Secure Motion-Copying via Homomorphic Encryption

The ElGamal encryption scheme, denoted as $\mathcal{E}=(\mathsf{Gen},\mathsf{Enc},\mathsf{Dec})$, consists of three fundamental algorithms: key generation $\mathsf{Gen}$, encryption $\mathsf{Enc}$, and decryption $\mathsf{Dec}$. With a key length of $\lambda$ bits, the key generation algorithm, $\mathsf{Gen}$, produces a public key $k_{p}$ and a private key $k_{s}$, which can be expressed as $\mathsf{Gen}(\lambda)=(k_{p},k_{s})$. The encryption algorithm, $\mathsf{Enc}$, is responsible for encrypting a plaintext $m$ using the public key $k_{p}$, resulting in ciphertext $c$, i.e., $\mathsf{Enc}(k_{p},m)=c$. The decryption algorithm, $\mathsf{Dec}$, is employed to decrypt the ciphertext $c$ using both the public key $k_{p}$ and the private key $k_{s}$, and it yields the plaintext $m^{\prime}$, i.e., $\mathsf{Dec}(k_{s},c)=m^{\prime}$. It’s important to note that the equation $\mathsf{Dec}(k_{s},\mathsf{Enc}(k_{p},m))=m$ holds true.

ElGamal encryption possesses a multiplicative homomorphic property, allowing for ciphertext multiplication. Given two plaintexts, $m_{1}$ and $m_{2}$, and their respective ciphertexts, $c_{1}=\mathsf{Enc}(k_{p},m_{1})$ and $c_{2}=\mathsf{Enc}(k_{p},m_{2})$, the resulting ciphertext of their product $m_{1}m_{2}$ is expressed as $\mathsf{Enc}(k_{p},m_{1}m_{2})=c_{1}\otimes c_{2}$, where $\otimes$ represents element-wise multiplication. This property is known as a multiplicative homomorphism.

To utilize ElGamal encryption, real numbers must be encoded to the plaintext space $\mathcal{M}$ using an appropriate quantization gain $\gamma$ and $a$, as defined by the following function:

where $a=0$ if $x\geq 0$ and $a=p$ otherwise, and $\lceil\cdot\rfloor$ signifies rounding to the nearest element in the plaintext space $\mathcal{M}$. If $q$ and $p=2q+1$ are prime, $q$ and $p$ are called a Sophie Germain prime and a safe prime number, respectively. Such primes play a crucial role in enhancing the security of ElGamal encryption. Furthermore, the decrypted plaintext is decoded as follows:

where $b=0$ if $\check{x}\leq q$ and $a=p$ otherwise and $\mathbb{Q}$ denotes rational numbers. Hereafter, we redefine $\mathsf{Enc}$ to perform encoding and encryption and $\mathsf{Dec}$ to perform decryption and decoding.

The encrypted four-channel bilateral control system with robotic arms, as illustrated in Fig. 2, is used to construct the proposed secure motion-copying system. The control objective is to achieve ideal kinesthetic coupling:

between the yaw-axis motors of the leader and follower robotic arms:

where $t\geq 0$ is a continuous time, $\theta\in\mathbb{R}$ is the angle measured by the encoder; $\tau^{d}\in\mathbb{R}$ represents the unknown disturbance torque; $i\in\mathbb{R}$ represents the current input to the motor; $\bar{J}$ and $\bar{K}$ represent the nominal moment of inertia and torque coefficient of the motor, which are described in its specifications; subscripts $l$ and $f$ denote the leader and follower, respectively. The torque is expressed in the following equation consisting of modeling error, cable tension, friction, and an external force $\tau^{e}$:

where $J$ and $K$ represent the moment of inertia and the torque coefficient of the motor, which are not measurable, respectively, and a nonlinear function $f$ of the angle $\theta$ and velocity $w=\dot{\theta}$, encompasses cable tension and friction forces:

To achieve the control objective for the robotic arm (4), we designed model-based linear controllers consisting of Proportional-Derivative (PD) and Proportional (P) controllers for position and force control, Disturbance Observer (DOB), and Reaction Force Observer (RFOB). Discretizing the controllers by a bilinear transformation with a sampling period $T_{s}$ results in the following discrete-time state-space representation:

with

where subscript $k\geq 0$ represents a step (discrete time), $\psi_{l}\in\mathbb{R}^{8}$ and $\psi_{f}\in\mathbb{R}^{8}$ are controller outputs for the leader and follower, respectively; $\xi_{l}\in\mathbb{R}^{11}$ and $\xi_{f}\in\mathbb{R}^{11}$ are the controller inputs for the leader and follower, respectively; $\Phi\in\mathbb{R}^{8\times 11}$ is identical controller parameters (system matrix) for the leader and follower. Moreover, $f_{l}$ and $f_{f}$ indicate the leader and follower controllers, respectively.

Let $f_{l}=f_{l}^{+}\circ f_{l}^{\times}$, where $f_{l}^{+}$ and $f_{l}^{\times}$ denote addition and multiplication on the leader, respectively, and similarly, $f_{f}=f_{f}^{+}\circ f_{f}^{\times}$ is defined on the follower. If the quantization error is negligibly small, the leader and follower encrypted controllers $f^{\times}_{l\mathcal{E}^{+}}$ and $f^{\times}_{f\mathcal{E}^{+}}$ are represented as follows:

where $\Psi_{lk}\coloneqq f_{l}^{\times}(\Phi,\xi_{lk})$ and $\Psi_{fk}\coloneqq f_{l}^{\times}(\Phi,\xi_{fk})$, which are computed using the multiplicative homomorphism. Define $\mathsf{Dec}^{+}\coloneqq f^{+}\circ\mathsf{Dec}$. Then, $\tilde{\psi}_{lk}$ and $\tilde{\psi}_{fk}$ are obtained as follows:

where $\mathcal{E}^{+}\coloneqq(\mathsf{Gen},\mathsf{Enc},\mathsf{Dec}^{+})$ is a modified ElGamal encryption scheme. In addition, the quantization error, denoted as $\psi_{l}-{\tilde{\psi}}_{l}$, is assumed to be negligible in this study, and the definition and derivation of the matrices and vectors are detailed in [29]. Consequently, the encrypted four-channel bilateral control system with the robotic arms, encrypted controller (12), and modified decryption (13), can be constructed as illustrated in Fig. 2, where it features encrypted communications and blocks, highlighted in green.

Firstly, the secure motion data memory is introduced to store and edit the motion data. The memory is supposed to be located on a specific networked server that the motion-saving and motion-loading systems can communicate with, and the secure motion data on the memory is denoted as a finite set of data sequences:

where $x_{k}$ and $y_{k}$ are a ciphertext at step $k$ and $\{x_{k}\}_{k=0}^{N}$ means a sequence of encrypted signal $x_{k}$ with data length $N$. The multiplicative homomorphism of the ElGamal encryption scheme allows us to scale the data set by scaling parameter $\alpha=(\alpha_{x},\alpha_{y})\in\Re^{2}$ with the corresponding quantization gain $\gamma_{\alpha}>0$. This operation is referred to as spatial scaling [8]. When the motion data are scaled, the updated data set is denoted as

It should be noted that the motion data, $\mathcal{D}$ and $\mathcal{D}(\alpha)$, and scaling parameter, $\alpha$, are all encrypted and stored in the memory. In addition, although the proposed concept enables us to store multiple motion-data sequences with different data lengths in the memory, this paper considers two sequences with identical lengths for simplicity.

We present the encrypted motion-saving system, illustrated in Fig. 3(a), consisting of the encrypted four-channel bilateral control system and the secure motion data memory to save the leader’s motion data. This study considers that the motion data measured during the operation are the encrypted rotation angle $\mathsf{Enc}(\theta_{lk})$ and estimated torque $\mathsf{Enc}(\hat{\tau}^{e}_{lk})$ regarding the yaw-axis motor, which appears in the argument and output of the leader’s encrypted controller $f^{\times}_{l\mathcal{E}^{+}}$ in (12). They are encapsulated within the set denoted as $\mathcal{D}$:

Fig. 3(a) confirms that the presented motion-saving system is a secure networked system configuration. The green lines and blocks indicate the encrypted communications and data processing, so the controllers and memory outside the plant sides operate with encrypted signals and parameters. Hence, even if malicious attackers eavesdrop on the control system or steal data from the secure motion data memory, it is challenging to ascertain the stored motions.

We present the encrypted motion-loading system, illustrated in Fig. 3(b), consisting of the follower-side control system with the robotic arm and the secure motion data memory to reproduce the motion. This study considers that the motion data $\mathcal{D}$ in (16) are computed using an appropriate scaling parameter to be updated, as follows:

When the follower wants to reproduce the motion, the motion-loading system transmits the secure motion data of $\mathcal{D}(\alpha)$ from the memory to the follower’s controller. Noted that the decoder installed on the follower side must have quantization gain set to $\gamma=\gamma_{\xi}\gamma_{\Phi}\gamma_{\alpha}$, where $\gamma_{\xi}>0$ and $\gamma_{\Phi}>0$ are quantization gains corresponding to encoding signals $\xi$ and parameters $\Phi$, respectively. Then, the follower robotic arm is controlled by the decrypted control command regarding an input current, which reproduces the desired motion.

Fig. 3(b) confirms that the presented motion-loading system is also a secure networked system configuration because the follower controller and memory outside the plant side are operated with the signals and parameters encrypted. Hence, it is challenging for malicious attackers to ascertain the stored motions.

Consequently, the concept of the proposed motion-copying system allows for the secure preservation and reproduction of motion. In the following section, we will delve into the practical setup used to investigate the effectiveness of the proposed system.

The free motion scenario represents saving and loading motion data without physical interaction with objects. In saving motion, a human operator controls the leader robot, and the follower robot replicates its movements, resulting in a 15-second motion sequence regarding the leader that is stored in the secure motion data memory. In loading motion, the developed system reproduces the stored motion such that the follower emulates the leader’s actions, where the scaling parameter $\alpha$ was set to (1,1). The obtained results for saving and loading the motion are shown in Fig. 4.

Figs. 4(a)-(d) show the time responses of the leader and follower robotic arms during saving motion, where the red and blue lines indicate the leader and follower, respectively. Figs. 4(a) and (b) illustrate the yaw-axis rotation angles and the estimated torque on the leader and follower sides, respectively. Figs. 4(c) and (d) show the encrypted rotation angle and estimated torque of the leader, respectively. The figures confirm that the follower’s behavior almost matches the leader’s and that the torques are approximately zeros due to no contact. The encrypted motions regarding $\theta_{l}$ and $\hat{\tau}^{e}_{l}$ shown in Figs. 4(c) and (d) were stored in the secure motion data memory $\mathcal{D}$, where the encrypted data exhibit random fluctuations at the order of $10^{38}$.

Figs. 4(e)-(h) show the time responses of the follower during loading motion from $\mathcal{D}(\alpha)$. Figs. 4(e) and (f) illustrate the yaw-axis rotation angles and the estimated torques, respectively, where the blue line indicates the resulting follower’s behavior and the red line being the same as one of Figs. 4(a) and (b) was added for comparison. Figs. 4(g) and (h) show the encrypted rotation angles and estimated torques that were loaded from $\mathcal{D}(\alpha)$, respectively. Consequently, the figures confirm that the reproduced behavior of the follower has a good tracking performance to the original behavior and that the estimated torque of the follower is almost the same as that of the follower in saving motion.

The object contact scenario represents saving and loading motion data involving physical object interaction, highlighting the capability of reproducing the contact force. This experiment considers an aluminum block fixed on the basement as an obstacle within the movable range of the follower’s robotic arm, as shown in Fig. 5. In saving motion, the follower robotic arm physically contacts the aluminum block in the telemanipulation by the operator, resulting in a 15-second motion sequence. In loading motion, the developed system reproduces the stored motion such that the follower emulates the leader’s movements during and after contact with the object, where the scaling parameter $\alpha$ was set to (1,1). The obtained results are shown in Fig. 6.

Figs. 6(a)-(d) show the time responses of the leader and follower robotic arms during saving motion, where the red and blue lines indicate the leader and follower, respectively. Figs. 6(a) and (b) illustrate the yaw-axis rotation angles and the estimated torque of the leader and follower, respectively. Figs. 6(c) and (d) shows the encrypted motions regarding $\theta_{l}$ and $\hat{\tau}^{e}_{l}$ . These figures confirm that the follower comes into contact with the aluminum object at $5\text{\,}\mathrm{s}$ while maintaining nearly identical rotation angles to the leader and that estimated torques for the leader and follower are equal magnitudes and opposite signs, affirming adherence to Newton’s third law. The encrypted rotation angles and estimated torques exhibiting random fluctuations at $10^{38}$ were stored in $\mathcal{D}$.

Figs. 6(e)-(h) show the time responses of the follower during loading motion, where the object is fixed on the same location as saving motion. Figs. 6(e) and (f) illustrate the yaw-axis rotation angles and the estimated torques, respectively, where the meanings of the blue and red lines are the same as those in Fig. 4. Figs. 6(g) and (h) illustrate the leader’s encrypted motion loaded from $\mathcal{D}(\alpha)$. Consequently, these figures confirm that even in the aluminum-block environment, the proposed system securely reproduces the follower’s behavior which was almost the same as the leader’s behavior.

The spatial scaling scenario represents saving and loading the scaled motion with and without object contact. This experiment investigates the system’s capability of reproducing the scaled motion in each scenario of free motion with $\alpha=(2,1)$ and object contact with $\alpha=(1,2)$. Similarly, in saving motion, 15-second motion sequences were stored in the secure memory $\mathcal{D}$, and in loading motion, the follower’s behavior was reproduced using the scaled motion loaded from $\mathcal{D}(\alpha)$. The obtained results for the free motion and object contact scenarios are shown in Figs. 7 and 8, respectively.

Figs. 7(a)-(d) show the time responses of both the robotic arms during saving motion, which confirms that the follower’s behavior matches the leader’s behavior. Meanwhile, Figs. 7(e)-(h) show the time responses of the follower’s behavior during loading motion. Fig. 7(e) confirms that the yaw-axis rotation angle of the follower was successfully doubled to the original leader’s behavior, while the estimated torque in Fig. 7(f) has no significant impact. Figs. 7(g) and (h) illustrate the encrypted rotation angle and estimated torque that were loaded from $\mathcal{D}(\alpha)$.

Furthermore, Figs. 8(a)-(d) show the time responses of both the robotic arms during saving motion. In this case, the follower comes into contact with the aluminum object at 2 s. During contact, the leader maintains a rotation angle nearly identical to the follower’s, exhibiting an estimated torque of the opposite sign. Meanwhile, Figs. 8(e)-(h) show the time responses of both the robotics arms during loading motion. Fig. 8(f) confirms that the estimated torque of the follower was successfully doubled to the original leader’s behavior, while the rotation angle in Fig. 8(e) has no significant impact. Fig. 8(g) and (h) illustrate the scaled encrypted behavior that was loaded from $\mathcal{D}(\alpha)$.