December 18 Fri., 2015, 13:30-13:50, Regular Session: Networked Control Systems 2, Frb09.1 @ 1003

Cyber-‐‑‒Security  Enhancements  of  Networked  Control  Systems  Using  

Homomorphic  Encryption

Kiminao KogisoUniversity of Electro-Communications

Tokyo, Japan

Takahiro FujitaYokogawa Denshikiki Co., Ltd.

The 54 Conference on Decision and ControlOsaka International Convention Center, Osaka, Japan

December 15 to 18, 2015

Outline

2

Introduction  Problem  Statement  Controller  Encryption  Simulation  &  Validation  Conclusion

Introduction

3

Controller device is important, but exposed to threats of hacking and targeted attacks. signals: modeling, stealing recipe, management policy and know-how parameters: knowledges about system designs and operations

Attacks on networked control system

plantcontrollerref. (recipe)

control signals

feedback signalsparameters

[1] Sandberg et al., 2015. [2] Sato et al., 2015. [3] Pang et al., 2011

Related works aiming to conceal the signals control-theoretical approach: detection[1], positive use of noises[2] cryptography-based approach: encryption of communication links[3]

no studies considering encryption of the controller or its inside…

control (cipher)

feedback(cipher)

EncDec

Enc Decplantcontroller

ref. ref.

(cipher)Enc Dec

Introduction

4

Objective of this workRealize a cryptography-based control law to conceal both the signals & parameters.

control (cipher)

feedback(cipher)

EncDec

Enc Decplantcontroller

ref. ref.

(cipher)Enc Dec

conventional:

control (cipher)

feedback(cipher)

Enc

Decplantencrypted

controller

ref. ref.

(cipher)Enc

parameters (cipher)

proposed:

Concept of encrypted controller: calculates an encrypted control directly from an encrypted feedback signal & an encrypted reference using encrypted parameters,

is achieved by incorporating homomorphic encryption scheme into the control law.

Problem Statement

5

Encryption of linear controllerConsider a linear controller: f

Controller Encryption Problem:

Given an encryption scheme , for a control law realize an encrypted law .fE fE

Define an encrypted control law , given an encryption scheme , satisfyingfE E

x[k + 1]u[k]

�=

A B

C D

� x[k]y[k]

�:= �⇠[k] := f(�, ⇠[k])

: parameter matrix

: plant output

: control inputuy

�

5

control (cipher)

feedback(cipher)

Enc

Decplant

parameters (cipher)

Enc(y)

Enc(u) u

yEnc(�)

fE(Enc(�),Enc(⇠))

fE(Enc(�),Enc(⇠)) = Enc(f(�, ⇠))

RSA encryption[4,5] (deterministic) & ElGamal encryption[6] (stochastic) ElGamal encryption scheme[4]

key generation: public , and private (random)

encryption:

decryption:

Controller Encryption 1/3

6[4] Rivest, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystem”, 1978. [5] Rivest, “On Data Banks and Privacy Homomorphisms”, 1978.

Homomorphic encryption schemes

RSA: Rivest-Shamir-Adelman

Dec(c1, c2) = c2 ⇥ c�s1 mod p

g, p, s 2 N(g, p) s

r 2 N :  randomEnc(m) = (gr mod p, m⇥ gsr mod p)= c1 = c2 m : integer in plaintext space

: integer in ciphertext spacec1, c2

Homomorphism definition

Enc(m1 •m2) = Enc(m1) ⇤ Enc(m2)

in the case of ElGamal· : multiplication ⇤ : modulo operation

plaintext  spaceciphertext  space

m1

m2

⇥

⇥⇥

m2•m1

⇥

⇥⇥

Enc(m1)

Enc(m2)

N N2

Enc

Enc

Enc

Controller Encryption 2/3

7

Idea for controller encryptionDivide the linear operation to apply the homomorphism.

f = f+ � f⇥

f⇥(�, ⇠) =⇥�1⇠1 �2⇠2 · · ·�L⇠L

⇤=:

←  executed  after  the  decryption

←  executed  in  the  controller  device

modification of the decryption process to update the decryption algorithm with “Dec+”.

Dec+

Configuration using ElGamal encryption scheme

signals (cipher)

feedback(cipher)

Enc

Decplant

parameters (cipher)

Enc(�)

Enc( )f+

f⇥

Enc(⇠)

x[k + 1]

u[k]

⇠

fE(Enc(�),Enc(⇠))

f+( ) =LX

l=1

l

with and sufficient large, rounding (quantization) error can be made small.a

encrypted controller

u[k]

y[k]Enc

Enc(KpM)

Enc(yM[k])

Enc(uM[k])a�2

yM[k]

uM[k]

ba•eplant

Dec+

n

Controller Encryption 3/3

8

a 2 Nb•e : round function

KpM = ba⇥KpeyM[k] = ba⇥ y[k]euM[k] = KpMyM[k]

Kp

y[k]

u[k] = Kpy[k]

example: , then .Kp = 0.83, a = 1000 KpM = b1000⇥ 0.83e = 830

RemarksSignals & parameters are real; Plaintext is integer. need a map: multiplying by a natural number and rounding off to an integer, i.e.,

Simulation: Controller Encryption

9

(key length 25bit)

Things seen in controller

encrypted controller

normal:

proposed:

u[k]

y[k]

controller

n = 67108913 g = 3

Enc(�)

�

� =

2

41 0.0063 00 0.3678 0.006310 �99.90 3

3

5

=

Enc(x[k])Enc(y[k])

�Enc(⇠[k])

Enc( [k])

0 1 2 3 4 5

-3

-2

-1

0

1

0 1 2 3 4 5-0.5

0

0.5

1

1.5

time [s] time [s]

control output

0 1 2 3 4 5time [s]

01234 × 107

0 1 2 3 4 5time [s]

01234 × 107

0 1 2 3 4 5time [s]

01234 × 107

0 1 2 3 4 5time [s]

01234 × 107

0 1 2 3 4 5time [s]

01234 × 107

0 1 2 3 4 5time [s]

01234 × 107

0 1 2 3 4 50

1

2

3

4 × 107

0 1 2 3 4 50

1

2

3

4 × 107

6 signals related to control

2 signals related to output

0 1 2 3 4 5-0.5

0

0.5

1

1.5

0 1 2 3 4 5

-3

-2

-1

0

1

Enc(�)2 =

2

414170023 24305287 411447224817983 26559389 3337940629922594 31813162 24125985

3

5

Enc(�)1 =

2

416354115 11333831 1242809425939844 22437363 1765074523018684 228286 8037052

3

5

Validation: Protection from Stealing

10

System identification (n4sid)

-150

-100

-50

0

50

10-2 100 102-270-225-180-135-90-450

frequency [rad/s]

gain

[d

B]

phas

e [deg

]

original closed loop systemwithout encryptionwith encryption(RSA)with encryption(ElGamal)

Conclusion

11

Introduction Problem Statement controller encryption problem

Encrypted Controller homomorphism of specific encryption scheme remarks in quantization error

Simulation & Validation enable to conceal signals & parameters inside the controller device in terms of cryptography. enable to hide dynamics of the control system.

Future works incorporate an attack detection method. validate computation cost of encrypted controller.

-150

-100

-50

0

50

10-2 100 102-270-225-180-135-90-450

frequency [rad/s]

gain

[d

B]

phas

e [deg

]

original closed loop systemwithout encryptionwith encryption(RSA)with encryption(ElGamal)

0 1 2 3 4 5time [s]

01234 × 107

0 1 2 3 4 5time [s]

01234 × 107

0 1 2 3 4 5time [s]

01234 × 107

0 1 2 3 4 5time [s]

01234 × 107

0 1 2 3 4 5time [s]

01234 × 107

0 1 2 3 4 5time [s]

01234 × 107

0 1 2 3 4 50

1

2

3

4 × 107

0 1 2 3 4 50

1

2

3

4 × 107