Verifying Weak and Strong k-Step Opacity
in Discrete-Event Systems

Jiří Balun [email protected] Tomáš Masopust [email protected] Faculty of Science, Palacky University Olomouc, Czechia

Abstract

Opacity is an important system-theoretic property expressing whether a system may reveal its secret to a passive observer (an intruder) who knows the structure of the system but has only limited observations of its behavior. Several notions of opacity have been discussed in the literature, including current-state opacity, $k$ -step opacity, and infinite-step opacity. We investigate weak and strong $k$ -step opacity, the notions that generalize both current-state opacity and infinite-step opacity, and ask whether the intruder is not able to decide, at any time instant, when respectively whether the system was in a secret state during the last $k$ observable steps. We design a new algorithm verifying weak $k$ -step opacity, the complexity of which is lower than the complexity of existing algorithms and does not depend on the parameter $k$ , and show how to use it to verify strong $k$ -step opacity by reducing strong $k$ -step opacity to weak $k$ -step opacity. The complexity of the resulting algorithm is again better than the complexity of existing algorithms and does not depend on the parameter $k$ .

keywords:

Discrete event systems, finite automata, opacity, verification, complexity, algorithms.

^†^†journal: ArXiv^†^†thanks: This work is an extended version of Balun and Masopust (2022b) that was presented at WODES 2022. Supported by the Ministy of Education, Youths and Sports under the INTER-EXCELLENCE project LTAUSA19098 and by IGA PrF 2022 018 and 2023 026. Corresponding author: T. Masopust.

and

1 Introduction

Opacity is an information-flow property used to study security and privacy questions of discrete-event systems, communication protocols, and computer systems. Besides security and privacy, an interesting application of opacity is its ability to express other state-estimation properties. In particular, Lin (2011) has shown how to express and verify observability, diagnosability, and detectability in terms of opacity.

Opacity guarantees that a system prevents an intruder from revealing its secret. The intruder is a passive observer that knows the structure of the system but has only limited observations of system’s behavior. Intuitively, the intruder estimates the behavior of the system, and the system is opaque if for every secret behavior, there is a nonsecret behavior that looks the same to the intruder. The secret is modeled as a set of secret states or as a set of secret behaviors. Modeling the secret as a set of secret states results in state-based opacity, introduced by Bryans et al. (2005, 2008) for Petri nets and transition systems, and adapted to automata by Saboori and Hadjicostis (2007). Modeling the secret as a set of secret behaviors results in language-based opacity, introduced by Badouel et al. (2007) and Dubreil et al. (2008). See the overview by Jacob et al. (2016) for more details.

Many notions of opacity have been discussed in the literature, including initial-state opacity and current-state opacity. While initial-state opacity prevents the intruder from revealing, at any time instant, whether the system started in a secret state, current-state opacity prevents the intruder “only” from revealing whether the system is currently in a secret state. This, however, does not exclude the possibility that the intruder later realizes that the system was in a secret state at a former step of the computation. For instance, if the intruder estimates that the system is in one of two possible states and, in the next step, the system proceeds by an observable event enabled only in one of the states, then the intruder reveals the state in which the system was one step ago.

Saboori and Hadjicostis (2007, 2012) addressed this issue and introduce the notion of weak $k$ -step opacity. Weak $k$ -step opacity requires that the intruder is not able to ascertain the secret in the current state and $k$ subsequent observable steps. For $k=0$ and $k=\infty$ , weak $k$ -step opacity coincides with current-state opacity and infinite-step opacity, respectively. The notion of infinite-step opacity may be confusing in the context of finite automata, because an $n$ -state automaton is infinite-step opaque if and only if it is $(2^{n}-2)$ -step opaque, see Yin and Lafortune (2017).

The verification of weak $k$ -step opacity has been intensively studied in the literature, resulting in (at least) five different approaches: (1) the secret observer approach with complexity $O(\ell 2^{n(k+3)})$ , where $n$ is the number of states and $\ell$ is the number of observable events, (2) the reverse comparison approach with complexity $O((n+m)(k+1)3^{n})$ , where $m\leq\ell n^{2}$ is the number of transitions in an involved NFA, (3) the state estimator approach of Saboori and Hadjicostis (2011) with complexity $O(\ell(\ell+1)^{k}2^{n})$ , (4) the two-way observer approach of Yin and Lafortune (2017) with complexity $O(\min\{n2^{2n},n\ell^{k}2^{n}\})$ , already corrected by Lan et al. (2020), and (5) the projected automaton approach of Balun and Masopust (2021) of complexity $O((k+1)2^{n}(n+m\ell^{2}))$ ; see also Wintenberg et al. (2022) for more details on the state complexity and an experimental comparison. The reader can see that the complexity of all the algorithms depends on the parameter $k$ . A partial exception is the two-way observer algorithm that does not depend on the parameter $k$ if $\ell^{k}>2^{n}$ , that is, if $k$ is larger than the number of states divided by the logarithm of the number of observable events.

In this paper, we design a new algorithm verifying weak $k$ -step opacity, the complexity of which does not depend on the parameter $k$ . The state complexity of our algorithm is $O(n2^{n})$ and the time complexity is $O((n+m)2^{n})$ , where $n$ is the number of states of the input automaton and $m\leq\ell n^{2}$ is the number of transitions of the projected input automaton. Hence, our algorithm is faster than all the existing algorithms, with the exception of a very small parameter $k$ ; namely, if $k$ is smaller than $2\log(n)/\log(\ell)$ , where $n$ is the number of states of the input automaton and $\ell$ is its number of observable events, then the algorithms based on the state estimator and on the two-way observer are, in the worst-case, faster than our algorithm.

However, Falcone and Marchand (2015) have later noticed that even weak $k$ -step opacity may not be as confidential as intuitively expected. In particular, the intruder may realize that the system was in a secret state, although it cannot deduce the exact time when this has happened (see an example in Section 4 or in Falcone and Marchand (2015) for more details). This problem motivated Falcone and Marchand (2015) to introduce strong $k$ -step opacity as the notion of $k$ -step opacity with a higher level of confidentiality. The idea is that whereas weak $k$ -step opacity prevents the intruder from revealing the exact time when the system was in a secret state during the last $k$ observable steps, strong $k$ -step opacity prevents the intruder from revealing that the system was in a secret state during the last $k$ observable steps.

Ma et al. (2021) pointed out without proofs that strong and weak $k$ -step opacity are incomparable in the sense that neither strong $k$ -step opacity implies weak $k$ -step opacity nor vice versa. In fact, under the assumption that there are no neutral states (states that are neither secret nor nonsecret), which is assumed in most of the literature, including this paper, strong $k$ -step opacity implies weak $k$ -step opacity (see Appendix A for more details).

However, the verification of one type of $k$ -step opacity cannot be directly used for the verification of the other. We show how to do it indirectly. Namely, we construct a polynomial-time transformation of strong $k$ -step opacity to weak $k$ -step opacity, which makes it possible to verify strong $k$ -step opacity by the algorithms for weak $k$ -step opacity. In addition, using our new algorithm verifying weak $k$ -step opacity results in a new algorithm to verify strong $k$ -step opacity with a lower complexity that does not depend on the parameter $k$ .

2 Preliminaries

We assume that the reader is familiar with discrete-event systems, see Cassandras and Lafortune (2021) for more details. For a set $S$ , $|S|$ denotes the cardinality of $S$ , and $2^{S}$ denotes the power set of $S$ . An alphabet $\Sigma$ is a finite nonempty set of events. A string over $\Sigma$ is a sequence of events from $\Sigma$ ; the empty string is denoted by $\varepsilon$ . The set of all finite strings over $\Sigma$ is denoted by $\Sigma^{*}$ . A language $L$ over $\Sigma$ is a subset of $\Sigma^{*}$ . For a string $u\in\Sigma^{*}$ , $|u|$ denotes the length of $u$ .

A nondeterministic finite automaton (NFA) over an alphabet $\Sigma$ is a structure $G=(Q,\Sigma,\delta,I,F)$ , where $Q$ is a finite set of states, $I\subseteq Q$ is a nonempty set of initial states, $F\subseteq Q$ is a set of marked states, and $\delta\colon Q\times\Sigma\to 2^{Q}$ is a transition function that can be extended to the domain $2^{Q}\times\Sigma^{*}$ by induction; we often consider the transition function $\delta$ as the corresponding relation $\delta\subseteq Q\times\Sigma\times Q$ . In addition, for a set $S\subseteq\Sigma^{*}$ , we define $\delta(Q,S)=\cup_{s\in S}\,\delta(Q,s)$ . For a set $Q_{0}\subseteq Q$ , the set $L_{m}(G,Q_{0})=\{w\in\Sigma^{*}\mid\delta(Q_{0},w)\cap F\neq\emptyset\}$ is the language marked by $G$ from the states of $Q_{0}$ , and $L(G,Q_{0})=\{w\in\Sigma^{*}\mid\delta(Q_{0},w)\neq\emptyset\}$ is the language generated by $G$ from the states of $Q_{0}$ . The languages marked and generated by $G$ are defined as $L_{m}(G)=L_{m}(G,I)$ and $L(G)=L(G,I)$ , respectively. The NFA $G$ is deterministic (DFA) if $|I|=1$ and $|\delta(q,a)|\leq 1$ for every $q\in Q$ and $a\in\Sigma$ . In this case, we identify the singleton $I=\{q_{0}\}$ with its element $q_{0}$ , and simply write $G=(Q,\Sigma,\delta,q_{0},F)$ instead of $G=(Q,\Sigma,\delta,\{q_{0}\},F)$ .

A discrete-event system (DES) $G$ over $\Sigma$ is an NFA over $\Sigma$ together with the partition of $\Sigma$ into $\Sigma_{o}$ and $\Sigma_{uo}$ of observable and unobservable events, respectively. If we want to specify that the DES is modeled by a DFA, we talk about deterministic DES. If the marked states are irrelevant, we omit them and simply write $G=(Q,\Sigma,\delta,I)$ .

The state estimation is modeled by projection $P\colon\Sigma^{*}\to\Sigma_{o}^{*}$ , which is a morphism for concatenation defined by $P(a)=\varepsilon$ if $a\in\Sigma_{uo}$ , and $P(a)=a$ if $a\in\Sigma_{o}$ . The action of $P$ on a string $a_{1}a_{2}\cdots a_{n}$ is to erase all unobservable events, that is, $P(a_{1}a_{2}\cdots a_{n})=P(a_{1})P(a_{2})\cdots P(a_{n})$ . The definition can be readily extended to languages.

Let $G$ be a DES over $\Sigma$ , and let $P\colon\Sigma^{*}\to\Sigma_{o}^{*}$ be the corresponding projection. The projected automaton of $G$ is the NFA $P(G)$ obtained from $G$ by replacing every transition $(p,a,q)$ by $(p,P(a),q)$ , followed by the standard elimination of the $\varepsilon$ -transitions. In particular, if $\delta$ is the transition function of $G$ , then the transition function $\gamma\colon Q\times\Sigma_{o}\to 2^{Q}$ of $P(G)$ is defined as $\gamma(q,a)=\delta(q,P^{-1}(a))$ . The projected automaton $P(G)$ is an NFA over $\Sigma_{o}$ with the same states as $G$ that recognizes the language $P(L_{m}(G))$ and that can be constructed in polynomial time, see Hopcroft et al. (2006).

We call the DFA constructed from $P(G)$ by the standard subset construction a full observer of $G$ . The accessible part of the full observer of $G$ is called an observer of $G$ , cf. Cassandras and Lafortune (2021). The full observer has exponentially many states compared with $G$ . In the worst case, the same holds for the observer as well, see Wong (1998); Jirásková and Masopust (2012) for more details.

For two DESs $G_{i}=(Q_{i},\Sigma,\delta_{i},I_{i})$ , $i=1,2$ , over the common alphabet $\Sigma$ , the product automaton of $G_{1}$ and $G_{2}$ is defined as the DES $G_{1}\times G_{2}=(Q_{1}\times Q_{2},\Sigma,\delta,I_{1}\times I_{2})$ , where $\delta((q_{1},q_{2}),a)=\delta_{1}(q_{1},a)\times\delta_{2}(q_{2},a)$ , for every pair of states $(q_{1},q_{2})\in Q_{1}\times Q_{2}$ and every event $a\in\Sigma$ . Notice that the definition does not restrict the state space of the product automaton to its reachable part.

3 Verification of Weak k-Step Opacity

In this section, we recall the definition of weak $k$ -step opacity for DESs, and design a new algorithm to verify weak $k$ -step opacity. To this end, we denote by $\mathbb{N}_{\infty}=\mathbb{N}\cup\{\infty\}$ the set of all nonnegative integers together with their limit. For $k\in\mathbb{N}_{\infty}$ , weak $k$ -step opacity asks whether the intruder cannot reveal the secret of a system in the current and $k$ subsequent states.

Definition 1.

Given a DES $G=(Q,\Sigma,\delta,I)$ and $k\in\mathbb{N}_{\infty}$ . System $G$ is weakly $k$ -step opaque ( $k$ -SO) with respect to the sets $Q_{S}$ of secret and $Q_{NS}$ of nonsecret states and observation $P\colon\Sigma^{*}\to\Sigma_{o}^{*}$ if for every string $st\in L(G)$ with $|P(t)|\leq k$ and $\delta(\delta(I,s)\cap Q_{S},t)\neq\emptyset$ , there exists a string $s^{\prime}t^{\prime}\in L(G)$ such that $P(s)=P(s^{\prime})$ , $P(t)=P(t^{\prime})$ , and $\delta(\delta(I,s^{\prime})\cap Q_{NS},t^{\prime})\neq\emptyset$ .

{algorithm}

Verification of weak $k$ -step opacity

1:A DES

G=(Q,\Sigma,\delta,I)

Q_{S},Q_{NS}\subseteq Q

\Sigma_{o}\subseteq\Sigma

, and

k\in\mathbb{N}_{\infty}

2:true if and only if

G

is weakly

k

-step opaque with respect to

Q_{S}

Q_{NS}

, and

P\colon\Sigma^{*}\to\Sigma_{o}^{*}

3:Set

Y:=\emptyset

4:Compute the observer

G^{obs}

G

5:Compute the projected automaton

P(G)

G

6:for every state

X

G^{obs}

7: for every state

x\in X\cap Q_{S}

8: add state

(x,X\cap Q_{NS})

to set

Y

9: end for

10:end for

11:Construct

H

as the part of the full observer of

G

accessible from the states of the second components of

Y

12:Compute the product automaton

\operatorname{\mathcal{C}}=P(G)\times H

13:Use the Breadth-First Search (BFS) of Algorithm 3 to mark all states of

\operatorname{\mathcal{C}}

reachable from the states of

Y

in at most

k

steps

14:if

\operatorname{\mathcal{C}}

contains a marked state of the form

(q,\emptyset)

then

15: return false

16:else

17: return true

18:end if

Algorithm 3 describes our new algorithm verifying weak $k$ -step opacity. The idea of the algorithm is as follows. We first compute the observer of $G$ , denoted by $G^{obs}$ , and the projected automaton of $G$ , denoted by $P(G)$ . Then, for every reachable state $X$ of $G^{obs}$ , we add the pairs $(x,X\cap Q_{NS})$ to the set $Y$ , where $x$ is a secret state of $X$ and $X\cap Q_{NS}$ is the set of all nonsecret states of $X$ . Intuitively, in these states, the intruder estimates that $G$ may be in the secret state $x$ or in the nonsecret states of $X\cap Q_{NS}$ . To verify that the intruder does not reveal the secret state, we need to check that every possible path of length up to $k$ starting in $x$ is accompanied by a path with the same observation starting in a nonsecret state of $X\cap Q_{NS}$ . To this end, we construct the automaton $H$ as the part of the full observer of $G$ consisting only of states reachable from the states forming the second components of the pairs in $Y$ , and the automaton $\operatorname{\mathcal{C}}=P(G)\times H$ as the product automaton of the projected automaton of $G$ and $H$ . In $\operatorname{\mathcal{C}}$ , all transitions are observable, and every path from a secret state $x$ is synchronized with all the possible paths with the same observation starting in the states of $X\cap Q_{NS}$ . Thus, if there is a path from the secret state $x$ of length up to $k$ that is not accompanied by a path with the same observation from a state of $X\cap Q_{NS}$ , then this path from the state $x$ in $P(G)$ ends up in a state, say, $q$ , whereas all paths in $H$ with the same observation from the state $X\cap Q_{NS}$ end up in the state $\emptyset$ . Here, $X\cap Q_{NS}$ and $\emptyset$ are understood as the states of the full observer of $G$ . Thus, if the DES $G$ is not weakly $k$ -step opaque, there is a state of $Y$ from which a state of the from $(q,\emptyset)$ is reachable in at most $k$ steps. Therefore, we search the automaton $\operatorname{\mathcal{C}}$ and mark all its states that are reachable from a state of $Y$ in at most $k$ steps. If a state of the from $(q,\emptyset)$ is marked, then $G$ is not weakly $k$ -step opaque; otherwise, it is.

We prove the correctness of Algorithm 3 and analyze its complexity in detail below. Intuitively, the correctness follows from the fact that the BFS visits all nodes at distance $d$ before visiting any nodes at distance $d+1$ . In other words, all states of $\operatorname{\mathcal{C}}$ reachable from the states of $Y$ in at most $k$ steps are visited (and marked) before any state at distance $k+1$ . The implementation of the BFS is, however, the key step to obtain the claimed complexity. Namely, the classical BFS of Cormen et al. (2009) maintains an array to store the shortest distances (aka the number of hops) of every node to an initial node. Since storing a number less than or equal to $k$ requires $\log(k)$ bits, using the classical BFS requires the space of size $O(\log(k)n2^{n})$ to store the shortest distance of every state of $\operatorname{\mathcal{C}}$ to a state of $Y$ , because $\operatorname{\mathcal{C}}$ has $O(n2^{n})$ states.

For our purposes, we do not need to know the shortest distance of every state to a state of $Y$ , but we rather need to keep track of the number of hops from the states of $Y$ made so far.

We can achieve this by modifying the classical BFS so that we do not store the shortest distances for every state of $\operatorname{\mathcal{C}}$ , but only the current distance. We store the current distance in the queue used by the BFS, see Algorithm 3. In particular, we first push number 0 to the queue, followed by all the states of $Y$ . Assuming that $k>0$ , number 0 is processed in such a way that it is dequeued from the queue, and number 1 is enqueued. After processing all the states of $Y$ from the queue, that is, having number 1 at the head of the queue, we know that all the elements of the queue after number 1 are the states at distance one from the states of $Y$ and not less. The algorithm proceeds this way until it has either visited all the states of $\operatorname{\mathcal{C}}$ or the number stored in the queue is $k$ . The algorithm marks all states of $\operatorname{\mathcal{C}}$ that it visits.

This approach requires to store only one $\log(k)$ -bit number at a time rather than $n2^{n}$ such numbers, and hence the complexity of the algorithm then basically follows from the fact that the distance is bounded by the number of states of $\operatorname{\mathcal{C}}$ , and not by the parameter $k$ .

Since Algorithm 3 is a minor modification of the BFS of Cormen et al. (2009), very similar arguments show its correctness and complexity. For this reason, we do not further discuss the correctness and complexity of Algorithm 3.

{algorithm}

The Breadth-First Search used in Algorithm 3

1:A DES

G=(V,\Sigma,\delta,I)

, a set

S\subseteq V

k\in\mathbb{N}_{\infty}

G

with all states at distance at most

k

from the states of

Y

marked

3:Initialize the queue

Q:=\emptyset

4:Enqueue number 0 to

Q

5:Mark every node

s\in S

and enqueue it to

Q

6:Color every node

u\in V-S

white

7:while

Q\neq\emptyset

u:=

Dequeue

(Q)

9: if

u\notin V

and

u=k

then

10: Terminate, states at distance

\leq k

were visited

11: else if

u\notin V

and

u<k

then

12: Enqueue

u+1

Q

13: else if

u\in V

is a state of

G

then

14: for every state

v

reachable in one step from

u

15: if the color of

v

is white then

16: Mark state

v

and enqueue it to

Q

17: end if

18: end for

19: Color

u

black

20: end if

21:end while

Before we prove Theorem 2 below showing that $G$ is weakly $k$ -step opaque if and only if no state of the form $(\cdot,\emptyset)$ is marked in $\operatorname{\mathcal{C}}$ , we illustrate Algorithm 3 in the following two examples.

In the first example, we consider one-step opacity of the DES $G$ depicted in Figure 1(a) where all events are observable, state $2$ is secret, and state $4$ is nonsecret. The other states are neutral, meaning that they are neither secret nor nonsecret.¹¹1The meaning of neutral states is not yet clear in the literature. They are fundamental in language-based opacity, but questionable in state-based opacity. In any case, we cannot simply handle neutral states as nonsecret states. The observer $G^{obs}$ of $G$ is depicted in Figure 1(b).

Since $G$ has no unobservable events, the projected automaton $P(G)=G$ . Now, only the state $X=\{2,4\}$ of $G^{obs}$ contains a secret state, and hence intersecting it with $Q_{S}$ results in the set $Y=\{(2,\{4\})\}$ . Notice that state $\{4\}$ is not in the observer $G^{obs}$ , and therefore we need to add it to $H$ together with all the states that are reachable from state $\{4\}$ in the full observer of $G$ . The resulting automaton $H$ is depicted in Figure 1(b) and is formed by the observer $G^{obs}$ together with the dashed state $\{4\}$ and the dashed transition from $\{4\}$ to $\{5\}$ . Notice that, by the definition of the (full) observer, all the missing transitions in Figure 1(b) indeed lead to state $\emptyset$ , for instance, $\delta(\{1\},b)=\delta(\{5\},a)=\emptyset$ . However, to keep the figures simple, we do not depict state $\emptyset$ and the transitions to state $\emptyset$ . The marked part of the automaton $\operatorname{\mathcal{C}}_{1}=P(G)\times H$ reachable from the states of $Y$ in at most one step is depicted in Figure 2. Since state $(3,\emptyset)$ is marked in $\operatorname{\mathcal{C}}_{1}$ , $G$ is not one-step opaque; indeed, observing the string $ab$ , the intruder reveals that $G$ must have been in the secret state $2$ one step ago.

To illustrate an affirmative case, we again consider the DES $G$ , but this time we assume that the event $c$ is unobservable. We denote by $\tilde{G}$ the DES $G$ where events $a,b$ are observable, the event $c$ is unobservable, state $2$ is secret, and state $4$ is nonsecret. The projected automaton $P(\tilde{G})$ and the observer $\tilde{G}^{obs}$ are depicted in Figure 3. The only state of $\tilde{G}^{obs}$ containing a secret state is the state $X=\{2,4,5\}$ , which results in the set $Y=\{(2,\{4\})\}$ . Again, state $\{4\}$ is not in $\tilde{G}^{obs}$ , and hence we construct the relevant part $\tilde{H}$ of the full observer of $\tilde{G}$ by extending $\tilde{G}^{obs}$ by state $\{4\}$ and all the reachable states from it. The result (without state $\emptyset$ and the transitions to state $\emptyset$ ) is depicted in Figure 3(b), both the solid and the dashed part. The marked part of $\operatorname{\mathcal{C}}_{2}=P(\tilde{G})\times\tilde{H}$ is depicted in Figure 4. Since no state of the form $(\cdot,\emptyset)$ is marked in $\operatorname{\mathcal{C}}_{2}$ , $\tilde{G}$ is one-step opaque.

We now prove the correctness of our algorithm.

Theorem 2.

A DES $G$ is weakly $k$ -step opaque with respect to $Q_{S}$ , $Q_{NS}$ , and $P$ if and only if Algorithm 3 returns true.

Proof 3.1.

If $G=(Q,\Sigma,\delta,I)$ is not weakly $k$ -step opaque, then there is $st\in L(G)$ such that $|P(t)|\leq k$ , $\delta(\delta(I,s)\cap Q_{S},t)\neq\emptyset$ , and $\delta(\delta(I,P^{-1}P(s))\cap Q_{NS},P^{-1}P(t))=\emptyset$ . We have two cases.

(i) If $\delta(I,P^{-1}P(s))\cap Q_{NS}=\emptyset$ , then $G$ is not weakly $k$ -step opaque. Algorithm 3 detects this case, because for the state $X=\delta(I,P^{-1}P(s))$ of the observer of $G$ , we have that $X\cap Q_{S}\supseteq\delta(I,s)\cap Q_{S}\neq\emptyset$ and $X\cap Q_{NS}=\emptyset$ , and hence there is $q\in X\cap Q_{S}$ resulting in adding the pair $(q,\emptyset)$ to the set $Y$ in line 8.

(ii) If $\delta(I,P^{-1}P(s))\cap Q_{NS}=Z\neq\emptyset$ , then all pairs of the form $(\delta(I,P^{-1}P(s))\cap Q_{S})\times\{Z\}$ are added to $Y$ . Since $\delta(\delta(I,s)\cap Q_{S},t)\neq\emptyset$ , there is a pair $(z,Z)\in Y$ such that generating the string $P(t)$ in the automaton $P(G)$ from state $z$ changes the state to a state $q$ . On the other hand, $\delta(Z,P^{-1}P(t))=\emptyset$ implies that generating $P(t)$ in the full observer of $G$ from state $Z$ changes the state to state $\emptyset$ , and hence the pair $(q,\emptyset)$ is reachable in $\operatorname{\mathcal{C}}$ from the state $(z,Z)\in Y$ in at most $|P(t)|\leq k$ steps. In both cases, Algorithm 3 marks $(q,\emptyset)$ , and returns false.

On the other hand, if $G$ is weakly $k$ -step opaque, we show that no pair of the form $(q,\emptyset)$ is reachable in $\operatorname{\mathcal{C}}$ from a state of $Y$ in at most $k$ steps. For the sake of contradiction, we assume that a pair $(q,\emptyset)$ is marked in $\operatorname{\mathcal{C}}$ . However, this means that, in $G$ , there is a string $s$ and a state $z\in Q$ such that $z\in\delta(I,s)\cap Q_{S}$ , the state of the observer of $G$ reached under the string $P(s)$ is $X=\delta(I,P^{-1}P(s))$ , and, for $Z=X\cap Q_{NS}$ , the pair $(q,\emptyset)$ is reachable in $\operatorname{\mathcal{C}}$ from the pair $(z,Z)\in Y$ by a string $w\in\Sigma_{o}^{*}$ of length at most $k$ . In particular, there is a string $t\in P^{-1}(w)$ such that when $G$ generates $t$ , it changes its state from $z$ to $q$ . Therefore, $q\in\delta(\delta(I,s)\cap Q_{S},t)\neq\emptyset$ . However, $\delta(\delta(I,P^{-1}P(s))\cap Q_{NS},P^{-1}(w))=\delta(Z,P^{-1}(w))=\emptyset$ , because generating $w$ in $\operatorname{\mathcal{C}}$ changes the pair $(z,Z)$ to $(q,\emptyset)$ , and hence the full observer of $G$ changes its state from $Z$ to $\emptyset$ when generating $w$ . This shows that $G$ is not weakly $k$ -step opaque, which is a contradiction.

We now discuss the complexity of our algorithm.

Theorem 3.

The space and time complexity of Algorithm 3 is $O(n2^{n})$ and $O((n+m)2^{n})$ , respectively, where $n$ is the number of states of the input DES $G$ and $m$ is the number of transitions of $P(G)$ . In particular, $m\leq\ell n^{2}$ , where $\ell$ is the number of observable events.

Proof 3.2.

Computing the observer and the projected NFA of $G$ , lines 4 and 5, takes time $O(\ell 2^{n})$ and $O(m+n)$ , respectively. The cycle on lines 6–10 takes time $O(n2^{n})$ . Constructing the part $H$ of the full observer of $G$ , line 11, takes time $O(\ell 2^{n})$ . Constructing $\operatorname{\mathcal{C}}$ , line 12, takes time $O(n2^{n}+m2^{n})$ , where $O(n2^{n})$ is the number of states and $O(m2^{n})$ is the number of transitions of $\operatorname{\mathcal{C}}$ . The bounds come from the fact that we create at most $2^{n}$ copies of the automaton $P(G)$ . The BFS takes time linear in the size of $\operatorname{\mathcal{C}}$ , and the condition of line 13 can be processed during the BFS. Since $m\geq\ell$ , the proof is complete.

We now briefly review the complexity of existing algorithms verifying weak $k$ -step opacity. First, notice that the complexity of existing algorithms is exponential, which seems unavoidable because the problem is PSpace-complete, see Balun and Masopust (2021, 2022a) for more details.²²2It is a long-standing open problem of computer science whether PSpace-complete problems can be solved in polynomial time. In particular, Saboori and Hadjicostis (2011) designed an algorithm with complexity $O(\ell(\ell+1)^{k}2^{n})$ , where $n$ is the number of states and $\ell$ is the number of observable events. Considering the verification of weak $\infty$ -step opacity, Saboori and Hadjicostis (2012) designed an algorithm with complexity $O(\ell 2^{n^{2}+n})$ . Yin and Lafortune (2017) introduced the notion of a two-way observer and applied it to the verification of weak $k$ -step opacity with complexity $O(\min\{n2^{2n},n\ell^{k}2^{n}\})$ , and to the verification of weak $\infty$ -step opacity with complexity $O(n2^{2n})$ ; the formulae already include a correction by Lan et al. (2020). Balun and Masopust (2021) designed algorithms verifying weak $k$ -step opacity and weak $\infty$ -step opacity with complexities $O((k+1)2^{n}(n+m\ell^{2}))$ and $O((n+m\ell)2^{n})$ , respectively, where $m\leq\ell n^{2}$ is the number of transitions in the projected automaton. These algorithms outperform the two-way observer if $k$ is polynomial in $n$ or larger than $2^{n}-2$ , since weak $(2^{n}-2)$ -step opacity and weak $\infty$ -step opacity coincide, see Yin and Lafortune (2017). Wintenberg et al. (2022) discussed and experimentally compared four approaches to the verification of weak $k$ -step opacity based on (i) the secret observer, (ii) the reverse comparison, (iii) the state estimator, and (iv) the two-way observer. Their respective state complexities are $O(2^{n(k+3)})$ , $O(n(k+1)3^{n})$ , $O((\ell+1)^{k}2^{n})$ , and $O(\min\{2^{n},\ell^{k}\}2^{n})$ .³³3The state complexity of the two-way observer is correct. The correction of Lan et al. (2020) consists in adding a time bound to compute the intersection of two sets, and hence it does not influence the number of states.

Notice that these bounds are formulated only in the number of states of the constructed automata, disregarding the number of transitions and the time of the construction. Therefore, the time-complexity bounds differ from the state-complexity bounds at least by the factor of $\ell$ , if the constructed automata are deterministic, or by a factor of $m\leq\ell n^{2}$ if the construction of the automaton involves an NFA, such as in the case of the reverse comparison. Namely, the time-complexity bounds are $O(\ell 2^{n(k+3)})$ for the secret observer, where $n$ is the number of states and $\ell$ is the number of observable events, $O((n+m)(k+1)3^{n})$ for the reverse comparison, where $m\leq\ell n^{2}$ is the number of transitions in an involved NFA, $O(\ell(\ell+1)^{k}2^{n})$ for the state estimator, and $O(\min\{n2^{2n},n\ell^{k}2^{n}\})$ for the two-way observer.

As the reader may notice, the above complexities depend on the parameter $k$ . A partial exception is the two-way observer that does not depend on $k$ if $\ell^{k}\geq 2^{n}$ , that is, if $k$ is larger than the number of states divided by the logarithm of the number of observable events.

Since the complexity of Algorithm 3 is $O((n+m)2^{n})$ , where $n$ is the number of states of the input DES $G$ and $m\leq\ell n^{2}$ is the number of transitions of the projected automaton of $G$ , it does not depend on the parameter $k$ and, in general, outperforms the existing algorithms. An exception is the case of a very small parameter $k$ . In particular, if $k<2\log(n)/\log(\ell)$ , the algorithms based on the state estimator and on the two-way observer are, in the worst-case, faster than our algorithm. Notice that this theoretical result agrees with the experimental results of Wintenberg et al. (2022).

4 Verification of Strong k-Step Opacity

Although weak $k$ -step opacity seems confidential enough, Falcone and Marchand (2015) have pointed out that it is actually not as confidential as intuitively expected. Namely, the intruder may realize that the system previously was in a secret state, though it is not able to deduce the exact time when that happened, see Falcone and Marchand (2015) for more details and examples. Consequently, they defined strong $k$ -step opacity as a variation of $k$ -step opacity with a higher level of confidentiality.

Before we recall the definition of strong $k$ -step opacity as formulated by Falcone and Marchand (2015), we illustrate the problem with weak $k$ -step opacity. To this end, we consider the system depicted in Figure 5, where state $2$ is secret and the other states are nonsecret, and where the event $a$ is observable and the event $u$ is unobservable. Observing the string $aa$ , the intruder realizes that the system must have been in the secret state $2$ , though it cannot say whether it was one or two steps ago. Actually, even observing the string $a$ already reveals that the system currently is or one step ago was in the secret state $2$ .

In accordance with Falcone and Marchand (2015), we consider strong $k$ -step opacity only for deterministic DES where all states that are not secret are nonsecret, that is, $Q_{NS}=Q-Q_{S}$ . It means that every state has its own secret/nonsecret status and there are no neutral states.

Definition 4.

Given a deterministic DES $G=(Q,\Sigma,\delta,q_{0})$ and $k\in\mathbb{N}_{\infty}$ . System $G$ is strongly $k$ -step opaque ( $k$ -SSO) with respect to the set $Q_{S}$ of secret states and observation $P\colon\Sigma^{*}\to\Sigma_{o}^{*}$ if for every string $s\in L(G)$ , there exists a string $w\in L(G)$ such that $P(s)=P(w)$ and for every prefix $w^{\prime}$ of $w$ , if $|P(w)|-|P(w^{\prime})|\leq k$ , then $\delta(q_{0},w^{\prime})\notin Q_{S}$ .

Notice that whereas weak $k$ -step opacity prevents the intruder from revealing the exact time when the system was in a secret state during the last $k$ observable steps, strong $k$ -step opacity prevents the intruder from revealing that the system was in a secret state during the last $k$ observable steps.

For an illustration, we again consider the system depicted in Figure 5, where state $2$ is secret and event $u$ is unobservable. The system is weakly one-step opaque, but not strongly one-step opaque, because for $s=aua$ , the only $w$ with the same observation as $s$ is $w=aua$ , and hence the prefixes $w^{\prime}$ for which $|P(w)|-|P(w^{\prime})|\leq 1$ are the strings $w^{\prime}=a$ , $w^{\prime}=au$ , and $w^{\prime}=aua$ . However, for $w^{\prime}=a$ , we obtain that $\delta(1,a)=2\in Q_{S}$ , which violates the definition of strong one-step opacity.

In fact, the system is neither strongly 0-step opaque, because for $s=au$ , the only $w$ with the same observation as $s$ are the strings $au$ and $a$ , and therefore the prefixes $w^{\prime}$ for which $|P(w)|-|P(w^{\prime})|\leq 0$ is either $w^{\prime}=a$ or $w^{\prime}=au$ . However, for $w^{\prime}=a$ , we obtain that $\delta(1,a)=2\in Q_{S}$ , which violates the definition of strong $0$ -step opacity. On the other hand, the system is obviously current-state opaque. Consequently, the notions of strong 0-step opacity and current-state opacity⁴⁴4Current-state opacity is a synonym for weak 0-step opacity. do not coincide.

We show in Theorem 8 below that unobservable transitions from secret states to nonsecret states, as in our example, are the only issues making the difference between strong 0-step opacity and weak 0-step (current-state) opacity. To this end, we define the notion of a normal DES.

4.1 Normalization

In what follows, we call the systems where there are no unobservable transitions from secret states to nonsecret states normal. For systems that are not normal, we provide a construction to normalize them, that is, we eliminate unobservable transitions from secret states to nonsecret states without affecting the property of being strongly $k$ -step opaque.

Construction 5.

Let $G=(Q,\Sigma,\delta,q_{0})$ be a deterministic DES, $k\in\mathbb{N}_{\infty}$ , $Q_{S}\subseteq Q$ be the set of secret states, and $P\colon\Sigma^{*}\to\Sigma_{o}^{*}$ be the observations. We construct

G_{norm}=(Q_{n},\Sigma,\delta_{n},q_{0})

where $Q_{n}=Q\cup Q^{\prime}$ for $Q^{\prime}=\{q^{\prime}\mid q\in Q\}$ being a disjoint copy of $Q$ , and the transition function $\delta_{n}$ is defined as follows. We initialize $\delta_{n}:=\delta$ and further modify it in the following four steps:

1.

For every $p\in Q_{S}$ , $q\in Q_{NS}$ , and $u\in\Sigma_{uo}$ , we replace the transition $(p,u,q)$ by $(p,u,q^{\prime})$ in $\delta_{n}$ .
2.

For every unobservable transition $(p,u,q)$ in $\delta$ , that is, $u\in\Sigma_{uo}$ , we add the transition $(p^{\prime},u,q^{\prime})$ to $\delta_{n}$ .
3.

For every observable transition $(q,a,r)$ in $\delta$ , that is, $a\in\Sigma_{o}$ , we add the transition $(q^{\prime},a,r)$ to $\delta_{n}$ .
4.

We remove unreachable states and corresponding transitions.

The set of secret states of $G_{norm}$ is the set $Q_{n}^{S}=Q_{S}\cup Q^{\prime}$ . $\diamond$

In the sequel, we call $G_{norm}$ the normalization of $G$ . If $G$ and $G_{norm}$ coincide, we say that $G$ is normal.

To illustrate Construction 5, consider the system depicted in Figure 6 (left). Its normalization $G_{norm}$ is depicted in the same figure (right). States $2$ and $3$ of $G$ are secret, events $a$ and $b$ are observable, and $u$ is unobservable. The normalization $G_{norm}$ of $G$ initially contains five new secret states $1^{\prime}$ , $2^{\prime}$ , $3^{\prime}$ , $4^{\prime}$ , $5^{\prime}$ . Step (1) of Construction 5 replaces transitions $(2,u,4)$ and $(3,u,4)$ by $(2,u,4^{\prime})$ and $(3,u,4^{\prime})$ , respectively, step (2) adds four unobservable transitions $(1^{\prime},u,2^{\prime})$ , $(2^{\prime},u,4^{\prime})$ , $(3^{\prime},u,4^{\prime})$ , and $(4^{\prime},u,5^{\prime})$ , and step (3) adds the observable transitions $(1^{\prime},a,3)$ , $(2^{\prime},a,4)$ , $(4^{\prime},a,5)$ and $(5^{\prime},b,5)$ . Finally, step (4) eliminates unreachable states $1^{\prime}$ , $2^{\prime}$ , $3^{\prime}$ , and the corresponding transitions.

The following lemma compares the behaviors of $G$ and its normalization $G_{norm}$ .

Lemma 6.

Let $G=(Q,\Sigma,\delta,q_{0})$ be a deterministic DES, and let $Q_{S}\subseteq Q$ be the set of secret states. Let $G_{norm}$ be the normalization of $G$ obtained by Construction 5. Then, for every $w\in\Sigma^{*}$ and $a\in\Sigma$ , the following holds:

1.

For $a\in\Sigma_{uo}$ , $\delta(q_{0},wa)=p$ if and only if $\delta_{n}(q_{0},wa)\in\{p,p^{\prime}\}$ , where $p^{\prime}\in Q^{\prime}$ is a copy of $p\in Q$ ;
2.

For $a\in\Sigma_{o}$ , $\delta(q_{0},wa)=\delta_{n}(q_{0},wa)$ ;
3.

$L(G)=L(G_{norm})$ .

Proof 4.1.

We prove (1) and (2) by induction on the length of $w$ . The induction hypothesis is that either $\delta(q_{0},w)=p=\delta_{n}(q_{0},w)$ , or $\delta(q_{0},w)=p$ and $\delta_{n}(q_{0},w)=p^{\prime}$ .

To prove (1), let $a$ be unobservable. We first consider the case $\delta(q_{0},w)=\delta_{n}(q_{0},w)=p$ . First, if $p$ is nonsecret, Construction 5 adds every transition $(p,a,q)\in\delta$ to $\delta_{n}$ . On the other hand, if $p$ is secret, $\delta_{n}$ contains the transition $(p,a,q^{\prime})$ for every transition $(p,a,q)\in\delta$ with $q\in Q_{NS}$ , and the transition $(p,a,q)$ for every transition $(p,a,q)\in\delta$ with $q\in Q_{S}$ . In both cases, Construction 5 adds no other transition from state $p$ to $\delta_{n}$ , and hence $\delta(q_{0},wa)=\delta(p,a)=q$ if and only if $\delta_{n}(q_{0},wa)=\delta_{n}(p,a)\in\{q,q^{\prime}\}$ . Notice that this case also covers the base case of the induction, since for $w=\varepsilon$ , $\delta(q_{0},w)=\delta_{n}(q_{0},w)=q_{0}$ .

Now, we consider the case $\delta_{n}(q_{0},w)=p^{\prime}$ and $\delta(q_{0},w)=p$ . Since Construction 5 adds the transition $(p^{\prime},a,q^{\prime})$ to $\delta_{n}$ for every unobservable transition $(p,a,q)\in\delta$ , we have that $\delta(q_{0},wa)=\delta(p,a)=q$ if and only if $\delta_{n}(q_{0},wa)=\delta_{n}(p^{\prime},a)=q^{\prime}$ .

To prove (2), let $a$ be observable. We first consider the case $\delta(q_{0},w)=\delta_{n}(q_{0},w)=p$ . Then, from the state $p$ , Construction 5 adds to $\delta_{n}$ all and only the observable transitions of $\delta$ , and hence $\delta(p,a)=\delta_{n}(p,a)$ .

Now, we consider the case $\delta_{n}(q_{0},w)=p^{\prime}$ and $\delta(q_{0},w)=p$ . Then, Construction 5 adds the transition $(p^{\prime},a,q)$ to $\delta_{n}$ for every observable transition $(p,a,q)\in\delta$ , and therefore $\delta(q_{0},wa)=\delta(p,a)=\delta_{n}(p^{\prime},a)=\delta_{n}(q_{0},wa)$ .

Finally, $L(G)=L(G_{norm})$ of (3) follows from (1) and (2), since, for every $w\in\Sigma^{*}$ , $\delta(q_{0},w)$ is undefined if and only if $\delta_{n}(q_{0},w)$ is undefined.

The following lemma describes the meaning of normalization and states the main properties of a normalized DES.

Lemma 7.

For a deterministic DES $G=(Q,\Sigma,\delta,q_{0})$ , $k\in\mathbb{N}_{\infty}$ , the set of secret states $Q_{S}$ , and the observation $P\colon\Sigma^{*}\to\Sigma_{o}^{*}$ , let $G_{norm}$ be the normalization of $G$ obtained by Construction 5. Then, the following holds true:

1.

$G_{norm}$ is deterministic;
2.

In $G_{norm}$ , there is no nonsecret state reachable from a secret state by a sequence of unobservable events, that is, $\delta_{n}(Q_{n}^{S},P^{-1}(\varepsilon))\cap(Q_{n}-Q_{n}^{S})=\emptyset$ ;
3.

$G$ is $k$ -SSO with respect to $Q_{S}$ and $P$ if and only if $G_{norm}$ is $k$ -SSO with respect to $Q_{n}^{S}$ and $P$ .

Proof 4.2.

To prove $(1)$ , we analyze the steps of Construction 5 creating $\delta_{n}$ . First, $\delta_{n}$ is defined as $\delta$ , which is deterministic. Then, step (1) replaces some unobservable transitions, which is an operation that preserves determinism of $\delta_{n}$ . Step (2) adds the transition $(p^{\prime},u,q^{\prime})$ for every unobservable transition $(p,u,q)$ in $G$ . Similarly, step (3) adds the transition $(q^{\prime},a,p)$ for every observable transition $(q,a,p)$ in $G$ . Since $G$ is deterministic, steps (2) and (3) preserve determinism. Altogether, $G_{norm}$ is deterministic.

To prove $(2)$ , step (1) of Construction 5 replaces all unobservable transitions from a secret state to a nonsecret state by transitions from a secret state to a new secret state. Step (2) adds unobservable transitions only between the new states, which are all secret. Since no unobservable transition is defined from the new states to the old states, there is no nonsecret state in $G_{norm}$ reachable from a secret state by a sequence of unobservable events.

To prove the first direction of $(3)$ , we assume that $G$ is $k$ -SSO with respect to $Q_{S}$ and $P$ , and show that then $G_{norm}$ is $k$ -SSO with respect to $Q_{n}^{S}$ and $P$ . To this end, we show that for every string $s\in L(G_{norm})$ , there exists a string $w\in L(G_{norm})$ such that $P(s)=P(w)$ and, for every prefix $w^{\prime}$ of $w$ , if $|P(w)|-|P(w^{\prime})|\leq k$ , then $\delta_{n}(q_{0},w^{\prime})\not\in Q_{n}^{S}$ . Thus, let $s\in L(G_{norm})$ be an arbitrary string. Then, by Lemma 6, $s\in L(G_{norm})=L(G)$ , and since $G$ is $k$ -SSO with respect to $Q_{S}$ and $P$ , there is a string $\tilde{w}\in L(G)$ such that $P(s)=P(\tilde{w})$ and, for every prefix $\tilde{w}^{\prime}$ of $\tilde{w}$ , if $|P(\tilde{w})|-|P(\tilde{w}^{\prime})|\leq k$ , then $\delta(q_{0},\tilde{w}^{\prime})\not\in Q_{S}$ . By defining $w=\tilde{w}$ , we obtain that the string $w\in L(G)=L(G_{norm})$ and that $P(s)=P(w)$ . It remains to show that for every prefix $w^{\prime}$ of $w$ , if $|P(w)|-|P(w^{\prime})|\leq k$ , then $\delta_{n}(q_{0},w^{\prime})\not\in Q_{n}^{S}$ . To this end, let $xy=w$ be the decomposition of $w$ , where $x$ is the shortest prefix of $w$ such that $|P(w)|-|P(x)|\leq k$ . Then, $x$ is either empty or ends with an observable event. Hence, by Lemma 6, $\delta(q_{0},x)=\delta_{n}(q_{0},x)=q\in Q$ in $G$ . However, for every prefix $y^{\prime}$ of $y$ , the string $xy^{\prime}$ is a prefix of $\tilde{w}$ satisfying $|P(\tilde{w})|-|P(xy^{\prime})|\leq k$ , and hence $\delta(q_{0},xy^{\prime})\notin Q_{S}$ . In other words, the computation of $\delta(q,y)$ in $G$ does not go through a secret state, and therefore the same sequence of transitions exists in $G_{norm}$ , that is, $\delta(q_{0},xy^{\prime})=\delta_{n}(q_{0},xy^{\prime})\notin Q_{n}^{S}=Q_{S}\cup Q^{\prime}$ . Since every prefix $w^{\prime}$ of $w$ satisfying $|P(w)|-|P(w^{\prime})|\leq k$ is of the form $w^{\prime}=xy^{\prime}$ , where $y^{\prime}$ is a prefix of $y$ , we have shown that $\delta_{n}(q_{0},w^{\prime})\notin Q_{n}^{S}$ , which was to be shown.

To prove the other direction, we assume that $G$ is not $k$ -SSO with respect to $Q_{S}$ and $P$ , and show that neither the $G_{norm}$ is $k$ -SSO with respect to $Q_{n}^{S}$ and $P$ . To this end, let $s\in L(G)$ be a string violating $k$ -SSO in $G$ ; that is, for every $w\in L(G)$ such that $P(s)=P(w)$ , there exists a prefix $w^{\prime}$ of $w$ such that $|P(w)|-|P(w^{\prime})|\leq k$ and $\delta(q_{0},w^{\prime})=q_{w}\in Q_{S}$ . However, by Lemma 6, $w\in L(G_{norm})=L(G)$ and $\delta_{n}(q_{0},w^{\prime})\in\{q_{w},q_{w}^{\prime}\}$ . Since both states $q_{w},q_{w}^{\prime}\in Q_{n}^{S}=Q_{S}\cup Q^{\prime}$ are secret in $G_{norm}$ , we conclude that $G_{norm}$ is not $k$ -SSO with respect to $Q_{n}^{S}$ and $P$ .

4.2 Weak versus Strong 0-Step Opacity

In this section, we discuss the relationship between strong $0$ -step opacity and weak $0$ -step (current-state) opacity for normal deterministic DES. The following result characterizes the relationship between these two notions and fixes the claim of Ma et al. (2021) stating that strong 0-step opacity reduces to current-state opacity, which is not the case as shown in the example of Figure 5.

Theorem 8.

A normal deterministic DES $G=(Q,\Sigma,\delta,q_{0})$ is strongly $0$ -step opaque with respect to $Q_{S}$ and $P$ if and only if $G$ is weakly $0$ -step opaque with respect to $Q_{S}$ , $Q_{NS}=Q-Q_{S}$ , and $P$ .

Proof 4.3.

We first assume that $G=(Q,\Sigma,\delta,q_{0})$ is $0$ -SSO with respect to $Q_{S}$ and $P$ . To show that $G$ is $0$ -SO with respect to $Q_{S}$ and $P$ , let $st\in L(G)$ be such that $|P(t)|\leq 0$ and $\delta(q_{0},s)\in Q_{S}$ . Since $st\in L(G)$ and $G$ is deterministic, $\delta(q_{0},st)$ is defined. Therefore, we need to show that there is a string $s^{\prime}t^{\prime}\in L(G)$ such that $P(s)=P(s^{\prime})$ , $P(t)=P(t^{\prime})$ , and $\delta(q_{0},s^{\prime})\in Q_{NS}=Q-Q_{S}$ . However, since $G$ is $k$ -SSO with respect to $Q_{S}$ and $P$ , there is a string $w\in L(G)$ such that $P(w)=P(st)$ and, for every prefix $w^{\prime}$ of $w$ with $|P(w)|-|P(w^{\prime})|=0$ , $\delta(q_{0},w^{\prime})\in Q-Q_{S}$ . Let $w^{\prime}$ be any, but fixed, such prefix of $w$ . We set $s^{\prime}=w^{\prime}$ and $s^{\prime}t^{\prime}=w$ . Then, $P(s^{\prime})=P(w^{\prime})=P(w)=P(st)=P(s)$ , $P(t^{\prime})=\varepsilon=P(t)$ , and $\delta(q_{0},s^{\prime})=\delta(q_{0},w^{\prime})\in Q-Q_{S}=Q_{NS}$ . Thus, we have shown that $G$ is $0$ -SO with respect to $Q_{S}$ and $P$ .⁵⁵5Notice that the proof does not hold if we admit neutral states, that is, $Q_{NS}\neq Q-Q_{S}$ . However, it is not the case in this paper.

For the other direction, we assume that $G$ is not $0$ -SSO with respect to $Q_{S}$ and $P$ . To show that $G$ is neither $0$ -SO with respect to $Q_{S}$ and $P$ , we need to find a string $st\in L(G)$ with $|P(t)|\leq 0$ and $\delta(q_{0},s)\in Q_{S}$ such that, for every string $s^{\prime}t^{\prime}\in L(G)$ with $P(s)=P(s^{\prime})$ and $P(t)=P(t^{\prime})$ , the state $\delta(q_{0},s^{\prime})\in Q_{S}$ . However, from the assumption that $G$ is not $0$ -SSO with respect to $Q_{S}$ and $P$ , we have a string $st\in L(G)$ such that $\delta(q_{0},s)\in Q_{S}$ , $|P(t)|\leq 0$ , and, for every string $w\in L(G)$ with $P(st)=P(w)$ , there is a prefix $w^{\prime}$ of $w$ such that $|P(w)|-|P(w^{\prime})|=0$ and $\delta(q_{0},w^{\prime})\in Q_{S}$ . To complete the proof, we show that for every $s^{\prime}t^{\prime}\in L(G)$ with $P(s)=P(s^{\prime})$ and $P(t)=P(t^{\prime})$ , the state $\delta(q_{0},s^{\prime})$ is secret. To this end, let $xy=s^{\prime}t^{\prime}$ be the decomposition of $s^{\prime}t^{\prime}$ such that $y$ is the longest suffix of $s^{\prime}t^{\prime}$ consisting only of unobservable events. Notice that $x$ is a prefix of $s^{\prime}$ , because $P(t^{\prime})=P(t)=\varepsilon$ . Since $P(st)=P(x)$ , there must be a prefix $x^{\prime}$ of $x$ such that $|P(x)|-|P(x^{\prime})|=0$ and $\delta(q_{0},x^{\prime})\in Q_{S}$ . However, the last event of $x$ is observable, and hence the only prefix $x^{\prime}$ of $x$ for which $|P(x)|-|P(x^{\prime})|=0$ is $x^{\prime}=x$ , and therefore $\delta(q_{0},x)=\delta(q_{0},x^{\prime})\in Q_{S}$ . Since $G$ is normal, there are no nonsecret states reachable from the secret state $\delta(q_{0},x)$ under a sequence of unobservable events. In particular, $\delta(q_{0},s^{\prime})=\delta(q_{0},xy^{\prime})\in Q_{S}$ , where $y^{\prime}$ is a prefix of $y$ for which $s^{\prime}=xy^{\prime}$ ; recall that $y$ is the longest suffix of $s^{\prime}t^{\prime}$ consisting only of unobservable events. Thus, we have shown that $G$ is not $0$ -SO.

4.3 Weak versus Strong k-Step Opacity

In this section, we show how to reduce strong $k$ -step opacity to weak $k$ -step opacity. In the construction, we assume that $G$ is a normal deterministic DES. By Lemma 7, this assumption is without loss of generality, because if $G$ is not normal, then we can consider $G_{norm}$ instead.

Construction 9.

Let $G=(Q,\Sigma,\delta,q_{0})$ be a normal deterministic DES, $P\colon\Sigma^{*}\to\Sigma_{o}^{*}$ be the observation projection, and $Q_{S}$ be the set of secret states. We construct

G^{\prime}=(Q\cup Q_{NS}^{\prime},\Sigma\cup\{u\},\delta^{\prime},q_{0})

as a disjoint union of $G$ and $G_{ns}=(Q_{NS}^{\prime},\Sigma,\delta_{ns},q_{0}^{\prime})$ , where $G_{ns}$ is obtained from $G$ by removing all secret states and corresponding transitions, and $Q_{NS}^{\prime}=\{q^{\prime}\mid q\in Q_{NS}\}$ is a copy of $Q_{NS}$ disjoint from $Q$ . We use a new unobservable event $u$ to connect $G_{ns}$ to $G$ so that we initialize $\delta^{\prime}:=\delta\cup\delta_{ns}$ and extend $\delta^{\prime}$ by additional transitions $(q,u,q^{\prime})$ for every $q\in Q_{NS}$ , cf. Figure 7 for an illustration. The states of $Q_{NS}^{\prime}$ are the only nonsecret states of $G^{\prime}$ , that is, the set of secret states of $G^{\prime}$ is the set $Q_{S}^{\prime}=Q$ . Finally, we define the projection $P^{\prime}\colon(\Sigma\cup\{u\})^{*}\to\Sigma_{o}^{*}$ . $\diamond$

The following theorem describes the relationship between strong $k$ -step opacity and weak $k$ -step opacity, and justifies the correctness of Algorithm 4.4 below.

Theorem 10.

Let $G=(Q,\Sigma,\delta,q_{0})$ be a normal deterministic DES, and let $G^{\prime}$ be the DES obtained from $G$ by Construction 9. Then, $G$ is strongly $k$ -step opaque with respect to $Q_{S}$ and $P$ if and only if $G^{\prime}$ is weakly $k$ -step opaque with respect to $Q_{S}^{\prime}$ , $Q_{NS}^{\prime}$ , and $P^{\prime}$ , where $Q_{S}^{\prime}$ , $Q_{NS}^{\prime}$ , and $P^{\prime}$ are defined in Construction 9.

Proof 4.4.

For the first implication, we assume that $G$ is $k$ -SSO with respect to $Q_{S}$ and $P$ , and we show that $G^{\prime}$ is $k$ -SO with respect to $Q_{S}^{\prime}$ , $Q_{NS}^{\prime}$ , and $P^{\prime}$ . To this end, let $st\in L(G^{\prime})$ be such that $|P^{\prime}(t)|\leq k$ and $\delta^{\prime}(q_{0},s)\in Q_{S}^{\prime}$ . We need to show that there is a string $s^{\prime}t^{\prime}\in L(G^{\prime})$ such that $P^{\prime}(s)=P^{\prime}(s^{\prime})$ , $P^{\prime}(t)=P^{\prime}(t^{\prime})$ , and $\delta^{\prime}(q_{0},s^{\prime})\in Q_{NS}^{\prime}$ .

Let $P_{u}$ denote the projection that removes every occurrence of event $u$ , that is, $P_{u}(a)=a$ for $a\in\Sigma$ , and $P_{u}(u)=\varepsilon$ . We first show that $P_{u}(st)\in L(G)$ . Indeed, if $st$ does not contain $u$ , then $P_{u}(st)=st\in L(G)$ . If $st$ contains $u$ , then, by the construction of $G^{\prime}$ , any string of $L(G^{\prime})$ contains at most one occurrence of $u$ . Since $\delta^{\prime}(q_{0},s)\in Q_{S}^{\prime}$ , we have that $u$ occurs in $t$ . Let $st=st_{1}ut_{2}$ . Then, there are states $p,r\in Q$ in $G^{\prime}$ such that $\delta^{\prime}(q_{0},st_{1})=p$ , $\delta^{\prime}(p,u)=p^{\prime}$ , and $\delta^{\prime}(p^{\prime},t_{2})=r^{\prime}$ . However, by the construction, this means that $\delta(q_{0},st_{1})=p$ and $\delta(p,t_{2})=r$ in $G$ , and hence $P_{u}(st)=st_{1}t_{2}\in L(G)$ .

Since $G$ is $k$ -SSO with respect to $Q_{S}$ and $P$ , there exists a string $w\in L(G)$ such that $P(P_{u}(st))=P(w)$ and, for every prefix $w^{\prime}$ of $w$ , if $|P(w)|-|P(w^{\prime})|\leq k$ , then $\delta(q_{0},w^{\prime})\notin Q_{S}$ . Since $P^{\prime}(st)=P(P_{u}(st))=P(w)$ , we define $xy=w$ to be a (fixed) decomposition of $w$ such that $P^{\prime}(s)=P(x)$ and $P^{\prime}(t)=P(y)$ . Then, $|P(w)|-|P(x)|=|P^{\prime}(st)|-|P^{\prime}(s)|=|P^{\prime}(t)|\leq k$ , which implies that $\delta(q_{0},x)=\delta^{\prime}(q_{0},x)=q$ for some state $q$ that is not secret in $G$ . Therefore, the transition $(q,u,q^{\prime})\in\delta^{\prime}$ , and hence $\delta^{\prime}(q_{0},xu)=q^{\prime}\in Q_{NS}^{\prime}$ . Since the state $\delta(q_{0},xy^{\prime})\notin Q_{S}$ for every prefix $y^{\prime}$ of $y$ , because $xy^{\prime}$ is a prefix of $w$ with $|P(w)|-|P(xy^{\prime})|\leq k$ , the computation of $\delta(q,y)$ in $G$ does not go through a secret state. Therefore, the same sequence of transitions is enabled in $G^{\prime}$ from state $q^{\prime}$ . Setting now $s^{\prime}=xu$ and $t^{\prime}=y$ implies that $P^{\prime}(s)=P^{\prime}(s^{\prime})$ , $P^{\prime}(t)=P^{\prime}(t^{\prime})$ , $\delta^{\prime}(q_{0},s^{\prime})\in Q_{NS}^{\prime}$ , and $\delta^{\prime}(q_{0},s^{\prime}t^{\prime})$ is defined, which proves that $G^{\prime}$ is weakly $k$ -step opaque.

To prove the other direction, we assume that $G$ is not $k$ -SSO with respect to $Q_{S}$ and $P$ , and we show that $G^{\prime}$ is not $k$ -SO with respect to $Q_{S}^{\prime}$ , $Q_{NS}^{\prime}$ , and $P^{\prime}$ . To this end, we need to show that there is a string $st\in L(G^{\prime})$ such that $|P^{\prime}(t)|\leq k$ , $\delta^{\prime}(q_{0},s)\in Q_{S}^{\prime}$ , and for every $s^{\prime}t^{\prime}\in L(G^{\prime})$ such that $P^{\prime}(s)=P^{\prime}(s^{\prime})$ and $P^{\prime}(t)=P^{\prime}(t^{\prime})$ , the state $\delta^{\prime}(q_{0},s^{\prime})\notin Q_{NS}^{\prime}$ .

However, since $G$ is not $k$ -SSO with respect to $Q_{S}$ and $P$ , there exists a string $v\in L(G)$ such that, for every string $w\in L(G)$ with $P(w)=P(v)$ , there is a prefix $w^{\prime}$ of $w$ such that $|P(w)|-|P(w^{\prime})|\leq k$ and $\delta(q_{0},w^{\prime})\in Q_{S}$ . In particular, there is a prefix $v^{\prime}$ of $v$ such that $|P(v)|-|P(v^{\prime})|\leq k$ and $\delta(q_{0},v^{\prime})\in Q_{S}$ .

Let $xy=v$ be the decomposition of $v$ such that $y$ is the longest suffix of $v$ containing at most $k$ observable events. We set $s=x$ and $t=y$ , for which we have that $|P(t)|\leq k$ , $\delta^{\prime}(q_{0},st)$ is defined, and, since neither $s$ nor $t$ contains the event $u$ , the state $\delta^{\prime}(q_{0},s)\in Q_{S}^{\prime}$ . It remains to show that for every string $s^{\prime}t^{\prime}\in L(G^{\prime})$ with $P^{\prime}(s^{\prime})=P^{\prime}(s)$ and $P^{\prime}(t^{\prime})=P^{\prime}(t)$ , the state $\delta^{\prime}(q_{0},s^{\prime})\notin Q_{NS}^{\prime}$ . We distinguish two cases.

In the first case, we assume that $\delta(q_{0},P^{-1}P(s))\cap Q_{NS}=\emptyset$ , and we consider any string $s^{\prime}t^{\prime}\in L(G^{\prime})$ such that $P^{\prime}(s^{\prime})=P^{\prime}(s)$ and $P^{\prime}(t^{\prime})=P^{\prime}(t)$ . If $s^{\prime}$ does not contain the event $u$ , then $s^{\prime}\in P^{-1}P(s)$ , and therefore $\delta^{\prime}(q_{0},s^{\prime})=\delta(q_{0},s^{\prime})\in Q_{S}\subseteq Q_{S}^{\prime}$ . If, on the other hand, $s^{\prime}$ contains the event $u$ , then $s^{\prime}=s_{1}us_{2}$ where neither $s_{1}$ nor $s_{2}$ contains the event $u$ . But then $\delta^{\prime}(q_{0},s^{\prime})=r^{\prime}$ , where $r^{\prime}$ is a copy of $r=\delta(q_{0},s_{1}s_{2})$ . Since $s_{1}s_{2}\in P^{-1}P(s)$ , the state $r=\delta(q_{0},s_{1}s_{2})\in Q_{S}$ , and hence $r^{\prime}\notin Q_{NS}^{\prime}$ by construction. In both cases, $\delta^{\prime}(q_{0},s^{\prime})\notin Q_{NS}^{\prime}$ , which was to be shown.

In the second case, let $\delta(q_{0},P^{-1}P(s))\cap Q_{NS}=Z\neq\emptyset$ , and consider any string $s^{\prime}t^{\prime}\in L(G^{\prime})$ with $P^{\prime}(s^{\prime})=P^{\prime}(s)$ and $P^{\prime}(t^{\prime})=P^{\prime}(t)$ . Using the projection $P_{u}$ removing the event $u$ , we set $z:=P_{u}(s^{\prime}t^{\prime})\in L(G)$ . Recall that the string $st$ does not contain the event $u$ , that is, $P^{\prime}(st)=P(st)$ , and therefore $P(z)=P(P_{u}(s^{\prime}t^{\prime}))=P^{\prime}(s^{\prime}t^{\prime})=P^{\prime}(st)=P(st)=P(v)$ . Since $G$ is not $k$ -SSO with respect to $Q_{S}$ and $P$ , there is a prefix $z^{\prime}$ of $z$ such that $|P(z)|-|P(z^{\prime})|\leq k$ and $q_{s}:=\delta(q_{0},z^{\prime})\in Q_{S}$ . In particular, by the choice of $s$ , we have that $|P(s)|\leq|P(z^{\prime})|$ . Furthermore, $G$ is normal, and hence there is no nonsecret state reachable from the secret state $q_{s}$ by a sequence of unobservable events.

In particular, the prefix $P_{u}(s^{\prime})$ of the string $z=P_{u}(s^{\prime})P_{u}(t^{\prime})$ satisfies $P(P_{u}(s^{\prime}))=P^{\prime}(s^{\prime})=P^{\prime}(s)=P(s)$ , where the last equality comes from the fact that $s$ does not contain the event $u$ . Then $P_{u}(s^{\prime})\in P^{-1}P(s)$ , and hence if $\delta(q_{0},P_{u}(s^{\prime}))\in Q_{NS}$ , then $\delta(q_{0},P_{u}(s^{\prime}))\in Q_{NS}\cap Z$ . Thus, assume that $\delta(q_{0},P_{u}(s^{\prime}))\in Q_{NS}\cap Z$ . Then, the string $P_{u}(s^{\prime})$ is a strict prefix of $z^{\prime}$ ; otherwise, if $z^{\prime}$ was a strict prefix of $P_{u}(s^{\prime})$ , then we would have that $|P(z^{\prime})|\leq|P(P_{u}(s^{\prime}))|=|P(s)|$ , which, together with $|P(s)|\leq|P(z^{\prime})|$ , would give that $|P(z^{\prime})|=|P(P_{u}(s^{\prime}))|=|P(s)|$ , and hence the nonsecret state $q_{ns}=\delta(q_{0},P_{u}(s^{\prime}))$ would be reachable from the secret state $q_{s}$ by a sequence of unobservable events, which is a contradiction with the normality of $G$ . Consequently, generating the string $P_{u}(t^{\prime})$ from the state $q_{ns}$ , $G$ must go through the secret state $q_{s}$ . In other words, $q_{s}$ is reachable from the state $q_{ns}$ by a prefix of $P_{u}(t^{\prime})$ .

Thus, in $G^{\prime}$ , state $\delta^{\prime}(q_{0},s^{\prime})\in\{q_{ns},q_{ns}^{\prime}\}$ , where $q_{ns}^{\prime}\in Z^{\prime}=\{q^{\prime}\mid q\in Z\}\subseteq Q_{NS}^{\prime}$ . If $\delta^{\prime}(q_{0},s^{\prime})=q_{ns}\in Q_{S}^{\prime}$ , we are done. If $\delta^{\prime}(q_{0},s^{\prime})=q_{ns}^{\prime}\in Q_{NS}^{\prime}$ , we show that $\delta^{\prime}(q_{ns}^{\prime},t^{\prime})$ is undefined, which contradicts the assumption that $s^{\prime}t^{\prime}\in L(G^{\prime})$ , and hence $\delta^{\prime}(q_{0},s^{\prime})=q_{ns}^{\prime}\in Q_{NS}^{\prime}$ cannot happen. Indeed, if $\delta^{\prime}(q_{0},s^{\prime})\in Q_{NS}^{\prime}$ , then $P_{u}(t^{\prime})=t^{\prime}$ . Since the computation of $\delta(q_{ns},t^{\prime})=\delta(q_{ns},P_{u}(t^{\prime}))$ in $G$ goes through the secret state $q_{s}$ , the computation of $\delta^{\prime}(q_{ns}^{\prime},t^{\prime})$ in $G^{\prime}$ has to go through the state $q_{s}^{\prime}$ , which is the primed copy of the state $q_{s}$ . But the computation $\delta^{\prime}(q_{ns}^{\prime},t^{\prime})$ is performed in the automaton $G_{ns}$ , which is obtained from $G$ by removing all secret states and corresponding transitions. Since $q_{s}^{\prime}$ is a copy of a secret state, it does not exist in $G_{ns}$ , and hence it does not belong to $Q_{NS}^{\prime}$ . Therefore, $\delta^{\prime}(q_{ns}^{\prime},t^{\prime})$ is undefined.

We have thus shown that $G^{\prime}$ is not $k$ -step opaque.

Both Construction 5 and Construction 9 are polynomial and preserve the number of observable events. Therefore, Theorem 10 and the existing results (Balun and Masopust, 2021, Table 1) immediately imply the following result.

Theorem 11.

Deciding whether a given deterministic DES $G$ is strongly $k$ -step opaque is (i) coNP-complete if $G$ has only a single observable event, and (ii) PSpace-complete if $G$ has at least two observable events. ∎

The motivation to consider the case of a single observable event comes from the timed discrete-event systems framework of Brandin and Wonham (1994), where the only observable event is the tick of the global clock.

4.4 Verifying Strong k-Step Opacity

Theorem 10 gives us a clue how to verify strong $k$ -step opacity of a given deterministic DES with the help of the verification algorithm for weak $k$ -step opacity from Section 3. This idea is formulated as Algorithm 4.4. Before analyzing the complexity of Algorithm 4.4 and comparing it with the existing algorithms, we illustrate it by two examples.

{algorithm}

Verification of strong $k$ -step opacity

1:A deterministic DES

G=(Q,\Sigma,\delta,q_{0})

Q_{S}\subseteq Q

\Sigma_{o}\subseteq\Sigma

, and

k\in\mathbb{N}_{\infty}

2:true if and only if

G

is strongly

k

-step opaque with respect to

Q_{S}

and

P\colon\Sigma^{*}\to\Sigma_{o}^{*}

3:Let

G_{norm}

be the normalization of

G

by Construction 5

4:Transform

G_{norm}

G^{\prime}

by Construction 9

5:Use Algorithm 3 on

G^{\prime}

with the set of secret states

Q_{S}^{\prime}

, the set of nonsecret states

Q_{NS}^{\prime}

, observable events

\Sigma_{o}

, and

k

6:return the answer of Algorithm 3

As the first example, we adopt the DES $G$ from Falcone and Marchand (2015) depicted in Figure 8 (left), where events $a$ , $b$ , $c$ are observable, event $u_{1}$ is unobservable, and states $4$ and $6$ are secret. Falcone and Marchand (2015) claimed that $G$ is strongly one-step opaque. However, it is not the case, as we show by using our transformation to weak $k$ -step opacity.

Since $G$ is normal, Algorithm 4.4 proceeds directly to the application of Construction 9, which results in the DES $G^{\prime}$ depicted in Figure 8 (right). Namely, $G^{\prime}$ was constructed from $G$ by adding six new nonsecret states and one new unobservable event $u_{2}$ , and by making states $1$ through $8$ secret, that is, $Q_{S}^{\prime}=\{1,2,3,4,5,6,7,8\}$ and $Q_{NS}^{\prime}=\{1^{\prime},2^{\prime},3^{\prime},5^{\prime},7^{\prime},8^{\prime}\}$ . Applying Algorithm 3 to $G^{\prime}$ , $Q_{S}^{\prime}$ , $Q_{NS}^{\prime}$ , $\Sigma_{o}=\{a,b,c\}$ , and $k=1$ results in the observer $G^{\prime obs}$ of $G^{\prime}$ and the automaton $H$ depicted in Figure 9.

The set $Y$ and the part of $\operatorname{\mathcal{C}}_{1}=P(G^{\prime})\times H$ reachable from the states of $Y$ in one step are depicted in Figure 10. Since, e.g., state $(2,\emptyset)$ is reachable in $\operatorname{\mathcal{C}}_{1}$ in one step from the state $(4,\{8^{\prime}\})\in Y$ , $G^{\prime}$ is not weakly one-step opaque. By Theorem 10, $G$ is not strongly one-step opaque. Indeed, observing the string $abac$ in $G$ , the intruder reveals that $G$ is either in the secret state $6$ at that time instant or must have been in the secret state $4$ one step ago.

As the second example, we consider the DES $\tilde{G}$ obtained from $G$ by replacing the transitions $(4,c,2)$ and $(8,c,6)$ by the transitions $(4,c,3)$ and $(8,c,7)$ , respectively, see Figure 11.

Then, Construction 9 results in the DES $\tilde{G}^{\prime}$ with $\tilde{Q}_{S}^{\prime}=\{1,2,3,4,5,6,7,8\}$ and $\tilde{Q}_{NS}^{\prime}=\{1^{\prime},2^{\prime},3^{\prime},5^{\prime},7^{\prime},8^{\prime}\}$ . Applying Algorithm 3 to $\tilde{G}^{\prime}$ , $\tilde{Q}_{S}^{\prime}$ , $\tilde{Q}_{NS}^{\prime}$ , $\Sigma_{o}=\{a,b,c\}$ , and $k=1$ results in the observer $\tilde{G}^{\prime obs}$ of $\tilde{G}^{\prime}$ and the automaton $\tilde{H}$ depicted in Figure 12. The set $\tilde{Y}$ and the part of $\operatorname{\mathcal{C}}_{2}=P(\tilde{G}^{\prime})\times\tilde{H}$ reachable from the states of $Y$ in one step are depicted in Figure 13. Since no state of the form $(q,\emptyset)$ is reachable from a state of $\tilde{Y}$ in one step, $\tilde{G}^{\prime}$ is weakly one-step opaque. By Theorem 10, $\tilde{G}$ is strongly one-step opaque.

4.5 Complexity Analysis of Algorithm 4.4

Algorithms verifying strong $k$ -step opacity have been investigated in the literature. In particular, Falcone and Marchand (2015) designed an algorithm based on a $k$ -delay trajectory estimation, but they did not analyze its complexity. The complexity analyses in the literature are inconsistent. While Ma et al. (2021) state that the complexity is $O(\ell 2^{n^{2}+n})$ , where $n$ is the number of states and $\ell$ is the number of observable events of the verified deterministic DES, Wintenberg et al. (2022) state that the state complexity is $O((\ell+1)^{k}2^{n})$ . According to (Falcone and Marchand, 2015, Definition 7), however, the $k$ -delay trajectory estimator has $O(2^{n^{k+1}\cdot 2^{k}})$ states.

Recently, Ma et al. (2021) designed another algorithm with complexity $O(\ell 2^{(k+2)n})$ , and even more recently, Wintenberg et al. (2022) discussed and experimentally compared algorithms based on (i) the secret observer with complexity $O(\ell(k+3)^{n})$ , on (ii) the reverse comparison with complexity $O((n+m)(k+1)2^{n})$ , where $m\leq\ell n^{2}$ is the number of transitions in the involved projected NFA, and on (iii) the construction of the $k$ -delay trajectory estimator of Falcone and Marchand (2015), which they claim to be of complexity $O(\ell(\ell+1)^{k}2^{n})$ .

We now analyze the complexity of Algorithm 4.4 and show that its worst-case complexity is better than the complexity of existing algorithms. Namely, we show that the space and time complexity of Algorithm 4.4 is $O(n2^{n})$ and $O((n+m)2^{n})$ , respectively, where $n$ is the number of states of $G$ and $m$ is the number of transitions of $P(G)$ . Notice that the complexity does not depend on the parameter $k$ .

Before we prove this result, notice that $m\leq\ell n^{2}$ , where $\ell$ is the number of observable events. Since $\ell n^{2}$ is the maximum number of transitions in an $n$ -state NFA with $\ell$ events, $m$ is often significantly smaller than $\ell n^{2}$ .

For a deterministic DES with $n$ states, Construction 5 results in a normalized DES with up to $2n$ states, and hence it may seem that the observer of the normalized DES could have up to $2^{2n}$ states. The following lemma shows that the observer of the normalized DES has in fact at most $2^{n}$ states.

Lemma 12.

Let $G$ be an $n$ -state deterministic DES, and let $G_{norm}$ be its normalization obtained by Construction 5. Then, the observer of $G_{norm}$ has at most $2^{n}$ states.

Proof 4.5.

Let $G=(Q,\Sigma,\delta,q_{0})$ be a deterministic DES with $n$ states, and let $\Sigma_{uo}$ be the set of unobservable events. The application of Construction 5 on $G$ results in the deterministic DES $G_{norm}=(Q_{n},\Sigma,\delta_{n},q_{0})$ , where $Q_{n}\subseteq Q\cup Q^{\prime}$ and $Q^{\prime}=\{q^{\prime}\mid q\in Q\}$ is a disjoint copy of $Q$ . All states of $Q_{n}$ are reachable in $G_{norm}$ by construction. The observer $G_{norm}^{obs}=(X_{obs},\Sigma_{o},\delta_{obs},x_{0})$ of $G_{norm}$ is defined as follows. The set of states is the subset of the power set of $Q_{n}$ , namely, $X_{obs}\subseteq 2^{Q_{n}}$ . The initial state is the unobservable reach (UR) of the initial state of the automaton $G_{norm}$ , that is, $x_{0}:=UR(q_{0})=\delta_{n}(q_{0},\Sigma_{uo}^{*})$ . The transition function $\delta_{obs}$ is defined for every $X\in X_{obs}$ and every observable event $a\in\Sigma_{o}$ as the unobservable reach of the states reachable in $G_{norm}$ from the states of $X$ by the event $a$ , that is,

\delta_{obs}(X,a):=UR(\delta_{n}(X,a))

where, for every $Y\subseteq Q_{n}$ , $UR(Y)=\delta_{n}(Y,\Sigma_{uo}^{*})$ . By item (2) of Lemma 6,

\delta_{n}(X,a)\subseteq Q\,,

and hence every state of the observer of $G_{norm}$ is uniquely determined by a subset of $Q$ . In particular, we define an injective mapping $f\colon X_{obs}\to 2^{Q}$ assigning subsets of $Q$ to the states of the observer of $G_{norm}$ as follows: $f(x_{0})=\{q_{0}\}$ , and for every state $Y\neq x_{0}$ of the observer of $G_{norm}$ , we pick and fix a state $X\in X_{obs}$ such that $\delta_{obs}(X,a)=Y$ , for some observable event $a\in\Sigma_{o}$ , and we define $f(Y)=\delta_{n}(X,a)$ . Such a state $X$ exists because every state of the observer is reachable. Then, $Y=\delta_{obs}(X,a)=UR(\delta_{n}(X,a))=UR(f(Y))$ , and we have that if $f(Y_{1})=f(Y_{2})$ , then $Y_{1}=UR(f(Y_{1}))=UR(f(Y_{2}))=Y_{2}$ , which shows that the mapping $f$ is injective. Consequently, the number of states of the observer of $G_{norm}$ is bounded by the number of subsets of the set $Q$ , which is $2^{n}$ .

Notice that Lemma 12 does not claim that the number of states of the observer of $G$ and of the observer of its normalization $G_{norm}$ coincide. It only provides an upper bound on the worst-case complexity.

Similarly, for a normal deterministic DES $G$ with $n$ states, Construction 9 results in a deterministic DES $G^{\prime}$ with up to $2n$ states. The second lemma shows that the observer of $G^{\prime}$ has as many states as the observer of $G$ .

Lemma 13.

Let $G$ be a normal deterministic DES with $n$ states, and let $G^{\prime}$ be obtained from $G$ by Construction 9. Then, the numbers of states of the observer of $G^{\prime}$ and of the observer of $G$ coincide.

Proof 4.6.

Let $G=(Q,\Sigma,\delta,q_{0})$ be a normal deterministic DES, and let $G^{\prime}=(Q\cup Q_{NS}^{\prime},\Sigma\cup\{u\},\delta^{\prime},q_{0})$ be the DES obtained from $G$ by Construction 9. Recall that $G^{\prime}$ is obtained as a disjoint union of $G$ and $G_{ns}$ , where $G_{ns}$ is a copy of $G$ without the secret states and the corresponding transitions, $Q_{NS}^{\prime}=\{q^{\prime}\mid q\in Q_{NS}\}$ is a copy of $Q_{NS}$ disjoint from $Q$ , and the event $u$ is unobservable. For every reachable state $S$ of the observer of $G^{\prime}$ , we show that $S$ contains a state $p^{\prime}\in Q_{NS}^{\prime}$ if and only if $S$ contains the corresponding state $p\in Q_{NS}$ . Consequently, the observer of $G^{\prime}$ and the observer of $G$ have the same number of states.

To prove one direction, let $S$ be a reachable state of the observer of $G^{\prime}$ . If $S$ contains a state $p\in Q_{NS}$ , then the unobservable transition $(p,u,p^{\prime})$ of $G^{\prime}$ implies that $S$ also contains the state $p^{\prime}\in Q_{NS}^{\prime}$ .

To prove the other direction, let $S$ be a reachable state of the observer of $G^{\prime}$ , and assume that a state $p^{\prime}\in Q_{NS}^{\prime}$ belongs to $S$ . Then, for every string $w\in P^{\prime}(L(G^{\prime}))$ under which the state $S$ is reachable from the initial state $\{q_{0}\}$ in the observer of $G^{\prime}$ , there exists a string $w^{\prime}\in L(G^{\prime})$ such that $P^{\prime}(w^{\prime})=w$ and $\delta^{\prime}(q_{0},w^{\prime})=p^{\prime}$ . Since $q_{0}\in Q$ , $p^{\prime}\in Q_{NS}^{\prime}$ , and every string of $L(G^{\prime})$ contains at most one occurrence of the event $u$ , we can partition the string $w^{\prime}=w_{1}uw_{2}$ so that $\delta^{\prime}(q_{0},w_{1})=r$ , $\delta^{\prime}(r,u)=r^{\prime}$ , and $\delta^{\prime}(r^{\prime},w_{2})=p^{\prime}$ , for some state $r\in Q$ . However, $\delta^{\prime}(r^{\prime},w_{2})=p^{\prime}$ is executed in $G_{ns}$ , which is obtained from $G$ by removing all secret states. Therefore, $\delta(r,w_{2})=p$ must be defined in $G$ . Altogether, we have shown that $\delta(q_{0},w_{1}w_{2})=p$ is defined in $G$ , and hence the string $w_{1}w_{2}\in L(G)$ . Since $w=P^{\prime}(w^{\prime})=P^{\prime}(w_{1}w_{2})$ , we have shown that $p\in S$ .

We can now prove the following result analyzing the complexity of Algorithm 4.4.

Theorem 14.

The space and time complexity of Algorithm 4.4 is $O(n2^{n})$ and $O((n+m)2^{n})$ , respectively, where $n$ is the number of states of $G$ and $m$ is the number of transitions of $P(G)$ , that is, $m\leq\ell n^{2}$ , where $\ell$ is the number of observable events.

Proof 4.7.

Let $G$ be an $n$ -state deterministic DES. In the first step, we construct the normalization $G_{norm}$ of $G$ with at most $2n$ states, the observer of which has at most $2^{n}$ states by Lemma 12. Then, we apply Algorithm 3 to $G^{\prime}$ obtained from $G_{norm}$ by Construction 9. In particular, by Lemma 13, we compute the observer $G^{\prime obs}$ of $G^{\prime}$ with at most $2^{n}$ states, and the projected automaton $P(G^{\prime})$ with at most $4n$ states. Then, for every reachable state $X$ of $G^{\prime obs}$ , and for every $x\in X\cap Q_{S}^{\prime}$ , we add the pair $(x,X\cap Q_{NS}^{\prime})$ to the set $Y$ . This computation takes time $O(n2^{n})$ . Afterwards, we construct the automaton $H$ as the part of the full observer of $G^{\prime}$ that is accessible from the states of the second components of $Y$ . Since $H$ consists only of the subsets of $Q_{NS}^{\prime}$ , of which there is at most $2^{n}$ , the automaton $H$ has $O(2^{n})$ states. The automaton $\operatorname{\mathcal{C}}=P(G^{\prime})\times H$ thus has $O(n2^{n})$ states and $O(m2^{n})$ transitions, the sum of which is the time complexity of the BFS applied to mark states of $\operatorname{\mathcal{C}}$ reachable from the states of $Y$ in at most $k$ steps. Therefore, the state complexity of Algorithm 4.4 is $O(n2^{n})$ and the time complexity is $O(n2^{n}+(n+m)2^{n})=O((n+m)2^{n})$ .

Comparing the complexity $O((n+m)2^{n})$ of Algorithm 4.4 with the complexity of the existing algorithms, the reader may see that (1) the complexity of Algorithm 4.4 does not depend on the parameter $k$ , and (2) it is better than the complexity of the existing algorithms, because the minimum of the worst-case complexities $O(\ell 2^{n^{k+1}\cdot 2^{k}})$ , $O(\ell 2^{(k+2)n})$ , $O(\ell(k+3)^{n})$ , and $O((n+m)(k+1)2^{n})$ of the existing algorithms discussed at the beginning of this subsection is $O((n+m)2^{n})$ for $k=1$ , and $O((n+m)(k+1)2^{n})=O((n+m)2^{2n})$ for $k\in O(2^{n})$ . Notice that the minimum worst-case complexity for large $k$ is significantly higher than the complexity $O((n+m)2^{n})$ of Algorithm 4.4. In fact, the complexity of Algorithm 4.4, and the minimum worst-case complexity of the existing algorithms for very small $k$ , coincide. However, while the existing algorithms can handle only inputs with a very small $k$ with this complexity, our algorithm can handle inputs with $k$ of arbitrary value with this complexity. Consequently, our algorithm improves the complexity of the verification of strong $k$ -step opacity.

5 Conclusions

We investigated and discussed the relationship between the notions of weak and strong $k$ -step opacity. We designed an algorithm verifying weak $k$ -step opacity that, compared with the existing algorithms, does not depend on the parameter $k$ , and has a lower worst-case complexity than the existing algorithms. We further discussed strong $k$ -step opacity and transformed it to weak $k$ -step opacity in linear time, obtaining thus an algorithm to verify strong $k$ -step opacity. Again, this algorithm does not depend on the parameter $k$ , and has a lower worst-case complexity than the existing algorithms.

Finally, we point out that the complexity of our algorithms may be further optimized. For instance, rather than eliminating $\varepsilon$ -transitions in $P(G)$ , we may suitably redefine the product of two NFAs for NFAs with $\varepsilon$ -transitions. In this case, the parameter $m$ in the complexity formula would be bounded by $\ell n$ rather than $\ell n^{2}$ . We leave these and further optimizations for the future work.

{ack}

We gratefully acknowledge suggestions and comments of the anonymous referees.

Appendix A Relation between Strong and Weak $k$ -Step Opacity

As already mentioned in the introduction, Ma et al. (2021) pointed out that strong $k$ -step opacity and weak $k$ -step opacity are incomparable in the sense that neither strong $k$ -step opacity implies weak $k$ -step opacity nor the other way round.

We now show that under the assumption that the set of states is partitioned into secret and nonsecret states, disregarding neutral states, which is a common assumption in the literature (Saboori and Hadjicostis, 2011; Yin and Lafortune, 2017), including this paper, the two notions are comparable. This fact was also recently pointed out by Wintenberg et al. (2022).

Theorem 15.

Let $G=(Q,\Sigma,\delta,i)$ be a deterministic DES, and let $k\in\mathbb{N}_{\infty}$ . If $G$ is $k$ -SSO with respect to $Q_{S}$ and $P$ , then $G$ is $k$ -SO with respect to $Q_{S}$ , $Q-Q_{S}$ , and $P$ .

Proof A.1.

Assume that $G$ is $k$ -SSO with respect to $Q_{S}$ and $P$ . We show that $G$ is $k$ -SO with respect to $Q_{S}$ , $Q_{NS}=Q-Q_{S}$ , and $P$ . To this end, we consider any string $st\in L(G)$ with $|P(t)|\leq k$ such that $\delta(i,s)=q_{s}\in Q_{S}$ ; since $st\in L(G)$ , we have $\delta(q_{s},t)$ is defined. Since $G$ is $k$ -SSO, there is a string $w\in L(G)$ such that $P(st)=P(w)$ and for every prefix $w^{\prime}$ of $w$ , if $|P(w)|-|P(w^{\prime})|\leq k$ , then $\delta(i,w^{\prime})\notin Q_{S}$ . Because $P(st)=P(w)$ , the string $w$ can be written as $w=s^{\prime}t^{\prime}$ , where $P(s)=P(s^{\prime})$ and $P(t)=P(t^{\prime})$ . Since $s^{\prime}$ is a prefix of $w=s^{\prime}t^{\prime}$ , and $|P(s^{\prime}t^{\prime})|-|P(s^{\prime})|=|P(t^{\prime})|=|P(t)|\leq k$ , we have $\delta(i,s^{\prime})\notin Q_{S}$ , that is, $\delta(i,s^{\prime})\in Q_{NS}$ . But then the string $s^{\prime}t^{\prime}\in L(G)$ is such that $P(s)=P(s^{\prime})$ , $P(t)=P(t^{\prime})$ , $\delta(i,s^{\prime})=q_{ns}\in Q_{NS}$ , and $\delta(q_{ns},t^{\prime})$ is defined, because $s^{\prime}t^{\prime}=w\in L(G)$ ; therefore, $G$ is $k$ -SO with respect to $Q_{S}$ , $Q-Q_{S}$ , and $P$ .

It can be seen in the previous proof that if there are neutral states, then the implication does not hold in general.

References

Badouel et al. (2007) Badouel, E., Bednarczyk, M., Borzyszkowski, A., Caillaud, B., Darondeau, P., 2007. Concurrent secrets. Discrete Event Dynamic Systems 17, 425–446.
Balun and Masopust (2021) Balun, J., Masopust, T., 2021. Comparing the notions of opacity for discrete-event systems. Discrete Event Dynamic Systems 31, 553–582.
Balun and Masopust (2022a) Balun, J., Masopust, T., 2022a. On transformations among opacity notions, in: IEEE International Conference on Systems, Man, and Cybernetics (SMC), pp. 3012–3017.
Balun and Masopust (2022b) Balun, J., Masopust, T., 2022b. On verification of weak and strong k-step opacity for discrete-event systems. IFAC PapersOnLine 55, 108–113.
Brandin and Wonham (1994) Brandin, B., Wonham, W., 1994. Supervisory control of timed discrete-event systems. IEEE Transactions on Automatic Control 39, 329–342.
Bryans et al. (2008) Bryans, J.W., Koutny, M., Mazaré, L., Ryan, P.Y.A., 2008. Opacity generalised to transition systems. International Journal of Information Security 7, 421–435.
Bryans et al. (2005) Bryans, J.W., Koutny, M., Ryan, P.Y., 2005. Modelling opacity using Petri nets. Electronic Notes in Theoretical Computer Science 121, 101–115.
Cassandras and Lafortune (2021) Cassandras, C.G., Lafortune, S. (Eds.), 2021. Introduction to Discrete Event Systems. 3rd ed., Springer.
Cormen et al. (2009) Cormen, T.H., Leiserson, C.E., Rivest, R.L., Stein, C., 2009. Introduction to Algorithms. MIT Press.
Dubreil et al. (2008) Dubreil, J., Darondeau, P., Marchand, H., 2008. Opacity enforcing control synthesis, in: Workshop on Discrete Event Systems (WODES), pp. 28–35.
Falcone and Marchand (2015) Falcone, Y., Marchand, H., 2015. Enforcement and validation (at runtime) of various notions of opacity. Discrete Event Dynamic Systems 25, 531–570.
Hopcroft et al. (2006) Hopcroft, J.E., Motwani, R., Ullman, J.D., 2006. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley.
Jacob et al. (2016) Jacob, R., Lesage, J.J., Faure, J.M., 2016. Overview of discrete event systems opacity: Models, validation, and quantification. Annual Reviews in Control 41, 135–146.
Jirásková and Masopust (2012) Jirásková, G., Masopust, T., 2012. On a structural property in the state complexity of projected regular languages. Theoretical Computer Science 449, 93–105.
Lan et al. (2020) Lan, H., Tong, Y., Guo, J., Giua, A., 2020. Comments on “A new approach for the verification of infinite-step and K-step opacity using two-way observers” [Automatica 80 (2017) 162–171]. Automatica 122, 109290.
Lin (2011) Lin, F., 2011. Opacity of discrete event systems and its applications. Automatica 47, 496–503.
Ma et al. (2021) Ma, Z., Yin, X., Li, Z., 2021. Verification and enforcement of strong infinite- and k-step opacity using state recognizers. Automatica 133, 109838.
Saboori and Hadjicostis (2007) Saboori, A., Hadjicostis, C.N., 2007. Notions of security and opacity in discrete event systems, in: IEEE Conference on Decision and Control, pp. 5056–5061.
Saboori and Hadjicostis (2011) Saboori, A., Hadjicostis, C.N., 2011. Verification of $K$ -step opacity and analysis of its complexity. IEEE Transactions on Automation Science and Engineering 8, 549–559.
Saboori and Hadjicostis (2012) Saboori, A., Hadjicostis, C.N., 2012. Verification of infinite-step opacity and complexity considerations. IEEE Transactions on Automatic Control 57, 1265–1269.
Wintenberg et al. (2022) Wintenberg, A., Blischke, M., Lafortune, S., Ozay, N., 2022. A general language-based framework for specifying and verifying notions of opacity. Discrete Event Dynamic Systems 32, 253–289.
Wong (1998) Wong, K., 1998. On the complexity of projections of discrete-event systems, in: Workshop on Discrete Event Systems (WODES), pp. 201–206.
Yin and Lafortune (2017) Yin, X., Lafortune, S., 2017. A new approach for the verification of infinite-step and K-step opacity using two-way observers. Automatica 80, 162–171.

Verifying Weak and Strong k-Step Opacity in Discrete-Event Systems

Abstract

keywords:

1 Introduction

2 Preliminaries

3 Verification of Weak k-Step Opacity

Definition 1.

Theorem 2.

Proof 3.1.

Theorem 3.

Proof 3.2.

4 Verification of Strong k-Step Opacity

Definition 4.

4.1 Normalization

Construction 5.

Lemma 6.

Proof 4.1.

Lemma 7.

Proof 4.2.

4.2 Weak versus Strong 0-Step Opacity

Theorem 8.

Proof 4.3.

4.3 Weak versus Strong k-Step Opacity

Construction 9.

Theorem 10.

Proof 4.4.

Theorem 11.

4.4 Verifying Strong k-Step Opacity

4.5 Complexity Analysis of Algorithm 4.4

Lemma 12.

Proof 4.5.

Lemma 13.

Proof 4.6.

Theorem 14.

Proof 4.7.

5 Conclusions

Appendix A Relation between Strong and Weak kk-Step Opacity

Theorem 15.

Proof A.1.

References

Verifying Weak and Strong k-Step Opacity
in Discrete-Event Systems

Appendix A Relation between Strong and Weak $k$ -Step Opacity