Secure Networked Control Systems Design Using Semi-homomorphic Encryption

Abstract

A secure and private nonlinear networked control systems (NCSs) design using semi-homomorphic encryption is studied. Static feedback controllers are used and network architectures are provided to enable control signal computation using encrypted signals directly. As a result, the security of the NCSs is further enhanced by preserving the privacy of information flowing through the whole network. Whereas in traditional encryption techniques, encrypted signals are decrypted before control computation and are encrypted again after computation for transmission. While this is highly desirable from privacy point of view, additional technical difficulties in the design and analysis of NCSs are induced compared to standard NCSs. In this chapter, we provide sufficient conditions on the encryption parameters that guarantee robust stability of the NCS in the presence of disturbances in a semi-global practical sense and discuss the trade-offs between the required computational resources, security guarantees, and the closed-loop performance. The proof technique is based on Lyapunov methods.

Appendices

12.9 Proof of Theorem 12.1

Proof

First, note that Step 9 of Algorithm 12.2 represents the standard multiplication between matrices on encrypted numbers. Since each addition may lead to at most one more integer bit, for an \(n_y\) dimensional vector \(\bar{g}(x)\), \(n_y-1\) additions are required. Thus the condition \(N>2^{n_y+n_1+n_2-1}\) ensures that all encrypted data can be decrypted to get the desired control inputs without overflow and underflow. For simplicity, we will use the following equivalent dynamics \(f(x, \bar{K}\bar{g}(x), w)\) to represent the closed-loop system.

We represent \(f(x,\bar{K}g(x),w)\) and f(x, Kg(x), w) by \(f_1\) and f, respectively, for simplicity. Similarly we write \(f(x,\bar{K}\bar{g}(x),w)\) as \(f_2\). We prove the theorem by 2 steps. First, we show that under certain conditions the closed-loop system with gain matrix quantization (\(f_1\)) is ISS in a proper sense, then based on this result, we derive sufficient conditions to allow extra quantization of the measurement signal (\(f_2\)) without losing ISS.

Then for the same Lyapunov function given in Assumption 12.3, we have for all \(x\in \mathbb {R}^{n_x}\):

$$\begin{aligned} \begin{aligned} V(f_1)-V(x)&=V(f_1)-V(f)+V(f)-V(x)\\&\le V(f_1)-V(f)-\alpha _3(|x|)+\gamma (|w|). \end{aligned} \end{aligned}$$

(12.26)

For any \(\varDelta _x=\bar{\varDelta }>0\), on the ball of radius \(\varDelta _x\), \(\mathbb {B}_{\varDelta _x}=\{x\in \mathbb {R}^{n_x}:|x|\le \varDelta _x\}\), there exists a positive constant \(L_V\) such that \(|V(x)-V(y)|\le L_V|x-y|\), for all \(x,y\in \mathbb {B}_{\varDelta _x}\). Thus (12.26) implies that for all \(x\in \mathbb {B}_{\varDelta _x}\):

$$\begin{aligned} \begin{aligned} V(f_1)-V(x)&\le V(f_1)-V(f)-\alpha _3(|x|)+\gamma (|w|)\\&\le |V(f_1)-V(f)|-\alpha _3(|x|)+\gamma (|w|)\\&\le L_V|f_1-f|-\alpha _3(|x|)+\gamma (|w|)\\&\le L_VL_fe_1|g(x)|-\alpha _3(|x|)+\gamma (|w|), \end{aligned} \end{aligned}$$

(12.27)

where the second step follows from the fact that a continuous mapping maps a compact set to another compact set, thus the existence of the Lipschitz constant \(L_V\) can be guaranteed. Since g(x) is continuous on \(\mathbb {R}^{n_x}\), for any \(\delta _x\le |x|\le \varDelta _x\), |g(x)| attains its maximum \(M_1>0\). Thus we have if \(e_1\le \epsilon _1=\frac{(1-\mu _1)\alpha _3(\delta _x)}{M_1L_VL_f}\) with \(0<\mu _1<1\), then \(V(f_1)-V(x)\le -\mu _1\alpha _3(|x|)+\gamma (|w|)\).

For all \(\delta _x\le |x|\le \varDelta _x\) the following holds:

$$\begin{aligned} \begin{aligned} V(f_2)-V(x)&=V(f_2)-V(f_1)+V(f_1)-V(x)\\&\le V(f_2)-V(f_1)-\mu _1\alpha _3(|x|)+\gamma (|w|)\\&\le L_V|f_2-f_1|-\mu _1\alpha _3(|x|)+\gamma (|w|)\\&\le L_VL_f|\bar{K}|e_2-\mu _1\alpha _3(|x|)+\gamma (|w|). \end{aligned} \end{aligned}$$

(12.28)

Thus, if \(e_2\le \epsilon _2=\frac{\mu _1(1-\mu _2)\alpha _3(\delta _x)}{L_VL_f|\bar{K}|}\) with \(0<\mu _2<1\), we have \(V(f(x,\bar{K}\bar{g}(x),w))-V(x)\le -\mu _1\mu _2\alpha _3(|x|)+\gamma (|w|)\). In contrast to the continuous-time case, this condition is insufficient for concluding that the discrete-time closed-loop system is semi-globally practically ISS as discussed in Sect. III of [29]. For the region \(\mathbb {B}_{\delta _x}=\{x\in \mathbb {R}^{n_x}:|x|\le \delta _x\}\), (12.28) does not hold in general, instead, from (12.27), we have for all \(x\in \mathbb {B}_{\delta _x}\):

$$\begin{aligned} \begin{aligned}&V(f_2)-V(x)\le V(f_2)-V(f_1)+V(f_1)-V(x)\\&\le L_VL_f(e_1|g(x)|+e_2|\bar{K}|)-\alpha _3(|x|)+\gamma (|w|)\\&\le L_VL_f(\epsilon _1|g(x)|+\epsilon _2|\bar{K}|)-\alpha _3(|x|)+\gamma (|w|)\\&\le -\alpha _3(|x|)+\gamma (|w|)+\eta , \end{aligned} \end{aligned}$$

(12.29)

where \(\eta =\frac{M_2(1-\mu _1)\alpha _3(\delta _x)}{M_1}+\mu _1(1-\mu _2)\alpha _3(\delta _x)\), \(M_2=\text {max}_{x\in \mathbb {B}_{\delta _x}}|g(x)|\). By Lemma 3.5 in [17], the set \(\{x\in \mathbb {R}^{n_x}:V(x)\le b_1\}\) where \(b_1=\alpha _2\circ \alpha _3^{-1}\circ \rho ^{-1}(\eta +\gamma (||w||))\) and \(\rho \) is any \(\mathcal {K}_{\infty }\) function such that \(Id-\rho \in \mathcal {K}_{\infty }\), is forward invariant. Define \(b_{1max}=\alpha _2\circ \alpha _3^{-1}\circ \rho ^{-1}(\eta +\gamma (\varDelta _w))\). Since the upper bound of the disturbance satisfies \(\alpha _1^{-1}(b_{1max})<\varDelta _x\), the state cannot escape away from the set \(\mathbb {B}_{\varDelta _x}\) from the set \(\mathbb {B}_{\delta _x}\) even in the presence of disturbances. As a result, following similar arguments, the set \(\{x\in \mathbb {R}^{n_x}:V(x)\le b_2\}\) is also forward invariant, where \(b_2=\alpha _2\circ \alpha _3^{-1}\circ \mu _1^{-1}\mu _2^{-1}\rho ^{-1}(\gamma (||w||))\). Define \(b_{2max}=\alpha _2\circ \alpha _3^{-1}\circ \mu _1^{-1}\mu _2^{-1}\rho ^{-1}(\gamma (\varDelta _w))\). Since we have \(\alpha _1^{-1}(b_{2max})<\varDelta _x\), the set \(\mathbb {B}_{\varDelta _x}\) is forward invariant. Then follow similar arguments in Sect. 3.5 in [17], we deduce that there exists \(\beta \in \mathcal {KL}\) such that \(\phi (k,x_0,w)\), the solution of (12.11) starting at \(x_0\) with \(|x_0|\le \varDelta _x\) at time k satisfies

$$\begin{aligned} |\phi (k,x_0,w)|\le \beta (|x_0|,k)+\sigma (||w||)+\delta , \end{aligned}$$

(12.30)

where \(\delta =\alpha _1^{-1}((\frac{M_2(1-\mu _1)}{M_1}+\mu _1(1-\mu _2))\alpha _3(\delta _x)+\alpha _2(\delta _x))\) and \(\sigma (s)=\text {max}\{\sigma _1,\sigma _2\}\) where \(\sigma _1(s)=\alpha _1^{-1}\circ \alpha _2\circ \alpha _3^{-1}\circ \mu _1^{-1}\mu _2^{-1}(Id+\rho )\circ \gamma (s)\), \(\sigma _2(s)=\alpha _1^{-1}\circ \alpha _2\circ \alpha _3^{-1}\circ (Id+\rho )\circ \gamma (2s)\).

12.10 Proof of Theorem 12.2

Proof

We only present a sketch of the proof since it overlaps a lot with the proof of Theorem 12.1. Based on stated assumptions and Lemma 12.3, (12.21), (12.22) and (12.23) are guaranteed to hold.

Thus, by Lemma 12.3, for all \(x\in \mathbb {R}^{n_x}\) we have

$$\begin{aligned} \begin{aligned} V(f)-V(x)&=V(f)-V(f(x,Kg(x),0))\\&+V(f(x,Kg(x),0))-V(x)\\&\le -c_3|x|+LL_w|w|. \end{aligned} \end{aligned}$$

(12.31)

$$\begin{aligned} \begin{aligned} V(f_1)-V(x)&=V(f_1)-V(f)+V(f)-V(x)\\&\le V(f_1)-V(f)-c_3|x|+LL_w|w|\\&\le |V(f_1)-V(f)|-c_3|x|+LL_w|w|\\&\le L|f_1-f|-c_3|x|+LL_w|w|\\&\le LL_fe_1\kappa |x|-c_3|x|+LL_w|w|. \end{aligned} \end{aligned}$$

(12.32)

Then we have if \(e_1\le \epsilon _1=\frac{c_3(1-\mu _1)}{LL_f\kappa }\), where \(0<\mu _1<1\), it holds true that \(V(f_1)-V(x)\le -\mu _1c_3|x|+LL_w|w|\) for all \(x\in \mathbb {R}^{n_x}\).

Since the following holds:

$$\begin{aligned} \begin{aligned} V(f_2)-V(x)&=V(f_2)-V(f_1)+V(f_1)-V(x)\\&\le V(f_2)-V(f_1)-\mu _1c_3|x|+LL_w|w|\\&\le L|f_2-f_1|-\mu _1c_3|x|+LL_w|w|\\&\le LL_f|\bar{K}|e_2-\mu _1c_3|x|+LL_w|w|. \end{aligned} \end{aligned}$$

(12.33)

Thus, for any \(0<\delta _x<\varDelta _x<\infty \), if \(e_2\le \epsilon _2=\frac{\mu _1(1-\mu _2)c_3\delta _x}{LL_f|\bar{K}|}\), with \(0<\mu _2<1\) we have \(V(f(x,\bar{K}\bar{g}(x),w))-V(x)\le -\mu _1\mu _2c_3|x|+LL_w|w|\le -\frac{\mu _1\mu _2c_3}{c_2}V(x)+LL_w|w|\). For the region \(\mathbb {B}_{\delta _x}=\{x\in \mathbb {R}^{n_x}:|x|\le \delta _x\}\), we have

$$\begin{aligned} \begin{aligned} V(f_2)-V(x)&\le V(f_2)-V(f_1)+V(f_1)-V(x)\\&\le \mu _1(1-\mu _2)c_3\delta _x-\mu _1c_3|x|+LL_w|w|\\&\le -\mu _1c_3|x|+LL_w|w|+\eta \\&\le -\frac{\mu _1c_3}{c_2}V(x)+LL_w|w|+\eta , \end{aligned} \end{aligned}$$

(12.34)

where \(\eta =\mu _1(1-\mu _2)c_3\delta _x\). By Lemma 3.5 in [17], the set \(\{x\in \mathbb {R}^{n_x}:V(x)\le b_1\}\) where \(b_1=\frac{c_2(\eta +LL_w||w||)}{c_3\rho }\) and \(\rho \) is any constant such that \(0<\rho <1\) is forward invariant. Define \(b_{1max}=\frac{c_2(\eta +LL_w\varDelta _w)}{c_3\rho }\). Since the upper bound of the disturbance satisfies \(\frac{b_{1max}}{c_1}<\varDelta _x\), the state cannot escape away from the set \(\mathbb {B}_{\varDelta _x}\) from the set \(\mathbb {B}_{\delta _x}\) even in the presence of disturbances. Following similar arguments, the set \(\{x\in \mathbb {R}^{n_x}:V(x)\le b_2\}\) is also forward invariant, where \(b_2=\frac{c_2LL_w||w||}{c_3\mu _1\mu _2\rho }\). Define \(b_{2max}=\frac{c_2LL_w\varDelta _w}{c_3\mu _1\mu _2\rho }\). Since we have \(\frac{b_{2max}}{c_1}<\varDelta _x\), the set \(\mathbb {B}_{\varDelta _x}\) is forward invariant. Then \(\phi (k,x_0)\) with \(|x_0|\le \varDelta _x\) satisfies

$$\begin{aligned} |\phi (k,x_0)|\le \frac{c_2}{c_1}|x_0|(1-\frac{\mu _1\mu _2c_3}{c_2})^k+\sigma ||w||+\delta , \end{aligned}$$

(12.35)

where \(\delta =\frac{c_2\eta }{c_1c_3\rho }\), \(\sigma =\text {max}\{\sigma _1, \sigma _2\}\), \(\sigma _1=\frac{c_2LL_w}{c_1c_3\mu _1\mu _2}\) and \(\sigma _2=\frac{c_2LL_w}{c_1c_3\mu _1}\). Since we have \(0<\mu _2<1\), \(\sigma =\sigma _1=\frac{c_2LL_w}{c_1c_3\mu _1\mu _2}\).