This paper introduces a novel compositional method for verifying opacity in systems by transforming the problem into a nonblocking verification task, enabling efficient analysis of large systems.
Contribution
It presents a new abstraction-based approach that reduces opacity verification to nonblocking verification, applicable to current-state and K-step opacity in modular automata.
Findings
01
Efficient verification of current-state opacity in large systems
02
Transformation ensures equivalence between opacity and nonblocking properties
03
Applicable to both current-state and K-step opacity
Abstract
We consider the verification of current-state and K-step opacity for systems modeled as interacting non-deterministic finite-state automata. We describe a new methodology for compositional opacity verification that employs abstraction, in the form of a notion called opaque observation equivalence, and that leverages existing compositional nonblocking verification algorithms. The compositional approach is based on a transformation of the system, where the transformed system is nonblocking if and only if the original one is current-state opaque. Furthermore, we prove that K-step opacity can also be inferred if the transformed system is nonblocking. We provide experimental results where current-state opacity is verified efficiently for a large scaled-up system.
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Full text
Transforming opacity verification to nonblocking verification in modular systems
Sahar Mohajerani
Department of Electrical engineering and Computer Science
Department of Electrical engineering and Computer Science
University of Michigan
[email protected]
The work of the first author was supported by the Swedish Research Council. The work of the second author was supported in part by US NSF grant CNS-1421122.
1 Abstract
We consider the verification of current-state and K-step opacity for systems modeled as interacting non-deterministic finite-state automata.
We describe a new methodology for compositional opacity verification that employs abstraction, in the form of a notion called opaque observation equivalence, and that leverages
existing compositional nonblocking verification algorithms.
The compositional approach is based on a transformation of the system, where the transformed system is nonblocking if and only if the original one is current-state opaque.
Furthermore, we prove that K-step opacity can also be inferred if the transformed system is nonblocking.
We provide experimental results where current-state opacity is verified efficiently for a large scaled-up system.
While there is a large amount of information people willingly release everyday, there is some information that we wish to remain secret.
Thus, various notions of security have been studied in the past decades; opacity is one such example.
Opacity is an information flow property that identifies whether or not a secret is released to an external observer of the behavior of a known dynamic system.
We refer to the external observer as the intruder in this paper.
The notion of opacity was introduced in the field of discrete event systems in [1], where the system is modeled as a Petri net.
Later, a variety of notions of opacity were introduced to cope with different security requirements.
Current-state opacity [2], initial-state opacity [3], initial-and-final-state opacity [4], K-step opacity [5, 6], infinite-step opacity [7], and language-based opacity [8] are some examples of state-based and language-based opacity notions.
In [4], polynomial-time algorithms are presented to transform the verification of current-state, initial-state, initial-and-final-state opacity, and language based-opacity to one another.
In this paper, we study the verification of current-state and K-step opacity under the framework of modular discrete event systems.
A system is said to be current-state opaque if the intruder can never know for sure that the current state of the system is a secret state.
On the other hand, a system is K-step opaque if the intruder cannot determine if the system had entered a secret state within the K previous steps of its observed behavior (i.e., it is a smoothing property in system-theoretic terminology).
In this paper, we consider a class of modular systems that are modeled as partially observed (or non-deterministic) interacting finite state automata.
The monolithic approach to verify any opacity property for modular systems is to synchronize all the components of the system and then use the corresponding verification algorithm on the resulting monolithic system.
This approach is limited by the well-known state-space explosion problem, when composing a large number of system components.
Abstraction and modular approaches are standard techniques that can be used to alleviate the state-space explosion problem, either independently or jointly.
In the opacity verification problem domain, the verification of initial-state opacity in a modular setting was studied in [9], where it is shown that the system is initial-state opaque if and only if the strings causing violations of opacity are disabled by synchronization.
Abstraction-based bisimulation was used in [10] to reduce the complexity of the system when verifying infinite-step opacity.
One method to alleviate the state-space explosion problem is the compositional approach based on abstraction.
This approach is well-developed for nonblocking verification and supervisor synthesis in modular systems; see, e.g., [11, 12, 13, 14].
The compositional approach seeks to remove and merge states that are redundant for the purpose of verification or synthesis, and it proceeds in an incremental manner in terms of system components.
This paper presents a novel compositional approach for the verification of current-state, infinite-step, and K-step opacity.
As infinite-step opacity is a limiting case of K-step opacity, we mainly focus on current-state and K-step opacity.
In our framework, each system component is abstracted using a restricted version of observation equivalence or weak bisimulation [15], that we call opaque observation equivalence.
After such abstraction, the current-state estimator [16] or the two-way observer [17] of each component is generated, depending on which opacity property is to be verified, either current-state or K-step.
Next, the opacity verification problem is transformed to a suitable nonblocking verification problem.
This makes it possible to use well-developed nonblocking verification algorithms to verify the different notions of opacity.
In the case of current-state opacity, we show that the transformation to nonblocking leads to an equivalent problem, i.e., we show necessity and sufficiency.
In the case of K-step opacity, we show sufficiency of the transformation.
We used the software tool Supremica [18] to verify current-state opacity of a large modular system using our compositional approach.
Specifically, we have successfully verified current-state opacity for a large system containing 4⋅103 automata under one minute on a standard laptop computer.
The presentation of our results is organized as follows.
Sect. 3 gives a brief background about different notions of opacity.
Sect. 4 explains the general compositional opacity problem.
Next, Sections 5 and 7 explain the compositional approach for current-state and K-step opacity, respectively.
Our experimental results on a scaled-up example are presented in Sect. 8.
Finally, some concluding remarks can be found in Sect. 9.
3 Modeling framework
3.1 Automata and their composition
Discrete system behaviors can be modeled by deterministic or nondeterministic automata.
Definition 1
A (nondeterministic) finite-state automaton is a tuple G=⟨Σ,\penalty750Q∘,\penalty750→∘,\penalty750Q∘⟩,
where Σ is a finite set of events, Q is a finite set of states,
\mbox{\stackrel{{\scriptstyle}}{{\rightarrow}}}\subseteq Q\times\Sigma\times Q is the state
transition relation, and Q∘⊆Q is the set of
initial states.
G is deterministic if ∣Q∘∣=1 and if x→σy1 and x→σy2 always implies that y1=y2.
When marking is important the above definition can be extended to G=⟨Σ,Q,→,Q∘,Qm⟩, where Qm⊆Q is the set of marked states.
In this paper, we identify marked states in the figures using gray shading.
We assume that the intruder can only partially observe the system. Thus, Σ is partitioned into two disjoint subsets, the set of observable events and the set of unobservable events. Since the identity of unobservable events are irrelevant they are all replaced by a special event τ. The event τ is never included in the alphabet Σ, unless explicitly mentioned. For this, Στ=Σ∪{τ} is used [11]. Nondeterministic automata hereafter may contain transitions labeled by τ.
However, since τ represents unobservable events, deterministic automata will never have τ transitions.
In opacity problems, the set of states is also partitioned into two disjoint subsets: QS the set of secret states and QNS=Q∖QS the set of non-secret states.
When automata are brought together to interact, lock-step synchronization
in the style of [19] is used.
Definition 2
Let G1=⟨Σ1,\penalty750Q1∘,\penalty750→1∘,\penalty750Q1∘,\penalty750Q1m⟩ and G2=⟨Σ2,\penalty750Q2∘,\penalty750→2∘,\penalty750Q2∘,\penalty750Q2m⟩ be two nondeterministic automata, with sets of secret states
Q1S⊆Q1 and Q2S⊆Q2.
The synchronous composition of G1 and G2 is defined as
[TABLE]
where
[TABLE]
and where the set of secret states of G, QS, is defined in one of the two following ways:
(i)
QS={(x1,x2)∣x1∈Q1S∧x2∈Q2S},
2. (ii)
QS={(x1,x2)∣x1∈Q1S∨x2∈Q2S}.
Importantly, this definition of synchronous composition only imposes lock-step synchronization on common events in Σ.
In the following, whenever necessary, we use the notations ∥∧ and ∥∨ to show that the secret states of synchronous composition are defined as in Def. 2(i) or (ii), respectively.
When ∥∧ is used, a synchronized state is considered secret if all the composed states are secret.
In ∥∨ however, if one of the states of the synchronized state is secret, then the synchronized state is considered secret. ∥∨ and ∥∧ are the first natural constructs for joint secrecy.
Σ∗ is the set of all finite traces of events from Σ,
including the empty traceε.
The
natural projectionPτ:Στ∗→Σ∗ is the
operation that removes from traces t∈Στ∗ all events not in Σ, which affects only event τ in our setting.
The transition relation of an automaton G is written in infix notation x→σy,
and it is extended to strings in Στ∗ by letting x→εx for all x∈Q, and x→tσz if
x→ty and y→σz for
some y∈Q. Furthermore, x→t means that x→ty for
some y∈Q, and x→y means that x→ty for some t∈Στ∗. These notations also apply to state sets, where X→tY for X,Y⊆Q means that x→ty for some x∈X and y∈Y, and to automata, where
G→t means that Q∘→t, etc.
For brevity, p⇒sq, with s∈Σ∗, denotes the existence of a string t∈Στ∗ such that Pτ(t)=s and p→tq. Thus, p→uq, u∈Στ∗, means a path containing exactly the events in u, while p⇒uq, u∈Σ∗, means existence of a path between p and q with arbitrary number of τ events between the events of u. Similarly, p⇒τq denotes the existence of a string t∈{τ}∗ such that p→tq.
The language of an automaton G
is defined as L(G)={s∈Σ∗∣G⇒s} and the language generated by G from q∈Q is L(G,q)={s∈Σ∗∣q⇒s}.
Thus we do not include event τ in the strings in the language of an automaton.
Moreover, from Def. 2, it follows that s∈L(G1∥G2) if and only if P1(s)∈L(G1) and P2(s)∈L(G2),
where Pi:Σ1∪Σ2→Σi, for i=1,2 (and these functions are extended to strings in the usual manner).
Renamings Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ are two maps such that Δ(σ)=(σ,ϵ) and ΔR(σ)=(ϵ,σ). Renamings are extended to traces
s∈Σ∗ by applying them to each event, and to languages L⊆Σ∗ by applying them to all traces. They are also
extended to automata with alphabet Σ by replacing all transitions
x→σy with xΔ(σ)y and xΔR(σ)y.
Given an automaton G=⟨Στ,Q,→,Q∘⟩ the reversed automaton of G is a non-deterministic automaton GR=⟨Στ,Q,→R,Q⟩ where →R={(x,σ,y)∣y→σx} and all states are considered to be initial [4].
For non-deterministic automaton G=⟨Στ,\penalty750Q∘,\penalty750→∘,\penalty750Q∘⟩, the set of unobservably reached states of B∈2Q, is UR(B)=⋃{C⊆Q∣B⇒τC}. The observer automatondet(G)=⟨Σ,Xobs,→obs,Xobs∘⟩ is a deterministic automaton, where Xobs∘=UR(Qo) and Xobs⊆2Q, and X→obsY, where X,Y⊆Xobs, if and only if Y=⋃{UR(y)∣x→σyfor somex∈Xandy∈Q}. By convention, in this paper only reachable states from Xobs∘ under →obs are considered in Xobs. Also, we will refer to the observer automaton as the current-state estimator, abbreviated as CSE.
In this paper, the special blocking event ψ∈/Σ is used to label additional transitions going out of a special set of states, termed ψ-states and denoted by Xψ.
Definition 3
Let G=⟨Σ,Q,→,q∘⟩ be a deterministic automaton with set of ψ-states Xψ⊆Q. Then Gψ=⟨Σ∪{ψ},Q∪{⊥},→ψ,q∘,Qm⟩ is a deterministic automaton such that ⊥ is a new state, Qm=Q, which means that all the original states are marked, and
[TABLE]
This “ψ-transformation” will be used later on to transform opacity verification to nonblocking verification. To check if a specific state of the system can be reached, the state can be considered as a ψ-state and nonblocking verification can be done on the transformed system, termed the ψ-system. In our setting the ψ-states are the states that violate opacity.
Another common automaton operation is the quotient modulo an
equivalence relation on the state set.
Definition 4
Let Z be a set. A relation ∼⊆Z×Z is called an
equivalence relation on Z if it is reflexive,
symmetric, and transitive.
Given an equivalence relation ∼ on Z, the equivalence class of z∈Z
is [z]={z′∈Z∣z∼z′},
and Z~={[z]∣z∈Z} is the set of all equivalence classes modulo ∼.
Definition 5
Let G=⟨Στ,\penalty750Q∘,\penalty750→∘,\penalty750Q∘⟩ be an automaton and let ∼⊆Q×Q be an equivalence relation. The quotient automaton of G
modulo ∼ is
[TABLE]
where \mbox{\stackrel{{\scriptstyle}}{{\rightarrow}}}/\mathord{\sim}=\mbox{\stackrel{{\scriptstyle}}{{\rightarrow}}}/\mathord{\sim}=\{\,([x],\sigma,[y])\mid\exists x^{\prime}\in[x],y^{\prime}\in[y]:x^{\prime}\stackrel{{\scriptstyle\sigma}}{{\rightarrow}}y^{\prime}\,\} and Q~∘={[x∘]∣x∘∈Q∘}.
3.2 Notions of opacity
In general, opacity addresses the issue whether an intruder observing the system, and knowing the model of the system, can determine for sure if the system is in a secret state. There are different notions of opacity in the literature. It is shown in [4] that initial, final, current-state, and language-based opacity can be transformed to one another with polynomial-time algorithms for verification purposes. Moreover, infinite-step opacity is a limiting case of K-step opacity. Thus, in this paper, we mainly address the verification of current-state opacity first, and then that of K-step opacity, which cannot be transformed to current-state opacity for verification purposes.
We recall the formal definitions of these properties in the context of the framework of this paper.
Definition 6
A non-deterministic automaton G with event set Σ and set of secret states QS is current-state opaque, with respect to QS if and only if
[TABLE]
The system is current-state opaque if an intruder cannot determine whether the system is currently in a secret state or not.
Definition 7
A non-deterministic automaton G with event set Σ and set of secret states QS is infinite-step opaque, with respect to QS
[TABLE]
The system is infinite-step opaque if an intruder cannot determine whether the system ever was in a secret state or not at any time in the past.
Definition 8
A non-deterministic automaton G with event set Σ and set of secret states QS is K-step opaque, with respect to QS
[TABLE]
The system is K-step opaque if the entrance of the system into a secret state remains uncertain for an intruder after up to K future observations.
Hence, 0-step opacity is equivalent to current-state opacity,
and when K→∞, then K-step opacity becomes infinite-step opacity [7].
It is shown in [16] that current-state opacity can be verified by building the standard observer automaton.
Proposition 1
[16*]**
Let G=⟨Στ,\penalty750Q∘,\penalty750→∘,\penalty750Q∘⟩ be a non-deterministic automaton with set of secret states QS. Let det(G)=⟨Σ,Xobs,→obs,Xobs∘⟩ be the current-state estimator of G. Then G is current-state opaque with respect to QS if and only if for all s∈L(G) it holds that [det(G)→sXimplies thatX⊆QS].
*
The verification of infinite-step and K-step opacity is considered in [5] and [7], respectively, where these properties were first introduced.
Recently, a new approach for the verification of infinite and K-step opacity was introduced, which relies on building the so-called two-way observer of the system [17].
We will leverage this latter approach in the development of our results.
Again, we recall relevant definitions and results, restated in the context of our framework.
Definition 9
[17]**
Let G=⟨Στ,\penalty750Q∘,\penalty750→∘,\penalty750Q∘⟩ be a non-deterministic automaton and GR be the reversed automaton of G. Let Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ. The two-way observer of G is the deterministic automaton obtained by:
[TABLE]
Proposition 2
[17]**
Let G=⟨Στ,\penalty750Q∘,\penalty750→∘,\penalty750Q∘⟩ be a non-deterministic automaton with set of secret states QS. Let Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ and let H=⟨Δ(Σ)∪ΔR(Σ),QH,→H,QH∘⟩ be the two-way observer of G. Then G is infinite-step opaque with respect to QS if and only if
[TABLE]
The system is infinite-step opaque if for all the reachable states of the two-way observer, the intersection of the first with the second components is not a subset of the secret states of the system or it is empty.
Proposition 3
[17]**
Let G=⟨Στ,\penalty750Q∘,\penalty750→∘,\penalty750Q∘⟩ be a non-deterministic automaton with set of secret states QS. Let Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ and let H=⟨ΣH,QH,→H,QH∘⟩, with ΣH=Δ(Σ)∪ΔR(Σ), be the two-way observer of G. Let PΔ:ΣH→ΔR(Σ). Then G is K-step opaque with respect to QS if and only if, for any string s∈L(H) such that QH∘→s(h1,h2), we have that
[TABLE]
Example 1
Consider automaton G1 in Fig. 1. Assume that the set of secret states is QS={s1,s3}; we have that Δ:{α,β}→{(α,ϵ),(β,ϵ)} and ΔR:{α,β}→{(ϵ,α),(ϵ,β)}. In the figure det(G1) and H1 are the current-state estimator and the two-way observer of G1, respectively. In H1 the states are:
•
A=({s0},{s0,s1,s2,s3,s4,s5}),
•
B=({s0},{s0}),
•
C=({s0},{s1,s3}),
•
D=({s1,s2,s3,s4},{s0,s1,s2,,s3,s4,s5}),
•
E=({s1,s2,s3,s4},{s0}),
•
F=({s1,s2,s3,s4},{s1,s3}),
•
I=({s5},{s0,s1,s2,s3,s4,s5}),
•
J=({s5},{s0}),
•
K=({s5},{s1,s3}).
The system is current-state opaque as the intruder cannot distinguish between s0→αs1 and s0→αs2. Automaton det(G1) confirms that the system is current-state opaque since there is no state in det(G1) which is subset of QS (Prop. 1). However, the system is not infinite-step opaque, because after observing event β the intruder will know that system was in s1 and s3. The two-way observer H1 confirms this result as in the state F we have {s1,s2,s3,s4}∩{s1,s3}={s1,s3}⊆QS (Prop. 2). The system is not K=1 step opaque either since H1(ϵ,β)(α,ϵ)F and {s1,s2,s3,s4}∩{s1,s3}={s1,s3}⊆QS but PΔ((ϵ,β)(α,ϵ))=(ϵ,β) and ∣PΔ((ϵ,β)(α,ϵ))∣>1 (Prop. 3).
4 Compositional opacity verification
This section describes the general framework of transforming current-state opacity and K-step opacity to nonblocking verification.
Since infinite-step opacity is a limiting case of K-step opacity, a specific treatment of this property is omitted hereafter; instead, we make relevant observations about it in our discussion; see Sect. 7.
Note that current-state opacity is also a special case of K-step opacity.
However, since verification of current-state opacity requires building the current state estimator and not the two-way observer, we address current-state opacity separately from K-step opacity.
The input to the algorithm is a modular nondeterministic system.
A modular system is a collection of interacting components
[TABLE]
The compositional opacity verification algorithm is summarized in Fig. 2 and the steps are as follow:
(i)
At the first of the compositional opacity verification, the modular
system (5) is abstracted, using opaque observation equivalence.
Each automaton Gi may be replaced by an abstracted version,
G~i, with less states or transitions.
2. (ii)
Next, the current-state estimators, in the case of current-state opacity verification, or the two-way observers, in the case of K-step opacity verification, of the individual abstracted components are built, Hi in Fig. 2.
3. (iii)
Next, the opacity verification problem is transformed to nonblocking verification problem. The states of the individual current-state estimators or the two-way observers that violate opacity are identified and transitions to blocking states from those states are added, resulting in Hi,ψi in Fig. 2.
4. (iv)
Compositional nonblocking verification is used to verified opacity problem. In compositional nonblocking verification, the synchronous composition is computed gradually, abstracting each intermediate result again.
Eventually, the procedure leads to a single automaton, denoted by H~, which due to the abstraction process
has less states and transitions compared to the original system.
Once H~ is found, it is used for nonblocking verification. The system is current-state opaque if and only if H~ is nonblocking and it is K-step opaque if H~ is nonblocking.
Our motivation for proceeding as above is that compositional nonblocking verification has been well studied and it has shown very promising results [11, 12].
The monolithic approach to verify opacity, first synchronizes all the component of the system and builds the monolithic current-state estimator or two-way observer of the system.
As the number of the states of the synchronized product grows exponentially with the number of components, the complexity of building the CSE or the two-way observer of the whole system is O(2∣X∣n). In contrast, the complexity of generating modular CSEs or two-way observers, instead of their monolithic counterparts, is O(2∣X∣), which is significantly smaller.
In addition, the proposed approach in this paper not only avoid building synchronized product of the whole system, but it also abstracts the components and reduces the number of the states of each component before the construction of CSEs or two-way observers.
Fig. 2 illustrates the steps of compositional opacity verification for the two cases of ∥∨ and ∥∧.
The subsequent sections formally develop this approach.
This section describes compositional current-state opacity verification. First, Sect. 5.1 describes the abstraction methods that preserve current-state opacity. Next, Sect. 5.2 describes that individual current-state estimators can be built instead of the monolithic current-state estimator. Finally, Sect. 5.3 explains the transformation of current-state opacity verification to compositional nonblocking verification.
5.1 Opaque observation equivalence
At the first stage of compositional opacity verification, individual nondeterministic components are replaced by their abstracted opaque equivalent components, step (i) in Fig. 2.
Bisimulation equivalence and observation equivalence are two well-known abstraction methods [20] to abstract the state space of an automaton. Bisimulation considers states to be equivalent if they have outgoing transitions with the same events, including unobservable events, to equivalent states. Observation equivalence is more general than bisimulation as it ignores the unobservable events (namely, event τ in our set-up).
Definition 10
[20*]**
Let G=⟨Στ,\penalty750Q∘,\penalty750→∘,\penalty750Q∘⟩ be a non-deterministic automaton.
An equivalence relation ≈⊆Q×Q is called an
observation equivalence* on G, if the
following holds for all x1,x2∈Q such that x1≈x2:
if x1⇒sy1 for some s∈Σ∗, then there
exists y2∈Q such that x2⇒sy2, and y1≈y2.*
In order to use observation equivalence for abstraction in our compositional opacity verification methodology, the set of secret states needs to be taken into account. For this purpose, a restricted version of observation equivalence called opaque observation equivalence is defined.
Definition 11
Let G=⟨Στ,\penalty750Q∘,\penalty750→∘,\penalty750Q∘⟩ be a non-deterministic automaton with set of secret states QS⊆Q and set of non-secret states QNS=Q∖QS.
An equivalence relation ∼⊆Q×Q is called an
opaque observation equivalence on G if the following holds for all x1,x2∈Q such that x1∼x2:
(i)
if
x1⇒sy1 for some s∈Σ∗, then there
exists y2∈Q such that x2⇒sy2, and y1∼y2,
2. (ii)
x1∈QS* if and only if x2∈QS.*
Opaque observation equivalence considers two states to be equivalent if they have the same secret property and from both of them equivalent states can be reached by the same sequences of events aside from the τ event.
We present our first result on the use of opaque observation equivalence in the verification of opacity.
(In the sequel, for the sake of simplicity of notation, we will denote the event set of non-deterministic automata by Σ, with the understanding that some transitions may be labeled by τ.)
Theorem 4
Let G={G1,…,Gn} be a non-deterministic system with ∥∨ for interaction, where each automaton has set of secret states QiS. Hence, the set of secret states of the system is QS=Q∖QNS, where QNS=Q1NS×…×QnNS. Let ∼ be an opaque observation equivalence on G1 such that G~={G1~,G2,…,Gn}. Then G is current-state opaque if and only if G~ is current-state opaque.
Proof:
Consider T=G2∥G3∥…∥Gn=⟨ΣT,QT,→,QT∘⟩. Then QTS=QT∖QTNS, where QTNS=Q2NS×…×QnNS. Let PG:ΣT∪ΣG1→ΣG1 and PT:ΣT∪ΣG1→ΣT. It suffices to show that if G1∥∨T is not current-state opaque then G1~∥∨T is not current-state opaque either, and vice versa.
(i)
Assume that G1∥∨T is not current-state opaque. Then there exists (x1,xT)∈QG1×QT such that G1∥∨T⇒s(x1,xT) and x1∈Q1S or xT∈QTS, and there does not exist (x1′,xT′)∈Q1NS×QTNS such that G1∥∨T⇒s(x1′,xT′). From G1∥∨T⇒s(x1,xT) it follows that G1⟹PG(s)x1 and T⟹PT(s)xT.
From there does not exist (x1′,xT′)∈Q1NS×QTNS such that G1∥∨T⇒s(x1′,xT′), it follows that for all x1′∈QG1 such that G1⟹PG(s)x1′ it holds that x1′∈Q1S or for all xT′∈QT such that T⟹PT(s)xT′ it holds that xT′∈QTS.
Moreover, since G1 and G1~ are opaque observation equivalent from G1⟹PG(s)x1 and based on Def. 11, it follows that G1~⟹PG(s)[x2] such that x1∈[x2].
Now, consider three cases:
a)
xT∈QTS and x1∈Q1NS. Then from G1~⟹PG(s)[x2] and T⟹PT(s)xT, it follows that G1~∥T⇒s([x2],xT). State ([x2],xT) is also considered secret as xT∈QTS. Since for all xT′∈QT such that T⟹PT(s)xT′ it holds that xT′∈QTS, then G1~∥∨T⇒s([x2],xT′) such that xT′∈QTNS does not exist. Thus, G1~∥∨T is not current-state opaque.
2. b)
x1∈Q1S and xT∈QTNS. Then from G1~⟹PG(s)[x2] and T⟹PT(s)xT, it follows that G~1∥T⇒s([x2],xT). As x1∈[x2] based on Definition 11, it holds that for all x∈[x2], x∈Q1S and [x2]∈Q~1S, which implies that ([x2],xT) is a secret state. Since for all x1′∈QG1 such that G1⟹PG(s)x1′ it holds that x1′∈Q1S, based on Definition 11 it follows that for all [x′]∈Q~G1 such that G1~⟹PG(s)[x′] it holds that [x′]∈Q~1S. Thus, G1~∥∨T⇒s([x′],xT′) such that [x′]∈Q~1NS does not exist, which means that G1~∥∨T is not current-state opaque.
3. c)
xT∈QTS and x1∈Q1S. Then the proof follows from (i)a) and (i)b).
2. (ii)
Assume that G1~∥∨T is not current-state opaque. Then there exists G1~∥∨T⇒s([x1],xT) such that [x1]∈Q~1S or xT∈QTS and there does not exists ([x1′],xT′)∈Q~G1×QT such that G1~∥∨T⇒s([x1′],xT′) and ([x1′],xT′)∈Q~1NS×QTNS.
From G1~∥∨T⇒s([x1],xT), it follows that G1~⟹PG(s)[x1] and T⟹PT(s)xT. From there does not exist ([x1′],xT′)∈Q~1NS×QTNS such that G1~∥∨T⇒s([x1′],xT′), it follows that for all [x1′]∈Q~G1 such that G1~⟹PG(s)[x1′] it holds that [x1′]∈Q~1S or for all xT′∈QT such that T⟹PT(s)xT′ it holds that xT′∈QTS.
Moreover, since G1 and G1~ are opaque observation equivalent from G1~⟹PG(s)[x1] and based on Definition 11, it follows that there exists x∈[x1] such that G1⟹PG(s)x.
Again, consider three cases:
a)
xT∈QTS and [x1]∈Q~1NS. The proof is similar to (i)a).
2. b)
[x1]∈Q~1S and xT∈QTNS. Then as [x1]∈Q~1S it holds that for all x∈[x1] also x∈Q1S. Thus, from G1⟹PG(s)x and T⟹PT(s)xT it follows that there exists G1∥T⇒s(x,xT), where (x,xT) is considered a secret state. Since for all [x1′]∈Q~G1 such that G1~⟹PG(s)[x1′] it holds that [x1′]∈Q~1S,
then by Definition 11 it holds that
for all x′∈QG1 such that G1⟹PG(s)x′ it holds that x′∈Q1S. This
means that G1∥∨T⇒s(x′,xT′) such that x′∈Q1NS does not hold, which implies that G1∥∨T is not current-state opaque.
3. c)
xT∈QTS and [x1]∈Q~1S. Then the proof follows from (ii)a) and (ii)b). ■
Theorem 4 illustrates that the components of a modular system that are interacting by ∥∨ can be abstracted using opaque observation equivalence while preserving the current-state opacity property. If ∥∧ is used for interaction, a similar result holds and the following corollary can be proved.
Corollary 5
Let G={G1,…,Gn} be a non-deterministic system with ∥∧ for interaction and with the set of secret states QS=Q1S×…×QnS. Let ∼ be an opaque observation equivalence on G1 such that G~={G1~,G2,…,Gn}. Then G is current-state opaque if and only if G~ is current-state opaque.
Proof:
Consider G2∥…∥Gn=T=⟨ΣT,QT,→,QT∘⟩. It suffices to show that if G1∥∧T is not current-state opaque then G~1∥∧T is not current-state opaque either and vice versa. Let PG:ΣT∪ΣG1→ΣG and PT:ΣT∪ΣG1→ΣT.
(i)
If G1∥∧T is not current-state opaque. Then there exists (x1,xT)∈QG1×QT such that G1∥∧T⇒s(x1,xT) and (x1,xT)∈Q1S×QTS, and there does not exist (x1′,xT′)∈QG1×XT such that G1∥∧T⇒s(x1′,xT′) and x1′∈Q1NS or xT′∈QTNS. This means, there does not exist x1′∈QGNS or xT′∈QTNS such that G1⟹PG(s)x1′ or T⟹PT(s)xT′. Now we need to show the two following cases:
a)
G~1∥∧T⇒s([x2],xT) and ([x2],xT)∈Q~1S×QTS. Since G1 and G~1 are opaque observation equivalent from G1⟹PG(s)x1 and based on Definition 11 it follows that G~1⟹PG(s)[x2] such that x1∈[x2]. From G~1⟹PG(s)[x2] and T⟹PT(s)xT it follows that G~1∥∧T⇒s([x2],xT). As x1∈[x2] based on Definition 11 it holds that for all x∈[x2], x∈Q1S and [x2]∈Q~1S. This means ([x2],xT)∈Q~1S×QTS.
2. b)
There does not exist G~1∥∧T⇒s([x′],xT′) such that [x′]∈Q~1NS or xT′∈QTNS. From
there does not exist x1′∈QGNS or xT′∈QTNS such that G1⟹PG(s)x1′ or T⟹PT(s)xT′
and based on Definition 11 it follows that there does not exist [x′]∈Q~1NS and x1′∈[x′] such that G~1⟹PG(s)[x′] either. This implies
there does not exist G~1∥∧T⇒s([x′],xT′) such that [x′]∈Q~1NS or xT′∈QTNS.
Therefore it can be concluded that G~1∥∧T is not current-state opaque.
2. (ii)
If G~1∥∧T is not current-state opaque. Then there exists G~1∥∧T⇒s([x1],xT) such that ([x1],xT)∈Q~1S×QTS and there does not exist ([x1′],xT′)∈Q~G1×QT such that G~1∥∧T⇒s([x1′],xT′) and [x1′]∈Q~1NS or xT′∈QTNS.
From G~1∥∧T⇒s([x1],xT) it follows that G~1⟹PG(s)[x1] and T⟹PT(s)xT and [x1]∈Q~GS and xT∈QTS. Again we need to show the two following cases:
a)
G1∥T⇒s(x,xT), where (x,xT)∈Q1S×QTS. since G1 and G~1 are opaque observation equivalent from G~1⟹PG(s)[x1] and based on Definition 11 it follows that there exists x∈[x1] such that G1⟹PG(s)x. Then as [x1]∈Q~1S it holds that for all x∈[x1] also x∈Q1S. Thus, from G1⟹PG(s)x and T⟹PT(s)xT it follows that G1∥T⇒s(x,xT), where (x,xT)∈Q1S×QTS.
2. b)
G1∥∧T⇒s(x′,xT′) such that x′∈Q1NS or xT′∈QTNS does not exist. From there does not exist ([x1′],xT′)∈Q~G1×QT such that G~1∥∧T⇒s([x1′],xT′) and [x1′]∈Q~1NS or xT′∈QTNS and based on Definition 11 it holds that G1⟹PG(s)x′ such that x′∈Q1NS does not exist. This means G1∥∧T⇒s(x′,xT′) such that x′∈Q1NS or xT′∈QTNS does not exist.
Therefore, it can be concluded that the G1∥∧T is not current-state opaque. ■
Example 2
Consider automaton G1 in Fig. 1 with set of secret states Q1S={s1,s3}. Consider states s2 and s4. Both states are non-secret states, s2,s4∈QNS, and they have the same future behavior since s2→τs4 and s4→εs4. Thus, states s2 and s4 can be merged while preserving opaque observation equivalence. A similar argument holds for s1,s3. Merging s2 and s4, and s1 and s3, results in G1~ with two less states compared to G1; it is shown in Fig. 1.
5.2 Synchronous composition of CSEs
The idea of compositional opacity verification is to abstract the components and construct the current-state estimator (CSE) for each abstracted component and, next, transform opacity verification to compositional nonblocking verification.
For this approach to work, it needs to be shown that current-state opacity is preserved by synchronization of individual CSEs, step (ii) in Fig. 2.
In the following, Prop. 6 first shows that synchronization of CSEs produces an automaton that is isomorphic with the monolithic CSE of the original system, det(G).111We could not find a proof of this result in the literature.
Then, Theorem 7 and Corollary 8 show that the current-state opacity of a system can be verified by constructing the CSEs of individual components and then synchronizing them by using ∥∨ or ∥∧, respectively.
As ∥∨ is more general compared with ∥∧, The following proposition has been presented and proved in Chapter 5 of [21], Proposition 5.5.
Proposition 6
[21]**
Let G1=⟨Σ1,\penalty750Q1∘,\penalty750→1∘,\penalty750Q1∘⟩ and G2=⟨Σ2,\penalty750Q2∘,\penalty750→2∘,\penalty750Q2∘⟩ be two non-deterministic automata. Then det(G1∥G2) is isomorphic to det(G1)∥det(G2).
Prop. 6 shows that the CSEs of the components of a system can be constructed individually.222If the system components synchronize also on common unobservable events, then Prop. 6 may not hold.
The idea of this paper is to transform the opacity verification problem to compositional nonblocking verification problem. Since the input to compositional nonblocking verification is a set of automata, it is essential for the proposed algorithm to keep the modular structure of the system.
The following theorem shows that current-state opacity is preserved by synchronization of the individual CSEs.
Theorem 7
Let G={G1,⋯,Gn} be a non-deterministic system with ∥∨ for interaction, where each automaton has set of secret states QiS. Hence, the set of secret states of the system is QS=Q∖QNS, where QNS=Q1NS×…×QnNS. Let det(Gi)=⟨Σi,Xobsi,→i,Xi∘⟩ for 1≤i≤n. Then G is current-state opaque if and only if det(G1)∥∨…∥∨det(Gn)→s(X1,…,Xn) implies
Xi⊆QiS for all 1≤i≤n.
Proof:
Based on Prop. 6, it holds that det(G)→sX if and only det(G1)∥…∥det(Gn)→s(X1,…,Xn) and (x1,…,xn)∈X if and only if (x1,…,xn)∈X1×⋯×Xn. If the system is current-state opaque then for all det(G)→sX it holds that X⊆QS. Since ∥∨ is used for composition, this means there exists (x1,…,xn)∈X such that xi∈QiNS for all 1≤i≤n. Based on Prop. 6 it holds that det(G1)∥…∥det(Gn)→s(X1,…,Xn) and there exists (x1,…,xn)∈X1×⋯×Xn such that xi∈QiNS for all 1≤i≤n. This means that Xi⊆QiS for all 1≤i≤n.
Similarly, assume that det(G1)∥…∥det(Gn)→s(X1,…,Xn) and Xi⊆QiS for all 1≤i≤n. Since ∥∨ is used for composition, this means there exists (x1,…,xn)∈X1×⋯×Xn such that xi∈QiNS for all 1≤i≤n. Based on Prop. 6 it holds that det(G)→sX and there exists (x1,…,xn)∈X such that xi∈QiNS for all 1≤i≤n, which implies X⊆QS. Thus, the system is current-state opaque. ■
Theorem 7 proves that a system is current state opaque if and only if no state of the modular current-state estimator lies entirely in the set of secret states. The set of secret states in Theorem 7 is defined based on ∥∨. The following corollary proves that a similar result also holds when ∥∧ is used for synchronization.
Corollary 8
Let G={G1,⋯,Gn} be a non-deterministic system with ∥∧ and with set of secret states QS=Q1S×⋯×QnS and det(Gi)=⟨Σi,Xobsi,→i,Xi∘⟩ for 1≤i≤n. Then G is current-state opaque if and only if det(G1)∥∧…∥∧det(Gn)→s(X1,⋯,Xn)
implies X1×⋯×Xn⊆Q1S×⋯×QnS.
Proof:
Based on Prop. 6 it holds that det(G)→sX if and only det(G1)∥…∥det(Gn)→s(X1,⋯,Xn) and (x1,⋯,xn)∈X if and only if (x1,⋯,xn)∈X1×⋯×Xn. If the system is current-state opaque then for all det(G)→sX it holds that X⊆QS, which means that there exists (x1,⋯,xn)∈X such that (x1,…,xn)∈Q1S×…×QnS. Based on Prop. 6 it holds that det(G1)∥…∥det(Gn)→s(X1,⋯,Xn) and there exists (x1,⋯,xn)∈X1×⋯×Xn such that (x1,…,xn)∈Q1S×…×QnS. Thus, X1×⋯×Xn⊆Q1S×…×QnS.
Similarly assume det(G1)∥…∥det(Gn)→s(X1,⋯,Xn) and X1×⋯×Xn⊆Q1S×…×QnS. This means that there exists (x1,…,xn)∈X1×⋯×Xn such that (x1,…,xn)∈Q1S×…×QnS. Based on Prop. 6 it holds that det(G)→sX and there exists (x1,⋯,xn)∈X such that (x1,…,xn)∈Q1S×…×QnS, which implies X⊂QS. Thus, the system is current-state opaque. ■
Example 3
Assume we have the system G={G~1,G2}, where the set of secret states of G~1 is Q~1S={[s1],[s2]} and Q2S={t1}. Automaton G~1 and G2 are shown in Fig. 1 and Fig. 3, respectively. Fig. 3 also shows D=det(G~1∥G2) and D′=det(G~1)∥det(G2), where
•
D0={(s0,t0)}, D1={([s1],t1),([s2],t1)} in D
•
D0′=({s0},{t0}), D1′=({[s1],[s2]},{t1}) in D′.
It can be observed that D and D′ are isomorphic. If ∥∨ is used for synchronization, then ([s1],t1) and ([s2],t1) are considered secret states. This means that D1⊆QS. Therefore, it can be concluded that G1∥∨G2 is not current-state opaque. Moreover, ([s1],t1) and ([s2],t1) are also considered secret if ∥∧ is used for interaction. Therefore, G1∥∧G2 is not current-state opaque.
5.3 Current-state opacity to nonblocking verification
So far, we have shown that the components of a modular system can be abstracted using opaque observation equivalence and the CSEs of individual abstracted components can be built.
This section describes the transformation of compositional opacity verification to nonblocking verification, steps (iii) and (iv) in Fig. 2.
These steps are done after creating the modular current-state estimators.
The compositional approach is well-established for nonblocking verification [11, 12].
A variety of abstraction methods with efficient implementations that preserve the nonblocking property are introduced in [11, 12].
Thus, transforming current-state opacity to nonblocking verification makes it possible to use well-developed algorithms for nonblocking verification.
To transform current-state opacity to nonblocking verification, the first step is to identify the states of individual current-state estimators that are violating opacity.
These states are considered as ψ-states in Def. 3.
From these states, transitions to blocking states are added.
The system is current-state opaque if and only if the transformed system is nonblocking.
As explained in Sect. 3, the components of the system can interact either by ∥∨ or ∥∧. Therefore, two different transformations are required to reflect this. In the following, Theorem 9 and Corollary 10 formally describe how to transform current-state opacity to nonblocking verification when ∥∨ and ∥∧ are used, respectively.
Theorem 9
Let G={G1,⋯,Gn} be a non-deterministic system, with ∥∨ used for interaction, where each automaton has set of secret states QiS. Hence, the set of secret states of the system is QS=Q∖QNS, where QNS=Q1NS×…×QnNS. Let det(Gi)=⟨Σi,Xobsi,→i,Xi∘⟩. Then G is not current-state opaque if and only if det(G1)ψ1∥…∥det(Gn)ψn is blocking, where Xψii={X∈Xobsi∣X⊆QiS}.
Proof:
First, assume that G is not current-state opaque. Based on Theorem 7 it holds that det(G1)∥…∥det(Gn)→s(X1,⋯,Xn) such that Xi⊆QiS for some 1≤i≤n, which implies Xi∈Xψii. Based on Lemma 24 in Appendix, det(G1)ψ1∥…∥det(Gn)ψn is blocking.
Next, assume that det(G1)ψ1∥…∥det(Gn)ψn is blocking. Then based on Lemma 24 in Appendix, it holds that det(G1)∥…∥det(Gn)→s(X1,⋯,Xn) such that Xi∈Xobsi and Xi∈Xψii for some 1≤i≤n. This means that det(G1)∥…∥det(Gn)→s(X1,⋯,Xn) such that Xi⊆QiS for some 1≤i≤n, which based on Theorem 7 implies that G is not current-state opaque. ■
The following example shows all the steps of compositional current-state opacity verification.
Example 4
Consider the system G={G1,G2}, where G1 is shown in Fig. 1 and G2 is shown in Fig. 3. Assume that the set of secret states of G1 and G2 are Q1S={s1,s2,s3,s4} and Q2S={t1}, respectively. At the first step of the compositional approach, step (i) in Fig 2, each automaton is abstracted using opaque observation equivalence. Thus, G1 is replaced by G~1, shown in Fig. 1, and G2 can not be abstracted. Automaton G~1 has set of secret states Q~1S={[s1],[s2]}. Next, det(G~1) and det(G2) are constructed, step (ii) in Fig. 2. Fig. 3 shows det(G~1) and since G2 is deterministic, det(G2)=G2. The next step in the compositional approach is to transform opacity verification to nonblocking verification by building the ψ-automata of the individual components, step (iii) in Fig. 2. Assume that ∥∨ is used for interaction. As {[s1],[s2]}⊆Q1S in det(G1~) and {t1}⊆Q2S in det(G2), it follows that Xψ11={{[s1],[s2]}} and Xψ22={{t1}}. The ψ-automata of det(G~1) and det(G2) are shown in Fig. 4 as O1 and O2, respectively. The transformed system is blocking as O1∥O2αψ1⊥, step (iv) in Fig. 2. Thus, we can conclude that the original system is not current-state opaque when ∥∨ is used for interaction. Indeed, the system is not current-state opaque as if α occurs in the monolithic system, then G1∥∨G2 goes to the secret states (s1,t1) or (s2,t1), from where there is no possible denial.
Corollary 10
Let G={G1,⋯,Gn} be a non-deterministic system, with ∥∧ used for interaction, where the set of secret states is QS=Q1S×⋯×QnS. Let det(Gi)=⟨Σi,Xobsi,→i,Xi∘⟩. Then G is not current-state opaque if and only if det(G1)ψ∥…∥det(Gn)ψ is blocking, where Xψi={X∈Xobsi∣X⊆QiS}.
Proof:
First assume G is not current-state opaque. Based on Definition 6 it holds that there exists s∈Σ∗ such that det(G)→sX and X⊆QS. Based on Prop. 6det(G) is isomorphic to det(G1)∥…∥det(Gn). Thus, det(G1)∥…∥det(Gn)→s(X1,⋯,Xn) and X1×⋯×Xn⊆Q1S×…×QnS, which implies Xi⊆QiS for all 1≤i≤n. Thus, it holds that X1×⋯×Xn⊆Xψ1×⋯×Xψn. Based on Lemma 25, det(G1)ψ∥…∥det(Gn)ψ is blocking.
Now assume det(G1)ψ∥…∥det(Gn)ψ is blocking. Then based on Lemma 25 it holds that det(G1)∥…∥det(Gn)→s(X1,⋯,Xn) and X1×⋯×Xn⊆Xψ1×⋯×Xψn. This means det(G1)∥…∥det(Gn)→s(X1,⋯,Xn) and Xi⊆QiS for all 1≤i≤n, which implies that G is not current-state opaque. ■
The main difference between Theorem 9 and Corollary 10 is in generating the ψ-automata of the individual components. When ∥∨ is used for composition, then the system is not current-state opaque if at least one state of the composed states is secret. To capture this feature, individual components Gi have different ψi-transitions. This guarantees that if the transformed system is blocking, then there is a composed state in the original system with at least one secret state. In contrast, when ∥∧ is used for interaction, a composed state is considered secret if all the states are secret. To assure this, in the transformed system all the components have the same ψ-transitions. Thus, the ψ-transitions happen if and only if they happen in all the components simultaneously.
Example 5
Consider again the system G={G~1,G2}, where G~1 is shown in Fig. 1 and G2 is shown in Fig. 3. Assume that the set of secret states of G~1 and G2 are Q~1S={[s1],[s2]} and Q2S={t1}, respectively. Now, assume that ∥∧ is used for interaction. Similarly to Example 4, we have that Xψ1={{[s1],[s2]}} and Xψ2={{t1}}. In contrast to Example 4, to generate the ψ-automata when ∥∧ is used for interaction, all the transitions to ⊥ are labeled by the same ψ event. The ψ-automata of det(G~1) and det(G2) are shown in Fig. 4 as O1′ and O2′, respectively. The ψ-system is blocking as O1′∥O2′αψ⊥. Thus, we can conclude that the original system is not current-state opaque when ∥∧ is used for interaction.
This section discusses the compositional approach for infinite-step opacity verification. In the compositional infinite-step opacity verification individual components are first abstracted. Next, the two-way observers [17] of components are generated and finally the infinite-step opacity verification is transformed to the compositional nonblocking verification. In the following, Section 6.1 explains how individual components can be abstracted before building the modular two-way observers. Next, Section 6.2 establishes a link between the modular two-way observers and the monolithic two-way observer. Section 6.3 shows the transformation of the infinite-step opacity verification to nonblocking verification when ∥∨ and ∥∧ is used for interaction.
6.1 Opaque observation equivalence
As explained in Section 4, the first step of the compositional infinite-step opacity is to abstract the components using opaque observation equivalence. In the following Theorem 11 and Corollary 12 show that opaque observation equivalence preserves infinite-step opacity when ∥∨ and ∥∧ are used for interaction, respectively. Theorem 11 and Corollary 12 are similar to Theorem 4 and Corollary 5 presented
in Section 5.1, and accordingly, they have similar proofs.
Theorem 11
Let G={G1,…,Gn} be a non-deterministic system with ∥∨ for interaction, where each automaton has set of secret states QiS. Hence, the set of secret states of the system is QS=Q∖QNS, where QNS=Q1NS×…×QnNS. Let ∼ be an opaque observation equivalence on G1 such that G~={G1~,G2,…,Gn}. Then G is infinite-step opaque if and only if G~ is infinite-step opaque.
Proof:
Assume T=G2∥∨…∥∨Gn with set of secret states QTS and set of non secret states QTNS=QT∖QTS. Then QTS=QT∖QTNS, where QTNS=Q2NS×…×QnNS. It suffices to show that if G1∥∨T is not infinite-step opaque then G~1∥∨T is not infinite-step opaque either and vice versa.
(i)
First assume that G1∥∨T is not infinite-step opaque. Then there exists (xG0,xT0)∈QG1∘×QT∘ and st∈L(G1∥∨T,(xG0,xT0)) such that (xG0,xT0)⇒s(x1,xT), and x1∈QG1S or xT∈QTS, and one of the following holds.
•
For all (x1′,xT′)∈QG1NS×QTNS such that G1∥∨T⇒s(x1′,xT′) then G1∥∨T⇒s(x1′,xT′)⇒t.
•
There does not exist (x1′,xT′)∈QG1NS×QTNS such that G1∥∨T⇒s(x1′,xT′).
Since G1∼G~1 it holds that G~1∥∨T∼G1∥∨T. This means, if G1∥∨T⇒s(x1′,xT′)⇒t then G~1∥∨T⇒s([x1′],xT′)⇒t, where x1′∈[x1′] and (x1′,xT′)∈QG1NS×QTNS if and only if ([x1′],xT′)∈Q~G1NS×QTNS. Thus, G~1∥∨T is not infinite-step opaque either.
Now consider the case when G1∥∨T is not infinite-step opaque because (xG0,xT0)⇒s(x1,xT), and x1∈QG1S or xT∈QTS and there does not exist (x1′,xT′)∈QG1NS×QTNS such that G1∥∨T⇒s(x1′,xT′).
The proof for this part is the same as the proof for Theorem 4 in Section 5.1, proof of opaque observation equivalence preserves current-state opacity, and consequently omitted.
2. (ii)
If G~1∥∨T is not infinite-step opaque. Then there exists ([xG0],xT0)∈Q~G1∘×QT∘ and st∈L(G~1∥∨T,([xG0],xT0)) such that ([xG0],xT0)⇒s([x1],xT), and [x1]∈Q~G1S or xT∈QTS, and one of the following cases holds.
•
For all ([x1′],xT′)∈Q~G1NS×QTNS such that G~1∥∨T⇒s([x1′],xT′) then G~∥∨T⇒s([x1′],xT′)⇒t.
•
There does not exist ([x1′],xT′)∈Q~G1NS×QTNS such that G~1∥∨T⇒s([x1′],xT′).
Since G1∼G~1 it holds that G~1∥∨T∼G∥∨T. This means, if G~1∥∨T⇒s([x1′],xT′)⇒t then G1∥∨T⇒s(x1′,xT′)⇒t, where x1′∈[x1′] and (x1′,xT′)∈QG1NS×QTNS if and only if ([x1′],xT′)∈Q~G1NS×QTNS. Thus, G1∥∨T is not infinite-step opaque either.
Now consider the case when G~1∥∨T is not infinite-step opaque because ([xG0],xT0)⇒s([x1],xT), and [x1]∈Q~G1S or xT∈QTS and there does not exist ([x1′],xT′)∈Q~G1NS×QTNS such that G~1∥∨T⇒s([x1′],xT′).
Again the proof for this part is the same as the proof for Theorem 4 in Section 5.1, proof of opaque observation equivalence preserves current-state opacity, and consequently omitted. ■
In the theorem ∼inf refers to infinite-step opaque equivalence definite in Section 5.
Corollary 12
Let G={G1,…,Gn} be a non-deterministic system with ∥∧ for interaction and with the set of secret states QS=Q1S×…×QnS. Let ∼ be an opaque observation equivalence on G1 such that G~={G1~,G2,…,Gn}. Then G is infinite-step opaque if and only if G~ is infinite-step opaque.
Proof:
Assume T=G2∥∧…∥∧Gn with set of secret states QTS and set of non secret states QTNS=QT∖QTS. Then QTS=QT∖QTNS, where QTS=Q2S×…×QnS. It suffices to show that if G1∥∧T is not infinite-step opaque then G~1∥∧T is not infinite-step opaque either and vice versa.
(i)
First assume that G1∥∧T is not infinite-step opaque. Then there exists (xG0,xT0)∈QG1∘×QT∘ and st∈L(G1∥∧T,(xG0,xT0)) such that (xG0,xT0)⇒s(x1,xT), and (x1,xT)∈QG1S×QTS, and one of the following holds.
•
For all (x1′,xT′) such that x1′∈QG1NS or xT′∈QTNS and G1∥∧T⇒s(x1′,xT′) then G1∥∧T⇒s(x1′,xT′)⇒t.
•
There does not exist x1′∈QG1NS or xT′∈QTNS such that G1∥∧T⇒s(x1′,xT′).
Since G1∼G~1 it holds that G~1∥∧T∼G1∥∧T. This means, if G1∥∧T⇒s(x1′,xT′)⇒t then G~1∥∧T⇒s([x1′],xT′)⇒t, where x1′∈[x1′] and x1′∈QG1NS if and only if [x1′]∈Q~G1NS. Thus, G~1∥∧T is not infinite-step opaque either.
Now consider the case, where (x1,xT)∈QG1×QT such that G1∥∧T⇒s(x1,xT) and (x1,xT)∈QG1S×QTS, and there does not exist x1′∈QG1NS or xT′∈QTNS such that G1∥∧T⇒s(x1′,xT′). The proof for this part is the same as the proof for Corollary 5, proof of opaque observation equivalence preserves current-state opacity, and consequently omitted.
Therefore, it can be concluded that G~1∥∧T is not infinite-step opaque.
2. (ii)
If G~1∥∧T is not infinite-step opaque. Then there exists ([xG0],xT0)∈Q~G1∘×QT∘ and st∈L(G~1∥∧T,([xG0],xT0)) such that ([xG0],xT0)⇒s([x1],xT), and ([x1],xT)∈Q~G1S×QTS, and one of the following cases holds.
•
For all ([x1′],xT′)∈Q~G1×QT such that [x1′]∈Q~NS or xT′∈QTNS and G~1∥∧T⇒s([x1′],xT′) then G~1∥∧T⇒s([x1′],xT′)⇒t.
•
There does not exist ([x1′],xT′)∈Q~G1NS×QTNS such that G~1∥∧T⇒s([x1′],xT′).
Since G∼G~1 it holds that G~1∥∧T∼G1∥∧T. This means, if G~1∥∧T⇒s([x1′],xT′)⇒t then G1∥∧T⇒s(x1′,xT′)⇒t, where x1′∈[x1′] and x1′∈QG1NS if and only if [x1′]∈Q~G1NS×QNS. Thus, G1∥∧T is not infinite-step opaque either.
Now consider the case where, G~1∥∧T is not infinite-step opaque because there exists G~1∥∧T⇒s([x1],xT) such that ([x1],xT)∈Q~G1S×QTS and G~1∥∧T⇒s([x1′],xT′) such that [x1′]∈Q~G1NS or xT′∈QTNS.
Again the proof for this part is the same as the proof for Corollary 5, proof of opaque observation equivalence preserves current-state opacity, and consequently omitted.
Therefore, it can be concluded that the G∥∧T is not infinite-step opaque. ■
6.2 Synchronous composition of two-way observers
It has been shown in [17] that a two-way observer can be used to verify infinite-step opacity. In order to monolithically verify the infinite-step opacity of a modular system the monolithic representation of whole system is generated first. Next, the two-way observer of the system is constructed, see Definition 9. This approach requires generating two observer automata for two potentially large components, which maybe intractable. The compositional approach on the other hand, avoids constructing the monolithic two-way observer of the system. Instead, the two-way observers of the components are built individually. However, the monolithic two-way observer of the system is a subautomaton of the composed individual two-way observers. This is shown in Proposition 13.
Proposition 13
Let G1 and G2 be two non-deterministic automata. Let Gi,R be the reversed automaton of Gi for i=1,2 and let GR be the reversed automaton of G1∥G2. Let Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ. Let Hi=Δ(det(Gi))∥ΔR(det(Gi,R)) for i=1,2 and H=Δ(det(G1∥G2))∥ΔR(det(GR)). Then H⊑H1∥H2, which means that if H→s(X,XR)→σ(Y,YR) in H then H1∥H2→s((X1,XR1),(X2,XR2))→σ((Y1,YR1),(Y2,YR2)) in H1∥H2 such that
XR⊂XR1×XR2 and
YR⊆YR1×YR2.
Proof:
Based on Lemma 26 in Appendix, it holds that Δ(det(G1))∥Δ(det(G2))=Δ(det(G1)∥det(G2)), and based on Prop. 6, Δ(det(G1)∥det(G2)) and Δ(det(G1∥G2)) are isomorphic. Thus, it is enough to show that ΔR(det(GR))⊑ΔR(det(G1,R))∥ΔR(det(G2,R)). Moreover, based on Lemma 26, it holds that ΔR(det(G1,R))∥ΔR(det(G2,R))=ΔR(det(G1,R)∥det(G2,R)). Thus, it is enough to show that det(GR)⊑det(G1,R)∥det(G2,R).
It is shown by induction on n≥0 that X0→σ1X1→σ2…→σnXn in det(GR) if (X10,X20)→σ1(X11,X21)→σ2…→σn(X1n,X2n) in det(G1,R)∥det(G2,R) such that (x1,x2)∈Xj if (x1,x2)∈X1j×X2j.
Base case:n=0. Let XR∘ be the initial state of det(GR) and Xi,R∘ be the initial state of det(Gi,R) for i=1,2. If (x1,x2)∈XR∘, then as all the states of GR are considered as initial states it holds that (x1,x2) is a reachable state, which means that G1∥G2⇒s(x1,x2). Based on Def. 2, it holds that Gi⟹Pi(s)xi in Gi for i=1,2. Based on the definition of the reversed automaton, all the states of Gi,R for i=1,2 are considered as initial states, which implies that xi∈Qi,R∘ for i=1,2, . Thus, (x1,x2)∈Q1,R∘×Q2,R∘, which means that (x1,x2)∈X1,R∘×X2,R∘.
Inductive step: Assume that the claim holds for some n≥0, i.e, XR∘=X0σ1σ2…σnXn=X in det(GR) if (X1,R∘,X2,R∘)=(X10,X20)σ1σ2…σn(X1n,X2n)=(X1,X2) in det(G1,R)∥det(G2,R), and (x1,x2)∈Xk if (x1,x2)∈X1k×X2k for all 0≤k<n. It must be shown that if X=Xnσn+1Y in det(GR), then (X1,X2)=(X1n,X2n)σn+1(Y1,Y2) in det(G1,R)∥det(G2,R), and if (x1,x2)∈X, then (x1,x2)∈X1×X2.
Let det(GR)σ1…σnXn=Xσn+1Y in det(GR) and (x1,x2)∈X. Then based on UR(x) it follows that (x1,x2)=(x11,x21)⇒τ(x1r,x2t)σn+1(y1,y2) in GR. Since (y1,y2) is a reachable state in GR, it holds that there exists s∈(Σ1∪Σ2)∗ such that G1∥G2⇒s(y1,y2)σn+1(x1r,x2t)⇒τ(x11,x21). Based on Def. 2, it holds that G1⟹P1(s)y1P1(σn+1)x1r⇒τx11 in G1 and G2⟹P2(s)y2P2(σn+1)x2t⇒τx21 in G2. This means that x11⇒τx1rP1(σn+1)y1 in G1,R and x21⇒τx2tP2(σn+1)y2 in G2,R. Then based on UR(x) and the inductive hypothesis, it holds that det(G1,R)P1(σ1σ2…σn)X1P1(σn+1)Y1 and det(G2,R)P2(σ1σ2…σn)X2P2(σn+1)Y2. Moreover, based on UR(x) it holds that x1∈X1 and x2∈X2. Then based on Def. 2 it holds that det(G1,R)∥det(G2,R)σ1σ2…σn(X1,X2)σn+1(Y1,Y2). Thus, (X1,X2)σn+1(Y1,Y2) in det(G1,R)∥det(G2,R) and (x1,x2)∈X1×X2. ■
Proposition 13 only establishes that the monolithic two-way observer of a modular system is a subautomaton of the synchronous product of the individual two-way observers but in contrast to Proposition 6 the isomorphism does not hold in general. The reason is when the monolithic representation of the system is built some combinations of states become unreachable, or some transitions become disabled. However, those unreachable states may become reachable when individual reverse automata are composed. This happens because in the reversed automaton all the states are considered as initial state and consequently reachable states. This over approximation may cause some unreachable states that are violating the infinite-step opacity to become reachable. Therefore, the verification results may return incorrect violation of infinite-step opacity. This is shown in Example 6.
Theorem 14
*Let G={G1,…,Gn} be a nondeterministic system with ∥∨ for interaction, where each automaton has the set of secret states QiS. Then the set of secret states of the system is QS=Q∖QNS, where QNS=Q1NS×…×QnNS.
Let Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ and let Hi=⟨ΣH,QH,→H,QH∘⟩, where ΣHi=Δ(Σi)∪ΔR(Σi), be the two-way observer of Gi for 1≤i≤n.
If
*
[TABLE]
then G is infinite-step opaque.
Proof:
First, based on Proposition 6, Proposition 13 and Lemma 26 it holds that H=Δ(det(G))∥ΔR(det(GR))⊑[Δ(det(G1)∥…∥det(Gn))∥ΔR(det(G1,R)∥…∥det(Gn,R))=Δ(det(G1))∥…∥Δ(det(Gn))∥ΔR(det(G1,R))∥…∥Δ(det(Gn,R))=Δ(det(G1))∥ΔR(det(G1,R))∥…∥Δ(det(Gn))∥ΔR(det(Gn,R))=H1∥…∥Hn].
Assume that
[TABLE]
Since ∥∨ is used for interaction, from (Xi∩XRi)⊆QiS or (Xi∩XRi)=∅ for all 1≤i≤n it follows that ((X1∩XR1)×…×(Xn∩XRn))⊆QS or ((X1∩XR1)×…×(Xn∩XRn))=∅. Therefore, equation (7) can be rewritten as
[TABLE]
Based on Prop. 13 if H→s(X,XR) it holds that H1∥…∥Hn→s((X1,XR1),…,(Xn,XRn)) and XR⊆XR1×…×XRn and based on Prop. 6 it holds that X=X1×…×Xn. This implies (X∩XR)⊆(X1×…×Xn)∩(XR1×…×XRn).
Consider the system G={G~1,G2}, where G~1 and G2 are shown in Figure 1 and Figure 3 respectively. The set of secret states of G~1 is Q~1S={[s1]} and G2 is Q2S=∅. Assume ∥∨ is used for interaction. The two-way observer of G1~ is H~1 and the two-way observer of G2 is H2. Automaton H~1 is similar to H1 shown in Figure 1, where
The monolithic approach to verify infinite-step opacity of the system is to build G=G~1∥∨G2 and then build the two-way observer of the system G, which is shown in Figure 5 as H. In the automaton H the states are:
Let Wi=(qi,pi) for automaton H. As it can be seen, qi∩pi={(s0,t0)}⊆QS when i=1,3, and qi∩pi=∅ when i=4,5, and qi∩pi={([s1],t1),([s2],t1)}⊆QS when i=2,6. Therefore, the system is infinite-step opaque. The modular two-way observer of the system is H1∥H2 shown in Figure 5. The condition of Theorem 14 does not hold for the state (F,F′) in H1∥H2 since for the state F in H1 we have {[s1],[s2]}∩{[s1]}⊆Q1S. Therefore, from H1∥H2 it can not be concluded that the system is infinite-step opaque.
Corollary 15
Let G=G1∥∧…∥∧Gn be a nondeterministic system, with the set of secret states QGS=Q1S×⋯×QnS. Let Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ and let Hi=⟨ΣH,QH,→H,QH∘⟩, where ΣHi=Δ(Σi)∪ΔR(Σi), be the two-way observer of Gi for 1≤i≤n.
*If
*
[TABLE]
then G is infinite-step opaque.
Proof:
First, based on Proposition 6, Proposition 13 and Lemma 26 it holds that H=Δ(det(G))∥ΔR(det(GR))⊑[Δ(det(G1)∥…∥det(Gn))∥ΔR(det(G1,R)∥…∥det(Gn,R))=Δ(det(G1))∥…∥Δ(det(Gn))∥ΔR(det(G1,R))∥…∥Δ(det(Gn,R))=Δ(det(G1))∥ΔR(det(G1,R))∥…∥Δ(det(Gn))∥ΔR(det(Gn,R))=H1∥…∥Hn].
Assume that
[TABLE]
Since ∥∧ is used for interaction, from there exist (Xi,XRi) such that (Xi∩XRi)⊆QiS or (Xi∩XRi)=∅ it follows that ((X1∩XR1)×…×(Xn∩XRn))⊆QS or ((X1∩XR1)×…×(Xn∩XRn))=∅. Therefore, equation (6.2) can be rewritten as
[TABLE]
Based on Prop. 13 if H→s(X,XR) it holds that H1∥…∥Hn→s((X1,XR1),…,(Xn,XRn)) and XR⊆XR1×…×XRn and based on Prop. 6 it holds that X=X1×…×Xn. This implies (X∩XR)⊆(X1×…×Xn)∩(XR1×…×XRn). Therefore, equation (6.2) can be rewritten as
[TABLE]
Thus, the system is infinite-step opaque. ■
Example 7
Consider again the system G={G~1,G2}, where G~1 and G2 are shown in Figure 1 and Figure 3 respectively. The set of secret states of G~1 is Q~1S={[s1]} and G2 is Q2S=∅. Now, assume ∥∧ is used for interaction. The problematic state (F,F′) in H1∥H2 is no longer violating the condition of Corollary 15 since for F′ we have ({t0}∩{t1})=∅. Therefore, the condition of Corollary 15 holds for all the state of H1∥H2. Thus, by analyzing the states of H1∥H2, it can be concluded that the system is infinite-step opaque.
6.3 Infinite-step opacity to nonblocking verification
The main idea of this paper is to transform the opacity verification problem to nonblocking verification and use the existing verification algorithms. To do so, the ψ-automata of the two-way observers of the system components need to be generated. In the following, Theorem 16 and Corollary 17 show how ψ-automaton can be generated when ∥∨ and ∥∧ are used for interaction, respectively.
Theorem 16
Let G=G1∥∨…∥∨Gn be a nondeterministic system, with the set of non-secret states QGNS=Q1NS×⋯×QnNS and the set of secret states QS=Q∖QNS. Let Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ and let Hi=⟨ΣH,QH,→H,QH∘⟩, where ΣHi=Δ(Σi)∪ΔR(Σi), be the two-way observer of Gi for 1≤i≤n.
If H1,ψ1∥…∥Hn,ψn is noblocking, where Xψ,ii={(Xi,XRi)∈XHi∣(Xi∩XRi)⊆QiS}, then the system G is infinite-step opaque.
Proof:
Assume H1,ψ1∥…∥Hn,ψn is nonblocking. As all the states of Hi,ψi for all 1≤i≤n except ⊥ are marked this means there does not exist s∈(Δ(Σ)∪ΔR(Σ))∗ such that H1,ψ1∥…∥Hn,ψn→s((X1,XR1),⋯,(Xn,XRn))→ψi⊥, which implies (Xi,XRi)∈Xψi for all 1≤i≤n. Thus, for all s∈(Δ(Σ)∪ΔR(Σ))∗ it holds that
Δ(det(G1))∥ΔR(det(G1,R))∥…∥Δ(det(Gn))∥ΔR(det(Gn,R))→s((X1,XR1),⋯,(Xn,XRn)), where (Xi∩XRi)⊆QiS or Xi∩XRi=∅ for all 1≤i≤n. Therefore, based on Theorem 14 the system is infinite-step opaque. ■
To generate ψ-automata of individual two-way observers, at the states of the two-way observers in which infinite-step opacity is violated the ψi-transition to blocking states are added. This transforms verification of infinite-step opacity to nonblocking problem. If the results of the verification is nonblocking then the system is infinite-step opaque. However, if the results is blocking the verification software tools like Supremica [18] will return a counter example. By the help of the counter example it is possible to verify if the blocking is caused due to the over approximation. If this is the case, the problematic state can be removed and the system can be verified again, otherwise it can be concluded that the system is not infinite-step opaque.
Example 8
Consider the system G={G1,G2}, where G1 and G2 are shown in Figure 1 and Figure 3 respectively. The set of secret states of G1 is Q1S={s1,s3} and G2 is Q2S=∅. Assume ∥∨ is used for interaction. At the first step of the compositional approach individual components are abstracted using opaque observation equivalence. This results in the abstracted system G~={G~1,G2} with Q~1S={[s1]}. G~1 is shown in Figure 1. After that, the two-way observers of the abstracted components are generated. As explained in Example 6 the two-way observer of G1~ is H~1 and the two-way observer of G2 is H2 shown Figures 1 and 5. Next, the infinite-step opacity verification is transformed to nonblocking verification by generating ψi-automaton for each Hi. For the two-way observer H1 we have Xψ11={F} since for the state F it holds that {[s1],[s2]}∩{[s1]}⊆Q1S. For the two-way observer H2 we have Xψ22=∅. Figure 6 shows the H1,ψ1. The system H1,ψ1∥H2,ψ2 is blocking since H1,ψ1∥H2,ψ2(α,ϵ)(ϵ,β)(F,F′)→ψ1⊥. Thus, no conclusion can be drawn about the infinite-step opacity of the system. The problem of over approximation is caused by the reverse automata of the two-way observer. From Δ(det(G1))∥ΔR(det(G1,R))∥Δ(det(G2))∥ΔR(det(G2,R))(α,ϵ)(ϵ,β)(F,F′)=(({[s1],[s2]},{[s1]}),({t1},{t0})) it follows that ΔR(G1,R)∥ΔR(G2,R)(ϵ,β)({[s1]},{t0}). Thus, to verify if this is a valid violation of opacity, it needs to be analyzed if state ([s1],t0) is a reachable state in G1∥G2. Since G1→α[s1] and G2→αt0 it can be concluded that ([s1],t0) is not a reachable state in G1∥G2. Thus, it can be concluded that the violation is due to the over approximation. Thus, the system is finite-step opaque.
Corollary 17
Let G=G1∥∧…∥∧Gn be a nondeterministic system, with the set of secret states QGS=Q1S×⋯×QnS. Let Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ and let Hi=⟨ΣH,QH,→H,QH∘⟩, where ΣHi=Δ(Σi)∪ΔR(Σi), be the two-way observer of Gi for 1≤i≤n.
If H1,ψ∥…∥Hn,ψ is nonblocking, where Xψ,ii={(Xi,XRi)∈XHi∣(Xi∩XRi)⊆QiS}, then the system G is infinite-step opaque.
Proof:
Assume H1,ψ∥…∥Hn,ψ is nonblocking. As all the sates of Hi for all 1≤i≤n are marked this means there does not exist s∈(Δ(Σ)∪ΔR(Σ))∗ such that H1,ψ∥…∥Hn,ψ→s((X1,Y1),⋯,(Xn,Yn))→ψ⊥, which implies there exists (Xi,Yi) such that (Xi,Yi)∈Xψi. Thus, for all s∈(Δ(Σ)∪ΔR(Σ))∗ it holds that
Δ(det(G1))∥ΔR(det(G1,R))∥…∥Δ(det(Gn))∥ΔR(det(Gn,R))→s((X1,XR1),⋯,(Xn,XRn)), where (Xi∩XRi)⊆QiS or (Xi∩XRi)=∅ for some 1≤i≤n. Based on Corollary 15 it holds that the system is infinite-step opaque. ■
7 Compositional K-step opacity verification
This section discusses the compositional approach for K-step opacity verification.
Since infinite-step opacity is a special case of K-step opacity, in this section we mainly focus on K-step opacity and we discuss throughout how the results can be extended to handle infinite-step opacity verification.
As in the case of current-state opacity, the first step of compositional K-step opacity verification is to abstract the individual components. This is described in Sect. 7.1.
Next, Sect. 7.2 presents the construction of two-way observers of individual components and Sect. 7.3 shows how K-step opacity verification can be transformed to nonblocking verification.
7.1 Opaque observation equivalence
The idea of K-step opacity is that the intruder cannot determine if the secret state was reached within K-step prior to the current state. As opaque observation equivalence only merges states with the same secrecy property and the same future behavior, K-step opacity is preserved by opaque observation equivalence, step (i) in Fig. 2. This is shown in Theorem 18.
Theorem 18
Let G={G1,…,Gn} be a non-deterministic system with ∥∨ for interaction, where each automaton has set of secret states QiS. Hence, the set of secret states of the system is QS=Q∖QNS, where QNS=Q1NS×…×QnNS. Let ∼ be an opaque observation equivalence on G1 such that G~={G1~,G2,…,Gn}. Then G is K-step opaque if and only if G~ is K-step opaque.
Proof:
Consider G2∥…∥Gn=T=⟨ΣT,QT,→,QT∘⟩ with the set of secret states QTS=Q2S×…×QnT and non secret states QTNS=QT∖QTS. It suffices to show that if G1∥∨T is not K-step opaque then G~1∥∨T is not K-step opaque either and vice versa.
(i)
First assume that G1∥∨T is not K-step opaque. Then there exists (xG10,xT0)∈QG1∘×QT∘ and st∈L(G1∥∨T,(xG10,xT0)) such that (xG10,xT0)⇒s(x1,xT), and x1∈Q1S or xT∈QTS and ∣t∣≤K, and one of the following holds.
•
For all (x1′,xT′)∈Q1NS×QTNS such that G1∥∨T⇒s(x1′,xT′) then G1∥∨T⇒s(x1′,xT′)⇒t.
•
There does not exist (x1′,xT′)∈Q1NS×QTNS such that G1∥∨T⇒s(x1′,xT′).
Since G1∼G~1 it holds that G~1∥∨T∼G1∥∨T. This means, if G1∥∨T⇒s(x1′,xT′)⇒t then G~1∥∨T⇒s([x1′],xT′)⇒t, where x1′∈[x1′] and (x1′,xT′)∈Q1NS×QTNS if and only if ([x1′],xT′)∈Q~1NS×QTNS. Thus, G~1∥∨T is not K-step opaque either.
Now consider the case where G1∥∨T is not K-step opaque because (xG0,xT0)⇒s(x1,xT), and x1∈Q1S or xT∈QTS and there does not exist (x1′,xT′)∈Q1NS×QTNS such that G1∥∨T⇒s(x1′,xT′).
The proof for this part is the same as the proof for Theorem 4 in Sect. 5.1, proof of opaque observation equivalence preserves current-state opacity, and consequently omitted.
2. (ii)
If G~1∥∨T is not K-step opaque. Then there exists ([xG10],xT0)∈Q~G1∘×QT∘ and st∈L(G~1∥∨T,([xG10],xT0)) such that ([xG10],xT0)⇒s([x1],xT), and [x1]∈Q~1S or xT∈QTS and ∣t∣≤K, and one of the following cases holds.
•
For all ([x1′],xT′)∈Q~1NS×QTNS such that G~1∥∨T⇒s([x1′],xT′) then G~1∥∨T⇒s([x1′],xT′)⇒t.
•
There does not exist ([x1′],xT′)∈Q~1NS×QTNS such that G~1∥∨T⇒s([x1′],xT′).
Since G1∼G~1 it holds that G~1∥∨T∼G1∥∨T. This means, if G~1∥∨T⇒s([x1′],xT′)⇒t then G1∥∨T⇒s(x1′,xT′)⇒t, where x1′∈[x1′] and (x1′,xT′)∈Q1NS×QTNS if and only if ([x1′],xT′)∈Q~1NS×QTNS. Thus, G1∥∨T is not K-step opaque either.
Now consider the case when G~1∥∨T is not K-step opaque because ([xG10],xT0)⇒s([x1],xT), and [x1]∈Q~1S or xT∈QTS and there does not exist ([x1′],xT′)∈Q~1NS×QTNS such that G~1∥∨T⇒s([x1′],xT′).
The proof for this part is the same as the proof for Theorem 4 in Sect. 5.1, proof of opaque observation equivalence preserves current-state opacity, and consequently omitted. ■
Theorem 18 shows that if x⇒s in G, then [x]⇒s in G~. As opaque observation equivalence only merges states with the same future behavior, the lengths of the strings remain consistent after abstraction. Therefore, K-step opacity is preserved by opaque observation equivalence.
Corollary 19
Let G={G1,…,Gn} be a non-deterministic system with ∥∧ for interaction and with the set of secret states QS=Q1S×…×QnS. Let ∼ be an opaque observation equivalence on G1 such that G~={G1~,G2,…,Gn}. Then G is K-step opaque if and only if G~ is K-step opaque.
Proof:
Consider G2∥…∥Gn=T=⟨ΣT,QT,→,QT∘⟩. It suffices to show that if G1∥∧T is not K-step opaque then G~1∥∧T is not K-step opaque either and vice versa.
(i)
First assume that G1∥∧T is not K-step opaque. Then there exists (xG10,xT0)∈QG1∘×QT∘ and st∈L(G1∥∧T,(xG10,xT0)) such that (xG10,xT0)⇒s(x1,xT), (x1,xT)∈Q1S×QTS and ∣t∣≤K, and one of the following holds.
•
For all (x1′,xT′) such that x1′∈Q1NS or xT′∈QTNS and G1∥∧T⇒s(x1′,xT′) then G1∥∧T⇒s(x1′,xT′)⇒t.
•
There does not exist x1′∈Q1NS or xT′∈QTNS such that G1∥∧T⇒s(x1′,xT′).
Since G1∼G~1 it holds that G~1∥∧T∼G1∥∧T. This means, if G1∥∧T⇒s(x1′,xT′)⇒t then G~1∥∧T⇒s([x1′],xT′)⇒t, where x1′∈[x1′] and x1′∈Q1NS if and only if [x1′]∈Q~1NS. Thus, G~1∥∧T is not K-step opaque either.
Now consider the case, where (x1,xT)∈QG1×QT such that G1∥∧T⇒s(x1,xT) and (x1,xT)∈Q1S×QTS, and there does not exist x1′∈Q1NS or xT′∈QTNS such that G1∥∧T⇒s(x1′,xT′). The proof for this part is the same as the proof for Corollary 5, proof of opaque observation equivalence preserves current-state opacity, and consequently omitted.
Therefore, it can be concluded that G~1∥∧T is not K-step opaque.
2. (ii)
If G~1∥∧T is not K-step opaque. Then there exists ([xG10],xT0)∈Q~G1∘×QT∘ and st∈L(G~1∥∧T,([xG0],xT0)) such that ([xG0],xT0)⇒s([x1],xT), ([x1],xT)∈Q~G1S×QTS and ∣t∣≤K, and one of the following cases holds.
•
For all ([x1′],xT′)∈Q~G1×QT such that [x1′]∈Q~NS or xT′∈QTNS and G~1∥∧T⇒s([x1′],xT′) then G~1∥∧T⇒s([x1′],xT′)⇒t.
•
There does not exist ([x1′],xT′)∈Q~1NS×QTNS such that G~1∥∧T⇒s([x1′],xT′).
Since G1∼G~1 it holds that G~1∥∧T∼G1∥∨T. This means, if G~1∥∧T⇒s([x1′],xT′)⇒t then G1∥∧T⇒s(x1′,xT′)⇒t, where x1′∈[x1′] and x1′∈Q1NS if and only if [x1′]∈Q~1NS. Thus, G∥∧T is not K-step opaque either.
Again the proof for this part is the same as the proof for Corollary 5, proof of opaque observation equivalence preserves current-state opacity, and consequently omitted.
Therefore, it can be concluded that the G∥∧T is not K-step opaque. ■
7.2 Synchronization of two-way observers
To verify K-step opacity similar to infinite-step opacity the two-way observers of the system components need to be generated. As explained in Section 6.2 synchronization of the two-way observers of individual components provides an over approximation of the state space of the monolithic two-way observer of the system. Thus, if the verification of the over approximated two-way observer results in K-step opacity it can be concluded that the original system is also K-step opaque. However, if the result shows violation of the K-step opacity it needs to be investigated to confirm that the violation is not the result of reaching an unreachable state due to over approximation.
Theorem 20
Let G=G1∥∨…∥∨Gn be a non-deterministic system, where each automaton has set of secret states QiS. Hence, the set of secret states of the system is QS=Q∖QNS, where QNS=Q1NS×…×QnNS. Let Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ and let Hi=⟨ΣH,QH,→H,QH∘⟩, where ΣHi=Δ(Σi)∪ΔR(Σi), be the two-way observer of Gi and let H=H1∥…∥Hn. Let PΔ:ΣH→ΔR(Σ). If for any string s∈L(H1∥…∥Hn) such that H1∥…∥Hn→s((X1,XR1),…,(Xn,XRn)) we have
[TABLE]
then the system G is K-step opaque.
Proof:
First, based on Proposition 6, Proposition 13 and Lemma 26 it holds that Δ(det(G))∥ΔR(det(GR))⊑[Δ(det(G1)∥…∥det(Gn))∥ΔR(det(G1,R)∥…∥det(Gn,R))=Δ(det(G1))∥…∥Δ(det(Gn))∥ΔR(det(G1,R))∥…∥Δ(det(Gn,R))=Δ(det(G1))∥ΔR(det(G1,R))∥…∥Δ(det(Gn))∥ΔR(det(Gn,R))=H1∥…∥Hn].
Assume that for any string s∈L(H1∥…∥Hn) such that H1∥…∥Hn→s((X1,Y1),…,(Xn,Yn)) we have
[TABLE]
Since ∥∨ is used for interaction, from [∃(Xi∩XRi):(Xi∩XRi)⊆QiS∧(Xi∩XRi)=∅] it holds that [((X1∩XR1)×…×(Xn∩XRn))⊆QS∧((X1∩XR1)×…×(Xn∩XRn))=∅]. Since ((X1∩XR1)×…×(Xn∩XRn))=((X1×…×Xn)∩(XR1×…×XRn)) equation 7.2 can be rewritten as
[TABLE]
Based on Prop. 13 if H→s(X,XR) it holds that H1∥…∥Hn→s((X1,XR1),…,(Xn,XRn)) and XR⊆XR1×…×XRn and based on Prop. 6 it holds that X=X1×…×Xn. This implies (X∩XR)⊆(X1×…×Xn)∩(XR1×…×XRn). Thus, there are two possibilities for (X∩XR):
•
If (X∩XR)=∅ then it can be concluded that the system is K-step opaque.
•
If (X∩XR)=∅ then as ((X1×…×Xn)∩(XR1×…×XRn))⊆QS and (X∩XR)⊆((X1×…×Xn)∩(XR1×…×XRn)) it follows that (X∩XR)⊆QS. Thus, we have
[TABLE]
which means the system is K-step opaque. ■
Theorem 20 establishes a sufficient condition for K-step opacity verification when ∥∨ is used for synchronization. Essentially, the theorem looks at all reachable states of the modular two-way observer, which contain states in which the (non-empty) intersection of the two components lies entirely in the set of secret states. If such states are reached after up to K observations, then the system is K-step opaque.
Example 9
Consider the system G={G~1,G2}, where G~1 and G2 are shown in Fig. 1 and Fig. 3, respectively. The set of secret states of G~1 is Q~1S={[s1]} and that of G2 is Q2S=∅. The modular two-way observer of the system is {H1,H2} and the monolithic two-way observer of the system is H, shown in Fig. 5. Assume ∥∨ is used for interaction and 1-step opacity needs to be verified. Let Wi=(qi,pi) for automaton H. As it can be seen, qi∩pi={(s0,t0)}⊆QS when i=1,3, and qi∩pi=∅ when i=4,5, and qi∩pi={([s1],t1),([s2],t1)}⊆QS when i=2,6. Therefore, the system is 1-step opaque and in fact infinite-step opaque. However, the condition of Theorem 20 does not hold for the state (F,F′) since H1∥H2(α,ϵ)(ϵ,β)(F,F′) and for state F in H1 we have that {[s1],[s2]}∩{[s1]}⊆Q1S but ∣PΔ((α,ϵ)(ϵ,β))∣=1>1. Therefore, from H1∥H2, it cannot be concluded that the system is 1-step opaque.
Corollary 21 provides a similar result as Theorem 20 when interaction is done using ∥∧.
Corollary 21
Let G=G1∥∧…∥∧Gn be a non-deterministic system, where each automaton has set of secret states QiS. Hence, the set of secret states of the system is QS=Q1S×…×QnS. Let Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ and let Hi=⟨ΣH,QH,→H,QH∘⟩, where ΣHi=Δ(Σi)∪ΔR(Σi), be the two-way observer of Gi and let H=H1∥…∥Hn. Let PΔ:ΣH→ΔR(Σ). If for any string s∈L(H1∥…∥Hn) such that H1∥…∥Hn→s((X1,Y1),…,(Xn,Yn)) we have
[TABLE]
then the system G is K-step opaque.
Proof:
First, based on Prop. 6, Prop. 13 and Lemma 26 it holds that Δ(det(G))∥ΔR(det(GR))⊑[Δ(det(G1)∥…∥det(Gn))∥ΔR(det(G1,R)∥…∥det(Gn,R))=Δ(det(G1))∥…∥Δ(det(Gn))∥ΔR(det(G1,R))∥…∥Δ(det(Gn,R))=Δ(det(G1))∥ΔR(det(G1,R))∥…∥Δ(det(Gn))∥ΔR(det(Gn,R))=H1∥…∥Hn].
Assume that for any string s∈L(H1∥…∥Hn) such that H1∥…∥Hn→s((X1,Y1),…,(Xn,Yn))
[TABLE]
Since ∥∧ is used for interaction, from (Xi∩XRi)⊆QiS and (Xi∩XRi)=∅ for all 1≤i≤n it holds that (X1∩XR1)×…×(Xn∩XRn)⊆QS and (X1∩XR1)×…×(Xn∩XRn)=∅. Since (X1∩XR1)×…×(Xn∩XRn)=(X1×…×Xn)∩(XR1×…×XRn) equation 7.2 can be rewritten as [(X1×…×Xn)∩(XR1×…×XRn)⊆QS∧(X1×…×Xn)∩(XR1×…×XRn)=∅]⇒∣PΔ(s)∣>K.
Based on Prop. 13 if H→s(X,XR) it holds that H1∥…∥Hn→s((X1,XR1),…,(Xn,XRn)) and XR⊆XR1×…×XRn and based on Prop. 6 it holds that X=X1×…×Xn. This implies (X∩XR)⊆(X1×…×Xn)∩(XR1×…×XRn).
Thus, there are two possibilities for (X∩XR):
•
If (X∩XR)=∅ then it can be concluded that the system is K-step opaque.
•
If (X∩XR)=∅ then from (X1×…×Xn)∩(XR1×…×XRn)⊆QS and (X∩XR)⊆(X1×…×Xn)∩(XR1×…×XRn) it follows that (X∩XR)⊆QS. Thus, we have
[TABLE]
which means the system is K-step opaque. ■
Example 10
Consider the system G={G~1,G2}, where G~1 and G2 are shown in Fig. 1 and Fig. 3, respectively. The set of secret states of G~1 is Q~1S={[s1]} and that of G2 is Q2S=∅. The modular two-way observer of the system is {H1,H2} and the monolithic two-way observer of the system is H, shown in Fig. 5. Assume ∥∧ is used for interaction and 1-step opacity needs to be verified. 333Since Q2S=∅ and ∥∧ is used for interaction the system is trivially infinite-step opaque and also 1-step opaque. However, it is used to explain the condition of Corollary 21. The condition of Corollary 21 holds for all states of H1∥H2 including state (F,F′). Even though for state F in H1 we have that {[s1],[s2]}∩{[s1]}⊆Q1S but since for F′ we have t1∩t0=∅, state (F,F′) does not violate the condition of Corollary 21. Therefore, in contrast to Example 9 from H1∥H2, it can be concluded that the system is 1-step opaque.
7.3 K-step opacity to nonblocking verification
The main idea of this paper is to transform opacity verification to nonblocking verification and use existing nonblocking verification algorithms.
To transform K-step opacity verification to nonblocking verification, the ψ-automata of the two-way observers need to be built. First, the states of the two-way observers that violate K-step opacity are identified and from them transitions to blocking states are added, step (iii) and (iv) in Fig. 2.
Theorem 22
Let G=G1∥∨…∥∨Gn be a non-deterministic system, with set of non-secret states QGNS=Q1NS×⋯×QnNS. Let Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ and let Hi=⟨ΣH,QH,→H,QH∘⟩, where ΣHi=Δ(Σi)∪ΔR(Σi), be the two-way observer of Gi for 1≤i≤n. Let Pi,Δ:ΣHi→ΔR(Σi).
If H1,ψ1∥…∥Hn,ψn is nonblocking then G is k-step opaque, where Xψii={Hi→s(Xi,XRi)∣(Xi∩XRi)⊆QiS∧(Xi∩XRi)=∅∧∣Pi,Δ(s)∣≤K}.
Proof:
If H1,ψ1∥…∥Hn,ψn is nonblocking it means that for all s∈(Δ(Σ)∪ΔR(Σ))∗ such that H1,ψ1∥…∥Hn,ψn→s((X1,XR1),…,(Xn,XRn)) there does not exist ψi such that ((X1,XR1),…,(Xn,XRn))→ψi⊥. This means (Xi,XRi)∈Xψii for all 1≤i≤n. If (Xi,XRi)∈Xψii, there are two possibilities:
•
(Xi∩XRi)⊆QiS for all 1≤i≤n. This means for all s∈(Δ(Σ)∪ΔR(Σ))∗ such that H1∥…∥Hn→s((X1,XR1),…,(Xn,XRn)) it holds that (Xi∩XRi)⊆QiS for all 1≤i≤n. This means there does not exist (Xi∩XRi) such that (Xi∩XRi)⊆QiS and (Xi∩XRi)=∅. Thus, based on Theorem 20 it holds that the system is K-step opaque.
•
[(Xi∩XRi)⊆QiS∧(Xi∩XRi)=∅]⇒∣Pi,Δ(Pi(s))∣>K for all 1≤i≤n.
Since ∣PΔ(s)∣≥∣Pi,Δ(Pi(s))∣ and ∣Pi,Δ(Pi(s))∣>K it holds that ∣PΔ(s)∣>K. This means if there exists (Xi,XRi) such that (Xi∩XRi)⊆QiS and (Xi,XRi)=∅ then ∣PΔ(s)∣>K. Thus, based on Theorem 20 it follows that the system G is K-step opaque. ■
Theorem 22 establishes that when the transformed system is nonblocking, we can conclude that the original system is K-step opaque.
However, if the result of nonblocking verification is negative (blocking), then the system could still be K-step opaque. This problem arises for two reasons.
First, it can be caused by the over-approximation of the state space of the two-way observer, as was explained in Sect. 7.2.
Second, it may also be caused by over-approximation of Xψii.
The latter may happen because Xψii can contain states that are not fulfilling the condition on the length of strings, ∣PΔ(s)∣>K, in Def. 3.
However, the length of the strings are unknown before the synchronization and synchronization may add to the length of s, causing fulfillment of the condition.
The following example illustrates all the steps of modular K-step verification.
Example 11
Consider the system G={G1,G2}, where G1 and G2 are shown in Fig. 1 and Fig. 3, respectively. The set of secret states of G1 is Q1S={s1,s3} and that of G2 is Q2S=∅. Assume ∥∨ is used for interaction and 1-step opacity needs be verified. At the first step of the compositional approach, individual components are abstracted using opaque observation equivalence, step (i) in Fig. 2. This results in the abstracted system G~={G~1,G2} with Q~1S={[s1]}. G~1 is shown in Fig. 1. Next, the two-way observers of the abstracted components are generated, step (ii) in Fig. 2. As explained in Example 6, the two-way observer of G1~ is H~1 and the two-way observer of G2 is H2; shown in Figs 1 and 5. Next, 1-step opacity verification is transformed to nonblocking verification by generating the ψi-automaton for each Hi, step (iii) in Fig. 2. For the two-way observer H1 we have that Xψ11={F}, since for the state F it holds that {[s1],[s2]}∩{[s1]}⊆Q1S and ∣P1,Δ((α,ϵ)(ϵ,β))∣=1. For the two-way observer H2 we have that Xψ22=∅. Fig. 6 shows H1,ψ1. The system H1,ψ1∥H2,ψ2 is blocking since H1,ψ1∥H2,ψ2(α,ϵ)(ϵ,β)(F,F′)→ψ1⊥. Thus, no conclusion can be drawn about the 1-step opacity of the system, step (iv) in Fig. 2.
However, as explained in Example 6 state (F,F′) is reachable due to over approximation. Thus, it can be concluded that the system is 1-step opaque.
Finally, Corollary 23 shows how K-step opacity can be verified when ∥∧ is used for interaction.
Corollary 23
Let G=G1∥∧…∥∧Gn be a non-deterministic system, with set of secret states QGS=Q1S×⋯×QnS. Let Δ:Σ→Σ×{ϵ} and ΔR:Σ→{ϵ}×Σ and let Hi=⟨ΣH,QH,→H,QH∘⟩, where ΣHi=Δ(Σi)∪ΔR(Σi), be the two-way observer of Gi for 1≤i≤n. Let Pi,Δ:ΣHi→ΔR(Σi).
If H1,ψ∥…∥Hn,ψ is nonblocking then G is K-step opaque, where where Xψi={Hi→s(Xi,XRi)∣(Xi∩XRi)⊆QiS∧(Xi∩XRi)=∅∧∣Pi,Δ(s)∣≤K}.
Proof:
If H1,ψ∥…∥Hn,ψ is nonblocking it means that for all s∈(Δ(Σ)∪ΔR(Σ))∗ such that H1,ψ∥…∥Hn,ψ→s((X1,XR1),…,(Xn,XRn))→ψ.
This means there exists (Xi,XRi) such that (Xi,XRi)∈Xψi. If (Xi,XRi)∈Xψi then there are two following possibilities.
(i)
(Xi∩XRi)⊆QiS. This means for all s∈(Δ(Σ)∪ΔR(Σ))∗ such that H1∥…∥Hn→s((X1,XR1),…,(Xn,XRn)) it holds that there exists (Xi,XRi) such that (Xi∩XRi)⊆QiS, which based on Corollary 21 it holds that the system is K-step opaque.
2. (ii)
[(Xi∩XRi)⊆QiS∧(Xi∩XRi)=∅]⇒∣Pi,Δ(Pi(s))∣>K. Since ∣PΔ(s)∣≥∣Pi,Δ(Pi(s))∣ and ∣Pi,Δ(Pi(s))∣>K it holds that ∣PΔ(s)∣>K. This means if [(Xj∩XRj)⊆QjS∧(Xj∩XRj)=∅] for all 1≤j≤n then ∣PΔ(s)∣>K. Thus, based on Corollary 21 it follows that the system G is K-step opaque. ■
Example 12
Consider the system G={G~1,G2}, where G~1 and G2 are shown in Fig. 1 and Fig. 3, respectively. The set of secret states of G~1 is Q~1S={[s1]} and that of G2 is Q2S=∅. Assume that ∥∧ is used for interaction and that 1-step opacity needs to be verified. The two-way observer of G1~ is H~1 and the two-way observer of G2 is H2. Automaton H~1 is shown in Fig. 1 as H1 and H2 is shown in Fig. 5. To transform 1-step opacity verification to nonblocking verification, the ψ-automaton for each Hi needs to be generated. For the two-way observer H~1 we have that H~1(ϵ,β),(α,ϵ)F={[s1],[s2]},{[s1]} and {[s1],[s2]}∩{[s1]}⊆Q1S and ∣P1,Δ((ϵ,β),(α,ϵ))∣=1. Thus, Xψ1={F} and for the two-way observer H2 we have that Xψ2=∅. Automaton H1,ψ is similar to H1,ψ1 shown in Fig. 6,
but the transition F→ψ1⊥ is instead replaced by F→ψ⊥.
The system H1,ψ∥H2,ψ is trivially nonblocking. Thus, we can conclude that the system is 1-step opaque.
8 Experimental Results
In this section, compositional current-state opacity verification is tested on a scalable example.
The example consists of two players, A and B, that are moving in a house.
To enter each room of the house the players need to use the corresponding key.
One of the rooms is a “two-person rule” room, which means that to open that room the presence of the two players is required. Fig. 7 shows the model of the players.
In the model of the players, event ui,j means that player i has unlocked room j.
Player A starts at room R1, from which the player can go to room R2.
Room R3 is the two-person rule room and event u3 is a shared event between the two players.
This shows that both players can enter room R3 only if they are at room R2 simultaneously.
After entering room R3, player A can either unobservably go to room R4, which is a secret room for player A, and then return to room R3, or it can go to room R5. From room R5, player A can return to the initial room R1. Player B can start either at room R1 or R2. From room R3, player B can go back to the initial room R1 or it can go to room R5 and from there go back to the initial room R1.
However, room R5 is a secret room for B.
The example can be scaled up by adding serially connected houses or increasing the number of players.
We have used Supremica [18] to test the scalability of our compositional methodology for current-state opacity verification on the above example.
The model is scaled up by adding up to 2,000 players or having up to 2,000 serially connected houses (using ∣∣∨).
All tests were run on a standard laptop using a quad core CPU at 2.6 GHz.
Our methodology does not use any prior knowledge about the system.
Table 1 shows the results of the experiments.
For each model, the table shows the number of automata (Aut.) and whether the system is current-state opaque (Opaque).
The table also shows the runtime for calculating opaque observation equivalence, the runtime for constructing the current-state estimator of all the components, and finally the runtime for nonblocking verification.
Even though the compositional approach has no prior knowledge about the system, the models can be verified in few seconds or minutes.
9 Conclusion
We introduced a novel methodology for verification of current-state and K-step opacity in modular discrete event systems.
The methodology supports compositional reasoning using the notion of opaque observation equivalence that we defined, which guarantees that current-state and K-step opacity are preserved properties.
After abstracting the components, the opacity verification problem is then transformed to a nonblocking verification problem.
This makes it possible to use existing compositional methods for nonblocking verification of modular systems.
Under our methodology, the system is current-state opaque if and only if the transformed system is nonblocking.
In addition, it can be concluded that the system is infinite-step opaque or K-step opaque if the transformed system is nonblocking.
Our experimental results suggest that the compositional approach that we have presented can lead to significant computational gains over a monolithic approach.
It would be of interest to study in the future how compositional approaches could be used to enforce opacity for a non-opaque system, either via supervisory control or via the use of output edit functions.
Bibliography22
The reference list from the paper itself. Each links out to its DOI / PubMed record.
1[1] J.W. Bryans, M. Koutny, and P.Y. Ryan. Modelling opacity using petri nets. 121:101–115, 2005.
2[2] Anooshiravan Saboori and Christoforos N. Hadjicostis. Notions of security and opacity in discrete event systems. In 46th ’07 , pages 5056–5061, December 2007.
3[3] Anooshiravan Sabooria and Christoforos N.Hadjicostis. Verification of initial-state opacity in security applications of discrete event systems. 246:115–132, 2013.
4[4] Yi-Chin Wu and Stacuteephane Lafortune. Comparative analysis of related notions of opacity in centralized and coordinated architectures. 23(3):307–339, 2013.
5[5] Anooshiravan Saboori and Christoforos N. Hadjicostis. Verification of k-step opacity and analysis of its complexity. 8(3):549–559, July 2011.
6[6] Yliès Falcone and Hervé Marchand. A framework for compositional nonblocking verification of extended finite-state machines. 2015.
7[7] Anooshiravan Saboori and Christoforos Hadjicostis. Verification of infinite-step opacity and complexity considerations. 57(5):1265–1269, May 2012.
8[8] Feng Lin. Opacity of discrete event systems and its applications. 47:496–503, March 2011.