Finite-Horizon Shield for Path Planning Ensuring Safety/Co-Safety Specifications and Security Policies

With the development of network technology, security in path planning problems has attracted widespread attention. We consider a path planning problem in which a planner computes a finite path that satisfies a specification. We assume that the specification includes mandatory safety/co-safety specifications. Moreover, we consider a security policy for this path; however, we assume that the information leaked to an intruder is not known beforehand. We then propose an enforcement mechanism referred to as a finite-horizon shield. This mechanism modifies the path computed by the planner as little as possible so that it satisfies the safety/co-safety specifications and the security policy under the leaked information. We assume that the safety/co-safety specifications are described by LTL_f formulas and the security policy by a hyperLTL_f formula. We then convert the formulas into quantified formulas and compute the modified path using a satisfiability modulo theories solver. As an example, we consider an opacity problem in which there is another path whose leaked information is the same as that of the modified path. Simulations confirm that the output of the shield depends on the leaked information and that the modified path may contain additional movements to ensure opacity. We also compare, by simulation, the computation time of the shield with that of security-aware planning.


I. INTRODUCTION
Safety-critical automated systems have numerous practical applications. The specifications of these systems are complex, and they consist of mandatory and optional specifications. For example, it is mandatory for a synthesized system to satisfy safety properties, which ensure that system behaviors remain in a safe state set. Safety properties are characterized by the bad prefixes of infinite state sequences [1]. It is important to ensure that system behaviors always satisfy safety specifications under different environments. In recent years, shield synthesis [2], [3] has attracted widespread attention for the design of complex engineering systems because it is an efficient method for enforcing safety specifications at runtime when the environment changes. A shield is attached to a system, as illustrated in FIGURE 1. It monitors the inputs and outputs of the system and modifies incorrect outputs to correct outputs. An advantage of shield synthesis is that the modification is minimized. If the system output satisfies a given safety specification, the shield does not make a modification, and its output is the same as the system output.

The associate editor coordinating the review of this manuscript and approving it for publication was Jiafeng Xie.
Otherwise, the shield modifies its output to satisfy the safety specification such that the modified output is as close to the system output as possible. Thus, the effect of the modification on optional specifications is minimized. Shield synthesis has been applied to several engineering problems. In [4], a shield was attached to a multiagent system to prevent congestion and collisions. In [5] and [6], shields were used to ensure the safety of human-interactive robotics. A shield that adapted to a changing environment was proposed and applied to traffic light controllers to maintain the correct traffic flow [7]. Safe reinforcement learning using shields was proposed in [8] and [9].
Specifications have become complex owing to recent advances in automated systems, and temporal logics are useful tools for their detailed descriptions [10], [11]. Linear temporal logic (LTL) formulas are typically used for logical specifications in synthesis problems [12], and numerous reactive synthesis problems for LTL specifications have been studied [13], [14], [15], [16], [17], [18], [19]. Signal temporal logic (STL) formulas can describe the dynamic properties of real-valued continuous signals [20], [21], and they have been applied to controller synthesis problems [22], [23], [24]. Furthermore, LTL and STL formulas are used to describe the safety specifications for shield synthesis [2], [25]. Shield synthesis with specifications described by quantified discrete-duration calculus logic formulas has recently been proposed [26]. In reactive synthesis, temporal logic formulas are evaluated over infinite sequences of states or transitions. In the path planning problem of a mobile robot, where the goal is to find a finite sequence of states (referred to as a path) from the initial state to a goal state while meeting specifications, the LTL formulas that describe the specifications are evaluated over finite sequences. This logic is referred to as LTL_f [27], [28], [29], [30], [31]. Moreover, safety and co-safety properties are important [32], [33]. A typical example of a co-safety property is that a robot reaches a goal state within a finite horizon. Co-safety properties are characterized by good prefixes. Thus, shield synthesis that satisfies safety and co-safety specifications is important in path planning problems.
Security in path planning problems has attracted considerable attention with the development of network technology [34], [35]. Malicious intruders observe partial information about a robot, which is referred to as leaked information, and estimate a secret about the robot. The secret about the robot may be its location, its action, and so on; revealing it matters because it can lead to the identification of the entire path, which may in turn reveal the tasks or attributes of the robot. As an example, for a mobile robot that transports a very valuable item, its current location is a secret, so that the intruder cannot rob it of the item. Secure path planning, in which an intruder cannot identify the secret, is therefore an important issue, and it depends on the leaked information. A security property is not a property of individual state sequences but a hyperproperty, that is, a set of subsets of sequences. For example, opacity is a useful notion in the analysis of cryptographic protocols [36], and it has been applied to multiple classes of systems such as discrete event systems [37], [38], [39] and cyber-physical systems [40], [41], [42]. Intuitively, opacity is defined such that, for each state sequence with a secret, there exists a different sequence without the secret whose leaked information is the same as that of the secret sequence. HyperLTL, which is an extension of LTL with trace variables, was proposed in [43], [44], and [45] to formally describe hyperproperties. It has been shown that several specifications of the path planning problems of mobile robots can be described by hyperLTL formulas [46]. A unified framework that uses hyperLTL for specifying observational properties, including opacity, diagnosability, predictability, and detectability, has been proposed [47].
There is increasing demand for ensuring path security in robot path planning problems [34], [48], and this depends on the leaked information observed by an intruder. For example, when sensors send some (partial) information to an operator over a network and a vulnerability of the network is discovered, the operator modifies the path to guarantee a security policy under the assumption that the information may be leaked to a potential intruder. As another example, when eavesdropping devices have been set up and are detected while the robot works, a good strategy against the intruder may be the following: if the current plan is not secure, the operator modifies the plan so that it is secure in the presence of the devices, because the intruder does not notice that the operator has detected the devices. To achieve the modification, the concept of shielding is applicable. Thus, in our scenario, a planner generally does not know the leaked information beforehand. Hence, it must compute a path that satisfies the given specifications, including a safety and/or co-safety property, without considering the given security policy. When eavesdropping devices are detected, the corresponding leaked information is identified and the path is modified as little as possible such that the modified path satisfies the safety/co-safety properties and the security policy. Therefore, it is important to provide a method for this modification.
In this study, we assume that a planner that computes the finite path of a robot is pre-designed. We will call the path a pre-planned path. We apply shield synthesis to an enforcement mechanism for the planner, whose objective is to satisfy safety and/or co-safety specifications and a security policy under the working environment of the robot. A conventional shield considers infinite sequences of inputs and outputs and modifies the outputs that satisfy safety specifications if necessary. However, in the path planning problem, the path is finite and satisfies safety and co-safety specifications and the security policy. Thus, we propose a shield-like enforcement mechanism, which is referred to as a finite-horizon shield, to modify the pre-planned path as little as possible while satisfying the safety/co-safety specifications and security policy under the working environment where the intruder exists. FIGURE 2 illustrates the proposed enforcement mechanism. While the robot moves along the pre-planned path, if leaked information is identified, it is sent to the finite-horizon shield.

FIGURE 2. Enforcement mechanism with leaked information and a finite-horizon shield that modifies a finite path to satisfy safety and co-safety specifications and a security policy.

FIGURE 3.
Example of a workspace modeled by 6 × 6 grid plane, where obstacles exist in black grids. The initial and goal grids are colored red and green, respectively, and the blue arrows indicate a pre-planned path.
The shield checks whether the pre-planned path satisfies the security policy under the leaked information. If not, it modifies the path to satisfy the safety/co-safety specifications and security policy. Therefore, the path output by the finite-horizon shield is guaranteed to satisfy safety/co-safety specifications and the security policy.
The following example illustrates the problem we consider. The planner determines a path based on safety and/or co-safety specifications without taking into account the security policy because it does not know what information may be leaked. Suppose the planner determines the path that satisfies the specification of avoiding obstacles and eventually reaching the goal in the workspace represented by the grid shown in FIGURE 3. The red, green, and black locations in this figure indicate starts, goals, and obstacles, respectively. The blue arrows are the pre-planned path determined by the planner. Assume that at time 3, that is, when the mobile robot is on the grid with the gray circle, the leaked information is identified and the horizontal position of the robot is leaked. We consider the case where the secret is the initial state of the robot, that is, the initial state must not be determinable from the leaked information alone. Such a policy is called initial-state opacity. See Section V for details. The pre-planned path does not satisfy the security policy. Then, we modify it after time 3 to satisfy the security policy. FIGURE 4 shows an example of the modified path, where the red arrows indicate the modified path and the yellow arrows indicate a path that the intruder cannot distinguish from the modified path. Note that the initial states of the two paths are different, and hence the modified path satisfies the security policy.
We assume that the specification for which the planner computes a pre-planned path is described by an LTL_f formula and that the safety/co-safety specifications are described as its subformulas. Moreover, the leaked information is represented by atomic propositions, and the security policy is represented by a hyperLTL_f formula over the set of these atomic propositions. Then, we construct the finite-horizon shield using SAT-based bounded model-checking approaches [49], [50], [51], [52]. As any hyperLTL_f formula can be converted into a quantified formula (QF) [53], the safety/co-safety specifications and the security policy are encoded as QFs. Then, a modified path is computed using a satisfiability modulo theories (SMT) solver. Whereas a security-aware planning problem computes a path that satisfies a specification including a security policy [42], [46], [48], we address the problem of modifying an insecure path to be secure under leaked information that is detected while the robot works; that is, we extend the shield approach to secure path re-planning, and the proposed shield modifies a finite path if it does not satisfy the security policy under the identified leaked information. This approach is also different from the supervisory-control-based approaches proposed in [38], [47], and [54], where the supervisor determines a set of events that satisfy the security policy under the assumption that the leaked information is known. The proposed approach is also different from the enforcement mechanism proposed in [55] because the finite-horizon shield receives a single sequence and modifies it into a single sequence, whereas the mechanism in [55] receives a set of sequences and modifies them.
In this study, as a comparative approach, we also consider a security-aware planning problem that computes a path satisfying a specification including a security policy (see Section VI for details). Since the security policy is encoded as a QF, the planning problem is converted into a quantified satisfiability (QSAT) problem, which is PSPACE-complete [56]. In other words, the comparative approach is a one-step approach. On the other hand, the proposed method can be regarded as a two-step approach to a security-aware planning problem with known leaked information: the planner computes a pre-planned path by solving a SAT problem, which is NP-complete [57], since the security policy is not included in the specification for the planner, and the finite-horizon shield then computes a secure path by modifying the pre-planned path, which is a QSAT problem. In the planner, we do not use the Boolean variables that describe the security policy, while in the finite-horizon shield, we do not use those that describe the specification except for the security policy. Thus, the numbers of Boolean variables used in the planner and in the finite-horizon shield are each smaller than the number used in the security-aware planning problem. In other words, the proposed method computes a secure path by solving a SAT problem and a QSAT problem with fewer Boolean variables than the QSAT problem of the one-step approach. By simulation, we show that the computation time of the proposed approach is less than that of the one-step approach when the number of variables used in the encoding of the planning problems is large. Thus, the proposed method is practically useful for a security-aware planning problem under known leaked information.
The remainder of this paper is organized as follows: In Section II, we review hyperLTL, which is an extension of LTL. In Section III, we formulate a path planning problem in which a specification and a security policy for a desired finite path are described by hyperLTL formulas. In Section IV, we propose a finite-horizon shield synthesis algorithm for the modification of a path planned by a planner to satisfy the hyperLTL_f formulas that represent the safety/co-safety specifications and the security policy. We demonstrate the application of the finite-horizon shield to the enforcement of opacity for mobile robot path planning in Section V. We compare a security-aware planner and the finite-horizon shield in Section VI. Section VII concludes the paper.

II. HyperLTL OVER FINITE TRACES
Let AP be a set of atomic propositions and 2^AP be the power set of AP. A finite trace over 2^AP is a finite sequence of subsets of AP.
HyperLTL is an extension of LTL with trace quantifiers (∃, ∀) and trace variables. Numerous hyperproperties related to security policies are described by hyperLTL formulas.
Let be a set of trace variables. The hyperLTL formulas are recursively generated as follows: where ap ∈ AP is an atomic proposition and π ∈ is a trace variable. Subscript π indicates that ap should be checked over trace variable π. Some trace variables in the objectives are quantified by ∃ or ∀. The other Boolean operators (∨, →, and ≡) are defined as ϕ_1 ∨ ϕ_2 := ¬(¬ϕ_1 ∧ ¬ϕ_2), ϕ_1 → ϕ_2 := ¬ϕ_1 ∨ ϕ_2, and ϕ_1 ≡ ϕ_2 := (ϕ_1 → ϕ_2) ∧ (ϕ_2 → ϕ_1). In addition, two temporal operators, i.e., eventually (♢) and always (□), are defined as follows: The hyperLTL formulas are interpreted over infinite and finite traces. The hyperLTL formulas interpreted over finite traces with length H are referred to as hyperLTL_f^H formulas. The syntax of hyperLTL_f^H formulas is the same as that of the hyperLTL formulas defined by (1) and (2), and their semantics is given by the satisfaction relation, ⊨_T, over a set of finite traces T ⊆ (2^AP)^H. Let V : → (2^AP)^H be an assignment function. The semantics is recursively defined as follows: Intuitively, ∃π.ψ holds if and only if there exists a trace in T that satisfies ψ. ∀π.ψ holds if and only if all traces in T satisfy ψ.

III. PROBLEM FORMULATION
We consider a path planning problem of a mobile robot in a workspace that is partitioned into a finite number of regions. We assume that the transitions between the regions are given. Additionally, a specification for the path, which is referred to as a path specification, is given by an LTL formula. We assume that the path specification includes safety and/or co-safety subspecifications as mandatory requirements. Let AP_p be the finite set of atomic propositions that are used to describe the path specification. We assume the existence of a planner that computes a path that satisfies the path specification described by an LTL_f formula. Then, we consider a case where there is a security policy that specifies a secret of the path and an intruder who observes information about the behavior of the robot and attempts to reveal the secret. We assume that the leaked information is unknown when the planner computes the path. Let AP_ob be a finite set of the atomic propositions that are used to describe the observation of the leaked information. Let AP := AP_p ∪ AP_ob. Then, the behavior of the mobile robot is modeled by a transition system P = (P, P_0, I, δ, L_p, L_ob), where
• P is the set of states that represent regions in the workspace,
• P_0 ⊆ P is the set of initial states,
• I is the set of inputs,
• δ : P × I → P is a partial transition function, where p′ = δ(p, i) indicates that the robot moves from state p to state p′ by input i,
• L_ob : → 2^{AP_ob} is the labeling function with respect to set AP_ob. Intuitively, L_ob(ℓ) ⊆ AP_ob represents the information leaked by the occurrence of transition ℓ ∈ .
We introduce the following labeling function, Then, we assume that P ∪ P′ ⊆ AP, that is, each state and its primed symbol are atomic propositions, and for transition ( implies that it is a transition from state p to state q. For transition system P, a finite sequence of transitions ρ defined by (3) is referred to as a path.
where H is the length of the path, p[0] ∈ P_0, and We extend the two labeling functions, L_p and L, to L(H, P) for any positive integer H ≥ 2 as follows: For path ρℓ ∈ L(H, P) with ρ ∈ L(H − 1, P) and ℓ ∈ , be a set of traces with length H for P and L_p (resp. L), that is, p and denote the sets of trace variables used for the path specification and the security policy, respectively. Without loss of generality, we set p = {π} because the path specification is described by an LTL formula that is equivalent to a quantifier-free hyperLTL formula with the trace variable π. Let V_p : p → T_p(H, P) and V : → T(H, P) be assignment functions.
The path specification is described by an LTL formula that is a quantifier-free hyperLTL_f^H formula ϕ_p over AP_p with trace variable π. The planner computes path ρ_p ∈ L(H_p, P), which is referred to as a pre-planned path, such that where H_p is the length of ρ_p and V_p(π) = L_p(ρ_p). We assume that path specification ϕ_p is partitioned into a mandatory and an optional specification, that is, ϕ_p := ϕ_s ∧ ϕ_o, where ϕ_s and ϕ_o represent the mandatory and the optional specification, respectively; a similar partition of the specification was proposed in [58] and [19]. The mandatory specification is related to safety or co-safety properties, and it must still be satisfied after modification. In other words, it is the part of the specification that should not be affected by the modification. For example, a safety property is that the mobile robot never enters a dangerous region such as a river, and a co-safety property is that the mobile robot reaches a target region within a finite horizon. The optional specification aims to increase the quality of service of the path, such as passing through a specified location if possible.
We consider the case where an intruder attempts to reveal the secret of the pre-planned path using the leaked information that is partially observed by the intruder's sensors. Then, the leaked information is identified, which is represented by a set of atomic propositions AP_ob. A security policy is described by a hyperLTL formula ψ_sp over AP as follows: where Q_i ∈ {∃, ∀} (i = 2, . . . , n) is a trace quantifier and ϕ_sp is a quantifier-free hyperLTL formula with trace variables π_1, π_2, . . . , π_n. Path ρ ∈ L(H, P) satisfies security policy ψ_sp if assignment function V with V(π_1) = L(ρ) satisfies Opacity is an example of a security policy of the mobile robot; this will be discussed in Section V.
If the pre-planned path does not satisfy the security policy, we modify the path such that it satisfies ϕ s and ϕ sp . The next section describes the method proposed for the modification.

IV. FINITE-HORIZON SHIELD
We consider a mobile robot whose workspace is modeled by transition system P = (P, P_0, I, δ, L_p, L_ob). For a given path specification ϕ_p = ϕ_s ∧ ϕ_o, a planner computes a pre-planned path ρ_p ∈ L(H_p, P) such that (8) holds for V_p(π) = L_p(ρ_p). Note that the planner does not consider the security policy. Moreover, labeling function L_ob is not determined beforehand because it depends on the leaked information (e.g., partial observation of the position of the mobile robot). While the mobile robot operates, if the leaked information is identified at time h ∈ [0, H_p], it is represented by set AP_ob and labeling function L_ob : → 2^{AP_ob}. The leaked information at each transition ℓ ∈ is described by subset L_ob(ℓ) ⊆ AP_ob, and the security policy is described by a hyperLTL formula ϕ_sp over AP = AP_p ∪ AP_ob. Then, we modify the pre-planned path as little as possible while satisfying mandatory specification ϕ_s and security policy ϕ_sp.
On the basis of shield synthesis [2], [3], we propose an enforcement mechanism referred to as a finite-horizon shield to achieve the modification. The finite-horizon shield is illustrated in FIGURE 2. Security policy ψ_sp is given by (9). When the leaked information is identified, the finite-horizon shield is informed of labeling function L_ob : → 2^{AP_ob}. We require the following constraints:
• The finite-horizon shield does nothing until the leaked information is detected.
• When the leaked information is identified at time h ∈ [0, H_p − 1], the remaining path in time interval [h + 1, H_p] is modified in such a way that the overall path in time interval [0, H_p] satisfies the security policy.
The first constraint follows the design policy of a shield. The second one is necessary to satisfy the security policy even if the leaked information is identified while the robot is moving. Then, the finite-horizon shield checks whether the pre-planned path ρ_p satisfies ψ_sp. If ρ_p satisfies ψ_sp, its output is ρ_p; that is, it does not modify the pre-planned path. Otherwise, it computes a path with the minimum modification while satisfying mandatory specification ϕ_s and security policy ψ_sp. The overall procedure for the computation of output ρ_s ∈ L(H_s, P) of the finite-horizon shield is illustrated in FIGURE 5, where H_s ≥ H_p is the length of ρ_s. The method is described below.
If (11) is satisfied, the finite-horizon shield does not modify the path and outputs ρ_p, that is, ρ_s = ρ_p (Process3). However, when (11) does not hold, we proceed to the next step.

B. SECOND STEP
The finite-horizon shield modifies ρ_p such that the modified path is closest to ρ_p among the paths that satisfy ϕ_s and ψ_sp. It should be noted that, in general, if ρ_p does not satisfy the security policy, there may not exist a secure path with length H_p that satisfies the mandatory specification. Then, the finite-horizon shield outputs secure path ρ_s with length H_s larger than H_p. In this case, we evaluate the closeness of ρ_s to ρ_p by extending ρ_p to path ρ_p = ρ_p[0] ρ_p[1] .
The extension is an important issue that depends on the path planning problem. Therefore, it is beyond the scope of this study. An example of the extension is provided in the next section.
Let cls : L(H_s, P) × L(H_s, P) → N be a function that evaluates the effect of the modification. For extended pre-planned path ρ_p and its modified path ρ_s, the effect of the modification decreases with cls(ρ_p, ρ_s). Note that cls(ρ, ρ) = 0 for any ρ ∈ L(H_s, P). Examples of cls are the similarity between input strings (described in detail in Section V) and the similarity between states.
Let V_p : p → T_p(H_s, P) and V : → T(H_s, P) be assignment functions. For k ∈ N and h ∈ [0, . . . , H_p], modified path ρ_s starting from the same state as ρ_p under the constraint that the effect of the modification is less than or equal to k is computed as follows: Determine ρ_s subject to ρ_s ∈ L(H_s, P), where p_0 ∈ P_0 is the initial state of ρ_p. The second condition in (12) indicates that the past path from the initial state to the current state cannot be modified. Intuitively, k represents the tolerance of the modification, and it should be as small as possible. However, the existence of the modified path depends on k. First, k is set to be sufficiently small to practically minimize the effect of the modification. If a modified path does not exist, then k is increased and the modified path is recomputed. This procedure is repeated until a modified path is obtained. For simplicity, in FIGURE 5, we initially set k = 1 (Process4). For each k, (12) is solved to find path ρ_s (Process7). If it exists, the finite-horizon shield outputs ρ_s as the modified path (Process8). Otherwise, k is increased (Process9). If k > K_max, the finite-horizon shield outputs an error (Process6), where K_max is a hyperparameter that ensures the termination of the computation.
In this study, to solve (11) and (12), we convert the constraints described by hyperLTL_f formulas into QFs and solve the satisfiability problem of the QFs. The conversion is done in such a way that the hyperLTL_f formulas are satisfiable if and only if the corresponding QFs are satisfiable. See Appendix A for the conversion of the hyperLTL_f formulas into QFs. Thus, (11) is satisfied if and only if the QF corresponding to (11) is satisfiable. For (12), the path ρ_s exists if and only if the QF corresponding to the constraints of (12) is satisfiable. Then, the path is obtained from an instance satisfying the QF. The next section describes an example of this conversion. Algorithm 1 shows the entire procedure for the modification of ρ_p. We encode (11) (Algorithm 1, line 1) and check whether (11) is true or false (line 2). If it is true, then ρ_p satisfies ψ_sp. Therefore, the finite-horizon shield outputs ρ_s = ρ_p and cls(ρ_p, ρ_s) = 0 (line 5). If (11) is false (line 6), the for loop (line 7) iterates over parameter k ∈ {1, . . . , K_max}. For each k, we encode (12) (line 8) and check the satisfiability of (12) (line 9). If it is satisfiable, the finite-horizon shield outputs ρ_s and cls(ρ_p, ρ_s) = k. If (12) has no solution up to k = K_max, then the finite-horizon shield outputs an error (line 15). A possible counterplan is then to complete the pre-planned path while giving up the security policy, or to return to the initial state. However, this is beyond the scope of this paper because it depends on the system or on the priority of the specifications.

Algorithm 1 (the lines recovered from the extracted text; lines 1 to 4 are not shown):
5: return ρ_s, cls
6: else
7: for k = 1 to K_max do
8: Encode (12)
9: if (12) is satisfied then
10: cls ← k
11: return ρ_s, cls
12: end if
13: end for
14: end if
15: return -1

The computational complexity of Algorithm 1 is PSPACE-complete since it uses the satisfiability of quantified formulas [56].
We consider the number of variables used in Algorithm 1, which depends mainly on the number of subformulas in ϕ_sp and the number of variables that encode paths. Let N_{f,i} be the number of different subformulas related to trace variable π_i in formula f. For H_s transitions and all subformulas in ϕ_sp, Σ_{i=1}^{n} N_{ϕ_sp,i} H_s variables are needed, where n is the number of trace variables in . Variables that represent paths are also needed. For each transition, (|P| + |I| + |O|) variables are needed to store the states, inputs, and outputs, where O is the set of partial observations. For H_s transitions, we have H_s times as many variables. Algorithm 1 requires n paths. In addition, we prepare variables that encode cls, and let N_cls be the number of them. Therefore, the total number N_Alg1 of variables required for Algorithm 1 is as follows: In practice, we also have to consider the number of variables N_pre needed for the SAT problem to find the pre-planned path, and N_pre is expressed as follows: where N_{ϕ_p} is the number of different subformulas in formula ϕ_p.

V. APPLICATION TO OPAQUE PATH PLANNING PROBLEMS
In this section, we describe the application of the finite-horizon shield to opaque path planning problems for a mobile robot.

A. PROBLEM SETTINGS
Opacity is an information flow security property, and several definitions of opacity have been proposed. We consider the case where an intruder can partially observe the behaviors of a mobile robot, and there is a secret for the path planning of the robot. Intuitively, a path is opaque if the intruder cannot expose the secret under the partial observation. We consider that the mobile robot moves in a 2-dimensional workspace, which is partitioned into N_x × N_y grid regions. Subsequently, the behavior of the robot is represented by a finite-state transition system, P = (P, P_0, I, δ, L_p, L_ob), where L_p : → 2^{AP_p} is the labeling function for the safety and co-safety specifications and L_ob : → 2^{AP_ob} is that for opacity, where the set of transitions is given by , y), i)}. (15) Let G ⊂ P be a set of goal locations. We assume that there are obstacles in the workspace. Let D ⊂ P be a set of locations with obstacles. For simplicity, we assume Then, the path satisfies a mandatory specification such as safety/co-safety specifications. Let Labeling function L_p is defined as follows: Let p = {π} be the set of trace variable π and let V_p be an assignment function that assigns π to a trace over AP_p. We consider a mandatory specification that describes a safety/co-safety property such that the mobile robot never enters locations where obstacles exist and eventually reaches a goal. This is described by ϕ_s^π over AP_p, as follows: Then, for pre-planned path ρ_p, we have where V_p(π) = L_p(ρ_p). If there is no opaque path with length H_p that satisfies the mandatory specification, then the finite-horizon shield outputs an opaque path whose length is larger than H_p. Let H_s be the length of modified path ρ_s. The determination of H_s is an important issue in practice. There are several decision rules for obtaining H_s.
For example, there is a brute force approach in which the initial value of H s is set to be equal to H p and increased by one until an opaque path is obtained. However, this is out of the scope of this work, and we assume that H s is given. We extend ρ p to pathρ p =ρ p [0]ρ p [1] . . .ρ p [H s − 1] with length H s as follows.
Intuitively, the extended path is constructed by making the robot stay at the last location it reached.
For the extended path ρ p , the finite-horizon shield computes the modified path ρ s denoted by Recall that set AP ob represents the leaked information identified by the intruder detector. For the labeling function L ob : → 2 AP ob , L ob (ℓ) denotes the set of atomic propositions observed by the intruder when transition ℓ occurs.
Recall that the finite-horizon shield modifies the pre-planned path such that the modified path satisfies the mandatory specification and the security policy. Note that trace variable π 2 represents a path that is different from the modified path but also satisfies the mandatory specification. Thus, the formula for the security policy is obtained as given below. For state p ∈ P that represents the initial state of the pre-planned path, let ϕ sp π 1 ,π 2 (p) := opac init π 1 ,π 2 (p) ∧ ϕ s π 2 for the initial-state opacity, and ϕ sp π 1 ,π 2 (p) := opac curr π 1 ,π 2 (p) ∧ ϕ s π 2 for the current-state opacity.
Then, (12) can be rewritten as follows: Determine ρ s subject to ρ s ∈ L(H s , P) Thus, the finite-horizon shield checks (31) to determine whether ρ p satisfies opacity. If so, the finite-horizon shield outputs ρ p . Otherwise, k is set to 1 and (32) is solved repeatedly for k ∈ {1, . . . , K max } until a solution is found that provides a modified path ρ s of length H s ≥ H p that satisfies the mandatory specification and opacity and is the closest to the extended pre-planned path ρ p in terms of the Hamming distance. If there is no solution for any k ∈ {1, . . . , K max }, the finite-horizon shield concludes that there is no opaque path whose Hamming distance from the extended pre-planned path is less than or equal to K max .

B. SMT-BASED APPROACH
We encode hyperLTL H f formulas as QFs and solve (31) and (32) as satisfiability problems of the QFs using an SMT solver [53], [59].
We consider the initial-state opacity as the security policy.
(33) indicates that p H 1 is a path of transition system P, and (34) and (35) correspond to the mandatory specification and the security policy, respectively.
Then, recall that h ∈ [0, . . . , H p ] denotes the time at which the leaked information observed by the intruder is identified, and we have (36) indicates that the past motion of the robot up to the current state cannot be modified. Moreover, we express function cls as follows: where For simplicity, we define p The finite-horizon shield checks the satisfiability of (38) and (39) to determine the output ρ s .
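The construction of Subsections A and B above (grid transition system, mandatory specification, initial-/current-state opacity under a projected observation, fixed prefix up to time h, extension to length H s and Hamming-distance closeness bounded by K max) can be exercised on a toy instance with the following added Python example. It is not the paper's implementation: it replaces the Z3 encoding of (31) and (32) with brute-force enumeration so that it runs without an SMT solver, and the 4 × 4 workspace, obstacle set D = {(1, 1)}, goal set G = {(3, 0)} and pre-planned path are constructed here.

```python
"""Added example (not the paper's code): brute-force stand-in for the SMT-based
finite-horizon shield on a constructed 4x4 grid with one observed coordinate."""
from itertools import product
MOVES = [(0, 0), (1, 0), (-1, 0), (0, 1), (0, -1)]  # stay, right, left, up, down

def mandatory(path, obstacles, goals):
    """phi_s: never enter an obstacle (D) and eventually reach a goal (G)."""
    return all(s not in obstacles for s in path) and any(s in goals for s in path)

def opaque(path, coord, n, obstacles, goals, kind):
    """Another phi_s-path with the same observed coordinate sequence exists and
    differs in the initial ('init') or final ('curr') state?"""
    obs = [s[coord] for s in path]                 # leaked information L_ob
    def extend(prefix):
        t = len(prefix)
        if t == len(path):
            other = prefix[0] != path[0] if kind == "init" else prefix[-1] != path[-1]
            return other and mandatory(prefix, obstacles, goals)
        for s in [(x, y) for x in range(n) for y in range(n)]:
            adjacent = t == 0 or (s[0] - prefix[-1][0], s[1] - prefix[-1][1]) in MOVES
            if s[coord] == obs[t] and adjacent and extend(prefix + [s]):
                return True
        return False
    return extend([])

def shield(pre_path, h, h_s, coord, n, obstacles, goals, kind, k_max):
    """Return (modified path, Hamming distance) or None if none within k_max."""
    ext = pre_path + [pre_path[-1]] * (h_s - len(pre_path))  # stay at last location
    if mandatory(ext, obstacles, goals) and opaque(ext, coord, n, obstacles, goals, kind):
        return ext, 0                      # (31) holds: pre-planned path is output unchanged
    prefix, best = ext[:h + 1], None       # (36): motion up to time h cannot be modified
    for moves in product(MOVES, repeat=len(ext) - len(prefix)):
        cand = list(prefix)
        for dx, dy in moves:
            cand.append((cand[-1][0] + dx, cand[-1][1] + dy))
        dist = sum(a != b for a, b in zip(cand, ext))  # closeness cls(ext, cand)
        if dist > k_max or (best and dist >= best[1]):
            continue
        if all(0 <= c < n for s in cand for c in s) and mandatory(cand, obstacles, goals) \
                and opaque(cand, coord, n, obstacles, goals, kind):
            best = (cand, dist)
    return best

def demo():
    """Constructed scenario: obstacle (1,1), goal (3,0), straight pre-planned path, H_s = 5."""
    n, D, G, pre = 4, {(1, 1)}, {(3, 0)}, [(0, 0), (1, 0), (2, 0), (3, 0)]
    return {"x_init": shield(pre, 0, 5, 0, n, D, G, "init", 3),   # intruder sees x: modified
            "y_init": shield(pre, 0, 5, 1, n, D, G, "init", 3),   # intruder sees y: unchanged
            "x_curr": shield(pre, 0, 5, 0, n, D, G, "curr", 3),   # current-state opacity holds
            "x_init_h1": shield(pre, 1, 5, 0, n, D, G, "init", 3)}  # leak identified at h = 1
```

In the constructed instance the horizontal observation forces a modification (the robot waits one step so that a path starting at (0, 1) explains the same x-sequence), the vertical observation needs none, and fixing the prefix up to h = 1 leaves no opaque path within K max = 3, so the shield reports failure.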

C. SIMULATIONS
Algorithm 1 is implemented in Python. We consider the following two cases of leaked information: the intruder can observe (i) the horizontal or (ii) the vertical coordinate of the states. For each case, set AP ob is given by Labeling function L ob : → 2 AP ob is expressed as follows: for each ((x, y), i, (x̂, ŷ)) ∈ , L ob (((x, y), i, (x̂, ŷ))) := {x, x̂′} for case (i) and {y, ŷ′} for case (ii). We use Z3 [60] as the SMT solver. The results shown in this section are obtained on a system with a 1.8 GHz quad-core processor and 16 GB of RAM. We set N x = N y = 15, H = 25, and K max = 3.

1) SIMULATIONS FOR THE INITIAL-STATE OPACITY
The blue arrows in FIGURE 6 indicate the pre-planned path computed by the planner. We simulate the case where the leaked information is identified at time 3. The pre-planned path is the input of the finite-horizon shield. The output ρ s of the shield that ensures the initial-state opacity for the horizontal (resp. vertical) coordinates of the states is indicated by the red arrows in FIGURE 7 (resp. FIGURE 8). ρ s satisfies cls(ρ p , ρ s ) = 1 (resp. cls(ρ p , ρ s ) = 0). The yellow arrows in FIGURES 7 and 8 indicate that the path represented by the red arrows satisfies the initial-state opacity. Gray circles indicate the robot's position at time 3. The light red arrows indicate the past movements of the robot, which cannot be modified from the pre-planned path. The pre-planned path shown in FIGURE 6 does not satisfy the initial-state opacity if the intruder can observe the horizontal coordinates of the states; therefore, the shield modifies the path. However, the initial-state opacity is satisfied if the intruder can observe the vertical coordinates of the states, and the shield does not modify the path. We confirm that the output of the finite-horizon shield depends on the information observed by the intruder.

2) SIMULATIONS FOR THE CURRENT-STATE OPACITY
We consider the current-state opacity in case (ii), with the leaked information identified at time 6. A pre-planned path is shown by the blue arrows in FIGURE 9, and the output of the finite-horizon shield is shown in FIGURE 10. As the pre-planned path does not satisfy the current-state opacity, the output is modified by appending an input that moves the robot to the right at the end of path ρ p . Output ρ s satisfies cls(ρ p , ρ s ) = 1. In this case, no path satisfying the current-state opacity exists for H s = H p . We confirm that the finite-horizon shield outputs a modified path with additional movement to ensure opacity.

VI. COMPARISON WITH SECURITY-AWARE PLANNING
If the leaked information is known when the pre-planned path is computed, the finite-horizon shield is applied with h = 0. In this case, however, a security-aware path can be computed directly without using the finite-horizon shield. Thus, in this section, we consider the case where the leaked information is identified beforehand and compare the finite-horizon shield with security-aware planning.

A. SECURITY-AWARE PLANNING
We consider a security-aware planner that computes a path ρ s that satisfies the optional specification ϕ o as much as possible while satisfying the safety/co-safety specification ϕ s and the security policy ψ sp under the known leaked information. A security-aware planning problem has been considered in [34], but without optional specifications, which differs from our problem setting. The security-aware planner plays the roles of both the (non-secure) pre-planner, which determines the pre-planned path, and the finite-horizon shield, which guarantees the security policy. In other words, it finds a path ρ p that satisfies the path specification ϕ p = ϕ s ∧ ϕ o and simultaneously determines a path ρ s that is as close to ρ p as possible among the paths that satisfy ϕ s and ψ sp . For k ∈ {0, . . . , K max − 1}, the security-aware planner determines whether there exists a path ρ s whose closeness to ρ p is less than or equal to k. If not, it recomputes for k + 1. Let p = {π, π ′ } and = {π 1 } be sets of trace variables. Let V p : p → T p (H s , P) and V : → T (H s , P) be assignment functions. Then the security-aware planner solves the following problem.
Determine ρ s subject to ρ p , ρ s ∈ L(H s , P), where ϕ π indicates that the subscript of all atomic propositions in ϕ is π. Algorithm 2 shows the procedure for computing path ρ s in the security-aware planner. We now discuss the computation times of the finite-horizon shield (Algorithm 1) and the security-aware planning (Algorithm 2). Both algorithms are based on the satisfiability of quantified formulas, which is PSPACE-complete [56].
We first compare the numbers of variables used in both algorithms. While the numbers of variables used by the pre-planner and by Algorithm 1 are N pre and N Alg1 , shown in (14) and (13), respectively, the number used by Algorithm 2 is N pre + N Alg1 . Algorithm 1 divides the problem into two parts and solves them sequentially. Since QSAT problems are PSPACE-complete, the computation time of Algorithm 2 is expected to exceed that of Algorithm 1 as the size of the problem increases.
On the other hand, both algorithms are sound, that is, the paths they return satisfy the mandatory specifications (the safety/co-safety specification and the security policy), and their closeness to a path satisfying the optional specification is less than or equal to the parameter K max . Moreover, Algorithm 2 returns such a path whenever one exists, that is, Algorithm 2 is complete. In contrast, Algorithm 1 computes a pre-planned path ρ p that satisfies the mandatory specifications and outputs a path whose closeness to ρ s is less than or equal to K max . Thus, there is no guarantee that the finite-horizon shield always outputs a desired path even if one exists, that is, Algorithm 1 is not complete.
In summary, Algorithm 1 is useful for reducing the computation time but may fail to find a desired path even if one exists.

C. SIMULATION
We investigate the computation times of Algorithms 1 and 2 by simulation. Let task ⊂ P be a set of states and ϕ o = ♢task be the optional specification. TABLE 1 shows the times required to compute paths that guarantee the initial-state opacity using Algorithms 1 and 2, respectively. The simulations are performed with H p = H s for the same grid size. For grid sizes of 6 × 6, 7 × 7, and 8 × 8, Algorithm 2 takes less computation time than Algorithm 1. However, for grid sizes of 9 × 9 or larger, Algorithm 1 takes less computation time. As the size of the problem increases, Algorithm 1 becomes more efficient in terms of computation time. TABLE 2 shows how often the optional specification is satisfied. The notation x/y in TABLE 2 indicates that the optional specification is satisfied x times in y experiments. If there exists a path that satisfies the safety/co-safety specification, the optional specification, and the security policy, Algorithm 2 always returns it. Therefore, its probability of satisfying the optional specification is larger than that of Algorithm 1. TABLE 2 also shows the ratio n 1 /n 2 , where n 1 (resp. n 2 ) is the number of experiments for which Algorithm 1 (resp. Algorithm 2) returns a path satisfying ϕ o . We confirm that the ratio is around 0.8 regardless of the grid size. The results shown in TABLES 1 and 2 are obtained on a computer with a 3.4 GHz 16-core processor and 128 GB of RAM.

VII. CONCLUSION AND FUTURE WORK
We developed a finite-horizon shield that ensures that a finite trace satisfies hyperLTL H f specifications. This shield checks and modifies the finite trace. We expressed the requirement of the finite-horizon shield for hyperLTL H f formulas and proposed an algorithm that computes the output of the shield using an SMT solver. We then considered an opaque path planning problem in which a planner computes a pre-planned path that satisfies specifications including safety/co-safety properties as mandatory specifications. This path is modified as little as possible while satisfying the mandatory specifications and opacity. Simulations confirm that the modified path is suitable when an intruder exists.
Moreover, the finite-horizon shield is applicable for the case where the leaked information is known beforehand. Then, its computation time is less than that of the security-aware planning when the planning problems are sufficiently large.
In future work, we will extend the proposed finite-horizon shield for hyperproperties to other settings such as multi-agent systems or model predictive control [61]. Moreover, extensions to infinite-horizon planning problems such as surveillance problems are also interesting directions; one possibility is the use of lasso-type infinite paths. Another research direction is the construction of the shield using an automaton-game-based approach: by describing ω-regular specifications, it is possible to construct a shield that guarantees security for non-terminating systems such as web servers.
We modified a pre-planned path such that the distance between the modified path and the pre-planned path is less than or equal to a given constant. However, other kinds of modification are possible, such as revising the optional specification, and how to revise the specification so that the effect of the modification is as small as possible remains future work.

APPENDIX A ENCODING OF HyperLTL FORMULAS
In bounded model checking for hyperLTL, a problem is converted into a satisfiability problem of the QFs that encode the hyperLTL formulas [53]. We review the encodings of hyperLTL formulas using QFs. Consider a set of trace variables, , and an assignment function, V :