P2PEdge: A Decentralised, Scalable P2P Architecture for Energy Trading in Real-Time

: Current Peer-to-Peer (P2P) energy market models raise serious concerns regarding the conﬁdentiality and integrity of energy consumption, trading and billing data. While Distributed Ledger Technology (DLT) systems (e.g., blockchain) have been proposed to enhance security, an attacker could damage other parts of the model, such as its infrastructure: an adversarial attacker could target the communication between entities by, e.g., eavesdropping or modifying data. The main goal of this paper is to propose a model for a decentralised P2P marketplace for trading energy, which addresses the problem of developing security and privacy-aware environments. Additionally, a Multi-Agent System (MAS) architecture is presented with a focus on security and sustainability. In order to propose a solution to DLT’s scalability issues (i.e., through transaction conﬁrmation delays), off-chain state channels are considered for the energy negotiation and resolution processes. Additionally, a STRIDE (spooﬁng, tampering, repudiation, information disclosure, denial of service, elevation of privilege) security analysis is conducted within the context of the proposed model to identify potential vulnerabilities.


Introduction
Technological changes have induced an ongoing transition from traditional power grids to smart grids [1]. While the traditional power grid can be characterised as a centralised and mostly passive system, the smart grid can be described as a decentralised system with a two-way flow of communication and energy between customers and producers. The characteristics of each system also apply to the way data are handled. In traditional power grid systems, transactions are managed centrally for each interaction of an energy consumer and producer, which can result in scalability issues in bi-directional distributed markets. Scalability can be defined as the ability of a system to maintain its function and performance while the system grows larger [2]. However, scaling a system does not necessarily imply that a system performs well. For instance, Hines et al. [3] found that centralised control structures are inferior to local control structures. Furthermore, in terms of resilience, fault tolerance, adaptability, security and trust, the decentralised approach is seen as potentially superior [4][5][6][7].
Numerous researchers [8][9][10][11] have proposed decentralised approaches for the implementation of management, control and business processes using smart grids based on Distributed Ledger Technology (DLT). The strength of DLT and its decentralised Peerto-Peer (P2P) structure makes it a natural choice [8,[10][11][12][13][14] for the implementation of a smart grid marketplace and its energy systems as a Multi-Agent System (MAS) [15]. The best known DLT, blockchain, can be described as a chain of cryptographically secured, time-stamped and immutable blocks that exist in multiple, geographically disparate and synchronised ledger nodes. All DLT systems use Byzantine Fault-Tolerant algorithms to create consensus among the nodes and therefore create a strong non-repudiation property [10].
The currently proposed P2P energy market models ignore the security and privacy of the infrastructure and architecture of the market. For example, Luo et al. [12] presented a two-layered P2P marketplace with a multi-agent trading negotiation as a first layer and a DLT settlement system as a second layer. The model mentions only the role of prosumersconsumers that can generate energy by using Distributed Energy Resources (DERs) such as photo-voltaic systems [15]-while disregarding other market participants. Additionally, the paper barely considers security measures outside of a DLT system. In parallel, Zhang et al. [9] proposed a P2P local energy market based on game theory that includes other market participants such as consumers, electricity suppliers and a community coordinator but does not consider security considerations. The work from Guerrero et al. [13] includes distributors in their P2P market while also considering that an energy transaction does not violate any constraints of the electrical grid. However, this paper has similar security shortcomings. While some works acknowledged the importance of security through the use of DLT [8,12], potential threats from the communication between entities and the system's architecture are not considered thoroughly enough. Malicious insiders, for example, could exploit their approved status [11] to manipulate other participants' statuses in the system. An adversary could use impersonation techniques to gather information about trades and other participants, or the communication lines could be used to eavesdrop, modify data and infiltrate malware.
The main goal of this paper is to propose a model for a P2P marketplace for trading energy between autonomous agents (i.e., market participants) using DLT. Subsequently, this model is referred to as P2PEdge. P2PEdge combines emerging technologies (DLT, 5G, edge computing) which allow for the provision of dynamic, scalable and sustainable MAS. The potential trading relationships among agents are defined by a DLT network through smart contracts. Smart contracts are self-executing contracts with the terms of the agreement between the buyer and the seller [16]. As the execution of a smart contract is controlled by a decentralised, distributed DLT network, its transactions are therefore trackable and irreversible [16]. However, DLT systems are subject to transaction limitations due to delays of transaction confirmations [17]. The delay results in high latency, which is unsustainable when a transaction needs to be completed in milliseconds instead of every hour [10]. An off-chain resolution is considered as it provides a verifiable, real-time solution: an off-chain solution enhances the scalability of the energy market, increasing the security and the privacy of the model [18,19].
Another issue is that a real-time marketplace comes at an additional performance cost. For instance, the installation of advanced metering infrastructure (e.g., smart meters) and energy management systems is necessary to support the communication between consumers and the grid. With smart meters aggregating a tremendous amount of data that are difficult to transfer, analyse and store [20], new solutions need to be introduced. One potential solution that can circumvent the data problem is the use of an edge computing architecture [21]; for instance, by adding cloud computing capabilities (i.e., storage, computational resources) at the edge of a radio access network. Edge computing could be able to process the data produced by smart meters and also increase transmission performance. The decreased latency for network communication would also aid the system to provide data analysis in near real-time [20]. However, it should be kept in mind that a performant network connection to all hosts would be necessary to prevent the formation of a bottleneck at the radio access network. The system then can be introduced to Artificial Intelligence (AI) in order to control the energy flow, manage the automated trading and forecast future loads. Specifically, our contributions in this paper include the following: • We propose a novel architecture which combines emerging technologies such as 5G and edge computing to handle dynamic complex conditions better.
• Based on the alternating offers protocol [12,22], we present an algorithm for contract negotiation. • We propose a DLT-enabled P2P marketplace model. • In order to counter the scalability issues of DLT, we propose an off-chain state channel during the energy contract negotiation and payment processes [17]. • We perform a STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) threat analysis to illustrate the importance of security-aware environments. For the analysis, we consider the model from the perspective of a remote attacker who pursues capital gain by attacking the confidentiality, integrity or availability of the P2P model.
The remainder of the paper is organised as follows: Section 2 reviews relevant literature, Section 3 discusses the methodology, and the architecture of P2PEdge is described in Section 4. Section 5 shows details of the trading model, followed by a review of DLT in Section 6, a discussion of security and privacy is presented in Sections 7 and 8, and we conclude the paper with Section 9.

Related Work
The feasibility of P2P energy markets has been demonstrated in previous projects [23] and studies [9,12,13], which have all focused on different issues within the P2P market.
Many proposals include DLT systems, such as blockchain, in their models [8,[10][11][12][13] to provide security for the market. However, only a few of these [10,11,24] have analysed the constraints of these blockchain systems. While blockchain certainly provides security through public-key cryptography, and the consensus algorithms add immutable transactions that prohibit fraud and double-spending [11,14], other aspects of security remain problematic for blockchain-based P2P models. Two of the major problems with blockchain technology are scalability and privacy leakage [16]. Through an increase in transactions, the validation time for transactions increases as well, both on an individual block level and system level. This increase occurs because block-sizes scale with transactions, as all transactions are stored in each node of the blockchain before they are validated. Additionally, blockchain technology leaks information regarding transactions, as all the information in the system is publicly accessible, such as the details of transactions and the balances [16,17]. One viable solution to increase the scalability of blockchain is off-chain resolution [19]; it also includes the protection of sensitive information through off-chain processing [25].
In [10], Li et al. proposed a consortium blockchain to address security problems and ensure the safety of transactions. Gai et al. [11] proposed a permissioned blockchain to address security issues by combining blockchain and edge computing. In [26], researchers utilise blockchain with multi-signatures for transaction security in a decentralised smart grid system. The proposed system uses anonymous encrypted message streams to protect against privacy leakage and to counter the need of third parties.
Outside of blockchain technology, limited research has been conducted on the security and privacy of P2P models. This includes the development of a security-aware environment and a privacy-preserving trading mechanism which still provides a certain flexibility and robustness. In Wang et al. [27], the authors obtained privacy for P2P energy trading between prosumers by "randomly" splitting up transactions. By distributing multiple parts of transactions to various prosumers, it is claimed that no-one in the system can obtain complete information regarding a prosumers' energy production or consumption. It should be noted that the CryptoNote protocol [28], used by the cryptocurrency Monero, uses the same principles to provide anonymity for transactions.

Methodology
In this section, the methodology for our P2PEdge model is discussed: this includes an explanation of the building blocks chosen for the model as well as the methodology behind the theoretical validation of the model.
The P2PEdge model is a marketplace architecture that makes use of several emerging technologies. We propose the use of load forecasting by calculating operational schedules from different aggregated data sources. A three-tier edge computing architecture was introduced to thwart problems that could arise with legacy systems that do not have enough processing power to calculate the operational schedule. In these cases, the data management system or the manager units can be used to do the calculations. Furthermore, the edge computing architecture helps the load balancing of the data shared between the entities as well as the management of the marketplace. Moreover, we introduced 5G technology in P2PEdge as a measure to increase the performance of the model even further. Through the use of 5G, we wanted to avoid the creation of any bottlenecks during transfer, processing or communication.
P2PEdge uses DLT (e.g., Blockchain) for marketplace trading; DLT has multiple advantages but also some drawbacks. For instance, one of the drawbacks is that the transaction confirmation delays restrict the scalability. Furthermore, in most DLT systems, personal data can be leaked, as all information is publicly available. As a solution, we proposed the use of state channels as an off-chain measure. We selected state channels instead of side-chains or sharding, as these techniques have their own drawbacks and need more research. For example, side-chains are only secure if the second chain also has enough nodes; otherwise, the security is at risk. Sharding, on the other hand, could result in management issues for data and nodes.
From a security perspective, we described a ransomware attacker that might have some financial gain in mind. We used this type of breach as it is most likely that this kind of attacker would try to exploit our system. During the modelling of P2PEdge and then performance of the security analysis, we had this attacker use-case in mind.
For the security analysis, we performed a STRIDE threat analysis. We chose STRIDE instead of other measures as it is a flexible, adaptive method that is widely used in industry to provide a common foundation for security analysis and its discussion [32].
STRIDE threat analysis includes the six categories of spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege. In order to carry out the STRIDE security analysis, we followed the four steps outlined in [33]. We started with the modelling phase, in which we created the Data Flow Diagram (DFD) model of Figure 3. Afterwards, we analysed our model for possible risks, categorising-and where possible resolving-the issues prior to redefining the model. We note that this step mostly depends on the experience of the researching team as well as documentation from other industries and academia. After defining all possible outcomes, we combined the most salient of them and created Table 1 as a result. We then used a per-element approach to analyse every element of the DFD model according to the six STRIDE categories as well as the possible consequences of an adversary attacking the system. The results of the STRIDE per-element approach analysis are documented in Table 2. The third step in our STRIDE threat analysis was the threat elicitation phase. In this phase, we investigated the likely issues (technological or logical) which could precipitate the identified vulnerabilities and weighed up the risks. The fourth phase, risk management, is discussed throughout the following sections of this paper, following two threads: system integrity and confidentiality (privacy). System integrity is analysed and discussed as part of the model formalisation, while privacy is discussed in its own section prior to the conclusion.

The P2PEdge Model Architecture
P2PEdge is modelled as an MAS; a MAS comprises multiple agents that interact with each other to solve a problem while the agents maintain autonomy. Each agent has access to specified capabilities along with resources that allow goal completion [15]. In this paper, the agents work together for the modelling of a multi-layered electricity market.
There are four layers to the model: (1) a DLT marketplace, (2) an off-chain state channel for the negotiation, (3) a communication layer for the grouping of entities, and (4) an electrical grid; i.e., the local power network. The schematic of the energy marketplace is illustrated in Figure 1.

Agent Preferences and Contract Selection
There are two widely known trading types in the context of a double auction. The first is named Continuous Double Auction (CDA), and other is known as Periodic Double Auction. Both variants differ in the way the auctions are handled. A Periodic Double Auction collects its bids during a specified time interval and afterwards clears the market. This variant can be used for environments in which commodities are limited and not available at all times. Furthermore, for this double auction type, the overhead is lower and, therefore, the system can be faster. However, this also means that transactions could easily break if unforeseen problems arise. Furthermore, the Periodic Double Auction could lead to drainage and increased prices. On the other hand, CDA operates by matching buyers and sellers when compatible bids are detected. Additionally, a CDA market does not hold any commodities itself, which makes it suitable for P2P markets. Furthermore, the allocation mechanisms of CDA fit decentralised markets as a centralised control is not needed. Moreover, CDA is a trading format which is widely used for, e.g., stock markets such as the NYSE. The characteristics of CDA can result in the better pricing and the better matching of buyers and sellers. However, this market format could lead to a management overheads which would increase the transaction fees in a DLT system. Moreover, the implementation of a CDA marketplace requires stricter policies regarding transactions, pricing and self-regulation [34][35][36].
For marketplace trading, P2PEdge uses CDA as it fits our purposes better and is expected to provide better results [34]. The proposed P2P market comprises the following: • Trader agents τ ⊇ distributor δ, prosumer ρ, consumer γ, producer ϕ. • A set of buyers S β , where each buyer β ∈ S β defines his trading price P β . • A set of sellers S σ , where each seller σ ∈ S σ defines his trading price P σ . • Agent systems as Home Energy Management System (HEMS), Data Management Systems (DMSs) for data collection, aggregation and group management, and a manager system as a marketplace manager (see Figure 1). • A smart contract SC(·) with offers from buyers SC(β, P β , Q β , t) and bids from sellers SC(σ, P σ , Q σ , t). • Energy amounts Q β (to buy) and Q σ (to sell) which are estimated by the agents of S β and S σ using the data of their smart meters.
The SC inherits the time variable t (Algorithm 1, line 4) as a measure for the DLT trading limit and is included to hinder inactivity, fraud or Denial of Service (DoS)-like attacks when trading with the off-chain state channel. Additionally, the trading timer t ω k trading needs also to consider the timing limitations of the underlying DLT system (e.g., locking time of the deposit, block mining times, staking times, transmission performance, etc.). Further, we need to consider time differences that could be passed on to the marketplace through, e.g., the temporal-spatial discretisation of power flow or an energy storage system (ESS) with longer than usual operating times. Therefore, a correction factor has to be applied to the trading timer. We note that we did not specify the trading timer mathematically, as our focus is the DLT in this paper. During an active trading session, we assume that the CDA considers each time slot individually and orders are received according to the Poisson process within a mean arrival rate λ. open state channel 4: while t < t ω k trading do 5: for each ω k ∈ Ω do 6: for each seller σ ∈ C(β) do 7: if Energy end if 10: end for 11: if σ ∈ Ω ∧ β / ∈ C(β) then 12: select other group where β ∈ C(β) 13: else 15: break 16: end if 17: end for 18: end if 22: end while 23: close state channel 24: end procedure To increase privacy, only transaction-related information is exchanged among the market participants. Information related to energy consumption and production is not revealed publicly (e.g., operational status, battery status, etc.) but exchanged through encrypted channels. Before detailing our model, we will define the role and capabilities of each participant.

Distributors
Distributors, or Distribution System Operators (DSOs) δ ∈ τ, are intermediaries and own or rent part of the power grid infrastructure. They are responsible for the reliable operation of the distribution system and congestion management [15,37]. Traditionally, the DSO is also responsible for the monitoring of flexible load operations [37]. In the model, distributors also buy and sell energy from other agents for profit. The quantity of energy bought during a given time Q t ∈ ω B must match the energy sold Q t ∈ ω S . For the model, the distributor has to pay linear transaction costs to buy and sell energy, depending on the used DLT and the usage of the power grid. Accordingly, buyers and sellers will need to involve a distributor if energy is intended to be bought from a third party or when purchasing energy from the grid.

Prosumers
The prosumer ρ ∈ τ is equipped with a DER and an agent system. This agent of the prosumer can buy and sell energy in different conditions but in accordance with relevant policy. Preference-wise, the prosumer has access to DER, and, when the battery storage is replenished, the prosumer will buy energy from the marketplace or take energy from the grid. Energy usage is measured using a smart meter and may occur at any time of the day. The agent calculates the net demand by probing the smart meter data and offsetting the data against the production of energy. The battery is used to store the excess energy as well as to handle fluctuations that occur due to trading and energy transfers. An over-supply of energy will be used by the agent system to generate a selling order ω S k (·) ∈ Ω, and an under-supply generates a buying order ω B k (·) ∈ Ω.

Consumers
The consumer γ ∈ τ does not possess a DER, and therefore can only consume energy. However, the consumer can still participate in the P2PEdge market and trade contracts when equipped accordingly. In order to trade energy, the consumer needs a smart meter and a smart trading agent to control the energy consumption for the household and estimate future consumption. Furthermore, the consumer can set preferences in the marketplace for buying (e.g., buying only from certain merchants). Like the prosumer, the consumer's agent can create buying orders ω B k (·) ∈ Ω.

Producers
Each producer ϕ ∈ τ owns a DER that either uses renewable energies or is based on fuel. Producers only generate energy for profit and do not want to consume energy themselves. Accordingly, they own an agent system but, in contrast to the prosumers' and consumers' agents, it is only used for trading. As with the prosumer, the producer generates selling orders ω S k (·).

The Agent System
The agent system is a HEMS that autonomously manages the energy for a consumer, prosumer or producer. By calculating a local scheduling model, the optimal actions for the energy resources can be determined. The main objectives of the agents are energy management, autonomous trading in the marketplace and gathering information about the net demand. The monitoring of household net-demand is indispensable for advanced analytic techniques and forecast models which are used by the DSO for load shedding and load distribution (i.e., load balancing) measures across smart grids; failing to do so would risk energy fluctuations [38].
However, the limitations affecting power grid infrastructure are heterogeneous. A gatekeeping mechanism is required at critical switching stations to prevent the overloading of distribution lines. The mechanism rejects any additional throughput over a specific limit to restrict further loads from being applied.
In order to protect data privacy, a categorisation into public and private data is done which allows the agent to share personal data with other systems. For example, public data transferred to the DMS are used for advanced prediction models and energy network stability. The collected data are then analysed and further relayed. Private data are encrypted by the agent and cannot be decrypted by the DMS node. Accordingly, an encryption model should support cryptographic tools to aggregate data confidentially. Through cryptographic tools such as additive homomorphic encryption [39], a non-trusted entity can be hindered from accessing private data [40]. The decryption key is only shared between agent and the manager systems.
In the case of a prosumer, the agent calculates the net demand by probing the internal smart meter and calculating the current demand against the energy production of any DER. For the standard consumer, the agent excludes any production from the equation. The producer only supplies energy to the grid and therefore has no demand.
The configuration of constraints is essential, as the prices in the marketplace fluctuate depending on the time of the day, weather or other unpredictable events. Thus, any owner of an edge device can set preferences and define constraints for acceptable prices as well as trading hours. By default, the agent is configured to submit offers and bids to achieve the best price possible and negotiate with every acceptable trader.

The Data Management System
The DMS manages groups of agent systems and comprises an edge computing node as well as a cellular network node. An edge node provides additional computational capabilities to achieve near real-time analysis [21]. Through the cellular node, the agent connects to the DMS. Preferably, a 5G connection is used for lower latency and better performance, but 4G is also supported for backward compatibility. Within the range of a DMS, all agent systems form a group. Member agents of the group can be added or removed at any time but can only belong to one DMS group at the same time. The combination of 5G with edge computing can provide P2PEdge with better scalability, extended computational powers and lower latency, as well as decreased response times.
The main goal of the DMS is the collection of public data from agents to forecast future loads. The analysis of current demand and supply is watched by the agents and sent through status updates to the group's DMS. A status update is used to predict future net demand. Accordingly, in regular updates, data are bundled, obfuscated for privacypreservation and added to databases for historical data collection. The DMS will aggregate private data and regularly send them to the manager. Additionally, future demand and supply data based on public historical datasets are shared with the manager. This crucial information can help the manager system to decide specific measures; e.g., when a supply shortfall is detected, and the DSO has to get involved. Additionally, the DMS's responsibility is to relay information to the microgrid controller so that electrical contracts can be fulfilled.

The Manager System
The manager's primary purposes are data aggregation for DSOs and energy management on a regional level. Therefore, the manager is involved in the negotiation and resolution of energy contracts across multiple DMSs. The manager consolidates this information to the grid participants and distributes the energy accordingly. Considering the architecture, the manager is placed in the cloud, although it should be distributed geographically over multiple availability zones for decentralisation.
Furthermore, the manager's task is to create forecasts for the energy demand and supply of DMSs. In order to be able to do so, each DMS updates the manager with information on the group, including public data (e.g., obfuscated demand and supply information) and status updates. Status updates involve information about the group members' status, such as the number of members, consumers, prosumers and producers as well as other demographic data. However, certain circumstances require immediate status updates; for instance, when the connection to the microgrid controller is lost, or group members are disconnected without a leaving notification. Accordingly, data are shared between the agent and the manager. By encrypting private information, only authorised entities will have access. The exclusion of certain entities from access mitigates the threat of a single-point failure threat, as well as optimising the usability of resources.
Appropriate to the predicted demand, the DMS and the Transmission System Operator (TSO) will be informed. The TSO, which operates on load requests, can use this information and contact the distributor to start, e.g., load shedding or load distribution measures. When the future demand exceeds the predicted supply of nearby DMSs, the DSO distributes the loads accordingly and stores them at a nearby energy storage systems (ESS) for easier distribution to the corresponding DMS group.

Learning Model
Previously, the entities (i.e., agent systems, DMS, manager system) which can use intelligent load forecasting were discussed, where each entity uses algorithms to achieve different results. The agent system aims to automate the energy management and trade in the energy marketplace. The DMS aims to predict future loads, and the manager collects information about the loads in the case that the DSO needs to be notified and energy needs to be distributed. All of these tasks involve sophisticated AI algorithms which require learning models that are trained and back-tested. The learning model needs to fulfil certain requirements: (1) it must be applicable to computational constraint devices; (2) it must be adaptive-i.e., it should take various inputs (e.g., weather data) and include current consumption information; (3) it must be able to consume large datasets (e.g., historical datasets).
Note that the underlying learning model for P2PEdge is outside the scope of this paper. Accordingly, the concrete form of the learning model depends on its implementation. For instance, a technical error in a DMS could influence the amount of gathered data which can be passed on to the DSO, which subsequently would influence the quality of the operational schedule. There are multiple models available in the literature (e.g., [41]) that can be applied. However, the outcome of the learning model is an operational schedule for the agent systems, DMSs and manager system.

Energy Trading Model
The core of P2PEdge is its marketplace, in which consumers, prosumers or producers can interact with each other within set boundaries and preferences. Figure 2 illustrates the workflow of the electricity trading mechanism and the workflow between the entities of the agent systems, DMS and manager system. The workflow is designed as a loop, where the agent continuously monitors the local energy resources and performs load scheduling based on the prediction model. Each time the agent updates the schedule, a message is sent to the DMS, which also updates the manager. When an agent system detects an energy shortage, it acts as a buyer in the marketplace.
The contract negotiation in the marketplace is described below. The marketplace is considered to be a materials market which solely trades energy contracts. Accordingly, when there is no successful bid, the energy will be purchased from the grid, and a process of load distribution begins. Although not depicted in Figure 2, we note that sellers can interact with the marketplace in order to generate sell offers.
Furthermore, in its current version, the model supports only atomic transactions, but it can also support the splitting of transactions into multiple packets. For the splitting of transactions, atomic transactions need to form a tree of related transactions, in such a way that the transaction at the top of the tree is the aggregate of the sub-contracts lower in the tree. Furthermore, in each branch, the terminal sub-contracts need to designate the destination or the origin for the sub-total demanded.

Selection Procedure
Agents that detect an overproduction of energy Energy σ > 0 will need to sell energy to the market (i.e., energy production > predicted load ∧ Energy Moreover, when the trader is a prosumer τ = ρ, multiple policies could be applied when a buy or sell order should be created. For this paper, we consider the use of policies that are based on the ESS's state of charge (SOC) [42]. The SOC is a measure of the amount of charge that is stored in a battery and, therefore, shows how much of the energy capacity of an ESS is left. The policies are displayed with the Equations (1)- (9).
For instance, if the ESS's SOC has reached the maximal capacity Energy ω k →ESS SOC σ = FULL and the energy production is positive, a sell order can be placed ω S k . Therefore, energy sell orders will be fulfilled until a specified sell threshold Energy ω k →ESS SOC THRESσ is reached. On the other hand, if the ESS's SOC has reached the minimal capacity threshold Energy ω k →ESS SOC THRES β a buying order ω B k will be generated. The threshold for buying and selling are dependent on the maximum capacity of the ESS, the time a system would need to buy or sell the energy, transport the energy, the type of the ESS, the ESS's degradation over time and, lastly, a reserve if a problem occurs and the power grid needs to be consulted [42]. Although there are various types of ESS (e.g., mechanical, chemical, electrical and thermal), electrochemical ESSs have been shown to be widely applicable for various purposes [43].
If Energy If Energy If Energy If Energy If Energy If Energy If Energy If Energy If Energy Additionally, depending on the materials selection of an electrochemical battery, it has been shown that there are operational limits that affect the degradation of the system [44]. Therefore, the SOC should be within thresholds; for instance, when the batteries' SOC approaches the lower end of the spectrum, it will become increasingly difficult to charge, and if the battery stays too long at full capacity, it will affect the efficiency and the lifetime of the battery. Moreover, price predictions and possible price fluctuations could be made by agents to gain an economic advantage. For example, when the ESS's SOC is at maximum but the price for energy is estimated to rise, the energy could be bought and directly consumed instead of using the ESS. However, the detailed economics of market price prediction are out of scope for this paper, but they should be considered in a future extension.
The procedure for the selection of sellers illustrated in Algorithm 1 is based on a multi-agent coalition mechanism [12]. A multi-agent coalition mechanism [12,45] refers to an MAS with cooperating agents that aim to complete a common objective. The algorithm begins with the buyer detecting sellers within the same DMS group C(·) in the marketplace. Thus, the process is triggered, and the buyer contacts sellers to negotiate a contract before the trading timer is reached t ω k trading . The trading timer is set for the whole negotiation process and thwarts agents that want to hinder trading or agents that experience problems (e.g., a dropped network connection).
Furthermore, the negotiation occurs within an off-chain state channel. When a problem occurs and a dispute is raised, a dispute timer t dispute is set. A dispute can be raised at each step of the negotiation by each of the involved parties. Closure by dispute would require the involvement of the blockchain and cause the parties to be written on a dispute list. After n remarks are given on the dispute list, an entity will be written onto a greylist, which is then followed by a blacklist. Additionally, the buyer calculates the available energy Energy ω k σ of the seller based on the capacity of the power line to ensure that Energy ω σ ≤ κ max σ . After the negotiation process (see Algorithm 2), if no problem has occurred, the state channel is closed.
Moreover, in the case that there is no energy selling order available in the same DMS group, the buyer propagates the request to neighbours across different DMSs when (1) t < t ω k trading ; (2) there is at least one agent which is not part as the group C(β); or (3) the preferences of the local agent are configured to allow trading across multiple DMSs. After the deadline t has passed, the buyer β determines the final contract S f inal SC(β,σ k ) from its temporary contracts S SC(β,σ k ) . Furthermore, the amount of energy purchased from the grid has to be determined (SC for order ω k (·); σ generates ω S k : SC(σ, P σ , Q σ , t) to β do 3: if P σ ≤ P β then 4: return contract negotiated 8: else 9: β generates ω B * k : SC(β, P * β , Q * β , t * ) to σ 10: if P * σ ≤ P * β then 11: SC * (σ, P * σ , Q * σ , t * ) based on ω B * k (·)

Trading Negotiation
When another agent detects an energy deficit (see Figure 2), it will request energy from the marketplace. The agents trade energy based on the set preferences of the buyer and seller. These could include achieving the best price (i.e., buying at low prices and selling at high prices), but this could also include other criteria such as preferred contracts, reliability requirements or an ethical energy supply. Subsequently, when energy is available (Energy ω k σ > 0) or certain criteria X (see Algorithm 1) are met, the buyer will start a request for a certain amount of electricity Q β from a potential seller. The seller σ will respond and start the market trading negotiation procedure. The proposed negotiation procedure illustrated in Algorithm 2 is based on an alternating offers protocol [12,22]. First, the seller σ replies to the buyer β by generating an offer ω S k . The set of temporary smart contracts of the buyer S SC(β) and the seller S SC(σ) inherits smart contracts SC(·) based on their orders of ω [B,S] k . The seller will select the price which reflects the generation cost, transmission costs and the number of existing contracts the seller has: where P gen,ω k σ is the cost for generating electricity for task ω k . Its value is determined by the operation schedule. P trans,ω k δ,t is the fixed price of the transmission cost given by the distributor δ at time t. The negotiating factor ς σ of the seller is raised in proportion to the amount of existing contracts.
The buyer receives the offer and can either accept, reject or generate a counteroffer ω B * k . As with the seller, the buyer has to calculate its bid price: where P market,ω k β,t is the market retail price of a signed plan by the buyer (i.e., consumer or prosumer) at a fixed time t and P trans,ω k δ,t is the transmission cost at a fixed time t. ς β is the negotiating factor of the buyer, which decreases in proportion to the amount of contracts available.
Based on P β , the buyer β accepts the offer if P σ ≤ P β , rejects the offer if P σ > P β and responds with a counteroffer when P β < P σ < P market,ω k β,t . In the case that the buyer β makes a counteroffer ω B * k , the seller σ is at liberty to either accept or reject it. He will reject the counteroffer if the energy amount of all temporary contracts is large enough and the price of the counteroffer is smaller than the price of the temporary contracts on average (P * σ ≤ P * β ). Otherwise, the seller will accept the counteroffer, and a new contract is created SC * (σ, P * σ , Q * σ , t * ).

Trading Mechanism
All agents that want to trade on the energy marketplace compose a DLT network. Further, the network uses a strict consensus with which every agent needs to comply. The consensus in the proposed model inherits a public ledger chain and a channel. A public ledger can be based on any DLT system and is non-exclusively bound to blockchain technology. As DLT inherits the issues of scalability [16], a solution to reduce the number of transactions and increase scalability is used in P2PEdge. There are multiple open proposals to blockchain's scalability issues, such as sidechains [18], sharding [46,47] and state channels [11,19]. A sidechain is an alternative blockchain which validates data from other blockchains (i.e., the mainchain). It has block producers, which decide the order of transaction occurrences, and users that publish transactions for inclusion to the chain [18,19]. Sidechains can improve the performance of the blockchain system (i.e., the mainchain) by taking over some of the burden of transaction processing. However, sidechains also create a management overhead, as an additional chain needs to be managed (e.g., it needs its own miners for a proof-of-work-based consensus algorithm to ensure its safety against attacks).
Sharding, which is widely used by distributed database systems [48], is an approach that is now proposed for blockchain. When using sharding, the entire state of the blockchain network is split into multiple partitions that are called shards. Each shard can operate almost independently as it contains its own piece of state and transaction history. Shards require cooperative behaviour when transactions are processed that affect the data on multiple shards [46,47]. The advantage of sharding is that the throughput can be improved by parallel processing transactions. However, the downside is that sharding can become a management challenge and security risk depending on the scope to which it is applied.
If, for instance, sharding is applied to the whole DLT system, the data integrity might be compromised when one shard is hijacked by an attacker (i.e., a 1% attack) [48].
On the other hand, a state channel has n parties that agree through unanimous consent to new states which are further processed off-chain. State channels are protected against the full collusion of all other parties, and in certain situations, the states can be published to the blockchain; e.g., to resolve disputes [19]. The advantage of the state channel is the ability for parties to carry out transactions among themselves. In contrary, DLT systems need to interact with the whole network after every transaction. For the setup, each participant must deposit coins in the blockchain for the channel. After locking the coins, all parties execute the state transitions and exchange signatures to authorise each of the new states. When a participant is not co-operating or is suspected of committing fraud, the state channel entrusts the underlying DLT to resolve the dispute and self-enforce the state transition [18,19]. The chosen underlying DLT system needs to be able to cope with smart contracts as they guarantee not only the safety of coins for the online participants but also the liveness of the application so that smart contract will always progress and terminate.

Ledger Technology
The most widespread DLT is blockchain [49], which is a globally distributed ledger technology that can use different algorithms to achieve consensus among all participants [16,17]. Participants are represented by distributed nodes which can store, transfer, verify and send data. Furthermore, nodes have access to the ledger, which contains the history of network transactions. The use of a consensus algorithm ensures the validity of transactions. Only when a new transaction complies with the algorithm is it regarded as valid and added as a block to a time-stamped chain of blocks in the ledger. Blockchains can have many forms, but commonly used forms include private-permissioned and publiceither permissioned or permissionless-systems. While a permissionless blockchain has no restrictions on who can access or add to the blockchain, a permissoned approach is controlled and only accessible by authorised entities [50,51]. The distinction between public and private systems refers to the access to ledger information. Private blockchains are accessible by specified users, while a public system can be accessed by anyone. It should be noted that private-permissioned systems could have limitations due to their fewer nodes when it comes to scalability and specific network attacks (e.g., a 51% attack, if an attacker gets access to the network).
In P2PEdge, the ledger technology is used to establish the preliminaries of a state channel by protecting the deposits of involved entities, resolving disputes during a channel negotiation session and updating balances after the channel is closed. Adding DLT to the model enables the use of integrity protection and non-repudiation, which are properties necessary for a real-time energy marketplace where financial loss can be a consequence.
There are multiple variations of the underlying DLT system which can be used for P2PEdge. One version of the chain could be to use one or multiple permissioned chains with authorised trader accounts [11]. This system could use a delegated proof-of-stake or proof-of-authority consensus algorithm, which utilises autonomous managers to verify blocks [52]. This approach would also significantly reduce the computational burden of conventional proof-of-work-based DLT systems [14]. Moreover, possible security risks could be drastically minimised as the network is private, and joining the network needs authorisation. However, another version of the public ledger marketplace could focus on decentralisation and would use a public available DLT system, which is most likely based on a proof-of-work consensus algorithm. This system would pose other risks but is less costly and easily deployable. Furthermore, the management overhead is minimised, which could be the main focus of specific applications. Additionally, a DLT system that enhances privacy by providing anonymity, fungibility and linkability could be used to minimise the risk of private data exposure. Examples would be Monero's CryptoNote protocol [28], ring signatures [53][54][55] and bulletproofs (non-interactive zero-knowledge proofs) [56].

The State Channel
The off-chain state channel is an extension of the DLT-enabled marketplace which takes on the scalability issues of DLT. This means that, in our model, on-chain and offchain transactions need to be signed similarly; otherwise, the security of the state channel would be at risk. However, the signing process for the state channel needs to be chosen carefully, as it may affect composability when considering changes to the DLT system. One advantage of state channels is the reduction of necessary on-chain transactions, which increases their scalability. Additionally, state channels enhance privacy as transactions are shared between two parties only instead of being public. For P2PEdge, all payment and negotiation transactions should be handled off-chain. The initialisation of the creation of a state channel is started by one of the parties and enforced by the marketplace.
The creation of the channel involves the smart contract of the application SC(·), which is responsible for instantiating the state channel contract with the list of entities E 1 . . . E n ⊂ τ and the timer for the dispute t dispute . The status of the channel is set to ON, meaning that all entities can authorise new states.
With the status ON, an entity E involved in SC(·) can propose a new state transition: where ψ i is the current state. The state is hashed with a nonce (as protection against replay attacks) ψ nonce i+1 = nonce(ψ i+1 , rand i+1 ) (13) and then signed Accordingly, the entity E gathers approval from the other entities E n by sending ψ nonce i+1 , ψ i+1 , rand i+1 and Sign E . All other entities in the channel then verify the new state before they authorise it. Therefore, they need to re-compute the new state ψ * i+1 and its hash ψ nonce * i+1 before verifying the signature with Veri f ySign(E, (ψ nonce i+1 , i + 1), Sign E ) Besides, each entity signs the hash of the state Sign E n for the contract of the application SC(·) and the contract of the state channel SC S as well as sending the signature to the other entities. The new state is only valid when each entity has received a signature from each other entity; otherwise, a dispute process is triggered, and the execution is continued on the DLT system.
Triggering a dispute process self-enforces the dispute time period t dispute start = t now ; t dispute end = t now + t dispute ∆ and sets the status to DISPUTE. All entities are required to submit their latest state hash, the version of the state and a list of signatures to provide proof that the state was authorised. The contract of the state channel SC S (·) inherits the last version of the hashed state ψ nonce i only if it was signed. After the dispute period (i.e., the dispute timer is passed), any entity can resolve the dispute and therefore set the status of the channel to OFF. Furthermore, a record of the dispute (t dispute start , t dispute end , i, E n ) is stored on a dispute list. When the dispute is resolved, the contract SC can fetch the final state and use it for trading. Otherwise, the trading will be disrupted, and the negotiation will be aborted. If an entity is placed on the dispute list more than n times, an additional remark will be made on a local greylist. The greylist is publicly available as a smart contract within the DLT system and therefore can be checked by every external entity. When trading agents continue their suspicious behaviour and are marked on the greylist repeatedly, they will be additionally added to a blacklist. Once blacklisted, there are numerous hindrances to trading in the market, as the preferences of the agent systems are pre-configured so that one cannot trade with blacklisted agents. However, this configuration can be overridden, or a more strict configuration can be applied, and greylisted traders with a specified number of remarks on the list could also be excluded from trading with an agent. The primary purpose of the blacklist is to block traders with malicious intent in the marketplace. However, agents that are written to greylists or blacklists can also be removed depending on set preferences. It should be noted that the usage of a greylist without the ability to remove participants may facilitate DoS attacks. For instance, an attacker could intentionally fill the greylist by employing negative behaviours, which would slow down an agent's ability to validate traders until the validation is no longer possible.
Accordingly, the optimal closure of a negotiation process would be the closure of a state channel with consent by signing the negotiated final state. The last state ψ nonce i and its version i are then submitted to the public ledger chain.

Security
In order to examine possible threats to the system, a STRIDE threat analysis is carried out. STRIDE [57] is a recognised and comprehensive systematic approach that aids in system security on the component level through clear impact delivery for the entire system [58]. The technique is used to identify computer security threats based on six categories which form a acronym [58]: (1) Spoofing: The breach of user's authentication information by a third party.
(2) Tampering: The adversarial alteration of system or user data.
(3) Repudiation: A not-trusted third party user engages in activities without the ability to be traced. (4) Information disclosure: Information is exposed to unprivileged third party individuals. (5) Denial of Service: The attacker makes the system temporarily unavailable. (6) Elevation of privilege: Privileged access by an unprivileged third party that then has the ability to damage or destroy the entire system. STRIDE analyses vulnerabilities against system components which could be used by an adversarial attacker to exploit a system. A standard methodology that can be applied to every system is not given, as the system is highly flexible. In the case of the current model, our STRIDE methodology is based on the steps analysed by Scandariato et al. [33].
1. Modelling: First, a decomposition of the model is necessary for the development of a Data Flow Diagram (DFD). The DFD is used to visualise internal entities and external entities (EE), processes (P), data flow (DF) and data stores (DS). 2. Categorisation: All elements identified in the modelling phase are sorted into at least one of the six threat categories. 3. Threat elicitation: The previously identified and categorised threats are investigated to reveal any possible causes of vulnerabilities. 4. Risk management: Vulnerabilities are documented to allow further measures (e.g., risk assessment) and act appropriately according to a mitigation plan.
The success of the methodology is greatly dependent on the scope and the precision of the conducted analysis, the thoroughness of the in-depth investigation and the experience of the team members.

Use Case
For our use case, we assume a remote attacker who is in pursuit of a capital gain. The attacker could be paid to cause a disruption on either part of the system or get access to sensitive information. For instance, powerful malware could be used to attack the integrity and availability of systems (e.g., to hijack control systems) [7]. More sinister attackers may also use ransomware to extort targets to pay a ransom; in either case, the availability of the system would be attacked [59,60].

Threat Modelling
The first step is the system decomposition and the modelling of a DFD. We identified the following components to our system: an agent subsystem, a data management subsystem, a manager subsystem and a smart grid. As described previously, the DFD visualises each of the system components and helps to identify threats. A DFD for the complete system is provided in Figure 3.
Note that, for the STRIDE analysis, smart grids are treated as black boxes which only supply high-level information. A full STRIDE analysis of smart grid security, due to its importance and length, will be the subject of another paper. At the current stage, it can be mentioned that other works have applied STRIDE to smart grid industrial control systems [61], cyber-physical systems (e.g., microgrids) [58] and blockchain [62]. In P2PEdge, we focus on the P2P marketplace architecture rather than on the smart grid. Additionally, we acknowledge the importance of a full smart grid security analysis and aim to research this in a future paper. In this paper, however, we focus the threat analysis on a high-level representation of other parts of the model such as the agent systems, DMS and manager system as well as the state channels.

Categorisation
For the threat analysis and categorisation (step 2), the intentions of an adversarial attacker (i.e., possible risks) have to be documented first. Table 1 documents these possible threat risks and associates each one with a risk identifier. Some of the threat risks (e.g., TR-1-TR-3) are not exclusive to the proposed model, while others are more specific (e.g., TR-8). Inability to meet local power demand C-2 TR-9 Disclosure of information in the state channel -TR- 10 Termination of state channel -Consequence identifiers: C-1 = financial loss, C-2 = power outage.
A STRIDE per-element approach is used that allows the separate analysis of each component's behaviour and operations. The results of the threat analysis are summarised in Table 2 and explained below. Table 2. STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege) threat modelling using a per-element methodology. DFD: Data Flow Diagram; P: processes; EE: external entities; DF: data flow; DS: data stores.

STRIDE DFD Elements Threat Risks
S P-2, P-4 -P-6, P-9, EE-2, EE-4 P-2 P-4, P-6, P-9 EE-2 P-5 An attacker might spoof process elements (e.g., P-2, P-5, etc.) to trick other parties to disclose information about the system, such as system-critical messages (TR-7) or keys (TR-6). Furthermore, spoofing the nodes (P-4, P-6, P-9) might disclose information about the state channel (TR-9) to an attacker. An adversary could spoof multiple nodes to provoke double-spending attacks [62], which could mean a financial loss for the victim. Additionally, an attacker could spoof the authorisation or authentication credentials to gain access to systems, which would breach confidentiality. The consequently disclosed information could be used to perform other attacks, which could lead to the inability to communicate with other elements in certain cases. For instance, spoofing the external entity EE-2 might result in the ability to connect P-2 with P-5 over DF-1 and DF-2. The results could be noticeable in the availability of the system when legitimate entities are unable to connect with, e.g., the agent (TR-1), the DMS (TR-2) or the cell tower (TR-5).

Tampering
In Figure 3, alterations of data or alteration attempts which could take place at multiple elements are shown. The DLT system and the state channel could be targeted (P-4, P-6, P-9, DS-2, DS-7). For instance, attackers could try to tamper with the public ledger to make a financial profit or cause damage to participants. While the consensus mechanism would hinder attackers from altering data successfully, an adversary could try to alter transactions or leak personal data. Therefore, the usage of state channels is proposed as an extension to the DLT system for better transaction protection as well as increased scalability.
An adversary could launch a tampering attack against other parts of the system. For example, P-2 makes predictions based on multiple datasets dependent on readings from the P-1. Thus, an attacker could alter information on any of the communication channels (e.g., by using a false data injection [63]).
Furthermore, EE-2 is susceptible to attacks as the external entity uses 4G/5G technology. Accordingly, the security of the technology cannot be influenced by our model. Zero-day exploits could be used for attacks and disclose a vulnerability.

Repudiation
Although mutual non-repudiation would be ideal, it cannot be guaranteed for every element in the DFD. Non-repudiation should be issued for critical messages, as otherwise an injection of these messages could be used by an attacker. For example, it is crucial to secure the integrity of the trading system (P-4, P-6, P-9), as the termination of the state channel (TR-10) could otherwise be risked. Furthermore, an injection of messages to P-2, P-5 or P-8 could result in the disclosure of system states or the inability to communicate with other elements.

Information Disclosure
Confidentiality attacks can lead to the disclosure of information which could be exploited by an attacker. For instance, the leakage of metadata is only a threat in the case of eavesdropping on DF-1-DF-4, as all other transferred data should be encrypted. Attacking the configurations (DS-1, DS-3 or DS-5) would be of more interest when an attacker aims to gather information for a more complex attack. Otherwise, P-2, P-5 or P-8 could disclose personal data or DMS group information. EE-2 could provide an attacker with more metadata about the connected parties, P-4 or DF-5 may be used to disclose information about trades on the P2P marketplace, and DS-2/DS-7 could leak key secrets of the corresponding ledgers (e.g., private keys).

Denial of Service
DoS attacks could interrupt the power supply, the availability of parts of the infrastructure or hinder marketplace trading. For example, if P-2 is not available, the agent system cannot trade in the marketplace and has to purchase energy from the grid. Additionally, the data for the calculation of the operational schedule will not be as detailed, even though data from different sources will be available. Furthermore, attacking P-5 will affect the whole DMS group, as status updates can no longer be received. The trading will be available for group entities, as transactions are made on the DLT system; i.e., a system with a high resistance against DoS. Moreover, P-8's availability affects the accuracy of demand and supply information. Otherwise, any estimations of energy demand and supply have to be done by the TSO, DSO and the microgrid controller. Their estimations are not as precise but will ensure the feasibility of control measures until P-8 is available again.

Elevation of Privilege
Elevation of privilege describes a situation in which non-authorised users can execute tasks that are beyond their privilege level. For the thread analysis, there are no privilege levels defined. Therefore, only a legitimate element or an attacker is able to execute a process. Attacking P-2 can result in an inability to verify commands from legitimate users, which may reveal configurations to an attacker. When trading on the P2P marketplace, P-4 cannot validate the authenticity of a state channel, which could lead to a termination of the channel (TR-10) when the other party commits fraud. Consequently, the termination could also lead to insufficient local electrical power (TR-8) when the demand is not met. Furthermore, for P-2, P-5, P-8 and EE-4, a privilege escalation could mean that commands cannot be verified, which could potentially lead to system failures and result in an inability to communicate with other parties.

Threat Elicitation
The third step of our STRIDE methodology is the analysis of the categorised threats. As described, the connection between the agent and DMS uses 4G/5G protocols with SIM cards. The SIM card itself can be used as a variant of a trusted platform module (TPM) which can be probed to provide a particular amount of trust [64]. However, 4G and 5G are mutually authenticated and encrypted communication protocols; therefore, no changes to the security of the communication entities are necessary unless a new zero-day vulnerability is disclosed.
Between the agents, DMSs and manager systems, the communication channels are not defined and can be chosen by the parties themselves, but they should satisfy a high security standard. Firstly, the DMS and manager exchange long-term shared secrets through a secure key exchange protocol. These long-term shared secrets are used subsequently to derive session keys which protect communication sessions. When a communication session is closed, the session key will be dumped.
Secondly, an end-to-end encrypted communication channel can be ensured through the use of long-term shared secrets in combination with freshness, a mutual authentication challenge-response protocol and mutual entity authentication. This communication channel can also be extended to the communication between the manager system and the grid. A further advantage is that this protocol would provide viable security measures against most common attacks-e.g., man-in-the-middle, impersonation and replay attacks-which is crucial for the protection of security properties. Thirdly, the communication can be secured by a TLS session.Additionally, the agent and manager entities use a long-term shared secret to exchange encrypted data, to which the same previously described process applies. All secrets are exchanged within a key management life-cycle which is a crucial part of system, as a key can be stolen or lost.
As described, the DLT system's properties allow the immutability of transactions and protection against alterations of any kind. However, the system is not privacy-preserving, as certain information has to be shared publicly. Depending on the used DLT system, a permissioned or consortium blockchain with an authorised account-model could protect the users' privacy [10,11,24]. Furthermore, current DLT systems rely on public-key cryptography, which is safe under current circumstances. However, for a sustainable system, we cannot solely rely on the future safety of public-key cryptography based on classical computer security [65], as research into achieving quantum supremacy is ongoing [66]. Novel systems need to include either lightweight post-quantum cryptography [65], which can protect against potential threats from quantum computers, or include a privacypreserving system such as data escrow [67], where a secure and trusted third party stores the personal data.

Privacy
For now, the smart contract SC(·) and the order ω(·) contain the identifier of the buyer β or of the seller σ, depending on who created the contract. By using the identifier, the contract or the order are clearly identifiable. Therefore, personal data of all agents are exposed to a potential adversary.
For example, public information regarding a seller could be used to draw conclusions about their day-to-day life. Regular hours of increased energy distribution could suggest that sellers use less energy themselves, which again suggests that the sellers are likely not at home. However, less malicious infringements of privacy are also easily possible. For instance, advertisement companies could use the data to gather public information on households, such as the likely size of the household (inferred through the amount of consumption) or whether a household owns an electric car (inferred by uncharacteristic spikes in energy consumption during a specific time of day). As a preventive measure, the proposed model needs to be adjusted with an extension for privacy-preserving trading and billing that does not distribute any personal data; if not, the gathered information could be misused by an adversary.
For privacy preservation in P2PEdge, two different techniques could be applied: (1) identifier encryption or (2) a Universally Unique Temporary Identifier (UUTID). Identifiers can be encrypted using any kind of encryption mechanisms. For example, using a derived session secret from shared secrets can be used to encrypt and decrypt identifiers through different entities. However, this mechanism will require an established communication channel through which an additional key can be exchanged safely.
The UUTID, on the other hand, is a temporary identifier that has no fixed associations and changes frequently. The concept of the UUTID is used in telecommunication protocols (i.e., 4G, 5G) to hide identities and thwart identity theft. Currently, 4G and 5G's Global Unique Temporary Identifier (GUTI) is an 80 bit-long core network identifier that is exchanged with IMSI, a unique permanent identifier [68]. P2PEdge could utilise either of the systems as long as particular requirements are met: (1) the energy flow must remain intact after an energy contract formation, which means that certain parties need to know where to relay the energy; (2) the identity of all market participants must be hidden from other participants at all times; (3) identity theft or impersonation must not be possible; and (4) the privacy-preserving ID must have pre-image resistance and second pre-image resistance and also be resilient against collision attacks [65] (for review, see [69]).
The only parties that know the original ID-and therefore are capable of determining the identity-of a market participant should be trusted parties such as the DMS and the manager. The agent itself generates a new ID and afterwards informs its DMS. Informing the DMS is part of a handshake protocol that the agent system and the DMS have to perform. The initial handshake comprises a long-term shared secret and the ID of the agent, which is later exchanged by the privacy-preserving ID. Furthermore, the original ID will be encrypted by the shared secret of the agent and manager, which is then sent over the DMS to the manager.
Sharing the identity with the DMS and the manager is a necessity for the management of the energy flow because a finalised contract requires the seller to communicate to coordinate the transfer of energy to the buyer and direct the funds to the seller. Accordingly, all non-crucial information or personal data shared in the marketplace should be encrypted using sessions keys which are derived from the agent's and manager's shared secret. Only the participating entities should be at discretion to view specific information in the market. This also applies to the information during a state channel negotiation. However, this system will yield implications for the hardware of the agents, and thus a requirement for a certain level of computational power arises. Legacy systems, such as Supervisory Control And Data Acquisition (SCADA) systems [15], which are used for control, monitoring and management in power grids, could have too many constraints and may not be able to verify every state shared in the state channel. Therefore, either P2PEdge should not support legacy systems or other involved systems need to vouch for the legitimacy of legacy systems' states.

Conclusions
In this paper, we proposed a novel model for a decentralised marketplace for trading energy that protects the security and privacy of peers during data collection, trading and billing. With the usage of DLT, the marketplace inherits its cryptographic properties of strong non-repudiation and integrity protection. To overcome some of the limitations of DLT and increase privacy, we proposed the usage of state channels for trading negotiations. Further, we identified various security requirements through scenario-based elicitation techniques and discussed the applicability of our model.
Our model relies on the capabilities of multiple agents to aggregate data. Compared with existing approaches, the proposed model architecture is dynamically adjustable to different scenarios while achieving stronger cyber-physical robustness and privacy preservation. The model is only constrained by the capabilities and transmission performances of other external entities (i.e., the cloud, DSO or TSO). Furthermore, limitations apply to the edge computing node when a high volume of information needs to be computed simultaneously. The coordination of resources could prevent a computational bottleneck. The model can be used by any market participant (e.g., consumer, producer) and is non-inclusive to prosumers.
Future research may include the provision of formal proofs and the implementation of P2PEdge to provide a better comparison and performance analysis to existing models. Furthermore, a comparison of different DLT systems for P2P energy trading is planned, as well as detailed research into the security and privacy implications of future systems utilising any DLT system. Additionally, research is planned into off-chain resolution approaches to identify the unique security and service provision challenges of dynamic energy and information supply networks.