Optimal Opacity-Enforcing Supervisory Control of Discrete Event Systems on Choosing Cost

1. Introduction

In modern society, when important information of enterprises is released online, it generally needs to be as complete as possible. In order to keep the security and opacity of important data transmission, it is necessary to use some unimportant data to confuse and make it difficult to distinguish for adversary. The more information is used to confuse important data, the better it is. Therefore, some papers [e.g. 1,2,3,4] discussed the issue of maximum opaque sublanguage. However, in reality, due to the cost involved in using data transmission, it is better to require less unimportant data and lower transmission costs. Therefore, this paper proposes an optimization mathematical model to find the most cost-effective information to confuse the important data to be released, and proposes an algorithm to obtain the optimal control strategy.

In 2004, opacity was first introduced to analyze cryptographic protocols in [5]. In 2005, the research modeled as Petri nets in [6] brought opacity to the field of discrete event systems (DES). Afterwards, the researches on opacity in DES were boomed up. In DES models, the definition of opacity was divided into two cases: language-based opacity([1,7,8] (e.g. strongly opacity([7], weakly opacity [7] and non-opacity [7]) and state-based opacity [6,9,10,11,12,13] (e.g. current-state opacity [6,9], Initial-state opacity [6], Initial-and-final-state opacity [13], K-step opacity [9,10,11], Infinite-step opacity [12,14]).[15] extended the works of [13] and showed that the various notions of opacity can be transformable to each other. Then, [16] unified the existing notions of opacity and provide a general framework. With the definition of opacity, the verification approach was investigated in the previous works. Once a system was not opaque, supervisory control theory [1,4,17] or the enforcement approach [18,19,20,21,22] was presented to ensure opacity in the system. In general, supervisory control theory restricts the behavior of the system to ensure the opacity, whereas the enforcement approach does not restrict, but modify the output of the system to ensure the opacity. For example, [1] used fix-point theory to check the opacity of the closed-system at every iterations to achieve the maximal permissive supervisor on condensed state estimates. [4] got the maximal permissive supervisor by using the refining of the plant and observer instead of condensed state estimates. [17] transformed strong infinite- and k-step opacity into a language and presents an algorithm to enforce infinite- and k-step opacity by supervisor. [18] extended the synthesis of insertion function from current-state opacity [23] to infinite-step opacity and K-step opacity. [19] inserted fictitious events at the output of the systems to enforce the opacity of the system. And some works [20,21] extended the method of [19], where [20] discussed a problem of opacity enforcement under energy constraints and [21] studied supervisory control under local mean payoff constraints. [22] verified and enforced the current-state opacity opacity based on an algebraic state space approach for partially-observed finite automaton.

To ensure opacity, [24] proposed some algorithms to design a controller to control information released to the public. And then, [25] extended the work of [24] and presented an algorithm for finding minimal information release policies for non-opacity. [26] assigned a reward for revealing the information of each transition and finds the maximum guaranteed payoff policy for the weighted DES. [27] proposed a dynamic information release mechanism to verify current-state opacity, where information is partially released and state-dependent.

To ensure opacity, the secret is preserved by enabling/disabling some events to restrict the behavior of the system. If cost functions are defined in DES, two types optimal supervisory control problem are developed: one is for event cost, and the other is for control cost. For example, [28] defined the cost of events to design a supervisor to minimize the total cost to reach the desired states. Then, [29] extended the framework to partial observation of the system. Afterwards, [30] investigated mean payoff supervisory control problem for a system where each event has an integer associated to it. In [31,32], the costs of choosing control input and occurring event were defined and two optimal problems to minimize the maximal discounted total cost among all possible strings generated in the systems were solved by using Markov decision processes.

In contrast to supremal opaque sublanguage of the plant in [1,2,3,4,8], we want to find a ’smallest’ closed controllable sublanguage of the plant, with respect to which the secret is not only opaque, but also ’largest’. Since the class of opaque languages is not closed under intersection [8], ’smallest’ is not in terms of set inclusion, but in terms of minimal discount total choosing cost. On the other hand, ’largest’ is in terms of set inclusion, where it means the union of all the elements of the class of confused secret. To describe the optimal problem, a non-linear optimal supervisory control model is proposed by introducing the concept of choosing cost.

The paper is organized as follows. Section 2 establishes the background on supervisory control theory, opacity and choosing cost of DES. In Section 3, we present an optimal supervisory control problem that are model by a non-linear programing with two constraint conditions. In Section 4, we consider two scenarios to compute the non-linear programing. Firstly, we suppose that the plant can ensure the secret is opaque. Then, a simply model on the non-linear programming is presented. Based on the structure of the secret’s closure, two algorithms and three theorems are put forward. Secondly, we suppose that the plant can not ensure the secret is opaque. A generalized algorithm and theorem are proposed to solve the non-linear programing. Finally, the main contribution of the work is discussed in Section 5.

2. Preliminary

2.1. Supervisory Control Theory

We consider a DES modeled by a determined finite transition system $G=(Q,\Sigma ,\delta ,q_0)$, where Q is a finite set of states, $\Sigma$ is a finite set of events labeled in the transition, a partial function $\delta :\Sigma \times Q\to Q$ is the transition function and $q_0\in Q$ is the initial state. A run of G is a finite non-empty sequence $q_0{\sigma }_1{q}_1{\sigma }_2\cdots q_{n-1}{\sigma }_n$, where $q_i\in Q,{\sigma }_{i+1}\in \Sigma$ and $q_{i+1}=\delta (q_i,{\sigma }_i)$ for $i=1\cdots n-1$. The trace $tr(\rho )$ of the run $\rho$ is ${\sigma }_1{\sigma }_2\cdots {\sigma }_n$. The languages of G is the set of all traces of runs of G, and it is denoted $L(G)=\{s\in {\Sigma }^{*}|\delta (s,q_0)!\}$. The event set $\Sigma$ is assumed to be partitioned into controllable event set ${\Sigma }_c$ and the uncontrollable event set ${\Sigma }_u$, where $\Sigma ={\Sigma }_c\dot{\cup }{\Sigma }_u$. Each subset of events is a control pattern, and the set of all control patterns is denoted by $\Gamma =\left\{\gamma \right|{\Sigma }_u\subseteq \gamma \subseteq \Sigma \}$. A supervisor for G is any map $f:L(G)\to \Gamma$. For system G, we denote ${\Gamma }^{L(G)}$ as the set of supervisors. The closed behavior of $f/G$, i.e. G under the supervision of f, is defined to be the language $L(f/G)\subseteq L(G)$ described as follows.

• $ϵ\in L(f/G)$;
• $s\sigma \in L(f/G)\iff s\in L(f/G),s\sigma \in L(G),\sigma \in f(s)$.

For a language $K\subseteq L(G)$, the notation $\overline{K}$ is said to be the prefix(-closure) of K. K is said to be (prefix-)closed if $\overline{K}=K$.

Definition 1 

([33]). Given a non-empty language K. Then, K is said to be controllable if $\overline{K}{\Sigma }_u\cap L(G)\subseteq \overline{K}$.

A necessary and sufficient condition for the existence of supervisor is given as follows.

Theorem 1 

([33]). Given a non-empty language $K\subseteq L(G)$. Then, there exists a supervisor f such that $L(f/G)=K$ if and only if K is a controllable and closed language.

2.2. Supervisory Control for Opacity

Assume that adversary can be aware of any supervisor’s control policy, a subset ${\Sigma }_a$ of the events can be seen by adversary through an observable function $\theta :{\Sigma }^{*}\to {\Sigma }_a^{*}$. An adversary’s observation of system is denoted by $obs(G)=\{Q_a,{\Sigma }_a,{\delta }_a,q_{0a}\}$, which is an observer of system G. If an observer of the system is unable to clearly determine some secret information, we give the following definition of opacity.

Definition 2 

([1,7]). Given system G and non-empty language K. For any $s\in K\cap L(G)$, if there exists $s^{\prime }\in L(G)-K$ such that $\theta (s)=\theta (s^{\prime })$, we say K is (strongly) opaque w.r.t. $L(G)$ and ${\Sigma }_a$.

If the condition of Definition 2 can not be met, we say K is not (strongly) opaque w.r.t. $L(G)$ and ${\Sigma }_a$. For the definition of non-opacity, it is different with that of [7].

In [8], since opaque language have a desirable property that it is closed under union, there exists supremal controllable closed and opaque sublanguages of the system [1,4]. In [1,4,8], different works about supremal controllable closed and opaque sublanguage has been computed.

2.3. The Definition of Choosing Cost

In [31,32], two optimal control models of DES are presented, based on the costs of choosing a control input and of occurring an event respectively. In this paper, the choosing cost is from the definition of the cost of choosing control input after some string of [31,32]. For a given DES G, we let $c(s,\gamma )$ be the cost of choosing control input $\gamma$ at string s, where $s\in L(G)$ and $\gamma \in \Gamma$. For any supervisor $f:L(G)\to \Gamma$, we call $c(s,f)=c(s,f(s))$ the cost of choosing $f(s)$ after s under the supervision of f. All in all, we simply call $c(s,\gamma )$ (or $c(s,f)$) the choosing cost.

3. Optimal Supervisory Control Model on Opacity

In the section, an optimal supervisory control model is constructed to minimize the choosing cost of the controlled system which is opaque. Given a system G and a secret $K\subseteq L(G)$, as shown in [1], secret K is a regular language. For secret K, we suppose there exists a set of secret states $Q_s\subseteq Q$ which can recognize secret K, i.e. $s\in K$ iff $\delta (q_0,s)\in Q_s$.

To show the cost of information released, we introduce the cost of choosing control input in [31,32] and give a definition of total choosing cost as follows.

Definition 3. 

Given a closed-loop behavior $L(f/G)$, the discount total choosing cost of $L(f/G)$ is defined as $V(L(f/G),f)={\displaystyle \sum _{s\in L(f/G)}^{ }}{\beta }^{\left|s\right|}c(s,f)$, where f is a supervisor controlling the system G and $\beta >0$ is a discount factor. For convenience, $V(L(f/G),f)$ is simplified as $V(L(f/G))$.

For system G, if there exist two supervisors $f_1$ and $f_2$ such that $L(f_1/G)\subseteq L(f_2/G)$, it is obvious that $V(L(f_1/G))\le V(L(f_2/G))$ by Definition 3.

To obtain the discount total choosing cost, we give a definition about discount cost by the sum of choosing cost after s under f.

Definition 4. 

$V_s(t_n)={\displaystyle \sum _{k=0}^n}{\beta }^{\left|s\right|+k}c(s{t}_k,f_{s{t}_n}$ is said to be the discount cost of choosing $t_n={\sigma }_1{\sigma }_2\cdots {\sigma }_n$ after s under f, where $f_{s{t}_n}(s{t}_k)=f(s{t}_k)\cap {\Sigma }_{s{t}_n}(s{t}_k)$ and $t_0=\epsilon$. Particularly, if $s=ϵ$, then $s{t}_n=t_n$ and $V_{ϵ}(t_n)={\displaystyle \sum _{k=0}^n}{\beta }^{k}c(t_k,f_{t_n}$.

In Definition 4, if some string can be divided into two pieces, a formula is formulated to simplify the computation of discount cost in the following theorem.

Theorem 2. 

Given $t=s{t}^{\prime }$. Then we have that $V_{ϵ}(t)=V_{ϵ}(s)+V_s(t^{\prime })$

Proof. 

For $t=s{t}^{\prime }$, we have proved the following formula, where $s={\sigma }_1{\sigma }_2\cdots {\sigma }_{\left|s\right|}$ and $t^{\prime }={\sigma }_{\left|s\right|+1}{\sigma }_{\left|s\right|+2}\cdots {\sigma }_{\left|s\right|+n}$.

$$\begin{array}{ccc}\hfill V_{ϵ}(t)& & =\sum _{k=0}^{\left|s\right|+n}{\beta }^{k}c(t_k,f_t)\hfill \\ & & =c(\epsilon ,f_s+\beta c({\sigma }_1,f_s)+\cdots +{\beta }^{\left|s\right|}c(s,f_s)+\sum _{k=0}^n{\beta }^{\left|s\right|+k}c(s{t}_k^{\prime },f_{s{t}^{\prime }}\hfill \\ & & =\sum _{k=0}^{\left|s\right|}{\beta }^{k}c({\sigma }_1\cdots {\sigma }_k,f_s)+\sum _{k=0}^n{\beta }^{\left|s\right|+k}c(s{t}_k^{\prime },f_{s{t}^{\prime }}\hfill \\ & & =V_{ϵ}(s)+V_s(t^{\prime })\hfill \end{array}$$

   □

To generalize the above Theorem 2, we have the following theorem as Theorem 3.

Theorem 3. 

Given that $s=s_1{s}_2\cdots s_k\in L(G)$. Then we have that $V_{ϵ}(s)=V_{ϵ}(s_1)+V_{s_1}(s_2)+\cdots +V_{s_1{s}_2\cdots s_{k-1}}(s_k)$.

Proof. 

The proof can be proceed by induction.

Base case: If $k=1$, then it holds that $V_{ϵ}(s)=V_{ϵ}(s_1)$.

Inductive hypothesis: Suppose that we have that $V_{ϵ}(s_1\cdots s_{j-1}{s}_j)=V_{ϵ}(s_1)+V_{s_1}(s_2)+\cdots +V_{s_1{s}_2\cdots s_{j-1}}(s_j)$ if $k=j$.

Inductive step: For $k=j+1$, then we will prove that $V_{ϵ}(s_1\cdots s_{j-1}{s}_j{s}_{j+1}=V_{ϵ}(s_1)+V_{s_1}(s_2)+\cdots +V_{s_1{s}_2\cdots s_{j-1}}(s_j+V_{s_1{s}_2\cdots s_j}(s_{j+1}$.

By the definition 4, we have the following, which completes the inductive step.

$$\begin{array}{ccc}\hfill V_{ϵ}(s)& & =V_{ϵ}(s_1\cdots s_{j-1}{s}_j{s}_{j+1}\hfill \\ & & =V_{ϵ}(s_1\cdots s_{j-1}{s}_j)+V_{s_1\cdots s_{j-1}{s}_j}(s_{j+1}\hfill \\ & & (\because \mathrm{Theorem}\hfill \\ & & =V_{ϵ}(s_1)+V_{s_1}(s_2)+\cdots +V_{s_1{s}_2\cdots s_{j-1}}(s_j)+V_{s_1\cdots s_{j-1}{s}_j}(s_{j+1}\hfill \\ & & (\because \mathrm{Hypothesis}k=j)\hfill \end{array}$$

   □

To obtain the discount total choosing cost, we formulate Algorithm 1 to get $V(L(f/G))$ by the computation of $V_s(s^{\prime })$.

As shown in Algorithm 1, the closed-system $f/G$ can be transformed into a tree automaton, where they are language-equivalent. In the tree automaton, the string from root to some node is the longest common prefix of strings from root to the leaves via the node.

To show the computational process of Algorithm 1, an example is given to get the discount total choosing cost.

Example 1. 

Suppose that $L(f/G)=\{\overline{s_1},\overline{s_2}\}$ and t is the longest common prefix of $s_1$ and $s_2$. To simplify the process of computation in Definition 3, we denote $t={\sigma }_1\cdots {\sigma }_l,t_1={\sigma }_{i_1}\cdots {\sigma }_{i_m}$ and $t_2={\sigma }_{j_1}\cdots {\sigma }_{j_n}$ such that $s_1=t{t}_1$ and $s_2=t{t}_2$. By Definition 3, we have the following equation.

$$\begin{array}{ccc}\hfill V(\{\overline{s_1},\overline{s_2}\}& =& \sum _{k=0}^l{\beta }^{k}c({\sigma }_1\cdots {\sigma }_k,f_{{\sigma }_1\cdots {\sigma }_l}+{\beta }^l\sum _{k=0}^m{\beta }^{k}c({\sigma }_1\cdots {\sigma }_l{\sigma }_{i_1}\cdots {\sigma }_{i_k},f_{{\sigma }_1\cdots {\sigma }_l{\sigma }_{i_1}\cdots {\sigma }_{i_m}}\hfill \\ & & +{\beta }^l\sum _{k=0}^n{\beta }^{k}c({\sigma }_1\cdots {\sigma }_l{\sigma }_{j_1}\cdots {\sigma }_{j_k},f_{{\sigma }_1\cdots {\sigma }_l{\sigma }_{j_1}\cdots {\sigma }_{j_n}}\hfill \\ & =& V_{\epsilon }(t)+V_t(t_1)+V_t(t_2)\hfill \\ & =& V_{\epsilon }(t{t}_1)+V_t(t_2)\hfill \\ & =& V_{\epsilon }(s_1)+V_t(t_2)\hfill \\ & =& V_{\epsilon }(s_2)+V_t(t_1)\hfill \end{array}$$

According to Algorithm 1, we transform $L(f/G)$ in Figure 1 into a tree automaton shown in Figure 2.

By Figure 2 and Algorithm 1, we have the formula:

$$\begin{array}{ccc}\hfill V(\{\overline{s_1},\overline{s_2}\}& =& V_{\epsilon }(t)+V_t(t_1)+V_t(t_2)\hfill \\ & =& V_{\epsilon }(t{t}_1)+V_t(t_2)\hfill \\ & =& V_{\epsilon }(s_1)+V_t(t_2)\hfill \\ & =& V_{\epsilon }(s_2)+V_t(t_1)\hfill \end{array}$$

If there exists a language K such that $\overline{K}\subseteq L(f/G)$, the discount total choosing cost of $\overline{K}$ can be denoted by $V(\overline{K}$, and be obtained as shown in Algorithm 1. If we denote $V(L(f/G)-\overline{K}$ by $V(L(f/g))-V(\overline{K}$, we also can get the discount cost by Definition 4. Obviously, $V(L(f/G)-\overline{K}$ means to compute the choosing cost outside of $\overline{K}$ in $L(f/G)$. Next, we will continue the above Example 1.

Example 2. 

In Figure 1, if there exists a state subset $Q_K=\{4,6\}$ such that $K=t({\sigma }_{i1}+{\sigma }_{j1}$. By Algorithm 1, we get a tree automaton based on $\overline{K}$ shown in Figure 3. So, it holds that $V(\overline{K}=V_{\epsilon }(t)+V_t({\sigma }_{i1}+V_t({\sigma }_{j1}$. According to the formulas of $V(L(f/G)$ and $V(\overline{K}$, we have the following equation).

$$\begin{array}{ccc}\hfill V(L(f/G)-\overline{K}& =& [V_{\epsilon }(t)+V_t(t_1)+V_t(t_2)]-[V_{\epsilon }(t)+V_t({\sigma }_{i1}+V_t({\sigma }_{j1}]\hfill \\ & =& V_t(t_1)-V_t({\sigma }_{i1}+V_t(t_2)-V_t({\sigma }_{j1}\hfill \\ & =& V_{t{\sigma }_{i1}}({\sigma }_{i2}\cdots {\sigma }_{im}+V_{t{\sigma }_{j1}}({\sigma }_{j2}\cdots {\sigma }_{jn}\hfill \end{array}$$

For the system and secret, we propose an optimal problem to synthesize a supervisor such that the discount total choosing cost of the controlled system is minimal.

Optimal opacity-enforcing problem Given system G and secret $K\subseteq L(G)$, find a supervisor f such that $L(f/G)$ satisfy the following conditions.

1.

K is opaque with respect to $L(f/G)$ and ${\Sigma }_a$;

2.

Secret K permitted by supervisor f is "the largest it can be";

3.

For the closed-loop behavior $L(f/G)$, the discount total choosing cost $V(L(f/G))$ is minimal.

In the condition 2 of the above problem, if denoted the supremal controllable and closed sublanguage of $L(G)$ by $L(g/G)$[4], the largest secret K permitted by supervisor f is $L(g/G)\cap K$.

Based on the above optimal problem, a non-linear optimal model is formulated as follows.

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill min& V(L(f/G))\hfill \\ \hfill s.t.& \theta (K\cap L(f/G))\subseteq \theta (L(f/G)-K)\hfill \\ & K\cap L(f/G)=K\cap L(g/G)\hfill \\ & f\in {\Gamma }^{L(G)}\hfill \end{array}\end{array}$$

(1)

For the above optimal model (1), the objection function means that the supervised system’s discount total choosing cost is minimal. And, the first constraint condition means that K is opaque w.r.t. the controlled system. The second implies that the most secret not to be disclosed is in the controlled system.

4. Solution of Optimal Model on Choosing Cost

In this section, the first thing is that we will make the following assumption.

Assumption *

If $s\in L(G)$ and $\gamma ={\Sigma }_u$, then we have $c(s,\gamma )=0$.

For Assumption *, we suppose that any uncontrollable event’s choosing cost is 0.

Under the assumption, we consider the following two scenarios to solve the optimal model (1) in the following subsections.

Scenario 1 

Secret K is opaque w.r.t. $L(G)$ and ${\Sigma }_a$.

Scenario 2 

Secret K is not opaque w.r.t. $L(G)$ and ${\Sigma }_a$.

4.1. Scenario 1: Secret K is opaque w.r.t. $L(G)$ and ${\Sigma }_a$.

Given language $L(G)$ and regular language (secret) $K\subseteq L(G)$. To maximize the secret under the control of supervisor f in scenario 1, we have $K\subseteq L(f/G)$, which implies that $\overline{K}\subseteq L(f/G)$. So, in model (1), the second constraint condition can be reduced to $\overline{K}\subseteq L(f/G)$. And then, the optimal model (1) can be transformed into the following model (2).

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill min& V(L(f/G))\hfill \\ \hfill s.t.& \theta (K\cap L(f/G))\subseteq \theta (L(f/G)-K)\hfill \\ & \overline{K}\subseteq L(f/G)\hfill \\ & f\in {\Gamma }^{L(G)}\hfill \end{array}\end{array}$$

(2)

To solve optimal model (2), we consider the following three cases.

4.1.1. Case 1: $\overline{K}=L(G)$.

Obviously, we have $L(G)\subseteq L(f/G)$ in the condition 2 of model (2). To assure the feasible region is not empty, we can obtain supervisor f such that $L(G)=L(f/G)$. So, we have the following theorem.

Theorem 4. 

Given system G and secret $K\subseteq L(G)$. In case 1 of scenario 1, then $L(G)=L(f/G)$ is an optimal solution of optimal model (2).

Proof. 

From the above analysis, it is obvious that $L(G)=L(f/G)$ is the unique solution of feasible set. So, $V(L(f/G))$ is minimal.    □

4.1.2. Case 2: $\overline{K}\subset L(G)$ and $\forall s\in K,\exists s^{\prime }\in \overline{K}-K$ such that $\theta (s)=\theta (s^{\prime })$.

In case 2, the condition means that any secret can not be distinguished from some non-secret in the closure $\overline{K}$.

For secret K and its closure $\overline{K}$, we have $\theta (K)\subseteq \theta (\overline{K}-K)\subset \theta (L(G)-K)$. If there exists a closed-loop system $f/G$ such that $\overline{K}\subseteq L(f/G)$, it obviously can ensure the opacity of secret K. So, the feasible region of model (2) is not empty.

To find supervisor f, we infer if $\overline{K}$ is controllable w.r.t. $L(G)$.

• If $\overline{K}$ is controllable w.r.t. $L(G)$, there exists supervisor f such that $L(f/G)=\overline{K}$. For the closed-loop behavior $L(f/G)$, it satisfies the two constraint conditions of model (2). So, the feasible region of model (2) is not empty.
• If $\overline{K}$ is not controllable w.r.t. $L(G)$, we can find a controllable and closed superlanguage ${\overline{K}}^{\downarrow }$ of $\overline{K}$. Obviously, the superlanguage ${\overline{K}}^{\downarrow }$ not only ensures the opacity of K(in Theorem A1 of Appendix), but also maximizes the secret K. So, the feasible region of model (2) is not empty.

According to the above analysis, the following Algorithm 2 returns a closed-loop behavior to solve model (2).

By theoretical proof, the following Theorem 5 states that Algorithm 2 can produce an optimal solution of model (2).

Theorem 5. 

Given system G and secret $K\subseteq L(G)$. In case 2 of scenario 1, the closed-loop $L(f/G)$ produced in Algorithm 2 is an optimal solution of model (2).

Proof. 

Firstly, we will prove that the closed-loop behavior $L(f/G)$ produced in Algorithm 2 is a feasible solution of optimal model (2).

At Line 1, M is a closed and controllable sublanguage of $L(G)$. At Line 5, it is obvious that $M\subseteq L(G)$ is the infimal closed and controllable superlanguage of $\overline{K}$. So, Line 3 and Line 6 can produce a supervisor f such that $L(f/G)=M$.

Therefore, we have $\overline{K}\subseteq L(f/G)$ which means constraint condition 2 of model (2) is true.

By Theorem A1 of Appendix, we conclude that $L(f/G)$ can ensure the opacity of K under case 2 of scenario1, which implies that constraint condition 1 of model (2) is true.

From the above points, it is true that $L(f/G)$ produced in Algorithm 2 is a feasible solution of model (2).

Nextly, we prove by contraction that the discount total choosing costs of $L(f/G)$ produced in Algorithm 2 is minimal. Assume that there exists a feasible solution $L(f^{\prime }/G)(\ne L(f/G))$ of model (2) such that $V(L(f^{\prime }/G))<V(L(f/G))$.

According to the constraint condition 2, we have $\overline{K}\subseteq L(f^{\prime }/G)$. Afterwards, we consider the controllability of $\overline{K}$.

If $\overline{K}$ is controllable, it holds that $L(f/G)=\overline{K}$ by Line 2-3, which means $L(f/G)\subseteq L(f^{\prime }/G)$. So, we have $V(L(f/G))\le V(L(f^{\prime }/G))$, which contracts with $V(L(f^{\prime }/G))<V(L(f/G))$.

If $\overline{K}$ is not controllable, it holds that $\overline{K}\subseteq L(f/G)=M$ by Line 5-6. For any $s\in M-\overline{K}$, there exists $t\le s$ such that $t\in \overline{K}$ and $s=t{\Sigma }_u^{*}$ hold. As shown in Theorem 3 and Assumption *, we have $V_{ϵ}(s)=V_{ϵ}(t)+V_t({\Sigma }_u^{*})=V_{ϵ}(t)$. So, it holds that $V(\overline{K}=V(M)=V(L(f/G))$.By the formula $\overline{K}\subseteq L(f^{\prime }/G)$, it is true that $V(L(f/G))\le V(L(f^{\prime }/G))$, which contracts with $V(L(f^{\prime }/G))<V(L(f/G))$.

In summary, it is true that $V(L(f/G))\le V(L(f^{\prime }/G))$, which means that the discount total choosing costs of $L(f/G)$ produced in Algorithm 2 is minimal.

   □

According to the proof of Theorem 5, we have the following corollaries.

Corollary 1. 

Given a language L. If a new language $L^{\prime }$ as the concatenation of any string of L with an uncontrollable string (i.e. ${\Sigma }_u^{*}$), then the discount total choosing costs of L and $L^{\prime }$ are the same, that is, $V(L)=V(L^{\prime })$.

Corollary 2. 

Given system G and secret $K\subseteq L(G)$. In case 2 of scenario 1, $V(\overline{K}=V({\overline{K}}^{\downarrow }=V(L(f/G))$ holds, where $L(f/G)$ is the closed-loop system produced in Algorithm 2.

Example 3. 

Given a finite transition system $G=(Q,\Sigma ,\delta ,q_0)$ shown in Figure 4, where ${\Sigma }_u=\{f,t\}$. Obviously, for system G, Assumption * is true. Suppose that secret $K=\{a,ab,aebgt\}$ which can be recognized by $Q_s=\{3,6,16\}$. To show choosing cost $c(s,\gamma )$, a label $p\underset{·|n}{\to }q$ means if there is a transition from p to q by ·, the notation n denotes the choosing cost $c(s,·)$. For control input Γ, the cost of choosing $\gamma \in \Gamma$ is defined as $c(s,\gamma )=\sum _{\sigma \in \gamma }c(s,\sigma )$.

Assume that adversary has complete knowledge of the supervisor’s control policy. From adversary’s view, adversary can see partial set of events, denoted by ${\Sigma }_a=\{a,b,d,f,g\}$. For secret K, it can be verified that K is opaque w.r.t. $L(G)$ and ${\Sigma }_a$(scenario 1). To reduce the choosing cost, a closed-loop system $L(f/G)$ can be obtained by Algorithm 2,where $L(f/G)=\{ϵ,t,a,ab,abt,abtf,ae,aeb,aeb,aebg,aebgt\}$ is shown in Figure 5.

By Definition 4 and Algorithm 1, $V(L(f/G))=V_{\epsilon }(t)+V_{\epsilon }(a)+V_a(ebgt)+V_a(btf)=1.726$ is minimal.

4.1.3. Case 3: $\overline{K}\subset L(G)$ and $\exists s\in K,\forall s^{\prime }\in \overline{K}-K$ such that $\theta (s)\ne \theta (s^{\prime })$

In case 3, the condition means that there exists some secret in K such that all the non-secret confused with them are outside of $\overline{K}$.

For $L(G)$, let $\underline{K}=\{s\in K|\forall s^{\prime }\in \overline{K}-K,\theta (s)\ne \theta (s^{\prime })\}$ be a set of some secret which can not be confused by any string in $\overline{K}-K$, and $L=\{s\in L(G)|\theta (s)\subseteq \theta (\underline{K}\}$ be a set of strings which can confuse the secret of $\underline{K}$. For language L, we call $\left[s\right]=\{s^{\prime }\in L|\theta (s)=\theta (s^{\prime })\}$ be the coset (or equivalence class) of s w.r.t. L and $\theta$, where $s^{\prime }$ is said to be equivalent string of s. And, $L/[·]$ is defined as the quotient set of L w.r.t. the coset $[·]$. For determined finite transition system, the number of strings in L is finite and the length of each string of L is finite too. Obviously, coset $[·]$ and quotient set $L/[·]$ are also finite.

To solve model (2), Algorithm 3 shown as follows is proposed by calling function 1 (seen in Algorithm 4) and function 2 (seen in Algorithm 5).

In Line 13 of Algorithm 3, function 1 (in Algorithm 4 shows how to compute the choosing cost outside of the closure of secret K. For a quotient set, take any string of some coset and get a prefix with a maximal length in the closure of secret. And then, we compute the discount cost of choosing the remaining string after the prefix. The specific process is shown in Algorithm 4.

In Line 14 of Algorithm 3, function 2 constructs a weighted directed diagram with multi-stages and produces a path with minimal discount total choosing cost. For the diagram, the elements of a set H are regarded as the stages, and the elements of $H_i$ are defined as the nodes of each stage. Based on dynamic programming, the optimal weight between different nodes of adjacent stages is obtained in function 3 (in Algorithm 6). Then, the weighted directed diagram is got. For every node of the diagram, an ordered pair is obtained by calling function 3 (in Algorithm 6). For the ordered pair, the first element is the set of shortest path with minimal discount total choosing cost from starting node to current node, and the second is the discount total choosing cost of the path. When the current node is ending node, the path with minimal discount total choosing cost is obtained. The specific processes are shown in Algorithms 5 and Algorithms 6.

According to the calculaton process of Algorithm 3, we have the following theorem to show the solution of model (2).

Theorem 6. 

Given system G and secret $K\subseteq L(G)$. In case 3 of scenario 1, the closed-loop behavior $L(f/G)$ produced in Algorithm 3 is an optimal solution of model (2).

Proof. 

We firstly show that closed-loop behavior $L(f/G)$ produced in Algorithm 3 is a feasible solution of optimal model (2).

1.

To prove the opacity (the first constraint condition).

As shown in case 3, the secret of $K-\underline{K}$ can be confused by the non-secret strings of $\overline{K}$. For $\underline{K}$, all the non-secret in $L(G)$ which can not be distinguished with the secret in $\underline{K}$ are in ${\cup }_j{H}_j$ of Line 12. At Lines 14 and 15, the string $s_i$ is from $H_i$, where $i=\{1,2,\cdots ,j-1\}$. At Lines 15 and 16, we have $\overline{K}\subseteq L(f/G)$ and $\{s_1,s_2,\cdots ,s_{j-1}\}\subseteq L(f/G)$. So, the closed-loop behavior $L(f/G)$ produced in Algorithm 3 can ensure the opacity of secret K.

2.

To prove the secret remained in the closed-loop system is maximal (the second constraint condition).

According to the Lines 15 and 16, it holds that $\overline{K}\subseteq L(f/G)$. So, the second constraint condition is true.

To sum up, the closed-loop behavior $L(f/G)$ obtained in Algorithm 3 is a feasible solution of optimal model (2).

Secondly, we will show that the discount total choosing cost of closed-loop behavior $L(f/G)$ produced by Algorithm 3 is minimal.

Since it holds that $\overline{K}\subseteq L(f/G)$, the discount total choosing cost of $L(f/G)$ can be computed as follows.

$$\begin{array}{c}\hfill \begin{array}{c}\hfill V(L(f/G))=V(\overline{K}+V(L(f/G)-\overline{K}.\end{array}\end{array}$$

(3)

Obviously, $V(\overline{K}$ is finite. To minimize the discount total choosing cost of $L(f/G)$, we need to show $V(L(f/G)-\overline{K}$ is minimal by formula (3). As shown at Line 1 of Algorithm 3, it is obvious that language L contains all the non-secret in $L(G)$, which can not distinguish with all the secret of $\underline{K}$. So, if we want to make $V(L(f/G)-\overline{K}$ is minimal, all the strings s in $L(f/G)-\overline{K}$ must come from L. And then $L(f/G)-\overline{K}\subseteq L$ holds. According to Lines 3-11 of Algorithm 3, we have $L={\cup }_j{H}_j$. And, all the strings in $H_j$ can confuse one secret of $\underline{K}$ and its equivalent secret. Obviously, only one string chosen in each set $H_j$ of H is the necessary condition to minimize $V(L(f/G)-\overline{K}$.

At Line 13 of Algorithm 3 (i.e. function 1 of Algorithm 4), all the strings $s=s_{i}t$ in L are traversed and the choosing cost $V_{s_i}(t)$ after $s_i\in \overline{K}$ can be obtained, where $t={\sigma }_{i+1}\cdots {\sigma }_n$ and $s_i{\sigma }_{i+1}\notin \overline{K}$.

At Line 14 of Algorithm 3, a diagram with multi-stages is constructed in ${\cup }_j{H}_j\cup \left\{t_s\right\}\cup \left\{t_t\right\}$, where initial node $t_s$ and ending node $t_t$ are virtual, $H_j$ are the set of nodes in j-th stage. To only pick a string in each $H_j$, we will find a path from $t_s$ to $t_t$. And then, Algorithm 6 is proposed to optimize the weight $a_{s^{\prime },s}$ of a transition from node $s^{\prime }$ to node s between adjacent stages. For the optimal weight, it is obvious that the discount total choosing cost of each node (i.e. string) of the path is equal to the total weight of the path (at Line 12 of Algorithm 5). At Lines 3-19 of Algorithm 5, the shortest path ${\mathrm{Lable}}_s$ and its minimal discount total choosing cost $V_{min}(s)$ of j-th stage can be obtained by ${\mathrm{Lable}}_{s^{\prime }}$ and $V_{min}(s^{\prime })$ of $(j-1)$-th stage based on dynamical programming. As shown in the above analysis about Line 14 of Algorithm 3(i.e. function 2 in Algorithm 5), the first element ${\mathrm{Lable}}_{s^{\prime }}$ of the ordered pair (${\mathrm{Lable}}_{s^{\prime }},V_{min}(s^{\prime })$) is the shorted path (i.e. the set of strings) with minimal discount total choosing cost from starting node $t_s$ to current node $s^{\prime }$, and the second $V_{min}(s^{\prime })$ is the discount total choosing cost of the path. When the current node is $t_t$(i.e. Line 20 of Algorithm 5), ${\mathrm{Lable}}_{t_t}$ is the shorted path from initial to ending node and $V_{min}(t_t)$ is the minimal discount total choosing cost of the path (see Lines 21-25 of Algorithm 5). So, ${\mathrm{Lable}}_{t_t}$ is the subset of L, whose discount total choosing cost is minimal and whose strings can confuse all the secret of $\underline{K}$.

At Lines 16 and 17 of Algorithm 3, the closed-loop behavior $L(f/G)$ can be ensured to be controllable and closed by Corollary 2. And the discount total choosing $L(f/G)$ is minimal as shown in above analysis.

All in all, the closed-loop behavior $L(f/G)$ produced in Algorithm 3 is an optimal solution of model (2).    □

Example 4. 

Given a finite transition system $G=(Q,\Sigma ,\delta ,q_0)$ and secret $K=\{a,ab,aebg,aebgt\}$ shown in Figure 6, where ${\Sigma }_u=\{f,t\}$ and K can be recognized by $Q_s=\{3,6,13,16\}$. Suppose that adversary has complete knowledge of the supervisor’s control policy, and the observed set of events by adversary is ${\Sigma }_a=\{a,d,f,g,t\}$. It is verified that K is opaque w.r.t. $L(G)$ and ${\Sigma }_a$. But, K is not opaque w.r.t. $\overline{K}$ and ${\Sigma }_a$, i.e. secret $aebg,aebgt$ can not be confused by any non-secret of $\overline{K}$. Obviously, case 3 of scenario 1 is fulfilled and Assumptions * are true. Nextly, we will construct a closed-loop behavior $L(f/G)$ by Algorithm 3.

For system G and secret K, we get a language $\underline{K}=\{aebg,aebgt\}$, where the strings in $\underline{K}$ can not be confused by any strings of $\overline{K}$. From the opacity of $L(G)$, we can find a sub-language $L=\{aebgte,aebgbt,aebgb,eabgt,eabg,eabeg,eabegt\}$, whose strings can not be distinguished with the secret in $\underline{K}$. For language L, we give the following computational process.

Take $aebg\in \underline{K}$, and then we have $\theta (aebg)=ag$ and $H_1=\left[aebg\right]=\{eabg,eabeg,aebgb\}$.

Take $aebgt\in \underline{K}$, and then we have $\theta (aebgt)=agt$ and $H_2\left[aebgt\right]=\{eabgt,eabegt,aebgte,aebgbt\}$.

So, the quotient set $L/[·]=\left\{\{eabg,eabeg,aebgb\},\{eabgt,eabegt,aebgte,aebgbt\}\right\}$ is a partition of L.

For coset $\left[aebg\right]$, we can compute the choosing cost of suffix of the non-secret string out of $\overline{K}$ in the first stage (seen in the function 1 of Algorithm 4.

If $s=eabg$, we have $ϵ\in \overline{K}$ and $V_{ϵ}(eabg)=5.126$.

If $s=eabeg$, we have $ϵ\in \overline{K}$ and $V_{ϵ}(eabeg)=5.1256$.

If $s=aebgb$, we have $aebg\in \overline{K}$ and $V_{aebg}(b)=0.0002$.

For coset $\left[aebgt\right]$, we can similarly get the following in the second stage.

If $s=eabgt$, we have $ϵ\in \overline{K}$ and $V_{ϵ}(eabgt)=5.126$.

If $s=eabegt$, we have $ϵ\in \overline{K}$ and $V_{ϵ}(eabegt)=5.1256$.

If $s=aebgte$, we have $aebgt\in \overline{K}$ and $V_{aebgt}(e)=0.00005$.

If $s=aebgbt$, we have $aebg\in \overline{K}$ and $V_{aebg}(bt)=0.0002$.

Based on $H_1,H_2$ and the choosing cost out of $\overline{K}$ above, a weighted directed diagram shown in Figure 7 is constructed by using Algorithm 5 calling Algorithm 6. In the diagram, every node denoted by ⊙ is shown as a fraction. For the fraction, its numerator is a non-secret string $s=s_i{\sigma }_{i+1}\cdots {\sigma }_{i+k}$ in ${\cup }_{j=1}^2{H}_j$, and its denominator is $V_{s_i}(t)$, where $s_i\in \overline{K}$ and $s_i{\sigma }_{i+1}\notin \overline{K}$.

To show the weight between nodes of adjacent stages, some weight is given as follows by Definition 4.

$V_{eabg}(t)=0,V_{eab}(egt)=0.0056,V_{eabeg}(t)=0,V_{eab}(gt)=0.006,V_{aebgb}(t)=0,V_{aebg}(te)=0.00005$.

By Algorithm 5, the label $Labe{l}_s$ and minimal choosing cost $V_{min}(s)$ of a path from initial node $t_s$ to current node s are computed in Table 1.

In Table 1, we have $Labe{l}_{t_t}=\{t_s,aebgb,aebgbt,t_t\}$ for the ending node $t_t$. From Line 16 of Algorithm 3, we know that shortest path is $t_s\to aebgb\to aebgbt\to t_t$. So, it holds that $minV(L(f/G)-\overline{K}=0.0002$.Since $V(\overline{K}=1.726$ (by Algorithm 1 is finite, $V(L(f/G))=1.726+0.0002=1.7262$. So, in Line 17, we have $L(f/G)=\{\overline{t},\overline{abtf},\overline{aebgt},\overline{aebgbt}\}$ shown in Figure 8.

In Figure 8, it is verified that $V(L(f/G))=1.7262$ by Algorithm 1.

4.2. Scenario 2: secret K is not opaque w.r.t. $L(G)$ and ${\Sigma }_a$.

For system G and secret $K\subseteq L(G)$, if K is not opaque w.r.t. $L(G)$ and ${\Sigma }_a$, we need to design a supervisor to prohibit all the secret disclosed. To get the supervisor, we can use the method of [1,4] to obtain the maximal permission sublanguage of $L(G)$, which can ensure the opacity of K. Then, scenario 1 is fulfilled. Nextly, we propose Algorithm 7 to solve model (1).

According to the above algorithm, we firstly construct a maximal permissive supervisor g to enforce the opacity of K. And then, it is obviously verified that the closed-loop behavior $L(g/G)$ and the restricted secret $K\cap L(g/G)$ meet scenario 1. As shown in Theorem 4, Theorem 5 and Theorem 6, we can conclude that Algorithm 7 can produce an optimal solution of model (1).

Theorem 7. 

Given system G and secret $K\subseteq L(G)$. In scenario2, the closed-loop behavior $L(f/G)$ obtained in Algorithm 7 is an optimal solution of model (1).

Proof. 

Firstly, we will prove that $L(f^{\prime }/G^{\prime })$ is controllable and closed sublanguage of $L(G)$. As shown at Lines 7, 10 and 12, $L(f^{\prime }/G^{\prime })$ is a closed sublanguage of $L(G)$. Nextly, we will prove $L(f^{\prime }/G^{\prime })$ is controllable w.r.t. $L(G)$.

$$\begin{array}{ccc}& & \forall s\in L(f^{\prime }/G^{\prime }),\sigma \in {\Sigma }_u,s\sigma \in L(G)\hfill \\ \hfill \Rightarrow & & s\in L(g/G),\sigma \in {\Sigma }_u,s\sigma \in L(G)\hfill \\ & & (\because L(f^{\prime }/G^{\prime })\subseteq L(G^{\prime })=L(f/G))\hfill \\ \hfill \Rightarrow & & s\sigma \in L(g/G)\hfill \\ & & (\because L(f/G)\mathrm{is}\mathrm{controllable}\mathrm{w}.\mathrm{r}.\mathrm{t}.L(G))\hfill \\ \hfill \Rightarrow & & s\sigma \in L(f^{\prime }/G^{\prime })\hfill \\ & & (\because L(f^{\prime }/G^{\prime })\mathrm{is}\mathrm{controllable}\mathrm{w}.\mathrm{r}.\mathrm{t}.L(g/G))\hfill \end{array}$$

So, $L(f^{\prime }/G^{\prime })$ is a controllable and closed sublanguage of $L(G)$. At Line 15, there exits supervisor f such that $L(f/G)=L(f^{\prime }/G^{\prime })$.

Secondly, we will show the closed-loop behavior $L(f/G)$ produced by Algorithm 7 is a feasible solution of model (1).

1.

To show the opacity of $L(f/G)$.

At Lines 3-5, it is obvious that $K^{\prime }$ is opaque w.r.t. $L(G^{\prime })$ and ${\Sigma }_a$. At Lines 6-14, by Theorems 4, 5 and 6, it holds that $K^{\prime }$ is opaque w.r.t. $L(f^{\prime }/G^{\prime })$ and ${\Sigma }_a$, which implies that $\theta (K^{\prime }\cap L(f^{\prime }/G^{\prime }))\subseteq \theta (L(f^{\prime }/G^{\prime })-K^{\prime })$. According to Lines 4, 5 and 15, we have $\theta (K\cap L(f/G))\subseteq \theta (L(f/G)-K\cap L(g/G))$. Since $L(f/G)\subseteq L(g/G)$, we have $\theta (L(f/G)-K\cap L(g/G))\subseteq \theta (L(f/G)-K\cap L(f/G))$. So, $\theta (K\cap L(f/G))\subseteq \theta (L(f/G)-K\cap L(f/G))$ holds, which means $\theta (K\cap L(f/G))\subseteq \theta (L(f/G)-K)$ is true. Therefore, K is opaque w.r.t. $L(f/G)$ and ${\Sigma }_a$.

2.

To show that the closed-loop behavior $L(f/G)$ can preserve the maximal secret information.

For system $G^{\prime }$ and secret $K^{\prime }$, at Lines 4-14, it is obvious that $L(f^{\prime }/G^{\prime })$ is a feasible solution of model (2), which implies that $\overline{K^{\prime }}\subseteq L(f^{\prime }/G^{\prime })$. Since $K\cap L(g/G)=K^{\prime }$ at line 5 and $L(f/G)=L(f^{\prime }/G^{\prime })$ at Line 15, it holds that $K\cap L(g/G)\subseteq L(f/G)$, which implies that $K\cap L(g/G)\subseteq K\cap L(f/G)$. Since $L(f^{\prime }/G^{\prime })\subseteq L(G^{\prime })$ holds, it is true that $L(f/G)\subseteq L(g/G)$. So, we have $K\cap L(f/G)\subseteq K\cap L(g/G)$. Therefore, we have $K\cap L(f/G)=K\cap L(g/G)$.

To conclude, the closed-loop behavior $L(f/G)$ produced by Algorithm 7 is a feasible solution of model (1).

Finally, we will show that the discount total choosing cost of $L(f/G)$ produced by Algorithm 7 is minimal for model (1).

Assume that the closed-loop behavior $L(f/G)$ produced by Algorithm 7 is not optimal solution of model (1). So, there exists a supervisor $f_1$ such that $L(f_1/G)$ is a feasible solution of model (1) and $V(L(f_1/G))<V(L(f/G))$ holds. For model (1), the two constrain conditions are satisfied for $L(f_1/G)$. The two conditions mean that $K\cap L(f_1/G)$ is opaque w.r.t. $L(f_1/G)$ and ${\Sigma }_a$, and $K\cap L(f_1/G)=K\cap L(g/G)$ holds. As shown at Line 5, we have $K^{\prime }=K\cap L(f_1/G)$. Taking $G_1=f_1/G$, it holds that $\overline{K^{\prime }}\subseteq L(G_1)$. Based on the assumption about $L(f_1/G)$ and $L(g/G)$, we have that $L(f_1/G)\subseteq L(g/G)$. Then, we will consider the following two cases.

Case 1 

If $L(f_1/G)=L(g/G)$, we will discuss the relation between $\overline{K^{\prime }}$ and $L(G_1)$.

1.1 

If $\overline{K^{\prime }}=L(G_1)$, it holds that $L(f_1/G)=L(f/G)$ at Lines 6-7, which contracts with the assumption that $V(L(f_1/G))<V(L(f/G))$.

1.2 

If $\overline{K^{\prime }}\subset L(G_1)$, it holds that $V(L(f/G))\le V(L(f_1/G))$ by Theorem 5 and 6 at Lines 9-13, which contracts with the assumption that $V(L(f_1/G))<V(L(f/G))$.

Case 2 

If $L(f_1/G)\subset L(g/G)$, it is true that $s\notin \overline{K^{\prime }}$ for any $s\in L(g/G)-L(f_1/G)$ because of the formulas $\overline{K^{\prime }}\subseteq L(G_1)$ and $L(f_1/G)=L(G_1)$, which implies that s is out of $\overline{K^{\prime }}$. Then, we will discuss the relation between $\overline{K^{\prime }}$ and $L(G_1)$ again.

2.1 

If $\overline{K^{\prime }}=L(G_1)$, there exists $s^{\prime }\in \overline{K^{\prime }}-K^{\prime }$ such that $\theta (s)=\theta (s^{\prime })$ for any $s\in K^{\prime }$, which means that all the secret string in $K^{\prime }$ can be confused by the non-secret string in $\overline{K^{\prime }}$. By Corollary 2, it holds that $V(L(f_1/G))=V(\overline{K^{\prime }}$. At Lines 9-10, it is true that $V(L(f/G))=V(\overline{K^{\prime }}$. So, it holds that $V(L(f/G))=V(L(f_1/G))$, which contracts with assumption that $V(L(f_1/G))<V(L(f/G))$.

2.2 

If $\overline{K^{\prime }}\subset L(G_1)$, we will discuss the following two sub-cases.

2.2.1 

If there exists $s^{\prime }\in \overline{K^{\prime }}-K^{\prime }$ such that $\theta (s)=\theta (s^{\prime })$ for any $s\in K^{\prime }$, it is obvious that $V(L(f_1/G))=V(\overline{K^{\prime }}$ by Corollary 2. At Lines 9, 10 and 15 of Algorithm 7, it holds that $V(L(f/G))=V(\overline{K^{\prime }}$. So, it is true that $V(L(f/G))=V(L(f_1/G))$, which contracts with assumption that $V(L(f_1/G))<V(L(f/G))$.

2.2.2 

If there exists $s\in K^{\prime }$ such that $\theta (s)\ne \theta (s^{\prime })$ for any $s^{\prime }\in \overline{K^{\prime }}-K^{\prime }$, we have the following formulas.

$$\begin{array}{c}\hfill V(L(f_1/G))=V(\overline{K^{\prime }},f_1)+V(L(f_1/G)-\overline{K^{\prime }}\end{array}$$

(4)

$$\begin{array}{c}\hfill V(L(f/G))=V(\overline{K^{\prime }},f)+V(L(f/G)-\overline{K^{\prime }}.\end{array}$$

(5)

Owing to the definition of feasible solution, we have $\overline{K^{\prime }}\subseteq L(f_1/G)$ and $\overline{K^{\prime }}\subseteq L(f/G)$. So, it holds that $V(\overline{K^{\prime }},f_1)=V(\overline{K^{\prime }},f)$. For the remaining part of formulas (4) and (5), we construct two weight directed diagrams $T_1$ and T, where $T_1$ (or T) is produced in Algorithm 5 (e.g. Line 14 of Algorithm 3 if $\left(f_1/G,K^{\prime },c(s,\gamma )\right)$ ( or $\left(g/G,K^{\prime },c(s,\gamma )\right)$) is inputed in Algorithm 3. By the constructions of L and H in Algorithm 3, it is obvious that $T_1⊑T$ (i.e. $T_1$ is a sub-diagram of T) and that $a_{s^{\prime },s}^{T_1}\ge a_{s^{\prime },s}^T$, where $a_{s^{\prime },s}^{T_1}$ (and $a_{s^{\prime },s}^T$) is the weight of arc $(s,s^{\prime })$ in diagram $T_1$ (and T respectively). So, the sum of weight of shortest path of T is less than that of $T_1$, which implies that $V(L(f/G)-\overline{K^{\prime }}\le V(L(f_1/G)-\overline{K^{\prime }}$. According to the formulas (4) and (5), we have that $V(L(f/G))\le V(L(f_1/G))$, which contracts with assumption that $V(L(f_1/G))<V(L(f/G))$.

To conclude, it is true that $V(L(f/G))\le V(L(f_1/G))$, which implies that the discount total choosing cost of the closed-loop behavior $L(f/G)$ produced by Algorithm 7 is minimal for optimal model (1). □

To show the effective of Algorithm 7, we introduce the model of [1] to compute the optimal choosing control strategy.

Example 5. 

Given a transition system G[1] shown in Figure 9, which models all sequences of possible moves of an agent in a three storey building with a south wing and a north wing, both equipped with lifts and both connected by a corridor at each floor. Moreover, there is a staircase that leads from the first floor in the south wing to the third floor in the north wing. The agent starts from the first floor in the south wing. He can walk up the stairs (s) or walk through the corridors (c) from south to north without any control. The lifts can be used serval times one floor upwards (u) and at most once on floor downwards (d) altogether. The moves of the lifts are controllable. Thus ${\Sigma }_c=\{u,d\}$ . The secret is that the agent is either at the second floor in the south wing or at the third floor in the north wing, i.e. $Q_s=\{1,5,7,11\}$ marked by double circle. The adversary may gather the exact subsequence of moves in ${\Sigma }_a=\{u,c,s\}$ from sensors, but he cannot observe the downwards moves of the lifts.

For every transition of system G, the choosing cost is shown in Figure 9. In [1], a unique supremal prefix-closed and controllable sublanguage $L(f/G)$ (shown in Figure 10 of $L(G)$ such that secret S is opaque w.r.t. $L(f/G)$ and ${\Sigma }_a$. So, $V(\overline{K^{\prime }}=V_{\epsilon }(s)+V_{\epsilon }(cuu)=0+0.55=0.55$ Supposed that choosing cost $c(s,\gamma )$ is inserted in G and $g/G$, shown in Figure 9 and Figure 10 respectively. According to Line 12 of Algorithm 7 (i.e. Algorithm 3, $\underline{K^{\prime }}=\{s,cuu\}$ and $L=\{sd,cuud\}$. By the process of Algorithm 3, we have $H_1=\left\{sd\right\}$ and $H_2=\left\{cuud\right\}$, which means there exists only one path (shown in Figure 11 from starting node to ending node. So, $\underset{f\in {\Gamma }^{L(G)}}{min}V(L(f/G)-\overline{K^{\prime }}=V_s(d)+V_{cuu}(d)=0.2+0.002=0.202$. At Lines 16 and 17 of Algorithm 3, it is obvious that $L(f/G)$ is shown in Figure 12, which has the minimal discount total choosing cost $V(f/G)=V(\overline{K^{\prime }},f)+V(L(f/G)-\overline{K^{\prime }}=0.55+0.202=0.752$. The optimal supervisory control defined by $L(f/G)$ prevents the agent from using the lift of the south wing, from using the lift of the north wing from the second floor to the third floor at any time after he has used this lift downwards, and from using the lift of the north wing downwards on the second floor.

5. Conclusions

To enforce opacity by supervisor with minimal discount total choosing cost, an optimal supervisory control model is formulated. In the model, the objection function is to minimize the discount total choosing cost of closed-loop behavior, and the two constraint conditions are given that one is to enforce the opacity of closed-loop behavior, the other is to preserve the maximal part of secret information for closed-loop behavior. To solve the above optimal model, some algorithms and theorems are formulated from simplicity to complexity. For the simple case, we suppose that the secret is opaque w.r.t. the behavior of the system. The complex case is that we suppose the secret is not opaque w.r.t. the behavior of the system. Based on the two cases, the algorithms and theorems are proved to be correct.