Enforcement and validation (at runtime) of various notions of opacity

Abstract

We are interested in the validation of opacity. Opacity models the impossibility for an attacker to retrieve the value of a secret in a system of interest. Roughly speaking, ensuring opacity provides confidentiality of a secret on the system that must not leak to an attacker. More specifically, we study how we can model-check, verify and enforce at system runtime, several levels of opacity. Besides existing notions of opacity, we also introduce K-step strong opacity, a more practical notion of opacity that provides a stronger level of confidentiality.

Appendices

Appendix A: Proofs

A.1 Proofs of Section 4

Proposition 9

(p. 20 ). We shall prove that a secret \(S\subseteq Q^{\mathcal {G}}\) is \((\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},K)\) -weakly opaque if and only if

$$\forall \mu\in \mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G}), \forall\mu^{\prime}\preceq\mu: |\mu-\mu^{\prime}| \leq K \Rightarrow [\![\mu^{\prime}/ \mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}}\not\subseteq \mathcal{L}_{S}(\mathcal{G}). $$

Proof

We prove the equivalence by showing the implication in both ways.

(\(\Rightarrow \)) Let \(\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})\), \(\mu ^{\prime }\preceq \mu \) such that \(|\mu - \mu ^{\prime }|\leq K\). Let t∈[ [μ] ]_{Σ o} and \(t^{\prime }\preceq t\) such that \(t^{\prime }\in [\![\mu ^{\prime }]\!]_{{\Sigma }_{\mathrm {o}}}\). Then, we have \(|t-t^{\prime }|_{{{{\Sigma }_{\mathrm {o}}}}}\leq K\) and \(t^{\prime }\in [\![\mu ^{\prime }/ \mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\). If \(t^{\prime }\notin \mathcal {L}_{S}(\mathcal {G})\), then \([\![\mu ^{\prime }/ \mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\not \subseteq \mathcal {L}_{S}(\mathcal {G})\). Otherwise \(t^{\prime }\in \mathcal {L}_{S}(\mathcal {G})\) and as S is \((\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},K)\)-weakly opaque, there exist \(s,s^{\prime }\in \mathcal {L}(\mathcal {G})\) such that s≈_{Σ o} t, \(s^{\prime }\approx _{{{{\Sigma }_{\mathrm {o}}}}} t^{\prime }\), and \(s^{\prime }\notin \mathcal {L}_{S}(\mathcal {G})\). We thus have that \(s^{\prime }\in [\![\mu ^{\prime }/\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\) and finally \([\![\mu ^{\prime }/ \mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\not \subseteq \mathcal {L}_{S}(\mathcal {G})\).

(\(\Leftarrow \)) Reciprocally, let \(t\in \mathcal {L}(\mathcal {G})\), \(t^{\prime }\preceq t\) such that \(|t-t^{\prime }|_{{{{\Sigma }_{\mathrm {o}}}}}\leq K\) and \(t^{\prime }\in \mathcal {L}_{S}(\mathcal {G})\). Let μ=P _{Σ o}(t), \(\mu ^{\prime }=P_{{{{\Sigma }_{\mathrm {o}}}}}(t^{\prime })\). By definition, we have \(|\mu -\mu ^{\prime }|\leq K\). Now, by hypothesis we know that \([\![\mu ^{\prime }/ \mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\not \subseteq \mathcal {L}_{S}(\mathcal {G})\). So there exist s∈[ [μ] ], \(s^{\prime }\preceq s\), such that \(s^{\prime }\in [\![\mu ^{\prime }/ \mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\) and \(s^{\prime }\notin \mathcal {L}_{S}(\mathcal {G})\). Finally, we have found \(s\in \mathcal {L}(\mathcal {G})\), \(s^{\prime }\preceq s\) such that \(s\approx _{{{{\Sigma }_{\mathrm {o}}}}} t \wedge s^{\prime }\approx _{{{{\Sigma }_{\mathrm {o}}}}} t^{\prime } \wedge s^{\prime }\notin \mathcal {L}_{S}(\mathcal {G})\). Thus, S is \((\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},K)\)-weakly opaque.

Proposition 10

(p. 25 ) We shall prove that, on \(\mathcal {G}\) , \(S\subseteq Q^{\mathcal {G}}\) is \((\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},K)\) -strongly opaque if and only if

$$\forall \mu\in\mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G}): [\![\mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}}\cap {\text{Free}^{S}_{K}}(\mathcal{G})\neq \emptyset. $$

Proof

We prove the equivalence by showing the implication in both ways.

(\(\Leftarrow \)) Let \(t\in {\mathcal {L}}(\mathcal {G})\) and μ=P _{Σ o}(t), by hypothesis we have \([\![\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\cap {\text {Free}^{S}_{K}}(\mathcal {G})\) ≠∅. In particular, there exists s∈[ [μ] ]_{Σ o} (thus s≈_{Σ o} t) such that \(\forall s^{\prime }\preceq s: |s-s^{\prime }|_{{\Sigma }_{o}}\leq K\wedge s^{\prime }\notin \mathcal {L}_{S}(\mathcal {G})\), which entails that S is \((\mathcal {G},P_{{\Sigma }_{\mathrm {o}}},K)\)-strongly opaque.

(\(\Rightarrow \)) Let \(\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})\) and t∈[ [μ] ]_{Σ o}. As S is \((\mathcal {G},P_{{\Sigma }_{\mathrm {o}}},K)\)-strongly opaque, there exists \(s\in \mathcal {L}(\mathcal {G})\) such that s≈_{Σ o} t and \(\forall s^{\prime }\preceq s: |s-s^{\prime }|_{{\Sigma }_{o}}\leq K \Rightarrow s^{\prime }\notin \mathcal {L}_{S}(\mathcal {G})\). Obviously \(s\in \text {Free}^{S}_{K}(\mathcal {G})\), and, as s∈[ [μ] ]_{Σ o}, \([\![\mu ]\!]_{{\Sigma }_{\mathrm {o}}}\cap {\text {Free}^{S}_{K}}(\mathcal {G})\neq \emptyset \).

A.2 Proofs of Section 5

In the two following lemmas, let us recall that only the information about traversed states is considered.

3.1 A.2.1 Lemma 1 (p. 39)

Given a system \(\mathcal {G}\) modeled by an LTS \((Q^{\mathcal {G}}, {q_{{\text {init}}}^{\mathcal {G}}}, {\Sigma }, \delta _{\mathcal {G}})\) and the corresponding K-delay trajectory estimator \(D=(M^{D},q_{\text {init}}^{D},{\Sigma }_{\mathrm {o}},\delta _{D})\), then

$$\begin{array}{ll} \bullet & \forall \mu\in \mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G})\mbox{ s.t. }|\mu|\geq K \wedge \mu=\mu^{\prime}\cdot\sigma_{1}\cdots\sigma_{K},\\ &\qquad \forall s\in[\![\mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}}: (s=s^{\prime}\cdot s_{1}{\cdots} s_{K} \wedge \forall {i\in [1,K]}: P_{{\Sigma}_{\mathrm{o}}}(s_{i})=\sigma_{i})\\ &\qquad\qquad \exists (q_{0},\ldots,q_{K})\in\delta_{D}(m_{\text{init}}^{D},\mu) : q_{0}\stackrel{s_{1}}{\to}_{\mathcal{G}} q_{1}{\cdots} q_{K-1}\stackrel{s_{K}}{\to}_{\mathcal{G}} q_{K},\\ ~\\ \bullet & \forall \mu\in \mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G})\mbox{ s.t. } n=|\mu|< K \wedge \mu=\sigma_{1}\cdots\sigma_{n},\\ &\quad\forall s\in[\![\mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}}: (s= s^{\prime}\cdot s_{1}{\cdots} s_{n} \wedge \forall {i\in [1,n]}: P_{{\Sigma}_{\mathrm{o}}}(s_{i})=\sigma_{i}), \\ &\quad\quad\exists (q_{0},\ldots,q_{K})\in\delta_{D}({m_{{\text{init}}}^{D}},\mu): q_{K-n}\stackrel{s_{1}}{\to}_{\mathcal{G}} q_{K-n+1}{\cdots} \stackrel{s_{n-1}}{\to}_{\mathcal{G}} q_{K-1}\stackrel{s_{n}}{\to}_{\mathcal{G}} q_{K},\\ & \qquad \qquad \qquad\qquad \qquad\qquad \quad\quad \wedge\ {q_{{\text{init}}}^{\mathcal{G}}}\stackrel{s^{\prime}}{\to}_{\mathcal{G}} q_{K-n}. \end{array} $$

Proof

The proof is done by induction on |μ|. We consider only observation traces μ of length |μ|≥1 since for the empty observation trace, the information provided by a K-delay trajectory estimator reduces to the state estimate reachable with unobservable events from the system. This information is given in the initial state of the trajectory estimator and is trivially correct by definition.

• For |μ|=1, μ=σ ₁, by definition \({m_{{\text {init}}}^{D}}= \odot _{K+1}{\Delta }_{\mathcal {G}}(\{{q_{{\text {init}}}^{\mathcal {G}}}\}, [\![\epsilon ]\!]_{{\Sigma }_{\mathrm {o}}})\). In particular \((q,\ldots ,q)\in {m_{{\text {init}}}^{D}}\) for every \(q\in {\Delta }_{\mathcal {G}}(\{{q_{{ \text {init}}}^{\mathcal {G}}}\}, [\![\epsilon ]\!]_{{\Sigma }_{\mathrm {o}}})\). Let \(s^{\prime }\cdot s_{1}\in [\![\sigma _{1}]\!]_{{\Sigma }_{\mathrm {o}}}\) (with \(P_{{\Sigma }_{\mathrm {o}}}(s^{\prime })=\epsilon \) and P _{Σ o}(s ₁)=σ ₁) such that \(q\stackrel {s_{1}}{\to }_{\mathcal {G}} q_{1}\) for some \(q\in {\Delta }_{\mathcal {G}}(\{q_{\text {init}}^{\mathcal {G}}\}, [\![\epsilon ]\!]_{{\Sigma }_{\mathrm {o}}})\). By definition (q,q ₁)∈Obs(σ ₁) and thus \((q,\ldots ,q,q_{1})\in \delta _{D}(m_{\text {init}}^{D},\sigma _{1})\).

• Assume now that the property holds for any trace of \(\mathcal {G}\) of length strictly less than K. Let \(\mu \in \mathcal {T}_{{\Sigma }_{\mathrm {o}}}(\mathcal {G})\mbox { s.t. }n=|\mu |< K \wedge \mu =\sigma _{1}\cdots \sigma _{n}\) and s∈[ [μ] ]_{Σ o} s.t. \(s=s^{\prime }\cdot s_{1}{\cdots } s_{n}\wedge \forall {i\in [1,n]}: P_{{{{\Sigma }_{\mathrm {o}}}}}(s_{i})=\sigma _{i} \wedge P_{{\Sigma }_{\mathrm {o}}}(s^{\prime })=\epsilon \). We have \(s^{\prime }\cdot s_{1}{\cdots } s_{n-1}\in [\![\mu ^{\prime }]\!]_{{\Sigma }_{\mathrm {o}}}\) with \(\mu ^{\prime }= \sigma _{1}\cdots \sigma _{n-1}\). By induction hypothesis, \(\exists (q,q_{0},\ldots ,q_{K-1})\in m^{\prime }=\delta _{D}({m_{{\text {init}}}^{D}},\mu ^{\prime }): q_{K-n}\stackrel {s_{1}}{\to }_{\mathcal {G}} q_{K-n+1}\cdots \stackrel {s_{n-2}}{\to }_{\mathcal {G}} q_{K-2}\stackrel {s_{n-1}}{\to }_{\mathcal {G}} q_{K-1}\). Now, consider \(m=m^{\prime }\|\text {Obs}(\sigma _{n})\). As s∈[ [μ] ]_{Σ o}, we get that there exists \(q_{K}\in Q^{\mathcal {G}}\) such that \(q_{K-n}\stackrel {s_{1}}{\to }_{\mathcal {G}} q_{K-n+1}{\cdots } \stackrel {s_{n-2}}{\to }_{\mathcal {G}} q_{K-2}\stackrel {s_{n-1}}{\to }_{\mathcal {G}} q_{K-1}\stackrel {s_{n}}{\to }_{\mathcal {G}} q_{K}\) with P _{Σ o}(s _n )=σ _n . Now by definition of the function Obs, we have (q _K−1,q _K )∈Obs(σ _n ) and finally by definition of ∥, we have (q ₀,…,q _n )∈m.

• The case where |μ|≥K follows exactly the same pattern.

3.2 A.2.2. Lemma 2 (p. 40)

Given a system \(\mathcal {G}\) modelled by an LTS \((Q^{\mathcal {G}},{q_{{\text {init}}}^{\mathcal {G}}}, {\Sigma }, \delta _{\mathcal {G}})\) and the corresponding K-delay trajectory estimator \(D=(M^{D},m_{\text {init}}^{D},{\Sigma }_{\mathrm {o}},\delta _{D})\), then ∀m∈M ^D, ∀(q ₀,…,q _K )∈m, \(\forall \mu \in \mathcal {T}_{{\Sigma }_{\mathrm {o}}}(\mathcal {G}): \delta _{D}(m_{\text {init}}^{D},\mu )=m,\)

$$\begin{array}{ll} \bullet & |\mu|=0 \Rightarrow \forall (q,\ldots,q)\in m={m_{{\text{init}}}^{D}},\exists s\in [\![\mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}}: {q_{{ \text{init}}}^{\mathcal{G}}}\stackrel{s}{\longrightarrow}_{\mathcal{G}} q\wedge P_{{\Sigma}_{\mathrm{o}}}(s) = \epsilon,\\ ~\\ \bullet & n=|\mu|< K \wedge \mu=\sigma_{1}\cdots\sigma_{n} \Rightarrow\\ & \quad\exists s^{\prime}\cdot s_{1}{\cdots} s_{n}\in[\![\mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}}:\\ & \quad\quad {q_{{\text{init}}}^{\mathcal{G}}}\stackrel{s^{\prime}}{\to}_{\mathcal{G}}\ q_{K-n}\stackrel{s_{1}}{\to}_{\mathcal{G}} q_{K-n+1}{\cdots} q_{K-1}\stackrel{s_{n}}{\to}_{\mathcal{G}} q_{K} \wedge \forall {i\in [1,n]}:P_{{\Sigma}_{\mathrm{o}}}(s_{i})=\sigma_{i}\\ ~\\ \bullet & |\mu|\geq K \wedge \mu=\mu^{\prime}\cdot\sigma_{1}\cdots\sigma_{K} \Rightarrow\\ & \qquad\exists s^{\prime}\cdot s_{1}{\cdots} s_{K}\in[\![\mu]\!]_{{{{\Sigma}_{\mathrm{o}}}}} :\\ & \qquad\qquad{q_{{\text{init}}}^{\mathcal{G}}}\stackrel{s^{\prime}}{\to}_{\mathcal{G}} q_{0}\stackrel{s_{1}}{\to}_{\mathcal{G}} q_{1}{\cdots} \stackrel{s_{K}}{\to}_{\mathcal{G}} q_{K}\wedge \forall {i\in [1,K]}: P_{{\Sigma}_{\mathrm{o}}}(s_{i})=\sigma_{i}. \end{array} $$

Proof

Let us consider m∈M ^D, and \(\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G}): \delta _{D}({m_{{\text {init}}}^{D}},\mu )=m\). The proof is done by induction on |σ|.

• If |μ|=0, then μ=𝜖 _{Σ o} and \(m=m_{\text {init}}^{D}=\odot _{K+1}({\Delta }_{\mathcal {G}}(\{q_{\text {init}}^{\mathcal {G}}\},[\![\epsilon ]\!]_{{\Sigma }_{\mathrm {o}}}))\). Then all state estimates \((q,\ldots ,q)\in m_{\text {init}}^{D}\) are s.t. \(q\in {\Delta }_{\mathcal {G}}(\{q_{\text {init}}^{\mathcal {G}}\}, [\![\epsilon ]\!]_{{\Sigma }_{\mathrm {o}}})\). Then, there exists \(s\in L(\mathcal {G})\) s.t. \(q_{\text {init}}^{\mathcal {G}} \stackrel {s}{\longrightarrow }_{\mathcal {G}} q\) and P _{Σ o}(s)=𝜖.

• Assume that the property holds for all \(\mu ^{\prime }\in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})\) such that \(|\mu ^{\prime }|<n\) and consider \(\mu \in \mathcal {T}_{{\Sigma }_{\mathrm {o}}}(\mathcal {G})\) such that |μ|=n

  • If |μ|=n<K, μ can be written μ=σ ₁⋯σ _n . Consider now an element of m. It is of the form (q _K−n ,…,q _K−n ,q _K−n+1,…,q _K−1,q _K ). There exists m ₁∈M ^D s.t. δ _D (m ₁,σ _n )=m=m ₁∥Obs(σ _n ) such that (q _K−n ,…,q _K−n ,q _K−n+1,…,q _K−1)∈m ₁ and (q _K−1,q _K )∈Obs(σ _n ). Let \(\mu ^{\prime }=\sigma _{1}\cdots \sigma _{n-1}\), by induction hypothesis on m ₁ and \(\mu ^{\prime }\), there exists \(s^{\prime \prime }=s^{\prime }\cdot s_{1}{\cdots } s_{n-1}\) with \(P_{{{{\Sigma }_{\mathrm {o}}}}}(s^{\prime })=\epsilon \) and ∀i∈[1,n−1]:P _{Σ o}(s _i )=σ _i such that \({q_{{\text {init}}}^{\mathcal {G}}} \stackrel {s^{\prime }}{\longrightarrow }_{\mathcal {G}} q_{K-n}\stackrel {s_{1}}{\longrightarrow }_{\mathcal {G}} q_{K-n+1}\stackrel {s_{2}}{\longrightarrow }_{\mathcal {G}}\cdots \stackrel {s_{n-1}}{\longrightarrow }_{\mathcal {G}}q_{K-1}\). Now by definition of Obs, there exists \(s_{n}\in {\Sigma }^{*}\) with P _{Σ o}(s _n )=σ _n such that \(q_{K-1}\stackrel {s_{n}}{\longrightarrow }_{\mathcal {G}} q_{K}\). Finally \(s= s^{\prime \prime }\cdot s_{n}\) is such that \({q_{{\text {init}}}^{\mathcal {G}}} \stackrel {s^{\prime }}{\longrightarrow }_{\mathcal {G}}\, q_{K-n} \stackrel {s_{1}}{\longrightarrow }_{\mathcal {G}} q_{1}{\cdots } q_{K-1}\stackrel {s_{n}}{\longrightarrow }_{\mathcal {G}} q_{K}\) and s∈[ [μ] ]_{Σ o}.

  • If |μ|≥K, μ can be written \(\mu =\mu ^{\prime }\cdot \sigma _{1}\cdots \sigma _{K}\). There exists m ₁∈M ^D s.t. δ _D (m ₁,σ _K )=m=m ₁∥Obs(σ _K ). Furthermore, there exists \(q\in Q^{\mathcal {G}}\) s.t. (q,q ₀,…,q _K−1)∈m ₁ and (q _K−1,q _K )∈Obs(σ _K ). By induction hypothesis applied on (q,q ₀,…,q _K−1)∈m ₁, there exists \(s^{\prime \prime }=s^{\prime }\cdot s_{0}{\cdots } s_{K-1}\in [\![\mu ^{\prime }\cdot {\sigma _{0}}\cdots \sigma _{K-1}]\!]_{{\Sigma }_{\mathrm {o}}}\) with ∀i∈[0,K−1]:P _{Σ o}(s _i )=σ _i such that \(q\stackrel {s_{0}}{\longrightarrow }_{\mathcal {G}} q_{0}\stackrel {{s_{1}}}{\longrightarrow }_{\mathcal {G}}{\cdots } \stackrel {s_{K-1}}{\longrightarrow }_{\mathcal {G}}q_{K-1}\). Finally since (q _K−1,q _K )∈Obs(σ _K ), there exists \(s_{K}\in {\Sigma }^{*}\) with P _{Σ o}(s _K )=σ _K such that \(q_{K-1}\stackrel {s_{K}}{\longrightarrow }_{\mathcal {G}} q_{K}\). Overall \(s= s^{\prime \prime }\cdot s_{K}\) is such that \(q_{0}\stackrel {s_{1}}{\longrightarrow }_{\mathcal {G}} q_{1}{\cdots } q_{K-1}\stackrel {s_{K}}{\longrightarrow }_{\mathcal {G}} q_{K}\) and s∈[ [μ] ]_{Σ o}.

3.3 A.2.3 Proposition 4 (p. 42)

We shall prove the soundness and completeness of the synthesized R-Verifiers for K-weak opacity, as exposed in Definition 6. That is, we prove that \(\forall \mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G}),\forall l\in [0,K]:\)

$$\begin{array}{rrcl} &{\Gamma}^{\mathcal{V}}(\delta_{\mathcal{V}}({q_{{\text{init}}}^{\mathcal{V}}},\mu))= \text{leak}_{\mathrm{l}} &\Leftrightarrow & \mu\in \text{leak}(\mathcal{G},P_{{\Sigma}_{\mathrm{o}}},S,\mathsf{O{P_{K}^{W}}},l) \\ \wedge & {\Gamma}^{\mathcal{V}}(\delta_{\mathcal{V}}({q_{{\text{init}}}^{\mathcal{V}}},\mu))= \text{noleak} &\Leftrightarrow & \mu\notin \text{leak}(\mathcal{G},P_{{\Sigma}_{\mathrm{o}}},S,\mathsf{O{P_{K}^{W}}}). \end{array} $$

Proof

We consider \(\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})\) s.t. \(\delta _{D}({m_{{\text {init}}}^{D}},\mu )=m\).

\((\Rightarrow )\)

• If \({\Gamma }^{\mathcal {V}}(\delta _{\mathcal {V}}({q_{{\text {init}}}^{\mathcal {V}}},\mu )) = \text {noleak}\), we have \({\Gamma }^{\mathcal {V}}(m) = \text {noleak}\), that is ∀i∈[0,K]:m(i)∉2^S. Using Proposition 3, we have \(\forall i\in [0,\mathit {min}\{|\mu |,K\}]: m(i)=\delta _{\mathcal {G}}(q_{\text {init}}^{\mathcal {G}}, [\![\mu ^{{\cdots } |\mu |-i-1}/\mu ]\!]_{{\Sigma }_{\mathrm {o}}}) \notin 2^{S}\). That is, \(\forall \mu ^{\prime }\preceq \mu : |\mu -\mu ^{\prime }|_{{{{\Sigma }_{\mathrm {o}}}}} \leq K \Rightarrow [\![\mu /\mu ^{\prime }]\!]_{{\Sigma }_{\mathrm {o}}}\not \subseteq {\mathcal {L}}_{S}(\mathcal {G})\). According to Eq. (1) (p. 21), it means that \(\mu \notin \text {leak}(\mathcal {G}, P_{{\Sigma }_{\mathrm {o}}}, S, \mathsf {O{P_{K}^{W}}})\).

• If \({\Gamma }^{\mathcal {V}}(\delta _{\mathcal {V}}({q_{{\text {init}}}^{\mathcal {V}}},\mu )) = \text {leak}_{\mathrm {l}}\), we have \({\Gamma }^{D}(m) = \text {leak}_{\mathrm {l}}\), that is m(l)∈2^S and ∀i<l:m(i)∉2^S. Similarly, using Proposition 3 we have \([\![\mu ^{{\cdots } |\mu |-l-1}/\mu ]\!]_{{\Sigma }_{\mathrm {o}}} \subseteq {\mathcal {L}}_{S}(\mathcal {G})\) and \(\forall i<l: [\![\mu ^{{\cdots } |\mu |-i-1}/\mu ]\!]_{{\Sigma }_{\mathrm {o}}} \not \subseteq {\mathcal {L}}_{S}(\mathcal {G})\), i.e., according to Eq. (2) (p. 22) \(\mu \in \text {leak}(\mathcal {G}, P_{{\Sigma }_{\mathrm {o}}}, S, \mathsf {OP}^{W}_{K},l)\).

(\(\Leftarrow \))

• If \(\mu \notin \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {O{P_{K}^{W}}})\), that is \(\forall \mu ^{\prime }\preceq \mu : |\mu -\mu ^{\prime }| \leq K \Rightarrow [\![\mu ^{\prime }/\mu ]\!]_{{\Sigma }_{\mathrm {o}}} \not \subseteq {\mathcal {L}}_{S}(\mathcal {G})\). Then using Proposition 3, we have ∀i∈[0,m i n{|μ|,K}]:m(i)∉2^S. Following the definition of R-Verifiers construction, we have \({\Gamma }^{\mathcal {V}}(m) = \text {noleak}\).

• If \(\mu \in \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP}^{W}_{K},l)\), then according to Eq. (1), we have \([\![\mu ^{{\cdots } |\mu |-l-1}/\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}} \subseteq {\mathcal {L}}_{S}(\mathcal {G})\) and \(\forall i<l: [\![\mu ^{{\cdots } |\mu |-i-1}/\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}} \not \subseteq {\mathcal {L}}_{S}(\mathcal {G})\). Now, using Proposition 3, \(\forall i\in \left [0,l\left [:\right .\right . m(i)\notin 2^{S}\) and m(l)∈2^S. According to the definition of the construction of R-Verifiers for K-weak opacity (definitions of \(Q^{\mathcal {V}}\) and \({\Gamma }^{\mathcal {V}}\)), we deduce that \({\Gamma }^{\mathcal {V}}(m) = \text {leak}_{\mathrm {l}}\).

3.4 A.2.4 Proposition 5 (p. 48)

We shall prove the soundness and completeness of the synthesized R-Verifiers for K-strong opacity, as exposed in Definition 6. That is, we prove that \(\forall \mu \in \mathcal {T}_{{\Sigma }_{\mathrm {o}}}(\mathcal {G}),\forall l\in [0,K]:\)

$$\begin{array}{rrcl} &{\Gamma}^{\mathcal{V}}(\delta_{\mathcal{V}}({q_{{\text{init}}}^{\mathcal{V}}},\mu))= \text{leak}_{\mathrm{l}} &\Leftrightarrow & \mu\in \text{leak}(\mathcal{G},P_{{\Sigma}_{\mathrm{o}}},S,\mathsf{O{P_{K}^{S}}},l) \\ \wedge &{\Gamma}^{\mathcal{V}}(\delta_{\mathcal{V}}({q_{{\text{init}}}^{\mathcal{V}}},\mu))= \text{noleak} &\Leftrightarrow & \mu\notin \text{leak}(\mathcal{G},P_{{\Sigma}_{\mathrm{o}}},S,\mathsf{O{P_{K}^{S}}}). \end{array} $$

Proof

We consider \(\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})\) s.t. \(\delta _{D}({m_{{\text {init}}}^{D}},\mu )=m\).

\((\Rightarrow )\)

• If \({\Gamma }^{\mathcal {V}}(\delta _{\mathcal {V}}({q_{{ \text {init}}}^{\mathcal {V}}},\mu ))=\text {noleak}\), i.e., ∃((q _i )_0≤i≤K ,(b _i )_{0≤i≤K−1})∈m ↓ s.t. ∀i∈[0,K]:q _i ∉S, and ∀i∈[0,K−1]:b _i =t r u e. Let us consider \(\mu \in \mathcal {T}_{{\Sigma }_{\mathrm {o}}}(\mathcal {G})\), s.t. \(\delta _{\mathcal {V}}(q_{\text {init}}^{\mathcal {V}},\mu )=m\). If |μ|≥K and \(\mu ={\mu ^{\prime }\cdot \sigma _{0}\cdots \sigma _{K-1}}\), then according to Lemma 2, \(\exists s=s^{\prime }\cdot s_{0}{\cdots } s_{K-1}\in [\![\mu ]\!]_{{\Sigma }_{\mathrm {o}}}\) with \(\forall i\leq K-1: P_{{{{\Sigma }_{\mathrm {o}}}}}(s_{i})=\sigma _{i} \wedge q_{0}\stackrel {s_{0}}{\to }_{\mathcal {G}} q_{1} {\cdots } q_{K-1}\stackrel {s_{K-1}}{\to }_{\mathcal {G}} q_{K}\). Moreover, as ∀i∈[0,K−1]:b _i =t r u e, we can choose s such that \(\forall i\in [0,K-1]:s_{i}\in {\text {Free}^{S}_{1}}({\mathcal {G}(q_{i-1})})\). Consequently \(s_{0}{\cdots } s_{K-1} \in \text {Free}^{S}_{{K}}({\mathcal {G}(q_{0})})\). Let \(s^{\prime \prime }\) be the smallest prefix of \(s^{\prime }\) s.t. \(|s^{\prime \prime }|_{{\Sigma }_{\mathrm {o}}}=|s^{\prime }|_{{\Sigma }_{\mathrm {o}}}\). Necessarily we have \(s^{\prime }=s^{\prime \prime }\). Otherwise, because of the suitability of K-delay trajectory estimators, in m we would have \(((q^{\prime }_{i})_{0\leq i\leq K},(b^{\prime }_{i})_{0\leq i\leq K-1})\) where

  $$\text{redundant}\left(((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1}),((q^{\prime}_{i})_{0\leq i\leq K},(b^{\prime}_{i})_{0\leq i\leq K-1})\right) $$

  would hold, which is a contradiction with ((q _i )_0≤i≤K ,(b _i )_{0≤i≤K−1})∈m ↓. Overall \(s\in {\text {Free}^{S}_{K}}({\mathcal {G}})\) and \(s\in [\![\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\cap {\text {Free}^{S}_{K}}({\mathcal {G}})\) which means that \(\mu \notin \text {leak}(\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},S,\mathsf {OP}^{S}_{K})\) (the case where |μ|<K is similar).

• If \({\Gamma }^{\mathcal {V}}(\delta _{\mathcal {V}}({q_{{ \text {init}}}^{\mathcal {V}}},\mu ))=\text {leak}_{\mathrm {l}}\) for some l∈[1,K], i.e., \(l= {\min } \{l^{\prime }\in [1,K] \mid \forall ((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in m, \exists i\leq l^{\prime }: q_{K-i}\in S \vee b_{K-i}={\mathit {false}}\}\). Let us suppose that |μ| ≥ K (the case where |μ|<K is similar), \(\mu =\mu ^{\prime }\cdot \sigma _{0}{\cdots } \sigma _{K-1}\). Now, let us consider \(s\in [\![\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}, s=s^{\prime }\cdot s_{0}{\cdots } s_{K-1}\) with ∀i≤K−1:P _{Σ o}(s _i )=σ _i . By definition, there exists (q _i )_0≤i≤K s.t. \(q_{\text {init}}^{\mathcal {G}}\stackrel {s^{\prime }}{\longrightarrow }_{\mathcal {G}} q_{0} \stackrel {s_{0}}{\longrightarrow }_{\mathcal {G}} q_{1} {\cdots } \stackrel {s_{K-1}}{\longrightarrow }_{\mathcal {G}} q_{K}\) and according to Lemma 1, there exists (b _i )_{0≤i≤K−1} s.t. ((q _i )_0≤i≤K ,(b _i )_{0≤i≤K−1})∈m. By hypothesis, there exists i≤l s.t. q _K−i ∈S or b _K−i =f a l s e.

  • If q _K−i ∈S then \(s^{\prime }\cdot s_{0} {\cdots } s_{K-i-1} \in \mathcal {L}_{S}(\mathcal {G})\). Moreover, we have \(|s - s^{\prime }\cdot s_{0} {\cdots } s_{K-i-1}|_{{\Sigma }_{\mathrm {o}}} \leq l\), which gives us the expected result.

  • If b _K−i =f a l s e, meaning that \(s_{K-i}{\notin \text {Free}_{1}^{S}}(\mathcal {G}(q_{K-i}))\), then there exists a prefix \(s_{K-i}^{\prime }\) of s _K−i s.t. \(s^{\prime \prime }=s^{\prime }\cdot s_{0}{\cdots } s_{K-i}^{\prime }\in \mathcal {L}_{S}(\mathcal {G})\). Moreover, we have either \(P_{{\Sigma }_{\mathrm {o}}}(s_{K-i}^{\prime })=\sigma _{K-i}\) or \(P_{{\Sigma }_{\mathrm {o}}}(s_{K-i}^{\prime })=\epsilon \). In both cases, we have \(|s-s^{\prime \prime }|_{{\Sigma }_{\mathrm {o}}}\leq l\), which gives us again the expected result.

  Consider now \(l^{\prime }<l\), then \(\exists ((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1})\in m, \forall i\leq l^{\prime }: q_{K-i}\notin S \wedge b_{K-i}={\mathit {true}}\), which entails that all the sequences that match the elements of m belong to \(\text {Free}^{S}_{l^{\prime }}(\mathcal {G})\) and thus \(\mu \in \text {leak}(\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},S,\mathsf {OP}^{S}_{K},l)\).

• If \({\Gamma }^{\mathcal {V}}(\delta _{\mathcal {V}}({q_{{ \text {init}}}^{\mathcal {V}}},\mu ))=\text {leak}_{0}\), then ∀((q _i )_0≤i≤K ,(b _i )_{0≤i≤K−1})∈m,q _K ∈S, which entails that \([\![\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\subset \mathcal {L}_{S}(\mathcal {G})\) and thus \(\mu \in \text {leak}(\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},S,\mathsf {OP}^{S}_{K},0)\).

\((\Leftarrow )\)

• If \(\mu \notin \text {leak}(\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},S,\mathsf {OP}^{S}_{K})\). It means that there exists \(s\in [\![\mu ]\!]_{{\Sigma }_{\mathrm {o}}}\cap {\text {Free}_{K}^{S}}(\mathcal {G})\). Let \(m=\delta _{D}({m_{{\text {init}}}^{D}},\mu )\). According to Lemma 1, there exist \(s^{\prime },s_{1},\ldots , s_{K}\in {\Sigma }^{*}\) s.t.:

  • \(s=s^{\prime }\cdot s_{1}{\cdots } s_{K}\),

  • ∀i≤K:P _{Σ o}(s _i )=σ _i ,

  Each trajectory ((q _i )_0≤i≤K ,(b _i )_{0≤i≤K−1}) in \(\delta _{D}({m_{{ \text {init}}}^{D}},\mu )\) are s.t. \(q_{0}\stackrel {s_{1}}{\to }_{\mathcal {G}} q_{1}{\cdots } q_{K-1}\stackrel {s_{K}}{\to }_{\mathcal {G}} q_{K}\). At least one trajectory in \(\delta _{D}(m_{\text {init}}^{D},\mu )\) is not redundant with the others. We have \(((q_{i})_{0\leq i\leq K},(b_{i})_{0\leq i\leq K-1}) \in \delta _{D}(m_{\text {init}}^{D},\mu )\downarrow \). Let us note ((q _i )_0≤i≤K ,(b _i )_{0≤i≤K−1}) this trajectory. Now as \(s\in {\text {Free}^{S}_{K}}(\mathcal {G})\), it is easy to see that ∀i∈[0,K−1]:b _i =t r u e. Finally \({\Gamma }^{\mathcal {V}}(\delta _{\mathcal {V}}(q_{\text {init}}^{\mathcal {V}},\mu ))={\Gamma }^{\mathcal {V}}(m)=\text {noleak}\).

• If \(\mu \in \text {leak}(\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},S,\mathsf {OP}^{S}_{K},l)\) for some l∈[1,K]. By hypothesis, we have \([\![\mu ]\!]_{{\Sigma }_{\mathrm {o}}} \cap {\text {Free}^{S}_{l}}(\mathcal {G}) = \emptyset \) and \(\forall l^{\prime }<l:[\![\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}} \cap {\text {Free}^{S}_{l}}(\mathcal {G}) \neq \emptyset \). Let \(\delta _{D}({m_{{\text {init}}}^{D}},\mu )=m\) and ((q _i )_0≤i≤K ,(b _i )_{0≤i≤K−1})∈m. According to Lemma 2, \(\exists s_{1},\ldots , s_{K}\in {\Sigma }^{*}: s=s^{\prime }\cdot s_{1}{\cdots } s_{K}\) such that ∀i≤K:P _{Σ o}(s _i )=σ _i , s∈[ [μ] ]_{Σ o} and \(q_{0}\stackrel {s_{1}}{\to }_{\mathcal {G}} q_{1}{\cdots } q_{K-1}\stackrel {s_{K}}{\to }_{\mathcal {G}} q_{K}\). As \(s\notin {\text {Free}^{S}_{l}}(\mathcal {G})\), there exists i≤l such that either q _K−i ∈S or \(s_{K-i}\notin {\text {Free}^{S}_{1}}(\mathcal {G}(q_{K-i}))\), which entails, by construction that b _K−i =f a l s e. Now for \(l^{\prime }<l\), there exists \(s\in [\![\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\cap \text {Free}^{S}_{l^{\prime }}(\mathcal {G})\). To this s, we can associate an element ((q _i )_0≤i≤K ,(b _i )_{0≤i≤K−1})∈m ↓ (among the non-redundant trajectories of m) s.t. \(\forall i\in [0,l^{\prime }]\): \(q_{K-i}\notin S \wedge \forall i\in [{1},l^{\prime }]: b_{K-i}=\mathit {true}\), which entails that l is the smallest number s.t. ∀((q _i )_0≤i≤K ,(b _i )_{0≤i≤K−1})∈m, ∃i≤l:q _K−i ∈S or b _K−i =f a l s e.

• If \(\mu \in \text {leak}(\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},S,\mathsf {OP}^{S}_{K},0)\), then by definition \([\![\mu ]\!]_{{{{\Sigma }_{\mathrm {o}}}}}\subseteq \mathcal {L}_{S}(\mathcal {G})\) and thus ∀((q _i )_0≤i≤K ,(b _i )_{0≤i≤K−1}) ∈m:q _K ∈S, which concludes the proof.

A.3 Proofs of Section 6

4.1 A.3.1 Proposition 6 (p. 73)

For a K-delay trajectory estimator \(D=(M^{D},{m_{{ \text {init}}}^{D}},{{{\Sigma }_{\mathrm {o}}}},\delta _{D})\) associated to a system \(\mathcal {G}\), we prove that the K-step based opacity \(\mathsf {OP_{K}}\in \{\mathsf {O{P_{K}^{W}}},\mathsf {O{P_{K}^{S}}}\}\) of the secret S is enforceable by an R-Enforcer with memory size T if and only if (9), i.e., if and only if

$$\max \{{\text{hold}}_{\mathsf{OP_{K}}}(m)\mid m\in M^{D}\} \leq T. $$

Proof

This is a direct consequence of Proposition 3 and the definition of \(\text {safe}_{\mathsf {OP}}(\mu ,\mu ^{\prime })\) (Definition 12). Indeed, (9) \(\Leftrightarrow \max \{K+1-l_{m}\mid m\in M^{D}\} \leq T \), with l _m s.t. \(\forall \mu \in \mathcal {T}_{{\Sigma }_{\mathrm {o}}}(\mathcal {G}): \delta _{D}(m_{\text {init}}^{D},\mu )= m\Rightarrow \mu \in \text {leak}(\mathcal {G},P_{{\Sigma }_{\mathrm {o}}},S,\mathsf {OP_{K}},l_{m})\). Furthermore, using Lemma 3, one can notice that the previous proposition is equivalent to

$$\max_{\mu\in\mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G})} \left\{K+1-l_{m}\mid \delta_{D}({q_{{\text{init}}}^{D}},\mu)=m\wedge \mu\in\text{leak}(\mathcal{G},P_{{\Sigma}_{\mathrm{o}}},S,\mathsf{OP_{K}},l_{m})\right\}\leq T. $$

Moreover, from the definition of safe, for a trace \(\mu \in \text {leak}(\mathcal {G},P_{{{{\Sigma }_{\mathrm {o}}}}},S,\mathsf {OP_{K}},l)\), one can notice that \(K+1-l = \min \{|\mu ^{\prime }|-|\mu |\mid \mu \preceq \mu ^{\prime } \wedge \text {safe}_{\mathsf {OP_{K}}}(\mu ^{\prime },\mu )\}\) with the convention that l=K+1 when \(\mu \notin \text {leak}(\mathcal {G},P_{{\Sigma }_{\mathrm {o}}},S,\mathsf {OP_{K}})\). Then (9)\(\Leftrightarrow \max _{\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})}\left \{\min \{|\mu ^{\prime }|-|\mu |\mid \mu \preceq \mu ^{\prime } \wedge \text {safe}(\mu ^{\prime },\mu )\}\right \}\leq T\).

4.2 A.3.2 Proposition 7 (p. 77)

Proof

We shall prove that: \(\forall \mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G}), \exists o\preceq \mu : \mu \Downarrow _{\mathcal {E}} o \Rightarrow \)

$$\begin{array}{r} \mu\notin \text{leak}(\mathcal{G},P_{{{{\Sigma}_{\mathrm{o}}}}},S,\mathsf{OP_{0}}) \Rightarrow o = \mu \hspace{2em} \hspace{1em} \text{(5)}\\ \mu\in\text{leak}(\mathcal{G},P_{{{{\Sigma}_{\mathrm{o}}}}},S,\mathsf{OP_{0}}) \Rightarrow o = \max\{\mu^{\prime}\in\mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G})\mid \mu^{\prime}\preceq\mu \wedge \text{safe}_{\mathsf{OP_{0}}}(\mu,\mu^{\prime})\} \hspace{1em} \text{(6)} \end{array} $$

Let us consider \(\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})\), the proof is conducted by induction on |μ|.

If |μ|=1, then ∃σ∈Σ_o:μ=σ. The run of μ on \({\mathcal {E}}\) can be expressed \(\text {run}(\mu ,{\mathcal {E}})= (q_{\text {init}}^{\mathcal {E}}, \sigma /\alpha , q_{1})\) with \(q_{1}\in Q^{\mathcal {E}}, {\Gamma }^{\mathcal {E}}(q_{1})= \alpha \). The R-Enforcer’s evolution of configurations is \((q_{\text {init}}^{\mathcal {E}}, \sigma , \epsilon _{\mathcal {M}}) \stackrel {o}{\hookrightarrow } (q,\epsilon _{{\Sigma }_{\mathrm {o}}},m)\) with \(\alpha (\sigma ,\epsilon _{\mathcal {M}})= (o,m)\). Let us distinguish according to whether \(\sigma \in \text {leak}(\mathcal {G}, P_{{\Sigma }_{\mathrm {o}}}, S, \mathsf {OP_{0}})\) or not.

• If \(\sigma \notin \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\), then we use the correctness of R-Verifiers synthesized from K-delay trajectory estimators (Proposition 4). The state m ₁ corresponding to q ₁ in the corresponding K-delay trajectory estimator is s.t. m ₁(0)∉2^S. Then, using the definition of R-Enforcers synthesis from K-delay trajectory estimators, we have α∈{dump,off}. Using the definition of enforcement operations, we have: \(\text {free}\circ \text {delay} (\epsilon _{\mathcal {M}}) = \epsilon _{\mathcal {M}}\), \(o=\sigma \cdot (\epsilon _{\mathcal {M}})_{\downarrow {\Sigma }_{\mathrm {o}}}=\sigma \), \(m=\epsilon _{\mathcal {M}}\). Thus, we find (5).

• If \(\sigma \in \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\), then, similarly following from the correctness of R-Verifier synthesized from K-delay trajectory estimators (Proposition 4), we have α=store₁. Similarly, we can find that o=𝜖 _{Σ o} and m=(σ,1). Furthermore, as \(\text {safe}_{\mathsf {OP_{0}}}(\sigma ,\epsilon _{{\Sigma }_{\mathrm {o}}})\), we have (6).

Let us consider \(\mu \in {{{\Sigma }_{\mathrm {o}}^{*}}}\) s.t. |μ|=n s.t. (5) and (6) hold. Let us note μ=σ ₀⋯σ _n−1, and consider μ⋅σ. The run of μ⋅σ on \({\mathcal {E}}\) can be expressed

$$\text{run}(\mu\cdot \sigma, {\mathcal{E}})= ({q_{{\text{init}}}^{\mathcal{E}}}, \sigma_{0}/\alpha_{0},q_{1}){\cdots} (q_{n-1},\sigma_{n-1}/\alpha_{n-1},q_{n})\cdot (q_{n},\sigma/\alpha,q_{n+1})</p><p class="noindent">$$

with \(\forall i\in [1,n+1]: q_{i}\in Q^{\mathcal {E}}, \alpha \in \{{\text {store}_1},\text {dump},\text {off}\}\), and ∀i∈[0,n−1]:α _i ∈{store₁,dump,off}. Let us distinguish again according to whether \(\mu \cdot \sigma \in \text {leak}(\mathcal {G}, P_{{\Sigma }_{\mathrm {o}}}, S, \mathsf {OP_{0}})\) or not.

• If \(\mu \cdot \sigma \notin \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\), then following the reasoning for the induction basis, we know that α∈{off,dump}. Using the induction hypothesis, there exists \(o\in \mathcal {T}_{{\Sigma }_{\mathrm {o}}}(\mathcal {G})\) s.t. \(\mu \Downarrow _{\mathcal {E}} o\) and the constraints (5) and (6) hold.

  Now we distinguish two cases according to whether \(\mu \in \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\) or not.

  • If \(\mu \notin \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\), from (5), we know that o=μ. Then, μ induces the following evolution of configurations for \({\mathcal {E}}\):

    $$({q_{{\text{init}}}^{\mathcal{E}}}, \sigma_{0}\cdots\sigma_{n-1}\cdot\sigma,\epsilon_{\mathcal{M}})\stackrel{o_{0}}{\hookrightarrow} (q_{1},\sigma_{1}{\cdots} \sigma_{n-1}\cdot\sigma,m_{1})\stackrel{o_{1}}{\hookrightarrow} {\cdots} \stackrel{o_{n-1}}{\hookrightarrow} (q_{{n}},\sigma,\epsilon_{\mathcal{M}}) $$

    with o ₀⋯o _n−1=o=σ ₀⋯σ _n−1. Since α∈{off,dump}, \(\alpha (\sigma ,\epsilon _{\mathcal {M}})= (\sigma ,\epsilon _{\mathcal {M}})\). Then, we deduce the following evolution of configurations:

    $$({q_{{\text{init}}}^{\mathcal{E}}}, \mu\cdot\sigma,\epsilon_{\mathcal{M}}) {\cdots} \stackrel{o_{n-1}}{\hookrightarrow} (q_{{n}},\sigma,\epsilon_{\mathcal{M}})\stackrel{\sigma}{\hookrightarrow} (q_{{n+1}},\epsilon_{{\Sigma}_{\mathrm{o}}},\epsilon_{\mathcal{M}}). $$

    Then, we deduce \(\mu \cdot \sigma \Downarrow _{\mathcal {E}} \mu \cdot \sigma \), which gives us (5).

  • Else (\(\mu \in \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\)), from (6), we know that \(o=\max \{\mu ^{\prime }\in \mathcal {T}_{{\Sigma }_{\mathrm {o}}}(\mathcal {G})\mid \mu ^{\prime }\preceq \mu \wedge \text {safe}_{\mathsf {OP_{0}}}(\mu ,\mu ^{\prime })\}\), i.e., using the definition of \(\text {safe}_{\mathsf {OP_{0}}}\), o=σ ₀⋯σ _n−2. Then, μ induces the following evolution of configurations for \({\mathcal {E}}\):

    $$({q_{{\text{init}}}^{\mathcal{E}}}, \mu\cdot\sigma,\epsilon_{\mathcal{M}})\stackrel{o_{0}}{\hookrightarrow} {\cdots} \stackrel{o_{n-1}}{\hookrightarrow} (q_{{n}},\sigma,(\sigma_{n-1},1)) $$

    with o ₀⋯o _n−1=o=σ ₀⋯σ _n−2, and o _n−1=𝜖 _{Σ o}. Since α∈{off,dump}, \(\alpha (\sigma ,(\sigma _{n-1},1))= (\sigma _{n-1}\cdot \sigma ,\epsilon _{\mathcal {M}})\). Then, we deduce the following evolution of configurations:

    $$({q_{{\text{init}}}^{\mathcal{E}}}, \mu\cdot\sigma,\epsilon_{\mathcal{M}}) {\cdots} \stackrel{{o_{n-1}}}{\hookrightarrow} (q_{{n}},\sigma,(\sigma_{n-1},1))\stackrel{\sigma_{n-1}\cdot\sigma}{\hookrightarrow} (q_{{n+1}},\epsilon_{{\Sigma}_{\mathrm{o}}}, {\epsilon_{\mathcal{M}}}). $$

    Then, we deduce \(\mu \cdot \sigma \Downarrow _{\mathcal {E}} \mu \cdot \sigma \), i.e., (5).

• Else (\(\mu \cdot \sigma \in \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{0}})\)), the same reasoning can be followed: we distinguish according to whether \(\mu \in \text {leak}(\mathcal {G}, P_{{\Sigma }_{\mathrm {o}}}, S, \mathsf {OP_{0}})\) or not, apply the induction hypothesis, and use the definition of enforcement operations.

4.3 A.3.3 Proposition 8 (p. 78)

Proof

We shall prove that, for \(\mathsf {OP_{K}}\in \{\mathsf {O{P_{K}^{W}}},\mathsf {O{P_{K}^{S}}}\}\): \(\forall \mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G}), \exists o\preceq \mu : \mu \Downarrow _{\mathcal {E}} o \Rightarrow \) (5) ∧ (6), where:

$$\begin{array}{r} \mu\notin \text{leak}(\mathcal{G},P_{{{{\Sigma}_{\mathrm{o}}}}},S,\mathsf{OP_{K}}) \Rightarrow o = \mu \hspace{2em} \text{(5)}\\ \mu\in\text{leak}(\mathcal{G},P_{{{{\Sigma}_{\mathrm{o}}}}},S,\mathsf{OP_{K}}) \Rightarrow o = \max\{\mu^{\prime}\in\mathcal{T}_{{{{\Sigma}_{\mathrm{o}}}}}(\mathcal{G})\mid \mu^{\prime}\preceq\mu \wedge \text{safe}_{\mathsf{OP_{K}}}(\mu,\mu^{\prime})\}. \hspace{1em} \text{(6)} \end{array} $$

Let us consider \(\mu \in \mathcal {T}_{{{{\Sigma }_{\mathrm {o}}}}}(\mathcal {G})\), the proof is conducted by induction on |μ|. Moreover, the proof is done for \(\mathsf {OP_{K}}\in \{\mathsf {O{P_{K}^{W}}},\mathsf {O{P_{K}^{S}}}\}\), a K-step based notion of opacity (independently from whether it is weak or strong), since we will use the function \(\text {hold}_{\mathsf {OP_{K}}}()\) for the state of the underlying trajectory estimator and the traces of the system.

If |μ|=1, then ∃σ∈Σ_o:μ=σ. The run of μ on \({\mathcal {E}}\) can be expressed \(\mathit {run}(\mu ,{\mathcal {E}})= (q_{\text {init}}^{\mathcal {E}}, \sigma /\alpha , q_{1})\) with \(q_{1}\in Q^{\mathcal {E}}, {\Gamma }^{\mathcal {E}}(q_{1})= \alpha \). The R-Enforcer’s evolution of configurations is \((q_{\text {init}}^{\mathcal {E}}, \sigma , \epsilon _{\mathcal {M}}) \stackrel {o}{\hookrightarrow } (q_{1},\epsilon _{{\Sigma }_{\mathrm {o}}},m)\) with \(\alpha (\sigma ,\epsilon _{\mathcal {M}})= (o,m)\). Let us distinguish two cases according to whether \(\sigma \in \text {leak}(\mathcal {G}, P_{{\Sigma }_{\mathrm {o}}}, S, \mathsf {OP_{K}})\) or not.

• If \(\sigma \notin \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{K}})\), then we use the correctness of R-Verifiers synthesized from K-delay trajectory estimators (Proposition 4). Using the definition and the properties of the function hold (Section 6.3, paragraph “When is the opacity of a secret enforceable on a system?”), the state m ₁ corresponding to q ₁ in the corresponding K-delay estimator is s.t. \(\text {hold}_{\mathsf {OP_{K}}}(\delta _{D}(m_{\text {init}}^{D},\sigma ))=\text {hold}_{\mathsf {OP_{K}}}(m_{1})= 0\). Then, using the definition of R-Enforcers synthesis, we have α∈{dump,off}. Using the definition of enforcement operations, we have: \(\text {free}\circ \text {delay} (\epsilon _{\mathcal {M}}) = \epsilon _{\mathcal {M}}\), \(o= (\epsilon _{\mathcal {M}})_{\downarrow {\Sigma }_{\mathrm {o}}} \cdot \sigma =\sigma \), \(m=\epsilon _{\mathcal {M}}\). Thus, we find (5).

• If \(\exists k\in [0,K]:\sigma \in \text {leak}(\mathcal {G}, P_{{{{\Sigma }_{\mathrm {o}}}}}, S, \mathsf {OP_{K}},k)\), then necessarily k∈{0,1}. Similarly, following from the correctness of R-Verifiers synthesized from K-delay trajectory estimators (Propositions 4 and 5) and the definition of \(\text {hold}_{\mathsf {OP_{K}}}\), we have \(\text {hold}_{\mathsf {OP_{K}}}(\delta _{D}(m_{\text {init}}^{D},\sigma ))=\text {hold}_{\mathsf {OP_{K}}}(m_{1})=K+1-k\). From the definition of R-Enforcer synthesis, it follows that α=store _d with d=K+1−k. Similarly, we can find that o=𝜖 _{Σ o} and m=(σ,d). Furthermore, as \(\text {safe}_{\mathsf {OP_{K}}}(\sigma ,\epsilon _{{\Sigma }_{\mathrm {o}}})\), we have (6).

The induction case is performed again by distinguishing according to the opacity leakage of μ⋅σ. Similarly to the induction basis, we use the links between \(\text {hold}_{\mathsf {OP_{K}}}\) applied to the states of the underlying trajectory estimator and the correctness of R-Verifiers. Then, one can easily show, using the definitions of enforcement operations, that the synthesized R-Enforcer is sound and transparent. Furthermore, one has to notice that, when an R-Enforcer produces a halt operation while reading a (partial) trace μ, no extension \(\mu ^{\prime }\) of μ s.t. \(|\mu ^{\prime }|-|\mu |\leq T\) can lead μ to be safely produced (i.e., \(\mu ^{\prime }\) s.t. \(\text {safe}_{\mathsf {OP_{K}}}(\mu ^{\prime },\mu )\)).