arXiv:1912.07314v1 [cs.FL] 16 Dec 2019 ftesce smdlda e fsce tts h opacity the states, secret of set a as as to modeled referred is secret the If s the looks that intruder. behavior the non-secret beha to a estimatio secret is any intruder’s there for system, the words, the t other if of In of opaque secret. behavior the is reveals the system never estimates the intruder and the system, Ba the behavior. observation, its of its of structure observation on limited the only of passi with knowledge but a system as complete modeled the intrude is with an intruder prevents observer The system secret. the a revealing whether from property the is Opacity and (1994), Gorrieri and Focardi of lun ta.(2005), al. et Alouane include (1996), Sidiropoulos literature and in the Schneider in of results studied requirement info properties flow a some in Several tion flow. Such keep information the secret. to on restrictions system desirable additional a is about it mation applications, practical In hte h optto tre nasce tt.Initial- state. secret a state in r started secret never a computation can intruder in the the currently whether whether is asks instanc system opacity any the Initial-state in estimation, whether state decide its time on based cannot, whether truder asks opacity Current-state opacity. litera infinite-step opacity, the language-based in opacity, discussed opacity final-state initial-state been opacity, current-state have e.g., (201 opacity ture, al. of et Jacob notions by overview Several the to reader the mor refer For we verific controllers. tails, opacity-ensuring its of synthesis including the perspectives, and stu different of researchers Many from (2008). set al. opacity et a Dubreil and as (2007) al. as modeled et to is referred secret is opacity the opacity the If behaviors, generali systems. secret (2008) transition al. to et modele Bryans it systems and to nets automata, it Petri (stochastic) adapted by by (2007) modeled Hadjicostis systems and Saboori for opacity state-based duced agaebsdoaiywsitoue yBadouel by introduced was opacity Language-based . uoaa n i)atmt hr l ylsaeol ntef the systems. in (deadlock-free) only of are models cycles simplest all the consider are where We models automata tractable. stru (ii) is are and verification there automata, opacity whether the question which s the discrete-event for discuss for We opacity problem. of hard Verification intruder. an to Keywords: we logic, temporal hard. linear still of is expressivity systems the than weaker is Abstract: tt-ae opacity state-based .INTRODUCTION 1. secrecy pct sa nomto o rprycaatrzn whet characterizing property flow information an is Opacity iceeeetsses nt uoaa pct,complexi opacity, automata, finite systems, event Discrete nOaiyVrfiainfrDsrt-vn Systems Discrete-Event for Verification Opacity On ∗∗ ∗ nttt fMteaiso h zc cdm fSine,B Sciences, of Academy Czech the of Mathematics of Institute aut fSine aak nvriyi lmu,Olomouc Olomouc, in University Palacky Science, of Faculty fAu ta.(2006), al. et Alur of rase l 20)intro- (2005) al. et Bryans . opacity emi:jr.au0@plc,[email protected]) [email protected], (e-mail: noninterference fMazar´e (2004). of K se pct,or opacity, -step language-based Ji r´ı Balun ˇ initial-and- , anonymity fHadj- of security forma- h in- the eveal ation de- e and- ∗ died ame vior of e zed sed Tom 6). he ve is r- n d - r . , a ´ Masopust s ˇ o eemnsi uoaawt ata observation. partial with automata deterministic for tt pct sa es shr sdcdn nvraiy w universality, current- deciding of as verification hard as PS the least is that at is showed opacity (2012) state al. et Cassez iae nteltrtr n sotnbsdo h computati the PS on to based belongs problem often the is Thus inves observer. and of been literature widely the has in verification tigated opacity of complexity state. secret The a in was ca system intruder the the that that reveal requires opacity infinite-step states, nrdrcno eeltesce ntecretand current Saboori the in of secret the reveal opacity cannot intruder led infinite-step While (2009). and and Hadjicostis and literature (2007) notions: the Hadjicostis two in and of considered introduction the been to has ago. intrud step problem the one was This Then, system states. the the which of in state one an the eve from states, reveals observable only an two by possible of step is next one that the in in proceeds is that system assume system the instance, that the For system future. that the the estimates in that intruder state reveal secret may a I in intruder was state. the current the that in happen secret however, the reveal require cannot only intruder dur opacity the later current-state state any while in computation, nor the computation the of beginning secret the the reveal at cannot intruder in the that that requires is opacity t betw opacity any difference current-state at the and is, detail, opacity that initial-state more state, In secret computation. a the re during in started from system intruder the the whether se prevents a opacity is system initial-state the of state, int state the current prevent the whether to revealing property from a is role. opacity spe a current-state play a While not is do opacity states current-state initial the Similarly, where st role. case marked a play the sp not where a do opacity is initial-and-final-state initia opacity an of initial-state of case pair Consequently, a state. as marked encoded is a opaci secret initial-state the that and is generaliz opacity difference a current-state is both (2013) of Lafortune tion and Wu of opacity final-state PS PACE sesmdldb uoaai ngnrla general in is automata by modeled ystems PACE hwta h pct eicto o these for verification opacity the that show lhuhteepesvt fsc systems such of expressivity the Although w id fatmt oes i acyclic (i) models: automata of kinds two cmlt o oto h icse oin.Indeed, notions. discussed the of most for -complete trlrsrcin ntesse models system the on restrictions ctural r fsl-op.I oesne these sense, some In self-loops. of orm cmlt o odtriitcatmt swl as well as automata nondeterministic for -complete ∗ , ∗∗ ty e ytmrvasissecret its reveals system a her n,Czechia rno, Czechia , K se pct eursta the that requires opacity -step K se pct fSaboori of opacity -step PACE ti actually is It . K subsequent itial-state never n vealing y The ty. neither may, t that s ruder and l ecial hich ates ime cret cial een ing the on nt er a- d - However, PSPACE-completeness of universality requires a non- A L A ,q marked by is then the union q0∈I m( 0); similarly for trivial structure of the model and the ability to express all the language generated by A . S possible strings. This give rise to a question whether there are A structurally simpler systems for which the verification of opac- The NFA is deterministic (DFA) if |I| = 1 and |δ(q,a)|≤ 1 ity is tractable. We investigate the problem for, in our opinion, for every q ∈ Q and a ∈ Σ. For DFAs, we identify singletons structurally the simplest systems: for acyclic automata (that do with their elements and simply write p instead of {p}. Specifi- not have the ability to express all strings, and actually express cally, we write δ(q,a)= p instead of δ(q,a)= {p}. only a finite number of strings) and for automata where all A discrete-event system (DES) G over Σ is an automaton (NFA cycles are in the form of self-loops (which may still seem trivial or DFA) together with the partition of the alphabet Σ into in the structure, because as soon as the system leaves a state, it two disjoint subsets Σo and Σuo = Σ \ Σo of observable and can never return to that state). unobservable events, respectively. In the case where all states In this paper, we study the effect of those structural restrictions of the automaton are marked, we simply write G = (Q,Σ,δ,I) on the verification of current-state opacity. Notice first that without specifying the set of marked states. using the polynomial reductions of Wu and Lafortune (2013) The opacity property of a DES is based on partial observation ∗ ∗ among current-state opacity, initial-state opacity, initial-and- of events described by the projection P: Σ → Σo, which is a final-state opacity, and language-based opacity, allows us to morphism defined by P(a)= ε for a ∈ Σuo, and P(a)= a for deduce immediate consequences of our study for other notions a ∈ Σo. The action of P on a string σ1σ2 ···σn with σi ∈ Σ of opacity as well. We discuss these consequences in detail in for 1 ≤ i ≤ n is to erase all events that do not belong to Σo; Section 6. namely, P(σ1σ2 ···σn)= P(σ1)P(σ2)···P(σn). The definition Our contribution is as follows. We show that deciding language- can readily be extended to languages. based weak opacity for systems where both the secret and the A decision problem is a yes-no question. A decision problem is non-secret languages are modeled by NFAs is NL-complete decidable if there is an algorithm that solves it. Complexity the- (Theorem 4). Then we show that deciding current-state opacity ory classifies decidable problems to classes based on the time for deterministic finite-state systems with only three events, one or space an algorithm requires to solve the problem. The com- of which is unobservable, is PSPACE-complete (Theorem 6). plexity classes we consider are NL, PTIME, NP, and PSPACE Considering systems with only one observable event, we show denoting the classes of problems solvable by a nondeterminis- that the complexity decreases to CONP-complete (Theorem 7). tic logarithmic-space, deterministic polynomial-time, nondeter- Then we study acyclic systems that have only a finite amount of ministic polynomial-time, and deterministic polynomial-space different behaviors and show that deciding current-state opac- algorithm, respectively. The hierarchy of the classes is NL ⊆ ity for acyclic systems with at least two observable events PTIME ⊆ NP ⊆ PSPACE. Which of the inclusions are strict is CONP-complete (Theorem 8), and that the complexity de- is an open problem. The widely accepted conjecture is that creases to NL-complete in the case the systems have a single all are strict. A decision problem is NL-complete (resp. NP- observable event (Theorem 9). Finally, we investigate the sim- complete, PSPACE-complete) if (i) it belongs to NL (resp. NP, plest deadlock-free systems, that is, systems where all cycles PSPACE) and (ii) every problem from NL (resp. NP, PSPACE) are self-loops, and show that whereas deciding current-state can be reduced to it by a deterministic logarithmic-space (resp. opacity of such systems with a single observable event is NL- polynomial-time) algorithm. Condition (i) is called membership complete (Theorem 12), the problem for systems having three and condition (ii) hardness. events, one of which is unobservable, is PSPACE-complete (Theorem 13) even for deterministic systems. 3. OPACITY

2. PRELIMINARIES As explained in the introduction, up to one exception, we study in the sequel the complexity of verification of current-state We assume that the reader is familiar with the basics of au- opacity, the definition of which we now recall. tomata theory, see Cassandras and Lafortune (2008) for details. Definition 1. (Current-state opacity). Let G = (Q,Σ,δ,I) be a DES, P: Σ∗ → Σ∗ a projection, Q ⊆ Q a set of secret states, and For a set S, |S| denotes the cardinality of S,and2S the power set o S Q Q a set of non-secret states. System G is current-state of S. An alphabet Σ is a finite nonempty set of events. A string NS ⊆ opaque if for every string w such that δ I,w Q /0, there over Σ is a sequence of events from Σ. Let Σ∗ denote the set ( ) ∩ S 6= exists a string w′ such that P w P w′ and δ I,w′ Q /0. of all finite strings over Σ; the empty string is denoted by ε.A ( )= ( ) ( )∩ NS 6= language L over Σ is a subset of Σ∗. The set of all prefixes of ∗ The exception is language-based weak opacity. Language- strings of L is the set L = {u | uv ∈ L}. For a string u ∈ Σ , |u| based (weak) opacity is defined over a set of secret behaviors. denotes its length, and u the set of all prefixes of u. We recall the most general definition by Lin (2011). A nondeterministic finite automaton (NFA) over an alphabet Σ Definition 2. (Language-based opacity). Let G = (Q,Σ,δ,I) be A ∗ ∗ is a structure = (Q,Σ,δ,I,F), where Q is a finite set of states, a DES, P: Σ → Σo a projection, LS ⊆ L(G) a secret language, I ⊆ Q is a set of initial states, F ⊆ Q is a set of marked states, and LNS ⊆ L(G) a non-secret language. System G is language- Q −1 and δ : Q×Σ → 2 is a transition function that can be extended based opaque if LS ⊆ P P(LNS). to the domain 2Q ×Σ∗ by induction. Equivalently, the transition function is a relation δ ⊆ Q×Σ×Q, where, e.g., δ(q,a)= {s,t} Informally, the system is language-based opaque if for any denotes two transitions (q,a,s) and (q,a,t). For a state q ∈ Q, string w in the secret language, there is a string w′ in the non- ′ the language marked by A from q is the set Lm(A ,q)= {w ∈ secret language with the same observation P(w)= P(w ). In Σ∗ | δ(q,w) ∩ F 6= /0}, and the language generated by A from this case, the intruder cannot conclude whether the secret string q is the set L(A ,q)= {w ∈ Σ∗ | δ(q,w) 6= /0}. The language w or the non-secret string w′ has occurred. The system is language-based weakly opaque if some strings 5. OPACITY VERIFICATION from the secret language are confused with some strings from the non-secret language. In the section, we discuss several structural restrictions on the Definition 3. (Language-based weak opacity). Let G = (Q,Σ, systems and the effect of these restrictions on the complexity of verification of current-state opacity. Namely, we discuss δ,I) be a DES, P a projection, LS ⊆ L(G) a secret language, the restriction on the number of observable and unobservable and LNS ⊆ L(G) a non-secret language. System G is language- based weakly opaque if L ∩ P−1P(L ) 6= /0. events, then we combine this restriction with the requirement S NS on acyclicity of the system model, and finish the section by It is worth mentioning that the secret and non-secret languages relaxing the restriction on acyclicity to allow deadlock freeness. are often considered to be regular, since for non-regular lan- To simplify the proofs, we first reduce current-state opacity to guages, e.g., for deterministic context-free languages, the in- the language inclusion problem. This reduction is similar to that clusion problem is undecidable. Asveld and Nijholt (2000) give of Wu and Lafortune (2013) reducing current-state opacity to a broader picture on (un)decidability of the inclusion problem. language-based opacity. ∗ ∗ 4. LANGUAGE-BASED WEAK OPACITY Lemma 5. Let G = (Q,Σ,δ,I) be a DES, P: Σ → Σo a pro- jection, and QS,QNS ⊆ Q sets of secret and non-secret states, Lin (2011) has shown that deciding language-based weak respectively. Let LS denote the marked language of the automa- opacity is polynomial for the secret and non-secret languages ton GS = (Q,Σ,δ,I,QS) and LNS denote the marked language of given by finite automata. The idea is based on the observa- the automaton GNS = (Q,Σ,δ,I,QNS). Then G is current-state −1 1 tion that LS ∩ P P(LNS) 6= /0if and only if P(LS) ∩ P(LNS) 6= opaque if and only if P(LS) ⊆ P(LNS). /0, where the later can be checked in polynomial (quadratic) Proof. Assume that w is such that δ(I,w) ∩ Q 6= /0. This is if time by representing P(L ), i ∈{S,NS}, as an NFA (with ε- S i and only if P w P L . Then, by definition, there is a string transitions), computing the product of such NFAs, and deciding ( ) ∈ ( S) w′ such that P w P w′ and δ I,w′ Q /0, which is if non-emptiness of the resulting automaton. ( )= ( ) ( ) ∩ NS 6= and only if P(w) ∈ P(LNS). ✷ However, is the problem the hardest problem in the class of polynomially solvable problems? Equivalently, is the problem Furthermore, Cassez et al. (2012) pointed out that the verifi- of deciding language-based weak opacity PTIME-complete? If cation of current-state opacity is at least as hard as deciding ∗ it were, its verification would probably not be parallelizable. universality. Indeed, for a DES G = (Q,Σ,δ,I,F), L(G)= Σ if Notice the word “probably” referring to the longstanding open and only if G is current-state opaque with respect to QS = Q\F problem from complexity theory similar to the famous problem and QNS = F. whether PTIME = NP. We now show that the problem is NL- This observation and Lemma 5 together with the results on the complete and, consequently, can be efficiently solved on a complexity of deciding universality and inclusion give us strong parallel computer, see Arora and Barak (2009). tools to show lower and upper complexity bounds for deciding Theorem 4. Deciding language-based weak opacity for a DES (current-state) opacity. where both the secret language LS and the non-secret language LNS are modeled by NFAs is NL-complete. 5.1 Restriction on the number of events −1 Proof. Lin (2011)has shown that LS ∩P P(LNS) 6= /0is equiv- Our first restriction concerns the number of observable and alent to P(LS) ∩ P(LNS) 6= /0. Let LS and LNS be represented unobservable events in the system. The following result thus by NFAs G1 = (Q1,Σ,δ1,Q0,1,Qm,1) and G2 = (Q2,Σ,δ2,Q0,2, improves the general case in two ways: (i) compared to the Qm,2), respectively. To check that P(LS) ∩ P(LNS) 6= /0is satis- generalsettings where more than a single initial state is allowed, fied, the NL algorithm guesses two pairs of states (q0,1,q0,2) ∈ although the transitions are all deterministic, we allow only a Q0,1 × Q0,2 and (qm,1,qm,2) ∈ Qm,1 × Qm,2 and verifies that the single initial state, and hence keep the system deterministic, pair (qm,1,qm,2) is reachable from (q0,1,q0,2) in the product and, mainly, (ii) we restrict the number of observable events automaton. For more details how to check reachability in NL, to two and the number of unobservable events to one. the reader is referred to Masopust (2018). Theorem 6. Deciding current-state opacity for a DES modeled To show NL-hardness, we reduce the DAG reachability prob- by a DFA with three events, one of which is unobservable, is PSPACE-complete. lem: given a directed acyclic graph G = (V,E) and two ver- tices s,t ∈ V, the problem asks whether vertex t is reach- Proof. Membership in PSPACE was shown by Saboori (2011), able from vertex s. From G, we construct an NFA A = (V ∪ and also follows directly from Lemma 5. {t′},{a,b},δ,s,V ∪{t′}), where a is an observable and b an unobservable event, and for every edge (p,r) ∈ E, we add the To show hardness, we reduce the DFA-union universality prob- transition (p,a,r) to δ. Moreover, we add a new state t′ and a lem shown to be PSPACE-complete by Kozen (1977). Thus, ′ A A new transition (t,b,t ). Let LS be the language of the automaton let 1,..., n be DFAs over the alphabet Σ = {0,1}. We let ′ (V ∪{t },{a,b},δ,s,{t}) and LNS the language of the automa- both events of Σ be observable. Without loss of generality, we ′ ′ A ton (V ∪{t },{a,b},δ,s,{t }). Obviously, LS is nonempty if may assume that the initial state of i, for i = 1,...,n, is not 2 and only if LNS is nonempty, which is if and only if t is reach- reachable from any other state. Let G denote the nondeter- k A n A able from s. Then, if a is the label of transitions from s to ministic union of all i’s, that is, L(G)= i=1 L( i). Kozen k k k k t, then P(a )= a ∈ P(LS) and P(a b)= a ∈ P(LNS). Hence 1 Here, P L is understood as being represented by an NFA with ε-transitions ✷ ( S) S P(LS) ∩ P(LNS) 6= /0if and only if t is reachable from s. obtained from GS by replacing transition (p,a,q) with (p,P(a),q); analogously for P(LNS). 2 A ′ We point out that using a unique observable event for every Otherwise, we can modify i by adding a new state q0,i that is marked if transition can show NL-hardness for DESs modeled as DFAs. and only if the initial state q0,i is marked, add, for every transition (q0,i,e, p), a (1977) showed that deciding whether L(G)= Σ∗ is a PSPACE- in polynomial time, that the guessed subset is reachable by the hard problem, and hence deciding current-state opacity of G guessed string. This shows that verifying opacity is in CONP. is PSPACE-hard by the observation of Cassez et al. (2012) Notice that membership in CONP can also be directly derived formulated below Lemma 5. from Lemma 5 and the complexity of inclusion for so-called rpoNFAs of Kr¨otzsch et al. (2017) that are more general than Notice that although the transitions of G are deterministic, G acyclic NFAs. may have more than a single initial state, say I = {q1,...,qn}. We now further modify G by adding a new unobservable event To show CONP-hardness, we reduce the complement of CNF 3 a and the transitions (qi,a,qi+1), for i = 1,...,n − 1, and let q1 satisfiability. The proof is based on the construction showing be the sole initial state. Denoting the result by G′, we can see that non-equivalence for regular expressions with operations that G′ is a DFA, and that the observers of G and G′ coincide; union and concatenation is NP-complete even if one of them indeed, the initial state of the observer of G is I, because both is of the form Σn for some fixed n, see Hunt III (1973) or events of G are observable, and the initial state of the observer Stockmeyer and Meyer (1973). of G′ is the set of states reachable from q under the sequences 1 Let {x ,...,x } be a set of variables and ϕ = ϕ ∧···∧ ϕ be of unobservable event a, that is, it is I as well. Notice that here 1 n 1 m a formula in CNF, where every ϕ is a disjunction of literals. we needed the assumption that the initial state of A is not i i Without loss of generality, we may assume that no clause ϕ reachable from other states of A ; otherwise, the observers of i i contains both x and ¬x. Let ¬ϕ be the negationof ϕ obtained by G and G′ could be different. Altogether, G is opaqueif and only de Morgan’s laws. Then ¬ϕ = ¬ϕ ∨···∨¬ϕ is in disjunctive if G′ is opaque, which completes the proof. ✷ 1 m normal form.

Notice that an unobservable event in the previous theorem is For every i = 1,...,m, we define a regular expression βi = unavoidable because any DFA with all events observable is βi,1βi,2 ···βi,n, where always in a unique state, and therefore never opaque. However, the reader may wonder what happens if we further restrict the (0 + 1) if neither x j nor ¬x j appear in ¬ϕi number of observable events to one. We now show that having βi, j = 0 if ¬x j appears in ¬ϕi only one observable event makes the problem computationally ( 1 if x j appears in ¬ϕi m easier unless CONP = PSPACE. This result holds even without for j = 1,...,n. Let β = i=1 L(βi) be the union of languages any restriction on the number of unobservable events, and for defined by expressions βi. Then we have that w ∈ L(β) if and S nondeterministic automata. only if w satisfies some ¬ϕi. That is, we have that L(β) = n Theorem 7. Deciding current-state opacity of a DES modeled {0,1} if and only if ¬ϕ is a tautology, which is if and only by an NFA with a single observable event is CONP-complete. if ϕ is not satisfiable. Notice that the length of every string recognized by βi is exactly n. Proof. Membership in CONP follows from Lemma 5 and the Let M be an NFA consisting of m paths of length n, each fact that inclusion for unary NFAs is CONP-complete, and corresponding to the language of β , and make the last state hardness follows from the complexity of deciding universality i of each of these paths non-secret, that it, it is placed to Q . In for unary NFAs. For both the claims used here, the reader is NS addition, add a path consisting of n + 1 states {α ,α ,...,α } referred to Stockmeyer and Meyer (1973). ✷ 0 1 n and transitions (αℓ,a,αℓ+1), for 0 ≤ ℓ< n, where a ∈{0,1}. Let αn be the sole secret state, i.e., QS = {αn}. Notice that the 5.2 Restriction on the structure – acyclic automata n language of M marked by the states in QS is {0,1} , whereas the language marked by the states in QNS is L(β). By Lemma5, The previous results show that only restricting the number of M is current-state opaque if and only if {0,1}n ⊆ L(β), which events does not lead to tractable complexity. But it gives rise to is if and only if ϕ is not satisfiable. This completes the proof of another question whether there are structurally simpler systems CONP-completeness. ✷ for which the opacity verification problem is tractable. Again, we can show that the situation is computationally sim- Structurally the simplest systems we could think of are acyclic pler if only one observable event is allowed. DFAs with full observation, recognizing only finite languages. However, these systems are never opaque, since they are deter- Theorem 9. Deciding current-state opacity of a DES modeled ministic and fully observed. Nontrivial structures to be consid- by an acyclic NFA with a single observable event is NL- ered could thus be acyclic NFAs that still recognize only finite complete, and hence solvable in polynomial time. languages, and hence do not possess the ability to express all strings over the alphabet. We combine this restriction with the Proof. Membership in NL follows from Lemma 5 and the restriction on the number of events. complexity of inclusion for unary languages, see Kr¨otzsch et al. (2017). Theorem 8. Deciding current-state opacity of a DES modeled by an acyclic NFA with at least two observable events is CONP- To prove NL-hardness, we reduce the DAG-reachability prob- complete. lem. Let G be a directed acyclic graph with n vertices, and let s and t be two vertices of G. We define an acyclic NFA A Proof. Assume that the acyclic NFA has n states. Then any string from its language is of length at most n−1. Thus, to show 3 A (boolean) formula consists of variables, operators conjunction, disjunction that the system is not opaque, an NP algorithm guesses a subset and negation, and parentheses. A formula is satisfiable if there is an assigning of true and false to its variables making it true. A literal is a variable or its of secret states and a string of length at most n − 1 and verifies, negation. A clause is a disjunction of literals. A formula is in conjunctive normal form (cnf) if it is a conjunction of clauses; e.g., ϕ =(x∨y∨z)∧(¬x∨y∨ new transition (q′ ,e, p), and let q′ be the only initial state. This modification 0,i 0,i z) is a formula in cnf with two clauses x ∨ y ∨ z and ¬x ∨ y ∨ z. Given a formula A ′ does not change the language of i. Moreover, we put q0,i to the set QS, QNS in cnf, the CNF satisfiability problem asks whether the formula is satisfiable. or Q \ (QS ∪ QNS) to which q0,i belongs, which preserves the opacity property. The formula ϕ is satisfiable for, e.g., (x,y,z)=(0,1,0). as follows. With each node of G, we associate a state in A . x q ′ ′ q Whenever there is an edge from i to j in G, we add a transition x x p (i,a, j) to A . The resulting automaton A is an acyclic NFA. p x =⇒ p x Let t be the sole secret state, i.e., QS = {t}, and let QNS be r r empty. Obviously, A is not current-state opaque if and only if ∗ A there is a string w ∈{a} such that δ(s,w) ∩ QS 6= /0. Hence Fig. 1. The ’determinization’; x′ and p′ are a new event and a is not current-state opaque if and only if t is reachable from s in new state G. ✷ Remark 10. Notice that the choice of QNS = /0reduces current- ′ state opacity to non-reachability of states from Q . Since this x p S a a a is independent on the automata models, recent results by Czer- p y =⇒ p p1 p′ p′′ winski et al. (2019) on the lower-bound complexity of reach- p′′ ability in Petri nets gives that deciding current-state opacity is not elementary for Petri nets. 4 Fig. 2. The encoding enc(x)= aa and enc(y)= aaa 5.3 Restriction on the structure – deadlock-free automata Theorem 13. Deciding current-state opacity for systems mod- Above, we considered systems generating only finitely many eld by poDFAs over an alphabet with three events, one of which behaviors. However, real-world systems are usually not that is unobservable, is PSPACE-complete. simple and often require additional properties, such as deadlock freeness. Therefore, we now consider a kind of automata where Proof. Membership in PSPACE follows from Lemma 5 and the all cycles are only in the form of self-loops. Such automata are, corresponding complexity of inclusion. in our opinion, structurally the simplest deadlock-free DES. A Their mark languages form a subclass of regular languages Let = (Q,{0,1},δ,I,F) be a poNFA. By Theorem 11, de- strictly included in star-free languages, see Brzozowski and ciding current-state opacity for poNFAs with two events, both A Fich (1980) and Schwentick et al. (2001). Star-free languages observable, is PSPACE-complete. From , we now construct D ′ ′ are languages definable by linear temporal logic that is often a poDFA = (Q ∪ Q ,{0,1,a},δ ,s,F) by ’determinizing’ it used as a specification language in automated verification. with the help of new events that we then encode in unary. In more detail, for every state p with two transitions (p,x,r) and We now formalize our model. Let A = (Q,Σ,δ,I,F) be an (p,x,q) with p 6= q, we replace the transition (p,x,q) with two NFA. The reachability relation ≤ on the state set Q is defined transitions (p,x′, p′) and (p′,x,q), where x′ is a new event and by p ≤ q if there is w ∈ Σ∗ such that q ∈ δ(p,w). The NFA p′ a new state (added to Q′); see Fig. 1 for an illustration. A is partially ordered (poNFA) if the reachability relation ≤ is a partial order. If A is a partially ordered DFA, we use the In this way, we eliminate all nondeterministic transitions. The notation poDFA. automaton is now deterministic with the set of initial states I. Let Γ be the set of all the new events we created by the We then immediately obtain the following result for nondeter- construction. Notice that the number of these events is bounded ministic partially ordered automata. by the number of edges in the original automaton, and hence Theorem 11. Deciding current-state opacity of a DES modeled polynomial. by a poNFA with only two events, both of which are observable, We now show how to encode the new events as strings over a is PSPACE-complete. unary alphabet {a}. Let m = |Γ| be a number of new events m Proof. Membership in PSPACE follows from Lemma 5 and and enc: Γ →{a,aa,...,a } be an arbitrary encoding (injec- ′ ′ ′ the results on the complexity of inclusion for poNFAs, and tion). We replace every transition (p,x , p ), for x ∈ Γ, by the ′ ′ hardness from the fact that deciding universality for poNFAs sequence of transitions (p,enc(x ), p ), which requiresto add up ′ ′ ′′ with only two events is PSPACE-complete. For both claims see to m new states to Q . For instance, if (p,x, p ) and (p,y, p ) are Kr¨otzsch et al. (2017). ✷ two transitions with x,y ∈ Γ, andenc(x)= aa and enc(y)= aaa, ′ ′ then (p,x, p ) is replaced by transitions (p,a, p1),(p1,a, p ), ′ ′′ The situation is again easier if the model has only a single where p1 is a new state added to Q , and (p,y, p ) is replaced ′ ′ ′′ observable event. by transitions (p,a, p1),(p1,a, p ),(p ,a, p ); see Fig. 2. Notice Theorem 12. Deciding current-state opacity of a DES modeled that we have not set the secret status of states of Q′, and hence by a poNFA with a single observable event is NL-complete. we have that the states of Q′ are neither secret nor non-secret.

Assume that I = {q1,...,qn}. To obtain a single initial state Proof. Membership in NL follows from Lemma 5 and the cor- ′ ′ (labeled by q0), we add, for i = 1,...,n, a new state qi and two responding complexity of inclusion, and hardness from the fact ′ ′ ′ transitions (qi−1,a,qi) and (qi,0,qi) as depicted in Fig. 3. The that deciding universality for unary poNFAs is NL-complete, D see Kr¨otzsch et al. (2017). ✷ resulting automaton, , is a poDFA over the alphabet {0,1,a} with polynomially many new events and states, and a single ′ We now consider DES modeled by poDFAs. Since every DFA initial state q0. with all events observable is always in a unique state, and hence Let P be the projection from {0,1,a}∗ to {0,1}∗, and let P(D) never opaque, some unobservable events are necessary to en- denote the poNFA obtained from D by replacing every tran- sure opacity. We show that even one unobservable event makes sition (p,a,q) by (p,P(a),q). Then D is current-state opaque the opacity verification PSPACE-complete. Consequently, the with respect to P if and only if P(D) is current-state opaque problem is hard for basically all practical cases. (with respect to the identity map), which is if and only if A is 4 For the notion of elementary complexity, we refer to the referenced paper. current-state opaque (with respect to the identity map). ✷ ′ a ′ a ′ a ′ a ′ Bryans, J.W., Koutny, M., Mazar´e, L., and Ryan, P.Y.A. (2008). q0 q1 q2 q3 q4 Opacity generalised to transition systems. Int. J. Inf. Sec., 7(6), 421–435. 0 0 0 0 Bryans, J.W., Koutny, M., and Ryan, P.Y.A. (2005). Modelling opacity using Petri nets. Electronic Notes in Theoret. Com- q1 q2 q3 q4 put. Sci., 121, 101–115. Brzozowski, J.A. and Fich, F.E. (1980). Languages of R-trivial monoids. J. Comput. System Sci., 20(1), 32–49. Fig. 3. Construction of an automaton with a single initial state Cassandras, C.G. and Lafortune, S. (2008). Introduction to from an automaton with four initial states Discrete Event Systems. Springer, 2nd edition. Cassez, F., Dubreil, J., and Marchand, H. (2012). Synthesis 6. CONSEQUENCES of opaque systems with static and dynamic masks. Formal Methods in System Design, 40(1), 88–115. Wu and Lafortune (2013) provided polynomial reductions Czerwinski, W., Lasota, S., Lazic, R., Leroux, J., and Ma- among several notions of opacity, including current-state opac- zowiecki, F. (2019). The reachability problem for petri nets ity, language-based opacity (for regular languages), initial-state is not elementary. In STOC, 24–33. opacity, and initial-and-final-state opacity. Inspecting the re- Dubreil, J., Darondeau, P., and Marchand, H. (2008). Opacity ductions, it can be seen that they preserve both acyclicity and enforcing control synthesis. In WODES, 28–35. partial order. Moreover, eliminating the unnecessary Trim op- Focardi, R. and Gorrieri, R. (1994). A taxonomy of trace- erations, we obtain deterministic logarithmic-space reductions, based security properties for ccs. In Computer Security see Masopust (2018) for more details. Consequently, the results Foundations Workshop VII, 126–136. for current-state opacity also hold for language-based opac- Hadj-Alouane, N.B., Lafrance, S., Lin, F., Mullins, J., and ity (for regular languages) and initial-and-final-state opacity. Yeddes, M.M. (2005). On the verification of intransitive Moreover, the lower bounds also hold for K-step opacity, since noninterference in mulitlevel security. IEEE Transactions on current-state opacity is a special case thereof. Systems, Man, and Cybernetics, Part B, 35(5), 948–958. The only problematic construction of Wu and Lafortune (2013) Hunt III, H.B. (1973). On the Time and Tape Complexity of is the reduction from language-based opacity (LBO) to initial- Languages. Ph.D. thesis, Department of Computer Science, state opacity (ISO), which requires that the languages are prefix Cornell University, Ithaca, NY. closed. We briefly depict a general reduction from LBO to ISO. Jacob, R., Lesage, J., and Faure, J. (2016). Overview of discrete event systems opacity: Models, validation, and quantifica- ∗ ∗ Let G = (Q,Σ,δ,I) be a DES, P: Σ → Σo a projection, and tion. Annual Reviews in Control, 41, 135–146. QS,QNS ⊆ I sets of secret and non-secret initial states. System G Kozen, D. (1977). Lower bounds for natural proof systems. In is initial-state opaque if for every i ∈ QS and every w ∈ L(G,i), FOCS, 254–266. ′ ′ there is j ∈ QNS and w ∈ L(G, j) such that P(w)= P(w ). Kr¨otzsch, M., Masopust, T., and Thomazo, M. (2017). Com- plexity of universality and related problems for partially or- Let the languages L and L of LBO be given by nonblocking S NS dered NFAs. Information and Computation, 255(1), 177– automata G and G , respectively. Let x , x be two new states, s ns s ns 192. and let @ be a new observable event. To every marked state r, Lin, F. (2011). Opacity of discrete event systems and its we add a transition (r,@,x ) if r is in G , and (r,@,x ) if r is s s ns applications. Automatica, 47(3), 496–503. in G . Then L(G )= L ∪L @ and L(G )= L ∪L @. Let ns s S S ns NS NS Masopust, T. (2018). Complexity of verifying nonblockingness G denote G and G considered as a single automaton, and let s ns in modular supervisory control. IEEE Trans. Automat. Con- Q be the initial states of G , and Q the initial states of G . S s NS ns trol, 63(2), 602–607. Then, P(L ) ⊆ P(L ) if and only if P(L(G )) ⊆ P(L(G )), S NS s ns Mazar´e, L. (2004). Decidability of opacity with non-atomic which is if and only if G is ISO. keys. In Formal Aspects in Security and Trust, 71–84. Notice that the reduction does not preserve the number of Saboori, A. (2011). Verification and enforcement of state-based observable events. This could be solved by encoding the events notions of opacity in discrete event systems. Ph.D. thesis, of G in binary, but then the reduction may not preserve partial University of Illinois at Urbana-Champaign. order and the number of events if the languages LS and LNS are Saboori, A. and Hadjicostis, C.N. (2007). Notions of security unary. However, adjusting the results for current-state opacity and opacity in discrete event systems. In CDC, 5056–5061. according to the suggested reduction, we obtain similar results Saboori, A. and Hadjicostis, C. (2009). Verification of K-step also for initial-state opacity. opacity and analysis of its complexity. In CDC/CCC, 205– 210. REFERENCES Schneider, S. and Sidiropoulos, A. (1996). CSP and anonymity. In ESORICS, volume 1146 of LNCS, 198–218. ˇ Alur, R., Cern´y, P., and Zdancewic, S. (2006). Preserving Schwentick, T., Th´erien, D., and Vollmer, H. (2001). Partially- secrecy under refinement. In ICALP, 107–118. ordered two-way automata: A new characterization of DA. Arora, S. and Barak, B. (2009). Computational Complexity – A In DLT, volume 2295 of LNCS, 239–250. Modern Approach. Cambridge University Press. Stockmeyer, L.J. and Meyer, A.R. (1973). Word problems Asveld, P.R.J. and Nijholt, A. (2000). The inclusion problem requiring exponential time: Preliminary report. In STOC, 1– for some subclasses of context-free languages. Theoret. 9. Comput. Sci., 230(1-2), 247–256. Wu, Y.C. and Lafortune, S. (2013). Comparative analysis of Badouel, E., Bednarczyk, M., Borzyszkowski, A., Caillaud, B., related notions of opacity in centralized and coordinated and Darondeau, P. (2007). Concurrent secrets. Discrete architectures. Discrete Event Dyn. Syst., 23(3), 307–339. Event Dyn. Syst., 17(4), 425–446.