#### *4.3. Mathematical Model*

#### 4.3.1. The Smart Meter

The smart meter in the proposed system does not communicate with the energy supplier directly; its measurements are uploaded to a private platform (a PC or smartphone) via the HAN. The private platform has basic storage and computation ability to save power consumption and calculate the bills. Assume the area involves a smart meter group $\mathrm{SM} = \{sm_1, \ldots, sm_i, \ldots, sm_N\}$ ($i \in [1, N]$). Each smart meter measures power consumption at an interval $T$ (normally 15 min), denoted $P_{T,i}$. The smart meter data are encrypted to prevent consumers from modifying the power consumption data. No backdoor is built in when the smart meter is manufactured, so manufacturers or energy suppliers cannot illegally access the smart meter data, and all data transmission between consumers and the utility is monitored by the DCC. In the proposed system, the smart meter reports the monthly energy consumption $E_{month}$ and the monthly bill $B_{month}$.

#### 4.3.2. Protection from Inner and Outer Attacks—Adversary Element

Taking a consequentialist perspective, in which stakeholders are held to identification and account [11], our model assumes that all stakeholders may follow an "honest-but-curious" ethic [21]. They follow the functional protocols properly and provide the expected services to consumers ("honest"), but at the same time they keep inferring sensitive information about the consumers ("curious"). In the proposed system, household adversaries could access the aggregated power consumption $P_{AGG}$ (kW) and the monthly energy consumption $E_{month}$ (kW·h) of smart meter $i$. Their aim is to obtain consumer data. They could have high computational ability to disaggregate the obtained data into individual appliance power consumption data by applying methods such as the NILM algorithm, and could then use the data for unethical or illegal purposes.

#### *4.4. High-Frequency Aggregated Data Channel*

The high-frequency aggregated data channel transmits the aggregated power consumption data to the DCC. We install a substation-level smart meter inside the distribution-level substation. The substation carries all consumers' power consumption in the local area without requiring every individual smart meter to send data to it, so it plays the role of an "aggregator" without collecting the power consumption data from every single house. The measurement frequency of the substation in our research is selected as $f_{hf} = 100$ Hz, which is twice the British power system frequency. This high-resolution data is used for grid operation and management, since near real-time data is vital for demand-side management to deal with unexpected incidents such as a blackout.

The reason that the distribution-level substation can play the role of "aggregator" is twofold. Firstly, substations already exist: no extra facilities such as data aggregators need to be constructed, so the development investment is saved. Secondly, no TTP or homomorphic encryption is involved in this scheme, so the concerns of inner attacks from a TTP and the computation overhead of complex encryption are eliminated. Table 2 shows three typical feeder models summarized by GridLAB-D's feeder taxonomy [70]; these three models represent feeders in a light rural area, a heavy suburban area, and a moderate urban area respectively. The number of house units under each feeder can be estimated by adding up household-level data to match the feeder model [71]. From the table, the light rural area consists of around 408 houses. In Section 5, we evaluate whether feeder/substation-level measurement in the light rural area satisfies the privacy requirement.

**Table 2.** House units under different feeder models [70,71].


#### *4.5. Time-of-Use Billing Channel*

The TOU channel enables the dynamic TOU tariff (see Figure 3). In the conventional smart metering system, the smart meter must report the energy consumption at each charging point to obtain TOU bills. The more charging points the utility sets, the more detailed the information about an individual obtained by the utility, and the more likely it is that privacy is breached.

In our TOU billing channel, the direction of information transmission is the opposite. The algorithm of calculating the TOU billing is shown in Algorithm 1.

**Figure 3.** Time-of-use billing channel and billing correctness verification.

```
Algorithm 1 Dynamic TOU billing program.
Input: Half-hourly energy consumption E_{d,t}, half-hourly TOU tariff π_{d,t};
For d = 1; d ≤ 30 (d is the day of the month) do
  For t = 1; t ≤ 48 (t is the half-hour slot of the day) do
    Record and store E_{d,t} and π_{d,t} during slot t.
  End
End
While d ≥ 30 do:
  Calculate E_month = Σ_{d=1}^{30} Σ_{t=1}^{48} E_{d,t}.
  Calculate B_month = Σ_{d=1}^{30} Σ_{t=1}^{48} π_{d,t} · E_{d,t}.
End
Return E_month, B_month.
Output: Monthly energy consumption E_month, monthly bills B_month.
```
• Step 1: Data storage. The ES sends the TOU price π to the smart meter every 30 min. The smart meter stores the energy consumption of the past half-hour with the current TOU price in pairs
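
Algorithm 1 carried out on the meter side, as an added example that is not code from the paper: the meter keeps every half-hourly (energy, price) pair locally and reports only the two monthly aggregates. The two-rate tariff, the slot boundaries and the consumption figures are constructed.

```python
"""Algorithm 1 (dynamic TOU billing) run on the smart meter side.

Added example, not code from the paper. The meter keeps the half-hourly
(E_{d,t}, pi_{d,t}) pairs locally and reports only E_month and B_month;
the two-rate tariff and the consumption figures are constructed.
"""
from dataclasses import dataclass, field

DAYS = 30   # d = 1..30
SLOTS = 48  # t = 1..48 half-hour slots per day


@dataclass
class SmartMeter:
    """Holds (d, t) -> (energy_kwh, price) pairs; they never leave the HAN."""
    _pairs: dict = field(default_factory=dict)

    def record(self, d: int, t: int, energy_kwh: float, price: float) -> None:
        """Step 1: pair the price pi_{d,t} pushed by the ES with the energy
        E_{d,t} consumed in the half-hour that just ended."""
        if not (1 <= d <= DAYS and 1 <= t <= SLOTS):
            raise ValueError(f"slot out of range: d={d}, t={t}")
        if energy_kwh < 0 or price < 0:
            raise ValueError("energy and price must be non-negative")
        self._pairs[(d, t)] = (energy_kwh, price)

    def monthly_report(self) -> tuple[float, float]:
        """End of month (d >= 30): E_month = sum E_{d,t} and
        B_month = sum pi_{d,t} * E_{d,t}; only these two values are reported."""
        if len(self._pairs) != DAYS * SLOTS:
            raise RuntimeError(
                f"month incomplete: {len(self._pairs)}/{DAYS * SLOTS} slots")
        e_month = sum(e for e, _ in self._pairs.values())
        b_month = sum(p * e for e, p in self._pairs.values())
        return round(e_month, 6), round(b_month, 6)


def tou_price(t: int) -> float:
    """Constructed two-rate tariff (GBP/kWh): peak 16:00-20:00 = slots 33..40."""
    return 0.30 if 33 <= t <= 40 else 0.12


def simulate_month(base_kwh: float = 0.20, peak_kwh: float = 0.60) -> tuple[float, float]:
    """Feed one constructed month of readings through the meter."""
    meter = SmartMeter()
    for d in range(1, DAYS + 1):
        for t in range(1, SLOTS + 1):
            energy = peak_kwh if 33 <= t <= 40 else base_kwh
            meter.record(d, t, energy, tou_price(t))
    return meter.monthly_report()
```

The report raises if any of the 1440 slots is missing, so an incomplete month cannot be silently billed as a smaller one.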


#### *4.6. Additional Service Channel*

The additional service channel is designed for TPs to provide additional services to the consumers. The "third party" refers to non-licensed energy service companies. They bring profits and innovation to the smart grid industry. The consumers have the freedom to select the services they want. Currently, services include warnings for exceeding power thresholds, monitoring for seniors/children, and monitoring the operating condition of selected appliances. According to the consultation documents of the Department of Energy & Climate Change (DECC) [19], there are strict limitations on TPs' access to data: an agreement is required among the TP, the DCC, and the consumer, and the TP can only access the consumer's smart meter data with the consumer's consent.

Referring to the privacy-functionality trade-off strategy mentioned in Section 4, the value-added service channel follows a data minimization principle, preventing personal data from "leaving" the consumer's house. Rather than sending personal data to the TPs' servers, the TPs send algorithms and models to the consumers' private platforms, including their personal computers and mobile phones, and the consumer then uses the model to obtain the result on these platforms. However, there are two concerns with this method, referring to [21]:


To settle the above two concerns, a value-added service channel utilizing a privacy-preserving deep learning algorithm, which is particularly relevant to our work [73], is proposed. The algorithm adds noise to the gradient descent updates of the deep neural network parameters to reduce the sensitivity to any single training record, and thereby preserves the privacy of both the neural network model and the training dataset [74]. Privacy-preserving deep learning combines two techniques, differential privacy and deep learning.
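One training step of the kind the paragraph above describes, added here as an illustration and not the implementation from [73] or [74]: each training record's gradient is clipped to a fixed norm and Gaussian noise scaled to that norm is added, so no single record (here a constructed outlier) can dominate the update. The linear load model, the training rows and the seed are assumptions.

```python
"""Per-example gradient clipping plus Gaussian noise (a DP-SGD style step).

Added example, not the implementation from [73] or [74]. The model is a
linear load predictor; the four training rows are constructed and the
last one is a deliberate outlier whose influence the clipping bounds.
"""
import math
import random

Vector = list[float]


def l2norm(v: Vector) -> float:
    return math.sqrt(sum(x * x for x in v))


def example_gradient(w: Vector, x: Vector, y: float) -> Vector:
    """Gradient of 0.5 * (w.x - y)^2 with respect to w for one training row."""
    err = sum(wi * xi for wi, xi in zip(w, x)) - y
    return [err * xi for xi in x]


def clip(g: Vector, clip_norm: float) -> Vector:
    """Rescale g so that ||g||_2 <= clip_norm: this caps how much any single
    training record can move the model, which is what the noise is calibrated to."""
    norm = l2norm(g)
    scale = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    return [gi * scale for gi in g]


def private_gradient(w: Vector, rows: list[tuple[Vector, float]],
                     clip_norm: float, noise_mult: float, seed: int = 0) -> Vector:
    """Sum of clipped per-example gradients, plus N(0, (noise_mult*clip_norm)^2)
    noise on each coordinate, divided by the batch size."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    acc = [0.0] * len(w)
    for x, y in rows:
        for i, gi in enumerate(clip(example_gradient(w, x, y), clip_norm)):
            acc[i] += gi
    sigma = noise_mult * clip_norm
    return [(a + rng.gauss(0.0, sigma)) / len(rows) for a in acc]


# Constructed rows: features [bias, mean past load], target = next half-hour load.
ROWS = [([1.0, 0.5], 1.2), ([1.0, 2.0], 3.1), ([1.0, 1.0], 1.9), ([1.0, 40.0], 60.0)]
```

With noise_mult set to 0 the function reduces to the clipped batch gradient, which is useful for checking the clipping in isolation before the noise is switched on.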

As shown in Figure 4, the process of the value-added service channel consists of the following steps, and all steps can be divided into two categories depending on the network (WAN or HAN):

Operations via WAN:


Operations via HAN:


The data flow in Figure 4 shows that the consumer's energy data are shared inside the HAN and are never sent to the utility, while the services are still enabled. The enabled services include NILM, STLF, and demand response. The details of the privacy-preserving deep learning NILM algorithm are given in our paper [73].

**Figure 4.** Privacy-preserving value-added services.
