ElGamal-type encryption for optimal dynamic quantizer in encrypted control systems

This study considers a quantizer design problem with controller encryption for minimizing performance degradation caused by encryption. It is difficult to design an optimal dynamic quantizer that converts real numbers to plaintexts for encrypted control systems with ElGamal encryption because the plaintext space of ElGamal encryption is intermittent and does not include zero and negative numbers. A variant of ElGamal encryption is proposed to apply a conventional optimal dynamic quantizer for encrypted control systems. The proposed multiplicative homomorphic cryptosystem, wherein the plaintext space is consecutive integers within a certain range, can handle zero and negative integers properly. Numerical simulations demonstrate that the optimal dynamic quantizer with the proposed cryptosystem improves the control performance of an encrypted regulator.


Introduction
Threats against control systems have become a major concern in recent years [1-3]. Encrypted control [4] is expected to improve the cyber-security of control systems because it reduces the risk of eavesdropping attacks, which are the main class of attacks on control systems [2]. Such attacks are performed to collect information about a targeted control system in order to execute more severe attacks, such as replay attacks [5]. In encrypted control systems, control inputs are determined directly from encrypted data without decryption, which effectively prevents eavesdropping attacks.
Encrypted control with multiplicative homomorphic encryption, such as RSA [6] and ElGamal encryption [7], was proposed in [4]. Not only signals over network links but also controller parameters are concealed by encryption. Encrypted control with additive homomorphic encryption, such as Paillier encryption [8], was studied in [9]. In this encrypted control scheme, either signals or controller gains are encrypted. Encrypted control with fully homomorphic encryption was provided in [10]. Additive and fully homomorphic encryption require higher computational costs than multiplicative homomorphic encryption; therefore, multiplicative homomorphic encryption would be most suitable for encrypting control systems. Furthermore, a detection method for falsification attacks and replay attacks based on encrypted control with multiplicative homomorphic encryption was introduced in [11,12].
To design encrypted control systems, controller parameters and signals must be quantized. This quantization may degrade stability and control performance [13]. Several studies were conducted to avoid destabilization by encryption. The authors of [9] introduced a binary number representation for quantization in encrypted control. This method is suitable for implementing encrypted control systems with additive homomorphic encryption on digital computers. The quantization approach of [14] was applied to an encrypted state-feedback controller with Paillier encryption to achieve asymptotic stability [15]. Quantization approaches for average consensus control, event-triggered control, and control of nonlinear scalar systems were also considered [15,16]. The authors of [17] proposed a dynamic quantizer for encrypted control systems with ElGamal encryption. The dynamic quantizer guarantees that a closed-loop system with an encrypted state-feedback controller inherits the asymptotic stability of an unencrypted closed-loop system. Furthermore, encrypted event-triggered control with the dynamic quantizer was studied [18].
Previous studies on quantization in encrypted control systems focused only on guaranteeing the stability of a control system after encryption. Although control performance is as critical as stability in control systems, the conventional quantization methods do not consider the control performance of encrypted control systems. Minimizing the degradation of control performance caused by the quantization and estimating the degree of performance degradation before the control system operates is meaningful for the efficient design of encrypted control systems and for performance guarantees. Therefore, we consider the following problem.

Problem 1.1:
Given a multiplicative homomorphic encryption scheme and a controller stabilizing a plant, assume that there exists an encrypted controller such that a closed-loop system with the plant is stable. Design a quantizer to minimize the maximum error between the output of the unencrypted control system and an encrypted control system and determine the maximum error.
Azuma and Sugie's dynamic quantizer [19] may be considered a solution to the above problem. Their dynamic quantizer is a general form of modulator consisting of a uniform mid-tread quantizer, which rounds off an argument to the nearest neighbour of a discrete output set, and a quantizer state updated based on a quantization error. The dynamic quantizer minimizes the maximum quantization error within the scope of using the simple quantizer structure. Additionally, the maximum error is explicitly determined simultaneously with the quantizer design.
Despite the merits of the dynamic quantizer, applying it to encrypted control systems is not straightforward because, in general, the plaintext space of multiplicative homomorphic encryption does not include zero and negative numbers. Numbers not included in a plaintext space cannot be encrypted, and thus, we can handle only positive numbers as long as conventional multiplicative homomorphic encryption is used. Furthermore, with ElGamal encryption, the plaintext space is intermittent. The dynamic quantizer guarantees optimality only when the output set of the quantizer is uniform. Note that a naive variable transformation, such as adding a number to an argument to shift non-positive numbers to positive numbers, cannot be used to convert between a real number and a plaintext because the identity element is not preserved by the transformation. Besides, in principle, zero cannot be included in the plaintext space of conventional multiplicative homomorphic encryption no matter what variable transformation is used, since the product of zero and any number is always zero.
We propose a variant of ElGamal encryption that uses encoding and decoding maps, which convert real numbers and plaintexts to each other, in order to apply Azuma and Sugie's dynamic quantizer to encrypted control systems. The proposed cryptosystem can appropriately handle zero and negative numbers while preserving multiplicative homomorphism. Additionally, the plaintext space of the proposed encryption scheme can be regarded as consecutive integers through the encoding and decoding maps. Thus, the dynamic quantizer in encrypted control systems with the variant achieves optimal performance. Numerical examples confirm that the proposed scheme improves control performance compared with the case of the normal ElGamal cryptosystem.
The remainder of this paper is organized as follows. Section 2 summarizes the preliminaries of number theory, cryptography, and encrypted control. Section 3 describes the proposed encryption scheme with encoding and decoding maps to implement an optimal dynamic quantizer. Section 4 introduces an optimal dynamic quantizer in encrypted control systems using the proposed cryptosystem. Section 5 provides the results of numerical simulation demonstrating the validity of the proposed method. Finally, Section 6 describes the conclusions and future work.

Notation
The sets of real numbers, integers, primes, security parameters, key pairs, public keys, secret keys, plaintexts, and ciphertexts are denoted by R, Z, P, S, K, K_p, K_s, M, and C, respectively. We define sets The set of vectors whose sizes are n is denoted by R^n, and the set of matrices whose sizes are m × n is denoted by R^{m×n}.
The floor function is defined as ⌊·⌋ : R → Z : x ↦ max{z ∈ Z | z ≤ x}. The identity map on a set A is denoted by id_A.

Definition 2.1:
The minimal residue of an integer a modulo m is defined as

Definition 2.2:
An integer a is called a quadratic residue modulo m if there exists an integer b such that b^2 = a mod m. We use Gauss's notation, i.e. we write aRm if a is a quadratic residue modulo m; otherwise, we write aNm.

Definition 2.3:
The Legendre symbol is a map from

ElGamal encryption
ElGamal encryption is a tuple E := (Gen, Enc, Dec), where Gen : q, g, h), s) is a key generation algorithm, Enc : −s c 2 mod p is a decryption algorithm, pk is a public key, sk is a secret key, q is a k bit prime, p = 2q + 1 is a safe prime, g is a generator of a cyclic group G : and r and s are random numbers in Z q . Enc and Dec perform elementwise operations for a vector and a matrix.

Remark 2.1:
For m, m ∈ M, ElGamal encryption satisfies the following homomorphism: where * is the Hadamard product.

Encrypted controller
A plant P and a controller f are given as follows: P : f : where t ∈ Z + is a time step, x ∈ R^n is a state, u ∈ R^m is an input, y ∈ R^l is an output, A, B, and C are plant parameters, x_c ∈ R^{n_c} is a controller state, and A_c, B_c, C_c, and D_c are controller parameters. f can be rewritten

Variant of ElGamal encryption
This section proposes a modified ElGamal encryption whose plaintext space has uniform width and contains zero and negative numbers. Our basic idea is based on the fact that G is the set of quadratic residues modulo p, and (m/p)_L m can be used for encoding to G for all m ∈ Z_p \ {0} [20]. The proposed cryptosystem can be used to design an optimal dynamic quantizer for encrypted control systems.
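
The basic idea above, as an added Python example (not the paper's code): with a toy safe prime, the Legendre-symbol encoding maps the consecutive integers 1..q onto G, and ElGamal's multiplicative homomorphism survives the round trip. The parameters q = 1019 and g = 4 and all function names are assumptions made for the illustration; the paper's maps for sign and zero are not reproduced here.

```python
import secrets

# Toy parameters, constructed for illustration only (far too small for real use):
# q = 1019 is prime, p = 2q + 1 = 2039 is a safe prime with p = 3 (mod 4).
Q = 1019
P = 2 * Q + 1
G = 4  # a quadratic residue != 1, so it generates the order-q subgroup G

def legendre(a):
    """Legendre symbol (a/p)_L by Euler's criterion: returns 1, -1 or 0."""
    s = pow(a, (P - 1) // 2, P)
    return -1 if s == P - 1 else s

def encode(m):
    """Map an integer 1 <= m <= q to the quadratic residue (m/p)_L * m mod p."""
    if not 1 <= m <= Q:
        raise ValueError("m must lie in 1..q")
    return (legendre(m) * m) % P

def decode(c):
    """Inverse of encode: absolute value of the minimal residue of c mod p."""
    return c if c <= Q else P - c

def plaintext_gaps():
    """Integers in 1..q that are not in G, i.e. not valid ElGamal plaintexts as-is."""
    return [m for m in range(1, Q + 1) if legendre(m) == -1]

def keygen():
    s = secrets.randbelow(Q - 1) + 1        # secret key in 1..q-1
    return pow(G, s, P), s                  # (h = g^s mod p, s)

def enc(h, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(h, r, P)) % P

def dec(s, c):
    return (pow(c[0], -s, P) * c[1]) % P    # c1^(-s) * c2 mod p

def mul(ca, cb):
    """Elementwise product of two ciphertexts (the homomorphic operation)."""
    return (ca[0] * cb[0]) % P, (ca[1] * cb[1]) % P

def encrypted_product(a, b):
    """Encode, encrypt, multiply ciphertexts, decrypt, decode."""
    h, s = keygen()
    return decode(dec(s, mul(enc(h, encode(a)), enc(h, encode(b)))))
```

A product that exceeds q wraps around (40 · 40 decodes to 439 with these parameters), so magnitudes have to stay inside the plaintext range.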

Definition 3.1:
We define encoding maps A and C , and decoding maps B and D in Figure 1 as where ∈ R + \ {0} is a sensitivity. For simplicity, we employ Ecd := C • A and Dcd := B • D, which perform elementwise operations for a vector and a matrix.

Remark 3.1:
In practice, an error caused by A and B is bounded from above by /2, that is, |B (A (x)) − x| ≤ /2. Therefore, the error converges to zero as goes to zero.

This theorem implies that the encoding and decoding maps convert an argument without loss of information when errors do not occur in A and B .

→ (Enc(pk, m_1), Enc(pk, m_2), Enc(pk, m_3)), where c_1, c_2, c_3 ∈ G^2, M = G^3, and C = G^6. Enc † and Dec † perform elementwise operations for a vector and a matrix. In the following, we omit pk and sk in the encryption and decryption algorithms for simplicity.

Remark 3.2:
From Proposition 3.2, we can regard the plaintext space M as P q 2 × Z q . P q 2 and Z q are involved with a sign and magnitude of plaintext, respectively. That is, the plaintext space can be treated as a set of consecutive integers. Although this study considers using Azuma and Sugie's dynamic quantizer for quantization in encrypted control, the property of our proposed cryptosystem is also useful for other quantizers. For example, a logarithmic quantizer cannot be applied for quantization in encrypted control with the normal ElGamal cryptosystem because it is impossible to design a resolution to determine the quantizer's output set due to intermittence of a plaintext space of the encryption scheme. In contrast, a plaintext space of our cryptosystem is consecutive. Therefore, we can easily design a logarithmic quantizer resolution for encrypted control by using the cryptosystem.
Because of the symmetry of x and x , the proofs for the cases of z = 0 ∧ z = 0 and (z/p) L = 1 ∧ (z /p) L = −1 are the same as (i) and (iii), respectively.

Remark 3.3:
In the modified ElGamal encryption scheme, multiplication between ciphertexts is allowed up to log_2 q times.

Optimal dynamic quantizer
To implement encrypted controllers, controller parameters and signals should be converted into the plaintext space. This process can be regarded as the quantization of controller parameters and signals in a closed-loop system [17]. P andf in Figure 3, which is a quantized control system equivalent to Figure 2, are given as follows: where Q : ξ →ξ is a quantizer, I and O are, respectively, an identity matrix and a zero matrix of an appropriate size, and¯ = Dcd (Ecd ( )). The closed-loop system can be written as : where Figure 4,

Theorem 4.1: Suppose A is Schur, and C B is a non-singular matrix. An optimal dynamic quantizer in
can be designed as where x_q is a quantizer state, x_q(0) = 0, A_q, B_q, and C_q are quantizer parameters, and ξ_I is an output ofP in Figure 3 when the quantizer Q is not involved. Furthermore, the maximum difference betweenξ(t) and ξ_I(t) is given as

The proof is omitted due to space constraints. The complete proof of an optimal dynamic quantizer is shown in [19].

Remark 4.2:
The dynamic quantizer may be applied to encrypted control systems even when the normal ElGamal cryptosystem is employed, by using the conventional encoding and decoding maps [4,17]. However, the quantization results are not optimal [19] because the intermittence of the plaintext space is not resolved, and the maps cannot handle zero. In these cases, E(Q) is upper-bounded as where d_max is the maximum width of M, and Ā_c, B̄_c, C̄_c, and D̄_c are given by the encoding and decoding maps. Unfortunately, to the best of our knowledge, there is no efficient method to search for d_max of a given cryptosystem. The computation time of the linear search for finding d_max is O(2^k). Thus, using the previous encoding and decoding maps and calculating the upper bound are not practical if the key length is large.
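
An added illustration of the gap problem described in this remark (not code from the paper): a linear scan for d_max over toy safe primes, and the worst-case static rounding error when a value is mapped to the nearest element of G. Nearest-element rounding stands in for the conventional encoding maps of [4,17], whose definitions are not given on this page; the function names and primes are chosen for the example.

```python
from bisect import bisect_left

def quadratic_residues(p):
    """Sorted elements of G = {a^2 mod p}: the ElGamal plaintext space for safe prime p."""
    return sorted({a * a % p for a in range(1, (p - 1) // 2 + 1)})

def d_max(p):
    """Largest gap between consecutive plaintexts, found by scanning all q elements."""
    g = quadratic_residues(p)
    return max(b - a for a, b in zip(g, g[1:]))

def round_to_plaintext(v, g):
    """Assumed conventional-style encoding: nearest element of the sorted plaintext set g."""
    i = bisect_left(g, v)
    candidates = g[max(i - 1, 0):i + 1]
    return min(candidates, key=lambda m: abs(m - v))

def worst_error(p):
    """Worst rounding error inside the plaintext range, probed at every gap midpoint."""
    g = quadratic_residues(p)
    mids = [(a + b) / 2 for a, b in zip(g, g[1:])]
    return max(abs(round_to_plaintext(v, g) - v) for v in mids)

def survey(primes=(23, 47, 59, 83, 107, 2039)):
    """(p, q, d_max, worst error) for constructed toy safe primes p = 2q + 1."""
    return [(p, (p - 1) // 2, d_max(p), worst_error(p)) for p in primes]

if __name__ == "__main__":
    for p, q, width, err in survey():
        # Consecutive integers would give width 1 and worst error 0.5.
        print(f"p={p:5d} q={q:5d} d_max={width:3d} worst rounding error={err}")
```

The scan touches every one of the q plaintexts, which is the O(2^k) cost the remark refers to for a k-bit q.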

Remark 4.3:
Although the dynamic quantizer does not necessarily guarantee the stability of a closed-loop system, it is possible to achieve asymptotic stability by changing the sensitivity ξ according to plant behaviour [17].

Numerical example
Consider the following continuous-time plant: This plant is discretized as where a sampling period is set to 0.1 s. A regulator for the plant is given as where x̂ ∈ R^n is an estimated state, L ∈ R^{n×l} is an observer gain, and F ∈ R^{m×n} is a state-feedback gain.
In Figure 5(a,b) show the input and output of the encrypted control system using the dynamic quantizer with the normal ElGamal cryptosystem. Similarly, Figure 6(a,b) depict the signals with the optimal dynamic quantizer based on the proposed ElGamal-type encryption scheme. In both the simulation results, an impulse disturbance is added to the control input at 60 s to evaluate whether the encrypted control system is stable under the disturbance even after quantization and encryption. Figures 5(c,d) and 6(c,d) are enlarged graphs of Figures 5(a,b) and 6(a,b), respectively. These results confirm that the optimal dynamic quantizer with the proposed cryptosystem improves the control performance of the encrypted control system, and the encrypted control system inherits the stability of the original control system.

Conclusions
This study proposed a variant of ElGamal encryption in which the width of the plaintext space is uniform and zero can be handled properly, in order to implement an optimal dynamic quantizer in encrypted control systems. The proposed cryptosystem employs encoding and decoding maps, which convert between integers and quadratic residues without loss of information. The optimal dynamic quantizer minimizes the maximum difference between the outputs of an augmented plant in an encrypted control system with the proposed encryption scheme and those in an unencrypted control system. The numerical simulations demonstrated that the proposed cryptosystem allowed the implementation of the optimal dynamic quantizer, and the quantizer improved the control performance of an encrypted control system. In future work, we will consider implementing an encrypted optimal dynamic quantizer whose processes are addressed in a ciphertext space.

Disclosure statement
No potential conflict of interest was reported by the author(s).