Opacity-Enforcing Supervisory Control
- Opacity-Enforcing Supervisory Control is a DES framework where a supervisor dynamically enables or disables events to prevent an intruder from verifying whether the system is or was in a secret state.
- It employs observer-based synthesis methods such as subobserver construction and information-state modeling to restrict the intruder’s estimation, ensuring safety over reachable information states.
- Key challenges include scalability, handling incomparable observations between supervisor and intruder, and extending methods to stochastic, timed, and hybrid systems.
Opacity-enforcing supervisory control is a class of synthesis problems in discrete-event systems (DES) in which a supervisor dynamically disables or enables controllable events so that an external observer or intruder cannot determine with certainty whether the system is, was, or will be in a secret state. In the standard DES setting, a plant is modeled as or, in deterministic formulations, , the intruder receives an observation generated by a mapping , and secrecy is specified either as a secret state set or a secret language. The unifying viewpoint is estimation: opacity is a property of reachable intruder information states, and enforcement is therefore a problem of preventing the closed-loop system from reaching secret-revealing information states (Yin, 26 Feb 2026).
1. Concept and opacity notions
Opacity in DES is a confidentiality notion requiring that an external observer should never be able to determine with certainty whether the system is, was, or will be in a secret state (Yin, 26 Feb 2026). In state-based form, secrets are given by a set or ; in language-based form they are given by a secret sublanguage . For regular specifications, language-based and state-based formulations are equivalent after suitable state refinement, and the state-based formulation is often used as the main supervisory-control model (Yin, 26 Feb 2026).
The most common synthesis target is current-state opacity. In one standard formulation, a plant is current-state opaque if whenever a run reaches a secret state, there exists another run with the same observation that reaches a non-secret state: In estimation terms, current-state opacity means that every reachable current-state estimate is not entirely secret; equivalently, the intruder can never know for sure that the current state belongs to (Moulton et al., 2021, Yin, 26 Feb 2026).
The literature surveyed for supervisory enforcement also includes initial-state opacity, initial-and-final-state opacity, -step opacity, infinite-step opacity, and pre-opacity (Yin, 26 Feb 2026). Infinite-step opacity requires that the intruder can never determine with certainty, even eventually, that the system was at a secret state. One formulation used in supervisory synthesis is
or equivalently
0
This makes delayed inference central to control design (Xie et al., 2021).
A stronger line of work studies strong state-based opacity. The paper on strong state-based opacity treats strong 1-step opacity, strong current-state opacity, strong initial-state opacity, and strong infinite-step opacity for partially observed nondeterministic finite-state automata, and its enforcement mechanism chooses a subset of controllable transitions to disable before an original system starts to run in order to cut off all its runs that violate a notion of strong SBO of interest (Han et al., 2024). This is explicitly distinguished from classical online supervisory control, but it remains a control-based opacity-enforcement mechanism.
2. Formal supervisory-control setting
The basic supervisory-control problem is defined over a plant with controllable and uncontrollable events, and with potentially different observation capabilities for the supervisor and the intruder (Yin, 26 Feb 2026). In a standard Ramadge–Wonham-style setting, some events 2 are controllable, and a partial-observation supervisor is
3
where 4 is the supervisor’s own information mapping, which may differ from the intruder’s mapping 5 (Yin, 26 Feb 2026). In a deterministic formulation used for current-state opacity synthesis, a supervisor is a pair 6, where 7 is a DFA and 8 maps each supervisor state to a control pattern
9
A 0 means enabled and 1 means disabled, with the usual requirement that uncontrollable events cannot be disabled (Moulton et al., 2021).
A decisive modeling split is whether the intruder knows the supervisor. If the intruder does not know the supervisor implementation, then for a secret closed-loop behavior 2, it is enough to exhibit a non-secret behavior
3
from the open-loop plant such that
4
If the intruder knows the supervisor implementation, then the witness must belong to the closed-loop system: 5 The survey states that the second setting is fundamentally harder because the intruder’s estimate is built on the controlled system, while the control law itself is what must be synthesized (Yin, 26 Feb 2026).
Several papers refine this split further. The current-state opacity paper using subobservers assumes a supervisor-aware adversary and emphasizes the realistic assumptions
6
then uses a reduction that allows synthesis to proceed as if 7 (Moulton et al., 2021). By contrast, the paper on a priori unknown supervisors studies an intermediate model in which the intruder does not know the supervisor policy in advance, but can eavesdrop online on control decisions as they are issued during execution. That paper gives sound and complete synthesis algorithms for enforcing opacity without any restrictions on 8, 9, or 0, even when the supervisor’s and intruder’s observations are incomparable (Cui et al., 5 Apr 2026).
The core control objective remains the same across these formulations: synthesize a supervisor such that the closed-loop language 1 satisfies the required opacity notion, often with a maximally permissive or supremal controllable and opaque solution as the target (Yin, 26 Feb 2026). The survey characterizes opacity as “essentially a safety problem concerning information,” meaning that classical safety control over plant states is replaced by safety control over reachable intruder information states (Yin, 26 Feb 2026).
3. Observer-based synthesis and supervisor-aware opacity enforcement
Observer construction is the canonical mechanism for turning the intruder’s partial observation into a finite information-state model. In current-state opacity synthesis, the observer 2 is computed by replacing unobservable events by 3-moves and performing subset construction. The standard NFA-to-DFA observer construction has worst-case exponential complexity in the number of plant states, and this becomes the bottleneck in opacity-enforcing supervisory synthesis because the controlled plant changes iteratively (Moulton et al., 2021).
The paper "Using Subobservers to Synthesize Opacity-Enforcing Supervisors" formalizes this difficulty for a supervisor-aware adversary. It uses the parallel composition
4
where a state 5 records the actual plant state 6 and the adversary’s current estimate 7. A state is marked if its estimate contains only secret states; equivalently, marked states satisfy
8
The synthesis loop is:
- compute the initial adversary observer 9;
- form 0;
- while 1 has marked states, let 2 be the set of marked states, run
3
and re-mark any state 4 with 5;
- return 6 as supervisor 7 (Moulton et al., 2021).
REFINE has three phases: backward uncontrollable closure, determination of estimate components to remove, and relabeling of surviving states by
8
Theorem 2 states that, given 9 and 0, if 1 is the automaton induced by making the states in 2 inaccessible, then REFINE produces 3 where 4 (Moulton et al., 2021). Theorem 3 states that the resulting supervisor is a correct and maximally-permissive opacity-enforcing supervisor (Moulton et al., 2021).
The central conceptual device supporting this iterative scheme is the subobserver relation. For automata 5 and 6,
7
Theorem 1 proves: 8 This captures the fact that when plant behavior is restricted, the adversary’s estimate can only become smaller, never larger. Under the realistic assumptions above, the practical consequence is that one can perform only one explicit observer construction on the original plant and then refine a combined plant–observer structure thereafter, instead of recomputing an observer after every modification of the plant (Moulton et al., 2021).
This observer-based synthesis theme also appears in earlier modular work. "Incremental Observer Reduction Applied to Opacity Verification and Synthesis" formulates current-state opacity enforcement as synthesis on the observer, where forbidden observer states are those satisfying
9
and the supervisor is obtained by removing forbidden states and their uncontrollable predecessors: 0 The paper states that this 1 is the maximally permissive and controllable supervisor (Noori-Hosseini et al., 2018).
4. Information-state, delayed inference, and complete synthesis beyond current-state opacity
For opacity notions stronger than current-state opacity, supervisory synthesis must represent not only the current estimate but also delayed inference. "Optimal Synthesis of Opacity-Enforcing Supervisors for Qualitative and Quantitative Specifications" gives a complete solution to the standard infinite-step opacity control problem without assumption on the relationship between controllable events and observable events (Xie et al., 2021).
Its key construction is an information-state
2
written as 3, where 4 is the current-state estimate and each 5 is a set of state pairs linking a past state to a current state. Given observable event 6 and new control decision 7,
8
The paper proves that 9 equals the set of all delayed state estimates 0 (Xie et al., 2021). This yields a bipartite transition system in which the supervisor chooses control patterns at 1-states and the environment chooses observable events at 2-states. Secret-revealing states are
3
and the qualitative synthesis problem reduces to a safety game on this structure (Xie et al., 2021).
The same paper introduces a quantitative extension using secret-revelation-time as a cost measure. By augmenting each delayed estimate with an age counter, it defines an augmented information-state and solves the resulting optimization problem by value iteration on an augmented bipartite transition system. Infinite-step opacity appears as the special case obtained by assigning infinite penalty to any revelation, while 4-step opacity and current-state opacity arise as finite-horizon special cases (Xie et al., 2021).
The more paper on a priori unknown supervisors also relies on a nested information-state construction. There the intruder does not know the supervisor offline, but observes online-issued control decisions. For the observation-triggered issuance mechanism, the intruder’s information-flow is
5
and the intruder’s controlled estimate is
6
The supervisor then maintains an information state
7
where each element is a set of triples 8 containing an actual plant state, an intruder estimate, and a current decision. The paper proves that if 9 and 0, then
1
and
2
Safe observation-states are those for which every 3 satisfies 4, and synthesis again becomes a safety game. The paper states that the resulting synthesis algorithms are sound and complete, and that the complexity is doubly exponential in the plant size (Cui et al., 5 Apr 2026).
A different strong-opacity line takes an offline transition-pruning route rather than runtime supervision. For strong 5-step opacity, strong current-state opacity, strong initial-state opacity, and strong infinite-step opacity, the paper on strong state-based opacity constructs concurrent-composition structures in which violations correspond to states of the form 6. Its enforcement mechanism computes a subset
7
such that the subsystem 8 satisfies the target strong opacity property (Han et al., 2024). The paper emphasizes that this approach disables a chosen set of controllable transitions before the original system starts to run, rather than synthesizing a classical dynamic supervisor.
5. Scalability and structural reduction
Scalability is a recurrent issue because observer construction, information-state construction, and synchronization all generate large state spaces. One direction is incremental observer generation and abstraction for modular systems. "Incremental Observer Reduction Applied to Opacity Verification and Synthesis" proves that when there are no shared unobservable events,
9
and more generally develops incremental local observer generation along with an abstraction method for verification and synthesis of current-state opacity (Noori-Hosseini et al., 2018). The paper also treats shared unobservable events by preserving them until synchronization makes them local, then performing observer generation and abstraction in an incremental sequence (Noori-Hosseini et al., 2018). In the building/elevator case study, the abstracted observer for 0 has 1 states and 2 transitions, versus 3 states and 4 transitions without abstraction (Noori-Hosseini et al., 2018).
A second direction is to avoid repeated observer recomputation in supervisor-aware synthesis. The REFINE algorithm introduced with subobservers has complexity
5
for input size 6, and the full synthesis implementation has asymptotic complexity
7
often treated as 8 when 9 is comparatively small (Moulton et al., 2021). The improvement is not that opacity synthesis becomes polynomial, but that the exponential observer construction is done once, not repeatedly (Moulton et al., 2021).
The general overview emphasizes that opacity verification is generally PSPACE-hard even under natural projection, that modular opacity verification may be EXPSPACE-hard, that opacity problems may become undecidable in richer models such as timed systems and Petri nets, and that nondeterministic supervisory enforcement can induce doubly exponential information structures (Yin, 26 Feb 2026). It also identifies scalability beyond worst-case complexity as an open challenge (Yin, 26 Feb 2026).
A related practical point concerns the observation relation between supervisor and intruder. The survey states that synthesis becomes especially difficult when the supervisor and intruder have incomparable observations, and presents this as one of the most fundamental unresolved questions for opacity-enforcing supervisory control in general form (Yin, 26 Feb 2026). The a priori unknown-supervisor result and the edit-function result under incomparable observations provide complete solutions in their respective models, but this does not remove the broader scalability difficulty (Cui et al., 5 Apr 2026, Duan et al., 2024).
6. Related enforcement paradigms, extensions, and open directions
Opacity-enforcing supervisory control is the most fundamental DES mechanism for opacity enforcement, but the current literature also contains several closely related enforcement paradigms that either supplement or replace disabling-based supervision (Yin, 26 Feb 2026). One prominent class uses edit functions. "Privacy-Preserving Supervisory Control of Discrete-Event Systems via Co-Synthesis of Edit Function and Supervisor for Opacity Enforcement and Requirement Satisfaction" studies co-synthesis of a supervisor and an edit function, with insertion, deletion, and replacement operations, bounded edit length, and explicit covertness requirements. The architecture is reduced to a distributed supervisor synthesis problem in the Ramadge–Wonham framework, and the paper proposes two incremental synthesis heuristics (Tai et al., 2021). A further extension against a sensor-actuator eavesdropping intruder co-synthesizes a dynamic mask, an edit function, and a supervisor, again as a distributed synthesis problem (Tai et al., 2021).
Another edit-based line addresses incomparable observations directly. "Opacity Enforcement by Edit Functions Under Incomparable Observations" introduces 00-enforceability and transforms the enforcement problem into a two-player game with imperfect information between the system and the defender. The paper shows that an 01-enforcing edit function exists if and only if it can be synthesized from a non-empty edit mechanism 02 (Duan et al., 2024). This is not a disabling supervisor, but it solves an opacity-enforcement problem under a harder observation asymmetry than the standard equal-observation case.
Output-padding mechanisms are another variant. "Extended Insertion Functions for Opacity Enforcement" enlarges the class of systems for which current-state opacity can be enforced by allowing insertion both before and after an actual system output, and gives necessary and sufficient conditions for checking opacity enforceability and constrained event-insertion enforceability (Li et al., 2020). The paper explicitly characterizes this as an output-editing enforcement interface rather than a classical supervisor.
Stochastic and optimization-based variants also exist. "Information-Theoretic Opacity-Enforcement in Markov Decision Processes" formulates opacity-enforcement control in an MDP as constrained policy optimization with conditional entropy objectives for last-state and initial-state opacity, solved by primal-dual policy gradient methods with HMM-based message passing (Shi et al., 2024). "Planning with Probabilistic Opacity and Transparency" replaces belief-based enforcement by an opaque-observations automaton and reduces policy synthesis to constrained planning on an augmented-state MDP (Udupa et al., 2024). These are quantitative analogues rather than hard supervisory guarantees, but they preserve the same structural idea: synthesize a controller that regulates behavior so an observer cannot infer the secret.
The overview situates these developments in a broader field that includes stochastic systems, timed systems, Petri nets, and continuous or hybrid dynamics (Yin, 26 Feb 2026). It also identifies three particularly important open directions: solvability under incomparable information, scalable methods beyond worst-case complexity, and opacity under intelligent or data-driven adversaries (Yin, 26 Feb 2026). A plausible implication is that opacity-enforcing supervisory control is no longer a single algorithmic template, but a family of enforcement mechanisms organized around a common principle: prevent the reachable information state of the observer from certifying secrecy.