Smart Meter Privacy with Renewable Energy and an Energy Storage Device
Giulio Giaconi, Deniz Gunduz, H. Vincent Poor

TL;DR
This paper investigates how renewable energy sources and rechargeable batteries can enhance smart meter privacy by reducing information leakage, with theoretical analysis and numerical results demonstrating privacy gains and the importance of storage capacity.
Contribution
It provides a novel information-theoretic framework for quantifying smart meter privacy considering renewable energy and storage, including explicit expressions for extreme cases and numerical analysis for finite capacity.
Findings
Privacy improves with more renewable energy availability.
Larger storage capacity enhances privacy gains.
Infinite storage capacity achieves minimal information leakage.
Abstract
A smart meter (SM) measures a consumer's electricity consumption and reports it automatically to a utility provider (UP) in almost real time. Despite many advantages of SMs, their use also leads to serious concerns about consumer privacy. In this paper, SM privacy is studied by considering the presence of a renewable energy source (RES) and a rechargeable battery (RB), which can be used to partially hide the consumer's energy consumption behavior. Privacy is measured by the information leakage rate, which denotes the average mutual information between the user's real energy consumption and the energy requested from the grid, which the SM reads and reports to the UP. The impact of the knowledge of the amount of energy generated by the RES at the UP is also considered. The minimum information leakage rate is characterized as a computable information theoretic single-letter expression in…
Click any figure to enlarge with its caption.
Figure 1
Figure 2
Figure 3
Figure 4
Figure 5
Figure 6
Figure 7
Figure 8
Figure 9
Figure 10
Figure 11
Figure 12
Figure 13| Residential Battery | Capacity (kWh) |
|
|
||||
|---|---|---|---|---|---|---|---|
| Sunverge SIS-6848 [35] | , , , | ||||||
| SonnenBatterie eco [36] | |||||||
| Tesla Powerwall [37] | |||||||
| LG RESU 48V [38] | , , | , , | , , | ||||
| Panasonic Battery System LJ-SK84A [39] | |||||||
| Powervault G200-LI-2/4/6KWH [40] | , , | , | , | ||||
| Orison Panel [41] | |||||||
| Simpliphi PHI 3.4 - 48V [42] |
| Source | Location | Resolution | Time Frame | # of Houses | kW | kW | kW | kW | kW | kW |
| [43] | Texas | mins | 01/01/2016 - 31/05/2016 | |||||||
| 01/01/2015 - 31/12/2015 | ||||||||||
| 01/01/2014 - 31/12/2014 | ||||||||||
| 01/01/2013 - 31/12/2013 | ||||||||||
| 01/01/2012 - 31/12/2012 | ||||||||||
| [44] | UK | mins | 01/05/2010 - 31/07/2011 | |||||||
| [45] | Netherlands | sec | 05/07/2015 - 05/12/2015 | |||||||
| [46] | France | min | 16/12/2006 - 26/11/2010 |
| Solar Panel Area () | Solar Panel Cell Type | Nominal Installed Capacity (kWp) | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Monocrystalline | Polycrystalline | |||||||||
| Transition Probability | ||||||
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsSmart Grid Security and Resilience · Wireless Communication Security Techniques · Energy Harvesting in Wireless Networks
Smart Meter Privacy with Renewable Energy and an Energy Storage Device
Giulio Giaconi, , Deniz Gündüz, , and H. Vincent Poor The work of G. Giaconi was supported by the Engineering and Physical Sciences Research Council (EPSRC) of the U.K. under Grant 1507704. This work was supported in part by the EPSRC through the project COPES under Grant 173605884, in part by the European Research Council under Starting Grant BEACON (agreement 677854), and in part by the U.S. National Science Foundation under Grant CMMI-1435778, Grant ECCS-1549881, and Grant ECCS-1647198. This paper was presented in part at the IEEE International Conference on Communications, London, U.K., June 2015 [1]. G. Giaconi and D. Gündüz are with the Department of Electrical and Electronic Engineering, Imperial College London, London, SW7 2AZ, UK (e-mail: {g.giaconi, d.gunduz}@imperial.ac.uk). H. V. Poor is with the Department of Electrical Engineering, Princeton University, Princeton, NJ 08544 USA (e-mail: [email protected]).
Abstract
A smart meter (SM) measures a consumer’s electricity consumption and reports it automatically to a utility provider (UP) in almost real time. Despite many advantages of SMs, their use also leads to serious concerns about consumer privacy. In this paper, SM privacy is studied by considering the presence of a renewable energy source (RES) and a rechargeable battery (RB), which can be used to partially hide the consumer’s energy consumption behavior. Privacy is measured by the information leakage rate, which denotes the average mutual information between the user’s real energy consumption and the energy requested from the grid, which the SM reads and reports to the UP. The impact of the knowledge of the amount of energy generated by the RES at the UP is also considered. The minimum information leakage rate is characterized as a computable information theoretic single-letter expression in the two extreme cases, that is, when the battery capacity is infinite or zero. Numerical results are presented for the finite battery capacity case to illustrate the potential privacy gains from the existence of an RB. It is shown that, while the information leakage rate decreases with increasing availability of an RES, larger storage capacity is needed to fully exploit the available energy to improve the privacy.
I Introduction
The transition from the legacy power distribution network to the new power grid paradigm, the so-called smart grid (SG), is rapidly ongoing. An SG provides many advantages for energy generation, transmission, distribution and consumption thanks to the use of information and communication technologies that enable SGs to monitor and control the power network more effectively [2]. In addition, an SG eases the integration of renewable energy sources (RESs), which is a fundamental factor in reducing our dependence on fossil fuels and moving on to a low carbon economy. A key feature of an SG is the advanced metering infrastructure, and in particular smart meters (SMs), which record and report the electricity consumption of a household. SMs that are currently being rolled out in the United Kingdom send measurements every minutes [3], whereas those in Texas send every minutes [4]. The frequency of SM measurements is expected to increase drastically in the near future when renewable energy integration increases and the energy market becomes more efficient by incorporating time-of-usage pricing and demand shifting [5].
The installation of SMs is rapidly advancing worldwide. For example, all European Union countries are required to have 80% SM adoption by 2020 and 100% by 2022 [6]. On the other hand, the information that is collected by SMs may be potentially used for other purposes, thereby raising the question of data privacy. By using nonintrusive appliance load monitoring (NILM) techniques, power consumption load profiles can reveal sensitive information, such as the users’ habits, presence at home and working hours, potential illnesses or disabilities, equipment being used, and even which TV channel is being watched [7]. First NILM devices were built in the 80s and were already able to detect the activity of some appliances by knowing their power signature [8]. Molina-Markham et al. [9] showed that it is possible to detect users’ activity by simply using off-the-shelf clustering and pattern recognition methods, even without any a priori knowledge of the appliances’ power signature. The current state of the art is to consider a factorial hidden Markov model to model the total consumption of various household appliances, whose solution is, however, NP hard. To solve this issue, [10] describes a computationally efficient method based on a semidefinite relaxation combined with randomized rounding.
I-A Privacy-Aware SM Techniques
To date, there are two main families of approaches that have been investigated to provide privacy to consumers. The first family includes approaches that process SM data before sending it to the UP, while approaches in the second family aim at modifying the actual user energy demand. Considered within the first family are methods such as data obfuscation, data aggregation and data anonymization. Data obfuscation, i.e., the perturbation of metering data by adding noise, is a classic method, and has been adapted to SGs in [11] and [12]. Among these methods, differential privacy [13], a well-established concept in the data mining literature based on distorting data to protect the privacy of individuals, is applied to SMs in [14]. Along these lines, authors in [15] provide a framework that measures the trade-off between altering data (privacy) and sharing them (utility). Data aggregation, proposed in [12], [16] and [17], considers aggregating power measurements over a group of households so that the UP is prevented from knowing individual consumptions. The aggregation can be performed with or without the help of a trusted third party. Data anonymization mainly considers resorting to pseudonyms rather than the real identities, as in [18] and [19].
The first family of approaches, however, suffer from a further privacy risk. In fact, the energy consumed by a user is provided directly from the grid, which is fully controlled by the distribution system operator (DSO), i.e., the entity that manages the power grid; and hence, the DSO can embed additional sensors to monitor the energy requested by a household or a business, without fully relying on SM readings. Moreover, any attacker, e.g., a thief or an intelligence agency, may decide to install a sensor for directly monitoring a specific household or business. Another disadvantage of data obfuscation methods is the mismatch between the reported values and the real energy consumption. This prevents the DSO from accurately monitoring the grid states and rapidly reacting to outages, energy theft or other problems. To address these problems, the second family of privacy-preserving approaches directly modifies the actual energy consumption profile of the user, called the input load rather than simply modifying the data sent to the UP. This can be done, for example, by filtering the energy via an energy storage device, i.e., a rechargeable battery (RB), as in [20, 21, 22, 23, 24, 25, 26], or by using an RES, as originally proposed in [24]. If we denote the energy received from the grid as the output load, the idea is to physically differentiate the output load with respect to the input load. Different heuristic algorithms have been proposed, such as the best-effort water-filling algorithm in [21] that aims at keeping the output load at its most recent value, or the stepping algorithm in [22] that quantizes the power demand into a step function. In [25] the problem is solved in the offline setting by taking the energy cost into account, while the online privacy problem is formulated as a Markov decision process in [26], and solved numerically in general, while a “single-letter” expression is provided for an independent and identically distributed (i.i.d.) input load. In [27] Fisher information is used as a measure of privacy and, by using the Cramér-Rao bound, the variance of the estimation error of any unbiased estimator of the household consumption is maximized by minimizing the trace of the Fisher information matrix. When considering also the presence of an RES, a single-letter solution is given for this problem in [28, 29, 30] under average and peak power constraints on the available RES. In [31] model predictive control is adopted to jointly optimize cost and and privacy in the presence of a battery and local energy generation.
In this paper, we adopt the latter approach, and focus on providing privacy by considering the presence of both an RES and an RB. We study privacy from an information theoretic point of view, and, for some scenarios, provide closed-form expressions for the best privacy performance achievable. A similar model, studied in [30], imposes only average and peak power constraints on the RES, which can be a microgrid, capable of providing any amount of energy at each time instant. However, the energy produced by an RES at each time instant is typically random, and its statistics depend on the energy source (e.g., solar, wind) and the energy generator specifications. In addition, the finite-capacity battery imposes further limitations on the available energy. Thus, in this paper we study the minimum amount of user’s energy consumption information leaked to the UP by taking into account instantaneous power constraints, as initially proposed in [1]. While the analysis in [1] is limited to the two extreme scenarios of zero and infinite battery capacity with a discrete-alphabet input load, here we also study the more practical scenario with a finite-capacity storage device, as well as a continuous-alphabet input load.
Following up on [23], [24] and [30], we model user’s energy consumption profile as a randomly generated time series whose statistics are known by the UP, and measure the user’s information leakage by the average mutual information between the input and output load vectors, i.e., between the real energy consumption profile of the appliances and the SM readings, which is called the information leakage rate. Mutual information between random variables and , , is as a measure of dependence between and , which is equal to zero if and only if and are independent. We can also interpret mutual information as the reduction in the uncertainty of the UP about the real energy consumption of the appliances, , after receiving the SM measurements, . Thus, minimizing mutual information can be interpreted as a way of improving privacy for SM users. Moreover, mutual information as a privacy measure does not depend on the technological implementation of load monitoring algorithms, and therefore, provides statistical privacy guarantees independent of the computational power of the attacker or the particular monitoring algorithm employed. Mutual information as a measure of privacy leakage has also been considered in other domains, see for example [32, 33, 34].
I-B Current Home Batteries and Typical Household Input Loads
In this section we briefly summarize the specifications of residential batteries available in the market and the general statistics of household energy consumption and generation to illustrate the feasibility of privacy-protection through energy management. Table I lists the storage capacity and peak power for some of the currently available batteries for residential use. It is noteworthy that the capacities are in the range of few kWh. A typical household’s average energy consumption also lies within the same range, as shown in Table II, where we report the distribution of the average user power consumption over different years obtained from various databases, with different time resolutions. From the Dataport database [43] we observe that, independently from the period considered, the average user demand is less than kWh for of the time. Current batteries charged at full capacity would then be able to satisfy the demand for a few hours only.
In Table III we have also included information about the amount of average power generated via a rooftop solar panel. Locations, technology as well as inclinations and sizes of panels vary, as shown in Table IV for one of the databases considered, where kWp denotes the kilowatt peak, i.e., the output power achieved by a panel under full solar radiation. As expected, around of time, i.e., at night, no energy is generated at all, while there are differences in the distribution of the average values for the two databases considered, due to the different areas considered. If we compare these values with those in Table I, we can see that the capacities of current batteries are sufficient to store many hours of average solar energy generated by the solar panels most of the time, for which the infinite battery assumption may be an accurate model.
I-C Main Contributions
The main contributions of this paper can be summarized as follows:
We provide computable closed-form single-letter expressions for the minimum information leakage rate when the battery capacity is zero and infinite. We provide detailed proofs for these results, which have been stated in [1] without proofs. These two asymptotic performance results can also be considered as upper and lower bounds on the achievable privacy performance for a more practical SM system with a finite-capacity battery. 2. 2.
For these scenarios, we study the information leakage rate also considering the availability of the RES information at the UP, which provides additional side information to the UP. 3. 3.
For a finite-capacity battery scenario, we propose a suboptimal parameterized energy management policy, and optimize the policy parameters using a policy search technique that exploits stochastic gradient descent. We show numerically that the performance of the proposed energy management policy approaches the one with an infinite battery even with a relatively small battery size. This shows the efficacy of the proposed privacy preservation scheme. 4. 4.
We show that the information leakage rate decreases with the rate of the available RES, and that a larger RB is needed to fully exploit the available energy to improve the privacy.
The remainder of the paper is organized as follows. In Section II the system model is introduced. In Section III an ideal system with an infinite-capacity battery is studied, while in Section IV another extreme case with no energy storage is considered. For both scenarios, we also study the case in which the UP knows the realizations of the renewable energy process. In Section V we study the binary scenario, while in Section VI we propose achievable schemes for the generic finite battery capacity scenario, and present the corresponding numerical results. In Section VII a continuous input load is considered, while conclusions are drawn in Section VIII.
I-D Notation
Random variables (RVs) are denoted by capital letters , their realizations by lower-case letters , and the corresponding alphabets by calligraphic letters . The probability distribution of a RV taking values in is denoted by . For integers , denotes the sequence , while . All logarithms and exponentials are in base , unless specified otherwise.
II System Model
A discrete time system model is adopted as depicted in Figure 1. is the total amount of power demanded by a user in time slot , where , while is the energy received from the UP at time , where . We call as the input load and as the output load to simplify the terminology. For simplicity, we assume that the entries of the input load sequence are i.i.d. with distribution . In time slot , units of energy are generated from the RES, which becomes available to the energy management unit (EMU) at the beginning of time slot . The entries of the renewable energy sequence are also i.i.d. with distribution and alphabet , while the average renewable energy rate is denoted by . We further consider the presence of an RB in which the renewable energy can be stored for future use. The state of charge (SOC) of the battery at time is , and its capacity is . We assume no losses in the battery charging and discharging processes.
The EMU always satisfies user’s energy demands by drawing energy from either the UP or the RB; that is, outages or demand shifting are not allowed. As a consequence, we have . We do not allow extra energy to be drawn from the grid and then wasted. This could provide additional privacy, albeit at a significantly higher energy cost. Also, the battery is exclusively for storing the generated renewable energy, and it cannot be recharged with grid energy. While storing grid energy in the battery to be supplied later to the appliances can provide additional privacy [23], here we limit the use of the battery to renewable energy storage to isolate and understand the privacy benefits of RESs. Hence, we impose
[TABLE]
while is the amount of energy obtained from the RB in time slot . The energy retrieved from the battery must be smaller than the energy available in it, i.e.,
[TABLE]
We also consider a peak power constraint on the amount of energy that can be requested at any time from the RB, i.e.,
[TABLE]
and for the rest of the paper we assume that .
Given and the constraints (1), (2), and (3), the set of feasible energy requests at time is
[TABLE]
where if , and [math] otherwise.
The battery update equation can be written as
[TABLE]
We aim at designing energy management policies that decide on the amount of energy to request from the UP at each time , given the previous values of input load , renewable energy , battery SOCs , and output load , i.e.,
[TABLE]
while satisfying (4) and (5), where and denotes the set of feasible policies, i.e., which produce output load values that satisfy the RB and RES constraints at any time, as well as the battery update equation.
We measure privacy via the information leakage rate, defined as the average mutual information rate between the actual user energy consumption and the energy received from the grid, which also corresponds to the reported SM data, i.e.,
[TABLE]
where the subscript denotes the specific energy management policy employed, and the superscript stresses the fact that we are considering instantaneous power constraints. Thus, the optimization problem can be written as the minimization of (6) over all feasible policies , i.e.,
[TABLE]
A single-letter expression for the information leakage rate is provided in [28, 29, 30] when the EMU is constrained only by the average and peak power constraints. In general, because of the memory effects introduced by the RB and the RES, satisfying the input load from the RB or the RES at some time period may come at the expense of revealing more information about the energy consumption at future time periods. For this reason, the information theoretic analysis typically focuses on the average performance, measured over a period of time slots, and aims at understanding the fundamental performance bounds by letting this time period go to infinity, i.e., , as in (6). However, the definition of the information leakage rate in (6) involves -length sequences and , and the asymptotic performance limit corresponds to an infinite-dimensional optimization problem, which cannot be solved numerically. On the contrary, characterizing a single-letter expression allows the optimal solution to be to described as an optimization problem in terms of the single-letter random variables, which can be a finite-dimensional optimization problem when the involved random variables are defined over finite alphabets. Therefore, a single-letter characterization of the information theoretic privacy is desirable to be able to evaluate the minimum possible information leakage rate.
In [29] the privacy-power function is defined as the minimum information leakage rate that can be achieved when the energy management policy satisfies the average power constraint \mathbbm{E}\big{[}\sum_{t=1}^{n}(X_{t}-Y_{t})\big{]}\leq\bar{P}, as well as the peak power constraint , . The privacy-power function has the single-letter characterization provided by the following theorem.
Theorem 1**.**
[29, Theorem 1]** The privacy-power function for an i.i.d. input load vector with distribution and output load vector , when the average and peak values of the power provided by the RES are limited by and , respectively, is given by
[TABLE]
where .
Lemma 1**.**
[29, Lemma 1]** The privacy-power function , given above, is a non-increasing convex function of and .
It is shown in [30] that, when the input load alphabet is discrete, i.e., , the output load alphabet , which is not necessarily discrete, can be restricted to the input load alphabet, i.e., , without loss of optimality. Given this restriction and the convexity of the privacy-power function, can be numerically evaluated, e.g., by the efficient Blahut-Arimoto (BA) [48] algorithm. The following lemma states that this property holds also in our setting for the various battery capacities we analyze in the following. Thus, in the discrete case, we can assume that all the involved random processes are defined over finite alphabets and that there is a minimum quantum of energy such that all the aforementioned quantities are integer multiples of this quantum.
Lemma 2**.**
If the input alphabet is discrete, the output alphabet can be constrained to the input alphabet without loss of optimality.
Proof.
The proof is similar to that of [30, Theorem 2]. Let be the discrete input load alphabet and let . Then, for any given energy management policy, and the resultant output load , we define a new output load as , that is, is a post-processed version of , and . By construction, we have that , i.e., the power demanded by the battery cannot have a larger peak value than the original demanded power. Similarly, the new output load satisfies all the instantaneous power constraints as well. This proves that the policy is feasible. Also, the information leakage rate is not increased as is a deterministic function of , and thus forms a Markov chain, and by the data processing inequality. ∎
Here we introduce a generic energy management policy, which we later specialize to the different scenarios we consider. This is a stationary and memoryless policy that generates randomly using a conditional probability distribution that is based only on the current input load and the available total renewable energy , i.e.,
[TABLE]
Note that, in the presence of an RB, in which the generated renewable energy is stored and used for privacy, a memoryless energy management policy is suboptimal in general, as it ignores the history. However, in the following we show that a memoryless policy is able to achieve the minimum information leakage rate in the two extreme scenarios of and .
III Infinite Battery Capacity
In this section we relax the constraint on the battery capacity and consider . This is an extreme situation that may model a battery with a relatively large capacity compared to the average generation rate of renewable energy, , and the average input load. This scenario provides useful insights on the best achievable privacy performance, and also serves as a bound on the performance achievable with a finite-capacity RB.
In each time slot, the EMU is limited by both the peak power constraint (3) and the energy available in the RB, which is the difference between the total renewable energy generated and the total energy that has been requested from the battery up to that time, i.e.,
[TABLE]
III-A Generated Renewable Energy not Known by the UP
In this section is treated as a random sequence whose realization is known only to the consumer in a causal manner. This scenario may occur if the renewable energy originates from sources which could be extremely difficult, if not impossible, for the UP to track.
The following theorem states that the minimum information leakage rate when is equivalent to the average and peak power-constrained scenario, as in [29]; that is, the cumulative constraints on the EMU policy do not reduce the achievable privacy if the battery capacity is sufficiently large.
Theorem 2**.**
If and the peak power constraint on the amount of energy taken from the RB is , then the minimum information leakage rate for an i.i.d. input load and a renewable energy generation process with average power , is
[TABLE]
is a trivial lower bound on . In the following section an energy management policy that achieves is presented. The proposed policy is a specialization of the generalized memoryless policy introduced in (9).
III-B Optimal Energy Management Policy for
Consider the following energy management policy. In each time slot , the EMU, based on the instantaneous input load , decides on the optimal portion of the input load to be received from the grid, , by using the optimal conditional probability distribution that minimizes (8). If there is enough energy available to fully satisfy the EMU requests, i.e., , the EMU uses units of renewable energy and units of energy from the grid, i.e., ; otherwise, all the input load is satisfied directly from the grid, i.e., , thus leading to the maximum information leakage for that time instant, i.e., the UP learns perfectly. The time instants at which such leakage occurs cannot be computed beforehand, since they depend on the realizations of the renewable energy process, input and output loads. Given the nature of this policy, which tries to follow the optimal policy generated by ignoring the current SOC, we name it the best-effort energy management policy. Algorithm 1 summarizes this policy.
Equation (12), shown at the bottom of the page, specializes policy (9) to the best-effort policy. The second case in (12) includes all the instances for which outputs either , or an infeasible output, i.e, for which .
Since the energy arrival is stochastic, it may seem that very little can be said about the information leakage rate. However, if the condition holds, then it is possible to show that the number of times full leakage of information occurs due to unavailability of energy is relatively small compared to the operating time of the system. This is proved in the following lemma.
Lemma 3**.**
If , and the EMU follows the best-effort energy management policy, then almost surely the condition holds only in finitely many time slots in the limit of infinite horizon.
Proof.
Let , for some . The sequence has zero mean. By the strong law of large numbers, the sample average of the sequence converges almost surely to its expected value, i.e., the sequence of events , and thus the sequence occurs only for finitely many times. This implies that, with generated according to the best-effort policy, the unavailability of energy at any time, , occurs only for finitely many times. ∎
Lemma 4**.**
If , then the minimum information leakage rate of the best-effort policy tends to , as .
Proof.
Divide the sequence of input and output loads according to the time instants in which a private SM operation is achieved, i.e., the time instants the EMU can fully emulate , and time instants in which full leakage occurs. From Lemma 3 we know that as , there is only a finite number of time instants, say , in which the level of privacy induced by is not achieved, i.e., for which the condition holds, when is generated based on . We remind that the condition always holds. Then, we can write
[TABLE]
where is the set of instants when full leakage of information takes place, i.e., for which , and is the set of time instants in which the output is generated through , i.e., ; (13c) follows since conditioning reduces entropy; (13e) follows since is finite. ∎
III-C Store-and-Hide Energy Management Policy
Here we provide an alternative energy management policy in the case of an infinite-capacity battery. The store-and-hide energy management policy consists of an initial storage phase, during which all the energy requests of the user are satisfied from the grid while all the generated renewable energy is stored in the battery, and a second hiding phase, during which the EMU deploys the optimal policy .
More formally, consider time slots. In the first time slots, the so-called storage phase, no privacy is achieved because we have , for . In the remaining time slots, the so-called hiding phase, user demand is satisfied by taking energy from both the grid and the battery according to the optimal policy . We assume that , with , and . The initial waiting time enables the battery to store on average units of energy. In the following lemma we show that the energy stored in the initial storage phase is sufficient to let the EMU follow the optimal energy management policy during the hiding phase, without energy outages almost surely. After units of time, thanks to the energy already stored in the RB, the system is able to overcome the uncertainty in the energy arrival, and is able to adopt the optimal privacy-preserving energy management policy for the remaining time.
Remark 1**.**
It is noteworthy that no information about the recharge process of the battery is required, and all the EMU needs to know is the average power generated by the renewable energy process, .
Lemma 5**.**
With a storage phase of length , where , and , the store-and-hide policy satisfies the energy constraints in (10) almost surely provided that .
The proof can be found in Appendix A.
By means of Lemma 5 it is possible to show that the minimum information leakage rate of the store-and-hide policy approaches as , as shown in the following lemma, whose proof can be found in Appendix B.
Lemma 6**.**
If , then the information leakage rate of the store-and-hide policy with as specified in Lemma 5 approaches as .
Remark 2**.**
Even though the two schemes described above achieve the same privacy performance as , they do have some conceptual differences. During the initial phase of energy saving, the store-and-hide policy satisfies all the user demands from the grid leaking full information. Therefore, the SM readings reveal user’s activity completely in this period. While the impact of this on the information leakage rate vanishes as , this might not be preferable in practice. Therefore, we believe that the best-effort policy is more appropriate for practical applications.
III-D Generated Renewable Energy Known by the UP
Here we assume that the UP knows the realization of the renewable energy process , as highlighted in Figure 2. This scenario can occur if, for example, we consider solar energy as the RES, and the UP can accurately estimate the renewable energy produced from its own observations in nearby locations, weather forecast of the area, and the specifications of the solar panel. This is a worst-case situation and we expect the amount of leaked information in this case to be greater than or equal to that of the previous scenario, in which only the EMU knows the current state of the renewable energy produced. In this setting, the information leakage rate is defined as
[TABLE]
The following theorem states that does not necessarily provide more information to the UP compared to the scenario where the UP does not have access to this information.
Theorem 3**.**
If , the minimum information leakage rates for the cases in which is either known or not known to the UP are the same, i.e., .
Proof.
We have the following chain of inequalities:
[TABLE]
where (15a) follows as and are independent from each other, and (15c) is due to the non negativity of mutual information. Thus, we have .
The inequality in (15c) becomes an equality if . This condition can be achieved by the store-and-hide policy. In fact, at the end of the storage phase the battery is filled up with an infinite amount of energy, and, as a consequence, the optimal policy during the hiding phase does not need to take the information about the RES into account. This implies that ; and therefore, , and that . ∎
IV SM System Without Energy Storage
In this section we focus on another extreme scenario in which there is no RB for storing extra renewable energy, i.e., . The renewable energy available at time slot , , can be considered as an i.i.d. state information, and could be known, or not, to the UP. Given and , the EMU decides on the amount of energy to use from the grid and from the RES. In each time slot the energy that can be obtained from the RES, , is limited by the energy generated in time slot , , i.e., . Thus, this is an SM system with a stochastic peak power constraint on the energy that the EMU can obtain from the RES. Therefore, this section can be considered as a generalization of [30], where the authors consider a fixed peak power constraint.
Remark 3**.**
We note that a peak power constraint other than can be easily incorporated to the model, as this would simply correspond to a new instantaneous power constraint of . Therefore, for the brevity of the presentation we do not consider a peak power constraint in this section.
Note that, as opposed to the infinite-capacity battery scenario, here the past has no influence on the energy constraint, since there is no battery, and thus, no memory, in the system.
To analyze this scenario, we first consider the minimum information leakage rate when the generated renewable energy is constant in every time slot, i.e., , which is known by both the EMU and the UP. The privacy-power function is obtained by considering only a peak power constraint, which can be obtained as a special case of Theorem 1.
Lemma 7**.**
If and , the privacy-power function for an i.i.d. input load is given by .
IV-A Generated Renewable Energy not Known by the UP
As in Section III-A, here the realization of the renewable energy process is assumed to be known only by the EMU, while the UP only knows the probability distribution .
Theorem 4**.**
If , and the renewable energy produced by the RES is i.i.d. with distribution , the optimal information leakage rate, denoted by , is given by
[TABLE]
where .
Proof.
Achievability. We consider a conditional probability distribution that satisfies the conditions of Theorem 4. At each time instant, for given and , is generated independently using the conditional distribution . Since the input and output load sequences are generated i.i.d. with the induced joint distribution , the information leakage rate is given by , whereas the instantaneous peak power constraint is satisfied for all conditional distributions in .
Converse. We assume that there is an energy management policy that satisfies the instantaneous peak power constraints, i.e., . Then, the information leakage rate satisfies the following chain of inequalities:
[TABLE]
where (17b) follows since is i.i.d.; (17c) follows since conditioning reduces entropy; and (17d) follows from the definition of in (16). ∎
IV-B Generated Renewable Energy Known by the UP
Here we assume the UP also knows the state , .
Theorem 5**.**
If , the input load is i.i.d. with distribution , and the amount of generated renewable energy is also known by the UP at each time , then the optimal information leakage rate is given by
[TABLE]
where .
Proof:
Achievability of (18) follows trivially by employing the optimal that minimizes (18) at each time slot. To prove the converse, we show that any energy management policy that satisfies the stochastic peak power constraint at each time instant satisfies the following chain of inequalities:
[TABLE]
where (19c) follows because and are independent of each other and across time, and conditioning reduces entropy; (19d) follows by explicitly considering all the states of ; and (19e) follows from Lemma 7. ∎
From the chain rule of mutual information, we have
[TABLE]
where (20a) follows since and are independent of each other. From (20a) and (20b), we get . Hence, from Theorems 4 and 5, we have , as expected.
V Binary Scenario
In order to provide further insights into the behavior of the information leakage rate, here we consider a simple scenario with binary energy demands, binary energy generation and binary output load, i.e., . This scenario may represent appliances that are either on or off/standby. and follow independent Bernoulli distributions with and , respectively. We compare the minimum information leakage rates for the infinite and zero battery scenarios.
If , the minimum information leakage rate can be characterized explicitly as
[TABLE]
where we set the peak power constraint to .
When , there are two scenarios. If the generated renewable energy is known only by the EMU, the minimum information leakage rate for this scenario is given by
[TABLE]
where is the binary entropy function defined as , is fixed, and is the probability of using the energy available in the battery whenever and .
Proposition 1**.**
For every and , the information leakage rate is minimized with .
Proof:
The proof follows from observing that . Thus, the minimum of is reached when takes its maximum value, i.e., . ∎
When is known also by the UP, if the peak power constraint is , no information is leaked, whereas if , the input load is known perfectly by the UP, leading to a leakage of . Hence, the minimum information leakage rate when the state information is known by the UP is
[TABLE]
Numerical comparison of the information leakage rate for zero and infinite battery capacities in the binary scenario will be presented in the next section together with the results corresponding to a finite battery capacity.
VI Finite Battery Capacity
A closed-form expression for the finite-capacity battery scenario is elusive as the presence of a finite battery brings memory into the system, and the future energy usage depends on how much renewable energy has been generated in the previous time slots, how much of that energy has already been used by the EMU, and how much is available in the RB. Instead, we propose a low-complexity energy management policy and compare it to the two previous scenarios, which represent upper and lower bounds on the system performance for the finite battery scenario.
VI-A Binary Alphabet:
In this setting , and have binary alphabets and we consider a discrete-time system, modeled via a finite state machine. As in Section V, we set and , while represents the energy taken by the EMU from the battery, with .
VI-A1 Battery-independent Policy
Here we consider a time-invariant policy according to which the evolution of the battery state can be modeled as the Markov chain of Figure 3, where the -tuples represent the realization at time of the input load , the renewable energy , the energy taken from the battery by the EMU , and the output load , respectively. At every time, the RB can be charged, discharged or remain in the current SOC, depending on the transition probabilities. We note that a similar model has been adopted in [24], with the difference that in [24] the RB can also store energy from the grid. We define as the probability that the energy is taken from the battery provided that the user is asking for energy and that there is energy available for use, i.e., p_{v}\triangleq\Pr\{V=1\big{|}X=1,E+B\geq 1\}. Since the value of does not change according to the current battery state, we name this policy battery-independent policy. Table V lists all the possible states and transition probabilities for this scenario. In particular, the table shows for each transition from to and each combination of the tuple the corresponding transition probability.
To compute the information leakage rate, all the distributions are considered to be Bernoulli. For and we use the single-letter expressions derived in Section V, and set for . For a finite-capacity battery, we implement the achievable scheme described above, and by means of the algorithm in [49] we simulate the system for very long sequences and evaluate the information leakage between the input and the output loads numerically and for different battery capacities. Moreover, for each , we find the value of that achieves the minimum information leakage rate by searching over a discretized set of values. As an example, Figure 4 represents the optimal values for each , when the input load is uniformly distributed and . In the figure, is not represented because, regardless of , the leakage when is always equal to the entropy of the input load. Also, the figure shows that for higher values, the minimum leakage is achieved for , i.e., it is better to always use the energy when available.
VI-A2 Battery-conditioned Policy
Here we consider a policy, in which , as defined before, can differ for different battery SOCs, i.e., the policy is characterized by a specific for each battery SOC , for . Thus, we now have the vector
[TABLE]
To find the optimal for each and we deploy a stochastic gradient descent algorithm, specifically we use the least square-based finite difference method to approximate the gradient [50]. Briefly, the algorithm works as follows. At any step, small perturbations are applied to each according to a uniform distribution over a predefined interval, and the leakage corresponding to the resulting perturbed vector is computed. The gradient of the leakage function can thus be approximated numerically by employing the leakage corresponding to a number of different perturbations. A new is finally computed using the gradient estimate and a predefined learning rate, and its corresponding leakage is determined and compared with that of the previous step. If the difference between the two leakage rates is below a certain threshold, the algorithm stops. Otherwise, the algorithm keeps on iterating.
Figure 5 shows the information leakage rate with respect to the renewable energy generation rate , for different battery capacities. For , we adopt the battery-conditioned policy, which has only a small gain with respect to the battery-independent policy. In particular, this gain is focused around smaller values. As expected, the least information leakage rate is achieved when and , while the maximum leakage occurs when and the UP knows the renewable energy process realizations. When the information leakage rate reduces significantly if the state is not known by the UP and, more interestingly, we observe that the performance of the proposed suboptimal memoryless scheme approaches that of the infinite-capacity battery with relatively small battery sizes. In addition, we can see that the gain from the battery is much higher when the renewable generation rate is higher, i.e., when is high. This is expected because when is low, there is less energy to be stored for future time slots.
VI-B Larger Alphabets:
Here we consider larger alphabets for , and . As the alphabet sizes grow, so does the complexity of searching for the optimal policy. Instead, we consider the following suboptimal policy. At each time instant, the policy chooses among using all of the available energy, half of it, or no energy at all and we model the probability as in the following:
[TABLE]
The probability pairs in (25) refer to the probability of using all the available energy and the probability of using half of it. Therefore, we have , for , and , for . For example, if , all of the available energy is used with probability , half of it, or the nearest integer value lower than that, is used with probability , and none of it is used with probability .
Figure 6 shows the results for the scenario for when . The input load is uniformly distributed over the alphabet , while the renewable energy generation follows a binomial distribution with parameters and . The information leakage rate for the infinite and zero battery scenarios is computed by using the single-letter expressions which are evaluated by efficient numerical algorithms, specifically the BA algorithm [48] and the CVX package [51]. In particular, for we set . For the finite battery scenario, we adopt the aforementioned policy and optimize the performance by trying different combinations of the probabilities , . Similar considerations to that of Figure 5 can be drawn for Figure 6 as well.
Remark 4**.**
We remark here that, in order to isolate the privacy benefits of RESs, we do not allow charging the battery directly from the grid, which can potentially reduce the information leakage. It is known that modulating grid energy intake by employing a storage device provides privacy even in the absence of an RES [23, 26], or jointly with an RES [52]. The additional privacy benefits of allowing charging of the RB from the grid will depend on the battery capacity. When , perfect privacy can be achieved by charging the battery initially, and using the battery throughout the operation. In the other extreme scenario, that is, when , obviously it is not possible to charge a non-existent battery from the grid. We leave a more detailed study of a finite-capacity storage device that can be charged by both the RES and the grid as a future work.
VII Continuous Input Loads
In the simulation results presented above, we have considered discrete alphabets for all the involved random variables. A set of fixed discrete values for the energy demands may not be an accurate model for all the appliances in the real world. However, as discussed in Section II, such hypothesis enables to constrain the output alphabet to the input alphabet without loss of optimality and to apply efficient algorithms to find the minimum amount of information leakage.
For continuous input loads, the optimal alphabet is also continuous. Thus, low-complexity numerical algorithms, such as the BA algorithm, cannot be applied. However, one can provide a lower bound on the privacy-power function by using the Shannon lower bound (SLB) [53, 54], which has been introduced by Shannon, and widely used in the literature to provide a computable lower bound to the rate-distortion function. Although it is not always a tight bound, it is shown in [30] that the SLB provides a tight bound for the information leakage rate for an exponentially distributed input load. The SLB for the rate distortion function is defined as where . The truncated exponential distribution maximises the entropy for a given mean value and a peak power constraint [53] and has the form [29]
[TABLE]
where and are chosen to satisfy the constraints on the moments. Thus, the SLB for the privacy-power function introduced in Theorem 1 is given by
[TABLE]
Authors in [29] show that the SLB is indeed achievable for peak and average power constraints, by finding the conditional distribution that satisfies the SLB with equality, provided that the energy coming from the battery is distributed according to a truncated exponential distribution with mean and peak .
Authors in [30] provide the SLB for the average power constraint, which, as we have shown, is equivalent to the infinite-capacity battery scenario.
VII-A No Battery - Renewable Energy not Known by the UP
Here only a peak power constraint is considered, i.e., is constrained by . The distribution that maximises the entropy over an interval is the uniform distribution
[TABLE]
For a fixed , the differential entropy of this distribution is . Then, the SLB in the case of zero capacity battery is
[TABLE]
where is a RV with a certain known distribution.
VII-B No Battery - Renewable Energy Known by the UP
As in the previous scenario, only peak power constraints are considered and thus the entropy maximising distribution is still the uniform distribution (28). The privacy-power function is given by the expected value over the distribution of the states of the privacy-power function related to every state. Hence, the SLB is
[TABLE]
VIII Conclusions
We have studied information leakage in an SM system by considering an RES along with an RB. For infinite and zero battery capacities, we have provided single-letter information theoretic expressions for the minimum information leakage rate, which can be efficiently evaluated when the input load has a discrete alphabet. For these scenarios, we have also studied the information leakage rate when the UP knows the exact amount of renewable energy generated in each time slot. In addition, for the finite-capacity battery scenario, we have proposed a suboptimal low-complexity energy management policy, and evaluated the corresponding privacy performance using a stochastic gradient descent algorithm. Our results show that the privacy achieved by the proposed low-complexity policy approaches the theoretical lower bound obtained by assuming an infinite-capacity battery with a relatively small battery capacity, especially when the generation rate of the RES is low or high.
Appendix A Proof of Lemma 5
Proof.
During the hiding phase, the random variable is i.i.d., as and are i.i.d and is generated from through a memoryless policy. can assume both positive and negative values with positive probability. The stochastic process
[TABLE]
is a random walk based on that moves along the battery SOC axis. Since by hypothesis , then , meaning that the random walk has a positive drift, i.e., as , drift towards the positive values of the SOC axis.
By the law of large numbers, when the amount of energy stored in the battery at the end of the storage phase is , almost surely. Let . When , . At , when the hiding phase begins, the energy in the battery is used according to the optimal privacy-preserving policy and the random walk state is . For any , represents the battery SOC at time . Our objective is to prove that the battery is never emptied, i.e., that the probability of crossing the threshold for any time is zero:
[TABLE]
This scenario is represented in Figure 7. We recall a corollary of Wald’s Identity [55, Chapter 7.5, Corollary 2], which is applied to find exponential bounds on the probability of threshold crossing. In particular, the corollary states that if we consider as having a finite moment-generating function over an interval , a negative drift and being the positive root of , then the probability of crossing threshold by the random walk is
[TABLE]
where is the minimum for which the threshold is crossed. Having a finite moment generating function means that must have moments of all orders and the tails of its distribution function must decay at least exponentially in as and . In our specific setting, , , and . We can still apply Wald’s identity by changing the signs of and and by considering the probability of crossing a negative threshold. Thus, we have
[TABLE]
where and . When and , and . Thus, we obtain
[TABLE]
∎
Appendix B Proof of Lemma 6
Proof.
Split the sequence of input and output symbols into the storage and hiding phases of duration and , respectively and let . Then, it is possible to write
[TABLE]
where (36b) follows because is i.i.d. and conditioning reduces entropy; (36d) follows since in the first time instants leakage of full information takes place, while in the following time slots private operation is assured via the optimal strategy of Theorem 2.
If we take the limit , since and is finite, we obtain the leakage rate
[TABLE]
∎
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] G. Giaconi, D. Gündüz, and H. V. Poor, “Smart meter privacy with an energy harvesting device and instantaneous power constraints,” in Proc. IEEE Int. Conf. on Commun. , London, UK, Jun. 2015, pp. 7216–7221.
- 2[2] Y. Mo, T.-H. Kim, K. Brancik, D. Dickinson, H. Lee, A. Perrig, and B. Sinopoli, “Cyber-physical security of a smart grid infrastructure,” Proc. IEEE , vol. 100, no. 1, pp. 195–209, Jan. 2012.
- 3[3] Smart Energy GB. Using a smart meter. [Online]. Available: https://www.smartenergygb.org/en/faqs?category=using-a-smart-meter
- 4[4] Smart Meter Texas. About us. [Online]. Available: https://www.smartmetertexas.com/CAP/public/home/home_about_us.html
- 5[5] M. S. R. Segovia. (2011) Set of common functional requirements of the smart meter”. [Online]. Available: https://ec.europa.eu/energy/sites/ener/files/documents/2011_10_smart_meter_funtionalities_report.pdf
- 6[6] European Union, “Directive 2009/72/EC of the European parliament and of the council of 13 July 2009 concerning common rules for the internal market in electricity and repealing directive 2003/54/EC,” Official J. European Union , vol. 52, no. L 211, p. 55–93, Aug. 2009.
- 7[7] I. Rouf, H. Mustafa, M. Xu, W. Xu, R. Miller, and M. Gruteser, “Neighborhood watch: Security and privacy analysis of automatic meter reading systems,” in Proc. ACM Conf. on Comput. and Commun. Security , Raleigh, NC, USA, Oct. 2012, pp. 462–473.
- 8[8] G. Hart, “Nonintrusive appliance load monitoring,” Proc. IEEE , vol. 80, no. 12, pp. 1870–1891, Dec. 1992.
