The document discusses the problem of finite operation times for controllers with non-integer coefficients in homomorphically encrypted dynamic systems. It proposes converting non-integer coefficient controllers to integer coefficient controllers through optimization to avoid issues from repeated operations on ciphertexts. Simulation results show the encrypted controller with integer coefficients can operate for an infinite time horizon, unlike previous non-integer approaches.

1. Need for Controllers having Integer Coefficients
in Homomorphically Encrypted Dynamic System
Jung Hee Cheon1, Kyoohyung Han1, Hyuntae Kim2,
Junsoo Kim2, and Hyungbo Shim2
1Department of Mathematical Science, Seoul Nat’l University
2Department of Electrical and Computer Engineering, Seoul Nat’l University
LABORATORY
CONTROL & DYNAMIC SYSTEMS
LABORATORY
CONTROL & DYNAMIC SYSTEMS
@ SNU
CONTROL & DYNAMIC SYSTEMS
December 19, 2018

2. Conventional Control System Protected by Cryptograph
Secret key is kept inside the controller
↓
Increased vulnerability
2 / 17

3. Idea of Decreasing Vulnerability
Can we perform arithmetic operations over the ciphertexts?
Yes, by the “homomorphic encryption” scheme.
3 / 17

4. Cryptosystem (P, C, Encsk, Decsk)
An example of LWE (Learning with Error) Scheme
P: plaintext space Zp, p: integer
C: ciphertext space Zq × ZN
q , q: integer multiple of p
sk: secret key ¯s ∈ ZN
q
¯m = Encsk(m) encrypts/maps m ∈ P into C
1. generate a random vector ¯a ∈ ZN
q
2. generate a random scalar e ∈ Zq s.t. |e| < (q/p)
3. compute b = ¯aT
¯s + q
p m + e
4. Enc¯s(m) returns ¯m = (b, ¯a)
m = Decsk( ¯m) decrypts/maps ¯m ∈ C into P
Dec¯s(b, ¯a) = (b − ¯aT
¯s) ×
p
q
= m
where the rounding · eliminate e
so that
Decsk(Encsk(m)) = m for every m ∈ P
4 / 17

5. Homomorphic Cryptosystem
LWE is one of homomorphic cryptosystems
Homomorphic cryptosystem has the homomorphic property:
Encsk(m1) ∗C Encsk(m2) = Encsk(m1 ∗P m2)
∗P: a binary operation on plaintext space P
∗C: a binary operation on ciphertext space C
Example of addition:
Enc¯s(m1) + Enc¯s(m2)
= (¯aT
1¯s +
q
p
m1 + e1, ¯a1) + (¯aT
2¯s +
q
p
m2 + e2, ¯a2)
= (¯a1 + ¯a2)T
¯s +
q
p
(m1 + m2) + (e1 + e2), ¯a1 + ¯a2
= (¯aT
¯s +
q
p
(m1 + m2) + e, ¯a) = Enc¯s(m1 + m2)
Multiplication in LWE scheme is also possible but complicated.
5 / 17

6. Short History of Homomorphic Encryption (HE)
and its Application to Feedback Control
taken from [Acar et al., ACM Computing Surveys, 2018]
Concept appeared in Rivest et al. (1978).
Partially homomorphic encryption:
Multiplication only: El-Gamal (1985)
→ Kogiso & Fujita (2015, CDC)
Addition only: Paillier (1999)
→ Farokhi, Shames, Batterham (2016, IFAC NecSys)
Fully homomorphic encryption [Gentry 2009]
→ Kim, Lee, Shim, Cheon, Kim, Kim, Song (2016, IFAC NecSys)
6 / 17

7. Application of HE to Feedback Control
is not yet mature, not ready for real-time streaming
data, and there are many issues.
One of the critical issues in all the previous results is that
the arithmetic operations on ciphertexts
for non-integer real number can be done only finite number of times
7 / 17

8. Problem: Multiplication of Non-integer Real Values
1. Non-integer real number can be handled by the
“floating-point” idea (maintaining two variables for
significand=mantissa and exponent),
as done in [Cheon, Kim, Kim, Song, ASIACRYPT 2017]
2. Floating-point arithmetic can discard LSB(least significant
bits) of mantissa:
3. It is impossible to perform an infinite number
of discarding LSB of mantissa on ciphertexts.
→ Explosion of mantissa for repeated operations.
8 / 17

9. How to Avoid Explosion of Mantissa?
1. If operation is not recursive, scaling is enough:
for example, in the case of static feedback
u = gy with g = 1.2 and y = 3.4
do the following:
¯y = Enc( Sy·y ) → ¯u = SM·g ·¯y → u =
1
SMSy
Dec(¯u)
with SM = Sy = 10,
¯y = Enc(34) → ¯u = 12 · ¯y → u =
1
102
Dec(¯u)
Idea: Use static feedbacks (as in [Farokhi (2016)])
or FIR(finite-impulse-reponse) filters
¯u(k) =
L
i=0
gi¯y(k − i)
9 / 17

10. How to Avoid Explosion of Mantissa?
2 If operation is recursive like in a dynamic controller
x(k + 1) = Ax(k) + By(k)
u(k) = Cx(k) + Dy(k)
then the scaling doesn’t help when A is non-integer:
e.g., with B = 0 and x(0) being integer
¯x(k + 1) = SM · A · ¯x(k) ⇒ ¯x(k) = SM · A k
· ¯x(0)
the mantissa of ¯x(k) explodes even if x(k) is bounded.
Note: Rounding A may not be a solution.
P(z) =
2.4
z + 1.4
is stable with C(z) =
1
z − 1.01
but not with C(z) =
1
z − 1
10 / 17

11. Dynamic Controller with A having Integer Elements
Controller: x(k + 1) = Ax(k) + By(k)
u(k) = Cx(k) + Dy(k)
A has integer elements
B, C, D, and y can be non-integer, and |y(k)| is bounded
Operation can be performed on ciphertexts:
¯x(k + 1) = A · ¯x(k) + SM · B · ¯y(k)
¯u(k) = SM · C · ¯x(k) + SM · D · ¯y(k)
and finally
x(k) =
1
SMSy
Dec(¯x(k)), u(k) =
1
S2
MSy
Dec(¯u(k))
Theorem: Arithmetic operation can be performed infinite times
under closed-loop stability.
11 / 17

12. What If The Matrix A is Non-integer?
First observation: if denominators are integers
C(z) =
bn−1zn−1 + · · · + b0
zn + an−1zn−1 + · · · + a0
then it has a realization
x(k + 1) =





−an−1 · · · −a1 −a0
1 · · · 0 0
...
...
...
...
0 · · · 1 0





x(k) +





1
0
...
0





y(k)
u(k) = bn−1 · · · b1 b0 x(t)
that has integer elements of A.
12 / 17

13. What If The Matrix A is Non-integer?
Therefore, if the coefficients {ai} are non-integers
C(z) =
bn−1zn−1 + · · · + b0
zn + an−1zn−1 + · · · + a0
,
find a higher order approximation that preserves closed-loop stability
For example,
C(z) =
1
z − 1.01
=
(z + 0.01)
(z − 1.01)(z + 0.01)
=
(z + 0.01)
z2 − z − 0.0101
↓
˜C(z) =
(z + 0.01)
(z − 1.01)(z + 0.01) + 0.0101
=
(z + 0.01)
z2 − z
both C(z) and ˜C(z) make the closed-loop stable
0.0101 is small s.t. C(z) ≈ ˜C(z)
z + 0.01 is stable
13 / 17

14. Example of Finding ˜C(z) by Optimization
C(z) =
1
z − a
→ ˜C(z) =
σ(z)
(z − a)σ(z) + ∆
=
σ(z)
zn+1 + Inzn + · · · + I0
|∆| < 1 ( it just makes I0 integer)
Coefficients of stable σ(z) = Πn
i=1(z − λi) are bounded.
→ Coefficient of (z − a)σ(z) + ∆ are bounded.
→ Searching space S for Ii is bounded.
Therefore, pick n and solve
minimize
I0,··· ,In∈S
|∆| = |an+1
+ Inan
+ · · · + I0|
subject to σ(z) is stable
14 / 17

15. If the minimum |∆| is sufficiently small, stability of the
closed-loop is preserved with C(z) replaced by ˜C(z).
Lemma: The closed-loop system with P(z) and ˜C(z) is stable if
σ(z) is stable, and
with P(z) = N(z)/D(z)
|∆| <
min|z|=1 |σ(z) ((z − a)D(z) + N(z))|
max|z|=1 |D(z)|
So, if the closed-loop is not stable with the optimal ∆, increase n
and solve the optimization again.
15 / 17

16. Simulation Result by LWE Scheme
(P, C, Encsk, Decsk) = (Z290 , Z5
2120 , Enc¯s, Dec¯s)
P(z) =
2.4
z + 1.4
and C(z) =
1
z − 1.01
the proposed optimization yields
˜C(z) =
σ(z)
(z − 1.01)σ(z) + ∆
=
σ(z)
z5 − 3z4 + 3z3 − z2
with the error ∆ = 1.01E − 6
500 600 700 800 900 1000
Step
0.09
0.095
0.1
0.105
0.11
y
Output y(k) with C(z) and ˜C(z) for step r(k) = 0.1
→
Encrypted
controller
˜C(z) can go
infinite time
horizon!
16 / 17

17. Conclusion
discussed the problem of finite time operation in
homomorphically encrypted dynamic controller
highlighted that an encrypted LTI controller can operate for
infinite time horizon if A has integer elements
proposed a method to convert non-integer coefficients
controller to integer coefficients without losing stability
Thank you!
Presenter: Hyuntae Kim (htkim@cdsl.kr)
17 / 17