On Opacity Verification for Discrete-Event Systems

On Opacity V erification f or Discr ete-Event Systems Ji ˇ r´ ı Balun ∗ T om ´ a ˇ s Masopust ∗ , ∗∗ ∗ F aculty of Science, P alacky Universi ty in Olo mouc, Olomouc , Czechia ∗∗ Institute of Mathematics of th e Czech Academy of Scien ces, Brno, Czechia (e-mail: jiri.balun 01@upol. cz, masopust@math. c as.cz) Abstract: Opacity is an info rmation flo w property characterizing whether a system re veals its secret to an intruder . V erification of opacity for discrete-event sy stems mo deled by automata is in general a hard problem. W e discuss the question wheth er there a r e structur al restriction s on the system models for which the op acity verification is tractab le. W e consider two k inds of automata mod els: (i) acyclic automata, and ( ii) auto mata whe r e a ll cycles are only in th e fo r m of self-loo ps. In some sense, these models ar e th e simp lest mo dels o f (de a d lock-fr ee) system s. Altho ugh the expressi vity of such systems is weaker than the e xpressivity o f linear tem p oral logic, we show that the opacity verification for these systems is still hard. K e ywor d s: Discrete event sy stem s, finite auto mata, o pacity , com plexity 1. INTR ODUCTION In practical applications, it is desirable to k eep some infor- mation about a system secret. Such a requiremen t results in additional restrictions on the information flo w . S ev eral informa- tion flow prop erties studied in the literatu re include an onymity of Schneid er and Sidiropoulo s (1996 ), n oninterfer ence of Hadj- Alouane et al. (200 5), secrecy of Alur et al. (20 06), secu rity of Focardi and Go r rieri (1994 ), an d opacity of Ma z a r ´ e (2004). Opacity is the property whether a system prev ents an intruder from revealing the secret. The intr u der is mo deled as a passive observer with the comp lete knowledge of the structur e of the system but with only limited ob ser vation of its behavior . Based on its observation, the intru der estimates the behavior o f the system, an d the system is o paque if the intrude r’ s estimation never rev eals th e secret. In other words, for any secre t behavior of the system, there is a non -secret behavior that looks th e same to the intruder . If the secret is mod eled as a set of secret st ates, the opacity is referred to as state-based op acity . Bryans et a l. (20 05) intro- duced state-based o pacity for systems modele d by Petri nets, Saboori and Hadjico stis ( 2007) a dapted it to systems modeled by (stochastic) au tomata, an d Bryans et al. (2008) gen eralized it to tran sition systems. If the secret is modeled as a set o f secret behaviors, the opacity is referred to as lang uage-based opacity . La n guage- based opacity was intro duced by Bado uel et al. (2007) a nd Dubreil et al. (2 008). Many researche rs studied opacity from different perspectives, including its verification and the synthesis o f o pacity-ensu ring con trollers. For mor e de- tails, we refe r the reader to the overview by Jacob et al. (2 016). Sev eral notions of opacity have been d iscu ssed in the litera- ture, e.g . , current-state opacity , initial-state opacity , initial- and- final-state opacity , langua g e-based op acity , K -step opacity , or infinite-step opacity . Curren t-state opacity a sks wh ether the in- truder cannot, based o n its state estima tio n, in any instance of time dec ide whether the system is curren tly in a secret state. Initial-state opacity asks whether th e in tr uder can nev er reveal whether the comp utation started in a secret state. Initial- a n d- final-state opacity of W u and Lafortune (20 13) is a generaliza- tion of b oth current-state o p acity and initial-state opacity . The difference is that the secret is encod ed as a pair of an initial and a marked state. Consequently , initial-state opacity is a special case o f initial-and-final- state opacity wh ere the marked states do not play a role. Similarly , c u rrent-state opacity is a special case where the in itial states d o not play a role. While curren t- state opac ity is a prop erty to pr event the in truder from rev ealing wheth e r the current state o f the system is a secr et state, initial-state o pacity prevents the intruder from rev ealing whether the system started in a secret state, that is, at any time during the compu tatio n. In more detail, the difference between initial-state opacity and curren t-state opa city is that initial- state opacity re q uires th at the intruder c a nnot reveal the secret n e ither at the beginning of the computatio n n or in any state later during the computation, while cur rent-state o pacity only requires that the intrud er can not reveal the secre t in the curr ent state. It may , howe ver , happen tha t the intrud e r m ay rev eal th at the system was in a secret state in the future. For instance, a ssum e that th e intruder estimates that the system is in o n e of two states, and that the system procee d s in the next step by an observable ev ent that is po ssible only f rom o ne of th e states. Th e n, the intr uder reveals the state in which the system was one step ag o. This problem has been con sidered in the litera tu re an d led to the intro duction o f two notions: K -step opacity of Saboo ri and Hadjicostis (2007 ) and infinite-step opacity of Saboori and Had jicostis (2 009). While K -step opacity requ ir es th at th e intruder cannot reveal the secret in the current a n d K subsequen t states, infin ite- step opa city requires that the intrud er can n ever reveal that the system was in a secr et state. The complexity o f opacity v erification has widely b een in ves- tigated in the literature and is often based on the com putation of o bserver . Thus the pro blem belong s to P S PAC E . It is actually P S PAC E -com plete fo r most of the d iscussed notions. Ind eed, Cassez et al. (201 2) sh owed that the verification of current- state opacity is at least as hard as deciding uni versality , wh ich is P S P AC E - complete for nond eterministic automata as well as for determin istic au tomata with partial o b servation. Howe ver , P S PAC E - completen ess of universality req uires a non - trivial structur e of the model an d the ab ility to express all possible strings. T his gi ve rise to a question whether there are structurally simpler systems fo r which th e verification of opa c - ity is tractable. W e in vesti gate th e pro blem f or , in ou r o pinion , structurally the simplest sy stems: for acyclic auto mata (that do not ha ve the ability to express all strings, and actu a lly express only a finite nu mber of string s) and for autom ata where all cycles are in the for m of self-loops (which may still seem trivial in the stru c ture, becau se as soon as the system leaves a state, it can never retu rn to that state) . In this p aper, we study th e effect of those structur a l r estrictions on the verification of current-state op acity . Notice first that using the polyno m ial redu ctions of W u an d Laf ortune (2 013) among cur r ent-state op acity , initial-state opacity , initial-an d- final-state opacity , an d lang uage-b ased opacity , allows us to deduce im mediate consequen ces of our study f or other notio ns of opacity as well. W e discuss these co nsequence s in de tail in Section 6. Our c o ntribution is as follows. W e show that d eciding lan guage- based weak opacity fo r systems wh ere both the secr et and the non-secr e t lan guages are modeled by NF As is N L -comp le te (Theor e m 4). Then we show that decidin g cu rrent-state opacity for deterministic finite-state systems with only three ev ents, one of which is unob ser vable, is P S PAC E -co m plete ( Theorem 6). Considering systems with on ly o ne observable event, we show that the complexity decreases to C O N P-co m plete (The o rem 7). Then we stud y acyclic systems that have on ly a finite amou nt of different b ehaviors and show that deciding current-state opac- ity for acyclic systems with at least two observable events is C O N P -complete (The o rem 8), and that the com p lexity de- creases to N L -comp le te in th e case th e systems h ave a single observable event (T heorem 9). Finally , we invest igate th e sim- plest dead lock-fr ee systems, that is, system s where all cycles are self-lo o ps, and show that whereas d eciding cur rent-state opacity of such systems with a single observable event is N L - complete (Theorem 1 2 ), the problem for systems having three ev ents, one of which is unob servable, is P S PAC E -com plete (Theor e m 13) even for deterministic systems. 2. PRELIMINARIES W e assume that the r e a der is familiar with the basics of au- tomata th eory , see Cassand ras and Laf ortune (20 0 8) for details. For a set S , | S | d enotes the cardinality of S , and 2 S the power set of S . An alph a bet Σ is a finite non empty set of ev ents. A string over Σ is a seq uence of events from Σ . Let Σ ∗ denote the set of all finite strings over Σ ; the empty strin g is d enoted by ε . A languag e L over Σ is a subset of Σ ∗ . The set of all pr efixes of strings of L is the set L = { u | uv ∈ L } . For a string u ∈ Σ ∗ , | u | denotes its le n gth, and u the set of all prefixes of u . A non deterministic fin ite automato n (NF A) over an alphabet Σ is a structur e A = ( Q , Σ , δ , I , F ) , where Q is a finite set of states, I ⊆ Q is a set of initial states, F ⊆ Q is a set of marked states, and δ : Q × Σ → 2 Q is a transition fun ction that can be extended to the dom ain 2 Q × Σ ∗ by in duction. Equ iv alently , th e tran sition function is a relation δ ⊆ Q × Σ × Q , where, e.g., δ ( q , a ) = { s , t } denotes two transitions ( q , a , s ) and ( q , a , t ) . F or a state q ∈ Q , the languag e mar ked by A from q is the set L m ( A , q ) = { w ∈ Σ ∗ | δ ( q , w ) ∩ F 6 = / 0 } , and th e langu age gener ated by A from q is the set L ( A , q ) = { w ∈ Σ ∗ | δ ( q , w ) 6 = / 0 } . The la n guage marked by A is then the union S q 0 ∈ I L m ( A , q 0 ) ; similarly for the langu a ge ge n erated by A . The NF A A is deterministic (DF A) if | I | = 1 and | δ ( q , a ) | ≤ 1 for every q ∈ Q and a ∈ Σ . For DF As, we identify singletons with their elemen ts and simply write p instead o f { p } . Sp e c ifi- cally , we wr ite δ ( q , a ) = p instead of δ ( q , a ) = { p } . A discrete-e vent system (DES) G over Σ is an automato n (NF A or DF A) toge th er with the partition of the alphabet Σ into two disjoint subsets Σ o and Σ uo = Σ \ Σ o of observab le and unobserva b le events , respecti vely . In the case w h ere all states of the au tomaton are m arked, we simply write G = ( Q , Σ , δ , I ) without specifying the set of ma r ked states. The opacity pro perty of a DES is based on partial observation of events described by the pro jection P : Σ ∗ → Σ ∗ o , which is a morph ism defined by P ( a ) = ε for a ∈ Σ uo , a n d P ( a ) = a f or a ∈ Σ o . The action of P o n a string σ 1 σ 2 · · · σ n with σ i ∈ Σ for 1 ≤ i ≤ n is to er ase all events that d o not belong to Σ o ; namely , P ( σ 1 σ 2 · · · σ n ) = P ( σ 1 ) P ( σ 2 ) · · · P ( σ n ) . The defin ition can readily be exten ded to lang uages. A d ecision pr o blem is a y es-no question. A decision pr oblem is decidab le if ther e is an algorithm that solves it. Complexity the- ory classifies decidable problems to classes based on the time or space an a lgorithm requir es to so lve the problem. The com- plexity classes we consider are N L , P T I M E , N P , an d P S P AC E denoting the classes of problems solvable by a nond e te r minis- tic logarithmic - space, deterministic polyn omial-time, non deter- ministic polyno mial-time, and deter ministic polynomial- sp ace algorithm , respectively . The hierarchy of the classes is N L ⊆ P T I M E ⊆ N P ⊆ P S P AC E . Which of th e inclusions are strict is an ope n prob lem. The widely accep ted con jecture is that all are strict. A d ecision pro blem is N L-co mplete (re sp. N P- complete, P S PAC E -co mplete) if ( i) it belongs to N L (r e sp . N P, P S PAC E ) and (ii) every problem f rom N L (r esp. N P, P S PAC E ) can be red uced to it by a determin istic log arithmic-spa ce (resp . polyno mial-time) algorithm. Condition (i) is called membership and condition (ii) har dness . 3. OP ACITY As explained in the intro duction, up to one exception , we stud y in the sequel the complexity of verification o f curren t-state opacity , the d efinition of which we now recall. Definition 1. ( Cu rrent-state opacity) . Let G = ( Q , Σ , δ , I ) be a DES, P : Σ ∗ → Σ ∗ o a projection , Q S ⊆ Q a set of secret states, an d Q N S ⊆ Q a set of non-secret states. System G is curr ent-state opaqu e if for every string w such th at δ ( I , w ) ∩ Q S 6 = / 0, ther e exists a string w ′ such th at P ( w ) = P ( w ′ ) an d δ ( I , w ′ ) ∩ Q N S 6 = / 0. The exception is languag e -based weak opacity . Langu age- based (weak) opac ity is defin ed ov er a set of secret b ehaviors. W e recall the most general definitio n by Lin (2 011). Definition 2. ( L anguag e-based opacity) . Let G = ( Q , Σ , δ , I ) be a DES, P : Σ ∗ → Σ ∗ o a projection , L S ⊆ L ( G ) a secret langu age, and L N S ⊆ L ( G ) a non- secret language. Sy stem G is la n guage- based opaq ue if L S ⊆ P − 1 P ( L N S ) . Inform ally , the system is lan guage- based o p aque if for any string w in the secret lang uage, ther e is a string w ′ in the no n- secret lang uage with the same observation P ( w ) = P ( w ′ ) . In this c a se, the intrud er cannot conclude whether th e secret string w or the non-secre t string w ′ has occurr ed. The system is la n guage- based weakly opa q ue if some strings from the secret langu age are conf used with some strings from the non - secret language. Definition 3. ( L anguag e-based weak op acity). Let G = ( Q , Σ , δ , I ) be a DES, P a projection , L S ⊆ L ( G ) a secr et lan guage, and L N S ⊆ L ( G ) a non- secret languag e. System G is langu age- based weakly o paqu e if L S ∩ P − 1 P ( L N S ) 6 = / 0. It is worth m entioning that th e secret and n on-secre t lan guages are often conside r ed to be regular, since fo r n o n-regular lan- guages, e.g., f o r d e terministic co ntext-free lang uages, the in - clusion pro blem is u ndecidab le. Asveld and Nijholt (20 00) give a bro ader picture on (un )decidab ility of the in c lu sion pro blem. 4. LANGUA GE-BASED WEAK OP A CITY Lin (20 1 1) h a s shown that d eciding la n guage- based weak opacity is poly nomial for the secret an d no n-secret lang u ages giv en by finite autom ata. The idea is based o n the ob serva- tion that L S ∩ P − 1 P ( L N S ) 6 = / 0 if and o nly if P ( L S ) ∩ P ( L N S ) 6 = / 0, where the later can b e checked in p olynom ial ( quadra tic) time by repr esenting P ( L i ) , i ∈ { S , N S } , as an NF A (with ε - transitions), co mputing the p r oduct of such NF As, and d eciding non-em ptiness of the resulting a utomaton . Howe ver , is the prob lem the hard est p roblem in th e c lass of polyno mially solvable problems? Equivalently , is the prob lem of deciding lang uage-b a sed weak o pacity P T I M E -complete? If it were, its verificatio n would p robab ly not be p a rallelizable. Notice the word “prob ably” ref erring to th e long standing open problem from comp lexity theory similar to th e famou s p roblem whether P T I M E = N P. W e now show th a t the pro b lem is N L - complete and, consequ ently , can be efficiently solved on a parallel com p uter, see Arora and Barak ( 2009) . Theor em 4. Decidin g languag e-based weak opacity fo r a DE S where both the secret langua ge L S and the no n-secret lang uage L N S are mod e le d b y NF As is N L- complete. Proof. Lin (20 11) ha s shown th at L S ∩ P − 1 P ( L N S ) 6 = / 0 is equiv- alent to P ( L S ) ∩ P ( L N S ) 6 = / 0. Let L S and L N S be rep resented by NF As G 1 = ( Q 1 , Σ , δ 1 , Q 0 , 1 , Q m , 1 ) and G 2 = ( Q 2 , Σ , δ 2 , Q 0 , 2 , Q m , 2 ) , re spectiv ely . T o chec k that P ( L S ) ∩ P ( L N S ) 6 = / 0 is satis- fied, the NL a lg orithm g uesses two pairs of states ( q 0 , 1 , q 0 , 2 ) ∈ Q 0 , 1 × Q 0 , 2 and ( q m , 1 , q m , 2 ) ∈ Q m , 1 × Q m , 2 and verifies that the pair ( q m , 1 , q m , 2 ) is reachable fro m ( q 0 , 1 , q 0 , 2 ) in the prod uct automaton . For more details how to check rea c hability in NL , the reader is referr ed to Masopust (20 18). T o show N L -h ardness, we reduce the D A G r eachability p r ob - lem : given a directed acyclic graph G = ( V , E ) and two ver- tices s , t ∈ V , th e problem asks whether vertex t is reach- able f r om vertex s . Fro m G , we constru c t a n NF A A = ( V ∪ { t ′ } , { a , b } , δ , s , V ∪ { t ′ } ) , wh e re a is an observable and b an unobser vable event, and for every ed ge ( p , r ) ∈ E , we add the transition ( p , a , r ) to δ . M o reover , we add a new state t ′ and a new transition ( t , b , t ′ ) . Let L S be the language of the automaton ( V ∪ { t ′ } , { a , b } , δ , s , { t } ) and L N S the langu a ge of the autom a- ton ( V ∪ { t ′ } , { a , b } , δ , s , { t ′ } ) . Obviously , L S is nonempty if and only if L N S is no nempty , which is if and only if t is reach - able from s . Then, if a k is the label of transitions from s to t , then P ( a k ) = a k ∈ P ( L S ) and P ( a k b ) = a k ∈ P ( L N S ) . Hence P ( L S ) ∩ P ( L N S ) 6 = / 0 if and only if t is r e a chable from s . ✷ W e point o ut that u sing a unique obser vable ev ent for e very transition can show N L -h ardness for DESs modeled as DF As. 5. OP A CITY VERIFICA TION In the sectio n , we d iscuss se veral structural restrictions on th e systems an d the effect of these r e strictions on the complexity of verification of current-state opacity . Namely , we discuss the restriction o n the numb e r of o bservable and u nobservable ev ents, then we combin e this restriction with the req uirement on acyclicity of the system model, and finish the section by relaxing the restriction on acyclicity to allow deadlock freeness. T o simplify the pro ofs, we first r educe c urrent-state opacity to the language inclusion problem. T his reduction is similar to th at of W u and Lafortun e (2013) reducin g curren t-state opacity to languag e -based op acity . Lemma 5. Let G = ( Q , Σ , δ , I ) be a DES, P : Σ ∗ → Σ ∗ o a pro- jection, a n d Q S , Q N S ⊆ Q sets of secret and non -secret states, respectively . L e t L S denote the mar ked languag e of th e auto ma- ton G S = ( Q , Σ , δ , I , Q S ) an d L N S denote th e marked language of the automaton G N S = ( Q , Σ , δ , I , Q N S ) . Th en G is cu rrent-state opaqu e if an d only if P ( L S ) ⊆ P ( L N S ) . 1 Proof. Ass ume that w is such that δ ( I , w ) ∩ Q S 6 = / 0. This is if and only if P ( w ) ∈ P ( L S ) . Then, by d e fin ition, there is a string w ′ such that P ( w ) = P ( w ′ ) and δ ( I , w ′ ) ∩ Q N S 6 = / 0, which is if and only if P ( w ) ∈ P ( L N S ) . ✷ Furthermo re, Cassez et al. (2 012) poin ted out that the verifi- cation of cu rrent-state opacity is at least as hard as decid ing universality . Ind eed, for a DES G = ( Q , Σ , δ , I , F ) , L ( G ) = Σ ∗ if and only if G is cu r rent-state opaqu e with respect to Q S = Q \ F and Q N S = F . This ob servation and Lemma 5 tog e ther with the results on the complexity of deciding univ ersality and inclusion give us strong tools to show lower and upper complexity bou nds for decidin g (curren t-state) op acity . 5.1 Restriction on the numbe r o f events Our first restriction co n cerns th e numbe r of o bservable and unobser vable events in the system. The f o llowing result thus improves the general case in two ways: (i) comp ared to th e general setting s where more than a single initial state is allowed, although the transitions are all d eterministic, we allow only a single initial state, and henc e keep th e sy stem d eterministic, and, mainly , (ii) we restrict the nu mber of observable events to two and the n umber of u nobservable events to one. Theor em 6. Deciding curren t-state opacity for a DES modeled by a DF A with three events, one of wh ich is u nobservable, is P S PAC E -com plete. Proof. Membership in P S PAC E was shown by Saboori (201 1), and also fo llows direc tly from Lemma 5. T o show h ardness, we re d uce the DF A-union universality prob- lem sho wn to be P S PAC E -co mplete by K ozen ( 1 977) . Thus, let A 1 , . . . , A n be DF As over the alphabet Σ = { 0 , 1 } . W e let both events of Σ be obser vable. Wit hout loss of generality , we may assume th at the initial s tate of A i , for i = 1 , . . . , n , is not reachable f rom any oth er state. 2 Let G den ote the nond e te r- ministic u nion of all A i ’ s, that is, L ( G ) = S n i = 1 L ( A i ) . K oz en 1 Here, P ( L S ) is unde rstood as being represented by an NF A with ε -transit ions obtaine d from G S by repla cing transition ( p , a , q ) with ( p , P ( a ) , q ) ; anal ogously for P ( L N S ) . 2 Otherwise, we can modify A i by adding a new state q ′ 0 , i that is marked if and only if the init ial state q 0 , i is marke d, add, for ev ery transit ion ( q 0 , i , e , p ) , a (1977 ) showed th at deciding whether L ( G ) = Σ ∗ is a P S P AC E - hard pr oblem, and hen ce d e c iding cur r ent-state o pacity of G is P S PAC E -hard by the observation of Cass ez et al. (2012) formu late d below Lemma 5. Notice that althoug h the tra n sitions of G are deterministic, G may h av e m ore th an a sin g le initial state, say I = { q 1 , . . . , q n } . W e now fur th er modify G by adding a new uno bservable event a an d the transitions ( q i , a , q i + 1 ) , for i = 1 , . . . , n − 1 , and let q 1 be the sole initial state. Denoting the result by G ′ , we can see that G ′ is a DF A, an d that the observers of G and G ′ coincide; indeed, the initial state of the observer of G is I , be cause both ev ents of G are ob servable, and th e initial state of th e o bserver of G ′ is the set o f states r eachable from q 1 under the sequences of u nobservable ev ent a , that is, it is I as well. Notice tha t h e re we needed the assumption that the initial state of A i is not reachable from o ther states of A i ; otherwise, th e observers of G and G ′ could be different. Altog ether, G is opaque if and o nly if G ′ is o paque, which completes the proof. ✷ Notice th a t an un observable event in the p r evious theo r em is unav oidable becau se any DF A with all events ob servable is always in a uniq u e state, and therefo r e never opaq ue. However , the reader ma y wonder what hap pens if we further restrict the number of observable events to one. W e n ow show that having only one observable ev ent makes the problem compu tationally easier unle ss C O N P = P S PAC E . This result h olds ev en without any restriction on the num ber of unobservable e vents, and for nonde ter ministic au tomata. Theor em 7. Decidin g current-state opacity of a DE S modeled by an NF A with a sing le observable event is C O N P -comp lete. Proof. Membership in C O N P fo llows from Lemma 5 and the fact th a t inclusion f o r u nary NF As is C O N P- c o mplete, and hardne ss follows fro m the complexity of deciding uni versality for un ary NF As. For bo th the claims used her e , the r e ader is referred to Sto c kmeyer an d Meyer (1973 ). ✷ 5.2 Restriction on the structure – acyclic auto m a ta The previous results show that only restricting the n umber o f ev ents does not lead to tractab le complexity . But it giv es rise to another q uestion whether th ere ar e stru cturally simp le r systems for which the opacity verification proble m is tractable. Structurally the simplest systems we could think of are acyclic DF As with full observation, reco gnizing only fin ite lan guages. Howe ver , these systems are never op a q ue, since th ey ar e deter- ministic and fully observed. Nontrivial structur es to be consid- ered could th us be acyclic NF A s that still recognize on ly finite languag e s, and hence do not possess the ability to express all strings o ver the alphabet. W e combin e this restriction with the restriction on the numb er o f events. Theor em 8. Decidin g current-state opacity of a DE S modeled by an acyclic NF A with at least two observable events is C O N P- complete. Proof. Ass ume that the acyclic NF A has n states. Then any string from its la n guage is of leng th at m ost n − 1. Thus, to show that the sy stem is not o paque, an N P algorithm gu esses a subset of secret states a n d a string of len gth at most n − 1 and verifies, ne w transit ion ( q ′ 0 , i , e , p ) , and let q ′ 0 , i be the only initia l state. This modificat ion does not change the language of A i . Moreove r , we put q ′ 0 , i to the set Q S , Q N S or Q \ ( Q S ∪ Q N S ) to which q 0 , i belongs, which preserv es the opaci ty property . in polyno mial time, that the gu essed subset is re a c hable by th e guessed string. This shows th at verifying opacity is in C O N P. Notice that mem bership in C O N P can also be directly der iv ed from Lemma 5 and the comp lexity of in clusion for so-called rpoNF As of Kr ¨ otzsch et al. (2017) that are more gen eral than acyclic NF As. T o show C O N P-h ardness, we r educe the com plement of CNF satisfiability . 3 The proo f is based on the constructio n showing that non -equivalence for regular expressions with o perations union and co ncatenation is N P -co mplete even if one of them is of the for m Σ n for som e fixed n , see Hu n t I I I (19 73) or Stockmeyer and Meyer (1973 ). Let { x 1 , . . . , x n } be a set of variables and ϕ = ϕ 1 ∧ · · · ∧ ϕ m be a formu la in CNF , whe r e every ϕ i is a disjunctio n of literals. W ithout loss o f g enerality , we m ay assume that n o clau se ϕ i contains both x an d ¬ x . L e t ¬ ϕ be the negation of ϕ obtained by de Mo rgan’ s laws. The n ¬ ϕ = ¬ ϕ 1 ∨ · · · ∨ ¬ ϕ m is in disjunctive normal form . For every i = 1 , . . . , m , we d efine a r egular expression β i = β i , 1 β i , 2 · · · β i , n , wher e β i , j = ( ( 0 + 1 ) if neith er x j nor ¬ x j appear in ¬ ϕ i 0 if ¬ x j appears in ¬ ϕ i 1 if x j appears in ¬ ϕ i for j = 1 , . . . , n . Let β = S m i = 1 L ( β i ) be the u nion of language s defined by expr essions β i . Then we h av e th at w ∈ L ( β ) if and only if w satisfies some ¬ ϕ i . That is, we have that L ( β ) = { 0 , 1 } n if and only if ¬ ϕ is a tautology , which is if and only if ϕ is not satisfiable. No tice th at the length of every string recogn ize d by β i is exactly n . Let M b e an NF A c onsisting of m p aths o f length n , each correspo n ding to th e lang uage of β i , and make the last state of ea ch o f these paths n on-secret, that it, it is placed to Q N S . In addition, ad d a path co nsisting of n + 1 states { α 0 , α 1 , . . . , α n } and tr a nsitions ( α ℓ , a , α ℓ + 1 ) , f o r 0 ≤ ℓ < n , where a ∈ { 0 , 1 } . Let α n be the sole secret state, i.e. , Q S = { α n } . Notice that th e languag e of M mar ked b y the states in Q S is { 0 , 1 } n , whereas the langua ge ma rked by the states in Q N S is L ( β ) . By Lemma 5, M is cu rrent-state opaqu e if and only if { 0 , 1 } n ⊆ L ( β ) , which is if and only if ϕ is not satisfiable. This completes the proo f of C O N P -co mpleteness. ✷ Again, we can show that the situation is com putationally sim- pler if on ly one observable event is allowed. Theor em 9. Deciding cu rrent-state opacity of a DE S modeled by an acyclic NF A with a single ob servable e vent is N L - complete, and hen ce solvable in polynom ial time. Proof. Membership in N L follows from Lemma 5 and the complexity of inclusion for u nary languages, see Kr ¨ otzsch et al. (2017 ). T o prove N L-h ardness, we reduce the D AG-reachability p rob- lem. Let G be a dir e cted acyclic graph with n vertices, and let s an d t be two vertices of G . W e define an acyclic NF A A 3 A (boolean) formula consist s of vari ables, operators conjunc tion, disjunct ion and negation, and parentheses. A formula is satisfiable if there is an assigni ng of true and false to its v aria bles making it true . A lite ral is a va riable or its nega tion. A clause is a disjunction of literals. A formula is in conjunct i ve normal form (cnf) if it is a conjunc tion of clauses; e.g., ϕ = ( x ∨ y ∨ z ) ∧ ( ¬ x ∨ y ∨ z ) is a formula in cnf with two cla uses x ∨ y ∨ z and ¬ x ∨ y ∨ z . Gi ven a formula in cnf, the CNF satisfiabilit y pro blem asks whether the formula is satisfiable. The formula ϕ is satisfiabl e for , e.g., ( x , y , z ) = ( 0 , 1 , 0 ) . as f ollows. W ith each nod e of G , we associate a state in A . Whenever there is an edge f rom i to j in G , we add a transition ( i , a , j ) to A . T h e resultin g automa to n A is an acyclic NF A. Let t be the sole secret state, i.e., Q S = { t } , and let Q N S be empty . Obviously , A is not current-state op aque if and only if there is a string w ∈ { a } ∗ such that δ ( s , w ) ∩ Q S 6 = / 0 . Hence A is not cu rrent-state op aque if and o nly if t is reach able fro m s in G . ✷ Remark 10. Notice that the choice of Q N S = / 0 reduce s current- state op acity to non-r eachability of states from Q S . Sin ce this is in d epende n t on the a u tomata mo dels, rec e nt results b y Czer- winski et al. (20 1 9) on the lower-bound complexity of reac h - ability in Petri nets gi ves that deciding current-state o pacity is not elemen tary for Petri nets. 4 5.3 Restriction on the structure – deadlock-fr ee au tomata Above, we co nsidered systems gener ating only finitely many behaviors. Howe ver , re al-world systems a r e usually not th a t simple and often requ ire ad ditional properties, such as deadlock freeness. Therefore, we now consider a kind of au tomata wher e all cycles are only in the form of self-lo ops. Su ch automata are, in o ur opin io n, structurally the simplest de adlock-f ree DES. Their mark langu ages fo r m a subclass of regular langua g es strictly includ ed in star-fr ee langu ages , see Brzo zowski an d Fich (1980 ) and Sch wentick et al. (2001 ). Star -free languages are languages definable by linea r temporal logic that is often used as a specification langu age in automa ted verification . W e n ow forma lize our m odel. Let A = ( Q , Σ , δ , I , F ) be an NF A. The reachability r elation ≤ o n the state set Q is defined by p ≤ q if there is w ∈ Σ ∗ such th at q ∈ δ ( p , w ) . The NF A A is partially order ed (p o NF A ) if the reach ability relatio n ≤ is a partial order . I f A is a partially ord ered DF A, we use the notation poDF A . W e then immediately obtain the fo llowing resu lt fo r non deter- ministic partially o rdered automata. Theor em 11. Deciding cur rent-state opacity o f a DES modeled by a poNF A with only two events, both of wh ich are observable, is P S PAC E -co m plete. Proof. Membership in P S PAC E f ollows fr om Lemma 5 and the results on th e com plexity of inclusion for p o NF As, an d hardne ss fr om the fact th at decid ing universality for poNF As with on ly two events is P S P AC E - c omplete. For both claims see Kr ¨ otzsch et al. (2017 ). ✷ The situation is ag ain easier if the model h as only a single observable event. Theor em 12. Deciding cur rent-state opacity o f a DES modeled by a poNF A with a single o bservable event is N L -com plete. Proof. Membership in NL fo llows from Lemma 5 and the co r- respond in g comp lexity of inclusion, and h a rdness from the fact that decidin g universality for unary poNF As is N L -comp lete, see Kr ¨ otzsch et al. (20 17). ✷ W e no w conside r DES mod eled by poDF As. Since every DF A with all events observable is always in a unique state, and hen ce never opaque, som e un observable e vents are necessary to en- sure opacity . W e show that ev en one unobservable event makes the op acity verification P S PAC E -com plete. Con sequently , th e problem is h ard for b a sically all practical cases. 4 For the notion of eleme ntary complexity , we refer to the referenc ed pape r . p q r x x = ⇒ p p ′ q r x ′ x x Fig. 1. The ’ determinization’ ; x ′ and p ′ are a new e vent an d a new state p p ′ p ′′ x y = ⇒ p p 1 p ′ p ′′ a a a Fig. 2. Th e encoding enc ( x ) = aa an d enc ( y ) = aaa Theor em 13. Deciding curr ent-state opacity for systems mod- eld by poDF As over an a lp habet with three events, one of which is uno bservable, is P S PAC E -com plete. Proof. Membership in P S P AC E follows f r om Lemma 5 and the correspo n ding co mplexity o f inclusion. Let A = ( Q , { 0 , 1 } , δ , I , F ) be a poNF A. By Theorem 11, de- ciding current-state o pacity for p oNF As with two ev ents, b oth observable, is P S PAC E - complete. From A , we now construct a poDF A D = ( Q ∪ Q ′ , { 0 , 1 , a } , δ ′ , s , F ) by ’ determinizing’ it with the help of new events that we then en code in unary . In more detail, fo r e very state p with two transitions ( p , x , r ) an d ( p , x , q ) with p 6 = q , we rep lac e the transition ( p , x , q ) with two transitions ( p , x ′ , p ′ ) and ( p ′ , x , q ) , where x ′ is a ne w event and p ′ a new state (add ed to Q ′ ); see Fig. 1 for an illustration. In this w ay , we eliminate all nondeterministic tr ansitions. The automaton is now deterministic with th e set of initial states I . L et Γ be the set of all the new events we c r eated by the construction . Notice that the nu m ber of th ese events is bo unded by th e nu mber of edge s in the origin a l automaton , and h ence polyno mial. W e now sho w ho w to encod e th e ne w e vents as strings over a unary a lp habet { a } . L et m = | Γ | b e a numbe r of new events and enc : Γ → { a , aa , . . . , a m } be an arbitrary encodin g (injec- tion). W e r eplace ev ery transition ( p , x ′ , p ′ ) , for x ′ ∈ Γ , b y the sequence o f transitions ( p , en c ( x ′ ) , p ′ ) , which req u ires to add u p to m new states to Q ′ . For in stance, if ( p , x , p ′ ) and ( p , y , p ′′ ) ar e two transitions with x , y ∈ Γ , and enc ( x ) = aa and enc ( y ) = aaa , then ( p , x , p ′ ) is re placed b y transition s ( p , a , p 1 ) , ( p 1 , a , p ′ ) , where p 1 is a ne w state add ed to Q ′ , and ( p , y , p ′′ ) is replaced by transitions ( p , a , p 1 ) , ( p 1 , a , p ′ ) , ( p ′ , a , p ′′ ) ; see Fig. 2. No tice that we have not set the secret status o f states of Q ′ , and hence we have that th e states o f Q ′ are neither secret nor n on-secret. Assume that I = { q 1 , . . . , q n } . T o o btain a sin g le initial state (labeled b y q ′ 0 ), we add, f or i = 1 , . . . , n , a new state q ′ i and two transitions ( q ′ i − 1 , a , q ′ i ) and ( q ′ i , 0 , q i ) as depicted in Fig. 3. The resulting automaton , D , is a poDF A over the alphab et { 0 , 1 , a } with po lynomially many new events a nd states, and a single initial state q ′ 0 . Let P be th e pr ojection from { 0 , 1 , a } ∗ to { 0 , 1 } ∗ , and let P ( D ) denote th e poNF A o btained fr om D by replacing ev ery tran- sition ( p , a , q ) by ( p , P ( a ) , q ) . Then D is curren t- state opaque with respect to P if and on ly if P ( D ) is curren t-state o paque (with respect to th e identity m ap), which is if and only if A is current- state o paque (with respect to th e identity m ap). ✷ q ′ 0 q ′ 1 q ′ 2 q ′ 3 q ′ 4 q 1 q 2 q 3 q 4 a a a a 0 0 0 0 Fig. 3. Co n struction of an auto maton with a single initial state from an auto maton with fou r initial states 6. CONSEQUENCES W u an d Lafo rtune (201 3) provid ed polyno mial r eductions among several n otions of op a city , includin g cu r rent-state opac- ity , language-b ased opacity (fo r regular languages), initial-state opacity , a n d initial-a n d-final-state opacity . Insp ecting the re- ductions, it can be seen that they preserve both acyclicity and partial o r der . Moreover, eliminating th e unn ecessary T rim op - erations, we ob tain determin istic logarithmic- space re ductions, see Masopu st (2018 ) fo r more de tails. Consequently , the results for cu rrent-state opacity a lso ho ld for langua g e-based opac- ity (fo r regular langu a g es) and initial-and-fina l- state opacity . Moreover , the lower bou nds also hold for K -step op acity , since current- state o pacity is a sp ecial case ther eof. The o nly p roblema tic c o nstruction of W u and Lafor tune (2013 ) is the reduction from lan guage- based opa c ity (LBO) to in itial- state opacity (ISO) , which req uires that the lan g uages are prefix closed. W e briefly d e p ict a general red u ction fro m LBO to ISO. Let G = ( Q , Σ , δ , I ) be a DES, P : Σ ∗ → Σ ∗ o a pro jection, and Q S , Q N S ⊆ I sets of secret an d n on-secret in itial states. System G is initial-state opaqu e if for ev ery i ∈ Q S and ev ery w ∈ L ( G , i ) , there is j ∈ Q N S and w ′ ∈ L ( G , j ) such that P ( w ) = P ( w ′ ) . Let the langu ages L S and L N S of LBO be g iven b y non blocking automata G s and G ns , respectively . Let x s , x ns be two new states, and let @ be a ne w o bservable event. T o e very marked state r , we add a tr ansition ( r , @ , x s ) if r is in G s , and ( r , @ , x ns ) if r is in G ns . Then L ( G s ) = L S ∪ L S @ and L ( G ns ) = L N S ∪ L N S @. Let G denote G s and G ns considered as a single automa to n, and let Q S be the in itial states of G s , an d Q N S the initial states of G ns . Then, P ( L S ) ⊆ P ( L N S ) if and only if P ( L ( G s )) ⊆ P ( L ( G ns )) , which is if and only if G is ISO. Notice that the reductio n d oes not preserve the number of observable events. This could be solved by encoding the ev ents of G in bin ary , but then the red u ction may not preserve p a rtial order and the numb er of ev ents if the languages L S and L N S are unary . Ho we ver , adjusting th e results f or curren t-state opacity accordin g to the sug gested reductio n, we o btain similar results also fo r initial-state opacity . REFERENCES Alur , R., ˇ Cern ´ y, P ., a n d Z d ancewic, S. (2006). Preserving secrecy under refinemen t. I n ICALP , 10 7 –118 . Arora, S. and Bara k, B. (2009) . Computational Comp lexity – A Modern App r o a ch . Cambrid ge Univ ersity Press. Asveld, P .R.J. and Nijholt, A. (2000) . Th e inclusion pro blem for some subclasses o f context-free langu ages. Theor et. Comput. Sci. , 230(1-2 ), 247 – 256. Badouel, E., Bednarczyk, M., Bor zyszkowski, A., Caillaud, B., and Dar ondeau , P . (20 07). Concurren t secrets. Discr ete Event Dyn. S yst. , 17(4 ), 4 25–44 6. Bryans, J.W ., K outny , M., Mazar ´ e , L., and Ryan, P .Y .A. (2008). Opacity gen eralised to transition systems. Int. J. Inf. Sec. , 7(6), 421 –435 . Bryans, J.W ., Koutny , M., and Ryan , P .Y .A. (2005 ). Modellin g opacity using Petri nets. Electr onic Notes in Theor et. Com- put. Sci. , 12 1, 101–1 15. Brzozowski, J.A. and Fich, F .E. ( 1980) . Lang uages of R -trivial monoid s. J. Comput. System S ci. , 20(1) , 32 –49. Cassandras, C.G. and L afortun e , S. ( 2 008). Intr oduction to Discr ete Event Systems . Spr inger, 2nd edition. Cassez, F ., Dubr eil, J., and Marchand , H. (2012) . Synthesis of opaq ue systems with static and dy namic masks. F ormal Methods in S y stem Design , 40( 1), 8 8–11 5. Czerwinski, W ., Laso ta, S., Lazic, R., Leroux, J., an d Ma- zowiecki, F . ( 2019 ) . The reachability problem for petri nets is not elem entary . In STOC , 24–33 . Dubreil, J., Daro ndeau, P ., and March a nd, H. (2008 ) . Opacity enforcin g co ntrol synthesis. In WODES , 28–35 . Focardi, R. an d Gorrieri, R. (199 4). A taxono my of trace- based security pr operties fo r ccs. In Computer Security F ounda tio ns W orksho p VII , 126 –136 . Hadj-Alouan e, N. B., Lafrance, S., Lin, F ., M u llins, J., and Y eddes, M.M. (2 0 05). On the verification o f intransitive noninter ference in mulitlevel security . IEEE T ransactio ns on Systems, Man, a n d Cybernetics, P art B , 35 (5), 948– 958. Hunt III, H.B. (1 973). On the T ime and T a pe Comp lexity o f Languages . Ph.D . th esis, Departme n t of Com puter Science, Cornell University , Ith aca, NY . Jacob, R., Lesage, J., an d Faure, J. (201 6). Overview o f discrete ev ent systems o pacity: Models, validation, and quantifica- tion. Ann ual R eviews in Contr o l , 41, 13 5 –146 . K ozen, D. (19 77). Lower bound s for natur al pr o of systems. In FOCS , 254 –266. Kr ¨ otzsch, M., Masopust, T ., an d Thom a zo, M. (201 7). Co m - plexity of universality and related pr o blems fo r par tially or - dered NF As. Informa tion a nd Compu ta tion , 25 5(1), 1 77– 192. Lin, F . ( 2011) . Opacity of discrete event sy stem s and its applications. Automatica , 47(3), 496 –503 . Masopust, T . (2018) . Complexity of verifying nonblock ingness in modular supervisor y co ntrol. IEEE T rans. Automat. Con- tr ol , 63(2 ), 6 02–60 7. Mazar ´ e, L. (2 0 04). Decidability of opacity with no n-atomic keys. I n F ormal Aspects in Se c urity and T rust , 71– 84. Saboori, A. (20 11). V erification and enfo r cement of state-based notions of o pacity in discr ete event systems . Ph.D. thesis, University of Illino is at Urbana-Ch ampaign. Saboori, A. an d Hadjicostis, C.N. (2 007). Notions of security and opacity in discrete event systems. In CDC , 5 0 56–5 061. Saboori, A. an d Hadjicostis, C. (2009 ). V erification of K -step opacity and analysis of its complexity . In CDC/CCC , 205– 210. Schneider, S. and Sidiropoulo s, A. (1996) . CSP an d anonymity . In ESORI CS , volume 11 46 of LNCS , 1 98–2 18. Schwentick, T ., Th ´ erien, D., and V ollmer , H. (20 01). Partially- ordered two-way au tomata: A new char acterization of D A. In DLT , volume 2 295 of LNCS , 239–2 50. Stockmeyer, L.J. and M eyer , A.R. (1 973). W ord problems requirin g expo nential tim e: Prelimina ry repo rt. In STOC , 1– 9. W u, Y .C. an d Lafo r tune, S. (201 3). Comparative analysis of related notions of opacity in cen tralized and coordinated architecture s. Discr ete Even t Dyn . Syst. , 23 (3), 307– 339.