A Privacy-Preserving, Two-Party, Secure Computation Mechanism for Consensus-Based Peer-to-Peer Energy Trading in the Smart Grid

Consumers in electricity markets are becoming more proactive because of the rapid development of demand–response management and distributed energy resources, which boost the transformation of peer-to-peer (P2P) energy-trading mechanisms. However, in the P2P negotiation process, it is a challenging task to prevent private information from being attacked by malicious agents. In this paper, we propose a privacy-preserving, two-party, secure computation mechanism for consensus-based P2P energy trading. First, a novel P2P negotiation mechanism for energy trading is proposed based on the consensus + innovation (C + I) method and the power transfer distribution factor (PTDF), and this mechanism can simultaneously maximize social welfare and maintain physical network constraints. In addition, the C + I method only requires a minimum set of information to be exchanged. Then, we analyze the strategy of malicious neighboring agents colluding to attack in order to steal private information. To defend against this attack, we propose a two-party, secure computation mechanism in order to realize safe negotiation between each pair of prosumers based on Paillier homomorphic encryption (HE), a smart contract (SC), and zero-knowledge proof (ZKP). The energy price is updated in a safe way without leaking any private information. Finally, we simulate the functionality of the privacy-preserving mechanism in terms of convergence performance, computational efficiency, scalability, and SC operations.


Introduction
Recently, renewable distributed energy resources (DERs) [1], electric vehicles (EVs) [2][3][4][5][6], and energy storage systems (ESSs) have turned traditional consumers into prosumers; therefore, they can share energy locally to optimize the load and costs. Many households are now equipped with renewable generators, such as solar panels or wind turbines, which can provide energy in order to satisfy their own demand. The use of these DERs can help more DERs be absorbed into the grid in order to further reduce pollution. However, consumers who participate in the electricity market are required to behave more proactively and are, thus, known as prosumers. The increase in the number of prosumers naturally implies the need for a decentralized energy-trading mechanism that allows prosumers to freely trade with each other without a central supervising entity. Therefore, the network architecture is also changing from centralized to decentralized. A fully decentralized network architecture can be defined as a peer-to-peer (P2P) network in which the participants in the network share a portion of their own resources with one another. These shared resources can be accessed directly by consensus + innovation (C + I) method with a power transfer distribution factor (PTDF) model. Then, we analyze the privacy disclosure risk of this mechanism in the case of collusive attacks from neighboring agents. To avoid this risk, a secure, two-party computation framework is designed for updating the energy price between each pair of agents. Finally, the simulation results demonstrate the performance of market convergence, and the line-limit constraints, scalability, and encryption/decryption computation are maintained. The main contributions are the following: • We propose a novel P2P negotiation mechanism that incorporates the power transfer distribution factor (PTDF) model into the consensus + innovation (C + I) method, which can simultaneously maximize social welfare and comply with physical line constraints. By introducing line prices into the update process, agents are encouraged not to transfer power over congested lines. • Although the C + I method exchanges a minimum amount of information, there is still a risk of revealing private information. We analyze how individual private information (e.g., coefficients of generation, utility functions, and power limits) can be stolen and computed through a collusion attack by a group of collusive neighboring agents in the context of the P2P negotiation mechanism based on the C + I method. • The security objective and novelty of this paper are to protect the information exchanged between each pair of agents in the energy-trading negotiation process. We propose a novel, secure, two-party computation mechanism for the energy price update between each pair of agents based on the SC and Paillier encryption algorithm, which is known as an efficient additive HE method. Moreover, we propose a ZKP protocol to prove that the decrypted plaintext matches the ciphertext computed by SC.
The rest of the paper is organized as follows: Section 1 presents the formulation of the P2P energy-trading and social welfare maximization problem. Section 2 proposes the SC-based P2P negotiation mechanism for energy trading, followed by the two-party, secure computation framework in Section 3. The numerical results are presented in Section 4. Finally, in Sections 5 and 6, the discussions, conclusions, and future perspectives are drawn.

Problem Formulation
A typical P2P architecture for electricity markets is shown in Figure 1, which consists of simultaneous negotiation of the price and energy of multilateral trades based on predefined trading rules. It can be seen that a P2P mechanism for electricity markets is much more decentralized than existing centralized markets, where all agents must submit all their information, e.g., cost or utility function, power limits, and uncertainty information, to the market operator (MO), who centrally determines the dispatches of energy. In contrast, in P2P markets, all agents can freely negotiate the prices and quantities with each other for multilateral trading.

Peer-to-Peer Trading
In this paper, we build a market with a set Ω of agents defined as either producers or consumers. The market-clearing mechanism proposed below is for a day-ahead market to allocate the supply and demand of energy. It is assumed that all agents are supposed to be rational and truthful, as in [30], which means that they always make decisions to maximize individual benefits. A similar model of the P2P energy-trading process was proposed in our previous work [31,32].
First, the power injection E n of each agent n ∈ Ω is divided into a sum of bilaterally traded quantities with a set of neighboring agents m ∈ ω n as A positive value of E n represents surplus energy and a negative value means required energy. Before P2P energy trading, each prosumer will individually calculate the value of E n according to the power generation and consumption and then decide to be a buyer or seller in the trading. A positive value of E nm represents a sale/production, and a negative value means a purchase/consumption. To lighten notations, E n = {E n1 , . . . , E nm , m ∈ ω n } is used to represent the whole set of transactions of agent n. The power of an agent n is constrained as below: Each agent is restrained to either producer or consumer (E n E n ≥ 0). Hence, the decision variables are constrained to be positive (E nm ≥ 0) if it is a producer and negative (E nm ≤ 0) if it is a consumer, as follows: where Ω p and Ω c are the sets of energy producers and consumers, respectively. Finally, the market equilibrium between energy production and consumption is represented by a set of balance constraints of each pair of agents

Line Flow Constraints of Power Network
In this paper, PTDF is used to compute the power flow of lines and to label the lines used for power transfer in each transaction [33,34]. The PTDF for line l is denoted by ϕ l ij and indicates the fraction of the energy generated by the agents on bus i that is transmitted over line l to the agents on bus j. The PTDF is calculated by ϕ l ij = ψ l i − ψ l j , where ψ l i , ψ l j are injection shift factors (ISF) in line l for bus i and j. The ISF is an approximation of the sensitivity matrix and quantifies the redistribution of power through each branch after a change in generation or load on a particular bus. The ISF matrix is represented by Ψ [ψ l i ] ∈ R L×N , where N is the number of buses and L is the number of lines. This matrix can be obtained using Ψ B AC −1 by a diagonal branch susceptance matrix (B ), a branch-node incidence matrix (A), and a reduced nodal susceptance matrix (C). In the matrix A, a T l is the l th row where a line exists between bus i and j.
By having PTDF matrix and traded energy between prosumers, the power flow in line l can be computed by (6) In the above Equation (6), the producer n is at bus i and the consumer m is at bus j. Their traded power E nm has an impact on the flow of the line l. If the value is below or above the boundaries, the line prices (υ l , υ l ) are sent to the agents using that particular line to transfer power to avoid overflow or congestion.
Since the agents in the power grid use the conventional grid to transmit energy, both social welfare and line flow constraints should be considered. Here, line flow constraints are added as a constraint to the objective function to model the physical network in energy trading. To avoid damage to the transmission lines, the real power flow P l in each line l is bounded by the maximum capacity P max l with respect to the heat they can dissipate.

Social Welfare Maximization Problem
To simplify the formulation of the process, we model the production cost and consumer utility functions as quadratic functions of the power set-point, as below: where a n , b n , and c n are predetermined positive constants. From above, the P2P market has the objective to maximize the social welfare of all agents under the constraints. The problem can be equivalently formulated as a cost minimization problem, as below: Since the social welfare maximization (or cost minimization) problem is a convex optimization problem, it has a unique optimum that can be achieved by a plethora of centralized methods. However, this requires the disclosure of all the agents' information. It is better to design a P2P negotiation mechanism that can achieve optimal dispatches of the above optimization problem (9).

Blockchain-Based P2P Negotiation Mechanism for Energy Trading
In this section, we first design a novel P2P negotiation mechanism for energy trading inspired by the consensus-based approach proposed in [35]. We then present the implementation of P2P energy trading using blockchain and SC.

C + I-Based Decentralized Negotiation Mechanism
The decentralized negotiation mechanism for P2P energy trading is based on the C + I method, which consists of updates to the primary energy quantity variables, updates to the dual variables, and convergence criteria. The main reason for choosing the C + I method to design the market-clearing algorithm is that the information exchanged between agents is minimal compared to other methods, such as the ADMM method [36,37] and the primal-dual gradient [33]. Since the shared information is very small, the communication overhead is lower and the risk of leakage of private information is also lower. Compared with the previous results in [35], the first difference is that the physical line flow constraints of the power grid are considered in our model. Line prices are introduced to induce agents to spontaneously adjust their power generation or consumption, as shown in (13). The second difference is that SC is used to implement the mechanism, including updating the energy quantities and prices, calculating the power flows, updating the line prices, convergence checking, storing the transaction results, and querying. Therefore, compared with previous work, the mechanism we developed is a more realistic and practical decentralized negotiation algorithm for P2P energy trading.

Local Optimization Problem
For each agent n in bus i, the local optimization problem at a given iteration k is where λ nm are the dual variables of the equilibrium conditions (4) and define the traded energy prices E nm . λ n = {λ n1 , . . . , λ nm } is used to represent the total traded energy prices between neighboring agents.

Primal Variable Updates
Updates to the energy quantities of agent n are based on the Karush-Kuhn-Tucker (KKT) conditions of the local optimization problem. The relaxed Lagrangian function of the local optimization problem (10) at iteration k can be expressed as follows: According to the first-order optimality conditions of the Lagrangian problem, for all trades between agents n ∈ Ω and m ∈ ω n , we have Then, we can obtain that According to the complementary conditions µ n × E n = µ n × E n = 0, the above update (13) can be equivalently transformed to another more concise form, as below: In this way, the dual variables {υ k l , υ k l } is omitted and the update process is simpler. Then, the primal variables {E nm , m ∈ ω n } are updated as below (here for a producer): where f nm is an asymptotically proportional factor defined as with δ k a positive constant. The operator [·] + = max(0, ·) in (15) is used to enforce the sign constraint of the decision variables and is replaced in the case of a consumer by operator [·] − = min(0, ·).

Dual Variable Updates
The price for a given trade is calculated individually by each agent. After convergence, a consensus has to be reached on these prices (i.e., λ nm = λ mn ). The energy price λ k+1 nm will be updated in this form: Price convergence is ensured in the price update by a consensus term. The last term, the innovation term, ensures energy equilibrium between agents. α k and β k are sequences of positive factors set by the individuals such that each excitation is persistent so that the series of each sequence converge. The tuning of these parameters (α k and β k ) is key to the convergence performance of the algorithm and usually requires a trade-off between convergence speed and adaptation to changes in setting. Performance could be improved by using an adaptive parameter. The calculations steps (13)- (16) are all performed locally without communicating with others. Only in step (17) does agent n need to receive information {E k mn , λ k mn } from agent m to update the energy price λ k+1 nm . Finally, the line manager (LM) will be responsible for calculating the power flows in each line by (6), and the line prices υ k+1 l , υ k+1 l will be updated as where φ k is the tuning parameter.

Condition of Convergence
The above decentralized algorithm converges as long as the following conditions are met: where χ E , χ λ and χ υ are stopping criterion predetermined by market operator.

Implementation of P2P Energy Trading by Smart Contracts
An illustration of the blockchain-based P2P trading architecture is shown in Figure 2. The process is described below.

•
In the first step, all agents initiate a pair of energy prices and quantities in parallel and send it to neighboring agents. Then, each agent updates its quantities and prices for its neighbors using (15) and (17), respectively. The update process is automatically performed by SC, which is installed on each agent.
• After updating each agent, all agents send their traded energy to LM, which calculates the power flows and line prices on each line using (6) and (18), also from SC. • Then, LM sends the line flow prices to the corresponding agents using the particular line for power transmission. By applying these line usage price signals, the agents will try to trade energy with nearby ones, which can reduce power losses. • After each iteration, each agent and LM send the updated results to MO, who will check if the stopping criteria are met (19).

Privacy-Friendly P2P Computation Framework
We have formulated a decentralized negotiation algorithm between agents based on the C + I method, but there are still obvious shortcomings. During the negotiation process, agents need to share the updated energy and price data with neighboring agents, and privacy may be lost during the process. Malicious attackers can obtain private information by studying the updated energy and prices. Therefore, developing a privacy-friendly information exchange scheme is the prerequisite for P2P energy trading. In this paper, we propose a privacy-friendly, two-party, secure computation scheme, mainly using HE technology, SC, and ZKP to realize secure information exchange between agents. To our knowledge, none of the existing work uses HE for P2P energy trading. Previous works mainly use HE to solve the AC optimal power flow (ACOPF) problem [25], DC optimal power flow [27], and gradient-based distributed optimization [28]. Our work is the first attempt to combine the HE method with a consensus-based approach and to apply it to the P2P energy-trading mechanism. In the proposed scheme, encryption is implemented by the Paillier cryptosystem [38].
There are two security goals for the privacy-friendly P2P computational framework.
The first is to protect individual private information F k nm = E k nm , λ k nm from attacks and acquisition by malicious neighboring agents. The second task is to guarantee that the third party (not the agents) follows the energy price update rules (17) during operation.

Collusion Attack
To perform C + I updates, a minimum amount of information must be exchanged. At each iteration of the process, the set F k nm of information sent from one agent n ∈ Ω to a neighboring agent m ∈ ω n at iteration k must be the following: The internal production/consumption parameters (a n , b n , E n , E n ) of all agents need not be shared to achieve optimality. However, this mechanism cannot protect individual privacy. Consider a specific scenario in which the neighboring agents of agent n conspire to obtain the internal production/consumption parameters of agent n, as shown in Figure 3a. We will introduce two attack strategies to derive the parameters (E n , E n ) and (a n , b n ), respectively. 1.
If agent n is a producer, all neighboring agents (consumers) can intentionally increase the purchase price λ mn little by little until E nm remains unchanged between two iterations. In this case, the output of agent n has reached the upper bound E n . After that, all neighboring agents can communicate with each other to sum all E nm and obtain the private information E n . Similarly, a group of malicious neighboring agents can cooperatively lower the purchase price to obtain the lower bound E n . 2.
Since the neighboring agents of agent n have received the information about the power boundaries, the group of neighbors for the power update (13) can construct a set λ n such that the output does not reach (E n , E n ), (means µ n = µ n = 0 ). Under this construction, the update (13) can be simplified as follows: By substituting two iteration results λ k n , E k+1 n , λ k+1 n , E k+2 n (where E n can be obtained by summing up all E nm ) into (21), a n can be solved by randomly choosing a trade with neighbor m, as below: where V k nm = ∑ l∈L n,m∈i,j ϕ l ij υ k l − υ k l , and this is all public information. After obtaining a n , b n can be readily calculated by (21).
Thus, although very little information needs to be shared in C + I updates, there is still the risk of loss of privacy in the event of a clandestine attack by a group of malicious neighboring agents. There is a need to develop a privacy-protection mechanism for P2P negotiations between agents.

Smart Contract
⑦ send +1 and a ZKP that proves the decrypted result is correct with the ciphertext b Two-party, secure computation

Homomorphic Encryption/Decryption Mechanism
The Paillier algorithm implementation scheme is detailed below [39]. Key generation: Two prime numbers p and q are randomly chosen to satisfy gcd(pq, (p − 1)(q − 1)) = 1, where gcd stands for the greatest common divisor. Then, N = p * q and λ = lcm(p − 1, q − 1) are founded, where lcm stands for the least common multiple. We randomly pick g ∈ Z * N 2 to satisfy gcd(L(g λ mod N 2 ), N) = 1 and ensure there exists where L(x) = x−1 N . The public key is found as N, g, and the private key is found as λ, µ. Encryption Function (Enc): Let the plaintext message be m ∈ Z N and the public key be pk; then, the encrypting function is Enc(m, pk) = g m · r N mod N 2 (24) where r is a random pad r ∈ Z * N 2 . Decryption Function (Enc): Let the ciphertext be c and the secret key be sk, the plaintext can be computed as follows:

Property 1. (Additive Homomorphic):
The additive homomorphic property allows the user to operate the message in its ciphertext directly. Assume the two plaintexts are m 1 , m 2 and the key pair is sk i , pk i ; then, we have Obviously, we have c 1 * c 2 ≡ g m 1 +m 2 · (r 1 · r 2 ) N mod N 2 ; thus, we can conclude that m 1 + m 2 mod N = Dec(Enc(m 1 , pk i ) ⊕ Enc(m 2 , pk i ), sk i ) = Dec(c 1 * c 2 , sk i ).

Property 2. (Non-Deterministic):
The non-deterministic means that a given plaintext can be encrypted into a very large set of possible ciphertexts. This property prevents an adversary from associating ciphertext with observed information.

Two-Party, Secure Computation
A privacy-preserving, two-party, secure computation framework is designed using HE, ZKP, and SC, as shown in Figure 3b. Before submitting the transaction data to SC, the agents use the public keys generated by the Paillier encryption algorithm to encrypt the aggregated transaction data. The data are in the form of ciphertext, which does not reveal any private information of the agents even if an attacker obtains it. The result of the ciphertext operation matches the result of the plaintext operation Compared to standard public key encryption, it is the simpler method with the same result, but there is no guarantee that agent n follows the rules to compute λ k+1 nm . Agent n can increase λ k+1 nm to make more profit but runs the risk of not offering enough goods in real time. The combination of HE and SC costs more computational resources but can guarantee the update of energy prices, fend off privacy attacks, and restore the computation result to the blockchain for verification.
Looking at the update steps, only the energy price update (17) will use the information F k nm = E k nm , λ k nm received from neighbor m. Thus, the energy price update is implemented by the Paillier encryption algorithm since it satisfies additive homomorphic. The HE-based secure two-party computation algorithm is described below.
• Agent n generates an individual public key pk n and a secret key sk n . The public key is sent to agent m for encryption. • Agent n performs an aggregation operation I nm = (1 − β k )λ k nm − α k E k nm , and an encryption Enc(I nm , pk n ) is sent to SC on Agent n. • Agent m also first performs an aggregation operation I mn = β k λ k mn − α k E k mn and an encryption Enc(I mn , pk n ) using agent n's public key and sends it to SC. • After collecting the information from two agents, SC computes Enc(I nm , pk n ) ⊕ Enc(I mn , pk n ). From (17), we have λ k+1 nm = I nm + I mn . Thus, according to the additive homomorphic encryption property, the result is Enc(λ k+1 nm , pk n ), which will be sent to agent n and m.

•
Agent n executes Dec Enc(λ k+1 nm , pk n ), sk n to obtain the decryption λ k+1 nm and sends it to Agent m. • Agent n generates and sends a ZKP to Agent m to prove that the plaintext λ k+1 nm is correct with the ciphertext Enc(λ k+1 nm , pk n ) computed by SC. Details of the construction of the ZKP are provided in Appendix A.

Remark 1.
Another challenge is to verify the authenticity of the message Enc(I nm , pk n ). To solve this problem, we can take advantage of digital signatures. Agent n first uses a one-way hash function to obtain a 128-bit digest H(Enc(I nm , pk n )) and then encrypts the digest with its private key to obtain the encrypted digest D n = Enc(H(Enc(I nm , pk n )), sk n )). The message Enc(I nm , pk n ), the encrypted digest D n , and the public key pk n are packed and sent to SC. SC verifies the authenticity of the message by checking that the digest of the message processed by the hash function matches the decryption of the received encrypted digest with the public key, i.e., H(Enc(I nm , pk n )) ? = Dec(D n , pk n )

Security and Privacy Analysis
Given the two security goals, to achieve the first goal, we first perform an information aggregation operation for agent n and m, respectively (I nm = (1 − β k )λ k nm − α k E k nm and I mn = β k λ k mn − α k E k mn ). By using aggregation operations, even if attackers obtain the information, they cannot reveal the original information. Then, agent n uses public key pk n to encrypt I nm and sends pk n to neighboring agent m to encrypt I mn . The information is encrypted with the public key of agent n, so even if the information is obtained by malicious attackers, the original data cannot be recovered without the private key. The information is encrypted with agent n's public key, so it is undeniable that agent n can recover I m n. However, agent n can only obtain the value of I m n; there is no way for agent n to recover the original private information {E k mn , λ k mn } from I m n since the aggregation operation is performed locally in agent m.
To achieve the second goal, the third party is traditionally required to provide zeroknowledge proof of the additional operation. However, this can lead to a higher computational cost for generating the proof. In this work, HE ensures that the decryption value of the result of the ciphertext computation is equal to the result of the plaintext computation, and we use secure SC to realize the ciphertext computation Enc(I nm , pk n ) ⊕ Enc(I mn , pk n ). Thus, the combination of SC and HE can ensure the correctness of the result Enc(λ k+1 nm , pk n ). Moreover, we design a ZKP protocol to prove that the decrypted result is correct with the ciphertext computed by SC using Paillier's algorithm.
Through the above analysis, it is concluded that using a combination of HE, SC, and ZKP to build the two-party secure operation is a very useful and efficient way to satisfy the security goals of P2P energy trading.

Results
This section presents numerical results for performance evaluation of the proposed privacy-preserving, P2P negotiation mechanism using different case studies. The case studies were conducted on a computer with an Intel Core i7 processor running at 2.90 GHz and 32 GB RAM. We use Ganache to set up a private Ethereum Homestead blockchain test network. Remote procedure calls via Web3.py/HTTP allow the Python scripts to communicate with the SCs. The Solidity language is used to develop the SCs, which is a special language for SCs on Ethereum.

Simulation Setup
For illustration and discussion, a small distribution network with seven agents is considered as in [33]. The convergence performance, line congestion management, and encryption algorithm performance are shown in Figures 4-6, respectively. Then, we investigate the impact of the number of agents on convergence performance, as measured by the number of iterations and computation time, and the results are shown in Figure 7. The results verify that our proposed mechanism is feasible for networks with a large number of agents. For line congestion management, the verification results in networks with 13 nodes are sufficient to prove the feasibility of the proposed mechanism in large networks. Finally, regarding the performance of the encryption algorithm, increasing the number of nodes has little impact on the computational performance since the method is used for the negotiation process between two agents.

Convergence performance of the negotiation mechanism
In this case study, the maximum line capacity P max l is set to 10 for all lines. The convergence process of the algorithm is shown in Figure 5, from which it can be seen that all trading between sellers and buyers converge after about 160 iterations. Although the consensus-based algorithm only requires a minimum set of information to be exchanged, the main drawbacks is the number of iteration for convergence may be higher than other methods. It can be seen that, the sum of energy amount and energy prices absolute value of gap keep decreasing with oscillation, while the sum of line prices absolute value of gap is staying at zero, since no line is congested. The final traded energy quantities and prices are shown in Figure 2. It is noticed that the results of S1 and S3 are same, since their parameters a n and b n are same. While for B1 and B3, their buying prices are same, but the quantities of B3 are higher since its demand is higher (−8 < −7).

Performance of Line congestion management
The impact of line capacity limit on the power flow is investigated. The maximum line capacity for these lines ranges from 3-8 kW. In the test system, the results are displayed only for lines with non-zero power flow. The results are displayed in Figure 6, and it is confirmed that the power flows in these lines are always within the maximum line capacity, which means the proposed algorithm can maintain line flow constraints in the P2P power network. If there is a congested line in the network, and agents will avoid trading through the congested lines because they have to pay additional network fees.

Performance of Scalability
In real world, P2P energy trading mechanism will be deployed on power networks with a large number of agents, and the amounts of transactions will be substantial. The computation time and number of iteration are two key factors measuring the scalability of the mechanism. To demonstrate the scalability of our mechanism, we add more agents There are seven agents in the power network, consisting of four sellers and three buyers. The test system is a 13-node network, as shown in Figure 8. The sellers are located at buses 2, 5, 8, and 10, and the buyers are located at buses 3, 4, and 9. Bus 1 is the reference bus. The connections indicate the physical electrical connections, and the communication network is assumed to have a connected network for the communication of all agents. The parameters of sellers and buyers are listed in Table 1. We set the susceptance of each branch to b 1 = b 2 = . . . = b L = 10s. All stopping criteria χ are set to 10 −4 . The tuning parameters are chosen as follows: and the stopping criteria are set to

Convergence Performance of the Negotiation Mechanism
In this case study, the maximum line capacity P max l for all lines is set to 10. The convergence process of the algorithm is shown in Figure 4, from which it can be seen that all trading between sellers and buyers converges after about 160 iterations. Although the consensus-based algorithm requires a minimum amount of information to be exchanged, the main drawback is that the number of iterations to converge can be higher than other methods. It can be seen that the sum of the absolute values of the gap of energy quantity and prices decreases with oscillation, while the sum of the absolute values of the gap of line prices remains at zero since no line is congested. The final traded energy quantities and prices are shown in Table 2. It is noticeable that the results of S1 and S3 are the same because their parameters a n and b n are the same. For B1 and B3, the purchase prices are the same, but the quantities of B3 are higher because the demand of B3 is higher (−8 < −7).

Performance of Line Congestion Management
The impact of line capacity limit on power flow is investigated. The maximum line capacity for these lines ranges from 3 to 8 kW. In the test system, the results are shown only for lines with non-zero power flow. The results are shown in Figure 5, and it is confirmed that the power flows in these lines are always within the maximum line capacity, which means that the proposed algorithm can meet the line flow constraints in the P2P power grid. If there is a congested line in the network, agents will avoid trading over the congested lines because they have to pay additional network charges

Performance of Scalability
In the real world, the P2P energy trading mechanism will be used in power networks with a large number of agents, and the number of transactions will be significant. The computation time and the number of iterations are two key factors that measure the scalability of the mechanism. To demonstrate the scalability of our mechanism, we add more agents to each bus. The parameters of the agents are chosen randomly, while the tuning parameters (δ k , β k , and α k ) are carefully designed for tolerable performance. The line capacity is chosen large enough to make no congestion happens. Figure 7 shows the effects of the number of agents (between 70 and 420) on the two factors. It can be seen that both the computation time and the number of iterations increase approximately linearly with the number of agents. The performance of computational time is excellent (under 4 s for 420 agents), but more iterations (almost 450) cost. The results show that our proposed mechanism is feasible for networks with a large number of agents.

Encryption Algorithm Computation Performance Analysis
In this section, we analyze the trade-off between privacy and computational cost. In the original decentralized negotiation mechanism, where no homomorphic encryption is applied, the computation time of each agent for each iteration is so small that it is negligible. To ensure privacy, a privacy-preserving mechanism based on homomorphic encryption is proposed to be used at each iteration. Agents need to encrypt their private information and to submit it to SC to perform ciphertext computation. The Paillier homomorphic encryption used in the simulation comes from the phe (Partially Homomorphic Encryption) library in Python. Figure 6a shows the encryption and decryption time of the agents. The encryption time of agent n and m is close to each other and is about 0.11 s. The decryption time is much lower compared to the encryption time and is about 0.03 s. Figure 6b shows the public/private key and the size of the ciphertext. The size of the ciphertext is slightly larger than 1750, while the public/private keys are much smaller.

Computational Performance under Different Mechanisms
In this section, we investigate the computational performance under four different mechanisms. (1) P2P trading is performed without a privacy-preserving mechanism.
(2) P2P trading runs under the Paillier HE mechanism. The agents each encrypt their bid information {λ nm , E nm } and send it to a program to perform cipher computation.
(3) P2P trading runs under the two-party, secure computation mechanism without ZKP. (4) P2P trading runs under the two-party, secure computation mechanism with ZKP. The computation time for each agent in one iteration is displayed in Figure 9. It can be seen that the computation efficiency is very high without any privacy mechanism. The time spent on the second mechanism is higher than for the third because more information needs to be encrypted, which is very time-consuming. The efficiency of the third mechanism is at a medium level and is acceptable. The agents only need to encrypt the aggregated information {I nm , I mn }, which can greatly reduce the time consumption. Finally, the fourth mechanism is the most ineffective one because the ZKP protocol is very time-consuming and, most of the time, is for computing the inverse element by the expand Euclid algorithm (M = N −1 mod φ(N)). This problem will be studied in our future work.
No privacy-preserving mechanism Only Paillier HE Two-party secure computaion without ZKP Two-party secure computaion with ZKP

Blockchain-based P2P Energy Trading Platform
In our simulation, we use Ganache to establish a private Ethereum Homestead blockchain called "Privacy-Preserving P2P Market", as shown in Figure 10. The first address belongs to MO, and the second one is LM's address. The rest of the addresses are assigned to each and every agent. The local computation steps are executed by Pythons codes, and then sending the encrypted information to SC installed on Ganache by Web3.py/HTTP.
Agents have two ways to update the energy prices. First is to run the SC SC AG to realize automatically energy price update. Second one is submit the encrypted information to the SC SC AGHE to implement the ciphertexts computation. After updating the energy quantities and prices, which will be broadcast over the network, LM will updates power flows and line prices via SC SC LM , while MO will check if the market converges via SC CO . Finally, after all trading are balanced, MO will store the transaction results on the blockchain via SC TR , which can be checked by everyone in the network.

Blockchain-Based P2P Energy-Trading Platform
In our simulation, we use Ganache to establish a private Ethereum homestead blockchain named "Privacy-Preserving P2P Market", as shown in Figure 10. The first address belongs to MO; the second is LM's address. The remaining addresses are assigned to each agent. The local computation steps are performed by Python's codes, and then, the encrypted information is sent via Web3.py/HTTP to SC installed on Ganache.
The agents have two ways to update the energy prices. The first is to run SC SC AG to automatically update the energy prices. The second option is to submit the encrypted information to SC SC AGHE to implement the ciphertext calculation. After updating the energy quantities and prices disseminated over the network, LM updates the power flows and line prices via SC SC LM , while MO checks whether the market converges via SC CO . Finally, after all trades are balanced, MO stores the transaction results on the blockchain via SC TR , which can be checked by anyone on the network.

Discussion
The most valuable achievement of our proposed mechanism is to provide a privacypreserving, two-party, secure computation mechanism for the P2P negotiation mechanism between each pair of agents. The agents cannot know each other's actual bidding information. However, operational efficiency has been sacrificed for privacy protection. A lot of time and computing power are spent on encrypting and decrypting information. In addition, the introduction of SC further extends the time to achieve convergence. Therefore, our future work will mainly focus on how to increase the computational efficiency under the privacy-friendly mechanism. The first way is to develop a P2P negotiation mechanism that uses a more efficient decentralized optimization algorithm. For example, the consensus ADMM algorithm [31,32], which can guarantee convergence with a smaller number of iterations. The challenge is to combine the consensus ADMM with the HE mechanism. Another way to increase efficiency is to reduce the amount of information to be encrypted or protected. As we analyzed in Section 3.1, in the C + I method, private information is revealed and disclosed only in the collusion attack by all neighboring agents. If we carefully select a part of the exchanged information to be encrypted, the private information can also be protected. We can perform the two-party secure computation with only one neighboring agent, and that is enough to protect private information from attacks. With this strategy, the computation cost can be reduced from O(N 2 ∆T) to O(N∆T), where ∆T is the sum of the encryption and decryption time of the two-party secure computation.

Conclusions
In the P2P energy market, agents must exchange a large amount of information to reach consensus on the final trade. However, this fully decentralized negotiation may lead to the disclosure of private information. In this paper, we propose a privacy-preserving, two-party, secure computation mechanism for P2P energy trading that leverages many technologies. We first design a P2P negotiation mechanism based on the C + I method and the PTDF model. This mechanism can maximize social welfare while satisfying the physical line flow constraints. Then, for this mechanism, we analyze the two collusion attack strategies to obtain private information from a group of malicious neighboring agents. To protect against this kind of attacks, a two-party, secure computation mechanism is proposed for each pair of agents to update the energy prices. The agents first aggregate their bid price and bid quantity and then encrypt the information with the public key generated by the Paillier algorithm. Then, the computation of the ciphertext is automatically performed by SC, and the correctness of the decryption is proved by a ZKP protocol. The simulation results demonstrate the performance of convergence, line congestion management, scalability, computation efficiency, and SC operations.

Conflicts of Interest:
The authors declare no conflict of interest.

C n (·)
Production cost or utility function of agent n i, j Indices for buses n, m Indices for agents l Index for power lines E, E Boundaries of power a n , b n , c n Coefficients of the quadratic function of agent n L Set of lines N Set of buses Ω Set of agents χ E , χ λ , χ υ Stopping criterion I nm Aggregation Information pk n , sk n Public key and secret key of agent n