- Published in: IEEE Conference on Decision and Control 2018
- Authors: Jung Hee Cheon, Kyoohyung Han, Hyuntae Kim, Junsoo Kim, Hyungbo Shim
- Abstract: Encryption of feedback controller based on homomorphic encryption techniques allows control operation on encrypted sensor measurements, to protect data secrecy of networked control systems. In this paper, we first revisit the fact that an encrypted dynamic controller based on partially homomorphic cryptosystems cannot operate for infinite time horizon in general due to the problem of the size of encrypted controller state. Then, it is highlighted that an encrypted LTI controller can operate for infinite time horizon when the denominator of its transfer function is a monic polynomial with integer coefficients. In this case, it does not utilize bootstrapping techniques from fully homomorphic encryption for resizing the controller state, and it does not assume the decryption of controller state from time to time. In this respect, we discuss potential benefits of using PID controllers and FIR filters. Then, we introduce a way how to approximately convert controllers having non-integer coefficients to have integer coefficients without losing stability.
Slides used in the presentation:
Conventional control system protected by cryptography encrypt and decrypt signals sent and received to the controller. Therefore, there was a problem with having to keep the secret key inside the controller. This means that the attacker could hack the controller to reveal the secret key.
To solve this problem, there was a way to calculate the signal sent and received by the controller in an encrypted state rather than decode it. However, for this purpose, the arithmetic operation must be done in encrypted state. These cryptosystems are called homomorphic encryption scheme.
Homomorphic cryptosystem
The cryptosystem consists of four elements: \(\textsf{P}\) is a plaintext space, \( \textsf{C}\) is a ciphertext space, \( \textsf{SK}\) is a secret key, an encryption function, and a decryption function. In particular, the learning with error (LWE) encryption scheme used in our lab has the p-modulus integer scalar plaintext space, q-modulus integer vector ciphertext space, q-modulus integer vector secret key, and the encryption, decryption functions follow the particular characteristics. (can be checked on page 4 of the presentation)
LWE encryption scheme is a homomorphic cryptosystem. A homomorphic cryptosystem is a cryptosystem that follows the following characteristics:
where \(*_C\) is a binary operation on plaintext space and \(*_P\) is a binary operation on ciphertext space. This means that the operation on ciphertext space has the same result with encryption of operation between plaintext space. There is an example of an LWE:
This means that the LWE scheme is additionally homomorphic encryption scheme, and in fact, it is also homomorphic on multiplication, but it is omitted because of complexity.
The short history of a homomorphic cryptosystem is as follows:
This concept was first proposed in Rivest’s paper in 1978. Then, a partially homomorphic cryptosystem was proposed in El-Gamal’s paper and Paillier’s paper. Finally, a fully homomorphic cryptosystem was proposed in Gentry’s paper.
With this history, the first paper of the encrypted controller was proposed in Kogiso and Fujita’s paper by using El-Gamal’s method. And then, Farokhi used Paillier’s method, and Kim used Gentry’s method.
Problem of encrypted controller
There are many problems in encrypted controller because of this short history. Application of homomorphic encryption to feedback control is not yet mature, not ready for real-time streaming data, and there are many issues. One of the critical issues in all previous results is that the arithmetic operations on ciphertexts for non-integer real numbers can be done only a finite number of times.
Let’s see more details of this problem. First, a non-integer real number can be handled by the “floating point” idea that maintains two variables for mantissa and exponent. Second, Floating-point arithmetic can discard the least significant bits (LSB) of mantissa.
For example, if we multiply these two floating-point numbers, we need to discard this red number. Finally, it is impossible to perform an infinite number of discarding LSB of mantissa on ciphertexts. This means an explosion of mantissa happens for repeated operations.
How to avoid an explosion of the mantissa problem?
First, if the operation is not recursive, scaling is enough: For example, in the case of static feedback \( u = gy \) with \(g = 1.2 \) and \(y = 3.4 \) do the following:
with \({S_{\textsf{M}}} = {S_{\textsf{y}}} = 10\),
This idea is also used in static feedback or FIR filters.
Second, if the operation is recursive like in a dynamic controller, then the scaling doesn’t help when \(A\) is non-integer. Let’s think about the simple case with \(B = 0\) and \(x(0)\) is integer.
Also, note that rounding of \(A\) may not be a solution. Because \(P(z) = \frac{2.4}{z+1.4}\) is stable with the controller \(C(z) = \frac{1}{z-1.01} \) but not with \(C(z) = \frac{1}{z-1} \).
Dynamic controller with \(A\) having integer elements can be performed infinite times as
and
We can clearly make a theorem that arithmetic operation in a dynamic controller with \(A\) having integer elements can be performed infinite times under closed-loop stability.
What if the matrix \(A\) is non-integer?
The first observation is that if coefficients of controller’s denominator are integer, then it has a realization as in presentation that has integer elements of \(A\). Therefore, if the coefficients are non-integers, we try to find a high order approximation that preserves closed-loop stability. Finally, we change this problem as an optimization problem.
With this approximated integer controller, if the minimum is sufficiently small, the stability of the closed-loop is preserved with an approximated integer controller. There is a simulation result with the plant and controller. Also, an approximated integer controller has a similar performance with nominal controller and can done infinite number of operations.
Related Posts
- “Toward a Secure Drone System: Flying with Real-time Homomorphic Authenticated Encryption”
- Article published: Comparison of encrypted control approaches and tutorial on dynamic systems using Learning With Errors-based homomorphic encryption
- Dynamic Controller that Operates over Homomorphically Encrypted Data for Infinite Time Horizon
- “Detection of Sensor Attack and Resilient State Estimation for Uniformly Observable Nonlinear Systems having Redundant Sensors”
- Weighted Averaged Behavior of Synchronization among Heterogeneous Agents in a Sampled data Setting
Comments are closed.