Verification of Initial-State Opacity in Security Applications of DES

Anooshiravan Saboori and Christoforos N. Hadjicostis

Abstract— Motivated by security applications where the initial state of a system needs to be kept secret (opaque) to outside observers (intruders), we formulate, analyze and verify the notion of initial-state opacity in discrete event systems. Specifically, a system is initial-state opaque if the membership of its true initial state to a set of secret states remains opaque to an intruder who is modeled as an observer of the system activity through some projection map. In other words, based on observations through this map, the observer is never certain that the initial state of the system is within the set of secret states. To verify initial-state opacity, we address the initial-state estimation problem in discrete event systems via the construction of an initial-state estimator. This estimator captures estimates of the initial state of the system which are consistent with all observations obtained so far. We also analyze the properties and complexity of the initial-state estimator.

I. INTRODUCTION

The exchange of vital information over shared cyber-infrastructures in many application areas (ranging from defense and banking to health care and power distribution systems) has increased concerns about the vulnerability of such systems to intruders and other malicious entities. As a result, various notions of security and privacy have received considerable attention from researchers, and work pursued so far can be roughly classified into two main categories. The first approach focuses on carefully characterizing the intruder’s capabilities whereas the second one focuses on the information flow from the system to the intruder [1],[2].
This material is based upon work supported in part by the National Science Foundation under NSF Career Award No 0092696 and NSF ITR Award No 0426831. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and do not necessarily reflect the views of NSF. The authors are with the Coordinated Science Laboratory, and the Department of Electrical and Computer Engineering, University of Illinois at Urbana-Champaign, IL 61801–2307, USA. Corresponding author: C. N. Hadjicostis, 357 CSL, 1308 West Main Street, Urbana, IL 61801–2307, USA (e-mail: chadjic@uiuc.edu).

Opacity is a security notion that falls in the second category and aims at determining whether a given system’s secret behavior (i.e., a subset of the behavior of the system that is considered critical and is usually represented by a predicate) is kept opaque to outsiders [3],[4]. More specifically, this requires that an intruder (modeled as an observer of the system’s behavior) is never able to establish the truth of the predicate.

In our earlier work [4], we considered opacity with respect to predicates that are state-based. More specifically, assuming that the system under consideration can be modeled as a finite-state automaton with partial observation on its transitions, we defined the secret behavior of the system as the evolution of the system’s state to a set of secret states S. The intruder was assumed to have full knowledge of the system and able to observe the observable transitions in the system. Opacity in this context requires that the intruder can never be certain that the current state of the system is in the set of secret states S. This notion of opacity demands that the secret behavior of the system remain opaque until the system enters a state outside the set of secret states S.
In [4], we also introduced the stronger notion of K-step opacity which requires opacity until K observations are made after the system’s state leaves the secret set. This stronger notion is suitable for situations where the secrecy of some states becomes unimportant only after the occurrence of a certain number of events (e.g., the passage of time). In both of these notions of opacity, the set of secret states S is a subset of the system states and is assumed to be constant over the length of the observation.

In this paper, assuming that the initial state of the system is unknown, we consider a notion of opacity in which the secret behavior of the system is defined as the membership of its initial state to a set of secret states S. This notion is called initial-state opacity and requires that the intruder can never be certain that the initial state of the system was in the set of secret states S. Initial-state opacity can be useful in a variety of applications including the modeling of various security properties in encryption, communication and secure protocols [3]. The following example motivates initial-state opacity in the context of cryptographic protocols.

Example 1: In cryptography, a symmetric cipher combines plain text (original information) bits with a pseudo-random bit stream (key-stream), typically using an XOR operation. For example, message 1010 XOR-ed with key-stream 0100 results in the encrypted message 1110. Knowledge of the encrypted message does not reveal the plain text unless the key-stream is compromised. To create the key-stream, one often uses a linear feedback shift register (LFSR) as a pseudo-random number generator (Figure 1). An LFSR is an autonomous shift register whose input (leftmost or most significant) bit is obtained by XOR-ing some predefined combination of the bits that are stored in the shift register. This implies that the input bit is a linear function of the LFSR’s previous state.
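An added illustration, not code from the paper, of initial-state estimation on the 8-bit register of Figure 1 (taps 0, 1, 7; seed 10010011): it computes the set of seeds consistent with an observed key-stream prefix and checks whether that estimate ever falls entirely inside a secret set S. The bit numbering, shift direction, choice of output bit, an intruder who sees every key-stream bit, and the secret sets used are assumptions made for this sketch.

```python
# Added illustration; not code from the paper.
# Assumptions: bit 7 is the leftmost bit, the register shifts right, the bit
# shifted out of position 0 is the key-stream bit, and the intruder observes
# every key-stream bit. Taps and seed are those quoted for Figure 1.
TAPS = (0, 1, 7)
SEED = 0b10010011
WIDTH = 8

def step(state):
    """Advance the LFSR one clock; return (next_state, output_bit)."""
    feedback = 0
    for t in TAPS:
        feedback ^= (state >> t) & 1
    return (state >> 1) | (feedback << (WIDTH - 1)), state & 1

def keystream(seed, n):
    """First n key-stream bits produced from the given seed."""
    bits, state = [], seed
    for _ in range(n):
        state, out = step(state)
        bits.append(out)
    return bits

def initial_state_estimate(observed):
    """All seeds consistent with the observed key-stream prefix."""
    n = len(observed)
    return {s for s in range(1 << WIDTH) if keystream(s, n) == observed}

def is_initial_state_opaque(secret, n):
    """True if no n-bit observation pins the seed inside the secret set."""
    for s in secret:
        estimate = initial_state_estimate(keystream(s, n))
        if estimate <= secret:  # intruder is certain the seed was secret
            return False
    return True

def estimate_sizes(seed, n):
    """Size of the initial-state estimate after 1..n observed bits."""
    ks = keystream(seed, n)
    return [len(initial_state_estimate(ks[:k])) for k in range(1, n + 1)]

if __name__ == "__main__":
    print(keystream(SEED, 8))
    print(estimate_sizes(SEED, 8))
    print(is_initial_state_opaque({SEED}, 7), is_initial_state_opaque({SEED}, 8))
```

Under these assumptions the first eight key-stream bits are the seed bits themselves, so a full observer's estimate halves with every bit and a secret set containing only the seed stops being opaque at the eighth observation.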
The initial state of the LFSR is called the seed, and the list of the bit positions that affect the next state is called the tap sequence. The taps are XOR-ed sequentially and then fed back into the register as the leftmost bit. Figure 1 shows an 8-bit LFSR with tapped bits 0, 1, 7 and seed 10010011. Because the operation of the register is deterministic, the sequence of values produced by the register (which is used as the key-stream for the stream cipher) is completely determined by its seed. For example,