Opacity for linear constraint Markov chains

Abstract

On a partially observed system, a secret φ is opaque if an observer cannot ascertain that its trace belongs to φ. We consider specifications given as Constraint Markov Chains (CMC), which are underspecified Markov chains where probabilities on edges are required to belong to some set. The nondeterminism is resolved by a scheduler, and opacity on this model is defined as a worst case measure over all implementations obtained by scheduling. This measures the information obtained by a passive observer when the system is controlled by the smartest scheduler in coalition with the observer. When restricting to the subclass of Linear CMC, we compute (or approximate) this measure and prove that refinement of a specification can only improve opacity.

Appendix: Proof of Proposition 4

Assume by induction that the proposition holds for every word of length n. Let \(w \in {\mathit {FTr}}({\mathcal {A}}_1) = {\mathit {FTr}}({\mathcal {A}}_2)\) (recall Proposition 3) of length n + 1 with w = w ₀ a for some a ∈ Σ. A run \(\rho ^{\prime }\) of \({\mathcal {A}}_2\) that produces w can be assumed to be of the form \(\rho ^{\prime } = \rho _0^{\prime } s_2^{\prime }\) with \({\text {tr}}(\rho _0^{\prime }) = w_0\) and \(\lambda (s_2^{\prime }) = a\). Then \({\mathbf {P}}_{{\mathcal {A}}_2}(C_{\rho ^{\prime }}) = {\mathbf {P}}_{{\mathcal {A}}_2}(C_{\rho _0^{\prime }}) {\Delta}_2(s_2)(s_2^{\prime })\) where \(s_2 = {\text {lst}}(\rho _0^{\prime })\) and hence

$$\begin{array}{@{}rcl@{}} {\mathbf{P}}_{{\mathcal{A}}_2}(C_w) &=& \sum\limits_{\begin{array}{cccccccc}\rho^{\prime} \in \mathit{FRuns}({\mathcal{A}}_2)\\{\text{tr}}(\rho^{\prime})=w \end{array}} {\mathbf{P}}_{{\mathcal{A}}_2}(C_{\rho^{\prime}}) \\\end{array} $$

$$\begin{array}{@{}rcl@{}} &=& \sum\limits_{\begin{array}{cccccccc}s_2,s_2^{\prime}\in S_2 \end{array}} \sum\limits_{\begin{array}{cccccccc}\rho_0^{\prime} \in \mathit{FRuns}({\mathcal{A}}_2)\\{\text{tr}}(\rho_0^{\prime})=w_0,\\ {\text{lst}}(\rho_0^{\prime})=s_2, {\text{lst}}(\rho^{\prime})=s_2^{\prime} \end{array}} {\mathbf{P}}_{{\mathcal{A}}_2}(C_{\rho_0^{\prime}})\cdot {\Delta}_2(s_2)(s_2^{\prime}) \\ \end{array} $$

Now let \({\mathcal {A}}_1\) s.t. \({\mathcal {A}}_2\) simulates \({\mathcal {A}}_1\) then, as

$$ \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}({\mathcal{A}}_1)\\\rho_0 \sim \rho_0^{\prime}\\{\text{lst}}(\rho_0)=s_1 \end{array}} \mu_{\rho_0^{\prime}}(\rho_0) = \sum\limits_{s_1 \in S_1} \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\rho_0 \sim \rho_0^{\prime}\\\text{lst}(\rho_0)=s_1 \end{array}} \mu_{\rho_0^{\prime}}(\rho_0) = 1 $$

we get

$$\begin{array}{@{}rcl@{}} {\mathbf{P}}_{{\mathcal{A}}_2}(C_w) &=& \sum\limits_{\begin{array}{cccccccc}s_2,s_2^{\prime}\in S_2 \end{array}} \sum\limits_{\begin{array}{cccccccc}\rho_0^{\prime} \in \mathit{FRuns}({\mathcal{A}}_2)\\{\text{tr}}(\rho_0^{\prime})=w_0,\\ {\text{lst}}(\rho_0^{\prime})=s_2, {\text{lst}}(\rho^{\prime})=s_2^{\prime} \end{array}}{\mathbf{P}}_{{\mathcal{A}}_2}(C_{\rho_0^{\prime}}) \cdot {\Delta}_2(s_2)(s_2^{\prime}) \cdot \sum\limits_{s_1 \in S_1} \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\rho_0 \sim \rho_0^{\prime}\\\text{lst}(\rho_0)=s_1 \end{array}}\mu_{\rho_0^{\prime}}(\rho_0) \\ &=& \sum\limits_{\begin{array}{cccccccc}s_1 \in S_1\\s_2,s_2^{\prime}\in S_2 \end{array}}\sum\limits_{\begin{array}{cccccccc}\rho_0^{\prime} \in \mathit{FRuns}({\mathcal{A}}_2)\\{\text{tr}}(\rho_0^{\prime})=w_0,\\ {\text{lst}}(\rho_0^{\prime})=s_2, {\text{lst}}(\rho^{\prime})=s_2^{\prime} \end{array}} {\mathbf{P}}_{{\mathcal{A}}_2}(C_{\rho_0^{\prime}}) \cdot {\Delta}_2(s_2)(s_2^{\prime}) \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}({\mathcal{A}}_1)\\\rho_0 \sim \rho_0^{\prime}\\\text{lst}(\rho_0)=s_1 \end{array}} \mu_{\rho_0^{\prime}}(\rho_0) \\ & & \text{As the terms are null if it is not the case that}\, s_1 {\mathcal{R}} s_2, \text{we have:} \\ &=& \sum\limits_{\begin{array}{cccccccc}s_1 \in S_1\\s_2,s_2^{\prime}\in S_2 \end{array}} \sum\limits_{\begin{array}{cccccccc}\rho_0^{\prime} \in \mathit{FRuns}({\mathcal{A}}_2)\\{\text{tr}}(\rho_0^{\prime})=w_0,\\ {\text{lst}}(\rho_0^{\prime})=s_2, {\text{lst}}(\rho^{\prime})=s_2^{\prime} \end{array}} {\mathbf{P}}_{{\mathcal{A}}_2}(C_{\rho_0^{\prime}}) \cdot\\&&\left( \sum\limits_{s^{\prime}_1 \in S_1} {\Delta}_1(s_1)(s^{\prime}_1)\cdot \delta_{s_1,s_2} (s^{\prime}_1)(s^{\prime}_2) \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\rho_0 \sim \rho_0^{\prime}\\\text{lst}(\rho_0)=s_1 \end{array}} \mu_{\rho_0^{\prime}}(\rho_0)\right)\\ & & \text{And as the terms are null if}\, \lambda(s_1^{\prime}) \neq \lambda(s_2^{\prime}) = \lambda({\text{lst}}(\rho)),\, \text{we have:}\\ &=& \sum\limits_{\begin{array}{cccccccc}s_1 \in S_1\\s_2,s_2^{\prime}\in S_2 \end{array}}\sum\limits_{\begin{array}{cccccccc}\rho_0^{\prime} \in \mathit{FRuns}({\mathcal{A}}_2)\\{\text{tr}}(\rho_0^{\prime})=w_0,\\ {\text{lst}}(\rho_0^{\prime})=s_2, {\text{lst}}(\rho^{\prime})=s_2^{\prime} \end{array}} {\mathbf{P}}_{{\mathcal{A}}_2}(C_{\rho_0^{\prime}}) \sum\limits_{\begin{array}{cccccccc}s^{\prime}_1 \in S_1\\\lambda(s_1) = \lambda(\text{lst}(\rho)) \end{array}} {\Delta}_1(s_1)(s^{\prime}_1)\cdot\\&&\left( \delta_{s_1,s_2} (s^{\prime}_1)(s^{\prime}_2) \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\rho_0 \sim \rho_0^{\prime}\\\text{lst}(\rho_0)=s_1 \end{array}} \mu_{\rho_0^{\prime}}(\rho_0)\right) \end{array} $$

$$\begin{array}{@{}rcl@{}} {\mathbf{P}}_{{\mathcal{A}}_2}(C_w) &=& \sum\limits_{s_1 \in S_1} \sum\limits_{\begin{array}{cccccccc}s^{\prime}_1 \in S_1\\\lambda(s_1) = \lambda({\text{lst}}(\rho)) \end{array}} \sum\limits_{\begin{array}{cccccccc}s_2\in S_2\\s_2^{\prime}\in S_2 \end{array}} \delta_{s_1,s_2} (s^{\prime}_1)(s^{\prime}_2) \cdot \\&&\left( \sum\limits_{\begin{array}{cccccccc}\rho_0^{\prime} \in \mathit{FRuns}(\mathcal{A}_2)\\\text{tr}(\rho_0^{\prime})=w_0,\\ \text{lst}(\rho_0^{\prime})=s_2, \text{lst}(\rho^{\prime})=s_2^{\prime} \end{array}} \mathbf{P}_{\mathcal{A}_2}(C_{\rho_0^{\prime}}) {\Delta}_1(s_1)(s^{\prime}_1) \right. \cdot\left.\sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\rho_0 \sim \rho_0^{\prime}\\\text{lst}(\rho_0)=s_1 \end{array}} \mu_{\rho_0^{\prime}}(\rho_0)\right) \\ & & \text{And since}\, \sum\limits_{s_2^{\prime}\in S_2} \delta_{s_1,s_2} (s^{\prime}_1)(s^{\prime}_2) = 1: \\ &=& \sum\limits_{s_1 \in S_1} \sum\limits_{\begin{array}{cccccccc}s^{\prime}_1 \in S_1\\\lambda(s_1) = \lambda(\text{lst}(\rho)) \end{array}} \sum\limits_{s_2\in S_2} \sum\limits_{\begin{array}{cccccccc}\rho_0^{\prime} \in \mathit{FRuns}(\mathcal{A}_2)\\\text{tr}(\rho_0^{\prime})=w_0,\\ \text{lst}(\rho_0^{\prime})=s_2 \end{array}} \mathbf{P}_{\mathcal{A}_2}(C_{\rho_0^{\prime}}) \cdot {\Delta}_1(s_1)(s^{\prime}_1) \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\rho_0 \sim \rho_0^{\prime}\\\text{lst}(\rho_0)=s_1 \end{array}} \mu_{\rho_0^{\prime}}(\rho_0) \\ &=& \sum\limits_{s_1 \in S_1} \sum\limits_{\begin{array}{cccccccc}s^{\prime}_1 \in S_1\\\lambda(s_1) = \lambda(\text{lst}(\rho)) \end{array}} \sum\limits_{\begin{array}{cccccccc}\rho_0^{\prime} \in \mathit{FRuns}(\mathcal{A}_2)\\\text{tr}(\rho_0^{\prime})=w_0 \end{array}} \mathbf{P}_{\mathcal{A}_2}(C_{\rho_0^{\prime}}) \cdot {\Delta}_1(s_1)(s^{\prime}) \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\rho_0 \sim \rho_0^{\prime}\\\text{lst}(\rho_0)=s_1 \end{array}} \mu_{\rho_0^{\prime}}(\rho_0) \\ &=& \sum\limits_{s_1 \in S_1} \sum\limits_{\begin{array}{cccccccc}s^{\prime}_1 \in S_1\\\lambda(s_1) = \lambda(\text{lst}(\rho)) \end{array}} {\Delta}_1(s_1)(s^{\prime}_1) \cdot \sum\limits_{\begin{array}{cccccccc}\rho_0^{\prime} \in \mathit{FRuns}(\mathcal{A}_2)\\\text{tr}(\rho_0^{\prime})=w_0 \end{array}} \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\rho_0 \sim \rho_0^{\prime}\\\text{lst}(\rho_0)=s_1 \end{array}} \mathbf{P}_{\mathcal{A}_2}(C_{\rho_0^{\prime}}) \mu_{\rho_0^{\prime}}(\rho_0) \\ &=& \sum\limits_{s_1 \in S_1} \sum\limits_{\begin{array}{cccccccc}s^{\prime}_1 \in S_1\\\lambda(s_1) = \lambda(\text{lst}(\rho)) \end{array}} {\Delta}_1(s_1)(s^{\prime}_1) \sum\limits_{\begin{array}{cccccccc}\rho_0^{\prime} \in \mathit{FRuns}(\mathcal{A}_2)\\\text{tr}(\rho_0^{\prime})=w_0 \end{array}} \cdot \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\rho_0 \sim \rho_0^{\prime}\\\text{lst}(\rho_0)=s_1 \end{array}} \mathbf{P}_{\mathcal{A}_2}(C_{\rho_0^{\prime}}) \frac{\mathbf{P}_{\mathcal{A}_1}(C_{\rho_0})}{\mathbf{P}_{\mathcal{A}_1}(sim(\rho_0^{\prime}))} \\ &=& \sum\limits_{s_1 \in S_1} \sum\limits_{\begin{array}{cccccccc}s^{\prime}_1 \in S_1\\\lambda(s_1) = \lambda(\text{lst}(\rho)) \end{array}} {\Delta}_1(s_1)(s^{\prime}_1) \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\text{tr}(\rho_0)=w_0\\\text{lst}(\rho_0)=s_1 \end{array}} \frac{\mathbf{P}_{\mathcal{A}_1}(C_{\rho_0})}{\mathbf{P}_{\mathcal{A}_1}(sim(\rho_0^{\prime}))} \sum\limits_{\begin{array}{cccccccc}\rho_0^{\prime} \in \mathit{FRuns}(\mathcal{A}_2)\\\text{tr}(\rho_0^{\prime})=w_0 \end{array}} \mathbf{P}_{\mathcal{A}_2}(C_{\rho_0^{\prime}}) \\ &=& \sum\limits_{s_1 \in S_1} \sum\limits_{\begin{array}{cccccccc}s^{\prime}_1 \in S_1\\\lambda(s_1) = \lambda(\text{lst}(\rho)) \end{array}} {\Delta}_1(s_1)(s^{\prime}_1) \cdot \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\text{tr}(\rho_0)=w_0\\\text{lst}(\rho_0)=s_1 \end{array}} \frac{\mathbf{P}_{\mathcal{A}_1}(C_{\rho_0})}{\mathbf{P}_{\mathcal{A}_1}(sim(\rho_0^{\prime}))} \cdot \mathbf{P}_{\mathcal{A}_2}(C_{w_0}) \\ &&\text{and by induction hypothesis, } {\mathbf{P}}_{{\mathcal{A}}_2}(C_{w_0}) = {\mathbf{P}}_{{\mathcal{A}}_1}(C_{w_0}) \text{, hence:}\\ &=& \sum\limits_{s_1 \in S_1} \sum\limits_{\begin{array}{cccccccc}s^{\prime}_1 \in S_1\\\lambda(s_1) = \lambda(\text{lst}(\rho)) \end{array}} {\Delta}_1(s_1)(s^{\prime}_1) \cdot \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\text{tr}(\rho_0)=w_0\\\text{lst}(\rho_0)=s_1 \end{array}} \frac{\mathbf{P}_{\mathcal{A}_1}(C_{\rho_0})}{\mathbf{P}_{\mathcal{A}_1}(sim(\rho_0^{\prime}))} \cdot \mathbf{P}_{\mathcal{A}_1}(C_{w_0}) \\ \end{array} $$

$$\begin{array}{@{}rcl@{}} &&\text{and since } {\mathbf{P}}_{{\mathcal{A}}_1}(sim(\rho_0^{\prime})) = {\mathbf{P}}_{{\mathcal{A}}_1}(C_{w_0}) \text{:}\\ &=& \sum\limits_{s_1 \in S_1} \sum\limits_{\begin{array}{cccccccc}s^{\prime}_1 \in S_1\\\lambda(s_1) = \lambda(\text{lst}(\rho)) \end{array}} {\Delta}_1(s_1)(s^{\prime}_1) \cdot \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}(\mathcal{A}_1)\\\text{tr}(\rho_0)=w_0\\\text{lst}(\rho_0)=s_1 \end{array}} \mathbf{P}_{\mathcal{A}_1}(C_{\rho_0}) \\ &=& \sum\limits_{s_1 \in S_1} \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}({\mathcal{A}}_1)\\{\text{tr}}(\rho_0)=w_0\\{\text{lst}}(\rho_0)=s_1 \end{array}} \mathbf{P}_{\mathcal{A}_1}(C_{\rho_0}) \cdot\sum\limits_{\begin{array}{cccccccc}s^{\prime}_1 \in S_1\\\lambda(s_1) = \lambda(\text{lst}(\rho)) \end{array}} {\Delta}_1(s_1)(s^{\prime}_1)\\ &=& \sum\limits_{\begin{array}{cccccccc}\rho_0 \in \mathit{FRuns}({\mathcal{A}}_1)\\{\text{tr}}(\rho_0)=w_0 \end{array}} {\mathbf{P}}_{{\mathcal{A}}_1}(C_{\rho_0}) {\Delta}_1({\text{lst}}(\rho_0))({\text{lst}}(\rho)) \ =\ {\mathbf{P}}_{{\mathcal{A}}_1}(C_w) \end{array} $$