On Opacity Verification for Discrete-Event Systems

Opacity is an information flow property characterizing whether a system reveals its secret to an intruder. Verification of opacity for discrete-event systems modeled by automata is in general a hard problem. We discuss the question whether there are structural restrictions on the system models for which the opacity verification is tractable. We consider two kinds of automata models: (i) acyclic automata, and (ii) automata where all cycles are only in the form of self-loops. In some sense, these models are the simplest models of (deadlock-free) systems. Although the expressivity of such systems is weaker than the expressivity of linear temporal logic, we show that the opacity verification for these systems is still hard.

💡 Research Summary

The paper investigates the computational complexity of opacity verification in discrete‑event systems (DES) when the underlying automata are subjected to severe structural restrictions. Opacity, an information‑flow property, asks whether a passive intruder—who knows the system structure but observes only a subset of events—can infer that the system has visited a secret state (current‑state opacity) or performed a secret behavior (language‑based opacity). While opacity verification is known to be PSPACE‑complete in general, the authors ask whether the problem becomes tractable for the simplest possible models: (i) acyclic automata, which generate only a finite set of strings, and (ii) automata whose only cycles are self‑loops, i.e., dead‑lock‑free systems where a state, once left, can never be revisited.

The paper proceeds as follows. After recalling basic notions of nondeterministic and deterministic finite automata, the projection function that erases unobservable events, and the formal definitions of current‑state opacity, language‑based opacity, and language‑based weak opacity, the authors establish a key reduction: current‑state opacity can be expressed as an inclusion problem P(L_S) ⊆ P(L_NS), where L_S and L_NS are the marked languages of the automaton with secret and non‑secret states marked, respectively. This reduction mirrors earlier work by Wu and Lafortune (2013) and links opacity verification to classic language inclusion and universality problems.

The first major technical contribution is Theorem 4, which proves that deciding language‑based weak opacity when both the secret language L_S and the non‑secret language L_NS are given by NFAs is NL‑complete. The proof shows NL‑membership by guessing a pair of start and accepting states in the product automaton of the projected NFAs and checking reachability in nondeterministic logarithmic space. NL‑hardness is established via a reduction from the DAG reachability problem: given a directed acyclic graph, one constructs an NFA whose observable transitions correspond to graph edges and adds a single unobservable transition to distinguish secret from non‑secret runs. The existence of a common observation then exactly corresponds to reachability in the original graph.

Next, the paper studies how the number of observable and unobservable events influences complexity. Theorem 6 shows that for deterministic finite‑state systems with three events (two observable, one unobservable) the current‑state opacity problem is PSPACE‑complete. The proof adapts known PSPACE‑hardness constructions for universality to the opacity setting. When the system has only a single observable event, Theorem 7 drops the complexity to CONP‑complete, because the projection collapses most behavior to a single symbol and the problem reduces to checking the complement of a language inclusion.

The authors then focus on acyclic systems. Theorem 8 proves that for acyclic automata with at least two observable events, current‑state opacity remains CONP‑complete. The proof leverages the fact that even though the language is finite, the inclusion test still requires checking the non‑existence of a counterexample, which is co‑NP‑hard. Conversely, Theorem 9 shows that if there is only one observable event, the problem becomes NL‑complete, essentially reducing to a reachability test in a DAG.

Finally, the paper relaxes the acyclicity condition to allow only self‑loops as cycles, i.e., dead‑lock‑free systems. Theorem 12 establishes NL‑completeness for the case of a single observable event, while Theorem 13 demonstrates PSPACE‑completeness for deterministic systems with three events (two observable, one unobservable). The latter result indicates that the presence of even a single unobservable event together with multiple observable events restores the full expressive power needed to encode PSPACE‑hard problems.

Overall, the paper’s contributions are twofold. First, it maps out a fine‑grained complexity landscape for opacity verification under extreme structural restrictions, revealing that many seemingly simple models still inherit high complexity unless the observable alphabet is extremely limited. Second, by providing explicit reductions and tight upper bounds, the work offers a clear guide for system designers: structural simplicity alone does not guarantee tractable opacity analysis; careful control of the observable event set is essential. The results also suggest that similar complexity separations are likely to hold for other opacity variants (e.g., K‑step opacity) and for related security properties, motivating further research into efficient verification techniques for restricted classes of discrete‑event systems.