IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING, VOL. 12, NO. 3, JULY 2015
1067
Maximum Information Release While Ensuring Opacity in Discrete Event Systems Bo Zhang, Shaolong Shu, Member, IEEE, and Feng Lin, Fellow, IEEE
Abstract—Opacity is important in investigating secrecy, privacy, and other properties in general systems that can be modeled as discrete event systems. To ensure opacity, a controller may be used to control information released to the public. For transparency and other reasons, it is often desired that the information released to the public be maximum, as long as opacity is not violated. In this paper, we investigate how to release the maximum information while ensuring opacity. We find a necessary and sufficient condition for an information release policy to ensure opacity. We also develop methods and algorithms to design a controller that releases maximum information. We consider both strong opacity and weak opacity. We apply the results to the dining cryptographers problem. Note to Practitioners—Nowadays, networks and computers make the collection, storage and dissemination of information much easier. This brings us a lot of convenience, but at the same time, also brings us the worry that some private information may be released to the public undesirably. The problem of how to control the release of information thus becomes very important. In this paper, we propose a discrete-event-system approach to investigate the information release problem. The solution can ensure the opacity of private information while releasing the maximum information to the public. We believe that the practitioners both in the field of system and control and in the field of information science will benefit from the results. Index Terms—Computer science, discrete event system, opacity, security.
I. INTRODUCTION
O
PACITY is an important property to be investigated in many practical systems such as computer systems, communication networks, and database systems in which information flow must be controlled to ensure secrecy, security, privacy, anonymity, and non-interference. Because of its importance, opacity has been studied in the framework of discrete event systems. In particular, [4] uses the model of labeled transition systems to study opacity. A generalized definition of opacity is Manuscript received June 10, 2014; revised October 15, 2014; accepted November 15, 2014. Date of publication January 22, 2015; date of current version July 17, 2015. This paper was recommended for publication by Associate Editor C. Seatzu and Editor L. Shi upon evaluation of the reviewers’ comments. This work was supported in part by the National Natural Science Foundation of China under Grants 60904019, 61143006 and 71071116. B. Zhang and S. Shu are with the School of Electronics and Information Engineering, Tongji University, Shanghai 201804, China (e-mail: super_26@163. com;
[email protected]). F. Lin is with the Department of Electrical and Computer Engineering, Wayne State University, Detroit, MI 48202 USA, and also with the School of Electronics and Information Engineering, Tongji University, Shanghai 201804, China (e-mail: fl
[email protected]). Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/TASE.2014.2379623
proposed. It establishes links between opacity and the information flow concepts of anonymity and non-inference. In [15], two -opaque notions of opacity are investigated. A system is if the evolution of the system through a set of secret states remains opaque to an observer who observes activity in the -opaque system through the projection . A system is -opacity remains true for observations following the if departure of the system's state from the set . In [16], [17], the problems of checking opacity and synthesizing opaque systems by selecting the set of observable events are addressed. It shows that checking whether a system is opaque and computing an optimal static observer ensuring -complete problems. opacity are both To ensure opacity, [18] investigates the problem of constructing a minimally restrictive opacity-enforcing supervisory, which restricts system within some legal behaviors while enforcing initial-state opacity. In [9] and [10], the problem of computing a controller that enforces the opacity of a predicate against an attacker is addressed. It shows that an optimal control always exists. It also provides sufficient conditions under which the solution is regular and can be effectively computed. We investigate opacity of discrete event systems in [12]. Unlike the previous works, we define opacity of a language with respect to another language. This two-language approach give us more flexibility in applying opacity in practical problem. Using our definition in [12], opacity can not only be used to study security and privacy problems, but also other information flow problems such as observability [13], diagnosability [19], and detectability [20]. While most previous works define opacity in its strong sense, we define both strong opacity and weak opacity [12]. We say that a language is strongly opaque with respect to if all strings in are confused with some another language from an external agent's point of view. We say strings in that a language is weakly opaque with respect to another language if some strings in are confused with some strings in . The negation of weak opacity is called no opacity or transparency. Strong opacity, weak opacity and transparency can be used in different applications to solve different problems. For example, the dining cryptographers problem [8] involves both strong opacity and weak opacity. Checking weak opacity (and hence no opacity) can be done in polynomial complexity [24]. We further investigate opaque superlanguages and sublanguages in [1] and supervisory control to ensure opacity in [2]. In this paper, we investigate the problem of maximum information release while ensuring opacity (weak or strong) of discrete event systems. The rational for the investigation is as follows. When an authority wants to decide what information can be released to the public, two objectives are often considered: 1) for security reasons, certain things must be kept secret,
1545-5955 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
1068
IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING, VOL. 12, NO. 3, JULY 2015
which means either strong opacity or weak opacity must be ensured; and 2) for transparency reasons, the more information is released to the public, the better. For example, in USA, the Freedom of Information Act (FOIA) requires that certain information and records of government agencies to be released to the public upon request, unless such release will harm national security or be covered under other nine specific exemptions. Since national security can be modeled as an opacity problem, what information can be released can be determined by solving a maximum information release problem. The maximum information release problem can be formulated as follows. An external agent is trying to get as much information as possible in order to distinguish strings in and . What information will be released or communicated to the external agent is controlled by an internal controller (or internal agent). The objective of the internal controller is to ensure that opacity (either strong opacity or weak opacity) is preserved. Under this condition, the internal controller is also required to release or communicate as much information as possible for the sake of transparency, fairness or other purposes. In the framework of discrete event systems, the maximum information release problem is for the internal controller to communicate/release as many occurrences of observable transitions to the external agent while ensure either strong opacity or weak opacity. The maximum information release problem can be solved either on-line or off-line. In this paper, we focus on off-line approach. We derive a necessary and sufficient condition for an information release policy to ensure strong opacity. We then propose an algorithm to synthesize an information release policy for strong opacity off-line. The computational complexity of the algorithm is also analyzed. We then do the same for weak opacity. Our approach is new and innovative. It is different from the approaches existed in the literature. The results that are most closely related to ours are those published in [6], [7]. The main differences between [6], [7] and this paper are as follows. 1) The definitions of opacity are different. The opacity defined in [6], [7] (and most other papers on opacity) is a special case of our strong opacity. Weak opacity is not discussed in [6], [7]. 2) The mechanisms of control are different. The dynamic mask in [6], [7]requires that if an occurrence of an event is hidden, then it cannot change the state of the dynamic mask. We do not need this assumption. This makes our controller more flexible and realistic. 3) We develop algorithms to solve the maximum information release problem for both strong opacity and weak opacity. Another approach is presented in [22]. Instead of “deleting” occurrences of events as in [6], [7] and this paper, [22] uses insertion function to ensure opacity. This is a very interesting approach but obviously different from our approach. The remaining sections of this paper are organized as follows. Section II introduces the basic notations of discrete event systems and the definitions of opacity. Section III defines maximum information release problem for strong opacity. Section IV presents the off-line solutions to maximum information release problem for strong opacity. Section V tackles the problem of maximum information release problem for
weak opacity. In Section VI, we apply the results to a practical problem, the dining cryptographers problem. II. OPACITY OF DISCRETE EVENT SYSTEMS In this paper, we model a discrete event system by a deterministic automaton [5]
where is the set of state, the set of events, the transition function, and the initial state. The (partial) transition function describes the system dynamics: given states and event , if the execution of from state takes the system to state . Note that is undefined whenever the event cannot be executed from the state . The transition function is extended to in the usual way. We also use to denote the set of transitions: . The behavior of discrete event system is described by the language generated by defined as
where means is defined. Each string in represents a possible execution or trajectory of the system. describes all possible strings that can be generated by the system. A subset of is a language that describes a particular behavior or property of the system. A language is (prefix) closed if any prefix of any string of also belongs to . Opacity is defined with respect to two languages and . Without loss of generality, we assume that and are marked by and respectively [24], that is,
For convenience, we extend lows:
by adding
and
as fol-
To study opacity of discrete event systems, we consider a general observation mapping
is interpreted as follows: If a string of events occurs in the system, an external agent or public will see . The natural projection used in [5], where is a subset of observable events, is a special case of observation mapping. In general, however, can be any observation mapping, not restricted to the natural projection. An observation mapping can be extended from strings to languages as follows. For a language , its mapping is defined as
ZHANG et al.: MAXIMUM INFORMATION RELEASE WHILE ENSURING OPACITY IN DISCRETE EVENT SYSTEMS
For a language
1069
, its inverse mapping is defined as
Two versions of opacities, strong opacity and weak opacity, are defined in [12] as follows. Given two languages , is strongly opaque with respect to and , if
is weakly opaque with respect to
From the above results, we conclude that the key to check and ensure strong or weak opacity is to calculate state estimates. If the observation mapping is the natural projection given by
and , if
Since and are marked by and respectively, we can check strong opacity and weak opacity by calculating state estimates. After observing a string , the state estimate, denoted by , is the set of all possible states that the system may be in. Formally
Proposition 1: if and only if
is strongly opaque with respect to
if if then the state estimates can be obtained by constructing an observer as follows. Suppose that the discrete event system is currently in a set of possible states , then the set of all possible states which the system may visit after observing is denoted by
and In particular, the unobservable reach of
Proof: We show that is not true if and only if opaque with respect to and as follows:
is defined as
The observer is a deterministic automaton is not strongly where
denotes the accessible part and the initial state is the unobservable reach of . Note that a state is a subset of . The transition function is defined, for and , as
If the above set is empty, then is undefined. We extend to in the usual way. State estimates are characterized by the observer as stated in the following proposition. Proposition 3: For the natural projection , the state estimates are given by
Proposition 2: if and only if
is weakly opaque with respect to
Proof: We show that is not true if and only if opaque with respect to and as follows:
and
Proof: See, for example, [20]. With these preparations, we investigate the maximum information release problem for opacity in the rest of the paper. III. MAXIMUM INFORMATION RELEASE PROBLEM STRONG OPACITY
is not weakly
FOR
Let us consider the following situation: The public (or an external agent) requests information of the system. What information can be release to the public is controlled by a controller. The situation is illustrated in Fig. 1. The objective of the controller is to release as much information as possible to the public under the constraint that is strongly opaque with respect to . (We will consider weak opacity in Section V.) The controller can observe the set of observable events .Its control is based on
1070
IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING, VOL. 12, NO. 3, JULY 2015
assume that has a finite implementation finite automaton
. Here,
is a
Fig. 1. Information release to the public.
this observation. Formally, the information release policy implemented by the controller is described by a mapping
When the system generates a string , the controller will see . Its control decision is the set of events whose occurrences will be released to the public (that is, the public knows when the event occurs). Hence, its external observation is described by a mapping
where is the set of states, represents the observable events, the transition function, and the initial state. must satisfy the condition that . is a feedback mapping,
The information release policy from and as follows:
Note that a sufficient condition for such a that is a right-congruence, that is,
is obtained
to exist is
which is defined as follows: If
if if Since the goal is to achieve maximum information release, let us define an order on as follows. Given two information release policies , , we say that if
can be implemented by , we denote it as . For , we can calculate state estimate , which will be abbreviated as in the rest of the paper, as follows. Let
where In other words, that if
releases no less information than
denotes the parallel composition. Note that since
. We say
We now formally state the problem to be solved as follows. Maximum Information Release Problem for Strong Opacity (MIRPSO) Find an information release policy that satisfies the following two conditions. 1) The observation mapping corresponding to ensures strong opacity, that is,
A state of is a pair . The set of events that the public or external agent can observe at state is given by . Replace the transitions in that cannot be observed by the public by as follows:
where
2) For any other information release policy such that , the corresponding observation mapping does not ensure strong opacity, that is,
To make the problem nontrivial, let us assume that if all information is released, then strong opacity is not satisfied. In other words
Note that, if all information is released, that is, for all , , then . To investigate the solution to MIRPSO, we note that, without further constraints, MIRPSO is difficult to solve, because there are simply too many choices for . For practical reasons, we
is a nondeterministic automaton with -transitions. We convert it to a deterministic automaton (observer) as described before:
The state estimates of the public under information release policy can be obtained as follows. Theorem 1: Given an information release policy . After the public observers a string , the state estimate of the public is given by
ZHANG et al.: MAXIMUM INFORMATION RELEASE WHILE ENSURING OPACITY IN DISCRETE EVENT SYSTEMS
1071
Fig. 2. Discrete event system G of Example 1. Fig. 3. Information release policy
Proof: By the definition of
.
, we have
Therefore, we need to prove
We proceed as follows. By the definition of , an event is not observed by the public after if and only if Fig. 4. Parallel composition
Let us denote the definition of only if
if
,
, is replaced by in
Therefore, is replaced by in at is not observed by the public. Since , we have
, at
.
. By if and
if and only is an observer of
Hence
Example 1: Let us consider the system modeled by automaton shown in Fig. 2. The initial state is 1. The event set is and is unobservable (that is, ). We have the following information release policy. Initially, the controller will release the information on the occurrence of . After the controller observes either or , it will release the information as follows. If the last event it observes is , then it will release the information on the occurrences of both and ; if the last event observes is , then it will release the information on the occurrence of only . This information release policy can be implemented by shown in Fig. 3. can be obtained by parallel composition of and as shown in Fig. 4. The states of are pairs . The
Fig. 5. Observer
.
set of events that the public can observe at state is given by . For instance, in state , the information on the occurrence of is released, but not the information on the occurrence of . Therefore, the transitions will be replaced by an -transition in . Similarly, the following two transitions will also be replaced by -transition in and (the event is not observable). Renaming the states as and converting into a deterministic automaton, we obtained shown in Fig. 5,which gives us the state estimates of the public after observing a string. For instance, after observing , the state estimate is {2, 4}; and after observing , the state estimate is {1}. Using observer , we can check whether an information release policy ensures strong opacity as stated in the following theorem. Theorem 2: Consider an information release policy . The corresponding observation mapping ensures strong opacity, that is, , if and only if in the observer ,
to
Proof: By Proposition 1, and if and only if
is strongly opaque with respect
1072
IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING, VOL. 12, NO. 3, JULY 2015
By Theorem 1, we have
Fig. 6. Discrete event system G of Example 2.
Since all states in then
is accessible by the definition of
,
IV. OFF-LINE ALGORITHM FOR MAXIMUM INFORMATION RELEASE FOR STRONG OPACITY In the previous section, we investigate how to check whether a given information release policy ensures strong opacity or not. In this section, we investigate how to design an information release policy for maximum information release while ensures strong opacity using an off-line approach. To do this, we need to make a further assumption on information release policy . We assume that is state-estimate-based, that is, depends only on the current state estimate. Formally, state-estimate-based information release policy means that , that is, is implemented by for some . For two feedback mapping and , define and in the way similar to that for and . It is not difficult to show that for , , 2,
Fig. 7. Observer
Fig. 8. Observer
by
For an information release policy implemented by , we can check whether it ensures strong opacity using Theorem 2. However, since the information release policy is state-estimatebased, there is a simpler way to do the checking, which is as follows. First, we replace the transitions in that cannot be observed by the public by :
where
is a nondeterministic automaton with -transitions. Convert it to a deterministic automaton in the usual way as follows:
Then, we have the following theorem.
.
.
Theorem 3: For an information release policy implemented , automaton is isomorphic to automaton , denoted by
Before we prove Theorem 3, let us first illustrate the result of the theorem in the following example. Example 2: Consider the system modeled by automaton shown in Fig. 6. The initial state is 1. The event set is and is unobservable. The observer can be constructed as shown in Fig. 7. The states are renamed as , , , , and . Let us consider the following state-estimate-based information release policy: The information on the occurrence of event at state will not be released. Therefore, can be obtained by replacing the transition by an -transiton. The observer is constructed as shown in Fig. 8. Let us now construct . First, is obtained by parallel composition between and , which is shown in Fig. 9. Since the information on the occurrence of event at state will not be released, we replace the transitions and by -transiton. The resulting automaton is .
ZHANG et al.: MAXIMUM INFORMATION RELEASE WHILE ENSURING OPACITY IN DISCRETE EVENT SYSTEMS
1073
Proof: The results follow from the definition of Lemma 3: The language generated by
and
.
is given by
Proof: The result is true because, by the definitions of and , we obtain
Fig. 9. Parallel composition
Lemma 4: Let be a nondeterministic automaton with -transitions, then the observer is the minimum-state deterministic automaton such that . Proof: See [3]. Lemma 5: All minimum-state deterministic automata of a given language are isomorphic. Proof: See [23]. Using the above five lemmas, we can now prove Theorem 3 as follows. Proof: By Lemmas 1, 2, and 3, we have
.
By Lemmas 4 and 5, we have
Fig. 10. The observer
.
Finally, we construct the observer as shown in Fig. 10. It is obvious that automaton is isomorphic to . We now prove Theorem 3. The proof requests the following five lemmas. Lemma 1: The language generated by is given by
We can now derive the following simpler condition for an state-estimate-based information release policy to ensure strong opacity. Theorem 4: Consider an state-estimate-based information release policy . The corresponding observation mapping ensures strong opacity, that is, , if and only if in the observer ,
Proof: Because is the observer for information release policy , the state estimate of the public after observing a string is given by
Proof: We can prove
by induction on the length of string . Since an information release policy is described by a mapping , we can define a mapping
of
Since all states in as
is accessible by the definition
as follows: if if The relation between and is as follows. Lemma 2: For any , denotes functional composition. In particular,
, where
Based on the above results, we propose the following algorithm to synthesize a controller that solves the maximum information release problem for strong opacity. The idea is to find all possible information release policies and determine the set of “good policies”. Then find a maximum element in the set of “good policies”. The algorithm is as follows.
1074
IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING, VOL. 12, NO. 3, JULY 2015
Algorithm 1. (Off-line Algorithm for Strong Opacity) Input:
,
Output:
; ,
;
1: with
;
Fig. 11. Observer rence of at state
in Example 3 when information on the occuris released.
;
2: 3:
; , do begin
4: for all policy
with
4.1:
; 4.2: with
Fig. 12. Observer occurrence of at state
;
in Example 3 when all information except the is released.
4.3: if is true, then ; 4.4: End; 5: Find a maximal element in 5.1: Pick
.
;
5.2: Compare it with other policy If
, then set
in
.
;
5.3: Repeat 5.2 until there are no updates for ; 5.4: Set
;
6: End. Since there are at most transitions in the observer , hence there are at most possible policies. We , hence the computational need to check every policies to get complexity is double exponential with respect to the state space of . Note that the maximum control policy is not unique. Algorithm 1 finds one of the maximum policies. In fact, it is not difficult to modify the algorithm so that it can find all maximum policies. However, since we do not assign costs to information release, it is not meaningful to discuss which maximum policy is the best. Theorem 5: The state-estimate-based information release obtained in Algorithm policy 1 is a solution to the maximum information release problem for strong opacity. , the information release policy Proof: Since obtained in Algorithm 1 is state-estimate-based. By Step 4.3, the condition
is satisfied. By Theorem 4, any information release policy obtained in Algorithm 1 ensures strong opacity, that is, . The information release policy obtained in Algorithm 1 is maximum because Step 5 compares it with all the other policies to ensure it is maximal. Example 3: Let us consider the same discrete event system as in Example 2 (shown in Fig. 6). We assume that and are marked by and respectively. From the observer shown in Fig. 7, we conclude that, if all information is released, then is not strongly opaque with respect to , because in , but . Therefore, to ensure opacity, some information must be withheld. Let us use algorithm 1 to find a maximum information release policy as follows. 1) Construct the observer as shown in Fig. 7. 2) Let . 3) We find a policy in which we release information on the occurrence of at state , that is, , then the corresponding is shown in Fig. 11. From Fig. 11, it is clear that strong opacity is satisfied. However, the information release is not maximum because more information can be released. Using Algorithm 1, we can find the following maximum information release policy. Release all information except the occurrence of at state . The corresponding is shown in Fig. 12. By Theorem 4, the information release policy ensures strong opacity. It is also maximum because adding the occurrence of at state will violate strong opacity. V. MAXIMUM INFORMATION RELEASE FOR WEAK OPACITY Starting from this section, we consider weak opacity. Therefore, the objective of the controller is to release as much information as possible to the public under the constraint that is weakly opaque with respect to . Formally, we want to solve the following problem.
ZHANG et al.: MAXIMUM INFORMATION RELEASE WHILE ENSURING OPACITY IN DISCRETE EVENT SYSTEMS
Maximum Information Release Problem for Weak Opacity (MIRPWO) Find an information release policy that satisfies the following two conditions. 1) The observation mapping corresponding to ensures weak opacity, that is,
1075
mapping ensures weak opacity, that is, if and only if in the observer
, , then
Proof: Because is the observer for information release policy , the state estimate of the public after observing a string is given by
2) For any other information release policy such that , the corresponding observation mapping does not ensure weak opacity, that is, of
Since all states in ,
are accessible by the definition
To make the problem nontrivial, let us assume that if all information is released, then weak opacity is not satisfied, that is,
As before, we assume that the information release policy has a finite implementation , that is, . By Proposition 2 and Theorem 1, we have the following necessary and sufficient condition for an information release policy to ensure weak opacity. Theorem 6: Consider an information release policy . The corresponding observation mapping ensures weak opacity, that is, , if and only if in the observer ,
Using Theorem 7, the following algorithm can be used to synthesize a controller with the information release policy that solves the maximum information release problem for weak opacity. Algorithm 2. (Off-Line Algorithm for Weak Opacity) Input:
,
Output:
; ,
;
1: with
; ;
2: to
Proof: By Proposition 2, and if and only if
is weakly opaque with respect
;
3:
, do begin
4: for all policy
with
4.1: By Theorem 1, we have ; 4.2: with
; 4.3: if is true, then Since all states in
is accessible by the definition of
;
, 4.4: End;
5: Find a maximal element in 5.1: Pick
.
;
5.2: Compare it with other policy As in the case of strong opacity, if an information release policy is implemented by , then automaton and are isomorphic: . Therefore, we have the following theorem. Theorem 7: Consider a state-estimate-based information release policy . The corresponding observation
If
, then set
in
.
;
5.3: Repeat 5.2 until there are no updates for ; 5.4: Set 6: End.
;
1076
IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING, VOL. 12, NO. 3, JULY 2015
Fig. 13. Observer the occurrence of the event
of Example 3 when all the information except at state is released.
The same as Algorithm 1, the computational complexity of Algorithm 2 is also double exponential. Theorem 8: The state-estimate-based information release policy obtained in Algorithm 2 is a solution to the maximum information release problem for weak opacity. Proof: Since , the information release policy obtained in Algorithm 2 is state-estimate-based. By Step 4.3, the condition
is satisfied. By Theorem 7, the information release policy obtained in Algorithm 2 ensures weak opacity, that is, . The information release policy obtained in Algorithm 2 is maximum because the algorithm checks all the other policies to ensure it is maximal. Example 4: Let us consider the same discrete event system as in Example 2 (shown in Fig. 6). We assume that and are marked by and respectively. Using Algorithm 2, we first calculate the observer as shown in Fig. 7. We then find a policy in which we add all the events into , except the occurrence of the event at state . The corresponding is shown in Fig. 13. For this , we have is true. Hence, the controller can release all the information except the occurrence of the event at state while ensuring week opacity. Clearly, this policy is maximal.
Fig. 14. Dining cryptographers topology.
Such a protocol is proposed in [8] as follows. After the dinner, each cryptographer flips an unbiased coin behind his menu, between him and the cryptographer on his left, so that only the two of them can see the outcome as shown in Fig. 14. The can see only the and , the can see only and , and the can see only the and . Each cryptographer will then say agree or disagree based on the sides of the coins. If a cryptographer is not paying, he will state disagree if the tow sides are not the same and agree if they are. If a cryptographer is paying, he will state the opposite. If the number of disagrees is even then the boss is paying. Otherwise, one of the cryptographers is paying. However, no one except the payer knows who is paying. To model the dining cryptographers as a discrete event system, we designate the following events (see [1]). the event that the 2, 3.
is paying, for
the event that the , 2, 3.
is not paying, for
the event that the , 2, 3.
states agree, for
the event that the , 2, 3.
states disagree, for
VI. DINING CRYPTOGRAPHERS PROBLEM
the event that the outcome of the
is a head.
As an example and application, we consider the Dining Cryptographers Problem. The problem is proposed in [8]and can be described as follows. Three cryptographers have a dinner at a round table as shown in Fig. 14. The expense will be paid by either one of the cryptographers or by their boss, who is not present at the table. The mechanism of deciding who will pay the dinner is unmodelled and unknown. Each cryptographer will be informed privately whether he needs to pay or not. A protocol is designed to achieve the following objectives: 1) if one of the cryptographers is paying, then he wants to remain anonymous (strong opacity) and 2) if their boss is paying, then all three cryptographers want to know this fact (not weakly opaque, that is, totally transparent).
the event that the outcome of the
is a tail.
,
Therefore, the event set is
The complete behavior (all possible strings) of the system without protocol is given by the automaton in Fig. 15. The set of events that are observable to is given by
The correspondence observation mapping is denoted by are defined similarly.
.
ZHANG et al.: MAXIMUM INFORMATION RELEASE WHILE ENSURING OPACITY IN DISCRETE EVENT SYSTEMS
Fig. 15. Dining cryptographers automaton
is not paying.
Fig. 17.
is paying.
.
Under the protocol, the behavior of cryptographer when he is not the payer is described by language . The automaton for is shown in Fig. 16. The languages , and their automata can be defined similarly. The behavior of when he is the payer under the protocol is described by language . The automaton for is shown in Fig. 17. The languages and their automata can be defined similarly. In [1], the protocol is verified using strong opacity and no opacity as follows. We show that if no cryptographer is paying, then all three cryptographers know. In other words, the language (no cryptographer is paying) is not opaque with respect to (one of cryptographer is paying) and , , 2, 3, that is,
We also show that if nor In other words, for strongly opaque with respect to with respect to , that is,
Fig. 16.
1077
is paying, then neither knows who is the payer. (with respect to ), is and is strongly opaque
In the remainder of this paper, we solve the following problem using maximum information release for strong opacity. If is paying, what is the maximal information that can be released to such that does not know who ( or ) is paying. To formalize this problem as an information release problem for strong opacity, let , , and . Then the extended is shown in Fig. 18,
1078
Fig. 18. Extended
IEEE TRANSACTIONS ON AUTOMATION SCIENCE AND ENGINEERING, VOL. 12, NO. 3, JULY 2015
.
Fig. 19.
with no information released.
Fig. 20.
with
released.
where not all states are shown. For simplicity, only the parts relevant to and are shown. Since , , , and . The condition is obviously satisfied. Furthermore, we have . Applying Algorithm 1, we can calculate different information release policies. Three policies are listed below. Policy 1: We release no information, that is, cannot see any event. In this case, is shown in Fig. 19, which has only one state. Clearly, holds. Policy 2: The information on the occurrences of is release to , then is shown in Fig. 20. It is easy to check that is satisfied. In the same manner, we can show that all transitions from the bottom, up to but not including can be released to . Policy 3: We release the information on the occurrences of to , then is shown in Fig. 21. At the state after , the condition
Fig. 21. to
with the information released on the occurrences of .
is not satisfied. Hence the information on the occurrences of cannot be released. Similarly, we can show that the information on the occurrences of cannot be released. The above results show that we can actually synthesize the set of events observable to systematically using our theory. VII. CONCLUSION In this paper, we investigated the Maximum Information Release Problem for Strong Opacity and Weak Opacity. The main contributions of the paper are as follows: 1) we defined a control mechanism for information release; 2) we found a necessary and sufficient condition for a controller to ensure strong opacity; 3) we formulated the maximum information release problem for strong opacity; 4) we developed an algorithm to solve the maximum information release problem for strong opacity; 5) we found a necessary and sufficient condition for a controller
ZHANG et al.: MAXIMUM INFORMATION RELEASE WHILE ENSURING OPACITY IN DISCRETE EVENT SYSTEMS
to ensure weak opacity; 6) we formulated the maximum information release problem for weak opacity; 7) we developed an algorithm to solve the maximum information release problem for weak opacity; and 8) we showed that the dining cryptographers problem can be solved using the results of this paper. For the future work, we note that Algorithms 1 and 2 are rather complex in computation. They are both double exponential. Since online algorithms do not need to calculate all the policies for all the observable event sequences at one time, much less computational complexity is expected. In the future, we will investigate online algorithms to calculate the maximal information release policy.
ACKNOWLEDGMENT The authors would like to thank an anonymous reviewer for pointing out mistakes in Algorithms 1 and 2 in an early version of the paper.
REFERENCES [1] M. Ben-Kalefa and F. Lin, “Opaque superlanguages and sublanguages in discrete event systems,” in Proc. 48th IEEE Conf. Decision and Control, 2009, pp. 199–204. [2] “Supervisory control for opacity of discrete event systems,” in Proc. 49th Annu. Allerton Conf. Commun., Control, Computing, , 2011, 1992, pp. 1113–1119. [3] A. Briiggemann-Klein and D. Wood, “Deterministic regular language,” Lecture Notes in Comput. Sci., vol. 577, pp. 173–182, 1992. [4] J. W. Bryans, M. Koutny, L. Mazare, and P. Y. A. Ryan, “Opacity generalised to transition systems,” in Proc. FAST 2005, LNCS 2860, 2006, pp. 81–95. [5] C. G. Cassandras and S. Lafortune, Introduction to Discrete Event Systems. Berlin, Germany: Springer, 2008. [6] F. Cassez, J. Dubreil, and H. Marchand, “Dynamic observers for the synthesis of opaque systems,” in Proc. ATVA 2009, LNCS 5799, 2009, pp. 352–367. [7] F. Cassez, J. Dubreil, and H. Marchand, “Synthesis of opaque system with static and dynamic masks,” Formal Methods in System Design, vol. 40, pp. 88–115, 2012. [8] D. Chaum, “The dining cryptographers problem: Unconditional sender and recipient untraceabilitym,” J. Cryptology, vol. 1, pp. 65–75, 1988. [9] J. Dubreil, P. Darondeau, and H. Marchand, “Opacity enforcing control synthesis,” in Proc. 9th Int. Workshop Discrete Event Syst., 2008, pp. 28–35. [10] J. Dubreil, P. Darondeau, and H. Marchand, “Supervisory control for opacity,” IEEE Trans. Autom. Control, vol. 55, no. 5, pp. 1089–1100, May 2010. [11] M. Heymann and F. Lin, “On-line control of partially observed discrete event systems,” Discrete Event Dynamic Syst.: Theory and Applications, vol. 4, no. 3, pp. 221–236, 1994. [12] F. Lin, “Opacity of discrete event systems and its applications,” Automatica, vol. 47, pp. 496–503, 2011. [13] F. Lin and W. M. Wonham, “On observability of discrete-event systems,” Inf. Sci., vol. 44, pp. 173–198, 1988. [14] M. K. Reiter and A. D. Rubin, “Crowds: Anonymity for Web transactions,” ACM Trans. Inf. Syst. Security, vol. 1, no. 1, pp. 66–92, 1998. [15] A. Saboori and C. Hadjicostis, “Notions of security and opacity in discrete event systems,” in Proc. 46th IEEE Conf. Decision and Control, 2007, pp. 5056–5061. [16] A. Saboori and C. Hadjicostis, “Verification of initial-state opacity in security applications of DES,” in Proc. 9th Int. Workshop on Discrete Event Syst., 2008, pp. 328–333. [17] A. Saboori and C. Hadjicostis, “Verification of infinite-step opacity and complexity considerations,” IEEE Trans. Autom. Control, vol. 57, no. 5, pp. 1265–1269, May 2012.
1079
[18] A. Saboori and C. Hadjicostis, “Opacity-enforcing supervisory strategies via state estimator constructions,” IEEE Trans. Autom. Control, vol. 57, no. 5, pp. 1155–1165, May 2012. [19] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D. Teneketzis, “Diagnosability of discrete event systems,” IEEE Trans. Autom. Control, vol. 40, no. 9, pp. 1555–1575, Sep. 1995. [20] S. Shu and F. Lin, “Detectability of discrete event systems with dynamic event observation,” Syst. Control Lett., vol. 59, no. 1, pp. 9–17, 2010. [21] S. Shu and F. Lin, “Online sensor activation for detectability of discrete event systems,” IEEE Trans. Autom. Sci. Eng., vol. 10, no. 2, pp. 457–461, Feb. 2013. [22] Y. Wu and S. Lafortune, “Enforcement of opacity properties using insertion functions,” in Proc. 51st IEEE Conf. Decision and Control, 2012, pp. 6722–6728. [23] R. T. Yeh, “Structural equivalence of automata,” Math. Syst. Theory, vol. 4, no. 2, pp. 405–412, 1970. [24] B. Zhang, S. Shu, and F. Lin, “Polynomial algorithm to check opacity in discrete event system,” in Proc. 24th Chinese Control Decision Conf., , 2012, 2006, pp. 763–769. Bo Zhang was born in Gansu, China, in 1983. He received the B.Eng. degree in electrical engineering and M.Eng in control theory and control engineering from Lanzhou Jiao-Tong University, Lanzhou, China, in 2006 and 2010, respectively. He is currently working toward the Ph.D. degree in control theory and control engineering at Tongji University, Shanghai, China. From October, 2011 to October, 2012, he was a Visiting Scholar at Wayne State University, Detroit, MI, USA. His research interests include discrete-event systems, embedded system, computer control, can-bus and their applications.
Shaolong Shu (M’12) was born in Hubei, China, in 1980. He received the B.Eng. degree in automatic control and Ph.D. degree in control theory and control engineering from Tongji University, Shanghai, China, in 2003 and 2008, respectively. From August 2007 to February 2008, he was a Visiting Scholar at Wayne State University, Detroit, MI, USA. Since July, 2008, He has been with the School of Electronics and Information Engineering, Tongji University, Shanghai, China, where he is currently an Associate Professor. His main research interests include state event estimation and control of discrete event systems.
Feng Lin (S'85–M'88–SM'07–F'09) received the B.Eng. degree from Shanghai Jiao-Tong University, Shanghai, China, in 1982, and the M.A.Sc. and Ph.D. degrees from the University of Toronto, Toronto, ON, Canada, in 1984 and 1988, respectively, all in electrical engineering. From 1987 to 1988, he was a Postdoctoral Fellow with Harvard University, Cambridge, MA, USA. Since 1988, he has been with the Department of Electrical and Computer Engineering, Wayne State University, Detroit, MI, USA, where he is currently a Professor. His research interests include discrete-event systems, hybrid systems, robust control, and their applications in alternative energy, biomedical systems, and automotive control. He is the author of a book entitled Robust Control Design: An Optimal Control Approach (Wiley, 2007). He was a consultant for GM, Ford, Hitachi and other auto companies. Dr. Lin was corecipient of a George Axelby outstanding paper award from the IEEE Control Systems Society. He was also a recipient of a research initiation award from the National Science Foundation, an outstanding teaching award from Wayne State University, a faculty research award from ANR Pipeline Company, and a research award from Ford. He was an associate editor of the IEEE TRANSACTIONS ON AUTOMATIC CONTROL.
