Controller encryption using RSA public-key encryption scheme (Asian Control Conference 2015)

June 3 Wed., 2015, 11:20-11:30, Technology And Theory For Cybersecurity Of Industrial Control Systems @ Meeting Room 2

Security  Enhancements  of  Networked  Control  Systems  Using  RSA  Public-‐‑‒

Key  Cryptosystem

Takahiro FujitaNara Institute of Science and Technology

Kiminao Kogiso, Kenji Sawada and Seiichi ShinUniversity of Electro-Communications

The 10th Asian Control ConferenceMay 31 to June 3, 2015

@ Sutera Harbour Resort, Sabah, Malaysia

Outline

2

Introduction  Problem  Statement  RSA-‐‑‒Encrypted  Controller  Simulation  &  Validation  Conclusion

Introduction

3

Controller device is important, but exposed to threats of hacking and targeted attacks. signals: interruption, modeling, stealing recipe, management policy and know-how parameters: knowledges about system designs and operations

Attacks to networked control system

plantcontrollerref. (recipe)

control signals

feedback signalsparameters

[1] Sandberg et al., 2015. [2] Sato et al., 2015. [3] Pang et al., 2011

Related works aiming to conceal the signals control-theoretical approach: detection[1], positive use of noises[2] cryptography-based approach: encryption of communication links[3]

no studies trying to encrypt the controller itself…

control (cipher)

feedback(cipher)

EncDec

Enc Decplantcontroller

ref. ref.

(cipher)Enc Dec

Introduction

4

Objective of this workRealize a cryptography-based control law to conceal both the signals & parameters.

control (cipher)

feedback(cipher)

EncDec

Enc Decplantcontroller

ref. ref.

(cipher)Enc Dec

conventional:

control (cipher)

feedback(cipher)

Enc

Decplantencrypted

controller

ref. ref.

(cipher)Enc

parameters (cipher)

proposed:

The encrypted controller: calculates an encrypted control directly from an encrypted feedback signal & an encrypted reference using encrypted parameters, and

incorporates homomorphism of RSA public-key encryption into the control law.

Problem Statement

5

Encryption of controllerConsider a feedback control law :

K : scalar gain k : discrete time

: scalar plant output: scalar control inputu

y

f

Controller encryption problem:

Given an encryption scheme , for a control law realize an encrypted law .fE fE

Define an encrypted control law , given an encryption scheme , satisfyingfE

fE(Enc(K),Enc(y)) = Enc(f(K, y))

5

control (cipher)

feedback(cipher)

Enc

Decplant

parameters (cipher)

fE(Enc(K),Enc(y))

Enc(y)

Enc(u) u

yEnc(K)

E

.

u[k] = f(K, y[k]) := Ky[k]

RSA-Encrypted Controller

6[4] Rivest, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystem”, 1978. [5] Rivest, “On Data Banks and Privacy Homomorphisms”, 1978.

RSA public-key encryptionRSA encryption scheme[4,5] (Rivest-Shamir-Adelman cryptosystem)

key generation: public keys , , and private key (prime numbers)

encryption:

decryption:

e n d

m

c

: integer in plaintext space

: integer in ciphertext space

Homomorphism of the RSA encryption[5]

Enc(m1 ⇥m2) = Enc(m1)⇥ Enc(m2) mod n

Assumed that and , then the following holds.m1 = K m2 = y

fE(Enc(K),Enc(y)) := Enc(K)⇥ Enc(y) mod n

= Enc(K ⇥ y) = Enc(u)

c = Enc(m) = memod n

m = Enc(c) = cd mod n

RSA-Encrypted Controller

7

a 2 Nb•e : round function

KpM = ba⇥KpeyM[k] = ba⇥ y[k]euM[k] = KpMyM[k]

Kp

y[k]

u[k] = Kpy[k]

example: , then .Kp = 0.83, a = 1000 KpM = b1000⇥ 0.83e = 830

RemarksSignals & parameters are real; Plaintext is integer.

need a map: multiplying by a natural number and rounding off to an integer, i.e.,

with and sufficient large, rounding (quantization) error can be made small.

Enc(uM[k]) = Enc(KpM)Enc(yM) mod n

a

encrypted controller

u[k]

y[k]Enc

Dec

Enc(KpM)

Enc(yM[k])

Enc(uM[k])a�2

yM[k]

uM[k]

ba•eplant

n

Simulation: Controller Encryption

8

Enc(KpM) = (ba⇥Kpe)e mod n = 36364958n = 94399927 e = 587 d = 42929459(key length 27bit)

Things seen in controller

Kp = 0.83

Enc(KpM) = 36364958

encrypted controller

Enc(KpM)

Enc(yM[k])

Enc(uM[k])

0 10 20 300

5

10x 107

Enc(uM[k])

time[s]−1

0

1

0 10 20 300

5

10x 107

Enc(yM[k])

time[s]−1

0

1

u[k]

y[k]

normal:

proposed:

Kp

u[k]

y[k]

controller

a = 1000

Validation: Protection from Stealing

9

Result of system identification (n4sid)

−150

−100

−50

0

50

10−1

100

101

102

103

−270

−180

−90

0

original closed loop systemwithout encryptionwith encryption

frequency[rad/s]

gain

[dB

]phas

e[deg

]

Conclusion

10

0 10 20 300

5

10x 107

Enc(uM[k])

time[s]−1

0

1

0 10 20 300

5

10x 107

Enc(yM[k])

time[s]−1

0

1

u[k]

y[k]

−150

−100

−50

0

50

10−1

100

101

102

103

−270

−180

−90

0

original closed loop systemwithout encryptionwith encryption

frequency[rad/s]

gain

[dB

]phas

e[deg

]

Introduction Problem Statement controller encryption problem

RSA-Encrypted Controller homomorphism of RSA encryption remarks in quantization error

Simulation & Validation enable to conceal signals & parameters inside the controller device in terms of cryptography. enable to hide dynamics of the control system.

Future works conceal control operations perfectly. extend to linear and polynomial control laws.

Simulation: Computation Cost

11

0 500 1000 1500 2000 2500 30000

1

2

3

4x 10−4

steps(sampling interval : 10ms)

com

puta

tiona

l tim

e[s]

MATLAB R2014a　Intel Core i5 3.2GHz　RAM16GB