The document summarizes research on encrypting controllers using RSA public-key cryptography. It presents: 1) The problem of encrypting control signals and parameters to conceal a system's dynamics from attackers. 2) A proposed encrypted controller that calculates encrypted control signals directly from encrypted feedback and reference using encrypted parameters and the homomorphic properties of RSA encryption. 3) Simulations showing the encrypted controller functions properly while hiding internal signals and parameters, and validation that system identification is not possible without the private key.

1. June 3 Wed., 2015, 11:20-11:30, Technology And Theory For Cybersecurity Of Industrial Control Systems @ Meeting Room 2
Security Enhancements of Networked
Control Systems Using RSA Public-‐‑‒
Key Cryptosystem
Takahiro Fujita
Nara Institute of Science and Technology
Kiminao Kogiso, Kenji Sawada and Seiichi Shin
University of Electro-Communications
The 10th Asian Control Conference
May 31 to June 3, 2015
@ Sutera Harbour Resort, Sabah, Malaysia

2. Outline
2
Introduction
Problem Statement
RSA-‐‑‒Encrypted Controller
Simulation & Validation
Conclusion

3. Introduction
3
Controller device is important, but exposed to threats of hacking and targeted attacks.
signals: interruption, modeling, stealing recipe, management policy and know-how
parameters: knowledges about system designs and operations
Attacks to networked control system
plantcontroller
ref. (recipe)
control signals
feedback signals
parameters
[1] Sandberg et al., 2015. [2] Sato et al., 2015. [3] Pang et al., 2011
Related works
aiming to conceal the signals
control-theoretical approach: detection[1], positive use of noises[2]
cryptography-based approach: encryption of communication links[3]
no studies trying to encrypt the controller itself…
control
(cipher)
feedback
(cipher)
EncDec
Enc Dec
plantcontroller
ref.
ref.
(cipher)
Enc Dec

4. Introduction
4
Objective of this work
Realize a cryptography-based control law to conceal both the signals & parameters.
control
(cipher)
feedback
(cipher)
EncDec
Enc Dec
plantcontroller
ref.
ref.
(cipher)
Enc Dec
conventional:
control
(cipher)
feedback
(cipher)
Enc
Dec
plantencrypted
controller
ref.
ref.
(cipher)
Enc
parameters
(cipher)
proposed:
The encrypted controller:
calculates an encrypted control directly from an encrypted feedback signal & an encrypted
reference using encrypted parameters, and
incorporates homomorphism of RSA public-key encryption into the control law.

5. Problem Statement
5
Encryption of controller
Consider a feedback control law :
K: scalar gain k : discrete time
: scalar plant output
: scalar control inputu
y
f
Controller encryption problem:
Given an encryption scheme , for a control law realize an encrypted law .fE fE
Define an encrypted control law , given an encryption scheme , satisfyingfE
fE (Enc(K), Enc(y)) = Enc(f(K, y))
5
control
(cipher)
feedback
(cipher)
Enc
Dec
plant
parameters
(cipher)
fE (Enc(K), Enc(y))
Enc(y)
Enc(u) u
y
Enc(K)
E
.
u[k] = f(K, y[k]) := Ky[k]

6. RSA-Encrypted Controller
6[4] Rivest, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystem”, 1978. [5] Rivest, “On Data Banks and Privacy Homomorphisms”, 1978.
RSA public-key encryption
RSA encryption scheme[4,5] (Rivest-Shamir-Adelman cryptosystem)
key generation: public keys , , and private key (prime numbers)
encryption:
decryption:
e n d
m
c
: integer in plaintext space
: integer in ciphertext space
Homomorphism of the RSA encryption[5]
Enc(m1 ⇥ m2) = Enc(m1) ⇥ Enc(m2) mod n
Assumed that and , then the following holds.m1 = K m2 = y
fE (Enc(K), Enc(y)) := Enc(K) ⇥ Enc(y) mod n
= Enc(K ⇥ y) = Enc(u)
c = Enc(m) = me
mod n
m = Enc(c) = cd
mod n

7. RSA-Encrypted Controller
7
a 2 N
b•e : round function
KpM = ba ⇥ Kpe
yM[k] = ba ⇥ y[k]e
uM[k] = KpMyM[k]
Kp
y[k]
u[k] = Kpy[k]
example: , then .Kp = 0.83, a = 1000 KpM = b1000 ⇥ 0.83e = 830
Remarks
Signals & parameters are real; Plaintext is integer.
need a map: multiplying by a natural number and rounding off to an integer, i.e.,
with and sufficient large, rounding (quantization) error can be made small.
Enc(uM[k]) = Enc(KpM)Enc(yM) mod n
a
encrypted
controller
u[k]
y[k]
Enc
Dec
Enc(KpM)
Enc(yM[k])
Enc(uM[k])
a 2
yM[k]
uM[k]
ba•e
plant
n

8. Simulation: Controller Encryption
8
Enc(KpM) = (ba ⇥ Kpe)e
mod n = 36364958n = 94399927 e = 587 d = 42929459
(key length 27bit)
Things seen in controller
Kp = 0.83
Enc(KpM) = 36364958
encrypted
controller
Enc(KpM)
Enc(yM[k])
Enc(uM[k])
0 10 20 30
0
5
10
x 10
7
Enc(uM[k])
time[s]
−1
0
1
0 10 20 30
0
5
10
x 10
7
Enc(yM[k])
time[s]
−1
0
1
u[k]y[k]
normal:
proposed:
Kp
u[k]
y[k]
controller
a = 1000

9. Validation: Protection from Stealing
9
Result of system identification (n4sid)
−150
−100
−50
0
50
10
−1
10
0
10
1
10
2
10
3
−270
−180
−90
0
original closed loop system
without encryption
with encryption
frequency[rad/s]
gain[dB]phase[deg]

10. Conclusion
10
0 10 20 30
0
5
10
x 10
7
Enc(uM[k])
time[s]
−1
0
1
0 10 20 30
0
5
10
x 10
7
Enc(yM[k])
time[s]
−1
0
1
u[k]y[k]
−150
−100
−50
0
50
10
−1
10
0
10
1
10
2
10
3
−270
−180
−90
0
original closed loop system
without encryption
with encryption
frequency[rad/s]
gain[dB]phase[deg]
Introduction
Problem Statement
controller encryption problem
RSA-Encrypted Controller
homomorphism of RSA encryption
remarks in quantization error
Simulation & Validation
enable to conceal signals & parameters inside
the controller device in terms of cryptography.
enable to hide dynamics of the control system.
Future works
conceal control operations perfectly.
extend to linear and polynomial control laws.

11. Simulation: Computation Cost
11
0 500 1000 1500 2000 2500 3000
0
1
2
3
4
x 10
−4
steps(sampling interval : 10ms)
computationaltime[s]
MATLAB R2014a Intel Core i5 3.2GHz RAM16GB