I Introduction
Realistic and publicly available power network models based on real data are important for the research community. One of the difficulties in developing such a model is that grid operators are reluctant to disclose consumer data or any information that may be commercially sensitive. Differential privacy, first developed in [1, 2, 3], has been widely used to evaluate the privacy loss for individual users in a dataset. It has recently been used by researchers in the power systems community in applications such as distributed algorithms for EV charging [4], power system data release [5], and load management [6].
In our work, we consider the differential privacy of power systems induced by an Optimal Power Flow (OPF) problem. In this context, the optimal generation can be viewed as a function of the loads. Typically generation data is publicly available. In contrast, load data can reveal consumer habits and other commercially sensitive information, and thus we aim to keep it private. We aim to prevent changes in generation data from disclosing sensitive load data. Instead of proposing new mechanisms, for a given network we study how much noise is required to be added to the data in order to achieve a certain level of differential privacy for existing mechanisms such as the Laplace mechanism. We introduce the concept of monotonicity, a metric that is central to our differential privacy analysis. We also show how it is affected under different system topologies. Finally we present examples of three systems with different topologies and thus different monotonic characterizations, i.e., different parameters. For each system we show that to preserve the same level of differential privacy, the required amount of noise implied by our theorem is very different for each example. We hope that such theoretical guarantees will not only guide the design of differentially private power systems, but also encourage greater data sharing and cooperation between grid operators and academia in the future.
We stress that the aim of this work is not to show that a linear program can be made differentially private. There are numerous results in this area, see for example [7, 8, 9]. In the setting we consider, the grid operator will solve an appropriate optimization problem and will have access to all the data. The results we provide will be based on using the Laplace mechanism to release this data privately. We note that there are other mechanisms available (e.g. the exponential and Gaussian mechanisms, as well as some that allow one to specify the support of a distribution) and indeed some may be better suited for this particular application. However, the Laplace mechanism is used in this paper as it most clearly links the key concepts of monotonicity, sensitivity, and topology and their relationship to privacy; this dependence has until now not been identified.
II Background
Notation
Vectors and matrices are typically written in bold while scalars are not. Given two vectors , denotes the elementwise partial order for . For a scalar , we define the projection operator . We define as the number of nonzero elements of the vector . For , the restriction denotes the matrix composed of stacking rows , and on top of each other. We will frequently use a set to describe the rows we wish to form the restriction from, in which case we assume the elements of the set are arranged in increasing order. We will use to denote the standard basis vector, its dimension will be clear from the context. Finally, let and .
II-A System Model
Consider a power network modeled by an undirected graph , where
denotes the set of buses which can be further classified into generators in set
and loads in set , and is the set of all branches linking those buses. We will later use the terms (graph, vertex, edge) and (power network, bus, branch) interchangeably. Suppose and there are generator and loads, respectively. For simplicity, let , . Let . Without loss of generality, is a connected graph with edges labelled as . Let be the signed incidence matrix. Let , where is the susceptance for branch . As we adopt a DC power flow model, all branches are assumed lossless. Further, we denote the generation and load as , , respectively. Thus refers to the generation on bus while refers to the load on bus . We will refer to bus simply as load for simplicity. The power flow on branch is denoted as , and is the vector of all branch power flows. The following assumption is made to simplify the analysis.
Assumption 1
There are no buses in the network that are both loads and generators. Formally, .
The above assumption is not restrictive under the lossless assumption in DC power flow. We can always split a bus with both a generator and a load into a bus with only the generator connected to another bus with only the load, and connect all the neighbors of the original bus to that load bus.
II-B Optimal Power Flow
We focus on the DC OPF problem with a linear cost function [10]. That is to say, the voltage magnitudes are assumed to be fixed and known. Without loss of generality, we assume all the voltage magnitudes to be . The decision variables are the voltage angles denoted by vector and power generations , given loads . The DC OPF takes the following form:
(1a)  
subject to  (1e)  
Here, each entry of is the unit cost for a generator, and bus is selected as the slack bus with fixed voltage angle . In (1e), we let the injections for generators be positive while the injections for loads be the negation of . The upper and lower limits for the generation are set as and , respectively, and and are the limits for branch power flow. We assume that (1) is well posed, i.e. , .
II-C Differential Privacy
In this subsection, we introduce the concept of differential privacy as a method for evaluating the privacy status of a dataset. In general, a differentially private dataset can protect the privacy of each individual user by adding noise to database queries such that the change in a single record cannot be effectively detected [1, 2, 3]. Suppose is the data space for users. Then a data element is . A query is a function . Examples include “count” functions, e.g. return the number of records in the database where property holds (
). Other examples include statistical queries such as computing mean and variance. A mechanism
is a randomized function of which releases the result of the query combined with an appropriately defined level of noise. For example, a mechanism can return the value for an appropriately chosen noise .
Definition 1 ([1])
The mechanism is said to preserve differential privacy if and only if such that , and , we have
A mechanism that satisfies the properties of Definition 1 ensures that the addition or removal of a single entry to the database does not change (much) the outcome of the query.
The Laplace mechanism is a popular choice relying on the symmetric Laplace distribution
. For a random variable
the probability density function is given by
and has variance . Intuitively, as increases, the distribution flattens and spreads symmetrically about the origin. The Laplace mechanism is defined by where are independent and identically distributed for and is the sensitivity of the query :
(2) 
The following theorem explains the importance of the Laplace mechanism [1]:
Theorem 1
For , the Laplace mechanism defined by provides differential privacy.
From the theorem and the definition of the Laplace distribution, it can be seen that for a fixed privacy level (specified by ), as the sensitivity increases, the mechanism responds by adding noise drawn from a distribution of increasing variance. Fortunately, many queries of interest have low sensitivity; e.g., counting queries and sum-separable functions have ,
III Preliminaries
III-A OPF Operator
We now fix the topology and susceptances of the power network. Let be the vector of system limits. Define
For each , define
Here is convex and nonempty. When we fix and there is no confusion, we use and instead.
We now define the operator , which will be used throughout the rest of the paper.
Definition 2
Let the set-valued operator be the mapping such that is the set of optimal solutions to (1) with parameter . (Footnote 1: Here, indicates the power set of .)
We adopt the following assumption to simplify . Fix and , let be the set of such that ,

(1) has a unique solution;
Assumption 2
The objective vector is in , i.e, always guarantees the uniqueness of the solution to (1) for all .
The motivation for Assumption 2 is technical and deferred to the Appendix.
Remark 1
Remark 2
Intuitively, and contain the parameters that make (1) feasible, while and also provide with good properties such as uniqueness and differentiability.
III-B System Monotonicity
System monotonicity characterizes how the optimal generation reacts to a change in load. It sheds light on the sensitivity.
Definition 3
A power system is said to be monotone if such that and , we have .
In the DC power flow model, , i.e., the total generation to meet demand is greater than or equal to the total generation to meet demand , but the equalities in Definition 3 are stronger. They are elementwise, i.e., a system is monotone if all generations will increase or remain unchanged when any single load increases. This is often too stringent a requirement. We are interested in approximately monotone systems, formalized in the following definition.
Definition 4
For , a power system is said to be monotone if such that and , we have . We refer to as a monotonicity pair.
By definition, a monotone system is always monotone for any positive . In the next subsections, we will study the derivative and then relate it to monotonicity.
Here we use the IEEE 9-bus test case as an example to illustrate the concept of monotonicity. As shown in Figure 1, increasing the load on either bus 5 (dashed curves) or bus 9 (solid curves) leads to a decrease in production at generator 2. Hence the IEEE 9-bus test case is not monotone. A more careful analysis shows that for any , the system is actually monotone, meaning the total decrease in the optimal generation will not exceed 2.01 times the increase in the load.
III-C Determining Monotonicity
Monotonicity as in Definition 3 does not hold for general networks. In this subsection we characterize topologies that are monotone. In particular, we show that radial networks are monotone.
An equivalent definition of monotonicity is that the derivative of the corresponding operator is elementwise nonnegative (when it exists). (Footnote 2: We adopt the following notation: , which has dimension .) Let and denote the set of generators and branches that are binding, respectively, for a given , i.e.
When there is no danger of confusion, we will write and for simplicity.
Assumption 3
The set is dense in . For , the derivative always exists, and the sets and do not change in a neighborhood of .
Returning to the graph , we divide into two disjoint sets:
Links in are called bridges in . In general, it is possible that , e.g., when is a ring. The next result connects monotonicity to network topology.
Theorem 2
For any such that , we have , i.e., the system is monotone.
See Appendix C.
Theorem 2 directly implies the following corollaries.
Corollary 1
Power networks whose graphs are trees are monotone.
Corollary 2
If all the possible branch flow bottlenecks in the power system are in , then the system is monotone. (Footnote 3: We define a bottleneck to be any edge such that where the optimal power flow .)
In general, when the cycles in the graph are not adjacent to each other, the monotonicity pair
can be efficiently estimated. The algorithm and its proof will be presented in the journal version of this paper.
IV OPF Privacy
IV-A Motivation and Definition
Ideally both the generations and loads are available for the research community to build realistic power system models from. However, load data may contain sensitive information, and hence it is desirable to preserve the privacy of .
Suppose is a (randomized) function of , and acts as the mechanism of the data. It is reasonable to assume that is always chosen as the unique optimal solution to the OPF problem, i.e., . Then we can write as . For simplicity, we denote it as . The privacy problem is to design a mechanism that hides individual load changes when the database containing the vectors is queried. We let denote the changes to an individual load, i.e., for some . To address this problem, we introduce a modified version of differential privacy:
Definition 5
For , the mechanism preserves differential privacy (Footnote 4: The definition of differential privacy in this paper is different from the standard definition used in [3]. In particular, the second parameter does not refer to an additive term in Definition 1, but rather a bound on the sensitivity of the loads.) if and only if such that and , and , we have
Theorem 1 can be readily extended to our differential privacy.
Lemma 1
Let be a deterministic query. The mechanism , with drawn i.i.d. from , preserves differential privacy if for any such that and , satisfies
IV-B Queries for Power Systems
We investigated a few commonly used statistics for power systems provided by the U.S. Energy Information Administration (EIA) [12] and the French transmission system operator (RTE) [13]. Here we list a few of them and view them as potential queries for power system data.

Regional aggregated generation and load: total generation or load within a region regulated by each grid operator.

Power generation by energy source: total generation provided by each individual source of energy such as solar or wind.

Interregional flows: power traded among different regions.
Most of these statistics can be regarded as linear functions of the generation and load . In the next subsection, we will focus on the example of an aggregation query, which is a generalized model for many of the statistics listed above.
IV-C Aggregation Query
In [14], we propose a method to release load and generation data in a way that attempts to strike a balance between the privacy of data owners and the need of the research community for realistic samples. The method consists of two steps. First, instead of and , the data owner releases their aggregations over discrete regions of the network. Second, a disaggregation algorithm is used to estimate the loads and generations based on the released aggregated data. In this section, we study how differential privacy is preserved for the aggregation query. See [5] for another approach.
Suppose the buses in are partitioned into regions , where is the set of bus IDs in region . Let the aggregation query for region be
The system operator discloses a noisy version of the aggregation query, denoted as and . Here, and are independent random variables and are intentionally added to ensure privacy. Let
(4) 
be the Laplace mechanism for this aggregation query. Since the support of Laplace distribution is unbounded, there is a chance that the mechanism will change the signs of the query and make the output data unrealistic. In practice, one can easily use the exponential mechanism to solve this issue by defining a quality function which penalizes the data with wrong signs [15]. In this paper we will not provide the details as space is limited and our primary motivation is to show how system monotonicity, sensitivity, and topology are related to the data privacy via the Laplace mechanism. We will see in Section V that networks that are likely to encounter sign errors tend to be far from monotone, in which case it is hard to preserve both the privacy and data quality no matter which mechanism is applied due to high sensitivity of the system.
Theorem 3
Suppose the system is monotone. The mechanism (4) where and are drawn i.i.d. from preserves differential privacy.
Corollary 3
Suppose the power system is monotone. The mechanism (4) where and are drawn i.i.d. from preserves differential privacy.
Remark 3
The monotonicity pairs for a fixed system are not unique. In Theorem 3, for any given , there always exists such that the system is monotone.
Remark 4
For the Laplace distributions given in Theorem 3 and Corollary 3, the level of differential privacy is independent of how the aggregation regions are divided and how the data are aggregated. In particular, the amount of noise required relies on neither the number of regions nor the number of buses in each region.
The following example shows why we want the level of differential privacy to be independent of the region division. Consider a trivial mechanism which can preserve the same differential privacy by adding i.i.d. Laplace noise drawn from to each individual load and then solving an OPF problem with the noisy load data to obtain the generations. This mechanism can guarantee differential privacy, assuming that the noisy load makes
feasible and yields a unique solution. Then, from the central limit theorem, the equivalent noise added to
would converge in probability to the Gaussian distribution
. The variance of this distribution depends on the size of the region and can grow rapidly if the region is large, in comparison to the (equivalent) Laplacian distribution given in Theorem 3. As for the equivalent noise added to , we can give a rough estimation. Since the noise added to each load is on the order of , the noise vector added to the load vector has the norm on the order of . Assuming that a monotone system can potentially amplify the noise in the load vector by a factor of roughly , the equivalent noise added to could be on the order of , which also depends on the size of the region and can potentially be quite large.
IV-D Generalization
In general, for an arbitrary query , not necessarily the aggregation query, the sensitivity in (2) depends on the properties of both and . When is the aggregation query, the problem boils down to the monotonicity of , as shown in the previous subsection. However, for general , the estimation of may require a more careful analysis of the structure of . The next result provides a rough estimation of the required amount of noise for differential privacy. Its proof is omitted due to space limitations.
Theorem 4
Suppose a power system is monotone, and all elements of the Jacobian matrix with respect to are upper bounded by the same constant . Then the mechanism , where all are drawn from independent Laplace distributions , preserves differential privacy.
V Simulation
V-A Radial Network
First, we apply the mechanism (4) to a radial power network (embedded image in Figure 2), i.e., a network with a tree topology. Corollary 1 implies that the system is monotone, and by Theorem 3, the noise should be drawn independently from the Laplace distribution so as to preserve differential privacy. In this simulation, we set (MW) and . The interpretation is that any two datasets whose difference we would like to hide should differ in any one load by at most MW. This example has been constructed so that the double-line edge in Fig. 2 is a bottleneck (i.e., a binding constraint in the solution of (1)). According to Appendix C, this bottleneck splits the tree into two subtrees and each subtree contains exactly one generator which is not saturated. Provided the OPF problem remains feasible, any change in the load will directly lead to the same amount of change in the generator which resides in the same subtree as the changing load.
Specifically, if the load on the left increases by , the left generator will increase its generation by while the right generator will remain unchanged. Hence the ground truths of the aggregation queries (shown by vertical lines in Fig. 2) are separated by MW, the same as . The density functions shown in Fig. 2 are sharper than those of networks with cycles, as shown in Figures 3 and 4.
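The following is an added example, not code from the paper: it applies the Laplace mechanism of Theorem 1 to a two-region aggregation query on a constructed radial network that behaves as described above (a binding bottleneck, one unsaturated generator per subtree). The bus numbering, loads, region split, bottleneck flow and the values of the load bound and privacy level are assumptions, and the noise scale is the standard sensitivity-over-epsilon calibration, not the constants of Theorem 3, which this page does not reproduce.

```python
import math
import random

# Constructed toy radial network (not the paper's test case). A binding
# bottleneck splits the tree into subtrees "A" and "B"; each subtree has one
# unsaturated generator that absorbs every load change in its own subtree.
SUBTREE = {1: "A", 2: "A", 3: "A", 4: "B", 5: "B", 6: "B"}  # bus -> subtree
GEN_BUS = {"A": 1, "B": 6}            # generator bus of each subtree
BOTTLENECK_FLOW = 30.0                # MW sent from A to B, fixed at the line limit
REGIONS = [{1, 2, 4}, {3, 5, 6}]      # aggregation regions (assumed partition)
LOADS = {2: 20.0, 3: 25.0, 4: 40.0, 5: 35.0}  # MW, load buses only (Assumption 1)


def dispatch(loads):
    """Optimal generation of the toy model: lossless balance inside each subtree."""
    demand = {"A": 0.0, "B": 0.0}
    for bus, mw in loads.items():
        demand[SUBTREE[bus]] += mw
    return {GEN_BUS["A"]: demand["A"] + BOTTLENECK_FLOW,
            GEN_BUS["B"]: demand["B"] - BOTTLENECK_FLOW}


def aggregation_query(loads):
    """Per region: [total generation, total load], flattened into one vector."""
    gen = dispatch(loads)
    out = []
    for region in REGIONS:
        out.append(sum(mw for bus, mw in gen.items() if bus in region))
        out.append(sum(mw for bus, mw in loads.items() if bus in region))
    return out


def l1_distance(u, v):
    return sum(abs(a - b) for a, b in zip(u, v))


def sensitivity(loads, delta):
    """Worst L1 change of the query when one load moves by at most delta.

    The toy dispatch is linear in the loads, so the worst case sits at
    +/- delta and is the same at every load vector (a global bound).
    """
    base = aggregation_query(loads)
    worst = 0.0
    for bus in loads:
        for step in (delta, -delta):
            neighbour = dict(loads)
            neighbour[bus] += step
            worst = max(worst, l1_distance(base, aggregation_query(neighbour)))
    return worst


def laplace_noise(scale, rng):
    """Lap(scale) as the difference of two i.i.d. exponentials with mean `scale`.

    Textbook floating-point sampler, for illustration only.
    """
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def release(loads, delta, epsilon, rng):
    """Laplace mechanism: true aggregates plus Lap(sensitivity / epsilon) noise."""
    scale = sensitivity(loads, delta) / epsilon
    noisy = [q + laplace_noise(scale, rng) for q in aggregation_query(loads)]
    return noisy, scale


def log_density_ratio(y, loads, neighbour, scale):
    """log p(y | loads) - log p(y | neighbour) for the released vector y."""
    qa, qb = aggregation_query(loads), aggregation_query(neighbour)
    return sum((abs(yi - b) - abs(yi - a)) / scale for yi, a, b in zip(y, qa, qb))


if __name__ == "__main__":
    rng = random.Random(7)
    noisy, scale = release(LOADS, delta=1.0, epsilon=0.5, rng=rng)
    print("true :", aggregation_query(LOADS))
    print("noisy:", [round(v, 2) for v in noisy], "scale:", scale)
```

In this toy model a one-load change of at most 1 MW moves one load aggregate and one generation aggregate by the same amount, so the L1 sensitivity is 2 MW and the log density ratio of any released vector stays within the chosen privacy level.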
V-B IEEE 9-Bus Network
As we mentioned, the IEEE 9-bus network is monotone for any positive . We again set (MW), and divide the system into two regions. In our simulations, region 1 contains buses 1, 2, 4, 5, 6, while region 2 contains buses 3, 7, 8, 9. Figure 3 shows the probability density functions for the aggregation mechanism when the load on bus 9 increases by . The difference between and comes directly from the change on bus 9, but the difference between and is mainly due to the fact that generator 3 has to increase its generation so as to compensate for the decrease in generation on bus 2. Hence the distributions for and are further apart compared to the distributions for and . As a result, to preserve the same level of differential privacy, the required noise magnitude is greater than what would have been needed if the system were monotone. The distributions in Figure 3 are indeed flatter than those in Figure 2.
V-C Bad Topology
There are networks whose behavior can be arbitrarily far from monotone, i.e., they are monotone with large . For these networks, differential privacy is only possible with the addition of large noise, potentially rendering the output of the mechanism meaningless.
One such network is shown in Figure 4. This network consists of a cycle with buses, with generators on two adjacent buses (black nodes). The branch indicated by the double-line edge is the only bottleneck where the line flow constraint is binding. It can be shown that this network is monotone for some positive . This means that a change in load can be amplified times in some generator, implying a large sensitivity. Figure 4 shows that to achieve differential privacy, far more noise is required than in the monotone case. As increases, the density function becomes flatter. When buses, the density function in Figure 4 is close to a uniform distribution, i.e., the mechanism hardly discloses any useful information.
VI Conclusion
We have proposed a differential privacy model for OPF data in power systems. We have introduced the notion of monotonicity of the operator and used it to determine the amount of noise needed to preserve differential privacy for aggregation queries. We have also shown that, for the aggregation query, the level of differential privacy is independent of the number of aggregation regions and the number of buses in a region. We also derive the required noise level for arbitrary queries with bounded Jacobian values. Future work will look at how these results can be applied to the design of new mechanisms.
References
 [1] C. Dwork, F. McSherry, K. Nissim, and A. Smith, “Calibrating noise to sensitivity in private data analysis,” in Theory of Cryptography Conference. Springer, 2006, pp. 265–284.
 [2] C. Dwork, “Differential privacy: A survey of results,” in International Conference on Theory and Applications of Models of Computation. Springer, 2008, pp. 1–19.
 [3] C. Dwork, A. Roth et al., “The algorithmic foundations of differential privacy,” Foundations and Trends® in Theoretical Computer Science, vol. 9, no. 3–4, pp. 211–407, 2014.
 [4] S. Han, U. Topcu, and G. J. Pappas, “Differentially private distributed protocol for electric vehicle charging,” in Communication, Control, and Computing (Allerton), 2014 52nd Annual Allerton Conference on. IEEE, 2014, pp. 242–249.

 [5] F. Fioretto and P. Van Hentenryck, “Constrained-based differential privacy: Releasing optimal power flow benchmarks privately,” in International Conference on the Integration of Constraint Programming, Artificial Intelligence, and Operations Research. Springer, 2018, pp. 215–231.
 [6] A. Halder, X. Geng, P. Kumar, and L. Xie, “Architecture and algorithms for privacy preserving thermal inertial load management by a load serving entity,” IEEE Transactions on Power Systems, vol. 32, no. 4, pp. 3275–3286, 2017.
 [7] J. Hsu, A. Roth, T. Roughgarden, and J. Ullman, “Privately solving linear programs,” in International Colloquium on Automata, Languages, and Programming. Springer, 2014, pp. 612–624.
 [8] J. Hsu, Z. Huang, A. Roth, and Z. S. Wu, “Jointly private convex programming,” in Proceedings of the twenty-seventh annual ACM-SIAM symposium on Discrete algorithms. Society for Industrial and Applied Mathematics, 2016, pp. 580–599.
 [9] M. J. Wainwright, M. I. Jordan, and J. C. Duchi, “Privacy aware learning,” in Advances in Neural Information Processing Systems, 2012, pp. 1430–1438.
 [10] A. J. Wood and B. F. Wollenberg, Power generation, operation, and control. John Wiley & Sons, 2012.
 [11] X.S. Zhang and D.G. Liu, “A note on the continuity of solutions of parametric linear programs,” Mathematical Programming, vol. 47, no. 13, pp. 143–153, 1990.
 [12] “U.S. electric system operating data (EIA).” [Online]. Available: https://www.eia.gov/realtime_grid
 [13] “RTE France eCO2mix data and analysis.” [Online]. Available: https://www.rtefrance.com/fr/eco2mix/eco2mix
 [14] J. Anderson, F. Zhou, and S. H. Low, “Disaggregation for networked power systems,” in 2018 Power Systems Computation Conference (PSCC). IEEE, 2018, pp. 1–7.
 [15] F. McSherry and K. Talwar, “Mechanism design via differential privacy,” in Foundations of Computer Science, 2007. FOCS’07. 48th Annual IEEE Symposium on. IEEE, 2007, pp. 94–103.
 [16] D. Bertsimas and J. N. Tsitsiklis, Introduction to linear optimization. Athena Scientific Belmont, MA, 1997, vol. 6.
 [17] S. Boyd and L. Vandenberghe, Convex optimization. Cambridge university press, 2004.
 [18] A. V. Fiacco, “Sensitivity analysis for nonlinear programming using penalty methods,” Mathematical programming, vol. 10, no. 1, pp. 287–311, 1976.
 [19] ——, “Introduction to sensitivity and stability analysis in nonlinear programming,” 1983.