Initial-Value Privacy of Linear Dynamical Systems

We consider the following linear time-invariant (LTI) system

$${\begin{array}[]{rcl}\mathbf{x}_{t+1}&=&\mathbf{A}\,\mathbf{x}_{t}+\bm{\nu}_{t}\\ \mathbf{y}_{t}&=&\mathbf{C}\,\mathbf{x}_{t}+\bm{\omega}_{t}\end{array}}$$

(1)

for $t=0,1,\ldots$, where $\mathbf{x}_{t}\in\mathbb{R}^{n}$ is state, $\mathbf{y}_{t}\in\mathbb{R}^{m}$ is output, $\bm{\nu}_{t}\in\mathbb{R}^{n}$ is process noise, and $\bm{\omega}_{t}\in\mathbb{R}^{m}$ is measurement noise. Throughout this paper, we assume that $\bm{\nu}_{t}$ and $\bm{\omega}_{t}$ are random variables according to some zero-mean distributions, and $\textnormal{rank}\;(\mathbf{C})>0$.

In this paper, we suppose that initial values $\mathbf{x}_{0}$ are privacy-sensitive information for the system. Eavesdroppers having access to the output trajectory $(\mathbf{y}_{t})_{t=0}^{T}$ with $T\geq n-1$ attempt to infer the private initial values. To facilitate subsequent analysis, we denote the measurement vector $\mathbf{Y}_{t}=[\mathbf{y}_{T-t};\mathbf{y}_{T-t+1};\ldots;\mathbf{y}_{T}]$, the noise vectors $\mathbf{V}_{t}=[\bm{\nu}_{T-t};\bm{\nu}_{T-t+1};\ldots;\bm{\nu}_{T-1}]$ and $\mathbf{W}_{t}=[\bm{\omega}_{T-t};\bm{\omega}_{T-t+1};\ldots;\bm{\omega}_{T}]$, and let

$$\begin{array}[]{l}\mathbf{O}_{\textnormal{o}b}=\begin{bmatrix}\mathbf{C}\\ \mathbf{C}\mathbf{A}\\ \vdots\\ \mathbf{C}\mathbf{A}^{n-1}\end{bmatrix}\,,\quad\mathbf{O}_{t}=\begin{bmatrix}\mathbf{C}\\ \mathbf{C}\mathbf{A}\\ \vdots\\ \mathbf{C}\mathbf{A}^{t}\end{bmatrix}\,,\\ \mathbf{H}_{t}=\begin{bmatrix}0&0&\cdots&0&0\\ \mathbf{C}&0&\ddots&0&0\\ \mathbf{C}\mathbf{A}&\mathbf{C}&\ddots&0&0\\ \vdots&\ddots&\ddots&\ddots&\vdots\\ \mathbf{C}\mathbf{A}^{t-2}&\mathbf{C}\mathbf{A}^{t-3}&\ddots&\mathbf{C}&0\\ \mathbf{C}\mathbf{A}^{t-1}&\mathbf{C}\mathbf{A}^{t-2}&\cdots&\mathbf{C}\mathbf{A}&\mathbf{C}\end{bmatrix}\,.\end{array}$$

Here $\mathbf{O}_{\textnormal{o}b}$ is observability matrix, and $\mathbf{O}_{t}$ denotes extended observability matrix for $t\geq n$ and $\mathbf{H}_{t}$ is a lower block triangular Toeplitz matrix. Thus, the mapping from initial state $\mathbf{x}_{0}$ to the output trajectory $\mathbf{Y}_{T}$ as $\mathcal{M}:\mathbb{R}^{n}\rightarrow\mathbb{R}^{m(T+1)}$ can be described by

$${\mathbf{Y}_{T}=\mathcal{M}(\mathbf{x}_{0}):=\mathbf{O}_{T}\mathbf{x}_{0}+\mathbf{H}_{T}\mathbf{V}_{T}+\mathbf{W}_{T}\,.}$$

(2)

The system (1) may be implemented or run independently for multiple times with the same initial state $\mathbf{x}_{0}$. When all resulting output trajectories are eavesdropped, the eavesdropper may derive an estimate of $\mathbf{x}_{0}$ by statistical inference methods such as maximum likelihood estimation (MLE). The resulting estimate accuracy may converge to zero as the number of eavesdropped output trajectories converges to infinity, leading to initial-value privacy risks. In view of this, we consider a requirement that

• (R1)

  the initial values should not be uniquely recoverable by an eavesdropper having an infinite number of output trajectories.

To address the requirement (R1), we define intrinsic initial-value privacy as below.

In Definition 1, equality (3) indicates that there exist other values $\mathbf{x}^{\prime}_{0}$, yielding the same output trajectory distribution as that of the initial value $\mathbf{x}_{0}$. This in turn guarantees that the system preserving the intrinsic initial-value privacy satisfies the requirement (R1).

On the other hand, when a finite $N$ output trajectories are eavesdropped, the eavesdroppers may infer the initial values under which there is a probability of generating these output trajectories. In view of this, we consider a requirement that

• (R2)

  any inference about the true initial value from the eavesdroppers can be denied by supplying any value within a range to the inference with a similar probability of generating the eavesdropped $N$ output trajectories.

This property is referred to as plausible deniability in the literature [27]. With this in mind, we denote the eavesdropped output trajectories as $\mathbf{Y}_{T}^{1},\ldots,\mathbf{Y}_{T}^{N}$. The mapping from initial state $\mathbf{x}_{0}$ to $\mathbf{Y}_{T}^{1},\ldots,\mathbf{Y}_{T}^{N}$ is a concatenation of $N$ mappings $\mathcal{M}(\mathbf{x}_{0})$, i.e.,

$${\begin{bmatrix}\mathbf{Y}_{T}^{1}\cr\vdots\cr\mathbf{Y}_{T}^{N}\end{bmatrix}=\mathcal{M}^{N}(\mathbf{x}_{0}):=\begin{bmatrix}\mathcal{M}(\mathbf{x}_{0})\cr\vdots\cr\mathcal{M}(\mathbf{x}_{0})\end{bmatrix}\,.}$$

(4)

We then define differential initial-value privacy as below [9, 10].

In Definition 2, inequality (5) indicates that the system can plausibly deny any guess from the eavesdroppers having $N$ output trajectories, using any value from its $d$-adjacency. Namely, the system preserving the differential initial-value privacy satisfies the requirement (R2).

In this subsection, an illustrative example is presented to demonstrate the relation and practical difference between the above two types of privacy metrics.

• (a)

  Let output $\mathbf{y}_{t}=\mathbf{C}_{1}\mathbf{x}_{t}$ with $\mathbf{C}_{1}=\begin{bmatrix}1&1\end{bmatrix}$, and $\sigma_{2}=0$. We then obtain that

  $$\begin{array}[]{l}\mathbf{y}_{0}=x_{1,0}+x_{2,0}\,,\\ \mathbf{y}_{1}=\begin{bmatrix}1&1\end{bmatrix}\bm{\nu}_{0}\,.\end{array}$$

For system with the output in Case (a), it is clear that $\textnormal{pdf}\left(\mathbf{Y}_{T}|\mathbf{x}_{0}\right)=\textnormal{pdf}\left(\mathbf{Y}_{T}|\mathbf{x}^{\prime}_{0}\right)$ for all $\mathbf{x}_{0}^{\prime}=[x_{1,0}^{\prime};x_{2,0}^{\prime}]$ satisfying $x_{1,0}^{\prime}+x_{2,0}^{\prime}=x_{1,0}+x_{2,0}$. This indicates that intrinsic initial-value privacy is preserved.

Regarding the differential privacy of initial values, we observe that $\mathbf{y}_{0}$ is deterministic. By choosing any $\mathbf{x}_{0}^{\prime}$ from $1$-adjacency of $\mathbf{x}_{0}$ such that $x_{1,0}^{\prime}+x_{2,0}^{\prime}\neq x_{1,0}+x_{2,0}$, the inequality (5) is not satisfied for any $\epsilon>0,0.5>\delta>0$, which implies that the system does not preserve the differential privacy.

• (b)

  Let output $\mathbf{y}_{t}=\mathbf{C}_{2}\mathbf{x}_{t}$ with $\mathbf{C}_{2}=\begin{bmatrix}1&0\end{bmatrix}$, and $\sigma_{1}=\sigma_{2}=1$. We then obtain that

  $$\begin{array}[]{l}\mathbf{y}_{0}=x_{1,0}+\bm{\omega}_{0}\,,\\ \mathbf{y}_{1}=x_{2,0}+\begin{bmatrix}1&0\end{bmatrix}\bm{\nu}_{0}+\bm{\omega}_{1}\,.\end{array}$$

If an infinite number of output trajectories were eavesdropped, then the eavesdroppers could obtain the expectations of $\mathbf{y}_{0},\mathbf{y}_{1}$, denoted by $\mathbb{E}(\mathbf{y}_{0}),\mathbb{E}(\mathbf{y}_{1})$. The initial values $x_{1,0},x_{2,0}$ then can be uniquely recovered by $x_{1,0}=\mathbb{E}(\mathbf{y}_{0})$ and $x_{2,0}=\mathbb{E}(\mathbf{y}_{1})$, leading to loss of intrinsic initial-value privacy. Though it is impossible to eavesdrop an infinite number of output trajectories, we note that the eavesdroppers may obtain a large number of output trajectories, by which the initial values can be accurately inferred. To address this issue, we realize the system for $10^{4}$ times and use the MLE method. The resulting estimate of $\mathbf{x}_{0}$ is $[2.0038;0.9920]$, leading to loss of the intrinsic initial-value privacy as well. In view of this, the privacy requirement (R1) and Definition 1 are of practical significance.

Regarding the differential privacy, we let $\mathbf{y}_{1}=2,\mathbf{y}_{2}=2$ be the eavesdropped output trajectory, and $\hat{\mathbf{x}}_{0}=[1.5;1.8]$ be a guess from the eavesdroppers. The system then denies this guess by stating that for example $\|\mathbf{x}_{0}-\hat{\mathbf{x}}_{0}\|>0.5$. To verify whether this deny is plausible, the eavesdroppers thus compute $\textnormal{pdf}(\mathbf{Y}_{T}|\mathbf{x}_{0})$ and $\textnormal{pdf}(\mathbf{Y}_{T}|\mathbf{x}_{0}^{\prime})$ with any value $\mathbf{x}_{0}^{\prime}=[1;1.2]$ satisfying $\|\mathbf{x}_{0}^{\prime}-\hat{\mathbf{x}}_{0}\|>0.5$, and find $\textnormal{pdf}(\mathbf{Y}_{T}|\mathbf{x}_{0})\leq e^{0.6}\textnormal{pdf}(\mathbf{Y}_{T}|\mathbf{x}_{0}^{\prime})$. In this way, the system has gained plausible deniability measured by $\delta=0.48$ and $\epsilon=0.6$. On the other hand, we randomly choose four adjacent initial values $\bar{\mathbf{x}}_{0}=[1.4;1.7],\bar{\mathbf{x}}_{0}^{\prime}=[1.6;1.8],\hat{\mathbf{x}}_{0}=[1.5;1.9],\hat{\mathbf{x}}_{0}^{\prime}=[1.3;2]$. The resulting distributions of $\mathbf{y}_{0},\mathbf{y}_{1}$ under these initial values $\bar{\mathbf{x}}_{0},\bar{\mathbf{x}}_{0}^{\prime},\hat{\mathbf{x}}_{0},\hat{\mathbf{x}}_{0}^{\prime}$ are presented in Figures 1 and 2. From Figures 1 and 2, it can be seen that the resulting probabilities of output trajectory $\mathbf{Y}_{T}$ at any set are similar. This thus can imply that the system in Case (b) preserves the differential privacy of initial values.

In view of the previous analysis for Cases (a) and (b), we can see that neither the intrinsic initial-value privacy implies the differential initial-value privacy, nor the differential initial-value privacy implies the intrinsic initial-value privacy. Therefore, both privacy metrics in Definitions 1 and 2 are mutually neither inclusive nor exclusive. $\blacksquare$

Of relevance to our paper are recent works [15, 17, 16]. In [15], the considered linear dynamical systems take the form

$$\begin{array}[]{rcl}\mathbf{x}_{t+1}&=&\mathbf{A}\,\mathbf{x}_{t}+\mathbf{B}\bm{\omega}_{t}\\ \mathbf{y}_{t}&=&\mathbf{C}\,\mathbf{x}_{t}+\mathbf{D}\bm{\omega}_{t}\\ \mathbf{z}_{t}&=&\mathbf{L}\,\mathbf{x}_{t}\end{array}$$

where $\mathbf{z}_{t}$ is a signal to be estimated, and the problem is to design a filter

$${\begin{array}[]{rcl}\hat{\mathbf{x}}_{t+1}&=&\mathbf{F}\,\hat{\mathbf{x}}_{t}+\mathbf{G}\,\mathbf{y}_{t}\\ \hat{\mathbf{z}}_{t}&=&\mathbf{H}\,\hat{\mathbf{x}}_{t}+\mathbf{K}\,\mathbf{y}_{t}+\bm{\nu}_{t}\end{array}}$$

(7)

with filter output $\hat{\mathbf{z}}_{t}$, for the purpose of obtaining an optimal mean squared error between $\mathbf{z}_{t}$ and $\hat{\mathbf{z}}_{t}$, while preserving the differential privacy of system state trajectory $\mathbf{X}_{T}=(x_{t})_{t=0}^{T}$, with the initial state considered in this paper as a particular case. Despite of this, we note that our framework can be extended to the scenario where $\mathbf{X}_{T}$ are sensitive, which will be explicitly addressed in Remark 5. On the other hand, in [15], the eavesdropped information is a filter output trajectory $\widehat{\mathbf{Z}}_{T}=(\hat{\mathbf{z}}_{t})_{t=0}^{T}$, that is different from our paper where the eavesdroppers can directly measure system outputs. To address the desired privacy concerns, [15] studies the differential privacy of a composite mapping $\widehat{\mathbf{Z}}_{T}=\mathcal{M}_{f}(\mathbf{X}_{T}):=\mathcal{M}_{2}\circ\mathcal{M}_{1}(\mathbf{X}_{T})$, the mapping $\mathbf{Y}_{T}=(\mathbf{I}_{T+1}\otimes C)\mathbf{X}_{T}+\mathbf{W}_{T}$ and the mapping $\widehat{\mathbf{Z}}_{T}=\mathcal{M}_{2}(\mathbf{Y}_{T})$ is defined over the filter dynamics (7). This is different mechanism compared to our mapping (4).

In [17] a cloud-based linear quadratic regulation problem is studied for systems of the form

$$\begin{array}[]{rcl}\mathbf{x}_{t+1}&=&\mathbf{A}\,\mathbf{x}_{t}+\mathbf{B}\,\mathbf{u}_{t}+\bm{\nu}_{t}\\ \mathbf{y}_{t}&=&\mathbf{C}\,\mathbf{x}_{t}+\bm{\omega}_{t}\\ \end{array}$$

where the outputs $\mathbf{y}_{t}$ are transmitted to the cloud for an optimal control, having the form

$$\begin{array}[]{rcl}\bar{\mathbf{x}}_{t+1}&=&\mathbf{F}\,\bar{\mathbf{x}}_{t}+\mathbf{G}\,\mathbf{y}_{t}\\ \mathbf{u}_{t}&=&\mathbf{H}\,\bar{\mathbf{x}}_{t}\,.\end{array}$$

The privacy issue of interest is to protect privacy of the state trajectory $\mathbf{X}_{T}$, against the eavesdroppers having access to the transmitted information consisting of $\mathbf{y}_{t},\mathbf{u}_{t}$ by cyber attack. To address the state-trajectory privacy, [17] studies the differential privacy of the mapping $\mathbf{Y}_{T}=\mathcal{M}_{y}(\mathbf{X}_{T}):=(\mathbf{I}_{T+1}\otimes C)\mathbf{X}_{T}+\mathbf{W}_{T}$. Therefore, again this is different mechanism compared to our mapping (4).

In [16], the authors consider a control system

$$\begin{array}[]{rcl}\mathbf{x}_{t+1}&=&\mathbf{A}\,\mathbf{x}_{t}+\mathbf{B}\,(\mathbf{u}_{t}+\bm{\nu}_{t})\\ \mathbf{y}_{t}&=&\mathbf{C}\,\mathbf{x}_{t}+\mathbf{D}\,(\mathbf{u}_{t}+\bm{\nu}_{t})+\bm{\omega}_{t}\,,\end{array}$$

where $\bm{\nu}_{t},\bm{\omega}_{t}$ are injected input and measurement noise for privacy protection, and to achieve the desired control objective, the control input $\mathbf{u}_{t}$ is designed as a form

$${\begin{array}[]{rcl}\bar{\mathbf{x}}_{t+1}&=&\mathbf{F}\,\bar{\mathbf{x}}_{t}+\mathbf{G}\,\mathbf{y}_{t}\\ \mathbf{u}_{t}&=&\mathbf{H}\,\bar{\mathbf{x}}_{t}+\mathbf{L}\,\mathbf{y}_{t}\,.\end{array}}$$

(8)

The eavesdroppers having access to an output trajectory $\mathbf{Y}_{T}$ through cyber attack attempt to infer control inputs $\mathbf{u}_{t}$ and initial values $\mathbf{x}_{0}$. In this setting, [16] studies the differential privacy of a mapping from $\big{(}(\mathbf{u}_{t})_{t=0}^{T},x_{0}\big{)}$ to $\mathbf{Y}_{T}$ over the $\mathbf{x}_{t}$-dynamics. Compared to our mapping (4), the considered mapping in [16] is similar in the sense that both are established over the $\mathbf{x}_{t}$-dynamics, while is different in the sense that there are $N$ output trajectories and no control input in our mapping (4).

In addition to the previous distinctions, we note that this paper also studies privacy issues when an infinite number of output trajectories are eavesdropped, while it is absent in [15, 17, 16]. This extra study benefits us to understand whether the initial-value privacy can be preserved if the eavesdroppers have obtained a large number of output trajectories.

It is noted that in Definition 1 regarding intrinsic initial-value privacy, the initial state vector $\mathbf{x}_{0}$ is considered as a whole, and we suppose that the eavesdroppers have no prior knowledge of any individual initial values. In the following, we present several definitions that refine the notion in Definition 1 to dynamical networked systems (1) by studying intrinsic privacy of individual initial values, i.e., $x_{i,0}$, against eavesdroppers having knowledge of the whole sensor measurements (i.e., $\mathbf{y}_{t}$) and initial values of some network nodes. For convenience, we term the set of nodes whose initial values are prior knowledge to eavesdroppers as a public disclosure set.

Let $l=|{\mathrm{P}}|$ and ${\mathrm{P}}=\{p_{1},\ldots,p_{l}\}\subset\mathrm{V}$. Define $\bar{{\mathrm{P}}}:=\{\bar{p}_{1},\ldots,\bar{p}_{n-l}\}=\mathrm{V}\backslash{\mathrm{P}}$. For convenience, we further let $\mathbf{E}_{\mathrm{P}}=[\mathbf{e}_{p_{1}},\ldots,\mathbf{e}_{p_{l}}]\in\mathbb{R}^{n\times l}$ and $\mathbf{E}_{\bar{{\mathrm{P}}}}=[\mathbf{e}_{\bar{p}_{1}},\ldots,\mathbf{e}_{\bar{p}_{n-l}}]\in\mathbb{R}^{n\times(n-l)}$, and $\mathbf{K}_{j}^{ob}$ be the $j$-the column of matrix $\mathbf{O}_{ob}$.

In Theorem 2, explicit rank conditions are proposed to determine whether the intrinsic initial-value privacy of individual nodes is preserved, with respect to any given public disclosure set ${\mathrm{P}}$. On the other hand, for a networked system, one may naturally ask what is the maximum allowable disclosure such that there always exists at least one node whose initial-value privacy is preserved. To address this issue, the network privacy index is introduced below.

Firstly, suppose the eavesdroppers have no prior knowledge of initial values of any nodes, i.e., ${\mathrm{P}}=\emptyset$. We observe that $\textnormal{rank}\;(\mathbf{O}_{ob})=17$. According to Proposition 2, this indicates that the network privacy index ${\mathbf{I}_{rp}}=2$. Moreover, for all $i\in\mathrm{V}\backslash\{8,18\}$, there holds

$$\textnormal{rank}\;\left(\begin{bmatrix}\mathbf{O}_{ob}\cr\mathbf{e}_{i}^{\top}\end{bmatrix}\right)=18\,.$$

According to Theorem 2, this indicates that the networked system preserves intrinsic initial-value privacy of all $i\in\mathrm{V}\backslash\{8,18\}$.

Let the public disclosure set ${\mathrm{P}}=\{1,2,7\}$. Taking into account the intrinsic initial-value privacy of individual nodes, we note that

$$\textnormal{rank}\;\left(\begin{bmatrix}\mathbf{O}_{ob}\cr\mathbf{E}_{{\mathrm{P}}}\end{bmatrix}\right)=19\,,\quad\textnormal{rank}\;\left(\begin{bmatrix}\mathbf{O}_{ob}\cr\mathbf{E}_{{\mathrm{P}}}\cr\mathbf{e}_{i}^{\top}\end{bmatrix}\right)=20\,$$

for all $i\in\{3,5,6,9,10,11,12,13,14,16,17\}$. This verifies statement $c)$ and thus indicates that the networked system preserves intrinsic initial-value privacy of all nodes $i\in\{3,5,6,9,10,11,12,13,14,16,17\}$, even if the initial states of nodes $1,2,7$ are public. $\blacksquare$

In the previous subsection, the intrinsic initial-value privacy of individual nodes w.r.t. the public disclosure set ${{\mathrm{P}}}$ of networked systems (1) is studied, and a network privacy index $\mathbf{I}_{rp}$ is proposed to quantify the privacy of networked system (1). In the following, we turn to study the effect of network structure $(\mathrm{G},\mathrm{G}_{\textnormal{S}})$ to the intrinsic privacy and the network privacy index. To be precise, we demonstrate that these properties are indeed generic, i.e., are fulfilled for almost all edge weights under any network structure $(\mathrm{G},\mathrm{G}_{\textnormal{S}})$.

Theorem 3 demonstrates that given any network structure $(\mathrm{G},\mathrm{G}_{\textnormal{S}})$ and ${{\mathrm{P}}}\subset\mathrm{V}$, the intrinsic initial-value privacy of node $i$ is either preserved or lost generically. We note that if there exists a configuration $(\mathbf{A},\mathbf{C})$ complying with $(\mathrm{G},\mathrm{G}_{\textnormal{S}})$ such that the intrinsic initial-value privacy of node $i$ is preserved (or lost), there is no guarantee that such property is preserved (or lost) generically. This is different from other common generic properties like structural controllability [34], for which if there exists a configuration such that a linear system is controllable, then it must be controllable for almost all configurations, i.e., structurally controllable. To have a better view of this, the following examples are formulated.

However, by letting the configuration $(\mathbf{A},\mathbf{C})$ be such that $c_{11}a_{23}=c_{13}a_{21}$, simple calculations show that $\textnormal{pdf}\left(\mathbf{Y}_{T}|\mathbf{x}_{0}\right)=\textnormal{pdf}\left(\mathbf{Y}_{T}|\mathbf{x}^{\prime}_{0}\right)$ holds for any $\mathbf{x}_{0},\mathbf{x}_{0}^{\prime}$ with $x_{1,0}\neq x_{1,0}^{\prime}$ and $c_{13}(x_{3,0}^{\prime}-x_{3,0})=c_{11}(x_{1,0}-x_{1,0}^{\prime})$. According to Definition 3, this indicates that the intrinsic initial-value privacy of node 1 is preserved under the configuration $(\mathbf{A},\mathbf{C})$ satisfying $c_{11}a_{23}=c_{13}a_{21}$.

Thus, even if there exists a configuration such that the intrinsic initial-value privacy of node $i$ is preserved, this property may still be lost generically. This validates the statement (i) of Theorem 3. $\blacksquare$

However, by letting the configuration $(\mathbf{A},\mathbf{C})$ be such that $c_{13}a_{11}a_{22}+c_{11}a_{12}a_{23}=0$ and $c_{11}a_{14}a_{22}\neq 0$, it can be seen that there exists no $\eta_{j}$’s such that the matrix equations (12) holds for any $x_{4,0}\neq x_{4,0}^{\prime}$, and

$$(a_{22}+a_{11})\mathbf{y}_{1}-a_{11}a_{22}\mathbf{y}_{0}-\mathbf{y}_{2}=c_{11}a_{14}a_{22}x_{4,0}+g(\mathbf{W}_{T},\mathbf{V}_{T})$$

with $g(\mathbf{W}_{T},\mathbf{V}_{T})$ being some function of noise vectors $\mathbf{W}_{T},\mathbf{V}_{T}$. This immediately yields $\textnormal{pdf}\left(\mathbf{Y}_{T}|\mathbf{x}_{0}\right)\neq\textnormal{pdf}\left(\mathbf{Y}_{T}|\mathbf{x}^{\prime}_{0}\right)$ for all $\mathbf{x}_{0},\mathbf{x}_{0}^{\prime}$ with $x_{4,0}\neq x_{4,0}^{\prime}$. By Definition 3, this indicates that the intrinsic initial-value privacy of node 4 is lost under the configuration $(\mathbf{A},\mathbf{C})$ satisfying $c_{13}a_{11}a_{22}+c_{11}a_{12}a_{23}=0$ and $c_{11}a_{14}a_{22}\neq 0$.

Thus, even if there exists a configuration such that the intrinsic initial-value privacy of node $i$ is lost, such property may still be preserved generically. This is consistent with the statement (ii) of Theorem 3. $\blacksquare$

Denote the maximal rank of $\mathbf{O}_{ob}\mathbf{E}_{\bar{{\mathrm{P}}}}$ over the matrix pairs $(\mathbf{A},\mathbf{C})$ that comply with the network structure $(\mathrm{G},\mathrm{G}_{\textnormal{S}})$ as $n_{\rm P}^{ob}$. By Lemma 2 in Appendix E, it is noted that $\textnormal{rank}\;(\mathbf{O}_{ob}\mathbf{E}_{\bar{{\mathrm{P}}}})=n_{\rm P}^{ob}$ holds for almost all configurations $(\mathbf{A},\mathbf{C})$ complying with the network structure $(\mathrm{G},\mathrm{G}_{\textnormal{S}})$. We now present a practical verification approach of the intrinsic initial-value privacy of a node $i$ over the network structure $(\mathrm{G},\mathrm{G}_{\textnormal{S}})$.

Let the entries of $\mathbf{A}$ and $\mathbf{C}$ be generated independently and randomly according to the uniform distribution over the interval $[0,1]$, and complying with the structure $(\mathrm{G},\mathrm{G}_{\textnormal{S}})$. We introduce the following three conditions:

• ($C1$)

  $\textnormal{rank}\;\left(\begin{bmatrix}\mathbf{O}_{ob}\cr\mathbf{e}_{i}^{\top}\end{bmatrix}\mathbf{E}_{\bar{{\mathrm{P}}}}\right)=n_{\rm P}^{ob}+1$.

• ($C2$)

  $\textnormal{rank}\;\left([\mathbf{K}_{i_{1}}^{\textnormal{o}b},\mathbf{K}_{i_{2}}^{\textnormal{o}b},\ldots,\mathbf{K}_{i_{n-l-1}}^{\textnormal{o}b}]\right)=n_{\rm P}^{ob}$ with $\{i_{1},i_{2},\ldots,i_{n-l-1}\}=\mathrm{V}\backslash({\mathrm{P}}\cup\{i\})$.

• ($C3$)

  $\textnormal{rank}\;\left(\begin{bmatrix}\mathbf{O}_{ob}\cr\mathbf{E}_{\mathrm{P}}^{\top}\cr\mathbf{e}_{i}^{\top}\end{bmatrix}\right)=n_{\rm P}^{ob}+l+1.$