Need for Controllers having Integer Coefficients in Homomorphically Encrypted Dynamic System

Slides used in the presentation:

Need for Controllers having Integer Coefficients in Homomorphically Encrypted Dynamic System from CDSL_at_SNU

Conventional control system protected by cryptography encrypt and decrypt signals sent and received to the controller. Therefore, there was a problem with having to keep the secret key inside the controller. This means that the attacker could hack the controller to reveal the secret key.

To solve this problem, there was a way to calculate the signal sent and received by the controller in an encrypted state rather than decode it. However, for this purpose, the arithmetic operation must be done in encrypted state. These cryptosystems are called homomorphic encryption scheme.

Homomorphic cryptosystem

The cryptosystem consists of four elements: \(\textsf{P}\) is a plaintext space, \( \textsf{C}\) is a ciphertext space, \( \textsf{SK}\) is a secret key, an encryption function, and a decryption function. In particular, the learning with error (LWE) encryption scheme used in our lab has the p-modulus integer scalar plaintext space, q-modulus integer vector ciphertext space, q-modulus integer vector secret key, and the encryption, decryption functions follow the particular characteristics. (can be checked on page 4 of the presentation)

LWE encryption scheme is a homomorphic cryptosystem. A homomorphic cryptosystem is a cryptosystem that follows the following characteristics:

where \(*_C\) is a binary operation on plaintext space and \(*_P\) is a binary operation on ciphertext space. This means that the operation on ciphertext space has the same result with encryption of operation between plaintext space. There is an example of an LWE:

This means that the LWE scheme is additionally homomorphic encryption scheme, and in fact, it is also homomorphic on multiplication, but it is omitted because of complexity.

The short history of a homomorphic cryptosystem is as follows:

This concept was first proposed in Rivest’s paper in 1978. Then, a partially homomorphic cryptosystem was proposed in El-Gamal’s paper and Paillier’s paper. Finally, a fully homomorphic cryptosystem was proposed in Gentry’s paper.
With this history, the first paper of the encrypted controller was proposed in Kogiso and Fujita’s paper by using El-Gamal’s method. And then, Farokhi used Paillier’s method, and Kim used Gentry’s method.

Problem of encrypted controller

There are many problems in encrypted controller because of this short history. Application of homomorphic encryption to feedback control is not yet mature, not ready for real-time streaming data, and there are many issues. One of the critical issues in all previous results is that the arithmetic operations on ciphertexts for non-integer real numbers can be done only a finite number of times.

Let’s see more details of this problem. First, a non-integer real number can be handled by the “floating point” idea that maintains two variables for mantissa and exponent. Second, Floating-point arithmetic can discard the least significant bits (LSB) of mantissa.

For example, if we multiply these two floating-point numbers, we need to discard this red number. Finally, it is impossible to perform an infinite number of discarding LSB of mantissa on ciphertexts. This means an explosion of mantissa happens for repeated operations.

How to avoid an explosion of the mantissa problem?
First, if the operation is not recursive, scaling is enough: For example, in the case of static feedback \( u = gy \) with \(g = 1.2 \) and \(y = 3.4 \) do the following:

with \({S_{\textsf{M}}} = {S_{\textsf{y}}} = 10\),

This idea is also used in static feedback or FIR filters.

Second, if the operation is recursive like in a dynamic controller, then the scaling doesn’t help when \(A\) is non-integer. Let’s think about the simple case with \(B = 0\) and \(x(0)\) is integer.

Also, note that rounding of \(A\) may not be a solution. Because \(P(z) = \frac{2.4}{z+1.4}\) is stable with the controller \(C(z) = \frac{1}{z-1.01} \) but not with \(C(z) = \frac{1}{z-1} \).

Dynamic controller with \(A\) having integer elements can be performed infinite times as

and

We can clearly make a theorem that arithmetic operation in a dynamic controller with \(A\) having integer elements can be performed infinite times under closed-loop stability.

What if the matrix \(A\) is non-integer?
The first observation is that if coefficients of controller’s denominator are integer, then it has a realization as in presentation that has integer elements of \(A\). Therefore, if the coefficients are non-integers, we try to find a high order approximation that preserves closed-loop stability. Finally, we change this problem as an optimization problem.

With this approximated integer controller, if the minimum is sufficiently small, the stability of the closed-loop is preserved with an approximated integer controller. There is a simulation result with the plant and controller. Also, an approximated integer controller has a similar performance with nominal controller and can done infinite number of operations.