1/13
Secrecy Codes for Wireless Control Systems
Anastasios Tsiamis, Konstantinos Gatsis, George J. Pappas
University of Pennsylvania
July 13, 2018
2/13
Secrecy Issues in the Internet of Things
I Interconnected sensors and actuators.
I Communication over wireless networks.
The wireless medium may be compromised.
I Broadcast nature.
I Eavesdroppers may intercept sensitive data about the physicalsystem.
3/13
Eavesdropping attacks in Dynamical Systems
Dynamical System
ENC
Sensor
ChannelDEC
User
Eavesdropper
GoalI Protect dynamical state information, e.g. position, velocity.
I Design secrecy codes.
ChallengesI Tradeoff between security and code complexity.
ApproachI Can we exploit model knowledge/physics for secrecy?
3/13
Eavesdropping attacks in Dynamical Systems
Dynamical System
ENC
Sensor
ChannelDEC
User
Eavesdropper
GoalI Protect dynamical state information, e.g. position, velocity.
I Design secrecy codes.
ChallengesI Tradeoff between security and code complexity.
ApproachI Can we exploit model knowledge/physics for secrecy?
3/13
Eavesdropping attacks in Dynamical Systems
Dynamical System
ENC
Sensor
ChannelDEC
User
Eavesdropper
GoalI Protect dynamical state information, e.g. position, velocity.
I Design secrecy codes.
ChallengesI Tradeoff between security and code complexity.
ApproachI Can we exploit model knowledge/physics for secrecy?
3/13
Eavesdropping attacks in Dynamical Systems
Dynamical System
ENC
Sensor
ChannelDEC
User
Eavesdropper
GoalI Protect dynamical state information, e.g. position, velocity.
I Design secrecy codes.
ChallengesI Tradeoff between security and code complexity.
ApproachI Can we exploit model knowledge/physics for secrecy?
4/13
Previous work
Encryption
I Generic tool applied in practice. J. Katz and Y. Lindell. 2014
I Adversary should have bounded computational capabilities.
I Communication/computation overheads.
Physical layer security
I Information theoretic tools. A. D. Wyner. 1975, M. Wiese et al. 2016
I Provable guarantees.
I Requires eavesdropper’s channel model.
Our approach: State-Secrecy Codes
I Exploit the system dynamics.
I New tradeoff between code complexity and security.
I Simple and fast.
I Strong security guarantees about the current state.
Related work
I Codes for several types of linear systems
A. Tsiamis et al. CDC 2017, ACC 2018, CDC 2018
I Non-coding approach
A. S. Leong et al. IFAC 2017, CDC 2017
A. Tsiamis et al. IFAC 2017
4/13
Previous work
Encryption
I Generic tool applied in practice. J. Katz and Y. Lindell. 2014
I Adversary should have bounded computational capabilities.
I Communication/computation overheads.
Physical layer security
I Information theoretic tools. A. D. Wyner. 1975, M. Wiese et al. 2016
I Provable guarantees.
I Requires eavesdropper’s channel model.
Our approach: State-Secrecy Codes
I Exploit the system dynamics.
I New tradeoff between code complexity and security.
I Simple and fast.
I Strong security guarantees about the current state.
Related work
I Codes for several types of linear systems
A. Tsiamis et al. CDC 2017, ACC 2018, CDC 2018
I Non-coding approach
A. S. Leong et al. IFAC 2017, CDC 2017
A. Tsiamis et al. IFAC 2017
4/13
Previous work
Encryption
I Generic tool applied in practice. J. Katz and Y. Lindell. 2014
I Adversary should have bounded computational capabilities.
I Communication/computation overheads.
Physical layer security
I Information theoretic tools. A. D. Wyner. 1975, M. Wiese et al. 2016
I Provable guarantees.
I Requires eavesdropper’s channel model.
Our approach: State-Secrecy Codes
I Exploit the system dynamics.
I New tradeoff between code complexity and security.
I Simple and fast.
I Strong security guarantees about the current state.
Related work
I Codes for several types of linear systems
A. Tsiamis et al. CDC 2017, ACC 2018, CDC 2018
I Non-coding approach
A. S. Leong et al. IFAC 2017, CDC 2017
A. Tsiamis et al. IFAC 2017
4/13
Previous work
Our approach: State-Secrecy Codes
I Exploit the system dynamics.
I New tradeoff between code complexity and security.
I Simple and fast.
I Strong security guarantees about the current state.
Related work
I Codes for several types of linear systems
A. Tsiamis et al. CDC 2017, ACC 2018, CDC 2018
I Non-coding approach
A. S. Leong et al. IFAC 2017, CDC 2017
A. Tsiamis et al. IFAC 2017
5/13
Model
System
Sensor &Encoder
User
Eavesdropper
xk zk
γu,k
γe,k
x̂u,k
x̂e,k
ACK
Linear System
I state xk; e.g. position and velocity at time k
xk+1 = Axk + wk+1, wk : Gaussian process noise
Sensor and encoder
I zk encoded version of state xk.
5/13
Model
System
Sensor &Encoder
User
Eavesdropper
xk zk
γu,k
γe,k
x̂u,k
x̂e,k
ACK
Linear System
I state xk; e.g. position and velocity at time k
xk+1 = Axk + wk+1, wk : Gaussian process noise
Sensor and encoder
I zk encoded version of state xk.
5/13
Model
System
Sensor &Encoder
User
Eavesdropper
xk zk
γu,k
γe,k
x̂u,k
x̂e,k
ACK
ChannelI Packet drop channels:
I Message either received intact or dropped.
I γu,k = 1: message zk received.
I γu,k = 0: message zk dropped.
I Acknowledgment signals available.
5/13
Model
System
Sensor &Encoder
User
Eavesdropper
xk zk
γu,k
γe,k
x̂u,k
x̂e,k
ACK
Decoders: Minimum Mean Square Error Estimators
I Information sets:
Iu,k = {Received messages zk}Ie,k = {Intercepted messages zk,User’s outcomes γu,k}
I Estimation:
x̂u,k minimizes E(‖xk − x̂u,k‖2 |Iu,k)
Pu,k user mmse covariance given Iu,k
5/13
Model
System
Sensor &Encoder
User
Eavesdropper
xk zk
γu,k
γe,k
x̂u,k
x̂e,k
ACK
Decoders: Minimum Mean Square Error Estimators
I Information sets:
Iu,k = {Received messages zk}Ie,k = {Intercepted messages zk,User’s outcomes γu,k}
I Estimation:
x̂u,k minimizes E(‖xk − x̂u,k‖2 |Iu,k)
Pu,k user mmse covariance given Iu,k
6/13
Problem: Secrecy
Secrecy
Find a coding scheme such that:
I Eavesdropper’s minimum mean square error (mmse) forthe current state is maximum asymptotically.
I User’s mmse is optimal.
Assumptions
I Public A.
I Passive eavesdropper.
I Eavesdropper knows model, coding scheme, acknowledgments.
7/13
State-Secrecy Code
Coding Scheme
zk = xk − Lk−tkxtk
tk: the most recent message received at the user
I Matrix L depends on the dynamical system’s model.
I Choice of L: makes zk less correlated to xk for the eavesdropper.
I ACKs: user and sensor agree on tk.
I Fast and simple.
I Can be used along with encryption.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0
x0 x0
x1 − Lx0 −x2 − L2x0 −x3 − Lx2 − x3 − Lx2x4 − L2x2 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0
x0
x1 − Lx0 −x2 − L2x0 −x3 − Lx2 − x3 − Lx2x4 − L2x2 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0
x0
x1 − Lx0
−x2 − L2x0 −x3 − Lx2 − x3 − Lx2x4 − L2x2 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0
x0
x1 − Lx0 −
x2 − L2x0 −x3 − Lx2 − x3 − Lx2x4 − L2x2 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0
x0
x1 − Lx0 −x2 − L2x0
−x3 − Lx2 − x3 − Lx2x4 − L2x2 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0
x0
x1 − Lx0 −x2 − L2x0 x2 − L2x0
−x3 − Lx2 − x3 − Lx2x4 − L2x2 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0
x0
x1 − Lx0 −x2 − L2x0 x2 − L2x0
−
x3 − Lx2
− x3 − Lx2x4 − L2x2 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0
x0
x1 − Lx0 −x2 − L2x0 x2 − L2x0
−
x3 − Lx2 −
x3 − Lx2x4 − L2x2 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0
x0
x1 − Lx0 −x2 − L2x0 x2 − L2x0
−
x3 − Lx2 −
x3 − Lx2
x4 − L2x2
x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0
x0
x1 − Lx0 −x2 − L2x0 x2 − L2x0
−
x3 − Lx2 −
x3 − Lx2
x4 − L2x2 x4 − L2x2
x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0 x0
x1 − Lx0 − x1 − Lx0x2 − L2x0 x2 − L2x0 −x3 − Lx2 − x3 − Lx2x4 − L2x2 x4 − L2x2 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0 x0
x1 − Lx0 − x1 − Lx0x2 − L2x0 x2 − L2x0 −x3 − Lx2 − x3 − Lx2x4 − L2x2 x4 − L2x2 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0 x0
x1 − Lx0 − x1 − Lx0x2 − L2x0 x2 −x3 − Lx2 − x3 − Lx2x4 − L2x2 x4 − L2x2 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0 x0
x1 − Lx0 − x1 − Lx0x2 − L2x0 x2 −x3 − Lx2 − x3 − Lx2x4 − L2x2 x4 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0 x0
x1 − Lx0 − x1
x2 − L2x0 x2 −x3 − Lx2 − x3 − Lx2x4 − L2x2 x4 x4 − L2x2
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0 x0
x1 − Lx0 − x1
x2 − L2x0 x2 −x3 − Lx2 − x3 − Lx2, x3 =?
x4 − L2x2 x4 x4 − L2x2, x4 =?
I User decodes by adding.
I Eavesdropper decodes initially.
I Eavesdropper cannot decode for k > 2.
8/13
Example
Code
zk = xk − Lk−tkxtk
Encoder User Eavesdropper
x0 x0 x0
x1 − Lx0 − x1
x2 − L2x0 x2 −x3 − Lx2 − x3 − Lx2, x3 =?
x4 − L2x2 x4 x4 − L2x2, x4 =?
Critical eventWhen the user receives while the eavesdropper misses:
γu,k = 1, γe,k = 0, for some k
Damages the eavesdropper (here for k = 2).
9/13
Secrecy guarantees
Theorem 1: Secrecy
If the critical event occurs at time k0 secrecy is achieved:
I Eavesdropper’s mmse is asymptotically maximum:
Pe,k → maximum value
I User’s mmse remains optimal:
Pu,k = 0, when user receives. (γu,k = 1)
I One occurrence of the critical event is sufficient.(user receives and eavesdropper fails to intercept at some time k.)
I Condition holds for most packet dropping channels.
10/13
Simulation scenario
z
y
φ
I Linearized dynamics, planar quadrotor
I Hovers around target point (0, 0, 0)
I State is position and velocity
11/13
Simulation scenario
0 50 100 150 200 250 300 350 400
z es
timat
ion
-1
-0.5
0
0.5
1
UserEavesdropperTrue state
I Height estimation
I Critical event occurs at time k = 47
I Eavesdropper gets confused about the state; trivial estimatexe = 0
I User’s estimation remains accurate
11/13
Simulation scenario
0 50 100 150 200 250 300 350 400
z es
timat
ion
-1
-0.5
0
0.5
1
UserEavesdropperTrue state
I Height estimation
I Critical event occurs at time k = 47
I Eavesdropper gets confused about the state; trivial estimatexe = 0
I User’s estimation remains accurate
11/13
Simulation scenario
0 50 100 150 200 250 300 350 400
z es
timat
ion
-1
-0.5
0
0.5
1
UserEavesdropperTrue state
I Height estimation
I Critical event occurs at time k = 47
I Eavesdropper gets confused about the state; trivial estimatexe = 0
I User’s estimation remains accurate
11/13
Simulation scenario
0 50 100 150 200 250 300 350 400
z es
timat
ion
-1
-0.5
0
0.5
1
UserEavesdropperTrue state
I Height estimation
I Critical event occurs at time k = 47
I Eavesdropper gets confused about the state; trivial estimatexe = 0
I User’s estimation remains accurate
12/13
Conclusion
Summary
I We can exploit the dynamical system model/physics for secrecy.
I Codes specialized for dynamical systems.
I Simple and fast, strong guarantees for the current state.
I Secrecy guarantees for several types of linear systems.
Future Work
I How to defend against active eavesdroppers?
I How can we combine codes with encryption efficiently?
I How can we apply the codes in closed-loop control systems?
I How can we protect past states?
12/13
Conclusion
Summary
I We can exploit the dynamical system model/physics for secrecy.
I Codes specialized for dynamical systems.
I Simple and fast, strong guarantees for the current state.
I Secrecy guarantees for several types of linear systems.
Future Work
I How to defend against active eavesdroppers?
I How can we combine codes with encryption efficiently?
I How can we apply the codes in closed-loop control systems?
I How can we protect past states?
13/13
Thank you!
Top Related