Cyber-Security Enhancements of Networked Control Systems Using Homomorphic Encryption
1. December 18 Fri., 2015, 13:30-13:50, Regular Session: Networked Control Systems 2, Frb09.1 @ 1003
Kiminao Kogiso
University of Electro-Communications
Tokyo, Japan
Takahiro Fujita
Yokogawa Denshikiki Co., Ltd.
The 54th Conference on Decision and Control
Osaka International Convention Center, Osaka, Japan
December 15 to 18, 2015
3. Introduction
Controller device is important, but exposed to threats of hacking and targeted attacks.
Attacks on networked control system
signals: modeling, stealing recipe, management policy and know-how
parameters: knowledge about system designs and operations
[Figure: networked control system with controller and plant; labels: ref. (recipe), control signals, feedback signals, parameters]
[1] Sandberg et al., 2015. [2] Sato et al., 2015. [3] Pang et al., 2011
Related works
aiming to conceal the signals
control-theoretical approach: detection[1], positive use of noises[2]
cryptography-based approach: encryption of communication links[3]
no studies considering encryption of the controller or its inside…
[Figure: controller and plant connected through Enc/Dec blocks; labels: ref., ref. (cipher), control (cipher), feedback (cipher)]
4. Introduction
Objective of this work
Realize a cryptography-based control law to conceal both the signals & parameters.
conventional: [Figure: controller and plant connected through Enc/Dec blocks; labels: ref., ref. (cipher), control (cipher), feedback (cipher)]
proposed: [Figure: encrypted controller and plant with Enc and Dec blocks; labels: ref., ref. (cipher), control (cipher), feedback (cipher), parameters (cipher)]
Concept of encrypted controller:
calculates an encrypted control directly from an encrypted feedback signal & an encrypted reference using encrypted parameters,
is achieved by incorporating a homomorphic encryption scheme into the control law.
5. Problem Statement
Encryption of linear controller
Consider a linear controller $f$:
$\begin{bmatrix} x[k+1] \\ u[k] \end{bmatrix} = \begin{bmatrix} A & B \\ C & D \end{bmatrix} \begin{bmatrix} x[k] \\ y[k] \end{bmatrix} := \ \xi[k] := f(\ , \xi[k])$
: parameter matrix
$y$: plant output
$u$: control input
Controller Encryption Problem:
Given an encryption scheme $E$, for a control law $f$ realize an encrypted law $f_E$.
Define an encrypted control law $f_E$, given an encryption scheme $E$, satisfying
$f_E(\mathrm{Enc}(\ ), \mathrm{Enc}(\xi)) = \mathrm{Enc}(f(\ , \xi))$
[Figure: encrypted controller $f_E(\mathrm{Enc}(\ ), \mathrm{Enc}(\xi))$ and plant with Enc and Dec blocks; labels: control (cipher) Enc(u), feedback (cipher) Enc(y), parameters (cipher) Enc( ), u, y]
6. Controller Encryption 1/3
Homomorphic encryption schemes
RSA encryption[4,5] (deterministic) & ElGamal encryption[6] (stochastic)
RSA: Rivest-Shamir-Adleman
ElGamal encryption scheme[4]
key generation: public $(g, p)$, and private $s$ (random), $g, p, s \in \mathbb{N}$
encryption: $\mathrm{Enc}(m) = (g^{r} \bmod p,\; m \times g^{sr} \bmod p) = (c_1, c_2)$, $r \in \mathbb{N}$: random
decryption: $\mathrm{Dec}(c_1, c_2) = c_2 \times c_1^{-s} \bmod p$
$m$: integer in plaintext space
$c_1, c_2$: integer in ciphertext space
Homomorphism
definition: $\mathrm{Enc}(m_1 \bullet m_2) = \mathrm{Enc}(m_1) \ast \mathrm{Enc}(m_2)$
in the case of ElGamal, $\bullet$: multiplication, $\ast$: modulo operation
[Figure: Enc maps $m_1$, $m_2$ and $m_2 \bullet m_1$ in the plaintext space $\mathbb{N}$ to $\mathrm{Enc}(m_1)$, $\mathrm{Enc}(m_2)$ in the ciphertext space $\mathbb{N}^2$]
[4] Rivest, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystem”, 1978. [5] Rivest, “On Data Banks and Privacy Homomorphisms”, 1978.
7. Controller Encryption 2/3
Idea for controller encryption
Divide the linear operation to apply the homomorphism.
$f = f^{+} \circ f^{\times}$
$f^{\times}(\ , \xi) = [\ {}_{1}\xi_{1}\ \ {}_{2}\xi_{2}\ \cdots\ {}_{L}\xi_{L}\ ] =:$ ← executed in the controller device
$f^{+}(\ ) = \sum_{l=1}^{L} {}_{l}$ ← executed after the decryption
modification of the decryption process to update the decryption algorithm with “$\mathrm{Dec}^{+}$”.
Configuration using ElGamal encryption scheme
[Figure: block diagram; labels: signals (cipher), feedback (cipher), Enc, Dec, $\mathrm{Dec}^{+}$, plant, parameters (cipher), Enc( ), $f^{+}$, $f^{\times}$, Enc($\xi$), $x[k+1]$, $u[k]$, $\xi$, $f_E(\mathrm{Enc}(\ ), \mathrm{Enc}(\xi))$]
8. Controller Encryption 3/3
Remarks
Signals & parameters are real; plaintext is integer.
need a map: multiplying by a natural number and rounding off to an integer, i.e.,
$K_{pM} = \lfloor a \times K_p \rceil$
$y_M[k] = \lfloor a \times y[k] \rceil$
$u_M[k] = K_{pM}\, y_M[k]$
$u[k] = K_p\, y[k]$
$a \in \mathbb{N}$
$\lfloor \cdot \rceil$: round function
example: $K_p = 0.83$, $a = 1000$, then $K_{pM} = \lfloor 1000 \times 0.83 \rceil = 830$.
with $a$ and $n$ sufficiently large, rounding (quantization) error can be made small.
[Figure: encrypted controller and plant; labels: Enc($K_{pM}$), Enc($y_M[k]$), Enc($u_M[k]$), Enc, $\mathrm{Dec}^{+}$, $a^2$, $\lfloor a \bullet \rceil$, $y[k]$, $y_M[k]$, $u_M[k]$, $u[k]$]
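The three Controller Encryption slides, carried through in Python as an added example (not the authors' code): the controller multiplies ElGamal ciphertexts entrywise (f×), and the plant side decrypts, sums each row and rescales by a^2 (Dec+). Assumptions: the toy group p = 2^61 - 1 with g = 3, the public value h = g^s, the encoding of negative integers as p - |m|, and the 2×2 controller values are all constructed for illustration.

```python
import secrets

# Toy ElGamal group, constructed for this example: far too small for real use.
P = 2**61 - 1   # prime modulus p
G = 3           # base g

def keygen():
    s = secrets.randbelow(P - 2) + 1      # private key s
    return pow(G, s, P), s                # (h = g^s mod p, s); h is an assumption

def enc(h, m):
    """Enc(m) = (g^r mod p, m * g^(sr) mod p); negative m is stored as p - |m|."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m % P) * pow(h, r, P) % P

def dec(s, c):
    """Dec(c1, c2) = c2 * c1^(-s) mod p, mapped back to a signed integer."""
    c1, c2 = c
    m = c2 * pow(c1, P - 1 - s, P) % P    # c1^(-s) via Fermat's little theorem
    return m if m <= P // 2 else m - P

def quantize(x, a):
    """Map a real value to a plaintext integer: round(a * x)."""
    return round(a * x)

def f_times(enc_params, enc_xi):
    """Runs in the controller: entrywise ciphertext products, no key needed."""
    return [[(p1 * x1 % P, p2 * x2 % P) for (p1, p2), (x1, x2) in zip(row, enc_xi)]
            for row in enc_params]

def dec_plus(s, enc_products, a):
    """Runs at the plant: decrypt each product, sum each row (f+), undo a^2."""
    return [sum(dec(s, c) for c in row) / a**2 for row in enc_products]

def encrypted_step(params, xi, a=1000):
    """One controller update [x[k+1], u[k]] computed on ciphertexts only."""
    h, s = keygen()
    enc_params = [[enc(h, quantize(v, a)) for v in row] for row in params]
    enc_xi = [enc(h, quantize(v, a)) for v in xi]
    return dec_plus(s, f_times(enc_params, enc_xi), a)

# Constructed controller [[A, B], [C, D]] and signal xi = [x[k], y[k]].
PARAMS = [[1.0, 0.1], [0.5, 0.83]]
if __name__ == "__main__":
    print(encrypted_step(PARAMS, [2.0, -1.5]))   # [x[k+1], u[k]]
```

Each decrypted product must stay below p/2 in magnitude, otherwise the signed decoding wraps around; for a given signal range this bounds how large a can be chosen.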
10. Validation: Protection from Stealing
System identification (n4sid)
[Figure: Bode plot, gain [dB] and phase [deg] versus frequency [rad/s]; curves: original closed loop system, without encryption, with encryption (RSA), with encryption (ElGamal)]
11. Conclusion
Introduction
Problem Statement
controller encryption problem
Encrypted Controller
homomorphism of specific encryption scheme
remarks on quantization error
Simulation & Validation
enables concealing signals & parameters inside the controller device in terms of cryptography.
enables hiding dynamics of the control system.
Future works
incorporate an attack detection method.
validate computation cost of encrypted controller.
[Figure: Bode plot, gain [dB] and phase [deg] versus frequency [rad/s]; curves: original closed loop system, without encryption, with encryption (RSA), with encryption (ElGamal); time plots over time [s] from 0 to 5, vertical scale × 10^7]