Verification of Opacity Under a K-Delay Orwellian Observation Mechanism

Abstract

Opacity, an important property of the information flow in discrete-event systems (DESs), characterizes whether the secret information in a system is ambiguous to a passive observer (called an intruder). Observation models play a critical role in the analysis of opacity. In this paper, instead of adopting a fully static observation model or a fully dynamic observation model, we use a novel Orwellian-type observation model to study the verification of the current-state opacity (CSO), where the observability of an unobservable event can be re-interpreted once certain/several specific conditions are met. First, a K-delay Orwellian observation mechanism (KOOM) is proposed as a novel Orwellian-type observation mechanism for extending the existing Orwellian projection. The main characteristics of the KOOM are delaying the inevitable information release and narrowing the release range for historical information to protect the secrets in a system to a greater extent than with the existing Orwellian projection. Second, we formulate the definitions of standard and strong CSO under the KOOM. Finally, we address the verification problem for these two types of opacity by constructing two novel information structures called a standard K-delay verifier and a strong K-delay verifier, respectively. An analysis of the computational complexity and illustrative examples are also presented for the proposed results. Overall, the proposed notions of standard and strong CSO under the KOOM capture the security privacy requirements regarding a delayed release in applications, such as intelligent transportation systems, etc.

1. Introduction

Nowadays, concerns about privacy and information security are becoming increasingly prominent in cyber-physical systems, where undefendable malicious intrusions or physical-layer failures may lead to inevitable releases of information through the information flow. Opacity, one of the properties of information flow, portrays the ability of a system to make a secret in a system absolutely ambiguous to an intruder. The notion of opacity first appeared in [1] and was extended to labeled transition systems in [2,3] afterward. Since then, for different security and privacy requirements, multifarious notions of opacity have been proposed and investigated in discrete-event systems (DESs).

The underlying observation model is essential to modeling and analyzing opacity properties. The work in [3] first systematically summarized the three types of observation models as shown in

Table 1. Three types of observation models summarized in [3].

Observation Model Type	Assumption	Observation for Events
static	–	fixed at any time
dynamic	an intruder has potentially infinite memory	determined by the prefixes of actions observed so far
Orwellian	an intruder has potentially infinite memory	determined by both the prefixes and subsequent actions

. Lots of work on opacity uses static observation models, including current-state opacity (CSO) [4], initial-state opacity [5], initial-and-final-state opacity [6], K-step opacity [7,8], infinite-step opacity [9], pre-opacity [10], etc. Recently, to characterize higher-level security and privacy requirements, various strong versions of the aforementioned opacity have been studied in [11,12,13,14], including strong current-state opacity (SCSO), strong initial-state opacity, strong K-step opacity, and strong infinite-step opacity. Opacity properties are also categorized into state-based opacity [15] and language-based opacity [16] depending on the secret information defined in terms of states or event sequences [3]. It has been shown that regular language-based opacity, CSO, initial-state opacity, and initial-and-final-state opacity can be reduced to each other in polynomial time [6,17]. The enforcement of opacity can be considered if a system violates opacity. The studies in [18,19,20,21] report various techniques for opacity enforcement. Moreover, opacity has been investigated in various models, including Petri nets [3,22], stochastic DESs [23], and networked DESs [24]. For details, refer to the survey paper [25] and the references therein. In terms of the dynamic observation models used to study opacity, the authors in [26,27] considered the maximum information release and the synthesis of dynamic masks to ensure opacity, respectively.

In this paper, we take an interest in the above-mentioned Orwellian-type observation model. In [28,29,30], the authors adopt the Orwellian-type observation model to study the opacity properties under various security requirements. The Orwellian-type observation model characterizes the capability of an intruder to re-interpret previous actions with subsequent knowledge. Compared with the general Orwellian-type observation model, the m-Orwellian observation model restricts the last memory of the observer from infinity to a bounded value m [3]. Therefore, a static observation model can be regarded as a 1-Orwellian observation model. Both dynamic and m-Orwellian observation models are special cases of Orwellian-type observation models.

The work in [29] formally formulates a class of Orwellian observation functions called the Orwellian projection by introducing downgrading events. As the Orwellian projection defines, once a downgrading event happens, the intruder is given access to observing the whole trajectory. However, the release of historical information might be delayed for some time in a generalized context, rather than becoming immediately available after the occurrence of a downgrading event. The reason for this delay is that a system may need to prioritize emergency response tasks to avoid the immediate release of historical information, which could lead to information overload and thus affect the system’s stability and response efficiency. Once the delay has ended, the specific historical information is inevitably released/disclosed. In this case, the release range for the historical information covers the trajectory before the downgrading event, rather than the entire trajectory, where the downgrading event is first triggered and then followed by the run after the completed delay. 

For instance, within a traffic accident processing unit in intelligent transportation systems, the occurrence of a traffic accident can be viewed as a downgrading event that leads to the release of the historical information from prior to this traffic accident. The historical information may include information such as vehicle tracks, driver behavior, driver identities, etc. When an intelligent transportation system detects a traffic accident, it will prioritize the activation of emergency responses, such as notifying emergency centers and adjusting traffic signals, instead of immediately releasing historical information from prior to the accident. The historical information from before the accident is not released until certain emergency responses are completed. The delayed release also avoids letting an intruder know the historical information prematurely such that an intruder’s uncertainty about the state of the system will increase to meet the security and privacy requirements. The existing Orwellian projection cannot fully capture this general scenario with delays.

To characterize the Orwellian projection in a more general setting, we propose in this particular research a new Orwellian-type observation model named a K-delay Orwellian observation mechanism (KOOM) by relaxing the conditions in the Orwellian projection [29]. The critical features of the KOOM are delaying the timing of the inevitable information release until K observations are finished after a downgrading event occurs and narrowing the release range of the historical information so as to protect the secrets in the system to a greater extent than the Orwellian projection.

In this paper, we propose a generalized Orwellian-type observation model and study the verification of standard (For convenience, the notion originally referred to CSO in [4] is renamed standard CSO in this paper.) and strong CSO under this newly proposed observation mechanism. Specifically, we summarize the main contributions of this research as follows.

• We propose a novel Orwellian-type observation model called a K-delay Orwellian observation mechanism, which is a generalization of the traditional Orwellian projection [29]. In particular, the Orwellian projection is equivalent tp the proposed KOOM projection when $K=0$.
• We formulate the two notions of standard and strong CSO under the KOOM to characterize the different abilities of a system to hide secret information from an intruder even if some of the strings generated by the system are inevitably disclosed.
• To verify these two opacity notions under the KOOM, we construct two information structures called a standard K-delay verifier and a strong K-delay verifier, respectively. Based on the constructed information structures, necessary and sufficient conditions are provided to verify standard and strong CSO under the KOOM separately.

The remainder of this paper is structured as follows. The preliminaries used in this paper are presented in Section 2. Section 3 touches upon standard CSO under the KOOM and addresses its verification problem based on the constructed standard K-delay verifier. Section 4 focuses on strong CSO under the KOOM along with its verification using the designed strong K-delay verifier. Finally, Section 5 concludes this paper.

2. Preliminaries

2.1. The System Model

A deterministic finite-state automaton (DFA) is a quadruple

$$G=(X,\Sigma ,\delta ,x_0),$$

(1)

where

• X is a finite set of states;
• $\Sigma$ is a finite set of events;
• $\delta :X\times \Sigma \to X$ is the (partial) transition function, which characterizes the dynamics of G: $y=\delta (x,\sigma )$, which denotes that a transition exists, labeled by event $\sigma$ reaching state y from state x; 
• $x_0\in X$ is the initial state.

• The transition function can be extended to $\delta :X\times {\Sigma }^{*}\to X$ in the usual manner to describe the multi-step dynamic behavior of the system:
• (1) $\delta (x,ϵ)=x$;
• (2) $\delta (x,s\sigma )=\delta (\delta (x,s),\sigma )\mathrm{for}x\in X,s\in {\Sigma }^{*}, \mathrm{and}\sigma \in \Sigma$, where ${\Sigma }^{*}$ is the set of all finite strings over $\Sigma$, including the empty string $ϵ$. For any string $s={\sigma }_1{\sigma }_2\dots {\sigma }_n\in {\Sigma }^{*}$, we use $\left|s\right|$ to denote the length of the string s, i.e., $\left|s\right|=n$ and $\left|ϵ\right|=0$. The notation $Last\left(s\right)$ denotes the last event of the string s, i.e., $Last\left(s\right)={\sigma }_n$. The string $\overline{s}\in {\Sigma }^{*}$ is a prefix of $s\in {\Sigma }^{*}$ if $t\in {\Sigma }^{*}$ exists such that $s=\overline{s}t$, which is denoted by $\overline{s}⪯s$. We write $\delta (x,\sigma )!$ if $\delta (x,\sigma )$ is defined. $\mathcal{L}(G,x)$ is used to denote the language generated by G from the state x, i.e., $\mathcal{L}(G,x)=\{s\in {\Sigma }^{*}|\delta (x,s)!\}$. In this paper, we call an element of $\mathcal{L}(G,x_0)$ an internal string of system G. Consider the string $s={\sigma }_1{\sigma }_2\dots {\sigma }_n\in \mathcal{L}(G,x)$. We call $x\stackrel{{\sigma }_1}{\to }{x}_1\stackrel{{\sigma }_2}{\to }{x}_2\stackrel{{\sigma }_3}{\to }\dots \stackrel{{\sigma }_n}{\to }{x}_n$ a run of system G, which can be abbreviated as $x\stackrel{s}{\to }{x}_n$. In particular, if $s=ϵ$, then $x\stackrel{ϵ}{\to }x$ is called an empty run of G, as referred to in more detail in [31]. An illustrative example is provided to understand these concepts better.

Example 1.

Consider the system G, a DFA, as shown in Figure 1. The state set is $X=\{0,1,2,3,4,5\}$, and the event set is $\Sigma =\{a,h,u\}$. The initial state is $x_0=0$. The state transition includes $\delta (0,a)=1$, $\delta (1,u)=2$, $\delta (2,h)=3$, $\delta (3,u)=4$, $\delta (4,h)=5$, and $\delta (5,a)=5$. Let us take the internal string $s=auh\in \mathcal{L}(G,x_0)$ for instance, whose length is $\left|s\right|=3$ and $Last\left(s\right)=h$. Obviously, $\overline{s}=a$ is a prefix of the string s, denoted by $a\prec s$. The run $0\stackrel{a}{\to }1\stackrel{u}{\to }2\stackrel{h}{\to }3$ can be abbreviated as $0\stackrel{auh}{\to }5$.

2.2. The K-Delay Orwellian Observation Mechanism

In [29], the authors propose the notion of downgrading events in DESs. As usual, the event set $\Sigma$ is divided into two disjoint subsets ${\Sigma }_o$ and ${\Sigma }_{uo}$, denoting the set of observable events and the set of events that are initially unobservable, respectively. The notation ${\Sigma }_d\subseteq {\Sigma }_o$ is used to denote the set of downgrading events. In the evolution of a system, some events in ${\Sigma }_{uo}$ dynamically become observable upon the occurrence of a downgrading event in ${\Sigma }_d$. The Orwellian projection [29] is a mapping ${\pi }_{o,d}:{\Sigma }^{*}\to {\Sigma }^{*}$ defined by ${\pi }_{o,d}\left(ϵ\right)=ϵ \mathrm{and}$

$${\pi }_{o,d}\left(s\sigma \right)=\left\{\begin{array}{cc}s\sigma ,\hfill & \mathrm{if}\sigma \in {\Sigma }_d,\hfill \\ {\pi }_{o,d}\left(s\right)\sigma ,\hfill & \mathrm{if}\sigma \in {\Sigma }_o\setminus {\Sigma }_d,\hfill \\ {\pi }_{o,d}\left(s\right),\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

where $s\in {\Sigma }^{*}\mathrm{and}\sigma \in \Sigma$.

Let $\tilde{\Sigma }\subseteq \Sigma$. The projection operator $P_{\tilde{\Sigma }}:{\Sigma }^{*}\to {\tilde{\Sigma }}^{*}$ is recursively defined by $P_{\tilde{\Sigma }}\left(ϵ\right)=ϵ \mathrm{and}$

$$P_{\tilde{\Sigma }}\left(s\sigma \right)=\left\{\begin{array}{cc}{P}_{\tilde{\Sigma }}\left(s\right)\sigma ,\hfill & \mathrm{if}\sigma \in \tilde{\Sigma },\hfill \\ P_{\tilde{\Sigma }}\left(s\right),\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

where $s\in {\Sigma }^{*}\mathrm{and}\sigma \in \Sigma$.

Based on the above discussions, we now introduce a K-delay Orwellian observation mechanism (KOOM) projection. Let the event set $\Sigma$ be divided into two disjoint subsets ${\Sigma }_o$ and ${\Sigma }_{uo}$, i.e., $\Sigma ={\Sigma }_o\dot{\cup }{\Sigma }_{uo}$, where ${\Sigma }_o={\Sigma }_d\dot{\cup }{\Sigma }_{nd}$ is the set of observable events with ${\Sigma }_d$ being the set of downgrading events and ${\Sigma }_{nd}$ being that of observable events that are not downgrading. ${\Sigma }_{uo}$ is the set of events that are initially unobservable. However, some events in ${\Sigma }_{uo}$ may become observable, depending not only on the occurrence of a downgrading event but also the number of observable events followed by this downgrading event. Let the string $s={\omega }_1{d}_1\dots {\omega }_n{d}_n{\omega }_{n+1}\in {\Sigma }^{*}$, where ${\omega }_1,{\omega }_2,\dots ,{\omega }_{n+1}\in {({\Sigma }_{nd}\cup {\Sigma }_{uo})}^{*}$, $d_1,d_2,\dots ,d_n\in {\Sigma }_d$, and ${𝓁}_i\left(s\right)=\left|P_{{\Sigma }_o}({\omega }_i{d}_i\dots {\omega }_{n+1})\right|$. Given $K\in \mathbb{N}$ ($\mathbb{N}$ is the set of non-negative integers.), the KOOM projection $R_K:{\Sigma }^{*}\to {\Sigma }^{*}$ is defined by

$$R_K\left(s\right)=\left\{\begin{array}{c}{P}_{{\Sigma }_o}\left(s\right),\mathrm{if}s\in {({\Sigma }_{nd}\cup {\Sigma }_{uo})}^{*}\mathrm{or}{𝓁}_2\left(s\right)<K,\hfill \\ {\omega }_1{d}_1\dots {\omega }_j{d}_j{P}_{{\Sigma }_o}({\omega }_{j+1}{d}_{j+1}\dots {\omega }_{n+1}),\mathrm{otherwise}.\hfill \end{array}\right.$$

(2)

where $j=max\left\{k\right|{𝓁}_k\left(s\right)\ge K\}-1$.

According to the above definition, the proposed KOOM projection is an extension of the Orwellian projection in [29]. Specifically, the Orwellian projection is equivalent to the KOOM projection when $K=0$. In the Orwellian projection, once a downgrading event $\sigma \in {\Sigma }_d$ occurs, the intruder is allowed to observe the whole trajectory. Thus, the intruder can immediately and accurately discover the current state. However, in the proposed KOOM projection, the historical information is not released immediately once a downgrading event occurs but only when K observations have followed this downgrading event. In this case, the range of the inevitable information release is narrowed down to the trajectory before the downgrading event. We use a simple numerical example in

Table 2. A simple numerical example of the KOOM projection of the string s.

String s	${\mathit{R}}_0\left(\mathit{s}\right)$	${\mathit{R}}_1\left(\mathit{s}\right)$	${\mathit{R}}_2\left(\mathit{s}\right)$
a	a	a	a
$au$	a	a	a
$auh$	$auh$	$ah$	$ah$
$auhu$	$auh$	$ah$	$ah$
$auhuh$	$auhuh$	$auhh$	$ahh$

to show how the parameter K impacts the KOOM projection of the string s, where $a,h\in {\Sigma }_o$, $h\in {\Sigma }_d$, and $u\in {\Sigma }_{uo}$. From the table, one can see that the release of the same previous information occurs later as K becomes larger, which provides a degree of protection against premature access to the system information by intruders.

There are several differences between the KOOM and DIRM. First, the observability of the so-called “downgrading event” under the KOOM projection differs from the “release event” in the DIRM projection. Specifically, an event $\sigma \in {\Sigma }_d$ is always observable in the KOOM projection. However, in the DIRM projection, an event $\sigma \in {\Sigma }_r$ (${\Sigma }_r$ is a set of events that may not be immediately observable but can be released later.) is released and observable simultaneously until the system reaches a release state $x\in X_r$ ($X_r$ is a set of states where the events in ${\Sigma }_r$ that have occurred can be released). Second, different information is released under the KOOM and DIRM. The former releases the information in ${\Sigma }_{uo}$, while the latter releases the information in ${\Sigma }_r$. Third, the timing of the information release is also different. The KOOM depends on the occurrence of a downgrading event $\sigma \in {\Sigma }_d$ and the value of K, while the DIRM is determined by the arrival of a release state $x\in X_r$. In other words, the KOOM projection is both trajectory-dependent and K-dependent, while the DIRM projection is solely state-dependent. Next, we illustrate the KOOM projection defined by Equation (2) through an example.

Example 2.

Consider the system G shown in Figure 1, where ${\Sigma }_o=\{a,h\}$, ${\Sigma }_{uo}=\left\{u\right\}$, and ${\Sigma }_d=\left\{h\right\}$. Write $s=auhuh$ as $s={\omega }_1{d}_1{\omega }_2{d}_2{\omega }_3$, where ${\omega }_1=au$, $d_1=h$, ${\omega }_2=u$, $d_2=h$, and ${\omega }_3=ϵ$. We can obtain ${𝓁}_2\left(s\right)=\left|P_{{\Sigma }_o}\left(uhϵ\right)\right|=1$ and ${𝓁}_3\left(s\right)=\left|P_{{\Sigma }_o}\left(ϵ\right)\right|=0$. When $K=0$, the KOOM projection of the string s is $R_0\left(s\right)={\omega }_1{d}_1{\omega }_2{d}_2{P}_{{\Sigma }_o}\left({\omega }_3\right)=auhuh{P}_{{\Sigma }_o}\left(ϵ\right)=auhuh$, which is consistent with the Orwellian projection of string $s=auhuh$. Comparatively, when $K=1$, the KOOM projection of the string s corresponds to the second case in Equation (2). We have $R_1\left(s\right)={\omega }_1{d}_1{P}_{{\Sigma }_o}\left({\omega }_2{d}_2{\omega }_3\right)=auh{P}_{{\Sigma }_o}\left(uh\right)=auhh$.

3. Standard Current-State Opacity Under the KOOM

Weak CSO [32], standard CSO [4], and strong CSO [14] have been investigated in the literature. In this paper, we only focus on standard and strong CSO. This section formally defines standard CSO under the KOOM for a system. And then, we propose a standard K-delay verifier, a new information structure, to address its verification.

3.1. Standard Current-State Opacity Under the KOOM

In [29], the authors generalized opacity to the Orwellian projection in a language-based setting. The Orwellian projection requires the whole trajectory to be completely disclosed once a downgrading event $\sigma \in {\Sigma }_d$ appears, which discloses certain internal strings from the system immediately and weakens the ability of the system to protect secrets. As a generalization of the Orwellian projection, the proposed KOOM projection enhances the ability to protect the system to some extent since it delays the inevitable information release and restricts the range of the information released. Now, to portray the security and privacy requirements that the secret of a system should be ambiguous to an intruder when the release of information from inside the system is delayed, we extend the opacity under the Orwellian projection to the KOOM projection and formulate the standard CSO under the KOOM as follows.

Definition 1.

Given the system $G=(X,\Sigma ,\delta ,x_0)$ with the set ${\Sigma }_o$ of observable events, the set ${\Sigma }_{uo}$, the set ${\Sigma }_d$ of downgrading events, the set $S\subseteq X$ of secret states, and a KOOM projection $R_K$ with $K\in \mathbb{N}$, G is said to be standardly current-state opaque with relation to S and $R_K$ if for any string $s\in \mathcal{L}(G,x_0)$ such that $\delta (x_0,s)\in S$, the following holds:

$$(\exists t\in \mathcal{L}(G,x_0))[\delta (x_0,t)\notin S\wedge R_K\left(t\right)=R_K\left(s\right)].$$

Remark 1.

The relationship between standard CSO under the natural projection defined in [4] and standard CSO under the KOOM projection presented in Definition 1 is as follows. If a system G satisfies standard CSO under KOOM projections, then G also satisfies standard CSO under natural projections, but not vice versa.

Note that the standard CSO in Definition 1 requires the secret in the system to remain ambiguous to an intruder, though some internal strings may inevitably be released. When $K=0$, Definition 1 reduces to the standard CSO under the Orwellian projection [29]. Obviously, based on the KOOM projection, a system exposes less information under the KOOM than it does under Orwellian projection. Therefore, it is possible for G to satisfy standard CSO with relation S and $R_{K>0}$ but not standard CSO with relation to S and $R_{K=0}$. It is trivially true that G satisfies standard CSO with relation to S and $R_{K>0}$ if G satisfies standard CSO with relation to S and $R_{K=0}$. Now, let us consider a simple example.

Example 3.

Consider a traffic accident processing unit in an intelligent transportation system, as shown in Figure 2. As seen, this unit can be modeled using a DFA G, as shown in Figure 3. The specific meanings of all events and all states are listed in

Table 3. List of notations used for the subsequent verifier construction.

Event	Meanings of Events	State	Meanings of States
a	abnormal vehicle trajectory detected	0	the initial state of the system
b	notification of the emergency center	1	an abnormal state in terms of road conditions
c	the road conditions are back to normal	2	an abnormal state in terms of the vehicle trajectory
d	the vehicle’s trajectory is back to normal	3	an abnormal state in terms of the vehicle’s trajectory (based on abnormal road conditions)
h	a traffic accident is detected	4	an abnormal state in terms of road conditions (based on an abnormal vehicle trajectory)
u	abnormal road conditions are detected	5	car accident state
v	adjustment of the signal lights	6	the car drives off the road
		7	notification sent to the emergency center
		8	notification sent to the emergency center
		9	abnormal road conditions after notification
		10	a normal state

.

Case 1: Let $K=0$. Set the accident state 5 as the secret state, i.e., $S=\left\{5\right\}$. When a traffic accident is detected, the historical information from prior to the accident is immediately released, i.e., the release of the internal string “$uah$" is simultaneously triggered and truly released at the state 5. An intruder can accurately determine at the current moment that the system is in the secret accident state 5. G does not satisfy standard CSO with relation to $S=\left\{5\right\}$ and $R_{K=0}$ since the string $s=uah$ is the exclusive string that has the KOOM projection $R_0\left(uah\right)=uah$ and reaches the secret state 5. Comparatively, if $S=\left\{7\right\}$, then G satisfies standard CSO with relation to $S=\left\{7\right\}$ and $R_{K=0}$. For the string $s^{\prime }=uahb$ reaching the secret state 7, we can find another string $t^{\prime }=uahbu$ reaching the non-secret state 9 such that $R_0\left(t^{\prime }\right)=R_0\left(s^{\prime }\right)=uahb$.

Case 2: Let $K=1$. If $S=\left\{5\right\}$, when a traffic accident is detected, the system prioritizes notifying emergency centers, to prevent the immediate release of historical information, which may result in information overload, before releasing the historical information from prior to the accident; i.e., the release of the internal string “$uah$" is triggered at state 5 while it is truly released at state 7. G is standard current-state opaque with relation to $S=\left\{5\right\}$ and $R_{K=1}$ since a string $t=auh$ exists such that $R_1\left(t\right)=R_1\left(s\right)=ah$ reaches the non-secret state 6. This means that an intruder cannot infer whether the system is in a secret accident state 5 currently. Compared with the situation in Case 1, one sees that the delayed release also increases the uncertainty of the intruder’s estimation of the system state by not letting the intruder know the historical information prematurely. If $S=\left\{7\right\}$, a string $t^{\prime }=uahbu$ also exists such that $R_1\left(t^{\prime }\right)=R_1\left(s^{\prime }\right)=uahb$ reaches the non-secret state 9, suggesting that the intruder remains unsure about whether G is in a secret state even though the internal strings “$uah$" and “$auh$" of the system have been released. Thus, G satisfies standard CSO with relation to $S=\left\{7\right\}$ and $R_{K=1}$.

3.2. Verification of Standard Current-State Opacity Under the KOOM

To verify standard CSO under KOOM, some concepts and symbols used thereafter are introduced. Given a system $G=(X,\Sigma ,\delta ,x_0)$ and a non-negative integer $K\in \mathbb{N}$, let

$$X_T=\{x_t\in X|\exists x\in X,\exists \sigma \in {\Sigma }_d:\delta (x,\sigma )=x_t\}$$

be the set of trigger states. If a state $x_t\in X_T$, a string $s\in \mathcal{L}(G,x_t)$, and a state $x\in X$ exist such that $\delta (x_t,s)=x$, $|P_{{\Sigma }_o}\left(s\right)|=K$, and $Last\left(s\right)\in {\Sigma }_o\cup \left\{ϵ\right\}$, then $x_t\stackrel{s}{\to }x$ is said to be a K-delay run. The set

$$\Gamma =\left\{\begin{array}{c}(x_t,s,x)|\begin{array}{c}\exists x_t\in X_T,\exists s\in \mathcal{L}(G,x_t),\exists x\in X:\\ \delta (x_t,s)=x\wedge \left|P_{{\Sigma }_o}\left(s\right)\right|=K\wedge Last\left(s\right)\in {\Sigma }_o\cup \left\{ϵ\right\}\end{array}\end{array}\right\}$$

collects all triples for the starting states, K-delay strings, and final states of all K-delay runs under all trigger states of the system G. Let the string $s={\sigma }_1{\sigma }_2\dots {\sigma }_n\in {\Sigma }^{*}$. If $x_1\stackrel{{\sigma }_1}{\to }{x}_2\stackrel{{\sigma }_2}{\to }\dots \stackrel{{\sigma }_n}{\to }{x}_{n+1}$ is a K-delay run of G, and $x_i\stackrel{{\sigma }_i}{\to }{x}_{i+1}$ is called a 1-length sub-K-delay run for all $i=1,2,\dots ,n$. Additionally, the unobservable reach of set $q\in 2^X$ is defined by

$$UR\left(q\right)=\{x^{\prime }\in X|\exists x\in q,\exists s\in {\Sigma }_{uo}^{*}:\delta (x,s)=x^{\prime }\}.$$

The current-state estimates of a string $s\in \mathcal{L}(G,x_0)$ under the KOOM are defined by

$${\widehat{X}}_K\left(s\right)=\left\{\begin{array}{cc}{x}^{\prime }\in X|& \begin{array}{c}\exists t\in \mathcal{L}(G,x_0):\delta (x_0,t)=x^{\prime }\wedge R_K\left(s\right)=R_K\left(t\right)\end{array}\end{array}\right\}.$$

Note that there are two types of observations under the KOOM in G when an event $\sigma \in {\Sigma }_o$ occurs:

• The normal instant observation: This observation can be obtained when the conditions for the release of the KOOM are not fulfilled at this instant;
• The specific release observation: This observation can be obtained when the specific historical information (the internal string) is released, which implies that the conditions for the release of the KOOM are fulfilled simultaneously.

Example 4.

Consider again the DFA G shown in Figure 3. Let $K=0$. Suppose that G is currently at state 0. If event a occurs, then the intruder can obtain the normal instant observation “a". Comparatively, assume that G is now at state 3. If event h occurs, then the intruder can obtain the observation “$uah$", which is the specific release observation. Concurrent with the occurrence of the event h, the internal string $"uah"$ satisfies the release condition and is exposed.

We consider the evolution of a set of states $q\in 2^X$ under normal instant observations. If the conditions for the release of the KOOM are not fulfilled when an event $\sigma \in {\Sigma }_o$ occurs, then the set of states reached instantly with relation to q and $\sigma \in {\Sigma }_o$ is defined by

$$\widehat{Q}(q,\sigma )=\{\tilde{x}\in X|\exists x\in q:\delta (x,\sigma )=\tilde{x}\wedge \sigma \in {\Sigma }_o\}.$$

We now turn to the state estimates under specific release observations. First, the definition of the release position is given.

Definition 2.

Given a system $G=(X,\Sigma ,\delta ,x_0)$ with the set of observable events ${\Sigma }_o$, the set of downgrading events ${\Sigma }_d$, and a KOOM projection $R_K$ with $K\in \mathbb{N}$, let Γ be the set of triples of all K-delay runs. State x is said to be the release position with relation to $(x_t,s,x)\in \Gamma$ if state x is reached from a trigger state $x_t$ with a string $s\in \mathcal{L}(G,x_t)$ such that $(x_t,s,x)\in \Gamma$.

By definition, the conditions for the release of the KOOM are fulfilled once state x, the release position with relation to $(x_t,s,x)\in \Gamma$, is reached. In this case, the state estimate of the instant at which state x is reached is defined by

$$\overline{Q}(x_t,s,x)=\left\{\begin{array}{cc}\tilde{x}\in X|& \begin{array}{c}\exists t\in \mathcal{L}(G,x_t):\delta (x_t,t)=\tilde{x}\wedge P_{{\Sigma }_o}\left(t\right)=P_{{\Sigma }_o}\left(s\right)\end{array}\end{array}\right\}.$$

Recalling the above introduction of the notations related to verifying standard CSO under the KOOM, we summarize them in a table for greater clarity, as shown in

Table 4. The list of notations used for the subsequent verifier construction.

Notation	Meanings
$X_T$	set of trigger states
$\Gamma$	set of all K-delay runs
$UR\left(q\right)$	unobservable reach of q
${\widehat{X}}_K\left(s\right)$	current-state estimates of string s under KOOM
$UR\left(\widehat{Q}(q,\sigma )\right)$	state estimates under the normal instant observation
$\overline{Q}(x_t,s,x)$	state estimates under the specific release observation

.

Now, we concentrate on the computation of current-state estimates under the KOOM. The computation of current-state estimates under specific release observations is challenging and critical, where determining the release position accurately plays an important role. To accurately capture the release position and avoid a situation where the same state may have different properties when reached using different strings, we use a binary label $l\in \{N,R\}$ to denote that certain internal string will be released inevitably at some future instant if $l=R$ and $l=N$ otherwise. Note that the conventional observer cannot characterize the state estimates accurately under the KOOM. To this end, we construct a standard K-delay verifier, which is a novel information structure, as well as a DFA

$$V_K=(Q,\Sigma ,f,q_0)$$

(3)

where

• $Q:X\times \{N,R\}\times 2^X$ is a set of states.
• $\Sigma$ is a finite set of events.
• $q_0=(x_0,N,UR\left(\left\{x_0\right\}\right))$ is the initial state of $V_K$.
• $f:Q\times \Sigma \to Q$ is the (partial) transition function, defined as follows: For any $q=(x,l,\tilde{q})\in Q$ with $l\in \{N,R\}$ and $\sigma \in \Sigma$, $f(q,\sigma )$ is defined if and only if $\delta (x,\sigma )$ is defined. Further, we have $f((x,l,\tilde{q}),\sigma )=(x^{\prime },l^{\prime },\widetilde{q^{\prime }})$ if $f(q,\sigma )$ is defined, where

  $$\begin{array}{cc}& x^{\prime }=\delta (x,\sigma ),\hfill \\ \\ & l^{\prime }=\left\{\begin{array}{cc}R,\hfill & \mathrm{if}\sigma \in {\Sigma }_d \mathrm{or} x\stackrel{\sigma }{\to }{x}^{\prime }\mathrm{is} \mathrm{a} 1\text{-}\mathrm{length}\hfill \\ & \mathrm{sub}\text{-}K\text{-}\mathrm{delay} \mathrm{run},\hfill \\ N,\hfill & \mathrm{otherwise}.\hfill \end{array}\right.\hfill \\ \\ & \widetilde{q^{\prime }}=\left\{\begin{array}{cc}\tilde{q},\hfill & \mathrm{if}\sigma \in {\Sigma }_{uo},\hfill \\ \overline{Q}(x_t,s,x^{\prime }),\hfill & \mathrm{if}{x}^{\prime }\mathrm{is} \mathrm{the} \mathrm{release} \mathrm{position} \mathrm{with} \mathrm{relation} \mathrm{to}(x_t,s,x^{\prime })\in \Gamma ,\hfill \\ UR\left(\widehat{Q}(\tilde{q},\sigma )\right),\hfill & \mathrm{otherwise}.\hfill \end{array}\right.\hfill \end{array}$$

The form of any state in $V_K$ is $q=(x,l,\tilde{q})$, where the left component is the actual state of system G while the right component is the current-state estimate under the KOOM, as is shown later. The middle component is the binary label. The left, middle, and right components of any state $q\in Q$ are denoted as $L\left(q\right)$, $M\left(q\right)$, and $R\left(q\right)$, respectively. Next, we illustrate the construction of the standard K-delay verifier $V_K$ for a system G.

Example 5.

Reconsider system G shown in Figure 3. When $K=0$, the standard 0-delay verifier $V_{K=0}$ for G is shown in Figure 4. We illustrate the construction of $V_{K=0}$. The set $\Gamma =\left\{\right(5,ϵ,5),(6,ϵ,6\left)\right\}$ can be obtained from G and $K=0$. The initial state is $q_0=(0,N,\{0,1\})$ according to $UR\left(\right\{0\left\}\right)=\{0,1\}$.

If the event $"a"$ occurs at the initial state $q_0=(0,N,\{0,1\})$, we have $f(q_0,a)=(2,N,\{2,3,4\})$. Specifically, the left part is updated to $2=\delta (0,a)$. Since $a\notin {\Sigma }_d$ holds and $0\stackrel{a}{\to }2$ is not a 1-length sub-K-delay run, the middle part is still $"N"$. The right part is updated to $UR\left(\widehat{Q}(\{0,1\},a)\right)=\{2,3,4\}$ on account of $a\notin {\Sigma }_{uo}$ and state 2 not being a release position.

If the event $"u"$ occurs at the state $(2,N,\{2,3,4\left\}\right)$, the left component becomes $4=\delta (2,u)$. The middle component remains $"N"$ since $u\notin {\Sigma }_d$ holds and $2\stackrel{u}{\to }4$ is not a 1-length sub-K-delay run. The right component also stays unchanged thanks to $u\in {\Sigma }_{uo}$.

For the string $"auh"$, the left part is updated to $6=\delta (4,h)$. Due to $h\in {\Sigma }_d$ and $K=0$, one can see that state 6 is the release position with relation to $(6,ϵ,6)$. Thus, the middle component becomes $"R"$, and the right component is updated to $\overline{Q}(6,ϵ,6)=\left\{6\right\}$.

Now, we show that the right component of a state $q\in Q$ in the verifier $V_K=(Q,\Sigma ,f,q_0)$ can capture the current-state estimates of G under the KOOM.

Proposition 1.

Let $V_K=(Q,\Sigma ,f,q_0)$ be the standard K-delay verifier of system $G=(X,\Sigma ,\delta ,x_0)$. It holds

$$\forall s\in \mathcal{L}(G,x_0):R\left(f(q_0,s)\right)={\widehat{X}}_K\left(s\right).$$

Proof. 

We use mathematical induction on the length of the string s to prove this. The basis step: Assume that $\left|s\right|=0$, which implies that $s=ϵ$ and $R_K\left(ϵ\right)=ϵ$ hold. We have

$${\widehat{X}}_K\left(ϵ\right)=\left\{\begin{array}{c}{x}^{\prime }\in X|\begin{array}{c}\exists t\in \mathcal{L}(G,x_0):\delta (x_0,t)=x^{\prime }\wedge R_K\left(t\right)=ϵ\end{array}\end{array}\right\}.$$

According to the definition of $UR$ and the fact that $x_0$ is included in both ${\widehat{X}}_K\left(ϵ\right)$ and $UR\left(\left\{x_0\right\}\right)$, one has ${\widehat{X}}_K\left(ϵ\right)=UR\left(\left\{x_0\right\}\right)$; i.e., the basis holds.

The induction step: Suppose that $R\left(f(q_0,s)\right)={\widehat{X}}_K\left(s\right)$ for all strings $s\in \mathcal{L}(G,x_0)$ with $\left|s\right|=k$. Next, consider $s\sigma \in \mathcal{L}(G,x_0)$ for the following two cases, where $\sigma \in \Sigma$.

Case 1: State $\delta (x_0,s\sigma )$ is not a release position.

In this case, if $\sigma \in {\Sigma }_o$,

$$\begin{array}{cc}\hfill {\widehat{X}}_K\left(s\sigma \right)& =\left\{\begin{array}{c}\delta (x_0,s^{\prime })|s^{\prime }\in \mathcal{L}(G,x_0)\wedge R_K\left(s^{\prime }\right)=R_K\left(s\sigma \right)\end{array}\right\}\hfill \\ \hfill & =\left\{\begin{array}{c}\delta (x_0,s^{\prime })|\begin{array}{c}{s}^{\prime }=t\sigma {\sigma }_1\dots {\sigma }_n\in \mathcal{L}(G,x_0)\wedge \\ R_K\left(t\right)=R_K\left(s\right)\wedge {\sigma }_1\dots {\sigma }_n\in {\Sigma }_{uo}^{*}\end{array}\end{array}\right\}\hfill \\ \hfill & =\left\{\begin{array}{c}\delta (x,\sigma \omega )|\begin{array}{c}\omega ={\sigma }_1\dots {\sigma }_n\wedge x\in {\widehat{X}}_K\left(s\right)\wedge {\sigma }_1\dots {\sigma }_n\in {\Sigma }_{uo}^{*}\end{array}\end{array}\right\}\hfill \\ \hfill & =\left\{\begin{array}{c}\delta (x^{\prime },\omega )|\begin{array}{c}\omega ={\sigma }_1\dots {\sigma }_n\wedge x^{\prime }\in \widehat{Q}({\widehat{X}}_K\left(s\right),\sigma )\wedge {\sigma }_1\dots {\sigma }_n\in {\Sigma }_{uo}^{*}\end{array}\end{array}\right\}\hfill \\ \hfill & =UR\left(\widehat{Q}({\widehat{X}}_K\left(s\right),\sigma )\right).\hfill \end{array}$$

According to the definition of $\widetilde{q^{\prime }}$ and $R\left(f(q_0,s)\right)={\widehat{X}}_K\left(s\right)$, we have

$$R\left(f(q_0,s\sigma )\right)=UR\left(\widehat{Q}(R\left(f(q_0,s)\right),\sigma )\right)=UR\left(\widehat{Q}({\widehat{X}}_K\left(s\right),\sigma )\right)={\widehat{X}}_K\left(s\sigma \right).$$

If $\sigma \in {\Sigma }_{uo}$, then we have $R_K\left(s\sigma \right)=R_K\left(s\right)$, which implies ${\widehat{X}}_K\left(s\sigma \right)={\widehat{X}}_K\left(s\right)$. Thus, it holds that $R\left(f(q_0,s\sigma )\right)=R\left(f(q_0,s)\right)={\widehat{X}}_K\left(s\right)={\widehat{X}}_K\left(s\sigma \right).$

Case 2: State $\delta (x_0,s\sigma )$ is the release position with relation to $(x_t,v,\delta (x_0,s\sigma ))\in \Gamma$. In this case, we have either $\sigma \in {\Sigma }_o$ or $\sigma =ϵ$. If $\sigma \in {\Sigma }_o$,

$$\begin{array}{cc}\hfill {\widehat{X}}_K\left(s\sigma \right)& =\left\{\begin{array}{c}\delta (x_0,s^{\prime })|s^{\prime }\in \mathcal{L}(G,x_0)\wedge R_K\left(s^{\prime }\right)=R_K\left(s\sigma \right)\end{array}\right\}\hfill \\ \hfill & =\left\{\begin{array}{c}\delta (x_0,s^{\prime })|\begin{array}{c}\exists p\in \mathcal{L}(G,x_t):\delta (x_t,p)=\delta (x_0,s^{\prime })\wedge P_{{\Sigma }_o}\left(v\right)=P_{{\Sigma }_o}\left(p\right)\end{array}\end{array}\right\}\hfill \\ \hfill & =\overline{Q}(x_t,v,\delta (x_0,s\sigma )).\hfill \end{array}$$

If $\sigma =ϵ$, ${\widehat{X}}_K\left(s\sigma \right)=\overline{Q}(x_t,v,\delta (x_0,s\sigma ))$ is automatically true. Then, we have $R\left(f(q_0,s\sigma )\right)=\overline{Q}(x_t,v,\delta (x_0,s\sigma ))={\widehat{X}}_K\left(s\sigma \right).$    □

Remark 2.

Compared with the current-state estimates under normal instant observations, the specific release observations make the current-state estimates under the KOOM more accurate. This means that for a state $q^{\prime }=(x^{\prime },l^{\prime },\widetilde{q^{\prime }})\in Q$ in $V_K$ such that $f((x,l,\tilde{q}),\sigma )=q^{\prime }$ and $x^{\prime }$ is the release position with relation to $(x_t,s,x^{\prime })\in \Gamma$, we have $\widetilde{q^{\prime }}=\overline{Q}(x_t,s,x^{\prime })\subseteq UR\left(\widehat{Q}(\tilde{q},\sigma )\right)$.

Next, we provide the main result on the verification of standard CSO under the KOOM based on the constructed standard K-delay verifier $V_K$.

Theorem 1.

Given the system $G=(X,\Sigma ,\delta ,x_0)$, let $V_K=(Q,\Sigma ,f,q_0)$ be its standard K-delay verifier. G is standardly current-state opaque with relation to S and $R_K$ if and only if

$$\forall q\in Q:R\left(q\right)\cap S\ne \varnothing \Rightarrow R\left(q\right)\cap (X\setminus S)\ne \varnothing .$$

(4)

Proof. 

(if) Assume that condition (4) holds. Through the construction of $V_K$ and $\mathcal{L}(G,x_0)=\mathcal{L}(V_K,q_0)$, a state $x_{\alpha }\in R\left(q\right)\cap S$ (resp. $x_{\beta }\in R\left(q\right)\cap (X\setminus S)$) exists such that $\delta (x_0,s)=x_{\alpha }\in S$ (resp. $\delta (x_0,t)=x_{\beta }\notin S$) from $R\left(q\right)\cap S\ne \varnothing$ (resp. $R\left(q\right)\cap (X\setminus S)\ne \varnothing$). According to Proposition 1, a string $\omega \in \mathcal{L}(G,x_0)$ should exist to satisfy $R\left(q\right)={\widehat{X}}_K\left(\omega \right)$. Thus, we have $x_{\alpha },x_{\beta }\in {\widehat{X}}_K\left(\omega \right)$ and $R_K\left(s\right)=R_K\left(t\right)$. Since $q\in Q$ is arbitrary, $s\in \mathcal{L}(G,x_0)$ is also arbitrary. Therefore, we conclude that G satisfies standard CSO with relation to S and $R_K$.

(only if) Assume that G is standardly current-state opaque with relation to S and $R_K$. According to Definition 1, for any string $s\in \mathcal{L}(G,x_0)$ reaching a secret state, at least one string $t\in \mathcal{L}(G,x_0)$ should exist to reach a non-secret state and satisfy $R_K\left(t\right)$ = $R_K\left(s\right)$. Consequently, we have $\delta (x_0,s)=x_{\alpha }\in S$ and $\delta (x_0,t)=x_{\beta }\in (X\setminus S)$. According to the definition of current-state estimates under the KOOM, one has $x_{\alpha },x_{\beta }\in {\widehat{X}}_K\left(s\right)$. By Proposition 1 and $\mathcal{L}(G,x_0)=\mathcal{L}(V_K,q_0)$, a state $q=f(q_0,s)\in Q$ should exist to satisfy $R\left(q\right)={\widehat{X}}_K\left(s\right)$. Thus, we have $x_{\alpha },x_{\beta }\in R\left(q\right)$, leading to the truth of the predicate $R\left(q\right)\cap S\ne \varnothing \Rightarrow R\left(q\right)\cap (X\setminus S)\ne \varnothing$. In addition, the arbitrariness of $s\in \mathcal{L}(G,x_0)$ determines that $q\in Q$ is arbitrary. Therefore, condition (4) holds.    □

According to Theorem 1, we summarize an algorithm for verifying standard CSO under the KOOM as shown in Algorithm 1.

Algorithm 1 Verification of standard CSO under the KOOM

Require:  A DES $G=(X,\Sigma ,\delta ,x_0),{\Sigma }_o,{\Sigma }_{uo},{\Sigma }_d\subseteq \Sigma ,S\subseteq X$, and $K\in \mathbb{N}$. Ensure:  “YES” if G satisfies standard CSO with relation to S and $R_K$, and “NO” otherwise 1: Construct the standard K-delay verifier $V_K$ for G 2: for  $q\in Q$  do 3:        if $R\left(q\right)\cap S\ne \varnothing$ then 4:              if $R\left(q\right)\cap (X\setminus S)=\varnothing$ then 5:              return “NO” 6:              end if 7:        end if 8: end for 9: return “YES”

We analyze the computational complexity of using a standard K-delay verifier to verify the standard CSO under the KOOM. The maximum numbers of states and transitions in a standard K-delay verifier are $2·\left|X\right|·2^{\left|X\right|}$ and $2·|\Sigma |·\left|X\right|·2^{\left|X\right|}$, respectively. Thus, the complexity of line 1 is $\mathcal{O}\left(\right|\Sigma \left|\right|X\left|2^{\left|X\right|}\right)$. For lines 2–9, we can use “the Breadth-First Search Algorithm", whose complexity is polynomial. Consequently, the overall complexity is single-exponential in the size of the system G; i.e., $\mathcal{O}\left(\right|\Sigma \left|\right|X\left|2^{\left|X\right|}\right)$.

Example 6.

Reconsider system G in Example 3. Its standard K-delay verifiers $V_{K=0}$ and $V_{K=1}$ are shown in Figure 4 and Figure 5, respectively.

Case 1: $K=0$. If $S=\left\{5\right\}$, a state $q=(5,R,\{5\left\}\right)\in Q$ in $V_{K=0}$ exists such that $R\left(q\right)\cap S=\left\{5\right\}\ne \varnothing$ but $R\left(q\right)\cap (X\setminus S)=\varnothing$, which contradicts Theorem 1. Therefore, G does not satisfy standard CSO with relation to $S=\left\{5\right\}$ and $R_{K=0}$. If $S=\left\{7\right\}$, then G becomes opaque with relation to $S=\left\{7\right\}$ and $R_{K=0}$ since for any $q\in Q$ in $V_{K=0}$, $R\left(q\right)\cap (X\setminus S)\ne \varnothing$ always holds if $R\left(q\right)\cap S\ne \varnothing$.

Case 2: $K=1$. G satisfies standard CSO with relation to $S=\left\{5\right\}$ (resp. $S=\left\{7\right\}$) and $R_{K=1}$. Since for all $q\in Q$ in $V_{K=1}$, $R\left(q\right)\cap (X\setminus S)\ne \varnothing$ always holds if $R\left(q\right)\cap S\ne \varnothing$ whenever either $S=\left\{5\right\}$ or $S=\left\{7\right\}$. The verification results for Cases 1 and 2 are consistent with Example 3.

4. Strong Current-State Opacity Under the KOOM

In this section, we deal with SCSO under the KOOM and verify it. The properties of the proposed standard and strong CSO under the KOOM are articulated in detail.

To facilitate the description of the paths in SCSO, we define secret and non-secret paths. Given the system $G=(X,\Sigma ,\delta ,x_0)$ with $S\subseteq X$ being the set of secret states, let $x_0\stackrel{{\sigma }_1}{\to }{x}_1\stackrel{{\sigma }_2}{\to }{x}_2\stackrel{{\sigma }_3}{\to }\dots \stackrel{{\sigma }_n}{\to }{x}_n$ be a run of G. If $x_n\in S$, then string s is said to be a secret path of G. If $x_i\in (X\setminus S)$ for all $i=0,1,\dots ,n$, then string s is called a non-secret path of G.

4.1. Strong Current-State Opacity Under KOOM

For higher-level security and privacy requirements, a more rigorous opacity notion called SCSO is proposed under the natural projection, which is a stronger version of the standard CSO. Specifically, SCSO under the natural projection requires that for any secret path, a non-secret path that is indistinguishable from the secret path from an intruder’s perspective and that never enters any secret state should exist. Inspired by SCSO under the natural projection, we extend SCSO to the KOOM projection to characterize the higher security and privacy requirements than those with the standard CSO under the KOOM.

Definition 3.

Given system $G=(X,\Sigma ,\delta ,x_0)$ with a set ${\Sigma }_o$ of observable events, set ${\Sigma }_{uo}$, a set ${\Sigma }_d$ of downgrading events, a set $S\subseteq X$ of secret states, and a KOOM projection $R_K$ with $K\in \mathbb{N}$, G is said to be strongly current-state opaque with relation to S and $R_K$ if for any string $s\in \mathcal{L}(G,x_0)$ such that $\delta (x_0,s)\in S$, the following holds:

$$(\exists t\in \mathcal{L}(G,x_0))[R_K\left(t\right)=R_K\left(s\right)\wedge (\forall \overline{t}⪯t)\delta (x_0,\overline{t})\notin S].$$

The SCSO under the KOOM demands that even if some internal strings of a system are released to an intruder, for any secret path, i.e., a string generated by G from the initial state and capable of reaching a secret state, a non-secret path should exist, i.e., the string generated by G from the initial state that never passes through any secret state, that looks the same as the secret path under the KOOM projection to guarantee that the secret in the system is absolutely ambiguous. Obviously, according to Definitions 1 and 3, the SCSO is stronger than the standard CSO under the KOOM. In other words, if G satisfies SCSO with relation to S and $R_K$, then G satisfies standard CSO with relation to S and $R_K$, but not vice versa. A simple example is provided to illustrate this scenario.

Example 7.

Reconsider the system G shown in Figure 3. Assume that $S=\left\{7\right\}$. When $K=1$, according to Example 3, G satisfies standard CSO under the KOOM. However, G does not satisfy SCSO with relation to $S=\left\{7\right\}$ and $R_{K=1}$ since for the secret path $s=uahb$, a non-secret path that has the same KOOM projection as $s=uahb$ does not exist.

When $K=2$, for the secret path $s=uahb$, we can find a non-secret path $t=auhb$ that makes $R_2\left(s\right)=R_2\left(t\right)=ahb$ hold. According to Definition 3 (resp., Definition 1), G satisfies strong (resp., standard) CSO with relation to $S=\left\{7\right\}$ and $R_{K=2}$.

4.2. Verification of Strong Current-State Opacity Under the KOOM

To capture all non-secret paths of the system G, we construct a new DFA called a non-secret subautomaton $G_{ns}$, which is derived from G by deleting all secret states and all transitions attached to them. Formally,

$$G_{ns}=(X_{ns},{\Sigma }_{ns},{\delta }_{ns},x_{ns,0}),$$

(5)

where

• $X_{ns}\subseteq (X\setminus S)$ is a set of non-secret states;
• ${\Sigma }_{ns}=\{\sigma \in \Sigma |\exists x,x^{\prime }\in X_{ns}:x^{\prime }=\delta (x,\sigma )\}\subseteq \Sigma$ is a set of events;
• ${\delta }_{ns}:X_{ns}\times {\Sigma }_{ns}\to X_{ns}$ is the (partial) transition function, defined by us having $x^{\prime }={\delta }_{ns}(x,\sigma )$ if $x^{\prime }=\delta (x,\sigma )$ for all $x,x^{\prime }\in X_{ns}$ and all $\sigma \in {\Sigma }_{ns}$; 
• $x_{ns,0}=x_0\in (X\setminus S)$ (Note that, if $x_0\in S$, then $G_{ns}$ does not exist.) is the initial state.

Note that ${\Sigma }_{ns}={\Sigma }_{ns,o}\dot{\cup }{\Sigma }_{ns,uo}$, where ${\Sigma }_{ns,o}={\Sigma }_{ns,d}\dot{\cup }{\Sigma }_{ns,nd}$ is the set of observable events with ${\Sigma }_{ns,d}={\Sigma }_{ns}\cap {\Sigma }_d$ being the set of downgrading events and ${\Sigma }_{ns,nd}={\Sigma }_{ns}\cap {\Sigma }_{nd}$ being the set of observable events that are not downgrading. In particular, ${\Sigma }_{ns,o}={\Sigma }_{ns}\cap {\Sigma }_o$. ${\Sigma }_{ns,uo}={\Sigma }_{ns}\cap {\Sigma }_{uo}$ is the set of events that are initially unobservable. Since $G_{ns}$ is a subautomaton of G, we have $\mathcal{L}(G_{ns},x_{ns,0})\subseteq \mathcal{L}(G,x_0)$. The unobservable reach of set $q\in 2^{X_{ns}}$ in $G_{ns}$ is defined by

$${UR}^N\left(q\right)=\{x^{\prime }\in X_{ns}|\exists x\in q,\exists s\in {\Sigma }_{ns,uo}^{*}:{\delta }_{ns}(x,s)=x^{\prime }\}.$$

In addition, the non-secret current-state estimates of a string $s\in \mathcal{L}(G,x_0)$ under the KOOM are defined by

$${\widehat{X}}_{ns}^K\left(s\right)=\left\{\begin{array}{cc}{x}^{\prime }\in X_{ns}|& \begin{array}{c}\exists t\in \mathcal{L}(G_{ns},x_{ns,0}):{\delta }_{ns}(x_{ns,0},t)=x^{\prime }\wedge R_K\left(t\right)=R_K\left(s\right)\end{array}\end{array}\right\}.$$

Now, we consider how a set of non-secret states $q\in 2^{X_{ns}}$ evolves under normal instant observations. When an event $\sigma \in {\Sigma }_o$ occurs, if the conditions for the release of the KOOM are not met, then the set of non-secret states reached instantly with relation to q and $\sigma \in {\Sigma }_o$ is defined as

$${\widehat{Q}}_s(q,\sigma )=\{\overline{x}\in X_{ns}|\exists x\in q:{\delta }_{ns}(x,\sigma )=\overline{x}\wedge \sigma \in {\Sigma }_o\}.$$

Then, we discuss the acquisition of the non-secret state estimates under specific release observations. Assume that the system G reaches state x which is the release position with relation to $(x_t,s,x)\in \Gamma$. Then, the set of non-secret state estimates of the instant at which state x is reached is defined by

$${\overline{Q}}_s(x_t,s,x)=\left\{\begin{array}{cc}\overline{x}\in X_{ns}|& \begin{array}{c}\exists t\in \mathcal{L}(G_{ns},x_t):{\delta }_{ns}(x_t,t)=\overline{x}\wedge P_{{\Sigma }_o}\left(t\right)=P_{{\Sigma }_o}\left(s\right)\end{array}\end{array}\right\}.$$

To verify SCSO under the KOOM, we construct a new DFA called a strong K-delay verifier $V_K^S$. The binary label $l\in \{N,R\}$ is also used here to capture the release positions more accurately. Formally,

$$V_K^S=(Q^S,\Sigma ,f^S,q_0^S),$$

(6)

where

• $Q^S:X\times \{N,R\}\times 2^{X_{ns}}$ is a set of states;
• $\Sigma$ is a finite set of events;
• $q_0^S=(x_0,N,U{R}^N\left(\left\{x_{ns,0}\right\}\right))$ is the initial state;
• $f^S:Q^S\times \Sigma \to Q^S$ is the (partial) transition function, defined by us having $f^S(q_s,\sigma )$ defined if and only if $\delta (x,\sigma )$ is defined for any $q_s=(x,l,{\tilde{q}}_s)\in Q^S$ with $l\in \{N,R\}$ and $\sigma \in \Sigma$.
  Further, we have $f^S((x,l,{\tilde{q}}_s),\sigma )=(x^{\prime },l^{\prime },\widetilde{q_s^{\prime }})$ if $f^S(q_s,\sigma )$ is defined, where

  $$\begin{array}{cc}& x^{\prime }=\delta (x,\sigma )\hfill \\ \\ & l^{\prime }=\left\{\begin{array}{cc}R,\hfill & \mathrm{if}\sigma \in {\Sigma }_d \mathrm{or} x\stackrel{\sigma }{\to }{x}^{\prime } \mathrm{is} \mathrm{a}1\text{-}\mathrm{length}\hfill \\ & \mathrm{sub}\text{-}K\text{-}\mathrm{delay} \mathrm{run};\hfill \\ N,\hfill & \mathrm{otherwise}.\hfill \end{array}\right.\hfill \\ \\ & \widetilde{q_s^{\prime }}=\left\{\begin{array}{cc}{\tilde{q}}_s,\hfill & \mathrm{if}\sigma \in {\Sigma }_{uo};\hfill \\ {\overline{Q}}_s(x_t,s,x^{\prime }),\hfill & \mathrm{if}{x}^{\prime } \mathrm{is} \mathrm{the} \mathrm{release} \mathrm{position} \mathrm{with} \mathrm{relation} \mathrm{to} (x_t,s,x^{\prime })\in \Gamma ;\hfill \\ U{R}^N\left({\widehat{Q}}_s(\widetilde{q_s},\sigma )\right),\hfill & \mathrm{otherwise}.\hfill \end{array}\right.\hfill \end{array}$$

The notations $L\left(q_s\right)$ and $R\left(q_s\right)$ are used to denote the left and right components of $q_s\in Q^S$, respectively. The middle component is the binary label. The left component $L\left(q_s\right)$ describes the state of the system G, while the right component $R\left(q_s\right)$ captures the non-secret current-state estimates that are all the non-secret states reached by non-secret paths. For any state $(x,l,{\tilde{q}}_s)\in Q^S$, the intruder has access to the non-secret current-state estimates ${\tilde{q}}_s$ reached through non-secret paths that have the same KOOM projection as the string reaching the state x. Note that if the initial state of a system is a secret state, i.e., $x_0\in S$, then the strong K-delay verifier will not exist. Naturally, one concludes that this system does not satisfy SCSO under the KOOM. The following example illustrates the details of the construction of the strong K-delay verifier for a system G.

Example 8.

Consider the DFA G shown in Figure 3. Assume that $S=\left\{7\right\}$ and $K=1$. The non-secret subautomaton $G_{ns}$ and the strong 1-delay verifier $V_{K=1}^S$ are shown in Figure 6. We have $\Gamma =\left\{\right(5,b,7),(6,b,8\left)\right\}$ according to G and $K=1$. The initial state of $V_{K=1}^S$ is $q_0^S=(0,N,\{0,1\})$.

If the event $"u"$ occurs at the initial state, we have $f^S(q_0^S,u)=(1,N,\{0,1\})$. The left component is updated to $1=\delta (0,u)$. The middle component remains $"N"$ since $u\notin {\Sigma }_d$ holds and $0\stackrel{u}{\to }1$ is not a 1-length sub-K-delay run. The right component remains $\{0,1\}$ thanks to $u\in {\Sigma }_{uo}$.

If event $"a"$ occurs at state $(1,N,\{0,1\left\}\right)$, the left component is updated to $3=\delta (1,a)$. Since $a\notin {\Sigma }_d$ holds and $1\stackrel{a}{\to }3$ is not a 1-length sub-K-delay run, the middle component remains unchanged. Since state 3 is not a release position, the right component is updated to $U{R}^N\left({\widehat{Q}}_s(\{0,1\},a)\right)=\{2,3,4\}$.

For the string $"uah"$, the left component is updated to $5=\delta (3,h)$. Given $h\in {\Sigma }_d$, the middle part becomes $"R"$. The right part is updated to $U{R}^N\left({\widehat{Q}}_s(\{2,3,4\},h)\right)=\{5,6\}$ since state 5 is not a release position.

If the event $"b"$ occurs at state $(5,R,\{5,6\left\}\right)$, then the left component becomes $7=\delta (5,b)$. Since $5\stackrel{b}{\to }7$ is a 1-length sub-K-delay run, the middle component is still kept as $"R"$. The right part is updated to ${\overline{Q}}_s(5,b,7)=\varnothing$ since state 7 is the release position with relation to $(5,b,7)$.

Now, we show that the right component of a state $q_s\in Q^S$ in $V_K^S=(Q^S,\Sigma ,f^S,q_0^S)$ truly tracks the corresponding non-secret current-state estimates.

Proposition 2.

Let $V_K^S=(Q^S,\Sigma ,f^S,q_0^S)$ be the strong K-delay verifier of system $G=(X,\Sigma ,\delta ,x_0)$. It holds that

$$\forall s\in \mathcal{L}(G,x_0):R\left(f^S(q_0^S,s)\right)={\widehat{X}}_{ns}^K\left(s\right).$$

Proof. 

For economy of space, we present the proof in Appendix A, which is similar to the proof for Proposition 1.    □

Remark 3.

The non-secret current-state estimates can be refined when some internal strings are inevitably released to an intruder, i.e., under specific release observations. For a state $q_s=(x^{\prime },l^{\prime },\widetilde{q_s^{\prime }})\in Q^S$ in $V_K^S$ with $f^S((x,l,{\tilde{q}}_s),\sigma )=q_s$, where $x^{\prime }$ is the release position with relation to $(x_t,s,x^{\prime })\in \Gamma$, one has $\widetilde{q_s^{\prime }}={\overline{Q}}_s(x_t,s,x^{\prime })\subseteq U{R}^N\left({\widehat{Q}}_s({\tilde{q}}_s,\sigma )\right)$.

The main result for the verification of SCSO under the KOOM using the strong K-delay verifier $V_K^S$ is given.

Theorem 2.

Given the system $G=(X,\Sigma ,\delta ,x_0)$, let $V_K^S=(Q^S,\Sigma ,f^S,q_0^S)$ be its strong K-delay verifier. G is strongly current-state opaque with relation to S and $R_K$ if and only if

$$\forall q_s\in Q^S:L\left(q_s\right)\in S\Rightarrow R\left(q_s\right)\ne \varnothing .$$

(7)

Proof. 

(if) Assume that condition (7) holds. Let the string $s\in \mathcal{L}(V_K^S,q_0^S)$ with $f^S(q_0^S,s)=q_s$, where $L\left(q_s\right)\in S$. Through the construction of $V_K^S$ and $\mathcal{L}(G,x_0)=\mathcal{L}(V_K^S,q_0^S)$, $L\left(q_s\right)\in S$ means that a secret state $x_s=L\left(q_s\right)$ is reached via a string $s\in \mathcal{L}(G,x_0)$, i.e., $\delta (x_0,s)=x_s$. From $R\left(q_s\right)\ne \varnothing$, a state $x_{ns}\in R\left(q_s\right)$ exists. According to Proposition 2 and Definition 3, one has $x_{ns}\in {\widehat{X}}_{ns}^K\left(s\right)$, which implies that a non-secret path $t\in \mathcal{L}(G_{ns},x_{ns,0})$ should exist with $R_K\left(s\right)=R_K\left(t\right)$. According to the definition of the non-secret path and the construction of $G_{ns}$, we have $\delta (x_0,\overline{t})\notin S$ for all $\overline{t}⪯t$. Since $q_s\in Q^S$ is arbitrary, $s\in \mathcal{L}(G,x_0)$ is also arbitrary. According to Definition 3, the system G satisfies SCSO with relation to S and $R_K$.

(only if) Assume that G satisfies SCSO with relation to S and $R_K$. According to Definition 3 and the definition of a non-secret path, for any string $s\in \mathcal{L}(G,x_0)$ reaching a secret state, i.e., $\delta (x_0,s)=x_s\in S$, at least one non-secret path $t\in \mathcal{L}(G,x_0)$ should exist that satisfies both $\delta (x_0,\overline{t})\notin S$ for all $\overline{t}⪯t$ and $R_K\left(s\right)=R_K\left(t\right)$. Thus, we have $x_s\in S$ and $x_{ns}=\delta (x_0,t)\notin S$. According to the definition of the non-secret current-state estimate under the KOOM and the construction of $G_{ns}$, $x_{ns}\in {\widehat{X}}_{ns}^K\left(s\right)$ can be obtained. Based on Proposition 2 and the construction of $V_K^S$, a state $q_s=f^S(q_0^S,s)\in Q^S$ exists such that $x_s=L\left(q_s\right)\in S$ and $x_{ns}\in R\left(q_s\right)$, leading to $R\left(q_s\right)\ne \varnothing$. Since $s\in \mathcal{L}(G,x_0)$ is arbitrary, $q_s\in Q^S$ is also arbitrary, verifying the truth of condition (7).    □

Based on the above discussions, we shape the verification procedure for SCSO under the KOOM as shown in Algorithm 2. In line 1, the complexity of constructing $G_{ns}$ from G is polynomial, i.e., $\mathcal{O}\left(\right|\Sigma \left|\right|X\left|\right)$. The construction of $V_K^S$ suggests that its number of states and transitions could be as high as $\mathcal{O}\left(2\right|X\left|2^{\left|X\right|}\right)$ and $\mathcal{O}\left(2\right|X\left|\right|\Sigma \left|2^{\left|X\right|}\right)$, respectively. Thus, the complexity of line 2 is single-exponential. “The Breadth-First Search Algorithm” can be used for lines 3–10, whose complexity is polynomial. Overall, the complexity of Algorithm 2 is single-exponential in the size of the original system G, i.e., $\mathcal{O}\left(\right|\Sigma \left|\right|X\left|2^{\left|X\right|}\right)$.

Algorithm 2 Verification of SCSO under the KOOM

Require:  A DES $G=(X,\Sigma ,\delta ,x_0),{\Sigma }_o,{\Sigma }_{uo},{\Sigma }_d\subseteq \Sigma ,S\subseteq X$, and $K\in \mathbb{N}$. Ensure:  “YES” if G satisfies SCSO with relation to S, and $R_K$, “NO” otherwise 1: Construct the non-secret subautomaton $G_{ns}$ of G 2: Construct the strong K-delay verifier $V_K^S$ for G 3: for  $q_s\in Q^S$  do 4:        if $L\left(q_s\right)\in S$ then 5:              if $R\left(q_s\right)=\varnothing$ then 6:              return “NO” 7:              end if 8:        end if 9: end for 10: return “YES”

Example 9.

Let us still consider the system G in Example 7, where $S=\left\{7\right\}$. When $K=1$, the strong 1-delay verifier $V_{K=1}^S$ is shown in Figure 6. For the state $q_s=\{7,R,\varnothing \}$, we have $L\left(q_s\right)=7\in S$ and $R\left(q_s\right)=\varnothing$. According to Theorem 2, G does not satisfy SCSO with relation to $S=\left\{7\right\}$ and $R_{K=1}$.

When $K=2$, the strong 2-delay verifier $V_{K=2}^S$ is shown in Figure 7. In $V_{K=2}^S$, no such state whose left component is a secret state and right component is ∅ exists. G satisfies SCSO with relation to $S=\left\{7\right\}$ and $R_{K=2}$ according to Theorem 2. The verification results are consistent with Example 7.

Note that the standard (resp., strong) K-delay verifier $V_K$ (resp., $V_K^S$) may stay in some states in finite transitions due to K-delayed runs. We illustrate this situation with the example of a strong K-delay verifier. When $K=3$, the strong 3-delay verifier of G is shown in Figure 7. In $V_{K=3}^S$, we use $(10,R,\left\{8\right\})\stackrel{c}{\underset{➁}{⤏}}(10,N,\varnothing )$ to denote the run $(10,R,\left\{8\right\})\stackrel{c}{\to }(10,R,\left\{8\right\})\stackrel{c}{\to }(10,N,\varnothing )$ generated by $V_{K=3}^S$, where the event “c” and the circled number “➁” marked next to the dotted arrow indicate that $V_{K=3}^S$ transfers to a new state after the event “c” occurs twice.

4.3. The Properties of Standard and Strong Current-State Opacity Under the KOOM

In this subsection, we discuss the properties of the proposed standard and strong CSO under the KOOM. Intuitively, under the KOOM framework, the system discloses less information when K becomes larger. The following lemma shows this case from the viewpoint of current-state estimates and non-secret current-state estimates.

Lemma 1.

Given system $G=(X,\Sigma ,\delta ,x_0)$, let $K_1,K_2\in \mathbb{N}$ be two non-negative integers satisfying $0\le K_1<K_2$. It holds that

$$\forall s\in \mathcal{L}(G,x_0):{\widehat{X}}_{K_1}\left(s\right)\subseteq {\widehat{X}}_{K_2}\left(s\right)\wedge {\widehat{X}}_{ns}^{K_1}\left(s\right)\subseteq {\widehat{X}}_{ns}^{K_2}\left(s\right).$$

Proof. 

First, we show that for any $s\in \mathcal{L}(G,x_0),{\widehat{X}}_{K_1}\left(s\right)\subseteq {\widehat{X}}_{K_2}\left(s\right)$ holds. Let $V_{K_1}=(Q_1,\Sigma ,f_1,q_0)$ and $V_{K_2}=(Q_2,\Sigma ,f_2,q_0)$ be two standard K-delay verifiers of G. If no event $\sigma \in {\Sigma }_d$ in string $s\in \mathcal{L}(G,x_0)$ exists, i.e., $s\in {({\Sigma }_{nd}\cup {\Sigma }_{uo})}^{*}$, then we have $R_{K_1}\left(s\right)=R_{K_2}\left(s\right)$ for any string $s\in \mathcal{L}(G,x_0)$. This means that ${\widehat{X}}_{K_1}\left(s\right)={\widehat{X}}_{K_2}\left(s\right)$ always holds for any $s\in \mathcal{L}(G,x_0)$. Assume $s={\sigma }_1{\sigma }_2\dots {\sigma }_n\in {\Sigma }^{*}$, where ${\sigma }_i\in \Sigma$ for $1\le i\le n$. If event $\sigma \in {\Sigma }_d$ in string $s\in \mathcal{L}(G,x_0)$ exists, then we have two runs $q_1^0\stackrel{{\sigma }_1}{\to }{q}_1^1\dots \stackrel{{\sigma }_t}{\to }{q}_1^t\dots \stackrel{{\sigma }_r}{\to }{q}_1^r\dots \stackrel{{\sigma }_n}{\to }{q}_1^n$ and $q_2^0\stackrel{{\sigma }_1}{\to }{q}_2^1\dots \stackrel{{\sigma }_t}{\to }{q}_2^t\dots \stackrel{{\sigma }_r}{\to }{q}_2^r\dots \stackrel{{\sigma }_n}{\to }{q}_2^n$ in $V_{K_1}$ and $V_{K_2}$, respectively. According to the constructions of $V_{K_1}$ and $V_{K_2}$, one has $f_1(q_1^0,s)=q_1^n$ and $f_2(q_2^0,s)=q_2^n$, where $q_1^0=q_2^0=q_0$ and $L\left(q_1^i\right)=L\left(q_2^i\right)$, $0\le i\le n$. To determine the relationships between ${\widehat{X}}_{K_1}\left(s\right)$ and ${\widehat{X}}_{K_2}\left(s\right)$, we have the following cases:

Case 1: ${𝓁}_2\left(s\right)<K_1$. In this case, according to $0\le K_1<K_2$, ${𝓁}_2\left(s\right)<K_2$ is trivial. Thus, we have $R_{K_1}\left(s\right)=R_{K_2}\left(s\right)=P_{{\Sigma }_o}\left(s\right)$, and the conditions for release of the KOOM are not fulfilled. Furthermore, $R\left(q_1^j\right)=UR\left(\widehat{Q}({\tilde{q}}_1^{j-1},{\sigma }_j)\right)$ and $R\left(q_2^j\right)=UR\left(\widehat{Q}({\tilde{q}}_2^{j-1},{\sigma }_j)\right)$, $1\le j\le n$ can be obtained. From the definition of $UR\left(\widehat{Q}(q,\sigma )\right)$, we obtain $R\left(q_1^j\right)=R\left(q_2^j\right)$, $1\le j\le n$. Therefore, it holds that $R\left(q_1^n\right)=R\left(q_2^n\right)$. According to Proposition 1, one has ${\widehat{X}}_{K_1}\left(s\right)={\widehat{X}}_{K_2}\left(s\right)$.

Case 2: ${𝓁}_2\left(s\right)\ge K_1$. In this case, we have ${𝓁}_2\left(s\right)=\left|P_{{\Sigma }_o}({\sigma }_{t+1}\dots {\sigma }_n)\right|$, $(L\left(q_1^t\right),{\sigma }_{t+1}\dots {\sigma }_r,L\left(q_1^r\right))\in {\Gamma }_1$, and $L\left(q_1^r\right)$ is the release position with relation to $(L\left(q_1^t\right),{\sigma }_{t+1}\dots {\sigma }_r,L\left(q_1^r\right))$, while $L\left(q_2^r\right)$ is not a release position. Also, we have $R\left(q_1^r\right)=\overline{Q}(L\left(q_1^t\right),{\sigma }_{t+1}\dots {\sigma }_r,L\left(q_1^r\right))$ and $R\left(q_2^r\right)=UR\left(\widehat{Q}(R\left(q_2^{r-1}\right),{\sigma }_r)\right)$. According to $R\left(q_1^{r-1}\right)=R\left(q_2^{r-1}\right)$, one has $UR\left(\widehat{Q}(R\left(q_2^{r-1}\right),{\sigma }_r)\right)=UR\left(\widehat{Q}(R\left(q_1^{r-1}\right),{\sigma }_r)\right)$. According to Remark 2, $R\left(q_1^r\right)\subseteq R\left(q_2^r\right)$ is derived. Then, $R\left(q_1^n\right)\subseteq R\left(q_2^n\right)$ is trivially true. From Proposition 1, it holds that ${\widehat{X}}_{K_1}\left(s\right)\subseteq {\widehat{X}}_{K_2}\left(s\right)$.

Based on the above discussions, it follows that ${\widehat{X}}_{K_1}\left(s\right)\subseteq {\widehat{X}}_{K_2}\left(s\right)$ holds for any string $s\in \mathcal{L}(G,x_0)$. To save space, we omit the proof for ${\widehat{X}}_{ns}^{K_1}\left(s\right)\subseteq {\widehat{X}}_{ns}^{K_2}\left(s\right)$ for any string $s\in \mathcal{L}(G,x_0)$, which is similar to the aforementioned reasoning. □

Based on Lemma 1, given a system G with $S\subseteq X$ and two non-negative integers $K_1,K_2\in \mathbb{N}$ satisfying $0\le K_1<K_2$, we have the following result, which is visualized along with the results of Lemma 1 in Figure 8.

Proposition 3.

Given system $G=(X,\Sigma ,\delta ,x_0)$ with $S\subseteq X$ and non-negative integers $K_1,K_2\in \mathbb{N}$ satisfying $0\le K_1<K_2$, if G is standardly (resp., strongly) current-state opaque with relation to S and $R_{K_1}$, then G is standardly (resp., strongly) current-state opaque with relation to S and $R_{K_2}$.

Proof. 

First, we show that it holds for the case of standard CSO. Let $V_{K_1}=(Q_1,\Sigma ,f_1,q_0)$ and $V_{K_2}=(Q_2,\Sigma ,f_2,q_0)$ be two standard K-delay verifiers of G. According to Theorem 1, $R\left(q\right)\cap S\ne \varnothing \Rightarrow R\left(q\right)\cap (X\setminus S)\ne \varnothing$ holds for any $q\in Q_1$. According to Proposition 1, one concludes that ${\widehat{X}}_{K_1}\left(s\right)\cap S\ne \varnothing \Rightarrow {\widehat{X}}_{K_1}\left(s\right)\cap (X\setminus S)\ne \varnothing$ for any string $s\in \mathcal{L}(G,x_0)$. According to Lemma 1, ${\widehat{X}}_{K_2}\left(s\right)\cap S\ne \varnothing \Rightarrow {\widehat{X}}_{K_2}\left(s\right)\cap (X\setminus S)\ne \varnothing$ holds for any string $s\in \mathcal{L}(G,x_0)$, which implies that $R\left(q\right)\cap S\ne \varnothing \Rightarrow R\left(q\right)\cap (X\setminus S)\ne \varnothing$ is true for any $q\in Q_2$. According to Theorem 1, G satisfies standard CSO with relation to S and $R_{K_2}$.

Next, we show that it holds for strong current-state opacity. Let $V_{K_1}^S=(Q_1^S,\Sigma ,f_1^S,q_0^S)$ and $V_{K_2}^S=(Q_2^S,\Sigma ,f_2^S,q_0^S)$ be two strong K-delay verifiers of G. From Theorem 2, $L\left(q_s\right)\in S\Rightarrow R\left(q_s\right)\ne \varnothing$ holds for any state $q_s\in Q_1^S$. Proposition 2 leads to the fact that $L\left(f_1^S(q_0^S,s)\right)\in S\Rightarrow {\widehat{X}}_{ns}^{K_1}\left(s\right)\ne \varnothing$ for all strings $s\in \mathcal{L}(G,x_0)$. According to Lemma 1, we have $L\left(f_2^S(q_0^S,s)\right)\in S\Rightarrow {\widehat{X}}_{ns}^{K_2}\left(s\right)\ne \varnothing$ for all string $s\in \mathcal{L}(G,x_0)$ in terms of $L\left(f_1^S(q_0^S,s)\right)=L\left(f_2^S(q_0^S,s)\right)$. Thus, $L\left(q_s\right)\in S\Rightarrow R\left(q_s\right)\ne \varnothing$ is derived for any state $q_s\in Q_2^S$. From Theorem 2, we conclude that G satisfies SCSO with relation to S and $R_{K_2}$. □

In the standard CSO under the KOOM problem, we are interested in finding whether the current-state estimate under the KOOM is a member of the set of secret states. From the results in Proposition 1, one finds that the right component of a state in the verifier $V_K$ can capture the current-state estimates of G under the KOOM. Since the verifier $V_K$ has at most $2\left|X\right|·(2^{\left|X\right|}-1)$ states, we are guaranteed that for any reachable state in $V_K$, a string exists whose corresponding KOOM projection of the delayed observation sequence’s length does not exceed K when $K\ge 2\left|X\right|·(2^{\left|X\right|}-1)$. Therefore, an upper bound for K should exist in terms of the standard CSO under KOOM. A similar situation exists in terms of the SCSO under KOOM. The following proposition gives two different upper bounds on K in standard and strong CSO under the KOOM, respectively.

Proposition 4.

Given a system $G=(X,\Sigma ,\delta ,x_0)$, for any $\widehat{K}>K\ge 2\left|X\right|·(2^{\left|X\right|}-1)$ (resp., $2\left|X\right|2^{\left|X\right|}$), system G is standardly (resp., strongly) current-state opaque with relation to S and $R_{\widehat{K}}$ if and only if system G is standardly (resp., strongly) current-state opaque with relation to S and $R_K$.

Proof. 

(if) First, we derive the upper bound on K in standard CSO defined in Definition 1. Given Proposition 3, the fact that G satisfies standard CSO with relation to S and $R_K$ implies that G satisfies standard CSO with relation to S and $R_{\widehat{K}}$, which completes the “if” part of the proof.

(only if) Contrapositively, we assume that G is not standardly current-state opaque with relation to S and $R_K$. Let $V_K=(Q,\Sigma ,f,q_0)$ (resp., $V_{\widehat{K}}=(Q_{\widehat{K}},\Sigma ,f_{\widehat{K}},q_0)$) be the standard K-delay (resp., $\widehat{K}$-delay) verifier of system G.

Case 1: A string $s\in \mathcal{L}(G,x_0)$ satisfying $s\in {({\Sigma }_{nd}\cup {\Sigma }_{uo})}^{*}$ or ${𝓁}_2\left(s\right)<K$ makes ${\widehat{X}}_K\left(s\right)\subseteq S$ hold. In this case, we have $R_K\left(s\right)=R_{\widehat{K}}\left(s\right)$, implying ${\widehat{X}}_K\left(s\right)={\widehat{X}}_{\widehat{K}}\left(s\right)$. The maximum number of states in ${\widehat{X}}_K\left(s\right)$ (resp., ${\widehat{X}}_{\widehat{K}}\left(s\right))$ is $2\left|X\right|·(2^{\left|X\right|}-1)$. Thus, we have ${\widehat{X}}_{\widehat{K}}\left(s\right)\subseteq S$ based on ${\widehat{X}}_K\left(s\right)\subseteq S$, which further means that $R\left(f_{\widehat{K}}(q_0,s)\right)\cap S\ne \varnothing$ but $R\left(f_{\widehat{K}}(q_0,s)\right)\cap (X\setminus S)=\varnothing$. According to Theorem 1, G is not standardly current-state opaque with relation to S and $R_{\widehat{K}}$.

Case 2: A string $s\in \mathcal{L}(G,x_0)$ satisfying ${𝓁}_2\left(s\right)\ge K$ makes ${\widehat{X}}_K\left(s\right)\subseteq S$ hold. In this case, the maximum number of states in ${\widehat{X}}_K\left(t\right)$ is $2\left|X\right|·(2^{\left|X\right|}-1)$. Any string $t\in \mathcal{L}(G,x_0)$ satisfies ${𝓁}_2\left(t\right)<K$. This means that a string t necessarily exists that satisdies ${\widehat{X}}_K\left(s\right)={\widehat{X}}_K\left(t\right)$. Since string $t\in \mathcal{L}(G,x_0)$ also satisfies ${𝓁}_2\left(t\right)<\widehat{K}$, we conclude that ${\widehat{X}}_K\left(t\right)={\widehat{X}}_{\widehat{K}}\left(t\right)$. Then, ${\widehat{X}}_{\widehat{K}}\left(t\right)\subseteq S$ is true based on ${\widehat{X}}_K\left(s\right)\subseteq S$, implying $R\left(f_{\widehat{K}}(q_0,t)\right)\cap S\ne \varnothing$ but $R\left(f_{\widehat{K}}(q_0,t)\right)\cap (X\setminus S)=\varnothing$. According to Theorem 1, G is not standardly current-state opaque with relation to S and $R_{\widehat{K}}$. The “only if” part is completed.

The proof of the upper bound for SCSO under the KOOM is similar to that for standard CSO under yjr KOOM. We have omitted it here due to the limited space. □

On the basis of the above properties, we visualize the relationships among the CSO under the Orwellian projection and the proposed notions of standard and strong CSO under the KOOM in Figure 9.

5. Conclusions

This paper proposes a K-delay Orwellian observation mechanism (KOOM), a generalization of the existing Orwellian projection: upon a downgrading event, the KOOM delays the inevitable information release until K subsequent observations are finished while restricting the scope of the leak to the historical information from prior to the aforementioned degradation event (rather than the entire trajectories). This design strategically increases the uncertainty of an intruder’s state estimate by preventing the intruder from learning the release information prematurely. Furthermore, we formalize the notions of standard and strong CSO under the KOOM and design two novel information structures called the standard K-delay verifier and the strong K-delay verifier for their verification, respectively. Two algorithms and MATLAB R2024b tools [33] for verifying standard and strong CSO under the KOOM are presented, respectively.

Although the proposed KOOM provides a theoretical foundation for a delayed information release, some challenges persist in operationalizing and generalizing this framework, including (1) enforcing opacity when a system does not satisfy the security requirements (e.g., considering dynamic K-adjustment algorithms or runtime monitoring in smart grids), (2) adding a time factor (e.g., timed automata with bounded delays for autonomous vehicle platoons), etc. Further research is needed to optimize the delay parameter K for security–performance trade-offs, quantify the cost of delayed disclosure, and develop efficient online enforcement mechanisms.