Comparing the Notions of Opacity for Discrete-Event Systems
Jiří Balun · Tomáš Masopust
Abstract
Opacity is an information flow property characterizing whether a system reveals its secret to a passive observer. Several notions of opacity have been introduced in the literature. We study the notions of language-based opacity, current-state opacity, initial-state opacity, initial-and-final-state opacity, K-step opacity, and infinite-step opacity. Comparing the notions is a natural question that has been investigated and summarized by Wu and Lafortune, who provided transformations among current-state opacity, initial-and-final-state opacity, and language-based opacity, and, for prefix-closed languages, also between language-based opacity and initial-state opacity. We extend these results by showing that all the discussed notions of opacity are transformable to each other. The transformations are computable in polynomial time, and preserve the number of observable events and determinism. Besides a deeper insight into the differences among the notions, the transformations have applications in complexity results. Namely, we improve the algorithmic complexity of deciding language-based opacity, infinite-step opacity, and K-step opacity, and provide a complete and improved complexity picture of the verification of the discussed notions of opacity.
Keywords
Discrete event systems · Finite automata · Opacity · Transformations · Complexity
Partially supported by the Ministry of Education, Youth and Sports under the INTER-EXCELLENCE project LTAUSA19098 and by the University project IGA PrF 2020 019.
Jiří Balun, Faculty of Science, Palacky University in Olomouc, Czechia. E-mail: [email protected]
Tomáš Masopust, Faculty of Science, Palacky University in Olomouc, Czechia. E-mail: [email protected]

Applications often require keeping some information about the behavior of a system secret. Properties that guarantee such requirements include anonymity [26], noninterference [13], secrecy [1], security [12], and opacity [20].

In this paper, we are interested in opacity for discrete-event systems (DESs) modeled by finite automata. Opacity is a state-estimation property that asks whether a system prevents an intruder from revealing the secret. The intruder is modeled as a passive observer with complete knowledge of the structure of the system, but with only limited observation of the behavior of the system. Based on the observation, the intruder estimates the behavior of the system, and the system is opaque if the intruder never reveals the secret. In other words, for any secret behavior of the system, there is a non-secret behavior of the system that looks the same to the intruder.

If the secret is modeled as a set of states, the opacity is referred to as state-based. Bryans et al. [7] introduced state-based opacity for systems modeled by Petri nets, Saboori and Hadjicostis [22] adapted it to (stochastic) automata, and Bryans et al. [6] generalized it to transition systems. If the secret is modeled as a set of behaviors, the opacity is referred to as language-based. Language-based opacity was introduced by Badouel et al. [4] and Dubreil et al. [11]. For more details, we refer the reader to the overview by Jacob et al. [17].

Several notions of opacity have been introduced in the literature. In this paper, we are interested in the notions of current-state opacity (CSO), initial-state opacity (ISO), initial-and-final-state opacity (IFO), language-based opacity (LBO), K-step opacity (K-SO), and infinite-step opacity (INSO). Current-state opacity is the property that the intruder can never decide whether the system is currently in a secret state. Initial-state opacity is the property that the intruder can never reveal whether the computation started in a secret state.
Initial-and-final-state opacity of Wu and Lafortune [29] is a generalization of both, where the secret is represented as a pair of an initial and a marked state. Consequently, initial-state opacity is a special case of initial-and-final-state opacity where the marked states do not play a role, and current-state opacity is a special case where the initial states do not play a role.

While initial-state opacity prevents the intruder from revealing, at any time during the computation, whether the system started in a secret state, current-state opacity prevents the intruder only from revealing whether the current state of the system is a secret state. However, it may happen that the intruder realizes in the future that the system was in a secret state at some former point of the computation. For instance, if the intruder estimates that the system is in one of two possible states and, in the next step, the system proceeds by an observable event that is possible only from one of the states, then the intruder reveals the state in which the system was one step ago. This issue has been considered in the literature and led to the notions of K-step opacity (K-SO) and infinite-step opacity (INSO) introduced by Saboori and Hadjicostis [22,25]. While K-step opacity requires that the intruder cannot reveal the secret in the current and K subsequent states, infinite-step opacity requires that the intruder can never reveal that the system was in a secret state. Notice that 0-step opacity coincides with current-state opacity by definition, and that an n-state automaton is infinite-step opaque if and only if it is (n − )-step opaque [30].

Comparing different notions of opacity for automata models, Saboori and Hadjicostis [23] provided a language-based definition of initial-state opacity, Cassez et al. [9] transformed language-based opacity to current-state opacity, and Wu and Lafortune showed that current-state opacity, initial-and-final-state opacity, and language-based opacity can be transformed to each other. They further provided transformations of initial-state opacity to language-based opacity and to initial-and-final-state opacity, and, for prefix-closed languages, a transformation of language-based opacity to initial-state opacity.

In this paper, we extend these results by showing that, for automata models, all the discussed notions of opacity are transformable to each other. Like the existing transformations, ours are computable in polynomial time, and preserve the number of observable events and determinism (whenever it is meaningful). In more detail, the transformations of Wu and Lafortune [29] preserve the determinism of transitions, but result in automata with a set of initial states. This issue can, however, be easily fixed by adding a new initial state, connecting it to the original initial states by new unobservable events, and making the original initial states non-initial. We summarize our results, together with the existing results, in Fig. 1.

Fig. 1
Overview of the transformations among the notions of opacity for automata models. (The diagram connects LBO, K-SO, ISO, CSO, INSO, and IFO by arrows labelled either by [29] or by the section, 4.1.1, 4.2.1, 4.2.2, 4.3.1, or 4.3.2, that gives the transformation.)

There are two immediate applications of the transformations. First, the transformations provide a deeper understanding of the differences among the opacity notions from the structural point of view. For instance, the reader may deduce from the transformations that, for prefix-closed languages, the notions of language-based opacity, initial-state opacity, and current-state opacity coincide, or that to transform current-state opacity to infinite-step opacity means to add only a single state and a few transitions.

Second, the transformations provide a tool to obtain the complexity results for all the discussed opacity notions by studying just one of the notions. For an illustration, consider, for instance, our recent result showing that deciding current-state opacity for systems modeled by DFAs with three events, one of which is unobservable, is PSpace-complete [5]. Since we can transform the problems of deciding current-state opacity and of deciding infinite-step opacity to each other in polynomial time, preserving determinism and the number of observable events, we obtain that deciding infinite-step opacity for systems modeled by DFAs with three events, one of which is unobservable, is PSpace-complete as well. In particular, combining the transformations with known results [17,5], we obtain a complete complexity picture of the verification of the discussed notions of opacity as summarized in Table 1.

The fact that checking opacity for DESs is PSpace-complete was known for some of the considered notions [17].
In particular, deciding current-state opacity, initial-state opacity, and language-based opacity were known to be PSpace-complete, deciding K-step opacity was known to be NP-hard, and deciding infinite-step opacity was known to be PSpace-hard. Complexity theory tells us that any two PSpace-complete problems can be transformed to each other in polynomial time. In other words, it gives the existence of polynomial transformations between the notions of opacity for which the verification is PSpace-complete. However, the theory and the PSpace-hardness proofs presented in the literature do not give a clue how to obtain these transformations. Therefore, from the complexity point of view, our contribution is not the existence of the transformations, but the construction of specific transformations. Since the presented transformations preserve determinism and the number of observable events, they allow us to present stronger results than those known in the literature [17], which we summarize in Table 1.

The transformations further allow us to improve the algorithmic complexity of deciding language-based opacity, infinite-step opacity, and K-step opacity. In the case of language-based opacity, Lin [19] suggested an algorithm with complexity O(n), where n is the number of states of the input automaton. In this paper, we improve this complexity to O((n + mℓ)·2^n), where ℓ = |Σ_o| is the number of observable events and m ≤ ℓn is the number of transitions in the projected automaton of the input automaton. For infinite-step opacity and K-step opacity, the latest results are by Yin and Lafortune [30], who designed an algorithm for checking infinite-step opacity with complexity O(ℓ n), and an algorithm for checking K-step opacity with complexity O(min{ℓ n, ℓ K + n}). In this paper, we suggest a new algorithm for deciding infinite-step opacity with complexity O((n + mℓ)·2^n), and a new algorithm for checking K-step opacity with complexity O((K + )·2^n·(n + mℓ)). The results are summarized in Table 1.

Table 1
Complexity of verifying the notions of opacity for DESs with Σ_o being the set of observable events, following from the transformations and known results; n stands for the number of states of the input automaton, ℓ for the number of observable events of the input automaton, and m ≤ ℓn for the number of transitions in the projected automaton of the input automaton.

Opacity notion    |Σ_o| = 1               |Σ_o| ≥ 2           Algorithm
CSO               coNP-complete           PSpace-complete     O(ℓ·2^n) [21]
LBO               coNP-complete           PSpace-complete     O((n + mℓ)·2^n) (Thm 3)
ISO               NL-complete (Thm 2)     PSpace-complete     O(ℓ n) [29]
IFO               coNP-complete           PSpace-complete     O(ℓ n) [29]
K-SO              coNP-complete           PSpace-complete     O((K + )·2^n·(n + mℓ)) (Sec 4.3.4)
INSO              coNP-complete           PSpace-complete     O((n + mℓ)·2^n) (Sec 4.2.4)

We assume that the reader is familiar with the basic notions of automata theory [8]. For a set S, |S| denotes the cardinality of S, and 2^S the power set of S. An alphabet Σ is a finite nonempty set of events. A string over Σ is a sequence of events from Σ. Let Σ* denote the set of all finite strings over Σ; the empty string is denoted by ε. A language L over Σ is a subset of Σ*.
The set of all prefixes of strings of L is the set L̄ = {u | there is v ∈ Σ* such that uv ∈ L}. For a string u ∈ Σ*, |u| denotes the length of u, and ū denotes the set of all prefixes of u.

A nondeterministic finite automaton (NFA) over an alphabet Σ is a structure G = (Q, Σ, δ, I, F), where Q is a finite set of states, I ⊆ Q is a set of initial states, F ⊆ Q is a set of marked states, and δ: Q × Σ → 2^Q is a transition function that can be extended to the domain 2^Q × Σ* by induction. To simplify our proofs, we use the notation δ(Q, S) = ⋃_{s ∈ S} δ(Q, s), where S ⊆ Σ*. For a set of states Q_0 ⊆ Q, the language marked by G from the states of Q_0 is the set L_m(G, Q_0) = {w ∈ Σ* | δ(Q_0, w) ∩ F ≠ ∅}, and the language generated by G from the states of Q_0 is the set L(G, Q_0) = {w ∈ Σ* | δ(Q_0, w) ≠ ∅}. The language marked by G is then L_m(G, I), and the language generated by G is L(G, I). The NFA G is deterministic (DFA) if |I| = 1 and |δ(q, a)| ≤ 1 for every q ∈ Q and a ∈ Σ.

A discrete-event system (DES) G over Σ is an NFA together with the partition of the alphabet Σ into two disjoint subsets Σ_o and Σ_uo = Σ \ Σ_o of observable and unobservable events, respectively. In the case where all states of the automaton are marked, we simply write G = (Q, Σ, δ, I) without specifying the set of marked states.

When discussing state estimation properties, the literature often studies deterministic systems with a set of initial states. Such systems are known as deterministic DES and are defined as a DFA with several initial states; namely, a deterministic DES is an NFA G = (Q, Σ, δ, I, F), where |δ(q, a)| ≤ 1 for every q ∈ Q and a ∈ Σ.

The opacity property is based on partial observations of events described by a projection P: Σ* → Σ_o*. The projection is a morphism defined by P(a) = ε for a ∈ Σ_uo, and P(a) = a for a ∈ Σ_o. The action of P on a string σ_1σ_2⋯σ_n, with σ_i ∈ Σ for 1 ≤ i ≤ n, is to erase all events that do not belong to Σ_o, that is, P(σ_1σ_2⋯σ_n) = P(σ_1)P(σ_2)⋯P(σ_n). The definition can be readily extended to languages.

Let G be an NFA over Σ, and let P: Σ* → Σ_o* be a projection. By the projected automaton of G, we mean the automaton P(G) obtained from G by replacing every transition (p, a, q) by the transition (p, P(a), q), and by eliminating the ε-transitions. Then P(G) is an NFA over Σ_o, with the same set of states as G, that recognizes the language P(L_m(G)) and can be constructed in polynomial time [15].

A decision problem is a yes-no question. A decision problem is decidable if there is an algorithm that solves it. Complexity theory classifies decidable problems into classes based on the time or space an algorithm needs to solve the problem. The complexity classes we consider are L, NL, P, NP, and PSpace, denoting the classes of problems solvable by a deterministic logarithmic-space, nondeterministic logarithmic-space, deterministic polynomial-time, nondeterministic polynomial-time, and deterministic polynomial-space algorithm, respectively. The hierarchy of classes is L ⊆ NL ⊆ P ⊆ NP ⊆ PSpace. Which of the inclusions are strict is an open problem. The widely accepted conjecture is that all are strict. A decision problem is NL-complete (resp. NP-complete, PSpace-complete) if (i) it belongs to NL (resp. NP, PSpace) and (ii) every problem from NL (resp. NP, PSpace) can be reduced to it by a deterministic logarithmic-space (resp. polynomial-time) algorithm. Condition (i) is called membership and condition (ii) hardness.

In this section, we recall the definitions of the notions of opacity we discuss. The notion of initial-and-final-state opacity is recalled to make the paper self-contained. Current-state opacity asks whether the intruder cannot decide, at any instance of time, whether the system is currently in a secret state.
Definition 1 (Current-state opacity (CSO))
Given a DES G = (Q, Σ, δ, I), a projection P: Σ* → Σ_o*, a set of secret states Q_S ⊆ Q, and a set of non-secret states Q_NS ⊆ Q. System G is current-state opaque if for every string w such that δ(I, w) ∩ Q_S ≠ ∅, there exists a string w′ such that P(w) = P(w′) and δ(I, w′) ∩ Q_NS ≠ ∅.

The definition of current-state opacity can be reformulated as a language inclusion, as shown in the following lemma. This result is similar to that of Wu and Lafortune [29] used to transform current-state opacity to language-based opacity. We use this alternative definition to simplify proofs.

Lemma 1 ([5])
Let G = (Q, Σ, δ, I) be a DES, P: Σ* → Σ_o* a projection, and Q_S, Q_NS ⊆ Q sets of secret and non-secret states, respectively. Let L_S denote the marked language of the automaton G_S = (Q, Σ, δ, I, Q_S), and let L_NS denote the marked language of G_NS = (Q, Σ, δ, I, Q_NS). Then G is current-state opaque if and only if L_m(P(G_S)) ⊆ L_m(P(G_NS)).

The second notion of opacity under consideration is language-based opacity. Intuitively, a system is language-based opaque if for any string w in the secret language, there exists a string w′ in the non-secret language with the same observation P(w) = P(w′). In this case, the intruder cannot conclude whether the secret string w or the non-secret string w′ has occurred. We recall the most general definition by Lin [19].
Definition 2 (Language-based opacity (LBO))
Given a DES G = (Q, Σ, δ, I), a projection P: Σ* → Σ_o*, a secret language L_S ⊆ L(G), and a non-secret language L_NS ⊆ L(G). System G is language-based opaque if L_S ⊆ P⁻¹P(L_NS).

It is worth mentioning that the secret and non-secret languages are often considered to be regular; we consider them regular as well. The reason is that, for non-regular languages, the inclusion problem is undecidable; see Asveld and Nijholt [3] for more details.

The third notion is initial-state opacity. Initial-state opacity asks whether the intruder can never reveal whether the computation started in a secret state.

Definition 3 (Initial-state opacity (ISO))
Given a DES G = (Q, Σ, δ, I), a projection P: Σ* → Σ_o*, a set of secret initial states Q_S ⊆ I, and a set of non-secret initial states Q_NS ⊆ I. System G is initial-state opaque with respect to Q_S, Q_NS and P if for every w ∈ L(G, Q_S), there exists w′ ∈ L(G, Q_NS) such that P(w) = P(w′).

The fourth notion is the initial-and-final-state opacity of Wu and Lafortune [29]. Initial-and-final-state opacity is a generalization of both current-state opacity and initial-state opacity, where the secret is represented as a pair of an initial and a marked state. Consequently, initial-state opacity is a special case of initial-and-final-state opacity where the marked states do not play a role, and current-state opacity is a special case where the initial states do not play a role.

Definition 4 (Initial-and-final-state opacity (IFO))
Given a DES G = (Q, Σ, δ, I), a projection P: Σ* → Σ_o*, a set of secret state pairs Q_S ⊆ I × Q, and a set of non-secret state pairs Q_NS ⊆ I × Q. System G is initial-and-final-state opaque with respect to Q_S, Q_NS and P if for every secret pair (q_0, q_f) ∈ Q_S and every w ∈ L(G, q_0) such that q_f ∈ δ(q_0, w), there exist (q′_0, q′_f) ∈ Q_NS and w′ ∈ L(G, q′_0) such that q′_f ∈ δ(q′_0, w′) and P(w) = P(w′).

The fifth notion is K-step opacity. K-step opacity is a generalization of current-state opacity requiring that the intruder cannot reveal the secret in the current and K subsequent states. By definition, current-state opacity is equivalent to 0-step opacity. We slightly generalize and reformulate the definition of Saboori and Hadjicostis [25].

Definition 5 (K-step opacity (K-SO))
Given a system G = (Q, Σ, δ, I), a projection P: Σ* → Σ_o*, a set of secret states Q_S ⊆ Q, a set of non-secret states Q_NS ⊆ Q, and a non-negative integer K ∈ ℕ. System G is K-step opaque with respect to Q_S, Q_NS, and P if for every string st ∈ L(G) such that |P(t)| ≤ K and δ(δ(I, s) ∩ Q_S, t) ≠ ∅, there exists a string s′t′ ∈ L(G) such that P(s) = P(s′), P(t) = P(t′), and δ(δ(I, s′) ∩ Q_NS, t′) ≠ ∅.

Finally, the last notion we consider is infinite-step opacity. Infinite-step opacity is a further generalization of K-step opacity obtained by setting K to infinity. Actually, Yin and Lafortune [30] have shown that an n-state automaton is infinite-step opaque if and only if it is (n − )-step opaque. Again, we slightly generalize and reformulate the definition of Saboori and Hadjicostis [24].

Definition 6 (Infinite-step opacity (INSO))
Given a system G = (Q, Σ, δ, I), a projection P: Σ* → Σ_o*, a set of secret states Q_S ⊆ Q, and a set of non-secret states Q_NS ⊆ Q. System G is infinite-step opaque with respect to Q_S, Q_NS and P if for every string st ∈ L(G) such that δ(δ(I, s) ∩ Q_S, t) ≠ ∅, there exists a string s′t′ ∈ L(G) such that P(s) = P(s′), P(t) = P(t′), and δ(δ(I, s′) ∩ Q_NS, t′) ≠ ∅.

Fig. 2
The replacement of three observable events {a_1, a_2, a_3} with the binary encoding e(a_1), e(a_2), e(a_3) = 10 of Lemma 2, and new states p_0 and p_1. (The diagram shows state p with transitions a_1, a_2, a_3 to the states s, r, q, and, after the replacement, p leading through the new states p_0 and p_1 to s, r, q.)

Although some of the transformations were previously known in the literature, Wu and Lafortune [29] were the first to study the transformations systematically. In particular, they provided polynomial-time transformations among current-state opacity, language-based opacity, initial-state opacity, and initial-and-final-state opacity, see Fig. 1. Inspecting the reductions, it can be seen that after eliminating the unnecessary
Trim operations, the transformations use only logarithmic space, and preserve the number of observable events and determinism (whenever it is meaningful). As we already pointed out, the transformations of Wu and Lafortune [29] preserve the determinism of transitions, but they admit a set of initial states. This issue can, however, be easily eliminated by adding a new initial state, connecting it to the original initial states by new unobservable events, and making the original initial states non-initial. However, their transformation from language-based opacity to initial-state opacity is restricted to the case where the secret and non-secret languages of the language-based opacity problem are prefix-closed.

We complete the polynomial-time transformations among all the discussed notions of opacity. In particular, we provide a general transformation from language-based opacity to initial-state opacity in Section 4.1.1, transformations between infinite-step opacity and current-state opacity in Section 4.2, and transformations between K-step opacity and current-state opacity in Section 4.3. All the transformations preserve the number of observable events and determinism. Except for a few exceptions, the transformations need only logarithmic space. Our results are summarized in Fig. 1 with references to the corresponding sections.

The following auxiliary lemma states that we can reduce the number of observable events in DESs with at least three observable events without affecting current-state opacity and initial-state opacity of the DES. We make use of this lemma to preserve the number of observable events in cases where we introduce new observable events in our reductions, namely in Sections 4.1.1, 4.2.2, and 4.3.2.

Lemma 2
Let G = (Q, Σ, δ, I, F) be an NFA, and let Γ_o ⊆ Σ_o contain at least three events. Let G′ = (Q′, (Σ − Γ_o) ∪ {0, 1}, δ′, I, F) be an NFA obtained from G as follows. Let k = ⌈log(|Γ_o|)⌉, and let e: Γ_o → {0, 1}^k be a binary encoding of the events of Γ_o. We replace every transition (p, a, q) with a ∈ Γ_o by the k transitions (p, b_1, p_{b_1}), (p_{b_1}, b_2, p_{b_1b_2}), …, (p_{b_1⋯b_{k−1}}, b_k, q), where e(a) = b_1b_2⋯b_k ∈ {0, 1}^k, and p_{b_1}, …, p_{b_1⋯b_{k−1}} are states that are added to the state set of G′. Notice that these states are neither secret nor non-secret and that, to preserve determinism, they are newly created when they are needed for the first time, and reused when they are needed later during the replacements, cf. Fig. 2 illustrating a replacement of three observable events {a_1, a_2, a_3} with the encoding e(a_1), e(a_2), and e(a_3). Then G is current-state (initial-state) opaque with respect to Q_S, Q_NS, and P: Σ* → Σ_o* if and only if G′ is current-state (initial-state) opaque with respect to Q_S, Q_NS, and P′: [(Σ − Γ_o) ∪ {0, 1}]* → [(Σ_o − Γ_o) ∪ {0, 1}]*.

Proof To show that G is current-state opaque if and only if G′ is current-state opaque, we define the languages L_S = L_m(Q, Σ, δ, I, Q_S), L_NS = L_m(Q, Σ, δ, I, Q_NS), L′_S = L_m(Q′, (Σ − Γ_o) ∪ {0, 1}, δ′, I, Q_S), and L′_NS = L_m(Q′, (Σ − Γ_o) ∪ {0, 1}, δ′, I, Q_NS). Using Lemma 1, we now need to show that P(L_S) ⊆ P(L_NS) if and only if P′(L′_S) ⊆ P′(L′_NS). To this end, we define a morphism f: Σ* → ((Σ − Γ_o) ∪ {0, 1})* so that f(a) = e(a) for a ∈ Γ_o, and f(a) = a for a ∈ Σ − Γ_o. By the definition of e and the construction of G′, for any string w, we have that w ∈ L(G) if and only if f(w) ∈ L(G′). In particular, P(w) ∈ P(L_S) if and only if P′(f(w)) ∈ P′(L′_S), and P(w) ∈ P(L_NS) if and only if P′(f(w)) ∈ P′(L′_NS), which completes this part of the proof.

To show that G is initial-state opaque if and only if G′ is initial-state opaque, we define the languages L_S = L(Q, Σ, δ, Q_S), L_NS = L(Q, Σ, δ, Q_NS), L′_S = L(Q′, (Σ − Γ_o) ∪ {0, 1}, δ′, Q_S), and L′_NS = L(Q′, (Σ − Γ_o) ∪ {0, 1}, δ′, Q_NS). Since this transforms initial-state opacity to language-based opacity [29], it is sufficient to show that P(L_S) ⊆ P(L_NS) if and only if P′(L′_S) ⊆ P′(L′_NS). However, this can be shown analogously as above. □

Notice that this binary encoding can be done in polynomial time, and that it preserves determinism.
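The encoding of Lemma 2 in code, as an added example written for this page (it is not code from the paper or its authors). The particular encoding e is an assumption of the example: the events of Γ_o are sorted and the i-th one receives the k-bit binary representation of i, so on the instance of Fig. 2 the events a1, a2, a3 receive 00, 01, 10. The chain states are named (p, prefix of the code word); they play the role of the p_b states of the lemma and are shared by all chains leaving the same state p, which is exactly what keeps a deterministic automaton deterministic.

```python
import math


def binary_encode_events(transitions, gamma):
    """Lemma 2: every transition labelled by an event of gamma (at least three observable
    events) becomes a chain of k = ceil(log2 |gamma|) transitions labelled by the bits of a
    binary encoding e of the event.  Chain states are named (p, prefix of the code word), so
    the chains leaving a state p share their prefixes (one trie per source state): a state is
    created the first time it is needed and reused afterwards, which preserves determinism.
    Returns (new transitions, the encoding e, the set of added states)."""
    assert len(gamma) >= 3, "Lemma 2 assumes at least three encoded events"
    events = sorted(gamma)
    k = math.ceil(math.log2(len(events)))
    # the encoding used here (an assumption of this example): the i-th event in sorted
    # order is encoded by the k-bit binary representation of i
    e = {a: format(i, f"0{k}b") for i, a in enumerate(events)}
    new_transitions, added = set(), set()
    for p, a, q in transitions:
        if a not in gamma:
            new_transitions.add((p, a, q))      # events outside gamma are kept as they are
            continue
        code, current = e[a], p
        for i, bit in enumerate(code):
            if i == len(code) - 1:
                target = q                      # the last bit enters the original target
            else:
                target = (p, code[: i + 1])     # intermediate state, shared by equal prefixes
                added.add(target)
            new_transitions.add((current, bit, target))
            current = target
    return new_transitions, e, added


def is_deterministic(transitions):
    """At most one transition per (state, event) pair."""
    seen = set()
    for p, a, _ in transitions:
        if (p, a) in seen:
            return False
        seen.add((p, a))
    return True


# Constructed instance of Fig. 2: state p has transitions a1, a2, a3 to s, r, q; the
# b-transition is outside gamma and must survive untouched.
FIG2 = {("p", "a1", "s"), ("p", "a2", "r"), ("p", "a3", "q"), ("s", "b", "p")}
ENCODED, E, ADDED = binary_encode_events(FIG2, {"a1", "a2", "a3"})

if __name__ == "__main__":
    print("encoding:", E)                        # a1 -> 00, a2 -> 01, a3 -> 10
    print("added states:", sorted(ADDED))        # (p, '0') and (p, '1'): the p_0 and p_1 of Fig. 2
    print("still deterministic:", is_deterministic(ENCODED))
```

The three chains leaving p need only two new states because a1 and a2 share the prefix 0; with k = 2 the original three observable events are replaced by the two events 0 and 1, which is how the lemma lets a reduction that introduced one extra observable event give it back.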
The language-based opacity problem consists of a DES G_LBO over Σ, a projection P: Σ* → Σ_o*, a secret language L_S ⊆ L(G), and a non-secret language L_NS ⊆ L(G). We transform it to a DES G_ISO in such a way that G_LBO is language-based opaque if and only if G_ISO is initial-state opaque.

Assume that the languages L_S and L_NS are represented by the non-blocking automata A_S = (Q_S, Σ_S, δ_S, I_S, F_S) and A_NS = (Q_NS, Σ_NS, δ_NS, I_NS, F_NS), respectively. Without loss of generality, we may assume that their sets of states are disjoint, that is, Q_S ∩ Q_NS = ∅. Our transformation proceeds in two steps:
1. We construct a DES G_ISO with one additional observable event @.
2. We use Lemma 2 to reduce the number of observable events of G_ISO by one.
Since the second step follows from Lemma 2, we only describe the first step, that is, the construction of G_ISO over Σ ∪ {@}, and the specification of the sets of secret states Q′_S and non-secret states Q′_NS. From the automata A_S and A_NS, we construct the automata G_S = (Q_S ∪ {x_S}, Σ_S, δ_S, I_S, Q_S ∪ {x_S}) and G_NS = (Q_NS ∪ {x_NS}, Σ_NS, δ_NS, I_NS, Q_NS ∪ {x_NS}) by adding two new states x_S and x_NS, and the following transitions, see Fig. 3 for an illustration of the construction:
– for every state q ∈ F_S, we add a new transition (q, @, x_S) to δ_S;
– for every state q ∈ F_NS, we add a new transition (q, @, x_NS) to δ_NS.
Let Q′_S = I_S denote the set of secret initial states of G_ISO, and let Q′_NS = I_NS denote the set of non-secret initial states of G_ISO. We extend the projection P to P′: (Σ ∪ {@})* → (Σ_o ∪ {@})*. Finally, let G_ISO denote the automata G_S and G_NS considered as a single NFA. Before we show that G_LBO is language-based opaque if and only if G_ISO is initial-state opaque, notice that the transformation can be done in polynomial time and that it preserves determinism.

Fig. 3
Transforming LBO to ISO. (The diagram shows A_S with states p, q, r and A_NS with states s, t, v forming G_LBO, and, after the transformation, the new states x_S and x_NS entered by the @-transitions from the marked states, forming G_ISO.)
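The first step of the transformation in code, as an added example written for this page (not the authors' code): lbo_to_iso builds G_ISO together with Q′_S and Q′_NS from A_S and A_NS, and generated_language_identity checks by enumeration the identity L(G_S) = L̄_S ∪ L_S@ on which the proof of Theorem 1 rests (for a non-blocking A_S, L̄_S = L(A_S)). The tuple representation of automata, the state names x_S and x_NS, and the constructed sample automata marking L_S = {ab} and L_NS = {ab, cb} are assumptions of the example.

```python
from itertools import product

# An automaton is a tuple (states, alphabet, transitions, initial, marked) with transitions a
# set of (p, a, q) triples; this representation is an assumption of the example.


def lbo_to_iso(A_S, A_NS, at="@"):
    """Build G_ISO (before the Lemma 2 step) from non-blocking automata A_S and A_NS that
    recognize L_S and L_NS.  Every original state is marked, the new states x_S and x_NS are
    entered by the fresh observable event @ from the marked states of A_S and A_NS, and the
    secret (non-secret) initial states of G_ISO are the initial states of A_S (A_NS)."""
    (QS, SigS, dS, IS, FS), (QNS, SigNS, dNS, INS, FNS) = A_S, A_NS
    assert not (QS & QNS), "state sets must be disjoint"
    assert at not in SigS | SigNS, "@ must be a new event"
    xS, xNS = "x_S", "x_NS"
    assert {xS, xNS}.isdisjoint(QS | QNS), "x_S and x_NS must be new states"
    transitions = set(dS) | set(dNS)
    transitions |= {(q, at, xS) for q in FS} | {(q, at, xNS) for q in FNS}
    states = QS | QNS | {xS, xNS}
    G_ISO = (states, SigS | SigNS | {at}, transitions, IS | INS, states)
    return G_ISO, frozenset(IS), frozenset(INS)


def run(transitions, starts, w):
    """The set delta(starts, w)."""
    current = set(starts)
    for a in w:
        current = {q for (p, b, q) in transitions if p in current and b == a}
    return current


def generates(A, starts, w):
    """w in L(A, starts)."""
    return bool(run(A[2], starts, w))


def marks(A, w):
    """w in L_m(A)."""
    return bool(run(A[2], A[3], w) & A[4])


def generated_language_identity(A_S, G_ISO, Q_S, max_len, at="@"):
    """Check L(G_S) = prefix-closure(L_S) ∪ L_S @ (proof of Theorem 1) by brute force on all
    strings over Sigma_S ∪ {@} of length at most max_len.  Because A_S is non-blocking, the
    prefix-closure of L_S is L(A_S); L(G_S) is read off G_ISO from the secret initial states."""
    alphabet = sorted(A_S[1] | {at})
    for n in range(max_len + 1):
        for w in product(alphabet, repeat=n):
            in_G = generates(G_ISO, Q_S, w)
            in_rhs = generates(A_S, A_S[3], w) or (n > 0 and w[-1] == at and marks(A_S, w[:-1]))
            if in_G != in_rhs:
                return False
    return True


# Constructed instance in the shape of Fig. 3: A_S marks L_S = {ab}, A_NS marks L_NS = {ab, cb};
# both are non-blocking (every state reaches a marked state).
A_S = ({"p", "q", "r"}, {"a", "b", "c"}, {("p", "a", "q"), ("q", "b", "r")}, {"p"}, {"r"})
A_NS = ({"s", "t", "v"}, {"a", "b", "c"},
        {("s", "a", "t"), ("s", "c", "t"), ("t", "b", "v")}, {"s"}, {"v"})
G_ISO, QS_PRIME, QNS_PRIME = lbo_to_iso(A_S, A_NS)

if __name__ == "__main__":
    print("states of G_ISO:", sorted(G_ISO[0]))
    print("secret / non-secret initial states:", set(QS_PRIME), set(QNS_PRIME))
    print("L(G_S) = prefix(L_S) ∪ L_S@ up to length 5:",
          generated_language_identity(A_S, G_ISO, QS_PRIME, 5))
```

The identity is what makes the @-transitions work: ab@ is generated from the secret initial state exactly because ab is marked by A_S, so the inclusion of projected generated languages that defines initial-state opacity of G_ISO says the same thing as P(L_S) ⊆ P(L_NS).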
Theorem 1
The DES G_LBO is language-based opaque with respect to L_S, L_NS, and P if and only if the DES G_ISO is initial-state opaque with respect to Q′_S, Q′_NS, and P′.

Proof We need to show that P(L_S) ⊆ P(L_NS) if and only if P′(L(G_S)) ⊆ P′(L(G_NS)). However, by construction, L(G_S) = L̄_S ∪ L_S@ and L(G_NS) = L̄_NS ∪ L_NS@, and hence P(L_S) ⊆ P(L_NS) if and only if P′(L(G_S)) ⊆ P′(L(G_NS)), which holds if and only if G_ISO is initial-state opaque. □
The second step of our construction, Lemma 2, requires that G_ISO has at least three observable events or, equivalently, that G_LBO has at least two observable events. Consequently, our transformation does not preserve the number of observable events if G_LBO has a single observable event. In fact, we show that no such transformation exists unless P = NP, which is a longstanding open problem of computer science. Deciding language-based opacity for systems with a single observable event is coNP-complete [14,27]. We show that deciding initial-state opacity for systems with a single observable event is NL-complete, and hence efficiently solvable on a parallel computer [2]. In particular, the problem can be solved in polynomial time.
Theorem 2
Deciding initial-state opacity for DESs with a single observable event is NL-complete.

Proof Deciding initial-state opacity is equivalent to checking the inclusion of two prefix-closed languages. Namely, a DES G with Σ_o = {a} is initial-state opaque with respect to secret states Q_S and non-secret states Q_NS if and only if K_S ⊆ K_NS for K_S = P(L(G, Q_S)) and K_NS = P(L(G, Q_NS)). Since the languages K_S and K_NS are prefix-closed, they are either finite, consisting of at most |Q| strings, or equal to {a}*.

To show that the problem belongs to NL, we show how to verify K_S ⊈ K_NS in nondeterministic logarithmic space. Then, since NL is closed under complement [16,28], deciding K_S ⊆ K_NS belongs to NL. Thus, to check that K_S ⊈ K_NS in nondeterministic logarithmic space, we guess k ∈ {0, …, |Q|} in binary, store it in logarithmic space, and verify that a^k ∈ K_S and a^k ∉ K_NS. To verify a^k ∈ K_S, we guess a path in G step by step, storing only the current state, and counting the number of steps by decreasing k by one in each step; logarithmic space is sufficient for this. Since a^k ∉ K_NS belongs to the complement of NL, which coincides with NL, we can check a^k ∉ K_NS in nondeterministic logarithmic space as well.

To show that deciding initial-state opacity for DESs with a single observable event is NL-hard, we reduce the DAG reachability problem [18]: given a DAG G = (V, E) and nodes s, t ∈ V, the problem asks whether t is reachable from s. From G, we construct a DES A = (V ∪ {i}, {a}, δ, {s, i}), where i is a new initial state and a is an observable event, as follows. With each node of G, we associate a state in A. Whenever there is an edge from j to k in G, we add an a-transition from j to k to A. We add a self-loop labeled by a to t and to i. The set of secret initial states is Q_S = {i} and the set of non-secret initial states is Q_NS = {s}. Then, A is initial-state opaque if and only if there is a path from s to t in G. Indeed, L(A, i) = {a}* is included in L(A, s) if and only if L(A, s) = {a}*, which holds if and only if t is reachable from s.
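Theorem 2 in code, as an added example that is not part of the paper: the inclusion K_S ⊆ K_NS of two prefix-closed unary languages reduces to comparing the lengths of their longest strings (infinite as soon as a cycle is reachable, since the language is then {a}*), and dag_to_des builds the DES of the NL-hardness reduction. The example assumes that its input is already the projected automaton over the single observable event a (delta maps a state to the set of its a-successors) and names the new initial state i.

```python
INFINITE = float("inf")


def unary_depth(delta, starts):
    """With a single observable event a, the projected language generated from `starts` is
    prefix-closed, so it is {a^0, ..., a^d} for some d or all of {a}*.  Returns d, the length
    of the longest string (-1 for the empty language), or INFINITE when a cycle is reachable.
    `delta` maps a state to the set of its a-successors in the projected automaton P(G)."""
    memo, on_path = {}, set()

    def longest(q):
        if q in memo:
            return memo[q]
        if q in on_path:                     # back edge: a^k is generated for every k
            return INFINITE
        on_path.add(q)
        best = 0
        for r in delta.get(q, ()):
            best = max(best, longest(r) + 1)
        on_path.discard(q)
        memo[q] = best                       # cycle-reachability does not depend on the path
        return best

    return max((longest(s) for s in starts), default=-1)


def unary_initial_state_opaque(delta, secret, nonsecret):
    """Theorem 2: K_S ⊆ K_NS for the prefix-closed unary languages K_S = P(L(G, Q_S)) and
    K_NS = P(L(G, Q_NS)), which amounts to comparing their depths."""
    return unary_depth(delta, secret) <= unary_depth(delta, nonsecret)


def dag_to_des(edges, s, t, new_initial="i"):
    """NL-hardness reduction of Theorem 2: the DAG nodes plus a new initial state i are the
    states, every edge becomes an a-transition, t and i carry an a-self-loop, the secret
    initial states are {i} and the non-secret initial states are {s}."""
    delta = {}
    for j, k in edges:
        delta.setdefault(j, set()).add(k)
    delta.setdefault(t, set()).add(t)
    delta.setdefault(new_initial, set()).add(new_initial)
    return delta, {new_initial}, {s}


def reachable_via_opacity(edges, s, t):
    """t is reachable from s in the DAG iff the constructed DES is initial-state opaque:
    L(A, i) = {a}* is included in L(A, s) exactly when s reaches the self-loop at t."""
    return unary_initial_state_opaque(*dag_to_des(edges, s, t))


if __name__ == "__main__":
    # constructed DAGs: in the first, s -> x -> t reaches t; in the second, t is unreachable
    print(reachable_via_opacity([("s", "x"), ("x", "t"), ("s", "y")], "s", "t"))   # True
    print(reachable_via_opacity([("s", "x"), ("y", "t")], "s", "t"))               # False
```

The depth comparison is the whole verification: a finite K_S of depth d is included in K_NS exactly when K_NS reaches depth d or is infinite, and an infinite K_S is included only in an infinite K_NS.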
(cid:117)(cid:116) The algorithmic complexity of deciding whether a given DES is language-based opaquewith respect to given secret and non-secret languages has been investigated in the literature.Lin [19] suggested an algorithm with the complexity 𝑂 ( 𝑛 ) , where 𝑛 is the order of thestate spaces of the automata representing the secret and non-secret languages. The samecomplexity has been achieved by Wu and Lafortune [29] using the transformation to current-state opacity. We improve this complexity. Theorem 3
The time complexity of deciding whether a DES $G$ is language-based opaque with respect to a projection $P$, a secret language $L_S \subseteq L(G)$, and a non-secret language $L_{NS} \subseteq L(G)$ is $O(m\ell 2^{n_2} + n_1 2^{n_2})$, where $n_1$ is the number of states of the automaton recognizing $L_S$, $n_2$ is the number of states of the automaton recognizing $L_{NS}$, $m \le \ell n_1^2$ is the number of transitions of an NFA recognizing $P(L_S)$, and $\ell$ is the number of observable events.

Proof Let $G_S$ and $G_{NS}$ be automata recognizing $L_S$ and $L_{NS}$ with $n_1$ and $n_2$ states, respectively. Then $P(L_S) \subseteq P(L_{NS})$ if and only if $P(L_S) \cap \text{co-}P(L_{NS}) = \emptyset$, where $\text{co-}P(L_{NS})$ stands for $\Sigma^* - P(L_{NS})$. We represent $P(L_S)$ by the projected automaton $P(G_S)$ with $m$ transitions and at most $n_1$ states, and $\text{co-}P(L_{NS})$ by the complement of the observer of $G_{NS}$, denoted by $\text{co-}G^{obs}_{NS}$, which has at most $2^{n_2}$ states and $\ell 2^{n_2}$ transitions. The problem is now equivalent to checking whether the language of $P(G_S) \cap \text{co-}G^{obs}_{NS}$ is empty, which means searching the structure for a reachable marked state. Since $P(G_S)$ has at most $n_1$ states and $m \le \ell n_1^2$ transitions, the structure has $O(m\ell 2^{n_2} + n_1 2^{n_2})$ transitions and states, which completes the proof. □

Fig. 4 Transforming CSO to INSO.
We first focus on the transformation from current-state opacity to infinite-step opacity. The problem of deciding current-state opacity consists of a DES $G_{CSO} = (Q, \Sigma, \delta, I)$, a projection $P\colon \Sigma^* \to \Sigma_o^*$, a set of secret states $Q_S \subseteq Q$, and a set of non-secret states $Q_{NS} \subseteq Q$. From $G_{CSO}$, we construct a DES $G_{INSO}$ over the alphabet $\Sigma \cup \{u\}$, where $u$ is a new unobservable event. Specifically, we construct $G_{INSO} = (Q \cup \{q^*\}, \Sigma \cup \{u\}, \delta', I)$ from $G_{CSO}$ by adding a new state $q^*$ that is neither secret nor non-secret, and by defining $\delta'$ as follows, see Fig. 4 for an illustration:

1. $\delta' = \delta$;
2. for each state $q \in Q_{NS}$, we add a transition $(q, u, q^*)$ to $\delta'$;
3. for each $a \in \Sigma$, we add a self-loop $(q^*, a, q^*)$ to $\delta'$.

We extend the projection $P$ to the projection $P'\colon (\Sigma \cup \{u\})^* \to \Sigma_o^*$. The sets $Q_S$ and $Q_{NS}$ remain unchanged.

Notice that the transformation preserves the number of observable events and determinism, and that it requires only logarithmic space. It remains to show that $G_{CSO}$ is current-state opaque if and only if $G_{INSO}$ is infinite-step opaque.
Theorem 4
The DES $G_{CSO}$ is current-state opaque with respect to $Q_S$, $Q_{NS}$, and $P$ if and only if the DES $G_{INSO}$ is infinite-step opaque with respect to $Q_S$, $Q_{NS}$, and $P'$.

Proof Assume first that $G_{CSO}$ is not current-state opaque. Since the new state $q^*$ is neither secret nor non-secret, we have that $G_{INSO}$ is not current-state opaque either. Consequently, $G_{INSO}$ is not infinite-step opaque.

On the other hand, assume that $G_{CSO}$ is current-state opaque. Since the new state $q^*$ is neither secret nor non-secret, we have that $G_{INSO}$ is current-state opaque as well. Let $st \in L(G_{INSO})$ be such that $\delta'(\delta'(I, s) \cap Q_S, t) \ne \emptyset$; in particular, $\delta'(I, s) \cap Q_S \ne \emptyset$. Then, since $G_{INSO}$ is current-state opaque, there exists $s' \in L(G_{INSO})$ such that $P(s') = P(s)$ and $\delta'(I, s') \cap Q_{NS} \ne \emptyset$. By construction, $s'$ can be extended by the string $ut$ using the transitions to state $q^*$ followed by self-loops in state $q^*$. Therefore, $\delta'(\delta'(I, s') \cap Q_{NS}, ut) \ne \emptyset$ and $P'(st) = P'(s'ut)$, which shows that $G_{INSO}$ is infinite-step opaque. □
Our transformation further reveals that the difference between current-state opacity and infinite-step opacity is very minor from the structural point of view.

Fig. 5 Transforming INSO to CSO.
Transforming infinite-step opacity to current-state opacity is technically more involved. The problem of deciding infinite-step opacity consists of a DES $G_{INSO} = (Q, \Sigma, \delta, I)$, a projection $P\colon \Sigma^* \to \Sigma_o^*$, a set of secret states $Q_S \subseteq Q$, and a set of non-secret states $Q_{NS} \subseteq Q$. From $G_{INSO}$, we construct a DES $G_{CSO}$ in the following two steps:

1. We construct a DES $G_{CSO}$ such that $G_{CSO}$ is current-state opaque if and only if $G_{INSO}$ is infinite-step opaque. In this step of the construction, $G_{CSO}$ has one observable event more than $G_{INSO}$.
2. To reduce the number of observable events by one, we apply Lemma 2. Consequently, the resulting DES has the same number of observable events as $G_{INSO}$, if $G_{INSO}$ has at least two observable events, is deterministic if and only if $G_{CSO}$ is, and is current-state opaque if and only if $G_{CSO}$ is.

We now describe the construction of $G_{CSO} = (Q \cup Q^+ \cup Q^-, \Sigma \cup \{@\}, \delta', I)$, where $Q^+ = \{q^+ \mid q \in Q\}$, $Q^- = \{q^- \mid q \in Q\}$, and $@$ is a new observable event. To this end, we first make two disjoint copies of $G_{INSO}$, denoted by $G_S$ and $G_{NS}$, where the set of states of $G_S$ is denoted by $Q'_S = Q^+$ and the set of states of $G_{NS}$ is denoted by $Q'_{NS} = Q^-$. The DES $G_{CSO}$ is taken as the disjoint union of the automata $G_{INSO}$, $G_S$, and $G_{NS}$, see Fig. 5 for an illustration. Furthermore, for every state $q \in Q_S$, we add the transition $(q, @, q^+)$ and, for every state $q \in Q_{NS}$, we add the transition $(q, @, q^-)$. The set of secret states of $G_{CSO}$ is $Q'_S$ and the set of non-secret states of $G_{CSO}$ is $Q'_{NS}$. We extend the projection $P$ to $P'\colon (\Sigma \cup \{@\})^* \to (\Sigma_o \cup \{@\})^*$.

Notice that $G_{CSO}$ is deterministic if and only if $G_{INSO}$ is, and that logarithmic space is sufficient for the construction of $G_{CSO}$. As already pointed out, however, the construction does not preserve the number of observable events, which requires the second step of the construction using Lemma 2 as described above.

We now show that $G_{INSO}$ is infinite-step opaque if and only if $G_{CSO}$ is current-state opaque.
Theorem 5
The DES $G_{INSO}$ is infinite-step opaque with respect to $Q_S$, $Q_{NS}$, and $P$ if and only if the DES $G_{CSO}$ is current-state opaque with respect to $Q'_S$, $Q'_{NS}$, and $P'\colon (\Sigma \cup \{@\})^* \to (\Sigma_o \cup \{@\})^*$.

Proof Assume that $G_{INSO}$ is infinite-step opaque. We show that $G_{CSO}$ is current-state opaque. To this end, consider a string $w$ such that $\delta'(I, w) \cap Q'_S \ne \emptyset$. We want to show that there exists $w'$ such that $P'(w) = P'(w')$ and $\delta'(I, w') \cap Q'_{NS} \ne \emptyset$. However, since $Q'_S = Q^+$, $w$ is of the form $w_1 @ w_2$ and, by the construction, $\delta(I, w_1)$ contains a secret state of $G_{INSO}$. Because $w_2$ can be read in the copy of $G_{INSO}$ from a state $q^+$ for a state $q \in \delta(I, w_1) \cap Q_S$, we further have that $\delta(I, w_1 w_2) \ne \emptyset$. Altogether, $\delta(\delta(I, w_1) \cap Q_S, w_2) \ne \emptyset$ and the fact that $G_{INSO}$ is infinite-step opaque imply that there exists a string $w'_1 w'_2 \in L(G_{INSO})$ such that $P(w_1) = P(w'_1)$, $P(w_2) = P(w'_2)$, and $\delta(\delta(I, w'_1) \cap Q_{NS}, w'_2) \ne \emptyset$. Let $w' = w'_1 @ w'_2$. Then $P'(w) = P'(w')$ and, by the construction, $\emptyset \ne \delta'(\delta'(I, w'_1 @) \cap Q'_{NS}, w'_2) \subseteq Q'_{NS}$, which completes the proof.

On the other hand, assume that $G_{INSO}$ is not infinite-step opaque, that is, there exists a string $st \in L(G_{INSO})$ such that $\delta(\delta(I, s) \cap Q_S, t) \ne \emptyset$ and, for every $s't' \in L(G_{INSO})$ with $P(s) = P(s')$ and $P(t) = P(t')$, $\delta(\delta(I, s') \cap Q_{NS}, t') = \emptyset$. But then for $s @ t \in L(G_{CSO})$, we have that $\emptyset \ne \delta'(\delta'(I, s@) \cap Q'_S, t) = \delta'(I, s@t) \subseteq Q'_S$ and, for every $s' @ t' \in L(G_{CSO})$ such that $P'(s@t) = P'(s'@t')$, we have that $\delta'(I, s'@t') \cap Q'_{NS} = \delta'(\delta'(I, s'@) \cap Q'_{NS}, t') = \emptyset$, which shows that $G_{CSO}$ is not current-state opaque. □
To preserve the number of observable events, our transformation of infinite-step opacity to current-state opacity relies on Lemma 2. This lemma requires at least two observable events in $G_{INSO}$, and hence it is not applicable to systems with a single observable event. For these systems, we provide a different transformation that requires adding at most a quadratic number of new states.

The problem of deciding infinite-step opacity for systems with a single observable event consists of a DES $G_{INSO} = (Q, \Sigma, \delta, I)$ with $\Sigma_o = \{a\}$, a set of secret states $Q_S \subseteq Q$, a set of non-secret states $Q_{NS} \subseteq Q$, and a projection $P\colon \Sigma^* \to \{a\}^*$. We denote the number of states of $G_{INSO}$ by $n$, and define a function $\varphi\colon Q \to \{0, \ldots, n\}$ that assigns, to every state $q$, the maximal number $k \in \{0, \ldots, n\}$ of observable steps that are possible from state $q$; formally,
$$\varphi(q) = \max\{k \in \{0, \ldots, n\} \mid \delta(q, P^{-1}(a^k)) \ne \emptyset\}.$$

From $G_{INSO}$, we construct a DES $G_{CSO} = (Q', \Sigma, \delta', I)$ as illustrated in Fig. 6, where $\delta'$ is initialized as $\delta$ and modified as follows. For every state $p \in Q$ with $\varphi(p) > 0$, we add $n$ new states $p_1, \ldots, p_n$ to $Q'$ and $n$ new transitions $(p, a, p_1)$ and $(p_i, a, p_{i+1})$, for $i = 1, \ldots, n-1$, to $\delta'$. Finally, we replace every transition $(p, a, r)$ in $\delta'$ by the transition $(p_n, a, r)$. Notice that the transformation requires adding at most $n^2$ states, and hence it can be done in polynomial time. Let $Q'_S = Q_S$ and $Q'_{NS} = Q_{NS}$. For every state $p \in Q_S$ with $\varphi(p) = k > 0$, we add the corresponding states $p_1, \ldots, p_k$ to $Q'_S$. Analogously, for $p \in Q_{NS}$ with $\varphi(p) = k > 0$, we add $p_1, \ldots, p_k$ to $Q'_{NS}$.

Notice that the transformation can be done in polynomial time, preserves the number of observable events, and determinism. However, whether the transformation can be done in logarithmic space is open. Even if the DES had no unobservable event, determining whether $\varphi(\cdot) = n$ is equivalent to the detection of a cycle. The detection of a cycle is NL-hard: we can reduce the DAG reachability problem as follows. Given a DAG $G$ and two nodes $s$ and $t$, we construct a DES $\mathcal{G}$ by associating a state with every node of $G$ and an $a$-transition with every edge of $G$. Finally, we add an $a$-transition from $t$ to $s$. Then $t$ is reachable from $s$ in $G$ if and only if $\mathcal{G}$ contains a cycle. Since it is an open problem whether $L = NL$, it is an open problem whether $\varphi$ can be computed in deterministic logarithmic space.

Fig. 6 Transforming INSO to CSO for systems with a single observable event.

We show that $G_{INSO}$ is infinite-step opaque if and only if $G_{CSO}$ is current-state opaque.
Theorem 6
The DES $G_{INSO}$ with a single observable event is infinite-step opaque with respect to $Q_S$, $Q_{NS}$, and $P$ if and only if the DES $G_{CSO}$ is current-state opaque with respect to $Q'_S$, $Q'_{NS}$, and $P$.

Proof Assume that $G_{INSO}$ is not infinite-step opaque. Then, there exists $st \in L(G_{INSO})$ with $\delta(\delta(I, s) \cap Q_S, t) \ne \emptyset$ such that $\delta(\delta(I, P^{-1}P(s)) \cap Q_{NS}, P^{-1}P(t)) = \emptyset$. Let $f\colon \Sigma^* \to \Sigma^*$ be a morphism such that $f(a) = a^{n+1}$ and $f(b) = b$, for $a \ne b \in \Sigma$. Then, by construction, $\delta(I, s) = \delta'(I, f(s))$, and hence $\delta'(I, f(s)) \cap Q'_S \ne \emptyset$. If $\delta(I, P^{-1}P(s)) \cap Q_{NS} = \emptyset$, then $\delta'(I, f(P^{-1}P(s))) \cap Q'_{NS} = \emptyset$ because $\delta(I, s') = \delta'(I, f(s'))$ for any $s' \in P^{-1}P(s)$, and $G_{CSO}$ is not current-state opaque. Otherwise, we denote by $q_s \in \delta(I, s) \cap Q_S$ and $q_{ns} \in \delta(I, P^{-1}P(s)) \cap Q_{NS}$ the states with maximal $\varphi(q_s)$ and $\varphi(q_{ns})$. Since $G_{INSO}$ is not infinite-step opaque, $\varphi(q_s) > \varphi(q_{ns})$. Then, in $G_{CSO}$, $q_s$ has exactly one outgoing observable transition and is followed by $\varphi(q_s) = k$ secret states, while $q_{ns}$ is followed by $\varphi(q_{ns}) < k$ non-secret states. Therefore, $\delta'(I, f(s) a^k) \cap Q'_S \ne \emptyset$ and $\delta'(I, f(s') a^k) \cap Q'_{NS} = \emptyset$ for any $s' \in P^{-1}P(s)$, and hence $G_{CSO}$ is not current-state opaque.

On the other hand, assume that $G_{INSO}$ is infinite-step opaque, and that $\delta'(I, w) \cap Q'_S \ne \emptyset$. We show that $\delta'(I, P^{-1}P(w)) \cap Q'_{NS} \ne \emptyset$. Consider a state $q_s \in \delta'(I, w) \cap Q'_S$ and a path $\pi$ in $G_{CSO}$ leading to $q_s$ under $w$. Denote by $p$ the last state of $\pi$ that corresponds to a state of $G_{INSO}$; that is, $p$ is not a new state added by the construction of $G_{CSO}$. Since $q_s \in Q'_S$, we have, by construction, that $p \in Q_S$. Then the choice of $p$ partitions $w = uv$, where $u$, read along the path $\pi$, leads to state $p$, and $v = a^\ell$ is a suffix of length $\ell \le n$. Let $u'$ be a string such that $f(u') = u$. Then $p \in \delta(I, u') \cap Q_S$. Since $\varphi(p) \ge \ell$, there exists $t$ such that $P(t) = a^\ell$ and $\delta(\delta(I, u') \cap Q_S, t) \ne \emptyset$ in $G_{INSO}$. Then infinite-step opacity of $G_{INSO}$ implies that there exist $u''$ and $t'$ such that $P(u') = P(u'')$, $P(t) = P(t')$, and $\delta(\delta(I, u'') \cap Q_{NS}, t') \ne \emptyset$. In particular, there is a state $q_{ns} \in \delta(I, u'') \cap Q_{NS}$ with $\varphi(q_{ns}) \ge \ell$, and $\delta'(I, f(u'')) \cap Q'_{NS} \ne \emptyset$. Therefore, $\delta'(I, f(u'') a^\ell) \cap Q'_{NS} \ne \emptyset$ and $P(f(u'') a^\ell) = P(uv) = P(w)$, which completes the proof. □

Let $G = (Q, \Sigma, \delta, I, F)$ be an automaton. We design an algorithm deciding infinite-step opacity in time $O((n + m\ell) 2^n)$, where $\ell = |\Sigma_o|$ is the number of observable events, $n$ is the number of states of $G$, and $m$ is the number of transitions of $P(G)$, $m \le \ell n^2$.

To decide whether $G$ is infinite-step opaque with respect to $Q_S, Q_{NS} \subseteq Q$, and $P\colon \Sigma^* \to \Sigma_o^*$, we proceed as follows:

1. We compute the observer $G^{obs}$ of $G$ in time $O(\ell 2^n)$ [8];
2. We compute the projected automaton $P(G)$ of $G$ in time $O(m + n)$ [15];
3. We compute the product automaton $\mathcal{C} = P(G) \times G^{obs}$ in time $O((m + n) \cdot \ell 2^n)$ [10]; the states of $\mathcal{C}$ are of the form $Q \times 2^Q$;
4. For every state $X$ of $G^{obs}$, we compute $X_S = X \cap Q_S$ and $X_{NS} = X \cap Q_{NS}$;
   (a) If $X_S \ne \emptyset$ and $X_{NS} = \emptyset$, then $G$ is not infinite-step opaque; this is, actually, the standard check whether $G$ is current-state opaque;
   (b) Otherwise, for every state $x \in X_S$, we add a transition from $X$ under $@$ to the state $(x, X_{NS})$ of $\mathcal{C}$, and we add the state $(x, X_{NS})$ to the set $Y$;
5. If $\mathcal{C}$ contains a state of the form $(a, \emptyset)$ reachable from $Y$, then $G$ is not infinite-step opaque; otherwise, $G$ is infinite-step opaque.

Informally, we first make use of the standard check in the observer of $G$ whether $G$ is current-state opaque. If it is not, then it is not infinite-step opaque either. Otherwise, for every state $X$ of the observer of $G$ that contains both secret and non-secret states, we add a transition under the new event $@$ to a pair consisting of a secret state $x \in X$ and the set $X_{NS}$ of all non-secret states of $X$. If a state of the form $(a, \emptyset)$ is reachable from $(x, X_{NS})$, then $G$ is not infinite-step opaque. Otherwise, $G$ is infinite-step opaque. We now formally prove correctness.

Lemma 3
Automaton $G$ is infinite-step opaque if and only if $G$ is current-state opaque and no state of the form $(a, \emptyset)$ is reachable in $\mathcal{C}$ from the set $Y$.

Proof Assume that $G$ is not infinite-step opaque. Then, there exists $st \in L(G)$ such that $\delta(\delta(I, s) \cap Q_S, t) \ne \emptyset$ and $\delta(\delta(I, P^{-1}P(s)) \cap Q_{NS}, P^{-1}P(t)) = \emptyset$. There are two cases: (i) either $\delta(I, P^{-1}P(s)) \cap Q_{NS} = \emptyset$, in which case $G$ is neither current-state opaque nor infinite-step opaque, and the algorithm detects this situation in the observer of $G$ on line 4(a); or (ii) $\delta(I, P^{-1}P(s)) \cap Q_{NS} = Z \ne \emptyset$. In this case, $P(s)@$ leads from the observer of $G$ to the pairs $(\delta(I, P^{-1}P(s)) \cap Q_S) \times \{Z\}$ of the NFA $\mathcal{C}$. Since $\delta(I, st) \ne \emptyset$, there exists $(z, Z) \in (\delta(I, P^{-1}P(s)) \cap Q_S) \times \{Z\}$ such that $P(t)$ leads the projected automaton $P(G)$ from state $z$ to a state $a$. However, $\delta(Z, P^{-1}P(t)) = \emptyset$ implies that $P(t)$ leads the observer of $G$ from state $Z$ to state $\emptyset$, and hence the pair $(a, \emptyset)$ is reachable in $\mathcal{C}$ from a state of $Y$.

On the other hand, if $G$ is infinite-step opaque, then it is current-state opaque, and we show that no state of the form $(a, \emptyset)$ is reachable in $\mathcal{C}$ from a state of $Y$. For the sake of contradiction, assume that a state of the form $(a, \emptyset)$ is reachable in $\mathcal{C}$ from a state of $Y$. Then, there must be a string $s$ such that $P(s)$ reaches a state $X$ in the observer of $G$ such that $X_S = X \cap Q_S$ contains a state $z$, $X \cap Q_{NS} = Z \ne \emptyset$, there is a transition under $@$ from $X$ to the pair $(z, Z)$ of $\mathcal{C}$, and the NFA $\mathcal{C}$ reaches state $(a, \emptyset)$ from $(z, Z)$ under a string $w$. In particular, there must be a string $t \in P^{-1}(w)$ that moves $G$ from state $z$ to state $a$. But then $\delta(\delta(I, s) \cap Q_S, t) \ne \emptyset$ and $\delta(\delta(I, P^{-1}P(s)) \cap Q_{NS}, P^{-1}(w)) = \emptyset$, which means that $G$ is not infinite-step opaque, a contradiction. □

Since our algorithm constructs and searches the NFA $\mathcal{C}$ that has $O(n 2^n)$ states and $O(m\ell 2^n)$ transitions, the overall time complexity of our algorithm is $O((n + m\ell) 2^n)$.

Fig. 7 Transforming CSO to K-SO.
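The following Python is an added example, not code from the paper: it runs steps 1 to 5 of the infinite-step algorithm above (observer walk with the current-state check 4(a), the set $Y$ of 4(b), and the search of $\mathcal{C}$ for a pair $(a, \emptyset)$) on two constructed automata. It goes beyond the passage in two ways: an optional bound `K` cuts the search after $K$ observable steps, which is the effect of the product with the DFA for $\Sigma_o^K$ in the K-step algorithm given later on the page, and `cso_to_inso` realizes the construction of Theorem 4 so that the claimed equivalence can be checked on an instance. All names (`DES`, `step_opaque`, `cso_to_inso`, `G1`, `G2`) are mine.

```python
from collections import deque


class DES:
    """Nondeterministic automaton G = (Q, Sigma, delta, I) with observable
    alphabet Sigma_o; delta maps (state, event) to the set of target states."""

    def __init__(self, delta, init, observable):
        self.delta = {k: frozenset(v) for k, v in delta.items()}
        self.I = frozenset(init)
        self.So = frozenset(observable)
        self.Suo = {e for (_, e) in self.delta} - self.So  # unobservable events

    def succ(self, states, e):
        """delta(states, e) for a single event e."""
        return {t for q in states for t in self.delta.get((q, e), ())}

    def ur(self, states):
        """Unobservable reach: close the set under all unobservable events."""
        seen, stack = set(states), list(states)
        while stack:
            q = stack.pop()
            for e in self.Suo:
                for t in self.delta.get((q, e), frozenset()) - seen:
                    seen.add(t)
                    stack.append(t)
        return frozenset(seen)

    def step(self, states, e):
        """States reached from `states` by a string whose projection is the
        single observable event e: one step of the observer G_obs and, for a
        singleton {x}, one step of the projected automaton P(G) from x."""
        return self.ur(self.succ(self.ur(states), e))


def step_opaque(G, QS, QNS, K=None):
    """Decide infinite-step opacity (K is None) or K-step opacity of G with
    respect to secret states QS and non-secret states QNS.
    Returns (True, None) if opaque, otherwise (False, reason)."""
    QS, QNS = frozenset(QS), frozenset(QNS)
    # Steps 1 and 4: walk the reachable observer states; 4(a) is the
    # current-state opacity check, 4(b) collects the set Y of product states.
    X0 = G.ur(G.I)
    seen, queue, Y = {X0}, deque([X0]), []
    while queue:
        X = queue.popleft()
        XS, XNS = X & QS, X & QNS
        if XS and not XNS:
            return False, f"not current-state opaque: estimate {set(X)} is all secret"
        Y.extend((x, XNS) for x in XS)  # targets of the @-transitions
        for e in G.So:
            X2 = G.step(X, e)
            if X2 and X2 not in seen:
                seen.add(X2)
                queue.append(X2)
    # Step 5: search C = P(G) x G_obs from Y for a state (a, {}). With K set,
    # the search stops after K observable steps (the DFA for Sigma_o^K).
    seen = set(Y)
    queue = deque((x, Z, 0) for x, Z in Y)
    while queue:
        x, Z, d = queue.popleft()
        if K is not None and d >= K:
            continue
        for e in G.So:
            Z2 = G.step(Z, e)  # non-secret estimate after one more observation
            for x2 in G.step({x}, e):
                if not Z2:
                    return False, f"secret state {x} is revealed {d + 1} step(s) later"
                if (x2, Z2) not in seen:
                    seen.add((x2, Z2))
                    queue.append((x2, Z2, d + 1))
    return True, None


def cso_to_inso(G, QNS, qstar="q*", u="u"):
    """The CSO -> INSO transformation of Theorem 4 (names qstar and u are
    mine): a fresh state q* that is neither secret nor non-secret, an
    unobservable u-transition into q* from every non-secret state, and a
    self-loop on q* for every event of Sigma."""
    delta = {k: set(v) for k, v in G.delta.items()}
    for q in QNS:
        delta.setdefault((q, u), set()).add(qstar)
    for e in G.So | G.Suo:
        delta.setdefault((qstar, e), set()).add(qstar)
    return DES(delta, G.I, G.So)


# Constructed sample: after observing "a" the estimate {1, 2} mixes a secret
# and a non-secret state, so G1 is current-state opaque, but only the secret
# branch can continue with "b": the observation "ab" reveals the past secret.
G1 = DES({(0, "a"): {1, 2}, (1, "b"): {3}, (2, "c"): {4}},
         init={0}, observable={"a", "b", "c"})
# G2 repairs this with an unobservable u: 2 -u-> 5 -b-> 4 also yields "ab".
G2 = DES({(0, "a"): {1, 2}, (1, "b"): {3}, (2, "u"): {5}, (5, "b"): {4}},
         init={0}, observable={"a", "b"})

if __name__ == "__main__":
    for name, G in (("G1", G1), ("G2", G2), ("G1 -> INSO", cso_to_inso(G1, {2}))):
        for K in (None, 0, 1):
            print(name, "K =", K, step_opaque(G, QS={1}, QNS={2}, K=K))
```

With `K=0` the procedure reduces to the current-state check of step 4(a), so `G1` passes it while failing the infinite-step check, which is exactly the gap Theorem 4 closes.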
The transformation from current-state opacity to K-step opacity is analogous to the transformation from current-state opacity to infinite-step opacity of Section 4.2.1. Intuitively, the modification is that we need to make only $K$ observable steps from any non-secret state instead of infinitely many such steps.

The problem of deciding current-state opacity consists of a DES $G_{CSO} = (Q, \Sigma, \delta, I)$, a projection $P\colon \Sigma^* \to \Sigma_o^*$, a set of secret states $Q_S \subseteq Q$, and a set of non-secret states $Q_{NS} \subseteq Q$. For a given $K \in \mathbb{N}$, from $G_{CSO}$, we construct a DES $G_{K\text{-}SO} = (Q \cup Q^*, \Sigma \cup \{u\}, \delta', I)$, where $u$ is a new unobservable event, by adding $K+1$ new states $Q^* = \{q^*_0, \ldots, q^*_K\}$ that are neither secret nor non-secret, and by defining $\delta'$ as follows, see Fig. 7 for an illustration:

1. $\delta' = \delta$;
2. for every state $q \in Q_{NS}$, we add the transition $(q, u, q^*_0)$ to $\delta'$;
3. for $i = 0, \ldots, K-1$ and $a \in \Sigma_o$, we add the transition $(q^*_i, a, q^*_{i+1})$ to $\delta'$.

We extend the projection $P$ to the projection $P'\colon (\Sigma \cup \{u\})^* \to \Sigma_o^*$. The sets $Q_S$ and $Q_{NS}$ remain unchanged.
Theorem 7
The DES $G_{CSO}$ is current-state opaque with respect to $Q_S$, $Q_{NS}$, and $P$ if and only if the DES $G_{K\text{-}SO}$ is K-step opaque with respect to $Q_S$, $Q_{NS}$, $P'$, and $K$.

Proof Assume first that $G_{CSO}$ is not current-state opaque. Since the new states $q^*_0, \ldots, q^*_K$ are neither secret nor non-secret, $G_{K\text{-}SO}$ is not current-state opaque either, and hence $G_{K\text{-}SO}$ is not K-step opaque.

On the other hand, assume that $G_{CSO}$ is current-state opaque. Since the new states $q^*_0, \ldots, q^*_K$ are neither secret nor non-secret, $G_{K\text{-}SO}$ is current-state opaque as well. Let $st \in L(G_{K\text{-}SO})$ be such that $|P(t)| \le K$ and $\delta'(\delta'(I, s) \cap Q_S, t) \ne \emptyset$. Then,  since $G_{K\text{-}SO}$ is current-state opaque, there is $s' \in P^{-1}P(s)$ such that $\delta'(I, s') \cap Q_{NS} \ne \emptyset$. By construction, we can extend $s'$ by the string $uP(t)$ using the transitions through the new states $q^*_0, \ldots, q^*_K$, that is, $\delta'(\delta'(I, s') \cap Q_{NS}, uP(t)) \ne \emptyset$, and hence $G_{K\text{-}SO}$ is K-step opaque. □

Fig. 8 Transforming K-SO to CSO.
Transforming K-step opacity to current-state opacity is again similar to the transformation of infinite-step opacity to current-state opacity. Again, we only need to check $K$ subsequent steps instead of all the subsequent steps. The problem of deciding K-step opacity consists of a DES $G_{K\text{-}SO} = (Q, \Sigma, \delta, I)$, a projection $P\colon \Sigma^* \to \Sigma_o^*$, a set of secret states $Q_S \subseteq Q$, and a set of non-secret states $Q_{NS} \subseteq Q$. From $G_{K\text{-}SO}$, we construct a DES $G_{CSO}$ in the following two steps:

1. We construct a DES $G_{CSO}$ such that $G_{CSO}$ is current-state opaque if and only if $G_{K\text{-}SO}$ is K-step opaque. In this step of the construction, $G_{CSO}$ has one observable event more than $G_{K\text{-}SO}$.
2. To reduce the number of observable events by one, we apply Lemma 2. Consequently, the resulting DES has the same number of observable events as $G_{K\text{-}SO}$, if $G_{K\text{-}SO}$ has at least two observable events, is deterministic if and only if $G_{CSO}$ is, and is current-state opaque if and only if $G_{CSO}$ is.

We now describe the construction of $G_{CSO} = (Q \cup Q^+ \cup Q^- \cup Q^*, \Sigma \cup \{u, @\}, \delta', I)$, where $Q^+ = \{q^+ \mid q \in Q\}$, $Q^- = \{q^- \mid q \in Q\}$, $Q^* = \{q^*_0, \ldots, q^*_{K+1}\}$, $@$ is a new observable event, and $u$ is a new unobservable event. To this end, we first make two disjoint copies of $G_{K\text{-}SO}$, denoted by $G^+$ and $G^-$, where the set of states of $G^+$ is denoted by $Q^+$ and the set of states of $G^-$ is denoted by $Q^-$. The DES $G_{CSO}$ is now taken as the disjoint union of the automata $G_{K\text{-}SO}$, $G^+$, and $G^-$, see Fig. 5 for an illustration. We now add $K+2$ new states $q^*_0, \ldots, q^*_{K+1}$ to $G_{CSO}$ and the following transitions. For every state $q \in Q_S$, we add the transition $(q, @, q^+)$; for every state $q \in Q_{NS}$, we add the transition $(q, @, q^-)$; for every $q^- \in Q^-$, we add the transition $(q^-, u, q^*_0)$; for every $a \in \Sigma_o$ and $i = 0, \ldots, K$, we add the transition $(q^*_i, a, q^*_{i+1})$; and, finally, we add the self-loop $(q^*_{K+1}, a, q^*_{K+1})$ for every $a \in \Sigma_o$. The set of secret states of $G_{CSO}$ is $Q'_S = Q^+$ and the set of non-secret states of $G_{CSO}$ is $Q'_{NS} = \{q^*_0, q^*_{K+1}\}$. We extend the projection $P$ to $P'\colon (\Sigma \cup \{@, u\})^* \to (\Sigma_o \cup \{@\})^*$.

Notice that $G_{CSO}$ is deterministic if and only if $G_{K\text{-}SO}$ is, and that logarithmic space is sufficient for the construction of $G_{CSO}$. However, as already pointed out, the construction does not preserve the number of observable events, which requires the second step of the construction using Lemma 2.

We now show that $G_{K\text{-}SO}$ is K-step opaque if and only if $G_{CSO}$ is current-state opaque.
Theorem 8
The DES $G_{K\text{-}SO}$ is K-step opaque with respect to $Q_S$, $Q_{NS}$, and $P$ if and only if the DES $G_{CSO}$ is current-state opaque with respect to $Q'_S$, $Q'_{NS}$, and $P'\colon (\Sigma \cup \{@, u\})^* \to (\Sigma_o \cup \{@\})^*$.

Proof Assume that $G_{K\text{-}SO}$ is K-step opaque. We show that $G_{CSO}$ is current-state opaque. To this end, consider a string $w$ such that $\delta'(I, w) \cap Q'_S \ne \emptyset$. We want to show that there exists $w' \in P'^{-1}P'(w)$ such that $\delta'(I, w') \cap Q'_{NS} \ne \emptyset$. However, since $Q'_S = Q^+$, $w$ is of the form $w_1 @ w_2$ and, by the construction, $\delta(I, w_1)$ contains a secret state of $G_{K\text{-}SO}$. Since $G_{K\text{-}SO}$ is K-step opaque, there exists a string $w'_1 \in P^{-1}P(w_1)$ such that $\delta(I, w'_1) \cap Q_{NS} \ne \emptyset$. Then, because $w_2$ can be read in the copy of $G_{K\text{-}SO}$ from a state $q^+$ for a state $q \in \delta(I, w_1) \cap Q_S$, we further have that $\delta(\delta(I, w_1) \cap Q_S, w_2) \ne \emptyset$. If $|P(w_2)| \le K$, then K-step opacity of $G_{K\text{-}SO}$ implies that there exists a string $w''_1 w''_2 \in L(G_{K\text{-}SO})$ such that $P(w''_1) = P(w_1)$, $P(w''_2) = P(w_2)$, and $\delta(\delta(I, w''_1) \cap Q_{NS}, w''_2) \ne \emptyset$. By construction, $q^*_0 \in \delta'(\delta'(I, w''_1 @) \cap Q^-, w''_2 u)$, and hence $G_{CSO}$ is current-state opaque. If $|P(w_2)| > K$, then $q^*_{K+1} \in \delta'(\delta'(I, w'_1 @) \cap Q^-, uP(w_2))$, and hence $G_{CSO}$ is current-state opaque.

On the other hand, assume that $G_{K\text{-}SO}$ is not K-step opaque, that is, there exists a string $st \in L(G_{K\text{-}SO})$ such that $|P(t)| \le K$, $\delta(\delta(I, s) \cap Q_S, t) \ne \emptyset$ and, for every $s' \in P^{-1}P(s)$ and $t' \in P^{-1}P(t)$, $\delta(\delta(I, s') \cap Q_{NS}, t') = \emptyset$. But then, for $s @ t \in L(G_{CSO})$, we have that $\delta'(\delta'(I, s@) \cap Q'_S, t) \cap Q'_S \ne \emptyset$ and, for every $s' @ t' \in L(G_{CSO})$ such that $P'(s@t) = P'(s'@t')$, we have two cases: (i) If $\delta(I, s') \cap Q_{NS} = \emptyset$, then $\delta'(I, s'@t') \cap Q'_{NS} = \delta'(\delta'(I, s'@) \cap Q^-, t') = \delta'(\emptyset, t') = \emptyset$, which shows that $G_{CSO}$ is not current-state opaque. (ii) If $\delta(I, s') \cap Q_{NS} \ne \emptyset$, then $\delta'(I, s'@t') \cap Q'_{NS} = \delta'(\delta'(I, s'@) \cap Q^-, t') = \emptyset$, because inserting $u$ into any strict prefix of $t'$ may reach $q^*_0$ but has to leave it when the rest of $t'$ is read, and neither the rest of $t'$ nor $P(t')$ itself is long enough to reach state $q^*_{K+1}$. Therefore, $G_{CSO}$ is not current-state opaque. □
To preserve the number of observable events, our transformation of K-step opacity to current-state opacity relies on Lemma 2. This lemma requires at least two observable events in $G_{K\text{-}SO}$, and hence it is not applicable to systems with a single observable event. For these systems, we provide a different transformation that requires adding at most a quadratic number of new states.

The problem of deciding K-step opacity for systems with a single observable event consists of a DES $G_{K\text{-}SO} = (Q, \Sigma, \delta, I)$ with $\Sigma_o = \{a\}$, a set of secret states $Q_S \subseteq Q$, a set of non-secret states $Q_{NS} \subseteq Q$, and a projection $P\colon \Sigma^* \to \{a\}^*$. We denote the number of states of $G_{K\text{-}SO}$ by $n$, and define a function $\varphi\colon Q \to \{0, \ldots, K\}$ that assigns, to every state $q$, the maximal number $k \in \{0, \ldots, K\}$ of observable steps that are possible from state $q$; formally,
$$\varphi(q) = \max\{k \in \{0, \ldots, K\} \mid \delta(q, P^{-1}(a^k)) \ne \emptyset\}.$$
Notice that if $K > n - 1$, then a system with a single observable event is K-step opaque if and only if it is infinite-step opaque. Therefore, we may consider only $K \le n - 1$.

From $G_{K\text{-}SO}$, we construct a DES $G_{CSO} = (Q', \Sigma, \delta', I)$ as illustrated in Fig. 9, where $\delta'$ is initialized as $\delta$ and modified as follows. For every state $p \in Q$ with $\varphi(p) > 0$, we add $K$ new states $p_1, \ldots, p_K$ to $Q'$ and $K$ new transitions $(p, a, p_1)$ and $(p_i, a, p_{i+1})$, for $i = 1, \ldots, K-1$, to $\delta'$. Finally, we replace every transition $(p, a, r)$ in $\delta'$ by the transition $(p_K, a, r)$. Notice that the transformation requires adding at most $n^2$ states, and hence it can be done in polynomial time. Let $Q'_S = Q_S$ and $Q'_{NS} = Q_{NS}$. For every state $p \in Q_S$ with $\varphi(p) = k > 0$, we add the corresponding states $p_1, \ldots, p_k$ to $Q'_S$ and, for every $p \in Q_{NS}$ with $\varphi(p) = k > 0$, we add $p_1, \ldots, p_k$ to $Q'_{NS}$.

Notice that the transformation can be done in polynomial time, preserves the number of observable events, and determinism. However, whether the transformation can be done in logarithmic space is open.

Fig. 9 Transforming K-SO to CSO for systems with a single observable event.

We show that $G_{K\text{-}SO}$ is K-step opaque if and only if $G_{CSO}$ is current-state opaque.
Theorem 9
The DES $G_{K\text{-}SO}$ with a single observable event is K-step opaque with respect to $Q_S$, $Q_{NS}$, and $P$ if and only if the DES $G_{CSO}$ is current-state opaque with respect to $Q'_S$, $Q'_{NS}$, and $P$.

Proof Assume that $G_{K\text{-}SO}$ is not K-step opaque, that is, there is $st \in L(G_{K\text{-}SO})$ with $|P(t)| \le K$ such that $\delta(\delta(I, s) \cap Q_S, t) \ne \emptyset$ and $\delta(\delta(I, P^{-1}P(s)) \cap Q_{NS}, P^{-1}P(t)) = \emptyset$. Let $f\colon \Sigma^* \to \Sigma^*$ be a morphism such that $f(a) = a^{K+1}$ and $f(b) = b$, for $a \ne b \in \Sigma$. Then, by construction, $\delta(I, s) = \delta'(I, f(s))$, and hence $\delta'(I, f(s)) \cap Q'_S \ne \emptyset$. If $\delta(I, P^{-1}P(s)) \cap Q_{NS} = \emptyset$, then $\delta'(I, f(P^{-1}P(s))) \cap Q'_{NS} = \emptyset$ because $\delta(I, s') = \delta'(I, f(s'))$ for any $s' \in P^{-1}P(s)$, and $G_{CSO}$ is not current-state opaque. Otherwise, we denote by $q_s \in \delta(I, s) \cap Q_S$ and $q_{ns} \in \delta(I, P^{-1}P(s)) \cap Q_{NS}$ the states with maximal $\varphi(q_s)$ and $\varphi(q_{ns})$. Since $G_{K\text{-}SO}$ is not K-step opaque, $\varphi(q_s) > \varphi(q_{ns})$. Then, in $G_{CSO}$, $q_s$ has exactly one outgoing observable transition and is followed by $\varphi(q_s) = k$ secret states, while $q_{ns}$ is followed by $\varphi(q_{ns}) < k$ non-secret states. Therefore, $\delta'(I, f(s) a^k) \cap Q'_S \ne \emptyset$ and $\delta'(I, f(s') a^k) \cap Q'_{NS} = \emptyset$ for any $s' \in P^{-1}P(s)$, and hence $G_{CSO}$ is not current-state opaque.

On the other hand, assume that $G_{K\text{-}SO}$ is K-step opaque, and that $\delta'(I, w) \cap Q'_S \ne \emptyset$. We show that $\delta'(I, P^{-1}P(w)) \cap Q'_{NS} \ne \emptyset$. Consider a state $q_s \in \delta'(I, w) \cap Q'_S$ and a path $\pi$ in $G_{CSO}$ leading to $q_s$ under $w$. Denote by $p$ the last state of $\pi$ that corresponds to a state of $G_{K\text{-}SO}$; that is, $p$ is not a new state added by the construction of $G_{CSO}$. Since $q_s \in Q'_S$, we have, by construction, that $p \in Q_S$. Then the choice of $p$ partitions $w = uv$, where $u$, read along the path $\pi$, leads to state $p$, and $v = a^\ell$ is a suffix of length $\ell \le K$. Let $u'$ be a string such that $f(u') = u$. Then $p \in \delta(I, u') \cap Q_S$. Since $\varphi(p) \ge \ell$, there exists $t$ such that $P(t) = a^\ell$ and $\delta(\delta(I, u') \cap Q_S, t) \ne \emptyset$ in $G_{K\text{-}SO}$. Then K-step opacity of $G_{K\text{-}SO}$ implies that there exist $u''$ and $t'$ such that $P(u') = P(u'')$, $P(t) = P(t')$, and $\delta(\delta(I, u'') \cap Q_{NS}, t') \ne \emptyset$. In particular, there is a state $q_{ns} \in \delta(I, u'') \cap Q_{NS}$ with $\varphi(q_{ns}) \ge \ell$, and $\delta'(I, f(u'')) \cap Q'_{NS} \ne \emptyset$. Therefore, $\delta'(I, f(u'') a^\ell) \cap Q'_{NS} \ne \emptyset$ and $P(f(u'') a^\ell) = P(uv) = P(w)$, which completes the proof. □

Let $G = (Q, \Sigma, \delta, I, F)$ be an automaton. We design an algorithm deciding K-step opacity in time $O((K+1) 2^n (n + \ell m))$, where $\ell = |\Sigma_o|$ is the number of observable events, $n$ is the number of states of $G$, and $m$ is the number of transitions of $P(G)$, $m \le \ell n^2$.

To decide whether $G$ is K-step opaque with respect to $Q_S, Q_{NS} \subseteq Q$, and $P\colon \Sigma^* \to \Sigma_o^*$, we proceed as follows:

1. We compute the observer $G^{obs}$ of $G$ in time $O(\ell 2^n)$;
2. We compute the projected automaton $P(G)$ of $G$ in polynomial time $O(m + n)$;
3. We compute a DFA $\mathcal{D}$ accepting the language $\Sigma_o^K$; then $\mathcal{D}$ has $K+1$ states and $O(\ell(K+1))$ transitions;
4. We compute the product automaton $\mathcal{C} = P(G) \times G^{obs}$ in time $O((m + n) \cdot \ell 2^n)$; the states of $\mathcal{C}$ are of the form $Q \times 2^Q$;
5. For every state $X$ of $G^{obs}$, we compute $X_S = X \cap Q_S$ and $X_{NS} = X \cap Q_{NS}$;
   (a) If $X_S \ne \emptyset$ and $X_{NS} = \emptyset$, then $G$ is not K-step opaque;
   (b) Otherwise, for every state $x \in X_S$, we add a transition from $X$ under $@$ to the state $(x, X_{NS})$ of $\mathcal{C}$, and we add the state $(x, X_{NS})$ to the set $Y$;
6. We set $Y$ to be the set of initial states of $\mathcal{C}$, and compute $\mathcal{G} = \mathcal{C} \times \mathcal{D}$;
   (a) If $\mathcal{G}$ contains a reachable state of the form $(a, \emptyset, d)$, then $G$ is not K-step opaque; otherwise, $G$ is K-step opaque.

Informally, we make use of the algorithm designed for deciding infinite-step opacity of Section 4.2.4 with the modification that we take the intersection of $\mathcal{C}$ with the automaton recognizing $\Sigma_o^K$. This modification ensures that any computation of $\mathcal{C}$ ends after $K$ steps, and hence we check at most $K$ subsequent steps.

Lemma 4
Automaton $G$ is K-step opaque if and only if $G$ is current-state opaque and no state of the form $(a, \emptyset)$ is reachable in $C$ from the set $Y$.

Proof. The algorithm works as that deciding infinite-step opacity. The only modification is that we intersect $C$ with $D$, recognizing $\Sigma_o^{K}$. This modification ensures that the algorithm checking infinite-step opacity is blocked after K subsequent steps, and hence it decides K-step opacity. □

Since our algorithm constructs and searches the NFA $\mathcal{G}$ with $O((K+1)\,n\,2^n)$ states and $O((K+1)\,\ell m\,2^n)$ transitions, the time complexity of our algorithm is $O((K+1)\,2^n\,(n + \ell m))$.

Conclusions

We studied the transformations among the notions of language-based opacity, current-state opacity, initial-state opacity, initial-and-final-state opacity, K-step opacity, and infinite-step opacity. In particular, we provided a general transformation from language-based opacity to initial-state opacity, and constructed transformations between infinite-step opacity and current-state opacity, and between K-step opacity and current-state opacity. Together with the transformations of Wu and Lafortune [29], we have a complete list of transformations between the discussed notions of opacity. The transformations are computable in polynomial time, preserve the number of observable events, and preserve determinism. We further applied the transformations to improve the algorithmic complexity of deciding language-based opacity, infinite-step opacity, and K-step opacity, and to obtain the precise computational complexity of deciding the discussed notions of opacity.
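The K-step opacity algorithm above (observer, product $C = P(G) \times G_{obs}$ started from the set $Y$, search bounded by $K$ observable steps), as an added example that is not code from the paper. The NFA class, the function names, and the sample system with events a, b (observable) and u (unobservable) are constructed here. Product states are pairs $(q, X_{NS})$ exactly as in $C$; the step bound plays the role of $D$, and passing `K=None` drops the bound, which is the infinite-step check of Section 4.2.4 that the text says the algorithm is derived from.

```python
"""K-step opacity checker following the observer/product algorithm above.

Added example, not the paper's code. The sample system, state names and
event names are constructed here. K=None runs the same search without the
step bound D, i.e. it decides infinite-step opacity.
"""
from collections import deque


class NFA:
    """G = (Q, Sigma, delta, I) with a set of observable events Sigma_o."""

    def __init__(self, events, delta, initial, observable):
        self.events = frozenset(events)
        self.observable = frozenset(observable)
        # (state, event) -> frozenset of successor states
        self.delta = {k: frozenset(v) for k, v in delta.items()}
        self.initial = frozenset(initial)

    def step(self, states, event):
        """delta(S, e): successors of the states in S under one event."""
        return frozenset(q2 for q in states for q2 in self.delta.get((q, event), ()))

    def ur(self, states):
        """Unobservable reach UR(S): closure of S under P^{-1}(epsilon)."""
        reach, stack = set(states), list(states)
        while stack:
            q = stack.pop()
            for e in self.events - self.observable:
                for q2 in self.delta.get((q, e), ()):
                    if q2 not in reach:
                        reach.add(q2)
                        stack.append(q2)
        return frozenset(reach)

    def obs_step(self, estimate, event):
        """Observer transition delta_obs(X, e) = UR(delta(UR(X), e))."""
        return self.ur(self.step(self.ur(estimate), event))


def is_k_step_opaque(G, secret, nonsecret, K=None):
    """Decide K-step opacity of G w.r.t. Q_S=secret, Q_NS=nonsecret and the
    natural projection. Returns (True, None) or (False, observation), where the
    observation is a string under which the intruder is sure of a secret state."""
    secret, nonsecret = frozenset(secret), frozenset(nonsecret)
    # Step 1: reachable observer states X, each with one observation leading to it.
    start = G.ur(G.initial)
    obs_of = {start: ""}
    queue = deque([start])
    while queue:
        x = queue.popleft()
        for e in sorted(G.observable):
            y = G.obs_step(x, e)
            if y and y not in obs_of:
                obs_of[y] = obs_of[x] + e
                queue.append(y)
    # Step 5: split every X into X_S and X_NS; 5(a) is the current-state check.
    sources = []
    for x, w in obs_of.items():
        x_s, x_ns = x & secret, x & nonsecret
        if x_s and not x_ns:
            return False, w
        sources.extend((q, x_ns, w, 0) for q in x_s)   # 5(b): initial states Y
    # Step 6: search the product C = P(G) x G_obs from Y, at most K observable
    # steps deep (the role of D); a state (a, {}) means the secret is revealed.
    seen = {(q, y) for q, y, _, _ in sources}
    queue = deque(sources)
    while queue:
        q, y, w, depth = queue.popleft()
        if K is not None and depth >= K:
            continue
        for e in sorted(G.observable):
            next_q = G.obs_step({q}, e)      # first component: P(G) from q
            if not next_q:
                continue
            next_y = G.obs_step(y, e)        # second component: observer from X_NS
            if not next_y:
                return False, w + e
            for q2 in next_q:
                if (q2, next_y) not in seen:
                    seen.add((q2, next_y))
                    queue.append((q2, next_y, w + e, depth + 1))
    return True, None


# Constructed sample: a, b observable; u unobservable; state 1 is the secret.
#   0 -a-> 1 -b-> 3 -b-> 4        (secret branch: two observable steps after a)
#   0 -a-> 2 -u-> 5 -b-> 6        (non-secret twin: only one step after a)
G_EXAMPLE = NFA(
    events={"a", "b", "u"},
    delta={(0, "a"): {1, 2}, (1, "b"): {3}, (3, "b"): {4},
           (2, "u"): {5}, (5, "b"): {6}},
    initial={0},
    observable={"a", "b"},
)
SECRET, NONSECRET = {1}, {0, 2, 3, 4, 5, 6}

if __name__ == "__main__":
    for k in (0, 1, 2, None):
        print(k, is_k_step_opaque(G_EXAMPLE, SECRET, NONSECRET, k))
```

On the constructed system the secret state 1 and its non-secret twin 2 are indistinguishable after observing a, and still after ab (3 versus 6), but after abb only the secret branch survives, so the system is 0- and 1-step opaque yet not 2-step (and not infinite-step) opaque. Keying the visited set on $(q, X_{NS})$ alone is sound because breadth-first search reaches each product state at its minimal depth first, which leaves the largest remaining step budget.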
References
1. Alur, R., Černý, P., Zdancewic, S.: Preserving secrecy under refinement. In: International Colloquium on Automata, Languages and Programming (ICALP), pp. 107–118 (2006)
2. Arora, S., Barak, B.: Computational Complexity – A Modern Approach. Cambridge University Press (2009)
3. Asveld, P.R.J., Nijholt, A.: The inclusion problem for some subclasses of context-free languages. Theoretical Computer Science (1-2), 247–256 (2000)
4. Badouel, E., Bednarczyk, M., Borzyszkowski, A., Caillaud, B., Darondeau, P.: Concurrent secrets. Discrete Event Dynamic Systems (4), 425–446 (2007)
5. Balun, J., Masopust, T.: On opacity verification for discrete-event systems. In: IFAC World Congress, pp. 2105–2110 (2020)
6. Bryans, J.W., Koutny, M., Mazaré, L., Ryan, P.Y.A.: Opacity generalised to transition systems. International Journal of Information Security (6), 421–435 (2008)
7. Bryans, J.W., Koutny, M., Ryan, P.Y.A.: Modelling opacity using Petri nets. Electronic Notes in Theoretical Computer Science, 101–115 (2005)
8. Cassandras, C.G., Lafortune, S.: Introduction to Discrete Event Systems, 2nd edn. Springer (2008)
9. Cassez, F., Dubreil, J., Marchand, H.: Synthesis of opaque systems with static and dynamic masks. Formal Methods in System Design (1), 88–115 (2012)
10. Domaratzki, M., Salomaa, K.: Transition complexity of language operations. Theoretical Computer Science (2), 147–154 (2007)
11. Dubreil, J., Darondeau, P., Marchand, H.: Opacity enforcing control synthesis. In: Workshop on Discrete Event Systems (WODES), pp. 28–35 (2008)
12. Focardi, R., Gorrieri, R.: A taxonomy of trace-based security properties for CCS. In: Computer Security Foundations Workshop VII, pp. 126–136 (1994)
13. Hadj-Alouane, N.B., Lafrance, S., Lin, F., Mullins, J., Yeddes, M.M.: On the verification of intransitive noninterference in mulitlevel security. IEEE Transactions on Systems, Man, and Cybernetics, Part B (5), 948–958 (2005)
14. Holzer, M., Kutrib, M.: Descriptional and computational complexity of finite automata—A survey. Information and Computation (3), 456–470 (2011)
15. Hopcroft, J.E., Ullman, J.D.: Introduction to Automata Theory, Languages and Computation. Addison-Wesley (1979)
16. Immerman, N.: Nondeterministic space is closed under complementation. SIAM Journal on Computing, 935–938 (1988)
17. Jacob, R., Lesage, J., Faure, J.: Overview of discrete event systems opacity: Models, validation, and quantification. Annual Reviews in Control, 135–146 (2016)
18. Jones, N.D.: Space-bounded reducibility among combinatorial problems. Journal of Computer and System Sciences (1), 68–85 (1975)
19. Lin, F.: Opacity of discrete event systems and its applications. Automatica (3), 496–503 (2011)
20. Mazaré, L.: Decidability of opacity with non-atomic keys. In: Formal Aspects in Security and Trust, pp. 71–84 (2004)
21. Saboori, A.: Verification and enforcement of state-based notions of opacity in discrete event systems. Ph.D. thesis, University of Illinois at Urbana-Champaign (2011)
22. Saboori, A., Hadjicostis, C.N.: Notions of security and opacity in discrete event systems. In: Conference on Decision and Control (CDC), pp. 5056–5061 (2007)
23. Saboori, A., Hadjicostis, C.N.: Opacity-enforcing supervisory strategies for secure discrete event systems. In: Conference on Decision and Control. IEEE (2008)
24. Saboori, A., Hadjicostis, C.N.: Verification of K-step opacity and analysis of its complexity. IEEE Transactions on Automation Science and Engineering (3), 549–559 (2011)
25. Saboori, A., Hadjicostis, C.N.: Verification of infinite-step opacity and complexity considerations. IEEE Transactions on Automatic Control (5), 1265–1269 (2012)
26. Schneider, S., Sidiropoulos, A.: CSP and anonymity. In: European Symposium on Research in Computer Security (ESORICS), LNCS, vol. 1146, pp. 198–218 (1996)
27. Stockmeyer, L.J., Meyer, A.R.: Word problems requiring exponential time: Preliminary report. In: ACM Symposium on Theory of Computing (STOC), pp. 1–9 (1973)
28. Szelepcsényi, R.: The method of forced enumeration for nondeterministic automata. Acta Informatica, 279–284 (1988)
29. Wu, Y.C., Lafortune, S.: Comparative analysis of related notions of opacity in centralized and coordinated architectures. Discrete Event Dynamic Systems (3), 307–339 (2013)
30. Yin, X., Lafortune, S.: A new approach for the verification of infinite-step and K-step opacity using two-way observers. Automatica 80