Privacy-preserving Computation for Large-scale Security-Constrained Optimal Power Flow Problem in Smart Grid

In this paper, we present a distributed privacy-preserving quadratic optimization algorithm to solve the Security Constrained Optimal Power Flow (SCOPF) problem in the smart grid. The SCOPF problem seeks the optimal dispatch subject to a set of postulated constraints under the normal and contingency conditions. However, due to the large problem size and real-time requirement, a fast and robust technique is required to solve this problem. Moreover, due to privacy concerns, it is important that the data remains confidential and processed on local computers. Therefore, a fully privacy-preserving algorithm is proposed which performs computation directly over the encrypted SCOPF problem. The SCOPF is decomposed into smaller subproblems corresponding to individual pre-contingency and post-contingency cases using the Alternating Direction Method of Multipliers (ADMM) and gradient projection algorithms. Both algorithms are presented for solving the SCOPF problem in a privacy-preserving and distributed manner. Security analysis shows that our algorithm can preserve both system confidentiality and data privacy. Performance evaluations validate the correctness and effectiveness of the proposed algorithm.


I. INTRODUCTION
In order to adequately supply the connected load while minimizing the operating costs, system operators need to solve the optimal power flow (OPF) problem subject to physical constraints and control limits of the power system [1]. However, due to the large-scale interconnected topology of transmission and distribution networks, the OPF model cannot ensure the demand-supply balance condition when the power system experiences unexpected failure and disconnection of components such as generators, transmission lines, transformers, etc., known as an outage or a contingency [2]. To address this issue, security requirements that ensure the power system continues its reliable operation during contingency scenarios need to be considered together with the OPF problem, which is referred to as the security-constrained optimal power flow (SCOPF) problem in the literature [3], [4]. The optimal solution of the SCOPF problem produces the minimal cost generation dispatch while still assuring that the power system remains balanced and no operational constraints are violated in both the normal state and contingencies [3], [4].
The contingency analysis is performed by independent system operators (ISOs) to ensure the reliable operation of power systems in both normal and contingency cases. By taking into account both pre-contingency constraints and post-contingency constraints in the SCOPF, the security of the power system can be significantly improved [5]. An illustration of the SCOPF is shown in Fig. 1. The system security level is improved by taking into account a number of contingencies in a dedicated list of selected contingencies. The SCOPF is commonly classified into two major types: the preventive model [3] and the corrective model [4]. The preventive SCOPF formulation seeks the minimum cost dispatch solution in the normal state that requires the normal-state variables to be feasible for all pre-specified contingency conditions, i.e., the control variables are not allowed to reschedule in contingency scenarios. However, this model makes the solution more conservative and may incur, in general, a higher operation cost [3].
The corrective SCOPF model, on the other hand, permits system operators to adjust post-contingency control variables such as power generation outputs and line power flows within a certain limit to eliminate any violation caused by the contingency. Due to the capability of adjusting control variables, the corrective SCOPF model often produces the optimal solution that has a lower total generation cost than the preventive model [6].
Despite the economical benefit of the corrective SCOPF model, its formulation generates a significant number of variables, which sharply increase the problem size when numerous contingencies are taken into account. The large-scale problem may result in excessive memory usage and unacceptable computation time [7]. On one hand, researchers have been investigating possible ways to optimize a variety of optimization problems [8]. On the other hand, new technologies, such as edge computing and cloud computing, have demonstrated their huge potential of tremendously speeding up intensive computation while reducing the cost [9], [10]. Hence, outsourcing the SCOPF problem to the cloud has emerged as a promising solution to the aforementioned challenges. Nonetheless, the fact that the operation takes place entirely at a third party will inevitably raise privacy concerns about data sensitivity. Sensitive power grid data can be captured by cyber attackers and used to initiate more sophisticated attacks (e.g. false data injection attack [11]) which could have potentially catastrophic consequences. Alternatively, the generic secure multi-party computation can implement any algorithm in principle, allowing the utility companies to take advantage of the aforementioned outsourcing paradigms while protecting the privacy of their operational data.
In this paper, we present a decentralized structure of outsourcing paradigm and a distributed privacy-preserving algorithm to demonstrate the feasibility of solving the corrective SCOPF problem without losing data privacy. The basic idea of the proposed scheme is to let each substation encrypt its private data after which a third party performs the SCOPF algorithm over the encrypted data without decrypting it. The third party then sends the encrypted result to the ISO company, which can be decrypted using the pre-distributed secret key. This is accomplished by leveraging additive Homomorphic Encryption (such as the Paillier cryptosystem [12]). However, according to the additive homomorphism property, we cannot directly solve the SCOPF problem using any available methods. In this work, we leverage both alternating direction method of multipliers (ADMM) [13] and gradient projection algorithm [14] to transform the SCOPF problem into a solvable problem for the additive homomorphic cryptosystem.
Note that even though the proposed scheme is based on ADMM and gradient projection, it can also be easily extended to other sophisticated optimization algorithms. Also, our proposed method is not limited to solving the SCOPF problem; it can also be applied to any other optimization problem that involves ADMM or gradient projection, such as Internet congestion control and power system state estimation.
By presenting privacy-preserving computation for the large-scale SCOPF problem, the main contributions of this paper can be summarized as follows:
• This work is the first to consider a privacy-preserving method for the SCOPF problem. Although a number of papers have been published on solving OPF problems in a privacy-preserving manner, solving SCOPF problems is much more costly because of the additional contingencies. With the strong security guarantee against semi-honest attackers that is proposed in this paper, the ISO can confidently outsource the computation-heavy SCOPF problem to public cloud computing services.
• Decompose the SCOPF problem into independent subproblems using ADMM and gradient projection which can be solved asynchronously.
• Propose privacy-preserving ADMM and gradient projection algorithms using additive homomorphic encryption. Both algorithms can be applied to other quadratic optimization problems with minor modifications.
We organize the rest of this paper as follows. Section II reviews the related works. Section III introduces the architecture and threat model. Section IV explains the components of privacy-preserving SCOPF. Section V presents the optimization techniques and summarizes our proposed privacy-preserving SCOPF scheme along with the security analysis. Section VI presents the experiment results of our proposed scheme. Finally, we conclude this paper in Section VII.

II. RELATED WORK
Due to the large-scale nature of the SCOPF problem, recent research has proposed different methodologies to handle it. The contingency filtering technique has been developed in [15], [16] to discard contingencies that do not affect the optimal solution. An exact method to obtain the global optimal solution using a branch-and-bound algorithm is proposed in [7]. The authors in [17] use Benders decomposition techniques to handle each contingency separately and check the feasibility of the optimization problem to achieve computational efficiency. The studies in [6], [18] apply the ADMM decomposition method to design a parallel computing framework, which can be executed simultaneously on multiple computers to reduce the latency. [19], [20] try to solve the OPF problem using differential-privacy (DP) algorithms. Those methods target a multi-agent distributed computation scenario and use conventional OPF methods with different types of DP methods. In comparison, our paper has a stronger adversary model (honest-but-curious adversaries) and thus cannot leverage DP methods. Another paper also considers the privacy of OPF in a multi-party computation scenario in [21]. This paper uses obfuscation to guarantee the privacy, which is not computationally indistinguishable against probabilistic polynomial-time adversaries.
Previously, researchers mainly focused on the privacy of customer data in the smart grid. Giaconi et al. [22] study information leakage issues in a smart meter system, where the privacy can be partially preserved by a low-complexity policy that can approach the theoretical lower bound. This scheme only guarantees a lower information leakage rate in limited scenarios. Other methods for protecting consumers' privacy can be found in [23]-[25]. Additionally, only a few research works have been published to address sensitive operational data for the power system. [26] tries to securely outsource widely applicable linear programming (LP) computations by applying affine mapping on decision variables, which will transform the original vector space to a different one. [27] proposes a novel scheme that enables privacy-preserving multi-party spectral estimations, which conduct spectral estimation directly over the encrypted synchrophasors to limit privacy breaches. However, both works only deal with the minimal scenario, which cannot be applied to solve more complicated problems such as SCOPF.
Furthermore, privacy-preserving computations have received significant attention in areas other than the smart grid. A popular approach that makes use of two-party computation is based on Yao's garbled circuits. [28] shows the feasibility by designing a system that performs matrix factorization, a popular method used in a variety of modern recommendation systems. Several frameworks implement Yao's garbled circuits and describe many applications [29]. However, due to the inherent serial property, recent work [30] shows that the garbled circuit is $2^{14}$ times slower than computing in plaintext. To deal with the slowness of the garbled circuit, some works introduced hybrid approaches, such as combining Homomorphic Encryption and garbled circuits for regression [28], face [31] and fingerprint recognition [32], and combining secret sharing with garbled circuits for learning a decision tree [33]. Nonetheless, the performance of those hybrid approaches is largely affected by network connection, which does not apply to our scheme.

Table 1. Notation
$G$: The set of generators
$N$: The set of buses
$B$: The set of branches
$\theta^c \in R^{|N|}$: The vector of voltage angles
$P^{g,c} \in R^{|G|}$: The vector of real power flows
$f_i^g$: The generation cost function
$P_i^{g,0}$: The displaceable real power of each individual generation unit $i$ for pre-contingency configuration
$B^c_{bus} \in R^{|N| \times |N|}$: The power network system admittance matrix
The sparse generator connection matrix, whose $(i, j)$ element is 1 if generator $j$ is located at bus $i$ and 0 otherwise
$F_{max}$: The vector for the maximum power flow
$\overline{P}^{g,c}$: The upper bound of real power generation
$\underline{P}^{g,c}$: The lower bound of real power generation
$\Delta^c$: The pre-defined maximal allowed variation of power outputs
$K_{priv}$: The private key of a cryptosystem
$K_{pub}$: The public key of a cryptosystem
$E$: A Paillier cryptosystem
$F$: The plaintext of a SCOPF problem, denoted as a collection of base case and all the contingencies
$F_c$: The encrypted SCOPF problem stored in the server
$[x]$: The encryption form of $x$ using Paillier cryptosystem

A. SYSTEM MODEL
Our system is designed for one or multiple entities who want to solve the large-scale SCOPF problem with a limited computational resource. The system model of the proposed scheme is captured in Fig. 2 where the notation is given in Table 1. The proposed system model involves four different entities: Control Center (CC), Balancing Authority (BA), Server (S), and Cryptographic Provider (CP).
Control Center refers to the operator of the regional power system who solves the SCOPF problem to minimize generation costs, market surplus, and losses, etc. An independent system operator (ISO) first prepares a SCOPF problem $F$ which contains the objective function and constraints and sends the initiation request to each balancing authority. In our scheme, the control center initiates a SCOPF problem and sends it to the server.
Balancing Authority is normally a substation in the power system F which contains local operation data and contingencies. In our scheme, after receiving a request command from the control center, balancing authorities generate encrypted local data and upload it to the server.
Server only stores the public key $K_{pub}$. Upon receiving the encrypted SCOPF problem $F_c$ from the ISO, the server executes the privacy-preserving algorithm over $F_c$, and finally returns the encrypted optimal $[P^{g,c}]$ to the ISO. The contribution of our system is to ensure that the server learns nothing about the power flow while still being capable of computing the optimal state of the power system.
Fig. 2. The architecture of proposed scheme.
Cryptographic Provider is a third party that initializes the system by assigning setup parameters to each party and is needed for a short one-round online step in each iteration while the server computes the model.

B. DESIGN GOALS AND THREAT MODEL
We aim to enable secure, efficient, and accurate solving of SCOPF over the encrypted problem under the above model. Our goal is to ensure the security of our algorithms using the secure two-party computation framework for semi-honest adversaries (or honest-but-curious adversaries) [34]. The specific requirements are summarized as follows:
• Data Privacy: The server and cryptographic provider cannot reveal the power flow using the statistical information during the computation process.
• System Confidentiality: Given an encrypted SCOPF problem $F_c$, the server and cryptographic provider are not able to recover key information of the power grid, such as power demand, bus limits, and generation load.
• Efficiency: The scheme aims to achieve efficiency by offloading the computation to the server and by using the parallel approach.
• Accuracy: The difference between the result calculated by the proposed parallel scheme and the traditional centralized method will not exceed the threshold e.
In our system, we assume that the Server is able to produce a correct model. Thus, we are not concerned with a malicious server that tries to disrupt the optimization algorithm to output an incorrect result. However, the server is motivated to learn information about private data stored in the server since this data can potentially be sold to other parties, e.g., the black market. In our scenario, consider that the server is compromised by a semi-honest adversary. The adversary aims to learn as much as possible about the SCOPF problem and the optimization result by analyzing all the input and output of this party. That is to say, the server can conduct a ciphertext-only attack (COA) [34] in this model. However, the adversary cannot prevent this party from executing the algorithm faithfully. Hence, we do not consider an adversary who will intentionally corrupt the operation to generate misleading results.

IV. PRELIMINARIES
To better understand our scheme, in this section, we review the SCOPF problem and necessary components of the proposed algorithm.

A. SCOPF PROBLEM FORMULATION
The corrective SCOPF problem finds the optimal dispatch solution for the power network while satisfying security criteria in which the system operator is allowed to re-adjust control variables after a contingency occurs. This capability gives the system operator a time window to adjust control variables in order to eliminate any violations caused by the contingency. The general formulation of the corrective SCOPF problem can be compactly formulated as follows [4]: where $C = \{1, 2, \ldots, C\}$ is the set of postulated contingencies, superscript $c$ denotes variables and constraints associated with the $c$-th contingency, superscript 0 represents the base case (pre-contingency state), and $x$ and $u$ denote the state variables and control variables. The constraints in (2) and (3) denote the set of equality and inequality constraints associated with the operation of the power system such as transmission line limits, power flow equations, etc., in the base case. Similarly, (4) and (5) represent the operational constraints of the power system when switching into contingency states. The last constraints in (6) are the coupling constraints between the base case and post-contingency, which means that the deviation of control variables between the normal state and contingency states must be within the allowable adjustment limit, denoted by $\Delta^c$.
In the SCOPF problem, equality constraints $g^c$ are the nodal load-flow equations, and inequality constraints $h^c$ are the plant and transmission system operating limits. Constraints (2)-(3) stand for the economic dispatch and enforce the feasibility of the pre-contingency state while constraints (4)-(5) stand for the post-contingency state. The superscript $c = 0$ corresponds to the pre-contingency configuration, while $c = 1, \ldots, C$ corresponds to the $c$-th post-contingency state. $\Delta^c$ is the maximal allowance of the control variables between the pre-contingency and post-contingency states. Note that there are some variations on the objective function and constraints of the SCOPF problem, and we focus on the conventional formulation in this paper.
Based on the standard form of the SCOPF problem, there are some variations on the objective function and constraints for the SCOPF problem in alternating current (AC) and direct current (DC) power networks. For the sake of computational tractability of the proposed privacy scheme, we consider a DC power network whose objective is to minimize the total generation cost while ensuring the security requirements for the power system. Therefore, the corrective SCOPF problem can be simplified as follows [18]: where $P_i^{g,0}$ is the generation output of each individual generator for pre-contingency configuration, $f_i^g(P_i^{g,0})$ represents the generation cost function of the generator using the following function where $a_i$, $b_i$ and $c_i$ are the cost coefficients. The constraints (8) and (9) are the nodal load-flow equations. The inequality constraints (10) and (11) are the transmission line limits. Constraints (12) and (13) are the power generation limits. Constraints (14) enforce the maximum adjusting limits for the generation units when switching into post-contingency states. The key notations of the above problem can be found in Table 1.
The problem in (7)-(15) is convex and can be solved by a central controller using convex optimization techniques [35]. However, due to numerous contingencies being incorporated into the model, the formulated problem becomes a large-scale optimization problem, which makes the centralized computational framework impractical. We will propose a parallel computation algorithm using the ADMM decomposition technique in the next section.

B. PAILLIER CRYPTOSYSTEM
The Paillier cryptosystem is a public-key additive homomorphic cryptosystem first proposed in [12] and further generalized by Damgård and Jurik [36]. Here, additive homomorphic means that the sum of two values can be computed in the encrypted domain: given the encryptions of a and b, we can obtain the encryption of a + b without decryption. This makes the Paillier cryptosystem very useful for privacy-preserving applications. In this subsection, we will illustrate the key components of the Paillier cryptosystem.

1) Key Generation
First, two big prime numbers $p$ and $q$ are selected to compute $n = pq$ and $\lambda = \mathrm{lcm}(p - 1, q - 1)$. Then choose a random integer $g$ where $g \in \mathbb{Z}^*_{n^2}$ and the order of $g$ is a multiple of $n$. The private key is $\lambda$ and the public key is the tuple $(n, g)$.

2) Encryption
To encrypt a value $m$ where $m < n$ in the typical setting, we need to select a random value $r \in \mathbb{Z}^*_n$. Then the ciphertext can be computed as: $c = g^m \cdot r^n \bmod n^2$. Note that in our scenario, $m$ is not necessarily positive. Therefore, we divide the encryption space in two parts and then $m$ is in the range of $(-n/2, n/2)$.

3) Decryption
To decrypt a ciphertext $c$, the plaintext message can be computed as: where function $L$ is defined as $L(u) = \frac{u - 1}{n}$.

4) Additive Homomorphism
Given the ciphertexts of $m_1$ and $m_2$, the product of two ciphertexts will decrypt to the sum of their corresponding plaintexts: Moreover, given a ciphertext and a plaintext, we can compute the sum of the corresponding plaintexts:

5) Homomorphic Multiplication of Plaintext
By raising the ciphertext to a constant k, we can get the encryption of the product of the plaintext and the constant: However, given the encryptions of two plaintexts, there is no direct way to compute the product of these messages without knowing the private key.

C. THE ADMM METHOD
ADMM is a powerful algorithm for solving convex optimization problems. Its general idea is to solve small local subproblems, which are coordinated to find a solution to a global problem by blending the benefits of dual decomposition and augmented Lagrangian methods for constrained optimization; it is also widely adopted in power systems [6], [18], [37]. The general form of ADMM is described as follows: subject to $Ax + Bz = c$, where $x \in R^n$, $z \in R^m$, $A \in R^{p \times n}$, $B \in R^{p \times m}$ and $c \in R^p$. Functions $f$ and $g$ are closed, convex and proper. The scaled augmented Lagrangian can be expressed as: where $\rho > 0$ is the penalty parameter and $\mu$ is the scaled dual variable. Using the scaled dual variable, $x$ and $z$ can be updated in a Gauss-Seidel fashion. At each iteration $k$, the update process can be expressed as: Finally, the scaled dual variable is updated by:

V. PRIVACY-PRESERVING SCOPF
The basic idea of this algorithm is to use the Paillier cryptosystem to solve multiplication, addition, and subtraction without leaking any information about the input. However, the objective function of the SCOPF problem is not necessarily linear and usually in quadratic form. To address this challenge, we will reformulate the SCOPF problem using the ADMM and gradient projection algorithms in this section.

A. REFORMULATING THE PROBLEM
The SCOPF problem in (7)-(15) contains a large number of constraints. However, we can separate constraints (8)-(13) into the normal state and each contingency state. Only the constraints in (14) couple the normal state and the contingency states. In order to make the constraints in (14) separable, we define auxiliary variables where each auxiliary variable $P_o^{g,c}$ can be interpreted as a local copy of $P^{g,c}$ at the normal state. Then, constraint (14) can now be rewritten separately for the normal state and contingencies as

Algorithm 1 Distributed SCOPF
Input: $B^c_{bus}$, $B^c_f$, $A^{g,c}$, $P^{d,c}$, $\overline{P}^{g,c}$, $\underline{P}^{g,c}$, $\Delta^c$
Initialize: $\theta^c$, $P^{g,c}$, $p^c$, $\mu^c$, $\rho^c$, $k = 0$
1: while not converge do
2: $P^{g,0}$-update
3: $P^{g,c}$-update, distributively at each node:
5: Adjust penalty parameter $\rho^c$ when necessary
8: $k = k + 1$
9: end while
10: return $\theta^c$, $P^{g,c}$, $c = 0, ..., C$

The constraints (8), (10), (12), and (28) now consist of variables in the normal state only, while constraints (9), (11), and (13) contain variables in contingencies. To facilitate the presentation, we define the feasible sets in the normal state, $F^0$, and each contingency state, $F^c$, as Then, the problem in (7)-(15) can be rewritten as min θ 0 ,...,θ C ;P g,0 ,...,P g,C i∈G The augmented Lagrangian can then be calculated as: Based on the Lagrangian function, we can decompose the problem in (7)-(15) into $C + 1$ subproblems as follows: $P^{g,0}$-update; $P^{g,c}$-update; dual variables update. The subproblems are updated iteratively and can be processed distributively on the server. At each iteration, the $P^{g,0}$-update needs to coordinate with all the nodes to solve (34). The updated $P^{g,0}$ will then be distributed to each computing node for the $P^{g,c}$, $\mu^c$ and dual variable update.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2021.3119618, IEEE Access

1) $P^{g,0}$-update
At the $k$-th iteration, the $P^{g,0}$-update solves the base scenario with square regularization terms enforced by the coupling constraints and expressed as: P g,0 [k + 1] = arg min L ρ (P g,0 ) = arg min P g,0 ,p i∈G

2) $P^{g,c}$-update
The remaining $C$ subproblems are associated with variables in contingency scenarios. Each contingency can be solved in parallel at different computing nodes as P g,c [k + 1] = arg min L ρ (P g,c ) = arg min

3) $\mu$-update
The computation of updating dual variables is also linear and can be performed locally at the $c$-th computing utility as:

B. SOLVING SUBPROBLEMS
In this section, we explain how to solve each subproblem using Homomorphic Encryption in a simple way. We formulate each subproblem as a quadratic optimization problem: arg min The linear inequality constraints are difficult to handle with basic operations in their current form. So we further simplify this problem by introducing a dummy variable $y = C \cdot x$. Then, we obtain the problem: arg min This subproblem itself can be solved by ADMM. We denote the augmented Lagrangian: where $w_1$ and $w_2$ are scaled Lagrange multipliers, and $\beta$ is a penalty parameter. The iteration of ADMM is The $x$-subproblem does not have a closed-form solution. It is solved by another iteration of gradient projection: $x \leftarrow \mathrm{proj}_{[s;t]}(x - \alpha \nabla_x L_\beta(x, y; w_1, w_2))$. Since $L$ is quadratic, $x - \alpha \nabla_x L_\beta(x, y; w_1, w_2)$ is linear and reduces to matrix-vector multiplications and vector-vector sums/differences.
To summarize, the numerical operations of the above algorithms include and only include:
• matrix-vector multiplications;
• vector-vector addition and subtraction;
• component-wise min and max.

C. GRADIENT PROJECTION ALGORITHM
In the previous section, we reformulated the SCOPF problem into a set of subproblems that are solvable by additive Homomorphic Encryption. However, at the end of each subproblem, $P^{g,0}$ and $P^{g,c}$ are updated using the gradient projection algorithm. The gradient projection algorithm solves bound-constrained optimization problems by projecting the result of the gradient descent onto the feasible set: For the bound-constrained problems, the projection can be easily computed by setting: where mid is the median element of a set, which cannot be computed directly under additive Homomorphic Encryption. We now describe our privacy-preserving gradient projection algorithm. One challenging part is how to perform comparison in the ciphertext domain. There are a few approaches to perform comparison efficiently. One naive way is sending the projection operation back to the ISO and calculating offline. Although this method is very efficient, it requires the ISO to stay online. Two methods that do not need the ISO to stay online are using specialized homomorphic encryption [38], or using garbled circuits [39]. Based on [40], the former is more efficient for comparison of encrypted values, while the latter is more efficient for comparison of unencrypted values. In our system, the lower and upper boundaries are normally power generation or bus limits, which are sensitive information for the power grid. In this case, we use homomorphic encryption to solve the comparison.
The idea is to exploit the homomorphic property to obscure the inputs with an additive mask. Here $r_l, r_h \leftarrow (-2^l, 2^l)$ are in the message space of the homomorphic encryption $E$ and satisfy: To evaluate (52) over encrypted $x$, we first need to calculate $[x_k] - \alpha \cdot [\nabla L_x(x)]$ using its homomorphic property. Then, the server chooses random masks $r_l, r_h$, obscures the difference $[x - s; x - t]$ as above, and sends the masked value to the Cryptographic Provider. The Cryptographic Provider can apply its decryption key and determine if a number is positive or negative. $\mathrm{proj}_{[s,t]}(x)$ is hence solved by the cloud by simply checking the value of $(r_l; r_h)$ and the result sent from the Cryptographic Provider.
The privacy-preserving gradient projection algorithm is detailed in Algorithm 2. Here, we use $[x]$ to denote the encryption of $x$ under the Paillier cryptosystem. Note that the computations in this algorithm are in the ciphertext domain and $[a] \cdot [b]^{-1} \bmod N^2$ in the ciphertext domain is equal to $a - b$ in the plaintext domain. A detailed security proof of Algorithm 2 is in Section V-G.

D. DEALING WITH FLOATING POINT NUMBERS
Given its Homomorphic property, the Paillier cryptosystem has been tested in many scenarios. However, one limitation of the Paillier cryptosystem is that it can only work with integers. Although we can test our scheme only on an integer model, the SCOPF problem usually uses floating-point numbers in the real world. Hence when we evaluate our scheme, we must adapt it accordingly.
In practice, as discussed in Section IV-B, the Paillier cryptosystem involves only additions and multiplications. Therefore, in [27], the authors multiply each floating-point number by a constant $K$. However, the selection of $K$ must guarantee that we do not overflow the Paillier cryptosystem plaintext space during the entire operation. To guarantee this, the selection of $K$ must satisfy: where $m_{max}$ is the largest plaintext number in the system. The square root is due to the fact that for multiplications, the Paillier cryptosystem requires integers for both sides of the operation. Fortunately, due to constraints (10)-(13) introduced in the SCOPF problem, the range of the encrypted values is small enough to ensure that the selection of $K$ can maintain high accuracy of the scheme. Recall that, in our scheme, the global minimum is found by iterations $P^{g,c} \leftarrow P^{g,c} - \alpha \cdot \nabla L(P^{g,c})$ and at each iteration, the magnitude of $x$ will increase by $K$. This is because both $\alpha$ and $\nabla L(P^{g,c})$ are scaled to integers by multiplying by $K$. Moreover, as mentioned in Section IV-B, the Paillier cryptosystem can only deal with multiplication directly, not division. As a consequence, the plaintext space will overflow after several rounds of iterations. The simplest way to rescale $P^{g,c}$ is to send it to an authorized party who has the secret key to decrypt it and send the rescaled value back to the cloud. However, in reality, it is costly to find a trusted third party for this job since this party needs to stay online during the whole process. Another practical solution is to use a garbled circuit for operations that cannot be solved by Homomorphic Encryption. In our case, the garbled circuit is considered computationally complex compared with Homomorphic Encryption if we only use the garbled circuit to solve divisions.
In [41], an efficient way to compute [x ÷ d] from [x] and d is proposed by additive blinding. Because B is not allowed to learn the value x, it is additively blinded by a random number r which is the statistical security parameter. It leads to Algorithm 3, where the random number r is chosen as large as possible to ensure the best statistical hiding of x.
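The fixed-point scaling by K and the blinded rescaling described above, as an added sketch that is not the paper's code: a toy Paillier instance runs one encrypted step x ← x − α·g at scale K² and then divides by K through additive blinding. The constructed, insecure Mersenne-prime key, the function names, the 40-bit statistical parameter and the omission of a final carry correction (so the quotient may be high by 1) are assumptions of this example.

```python
import secrets

# Constructed toy key: two Mersenne primes. Far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
N2, PHI = N * N, (P - 1) * (Q - 1)
MU = pow(PHI, -1, N)
K = 2**15  # fixed-point scale, the 15-bit choice used in the evaluation

def enc(m):
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    m = (pow(c, PHI, N2) - 1) // N * MU % N
    return m - N if m > N // 2 else m  # upper half of Z_N encodes negatives

def add(c1, c2):
    return c1 * c2 % N2  # [a] * [b] = [a + b]

def mul_const(c, k):
    return pow(c, k % N, N2)  # [a] ^ k = [a * k]

def key_holder_divide(blinded_ct, d):
    """Party B (holds the private key): sees only x + r, never x."""
    return enc(dec(blinded_ct) // d)

def blinded_divide(ct_x, d, x_bits=64, sigma=40):
    """Party A (no private key): [x] -> [x // d], possibly high by 1."""
    r = secrets.randbits(x_bits + sigma)  # must stay far below N
    q_ct = key_holder_divide(add(ct_x, enc(r)), d)
    return add(q_ct, enc(-(r // d)))

def encrypted_step(ct_x, ct_grad, alpha):
    """x <- x - alpha * grad on scale-K ciphertexts, result back at scale K."""
    a = round(alpha * K)
    ct = add(mul_const(ct_x, K), mul_const(ct_grad, -a))  # scale K**2
    return blinded_divide(ct, K)

def encode(v):
    return enc(round(v * K))

def decode(c):
    return dec(c) / K
```

Without the call to `blinded_divide`, each step would multiply the scale by another factor of K and the plaintext would wrap around N after a handful of iterations.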

E. PRIVACY-PRESERVING SCOPF
Our privacy-preserving SCOPF algorithm is divided into 4 phases:
• Phase 1: Key Generation and Distribution. After the system is activated, the Cryptographic Provider initializes the Paillier cryptosystem as described in Section IV-B with a public key K pub and a private key K priv . The Cryptographic Provider sends the private key to the control center, keeps a copy for itself, and assigns the public key to server S and balancing authorities BA.
• Phase 2: System Initialization. With the public key generated by the Cryptographic Provider, each area can encrypt its sub-SCOPF problem and upload it to the server. The server then collects all the encrypted data and sets up the system by initializing the following variables: It should be noted that ADMM converges to the optimum geometrically for the convex optimization problem [42], and the convergence time will be significantly reduced by using the warm start technique [43].
• Phase 3: Privacy-preserving SCOPF. With the encrypted input, the server securely operates the privacy-preserving SCOPF Algorithm 4, which calls two supporting algorithms, i.e. Algorithms 2 and 3. Since all computations are carried out in the ciphertext domain, no information about the measurement is revealed.
• Phase 4: Result Decryption. The ISO receives the encrypted θ c , P g,c , c = 0, ..., C as a result of Algorithm 4 from the server. It then decrypts the optimized variables using the private key. Also, since the uploaded power variables are multiplied by K, the optimized power variables should be divided by K accordingly.

F. DISCUSSION
The proposed algorithm has several strengths that make it efficient and practical in real-world scenarios:
• First, both balancing authorities and the control center do not need to stay online during the process. The ISO can leave the system after submitting the SCOPF problem and wait until final optimization is reached.
• Second, each local area can upload data in the encrypted form directly to the server to avoid the communication delay incurred by routing through the control center. The data integrity can be preserved using Internet layer security protocols such as IPsec.
• Furthermore, the system can be easily applied to solve SCOPF multiple times. Assuming that utility companies wish to perform optimization with different settings, they can initiate multiple instances. Consider an ISO wanting to know its system's operation performance under different numbers of secure constraints. The server can test SCOPF with 20 and 40 secure constraints at the same time.
• Also, multiple estimations can be started when the ISO uploads additional security constraints. In particular, the cryptographic provider does not need to refresh the public key too often since the public keys are long-lived, meaning that the ISO can submit more secure constraints to the server without changing the previous ones.
• The computation is decoupled into subproblems [P g,c ] assigned to node c, and the dual variable is then updated iteratively to make sure the block-coupling constraints (28) are satisfied. In contrast with typical dual, or primal-dual decomposition schemes, the strength of ADMM resides in its noise-resilience as well as the very loose assumptions required to guarantee the robustness of our proposed method.

Algorithm 4
  , ρ, k = 0
  while not converge do
    P g,0 -update:
      S computes P g,0 L ρ (P g,0 k )
      S computes P g,0 k+1 ← proj [s,t] (P g,0 k − α P g,0 L ρ (P g,0 k )) /* Using Algorithm 2 */
      S computes P g,0 k+1 /K /* Using Algorithm 3 */
    P g,c -update:
      while c < C do
        S computes P g,c L ρ (P g,c k )
        S computes P g,c k+1 ← proj [u,v] (P g,c k − α P g,c L ρ (P g,c k )) /* Using Algorithm 2 */
        S computes P g,c k divide by K /* Using Algorithm 3 */
      end while
      while c < C do
        Update µ c k+1 = µ c k + ρ(P g,c − P g,c o )
      end while
    Adjust penalty parameter ρ c when necessary
    k = k + 1
  end while
  return [θ c ], [P g,c ], c = 0, ..., C
  CC decrypts [P g,0 ] and [P g,c ], divides it by K to get final result.

G. SECURITY ANALYSIS
In our model, what we are mainly trying to preserve is the value of θ c , P g,c , c = 0, ..., C. Since the computation procedure of ADMM is publicly available, there is no need to hide the computation procedure. We will show the correctness of the algorithms, and then give a proof of security in the honest-but-curious model. For correctness, we just modify the proof of [40].
Definition. The two-party protocol securely computes the function f if there exist two probabilistic polynomial-time algorithms for every possible input a, b, f , it is computationally indistinguishable against probabilistic polynomial-time adversaries.
Here, S A means all the input of A, ≡ c means statistically indistinguishable for the adversaries, and V A means the view of A. Since we do not need to hide the computation procedure, we can reduce the secure definition to: if the input and output are statistically indistinguishable for the adversaries.
Proposition 1. Algorithm 2 is correct and secure in the honest-but-curious model.
Proof: Since the processes of upper and lower projection are identical here, we only try to prove the security of the process of lower boundary projection.
A's view is According to [44], it is sufficient to show that there exists a probabilistic polynomial-time algorithm S such that S(x, f (x)) is computationally indistinguishable from V . By semantic security of the Paillier cryptosystem, each encryption is computationally indistinguishable, so this condition is easily verified if S randomly generates r of log c N − 1 bits. However, the following security is not guaranteed because A will get the B's view is V B = (K priv , x + r, z/d) and the output is [x ÷ d]. So if r 1 and r 2 are taken from the same distribution, independently from any other parameter. Here, since r is taken randomly in (−2 l , 2 l ), the distributions of r 1 ÷ d and r 2 ÷ d are identical. Therefore, following similar steps, we conclude with the computational indistinguishability of V A and V B .
Proposition 3. Algorithm 4 is correct and secure in the honest-but-curious model.
Proof: Algorithm 4 is semantically secure, because the algorithm only calls Algorithm 2 and Algorithm 3, and does not include computations other than the underlying Paillier cryptosystem. Both the called algorithms are semantically secure by our analysis.

VI. EVALUATION
In this section, the numerical tests are given to evaluate the performance of the proposed algorithm. Two classical test systems are used to formulate the SCOPF problem: IEEE 57 bus, IEEE 118 bus, whose structures and characteristics are summarized in TABLE 2. Two kinds of contingencies are considered in numerical tests: branch outage and generator failure. The contingencies are artificially generated and the number of contingencies considered is listed in TABLE 2. We follow the physical limits on the equipment of test systems and assume every active generator can reschedule up to 50% of its maximum real power capacity.
The numerical tests are implemented in Java and run on a personal computer with a 4 core, 8 threads, 2.2GHz processor and 16GB memory.
The performance of the convergence and computing time of the proposed algorithm are investigated in the following parts.

A. ACCURACY
One of the most dominant features that affect the performance of our system is the choice of K used in the Paillier cryptosystem. Through synthetic experiments based on the IEEE 57 bus case, TABLE 3 illustrates the trade-off between the number of bits of K and the relative error and time. Suppose $r[k]$ is the value of the objective function at the kth iteration, and $r^*$ is the optimal solution. The relative error e is defined as $e = \left| \frac{r[k] - r^*}{r[0] - r^*} \right|$. Relative time is defined as $t = \left| \frac{t[k] - t_{min}}{t_{min}} \right|$, where $t_{min}$ is the lowest time in the test. It is shown that a larger selection of K will increase the computation time while reducing the relative errors. However, when K is larger than 20 bits, the relative error will significantly increase. This is because the plaintext space of the Paillier cryptosystem is overflowed when K is larger than 20 bits. In this case, to balance between efficiency and accuracy, we choose 15 bits as the length of K in the following experiment.

B. CONVERGENCE RATE
We then consider the convergence issue of the proposed algorithm. To better understand the convergence rate between different cases, the relative error is used here to demonstrate the results. The convergence performances are shown in Fig. 3. It shows that the proposed algorithm converges to the optimal values in both cases after a few iterations. We can see that with a larger scale of the test system and a larger number of contingencies, the proposed algorithm has a slower convergence rate, which is due to the fact that a larger system and a larger number of contingencies lead to a larger optimization problem. By comparing the convergence rate with algorithms that optimize the same IEEE 57-bus and IEEE 118-bus problems in plaintext space, we observe that the performance of our method aligns with the ADMM-based method [45], and outperforms [46], which couples Differential Evolutionary (DE) and Particle Swarm Optimization (PSO) together. For the IEEE 57 case, all three methods are able to converge at iteration 15.

C. PERFORMANCE
In this part, we compare the computing time of the proposed algorithm with the centralized approach to solve the SCOPF problem. Note that, both algorithms are performed over the same personal computer. The performance can be further optimized when outsourcing to the cloud computing platforms like Amazon EC2 which use a higher clock rate CPU and more machines.
The computing time to obtain the optimal solution is considered in both cases. Communication overhead is also presented. The results of the computing time performance and communication overhead are presented in Table 4. From the table, we can see that the computing time of our system is slower than the centralized algorithm. This is because our methods perform entirely over the encrypted data. However, compared with the performance of Yao's garbled circuit [30], which is normally 2^10 times slower than plaintext implementations, our system is significantly more efficient. In addition, the gap between centralized and proposed algorithms becomes smaller when the testing case is larger. This is due to the communication overhead between different processes during the simulations. A larger problem can be achieved on a large-scale test system because the communication overhead is negligible compared with the computing time of the optimization subproblem handled by each computing node.

VII. CONCLUSION
In this paper, the original SCOPF problem is decoupled and divided into smaller subproblems. The subproblems are approximately the same size and optimized in a parallel fashion on distributed nodes. We then presented a practical approach that can solve the large-scale SCOPF problem directly over the encrypted SCOPF problem to guarantee the security and privacy of the system. The privacy-preserving ADMM and gradient projection algorithms were also proposed to support the scheme. The scheme is computationally secure and parallelizable based on the additive homomorphic cryptosystem. The numerical tests on IEEE buses were carried out, which showed that our proposed scheme is less than 2^4 times slower than the non-privacy-preserving method. Moreover, security analysis proves that our scheme can preserve both system confidentiality and data privacy against semi-honest attackers. As a result, the SCOPF problem can be solved by entities with abundant computational resources to achieve better efficiency and economy using our scheme.

Dr. Han has been a 1% highly cited researcher since 2017 according to Web of Science. Dr. Han is also the winner of the 2021 IEEE Kiyo Tomiyasu Award, for outstanding early to mid-career contributions to technologies holding the promise of innovative applications, with the following citation: "for contributions to game theory and distributed management of autonomous communication networks."

VOLUME 4, 2016