Authorized licensed use limited to: VSB Engineering College. Downloaded on July 14,2010 at 07:46:49 UTC from IEEE Xplore. Restrictions apply.
$$y(i) = \sum_{j=0}^{\tau} A_j\, x(i-j), \qquad i = 0,1,2,\ldots \qquad (1)$$

$M_l$ is a $\tau$-input memory finite automaton, where $\langle x(-1), x(-2), \ldots, x(-\tau)\rangle$ is the initial state.

In equation (1) $A_j$ ($j = 0,1,2,\ldots,\tau$) is an $l \times l$ coefficient matrix; these matrices uniquely determine the finite automaton M. Operations in (1) are the usual addition and multiplication over GF(2).

The finite automaton $M_l$ is a WIFA with delay $\tau$ if and only if the collection of matrices $A_0^{-1}, A_1^{-1}, \ldots, A_\tau^{-1}, \tilde A_1, \ldots, \tilde A_\tau$ can be derived from the collection of $A_j$ ($j = 0,1,2,\ldots,\tau$) [3] such that
$$x(i) = \sum_{j=0}^{\tau} A_j^{-1}\, y(i+j) + \sum_{j=1}^{\tau} \tilde A_j\, x(i-j), \qquad i = 0,1,2,\ldots \qquad (2)$$

For any initial state $s = \langle x(-1), x(-2), \ldots, x(-\tau)\rangle$ of $M_l$ and for any input sequence $x(0), x(1), \ldots, x(n+\tau) \in X$, if $y(0)y(1)\ldots y(n+\tau) = \lambda(x(0)x(1)\ldots x(n+\tau))$, then $x(0), x(1), \ldots, x(n)$ can be calculated one by one from (2). Hence, the automaton defined by equation (2) specifies the weak inverse with delay $\tau$ of $M_l$.

2.2. Nonlinear WIFA

A nonlinear automaton is of the form $M_{nl} = \langle X, Y, S_{nl}, \delta_{nl}, \lambda_{nl}\rangle$, where X is the input alphabet, Y is the output alphabet, $S_{nl}$ is the state alphabet, $\delta_{nl}: S_{nl} \times F(X) \to S_{nl}$ is the transition function and $\lambda_{nl}: S_{nl} \times F(X) \to Y$ is the output function. X and Y are l-dimensional linear spaces over GF(2) = {0,1} and F(X) is a function introducing a nonlinear operation $\circ$ defined over GF(2) [3]. The definition formula of $M_{nl}$ is
$$y(i) = \sum_{j=0}^{r} B_j\, x(i-j) + \sum_{j=1}^{r-1} \tilde B_j\, x(i-j) \circ x(i-j-1), \qquad i = 0,1,2,\ldots \qquad (3)$$
where $B_j$ ($j = 0,1,2,\ldots,r$) and $\tilde B_j$ ($j = 1,2,\ldots,r-1$) are $l \times l$ coefficient matrices over GF(2), and $B_0$ is an invertible matrix.

The $M_{nl}$ defined by equation (3) is an r-input memory finite automaton. As $B_0^{-1}$ exists, the definition formula of $M_{nl}^{-1}$ will be
$$x(i) = B_0^{-1}\Big(y(i) + \sum_{j=1}^{r} B_j\, x(i-j) + \sum_{j=1}^{r-1} \tilde B_j\, x(i-j) \circ x(i-j-1)\Big), \qquad i = 0,1,2,\ldots \qquad (4)$$

The r-output memory automaton $M_{nl}^{-1}$ is a weak inverse with delay 0 of $M_{nl}$. For any initial state $s = \langle x(-1), x(-2), \ldots, x(-r)\rangle$ of $M_{nl}$ there exists a state $s'$ of $M_{nl}^{-1}$ such that $\lambda'_{nl}(s', \lambda_{nl}(s, x)) = x$, where $s'$ is the match state of $s$ and is also defined by $\langle x(-1), x(-2), \ldots, x(-r)\rangle$.

2.3. FAPKC design principles

The finite automata public key cryptosystem works in the following way:

1. First construct two automata $M_{nl}$ and $M_l$ as defined above.

2. Construct the composition automaton $M = M_{nl} M_l$ by substituting (1) into (3). The definition formula of M will be:
$$z(i) = \sum_{t=0}^{\tau} A_t \Big( \sum_{j=0}^{r} B_j\, x(i-j-t) + \sum_{j=1}^{r-1} \tilde B_j\, x(i-j-t) \circ x(i-j-t-1) \Big), \qquad i = 0,1,2,\ldots \qquad (5)$$
Each state $s = \langle x(-1), x(-2), \ldots, x(-r-\tau)\rangle$ of $M = M_{nl} M_l$ is equivalent to the state $\langle s_{nl}, s_l\rangle$, where $s_{nl} = \langle x(-1), x(-2), \ldots, x(-r)\rangle$ is a state of $M_{nl}$ and $s_l = \langle y(-1), y(-2), \ldots, y(-\tau)\rangle$ is a state of $M_l$. Equation (5) can be simplified as follows:
$$z(i) = \sum_{j=0}^{r+\tau} C_j\, x(i-j) + \sum_{j=1}^{r+\tau-1} \tilde C_j\, x(i-j) \circ x(i-j-1), \qquad i = 0,1,2,\ldots \qquad (6)$$
where
$$C_j = \sum_{t=0}^{\tau} A_t B_{j-t} \quad (j = 0,\ldots,r+\tau), \qquad \tilde C_j = \sum_{t=0}^{\tau} A_t \tilde B_{j-t} \quad (j = 1,\ldots,r+\tau-1),$$
with $B_k$ and $\tilde B_k$ taken as zero outside their index ranges, are $l \times l$-dimensional matrix polynomials over GF(2), uniquely determining the finite automaton M. The automaton M is made public.

3. Construct the inverse automata $M_{nl}^{-1}$, $M_l^{-1}$ as defined above and keep them secret.

4. First choose a sequence $x(m+1)x(m+2)\ldots x(m+\tau)$ arbitrarily to encrypt the plaintext $x(0)x(1)\ldots x(m)$. Then input the plaintext $x(0)x(1)\ldots x(m+\tau)$ into $M = M_{nl} M_l$ with initial state s. The output $z(0)z(1)\ldots z(m+\tau)$ is the ciphertext.

5. To decrypt $z(0)z(1)\ldots z(m+\tau)$, first $M_l^{-1}$ and the initial state $s_l$ are used to obtain $y(0)y(1)\ldots y(m)$.
Then $y(0)y(1)\ldots y(m)$ is supplied into $M_{nl}^{-1}$ with initial state $s_{nl}$ to obtain $x(0)x(1)\ldots x(m)$ as the output.

The described FAPKC can be broken by
1) solving the nonlinear equation (4) over GF(2);
2) exhaustive searching from the end of the plaintext to the beginning [5].
Breaking techniques and methods to prevent them are presented in the chapters below.

3. Chosen plaintext attack

The weakness of FAPKC against the chosen plaintext attack is conditioned by the usage of a nonlinear WIFA with delay 0 and a linear WIFA with delay $\tau$. The chosen plaintext attack on FAPKC is reduced to the problem of solving a system of nonlinear equations (6) over GF(2), which is known to be very hard if the number of its arguments is large. To increase the number of arguments in (6), the delay $\tau$ of the encryption automaton is increased. The delay $\tau$ of the encryption automaton is $\tau = 0 + \tau$, where 0 is the delay value of the nonlinear component automaton and $\tau$ is the delay value of the linear component automaton.

The first way to increase the encryption automaton delay $\tau$ is to change the nonlinear component automaton into a WIFA with delay $\tau_1$. The second way is to make the component linear WIFA automaton's delay longer by adding new states to its state alphabet.

$$z(i) = \sum_{j=0}^{r+\tau} C_j\, x(i-j) + \sum_{j=1}^{r+2\tau} \tilde C_j\, x(i-j) \circ x(i-j-\tau), \qquad i = 0,1,2,\ldots \qquad (8)$$

3.2. Linear WIFA modification

New states can be added between any two states to obtain a longer delay for the linear automaton $M_l$. The resultant automaton has to be equivalent to the source automaton according to Definition 1.

Definition 1. Let $M_1 = \langle X, Y, S_1, \delta_1, \lambda_1\rangle$ and $M_2 = \langle X, Y, S_2, \delta_2, \lambda_2\rangle$ be a pair of automata. States $s_1 \in S_1$ and $s_2 \in S_2$ are said to be equivalent if for any $x(0)x(1)\ldots x(m)$, such that $x(0)x(1)\ldots x(m) \in X$,
$$\lambda_1(s_1, x(0), x(1), \ldots, x(m)) = \lambda_2(s_2, x(0), x(1), \ldots, x(m)).$$
Finite automata $M_1$ and $M_2$ are said to be equivalent if for any state $s_1 \in S_1$ there exists a state $s_2 \in S_2$ equivalent to $s_1$, and for any $s_2 \in S_2$ there exists $s_1 \in S_1$ equivalent to $s_2$.

Figure 3 shows a pair of equivalent automata with a different number of states.

[Figure 3: state diagrams of two equivalent automata, A and B, with different numbers of states; transitions are labelled input (output), with the labels 0 (0), 0 (1), 1 (0) and 1 (1) visible.]
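The construction of sections 2.1 to 2.3 and the state equivalence of Definition 1, as an added worked example in Python (this is not the paper's code and not an implementation by its authors). It assumes toy sizes l = 4, r = 3, tau = 2, takes the nonlinear operation $\circ$ to be component-wise AND, and builds the linear component $M_l$ in one specific way (each input coordinate delayed by 0, 1 or 2 steps, then mixed by an invertible matrix P) so that its weak inverse with delay tau has the form of equation (2) with all $\tilde A_j = 0$; as a consequence, $M_l^{-1}$ here needs no initial state. All function names (`run_nl`, `run_public`, `split_state`, `equivalent_up_to`, `encrypt`, `decrypt`) are this example's own. It derives the public matrices $C_j$, $\tilde C_j$ of equation (6) from the secret $A_t$, $B_j$, $\tilde B_j$, runs steps 4 and 5 of section 2.3, and checks the claim that a state s of M and the pair state $\langle s_{nl}, s_l\rangle$ are equivalent in the sense of Definition 1 on every input word up to a chosen length (a bounded check, not a proof over all words):

```python
# Added example (not the paper's code): a toy FAPKC over GF(2) with l = 4, r = 3, tau = 2.
import random
from functools import reduce
from itertools import product
from operator import xor

L, R, TAU = 4, 3, 2                  # l, r and tau of the paper; toy sizes chosen here
rng = random.Random(2024)            # fixed seed so the run is reproducible
AND = lambda a, b: a & b             # the nonlinear operation "o": component-wise AND (assumption)
xsum = lambda it: reduce(xor, it, 0) # sum over GF(2) of l-bit vectors (ints)

# An l x l matrix over GF(2) is a list of L row-ints; bit k of row i is entry (i, k).
def mv(M, v):                        # matrix-vector product M v
    return sum(((bin(M[i] & v).count("1") & 1) << i) for i in range(L))

def mm(X, Y):                        # matrix product X Y
    return [xsum(Y[k] for k in range(L) if row >> k & 1) for row in X]

def minv(M):                         # Gauss-Jordan on [M | I]; ValueError if M is singular
    rows = [M[i] | (1 << (L + i)) for i in range(L)]
    for c in range(L):
        p = next((i for i in range(c, L) if rows[i] >> c & 1), None)
        if p is None:
            raise ValueError("singular matrix")
        rows[c], rows[p] = rows[p], rows[c]
        rows = [r ^ rows[c] if i != c and r >> c & 1 else r for i, r in enumerate(rows)]
    return [r >> L for r in rows]

def rand_mat(invertible=False):      # random l x l matrix, optionally rejection-sampled to be invertible
    while True:
        M = [rng.getrandbits(L) for _ in range(L)]
        if not invertible:
            return M
        try:
            minv(M)
            return M
        except ValueError:
            pass

# Secret nonlinear component M_nl, eq. (3): B_0..B_r (B_0 invertible) and Bt_1..Bt_{r-1}.
B = [rand_mat(True)] + [rand_mat() for _ in range(R)]
Bt = [None] + [rand_mat() for _ in range(R - 1)]
B0INV = minv(B[0])
# Secret linear component M_l, eq. (1), built so that its weak inverse with delay tau (eq. 2)
# is explicit: coordinate k of the input is delayed d[k] steps, then mixed by an invertible P.
P, d = rand_mat(True), [0, 1, 2, 1]
D = [[(1 << k) if d[k] == t else 0 for k in range(L)] for t in range(TAU + 1)]
A = [mm(P, D[t]) for t in range(TAU + 1)]            # A_t: output z(i) = sum_t A_t y(i-t)
AINV = [mm(D[t], minv(P)) for t in range(TAU + 1)]   # the A_t^{-1} of eq. (2); the tilde-A_j vanish

def run_nl(s_nl, x_seq):             # M_nl from s_nl = [x(-1), ..., x(-r)]; returns y(0), y(1), ...
    xs = list(reversed(s_nl)) + list(x_seq); x = lambda k: xs[k + R]
    return [xsum(mv(B[j], x(i - j)) for j in range(R + 1))
            ^ xsum(mv(Bt[j], AND(x(i - j), x(i - j - 1))) for j in range(1, R))
            for i in range(len(x_seq))]

def run_nl_inv(s_nl, y_seq):         # M_nl^{-1}, eq. (4): delay 0, started from the same s_nl
    xs = list(reversed(s_nl)); x = lambda k: xs[k + R]
    for i, y in enumerate(y_seq):
        acc = y ^ xsum(mv(B[j], x(i - j)) for j in range(1, R + 1)) \
                ^ xsum(mv(Bt[j], AND(x(i - j), x(i - j - 1))) for j in range(1, R))
        xs.append(mv(B0INV, acc))
    return xs[R:]

def run_l(s_l, y_seq):               # M_l from s_l = [y(-1), ..., y(-tau)], fed with the y sequence
    ys = list(reversed(s_l)) + list(y_seq); y = lambda k: ys[k + TAU]
    return [xsum(mv(A[t], y(i - t)) for t in range(TAU + 1)) for i in range(len(y_seq))]

def run_l_inv(z_seq):                # M_l^{-1}, eq. (2): y(i) needs z(i..i+tau), so the last tau outputs are lost
    return [xsum(mv(AINV[t], z_seq[i + t]) for t in range(TAU + 1)) for i in range(len(z_seq) - TAU)]

def compose(Bs):                     # C_j = sum_{t=0}^{tau} A_t B_{j-t}, with B_k = 0 outside Bs
    Cs = []
    for j in range(len(Bs) + TAU):
        terms = [mm(A[t], Bs[j - t]) for t in range(TAU + 1) if 0 <= j - t < len(Bs) and Bs[j - t]]
        Cs.append([xsum(rows) for rows in zip(*terms)] if terms else [0] * L)
    return Cs
C, Ct = compose(B), compose(Bt)      # public key, eq. (6): C_0..C_{r+tau} and Ct_1..Ct_{r+tau-1} (Ct[0] = 0)

def run_public(s, x_seq):            # the public automaton M, eq. (6), from s = [x(-1), ..., x(-r-tau)]
    xs = list(reversed(s)) + list(x_seq); x = lambda k: xs[k + R + TAU]
    return [xsum(mv(C[j], x(i - j)) for j in range(R + TAU + 1))
            ^ xsum(mv(Ct[j], AND(x(i - j), x(i - j - 1))) for j in range(1, R + TAU))
            for i in range(len(x_seq))]

def split_state(s):                  # the pair state <s_nl, s_l> equivalent to s (section 2.3)
    hist = list(reversed(s))                              # x(-r-tau), ..., x(-1)
    y_pre = run_nl(list(reversed(hist[:R])), hist[R:])    # y(-tau), ..., y(-1) produced by M_nl
    return s[:R], list(reversed(y_pre))

def equivalent_up_to(s, n):          # Definition 1, checked on every input word of length 1..n
    s_nl, s_l = split_state(s)
    return all(run_public(s, w) == run_l(s_l, run_nl(s_nl, w))
               for k in range(1, n + 1) for w in product(range(1 << L), repeat=k))

def encrypt(s, plaintext):           # step 4: append tau arbitrary blocks, run the public automaton
    return run_public(s, list(plaintext) + [rng.getrandbits(L) for _ in range(TAU)])

def decrypt(s, ciphertext):          # step 5: M_l^{-1} first, then M_nl^{-1} from s_nl
    return run_nl_inv(s[:R], run_l_inv(ciphertext))

if __name__ == "__main__":
    s, pt = [rng.getrandbits(L) for _ in range(R + TAU)], [rng.getrandbits(L) for _ in range(8)]
    ct = encrypt(s, pt)
    print(len(ct) == len(pt) + TAU, decrypt(s, ct) == pt, equivalent_up_to(s, 3))
```

Running the script prints three `True` values: the ciphertext is tau blocks longer than the plaintext, decryption with the secret inverses recovers the plaintext, and the public automaton agrees with the composed pair on all 4368 input words of length at most three. The check in `equivalent_up_to` is exactly the output comparison of Definition 1 restricted to a finite set of words; because the state space of M has $2^{l(r+\tau)}$ elements, an exhaustive proof over all words would instead enumerate reachable state pairs, which is the same idea at a larger cost.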
One can make sure that the same input supplied to both automata produces the same output.

It is known that a linear automaton is weakly invertible with delay at most
$$\tau = \frac{|S|\,(|S| - 1)}{2}, \qquad (9)$$
where S is the automaton state alphabet [6]. Equation (9) shows that with increasing |S| the value of $\tau$ increases quadratically. Thus, replacing the linear automaton $M_l$ by an equivalent automaton with a larger state alphabet, we can obtain a longer delay $\tau$. The above mentioned modification increases the resultant delay $\tau$ of the encryption automaton.

4. Exhaustive search attack

The FAPKC presented in Chapter 2 is vulnerable to an attack where the attacker knows an ending part of the plaintext. Let the automata $M_l$, $M_{nl}$ and M be as defined in equations (1), (3) and (6) respectively. If the attacker knows or guesses $r+\tau$ inputs $x(i-r-\tau+1), \ldots, x(i)$, then he knows a state $s(i+1) = \langle x(i), x(i-1), \ldots, x(i-r-\tau+1)\rangle$ of the automaton M. This information allows finding a state $s(i)$ from which the automaton M goes to the state $s(i+1)$ and outputs $z(i)$ if the input is $x(i)$. Only the input $x(i-r-\tau)$ is unknown for the state $s(i) = \langle x(i-1), x(i-2), \ldots, x(i-r-\tau)\rangle$. Using the public key and the ciphertext, a system of equations can be generated from (6) in such a way that $x(i-r-\tau)$ can be uniquely determined.

To complicate the breaking by exhaustive search from the end to the beginning, a nonlinear operation over GF(2) for two successive inputs of $M_l$ is defined. The definition formula (1) of $M_l$ is redefined as follows:
$$y(i) = \sum_{j=0}^{\tau} A_j\, x(i-j) + \sum_{j=1}^{\tau-1} \tilde A_j\, x(i-j) \circ x(i-j-1), \qquad i = 0,1,2,\ldots \qquad (10)$$
Substituting formula (8) into (3) and simplifying results in
$$z(i) = \sum_{j=0}^{r+\tau} C_j\, x(i-j) + \sum_{j=1}^{2(r+\tau)} \tilde C_j\, x(i-j) \circ x(i-j-1), \qquad i = 0,1,2,\ldots \qquad (11)$$
where
$$C_j = \sum_{t=0}^{\tau} A_t B_{j-t} \quad (j = 0,\ldots,r+\tau), \qquad \tilde C_j = \sum_{t=1}^{\tau-1} \tilde A_t \tilde B_{j-t} \quad (j = 1,\ldots,r+\tau-1),$$
with $B_k$ and $\tilde B_k$ taken as zero outside their index ranges.

Using this redefined encryption automaton makes the exhaustive search from the end of the plaintext to the beginning as hard as from the beginning to the end, which is designed to be hard.

5. Conclusion

The presented finite automata public key cryptosystem is secure against the chosen plaintext attack and the exhaustive search attack. The security of FAPKC is mainly based on the growth of the public key size due to the increasing delays of the component automata. The proposed modifications of both component automata, nonlinear and linear, complicate the process of breaking the cryptosystem, allowing the design of a stronger FAPKC.

6. References

[1] M. R. Garey, D. S. Johnson, Computers and Intractability (A Guide to the Theory of NP-Completeness), W. H. Freeman and Co., San Francisco, 1979.

[2] C. H. Papadimitriou, Computational Complexity, First Edition, Addison Wesley, 1993.

[3] M. A. Arbib, Theories of Abstract Automata, Prentice-Hall, Englewood Cliffs, NJ, 1969.

[4] G. I. Margarov, S. H. Chopuryan, Y. Alaverdyan, "Fast Public Key Algorithm Based on Finite Automata", In Proc. of the Int'l Conf. on Computer Science and Information Technologies (CSIT'07), Yerevan, September 2007, pp. 112-115.

[5] F. Bao, Y. Igarashi, "Break Finite Automata Public Key Cryptosystem", ICALP, 1995, pp. 147-158.

[6] R. Tao, Sh. Chen, X. Chen, "FAPKC3: a new automaton public key cryptosystem", Technical Report No. ISCAS-LCS-95-07, Laboratory for Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, June 1995.