Stochastic Condition Masking (SCM)

• SCM is a framework that designs dynamic, randomized masking policies to maximize uncertainty about a system’s sensitive final state.
• It employs a controlled Hidden Markov Model and a primal–dual policy-gradient algorithm to optimize conditional entropy under cost constraints.
• Empirical evaluations in seven-state HMMs and grid worlds demonstrate that SCM significantly increases opacity while adhering to masking budgets.

Stochastic Condition Masking (SCM) refers to the synthesis of dynamic, randomized masking policies in stochastic systems designed to limit information leakage to external observers. The core objective is to regulate the release of sensor output to maximize the observer’s uncertainty about whether a system’s trajectory ends in a sensitive or “secret” state. SCM addresses the quantitative notion of final-state opacity in stochastic settings, optimizing this measure under explicit constraints on masking resource usage, as recently formalized in information-theoretic terms (Udupa et al., 14 Feb 2025).

1. System Model and Secrecy Objective

SCM models the plant and its masking interface as a controlled Hidden Markov Model (HMM)

$M = (S, P, O, Σ, μ_0, σ_0, E)$

where $S$ is a finite set of plant states; $P(s'|s)$ the state transition kernel; $O$ a finite alphabet of possible sensor observations; $Σ$ a finite set of masking configurations (masking actions); $μ_0$ the initial state distribution; $σ_0$ the initial mask; $E(o|s,σ)$ the emission probability distribution over $O$ conditioned on the plant state $s$ and mask $S$0.

A dynamic mask is a (randomized, memoryless) masking policy $S$1, determining the next masking configuration $S$2 based on the current system state $S$3 and current mask $S$4. Executing this policy produces a trajectory $S$5 over states, masks, and observations.

A designated subset $S$6 identifies secret (goal) states. At terminal time $S$7, the secret-indicator variable $S$8 equals $S$9 if $P(s'|s)$0 and $P(s'|s)$1 otherwise. The operational opacity goal is to maximize the observer's uncertainty about $P(s'|s)$2 given access only to the public observation sequence $P(s'|s)$3.

2. Quantifying Opacity with Conditional Entropy

Opacity in SCM is measured as the conditional Shannon entropy

$P(s'|s)$4

This entropy quantifies information leakage: higher conditional entropy implies greater observer uncertainty as $P(s'|s)$5 and $P(s'|s)$6 approach $P(s'|s)$7 for all possible observation sequences. This transitions opacity analysis from qualitative notions to a rigorous, quantitative, information-theoretic framework.

3. Cost-Constrained Optimization of Masking Policies

Masking actions are associated with resource or privacy costs. For each state transition and mask change, an immediate cost $P(s'|s)$8 is incurred, and the expected, possibly discounted, total cost along a trajectory is

$P(s'|s)$9

where $O$0 is a discount factor. SCM poses the mask-synthesis problem as constrained optimization,

$O$1

where $O$2 is a cost budget. This framework ensures practical resource usage while maximizing final-state opacity.

4. Primal–Dual Policy-Gradient Solution

Masking policies are parameterized as a smooth family $O$3 (e.g., softmax), with $O$4 the parameter vector. Define

• $O$5 as the opacity objective,
• $O$6 as the associated cost.

The Lagrangian formulation is

$O$7

The solution seeks the saddle-point $O$8 that maximizes $O$9 and minimizes $Σ$0:

$Σ$1

Simultaneous gradient updates take the form:

• $Σ$2
• $Σ$3 where $Σ$4 are step sizes and $Σ$5 denotes projection onto $Σ$6.

Pseudocode:

$E(o|s,σ)$8

5. Gradient Computation via Observable Operators

The non-additive structure of $Σ$7 precludes standard temporal-difference methods. SCM instead computes $Σ$8 analytically using the observable-operator formalism for controlled HMMs.

Let $Σ$9 denote an observation sequence. Define the controlled transition matrix $μ_0$0 and emission matrices $μ_0$1. For each $μ_0$2:

$μ_0$3

with $μ_0$4. The total observation likelihood is

$μ_0$5

Gradients are:

• $μ_0$6
• For $μ_0$7 (secret reached): $μ_0$8 with gradient

$μ_0$9

where the numerators use the same observable-operator products. For $σ_0$0, $σ_0$1. The analytic expressions permit Monte Carlo estimation using batches of $σ_0$2.

6. Empirical Evaluation

SCM was empirically validated on two models:

Model	Masking Budget ($σ_0$3)	Observed $σ_0$4	Average Cost
Seven-state HMM	N/A	0.0895 (none)	—
Seven-state HMM	60	≈0.7132	≈42.6 ($σ_0$560)
Seven-state HMM	20	≈0.6580	≈18.9 ($σ_0$620)
Grid world ($σ_0$7)	None	≈0.168	—
Grid world	Final-state mask	≈0.1763	≈14–15
Grid world	70	≈0.6539	≈61.4 ($σ_0$870)
Grid world	35	≈0.5274	≈34.1 ($σ_0$935)

In the seven-state HMM example, the absence of masking results in low entropy ($E(o|s,σ)$0), indicating near-certain observer inference. SCM policies under cost budgets achieved higher entropies (e.g., $E(o|s,σ)$1 for $E(o|s,σ)$2), confirming the ability to reduce information leakage while respecting resource constraints.

For a $E(o|s,σ)$3 grid world with mobile robot and spatial sensors, SCM significantly increased final-state opacity compared to naive full or final-state masking at various sensor reliabilities. Under $E(o|s,σ)$4, SCM achieved $E(o|s,σ)$5 ($E(o|s,σ)$6), while final-state masks yielded $E(o|s,σ)$7; cost was maintained within specified budgets.

These results demonstrate that SCM produces nontrivial, state-dependent masking strategies that optimally trade off between masking overhead and information leakage, outperforming conventional masking approaches (Udupa et al., 14 Feb 2025).

7. Context and Significance

SCM formalizes the synthesis of dynamic masks for stochastic plants in a rigorous, information-theoretic fashion, advancing prior approaches that focused on qualitative or deterministic opacity criteria. The primal–dual policy-gradient algorithm, combined with closed-form conditional entropy gradients via observable operators, addresses the unique challenges of masking policy optimization in HMMs with secrecy goals. This development enables practitioners to tailor privacy and secrecy guarantees in stochastic control systems by directly optimizing observer uncertainty under explicit resource constraints.

The formalism and algorithms of SCM are directly applicable to privacy-preserving sensing, secure robotics, and supervisory control in cyber-physical systems where plausible deniability of final states is essential and masking costs are non-negligible.