Optimal Security Parameter for Encrypted Control Systems Against Eavesdropper and Malicious Server

A sample identifying complexity and a sample deciphering time have been introduced in a previous study to capture an estimation error and a computation time of system identification by adversaries. The quantities play a crucial role in defining the security of encrypted control systems and designing a security parameter. This study proposes an optimal security parameter for an encrypted control system under a network eavesdropper and a malicious controller server who attempt to identify system parameters using a least squares method. The security parameter design is achieved based on a modification of conventional homomorphic encryption for improving a sample deciphering time and a novel sample identifying complexity, characterized by controllability Gramians and the variance ratio of identification input to system noise. The effectiveness of the proposed design method for a security parameter is demonstrated through numerical simulations.


Introduction
Outsourcing computation of controllers to a cloud server, such as control as a service (CaaS), is one form of realization of cyber-physical systems that improves the efficiency and flexibility of traditional control systems. However, such computing services often face threats in which adversaries eavesdrop on and learn private information of control systems. Homomorphic encryption is the major countermeasure against such threats because it provides direct computation on encrypted data without accessing the original messages [1]. The encryption was applied to realize encrypted control, a framework for secure outsourcing of the computation of control algorithms [2-6]. Owing to the benefits of encrypted control, various controls, such as model predictive control [7,8], motion control [9,10], and reinforcement learning [11], were implemented in encrypted forms.
Some recent studies have defined and analyzed the security of encrypted control systems through two approaches to clarify how secure an encrypted control system is against what type of adversary. One of them is a cryptographic approach that defines the provable security of encrypted controls and reveals a relation between that security and existing security notions in cryptography [12]. In this security definition, an adversary and the information used for attacks are formulated as a probabilistic polynomial-time algorithm and its inputs, respectively, instead of assuming specific attacks. Using the security notion, we can analyze qualitative security for a broad class of encrypted control systems. In contrast, other studies employed a control-theoretic approach that considers the security of encrypted control systems under an adversary who wants to learn the system parameters by system identification [13,14]. The security in this approach is defined by the system identification error and the computation time for the process. Unlike the cryptographic approach, the security notion in this approach enables quantifying a security level of encrypted control systems. These studies also solved an optimization problem for designing a security parameter to minimize the computation costs of encryption algorithms while satisfying the desired security level.
This study focuses on designing an optimal security parameter for encrypted control systems under an adversary who attempts to identify the system and input matrices of a system controlled by an encrypted controller, whereas the conventional works [13,14] dealt with an adversary identifying the system matrix of a closed-loop system. Such an adversary represents a network eavesdropper executing man-in-the-middle attacks and a malicious controller server infected by malware or spoofing an authorized server that computes encrypted control algorithms. Furthermore, the adversary employs a basic least squares identification method, which is more prevalent in practical use than the Bayesian estimation method discussed in [13].
Unfortunately, the existing design methods for an optimal security parameter are effective only against a network eavesdropper; that is, they do not work appropriately for a malicious controller server. The existing methods must share a token of updatable homomorphic encryption, whose key pairs are updated every sampling period, with a controller server to update controller ciphertexts. Furthermore, the update token needs to be kept secret from adversaries because it can be exploited to estimate past and future key pairs from the current key pair. Indeed, the previous study [13] assumed that an update token is transmitted over a secure communication channel using traditional symmetric-key encryption, such as AES. However, such an assumption is not valid for a malicious controller server because the ciphertext of an update token must be decrypted on the server. Hence, the design of an optimal security parameter for encrypted control systems is still a challenging problem when an adversary is a malicious controller server rather than a network eavesdropper.
To solve the problem, this study modifies the updatable homomorphic encryption in [13]. The modified encryption enables computation on encrypted data and correct decryption without sharing an update token while updating key pairs. Furthermore, we propose a novel sample identifying complexity, characterized by controllability Gramians and the variance ratio of the adversarial identification input to the system noise, for defining the security of encrypted control systems under the eavesdropper and the malicious server. Using the proposed complexity, we can estimate how precisely the adversaries are expected to identify the system and input matrices of a given system from a certain number of data. We design an optimal security parameter for an encrypted control system under the adversaries using the proposed updatable homomorphic encryption and sample identifying complexity.
The rest of this paper is organized as follows. Section 2 defines the syntax and security of homomorphic encryption and encrypted control. Section 3 formulates the threat model considered in this study. Section 4 presents a modified homomorphic encryption. Section 5 proposes a novel sample identifying complexity and an optimal security parameter for the modified encryption. Section 6 shows the results of numerical simulations. Section 7 describes the conclusions and future work.

Notation
The sets of natural numbers, integers, and real numbers are denoted by N, Z, and R, respectively. Key, plaintext, and ciphertext spaces are denoted by K, M, and C, respectively. Define the set Z_+ := {z ∈ Z | 0 ≤ z} and a bounded set X ⊂ R. The sets of n-dimensional vectors and m-by-n matrices whose elements and entries belong to a set A are denoted by A^n and A^{m×n}, respectively. The ith element of a vector v ∈ A^n and the (i, j) entry of a matrix M ∈ A^{m×n} are denoted by v_i and M_ij, respectively. The Euclidean norm of v ∈ A^n and the Frobenius norm of M ∈ A^{m×n} are denoted by ‖v‖_2 and ‖M‖_F, respectively. The column stack vector of M is defined as vec(M) : where M_i is the ith column vector of M.

Homomorphic encryption
This section introduces the syntax and security level of homomorphic encryption. First, the syntax of homomorphic encryption [1] is defined as follows.
Definition 2.1. Homomorphic encryption is (KeyGen, Enc, Dec, Eval) such that:
• (pk, sk) ← KeyGen(1^λ): A key generation algorithm takes 1^λ as input and outputs a key pair (pk, sk) ∈ K, where 1^λ is the unary representation of a security parameter λ ∈ N, pk is a public key, and sk is a secret key.
Example 2.2. The algorithms of ElGamal encryption [15] are as follows.
This study quantifies the security level of an encryption scheme by a number of bits as follows [16].
Definition 2.5. An encryption scheme satisfies λ-bit security if at least 2^λ operations are required to break the scheme.
A security parameter in Definition 2.1 quantifies the level of bit security for (updatable) homomorphic encryption. We address how to design the number of bits, λ, such that an encrypted control system becomes secure.

Encrypted control
This section introduces the syntax and security definition of encrypted control with updatable homomorphic encryption.
Definition 2.6. Given updatable homomorphic encryption and a controller f : (Φ, ξ) → ψ, where Φ ∈ X^{α×β} is a controller parameter, ξ ∈ X^β is a controller input, and ψ ∈ X^α is a controller output. Suppose there exist an encoder Ecd and a decoder Dcd such that:
• m ← Ecd(x; ∆): An encoder algorithm takes x ∈ X and a scaling factor ∆ ∈ R as input and outputs a plaintext m ∈ M.
• x ← Dcd(m; ∆): A decoder algorithm takes a plaintext m ∈ M and a scaling factor ∆ ∈ R as input and outputs x ∈ X.
The controller parameter and input need to be encoded to plaintexts by the encoder Ecd before encryption because control systems typically operate over real numbers.Although the encoding causes quantization errors, we ignore the errors for simplicity.
The security of encrypted control systems is defined based on a kind of sample complexity of system identification and the computation time for breaking the ciphertexts used in the system identification [13]. The complexity and the computation time are called a sample identifying complexity and a sample deciphering time, respectively, defined as follows.
Definition 2.7. Let N be a sample size for system identification by an adversary. A sample identifying complexity γ is a function satisfying γ(N) ≤ E[ (N)], where is an estimation error of the system identification.
Definition 2.8. Suppose an adversary uses a computer of Υ FLOPS. A sample deciphering time τ is the computation time required for breaking N ciphertexts of an updatable homomorphic encryption satisfying λ-bit security that are used for system identification by an adversary, namely τ(N, λ) = 2^λ N/Υ.
The security of encrypted control systems is defined using the sample identifying complexity and sample deciphering time as follows.
Definition 2.9. Let γ_c be an acceptable estimation error, and τ_c be a defense period. An encrypted control system is secure if there does not exist a sample size N such that γ(N) < γ_c and τ(N, λ) ≤ τ_c, where γ and τ are defined in Definition 2.7 and Definition 2.8, respectively. Otherwise, the encrypted control system is insecure.
Note that the pair (γ_c, τ_c) specifies the security level of an encrypted control system and is used later as the design parameters for a security parameter.
Remark 1. The sample deciphering time in the case of using a typical homomorphic encryption with a fixed key pair is computed as τ(1, λ) regardless of the sample size N, because an adversary can obtain the original message of any ciphertext once the encryption scheme is broken. However, the sample deciphering time in Definition 2.8 depends on N because ciphertexts at different times correspond to different key pairs when updatable homomorphic encryption is used.

Threat Model
This section formulates the threat model considered in this study. Fig. 1 shows two types of adversaries that aim to identify system parameters. Eve in Fig. 1(a) is an adversary eavesdropping on network signals and injecting illegal input signals into the communication channel from the encrypted controller to the decryptor. This type of adversary represents man-in-the-middle attacks. Fig. 1(b) depicts another adversary performing system identification. In the figure, Eve is in a server that computes an encrypted control algorithm. The adversary records the inputs and outputs of the encrypted control algorithm and returns falsified outputs. Thus, it is called a malicious server, representing a server infected by malware or spoofing an authorized agent. It should be noted that the signal flow of the encrypted control systems under the two adversaries in Fig. 1 has the same structure. Hence, we can deal with both attacks by a unified threat model without distinguishing the adversary types.
Suppose the system in Fig. 1 is given as where t ∈ Z_+ is a time, x ∈ R^n is a state, u ∈ R^m is an input, and w ∈ R^n is a noise. Suppose x_0 and w_t are independent and identically distributed over the Gaussian distribution with mean 0 and variance σ_w^2 I. A ∈ R^{n×n} and B ∈ R^{n×m} are system parameters, and A is assumed to be stable. The state of (1) is encrypted by updatable homomorphic encryption as ct_{x,t} ← Enc(pk_t, Ecd(x_t; ∆)) and transmitted to a controller server, where (pk_0, sk_0) ← KeyGen(1^λ) and (pk_{t+1}, sk_{t+1}, σ_t) ← KeyUpd(pk_t, sk_t). The server returns an input ciphertext ct_{u,t} ← EC(pk_t, ct_{Φ,t}, ct_{x,t}) to the system, where Φ is a controller parameter, ct_{Φ,0} ← Enc(pk, Ecd(Φ; ∆)), and ct_{Φ,t+1} ← CtUpd(ct_{Φ,t}, σ_t). The system decrypts the input ciphertext and obtains an input as u_t ← Dcd(Dec(sk_t, ct_{u,t}); ∆).
This study considers an adversary following the protocol: 1) collecting some encrypted samples, 2) exposing the original data by breaking the samples, and 3) identifying system parameters (A, B) by a least squares method with the exposed data.The attack scenario is formally defined as follows.
Definition 3.1. The adversary attempts to identify (A, B) of (1) by the following procedure.
(1) The adversary injects malicious inputs u_t = a_t for t ∈ [t_s, t_f] and collects N = t_f − t_s + 1 pairs of input and state ciphertexts {(ct_{u,t}, ct_{x,t})}_{t=t_s}^{t_f}.
(3) The adversary estimates (A, B) by a least squares method with the exposed data.
For the third step in Definition 3.1, we consider the following least squares identification method. Define the data matrices It follows from (1) that The least squares estimators (Â, B̂) of (A, B) are given as where ([X_p U_p]^⊤)^+ is the pseudo-inverse matrix of [X_p U_p]^⊤.
Remark 2. In the first step of Definition 3.1, the malicious inputs a t can be injected properly even though control inputs are encrypted by updatable homomorphic encryption because, in general, an encryption scheme and a public key are public information.Furthermore, even if an adversary does not know a public key, the adversary can falsify ciphertexts using malleability [17][18][19][20].

Secure Updatable Homomorphic Encryption Against Malicious Server
This section presents a modification of the updatable homomorphic encryption scheme in Example 2.4. To begin with, we introduce a desired cryptographic property of the encryption scheme [13].
The proposition implies the impossibility of estimating the previous and next secret keys from the current secret key. Hence, the proposition is the reason the sample deciphering time in Definition 2.8 depends on the sample size N: an adversary must keep breaking the remaining N − 1 ciphertexts even after succeeding in breaking one of the N ciphertexts. However, the impossibility makes sense only for a network eavesdropper because the proposition is satisfied only as long as the update token is kept secret from the adversary. The following proposition reveals that there exists a simple attack to obtain the next secret key from the current secret key and the update token.
Proof. Let sk_t = s and sk_{t+1} = s'. Here d = s' − s and σ_t = (h, d) for some h, and thus the adversary can estimate sk_{t+1} as ŝk_{t+1} = sk_t + d = s + (s' − s) = s'. By the proposition, the conventional encryption scheme cannot satisfy the impossibility against a malicious server, who must have an update token to update a controller parameter ciphertext as in Definition 2.6. This study presents modified homomorphic evaluation and decryption algorithms to solve this problem.
Return m ← Dec(sk_1, (c_1, c)).
The homomorphism of the original homomorphic evaluation algorithm in Example 2.4 holds only for two ciphertexts of the same time. In contrast, the modified algorithm satisfies the homomorphism for two ciphertexts of different times: Dec(sk_t, sk_{t+k}, Eval(pk_t, Enc(pk_t, m_1), Enc(pk_{t+k}, m_2))) = m_1 m_2 mod p for any (pk_0, sk_0) ← KeyGen(1^λ), for any m_1, m_2 ∈ M, and for all t ∈ Z_+, where (pk_{t+1}, sk_{t+1}, σ_t) ← KeyUpd(pk_t, sk_t).
Proof. Let sk_t = s, sk_{t+k} = s', pk_t = (p, q, g, g^s mod p), and pk_{t+k} = (p, q, g, g^{s'} mod p). Then, Eval(pk_t, Enc(pk_t, m_1), Enc(pk_{t+k}, m_2)) = (c_1, c_2, c_3) = (g^r mod p, g^{r'} mod p, m_1 m_2 g^{sr + s'r'} mod p), where r and r' are random numbers corresponding to times t and t + k, respectively. The intermediate output c is obtained as c = Dec(sk_{t+k}, (c

With the algorithms in Example 2.4 and Definition 4.3, the encrypted control algorithm in Definition 2.6 of a linear controller (Φ, ξ_t) → ψ_t = Φξ_t can be implemented as where the decryption algorithm in Definition 2.6 is given as Sum ∘ Dec, and Sum : . Fig. 2 shows the encrypted control system using the modified updatable homomorphic encryption, which operates without transmitting an update token σ_t from the system to the controller server. Note that the encoder Ecd and the decoder Dcd are omitted in the figure for simplicity. The controller server receives ct_{ξ,t} ← Enc(pk_t, Ecd(ξ_t; ∆)) at every time and returns ct_{ψ,t} ← EC(pk_0, ct_{Φ,0}, ct_{ξ,t}), where ct_{Φ,0} ← Enc(pk_0, Ecd(Φ; ∆)), while the public and secret keys are updated by (pk_{t+1}, sk_{t+1}, σ_t) ← KeyUpd(pk_t, sk_t). The system recovers the controller output as ψ_t ← Dcd(Sum(Dec(sk_0, sk_t, ct_{ψ,t})); ∆). Consequently, the modification in Definition 4.3 achieves the impossibility against not only an eavesdropper but also a malicious server.
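As an added illustration (not the paper's or any project's code), a toy Python version of the updatable ElGamal scheme of Section 4 with the two-key Eval/Dec described above, run through the Fig. 2 flow in which Φ is encrypted once under pk_0 and ξ_t under the rotated pk_t. The group parameters, the choice h = g^d for the token, and all function names are this example's assumptions.

```python
"""Toy updatable ElGamal for the Section 4 construction (constructed example; not the paper's code).

The group is tiny and insecure; it only demonstrates the algebra of the two-key Eval/Dec.
"""
import random

# Constructed toy group: p = 2q + 1 with q prime, g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4


def keygen(rng):
    """KeyGen: pk = (p, q, g, g^s mod p), sk = s."""
    s = rng.randrange(1, Q)
    return (P, Q, G, pow(G, s, P)), s


def keyupd(pk, sk, rng):
    """KeyUpd: fresh key pair and token sigma = (h, d), d = s' - s (h = g^d is an assumption here)."""
    s_new = rng.randrange(1, Q)
    d = (s_new - sk) % Q
    return (P, Q, G, pow(G, s_new, P)), s_new, (pow(G, d, P), d)


def enc(pk, m, rng):
    """Enc: (g^r, m * y^r) mod p with y = g^s."""
    p, q, g, y = pk
    r = rng.randrange(1, q)
    return pow(g, r, p), (m * pow(y, r, p)) % p


def dec(sk, ct):
    """Dec for a two-component ciphertext: c2 * c1^(-s) mod p."""
    c1, c2 = ct
    return (c2 * pow(c1, -sk, P)) % P


def eval_mixed(ct1, ct2):
    """Modified Eval (Definition 4.3): multiply ciphertexts made under different key pairs.

    Output (g^r, g^r', m1 m2 g^(s r + s' r')) mod p keeps both ephemeral components.
    """
    (a1, b1), (a2, b2) = ct1, ct2
    return a1, a2, (b1 * b2) % P


def dec_mixed(sk_t, sk_tk, ct):
    """Modified Dec: strip the later key via (c2, c3), then the earlier key via (c1, c)."""
    c1, c2, c3 = ct
    c = dec(sk_tk, (c2, c3))  # intermediate value m1 m2 g^(s r) mod p
    return dec(sk_t, (c1, c))


def next_key_from_token(sk_t, token):
    """The proposition's observation: sk_(t+1) = sk_t + d, so the token must never reach the server."""
    _, d = token
    return (sk_t + d) % Q


def demo_mixed_keys(m1, m2, seed=0):
    """Encrypt m1 under pk_t and m2 under pk_(t+1); return (decrypted product, token recovers sk_(t+1))."""
    rng = random.Random(seed)
    pk_t, sk_t = keygen(rng)
    pk_n, sk_n, token = keyupd(pk_t, sk_t, rng)
    ct = eval_mixed(enc(pk_t, m1, rng), enc(pk_n, m2, rng))
    return dec_mixed(sk_t, sk_n, ct), next_key_from_token(sk_t, token) == sk_n


def encrypted_control_step(phi, xi, steps, seed=0):
    """Fig. 2 flow for psi = sum_j phi_j xi_j: Phi encrypted once under pk_0, xi_t under the rotated pk_t.

    The server sees only ciphertexts; no update token is sent to it. Returns (psi, plaintext psi).
    """
    rng = random.Random(seed)
    pk0, sk0 = keygen(rng)
    ct_phi = [enc(pk0, v, rng) for v in phi]  # ct_{Phi,0}, held by the server
    pk_t, sk_t = pk0, sk0
    for _ in range(steps):  # key pair rotates every sampling period on the plant side
        pk_t, sk_t, _token = keyupd(pk_t, sk_t, rng)
    ct_xi = [enc(pk_t, v, rng) for v in xi]  # ct_{xi,t} sent to the server
    ct_psi = [eval_mixed(a, b) for a, b in zip(ct_phi, ct_xi)]  # server-side EC
    psi = sum(dec_mixed(sk0, sk_t, c) for c in ct_psi) % P  # Sum o Dec on the plant side
    return psi, sum(a * b for a, b in zip(phi, xi)) % P
```

With steps = 0 the two keys coincide and the function reduces to the original single-time homomorphism of Example 2.4.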

Security Parameter Design
This section proposes a design method for a security parameter of the modified updatable homomorphic encryption that consists of the algorithms in Example 2.4 and Definition 4.3. To this end, we propose a novel sample identifying complexity of (1) with the encrypted controller (4) under the adversary in Definition 3.1. Using the sample identifying complexity, we design the minimum security parameter that makes the encrypted control system secure against the adversary.
A sample identifying complexity and a sample deciphering time are crucial for defining the security of encrypted control systems in Definition 2.9. The sample deciphering time in Definition 2.8 can be computed without assuming a particular encryption scheme. In contrast, a computation method for a sample identifying complexity is not obvious because it depends on the system dynamics and the system identification method. This study proposes a sample identifying complexity of (1) under the adversary in Definition 3.1 when the estimation error of the least squares identification method is defined as follows.
Definition 5.1. The estimation error of (3) is defined as where c = n(n + m) is the number of entries of A and B.
By Definition 5.1, is the mean square error of Â and B̂. It should be noted that one of the best strategies for the adversary in Definition 3.1 to design the malicious inputs a_{t_s}, …, a_{t_f} minimizing the error is to sample the inputs independently and identically from a Gaussian distribution with mean zero. Under this setting, the following theorem gives a sample identifying complexity.
Theorem 5.2. Suppose the malicious inputs a_{t_s}, …, a_{t_f} are i.i.d. signals following the Gaussian distribution with mean 0 and variance σ_u^2 I. The function is the sample identifying complexity of (1) under the adversary in Definition 3.1, where Ψ_u and Ψ_w are the controllability Gramians obtained by solving the discrete Lyapunov equations AΨ_u A^⊤ − Ψ_u + BB^⊤ = 0 and AΨ_w A^⊤ − Ψ_w + I = 0, respectively.
where ⊗ is the Kronecker product. Using Jensen's inequality, the expectation of the trace of the inverse matrix is bounded from below by tr .
It follows from (1) that Thus, the expectations of the traces are given as Furthermore, the matrices are bounded by Therefore, we obtain By Definition 2.7, γ(N) is the sample identifying complexity of (1) under the adversary in Definition 3.1. If the sample size is sufficiently large, the sample identifying complexity (5) is given by a simple equation.
Define the variance ratio R_σ := σ_u^2/σ_w^2. Suppose a sample size N is sufficiently large. Then, the function (6) is the sample identifying complexity of (1) under the adversary in Definition 3.1.
Proof. If N is sufficiently large, the denominator of (5) can be approximated by (N − 1)(σ_u^2 (tr(Ψ_u) + m) + σ_w^2 tr(Ψ_w)). Then, (6) holds by dividing both the numerator and the denominator of (5) by σ_w^2.
Equation (6) shows that the sample identifying complexity is characterized by the traces of the controllability Gramians Ψ_u, Ψ_w and the variance ratio R_σ. If R_σ is small, i.e., σ_u^2 ≪ σ_w^2, the sample identifying complexity can be approximated by and the system states are driven almost only by the system noise. In such a case, the smaller the eigenvalues of Ψ_w, which represent how strongly the noise affects the states, the larger the sample identifying complexity. In contrast, if R_σ is large, i.e., σ_u^2 ≫ σ_w^2, the sample identifying complexity can be approximated by and the states are driven almost only by the system inputs rather than the noise. The sample identifying complexity in this case increases as the trace of Ψ_u decreases.
These observations suggest a defense policy that minimizes the eigenvalues of the Gramians to reduce the information leakage of (1) by maximizing the sample identifying complexity. However, this defense policy seems to have a limitation. An adversary may choose an input variance σ_u^2 sufficiently larger than the noise variance σ_w^2 to decrease the estimation error. Then, the sample identifying complexity converges to γ(N) = (m + n) / ((N − 1) m R_σ) (7) as the trace of the Gramian Ψ_u goes to zero. Equation (7) is the upper bound of the sample identifying complexity when R_σ is large. Furthermore, reducing the trace of Ψ_u implies that the energy of the system inputs affecting the system states is attenuated.
In other words, the controllability of (1) must be degraded to improve the sample identifying complexity. This property is undesirable in practice because it means the system is difficult to control. Note that, even when σ_u^2 is sufficiently smaller than σ_w^2, there is the upper bound γ(N) = (m + n) / ((N − 1) n), because AΨ_w A^⊤ − Ψ_w + I = 0 holds only if tr(Ψ_w) > tr(I) = n as long as A is not a zero matrix.
These upper bounds motivate increasing the security parameter of the encryption scheme in use to further improve the security. Meanwhile, a large security parameter leads to a high computational burden. This dilemma can be resolved reasonably by obtaining the optimal security parameter, designed as the minimum security parameter that guarantees the security of the encrypted control system. The security parameter design in this study follows the approach in [14] using the sample identifying complexity (6). The rest of this section summarizes this approach. The sample deciphering time in Definition 2.8 is monotonically increasing in the sample size N. Hence, by Definition 2.9, an encrypted control system becomes secure if the sample deciphering time τ(N*, λ) becomes larger than the defense period τ_c, where N* is the minimum sample size such that the sample identifying complexity γ(N*) is smaller than the acceptable estimation error γ_c. Consequently, we obtain the following theorem.
Theorem 5.4. Suppose a sample size N is sufficiently large. The minimum security parameter λ* that guarantees that the encrypted control system consisting of (1) and (4) is secure, in the sense of Definition 2.9, is where Υ and (γ_c, τ_c) are defined in Definition 2.8 and Definition 2.9, respectively.
Proof. It follows from (6) that Hence, the minimum sample size N* such that γ(N*) < γ_c is given as Similarly, the minimum security parameter λ* such that τ(N*, λ*) > τ_c is given as where This completes the proof.
Note that the minimum key length k* of an encryption scheme satisfying λ*-bit security can be computed as where λ* is given by (8) and Ω(k) is the time complexity of the fastest known algorithm for breaking the encryption scheme.
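An added example, not part of the paper: the design procedure of Theorem 5.4 carried out in pure Python with the Section 6 system (A = 0.7071I, B = I, n = m = 4). It takes (6) as γ(N) = (m + n) / ((N − 1)(R_σ (tr Ψ_u + m) + tr Ψ_w)), the form consistent with the large-N denominator in the proof above and with the limits (7) and (m + n) / ((N − 1) n); the Gramian traces are summed from the Lyapunov series, and the FLOPS figure Υ, the design pair (γ_c, τ_c) and the function names are constructed assumptions.

```python
"""Security parameter design of Theorem 5.4 (constructed example, not the paper's code).

gamma(N)    = (m + n) / ((N - 1) (R_sigma (tr Psi_u + m) + tr Psi_w))  # (6), as read from the proof
tau(N, lam) = 2**lam * N / Upsilon                                     # Definition 2.8
"""
import math


def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) for j in range(len(Y[0]))]
            for i in range(len(X))]


def transpose(X):
    return [list(row) for row in zip(*X)]


def gramian_trace(A, B, tol=1e-12, max_terms=10_000):
    """tr(Psi) for A Psi A^T - Psi + B B^T = 0 via Psi = sum_k A^k B B^T (A^T)^k (A stable)."""
    At = transpose(A)
    term = matmul(B, transpose(B))  # k = 0 term
    total = 0.0
    for _ in range(max_terms):
        inc = sum(term[i][i] for i in range(len(A)))
        total += inc
        if inc < tol:
            break
        term = matmul(matmul(A, term), At)
    return total


def sample_identifying_complexity(N, n, m, tr_psi_u, tr_psi_w, r_sigma):
    """gamma(N) of (6): lower bound on the adversary's expected least-squares error."""
    return (m + n) / ((N - 1) * (r_sigma * (tr_psi_u + m) + tr_psi_w))


def upper_bound_large_ratio(N, n, m, r_sigma):
    """(7): limit of gamma(N) as tr(Psi_u) -> 0, i.e. the most that damping inputs can buy."""
    return (m + n) / ((N - 1) * m * r_sigma)


def min_sample_size(n, m, tr_psi_u, tr_psi_w, r_sigma, gamma_c):
    """N*: smallest N with gamma(N) < gamma_c. Solving (6) gives N - 1 > (m + n) / (gamma_c * denom)."""
    denom = r_sigma * (tr_psi_u + m) + tr_psi_w
    return math.floor((m + n) / (gamma_c * denom)) + 2


def min_security_parameter(n_star, tau_c, upsilon):
    """lambda*: smallest lambda with tau(N*, lambda) = 2^lambda N* / Upsilon > tau_c."""
    lam = 0
    while 2 ** lam * n_star / upsilon <= tau_c:
        lam += 1
    return lam


def design(A, B, sigma_u2, sigma_w2, gamma_c, tau_c, upsilon):
    """Whole procedure: Gramian traces -> N* from (6) -> lambda* from Definition 2.8."""
    n, m = len(A), len(B[0])
    identity = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    tr_u, tr_w = gramian_trace(A, B), gramian_trace(A, identity)
    n_star = min_sample_size(n, m, tr_u, tr_w, sigma_u2 / sigma_w2, gamma_c)
    return {"tr_psi_u": tr_u, "tr_psi_w": tr_w, "N_star": n_star,
            "lambda_star": min_security_parameter(n_star, tau_c, upsilon)}


# Section 6 system: A = 0.7071 I, B = I with n = m = 4, giving Psi_u = Psi_w = 2I.
A4 = [[0.7071 if i == j else 0.0 for j in range(4)] for i in range(4)]
B4 = [[1.0 if i == j else 0.0 for j in range(4)] for i in range(4)]

if __name__ == "__main__":
    # Constructed design inputs: R_sigma = 100, gamma_c = 1e-4, ten-year defense period, 1 PFLOPS adversary.
    print(design(A4, B4, 100.0, 1.0, 1e-4, 10 * 365 * 86400, 1e15))
```

Replacing `gramian_trace` with a Lyapunov solver from a numerical library gives the same design for any stable A.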

Numerical Simulation
This section presents the results of numerical simulations. We set m = n = 4 and σ_x^2 = 1 throughout the simulations.
Consider the system (1) whose controllability Gramians are Ψ_w = Ψ_u = 2I, where the corresponding system parameters are A = 0.7071I and B = I. Fig. 3 shows the estimation errors and sample identifying complexities for the nine combinations of σ_w^2 = 0.1, 1, 10 and σ_u^2 = 0.1, 1, 10. The gray dots are the estimation errors in Definition 5.1. The blue solid and orange dashed lines are the expectations of the estimation errors and the sample identifying complexities (6), respectively. Here, the system identification is performed 50 times for each sample size with different data sets generated from the dynamics of (1) with the system parameters. The estimation errors and their expectations in the figure become smaller as the variance ratio increases, and the proposed complexities capture the behavior of the expectations in all the cases. Moreover, the sample identifying complexity with the larger variance ratio is less conservative. Hence, our proposed complexity becomes more practical as an adversary attempts to estimate system parameters more accurately.
Next, we confirm the changes in the expectation of the estimation error and the sample identifying complexity when the controllability Gramian Ψ_u is varied. The other Gramian Ψ_w and the variance ratio R_σ in this simulation are fixed to 2I and 100, respectively. Fig. 4 depicts the expectations and sample identifying complexities as in Fig. 3. Additionally, the black dotted lines are the upper bound (7) of the sample identifying complexities. The sample identifying complexity in the figure converges to the upper bound as the trace of Ψ_u decreases. Accordingly, the expectation of the estimation error increases, which makes system identification more difficult.

Conclusion
This study presented a modification of a conventional updatable homomorphic encryption scheme for improving the security of encrypted control systems against an eavesdropper and a malicious server. A novel sample identifying complexity was also proposed under an adversary attempting to identify system parameters in an encrypted control system using a least squares method. The proposed sample identifying complexity is characterized by controllability Gramians and a variance ratio between the identification input and the system noise. Furthermore, using the sample identifying complexity, the optimal security parameter for encrypted control systems with the modified updatable homomorphic encryption was designed. The effectiveness of the proposed method was demonstrated through numerical simulations.
Our future work includes extending the optimal security parameter design under other identification methods, such as subspace identification methods, and considering multi-agent and nonlinear systems.
The remaining items of Definition 2.1 are as follows.
• ct ← Enc(pk, m): An encryption algorithm takes a public key pk and a plaintext m ∈ M as input and outputs a ciphertext ct ∈ C.
• m ← Dec(sk, ct): A decryption algorithm takes a secret key sk and a ciphertext ct ∈ C as input and outputs a plaintext m ∈ M.
• ct ← Eval(pk, ct_1, ct_2): A homomorphic evaluation algorithm takes a public key pk and ciphertexts ct_1, ct_2 ∈ C as input and outputs a ciphertext ct ∈ C.
• Correctness: Dec(sk, Enc(pk, m)) = m holds for any (pk, sk) ← KeyGen(1^λ) and for any m ∈ M.
• Homomorphism: Dec(sk, Eval(pk, ct_1, ct_2)) = m_1 • m_2 holds for any (pk, sk) ← KeyGen(1^λ) and for any m_1, m_2 ∈ M, where ct_1 ← Enc(pk, m_1), ct_2 ← Enc(pk, m_2), and • is a binary operation on M.

Figure 1. Two types of adversaries identifying the system: (a) eavesdropper, (b) malicious server.

Theorem 4.4. Let k ∈ N. The encryption scheme in Example 2.4 with the modified algorithms in Definition 4.3 satisfies

Figure 2. Encrypted control system with the modified updatable homomorphic encryption.

Figure 3. Comparison between the expectation of the estimation error and the sample identifying complexity.

Figure 4. Changes of the expectation of estimation error and the sample identifying complexity with the various controllability Gramians.