Obfuscator Synthesis for Privacy and Utility

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9690)


We consider the problem of synthesizing an obfuscation policy that enforces privacy while preserving utility with formal guarantees. Specifically, we consider plants modeled as finite automata with pre-defined secret behaviors. A given plant generates event strings for some useful computation, but meanwhile wants to hide its secret behaviors from any outside observer. We formally capture the privacy and utility specifications using the automaton model of the plant. To enforce both specifications, we propose an obfuscation mechanism where an edit function “edits” the plant’s output in a reactive manner. We develop algorithmic procedures that synthesize a correct-by-construction edit function satisfying both privacy and utility specifications. To address the state explosion problem, we encode the synthesis algorithm symbolically using Binary Decision Diagrams. We present EdiSyn, an implementation of our algorithms, along with experimental results demonstrating its performance on illustrative examples. This is the first work, to our knowledge, to successfully synthesize controllers satisfying both privacy and utility requirements.
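A constructed toy instance of the setting the abstract describes, added here as an illustration (it is not the paper's EdiSyn code, and the backtracking search stands in for the paper's symbolic BDD synthesis): the plant, secret state, utility automaton and event names are all assumptions.

```python
# Constructed toy instance of the abstract's setting, not the paper's EdiSyn code or its
# symbolic BDD algorithm: an acyclic plant automaton with a secret state, an observer that
# estimates the plant state from the released string, and an edit function found by backtracking.
PLANT = {0: {"a": 1, "b": 2}, 1: {"c": 3}, 2: {"c": 4},   # state -> {event: next state}
         3: {"d": 5}, 4: {"d": 6}, 5: {}, 6: {}}
SECRET = {3}                   # reaching 3 (the run "a c") must stay hidden
EVENTS = ("a", "b", "c", "d")
# Utility spec as a DFA over the released string: accept iff a "d" (completion signal)
# was released, so a legitimate user still learns that the job finished.
UTILITY = {"wait": {"a": "wait", "b": "wait", "c": "wait", "d": "done"},
           "done": {e: "done" for e in EVENTS}}

def estimate(released):
    """Observer's state estimate: plant states consistent with the released string."""
    states = {0}
    for e in released:
        states = {PLANT[s][e] for s in states if e in PLANT[s]}
    return states

def private(released):
    """Privacy: estimate is plausible (non-empty) and not wholly inside SECRET."""
    est = estimate(released)
    return bool(est) and not est <= SECRET

def useful(released):
    """Utility: the utility DFA accepts the released string."""
    q = "wait"
    for e in released:
        q = UTILITY[q][e]
    return q == "done"

def synthesize(state=0, released=""):
    """Edit strategy {event: (output, substrategy)} keeping every released prefix private
    and the final string useful on every plant run from `state`; None if impossible."""
    if not PLANT[state]:                          # run complete: check utility
        return {} if useful(released) else None
    strategy = {}
    for ev, nxt in PLANT[state].items():
        for out in ("",) + EVENTS:                # erase ("") first, else release an event
            sub = synthesize(nxt, released + out) if private(released + out) else None
            if sub is not None:
                strategy[ev] = (out, sub)
                break
        else:
            return None                           # some plant event has no safe edit
    return strategy

def obfuscate(strategy, run):
    """Apply the edit function reactively to one plant run; returns the released string."""
    released = ""
    for ev in run:
        out, strategy = strategy[ev]
        released += out
    return released
```

The synthesized strategy rewrites the initial "a" to "b" even though "a" on its own reveals nothing, because releasing it leaves no safe edit once the plant later emits "c"; a greedy edit function that only reacts to the current event would get stuck there, which is why the synthesis has to reason over all continuations.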





Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. UC Berkeley, Berkeley, USA
  2. University of Michigan, Ann Arbor, USA
  3. United Technologies Research Center, Berkeley, USA
