Secure and Private Control Using Semi ... - WordPress.com · Secure and Private Control Using Semi-Homomorphic Encryption I,II Farhad Farokhi a, Iman Shames , Nathan Batterham aDepartment

Secure and Private Control Using Semi-Homomorphic Encryption I,II

Farhad Farokhia, Iman Shamesa, Nathan Batterhama

aDepartment of Electrical and Electronic Engineering, University of Melbourne, Parkville, VIC 3010, Australia

Abstract

Networked control systems with encrypted sensors measurements is considered. Semi-homomorphic encryption, specif-ically the Paillier encryption, is used so that the controller can perform the required computation on the encrypteddata. Conditions on the parameters of the encryption technique are provided that guarantee the stability and the per-formance of the closed-loop system. The results are subsequently extended Laplacian based distributed systems, such asformation-seeking algorithms. It is shown that the problem of figuring out the state measurements of the neighbouringagents of a compromised agent upon using the proposed algorithm is numerically intractable.

Keywords: Networked control system; Privacy; Security; Semi-homomorphic encryption; Paillier method.

1. Introduction

Recent technological advances in communication engi-neering have facilitated the design and the deployment oflarge-scale systems that are remotely monitored and con-trolled. Modern infrastructures, such as smart grids andintelligent transportation systems, are examples of suchsystems. The massive size of the collected data and thecomputational power required for operating these systemshave motivated outsourcing estimation and control tasksto third-party platforms, namely, the cloud-computingcompanies. This allows the system operator to save con-siderably in terms of the required infrastructure and thebudget for expanding the system. Although very desir-able, relying on third-party computation is not withoutits perils. Cyber-security threats and invasion of privacyof the users are just two examples of the sort of problemsarising in this context [2–4].

Cyber-security attacks can be decomposed into variouscategories based on the type and the amount of the re-sources that the attacker uses to achieve its goal [3]. Eaves-dropping is one of the most basic attacks that requires rela-tively low amount of resources. This attack also serves as astarting point for many more sophisticated attacks [5]. Ineavesdropping attacks, the adversary listens to the com-munication channel between the sensors, the controller,and the actuator to extract valuable information about the

IAn early version of this paper was presented at the 6th IFACWorkshop on Distributed Estimation and Control in Networked Sys-tems [1]. Corresponding author F. Farokhi.

IIThe work was supported by a McKenzie Fellowship, an earlycareer grant from Melbourne School of Engineering, ARC grantLP130100605, and Defence Science and Technology Group throughthe Research Agreement MyIP:6288.

Email addresses: [email protected] (Farhad Farokhi),[email protected] (Iman Shames),[email protected] (Nathan Batterham)

model and the controller based on the transmitted data.Encryption is a tool that is widely utilized to combat suchattacks. A typical control loop with encryption-decryptionunits is shown in Figure 1. The sensor and the controllerencrypt their signals before transmitting them through thecommunication network. This technique is good for mak-ing eavesdropping attacks difficult over the communicationchannel, i.e., points A and B in Figure 1. However, the en-cryption is useless if the cloud-computing platform is com-promised, i.e., if the attacker has access to points C, D, andE in Figure 1. Privacy breaches also often happen insidethe cloud-computing services, where a third-party serviceprovider or an adversary agent can reconstruct the privatedata of the participants or the infrastructure. Hence, en-cryption techniques in the networked systems of the formin Figure 1 are not effective for these privacy breaches. Inlight of these observations, it is desirable to use encryptiontechniques, such as semi-homomorphic encryption, thatdo not require the data to be decrypted before enteringthe cloud-computing services. Thus, reducing the risks ofcyber-security attacks and privacy breaches in points C,D, and E in Figure 1.

In this paper, a networked control loop of the form ofFigure 2 is closely studied. Homomorphic encryption isa form of encryption that allows the controller (on thecloud-computing platform) to carry out the necessary com-putations on encrypted data. Semi-homomorphic encryp-tion are a simpler form of homomorphic encryption thatonly allow for a category of operations to be performed onthe encrypted data. For instance, the Paillier method [6],which is a semi-homomorphic encryption technique, allowssummation of plain data to be performed by multiplica-tion of the encrypted ones. On contrary, ElGamal encryp-tion [7] allows the multiplication of plain data using themultiplication of the encrypted data. In contrast, fully-homomorphic encryption schemes, such as Gentry’s en-

Preprint submitted to Control Engineering Practice May 31, 2017

System Sensor EncryptionActuator

Network

DecryptionControllerEncryption

Network

Decryption

AB

C D

E

Figure 1: The schematic diagram of a networked control system with encryption-decryption units.

System SensorSemi-Homorphic

EncryptionActuator

NetworkControllerNetwork

Decryption

Figure 2: The schematic diagram of a networked control system with semi-homomorphic encryption-decryption units.

cryption [8], allow for both multiplication and summationof plain data through appropriate arithmetic operationson the encrypted data.

In this paper, the Paillier encryption technique is usedfor secure and private computation of control laws us-ing untrusted cloud-computing platforms. Specifically, theparameters of the Paillier encryption technique are de-termined so that the stability of the closed-loop systemand its closed-loop performance can be guaranteed. Theresults are subsequently extended Laplacian based dis-tributed systems, such as formation-seeking algorithms. Itis shown that the problem of figuring out the state mea-surements of the neighbouring agents of a compromisedagent upon using the proposed algorithm is numericallyintractable.

This is not the first time that the semi-homomorphic orhomomorphic encryption schemes are utilized when usingthird-party cloud-computing services; e.g., see [9–13] andthe references there-in. However, none of these studies,except [13], have considered these techniques in networkedcontrol system. In addition, in [13], only a framework forusing semi-homomorphic encryption in networked controlsystems is developed and practical aspects, such as ensur-ing stability and maintaining the closed-loop performanceof the system, are not studied. Further, these results havenot addressed the possibility of using homomorphic en-cryption in distributed systems for securing the commu-nications from possible adversaries through compromisedagents.

The rest of the paper is organized as follows. First,background materials on fixed-point arithmetic and semi-homomorphic encryptions are presented in Section 2. Thecontrol strategy is discussed in Section 3. The results aregeneralized to Laplacian based distributed systems in Sec-tion 4. Numerical examples are provided in Section 5 andthe paper is concluded in Section 6.

2. Background materials

2.1. Fixed-point arithmetic

The objects of interest, in this paper, are signed fixed-point rational numbers in base 2, such as

± cn−1cn−2 · · · cm+1︸︷︷︸integer bits

. cmcm−1 · · · c1︸︷︷︸fractional bits

for given integers n,m ∈ N such that m ≤ n. The set ofall such numbers can be denoted by

Q(n,m) :=

b ∈ Q | b = −bn2n−m−1 +

n−1∑i=1

2i−m−1bi,

bi ∈ 0, 1 ∀i ∈ 1, . . . , n.

This set contains all rational numbers between −2n−m−1

and 2n−m−1−2−m separated from each other by the resolu-tion 2−m. Although conceptually useful, these fixed-point

2

rationals need to be transformed into integers so that a dig-ital processor can use them. To do so, define the mappingfn,m : Q(n,m) → Z2n such that fn,m(b) = 2mbmod 2n

for all b ∈ Q(n,m). The notation Zq denotes the setof integers modulo q for all q ∈ N. Moreover, definethe inverse mapping f−1

n,m : Z2n → Q(n,m) such thatf−1n,m(a) = (a − 2n1a≥2n−1)/2m for all a ∈ Z2n , where1p is a characteristic function that is equal to one if thestatement p holds true and equal to zero otherwise.

Proposition 1. The following two statements are valid:

1. f−1n,m(fn,m(b)) = b for all b ∈ Q(n,m);

2. fn,m(f−1n,m(a)) = a for all a ∈ Z2n .

Proof. See Appendix A.

This proposition shows that Q(n,m) is isomorph to Z2n

and thus every operation in the set of signed fixed-pointrationals Q(n,m) can be translated into an operation inthe set of integers modulo 2n and vice versa. This rela-tionship is explored in detail in the following proposition.Noting that n and m are clear from the context, with slightabuse of notation, in this proposition, f and f−1 are usedinstead of fn,m and f−1

n,m, respectively.

Proposition 2. The following identities hold:

1. For all b, b′ ∈ Q(n,m) such that b + b′ ∈ Q(n,m),f(b+ b′) = (f(b) + f(b′)) mod 2n;

2. For all b ∈ Q(n,m) such that −b ∈ Q(n,m), f(−b) =2n − f(b);

3. For all b, b′ ∈ Q(n,m) such that b − b′ ∈ Q(n,m),f(b− b′) = (2n + f(b)− f(b′)) mod 2n;

4. For all b, b′ ∈ Q(n,m) such that bb′ ∈Q(n,m), f(bb′) = ((f(b) − 2n1b<0)(f(b′) −2n1b′<0)/2m) mod 2n.

Proof. See Appendix B.

For the ease of the presentation of the operations in Z2n ,the following operators for all a, a′ ∈ Z2n are defined:

an⊕a′ = (a+ a′) mod 2n,

ana′ = (2n + a− a′) mod 2n,

an⊗ma′ = ((a− 2n1a≥2n−1)(a′ − 2n1a′≥2n−1)/2m) mod 2n.

The following properties can be proved for these new op-erators.

Corollary 1. The following identities hold:

1. For all b, b′ ∈ Q(n,m) such that b + b′ ∈ Q(n,m),

fn,m(b+ b′) = fn,m(b)n⊕fn,m(b′);

2. For all b ∈ Q(n,m) such that −b ∈ Q(n,m),

fn,m(−b) = 0nfn,m(b);

3. For all b, b′ ∈ Q(n,m) such that b − b′ ∈ Q(n,m),

fn,m(b− b′) = fn,m(b)nfn,m(b′);

4. For all b, b′ ∈ Q(n,m) such that bb′ ∈ Q(n,m),

fn,m(bb′) = fn,m(b)n⊗mfn,m(b′).

Proof. The proof directly follows from the application ofProposition 2.

The multiplication is more difficult to implement in com-parison to the summation as the sign of the operands(i.e., the numbers on which the operators act) needs to bechecked. This creates difficulties in the subsequent sections(as the sign of encrypted numbers cannot be checked). In-terestingly, this difficulty is caused by the existence of thefractional bits. The following properties of the multiplica-tion are used in the subsequent sections to overcome thedifficulty of implementing it.

Proposition 3. The following properties are valid:

1. an⊗0a′ = aa′mod 2n;

2. an⊗ma′ = (aa′/2m) mod 2n if 2m|a′ and a′ < 2n−1.

Proof. See Appendix C.

Note that if a is divisible by 2m then f−1n,m(a) is an in-

teger. Therefore, the complexity of the implantation canbe reduced by ensuring that one of the numbers is positiveand that its fixed-point representation is integer. Finally,the following useful property can be used for cases wherem 6= 0.

Proposition 4. For all b, b′ ∈ Q(n,m) such that bb′ ∈Q(n,m),

fn+2m,0(22mbb′) = fn+2m,0(2mb)n+2m⊗0

fn+2m,0(2mb).

Proof. See Appendix D.

The result of Proposition 4 is particularly useful as the

implementation of the operationn+2m⊗0

does not require

comparisons (see Proposition 3) in contrast to implemen-

tation ofn⊗m

.

2.2. Semi-homomorphic encryption

In this subsection, a simple semi-homomorphic encryp-tion scheme, namely, the Paillier encryption technique, isintroduced. This technique relies on Decisional Composite

3

Residuosity Assumption1 [6]. The encryption scheme is asfollows:

• Key generation:

- Select large prime numbers p and q randomly andindependently of each other such that gcd(pq, (1 −p)(1 − q)) = 1, where gcd(a, b) refers to the greatestcommon divisor of a and b;

- Compute public key N = pq;

- Calculate private key λ = lcm(p − 1, q − 1) and µ =λ−1 modN , where lcm(a, b) refers to least commonmultiple of a and b.

• Encryption:

- Select random r ∈ Z∗N := x ∈ ZN | gcd(x,N) = 1;- Construct the ciphertext of a message t ∈ ZN asE(t; r) = (N + 1)trN modN2.

• Decryption:

- For any ciphertext c ∈ ZN2 , the plain text is givenby D(c) = L(cλ modN2)µmodN , where L(x) = (x−1)/N .

In the Paillier encryption scheme, N is the public key(i.e., it is shared with all the parties and is used for en-cryption) and the pair (λ, µ) is the private key (i.e., onlythe entity that needs to decrypt the data has access to it).Following [6], an important (and obvious) property of thethis system is that

D(E(t; r)) = t, ∀r ∈ Z∗N ,∀t ∈ ZN .

This shows that there is an invertible relationship betweenthe encrypted texts and the plain text. The following im-portant properties can be proved to establish that the Pail-lier is a semi-homomorphic encryption scheme.

Proposition 5. The following identities hold:

1. For all r, r′ ∈ Z∗N and t, t′ ∈ ZN such that t+t′ ∈ ZN ,E(t; r)E(t′; r′) modN2 = E(t+ t′; rr′);

2. For all r ∈ Z∗N and t, t′ ∈ ZN such that tt′ ∈ ZN ,

E(t; r)t′modN2 = E(t′t; rt

′).

Proof. See Appendix E.

These two properties provide an opportunity to performcalculations on the encrypted data. However, noting thatit is impossible to check the sign of an encrypted number,multiplication is not easy to implement. The followingresult identifies a few cases in which the multiplication isimplementable.

1Decisional Composite Residuosity Assumption refers to thatgiven integers N ∈ Z and x ∈ ZN2 , it is “hard” to decide whetherthere exists y ∈ ZN2 such that x ≡ yN modN . This is equivalentto that the decryption without access to the private key is computa-tionally impossible unless P=NP.

Proposition 6. Assume that N > 2n. For all r ∈ Z∗Nand a, a′ ∈ Z2n , the following statements are valid:

1. D((E(a; r)a′modN2)θ modN2) mod 2n = a

n⊗ma′ with

θ = 2−m modN , if an⊗ma′ ∈ Z2n , a, a′ < 2n−1, and

gcd(2m, N) = 1;

2. D(E(a; r)a′/2m

modN2) mod 2n = an⊗ma′ if a

n⊗ma′ ∈

Z2n , 2m|a′, and a′ < 2n−1;

3. D(E(a; r)a′modN2) mod 2n = a

n⊗0a′ if a

n⊗0a′ ∈ Z2n .

Proof. See Appendix F.

Proposition 6 requires that the outcome of the multi-plication does not overflow (i.e., it does not become largethan Z2n). Since checking overflows are not possible whenworking with the encrypted data, it is up to the designerto select a large enough set of fixed point rationals so thatthe outcome of all the algebraic computations stays insidethe same set.

With these background material in hand, the controlarchitecture is presented in the next section.

3. Control architecture

Consider the discrete-time linear time-invariant dynam-ical system of the form

x[k + 1] = Ax[k] +Bu[k], x[0] = x0, (1a)

y[k] = Cx[k], (1b)

where x[k] ∈ Rpx denotes the state, u[k] ∈ Rpu denotesthe control input, and y[k] ∈ Rpy denotes the outputsmeasured by the sensors. The controller takes the form of

u[k] = Ky[k]. (2)

Throughout this paper, the following assumption is made.

Assumption 1. There exists K ∈ Rpu×py such that A+BKC is Schur, i.e., all the eigenvalues of A + BKC areinside the unit circle in the complex plane.

Conditions for checking the validity of this assumptionas a function of the model matrices and their sparsity pat-terns are given in [14, 15]. To be able to implement thecontrol law in (2) on digital computers, one needs to re-strict the control gain to be in the set Q(n1,m1)pu×py forsome appropriately selected parameters n1,m1 ∈ N. Theexistence of such quantized control gains is ensured by thatthe eigenvalues of a matrix are continuous functions of theentries of the matrix [16, p. 88-89]. In fact, the continuityshows that, for any K ∈ Rpu×py such that A + BKC isSchur, there exists ε(K) > 0 such that A+BKC is Schurif ‖K− K‖F ≤ ε(K). The following results can be proved.

4

Algorithm 1 Secure and private implementation of thestatic controller with encrypted output measurements.

Require: n1, m1, n2, m2, K, y[k], p, qEnsure: u[k]

1: Set n = py + n1 + n2 and m = m1 +m2

2: # Control designer3: Compute K ∈ arg minK′∈Q(n1,m1)pu×py ‖K ′ − K‖F4: Transmit Γji = fn+2m,0(2mKji) to the controller5: # Sensors6: for i = 1, . . . , py do7: Construct yi[k] by projecting yi[k] in Q(n2,m2)8: Transmit zi = E(fn+2m,0(2myi[k]); r) to the con-

troller9: end for

10: # Controller11: for j = 1, . . . , pu do

12: Set `j [k] = zΓj1

1 modN2

13: for i = 2, . . . , py do

14: Compute `j [k] = (`j [k](zΓji

i modN2)) modN2

15: end for16: Transmit `j [k] to the actuators17: end for18: # Actuators19: for j = 1, . . . , pu do20: Implement uj [k] = D(`j [k]) mod 2n+2m/22m

21: end for

Proposition 7. Let K ∈ Rpu×py such that A + BKCis Schur. Let K ∈ arg minK′∈Q(n1,m1)pu×py ‖K ′ − K‖Ffor m1 ≥ d− log2(ε(K)/

√pupy)e and n1 ≥ dm1 + 1 +

log2(maxi,j |Kij |)e. Then, A+BKC is Schur.

Proof. See Appendix G.

In addition to quantizing the controller parameters, theoutput of the system needs to be also quantized. Let y[k]denoted the quantized version of the output y[k], that is,

y[k] = minz∈Q(n2,m2)py

‖z − y[k]‖2,

for appropriately selected n2,m2 ∈ N. To be able to prop-erly quantize the output, it should be proved that it staysbounded.

Proposition 8. Assume that A+ BKC is Schur. Thereexists M(x0) > 0 such that y[k] ∈ [−M(x0),M(x0)]py forthe system (1) with controller u[k] = Ky[k] if n2 ≥ dm2 +1 + log2(M(x0))e.

Proof. See Appendix H.

The control designer, the sensors, the controller (whichis implemented on the cloud), and the actuators can followAlgorithm 1 to ensure the private and secure implementa-tion of the static control law in (2).

Theorem 1. Let K ∈ Rpu×py be such that A + BKC isSchur. Assume

N > 2py+n1+n2 , (3a)

m1 ≥ d− log2(ε(K)/√pupy)e, (3b)

n1 ≥ dm1 + 1 + log2(maxi,j|Kij |)e, (3c)

n2 > dm2 + 1 + log2(M(x0))e. (3d)

Then limk→∞ dist(x[k],B(2−m2ξ)) = 0, where ξ > 0 is aconstant2, if the controller is calculated by Algorithm 1.

Proof. See Appendix I.

Remark 1. (Stability and Performance). Theorem 1proves that the closed-loop system is practically stable(rather than asymptomatic stability). This is due to theeffect of the quantization. This theorem further relatesthe performance of the system to m2, the resolution ofthe quantization of the output measurements y[k]. By in-creasing this resolution, the performance can be improvedarbitrarily.

Remark 2. (Computational Complexity and Com-munication Overhead). The computation cost of theencryption and decryption algorithms scale3 as O(N3) be-cause the most burdensome computation in both cases iscalculating exponential operations. Each multiplication isAlgorithm 1 costs O(N2) operations and each exponenti-ation costs O(N3) operations. Therefore, assuming thatpu, py = O(1), i.e., constants independent of N , the overallcomputational complexity of Algorithm 1 scales as O(N3).In addition, note that instead of sending packets of thesize n, the communication involves transmitting packets ofthe length O(N). Finally, recall that N itself scales ex-ponentially with n, i.e., N = O(2n). This exponentialincrease in the computational complexity and communica-tion overhead can be interpreted as the cost of privacy andsecurity in networked control systems.

Remark 3 (Privacy and Security). The problem ofbreaking the Paillier’s encryption and thus, in the setupof Algorithm 1, figuring out the state measurements y[k]from all zi and `j is numerically intractable under Deci-sional Composite Residuosity Assumption if the key lengthis selected large enough. In fact, it can be proved that anyprobabilistic polynomial-time adversary (i.e., an adversarywith extremely high, yet reasonable, computational ability;see [17, p. 187] for a proper definition) can only infer thecorrect yi[k] from all the communicated messages (i.e., ziand `i) with probability 2−n2 plus a negligible function4

2ξ = (c1 + c2)(1/λmin(Q) + 1/λmin(P )) where P , Q, c1, and c2are defined in the proof of Proposition 8.

3We say f1(N) scales as O(f2(N)) if limN→∞ f1(N)/f2(N) =c <∞.

4A function f : N → R≥0 is called negligible if, for any c ∈ N,there exists nc ∈ N such that f(n) ≤ 1/nc for all n ≥ nc [18].

5

Algorithm 2 Secure and private implementation of thestatic controller with encrypted control parameters.

Require: n1, m1, n2, m2, K, y[k], p, qEnsure: u[k]

1: Set n = py + n1 + n2 and m = m1 +m2

2: # Control designer3: Compute K ∈ arg minK′∈Q(n,m)pu×py ‖K ′ − K‖F4: Transmit Γji = E(fn+2m,0(2mKji); r) to the controller5: # Sensors6: for i = 1, . . . , py do7: Construct yi[k] by projecting yi[k] in Q(n,m)8: Transmit yi[k] = fn+2m,0(2myi[k]) to the controller9: end for

10: # Controller11: for j = 1, . . . , pu do

12: Set `j [k] = Γy1[k]j1 modN2

13: for i = 2, . . . , py do

14: Compute `j [k] = (`j [k](Γyi[k]ji modN2)) modN2

15: end for16: Transmit `j [k] to the actuators17: end for18: # Actuators19: for j = 1, . . . , pu do20: Implement uj [k] = D(`j [k]) mod 2n+2m/22m

21: end for

of the key length. This is a direct consequence of the se-mantic security, also known as Indistinguishability underChosen Plaintext Attack (IND-CPA), in [6]. Therefore,the probability that an adversary can infer the measure-ments (from all the encrypted communications and compu-tations) is equal to 2−n2 for large enough key lengths. Notethat 2−n2 is equal to the probability of guessing a measure-ment without the basis of any observations. Therefore, theadversary cannot gain anything from having access to theencrypted measurements.

Contrary to the previously-described scenario, it couldbe of interest to encrypt the controller parameters insteadof the output measurements. This could be because ofthat the controller is a trade secret and needs to be keptprivately while outsourcing the computational aspects tothe cloud services. Algorithm 2 describes the procedurethat the sensors, the controller (on the cloud), and theactuators must follow to ensure the controller parametersare protected.

Theorem 2. Let K ∈ Rpu×py be such that A + BKCis Schur. Assume that the conditions in (3) hold. Thenlimk→∞ dist(x[k],B(2−m2ξ)) = 0, where ξ > 0 is a con-stant, if the controller is calculated by Algorithm 2.

Proof. The proof is similar to the that of Theorem 1.

4. Laplacian based distributed systems

Consider a network comprised of J nodes. The inter-connection of these nodes can be captured by a directedgraph G = (V, E) with i ∈ V = 1, . . . , J and E beingthe vertex set and the set of directed edges, respectively,where the directed edge (i, j) ∈ E if the dynamics of nodej depends on node i. We call a graph G strongly connectedif it is possible to reach any i ∈ V starting from any j ∈ Vby traversing edges in their direction(s). We have the fol-lowing standing assumption.

Assumption 2. The graph G is strongly connected.

The dynamics of each node V of a vast majority of suchnetworks (see, e.g., [19–22]) is of the following form

xi[k + 1] = Aixi[k] + τ (vi[k] + ui[k]) (4)

vi[k] = −∑j∈Ni

vji[k] (5)

vji[k] = wji[k] (xj [k]− xi[k]) (6)

where xi[k] ∈ Rpxi denotes the state of system i, u[k] ∈Rpui denotes the control input of node i, Ni = j|(j, i) ∈E, wji[k] ∈ (0, wmax], ∀i, j ∈ V and k ≥ 0 with wmax

being a bounded positive real number, and τ is some ap-propriately selected sampling time.

Remark 4. Assumption 2 is sufficient for the guarantee-ing the convergence of the systems whose dynamics areof the type described by (4)-(6). This assumption is pre-sented for the sake of simplicity of the exposition and canbe relaxed to include the cases where the network is time-varying. However, this will have no impact on the discus-sion presented next.

Note that while i in principle does not require the statesof all its neighbours explicitly to evaluate (5), in practicethese values are revealed, i.e., only the difference of thestates is required to evaluate the control law rather thanabsolute state measurements. This poses a security riskdue to the fact that if node i is compromised by an ad-versary, the states of all its neighbours are revealed to theadversary as well. In what follows, a mechanism to remedythis security vulnerability is described. First, we assumethat each j ∈ Ni has access to Ni, i.e. the public key ofnode i. At each time step k, i transmits Ei(x

−i [k]; rij [k])

to j ∈ Ni where x−i [k] = fn+2m,0(−2mxi[k]), xi[k] is theprojection of xi[k] onto Q(n,m), and random rij [k] ∈ Z?Ni

.Agent j in turn picks a random wji[k] ∈ (0, wmax] and com-putes wji[k], i.e. the projection of wji[k] onto Q(n,m). Itthen transmits eij [k]wji[k] modN2

i back to i, where

eij [k] = Ei(x−i [k]; rij [k])Ei(x

+j [k]; ρji[k]) modN2

i , (7)

with random ρji[k] ∈ Z?Ni, x+

j [k] = fn+2m,0(2mxj [k]),wji[k] = fn+2m,0(2mwji[k]), and xj [k] being the projec-tion of xj [k] onto Q(n,m). Agent i decrypts this message

6

and obtains vji[k] after dividing the decrypted value by22m without explicitly knowing x+

j (or in fact xj [k]). Insummary, the secure implementation of (4)-(6) is as thefollowing:

xi[k + 1] = Aixi[k] + τ (vi[k] + ui[k]) (8)


vji[k] (9)

vji[k] = Di(eij [k]wji[k] modN2i )/22m, ∀j ∈ Ni, (10)

where Di(c) = Li(cλi modN2

i )µi modNi, Li(d) = (d −1)/Ni, and (λi, µi) are the private keys of node i, andeij [k] is given in (7). In this new setup, if node i is com-promised only a scaled difference between the state of iand its neighbours is immediately revealed to the adver-sary. We conclude this section by stating a few results forthe case where node i is compromised by an adversary.Consequently, we assume that the adversarial node knows(λi, µi), xi[k], and vji[k]. Note that is due to the fact thatthe adversary is able to carry out the decryption step of(10). For the ease of exposition in what follows we makethe following standing assumption.

Assumption 3. The states xj [k], j ∈ 1, . . . , J arescalar.

The adversary node then needs to find all the solutions tothe following equation to be able to estimate the projectionof xj [k] onto Q(n,m);

w(x− xi[k]) = vji[k]. (11)

where w, x ∈ Q(n,m). From [23] we know that (11) isNP-complete and the complexity bound5 for finding all itssolutions is equal to Θ

(22n). However, one can make a

stronger statement regarding the complexity of finding atleast one pair (x,w) that satisfies (11). To this aim, oneneeds to cast (11) as integer linear equations.

Before continuing any further we define the followingsets:

Ω+ji = (ϕ, ϑ)|ϕ− α+

i ϑ = βji,

ϕ ∈ Z22n−1−2n , ϑ ∈ Z2n−1−1 (12)

where α+i = (xi[k] + 2n−m)2m, βji = 22mvji[k], and

Ω−ji = (ϕ, ϑ)|ϕ+ α+i ϑ = −βji,

ϕ ∈ Z22n−1−2n , ϑ ∈ Z2n−1−1 (13)

where α−i = (xi[k]−2n−m)2m. Moreover, define χji as theset of all solution pairs (x,w) of (11) with x,w ∈ Q(n,m).We have the following result.

5For positive functions x(n) and y(n) of integer number n wewrite x(n) = Θ(y(n)) if there exist c, c′ > 0 such that large enoughn, cy(n) ≤ x(n) ≤ c′y(n). For more details on Θ(·) the reader mayconsult [23, Chapter 8].

Proposition 9. The following statements are true.

1. For any (x,w) ∈ χji there is a unique (ϕ, ϑ) ∈ Ω+ji

such that ϕ = w(x + 2n−m)22m and ϑ = 2mw.Similarly for any (ϕ, ϑ) ∈ Ω+

ji there exists a unique

(x,w) ∈ χji such that w = 2−mϑ and x = 2−mϑ−1ϕ−2n−m.

2. For any (x,w) ∈ χji there is a unique (ϕ, ϑ) ∈Ω−ji such that ϕ = −w(x − 2n−m)22m and ϑ =

2mw. Similarly for any (ϕ, ϑ) ∈ Ω+ji there exists

a unique (x,w) ∈ χji such that w = 2−mϑ andx = −2−mϑ−1ϕ+ 2n−m.

3. |χji| = |Ω+ji| = |Ω

−ji| where | · | denotes the cardinality

of its argument.

Proof. See Appendix J.

The following proposition introduces potentially smallersubsets of Ω+

ji and Ω−ji that contain at least one of thesolutions to (12) or (13).

Proposition 10. The following statements are true.

1. If Ω+ji 6= ∅ then there exists at least one pair (ϕ, ϑ) ∈

Ω+ji such that (ϕ, ϑ) ∈ Φ+

ji where

Φ+ji = (ϕ, ϑ)|ϕ− α+

i ϑ = βji,

ϕ ∈ Zmin(22n−1−2n,γ+ji),

ϑ ∈ Zmin(2n−1−1,γ+ji), (14)

γ+ji = 2η5

i+(1 + |βji|), and ηi+ = max(1, |α+i |).

2. If Ω−ji 6= ∅ then there exists at least one pair (ϕ, ϑ) ∈Ω−ji such that (ϕ, ϑ) ∈ Φ−ji where

Φ−ji = (ϕ, ϑ)|ϕ+ α−i ϑ = −βji,ϕ ∈ Zmin(22n−1−2n,γ−ji)

,

ϑ ∈ Zmin(2n−1−1,γ−ji), (15)

γ−ji = 2η5i−(1 + |βji|), and ηi− = max(1, |α−i |).

Proof. The proof is a consequence of applying Theorem13.4 of [23] to (12) and (13).

Remark 5. Note that there is no guarantees that the fea-sible solution pairs that belong to Φ+

ji and Φ−ji correspondto the real values of xj [k] and wji[k]. But in the absence ofany other known bounds on the solution of the integer lin-ear programs of the type described above, in what follows,we limit our discussion to these solutions.

In the absence of any other information (and if P 6=NP), the computational complexity of finding the so-lutions promised in Proposition 10 is equal to γji =Θ(min

(ψ+ji, ψ

−ji, 2

2n))

where

ψ+ji = min(2n−1 − 1, γ+

ji) min(22n−1 − 2n, γ+ji),

7

and

ψ−ji = min(2n−1 − 1, γ−ji) min(22n−1 − 2n, γ−ji).

However, in the case where xi[k] −2n−m−1, γji =

Θ(

min((γ−ji)2, 22n

))or if xi[k] 2n−m−1 − 2−m then

γji = Θ(

min((γ+ji

)2, 22n

)). These observations lead to

the following result.

Proposition 11. If node i is hacked by an adversary,then the computational complexity of the problem of find-ing one pair of feasible solutions of (11) is equal toΘ(min

(4(1 + |βji|)2, 22n

))if xi[k] = −2n−m−1 or xi[k] =

2n−m−1 − 2−m.

Proof. Let xi[k] = −2n−m−1 (as the case where xi[k] =2n−m−1 − 2−m is identical). Then α+

i = 0, ψ+ji =

2(1 + |βji|), and consequently from Proposition 10 γji =Θ(min

(4(1 + |βji|)2, 22n

)).

Proposition 11 states the relative ease of finding at leastone pair of feasible solutions of (11) if the hacked node hasa state close to the boundaries of Q(m,n). From a controldesign perspective then it is necessary to ensure that n ischosen in such a way that xi[k] does not take any valueclose to the extrema of Q(n,m), i.e.−2n−m or 2n−m−2−m.For instance if n is selected in a way that |xi[k]| ≤ κ forκ ∈ Q(n,m) and k ≥ 0 then with similar arguments tothose in the proof of Proposition 11 it can be seen thatthe smallest computational complexity of finding a pair ofsolutions of (11) becomes γji = Θ

(min

(ψ+ji, 2

2n))

, where

γ+ji = 2

(2m(2n−m−1 − κ)

)5(1 + |βji|)). Selecting n in a

way that κ 2n−m−1 renders the computational com-plexity of finding one pair of feasible solutions equal tothat of finding all the solutions of (11), i.e. γji = Θ

(22n).

5. Experiment and numerical example

In this section, first, the application of Algorithm 1 tonavigate a differential wheeled robot to a desired desti-nation is demonstrated. The robot is a low-cost platformnamed GoPiGo developed by Dexter Industries. The com-putations are done locally on a Raspberry Pi 2 that isconnected to the robot. The position of the centre of massof the robot is measured using an OptiTrak camera sys-tem; see Figure 3. The speed references for each of thewheels are provided such that the robot travels with de-sired linear and angular velocities. Particularly, one canapply appropriate inputs to the wheels to choose betweentwo modes of operations; (1) turn on the spot, (2) moveon a direct line along the robot’s heading direction, see[24, Chapter 13] for more information on the equations ofmotion for a differential wheeled robot. Let x = [x1, x2]>

and θ ∈ [−π, π] denote the position and the heading ofthe vehicle, respectively and τ is the sampling time. Inthis experiment sampling time is set to be equal to 0.1s.

Figure 3: The experimental setup.

Moreover, v and ω are the linear and the angular velocitiesof the vehicle such that |v| ≤ vmax and |ω| ≤ ωmax withvmax and ωmax being the maximum values for the linearand angular speeds. The desired destination is assumedto be xd = [0.9, 0.9]> and is provided by an external con-troller. It is assumed that x and xd need to be encryptedwith p and q being random prime numbers in [263, 264].Moreover, n = 10 and m = 5. For security purposes,the reference planner and the sensor encrypt their mes-sages and the external controller calculates and transmits∆[k] = E(fn+2m,0(2mK(xd − x[k])); r) (based on the en-crypted data using Algorithm 1) to the robot at each stepk where K is a random integer unknown to the robot. Itis ensured that ωmax ≥ 2π/τ and vmax ≥ K(xd − x[0]).Under the aforementioned modes of operation where forthe first half of the sampling time the robot turns on thespot and for the second half it travels along its heading,and in the light of this assumption the dynamics of therobot can be written as

x[k + 1] = x[k] +τ

2ν[k] (16)

θ[k + 1] = θ[k] +τ

2ωd[k] (17)

where ν[k] = D(∆[k]) and ωd[k] is the smallest signed an-gle between θ[k] and θd[k] = tan−1

2 (ν[k]) with tan−12 (·)

being the two argument inverse tangent of its vector argu-ment. The trajectory of the centre of mass of the robot isdepicted in Figure 4. A video of the experiment can alsobe accessed on YouTube6. Table 1 shows the computa-tional time required for encryption, computing the controllaw (using the encrypted measurements), and decryptingthe control signal for various key lengths (in bits). Asexpected the computational time increases with the keylength; however, it is possible to perform all the requiredtasks if the key length is smaller than or equal 256 bitswithin 0.1 sec sampling time. For larger key lengths, sam-pling time should be increased, e.g., the sampling timeshould be increased to 0.25 sec if the key length is 512 bits.

Next, we consider the case where J = 10 mobile agentsover a connected graph with dynamics

xi[k + 1] = xi[k] + τvi[k]


vji[k]

6https://youtu.be/7M17R5bcv4o

8

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.0

x (m), τ= 0. 1s

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1.0

y(m

)

Initial Position

Final Position

Figure 4: The trajectory of the centre of mass of the robot. Theexperiment is assumed to be complete when ‖x[k]− xd‖ ≤ 0.05.

Table 1: The computational time of various parts of the algorithm.

Key length (bits) 64 128 256 512

Encryption (ms) 0.897 2.877 15.568 103.333Controller (ms) 0.951 2.934 15.800 108.921Decryption (ms) 0.318 0.976 5.408 36.537

where vji[k] is obtained from decrypting the encrypted ver-sion of wji[k] (xj [k]− xi[k] + uj − ui) similar to the mech-anism outlined in Section 4 where ui, i ∈ 1, . . . , J deter-mine the shape of the formation that the agents acquire.Each agent i does not have access to xj [k] and uj , j ∈ Ni inthis simulation. In this simulation, similar to the previouscase, the private keys are selected from [263, 264], n = 10,m = 5, τ = 0.1, and wmax = 3. The trajectories of theagents are depicted in Figure 5.

6. Conclusions

In this paper, networked control systems with encryptedsensors measurements were considered. The sensors usethe Paillier encryption, which is a semi-homomorphic en-cryption, so that the controller can perform the requiredcomputation on the encrypted data. The parameters ofthe encryption technique were constructed to guaranteethe stability of the closed-loop system and to ensure cer-tain bounds on the closed-loop performance. This providesstrong privacy and security guarantees for the closed-loopsystem at the cost of extra computations (thus increasingthe consumption of resources, such as energy and time).Future research questions may include implementing dy-namic feedback controllers and taking advantage of hard-ware acceleration for faster computation of the compo-nents of Algorithm 1 and Algorithm 2. One of the dif-ficulties of the dynamic controller is that the number ofthe fractional bits in the state of the dynamic controller,

8 6 4 2 0 2 4 6 8 10

x, τ= 0. 1s

10

5

0

5

10

y

Figure 5: The trajectories of the agents converging to a formationshape under semi-homomorphic encryption information passing.

which is encrypted, grows larger with time (due to pres-ence of multiplications of rational numbers). Therefore,the encrypted implementation of the dynamic controllercan only run for a short planning horizon. Computation-ally friendly methods should be developed to address thisdifficulty.

References

[1] F. Farokhi, I. Shames, and N. Batterham, “Secure and pri-vate cloud-based control using semi-homomorphic encryption,”in Proceedings of the 6th IFAC Workshop on Distributed Esti-mation and Control in Networked Systems (NecSys), 2016.

[2] S. Amin, G. A. Schwartz, A. A. Cardenas, and S. S. Sastry,“Game-theoretic models of electricity theft detection in smartutility networks: Providing new capabilities with advanced me-tering infrastructure,” IEEE Control Systems, vol. 35, no. 1,pp. 66–81, 2015.

[3] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson,“Secure control systems: A quantitative risk management ap-proach,” Control Systems, IEEE, vol. 35, no. 1, pp. 24–45, 2015.

[4] L. Yang, X. Chen, J. Zhang, and H. V. Poor, “Cost-effectiveand privacy-preserving energy management for smart meters,”Smart Grid, IEEE Transactions on, vol. 6, no. 1, pp. 486–495,2015.

[5] Y. Mo and B. Sinopoli, “Secure control against replay attacks,”in Procceedings of the 47th Annual Allerton Conference onCommunication, Control, and Computing, pp. 911–918, 2009.

[6] P. Paillier, “Public-key cryptosystems based on composite de-gree residuosity classes,” in Advances in Cryptology — EURO-CRYPT ’99: International Conference on the Theory and Ap-plication of Cryptographic Techniques Prague, Czech Republic,May 2–6, 1999 Proceedings (J. Stern, ed.), pp. 223–238, Berlin,Heidelberg: Springer Berlin Heidelberg, 1999.

[7] T. ElGamal, “A public key cryptosystem and a signaturescheme based on discrete logarithms,” IEEE Transactions onInformation Theory, vol. 31, no. 4, pp. 469–472, 1985.

[8] C. Gentry, “Fully homomorphic encryption using ideal lattices,”in Proceedings of the 41st Annual ACM Symposium on Theoryof Computing, STOC ’09, pp. 169–178, 2009.

[9] A. Lopez-Alt, E. Tromer, and V. Vaikuntanathan, “On-the-flymultiparty computation on the cloud via multikey fully homo-morphic encryption,” in Proceedings of the 44th annual ACMSymposium on Theory of Computing, pp. 1219–1234, 2012.

9

[10] M. Brenner, J. Wiebelitz, G. Von Voigt, and M. Smith, “Secretprogram execution in the cloud applying homomorphic encryp-tion,” in Proceedings of the 5th IEEE International Conferenceon Digital Ecosystems and Technologies Conference, pp. 114–119, 2011.

[11] K. Ren, C. Wang, and Q. Wang, “Security challenges for thepublic cloud,” IEEE Internet Computing, no. 1, pp. 69–73,2012.

[12] F. Kerschbaum, “Outsourced private set intersection using ho-momorphic encryption,” in Proceedings of the 7th ACM Sympo-sium on Information, Computer and Communications Security,pp. 85–86, 2012.

[13] K. Kogiso and T. Fujita, “Cyber-security enhancement of net-worked control systems using homomorphic encryption,” in Pro-ceedings of the 54th Annual Conference on Decision and Con-trol, pp. 6836–6843, 2015.

[14] S.-H. Wang and E. J. Davison, “On the stabilization of decen-tralized control systems,” Automatic Control, IEEE Transac-tions on, vol. 18, no. 5, pp. 473–478, 1973.

[15] B. D. Anderson and D. J. Clements, “Algebraic characterizationof fixed modes in decentralized control,” Automatica, vol. 17,no. 5, pp. 703–712, 1981.

[16] D. Serre, Matrices: Theory and Applications. Graduate Textsin Mathematics, Springer New York, 2010.

[17] O. Goldreich, Computational Complexity: A Conceptual Per-spective. Cambridge University Press, 2008.

[18] R. Ostrovsky and E. W. Skeith, “Private searching on streamingdata,” Journal of Cryptology, vol. 20, no. 4, pp. 397–430, 2007.

[19] J. A. Fax and R. M. Murray, “Information flow and cooperativecontrol of vehicle formations,” IEEE transactions on automaticcontrol, vol. 49, no. 9, pp. 1465–1476, 2004.

[20] A. Jadbabaie, J. Lin, and A. S. Morse, “Coordination ofgroups of mobile autonomous agents using nearest neighborrules,” IEEE Transactions on automatic control, vol. 48, no. 6,pp. 988–1001, 2003.

[21] L. Xiao and S. Boyd, “Fast linear iterations for distributed av-eraging,” Systems & Control Letters, vol. 53, no. 1, pp. 65–78,2004.

[22] W. Ren and R. Beard, “Decentralized scheme for spacecraftformation flying via the virtual structure approach,” Journal ofGuidance, Control, and Dynamics, vol. 27, no. 1, pp. 73–82,2004.

[23] C. H. Papadimitriou and K. Steiglitz, Combinatorial optimiza-tion: algorithms and complexity. Dover Publications, 1998.

[24] S. M. LaValle, Planning algorithms. Cambridge universitypress, 2006.

[25] J. P. Hespanha, Linear Systems Theory. Princeton UniversityPress, 2009.

Appendix A. Proof of Proposition 1

Since the proofs of parts (1) and (2) are very similar,the proof of part (1) is only presented. First, note that

f−1n,m(fn,m(b))

= f−1n,m(2mbmod 2n)

= f−1n,m

((− bn2n−1 +

n−1∑i=1

2i−1bi

)mod 2n

),

where bi ∈ 0, 1 for all i ∈ 1, . . . , n are selected so

that b = −bn2n−m−1 +∑n−1i=1 2i−m−1bi. For b ≥ 0, the

expression for f−1n,m(fn,m(b)) can be further simplified to

f−1n,m(fn,m(b)) = f−1

n,m

(( n−1∑i=1

2i−1bi

)mod 2n

)

=

( n−1∑i=1

2i−1bi

)/2m

= b.

A similar argument leads to that f−1(f(b)) = b if b < 0.

Appendix B. Proof of Proposition 2

Note that

(f(b)+f(b′)) mod 2n=(2mbmod 2n+2mb′mod 2n) mod 2n

=2m(b+ b′) mod 2n

=f(b+ b′).

For any b ∈ Q(n,m), there exists (bi)ni=1 ∈ 0, 1n such

that b = −bn2n−m−1 +∑n−1i=1 2i−m−1bi. Therefore,

f(−b) = (−2mb) mod 2n

=

(−∑n−1i=1 2i−1bi

)mod 2n, b ≥ 0,(

2n−1 −∑n−1i=1 2i−1bi

)mod 2n, b < 0,

=

2n −

∑n−1i=1 2i−1bi, b ≥ 0,

2n−1 −∑n−1i=1 2i−1bi, b < 0,

=

2n − a, b ≥ 0,

2n −(

2n−1 +∑n−1i=1 2i−1bi

), b < 0,

= 2n − a,

where a = f(b). For the product operation, the proofneeds to be separated into multiple cases:

• Case 1 (b, b′ ≥ 0): Let a, a′ ∈ Z2n and b, b′ ∈ Q(n,m)be such that a = f(b) and a′ = f(b′). In this case, itcan be proved that

f(bb′) = f(f−1(a)f−1(a′))

= f((a− 2n1a≥2n−1)(a′ − 2n1a′≥2n−1)/22m)

= f(aa′/22m)

= (aa′/2m) mod 2n.

• Case 2 (b ≥ 0 and b′ < 0): Note that

f(bb′) = f((a− 2n1a≥2n−1)(a′ − 2n1a′≥2n−1)/22m)

= f(a(a′ − 2n)/22m)

= (a(a′ − 2n)/2m) mod 2n.

10

• Case 3 (b, b′ < 0): It can be shown that

f(bb′) = f((a− 2n1a≥2n−1)(a′ − 2n1a′≥2n−1)/22m)

= f((a− 2n)(a′ − 2n)/22m)

= ((a− 2n)(a′ − 2n)/2m) mod 2n.

This concludes the proof.

Appendix C. Proof of Proposition 3

The proof of part (1) directly follows from the applica-tion of Proposition 2. For part (2), the following two casesmay occur:

• Case 1 (a < 2n−1): In this case, by definition, an⊗ma′ =

(aa′/2m) mod 2n.

• Case 2 (a ≥ 2n−1): Note that

an⊗ma′ = ((a− 2n)a′/2m) mod 2n

= (aa′/2m − 2n(a′/2m)) mod 2n

= (aa′/2m) mod 2n,

where the last equality follows from that a′/2m ∈ Z.


Appendix D. Proof of Proposition 4

First, construct b = 2mb and b′ = 2mb′. Since b, b′ ∈Q(n,m), it can be deduced that b, b′ ∈ Q(n+m, 0) ⊆ Q(n+2m, 0). Let a = fn,m(b), a′ = fn,m(b′), a = fn+2m,0(b),and a′ = fn+2m,0(b′). Now, Corollary 1 can be used to

show that fn+2m,0(bb′) = an+2m⊗0

a′ since bb′ ∈ Q(n +

2m, 0) following the observation that bb′ = 22mbb′ withbb′ ∈ Q(n,m). Therefore, fn,m(bb′) = fn,m(bb′/22m) =

fn,m(f−1n+m,0(a

n⊗0a′)/22m).

Appendix E. Proof of Proposition 5

Notice that

E(t; r)E(t′; r′) modN2

= (N + 1)t+t′(rr′)N modN2

= E(t+ t′; rr′), ∀r, r′ ∈ Z∗N ,∀t, t′ ∈ ZN ,

and

E(t; r)t′modN2 = (N + 1)t

′trt′N modN2

= E(t′t; rt′), ∀r ∈ Z∗N ,∀t, t′ ∈ ZN .


Appendix F. Proof of Proposition 6

The proof of part (1) follows from

(E(a; r)a′modN2)θmodN2=E((aa′) modN ; ra

′)θ modN2

=E((aa′θ) modN ; ra′θ)

=E((aa′/2m) modN ; ra′θ)

=E(aa′/2m; ra′θ)

=E(an⊗ma′; ra

′θ).

The proof of the rest of the parts follows from the appli-cation Propositions 5 and 3.

Appendix G. Proof of Proposition 7

If n1 and m1 are selected such that 2n1−m1−1 >maxi,j |Kij | and 2−m1 ≤ ε(K)/

√pupy, then

‖K − K‖F =

√∑i,j

(Kij − Kij)22

≤√∑

i,j

2−2m1

≤√∑

i,j

ε(K)2/(pupy)

= ε(K).


Appendix H. Proof of Proposition 8

The stability of the closed-loop system implies thatthere exists a Lyapunov function of the form x>Px withpositive-definite P for which (A+BKC)>P (A+BKC)−P = −Q < 0 [25, p. 71]. Let e[k] = y[k] − y[k]. As-sume that |ei[k]| ≤ 2−m2 for all k. First, we prove thatX := x ∈ Rpx |x>Px ≤ ζ for an appropriately selectedζ is an invariant set. To do so, notice that

x[k + 1]>Px[k + 1]− x[k]>Px[k]

=x[k]>((A+BKC)>P (A+BKC)− P )x[k]

+ 2x[k]>(A+BKC)>PBKe[k]

+ e[k]>(BK)>PBKe[k]

≤− x[k]>Qx[k] + c12−m2 + c22−2m2 (H.1)

≤− x[k]>Qx[k] + (c1 + c2)2−m2 , (H.2)

where

c1 = 2√ζ/λmin(P )

∑i,j

|Wij |,

c2 = pyλmax(K>B>PBK)

11

with W = (A + BKC)>PBK. The inequality in (H.1)follows from that

2x[k]>(A+BKC)>PBKe[k]

≤2|x[k]>We[k]|

≤2∑i,j

|xi[k]||Wij ||ej [k]|

≤(

2√ζ/λmin(P )

∑i,j

|Wij |)

2−m2 .

In what follows, we select ζ so that X becomes an invari-ant set since both Q and P are positive-definite matrices.First, for all x[k], we get that

x[k]>Qx[k] ≥ λmin(Q)x[k]>x[k]

≥ λmin(Q)/λmax(P )x[k]>Px[k].

To prove that X is invariant, we need to show that if x[k] ∈X then x[k + 1] ∈ X . Assume that x[k] ∈ X . We provethat also x[k + 1] ∈ X .

Case 1: Let λmin(Q) ≤ λmax(P ); we will prove the othercase later. Therefore, we get

x[k + 1]>Px[k + 1] ≤(

1− λmin(Q)

λmax(P )

)x[k]>Px[k]

+ (c1 + c2)2−m2

≤(

1− λmin(Q)

λmax(P )

)ζ + (c1 + c2)2−m2

Note that x[k + 1] ∈ X if x[k + 1]>Px[k + 1] ≤ ζ, whichcan be ensure by selecting ζ such that(

1− λmin(Q)

λmax(P )

)ζ + (c1 + c2)2−m2 ≤ ζ.

This inequality is equivalent to that

λmin(Q)

λmax(P )ζ −

21−m2∑i,j |Wij |√

λmin(P )

√ζ − c22−m2 ≥ 0.

Due to the structure of the left-hand side of this inequal-ity (being a second order polynomial in

√ζ with a posi-

tive leading coefficient), there exists ς (the largest root ofthe aforementioned polynomial) such that the inequalityis satisfied if ζ ≥ max(0, ς)2.

Case 2: Now, let λmin(Q) > λmax(P ). Therefore, we get

x[k + 1]>Px[k + 1] ≤ (c1 + c2)2−m2 .

To ensure that x[k + 1] ∈ X , we can select ζ such that

(c1 + c2)2−m2 ≤ ζ.

This inequality is equivalent to that

ζ −21−m2

∑i,j |Wij |√

λmin(P )

√ζ − c22−m2 ≥ 0.

Following the same line of reasoning, we can show thatthere exists ς (the largest root of the second order polyno-mial in

√ζ in the left hand side of inequality) such that

the inequality is satisfied if ζ ≥ max(0, ς)2.This proves that X is an invariant set if ζ ≥ max(0, ς)2.

Now, the constant M(x0) can be chosen such as M(x0) =maxx∈X max1≤i≤py |Cix|, where Ci denotes the i-th row ofmatrix C. Finally, if n2 is selected such that 2n2−m2−1 >M(x0), it can be ensured that |ei[k]| ≤ 2−m2 . This con-cludes the proof.

Appendix I. Proof of Theorem 1

First, we show that the set X ′ := x ∈ Rpx |x>Px ≤(c1 + c2)2−m(λmin(P )/λmin(Q) + 1) is an invariant set.To do so, we prove that if x[k] ∈ X ′, then x[k + 1] ∈ X ′.One of the following two cases occur.

Case 1: Assume that x[k] ∈ X ′ and x[k]>Px[k] ≥ (c1 +c2)2−mλmin(P )/λmin(Q). In this case, x[k + 1]>Px[k +1]− x[k]>Px[k] < 0 because

x[k + 1]>Px[k + 1]− x[k]>Px[k]

≤ −λmin(Q)x[k]>x[k] + (c1 + c2)2−m

≤ −(λmin(Q)/λmin(P ))x[k]>Px[k] + (c1 + c2)2−m

with the controller u[k] = Kyi[k]. Hence, x[k + 1] ∈ X ′.Case 2: Assume that x[k] ∈ X ′ and x[k]>Px[k] ≤ (c1 +

c2)2−mλmin(P )/λmin(Q). In this case, x[k+1]>Px[k+1]−x[k]>Px[k] is not necessarily negative and, thus, the valueof the Lyapunov function might increase. The increase ishowever bounded as x[k + 1]>Px[k + 1] − x[k]>Px[k] ≤(c1 + c2)2−m. Therefore, x[k + 1]>Px[k + 1] ≤ (c1 +c2)2−m(λmin(P )/λmin(Q)+1), where the inequality followsfrom that x[k]>Px[k] ≤ (c1 + c2)2−mλmin(P )/λmin(Q).

Now, we need to prove that the set X ′ is an attractiveset. This follows from that

x[k + 1]>Px[k + 1]− x[k]>Px[k]

≤ −(λmin(Q)/λmin(P ))x[k]>Px[k] + (c1 + c2)2−m

≤ 0,

where the second inequality is because x[k]>Px[k] ≥ (c1 +c2)2−mλmin(P )/λmin(Q) if x[k] /∈ X ′.

Note that, evidently, if all the trajectories of thesystem converge to X ′, they also converge to B((c1 +c2)2−m(1/λmin(Q) + 1/λmin(P )))

To be able to use the results of Proposition 3, 5, and 6,the outcome of all the summations and the multiplicationsshould not over flow or under flow from the set Q(n,m).Therefore, n ≥ py + n1 + n2 and m ≥ m1 + m2 must beselected to ensure this property. These numbers are calcu-lated based on the worst-case scenarios (very large or verysmall numbers are multiplied and summed). The rest ofthe proof follows from the application of Propositions 3, 5,and 6.

12

Appendix J. Proof of Proposition 9

Observe χji = (x,w)|wx − wxi[k] = vji[k], x, w ∈Q(n,m). It can be seen that one obtains |Ω+

ji| via the

change of variables ϕ = w(x + 2n−m)22m and ϑ = 2mwand letting α+

i = (xi[k] + 2n−m)2m and βji = 22mvji[k].Noting that the aforementioned change of variables areequivalent to w = 2−mϑ and x = 2−mϑ−1ϕ − 2n−m com-pletes the proof for the first statement. The second state-ment can be established in a similar fashion as well. Thethird statement is a direct consequence of the first and thesecond statements.

13

Documents

Secure and Private Control Using Semi ... - WordPress.com · Secure and Private Control Using Semi-Homomorphic Encryption I,II Farhad Farokhi a, Iman Shames , Nathan Batterham aDepartment