
Strong Finite Automata Public Key Cryptosystem

Siranush Chopuryan
State Engineering University of Armenia
siranush.ch@gmail.com

Gevorg Margarov
State Engineering University of Armenia
gmargarov@gmail.com

Abstract

Existing finite automata public key cryptosystems (FAPKC) are analyzed in this paper. Methods of breaking FAPKC by some known types of attacks are introduced. As a result, an improved FAPKC is designed in order to resist the presented types of attacks. Strong FAPKC is obtained by generating invertible nonlinear and linear automata of the suitable form.

1. Introduction

Public key cryptosystems, discussed in this paper, are based on the automata theory. Public key in FAPKC is the composition of nonlinear and linear finite automata, whose inverses are easily calculated. Private key is a specific combination of those inverses.

It is known that the general inversion of public key automaton is a hard problem [1,2]. On the other hand, the public key automaton components and their inverses can be efficiently discovered using the algebraic theory of automata [3].

Weakness of the cryptosystem against the chosen plaintext attack, in case of non suitable nonlinear and linear automata usage, is investigated in this article. A method to generate suitable linear and nonlinear automata is introduced to increase the stability of the FAPKC.

It is shown that FAPKC is vulnerable to the exhaustive search attack as well, if the ending of the plaintext is known to the attacker. A method to prevent the exhaustive search attack is suggested in this article.

2. Finite automata public key cryptosystem

To design a FAPKC a pair of finite automata is offered. Encryption principle in FAPKC is shown in Figure 1, where $M_{nl}$ is a nonlinear weakly invertible finite automaton (WIFA for short) with delay 0 and $M_l$ is a linear WIFA with delay τ. The encryption automaton is the composition of $M_{nl}$ and $M_l$, denoted by $M = M_{nl} M_l$, that is also a nonlinear WIFA with delay 0+τ=τ [4].

Figure 2 shows the decryption principle, where $M_{nl}^{-1}$ is the weak inverse of $M_{nl}$ with delay 0 and $M_l^{-1}$ is the weak inverse of $M_l$ with delay τ.

The composite finite automaton M is the public key in FAPKC, and the private key is $M_l^{-1}$ and $M_{nl}^{-1}$ finite automata and their connection order.

[Figure 1: plaintext → $M_{nl}$ → $M_l$ → ciphertext, with $M$ spanning both automata]
Figure 1. The encryption scheme

[Figure 2: ciphertext → $M_l^{-1}$ → $M_{nl}^{-1}$ → plaintext]
Figure 2. The decryption scheme

2.1 Linear WIFA

Linear automaton is of the $M_l = \langle X, Y, S_l, \delta_l, \lambda_l \rangle$ form, where X is the input alphabet, Y is the output alphabet, $S_l$ is the state alphabet, $\delta_l : S_l \times X \to S_l$ is the transition function and $\lambda_l : S_l \times X \to Y$ is the output function.

X and Y are l-dimensional linear spaces over GF(2)={0,1}. If y(i)∈Y presents the output at time i, and x(i)∈X is a column vector, then the automaton $M_l$ can be defined as follows:

$$y(i) = A_0 x(i) + A_1 x(i-1) + \cdots + A_\tau x(i-\tau), \quad i = 0,1,2,\ldots \qquad (1)$$

978-1-4244-4457-1/09/$25.00 ©2009 IEEE 625

Authorized licensed use limited to: VSB Engineering College. Downloaded on July 14,2010 at 07:46:49 UTC from IEEE Xplore. Restrictions apply.
$M_l$ is a τ-input memory finite automaton, where $\langle x(-1), x(-2), \ldots, x(-\tau) \rangle$ is the initial state.

In equation (1) $A_j$ (j=0,1,2,…,τ) is an l × l linear coefficient matrix, which uniquely determines the finite automaton M. Operations in (1) are usual addition and multiplication over GF(2).

The finite automaton $M_l$ is a WIFA with delay τ if and only if the collection of matrices, $A_0^{-1}, A_1^{-1}, \ldots, A_\tau^{-1}, \tilde{A}_0^{-1}, \tilde{A}_1^{-1}, \ldots, \tilde{A}_\tau^{-1}$, can be derived from the collection of $A_j$ (j=0,1,2,…,τ) [3] such that

$$x(i) = \sum_{j=0}^{\tau} A_j^{-1} y(i+j) + \sum_{j=1}^{\tau} \tilde{A}_j^{-1} x(i-j), \quad i = 0,1,2,\ldots \qquad (2)$$

For any initial state $s = \langle x(-1), x(-2), \ldots, x(-\tau) \rangle$ of $M_l$ and for any input sequence $x(0), x(1), \ldots, x(n+\tau) \in X$, if $y(0)y(1) \ldots y(n+\tau) = \lambda(x(0)x(1) \ldots x(n+\tau))$, then $x(0), x(1), \ldots, x(n)$ can be calculated one by one from (2).

Hence, the automaton defined by the equation (2) specifies the weak inverse with delay τ of $M_l$.

2.2. Nonlinear WIFA

Nonlinear automaton is of the $M_{nl} = \langle X, Y, S_{nl}, \delta_{nl}, \lambda_{nl} \rangle$ form, where X is the input alphabet, Y is the output alphabet, $S_{nl}$ is the state alphabet, $\delta_{nl} : S_{nl} \times F(X) \to S_{nl}$ is the transition function and $\lambda_{nl} : S_{nl} \times F(X) \to Y$ is the output function. X and Y are l-dimensional linear spaces over GF(2)={0,1} and F(X) is a function introducing a nonlinear operation ° defined over GF(2) [3]. The definition formula of $M_{nl}$ is

$$y(i) = \sum_{j=0}^{r} B_j x(i-j) + \sum_{j=1}^{r-1} \tilde{B}_j x(i-j) \circ x(i-j-1), \quad i = 0,1,2,\ldots \qquad (3)$$

where $B_j$ (j = 0,1,2,…,r) and $\tilde{B}_j$ (j = 1,2,…,r−1) are l × l coefficient matrices over GF(2), and $B_0$ is an invertible matrix.

The $M_{nl}$ defined by equation (3) is an r-input memory finite automaton. As $B_0^{-1}$ exists, the definition formula of $M_{nl}^{-1}$ will be

$$x(i) = B_0^{-1} \left( y(i) + \sum_{j=0}^{r} B_j x(i-j) + \sum_{j=1}^{r-1} \tilde{B}_j x(i-j) \circ x(i-j-1) \right), \quad i = 0,1,2,\ldots \qquad (4)$$

The r-output memory automaton $M_{nl}^{-1}$ is a weak inverse with delay 0 of $M_{nl}$. For any initial state $s = \langle x(-1), x(-2), \ldots, x(-r) \rangle$ of $M_{nl}$ there exists $s'$ of $M_{nl}^{-1}$ such that $\lambda'_{nl}(s', \lambda_{nl}(s, x)) = x$, where $s'$ is the match state of s and is also defined by $\langle x(-1), x(-2), \ldots, x(-r) \rangle$.

2.3 FAPKC design principles

Finite automata public key cryptosystem works in the following way:

1. First construct two automata $M_{nl}$ and $M_l$ as defined above.

2. Construct the composition automaton $M = M_{nl} M_l$ by substituting (1) into (3). The definition formula of M will be:

$$z(i) = \sum_{t=0}^{\tau} A_t \left[ \sum_{j=0}^{r} B_j x(i-j-t) + \sum_{j=1}^{r-1} \tilde{B}_j x(i-j-t) \circ x(i-j-t-1) \right], \quad i = 0,1,2,\ldots \qquad (5)$$

Each state $s = \langle x(-1), x(-2), \ldots, x(-r-\tau) \rangle$ of $M = M_{nl} M_l$ is equivalent to the state $\langle s_{nl}, s_l \rangle$, where $s_{nl} = \langle x(-1), x(-2), \ldots, x(-r) \rangle$ is a state of $M_{nl}$ and $s_l = \langle y(-1), y(-2), \ldots, y(-\tau) \rangle$ is a state of $M_l$.

The equation (5) can be simplified as follows:

$$z(i) = \sum_{j=0}^{r+\tau} C_j x(i-j) + \sum_{j=1}^{r+\tau-1} \tilde{C}_j x(i-j) \circ x(i-j-1), \quad i = 0,1,2,\ldots \qquad (6)$$

where

$$C_j = \sum_{t=0,\ j=0}^{t=\tau,\ j=r} A_t B_j, \qquad \tilde{C}_j = \sum_{t=0,\ j=1}^{t=\tau,\ j=r-1} A_t \tilde{B}_j,$$

are l × l-dimensional matrix polynomials over GF(2), uniquely determining the finite automaton M. The automaton M is made public.

3. Construct the inverse automata $M_{nl}^{-1}$, $M_l^{-1}$ as defined above and keep them secret.

4. First choose a sequence x(m+1)x(m+2)…x(m+τ) arbitrarily to encrypt the plaintext x(0)x(1)…x(m). Then input the plaintext x(0)x(1)…x(m+τ) into $M = M_{nl} M_l$ with initial state s. The output z(0)z(1)…z(m+τ) is the ciphertext.

5. To decrypt z(0)z(1)…z(m+τ), first $M_l^{-1}$ and the initial state $s_l$ are used to obtain y(0)y(1)…y(m).

Then y(0)y(1)…y(m) is supplied into $M_{nl}^{-1}$ with initial state $s_{nl}$ to obtain x(0)x(1)…x(m) as the output.

Described FAPKC can be broken by
1) solving the nonlinear equation (4) over GF(2);
2) exhaustive searching from the end of the plaintext to the beginning [5].

Breaking techniques and methods to prevent them are represented in the chapters below.

3. Chosen plaintext attack

The weakness of FAPKC against chosen plaintext attack is conditioned by usage of nonlinear WIFA with delay 0 and linear WIFA with delay τ.

Chosen plaintext attack for FAPKC is reduced to the problem of solving a system of nonlinear equations (6) over GF(2), that is known to be very hard if the number of its arguments is large.

To increase the number of arguments in (6), the delay τ of the encryption automaton is increased. The delay τ of the encryption automaton is: τ=0+τ, where 0 is the delay value of the nonlinear component automaton, and τ is the delay value of the linear component automaton.

First way to increase the encryption automaton delay τ is to change the nonlinear component automaton into a WIFA with delay τ1. Second way is to make the component linear WIFA automaton's delay longer by adding new states to its state alphabet.

3.1. Nonlinear WIFA modification

The definition formula of the automaton $M_{nl}$ is

$$y(i) = \sum_{j=0}^{r} B_j x(i-j) + \sum_{j=1}^{r-1} \tilde{B}_j x(i-j) \circ x(i-j-1),$$

where $B_j$ (j = 0,1,2,…,r) and $\tilde{B}_j$ (j = 1,2,…,r−1) are l × l coefficient matrices over GF(2), and $B_0$ is an invertible matrix. The operation ° is defined to be a nonlinear operation over GF(2).

To modify the nonlinear WIFA with delay 0 to a nonlinear WIFA with delay τ, we redefine the operation ° in such a way as to get a nonlinear WIFA with delay τ. Definition formula will be

$$y(i) = \sum_{j=0}^{r} B_j x(i-j) + \sum_{j=1}^{r+\tau} \tilde{B}_j x(i-j) \circ x(i-j-\tau), \quad i = 0,1,2,\ldots \qquad (7)$$

Apparently, $M_{nl}$ now is a nonlinear WIFA with delay τ. The formula (6) now can be rewritten as follows:

$$z(i) = \sum_{j=0}^{r+\tau} C_j x(i-j) + \sum_{j=1}^{r+2\tau} \tilde{C}_j x(i-j) \circ x(i-j-\tau), \quad i = 0,1,2,\ldots \qquad (8)$$

3.2. Linear WIFA modification

New states can be added between any two states to have a longer delay for the linear automaton $M_l$. The resultant automaton has to be equivalent to the source automaton according to the Definition 1.

Definition 1. Let $M_1 = \langle X, Y, S_1, \delta_1, \lambda_1 \rangle$ and $M_2 = \langle X, Y, S_2, \delta_2, \lambda_2 \rangle$ be a pair of automata. States $s_1 \in S_1$ and $s_2 \in S_2$ are said to be equivalent if for any x(0)x(1)…x(m), such that x(0)x(1)…x(m)∈X,

$$\lambda_1(s_1, x(0), x(1), \ldots, x(m)) = \lambda_2(s_2, x(0), x(1), \ldots, x(m)).$$

Finite automata $M_1$ and $M_2$ are said to be equivalent if for any state $s_1 \in S_1$, there exists a state $s_2 \in S_2$ equivalent to $s_1$ and for any $s_2 \in S_2$, there exists $s_1 \in S_1$ equivalent to $s_2$.

Figure 3 shows a pair of equivalent automata with different number of states.

[Figure 3: state diagrams of the two automata. Edge labels of the two-state diagram: 0 (1), 1 (1), 1 (0), 0 (0). Edge labels of the three-state diagram: 0 (0), 1 (1), 1 (0), 0 (1), 1 (0), 0 (0).]

Two-state automaton:

x=0 | A  B        x=1 | A  B
 A  | 0  1         A  | 1  0
 B  | 1  0         B  | 0  1

Three-state automaton:

x=0 | A  B  C     x=1 | A  B  C
 A  | 0  0  1      A  | 1  0  0
 B  | 1  0  0      B  | 0  1  0
 C  | 1  0  0      C  | 0  1  0

Figure 3. Graphical and tabular representation of two equivalent automata.
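Definition 1 checked mechanically on the two automata of Figure 3, as an added example that is not from the paper. The transitions follow the figure's tables; the output attached to each transition is an assumed reading of the diagram's edge labels as "input (output)", and the function names are hypothetical.

```python
# Added example: Definition 1 applied to the two automata of Figure 3.
# Outputs per transition are an assumed reading of the figure's edge labels.
from collections import deque

# state -> {input: (next_state, output)}
M1 = {"A": {0: ("B", 1), 1: ("A", 1)},
      "B": {0: ("A", 0), 1: ("B", 0)}}
M2 = {"A": {0: ("C", 1), 1: ("A", 1)},
      "B": {0: ("A", 0), 1: ("B", 0)},
      "C": {0: ("A", 0), 1: ("B", 0)}}   # C behaves exactly like B

def states_equivalent(m1, s1, m2, s2):
    """True if s1 and s2 give equal outputs on every input sequence."""
    seen, queue = {(s1, s2)}, deque([(s1, s2)])
    while queue:
        p, q = queue.popleft()
        for x in (0, 1):
            (p2, out1), (q2, out2) = m1[p][x], m2[q][x]
            if out1 != out2:
                return False          # some input sequence tells them apart
            if (p2, q2) not in seen:
                seen.add((p2, q2))
                queue.append((p2, q2))
    return True

def automata_equivalent(m1, m2):
    """Each state of either automaton has an equivalent state in the other."""
    fwd = all(any(states_equivalent(m1, s, m2, t) for t in m2) for s in m1)
    back = all(any(states_equivalent(m2, t, m1, s) for s in m1) for t in m2)
    return fwd and back

def run(m, s, xs):
    """Output sequence of automaton m started in state s on inputs xs."""
    out = []
    for x in xs:
        s, y = m[s][x]
        out.append(y)
    return out
```

Because the search walks pairs of states rather than input strings, it terminates after at most |S1|·|S2| pairs even though Definition 1 quantifies over all input sequences.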

One can make sure that the same input supplied to both automata produces the same output.

It is known that linear automaton is weak invertible with delay at most

$$\tau = \frac{|S|(|S|-1)}{2}, \qquad (9)$$

where S is the automaton state alphabet [6].

Equation (9) shows that with increasing |S| the value of τ is being increased quadratically.

Thus, replacing the linear automaton $M_l$ by an equivalent automaton with larger state alphabet, we can obtain longer delay τ. The above mentioned modification increases the resultant delay τ of the encryption automaton.

4. Exhaustive search attack

FAPKC presented in Chapter 2 is vulnerable to an attack where the attacker knows an ending part of the plaintext.

Let the automata $M_l$, $M_{nl}$ and M be as defined in equations (1), (3) and (6) respectively.

If the attacker knows or guesses r+τ inputs x(i-r-τ+1),…,x(i), then he knows a state $s(i+1) = \langle x(i), x(i-1), \ldots, x(i-r-\tau+1) \rangle$ of the automaton M. This information allows to find a state s(i), from which the automaton M goes to the state s(i+1) and outputs z(i) if the input is x(i). Only the input x(i-r-τ) is unknown for the state $s(i) = \langle x(i-1), x(i-2), \ldots, x(i-r-\tau) \rangle$.

Using the public key and the ciphertext, a system of equations can be generated from (6) in such a way that x(i-r-τ) can be uniquely determined.

To complicate the breaking by exhaustive search from the end to the beginning, a nonlinear operation over GF(2) for two successive inputs of the $M_l$ is defined.

The definition formula (1) of $M_l$ is redefined as follows:

$$y(i) = \sum_{j=0}^{\tau} A_j x(i-j) + \sum_{j=1}^{\tau-1} \tilde{A}_j x(i-j) \circ x(i-j-1), \quad i = 0,1,2,\ldots \qquad (10)$$

Substituting formula (8) into (3) and simplifying results in

$$z(i) = \sum_{j=0}^{r+\tau} C_j x(i-j) + \sum_{j=1}^{2(r+\tau)} \tilde{C}_j x(i-j) \circ x(i-j-1), \quad i = 0,1,2,\ldots \qquad (11)$$

where

$$C_j = \sum_{t=0,\ j=0}^{t=\tau,\ j=r} A_t B_j, \qquad \tilde{C}_j = \sum_{t=1,\ j=1}^{t=\tau-1,\ j=r-1} \tilde{A}_t \tilde{B}_j, \quad i = 0,1,2,\ldots$$

Using this redefined encryption automaton makes the exhaustive search from the end of the plaintext to the beginning as hard as from the beginning to the end, which is designed to be hard.

5. Conclusion

The presented finite automata public key cryptosystem is secure against the chosen plaintext attack and the exhaustive search attack. Security of FAPKC is mainly based on the growth of public key size due to increasing delays of component automata. The proposed modifications of both component nonlinear and linear automata complicate the process of breaking the cryptosystem, allowing the design of stronger FAPKC.

6. References

[1] Garey, M.R., D.S. Johnson, Computers and Intractability (A Guide to the Theory of NP-Completeness), W. H. Freeman and Co., San Francisco, 1979.

[2] Papadimitriou, C. H., Computational Complexity, First Edition, Addison Wesley, 1993.

[3] Arbib, M. A., Theories of Abstract Automata, Prentice-Hall, Englewood Cliffs, NJ, 1969.

[4] G. I. Margarov, S. H. Chopuryan, Y. Alaverdyan, “Fast Public Key Algorithm Based on Finite Automata”, In Proc. of the Int’ Conf. on Computer Science and Information Technologies (CSIT’07), Yerevan, September 2007, pp. 112-115.

[5] F. Bao, Y. Igarashi, “Break Finite Automata Public Key Cryptosystem”, ICALP, 1995, pp. 147-158.

[6] R. Tao, Sh. Chen, X. Chen, “FAPKC3: a new automaton public key cryptosystem”, Technical Report No. ISCAS-LCS-95-07, Laboratory for Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, June 1995.
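Steps 1 to 5 of Section 2.3 as an added worked example (not the authors' code): a toy instance with l = 2, r = 2, τ = 1 that encrypts through M_nl and then M_l and decrypts with the two weak inverses. The coefficient matrices, the reading of ° as componentwise AND and all function names are assumptions chosen for illustration; the public key is applied as the two-stage composition rather than through the expanded coefficients of (6), and the inverse of M_nl sums its memory terms over j ≥ 1 so that B_0 x(i) is the term being solved for.

```python
# Added example: toy FAPKC round trip over GF(2) with l = 2, r = 2, tau = 1.
# The matrices and the reading of "°" as componentwise AND are assumptions.
TAU = 1

def mv(M, v):                         # matrix-vector product over GF(2)
    return tuple(sum(a & b for a, b in zip(row, v)) & 1 for row in M)

def add(*vs):                         # vector addition over GF(2)
    return tuple(sum(c) & 1 for c in zip(*vs))

def circ(u, v):                       # assumed nonlinear operation
    return tuple(a & b for a, b in zip(u, v))

B0, B1, B2 = ((1, 1), (0, 1)), ((0, 1), (1, 0)), ((1, 0), (1, 1))
B0_INV = B0                           # B0 * B0 = I over GF(2)
BT1 = ((1, 1), (1, 0))                # tilde B_1
A0, A1 = ((1, 1), (0, 0)), ((0, 0), (0, 1))   # A0 singular: delay tau = 1
P0, P1 = ((1, 0), (0, 0)), ((0, 1), (0, 1))   # y(i) = P0 z(i) + P1 z(i+1)

def memory(h1, h2):                   # terms of (3) and (4) built from past inputs
    return add(mv(B1, h1), mv(B2, h2), mv(BT1, circ(h1, h2)))

def m_nl(xs, s_nl):                   # eq. (3); s_nl = (x(-1), x(-2))
    (h1, h2), ys = s_nl, []
    for x in xs:
        ys.append(add(mv(B0, x), memory(h1, h2)))
        h1, h2 = x, h1
    return ys

def m_nl_inv(ys, s_nl):               # eq. (4): weak inverse with delay 0
    (h1, h2), xs = s_nl, []
    for y in ys:
        xs.append(mv(B0_INV, add(y, memory(h1, h2))))
        h1, h2 = xs[-1], h1
    return xs

def m_l(ys, s_l):                     # eq. (1); s_l = y(-1)
    return [add(mv(A0, y), mv(A1, p)) for y, p in zip(ys, [s_l] + list(ys))]

def m_l_inv(zs):                      # eq. (2) with zero memory terms
    return [add(mv(P0, zs[i]), mv(P1, zs[i + 1])) for i in range(len(zs) - TAU)]

def encrypt(plain, pad, s_nl, s_l):   # step 4: append tau arbitrary blocks
    return m_l(m_nl(list(plain) + list(pad), s_nl), s_l)

def decrypt(cipher, s_nl):            # step 5: M_l^-1 first, then M_nl^-1
    return m_nl_inv(m_l_inv(cipher), s_nl)
```

The ciphertext is τ blocks longer than the plaintext, and the last plaintext block can only be recovered because the padding block supplies z(m+1) to the delay-τ inverse.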
