I Introduction
Distributed energy resources (DERs) have been increasingly deployed in the smart grid infrastructure to supplement the power supply with renewable energy such as solar and wind. Equipped with DERs, electricity consumers (e.g., small homes with installed solar panels, hospitals and campuses with deployed microgrids) can also be considered as suppliers that have reduced their dependence on the electricity grid [43]. Recently, multiagent systems in the smart grid [30] have attracted significant interests by considering the smart homes or microgrids as distributed agents [11, 51]. In reality, smart homes or microgrids may generate excessive energy that cannot be consumed immediately during routine operations. A current solution to deal with the excessive energy is to either consume/waste it or sell it to the main grid [44, 2], even if many of the smart homes/microgrids have been equipped with local storage devices. Essentially, from the economic perspective of such multiagent systems and social welfare, transmitting excessive energy back to the main grid or storing the energy is not an ideal outcome, compared to involving more consumers (which requests external energy) to receive the excessive electricity and consume them immediately [1].
To this end, the smart grid begins to incentivize agents with local energy to cooperate with each other, e.g., decentralized power supply restoration [4], energy sharing [22] and threeparty energy trading [44]. Inspired by them, we study the distributed energy trading problem which enables smart homes or microgrids to sell their excessive energy to other consumers besides selling back to the power market monopoly, the main grid [45, 57]. It will greatly benefit all the agents: (1) sellers can receive more rewards with a trading price generally higher than the price requested by the main grid, (2) buyers can reduce their costs (i.e., electricity bill) with the trading price generally lower than the retail price of the main grid [31], and (3) interactions/loads between the consumers and the main grid can be reduced to provide better reliability via autonomy [13].
However, as shown in Figure 1, distributed energy trading requests significant amounts of local data from all the agents (e.g., each seller/buyer’s local generation and demand load at different times) to compute the optimal price and allocate the energy trading amounts for all the sellers and buyers [44]. Disclosing such local data for computation would explicitly compromise their privacy. For instance, local generation reveals the generation capacities and time series generation patterns [25], and the local demand load reveals consumption patterns (e.g., which appliance is used at which time) [3, 23].
To address such privacy concerns, we propose a novel privacy preserving distributed energy trading framework, namely “Private Energy Market (PEM)” in which all the agents privately compute the optimal price (ensured by a Nash Equilibrium of a designed Stackelberg game) and allocate pairwise energy trading amounts without disclosing local data. To this end, our PEM framework ensures that all the computations are performed in novel cryptographic protocols under the theory of secure multiparty computation (MPC) [55, 19] which provides provable privacy guarantee. Thus, the major contributions of this paper are summarized as follows:

To our best knowledge, the propose PEM is the first privacy preserving distributed energy trading framework, which enables all the agents on the electric grid to privately compute their optimal trading price (ensured by a Nash Equilibrium) and pairwise trading amounts, as well as complete their pairwise transactions without disclosing their private data (via cryptographic protocols).

We implement a prototype for the proposed PEM framework with negligible latency in real time. We also conduct substantial experimental evaluations on real datasets to validate the system performance of the PEM.
The remainder of this paper is organized as follows. In Section II, we formulate the problem, discuss the threat model and the PEM framework. Section III illustrates the energy trading model under the Stackelberg game. Section IV presents the cryptographic protocols for the PEM. Theoretical analyses are given in Section V. Section VI gives some discussions. In Section VII, we elaborate our system implementation and demonstrate the experimental results. Section VIII reviews the literature, and Section IX draws the conclusions.
Ii Preliminaries
In this section, we present some preliminaries for the distributed energy trading and the PEM framework.
Iia Distributed Energy Trading
We first introduce the background [44, 11, 21, 31] on the power grid, where agents represent the consumers with local generation, e.g., smart homes, and microgrids.

Energy trading occurs over a fixed length of periods, each of which is referred as a “trading window”. All the agents complete their transactions (either selling or buying energy) within each trading window.

Agent can be a buyer in a trading window, and a seller in another trading window, but cannot be both in any trading window (otherwise, its payoff would not be optimal [21]).

Each seller can decide how much energy it consumes (including charging its battery if available [2]) and how much energy is available in the current trading window.

We assume that the main grid has unlimited power supply with a higher price than distributed trading [31], and energy is transmitted with a negligible loss.
We denote the main grid as and the set of agents as (with cardinality ). For each agent , we denote its generation (e.g., from solar panels) and demand load in trading window as and , respectively. Each agent optionally installs an energy storage device or battery [54] with capacity (the maximum energy storage after charging), which can be specified as 0 (if “no battery”). Denoting the energy amount charging into or discharging out of the battery as (in trading window ), if charging, we have ; if discharging, we have . Then, we can define the net energy of as :
(1) 
In every trading window , each agent
will be classified as either buyer or seller according to their net energy: (1) if
, is a seller, (2) if , is a buyer, and (3) if , will be off market. Then, we formally define as the set of sellers and as the set of buyers, where the market supply of sellers and the market demand of buyers can be derived as:(2) 
Optimal Trading Price. At the end of every trading window, a seller can store the unsold energy or sell the unsold energy to the main grid [2]. However, the price offered by the main grid (denoted as ) is much lower than the regular retail electricity price for purchasing from the grid (denoted as ) [31]. In the energy trading market, while trading energy in window , all the buyers and sellers will jointly learn an optimal price between and [31] where all the players achieve an equilibrium in a game (with individual rationality and incentive compatibility [29]).
PEM also sets an acceptable market price range to incentivize the sellers or buyers to join the trading [31] such that the price in the trading window satisfies:
(3) 
which is set by the PEM rather than specific agents.^{1}^{1}1If , all the rational buyers will purchase energy directly from the main grid; if , all the rational sellers will sell the energy directly to the main grid. Thus, PEM specifies a reasonable price range.
Section III will illustrate how to derive the optimal price and allocate energy trading amounts in every trading window.
IiB Threat Model
More importantly, our PEM framework addresses the privacy concerns of all the participants (e.g.,. agents with local energy) in the distributed energy trading. Specifically, to realize the energy trading, all the agents should share its local private information to a trusted third party so as to compute their optimal price as well as allocating pairwise energy trading amounts. However, such shared local information are sensitive in general [40, 23, 42], e.g., ’s local energy generation amount, energy consumption amount, battery storage amount, and its utility parameter (which are detailed in Section III).
To tackle the above concerns, we propose the PEM framework (without a trusted third party) based on efficient cryptographic protocols [55, 19] to privately function distributed energy trading without disclosing local information. We define the threat model in the distributed energy trading as below:

Besides the semihonest model, all the agents have the incentive to improve its payoff by cheating on its data.

All the messages in the framework are assumed to be transmitted in a secure channel.
IiC PEM Framework
To sum up, PEM will provide the following three properties against the adversaries:

Privacy: each seller/buyer’s privacy is protected in the PEM with provable privacy guarantee.

Individual Rationality: each seller/buyer has a higher payoff by participating in the PEM.

Incentive Compatibility: each seller/buyer cannot improve its payoff by untruthfully changing its strategy.
Iii Distributed Energy Trading
In this section, we first present the distributed trading scheme for PEM without privacy consideration.
Iiia Incentive Measurement
We first define two functions to measure the incentives for both sellers and buyers in the trading [44]. The utility function measures the payoff received by each seller while the cost function measures how much each buyer pays.
Seller’s Utility Function [39, 54] is defined to quantify the total utility of any seller in trading window :
(4) 
where is the load behavior preference parameter of the seller (either locally consuming more energy or selling them), is the market price. and are defined as the load and generation of . For the battery, is defined as the energy charging/discharging amount: charging if positive (as additional load) and discharging if negative (as additional supply); represents the loss coefficient for the battery, which measure the ratio of battery’s contribution amount as load (charging) utility.
Buyer’s Cost Function is defined to measure the cost of any buyer from the energy market and main grid:
(5) 
Similarly, , , and denote the buyer’s local load, generation, and battery charging/discharging amounts, respectively. Moreover, is defined as the energy amount that purchased from the trading market, thus we have .
IiiB Stackelberg Game for PEM
To further pursue the cooperation of agents, two coalitions are formed based on each agent’s net energy in every trading window (seller coalition and buyer coalition; the agents in two coalitions change over time). In our PEM framework, the seller coalition sells energy with the total supply while the buyer coalition purchases energy with their total demand, and their shares of energy to sell/buy are allocated proportional to their input shares (as detailed in Section IIID). Such trading mechanism could make the market more stable, and guarantee the payoffs for conservative sellers/buyers who may not want to fully compete with other sellers/buyers.
IiiB1 Stackelberg Game
Per the two (utility and cost) functions defined for sellers and buyers, the objectives of two coalitions consist of two aspects: (1) buyers incline to minimize their costs (as a coalition); (2) sellers incline to maximize their utility. To learn the optimal price, we propose a Stackelberg game for seller and buyer coalitions [8].
Specifically, the market supply (from agents) is generally less than market demand (since renewable energy cannot feed all the load in current practice [44]). Therefore, in the Stackelberg game, the buyer coalition is specified as the leader while the seller coalition is defined as the follower (otherwise, sellers will dominate the market). Then, the game can be formally defined as:
(6) 
with the following components in each trading window :

the buyer coalition is the leader to set up the price while the seller coalition chooses their strategies as a response to the proposed price.

is the set of load profiles of all the sellers (strategies) to maximize their payoffs.

is the utility function of seller .

is the price proposed by the buyer coalition.

is the total cost for the buyer coalition:
(7) where and are the market supply/demand (Eq. 2).
Then, the objective of the model is to minimize the total costs of the buyers/leader and to maximize the individual utility function of each seller/follower (such that the seller coalition’s total utility is also maximized) by choosing their own strategies. We define the equilibrium as below:
Definition 1.
The set of strategies is an equilibrium for the game , if and only if it satisfies:
where .
Therefore, we seek for the equilibrium of this game in which the follower (aka. sellers) derives the best response to the optimal price proposed by the leader (aka. buyers). At this equilibrium, neither the leader nor any follower can increase its payoff via any unilateral strategic move. In other words, when the game reaches the equilibrium, the buyers cannot reduce the cost by decreasing the price while the sellers cannot improve their utility by adjusting their strategies on load profiles .
IiiB2 Optimal Price
Lemma 1.
A unique equilibrium exists.
Proof.
First, we get the second derivative of the utility function (Eq. 4):
(8) 
which is always less than 0 since . The utility function is concave with . Then given any price , each seller can only find a unique to get its maximum utility. On the contrary, the buyers can also find the optimal price while the sellers specify their load profiles in the Nash Equilibrium. Thus, the equilibrium exists.
Second, to prove the uniqueness of the equilibrium, we need to prove that the optimal price is unique for the minimum cost of the buyer coalition (leader of the game). We first find the optimal load profile for each seller : . We then get the first derivative of ’s utility function (whose value should be for the maximum utility):
(9) 
Thus, we get the optimal load profile for seller :
(10) 
Replacing in the total cost function , then we get the second derivative of :
(11) 
Then, is strictly convex with , which generates a unique optimal price. Thus, equilibrium is unique. This completes the proof. ∎
To find the optimal price in game , we calculate the first derivative of :
(14) 
Replacing in the load profile (Eq. 10) with , we can get the optimal load profile (strategy) for each seller :
(15) 
Note that if there is no battery installed for the seller, we thus have .
IiiC Trading Scheme in an Extreme Market
If the market supply in the PEM is greater than or equal to the market demand (this rarely occurs in the current smart grid infrastructure, “extreme market”), to maintain a robust market, the market electricity price should be set to the lower bound which is still greater than the price offered by the main grid. Different from the general market case, the sellers also maximize their utilities by selling the remaining energy to the main grid and the buyer coalition will buy the electricity for all its demand from the market (to minimize their costs).
IiiD Energy Distribution and Payment
Considering as the general market and as the extreme market, our PEM framework allocates trading amount for each pair of buyer and seller based on the demand (general market) or supply ratio (extreme market) out of the total market supply and demand to ensure fairness of distribution. We now discuss the allocation strategies for the two markets.
General Market: the optimal price is proposed by the buyer coalition in the Stackelberg Game and all the market supply should be sold to the buyer coalition with price . In the buyer coalition, the amount of electricity should be allocated in terms of their demand ratio out of the total demand . Then, each buyer requests energy with the amount from seller , and pays to seller .
Extreme Market: the price is directly set as . Similarly, each seller sells the amount of to buyer and receives the payment of from buyer .
Iv Cryptographic Protocols
In this section, we present the cryptographic protocols for the distributed energy trading in PEM.
Iva Cryptographic Building Blocks
We adopt homomorphic encryption [36] and garbled circuit [55, 19] as the building blocks to construct our protocols.
Homomorphic Encryption (e.g., Paillier cryptosystem [36]) is a semanticallysecure public key encryption to generate the ciphertext of an arithmetic operation between two plaintexts by other operations between their ciphertexts. It has the additional property that given any two encrypted messages and , we have , where denotes the multiplication of ciphertexts (in some abelian groups).
Garbled Circuit was originally proposed by Yao [55]. It enables two parties to jointly compute a function without disclosing their private inputs where one party creates the garbled circuit and the other party evaluates the circuit to derive the result of the secure computation. Our protocols only incorporate garbled circuit (e.g., the Fairplay system [27]) for realizing some lightweight computations (e.g., secure comparison) instead of the entire trading scheme.
IvB Overview of the PEM
As shown in Figure 2 and Protocol 1, in the PEM framework, all the agents firstly form the seller and buyer coalitions (Initialization). Then, in Private Market Evaluation, the two coalitions securely evaluate the market. If a general market case is returned, Private Pricing is executed to securely compute the optimal price. For both general and extreme market cases, Private Distribution is executed to complete the trading.
IvC Initialization
Since secure computation in the PEM primarily utilizes the Homomorphic encryption (e.g., Paillier Cryptosystem [36]), each seller/buyer locally generates its own publicprivate key pair and shares all their public keys. At the beginning of each trading window, each agent claims its role as buyer or seller or off the market to form the seller and buyer coalitions. If the seller coalition is empty (), all the buyers should buy energy from the main grid with the retail electricity price.
IvD Private Market Evaluation
After the initialization, PEM determines the market to be a general or extreme market, where the seller coalition and buyer coalition jointly aggregate their private net energy, and then compare the overall supply and demand . Specifically, there are “two rounds” of aggregations. In the first round, an arbitrary seller will be chosen, then each buyer encrypts the demand plus a random nonce using ’s public key , i.e., for summing up . The ciphertext will be sent to one random seller in the seller coalition except . Similarly, each seller of the seller coalition generates a nonce and encrypts it for summing up the value in the ciphertext. Finally, decrypts the ciphertext to get the aggregated value with its private key (see Lines 210 in Protocol 2). The second round is similar to the first: one random selected buyer ’s public key is used to aggregate the of each seller and the nonce of each buyer to get (see Lines 1113).
As shown in Protocol 2, neither the chosen seller nor buyer knows the value of or and they only obtain the aggregated random value ( or ). Furthermore, Private Market Evaluation securely compares and by and to determine the market case using the garbled circuits (e.g., the Fairplay system [9], see Lines 1418). Note that the comparison result of and is equivalent to the comparison result of or since the same sum of random nonces are added to and to obtain and .
IvE Private Pricing
If general market is returned in Protocol 2, Private Pricing will be executed to find the optimal price of the Stackelberg Equilibrium. Specifically, a seller will be chosen at random to securely aggregate two local values of each seller : (1) , and (2) (locally computed). Then derives the optimal price per the Eq. 14 in Section IIIB once getting , and broadcasts the optimal price (see Lines 89 in Protocol 3).
IvF Private Distribution
As discussed in Section IIID, the trading amount of electricity between each pair of seller and buyer should be allocated in proportion to its demand/supply ratio out of the market demand/supply in both general and extreme market case. W.l.o.g., we discuss the protocol for the general market (which can be simply extended for the extreme market). For buyer , the allocated amount of electricity from seller should be . Since any buyer may intend to cheat by using a larger demand to increase its share in the allocation (reduce costs with a lower price to buy energy), the market demand cannot be directly disclosed to the buyers. The seller coalition cannot get the market demand considering the privacy and fairness. Since the homomorphic encryption schemes (e.g., Paillier Cryptosystem [36]) only obtain additive and/or multiplicative property (not fully homomorphic [17] to securely compute “division”), we cannot directly adopt homomorphic encryption for privately computing the pairwise allocated amounts using their input ratios.
To address such issue, we transform the ciphertext computation for the “division/ratio” in . Specifically, each buyer locally computes with . Note that should be multiplied by an integer to be converted to an integer. Then and will be sent to the seller , and decrypts it to get the allocation ratio via . The only information that the seller knows is the allocation ratio for buyer coalition (while and are unknown). Thus, the seller can broadcast the allocation ratio in the seller coalition. Finally, each seller calculates the allocated amount of energy and routes the energy to each buyer ; pays to (see Lines 1012 in Protocol 4). Similarly, in an extreme market, the protocol can be implemented by swapping their roles. Figure 3 illustrates the major procedures of Private Distribution (note that the random seller is chosen as ).
V Analysis
In this section, we give theoretical analysis for privacy, incentives, and the complexity in our PEM framework.
Va Security/Privacy Analysis
We now prove the security/privacy for the protocols in our PEM framework under the theory of secure multiparty computation [55, 19], which requires each party to simulate all its received messages with only its input and output in polynomial time (“Computational Indistinguishability”) [18]. The PEM framework executes Private Market Evaluation, Private Distribution and possibly Private Pricing in each trading window. Then, we first examine the security of the three protocols and then discuss the composition [18].
Lemma 2.
The Private Market Evaluation (Protocol 2) does not reveal any private information.
Proof.
Three different types of parties are involved in Protocol 2: a randomly selected seller , a randomly selected buyer , and the remaining sellers/buyers.
We first examine the received messages of the remaining sellers/buyers. Each of them only receives a ciphertext of a random number (which cannot be decrypted without the private key), which can be polynomially simulated by repeating the encryption with the public key. Thus, the protocol does not reveal private information to them.
and can decrypt the ciphertexts to obtain two different random numbers and
(which are decrypted with the private keys), respectively. Each random number can be polynomially simulated by generating a random number from the uniform probability distribution over range
. Notice that the random numbers are scaled to fixed precision over a closed field (after decryption), enabling such a selection. Thus, . Finally, and also securely execute Fairplay to compare two random numbers for market evaluation, which does not reveal any private information (as proven in [27]). ∎Lemma 3.
The Private Pricing (Protocol 3) only reveals nonprivate information and to a randomly selected buyer .
Proof.
This Protocol involves two different types of parties: a randomly selected buyer and all the sellers.
We first analyze ’s received messages. can decrypt the received ciphertexts with its private key to obtain and . Although such two aggregated values are revealed to , cannot learn any seller’s private data, e.g., , from the aggregated results.
On the other hand, all the sellers receive only two ciphertexts and cannot decrypt them without the private key. Since each seller can polynomially simulate its received two ciphertexts using the public key (by repeating the encryption), we can claim that the protocol does not reveal any information to the sellers. ∎
Lemma 4.
The Private Distribution (Protocol 4) only reveals the nonprivate market demand ratios to the seller coalition (in the general market), or the nonprivate market supply ratios to the buyer coalition (in the extreme market).
Proof.
Similar to the proof in Lemma 3, we can prove that the seller coalition can only receive the demand ratios (from the buyer coalition) in general market. Moreover, buyer coalition can only receive the supply ratios (from the seller coalition) in extreme market. However, they cannot learn any supply or demand from the ratios in these two cases. ∎
VB Incentive Analysis
Theorem 2.
The PEM framework ensures individual rationality and incentive compatibility.
Proof.
We first evaluate the individual rationality. In the general market, if each buyer directly purchases energy from the main grid at the price , which is greater than , the cost will increase; if each seller directly sells the energy to the grid at the price , which is less than the : the payoff will decrease. In the extreme market, the buyer can buy the energy from the PEM with a lower price () and the seller can still sell the energy with a higher price (), both of which receive more payoffs. This proves the individual rationality.
Second, we discuss the incentive compatibility for two different markets: for the general market, we assume that there exists one seller which untruthfully utilizes its net energy by adjusting its load profile to . Per Lemma 1, there exists only one load profile to reach the equilibrium and return the optimal price . Then, it is impossible to find another since is derived only if all the sellers hold the profile. On the contrary, as all the sellers hold the optimal load profile, the buyers cannot reduce the total costs by decreasing market price.
In addition, for the extreme market, the buyers purchase all the energy from the PEM with a lower price , then rational buyers cannot gain more payoff with untruthful participation (since the payment cannot be lower). For any rational seller , if untruthfully utilizes a higher supply to increase its allocated amount of sold energy, the market price would be reduced (no additional payoff, either). This proves the incentive compatibility. ∎
VC Complexity Analysis
Lemma 5.
The complexity of protocols in the PEM is .
Proof.
It is straightforward to analyze the complexity of algorithms in our PEM framework. First, Private Market Evaluation algorithm has complexity – securely aggregating random values is while secure comparison is . Similarly, Private Pricing algorithm has complexity , and Private Distribution algorithm has complexity . Therefore, the complexity of the PEM framework is . ∎
Vi Discussion
Generalization of PEM. PEM can be extended to VehicletoGrid (V2G) applications [5] by considering electrical vehicles as agents with local energy. Last but not least, the proposed PEM is a general framework for privacy preserving energy trading (focusing on privacy and incentive compatibility), which can be readily extended for ensuring privacy and incentive compatibility for other applications on the power grid (e.g., energy trading w.r.t. future prices, energy trading by possibly storing energy for the future, and demand response [49]). Finally, PEM can also be adapted for trading other products, such as the allocation of spectrum in the cognitive radio networks [53], and the Wifi & LTE sharing [56].
Seller/Buyer Coalitions. We forms coalitions for sellers and buyers in our PEM. First, the formation of coalition can enable the agents to cooperate to achieve more benefits/social welfare compared with trading directly with the monopoly, the main grid. Recall that coalitions make the market more stable for such emerging applications, e.g., ensuring the fairness among the seller/buyer coalition by allocating the amounts based on sellers/buyers’ shares in the market supply/demand. Such setting would be more applicable for conservative agents. Nevertheless, it is also worth exploring the privacy preserving schemes for noncooperative energy trading or fully competitive energy market [48], which left for future work.
Malicious Model. PEM is based on the semihonest model, and each agent (rational) is also assumed to have incentives to cheat for payoffs. Our model can also be extended to defend against malicious agents, which may deviate the protocol (regardless of their payoffs) by faking the trading data, colluding with other agents, and/or performing advanced attacks. For instance, we can design verifiable and collusionresistant schemes (e.g., detect the violation of data integrity, and prevent collusion by randomly picking agents [50]).
Scalability. With the advancement of distributed computation [50, 26], secure computation [55, 19] can be applied to perform complex computation on the smart grid. Each distributed agent (e.g., a smart home) can also locally compute the data, such that the computational load of whole system can be greatly reduced. As shown in the experimental settings in Section VIIA, we take advantage of the container technology, e.g., Docker, to emulate local computing agents for different smart homes in the PEM. High efficiency and scalability of PEM have been demonstrated.
Blockchain Deployment. PEM can also be integrated with the emerging blockchain technology [32]. Specifically, the final distribution and transaction between the sellers and buyers can be realized by the smart contract of the blockchain to ensure the integrity and truthfulness (extra anonymity and privacy should be ensured on the blockchain) [24]. Moreover, the online blockchain can also facilitate the communication of the MPC protocols in the PEM.
Secure Computation. The recent protocols/systems on secure computation (e.g., MPCasaservice [6], against both semihonest and malicious adversaries [14], MPC for small number parties [10]) cannot be adapted to solve our problem for the following two major reasons: (1) whether the system can function real time transactions has not been validated in most of such systems (we have validated the feasibility and scalability of deploying PEM in real time in Section VII), and (2) incentive problems are not studied in most of such systems. Thus, the proposed cryptographic protocols in PEM can also complement the literature of secure computation for privacy preserving trading (which is limited to our best knowledge).
Vii Evaluation
In this section, we illustrate our system implementation for the PEM framework and demonstrate the experimental results.
Viia Experimental Setup
Our PEM framework is deployed on the NSF CloudLab platform (https://docs.cloudlab.com), of which the server has eight 64bit ARMv8 cores with 2.4 GHZ, 64GB memory and 120GB of flash storage with Ubuntu:16.04 OS. Docker (https://docs.docker.com/) is utilized to start a container for each buyer/seller. We created the image for container based on the raw image of Ubuntu 16.04 by integrating all the system environments (e.g., JRE and JDK), and source codes.
We conducted the experiments on 300 smart homes’ real power generation data (solar panels) and load data over one day (available at UMASS Trace Repository [7]). We tune the following parameters in evaluations:

the number of smart homes ;

the number of trading windows : from 7:00AM to 7:00PM (a trading window per minute);

the key size: 512/1024/2048bit.
Benchmark. There is no existing schemes which can be directly applicable to our problem setting. Then, we use the traditional energy trading (without PEM) as the benchmark: all the agents directly purchase energy from the main grid. Specifically, if a seller (with excessive energy) will sell them back to the main grid with the offered price , and the buyer (short of energy) will buy energy from the main grid with the retail electricity price . We set the retail price as =120 cents/kWh and offered price from the main grid = 80 cents/kWh. We also set the price range of PEM as cents/kWh. Note the interaction between agents and the main grid will increase greatly for trading without PEM.
Figure 4 illustrates the sizes of seller and buyer coalitions (the number of smart homes) in all 720 trading windows. The roles of smart homes change over time.
ViiB Computational Performance Evaluation
We evaluate the computational cost of PEM among 100 to 300 agents, using three different key sizes (512/1024/2048bit). Fig. 5(a) shows the average runtime for a single trading window (including securely evaluating the market, computing the optimal price as well as the energy trading distribution amounts) as the number of trading windows varies from 1 to 720. The average runtime for each trading window is around 1 sec. This indicates that our PEM framework can efficiently function realtime trading in practice (with negligible latency).
Fig. 5(b) demonstrates the total runtime on different number of trading windows among 200 agents (with three different key sizes bit). Given the same number of trading windows, we observe that the key size for encryption and decryption executed in our protocols does not affect the runtime (since the encryption and decryption are independently executed in parallel during idle time). Finally, Fig. 5(c) validates that the total runtime increases as the number of agents increases.
ViiC Energy Trading Performance Evaluation
We have also evaluated the trading performance of our PEM framework from the following perspectives:

the optimal price in all the trading windows;

utility received by some representative sellers;

total cost for the buyer coalition;

interactions with the main grid.
ViiC1 Optimal Trading Price
Fig. 6(a) shows the optimal prices in all the 720 trading windows. We can observe that the price changes over time: in the first few trading windows, the price equals (purchasing all the energy from the grid). This shows that at the beginning of the day, the generation is close to 0, all the agents have to buy energy from the main grid. Similarly, at the end of day (around 7:00pm), the price is still for the same reason. Furthermore, in many trading windows in the middle of the day, the trading price would be lower bounded: either the optimal price in the general market is out of range (this also applies to the upper bound), or the extreme market occurs.
ViiC2 Utility and Total Cost
We fix the preference parameter for all the sellers in different trading windows. Fig. 6(b) presents the utility of two agents (which are sellers in all 720 trading windows). We have the following observations:

The utility of the agents with our PEM framework is higher than their utility without PEM (buyers only purchase energy from the main grid).

The utility improvement (with the PEM) in case of is higher than . since lower preference parameter would make the sellers to sell more local energy (which results in more payoff).
In addition, Fig. 6(c) shows the total cost of buyer coalition in the PEM (for 100 and 200 agents), which can be greatly reduced in all trading windows (e.g., 25.3% in the current setting on average).
ViiC3 Interaction with the Main Grid
Our PEM framework can also benefit the main grid by reducing the interactions between the agents and the grid, which is measured by the amount of electricity all the agents request from or feed into the grid. As shown in Fig. 6(d), since more energy can be traded in the PEM framework among agents, the interactions with the PEM are much lower than the original energy consumption (without the PEM).
ViiD Communication Overheads
We have also evaluated the bandwidth consumption of all the smart homes while executing the secure computation and communication among the 200 smart homes with different key sizes (512bit, 1024bit and 2048bit). Table I shows the average bandwidth over different numbers of trading windows (of all the smart homes). With such minor bandwidth consumption, our PEM framework can be deployed in most of the networking environments.
300  360  420  480  540  600  660  720  

512bit  0.45  0.54  0.48  0.52  0.47  0.48  0.55  0.46 
1024bit  0.84  0.88  1.02  0.93  0.98  1.06  0.97  0.96 
2048bit  1.87  2.12  2.05  2.11  2.20  2.16  2.05  2.01 
Viii Related Work
Smart Grid Privacy. Most smart grid privacy research focuses on protecting data collected from smart meters integrated in the power grid [28]. Different privacy preserving techniques have been proposed to tackle such privacy concerns [3, 38]. For instance, He et al. [20] presented a distortion based privacy preserving metering scheme by introducing tolerable noise to obfuscate the consumption data. Rottondi et al. [38] leveraged secure communication protocols to implement a privacy preserving infrastructure which allows utilities and data consumers to collect measurement data by securely aggregating smart metering data. [54] studied how to utilize the renewable energy sources (i.e., batteries) to hide the load/metering information of individual households.[12] proposed a privacypreserving way to aggregate smart metering data for the billing of utility provider. Recently, [51] researches on privately balancing the power load between the main grid and agents (microgrids). However, none of such techniques can be applied to multiagent energy trading.
Secure Computation. The theory of Secure multiparty computation (MPC) [55, 19] has significantly advanced the development of collaborative computation among multiple parties, which guarantees that functions can be securely computed with limited disclosure. Recently, secure computation has been intensively applied for privacy preserving system design in different contexts such as locationbased services [37], and medical data analysis [47]. Moreover, Furukawa et al. [14] have recently proposed a threeparty secure computation against both semihonest and malicious adversaries, which achieves low communication complexity and simple computation. Barak et al. [6] have proposed the MPCasaservice concept and implemented an endtoend system for large scale P2P secure computation with low bandwidth.
Energy Trading. Energy trading has been widely discussed with the development of smart grid. The integration of renewable energy sources has greatly motivated studies of energy market, e.g., incentive mechanisms for trading [46] and auction [34], and multiagent energy management [35], which could improve the stability and utility of the grid. Furthermore, distributed energy trading has been identified as a promising scheme for the energy market in [45, 57]. There are also many ongoing projects, e.g., LO3 Energy [1] which focuses on the commercial energy trading to encourage residential units to trade with the neighborhoods. [15] focuses on the energy trading by blockchain. However, the scalability of the proposed scheme is not very clear. To the best of our knowledge, we design and implement the first privacy preserving distributed energy trading framework.
Ix Conclusion
We have proposed a novel privacy preserving distributed energy trading framework (PEM) which ensures privacy, individual rationality, and incentive compatibility. The optimal price for both sellers and buyers can reach a unique equilibrium in the modeled Stackelberg game. Moreover, we have designed novel cryptographic protocols for the entire PEM framework. Theoretical analyses are given to prove all the properties of the PEM framework. Finally, we have implemented a prototype for PEM, and conducted experiments to evaluate the system performance using real smart grid datasets. The experimental results (high computational efficiency, low bandwidth consumption and negligible latency) demonstrate that PEM can be readily integrated into the smart grid infrastructure.
Acknowledgments
This work is partially supported by the National Science Foundation (NSF) under Grant No. CNS1745894. The authors would like to thank the anonymous reviewers for their constructive comments.
References
 [1] “https://lo3energy.com/,” 2019.
 [2] “http://www.solarray.com/completepackages/,” 2019.
 [3] G. Ács and C. Castelluccia, “I have a dream! (differentially private smart metering),” in Information Hiding, 2011, pp. 118–132.
 [4] P. Agrawal, A. Kumar, and P. Varakantham, “Nearoptimal decentralized power supply restoration in smart grids,” in AAMAS, 2015.
 [5] A. T. AlAwami and E. Sortomme, “Coordinating vehicletogrid services with energy trading,” IEEE TSG, vol. 3, no. 1, pp. 453–462, 2011.
 [6] A. Barak, M. Hirt, L. Koskas, and Y. Lindell, “An endtoend system for large scale p2p mpcasaservice and lowbandwidth mpc for weak participants,” in ACM CCS, 2018, pp. 695–712.
 [7] S. Barker, A. Mishra, D. Irwin, P. Shenoy, and J. Albrecht, “SmartCap: Flattening peak electricity demand in smart homes,” PerCom, 2012.

[8]
T. Basar and G. J. Olsder,
Dynamic Noncooperative Game Theory
, 1999.  [9] A. BenDavid, N. Nisan, and B. Pinkas, “Fairplaymp: a system for secure multiparty computation,” in ACM CCS, 2008, pp. 257–266.
 [10] M. Byali, A. Joseph, A. Patra, and D. Ravi, “Fast secure computation for small population over the internet,” in CCS, 2018, pp. 677–694.
 [11] J. Cerquides, G. Picard, and J. A. RodríguezAguilar, “Designing a marketplace for the trading and distribution of energy in the smart grid,” in AAMAS, 2015, pp. 1285–1293.
 [12] T. Dimitriou and G. Karame, “Privacyfriendly tasking and trading of energy in smart grids,” in Proc. ASAC, 2013, pp. 652–659.
 [13] F. Fioretto, W. Yeoh, E. Pontelli, Y. Ma, and S. J. Ranade, “A distributed constraint optimization (DCOP) approach to the economic dispatch with demand response,” in AAMAS, 2017, pp. 999–1007.
 [14] J. Furukawa, Y. Lindell, A. Nof, and O. Weinstein, “Highthroughput secure threeparty computation for malicious adversaries and an honest majority,” in Eurocrypt, 2017, pp. 225–255.
 [15] K. Gai, Y. Wu, L. Zhu, M. Qiu, and M. Shen, “Privacypreserving energy trading using consortium blockchain in smart grid,” IEEE Trans. on Industrial Informatics, 2019.
 [16] J. Garay, J. Katz, U. Maurer, B. Tackmann, and V. Zikas, “Rational protocol design: Cryptography against incentivedriven adversaries,” in IEEE FOCS, 2013, pp. 648–657.
 [17] C. Gentry, “Fully homomorphic encryption using ideal lattices,” in ACM STOC, 2009, pp. 169–178.
 [18] O. Goldreich, The Foundations of Cryptography. Cambridge University Press, 2004, vol. 2, ch. Encryption Schemes.
 [19] O. Goldreich, S. Micali, and A. Wigderson, “How to play any mental game  a completeness theorem for protocols with honest majority,” in ACM STOC, 1987, pp. 218–229.
 [20] X. He, X. Zhang, and C.C. J. Kuo, “A distortionbased approach to privacypreserving metering in smart grids,” IEEE Practical Innovations: Open Solutions, vol. 1, no. 3, pp. 67–78, 2013.
 [21] Y. Hong, S. Goel, and W. M. Liu, “An efficient and privacypreserving scheme for p2p energy exchange among smart microgrids,” International Journal of Energy Research, vol. 40, no. 3, pp. 313–331, 2016.
 [22] Y. Hong, H. Wang, S. Xie, and B. Liu, “Privacy preserving and collusion resistant energy sharing,” ICASSP, 2018, pp. 6941–6945.
 [23] Y. Hong, W. M. Liu, and L. Wang, “Privacy preserving smart meter streaming against information leakage of appliance status,” IEEE TIFS, vol. 12, no. 9, pp. 2227–2241, 2017.
 [24] A. Kosba, A. Miller, E. Shi, Z. Wen, and C. Papamanthou, “Hawk: The blockchain model of cryptography and privacypreserving smart contracts,” in IEEE SP, 2016, pp. 839–858.
 [25] K. Kursawe, G. Danezis, and M. Kohlweiss, “Privacyfriendly aggregation for the smartgrid,” in PETS’11, 2011, pp. 175–191.
 [26] S. Maharjan, Q. Zhu, Y. Zhang, S. Gjessing, and T. Basar, “Dependable demand response management in the smart grid: A stackelberg game approach,” IEEE Trans. Smart Grid, vol. 4, no. 1, pp. 120–132, 2013.
 [27] D. Malkhi, N. Nisan, B. Pinkas, and Y. Sella, “Fairplay  secure twoparty computation system,” in USENIX Security, 2004.
 [28] F. G. Mármol, C. Sorge, O. Ugus, and G. M. Pérez, “Do not snoop my habits: preserving privacy in the smart grid,” IEEE Communications Magazine, vol. 50, no. 5, pp. 166–172, 2012.
 [29] A. MasColell, M. Whinston, and J. Green, Microeconomic Theory, 1995.
 [30] S. D. J. McArthur, E. M. Davidson, V. M. Catterson, A. L. Dimeas, N. D. Hatziargyriou, F. Ponci, and T. Funabashi, “Multiagent systems for power engineering applications—part i: Concepts, approaches, and technical challenges,” IEEE TPS, vol. 22, no. 4, pp. 1743–1752, 2007.
 [31] E. McKenna and M. Thomson, “Photovoltaic metering configurations, feedin tariffs and the variable effective electricity prices that result,” IET Renewable Power Generation, vol. 7, no. 3, pp. 235–245, 2013.
 [32] S. Nakamoto et al., “Bitcoin: A peertopeer electronic cash system,” 2008.
 [33] N. Nisan, T. Roughgarden, E. Tardos, and V. V. Vazirani, Algorithmic Game Theory. New York, NY, USA: Cambridge University Press, 2007.
 [34] B. Liu, S. Xie, and Y. Hong, “PrivacyAware Double Auction for Divisible Resources without a Mediator,” AAMAS, 2020, to appear.
 [35] H. Nunna and S. Doolla, “Multiagentbased distributedenergyresource management for intelligent microgrids,” IEEE Trans. Industrial Electronics, vol. 60, no. 4, pp. 1678–1687, April 2013.
 [36] P. Paillier, “Public key cryptosystems based on composite degree residuosity classes,” in Advances in Cryptology  Eurocrypt ’99 Proceedings, LNCS 1592, 1999, pp. 223–238.
 [37] R. A. Popa, A. J. Blumberg, H. Balakrishnan, and F. H. Li, “Privacy and accountability for locationbased aggregate statistics,” in ACM CCS, 2011, pp. 653–666.
 [38] C. Rottondi, G. Verticale, and A. Capone, “Privacypreserving smart metering with multiple data consumers,” Computer Networks, vol. 57, no. 7, pp. 1699–1713, 2013.
 [39] P. Samadi, A. MohsenianRad, R. Schober, V. W. S. Wong, and J. Jatskevich, “Optimal realtime pricing algorithm based on utility maximization for smart grid,” in IEEE SmartGridComm, Oct 2010, pp. 415–420.
 [40] L. Sankar, S. R. Rajagopalan, S. Mohajer, and H. V. Poor, “Smart meter privacy: A theoretical framework,” IEEE TSG, vol. 4, no. 2, 2013.
 [41] Y. Singer, “Budget feasible mechanisms,” in IEEE FOCS, 2010.
 [42] O. Tan, D. Gündüz, and H. V. Poor, “Increasing smart meter privacy through energy harvesting and storage devices,” IEEE Journal on Selected Areas in Communications, vol. 31, no. 7, pp. 1331–1341, 2013.
 [43] C. Tham and T. Luo, “Sensingdriven energy purchasing in smart grid cyberphysical system,” IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 43, no. 4, pp. 773–784, July 2013.
 [44] W. Tushar, B. Chai, C. Yuen, D. B. Smith, K. L. Wood, Z. Yang, and H. V. Poor, “Threeparty energy management with distributed energy resources in smart grid,” IEEE Transactions on Industrial Electronics, vol. 62, no. 4, pp. 2487–2498, April 2015.
 [45] W. Tushar, C. Yuen, H. MohsenianRad, T. Saha, H. V. Poor, and K. L. Wood, “Transforming energy networks via peertopeer energy trading: The potential of gametheoretic approaches,” IEEE Signal Processing Magazine, vol. 35, no. 4, pp. 90–111, July 2018.
 [46] H. Wang and J. Huang, “Incentivizing energy trading for interconnected microgrids,” IEEE TSG, vol. 9, no. 4, pp. 2647–2657, 2018.
 [47] X. S. Wang, Y. Huang, Y. Zhao, H. Tang, X. Wang, and D. Bu, “Efficient genomewide, privacypreserving similar patient query based on private edit distance,” in ACM CCS, 2015, pp. 492–503.
 [48] Y. Wang, W. Saad, Z. Han, H. V. Poor, and T. Başar, “A gametheoretic approach to energy trading in the smart grid,” IEEE Transactions on Smart Grid, vol. 5, no. 3, pp. 1439–1450, 2014.
 [49] Z. Wang, C. Gu, F. Li, P. Bale, and H. Sun, “Active demand response using shared energy storage for household energy management,” IEEE Transactions on Smart Grid, vol. 4, no. 4, pp. 1888–1897, 2013.
 [50] S. Xie, Y. Hong, and P. Wan, “Pairing: Privately balancing multiparty realtime supply and demand on the power grid,” IEEE Transactions on Information Forensics and Security, pp. 1–1, 2019.
 [51] S. Xie, Y. Hong, and P. Wan, “A privacy preserving multiagent system for load balancing in the smart grid,” in AAMAS, 2019, pp. 2273–2275.
 [52] D. Yang, G. Xue, X. Fang, and J. Tang, “Crowdsourcing to smartphones: Incentive mechanism design for mobile phone sensing,” in Mobicom, 2012, pp. 173–184.
 [53] L. Yang, H. Kim, J. Zhang, M. Chiang, and C. W. Tan, “Pricingbased decentralized spectrum access control in cognitive radio networks,” IEEE/ACM Trans. on Networking, vol. 21, no. 2, pp. 522–535, 2013.
 [54] W. Yang, N. Li, Y. Qi, W. Qardaji, S. McLaughlin, and P. McDaniel, “Minimizing private data disclosures in the smart grid,” in ACM CCS, 2012, pp. 415–427.
 [55] A. C. Yao, “How to generate and exchange secrets,” in IEEE FOCS, 1986, pp. 162–167.
 [56] X. Yuan, X. Qin, F. Tian, Y. T. Hou, W. Lou, S. F. Midkiff, and J. H. Reed, “Coexistence between wifi and lte on unlicensed spectrum: A humancentric approach,” IEEE JSAC, vol. 35, no. 4, pp. 964–977, 2017.
 [57] C. Zhang, J. Wu, M. Cheng, Y. Zhou, and C. Long, “A bidding system for peertopeer energy trading in a gridconnected microgrid,” Energy Procedia, vol. 103, pp. 147 – 152, 2016.
Comments
There are no comments yet.