**Abbreviations and Notations**

The following abbreviations are used in this manuscript:


#### **Appendix A. Billing Verification with Zero-Knowledge Proof**

After the bill is generated by the private platform, the ES should verify its correctness. A zero-knowledge proof (ZKP) is a proof approach that can verify the correctness of provided information without revealing the details of that information [72,84]. A ZKP protocol involves two parties, a prover (P) and a verifier (V): P interacts with V to convince V that a statement about a secret is true, while V learns nothing about the secret P wants to prove. The Pedersen commitment is employed in this verification process [85]. A commitment to a secret *x* is generated as *c* = *Commit*(*x*, *r*), where *r* is a random value, and *x* is difficult to infer from *c*. The commitment can be opened with *c*, *x*, and *r*, written as *Open*(*c*, *x*, *r*); *Open*(*c*, *x*, *r*) returns True if *c* is the commitment of secret *x* with randomness *r*, and False otherwise. Two homomorphic properties of the commitments are essential for verifying billing correctness:

$$\mathrm{Commit}(x, r) \times \mathrm{Commit}(m, s) = \mathrm{Commit}(x + m, r + s) \tag{A1}$$

$$\mathrm{Commit}(x, r)^{n} = \mathrm{Commit}(x \times n, r \times n) \tag{A2}$$
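
As a concrete illustration, the following Python sketch checks properties (A1) and (A2) on a toy Pedersen commitment. The group parameters (*p* = 23, *q* = 11, *g* = 4, *h* = 9) are illustrative choices, far too small to be secure; a real deployment would use a large prime-order group in which the discrete logarithm of *h* with respect to *g* is unknown.

```python
# Toy Pedersen commitment: c = g^x * h^r mod p over a subgroup of prime
# order q. Parameters are for illustration only and offer NO security.
p, q = 23, 11        # group modulus and subgroup order
g, h = 4, 9          # generators of the order-q subgroup; log_g(h) unknown

def commit(x, r):
    """Commit(x, r) = g^x * h^r mod p, exponents reduced mod q."""
    return (pow(g, x % q, p) * pow(h, r % q, p)) % p

def open_commit(c, x, r):
    """Open(c, x, r): True iff c is the commitment of x with randomness r."""
    return c == commit(x, r)

x, r, m, s, n = 3, 5, 2, 7, 4

# (A1): Commit(x, r) * Commit(m, s) = Commit(x + m, r + s)
assert (commit(x, r) * commit(m, s)) % p == commit(x + m, r + s)

# (A2): Commit(x, r)^n = Commit(x * n, r * n)
assert pow(commit(x, r), n, p) == commit(x * n, r * n)

print("Homomorphic properties (A1) and (A2) hold on the toy group.")
```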

In the proposed TOU billing channel, the private platform acts as P and the ES acts as V. The Public Key Infrastructure (PKI) assigns to the private platform a series of commitments *COM* over the power consumption sequence $E = E_{1,1}, E_{1,2}, \dots, E_{d,t}, \dots, E_{30,48}$ and the random value sequence $R = r_{1,1}, r_{1,2}, \dots, r_{d,t}, \dots, r_{30,48}$:

$$\mathrm{Commit}_{d,t} = \mathrm{Commit}\left(E_{d,t}, r_{d,t}\right) \tag{A3}$$

$$\mathit{COM} = \left(\mathrm{Commit}_{1,1}, \mathrm{Commit}_{1,2}, \dots, \mathrm{Commit}_{d,t}, \dots, \mathrm{Commit}_{30,48}\right) \tag{A4}$$

The private platform receives the commitments and the energy consumption sequence *E* from the smart meter, and the TOU tariff sequence $\mathit{TARIFF} = \pi_{1,1}, \pi_{1,2}, \dots, \pi_{d,t}, \dots, \pi_{30,48}$ from the ES, so it can calculate the monthly bill:

$$B_{\mathrm{month}} = \sum_{d=1}^{30} \sum_{t=1}^{48} \pi_{d,t} E_{d,t} \tag{A5}$$

Referring to (A1) and (A2), the ES raises each commitment in *COM* to the power of the corresponding tariff in *TARIFF* and multiplies the results to obtain the commitment of the monthly bill:

$$\mathrm{Commit}_{\mathrm{Bill}} = \prod_{d=1}^{30} \prod_{t=1}^{48} \mathrm{Commit}\left(E_{d,t}, r_{d,t}\right)^{\pi_{d,t}} \tag{A6}$$

By (A1) and (A2), $\mathrm{Commit}_{\mathrm{Bill}}$ is a commitment to $B_{\mathrm{month}}$ with randomness $r_{\mathrm{Bill}} = \sum_{d=1}^{30} \sum_{t=1}^{48} \pi_{d,t} r_{d,t}$. By opening this commitment, the ES can verify the correctness of the bill:

$$\mathrm{Open}_{\mathrm{Bill}} = \mathrm{Open}\left(\mathrm{Commit}_{\mathrm{Bill}}, B_{\mathrm{month}}, r_{\mathrm{Bill}}\right) \tag{A7}$$

If $\mathrm{Commit}_{\mathrm{Bill}}$ is indeed the commitment of $B_{\mathrm{month}}$, i.e., $\mathrm{Open}_{\mathrm{Bill}}$ returns True, the ES accepts the generated bill; otherwise, the ES rejects it.
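
The whole verification flow can be summarized in a short Python sketch that reuses the toy commitment above. The sequence length, readings, and integer-scaled tariffs are illustrative stand-ins (the real sequences have 30 × 48 entries):

```python
# Sketch of the Appendix A billing verification; toy parameters as before.
p, q, g, h = 23, 11, 4, 9

def commit(x, r):
    return (pow(g, x % q, p) * pow(h, r % q, p)) % p

# PKI: commitments COM over consumption E with randomness R, as in (A3)-(A4).
E = [2, 0, 3, 1]        # stand-in for E_{1,1} ... E_{30,48}
R = [5, 9, 1, 6]        # stand-in for r_{1,1} ... r_{30,48}
COM = [commit(e, r) for e, r in zip(E, R)]

TARIFF = [3, 1, 2, 4]   # stand-in TOU tariffs, scaled to integers

# Private platform (P): monthly bill (A5) and the opening randomness.
B_month = sum(t * e for t, e in zip(TARIFF, E))
r_Bill = sum(t * r for t, r in zip(TARIFF, R))

# ES (V): derives Commit_Bill from COM and TARIFF alone, as in (A6),
# without ever seeing the individual readings E.
Commit_Bill = 1
for c, t in zip(COM, TARIFF):
    Commit_Bill = (Commit_Bill * pow(c, t, p)) % p

# Opening check (A7): accept iff Commit_Bill opens to (B_month, r_Bill).
assert Commit_Bill == commit(B_month, r_Bill)
print(f"Bill of {B_month} verified; individual readings stay hidden.")
```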

#### **Appendix B. Privacy-Preserving Deep Learning-Based NILM Algorithm**

Deep learning is an important branch of machine learning. It is based on artificial neural networks (ANNs) with multiple layers (normally one input layer, one output layer, and several hidden layers in between), where each layer contains a number of neurons. A neuron is a mathematical function that computes a weighted sum of its inputs and produces a nonlinear output via an activation function (e.g., ReLU, Sigmoid, Tanh). Compared with a shallow ANN, a deep neural network (DNN) contains several hidden layers, which enables much more complex computation tasks. The expression for a typical *N*-layer DNN with input *x* is shown in (A8):

$$a\_N(\mathbf{x}; \; \theta\_{1,\dots,N}) = f\_N(f\_{N-1}(\dots f\_1(\mathbf{x}, \theta\_1), \theta\_{N-1}), \theta\_N) \tag{A8}$$

where $f_i$ is the activation function of the *i*th layer, and $\theta_i$ contains the weights of the *i*th layer.

A loss function $\mathcal{L}$ is adopted to calculate the mismatch between the ground truth *y* and the network output $a_N$. The purpose of training the DNN is to find the optimal model parameters $\theta^{*}$ that minimize $\mathcal{L}$ throughout the whole training process:

$$\mathcal{L}(\boldsymbol{\theta}) = \frac{1}{N} \sum\_{(\mathbf{x}, \mathbf{y}) \in (\mathbf{X}, \mathbf{Y})} \mathcal{L}(\boldsymbol{y}, \boldsymbol{a}\_N(\mathbf{x}; \boldsymbol{\theta}\_{1, \dots, N})) \tag{A9}$$

$$\theta^{*} \leftarrow \arg\min_{\theta} \mathcal{L}(\theta) \tag{A10}$$
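
A minimal NumPy sketch of (A8)–(A10) follows: a forward pass through stacked layers, the empirical loss, and one plain gradient descent step. The layer sizes, learning rate, and random data are illustrative assumptions, and gradients are computed by finite differences purely for brevity; a real implementation would backpropagate.

```python
import numpy as np

rng = np.random.default_rng(0)
sizes = [10, 32, 32, 1]   # input, two hidden layers, output (illustrative)
theta = [rng.normal(0, 0.1, (m, n)) for m, n in zip(sizes[:-1], sizes[1:])]

def forward(x, theta):
    """a_N(x; theta_1..N) = f_N(f_{N-1}(... f_1(x, theta_1) ...)), as in (A8)."""
    a = x
    for W in theta[:-1]:
        a = np.maximum(a @ W, 0.0)   # f_i: ReLU activation
    return a @ theta[-1]             # linear output layer

def loss(theta, X, Y):
    """Empirical loss L(theta) over the dataset (X, Y), as in (A9)."""
    return np.mean((forward(X, theta) - Y) ** 2)

X, Y = rng.normal(size=(64, 10)), rng.normal(size=(64, 1))
lr, eps = 0.05, 1e-5

# One gradient descent step toward theta* = argmin L(theta), as in (A10).
grads = []
for W in theta:
    gW = np.zeros_like(W)
    for idx in np.ndindex(W.shape):
        orig = W[idx]
        W[idx] = orig + eps
        up = loss(theta, X, Y)
        W[idx] = orig - eps
        gW[idx] = (up - loss(theta, X, Y)) / (2 * eps)
        W[idx] = orig
    grads.append(gW)
theta = [W - lr * g for W, g in zip(theta, grads)]
print("loss after one step:", loss(theta, X, Y))
```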

Differentially private stochastic gradient descent (DP-SGD) provides ε-differential privacy to the DNN model by adding noise within SGD [74]. The hyperparameters of the model are shown in Table A1. Different from conventional SGD, each time the gradient is calculated it is first clipped and then perturbed with random Gaussian noise. Adding this noise makes each step (ε, δ)-differentially private. Since the number of training steps is large (ranging from hundreds to thousands), the Composition Theorem stated below implies that the accumulated privacy budget, and hence the overall privacy loss, becomes extremely large.

**Theorem A1.** *(Composition Theorem) If f is $(\varepsilon_1, \delta_1)$-differentially private and g is $(\varepsilon_2, \delta_2)$-differentially private, then*

$$(f(D), g(D)) \text{ is } (\varepsilon_1 + \varepsilon_2, \delta_1 + \delta_2)\text{-differentially private} \tag{A11}$$

To obtain a tighter bound than $\varepsilon_{total} = T\varepsilon$, $\delta_{total} = T\delta$ (where *T* is the total number of training steps), the Moments Accountant was proposed by M. Abadi et al. [74]:

**Theorem A2.** *The privacy-preserving NILM algorithm provides a $\left(2\frac{L}{N}\varepsilon\sqrt{T}, \delta\right)$-differential privacy guarantee to the ES, where L is the lot size and N is the number of training samples.*

**Proof of Theorem A2.** A detailed proof is given in [74]. □
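
The following sketch illustrates one DP-SGD update following the clip-then-noise procedure described above, plus the accounting contrast between naive composition (Theorem A1) and the moments accountant bound of Theorem A2. The linear model, clipping bound C, noise multiplier σ, and the accounting numbers are illustrative assumptions, not values from [74].

```python
import numpy as np

rng = np.random.default_rng(0)

def per_example_grads(theta, X, Y):
    """Stand-in per-example gradients of a linear model with squared loss."""
    residual = X @ theta - Y          # shape (lot,)
    return residual[:, None] * X      # shape (lot, dim)

def dp_sgd_step(theta, X, Y, lr=0.1, C=1.0, sigma=1.1):
    grads = per_example_grads(theta, X, Y)
    # 1) Clip each example's gradient to L2 norm at most C.
    norms = np.linalg.norm(grads, axis=1, keepdims=True)
    grads = grads / np.maximum(1.0, norms / C)
    # 2) Add Gaussian noise calibrated to the clipping bound, then average.
    noise = rng.normal(0.0, sigma * C, size=theta.shape)
    return theta - lr * (grads.sum(axis=0) + noise) / len(X)

theta = np.zeros(5)
X, Y = rng.normal(size=(32, 5)), rng.normal(size=32)
for _ in range(100):                  # T training steps
    theta = dp_sgd_step(theta, X, Y)

# Illustrative privacy accounting for T steps at (eps, delta) per step:
T, eps_step, L_lot, N_data = 100, 0.5, 32, 1000
print("naive composition (Theorem A1):", T * eps_step)
print("moments accountant (Theorem A2):",
      2 * (L_lot / N_data) * eps_step * np.sqrt(T))
```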


As shown in Figure A1, the target of the NILM service is to estimate individual appliance consumption (output) from the overall power consumption measured by the smart meter (input). Three hidden layers are linked between the input layer and the output layer to extract features. The DP-SGD algorithm is applied in the neural network to calculate the gradient at each training step.

**Figure A1.** Privacy-preserving deep learning NILM model.

Figure A2 shows the relationship between the performance of the NILM algorithm and the privacy level ε [73]; the smaller the value of ε, the stronger the privacy it provides. Without DP-SGD, the accuracy of NILM is near 90%. As the noise scale σ increases (i.e., ε decreases), the accuracy of the algorithm decreases. Therefore, TPs should carefully choose a noise scale along the privacy–utility trade-off to satisfy both service quality and privacy.


**Table A1.** Hyperparameters of the Model [74,86].

**Figure A2.** Privacy–accuracy curve of privacy-preserving NILM (data from [73]).
