1 Understanding Game-Based Privacy Proofs for Energy Consumption Aggregation Protocols Andreas Unterweger, Sanaz Taheri-Boshrooyeh, G¨ unther Eibl, Member, IEEE, Fabian Knirsch, Alptekin K¨ upc ¸¨ u, Member, IEEE, and Dominik Engel, Member, IEEE Abstract—Despite the large number of privacy-preserving aggregation protocols in the Smart Grid, there is no common methodology for evaluating and comparing their privacy guar- antees. Protocol discussion often lacks a formal evaluation of the proposed privacy guarantees. In order to transfer the well- established formal methodology of game-based proofs to the Smart Grid domain, in this paper, we present (i) a game-based privacy definition which addresses the privacy requirement to be captured in an aggregation protocol (the definition may be used or extended for other protocols); (ii) we exemplify our game-based proof technique for two aggregation protocols, and (iii) we provide a novel and compact way to visualize and easily compare the privacy guarantees of different protocols. We employ two sample protocols that reflect the basis of the most common approaches currently found in the energy aggregation literature. In summary, we contribute a guideline on how to conduct formal evaluations for protocol developers as well as an easy-to-understand way to assess the privacy guarantees of different aggregation protocols for non-experts. Index Terms—Smart Grid, Aggregation, Privacy, Game-based Proof, Visualization I. I NTRODUCTION F OR some use cases in the Smart Grid, e.g., grid stability and load forecasting, the total energy consumption of a neighborhood, city, or region is needed [1]. While aggregating, i.e., adding up, the individual consumption values of each household in an area seems to be a trivial task, straight-forward summation would expose each household’s contribution al- though only the sum of all consumption values is needed [2]. This raises privacy concerns [3], especially if smart meters measure at high resolutions [4]. The concerns lead to a large number of proposals for privacy-preserving aggregation protocols, e.g., [5]–[8]. Pro- tocols that protect customer privacy aim at reducing the data to the required minimum for the purpose of providing a particular service [9]. For aggregation protocols, this is reflected by providing data at minimum required spatial or temporal resolution needed for the use case, e.g., network monitoring or billing. While the terms privacy and security are often used incon- sistently, for the purpose of this paper, privacy is defined as protecting legally acquired data from illegal or unauthorized use (e.g., smart meters learning other smart meters’ individual A. Unterweger, F. Knirsch, G. Eibl and D. Engel are with the Center for Secure Energy Informatics, Salzburg University of Applied Sciences, Puch bei Hallein, Austria. S. Taheri and A. K¨ upc ¸¨ u are with the Cryptography, Security and Privacy Research Group, Koc ¸ University, ˙ Istanbul, Turkey. Manuscript received December 5, 2017; revised October 19, 2018. energy consumption), whereas security refers to an external attacker affecting correctness (e.g., changing the aggregate). In this paper, our focus is privacy only. Protocols that protect customer privacy therefore aim at reducing the data to the required minimum for the purpose of providing a particular service [9]. For aggregation protocols, this is reflected by pro- viding data at minimum required spatial or temporal resolution needed for the use case, e.g., network monitoring or billing. Different methods to ensure privacy are used by various privacy-preserving aggregation protocols, e.g., homomorphic encryption [10], masking [6], and secret sharing [11]. Despite the indicated advantages and disadvantages of each method, choosing a protocol from the wide variety is difficult due to the vast differences in privacy guarantees that the corresponding publications make. There are two main reasons for these differences. First, different publications assume different adversaries and adversary capabilities, i.e., who may attack the data to be aggregated and how. While some authors consider very powerful adversaries, e.g., one capable of manipulating data and colluding with other parties participating in the protocol [12], others only consider a subset of honest parties which must not collude, e.g., [10], [13]. This makes it very hard to compare different protocols. Second, and more importantly, different publications use different levels of rigor to prove the privacy-preserving prop- erties of the protocols they propose. “Proofs” range from short arguments in prose (e.g., [2], [12]) to actual game- based proofs (e.g., [14]–[16]). On the one hand, this limits the number of available protocols with rigorous proofs of their privacy-preserving properties, while, on the other hand, for non-experts, protocols with in-depth proofs are sometimes hard to follow (e.g., [6]) and thus difficult to classify in terms of their exact privacy guarantees. To make the comparison of privacy guarantees of aggrega- tion protocols easier, in this paper we present the following: • First, we provide a rigorous game-based definition of the required privacy guarantees for aggregation protocols. Note that, while other proof techniques like simulation- based proofs also exist [17] in the context of aggregation protocols, for the sake of presentation and space, we leave them out of scope and as future work. • Second, we provide exemplary formal game-based proofs of sample aggregation protocols, based on our formal definition and cryptographic methodology. • Third, we describe privacy levels that reflect different amounts of effort required to break the privacy of a Published version available at IEEE: https://doi.org/10.1109/TSG.2018.2883951 Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.