Privacy-Preserving Platooning Control of Vehicular Cyber–Physical Systems With Saturated Inputs

The Metaverse allows physical reality to integrate tightly with the digital universe. As one typical Metaverse application, platooning control of vehicular cyber–physical systems has attracted extensive attention because it improves traffic efficiency and driving safety and reduces emissions. However, due to the open nature of wireless communication networks, the transmitted vehicle-to-vehicle (V2V) data packets are exposed to the public, and the resulting data leakage can lead to unintended consequences for vehicular platoons. This article is concerned with the privacy-preserving platooning control issue of vehicular cyber–physical systems with input saturations. First, a novel distributed proportional-integral observer is proposed to estimate the full state of each vehicle, where the integral terms with a forgetting factor help realize the tradeoff between transient performance and steady-state performance for the platoon. Second, sampled-data-based dynamic encryption and decryption schemes, featuring a dynamic private key, are developed such that the encrypted and decrypted V2V data can be kept private to each platoon vehicle. It is then shown that the platooning control problem over a generic communication topology can be cast into the stability issue of an auxiliary dynamic system. Furthermore, sufficient conditions on the existence of the desired observer and controller gains as well as the private key parameter selection are derived to guarantee the desired platoon stability and privacy preservation requirements. Finally, an illustrative example is given to demonstrate the effectiveness of the proposed control method.

automobile industries have been reported; see [1], [2], [3], [4], [5], [6], and [7] and references therein. Those results show the potential of Metaverse to improve vehicle performance and the driver's experience. However, Metaverse applications in connected and automated vehicles rely heavily on suitable wireless communication networks to guarantee safety both in the real and cyber worlds [8], [9], [10], [11], [12]. Therefore, how to better integrate communication networks with physical vehicles, leading to the so-called vehicular cyber-physical system, is of both theoretical and practical significance. Among the various control problems for vehicular cyber-physical systems, platooning control, whose primary objective is to coordinate a group of connected and automated vehicles such that they can travel in close proximity to one another at highway speeds, has attracted intensive attention; see the recent surveys [13], [14], [15], [16]. In their early stage, vehicles mainly use onboard sensing devices such as radars and lidars to get information from other vehicles. As a result, vehicles can only obtain information from the vehicles nearest to them, and the developed platooning control results apply to only the predecessor-following platoon structure.
With the rapid development of communication and network technologies, the vehicle-to-vehicle (V2V) information flow topologies become much more flexible and versatile, under which the platooning control performance can generally be made better [17], [18], [19]. Metaverse aims to provide customized services to its users, requiring unique data from different users. Benefitting from the flourishing telecommunication and automotive industries, vehicles have the ability to share information with various remote transportation participants via different networks, including V2V communication networks, vehicle-to-infrastructure communication (V2I) networks, and vehicle-to-everything (V2X) communication networks [20]. Along with the advantage of information exchanges, there is an ever-increasing concern about data leakage due to the open nature of communication networks [21], [22], [23], [24], [25]. As such, data privacy is regarded as a critical issue that should be taken into consideration in vehicle platooning control. Up to now, data leakage has been an urgent yet underappreciated problem. From the perspective of system security, any leaked data leaves the system vulnerable to cyber attacks as malicious adversaries are very likely to launch more targeted attacks [26], [27], [28]. Vehicles suffering from those malicious attacks may collide with their preceding or following vehicles. Fortunately, the problem of data privacy preservation has stimulated scientific interest in the past few years. To date, several cryptographic techniques, such as blockchain [21], [22], group signatures [23], trustworthiness evaluation [24], and voting theory [25], have been applied to vehicular platoon privacy preservation.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
At the same time, various proactive moving-target defense mechanisms have been developed to improve system security; see the survey [29]. It should be pointed out that these cryptographic techniques require high computation resources. In vehicle platooning control, such a drawback is intolerable to manufacturers as it will lead to a cost surge. Additionally, these cryptographic techniques only focus on logical data privacy and overlook their impacts on platoon control performance.
Apart from the cryptographic techniques, the communication network itself also plays an important role in the privacy problem. For instance, a 5G-based V2X communication network is proposed in [30] to guarantee the privacy requirements of data where the communication task is allocated to the proper network slice. Moreover, the notion of -differential privacy is also prevalent in the field of data privacy preservation. When considering -differential privacy, Laplacian or Gaussian noises will be added to the original data such that individual data items cannot be recognized uniquely while the overall statistical characteristics of the data remain almost unchanged. Although -differential privacy can take system dynamics into consideration, these added noises may cover the original data and destroy the data integrity. One effective approach to overcome this shortcoming is to add fading noises to the original data [31], [32], [33]. However, these added noises will still make the system deviate from the desired consensus states [31]. Even worse, the -differential privacy mechanism will lose its effectiveness as the added noises decay to zero. Motivated by the k-anonymity in private data release technology [34], [35], this article aims to design a privacy-preserving control scheme based on the output of vehicles and eliminate the adverse effects of the privacy-preserving scheme.
Up to now, various state-feedback controllers have been proposed for vehicular cyber-physical systems in [17], [18], and [36]. However, in many practical situations, the full state of a vehicle may not be measured directly and precisely. Therefore, it is necessary to develop suitable observers to estimate the full states of vehicles by leveraging the limited sensor measurements. In comparison with traditional Luenberger observers, proportional-integral observers (PIOs) provide additional degrees of freedom to improve the estimation performance via an additional integral term. Specifically, such a degree of freedom can eliminate the steady-state estimation errors and makes the observer more robust to disturbances or uncertainties [37], [38]. Nevertheless, the employed integral term inevitably impairs the transient performance of PIOs. It then becomes important to realize the tradeoff between transient performance and steady-state performance. Furthermore, considering both privacy-preserving schemes and PIOs, it is also nontrivial to develop an easy-to-implement scheme to design the desired controller and observer gains while finding a verifiable condition on the parameters of privacy-preserving schemes.
Summarizing the discussion above, this article presents a distributed PIO-based control scheme with a privacy-preserving guarantee for a class of vehicular cyber-physical systems subject to input saturations. The main contributions of this article are highlighted as follows.
1) A novel PIO with a forgetting factor in the integral term is constructed to estimate the full states of vehicles while realizing the tradeoff between transient performance and steady-state performance.
2) A distributed encryption-decryption-based platooning control law is developed for each following vehicle. The proposed encryption and decryption schemes feature a dynamic private key that plays a key role in preserving the privacy of each vehicle's data.
3) By resorting to nonsingular transformation as well as the special structure of vehicular platoon systems with a digraph, the issue of platooning control is transformed into the stability issue of an auxiliary system.
4) Sufficient conditions on the existence of the desired PIOs and platoon controllers are derived to guarantee the expected platoon stability and privacy-preserving performance. It is shown that the selected range of parameters in private keys can be explicitly disclosed.
The remainder of this article is arranged as follows. Section II presents the preliminaries and formulates the main problem to be solved. Section III provides the main results in terms of stability analysis and gain design of PIOs and controllers. An illustrative example is given in Section IV to verify the effectiveness of the derived main results. Conclusions are drawn in Section V.
Notations: $\mathbb{N}$ denotes the set of natural numbers, and $\mathbb{N}^+$ stands for the set $\mathbb{N} \setminus \{0\}$. For symmetric matrix $X$, $X < 0$ means that $X$ is negative definite. A and λ(A) are the transpose and the eigenvalue of matrix A. $\lambda_{\max}(A)$ ($\lambda_{\min}(A)$) denotes the maximum (minimum, respectively) eigenvalue. $\mathrm{diag}\{A_1, A_2, \ldots\}$ means a block-diagonal matrix whose diagonal elements are $A_1, A_2, \ldots$ "e" describes Euler's number. Other notations are quite standard except where otherwise stated.

A. V2V Communication Topologies
Consider a vehicular platoon encompassing one leader and N followers. The V2V communication topology among fol-  Remark 1: Assumptions 1 and 2 are mild in the context of platooning control. Specifically, the spanning tree requirement holds for the commonly used information flow topologies, such as predecessor following (PF), predecessor leader following (PLF), bidirectional (BD), and BD leader (BDL). Furthermore, the eigenvalues of L + D 0 for those four topologies are all real. What is more, by the Gershgorin circle theorem, we know that the ith eigenvalue is located in

B. Longitudinal Vehicle Dynamics
The widely studied third-order position-velocity-acceleration model [18], [39] is adopted to describe the longitudinal dynamics of each platoon vehicle where $p_i(t) \in \mathbb{R}$ is the position of vehicle $i$, $\tau \in \mathbb{R}$ is the inertial lag of longitudinal vehicle dynamics, and $u_i(t) \in \mathbb{R}$ denotes the desired acceleration control input to be designed. Similarly, the dynamics of the leader can be modeled by where $p_0(t) \in \mathbb{R}$ is the position of the leader. For simplicity, the control input is set as $u_0(t) = 0$. Introducing the augmented state $x_i(t) = [p_i(t), \dot{p}_i(t), \ddot{p}_i(t)]^T$ and the low-dimensional sensor measurement $y_i(t) \in \mathbb{R}^q$ with $q \le 3$, the longitudinal dynamics (1) can be rewritten into the following state-space form: for $i \in \{0\} \cup V$, where $C$ is a known output matrix with full-row rank, and
Remark 2: One of the most important concepts of Metaverse is digital twins [6], [7]. A digital twin, a 2-tuple consisting of one digital entity and its corresponding entity in the real world, provides a novel insight into the integration of the virtual and real worlds. With such a virtual entity, we can describe and predict the behavior of its corresponding real entity. Therefore, it is necessary to investigate the behavior of virtual entities to guarantee a better performance of corresponding real entities. In what follows, leveraging only each vehicle's sensor measurement $y_i(t)$, we aim to develop a distributed observer and a distributed encryption-decryption-based controller in the virtual world. The virtual world will output the desired control input commands $u_i(t)$ for each vehicle $i \in V$ in the physical world such that the platoon vehicles' longitudinal motions can be regulated in a distributed manner.

C. Distributed PIOs and Encryption-Decryption Schemes
For each vehicle i ∈ V in the platoon, the following distributed PIO is adopted to estimate its full state x i (t): wherex i (t) andỹ i (t) describe, respectively, the estimates of state x i (t) and measurement y i (t), and r i (t) stands for the auxiliary variable to reflect the behavior of integral loops. The scalar φ > 0 is the forgetting factor to balance the influence of historical data, and L P and L I are proportional and integral gains to be determined later.
Denoting the estimation error as e oi (t) = x i (t) −x i (t) and applying (4) to (3) lead tȯ , one has the following error dynamics:ψ where generally needs to be transmitted to its neighbors to realize the desired platooning performance. Considering privacy preservation [40], [41], [42], [43], we are now ready to construct the following encryption and decryption schemes. Let T be the sampling period of the transmitted data.
The following distributed sampled-data-based dynamic encryption scheme is proposed for each vehicle i: is a piecewise function serving as a dynamic encryption key with the following rule: where g 0 > 0, g 1 ∈ N + , and γ ∈ (0, 1). The uniform quantizer q(x) is defined as For the received information j ((k + 1)T) from its neighbor j, the following distributed sampled-data-based decryption scheme is carried out: wherex ij (t) is an internal state of decryptor i for decrypting data from its neighbor j. According to (7) and (9), it is easy to verify thatx for the following presentation of controller design, where ξ ix (t) ∈ R 3 andx ijx (t) ∈ R 3 correspond to the estimated states, and ξ ir (t) ∈ R q andx ijr (t) ∈ R q correspond to the auxiliary variables.

D. Distributed Platooning Control Law
A traditional platooning control law with saturation constraints takes the following form: where K is the control gain to be designed, d ij is the desired distance between the ith and jth vehicles, d i0 is the desired distance between the ith vehicle and the leader, and Sat(·) is the saturation function to guarantee physical limits or safety requirements. Inspired by the method in [44], a dead-zone function (t) is employed to deal with the challenge of saturation constraints, that is where (12) with u max being the saturation level. Such a dead-zone function satisfies the following condition.
Lemma 1 [44]: There exists a positive scalar ι ∈ (0, 1) such that ιs s ≥ (s) (s).
Due to privacy-preserving requirements, the encrypted data, rather than plain data of any platoon vehicle, will be sent to its neighboring vehicles via the communication network. To this end, the actual platooning control law should incorporate the encrypted and decrypted vehicular data. By virtue of the state of the encryptor and the output of the decryptor, we propose the following distributed platooning control law for each vehicle i ∈ V: withũ Noting that ξ j (t) =x ij (t), one has that (13) is equivalent to
Remark 3: In our encryption scheme, only i (kT) is transmitted via V2V communication networks. The dynamic encryption key is private to each vehicle and the data privacy is preserved. On the other hand, input saturation is a common phenomenon in vehicle platooning control owing to the physical limitations on throttles and brakes of each vehicle. The saturation nonlinearity is generally handled by transforming it into other smooth functions [45], [46], such as hyperbolic tangent and sigmoid functions. However, it is not an easy-to-implement tool for controller design due to the intrinsic nonlinearity of the employed functions. Inspired by the approach in [44] and [47], a dead-zone function is employed to realize platooning control design.
To proceed with, we define the platoon tracking error as (3) and (14), one haṡ For the simplicity of analysis, we further denote the following stacked vectors: and reorganize the above error dynamics as follows: On the other hand, there exists a nonsingular matrix One haṡ The objective of this article is to achieve the desired platooning requirement with the predetermined gap reference by designing a distributed PIO-based controller u i (t) (13) (or 14) under the encryption and decryption schemes (7)-(9). In other words, the purpose is to determine the gain matrices L P , L I and K such that the following two requirements are satisfied simultaneously.

III. STABILITY ANALYSIS AND CONTROLLER DESIGN
This section will design suitable gain matrices while deriving a sufficient condition to guarantee the stability of the PIO error dynamics. In light of the designed PIO, the control gain under the adopted privacy preserving framework will be further determined to ensure successful vehicle platooning.
We first examine the privacy of the employed encryption and decryption schemes. The variable z i (t) = ξ ix (t)−x i (t) describes the privacy-preserving error (i.e., the gap between the protected data and the real ones). Then, denote the quantization error at time instant kT as Furthermore, it follows from the above formula and the fourth formula in (7) that:
Lemma 2 [34]: For any k ∈ N, one has where b(t) = b 0 √ 3Ng(t) with b 0 = max{(1/2), (1/ √ 3g 0 )}.
Remark 4: It is clear from the above lemma that the privacy-preserving error z(kT) highly depends on both the dynamic private key g(t) and the quantizer level , which are kept private from the public, including adversaries. In other words, adversaries executing the encryption algorithm with unmatched parameters cannot infer the estimated value x i (t) of the vehicle i of interest via the eavesdropped data i (kT). Furthermore, the key g(t) has the capability of improving quantitative accuracy via amplifying the quantizer's input.

A. Stability Analysis and PIO Gain Design
This section presents a sufficient condition for observer gain design, while guaranteeing the desired stability of the PIO error dynamics.
Theorem 1: Consider the distributed PIO (4) for vehicle i modeled by (3). The estimation error (6) is convergent exponentially if there exist positive definite matrices Q 1 and Q 2 and matricesL P andL I such that holds. Furthermore, the observer gain matrices are determined by L P = Q −1 1L P and L I = Q −1 1L I . Proof: Select the following Lyapunov candidate: where Q = diag{Q 1 , Q 2 }.
Taking the derivative of (18) along error dynamics (6) results inV Considering the relationshipL P Q 1 L P andL I Q 1 L I , one has that there exists a negative constant ϑ = λ max ( 1 ) such thatV if 1 < 0 holds. Integrating both sides of (19) leads to which, together with (18), means that is, e oi (t) and r i (t) converge to zero exponentially. The proof is completed.

B. Some Important Lemmas for Performance Analysis
This section is to provide two lemmas for subsequent controller design.
Proof: This lemma can be proved by the following two cases.
Case a): lim t→∞ t 0 |e aτ h(τ )|dτ < ∞. In this case, it is not difficult to find that  (22) whereē vi (t),z i (t) andē oi (t) are the subvectors related to Jordan matrix J i . C2: The matrix A + λ i BK is Hurwitz, where the inputs satisfy Proof: According to the structure of Jordan matrix J, the saturation-free system (16) can be easily decomposed into m subsystems. Without loss of generality, its ith subsystem with stateē vi (t) = [ē vi1ē vi2 · · ·ē vil ] corresponding Jordan block J i ∈ R l×l can be further rewritten as follows: where the structure of vectorsz i (t) andē oi (t) is the same asē vi (t).
According to condition C2, Lemma 3, as well as the solution of linear systems, one has the subsystem (23b) is stable, that is, lim t→∞ ē vil (t) = 0. In what follows, let us disclose the stability of subsystems (23a) via the well-known mathematical induction. To this end, assume that lim t→∞ ē vi,s+1 (t) = 0 holds and let us disclose lim t→∞ ē vi,s (t) = 0.
It is not difficult to find that the solution of (23a) can be written as e vis (t) = e (A+λ i BK)tē vis (0) Due to lim t→∞ ϕ is (t) = 0, applying the condition C2 and Lemma 3 again results in lim t→∞ēvis (t) = 0. As such, according to mathematical induction, one has the ith subsystem of (16) is stable, that is, the platooning control of the saturation-free vehicular system is achieved.
On the other hand, according to the relationship between the subsystem (23a) and (23b) and the auxiliary error subsystem (22), one can easily obtain that the platooning control can be achieved if the condition C1 is true, and the proof is completed.

C. Stability Analysis and Controller Gain Design
It should be indicated that the challenge from digraphs is the specific structure of the Jordan matrix J in platooning error dynamics (16). Benefitting from Lemma 4, such a challenge can be effectively handled by resorting to an auxiliary system consisting of a set of subsystems matched with the last row of each Jordan block. By doing so, one first stacks the eigenvalues of L + D 0 into an N × N diagonal matrix = diag{λ 1 , . . . , λ 1 , . . . , λ 2 , . . . , λ 2 , . . . , λ m , . . . , λ m }, where the multiplicity of each eigenvalue equals the dimension of its corresponding Jordan matrix. Then, define a composite vector w(t) = −1 N ⊗ (z 0 (t) +ē o0 (t)) and an augmented vector ζ(t) = [ē v (t)ē o (t)r (t) ] . Considering the relationship among (5), (16), and (22) in Lemma 4, one can obtain the following auxiliary system: where Now, the platooning control problem of the addressed vehicular system (1) with PIO (4), encryptor (7), and decryptor (9) is transformed into the stability analysis issue of the above auxiliary system. The corresponding result is stated in the following theorem.
Theorem 2: Consider a vehicular platoon consisting of (1) with PIO (4), encryptor (7), and decryptor (9). Furthermore, observer gains L I and L P of PIO (4) are designed via the condition in Theorem 1. The platooning requirement with the specified spacing reference is guaranteed if there exist a positive definite matrix P, a matrixK, and two positive scalars ι ∈ (0, 1) and 1 > 0 such that (25) for i = 1 and i = N, wherẽ and, meanwhile, parameters are selected as Proof: Select the Lyapunov function as where P = diag{I N ⊗ P, I N ⊗ Q 1 , I N ⊗ Q 2 } with Q 1 and Q 2 acquired from Theorem 1. Differentiating (26) along dynamics (24) leads tȯ Considering with 1 from Theorem 1, one haṡ Due to the fact that recalling Lemma 1 and (13), one has Taking the above inequality into account, one haṡ To proceed with, let us first assume that holds. Such an assumption can be guaranteed by (25) and will be verified in the later analysis. Then, there exists a positive constant 2 such thaṫ where E 2 = PE 1 + 2 3Ā 14 A 14 and E 3 = PF 2 + 2 3Ā 14 A 14 . For the cross terms in (29), one has where η is a positive constant. In what follows, substituting (30)- (32) into (29) yieldṡ Up to now, it is obvious that the first part − 2 η(1 + η) −1 ζ (t)ζ (t) inV(t) is negative. However, it is hard to determine whether the remaining part is negative or not because there exist jump phenomena inz(t) as the communication between vehicles is not continuous.
As such, to deal with this challenge, one needs to reveal that the upper bound of V(t) over a given time interval is nonincreasing and will decrease to zero as time goes to infinity. Inspired by [34], the following proof will be laid out in three parts.

1) Upper Bound ofz(t):
It follows from (4) and (7) that: Solving these differential equations in t ∈ (kg 1 T, (kg 1 + 1)T), one has For the notational simplicity, denote Because of γ ∈ (e −(ϑ/[2λ max (Q) , 1), condition (20) and Lemma 2, the upper bound of the last term in (35) is If the selected sampling period T satisfies T ≤ ([ln Similarly, the upper bound of the last term in (34) is In what follows, denote: Combining with (13), one has the upper bound of the second term in (34) as Then, considering the relationship Summarizing the inequalities above yields Following the same steps, one can also obtain: Finally, denoting a 1 and recalling Lemma 2, one has Taking (40)-(42) into consideration, one arrives at thatz(t) is bounded.
In what follows, substituting (42) into (33) generates: where It can be easily observed the positiveness or negativeness oḟ one has 2 2 P −1 −a 2 0 a 2 2 E 4 2 > 0. In light of the discriminant for polynomials, it is not difficult to conclude that f 1 (v kT ) = 0 has two roots r 1 (kT) and r 2 (kT) satisfying r 1 (kT) < 0 < r 2 (kT). Furthermore, one has f 1 (v) > 0 if v > r 2 (kT). Now, we are in a position to show that V(t) is nonincreasing for any t ∈ [kg 1 T, (k + 1)g 1 T) (k ∈ N), which is divided into two cases.
Noting that b(t) ≡ b(kg 1 T) and e o,kg 1 T ≥ e o (t) for any t ∈ [kg 1 T, (k + 1)g 1 T), it is easy to extend the results above on the interval [kg 1 T, (kg 1 + 1)T) to the interval t ∈ [kg 1 T, (k + 1)g 1 T). Finally, synthesizing case a) and case b), one has that V(t) is nonincreasing. In what follows, let us disclose the convergence of function V(t).
3) Convergence of Function V(t): Recalling case b) above, one can simplify (43) tȯ ). Solving such a differential equation yields Then, considering the fact v 2 sup,kg 1 = V(kg 1 T), one has Summarizing (45) and case a), one can obtain the upper bound By iterative calculation, it can be obtained that Due to lim k→∞ β k and lim k→∞ γ 2i β k−1−i = 0, one can conclude that lim k→∞ V(kg 1 T) = 0, which means lim t→∞ ζ(t) = 0. That is to say, the desired platooning requirement is achieved. Finally, let us discuss condition (28). First, considering that A +Ā is a block matrix and 1 is negative definite, and applying the Schur complement, (28) for any λ i (i = 1, 2, . . . , N), wherẽ Pre-and post-multiplying (46) by diag{P −1 , P −1 , I p , 1}, one has that (28) is true if 2 (λ i ) < 0 for any eigenvalues. On the other hand, there exists a constant θ i ∈ [0, 1] (i = 1, 2, . . . , N) satisfying As such, (28) is true only when both 2 (λ 1 ) < 0 and 2 (λ N ) < 0 hold, and the proof is now completed. Remark 5: It should be pointed out that an executable condition only dependent of the maximum and minimum eigenvalues is derived in Theorem 2 via an auxiliary system. In this theorem, the effect from the digraph is reflected by the transformation matrix and the suitable range is discovered for parameters in the dynamic private key g(t).
Finally, it is worth noting that the key g(t) tends to zero due mainly to γ < 1. If i (t) diverges to be infinity, then an infinite data rate is needed for information transmission, which is not applicable in practical engineering. As such, one has to further determine this parameter to avoid the phenomenon that for ∀i ∈ V, where L = C L P C . It follows from (7) that the upper bound of the first term can be calculated as: For the second term, one has With the help of (39) and (42), it follows: t kT u(τ ) dτ ≤ ρ 2 Tv sup,k + ρ 3 Tz sup,k When the selected β satisfies β ≤ γ 2 , one has Similarly, recalling (42) and (41), one has Keeping the above inequalities in mind, one has that (49) is bounded and its upper bound is denoted as c 4 , that is Finally, by selecting γ > e (ϑ/[2λ max (Q)]) and recalling (37), one has Combining the inequalities above, we can conclude that with c = c 1 + c 4 + c 5 , which means i is bounded for time instant t = (k + 1)T. Due to the arbitrariness of time instant k, the conclusion (51) always holds for all k = 0, 1, 2, . . . and the proof is therefore completed.
Remark 6: It should be pointed out that work on data privacy in the context of intelligent transportation systems mainly focuses on logical privacy and overlooks the control problem of vehicular platoons [21], [22], [23], [24], [25]. Conversely, those who have considered the control issue fail to take into account the preservation of privacy [17], [18], [19]. The primary challenge lies in how to analyze privacy and platoon performance within a unified framework, and this article fills this gap. When considering vehicles with directed information flow topologies, our method, which is dependent on the specific structure of platooning error dynamics, converts the original platooning control problem into a stability problem of an auxiliary system such that the control gain design for the platoon only requires the maximum and minimum eigenvalues of the topology matrix. From the perspective of real application, this article examines actuator saturation (especially for the jerk limitation of vehicles), which reflects the requirement of the passenger's comfort [48].

IV. SIMULATIONS
In this section, an illustrative example is presented to demonstrate the efficacy and merits of the developed results.
Without loss of generality, we consider a platoon consisting of 15 vehicles over a PF information flow topology (that is, each vehicle receives information from its direct predecessor). The inertial lag of vehicle engine dynamics is chosen as $\tau = 0.3$ s and it is assumed that only the position information can be measured, that is, the output matrix takes the form of $C = [1, 0, 0]$. The parameters in the dynamic private key, dependent on the desired capability of privacy preserving, are selected as $g_0 = 1$ and $\gamma = 0.8$. For the purpose of balancing the effect of quantization and privacy preservation, the quantization level is set to be = 0.1. Parameters $\eta = 0.03$ and 1 = 0.1 are selected to satisfy the requirement of Young's inequalities, and parameter $\beta$ is selected to be 0.9534. Furthermore, considering the physical limitation and the comfort of the passengers, the saturation value of the actuator is set to be $u_{\max} = 3$ m/s$^2$, and the corresponding scalar is set to be $\iota = 0.9246$. Sampling period $T$ is set to be 0.01. Furthermore, solving the linear matrix inequalities in Theorems 1 and 2, we obtain the desired gains as

A. Platooning Control Performance Validation
Applying the designed PIOs and controllers, the relevant simulation results are presented in Figs. 1-3. Specifically, Fig. 1 depicts the saturated control inputs implemented by each platoon vehicle. Fig. 2 plots the platoon behavior with PIO (4), encryptor (7), and decryptor (9). It can be observed that all following vehicles under the guidance of the leader move forward in an orderly manner and the desired safety spacing among vehicles is guaranteed. Hence, the anticipated vehicular platooning control performance is successfully achieved even in the presence of input saturations and privacy preservation. Note that the abrupt changes of the control effort and platoon behavior at the initial stage in Figs. 1 and 2(d) arise from the effects of nonzero initial spacing and velocity errors as well as the input saturation. On the other hand, it is clear from Fig. 3(a) and (d) that observer errors converge to zero faster than the dynamic private key, which complies with the condition for Theorem 2. Fig. 3(c) and (d) indicate that although the dynamic private key decreases over time, package size is always limited, which matches the conclusion of Theorem 3. Furthermore, one can see from Fig. 3(b) that encryption errors also converge to zero over time.

B. Privacy Preservation Performance Comparison
To examine the performance of our privacy preservation scheme, it is assumed that eavesdroppers are capable of acquiring our encryption and decryption schemes and obtaining all the transmitted vehicular data. However, they are not able to access the private key of each vehicle. As such, eavesdroppers have to employ unmatched dynamic private keys to decrypt the stolen data, and four different parameter sets are used for the comparison: 1) $g_0 = 1$ and $\gamma = 0.8$; 2) $g_0 = 1.1$ and $\gamma = 0.8$; 3) $g_0 = 1$ and $\gamma = 0.7$; and 4) $g_0 = 1.1$ and $\gamma = 0.9$.
The decrypted results are given in Fig. 4, from which one can observe that: 1) eavesdroppers could obtain the actual states of the vehicle if they obtain the right key (i.e., $g_0 = 1$ and $\gamma = 0.8$) and 2) the decrypted states undoubtedly deviate from the actual ones as time goes on if a wrong key is used. It is verified that the data privacy can be preserved as long as the key is kept private from eavesdroppers. Additionally, although $\gamma$ is chosen as a number from the interval (0, 1), there is no limitation on choosing $g_0 > 0$. Therefore, $g(t)$ can be any positive real scalar for eavesdroppers, which guarantees the privacy of the encrypted data.
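The comparison above can be reproduced on a scalar signal. The following is an added example, not the authors' code: equations (7)-(9) are not reproduced in this text, so the difference-quantizing encoder/decoder, the key form g0·γ^⌊k/g1⌋, the value g1 = 100, the zero initial states and the test signal are all assumptions; only T, the quantization level, and the four (g0, γ) pairs come from the page.

```python
import math

T = 0.01      # sampling period (Section IV)
DELTA = 0.1   # quantization level (Section IV)
G1 = 100      # samples per key step: assumed, the page gives no value for g1

# Key parameters of the sender and the four guesses compared in Section IV-B.
TRUE_KEY = (1.0, 0.8)
GUESSES = [(1.0, 0.8), (1.1, 0.8), (1.0, 0.7), (1.1, 0.9)]


def key(k, g0, gamma, g1=G1):
    """Assumed piecewise-constant dynamic key: g0 * gamma**floor(k / g1)."""
    return g0 * gamma ** (k // g1)


def quantize(v, delta=DELTA):
    """Uniform quantizer: round v to the nearest multiple of delta."""
    return delta * math.floor(v / delta + 0.5)


def signal(t):
    """Constructed test data: a velocity estimate settling at 20 m/s."""
    return 20.0 - 5.0 * math.exp(-0.5 * t)


def encrypt(samples, g0, gamma):
    """Sender side: quantize the key-scaled innovation, track it in xi.

    Only the returned symbols would travel over the V2V link.
    """
    xi = 0.0                      # encryptor state (assumed to start at 0)
    symbols, states = [], []
    for k, x in enumerate(samples):
        g = key(k, g0, gamma)
        s = quantize((x - xi) / g)
        xi += g * s
        symbols.append(s)
        states.append(xi)
    return symbols, states


def decrypt(symbols, g0, gamma):
    """Receiver (or eavesdropper) side: rebuild the state from symbols."""
    est = 0.0                     # decryptor state (assumed to start at 0)
    out = []
    for k, s in enumerate(symbols):
        est += key(k, g0, gamma) * s
        out.append(est)
    return out


def compare_keys(steps=1000):
    """Final |decrypted - true| for each guessed key after steps*T seconds."""
    samples = [signal((k + 1) * T) for k in range(steps)]
    symbols, _ = encrypt(samples, *TRUE_KEY)
    return {
        guess: abs(decrypt(symbols, *guess)[-1] - samples[-1])
        for guess in GUESSES
    }


if __name__ == "__main__":
    for (g0, gamma), dev in compare_keys().items():
        print(f"g0={g0:<4} gamma={gamma:<4} final deviation = {dev:.4f}")
```

With the matched pair the residual is bounded by half a quantization step scaled by the current key value; each mismatched pair leaves a persistent offset because the decoder weights every received symbol with the wrong gain.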

V. CONCLUSION
This article investigated the distributed platooning control of vehicular cyber-physical systems with data privacy preservation and input saturation constraints. Considering that not all states of vehicles are obtainable, a distributed PIO was designed for each vehicle to estimate its unavailable full state at every instant of time. Different from traditional distributed observers, the integral term with a forgetting factor was adopted to achieve the tradeoff between transient performance and steady-state performance. Then, distributed sampled-data-based encryptors and decryptors with a dynamic private key were designed to encrypt and decrypt the estimated states on each platoon vehicle, which were further employed to generate the desired control inputs. After that, the platooning control issue was transformed into the general stability issue of an auxiliary system. Sufficient conditions involving the selected range of parameters in private keys were derived to guarantee the desired platoon stability and privacy preservation performance. One direction of our future work will focus on platooning control with simultaneous privacy-preserving and collision-free guarantees [49], [50].