Mechanism and Primitive Description
The block-aggregated capacity attestation is the cryptographic mechanism by which a building's installed population of modular-substrate energy-storage blocks is presented to a grid counterparty as a single, dispatch-eligible aggregate resource. Each block, at the time of manufacture, is provisioned with a manufacturer-signed credentialed energy-storage admissibility surface: a structured statement specifying the block's signed nameplate capacity, charge-rate limits, discharge-rate limits, round-trip efficiency curve, and degradation envelope. The surface is bound to the block's hardware identity through a manufacturer-rooted certificate chain, and is exposed at the block's electrical interface through a credential-presentation protocol.
Upon installation, the building electrical system enumerates each connected block, reads each block's admissibility surface, and verifies the manufacturer signature against the manufacturer's published root. The building electrical system then computes the aggregate of the signed scalar capacity values, performing element-wise summation across the population, and constructs an aggregate admissibility surface that represents the union of constituent envelopes. The aggregate surface is signed under the building electrical system's own signing key, which itself derives authority from a building-level certificate provisioned at commissioning.
Critically, the aggregate attestation embeds cryptographic references (content-addressed hashes) to each underlying per-block attestation. The aggregate is therefore not a freestanding claim but a verifiable reduction over a committed set of constituent claims. A counterparty receiving the aggregate can, at any time, request the constituent set and verify that the reduction was performed honestly. The aggregate attestation thus functions both as a presentation primitive (a single signed object representing whole-building capacity) and as an audit primitive (an opening into the per-block manufacturer-signed substrate).
Operating Parameters and Engineering Envelope
The aggregation function is defined over a vector of admissibility-surface parameters rather than a single scalar, because grid-facing dispatch obligations bind not only against gross energy capacity but against rate-limited power capability, state-of-charge windows, and degradation-conservative discharge depth. The building electrical system aggregates each parameter according to its physical composition rule: nameplate energy capacities sum linearly; instantaneous charge and discharge power limits sum linearly within the bounds of the building's interconnection conductor rating; round-trip efficiency aggregates as a capacity-weighted harmonic mean; and the aggregate degradation envelope is computed as the per-block-signed envelope reduced by the most-degraded block's remaining margin.
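The following added example (not part of the disclosure) applies the three composition rules that are fully specified above and shows the counterparty-side audit that recomputes the reduction from the disclosed constituent set. Field names, the JSON hashing and the scalar efficiency value (in place of a curve) are assumptions; signature checks and the degradation envelope are left out.

```python
import hashlib, json, math

# Constructed sample surfaces; field names are assumptions, not a schema from the disclosure.
SAMPLE_BLOCKS = [
    {"id": "blk-A", "energy_kwh": 10, "charge_kw": 5, "discharge_kw": 5, "rte": 0.90},
    {"id": "blk-B", "energy_kwh": 10, "charge_kw": 5, "discharge_kw": 5, "rte": 0.90},
    {"id": "blk-C", "energy_kwh": 20, "charge_kw": 10, "discharge_kw": 10, "rte": 0.80},
]

def digest(obj):
    """Content address: SHA-256 over canonical JSON (assumed encoding)."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def aggregate(blocks, conductor_kw):
    """Reduce per-block surfaces with one composition rule per parameter."""
    energy = sum(b["energy_kwh"] for b in blocks)
    return {
        "energy_kwh": energy,  # nameplate energy sums linearly
        # power limits sum linearly, bounded by the interconnection conductor rating
        "charge_kw": min(sum(b["charge_kw"] for b in blocks), conductor_kw),
        "discharge_kw": min(sum(b["discharge_kw"] for b in blocks), conductor_kw),
        # capacity-weighted harmonic mean of round-trip efficiency
        "rte": energy / sum(b["energy_kwh"] / b["rte"] for b in blocks),
        "constituents": sorted(digest(b) for b in blocks),  # committed set
    }

def audit(agg, disclosed, conductor_kw):
    """Counterparty check; returns a list of findings (empty means consistent)."""
    committed = agg["constituents"]
    if len(set(committed)) != len(committed):
        return ["duplicate constituent hash: a block is counted more than once"]
    if sorted(digest(b) for b in disclosed) != committed:
        return ["disclosed set does not match the committed hashes"]
    expect = aggregate(disclosed, conductor_kw)
    findings = []
    for key in ("energy_kwh", "charge_kw", "discharge_kw", "rte"):
        if not math.isclose(agg[key], expect[key], rel_tol=1e-12):
            findings.append(f"{key}: claimed {agg[key]}, recomputed {expect[key]}")
    return findings
```

The duplicate check matters because a flat sum over hashes would otherwise let one block's credential be listed twice to inflate the aggregate.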
Re-attestation cadence is bounded by two competing requirements. Aggregate attestations must be fresh enough that grid counterparties accept them as representative of present installed state, and must be stable enough that high-frequency dispatch signaling does not require recomputation on every settlement interval. The disclosed envelope contemplates re-attestation triggered by state-change events (block installation, block removal, block fault-flag, manufacturer-signed firmware update), with a maximum staleness ceiling on the order of twenty-four hours absent state change. Each re-attestation increments a monotonic sequence number and references the prior attestation's hash, producing a tamper-evident lineage.
The signing key of the building electrical system is held in tamper-resistant hardware at the electrical panel; key rotation is supported through a manufacturer-anchored re-provisioning path that preserves attestation lineage continuity. Aggregate attestations carry a counterparty-presentable form (compact, suitable for transport over metering protocols) and an audit-presentable form (expanded, including constituent attestation set), with the compact form binding cryptographically to the expanded form.
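As an added illustration (not part of the disclosure), the lineage described above can be checked by a counterparty as a hash chain with a monotonic sequence number and a freshness bound. Record fields, trigger labels and the exact 24-hour value are assumptions; signature verification on each record is omitted.

```python
import hashlib, json

MAX_STALENESS_S = 24 * 3600  # assumption: the "order of twenty-four hours" ceiling, taken as exact

def digest(obj):
    """Content address: SHA-256 over canonical JSON (assumed encoding)."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def reattest(chain, trigger, energy_kwh, issued_at):
    """Append a record that increments the sequence number and cites the prior record's hash."""
    prev = chain[-1] if chain else None
    chain.append({
        "seq": prev["seq"] + 1 if prev else 0,
        "prev": digest(prev) if prev else None,
        "trigger": trigger, "energy_kwh": energy_kwh, "issued_at": issued_at,
    })
    return chain

def check_lineage(chain, now):
    """Return findings for a supplied lineage; an empty list means intact and fresh."""
    if not chain:
        return ["empty lineage"]
    findings = []
    for prev, rec in zip(chain, chain[1:]):
        if rec["seq"] != prev["seq"] + 1:
            findings.append(f"seq {rec['seq']}: sequence gap or rollback")
        if rec["prev"] != digest(prev):
            findings.append(f"seq {rec['seq']}: prior-attestation hash mismatch")
        if rec["issued_at"] - prev["issued_at"] > MAX_STALENESS_S:
            findings.append(f"seq {rec['seq']}: interval exceeded staleness ceiling")
    if now - chain[-1]["issued_at"] > MAX_STALENESS_S:
        findings.append("head attestation is stale")
    return findings

def sample_chain():
    """Constructed history: commissioning, a block installed, a block faulted."""
    chain = []
    reattest(chain, "commissioning", 40, 0)
    reattest(chain, "block_installed", 50, 3600)
    reattest(chain, "block_fault", 40, 7200)
    return chain
```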
Alternative Embodiments
The aggregation primitive admits several embodiments that vary in how the constituent set is committed. A direct embodiment lists each constituent attestation hash as a flat array within the aggregate. A Merkle-tree embodiment commits to the set through a root hash, allowing selective disclosure of individual block credentials without revealing the full population, useful where a counterparty's audit right is bounded to a sample. A vector-commitment embodiment supports succinct membership and update proofs, allowing incremental aggregate updates as blocks are added or removed without full recomputation.
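The Merkle-tree embodiment, as an added example that is not part of the disclosure: the aggregate carries only a root, and a sampled audit discloses one block credential plus its sibling path. The tree shape (unpaired nodes promoted unchanged), the leaf/node domain tags and the credential bytes are assumptions made for illustration.

```python
import hashlib

# Constructed stand-ins for five serialized per-block attestation objects.
CREDENTIALS = [f"block-{i}:energy_kwh=10".encode() for i in range(5)]

def h(tag, data):
    """Domain-separated SHA-256: tag 0x00 for leaves, 0x01 for interior nodes,
    so an interior node can never be presented as a block credential."""
    return hashlib.sha256(tag + data).digest()

def build_levels(credentials):
    """Return every tree level, leaves first; an unpaired node is promoted unchanged."""
    levels = [[h(b"\x00", c) for c in credentials]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(b"\x01", cur[i] + cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Sibling path for the leaf at `index`, as (side, hash) pairs from leaf to root."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling at this level
            proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof

def verify(root, credential, proof):
    """Counterparty check that `credential` is in the set committed to by `root`."""
    node = h(b"\x00", credential)
    for side, sibling in proof:
        node = h(b"\x01", sibling + node) if side == "L" else h(b"\x01", node + sibling)
    return node == root
```

A membership proof shows that a sampled credential belongs to the committed set, not that the summed capacity covers exactly that set; an aggregate using this embodiment would also need to bind the number of leaves.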
The signing authority of the building electrical system may itself be embodied as a single hardware root, as a threshold of independent panel-resident signers (tolerating compromise of a minority), or as a delegation chain rooted in a building-management certificate authority. The aggregation function may be performed continuously, on-demand at counterparty request, or on a scheduled cadence. Embodiments may also nest: a campus-level aggregate may compose building-level aggregates, themselves composed of block-level attestations, producing a recursive trust structure of arbitrary depth.
Composition with Adjacent Primitives
The aggregate attestation composes directly with the pair-settled dispatch primitive disclosed elsewhere in the parent provisional. Grid-facing dispatch instructions bind against the aggregate's signed capability surface, not against any individual block; the building electrical system is responsible for internal allocation of the dispatch obligation across constituent blocks subject to each block's per-credentialed admissibility. This separation allows grid counterparties to contract against a stable aggregate while permitting the building to optimize internal dispatch (load-leveling across blocks, isolating faulted blocks, or rotating duty to equalize degradation) without renegotiating the grid-facing contract.
The aggregate attestation also composes with manufacturer-rooted lineage primitives: each constituent block's admissibility surface itself references the manufacturing-line attestations that produced it, so a counterparty walking the audit chain proceeds from grid contract to building aggregate to per-block credential to manufacturer process attestation. The aggregate is the convergence point at which retail-scale heterogeneous installations become legible to wholesale-scale grid markets.
Prior-Art Distinctions
Existing distributed-energy-resource aggregation schemes typically rely on utility-issued or aggregator-issued capacity certifications, in which a utility or virtual-power-plant operator inspects an installation and issues a capacity rating under its own authority. The trust root in such schemes is the certifying entity; the underlying per-device claims, if signed at all, are not cryptographically composed into the certification. The disclosed primitive differs in that the aggregate carries, by construction, verifiable cryptographic descent from manufacturer-rooted per-block credentials, eliminating the certifier as a trust dependency.
Prior art in cryptographic device attestation (for example, TPM-style platform attestation or supply-chain firmware attestation) addresses the integrity of an individual device's identity and software state, but does not address the composition of multiple device-level attestations into a single resource-economic aggregate suitable for energy-market dispatch. The disclosed primitive's distinguishing feature is its composition rule: a typed reduction over physically meaningful capacity parameters that preserves cryptographic auditability across the reduction.
Existing energy-market metering attestation, where it exists, attests to measured energy delivery ex post, not to capacity admissibility ex ante. The disclosed primitive operates in the ex-ante regime, binding dispatch eligibility before settlement rather than verifying delivery after.
Disclosure Scope
The disclosure of this primitive in Provisional 64/050,895 contemplates the building-electrical-system's role as the aggregating authority, but is not limited to aggregation at the building scope. The same composition rule applies at any scope at which a population of credentialed energy-storage units is to be presented as a single resource: a single panel within a building, a campus across multiple buildings, a fleet of mobile storage units, or a virtual portfolio assembled across geographically distributed sites. The aggregating authority may be the physical electrical infrastructure or a logical operator presenting a portfolio to a counterparty.
The disclosed scope also covers heterogeneous aggregates in which constituent blocks originate from different manufacturers under different root certificates, provided each constituent root is independently verifiable to the counterparty. The aggregate attestation in such embodiments commits to a multi-rooted constituent set, and the verification procedure walks each chain independently. The primitive thereby contemplates an open ecosystem of interoperable storage manufacturers feeding into a common aggregation and dispatch substrate, and is disclosed as the enabling cryptographic primitive for that ecosystem.
Claims arising from this disclosure are intended to cover the composition rule, the cryptographic linkage between aggregate and constituent attestations, the audit-walk verification procedure, and the binding of grid-facing dispatch obligations to the aggregate rather than to constituents. Equivalents that perform the same composition under alternative cryptographic primitives (distinct signature schemes, distinct commitment schemes, distinct certificate-chain structures) are intended within the disclosed scope.
The disclosure further contemplates the primitive's application across the full lifecycle of a building's storage population: at initial commissioning, when the aggregate is first computed; at incremental capacity additions, when a new block joins the population and the aggregate is updated by re-signing rather than recomputing from scratch; at decommissioning of individual blocks, when the aggregate is reduced; at warranty events, where the audit walk to manufacturer attestation provides the evidentiary basis for warranty claims; and at end-of-life retirement of the building system, when the aggregate's terminal state is signed and archived as part of the building's storage history. The cryptographic continuity across these lifecycle events is itself within the disclosed scope, since lineage continuity is what permits a counterparty entering a contract mid-life to reason about the population's history without requiring contemporaneous trust in any prior operator.
Equivalents in scope further include aggregations performed against admissibility surfaces of differing dimensional schemas (where manufacturers expose differing parameter sets, the aggregation reduces to the common subset and signs the reduction), aggregations across mixed storage technologies (where the common admissibility-surface schema permits composition of blocks employing different underlying chemistries), and aggregations performed by intermediating logical agents that do not themselves possess physical electrical interconnection but operate on attestation objects exchanged through standardized protocols.