Dissertation Marko Ristic

This document appears to be a dissertation submitted by Marko Ristic for the degree of Doctor of Engineering at the Otto-von-Guericke University Magdeburg. The dissertation addresses several research questions related to confidential data fusion for distributed sensor networks. It proposes cryptographic techniques for estimate fusion on an untrusted cloud, non-linear measurement fusion with untrusted participants, and proving estimation differences in a privacy-preserving manner. The dissertation contains acknowledgments, an abstract in German, notation, several chapters outlining technical approaches and simulations, and conclusions. It was accepted by a committee of three professors and submitted on December 8, 2023.

Data Confidentiality for Distributed Sensor Fusion

DISSERTATION

for the attainment of the academic degree

Doktoringenieur (Dr.-Ing)

accepted by the Faculty of Computer Science of the
Otto-von-Guericke-Universität Magdeburg, submitted by
M.Eng. Marko Ristic
born on 05.10.1994 in Brisbane, Australia.

Reviewers:
Prof. Dr. Moritz Schulze Darup (TU Dortmund, Dortmund, Germany)
Prof. Dr.-Ing. Benjamin Noack (OVGU, Magdeburg, Germany)
Prof. Dr. Ping Zhang (RPTU Kaiserslautern, Kaiserslautern, Germany)

Magdeburg, 8.12.2023

(Submission date 30.5.2023)
Contents
Acknowledgements iii

Abstract iv

Kurzfassung v

Notation vi

1. Introduction 1
1.1. Research Questions and the State-of-the-Art . . . . . . . . . . . . . . . . . 2
1.1.1. Estimate Fusion on an Untrusted Cloud . . . . . . . . . . . . . . . 2
1.1.2. Non-Linear Measurement Fusion with Untrusted Participants . . . 3
1.1.3. Provable Estimation Difference . . . . . . . . . . . . . . . . . . . . 4
1.2. Structure and Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2. Preliminaries 6
2.1. Estimation Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.1. Kalman Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.2. Kalman Filter Optimality . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.3. Extended Kalman Filter . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.4. Information Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1.5. Extended Information Filter . . . . . . . . . . . . . . . . . . . . . . 10
2.1.6. Covariance Intersection and Fast Covariance Intersection . . . . . 11
2.2. Encryption Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2.1. Meeting Cryptographic Notions . . . . . . . . . . . . . . . . . . . . 13
2.2.2. Paillier Homomorphic Encryption Scheme . . . . . . . . . . . . . . 13
2.2.3. Joye-Libert Aggregation Scheme . . . . . . . . . . . . . . . . . . . 14
2.2.4. Lewi Order-Revealing Encryption Scheme . . . . . . . . . . . . . . 15
2.2.5. Encoding Numbers for Encryption . . . . . . . . . . . . . . . . . . 16

3. Estimate Fusion on an Untrusted Cloud 18


3.1. Problem Formulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.2. Confidential Cloud Fusion Leaking Fusion Weights . . . . . . . . . . . . . 19
3.2.1. Two-sensor Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.2.2. Multi-sensor Case . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.2.3. Computational Complexity . . . . . . . . . . . . . . . . . . . . . . 25
3.2.4. Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.2.5. Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26


3.3. Confidential Cloud Fusion Without Leaking Fusion Weights . . . . . . . . 28


3.3.1. Computational Complexity . . . . . . . . . . . . . . . . . . . . . . 31
3.3.2. Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.3.3. Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.4. Conclusions on Estimate Fusion on an Untrusted Cloud . . . . . . . . . . 33

4. Non-Linear Measurement Fusion with Untrusted Participants 34


4.1. Problem Formulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
4.1.1. Formal Cryptographic Problem . . . . . . . . . . . . . . . . . . . . 34
4.1.2. Estimation problem . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.2. A Linear Combination Aggregation Scheme . . . . . . . . . . . . . . . . . 38
4.3. Confidential Range-Only Localisation . . . . . . . . . . . . . . . . . . . . 40
4.3.1. Range Measurement Modification . . . . . . . . . . . . . . . . . . . 41
4.3.2. Applying the Linear Combination Aggregation Scheme . . . . . . . 43
4.3.3. Pseudocode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4.3.4. Solvable Sub-Class of Non-Linear Measurement Models . . . . . . 45
4.3.5. Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
4.3.6. Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.4. Conclusions on Non-Linear Measurement Fusion with Untrusted Participants . . . . . 53

5. Provable Estimation Difference 55


5.1. Problem Formulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5.1.1. Formal Cryptographic Problem . . . . . . . . . . . . . . . . . . . . 55
5.1.2. Estimation Problem . . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.1.3. Multi-Sensor Problem . . . . . . . . . . . . . . . . . . . . . . . . . 57
5.2. Privileged Estimation for Linear Systems . . . . . . . . . . . . . . . . . . 58
5.2.1. Gaussian Keystream . . . . . . . . . . . . . . . . . . . . . . . . . . 59
5.2.2. Measurement Modification . . . . . . . . . . . . . . . . . . . . . . 60
5.2.3. Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
5.2.4. Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
5.3. Fusion in Privileged Estimation Environments . . . . . . . . . . . . . . . . 65
5.3.1. Correlated Gaussian Keystreams . . . . . . . . . . . . . . . . . . . 65
5.3.2. Measurement Modification . . . . . . . . . . . . . . . . . . . . . . 66
5.3.3. Distribution of Noise Terms . . . . . . . . . . . . . . . . . . . . . . 69
5.3.4. Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
5.3.5. Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
5.4. Conclusions on Provable Estimation Difference . . . . . . . . . . . . . . . 76

6. Conclusion 78

A. Linear-Combination Aggregator Obliviousness 79

B. Cryptographic Proof for Meeting the LCAO Notion 81

Acknowledgements
No interpretation can see this thesis as a product of only myself, as it has the persistent
support, care, suggestions and opinions of those around me to thank. Understanding
peers who have spent hours discussing their research topics, finding flaws in my ideas
and helping construct the solutions that have led to this thesis are all to thank. Mixed
with these professional discussions, continual philosophical debates, acrostics, board
games and puzzles all only scratch the surface of their collective creative input. Just
as important for creative exposure, I equally thank those who have shown me countless
galleries, museums, concerts and shows during my time in Europe. Accompanying them
are those with whom I have cooked numerous delicious dinners, prepared exotic drinks
and spent long nights out forgotten by the morning. My gratitude is extended to the
climbers with whom days have been spent on ropes, in gyms, on distant summits and
during foreign escapades, sharing their adventurous lives with my own. High on this
list of supporters, I cannot overstate my luck and gratitude for the unconditional love
and positivity from those abroad, keeping me sane during my time away. Delightfully
honoured by those around me, I wish to have contributed a fraction to their lives of
that which they have provided me; with them, this time away has been immeasurably
enriched. Ultimately, I explicitly thank the continual support of my thesis supervisor,
Prof. Dr.-Ing. Benjamin Noack.

Abstract
Distributed sensing and fusion algorithms are increasingly present in public computing networks and have led to a natural concern for data security in these environments. This thesis aims to present generalisable data fusion algorithms that simultaneously provide strict cryptographic guarantees on user data confidentiality. While fusion algorithms providing some degree of security guarantees exist, these guarantees are typically either provided at the cost of solution generality or lack formal security proofs. Here, novel cryptographic constructs and state-of-the-art encryption schemes are used to develop formal security guarantees for new and generalised data fusion algorithms. Industry-standard Kalman filter derivatives are modified and existing schemes abstracted such that novel cryptographic notions capturing the required communications can be formalised, while simulations provide an analysis of practicality. Due to the generality of the presented solutions, broad applications are supported, including autonomous vehicle communications, smart sensor networks and distributed localisation.

Kurzfassung (German abstract, translated)
Distributed measurement and fusion algorithms are increasingly common in public computer networks and have led to a natural concern for data security in these environments. The aim of this thesis is to present generalisable data fusion algorithms that simultaneously offer strict cryptographic guarantees for the confidentiality of user data. While fusion algorithms that offer some degree of security guarantees already exist, these usually come either at the cost of the generality of the solution or without formal security proofs. In this thesis, novel cryptographic constructs and state-of-the-art encryption methods are used to develop formal security guarantees for new and generalised data fusion algorithms. Standard Kalman filter derivatives are modified and existing schemes abstracted so that novel cryptographic notions capturing the required communication can be formalised, while simulations provide an analysis of practicality. Owing to the generality of the presented solutions, a wide variety of applications is supported, including autonomous vehicle communication, intelligent sensor networks and distributed localisation.

Notation
Symbols

v Column vector (underlined)


M Matrix (bold)
N Set of natural numbers
Z Set of integers
Q Set of rational numbers
R Set of real numbers
Rn n-dimensional Euclidean space
Rn×m Vector space of all n-by-m-dimensional matrices
Zn Set of integers modulo n
Z∗n Multiplicative group of integers modulo n
0 Arbitrary-size zero vector
0 Arbitrary-size zero matrix
I Arbitrary-size identity matrix
N (x, P) Gaussian distribution with mean x and covariance P
{a1 , . . . , an } Set of n elements
⟨a1 , . . . , an ⟩ Ordered list of n elements
v_(a:b) Stacked vector [v_a^⊤ · · · v_b^⊤]^⊤
M(a:b) Block diagonal matrix with diagonal block elements Ma , . . . , Mb
x̂k|k′ Estimate of x at timestep k given measurements up to timestep k ′
A(v) Arbitrary algorithm output given inputs v

Operations

v⊤ Transpose of column vector v


M⊤ Transpose of matrix M
M−1 Inverse of matrix M
M≻0 Positive-definiteness of matrix M
M⪰0 Positive-semidefiniteness of matrix M
M≻N Positive-definiteness of matrix M − N
M⪰N Positive-semidefiniteness of matrix M − N
tr(·) Trace
eig(·) Set of eigenvalues


|·| Absolute value


∥·∥ Vector norm
log · Base-2 logarithm
⌊·⌋ Rounding towards zero
⌊·⌉ Rounding to nearest integer
E[·] Statistical expectation
Var[·] Statistical variance
Cov[·] Statistical covariance
∼ Real distribution
∼˙ Pseudorandom distribution
∥ Binary concatenation operator
(mod ·) Modulo
lcm(·, ·) Lowest common multiple
cmp(·, ·) Comparison function
Esk (·) Encryption with key sk
EskL (·) Lewi order-revealing “left” encryption with key sk
EskR (·) Lewi order-revealing “right” encryption with key sk
Dsk (·) Decryption with key sk
C(·) Lewi order-revealing encryption comparison function
Eδ (·) Elementwise integer encoding with parameter δ
E_δ^{-1}(·) Elementwise integer decoding with parameter δ
⊗ Elementwise plaintext-ciphertext homomorphic multiplication
⊕ Elementwise ciphertext-ciphertext homomorphic addition
⊕_{i=1}^n Elementwise ciphertext-ciphertext homomorphic summation

Variable Conventions

d State dimension
e_i^(t) Linear combination from sensor i at instance t
e[π,τ ] Estimator with privilege π and measurement access τ
f k (·) System model transition function at timestep k
Fk Linear system model transition matrix at timestep k
F̂k Linearisation of system model transition function f k
g Stepsize of covariance intersection weight discretisation
gk Pseudorandom noise at timestep k
g k,i Correlated pseudorandom noise for sensor i at timestep k
hi (·) Measurement model scalar function from sensor i
hk (·) Measurement model function at timestep k
hk,i (·) Measurement model function from sensor i at timestep k
Hk Linear measurement model function at timestep k
Hk,i Linear measurement model function from sensor i at timestep k
Ĥk Linearisation of measurement model function hk


Ĥk,i Linearisation of measurement model function hk from sensor i


H(·) Encryption scheme public hash function
i Sensor or estimator identifier
ik Measurement vector at timestep k
ik,i Measurement vector from sensor i at timestep k
Ik Measurement matrix at timestep k
Ik,i Measurement matrix from sensor i at timestep k
k Timestep
l Number of linear combination aggregation weights θ_j^(t) broadcast at a single instance t
m Measurement dimension
M Integer range encoding parameter
MM Measurement model parameters
MS System model parameters
n Number of sensors or estimators
N Homomorphic encryption modulus, N = pq
p Random prime of equal bit length to q
P Estimate covariance
Pk|k′ Estimate covariance at timestep k given measurements up to timestep k′
Pfus Fused estimate covariance
pk Paillier encryption scheme public key
pka Linear combination aggregation scheme navigator public key
pub Public parameters of an encryption scheme
q Random prime of equal bit length to p
Qk System model noise covariance at timestep k
rk,i Measurement model scalar noise variance from sensor i at timestep k
Rk Measurement model noise covariance at timestep k
Rk,i Measurement model noise covariance from sensor i at timestep k
sx,i x-position of sensor i
sy,i y-position of sensor i
si Position vector of sensor i
S Pseudorandom noise covariance
S(n) Correlated pseudorandom noise covariance for n sensors
sk Paillier encryption scheme secret key
sk0 Joye-Libert aggregation scheme aggregator key
ski Joye-Libert aggregation scheme sensor i key
ska,0 Linear combination aggregation scheme aggregator key
ska,i Linear combination aggregation scheme sensor i key
skg Privileged estimation scheme generation key
skg,i Privileged estimation scheme sensor i generation key
t Time instance (timestep for time-series other than the system state)


tk,ϵ Time instance computed as the bit concatenation of timestep k and position index ϵ
vk,i Scalar measurement model noise from sensor i at timestep k
vk Measurement model noise at timestep k
v k,i Measurement model noise from sensor i at timestep k
V Fully correlated component of correlated pseudorandom noise covariance
wk System model noise at timestep k
W Uncorrelated component of correlated pseudorandom noise covariance
xk System state at timestep k
x̂ Estimate of system state
x̂k|k′ Estimate of system state at timestep k given measurements up to timestep k′
x̂fus Fused estimate of system state
ŷ k|k′ Estimated information vector at timestep k given measurements up to timestep k′
Yk|k′ Estimated information matrix at timestep k given measurements up to timestep k′
zk,i Scalar measurement of state x from sensor i at timestep k
zk Measurement of state x at timestep k
z k,i Measurement of state x from sensor i at timestep k
z_k^{p} Measurement of state x at timestep k available to a privileged estimator
z_k^{up} Measurement of state x at timestep k available to an unprivileged estimator
z_k^[π,τ] Observed measurement at timestep k for estimator of privilege π and measurement access τ
δ Multiplicative depth encoding parameter
η(κ) Negligible function in security parameter κ
θ_j^(t) j-th linear combination aggregation weight at time instance t
κ Encryption scheme security parameter
λ Lowest common multiple of p and q
π Number of sequential privileged estimation generation keys held by estimator (estimator privilege)
τ Number of sequential privileged estimation measurements accessed by estimator (estimator measurement access)
ϕ Precision encoding parameter
ψt Pseudorandom Gaussian noise at instance t
ψk Pseudorandom Gaussian noise at timestep k
ψ k,i Pseudorandom Gaussian noise for sensor i at timestep k
ωi Covariance intersection fusion weight for estimator i
ω Vector of covariance intersection weights, ω = [ω1 · · · ωn]^⊤
ω̂ Estimate of covariance intersection weights ω


Acronyms

AES Advanced Encryption Standard


AES-CTR AES block cipher in Counter mode
AO Aggregator Obliviousness
CI Covariance Intersection
CIA Confidentiality-Integrity-Availability
DCRA Decisional Composite Residuosity Assumption
EIF Extended Information Filter
EKF Extended Kalman Filter
FCI Fast Covariance Intersection
FHE Fully Homomorphic Encryption
HE Homomorphic Encryption
IF Information Filter
IoT Internet of Things
IND-CPA Indistinguishability under a Chosen Plaintext Attack
IND-OCPA Indistinguishability under an Ordered Chosen Plaintext Attack
KF Kalman Filter
LCAO Linear Combination Aggregator Obliviousness
MSE Mean Square Error
ORE Order-Revealing Encryption
PGUB Performance Gain Upper Bound
PHE Partially Homomorphic Encryption
PLLB Performance Loss Lower Bound
PPT Probabilistic Polynomial-Time
pWSAc Private Weighted Sum Aggregation with Centralised weights
pWSAh Private Weighted Sum Aggregation with Hidden weights
RSA Rivest-Shamir-Adleman
WSL Windows Subsystem for Linux

1. Introduction
Sensor data processing, state estimation and data fusion have long been active areas of research and continue to find applications in modern systems [1, 2]. As distributed networks have become more prevalent over the years, greater stress has been put on the need for broadly applicable algorithms that support varying types of measurements, estimate accuracies and communication availabilities [3, 4], finding uses in localisation, weather forecasting, mapping, cooperative computing and more [5, 6, 7, 8, 9, 10, 11]. In particular, handling cross-correlations between distributed data, especially when they are not known in advance, has been a well-studied difficulty in distributed estimation and is closely tied to the challenges in the field [12, 13, 14, 15]. The use of Bayesian estimation methods such as the popular Kalman filter (KF) and its non-linear derivatives has become especially prevalent in these applications due to their recursive, often optimal, properties and their suitability for modelling these cross-correlations [16, 17, 18, 19]. In recent years, widespread advancements in distributed algorithms and the ubiquity of public networks such as the Internet, wireless communication channels and the Internet-of-things (IoT) paradigm have brought privacy challenges into focus as well [20, 21]. In particular, the data confidentiality component of the cryptographic Confidentiality-Integrity-Availability (CIA) triad [22] has become an important goal in security-aware distributed data processing tasks: concrete data private to participants should remain confidential, or any leakage should be formally quantifiable. The broader topic of data privacy, concerned with the identification of individuals by any means including the observation of this data, is often used synonymously in the literature [23, 24, 25, 26, 27] but will not be considered in its entirety in this thesis.
Traditional data confidentiality involves keeping transmitted information private from unauthorised parties in untrusted networks and can often be achieved irrespective of the data processing algorithms used. Typically, these scenarios can be handled by using common symmetric and asymmetric encryption schemes such as the Advanced Encryption Standard (AES) [28] or the Rivest-Shamir-Adleman (RSA) cryptosystem [29], respectively. These scenarios, however, imply trust between encrypting and decrypting parties, which cannot always be assumed in distributed environments. Situations where partial results are considered private, or where only partial leakage of data is acceptable for computing results, do not assume this trust and have led to the development of several encryption schemes that provide encrypted operations and explicit formal leakages [30, 31, 32, 33]. A very applicable group of these schemes in estimation, homomorphic encryption (HE), allows operations to be performed on encrypted data without decryption. These schemes can be loosely grouped into two categories: fully homomorphic encryption (FHE), allowing arbitrary operations on encryptions; and partially homomorphic encryption (PHE), allowing only a subset of operations, typically one. Although FHE suits a wider variety of estimation problems, essentially allowing arbitrary computations while preserving data confidentiality, its current implementations are still too computationally expensive for large-scale or real-time processing [34, 35, 36]. For this reason, PHE has been the more popular choice for providing data confidentiality during a variety of estimation tasks [37, 38, 39, 40, 41] and is predominantly relied on throughout this thesis. While these schemes provide a powerful tool for designing data-processing algorithms, the nature of cryptographic analysis in distributed environments depends heavily on the communication protocols between participants, which limits how easily they can be combined with general estimation and data fusion solutions such as the Bayesian methods mentioned previously. In turn, this has led to various context-specific estimation solutions with differing degrees of cryptographic guarantees, often either restricting general solutions so that meaningful cryptographic guarantees can be provided or foregoing provable security in favour of more general algorithms. This leads us to the goals of this thesis and the current state-of-the-art in security-oriented estimation and data fusion.
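As an added illustration (not code from the thesis), the following Python sketch shows the kind of PHE-based cloud computation that the estimate fusion problem of chapter 3 builds on: sensors encrypt scalar estimates under a toy Paillier key, the untrusted cloud combines the ciphertexts with plaintext fusion weights using the scheme's additive homomorphism (the ⊕ and ⊗ operations of the notation), and only the key holder decrypts the fused result. The fixed-point encoding, the scalar fast-covariance-intersection weights, the message flow and the toy-sized primes are simplifying assumptions of this example, not the thesis's protocol.

```python
# Added example (not code from the thesis): Paillier-based weighted fusion of
# scalar estimates on an untrusted cloud that sees only ciphertexts and the
# (leaked) fusion weights. Key sizes, encoding and message flow are toy-sized
# simplifications chosen for this illustration.
import math
import secrets

# Toy primes of equal bit length (assumption: far too small for real use).
P_TOY = 4294967291   # 2^32 - 5
Q_TOY = 4294967311   # 2^32 + 15


def paillier_keygen(p, q):
    """Public key (N, g) with N = pq, g = N + 1; secret key (N, lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                 # valid because g = N + 1
    return (n, n + 1), (n, lam, mu)


def paillier_encrypt(pk, m):
    """c = g^m * r^N mod N^2 with a fresh random r in Z*_N."""
    n, g = pk
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def paillier_decrypt(sk, c):
    """m = L(c^lambda mod N^2) * mu mod N, where L(u) = (u - 1) / N."""
    n, lam, mu = sk
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


def hom_add(pk, c1, c2):
    """Ciphertext-ciphertext addition (⊕): E(a) * E(b) mod N^2 = E(a + b)."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def hom_mul(pk, c, k):
    """Plaintext-ciphertext multiplication (⊗): E(a)^k mod N^2 = E(k * a)."""
    n, _ = pk
    return pow(c, k, n * n)


def encode(x, phi, n):
    """Fixed-point encoding with phi fractional bits; negatives wrap modulo N."""
    return round(x * (1 << phi)) % n


def decode(v, phi, depth, n):
    """Undo `depth` fixed-point factors; residues above N/2 are negative."""
    if v > n // 2:
        v -= n
    return v / float(1 << (phi * depth))


def fci_weights(variances):
    """Scalar fast covariance intersection weights, proportional to 1/P_i."""
    inv = [1.0 / p for p in variances]
    total = sum(inv)
    return [w / total for w in inv]


def cloud_fuse(pk, enc_estimates, enc_weights):
    """Untrusted cloud: computes ⊕_i (w_i ⊗ E(x_i)) using only the public key."""
    acc = None
    for c, w in zip(enc_estimates, enc_weights):
        term = hom_mul(pk, c, w)
        acc = term if acc is None else hom_add(pk, acc, term)
    return acc


def confidential_fusion_demo(estimates, variances, phi=16):
    """Sensors encrypt estimates, the cloud fuses them with plaintext weights,
    and the key holder decrypts. Returns (fused estimate, weights seen by cloud)."""
    pk, sk = paillier_keygen(P_TOY, Q_TOY)
    n = pk[0]
    weights = fci_weights(variances)               # known to the cloud (leaked)
    enc_est = [paillier_encrypt(pk, encode(x, phi, n)) for x in estimates]
    enc_w = [encode(w, phi, n) for w in weights]   # plaintext fixed-point weights
    c_fus = cloud_fuse(pk, enc_est, enc_w)
    # Two fixed-point factors were multiplied, so decode at depth 2.
    x_fus = decode(paillier_decrypt(sk, c_fus), phi, 2, n)
    return x_fus, weights


if __name__ == "__main__":
    x_fus, w = confidential_fusion_demo([10.0, 12.0], [1.0, 3.0])
    print("weights seen by cloud:", w, "fused estimate:", x_fus)
```

The cloud learns the weights (and hence the relative accuracy of each sensor) but never an estimate value, which is exactly the leakage the first chapter-3 method tolerates and the second one removes.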

1.1. Research Questions and the State-of-the-Art


The restrictions on the generality of solutions and the frequent foregoing of cryptographic guarantees when providing security in estimation tasks form the literature gap that this thesis is centred around. The overarching topics we are interested in are as follows. First, we wish to find distributed estimation and data fusion solutions based on Bayesian methods for non-linear models with provable security; here, non-linear models capture the broadest and therefore most generally applicable solutions in estimation. Secondly, we are interested in formalising novel cryptographic definitions that capture suitable communication protocols and leakages for any of these solutions, should such definitions not already exist. Lastly, we would like to define a general cryptographic notion that captures adversary estimation performance, with the potential to be applied to both novel and existing security-aware estimation schemes that otherwise have no cryptographically provable guarantees. From these topics, we concentrate on three specific problems that form the main chapters of this thesis and discuss the state-of-the-art in the context of each.

1.1.1. Estimate Fusion on an Untrusted Cloud


The first problem we consider is confidential estimate fusion on a centralised untrusted cloud. This is a popular scenario in distributed sensor fusion, where a cloud or fusing party obtains estimates from within the network and fuses them centrally, providing a resulting fused state estimate for further processing [42, 43, 44, 45, 46, 47]. Some use cases for the scenario include factory sensor data fusion, object tracking, centralised weather forecasting and more. Intuitively, untrusted cloud processing raises security concerns, such as the confidentiality of individual estimate data and the privacy of the participants producing it [21, 48, 49, 50, 51]. Work on security-aware cloud processing and data fusion exists for a variety of scenarios. FHE and PHE are particularly suited to the problem, allowing computations to be finalised on confidential data before being queried by trusted parties for final results [52, 53, 54]. This includes control aggregation [55], private matrix multiplication [56] and private set intersection [39]. Another relevant topic is differential privacy [57, 58]. Here, a formal cryptographic notion guarantees that individual inputs to data fusion cannot be exactly estimated, by guaranteeing that results are indistinguishable when they differ by only a single input. The downside of this cryptographically meaningful and often applicable solution is the noisiness of fusion results, rendering it unsuitable for scenarios where result accuracy cannot be compromised. We are interested in accurate general solutions to data fusion in a Bayesian setting, and our solution to this problem aims to fuse arbitrary (non-linear and dependent) state estimates while providing a cryptographically meaningful assessment of confidentiality. Some applicable methods for this exist, albeit with restrictions on the estimation or security requirements. In [59], control inputs can be computed in an encrypted control loop, with methods applicable to estimation, but the approach relies on the presence of two clouds that cannot maliciously collude. [60] presents a method for homomorphic fusion but requires that partial fusions are collected in a hierarchical network and that fused measurements are linear and independent. In [61], the homomorphic fusion of data is used to perform range-measurement localisation on confidential measurements, but the method does not lend itself to a Bayesian setting where measurement noise properties are considered. The formalised estimation problem and cryptographic goals, as well as our novel solutions to this problem, are presented in chapter 3.

1.1.2. Non-Linear Measurement Fusion with Untrusted Participants


The next problem we look at is confidential measurement fusion when participants in the network are untrusted. The scenario is in principle similar to the fusion problem in section 1.1.1 but is distinguished by the party using the result and the properties of the measurements. Unlike when using a cloud, final computed fusion results are often needed by the party computing the fusion itself, as in self-localisation and decentralised estimation [10, 13, 62], rendering HE methods less practical as no trusted querying party is present. We also distinguish measurements from estimates in that we assume they are independent, allowing for the use of accurate Bayesian estimation methods such as the KF, which make this assumption [17]. Methods [60] and [61] again tackle a similar problem but remain limited in requiring a hierarchical communication network and in not considering measurement noise properties, respectively. Similarly to the fusion problem above, differential privacy [57] is again a related and applicable field, including existing applications to the KF [63], but results remain noisy and are considered undesirable when accuracy is important. To provide an accurate non-linear distributed estimation filter with a meaningful cryptographic assessment, other cryptographic notions need to be considered. Cryptographic constructs that support homomorphic computations as well as the leakage of final results, as would be required in the case where a third-party cloud is not used, exist. Private Weighted Sum Aggregation with centralised or hidden weights (pWSAc and pWSAh, respectively) are introduced in [64] and [65] as a means for computing control inputs in a distributed network without leaking individual contributions. Here, formal definitions are given with communication assumptions that differ from those suitable in a non-linear estimation problem. Similarly, further definitions of aggregation schemes have been introduced [31, 66, 67, 68, 69, 70] with a variety of specified communication protocols. A formalised estimation and cryptographic goal for this problem, as well as the presented solutions, will be shown in chapter 4.

1.1.3. Provable Estimation Difference


The last problem that we consider is the creation of a general cryptographic notion for proving the estimation difference between possible estimators, and of a scheme that meets it. Use cases are varied and include scenarios where a provable difference is desired, including the difference between trusted and untrusted estimators as well as the difference between parties of different priorities or with differing access to data. In many works, degraded estimation performance at untrusted parties is used as a form of security in a system [24, 27, 71, 72, 73]. These include additional communication channels [72, 73], adding noise that is removable by trusted estimators [74, 75], and noise that does not affect the final goal of estimation [27]. It is not uncommon for the performance difference between trusted and untrusted estimators to be analysed in these works [26, 74, 76, 77], but this is typically done from an information-theoretic point of view, neglecting the generation of noise and assuming real-number representations are exact in practice. Differential privacy [57] is again relevant to this problem as it captures the inability to estimate a missing piece of data from a cryptographic perspective. However, it targets the confidentiality of contributions to statistical data and does not capture the imperfect ability of a trusted estimator to estimate a Bayesian system. We aim to capture a cryptographically provable difference in performance between estimators of different privilege in a Bayesian setting while taking into account the computational capabilities of attackers. In addition, we wish to present a scheme to which this notion can be applied. This problem, its cryptographic goals and the presented solutions are formalised in chapter 5.

1.2. Structure and Contributions


After this introductory chapter, preliminaries for all content in the thesis are introduced
in chapter 2. The chapters that follow are independent, each tackling one of the problems
aimed to be solved and presenting appropriate contributions. Each of these chapters
includes an individual problem formulation and conclusion.
Chapter 3 focuses on the problem of estimate fusion on an untrusted cloud, initially
introduced in section 1.1.1, and makes the following contributions:

- A novel method for the fusion of arbitrary stochastic estimates at a cloud while keeping individual estimates confidential and leaking only fusion weights at the cloud.

- A novel method for the fusion of arbitrary stochastic estimates at a cloud while keeping both fusion weights and individual estimates confidential at the cloud.

- Cryptographic analysis and simulations of both presented methods.


Chapter 4 looks at non-linear measurement fusion with untrusted participants, introduced in section 1.1.2, and presents the following:

- A novel cryptographic notion capturing the confidential linear combination of weights in a distributed network.

- A novel encryption scheme meeting the defined notion.

- A novel distributed estimation filter that allows range-only localisation using the defined encryption scheme such that estimates, sensor measurements and sensor properties remain confidential.

- An analysis of the method’s extension to more general non-linear environments.

- A cryptographic proof for the defined encryption scheme meeting the defined cryptographic notion.

- A cryptographic analysis and simulations of the presented estimation method.

Chapter 5 focuses on the problem of a provable estimation difference, introduced in section 1.1.3, and presents:

- A novel cryptographic notion capturing the difference in performance between estimators in a Bayesian estimation scenario.

- A novel single-sensor estimation scheme that relies on a secret key to distinguish between types of estimators with performance differences provable with the defined notion.

- An extension to a multiple-sensor estimation scheme with similar properties that takes the fusion of measurements into account.

- A cryptographic analysis and simulations of the presented methods.

Finally, chapter 6 concludes the thesis in its entirety.


These contributions have led to several peer-reviewed publications that can be found
in [121, 122, 123, 124, 125].

2. Preliminaries
When introducing novel methods throughout this thesis, we make use of several exist-
ing algorithms and constructs. In this chapter, we present these relevant preliminaries
grouped by the fields they belong to: estimation and cryptography.

2.1. Estimation Preliminaries


Sensor and estimate data that we consider is primarily Bayesian in nature and typically
consists of estimates and associated estimate uncertainties. The linear KF and the lin-
earising extended Kalman filter (EKF), along with their information form equivalents,
are particularly useful in the estimation and fusion of such data. A general fusion algo-
rithm, the covariance intersection (CI), used when data cross-correlations are unknown,
is also introduced.

2.1.1. Kalman Filter


The KF [1, 78] is a popular and well-studied recursive state estimation filter that pro-
duces estimates and their error covariances x̂k|k′ ∈ Rd and Pk|k′ ∈ Rd×d , respectively, for
a timestep k ∈ N, given measurements up to and including timestep k ′ ∈ N [2, 17, 79, 80].
Although the KF supports the estimation of a system state which can be manipulated
through an external input, this thesis primarily discusses scenarios where no external
inputs are known to the estimator and will introduce the filter with these set to 0. In
this form, the KF assumes the existence of a true state xk ∈ Rd at each timestep k,
following the linear system model

$x_k = F_k x_{k-1} + w_k$, (2.1)

where $w_k \sim \mathcal{N}(0, Q_k)$ with known covariance $Q_k \in \mathbb{R}^{d \times d}$. Similarly, measurements $z_k \in \mathbb{R}^m$ are assumed to follow the linear measurement model

$z_k = H_k x_k + v_k$, (2.2)

where $v_k \sim \mathcal{N}(0, R_k)$ with known covariance $R_k \in \mathbb{R}^{m \times m}$. The filter requires initialisation with some known values $\hat{x}_{0|0}$ and $P_{0|0}$ and is computed recursively in two steps.
First, the estimate for the next timestep is predicted without new measurement infor-
mation, known as the prediction step, and is given by

$\hat{x}_{k|k-1} = F_k \hat{x}_{k-1|k-1}$ (2.3)

and

$P_{k|k-1} = F_k P_{k-1|k-1} F_k^\top + Q_k$. (2.4)
Next, this prediction is updated with current measurement information, known as the
update step, and given by
$\hat{x}_{k|k} = \hat{x}_{k|k-1} + P_{k|k-1} H_k^\top \left( H_k P_{k|k-1} H_k^\top + R_k \right)^{-1} \left( z_k - H_k \hat{x}_{k|k-1} \right)$ (2.5)

and

$P_{k|k} = P_{k|k-1} - P_{k|k-1} H_k^\top \left( H_k P_{k|k-1} H_k^\top + R_k \right)^{-1} H_k P_{k|k-1}$. (2.6)

In addition to alternating prediction and update steps as time progresses, the update
step (2.5) and (2.6) can be skipped at timesteps when no measurements are available.
Similarly, when multiple independent measurements are present at the same timestep,
the update step can be repeated for each measurement individually. Detailed derivations
of the KF and discussions on its properties can be found in [17, Chap. 6].

2.1.2. Kalman Filter Optimality


One of the reasons for the ubiquity and popularity of the KF introduced in section 2.1.1
is its optimality in terms of mean square error (MSE) [2, 17, 79, 80, 81]. That is, the
estimate’s error covariances, defined by the expectation capturing MSE,
$P_{k|k} = \mathbb{E}\left[ \left( x_k - \hat{x}_{k|k} \right) \left( x_k - \hat{x}_{k|k} \right)^\top \right]$, (2.7)

and computed by (2.4) and (2.6), can be shown to equal the theoretical lower bound on
the covariance of an unbiased estimator when system and measurement models (2.1) and
(2.2), respectively, capture the estimated environment exactly [17, 82]. This property
will be used in later cryptographic discussions in this thesis to guarantee estimator
performances in terms of MSE. Further reading on the definitions and proofs of KF
optimality can be found in [17, Chap. 6].

2.1.3. Extended Kalman Filter


The EKF is a recursive state estimation filter applicable to non-linear models and closely
related to the linear KF [1, 83]. The filter produces estimates and their covariances at
each timestep by linearising models at the current estimate and evaluating the filter
similarly to the KF. As in the KF, a true state xk is assumed to follow known models.
The system model is now non-linear and given by

$x_k = f_k(x_{k-1}) + w_k$, (2.8)

where again $w_k \sim \mathcal{N}(0, Q_k)$ with known covariance $Q_k$. Similarly, measurements are assumed to follow the non-linear measurement model

$z_k = h_k(x_k) + v_k$, (2.9)

with $v_k \sim \mathcal{N}(0, R_k)$ and known covariance $R_k$. The EKF prediction step is given by

$\hat{x}_{k|k-1} = f_k\left( \hat{x}_{k-1|k-1} \right)$ (2.10)

and

$P_{k|k-1} = \hat{F}_k P_{k-1|k-1} \hat{F}_k^\top + Q_k$, (2.11)

with Jacobian

$\hat{F}_k = \left. \frac{\partial f_k}{\partial x} \right|_{\hat{x}_{k-1|k-1}}$ (2.12)

linearising the system model at the latest estimate for estimate error covariance predic-
tion. The EKF update step is given by
$\hat{x}_{k|k} = \hat{x}_{k|k-1} + P_{k|k-1} \hat{H}_k^\top \left( \hat{H}_k P_{k|k-1} \hat{H}_k^\top + R_k \right)^{-1} \left( z_k - h_k(\hat{x}_{k|k-1}) \right)$ (2.13)

and

$P_{k|k} = P_{k|k-1} - P_{k|k-1} \hat{H}_k^\top \left( \hat{H}_k P_{k|k-1} \hat{H}_k^\top + R_k \right)^{-1} \hat{H}_k P_{k|k-1}$, (2.14)

with Jacobian

$\hat{H}_k = \left. \frac{\partial h_k}{\partial x} \right|_{\hat{x}_{k|k-1}}$ (2.15)

linearising the measurement model. Unlike the linear KF, by linearising the models
the EKF propagates Gaussian model noises in its estimates that may not be Gaussian
in reality, even when system and measurement models (2.8) and (2.9), respectively,
are exactly correct. For this reason, the EKF does not hold the same guarantees on
optimality as the KF does. To a similar effect, highly non-linear models or inaccurate
models can lead to greater inaccuracies and divergence of estimates from true states in
EKF estimates. Despite these downsides, its scalability and efficiency have made the
EKF an industry-standard estimation filter for non-linear systems [83, 84, 85]. More
details on the EKF and its derivation can be found in [17, Chap. 7].

2.1.4. Information Filter


The information filter (IF) is an algebraic reformulation of the KF from section 2.1.1
[2, 3]. The information form of the filter simplifies the update step of the filter mak-
ing it more suitable when multiple independent measurements are present at the same
timestep. The key difference of the IF is the storing and propagation of the information
vector ŷ k|k′ and information matrix Yk|k′ rather than the estimate and its error covari-
ance, $\hat{x}_{k|k'}$ and $P_{k|k'}$, stored by the KF. When assuming the same linear and Gaussian models (2.1) and (2.2), the information vector and matrix are related to the estimate and its covariance by

$\hat{y}_{k|k'} = P_{k|k'}^{-1} \hat{x}_{k|k'}$ (2.16)

and

$Y_{k|k'} = P_{k|k'}^{-1}$, (2.17)
for an estimated timestep k and measurements from timesteps up to and including k ′ .
The estimation of the information vector and information matrix requires an initialisa-
tion of ŷ 0|0 and Y0|0 , similarly to the KF, and is also performed by iterating distinct
predict and update filter steps. The prediction step is given by
$\hat{y}_{k|k-1} = Y_{k|k-1} F_k Y_{k-1|k-1}^{-1} \hat{y}_{k-1|k-1}$ (2.18)

and

$Y_{k|k-1} = \left( F_k Y_{k-1|k-1}^{-1} F_k^\top + Q_k \right)^{-1}$. (2.19)

The update step is given by

$\hat{y}_{k|k} = \hat{y}_{k|k-1} + i_k$ (2.20)

and

$Y_{k|k} = Y_{k|k-1} + I_k$, (2.21)

where added terms $i_k$ and $I_k$ are known as the measurement vector and measurement matrix, respectively, and are defined as

$i_k = H_k^\top R_k^{-1} z_k$ (2.22)

and

$I_k = H_k^\top R_k^{-1} H_k$. (2.23)
Since all information related to measurements and their sensors are captured in ik
and Ik , namely the measured value z k , measurement model Hk and measurement error
Rk , sequential IF update steps required in the presence of multiple sensors are easily
computed as a summation of this information from each sensor. That is, if we consider
the same system model (2.1) and multiple sensors i, 1 ≤ i ≤ n, making independent
measurements that follow models

$z_{k,i} = H_{k,i} x_k + v_{k,i}$, (2.24)

with v k,i ∼ N (0, Rk,i ) and known covariances Rk,i , the update step of the filter using
all measurements at timestep k can be written as
$\hat{y}_{k|k} = \hat{y}_{k|k-1} + \sum_{i=1}^{n} i_{k,i}$ (2.25)

and

$Y_{k|k} = Y_{k|k-1} + \sum_{i=1}^{n} I_{k,i}$, (2.26)

where information vectors $i_{k,i}$ and information matrices $I_{k,i}$ are now dependent on sensor $i$ and given by

$i_{k,i} = H_{k,i}^\top R_{k,i}^{-1} z_{k,i}$ (2.27)

and

$I_{k,i} = H_{k,i}^\top R_{k,i}^{-1} H_{k,i}$. (2.28)
The easily computed summation has led to the IF being particularly suited to distributed
estimation environments, where multiple sensors are present and communicational costs
need to be reduced [19, 86, 87, 88]. In addition, since the IF is strictly a rearrangement of
terms in the KF, it holds the same optimality properties as the KF described in section
2.1.2. For additional reading on the IF, see [2, Chap. 6].

2.1.5. Extended Information Filter


The extended information filter (EIF) is an algebraic reformulation of the EKF and
represents a non-linear model extension to the linear IF [3, 89]. As with the IF, its
simplification of the update step to a trivial sum has led to its adoption in suitable
distributed environments with multiple sensors and a desire to reduce communicational
costs [90]. Similarly, the EIF estimates and propagates the information vector ŷ k|k′ and
information matrix Yk|k′ that relate to the state estimate and its covariance by (2.16) and
(2.17), respectively. Assuming the non-linear system model (2.8) and multiple sensors i,
1 ≤ i ≤ n, making independent non-linear measurements that follow models

$z_{k,i} = h_{k,i}(x_k) + v_{k,i}$, (2.29)

with $v_{k,i} \sim \mathcal{N}(0, R_{k,i})$ and known covariances $R_{k,i}$, the EIF predict step is given by

$\hat{y}_{k|k-1} = Y_{k|k-1} f_k\left( Y_{k-1|k-1}^{-1} \hat{y}_{k-1|k-1} \right)$ (2.30)

and

$Y_{k|k-1} = \left( \hat{F}_k Y_{k-1|k-1}^{-1} \hat{F}_k^\top + Q_k \right)^{-1}$, (2.31)

with Jacobian linearising the system model

$\hat{F}_k = \left. \frac{\partial f_k}{\partial x} \right|_{\hat{x}_{k-1|k-1}}$. (2.32)

The update step of the filter using all $n$ measurements is given by

$\hat{y}_{k|k} = \hat{y}_{k|k-1} + \sum_{i=1}^{n} i_{k,i}$ (2.33)

and

$Y_{k|k} = Y_{k|k-1} + \sum_{i=1}^{n} I_{k,i}$, (2.34)

where information vectors $i_{k,i}$ and information matrices $I_{k,i}$ now linearise the measurement model and are given by

$i_{k,i} = \hat{H}_{k,i}^\top R_{k,i}^{-1} \left( z_{k,i} - h_{k,i}\left( Y_{k|k-1}^{-1} \hat{y}_{k|k-1} \right) + \hat{H}_{k,i} Y_{k|k-1}^{-1} \hat{y}_{k|k-1} \right)$ (2.35)

and

$I_{k,i} = \hat{H}_{k,i}^\top R_{k,i}^{-1} \hat{H}_{k,i}$, (2.36)

with Jacobian

$\hat{H}_{k,i} = \left. \frac{\partial h_{k,i}}{\partial x} \right|_{\hat{x}_{k|k-1}}$. (2.37)

Similarly to the EKF, the linearisation of models leads to estimation errors making
optimality guarantees of the KF and IF not hold for the EIF. For further reading and
applications of the EIF, see [3, Chap. 2].

2.1.6. Covariance Intersection and Fast Covariance Intersection


In the filters presented in the previous sections, measurements from the same timestep
must be independent for sequential update steps to fuse them correctly. That is, non-
zero cross-correlations between measurements can lead to overly confident estimate error
covariances and estimation track divergence [91, 92]. In some cases, this independence of
measurements cannot be guaranteed and a conservative fusion method is required to ob-
tain a final estimate and its error covariance using all available measurements. A typical
scenario is the fusion of local estimator estimates themselves, such as those produced by
separate KF, IF, EKF or EIF instances, that may contain cross-correlations due to shared
system model assumptions during estimation [93, 94, 95]. CI is a time-independent fu-
sion algorithm that fuses estimates or measurements and their error covariances when
cross-correlations are unknown [12] and produces estimates that are guaranteed to be
conservative, that is, not overly confident in the error of resulting fused estimates. CI
is particularly well suited to fusing estimates x̂i and covariances Pi of sensor i in the
information form, as given in (2.16) and (2.17), such that the fusion of $n$ information vectors $P_i^{-1} \hat{x}_i$, $1 \le i \le n$, and information matrices $P_i^{-1}$, $1 \le i \le n$, produces a fused information vector $P_{\mathrm{fus}}^{-1} \hat{x}_{\mathrm{fus}}$ and matrix $P_{\mathrm{fus}}^{-1}$. It is given by

$P_{\mathrm{fus}}^{-1} \hat{x}_{\mathrm{fus}} = \sum_{i=1}^{n} \omega_i P_i^{-1} \hat{x}_i$ (2.38)

and

$P_{\mathrm{fus}}^{-1} = \sum_{i=1}^{n} \omega_i P_i^{-1}$, (2.39)


for some weights $0 \le \omega_i \le 1$, $1 \le i \le n$, such that

$\sum_{i=1}^{n} \omega_i = 1$. (2.40)

The weights ωi are chosen in a way to speed up the convergence of estimate errors
over time and to minimise fusion estimate error by minimising some property of the
fused estimate error covariance Pfus . A common choice is to minimise the trace of the
covariance [96, 97, 98], requiring a solution to

$\arg\min_{\omega_1, \ldots, \omega_n} \left\{ \mathrm{tr}\left( P_{\mathrm{fus}} \right) \right\}$. (2.41)

However, minimising the non-linear cost function (2.41) can be computationally costly
and has led to the development of faster approximation techniques. The Fast Covariance
Intersection (FCI) algorithm [99] is one such method, that approximates (2.41) non-
iteratively, while still guaranteeing consistency. It is defined by adding new constraints

$\omega_i \,\mathrm{tr}(P_i) - \omega_{i+1} \,\mathrm{tr}(P_{i+1}) = 0$, (2.42)

for $1 \le i \le n - 1$, leading to the linear problem

$\begin{bmatrix} \mathcal{P}_1 & -\mathcal{P}_2 & 0 & \cdots & 0 \\ 0 & \mathcal{P}_2 & -\mathcal{P}_3 & \ddots & \vdots \\ \vdots & \ddots & \ddots & \ddots & 0 \\ 0 & \cdots & 0 & \mathcal{P}_{n-1} & -\mathcal{P}_n \\ 1 & \cdots & 1 & 1 & 1 \end{bmatrix} \begin{bmatrix} \omega_1 \\ \vdots \\ \omega_{n-1} \\ \omega_n \end{bmatrix} = \begin{bmatrix} 0 \\ \vdots \\ 0 \\ 1 \end{bmatrix}$ (2.43)

and its solution

$\omega_i = \frac{1/\mathcal{P}_i}{\sum_{j=1}^{n} 1/\mathcal{P}_j}$, (2.44)

for $1 \le i \le n$, where $\mathcal{P}_i = \mathrm{tr}(P_i)$. Yielding similar results to the optimal CI (2.41), FCI
has become a popular alternative due to its computational simplicity [45, 100, 101]. For
further reading, and uses of CI and FCI, see [12, 99].
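As an added example (not code from the thesis), the following computes the FCI weights (2.44) and the information-form CI fusion (2.38) and (2.39) for constructed 2x2 covariances, and checks that the resulting weights satisfy (2.40) and the FCI constraint (2.42).

```python
"""Fast Covariance Intersection (FCI) of n estimates in information form.

Added example, not code from the thesis. The matrix helpers are only what a
2-D state needs; the covariances and estimates below are constructed values.
"""
from typing import List, Tuple

Matrix = List[List[float]]
Vector = List[float]


def trace(P: Matrix) -> float:
    return sum(P[i][i] for i in range(len(P)))


def inv2(P: Matrix) -> Matrix:
    """Inverse of a 2x2 matrix (enough for the constructed example)."""
    (a, b), (c, d) = P
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]


def matvec(A: Matrix, x: Vector) -> Vector:
    return [sum(A[i][j] * x[j] for j in range(len(x))) for i in range(len(A))]


def fci_weights(covs: List[Matrix]) -> List[float]:
    """FCI weights (2.44): omega_i = (1 / tr P_i) / sum_j (1 / tr P_j)."""
    inv_traces = [1.0 / trace(P) for P in covs]
    total = sum(inv_traces)
    return [t / total for t in inv_traces]


def fci_fuse(estimates: List[Vector], covs: List[Matrix]) -> Tuple[Vector, Matrix]:
    """CI fusion (2.38)-(2.39) with FCI weights, in the information form.

    Returns the fused information vector P_fus^{-1} x_fus and the fused
    information matrix P_fus^{-1}, i.e. exactly what a fusion cloud outputs.
    """
    weights = fci_weights(covs)
    d = len(estimates[0])
    y_fus = [0.0] * d
    Y_fus = [[0.0] * d for _ in range(d)]
    for omega, x, P in zip(weights, estimates, covs):
        Y = inv2(P)             # information matrix P_i^{-1}   (2.17)
        y = matvec(Y, x)        # information vector P_i^{-1} x_i  (2.16)
        for i in range(d):
            y_fus[i] += omega * y[i]
            for j in range(d):
                Y_fus[i][j] += omega * Y[i][j]
    return y_fus, Y_fus


def check_constraints(covs: List[Matrix], tol: float = 1e-12) -> bool:
    """True when the FCI weights satisfy (2.40) and every constraint (2.42)."""
    w = fci_weights(covs)
    ok = abs(sum(w) - 1.0) < tol
    for i in range(len(w) - 1):
        ok &= abs(w[i] * trace(covs[i]) - w[i + 1] * trace(covs[i + 1])) < tol
    return ok


# Constructed local estimates of a 2-D state from three sensors.
X_HAT = [[1.0, 2.0], [1.2, 1.8], [0.9, 2.3]]
P = [[[1.0, 0.2], [0.2, 1.0]],      # tr = 2.0
     [[4.0, 0.0], [0.0, 4.0]],      # tr = 8.0 (least informative sensor)
     [[0.5, 0.1], [0.1, 2.0]]]      # tr = 2.5

if __name__ == "__main__":
    y, Y = fci_fuse(X_HAT, P)
    P_fus = inv2(Y)
    print("weights:", fci_weights(P))
    print("fused estimate:", matvec(P_fus, y))
    print("fused covariance:", P_fus)
```

Note that sensor 2, with the largest trace, receives the smallest weight, which is the ordering that section 3.2 later exploits when fusion weights are leaked to the cloud.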

2.2. Encryption Preliminaries


Used cryptographic notions and schemes are summarised here. In addition, the encoding
of floating point numbers to integers suitable for encryption by the presented schemes
is introduced as well.


2.2.1. Meeting Cryptographic Notions


Cryptographic notions are formal mathematical constructs used to prove the security of
cryptographic schemes. A notion applies to a type of cryptographic scheme, typically
defined by a tuple of algorithms, for example, (Generate, Encrypt, Decrypt), and captures
the capabilities of considered attackers and accepted leakage of information to these
attackers, that is, what an attacker can do and what they can learn [102]. When a scheme
of an appropriate form is proved to meet a cryptographic notion it is mathematically
guaranteed that any attacker with the capabilities specified by the notion is limited in
gaining information from encryptions as also specified by the notion.
Notion capabilities and leakages are dependent on the goal of a particular encryption
scheme and are typically defined as a cryptographic game (or experiment) involving an
adversary and the encryption scheme algorithms [102, 103, 104]. Proofs that schemes
meet these notions are often based on existing proofs or assumptions believed to hold,
and proved by contrapositive. Below, some cryptographic notions relevant to this thesis
are introduced.

Indistinguishability under a Chosen Plaintext Attack (IND-CPA) This notion targets encryption schemes of the form (Generate, Encrypt, Decrypt) and states that an attacker cannot distinguish between encryptions of unknown messages when they can encrypt chosen messages of their own. For detailed definitions and the formal cryptographic game, see [102].

Aggregator Obliviousness (AO) The AO notion considers an environment of multiple participants where a single aggregator computes the summation of input from all other participants. An encryption scheme for this interaction is of the form (Setup, Encrypt, AggregateDecrypt). The notion states that no subset of colluding participants with access to all encryptions and the final summation can compute any more than a party with access to only the colluding participant inputs and the final summation can. The notion of AO and the relevant game are given in [31].

Indistinguishability under an Ordered Chosen Plaintext Attack (IND-OCPA) Notion IND-OCPA is the ideal notion of security for order-revealing encryption (ORE), stating that no attacker can distinguish between two sequences of encryptions when the numerical order of messages in the sequences is identical. The associated encryption scheme for the notion is of the form (Setup, Encrypt, Compare). Additional details and the cryptographic game are given in [105].

As novel encryption schemes and cryptographic games are presented in this thesis, ad-
ditional information on creating and proving cryptographic notions may be beneficial.
For introductory methods and the structure of proofs, see [102, 103].

2.2.2. Paillier Homomorphic Encryption Scheme


The Paillier encryption scheme [30] is an additive PHE scheme that bases its security
on the decisional composite residuosity assumption (DCRA) and meets the security


notion of IND-CPA. Key generation of the Paillier scheme is performed by choosing two
sufficiently large primes of an equal bit length, p and q, and computing N = pq [102].
The public key is defined by pk = N and the secret key by sk = (p, q).
Encryption of a plaintext message $a \in \mathbb{Z}_N$, producing ciphertext $c \in \mathbb{Z}^*_{N^2}$, is computed by

$c = E_{pk}(a) = (N+1)^a \rho^N \pmod{N^2}$ (2.45)

for a randomly chosen $\rho \in \mathbb{Z}_N$. Here, $\rho^N$ can be considered the noise term which hides the value $(N+1)^a \pmod{N^2}$, which due to the scheme construction, is an easily computable discrete logarithm. The decryption of the ciphertext $c$ is computed by

$a = D_{pk,sk}(c) = \frac{L\left( c^\lambda \pmod{N^2} \right)}{L\left( (N+1)^\lambda \pmod{N^2} \right)} \pmod{N}$ (2.46)

where $\lambda = \mathrm{lcm}(p-1, q-1)$ and $L(\psi) = \frac{\psi - 1}{N}$.


In addition to encryption and decryption, the Paillier scheme provides the following homomorphic properties, $\forall a_1, a_2 \in \mathbb{Z}_N$,

$D_{pk,sk}\left( E_{pk}(a_1) E_{pk}(a_2) \pmod{N^2} \right) = a_1 + a_2 \pmod{N}$, (2.47)

$D_{pk,sk}\left( E_{pk}(a_1) (N+1)^{a_2} \pmod{N^2} \right) = a_1 + a_2 \pmod{N}$, (2.48)

$D_{pk,sk}\left( E_{pk}(a_1)^{a_2} \pmod{N^2} \right) = a_1 a_2 \pmod{N}$. (2.49)

To simplify this notation, the shorthand operators $\oplus$ and $\otimes$ are used to denote homomorphic addition and multiplication, respectively, as

$E_{pk}(a_1) \oplus E_{pk}(a_2) \equiv E_{pk}(a_1) E_{pk}(a_2) \pmod{N^2}$ (2.50)

and

$a_2 \otimes E_{pk}(a_1) \equiv E_{pk}(a_1)^{a_2} \pmod{N^2}$. (2.51)

Similarly, encryption $E_{pk}(\cdot)$, decryption $D_{pk,sk}(\cdot)$ and the above operators $\oplus$ and $\otimes$ will denote elementwise operations when inputs are multi-dimensional.

2.2.3. Joye-Libert Aggregation Scheme


The Joye-Libert privacy-preserving aggregation scheme [66] is a scheme defined for n + 1
parties, where n participants have their data aggregated by an aggregator that performs
the homomorphic summation. It is defined on time-series data, indexed by timestep k,
and meets the security notion AO. Similarly to the Paillier scheme in section 2.2.2, it
bases its security on the DCRA, however, an aggregation scheme generates secret keys
for individual participants and the aggregating party, requiring an additional trusted
party to perform an initial key generation and distribution step.
Key generation is computed by choosing two equal-length and sufficiently large primes
p and q, and computing N = pq. A hash function H : Z → Z∗N 2 is defined and the
scheme’s public parameters are set to pub = (N, H). n secret keys are generated by


choosing $sk_i$, $1 \le i \le n$, uniformly from $\mathbb{Z}_{N^2}$ and distributing them to $n$ participants (whose data is to be aggregated). The last secret key is set as

$sk_0 = -\sum_{i=1}^{n} sk_i$, (2.52)

and sent to the aggregator.

At any timestep $k$, a participant $i$ can encrypt time-series plaintext data $a_i^{(k)} \in \mathbb{Z}_N$ to ciphertext $c_i^{(k)} \in \mathbb{Z}_{N^2}$ with

$c_i^{(k)} = E_{sk_i}\left( a_i^{(k)} \right) = (N+1)^{a_i^{(k)}} H(k)^{sk_i} \pmod{N^2}$. (2.53)

Here, we can consider $H(k)^{sk_i}$ the noise term which hides the easily computable discrete logarithm $(N+1)^{a_i^{(k)}} \pmod{N^2}$.

When all encryptions $c_i^{(k)}$, $1 \le i \le n$ are sent to the aggregator, summation and decryption of the aggregated sum are computed by

$c^{(k)} = \prod_{i=1}^{n} c_i^{(k)} \pmod{N^2}$ (2.54)

and

$\sum_{i=1}^{n} a_i^{(k)} = D_{sk_0}\left( c^{(k)} \right) = \frac{H(k)^{sk_0} c^{(k)} - 1}{N} \pmod{N}$. (2.55)

Correctness follows from $\sum_{i=0}^{n} sk_i = 0$, and thus

$H(k)^{sk_0} \prod_{i=1}^{n} c_i^{(k)} \pmod{N^2}$
$\equiv H(k)^{sk_0} \prod_{i=1}^{n} (N+1)^{a_i^{(k)}} H(k)^{sk_i} \pmod{N^2}$
$\equiv H(k)^{\sum_{j=0}^{n} sk_j} \prod_{i=1}^{n} (N+1)^{a_i^{(k)}} \pmod{N^2}$
$\equiv (N+1)^{\sum_{i=1}^{n} a_i^{(k)}} \pmod{N^2}$,

removing all noise terms.
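The aggregation round above, as an added example (not the thesis's own code). It assumes constructed toy primes for $N = pq$ (a real deployment needs a modulus of well over 1024 bits) and instantiates $H : \mathbb{Z} \to \mathbb{Z}^*_{N^2}$ with SHA-256, which the thesis does not prescribe; the participant keys, the aggregator key (2.52), encryption (2.53), the product (2.54) and the aggregator's decryption (2.55) follow the equations directly.

```python
"""Joye-Libert privacy-preserving aggregation, as in (2.52)-(2.55).

Added example, not code from the thesis. Toy modulus and an assumed SHA-256
instantiation of H(k); the aggregator only ever sees ciphertexts, the product
and the sum, never an individual a_i^(k).
"""
import hashlib
import secrets
from math import gcd

P_TOY, Q_TOY = 1000003, 1000033      # constructed toy primes of equal bit length
N = P_TOY * Q_TOY
N2 = N * N


def H(k: int) -> int:
    """Hash timestep k to an element of Z*_{N^2} (assumed instantiation)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{k}:{ctr}".encode()).digest()
        h = int.from_bytes(digest, "big") % N2
        if h > 1 and gcd(h, N) == 1:   # invertible mod N^2 iff coprime to N
            return h
        ctr += 1


def keygen(n: int):
    """Trusted setup: n participant keys from Z_{N^2}, sk_0 = -sum sk_i (2.52).

    sk_0 is the integer negation, not a reduction modulo N^2, so that the
    exponents cancel exactly in (2.55)."""
    sks = [secrets.randbelow(N2) for _ in range(n)]
    sk0 = -sum(sks)
    return sk0, sks


def encrypt(sk_i: int, k: int, a: int) -> int:
    """(2.53): c_i^(k) = (N+1)^a * H(k)^{sk_i} mod N^2."""
    return pow(N + 1, a % N, N2) * pow(H(k), sk_i, N2) % N2


def aggregate(ciphertexts) -> int:
    """(2.54): product of all participant ciphertexts mod N^2."""
    c = 1
    for ci in ciphertexts:
        c = c * ci % N2
    return c


def aggregate_decrypt(sk0: int, k: int, c: int) -> int:
    """(2.55): (H(k)^{sk_0} c^(k) - 1) / N mod N, the sum of all a_i^(k).

    sk0 is negative; Python's pow computes the modular inverse power."""
    v = pow(H(k), sk0, N2) * c % N2      # equals (N+1)^{sum a_i} = 1 + N*sum a_i
    return ((v - 1) // N) % N


def run_round(sk0: int, sks, k: int, plaintexts) -> int:
    """One timestep: every participant encrypts, the aggregator sums."""
    cts = [encrypt(sk, k, a) for sk, a in zip(sks, plaintexts)]
    return aggregate_decrypt(sk0, k, aggregate(cts))


if __name__ == "__main__":
    sk0, sks = keygen(3)
    print(run_round(sk0, sks, 7, [12, 30, 100]))    # 142
```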

2.2.4. Lewi Order-Revealing Encryption Scheme


The Lewi ORE scheme is a symmetric encryption scheme that allows for message values
to be compared numerically after encryption. The scheme does not meet the ideal notion
of security for ORE, IND-OCPA, due to inherent difficulties of this problem but rather
meets a weaker simulation-based security that allows for some leakage [106].


To allow additional control over which encrypted values can be compared, the scheme
provides two encryption functions, namely a left encryption and right encryption, such
that comparisons can only take place between left and right encryptions. As complete
equations for the scheme are lengthy and unnecessary for following this thesis, only its
notation will be introduced here. The two encryption equations provided can encrypt
plaintexts $a_1, a_2 \in \mathbb{Z}$ with a secret key $sk_o$ and functions

$E^{L}_{sk_o}(a_1)$ and $E^{R}_{sk_o}(a_2)$ (2.56)

denoting left and right encryption, respectively. Their comparison can be computed with a function

$C\left( E^{L}_{sk_o}(a_1), E^{R}_{sk_o}(a_2) \right) = \mathrm{cmp}(a_1, a_2)$, (2.57)

where

$\mathrm{cmp}(a_1, a_2) = \begin{cases} -1 & a_1 < a_2 \\ 0 & a_1 = a_2 \\ 1 & a_1 > a_2 \end{cases}$. (2.58)

For details on implementation, see [107].

2.2.5. Encoding Numbers for Encryption


The Paillier encryption scheme and the Joye-Libert aggregation scheme in sections 2.2.2
and 2.2.3 both provide encryption on integer inputs in the modulo group ZN given a large
N . In addition, they provide homomorphic operations on these inputs after encryption,
namely, the Paillier scheme provides addition and scalar multiplication with (2.47), (2.48)
and (2.49) while the Joye-Libert scheme provides addition with (2.54). For this reason,
real-valued estimation variables that may require encryption with these schemes, such
as those introduced in section 2.1, require quantisation and integer mapping such that
the operations are preserved after encryption. Throughout this thesis, we will rely on a
generalised Q number encoding [108] due to applicability and implementation simplicity.
Quantisation to a subset of rational numbers is performed in terms of an output range
M ∈ N and fractional precision ϕ ∈ N. This contrasts with the common definition in
terms of total bits and fractional bits [108, 64, 109] but allows for a direct mapping to
integer ranges which are not a power of two, such as the group ZN . This rational subset,
$Q_{M,\phi}$, is defined by

$Q_{M,\phi} = \left\{ \chi \;\middle|\; \phi\chi \in \mathbb{N} \wedge -\frac{M}{2} \le \phi\chi < \frac{M}{2} \right\}$, (2.59)

and can be used to quantise any real number a ∈ R by taking the nearest rational
χ ∈ QM,ϕ , that is, arg minχ∈QM,ϕ |a − χ|. Mapping the rationals QM,ϕ , both positive
and negative, to a group ZM can then be achieved by modulo arithmetic. Additionally,
we note that the Q number format requires a precision factor ϕ to be removed after
each encoded multiplication. This is captured by a third parameter $\delta$; the number of additional precision factors present in encodings, defined by the current multiplicative depth of the encoding.
The function for combined quantisation and encoding, $E_{M,\phi,\delta}(a)$, of a given number $a \in \mathbb{R}$ and with output integer range $\mathbb{Z}_M$, precision $\phi$ and scaling for multiplicative depth $\delta$, is given by

$E_{M,\phi,\delta}(a) = \left\lfloor \phi^{\delta+1} a \right\rceil \pmod{M}$. (2.60)

Decoding of an integer $u \in \mathbb{Z}_M$ is given by

$E^{-1}_{M,\phi,\delta}(u) = \begin{cases} \dfrac{u \pmod{M}}{\phi^{\delta+1}}, & u \pmod{M} \le \dfrac{M}{2} \\[1.5ex] -\dfrac{M - u \pmod{M}}{\phi^{\delta+1}}, & \text{otherwise} \end{cases}$. (2.61)

Encoding with (2.60) additionally provides two useful properties when used with homomorphic operations,

$E_{M,\phi,\delta}(a_1) + E_{M,\phi,\delta}(a_2) \pmod{M} \approx E_{M,\phi,\delta}(a_1 + a_2)$ (2.62)

and

$E_{M,\phi,\delta}(a_1) E_{M,\phi,\delta}(a_2) \pmod{M} \approx E_{M,\phi,\delta+1}(a_1 a_2)$, (2.63)

where deviation from equality stems from quantisation and its associated error

$\left| E^{-1}_{M,\phi,\delta}\left( E_{M,\phi,\delta}(a) \right) - a \right| \le \frac{1}{\phi}$. (2.64)
In general, choosing a large precision parameter ϕ reduces quantisation errors but
risks overflow after too many multiplications. When the largest multiplicative depth,
δmax , and the largest value to be encoded, amax , are known, ϕ can be chosen to avoid
overflow by satisfying

$\phi^{\delta_{\max}+1} a_{\max} < \frac{M}{2}$. (2.65)
In practice, we set M = N to use the Paillier or Joye-Libert schemes, such that the prop-
erties (2.62) and (2.63) can be used with the homomorphic operations of the schemes.
Equation (2.65) can then be ignored as $N$ is typically very large ($N > 2^{1024}$) and $\phi$ can be made sufficiently large to make quantisation errors negligible. Lastly, as with the simplified notation of Paillier functions, encoding $E_{M,\phi,\delta}(\cdot)$ and decoding $E^{-1}_{M,\phi,\delta}(\cdot)$ will denote elementwise operations when inputs are multi-dimensional.
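The following added example (not the thesis's own code) ties sections 2.2.2 and 2.2.5 together: it implements Paillier key generation, (2.45), (2.46), the operators (2.50) and (2.51), and the encoding (2.60) and decoding (2.61) with $M = N$, then evaluates a weighted sum $\omega a + (1 - \omega) b$ entirely on ciphertexts, which is the per-element operation chapter 3 performs on information vectors. The primes are constructed toy values and $\phi$ is chosen to respect (2.65) for them.

```python
"""Paillier encryption with the generalised Q encoding of section 2.2.5.

Added example, not code from the thesis. Toy primes (a real key needs
N > 2^1024); the encrypted weighted sum mirrors (3.6)/(3.7) for scalars.
"""
import secrets
from math import gcd

P_TOY, Q_TOY = 1000003, 1000033      # constructed toy primes of equal bit length


def keygen(p: int, q: int):
    """pk = N, sk = (p, q)."""
    return p * q, (p, q)


def encrypt(pk: int, a: int) -> int:
    """(2.45): c = (N+1)^a * rho^N mod N^2 with fresh random rho in Z_N^*."""
    n2 = pk * pk
    while True:
        rho = secrets.randbelow(pk)
        if rho > 0 and gcd(rho, pk) == 1:
            break
    return pow(pk + 1, a % pk, n2) * pow(rho, pk, n2) % n2


def decrypt(pk: int, sk, c: int) -> int:
    """(2.46) with lambda = lcm(p-1, q-1) and L(psi) = (psi - 1) / N."""
    p, q = sk
    n2 = pk * pk
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)

    def L(psi: int) -> int:
        return (psi - 1) // pk

    num = L(pow(c, lam, n2))
    den = L(pow(pk + 1, lam, n2))
    return num * pow(den, -1, pk) % pk       # division mod N via inverse


def hadd(pk: int, c1: int, c2: int) -> int:
    """(2.50): E(a1) (+) E(a2) = E(a1) * E(a2) mod N^2."""
    return c1 * c2 % (pk * pk)


def hmul(pk: int, a2: int, c1: int) -> int:
    """(2.51): a2 (x) E(a1) = E(a1)^a2 mod N^2."""
    return pow(c1, a2, pk * pk)


def encode(a: float, M: int, phi: int, delta: int) -> int:
    """(2.60): round(phi^(delta+1) * a) mod M; negatives wrap into the top half."""
    return round(phi ** (delta + 1) * a) % M


def decode(u: int, M: int, phi: int, delta: int) -> float:
    """(2.61): residues above M/2 are read back as negative numbers."""
    u %= M
    scale = phi ** (delta + 1)
    return u / scale if u <= M // 2 else -(M - u) / scale


def encrypted_weighted_sum(omega: float, a: float, b: float, phi: int = 1000) -> float:
    """omega*a + (1-omega)*b computed on ciphertexts only, then decoded.

    Every encoded multiplication raises the depth by one (2.63), so the
    result is decoded at delta = 1 although the inputs were encoded at 0.
    """
    pk, sk = keygen(P_TOY, Q_TOY)
    M = pk                                       # M = N, as in section 2.2.5
    ca = encrypt(pk, encode(a, M, phi, 0))       # sensor-side: encode, then encrypt
    cb = encrypt(pk, encode(b, M, phi, 0))
    # cloud-side: weights are public plaintexts, estimates stay encrypted
    cw = hadd(pk, hmul(pk, encode(omega, M, phi, 0), ca),
                  hmul(pk, encode(1 - omega, M, phi, 0), cb))
    return decode(decrypt(pk, sk, cw), M, phi, 1)   # querying party


if __name__ == "__main__":
    print(encrypted_weighted_sum(0.25, -3.0, 5.0))   # 3.0
```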

3. Estimate Fusion on an Untrusted Cloud
3.1. Problem Formulation
Motivated by the key step in multi-sensor fusion, we are interested in transmitting local
sensor state estimates over a network to be fused by a fusion cloud. In particular, we
consider centralised FCI fusion, as introduced in section 2.1.6, over a public network
and at an untrusted fusion cloud. The aim is for fusion to be computed by the cloud
on encrypted sensor data to preserve individual and fused estimate confidentiality, that
is, no estimate information should be made available to network eavesdroppers, sensors
that did not produce it or the fusion cloud itself. A trusted querying third party, holding
appropriate secret keys, is presumed to exist which can request and process the fused
estimate information from the cloud.
The concrete estimation problem is captured by a time-independent process defined
by its state x ∈ Rd and is estimated by sensors i, 1 ≤ i ≤ n, each producing a state
estimate and estimate error covariance,

$\hat{x}_i \in \mathbb{R}^d$ and $P_i \in \mathbb{R}^{d \times d}$, (3.1)

respectively. As we are interested in computing the FCI algorithm, we consider sensors that produce estimates in the information form, namely, the information vector and information matrix,

$P_i^{-1} \hat{x}_i$ and $P_i^{-1}$, (3.2)

instead. Information (3.2) is to be sent to the fusion cloud where FCI is computed and a fused information vector and information matrix,

$P_{\mathrm{fus}}^{-1} \hat{x}_{\mathrm{fus}} \in \mathbb{R}^d$ and $P_{\mathrm{fus}}^{-1} \in \mathbb{R}^{d \times d}$, (3.3)

are produced. A trusted querying party can then request (3.3) from the cloud when
desired.
The cryptographic aims of this problem are captured by the actions of the involved
parties and the accepted leakage of confidential information.

Honest-but-curious parties We assume that all sensors and the fusion cloud follow fu-
sion protocols correctly and that no injection or modification to transmitted data
is performed by network eavesdroppers. However, all parties may use any learned
information for external malicious gain. Collusion between any malicious parties
is considered possible.

Encrypted estimates meeting IND-CPA Permitted leakage is such that all estimate information available to a colluding subset of malicious parties, excluding any locally produced estimates (in the case of malicious sensors), is encrypted with a scheme meeting the IND-CPA cryptographic notion, introduced in section 2.2.1.

The relatively strict estimation and security aims above can be difficult to achieve
in general and relaxations of some requirements may be necessary to achieve others.
This will be seen in the two methods presented later in this chapter. Participants,
communications between them and whether they are trusted, concerning the ideal aims
above, are summarised graphically in figure 3.1.

[Figure 3.1: Estimator 1 to Estimator n each send $P_i^{-1} \hat{x}_i$, $P_i^{-1}$ over a network exposed to eavesdroppers to the Cloud, which provides $P_{\mathrm{fus}}^{-1} \hat{x}_{\mathrm{fus}}$, $P_{\mathrm{fus}}^{-1}$ to the Querying Party.]

Figure 3.1.: Trusted (green) and untrusted (red) participants, and the communications between them in the cloud fusion problem.

3.2. Confidential Cloud Fusion Leaking Fusion Weights


In this section, we present a method for computing the fusion result (3.3) at the fusion
cloud by leaking the FCI fusion weights (2.44) to malicious adversaries. As stated in the
problem formulation, solving the fusion problem, in general, is difficult, and we make
some relaxations to the cryptographic aims for this solution.

Trusted sensors In this method, we assume that sensors are trusted. That is, only the
fusion cloud and eavesdroppers are considered honest-but-curious adversaries, and
no sensor estimate information should be made available to them.

Leakage of fusion weights While all estimate information available to colluding mali-
cious parties should be encrypted with a scheme meeting the IND-CPA notion, we
make an exception for the FCI fusion weights (2.44), which may be leaked to both
the fusion cloud and eavesdroppers.

Here, we also note that the weakening of cryptographic guarantees caused by the leakage
of fusion weights also has an upside that benefits fusion performance. The leakage of weights allows the cloud to prioritise some sensor data over others. For example, in
bandwidth-limited networks, communication with sensors of lower weight, and therefore
high uncertainty, may be dropped in favour of those that lead to better fusion results.
Lastly, we assume that the trusted sensors are computationally capable of locally run-
ning both the Paillier and Lewi encryption schemes, introduced in sections 2.2.2 and
2.2.4, and require a one-time network key distribution step before fusion of sensor data
can take place at the cloud. This key distribution step consists of a trusted party gener-
ating a Paillier scheme public key pair pk and sk and a shared Lewi scheme symmetric
key sko . The public key pk is made available to the cloud and sensors, the secret key sk
to the querying party and the shared ORE key sko to the sensors. The sharing of these
keys can be performed by any public-key encryption scheme such as RSA [29].

3.2.1. Two-sensor Case


The confidential fusion algorithm will first be introduced in the special case of two
sensors, before an extension to the n-sensor case. Recalling FCI fusion (2.38), (2.39)
and (2.40), we can write the fusion of two information vectors and matrices as

$P_{\mathrm{fus}}^{-1} \hat{x}_{\mathrm{fus}} = \omega_1 P_1^{-1} \hat{x}_1 + (1 - \omega_1) P_2^{-1} \hat{x}_2$ (3.4)

and

$P_{\mathrm{fus}}^{-1} = \omega_1 P_1^{-1} + (1 - \omega_1) P_2^{-1}$, (3.5)
with 0 ≤ ω1 ≤ 1, and note the suitability of addition and scalar multiplication to the
Paillier scheme when the weight ω1 is known. To compute the fused information vector
P−1 −1
fus x̂fus and information matrix Pfus homomorphically, local estimate information must
first be encoded as integers before encryption at the sensors. Using the Q number format
in section 2.2.5, we let M = N , where N is the Paillier modulus, choose an appropriate
precision ϕ and denote encoding with multiplicative depth δ as Eδ (·). Encoding, en-
cryption and fusion with Paillier homomorphic properties (2.47) and (2.49) is then given
by
  
Epk E1 P−1 fus x̂fus ≈ E0 (ω1 ) ⊗ Epk E0 P−1
1 x̂1 ⊕ E0 (1 − ω1 ) ⊗ Epk E0 P−1
2 x̂2
(3.6)
and
  
Epk E1 P−1 fus ≈ E0 (ω1 ) ⊗ Epk E0 P−11 ⊕ E0 (1 − ω1 ) ⊗ Epk E0 P−1 2 , (3.7)

with encoding approximation errors dependent on precision parameter ϕ. The trusted


querying party can now request encryptions (3.6) and (3.7) from the cloud and decrypt
them with secret key sk.
All that remains for computing (3.6) and (3.7) in the two-sensor case is obtaining the parameter $\omega_1$ at the cloud. Since $\omega_1$ depends on the estimate errors of both sensors it cannot be computed locally and requires appropriate leakage to the cloud. This is achieved by using the Lewi ORE scheme and encrypting discretised sequences whose intersection can be used to compute the two-sensor FCI fusion weight constraint (2.42), namely
$$\omega_1\,\mathrm{tr}(\mathbf{P}_1) = (1-\omega_1)\,\mathrm{tr}(\mathbf{P}_2). \tag{3.8}$$
To evaluate (3.8) with comparisons at the cloud, a public stepsize $g \le 1$ is chosen, such that $1/g \in \mathbb{N}$, and both sensors discretise the weight $0 \le \omega_1 \le 1$ and compute resulting sequences of either side of the equality in (3.8). This results in the sequence
$$\langle 0,\ g\,\mathrm{tr}(\mathbf{P}_1),\ 2g\,\mathrm{tr}(\mathbf{P}_1),\ \ldots,\ \mathrm{tr}(\mathbf{P}_1)\rangle \tag{3.9}$$
at sensor 1 and
$$\langle \mathrm{tr}(\mathbf{P}_2),\ (1-g)\,\mathrm{tr}(\mathbf{P}_2),\ (1-2g)\,\mathrm{tr}(\mathbf{P}_2),\ \ldots,\ 0\rangle \tag{3.10}$$
at sensor 2. Comparison of same-index values in the sequences (3.9) and (3.10) leads to the bounds $\iota g < \omega_1 < (\iota+1)g$, for some index $\iota$, that can be used to approximate the true solution as $\hat\omega_1 = \iota g + g/2 \approx \omega_1$, or in the case of an equality, $\hat\omega_1 = \iota g = \omega_1$. To obtain this approximation without additional leakage, elements in (3.9) and (3.10) are encrypted with the ORE key $sk_o$. As no homomorphic operations are performed with the scheme an arbitrary precision integer encoding can be used and is neglected from the notation below. The sequence produced by sensor 1 is therefore given by
$$\big\langle \mathcal{E}^{L}_{sk_o}(0),\ \mathcal{E}^{L}_{sk_o}(g\,\mathrm{tr}(\mathbf{P}_1)),\ \mathcal{E}^{L}_{sk_o}(2g\,\mathrm{tr}(\mathbf{P}_1)),\ \ldots,\ \mathcal{E}^{L}_{sk_o}(\mathrm{tr}(\mathbf{P}_1))\big\rangle \tag{3.11}$$
and that by sensor 2 by
$$\big\langle \mathcal{E}^{R}_{sk_o}(\mathrm{tr}(\mathbf{P}_2)),\ \mathcal{E}^{R}_{sk_o}((1-g)\,\mathrm{tr}(\mathbf{P}_2)),\ \mathcal{E}^{R}_{sk_o}((1-2g)\,\mathrm{tr}(\mathbf{P}_2)),\ \ldots,\ \mathcal{E}^{R}_{sk_o}(0)\big\rangle, \tag{3.12}$$
where we note the difference between left and right encryptions for each sensor, allowing comparisons between sequences. Efficiently findable using a binary search, the approximate solution when comparing elements of the two sequences can be seen graphically in figure 3.2, where the approximation is taken as halfway between consecutive comparisons that change sign.
In this way, computing fusion on the cloud homomorphically can be performed when having access to only local encryptions of information vectors and matrices, (3.7) and (3.6), in addition to the sequences of ORE encryptions (3.11) and (3.12) that leak an approximation $\hat\omega_1 \approx \omega_1$.

Figure 3.2.: Approximation of $\omega_1$ with stepsize $g = 0.1$. Comparisons are only possible when $\omega_1$ is a multiple of $g$ (points on the graphs). [Plot: $\omega_1$ on the horizontal axis from 0.0 to 1.0; the lines $\omega_1\,\mathrm{tr}(\mathbf{P}_1)$ and $(1-\omega_1)\,\mathrm{tr}(\mathbf{P}_2)$, the solution bounds and the approximate solution $\hat\omega_1$ are marked.]

3.2.2. Multi-sensor Case

To compute the fusion of $n$ sensor estimates in the information form we want the solutions to
$$\mathbf{P}_{\mathrm{fus}}^{-1}\hat{\mathbf{x}}_{\mathrm{fus}} = \sum_{i=1}^{n}\omega_i\,\mathbf{P}_i^{-1}\hat{\mathbf{x}}_i \tag{3.13}$$
and
$$\mathbf{P}_{\mathrm{fus}}^{-1} = \sum_{i=1}^{n}\omega_i\,\mathbf{P}_i^{-1}. \tag{3.14}$$
When the fusion weights $\omega_i$, $1 \le i \le n$, $\sum_{i=1}^{n}\omega_i = 1$, are known, we can again use the appropriate integer encoding and Paillier homomorphic properties to compute the fusion homomorphically as
$$\mathcal{E}_{pk}\big(E_1(\mathbf{P}_{\mathrm{fus}}^{-1}\hat{\mathbf{x}}_{\mathrm{fus}})\big) \approx \bigoplus_{i=1}^{n} E_0(\omega_i)\otimes\mathcal{E}_{pk}\big(E_0(\mathbf{P}_i^{-1}\hat{\mathbf{x}}_i)\big) \tag{3.15}$$
and
$$\mathcal{E}_{pk}\big(E_1(\mathbf{P}_{\mathrm{fus}}^{-1})\big) \approx \bigoplus_{i=1}^{n} E_0(\omega_i)\otimes\mathcal{E}_{pk}\big(E_0(\mathbf{P}_i^{-1})\big). \tag{3.16}$$
What remains is to compute the weights $\omega_i$ at the cloud such that the n-sensor FCI conditions (2.42) are met. Similar to the two-sensor case, we can use sequences of ORE encryptions to leak an approximation to this result.
Each condition (2.42) is considered as a partial problem, that is,
$$\omega_i\,\mathrm{tr}(\mathbf{P}_i) = \omega_{i+1}\,\mathrm{tr}(\mathbf{P}_{i+1}), \tag{3.17}$$
with $1 \le i < n$ and $\sum_{i=1}^{n}\omega_i = 1$, and their solution spaces, linear subspaces $\mathbf{S}_i$ over possible values of $\boldsymbol\omega = [\,\omega_1\ \cdots\ \omega_n\,]^\top$, desired. The intersection of these subspaces naturally results in the final solution to $\boldsymbol\omega$ in (2.43). Each solution space $\mathbf{S}_i$ can be defined by $n-1$ linearly independent solution points $\boldsymbol\omega_i^{(\zeta)}$, $1 \le \zeta \le n-1$. $n-2$ of these solutions can be trivially obtained as the points where a single $\omega_j = 1$, $j \ne i \ne i+1$ while the final point, $\boldsymbol\omega_i^{(n-1)}$, can be obtained as the solution to
$$\omega_i\,\mathrm{tr}(\mathbf{P}_i) = (1-\omega_i)\,\mathrm{tr}(\mathbf{P}_{i+1}), \tag{3.18}$$
$\omega_j = 0$, $j \ne i \ne i+1$, noting equivalence to (3.17) and $\omega_{i+1} = 1 - \omega_i$. The solutions $\boldsymbol\omega_i^{(\zeta)}$ and the $n-2$ dimensional subspace they define can be rewritten in parametric form as
$$\mathbf{S}_i(\boldsymbol\gamma) = \boldsymbol\omega_i^{(1)} + \big[\,\bar{\boldsymbol\omega}_i^{(2)}\ \cdots\ \bar{\boldsymbol\omega}_i^{(n-1)}\,\big]\,\boldsymbol\gamma, \tag{3.19}$$
where $\bar{\boldsymbol\omega}_i^{(\zeta)} = \boldsymbol\omega_i^{(\zeta)} - \boldsymbol\omega_i^{(1)}$ denote the direction vectors. The intersection of these $n-1$ subspaces gives the solution to $\boldsymbol\omega$ in (2.43). This solution, as well as the parameters for each subspace that provide it, $\boldsymbol\gamma_i$, can be obtained as a solution to the linear system
$$\begin{bmatrix} -\mathbf{I} & \bar{\boldsymbol\omega}_1^{(2)}\ \cdots\ \bar{\boldsymbol\omega}_1^{(n-1)} & \mathbf{0} & \cdots & \mathbf{0} \\ \vdots & \mathbf{0} & \ddots & \ddots & \vdots \\ \vdots & \vdots & \ddots & \ddots & \mathbf{0} \\ -\mathbf{I} & \mathbf{0} & \cdots & \mathbf{0} & \bar{\boldsymbol\omega}_{n-1}^{(2)}\ \cdots\ \bar{\boldsymbol\omega}_{n-1}^{(n-1)} \end{bmatrix} \begin{bmatrix} \boldsymbol\omega \\ \boldsymbol\gamma_1 \\ \vdots \\ \boldsymbol\gamma_{n-1} \end{bmatrix} = \begin{bmatrix} -\boldsymbol\omega_1^{(1)} \\ \vdots \\ -\boldsymbol\omega_{n-1}^{(1)} \end{bmatrix}. \tag{3.20}$$

Therefore, to compute (3.20) at the cloud leaking only comparisons required to compute the fusion weights, we approximate the solutions to (3.18) with ORE sequences similar to the two-sensor case. Each sensor $i$ uses $sk_o$ to encrypt the discretisation
$$\begin{aligned} &\big\langle \mathcal{E}^{L}_{sk_o}(0),\ \mathcal{E}^{L}_{sk_o}(g\,\mathrm{tr}(\mathbf{P}_i)),\ \mathcal{E}^{L}_{sk_o}(2g\,\mathrm{tr}(\mathbf{P}_i)),\ \ldots,\ \mathcal{E}^{L}_{sk_o}(\mathrm{tr}(\mathbf{P}_i))\big\rangle, && \text{if } i \text{ is odd, or} \\ &\big\langle \mathcal{E}^{R}_{sk_o}(0),\ \mathcal{E}^{R}_{sk_o}(g\,\mathrm{tr}(\mathbf{P}_i)),\ \mathcal{E}^{R}_{sk_o}(2g\,\mathrm{tr}(\mathbf{P}_i)),\ \ldots,\ \mathcal{E}^{R}_{sk_o}(\mathrm{tr}(\mathbf{P}_i))\big\rangle, && \text{if } i \text{ is even,} \end{aligned} \tag{3.21}$$
allowing for comparison between sequences from consecutive sensors $i$ and $i+1$. To approximate the solution to each (3.18), the sequence from sensor $i+1$ is reversed,
$$\begin{aligned} &\big\langle \mathcal{E}^{L}_{sk_o}(\mathrm{tr}(\mathbf{P}_i)),\ \mathcal{E}^{L}_{sk_o}((1-g)\,\mathrm{tr}(\mathbf{P}_i)),\ \mathcal{E}^{L}_{sk_o}((1-2g)\,\mathrm{tr}(\mathbf{P}_i)),\ \ldots,\ \mathcal{E}^{L}_{sk_o}(0)\big\rangle, && \text{if } i \text{ is odd, or} \\ &\big\langle \mathcal{E}^{R}_{sk_o}(\mathrm{tr}(\mathbf{P}_i)),\ \mathcal{E}^{R}_{sk_o}((1-g)\,\mathrm{tr}(\mathbf{P}_i)),\ \mathcal{E}^{R}_{sk_o}((1-2g)\,\mathrm{tr}(\mathbf{P}_i)),\ \ldots,\ \mathcal{E}^{R}_{sk_o}(0)\big\rangle, && \text{if } i \text{ is even,} \end{aligned} \tag{3.22}$$
resulting in sequences of the same form as (3.11) and (3.12). The value $\hat\omega_i = \iota g + g/2 \approx \omega_i$, or in the case of an equality $\hat\omega_i = \iota g = \omega_i$, for some index $\iota$, is used to approximate the solution $\hat\omega_i^{(n-1)} \approx \omega_i^{(n-1)}$. A visualisation of solving (3.20) with partial solutions (3.18) in the three-sensor case is graphically shown in figure 3.3.
A resulting estimate $\hat{\boldsymbol\omega} \approx \boldsymbol\omega$ can then be used with (3.15) and (3.16) to compute the fusion of $n$ information vectors and matrices at the cloud.
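The cloud-side weight search of section 3.2.1 and its n-sensor extension above, as one added example that is not the dissertation's code. The Lewi ORE scheme is replaced by a stand-in `OreKey` that is assumed to give the cloud exactly what the text relies on, left and right ciphertexts plus a three-way comparison; the sequences, the binary search, and the chaining of the pairwise solutions (3.18) into the intersection (taken here in closed form rather than by solving (3.20) as a linear system, which is assumed equivalent) are the protocol logic.

```python
"""Cloud-side approximation of FCI fusion weights from ORE comparisons.

Added example, not the dissertation's code.  OreKey is a stand-in for the
Lewi scheme, assumed to give the cloud the same interface as the real one:
left and right ciphertexts plus a three-way comparison, nothing else.
"""
from fractions import Fraction
from typing import Callable, List, Tuple

Ct = Tuple[str, Fraction]   # mock ciphertext: ("L" or "R", hidden plaintext)


class OreKey:
    """The shared ORE key sk_o (mock); compare() is all the cloud may call."""

    def enc_left(self, v: Fraction) -> Ct:
        return ("L", v)

    def enc_right(self, v: Fraction) -> Ct:
        return ("R", v)

    @staticmethod
    def compare(left: Ct, right: Ct) -> int:
        """sign(left - right) for one left and one right ciphertext."""
        if (left[0], right[0]) != ("L", "R"):
            raise ValueError("ORE compares a left against a right ciphertext")
        return (left[1] > right[1]) - (left[1] < right[1])


def sensor_sequences(key: OreKey, i: int, trace: Fraction, g: Fraction):
    """Sensor i (1-based) emits the forward sequence (3.21) and the reversed
    sequence (3.22); odd sensors use left, even sensors right encryptions."""
    enc = key.enc_left if i % 2 == 1 else key.enc_right
    m = int(1 / g)                                   # 1/g is a natural number
    fwd = [enc(iota * g * trace) for iota in range(m + 1)]
    rev = [enc((1 - iota * g) * trace) for iota in range(m + 1)]
    return fwd, rev


def approximate_weight(cmp: Callable[[int], int], m: int, g: Fraction):
    """Binary search for the index where cmp(iota) =
    sign(iota g tr(P_i) - (1 - iota g) tr(P_{i+1})) changes sign.
    Returns omega_hat and the number of comparisons spent, O(log 1/g)."""
    lo, hi, used = 0, m, 0            # cmp(0) < 0 < cmp(m) as traces are > 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        used += 1
        if cmp(mid) <= 0:
            lo = mid
        else:
            hi = mid
    used += 1
    if cmp(lo) == 0:                  # exact hit: omega_hat = iota g
        return lo * g, used
    return lo * g + g / 2, used       # iota g < omega < (iota + 1) g


def cloud_fusion_weights(seqs: List[Tuple[List[Ct], List[Ct]]], g: Fraction):
    """Cloud side for n sensors: solve each pairwise problem (3.18) from the
    forward sequence of sensor i and the reversed one of sensor i + 1, then
    intersect the partial solutions.  The intersection is taken in closed
    form, chaining the ratios omega_{i+1}/omega_i and normalising, which is
    assumed equivalent to solving the linear system (3.20)."""
    m = len(seqs[0][0]) - 1
    w = [Fraction(1)]
    for i in range(len(seqs) - 1):
        fwd, rev = seqs[i][0], seqs[i + 1][1]
        if fwd[0][0] == "L":          # odd sensor i: fwd is left, rev right
            cmp = lambda k: OreKey.compare(fwd[k], rev[k])
        else:                         # even sensor i: sides swap, negate sign
            cmp = lambda k: -OreKey.compare(rev[k], fwd[k])
        w_hat, _ = approximate_weight(cmp, m, g)
        w.append(w[-1] * (1 - w_hat) / w_hat)   # omega_{i+1}/omega_i ratio
    total = sum(w)
    return [v / total for v in w]


def fci_weights(traces) -> List[Fraction]:
    """True FCI weights for reference: omega_i proportional to 1/tr(P_i)."""
    inv = [1 / Fraction(t) for t in traces]
    return [v / sum(inv) for v in inv]


def within_bound(w_hat, w_true, g) -> bool:
    """Checks the error bound (3.27): ||omega_hat - omega||_2 <= (g/2) sqrt(n)."""
    g = Fraction(g)
    err2 = sum((a - b) ** 2 for a, b in zip(w_hat, w_true))
    return err2 <= (g / 2) ** 2 * len(w_true)


def run(traces, g) -> List[Fraction]:
    """Sensors encrypt with the shared key; the cloud sees only the sequences."""
    g, key = Fraction(g), OreKey()
    seqs = [sensor_sequences(key, i + 1, Fraction(t), g)
            for i, t in enumerate(traces)]
    return cloud_fusion_weights(seqs, g)
```

With traces 2, 5 and 1 and $g = 1/10$ the cloud recovers $\hat{\boldsymbol\omega} = (9/29, 3/29, 17/29)$ against the true $(5/17, 2/17, 10/17)$, inside the bound (3.27).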

Figure 3.3.: Solving fusion weights $\boldsymbol\omega$ as the intersect of partial solutions (3.17). (a) Approximated solution space (3.19) when $i = 1$. (b) Approximated solution space (3.19) when $i = 2$. (c) Intersection of partial solution spaces gives fusion weights $\boldsymbol\omega$ in (2.43). [Three plots over the simplex $\sum_{i=1}^{n}\omega_i = 1$ with axes $\omega_1$, $\omega_2$ and $\omega_3$ from 0.0 to 1.0, showing the solution subspaces $\mathbf{S}_1(\boldsymbol\gamma)$ and $\mathbf{S}_2(\boldsymbol\gamma)$, their points $\boldsymbol\omega_1^{(1)}$, $\boldsymbol\omega_1^{(2)}$, $\boldsymbol\omega_2^{(1)}$, $\boldsymbol\omega_2^{(2)}$, and the FCI solution $\boldsymbol\omega$.]


3.2.3. Computational Complexity

The method introduced allows the computation of FCI by using the Paillier and Lewi encryption schemes. Naturally, relying on encryption and homomorphic operations increases the complexity of computing this fusion at the sensor, cloud and querying party. Here, we look at the computational complexity of the method in terms of the required operations at each party. We assume that both the Lewi and Paillier schemes use the same key size, typically measured in bits, $\log N$, where $N$ is the Paillier modulus defined in section 2.2.2. In addition, we note the distinction between floating-point or small integer operations, treated as having runtime $O(1)$, and large integer operations with runtime dependent on bit length. While hardware architecture exists for faster encryption operations [28], we consider software implementations and treat large integer operations in terms of bit operations explicitly.
Individual encryption operation complexities with the assumptions made above have been summarised in table 3.1. Applying operation complexities to the fusion algorithm we get the computational complexity for the sensors, cloud and querying party. These can be seen in table 3.2, where unencrypted FCI algorithm complexities are also shown for reference. These complexities show the additional computational cost required for providing the security benefits of the presented scheme and must naturally be reflected in chosen hardware when developing a system where the benefits are desired.

Table 3.1.: Computation complexity of involved encryption operations.

Operation                        Complexity
Paillier Encryption              $O(\log^3 N)$
Paillier Decryption              $O(\log^3 N)$
Paillier Addition                $O(\log^2 N)$
Paillier Scalar Multiplication   $O(\log^3 N)$
Lewi Left Encryption             $O(\log^2 N)$
Lewi Right Encryption            $O(\log^2 N)$
Lewi Comparison                  $O(\log^2 N)$

Table 3.2.: Computation complexity for each party.

Party            FCI                  Confidential Fusion Leaking Weights
Sensor           $O(1)$               $O\big(d^2\log^3 N + \tfrac{1}{g}\log^2 N\big)$
Cloud            $O(nd^2 + n^3)$      $O\big(nd^2\log^3 N + n\log\tfrac{1}{g} + n^3\big)$
Querying Party   $O(1)$               $O\big(d^2\log^3 N\big)$

3.2.4. Security Analysis

Recalling the cryptographic aims of the estimate fusion problem introduced in the problem formulation and weakened for the presented method, we want all estimate information to be encrypted with a notion meeting IND-CPA at the fusion cloud and eavesdroppers while allowing the leakage of fusion weights.
Since Paillier encryptions (3.15) and (3.16) meet the IND-CPA notion, this information meets the desired aims. The remaining available information to the cloud and eavesdroppers are the sequences encrypted by the Lewi ORE scheme. This scheme meets the simulation-based security discussed in section 2.2.4 and is shown in section 3.2.2 to correspond to the leakage of approximations to the weights $\omega_i$, in addition to some leakage beyond the used ciphertext order comparisons due to the relaxation of the IND-OCPA notion (which can be difficult to quantify in context). Lastly, we also acknowledge an implicit leakage of estimate dimension $d$ associated with the use of elementwise encryption. Although methods for the homomorphic encryption of vectors exist [65], we leave this as future work on this topic and note that the dimension $d$ may leak information about the data fusion use case but that estimates themselves remain encrypted.
The leakages present in the introduced method, namely the leakage of fusion weights and estimate dimensions, may lead to inferences about sensor hardware and must naturally be considered when planning the implementation of this method in a real-world system.

3.2.5. Simulation

Along with the discussions above, we have implemented a simulation of the method to demonstrate its fusion accuracy when compared to the FCI algorithm on a trusted cloud. A constant-velocity linear system,
$$\mathbf{x}_{k+1} = \begin{bmatrix} 1 & 0 & 0.5 & 0 \\ 0 & 1 & 0 & 0.5 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix}\mathbf{x}_k + \mathbf{w}_k, \tag{3.23}$$
with noise term
$$\mathbf{w}_k \sim \mathcal{N}\left(\mathbf{0},\ \frac{1}{10^3}\cdot\begin{bmatrix} 0.42 & 0 & 1.25 & 0 \\ 0 & 0.42 & 0 & 1.25 \\ 1.25 & 0 & 5.0 & 0 \\ 0 & 1.25 & 0 & 5.0 \end{bmatrix}\right) \tag{3.24}$$
was simulated and measured by four independent position sensors $1 \le i \le 4$, that produced measurements
$$\mathbf{z}_{k,i} = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \end{bmatrix}\mathbf{x}_k + \mathbf{v}_{k,i}, \qquad \mathbf{v}_{k,i} \sim \mathcal{N}(\mathbf{0}, \mathbf{R}_i), \tag{3.25}$$
with noise term covariances sampled independently, resulting in
$$\mathbf{R}_1 = \begin{bmatrix} 4.77 & -0.15 \\ -0.15 & 4.94 \end{bmatrix}, \quad \mathbf{R}_2 = \begin{bmatrix} 2.99 & -0.55 \\ -0.55 & 4.44 \end{bmatrix}, \quad \mathbf{R}_3 = \begin{bmatrix} 2.06 & 0.68 \\ 0.68 & 1.96 \end{bmatrix} \text{ and } \mathbf{R}_4 = \begin{bmatrix} 1.17 & 0.80 \\ 0.80 & 0.64 \end{bmatrix}. \tag{3.26}$$

Each sensor ran a local linear IF from section 2.1.4, initialised with the true state of the system, before processing and sending its estimate information, $\mathbf{P}_{k,i}^{-1}\hat{\mathbf{x}}_{k,i}$ and $\mathbf{P}_{k,i}^{-1}$, to the cloud for fusion. At each timestep, the time-independent fusion of information vectors and matrices was computed homomorphically at the cloud and decrypted by the querying party. The simulation was written in the Python and C programming languages, using the Paillier PHE scheme library [110], and using a key size of 512 bits for encryption schemes. Figure 3.4 shows the average estimation error of 1000 simulations when using our algorithm with varying stepsizes $g$ alongside the standard FCI algorithm. In all cases, resulting plaintext information vectors and matrices were converted to estimates and estimate error covariances before comparison with the true simulated state. From the figure, it can be seen that the estimation error of our method is similar to the normal FCI method when stepsize $g$ is small, $g = 0.1$, but grows as expected when $g$, and thus the possible error in weights $\omega_i$, is increased.

Figure 3.4.: Average MSE with varying stepsize $g$ over 1000 simulation runs. [Plot: Mean Square Error (MSE), 0.00 to 0.35, against Simulation Timestep, 0 to 50; curves for $g = 0.1$, $g = 0.2$, $g = 0.5$ and the FCI Benchmark.]

Since the system described by (3.23), (3.25) and estimated by the IF reaches an estimation steady-state, fusion weights $\omega_i$ do as well. Figure 3.5 shows the steady state error of estimated weights when compared to the true FCI weights. Here, the maximum errors in fusion weights naturally depend on the stepsize $g$ and support the results seen in figure 3.4. Further, an upper bound on this error can be derived by considering the maximum error of each approximation (3.18) and is given by
$$|\hat{\boldsymbol\omega} - \boldsymbol\omega| \le \frac{g}{2}\sqrt{n}. \tag{3.27}$$

Figure 3.5.: Steady-state MSE of estimated weights $\hat{\boldsymbol\omega}$ with varying stepsize $g$. [Plot: Mean Square Error (MSE) of the $\hat{\boldsymbol\omega}$ estimate error, 0.00 to 0.05, at $g = 0.1$, $0.2$ and $0.5$.]

3.3. Confidential Cloud Fusion Without Leaking Fusion Weights

Previously, we presented a method for solving the estimate fusion problem by weakening the desired cryptographic aims in section 3.1. In this section, we present a method that meets these aims exactly by making a relaxation on the produced fusion output of the fusion cloud.

Broader fusion output  In this method, the fusion cloud is not strictly required to produce the fused information vector $\mathbf{P}_{\mathrm{fus}}^{-1}\hat{\mathbf{x}}_{\mathrm{fus}}$ and matrix $\mathbf{P}_{\mathrm{fus}}^{-1}$. Instead, any statistics over data from individual sensors $i$ can be computed homomorphically at the fusion cloud and provided to the querying party. For example, the sum statistic over inverted estimate covariance traces, $\sum_{i=1}^{n}\mathrm{tr}(\mathbf{P}_i)^{-1}$, may be returned.
The idea behind the method is to postpone the evaluation of operations that cannot be performed homomorphically until partial fusion results are decrypted by the querying party. The remaining operations are then evaluated on unencrypted inputs to produce the final fusion results. First, we note that FCI fusion (2.38), (2.39) and (2.44) can be rearranged and weights substituted to obtain
$$\mathbf{P}_{\mathrm{fus}}^{-1}\hat{\mathbf{x}}_{\mathrm{fus}} = \left(\sum_{i=1}^{n}\frac{1}{\mathrm{tr}(\mathbf{P}_i)}\right)^{-1}\sum_{i=1}^{n}\frac{1}{\mathrm{tr}(\mathbf{P}_i)}\,\mathbf{P}_i^{-1}\hat{\mathbf{x}}_i \tag{3.28}$$
and
$$\mathbf{P}_{\mathrm{fus}}^{-1} = \left(\sum_{i=1}^{n}\frac{1}{\mathrm{tr}(\mathbf{P}_i)}\right)^{-1}\sum_{i=1}^{n}\frac{1}{\mathrm{tr}(\mathbf{P}_i)}\,\mathbf{P}_i^{-1}. \tag{3.29}$$
In this form, innermost summations
$$\sum_{i=1}^{n}\frac{1}{\mathrm{tr}(\mathbf{P}_i)}, \qquad \sum_{i=1}^{n}\frac{1}{\mathrm{tr}(\mathbf{P}_i)}\,\mathbf{P}_i^{-1} \qquad \text{and} \qquad \sum_{i=1}^{n}\frac{1}{\mathrm{tr}(\mathbf{P}_i)}\,\mathbf{P}_i^{-1}\hat{\mathbf{x}}_i \tag{3.30}$$
combine information from individual sensors $i$, are computable homomorphically given suitable encryption and suit the fusion relaxation defined above. Encryptions of these sums can then be decrypted by the querying party, before remaining inversions and multiplications in (3.28) and (3.29) can be computed to obtain the final results. To depict this straightforward process, pseudocode for the encryption at the sensors, fusion at the cloud and decryption at the querying party are shown in algorithms 1, 2 and 3, respectively. As in the previous section, the Paillier encryption scheme, producing keys $pk$ and $sk$, is used, encoding from section 2.2.5 is used with $M = N$, where $N$ is the Paillier scheme modulus, and an appropriate precision $\phi$ is chosen.

Algorithm 1 Encryption at the Sensors

1: procedure Estimate($i$, $pk$)
2:   Estimate $\mathbf{P}_i^{-1}\hat{\mathbf{x}}_i$ locally
3:   Estimate $\mathbf{P}_i^{-1}$ locally
4:   ▷ Encode and encrypt scaling, covariance and estimate components
5:   $\xi_i \leftarrow \mathcal{E}_{pk}\big(E_0\big(\tfrac{1}{\mathrm{tr}(\mathbf{P}_i)}\big)\big)$
6:   $\mathbf{b}_i \leftarrow \mathcal{E}_{pk}\big(E_0\big(\tfrac{1}{\mathrm{tr}(\mathbf{P}_i)}\,\mathbf{P}_i^{-1}\hat{\mathbf{x}}_i\big)\big)$
7:   $\mathbf{B}_i \leftarrow \mathcal{E}_{pk}\big(E_0\big(\tfrac{1}{\mathrm{tr}(\mathbf{P}_i)}\,\mathbf{P}_i^{-1}\big)\big)$
8:   Send $\xi_i$, $\mathbf{b}_i$ and $\mathbf{B}_i$ to fusion cloud
9: end procedure

Along with allowing the summations to be performed homomorphically on the cloud, we note that this form of the FCI also allows the cloud's partial fusion operations to be evaluated sequentially. This can be seen in algorithm 2, where individual components $\xi_i$, $\mathbf{b}_i$ and $\mathbf{B}_i$ from each sensor can continue to be sequentially aggregated as sensors send their estimate information. This, in turn, supports the dynamic joining and leaving of sensors in the network without affecting the cloud or the operations of the querying party.

Algorithm 2 Partial Fusion at the Cloud

1: procedure PartialFuse($pk$)
2:   Receive $\xi_i$, $\mathbf{b}_i$ and $\mathbf{B}_i$ for all $1 \le i \le n$
3:   ▷ Perform homomorphic summations
4:   $\xi \leftarrow \bigoplus_{i=1}^{n}\xi_i$
5:   $\mathbf{b} \leftarrow \bigoplus_{i=1}^{n}\mathbf{b}_i$
6:   $\mathbf{B} \leftarrow \bigoplus_{i=1}^{n}\mathbf{B}_i$
7:   Store $\xi$, $\mathbf{b}$ and $\mathbf{B}$ in case of query
8: end procedure

Algorithm 3 Completing Fusion at the Querying Party

1: procedure QueryFuse($pk$, $sk$)
2:   Query and receive $\xi$, $\mathbf{b}$ and $\mathbf{B}$ from fusion cloud
3:   ▷ Decrypt and decode
4:   $\bar\xi \leftarrow E_0^{-1}(\mathcal{D}_{pk,sk}(\xi))$
5:   $\bar{\mathbf{b}} \leftarrow E_0^{-1}(\mathcal{D}_{pk,sk}(\mathbf{b}))$
6:   $\bar{\mathbf{B}} \leftarrow E_0^{-1}(\mathcal{D}_{pk,sk}(\mathbf{B}))$
7:   ▷ Compute remaining fusion operations
8:   $\mathbf{P}_{\mathrm{fus}}^{-1}\hat{\mathbf{x}}_{\mathrm{fus}} \leftarrow \bar\xi^{-1}\cdot\bar{\mathbf{b}}$
9:   $\mathbf{P}_{\mathrm{fus}}^{-1} \leftarrow \bar\xi^{-1}\cdot\bar{\mathbf{B}}$
10:  return $\mathbf{P}_{\mathrm{fus}}^{-1}\hat{\mathbf{x}}_{\mathrm{fus}}$, $\mathbf{P}_{\mathrm{fus}}^{-1}$
11: end procedure
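Algorithms 1 to 3 run end to end, as an added example that is not the dissertation's or the PHE library's code: a textbook Paillier instance with a deliberately tiny key and an assumed fixed-point encoding (values scaled by $2^{\text{PHI}}$, negatives stored modulo $N$) stand in for the library and for the Q encoding of section 2.2.5, with $d = 2$, the covariances $\mathbf{R}_1$ to $\mathbf{R}_3$ from (3.26) reused as the local $\mathbf{P}_i$, and made-up local estimates. The cloud keeps a running homomorphic sum, so the sequential joining described above is what `Cloud.aggregate` does.

```python
"""Confidential fusion without leaking weights: algorithms 1 to 3 end to end.
Added example, not the dissertation's or the PHE library's code.  A textbook
Paillier with a deliberately tiny key and an assumed fixed-point encoding
(values scaled by 2^PHI, negatives stored modulo N) stand in for the library
and for the Q encoding of section 2.2.5; state dimension d = 2."""
import math
import secrets

PHI = 24                            # assumed precision: 24 fractional bits


class Paillier:
    """Minimal Paillier keypair; add() is the homomorphic addition (+)."""
    def __init__(self, p, q):
        self.n, self.n2 = p * q, (p * q) ** 2
        self.lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        self.mu = pow(self.lam, -1, self.n)

    def enc(self, m):
        r = secrets.randbelow(self.n - 1) + 1
        while math.gcd(r, self.n) != 1:         # blinding factor in Z_n^*
            r = secrets.randbelow(self.n - 1) + 1
        return (1 + m * self.n) * pow(r, self.n, self.n2) % self.n2

    def dec(self, c):
        u = pow(c, self.lam, self.n2)
        return (u - 1) // self.n * self.mu % self.n

    def add(self, a, b):
        return a * b % self.n2


def encode(x, n):
    """E_0(x) under the assumed encoding: round(x * 2^PHI) modulo N."""
    return round(x * 2 ** PHI) % n


def decode(v, n):
    """Inverse encoding; residues above N/2 are negative numbers."""
    return (v - n if v > n // 2 else v) / 2 ** PHI


def inv2(p):                        # information matrix P^-1 of a 2x2 P
    det = p[0][0] * p[1][1] - p[0][1] * p[1][0]
    return [[p[1][1] / det, -p[0][1] / det], [-p[1][0] / det, p[0][0] / det]]


def sensor_encrypt(pk, P, xhat):
    """Algorithm 1: P^-1 x, P^-1 and 1 scaled by 1/tr(P), encoded, encrypted."""
    info = inv2(P)
    ivec = [sum(info[r][c] * xhat[c] for c in range(2)) for r in range(2)]
    s = 1 / (P[0][0] + P[1][1])                  # 1 / tr(P_i)
    xi = pk.enc(encode(s, pk.n))
    b = [pk.enc(encode(s * v, pk.n)) for v in ivec]
    B = [[pk.enc(encode(s * v, pk.n)) for v in row] for row in info]
    return xi, b, B


class Cloud:
    """Algorithm 2 as a running homomorphic sum: sensors join one at a time."""
    def __init__(self, pk):
        self.pk, self.xi, self.b = pk, pk.enc(0), [pk.enc(0)] * 2
        self.B = [[pk.enc(0)] * 2 for _ in range(2)]

    def aggregate(self, xi, b, B):
        add = self.pk.add
        self.xi = add(self.xi, xi)
        self.b = [add(x, y) for x, y in zip(self.b, b)]
        self.B = [[add(x, y) for x, y in zip(r, t)] for r, t in zip(self.B, B)]


def query_fuse(sk, xi, b, B):
    """Algorithm 3: decrypt, decode, then finish (3.28)/(3.29) in the clear."""
    xi_bar = decode(sk.dec(xi), sk.n)
    vec = [decode(sk.dec(v), sk.n) / xi_bar for v in b]
    mat = [[decode(sk.dec(v), sk.n) / xi_bar for v in row] for row in B]
    return vec, mat


def fci_plain(Ps, xhats):
    """Reference: the same FCI form (3.28)/(3.29) evaluated on plaintext."""
    xi = sum(1 / (P[0][0] + P[1][1]) for P in Ps)
    vec, mat = [0.0, 0.0], [[0.0, 0.0], [0.0, 0.0]]
    for P, xhat in zip(Ps, xhats):
        info, s = inv2(P), 1 / (P[0][0] + P[1][1]) / xi
        for r in range(2):
            vec[r] += s * sum(info[r][c] * xhat[c] for c in range(2))
            for c in range(2):
                mat[r][c] += s * info[r][c]
    return vec, mat


# Constructed inputs: R_1..R_3 from (3.26) as local P_i, estimates made up.
P_LOCAL = [[[4.77, -0.15], [-0.15, 4.94]], [[2.99, -0.55], [-0.55, 4.44]],
           [[2.06, 0.68], [0.68, 1.96]]]
X_LOCAL = [[1.0, 2.0], [1.2, 1.8], [0.9, 2.1]]


def run_demo(p=999983, q=1000003):
    """Sensors -> cloud -> query; largest deviation from plaintext FCI."""
    key = Paillier(p, q)                 # toy 40-bit modulus, not a real key
    cloud = Cloud(key)
    for P, xhat in zip(P_LOCAL, X_LOCAL):
        cloud.aggregate(*sensor_encrypt(key, P, xhat))
    vec, mat = query_fuse(key, cloud.xi, cloud.b, cloud.B)
    ref_vec, ref_mat = fci_plain(P_LOCAL, X_LOCAL)
    errs = [abs(a - b) for a, b in zip(vec, ref_vec)]
    errs += [abs(a - b) for r, t in zip(mat, ref_mat) for a, b in zip(r, t)]
    return max(errs)
```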

3.3.1. Computational Complexity

As with the previous method, we allow the homomorphic computation of FCI fusion at the computational cost of encryption and homomorphic operations. Here, we look at this additional cost for each involved party using the newly presented scheme. We again assume floating-point and small integer operations to have complexity $O(1)$, the Paillier scheme to have key size $\log N$ bits and repeat the Paillier operation complexities in table 3.3 for convenience. In table 3.4, we apply the Paillier operation complexities to the presented method and the unencrypted FCI algorithm is again shown for reference. Here we see that the burden of computation is reduced when compared to the method leaking weights in section 3.2. This can be attributed to no longer requiring the Lewi ORE scheme and the computational simplicity of the final fusion steps at the querying party compared to the required decryption operations. These computational requirements are a necessity for providing the specified security and fusion aims and must be considered when choosing hardware for a physical system where the aims are desired.

Table 3.3.: Computation complexity of Paillier encryption operations.

Operation                        Complexity
Paillier Encryption              $O(\log^3 N)$
Paillier Decryption              $O(\log^3 N)$
Paillier Addition                $O(\log^2 N)$
Paillier Scalar Multiplication   $O(\log^3 N)$

Table 3.4.: Computation complexity for each party.

Party            FCI                  Confidential Fusion
Sensor           $O(1)$               $O\big(d^2\log^3 N\big)$
Cloud            $O(nd^2 + n^3)$      $O\big(nd^2\log^2 N\big)$
Querying Party   $O(1)$               $O\big(d^2\log^3 N\big)$

3.3.2. Security Analysis

Showing that the cryptographic aims of the fusion problem are met is relatively straightforward. Our aim is for all estimate information, excluding locally produced estimates, that is available to the cloud, eavesdroppers and sensors to be encrypted with a scheme meeting the IND-CPA notion. Since the Paillier scheme meets this notion and all transmitted information is encrypted, and noting that the cloud, estimators and eavesdroppers do not hold the secret key $sk$, the cryptographic aim is met. We do, however, note that the implicit leakage of state dimension $d$ is again present in this method due to the reliance on elementwise encryption.
Lastly, when discussing security, we recall that the partial computation of FCI in this method supports the dynamic joining and leaving of sensors during fusion, but note that the implementation of this in practice introduces additional implicit leakages that need to be considered. Periodic estimation from a sensor may reveal when the sensor is within an estimation range or context, potentially leaking sensor privacy. To combat this, appropriate methods to mitigate implicit leakage need to be considered for real hardware, for example, sending dummy estimate information, $\mathcal{E}_{pk}(E_0(0))$, $\mathcal{E}_{pk}(E_0(0))$ and $\mathcal{E}_{pk}(E_0(0))$, when sensor $i$ is out of estimation context.

3.3.3. Simulation

To demonstrate the accuracy of the method and compare it to the method in section 3.2 as well as the FCI algorithm it approximates, we have implemented a simulation of the fusion scenario. Since errors in fusion are now only introduced during real number quantisation we expect the estimation error to be smaller than that in section 3.2. Code was written in the Python programming language, again using the Paillier PHE scheme library [110]. A key size of 512 bits was used, and the constant-velocity linear model in (3.23) was implemented. At each timestep $k$, the system state $\mathbf{x}_k$ was measured by $m = 4$ sensors, $1 \le i \le 4$, with measurements $\mathbf{z}_{k,i}$ following the measurement models (3.25) and covariances (3.26). Using a linear IF, initialised with the true state of the system, each sensor produced estimate information $\mathbf{P}_{k,i}^{-1}\hat{\mathbf{x}}_{k,i}$ and $\mathbf{P}_{k,i}^{-1}$, respectively, that were processed, encrypted and fused at the cloud and querying party. The fusion error results of 1000 simulation runs are shown in figure 3.6. From the figure, we can see the expected similarity in performance between all three methods. The better approximation of the fusion weights in the method from this section results in slightly more accurate results than those with the method from section 3.2, however, choosing a smaller stepsize $g$ can reduce this difference, albeit increase complexity.

Figure 3.6.: Average MSE of presented fusion methods over 1000 simulations. [Plot: Mean Square Error (MSE), 0.00 to 0.35, against Simulation Timestep, 0 to 50; curves Without Leaking Weights, Leaking Weights ($g = 0.2$) and FCI Benchmark.]

3.4. Conclusions on Estimate Fusion on an Untrusted Cloud

In this chapter, we have presented two methods for approximating the FCI fusion algorithm on an untrusted cloud where estimates and final fusion meet specified cryptographic aims. The methods primarily differ in whether the FCI fusion weights are leaked to eavesdroppers and the cloud as well as the assumptions on collusions between parties in the network.
The first method, providing confidential fusion with the leakage of weights, introduced in section 3.2, has the benefit of allowing the untrusted cloud to prioritise sensors when performing fusion. This is done by preferring sensors that reduce fused estimate error, as indicated by their fusion weight, but requires the assumption that sensors are trusted and cannot collude maliciously. The method also requires the use of two encryption schemes, resulting in higher computational complexity at sensors and the cloud, as can be seen in section 3.2.3. The second method, presented in section 3.3, provides confidential fusion without the leakage of weights. This method doesn't consider sensors as trusted parties and leaks no information beyond the implicit leakage of state dimension, present in both methods. The stronger security guarantees come with disadvantages, namely that the cloud cannot prioritise estimates based on their fusion error and that an additional, albeit constant, complexity is present at the querying party. Both methods have their computational complexity and security implications analysed and are simulated to demonstrate estimation performance.
Future directions for the topic of estimate fusion on an untrusted cloud include multi-variable encryption, removing the implicit leakage of state dimension, and the extension of the method to decentralised environments where sensors themselves perform untrusted fusion without a centralised cloud.

4. Non-Linear Measurement Fusion with Untrusted Participants

4.1. Problem Formulation

In this problem, we aim to lay down a foundation for solving general non-linear measurement fusion where all transmitted data from sensors and the estimator remains confidential to those producing it. Solving the general problem is complicated by the broad measurement definition and the need for concrete communications to be known when proving cryptographic aims. Instead, we first study a specific non-linear problem. The presented solution to this problem will lend itself to solving a class of related but non-exhaustive non-linear measurement fusion problems with the same communication and cryptographic requirements, discussed later in this chapter. We consider the specific context of range sensor navigation, where no sensor is to learn any information about the navigator or other sensors beyond their local measurements, while the navigator learns no information about individual sensors beyond its location estimate. The problem is two-fold, in that we require explicit cryptographic requirements with a suitable encryption scheme meeting them as well as an estimation scheme that can use the scheme in the context of range-only navigation.
To give a formal cryptographic requirement in a distributed setting, we first consider the communication requirements of our context and define attacker capabilities and the desired security of a suitable encryption scheme. In this section, we define a communication protocol and the relevant formal definition of security we aim to achieve, followed by the estimation problem to which we will apply it.

4.1.1. Formal Cryptographic Problem

The communication between the navigator and sensors in our estimation problem will be decomposed into a simple two-step bi-directional protocol that will simplify defining formal security. In section 4.3.2, we will show how this protocol is sufficient to compute the location estimate at a navigator while meeting our desired security goals. The communication protocol is as follows.
At every instance $t$ (used to distinguish from an estimation timestep), the navigator first broadcasts $l$ weights $\theta_j^{(t)}$, $1 \le j \le l$, to all sensors $i$, $1 \le i \le n$, who individually compute linear combinations $e_i^{(t)} = \sum_{j=1}^{l} a_{i,j}\,\theta_j^{(t)}$ based on their measurement data $a_{i,j}$. Linear combinations are then sent back to the navigator, who computes their sum $\sum_{i=1}^{n} e_i^{(t)}$. This two-step linear combination aggregation protocol has been visually displayed in figure 4.1. In addition, we note that an alternative approach to the two-step protocol is computing $\sum_{j=1}^{l}\big(\theta_j^{(t)}\sum_{i=1}^{n} a_{i,j}^{(t)}\big)$ at the navigator, requiring only values $a_{i,j}^{(t)}$, $1 \le j \le l$, to be sent from each sensor $i$. We justify the use of bi-directional communication by reducing communication costs when the number of weights is larger than the number of sensors, $l > n$, and by sending fewer weights in the presence of repeats, as will be shown to be the case in section 4.3.2.

Figure 4.1.: Required linear combination aggregation steps at instance $t$. (a) Broadcast and Combination Step: the navigator broadcasts $\langle\theta_1^{(t)}, \ldots, \theta_l^{(t)}\rangle$ and each sensor $i$, $1 \le i \le n$, forms $e_i^{(t)} = \sum_{j=1}^{l} a_{i,j}^{(t)}\theta_j^{(t)}$. (b) Aggregation Step: the sensors return $e_1^{(t)}, \ldots, e_n^{(t)}$ and the navigator computes $\sum_{i=1}^{n}\sum_{j=1}^{l} a_{i,j}^{(t)}\theta_j^{(t)} = \sum_{i=1}^{n} e_i^{(t)}$.
Before giving a formal definition for the construction and security of our desired encryption scheme, we make the following assumptions about the capabilities of the participants.

Global Navigator Broadcast  We assume that broadcast information from the navigator is received by all sensors involved in the protocol.

Consistent Navigator Broadcast  We assume that broadcast information from the navigator is received equally by all sensors. This means the navigator may not send different weights to individual sensors during a single instance $t$.

Honest-but-Curious Sensors  We adopt the honest-but-curious attacker model for all involved sensors, meaning that they follow the localisation procedure correctly but may store or use any gained sensitive information.

We justify the global broadcast assumption by noting that any subset of sensors within the range of the navigator can be considered a group and treated as the global set during estimation, generalising the method, while the widespread use of cheap non-directional antennas supports the assumption of consistent broadcasts. The final assumption refers to the known problem of misbehaving sensors [111, 112], often requiring additional complicated detection mechanisms, and will not be considered in this chapter.
We are now ready to define the type of encryption scheme we want for the specified communication protocol and the security guarantees it should provide. We let a linear combination aggregation scheme be defined as a tuple of the four algorithms (Setup, Enc, CombEnc, AggDec). These will be used by a trusted setup party, the navigator, and sensors $1 \le i \le n$. They are defined as follows.

Setup($\kappa$)  On input of security parameter $\kappa$, generate public parameters $pub$, the number of weights $l$, the navigator's public and private keys $pk_a$ and $sk_{a,0}$ and the sensor private keys $sk_{a,i}$, $1 \le i \le n$.

Enc($pk_a$, $x$)  The navigator and sensors can encrypt any value $x \in \mathbb{Z}$ with the navigator's public key $pk_a$ and obtain the encryption $\mathcal{E}_{pk_a}(x)$.

CombEnc($t$, $pk_a$, $sk_{a,i}$, $\mathcal{E}_{pk_a}(\theta_1^{(t)}), \ldots, \mathcal{E}_{pk_a}(\theta_l^{(t)})$, $a_{i,1}^{(t)}, \ldots, a_{i,l}^{(t)}$)  At instance $t$, sensor $i$ computes the encrypted linear combination $\mathcal{E}_{pk_a, sk_{a,i}}(e_i^{(t)}) = \mathcal{E}_{pk_a, sk_{a,i}}\big(\sum_{j=1}^{l} a_{i,j}^{(t)}\theta_j^{(t)}\big)$ using its secret key $sk_{a,i}$.

AggDec($t$, $pk_a$, $sk_{a,0}$, $e_1^{(t)}, \ldots, e_n^{(t)}$)  At instance $t$, the navigator computes the aggregation of linear combinations $\sum_{i=1}^{n} e_i^{(t)} = \sum_{i=1}^{n}\sum_{j=1}^{l} a_{i,j}^{(t)}\theta_j^{(t)}$ using its public and private keys $pk_a$, $sk_{a,0}$.

The security notions we want these algorithms to meet reflect the previously stated estimation security goals. The navigator should learn no information from individual sensors while sensors should learn no information from the navigator or any other sensors. In the context of the introduced communication protocol, this can be summarised as the following notions.

Indistinguishable Weights  No colluding subset of sensors gains any new knowledge about the navigator weights $\theta_j^{(t)}$, $1 \le j \le l$, when receiving only their encryptions from the current and previous instances and having the ability to encrypt plaintexts of their choice.

Linear Combination Aggregator Obliviousness (LCAO)  No colluding subset excluding the navigator gains information about the remaining sensor values to be weighted, $a_{i,j}^{(t)}$, $1 \le j \le l$, where sensor $i$ is not colluding, given only encryptions of their linear combinations $e_i$ from the current and previous instances. Any colluding subset including the navigator learns only the sum of all linear combinations weighted by weights of their choice, $\sum_{i=1}^{n} e_i^{(t)} = \sum_{i=1}^{n}\sum_{j=1}^{l} a_{i,j}^{(t)}\theta_j^{(t)}$.

While indistinguishable weights can be achieved by encrypting weights with an encryption scheme meeting the IND-CPA notion introduced in section 2.2.1, the novel notion of LCAO has been formalised as a typical cryptographic game between attacker and challenger in appendix A. Lastly, we conclude the cryptographic problem definition with the following important remark.
Remark. A leakage function including weights from the navigator requires extra care to be taken when giving its definition. If an attacker compromises the navigator, they have control over the weights, and therefore the leakage function. We note that in the leakage function above, $\sum_{i=1}^{n}\sum_{j=1}^{l} a_{i,j}^{(t)}\theta_j^{(t)}$, an individual sum weighted by the same weight may be learnt by an attacker, for example, $\sum_{i=1}^{n} a_{i,1}^{(t)}$ given weights $(1, 0, \ldots, 0)$, but that individual sensor values $a_{i,j}^{(t)}$ remain private due to the assumption of a consistent broadcast.

4.1.2. Estimation problem


The estimation problem we consider, for which we will reformulate communication to
the protocol above, is localisation with range-only sensors. In this thesis, we will focus
on the two-dimensional case for simplicity but will derive methods suitable for extension
to a three-dimensional equivalent. The state that we wish to estimate must capture
the navigator position, x and y, and may contain any other components relevant to the
system. It is of the form
\[ \mathbf{x} = \begin{bmatrix} x & y & \cdots \end{bmatrix}^{\top}. \tag{4.1} \]
This state evolves following some known system model, which at timestep $k$ can be
written as
\[ \mathbf{x}_k = f_k(\mathbf{x}_{k-1}, \mathbf{w}_k), \tag{4.2} \]
with noise term $\mathbf{w}_k$. Measurements of $\mathbf{x}_k$ follow a measurement model dependent on
sensor $i$, $1 \le i \le n$, given by
\[ z_{k,i} = h_i(\mathbf{x}_k) + v_{k,i}, \tag{4.3} \]
with Gaussian measurement noises $v_{k,i} \sim \mathcal{N}(0, r_{k,i})$ and measurement function
\[ h_i(\mathbf{x}) = \left\| \begin{bmatrix} x & y \end{bmatrix}^{\top} - \mathbf{s}_i \right\| = \sqrt{(x - s_{x,i})^2 + (y - s_{y,i})^2}, \tag{4.4} \]
where
\[ \mathbf{s}_i = \begin{bmatrix} s_{x,i} & s_{y,i} \end{bmatrix}^{\top} \tag{4.5} \]
is the location of sensor $i$.
We aim to provide a filter that estimates the navigator’s state xk , at every timestep k,
without learning sensor positions si , measurements zk,i and measurement variances rk,i
beyond the information in the corresponding aggregation leakage function. Similarly,
sensors should not learn any information about current state estimates or any other
sensor information. Leakage will be further discussed in section 4.3.5, but we note that
from any sequential state estimates, following known models, some sensor information
leakage can be computed by the navigator. In the context of our leakage function, we
will show that this corresponds to the global sums of private sensor information, while
individual, or subsets of sensors’, information remains private. Similarly, corrupted
sensors with access to one or more measurements can produce state estimates of their
own, leaking information about navigator state estimates, however, the most accurate
estimates, requiring all measurements, will always remain private to the navigator.

4.2. A Linear Combination Aggregation Scheme


In this section, we introduce an encryption scheme meeting the desired security prop-
erties in section 4.1.1. The scheme is a combination of the Paillier and Joye-Libert
schemes, introduced in section 2.2.2 and 2.2.3, respectively, that provides encrypted
weights meeting the IND-CPA notion and encrypted aggregation meeting the LCAO
notion in appendix A. Similarly to its constituents, the scheme bases its security on
the DCRA and, as with the Joye-Libert scheme, requires a trusted party for initial key
generation and distribution.
As aggregation is typically performed on scalar inputs, we extend our notation to
the context of multidimensional estimation data by letting an instance tk,ϵ uniquely
capture the scalar aggregation during an estimation timestep k for a single element with
position index ϵ. To achieve this in practice, any injective function can be used, such
as the concatenation tk,ϵ = k ∥ ϵ. The four algorithms defining our scheme are given as
follows.

Setup($\kappa$) On input parameter $\kappa$, generate two equal-length, sufficiently large primes $p$
and $q$, and compute $N = pq$. Define a hash function $H : \mathbb{Z} \to \mathbb{Z}^*_{N^2}$, choose the
number of weights to combine, $l > 1$, and set public parameter $pub = H$, navigator
public key $pk_a = N$ and navigator private key $sk_{a,0} = (p, q)$. Sensor secret keys
are generated by choosing $sk_{a,i}$, $1 \le i \le n-1$, uniformly from $\mathbb{Z}_{N^2}$ and setting the
last key to $sk_{a,n} = -\sum_{i=1}^{n-1} sk_{a,i}$.

Enc($pk_a$, $x$) Public-key encryption is computed by the Paillier encryption scheme in
section 2.2.2. This is given by
\[ E_{pk_a}(x) = (N+1)^{x} \rho^{N} \pmod{N^2}, \tag{4.6} \]
for a randomly chosen $\rho \in \mathbb{Z}_N$.


CombEnc($t_{k,\epsilon}$, $pk_a$, $sk_{a,i}$, $E_{pk_a}(\theta^{(k,\epsilon)}_1), \dots, E_{pk_a}(\theta^{(k,\epsilon)}_l)$, $a^{(k,\epsilon)}_{i,1}, \dots, a^{(k,\epsilon)}_{i,l}$) At the
instance $t_{k,\epsilon}$, the encrypted linear combination is given by
\[ e^{(k,\epsilon)}_i = H(t_{k,\epsilon})^{sk_{a,i}} \prod_{j=1}^{l} E_{pk_a}(\theta^{(k,\epsilon)}_j)^{a^{(k,\epsilon)}_{i,j}} \pmod{N^2}, \tag{4.7} \]
making use of the Paillier homomorphic properties (2.47) and (2.49). Correctness
follows from $\sum_{i=1}^{n} sk_{a,i} = 0$ and
\[
\begin{aligned}
H(t_{k,\epsilon})^{sk_{a,i}} \prod_{j=1}^{l} E_{pk_a}(\theta^{(k,\epsilon)}_j)^{a^{(k,\epsilon)}_{i,j}} \pmod{N^2}
&\equiv H(t_{k,\epsilon})^{sk_{a,i}} \prod_{j=1}^{l} E_{pk_a}\big(a^{(k,\epsilon)}_{i,j} \theta^{(k,\epsilon)}_j\big) \pmod{N^2} \\
&\equiv H(t_{k,\epsilon})^{sk_{a,i}} \prod_{j=1}^{l} (N+1)^{a^{(k,\epsilon)}_{i,j} \theta^{(k,\epsilon)}_j} \rho_j^{N} \pmod{N^2} \\
&\equiv H(t_{k,\epsilon})^{sk_{a,i}} (N+1)^{\sum_{j=1}^{l} a^{(k,\epsilon)}_{i,j} \theta^{(k,\epsilon)}_j} \tilde{\rho}_i^{N} \pmod{N^2},
\end{aligned}
\]
for some values $\rho_j \in \mathbb{Z}_N$, $1 \le j \le l$, and $\tilde{\rho}_i = \prod_{j=1}^{l} \rho_j$. Here, $\tilde{\rho}_i^{N}$ and $H(t_{k,\epsilon})^{sk_{a,i}}$
can be considered the noise terms corresponding to the two levels of encryption
from $pk_a$ and $sk_{a,i}$, respectively.
AggDec($t_{k,\epsilon}$, $pk_a$, $sk_{a,0}$, $e^{(k,\epsilon)}_1, \dots, e^{(k,\epsilon)}_n$) Aggregation is computed as
$e^{(k,\epsilon)} = \prod_{i=1}^{n} e^{(k,\epsilon)}_i \pmod{N^2}$, removing the aggregation noise terms, and is followed
by Paillier scheme decryption
\[ \sum_{i=1}^{n} \sum_{j=1}^{l} a^{(k,\epsilon)}_{i,j} \theta^{(k,\epsilon)}_j = \frac{L\big((e^{(k,\epsilon)})^{\lambda} \pmod{N^2}\big)}{L\big((N+1)^{\lambda} \pmod{N^2}\big)} \pmod{N}, \tag{4.8} \]
with $\lambda = \operatorname{lcm}(p-1, q-1)$ and $L(\psi) = \frac{\psi - 1}{N}$. The correctness of the aggregation
can be seen from
\[
\begin{aligned}
\prod_{i=1}^{n} H(t_{k,\epsilon})^{sk_{a,i}} (N+1)^{\sum_{j=1}^{l} a^{(k,\epsilon)}_{i,j} \theta^{(k,\epsilon)}_j} \tilde{\rho}_i^{N} \pmod{N^2}
&\equiv H(t_{k,\epsilon})^{\sum_{i=1}^{n} sk_{a,i}} (N+1)^{\sum_{i=1}^{n} \sum_{j=1}^{l} a^{(k,\epsilon)}_{i,j} \theta^{(k,\epsilon)}_j} \prod_{i=1}^{n} \tilde{\rho}_i^{N} \pmod{N^2} \\
&\equiv (N+1)^{\sum_{i=1}^{n} \sum_{j=1}^{l} a^{(k,\epsilon)}_{i,j} \theta^{(k,\epsilon)}_j} \tilde{\rho}^{N} \pmod{N^2},
\end{aligned}
\]
for some values $\tilde{\rho}_i \in \mathbb{Z}_N$, $1 \le i \le n$, and $\tilde{\rho} = \prod_{i=1}^{n} \tilde{\rho}_i$.

Additionally, we note that in the above construction, all weights $\theta^{(k,\epsilon)}_j$ and values $a^{(k,\epsilon)}_{i,j}$
are integers and the resulting linear combinations and aggregation are computed modulo $N$.

The security proof of this scheme must both show that encrypted weights meet IND-CPA
and that encrypted aggregation meets LCAO. As weights are encrypted with the Paillier
encryption scheme, the first requirement is already met. To show that aggregation meets
LCAO, a reduction proof is given in appendix B.
Remark. Given the construction of the scheme above, it can be seen that any weights
$\theta^{(k,\epsilon)}_j$ whose values are known at each sensor do not need to be broadcast by the
navigator. In this case, sensors can replace
\[ E_{pk_a}(\theta^{(k,\epsilon)}_j)^{a^{(k,\epsilon)}_{i,j}} = (N+1)^{\theta^{(k,\epsilon)}_j a^{(k,\epsilon)}_{i,j}} \rho_j^{N} \pmod{N^2} \tag{4.9} \]
in (4.7), by
\[ (N+1)^{\theta^{(k,\epsilon)}_j a^{(k,\epsilon)}_{i,j}} \pmod{N^2}. \tag{4.10} \]
This is due to the removal of the $\rho_j^{N}$ terms during decryption and can be used to reduce the
navigator's broadcast communication cost by the number of weights $\theta^{(k,\epsilon)}_j$ that do not
hold any information private to the navigator and are known by the sensors in advance.

4.3. Confidential Range-Only Localisation


With a concrete scheme meeting the LCAO notion, we now put forward a localisation
filter with communication that can be reformulated to the required protocol. To produce
an estimate of the state xk , we make use of the EIF, introduced in section 2.1.5. The
EIF is performed on the information form of the state estimate and its error covariance,
repeated here for convenience. That is, the information vector and information matrix,

\[ \hat{\mathbf{y}}_{k|k-1} = \mathbf{P}^{-1}_{k|k-1} \hat{\mathbf{x}}_{k|k-1} \quad \text{and} \quad \mathbf{Y}_{k|k-1} = \mathbf{P}^{-1}_{k|k-1}, \tag{4.11} \]
respectively. The update equations for $n$ sensor measurements at time $k$, with measurement
models (4.3), are given by
\[ \hat{\mathbf{y}}_{k|k} = \hat{\mathbf{y}}_{k|k-1} + \sum_{i=1}^{n} \hat{\mathbf{H}}^{\top}_{k,i} r_i^{-1} \left( z_{k,i} - h_i(\hat{\mathbf{x}}_{k|k-1}) + \hat{\mathbf{H}}_{k,i} \hat{\mathbf{x}}_{k|k-1} \right) \tag{4.12} \]
and
\[ \mathbf{Y}_{k|k} = \mathbf{Y}_{k|k-1} + \sum_{i=1}^{n} \hat{\mathbf{H}}^{\top}_{k,i} r_i^{-1} \hat{\mathbf{H}}_{k,i}, \tag{4.13} \]
with Jacobians
\[ \hat{\mathbf{H}}_{k,i} = \left. \frac{\partial h_i}{\partial \mathbf{x}} \right|_{\hat{\mathbf{x}}_{k|k-1}} \tag{4.14} \]
for sensors $1 \le i \le n$. The updated information vector and matrix can then be used
in a local filter prediction step at the navigator, with any suitable filter for the known
system model (4.2).
In the form above, at every timestep $k$, all sensitive sensor information required for
state estimation is captured in the measurement vector
\[ \mathbf{i}_{k,i} = \hat{\mathbf{H}}^{\top}_{k,i} r_i^{-1} \left( z_{k,i} - h_i(\hat{\mathbf{x}}_{k|k-1}) + \hat{\mathbf{H}}_{k,i} \hat{\mathbf{x}}_{k|k-1} \right) \tag{4.15} \]
and the measurement matrix
\[ \mathbf{I}_{k,i} = \hat{\mathbf{H}}^{\top}_{k,i} r_i^{-1} \hat{\mathbf{H}}_{k,i}, \tag{4.16} \]
namely, their measurements $z_{k,i}$, measurement variances $r_{k,i}$ and locations $\mathbf{s}_i$, captured
in measurement functions $h_i$ and Jacobians $\hat{\mathbf{H}}_{k,i}$. However, computing $\mathbf{i}_{k,i}$ and $\mathbf{I}_{k,i}$ also
requires the current predicted state estimate $\hat{\mathbf{x}}_{k|k-1}$ when evaluating $h_i$ and $\hat{\mathbf{H}}_{k,i}$. To
achieve the communication protocol desired, we aim to rearrange (4.15) and (4.16) as a
linear combination of functions of $\hat{\mathbf{x}}_{k|k-1}$ (considered the navigator weights), computable
at each sensor $i$, to be subsequently aggregated at the navigator. Application of the linear
combination aggregation scheme proposed can then guarantee that sensors do not learn
the navigator state, and the navigator learns only the aggregation required for updating
its estimate (4.12) and (4.13).

4.3.1. Range Measurement Modification


When rearranging $\mathbf{i}_{k,i}$ and $\mathbf{I}_{k,i}$ to a linear combination of functions of $\hat{\mathbf{x}}_{k|k-1}$, we note
that $h_i$ does not inherently support this due to the present square-root. Similarly, the
Jacobian of $h_i$ at $\hat{\mathbf{x}}_{k|k-1}$,
\[ \hat{\mathbf{H}}_{k,i} = \begin{bmatrix} \dfrac{\hat{x}_{k|k-1} - s_{x,i}}{\sqrt{(\hat{x}_{k|k-1} - s_{x,i})^2 + (\hat{y}_{k|k-1} - s_{y,i})^2}} \\[2ex] \dfrac{\hat{y}_{k|k-1} - s_{y,i}}{\sqrt{(\hat{x}_{k|k-1} - s_{x,i})^2 + (\hat{y}_{k|k-1} - s_{y,i})^2}} \\[2ex] 0 \\ \vdots \end{bmatrix}^{\top}, \tag{4.17} \]
does not either. Instead, the modified measurement functions
\[ h'_i(\mathbf{x}) = h_i(\mathbf{x})^2, \tag{4.18} \]
are considered. Now, the functions allow rearrangement of $h'_i$ and the corresponding
Jacobian $\hat{\mathbf{H}}'_{k,i}$ to a linear combination of powers of location elements in $\hat{\mathbf{x}}_{k|k-1}$, as
\[
\begin{aligned}
h'_i(\mathbf{x}) &= \left\| \begin{bmatrix} x & y \end{bmatrix}^{\top} - \mathbf{s}_i \right\|^2 \\
&= (x - s_{x,i})^2 + (y - s_{y,i})^2 \\
&= x^2 + y^2 - 2 s_{x,i} x - 2 s_{y,i} y + s_{x,i}^2 + s_{y,i}^2,
\end{aligned} \tag{4.19}
\]
and
\[ \hat{\mathbf{H}}'_{k,i} = \begin{bmatrix} 2\hat{x}_{k|k-1} - 2 s_{x,i} \\ 2\hat{y}_{k|k-1} - 2 s_{y,i} \\ 0 \\ \vdots \end{bmatrix}^{\top}. \tag{4.20} \]
Here, $h'_i$ and $\hat{\mathbf{H}}'_{k,i}$ are linear combinations of $\hat{x}^2_{k|k-1}$, $\hat{y}^2_{k|k-1}$, $\hat{x}_{k|k-1}$ and $\hat{y}_{k|k-1}$. For the
rearrangement of corresponding modified measurement vectors $\mathbf{i}'_{k,i}$ and matrices $\mathbf{I}'_{k,i}$,
usable in the localisation update step, we also require the existence of measurements
following the considered modified measurement models,
\[ z'_{k,i} = h'_i(\mathbf{x}_k) + v'_{k,i}, \tag{4.21} \]
where $z'_{k,i}$ is the modified measurement, and noise term $v'_{k,i}$ is zero-mean and has a
known variance $r'_{k,i}$.

Computing $z'_{k,i}$ and its variance $r'_{k,i}$ from the original measurements $z_{k,i}$ is complicated
by the original noise term $v_{k,i} \sim \mathcal{N}(0, r_{k,i})$. Squaring the original range measurements
produces
\[
\begin{aligned}
z_{k,i}^2 &= (h_i(\mathbf{x}_k) + v_{k,i})^2 \\
&= h'_i(\mathbf{x}_k) + 2 h_i(\mathbf{x}_k) v_{k,i} + v_{k,i}^2,
\end{aligned} \tag{4.22}
\]
with a new noise term $2 h_i(\mathbf{x}_k) v_{k,i} + v_{k,i}^2$, now dependent on the measurement function $h_i$,
and no longer zero-mean. The mean of this new noise term (a function of the Gaussian
term $v_{k,i}$) is given by $\mathrm{E}[2 h_i(\mathbf{x}_k) v_{k,i} + v_{k,i}^2] = r_{k,i}$ and can be used to mean-adjust the
squared measurement above, producing the modified measurements
\[
\begin{aligned}
z'_{k,i} &= z_{k,i}^2 - r_{k,i} \\
&= h_i(\mathbf{x}_k)^2 + 2 h_i(\mathbf{x}_k) v_{k,i} + v_{k,i}^2 - r_{k,i} \\
&= h'_i(\mathbf{x}_k) + v'_{k,i},
\end{aligned} \tag{4.23}
\]
with now zero-mean noise term $v'_{k,i} = 2 h_i(\mathbf{x}_k) v_{k,i} + v_{k,i}^2 - r_{k,i}$. This noise, again a function
of $v_{k,i}$, has variance
\[ \mathrm{Var}[v'_{k,i}] = 4 h_i(\mathbf{x}_k)^2 r_{k,i} + 2 r_{k,i}^2, \tag{4.24} \]
still dependent on $h_i$. To use the modified measurements (4.23) with the EIF, we require
an estimate for $\mathrm{Var}[v'_{k,i}]$ at the sensor as well. Additionally, a conservative estimate,
that is, a larger variance resulting in less confidence in measurements, is desirable to
reduce filter divergence. Intuitively replacing $h_i(\mathbf{x}_k)$ with $z_{k,i}$ in (4.24) may not provide
a conservative estimate when $z_{k,i}^2 < h_i(\mathbf{x}_k)^2$, but Gaussianity of $v_{k,i}$ and the squaring
of $z_{k,i}$ can be exploited to provide a conservative estimate, with 95% confidence, by
adding two of its standard deviations, $\sqrt{r_{k,i}}$, to the replacement term $z_{k,i}$. The modified
measurement's variance at timestep $k$ is then conservatively approximated by
\[ r'_{k,i} = 4 \left( z_{k,i} + 2 \sqrt{r_{k,i}} \right)^2 r_{k,i} + 2 r_{k,i}^2 \gtrapprox \mathrm{Var}[v'_{k,i}], \tag{4.25} \]
at each sensor $i$.

The modified measurement model (4.21) can now be used for localisation, when measurements
are modified by (4.23) and their new variances estimated with (4.25).
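The measurement modification of (4.23) and (4.25), as an added Python example that is not code from the thesis: a sensor-side function producing $z'_{k,i}$ and $r'_{k,i}$ from one range measurement, plus a Monte Carlo check on constructed samples with a known true range $h$ and variance $r$ of how often (4.25) actually exceeds the true $\mathrm{Var}[v'_{k,i}]$ in (4.24), compared with the intuitive replacement of $h_i(\mathbf{x}_k)$ by $z_{k,i}$ without the $2\sqrt{r_{k,i}}$ margin. The sample values and the seed are assumptions of the example.

```python
import math
import random


def modify_measurement(z: float, r: float) -> tuple[float, float]:
    """Sensor-side modification of one range measurement z with variance r:
    z' = z^2 - r (4.23) and the conservative variance r' = 4(z + 2 sqrt(r))^2 r + 2 r^2 (4.25)."""
    z_mod = z * z - r
    r_mod = 4.0 * (z + 2.0 * math.sqrt(r)) ** 2 * r + 2.0 * r * r
    return z_mod, r_mod


def true_modified_variance(h: float, r: float) -> float:
    """Var[v'] from (4.24); needs the true range h, which the sensor does not know."""
    return 4.0 * h * h * r + 2.0 * r * r


def naive_variance(z: float, r: float) -> float:
    """The intuitive replacement of h by z in (4.24), without the 2 sqrt(r) margin."""
    return 4.0 * z * z * r + 2.0 * r * r


def _samples(h: float, r: float, trials: int, seed: int) -> list[float]:
    """Constructed measurements z = h + v, v ~ N(0, r), with a fixed seed for repeatability."""
    rng = random.Random(seed)
    sd = math.sqrt(r)
    return [h + rng.gauss(0.0, sd) for _ in range(trials)]


def conservative_fraction(h: float, r: float, trials: int = 20000, seed: int = 1) -> float:
    """Share of samples for which r' from (4.25) is at least the true Var[v'].
    (4.25) falls short only when v < -2 sqrt(r), so the share is about 97.7%."""
    target = true_modified_variance(h, r)
    hits = sum(modify_measurement(z, r)[1] >= target for z in _samples(h, r, trials, seed))
    return hits / trials


def naive_fraction(h: float, r: float, trials: int = 20000, seed: int = 1) -> float:
    """Same share for naive_variance: about one half, since z^2 < h^2 whenever v < 0."""
    target = true_modified_variance(h, r)
    hits = sum(naive_variance(z, r) >= target for z in _samples(h, r, trials, seed))
    return hits / trials


def mean_adjustment_bias(h: float, r: float, trials: int = 20000, seed: int = 1) -> float:
    """Sample mean of z' - h'(x), which (4.23) makes zero-mean; raw z^2 would be biased by r."""
    zs = _samples(h, r, trials, seed)
    return sum(modify_measurement(z, r)[0] for z in zs) / trials - h * h


if __name__ == "__main__":
    print(modify_measurement(10.0, 5.0))
    print(conservative_fraction(50.0, 5.0), naive_fraction(50.0, 5.0))
    print(mean_adjustment_bias(50.0, 5.0))
```

The check makes the failure mode concrete: without the margin, roughly every second measurement under-reports its variance, which is exactly the overconfidence that drives an information filter to diverge; with the margin, the estimate is conservative in all but the rare draws where the noise is below $-2\sqrt{r_{k,i}}$.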

4.3.2. Applying the Linear Combination Aggregation Scheme


To complete the EIF update as a linear combination aggregation, modified vectors $\mathbf{i}'_{k,i}$
and matrices $\mathbf{I}'_{k,i}$, using the modified measurement model (4.21), can be rearranged as
\[
\begin{aligned}
\mathbf{i}'_{k,i} &= \hat{\mathbf{H}}'^{\top}_{k,i} r'^{-1}_{k,i} \left( z'_{k,i} - h'_i(\hat{\mathbf{x}}_{k|k-1}) + \hat{\mathbf{H}}'_{k,i} \hat{\mathbf{x}}_{k|k-1} \right) \\
&= \begin{bmatrix} \alpha^{(k,1)}_i & \alpha^{(k,2)}_i & 0 & \cdots \end{bmatrix}^{\top},
\end{aligned} \tag{4.26}
\]
with
\[
\begin{aligned}
\alpha^{(k,1)}_i &= (2 r'^{-1}_{k,i}) \hat{x}^3_{k|k-1} + (2 r'^{-1}_{k,i}) \hat{x}_{k|k-1} \hat{y}^2_{k|k-1} + (-2 r'^{-1}_{k,i} s_{x,i}) \hat{x}^2_{k|k-1} + (-2 r'^{-1}_{k,i} s_{x,i}) \hat{y}^2_{k|k-1} \\
&\quad + (2 r'^{-1}_{k,i} z'_{k,i}) \hat{x}_{k|k-1} + (-2 r'^{-1}_{k,i} s^2_{x,i}) \hat{x}_{k|k-1} + (-2 r'^{-1}_{k,i} s^2_{y,i}) \hat{x}_{k|k-1} + (2 r'^{-1}_{k,i} s^3_{x,i}) \\
&\quad + (2 r'^{-1}_{k,i} s_{x,i} s^2_{y,i}) + (-2 r'^{-1}_{k,i} s_{x,i} z'_{k,i}), \\
\alpha^{(k,2)}_i &= (2 r'^{-1}_{k,i}) \hat{y}^3_{k|k-1} + (2 r'^{-1}_{k,i}) \hat{x}^2_{k|k-1} \hat{y}_{k|k-1} + (-2 r'^{-1}_{k,i} s_{y,i}) \hat{x}^2_{k|k-1} + (-2 r'^{-1}_{k,i} s_{y,i}) \hat{y}^2_{k|k-1} \\
&\quad + (2 r'^{-1}_{k,i} z'_{k,i}) \hat{y}_{k|k-1} + (-2 r'^{-1}_{k,i} s^2_{x,i}) \hat{y}_{k|k-1} + (-2 r'^{-1}_{k,i} s^2_{y,i}) \hat{y}_{k|k-1} + (2 r'^{-1}_{k,i} s_{y,i} s^2_{x,i}) \\
&\quad + (2 r'^{-1}_{k,i} s^3_{y,i}) + (-2 r'^{-1}_{k,i} s_{y,i} z'_{k,i}),
\end{aligned}
\]
and
\[
\mathbf{I}'_{k,i} = \hat{\mathbf{H}}'^{\top}_{k,i} r'^{-1}_{k,i} \hat{\mathbf{H}}'_{k,i}
= \begin{bmatrix} \alpha^{(k,3)}_i & \alpha^{(k,4)}_i & 0 & \cdots \\ \alpha^{(k,5)}_i & \alpha^{(k,6)}_i & 0 & \cdots \\ 0 & 0 & 0 & \cdots \\ \vdots & \vdots & \vdots & \ddots \end{bmatrix}, \tag{4.27}
\]
with
\[
\begin{aligned}
\alpha^{(k,3)}_i &= (4 r'^{-1}_{k,i}) \hat{x}^2_{k|k-1} + (-8 r'^{-1}_{k,i} s_{x,i}) \hat{x}_{k|k-1} + (4 r'^{-1}_{k,i} s^2_{x,i}), \\
\alpha^{(k,4)}_i &= (4 r'^{-1}_{k,i}) \hat{x}_{k|k-1} \hat{y}_{k|k-1} + (-4 r'^{-1}_{k,i} s_{y,i}) \hat{x}_{k|k-1} + (-4 r'^{-1}_{k,i} s_{x,i}) \hat{y}_{k|k-1} + (4 r'^{-1}_{k,i} s_{x,i} s_{y,i}), \\
\alpha^{(k,5)}_i &= \alpha^{(k,4)}_i, \\
\alpha^{(k,6)}_i &= (4 r'^{-1}_{k,i}) \hat{y}^2_{k|k-1} + (-8 r'^{-1}_{k,i} s_{y,i}) \hat{y}_{k|k-1} + (4 r'^{-1}_{k,i} s^2_{y,i}).
\end{aligned}
\]

The above rearrangements give $\mathbf{i}'_{k,i}$ and $\mathbf{I}'_{k,i}$ as linear combinations of elements in
\[ \left\{ \hat{x}^3_{k|k-1},\ \hat{y}^3_{k|k-1},\ \hat{x}^2_{k|k-1} \hat{y}_{k|k-1},\ \hat{x}_{k|k-1} \hat{y}^2_{k|k-1},\ \hat{x}^2_{k|k-1},\ \hat{y}^2_{k|k-1},\ \hat{x}_{k|k-1} \hat{y}_{k|k-1},\ \hat{x}_{k|k-1},\ \hat{y}_{k|k-1} \right\}, \tag{4.28} \]
that capture all private state information in $\hat{\mathbf{x}}_{k|k-1}$ required by the sensors. The
corresponding EIF update steps (4.12) and (4.13) then become
\[ \hat{\mathbf{y}}_{k|k} = \hat{\mathbf{y}}_{k|k-1} + \sum_{i=1}^{n} \mathbf{i}'_{k,i} \tag{4.29} \]
and
\[ \mathbf{Y}_{k|k} = \mathbf{Y}_{k|k-1} + \sum_{i=1}^{n} \mathbf{I}'_{k,i}, \tag{4.30} \]
respectively.


Remark. The above has been derived for two-dimensional localisation but can be sim-
ilarly derived for the three-dimensional case. However, as can be seen from the rear-
rangements, the number of weights increases combinatorially with the state dimension,
thus affecting the cost of communication as well.

4.3.3. Pseudocode
Measurement modification, number encoding and linear combination aggregation are
all required to compute the EIF from the previous section and keep all sensor and
navigator information confidential. In this section, we summarise this process and give
the pseudocode for its execution. As in the previous chapter, we use the Q number
format from section 2.2.5 for encoding real number inputs, letting M = N , where N
is the generated public key, choosing an appropriate precision ϕ and denoting encoding
with multiplicative depth δ as Eδ (·). The confidential localisation filter consists of the
following steps.

Setup The Setup algorithm from section 4.2 is run only once by a trusted party. pub = H
and the navigator public key pka = N are made public, and the navigator and
sensor secret keys, ska,0 = (p, q) and ska,i , 1 ≤ i ≤ n, are distributed accordingly.

Prediction At each timestep k, the navigator computes the prediction of its current
state and its covariance with a local filter before encrypting weights (4.28) with
Enc and broadcasting them to the sensors. This has been shown in algorithm 4.

Measurement At each timestep k, sensors modify their measurements with (4.23) and
(4.25) before computing elementwise encryptions of i′k,i and I′k,i with CombEnc and
sending them back to the navigator. This is shown in algorithm 5.

Update At each timestep k, the navigator aggregates and decrypts received measure-
ment vectors and matrices with AggDec, before computing the EIF update equa-
tions (4.29) and (4.30). This is shown in algorithm 6.

Algorithms 4, 5 and 6 have also been summarised graphically in figure 4.2. Here,
Epka ,ska,i (·) and Eδ (·) denote elementwise operations with the same parameters.

4.3.4. Solvable Sub-Class of Non-Linear Measurement Models


So far in this chapter, we have presented a method for measurement fusion in the context
of range-only navigation that meets our desired security goals. The solution can be
generalised to solving a sub-class of non-linear measurement problems not limited to
range-only navigation and aims to establish the foundations for a general fusion method
for non-linear measurements that achieves the same data confidentiality guarantees.
Recalling our aim of rewriting (4.15) and (4.16) as a linear combination of functions of
x̂k|k−1 , and noting that this was possible when the measurement function hi could be
rewritten in the same way, a more general solution can be seen. That is, any non-linear
measurement functions $h_{k,i}$ that can be written in the form
\[ h_{k,i}(\mathbf{x}) = \sum_{j=1}^{\nu} a_j H_j(\mathbf{x}), \tag{4.31} \]
where all functions $H_j$, $1 \le j \le \nu$, do not depend on any sensitive sensor information, are
sufficient for rearranging corresponding measurement vectors and matrices, $\mathbf{i}_{k,i}$ and $\mathbf{I}_{k,i}$,
in a similar form and applying the encryption scheme in section 4.2 to the distributed
fusion problem.

Figure 4.2.: Procedure at timestep $k$ for the proposed confidential range-only measurement EIF.
(a) Prediction: the navigator, holding $\hat{\mathbf{y}}_{k|k-1}$, $\mathbf{Y}_{k|k-1}$, broadcasts
$\langle E_{pk_a}(E_0(\theta)) \mid \theta \in \{\hat{x}^3_{k|k-1}, \hat{y}^3_{k|k-1}, \dots\} \rangle$ to sensors $1, \dots, n$.
(b) Measurement: each sensor $i$, from $z'_{k,i}$, $r'_{k,i}$, returns $E_{pk_a, sk_{a,i}}(E_1(\mathbf{i}'_{k,i}))$ and
$E_{pk_a, sk_{a,i}}(E_1(\mathbf{I}'_{k,i}))$.
(c) Update: the navigator recovers $\sum_{i=1}^{n} \mathbf{i}'_{k,i}$, $\sum_{i=1}^{n} \mathbf{I}'_{k,i}$ and computes $\hat{\mathbf{y}}_{k|k}$, $\mathbf{Y}_{k|k}$.

Algorithm 4 Navigator Prediction
1: procedure Prediction($\hat{\mathbf{y}}_{k-1|k-1}$, $\mathbf{Y}_{k-1|k-1}$, $pk_a$)
2:   ▷ Compute local prediction
3:   Estimate $\hat{\mathbf{y}}_{k|k-1}$ locally
4:   Estimate $\mathbf{Y}_{k|k-1}$ locally
5:   ▷ Encode, encrypt and broadcast weights
6:   Compute $E_{pk_a}(E_0(\hat{x}^3_{k|k-1}))$ given (4.11)
7:   Broadcast $E_{pk_a}(E_0(\hat{x}^3_{k|k-1}))$ to sensors
8:   for Remaining weights in (4.28) do
9:     Encode, encrypt and broadcast weight in the form above
10:  end for
11:  return $\hat{\mathbf{y}}_{k|k-1}$, $\mathbf{Y}_{k|k-1}$
12: end procedure
To stress the applicability of this solution to the sub-class of non-linear problems,
we note that the presented method using range-only measurements does not directly fit
into this category, as shown in section 4.3.1, requiring modification to measurements to
achieve the desired form in (4.31). Similarly, other non-linear measurements that do not
directly suit the required form but can be modified accordingly are also solvable by the
presented method.

4.3.5. Security Analysis


With the confidential EIF defined in section 4.3.3, we can interpret the aggregation
leakage of an LCAO scheme in the context of range sensor localisation. The leakage
function from the AggDec algorithm corresponds to the information vector and matrix
sums, $\sum_{i=1}^{n} \mathbf{i}'_{k,i}$ and $\sum_{i=1}^{n} \mathbf{I}'_{k,i}$, respectively, but recalling that a compromised navigator
can learn the individual sums weighted by the same weight, the sums
\[ \left\{ \sum_{i=1}^{n} 2 r^{-1}_{k,i},\ \sum_{i=1}^{n} -r^{-1}_{k,i} s_{x,i},\ \sum_{i=1}^{n} -2 r^{-1}_{k,i} s_{x,i},\ \dots \right\} \tag{4.32} \]
can be leaked as well. From this leakage, we can see that sensitive sensor information,
$z'_{k,i}$, $r'_{k,i}$ and $\mathbf{s}_i$, is present only in their complete sums
\[ \sum_{i=1}^{n} z'_{k,i},\quad \sum_{i=1}^{n} r'_{k,i},\quad \sum_{i=1}^{n} s_{x,i} \quad \text{and} \quad \sum_{i=1}^{n} s_{y,i}, \tag{4.33} \]
which can in practice be interpreted as the leakage of their averages. Therefore, in the
context of our proposed localisation method, LCAO leakage corresponds to the averages
of sensors' sensitive information, while individual sensor information remains private.

Considering the generalisation of the method discussed in section 4.3.4, the leakage
of an LCAO scheme in the context of general measurement fusion can be interpreted
similarly. Sensitive sensor information, when measurement functions are in the form
(4.31), results in only their sums being present in associated leaked measurement vector
and matrix sums, $\sum_{i=1}^{n} \mathbf{i}_{k,i}$ and $\sum_{i=1}^{n} \mathbf{I}_{k,i}$, corresponding to leakage of average sensitive
information only.

Algorithm 5 Measurement at Sensor $i$
1: procedure Measurement($i$, $s_{x,i}$, $s_{y,i}$, $r_{k,i}$, $pub$, $pk_a$, $sk_{a,i}$)
2:   $H \leftarrow pub$
3:   $N \leftarrow pk_a$
4:   ▷ Measure and modify measurement
5:   Measure $z_{k,i}$
6:   Compute $z'_{k,i}$ by (4.23)
7:   Compute $r'_{k,i}$ by (4.25)
8:   ▷ Receive encrypted weights
9:   Receive $E_{pk_a}(E_0(\hat{x}^3_{k|k-1}))$
10:  for Remaining weights in (4.28) do
11:    Receive weight in the form above
12:  end for
13:  ▷ Compute linear combination of measurement vector and matrix components
14:  Let $\bar{\alpha}^{(k,\epsilon)}_i$ represent the encryption of $\alpha^{(k,\epsilon)}_i$ in (4.26) and (4.27)
15:  $\bar{\alpha}^{(k,1)}_i \leftarrow E_{pk_a}(E_0(\hat{x}^3_{k|k-1}))^{E_0(2 r'^{-1}_{k,i})} \cdot E_{pk_a}(E_0(\hat{x}_{k|k-1} \hat{y}^2_{k|k-1}))^{E_0(2 r'^{-1}_{k,i})} \cdot E_{pk_a}(E_0(\hat{x}^2_{k|k-1}))^{E_0(-2 r'^{-1}_{k,i} s_{x,i})} \cdot E_{pk_a}(E_0(\hat{y}^2_{k|k-1}))^{E_0(-2 r'^{-1}_{k,i} s_{x,i})} \cdot E_{pk_a}(E_0(\hat{x}_{k|k-1}))^{E_0(2 r'^{-1}_{k,i} z'_{k,i})} \cdot E_{pk_a}(E_0(\hat{x}_{k|k-1}))^{E_0(-2 r'^{-1}_{k,i} s^2_{x,i})} \cdot E_{pk_a}(E_0(\hat{x}_{k|k-1}))^{E_0(-2 r'^{-1}_{k,i} s^2_{y,i})} \cdot (N+1)^{E_1(2 r'^{-1}_{k,i} s^3_{x,i})} \cdot (N+1)^{E_1(2 r'^{-1}_{k,i} s_{x,i} s^2_{y,i})} \cdot (N+1)^{E_1(-2 r'^{-1}_{k,i} s_{x,i} z'_{k,i})} \cdot H(k \,\|\, 1)^{sk_{a,i}} \pmod{N^2}$
16:  Compute remaining $\bar{\alpha}^{(k,\epsilon)}_i$ using (4.26), (4.27), (4.7) and the remark from section 4.2 in the form above
17:  ▷ Send linear combinations to the navigator
18:  for $\epsilon \leftarrow 1$ to $6$ do
19:    Send $\bar{\alpha}^{(k,\epsilon)}_i$ to the navigator
20:  end for
21: end procedure

Algorithm 6 Navigator Update
1: procedure Update($\hat{\mathbf{y}}_{k|k-1}$, $\mathbf{Y}_{k|k-1}$, $pk_a$, $sk_{a,0}$)
2:   $N \leftarrow pk_a$
3:   ▷ Receive linear combinations from the sensors
4:   for $\epsilon \leftarrow 1$ to $6$ do
5:     Receive $\bar{\alpha}^{(k,\epsilon)}_i$ from each sensor $1 \le i \le n$
6:   end for
7:   ▷ Decrypt, decode and construct measurement vector and matrix
8:   Let $\bar{\alpha}^{(k,\epsilon)}$ represent an encryption of $\sum_{i=1}^{n} \alpha^{(k,\epsilon)}_i$
9:   for $\epsilon \leftarrow 1$ to $6$ do
10:    $\bar{\alpha}^{(k,\epsilon)} \leftarrow \prod_{i=1}^{n} \bar{\alpha}^{(k,\epsilon)}_i \pmod{N^2}$
11:    Compute $E_1^{-1}(D_{pk_a, sk_{a,0}}(\bar{\alpha}^{(k,\epsilon)}))$
12:  end for
13:  Construct $\sum_{i=1}^{n} \mathbf{i}'_{k,i}$ and $\sum_{i=1}^{n} \mathbf{I}'_{k,i}$ from decoded decryptions above
14:  ▷ Perform filter update
15:  $\hat{\mathbf{y}}_{k|k} \leftarrow \hat{\mathbf{y}}_{k|k-1} + \sum_{i=1}^{n} \mathbf{i}'_{k,i}$
16:  $\mathbf{Y}_{k|k} \leftarrow \mathbf{Y}_{k|k-1} + \sum_{i=1}^{n} \mathbf{I}'_{k,i}$
17:  return $\hat{\mathbf{y}}_{k|k}$, $\mathbf{Y}_{k|k}$
18: end procedure
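An added Python example, not the thesis's code, tying together sections 4.3.2, 4.3.3 and 4.3.5: it forms each sensor's coefficient vectors from (4.26) and (4.27) over the weights (4.28), runs one update timestep in the Q number format with the modular integer arithmetic that AggDec hands back (the encryption layer itself is left out), checks the result against the matrix form of $\mathbf{i}'_{k,i}$ and $\mathbf{I}'_{k,i}$, and reproduces the leakage of section 4.3.5 by feeding unit weights. The stand-in modulus, the precision $\phi$, the prediction and the sensor data are constructed; the ordering of the weights and the handling of the constant term as a weight known to the sensors (the remark in section 4.2) are assumptions of the example.

```python
PHI = 2 ** 32            # fractional precision factor phi, the value used in section 4.3.6
N_MOD = 2 ** 127 - 1     # constructed stand-in for the Paillier modulus N (any large modulus works here)


def encode(v: float) -> int:
    """Q-format encoding E_0(v) = round(v * phi) mod N; negatives wrap around as in Z_N."""
    return round(v * PHI) % N_MOD


def decode(m: int, depth: int) -> float:
    """E_depth^{-1}: centre the residue, then divide by phi^(depth + 1)."""
    if m > N_MOD // 2:
        m -= N_MOD
    return m / PHI ** (depth + 1)


def weights(xh: float, yh: float) -> list[float]:
    """Navigator weights (4.28) in a fixed (assumed) order, plus the constant 1 that every
    sensor knows, so it need not be broadcast (remark in section 4.2)."""
    return [xh**3, yh**3, xh**2 * yh, xh * yh**2, xh**2, yh**2, xh * yh, xh, yh, 1.0]


def sensor_coefficients(sx, sy, z_mod, r_mod) -> list[list[float]]:
    """a_i^(k,eps), eps = 1..6: coefficients of (4.26)-(4.27) over weights(), with the
    coefficients of equal monomials merged.  Only sensor-private quantities appear."""
    g = 1.0 / r_mod
    c = 2 * g * (z_mod - sx**2 - sy**2)
    a1 = [2*g, 0, 0, 2*g, -2*g*sx, -2*g*sx, 0, c, 0, 2*g*sx*(sx**2 + sy**2 - z_mod)]
    a2 = [0, 2*g, 2*g, 0, -2*g*sy, -2*g*sy, 0, 0, c, 2*g*sy*(sx**2 + sy**2 - z_mod)]
    a3 = [0, 0, 0, 0, 4*g, 0, 0, -8*g*sx, 0, 4*g*sx**2]
    a4 = [0, 0, 0, 0, 0, 0, 4*g, -4*g*sy, -4*g*sx, 4*g*sx*sy]
    a6 = [0, 0, 0, 0, 0, 4*g, 0, 0, -8*g*sy, 4*g*sy**2]
    return [a1, a2, a3, a4, a4, a6]


def direct_terms(xh, yh, sx, sy, z_mod, r_mod) -> list[float]:
    """The same six scalars from the matrix form: i'_{k,i} (two entries) and I'_{k,i} (2x2)."""
    hx, hy = 2 * (xh - sx), 2 * (yh - sy)                  # Jacobian (4.20)
    h_mod = (xh - sx) ** 2 + (yh - sy) ** 2                # h'_i at the prediction (4.19)
    innov = (z_mod - h_mod + hx * xh + hy * yh) / r_mod
    return [hx * innov, hy * innov, hx*hx/r_mod, hx*hy/r_mod, hy*hx/r_mod, hy*hy/r_mod]


def confidential_update(sensors, theta) -> list[float]:
    """Algorithms 4-6 without the cryptography: the navigator encodes theta, each sensor forms
    its depth-1 combination mod N (the exponent arithmetic of (4.7)), the navigator sums mod N
    and decodes with E_1^{-1}.  Returns sum_i alpha_i^(k,eps) for eps = 1..6."""
    enc_theta = [encode(t) for t in theta]
    sums = [0] * 6
    for s in sensors:
        for eps, a in enumerate(sensor_coefficients(*s)):
            comb = sum(encode(c) * t for c, t in zip(a, enc_theta)) % N_MOD
            sums[eps] = (sums[eps] + comb) % N_MOD
    return [decode(m, 1) for m in sums]


def plain_update(sensors, xh, yh) -> list[float]:
    """Reference: the same sums from direct_terms, i.e. what (4.29)-(4.30) add to the prior."""
    out = [0.0] * 6
    for s in sensors:
        for eps, v in enumerate(direct_terms(xh, yh, *s)):
            out[eps] += v
    return out


def leaked_sum(sensors, j: int, eps: int = 0) -> float:
    """Section 4.3.5: a navigator choosing the unit weight vector e_j learns sum_i a_{i,j}^(k,eps);
    j = 0, eps = 0 gives sum_i 2 / r'_{k,i}, while no individual r'_{k,i} is exposed."""
    unit = [1.0 if m == j else 0.0 for m in range(10)]
    return confidential_update(sensors, unit)[eps]


# Constructed sample: one prediction (xh, yh) and three sensors as (s_x, s_y, z', r').
XH, YH = 12.0, -7.0
SENSORS = [(30.0, 40.0, 2540.0, 4200.0), (-50.0, 10.0, 4100.0, 6000.0), (0.0, -60.0, 2960.0, 5000.0)]

if __name__ == "__main__":
    print(confidential_update(SENSORS, weights(XH, YH)))
    print(plain_update(SENSORS, XH, YH))
    print(leaked_sum(SENSORS, 0))
```

Two points the code makes concrete: the fixed-point encoding must keep every intermediate product below $N/2$ in magnitude or the centred decode wraps to the wrong sign, and the leakage is a property of the weights rather than of the encryption, since the sensors cannot tell a genuine prediction from a unit vector once it is encrypted.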

4.3.6. Simulation
As well as having shown the theoretical backing for the security of our scheme, we
have simulated the proposed localisation method to evaluate its performance. As in the
previous chapter, a two-dimensional, constant-velocity linear system model,
\[ \mathbf{x}_k = \begin{bmatrix} 1 & 0 & 0.5 & 0 \\ 0 & 1 & 0 & 0.5 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix} \mathbf{x}_{k-1} + \mathbf{w}_k, \tag{4.34} \]
with noise term
\[ \mathbf{w}_k \sim \mathcal{N}\left( \mathbf{0},\ \frac{1}{10^3} \cdot \begin{bmatrix} 0.42 & 0 & 1.25 & 0 \\ 0 & 0.42 & 0 & 1.25 \\ 1.25 & 0 & 5.0 & 0 \\ 0 & 1.25 & 0 & 5.0 \end{bmatrix} \right) \tag{4.35} \]
was simulated. The navigator used a linear KF for local state prediction while the al-
gorithms in section 4.3.3 were used for measurement updates. Code was written in the
C programming language using the MPI library [113] to support asynchronous com-
putations by the sensors and the navigator. The MGF1 mask generation function and
the SHA256 hash function from the OpenSSL library [114] were used to implement the
hash function H, and the Libpaillier library [115] was used for the Paillier encryption


scheme. Additionally, GNU libraries, GSL [116] and GMP [117] were used for algebraic
operations and multiple-precision encoded integers, respectively. All timed executions
were performed on a 3.33GHz Xeon W3680 CPU, running on the Windows Subsystem
for Linux (WSL).
To capture the dependence of the estimated modified measurement variances $r'_{k,i}$ on
original measurements $z_{k,i}$, we considered multiple sensor layouts, each with four sensors,
with varying average sensor distances from the navigator. The layouts along with
the initial state and a sample track are shown visually in figure 4.3. To demonstrate the
accuracy of the method, we compared the MSE of the presented filter to the standard
EIF using unmodified measurements. Estimation in each layout from figure 4.3 consisted
of 50 filter iterations and was run 1000 times. Unmodified measurement variances
were chosen as $r_{k,i} = 5$ for all $k > 0$ and a large fractional precision factor, $\phi = 2^{32}$,
was chosen. Simulation results can be seen in figure 4.4. From these results, we see
the similarity in performance between the presented confidential localisation filter and
that of the unmodified EIF. We also see that varying the distances between sensors and
the navigator has little impact on the performance of the presented method. We can
attribute the similar performance to the conservativeness of estimated modified measurement
variances $r'_{k,i}$, eliminating additional filter divergences, and to the high fractional
precision factor $\phi$, keeping computations consistent with the floating-point arithmetic of
the EIF.

Figure 4.3.: Considered simulation layouts with varying distances between a sample navigator
track and sensors. (Four panels, "Normal", "Big", "Quite Big" and "Very Big", plotting
Location x against Location y over $[-100, 100]$ and marking the ground truth track, the
initial estimate and the sensors.)
In addition to filter performance, computational performance is also an important factor
to consider in real-time applications relying on cryptographic methods. Figure 4.5
shows the averages of 10 execution times when varying the numbers of sensors and key
sizes (bit lengths of $N$). Here, increasing the number of sensors primarily affected the
number of inter-process communications and aggregation steps due to the asynchronous
C implementation. We can see that the predominant computational costs stem from
cryptographic computations and are directly dependent on the chosen key size. In practice,
choosing a key size should take into account the duration of secrecy and the secret
key lifetime. For example, when relying on the DCRA for security, as is the case for
the scheme presented in section 4.2, a key length of 2048 bits is recommended for
encrypting government documents [118]. For our implementation and the aforementioned
hardware, a 2048-bit key results in a filter update roughly every 1.7 s. However,
if sensors are mobile and past navigations are not considered confidential, reduced key
sizes may be sufficient. Further, a greater decrease in computation time may be achieved
with additional code optimisations and more powerful hardware, not considered in this
work.

Figure 4.4.: Average MSE of the presented confidential filter for the different layouts
over 1000 simulation runs. (Four panels, "Normal", "Big", "Quite Big" and "Very Big",
plotting Mean Square Error (MSE) against Simulation Timestep, 0 to 50, for the
confidential filter and the unmodified EIF.)

Figure 4.5.: Average simulation runtimes with varying key sizes and numbers of sensors.
(Runtime (s), 0 to 150, against Number of Sensors, 2 to 5, for key lengths of 512, 1024,
1536, 2048 and 2560 bits.)

4.4. Conclusions on Non-Linear Measurement Fusion with Untrusted Participants

We have presented a localisation filter that, in the presence of range-only sensors, keeps
private sensor information and navigator estimates confidential. A suitable cryptographic
notion and scheme have been introduced and an implementation of the filter
and scheme used to evaluate estimate and computational performance. The generalisation
of the method to any non-linear measurement models fitting the form in section
4.3.4 has been discussed, leading to a more general solution, albeit non-exhaustive, to
applications in a variety of environments where sensor networks are untrusted or estimates
are considered private.

Future work on the topic of non-linear measurement fusion with untrusted participants
includes more computationally efficient schemes meeting the LCAO notion, relaxing the
honest-but-curious assumption of malicious sensors and expanding the LCAO notion to
enforce the consistent broadcast assumption.

5. Provable Estimation Difference
5.1. Problem Formulation
In this chapter, we look at the problem of formalising estimation performances from a
cryptographic perspective and allowing meaningful cryptographic guarantees when com-
paring estimators. The scenario that we will use to build this formalisation, capturing a
generally applicable scenario, is one where system and measurement models are known
and stochastic, and state estimators can have access to secret keys, providing them with
a certain privilege. Estimators holding no keys are termed unprivileged. In addition,
we will develop a single-sensor scheme that quantifies and cryptographically guarantees
a difference between privileged and unprivileged estimator performances when both es-
timators have access to the same measurements and when models are Gaussian and
linear. Further, we look at the extension to multiple sensors and the effect of fusion
on cryptographic estimation performance guarantees as well as the applicability of the
method to non-linear models.
To capture the aim of comparing a privileged and unprivileged estimator, we first
define how to assess the estimation difference between them, and which algorithms are
required to characterise a privileged estimation scheme. After giving relevant formal
cryptographic definitions, the considered single-sensor privileged estimation problem and
its extension to multiple sensors are presented.

5.1.1. Formal Cryptographic Problem


While we later introduce assumptions on the system and measurement models, it is
more practical to define a broader security notion that can be satisfied under arbitrary
specified conditions on the models. This lends the use of the notion to future literature
and is more in line with typical cryptographic practice.
We aim to give the security notion in terms of probabilistic polynomial-time (PPT)
attackers and capture the desired leakage as well as attacker capabilities. The most
commonly desired leakage, cryptographic indistinguishability, is not suitable for our sce-
nario due to our desire for both estimators to gain some information from measurements.
Instead, we define security in terms of a time series of semi-definite matrices, given ar-
bitrary known models, such that the difference in estimation error covariances between
the estimators with and without access to a privilege, respectively, is bounded by the
series at all times.
To formalize this, we introduce the following notations and definitions. We assume the
existence of an arbitrary process (not necessarily Gaussian or linear) following a known
system model exactly, with the state at timestep $k$ denoted by $\mathbf{x}_k \in \mathbb{R}^d$ and model
parameters $M_S$. Similarly, we assume the existence of a means of process measurement
following a known measurement model exactly, with the measurement at timestep $k$
denoted by $\mathbf{z}_k \in \mathbb{R}^m$ and model parameters $M_M$. We can now define a relevant scheme.

Definition 5.1.1. A privileged estimation scheme is a pair of probabilistic algorithms
(Setup, Noise), given by

Setup($M_S$, $M_M$, $\kappa$) On the input of models $M_S$ and $M_M$, and the security parameter
$\kappa$, public parameters $pub$ and a secret key $sk_g$ are created.

Noise($pub$, $sk_g$, $k$, $M_S$, $M_M$, $\mathbf{z}_1, \dots, \mathbf{z}_k$) On input of public parameters $pub$, secret key
$sk_g$, timestep $k$, models $M_S$ and $M_M$, and measurements $\mathbf{z}_1, \dots, \mathbf{z}_k$, a privileged
and unprivileged modified measurement (with no required model constraints) are
returned, $\mathbf{z}^{\{p\}}_k$ and $\mathbf{z}^{\{up\}}_k$, respectively.

In addition to the scheme above, we also give the following definitions to help formalize
our desired security notion.

Definition 5.1.2. An estimator is any probabilistic algorithm that produces a guess of
the state $x_k$ for a given timestep $k$.

Definition 5.1.3. A negligible covariance function,

$$\mathrm{neglCov}_m(\kappa) : \mathbb{N} \to \mathbb{R}^{m \times m}, \qquad (5.1)$$

is a function that returns a matrix $A$ such that $A$ is a valid covariance ($A \succ 0$ and
$A = A^\top$) and for each of its eigenvalues $a \in \mathrm{eig}(A)$, there exists a negligible function
[102, Def. 3.4] $\eta$ such that $a \le \eta(\kappa)$.

Now we can give the security notion that formalizes the estimation difference we want to
capture.

Definition 5.1.4. A privileged estimation scheme meets the notion $\{D_1, D_2, \ldots\}$-Covariance
Privilege for Models $M_S$ and $M_M$ if for any PPT estimator $A$, there exists
a PPT estimator $A'$, such that

$$\mathrm{Cov}\left[A\left(k, \kappa, pub, M_S, M_M, z_1^{\{up\}}, \ldots, z_k^{\{up\}}\right) - x_k\right] - \mathrm{Cov}\left[A'\left(k, \kappa, pub, M_S, M_M, z_1^{\{p\}}, \ldots, z_k^{\{p\}}\right) - x_k\right] \succeq D_k - \mathrm{neglCov}_m(\kappa) \qquad (5.2)$$

for all $k > 0$, some negligible covariance function and where matrices $D_k$ are semi-definite,
that is, $D_k \preceq 0$ or $D_k \succeq 0$. Here, estimators $A$ and $A'$ are running in
polynomial-time with respect to the security parameter $\kappa$, and all probabilities are taken
over randomness introduced in models $M_S$ and $M_M$, estimators $A$ and $A'$, and algorithms
Setup and Noise.


Informally, the above definition states that no estimator that can only access unprivileged
measurements $z_1^{\{up\}}, \ldots, z_k^{\{up\}}$ can estimate a state $x_k$ for a timestep $k$ with
an MSE covariance less than an equivalent estimator with access to privileged measurements
$z_1^{\{p\}}, \ldots, z_k^{\{p\}}$, by a margin of at least $D_k$. We also note that by taking probabilities
over randomness introduced in the system model, and therefore the possible true states
$x_k$, the definition fits a Bayesian interpretation of probability for any stochastic system
model.

5.1.2. Estimation Problem


To make use of the introduced cryptographic notion, we consider specific estimation
models to use in the single-sensor case when developing a privileged estimation scheme
with a provable estimation performance difference between privileged and unprivileged
estimators. A system model gives the state $x_k \in \mathbb{R}^d$ at an integer timestep $k$ and is
given by

$$x_k = F_k x_{k-1} + w_k, \qquad (5.3)$$

with noise term $w_k \sim \mathcal{N}(0, Q_k)$ and a known non-zero covariance $Q_k \in \mathbb{R}^{d \times d}$. Similarly,
the measurement model gives a measurement $z_k$ at a timestep $k$ and is given by

$$z_k = H_k x_k + v_k, \qquad (5.4)$$

with noise term $v_k \sim \mathcal{N}(0, R_k)$ and a known non-zero covariance $R_k \in \mathbb{R}^{m \times m}$.


In this scenario, the sensor holds a secret key $sk_g$ that it uses to modify its measurements,
and privileged estimators hold this shared key while unprivileged estimators
do not. We also assume that sensors and estimators are synchronised in timestep $k$ to
simplify later cryptographic evaluation.

5.1.3. Multi-Sensor Problem


As well as the single-sensor problem, we are also interested in the extension to environments
with multiple sensors, where the fusion of measurements can also lead to better
estimation performance irrespective of privilege. Here, we consider multiple privileges,
such that estimators with a higher privilege should perform better than those with a
lower one while taking into consideration the estimation benefits from fusing additional
measurements. We again consider linear and Gaussian models, where the state $x_k \in \mathbb{R}^d$
follows the system model (5.3). Measurements $z_{k,i} \in \mathbb{R}^m$ are now indexed by sensor $i$,
$1 \le i \le n$, and follow the measurement models

$$z_{k,i} = H_{k,i} x_k + v_{k,i}, \qquad (5.5)$$

with noise terms $v_{k,i} \sim \mathcal{N}(0, R_{k,i})$ and known non-zero covariances $R_{k,i} \in \mathbb{R}^{m \times m}$. In
addition to these models, we again assume synchronisation, between all estimators and
sensors $i$, in timesteps $k$, simplifying later cryptographic evaluation.
In this scenario, each sensor holds its own secret key $sk_{g,i}$, $1 \le i \le n$, which is shared
with estimators of appropriate privileges. The privileges that we consider, in terms of
access to keys and measurements, will be defined by sequential sensor access. That is, in
the presence of $n$ sensors, we will consider exactly $n$ possible privilege levels, where each
privilege $\pi > 0$ corresponds to holding the sequential secret keys $sk_{g,j}$, $1 \le j \le \pi$, while
being unprivileged, $\pi = 0$, corresponds to holding none. Additionally, we assume that
estimators have access to all privileged measurements, those from sensors whose keys
they hold, but can fuse additional unprivileged measurements, from those whose keys
they do not hold. To simplify notation, we consider access to unprivileged measurements
to be sequential as well, and can therefore capture estimator capabilities by letting $e^{[\pi,\tau]}$
denote an estimator with privilege $\pi$ and access to measurements from $\tau \ge \pi$ sensors $i$,
$1 \le i \le \tau$.
Multiple measurements and the effects of privilege and fusion on estimation perfor-
mance complicate the cryptographic analysis in the case of multiple sensors. To demon-
strate that a presented scheme guarantees better performance for higher privilege esti-
mators while limiting the benefit from fusing unprivileged measurements, the covariance
privilege notion in section 5.1.1 will be used to guarantee two estimation performance
differences for each privilege π.

Performance Loss Lower Bound (PLLB) Here, we aim to guarantee a lower bound on
the estimation performance loss of any unprivileged estimator $e^{[0,n]}$ on a privilege-$\pi$
estimator $e^{[\pi,\pi]}$. Naturally, this will remain a lower bound when unprivileged
estimators have access to fewer unprivileged measurements or privileged estimators
have access to more.

Performance Gain Upper Bound (PGUB) This bound will guarantee an upper bound
on the estimation performance gain of any estimator $e^{[\pi,n]}$ on a privilege-$\pi$ estimator
$e^{[\pi,\pi]}$. The bound similarly remains an upper bound when fewer unprivileged
measurements are fused.

Lastly, a suitable scheme should be one with at least two free parameters responsible for
controlling the values of these two bounds.
Remark. We stress that the two bounds that will be guaranteed only bound the performances
of estimators of the specified forms. That is, nothing is said about estimators
which may corrupt sensors to obtain keys beyond their privilege or additional unprivileged
measurements. Bounds on leakage caused by corrupting sensors can in some cases
be captured by estimators of a new form $e^{[\pi',\tau']}$, but are in general beyond the scope of
this thesis.

5.2. Privileged Estimation for Linear Systems


In this section, we propose a privileged estimation scheme meeting the security notion in
section 5.1.1 for a derivable series of semi-definite matrices when models $M_S$ and $M_M$
are given by (5.3) and (5.4), respectively. The key idea behind the method is to add
pseudorandom Gaussian noise to existing measurement noise at the sensor, degrading
estimation at estimators that cannot remove it. This added noise is a keystream generated
by the sensor's secret key and can only be removed from measurements by an
estimator holding the same key.

5.2.1. Gaussian Keystream


To generate the desired pseudorandom Gaussian noise that can be added to existing
measurements, the sensor first generates a typical cryptographic pseudorandom bitstream
with its secret key $sk_g$. This can be done with any cryptographic stream cipher and
reduces the security of the method to a single, well-studied and replaceable component.
This bitstream can be interpreted as sequential pseudorandom integers of a suitable size
and used to generate a sequence of pseudorandom uniform real numbers $\upsilon_t \mathrel{\dot\sim} \mathcal{U}(0, 1)$ for
sequence indices $t > 0$.
Here, we note that the conversion to real numbers $\upsilon_t$ is cryptographically non-trivial,
since the floating-point representation affects the pseudorandomness of the samples and
makes a desired cryptographic notion harder to meet. Instead, we assume that
floating-point numbers are sufficiently close to real numbers and rely on any common
method for choosing the bit size of pseudorandom integers and the generation of uniform
numbers $\upsilon_t$ [119]. This assumption will be further discussed with the security of the
presented scheme in section 5.2.3.
With this assumption, we are left with generating a series of pseudorandom standard
Gaussian samples, which can be readily computed using the Box-Muller transform [120].
This is given by

$$\psi_t = \sqrt{-2 \ln(\upsilon_t)} \cos(2\pi \upsilon_{t+1}) \qquad (5.6)$$

and

$$\psi_{t+1} = \sqrt{-2 \ln(\upsilon_t)} \sin(2\pi \upsilon_{t+1}), \qquad (5.7)$$

obtaining two independent standard Gaussian samples from two uniform ones. To
generate noise that can be added by the sensor and removed by a privileged estimator
using this series, a conversion to a $d$-dimension zero-mean multivariate Gaussian sample
is required at every timestep $k$. As control over the difference in estimation error between
privileged and unprivileged estimators is desired, a symmetric matrix parameter $S \succ 0$
is introduced, such that added pseudorandom noise $g_k$ follows distribution $g_k \mathrel{\dot\sim} \mathcal{N}(0, S)$.
Given $S$, $g_k$ can be computed using the next $d$ Gaussian keystream samples,

$$\psi_k = \begin{bmatrix} \psi_{(k-1)d+1} & \ldots & \psi_{kd} \end{bmatrix}^\top, \qquad (5.8)$$

as

$$g_k = S^{\frac{1}{2}} \psi_k \qquad (5.9)$$

for any matrix $S^{\frac{1}{2}}$ such that $S^{\frac{1}{2}} S^{\frac{1}{2}\top} = S$. We also note that for the correct removal of
noise terms $g_k$ by the privileged estimator, index information $k$ is required but available
when sensors and estimators are synchronised, as assumed in the problem.


5.2.2. Measurement Modification


Using the noise in (5.9), the sensor can now modify measurements $z_k$ by

$$z'_k = z_k + g_k, \qquad (5.10)$$

resulting in a new measurement model

$$z'_k = H_k x_k + v_k + g_k, \qquad (5.11)$$

with noise terms $v_k \sim \mathcal{N}(0, R_k)$ and $g_k \mathrel{\dot\sim} \mathcal{N}(0, S)$. This leads to two estimation problems
for the privileged and unprivileged estimators, respectively.

Privileged estimation An estimator that holds the secret key $sk_g$ can compute the Gaussian
keystream $\psi_t$, $t > 0$, and therefore the added noise vectors $g_k$ at every timestep
$k$. Given the modified measurements (5.10), computing $z_k = z'_k - g_k$ obtains
measurements following the measurement model (5.4) exactly.

Unprivileged estimation In the case where pseudorandomness is indistinguishable from
randomness, as is the case for an unprivileged estimator when a cryptographically
secure keystream is used and the secret key $sk_g$ is not known, modified measurements
are indistinguishable from those following the unprivileged measurement
model

$$z'_k = H_k x_k + v'_k, \qquad (5.12)$$

with $v'_k \sim \mathcal{N}(0, R_k + S)$, exactly.

Intuitively, the difference between the estimation errors of the two types of estimators
depends on the matrix $S$.
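As an added example (not the thesis's simulation code), the keystream, Box-Muller and measurement modification steps of sections 5.2.1 and 5.2.2 in Python. It assumes HMAC-SHA256 in counter mode as a stand-in for the AES-CTR stream cipher the thesis uses, a constructed key, and a constructed correlated covariance $S$ in place of the thesis's $S = 35 \cdot I$; the Cholesky factor serves as $S^{\frac{1}{2}}$.

```python
import hashlib
import hmac
import math
from typing import List

Vector = List[float]
Matrix = List[List[float]]


def keystream_uniforms(key: bytes, count: int) -> Vector:
    """Uniform samples upsilon_1..upsilon_count in (0, 1) from a keyed stream.

    Stand-in stream cipher (assumption, not the thesis's AES-CTR): HMAC-SHA256
    over a 64-bit counter. Each 64-bit chunk is cut to 53 bits so the float keeps
    full double precision; the +0.5 offset keeps ln() in (5.6) finite.
    """
    samples: Vector = []
    counter = 0
    while len(samples) < count:
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        for off in range(0, 32, 8):
            if len(samples) == count:
                break
            u53 = int.from_bytes(block[off:off + 8], "big") >> 11
            samples.append((u53 + 0.5) / float(1 << 53))
        counter += 1
    return samples


def box_muller(uniforms: Vector) -> Vector:
    """psi_t, psi_{t+1} from upsilon_t, upsilon_{t+1}: equations (5.6) and (5.7)."""
    psi: Vector = []
    for t in range(0, len(uniforms) - 1, 2):
        radius = math.sqrt(-2.0 * math.log(uniforms[t]))
        angle = 2.0 * math.pi * uniforms[t + 1]
        psi.append(radius * math.cos(angle))
        psi.append(radius * math.sin(angle))
    return psi


def cholesky(s: Matrix) -> Matrix:
    """Lower-triangular L with L L^T = S, one valid choice of S^{1/2} for (5.9)."""
    n = len(s)
    low = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            acc = s[i][j] - sum(low[i][c] * low[j][c] for c in range(j))
            low[i][j] = math.sqrt(acc) if i == j else acc / low[j][j]
    return low


def noise_sequence(key: bytes, steps: int, s_sqrt: Matrix) -> List[Vector]:
    """g_1..g_steps: g_k = S^{1/2} psi_k with psi_k = samples (k-1)d+1..kd, (5.8)-(5.9)."""
    d = len(s_sqrt)
    total = steps * d
    psi = box_muller(keystream_uniforms(key, total + total % 2))
    noises: List[Vector] = []
    for k in range(1, steps + 1):
        psi_k = psi[(k - 1) * d:k * d]
        noises.append([sum(s_sqrt[i][j] * psi_k[j] for j in range(d)) for i in range(d)])
    return noises


def keystream_noise(key: bytes, k: int, s_sqrt: Matrix) -> Vector:
    """g_k alone; identical on sensor and privileged estimator given the same key and k."""
    return noise_sequence(key, k, s_sqrt)[-1]


def sensor_modify(key: bytes, k: int, s_sqrt: Matrix, z_k: Vector) -> Vector:
    """Sensor side, (5.10): z'_k = z_k + g_k."""
    return [z + g for z, g in zip(z_k, keystream_noise(key, k, s_sqrt))]


def privileged_recover(key: bytes, k: int, s_sqrt: Matrix, z_mod: Vector) -> Vector:
    """Privileged estimator, section 5.2.2: z_k = z'_k - g_k, back on model (5.4)."""
    return [z - g for z, g in zip(z_mod, keystream_noise(key, k, s_sqrt))]


def empirical_noise_covariance(key: bytes, s_sqrt: Matrix, steps: int) -> Matrix:
    """Sample covariance of g_1..g_steps; with a sound keystream it approaches S,
    the extra noise an unprivileged estimator sees in model (5.12)."""
    d = len(s_sqrt)
    noises = noise_sequence(key, steps, s_sqrt)
    return [[sum(g[i] * g[j] for g in noises) / steps for j in range(d)] for i in range(d)]


if __name__ == "__main__":
    key = b"constructed demo key (not a real secret)"
    s_sqrt = cholesky([[35.0, 10.0], [10.0, 35.0]])  # constructed S
    z_mod = sensor_modify(key, 7, s_sqrt, [1.5, -2.0])
    print(z_mod, privileged_recover(key, 7, s_sqrt, z_mod))
```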

5.2.3. Security Analysis


Recalling definition 5.1.4, we aim to show how the notion is met by the proposed estima-
tion scheme. Before the proof sketch, we look at our scheme in the context of a formal
privileged estimation scheme with model constraints and give some relevant optimality
properties.
We consider the stochastic system model (5.3) and measurement model (5.4) exactly,
that is, any linear models with known covariance, zero-mean, Gaussian additive noises.
We define these as our model conditions and capture all relevant parameters in the
respective equations in MS and MM . Our scheme meets the definition of a formal
privileged estimation scheme by defining the required algorithms Setup and Noise as

Setup($M_S$, $M_M$, $\kappa$) Initialize a cryptographically indistinguishable stream cipher with
the parameter $\kappa$, set the secret key $sk_g$ to the stream cipher key and include an
initial filter estimate $\hat{x}_0$, error covariance $P_0$ and added noise covariance $S$ in the
public parameters $pub$.

Noise($pub$, $sk_g$, $k$, $M_S$, $M_M$, $z_1, \ldots, z_k$) Using the stream cipher key $sk_g$ and public
parameters $pub$, create an unprivileged measurement by (5.10). Set and return the
privileged measurement $z_k^{\{p\}} = z_k$ and unprivileged measurement $z_k^{\{up\}} = z'_k$.

Here, we note that in the Setup algorithm above, the inclusion of an initial state estimate,
its error covariance and the generated noise covariance in the public parameters pub are
present only for the completeness of the cryptographic definition and not a requirement
for the security of the scheme.
The idea behind our proof sketch relies on the optimality of the linear KF introduced in
section 2.1.2. Given an initial estimate and its error covariance, the KF produces updated
estimates with the minimum MSE achievable for any estimator when all measurements
$z_1, \ldots, z_k$ are observed, models are Gaussian and linear, and the same initialization is
used. Since the KF also preserves the initial error covariance order,

$$P_k \preceq P'_k \implies P_{k+1} \preceq P'_{k+1}, \qquad (5.13)$$

for two different filter estimate error covariances $P_k$ and $P'_k$, we can define an error
covariance lower-bound $P_k^{(l)}$ for all possible initialisations by setting $P_0^{(l)} = 0$ and
computing the KF error covariance using the combined predict and update equations

$$P_k^{(l)} = \left( I - \left(F_k P_{k-1}^{(l)} F_k^\top + Q_k\right) H_k^\top \left( H_k \left(F_k P_{k-1}^{(l)} F_k^\top + Q_k\right) H_k^\top + R_k \right)^{-1} H_k \right) \cdot \left( F_k P_{k-1}^{(l)} F_k^\top + Q_k \right). \qquad (5.14)$$

This gives us a lower bound at every timestep $k$, such that

$$P_k^{(l)} \preceq \mathrm{Cov}\left[ A\left(k, M_S, M_M, z_1, \ldots, z_k\right) - x_k \right] \qquad (5.15)$$

for any estimator $A$ following definition 5.1.2 and any Gaussian and linear models $M_S$
and $M_M$. This leads us to the proof sketch.

Proof Sketch
We wish to show that the scheme in section 5.2.2 meets {D1 , D2 , . . . }-Covariance Priv-
ilege for Models MS and MM , for a computable series Dk , k > 0 dependent on a noise
parameter S, when MS and MM are Gaussian and linear.
Since a cryptographically pseudorandom stream cipher is used, the stream integers,
and therefore the uniform samples υt and Gaussian samples ψt , are indistinguishable
from those generated from a truly random stream for any PPT estimator without the
secret key. We persist with the previous assumption that floating-point representations
of ψt are sufficiently close to Gaussian and assume the KF to provide optimal estimation
when using floating-point arithmetic. Using the Setup and Noise algorithms given in
section 5.2.3 leads to pseudorandom measurements $z'_k$ that are indistinguishable from
measurements following the unprivileged measurement model (5.12). We can then
compute a lower-bound $P_k^{\prime(l)}$ for any unprivileged estimator as $P_0^{\prime(l)} = 0$ and

$$P_k^{\prime(l)} = \left( I - \left(F_k P_{k-1}^{\prime(l)} F_k^\top + Q_k\right) H_k^\top \left( H_k \left(F_k P_{k-1}^{\prime(l)} F_k^\top + Q_k\right) H_k^\top + R_k + S \right)^{-1} H_k \right) \cdot \left( F_k P_{k-1}^{\prime(l)} F_k^\top + Q_k \right). \qquad (5.16)$$

Taking the difference of (5.16) and the lower bound error covariances for privileged
estimators (5.14) produces the series

$$D_k = P_k^{\prime(l)} - P_k^{(l)}, \qquad (5.17)$$

for $k > 0$, which can be tuned by the parameter $S$. Since both series $P_k^{(l)}$ and $P_k^{\prime(l)}$ give
the lowest possible error covariance of the respective estimators, an estimator following
the true model (5.4) can always be created for one following the unprivileged model
(5.12) such that their error covariances differ by at least $D_k$ for each timestep $k$. A
reduction proof can therefore be constructed, in which the existence of an unprivileged
estimator that produces estimates such that (5.2) does not hold, implies the existence
of an estimator with an error covariance lower than $P_k^{\prime(l)}$ following model (5.12). As
no such estimator exists, we conclude that our scheme meets $\{D_1, D_2, \ldots\}$-Covariance
Privilege for Models $M_S$ and $M_M$, when models are Gaussian and linear, concluding
our proof sketch.

Implicit Assumptions
In addition to the proof sketch, we stress some comments on accepting cryptographic
guarantees in terms of estimation models MS and MM when used to estimate a physical
process or approximate continuous models. The following assumptions are made in this
scenario.

Exact models When assigning a model to a physical process, any cryptographic guar-
antees about the model assume it describes the process exactly. Often, models
assume a Bayesian interpretation of probability (a stochastic state) or are chosen
to simplify estimation, resulting in the possibility of better estimation given alter-
native or more complicated models. Although the standard for state estimation,
we state the assumption to highlight the distinction between models and a physical
process.

Floating-point approximation As stated in section 5.2.1 and the proof sketch above,
floating-point approximations to real numbers complicate cryptographic guaran-
tees when relying on proofs using real numbers such as KF optimality. While
optimal estimation with floating-point numbers is beyond the scope of this thesis,
their prevalence in the field of state estimation justifies the assumption of suffi-
cient similarity and the insignificance of associated error introduced to the security
notion.


Non-Linear Systems
As the presented scheme provides a provable performance difference between privileged
and unprivileged estimators when models are Gaussian and linear, it leaves the question
of what can be said about the covariance privilege notion in our scheme when models
are arbitrary non-linear functions. The basis of our cryptographic guarantee is that op-
timal estimators for the considered models are known and therefore guarantee a certain
difference between privileged and unprivileged estimators’ performances. Here, we as-
sume that models are exact but accept that the cryptographic guarantee is useful even
when physical processes are not modelled perfectly, as long as optimal linear estimators
exist and estimate the process sufficiently well. With this reasoning, we argue that the
covariance privilege proof sketch can be similarly applied to non-linear methods when
using a non-linear (and non-optimal) estimator. In this case, the difference is no longer
cryptographically guaranteed, even if models were exact, since better estimators may ex-
ist. However, a derivable difference in performance between known and well-performing
estimators, with access to privileged and unprivileged measurements, respectively, still
provides meaningful and valuable security information.

5.2.4. Simulation
Simulation results of the presented privileged estimation scheme are shown here in addition
to the theoretical backing above. As in previous chapters, we simulated the
two-dimension time-invariant constant velocity system model,

$$x_k = \begin{bmatrix} 1 & 0 & 0.5 & 0 \\ 0 & 1 & 0 & 0.5 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix} x_{k-1} + w_k, \qquad (5.18)$$

with noise term

$$w_k \sim \mathcal{N}\left( 0, \frac{1}{10^3} \cdot \begin{bmatrix} 0.42 & 0 & 1.25 & 0 \\ 0 & 0.42 & 0 & 1.25 \\ 1.25 & 0 & 5.0 & 0 \\ 0 & 1.25 & 0 & 5.0 \end{bmatrix} \right). \qquad (5.19)$$

Two measurement models were considered, with bounded and unbounded system errors,
respectively, and estimators were implemented using the linear KF with initial error
covariance 0. Simulations were written in the Python programming language and the
AES block cipher in counter mode (AES-CTR) [28] was used as the cryptographically
secure stream cipher.
The first measurement model measured state location, leading to an asymptotically
stable system with bounded error covariances as $k \to \infty$. It was given by

$$z_k = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \end{bmatrix} x_k + v_k \qquad (5.20)$$

and

$$v_k \sim \mathcal{N}\left( 0, \begin{bmatrix} 5 & 2 \\ 2 & 5 \end{bmatrix} \right). \qquad (5.21)$$

The sensor added pseudorandom Gaussian samples with a covariance $S = 35 \cdot I$ according
to our scheme in section 5.2.2. Figure 5.1 shows the average error covariance traces and
the MSE of a privileged and unprivileged estimator for 1000 simulation runs using the
models (5.18) and (5.20). As expected, it can be seen that the privileged estimator's
error covariance trace is lower than the unprivileged estimator's and that the privileged
estimator has a lower MSE. The difference in trace between the two estimators has also
been plotted and equals the trace of the series (5.17) due to the simulation initial error
covariance 0.

[Figure 5.1: two panels, "Trace" (left) and "Mean Square Error (MSE)" (right), against "Simulation Timestep" 0 to 100, each showing Privileged Error ($P^{(l)}$), Unprivileged Error ($P^{\prime(l)}$) and Difference ($D$).]
Figure 5.1.: Error covariance trace and average MSE from 1000 simulation runs with
measurement model (5.20)
The second simulation considered an asymptotically unstable system where only state
velocity is measured, leading to an unbounded error covariance as $k \to \infty$. It was given
by

$$z_k = \begin{bmatrix} 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix} x_k + v_k, \qquad (5.22)$$

and the same noise distribution and keystream covariance $S$ as in the bounded case.
Figure 5.2 shows the average error covariance traces and MSE of estimation from 1000
simulation runs with models (5.18) and (5.22) and shows similar results.
Both figures capture the difference in estimation error between the best possible esti-
mators given the simulated processes (in terms of MSE) and support the security proof
sketch in section 5.2.3.

[Figure 5.2: two panels, "Trace" (left) and "Mean Square Error (MSE)" (right), against simulation timestep 0 to 100, each showing Privileged Error ($P^{(l)}$), Unprivileged Error ($P^{\prime(l)}$) and Difference ($D$).]
Figure 5.2.: Error covariance trace and average MSE from 1000 simulation runs with
measurement model (5.22)
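As an added example (not the thesis's simulation code), the lower bounds (5.14) and (5.16) and the series $D_k$ of (5.17) computed for the simulated models (5.18) to (5.22), with $P_0 = 0$ and $S = 35 \cdot I$ as in section 5.2.4. It assumes numpy is available and checks that every $D_k$ is positive semi-definite, that the position-measured case stays bounded and that the velocity-measured one grows without bound.

```python
import numpy as np

# Simulation models of section 5.2.4 (dt = 0.5 constant-velocity model)
F = np.array([[1.0, 0.0, 0.5, 0.0],
              [0.0, 1.0, 0.0, 0.5],
              [0.0, 0.0, 1.0, 0.0],
              [0.0, 0.0, 0.0, 1.0]])                       # (5.18)
Q = 1e-3 * np.array([[0.42, 0.0, 1.25, 0.0],
                     [0.0, 0.42, 0.0, 1.25],
                     [1.25, 0.0, 5.0, 0.0],
                     [0.0, 1.25, 0.0, 5.0]])               # (5.19)
H_POSITION = np.array([[1.0, 0.0, 0.0, 0.0],
                       [0.0, 1.0, 0.0, 0.0]])              # (5.20), bounded case
H_VELOCITY = np.array([[0.0, 0.0, 1.0, 0.0],
                       [0.0, 0.0, 0.0, 1.0]])              # (5.22), unbounded case
R = np.array([[5.0, 2.0], [2.0, 5.0]])                     # (5.21)
S = 35.0 * np.eye(2)                                       # keystream covariance S = 35 I


def kf_covariance_step(p_prev, f, q, h, r):
    """Combined predict-and-update step on the error covariance, the form of (5.14):
    P_k = (I - P_pred H^T (H P_pred H^T + R)^-1 H) P_pred with P_pred = F P_{k-1} F^T + Q."""
    p_pred = f @ p_prev @ f.T + q
    gain = p_pred @ h.T @ np.linalg.inv(h @ p_pred @ h.T + r)
    p_new = (np.eye(p_prev.shape[0]) - gain @ h) @ p_pred
    return (p_new + p_new.T) / 2.0  # keep exact symmetry against round-off


def lower_bounds(h, steps):
    """P^(l)_k (privileged, observes R) and P'^(l)_k (unprivileged, observes R + S)
    for k = 1..steps, both started from P_0 = 0: equations (5.14) and (5.16)."""
    p_priv = np.zeros_like(F)
    p_unpriv = np.zeros_like(F)
    priv, unpriv = [], []
    for _ in range(steps):
        p_priv = kf_covariance_step(p_priv, F, Q, h, R)
        p_unpriv = kf_covariance_step(p_unpriv, F, Q, h, R + S)
        priv.append(p_priv)
        unpriv.append(p_unpriv)
    return priv, unpriv


def privilege_difference(h, steps):
    """The series D_k = P'^(l)_k - P^(l)_k of (5.17)."""
    priv, unpriv = lower_bounds(h, steps)
    return [pu - pp for pp, pu in zip(priv, unpriv)]


def all_differences_psd(h, steps, tol=1e-6):
    """Semi-definiteness of every D_k, as definition 5.1.4 requires (here D_k >= 0)."""
    return all(float(np.linalg.eigvalsh(d).min()) >= -tol
               for d in privilege_difference(h, steps))


def trace_series(h, steps):
    """(trace P^(l)_k, trace P'^(l)_k, trace D_k) per timestep: the curves of
    figures 5.1 and 5.2 (the traces, not the Monte Carlo MSE)."""
    priv, unpriv = lower_bounds(h, steps)
    return [(float(np.trace(pp)), float(np.trace(pu)), float(np.trace(pu - pp)))
            for pp, pu in zip(priv, unpriv)]


if __name__ == "__main__":
    for name, h in (("position (5.20)", H_POSITION), ("velocity (5.22)", H_VELOCITY)):
        last = trace_series(h, 100)[-1]
        print(f"{name}: k=100 trace priv={last[0]:.3f} unpriv={last[1]:.3f} D={last[2]:.3f}")
```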

5.3. Fusion in Privileged Estimation Environments


Recalling the problem formulation in section 5.1.3, an effective single-sensor privileged
estimation scheme leads to interest in the extension to environments with multiple sen-
sors, where multiple privileges and accesses to measurements are possible, affecting the
estimation performance of present estimators. Here, we aim to present a scheme where
the PLLB and the PGUB, defined in section 5.1.3, can be derived and proved using
the covariance privilege notion from definition 5.1.4. The idea behind the scheme is
to add correlated Gaussian keystreams to the measurements from each sensor. These
noises can be computed and subtracted by estimators holding respective sensor keys,
while their correlation limits the additional information gained from fusing unprivileged
measurements.

5.3.1. Correlated Gaussian Keystreams


Similarly to the multivariate Gaussian keystream in section 5.2.1, pseudorandom samples
can be correlated in this way even when generated using different stream cipher keys.
To parameterise the correlation between noises at each sensor, we introduce a fully
correlated component $V \in \mathbb{R}^{m \times m}$, $V \succ 0$, and an uncorrelated component $W \in \mathbb{R}^{m \times m}$,
$W \succ 0$, and define a noise cross-correlation matrix for $x$ noises as $S^{(x)} \in \mathbb{R}^{xm \times xm}$,

$$S^{(x)} = \begin{bmatrix} V & \cdots & V \\ \vdots & \ddots & \vdots \\ V & \cdots & V \end{bmatrix} + \begin{bmatrix} W & 0 & 0 \\ 0 & \ddots & 0 \\ 0 & 0 & W \end{bmatrix}, \qquad (5.23)$$

and $S^{(1)} = V + W$. Denoting generated multivariate standard Gaussian noise (5.8) and
added Gaussian noise (5.9) for sensor $i$ at timestep $k$ as $\psi_{k,i}$ and $g_{k,i}$, respectively, the
generation of all $n$ multivariate Gaussian noises at timestep $k$, $g_k^{(1:n)}$, can be computed.
This can be done by

$$g_k^{(1:n)} = \begin{bmatrix} g_{k,1} \\ \vdots \\ g_{k,n} \end{bmatrix} = S^{(n)\frac{1}{2}} \cdot \begin{bmatrix} \psi_{k,1} \\ \vdots \\ \psi_{k,n} \end{bmatrix}, \qquad (5.24)$$

where each $\psi_{k,i}$ is computed as $\psi_k$ in (5.8) using uniform samples generated with key $sk_{g,i}$,
and $S^{(n)\frac{1}{2}}$ is a matrix such that $S^{(n)\frac{1}{2}} S^{(n)\frac{1}{2}\top} = S^{(n)}$. Notably, as we consider sequential
access to keys, it is important that the vector of the first $\pi$ noises $g_{k,i}$, $1 \le i \le \pi$, in (5.24),
denoted $g_k^{(1:\pi)}$, can be reproduced by an estimator of privilege $\pi$, holding only the keys
$sk_{g,i}$, $1 \le i \le \pi$. One case where this is possible is when a lower-triangular decomposition,
such as the Cholesky decomposition, is used to compute $S^{(n)\frac{1}{2}}$ from $S^{(n)}$. Then, each
correlated Gaussian sample $g_{k,i}$ is computable from preceding standard samples $\psi_{k,j}$,
$j \le i$ only, and the generalised noise generation equation

$$g_k^{(1:\pi)} = S^{(\pi)\frac{1}{2}} \cdot \begin{bmatrix} \psi_{k,1} \\ \vdots \\ \psi_{k,\pi} \end{bmatrix} \qquad (5.25)$$

generates the same first $\pi$ noises $g_k^{(1:\pi)}$ as would be obtained from (5.24). This is due
to $S^{(\pi)\frac{1}{2}} \in \mathbb{R}^{\pi m \times \pi m}$ equalling the top left block of matrix $S^{(n)\frac{1}{2}}$ when using the
lower-triangular decomposition.
At every timestep $k$, $g_k^{(1:n)}$ can then be generated with (5.25) using all $n$ keys and used
to modify sensor measurements, while the subset $g_k^{(1:\pi)}$ can be generated by estimators
of privilege $\pi$ using only the keys they hold.

5.3.2. Measurement Modification


With a way to generate noises for sensors and estimators, we can introduce the means
of measurement modification and the observable measurement models for different
estimators in the multiple-sensor environment. Measurement modification is performed
by adding noises $g_k^{(1:n)}$ to measurements from each sensor $i$ before making them public,
resulting in modified measurement equations for each sensor,

$$z'_{k,i} = z_{k,i} + g_{k,i} = H_{k,i} x_k + v_{k,i} + g_{k,i}, \qquad (5.26)$$

with measurement noise $v_{k,i} \sim \mathcal{N}(0, R_{k,i})$ and the vector of all added pseudorandom
noises $g_k^{(1:n)} \mathrel{\dot\sim} \mathcal{N}(0, S^{(n)})$. As we assume that sensors are synchronised in $k$, we can
capture the correlation between these modified measurements exactly by considering
the stacked measurement model for any estimator with access to $\tau$ measurements at
timestep $k$, as

$$z_k^{\prime(1:\tau)} = z_k^{(1:\tau)} + g_k^{(1:\tau)} = H_k^{(1:\tau)} x_k + v_k^{(1:\tau)} + g_k^{(1:\tau)}, \qquad (5.27)$$

with $v_k^{(1:\tau)} \sim \mathcal{N}(0, R_k^{(1:\tau)})$ and $g_k^{(1:\tau)} \mathrel{\dot\sim} \mathcal{N}(0, S^{(\tau)})$, where

$$z_k^{\prime(1:\tau)} = \begin{bmatrix} z'_{k,1} \\ \vdots \\ z'_{k,\tau} \end{bmatrix}, \quad z_k^{(1:\tau)} = \begin{bmatrix} z_{k,1} \\ \vdots \\ z_{k,\tau} \end{bmatrix}, \quad H_k^{(1:\tau)} = \begin{bmatrix} H_{k,1} \\ \vdots \\ H_{k,\tau} \end{bmatrix},$$

$$v_k^{(1:\tau)} = \begin{bmatrix} v_{k,1} \\ \vdots \\ v_{k,\tau} \end{bmatrix}, \quad R_k^{(1:\tau)} = \begin{bmatrix} R_{k,1} & 0 & 0 \\ 0 & \ddots & 0 \\ 0 & 0 & R_{k,\tau} \end{bmatrix},$$

and $S^{(\tau)} \in \mathbb{R}^{\tau m \times \tau m}$ defined by (5.23).
Since we are using a cryptographically sound stream cipher to generate the added
Gaussian keystream, the pseudorandom samples are indistinguishable from truly ran-
dom ones to estimators without appropriate keys, which leads us to three observable
measurement models, that is, the models that capture all the information available to
an estimator exactly, for three types of mutually exhaustive estimators. Recalling the
estimator notation introduced in section 5.1.3, we have

Estimators of the form $e^{[0,\tau]}$ Here, no keys are held by an unprivileged estimator with
access to $\tau$ measurements, thus all generated noises $g_k^{(1:\tau)}$ are indistinguishable from
noises from the truly random distribution $\mathcal{N}(0, S^{(\tau)})$. For these estimators, we can
rewrite the measurement equation (5.27) as the observed measurement model

$$z_k^{[0,\tau]} = H_k^{(1:\tau)} x_k + v'_k, \qquad (5.28)$$

with truly Gaussian term $v'_k \sim \mathcal{N}(0, R_k^{(1:\tau)} + S^{(\tau)})$.

Estimators of the form $e^{[\pi,\pi]}$ Estimators with keys for all the sensors to which they have
access can generate all added noises and subtract them from the received measurements.
That is, $g_k^{(1:\pi)}$ can be generated and $z_k^{[\pi,\pi]} = z_k^{\prime(1:\pi)} - g_k^{(1:\pi)}$ computed to
give the observed measurement model equal to receiving unmodified measurements
only,

$$z_k^{[\pi,\pi]} = H_k^{(1:\pi)} x_k + v_k^{(1:\pi)}, \qquad (5.29)$$

where $v_k^{(1:\pi)} \sim \mathcal{N}(0, R_k^{(1:\pi)})$.

Estimators of the form $e^{[\pi,\tau]}$, $\pi < \tau$ Lastly, we want the observed measurement model
when only some accessible measurements can have their noises removed. Here, the
noises from sensors $i > \pi$ which cannot be removed are conditionally dependent
on the known noises $g_k^{(1:\pi)}$. Since we can generate the noises $g_k^{(1:\pi)}$ and know that
$g_k^{(1:\tau)} \mathrel{\dot\sim} \mathcal{N}(0, S^{(\tau)})$, we can write

$$g_k^{(1:\tau)} = \begin{bmatrix} g_k^{(1:\pi)} \\ g_k^{(\pi+1:\tau)} \end{bmatrix} \mathrel{\dot\sim} \mathcal{N}\left( \begin{bmatrix} 0 \\ 0 \end{bmatrix}, \begin{bmatrix} S^{(\pi)} & \bar{V} \\ \bar{V}^\top & S^{(\tau-\pi)} \end{bmatrix} \right), \qquad (5.30)$$

where $\bar{V} \in \mathbb{R}^{\pi m \times (\tau-\pi)m}$ is a block matrix with every block equal to $V$, and compute
the conditional pseudorandom Gaussian distribution

$$g_k^{(\pi+1:\tau)} \mid g_k^{(1:\pi)} \mathrel{\dot\sim} \mathcal{N}\left( \bar{V}^\top S^{(\pi)-1} g_k^{(1:\pi)},\; S^{(\tau-\pi)} - \bar{V}^\top S^{(\pi)-1} \bar{V} \right). \qquad (5.31)$$

Now, subtracting the known noises $g_k^{(1:\pi)}$ and the means of the unknown noises
(5.31) from received measurements,

$$z_k^{[\pi,\tau]} = z_k^{\prime(1:\tau)} - \begin{bmatrix} g_k^{(1:\pi)} \\ \bar{V}^\top S^{(\pi)-1} g_k^{(1:\pi)} \end{bmatrix}, \qquad (5.32)$$

and accounting for unknown pseudorandom noises being indistinguishable from
random, a zero-mean observed measurement model can be written as

$$z_k^{[\pi,\tau]} = H_k^{(1:\tau)} x_k + v'_k \qquad (5.33)$$

where

$$v'_k \sim \mathcal{N}\left( 0, \begin{bmatrix} R_k^{(1:\pi)} & 0 \\ 0 & S^{(\tau-\pi)} - \bar{V}^\top S^{(\pi)-1} \bar{V} + R_k^{(\pi+1:\tau)} \end{bmatrix} \right). \qquad (5.34)$$

Remark. Recalling that we assume estimators access unprivileged measurements sequentially
to simplify notation, (5.30), (5.32) and (5.33) can be generalised when having access
to arbitrary $\tau - \pi$ non-sequential unprivileged measurements $z_{k,i}$, $\pi < i \le \tau$, by
appropriately rearranging the columns of $S^{(\tau-\pi)}$ in (5.30).
From the observed measurement models (5.28), (5.29) and (5.33) we can tell that the
parameters $V$ and $W$ (within matrices $S^{(\tau)}$, $S^{(\pi)}$ and $S^{(\tau-\pi)}$) will control the difference
in estimation performance between the three types of estimators. Computing the two
bounds we wish to cryptographically guarantee, PLLB and PGUB, respectively, and
how $V$ and $W$ affect them, will be more formally explored in sections 5.3.4 and 5.3.5.


5.3.3. Distribution of Noise Terms


While we have described a method for generating noises that modify $n$ measurements
and result in different observed measurement models depending on estimator privilege,
we have not discussed where the noise is generated and how it is distributed to sensors.
To handle the inherent correlation of the noises $g_k^{(1:n)}$, here we briefly consider how they
can be generated either centrally before distribution to sensors or sequentially at the
sensors themselves, given previously generated values.

Central noise generation To compute noises centrally, (5.25) can be computed for all
$n$ noises at a central processor and each noise $g_{k,i}$ sent to the respective sensor $i$
before it modifies its local measurement by (5.26).

Sequential noise generation To compute the same noises sequentially for each timestep
$k$, sensor 1 can generate its noise independently using its current standard Gaussian
sample $\psi_{k,1}$, by $g_{k,1} = S^{(1)\frac{1}{2}} \psi_{k,1}$. Each following sensor $i > 1$ can generate its noise
$g_{k,i}$ given the preceding noises $g_k^{(1:i-1)}$ and following the conditional reasoning in
(5.31), as

$$g_{k,i} = \bar{V}^\top S^{(i-1)-1} g_k^{(1:i-1)} + \left( S^{(1)} - \bar{V}^\top S^{(i-1)-1} \bar{V} \right)^{\frac{1}{2}} \psi_{k,i}. \qquad (5.35)$$

After local noise generation, sensor $i$ sends its and preceding noises, $g_k^{(1:i)}$, to the
next sensor $i+1$. This method has the clear downside of increasing communication
costs with each successive generation but requires no central communicator.

In both cases above, the computation of all noises $g_k^{(1:n)}$ can be performed offline, reducing
the complexity of real-time measurement modification.
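As an added example (not the thesis's code) covering sections 5.3.1 and 5.3.3: central generation (5.24) with a Cholesky square root, the privilege-$\pi$ subset (5.25), the conditional residual covariance of (5.31) and (5.34), and sequential generation (5.35), checked against each other. It assumes numpy is available, constructed $V$ and $W$, and numpy's generator standing in for the per-sensor keystreams $\psi_{k,i}$ of section 5.2.1.

```python
import numpy as np


def correlation_matrix(v, w, count):
    """S^(count) from (5.23): every block equal to V, plus W on the diagonal blocks."""
    return np.kron(np.ones((count, count)), v) + np.kron(np.eye(count), w)


def central_noises(v, w, psi_blocks):
    """(5.24): stack psi_{k,1..n}, multiply by the lower-triangular S^(n)^{1/2}
    (Cholesky factor) and split the result back into per-sensor noises g_{k,1..n}."""
    n, m = len(psi_blocks), v.shape[0]
    low = np.linalg.cholesky(correlation_matrix(v, w, n))
    stacked = low @ np.concatenate(psi_blocks)
    return [stacked[i * m:(i + 1) * m] for i in range(n)]


def privileged_subset(v, w, psi_blocks, pi):
    """(5.25): an estimator holding keys 1..pi rebuilds g^(1:pi) from S^(pi)^{1/2} alone;
    with a lower-triangular root this equals the first pi blocks of central_noises."""
    return central_noises(v, w, psi_blocks[:pi])


def residual_covariance(v, w, pi, tau):
    """Covariance left in the unremovable noises g^(pi+1:tau) after conditioning on
    the known g^(1:pi): S^(tau-pi) - Vbar^T S^(pi)^-1 Vbar, from (5.31) and (5.34)."""
    v_bar = np.kron(np.ones((pi, tau - pi)), v)          # (pi m) x ((tau-pi) m), blocks V
    s_pi_inv = np.linalg.inv(correlation_matrix(v, w, pi))
    return correlation_matrix(v, w, tau - pi) - v_bar.T @ s_pi_inv @ v_bar


def sequential_noises(v, w, psi_blocks):
    """(5.35): sensor 1 draws g_1 = S^(1)^{1/2} psi_1; each sensor i > 1 receives
    g^(1:i-1) and adds its own sample through the conditional distribution (5.31)."""
    noises = []
    for i, psi_i in enumerate(psi_blocks):
        if i == 0:
            noises.append(np.linalg.cholesky(v + w) @ psi_i)
            continue
        v_bar = np.kron(np.ones((i, 1)), v)
        s_prev_inv = np.linalg.inv(correlation_matrix(v, w, i))
        mean = v_bar.T @ s_prev_inv @ np.concatenate(noises)
        cond_cov = residual_covariance(v, w, i, i + 1)
        noises.append(mean + np.linalg.cholesky(cond_cov) @ psi_i)
    return noises


def noises_match(a, b, tol=1e-9):
    """True when two lists of per-sensor noise vectors agree up to round-off."""
    return len(a) == len(b) and all(np.allclose(x, y, atol=tol) for x, y in zip(a, b))


def leak_reduction(v, w, pi, tau):
    """Trace of S^(tau-pi) explained away by knowing g^(1:pi): the benefit a
    privilege-pi estimator gets from correlation when fusing tau - pi unprivileged
    measurements, which V and W control (section 5.3.2)."""
    full = correlation_matrix(v, w, tau - pi)
    return float(np.trace(full) - np.trace(residual_covariance(v, w, pi, tau)))


def example_inputs(n=3, m=2, seed=1):
    """Constructed V, W and n standard-Gaussian blocks psi_{k,i} for one timestep.
    numpy's generator stands in for the per-sensor keystreams (assumption)."""
    v = np.array([[4.0, 1.0], [1.0, 4.0]])
    w = 2.0 * np.eye(m)
    rng = np.random.default_rng(seed)
    return v, w, [rng.standard_normal(m) for _ in range(n)]


if __name__ == "__main__":
    v, w, psi = example_inputs()
    print(noises_match(central_noises(v, w, psi), sequential_noises(v, w, psi)))
    print(leak_reduction(v, w, 1, 2), leak_reduction(v, w, 2, 3))
```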

5.3.4. Security Analysis


The security analysis of the fusion problem aims to give proof sketches of the desired es-
timation performance differences. As in the single-sensor case, we again assume floating-
point numbers to be sufficiently close to real random numbers such that the optimality
of the linear KF in section 2.1.2 holds, and recall that all sensors are synchronised in
timestep k, leading to observed measurement models (5.28), (5.29) and (5.33) being ex-
actly correct. Similarly to the proof sketch in section 5.2.3, these assumptions are used
to produce a series of covariances for optimal estimators before taking their difference
to obtain the semi-definite series corresponding to the PLLB and PGUB. The series
can then be used as the sequence D1 , D2 , . . . in definition 5.1.4 for individual proofs of
appropriate privilege estimation schemes for the two bounds.

Performance Loss Lower Bound


First, we consider the lower bound to the loss in estimation performance an estima-
tor e[0,n] has compared to an estimator e[π,π] when measurements follow the presented

69
5. Provable Estimation Difference

scheme. Since the observed measurement models for these estimators, (5.28) and (5.29),
interpret available measurements as a single stacked measurement, and since we do not
consider estimators that corrupt sensors, we can treat the stacked measurement as com-
ing from a single sensor and use the notion of covariance privilege in definition 5.1.4 to
guarantee the bound. The associated privileged estimation scheme for the PLLB can be
written for each privilege π as

Setup Given the system model (5.3), all measurements models (5.5) (interpretable as a
single stacked measurement model) and a security parameter κ used by all sensors,
generate n stream cipher keys skg,i , 1 ≤ i ≤ n, and let the scheme definition
secret key skg include all n keys. Generate the correlated and uncorrelated noise
components V and W, an initial estimate and error covariance x̂0 and P0 , and
include these in the public parameters pub.

NoisePLLB Given parameters, cipher keys, a timestep $k$ and true sensor measurements $z_k^{(1:n)}$, let $z_k^{\{p\}} = z_k^{(1:\pi)}$ and $z_k^{\{up\}} = z_k^{\prime(1:\pi)}$ from (5.27).

With the above formulation, we can use the KF to compute the optimal estimate error covariances for estimators with access to only measurements $z_k^{\{p\}}$ or $z_k^{\{up\}}$, for all $k$ as in the proof sketch in section 5.2.3. Again, an initial covariance $P_0 = 0$ is used, giving the minimum achievable error covariance for an estimator $e^{[\pi,\pi]}$, with access to measurements identical to $z_k^{[\pi,\pi]}$, as
$$
P_k^{[\pi,\pi]} = \left[ I - \left( F_k P_{k-1}^{[\pi,\pi]} F_k^\top + Q_k \right) H_k^{(1:\pi)\top} \left( H_k^{(1:\pi)} \left( F_k P_{k-1}^{[\pi,\pi]} F_k^\top + Q_k \right) H_k^{(1:\pi)\top} + R_k^{(1:\pi)} \right)^{-1} H_k^{(1:\pi)} \right] \left( F_k P_{k-1}^{[\pi,\pi]} F_k^\top + Q_k \right) \tag{5.36}
$$
and $P_0^{[\pi,\pi]} = 0$. Similarly, the same can be done for an estimator $e^{[0,n]}$, with access to measurements indistinguishable from $z_k^{[0,n]}$, as
$$
P_k^{[0,n]} = \left[ I - \left( F_k P_{k-1}^{[0,n]} F_k^\top + Q_k \right) H_k^{(1:n)\top} \left( H_k^{(1:n)} \left( F_k P_{k-1}^{[0,n]} F_k^\top + Q_k \right) H_k^{(1:n)\top} + R_k^{(1:n)} + S^{(n)} \right)^{-1} H_k^{(1:n)} \right] \left( F_k P_{k-1}^{[0,n]} F_k^\top + Q_k \right), \tag{5.37}
$$
and $P_0^{[0,n]} = 0$. The bounds (5.36) and (5.37) are constructed such that at every timestep $k$,
$$
P_k^{[\pi,\pi]} \preceq \mathrm{Cov}\left[ \mathcal{A}\left( k, M_S, M_M, z_1^{[\pi,\pi]}, \ldots, z_k^{[\pi,\pi]} \right) - x_k \right] \tag{5.38}
$$
and
$$
P_k^{[0,n]} \preceq \mathrm{Cov}\left[ \mathcal{A}\left( k, M_S, M_M, z_1^{[0,n]}, \ldots, z_k^{[0,n]} \right) - x_k \right] \tag{5.39}
$$
hold for any PPT estimator $\mathcal{A}$. As before, taking the difference
$$
D_{\mathrm{PLLB},k} = P_k^{[0,n]} - P_k^{[\pi,\pi]} \tag{5.40}
$$

produces a series where for any PPT estimator e[0,n] , an equivalent PPT estimator e[π,π] ,
lower bounded in error by (5.36), can always be created such that the difference between
their error covariances at timestep k is at least DPLLB,k . The existence of an estimator
violating the notion implies the existence of a linear estimator with error covariance lower
than the KF, proving the bound by contrapositive. We therefore conclude that the Setup
and NoisePLLB algorithms above meet {DPLLB,1 , DPLLB,2 , . . . }-Covariance Privilege for
System Model 5.3 and Stacked Measurement Models 5.5.
In the above, we lower bound the estimation performance loss an estimator e[0,n] has
on estimators e[π,π] . In the cases where the unprivileged estimator has access to fewer
measurements, e[0,τ ] , τ < n, or the privileged one to more, e[π,τ ] , τ > π, the achievable
difference can only increase (fewer measurements increase optimal error covariance while
more decrease it). This ensures the computed bound remains a lower bound between
any unprivileged and privilege-π estimators.

Performance Gain Upper Bound


Similar to the lower bound, we can use the same properties of the KF to give an upper
bound to the gain in estimation performance an estimator e[π,n] has compared to an
estimator e[π,π] when measurements follow the presented scheme. The associated privi-
leged estimation scheme for the PGUB for each privilege π is given by the same Setup
algorithm as in the PLLB case above and
NoisePGUB Given parameters, cipher keys, a timestep $k$ and true sensor measurements $z_k^{(1:n)}$, let $z_k^{\{p\}} = z_k^{(1:\pi)}$ and $z_k^{\{up\}} = z_k^{\prime(1:n)}$ from (5.27).
The minimum error covariance achievable by an estimator $e^{[\pi,\pi]}$ is again given by (5.36) and $P_0^{[\pi,\pi]} = 0$. For an estimator $e^{[\pi,n]}$ with access to measurements indistinguishable from $z_k^{[\pi,n]}$ it is given by
$$
P_k^{[\pi,n]} = \left[ I - \left( F_k P_{k-1}^{[\pi,n]} F_k^\top + Q_k \right) H_k^{(1:n)\top} \left( H_k^{(1:n)} \left( F_k P_{k-1}^{[\pi,n]} F_k^\top + Q_k \right) H_k^{(1:n)\top} + X \right)^{-1} H_k^{(1:n)} \right] \left( F_k P_{k-1}^{[\pi,n]} F_k^\top + Q_k \right), \tag{5.41}
$$
where
$$
X = \begin{bmatrix} R_k^{(1:\pi)} & 0 \\ 0 & S^{(n-\pi)} - \bar{V}^\top S^{(\pi)-1} \bar{V} + R_k^{(\pi+1:n)} \end{bmatrix} \tag{5.42}
$$
and $P_0^{[\pi,n]} = 0$. Again, the bounding series are such that (5.38) and
$$
P_k^{[\pi,n]} \preceq \mathrm{Cov}\left[ \mathcal{A}\left( k, M_S, M_M, z_1^{[\pi,n]}, \ldots, z_k^{[\pi,n]} \right) - x_k \right] \tag{5.43}
$$
hold for any PPT estimator $\mathcal{A}$. Now, the difference
$$
D_{\mathrm{PGUB},k} = P_k^{[\pi,n]} - P_k^{[\pi,\pi]} \tag{5.44}
$$

produces a series where for any PPT estimator e[π,n] , an equivalent PPT estimator e[π,π] ,
lower bounded in error by (5.36), can always be created such that the difference between
their error covariances at timestep k is at least DPGUB,k . With the same reasoning
as for the lower bound, we conclude that the Setup and NoisePGUB algorithms above
meet {DPGUB,1 , DPGUB,2 , . . . }-Covariance Privilege for System Model 5.3 and Stacked
Measurement Models 5.5.
In (5.44), DPGUB,k ⪯ 0 for all k > 0 and lower bounds the (negative) loss in perfor-
mance an estimator e[π,n] has on estimators e[π,π] . We refer to the bound as an upper
bound as its negation −DPGUB,k , k > 0, upper bounds the estimation performance gain
achievable by e[π,n] on the estimators e[π,π] , as desired in the multiple sensor problem
from section 5.1.3. In the case where fewer unprivileged measurements are accessible,
e[π,τ ] , τ < n, this gain decreases, keeping the upper bound valid for any estimators e[π,τ ] ,
τ > π.

Non-Linear Systems
Again, we are left with the question of what can be said about the above covariance
privilege proof sketches when models are arbitrary non-linear functions. Using the same
reasoning for the usefulness of the notion in the presence of a single sensor and with non-
linear models, discussed in section 5.2.3, we argue that applying the above methodology
to non-linear methods, and therefore non-optimal estimators, remains useful as well.
That is, although the differences are no longer cryptographically guaranteed, since better estimators may exist, the bounds PLLB and PGUB that can be derived when some arbitrary well-performing estimators are known still provide meaningful security information in a multiple sensor privileged estimation environment.

5.3.5. Simulation
Lastly, a simulation for the multiple sensor scheme is presented to demonstrate the effects
of the correlated and uncorrelated components V and W, respectively, on the bounds
PLLB and PGUB. We simulated the same time-invariant constant velocity system model
$$
x_k = \begin{bmatrix} 1 & 0 & 0.5 & 0 \\ 0 & 1 & 0 & 0.5 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix} x_{k-1} + w_k , \tag{5.45}
$$
with
$$
w_k \sim \mathcal{N}\left( 0, \frac{1}{10^3} \cdot \begin{bmatrix} 0.42 & 0 & 1.25 & 0 \\ 0 & 0.42 & 0 & 1.25 \\ 1.25 & 0 & 5.0 & 0 \\ 0 & 1.25 & 0 & 5 \end{bmatrix} \right) \tag{5.46}
$$
which was measured independently by location sensors $i$, $1 \le i \le n = 4$, with measurement models
$$
z_{k,i} = \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \end{bmatrix} x_k + v_{k,i} \tag{5.47}
$$
and
$$
v_{k,i} \sim \mathcal{N}\left( 0, \begin{bmatrix} 5 & 2 \\ 2 & 5 \end{bmatrix} \right) . \tag{5.48}
$$
Simulations were implemented in the Python programming language and the AES-CTR
cipher was used for the required stream ciphers. The correlated and uncorrelated pa-
rameters were restricted to the forms V = V · I and W = W · I for simplicity. All
estimators implemented the linear KF with the model parameters above and initialised
with a known initial state (P0 = 0).
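As an added example (not the dissertation's own code), the following plain-Python script evaluates the bound recursions (5.36), (5.37) and (5.41)/(5.42) on the model above and returns the steady-state traces of the PLLB (5.40) and PGUB (5.44) series for a chosen privilege. It assumes the stacked added-noise covariance S^(m) carries the shared block V on every entry and W added on the diagonal (V = V·I, W = W·I), the structure behind the conditional forms in (5.35) and (5.42); the helper names are this example's own.

```python
"""Steady-state privilege bounds for the simulated model (5.45)-(5.48).
Added example, not the dissertation's code. Assumes the stacked added-noise
covariance S^(m) has the shared block V on every entry and W added on the
diagonal (V = V*I, W = W*I), the structure behind (5.35) and (5.42)."""

def mat_T(a):
    return [list(r) for r in zip(*a)]

def mat_mul(a, b):
    bt = mat_T(b)
    return [[sum(x * y for x, y in zip(r, c)) for c in bt] for r in a]

def mat_add(a, b, sign=1.0):
    """Elementwise a + sign*b (sign=-1.0 subtracts)."""
    return [[x + sign * y for x, y in zip(r, s)] for r, s in zip(a, b)]

def eye(n, scale=1.0):
    return [[scale if i == j else 0.0 for j in range(n)] for i in range(n)]

def trace(a):
    return sum(a[i][i] for i in range(len(a)))

def mat_inv(a):
    """Gauss-Jordan inverse with partial pivoting (all matrices here are small SPD)."""
    n = len(a)
    m = [list(map(float, row)) + eye(n)[i] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        m[c] = [x / m[c][c] for x in m[c]]
        for r in range(n):
            if r != c and m[r][c] != 0.0:
                f = m[r][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [row[n:] for row in m]

def block(grid):
    """Assemble a matrix from a 2-D grid of equally sized square blocks."""
    d = len(grid[0][0])
    return [sum((b[i] for b in brow), []) for brow in grid for i in range(d)]

def block_diag(a, b):
    return [r + [0.0] * len(b) for r in a] + [[0.0] * len(a) + r for r in b]

# Model (5.45)-(5.48): planar constant velocity, sampling period 0.5, n = 4 sensors.
F = [[1, 0, 0.5, 0], [0, 1, 0, 0.5], [0, 0, 1, 0], [0, 0, 0, 1]]
Q = [[x / 1e3 for x in r] for r in
     [[0.42, 0, 1.25, 0], [0, 0.42, 0, 1.25], [1.25, 0, 5.0, 0], [0, 1.25, 0, 5.0]]]
H1 = [[1, 0, 0, 0], [0, 1, 0, 0]]
R1 = [[5, 2], [2, 5]]

def H_stack(m):
    """Stacked measurement matrix H^(1:m) of m identical location sensors."""
    return [row[:] for _ in range(m) for row in H1]

def R_stack(m):
    """Block-diagonal R^(1:m): the sensors' own noises are independent."""
    R = R1
    for _ in range(m - 1):
        R = block_diag(R, R1)
    return R

def S_matrix(m, V, W):
    """Assumed covariance of the stacked added noise g^(1:m): V on every block, W on the diagonal."""
    return block([[eye(2, V + (W if i == j else 0.0)) for j in range(m)] for i in range(m)])

def kf_cov_step(P, H, R):
    """One covariance step of (5.36)-(5.41): P_k = [I - Pb H^T (H Pb H^T + R)^-1 H] Pb."""
    Pb = mat_add(mat_mul(mat_mul(F, P), mat_T(F)), Q)
    Ht = mat_T(H)
    K = mat_mul(mat_mul(Pb, Ht), mat_inv(mat_add(mat_mul(mat_mul(H, Pb), Ht), R)))
    return mat_add(Pb, mat_mul(K, mat_mul(H, Pb)), -1.0)

def X_matrix(n, pi, V, W):
    """Residual noise (5.42) seen by e^[pi,n]: the pi privileged measurements are clean,
    the other n-pi keep their noise conditioned on the pi noises the keys reveal."""
    if pi == n:
        return R_stack(n)
    Vbar = block([[eye(2, V)] * (n - pi) for _ in range(pi)])  # cross-covariance, 2pi x 2(n-pi)
    cond = mat_add(S_matrix(n - pi, V, W),
                   mat_mul(mat_mul(mat_T(Vbar), mat_inv(S_matrix(pi, V, W))), Vbar), -1.0)
    return block_diag(R_stack(pi), mat_add(cond, R_stack(n - pi)))

def steady_state_traces(n, pi, V, W, steps=300):
    """Return (tr D_PLLB, tr D_PGUB) of (5.40) and (5.44) after `steps` timesteps, P0 = 0."""
    P_pp = P_0n = P_pn = [[0.0] * 4 for _ in range(4)]
    Hn, Hp, Rp = H_stack(n), H_stack(pi), R_stack(pi)
    R_0n = mat_add(R_stack(n), S_matrix(n, V, W))  # (5.37): every measurement carries its noise
    X = X_matrix(n, pi, V, W)
    for _ in range(steps):
        P_pp = kf_cov_step(P_pp, Hp, Rp)    # (5.36)
        P_0n = kf_cov_step(P_0n, Hn, R_0n)  # (5.37)
        P_pn = kf_cov_step(P_pn, Hn, X)     # (5.41)
    return trace(mat_add(P_0n, P_pp, -1.0)), trace(mat_add(P_pn, P_pp, -1.0))

if __name__ == "__main__":
    for pi in (1, 2, 3, 4):
        print(f"pi={pi}", steady_state_traces(4, pi, V=2, W=10))
```

Sweeping V and W in `steady_state_traces` reproduces the qualitative behaviour described for figure 5.5: tr(D_PGUB) is never positive, vanishes for π = n, and tr(D_PLLB) grows with V and turns negative for π = 1 when V is small.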
Figure 5.3 shows the errors of different privileged estimators with access to varying
sensor measurements when added noise parameters V and W are held constant. As
expected, the error decreases when more keys are available, while a further decrease is
achieved as more additional unprivileged measurements are fused. Here, the differences
in MSE between e[0,4] and e[π,π] (shaded orange region), and between e[π,π] and e[π,4]
(shaded purple region), are bounded on average by the trace of the PLLB series (5.40)
and PGUB series (5.44), respectively, when V = 2 and W = 10.
To demonstrate the effect of the scalar parameters V and W (and therefore of the noise components V and W), figure 5.4 shows their effect on the MSE given fixed estimators. It can be seen that V has
a more prominent effect on the PLLB while W has it on the PGUB. However, it can
also be observed that both parameters affect both bounds to some degree, revealing
some limitations when specific bounds are desired using the proposed scheme. Figure
5.5 further captures this relation between the bounds and the parameters V and W . As
the simulated system is asymptotically stable, steady-state error covariances are reached
as k → ∞, and therefore DPLLB,k and DPGUB,k stabilise as well. From the figure, we
can see that increasing the fully correlated noise parameter V cannot greatly reduce
the PGUB (i.e., bring tr(DPGUB,k ) closer to 0), likely due to the accurate estimation
of this component by privileged estimators and the remaining uncorrelated component
staying unchanged. Simultaneously, however, the fully correlated component can greatly
increase the PLLB (i.e., take tr(DPLLB,k ) further from 0) as it increases the redundancy
of fusing only unprivileged measurements. The effects of increasing W are less one-
sided. The PGUB is reduced due to sufficient uncorrelated noise making the fusion
of unprivileged measurements hold little information even when some keys are known,
but the PLLB is increased, as uncorrelated noise still affects estimators fusing only
unprivileged measurements, albeit less drastically.
Figure 5.5 also shows how the bounds are affected by the privilege π they are computed for. Predictably, higher privilege results in fewer additional unprivileged measurements to fuse, lowering the PGUB but also producing better estimates for the privileged estimator, increasing the PLLB. We can also see that when the fully correlated noise term V is small and privilege is low (π = 1), unprivileged estimators with access to all measurements can perform better than privileged ones accessing only privileged measurements (resulting in a negative tr(DPLLB,k)).

Figure 5.3.: Average MSE of different estimators for 1000 simulation runs when V = 2 and W = 10. [Plot omitted: four panels π = 1, π = 2, π = 3 and π = 4; x-axis Simulation Timestep (0 to 100); y-axis Mean Square Error (MSE), 0.0 to 2.0; curves e[π,4], e[π,π] and e[0,4]; shaded regions mark the error differences bounded by tr(DPLLB) and by tr(DPGUB).]

Figure 5.4.: Average MSE of unprivileged and privilege-2 estimators for 1000 simulation runs when varying V and W. [Plot omitted: four panels V = 2, W = 2; V = 10, W = 2; V = 2, W = 10 and V = 10, W = 10; x-axis Simulation Timestep (0 to 100); y-axis Mean Square Error (MSE), 0 to 4; curves e[2,4], e[2,2] and e[0,4]; shaded regions mark the error differences bounded by tr(DPLLB) and by tr(DPGUB).]

Figure 5.5.: Steady-state traces of the PLLB and PGUB for privileges π = 1 and π = 2 when V and W are varied. [Plot omitted: four panels, π = 1, V = 5 and π = 2, V = 5 with W on the x-axis (0 to 10), and π = 1, W = 5 and π = 2, W = 5 with V on the x-axis (0 to 10); y-axis Steady-State Trace tr(lim_{k→∞} D_k), about −1 to 2; curves PLLB and PGUB with a reference line at 0.]

5.4. Conclusions on Provable Estimation Difference


Tackling this problem, we have presented the idea of privileged estimation and given a
formal cryptographic definition of covariance privilege that can be used to derive and
prove an estimation performance difference between estimators with different properties.
With a single sensor, one free parameter allowed the magnitude of this difference to be
controlled by the scheme designer. The extension to an environment with multiple sen-
sors and multiple privileges was also considered, and two important privilege-dependent
estimation performance differences were derived for which the same notion could also
be used. Here, two free parameters loosely controlled the magnitudes of the differences


but their complex relationship showed that more care needs to be taken when choosing
them than in the single-sensor case. Both cases were analysed cryptographically and
simulated to evaluate performance.
Future work on provable estimation difference includes hardware implementations to
demonstrate real-time capability, finding independent free parameters in the multiple-
sensor case and exploring methods for decentralised correlated noise generation with
fewer communication costs.

6. Conclusion
With the considered problems described and solutions presented, we can conclude this
thesis with a brief discussion of the contributions to security-aware distributed estimation
and future directions of the field. Chapters 3 and 4 aimed to present general solutions
to common estimation problems while taking into consideration the confidentiality of
transmitted data. Difficulties achieving this were first made apparent in chapter 3,
where fusion was computed using PHE by either leaking fusion weights or by requiring
extra computation upon decryption, noting that when no leakage was present estimates
could not be prioritised as may sometimes be beneficial. Similarly, solutions presented
in chapter 4 tackled a specific non-linear problem rather than estimation with arbitrary
non-linear measurements due to the requirement of a fixed communication protocol when
proving cryptographic guarantees in a distributed environment. The provided extension
of the solution to any models that can be written in the required protocol gave a more
general solution, albeit not arbitrary. Although with limitations, it is clear that the
novel solutions provide methods for data-confidential distributed estimation where pre-
vious general solutions did not exist. Chapter 5 tackled a different problem, defining
a general cryptographic notion for the difference between estimators that differ in the
measurements they observe while taking into account the computational capabilities of
attackers. As well as the presented new schemes that can use the notion to prove es-
timation differences, the generality of the definition allows its application to existing
schemes where optimal or near-optimal estimators are known, creating formal security
guarantees where none previously existed. Following the methodology of splitting problems into estimation and cryptographic components solved separately, all three
chapters present successful results, aiming to form a basis for future work, with the hope
of even more general security-aware solutions. As hardware advancements are made and
up-and-coming cryptographic solutions such as FHE are further developed, we look for-
ward to interesting developments in the field that may build upon the methods presented
here.

A. Linear-Combination Aggregator Obliviousness
The following game between attacker and challenger defines the security notion of LCAO.

Setup The challenger chooses security parameter $\kappa$, runs the Setup($\kappa$) algorithm and gives $pub$, $l$ and $pk_a$ to the attacker.

Queries The attacker can now perform encryptions or submit queries that are answered by the challenger. The types of actions are:
1. Encryption: The attacker chooses a value $x$ and computes an encryption of $x$ under the aggregator's public key $pk_a$, obtaining $E_{pk_a}(x)$.
2. Weight Queries: The attacker chooses an instance $t$ and receives the weights for that instance encrypted with the aggregator's public key, $E_{pk_a}(\theta_j^{(t)})$, $1 \le j \le l$.
3. Combine Queries: The attacker chooses a tuple $(i, t, a_{i,1}^{(t)}, \ldots, a_{i,l}^{(t)})$ such that for any two chosen query tuples $(i, t, a_{i,1}^{(t)}, \ldots, a_{i,l}^{(t)})$ and $(i', t', a_{i',1}^{\prime(t')}, \ldots, a_{i',l}^{\prime(t')})$, the following condition holds:
$$
i = i' \wedge t = t' \implies a_{i,j}^{(t)} = a_{i',j}^{\prime(t')}, \quad 1 \le j \le l .
$$
The attacker is then given back the encryption of the linear combination $E_{pk_a, sk_{a,i}}\left( \sum_{j=1}^{l} a_{i,j}^{(t)} \theta_j^{(t)} \right)$ encrypted under both the aggregator public key $pk_a$ and the secret key $sk_{a,i}$.
4. Compromise queries: The attacker chooses $i$ and receives the secret key $sk_{a,i}$. The aggregator's secret key may also be compromised (when choosing $i = 0$).

Challenge Next, the attacker chooses an instance $t^*$, and a subset of users $S \subseteq U$ where $U$ is the complete set of users for which no combine queries, for the instance $t^*$, and no compromise queries, are made for the duration of the game. The attacker then chooses two series of tuples
$$
\left\langle \left( i, t^*, a_{i,1}^{(t^*)(0)}, \ldots, a_{i,l}^{(t^*)(0)} \right) \right\rangle_{i \in S}
$$
and
$$
\left\langle \left( i, t^*, a_{i,1}^{(t^*)(1)}, \ldots, a_{i,l}^{(t^*)(1)} \right) \right\rangle_{i \in S} ,
$$
and gives them to the challenger. In the case that $0 \in S$ (i.e., the aggregator is compromised) and $S = U$, it is additionally required that
$$
\sum_{i \in S} \sum_{j=1}^{l} a_{i,j}^{(t^*)(0)} \theta_j^{(t^*)} = \sum_{i \in S} \sum_{j=1}^{l} a_{i,j}^{(t^*)(1)} \theta_j^{(t^*)} ,
$$
for weights $\theta_j^{(t^*)}$, $1 \le j \le l$, returned by a Weight Query with chosen instance $t^*$. The challenger then chooses a random bit $\beta \in \{1, 0\}$ and returns encryptions
$$
\left\langle E_{pk_a, sk_{a,i}}\left( \sum_{j=1}^{l} a_{i,j}^{(t^*)(\beta)} \theta_j^{(t^*)} \right) \right\rangle_{i \in S} .
$$

More Queries The attacker can now perform more encryptions and submit queries, so long as the queries do not break the requirements in the Challenge stage. That is, $S \subseteq U$.

Guess At the end, the attacker outputs a bit $\beta'$ and wins the game if and only if $\beta' = \beta$. The advantage of an attacker $\mathcal{A}$ is defined as
$$
\mathrm{Adv}_{\mathrm{LCAO}}(\mathcal{A}) := P[\beta' = \beta] - \frac{1}{2} .
$$

Definition A.0.1. An encryption scheme meets LCAO security if no PPT adversary, with respect to the security parameter $\kappa$, has more than a negligible advantage in winning the above security game. That is, for all adversaries $\mathcal{A}$, there exists a negligible function $\eta$, such that
$$
\mathrm{Adv}_{\mathrm{LCAO}}(\mathcal{A}) \le \eta(\kappa) ,
$$
with probabilities taken over randomness introduced by $\mathcal{A}$, and in Setup, Enc and CombEnc.

B. Cryptographic Proof for Meeting the LCAO Notion
The scheme in section 4.2 will be shown to meet LCAO by contrapositive. We show that for any adversary $\mathcal{A}$ playing against a challenger using the scheme, we can always create an adversary $\mathcal{A}'$ playing against a challenger $\mathcal{C}$ using the Joye-Libert scheme, such that
$$
\mathrm{Adv}_{\mathrm{LCAO}}(\mathcal{A}) > \eta_1(\kappa) \implies \mathrm{Adv}_{\mathrm{AO}}(\mathcal{A}') > \eta_2(\kappa) ,
$$
for any negligible functions $\eta_1$, $\eta_2$ and security parameter $\kappa$. That is, if we assume our scheme does not meet LCAO, then the Joye-Libert scheme in section 2.2.3 does not meet AO (which is not the case, [66]).

Proof. Consider adversary $\mathcal{A}$ playing the LCAO game. The following is a construction of an adversary $\mathcal{A}'$ playing the AO game [31] against a challenger $\mathcal{C}$ using the Joye-Libert aggregation scheme.
Setup When receiving $N$ and $H$ as public parameters from $\mathcal{C}$, choose an $l > 1$ and give public parameter $H$, number of weights $l$, and $pk_a = N$ to $\mathcal{A}$.

Queries Handle queries from $\mathcal{A}$:

Weight Query When $\mathcal{A}$ submits a weight query $t$, choose weights $\theta_j^{(t)}$, $1 \le j \le l$, and random values $\rho_j \in \mathbb{Z}_N$, $1 \le j \le l$, and return encryptions
$$
(N + 1)^{\theta_j^{(t)}} \rho_j^N \pmod{N^2}, \quad 1 \le j \le l ,
$$
to $\mathcal{A}$.
Combine Query When $\mathcal{A}$ submits a combine query $(i, t, a_{i,1}^{(t)}, \ldots, a_{i,l}^{(t)})$, choose the weights $\theta_j^{(t)}$, $1 \le j \le l$, if not already chosen for the instance $t$, and make an AO encryption query $(i, t, \sum_{j=1}^{l} a_{i,j}^{(t)} \theta_j^{(t)})$ to $\mathcal{C}$. The received response will be of the form $(N + 1)^{\sum_{j=1}^{l} a_{i,j}^{(t)} \theta_j^{(t)}} H(t)^{sk_{a,i}}$; multiply it by $\tilde{\rho}^N$ for a random $\tilde{\rho} \in \mathbb{Z}_N$ and return
$$
(N + 1)^{\sum_{j=1}^{l} a_{i,j}^{(t)} \theta_j^{(t)}} \tilde{\rho}^N H(t)^{sk_{a,i}} \pmod{N^2}
$$
to $\mathcal{A}$.
Compromise Query When $\mathcal{A}$ submits compromise query $i$, make the same compromise query $i$ to $\mathcal{C}$, and return the received secret key $sk_{a,i}$ to $\mathcal{A}$.


Challenge When $\mathcal{A}$ submits challenge series
$$
\left\langle \left( i, t^*, a_{i,1}^{(t^*)(0)}, \ldots, a_{i,l}^{(t^*)(0)} \right) \right\rangle_{i \in S}
$$
and
$$
\left\langle \left( i, t^*, a_{i,1}^{(t^*)(1)}, \ldots, a_{i,l}^{(t^*)(1)} \right) \right\rangle_{i \in S} ,
$$
choose weights $\theta_j^{(t^*)}$, $1 \le j \le l$, for instance $t^*$ and submit AO challenge series
$$
\left\langle \left( i, t^*, \sum_{j=1}^{l} a_{i,j}^{(t^*)(0)} \theta_j^{(t^*)} \right) \right\rangle_{i \in S}
$$
and
$$
\left\langle \left( i, t^*, \sum_{j=1}^{l} a_{i,j}^{(t^*)(1)} \theta_j^{(t^*)} \right) \right\rangle_{i \in S} ,
$$
to $\mathcal{C}$. The received response will be of the form
$$
\left\langle (N + 1)^{\sum_{j=1}^{l} a_{i,j}^{(t^*)(\beta)} \theta_j^{(t^*)}} H(t^*)^{sk_{a,i}} \right\rangle_{i \in U} ,
$$
for an unknown $\beta \in \{0, 1\}$. Multiply series elements by $\tilde{\rho}_i^N$, $1 \le i \le n$, for randomly chosen $\tilde{\rho}_i \in \mathbb{Z}_N$ and return
$$
\left\langle (N + 1)^{\sum_{j=1}^{l} a_{i,j}^{(t^*)(\beta)} \theta_j^{(t^*)}} \tilde{\rho}_i^N H(t^*)^{sk_{a,i}} \right\rangle_{i \in U}
$$
to $\mathcal{A}$.

Guess When $\mathcal{A}$ makes guess $\beta'$, make the same guess $\beta'$ to $\mathcal{C}$.

In the above construction, $\mathcal{C}$ follows the Joye-Libert scheme exactly, and to $\mathcal{A}$, $\mathcal{A}'$ follows our presented scheme exactly. Since $\mathcal{A}'$ runs in time polynomial in the security parameter when $\mathcal{A}$ does, and no adversary with non-negligible advantage against $\mathcal{C}$ exists, we conclude that no adversary $\mathcal{A}$ with non-negligible advantage exists. That is, there exists a negligible function $\eta$, such that
$$
\mathrm{Adv}_{\mathrm{LCAO}}(\mathcal{A}) \le \eta(\kappa)
$$
for security parameter $\kappa$. Lastly, the function $H$ used by our scheme is treated as a random oracle in the Joye-Libert AO proof; our scheme is therefore likewise proven secure in the random oracle model.
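To make the ciphertext forms used in the proof concrete, here is an added toy example (not the dissertation's code). It builds a user's combine response in two ways, homomorphically from the Paillier-style encrypted weights (an assumption about how the real scheme forms it) and as A′ does by re-randomising a Joye-Libert response with ρ̃^N, then checks that an aggregator holding sk_{a,0} and the factorisation of N decrypts both to the same linear combination and that both carry an N-th-residue randomness term. SHA-256 as H, the tiny primes and all helper names are this example's own assumptions.

```python
"""Toy instance of the ciphertext forms used in the proof above. Added example,
not the dissertation's code: SHA-256 stands in for the random oracle H, the
primes are tiny, and the real combine response is assumed to be formed
homomorphically from the encrypted weights."""
import hashlib
import math
import random

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def rand_unit(rng, N):
    """Random rho in Z_N coprime to N, so that rho^N lies in Z*_{N^2}."""
    while True:
        rho = rng.randrange(2, N)
        if math.gcd(rho, N) == 1:
            return rho

def keygen(n_users, seed=1):
    """Aggregator key (N, lambda) and user keys sk_1..sk_n with sk_0 = -sum(sk_i), as in Joye-Libert."""
    rng = random.Random(seed)
    p, q = next_prime(100_000), next_prime(200_000)  # constructed, far too small for real use
    N, lam = p * q, (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    assert math.gcd(N, lam) == 1
    sks = [rng.randrange(1, N * N) for _ in range(n_users)]
    return N, lam, -sum(sks), sks

def H_oracle(N, t):
    """Random-oracle stand-in H(t) in Z*_{N^2} (assumed hash choice)."""
    h = int.from_bytes(hashlib.sha256(str(t).encode()).digest(), "big") % (N * N)
    while math.gcd(h, N) != 1:
        h += 1
    return h

def enc_weight(N, theta, rng):
    """Weight Query response: (N+1)^theta rho^N mod N^2."""
    N2 = N * N
    return pow(N + 1, theta, N2) * pow(rand_unit(rng, N), N, N2) % N2

def combine_real(N, t, sk_i, enc_thetas, a):
    """User i's combine response built homomorphically from the encrypted weights:
    prod_j Enc(theta_j)^{a_j} = (N+1)^{sum a_j theta_j} (prod_j rho_j^{a_j})^N, times H(t)^{sk_i}."""
    N2 = N * N
    c = 1
    for e, a_j in zip(enc_thetas, a):
        c = c * pow(e, a_j, N2) % N2
    return c * pow(H_oracle(N, t), sk_i, N2) % N2

def combine_simulated(N, t, sk_i, thetas, a, rng):
    """A' path: the Joye-Libert response (N+1)^{sum a_j theta_j} H(t)^{sk_i} obtained from C,
    re-randomised by rho~^N so that it has the same form as combine_real's output."""
    N2 = N * N
    m = sum(a_j * th for a_j, th in zip(a, thetas))
    jl = pow(N + 1, m, N2) * pow(H_oracle(N, t), sk_i, N2) % N2
    return jl * pow(rand_unit(rng, N), N, N2) % N2

def randomness_is_nth_residue(N, lam, t, sk_i, c, m):
    """Strip (N+1)^m H(t)^{sk_i} from c; the remainder is some rho^N iff lambda annihilates it."""
    N2 = N * N
    r = c * pow(N + 1, -m, N2) * pow(H_oracle(N, t), -sk_i, N2) % N2
    return pow(r, lam, N2) == 1

def aggregate(N, lam, sk0, t, cts):
    """Aggregator holding sk_0 and lambda: cancel the H(t) factors with sk_0, kill the rho^N
    factors with lambda, then read m off (N+1)^{lambda m} = 1 + lambda m N (mod N^2)."""
    N2 = N * N
    v = pow(H_oracle(N, t), sk0, N2)  # sk_0 < 0: Python computes the modular inverse power
    for c in cts:
        v = v * c % N2
    u = pow(v, lam, N2)
    return (u - 1) // N * pow(lam, -1, N) % N

def demo():
    """Constructed run: 3 users, l = 3 weights, one instance t. Returns the two aggregates,
    whether every ciphertext's randomness term is an N-th residue, and the same check with a wrong m."""
    rng = random.Random(7)
    N, lam, sk0, sks = keygen(3)
    thetas, t = [7, 11, 13], 5
    a = [[1, 2, 3], [4, 5, 6], [7, 8, 9]]
    m = [sum(a_j * th for a_j, th in zip(row, thetas)) for row in a]  # [68, 161, 254]
    enc = [enc_weight(N, th, rng) for th in thetas]
    real = [combine_real(N, t, sks[i], enc, a[i]) for i in range(3)]
    sim = [combine_simulated(N, t, sks[i], thetas, a[i], rng) for i in range(3)]
    same_form = all(randomness_is_nth_residue(N, lam, t, sks[i], c, m[i])
                    for i in range(3) for c in (real[i], sim[i]))
    wrong_m = randomness_is_nth_residue(N, lam, t, sks[0], real[0], m[0] + 1)
    return aggregate(N, lam, sk0, t, real), aggregate(N, lam, sk0, t, sim), same_form, wrong_m

if __name__ == "__main__":
    print(demo())  # (483, 483, True, False)
```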

List of Figures
3.1. Trusted (green) and untrusted (red) participants, and the communications between them in the cloud fusion problem. . . . 19
3.2. Approximation of ω1 with stepsize g = 0.1. Comparisons are only possible when ω1 is a multiple of g (points on the graphs). . . . 22
3.3. Solving fusion weights ω as the intersect of partial solutions (3.17). . . . 24
3.4. Average MSE with varying stepsize g over 1000 simulation runs. . . . 27
3.5. Steady-state MSE of estimated weights ω̂ with varying stepsize g. . . . 28
3.6. Average MSE of presented fusion methods over 1000 simulations. . . . 32
4.1. Required linear combination aggregation steps at instance t. . . . 35
4.2. Procedure at timestep k for the proposed confidential range-only measurement EIF. . . . 46
4.3. Considered simulation layouts with varying distances between a sample navigator track and sensors. . . . 51
4.4. Average MSE of the presented confidential filter for the different layouts over 1000 simulation runs. . . . 52
4.5. Average simulation runtimes with varying key sizes and numbers of sensors. . . . 53
5.1. Error covariance trace and average MSE from 1000 simulation runs with measurement model (5.20) . . . 64
5.2. Error covariance trace and average MSE from 1000 simulation runs with measurement model (5.22) . . . 65
5.3. Average MSE of different estimators for 1000 simulation runs when V = 2 and W = 10. . . . 74
5.4. Average MSE of unprivileged and privilege-2 estimators for 1000 simulation runs when varying V and W. . . . 75
5.5. Steady-state traces of the PLLB and PGUB for privileges π = 1 and π = 2 when V and W are varied. . . . 76
List of Tables
3.1. Computation complexity of involved encryption operations. . . . . . . . . 25
3.2. Computation complexity for each party. . . . . . . . . . . . . . . . . . . . 25
3.3. Computation complexity of Paillier encryption operations. . . . . . . . . . 31
3.4. Computation complexity for each party. . . . . . . . . . . . . . . . . . . . 31

List of Algorithms
1. Encryption at the Sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2. Partial Fusion at the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3. Completing Fusion at the Querying Party . . . . . . . . . . . . . . . . . . 30

4. Navigator Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5. Measurement at Sensor i . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6. Navigator Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Bibliography
[1] B. D. O. Anderson and J. B. Moore, Optimal Filtering. Dover Publications, 1979.
[2] D. Simon, Optimal State Estimation: Kalman, H Infinity and Nonlinear Approaches. Wiley-Interscience, 2006.
[3] A. G. O. Mutambara, Decentralized Estimation and Control for Multisensor Systems. CRC Press, 1998.
[4] M. Liggins, C. Y. Chong, D. Hall, and J. Llinas, Distributed Data Fusion for Network-Centric Operations. CRC Press, 2012.
[5] G. Galanis, P. Louka, P. Katsafados, I. Pytharoulis, and G. Kallos, “Applications of Kalman Filters Based on Non-Linear Functions to Numerical Weather Predictions,” Annales Geophysicae, vol. 24, no. 10, pp. 2451–2460, 2006.
[6] S. Gillijns, O. Mendoza, J. Chandrasekar, B. De Moor, D. Bernstein, and A. Ridley, “What is the Ensemble Kalman Filter and How Well Does it Work?” in American Control Conference (ACC), 2006, p. 6.
[7] S. Gezici, Z. Tian, G. Giannakis, H. Kobayashi, A. Molisch, H. Poor, and Z. Sahinoglu, “Localization via Ultra-Wideband Radios: A Look at Positioning Aspects for Future Sensor Networks,” IEEE Signal Processing Magazine, vol. 22, no. 4, pp. 70–84, 2005.
[8] B. Siebler, S. Sand, and U. D. Hanebeck, “Localization with Magnetic Field Distortions and Simultaneous Magnetometer Calibration,” IEEE Sensors Journal, vol. 21, no. 3, pp. 3388–3397, 2020.
[9] S. S. Kia, S. Rounds, and S. Martinez, “Cooperative Localization for Mobile Agents: A Recursive Decentralized Algorithm Based on Kalman-Filter Decoupling,” IEEE Control Systems Magazine, vol. 36, no. 2, pp. 86–101, Apr. 2016.
[10] S. Sridhar and A. Eskandarian, “Cooperative Perception in Autonomous Ground Vehicles Using a Mobile-Robot Testbed,” Intelligent Transport Systems (IET), vol. 13, no. 10, pp. 1545–1556, 2019.
[11] J. Aulinas, Y. Petillot, J. Salvi, and X. Lladó, “The SLAM Problem: A Survey,” Artificial Intelligence Research and Development, pp. 363–371, 2008.
[12] S. J. Julier and J. K. Uhlmann, “A Non-Divergent Estimation Algorithm in the Presence of Unknown Correlations,” in American Control Conference (ACC), vol. 4, 1997, pp. 2369–2373.

[13] S. Grime and H. F. Durrant-Whyte, “Data Fusion in Decentralized Sensor Networks,” Control Engineering Practice, vol. 2, no. 5, pp. 849–863, 1994.
[14] B. Noack, J. Sijs, M. Reinhardt, and U. D. Hanebeck, Treatment of Dependent Information in Multisensor Kalman Filtering and Data Fusion. CRC Press, 2017, pp. 169–192.
[15] S. Radtke, B. Noack, U. D. Hanebeck, and O. Straka, “Reconstruction of Cross-Correlations with Constant Number of Deterministic Samples,” in 21st IEEE International Conference on Information Fusion (FUSION), 2018, pp. 1638–1645.
[16] C. Y. Chong, “Forty Years of Distributed Estimation: A Review of Noteworthy Developments,” in IEEE/ISIF Workshop on Sensor Data Fusion: Trends, Solutions, Applications (SDF), 2017, pp. 1–10.
[17] A. J. Haug, Bayesian Estimation and Tracking: A Practical Guide. John Wiley & Sons, 2012.
[18] D. Willner, C. B. Chang, and K. P. Dunn, “Kalman Filter Algorithms for a Multisensor System,” in 15th IEEE Conference on Decision and Control (CDC), 1976, pp. 570–574.
[19] F. Pfaff, B. Noack, U. D. Hanebeck, F. Govaers, and W. Koch, “Information Form Distributed Kalman Filtering (IDKF) with Explicit Inputs,” in 20th IEEE International Conference on Information Fusion (FUSION), 2017, pp. 1–8.
[20] M. Brenner, J. Wiebelitz, G. von Voigt, and M. Smith, “Secret Program Execution in the Cloud Applying Homomorphic Encryption,” in 5th IEEE International Conference on Digital Ecosystems and Technologies (DEST), 2011, pp. 114–119.
[21] K. Ren, C. Wang, and Q. Wang, “Security Challenges for the Public Cloud,” IEEE Internet Computing, vol. 16, no. 1, pp. 69–73, 2012.
[22] T. Keyser, “Security Policy,” in The Information Governance Toolkit. CRC Press, 2005, p. 6.
[23] F. Farokhi, Ed., Privacy in Dynamical Systems. Springer, 2020.
[24] P. Speciale, J. L. Schonberger, S. B. Kang, S. N. Sinha, and M. Pollefeys, “Privacy Preserving Image-Based Localization,” in IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). IEEE, 2019, pp. 5488–5498.
[25] Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, I. Lagendijk, and T. Toft, “Privacy-Preserving Face Recognition,” in Privacy Enhancing Technologies. Berlin, Heidelberg: Springer Berlin Heidelberg, 2009, vol. 5672, pp. 235–253.
[26] J. He, L. Cai, and X. Guan, “Preserving Data-Privacy With Added Noises: Optimal Estimation and Privacy Analysis,” IEEE Transactions on Information Theory, vol. 64, no. 8, pp. 5677–5690, Aug. 2018.
[27] Q. Li, R. Heusdens, and M. G. Christensen, “Privacy-Preserving Distributed Optimization via Subspace Perturbation: A General Framework,” IEEE Transactions on Signal Processing, vol. 68, pp. 5983–5996, 2020.
[28] S. Gueron, “Intel Advanced Encryption Standard (AES) New Instructions Set,” Intel Corporation, 2010.
[29] R. L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-key Cryptosystems,” Communications of the ACM (CACM), vol. 21, no. 2, pp. 120–126, 1978.
[30] P. Paillier, “Public-Key Cryptosystems Based on Composite Degree Residuosity Classes,” in Advances in Cryptology (EUROCRYPT). Springer, 1999, pp. 223–238.
[31] E. Shi, T.-H. H. Chan, and E. Rieffel, “Privacy-Preserving Aggregation of Time-Series Data,” Annual Network & Distributed System Security Symposium (NDSS), p. 17, 2011.
[32] J. Chotard, E. Dufour Sans, R. Gay, D. H. Phan, and D. Pointcheval, “Decentralized Multi-Client Functional Encryption for Inner Product,” in Advances in Cryptology (ASIACRYPT). Springer, 2018, pp. 703–732.
[33] M. E. Andrés, N. E. Bordenabe, K. Chatzikokolakis, and C. Palamidessi, “Geo-Indistinguishability: Differential Privacy for Location-Based Systems,” in ACM SIGSAC Conference on Computer & Communications Security, ser. CCS ’13. New York, NY, USA: Association for Computing Machinery, 2013, pp. 901–914.
[34] A. Acar, H. Aksu, A. S. Uluagac, and M. Conti, “A Survey on Homomorphic Encryption Schemes: Theory and Implementation,” ACM Computing Surveys (CSUR), vol. 51, no. 4, pp. 1–35, 2018.
[35] C. Gentry, “Fully Homomorphic Encryption Using Ideal Lattices,” in 41st ACM Symposium on Theory of Computing (STOC), 2009, pp. 169–178.
[36] D. Stehlé and R. Steinfeld, “Faster Fully Homomorphic Encryption,” in Advances in Cryptology (ASIACRYPT), vol. 6477, 2010, pp. 377–394.
[37] R. L. Lagendijk, Z. Erkin, and M. Barni, “Encrypted Signal Processing for Privacy Protection: Conveying the Utility of Homomorphic Encryption and Multiparty Computation,” IEEE Signal Processing Magazine, vol. 30, no. 1, pp. 82–105, 2012.
[38] P. Y. A. Ryan, “Prêt à Voter with Paillier Encryption,” Mathematical and Computer Modelling, vol. 48, no. 9, pp. 1646–1662, 2008.
[39] F. Kerschbaum, “Outsourced Private Set Intersection Using Homomorphic Encryption,” in 7th ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2012, p. 85.
[40] D. Catalano and D. Fiore, “Using Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data,” in 22nd ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: ACM, 2015, pp. 1518–1529.
[41] M. Abdalla, F. Benhamouda, and R. Gay, “From Single-Input to Multi-client Inner-Product Functional Encryption,” in Advances in Cryptology (ASIACRYPT). Cham: Springer International Publishing, 2019, pp. 552–582.
[42] M. Liggins, C.-Y. Chong, I. Kadar, M. Alford, V. Vannicola, and S. Thomopoulos, “Distributed Fusion Architectures and Algorithms for Target Tracking,” Proceedings of the IEEE, vol. 85, no. 1, pp. 95–107, 1997.
[43] Y. Bar-Shalom and L. Campo, “The Effect of the Common Process Noise on the Two-Sensor Fused-Track Covariance,” IEEE Transactions on Aerospace and Electronic Systems, vol. AES-22, no. 6, pp. 803–805, 1986.
[44] T. He, C. Huang, B. M. Blum, J. A. Stankovic, and T. Abdelzaher, “Range-Free Localization Schemes for Large Scale Sensor Networks,” in 9th Annual International Conference on Mobile Computing and Networking, 2003, pp. 81–95.
[45] J. Cong, Y. Li, G. Qi, and A. Sheng, “An Order Insensitive Sequential Fast Covariance Intersection Fusion Algorithm,” Information Sciences, vol. 367, pp. 28–40, 2016.
[46] Y. Xu and J. Hespanha, “Estimation Under Uncontrolled and Controlled Communications in Networked Control Systems,” in 44th IEEE Conference on Decision and Control (CDC), 2005, pp. 842–847.
[47] F. Rosenthal, B. Noack, and U. D. Hanebeck, “Scheduling of Measurement Transmission in Networked Control Systems Subject to Communication Constraints,” in American Control Conference (ACC), 2018, pp. 5730–5736.
[48] X. Lei, X. Liao, T. Huang, H. Li, and C. Hu, “Outsourcing Large Matrix Inversion Computation to A Public Cloud,” IEEE Transactions on Cloud Computing, vol. 1, no. 1, pp. 1–1, 2013.
[49] L. Nandakumar, G. Tillem, Z. Erkin, and T. Keviczky, “Protecting the Grid Topology and User Consumption Patterns During State Estimation in Smart Grids Based on Data Obfuscation,” Energy Informatics, vol. 2, no. S1, p. 25, 2019.
[50] J. Zhang, X. Wang, S.-M. Yiu, Z. L. Jiang, and J. Li, “Secure Dot Product of Outsourced Encrypted Vectors and its Application to SVM,” in 5th ACM International Workshop on Security in Cloud Computing (SCC). Abu Dhabi, United Arab Emirates: ACM Press, 2017, pp. 75–82.
[51] M. Schulze Darup, A. B. Alexandru, D. E. Quevedo, and G. J. Pappas, “Encrypted Control for Networked Systems: An Illustrative Introduction and Current Challenges,” IEEE Control Systems Magazine, vol. 41, no. 3, pp. 58–78, 2021.
89
Bibliography

[52] A. López-Alt, E. Tromer, and V. Vaikuntanathan, “On-the-Fly Multiparty Com-


putation on the Cloud via Multikey Fully Homomorphic Encryption,” in 44th
Symposium on Theory of Computing (STOC). New York, New York, USA: ACM
Press, 2012, p. 1219.

[53] M. M. Potey, C. A. Dhote, and D. H. Sharma, “Homomorphic Encryption for


Security of Cloud Data,” Procedia Computer Science, vol. 79, pp. 175–181, Jan.
2016.

[54] F. Zhao, C. Li, and C. F. Liu, “A Cloud Computing Security Solution Based on
Fully Homomorphic Encryption,” in 16th International Conference on Advanced
Communication Technology, 2014, pp. 485–488.

[55] A. B. Alexandru, M. S. Darup, and G. J. Pappas, “Encrypted Cooperative Control


Revisited,” in 58th IEEE Conference on Decision and Control (CDC), 2019, pp.
7196–7202.

[56] K. Kogiso and T. Fujita, “Cyber-Security Enhancement of Networked Control


Systems Using Homomorphic Encryption,” in 54th IEEE Conference on Decision
and Control (CDC), vol. 54, 2015, pp. 6836–6843.

[57] C. Dwork, “Differential Privacy: A Survey of Results,” in Theory and Applications


of Models of Computation. Springer, 2008, pp. 1–19.

[58] R. J. Wilson, C. Y. Zhang, W. Lam, D. Desfontaines, D. Simmons-Marengo, and


B. Gipson, “Differentially Private SQL with Bounded User Contribution,” Pro-
ceedings on Privacy Enhancing Technologies, vol. 2, pp. 230–250, 2020.

[59] M. S. Daru and T. Jager, “Encrypted Cloud-based Control Using Secret Sharing
with One-time Pads,” in 58th IEEE Conference on Decision and Control (CDC),
2019, pp. 7215–7221.

[60] M. Aristov, B. Noack, U. D. Hanebeck, and J. Müller-Quade, “Encrypted Multisen-


sor Information Filtering,” in 21st IEEE International Conference on Information
Fusion (FUSION), Cambridge, UK, 2018, pp. 1631–1637.

[61] A. Alanwar, Y. Shoukry, S. Chakraborty, P. Martin, P. Tabuada, and M. Sri-


vastava, “PrOLoc: Resilient Localization with Private Observers Using Partial
Homomorphic Encryption,” in 16th ACM/IEEE International Conference on In-
formation Processing in Sensor Networks (IPSN), 2017, pp. 41–52.

[62] M. Pinto, H. Sobreira, A. Paulo Moreira, H. Mendonça, and A. Matos, “Self-


Localisation of Indoor Mobile Robots Using Multi-Hypotheses and a Matching
Algorithm,” Mechatronics, vol. 23, no. 6, pp. 727–737, Sept. 2013.

[63] J. Le Ny and G. J. Pappas, “Differentially Private Filtering,” IEEE Transactions


on Automatic Control (TAC), vol. 59, no. 2, pp. 341–354, Feb. 2014.

90
Bibliography

[64] M. Schulze Darup, A. Redder, and D. E. Quevedo, “Encrypted Cooperative Con-


trol Based on Structured Feedback,” IEEE Control Systems Letters (L-CSS),
vol. 3, no. 1, pp. 37–42, 2019.

[65] A. B. Alexandru and G. J. Pappas, “Private Weighted Sum Aggregation,” IEEE


Transactions on Control of Network Systems, vol. 9, no. 1, pp. 219–230, Mar. 2022.

[66] M. Joye and B. Libert, “A Scalable Scheme for Privacy-Preserving Aggregation


of Time-Series Data,” in International Conference on Financial Cryptography and
Data Security. Springer, 2013, pp. 111–125.

[67] F. Benhamouda, M. Joye, and B. Libert, “A New Framework for Privacy-


Preserving Aggregation of Time-Series Data,” ACM Transactions on Information
and System Security, vol. 18, no. 3, pp. 10:1–10:21, 2016.

[68] P. D’Arco, R. De Prisco, A. De Santis, A. Pérez Del Pozo, and U. Vaccaro, “Prob-
abilistic Secret Sharing,” in 43rd International Symposium on Mathematical Foun-
dations of Computer Science (MFCS), 2018.

[69] D. Becker, J. Guajardo, and K.-H. Zimmermann, “Revisiting Private Stream Ag-
gregation: Lattice-Based PSA,” in Network and Distributed System Security Sym-
posium. San Diego, CA: Internet Society, 2018.

[70] T. H. H. Chan, E. Shi, and D. Song, “Privacy-Preserving Stream Aggregation


with Fault Tolerance,” in Financial Cryptography and Data Security. Berlin,
Heidelberg: Springer, 2012, pp. 200–214.

[71] A. S. Leong, D. E. Quevedo, D. Dolz, and S. Dey, “Transmission Scheduling for


Remote State Estimation Over Packet Dropping Links in the Presence of an Eaves-
dropper,” IEEE Transactions on Automatic Control (TAC), vol. 64, no. 9, pp.
3732–3739, 2019.

[72] A. S. Leong, D. E. Quevedo, D. Dolz, and S. Dey, “Information Bounds for State
Estimation in the Presence of an Eavesdropper,” IEEE Control Systems Letters
(L-CSS), vol. 3, no. 3, pp. 547–552, 2019.

[73] P. D. Groves, “Principles of GNSS, Inertial, and Multisensor Integrated Navigation


Systems,” IEEE Aerospace and Electronic Systems Magazine, vol. 30, no. 2, pp.
26–27, 2015.

[74] C. Murguia, I. Shames, F. Farokhi, and D. Nešić, “Information-Theoretic Pri-


vacy Through Chaos Synchronization and Optimal Additive Noise,” in Privacy in
Dynamical Systems. Springer, 2020, pp. 103–129.

[75] A. S. Leong, A. Redder, D. E. Quevedo, and S. Dey, “On the Use of Artificial
Noise for Secure State Estimation in the Presence of Eavesdroppers,” in European
Control Conference (ECC), 2018, pp. 325–330.

91
Bibliography

[76] B. Sinopoli, L. Schenato, M. Franceschetti, K. Poolla, M. I. Jordan, and S. S.


Sastry, “Kalman Filtering with Intermittent Observations,” IEEE Transactions
on Automatic Control (TAC), vol. 49, no. 9, pp. 1453–1464, 2004.

[77] S. Mishra, Y. Shoukry, N. Karamchandani, S. Diggavi, and P. Tabuada, “Secure


State Estimation: Optimal Guarantees Against Sensor Attacks in the Presence of
Noise,” in IEEE International Symposium on Information Theory (ISIT), 2015,
pp. 2929–2933.

[78] R. E. Kalman, “A New Approach to Linear Filtering and Prediction Problems,”


Journal of Basic Engineering, vol. 82, no. 1, pp. 35–45, 1960.

[79] J. L. Crassidis and J. L. Junkins, Optimal Estimation of Dynamic Systems. CRC


Press, 2004.

[80] C. K. Chui and G. Chen, Kalman Filtering with Real-Time Applications. Springer
Science & Business Media, 2013.

[81] P. S. Maybeck, Stochastic Models, Estimation, and Control. Academic Press,


1982.

[82] P. Tichavsky, C. Muravchik, and A. Nehorai, “Posterior Cramer-Rao Bounds


for Discrete-Time Nonlinear Filtering,” IEEE Transactions on Signal Processing,
vol. 46, no. 5, pp. 1386–1396, May 1998.

[83] The Analytic Sciences Corporation, Applied Optimal Estimation. MIT Press,
1974.

[84] S. Yang and M. Baum, “Extended Kalman Filter for Extended Object Track-
ing,” in IEEE International Conference on Acoustics, Speech and Signal Processing
(ICASSP), 2017, pp. 4386–4390.

[85] M. L. Psiaki and H. Jung, “Extended Kalman Filter Methods for Tracking Weak
GPS Signals,” in 15th International Technical Meeting of the Satellite Division of
The Institute of Navigation (ION GPS), 2002, pp. 2539–2553.

[86] K. P. B. Chandra, D.-W. Gu, and I. Postlethwaite, “Cubature H∞ Information


Filter and its Extensions,” European Journal of Control, vol. 29, pp. 17–32, 2016.

[87] N. Assimakis, M. Adam, and A. Douladiris, “Information Filter and Kalman Filter
Comparison: Selection of the Faster Filter,” International Journal of Information
Engineering (IJIE), vol. 2, pp. 1–5, Jan. 2012.

[88] M. Reinhardt, B. Noack, S. Kulkarni, and U. D. Hanebeck, “Distributed Kalman


Filtering in the Presence of Packet Delays and Losses,” in 17th IEEE International
Conference on Information Fusion (FUSION), 2014, pp. 1–7.

92
Bibliography

[89] S. Thrun, D. Koller, Z. Ghahramani, H. Durrant-Whyte, and A. Y. Ng, “Si-


multaneous Mapping and Localization with Sparse Extended Information Filters:
Theory and Initial Results,” in Algorithmic Foundations of Robotics V. Berlin,
Heidelberg: Springer, 2004, pp. 363–380.

[90] T. Garritsen, “Using the Extended Information Filter for Localization of Humanoid
Robots on a Soccer Field,” Ph.D. dissertation, University of Amsterdam, Infor-
matics Institute, Faculty of Science, 2018.

[91] Y. Bar-Shalom, “On The Track-to-track Correlation Problem,” IEEE Transactions


on Automatic Control (TAC), vol. 26, no. 2, pp. 571–572, 1981.

[92] S. L. Sun and Z. L. Deng, “Multi-sensor Optimal Information Fusion Kalman


Filter,” Automatica, vol. 40, no. 6, pp. 1017–1023, 2004.

[93] Y. Wang and X. R. Li, “Distributed Estimation Fusion with Unavailable Cross-
Correlation,” IEEE Transactions on Aerospace and Electronic Systems, vol. 48,
no. 1, pp. 259–278, Jan. 2012.

[94] S. Radtke, B. Noack, and U. D. Hanebeck, “Distributed Estimation using Square


Root Decompositions of Dependent Information,” in 22th IEEE International Con-
ference on Information Fusion (FUSION), 2019, pp. 1–8.

[95] J. Ajgl and O. Straka, “Inverse Covariance Intersection Fusion of Multiple Esti-
mates,” in 23rd IEEE International Conference on Information Fusion (FUSION),
2020, pp. 1–8.

[96] C. Funk, B. Noack, and U. D. Hanebeck, “Conservative Quantization of Fast


Covariance Intersection,” in IEEE International Conference on Multisensor Fusion
and Integration for Intelligent Systems (MFI), Sept. 2020, pp. 68–74.

[97] L. Chen, P. Arambel, and R. Mehra, “Estimation Under Unknown Correlation:


Covariance Intersection Revisited,” IEEE Transactions on Automatic Control
(TAC), vol. 47, no. 11, pp. 1879–1882, 2002.

[98] P. Arambel, C. Rago, and R. Mehra, “Covariance Intersection Algorithm for Dis-
tributed Spacecraft State Estimation,” in American Control Conference (ACC),
vol. 6, 2001, pp. 4398–4403.

[99] W. Niehsen, “Information Fusion Based On Fast Covariance Intersection Filter-


ing,” in 5th IEEE International Conference on Information Fusion (FUSION),
vol. 2, 2002, pp. 901–904.

[100] D. Fränken and A. Hüpper, “Improved Fast Covariance Intersection For Dis-
tributed Data Fusion,” in 7th International Conference on Information Fusion
(FUSION), vol. 1, 2005, p. 7.

93
Bibliography

[101] H. Zhang, C. Song, M. Hao, and L. Chen, “A Fast Covariance Intersection Tracking
Algorithm Based on CDKF,” in 2019 Chinese Control Conference (CCC), July
2019, pp. 4230–4235.

[102] J. Katz and Y. Lindell, Introduction to Modern Cryptography: Principles and


Protocols. Chapman & Hall, 2008.

[103] S. O. Hwang, I. Kim, and W. K. Lee, Modern Cryptography with Proof Techniques
and Implementations. CRC Press, 2021.

[104] M. Bellare and P. Rogaway, “Random Oracles are Practical: A Paradigm for
Designing Effcient Protocols,” in 1st ACM Conference on Computer and Commu-
nications Security, 1993, pp. 62–73.

[105] A. Boldyreva, N. Chenette, Y. Lee, and A. O’Neill, “Order-Preserving Symmetric


Encryption,” in Advances in Cryptology (EUROCRYPT). Berlin, Heidelberg:
Springer, 2009, pp. 224–241.

[106] N. Chenette, K. Lewi, S. A. Weis, and D. J. Wu, “Practical Order-Revealing


Encryption with Limited Leakage,” in IACR Fast Software Encryption (FSE).
Springer, 2016, pp. 474–493.

[107] K. Lewi and D. J. Wu, “Order-Revealing Encryption: New Constructions, Ap-


plications, and Lower Bounds,” in ACM SIGSAC Conference on Computer and
Communications Security (CCS), 2016, pp. 1167–1178.

[108] E. L. Oberstar, Fixed-Point Representation and Fractional Math. Oberstar Con-


sulting, 2007.

[109] F. Farokhi, I. Shames, and N. Batterham, “Secure and Private Control Using
Semi-Homomorphic Encryption,” Control Engineering Practice, vol. 67, pp. 13–
20, 2017.

[110] CSIRO’s Data61, “Python Paillier Library,” https://github.com/data61/python-


paillier, 2013.

[111] L. Lazos and R. Poovendran, “SeRLoc: Secure Range-Independent Localization


for Wireless Sensor Networks,” in ACM Workshop on Wireless Security (WiSe).
Philadelphia, PA, USA: ACM, 2004, p. 21.

[112] I. Ben-Gal, “Outlier Detection,” in Data Mining and Knowledge Discovery Hand-
book. Boston, MA, USA: Springer, 2005, pp. 131–146.

[113] The OpenMPI Project, “Open MPI,” https://www.open-mpi.org/, 2020.

[114] The OpenSSL Project, “OpenSSL,” https://www.openssl.org/, 2020.

[115] J. Bethencourt, “Libpaillier,” http://acsc.cs.utexas.edu/libpaillier/, 2010.

94
Bibliography

[116] The GSL development team, “GSL - GNU Scientific Library,”


https://www.gnu.org/software/gsl/, 2019.

[117] T. Granlund and The GMP Development Team, “GMP - The GNU Multiple
Precision Arithmetic Library,” https://gmplib.org/, 2020.

[118] E. Barker, L. Chen, A. Roginsky, A. Vassilev, R. Davis, and S. Simon, “Recom-


mendation for Pair-Wise Key Establishment Using Integer Factorization Cryptog-
raphy,” National Institute of Standards and Technology, Gaithersburg, MD, USA,
Tech. Rep. NIST SP 800-56Br2, 2019.

[119] F. Goualard, “Generating Random Floating-Point Numbers by Dividing Integers:


A Case Study,” in Computational Science (ICCS). Springer International Pub-
lishing, 2020, pp. 15–28.

[120] R. E. A. C. Paley and N. Wiener, Fourier Transforms in the Complex Domain.


American Mathematical Society, 1934, vol. 19.

95
Thesis Publications
[121] M. Ristic, B. Noack, and U. D. Hanebeck, “Secure Fast Covariance Intersection
Using Partially Homomorphic and Order Revealing Encryption Schemes,” IEEE
Control Systems Letters (L-CSS), vol. 5, no. 1, pp. 217–222, 2021.

[122] M. Ristic and B. Noack, “Encrypted Fast Covariance Intersection Without Leaking
Fusion Weights,” in IEEE International Conference on Multisensor Fusion and
Integration for Intelligent Systems (MFI), 2022, pp. 1–6.

[123] M. Ristic, B. Noack, and U. D. Hanebeck, “Distributed Range-Only Localisation
That Preserves Sensor and Navigator Privacies,” IEEE Transactions on Automatic
Control (TAC), pp. 1–12, 2023.

[124] M. Ristic, B. Noack, and U. D. Hanebeck, “Cryptographically Privileged State
Estimation With Gaussian Keystreams,” IEEE Control Systems Letters (L-CSS),
vol. 6, pp. 602–607, 2022.

[125] M. Ristic and B. Noack, “Privileged Estimate Fusion With Correlated Gaussian
Keystreams,” in 61st IEEE Conference on Decision and Control (CDC), 2022, pp.
7732–7739.
