Homomorphic Encryption of Supervisory Control Systems Using Automata

Cyber-physical systems have been highly integrated into many contemporary infrastructures. As this integration deepens, the importance of protecting these systems from unauthorized access and data corruption increases. Nowadays, cyber-physical systems are not well protected against network attacks. One solution is to improve the security of a system by encrypting the transmitted data. In this paper, we consider the encryption of supervisors of discrete event systems modeled with deterministic finite-state automata. We propose an encryption framework of supervisory control systems based on the matrix notation of automata. The purpose of using matrix notation is to make it suitable for homomorphic encryption schemes over integers, which are emerging in the cryptography area. We calculate the entropy of the matrix notation and find that as the size of a system increases, it gets smaller and approaches zero. Owing to the low entropy of the matrix notation, we propose an algorithm to enhance its entropy. By applying the entropy-enhancing process, the distribution characteristics of entries in matrices or vectors can be hidden to avoid a brute force attack. Correspondingly, we propose an entropy restoration algorithm to ensure that the control action can be transmitted correctly.


I. INTRODUCTION
Cyber-physical systems (CPSs) are the integrations of computation, communication, control, and physical processes [1]. They realize the interaction of information flows between the physical world and the cyber-world. Today, individuals, society, industry, and every aspect of economic activities are highly dependent on this network system technology. Examples of CPSs include various complex human-made systems such as smart grids, robotics systems, oil and gas distribution systems, factory automation, and autonomous vehicle systems [2]- [5].
The associate editor coordinating the review of this manuscript and approving it for publication was Zhiwu Li . Intuitively, physical systems are considered to be able to effectively resist various attacks due to their closure and preset security mechanisms, thereby ensuring the security of CPSs. However, recent security incidents such as ''Hide and Seek IoT Botnet'' [6] and DTrack [7] have shown that, because of the interaction between physical and information systems through the network, cyber-attacks can directly affect the security of a CPS. The spread of data has become a fundamental feature of complex systems [8]. Notably, during the evolution of the traditional physical systems to CPSs, the operating environment of a system changes from being closed and isolated to open and interconnected. Therefore, in recent years, the security of CPSs has become a very fertile field of research [9]. VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ From an engineering perspective, it is significant to model a CPS for design and development. First, in the day-to-day life of our technological and increasingly computer-dependent world, many processes are discontinuous. Secondly, in a typical CPS, embedded computers and networks usually monitor and control the physical processes through feedback loops where physical processes affect computations and vice versa [10]. Based on the above considerations, in this paper, we model a CPS as the supervisory control problem for discrete event systems. A discrete event system is a dynamic system whose state space is discrete and possibly infinite, and its dynamics is event-driven, not time-driven [11]. Supervisory control theory is designed for closed-loop control systems of discrete event systems and related security [12]. Fig. 1 depicts a typical supervisory control system. According to the severity and involvement of cyber attacks, attacks can be divided into active and passive ones [13]. Passive attacks are those in which an attacker intercepts information flows between two parties to steal information stored in a system by eavesdropping or similar means. Opacity is an information flow property that characterizes the inability for an external intruder to know whether the given ''secret'' behavior happens in a system [14], [15]. However, almost all studies on opacity are based on data transmitted in plaintext data. A more general and straightforward way to hide information is to encrypt the transmitted data.
In the research of data encryption, a traditional method is mainly communication data encryption, that is, the data transmitted through the communication channel is encrypted and protected, thus significantly enhancing the security of the communication channel data.
However, the encryption of data by the conventional method is limited to the communication channel. Other data in the system, especially the critical data in the supervisor, is in a situation of lack of protection, which can bring serious security risks to the entire system.
When an attacker steals the plaintext data in a supervisor, he/she can use the data to break the cyber-physical system. First, the attacker can directly use essential data such as process signals and control policy to infer the current state of the plant. Second, the attacker can provide attack preparations for the implementation of subsequent covert attacks based on critical data in the supervisor, and then cause serious attack damage [16].
Given the shortcomings of communication encryption methods, in recent years, some researchers have proposed a new way to simultaneously encrypt the communication channel and the data in the supervisor, that is, the ''encrypted supervisor'' [17]- [21].
Better than communication encryption, the new method no longer needs to decrypt the input of the supervisor. It directly calculates the encrypted output from the encrypted input and control policy, thereby ensuring the security of the communication channel and the data in the supervisor. Even if the attacker successfully steals the data in the supervisor, because the data is encrypted and protected, as long as the data cannot be decrypted correctly, it is difficult to pose a threat and damage to the cyber-physical system. Specifically, the new encryption method is realized by using a homomorphic encryption scheme.
The notion of homomorphic encryption was first proposed by Rivest et al. in 1978 [22]. It is a form of encryption that allows computations on the ciphertext to produce an encrypted result that, after decryption, matches the result of the operation as if the operation is performed on the plaintext. Therefore, data can be kept confidential during processing, enabling data residing in untrusted environments to perform useful tasks.
After the first fully homomorphic encryption scheme is proposed [43], the research on homomorphic encryption schemes develops in a spurt. Due to the excellent property of homomorphic encryption schemes, they are widely used in many systems such as cloud systems [23], [24]. The first attempt to apply the homomorphic encryption scheme for a supervisor is in [17].
In [17], the authors encrypt a linear controller by using multiplicative homomorphic encryption schemes. Since the encryption schemes adopted do not apply to the addition operation in the controller, they extract part of the process of the controller to the outside, which reduces the coupling of the whole system. To overcome this difficulty, the study in [18] uses fully homomorphic encryption schemes to encrypt the controller.
In the majority of these works, a system to be considered is modeled as a continuous-variable dynamic system. The study in [21] is the first work to introduce homomorphic encryption schemes into controlled discrete event systems. In [21], the authors consider the design of a supervisor encryption scheme developed for networked control systems, where the supervisor is modeled as a signal interpreted Petri net [25]. However, the encryption scheme in [21] is symmetric, which means that although there is no decryption process inside the supervisor, secret keys need to be saved for the supervisor encryption.
Compared with the signal interpreted Petri nets, general Petri nets [26]- [36] and automata [37]- [39] are tools that are more basic and extensively applied for modeling and analysis. When using signal interpreted Petri nets to model a system, transitions are associated with a firing condition given as input signals, and places to specify output signals, which significantly affects its modeling power. Many researchers have used automata as models to study the network security of CPSs [39]. In this paper, we employ finite-state automata to model a system. To reduce the insecurity caused by the private key storage of a supervisor, we propose to use public-key homomorphic encryption schemes in the framework. The main contributions of this paper are stated as follows: • A supervisor encryption framework is developed for supervisory control systems, where the supervisor is modeled as an automaton.
• A matrix notation of automata is proposed, which makes it possible to introduce encryption schemes into the encryption framework.
• Two algorithms for enhancing and restoring the min-entropy of matrices or vectors in matrix notation are developed to increase the security of the overall framework. The remaining sections of this paper are organized as follows. Section II introduces the related preliminary concepts. Section III formally defines a novel matrix notation of automata. In Section IV, we calculate the entropy of the proposed matrix notations and propose two algorithms to increase and restore the entropy. Section V presents a supervisor encryption framework. Section VI selects an encryption scheme to illustrate the correctness of the framework. Finally, Section VII concludes the paper.

A. AUTOMATON MODEL
We consider plants modeled as deterministic finite-state automata. Such an automaton is denoted by G = (Q, E, f , q 1 ), where Q is the finite set of states, E is the finite set of events, f : Q × E → Q is the (potentially partial) transition function, and q 1 is the initial state. The state of an automaton at time epoch k + 1 is denoted by q(k + 1) and is uniquely determined by its state q(k) at the previous time epoch k and the event e(k) applied to the system at time epoch k, that is: The term ''time epoch k'' is used to indicate the moment when the state of the automaton changes.

B. SUPERVISORY CONTROL THEORY
Supervisory control theory is a technology for automatically synthesizing supervisors that restrict the behavior of a system to satisfy given specifications [40]. The supervisor observes some, probably all, events executed by the plant. Then, the supervisor tells the plant which events in the current active event set of the plant are allowed next. More precisely, the supervisor can disable some, but not necessarily all, available events of the plant. Whenever the supervisor observes the plant executing a new event, it can make the decision on which events to disable. If we use an automaton to represent the plant, then we can also use an automaton to describe the supervisor. We can use the parallel composition of automata as an algebraic means to capture the effects of a controlled closed-loop system [11].
Usually, due to the limited availability of sensors in real systems, only partial observations of states and events can be obtained directly [41]. However, this is an issue that should be considered when modeling a supervisor and is beyond the scope of the paper. Interested readers may refer to [11], [12], [31], [37].

C. HOMOMORPHIC ENCRYPTION
A homomorphic encryption scheme consists of the following four algorithms [42]: key generation, encryption, decryption, and evaluation. The key generation algorithm accepts a security parameter and outputs a public key pk and a secret key sk. The encryption algorithm accepts pk and a plaintext m, outputs the corresponding ciphertext c. The decryption algorithm takes sk and c, outputs the plaintext m. The evaluation algorithm accepts the public key pk, a function F and a set of ciphertexts c 1 , c 2 , . . . , c n , and outputs a ciphertext c F : The encryption scheme is correct for a function F if for any key-pair (pk, sk) generated by the key generation algorithm, any plaintexts m 1 , m 2 , . . . , m n and the corresponding ciphertexts c 1 , c 2 , . . . , c n , the ciphertext c F generated by the evaluation algorithm satisfies the following equation: that is, the result calculated on the ciphertext after decryption is equal to the result calculated on the plaintext. In the rest of the paper, we use Enc(·) and Dec(·) that do not specify the key used to denote encryption and decryption algorithms, respectively.
According to the scope of the function F supported on the ciphertext, homomorphic encryption schemes can be divided into partially homomorphic encryption schemes and fully homomorphic encryption schemes. If F can be an arbitrary function, the homomorphic encryption scheme is a fully homomorphic encryption scheme; otherwise, it is a partially homomorphic encryption scheme. Gentry [43] proposes the first fully homomorphic encryption scheme, but it cannot be put into practical application due to low calculation efficiency.
The functions F supported by current mainstream homomorphic encryption schemes include addition or multiplication or both.

D. PUBLIC-KEY CRYPTOGRAPHY
Generally, there are mainly two cryptography categories: private-and public-key cryptography. In the setting of private-key encryption, two parties share a secret key and use this key when they want to communicate secretly. However, in contrast to private-key techniques, public-key cryptography enables parties to communicate privately without having agreed on any secret information in advance.
In a public-key setting, a party who wishes to communicate securely generates a pair of keys: a public key that is widely disseminated, and a private key that is kept secret [44]. Having generated these keys, a party can use them to ensure secrecy for messages that it receives using a public-key encryption scheme, or integrity for messages that it sends using a digital signature scheme [45]- [47].
The most apparent difference between private-and public-key encryption is that the former assumes complete secrecy of all cryptographic keys, whereas the latter requires secrecy for only the private key [44]. In other words, when we apply a public-key encryption scheme, as long as the private key is safe, the encrypted data can be trusted.

E. MIN-ENTROPY
Min-entropy is a measure of the difficulty for an attacker to guess the most likely secret in a system. In [48], the minentropy of an independent discrete random variable X that takes values from the set If X has min-entropy H , then the probability of observing any particular value of X is no greater than 2 −H . The maximum possible value of the min-entropy of a random variable with P different values is log 2 P, which is obtained when the random variable has a uniform probability distribution.
The lower the min-entropy of a random variable is, the more heterogeneous its distribution is. A low min-entropy indicates that there must be a subset of variables with a higher probability, and this subset can help an attacker to perform a group representation attack [49]. Therefore, high entropy is a necessary condition for security.

III. A NOVEL MATRIX NOTATION OF AUTOMATA
In [50], the authors propose a transition matrix notation of automata. They use different binary transition matrices to represent different events such that the structure of automata can be derived from the transition matrices. Here we propose a novel matrix notation of automata, using vectors to denote events, thereby separating the structure of automata from the mathematical representation of events.
Given Without causing ambiguity, we denote the i-th entry of the indicator vector q(k)(e(k)) as q(k) i (e(k) i ).
As shown in Eq. (1), the next state of an automaton is determined by the current state and the event that has occurred. Now we have vectors representing the current state and event, and only two vectors cannot describe this fact. In order to establish the relationship between the event vector and the state vector, and to achieve the purpose of characterizing the evolution of the automaton, we define an operation named Events Trigger to describe the automaton at state q(k) and time epoch k and the event e(k) that has occurred.

Definition 3 (Events Trigger):
If event e(k) happens and the current state is q(k), we represent this situation by constructing a new vector as follows. Specifically, we multiply e(k), which is a vector, by every entry of q(k), which is a scalar, to obtain new vectors, and then arrange these new vectors to form a new vector qe(k): . . .
Note that qe(k) is a vector of size M × 1 composed of vectors of size N × 1. According to the definition of q(k), there is only one entry with value ''1'' in q(k), so qe(k) is a vector of zero vectors except for a single nonzero entry with value e(k) at the j-th position if the automaton is at state q j and time epoch k, and e(k) has occurred. Since qe(k) is a vector in which each entry is a vector, it is not convenient for the computer to store and calculate. Therefore, we develop a process to solve this problem.
For convenience, we denote the i-th row of the matrix S as row i (S), the j-th column of the matrix S as col j (S), and the elements of the matrix S in the i-th row and j-th column as S i,j . for i = 1 to |col 1 (vM )| do 15: for j = 1 to |row 1 (vM )| do 16: for k = 1 to |vM i,j | do 17: ADD vM i,j k to row i (vM s ) 18 ♦ In the same way, we can find qe s (k) = ES(qe(k)) as a vector of size MN × 1.
We know that any automaton can be shown graphically by a state transition diagram where the states are represented by the vertices and each edge represents the event that causes the state transition. In other words, the states of an automaton are all connected by events. Thus, we can represent the structure of an automaton by recording events between each state.
To represent this kind of connection, we use a binary indicator vector of size 1 × N and denote it as e ij (i, j ∈ M ). If there are several events e k 1 , e k 2 , · · · , e k m from state q i to q j , then e ij is a vector of zeros except nonzero entries with value ''1'' at the k t -th position (t ∈ {1, · · · , m}). We call it the connection vector between states.
Then, we construct a structural matrix S of size M × M to denote the automaton's structure. Each entry at the (j-th, i-th) position of the structural matrix is the connection vector e ij , denoting events from q i to q j . For the sake of calculation, we apply Algorithm 1 to S to obtain a new structural matrix S s of size M × MN . Thus, every N column represents all connection relationships between different states.
With the above notations, we have Theorem 1: Eq. (8) accurately describes the transition function of an automaton, that is, Eq. (8) is the equivalent representation of Eq. (1) in the matrix notation of automaton.
Proof: We consider an automaton with M states and N events, and assume that at time epoch k, the automaton is at state q i , and event e t occurs. The next state of the automaton becomes q j . As expressed in Eq. (1), it is: Now we represent q i and e t with the binary indicator vectors mentioned earlier, and then we need to verify that after the operation of Eq. (8), the resulting vector is a representation of q j . By definition, we have: As shown in Eq. (11), in the structural matrix of the automaton, we only indicate the t-th entry of the (j-th, i-th) connection vector since the other entries do not affect the calculation of Eq. (8). After the operation Events Trigger, we have: . . .
Note that S is an M ×M matrix, where each entry is a 1×N vector; qe(k) is an M × 1 vector, where each entry is an N × 1 VOLUME 8, 2020 vector. According to the definition of matrix multiplication, we can multiply S and qe(k) and obtain the following result: which is a state vector that represents q j and conforms to Eq. (9). The Entry Scalarization process on S and qe(k) is only for the convenience of computer processing and simplified display, and will not affect the calculation results.
Example 2: Consider the automaton in Fig. 3. It has three states and four events, therefore we can define the following structural matrix: For ease of understanding, we write every four column in a group. For example, the first four columns of S s indicate that there is only one event e 1 from q 1 to q 2 , and there is no transition to q 3 or self-loop to q 1 . Assume that at the time epoch k, the state of the automaton is q 2 , and event e 3 occurs. Then we have: ♦ In this paper, we model the supervisor as an automaton, and the control action is reflected from the active event set of the current state of the supervisor. Thus we need to obtain the active event set from the structural matrix and the current state vector, which can be achieved by Algorithm 2.
In Algorithm 2, Esize in Line 2 represents the number of events in an automaton, which is equivalent to Esize = MN M = N . Lines 3-7 determine the current state of the automaton from the state vector. The current state of the automaton is q currentLo . Lines 9-17 determine the current active event set. Every of Esize columns in S s corresponds to the related column of the connection vector in S. The time complexity of Algorithm 2 is O(MN ), where M is the number of states of an automaton and N is the number of events.

Algorithm 2 Active Event Set Generator
Input: q(k), the current state vector; S s , the structural matrix of the automaton Output: AEset, the active event set of the current state 1: AEset ← ∅ 2: Esize ← |row 1 (S s )| / |q(k)| 3: for i = 1 to |q(k)| do 4: if q(k) i = 1 then 5: currentLo ← i 6: end if 7: end for 8: J ← Esize × (currentLo − 1) + 1 9: for j = J to (J + Esize − 1) do 10: for k = 1 to |col 1 (S s )| do 11: if S s k,j == 1 then 12: if e j−J +1 not in AEset then 13: ADD e j−J +1 to AEset 14: end if 15: end if 16: end for 17: end for 18: return AEset Example 3: Consider the automaton in Fig. 2, and its structural matrix is shown in Eq. (14). Assume that the current state vector is q(k) = [0, 1, 0] T . By running Algorithm 2, we can first obtain the number of events of the automaton from Line 2, i.e., Esize = 4. Then from Lines 3-7, we can determine the current state as q 2 , and finally we can find that the current active event set is {e 2 , e 3 } through Lines 9-17. Obviously, the running result of Algorithm 2 is in line with the facts. ♦

IV. EVALUATION AND IMPROVEMENT OF MATRIX NOTATION
Before applying the encryption algorithm, we need to calculate the entropy of the matrix notation of an automaton. If the entropy of this notation is low, it needs to be improved accordingly, since in practice, low-entropy data can be easily cracked by brute force.

A. MIN-ENTROPY OF ONE ENCRYPTION
In the above matrix notation, all entries of a matrix or vector are binary, i.e., 0 and 1. Even if they are evenly distributed, i.e., their probability is 0.5 in the plaintext space, according to Eq. (6), we can find that the min-entropy of the plaintext is only one, which is far lower than the requirements for practical applications. Here we give more accurate calculations and find that the facts are worse than what we expect. From Section III, we can quickly know that to represent the structure of an automaton, in the matrix notation, the number of entries ''0'' is much larger than that of entries ''1''. Now we consider the worst case, that is, increase the number of entries ''0'' as much as possible, for the reason that the higher the probability of the most probable element in the plaintext space is, the lower the min-entropy of the plaintext space is.
If we put all the entries of the structural matrix, the state vector, and the event vector together as the plaintext data, the min-entropy of the plaintext is −log 2 . It is not difficult to find that as N increases, the min-entropy of the plaintext approaches to 0.

B. WAYS TO INCREASE AND RESTORE THE ENTROPY
If the entropy of the plaintext is too low, we use either an encryption scheme for low-entropy data or perform an entropy increase operation before encryption, without affecting the correctness of the decryption.
Before proposing a method to increase entropy, we analyze the operation process of the matrix notation first. By analyzing Eq. (8), the core equation representing the state transition of the automaton, we find that the right side of the equation includes two operations and one process: Event Trigger, Entry Scalarization, and matrix multiplication.
Here we call the operation between entries a meta-operation and analyze the types of meta-operations. Consider the Event Trigger first. Since both the state vector and event vector have only one entry ''1'', there is only one ''1 × 1'' meta-operation in the entire operation, and the other operations are ''0 × 0'' meta-operations or ''0 × 1'' meta-operations. The Entry Scalarization process does not increase the type of metaoperations. Matrix multiplication adds two kinds ''0 + 0'' and ''0 + 1'' meta-operations. Through the above analysis, we know that there are five kinds of meta-operations in the entire calculation process: which is similar to odd and even operations: even + even = even, even + odd = odd, even × even = even, even × odd = even, odd ×odd = odd. Therefore, we can increase the entropy of the matrix notation by using random large odd numbers to represent entries ''1'' and random large even numbers to represent entries ''0''. The following two algorithms are used to increase entropy and recover entropy, respectively. Here we use s ← $ S to denote a value s chosen uniformly and randomly from the discrete set S.
Here, ρ is a security parameter, which is the degree of security that we want to achieve. We can see that after Algorithm 3 is adopted, all entries in the matrix or vector are evenly distributed in 2 ρ numbers, and their entropy is ρ. In practice, with ρ ≥ 32, we can provide sufficient entropy Algorithm 3 Entropy-Enhancing Process Input: weakEntry, ρ Output: strongEntry 1: if weakEntry = 0 then 2: strongEntry ← $ [1, 2 ρ+1 ] and strongEntry is even 3: else 4: strongEntry ← $ [1, 2 ρ+1 ] and strongEntry is odd 5: end if 6: return strongEntry for the desired security, since breaking the system would require more than a billion of guesses [24].
Although Algorithm 3 enhances entries ''0'' and ''1'' to big random numbers, the parity of the enhanced entries unchanged, thereby Algorithm 4 only needs to perform inverse deduction based on the parity of the enhanced data.

Algorithm 4 Entropy Restoration Process
Input: strongEntry Output: weakEntry 1: if strongEntry is even then 2: weakEntry ← 0 3: else 4: weakEntry ← 1 5: end if 6: return weakEntry Remark 1: Note that in Algorithm 3, we set the upper limit of the random number interval to 2 ρ+1 instead of 2 ρ , since we specify its parity when randomly selecting entries, which means that they are randomly distributed over 2 ρ numbers instead of 2 ρ+1 numbers. As a qualified encryption algorithm does not preserve the parity of the plaintext, we do not have to worry about whether the above algorithms will bring insecurity.
It is not difficult to find that the time complexity of Algorithms 3 and 4 are both O(1). Since they are applied to each entry in the vector or matrix, when we enhance or restore the entropy of the state vector There are 36 entries in the original structural matrix, and the number of entries ''0'' is dominant. If we treat these 36 entries as a plaintext space, the probability of occurrence of ''0'' is 0.889. According to Eq. (6), the min-entropy of the original structural matrix is 0.169. VOLUME 8, 2020 After performing Algorithm 3 on the original structural matrix, we can see that all its entries are evenly distributed over the 2 7 different integers. That is, the probability of all entries occurring is 2 −7 , which means that the min-entropy of the new structural matrix is seven and is significantly improved relative to 0.169. ♦

V. SUPERVISOR ENCRYPTION FRAMEWORK
The basic idea of the Supervisor Encryption Framework is to use a public-key homomorphic encryption scheme such that there is no private key in the supervisor, which reduces the distribution of keys in the entire framework and enhances security. We add two interfaces to the original closed-loop system: an encryptor and a decryptor. As shown in Fig. 3, the encryptor is an interface between the sensor and the supervisor, and the decryptor is an interface between the supervisor and the actuator. The public key is stored in the encryptor and supervisor, which is used to encrypt the data obtained from the sensor and the structural matrix of the supervisor. The private key is stored in the decryptor, which is used to decrypt the control action obtained from the supervisor.

A. FEASIBILITY OF APPLYING HOMOMORPHIC ENCRYPTION SCHEME
In this paper, we consider the case where both the plant and the supervisor are modeled as automata. When we use an automaton to model the supervisor, we can use the set active events at the current supervisor's state as the control action, which can be obtained from Algorithm 2. Therefore, we can say that the current state of the supervisor represents the control action, and the state transition of the supervisor represents the control policy. In other words, when the supervisor is modeled as an automaton, we can use Eq. (1) to represent the supervisor. We use the symbol S A to represent the supervisor modeled as an automaton. Based on the above information, we can decide whether a supervisor can be homomorphically encrypted.

Definition 4 (Encrypted Supervisor):
Given a supervisor S A that satisfies Eq. (1) and a homomorphic encryption scheme {KGen, Enc, Dec, Eval}, if there exists a map f ε such that: f ε (Enc(q(k)), Enc(e(k))) = Enc(f (q(k), e(k))), (15) we say that the given S A can be homomorphically encrypted through a specified encryption scheme. We call f ε as an encrypted control policy. When we apply the matrix notation to S A , we can use a multiplicatively and additively homomorphic encryption scheme to achieve this goal. Here, we apply a scalar encryption scheme, that is, when we talk about encrypting a matrix or a vector, we encrypt each entry of them separately.
According to the nature of multiplicatively and additively homomorphic encryption schemes, we have where ⊕ and ⊗ are specific operations on the ciphertext space, and m 1 and m 2 are arbitrary plaintexts. We can think of them as multiplication and addition operations in the ciphertext space. By these two operations, we can sequentially define scalar-vector multiplication and matrix multiplication in the ciphertext space.

Definition 5 (Scalar-Vector Multiplication in the Ciphertext Space):
Given an encrypted scalar c and an encrypted vector vc, the product of c and vc is defined as an vector C with entries and we denote the scalar-vector multiplication on the ciphertext space as C = c ⊗ vc. Definition 6 (Matrix Multiplication in the Ciphertext Space): Given two encrypted matrices EA and EB, if the number of columns in EA, with entries ea ij , and the number of rows in EB, with entries eb ij , are equal, then the product of EA and EB is defined as a matrix EC with entries (18) where n is the number of columns in EA. To avoid confusion, we denote the matrix multiplication on the ciphertext space as EC = EA EB. Obviously where m is a scalar in the plaintext space, vm is a vector in the plaintext space, and A and B are two arbitrary matrices that satisfy matrix multiplication condition in the plaintext space. Theorem 1 makes sense since it highlights the equivalence of Eqs. (8) and (1). Therefore, we can use the matrix notation of an automaton to illustrate the feasibility of using a homomorphic encryption scheme to construct an encryption supervisor. We first establish two lemmas to illustrate the homomorphism of the operation Events Trigger and the Entry Scalarization process under homomorphic encryption scheme.
Lemma 1 The operation Events Trigger can maintain homomorphic properties under multiplicatively homomorphic encryption scheme. That is, there is a mapping f ET in the ciphertext space that makes the following equation true: f ET (Enc(q(k)), Enc(e(k))) = Enc(ET (q(k), e(k)). (20) Proof: To prove this lemma, we construct the f ET as: . . .

Enc(q(k)) M ⊗ Enc(e(k))
According to the property of multiplicatively homomorphic encryption schemes and Definition 5, we can readily deduce that Eq. (16) holds.
Lemma 2: The Entry Scalarization process can maintain homomorphic properties under homomorphic encryption scheme.
Proof: Since the plaintext data that we encrypt here is a single entry in matrices or vectors, and the Entry Scalarization process does not change the relative position between entries or the value of the entry, the operation does not affect the encryption result, which means that the following equation holds: where m is a matrix or vector. Theorem 2: In a discrete event system, any supervisor modeled as a finite-state automaton can be homomorphically encrypted by appropriately choosing an additively and multiplicatively homomorphic encryption scheme.
Proof: As shown in Section III, when a supervisor is modeled as a deterministic finite-state automaton, we can use the matrix notation to represent a supervisor. From Theorem 1, we can use Eq. (8) to characterize the operation of the supervisor.
In summary, the theorem is proved.

B. INFORMATION FLOW IN THE FRAMEWORK
The data circulating in the entire framework can be seen in Fig. 3. Due to the low entropy nature of the matrix notation, we need to increase the entropy before encrypting the plaintext data and restore it after decryption, as shown in Fig. 4. For brevity, we call it compound encryption and compound decryption operations. Here, we add a pair of brackets and a subscript e to the data to indicate that the data is entropyenhanced. For the sake of easy understanding, we divide the operation of the entire encryption framework into two stages: initialization and normal operation.
In the initialization stage, the supervisor formulates the corresponding control policy according to the structure of the plant and obtains the structural matrix S and the initial state vector q 1 . Then, we perform Entry Scalarization process and compound encryption operation on S to get Enc([S s ] e ); and perform compound encryption operation on q 1 to obtain Enc([q 1 ] e ). Finally, the supervisor sends Enc([S s ] e ) and Enc([q 1 ] e ) to the decryptor, and the decryptor can obtain the VOLUME 8, 2020 initial control action through decryption, entropy restoration, and Algorithm 2.
After entering the normal operation stage, the sensor monitors the corresponding data from the plant, which is e(k), and sends it to the encryptor. The encryptor performs the compound encryption operation on e(k) to obtain Enc([e(k)] e ), and sends it to the supervisor. Then the supervisor can obtain the encrypted next state Enc([q(k + 1)] e ) through Eq. (24). Finally, the supervisor sends Enc([S s ] e ) and Enc([q(k + 1)] e ) to the decryptor, and the decryptor can obtain the current control action through the same operation as in the initialization stage.
Remark 2: The underlying encryption framework proposed in this work is based on a fully homomorphic encryption scheme that can perform arbitrary operations on encrypted data. However, for higher efficiency, a somewhat homomorphic encryption scheme can also be used. Somewhat homomorphic encryption schemes are homomorphic encryption schemes that support addition and multiplication, but are limited to evaluating low-degree polynomials over encrypted data.
If we use a somewhat homomorphic encryption scheme, repeated operations on the ciphertext may increase the noise generated during the encryption process, resulting in decryption failure. To solve this problem, we can use the method in [21] to add an internal channel between the decryptor and the encryptor to prevent the increase of noise by refreshing the ciphertext of the state vector. As shown in Fig. 5, after one encryption iteration, the decryptor sends q(k + 1) to the encryptor. The encryptor updates q(k) to the data received from the decryptor, and encrypts it in the next round of encryption operation, and then sends it to the supervisor.

C. SECURITY ANALYSIS
The structural matrix S s and signals e(k) are processed within the supervisor to yield the control action, AEset. If someone performs unauthorized accesses to the supervisor, then S s and e(k) could be monitored and be used to infer the operating status of the plant. From an engineering perspective, it is essential to discuss protection methods that prevent malicious users from recording and stealing parameters and signals. In this framework, all the information appearing in the supervisor is encrypted, and the encrypted output is calculated directly from the encrypted input using the encrypted automata model without any decryption process inside. The final supervisor runs in an encrypted environment, which may help to enhance the network security of the cyber-physical system. This framework is used to resist passive attacks. It is assumed that an intruder has all the knowledge of the system but does not know the secret key. All data transmitted over the network is encrypted ciphertext. Even if the intruder obtains the public key, based on the nature of the public-key encryption scheme, the intruder still knows nothing about the data transmitted in the network. The security of the framework is based on the safety of the selected encryption scheme. As long as the selected scheme is not broken, the whole closed-loop system is secure.

VI. A PRACTICAL EXAMPLE
To illustrate the implementation of the supervisor encryption framework described in Section V, let us consider the material handling system shown in Fig. 6, which consists of two AGV (automated guided vehicles) that move on two different tracks. One AGV serves three stations (A, B, C); the other serves two stations (C and D). We assume that the initial and final position of the first AGV is in station A, and the initial and final position of the second AGV is in station D. We assume that event e 2 is uncontrollable. The desired behavior of the material handling system is that two AGVs should not be present at station C at the same time to avoid a collision. The plant model is shown in Fig. 7 and the corresponding supervisor model is shown in Fig. 8. State XX means that AGV 1 is in station X , and AGV 2 is in station X . (X ∈ {A, B, C, }, X ∈ {C, D}) A. SELECTED SCHEME-HE L First, we need to choose a suitable encryption algorithm. It should be noted that any multiplicatively and additively homomorphic encryption scheme over integers with public-keys can be used for this framework. Here we choose the HE L encryption scheme in [51]. Its security is ensured due to the hard problem of solving the two-element Partial  Approximate Greatest Common Divisor. It consists of the following four algorithms: • Key generation Choose two random odd integers P and R of size e and e , respectively. Choose two g -bit random integers Q 0 , Q 1 , i.e., Q i ← $ Z ∩ [0, 2 g /P), for i = 0, 1. Take a random integer R ← $ Z ∩ [2 r −1 , 2 r ). Compute X 0 = PQ 0 , X 1 = PQ 1 +RR . Output the secret key, SK = (P, R) and the public key, PK = (X 0 , X 1 ).
• Decryption We can obtain the plaintext from the ciphertext c and the equation m = (C mod P) mod R.
• Evaluation The addition and multiplication of two ciphertexts are given by Add(C, C ) = C + C (mod X 0 ) and Mult(C, C ) = CC (mod X 0 ). Assume that the size of the plaintext integer to be encrypted is p, which may be taken as O(n). The suggested theoretical parameter setting is: e = O(n 3 ), e = O(n 2 ), g = O(n 4 ), s = n, and r = n.

B. A LIGHTWEIGHT APPLICATION
To illustrate the proposed framework, we set the security parameters ρ here to be 2, then we have p = 4, n = 4, e = 64, e = 16, s = 4, r = 4, and g = 256.
We name states AD, BD, CD, AC as q 1 , q 2 , q 3 , q 4 , respectively. The structural matrix of the supervisor is: Following Algorithm 2, the active event set of q(k +1) is {e 4 }, that is, the control action after the supervisor observes e 5 is that e 4 is allowed to occur.

C. SIMULATION STUDY
Following the steps in Section V, we simulate the behavior of the material handling system under control with different security parameters to compare the performance and computation time to finish the whole encryption-decryption processes. The encryption shceme is HE L mentioned above, and parameters are set based on ρ: n = ρ + 2, e = n 3 , e = n 2 , g = n 4 , s = n, and r = n, where ρ is the min-entropy of the matrix notation after it is enhanced. The computation is done with Python programming language on macOS Catalina over a laptop with Intel(R) i7-8750H CPU at 2.20GHz and 16GB of RAM. Due to limited computing power, only four values of ρ are considered. Table 1 shows the time that is taken for the supervisor to run at different stages, and Table 2 shows the time that is taken for the encryptor and decryptor to run. Although the running time of the system is not ideal when ρ is large, this problem will be solved with the development of homomorphic encryption technology.

VII. CONCLUSION
In this paper, we propose a novel matrix notation of automata intended for use in the supervisor encryption framework. We verify the low entropy of this kind of notation and propose algorithms to increase and restore the entropy, respectively. The most significant feature of the proposed framework is the encryption of a supervisor and the signals in the network. Another feature is also essential, that is, the supervisor does not need to keep any private keys to calculate the control input, which means that the supervisor does not require a decryption process inside.
In the future, we are interested in finding new automaton conversion methods to facilitate integration with other encryption schemes. We are also interested in modeling such a system using Petri nets, time Petri nets [52]- [56], or statetree structures [57], [58]. Another interesting direction for future work is to study in more detail on the framework of the supervisor encryption. Besides, security and machine learning issues in heterogeneous networked systems are of much interest [59]- [65].
ZHENHUA YU received the B.S. and M.S. degrees from Xidian University, Xi'an, China, in 1999 and 2003, respectively, and the Ph.D. degree from Xi'an Jiao Tong University, Xi'an, in 2006. He is currently a Professor with the College of Computer Science and Technology, Institute of Systems Security and Control, Xi'an University of Science and Technology, Xi'an. He has authored more than 20 technical articles for conferences and journals, and holds two invention patents. His research interests include cyber-physical systems, system security, and social networks.  He developed his researches in the field of system design, control of linear and nonlinear systems, embedded system design, the Internet of Things (IOT), and implementation of autonomous mobile robot. His research interests include modeling, optimization, observer design, model predictive controller of vehicle dynamics under the wheel-terrain interaction slippage phenomenon, artificial intelligent, machine learning and deep learning related to the field of robotics, image processing, and renewable energy.