1. Introduction
1.1. Motivation
The recent advances in reliability and speed of communication have led to an increased use of cloudbased services, which provide computation and data storage capabilities to clients. Control over the cloud [34, 14, 15] has numerous advantages, which include easier installation and maintenance [21], and the availability of global information from all of the cloud’s clients when making control decisions. However, the main advantage of control over the cloud is that it allows control systems to outsource expensive computational tasks to the cloud, thus potentially improving the speed of computation and freeing the local computational capabilities for other tasks.
An illustrative example of the benefits of outsourcing computing can be observed in Model Predictive Control (MPC). MPC is a conceptually simple, yet powerful scheme that was adopted in industry for multivariable control [23]. MPC inherently involves solving complex constrained optimization problems online (i.e., within one sampling interval). The work in [34] presents an experimental study that shows feasibility of MPC over the cloud for robot control. Another work (see [14]) considered the practicality and benefits of cloudbased MPC for a largescale solar plant. The availability of global information provided by control over the cloud can have many practical benefits, as shown in [15]
. There, the authors propose a solution to the problem of traffic flow estimation via the cloud.
However, relying on a thirdparty to perform computation is not without its dangers. Despite the benefits of control over the cloud, a number of studies have shown that exposing existing systems to connectivity may lead to security vulnerabilities in a vast variety of applications [5, 13, 6, 12], including control of process plants, traffic infrastructure, and smart meter systems. Cybersecurity attacks vary based on the amount of resources the attacker possesses [31]. One of the most basic attacks that requires little resources is eavesdropping. It can often serve as a stepping stone in the implementation of more complex attacks [24]. In control over the cloud, eavesdropping involves the adversary listening in to the communication channel between sensors, controllers, and actuators to leak valuable information about the model, the controller, and trajectories [10]. The client is expected to disclose all of this sensitive information to the cloud if it intends to receive valid control inputs from it. For example, we would expect drivers to share their locations, final destinations and, perhaps, dynamics to successfully allow traffic control over the cloud.
Eavesdropping attacks are usually prevented with encryption  the plant and the cloud establish a shared key with which they encrypt transmitted messages and decrypt the received ones. However, if the adversary manages to undermine the security of the cloud (e.g., gain unauthorized access to its memory), this technique can no longer protect the system since the cloud accesses the decrypted data. As stated in [26], traditional IT security provides only a partial solution. Therefore, there is a pressing need for development of controloverthecloud methods that do not rely on decryption of the incoming data. Although much effort has been directed to this problem, a universally secure scheme for control over the cloud that could support any client functionality has not yet been created [32, 2]. When solving the problem of private control over the cloud, two other important concerns need to be accounted for: efficiency and safety. Privacy cannot come at the cost of degradation of control performance either due to delays in the feedback loop or inaccurate control inputs.
1.2. Related work
The body of work on privacy in control over the cloud can be categorized into methods based on homomorphic encryption, differential privacy, and algebraic transformations.
When using homomorphic encryption techniques, the cloud is able to perform the computations on encrypted data without the need to decrypt it [3]. As a result, the cloud can implement optimization algorithms using fully homomorphic encryption (FHE), as done in [17, 11]. However, FHE is inefficient in terms of execution time [3], which makes it impractical for online optimization. Therefore, partially homomorphic encryption (PHE), a simpler form of FHE only allowing for a subset of operations to be performed on encrypted data, has become more popular in connection to privacy in control over the cloud. While PHE methods are shown to be feasible and are able to provide privacy guarantees [9, 10, 21, 27, 2, 1], execution time, which grows disproportionally with an increase in key length [10, 2], remains a valid concern in these methods. A consequence of this is that using homomorphic encrypion may potentially lead to instability in the controlled system due to processing delays. To address this problem, some works (see [10]) have shown that encryption parameters can be chosen to ensure stability of the closedloop performance, thus providing a natural tradeoff between security and control performance. The practical feasibility of encrypted control systems has been validated in [16] by considering control of a DC motor in real time.
Inspired by studies in privacy of databases, the problem of privacy in control over the cloud has also been approached from the standpoint of differential privacy (see [7, 18]). This technique ensures that the risk of losing privacy of a single user's data by means of data queries is low. The main idea of these methods is to perturb the response to a data query with appropriate noise [8]. However, to achieve more privacy, the user must sacrifice accuracy (i.e., add more noise), which, in the context of control, degrades the control performance.
The ideas behind algebraic transformation methods have initially stemed from works on privacy in optimization. The idea is to use algebraic transformations to produce a different, but equivalent optimization problem. In other words, although the cloud does not know the original optimization problem, it can provide the client with an optimal solution to an equivalent optimization problem from which the client is able to recover the optimal solution to the original problem. Although initially these methods found application exclusively in linear programs
[22, 35], several efforts have been directed to providing a unified framework and generalizing them to convex optimization problems (see [37, 36]). The work in [37] also shows one of the first attempls to define and quantify privacy of transformationbased methods. Algebraic transformation methods found applications in control due to their efficiency and guaranteed optimality of the solution [36]. For example, in [39] the authors propose a hybrid transformationbased method to preserve privacy of an MPC controller in networked control systems. In [38], transformationbased methods are used to provide privacy in a specific problem AC Optimal Power Flow.1.3. Contributions
This paper focuses on the use of transformationbased methods to preserve privacy of the system dynamics, control objective and constraints, and system trajectories. The contributions of this paper are fourfold:

we propose using isomorphisms and symmetries of control systems as a source of transformations so as to keep data private;

we quantify the privacy guaranteed by these methods via the dimension of the set that describes the uncertainty experienced by the adversary;

we quantify how much privacy is lost when the adversary is assumed to have access to side knowledge;

we show that the proposed method is computationally light as it only requires matrix multiplications.
The method proposed in this paper was initially introduced in [29]. In [28], it was extended to networked control systems with several agents requesting control input from a single cloud. In [30], the dimension of the set describing the uncertainty experienced by the adversary was proposed as a measure of privacy for this method and was evaluated for the special case of free group actions. This paper provides a unified presentation of the results in [29, 30] with simpler proofs and several new results, such as the bounds on privacy when the group action is not free and an exact quantification of privacy for prime systems.
While privacy quantification in optimization has been studied in [36], this work considers how much privacy is preserved in the more challenging context of control. Moreover, the measure of privacy proposed in this work has been chosen to be suitable for problems of optimization in control systems and, therefore, is different from any of those proposed in [36]. Although the application of transformationbased methods in control has been previously discussed in [39], the scheme proposed there only considers a special case, where the cloud optimizes the weighted sum of the norms of the input and state, and the state is taken to be the output of the system. Our algorithm can be applied to a wider class of problems as we allow for arbitrary quadratic costs, linear constraints and outputs different from the state.
2. Problem Definition
2.1. Plant dynamics and control objective
We consider discretetime affine plants, denoted by , and described by:
(2.1) 
where , , , , and describe the dynamics of the system, and , and denote the state, input and output of the system at time , respectively. We assume that system is controllable and observable. We also assume, without loss of generality, that and , since we can always eliminate linearly dependent columns (resp. rows) from (resp. .
To simplify notation, we lift every affine map to a linear map through the following construction:
(2.2) 
In the remainder of the paper we suppress the inner structure for simplicity and represent all the systems in the linear form (2.3). However, the reader is advised to remember that we are dealing with affine maps. This is also true for the affine maps we will use to define isomorphisms.
We refer to system (2.3) as the triple . We call a triple a trajectory of if it satisfies (2.1) for all .
Additionally, we define a cost function for that allows to compare trajectories and, thus, to formulate different control objectives. In alignment with the linear framework, we consider quadratic cost functions given by:
(2.4) 
where , and . The sequences and denote the reference trajectories to be tracked. We define to be a positivedefinite matrix. Due to the lift (2.2), this cost includes not only quadratic, but also linear terms.
In addition to a cost, we also consider control objectives that require certain constraints to be satisfied at all times. These constraints are defined as:
(2.5) 
where and . Note that, despite appearing to be linear constraints, the constraints above are in fact affine, in view of the construction (2.2).
2.2. Attack model and privacy objectives
The cloud is treated as a curious but honest adversary: the cloud adheres to the computations prescribed by an agreedupon protocol, but may seek to extract and leak confidential information by keeping record of all computations and communicated messages.
The interaction between the plant and the cloud is performed in two steps. During the first step, called the handshaking, the plant provides the cloud with a suitably modified version of the plant model, cost, and constraints. In exchange, the cloud agrees to compute the input minimizing the provided cost, subject to the constraints and plant dynamics. During the second step, called plant execution, the plant repeatedly sends a suitably modified version of its measurements to the cloud. The cloud computes a new input based on the received measurements and sends it to the plant, where it is suitably modified before being applied to the plant.
In the previous paragraph we purposely used the vague expression “suitably modified”. Making this expression more concrete requires that we first define the knowledge available to the plant. We consider the following three scenarios.
Problem 2.1 (Scenario 1).
Assuming the cloud has no knowledge about the plant:

how to modify the plant , cost , and constraint matrix before sending them during the handshaking step,

how to modify the measurements sent to the plant, and

how to modify the inputs received from the plant,
so that the plant’s trajectory minimizes cost in (2.4), while preventing the cloud from learning the plant , the cost , the constraint matrix , and the plant’s trajectory ?
Problem 2.2 (Scenario 2).
Assuming the cloud has no knowledge about the plant except for knowing what are its sensors and actuators:

how to modify the plant , cost , and constraint matrix before sending them during the handshaking step;

how to modify the measurements sent to the plant, and

how to modify the inputs received from the plant,
so that the plant’s trajectory minimizes cost in (2.4), while preventing the cloud from learning the plant , the cost , the constraint matrix , and the plant’s trajectory ?
Problem 2.3 (Scenario 3).
Assuming the cloud has complete knowledge about the plant dynamics, including its sensors and actuators:

how to modify cost , and constraint matrix before sending them alongside the plant during the handshaking step;

how to modify the measurements sent to the plant, and

how to modify the inputs received from the plant,
so that the plant’s trajectory minimizes cost in (2.4), while preventing the cloud from learning the cost , the constraint matrix , and the plant’s trajectory ?
3. Isomorphisms and
symmetries of control systems
In this section, we introduce the notions of isomorphism and symmetry of control systems along with several technical results used in Section 4 to provide a solution to the problems described in Section 2.
Let us denote by the set of all controllable and observable linear control systems with state, input and output dimensions , , and , respectively.
Definition 3.1.
An isomorphism of control systems in is a quadruple consisting of a change of state coordinates , state feedback , a change of coordinates in the input space , and a change of coordinates in the output space . Transformations and are affine invertible maps, is an affine map and is a linear invertible map.
Recall that, to simplify notation, we lift the affine maps to linear maps using the transformation (2.2).
Let us also denote the set of isomorphisms of described in Definition 3.1 as . The set forms a group under function composition as the group operation^{1}^{1}1A composition of two isomorphisms is given by , the identity is and the inverse is given by . This allows us to define a group action of on the set of linear control systems .
Definition 3.2.
Each element acts on to produce given by:
(3.1)  
The map is called an isomorphism action. We also say that systems and are equivalent.
An isomorphism maps the state , input , and output of system to the state , input , and output of system as follows:
(3.2)  
(3.3)  
(3.4) 
Similarly, an isomorphism induces transformation on the control objectives — i.e., the cost and constraints. The effect of on can be represented by:
(3.5) 
Therefore, the cost function can be expressed as a function of the sequence of modified states and the sequence of modified inputs as follows:
(3.6) 
where . Applying the isomorphism action to the constraints in (2.5) yields:
(3.7) 
where .
The effect of an isomorphism on the system, trajectory, cost and constraints will be used in Section 4 to prevent the cloud from learning them.
For a given system , there is a special subgroup of called the symmetry group of , which is defined by the following property.
Definition 3.3.
Let . An isomorphism is said to be a symmetry of if . The subgroup of symmetries of is denoted here as .
The notion of isomorphism was crafted to preserve properties of control systems. Among these, trajectories have a special significance. A simple induction argument can be used to establish the following result.
Lemma 3.4.
This means that if the cloud receives during the handshaking step, then the received sequence of measurements and the produced sequence of control inputs in the subsequent execution step are compatible with the plant . To elaborate, both the modified measurements and modified control inputs would be compatible with modified dynamics .
Let us now define to be a set of quadruples such that is a trajectory of a linear system minimizing cost function under constraints .
Lemma 3.5.
The set is a smooth manifold.
Proof.
We can see that is, in fact, the Cartesian product of with the set of cost functions , defined by positivedefinite matrices, with the set of constraints , defined by the set of fullrank matrices, where . It is known that the product space is a smooth manifold if its constituents are smooth manifolds [20, p. 21]. It remains to show that these constinuents are indeed smooth manifolds.
Let us construct the map:
(3.8)  
where and are the controllability and observability matrices of the dynamics . It can be seen that . The function is continuous since each of its elements is defined by a polynomial function of the elements of . Given that for continuous functions the preimage of every open set is an open set, we have that is an open subset of the domain of . Seeing that the domain of is a smooth manifold, is a smooth manifold of dimension .
The set of positivedefinite matrices is shown to be a smooth embedded submanifold of of dimension in [33].
The set of fullrank matrices is a smooth manifold of dimension [20, p. 19]. ∎
Similarly to , we can define a group action of on in view of the previous discussion.
Therefore, we can use the isomorphism action of to define an equivalence relation on .
Definition 3.6.
The equivalence relation , in turn, defines equivalence classes in . The equivalence class of defined by the action of is the set:
(3.11) 
This equivalence class is also called the orbit of under action of .
To facilitate further results, let us show that is a Lie group acting on .
Lemma 3.7.
The group is a Lie group of dimension acting smoothly on .
Proof.
It was previously established that
is a group. It is a Lie group because it is a Cartesian product of smooth manifolds (i.e., general linear groups and vector spaces of various dimensions) and its multiplication and inversion maps are smooth. Moreover, since the dimension of a product of smooth manifolds is equal to the sum of the factors’ dimensions, the dimension of
is [20, p. 21]. The group acts smoothly on since its action involves matrix multiplication and matrix inversion: the former results in every element of the product being a polynomial function of the elements of the factors, while the latter is smooth by Cramer’s rule [20]. ∎The next result shows that when the cloud optimizes and the plant replaces each with output , the resulting sequence of inputs can be used to reconstruct a sequence of inputs that optimizes . Its proof amounts to using the change of variables (3.2)(3.4).
Lemma 3.8.
Let and . Suppose the cloud solves the optimization problem:
subject to 
for the plant and the sequence is a unique solution of this optimization problem. Then, the unique solution of the optimization problem:
subject to 
for the plant is the sequence such that for all .
4. Solving the controloverthecloud
privacy problem
4.1. Enforcing privacy
The main reason for using isomorphisms is to preclude the cloud from distinguishing between isomorphic systems. We now formalize the notion of indistinguishability.
Definition 4.1.
A protocol renders two quadruples and indistinguishable by the cloud if the exchanged messages, when using the protocol between the cloud and the plant , and the exchanged messages, when using the protocol between the cloud and the plant , can be made the same.
The results from Section 3 allow us to construct a communication protocol between the plant and the cloud that, as will be further shown, solves Problems 2.12.3. We start by detailing this protocol.
From Lemma 3.8, we see that Algorithm 1 provides the plant with the inputs that satisfy the original control objective — i.e., the plant’s trajectory minimizes cost under affine constraints .
Let us note how all the required computations in this algorithm are matrix multiplications, which means that both handshaking and execution can be performed in time, where . However, performing matrix multiplications of constant matrices (e.g., ) in advance would reduce the complexity of the execution to . Both of these complexities were calculated only for the client side (i.e., Plant) of the algorithm.
Let us now show that applying this protocol indeed makes any two systems in the same equivalence class indistinguishable from each other.
Theorem 4.2.
Algorithm 1 renders isomorphic systems and indistinguishable by the cloud.
Proof.
Since and are isomorphic, there exists an isomorphism such that , , and . Indistinguishibility of and will be shown by running two instances of Algorithm 1: one with and as inputs, the other  with and the identity isomorphism . Let us denote the communication algorithm described in Algorithm 1 applied to with the selected isomorphism by . During handshaking:

when is executed, the plant sends , , and ;

when is executed ( is the identity of ), the plant sends , , and matrix unprotected.
Thus, the communicated dynamics and optimization problems are the same. During execution:

when is executed, takes trajectories of to trajectories of ;

when is executed, the trajectories are .
Therefore, the cloud receives the same measurements from both plants. In response, since both plants communicated the same optimization problem, the cloud sends the same control inputs to both plant and . ∎
The result described in Theorem 4.2 states that the cloud cannot differentiate between any two plants, costs, constraints or trajectories contained in the same equivalence class of the equivalence relation, thereby protecting the privacy of the system. In the next section, we quantify the amount of privacy provided by Algorithm 1.
4.2. Quantifying privacy
Privacy is created by preventing the cloud from knowing which quadruple in its equivalence class it is interacting with. Clearly, the larger the equivalence class, the more privacy is ensured. Since each equivalence class has infinitely many elements, cardinality cannot be used as a measure of privacy. In this section, we show that each equivalence class is a smooth manifold and we quantify privacy using the dimension of this manifold.
4.2.1. Preliminaries: stabilizer subgroups and their dimensions
The stabilizer subgroup of for any , denoted by , is defined by:
(4.1) 
The subgroup must be a subset of the symmetry subgroup since it must preserve the dynamics.
In [25], Respondek gives a characterization of the symmetries of controllable pairs . Since when considering pairs the output is not relevant, the isomorphisms of degenerate into the form , where the matrices , and are defined to be the same as their counterparts in Definition 3.1. We denote the group of these isomorphisms by . The group action of is given by:
(4.2) 
Let us define the symmetry subgroup of controllable systems as:
(4.3) 
The next proposition summarizes the results of [25] that are relevant to this paper and complements them with the results from [4]:
Proposition 4.3.
Let (A,B) be a controllable pair. Then:
where:
and are controllability indices of .
This result can be used to estimate the dimension of . If , then, from Proposition 4.3, we know the dimension of and that any satisfies . Given , finding a corresponding requires finding such that . Since we assume has linearly independent rows, for a given , this equation has at most one solution. A solution exists if and only if [19]. Let be the subset of defined by the elements for which a unique solution to exists. It can be seen that there is a onetoone correspondence between and . Since , this gives an upper bound on the dimension of the symmetry subgroup:
(4.4) 
Lemma 4.4.
Let us consider a special case, in which the dimension of can be computed exactly.
Definition 4.5.
A system is said to be a prime system if it is equivalent to the system of the form:
(4.5) 
where and are controllability indices of .
For prime systems we have the following characterization of the dimension of .
Lemma 4.6.
Let be a prime system. Then,
(4.6) 
where
and are controllability indices of .
Proof.
Without loss of generality, let us consider a prime system of the form (4.5). From Proposition 2 in [25], we can see that if a system is prime, a symmetry is uniquely defined by a transformation on its outputs (i.e., by transformation ).
We want to show that, in order to define a symmetry, transformation needs to be constructed in such a way that each transformed output is an affine function of outputs with relative degrees greater or equal than that of . To simplify notation, we prove this claim for the example with controllability indices , , although the employed arguments apply to any prime system:
(4.7)  
We will show, by contradiction, that if produces a transformed output based on outputs of a smaller relative degree, then cannot be part of a symmetry. In other words, there exist no matrices , , and such that the quadruple satisfies the equations:
(4.8)  
(4.9)  
(4.10) 
Assume that (4.8)(4.10) are satisfied and that contains nonzero elements if (i.e., the transformed output uses outputs of a smaller relative degree). From (4.10), we have that:
(4.11) 
By using (4.8) and (4.9), the following relation can be shown:
(4.12) 
Recursively substituting (4.12) into (4.11) results in:
Equation (4.9) implies that and, thus, leads to:
(4.13) 
Note that is a diagonal matrix such that:
(4.14) 
In other words, this diagonal matrix marks the indices corresponding to the outputs of equal relative degree. In addition, the expression is an matrix composed out of elements of (recall that and are in the form (4.5)).
The lefthand side of (4.13) selects the columns of corresponding to the outputs of relative degree . For the example in (4.7), taking gives:
(4.15) 
The righthand side of (4.13) fills the rows corresponding to the outputs of relative degree smaller or equal than with values from . In case of example in (4.7), the righthand side, given , is:
(4.16) 
Thus, the equality in (4.13), which was derived using the definition of symmetry, forces to zero if . In the example in (4.7), this leads to . This contradicts the assumption that produces a transformed output based on outputs of a smaller relative degree.
This idea can be generalized to any prime system and, therefore, each transformed output can only be an affine function of outputs with relative degrees greater or equal than that of .
The number of outputs with a relative degree greater or equal to that of (i.e., greater or equal than ) is equal to [4]. Therefore, each modified output is an affine function with arguments and a nonzero constant term, thus leading to the equality:
(4.17) 
∎
4.2.2. Main results
Consider the scenario from Problem 2.1, in which the cloud does not know anything about the system. In this scenario, the plant encodes using an isomorphism that can be regarded as a private key used to encode and decode the information exchanged with the cloud. This isomorphism is chosen from , the group of all isomorphisms.
Proposition 4.7.
Let . Then, under the scenario described in Problem 2.1, the cloud cannot distinguish between and any other system in the uncertainty set (i.e., the equivalence class of defined by the action of ) of dimension:
(4.18) 
if Algorithm 1 is used.
For such that its corresponding is prime, this implies that the dimension of is greater or equal to:
(4.20) 
where is given in Lemma 4.6.
Comments
There are no comments yet.