WO2020179672A1 - Encryption control system, encryption control method, and encryption control program - Google Patents


Info

Publication number
WO2020179672A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
key
control
ciphertext
random number
Application number
PCT/JP2020/008362
Other languages
French (fr)
Japanese (ja)
Inventor
公尚 小木曽
雅博 日下
Original Assignee
国立大学法人電気通信大学
Application filed by 国立大学法人電気通信大学 filed Critical 国立大学法人電気通信大学
Priority to JP2021504051A priority Critical patent/JP7450277B2/en
Publication of WO2020179672A1 publication Critical patent/WO2020179672A1/en

Classifications

    • G: PHYSICS
    • G09: EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C: CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C 1/00: Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/14: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L 9/16: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms, the keys or algorithms being changed during operation
    • H04L 9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Definitions

  • the present invention relates to an encryption control system, an encryption control method, and an encryption control program.
  • in a control system, the various devices in the system are interconnected via a network.
  • Non-Patent Document 1 describes a method of determining a control input while the signals and parameters inside the controller are kept encrypted, i.e. secret.
  • in Non-Patent Document 2, the inventors conducted an encrypted-control experiment using ElGamal encryption with a key of 128 (bit) or less and verified the real-time property.
  • in Non-Patent Document 2, the inventors report a trade-off between security and processing time, because the processing time grows as the encryption key used in the encrypted control system becomes longer.
  • the processing time is the time required for the encryption and decryption processing; it is known that lengthening the encryption key increases not only the decryption time but also the encryption time.
  • the real-time property refers to a time constraint on the processing time from when the system starts one process to when it ends. For example, if a control system is designed to perform encryption control once every 10 (ms), the processing time must always be within 10 (ms). In this verification method, the processing time is measured by repeatedly executing the encryption control 10,000 times and 100,000 times using an experimental device. Then, when the processing time never exceeds the time constraint of 10 (ms) during control, this control system is guaranteed to be real-time with a sampling cycle of 10 (ms).
  • ElGamal encryption is an encryption method whose security rests on the difficulty of solving the discrete logarithm problem.
  • 768 (bit) refers to the discrete logarithm problem over a finite field of 768-bit order.
  • the inventors have studied a key-length design problem that prevents every key from being deciphered within the useful life of the controlled object, with the aim of applying encrypted control to a real system.
  • the inventors found a way to dynamically extend ElGamal encryption so that key deciphering within the useful life (10 to 20 years) is prevented with a key shorter than the encryption keys (public key and private key) used in conventional encrypted control systems. They then ran a control simulation with the control signals and computations kept secret, and devised a mechanism that updates the encryption key (public key, private key) once per sensing period of the sensor on the controlled object, throughout the service life.
  • an object of the present invention is to provide an encryption control system, an encryption control method, and an encryption control program in which the encryption key and the ciphertext are dynamically and endlessly updated in a predetermined time unit (step).
  • an encryption control system of the present invention controls a controlled object through an encryption controller that keeps the information in the control system concealed by means of cryptography.
  • at each step, an encryption key update unit dynamically updates the private key and the public key, and a ciphertext update unit dynamically updates the ciphertext.
  • the encryption key update unit and the ciphertext update unit of the encryption control system of the present invention each contain a random number generator; all of these generators produce the same random number at the same time step, and the private key, the public key, and the ciphertext are updated by modular multiplication of that random number with the encryption control parameter.
  • the encryption key updating unit creates the encryption key used at the next time step from the encryption key used at the current time step based on the control law of the control system.
  • the ciphertext update unit updates the ciphertext
  • the ciphertext update unit updates the ciphertext by computing the ciphertext for the next time step from the ciphertext of the current time step, based on the control law of the control system.
  • FIG. 11 is a waveform diagram comparing the dynamic encryption control with key updating of the present invention against conventional static encryption control. It is a figure explaining the key size and processing time of the dynamic encryption control with key updating of this invention in comparison with the conventional solving of the discrete logarithm problem.
  • Z_n is the set of integers from 0 up to, but not including, n.
  • Z_n^x is the set of elements of Z_n that are relatively prime to n.
  • M is the set of integer values (plaintexts) that can be used for encryption.
  • the ElGamal encryption scheme consists of three algorithms: key generation (Gen), encryption (Enc), and decryption (Dec).
  • q is a k-bit prime number.
  • g is a generator of the cyclic group G.
  • "encryption key" is normally used as a term covering both the public key and the private key.
  • "encryption key" is the technical term translated into Japanese from "cryptographic key"; according to the definition published by the Information-technology Promotion Agency (IPA), an organization affiliated with the Ministry of Economy, Trade and Industry, an encryption key is "the sequence of symbols that controls the encryption and decryption conversion processing."
  • IPA: Information-technology Promotion Agency
  • the public key is denoted k_p(t) and the private key k_s(t); the (t) indicates that both the public key and the private key are variables that change over time.
  • the ElGamal public key k_p: (G, q, g, h) consists of four parameters: the cyclic group G, the prime number q, the generator g of G, and the time-dependent parameter h(t).
  • h(t) is one of the parameters that make up the public key k_p(t); since the other parameters do not change with time, the public key k_p(t) is in places written simply as the public key h(t).
  • the ElGamal private key k_s(t) consists only of the time-varying parameter s(t), so the private key k_s(t) is synonymous with the private key s(t). In the formulas below the private key k_s(t) may therefore be written as the private key s(t).
  • the ciphertext vector C consists of two components, the scalar values c_1 and c_2, described below.
  • the ciphertext vector C is given by Equation 1.
  • Equation 1 states that the plaintext m encrypted with the public key k_p becomes the ciphertext vector C.
  • as Equation 1 shows, the components c_1 and c_2 of the ciphertext vector C are g^n mod p and m·h^n mod p, respectively.
  • n is a random number selected uniformly from the integer set Z_q at encryption time.
  • "selected uniformly" means selected from random values that follow a uniform distribution; that is, the random number n is an integer chosen with equal probability from all elements of the integer set Z_q, i.e. the integers from 0 up to but not including q.
  • (c_1)^(-s) is the modular inverse, with modulus (divisor) p, of (c_1)^s. If the ciphertext C was produced by Equation 1, Equation 3 holds. Equation 3 expresses that the plaintext m, encrypted with the public key k_p and then decrypted with the private key k_s, returns to the original plaintext m.
  • R is the set of real numbers.
  • N is the set of natural numbers.
  • Z is the set of integers. The discrete-time controller used in the encryption control system of the present invention is assumed to be designed in advance, and its input/output relationship is described by the control rule f of Equation 4.
  • is a control parameter of the controller, and is a symbol that collectively indicates the control parameters K p , K i , and K d .
  • K p is a proportional element
  • K i is an integral element
  • K d is a differential element.
  • is an input vector that summarizes the state vector x of the controller and the input u c to the controller.
  • the state vector x is a vector of state variables, and the state variable is a variable that numerically represents the state of the control system such as the controlled object or the controller.
  • the matrices A, B, C and D are coefficient matrices representing the control parameter ⁇ , and an appropriate coefficient is set on the basis of control engineering by an administrator (responsible person) who has knowledge of the controlled object.
  • is a matrix summarizing the calculation process of the control input u and the updated state vector x.
  • the map f represents the product of a matrix and a vector.
  • f ⁇ represents the multiplication of the row vector of ⁇ and the column vector of ⁇ .
  • f + represents a mapping in which the column vectors of the matrix are added together.
  • the map f can be expressed as a composite function of f + and f ⁇ .
  • is the output of the map f ⁇ and the input of the map f + , and is a matrix summarizing the calculation process of the map f.
  • x (t) is a vector indicating the state of the controller at time t
  • u (t) indicates a control input
  • u c (t) is the input to the controller.
  • is an input vector that combines the state vector x of the controller and the input u c to the controller.
  • the equation 4 means the multiplication of the input vector ⁇ and the control parameter ⁇ .
  • Equation 5 shows that f(⁇, ⁇(t)) is obtained by encrypting the control parameter ⁇ of the controller with the public key k_p, encrypting the input vector ⁇ of the controller with the public key k_p, applying the encrypted control rule f_⁇, and decrypting the result with k_s.
  • the plaintext space M must be defined as a subgroup of Z_p.
  • since the observed values and the controller parameters are real numbers, encryption requires them to be rounded into the plaintext space M; the coefficient ⁇ of Equation 7 is used to reduce the rounding error.
  • y is a real number vector
  • ⁇ y is an integer vector of elements of the set M
  • y_i and d_i are the i-th elements of the vectors y and d.
  • is an integer value to be multiplied in order to reduce the error of rounding to the set M, and is called a plaintext conversion gain.
  • Q is a mapping that transforms the real vector y into an integer vector of the elements of the set M.
  • the problem of finding the private key parameter s from the public key parameter h and the prime number p in Equation 8 is the discrete logarithm problem.
  • a sub-exponential (quasi-exponential) time algorithm is known as a method for solving this problem. The expected time L_p required to solve the discrete logarithm problem of Equation 8 with this algorithm is given by Equation 9.
  • a prime p for which q is also prime is called a safe prime.
  • in order to prevent leakage of all input/output signals during operation of the encrypted control system, the inventors investigated a key-length design problem: making it hard to decipher the key within the useful life of the control system (for example, 10 to 20 years). Let L_u (sec) be the useful life of the control system and L_a (sec) the time an attacker needs to decipher all keys. If L_u ≥ L_a, the attacker obtains every private key during the operation of the encrypted control system and can therefore decrypt the input and output signals of all times.
  • if instead L_u < L_a, the attacker cannot identify all private keys within the operating time of the encrypted control system. In other words, the encrypted control system reaches the end of its life (useful life) before the input/output signals of all times are leaked, so even if an attacker eventually identifies every private key, there is no opportunity to attack the system. From this discussion, the key-length design problem reduces to finding the minimum key length k (bit) that satisfies L_u < L_a.
  • the inventors conceived a real-time encrypted control system with a short key length by dynamically updating the public key k_p(t) and the private key k_s(t) with the time (step) t. That is, as a solution to the key-length design problem, they dynamically extend ElGamal encryption by using a plurality of keys, and thereby succeeded in solving the key-length design problem of the encrypted control system with a shorter key.
  • comparing the service life L_u of the control system with the time L_a an attacker needs to decipher all keys, the minimum key length k satisfying L_u < L_a with a single key was 601 (bit). With two keys the minimum key length k can be shorter, and with three encryption keys shorter still. Extending this idea, if the encryption key is updated at every step response of the control system, the minimum key length k satisfying L_u < L_a becomes shorter than 128 (bit) and the problem disappears. In other words, once the number of encryption keys becomes huge, it becomes practically impossible for an attacker to decipher all of them. Thus, by introducing the technical idea of updating the encryption key at every step response of the control system, a sufficiently practical encrypted control system can be realized even with weak computing resources such as the single-board computer mentioned above.
  • the inventors decided to update the public key k_p(t), the private key k_s(t), and the ciphertext C(c_1(t), c_2(t)) of the ElGamal cipher step by step, based on the update formula of Equation 10.
  • the public key k p (t) is represented by h (t), which is one of the parameters of ElGamal encryption
  • the private key k s (t) is also represented by the parameter s (t). Therefore, in the following description of the mathematical formula, it is simply described as the public key h (t) and the private key s (t).
  • v(t) and w(t) are random numbers taken from the integer set Z_q.
  • for the private key s(t+1), the public key h(t+1), and the ciphertext C(c_1(t+1), c_2(t+1)) of the next step, the following two theorems are considered.
  • [Theorem 1] (Key update) Given the initial public key h(0) and the initial private key s(0) produced by the key generation algorithm (Gen), the public key h(t) and the private key s(t) produced by the update formula satisfy Equation 3 at all times t.
  • the public key h(t) and the private key s(t) used in the control system are updated every sampling period T_s with a random number, by the update formula of Equation 10. Because they change every sampling period T_s, an attacker who does not possess the same random number generator as the control system cannot easily derive s(t+1) even after obtaining the private key s(t).
  • the sampling cycle T s varies depending on the type of control system. For example, if the control target is something like a mechanical robot, the sampling cycle T s of this mechanical robot can be switched at a cycle of about 0.1 msec. On the other hand, in the case of a large plant such as a chemical plant, it may occur once every few months or years. That is, the sampling cycle T s is a value that is determined by how fast the control target is sensed, and may be a short cycle or a long cycle depending on the control target. In general, slow-moving objects have a long cycle, and fast-moving objects have a short cycle.
  • the number of samples within the useful life L_u is L_u / T_s steps, obtained by dividing the service life L_u of the control system by the sampling period T_s.
  • there are q possible values of the private key s(t) (q is a k-bit prime).
  • L_a becomes (L_u / T_s) × L_p ⁇v, c⁇.
  • L_p is the expected time required to solve the discrete logarithm problem with the sub-exponential time algorithm (see Equation 9).
  • the key-length design problem for the encrypted control system using the update formula of Equation 10 is therefore: given that the useful life L_u and the sampling period T_s are both positive values greater than 0, find k such that T_s < L_p ⁇v, c⁇.
  • for T_s = 1.0 × 10^-2 (sec),
  • the minimum k (bit) that satisfies T_s < L_p ⁇v, c⁇ is 105 (bit).
  • for T_s = 1.0 × 10^-3 (sec),
  • the minimum k (bit) becomes 83 (bit). Hence, when ElGamal encryption is dynamically extended by the update formula of Equation 10, it is difficult to identify all input signals within one sampling period T_s even with a key length shorter than before.
  • FIG. 1 is a schematic diagram explaining the principle of an encrypted control system in which a decryption unit 30 and an encryption unit 40 are placed between the controller (encryption controller) 10 that performs this control simulation and a plant 20 that includes the controlled object 21. In FIG. 1 the plant 20 and the controlled object 21 are drawn separately, but the two can be regarded as essentially synonymous.
  • the example is a PID (Proportional-Integral-Derivative) controller, a common form of feedback control in control engineering, which determines the input value from the deviation between the output value and the target value.
  • a target value r is set for the plant 20 including the controlled object 21.
  • this target value r is supplied from the decryption unit 30 to the plant 20; to realize this, the encrypted target value Enc(r) is supplied to the encryption controller 10.
  • the observed value y is output from the controlled object 21.
  • since the target value r output from the decryption unit 30 depends on the controlled object 21 of the plant 20, in the PID control simulation described later with reference to FIG. 4 the initial position is set to "1", the initial speed to "0", and the target position to "0".
  • the target error ⁇ output from the subtractor 22 is sent to the encryption unit 40.
  • the state vector x of the encryption controller 10 is also output from the decryption unit 30 and sent to the encryption unit 40.
  • the encryption unit 40 forms the input vector ⁇, which collects the state vector x of the encryption controller 10 and the target error ⁇, and encrypts it with the public key k_p(t). The encrypted input vector Enc(⁇) is then output from the encryption unit 40 and sent to the encryption controller 10.
  • the encrypted input vector Enc(⁇) includes the encrypted state vector Enc(x) and the encrypted target error Enc(⁇).
  • in addition to the encrypted input vector Enc(⁇), the encryption controller 10 is supplied with the encrypted target value Enc(r), the first encryption control parameter Enc(K_p), the second encryption control parameter Enc(K_i), and the third encryption control parameter Enc(K_d).
  • the first to third encryption control parameters Enc(K_p), Enc(K_i), and Enc(K_d) supplied to the encryption controller 10 are typical encryption control parameters. Multiplying these encryption control parameters with the encrypted input vector Enc(⁇) under modular arithmetic yields the encrypted output matrix Enc(⁇) of the encryption controller 10.
  • the output matrix Enc(⁇) contains the encrypted control signal Enc(u) and the updated encrypted state vector Enc(x).
  • the encrypted output matrix Enc(⁇) and the encrypted target value Enc(r) output from the encryption controller 10 are passed to the decryption unit 30, which decrypts them to produce the control signal u, the state vector x, and the target value r. The control signal u is used to control the controlled object 21; the target value r is sent to the subtractor 22 of the plant 20; and the state vector x of the controller is sent to the encryption unit 40 via the plant 20.
  • the process shown in FIG. 1 is repeated at each step (sampling period T_s), and at each step the public key h(t) used for encryption by the encryption unit 40, the private key s(t) used for decryption by the decryption unit 30, and the ciphertext C(c_1(t), c_2(t)) are updated.
  • the update of the public key h(t), the private key s(t), and the ciphertext C(c_1(t), c_2(t)) follows the update rule of Equation 10.
  • the ciphertext C includes all of the encryption control parameters Enc(K_p), Enc(K_i), Enc(K_d), the encrypted target value Enc(r), the encrypted control signal Enc(u), the encrypted state vector Enc(x), and the encrypted target error Enc(⁇).
  • the decryption unit 30, the encryption unit 40, and the encryption controller (control) 10 are connected via a transmission line.
  • the components other than the encryption controller (control) 10 are surrounded by a dotted line.
  • the dotted line signifies that the decryption unit 30 and the encryption unit 40 are closely associated with the plant 20, and that the decrypted control signal u, target value r, target error ⁇, and state vector x are never output in plaintext onto the transmission line.
  • FIG. 2A is a block diagram showing the functions used when updating the public key h(t), the private key s(t), and the ciphertext c_1(t), c_2(t) by the update rule of Equation 10.
  • it comprises the storage unit 50, the random number generator 51, the private key update unit 52, the public key update unit 53, the ciphertext update units 54 and 55, and the random number update unit 56.
  • the initial value of each parameter is stored in the storage unit 50.
  • p and q are prime numbers
  • g is a generator of the cyclic group G
  • these scalar values p, q, and g are fixed numbers that do not change with time.
  • the initial random number n(0) is stored.
  • the private key parameter s(0), the public key parameter h(0), the random number n(0), and the encryption control parameter Enc ⁇(0) are the initial values for updating, with Equation 10, the private key s(t), the public key h(t), and the ciphertext c_1(t), c_2(t) at each step.
  • the fixed parameters (p, q, g) stored in the storage unit 50 and the initial values (s(0), h(0), n(0), Enc ⁇(0)) of the time-varying parameters are selected according to their use and sent to the private key update unit 52, the public key update unit 53, the ciphertext update units 54 and 55, and the random number update unit 56.
  • the result becomes the set of values (s(t), h(t), n(t), Enc ⁇(t)) for that time (step t) and is stored in the storage unit 50.
  • the stored private key s(t), public key h(t), random number n(t), and encryption control parameter Enc ⁇(t) of step t are used for the update at the next step (t+1).
  • the ciphertext update unit 55 takes the ciphertext initial values c_1(0) and c_2(0), obtained from the initial encryption control parameter Enc ⁇(0), and updates them with Equation 10 using the random numbers v(0) and w(0) to obtain the ciphertext c_2(1).
  • the random number update unit 56 generates the random number n(1) for the next step from the initial value n(0) taken from the storage unit 50 and the random number v(0) from the random number generator 51.
  • the update formula for this random number n(t) is not included in Equation 10; the following formula is used:
  • n(t+1) = (n(t) + v(t)) mod q
  • FIG. 2B shows how the public key h(t), the private key s(t), and the encrypted control parameter Enc(⁇) are updated at each step, i.e. each sampling period T_s.
  • Enc(⁇) in FIG. 2B stands for the first, second, and third encryption control parameters Enc(K_p), Enc(K_i), and Enc(K_d) of FIG. 1, shown as one representative encryption control parameter.
  • updating the encryption control parameter Enc ⁇(t) is synonymous with updating the ciphertext C(c_1, c_2).
  • the public key h(t), the private key s(t), and the ciphertext C(c_1(t), c_2(t)) are updated at each step, and the update is repeated indefinitely.
  • f_1 is the map that updates the private key s(t): it takes the private key s(t) and the random number w(t) and produces the new private key s(t+1).
  • f_2 is the map that updates the public key h(t): it takes the public key h(t) and the random number w(t) and produces the new public key h(t+1).
  • f_3 is the map that updates the ciphertext c_1: it takes the ciphertext c_1(t) and the random number v(t) and produces the new ciphertext c_1(t+1).
  • f_4 is the map that updates the ciphertext c_2(t): it takes the ciphertexts c_1(t) and c_2(t) and the random numbers v(t) and w(t) and produces the new ciphertext c_2(t+1).
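The per-step update of s, h, n, c_1, and c_2 described in the items above, as an added worked example in Python (not code from the patent). The page does not reproduce Equation 10, so the update rule below is one rule I chose to satisfy the stated constraints: n(t+1) = (n(t)+v(t)) mod q, s and h refreshed with w(t), c_1 with v(t), c_2 with c_1, c_2, v(t), w(t), and Theorem 1 (decryption still correct) at every step. The small safe-prime parameters and the seeded PRNG standing in for the synchronised random number generators are constructed assumptions, not secure sizes.

```python
"""Toy model of dynamic ElGamal key and ciphertext updating.

ElGamal over the order-q subgroup of Z_p^* with p = 2q + 1 (a safe prime).
Update rule (assumed; the patent's Equation 10 is not on the page):
  s' = s + w (mod q)      h' = h * g^w (mod p)      -> h' = g^(s')
  n' = n + v (mod q)      c1' = c1 * g^v (mod p)    -> c1' = g^(n')
  c2' = c2 * h^v * c1'^w (mod p)                    -> c2' = m * h'^(n')
so Dec(s', (c1', c2')) == m holds after every step (Theorem 1).
"""
import random

Q = 1019            # constructed k-bit prime q (toy size)
P = 2 * Q + 1       # 2039, the safe prime p
G = 4               # generator of the order-q subgroup (quadratic residues)


def in_plaintext_space(m: int) -> bool:
    """Plaintext space M must lie inside the subgroup G (Euler's criterion)."""
    return 0 < m < P and pow(m, Q, P) == 1


def keygen(rng: random.Random):
    """Gen: private key s in Z_q, public key h = g^s mod p."""
    s = rng.randrange(1, Q)
    return s, pow(G, s, P)


def encrypt(h: int, m: int, n: int):
    """Enc (Equation 1): C = (g^n mod p, m * h^n mod p), n uniform in Z_q."""
    if not in_plaintext_space(m):
        raise ValueError("plaintext is outside the subgroup G")
    return pow(G, n, P), (m * pow(h, n, P)) % P


def decrypt(s: int, c):
    """Dec (Equation 3): m = c2 * (c1)^(-s) mod p (pow(x, -s, P) is the inverse)."""
    c1, c2 = c
    return (c2 * pow(c1, -s, P)) % P


def update_step(s, h, c, n, v, w):
    """One sampling period T_s: refresh key pair, ciphertext and random number.

    Both sides apply the same v, w from their synchronised generators, so the
    controller side never needs the new private key to re-encrypt."""
    c1, c2 = c
    s2 = (s + w) % Q                       # f_1: private key
    h2 = (h * pow(G, w, P)) % P            # f_2: public key
    n2 = (n + v) % Q                       # random-number update from the page
    c1_2 = (c1 * pow(G, v, P)) % P         # f_3: first ciphertext component
    c2_2 = (c2 * pow(h, v, P) * pow(c1_2, w, P)) % P   # f_4: second component
    return s2, h2, (c1_2, c2_2), n2


def run_steps(m: int, steps: int, seed: int):
    """Encrypt m once, then update for `steps` periods.

    Returns a list of (s, h, c1, c2, Dec) per step: the key pair and the
    ciphertext change every step while the decrypted plaintext stays m.
    A seeded PRNG stands in for the page's shared random number generators."""
    rng = random.Random(seed)
    s, h = keygen(rng)
    n = rng.randrange(Q)
    c = encrypt(h, m, n)
    trace = [(s, h, c[0], c[1], decrypt(s, c))]
    for _ in range(steps):
        v, w = rng.randrange(Q), rng.randrange(Q)
        s, h, c, n = update_step(s, h, c, n, v, w)
        trace.append((s, h, c[0], c[1], decrypt(s, c)))
    return trace


def encrypted_product(h, k, xi, n1, n2):
    """Equation 5 in miniature: Enc(K) * Enc(xi) component-wise, which
    decrypts to K * xi mod p, so the controller multiplies without the key."""
    a = encrypt(h, k, n1)
    b = encrypt(h, xi, n2)
    return (a[0] * b[0]) % P, (a[1] * b[1]) % P


if __name__ == "__main__":
    for row in run_steps(9, 5, seed=7):
        print("s=%4d h=%4d c1=%4d c2=%4d Dec=%d" % row)
```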
  • FIG. 3B shows the difference (y − ECSy) between the response with encryption and the response without it. From FIG. 3B, the error between the two responses lies within the guaranteed precision (15 digits) of the double-precision floating-point type.
  • FIGS. 4A to 4C compare the private key (s), the public key (h), and the encryption control parameter Enc(K_p) when a conventional static key and the dynamically extended key of the present invention are used.
  • the encryption control parameter Enc(K_p) is the result of a simulation restricted to proportional control.
  • with a static key, the private key (s) has a constant value.
  • when the private key (s) is updated by the update rule of Equation 10,
  • the private key (s) changes drastically.
  • the public key (h) is likewise constant when a static key is used, but as FIG. 4B shows, it changes drastically when updated by the update rule of Equation 10. That is, the private key (s) and the public key (h) are being updated at all times.
  • FIG. 4C shows the gain of the encryption control parameter Enc(K_p) of proportional control, an example of a ciphertext; this value also changes greatly and is updated at each step.
  • the drastic fluctuation of the encryption control parameter Enc(K_p) in FIG. 4C means that the ciphertext C fluctuates drastically as well.
  • although FIG. 4C shows only the variation of the scalar value c_1(t) of the ciphertext C(c_1, c_2), the scalar value c_2(t) naturally varies as well.
  • the ciphertext C changes drastically, yet FIG. 3A shows that the control simulation runs correctly, so the corresponding plaintext is constant. That is, even when the plaintext has a constant value, the ciphertext C changes from moment to moment because the public key (h) is updated from moment to moment, and the plaintext is thereby concealed reliably.
  • since the private key (s) and the public key (h) all change drastically in the same way, the update formulas of Equation 10 for the private key (s), the public key (h), and the ciphertext C(c_1(t), c_2(t)) can be seen to function effectively.
  • FIG. 5A and 5B show the processing time related to the discrete logarithm problem.
  • FIG. 5A shows the processing time (⁇sec) of solving the discrete logarithm problem 1000 times on a MacBook Air (registered trademark, registration No. 5205574; CPU: 1.6 GHz, memory 8 GB) using an exponential-time algorithm to obtain the private key (s) from the recorded public key (h).
  • FIG. 5B shows the maximum, average, and minimum processing time required for the attack.
  • when the useful life L_u of the control system is smaller than the expected time L_p required to solve the discrete logarithm problem (L_u < L_p ⁇v, c⁇),
  • the key length is 96 (bit).
  • when the sampling period T_s is smaller than the expected time L_p required to solve the discrete logarithm problem (T_s < L_p ⁇v, c⁇),
  • the key length is 48 (bit). FIG. 5B shows that the dynamic encryption system prevents identification of all input signals with a shorter key length than the static encryption system.
  • FIG. 6 is a schematic view showing the overall configuration of the encryption control system 101 according to the embodiment of the encryption control of the present invention.
  • The encryption control system 101 includes an input device 102, a plant-side control device 103, a controller 104, and a date and time information source device 105.
  • The controller 104 is connected to the input device 102 by the first control network L108, and to the plant-side control device 103 by the second control network L109.
  • A controlled object 106 and a sensor 107 are connected to the plant-side control device 103.
  • The plant-side control device 103 gives a control signal to the control target 106 and acquires an observed value, which is state information of the control target 106, from the sensor 107.
  • The input device 102, the controller 104, and the plant-side control device 103 are each connected to the date and time information source device 105 through the information network L110.
  • The date and time information source device 105 is a personal computer or server on which a network OS, an NTP (Network Time Protocol) server, and an NTP client are operated.
  • The first control network L108 and the second control network L109 are networks that emphasize the certainty of data transfer, and various types of network interfaces can be used.
  • The information network L110 is not required to be as reliable as the control networks.
  • The input device 102, the controller 104, and the plant-side control device 103 are devices called programmable controllers.
  • A programmable controller includes a case-shaped mount base 111 having a large number of slots; modules sized to fit the slots of the mount base 111 are inserted according to the required functions.
  • The mount base 111 has a built-in interface for connecting the modules to each other; when the modules are inserted into the slots, transmission/reception of data between the modules and supply of appropriate power are established.
  • A CPU module 112, an information network module 113, and a first control network module 114a are mounted on the mount base 111a of the input device 102.
  • A CPU module 112, an information network module 113, a first control network module 114b, and a second control network module 115 are mounted on the mount base 111b of the controller 104.
  • A CPU module 112, an information network module 113, a second control network module 115, and an input/output module 116 are mounted on the mount base 111c of the plant-side control device 103.
  • The first control network module 114a of the input device 102 is the transmitting side, and the first control network module 114b of the controller 104 is the receiving side.
  • Between the second control network module 115 of the controller 104 and the second control network module 115 of the plant-side control device 103, the transmitting-side terminal and the receiving-side terminal are mutually connected.
  • FIG. 7 is a block diagram showing the hardware configuration of the input device 102.
  • The input device 102 includes a CPU module 112, an information network module 113, and a first control network module 114a, connected to a module bus 201 provided on the mount base 111.
  • The CPU module 112 includes a CPU 202, a ROM 203, a RAM 204, and an RTC (Real Time Clock) 205 that generates date and time information, all connected to an internal bus 206.
  • The internal bus 206 is connected to the module bus 201.
  • The ROM 203 of the CPU module 112 stores a program for executing control calculation processing, encryption processing, and the like in the encryption control system 101.
  • The information network module 113 includes a CPU 202, a ROM 203, a RAM 204, and a NIC (Network Interface Card) 207 connected to the internal bus 206.
  • The internal bus 206 is connected to the module bus 201.
  • The ROM 203 of the information network module 113 stores a network OS, an NTP server program, an NTP client program, and the like.
  • The transmission unit 208 of the first control network module 114a is connected to the module bus 201.
  • FIG. 8 is a block diagram showing the hardware configuration of the controller 104.
  • The controller 104 includes a CPU module 112, an information network module 113, a first control network module 114b, and a second control network module 115. These modules are connected to the module bus 201 provided on the mount base 111. Since the CPU module 112 and the information network module 113 are the same as those of the input device 102, their description is omitted.
  • The first control network module 114b includes a receiving unit 309 connected to the module bus 201.
  • The second control network module 115 includes a transmitter 208 and a receiver 309 connected to the internal bus 206.
  • The internal bus 206 is connected to the module bus 201.
  • FIG. 9 is a block diagram showing the hardware configuration of the plant-side control device 103.
  • The plant-side control device 103 includes a CPU module 112, an information network module 113, a second control network module 115, and an input/output module 116. These modules are connected to the module bus 201 provided on the mount base 111 (see FIG. 1). Since the CPU module 112, the information network module 113, and the second control network module 115 are the same as those of the controller 104, their description is omitted.
  • The input/output module 116 includes an A/D converter 410 to which the sensor 107 is connected, and a D/A converter 411 to which the controlled object 106 is connected.
  • The internal bus 206 is connected to the module bus 201.
  • The input/output module 116 is merely an example; depending on the connected control target 106, sensor 107, or the like, a signal processing circuit or similar connected to the A/D converter 410 and the D/A converter 411 may be required.
  • The date and time information source device 105 shown in FIG. 6 is likewise composed of a server device, a personal computer, or the like; it goes without saying that it has a CPU, ROM, RAM, non-volatile storage, an RTC, and a NIC connected to a bus.
  • FIG. 10 is a block diagram showing the software functions in the control network of the encryption control system 101.
  • The input device 102 includes a target value input unit 501, an input/output control unit 502, an encryption processing unit 503, a storage unit 504, a public key update unit 505, and a date/time information generation unit 506.
  • The target value input unit 501 gives the input/output control unit 502 the target value r before encryption.
  • The input/output control unit 502 sends the target value r input from the target value input unit 501 to the encryption processing unit 503.
  • The encryption processing unit 503 encrypts the target value r using the public key k p updated by the public key update unit 505. The encryption processing unit 503 then sends the encrypted target value Enc(r) to the input/output control unit 502, and the input/output control unit 502 sends the encrypted target value Enc(r) to the controller 104.
  • The storage unit 504 stores the public key k p (0), which is the initial value for updating the public key k p (t).
  • Among the public key parameters, the only value that is updated is the public key parameter h(0).
  • The public key update unit 505 has a built-in random number generator 505a, and the random number generator 505a generates the random number w(t) necessary for updating the public key h(t).
  • The public key update unit 505 performs multiplication-remainder (modular multiplication) processing on the initial public key h(0) from the storage unit 504 and the random number w(0) from the random number generator 505a, and outputs the public key h(1) updated according to the update rule shown in the second equation of several tens.
  • The updated new public key h(1) is stored in the storage unit 504 as the initial value for the next step.
  • In this way, the public key update unit 505 changes the public key h(t) at time t (step t) into the public key h(t+1) at the next step (time (t+1)).
  • The public key update unit 505 corresponds to the public key update unit 53 in FIG. 2A, and the random number generator 505a corresponds to the random number generator 51 in FIG. 2A.
  • p, q, g, and h(0) are stored in the storage unit 504, and h(t) is updated as the time t advances.
  • The random numbers v(t) and w(t) generated by the random number generator 505a are used in the calculation of the public key update unit 505, but they must be synchronized with the random number generator 510a of the ciphertext update unit 510 of the controller 104 described later and with the random number generator 513a of the encryption key update unit 513 of the plant-side control device 103.
  • The three random number generators 505a, 510a, and 513a are synchronized based on the time information from the date and time information generation units 506, 511, and 519, and are controlled so as to generate the same random number at the same time t (step t).
  • The random number generators 505a, 510a, and 513a hold the same random number list composed of a plurality of random numbers; at the same time t they read the record with the same record number in the random number list, so that each generates the same random numbers v(t) and w(t).
  • The public key update unit 505 sends the public key h(t+1) updated for step (t+1) to the encryption processing unit 503.
  • The encryption processing unit 503 encrypts the target value r with the new public key h(t+1) updated by the public key update unit 505, and sends the encrypted target value Enc(r) to the input/output control unit 502.
  • The controller 104 includes an input/output control unit 507, a multiplication unit 508, a storage unit 509, a ciphertext update unit 510, a date/time information generation unit 511, and a log table 520. It further includes the transmission unit 208 and the reception unit 309 described in the hardware configuration of FIG. 8.
  • The encrypted target value Enc(r) transmitted from the input device 102 to the controller 104 is input to the input/output control unit 507 of the controller 104.
  • The input/output control unit 507 transmits the encrypted target value Enc(r) as it is to the plant-side control device 103 via the transmission unit 208. The input/output control unit 507 also receives the encrypted input vector Enc( ⁇ ) from the plant-side control device 103 via the receiving unit 309, and sends the encrypted input vector Enc( ⁇ ) to the multiplication unit 508.
  • All information output from the input/output control unit 507 and all information input to the input/output control unit 507 are stored in the log table 520.
  • The ciphertext update unit 510 of the controller 104 updates the first to third encryption control parameters Enc(K p ), Enc(K i ), and Enc(K d ) stored in the storage unit 509 (hereinafter collectively the "encryption control parameter Enc( ⁇ ) or Enc ⁇ "). That is, based on the current date and time information included in the data received from the plant-side control device 103 via the reception unit 309, the ciphertext update unit 510 reads the encryption control parameter Enc( ⁇ ) recorded in the storage unit 509, updates it to the encryption control parameter Enc ⁇ (1), and sends it to the multiplication unit 508. The updated encryption control parameter Enc ⁇ (1) is stored in the storage unit 509.
  • The ciphertext update unit 510 repeatedly updates the encryption control parameter Enc ⁇ (t) according to the third and fourth equations of several tens, generating the encryption control parameter Enc ⁇ (t+1) for the next time (t+1) (step (t+1)) and sending it to the multiplication unit 508.
  • The ciphertext update unit 510 has a built-in random number generator 510a, and this random number generator 510a generates the same random number at the same time (step) as the random number generator 505a of the input device 102.
  • Once the encryption control parameter Enc ⁇ (t) has been updated by the ciphertext update unit 510, the updated encryption control parameter Enc ⁇ (t+1) is also stored in the storage unit 509 for the next update. At this time, the update date and time information from the date and time information generation unit 511 is stored in the storage unit 509 together with the encryption control parameter Enc ⁇ (t+1).
  • The ciphertext update unit 510 includes the functions of the public key update unit 53 in addition to those of the ciphertext update units 54 and 55 of FIG. 2A. This is because the public key h(t) is required to update the ciphertext c 2 (t), as shown by the equation of several tens.
  • The random number generator 510a corresponds to the random number generator 51 of FIG. 2A.
  • p, q, g, h(0), and Enc ⁇ (0) are stored in the storage unit 509, and as the time t advances, h(t) and Enc ⁇ (t) are updated.
  • The multiplication unit 508 multiplies the encrypted input vector Enc( ⁇ ) sent from the input/output control unit 507 by the encryption control parameter Enc ⁇ (t) from the ciphertext update unit 510, and calculates the encrypted output matrix Enc( ⁇ ). Since this encrypted output matrix Enc( ⁇ ) includes the encrypted control signal Enc(u) and the updated encrypted state vector Enc(x) as described with reference to FIG. 1, the encrypted output matrix Enc( ⁇ ) may be read as the encrypted control input Enc(u) for the purpose of explanation.
  • The encrypted output matrix Enc( ⁇ ) calculated by the multiplication unit 508 is sent to the plant-side control device 103 via the input/output control unit 507 and the transmission unit 208. The encrypted output matrix Enc( ⁇ ) is also fed back to the input device 102 for monitoring.
  • The state vector x of the controller 104 is also encrypted, and the encrypted state vector Enc(x) included in the encrypted output matrix Enc( ⁇ ) is sent to the plant-side control device 103 via the transmission unit 208.
  • The encrypted input vector Enc( ⁇ ) to the controller consists of the control signal x(t) indicating the state of the controller at time t and the input vector u c (t) to the controller (see Equation 4).
  • The output matrix Enc( ⁇ ) of the encryption controller is calculated from the parameter Enc( ⁇ ) of the encryption controller read from the storage unit 509 by the ciphertext update unit 510 and the input vector Enc( ⁇ ) of the encryption controller, and is then output.
  • The encrypted state vector Enc(x) included in the output matrix Enc( ⁇ ) is decrypted by the decryption processing unit 512 of the plant-side control device 103, and is sent as the state vector x through the control arithmetic processing unit 514 to the encryption processing unit 518.
  • The date/time information generation unit 511, which outputs the current date/time information, also outputs the date/time information at the start of synchronous operation between the plant-side control device 103 and the controller 104 (hereinafter "start date/time information"), and controls the starting and stopping of the ciphertext update unit 510. Further, the current date and time information generated by the date and time information generation unit 511 is stored, as encoded date and time information, in the data frame of the encrypted control input Enc(u) transmitted from the multiplication unit 508 to the plant-side control device 103 through the input/output control unit 507 and the transmission unit 208.
  • The plant-side control device 103 includes a decryption processing unit 512, an encryption key update unit 513, a control arithmetic processing unit 514, a control processing unit 515, a signal conversion processing unit 516, a target error arithmetic processing unit 517, an encryption processing unit 518, a date and time information generation unit 519, and a storage unit 521.
  • The encrypted target value Enc(r) and the encrypted control input Enc(u) included in the encrypted output matrix Enc( ⁇ ), transmitted from the controller 104 to the plant-side control device 103 via the transmission unit 208, are input to the decryption processing unit 512 through the receiving unit 309 of the plant-side control device 103.
  • The decryption processing unit 512 decrypts the encrypted target value Enc(r) and the encrypted control input Enc(u) using the secret key s(t+1) updated by the encryption key update unit 513.
  • The encrypted target value Enc(r) and the encrypted control input Enc(u) decrypted by the decryption processing unit 512 become the target value r and the control input u, and are sent to the control arithmetic processing unit 514 for control.
  • The target value r and the control input u are output from the control arithmetic processing unit 514: the control input u is sent to the control processing unit 515, and the target value r is sent to the target error calculation unit 517.
  • The control arithmetic processing unit 514 also outputs the state vector x of the controller 104 decrypted by the decryption processing unit 512, and sends this state vector x to the encryption processing unit 518.
  • The encryption key update unit 513 includes a random number generator 513a.
  • The random number generator 513a also generates the same random numbers v(t) and w(t) at the same time, in synchronization with the random number generator 505a of the input device 102 and the random number generator 510a of the controller 104.
  • The storage unit 521 stores the values of the public key h(t) and the private key s(t) before the update.
  • The encryption key update unit 513 reads the secret key s(t) before the update from the storage unit 521, and performs multiplication-remainder processing on the secret key s(t) and the random number w(t) read from the random number generator 513a according to the update equation shown in the first equation of several tens, generating the updated private key s(t+1). This updated private key s(t+1) is then sent to the decryption processing unit 512.
  • The decryption processing unit 512 uses the secret key s(t+1) to decrypt the encrypted target value Enc(r) and the encrypted control input Enc(u).
  • The encryption key update unit 513 likewise reads the public key h(t) before the update from the storage unit 521, performs multiplication-remainder processing on the public key h(t) and the random number w(t) read from the random number generator 513a according to the update formula shown in the second equation of several tens, and generates the updated public key h(t+1). The updated public key h(t+1) is then sent to the encryption processing unit 518.
  • The control processing unit 515 generates a control signal based on the control input u input from the control arithmetic processing unit 514, and controls the control target 106 with this control signal. For example, if the control target 106 is a motor, the control processing unit 515 controls the voltage, phase, and so on applied to the motor.
  • When the control target 106 is controlled by the control signal, the operating state of the control target 106 is detected by the sensor 107.
  • The signal output from the sensor 107 is sent to the signal conversion processing unit 516 and converted into the observed value y. The observed value y is then sent to the target error calculation processing unit 517.
  • The target error calculation processing unit 517 calculates the difference between the target value r from the control calculation processing unit 514 and the observed value y from the signal conversion processing unit 516, and outputs the target error ⁇ .
  • Encryption is performed by the encryption processing unit 518: the target error ⁇ is encrypted and converted into the encrypted target error Enc( ⁇ ).
  • The public key h(t+1) for time (t+1), updated by the encryption key update unit 513, is supplied to the encryption processing unit 518, and the target error ⁇ is encrypted using the public key h(t+1).
  • The encrypted target error Enc( ⁇ ) produced by the encryption processing unit 518 is transmitted to the controller 104 via the transmission unit 208.
  • The decrypted state vector x of the controller 104 output from the control arithmetic processing unit 514 is also encrypted by the encryption processing unit 518 and included in the encrypted input vector Enc( ⁇ ); the encrypted vector Enc(x) is transmitted to the controller 104 via the transmission unit 208.
  • The storage unit 521 stores the public key h(t) and the private key s(t) of the current step, before the update.
  • The updated secret key s(t+1) and public key h(t+1) are stored in the storage unit 521 as the base values for the next update.
  • The encryption key update unit 513 includes the functions of the secret key update unit 52, the public key update unit 53, and the ciphertext update units 54 and 55 of FIG. 2A.
  • The random number generator 513a corresponds to the random number generator 51 of FIG. 2A.
  • The storage unit 521 stores p, q, g, s(0), h(0), and Enc ⁇ (0); as the time t advances, s(t), h(t), and Enc ⁇ (t) are updated accordingly.
  • The date and time information generation unit 519 outputs the current date and time information, and also outputs the same date and time information at the start of synchronous operation as instructed by the date and time information generation unit 511 of the controller 104 (hereinafter "start date and time information").
  • The date and time information generation unit 519 also controls the activation and stopping of the encryption key update unit 513.
  • The current date and time information generated by the date and time information generation unit 519 is stored, as encoded date and time information, in the data frame of the encrypted target error Enc( ⁇ ) included in the encrypted input vector Enc( ⁇ ) transmitted from the encryption processing unit 518.
  • FIG. 11 is a flowchart showing the flow of the synchronous-operation start processing of the date/time information generation unit 506 of the input device 102, the date/time information generation unit 519 of the plant-side control device 103, and the date/time information generation unit 511 of the controller 104.
  • The date/time information generation unit 511 of the controller 104 serves as the master, and the date/time information generation unit 519 of the plant-side control device 103 and the date/time information generation unit 506 of the input device 102 serve as slaves.
  • Alternatively, the date/time information generation unit of the input device 102 or of the plant-side control device 103 may be the master.
  • The date/time information generation unit 511 of the controller 104 confirms whether or not its own date/time information is calibrated with a sufficiently small error against the date/time information output by the date/time information source device 105 shown in FIG. (S12).
  • A sufficiently small error means that the error is calibrated to a state sufficiently smaller than the period at which the information from the plant is sensed to obtain the observed value y. The same applies to steps S13 and S14 described later.
  • The date/time information generation unit 511 of the controller 104 inquires of the input device 102 whether or not the date/time information generation unit 506 of the input device 102 is calibrated with a sufficiently small error against the date/time information output by the date/time information source device 105, and confirms the result (S13).
  • The date/time information generation unit 511 of the controller 104 inquires of the plant-side control device 103 whether or not the date/time information generation unit 519 of the plant-side control device 103 is calibrated with a sufficiently small error against the date/time information output by the date/time information source device 105 (S14).
  • When it is confirmed in step S14 that the date and time information of the date and time information generation unit 519 of the plant-side control device 103 is calibrated with a sufficiently small error against the date and time information output by the date and time information source device 105 (S14 YES), all the date and time information generation units 506, 511, and 519 of the input device 102, the controller 104, and the plant-side control device 103 are calibrated at this point. Therefore, as the preparation step for synchronous operation, the date/time information generation unit 511 of the controller 104 determines the time to start the synchronous operation, the step time for updating the encryption key, the initial values for the key update, and the like, and transmits them to the date/time information generation unit 506 of the input device 102 and the date/time information generation unit 519 of the plant-side control device 103 (S15).
  • After step S15, the date/time information generation unit 511 of the controller 104 waits until the set synchronous-operation start time is reached (NO in S16); when the start time is reached (YES in S16), synchronous operation is started (S17), and the series of processes is completed (S18).
  • In steps S12, S13, and S14, if the calibration of the date and time information has not completed normally (NO in S12, NO in S13, NO in S14), the process returns to step S12 and the confirmation work is repeated.
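  • The following is an added example modelling the FIG. 11 start procedure (S12 to S17); it is not code from the patent or its authors. Its assumptions: each unit reports the offset of its clock from the date and time information source device 105 in seconds; "sufficiently small" is taken to be a tenth of a constructed 10 ms sampling period; and after the start time every unit derives the step number t from its own clock, which is the index all three synchronized random number generators use to read the same record. The last function shows the failure mode the tolerance guards against: an offset comparable to the period makes two units disagree on t, so they would read different random numbers.

```python
import math

SAMPLING_PERIOD_S = 0.010   # constructed: 10 ms control cycle (the sensing period)
TOLERANCE_S = 0.001         # constructed: "sufficiently small" = period / 10

MASTER = "controller 104"
SLAVES = ("input device 102", "plant-side control device 103")


def is_calibrated(offset_s, tolerance_s=TOLERANCE_S):
    """S12-S14 criterion: |clock error vs. source device 105| below tolerance."""
    return abs(offset_s) < tolerance_s


def confirmation_rounds(rounds, master=MASTER, slaves=SLAVES):
    """Repeat S12 (master itself), S13 and S14 (slaves) until all pass.

    `rounds` is a constructed list of offset reports, one dict {unit: offset_s}
    per confirmation attempt. Returns the index of the first round in which every
    unit was calibrated, or None if the supplied rounds ran out (the flowchart
    itself would simply loop back to S12 and try again)."""
    for i, report in enumerate(rounds):
        if not is_calibrated(report[master]):                 # S12 NO -> retry
            continue
        if not all(is_calibrated(report[s]) for s in slaves):  # S13/S14 NO -> retry
            continue
        return i                                              # S14 YES
    return None


def preparation_message(start_time_s, period_s, initial_values):
    """S15 payload: start time, key-update step time and key-update initial values."""
    return {"start": start_time_s, "period": period_s, "initial": dict(initial_values)}


def step_index(local_time_s, start_time_s, period_s=SAMPLING_PERIOD_S):
    """Step t a unit derives from its own clock; None while still waiting (S16 NO)."""
    if local_time_s < start_time_s:
        return None
    return int(math.floor((local_time_s - start_time_s) / period_s))


def steps_agree(true_time_s, offsets, start_time_s, period_s=SAMPLING_PERIOD_S):
    """True when every unit (clock = true time + its offset) derives the same t,
    i.e. all synchronized generators would read the same random-number record."""
    indices = {step_index(true_time_s + off, start_time_s, period_s)
               for off in offsets.values()}
    return len(indices) == 1


if __name__ == "__main__":
    # constructed reports: the input device is 3 ms off in the first round
    rounds = [
        {MASTER: 0.0004, SLAVES[0]: 0.0030, SLAVES[1]: 0.0002},
        {MASTER: 0.0004, SLAVES[0]: 0.0005, SLAVES[1]: 0.0002},
    ]
    print("calibrated in round", confirmation_rounds(rounds))
    print(preparation_message(100.0, SAMPLING_PERIOD_S, {"h(0)": "<initial value>"}))
    print("agree:", steps_agree(100.0355, {"a": 0.0004, "b": -0.0003}, 100.0))
```

The tolerance is deliberately an order of magnitude below the period: with offsets near the period, the first units to cross a step boundary start reading record t+1 while the others still read record t, and a ciphertext updated with one pair (v, w) can no longer be decrypted with a key updated with another.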
  • FIG. 12 is a sequence diagram for explaining the synchronous operation of the input device 102, the controller 104, and the plant-side control device 103 of the encryption control system 101.
  • The homomorphic cipher used in the embodiment of the present invention can multiply (or divide) encrypted data, but cannot add or subtract it. Therefore, the multiplication unit 508 of the controller 104 only performs multiplication on the given data, and after decryption, the control arithmetic processing unit 514 performs the addition/subtraction processing. Further, the control processing unit 515 generates a control signal from the control input u and controls the control target 106. When the control target 106 is controlled by the control processing unit 515, the operation of the control target 106 is detected by the sensor 107 (S24).
  • The observation signal detected by the sensor 107 is converted into the observed value y by the signal conversion processing unit 516.
  • The observed value y output from the signal conversion processing unit 516 is input to the target error calculation processing unit 517 together with the target value r from the control arithmetic processing unit 514.
  • The target error calculation processing unit 517 subtracts the observed value y from the target value r and outputs the target error ⁇ (S24).
  • The encryption processing unit 518 encrypts the target error ⁇ at time t with the public key k p (t+1), which the encryption key update unit 513 has updated so as to correspond to the step at time (t+1) (S25).
  • Here, time t is "0" and time (t+1) is "1"; that is, the public key k p (t+1) corresponding to step 1 is used to encrypt the target error ⁇ .
  • The plant-side control device 103 causes the transmission unit 208 to transmit the encrypted target error Enc( ⁇ ) to the controller 104 (S26).
  • The controller 104 receives the encrypted target error Enc( ⁇ ) from the plant-side control device 103 via the receiving unit 309 (S27).
  • The received encrypted target error Enc( ⁇ ) is sent to the multiplication unit 508 through the input/output control unit 507.
  • The multiplication unit 508 multiplies the encryption control parameter Enc ⁇ (1) by the encrypted target error Enc( ⁇ ) included in the encrypted input vector Enc( ⁇ ) to calculate the encrypted control gain, and on this basis obtains the encrypted control input Enc(u) (S28). The encrypted control input Enc(u) is then transmitted to the plant-side control device 103 (S29).
  • The decryption processing unit 512 of the plant-side control device 103 decrypts the target value r and the control input u using the encryption key determined on the basis of the current date/time information and the start date/time information attached to the data frames of the encrypted target value Enc(r) and the encrypted control input Enc(u).
  • The control arithmetic processing unit 514 outputs the target value r decrypted by the decryption processing unit 512, the control input u, and the state vector x of the controller 104.
  • The control processing unit 515 generates a control signal from the control input u and controls the control target 106.
  • When the controlled object 106 is controlled by the control processing unit 515, the operation of the controlled object 106 is detected by the sensor 107.
  • The observation signal output from the sensor 107 is converted into the observed value y by the signal conversion processing unit 516.
  • The observed value y is input to the target error calculation processing unit 517 together with the target value r output from the control arithmetic processing unit 514.
  • The target error calculation processing unit 517 subtracts the observed value y from the target value r and outputs the target error ⁇ (S32).
  • The encryption processing unit 518 encrypts this target error ⁇ with the public key k p (t+1) updated for step (t+1) (S33).
  • Here, the public key used by the encryption processing unit 518 to encrypt the target error ⁇ is the public key k p (t+2) corresponding to step 2.
  • When the plant-side control device 103 receives the encrypted target value Enc(r) for step 2 from the input device 102 and the encrypted control input Enc(u) for step 2 from the controller 104, the control target 106 is controlled based on the corresponding target value r and control input u.
  • The observed value y obtained from the sensor 107 is subtracted from the target value r to obtain the target error ⁇ .
  • The encryption processing unit 518 encrypts the target error ⁇ with the public key k p (t+2) for step 2, and outputs the encrypted target error Enc( ⁇ ) to the controller 104 (S34).
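  • The following is an added example, not code from the patent or its authors, that runs the per-step loop described for the update units of FIG. 10 (public key update unit 505, ciphertext update unit 510, encryption key update unit 513) and for the FIG. 12 sequence (error at time t encrypted under the key of step t+1, multiplication in the controller, decryption on the plant side). The page does not reproduce the update equations of "several tens", so the four update rules in the module docstring are this example's own assumptions: one consistent choice under which the secret key, public key and ciphertext all change every step while decryption keeps working and the multiplicative homomorphism used by multiplication unit 508 holds. The shared random-number list stands in for the synchronized generators 505a, 510a and 513a; the group parameters are tiny constructed values and are not secure.

```python
"""Toy dynamic-ElGamal control loop (added example; assumptions, not the patent's).

Assumed update rules, with p prime, q prime dividing p-1, g of order q:
    s(t+1)  = s(t) * w(t)                 mod q   (secret key, plant side)
    h(t+1)  = h(t) ^ w(t)                 mod p   (public key, equals g^s(t+1))
    c1(t+1) = c1(t) ^ (1/w(t)) * g^v(t)   mod p   (ciphertext, needs v and w)
    c2(t+1) = c2(t) * h(t+1) ^ v(t)       mod p   (ciphertext, needs h(t+1))
v(t), w(t) are read from a shared list at index t, as the three synchronized
random number generators read the same record number.
"""
import random

P, Q, G = 2039, 1019, 4   # constructed: safe prime p = 2q + 1; g = 4 has order q


def make_random_list(seed, steps):
    """Shared list of (v(t), w(t)); every device reads record t at step t."""
    rng = random.Random(seed)
    return [(rng.randrange(1, Q), rng.randrange(1, Q)) for _ in range(steps)]


def keygen(rng):
    """Initial pair (s(0), h(0)) with h = g^s mod p."""
    s = rng.randrange(1, Q)
    return s, pow(G, s, P)


def encrypt(h, m, rng):
    """Plain ElGamal: C = (g^r, m * h^r) mod p."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), (m * pow(h, r, P)) % P


def decrypt(s, c):
    """m = c2 / c1^s; c1 lies in the order-q subgroup, so c1^(q-s) = c1^(-s)."""
    c1, c2 = c
    return (c2 * pow(c1, Q - s, P)) % P


def update_keys(s, h, w):
    """Assumed key-update rule: the same w(t) drives both s and h."""
    return (s * w) % Q, pow(h, w, P)


def update_ciphertext(c, h_next, v, w):
    """Assumed ciphertext-update rule: re-randomise C(t) so that it decrypts
    under s(t+1), without the controller ever seeing the plaintext."""
    c1, c2 = c
    w_inv = pow(w, Q - 2, Q)                          # inverse of w mod q (q prime)
    c1_next = (pow(c1, w_inv, P) * pow(G, v, P)) % P
    c2_next = (c2 * pow(h_next, v, P)) % P
    return c1_next, c2_next


def multiply(ca, cb):
    """Multiplicative homomorphism: Dec(ca * cb) = Dec(ca) * Dec(cb)."""
    return (ca[0] * cb[0]) % P, (ca[1] * cb[1]) % P


def run_steps(k_gain, errors, seed=7):
    """Simulate len(errors) control steps and return one record per step.

    Per step t: plant derives s(t+1), h(t+1); controller updates Enc(K) to
    step t+1; plant encrypts the error under h(t+1); controller multiplies;
    plant decrypts u = K * error with s(t+1)."""
    shared = make_random_list(seed, len(errors))
    rng = random.Random(seed + 1)      # local randomness for r, never shared
    s, h = keygen(rng)
    enc_k = encrypt(h, k_gain, rng)    # Enc(K) as held in storage unit 509
    records = []
    for t, eps in enumerate(errors):
        v, w = shared[t]
        s, h = update_keys(s, h, w)                 # plant side: step t+1 keys
        enc_k = update_ciphertext(enc_k, h, v, w)   # controller: Enc(K) for t+1
        enc_eps = encrypt(h, eps, rng)              # plant: Enc(eps) under h(t+1)
        enc_u = multiply(enc_k, enc_eps)            # controller: Enc(K) * Enc(eps)
        u = decrypt(s, enc_u)                       # plant: u = K * eps
        records.append({"step": t + 1, "s": s, "h": h, "enc_k": enc_k, "u": u})
    return records


if __name__ == "__main__":
    for rec in run_steps(3, [5, 4, 4, 2]):
        print(rec["step"], "s =", rec["s"], "Enc(K) =", rec["enc_k"], "u =", rec["u"])
```

Running it shows the behaviour described for FIG. 4: Enc(K) takes a different value at every step although K never changes, and each step's ciphertext still decrypts correctly under that step's secret key. Because the controller only multiplies, any addition in the control law has to happen on the plant side after decryption, exactly as the text says of the control arithmetic processing unit 514.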
  • FIG. 13 shows a modified example of the embodiment of the encryption control system of the present invention shown in FIG.
  • the controller 500 has a configuration in which the input device 102 and the controller 104 shown in FIG. 10 are integrated.
  • the cipher key/cipher text update unit 521 has the functions of both the public key update unit 505 and the cipher text update unit 510 shown in FIG.
  • the storage unit 522 has the functions of both the storage unit 504 and the storage unit 509 of FIG.
  • the encryption key/ciphertext update unit 521 updates the public key before update obtained from the storage unit 522 to the public key of the next step, and provides the updated public key to the encryption processing unit 503. Further, the encryption key/ciphertext update unit 521 uses the random number generated by the random number generator 521 a and the encryption control parameter Enc ⁇ (t) stored in the storage unit 522 to update the ciphertext C(before update). Update c 1 (t), c 2 (t)) to the ciphertext C (c 1 (t + 1), c 2 (t + 1)) of the next step, and update this updated ciphertext to the multiplication unit 508. Send to.
  • the input/output control unit 523 is an input/output controller that combines the functions of the input/output control unit 502 of the input device 102 and the input/output control unit 507 of the controller 104. Two date-and-time information generators are not needed; the date-and-time information generation unit 511 of the controller 104 alone may be provided.
  • the date-and-time information generation unit 511 supplies the date-and-time information appended to the encrypted control input Enc(u) output from the multiplication unit 508, and also supplies the activation timing that triggers the encryption key/ciphertext update unit 521.
  • in the encryption control system 101, the input device 102, the plant-side control device 103 and the controller 104 operate synchronously at the same time.
  • by configuring the encryption control system 101 in this way, the public key, the secret key and the ciphertext can be updated at every step in synchronization with the control cycle of the whole control system. The encryption keys (public key, secret key) and the ciphertext are therefore updated within a time that is very short compared with the service life of the control target, which is considered to make it extremely difficult for a malicious third party to break the encryption keys and the ciphertext.
  • the secret key, the public key and the ciphertext are updated on the basis of the dynamic extension of the ElGamal cipher, but the ElGamal cipher is only an example, and the basic technical idea of the encryption control system of the present invention can be applied to other ciphers.
  • although the technical idea underlying the encryption control system of the present invention and an example embodiment have been described above, the present invention is not limited to the above embodiment, and other modifications and applications are included as long as they do not depart from the gist of the present invention set out in the claims.
  • Information network module, 114a, 114b ... first control network module, 115 ... second control network module, 116 ... input/output module, 202 ... CPU, 203 ... ROM, 204 ... RAM, 205 ... RTC, 206 ... bus, 207 ... NIC, 208 ... transmitter, 309 ... receiver, 410 ... A/D converter, 411 ... D/A converter, 501 ... target value input unit, 502, 507 ... input/output control unit, 503 ... encryption processing unit, 506, 511, 519 ... date-and-time information generation unit, 508 ... multiplication unit, 512 ... decryption processing unit, 514 ... control arithmetic processing unit, 515 ... control processing unit, 516 ... signal conversion processing unit, 517 ... target error calculation processing unit, 518 ... encryption processing unit, 620 ... log table, 523 ... encryption key/ciphertext update unit

Abstract

Disclosed is an encryption control system for making it possible to prevent all keys from being deciphered within the service life of a controlling system even if the key length of cryptographic keys used for encryption control is relatively short, the encryption control system controlling a control target by an encryption controller capable of concealing information in the controlling system by cryptography. The encryption control system comprises: a cryptographic key updating unit that dynamically updates a private key and a public key in every encryption step; and a ciphertext updating unit that dynamically updates a ciphertext in every encryption step. The cryptographic key updating unit and the ciphertext updating unit each include a random number generator, and are configured so that the same random number is generated when updating the cryptographic keys and the ciphertext.

Description

Encryption control system, encryption control method, and encryption control program
The present invention relates to an encryption control system, an encryption control method, and an encryption control program.
In recent years, with the development of information technology such as the Internet, control systems in critical infrastructure such as electric power and water supply, and large-scale control systems such as chemical plants, have increasingly been networked using information technology. In such a networked control system, the various devices in the system are interconnected via a network.
Interconnecting the devices of such a control system makes it possible to raise the processing speed of the whole system and to make the processing more sophisticated. In addition, a system administrator can monitor and control the plant from a remote location via the network, which also brings many benefits for system management.
Networking inside a control system, however, improves convenience but may also harm the system and its surroundings. Cyber attacks on control systems that monitor or control the operation of plants such as power stations and factories have in fact appeared and are a matter of serious social concern. For example, in Australia in 2000, a networked sewage treatment facility was attacked and one million liters of sewage overflowed into the town. In 2010, a nuclear-related facility in Iran was infected with the Stuxnet virus and its equipment was destroyed.
Damage from cyber attacks thus tends to become more serious, and developing technology to protect networked control systems from cyber attacks is an urgent task. For this reason, research on repurposing information security techniques and research on detecting cyber attacks are also under way in the field of control engineering.
For example, research is under way on encrypting the signals in the network communication between a controller and a control target (plant) so as to prevent eavesdropping on and tampering with the signals.
The inventors have already developed and patented an encryption control system technique in which the controller, the core of the control system, performs arithmetic directly on the encrypted input and output data without decrypting them, so that no secret key is needed on the controller side (see Patent Document 1). In the technique of Patent Document 1 the secret key has to be held only on the plant side and need not be moved to the controller or the plant, so the risk of the secret key being lost or leaked can be reduced.
The inventors have also proposed a method of determining the control input while the signals and parameters inside the controller are kept concealed by encryption (Non-Patent Document 1).
The inventors have further carried out experiments on encryption control with ElGamal keys of 128 (bit) or less and verified its real-time property (Non-Patent Document 2).
In Non-Patent Document 2 the inventors report that, because the processing time grows as the encryption key used in the encryption control system gets longer, there is a trade-off between security and processing time. The processing time is the time taken by the "encryption and decryption" processing, and it is known that lengthening the encryption key increases not only the decryption time but also the encryption time.
Here the real-time property is explained. The real-time property is a time constraint on the processing time from when the system starts one processing operation until it finishes. For example, if a control system is designed to perform encryption control once every 10 (ms), the processing time must always fit within 10 (ms). The verification method uses experimental equipment to actually repeat the encryption control 10,000 or 100,000 times while measuring the processing time. If the processing time never exceeds the 10 (ms) time constraint during the control, the control system is said to have its real-time property guaranteed at a sampling period of 10 (ms).
In general, when privacy such as an individual's account number is managed, it must be kept secret for at least the lifetime of that individual. The cipher must therefore remain unbreakable for an extremely long period, such as a person's lifetime, and for that purpose a strong encryption scheme that is practically infeasible to break must be prepared.
Many control systems, on the other hand, have a service life set at about 10 to 20 years. In other words, there are many cases in which, as long as cyber attacks can be prevented within the service life, it causes no problem if the secret key and the input/output signals are exposed after the control target has exceeded its service life.
For this reason, whereas the key length design problem for existing encryption control systems puts particular weight on confidentiality, i.e. on being hard to break, an encryption control system whose aim is to prevent cyber attacks within the service life calls for a new key length design criterion that reconciles the confidentiality and the availability of the control system.
Patent Document 1: Japanese Patent No. 6360781
In the encryption control system described in Patent Document 1, only one public key/secret key pair is used and the keys are never updated, so the possibility that the ciphertext could be broken using enormous computing resources such as cloud computing cannot be ruled out.
To solve this problem, the inventors turned to the ElGamal cipher. The ElGamal cipher is an encryption scheme whose security rests on the difficulty of solving the discrete logarithm problem.
Even with the ElGamal cipher, however, there are already cases in which the discrete logarithm problem over a finite field of 768 (bit) order has been solved, and an encryption system with still higher security is required. The inventors have studied the key length design problem of avoiding every key being broken within the service life of the control target, aiming at applying encryption control to real systems.
That is, the inventors found a method of dynamically extending the ElGamal cipher so as to prevent key breaking within the service life (10 to 20 years) with a key length shorter than that of the encryption keys (public key and secret key) used in conventional encryption control systems. They then ran control simulations with the control signals and computations kept concealed, and examined a mechanism that updates the encryption keys (public key, secret key) at the granularity of the sensor sampling interval for the control target throughout its service life.
Accordingly, an object of the present invention is to provide an encryption control system, an encryption control method and an encryption control program in which the encryption keys and the ciphertext are updated dynamically and without limit at a predetermined time unit (step).
To solve the above problem, the encryption control system of the present invention is an encryption control system that controls a control target by means of an encryption controller capable of concealing the information in the control system using cryptographic theory, and it comprises an encryption key update unit that dynamically updates the secret key and the public key at every encryption step, and a ciphertext update unit that dynamically updates the ciphertext at every encryption step.
In the encryption control system of the present invention, the encryption key update unit and the ciphertext update unit each have a random number generator, all random number generators generate the same random number at the step of the same time, and the secret key, the public key and the ciphertext are updated by modular multiplication of the random number produced by the random number generator with the encryption control parameter.
Further, in the encryption control system of the present invention, the encryption key update unit computes the encryption key to be used at the next time step from the encryption key used at the current time step, on the basis of the control law of the control system, and thereby updates the encryption key; the ciphertext update unit likewise computes the ciphertext to be used at the next time step from the ciphertext used at the current time step, on the basis of the control law of the control system, and thereby updates the ciphertext.
According to the present invention, it becomes possible to avoid every key being broken within the service life of the control system even with a key length that is relatively short compared with that of conventional encryption control systems.
Problems, configurations and effects other than those described above will be made clear by the following description of the embodiments.
  • FIG. 1 is a diagram explaining the principle of encryption control in the encryption control system according to an embodiment of the present invention.
  • FIG. 2 is a block diagram showing the principle by which the encryption keys (secret key, public key) and the ciphertext of the encryption control of the present invention are updated, together with a diagram showing how they are updated at every step.
  • FIG. 3 is a diagram showing the output response and the error response in a control simulation of the encryption control of the present invention.
  • FIG. 4 is a waveform diagram comparing the dynamic encryption control with key update of the present invention and conventional static encryption control.
  • FIG. 5 is a diagram explaining the key size and processing time of the dynamic encryption control with key update of the present invention in comparison with solving the conventional discrete logarithm problem.
  • FIG. 6 is a schematic diagram showing the overall configuration of the encryption control system according to an embodiment of the present invention.
  • FIG. 7 is a block diagram showing the hardware configuration of the input device of the encryption control system according to an embodiment of the present invention.
  • FIG. 8 is a block diagram showing the hardware configuration of the controller of the encryption control system according to an embodiment of the present invention.
  • FIG. 9 is a block diagram showing the hardware configuration of the plant-side control device of the encryption control system according to an embodiment of the present invention.
  • FIG. 10 is a block diagram showing the software functions of the encryption control system according to an embodiment of the present invention.
  • FIG. 11 is a flowchart explaining the synchronous operation of the encryption control system according to an embodiment of the present invention.
  • FIG. 12 is a sequence diagram explaining the operation of the encryption control system according to an embodiment of the present invention.
  • FIG. 13 is a block diagram showing the software functions in the control network of the controller according to a modification of the embodiment of the present invention.
First, before describing an example embodiment of the encryption control system of the present invention, an outline of the ElGamal cipher used in it is given.
In the following description, Zn denotes the set of integers not less than 0 and less than n, and Zn× denotes the set of elements of Zn that are coprime to n. M denotes the set of integer values (plaintexts) that can be used for encryption.
The ElGamal cipher consists of three algorithms: key generation (Gen), encryption (Enc) and decryption (Dec).
The key generation algorithm (Gen) outputs a public key kp := (G, q, g, h) and a secret key ks := s from a parameter k supplied by the designer.
Here q is a k (bit) prime, G is a cyclic group of order q contained in Zp×, where p is a prime with (p − 1) mod q = 0, and g is a generator of the cyclic group G. The secret key ks is designed so that h = g^s mod p holds between the parameters g, h of the public key kp and the parameter s of the secret key ks. The symbol G for the cyclic group is the symbol for the set used in general encryption schemes; here G = M, that is, it coincides with the plaintext space M.
Here the meaning of the terms encryption key, public key and secret key, and their symbols, are explained. The term encryption key is normally used to cover both the public key and the secret key. Encryption key is the technical term translating "cryptographic key", and according to the definition published by the Information-technology Promotion Agency (IPA), an agency affiliated with the Ministry of Economy, Trade and Industry, an encryption key is "a sequence of symbols that controls the encryption and decryption processes".
The public key is written kp(t) and the secret key ks(t); (t) indicates that both the public key and the secret key are variables that change with time. The public key is written kp := (G, q, g, h) because the ElGamal public key kp contains four parameters: the cyclic group G, the prime q, the generator g of G, and h(t), which changes with time t. That is, h(t) is one of the parameters making up the public key kp(t), but since the parameters other than h(t) do not change with time, the public key kp(t) may be read as the public key h(t) in the formulas that follow. Likewise, the ElGamal secret key ks(t) consists only of the changing parameter s(t), so the secret key ks(t) is synonymous with the secret key s(t), and in the formulas that follow the secret key ks(t) may be described as the secret key s(t).
The encryption algorithm (Enc) uses the public key kp := (G, q, g, h) to encrypt a plaintext m belonging to the plaintext set M. The ciphertext vector C consists of two components, the scalar values c1 and c2 described below, and is given by Equation 1.
[Equation 1 (image): C = Enc(m) = (c1, c2) = (g^n mod p, m·h^n mod p)]
Equation 1 states that encrypting the plaintext m with the public key kp yields the ciphertext vector C. Its components, the scalar values c1 and c2, are g^n mod p and m·h^n mod p respectively, where n is a random number chosen uniformly from the integer set Zq at encryption time. A "uniformly chosen random number" means one drawn from values following a uniform distribution; that is, the random number n is an integer value chosen with equal probability from all the elements of Zq, the integers not less than 0 and less than q.
The decryption algorithm (Dec) uses the secret key ks := s and the public key kp := (G, q, g, h) to decrypt the ciphertext vector C according to Equation 2 and outputs the plaintext m′. When decryption is performed correctly, m′ = m.
[Equation 2 (image): m′ = Dec(C) = c2·(c1)^(−s) mod p]
Here (c1)^(−s) is the modular inverse of (c1)^s with p as the modulus (divisor). If the ciphertext C was encrypted according to Equation 1, Equation 3 holds. Equation 3 expresses that encrypting the plaintext m with the public key kp and then decrypting with the secret key ks returns the original plaintext m.
[Equation 3 (image): Dec(ks, Enc(kp, m)) = m]
Next, the principle of the encryption control system of the present invention is described. Here R is the set of real numbers, N the set of natural numbers and Z the set of integers. The discrete-time controller used in the encryption control system of the present invention is designed in advance, and its input/output relation is assumed to be described by the control law f shown in Equation 4.
[Equation 4 (image): the control law f giving the control input u(t) and the updated state x(t + 1) from the control parameter Φ and the input vector ζ(t)]
Here t is an element of the natural number set N, the step (t = 1, 2, 3, 4, ...) obtained by rounding the current date and time to a natural number. Φ is the control parameter of the controller, a symbol standing collectively for the control parameters Kp, Ki and Kd, where Kp is the proportional term, Ki the integral term and Kd the derivative term. ζ is the input vector that gathers the state vector x of the controller and the input uc to the controller. The state vector x is a vector of state variables, a state variable being a variable that expresses numerically a state held by the control system, such as the control target or the controller.
The matrices A, B, C and D are the coefficient matrices representing the control parameter Φ; suitable coefficients are set on the basis of control engineering by an administrator (person in charge) with knowledge of the control target.
Ψ is the matrix that gathers the computation process of the control input u and the updated state vector x. The map f represents the product of a matrix and a vector. f× represents the multiplication of the row vectors of Φ by the column vector ζ, and f+ represents the map that adds up the column vectors of a matrix. The map f can then be expressed as the composition of f+ and f×. Ψ is the output of the map f× and at the same time the input of the map f+, that is, the matrix that gathers the computation process of the map f.
Also, x(t) is the vector indicating the state of the controller at time t, u(t) is the control input, and uc(t) is the input to the controller. Equation 4 also shows that ζ is the input vector gathering the controller state vector x and the controller input uc. Equation 4 means the multiplication of the input vector ζ by the control parameter Φ; from it, multiplying the controller input vector ζ(t) by the control parameter Φ yields the control input u(t), and multiplying the controller state vector x(t) by the control parameter Φ updates the controller state vector x(t) to x(t + 1). When the control law f of the target control system is given by Equation 4 and a function fε satisfies Equation 5 under the encryption scheme (Gen, Enc, Dec), the function fε is called the encrypted control for the function f.
[Equation 5 (image): Dec(ks, fε(Enc(kp, Φ), Enc(kp, ζ(t)))) = f(Φ, ζ(t))]
Equation 5 states that when the controller's control parameter Φ encrypted with the public key kp and the controller's input vector ζ encrypted with the public key kp are processed according to the encrypted control law fε and the result is decrypted with the secret key ks, f(Φ, ζ(t)) is obtained.
When the ElGamal cipher is used as the encryption scheme (Gen, Enc, Dec), the plaintext space M is defined by Equation 6 using the public key kp := (G, q, g, h). In Equation 6, g is the generator of the cyclic group G and one of the parameters of the public key kp, and p is the prime derived from the public key parameter q. To preserve the security of the ElGamal cipher, the plaintext space M must be defined as a subgroup of Zp.
[Equation 6 (image): definition of the plaintext space M in terms of the public key kp := (G, q, g, h)]
Since the observed values and the controller parameters are real numbers, when they are encrypted they must be rounded to elements of the plaintext space M using a coefficient γ that reduces the rounding error, as shown in Equation 7.
[Equation 7 (image): the map Q taking the real vector y, via γy, to an integer vector of elements of M]
Here y is a real vector, γy is an integer vector of elements of the set M, and yi and di are the i-th elements of the vectors y and d. γ is an integer value multiplied in to reduce the error of rounding into the set M and is called the plaintext conversion gain. Q is the map that converts the real vector y into an integer vector of elements of the set M.
Here the plaintext conversion gain γ and rounding into the set M are explained in more detail. Since y is a real number, digits continue after the decimal point. As an example, suppose the observed value y is a real number with a continuing decimal part, y = 2.3568937…. Rounding this number to an integer drops the decimal part and gives 2, and the error relative to the observed value y is about 35.7%. Taking the plaintext conversion gain γ = 10 and forming 10y gives γy = 23.568937…; rounding this value to an integer gives 23, with an error of about 5.7%, so the error is greatly reduced compared with the case without the plaintext conversion gain γ. This is what rounding into the set M means.
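As an added, stand-alone Python example (not code from the patent or the inventors' implementation), the following runs the Gen/Enc/Dec algorithms above, the ciphertext multiplication behind fε, and the γ rounding into M end to end on a toy safe prime. The function names, the nearest-residue realisation of the map Q, and evaluating f+ in the clear after decrypting each product are assumptions of this example.

```python
import random


def is_prime(n):
    """Trial-division primality test; adequate for the small toy moduli used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def find_safe_prime(k_bits, rng):
    """Return (p, q): q a k-bit prime and p = 2q + 1 prime, so 2^k < p < 2^(k+1)."""
    while True:
        q = rng.randrange(1 << (k_bits - 1), 1 << k_bits) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q


def keygen(k_bits, rng):
    """Gen: public key k_p = (G, q, g, h) as a dict (G is implied by p, q), k_s = s."""
    p, q = find_safe_prime(k_bits, rng)
    # G is the order-q subgroup of Z_p^x (the quadratic residues); the square of
    # any element other than +-1 generates it because q is prime.
    g = pow(rng.randrange(2, p - 1), 2, p)
    s = rng.randrange(1, q)
    h = pow(g, s, p)                         # h = g^s mod p (Equation 8)
    return {"p": p, "q": q, "g": g, "h": h}, s


def in_M(kp, m):
    """Plaintext space M = G: m lies in the order-q subgroup iff m^q = 1 (mod p)."""
    return 0 < m < kp["p"] and pow(m, kp["q"], kp["p"]) == 1


def encrypt(kp, m, rng):
    """Enc: C = (c1, c2) = (g^n mod p, m*h^n mod p), n uniform in Z_q (Equation 1)."""
    if not in_M(kp, m):
        raise ValueError("plaintext must be an element of M")
    n = rng.randrange(0, kp["q"])
    return pow(kp["g"], n, kp["p"]), (m * pow(kp["h"], n, kp["p"])) % kp["p"]


def decrypt(kp, s, c):
    """Dec: m' = c2 * (c1)^(-s) mod p; inverse of (c1)^s taken via Fermat (Equation 2)."""
    c1, c2 = c
    p = kp["p"]
    return (c2 * pow(pow(c1, s, p), p - 2, p)) % p


def mul_cipher(kp, ca, cb):
    """Componentwise product of two ciphertexts decrypts to a*b mod p: the
    multiplicative homomorphism that lets f_x run on ciphertexts."""
    p = kp["p"]
    return (ca[0] * cb[0]) % p, (ca[1] * cb[1]) % p


def encode(kp, y, gamma):
    """Q(y): scale by the plaintext conversion gain gamma, round, then move to the
    nearest element of M (an assumed realisation of the map Q in Equation 7)."""
    target = round(gamma * y)
    for d in range(kp["p"]):
        for cand in (target + d, target - d):
            if in_M(kp, cand):
                return cand
    raise ValueError("no element of M found")   # unreachable: 1 is always in M


def encrypted_control_step(kp, s, phi_row, zeta, gamma, rng):
    """One row of the control law: the products Phi_i * zeta_i (f_x) are formed on
    ciphertexts, each product is decrypted with k_s and the sum (f_+) is taken in
    the clear (where f_+ runs is an assumption of this example).  The result is
    rescaled by gamma^2.  Assumes every product stays below p, so no modular
    wrap-around occurs; negative values are not handled."""
    enc_phi = [encrypt(kp, encode(kp, a, gamma), rng) for a in phi_row]
    enc_zeta = [encrypt(kp, encode(kp, z, gamma), rng) for z in zeta]
    psi = [mul_cipher(kp, ea, ez) for ea, ez in zip(enc_phi, enc_zeta)]  # encrypted Psi
    return sum(decrypt(kp, s, c) for c in psi) / (gamma * gamma)


def demo(seed=1):
    """Constructed example: gains Phi = [Kp, Kd] applied to zeta = [e, de] with
    gamma = 1000 and a 22-bit q, so the largest product (~3.5e6) stays below p."""
    rng = random.Random(seed)
    kp, s = keygen(22, rng)
    phi_row, zeta, gamma = [1.5, 0.25], [2.3568937, 0.8], 1000
    u_plain = sum(a * z for a, z in zip(phi_row, zeta))       # 3.73534055
    u_enc = encrypted_control_step(kp, s, phi_row, zeta, gamma, rng)
    return {"kp": kp, "s": s, "rng": rng, "u_plain": u_plain,
            "u_encrypted": u_enc, "abs_error": abs(u_enc - u_plain)}
```

`demo()` returns the key pair together with the plain and encrypted control values; the difference between them is the rounding error introduced by Q, which shrinks as γ grows while the products must still stay below p.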
<Key length design problem of the encrypted control system>
First, the method (procedure) by which an attacker recovers the key is described. If an attacker obtains the parameter h of the public key k_p and the prime p from the network, the attacker must determine the secret key parameter s that satisfies Equation 8. Here, p is the prime obtained from the parameter q of the public key k_p.
Figure JPOXMLDOC01-appb-M000011 (Equation 8)
In Equation 8, the problem of finding the secret key parameter s from the parameter h of the public key k_p and the prime p is the discrete logarithm problem. A class of methods known as subexponential-time algorithms is known for solving this problem, and it is also known that the expected time L_p required to solve the discrete logarithm problem of Equation 8 with such a subexponential-time algorithm is given by Equation 9.
Figure JPOXMLDOC01-appb-M000012 (Equation 9)
Here, p is a prime of the form p=2q+1 (q prime) such that 2^k < p < 2^(k+1) for the key length k (bit). A p that yields a prime q in this way is called a safe prime. v and c are constants determined by the algorithm: for the index calculus method, v=1/2 and c=1; for the number field sieve, v=1/3 and c=(64/9)^(1/3). Also, o(1) converges to 0 as p→∞.
Since the computation time L_p grows exponentially with the key length k (bit), solving the discrete logarithm problem is considered infeasible for sufficiently large k.
The inventors therefore studied the key length design problem: choosing a key length for which recovering the key within the service life of the control system (for example, 10 to 20 years) is infeasible, so that no input/output signal leaks while the encrypted control system is in operation.
Let L_u (sec) be the service life of the control system and L_a (sec) the time an attacker needs to recover all keys. If L_u (sec) ≥ L_a (sec), the attacker can obtain every secret key while the encrypted control system is in operation, and can therefore decrypt the input/output signals at all times.
Conversely, if L_u (sec) < L_a (sec), the attacker cannot determine all the secret keys within the operating time of the encrypted control system. In this case the control system reaches the end of its life (service life) before the input/output signals at all times have leaked, so even if the attacker eventually determines all the secret keys, there is no longer any opportunity to attack the control system.
From the above discussion, the key length design problem reduces to finding the smallest key length k (bit) that satisfies L_u (sec) < L_a (sec).
In a static encrypted control system that does not update its key, the time L_a (sec) an attacker needs to recover all keys equals the expected time L_p(v,c) for solving the discrete logarithm problem given by Equation 9. For example, if the service life L_u (sec) of the control system is 30 years (≈ 9.46×10^8 sec) and the attacker runs the number field sieve on a computer with a performance of 480 GFLOPS (giga floating-point operations per second), the smallest k satisfying L_u (sec) < L_a (sec) is 601 (bit).
Few high-performance computers can process a cipher with k=601 (bit) in real time, so a conventional static encrypted control system that does not update its key is not practical.
On the other hand, in experiments using a Raspberry Pi, a single-board computer with an ARM processor, the key length is limited to at most 128 (bit).
<Solution by dynamic extension>
The inventors therefore considered an encryption control system that dynamically updates the public key k_p(t) and the secret key k_s(t) with the time (step) t, thereby achieving real-time operation with a short key length.
That is, as a solution to the key length design problem, the inventors dynamically extended the ElGamal cipher by implementing a plurality of keys, and succeeded in solving the key length design problem of the encrypted control system with keys of shorter length.
In the comparison above between the service life L_u of the control system and the time L_a an attacker needs to recover all keys, the smallest key length k satisfying L_u (sec) < L_a (sec) with a single key was 601 (bit). With two keys, however, the smallest key length k can be shorter, and with three encryption keys it can be shortened further. Extending this idea to updating the encryption key at every step response of the control system, the smallest key length k satisfying L_u (sec) < L_a (sec) can be made shorter than 128 (bit) without problem. In other words, once the number of encryption keys becomes enormous, recovering all of them becomes practically impossible for an attacker. By introducing the technical idea of updating the encryption key at every step response of the control system, a sufficiently practical encrypted control system can thus be realised even on modest computing resources such as the single-board computer mentioned above.
The inventors decided to update the public key k_p(t), the secret key k_s(t), and the ciphertext C(c_1(t), c_2(t)) of the ElGamal cipher at every step according to the update rule shown in Equation 10. In Equation 10, the public key k_p(t) is represented by h(t), one of the parameters of the ElGamal cipher, and the secret key k_s(t) likewise by the parameter s(t). In the description of the following equations, they are therefore referred to simply as the public key h(t) and the secret key s(t).
Figure JPOXMLDOC01-appb-M000013 (Equation 10)
Here, v(t) and w(t) are random numbers that are elements of the integer set Z_q. To prove that this update rule gives a solution of the discrete logarithm problem at every step, the following two theorems are considered for the secret key s(t+1), the public key h(t+1) and the ciphertext C(c_1(t+1), c_2(t+1)) of the next step.
[Theorem 1] (Key update)
For the encryption keys (public key and secret key), assume that the initial public key h(0) and the initial secret key s(0) are obtained from the encrypted control algorithm (Gen). If the keys are updated according to Equation 10, then the public key h(t) and the secret key s(t) satisfy Equation 3 at every time t.
Theorem 1 can be proved by transforming the expression of the decryption algorithm Dec at time (t+1) given by Equation 3 into the expression of the decryption algorithm (Dec) at time (t), as in Equation 11 below.
Here, n(t) is a random number updated at each step by n(t+1) = (n(t) + v(t)) mod q. Although it is likewise a random number, n(t) is distinct from v(t) and w(t) used in Equation 10; it is the random number n used in Equation 1.
Figure JPOXMLDOC01-appb-M000014 (Equation 11)
[Theorem 2] (Ciphertext update)
If the ciphertext is updated according to Equation 10, the ciphertexts c_1(t) and c_2(t) satisfy Equation 3 at every time t.
Theorem 2 can likewise be proved by confirming that Equation 3 holds, as shown in Equation 12.
Figure JPOXMLDOC01-appb-M000015 (Equation 12)
As explained above, the public key h(t), the secret key s(t) and the ciphertexts c_1(t), c_2(t) can be updated using random numbers. Furthermore, the ciphertexts c_1(t+1), c_2(t+1) updated by Equation 10 were found to retain the homomorphism with respect to multiplication.
Consider updating the public key h(t) and the secret key s(t) used in the control system with random numbers at every sampling period T_s, using the update rule of Equation 10. Because the keys are updated every sampling period T_s, an attacker who does not possess the same random number generator as the control system cannot easily advance to s(t+1) even after obtaining the secret key s(t).
The sampling period T_s depends on the type of control system. If the controlled object is something like a mechanical robot, for example, its sampling period T_s may be switched at a period of about 0.1 msec. For a large plant such as a chemical plant, on the other hand, it may be once every few months or years. That is, the sampling period T_s is determined by how fast the controlled object is sensed, and may be short or long depending on the controlled object; in general, slow-moving objects have a long period and fast-moving objects a short one.
The number of samples (steps) within the service life L_u is the service life L_u of the control system divided by the sampling period T_s, that is, L_u/T_s steps. On the other hand, the secret key s(t) can take q values (q being a k (bit) prime).
Here, if q ≥ L_u/T_s, the time L_a required to recover all keys becomes L_a = (L_u/T_s) L_p{v,c}, where L_p is the expected time for solving the discrete logarithm problem with a subexponential-time algorithm (see Equation 9).
For the key length design problem in an encrypted control system using the update rule of Equation 10, both the service life L_u and the sampling period T_s are positive values greater than 0, so the condition becomes T_s < L_p{v,c}.
For example, with sampling period T_s = 1.0×10^-2 (sec), the smallest k (bit) satisfying T_s < L_p{v,c} is 105 (bit). If the sampling period is shortened further to T_s = 1.0×10^-3 (sec), the smallest k (bit) becomes 83 (bit). Thus, when the ElGamal cipher is dynamically extended with the update rule of Equation 10, it is infeasible to determine all the input signals within one sampling period T_s even with a key shorter than before.
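To make the design rule concrete, the following is an added example (not code from the patent or the inventors) that computes the smallest key length for the static case (budget L_u) and for the per-step-updated case (budget T_s). It assumes the standard subexponential L-notation form of Equation 9, L_p[v,c] = exp(c (ln p)^v (ln ln p)^(1-v)), with the o(1) term dropped, p ≈ 2^k, the (v, c) constants quoted above, and that one unit of that cost is one floating-point operation on the 480 GFLOPS machine the text mentions. Because the page's own Equation 9 and its treatment of o(1) are not reproduced, the minimal key lengths it prints are indicative and need not coincide exactly with the 601, 105 and 83 bit figures in the text.

```python
"""Key-length design check for static vs. per-step-updated ElGamal keys.

Added example, not the patent's code. Assumed: L_p[v,c] = exp(c*(ln p)^v*(ln ln p)^(1-v))
with o(1) dropped, p ~ 2^k, and one cost unit = one floating-point operation
on a 480 GFLOPS machine (the figure the text cites).
"""
import math

GFLOPS = 480e9
NFS = (1 / 3, (64 / 9) ** (1 / 3))   # number field sieve (v, c) as given in the text
INDEX_CALCULUS = (1 / 2, 1.0)        # index calculus (v, c) as given in the text


def attack_seconds(k, vc=NFS, ops_per_sec=GFLOPS):
    """Expected seconds for one discrete-log solve at key length k bits."""
    v, c = vc
    ln_p = k * math.log(2)                       # p ~ 2^k  (assumption)
    return math.exp(c * ln_p ** v * math.log(ln_p) ** (1 - v)) / ops_per_sec


def min_key_bits(budget_seconds, vc=NFS, k_max=4096):
    """Smallest k (bit) with attack_seconds(k) > budget.

    Static key: the budget is the service life L_u (attacker needs one solve).
    Key rotated every sampling period: the budget is T_s, since the attacker
    must finish one solve before the key changes.
    """
    for k in range(2, k_max):                    # k=1 makes ln ln p negative
        if attack_seconds(k, vc) > budget_seconds:
            return k
    return None


def all_keys_seconds(k, L_u, T_s, vc=NFS):
    """L_a for the rotated-key system: (L_u / T_s) solves, one per key, as in the text."""
    return (L_u / T_s) * attack_seconds(k, vc)


def design_table():
    """The three cases discussed in the text: L_u = 30 years with a static key,
    and T_s = 1e-2 s / 1e-3 s with a key rotated every sampling period."""
    L_u = 30 * 365 * 86400                       # 30 years in seconds (~9.46e8)
    return {
        "static_30y": min_key_bits(L_u),
        "per_step_Ts_1e-2": min_key_bits(1e-2),
        "per_step_Ts_1e-3": min_key_bits(1e-3),
    }


if __name__ == "__main__":
    for case, k in design_table().items():
        print(f"{case}: k = {k} bit, one solve ~ {attack_seconds(k):.3g} s")
```

The comparison between NFS and index calculus constants is worth running as well: with these (v, c) pairs the index-calculus cost is lower at the key sizes in question, so a design that only checks the number field sieve under-estimates the attacker and yields a shorter key than the index-calculus figure would require.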
<Control simulation>
Next, it is confirmed by simulation that the public key, the secret key and the ciphertext are updated by the update rule of Equation 10 and that the control performance does not change significantly. For this purpose, a PID controller discretised with sampling period T_s = 1.0×10^-2 (sec) was designed for a first-order lag system, and a control simulation was run with initial position "1", initial velocity "0" and target position "0".
First, the controller and the signals were encrypted with a k=128 (bit) public key and the simulation was run under the same conditions as for the conventional controller. The update period of the public key h(t) and the secret key s(t) was set equal to the sampling period.
FIG. 1 is a schematic diagram explaining the principle of an encrypted control scheme in which a decryption unit 30 and an encryption unit 40 are placed between the controller (encryption controller) 10 that performs this control simulation and the plant 20 containing the controlled object 21. Although FIG. 1 draws the plant 20 and the controlled object 21 separately, the two may be regarded as essentially synonymous.
With reference to FIG. 1, a PID (Proportional Integral Differential Controller) controller, a common type of feedback control in control engineering that controls the input value according to the deviation between the output value and the target value, is described as an example.
As shown in FIG. 1, a target value r is set for the plant 20 containing the controlled object 21.
This target value r is supplied from the decryption unit 30 to the plant 20; to realise this, an encrypted target value Enc(r) is supplied to the encryption controller 10.
The controlled object 21, driven by the control input u from the decryption unit 30, is sensed by a sensor (not shown), and the controlled object 21 outputs the observed value y.
In the subtractor 22, this observed value y is subtracted from the target value r decrypted by the decryption unit 30, and the subtractor 22 outputs the target error ε (= r - y). The target value r output from the decryption unit 30 depends on the controlled object 21 of the plant 20; in the PID control simulation described later with reference to FIG. 4, the initial position is set to "1", the initial velocity to "0" and the target position to "0". The target error ε output from the subtractor 22 is sent to the encryption unit 40.
The decryption unit 30 also outputs the state vector x of the encryption controller 10, which is sent to the encryption unit 40. The encryption unit 40 forms an input vector ζ combining the state vector x of the encryption controller 10 and the target error ε, and encrypts it with the public key k_p(t). The encryption unit 40 then outputs the encrypted input vector Enc(ζ), which is sent to the encryption controller (controller) 10. This encrypted input vector Enc(ζ) contains the encrypted state vector Enc(x) and the encrypted target error Enc(ε).
In addition to the encrypted input vector Enc(ζ), the encryption controller 10 is supplied with the encrypted target value Enc(r), a first encryption control parameter Enc(K_p), a second encryption control parameter Enc(K_i) and a third encryption control parameter Enc(K_d).
Taking the simplest case, proportional control, as an example: proportional control multiplies the error by the proportional gain, so Enc(K_p) × Enc(ε) mod p = Enc(u). This computation agrees with computing K_p × ε on the plaintexts.
The first to third encryption control parameters Enc(K_p), Enc(K_i), Enc(K_d) supplied to the encryption controller 10 are representative encryption control parameters. Multiplying these encryption control parameters by the encrypted input vector Enc(ζ) with modular reduction yields the encrypted output matrix Enc(Ψ) of the encryption controller (controller) 10. The output matrix Enc(Ψ) contains the encrypted control signal Enc(u) and the updated encrypted state vector Enc(x).
The encrypted output matrix Enc(Ψ) and the encrypted target value Enc(r) output by the encryption controller 10 are fed to the decryption unit 30 and decrypted there to produce the control signal u, the state vector x and the target value r. The control signal u is used to control the controlled object 21, the target value r is sent to the subtractor 22 of the plant 20, and the controller's state vector x is sent to the encryption unit 40 via the plant 20.
The processing shown in FIG. 1 is repeated every step (sampling period T_s), and at every step the public key h(t) used for encryption in the encryption unit 40, the secret key s(t) used for decryption in the decryption unit 30 and the ciphertext C(c_1(t), c_2(t)) are updated. The update of the public key h(t), the secret key s(t) and the ciphertext C(c_1(t), c_2(t)) follows the update rule described in Equation 10. The ciphertext C includes all of the encryption control parameters Enc(K_p), Enc(K_i), Enc(K_d), the encrypted target value Enc(r), the encrypted control signal Enc(u), the encrypted state vector Enc(x) and the encrypted target error Enc(ε) in FIG. 1.
Here, the decryption unit 30 and the encryption unit 40 are connected to the encryption controller (controller) 10 via a transmission path. In FIG. 1, the components other than the encryption controller (controller) 10 are enclosed by a dotted line. The dotted line signifies that the decryption unit 30 and the encryption unit 40 belong closely with the plant 20, and that the decrypted control signal u, target value r, target error ε and state vector x are never output to the transmission path in plaintext.
FIG. 2A is a block diagram of the functions that update the public key h(t), the secret key s(t) and the ciphertexts c_1(t), c_2(t) according to the update rule of Equation 10. As shown in FIG. 2A, the functional blocks that carry out the key update are a storage unit 50, a random number generator 51, a secret key update unit 52, a public key update unit 53, ciphertext update units 54 and 55, and a random number update unit 56.
As shown in FIG. 2A, at the first step (t=0) the initial value of each parameter is stored in the storage unit 50. p and q are primes and g is a generator of the cyclic group G; these scalar values p, q and g are fixed and do not change with time. The storage unit 50 also stores the secret key parameter s(0) of step (t=0), the public key parameter h(0) of step (t=0) and the random number n(0) of step (t=0). Furthermore, the storage unit 50 stores the encryption control parameter EncΦ(0) of step (t=0). The secret key parameter s(0), the public key parameter h(0), the random number n(0) and the encryption control parameter EncΦ(0) are the initial values from which the secret key s(t), the public key h(t) and the ciphertexts c_1(t), c_2(t) are updated at every step when computing Equation 10.
The fixed parameters (p, q, g) stored in the storage unit 50 and the initial values (s(0), h(0), n(0), EncΦ(0)) of the parameters updated over time are selected according to their use and sent to the secret key update unit 52, the public key update unit 53, the ciphertext update units 54, 55 and the random number update unit 56. The random numbers v(t), w(t) generated by the random number generator 51 are likewise sent, together with the parameters from the storage unit 50, to the secret key update unit 52, the public key update unit 53, the ciphertext update units 54, 55 and the random number update unit 56. Once the initial values (s(0), h(0), n(0), EncΦ(0)) have been updated at time t (step t = 1, 2, 3, 4, ...), they become the values (s(t), h(t), n(t), EncΦ(t)) at that time (step t) and are saved in the storage unit 50. The saved secret key s(t), public key h(t), random number n(t) and encryption control parameter EncΦ(t) of step t are then used for the update at the next step (t+1).
The secret key update unit 52 updates the initial secret key s(0) with the random number w(0) according to the first expression of Equation 10 and obtains the secret key s(1) of the next step (t=1). The public key update unit 53 updates the initial public key h(0) with the random number w(0) according to the second expression of Equation 10 and obtains the public key h(1) of the next step (t=1). The ciphertext update unit 54 updates the initial encryption control parameter EncΦ(0) with the random number v(0) according to the third expression of Equation 10 and obtains the ciphertext c_1(1) of the next step (t=1).
The ciphertext update unit 55 updates the initial ciphertext values c_1(0), c_2(0), obtained from the initial encryption control parameter EncΦ(0), with the random numbers v(0), w(0) according to Equation 10 and obtains the ciphertext c_2(1). The random number update unit 56 uses the initial random number n(0) taken from the storage unit 50 and the random number v(0) from the random number generator 51 to generate the random number n(1) used in the next step. The update expression for this random number n(t) is not shown in Equation 10; the following expression is used.
    n(t+1) = (n(t) + v(t)) mod q
The secret key s(1), public key h(1), ciphertexts c_1(1), c_2(1) and random number n(1) updated at step (t=1) in this way are stored in (or overwrite) the storage unit 50 and are used as the new initial values for the next update step.
FIG. 2B shows how the public key h(t), the secret key s(t) and the encrypted control parameter Enc(Φ) are updated at every step, each step corresponding to the sampling period T_s. Enc(Φ) in FIG. 2B stands for the encryption control parameters represented in FIG. 1 by the first encryption control parameter Enc(K_p), the second encryption control parameter Enc(K_i) and the third encryption control parameter Enc(K_d). As already noted, updating the encryption control parameter EncΦ(t) is synonymous with updating the ciphertext C(c_1, c_2).
As shown in FIG. 2B, the public key h(t), the secret key s(t) and the ciphertext C(c_1(t), c_2(t)) are updated at every step, and the update repeats. As explained for Equation 10, f_1 is the map that updates the secret key s(t): it takes the secret key s(t) and the random number w(t) and produces the new secret key s(t+1). f_2 is the map that updates the public key h(t): it takes the public key h(t) and the random number w(t) and produces the new public key h(t+1). f_3 is the map that updates the ciphertext c_1: it takes the ciphertext c_1(t) and the random number v(t) and produces the new ciphertext c_1(t+1). Similarly, f_4 is the map that updates the ciphertext c_2(t): it takes the ciphertexts c_1(t), c_2(t) and the random numbers v(t), w(t) and produces the new ciphertext c_2(t+1).
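The following added example (not code from the patent or the inventors) implements the loop just described in Python: ElGamal over a small safe prime, Equation-7-style rounding with a plaintext conversion gain γ, the proportional step Enc(K_p) × Enc(ε) mod p = Enc(u) from FIG. 1, and a per-step rotation of s(t), h(t), c_1(t), c_2(t) and n(t) as in FIG. 2A and 2B. Because Equation 10 is not reproduced on the page, the rotation rule in update_step is a reconstruction made for this example, chosen so that the properties stated above hold (Theorem 1: (s(t), h(t)) remains a valid key pair; Theorem 2: the carried ciphertext still decrypts; the multiplicative homomorphism is retained); its f_4 takes h(t) as an extra input besides c_1(t), c_2(t), v(t), w(t). Rounding is to nearest rather than the truncation used in the worked example above, and the 24-bit modulus, the plant constants, K_p and γ are constructed demo values far smaller than a deployment would use.

```python
"""Dynamic-key ElGamal encrypted P-control loop (added example, not the patent's
code). `update_step` is a reconstruction satisfying the properties the text
states for Equation 10 (Theorems 1 and 2, multiplicative homomorphism); the
patent's own Equation 10 is not reproduced on the page. The modulus size,
plant constants, gain K_p and gamma are constructed demo values."""
import random


def _is_prime(n):
    """Trial division; adequate for the ~24-bit demo modulus used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def safe_prime(bits):
    """Smallest safe prime p = 2q + 1 with p > 2**bits (deterministic search)."""
    q = (1 << (bits - 1)) + 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = safe_prime(24)
Q = (P - 1) // 2
G = 4            # 2^2 is a quadratic residue mod p, so it has prime order q


def keygen(rng):
    s = rng.randrange(1, Q)
    return s, pow(G, s, P)                       # secret s, public h = g^s


def encrypt(h, m, rng):
    n = rng.randrange(1, Q)                      # the random number n of Equation 1
    return (pow(G, n, P), m * pow(h, n, P) % P), n


def decrypt(s, c):
    return c[1] * pow(c[0], P - 1 - s, P) % P    # c2 * c1^(-s)


def mul(ca, cb):
    """Enc(a) x Enc(b) = Enc(a*b mod p): the controller's only operation."""
    return ca[0] * cb[0] % P, ca[1] * cb[1] % P


def update_step(s, h, c, n, v, w):
    """One sampling period of key/ciphertext rotation (f1..f4 plus the n update).
    s' = s+w, h' = h*g^w, c1' = c1*g^v, n' = n+v, and c2' = c2 * c1'^w * h^v,
    which equals m * h'^n', so the carried ciphertext stays valid under (s', h')."""
    s1 = (s + w) % Q
    h1 = h * pow(G, w, P) % P
    c1 = c[0] * pow(G, v, P) % P
    c2 = c[1] * pow(c1, w, P) * pow(h, v, P) % P
    return s1, h1, (c1, c2), (n + v) % Q


def encode(x, gamma):
    """Equation-7-style rounding into Z_p: round(gamma*x); negatives wrap upward."""
    return round(gamma * x) % P


def decode(m, gamma):
    return (m - P if m > P // 2 else m) / gamma


def rotate_and_check(steps=50, seed=2):
    """Theorems 1 and 2 in isolation: after each update (s,h) is still a key pair,
    the carried ciphertext still decrypts to m, and c1 tracks g^n(t)."""
    rng = random.Random(seed)
    s, h = keygen(rng)
    c, n = encrypt(h, 123456, rng)
    for _ in range(steps):
        s, h, c, n = update_step(s, h, c, n, rng.randrange(Q), rng.randrange(Q))
        if h != pow(G, s, P) or c[0] != pow(G, n, P) or decrypt(s, c) != 123456:
            return False
    return True


def simulate(steps=200, gamma=100, kp=5.0, a=0.99, b=0.01, seed=1):
    """Plain vs encrypted proportional control of y(t+1) = a*y + b*u toward r = 0
    from y(0) = 1, rotating the keys and Enc(K_p) every step. Returns (max
    deviation between the two trajectories, final output of the encrypted loop)."""
    rng = random.Random(seed)
    s, h = keygen(rng)
    enc_kp, n = encrypt(h, encode(kp, gamma), rng)   # Enc(K_p), carried and updated
    y_plain = y_enc = 1.0
    worst = 0.0
    for _ in range(steps):
        y_plain = a * y_plain + b * kp * (0.0 - y_plain)
        assert decrypt(s, enc_kp) == encode(kp, gamma)     # Theorem 2 at this step
        enc_eps, _ = encrypt(h, encode(0.0 - y_enc, gamma), rng)   # Enc(eps) under h(t)
        u = decode(decrypt(s, mul(enc_kp, enc_eps)), gamma * gamma)  # Dec(Enc(K_p) x Enc(eps))
        y_enc = a * y_enc + b * u
        worst = max(worst, abs(y_plain - y_enc))
        v, w = rng.randrange(Q), rng.randrange(Q)
        s, h, enc_kp, n = update_step(s, h, enc_kp, n, v, w)
    return worst, y_enc


if __name__ == "__main__":
    print("theorems hold over 50 rotations:", rotate_and_check())
    print("max |y_plain - y_enc|, final y_enc:", simulate())
```

Running the file prints whether the theorem checks hold over 50 rotations and the worst deviation between the plain and encrypted trajectories; that deviation comes only from the γ quantisation of ε, which is the effect FIG. 3B measures, and shrinks as γ grows as long as γ²·K_p·ε stays below p/2.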
According to this encrypted control method that performs key updates using the ElGamal cipher, an unlimited number of encryption keys and ciphertexts can thus be created. For k=32 (bit), for example, 2,147,483,693 keys can be generated, and because a key that has once leaked is reused less often, the effectiveness and functionality of the keys improve significantly.
FIG. 3A shows the output response of the PID controller simulation when the controller and the signals are encrypted with a k=128 (bit) public key (ECS (128bit)) and when they are not encrypted (normal PID). The horizontal axis is time (sec) and the vertical axis is the output (observed value) y. As FIG. 3A shows, the two responses almost coincide whether or not encryption is used. FIG. 3B shows the difference (y-ECSy) between the response with encryption and the response without. From FIG. 3B, the error between the two responses lies within the guaranteed precision (15 digits) of the double-precision floating-point type.
FIGS. 4A to 4C compare the secret key (s), the public key (h) and the encryption control parameter Enc(K_p) when a conventional static key is used and when the dynamically extended key of the present invention is used. The encryption control parameter Enc(K_p) is the result of a simulation restricted to proportional control.
With a static key the secret key (s) is constant, whereas, as FIG. 4A shows, the secret key (s) varies sharply when updated by the update rule of Equation 10. Similarly, the public key (h) is constant with a static key, but as FIG. 4B shows it varies sharply when updated by the update rule of Equation 10. In other words, the secret key (s) and the public key (h) are updated at every time instant.
FIG. 4C shows the gain of the encryption control parameter Enc(Kp) for proportional control, which is one example of a ciphertext; this value also changes greatly and is updated at every step. The drastic fluctuation of the encryption control parameter Enc(Kp) in FIG. 4C means that the ciphertext C fluctuates just as drastically. Although FIG. 4C shows only the variation of the scalar value c1(t) of the ciphertext C(c1, c2), the scalar value c2(t) naturally varies in the same way.
Thus, although the ciphertext C changes drastically as shown in FIG. 4C, FIG. 3A shows that the control simulation is carried out correctly, so the corresponding plaintext is constant. In other words, even when the plaintext is a constant value, the value of the ciphertext C changes from moment to moment because the public key (h) is updated from moment to moment, so a fixed plaintext such as a controller gain is not exposed as a fixed ciphertext to a malicious third party. As FIG. 4 shows, the ciphertext C, the secret key (s), and the public key (h) all change drastically in the same manner, which confirms that the update rules of Equation 10 for the secret key (s), the public key (h), and the ciphertext C(c1(t), c2(t)) function effectively.
FIGS. 5A and 5B show the processing time for the discrete logarithm problem. FIG. 5A gives a numerical example of the key length design problem based on calculation results already published in the inventors' paper (Non-Patent Document 2).
Assume that a certain control system has a service life Lu = 100 (sec) and a sampling period Ts = 1.0 × 10^-2 (sec).
An encryption simulation using the update rules of Equation 10 was then run for 1000 steps with key lengths of 32 to 96 (bit), and the public key and the secret key used at each step were recorded. FIG. 5A shows the processing time (μsec) taken to solve, 1000 times, the discrete logarithm problem of recovering the secret key (s) from a recorded public key (h) with an index calculus algorithm on a MacBook Air (registered trademark (registration No. 5204574): CPU 1.6 GHz, 8 GB memory). FIG. 5B shows the maximum, mean, and minimum of the processing time required for the attack.
As can be seen from FIG. 5B, for a static encrypted control system the key length at which the service life Lu of the control system becomes shorter than the expected time Lp needed to solve the discrete logarithm problem (Lu < Lp{v,c}) is 96 (bit). For a dynamic encrypted control system using the update rules of Equation 10, on the other hand, the key length at which the sampling period Ts becomes shorter than the expected time Lp (Ts < Lp{v,c}) is 48 (bit). FIG. 5B therefore shows that the dynamic cryptosystem prevents identification of all input signals with a shorter key length than the static cryptosystem. However, with a 48 (bit) key an attacker may still succeed in real-time decryption within the sampling period Ts. Where that is a concern, FIG. 5B also shows that a key length of 80 (bit) or more should be chosen. Note that these thresholds are measured against a single laptop; the margin between Ts and Lp should be re-evaluated against the computing power the attacker is assumed to have.
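The key-length argument above compares the time an attacker needs to recover s(t) from a recorded h(t) against the service life Lu (static keys) and the sampling period Ts (dynamic keys). The following Python script, an added example and not code from the patent or from the inventors' paper, replays that check on a toy group: it records public keys, solves the discrete logarithm for each one, and applies the two design rules to the measured times. Baby-step giant-step is swapped in for the index calculus method named in the text because it needs no factor base; the 31-bit modulus, generator 7, and the sample secret keys are constructed assumptions, and a 31-bit key is of course far below any usable key length.

```python
"""Key-length design check: how long does recovering s from a recorded h take?"""
import math
import time

# Toy group, ASSUMED for illustration: a 31-bit prime modulus and generator 7.
# Key lengths in the text run from 32 to 96 bits; this stands in for the small end.
P = 2**31 - 1
G = 7
Q = P - 1   # order of G


def bsgs_dlog(h, g=G, p=P, order=Q):
    """Baby-step giant-step: the s with g^s == h (mod p), in about sqrt(order) work.
    (The text uses index calculus; BSGS is used here because it is short to read.)"""
    m = math.isqrt(order) + 1
    baby = {}                           # g^j -> j for 0 <= j < m
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(pow(g, m, p), -1, p)    # g^(-m)
    gamma = h % p
    for i in range(m):                  # gamma = h * g^(-i*m)
        if gamma in baby:
            return (i * m + baby[gamma]) % order
        gamma = gamma * giant % p
    return None


def attack_recorded_keys(public_keys):
    """Replay the experiment of FIG. 5A: solve the DLP for each recorded h(t)
    and record the wall-clock time (seconds) each solve took."""
    results = []
    for h in public_keys:
        start = time.perf_counter()
        s = bsgs_dlog(h)
        results.append((s, time.perf_counter() - start))
    return results


def design_check(attack_times, Lu, Ts):
    """The two design rules from the text applied to measured attack times Lp.
    Static keys: the service life Lu must be shorter than Lp.
    Dynamic keys: the sampling period Ts must be shorter than Lp, because the key
    changes every step and the attacker must finish within one step.
    The minimum is used: one fast solve is enough for the attacker."""
    Lp = min(attack_times)
    return {"Lp_min": Lp, "static_ok": Lu < Lp, "dynamic_ok": Ts < Lp}


if __name__ == "__main__":
    # Constructed sample: public keys for three "recorded" secret keys.
    secrets = [123456789, 987654321, 2**30 + 12345]
    recorded = [pow(G, s, P) for s in secrets]
    results = attack_recorded_keys(recorded)
    for s, (found, dt) in zip(secrets, results):
        print(f"s={s} recovered={found} in {dt * 1e6:.0f} us")
    print(design_check([dt for _, dt in results], Lu=100.0, Ts=1.0e-2))
```

On a laptop every 31-bit solve finishes in well under a second, so with Lu = 100 (sec) and Ts = 0.01 (sec) neither rule is satisfied at this size; the same procedure, with the solver and group replaced by ones of realistic size, is what produces the 48-bit and 96-bit thresholds read off FIG. 5B.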
<Example embodiment of the encryption control system>
A specific example embodiment of a plant control system using the secret key, public key, and ciphertext update rules of the encryption control system of the present invention is described below.
FIG. 6 is a schematic diagram showing the overall configuration of an encryption control system 101 according to an embodiment that implements the encryption control of the present invention. The encryption control system 101 comprises an input device 102, a plant-side control device 103, a controller 104, and a date/time information source device 105.
The controller 104 is connected to the input device 102 by a first control network L108 and to the plant-side control device 103 by a second control network L109.
A controlled object 106 and a sensor 107 are connected to the plant-side control device 103. As described later, the plant-side control device 103 supplies a control signal to the controlled object 106 and acquires from the sensor 107 an observed value, which is state information of the controlled object 106.
The input device 102, the controller 104, and the plant-side control device 103 are each connected to the date/time information source device 105 through an information network L110. The date/time information source device 105 is a personal computer or server running a network OS together with an NTP (Network Time Protocol) server and an NTP client. The first control network L108 and the second control network L109 are networks in which reliability of data transfer is paramount, and various kinds of network interface can be used for them. The information network L110, on the other hand, is not required to be as reliable as the control networks.
The input device 102, the controller 104, and the plant-side control device 103 are devices known as programmable controllers. A programmable controller has a case-like mount base 111 with many slots, and modules sized to fit those slots are installed according to the functions required.
The mount base 111 has a built-in interface that connects the modules to one another; when a module is inserted into a slot, data exchange between the modules and an appropriate power supply are established.
A CPU module 112, an information network module 113, and a first control network module 114a are installed on the mount base 111a of the input device 102. A CPU module 112, an information network module 113, a first control network module 114b, and a second control network module 115 are installed on the mount base 111b of the controller 104.
A CPU module 112, an information network module 113, a second control network module 115, and an input/output module 116 are installed on the mount base 111c of the plant-side control device 103.
The first control network module 114a of the input device 102 is the transmitting side, and the first control network module 114b of the controller 104 is the receiving side. In the second control network modules 115 of the controller 104 and of the plant-side control device 103, the transmitting-side terminal of each is connected to the receiving-side terminal of the other.
[Hardware configuration of the input device 102]
FIG. 7 is a block diagram showing the hardware configuration of the input device 102.
The input device 102 comprises the CPU module 112, the information network module 113, and the first control network module 114a, each connected to a module bus 201 provided on the mount base 111. The CPU module 112 comprises a CPU 202, a ROM 203, a RAM 204, and an RTC (Real Time Clock) 205 that generates date/time information, all connected to an internal bus 206. The internal bus 206 is connected to the module bus 201. The ROM 203 of the CPU module 112 stores the programs that carry out the control arithmetic processing, the encryption processing, and so on in the encryption control system 101.
The information network module 113 comprises a CPU 202, a ROM 203, a RAM 204, and a NIC (Network Interface Card) 207 connected to an internal bus 206. The internal bus 206 is connected to the module bus 201. The ROM 203 of the information network module 113 stores the network OS, the NTP server program, the NTP client program, and so on. In the first control network module 114a, a transmitting unit 208 is connected to the module bus 201.
[Hardware configuration of the controller 104]
FIG. 8 is a block diagram showing the hardware configuration of the controller 104. The controller 104 comprises the CPU module 112, the information network module 113, the first control network module 114b, and the second control network module 115. These modules are connected to the module bus 201 provided on the mount base 111. The CPU module 112 and the information network module 113 are the same as those of the input device 102, so their description is omitted.
The first control network module 114b comprises a receiving unit 309 connected to the module bus 201. The second control network module 115 comprises a transmitting unit 208 and a receiving unit 309 connected to an internal bus 206. The internal bus 206 is connected to the module bus 201.
[Hardware configuration of the plant-side control device 103]
FIG. 9 is a block diagram showing the hardware configuration of the plant-side control device 103. The plant-side control device 103 comprises the CPU module 112, the information network module 113, the second control network module 115, and the input/output module 116. These modules are connected to the module bus 201 provided on the mount base 111 (see FIG. 1). The CPU module 112, the information network module 113, and the second control network module 115 are the same as those of the controller 104, so their description is omitted.
The input/output module 116 comprises an A/D converter 410 to which the sensor 107 is connected and a D/A converter 411 to which the controlled object 106 is connected. The internal bus 206 is connected to the module bus 201. This input/output module 116 is only an example; depending on the controlled object 106, the sensor 107, and so on that are connected, signal processing circuits or the like connected to the A/D converter 410 and the D/A converter 411 may be required.
Although its hardware diagram is omitted here, the date/time information source device 105 shown in FIG. 6 is likewise a server, personal computer, or the like, and naturally comprises a CPU, ROM, RAM, non-volatile storage, RTC, and NIC connected to a bus.
<Software functions of the encryption control system of the example embodiment of the present invention>
FIG. 10 is a block diagram showing the software functions of the encryption control system 101 on the control networks.
[Software functions of the input device 102]
The input device 102 comprises a target value input unit 501, an input/output control unit 502, an encryption processing unit 503, a storage unit 504, a public key update unit 505, and a date/time information generation unit 506.
The target value input unit 501 supplies the target value r, before encryption, to the input/output control unit 502. The input/output control unit 502 passes the target value r received from the target value input unit 501 to the encryption processing unit 503. The encryption processing unit 503 encrypts the target value r with the public key kp updated by the public key update unit 505. The encryption processing unit 503 then sends the encrypted target value Enc(r) to the input/output control unit 502, and the input/output control unit 502 transmits this encrypted target value Enc(r) to the controller 104.
Here, the storage unit 504 holds the public key kp(0), the initial value from which the public key kp(t) is updated. The public key kp has the parameters kp := (G, q, g, h), but of these only h(t) is updated at each time (step), so the only initial value at time t is the public key parameter h(0). The public key update unit 505 also has a built-in random number generator 505a, which generates the random number w(t) needed to update the public key h(t). The public key update unit 505 then performs modular multiplication on the initial public key h(0) from the storage unit 504 and the random number w(0) from the random number generator 505a, and outputs the public key h(1) updated according to the update rule given by the second expression of Equation 10.
The updated public key h(1) is stored in the storage unit 504 as the initial value for the next step. By repeating this process in sequence, the public key update unit 505 updates the public key h(t) at time t (step t) to the public key h(t+1) for the next step (time (t+1)).
The public key update unit 505 corresponds to the public key update unit 53 of FIG. 2A, and the random number generator 505a to the random number generator 51 of FIG. 2A. Of the elements held in the storage unit 50 of FIG. 2A, the storage unit 504 holds p, q, g, and h(0), and h(t) is updated as the time t advances.
The random numbers v(t) and w(t) generated by the random number generator 505a are used in the computation of the public key update unit 505, but they must also be synchronized with the random number generator 510a of the ciphertext update unit 510 of the controller 104 and the random number generator 513a of the encryption key update unit 513 of the plant-side control device 103, both described later. These three random number generators 505a, 510a, and 513a are synchronized on the time information from the date/time information generation units 506, 511, and 519 and are controlled so that they generate the same random numbers at the same time t (step t). For example, the random number generators 505a, 510a, and 513a hold the same random number list consisting of a plurality of random numbers, and at the same time t each of them reads the record with the same record number from that list, so that each generates the same random numbers v(t) and w(t). This synchronization is functionally essential: the secret key, the public key, and the stored ciphertext are all refreshed with the same w(t), so a device that applied the random numbers of a different step would hold a key or ciphertext inconsistent with the others.
The public key update unit 505 then sends the public key h(t+1), updated at step (t+1), to the encryption processing unit 503. The encryption processing unit 503 encrypts the target value r with the new public key h(t+1) updated by the public key update unit 505 and sends the encrypted target value Enc(r) to the input/output control unit 502.
<Software functions of the controller 104>
The controller 104 comprises an input/output control unit 507, a multiplication unit 508, a storage unit 509, a ciphertext update unit 510, a date/time information generation unit 511, and a log table 520. It further comprises the transmitting unit 208 and the receiving unit 309 described in the hardware configuration of FIG. 8.
The encrypted target value Enc(r) transmitted from the input device 102 to the controller 104 is input to the input/output control unit 507 of the controller 104. The input/output control unit 507 forwards this encrypted target value Enc(r) unchanged to the plant-side control device 103 via the transmitting unit 208. The input/output control unit 507 also receives the encrypted input vector Enc(ζ) from the plant-side control device 103 via the receiving unit 309 and passes this encrypted input vector Enc(ζ) to the multiplication unit 508. All information output from and input to the input/output control unit 507 is stored in the log table 520.
The ciphertext update unit 510 of the controller 104 updates the first to third encryption control parameters Enc(Kp), Enc(Ki), and Enc(Kd) (collectively referred to below as the "encryption control parameter Enc(Φ) or EncΦ") stored in the storage unit 509. That is, on the basis of the current date/time information contained in the data received from the plant-side control device 103 via the receiving unit 309, the ciphertext update unit 510 reads the initial value EncΦ(0) of the encryption control parameter Enc(Φ) recorded in the storage unit 509, updates it to the encryption control parameter EncΦ(1), and sends it to the multiplication unit 508. The updated encryption control parameter EncΦ(1) is saved in the storage unit 509. In this way the ciphertext update unit 510 repeatedly updates the encryption control parameter EncΦ(t), generating the encryption control parameter EncΦ(t+1) for the next time (t+1) (step (t+1)) according to the third and fourth expressions of Equation 10 and sending it to the multiplication unit 508.
As described above, the ciphertext update unit 510 has a built-in random number generator 510a, and this random number generator 510a also generates the same random number at the same time (step) as the random number generator 505a of the input device 102.
After the ciphertext update unit 510 has finished updating the encryption control parameter EncΦ(t), the updated encryption control parameter EncΦ(t+1) is also saved in the storage unit 509 for the next update. At the same time, the date/time information at the time of the update, from the date/time information generation unit 511, is saved in the storage unit 509 together with the encryption control parameter EncΦ(t+1).
The ciphertext update unit 510 includes the function of the public key update unit 53 in addition to those of the ciphertext update units 54 and 55 of FIG. 2A, because, as Equation 10 shows, updating the ciphertext c2(t) requires the public key h(t). The random number generator 510a corresponds to the random number generator 51 of FIG. 2A. Of the elements held in the storage unit 50 of FIG. 2A, the storage unit 509 holds p, q, g, h(0), and EncΦ(0), and h(t) and EncΦ(t) are updated as the time t advances. The controller 104 therefore holds only public parameters and ciphertexts; the secret key is never present on it.
The multiplication unit 508 multiplies the encrypted input vector Enc(ζ) sent from the input/output control unit 507 by the encryption control parameter EncΦ(t) from the ciphertext update unit 510 to compute the encrypted output matrix Enc(Ψ). This relies on the multiplicative homomorphism of ElGamal encryption, under which the product of two ciphertexts decrypts to the product of their plaintexts, so the controller computes on encrypted values without decrypting them. As explained with reference to FIG. 1, the encrypted output matrix Enc(Ψ) contains the encrypted control signal Enc(u) and the updated encrypted state vector Enc(x), so the encrypted output matrix Enc(Ψ) may also be referred to as the encrypted control input Enc(u) in the description.
The encrypted output matrix Enc(Ψ) computed by the multiplication unit 508 is sent to the plant-side control device 103 via the input/output control unit 507 and the transmitting unit 208. The encrypted output matrix Enc(Ψ) is also fed back to the input device 102 for monitoring.
In the controller 104, the state vector x of the controller 104 is also encrypted and sent to the plant-side control device 103 via the transmitting unit 208 as the encrypted state vector Enc(x) contained in the encrypted output matrix Enc(Ψ).
As described above, the encrypted input vector Enc(ζ) to the controller combines the control signal x(t), which indicates the state of the controller at time t, with the input vector uc(t) to the controller (see Equation 4). Computing the encrypted controller parameter Enc(Φ), which the ciphertext update unit 510 reads from the storage unit 509, against the encrypted controller input vector Enc(ζ) yields the encrypted controller output matrix Enc(Ψ). The encrypted state vector Enc(x) contained in the output matrix Enc(Ψ) is decrypted by the decryption processing unit 512 of the plant-side control device 103 and, as the state vector x, is passed through the control arithmetic processing unit 514 to the encryption processing unit 518.
The date/time information generation unit 511, which outputs the current date/time information, outputs the date/time information at the start of synchronized operation of the plant-side control device 103 and the controller 104 (hereinafter "start date/time information") and also starts and stops the ciphertext update unit 510.
The current date/time information generated by the date/time information generation unit 511 is also stored, as encoding date/time information, in the data frame of the encrypted control input Enc(u) transmitted from the multiplication unit 508 to the plant-side control device 103 through the input/output control unit 507 and the transmitting unit 208.
[Software functions of the plant-side control device 103]
The plant-side control device 103 comprises a decryption processing unit 512, an encryption key update unit 513, a control arithmetic processing unit 514, a control processing unit 515, a signal conversion processing unit 516, a target error arithmetic processing unit 517, an encryption processing unit 518, a date/time information generation unit 519, and a storage unit 521.
The encrypted target value Enc(r) and the encrypted control input Enc(u) contained in the encrypted output matrix Enc(Ψ), transmitted from the controller 104 to the plant-side control device 103 via the transmitting unit 208, are input to the decryption processing unit 512 through the receiving unit 309 of the plant-side control device 103.
The decryption processing unit 512 decrypts the encrypted target value Enc(r) and the encrypted control input Enc(u) with the secret key s(t+1) updated by the encryption key update unit 513. The decrypted results, the target value r and the control input u, are sent to the control arithmetic processing unit 514, which outputs the target value r and the control input u. The control input u is sent to the control processing unit 515, and the target value r to the target error arithmetic unit 517. The control arithmetic processing unit 514 also outputs the state vector x of the controller 104 decrypted by the decryption processing unit 512 and sends this state vector x to the encryption processing unit 518.
The key update processing of the encryption key update unit 513 is now described. The encryption key update unit 513 has a built-in random number generator 513a. This random number generator 513a, too, generates the same random numbers v(t) and w(t) at the same time, in synchronization with the random number generator 505a of the input device 102 and the random number generator 510a of the controller 104. The storage unit 521 holds the pre-update public key h(t) and secret key s(t) as initial values.
The encryption key update unit 513 reads the pre-update secret key s(t) held in the storage unit 521, performs modular multiplication on this secret key s(t) and the random number w(t) read from the random number generator 513a according to the update expression given by the first expression of Equation 10, and generates the updated secret key s(t+1). It then sends this updated secret key s(t+1) to the decryption processing unit 512. As described above, the decryption processing unit 512 uses this secret key s(t+1) to decrypt the encrypted target value Enc(r) and the encrypted control input Enc(u). The secret key s(t) thus exists only on the plant-side control device 103, which is the only device in the system that decrypts.
The encryption key update unit 513 also reads the pre-update public key h(t) held in the storage unit 521, performs modular multiplication on this public key h(t) and the random number w(t) read from the random number generator 513a according to the update expression given by the second expression of Equation 10, and generates the updated public key h(t+1). It then sends this updated public key h(t+1) to the encryption processing unit 518.
The control processing unit 515 generates a control signal from the control input u received from the control arithmetic processing unit 514 and controls the controlled object 106 with it. If the controlled object 106 is a motor, for example, the control processing unit 515 controls the voltage, phase and so on applied to the motor. Once the controlled object 106 is driven by the control signal, its operating state is detected by the sensor 107.
The signal output by the sensor 107 is sent to the signal conversion processing unit 516 and converted into the observed value y, which is then sent to the target error calculation processing unit 517. The target error calculation processing unit 517 takes the difference between the target value r from the control arithmetic processing unit 514 and the observed value y from the signal conversion processing unit 516 and outputs the target error ε. For a PID controller the general controller input u_c(t) equals the target error ε(t), so with u_c = ε it is the target error ε(t) fed back to the controller that is encrypted.
The target error ε is encrypted by the encryption processing unit 518 into the encrypted target error Enc(ε). For this, the public key h(t+1) for time (t+1), updated by the encryption key update unit 513, is supplied to the encryption processing unit 518, which encrypts the target error ε with it.
The encrypted target error Enc(ε) produced by the encryption processing unit 518 is transmitted to the controller 104 via the transmission unit 208. The decrypted state vector x of the controller 104 output by the control arithmetic processing unit 514 is also encrypted by the encryption processing unit 518 and sent to the controller 104 via the transmission unit 208 as the updated encrypted state vector Enc(x) contained in the encrypted input vector Enc(ζ).
For the per-step update of the public and secret keys in the encryption key update unit 513, the current date/time information and the start date/time information carried in the data frame received from the controller 104 through the reception unit 309 are used. The storage unit 521 holds the public key h(t) and the secret key s(t) of the current step, before the update; the updated secret key s(t+1) and public key h(t+1) are then stored in the storage unit 521 as the base values for the next update.
The encryption key update unit 513 combines the functions of the secret key update unit 52, the public key update unit 53 and the ciphertext update units 54 and 55 of FIG. 2A, and the random number generator 513a corresponds to the random number generator 51 of FIG. 2A. Of the elements held in the storage unit 50 of FIG. 2A, the storage unit 521 stores p, q, g, s(0), h(0) and EncΦ(0); s(t), h(t) and EncΦ(t) are updated as the time t advances.
The date/time information generation unit 519 outputs the current date/time information and also outputs the date/time of the start of synchronous operation (hereinafter "start date/time information"), which is the same value as instructed by the date/time information generation unit 511 of the controller 104. The date/time information generation unit 519 also starts and stops the encryption key update unit 513. The current date/time information it generates is stored as the encoding date/time information in the data frame of the encrypted target error Enc(ε) contained in the encrypted input vector Enc(ζ) sent by the encryption processing unit 518.
<Synchronous operation start processing in the encryption control system of this embodiment>
As described with reference to FIG. 10, the encryption control system of this embodiment is a dynamically extended encryption control system in which the secret key s(t), the public key h(t) and the ciphertexts c1(t), c2(t) are updated at every step. It is therefore essential that the input device 102, the controller 104 and the plant-side control device 103 run in synchronization, and for that purpose each of them has its own date/time information generation unit: 506, 511 and 519 respectively.
FIG. 11 is a flowchart of the synchronous operation start processing performed by the date/time information generation unit 506 of the input device 102, the date/time information generation unit 519 of the plant-side control device 103 and the date/time information generation unit 511 of the controller 104.
In the description of FIG. 11 below, the date/time information generation unit 511 of the controller 104 acts as the master, and the date/time information generation unit 519 of the plant-side control device 103 and the date/time information generation unit 506 of the input device 102 act as slaves. Naturally, the date/time information generation unit of the input device 102 or of the plant-side control device 103 could act as master instead of that of the controller 104.
When processing starts (S11), the date/time information generation unit 511 of the controller 104 checks whether its own date/time information is calibrated, within a sufficiently small error, to the date/time information output by the date/time information source device 105 shown in FIG. 6 (S12). "Sufficiently small" here means that the error is small compared with the period at which information from the plant is sensed to obtain the observed value y; the same criterion applies in steps S13 and S14 described below.
If the date/time information of the controller's own unit 511 is confirmed to be calibrated to the date/time information source device 105 within a sufficiently small error (YES in S12), the date/time information generation unit 511 of the controller 104 next queries the input device 102 to confirm whether the date/time information generation unit 506 of the input device 102 is calibrated to the date/time information output by the date/time information source device 105 within a sufficiently small error (S13).
If the date/time information of the date/time information generation unit 506 of the input device 102 is confirmed to be so calibrated (YES in S13), the date/time information generation unit 511 of the controller 104 next queries the plant-side control device 103 to confirm whether its date/time information generation unit 519 is calibrated to the date/time information output by the date/time information source device 105 within a sufficiently small error (S14).
If step S14 confirms that the date/time information of the date/time information generation unit 519 of the plant-side control device 103 is so calibrated (YES in S14), all the date/time information generation units 506, 511 and 519 of the input device 102, the controller 104 and the plant-side control device 103 are calibrated at this point. As preparation for synchronous operation, the date/time information generation unit 511 of the controller 104 then decides the time at which synchronous operation starts, the step time at which the encryption keys are updated, the initial values for key updating and so on, and transmits them to the date/time information generation unit 506 of the input device 102 and the date/time information generation unit 519 of the plant-side control device 103 (S15).
Once the preparation for synchronous operation is complete in step S15, the date/time information generation unit 511 of the controller 104 waits until the set synchronous operation start time (NO in S16); when that time arrives (YES in S16) it starts synchronous operation (S17) and the sequence ends (S18).
If at any of the branches S12, S13 or S14 the calibration of the date/time information has not completed normally (NO in S12, S13 or S14), processing returns to step S12 and the checks are repeated.
<Synchronous operation processing in the encryption control system of this embodiment>
FIG. 12 is a sequence diagram illustrating the synchronous operation of the input device 102, the controller 104 and the plant-side control device 103 of the encryption control system 101. In FIG. 12 the sampling period Ts (the step time), which is also the key-update period, is 10 ms, and the sampling step is t. That is, t = 0 at the start of synchronous operation, and t is incremented by 1 (t = 1, 2, ...) each time one step elapses.
At the start of synchronous operation (t = 0), the input device 102 encrypts the target value r with the public key kp(t) (that is, h(t)) for t = 0 to obtain the encrypted target value Enc(r), and transmits Enc(r) to the plant-side control device 103 via the controller 104 (S21). The data frame D21 of the encrypted target value Enc(r) contains the current date/time information at t = 0 generated by the date/time information generation unit 506.
At the start of synchronous operation (t = 0), the ciphertext update unit 510 of the controller 104 reads the encrypted control parameter Enc(Φ(0)), the initial value at t = 0 held in the storage unit 509, and the multiplication unit 508 multiplies this initial value Enc(Φ(0)) by the encrypted controller input Enc(u_c) contained in the encrypted input vector Enc(ζ), that is, by the encrypted control error Enc(ε). The multiplication unit 508 thereby yields the encrypted output matrix Enc(Ψ), and the encrypted control signal Enc(u) contained in Enc(Ψ) is transmitted to the plant-side control device 103 via the transmission unit 208 (S22). The data frame D22 of the encrypted control signal Enc(u) contains the start date/time information of the synchronous operation and the current date/time information at t = 0; at t = 0 these two values are identical.
At the start of synchronous operation (t = 0), the plant-side control device 103 receives the encrypted target value Enc(r) from the input device 102 via the controller 104 and the encrypted control input Enc(u) from the controller 104 (S23).
The decryption processing unit 512 of the plant-side control device 103 obtains from the encryption key update unit 513 the secret key ks(0) (identical to s(0)) for t = 0, selected according to the current date/time information and the start date/time information, and decrypts the encrypted target value Enc(r) and control input Enc(u). The control arithmetic processing unit 514 then processes the decrypted signals from the decryption processing unit 512 to produce the target value r and the control input u (S24).
The homomorphic cipher used in the embodiments of the present invention allows encrypted data to be multiplied (or divided) while still encrypted, but not added or subtracted. The multiplication unit 508 of the controller 104 therefore performs only multiplication on the data it is given, and the additions and subtractions are performed after decryption by the control arithmetic processing unit 514. The control processing unit 515 generates a control signal from the control input u and controls the controlled object 106; once the controlled object 106 is driven by the control processing unit 515, its operation is detected by the sensor 107 (S24).
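The per-step key update of the encryption key update unit 513 (Equation (10)), the multiply-only controller step (S22, S28) and the multiplicative-only homomorphism just described can be run end to end in a few lines. The following is an added example written for this page, not code from the patent or its authors. It assumes a toy ElGamal group (p = 1019, q = 509, g = 4), random numbers v(t), w(t) derived from a pre-shared seed and the step counter (how the three generators 505a, 510a and 513a are kept in step is not specified on this page), and update formulas chosen so that h(t+1) = g^s(t+1) mod p continues to hold and a ciphertext stays decryptable under the new key; the page refers to Equation (10) but does not reproduce it, so these formulas, the fixed nonces and the signed encoding of negative errors are all assumptions of the example.

```python
"""Per-step (dynamic) ElGamal key and ciphertext update with synchronised PRNGs.

Added example for this page, not code from the patent. The toy group, the
seed-derived random numbers and the exact update formulas are assumptions
(the page refers to Eq. 10 but does not reproduce it); the formulas used
here keep h(t) = g^s(t) mod p, which is claim 1's discrete-log condition.
"""
from __future__ import annotations

import hashlib

# Toy group, constructed for this example: safe prime p = 2q + 1 and g = 4,
# which generates the order-q subgroup. A real deployment uses a large group.
P = 1019
Q = 509
G = 4


def step_randoms(shared_seed: bytes, t: int) -> tuple[int, int]:
    """Synchronised random numbers v(t), w(t) for step t.

    Every device derives them from the same pre-shared seed and the step
    counter, so generators 505a, 510a and 513a agree without any run-time
    exchange (this derivation is an assumption of the example). Both values
    are non-zero mod q, so w(t) is invertible mod q.
    """
    digest = hashlib.sha256(shared_seed + t.to_bytes(8, "big")).digest()
    v = 1 + int.from_bytes(digest[:16], "big") % (Q - 1)
    w = 1 + int.from_bytes(digest[16:], "big") % (Q - 1)
    return v, w


def keygen(s0: int) -> tuple[int, int]:
    """Step-0 key pair: secret s(0) and public h(0) = g^s(0) mod p."""
    return s0 % Q, pow(G, s0, P)


def encrypt(h: int, m: int, r: int) -> tuple[int, int]:
    """ElGamal encryption of m under public key h with nonce r: (g^r, m*h^r).
    The nonce is passed in for reproducibility; real code draws it fresh."""
    return pow(G, r, P), (m * pow(h, r, P)) % P


def decrypt(s: int, c: tuple[int, int]) -> int:
    """ElGamal decryption: c2 / c1^s mod p."""
    c1, c2 = c
    return (c2 * pow(pow(c1, s, P), -1, P)) % P


def homomorphic_mul(a: tuple[int, int], b: tuple[int, int]) -> tuple[int, int]:
    """Multiplicative homomorphism: Enc(x) * Enc(y) decrypts to x*y mod p.
    This is all the controller (unit 508) does; additions happen after decryption."""
    return (a[0] * b[0]) % P, (a[1] * b[1]) % P


def update_keys(s: int, h: int, w: int) -> tuple[int, int]:
    """s(t+1) = s(t)*w(t) mod q and h(t+1) = h(t)^w(t) mod p (assumed form).
    Because g has order q, h(t+1) = g^s(t+1) still holds after the update."""
    return (s * w) % Q, pow(h, w, P)


def update_ciphertext(c: tuple[int, int], h_next: int, v: int, w: int) -> tuple[int, int]:
    """Re-key a ciphertext from h(t) to h(t+1) = h(t)^w(t) without decrypting
    (c1 is raised to w^-1 mod q) and re-randomise it with v(t). Assumed form."""
    c1, c2 = c
    w_inv = pow(w, -1, Q)
    return (pow(c1, w_inv, P) * pow(G, v, P)) % P, (c2 * pow(h_next, v, P)) % P


def to_signed(x: int) -> int:
    """Decode a residue mod p as a signed value (upper half = negative).
    The page does not say how negative errors are encoded; this is an assumption."""
    return x - P if x > P // 2 else x


def run_steps(shared_seed: bytes, s0: int, phi: int, errors: list[int]) -> list[int]:
    """One control cycle per step, as in FIG. 12: the plant side encrypts ε(t)
    under h(t), the controller multiplies Enc(Φ(t)) by Enc(ε) without decrypting,
    and the plant side decrypts u = Φ*ε with s(t). Keys and Enc(Φ) are rolled
    every step. Returns the decrypted control inputs u(t)."""
    s, h = keygen(s0)
    enc_phi = encrypt(h, phi % P, 7)              # Enc(Φ(0)) provisioned in storage 509
    u_out = []
    for t, eps in enumerate(errors):
        enc_eps = encrypt(h, eps % P, 3 + t)      # plant side: Enc(ε) under h(t)
        enc_u = homomorphic_mul(enc_phi, enc_eps)  # controller: multiply only
        u_out.append(to_signed(decrypt(s, enc_u)))  # plant side: decrypt with s(t)
        v, w = step_randoms(shared_seed, t)       # same on every device at step t
        s_next, h_next = update_keys(s, h, w)
        enc_phi = update_ciphertext(enc_phi, h_next, v, w)  # Enc(Φ(t+1))
        s, h = s_next, h_next
    return u_out


if __name__ == "__main__":
    print(run_steps(b"pre-shared seed", 123, 5, [2, -3, 4]))
```

The point to check in such a scheme is the invariant after every update: `pow(G, s, P) == h` must still hold, and `Enc(Φ)` re-keyed with `update_ciphertext` must still decrypt to Φ under the new secret key. If either fails, the controller's product no longer decrypts to Φ·ε and the plant receives garbage control inputs; that, not a cryptographic break, is the most likely failure mode when the three generators drift out of step.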
The observation signal detected by the sensor 107 is converted into the observed value y by the signal conversion processing unit 516. The observed value y output by the signal conversion processing unit 516 is input to the target error calculation processing unit 517 together with the target value r from the control arithmetic processing unit 514, and the target error calculation processing unit 517 subtracts the observed value y from the target value r and outputs the target error ε (S24).
The encryption processing unit 518 encrypts the target error ε of time t with the public key kp(t+1) updated by the encryption key update unit 513, so that it corresponds to the step at time (t+1) (S25). At this point t is 0, so (t+1) is 1: the public key kp(t+1) corresponding to step 1 is used to encrypt the target error ε.
Thus, when the step count has been incremented by 1 from the start of synchronous operation (t = 0) and t = 1 has been reached, the plant-side control device 103 transmits the encrypted target error Enc(ε) to the controller 104 via the transmission unit 208 (S26). The data frame D23 of the encrypted target error Enc(ε) contains the start date/time information of the synchronous operation and the current date/time information at t = 1.
At t = 1 the controller 104 receives the encrypted target error Enc(ε) from the plant-side control device 103 via the reception unit 309 (S27). The received Enc(ε) is passed through the input/output control unit 507 to the multiplication unit 508, which forwards the start date/time information and the current date/time information at t = 1 attached to the data frame of Enc(ε) to the ciphertext update unit 510.
The ciphertext update unit 510 reads the encrypted control parameter EncΦ(1), updated for t = 1, from the storage unit 509 and sends it to the multiplication unit 508. The multiplication unit 508 multiplies the encrypted control parameter EncΦ(1) by the encrypted target error Enc(ε) contained in the encrypted input vector Enc(ζ), computes the encrypted control gain, and from it obtains the encrypted control input Enc(u) (S28). The encrypted control input Enc(u) is then transmitted to the plant-side control device 103 (S29). The data frame D24 of the encrypted control input Enc(u) contains the start date/time information of the synchronous operation and the current date/time information at t = 1.
At t = 1, the input device 102 encrypts the target value r with the new public key kp(t+1) corresponding to the step t = 1 to obtain the encrypted target value Enc(r), and transmits it to the plant-side control device 103 via the controller 104 (S30). The data frame D25 of the encrypted target value Enc(r) contains the current date/time information at t = 1.
At t = 1 the plant-side control device 103 receives the encrypted target value Enc(r) from the input device 102 and the encrypted control input Enc(u) from the controller 104 (S31). The decryption processing unit 512 of the plant-side control device 103 then decrypts the target value r and the control input u with the encryption key selected on the basis of the current date/time information and the start date/time information attached to the data frames of Enc(r) and Enc(u).
The control arithmetic processing unit 514 outputs the target value r and the control input u decrypted by the decryption processing unit 512, together with the state vector x of the controller 104. The control processing unit 515 generates a control signal from the control input u and controls the controlled object 106; once the controlled object 106 is driven by the control processing unit 515, its operation is detected by the sensor 107.
The observation signal output by the sensor 107 is converted into the observed value y by the signal conversion processing unit 516. As described with reference to FIG. 10, this observed value y is input to the target error calculation processing unit 517 together with the target value r output by the control arithmetic processing unit 514, and the target error calculation processing unit 517 subtracts the observed value y from the target value r and outputs the target error ε (S32).
The encryption processing unit 518 encrypts this target error ε with the public key kp(t+1) updated for step (t+1) (S33). Since the current time t is already 1 at this point, step (t+1) is 2, so the public key used by the encryption processing unit 518 to encrypt the target error ε is the public key kp(t+2) corresponding to step 2.
In the same way, when the plant-side control device 103 receives the encrypted target value Enc(r) for step 2 from the input device 102 and the encrypted control input Enc(u) for step 2 from the controller 104, it controls the controlled object 106 on the basis of the corresponding target value r and control input u. The observed value y obtained from the sensor 107 is likewise subtracted from the target value r to obtain the target error ε, and the encryption processing unit 518 encrypts the target error ε with the public key kp(t+2) for step 2 and outputs the encrypted target error Enc(ε) to the controller 104 (S34). The data frame D26 of this encrypted target error Enc(ε) contains the current date/time information at t = 2.
In other words, the step is incremented by 1 with each receive, compute and transmit cycle of the plant-side control device 103.
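Every frame in the sequence above (D21 to D26) carries the start date/time and the sender's current date/time, and the receiver uses these to pick the key for the step the frame belongs to (S24, S31). The following added example, written for this page rather than taken from the patent, shows the receiver-side bookkeeping a practitioner would want around that rule: the step index is the number of whole sampling periods Ts since the start time, a frame whose timestamp is off the step grid or disagrees with the local clock by more than the calibration bound of S12 to S14 is rejected, a frame for a step already processed is rejected as stale or replayed, and a frame for a later step rolls the key forward so a lost frame does not desynchronise the parties. The frame layout, the 2 ms tolerance and the hash ratchet standing in for the key update of Equation (10) are assumptions of the example; the replay and clock-consistency checks are additions not described on the page.

```python
"""Step and key selection from the start/current date-time fields of a frame.

Added example for this page, not the patent's own code. The frame layout,
the 2 ms calibration tolerance and the hash-ratchet key advance are
assumptions; the replay and clock-consistency rejections are checks added
here that the page does not describe.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

TS_MS = 10          # sampling period Ts from FIG. 12: one key update per step
TOLERANCE_MS = 2    # assumed clock-calibration bound, well below Ts (S12..S14)


@dataclass(frozen=True)
class Frame:
    start_ms: int     # start date/time: when synchronous operation began (D22..D26)
    current_ms: int   # sender's current date/time when the frame was built
    payload: bytes    # the ciphertext; opaque to the step logic


class StepError(ValueError):
    """Raised when a frame cannot be mapped to a valid step."""


def step_of(frame: Frame) -> int:
    """Step index t claimed by a frame: whole sampling periods since the start time."""
    elapsed = frame.current_ms - frame.start_ms
    if elapsed < 0 or elapsed % TS_MS != 0:
        raise StepError(f"timestamp {frame.current_ms} is not on a step boundary")
    return elapsed // TS_MS


def advance_key(key: bytes, t: int) -> bytes:
    """Stand-in for the page's Eq. 10 update: a one-way ratchet k(t) -> k(t+1).
    (Assumption of this example; the patent rolls ElGamal keys with a synchronised PRNG.)"""
    return hashlib.sha256(key + t.to_bytes(8, "big")).digest()


class StepKeyring:
    """Receiver-side key selection driven by a frame's date/time fields.

    Keys are derived forward only: a frame for a later step advances the ring
    (a lost frame therefore does not desynchronise the parties), a frame for
    an earlier step is rejected as stale or replayed, and a frame whose
    timestamp disagrees with the local clock by more than the calibration
    bound is rejected before any key is derived.
    """

    def __init__(self, start_ms: int, key0: bytes) -> None:
        self.start_ms = start_ms
        self.step = 0
        self.key = key0

    def key_for(self, frame: Frame, local_now_ms: int) -> bytes:
        if frame.start_ms != self.start_ms:
            raise StepError("frame belongs to a different synchronous run")
        if abs(local_now_ms - frame.current_ms) > TOLERANCE_MS:
            raise StepError("frame timestamp disagrees with the local clock")
        t = step_of(frame)
        if t < self.step:
            raise StepError(f"step {t} already passed (stale or replayed frame)")
        while self.step < t:                    # roll forward over any skipped steps
            self.key = advance_key(self.key, self.step)
            self.step += 1
        return self.key
```

The two frames the plant side receives in one step, Enc(r) from the input device and Enc(u) from the controller, map to the same step and therefore the same key, which is why equality with the current step is accepted and only earlier steps are refused. The tolerance has to be small compared with Ts, as the page requires of the clock calibration; if it were comparable to Ts a frame could be attributed to the neighbouring step and decrypted with the wrong key.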
<Modification>
FIG. 13 shows a modification of the embodiment of the encryption control system of the present invention shown in FIG. 10. In the modification of FIG. 13, the controller 500 integrates the input device 102 and the controller 104 of FIG. 10.
Here the encryption key/ciphertext update unit 521 has the functions of both the public key update unit 505 and the ciphertext update unit 510 of FIG. 10, and the storage unit 522 has the functions of both the storage unit 504 and the storage unit 509 of FIG. 10.
That is, the encryption key/ciphertext update unit 521 updates the pre-update public key obtained from the storage unit 522 to the public key of the next step and provides the updated public key to the encryption processing unit 503. It also uses the random number generated by the random number generator 521a and the encrypted control parameter EncΦ(t) held in the storage unit 522 to update the pre-update ciphertext C(c1(t), c2(t)) to the ciphertext C(c1(t+1), c2(t+1)) of the next step, and sends the updated ciphertext to the multiplication unit 508.
The input/output control unit 523 is an input/output controller combining the functions of the input/output control unit 502 of the input device 102 and the input/output control unit 507 of the controller 104.
There is no need for two date/time information generation units, however; the date/time information generation unit 511 of the controller 104 suffices. The date/time information generation unit 511 provides the date/time information appended to the encrypted control input Enc(u) output by the multiplication unit 508 and also gives the timing at which the encryption key/ciphertext update unit 521 is started.
As described above, even when the controller 500 of FIG. 13, which integrates the input device 102 and the controller 104, is used, an encryption control system can be realized that is functionally equivalent to the input device 102 and the controller 104 of the encryption control system 101 shown in FIG. 10.
This embodiment has disclosed the encryption control system 101. The input device 102, the plant-side control device 103 and the controller 104 operate synchronously on the same time base. Configuring the encryption control system 101 in this way makes it possible to update the public key, the secret key and the ciphertext at every step, in synchronization with the control period of the whole control system.
The encryption keys (public key and secret key) and the ciphertext are thus renewed within a time that is short compared with the service life of the controlled object, so that recovering the encryption keys or the ciphertext is expected to be extremely difficult even for a malicious third party.
In the encryption control system of the present invention the secret key, the public key and the ciphertext are updated on the basis of a dynamic extension of the ElGamal cryptosystem, but ElGamal is only one example; the basic technical idea of the encryption control system of the present invention can be applied to other ciphers as well. The technical idea underlying the encryption control system of the present invention and example embodiments have been described above, but the present invention is not limited to those embodiments and includes other modifications and applications that do not depart from the gist of the invention set out in the claims.
10, 104, 500…controller, 20…plant, 21, 106…controlled object, 22…subtractor, 30…decryption unit, 40…encryption unit, 50, 504, 509, 521, 522…storage unit, 52…secret key update unit, 513…encryption key (secret key, public key) update unit, 53, 505…public key update unit, 54, 55, 510…ciphertext update unit, 56…random number update unit,
101…encryption control system, 102…input device, 103…plant-side control device, 105…date/time information source device, 107…sensor, 111…mount base, 112…CPU module, 113…information network module, 114a, 114b…first control network module, 115…second control network module, 116…input/output module, 202…CPU, 203…ROM, 204…RAM, 205…RTC, 206…bus, 207…NIC, 208…transmission unit, 309…reception unit, 410…A/D converter, 411…D/A converter, 501…target value input unit, 502, 507…input/output control unit, 503…encryption processing unit, 506, 511, 519…date/time information generation unit, 508…multiplication unit, 512…decryption processing unit, 514…control arithmetic processing unit, 515…control processing unit, 516…signal conversion processing unit, 517…target error calculation processing unit, 518…encryption processing unit, 620…log table, 523…encryption key/ciphertext update unit

Claims (9)

  1.  An encryption control system in which a controlled object is controlled by an encryption controller capable of concealing information in the control system by means of cryptographic theory, the system comprising:
     an encryption key update unit that, at every encryption step, dynamically updates a private key and a public key according to an update rule satisfying the condition that the keys remain a solution of the discrete logarithm problem; and
     a ciphertext update unit that, at every encryption step, dynamically updates a ciphertext,
     wherein the encryption key update unit and the ciphertext update unit each have a random number generator, the respective random number generators generate the same random number at the same encryption time step, and the private key, the public key and the ciphertext are updated by performing modular multiplication of the random number generated by the respective random number generators with an encryption control parameter.
  2.  The encryption control system according to claim 1, wherein
     the encryption key update unit updates the encryption key by computing, from the encryption key used in the current step and on the basis of the control law of the control system, the encryption key to be used in the next step, and
     the ciphertext update unit updates the ciphertext by computing, from the ciphertext used at the current time and on the basis of the control law of the control system, the ciphertext to be used in the next step.
  3.  The encryption control system according to claim 2, wherein, with s(t) denoting the private key of the control system, h(t) the public key and (c1(t), c2(t)) the ciphertext, the control law for updating the private key, the public key and the ciphertext follows the following equations:
     Figure JPOXMLDOC01-appb-I000001
     where f1 is the map that updates the private key s(t), f2 is the map that updates the public key h(t), f3 and f4 are the maps that update the ciphertext (c1(t), c2(t)), w(t) and v(t) are the random numbers used to update the private key s(t), the public key h(t) and the ciphertext (c1(t), c2(t)), p and q are primes with p = 2q + 1, and g is a generator of the cyclic group.
  4.  The encryption control system according to any one of claims 1 to 3, wherein the cipher used in the encryption key update unit and the ciphertext update unit is ElGamal encryption.
  5.  The encryption control system according to claim 2 or 3, wherein the number of steps over which the encryption key and the ciphertext are updated is the value Lu(sec)/Ts(sec) obtained by dividing the service life Lu (sec) of the control system by the sampling period Ts (sec) at which the controlled object is sensed.
  6.  An encryption control method for controlling a controlled object by an encryption controller capable of concealing information in a control system by means of cryptographic theory, the method comprising:
     a procedure in which, at every encryption step, an encryption key update unit dynamically updates a private key and a public key by performing modular multiplication of a random number generated by a random number generator provided in the encryption key update unit with the private key and the public key of the preceding step; and
     a procedure in which, at every encryption step, a ciphertext update unit dynamically updates a ciphertext by performing modular multiplication of a random number, generated by a random number generator provided in the ciphertext update unit and identical to the random number generated by the random number generator provided in the encryption key update unit, with the encryption control parameter of the preceding step.
  7.  The encryption control method according to claim 6, wherein
     in the procedure for dynamically updating the private key and the public key, the private key and the public key to be used at the next time (t+1) are generated from the private key and the public key used at the current step t and a random number, on the basis of the control law of the control system given by the following equations, and
     in the procedure for dynamically updating the ciphertext, the ciphertext to be used at the next time (t+1) is generated from the ciphertext used at the current time t and a random number, on the basis of the control law of the control system given by the following equations:
     Figure JPOXMLDOC01-appb-I000002
     where f1 is the map that updates the private key s(t), f2 is the map that updates the public key h(t), f3 and f4 are the maps that update the ciphertext (c1(t), c2(t)), w(t) and v(t) are the random numbers used to update the private key s(t), the public key h(t) and the ciphertext (c1(t), c2(t)), p and q are primes with p = 2q + 1, and g is a generator of the cyclic group.
  8.  An encryption control program that causes a computer to execute encryption control in which a controlled object is controlled by an encryption controller capable of concealing information in a control system by means of cryptographic theory, the program causing the computer to execute:
     a procedure in which, at every encryption step, an encryption key update unit dynamically updates a private key and a public key by performing modular multiplication of a random number generated by a random number generator provided in the encryption key update unit with the private key and the public key of the preceding step; and
     a procedure in which, at every encryption step, a ciphertext update unit dynamically updates a ciphertext by performing modular multiplication of a random number, generated by a random number generator provided in the ciphertext update unit and identical to the random number generated by the random number generator provided in the encryption key update unit, with the encryption control parameter of the preceding step.
  9.  The encryption control program according to claim 8, wherein
     in the procedure for dynamically updating the private key and the public key, the private key and the public key to be used in the next step (t+1) are generated from the encryption key used in the current step t and a random number, on the basis of the control law of the control system given by the following equations, and
     in the procedure for dynamically updating the ciphertext, the ciphertext to be used in the next step (t+1) is generated from the ciphertext used in the current step t and a random number, on the basis of the control law of the control system given by the following equations:
     Figure JPOXMLDOC01-appb-I000003
     where f1 is the map that updates the private key s(t), f2 is the map that updates the public key h(t), f3 and f4 are the maps that update the ciphertext (c1(t), c2(t)), w(t) and v(t) are the random numbers used to update the private key s(t), the public key h(t) and the ciphertext (c1(t), c2(t)), p and q are primes with p = 2q + 1, and g is a generator of the cyclic group.
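The following is an added worked example and is not code from the patent or from its applicant. It instantiates, in plain Python, the mechanism claims 1, 3, 6 and 7 describe: an ElGamal key pair and a stored ciphertext are rolled forward every control step by modular multiplication with a value derived from a random number w(t) that both update units compute identically, with p = 2q + 1 and g of order q. The patent's actual maps f1 to f4 are in figures not reproduced on this page, so the concrete rules used here (s(t+1) = s(t) + w(t) mod q, h(t+1) = h(t)·g^w(t) mod p, c2(t+1) = c2(t)·c1(t)^w(t) mod p) are an assumption chosen so that h(t+1) = g^s(t+1) keeps holding; the hash-based shared random number generator, the group size, the gain and the sensor value are likewise constructed for the demo.

```python
# Added example, not the patent's code. The update rules f1..f4 below are an
# assumption (the patent's own maps are in figures absent from this page):
#   s(t+1) = s(t) + w(t) mod q,   h(t+1) = h(t) * g^w(t) mod p,
#   c1(t+1) = c1(t),              c2(t+1) = c2(t) * c1(t)^w(t) mod p.
# Each step is a modular multiplication by a value derived from the shared w(t),
# and the pair (s, h) stays a discrete-logarithm instance h = g^s mod p.
import hashlib
import random


def is_probable_prime(n, rounds=32, rng=random.Random(1)):
    """Miller-Rabin with a fixed witness stream so the demo is reproducible."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime_group(bits, rng):
    """Return (p, q, g): p = 2q + 1 prime (claim 3) and g of prime order q."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    while True:
        g = pow(rng.randrange(2, p - 1), 2, p)   # a square != 1 has order q
        if g != 1:
            return p, q, g


def keygen(p, q, g, rng):
    s = rng.randrange(1, q)
    return s, pow(g, s, p)                       # h = g^s mod p


def encrypt(p, q, g, h, m, rng):
    """Plain ElGamal. m is any element of Z_p^* here; a real deployment
    encodes m into the order-q subgroup to keep IND-CPA."""
    r = rng.randrange(1, q)
    return pow(g, r, p), (m * pow(h, r, p)) % p


def decrypt(p, q, s, c):
    c1, c2 = c                                   # c1 has order q: c1^-s = c1^(q-s)
    return (c2 * pow(c1, q - s, p)) % p


def shared_random(seed, t, q):
    """w(t) as both update units compute it at step t. The claims only require
    the two generators to agree; a hash counter over a shared secret seed is
    this example's assumption. Output lies in [1, q-1]."""
    digest = hashlib.sha256(seed + t.to_bytes(8, "big")).digest()
    return 1 + int.from_bytes(digest, "big") % (q - 1)


def update_keys(p, q, g, s, h, w):
    """f1, f2: key update unit (the decrypting side holds s, both sides know h)."""
    return (s + w) % q, (h * pow(g, w, p)) % p


def update_ciphertext(p, c, w):
    """f3, f4: ciphertext update unit re-keys a stored ciphertext to h(t+1)
    without learning the plaintext; c1 is left unchanged."""
    c1, c2 = c
    return c1, (c2 * pow(c1, w, p)) % p


def mul_ciphertexts(p, ca, cb):
    """ElGamal is multiplicatively homomorphic: Enc(a)*Enc(b) = Enc(a*b). This is
    how the encrypted controller applies a gain to a sensor value. Both inputs
    must be under the same epoch key h(t)."""
    return (ca[0] * cb[0]) % p, (ca[1] * cb[1]) % p


def simulate(steps, seed=b"constructed-shared-seed", bits=48):
    """Run `steps` control periods; return the checks a practitioner wants."""
    rng = random.Random(2020)                    # constructed demo randomness
    p, q, g = gen_safe_prime_group(bits, rng)
    s, h = keygen(p, q, g, rng)
    gain, x = 7, 1234                            # constructed gain K, sensor value
    ct_gain = encrypt(p, q, g, h, gain, rng)     # controller parameter kept encrypted
    s0, ok = s, True
    for t in range(steps):
        ct_x = encrypt(p, q, g, h, x, rng)       # sensor side -> controller under h(t)
        ct_u = mul_ciphertexts(p, ct_gain, ct_x) # controller computes Enc(K*x)
        ok &= decrypt(p, q, s, ct_u) == (gain * x) % p
        w = shared_random(seed, t, q)            # same w(t) in both update units
        s, h = update_keys(p, q, g, s, h, w)
        ct_gain = update_ciphertext(p, ct_gain, w)
        ok &= pow(g, s, p) == h                  # DLP relation preserved
    stale = decrypt(p, q, s0, ct_gain) == gain   # old key against rolled ciphertext
    return {"all_steps_ok": ok, "stale_key_decrypts": stale, "p": p, "q": q, "g": g}
```

Calling `simulate(5)` reports that every step's homomorphic product decrypts to K·x under the current key, that h(t) = g^s(t) survives each update, and that the initial private key no longer decrypts the rolled ciphertext. Two checks worth carrying into a real deployment: the w(t) stream must be confidential to the two units, because with this additive rule anyone holding the stream and a single s(t) recovers every other epoch's key; and the units must stay in lockstep, since a skipped step leaves the stored ciphertext under a key the decryptor no longer holds, which surfaces as wrong plaintext rather than an error.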
PCT/JP2020/008362 2019-03-04 2020-02-28 Encryption control system, encryption control method, and encryption control program WO2020179672A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2021504051A JP7450277B2 (en) 2019-03-04 2020-02-28 Encryption control system, encryption control method and encryption control program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2019-039026 2019-03-04
JP2019039026 2019-03-04

Publications (1)

Publication Number Publication Date
WO2020179672A1 true WO2020179672A1 (en) 2020-09-10

Family

ID=72337781

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/008362 WO2020179672A1 (en) 2019-03-04 2020-02-28 Encryption control system, encryption control method, and encryption control program

Country Status (2)

Country Link
JP (1) JP7450277B2 (en)
WO (1) WO2020179672A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH01212041A (en) * 1988-02-18 1989-08-25 Hitachi Ltd Cryptographic communication system
JP2012064439A (en) * 2010-09-16 2012-03-29 Sony Corp Power supply device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH01212041A (en) * 1988-02-18 1989-08-25 Hitachi Ltd Cryptographic communication system
JP2012064439A (en) * 2010-09-16 2012-03-29 Sony Corp Power supply device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ANTONOPOULOS, A. M.: "Chapter 4. Keys, Addresses, Wallets, Mastering Bitcoin", O'REILLY MEDIA INC., XP55750402, Retrieved from the Internet <URL://https://www.oreilly.com/library/view/mastering-bitcoin/9781491902639/ch04.html> [retrieved on 20200422] *
FUJITA, TAKAHIRO: "Encryption of Controllers Using ElGamal Cryptosystem", TRANSACTIONS OF THE SOCIETY OF INSTRUMENT AND CONTROL ENGINEERS, vol. 51, no. 9, 30 September 2015 (2015-09-30), pages 661 - 666, XP05559469 *

Also Published As

Publication number Publication date
JPWO2020179672A1 (en) 2020-09-10
JP7450277B2 (en) 2024-03-15

Similar Documents

Publication Publication Date Title
Biham et al. Rogue7: Rogue engineering-station attacks on s7 simatic plcs
Çavuşoğlu et al. A new chaotic system with hidden attractor and its engineering applications: analog circuit realization and image encryption
RU2638639C1 (en) Encoder, decoder and method for encoding and encrypting input data
JP7391368B2 (en) Encryption control method and encryption control program
US11824999B2 (en) Chosen-plaintext secure cryptosystem and authentication
JP7147024B2 (en) RANDOM NUMBER GENERATOR AND RANDOM NUMBER GENERATION METHOD
KR20040096778A (en) Method and apparatus for the generation of public key based on a user-defined id in a cryptosystem
KR101899130B1 (en) Methods for encrypting data, decrypting data and apparatus using the same
CN113098675A (en) Binary data encryption system and method based on polynomial complete homomorphism
JP2023520776A (en) Method and system for compression encryption
WO2020179672A1 (en) Encryption control system, encryption control method, and encryption control program
CN116094688A (en) Security control method, device and system based on homomorphic encryption
Riyadi et al. The Dynamic Symmetric Four-Key-Generators System for Securing Data Transmission in the Industrial Control System.
CN110611674B (en) Protocol interaction method, system and storage medium between different computer systems
JP5491713B2 (en) ENCRYPTION DEVICE, ENCRYPTION PROGRAM, AND METHOD
CN114362912A (en) Identification password generation method based on distributed key center, electronic device and medium
KR20150139304A (en) Encryption device and method for protecting a master key
CN115102715B (en) Data transmission safety method and system for software update in networked numerical control system
Fischer Advancements in control system data authentication and verification
JP2008203581A (en) Network system
Duan et al. High-Speed Anonymous Device Authentication Without Asymmetric Cryptography in the Internet-of-Things
WO2022125198A1 (en) Certificate-based encryption implemented with multiple encryption schemes
Frank Chaos theory, deterministic chaos, attractors, and sensitive initial conditions are key principles in chaotic encryption
Kamil NOVEL LIGHTWEIGHT ENCRYPTION API FOR IOT DEVICE COMMUNICATION
Guerreiro et al. A neural key generator for a public block cipher

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20766620

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2021504051

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20766620

Country of ref document: EP

Kind code of ref document: A1