Engineering and Technology
Break down the decentralization-security-privacy trilemma in management of distributed energy systems
Q. Sun, H. Ma, et al.
Distributed Energy Systems (DESs) enable energy customers to act as prosumers using local devices (e.g., PV, microturbines, batteries). Coordinating multiple DES entities to maximize collective benefits is challenging because owners may not cede control to a central operator. Decentralized management via cooperative optimization can address this, but designs must satisfy feasibility and optimality while also meeting non-functional requirements such as usability, computational performance, security, and degree of decentralization. Existing blockchain-only schemes achieve secure, publicly verifiable decisions but expose private information (e.g., loads, behaviors, device details, network topology). Parallelizable algorithms (PA) like distributed dual ascent and Consensus+Innovation preserve privacy by local computation and limited data exchange, but impose heavy computational burdens on participants and expand the trusted computing base, enabling manipulations. This creates a trilemma among decentralization, privacy, and security. The research goal is to develop a decentralized DES management mechanism that simultaneously ensures privacy preservation, security/robustness against manipulation, and efficient convergence to optimal cooperative operation, without centralized authority.
Blockchain-based coordination uses smart contracts and consensus (PoW, PoS, pBFT), with variants such as Proof of Clearance and Proof of Solution tailored for energy applications. In these paradigms, optimization problems are disclosed and solved/verified publicly, ensuring tamper resistance but risking privacy leakage of user behaviors, load patterns, device specifics, and network topology. Parallelizable mathematical optimization (e.g., dual decomposition, ADMM, Consensus+Innovation) decomposes problems into local subproblems and iteratively exchanges limited information to reach consensus, improving privacy but increasing computational load and susceptibility to dishonest local computations. Prior attempts to combine PA and blockchain often aggregate plaintext decisions on-chain, compromising privacy; some restrict exchanges to prices, but lack support for diverse DES characteristics and physical network constraints. Moreover, dishonest participants can still disrupt convergence or supply consistent but false information. The literature gap is a framework that verifiably enforces secure convergence while preserving privacy through obfuscation, and that accounts for physical constraints and heterogeneous DESs.
The framework integrates encrypted local subproblems, off-chain computation by third-party workers, on-chain verification by miners, and TEE-backed edge devices at each DES. The day-ahead operation objective is to minimize the total bid cost over all DESs under power flow and device constraints, with coupling across neighbors via line flows and voltages. Decentralized optimization is based on ADMM: each DES i forms a local subproblem whose decision variables include local device set points x_di and coupling variables x_cij with neighbor j. Augmented Lagrangian penalties incorporate negotiated averages e_cij and multipliers λ_ij for coupling consistency.

Subproblem encryption: each DES i obfuscates its quadratic program min ½ x^T H x + c^T x + a, s.t. A x = b, G x ≤ h, by mapping x_i = N_i R_i y_i + x_i^0, where N_i spans the null space of A_i (A_i N_i = 0), R_i is an invertible random matrix, and x_i^0 is a particular solution of A_i x_i = b_i. Because A_i (N_i R_i y_i + x_i^0) = b_i for every y_i, the equality constraints disappear, and substituting the map gives the transformed problem in y_i with masked parameters H′_i = (N_i R_i)^T H_i (N_i R_i), c′_i = (N_i R_i)^T (H_i x_i^0 + c_i), G′_i = G_i N_i R_i and h′_i = h_i − G_i x_i^0; its optimum maps back to the optimum of the original problem while the true cost function and constraints stay hidden. Note that this masking is an affine transformation rather than cryptographic encryption: what it hides is the bid cost function and the constraint set, and its confidentiality rests entirely on N_i, R_i and x_i^0 never leaving the DES. Only the rows of N_i R_i and x_i^0 that belong to coupling variables (C_i N_i R_i and C_i x_i^0, with C_i the row selector) are shared with neighbors, which lets a neighbor recover the shared decisions needed to compute e_cij and nothing else; the full mapping remains local.

Roles: (a) DES owners plus TEE-backed edge devices generate masks (N_i, R_i, x_i^0), validate bids, broadcast masked problem parameters (H′_i, c′_i updated each iteration, G′_i, h′_i once), and locally compute simple matrix operations to update e and penalties. TEEs provide integrity and confidentiality for edge computations and key handling. (b) Computation parties (professionals) solve assigned masked subproblems off-chain using interior-point methods and rebroadcast solutions. (c) Blockchain miners run a pBFT protocol to schedule tasks (based on performance and block hashes), verify optimality/feasibility of submitted solutions, and record confirmed results.
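The masking map above, carried through on a constructed three-device subproblem, as an added example that is not code from the paper: the edge device builds N_i, x_i^0 and the masked data from a secret invertible R_i, a worker solves the masked problem without seeing H, c, G or h, a miner checks optimality and feasibility on the masked data only, the edge device recovers x, and a neighbour that holds only the coupling row of N_i R_i and x_i^0 recovers just that coupling variable. Everything is pure Python with exact Fractions. The device costs, the balance and box constraints, the matrix R and the choice of the third variable as the coupling variable are assumptions for illustration; the worker here takes the stationary point of the masked QP because the box limits are inactive at the optimum (the miner's feasibility check confirms this), where the paper's workers run an interior-point solver on the full masked QP.

```python
# Added example, not the paper's code: mask one DES subproblem with
# x = N R y + x0, let a worker solve it, let a miner verify it, and recover the
# result at the edge device and (partially) at a neighbour.  Exact Fractions,
# no third-party packages; device data, constraints and R are constructed.
from fractions import Fraction as F

def T(M): return [list(r) for r in zip(*M)]
def mm(X, Y): return [[sum(a * b for a, b in zip(r, c)) for c in zip(*Y)] for r in X]
def mv(M, v): return [sum(a * b for a, b in zip(r, v)) for r in M]

def solve_linear(M, rhs):
    """Gauss-Jordan solve of M z = rhs; ValueError if M is singular."""
    n = len(M)
    aug = [[F(v) for v in row] + [F(r)] for row, r in zip(M, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[col], aug[piv] = aug[piv], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]

def null_space(A):
    """n x k matrix N with A N = 0, from the free columns of the RREF of A."""
    m, n = len(A), len(A[0])
    M, pivots = [[F(v) for v in row] for row in A], []
    for c in range(n):
        r = len(pivots)
        piv = next((i for i in range(r, m) if M[i][c] != 0), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        p = M[r][c]
        M[r] = [v / p for v in M[r]]
        for i in range(m):
            if i != r and M[i][c] != 0:
                f = M[i][c]
                M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        pivots.append(c)
    cols = []
    for fc in [c for c in range(n) if c not in pivots]:
        v = [F(0)] * n
        v[fc] = F(1)
        for i, pc in enumerate(pivots):
            v[pc] = -M[i][fc]
        cols.append(v)
    return T(cols)

def mask_qp(H, c, A, b, G, h, R):
    """Edge device: broadcast data (H', c', G', h') and local secrets (N R, x0)."""
    NR = mm(null_space(A), R)
    x0 = mv(T(A), solve_linear(mm(A, T(A)), b))          # particular solution, A x0 = b
    Hp = mm(mm(T(NR), H), NR)                            # H' = (NR)^T H (NR)
    cp = mv(T(NR), [s + ci for s, ci in zip(mv(H, x0), c)])   # c' = (NR)^T (H x0 + c)
    Gp, hp = mm(G, NR), [hi - gi for hi, gi in zip(h, mv(G, x0))]  # G' = G N R, h' = h - G x0
    return (Hp, cp, Gp, hp), (NR, x0)

def worker_solve(Hp, cp):
    """Worker: stationary point H' y = -c' (inequalities assumed inactive here;
    the paper's workers run an interior-point method on the full masked QP)."""
    return solve_linear(Hp, [-v for v in cp])

def miner_verify(Hp, cp, Gp, hp, y):
    """Miner: gradient exactly zero and G' y <= h', using masked data only."""
    grad = [s + ci for s, ci in zip(mv(Hp, y), cp)]
    return all(g == 0 for g in grad) and all(lhs <= rhs for lhs, rhs in zip(mv(Gp, y), hp))

def recover(NR, x0, y, rows=None):
    """x = N R y + x0 on the rows held: all rows at the edge device, only the
    coupling rows at a neighbour, which therefore learns x_c and nothing else."""
    idx = range(len(x0)) if rows is None else rows
    return [sum(a * yi for a, yi in zip(NR[i], y)) + x0[i] for i in idx]

def demo(R=((3, 1), (2, 5))):
    """Constructed DES: bid costs ½ h_i x_i² + c_i x_i, balance x1+x2+x3 = 10,
    limits 0 <= x_i <= 6; R is the device's secret invertible random matrix."""
    H, c = [[2, 0, 0], [0, 1, 0], [0, 0, 4]], [0, 2, 1]
    A, b = [[1, 1, 1]], [10]
    G = [[-1, 0, 0], [0, -1, 0], [0, 0, -1], [1, 0, 0], [0, 1, 0], [0, 0, 1]]
    h = [0, 0, 0, 6, 6, 6]
    masked, secrets = mask_qp(H, c, A, b, G, h, [list(r) for r in R])
    y = worker_solve(masked[0], masked[1])               # worker never sees H, c, G, h
    n, m = len(H), len(A)                                # plaintext reference via KKT
    KKT = [H[i] + [A[j][i] for j in range(m)] for i in range(n)]
    KKT += [A[j] + [0] * m for j in range(m)]
    return {"x_direct": solve_linear(KKT, [-v for v in c] + b)[:n],
            "x_masked": recover(*secrets, y), "verified": miner_verify(*masked, y),
            "neighbour_sees": recover(*secrets, y, rows=[2]), "H_masked": masked[0]}
```

Call demo() for the constructed case: the masked route returns the same dispatch as the plaintext KKT solve, the miner accepts it from masked data alone, and the neighbour sees only the coupling variable. demo(R=...) with any other invertible R gives the same x, while a singular R makes H′ singular and the worker's solve fails, which is why R_i must be invertible.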
Iterative process: 1) DES owners submit bids to edge devices; 2) edge devices formulate and encrypt subproblems; 3) exchange of relevant mask rows with neighbors; 4) broadcast masked problems; 5) workers solve; 6) solutions broadcast; 7) miners verify via pBFT and commit; 8) edge devices recover local and partial neighbor solutions to compute e_cij and update penalties; 9) repeat until convergence (small changes in x_e and e).

Settlement: after convergence and day-ahead execution, neighbor-to-neighbor payments are computed from the shadow prices λ_ij of the coupling constraints; at convergence λ_ij + λ_ji = 0 and x_cij = x_cji, so each DES i pays Σ_j λ_ij x_cij and i's payment to j is exactly j's income from i. This is the decentralized analog of locational marginal pricing (LMP) and identifies the bilateral payee for every coupled flow. The scheme ensures individual rationality, balanced budget, and ex-post efficiency, but not full incentive compatibility, consistent with the Myerson–Satterthwaite impossibility result.

Test system and implementation: a real 10 kV, 60-bus distribution grid in Yingkou City, China (1 substation, 48 customer nodes, 11 intermediates; 21 buses with DERs) is used. Dispatch interval 15 min, 96 points/day, 7 days. Computations simulated on Intel i7-12700 with CVXPY+GUROBI; SGX enclaves simulated via SCONE; WebSocket/Flask for networked demo. Convergence metrics include primal/dual residuals; performance measures include subproblem solve time, edge device update time, and iteration counts. Attack simulations evaluate three manipulation types: (a) a dishonest DES owner injecting inconsistent local results; (b) a manipulative third-party decision-maker colluding to bias dispatch/prices; (c) an irrational DoS participant attempting to prevent convergence.
- Cost and optimality: Across 6–12 Nov 2023, decentralized management reduced daily energy costs by 3.0–7.5% versus the non-cooperative baseline, approaching centralized optimal results (e.g., on 9 Nov: Non-coop 42271 CNY; Proposed 39226 CNY; Centralized 39105 CNY). Benefits were broadly shared among DESs.
- Convergence and performance: Average ≈735 iterations/day (total 5149 over 7 days) to reach residual threshold 1e−3; near-zero primal and dual residuals indicate agreement on neighbor flows/voltages and stable operation decisions. Average max solve time per encrypted subproblem per iteration ≈0.15 s (≈50% increase vs 0.10 s unencrypted) due to sparsity loss; edge device parameter update ≈0.001 s (negligible). In a real 10-node network demo, per-iteration time ≈0.2 s for 15-min resolution (0.1 s compute, 0.02 s TEE update, 0.08 s comm/verification) and ≈0.08 s for 1-hour resolution (0.03 s compute, 0.05 s comm).
- Privacy: The original decision vector (length 1536) reveals detailed operation; the masked vector that is exposed has length 716 with irregular values, the mapping is known only to the DES, and only neighbors can partially recover the coupling terms. The eigenvalues of the masked cost matrix H′ differ from those of H, hiding the true bid cost functions.
- Security/robustness under adversaries (9 Nov case): • Manipulation (a) dishonest DES owner (PA-only): DES 5 sends falsified local results, decreasing its cost by 228 CNY while increasing neighbors’ bills (DES 6–11) despite unchanged total system cost; demonstrates vulnerability of PA-only schemes. Proposed and blockchain-only schemes are immune (verifiable bidding and collective decision-making prevent this). • Manipulation (b) collusive third-party decision-maker (centralized comparator): Dispatcher at DES 0 biases dispatch (raising output at DES 5, 21, 49) and sets false LMPs, yielding a 0.4% total cost increase but 2221 CNY extra income to manipulator and DES 52; proposed and blockchain-only schemes prevent this. • Manipulation (c) irrational DoS: PA-only and PA+plaintext-blockchain may not converge (worst-case time to infinity, effectively reverting to non-cooperative cost). Proposed and blockchain-only schemes remain operable: excluding non-participating DES 5 yields a suboptimal but feasible plan with total cost +1.5% and DES 5’s own income −146 CNY.
- Decentralization by specialization: Division into Encrypted Modeling (TEE at edges), Decentralized Computation (workers), and Verification & Record (blockchain) layers achieves secure, privacy-preserving, and fully decentralized coordination while considering physical grid constraints.
The study addresses the decentralization-security-privacy trilemma by combining PA-based decomposition (for distributed decision-making and locality) with blockchain-based verification (for integrity and robustness) and encryption via linear transformations (for privacy). The results show that the framework converges efficiently to near-optimal cooperative operation while keeping sensitive bids and schedules masked from miners and workers, and limiting information exposure to partial coupling variables among neighbors. Attack simulations demonstrate resilience to rational manipulations by DES owners and third-party decision-makers and the ability to maintain feasible outcomes under irrational DoS behavior, which blockchain-backed supervision prevents from derailing the process. The neighbor-to-neighbor settlement using shadow prices aligns incentives and distributes benefits, promoting participation without centralized authority. Collectively, these findings validate that secure and privacy-preserving decentralized DES management is achievable in realistic grid settings with physical constraints, offering a path to more active and competitive distribution systems.
The paper proposes a decentralized DES management mechanism that reconciles the trade-offs among decentralization, security, and privacy. By encrypting decomposed subproblems (via null-space and random linear mappings), outsourcing computation to professional workers, verifying solutions on-chain with pBFT, and constraining local actions to TEE-protected operations, the framework ensures privacy-preserving and tamper-resistant convergence. Empirical evaluation on a real 60-bus distribution grid demonstrates 3.0–7.5% cost reductions versus non-cooperative operation, near-centralized optimality, practical iteration times, and robustness against manipulative and irrational behaviors. Future work may include engineering contingencies for edge device/network outages, deeper analysis of TEE and cryptographic dependencies, optimizing performance overhead from encryption/sparsity loss, and market design refinements toward stronger incentive compatibility while preserving privacy.
- Dependence on TEE integrity and cryptographic infrastructure: The scheme's confidentiality rests on the enclave keeping the masks (N_i, R_i, x_i^0) and keys local and on the remote attestation and asymmetric-key infrastructure around it; vulnerabilities in TEE implementations (e.g., side channels) or in that cryptography would undermine it. The study assumes remote attestation and TEE protections hold; practical deployments must plan mitigations and incident response.
- Performance overhead: Encryption breaks sparsity, increasing subproblem solve time by ~50% (0.10 s to 0.15 s) and requiring iterative communication, which lengthens decision times relative to centralized solvers.
- Operational reliability: Edge devices may go offline due to network fluctuations; backup and fallback procedures are necessary in real deployments.
- Incentive compatibility: The settlement ensures individual rationality, balanced budget, and ex-post efficiency, but not full incentive compatibility (Myerson–Satterthwaite); strategic misreporting of costs remains theoretically possible, although masking withholds the information about other participants' costs that profitable misreporting would require.
- Scope: Physical testbed lacked real devices (10-node communication demo); full-scale hardware deployments and broader network conditions were not experimentally validated within this study.