BM) i their setup acts as a idetity escrow agecy, implyig a level of trust ad hece a otio of trusted third party i the scheme. Further, ay coalitio betwee BM ad Relayig Maager (RM) leaves the customer privacy exposed. That is, BM ad RM are capable of keepig track of biddig history of the participats for future potetial privacy violatios. Fially, it is uclear whether their biddig sceario works for sigle-wier or multi-wier ad how wiers are chose i a verifiable maer. I the aforemetioed studies, the deploymet of a itermediary or a trusted third party 1, be it TRE, proxy, BM or DRAS, proliferates the etities ivolved ad potetial attack vectors, ad icreases the ueasiess of, at the very least, the privacy-coscious customers, if ot a larger populatio (i.e., the possibility of existece of a weak chai i privacy protectio system deters some customers from takig place i biddig processes). Please ote that there is othig required i our scheme to elimiate itermediaries. A hierarchical system would just be fie with these itermediaries to cotiue providig their useful fuctio. We are just hidig irrelevat iformatio from the utility or utility-like etities (such as 1 It is a geerally kow fact that compaies are after cosumer data to be able to market more products ad bombard them with more other advertisemets. The cosumers are profiled from these extracted data. The tracked iformatio icludes habits, patters, behavior, locatio, demographics, etc. Biddig history is a useful piece of iformatio to these profilig activities. This is what we are shieldig from the utility compay i the biddig process, of course except for the wier. Thus, it is perfectly fie with our scheme to have itermediaries (or aggregators) to act like a utility i a hierarchical biddig system. What we are providig is the privacy protectio to the customers agaist these itermediaries without elimiatig them.

3 3 itermediaries) from accessig, ad hece collectig, more iformatio tha ecessary i lie with the geerally accepted security best practices of the priciple of the least privileged. To the best of our kowledge, the oly other privacyguarateeig DR biddig scheme proposed i the literature that truly does ot rely o a third party i ay shape or form is reported i our earlier work [29], which has a high computatioal complexity i a sigle-wier based auctio system. I this paper, we preset our ovel privacy-assured biddig (PAB) solutio for the SG DR by augmetig our aforemetioed solutio with a multi-uit, multi-wier auctio algorithm for both the customers ad the utility compay. As part of the security aalysis, we provide Zero-Kowledge Proofs to show that our algorithms ca guaratee the privacy uder differet threat models. Such a approach without a trusted third party is likely to be a key argumet i the post-sowde era i allayig customers fears about privacy violatios ad/or i recruitig more customers ito DR programs, which is critical i logterm success ad sustaiability of such iitiatives. III. BASIC ALGORITHM FOR PRIVACY ASSURED BIDDING Our auctio ca be classified as a multi-uit, multi-wier, ad sigle-price auctio. That is, i our scheme, the utility starts the biddig process by aoucig the relevat parameters, amely the price vector ad the total umber of uits beig auctioed. Iterested customers eter ito the bidig by specifyig the uits demaded ad the biddig price. It is always possible for customers to stay out of the biddig process ad to take advatage of the stadard tariff. At the ed of the biddig, wiers ad losers 2 together with the wiig price is decided. Wiers get the exact quatity they origially sought at the price they specified or lower. I this sectio, we describe fudametal liear operatios of our approach without emphasizig the cryptographic dimesio i order to simplify the otatio ad the arrative. The motivatio is to build a liear system, that fits the auctio descriptio above, i which participats ca submit their bids, distribute the available umber of uits from highest to lowest bid offer, ad determie their idividual outcomes through a give liear fuctio. By restrictig our system to liear operatios, we will be able to make use of the homomorphic properties of Elgamal ecryptio, as described i Sectio IV. A. Mathematical Formulatio The otatio table for our approach is give i Table I. We use idices i or a to imply that a elemet is related to customer i or a, respectively, ad similarly j to imply that particular elemet correspods to the j-th price. 2 DR-biddig mechaism evisios shiftig the peak cosumptio to relaxed hours. The eergy auctioed is ot the total eergy delivered by the utility compaies. The biddig is a method i the overall demad respose mechaism where we would like to have some demad-side attempts to maitai the load-supply equilibrium, especially durig periods of higher-tha-ormal risk. As such, that is ot the mai meas of deliverig eergy, or it is the sole methodology. Thus, losig a auctio is just missig the opportuity to take advatage of the icetives or fiacial compesatio offered i exchage for a chage or shift i demad; it does ot mea the loser will be left without eergy. k i j a π M V b a B d c bid a uit a x a y a y TABLE I NOTATIONS USED IN OUR APPROACH. Number of customers participatig i biddig Number of acceptable price values i biddig Geeric idex ragig from 1 to Geeric idex ragig from 1 to k Secodary idex ragig from 1 to The descedig price vector with k discrete values Pre-aouced available umber of uits Maximum umber of uits each customer ca demad The bid vector for customer a The matrix to represet all bid vectors together Cumulative demad vector Wiig price idicator created by the utility The idex of biddig price submitted by customer a The umber of uits demaded by customer a The private key of customer a The public key of customer a The master public key joitly geerated by all customers We base the pricipal protocol desig of our approach o the idea described i [30], [31]. M is the total umber of uits beig sold, e.g. the amout of eergy uits, V correspods to the maximum umber of uits each customer ca demad, e.g. 50KWh, ad is the umber of customers participatig, i.e. electric cosumers. Also, π is a price vector of discrete values sorted i descedig order, e.g. [60, 50, 40, 30], defied by the utility, ad k is the size of π, i.e. k = π : π = [π 1 π 2 π 3 π k ] Let L l, U l, I l deote the l l lower triagular, upper triagular ad idetity matrices, respectively. Furthermore, let R l deote a l l radomizatio matrix, 0 0 R l = whose diagoal etries are joitly-geerated radom umbers ukow to ay sigle customer. This radom matrix is used upo the termiatio of the protocol to guaratee that o private iformatio is leaked, as explaied later. Wheever a ew DR biddig is iitiated by the utility, alog with the aoucemet of the parameters (π, M,V ), each customer i chooses a elemet with idex bid i from the price vector π ad the umber of uits uit i to buy at π bidi price, such that 1 uit i V ad 1 bid i k. The, each customer creates a bid vector deoted by b i such that b i = k = π, which cosists of (k 1) 0s, ad uit i at idex bid i, as give below: b i = [ 0 0 uit i 0 0 ] T which states that the customer is biddig to purchase uit i may uits of eergy at up to a price of π bidi. I order to simplify the otatio, we defie B as a matrix whose colums correspod to the bid vectors of customers, i.e. B = [b 1 b 2 b ]. Now that ay customer i has his ow

4 4 bid vector placed i i-th colum of matrix B, the cumulative demad vector is defied as d: d = b i (1) The first goal of the utility is to fid the maximum idex t that satisfies the iequalities for the pre-aouced available amout M: t j=1 d j M < t+1 j=1 d j (2) After fidig t, the utility creates a vector, deoted by c, that cosists of (k 1) 1s, ad oe 0 at the t-th etry oly. c = [ ] T The fial outcome fuctio for each customer i is give below, with which each customer ca ifer whether he wo, ad if so, at what price. It is importat to radomize o-zero elemets of the outcome fuctio so that a customer ca oly ifer his wi/loss status. (3) f i (B) = R k (c + (U k I k ) b i ) (4) By markig the idices except t with oes i c, we are maskig the other bid values, so that ay wier cocludes this price as the fial. Fially, each customer i checks the result of f i (B) to fid whether there is a 0 i it or ot. The latter simply meas the customer lost the biddig, whereas the former idicates that he wo ad ca determie the price by usig the positio of 0 i f i (B) that correspods to the actual price i π. Note that i this multi-uit multi-wier auctio system, the available uits are distributed amog the bidders who offered oe of the highest t prices i the price vector π. This implies that there might be some usold uits from available pool at the ed. Our focus i this paper is i the privacy-protectio of the biddig process. There are various differet auctio methodologies i the literature (e.g., Eglish Auctio, Dutch Auctio, Vickery Auctio). Our goal is ot to optimize the biddig process or to pick oe of the aforemetioed auctio mechaisms. The distributio of uits algorithm i our protocol is such that the available umber of uits are distributed amog the highest t price bidders depedig o the available uits M. We thereby assume a simple ad fair auctioig mechaism as the uderlyig biddig i order to provide a cryptographically secure ad private protocol. We do ot claim ay optimality i that sese, but we assure that bidder privacy is protected. Nevertheless, our protocol ca be modified fairly easily to accommodate a wide rage of biddig protocols i the removal of depedecy o trusted third parties to achieve privacy preservatio. B. Toy Example As a example, below are the three bid vectors for three customers; for the price vector π = [ ], where M is defied as 6 uits. From = 3 customers i total, customer 1 wats to buy 3 uits at a price of up to $60, customer 2 wats to buy 2 uits at a price of up to $50, ad customer 3 wats 4 uits up to $40. They create their b i vectors as follows: b 1 = 0 0, b 2 = 2 0, b 3 = The, customers should joitly calculate d: 3 d = b i = Now the utility fids t = 2 as stated i Equatio (2) ad creates the c vector. c = [ ] T From this we ca easily compute the outcome fuctio f i for each customer as show below: f 1 (B) = R 0 k = f 2 (B) = R 0 k = f 3 (B) = R 0 k = Note that each * deotes a uiform o-zero radom value idepedet of others, ad is used to mask o-zero values so a customer caot ifer aythig about his rivals. At the ed, customer 1 ad customer 2 cocludes that they wo the biddig with the price of $50 with the quatities they submitted. Customer 3 oly realizes that he lost. The operatios metioed so far actually cosist of three phases: i. Customers joitly calculate d from the b i vectors. ii. The utility determies t from d, ad creates c. iii. Customers calculate their outcome f i (B) by usig c. Note that the first ad third operatios are liear ad may be performed i the expoet as part of the Elgamal ecryptio to be described i the ext sectio by exploitig the homomorphic property. They are performed as separate rouds i the multiparty computatio to be detailed below. However, the secod operatio requires a full kowledge ad disclosure of the complete vector d. Thus, we assume that the utility will have a access to that iformatio i order to carry out that phase of the operatios. Please ote that the matrix represetatios we used so far are chose to simplify the formal descriptio ad imply liearity

5 5 of operatios i our protocol, but the real implemetatio of the protocol replaces the matrix operatios with the cryptographic operatios described i the followig sectio. IV. PRIVACY ASSURED BIDDING PROTOCOL I this sectio, we ehace the algorithm preseted i the previous sectio with cryptographic operatios usig Elgamal ecryptio, thereby defie our protocol. A. Prelimiaries Elgamal ecryptio is oe of the best-kow public key cryptosystems after RSA. It has a simple ad elegat mathematical structure that allows such operatios as distributed key geeratio ad homomorphic ecryptio. I a prelude to the explaatio of our approach, we below summarize the Elgamal ecryptio algorithm ad its various relevat features. All the arithmetic is carried out i Z p uless otherwise stated. Elgamal Cryptosystem: Let p be a large prime, ad g be a elemet of order q i Z p, for some large prime q (p 1). Alice chooses a radom x {1,2,...,q 1} as her private key, ad y = g x mod p is her public key. To ecrypt a message µ for Alice, Bob chooses a radom r {1,2,...,q 1} as a oe-time secret, ad computes the ciphertext (α,β) as α = µy r mod p ad β = g r mod p (i.e., the message is masked by g xr mod p). Alice decrypts the message by recomputig the maskig factor by g xr = β x ad removig it from the message: µ = α(β x ) 1. Homomorphic Ecryptio: Elgamal ecryptio is homomorphic accordig to multiplicatio: Give E(µ 1 ) = (α 1,β 1 ) ad E(µ 2 ) = (α 2,β 2 ), we ca compute the ecryptio of µ 1 µ 2 by E(µ 1 µ 2 ) = (α 1 α 2, β 1 β 2 ). Distributed Key Geeratio: A commo Elgamal public/private key pair ca be geerated by a group of participats by each participat geeratig a part of the key: Each party i geerates his partial private ad public key (x i,y i = g x i) ad broadcasts the public key y i to the group. The master public key is y = i y i. The private key x = i x i mod q is held i a distributed fashio by the group where party i has share x i. Distributed Decryptio: Let (α, β) be a ciphertext ecrypted uder a public key y = g x, where the private key x = i x i mod q is distributed amog a group of participats with user i havig x i. The message ca be decrypted collectively, without ay participat revealig his secret share: User i computes ad broadcasts φ i = β x i. Oe participat combies these partial results ad decrypts the message as µ = α( i φ i ) 1. Distributed Radomizatio: The homomorphic property of Elgamal ecryptio eables a group of users to radomize a ecrypted message while the radomizatio factor is ukow to ay user: For a give ciphertext (α, β), each party picks his radomizatio parameter m i, calculates ad broadcasts (α i = α m i,β i = β m i). The radomized ciphertext is calculated as (α m = i α i,β m = i β i ), for m = i m i. B. Biddig Privacy Usig Multiparty Computatio Secure multi-party computatio (MPC) is used to compute a fuctio collectively by a umber of participats such that, i the ed, o participat ca lear aythig except its ow iput ad the result [32]. I this sectio, we give a MPC protocol that calculates the outcome of the auctio described i Sectio III privately. We first give a high-level descriptio of our protocol ad the the details: 1) Each customer a geerates a public-private key pair (x a,y a ) ad broadcasts the y a value. 2) The commo group public key y = y i mod p is calculated by all, ad the group private key x = x i mod q is composed of partial private keys held by the customers, oe of which may costruct the full group private key. 3) Each customer a geerates his bid vector b a, ecrypts it by the group public key, ad broadcasts. 4) Each customer calculates a partial decryptio factor usig his share of the private key, ad seds it to the utility. 5) The utility decrypts the cumulative demad vector d usig the partial results computed by the customers. The the utility calculates the c vector, ecrypts it by the group public key, ad broadcasts. 6) Each customer calculates his auctio fuctio i Equatio (4) i the expoet ad broadcasts the result. 7) Each customer calculates a set of partial decryptio factors over the values broadcast i the previous step, ad seds them to the utility. 8) The utility shares these partial results selectively such that each customer ca calculate the auctio result privately, without learig aythig extra. We ow describe the protocol i detail. The calculatios are i Z p: Roud 1: Customer a geerates a private key x a, its public key y a = g x a, a radom vector r a, ad a matrix of radom values m (a),1 i,1 j k. The, he broadcasts his partial public key y a ad calculates the commo public key y, by usig the partial public keys of the others: y = y i Roud 2: Customer a ecrypts his bid vector b a, α a j = g b a j y r a j β a j = g r a j for 1 j k, ad broadcasts it. Roud 3: Each customer calculates, for 1 j k, α j = α, β j = β. Roud 4: Customer a calculates ad seds his partial decryptio factor φ a j, for 1 j k, to the utility privately (over Trasport Layer Security TLS ) so that the utility ca decrypt d: φ a j = β x a j Roud 5: The utility computes, for 1 j k, g d j = α j φ.

6 6 I order to obtai d, the utility eeds to extract each d j by solvig a discrete logarithm with a upper boud of V. This problem ca be solved practically by square-root methods such as Shak s baby-step-giat-step [33] ad Pollard s kagaroo [34]. For cases where k V, the algorithm described i [35] ca be preferred. After calculatig d, the utility determies the idex t ad creates the c vector as described i Equatios (2) ad (3). Roud 6: The utility ecrypts c usig radom r u j to calculate α u j, for 1 j k, where u deotes the utility: α u j = g c j y r u j β u j = g r u j Roud 7: Customer a executes the liear operatio give i Equatio (4) i the expoet, radomized by m (a), γ (a) = ( α u j k q= j+1 ) (a) m ( α iq σ (a) = β u j k q= j+1 ) (a) m β iq for 1 i,1 j k, ad broadcasts the result. Roud 8: Customer a calculates ad seds his decryptio factors φ (a), for 1 i,1 j k, to the utility privately (over TLS): ( φ (a) = q=1 σ (q) The utility broadcasts all φ (a) parameters for 1 i,1 j k,1 a, except a = i. By doig so, the utility guaratees that oly the customer a himself ca compute the fuctio f a (B). Roud 9: Fially, customer a does the followig compoet-wise computatio as the fial operatio to compute his idividual f a (B) to check his wi/loss status: ) xa g f a(b) j = γ(i) a j φ (i) a j At this poit, customer a checks the fial result i the expoet to see whether the vector g f a(b) cotais a 1, which correspods to havig a 0 i f a (B). If there is a 1 i the result, the positio of 1 is used to determie the uit price from the π price vector. Note that, the utility also computes f a (B) fuctio for each customer a to determie the wiers. I the ed, the oly extra iformatio available to the utility is the cumulative demad vector d, which correspods to total demad versus price iformatio pertaiig to curret biddig process. Note that this vector does ot cotai ay private iformatio about ay customer. As such, makig the total demad vector d trasparet does ot compromise ay privacy otio with respect to the customers. Further, it may facilitate a useful mechaism for the customers for their future bids as a historical data poit. Utility s access to this iformatio is also beeficial i the sese that it will kow what the curret market coditios are. The most performace demadig aspect of our algorithm comes from the Roud 7, i which radomizatio of elemets are performed. This requires computatios with matrices that have 2 k elemets. Thus our algorithm scales with O( 2 k). We believe our algorithm ca be easily implemeted for biddig i low-cost embedded devices. Please also ote that the biddig algorithm we hereby propose is ot expected to ru i a real-time sceario. The time-graularity is likely to be i a similar magitude of real-time pricig updates from the utility, which is typically i 15 miutes or so. Whe the time scale is cosidered withi these parameters, our algorithm is sigificatly well withi the expected frequecy of such mechaisms ad i a acceptable time frame. V. SECURITY ANALYSIS I the previous sectio, we have defied our basic protocol which is secure agaist hoest but curious (HbC) adversaries, i.e., a party who acts hoestly ad performs the prescribed operatio exactly, but may go beyod what is expected of him ad tries to extract privacy-violatig iformatio by actig curiously. I this sectio, we ehace our protocol to be secure agaist fully malicious adversaries [36] who do ot ecessarily follow the protocol or create their iputs as specified. Later, we also discuss a hybrid versio which is more efficiet tha the fully secure versio. We employ zero-kowledge proofs (ZKPs) to verify that expected operatios are hoestly performed. ZKPs eable us to verify the itegrity of the protocol through validatio without forcig parties to disclose their private iformatio. I what follows, we first elaborate o four ZKPs. Buildig o top of these four ZKPs, we go o to provide the security aalysis to prove that privacy of customer bids are guarateed i our approach. A. Zero-Kowledge Proofs I what follows, we drop mod p from the otatios to reduce the clutter. As before, all the arithmetic is i mod p (i Z p) uless otherwise stated. ZK1: Alice has y = g x ad wats to prove her kowledge of x to Bob, without disclosig x, where y ad g are publicly kow [37]. i. Alice picks a radom z, seds g z to Bob. ii. Bob seds a radom c as a challege to Alice. iii. Alice seds r = (z + xc) mod q to Bob. iv. Bob checks if g r = g z y c. ZK2: Alice has y 1 = g x 1 ad y 2 = g x 2 ad wats to prove equality ad kowledge of discrete logarithm log g1 y 1 = log g2 y 2 = x, without disclosig x, where y 1, y 2, g 1 ad g 2 are public [38]. i. Alice picks z radomly ad seds g z 1, gz 2 to Bob. ii. Bob seds a radom c as challege to Alice. iii. Alice seds r = (z + xc) mod q to Bob. iv. Bob verifies the equality of two discrete logarithm by checkig both g r 1 = gz 1 yc 1 ad gr 2 = gz 2 yc 2. ZK3: Alice has (α,β) = (my r,g r ) ad wats to prove that either m = z or m = 1 without disclosig which oe it is. [39] i. If m = 1, Alice chooses r 1, d 1, w at radom ad seds (α,β), a 1 = g r 1β d 1, b 1 = y r 1(α/z) d 1 ad a 2 = g w, b 2 = y w to Bob.

7 7 If m = z, Alice chooses r 2, d 2, w at radom ad seds (α,β), a 1 = g w, b 1 = y w, a 2 = g r 2β d 2, b 2 = y r 2α d 2 to Bob. ii. Bob seds a radom c as challege to Alice. iii. If m = 1, Alice seds d 1, d 2 = c d 1 mod q, r 1 ad r 2 = w rd 2 mod q to Bob. If m = z, Alice seds d 1 = c d 2 mod q, d 2, r 1 = w rd 1 mod q, ad r 2 to Bob. iv. Bob verifies that ecrypted value (α,β) is either 1 or z by checkig c = d 1 + d 2 mod q, a 1 = g r 1β d 1, b 1 = y r 1(α/z) d 1, a 2 = g r 2β d 2 ad b 2 = y r 2α d 2. ZK4: Alice wats to prove that her ecrypted elemet (α,β) = (g c y r,g r ) decrypts to g c, where r is ephemeral key (oe-time key) ad c [0,2 l 1], where l is a arbitrary system parameter. i. Alice writes dow c i biary form, e.g. c = c l 1 c 1 c 0 each c t beig either 1 or 0 for t [0,l 1]. The, she creates ecrypted elemets (α l 1,β l 1 ), (α l 2,β l 2 ),, (α 0,β 0 ) such that each elemet satisfies (g 2t c t y r t,g r t ) = (α t,β t ) as well as ephemeral keys satisfyig r = r t. The, she seds ew ecrypted elemets (α t,β t ) to Bob. ii. For each elemet, Alice proves each (α t,β t ) decrypts to either 1 or g 2t with ZK3. iii. Bob checks if α t = α ad β t = β, alog with ZK3 proofs for each (α t,β t ) pair, ad cofirms that (α,β) ideed correspods to g c where c [0,2 l 1 ]. B. Active Adversaries The protocol we described i Sectio IV so far assumes that each customer follows the procedure rouds give i Sectio III hoestly, leavig possible vulerabilities. Therefore, the protocol is required to be secured agaist active adversaries, for which oe possible solutio is eforcig the software with Trusted Computig (TC). However, i order to elimiate aother trusted party, i.e. TC hardware/software platform, we are proposig a extesio to our protocol with ZKPs. We cosider a full-adversary model. I this security sceario, all operatios of the customers, ad eve the utility, must be verified. We desig our protocol such that ay participat should be able to verify others usig the aforemetioed ZKPs with their o-iteractive Fiat-Shamir versios [40]. This strog privacy versio requires two slight chages from the above protocol: each customer publicly aouces his decryptig factor i Roud 4 ad receives others as well as each calculates r ad c such that every customer eds up havig the same elemet via idepedet computatios, implyig the same ephemeral key for the ecryptio. It also implies that the cotributio of the utility to the DR-biddig is limited to oly determiig the available umber of uits M, thereby elimiatig ay possible malicious attempt by the utility. Below, we describe the rouds as to how the ZKPs i Sectio V-A ca be used: R1: Each customer uses ZK1 to prove kowledge of x a for his published partial public key y a. R2: Each customer uses ZK4 for every b ja, 1 j k, to prove that his bid vectors satisfy the price vector iterval coditio to prevet ay kid of price riggig or collusio. R3: Ay verifier does the same computatio ad checks equality of the results. R4: Each customer uses ZK2 to prove log g y a = log σ φ a j, for 1 j k. R5-6: Each customer calculates r idividually, creates c j ad ecrypts with public key y usig the same ephemeral key. R7: With ZK2, discrete logarithm equality is show for each (γ (a),σ (a) ), 1 i,1 j k by customer a. R8: With ZK2, discrete logarithm equality is show for each log g y a = log (a), 1 i,1 j k by σ φ (a) customer a. R9: Betwee the utility ad each customer, the outcomes should be equal ad ca be verified via the direct equality check. Remember that the protocol descriptio i Sectio III assumes that the utility is a HbC. Obviously, uder the full adversary model, we ca o loger trust the utility to carry out the computatios give i Equatio (2). Thus, we resort to the distributed computatio of these values by everyoe usig a form of MPC. I the former model whe the utility is a HbC, it has the luxury of keepig the wiig price secret without disclosig it to the losers of the biddig process. However, for the latter, sice it is doe i a distributed fashio, all parties will fid out the settlemet price, icludig the losers. While more parties are exposed to this previously secret settlemet price, oe might argue that this exposure might be beeficial from a game-theoretical perspective. However, this dimesio is out of the scope of our paper. A major computatioal overhead of the ew protocol is the requiremet that every party verify every ZKP created by every other party. A hybrid solutio is possible to relieve this burde: The utility verifies the ZKPs ad broadcasts the results. It is up to each customer whether to accept these results or to verify them o his ow. We believe that havig the possibility to ivoke the full ZKP of each ad every step of the biddig process is by itself a great deterret to ay misuse or abuse to compromise the itegrity. So, i practice, the computatioal load of the ZKP for each ad every bid ca be avoided. A radom ivocatio of the full ZKP with strict sactioig of ay misbehavior is likely to be a strog mechaism agaist ay adversarial participatio. VI. CONCLUSION Demad respose is a cetral compoet of the Smart Grid paradigm as it is the fudametal eabler of a sigificat portio of fiacial ad operatioal beefits to all the parties ivolved. Ideed, it is reported by various iterest groups that realizatio of a demad respose ecosystem with full participatio of market stakeholders has a potetial to reduce the peak electricity demad as much as %20. Hece, icreasig the participatio i demad respose programs is imperative for boostig the beefits for both idividual cosumers ad the

8 8 system as a whole. Yet, efficiet mechaisms for mitigatig the privacy violatio possibilities due to the participatio i demad respose programs are ot readily available. Therefore, i this study, we preset a distributed. multi-uit privacy assurig biddig (PAB) protocol for demad respose. The most importat feature of our protocol is that it does ot rely o ay kid of trusted third party which is essetial i elimiatig a potetial source for security breaches by adversaries. We also provide a thorough security aalysis of PAB by meas of four Zero-Kowledge Proofs to show that ay potetial privacy cocers of the customers are addressed while the itegrity of the process from the utility s perspective is preserved. What replaces the trusted third party i our protocol is the computatioal hardess of discrete logarithm problem ad efficiet zero kowledge proofs. ACKNOWLEDGEMENT Suleyma Uludag is partially supported by The Scietific ad Techological Research Coucil of Turkey (TUBITAK) BIDEB 2221 Fellowship for Visitig Scietists Program 2015/12. REFERENCES [1] Natioal Istitute of Stadards ad Techology Special Publicatio 1108r3, NIST Framework ad Roadmap for Smart Grid Iteroperability Stadards, Release 3.0, Smart Grid Iteroperability Pael (SGIP), [2] Europea Committee for Electrotechical Stadardizatio, Fial report of the CEN/CENELEC/ETSI Joit Workig Group o Stadards for Smart Grids, [3] IEEE Guide for Smart Grid Iteroperability of Eergy Techology ad Iformatio Techology Operatio with the Electric Power System (EPS), Ed-Use Applicatios, ad Loads, IEEE Std , pp , [4] Y. W. Law, T. Alpca, V. C. Lee, A. Lo, S. Marusic, ad M. Palaiswami, Demad Respose Architectures ad Load Maagemet Algorithms for Eergy-Efficiet Power Grids: A Survey, i Proc. IEEE Iteratioal Coferece o Kowledge, Iformatio ad Creativity Support Systems, 2012, pp [5] M. Albadi ad E. El-Saaday, A summary of demad respose i electricity markets, Electric Power Systems Research, vol. 78, o. 11, pp , Nov [6] White paper: Demad Respose: A Multi-Purpose Resource For Utilities ad Grid Operators, Eergy Network Operatios Ceter (Eer- NOC), Tech. Rep., [7] P. Siao, Demad respose ad smart grids: A survey, Reewable ad Sustaiable Eergy Reviews, vol. 30, pp , Feb [8] Beefits of Demad Respose i Electricity Markets ad Recommedatios for Achievig Them - A Report to the Uited States Cogress Pursat to Sectio 1252 of the Eergy Policy Act of 2005, US Departmet of Eergy, US Departmet of Eergy, Tech. Rep., [9] NERC Demad Respose Availability Data System (DADS): Phase I & II Fial Report, The North America Electric Reliability Corporatio (NERC), Tech. Rep., [10] The Power to choose: demad respose i liberalised electricity markets, Iteratioal Eergy Developmet Agecy, Orgaisatio for Ecoomic Co-operatio ad Developmet (OECD), Tech. Rep., [11] NISTIR 7628 Revisio 1, Guidelies for Smart Grid Cybersecurity: Vol. 2, Privacy ad the Smart Grid, Smart Grid Iteroperability Pael (SGIP), Smart Grid Cybersecurity Committee, [12] C.-L. Su ad D. Kirsche, Quatifyig the Effect of Demad Respose o Electricity Markets, IEEE Tras. Power Syst., vol. 24, o. 3, pp , Aug [13] Z. Wag ad G. Zheg, Residetial Appliaces Idetificatio ad Moitorig by a Noitrusive Method, IEEE Tras. Smart Grid, vol. 3, o. 1, pp , Mar [14] M. A. Lisovich, D. K. Mulliga, ad S. B. Wicker, Iferrig Persoal Iformatio from Demad-Respose Systems, IEEE Security Privacy, vol. 8, o. 1, pp , Ja.-Feb [15] E. L. Qui, Privacy ad the ew eergy ifrastructure, Ceter for Eergy ad Evirometal Security (CEES) Workig Paper No , [16] M. Zeifma ad K. Roth, Noitrusive appliace load moitorig: Review ad outlook, IEEE Tras. Cosum. Electro., vol. 57, o. 1, pp , Feb [17] C. Cuijpers ad B.-J. Koops, Europea Data Protectio: Comig of Age. Dordrecht: Spriger Netherlads, 2013, ch. Smart Meterig ad Privacy i Europe: Lessos from the Dutch Case, pp [18] S. D. Warre ad L. D. Bradeis, The Right to Privacy, Harvard Law Review, vol. 4, o. 5, pp , Dec [19] H. va Rossum, H. Gardeiers, J. Borkig, A. Cavoukia, J. Bras, N. Muttupulle, ad N. Magistrale, Privacy-Ehacig Techologies: The Path to Aoymity. De Haag: Iformatio ad Privacy Commissioer / Otario, Caada & Registratiekamer, The Netherlads, [20] G. V. Blarkom, J. Borkig, ad J. Olk, Hadbook of privacy ad privacy-ehacig techologies, Privacy Icorporated Software Agets, pp , [21] S. Uludag, S. Zeadally, ad M. Badra, Techiques, Taxoomy, ad Challeges of Privacy Protectio i Smart Grid, i Privacy i a Digital, Networked World : Techologies, Implicatios ad Solutios, S. Zeadally ad M. Badra, Eds. Spriger Lodo, 2015, ch. 15. [22] White paper: The OpeADR Primer, A itroductio to Automated Demad Respose ad the OpeADR Stadard, OpeADR Alliace, Tech. Rep., [23] M. A. Piette, G. Ghatikar, S. Kiliccote, E. Koch, D. Heage, P. Palesky, ad C. McParlad, Ope Automated Demad Respose Commuicatios Specificatio (Versio 1.0), [24] A. Paverd, A. Marti, ad I. Brow, Privacy-Ehaced Bi-Directioal Commuicatio i the Smart Grid usig Trusted Computig, i Proc. IEEE Iteratioal Coferece o Smart Grid Commuicatios (Smart- GridComm), 2014, pp [25], Security ad Privacy i Smart Grid Demad Respose Systems, i Smart Grid Security, ser. Lecture Notes i Computer Sciece, J. Cuellar, Ed. Spriger, 2014, vol. 8448, pp [26] M. Karwe ad J. Struker, Maitaiig Privacy i Data Rich Demad Respose Applicatios, i Smart Grid Security, ser. Lecture Notes i Computer Sciece, J. Cuellar, Ed. Berli, Heidelberg: Spriger, 2013, vol. 7823, pp [27] Y. Gog, Y. Cai, Y. Guo, ad Y. Fag, A Privacy-Preservig Scheme for Icetive-Based Demad Respose i the Smart Grid, IEEE Tras. Smart Grid, vol. 7, o. 3, pp , May [28] M. S. Rahma, A. Basu, ad S. Kiyomoto, Privacy-friedly secure biddig scheme for demad respose i smart grid, i Proc. IEEE Iteratioal Smart Cities Coferece (ISC2), Oct. 2015, pp [29] S. Uludag, M. F. Balli, A. A. Selcuk, ad B. Tavli, Privacy- Guarateeig Biddig i Smart Grid Demad Respose Programs, i Proc. IEEE Globecom Workshop o SmartGrid Resiliece (SGR) (GC 15 - Workshop - SGR), Sa Diego, USA, Dec. 2015, pp [30] F. Bradt ad T. Sadholm, Fiacial Cryptography ad Data Security: 9th Iteratioal Coferece (FC 2005). Spriger, 2005, ch. Efficiet Privacy-Preservig Protocols for Multi-uit Auctios, pp [31] F. Bradt, How to obtai full privacy i auctios, Iteratioal Joural of Iformatio Security, vol. 5, o. 4, pp , Oct [32] A. C. Yao, Protocols for secure computatios, Proc. Aual Symp. Foudatios of Computer Sciece (SFCS 1982), pp , Nov [33] D. Shaks, Class umber, a theory of factorizatio, ad geera, i Proc. Sympos. Pure Math., 1971, vol. XX, pp [34] J. M. Pollard, Kagaroos, Moopoly ad Discrete Logarithms, Joural of Cryptology, vol. 13, o. 4, pp , Sep [35] D. J. Berstei ad T. Lage, Computig small discrete logarithms faster, i Proc. Progress i Cryptology (INDOCRYPT 2012), S. Galbraith ad M. Nadi, Eds. Spriger, 2012, pp [36] O. Goldreich, Foudatios of Cryptography: Volume 1. New York, NY, USA: Cambridge Uiversity Press, [37] C. P. Schorr, Efficiet sigature geeratio by smart cards, Joural of Cryptology, vol. 4, o. 3, pp , Ja [38] D. Chaum ad T. P. Pederse, Wallet databases with observers, i Proc. Advaces i Cryptology (CRYPTO 92), E. F. Brickell, Ed. Spriger, 1993, pp [39] R. Cramer, R. Gearo, ad B. Schoemakers, A secure ad optimally efficiet multi-authority electio scheme, i Proc. Aual Iteratioal Coferece o Theory ad Applicatio of Cryptographic Techiques (EUROCRYPT 97), 1997, pp [40] A. Fiat ad A. Shamir, Proc. Advaces i Cryptology (CRYPTO 86). Spriger, 1987, ch. How To Prove Yourself: Practical Solutios to Idetificatio ad Sigature Problems, pp

9 9 Muhammed Fatih Balli received his BS degrees i both Electrical ad Electroics Egieerig ad Computer Egieerig from TOBB Uiversity of Ecoomics ad Techology, Akara, Turkey, i He is curretly a PhD cadidate at the Laboratory of Cryptography ad Security (LASEC), at Ecole Polytechique Federale de Lausae. He is iterested i applied cryptography, homomorphic ecryptio ad biometric idetity privacy. Suleyma Uludag is a Associate Professor of Computer Sciece at the Uiversity of Michiga - Flit. His research iterests have bee aroud secure data collectio, Smart Grid commuicatios, Smart Grid privacy, Smart Grid optimizatio, demad respose biddig privacy, Deial-of-Service i the Smart Grid, cybersecurity educatio ad curriculum developmet, routig ad chael assigmet i Wireless Mesh Networks, Quality-of-Service (QoS) routig i wired ad wireless etworks, topology aggregatio. Ali Aydi Selcuk is a Professor at the Computer Egieerig Departmet, TOBB Uiversity of Ecoomics ad Techology, Akara, Turkey. He received his BS ad MS degrees i Idustrial Egieerig from Middle East Techical Uiversity ad Bilket Uiversity, Akara, Turkey, i 1993 ad 1995, respectively. He received his PhD degree i Computer Sciece from Uiversity of Marylad Baltimore Couty, Marylad, USA i Prior to joiig TOBB Uiversity, he worked at Bilket Uiversity, Purdue Uiversity, Novell Networks, ad RSA Laboratories. His research iterests are i applied cryptography ad etwork security. Bulet Tavli (S 97 M 05) is a Professor at the Electrical ad Electroics Egieerig Departmet, TOBB Uiversity of Ecoomics ad Techology, Akara, Turkey. He received his BS degree i Electrical ad Electroics Egieerig from the Middle East Techical Uiversity, Akara, Turkey, i He received his MS ad PhD degrees i Electrical ad Computer Egieerig from the Uiversity of Rochester, Rochester, NY, USA i 2002 ad 2005, respectively. Wireless commuicatios, etworkig, optimizatio, embedded systems, iformatio security, ad smart grid are his curret research areas.