1

Privacy Preservation by Local Design inCooperative Networked Control Systems

Chao Yang, Wen Yang?, and Hongbo Shi

Abstract—In this paper, we study the privacy preservationproblem in a cooperative networked control system working forthe task of LQG control. The system consists of a user anda server: the user owns the state process, the server providescomputation capability, and the user employs the server tocompute control inputs for it. To enable the server’s computation,the user needs to provide the measurements of the process statesto the server. However, the user regards the states as privacy andwants the server to have deviated knowledge of the state estimatesrather than the true value. Regarding that, we propose a novellocal design of privacy preservation, which creates a deviation inthe server’s knowledge of the state estimates from the true value.Meanwhile, we propose an associated privacy metric to measurethe deviation and analyze the privacy performance accordingly.Furthermore, we analyze the service loss in the LQG controlperformance caused by the privacy scheme. Finally, we studythe performance trade-off between the privacy preservation andthe LQG control, where the proposed optimization problems aresolved by numerical methods efficiently.

Index Terms—privacy preservation, cooperative privacy, localdesign, cooperative networked control systems

I. INTRODUCTION

The networked control systems, featuring the flexibility ofconfiguring the various components of a control system, havegained numerous applications nowadays [1]. This flexibilitycould further facilitate the system to be run cooperatively bymore than one party: different individuals or organizations ownrespective parts of it. This could be realized by that variousparties unite together, or that the original owner of a systemoutsources some parts to external parties. We name this typeof systems as cooperative networked control systems. Thiscooperative manner should be a natural trend of economicdemand, since higher economic efficiency is usually achievedby deeper work division and cooperation. Practically, weobserve the exploding cloud service in industry in recent years[2]–[5], which may be viewed as a sign of this trend, sincethe cloud service can be expected to provide one way easilyrealizing the configurations of cooperative networked controlsystems.

A basic scenario of cooperative networked control systemsis presented in Fig. 1, which we name as the user-serversystem. In this scenario, the cooperative networked controlsystem is formed by two parties, the user and the server. Theuser employs the server to provide certain service for it, andto achieve this, it provides necessary information to the server.

Key Laboratory of Advanced Control and Optimization for Chemi-cal Processes, Dept. of Automation, East China University of Scienceand Technology, Shanghai, China, 200237. Email: {yangchao, weny, hb-shi}@ecust.edu.cn. The corresponding author is Wen Yang.

Fig. 1. The user-server system.

The cooperation of the user and the server brings efficiencyand economics advantages; however, the increased complexityin system structure will also cause new issues, one of whichis the privacy issue. The data provided by the user possiblycorrespond to certain other information, some of which may besupposed to be private. Meanwhile, the server is motivated toanalyze the information data purposely, since more knowledgeabout clients usually helps more. Hence, the user may faceunwilled exposure of privacy. For example, when people shopon-line, the data of items bought and money paid (maybeliving address also included) are recorded. These data canbe related to the customer’s income level, family structure,hobbies, and so on. The business provider could use thecustomer’s historical shopping records to depict his/her pref-erence profile, so that better business decisions can be made(such as a personalized recommendation service). However,for certain customers, they may not want their preferencesexposed. Nevertheless, the risk seems inevitable. We have tosay that the server does not literally betray the cooperation;it can be called “honest but curious” [6], i.e., it still honestlyserves the duty in cooperation, only meanwhile intending todiscover more knowledge of the user as well.

Consequently, to safely use the cooperative systems, weneed to address the privacy issue. One common methodologyis that the server provides certain privacy policy in favor of theuser. Nevertheless, a careful user may still have this demand:regardless of the server’s privacy policies, it demands a localprivacy scheme which is not open to the server, such that theserver’s achievable knowledge of the user’s private informationis not correct but deviated. However, according to the currentliterature, this demand has been seldom visited yet. In thispaper, we study this problem.

A. Related Studies

This cooperative privacy problem has been visited in manydirections, such as cloud security and outsourcing security [7]–[9].

When specifically considering the networked control sys-tems, one may first relate the privacy issue to the study onthe security of cyber-physical systems [10]–[13], since bothof them corresponds to system safety. However, the studymethodology on privacy preservation may differ from that of

arX

iv:2

207.

0390

4v1

[ee

ss.S

Y]

8 J

ul 2

022

2

the cyber-physical security and have its own particularities,as the two have different natures. 1) In the setup of CPSsecurity, an adversary is excluded in the original healthysystem, usually unknown. In privacy, the one to defense isthe known cooperator who also belongs to the system. 2) Insecurity setups, the information collection (usually by stealthy)is illegal and may be followed by system damaging, whichis unwanted. In privacy, information is collected with rightauthorized, and the cooperator normally serves the duty incooperation, which is needed. Hence, though overlapped insome aspects, the methodology of cyber-physical securitycannot entirely cover the study on privacy preservation, andthe study of privacy preservation needs to develop its own one.

The existing studies related to privacy in cooperative net-worked control systems have several frameworks, each ofwhich is based on the understanding and modeling of theconcept of privacy. The first important one is called differ-ential privacy. This concept was originally proposed in thefield of statistical databases [14], [15], where it pointed outthat one database item has the risk of being identified byanalyzing the differences between certain answering outputsof database queries. To protect the privacy, it proposed themethod of adding randomness to query answers. This conceptand method were later borrowed by the control field. Theywere mainly employed in the model who has a centraliz-ing or fusing mechanism with multiple participating parties,which are similar to the model of a statistical database whoassembles data from multiple participants. Huang et al. [16]considered the model of consensus in a centralized systemand in a distributed system, both with preserved differentialprivacy. He et al. [17] studied a distributed estimation modelunder differential privacy requirement. Le Ny and Pappas[18] studied the differential privacy problem for centralizedKalman filtering. Le Ny and Mohammady [19] considered theMIMO system. Koufogiannis and Pappas [20] considered thedifferential privacy preservation for current state of a runningdynamical system. Ye and Barg [21] considered the pointdistribution estimation from privatization samples. The modelof constrained optimization for distributed multiple users wasalso visited, such as Han et al. [22] and Hale and Egerstedt[23].

The second important framework of privacy preservationshould be the information-theoretic approach [24]. In thisframework, information entropy is used as a metric of pri-vacy. As the indicator of how much information is carried,information entropy is a natural metric to measure the privacy.Compared with differential privacy, who is only available forcentralized models with multiple participants, information-theoretic approach also works for models with one singleparticipant. Moreover, in differential privacy, the preservationis usually realized by injecting Gaussian or Laplacian noise,while in the information-theoretic approach, more sophisti-cated schemes are also proposed. Nekouei et al. [25] presentedtwo privatized information-sharing schemes in a multi-sensorestimation system. Li et al. [26] proposed the privacy-awarepolicy for resource distribution by solving an optimizationproblem. Nekouei et al. [27] designed a novel estimator whichguarantees the local parameter’s privacy. Jia et al. [28] studied

a closed-loop predictive control system. Tanaka et al. [6]considered a cloud-based LQG control system.

Another framework worth attention is the homomorphicencryption. In the previous two frameworks, privacy is pre-served by adding noise. Homomorphic encryption provides anentirely different methodology. It finds proper encryption oper-ators or algorithms, which guarantees the homomorphic naturebetween the data before and after the encryption operation.Farokhi et al. [29], [30] and Tran et al. [31] considered suchproblems. Ni et al. [32] proposed a novel privacy scheme fordistributed estimation based on the technique of homomorphicencryption.

Moreover, several significant studies are not included inthe previous frameworks, such as [33], [34], in which novelschemes of privacy preservation for initial values in consensussystems were proposed.

B. The Study of This Paper

In this paper, we consider the privacy preservation problemin a user-server system. Specifically, we study a cooperativeLQG control system, in which the state process of the systemis owned by the user, the computation function belongs to theserver, and the user employs the server to compute the optimalLQG control inputs for it.

To enable the server’s computation, the user provides nec-essary information about the states to the server. However, theuser takes its state trajectory as private information, and doesnot want the server to seize the correct knowledge of it. Itdemands a localized privacy scheme, which is not open to theserver, such that it manages to send revised data to the serverinstead of the original ones, while the server is unaware of thesituation. Consequently, since the server’s knowledge is gainedbased on the received data, its knowledge of the user’s stateis deviated and hence is incorrect. In this paper, we considerthe design and analysis of this type of privacy schemes.

This study has not been fully covered by existing literatureyet. Firstly, in substantial existing studies, the proposed privacyschemes are designed at the server (or the party equivalent tothe server), not the user [19], [22], or the server knows theexistence of the user’s local privacy scheme and is providedthe associated parameters as well [6], [35]. In both cases,the server is able to seize the correct, or not accurate butcorrect, information about the user’s privacy. Secondly, mostexisting studies investigated open-loop systems without feed-back, while few investigated the closed-loop dynamic controlsystem, as the analysis becomes difficult when a privacyscheme is added in the closed-loop dynamic system. The fewstudies on closed-loop dynamic system [6], [28], [35], [36]either rely on strong assumptions or system scale limitationand have no general results, or propose privacy schemes alsoopen to the server.

The novelty and main contributions of this paper are sum-marized as follows.

1) We study the privacy preservation problem in a basiccooperative networked control system, the user-serversystem, which specifically works for the closed-loopLQG control. We propose a novel local design of privacy

3

preservation scheme for the user, which makes theserver’s knowledge of the privacy information deviatefrom the true one.

2) We propose a novel privacy metric for the proposedprivacy methodology, which is meanwhile simple andcompatible with the existing study of networked controlsystems.

3) We analyze the privacy quality (Theorem 1) and theLQG control performance (Theorem 3), and study thetrade-off problems between them (Problem 1).

The remainder of the paper is organized as follows. SectionII proposes the study framework of the local design for privacypreservation in the considered system. Section III presentsthe main results. Section IV considers the privacy schemeswhich achieves privacy demand while has no loss in serviceperformance. Section V presents simulation examples. At last,Section VI discusses the possible future work directions andSection VII makes the conclusion of this study.

Notations: Z+ is the set of non-negative integers and k ∈ Z+

is the time index. R is the set of real numbers. Rn is then-dimensional Euclidean space. Sn+ (and Sn++) is the set ofn by n positive semi-definite matrices (and positive definitematrices); when X ∈ Sn+ (and Sn++), it is written as X ≥ 0(and X > 0). X ≥ Y if X −Y ∈ Sn+. E(·) is the expectationof a random variable and E(·|·) is the conditional expectation.tr(·) is the trace of a matrix. For a matrix X , N (X) is thekernel space of X .

II. FRAMEWORK OF THE PRIVACY PRESERVATION BYLOCAL DESIGN

In this section, we propose the framework of privacy preser-vation by local design in a user-server system for the task ofcooperative LQG control. In the remainder of this section,we present the setup of the ordinary cooperative system, themethodology of the proposed localized privacy preservation,and feasible problems to study.

A. Ordinary Cooperative System

The ordinary user-server system for cooperative LQG con-trol is illustrated in Fig. 2. The user owns a state process tocontrol, the server owns computation capability, and the useremploys the server to compute the optimal LQG control inputsfor it.

Fig. 2. Ordinary cooperative LQG control system with imperfect stateinformation.

The user has the following dynamic process to control:

xk+1 = Axk +Buk + wk, (1)

where xk ∈ Rn is the state of the process, uk ∈ Rm isthe control input, and wk is the Gaussian white noise withdistribution N (0, Q). The initial condition of the state isassumed as that x0 is Gaussian with N (x̄0,Σ0). The timehorizon of the process is assumed to be a finite T . (A,B) isassumed to be controllable.

The user has no direct access to the value of the state xk,and instead, it owns a sensor measuring the state as follows:

yk = Cxk + vk, (2)

where yk ∈ Rm is the measurement of xk taken by the sensorand vk is the white Gaussian noise corrupting the measurementwith distribution N (0, R) (R > 0). The noise {wk}, the noise{vk}, and the initial state x0 are mutually independent of eachother. We also assume that (A,

√Q) is stabilizable and (C,A)

is detectable.The user demands the optimal LQG control for its state

process. The considered finite-time quadratic objective for theLQG control is denoted as O0:T and is defined as

O0:T , E[ T−1∑k=0

(x′kWxk + u′kUuk) + x′TWxT

], (3)

where W and U are weight matrices satisfying W ≥ 0 andU > 0, and the expectation is taken with respect to all possiblerandomness.

In this cooperative system, the server computes the optimalLQG control inputs for the user. Since the process states areunavailable, the server has to also estimate the states beforecomputing the control inputs. That is to say, the server servesas the estimator and the controller in the control loop (Fig. 2).

To enable the server’s computation, before the process, theuser shares the following system parameters with the server:• A,B,W,U (for LQG control);• C,Q,R (for state estimation);• time horizon T ;• initial condition N (x̄0,Σ0).

When the process begins, the user is also supposed to provideyk to the server at each time k.

This is the classic problem of LQG control with imperfectstate information. The server works as follows. Firstly, beforethe process, it does the following computation in favor of theoptimal LQG control:

ST = W, (4)Sk = A′Sk+1A+W

−A′Sk+1B(B′Sk+1B + U)−1B′Sk+1A, (5)Lk = −(B′Sk+1B + U)−1B′Sk+1A. (6)

Secondly, it estimates the user’s state xk. When the processbegins, at each time k, the user sends yk to the server. LetYk , {y1, y2, ..., yk}. Then the server computes the a prioriand a posteriori estimates x̂k|k−1 and x̂k|k defined as follows:

x̂k|k−1 , E[xk|Yk−1],

x̂k|k , E[xk|Yk].

4

Meanwhile, let Pk|k−1 and Pk|k be the estimation error covari-ance matrices associated with x̂k|k−1 and x̂k|k, respectively:

Pk|k−1 , E[(xk − x̂k|k−1)(xk − x̂k|k−1)′|Yk−1],

Pk|k , E[(xk − x̂k|k)(xk − x̂k|k)′|Yk].

The calculation of the state estimation is standard: by Kalmanfiltering. Given the initial value x̂0|0 = x̄0 and P0|0 = Σ0, theserver does the following computation:

x̂k|k−1 = Ax̂k−1|k−1 +Buk−1, (7)Pk|k−1 = APk−1|k−1A

′ +Q, (8)

Kk = Pk|k−1C′(CPk|k−1C

′ +R)−1, (9)x̂k|k = x̂k|k−1 +Kk(yk − Cx̂k|k−1), (10)Pk|k = (I −KkC)Pk|k−1. (11)

Thirdly, the server computes the optimal control input:

u?k = Lkx̂k|k,

and returns u?k to the user’s actuator.Then we evaluate the performance of the optimal LQG

control. The optimal objective value, denoted as O?0:T , is givenas follows [37]:

O?0:T = E(x′0S0x0) +

T−1∑k=0

tr(Sk+1Q) +

T−1∑k=0

tr(ΦkPk), (12)

where

Φk = A′Sk+1B(B′Sk+1B + U)−1B′Sk+1A.

B. Local Design of Privacy Preservation

Fig. 3. Local privacy processor is used.

In the ordinary cooperative system, the estimates of theuser’s states trajectory {xk}Tk=0 are transparent to the server.However, the user takes its states trajectory as privacy. It wantsto conceal the true values of state estimates and let the serverhave incorrect state estimates, which are deviated from the trueones. Hence, it decides to employ a local privacy scheme, notopen to the server, to achieve the desired privacy preservation.

In this paper, as a start, we consider the simplest designof the privacy scheme for the user: just adding a module ofprivacy processor to process the data to be sent to the server(Fig. 3). At each time k, the user generates a signal zk, whichwe let be a function of yk:

zk = f(yk),

and sends it instead of yk to the server. The function f(·)could generally depend on Yk and u0, u1, ..., uk−1:

zk = f(Yk, u0, u1, ..., uk−1).

Remark 1: In existing related studies [6], [35], the privacyscheme is also located at the user side, but the existence of theprivacy scheme is known by the server and the parameters arealso shared with the server. Although the server cannot haveaccess to the accurate state values because of the privacyscheme, it is still able to obtain correct estimation based onthe shared knowledge of the privacy scheme.

C. Privacy Metric

Since the server is unaware that the user is using a localprivacy scheme, it will take zk as the user’s measurement yk.Then the signal zk will create deviations in the server’s stateestimates, as the user demands.

To analyze the quality of privacy preservation in this sce-nario, we clarify the following notations.• The true estimate of xk and the associated error covari-

ance under the privacy scheme are still denoted by x̂k|kand Pk|k.

• The public estimate of xk and the error covariance, i.e.,the ones the user let the server know, are denoted asx̂pubk|k and P pubk|k (the upper script stands for “public”). Thisestimate is not true but deviates from the true x̂k|k.

Since the server is planned to compute the state estimates andthe associated error covariance by eqn. (7)-(11), the publicestimate and error covariance evolve accordingly:

x̂pubk|k−1 = Ax̂pubk−1|k−1 +Buk−1, (13)

P pubk|k−1 = AP pubk−1|k−1A′ +Q, (14)

Kpubk = P pubk|k−1C

′(CP pubk|k−1C′ +R)−1, (15)

x̂pubk|k = x̂pubk|k−1 +Kpubk (zk − Cx̂pubk|k−1), (16)

P pubk|k = (I −Kpubk C)P pubk|k−1, (17)

where x̂pubk|k−1, P pubk|k−1, and Kpubk are the public versions of

corresponding variables.Then we propose the privacy metric to measure the quality

of privacy preservation, the deviation covariance at time k, as

Qkprivacy , E[(x̂pubk|k − x̂k|k)(x̂pubk|k − x̂k|k)′|Yk

], (18)

and the average deviation covariance over the process as

Qprivacy ,1

T

T−1∑k=0

Qkprivacy. (19)

They indicate the deviation of the knowledge of the estimatesgained by the server from the true one.

Remark 2: The proposed metric has a form similar to theerror covariance associated with an estimate. Actually, theprivacy problem considered in this paper can be seen as an“anti-estimation” problem. Hence, this metric is proper toindicate the privacy level for this type of problems.

Meanwhile, compared with the existing privacy metrics, theproposed one has its advantages. It works for a system with

5

only one single user, while differential privacy can be onlyused in centralized systems with multiple users. Compared withinformation entropy, the proposed metric works for the stateestimate rather than a probability distribution, and is morecompatible with the common notions in the study of networkedcontrol systems.

D. Problems to Study

Based on the proposed method of privacy preservation, weconsider to work on the following problems.

1) The analysis of the quality of privacy preservationQprivacy.

2) The privacy scheme makes the user also suffer relativeloss in service quality, the LQG control performance,denoted by QLQG. We also analyze this loss.

3) The trade-off between the privacy preservation and LQGcontrol performances:

max tr(Qprivacy)

s.t. QLQG ≤ α,

where α > 0 represents a given performance level.

III. SCHEME DESIGN AND PERFORMANCE ANALYSIS

A. Privacy Scheme

The function to process yk at the privacy processor could bevarious. In this paper, we consider one of the simplest: noiseinjection. We add to yk a noise signal δk, say,

zk = yk + δk. (20)

The noise δk is assumed to be i.i.d. and to have the Gaussiandistribution N (0,Σδ).

Remark 3: Although the scheme of noise injection is fre-quently seen in the studies of privacy preservation, when usedin this proposed framework, the analysis turns out to be moredifficult because of the method of local design together with thesystem’s closed-loop. By the local design, the injected noisecreates a deviation in the server’s knowledge, and will furthercreate a deviation in the control input from the original one.The effect of the input deviation will accumulate through theclosed-loop as time evolves (presented in Subsection III-C).This feature enhances the difficulty of analysis.

B. Privacy Performance

We have the following result.Theorem 1: It holds that

x̂pubk|k −x̂k|k = (I−KkC)A(x̂pubk−1|k−1−x̂k−1|k−1)+Kkδk (21)

and

Qkprivacy = (I−KkC)AQk−1privacyA

′(I−KkC)′+KkΣδK′k, (22)

where Kk is the Kalman gain defined in eqn. (9). The recursionstarts with x̂pub0|0 − x̂0|0 = 0 and Q0

privacy = 0.Proof: In appendix.

We can see that the privacy quality Qkprivacy is determinedby Σδ . Moreover, we find that a lower bound of Qkprivacyexists.

Theorem 2: A matrix sequence {Mk}, Mk ∈ Sn+, satisfiesthat M0 = 0, M1 = Q1

privacy, and when k ≥ 2,

M−k = AMk−1A′, (23)

Mk = M−k −M−k C′(CM−k C

′ + Σδ)−1CM−k . (24)

Then

Qkprivacy ≥Mk, ∀k.

Proof: Firstly, we have Q0privacy = M0 and Q1

privacy =M1. Since M1 6= 0, the sequence {Mk} will not be all 0.Assume that Qk−1

privacy ≥Mk−1 holds. Consider the operator

φ(X,Γ ) , (I − ΓC)X(I − ΓC)′ + ΓΣδΓ′.

Then Qkprivacy = φ(AQk−1privacyA

′,Kk). Let

ΓMk = M−k C′(CM−k C

′ + Σδ)−1,

we have Mk = φ(M−k−1,ΓMk ). Furthermore, it is straightfor-

ward to verify that

ΓMk = argminΓ

φ(M−k−1,Γ ).

Since Qk−1privacy ≥ Mk−1, we have AQk−1

privacyA′ ≥ M−k−1.

Notice that φ(X,Γ ) is linear in X . Then we have

φ(AQk−1privacyA

′,Kk) ≥ φ(M−k−1,Kk) ≥ φ(M−k−1,ΓMk ),

which is Qkprivacy ≥Mk.

From the proof of Theorem 1, we also find that Kpubk = Kk

and P pubk|k = Pk|k. Hence, P pubk|k is not the real error covarianceassociated with x̂pubk|k . We denote the real error covarianceassociated with x̂pubk|k as P pub.realk|k .

Lemma 1: It holds that

P pub.realk|k = Pk|k +Qkprivacy.

Proof: We have

P pub.realk|k

= E[(xk − x̂pubk|k )(xk − x̂pubk|k )′|Yk

]= E

[(xk−x̂k|k+x̂k|k−x̂pubk|k )(xk−x̂k|k+x̂k|k−x̂pubk|k )′|Yk

]= Pk|k +Qkprivacy + E

[(xk − x̂k|k)(x̂k|k − x̂pubk|k )′|Yk

]+E

[(x̂k|k − x̂pubk|k )(xk − x̂k|k)′|Yk

].

Notice that x̂k|k is the linear combination of Yk, x̂pubk|k is thelinear combination of Yk and {δ1, ..., δk}, and xk − x̂k|k isindependent of Yk and {δ1, ..., δk}. Then the two expectationterms in the last equality equals 0.

Remark 4: The local design scheme misleads the server’sknowledge so that x̂pubk|k is deviated from the true one x̂k|k.From another perspective, the deviation is equivalent to thatthe server’s seized estimate x̂pubk|k is correct but has a largererror covariance P pub.realk|k , which is unknown to the server.

6

Remark 5 (A Doubtful Server): In our paper, the serverentirely trusts the data provided by the user and has nodata analysis mechanism. If the server is “doubtful” and hasan additional detector to analyze the received measurementsequence zk, it will find that the covariance of zk is not asit supposed to be the one in the provided parameters. Theworst case is that the server successfully recovers Σδ , thecovariance of the injected noise, and it also makes the correctguess that it is due to noise injection in the measurementsequence (notice that even the server finds the mismatch ofthe measurement covariance, there are still many possibilitieshow the user makes the situation). Then the server couldadjust the knowledge of the measurement noise covarianceR by Rsvr = R + Σδ , and develop its own filtering processto estimate state xk:

x̂svrk|k−1 = Ax̂svrk−1|k−1 +Buk−1,

P svrk|k−1 = AP svrk−1|k−1A′ +Q,

Ksvrk = P svrk|k−1C

′(CP svrk|k−1C′ +Rsvr)−1,

x̂svrk|k = x̂svrk|k−1 +Ksvrk (zk − Cx̂svrk|k−1),

P svrk|k = (I −Ksvrk C)P svrk|k−1,

where the superscript “svr” represents the corresponding vari-ables are the server’s local version. This case is equivalent tothat the user shares its privacy parameters to the server, as inmany previous studies [6], [35]. Nevertheless, the knowledgeof the server is still corrupted by the noise and hence the userstill preserves certain level of privacy.

Remark 6: A feasible analysis on the state trajectory whichcan be done by the server is to smooth past estimates afterthe process ends: the server could compute x̂pubk|T , where T isthe time horizon of the process. Two problems can be visited:1) what is smoothed result x̂pubk|T like and how it is affected bythe future information where noise injection also exists, 2) thecomparison of x̂pubk|T with both x̂k|k and x̂k|T , respectively.

C. LQG Control Performance

The server computes the control law based on the knowl-edge of the user’s state estimate. Under the privacy scheme,the server computes the control input as

uk = Lkx̂pubk|k . (25)

Define

d̂k , x̂pubk|k − x̂k|k.

Hence, the true dynamics now is as follows:

xk+1 = Axk +Buk + wk,

uk = Lk(x̂k|k + d̂k).(26)

In eqn. (26), we can see the caused effect by the privacyscheme. The injected noise also creates a deviation in thecontrol input which will accumulate through the closed-loop,and hence makes the system performance not straightforwardto analyze. The control law set {uk} is non-optimal now;therefore, the resulting state trajectory {xk} is also non-optimal. Assume that the noise sequence {wk} and {vk} isgiven. Let the state trajectory under the optimal control law

{u?k} be {x?k} and its estimate be {x̂?k|k} in the system withoutprivacy scheme. We can see that {uk}, {xk} and {x̂k|k} areall deviated from {u?k}, {x?k} and {x̂?k|k}, respectively, andhence the LQG objective is also affected.

Then we consider the sacrifice in the LQG performancecaused by the privacy scheme. Without misunderstanding,we still use the notation O0:T to denote the objective underthe privacy scheme, which also includes the effect of theuncertainty of δk now. Define the metric of the quality loss inLQG control performance as

QLQG ,1

T(O0:T −O?0:T ). (27)

Theorem 3: Under the privacy scheme, it holds that

O0:T = E(x′0S0x0) +

T−1∑k=0

tr(Sk+1Q) +

T−1∑k=0

tr(ΦkPk)

+

T−1∑k=0

tr(ΦkQkprivacy

),

where

Φk = A′Sk+1B(B′Sk+1B + U)−1B′Sk+1A.

Proof: In appendix.We find that an additional item in the objective value is

produced by the privacy scheme. Hence, the performance lossof the LQG control caused by the privacy scheme is given as

QLQG =1

T

T−1∑k=0

tr(ΦkQkprivacy

). (28)

D. Optimization Problem

After the previous analysis, we can see that the privacypreservation is gained at the price of the LQG control perfor-mance. To study the trade-off, we propose the following op-timization problem: to maximize the privacy metric Qprivacywhen the loss of LQG control performance QLQG is requiredto be under a given level α. This problem is formulated asfollows.

Problem 1:

maxΣδ,Qkprivacy

tr(Qprivacy)

s.t. QLQG ≤ α,Qkprivacy = (I−KkC)AQk−1

privacyA′(I−KkC)′

+KkΣδK′k,

k = 1, 2, ..., T.

We find this problem is a linear programming one and canbe solved efficiently by numerical methods.

E. Infinite-Time Horizon

Particularly, we consider the case of infinite-time horizon.When the time horizon T approaches infinity, according to theproperty of Kalman filtering, Kk reaches a steady value:

K = limk→∞

Kk.

7

Then when k →∞, eqn. (22) becomes

limk→∞Qkprivacy=(I−KC)A lim

k→∞Qk−1privacyA

′(I−KC)′+KΣδK′.

Consider the Lyapunov equation

X = (I −KC)AXA′(I −KC)′ +KΣδK′. (29)

Since K is the Kalman gain, (I−KC)A is stable [38]. Hence,the existence of the unique solution to (29) is guaranteed. Thenthe steady state lim

k→∞Qkprivacy exists. We have the average

deviation covariance in this infinite-time case as follows:

Qprivacy = limT→∞

1

T

T−1∑k=0

Qkprivacy.

Then we find that

Qprivacy = limk→∞

Qkprivacy,

i.e., Qprivacy coincides with the steady state of Qkprivacy. Thenwe have

Qprivacy = (I−KC)AQprivacyA′(I−KC)′+KΣδK′. (30)

We also present the lower bound of Qprivacy in this case.Corollary 1: Let M and M− be the solutions to

M− = AMA′,

M = M− −M−C ′(CM−C ′ + Σδ)−1CM−.

Then

Qprivacy ≥M.

Proof: We can find M = limk→∞

Mk, where Mk is defined

in Theorem 2. Since Qkprivacy ≥ Mk for all k, then we havethe result.

Meanwhile, when T → ∞, according to the LQG controltheory, the matrix Sk defined in eqn. (5) converges to a steadystate and becomes time-invariant. We define

S = limT→∞

Sk.

Then S satisfies

S = A′SA+W −A′SB(U +B′SB)−1B′SA. (31)

Meanwhile, the associated LQG gain Lk also becomes time-invariant.

In the infinite-time case, the formulations is reduced accord-ingly. The loss of LQG performance is simplified as follows:

QLQG = limT→∞

1

T

T−1∑k=0

tr(ΦkQkprivacy

)= tr(ΦQprivacy),

where Φ = limk→∞

Φk = A′SB(U +B′SB)−1B′SA. SinceQLQG is finite, the stability of the system dynamics is guar-anteed.

Then we have the following optimization problem:

Problem 2:

maxΣδ,Qprivacy

tr(Qprivacy)

s.t. tr(ΦQprivacy) ≤ α,Qprivacy = (I−KC)AQprivacyA′(I−KC)′

+KΣδK′.

Lemma 2: In the scalar system, the solution to Problem 2is given by

Σ?δ =α

ΦK2

[1−A2(1−KC)2

]and

Q?privacy =α

Φ.

Proof: The result is solved by direct calculation.

IV. PERFECT PRIVACY PRESERVATION WITHOUTPERFORMANCE LOSS

To the user, the best situation is that the server has deviatedknowledge of the states while the user is still able to obtainoptimal control inputs. We provide simple results on thisdirection in this section.

A. System with Perfect State Information

We first consider a simple scenario. Assume that the user isable to directly have the value of xk and the does not need thesensor. This is a simplified version of the scenario we considerin this paper. Then the privacy scheme becomes

zk = xk + δk. (32)

In this case, the server will take zk as the user’s state xk. Wedenote the trajectory the server sees as {xpubk }. According tothe privacy scheme, xpubk is identical to zk:

xpubk = xk + δk. (33)

Similarly, the server computes the control input according to

uk = Lkxpubk . (34)

Denote the LQG objective in this scenario as I0:T and theoptimal objective as I?0:T .

Usually, the added noise δk in the transmitted signal alsocauses a corresponding additional deviation in the generatedcontrol input from the optimal one. However, this added δkdoes not always cause a deviation in the control input. As oneexample, if δk lies in N (Lk), the kernel space of Lk, i.e.,Lkδk = 0, we have

uk = Lkxpubk = Lk(xk + δk) = Lkxk,

i.e., the resulted uk is the optimal control input for the currentstate xk. We follow this idea and obtain the following result.

Theorem 4: Given an arbitrary time k, for the variable δkin eqn. (33), if

1) δk ∈ N (A) when A is not of full rank,2) or Sk+1Aδk ∈ N (B′),

it holds that uk = Lkxk, which is the optimal control input attime k. If for each time k, within 1) and 2), there always exists

8

one condition which is satisfied, then uk = u?k and xk = x?kfor all k. Moreover, I0:T = I?0:T .

Proof: Notice that Lk = −(B′Sk+1B + U)−1B′Sk+1Aand B′Sk+1B + U has full rank. Either condition 1) or 2)leads to that Lkδk = 0.

In this methodology, the variable δk is unnecessary to berandom. This methodology may create arbitrary deviation inthe server’s knowledge of xk while still maintaining optimalcontrol performance.

However, the problem is, this methodology needs the userto do complex computation before the process. Usually, thereason for a user to employ a server is that it lacks necessarycomputation capability. But maybe the user could employanother server to compute this particular set of δk for it.

B. System with Imperfect State Information

In this scenario, which is mainly studied in this paper, itbecomes more difficult to find the perfect preservation schemethan in the previous scenario. We present a result for thesystem with the matrix A without full rank.

Theorem 5: If A is not of full rank, for all time k, if thevariable δk in eqn. (20) satisfies that Kkδk 6= 0 and AKkδk =0, then uk = u?k, x̂k|k = x̂?k|k, and x̂pubk|k 6= x̂k|k for all k.Moreover, O0:T = O?0:T .

Proof:We have x̂pub0|0 = x̂0|0 = x̂?0|0 initially. Then

u0 = L0x̂pub0|0 = L0x̂

?0|0 = u?0.

Then we have

x̂pub1|0 = Ax̂pub0|0 +Bu0 = Ax̂?0|0 +Bu?0 = x̂?1|0.

It is simple to find x̂1|1 = x̂?1|1. Moreover, since K1δ1 6= 0,

x̂pub1|1 = x̂pub1|0 +Kpub1 (z1−Cx̂pub1|0 )

= x̂?1|0+K1(y1 + δ1−Cx̂?1|0)

6= x̂?1|0+K1(y1−Cx̂?1|0) = x̂?1|1 = x̂1|1.

Consider k = 2, we have

u1 = L1x̂pub1|1 = L1

[x̂?1|0+K1(z1−Cx̂?1|0)

]= L1

[x̂?1|0+K1(y1−Cx̂?1|0)

]+ L1K1δ1

= L1x̂?1|1 + L1K1δ1.

Since L1K1δ1 = −(B′S2B + U)−1B′S2AK1δ1 andAK1δ1 = 0, we have L1K1δ1 = 0. Then it holds that

u1 = L1x̂?1|1 = u?1.

Further we have

x̂pub2|1 = Ax̂pub1|1 +Bu1 = A[x̂?1|0+K1(z1−Cx̂?1|0)

]+Bu?1

= A[x̂?1|0+K1(y1−Cx̂?1|0)

]+AK1δ1 +Bu?1

= Ax̂?1|1 +Bu?1 = x̂?2|1.

We extend the derivation to general k and obtain uk = u?k,x̂k|k = x̂?k|k, and x̂pubk|k 6= x̂k|k for all k. We also see thatx̂pubk|k−1 = x̂k|k−1 = x̂?k|k−1.

V. EXAMPLES

In this section, we provide two examples to demonstrate theperformance of the privacy schemes.

Example 1: We consider a higher-order cooperative systemwith infinite-time horizon, whose parameters are given asfollows:

A =

0.19 0.86 0.100.31 0.80 0.440.13 0.43 0.40

, B =

2.0 0.99.1 2.01.3 8.1

,C =

[2.0 1.6 1.22.0 2.0 1.1

], Q =

1.9 0.9 0.40.9 2.8 2.00.4 2.0 2.4

,R =

[7.0 1.81.8 0.8

], W =

1.8 2.0 0.52.0 9.8 0.90.5 0.9 5.4

,U =

[4.5 1.01.0 8.8

].

Given a level α of the LQG control performance QLQG, theoptimal privacy performance Qprivacy is determined by solv-ing Problem 2. We denote the optimal Qprivacy as Q?privacy.We plot the traces of Q?privacy when α varies from 0 to 50with step length of 1, which is presented in Fig. 4.

0 5 10 15 20 25 30 35 40 45 500

50

100

150

200

250

300

350

400

450

500

α

tr(Q

? privacy)

Fig. 4. The plot of tr(Q?privacy) when α varies from 0 to 50.

We find the curve is a straight line. Although we cannotexplicitly obtain the property of the curve in a higher-ordersystem, it is proved in the case of scalar system, which isshown in Lemma 2.

Furthermore, given a particular value of Σδ , we plot the trueestimates x̂k|k and the public estimates x̂pubk|k . Let Σδ = 100I .The plots are presented in Fig. 5. In the plots, we find thatx̂pubk|k is deviated from x̂k|k.

Moreover, we plot the traces of several covariances inFig. 6: the deviation covariance Qkprivacy, its lower boundMk, the true estimation error covariance Pk|k, and the realerror covariance P pub.realk|k associated with x̂pubk|k . Notice thatthe curve of Pk|k does not coincide with the one of Mk.Meanwhile, we can find that Mk is only a loose bound ofQkprivacy.

Example 2: Consider the heating, ventilation, and air con-ditioning (HVAC) system of a building, which is rented andoccupied by a number of user companies and organizations.The building’s department of daily maintenance has an intel-ligent operation center to work for the HVAC control of the

9

0 20 40 60 80 100 120−15

−10

−5

0

5

10

15

k

estim

ates

x̂k|k (1)

x̂pub

k|k (1)

Fig. 5. The plot of the first component of x̂k|k and x̂pubk|k . The presented

time horizon is 100.

0 20 40 60 80 100 1200

5

10

15

20

25

30

35

40

k

trac

es o

f cov

aria

nces

tr(Qprivacy)

tr(Mk)

tr(Ppub.real

k|k )

tr(Pk|k)

Fig. 6. The plot of the traces of Qkprivacy , Mk , Pk|k , and P pub.real

k|k . Thepresented time horizon is 100.

whole building. Each company could submit its requirementson environment conditions to the operation center, and thenthe center helps adjust the conditions for it. However, as weknow, the environment data, such as the temperature, is relatedto the number of occupancy individuals, and this data can beused to further deduce the position trajectory of individuals inthe building, which causes leakage of privacy [28].

Suppose one of the companies, named Company C.Y., isalso under the service. This company wants to preserve itsprivacy when asking the operation center to do environmentcondition control, by a local privacy scheme proposed in thispaper. For simplicity of presentation, we focus on the controlof temperature. In the office of Company C.Y., the temperatureevolves according to eqn. (1), where each sampling time hasa distance of 30 minutes, and the state xk is the differencebetween the real temperature Tk at time k and the set value ofdemand: xk = Tk−23 (unit: degree Celsius). The temperaturesensor works according to eqn. (2). According to this paper,the company needs to revise the measurement data of thetemperature sensor to the center. If the company is unableto get access to the digital signal, an easy method is to put aheating/cooling equipment around the sensor to locally changethe environment. Assume the revision function follows eqn.(20).

The company requires an LQG control of the temperature,and the parameters of the system are given as follows: A =1.1, B = 3, C = 1, Q = 2.5, R = 1, W = 5, U = 3.

Consider that the company chooses a particular value of Σδ .Let Σδ = 1. Then we plot for it the true estimates x̂k|k and thepublic estimates x̂pubk|k within 24 hours. The plots are presentedin Fig. 7. In the plots, we find that x̂pubk|k is deviated from x̂k|k.The estimated temperature floats by around 2 degrees, whichis acceptable for people (who care about their privacy). Onecan further tune the parameters to optimize the result.

0 5 10 15 20 25 30 35 40 45 50−5

−4

−3

−2

−1

0

1

2

3

4

5

k

tem

pera

ture

offs

et fr

om 2

3 de

gree

Cel

sius

x̂k|k

x̂pubk|k

Fig. 7. The plot of x̂k|k and x̂pubk|k . The presented time horizon is 49.

VI. FUTURE WORK

Possible future work may be considered from the followingdirections.

System structures. In this paper we considered a simple co-operative networked control system. In most current literature,the considered systems also have simple structures, such as thecentralized ones. General systems in practical world shouldhave various and more complex structure, such as multipleparticipating parties and more complex topologies.

The function to process the original data. In this paper,we only considered adding a zero-mean white Gaussian noiseto the original measurement. More advanced forms of noiseand more general functions could be further investigated.

An extra processor at user’s receiving side. In this paperwe only have one processor (before sending data to the server),aiming at using the simplest equipment to preserve privacy.An extra processor at the receiving side can help process thecontrol input back from the server, and can be expected tofurther improve the scheme performance. The cooperation ofthe two processors may work like an encoder and a decoder.

Co-design with the data transmission. We may callit strategic communication. For example, the user claims asampling frequency which doubles the real one. At the oddtime instance, the user sends the real value and take theresulting control input; at the even time instance, the usersends interrupting signals and throws the resulting control law(by the the decoding processor). By doing this, the publicinformation is quite different from the true one.

The information to protect. Most of the literature, includ-ing our study, only considered certain signals as privacy. Alarger range of concerns also could be privacy, such as thesystem parameters, the system structure, or even the goal ofthe user. The ideal relationship between the user and servermay be just the server give the user what it claims wanted.

10

A doubtful server. The possibility that the user has a localprivacy scheme may motivate the curious server to employ adetection module to check the user’s shared data. Then theuser should consider the design of the privacy scheme underthat situation.

The trouble of the server. As a result of the user’s localprivacy scheme, the server cannot collect correct information,which will hurt its statistical consensus. Better designs bene-fiting both parties could be considered.

VII. CONCLUSION

In this paper, we propose the methodology of local designfor privacy preservation for the user in a cooperative LQGcontrol system. We propose the localized privacy scheme andthe corresponding privacy metric. Then we analyze the perfor-mance of the privacy preservation under the privacy schemeand analyze the service loss in LQG control performance. Atlast, we propose and solve optimization problems based on thetrade-off between the privacy quality and service loss.

APPENDIX

A. Proof of Theorem 1

We consider the recursion of the estimates. When k = 0,we have

x̂pub0|0 = x̂0|0 = x̄0,

P pub0|0 = P0|0 = Σ0.

When k = 1, the system dynamic is as follows:

x1 = Ax0 +Bu0 + w0,

u0 = L0x̂pub0|0 ,

y1 = Cx1 + v1.

The true estimate evolves as follows:

x̂1|0 = Ax̂0|0 +Bu0,

P1|0 = AP0|0A′ +Q,

K1 = P1|0C′(CP1|0C

′ +R)−1,

x̂1|1 = x̂1|0 +K1(y1 − Cx̂1|0),

P1|1 = (I −K1C)P1|0.

At the server side, the public estimate evolves as follows:

x̂pub1|0 = Ax̂pub0|0 +Bu0,

P pub1|0 = AP pub0|0 A′ +Q,

Kpub1 = P pub1|0 C

′(CP pub1|0 C′ +R)−1,

x̂pub1|1 = x̂pub1|0 +Kpub1 (z1 − Cx̂pub1|0 ),

P pub1|1 = (I −Kpub1 C)P pub1|0 .

Meanwhile, we can find that

x̂pub1|1 6= x̂1|1,

Kpub1 = K1,

P pub1|1 = P1|1.

For general k, the system dynamic is

xk = Axk−1 +Buk−1 + wk−1,

uk−1 = Lk−1x̂pubk−1|k−1,

yk = Cxk + vk.

The true estimate evolves according to eqn. (7)-(11) and thepublic estimate evolves according to eqn. (13)-(17). From therecursion, we can find that

x̂pubk|k 6= x̂k|k,

Kpubk = Kk,

P pubk|k = Pk|k.

Then we compare x̂pubk|k and x̂k|k. We have

x̂pubk|k = x̂pubk|k−1 +Kpubk (zk − Cx̂pubk|k−1)

= (I −Kpubk C)x̂pubk|k−1 +Kpub

k zk,

x̂k|k = x̂k|k−1 +Kk(yk − Cx̂k|k−1)

= (I −KkC)x̂k|k−1 +Kkyk.

Since Kpubk = Kk,

x̂pubk|k − x̂k|k = (I −KkC)(x̂pubk|k−1 − x̂k|k−1) +Kk(zk − yk)

= (I −KkC)(x̂pubk|k−1 − x̂k|k−1) +Kkδk.

Since

x̂pubk|k−1 = Ax̂pubk−1|k−1 +Buk−1,

x̂k|k−1 = Ax̂k−1|k−1 +Buk−1,

then

x̂pubk|k−1 − x̂k|k−1 = A(x̂pubk−1|k−1 − x̂k−1|k−1).

Hence we have

x̂pubk|k − x̂k|k = (I −KkC)A(x̂pubk−1|k−1 − x̂k−1|k−1) +Kkδk

and

Qkprivacy = (I −KkC)AQk−1privacyA

′(I −KkC)′ +KkΣδK′k.

Since x̂pub0|0 = x̂0|0, Qkprivacy is initialized by Q0privacy = 0. �

B. Proof of Theorem 3

In this scenario, the states are unaccessible. When we calcu-late the LQG objective O0:T from backward, the expectationshould condition on the information set defined as follows:

Ik = {y1, y2, ..., yk, u0, u1, ..., uk−1}. (35)

Define

Hk = x′kWxk + u′kUuk, k = 0, 1, ..., T − 1, (36)HT = x′TWxT . (37)

Then we define

Ok:T = E( T−1∑i=k

Hi

∣∣∣ Ik),

11

where the expectation is taken with respect to all possibleuncertainties, i.e.,• xk,• wk, wk+1, ..., wT−1 and vk+1, vk+2, ..., vT ,• δk, δk+1, ..., δT−1.

Notice that Ok:T is a function of Ik, i.e., Ok:T (Ik). We have

Ok:T = E(x′kWxk + u′kUuk +Ok+1:T | Ik)

= Eδk

[E

xk,wk,vk+1

(x′kWxk+u′kUuk+Ok+1:T |Ik, δk)∣∣∣Ik].

We calculate the objective in a backward manner. First wehave

OT :T = E(x′TWxT | IT ).

Then

OT−1:T = E(HT−1 +OT :T | IT−1)

= EδT−1

[E

xT−1,wT−1,vT(x′T−1WxT−1 + u′T−1UuT−1

+x′TWxT | IT−1, δT−1)∣∣ IT−1

].

To simplify the formulation, define

JT−1:T = ExT−1,wT−1,vT

(x′T−1WxT−1 + u′T−1UuT−1

+x′TWxT | IT−1, δT−1).

Then

OT−1:T = EδT−1

(JT−1:T | IT−1).

Since IT−1 and δT−1 are conditioned on, the control inputuT−1, which is determined by IT−1 and δT−1, is hence fixed.By straightforward calculation, we have

JT−1:T

= E(x′T−1WxT−1 | IT−1, δT−1) + u′T−1UuT−1

+E[(AxT−1 +BuT−1 + wT−1)′W

· (AxT−1 +BuT−1 + wT−1) | IT−1, δT−1

]= E

[x′T−1(W +A′WA)xT−1 | IT−1, δT−1

]+u′T−1(U +B′WB)uT−1 + 2x̂′T−1|T−1A

′WBuT−1

+tr(WQ)

= E[x′T−1(W +A′WA)xT−1 | IT−1, δT−1

]+[uT−1+(U+B′WB)−1B′WAx̂T−1|T−1

]′(U+B′WB)

·[uT−1+(U+B′WB)−1B′WAx̂T−1|T−1

]−x̂′T−1|T−1A

′WB(U+B′WB)−1B′WAx̂T−1|T−1+tr(WQ)

= E{x′T−1

[W+A′WA−A′WB(U+B′WB)−1B′WA

]xT−1

| IT−1, δT−1

}+ tr

[A′WB(U+B′WB)−1B′WAPT−1|T−1

]+tr(WQ)

+[uT−1+(U+B′WB)−1B′WAx̂T−1|T−1

]′(U +B′WB)

·[uT−1+(U+B′WB)−1B′WAx̂T−1|T−1

].

According to eqn. (4-6) and

uT−1 = LT−1(x̂T−1|T−1 + d̂T−1),

we have

JT−1:T = E(x′T−1ST−1xT−1 | IT−1, δT−1) + tr(STQ)

+tr[A′WB(U +B′WB)−1B′WAPT−1|T−1

]+d̂′T−1L

′T−1(U +B′STB)LT−1d̂T−1.

Back to OT−1:T , we have

OT−1:T = EδT−1

(JT−1:T | IT−1

)= E(x′T−1ST−1xT−1 | IT−1) + tr(STQ)

+tr[A′WB(U +B′WB)−1B′WAPT−1|T−1

]+E

[d̂′T−1L

′T−1(U +B′STB)LT−1d̂T−1 | IT−1

]= E(x′T−1ST−1xT−1 | IT−1) + tr(STQ)

+tr[A′WB(U +B′WB)−1B′WAPT−1|T−1

]+tr[L′T−1(U +B′STB)LT−1E(d̂T−1d̂

′T−1 | IT−1)

]= E(x′T−1ST−1xT−1 | IT−1) + tr(STQ)

+tr[A′WB(U +B′WB)−1B′WAPT−1|T−1

]+tr[L′T−1(U +B′STB)LT−1QT−1

privacy

].

Let

rT = 0,

rT−1 = rT + tr(STQ),

tT = 0,

tT−1 = tT + tr[A′WB(U +B′WB)−1B′WAPT−1|T−1

],

φT = 0,

φT−1 = φT + tr[L′T−1(U +B′STB)LT−1QT−1

privacy

].

Then we have

OT−1:T = E(x′T−1ST−1xT−1| IT−1) + rT−1 + tT−1 + φT−1.

Assume that Ok+1:T = E(x′k+1Sk+1xk+1 | Ik+1) + rk+1 +tk+1 + φk+1. Then

Ok:T = E(Hk +Ok+1:T | Ik)

= Eδk

[E

xk,wk,vk+1

(x′kWxk + u′kUuk + x′k+1Sk+1xk+1

+ rk+1 + tk+1 + φk+1 | Ik, δk)∣∣ Ik].

Define

Jk:T = Exk,wk,vk+1

(x′kWxk + u′kUuk + x′k+1Sk+1xk+1

+ rk+1 + tk+1 + φk+1 | Ik, δk).

Then

Ok:T = Eδk

(Jk:T | Ik

).

Similarly as the preceding calculation of JT−1:T , we have

Jk:T

= E[x′k(W+A′Sk+1A

−A′Sk+1B(U+B′Sk+1B)−1B′Sk+1A)xk | Ik, δk]

+tr[A′WB(U +B′WB)−1B′WAPk|k

]+[uk+(U+B′Sk+1B)−1B′Sk+1Ax̂k|k

]′(U+B′Sk+1B)

·[uk+(U+B′Sk+1B)−1B′Sk+1Ax̂k|k

]+tr(Sk+1Q) + rk+1 + tk+1 + φk+1.

12

Similarly, according to the definition of Sk and Lk, and define

rk = rk+1 + tr(Sk+1Q),

tk = tT + tr[A′Sk+1B(U +B′Sk+1B)−1B′Sk+1APk|k

],

we have

Jk:T = E(x′kSkxk | Ik, δk) + rk + tk + φk+1

+(uk − Lkxk)′(U +B′Sk+1B)(uk − Lkxk).

Since

uk = Lk(x̂k|k + d̂k),

we have

Jk:T = E(x′kSkxk | Ik, δk) + rk + tk + φk+1

+d̂′kL′k(U +B′Sk+1B)Lkd̂k.

Back to Ok:T , we have

Ok:T = E(x′kSkxk | Ik) + rk + tk + φk+1

+tr[L′k(U +B′Sk+1B)LkQkprivacy

].

Let

φk = φk+1 + tr[L′k(U +B′Sk+1B)LkQkprivacy

],

then

Ok:T = E(x′kSkxk | Ik) + rk + tk + φk.

Hence, ultimately we have

O0:T = E(x′0S0x0) + r0 + t0 + φ0

= E(x′0S0x0) +

T−1∑k=0

tr(Sk+1Q) +

T−1∑k=0

tr(ΦkPk)

+

T−1∑k=0

tr[L′k(U +B′Sk+1B)LkQkprivacy

]= E(x′0S0x0) +

T−1∑k=0

tr(Sk+1Q) +

T−1∑k=0

tr(ΦkPk)

+

T−1∑k=0

tr(ΦkQkprivacy

).

�

ACKNOWLEDGEMENT

The work by Chao Yang is supported by Natural ScienceFoundation of Shanghai (19ZR1413500). The work by WenYang is supported by National Natural Science Foundationof China (61973123), Shanghai Natural Science Foundation(18ZR1409700), and National Key R&D Program of China(2018YFB0104400).

REFERENCES

[1] J. P. Hespanha, P. Naghshtabrizi, and Y. Xu, “A survey of recent resultsin networked control systems,” Proceedings of IEEE, vol. 95, no. 1, pp.138–162, 2007.

[2] Amazon Web Service, https://aws.amazon.com/.[3] Microsoft Azure, https://azure.microsoft.com/.[4] Google Cloud, https://cloud.google.com/.[5] Alibaba Cloud, https://www.alibabacloud.com/.[6] T. Tanaka, M. Skoglund, H. Sandberg, and K. H. Johansson, “Directed

information and privacy loss in cloud-based control,” in Proceedings ofthe 2017 American Control Conference (ACC), Seattle, USA, May 2017,pp. 1666–1672.

[7] C. Wang, K. Ren, and J. Wang, “Secure and practical outsourcing oflinear programming in cloud computing,” in 2011 Proceedings IeeeInfocom. IEEE, 2011, pp. 820–828.

[8] Z. Xiao and Y. Xiao, “Security and privacy in cloud computing,” IEEEcommunications surveys & tutorials, vol. 15, no. 2, pp. 843–859, 2012.

[9] K. Ren, C. Wang, and Q. Wang, “Security challenges for the publiccloud,” IEEE Internet computing, vol. 16, no. 1, pp. 69–73, 2012.

[10] C.-Z. Bai, F. Pasqualetti, and V. Gupta, “Security in stochastic controlsystems: Fundamental limitations and performance bounds,” in 2015American Control Conference (ACC). IEEE, 2015, pp. 195–200.

[11] B. Tang, L. D. Alvergue, and G. Gu, “Secure networked control systemsagainst replay attacks without injecting authentication noise,” in 2015American Control Conference (ACC). IEEE, 2015, pp. 6028–6033.

[12] H. Zhang, Y. Shu, P. Cheng, and J. Chen, “Privacy and performancetrade-off in cyber-physical systems,” IEEE Network, vol. 30, no. 2, pp.62–66, 2016.

[13] G. K. Agarwal, M. Karmoose, S. Diggavi, C. Fragouli, and P. Tabuada,“Distorting an adversary’s view in cyber-physical systems,” in 2018IEEE Conference on Decision and Control (CDC). IEEE, 2018, pp.1476–1481.

[14] C. Dwork, “Differential privacy,” in Proceedings of the 33rd Interna-tional Colloquium on Automata, Languages and Programming (ICALP),Part II, Venice, Italy, July 2006, pp. 1–12.

[15] ——, “Differential privacy: A survey of results,” in Proceedings of the5th International Conference on Theory and Applications of Models ofComputation (TAMC), Xi’an, China, April 2008, pp. 1–19.

[16] Z. Huang, S. Mitra, and G. Dullerud, “Differentially private iterativesynchronous consensus,” in Proceedings of the 2012 ACM Workshopon Privacy in the Electronic Society, Raleigh, USA, October 2012, pp.81–90.

[17] J. He, L. Cai, and X. Guan, “Preserving data-privacy with addednoises: Optimal estimation and privacy analysis,” IEEE Transactionson Information Theory, vol. 64, no. 8, pp. 5677–5690, 2018.

[18] J. Le Ny and G. J. Pappas, “Differentially private filtering,” IEEETransactions on Automatic Control, vol. 59, no. 2, pp. 341–354, 2014.

[19] J. Le Ny and M. Mohammady, “Differentially private MIMO filteringfor event streams,” IEEE Transactions on Automatic Control, vol. 64,no. 1, pp. 145–157, 2018.

[20] F. Koufogiannis and G. J. Pappas, “Differential privacy for dynamicalsensitive data,” in 2017 IEEE 56th Annual Conference on Decision andControl (CDC). IEEE, 2017, pp. 1118–1125.

[21] M. Ye and A. Barg, “Optimal schemes for discrete distribution estima-tion under locally differential privacy,” IEEE Transactions on Informa-tion Theory, vol. 64, no. 8, pp. 5662–5676, 2018.

[22] S. Han, U. Topcu, and G. J. Pappas, “Differentially private distributedconstrained optimization,” IEEE Transactions on Automatic Control,vol. 62, no. 1, pp. 50–64, 2017.

[23] M. T. Hale and M. Egerstedt, “Cloud-enabled differentially private multi-agent optimization with constraints,” IEEE Transactions on Control ofNetwork Systems, vol. 5, no. 4, pp. 1693 – 1706, December 2018.

[24] E. Nekouei, T. Tanaka, M. Skoglund, and K. H. Johansson, “Information-theoretic approaches to privacy in estimation and control,” AnnualReviews in Control, vol. 47, 2019.

[25] E. Nekouei, M. Skoglund, and K. H. Johansson, “Privacy of informationsharing schemes in a cloud-based multi-sensor estimation problem,” inProceedings of the 2018 American Control Conference (ACC), Milwau-kee, USA, June 2018, pp. 998–1002.

[26] S. Li, A. Khisti, and A. Mahajan, “Information-theoretic privacy forsmart metering systems with a rechargeable battery,” IEEE Transactionson Information Theory, vol. 64, no. 5, pp. 3679–3695, 2018.

[27] E. Nekouei, H. Sandberg, M. Skoglund, and K. H. Johansson, “Privacy-aware minimum error probability estimation: An entropy constrainedapproach,” arXiv:1808.02271v1, 2018.

13

[28] R. Jia, R. Dong, S. S. Sastry, and C. J. Sapnos, “Privacy-enhancedarchitecture for occupancy-based HVAC control,” in 2017 ACM/IEEE8th International Conference on Cyber-Physical Systems (ICCPS), 2017,pp. 177–186.

[29] F. Farokhi, I. Shames, and N. Batterham, “Secure and private cloud-based control using semi-homomorphic encryption,” in Proceedingsof the 6th IFAC Workshop on Distributed Estimation and Control inNetworked Systems, Tokyo, Japan, September 2016, pp. 163–168.

[30] F. Farokhi, Privacy in Dynamical Systems. Springer, 2020.[31] J. Tran, F. Farokhi, M. Cantoni, and I. Shames, “Implementing homo-

morphic encryption based secure feedback control,” Control EngineeringPractice, https://doi.org/10.1016/j.conengprac.2020.104350, 2020.

[32] Y. Ni, J. Wu, and L. Li, “Multi-party dynamic state estimation thatpreserves data and model privacy,” IEEE Transactions on InformationForensics and Security, vol. 16, pp. 2288–2299, 2021.

[33] Y. Mo and R. M. Murray, “Privacy preserving average consensus,” inProceedings of the 53rd IEEE Conference on Decision and Control, LosAngeles, USA, December 2014, pp. 2154–2159.

[34] Y. Mo and R. M. Murray, “Privacy preserving average consensus,” IEEETransactions on Automatic Control, vol. 62, no. 2, pp. 753–765, 2017.

[35] M. Hale, A. Jones, and K. Leahy, “Privacy in feedback: The differentiallyprivate LQG,” in Proceedings of the 2018 American Control Conference(ACC), Milwaukee, USA, June 2018, pp. 3386–3391.

[36] A. B. Alexandru and G. J. Pappas, “Encrypted lqg using labeledhomomorphic encryption,” in Proceedings of the 10th ACM/IEEE in-ternational conference on cyber-physical systems, 2019, pp. 129–140.

[37] D. P. Bertsekas, Dynamic Programming and Optimal Control, VolumeI, Third Edition. Athena Scientific, 2005.

[38] B. Anderson and J. B. Moore, Optimal filtering. Prentice Hall, 1979.