Encrypted Control System with Quantizer

This paper considers the design of encrypted control systems to secure data privacy when the control systems operate over a network. In particular, we propose to combine the Paillier cryptosystem with a quantizer whose sensitivity changes with the evolution of the system. This allows the encrypted control system to balance cipher strength against processing time. Such an ability is essential for control systems that are expected to run in real time. It also allows the closed-loop system to achieve asymptotic stability for linear systems. Extensions to event-triggered control and nonlinear control systems are also discussed.


I. INTRODUCTION
Networked control systems are ubiquitous [1]- [4]. The use of networks has not only reduced the deployment cost and increased the flexibility of control systems, but also allowed the systems to outsource computations of control inputs to a cloud controller when a plant does not have sufficient computational resources [5], [6]. However, this raises new privacy and security concerns; plants may want to protect the privacy of the sampled data because the cloud controller is not trustworthy, and communication networks may be vulnerable to cyber-attacks [1].
One approach to protect privacy is to use "differential privacy" [7]. Differential privacy adds noise to the data so that the contribution of a specific agent is hidden without changing the solution to the problem significantly. Although differential privacy is a relatively new notion, it has found applications in a variety of networked systems including systems and controls [8]- [10].
Another approach is to use "encryptions". "Encrypted control system" is a control architecture in which the controller computes the control input using encrypted sampled data without decrypting them. As the controller does not require a private key for decryption, encrypted control systems can not only protect the privacy of the plant data from the controller, but also enhance the cyber-security. The idea of encrypted control system was first proposed based on public-key RSA [11] and ElGamal [12] cryptosystems in [13]. Subsequently, an encrypted control system with Paillier cryptosystem [14] was considered in [15], and a solution approach to quadratic optimization with Paillier cryptosystem was proposed in [16].
This paper proposes encrypted control architectures using the Paillier cryptosystem [14] combined with quantizers. As in [13], the proposed architectures do not require the controller to have private keys to compute the control inputs. The main contribution of this paper is to propose the augmentation of quantizers whose sensitivity changes while the system evolves. The quantizers are applied to real-valued sampled data and map them to integers in $[-q_{\rm sat}, q_{\rm sat}]$ for a fixed saturation value $q_{\rm sat}$. Thus, the plaintext space (key length) may be kept small by choosing a small $q_{\rm sat}$, which allows us to balance cipher strength against control performance (sampling time). This is essential for control systems that require real-time computation of control inputs. Moreover, the use of quantizers eliminates the fixed-point arithmetic analysis of [15] needed to guarantee stability, and allows the linear system to achieve asymptotic stability. Other contributions include extensions to event-triggered control and nonlinear control systems. In particular, this is the first study to consider the construction of an encrypted nonlinear control system.

M. Kishida is with the National Institute of Informatics, 2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo 101-8430, Japan (phone: +81-3-4212-2231, email: kishida@nii.ac.jp).
The rest of the paper is organized as follows. Section II provides the mathematical preliminaries and the operation rules for encrypted data (ciphertext). An encrypted linear state-feedback control is presented in Section III, which is extended to event-triggered control in Section IV and to nonlinear control in Section V. Finally, the paper is concluded in Section VI.

A. Notation
The sets of real numbers and integers are denoted by $\mathbb{R}$ and $\mathbb{Z}$, respectively. The set of vectors of length $n$ is denoted by $\mathbb{R}^n$ and the set of matrices of size $n$ by $m$ is denoted by $\mathbb{R}^{n \times m}$. The greatest common divisor and the least common multiple of $a, b \in \mathbb{Z} \setminus \{0\}$ are denoted by $\gcd(a, b)$ and $\operatorname{lcm}(a, b)$, respectively. We define the sets of integers $\mathbb{Z}_n := \{z \in \mathbb{Z} : 0 \le z < n\}$ and $\mathbb{Z}_n^* := \{z \in \mathbb{Z}_n : \gcd(z, n) = 1\}$. For a vector $v \in \mathbb{R}^n$, the $i$th element of $v$ is denoted by $v_i$, and the Euclidean norm is denoted by $\|v\|$. For a matrix $M \in \mathbb{R}^{n \times n}$, the $(i, j)$th element of $M$ is denoted by $m_{ij}$, and the induced 2-norm and the Frobenius norm are denoted by $\|M\|$ and $\|M\|_F$, respectively. The maximum and minimum eigenvalues of a symmetric matrix $M = M^T$ are denoted by $\lambda_{\max}(M)$ and $\lambda_{\min}(M)$, respectively. The floor function is denoted by $\lfloor x \rfloor := \max\{k \in \mathbb{Z} : k < x\}$.

B. Quantizer
The Paillier cryptosystem operates on messages that are nonnegative integers (plaintext). However, control theory usually deals with real-valued data. In order to map the data to nonnegative integers, we use quantizers.
arXiv:1807.06717v1 [cs.SY] 18 Jul 2018

For a positive integer $q_{\rm sat}$ and a positive real number $\Delta$, a quantizer $q_\Delta : \mathbb{R} \to \mathbb{Z}$ is given by [17] $q_\Delta(x) :=$ where $\Delta$ is the sensitivity of the quantizer and $q_{\rm sat}$ is the saturation value of the quantizer. As shorthand notation, we define With an abuse of notation, we write $v_q := q_\Delta(v) \in \mathbb{R}^n$ and $M_q := q_\Delta(M) \in \mathbb{R}^{n \times m}$ to denote element-wise quantization with $\Delta$ for a vector $v$ and a matrix $M$, and define $\bar v$, $\tilde v$, $\bar M$ and $\tilde M$ similarly to (2). Then,

C. Paillier cryptosystem
An overview of the Paillier cryptosystem [14] is given below.
1) Encryption scheme:
• Key generation:
- Choose two large prime numbers $p$ and $q$ randomly and independently of each other such that $\gcd(pq, (p-1)(q-1)) = 1$.
- Generate the public key: $N = pq$, and $g \in \mathbb{Z}^*_{N^2}$ such that the order of $g$ is a multiple of $N$.
- Generate the private key: $\lambda = \operatorname{lcm}(p-1, q-1)$.
• Encryption (P-encryptor): Given a message $m \in \mathbb{Z}_N$,
- Compute the ciphertext $c = g^m \cdot r^N \bmod N^2$ with a random integer $r \in \mathbb{Z}^*_N$.
• Decryption (P-decryptor): Given a ciphertext $c < N^2$,
- Compute the message:
We denote the Paillier encryption of the message $m$ by $E_P(m)$, and the decryption of the ciphertext $c$ by $D_P(c)$.
2) Encryption properties: The Paillier cryptosystem allows us to add two encrypted values with the addition operator $\oplus$ and to multiply an encrypted value by a plaintext with the multiplication operator $\otimes$. Namely, for $m, m_i \in \mathbb{Z}_N$, it holds that therefore,

D. Multiplicative blinding using a random number (r-encryptor/r-decryptor)
To perform computations that cannot be carried out on Paillier-encrypted values $E_P(m)$, we must offload them. To avoid direct access to the message, as is often done, we "obfuscate" the message $m$ by multiplying it by a random number $r \in \mathbb{Z}_{r_{\max}}$ for some $r_{\max} \in \mathbb{Z} \setminus \{0\}$ to obtain $E_r(m) := rm$ (multiplicative blinding [18]). The inverse operation is denoted by $D_r(c) := c/r$.

E. Matrix-vector multiplication
The element-wise encryptions of a vector $v$ and a matrix $M$ are denoted by $E_P(v)$ and $E_P(M)$, respectively, and the corresponding element-wise decryptions are denoted by With this notation, for $b_i \in \mathbb{Z}_N$, observe that Therefore, for If $r \in \mathbb{Z}_N$ and each element of $rAb$ is in $\mathbb{Z}_N$, we have

F. Remarks between quantizer and encryptor
After mapping a real number to an integer using the quantizer, we need to convert this integer to an element of $\mathbb{Z}_N$. As Paillier arithmetic is modulo $N$, we may take the convention that a number $x < N/3$ is positive and that a number $x > 2N/3$ is negative. The range $N/3 < x < 2N/3$ allows for overflow detection [19]. We include this mapping from an integer to a nonnegative integer in the encryption step, i.e., we use $E_P(x)$ to denote the Paillier encryption of $x \bmod N$. Similarly, we use $D_P(x)$ to denote the Paillier decryption of $x$ followed by subtraction of $N$ if the Paillier decryption yields a value greater than $N/2$.

III. ENCRYPTED STATE-FEEDBACK CONTROL
In this section, we present an encrypted linear state-feedback control system that achieves asymptotic stability.
Consider the discrete-time linear system where $x[t] \in \mathbb{R}^{n_x}$ is the system state and $u[t] \in \mathbb{R}^{n_u}$ is the control input. Suppose that $(A, B)$ is controllable and $K \in \mathbb{R}^{n_u \times n_x}$ is found such that $A - BK$ is Schur, i.e., all eigenvalues of $A - BK$ lie inside the unit circle in the complex plane. Then, the system (11) is stabilized by the state-feedback control
Problem: Design an encrypted control system for (11)-(12) that achieves asymptotic stability while protecting the privacy of the sampled data $x[t]$ and the controller gain $K$ from the controller.
In the following subsections, the overall control design is presented, followed by the analysis and design of quantizers.

A. Overview of encryption architecture
The proposed architecture consists of a plant node and a controller node, between which no information from which the values of $x_q[t]$ and $K_q$ can be identified is exchanged (Figure 1). In order to encrypt the sampled data $x[t]$ and the gain $K$, there are two quantizers in the system: the one for $x[t]$ has a time-varying sensitivity $\Delta[t]$ and the one for $K$ has a constant sensitivity $\Delta_g$, and both quantizers are designed not to saturate. The role of each node is summarized below (P and C denote the plant and controller nodes, respectively):
P: Quantizes the gain $K$ to $K_q$, obfuscates $K_q$ to $E_r(K_q)$, and then sends $E_r(K_q)$ to the controller node.
P: Quantizes the sampled state to the controller node at every sampling time after some time $t_0$. Sends $E_P(0)$ to the controller node at every sampling time before $t_0$. (The time instance $t_0$ is determined in III-B.2.)
C: Upon receiving the obfuscated/encrypted scaled data $E_r(K_q)$ and $E_P(x_q[t])$, computes the encrypted scaled control inputs $E_P(E_r(u_q[t]))$ for $u_q[t] = K_q x_q[t]$, and sends $E_P(E_r(u_q[t]))$ to the plant node.
P: Upon receiving the encrypted scaled control inputs
P: Scales $u_q[t]$ to obtain $u[t] = u_q[t] \Delta_g \Delta[t]$ using the sensitivities $\Delta_g$ and $\Delta[t]$ and applies it to the plant.
Note that the controller uses the encrypted data of the quantizer output (scaled approximations). This means that the data sent and received among the three nodes are encryptions of integers between $-q_{\rm sat}$ and $q_{\rm sat}$. Thus, there are no fractional bits, which renders multiplication easy [15].
This architecture preserves the privacy of the plant state $x[t]$ ($x_q[t]$) and the controller gain $K$ ($K_q$) from the controller node because the controller knows neither the private key nor the value of $r$. Thus, if the quantizers are designed such that the closed loop achieves asymptotic stability, then the overall encrypted control system achieves asymptotic stability while protecting the privacy of $x[t]$ and $K$, in the sense that the controller node can access only encrypted data of $x[t]$ and $K$.
Remark 1:
• When generating the public key, $p$ and $q$ are chosen such that $N$ for the cryptosystem satisfies $N > 3(q_{\rm sat} + 1/2)(q_{{\rm sat},g} + 1/2)\, n_x\, r_{\max}$, where $q_{\rm sat}$ and $q_{{\rm sat},g}$ are the saturation values of the quantizers for the states and the controller gain, respectively, determined in the next subsection. This guarantees that the elements of $rK_q x_q \bmod N$ are uniquely determined for each $rK_q x_q$ and vice versa. Recalling the notation for $E_P$ and $D_P$ in Section II-F and (10), for we have $D_r(D_P(E_P(E_r(u_q)))) = \frac{1}{r} D_P(E_P(rK_q x_q)) = K_q x_q$. Similar assumptions on $N$ are posed in later sections.
• The sensitivity of the quantizer for $K$ can be time-varying. For example, it can be synchronized with the sensitivity of the quantizer in the plant node as long as (16) is satisfied.
• The quantization and encryption of $K$ are required only once, but can be repeated using a different random number at every sampling time.
Remark 2: Strictly speaking, the quantization and encryption of the state $x[t]$ are performed at the sensor, which differs from where the quantization and encryption of the gain $K$ are performed. Similarly, decryption and scaling to obtain the control input $u[t]$ are performed at the actuator. These are combined in the plant node to indicate that they share keys and quantizers.
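The following is an added, self-contained Python example (not code from the paper) of the exchange described in Sections II-C to II-F and III-A: a toy Paillier key pair, the signed encoding of Section II-F with the overflow band, the operators $\oplus$ and $\otimes$, multiplicative blinding of $K_q$, and one sampling step in which the controller computes $E_P(E_r(u_q[t]))$ for $u_q[t] = K_q x_q[t]$ without a private key, after which the plant node decrypts, unblinds and rescales. The quantizer is assumed to be round-to-nearest with saturation at $\pm q_{\rm sat}$ (the page does not reproduce its definition), the decryption formula and the choice $g = N + 1$ are the standard Paillier ones rather than anything the page states, and the primes, gains and states are constructed sample values; the same blinded inner product is the $\mathbf{k}_q^T \mathbf{x}_q$ form used in Section V.

```python
import math
import secrets


def paillier_keygen(p, q):
    """Key generation as in Section II-C. p and q are passed in so the run is
    reproducible; the primes used below are toy-sized, not a secure key length."""
    assert math.gcd(p * q, (p - 1) * (q - 1)) == 1
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1  # element of Z*_{N^2} whose order is a multiple of N (standard choice)
    n2 = n * n
    # mu = L(g^lambda mod N^2)^{-1} mod N with L(x) = (x-1)/N: the standard Paillier
    # decryption constant (assumed here; the page does not reproduce the formula).
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, x):
    """E_P(x): encode the signed integer x as x mod N (Section II-F), then
    c = g^m * r^N mod N^2 with a random r in Z*_N."""
    n, g = pub
    n2 = n * n
    m = x % n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """D_P(c): Paillier decryption, then the signed decoding of Section II-F: values
    below N/3 are positive, above 2N/3 negative, and the middle third is an overflow
    that is reported instead of being silently mis-decoded."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    m = (((pow(c, lam, n2) - 1) // n) * mu) % n
    if 3 * m < n:
        return m
    if 3 * m > 2 * n:
        return m - n
    raise OverflowError("plaintext fell in the overflow-detection band (N/3, 2N/3)")


def hom_add(pub, c1, c2):
    """c1 (+) c2: multiplying ciphertexts adds the plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def hom_mul(pub, c, k):
    """c (x) k: raising a ciphertext to an integer power multiplies the plaintext by k.
    A negative k is reduced mod N, consistent with the signed encoding."""
    n, _ = pub
    return pow(c, k % n, n * n)


def quantize(value, delta, q_sat):
    """Round-to-nearest quantizer with sensitivity delta saturating at +-q_sat
    (assumed form of q_Delta; the page's own definition is not reproduced here)."""
    return max(-q_sat, min(q_sat, round(value / delta)))


def controller_node(pub, enc_x_q, blinded_K_q):
    """C: for each row i computes E_P(E_r(u_q))_i = (+)_j E_P(x_q[j]) (x) (r K_q[i][j]).
    It holds only ciphertexts and the blinded gain r*K_q, and no private key."""
    enc_u = []
    for row in blinded_K_q:
        acc = encrypt(pub, 0)  # accumulator starts at E_P(0)
        for c, k in zip(enc_x_q, row):
            acc = hom_add(pub, acc, hom_mul(pub, c, k))
        enc_u.append(acc)
    return enc_u


def plant_step(pub, priv, x, K, delta_t, delta_g, q_sat, q_sat_g, r_max):
    """One sampling step of the plant node P of Section III-A: quantize, blind K_q,
    encrypt x_q, obtain E_P(E_r(u_q)) from the controller, decrypt, unblind, rescale."""
    n, _ = pub
    n_x = len(x)
    # Remark 1: N > 3 (q_sat + 1/2)(q_sat,g + 1/2) n_x r_max, so that r K_q x_q mod N
    # identifies r K_q x_q uniquely.
    assert n > 3 * (q_sat + 0.5) * (q_sat_g + 0.5) * n_x * r_max
    x_q = [quantize(xi, delta_t, q_sat) for xi in x]
    K_q = [[quantize(k, delta_g, q_sat_g) for k in row] for row in K]
    r = secrets.randbelow(r_max - 1) + 1                  # r in Z_{r_max} \ {0}
    blinded_K_q = [[r * k for k in row] for row in K_q]   # E_r(K_q) = r K_q
    enc_x_q = [encrypt(pub, xi) for xi in x_q]            # E_P(x_q[t])
    enc_u = controller_node(pub, enc_x_q, blinded_K_q)    # E_P(E_r(u_q[t]))
    u_q = []
    for c in enc_u:
        ru = decrypt(pub, priv, c)                         # E_r(u_q) = r K_q x_q
        assert ru % r == 0                                 # blinding divides out exactly
        u_q.append(ru // r)                                # D_r: divide by r
    u = [uq * delta_g * delta_t for uq in u_q]             # rescale by both sensitivities
    return {"x_q": x_q, "K_q": K_q, "u_q": u_q, "u": u}


if __name__ == "__main__":
    pub, priv = paillier_keygen(10007, 10009)  # constructed toy primes
    print(plant_step(pub, priv, [4.2, -3.7], [[0.5, 1.0]], 0.5, 1 / 16, 15, 31, 100))
```

With these sample values the plant sends $x_q = [8, -7]$ and the blinded gain $r[8, 16]$; the controller returns an encryption of $-48r$, which the plant decrypts, divides by $r$ and scales by $\Delta_g \Delta[t] = 1/32$ to obtain $u = -1.5$. The assertion on $N$ is the check from Remark 1 that keeps $rK_q x_q$ below the positive third of $\mathbb{Z}_N$, and `decrypt` raises on a value in the middle band rather than returning a wrong sign.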

B. Quantizer design
To analyze the effect of quantization in the design of quantizers, consider the system in Fig. 1 without encryptors and decryptors. The quantized closed-loop system for (11)-(12) is
1) Quantizer for the gain: Let us first determine the sensitivity $\Delta_g$ of the quantizer for the gain $K$.
As $A - BK$ is Schur, for any given $Q = Q^T > 0$ there exists $P = P^T > 0$ such that It is guaranteed that $A - BK$ is Schur if Therefore, after some computations using (4), the sensitivity $\Delta_g$ is chosen to satisfy for any $Q = Q^T > 0$ of the designer's choice and the corresponding $P$ satisfying (14), with $\varepsilon > 0$.
Once the sensitivity is determined, the saturation value $q_{{\rm sat},g}$ is selected such that the elements of $K$ are not truncated, i.e., To simplify the notation, once the quantizer is determined and the gain is quantized to $\bar K = K_q \Delta_g$, we choose $\bar Q = \bar Q^T > 0$ and find $\bar P = \bar P^T > 0$ that solves We use this $\bar P$ and $\bar Q$ to design the quantizer for the states.
2) Quantizer for the states: The design of quantizer for the states follows the approach proposed in [17]. Due to space limitation, we only present the summary of the quantizer and interested readers are referred to the cited reference.
The employed quantizer uses a constant saturation level $q_{\rm sat}$ and a time-varying sensitivity given by where $\Delta_0 = \|A\|^{2t_0}$, $\Omega$ is a scaling factor and $t_i$ are the time instances of sensitivity updates. Thus, the sensitivity decreases by the factor $\Omega$ at every update. The scaling factor is given by where and the parameters $\varepsilon > 0$ and $q_{\rm sat} \ge 1$ are chosen such that $\Omega \in (0, 1)$. The time instances $t_i$ are given by By construction, it holds that and this quantizer guarantees that These quantizers lead to asymptotic stability of the closed-loop system because the rule for sensitivity updates (19) implies $\Delta[t] \to 0$ as $t \to \infty$, and (25) implies that $x[t]$ approaches $0$ as $\Delta[t] \to 0$.
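As an added example (not the paper's code), the following Python simulates the quantized closed loop of Section III-B without encryptors and decryptors, for a scalar plant $x[t+1] = a x[t] + b u[t]$ with $u[t] = -k_q\, q_{\Delta[t]}(x[t])\, \Delta_g \Delta[t]$ and a saturating quantizer of the form introduced in Section II-B. The zoom-in rule is this example's own assumption, not the paper's (19)-(23): whenever the quantized state satisfies $|x_q[t]| \le \theta$, the sensitivity is multiplied by $\Omega$. The quantizer is assumed to be round-to-nearest with saturation at $\pm q_{\rm sat}$, and $a$, $b$, $k$, $x[0]$ and the quantizer parameters are constructed sample values.

```python
def quantize(value, delta, q_sat):
    """q_Delta with saturation at +-q_sat (assumed round-to-nearest form)."""
    return max(-q_sat, min(q_sat, round(value / delta)))


def simulate_zooming_loop(a, b, k, x0, delta0, q_sat, delta_g, q_sat_g,
                          omega, theta, steps):
    """Quantized closed loop x[t+1] = a x[t] + b u[t] with
    u[t] = -k_q * q_Delta[t](x[t]) * Delta_g * Delta[t], no encryption in the loop.
    Assumed zoom-in rule (this example's, not the page's): if |x_q[t]| <= theta,
    then Delta[t+1] = omega * Delta[t]; the saturation level q_sat never changes,
    so every integer sent around the loop stays in [-q_sat, q_sat]."""
    assert abs(a - b * k) < 1, "scalar Schur condition |a - b k| < 1"
    assert abs(k / delta_g) <= q_sat_g - 0.5, "gain quantizer must not truncate k"
    k_q = quantize(k, delta_g, q_sat_g)      # constant-sensitivity quantizer for the gain
    x, delta = x0, delta0
    saturated = False
    max_abs_xq = 0
    zooms = 0
    for _ in range(steps):
        if abs(x / delta) > q_sat + 0.5:
            saturated = True                 # state left the quantizer's range
        x_q = quantize(x, delta, q_sat)      # integer sent to the controller
        max_abs_xq = max(max_abs_xq, abs(x_q))
        u = -k_q * x_q * delta_g * delta     # u_q = k_q x_q rescaled by both sensitivities
        x = a * x + b * u
        if abs(x_q) <= theta:                # zoom in: finer sensitivity, same q_sat
            delta *= omega
            zooms += 1
    return {"x": x, "delta": delta, "saturated": saturated,
            "max_abs_xq": max_abs_xq, "zooms": zooms}


if __name__ == "__main__":
    # Constructed sample: a = 1.5, b = 1, k = 1.25 gives a - b k = 0.25 (Schur).
    print(simulate_zooming_loop(a=1.5, b=1.0, k=1.25, x0=10.3, delta0=1.0,
                                q_sat=15, delta_g=0.25, q_sat_g=7,
                                omega=0.5, theta=7, steps=40))
```

For the sample parameters, $|x[t+1]| \le 0.25\,|x[t]| + 0.625\,\Delta[t]$, so once the state is inside the quantizer's range it never saturates; after the first step the quantized state stays within $\pm 7$, the sensitivity halves at every step, and $|x[t]|$ is bounded by $2.5\,\Delta[t]$, which is the asymptotic convergence the section describes while the plaintext never needs more than a 4-bit magnitude plus sign.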

IV. EXTENSION TO EVENT-TRIGGERED CONTROL
This section presents how to augment an event-triggered control scheme to the encrypted control law developed in Section III to save communications and actuator updates. Event-triggered control takes samples of the plant state at every time instance and updates the control input only when specified conditions are satisfied [20].
Problem: Design an event-triggered encrypted control system for (11)-(12) that achieves the asymptotic stability while protecting the privacy of the sampled data x[t] and the controller gain K from the controller.
We propose to augment an event-trigger architecture to the plant node. More specifically, we implement the event-trigger mechanism between the plant and the quantizer in the plant node. This way, the sampled data is quantized, encrypted and sent to the controller only when an event-trigger condition is met. In the following, the event-trigger condition is designed.
The event-triggered control system is given by where $t^{(i)}$, $i = 1, 2, \dots$, are the time instances of the control updates, and $x[t^{(i)}]$ Using a Lyapunov function where . This Lyapunov function decreases outside the ball $\{x : \|x\| \le 2\Theta e\}$, where $\Theta$ is in (22). Thus, an event-trigger condition can be set as When the event-trigger condition is satisfied, check whether the quantizer needs to be updated, and update it if necessary using (23). The rest of the analysis is the same as in Section III and [17], because the event-trigger condition (27) guarantees the decrease of the Lyapunov function on which the analysis is based. This is a straightforward extension of well-known results because the plant node knows both $x[t^{(i)}]$ and $x[t]$.
Remark 3: It is also possible to augment an event-trigger architecture to the controller node rather than the plant node. However, in order to do this, it is needed to add another node that communicates with the controller and checks the satisfaction of the event-triggered condition.

V. EXTENSION TO NONLINEAR SYSTEMS
This section extends the approach in Section III to a simple nonlinear system using feedback linearization [21].
Consider the scalar nonlinear system where $x[t] \in \mathbb{R}$ is the system state and $u[t] \in \mathbb{R}$ is the control input. Assume that $ab \ne 0$. The feedback linearization uses the control input , yielding If $k \in \mathbb{R}$ such that $|a - bk| < 1$ is selected, then the system (29) is stabilized by $v[t] = kx[t]$, and (28) is stabilized by
Problem: Design an encrypted control system for (28) using (30) that achieves practical stability while protecting the privacy of the sampled data $x[t]$ on a bounded set $X := [x_{\min}, x_{\max}]$ from the controller.
The system is said to be practically stable if, for given $c_1$ and $c_2$ with $0 < c_1 < c_2$, $|x[0]| < c_1$ implies $|x[t]| < c_2$ for all $t \ge \bar t$ for some $\bar t > 0$ [22]. The reason for requiring practical stability instead of asymptotic stability will become clear in the rest of this section.

A. Function approximation
In order to compute the control input using encrypted data for $x[t]$, we first approximate the nonlinear function $\alpha(x[t])$ using quantized values. By the Weierstrass approximation theorem [23], for any $\varepsilon_1 > 0$ there exist $p$ and $c_j$ such that With a quantizer of sensitivity $\Delta$, define where $c_{j,q} = q_\Delta(c_j)$, $x^j_q = q_\Delta(x^j)$ as usual, and Then, with some constant $\varepsilon_2$, it holds that With $\bar\varepsilon_1 = 2\varepsilon_1/\Delta$, (31) and (34) imply that

B. Overview of encryption architecture
As before, the proposed architecture consists of two nodes between which only encrypted data is exchanged (Figure 2). However, the two quantizers now maintain the same sensitivity $\Delta[t]$. The role of each node is summarized below (P and C denote the plant and controller nodes, respectively):
P: Quantizes the gain $k$ and the coefficients $c_j$ to $k_q$ and $c_{j,q}$, respectively, and constructs a vector $\mathbf{k}_q = \mathbf{c}_q - k_q e_2$, where $e_2$ is the second column of the identity matrix of size $p + 1$. Then obfuscates $\mathbf{k}_q$ to $E_r(\mathbf{k}_q)$ and sends $E_r(\mathbf{k}_q)$ to the controller node (every time the sensitivity changes).
P: Quantizes the polynomial basis of the sampled state $x[t]$ to $\mathbf{x}_q[t]$, encrypts $\mathbf{x}_q[t]$ to $E_P(\mathbf{x}_q[t])$, and sends it to the controller node (at every sampling time).
C: Upon receiving the obfuscated/encrypted data, computes the scaled encrypted control inputs $E_P(E_r(u_q[t]))$ for $u_q[t] = \mathbf{k}_q^T \mathbf{x}_q$.
P: Upon receiving the encrypted scaled control inputs $E_P(E_r(u_q[t]))$, decrypts $E_P(E_r(u_q[t]))$ to $E_r(u_q[t])$ and then to $u_q[t]$.
P: Scales $u_q[t]$ to obtain the control input and applies it to the plant.

C. Quantizer analysis and design
As before, we analyze the effect of quantization in the design of quantizers by considering the system in Fig. 2 without encryptors and decryptors.
With the quantized control input the quantized closed-loop system is With the Lyapunov function $V = (x[t])^2$, (37) implies that where This time, consider using a modified version of the quantizer in Section III, i.e., where $\Omega$ is a scaling factor and $t_i$ are the time instances of sensitivity updates. Unlike Section III, the quantizer is initialized with a sensitivity $\Delta_0$ and a saturation level $q_{\rm sat}$ that satisfy with some $\varepsilon > 0$. Then, we have $\Theta < q_{\rm sat} - 1/2$. In order to avoid truncating $k$ and $c_j$, make sure that $q_{\rm sat}$ is large enough to satisfy Also, in order to guarantee $|a - bk| < 1$, make sure that Choosing the time instances of sensitivity updates as $t_{i+1} = \min\{t \ge t_i + 1 : q_{\Delta_i}(x[t]) \le \Theta + \varepsilon + 1/2\}$, it holds that $|x[t_i]| \le \Delta_i(\Theta + \varepsilon + 1)$, $i = 1, 2, \dots$.
The existence of $t_i$ is guaranteed by an analysis similar to that in [17], as long as $k$ and $c_j$ are not truncated. This quantizer guarantees that for $t \in [t_i, t_{i+1})$ as long as $k$ and $c_j$ are not truncated, i.e.,
$|k| \le (q_{\rm sat} - 1/2)\Delta[t], \quad |c_j| \le (q_{\rm sat} - 1/2)\Delta[t], \quad \forall j. \quad (46)$
However, as $\Delta[t]$ approaches zero, two problems occur:
• the quantized values of $k$ and $c_j$ will be truncated no matter how large $q_{\rm sat}$ is chosen, and
• the required upper bound $\varepsilon_1$ for the function approximation (31) approaches zero, which possibly leads to an infinitely large $p$.
Therefore, asymptotic stability cannot be guaranteed. On the other hand, we may hold the sensitivity $\Delta[t]$ constant once it becomes sufficiently small to avoid the above two problems. In other words, using the quantizer in the form we can guarantee the practical stability of the system with without incurring the problem. We may also choose to use a time-invariant quantizer in the gain node to guarantee practical stability, in which case the region in which $x[t]$ stays depends on the sensitivity of the quantizer in the gain node.

VI. CONCLUSIONS
In this paper, control systems combining quantizers with encryptors/decryptors are proposed and investigated. It is shown that encrypted control systems can be constructed that achieve asymptotic stability for linear systems, and practical stability for some nonlinear systems with the aid of function approximation using the Weierstrass approximation theorem. Since the combination with quantizers allows us to choose a short key length, the processing time for encryption/decryption may be reduced at the expense of cipher strength.