Anomaly Detection with LWE Encrypted Control

TL;DR

This work addresses detecting cyber-physical attacks while signals are encrypted under LWE, avoiding decryption and extra secure channels. It builds a detection framework that applies lattice-based transformations to encrypted residuals, yielding a statistically powerful hypothesis test whose strength scales polynomially with approximate lattice solutions. The approach preserves LWE security by removing dependence on the secret through linear filtering, and the authors illustrate the method with numerical results demonstrating attack detection under realistic quantized controller settings. The study highlights the trade-offs between encryption strength, detection power, and computational effort, and suggests directions for extending the framework with more advanced lattice-reduction techniques and coarse co-design of controllers and cryptosystems.

Abstract

Detecting attacks using encrypted signals is challenging since encryption hides its information content. We present a novel mechanism for anomaly detection over Learning with Errors (LWE) encrypted signals without using decryption, secure channels, nor complex communication schemes. Instead, the detector exploits the homomorphic property of LWE encryption to perform hypothesis tests on transformations of the encrypted samples. The specific transformations are determined by solutions to a hard lattice-based minimization problem. While the test's sensitivity deteriorates with suboptimal solutions, similar to the exponential deterioration of the (related) test that breaks the cryptosystem, we show that the deterioration is polynomial for our test. This rate gap can be exploited to pick parameters that lead to somewhat weaker encryption but large gains in detection capability. Finally, we conclude the paper by presenting a numerical example that simulates anomaly detection, demonstrating the effectiveness of our method in identifying attacks.

Figures (9)

• Figure 1: An attacker can inject stealthy attack signals $y^a_k$ and $u^a_k$ into the loop, by observing $\bar{y}_k$ and $\bar{u}_k$. While encryption hinders the attacker from these observations, it also obstructs the detection of anomalies. We propose an anomaly detector that uses $y^e_k+y_k^a$ and $\hat{y}^e_k$ for detection through encryption.
• Figure 2: Instead of individually converting each block in the controller to be compatible with encrypted signals, we reduce the compounding approximation errors by combining the three blocks (two static and one dynamic) into a single dynamic block, $C_d$ with two outputs. It is made compatible with integer signals by scaling and rounding its parameters.
• Figure 3: The schematic shows a high-level picture of how the secret vector is revealed using the algorithm laid out in regev2009. First, the LWE sampled is transformed into a uniform one by modifying the public key, as shown in Step 1 (confirmation that this transformation is successful is not treated in regev2009). Then, by guessing the correct value of the secret vector, one can return the sample back to an LWE sample, as in Step 2. The ability to confirm that the sample is LWE again verifies the guess and thus reveals the secret vector.
• Figure 4: The graph shows the probability distribution for the discrete normal and uniform distributions. Note that rejecting the uniform distribution results in a very small rejection region, whose maximal power is achieved by centering it around the mean of the alternative distribution, which is the discrete normal here. If we design a test to reject the other hypothesis, one may see that the resulting rejection region in red, to reject the discrete normal, is much larger. Specifically, its false-positive probability is minimized by placing the rejection region around the tails.
• Figure 5: The graph shows the Type II Error of the two hypothesis tests as a function of the resulting variance using $q=10^{16}$ (256-bit security if $v=1024$ and $\sigma^2=10$). Note the exponential convergence of rejecting the uniform distribution (red curve). It indicates that for the test to be statistically significant, an (exponentially) short vector must be found to solve the underlying lattice problem. For the other hypothesis test, used in our anomaly detector, the convergence rate is not exponential, which is proven by the upper bound from Theorem \ref{['thm:bounds']}, given by the yellow curve.

Theorems & Definitions (28)

• Definition 1
• Definition 2
• Definition 3
• Definition 4
• Definition 5
• Lemma 1
• Remark 1
• Lemma 2
• Definition 6
• Definition 7