Strong current-state and initial-state opacity of
discrete-event systems

Xiaoguang Han [email protected] Kuize Zhang [email protected] Jiahui Zhang [email protected] Zhiwu Li [email protected] Zengqiang Chen [email protected] College of Electronic Information and Automation, Tianjin University of Science and Technology, Tianjin 300222, China Control Systems Group, Technical University of Berlin, Berlin 10587, Germany Institute of Systems Engineering, Macau University of Science and Technology, Taipa 519020, China, and School of Electro-Mechanical Engineering, Xidian University, Xi’an 710071, China College of Artificial Intelligence, Nankai University, Tianjin 300350, China

Abstract

Opacity, as an important property in information-flow security, characterizes the ability of a system to keep some secret information from an intruder. In discrete-event systems, based on a standard setting in which an intruder has the complete knowledge of the system’s structure, the standard versions of current-state opacity and initial-state opacity cannot perfectly characterize high-level privacy requirements. To overcome such a limitation, in this paper we propose two stronger versions of opacity in partially-observed discrete-event systems, called strong current-state opacity and strong initial-state opacity. Strong current-state opacity describes that an intruder never makes for sure whether a system is in a secret state at the current time, that is, if a system satisfies this property, then for each run of the system ended by a secret state, there exists a non-secret run whose observation is the same as that of the previous run. Strong initial-state opacity captures that the visit of a secret state at the initial time cannot be inferred by an intruder at any instant. Specifically, a system is said to be strongly initial-state opaque if for each run starting from a secret state, there exists a non-secret run of the system that has the same observation as the previous run has. To verify these two properties, we propose two information structures using a novel concurrent-composition technique, which has exponential-time complexity $O(|X|^{4}|\Sigma_{o}||\Sigma_{uo}||\Sigma|2^{|X|})$ , where $|X|$ (resp., $|\Sigma|$ , $|\Sigma_{o}|$ , $|\Sigma_{uo}|$ ) is the number of states (resp., events, observable events, unobservable events) of a system.

keywords:

Discrete-event system, Strong current-state opacity, Strong initial-state opacity, Observer, Concurrent composition

^†^†thanks: This work is supported in part by the National Natural Science Foundation of China under Grant 61903274, the Tianjin Natural Science Foundation of China under Grant 18JCQNJC74000, and the Alexander von Humboldt Foundation.

, , , ,

1 Introduction

Opacity is a confidentiality property, which characterizes the scenario whether some “secret” of a system is ambiguous to a potential malicious intruder based on the evolution of the system. In other words, an opaque system always holds the plausible deniability for its “secret” during its execution. Opacity can be adapted to capture a variety of privacy and security requirements in cyber-physical systems, including event-driven dynamic systems [1, 2] and time-driven dynamic systems [3, 4].

The notion of opacity initially appeared in the computer science literature [5] to analyze cryptographic protocols. Whereafter, various versions of opacity were characterized in the context of discrete-event systems (DESs). For instance, in automata-based models, several notions of opacity have been proposed and studied, which include current-state opacity [6], initial-state opacity [7], $K$ -step opacity [8], infinite-step opacity [9], and language-based opacity [10, 11]. Some more efficient algorithms to check them have also been provided in [11, 12, 13]. Furthermore, when a given system is not opaque, its opacity enforcement problem has been extensively investigated using a variety of techniques, including supervisory control [14, 15, 16], insertion or edit functions [17, 18, 19, 20], dynamic observers [21], etc. Recently, verification and/or enforcement of opacity have been extended to other classes of settings, including Petri nets [22, 23, 24], stochastic systems [25, 26, 27], modular systems [28], networked systems [29, 30], etc. In recent literature [31, 32], the authors studied opacity preserving (bi)simulation relations using an abstraction-based technique for nondeterministic transition systems and metric systems, respectively. Some applications of opacity in real-world systems have also been provided in the literature, see, e.g., [33, 34, 35, 36].

In automata-based models, different notions of opacity can capture different security requirements. For example, current-state opacity (CSO) characterizes that an intruder cannot determine for sure whether a system is currently in a secret state. In Location-Based Services (LBS), a user may want to hide his/her initial location or his/her location (e.g., visiting a hospital or bank) at some specific previous instant. Such requirements can be characterized by initial-state opacity (ISO) and $K$ /infinite-step opacity ( $K$ /Inf-SO)¹¹1For convenience, the notion originally named CSO (resp., ISO, $K$ -SO, and Inf-SO) is categorized as standard CSO (resp., standard ISO, standard $K$ -SO, and standard Inf-SO) in this paper.. However, these four standard versions of opacity have some limitations in practice. Specifically, they cannot capture the situation that an intruder can never infer for sure whether the system has passed through a secret state based on his/her observation. In other words, even though a system is “opaque” in the standard sense, the intruder may necessarily determine that a secret state must has been passed through. To this end, in [37], a strong version of opacity called strong $K$ -step opacity is proposed to capture that the visit of a secret state cannot be inferred within $K$ steps. Also, an algorithm that has complexity $O(2^{|X|+|X|^{2}})$ is provided to check it using so-called $K$ -delay trajectory estimators and R-verifiers, where $|X|$ is the number of states of a system.

Inspired by [37], in this paper we are interested in defining and verifying two other strong versions of opacity in partially-observed nondeterministic finite-state automata (NFAs), called strong current-state opacity (SCSO) and strong initial-state opacity (SISO), respectively. They mean that if a run passes through a secret state at the current time (resp., at the initial time), there exists another run that never passes through a secret state and has the same observation as the previous run has. Obviously, they have higher-level confidentiality than the standard versions. Note that, by the definition of strong $K$ -step opacity proposed in [37], we know readily that strong $K$ -step opacity reduces to standard CSO when $K=0$ . Thus, we conclude that SCSO implies the strong $0$ -step opacity but actually these two strong versions of opacity are incomparable when $K\geq 1$ . Therefore, the proposed notions of SCSO and SISO are clearly different from all the existing ones in the literature. Further, we develop a novel method to verify SCSO and SISO from a span-new perspective. Specifically, the main contributions of this paper are summarized below.

•

To overcome the inadequacy that the standard CSO and ISO cannot perfectly characterize high-level privacy requirements, we propose two stronger versions of opacity, called SCSO and SISO. They can characterize higher-level confidentiality than the standard versions.
•

For SCSO, we construct an information structure using a novel concurrent-composition technique. And then, we propose a verification criterion of SCSO based on leaking secret states defined by us in the proposed structure. This verification approach costs time $O(|X|^{4}|\Sigma_{o}||\Sigma_{uo}||\Sigma|2^{|X|})$ , where $|X|$ (resp., $|\Sigma|,|\Sigma_{o}|,|\Sigma_{uo}|$ ) is the number of states (resp., events, observable events, unobservable events) of a system.
•

Regarding the verification problem of SISO, using the novel concurrent-composition technique, we propose another information structure in which the information that whether a system has passed through a secret initial state can be characterized. This approach has also time complexity $O(|X|^{4}|\Sigma_{o}||\Sigma_{uo}||\Sigma|2^{|X|})$ .

The rest of this paper is arranged as follows. Section 2 provides preliminaries needed in this paper, including the system model, the formal definitions of standard CSO and ISO, and their limitations on confidentiality. Section 3 formalizes the notion of SCSO, and proposes a novel information structure for its verification. In Section 4, the notion of SISO is proposed, and its verification approach is reported. In Section 5, we conclude this paper with a brief discussion on how to use the proposed concurrent-composition structure to verify strong infinite-step opacity, which can be seen as a strong version of the standard Inf-SO.

2 Preliminaries

2.1 System model

A DES of interest is modeled as a nondeterministic finite-state automaton (NFA) $G=(X,\Sigma,\delta,X_{0})$ , where $X$ is the finite set of states, $\Sigma$ is the finite set of events, $X_{0}\subseteq X$ is the set of initial states, $\delta:X\times\Sigma\rightarrow 2^{X}$ is the transition function, which depicts the system dynamics: given states $x,y\in X$ and an event $\sigma\in\Sigma$ , $y\in\delta(x,\sigma)$ implies that there exists a transition labeled by $\sigma$ from $x$ to $y$ . Note that for $x\in X$ and $\sigma\in\Sigma$ , if there exists no $y\in X$ such that $y\in\delta(x,\sigma)$ , then $\delta(x,\sigma)=\emptyset$ . We can extend the transition function to $\delta:X\times\Sigma^{\ast}\rightarrow 2^{X}$ in the usual manner, where $\Sigma^{\ast}$ denotes the Kleene closure of $\Sigma$ , consisting of all finite sequences composed of the events in $\Sigma$ (including the empty sequence $\epsilon$ ), see, e.g., [38] for more details on DESs. We use $\mathcal{L}(G,x)$ to denote the language generated by $G$ from state $x$ , i.e., $\mathcal{L}(G,x)=\{s\in\Sigma^{\ast}:\delta(x,s)\neq\emptyset\}$ . Therefore, the language generated by $G$ is $\mathcal{L}(G)=\cup_{x_{0}\in X_{0}}\mathcal{L}(G,x_{0})$ . For a sequence $s\in\mathcal{L}(G)$ , we denote its prefix closure by $Pr(s)$ , i.e., $Pr(s)=\{w\in\mathcal{L}(G):(\exists w^{\prime}\in\Sigma^{\ast})[ww^{\prime}=s]\}$ . Further, for a prefix $w\in Pr(s)$ , we use the notation $s/w$ to denote the suffix of $s$ after its prefix $w$ . We without loss of generality assume that $G$ is accessible, i.e., all its states are reachable from $X_{0}$ .

As usual, we assume that the intruder can only see partially the system’s behavior. To this end, $\Sigma$ is partitioned into the set $\Sigma_{o}$ of observable events and the set $\Sigma_{uo}$ of unobservable events, i.e., $\Sigma_{o}\cup\Sigma_{uo}=\Sigma$ and $\Sigma_{o}\cap\Sigma_{uo}=\emptyset$ . The natural projection $P:\Sigma^{\ast}\rightarrow\Sigma_{o}^{\ast}$ is defined recursively by ( $i$ ) $P(\epsilon)=\epsilon$ , ( $ii$ ) $P(s\sigma)=P(s)\sigma,\mbox{ if }\sigma\in\Sigma_{o}$ , ( $iii$ ) $P(s\sigma)=P(s),\mbox{ if }\sigma\in\Sigma_{uo}$ , where $s\in\Sigma^{\ast}$ . We extend the natural projection $P$ to $\mathcal{L}(G)$ by $P(\mathcal{L}(G))=\{P(s)\in\Sigma_{o}^{\ast}:s\in\mathcal{L}(G)\}$ . We denote the inverse projection by a mapping $P^{-1}:\Sigma_{o}^{\ast}\rightarrow 2^{\Sigma^{\ast}}$ , i.e., for any $\alpha\in\Sigma_{o}^{\ast}$ , we have $P^{-1}(\alpha)=\{s\in\Sigma^{\ast}:P(s)=\alpha\}$ .

To study opacity of $G=(X,\Sigma,\delta,X_{0})$ , we assume that $G$ has a set of secret states, denoted by $X_{S}\subset X$ . We use $X_{NS}$ to denote the set of non-secret initial states. Let $s=s_{1}s_{2}\ldots s_{n}\in\Sigma^{\ast}$ and $x_{0}\in X_{0},x_{i}\in X$ , $i=1,2,\ldots,n$ . If $x_{k+1}\in\delta(x_{k},s_{k+1})$ , $0\leq k\leq n-1$ , we call $x_{0}\stackrel{{\scriptstyle s_{1}}}{{\rightarrow}}x_{1}\stackrel{{\scriptstyle s_{2}}}{{\rightarrow}}x_{2}\stackrel{{\scriptstyle s_{3}}}{{\rightarrow}}\cdots\stackrel{{\scriptstyle s_{n}}}{{\rightarrow}}x_{n}$ a run generated by $G$ from $x_{0}$ to $x_{n}$ under $s$ . We write $x_{0}\stackrel{{\scriptstyle s}}{{\rightarrow}}x_{n}$ (resp., $x_{0}\stackrel{{\scriptstyle s}}{{\rightarrow}}$ ) when $x_{1},x_{2},\ldots,x_{n-1}$ (resp., $x_{1},x_{2},\ldots,x_{n}$ ) are not specified. Note that there may be more than one run under a sequence $s\in\mathcal{L}(G,x_{0})$ based on nondeterminism of $G$ . In other words, $x_{0}\stackrel{{\scriptstyle s}}{{\rightarrow}}x_{n}$ may denote some runs. $x_{0}\stackrel{{\scriptstyle s_{1}}}{{\rightarrow}}x_{1}\stackrel{{\scriptstyle s_{2}}}{{\rightarrow}}x_{2}\stackrel{{\scriptstyle s_{3}}}{{\rightarrow}}\cdots\stackrel{{\scriptstyle s_{n}}}{{\rightarrow}}x_{n}$ is called a non-secret run if $x_{i}\in X\backslash X_{S}$ , $i=0,1,2,\cdots,n$ .

2.2 Standard current-state opacity and initial-state opacity

In this subsection, we first recall the formal definitions of standard CSO and ISO in [6] and [7, 11], respectively. And then, we discuss their limitations for characterizing information security.

Definition 2.1 (Standard CSO [6]).

Given a system $G=(X,\Sigma,\delta,X_{0})$ , a projection map $P$ w.r.t. the set $\Sigma_{o}$ of observable events, and a set $X_{S}\subset X$ of secret states, $G$ is said to be current-state opaque (CSO)²²2For brevity, the terminology “CSO” (resp., ISO), is used as the acronym of both “current-state opacity” (resp., “initial-state opacity”) and “current-state opaque” (resp., “initial-state opaque”), adapted to the context. (w.r.t. $\Sigma_{o}$ and $X_{S}$ ), if for all $x_{0}\in X_{0}$ and for all $s\in\mathcal{L}(G,x_{0})$ such that $\delta(x_{0},s)\cap X_{S}\neq\emptyset$ , it holds

\begin{split}(\exists x^{\prime}_{0}\in X_{0})(\exists t\in\mathcal{L}(G,x^{\prime}_{0}))[\delta(x^{\prime}_{0},t)\cap(X\backslash X_{S})\neq\emptyset\\ \wedge P(s)=P(t)].\end{split}

(1)

Note that, in [6] the notion of standard CSO was defined for deterministic finite-state automata. Obviously, this property can be readily extended to the nondeterministic setting as in Definition 2.1.

Definition 2.2 (Standard ISO [7]).

Given a system $G=(X,\Sigma,\delta,X_{0})$ , a projection map $P$ w.r.t. the set $\Sigma_{o}$ of observable events, and a set $X_{S}\subset X$ of secret states, $G$ is said to be initial-state opaque (ISO) (w.r.t. $\Sigma_{o}$ and $X_{S}$ ), if for all $x_{0}\in X_{0}\cap X_{S}$ and for all $s\in\mathcal{L}(G,x_{0})$ , it holds

(\exists x^{\prime}_{0}\in X_{NS})(\exists t\in\mathcal{L}(G,x^{\prime}_{0}))[P(s)=P(t)].

(2)

Remark 2.1.

Many results on the verification and enforcement of CSO and ISO have been obtained so far. However, the aforementioned two categories of opacity may not be able to characterize higher-level privacy requirements in some practical applications. The following two examples illustrate their limitations.

Example 2.1.

Let us consider the system $G$ shown in Fig. 1, in which the set of secret states is $X_{S}=\{x_{4},x_{5}\}$ .

Refer to caption — Figure 1: The system $G$ considered in Example 2.1, where $\Sigma_{o}=\{a,b\}$ , $\Sigma_{uo}=\{u\}$ and $X_{0}=\{x_{0}\}$ .

After observing the sequence $ab^{k}$ , $k\geq 0$ , $G$ can be in any state of $\{x_{2},x_{3},x_{4},x_{5}\}$ (resp., $\{x_{3},x_{5}\}$ ) when $k=0$ (reps., when $k\geq 1$ ). For the sequences $s=aab^{n}$ and $t=uaab^{n}$ , $n\geq 0$ , we have $\delta(x_{0},s)=\{x_{5}\}$ , $\delta(x_{0},t)=\{x_{6}\}$ and P(s)=P(t). This means that, for each observation generated by $G$ , the intruder can never infer precisely whether $G$ is currently at secret states $x_{4}$ and/or $x_{5}$ . By Definition 2.1, $G$ is standard CSO w.r.t. $\Sigma_{o}$ and $X_{S}$ . Since an intruder has the perfect knowledge of the structure of $G$ , he/she immediately concludes that $G$ must have visited secret state $x_{4}$ or $x_{5}$ after observing $aab^{n}$ , $n\geq 0$ . This leads to some limitations that the security requirement characterized Definition 2.1 is not sufficiently strong to forbid the secret from being revealed.

Example 2.2.

Consider the system $G$ shown in Fig. 2, where the set of secret states is $X_{S}=\{x_{2}\}$ .

According to Definition 2.2, we conclude readily that $G$ is standard ISO. However, $G$ cannot keep the high-level secret based on the privacy condition characterized by Definition 2.2 since after observing the sequence $ab^{n}$ ( $n\geq 0$ ) an intruder unambiguously determines that $G$ must have passed through secret initial state $x_{2}$ .

The phenomena in Examples 2.1 and 2.2 indicate that the standard versions of CSO and ISO have some limitations to some extent for characterizing high-level information security of a system. In order to overcome the aforementioned limitations, in this paper we propose two strong versions of opacity, called strong current-state opacity (SCSO) and strong initial-state opacity (SISO). Note that these two stronger notions of opacity provide high-level confidentiality.

3 Strong current-state opacity

In this section, we formally formulate the strong version of CSO for a system. And then, we propose a novel approach to verify it.

3.1 Notion of strong current-state opacity

Definition 3.1 (SCSO).

Given a system $G=(X,\Sigma,\delta,$ $X_{0})$ , a projection map $P$ w.r.t. the set $\Sigma_{o}$ of observable events, and a set $X_{S}\subset X$ of secret states, $G$ is said to be strongly current-state opaque (SCSO)³³3The terminology “SCSO” is the acronym of both “strong current-state opacity” and “strongly current-state opaque”, which depends on the context. (w.r.t. $\Sigma_{o}$ and $X_{S}$ ), if for all $x_{0}\in X_{0}$ and for all $s\in\mathcal{L}(G,x_{0})$ such that $\delta(x_{0},s)\cap X_{S}\neq\emptyset$ , there exists a non-secret run $x^{\prime}_{0}\stackrel{{\scriptstyle t}}{{\rightarrow}}x$ such that $P(t)=P(s)$ , where $x^{\prime}_{0}\in X_{0}$ , $x\in X$ .

Note that if $G$ is a deterministic finite-state automaton, SCSO in Definition 3.1 can be rephrased as follows: $G$ is said to be SCSO (w.r.t. $\Sigma_{o}$ and $X_{S}$ ) if

\begin{split}&(\forall x_{0}\in X_{0},\forall s\in\mathcal{L}(G,x_{0}):\delta(x_{0},s)\in X_{S})\\ &(\exists x^{\prime}_{0}\in X_{0},\exists t\in\mathcal{L}(G,x^{\prime}_{0}))[(P(s)=P(t))\wedge\\ &(\forall\bar{t}\in Pr(t))[\delta(x^{\prime}_{0},\bar{t})\notin X_{S}]].\end{split}

Now we give a physical interpretation of Definition 3.1. The notion of SCSO captures that if a sequence $s\in\mathcal{L}(G)$ is generated and a secret state is reached, then there exists a sequence $t\in\mathcal{L}(G)$ that has the same projection as $s$ and its execution generates a run that never passes through a secret state. SCSO has a higher-level confidentiality than standard CSO. In other words, SCSO implies standard CSO, but the converse implication does not hold. For instance, the system $G$ in Example 2.1 is standard CSO, but not SCSO since after observing the sequence $aa$ an intruder certainly concludes that $G$ has passed secret state $x_{4}$ or $x_{5}$ . This results in the following proposition for SCSO and CSO whose straightforward proof is omitted.

Proposition 3.1.

If system $G$ is SCSO w.r.t. $\Sigma_{o}$ and $X_{S}$ , then it is also standard CSO w.r.t. $\Sigma_{o}$ and $X_{S}$ . The converse is not true.

Remark 3.1.

In [37], the authors proposed the notion of strong $K$ -step opacity for a deterministic finite-state automaton $G$ . Specifically, $G$ is said to be strongly $K$ -step opaque (w.r.t. $\Sigma_{o}$ and $X_{S}$ ) if for all $x_{0}\in X_{0}$ and for all $s=s_{1}s_{2}\in\mathcal{L}(G,x_{0})$ such that $\delta(x_{0},s_{1})\cap X_{S}\neq\emptyset$ and $|P(s_{2})|\leq K$ , there exists $x^{\prime}_{0}\in X_{0}$ and $t\in\mathcal{L}(G,x^{\prime}_{0})$ such that $P(t)=P(s)$ and for all $\bar{t}\in Pr(t)$ , if $|P(t/\bar{t})|\leq K$ , then $\delta(x^{\prime}_{0},\bar{t})\in X\backslash X_{S}$ . Now we show that SCSO and strong $K$ -step opacity are incomparable when $K\geq 1$ . Obviously, strong $K$ -step opacity does not imply SCSO based on their definitions. Also, the converse does not hold. Let us consider the system $G$ shown in Fig. 2, we conclude readily that $G$ is SCSO, but not strongly $K$ -step opaque for any $K\geq 1$ .

In the following Subsection 3.2, we study the verification of SCSO based on a novel verification approach, which has time complexity $O(|X|^{4}|\Sigma_{o}||\Sigma_{uo}||\Sigma|2^{|X|})$ .

3.2 Verifying strong current-state opacity

In this subsection, we focus on the verification of SCSO in Definition 3.1. In order to obtain the main result, we need to introduce three notions of non-secret subautomaton, observer and concurrent composition for a given system.

Given a system $G=(X,\Sigma,\delta,X_{0})$ and a set $X_{S}\subset X$ of secret states, we construct a non-secret subautomaton by deleting all its secret states from $G$ , which is denoted by $G_{dss}$ , where “ $dss$ ” stands for the acronym of “deleting secret states”. Note that when we delete a secret state $x_{s}\in X_{S}$ , all transitions attached to $x_{s}$ are also deleted. Formally,

G_{dss}=(X_{dss},\Sigma_{dss},\delta_{dss},X_{dss,0}),

(3)

where

•

$X_{dss}=\{x\in X\backslash X_{S}:\mbox{ there is a non-secret run }x_{0}\stackrel{{\scriptstyle s}}{{\rightarrow}}x\mbox{ for some }x_{0}\in X_{NS}\mbox{ and }s\in\Sigma^{\ast}\}$ stands for the set of states;
•

$\Sigma_{dss}=\{\sigma\in\Sigma:\exists x,x^{\prime}\in X_{dss}\mbox{ s.t. }x^{\prime}\in\delta(x,\sigma)\}$ stands for the set of events;
•

$\delta_{dss}:X_{dss}\times\Sigma_{dss}\rightarrow 2^{X_{dss}}$ stands for the transition function, i.e., for all $x,x^{\prime}\in X_{dss}\mbox{ and }\sigma\in\Sigma_{dss},x^{\prime}\in\delta_{dss}(x,\sigma)\mbox{ if }x^{\prime}\in\delta(x,\sigma)$ ;
•

$X_{dss,0}=X_{NS}$ stands for the set of initial states.

Next, we recall the observer of $G_{dss}$ that is defined by

Obs(G_{dss})=(X^{obs}_{dss},\Sigma^{obs}_{dss},\delta^{obs}_{dss},X^{obs}_{dss,0}),

(4)

where $X^{obs}_{dss}\subseteq 2^{X_{dss}}\backslash\emptyset$ stands for the set of states; $\Sigma^{obs}_{dss}$ stands for the observable event set $\Sigma_{dss,o}$ of $\Sigma_{dss}$ ; $\delta^{obs}_{dss}:X^{obs}_{dss}\times\Sigma^{obs}_{dss}\rightarrow X^{obs}_{dss}$ stands for the (partial) deterministic transition function defined as follows: for any $q\in X^{obs}_{dss}$ and $\sigma\in\Sigma^{obs}_{dss}$ , we have $\delta^{obs}_{dss}(q,\sigma)=\{x^{\prime}\in X_{dss}:\exists x\in q,\exists w\in\Sigma_{dss,uo}^{\ast}\mbox{ s.t. }x^{\prime}\in\delta_{dss}(x,\sigma w)\}$ if it is nonempty, where $\Sigma_{dss,uo}=\Sigma_{dss}\backslash\Sigma_{dss,o}$ ; $X^{obs}_{dss,0}=\{x\in X_{dss}:\exists x_{0}\in X_{dss,0},\exists w\in\Sigma_{dss,uo}^{\ast}\mbox{ s.t. }x\in\delta_{dss}(x_{0},w)\}$ stands for the (unique) initial state. For brevity, we only consider the accessible part of observer $Obs(G_{dss})$ .

Note that the widely-used observer $Obs(G_{dss})$ is an important information structure that can track all possible states of $G_{dss}$ consistent with the current observation. Specifically, $Obs(G_{dss})$ captures the observable behavior of $G_{dss}$ , that is, $\mathcal{L}(Obs(G_{dss}))=P(\mathcal{L}(G_{dss}))$ . The time complexity of computing observer $Obs(G_{dss})$ for $G_{dss}$ is $O(|X|^{2}|\Sigma_{o}||\Sigma_{uo}|2^{|X|})$ . We refer the reader to [38, 39] for more details on the notion of observer.

Example 3.1.

Consider the system $G$ depicted in Fig. 3, where the set of secret states is $X_{S}=\{x_{2},x_{4}\}$ . The non-secret subautomaton $G_{dss}$ and the observer $Obs(G_{dss})$ for $G$ are shown in Fig. 4.

Now we are ready to introduce a novel information structure called the concurrent composition of system $G$ and observer $Obs(G_{dss})$ , which will be used to verify SCSO in Definition 3.1.

Definition 3.2 (Concurrent Composition).

Given a system $G=(X,\Sigma,\delta,X_{0})$ and a set $X_{S}\subset X$ of secret states, the concurrent composition of $G$ and $Obs(G_{dss})$ is an NFA

Cc(G,Obs(G_{dss}))=(X_{cc},\Sigma_{cc},\delta_{cc},X_{cc,0}),

(5)

where

•

$X_{cc}\subseteq X\times 2^{X}$ stands for the set of states;
•

$\Sigma_{cc}=\{(\sigma,\sigma):\sigma\in\Sigma_{o}\}\cup\{(\sigma,\epsilon):\sigma\in\Sigma_{uo}\}$ stands for the set of events;

•

$\delta_{cc}:X_{cc}\times\Sigma_{cc}\rightarrow 2^{X_{cc}}$ is the transition function defined as follows: for any state $(x,q)\in X_{cc}$ and for any event $\sigma\in\Sigma$ ,

(i)

when $q\neq\emptyset$ ,
(a) if $\sigma\in\Sigma_{o}$ , then

\begin{split}&\delta_{cc}((x,q),(\sigma,\sigma))=\{(x^{\prime},q^{\prime})\in X_{cc}:x^{\prime}\in\delta(x,\sigma),\\ &q^{\prime}=\delta^{obs}_{dss}(q,\sigma)\mbox{ if }\delta^{obs}_{dss}(q,\sigma)\mbox{ is well-defined },q^{\prime}=\emptyset\\ &\mbox{otherwise}\};\end{split}

(b) if $\sigma\in\Sigma_{uo}$ , then

\delta_{cc}((x,q),(\sigma,\epsilon))=\{(x^{\prime},q)\in X_{cc}:x^{\prime}\in\delta(x,\sigma)\}.

(ii)

When $q=\emptyset$ ,
(a) if $\sigma\in\Sigma_{o}$ , then

$\delta_{cc}((x,\emptyset),(\sigma,\sigma))=\{(x^{\prime},\emptyset)\in X_{cc}:x^{\prime}\in\delta(x,\sigma)\};$

(b) if $\sigma\in\Sigma_{uo}$ , then

$\delta_{cc}((x,\emptyset),(\sigma,\epsilon))=\{(x^{\prime},\emptyset)\in X_{cc}:x^{\prime}\in\delta(x,\sigma)\}.$

•

$X_{cc,0}=X_{0}\times\{X^{obs}_{dss,0}\}$ stands for the set of initial states.

For a sequence $e\in\mathcal{L}(Cc(G,Obs(G_{dss})))$ , we utilize the notations $e(L)$ and $e(R)$ to denote its left and right components, respectively. A similar notation is employed to the language $\mathcal{L}(Cc(G,Obs(G_{dss})))$ . Further, we use $P(e)$ to denote $P(e(L))$ or $P(e(R))$ since $P(e(L))=P(e(R))$ for any $e\in\mathcal{L}(Cc(G,Obs(G_{dss})))$ , which depends on the context. Intuitively, $Cc(G,Obs(G_{dss}))$ characterizes the following two properties: (i) $\mathcal{L}(Cc(G,$ $Obs(G_{dss})))(L)=\mathcal{L}(G)$ ; and (ii) it tracks a sequence $s\in\mathcal{L}(G)$ from $X_{0}$ and an observation $\alpha\in\mathcal{L}(Obs(G_{dss}))$ from $X^{obs}_{dss,0}$ (if exists) such that $P(s)=\alpha$ .

Remark 3.2.

The idea of concurrent composition was used in [40] to verify the so-called eventual strong detectability for a finite-state automaton. However, there are differences between the construction proposed in [40] and the above construction. First, the construction proposed in [40] is based on a system $G$ , while the concurrent composition defined in (5) is based on two different settings. Second, the two definitions of transition functions meet different requirements. Specifically, in [40], the concurrent composition aggregates each pair of transition sequences of $G$ generating the same projection. However, by Definition 3.2, $Cc(G,Obs(G_{dss}))$ captures that for any sequence $s\in\mathcal{L}(G)$ , whether or not there exists an observation $\alpha\in\mathcal{L}(Obs(G_{dss})))$ such that $P(s)=\alpha$ .

Example 3.2.

Consider again the system $G$ depicted in Fig. 3, the concurrent composition $Cc(G,Obs(G_{dss}))$ for $G$ is shown in Fig. 5, where $Obs(G_{dss})$ is shown in Fig. 4. For brevity, for each state in $Cc(G,Obs(G_{dss}))$ , its first and second components are abbreviated by using their respective subscript sets. For example, state $(4,\{1,5\})$ stands for state $(x_{4},\{x_{1},x_{5}\})$ .

In order to present the first main result of this paper, we classify the states whose first components belong to $X_{S}$ in $Cc(G,Obs(G_{dss}))$ defined in (5) into two types:

•

leaking secret states: $(x,q)\in X_{cc}$ with $x\in X_{S}\wedge q=\emptyset$ ;
•

non-leaking secret states: $(x,q)\in X_{cc}$ with $x\in X_{S}\wedge q\neq\emptyset$ ;

The leaking and non-leaking secret states are interpreted physically as follows. If $(x,q)\in X_{cc}$ is a leaking secret state, then, by Definition 3.2, in $G$ there exists $x_{0}\in X_{0}$ and $s\in\mathcal{L}(G,x_{0})$ such that $x\in\delta(x_{0},s)$ , and there exists no observation $\alpha\in\mathcal{L}(Obs(G_{dss}))$ such that $P(s)=\alpha$ . This means that an intruder certainly concludes that $G$ has reached/passed through at least one secret state by observing $P(s)$ . If $(x,q)\in X_{cc}$ is a non-leaking secret state, then there exist $x_{0},x^{\prime}_{0}\in X_{0}$ , $s\in\mathcal{L}(G,x_{0})$ , and $t\in\mathcal{L}(G,x^{\prime}_{0})$ such that: (i) $x\in\delta(x_{0},s)$ ; (ii) $s$ and $t$ have the same projection, i.e., $P(s)=P(t)$ ; (iii) there exists a non-secret run $x^{\prime}_{0}\stackrel{{\scriptstyle t}}{{\rightarrow}}x^{\prime}$ generated by $G$ from $x^{\prime}_{0}$ to $x^{\prime}$ under $t$ .

Based on the above preparation, now we are ready to introduce the main result on verification of SCSO for a system. It reveals that a system is SCSO if and only if its concurrent-composition structure does not contain any leaking secret state.

Theorem 3.1.

Given a system $G=(X,\Sigma,\delta,X_{0})$ , a projection map $P$ w.r.t. the set $\Sigma_{o}$ of observable events, and a set $X_{S}\subset X$ of secret states, let $Cc(G,Obs(G_{dss}))$ be the concurrent composition of $G$ and $Obs(G_{dss})$ . $G$ is SCSO w.r.t. $\Sigma_{o}$ and $X_{S}$ if and only if there exists no leaking secret state in $Cc(G,Obs(G_{dss}))$ .

Proof $(\Rightarrow)$ By contrapositive, assume that there exists a leaking secret state $(x,\emptyset)$ in $Cc(G,Obs(G_{dss}))$ . Let $e\in\mathcal{L}(Cc(G,Obs(G_{dss})))$ be a sequence that leads to $(x,\emptyset)$ from $X_{cc,0}$ . Then, there exists an initial state $(x_{0},X^{obs}_{dss,0})\in X_{cc,0}$ such that $(x,\emptyset)\in\delta_{cc}((x_{0},X^{obs}_{dss,0}),e)$ . Further, by the construction of $Cc(G,Obs(G_{dss}))$ , we have that $x\in\delta(x_{0},e(L))$ and $\delta^{obs}_{dss}(X^{obs}_{dss,0},e(R))$ is not well-defined. The former means $e(L)\in\mathcal{L}(G,x_{0})$ and $\delta(x_{0},e(L))\cap X_{S}\neq\emptyset$ . The latter means that for all $x^{\prime}_{0}\in X_{NS}$ and for all $t\in\mathcal{L}(G_{dss},x^{\prime}_{0})$ with $P(t)=e(R)=P(e(L))$ , it holds $\delta_{dss}(x^{\prime}_{0},t)=\emptyset$ . By the construction of $G_{dss}$ , we conclude that there exists no non-secret run in $G$ starting from $X_{0}$ with observation $P(e)$ . Therefore, by Definition 3.1, $G$ is not SCSO w.r.t. $\Sigma_{o}$ and $X_{S}$ .

$(\Leftarrow)$ Also by contrapositive, assume that $G$ is not SCSO w.r.t. $\Sigma_{o}$ and $X_{S}$ . By Definition 3.1, there exists a run $x_{0}\stackrel{{\scriptstyle s}}{{\rightarrow}}x_{s}$ , where $x_{0}\in X_{0}$ and $x_{s}\in X_{S}$ , and there exist no $x^{\prime}_{0}\in X_{NS}$ and $t\in\mathcal{L}(G,x^{\prime}_{0})$ such that $P(t)=P(s)$ and $G$ generates a non-secret run starting from $x^{\prime}_{0}$ under $t$ . The former means $x_{s}\in\delta(x_{0},s)$ . By the construction of $G_{dss}$ , the latter means $\delta_{dss}(x^{\prime\prime}_{0},t)=\emptyset$ for all $x^{\prime\prime}_{0}\in X_{NS}$ and for all $t\in\mathcal{L}(G,x^{\prime\prime}_{0})$ with $P(t)=P(s)$ . This further means that $\delta^{obs}_{dss}(X_{dss,0}^{obs},P(t))$ is not well-defined. By the construction of $Cc(G,Obs(G_{dss}))$ , we conclude that there is $e\in\mathcal{L}(Cc(G,Obs(G_{dss})))$ with $e(L)=s$ and $e(R)=P(t)$ such that $(x_{s},\emptyset)\in\delta_{cc}((x_{0},X^{obs}_{dss,0}),e)$ . Therefore, $(x_{s},\emptyset)$ a leaking secret state in $Cc(G,Obs(G_{dss}))$ .

Example 3.3.

(1) For the system $G$ depicted in Fig. 3, there exists no leaking state in $Cc(G,Obs(G_{dss}))$ shown in Fig. 5. By Theorem 3.1, $G$ is SCSO w.r.t. $X_{S}$ . (2) For the system $G$ depicted in Fig. 1, its concurrent composition $Cc(G,Obs(G_{dss}))$ is shown in Fig. 6 in which there exists a leaking secret states $(5,\emptyset)$ . By Theorem 3.1, $G$ is not SCSO w.r.t. $\Sigma_{o}$ and $X_{S}$ .

We end this section by analyzing the time complexity of using Theorem 3.1 to verify SCSO. Since $G$ has the complexity of $O(|X|^{2}|\Sigma|)$ and computing $Obs(G_{dss})$ costs time $O(|X|^{2}|\Sigma_{o}||\Sigma_{uo}|2^{|X|})$ , the time complexity of constructing $Cc(G,Obs(G_{dss}))$ is $O(|X|^{4}|\Sigma_{o}||\Sigma_{uo}||\Sigma|2^{|X|})$ . Consequently, the (worst-case) time complexity of using Theorem 3.1 to verify SCSO is $O(|X|^{4}|\Sigma_{o}||\Sigma_{uo}||\Sigma|2^{|X|})$ .

4 Strong initial-state opacity

In this section, we focus on the formulation of strong ISO and its verification problem for a system.

4.1 Notion of strong initial-state opacity

Definition 4.1 (SISO).

Given a system $G=(X,\Sigma,\delta,$ $X_{0})$ , a projection map $P$ w.r.t. the set $\Sigma_{o}$ of observable events, and a set $X_{S}\subset X$ of secret states, $G$ is said to be strongly initial-state opaque (SISO)⁴⁴4Similar to the terminology “SCSO”, in this paper “SISO” is the acronym of both “strong initial-state opacity” and “strongly initial-state opaque”, which also depends on the context. (w.r.t. $\Sigma_{o}$ and $X_{S}$ ), if for all $x_{0}\in X_{0}\cap X_{S}$ and for all $s\in\mathcal{L}(G,x_{0})$ , there exists a non-secret run $x^{\prime}_{0}\stackrel{{\scriptstyle t}}{{\rightarrow}}$ such that $P(t)=P(s)$ , where $x^{\prime}_{0}\in X_{NS}$ .

Intuitively, SISO in Definition 4.1 captures that for each sequence $s\in\mathcal{L}(G)$ starting from any $x_{0}\in X_{0}\cap X_{S}$ , there exists a sequence $t\in\mathcal{L}(G)$ starting from some $x^{\prime}_{0}\in X_{NS}$ such that $P(t)=P(s)$ and $G$ generates a non-secret run starting from $x^{\prime}_{0}$ under $t$ . Note that, SISO, compared with standard ISO in Definition 2.2, has a higher-level confidentiality obviously. In other words, SISO implies standard ISO, but the converse is not true. Taking the system $G$ shown in Fig. 2 for example, by Definitions 2.2 and 4.1, we conclude readily that $G$ is standard ISO, but not SISO.

Next, we illustrate these two strong versions of opacity in Definitions 3.1 and 4.1 are incomparable. In other words, SCSO does not imply SISO, and vice versa. For instance, by Definitions 3.1 and 4.1, the system $G$ depicted in Fig. 2 is SCSO, but not SISO. On the other hand, let us consider the system $G$ shown in Fig. 8. We know that $G$ is SISO, but not SCSO.

4.2 Verifying strong initial-state opacity

Inspired by the verification of SCSO in Section 3, we, in this subsection, use a minor variant of the concurrent composition approach to verify SISO of a system.

Consider a system $G=(X,\Sigma,\delta,X_{0})$ in which the set of secret states is denoted by $X_{S}\subset X$ . $G_{dss}$ stands for the non-secret subautomaton obtained by deleting all secret states in $G$ , which is defined in Eq. (4). $Obs(G_{dss})$ defined in Eq. (5) stands for the observer of $G_{dss}$ . To check SISO in Definition 4.1, we construct an initial-secret subautomaton from $G$ , denoted by $\hat{G}$ , as follows:

\hat{G}=(\hat{X},\hat{\Sigma},\hat{\delta},\hat{X}_{0}),

(6)

where

•

$\hat{X}=\{x\in X:\exists x_{0}\in{X_{0}}\cap{X_{S}},\exists s\in\Sigma^{\ast}\mbox{ s.t. }x\in\delta(x_{0},s)\}$ stands for the set of states;
•

$\hat{\Sigma}=\{\sigma\in\Sigma:\exists x,x^{\prime}\in\hat{X}\mbox{ s.t. }x^{\prime}\in\delta(x,\sigma)\}$ stands for the set of events;
•

$\hat{\delta}:\hat{X}\times\hat{\Sigma}\rightarrow 2^{\hat{X}}$ stands for the transition function, i.e., for all $x,x^{\prime}\in\hat{X}$ and $\sigma\in\hat{\Sigma}$ , $x^{\prime}\in\hat{\delta}(x,\sigma)$ if $x^{\prime}\in\delta(x,\sigma)$ ;
•

$\hat{X}_{0}={X_{0}}\cap{X_{S}}$ stands for the set of secret initial states.

Note that when we “delete” a state that is inaccessible from the set $\hat{X}_{0}$ of secret initial states, we also delete all transitions attached to that state. Obviously, $\hat{G}$ is a subautomaton of $G$ and is obtained by deleting all its states unreachable from $\hat{X}_{0}$ .

Next, we construct the concurrent composition of $\hat{G}$ and $Obs(G_{dss})$ for $G$ , which also is an NFA, as follows.

Cc(\hat{G},Obs(G_{dss}))=(\hat{X}_{cc},\hat{\Sigma}_{cc},\hat{\delta}_{cc},\hat{X}_{cc,0}),

(7)

where

•

$\hat{X}_{cc}\subseteq\hat{X}\times 2^{X}$ stands for the set of states;
•

$\hat{\Sigma}_{cc}=\{(\sigma,\sigma):\sigma\in\hat{\Sigma}_{o}\}\cup\{(\sigma,\epsilon):\sigma\in\hat{\Sigma}_{uo}\}$ stands for the set of events, where $\hat{\Sigma}_{o}$ (resp., $\hat{\Sigma}_{uo}$ ) is the set of observable (resp., unobservable) events of $\hat{\Sigma}$ ;

•

$\hat{\delta}_{cc}:\hat{X}_{cc}\times\hat{\Sigma}_{cc}\rightarrow 2^{\hat{X}_{cc}}$ is the transition function defined as follows: for any state $(x,q)\in\hat{X}_{cc}$ , and for any event $\sigma\in\hat{\Sigma}$ ,

(i)

when $q\neq\emptyset$ ,
(a) if $\sigma\in\hat{\Sigma}_{o}$ , then

\begin{split}&\hat{\delta}_{cc}((x,q),(\sigma,\sigma))=\{(x^{\prime},q^{\prime})\in\hat{X}_{cc}:x^{\prime}\in\hat{\delta}(x,\sigma),\\ &q^{\prime}=\delta^{obs}_{dss}(q,\sigma)\mbox{ if }\delta^{obs}_{dss}(q,\sigma)\mbox{ is well-defined, }q^{\prime}=\emptyset\\ &\mbox{otherwise}\};\end{split}

(b) if $\sigma\in\hat{\Sigma}_{uo}$ , then

\hat{\delta}_{cc}((x,q),(\sigma,\epsilon))=\{(x^{\prime},q)\in\hat{X}_{cc}:x^{\prime}\in\hat{\delta}(x,\sigma)\}.

(ii)

when $q=\emptyset$ ,
(a) if $\sigma\in\hat{\Sigma}_{o}$ , then

\hat{\delta}_{cc}((x,\emptyset),(\sigma,\sigma))=\{(x^{\prime},\emptyset)\in\hat{X}_{cc}:x^{\prime}\in\hat{\delta}(x,\sigma)\};

(b) if $\sigma\in\hat{\Sigma}_{uo}$ , then

\hat{\delta}_{cc}((x,\emptyset),(\sigma,\epsilon))=\{(x^{\prime},\emptyset)\in\hat{X}_{cc}:x^{\prime}\in\hat{\delta}(x,\sigma)\}.

•

$\hat{X}_{cc,0}=\hat{X}_{0}\times\{X^{obs}_{dss,0}\}$ stands for the set of initial states.

In order to present the verification criterion of SISO in Definition 4.1, similarly to the argument in Section 3, we classify the states in $Cc(\hat{G},Obs(G_{dss}))$ defined in (7) into two types:

•

leaking states: for all $(x,q)\in\hat{X}_{cc}$ with $x\in\hat{X}\wedge q=\emptyset$ ;
•

non-leaking states: for all $(x,q)\in\hat{X}_{cc}$ with $x\in\hat{X}\wedge q\neq\emptyset$ ;

We now give an interpretation of leaking and non-leaking states as follows: if $(x,q)\in\hat{X}_{cc}$ is a leaking state, by the construction of $Cc(\hat{G},Obs(G_{dss}))$ , then in $G$ there exists a secret initial state $x_{0}\in X_{0}\cap X_{S}$ and a sequence $s\in\mathcal{L}(G,x_{0})$ such that $x\in\delta(x_{0},s)$ , and there exists no $x^{\prime}_{0}\in X_{NS}$ and $t\in\mathcal{L}(G,x^{\prime}_{0})$ such that $x^{\prime}_{0}\stackrel{{\scriptstyle t}}{{\rightarrow}}$ is a non-secret run and $P(t)=P(s)$ . If $(x,q)\in\hat{X}_{cc}$ is a non-leaking state, then in $G$ there exists $x_{0}\in X_{0}\cap X_{S}$ , $x^{\prime}_{0}\in X_{NS}$ , $s\in\mathcal{L}(G,x_{0})$ , and $t\in\mathcal{L}(G,x^{\prime}_{0})$ such that: (i) $P(t)=P(s)$ , and (ii) $G$ generates a non-secret run starting from $x^{\prime}_{0}$ under $t$ .

Theorem 4.1.

Given a system $G=(X,\Sigma,\delta,X_{0})$ , a projection map $P$ w.r.t. the set $\Sigma_{o}$ of observable events, and a set $X_{S}\subset X$ of secret states, let $Cc(\hat{G},Obs(G_{dss}))$ be the concurrent composition of $\hat{G}$ and $Obs(G_{dss})$ . $G$ is SISO w.r.t. $\Sigma_{o}$ and $X_{S}$ if and only if there exists no leaking state in $Cc(\hat{G},Obs(G_{dss}))$ .

Proof This proof is analogous to that of Theorem 3.1 by contraposition.

$(\Rightarrow)$ Assume that there exists a leaking state $(x,\emptyset)$ in $Cc(\hat{G},Obs(G_{dss}))$ . Let $e\in\mathcal{L}(Cc(\hat{G},Obs(G_{dss})))$ be a sequence that leads to $(x,\emptyset)$ from $\hat{X}_{cc,0}$ . Then, there exists an initial state $(x_{0},X^{obs}_{dss,0})\in\hat{X}_{cc,0}$ such that $(x,\emptyset)\in\hat{\delta}_{cc}((x_{0},X^{obs}_{dss,0}),e)$ . By the construction of $Cc(\hat{G},Obs(G_{dss}))$ , one has $x_{0}\in{X_{0}}\cap{X_{S}}$ , $x\in\hat{\delta}(x_{0},e(L))$ and $\delta^{obs}_{dss}(X^{obs}_{dss,0},e(R))$ is not well-defined. Since $\hat{G}$ is the initial-secret subautomaton of $G$ , $x\in\hat{\delta}(x_{0},e(L))$ means $x\in\delta(x_{0},e(L))$ . However, $\delta^{obs}_{dss}(X^{obs}_{dss,0},e(R))$ not well-defined implies that for all $x^{\prime}_{0}\in X_{NS}$ and for all $t\in\mathcal{L}(G_{dss},x^{\prime}_{0})$ with $P(t)=e(R)=P(e(L))$ , it holds $\delta_{dss}(x^{\prime}_{0},t)=\emptyset$ . By the construction of $G_{dss}$ , we conclude that there do not exist a state $x^{\prime}_{0}\in X_{NS}$ and a sequence $t\in\mathcal{L}(G,x^{\prime}_{0})$ with $P(t)=P(e)$ such that $G$ generates a non-secret run starting from $x^{\prime}_{0}$ under $t$ . Therefore, by Definition 4.1, $G$ is not SISO w.r.t. $\Sigma_{o}$ and $X_{S}$ .

$(\Leftarrow)$ Assume that $G$ is not SISO w.r.t. $\Sigma_{o}$ and $X_{S}$ . By Definition 4.1, we know that: (1) in $G$ there exists a secret initial state $x_{0}\in X_{0}\cap X_{S}$ and a sequence $s\in\mathcal{L}(G,x_{0})$ , and (2) there does not exist a sequence $t\in\mathcal{L}(G,x^{\prime}_{0})$ for any $x^{\prime}_{0}\in X_{NS}$ such that $x^{\prime}_{0}\stackrel{{\scriptstyle t}}{{\rightarrow}}$ is a non-secret run and $P(t)=P(s)$ . By the construction of $\hat{G}$ , the former means that there exists a state $x\in\hat{X}$ such that $x\in\hat{\delta}(x_{0},s)$ . By the construction of $G_{dss}$ , the latter means $\delta_{dss}(x^{\prime\prime}_{0},t)=\emptyset$ for all $x^{\prime\prime}_{0}\in X_{NS}$ and for all $t\in\mathcal{L}(\hat{G},x^{\prime\prime}_{0})$ with $P(t)=P(s)$ . This further implies that $\delta^{obs}_{dss}(X_{dss,0}^{obs},P(t))$ is not well-defined. By the construction of $Cc(\hat{G},Obs(G_{dss}))$ , we conclude that there exists a sequence $e\in\mathcal{L}(Cc(\hat{G},Obs(G_{dss})))$ with $e(L)=s$ and $e(R)=P(t)$ such that $(x,\emptyset)\in\hat{\delta}_{cc}((x_{0},X_{dss,0}^{obs}),e)$ . Therefore, $(x,\emptyset)$ a leaking state in $Cc(\hat{G},Obs(G_{dss}))$ .

Remark 4.1.

We discuss the time complexity of checking SISO for $G$ using Theorem 4.1. From Subsection 3.2, $Obs(G_{dss})$ has time complexity $O(|X|^{2}|\Sigma_{o}||\Sigma_{uo}|2^{|X|})$ . By Eq. (6), the time complexity of constructing $\hat{G}$ from $G$ is $O(|X|^{2}|\Sigma|)$ . Therefore, the time complexity of constructing $Cc(\hat{G},Obs(G_{dss}))$ is $O(|X|^{4}|\Sigma_{o}||\Sigma_{uo}||\Sigma|2^{|X|})$ . This indicates that the time complexity of verifying SISO in Definition 4.1 is $O(|X|^{4}|\Sigma_{o}||\Sigma_{uo}||\Sigma|2^{|X|})$ .

Example 4.1.

Let us consider the system $G$ depicted in Fig. 9, where the set of secret states is $X_{S}=\{x_{1}\}$ . The constructed automata $\hat{G}$ , $G_{dss}$ and $Obs(G_{dss})$ for $G$ are shown in Fig. 10. Further, the concurrent composition $Cc(\hat{G},Obs(G_{dss}))$ is shown in Fig. 11 in which there exist two leaking states $(4,\emptyset)$ and $(5,\emptyset)$ ⁵⁵5Note that, similar to $Cc(G,Obs(G_{dss}))$ , for each state in $Cc(\hat{G},Obs(G_{dss}))$ , its first and second components are also abbreviated by using their respective subscript set. For instance, $(4,\emptyset)$ is the abbreviation of state $(x_{4},\emptyset)$ .. By Theorem 4.1, $G$ is not SISO w.r.t. $\Sigma_{o}$ and $X_{S}$ .

5 Concluding remarks

In this paper, we characterized two strong versions of opacity called strong current-state opacity and strong initial-state opacity, respectively. They have higher-level confidentiality than the standard versions. Further, we constructed two information structures using a novel concurrent-composition technique to verify these two strong versions of opacity, which have (worst-case) time complexity $O(|X|^{4}|\Sigma_{o}||\Sigma_{uo}||\Sigma|2^{|X|})$ .

Motivated by [37] and our work, a strong version of standard Inf-SO, called strong infinite-step opacity (Inf-SSO), is formally formulate in the context of nondeterministic settings as follows.

Definition 5.1 (Inf-SSO).

Given a system $G=(X,\Sigma,$ $\delta,X_{0})$ , a projection map $P$ w.r.t. the set $\Sigma_{o}$ of observable events, and a set $X_{S}\subset X$ of secret states, $G$ is said to be strongly infinite-step opaque (Inf-SSO) (w.r.t. $\Sigma_{o}$ and $X_{S}$ ), if for all $x_{0}\in X_{0}$ and for all $s=s_{1}s_{2}\in\mathcal{L}(G,x_{0})$ such that $\delta(x_{0},s_{1})\cap X_{S}\neq\emptyset$ , there exists a non-secret run $x^{\prime}_{0}\stackrel{{\scriptstyle t}}{{\rightarrow}}$ such that $P(t)=P(s)$ , where $x^{\prime}_{0}\in X_{NS}$ .

By Definition 5.1, one sees that $G$ is Inf-SSO if and only if for all $x_{0}\in X_{0}$ and for all $s\in\mathcal{L}(G,x_{0})$ , there exists a non-secret run $x^{\prime}_{0}\stackrel{{\scriptstyle t}}{{\rightarrow}}$ for some $x^{\prime}_{0}\in X_{NS}$ and some $t\in\mathcal{L}(G,x^{\prime}_{0})$ such that $P(t)=P(s)$ . We can use the concurrent composition $Cc(G,Obs(G_{dss}))$ of $G$ and $Obs(G_{dss})$ constructed in Definition 3.2 to present the result on verification of Inf-SSO, which also has time complexity $O(|X|^{4}|\Sigma_{o}||\Sigma_{uo}||\Sigma|2^{|X|})$ . We here omit its proof, which is similar to that of Theorem 3.1.

Theorem 5.1.

Given a system $G=(X,\Sigma,\delta,X_{0})$ , a projection map $P$ w.r.t. the set $\Sigma_{o}$ of observable events, and a set $X_{S}\subset X$ of secret states, let $Cc(G,Obs(G_{dss}))$ be the concurrent composition of $G$ and $Obs(G_{dss})$ . $G$ is Inf-SSO w.r.t. $\Sigma_{o}$ and $X_{S}$ if and only if there exists no such a state in $Cc(G,Obs(G_{dss}))$ whose right component is $\emptyset$ .

In the future, we plan to exploit the proposed concurrent-composition approach to design algorithms for enforcing strong current-state opacity, strong initial-state opacity and strong infinite-step opacity.

References

[1] S. Lafortune, F. Lin, and C. Hadjicostis. On the history of diagnosability and opacity in discrete event systems. Annual Reviews in Control, 45:257–266, 2018.
[2] C. Hadjicostis. Estimation and Inference in Discrete Event Systems. Springer, Switzerland AG, 2020.
[3] L. An and G. Yang. Opacity enforcement for confidential robust control in linear cyber-physical systems. IEEE Transactions on Automatic Control, 265(3):1234–1241, 2020.
[4] B. Ramasubramanian, W.R. Cleaveland, and S. Marcus. Notions of centralized and decentralized opacity in linear systems. IEEE Transactions on Automatic Control, 265(4):1442–1455, 2020.
[5] L. Mazaré. Using unification for opacity prooperties. In: Proceeding of the Workshop on Issues in the Theory of Security, pages 165–176, 2004.
[6] A. Saboori and C. Hadjicostis. Notions of security and opaicty in discrete event systems. In: Proceedings of 46th IEEE Conference on Decision and Control, pages 5056–5061, 2007.
[7] A. Saboori and C. Hadjicostis. Verification of initial-state opacity in security appications of discrete event systems. Information Sciences, 246:115–132, 2013.
[8] A. Saboori and C. Hadjicostis. Verification of $K$ -step opacity and analysis of its complexity. IEEE Transactions on Automation Science and Engineering, 8(3):549–559, 2011.
[9] A. Saboori and C. Hadjicostis. Verification of infinite-step opacity and complexity considerations. IEEE Transactions on Automatic Control, 57(5):1265–1269, 2012.
[10] F. Lin. Opacity of discrete event systems and its applications. Automatica, 47(3):496–503, 2011.
[11] Y. Wu and S. Lafortune. Comparative analysis of related notions of opacity in centralized and coordinated architectures. Discrete Event Dynamic Systems, 23(3): 307–339, 2013.
[12] X. Yin and S. Lafortune. A new approach for the verification of infinite-step and K-step opacity using two-way observers. Automatica, 80:162–171, 2017.
[13] H. Lan, Y. Tong, J. Guo, and A. Giua. Comments on “A new approach for the verification of infinite-step and K-step opacity using two-way observers”. Automatica, 122:109290, 2020.
[14] J. Dubreil, P. Darondeau, and H. Marchand. Supervisory control for opacity. IEEE Transactions on Automatic Control, 55(5):1089–1100, 2010.
[15] A. Saboori and C. Hadjicostis. Opacity-enforcing supervisory strategies via state estimator constructions. IEEE Transactions on Automatic Control, 57(2):1155–1165, 2012.
[16] Y. Tong, Z. Li, C. Seatzu, and A. Giua. Current-state opacity enforcement in discrete event systems under incomparable observations. Discrete Event Dynamic Systems, 28(2):161–182, 2018.
[17] Y. Ji, Y. Wu, and S. Lafortune. Enforcement of opacity by public and private insertion functions. Automatica, 93:369–378, 2018.
[18] Y. Ji, X. Yin, and S. Lafortune. Opacity enforcement using nondeterministic publicly-known edit functions. IEEE Transactions on Automatic Control, 64(10):4369–4376, 2019.
[19] Y. Ji, X. Yin, and S. Lafortune. Enforcing opacity by insertion functions under multiple energy constraints and imperfect information. Automatica, 108:1–14, 2019.
[20] X. Yin and S. Li. Synthesis of dynamic masks for infinite-step opacity. IEEE Transactions on Automatic Control, 65(4):1429–1441, 2020.
[21] B. Zhang, S. Shu, and F. Lin. Maximum information release while ensuring opacity in discrete event systems. IEEE Transactions on Automation Science and Engineering, 12(4):1067–1079, 2015.
[22] J. Bryans, M. Koutny, L. Mazaré, et al. Opacity generalised to transition systems. International Journal of Information Security, 7(6):421–435, 2008.
[23] Y. Tong, Z. Li, C. Seatzu, et al. Verification of state-based opacity using Petri nets. IEEE Transactions on Automatic Control, 62(6):2823–2837, 2017.
[24] X. Cong, M.P. Fanti, A.M. Mangini, and Z. Li. On-line verification of current-state opacity by petri nets and integer linear programming. Automatica, 94:205–213, 2018.
[25] A. Saboori and C. Hadjicostis. Current-state opacity formulations in probabilistic finite automata. IEEE Transactions on Automatic Control, 59(1):120–133, 2014.
[26] C. Keroglou and C. Hadjicostis. Probabilistic system opacity in discrete event systems. Discrete Event Dynamic Systems, 28:289–314, 2018.
[27] X. Yin, Z. Li, W. Wang, et al. Infinite-step opacity and K-step opacity of stochastic discrete-event systems. Automatica, 99:266–274, 2019.
[28] Y. Tong and H. Lan. Current-state opacity verification in modular discrete event systems. In: Proceedings of the 58th IEEE Conference on Decision and Control, pages 7665–7670, 2019.
[29] X. Yin and S. Li. Opacity of networked supervisory control systems over insecure multiple channel networks. In: Proceedings of the 58th IEEE Conference on Decision and Control, pages 7641–7646, 2019.
[30] J. Yang, W. Deng, C. Jiang, and D. Qiu. Opacity of networked discrete event systems. In: Proceedings of the 58th IEEE Conference on Decision and Control, pages 6736–6741, 2019.
[31] K. Zhang, X. Yin, and M. Zamani. Opacity of nondeterministic transition systems: A (bi)simulation relation approach. IEEE Transactions on Automatic Control, 64(2):5116–5123, 2019.
[32] X. Yin, M. Zamani, and S. Liu. On approximate opacity of Cyber-physical systems. IEEE Transactions on Automatic Control, DOI 10.1109/TAC.2020.2998733.
[33] A. Saboori and C.N. Hadjicostis.. Coverage analysis of mobile agent trajectory via state-based opacity formulations. Control Engineering Practice, 19(9):967–977, 2011.
[34] Y. Wu, K. Sankararaman, and S. Lafortune. Ensuring privacy in location-based services: An approach based on opacity enforcement. In: Proceedings of 12th International Workshop on Discrete Event Systems, pages 33–38, 2014.
[35] A. Bourouis, K. Klai, N. Ben Hadj-Alouane, and Y. El Touati. On the verification of opacity in web services and their composition. IEEE Transactions on Services Computing, 10(1):66–79, 2017.
[36] F. Lin, W. Chen, W. Wang, and F. Wang. Information control in networked discrete event systems and its application to battery management systems. Discrete Event Dynamic Systems, 30(2):243–268, 2020.
[37] Y. Falcone and H. Marchand. Enforcement and validation (at runtime) of various notions of opacity. Discrete Event Dynamic Systems, 25:531–570, 2015.
[38] C. G. Cassandras and S. Lafortune. Introduction to disctete event system. Springer, New York, 2nd Edition, 2008.
[39] S. Shu, F. Lin, and H. Ying. Detectability of discrete event systems. IEEE Transactions on Automatic Control, 52(12):2356–2359, 2007.
[40] K. Zhang and A. Giua. On detectability of labeled Petri nets and finite automata. Discrete Event Dynamic Systems, 30:465–497, 2020.

Strong current-state and initial-state opacity of discrete-event systems

Abstract

keywords:

1 Introduction

2 Preliminaries

2.1 System model

2.2 Standard current-state opacity and initial-state opacity

Definition 2.1 (Standard CSO [6]).

Definition 2.2 (Standard ISO [7]).

Remark 2.1.

Example 2.1.

Example 2.2.

3 Strong current-state opacity

3.1 Notion of strong current-state opacity

Definition 3.1 (SCSO).

Proposition 3.1.

Remark 3.1.

3.2 Verifying strong current-state opacity

Example 3.1.

Definition 3.2 (Concurrent Composition).

Remark 3.2.

Example 3.2.

Theorem 3.1.

Example 3.3.

4 Strong initial-state opacity

4.1 Notion of strong initial-state opacity

Definition 4.1 (SISO).

4.2 Verifying strong initial-state opacity

Theorem 4.1.

Remark 4.1.

Example 4.1.

5 Concluding remarks

Definition 5.1 (Inf-SSO).

Theorem 5.1.

References

Strong current-state and initial-state opacity of
discrete-event systems