Privacy Preservation by Local Design in Cooperative Networked Control Systems
Chao Yang, Yuqing Ni, Wen Yang, Hongbo Shi
TL;DR
The paper tackles privacy in cooperative closed-loop networked control by enabling a user-local privacy design that distorts signals sent to a server computing LQG control. It introduces a noise-injection scheme $z_k = y_k + \boldsymbol{\delta}_k$ with covariance $\boldsymbol{\Sigma}_{\text{delta}}$, derives a Kalman-filtered recursion for the server-side estimation error, and proves that the resulting LQG performance loss can be bounded via $\boldsymbol{Q}_{privacy}$ and $\boldsymbol{Q}_{LQG}$. A privacy metric $\boldsymbol{Q}_{privacy}$ is defined to quantify the deviation between the server’s private estimate and the true estimate, and the authors formulate a semidefinite programming problem to optimize privacy under a given performance loss constraint, including infinite-horizon steady-state analysis. The work demonstrates that privacy can be enhanced without destabilizing the system in many cases and provides a tractable optimization framework to balance privacy against control performance, with numerical examples supporting the theory. These results offer a practical approach to privacy-preserving cooperation in networked control with guaranteed performance bounds and scalable optimization tools.
Abstract
In this paper, we study the privacy preservation problem in a cooperative networked control system, which has closed-loop dynamics, working for the task of linear quadratic Gaussian (LQG) control. The system consists of a user and a server: the user owns the plant to control, while the server provides computation capability, and the user employs the server to compute control inputs for it. To enable the server's computation, the user needs to provide the measurements of the plant states to the server, which then calculates estimates of the states, based on which the control inputs are computed. However, the user regards the states as private, and makes an interesting request: the user wants the server to have "incorrect" knowledge of the state estimates rather than the true values. To meet this request, we propose a novel design methodology for privacy preservation, in which the privacy scheme is deployed locally at the user side and is not disclosed to the server, and which creates a deviation in the server's knowledge of the state estimates from the true values. However, this methodology also raises significant challenges: in a closed-loop dynamic system, when the server's acquired knowledge is incorrect, the system's behavior becomes complex to analyze; even the stability of the system becomes questionable, as the incorrectness will accumulate through the closed loop as time evolves. In this paper, we show by rigorous mathematical proofs that the performance loss in LQG control caused by the proposed privacy scheme is bounded, which supports the feasibility of the proposed design methodology. We also propose an associated novel privacy metric and obtain an analytical result for evaluating the privacy performance. Finally, we study the performance trade-off between privacy and control, where the correspondingly proposed optimization problems are solved efficiently by numerical methods.
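A scalar simulation of the setup described above, added here as an illustration and not taken from the paper: the user sends $z_k = y_k + \delta_k$, and the server runs a steady-state Kalman filter and LQG controller without knowing about the injected noise. The plant parameters, the function names, and the two empirical measures (average stage cost, and mean squared deviation between the server's estimate and the estimate from undistorted measurements) are assumptions standing in for the paper's own performance-loss and privacy definitions.

```python
import random

def riccati(a, b, q, r, iters=500):
    """Fixed point of the scalar discrete-time Riccati recursion."""
    p = q
    for _ in range(iters):
        p = q + a * a * p - (a * b * p) ** 2 / (r + b * b * p)
    return p

def simulate(sigma_delta, steps=20000, seed=1):
    """Return (average LQG stage cost, mean squared estimate deviation)."""
    a, b, c = 1.1, 1.0, 1.0            # constructed open-loop unstable plant
    W, R, q, r = 0.5, 0.5, 1.0, 1.0    # noise variances and cost weights
    S = riccati(a, b, q, r)
    L = a * b * S / (r + b * b * S)    # LQR gain, u_k = -L * xhat_k
    P = riccati(a, c, W, R)            # dual recursion: prior error variance
    K = P * c / (c * c * P + R)        # Kalman gain; server assumes variance R
    rng = random.Random(seed)
    x = xs = xt = 0.0                  # plant state, server prior, true prior
    cost = dev = 0.0
    for _ in range(steps):
        y = c * x + rng.gauss(0.0, R ** 0.5)
        z = y + rng.gauss(0.0, sigma_delta ** 0.5)   # z_k = y_k + delta_k
        xs_post = xs + K * (z - c * xs)  # server's estimate from distorted z_k
        xt_post = xt + K * (y - c * xt)  # estimate from the undistorted y_k
        u = -L * xs_post                 # server computes the control input
        cost += q * x * x + r * u * u
        dev += (xs_post - xt_post) ** 2
        x = a * x + b * u + rng.gauss(0.0, W ** 0.5)
        xs, xt = a * xs_post + b * u, a * xt_post + b * u
    return cost / steps, dev / steps

if __name__ == "__main__":
    # Sweep the injected-noise variance: deviation and cost both grow,
    # and both stay finite although the plant itself is unstable.
    for sd in (0.0, 2.0, 4.0):
        print(sd, simulate(sd))
```

Because the same seed drives every run, the process and measurement noise realizations are identical across the sweep, so the differences in cost and deviation come only from the injected $\delta_k$.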
