Break Finite Automata Public Key Cryptosystem - Semantic Scholar

1 downloads 0 Views 193KB Size Report
1.1 About FAPKC. Finite Automaton Public Key Cryptosystem, denoted by FAPKC, is a public key cryptosystem based on the invertibility theory of nite automata.
Break Finite Automata Public Key Cryptosystem Feng Bao and Yoshihide Igarashi Department of Computer Science, Gunma University, Kiryu, 376 Japan In this paper we break a 10-year's standing public key cryptosystem, Finite Automata Public Key Cryptosystem(FAPKC for short). The security of FAPKC was mainly based on the diculty of nding a special common left factor of two given matrix polynomials. We prove a simple but previously unknown property of the input-memory nite automata. By this property, we reduce the basis of the FAPKC's security to the same problem in module matrix polynomial rings. The problem turns out to be easily solved. Hence, we can break FAPKC by constructing decryption automata from the encryption automaton(public key). We describe a modi cation of FAPKC which can resist above attack. Abstract.

1 Introduction 1.1 About FAPKC

Finite Automaton Public Key Cryptosystem, denoted by FAPKC, is a public key cryptosystem based on the invertibility theory of nite automata. For the invertibility theory of nite automata, the reader may be referred to [1,3,59,11,17-19,22]. FAPKC is a 10-year's standing public key cryptosystem that rst appeared in [20], and its modi ed versions were given in the following year [21]. The identity-based nite automaton public key cryptosystem and digital signature schemes were proposed in CRYPTO-CHINA'92 [23]. Since FAPKC is a stream cipher, it possesses an advantageous property that plaintexts need not be divided into blocks. Its speed is very fast(much faster than RSA), and its key size is comparable with RSA's [12] [24]. FAPKC can be easily implemented. since it includes only logic operations. FAPKC was practically used in some local networks in China, and the product of digital signature based on FAPKC was developed for practical use. Although almost all the relevant references about FAPKC were published in China, the copies of [21] were distributed at ICALP'88 when Tao, the inventor of FAPKC, presented [22] at the conference. FAPKC was also mentioned in Section 5.3 of Salomaa's book [16].

1.2 Weakly Invertible Finite Automata

Since the relevant references are not conveniently accessed by the reader, we try to make this paper self-contained. Invertible nite automata were rst proposed by Hu man as \information-lossless nite state logical machines" [11]. Since then, they have been much studied [1,3,8,9,13-15,25]. In [8] and [9], \generalized nite automata" were used instead of \sequential machines" and \logic

machines". Reference [17] is a book on this subject, in which both invertible nite automata and weakly invertible nite automata have been intensively studied. Formally speaking, a nite automaton is a ve-tuple M =< X; Y; S; ;  >, where X is a nite input alphabet, Y is a nite output alphabet, S is a nite set of internal states,  is a next-state function,  : S 2 X ! S and  is an output function,  : S 2 X ! Y . We can naturally extend  to a mapping from S 2 X 3 to S , where X 3 denotes the set of all nite strings over X (including the empty string "): For any s 2 S , 2 X 3 and x 2 X , de ne  (s; ") = s and (s; x) = ((s; ); x). Similarly,  can be naturally extended to a mapping from S 2 (X 3 [ X ! ) to Y 3 [ Y ! , where X ! denotes the set of all in nite strings over X : For any s 2 S , 2 X 3 [ X ! and x 2 X , de ne (s; ") = " and (s; x ) = (s; x)( (s; x); ). Our nite automaton is a transducer converting a string over the input alphabet into a length-preserving string over the output alphabet, rather than just an acceptor.

De nition 1. Let M =< X; Y; S; ;  > be a nite automaton. If for any s 2 S and any ; 0 2 X ! , (s; ) = (s; 0 ) always implies = 0 , then M is said to be a weakly invertible finite automaton (WIFA for short). De nition 2. A nite automaton M =< X; Y; S; ;  > is said to be a WIFA with delay  if for any s 2 S , a; a0 2 X and ; 0 2 X  , (s; a ) = (s; a0 0 ) always implies a = a0 , where  is a non-negative integer and X  is the set of all strings of length  over X. Proposition 3. A nite automaton M is a WIFA if and only if M is a WIFA with delay  for some   n(n 0 1)=2, where n is the number of states of M . De nition 4. Let M =< X; Y; S; ;  > and M 0 =< Y; X; S 0 ; 0 ; 0 > be a pair of nite automata. If for any s 2 S there exists s0 2 S 0 such that for any 2 X ! , there exists 0 2 X  satisfying 0 (s0 ; (s; )) = 0 , then M is called a weak inverse with delay  of M . Such a state s0 is called the match state of s, and such a string 0 = x0 1 1 1 x01 the delay prefix. Proposition 5. A nite automaton M is a WIFA with delay  if and only if M has a weak inverse with delay  . For the proofs of above two propositions, the reader may be referred to [9] [17].

De nition 6. Let M1 =< X; Y; S1; 1; 1 > and M2 =< Y; Z; S2 ; 2 ; 2 > be a pair of nite automata. The composition of M1 and M2 is a new nite automaton M1 1 M2 = < X; Z; S1 2 S2; ;  >, where  (< s1 ; s2 >; x) = < 1 (s1 ; x); 2 (s2 ; 1 (s1 ; x)) > and (< s1 ; s2 >; x) = 2 (s2 ; 1 (s1 ; x)) for any x 2 X and < s1 ; s2 >2 S1 2 S2 . M1 1 M2 is the natural concatenation of M1 and M2 (i:e:, M2 takes the output of M1 as its input). it is not dicult to see that if M1 is a WIFA with delay 1 and M2 is a WIFA with delay 2 , then M1 1 M2 is a WIFA with delay 1 + 2 .

De nition 7. Let M1 =< X; Y; S1; 1; 1 > and M2 =< X; Y; S2; 2; 2 > be a pair of nite automata. States s1 2 S1 and s2 2 S2 are said to be equivalent if for any 2 X 3 , 1 (s1; ) = 2 (s2 ; ). Finite automata M1 and M2 are said to be equivalent if for any state s1 2 S1 , there exists a state s2 2 S2 equivalent to s1 , and for any s2 2 S2 , there exists s1 2 S1 equivalent to s2. 1.3 The Basic Idea of Breaking FAPKC

In FAPKC, the plaintext is encrypted by a nonlinear WIFA with delay  (typically  > 15) which is the composition of a nonlinear WIFA with delay 0 and a linear WIFA with delay  . The security of FAPKC depends on the following facts: (a) It is dicult to construct a weak inverse with delay  of any given nonlinear WIFA with delay  . (b) It is easy to construct a weak inverse with delay  of any given linear WIFA with delay  . (c) It is easy to construct a weak inverse with delay 0 of any given nonlinear WIFA with delay 0. The principle of FAPKC is as shown in Fig. 1, where M0 is a nonlinear WIFA with delay 0, M1 is a linear WIFA with delay  , M001 is a weak inverse with 1 delay 0 of M0 , M101 is a weak inverse with delay  of M1 , s0 0 is a match state 0 1 of s0 and s1 is a match state of s1 .

Fig. 1.

The principle of FAPKC.

In FAPKC, M0 and M1 are kept as the secret key, from which M001 and 0 M1 1 , the decryption automata, can be easily derived. The public key is a subautomaton of the composition of M0 and M1 (not exactly the M0 1M1 , see Section 3 for details). We call it the encryption automaton. To separate M0 and M1 from

the encryption automaton, we needed to nd a special left common factor of two given matrix polynomials. However, that is a very dicult problem. So far, no divisibility theory has been established for matrix polynomial rings. In this paper, we prove a previously unknown property of WIFAs. Then, by this property, we reduce the problem of separating M0 and M1 from the encryption automaton to a much easier problem: nding a special left common factor of two given matrix polynomials in module matrix polynomial rings. Hence, we can break FAPKC by successfully nding decryption automata from the public key.

2 Linear WIFAs Finite automata used in FAPKC are actually sequential machines. In order to keep consistent with the references, we still use the term \ nite automaton"(FA for short). Finite automata considered here are of the form M =< X; Y; S; ;  >, where X = Y = the l-dimensional linear space over GF (2) = f0; 1g (typically l = 8, so that FAPKC encrypts byte by byte), and  and  are speci ed by the following definition formula.

M : y(i) = f (x(i); x(i01); 1 1 1 ; x(i0r); y(i01); 1 1 1 ; y(i0t)); i = 0; 1; 2; 1 1 1 (1) In the de nition formula (1), x(i) represents the input at time i, y (i) represents the output at time i, and each of x(i) and y (i) is a binary l-dimensional vector. Obviously, S is the l (r + t)-dimensional linear space over GF (2). A nite automaton de ned by (1) is so-called r-input and t-output memory FA, where < x(01); 1 1 1 ; x(0r); y(01); 1 1 1 ; y(0t) > is the initial state. All nite automata used in FAPKC are of this type. The M de ned by (1) is called a linear FA, if f is a linear function. In this case, there exist l 2 l matrices over GF (2), A0 ; A1 ; 1 1 1 ; Ar , B1 ; B2 ; 1 1 1 ; Bt such that the de nition formula (1) can be written as

M:

y(i) =

r X j

=0

A j x (i 0 j ) +

t X j

=1

Bj y ( i 0 j ) ;

i = 0; 1; 2; 1 1 1 (2)

Here, each x(i) is regarded as a column vector, Aj x(i 0 j ) is the usual multiplication of a matrix and a column vector, and the addition is the usual addition of vectors. Next we consider only r -input linear FAs, de ned by (3).

y(i) = A0 x(i) + A1x(i 0 1) + 1 1 1 + Ar x(i 0 r);

M:

i = 0; 1; 2; 1 1 1 (3)

The linear coecients A0 ; A1 ; A2 ; 1 1 1 ; Ar uniquely determine the nite automaton M . We can decide from A0 ; A1 ; A2 ; 1 1 1 ; Ar whether M is a WIFA with delay r. Furthermore, if M is a WIFA with delay r, we can construct a weak inverse with delay r of M . Let s0 =< x(01); x(02); 1 1 1 ; x(0r) > be an arbitrarily given initial state of M . Let the time variate i take 0; 1; 2; 1 1 1 ; r in (3). Then we obtain

1 10 10 1 0 0 1 0 A1 1 1 1 Ar x(01) x(0) A0 (0) 1 1 1 (0) y(0) B B B B B .. .. .. C x(02) C x(1) C A1 A0 1 1 1 (0) C y(1) C B C B B C C B C B . . . C + = B B C C B C B C B . . . . . . A @ .. A @ .. .. . . .. A @ .. A @ Ar 1 1 1 (0) A @ ... C y (r )

Ar Ar01 1 1 1 A0

x (r )

(0) 1 1 1 (0)

where (0) denotes the zero l 2 l matrix over GF (2).

x (0 r )

(4)

Proposition 8. There exists a fast algorithm for nding an invertible (r + 1)l 2 (r + 1)l matrix P from A0 ; A1 ; A2 ; 1 1 1 ; Ar , such that

1 0 0 A0;0 (0) 1 1 1 A0 (0) 1 1 1 (0) B C B A A A 1 1 1 (0) 1 0 C B 1;1 A1. ;0 1 1 1 PB B .. .. . . .. C = B .. .. . . . @ . . . . A @ .

(0) (0) .. .

Ar;r Ar;r01 1 1 1 Ar;0

Ar Ar01 1 1 1 A0

1 C C C A

(5)

where Ai;j 's satisfy the following condition: for any 0  h  r,

8x1; x2 ; 1 1 1 ; xh 2 X; 9x0 2 X; Ah;1 x1 + Ah;2 x2 + Ah;h xh = Ah;0 x0

(6)

We explain how to nd P in Appendix.

Proposition 9. The nite automaton M is a WIFA with delay r if and only if A0;0 is an invertible matrix, i:e:, of full rank. If M is a WIFA with delay r , we can construct a weak inverse with delay r of M from P easily. Adding the time variate i into (4), we have

0 1 0 10 1 0 10 1 y(i) A0 (0) 1 1 1 (0) x(i) A 1 1 1 1 Ar x(i 0 1) B B B B B .. .. .. C y(i + 1) C A1 A0 1 1 1 (0) C x(i + 1) C x(i 0 2) C B C B C B C B B C, . . . C = + B C B C B C B C B . . . . . . @ .. A @ .. .. . . .. A @ .. A @ Ar 1 1 1 (0) A @ ... C A Ar Ar01 1 1 1 A0

y (i + r )

x (i + r )

(0) 1 1 1 (0)

x (i 0 r )

i = 0; 1; 2; 1 1 1

(7)

Multiply the the matrix P from left to (7), we obtain

0 1 0 y(i) A0;0 (0) 1 1 1 B C B y ( i + 1) A 1;1 A1;0 1 1 1 C B PB = B C B . .. . . @ .. A @ ... . .

(0) (0) .. .

Ar;r Ar;r01 1 1 1 Ar;0

y (i + r )

10 1 0 10 1 x(i) A1 1 1 1 Ar x(i 0 1) C B B B .. .. .. C x(i + 1) C x(i 0 2) C C B C B C B C, . . . + P C B C B C B A @ ... A @ Ar 1 1 1 (0) A @ ... C A x (i + r )

(0) 1 1 1 (0)

i = 0; 1; 2; 1 1 1

x (i 0 r ) (8)

1 0 1 0 1 0 Q0;1 Q0;2 1 1 1 Q0;r A1 1 1 1 Ar P0;0 P0;1 1 1 1 P0;r B B B P1;0 P1;1 1 1 1 P1;r C .. .. .. C Q1;1 Q1;2 1 1 1 Q1;r C C, B B C . . . C = and P Denote P = B B B C C B . . . . A @ Ar 1 1 1 (0) A @ ... ... ... ... C @ .. .. .. .. A where Pi;j

Qr;1 Qr;2 1 1 1 Qr;r (0) 1 1 1 (0) Pr;0 Pr;1 1 1 1 Pr;r and Qi;j are l 2 l matrices. Then from the rst line of (8), we have

X X x(i) = A00;10 P0;j y(i + j ) + A00;10 Q0;j x(i 0 j ); j =1 j =0 r

r

i = 0; 1; 2; 1 1 1

(9)

1 01 Denote Pj = A0 0;0 P0;j and Qj = A0;0 Q0;j for j = 0; 1; 2; 1 1 1 ; r. We can rewrite (9) as (10),

x(i) =

r X j

=0

P j y (i + j ) +

r X j

=1

Qj x(i 0 j );

i = 0; 1; 2; 1 1 1

(10)

For any initial state s =< x(01); x(02); 1 1 1 ; x(0r ) > of M and any x(0); x(1), 1 1 1 ; x(n + r) 2 X , if y(0)y(1) 1 1 1 y(n + r) = M (s; x(0)x(1) 1 1 1 x(n + r)) (i:e:, (2) holds for i = 0; 1; 1 1 1 ; n + r ). Then from (10) we can calculate x(0); x(1); 1 1 1 ; x(n) one by one. Hence, (10) speci es a weak inverse with delay r of M , although (10) itself is not a de nition formula.

3 FAPKC and Matrix Polynomials In this section, we explain FAPKC in detail. As introduced in Section 1.3, the secret key of FAPKC consists of a nonlinear WIFA with delay 0, M0 and a linear WIFA with delay  , M1 . The de nition formula of M0 is

M0 :

y(i) =

r X j

=0

Bj x(i 0 j )+

r 01 X  j

=1

Bj x(i 0 j ) 1 x(i 0 j 0 1);

i = 0; 1; 2; 1 1 1 (11)

where B0 ; B1; B2 ; 1 1 1 ; Br ; B1 ; B2 ; 1 1 1 ; Br01 are l 2 l matrices over GF (2), and B0 is an invertible matrix. The operation x 1 y is de ned to be (a1 b1; a2 b2 ; 1 1 1 ; al bl )T for x = (a1; a2 ; 1 1 1 ; al )T and y = (b1; b2 ; 1 1 1 ; bn )T . (It does not matter what the operation '1' is. Actually, we only need '1' to be a nonlinear operation from two vectors to one vector. The operation '1' de ned above is adopted in the practical FAPKC.) M0 is an r-input memory FA. It is easy to see that the r-output memory M001 is a weak inverse with delay 0 of M0 .

1 0 r01 r X X M001 : x(i) = B001 @y(i) + Bj x(i 0 j ) + Bj x(i 0 j ) 1 x(i 0 j 0 1)A j

=1

j

=1

(12) For any initial state s0 =< x(01); x(02); 1 1 1 ; x(0r ) > of M0 , its match state in M001 is also < x(01); x(02); 1 1 1 ; x(0r) >. The de nition formula of M1 is

M1 :

z (i) = A0 y(i) + A1y(i 0 1) + 1 1 1 + A y(i 0  )

i = 0; 1; 2; 1 1 1 (13)

The encrypt automaton is the composition of M0 and M1 , denoted by M = M0  M1 . The de nition formula of M is obtained by substituting (11) into (13).

M : z(i) =

 X t

=0

1 0 r01 r X X At @ Bj x(i 0 j 0 t) + Bj x(i 0 j 0 t) 1 x(i 0 j 0 t 0 1)A j

=0

j

=1

(14)

Actually, M = M0 M1 is not exactly the same as M0 1M1 , but it is equivalent to a sub-automaton of M0 1 M1 . That is, for any state s =< x(01); x(02); 1 1 1 ; x(0r 0  ) > of M = M0  M1 , s is equivalent to the state < s0 ; s1 > of M0 1 M1 , where s0 =< x(01); x(02); 1 1 1 ; x(0r) > and s1 =< y(01); y(02); 1 1 1 ; y(0 ) >, and

y(0h) =

r X j

=0

Bj x ( 0 h 0 j ) +

r01 X  j

=1

Bj x(0h 0 j ) 1 x(0h 0 j 0 1); h = 1; 2; 1 1 1 ;  (15)

Now let us look back at (14). It can be simpli ed as (16).

M : z (i) =

+ X r  j

Cj =

X +=

h t j

=0

C j x (i 0 j ) +

+X01

r  j

=1

Cj x(i 0 j ) 1 x(i 0 j 0 1); i = 0; 1; 2; 1 1 1 (16)

AhBt ; j = 0; 1; 1 1 1 ; r+ ; Cj =

X +=

h t j

Ah Bt ; j = 1; 2; 1 1 1 ; r+ 01 (17)

Hence, FAPKC works in the following way: 1. Choose M0 and M1 as de ned above. All the Aj , Bj and Bj are kept as secret key. (There are some criterions about the way how we choose Aj , Bj and Bj [2] [12] [24].) 2. Calculate Cj and Cj from Aj , Bj and Bj as de ned by (17), and arbitrarily choose s =< x(01); x(02); 1 1 1 ; x(0r 0  ) > as the initial state. Then Cj , Cj and s are made public. 3. From s =< x(01); x(02); 1 1 1 ; x(0r 0  ) >, get s0 and s1 as de ned in (15). 4. To encrypt plaintext x(0)x(1) 1 1 1 x(m), rst arbitrarily choose x(m +1)x(m + 2) 1 1 1 x(m+ ) 2 X  . Then, input x(0)x(1)x(2) 1 1 1 x(m+ ) into M = M0 M1 with initial state s. The output z (0)z (1)z (2) 1 1 1 z (m +  ) is the ciphertext. 5. To decrypt z (0)z (1)z (2) 1 1 1 z (m +  ), rst use M101 (as de ned in Section 2) and s1 to obtain y (0)y (1) 1 1 1 y (m). Then supply y (0)y (1) 1 1 1 y (m) into M001 with initial state s0 , and obtain x(0)x(1) 1 1 1 x(m) as the output. One of possible attacks to FAPKC is to reduce (16) to simultaneous quadratic equations over GF (2), and solve them. However, it is known that solving nonlinear equations over GF (2) is very dicult if the number of its arguments is large. Another way is the ciphertext attack through randomized searching. FAPKC can resist such a kind of attacks by taking  > 15 and choosing uniformly increasing ranks for M1 [2]. Now we consider the possibility of separating M0 and M1 from M = M0  M1. We denote the l2l matrix polynomial ring over GF (2) by MP(x). More precisely, MP(x) is the set of all the polynomials like G(x) = G0 + G1 x + 1 1 1 + Gn xn , where G0 ; G1 ; 1 1P 1 ; Gn are l 2 l matrices is the formal variable. P over GF (2) and xP 01 B xj 01, C(x) = (x) = jr=1 Let A(x) = j=0 Aj xj , B(x) = rj=0 Bj xj , B j P Pr+ j r+ 01  j 01  C x . Then from (17), we have C(x) = C x and C ( x ) = j j j =1 j =0  (x ) = A(x ) B  (x). A(x)B(x) and C

 (x) given above, nd A0 (x) = Pj=0 A0j xj , Problem 1: For C(x) and C P 01 B 0 xj01 in  0 (x) = Pjr=1 B0 (x) = rj=0 Bj0 xj (where B00 is invertible) and B j 0 0 0 0  (x ) = A (x ) B  (x). MP(x), such that C(x) = A (x)B (x) and C

If we could solve Problem 1 by a fast algorithm, then we could break FAPKC. This is because in such a case we could obtain a nonlinear WIFA with delay 0, M00 from B00 ; B10 ; 1 1 1 ; Br0 ; B1 ; B2 ; 1 1 1 ; Br01 , and a linear WIFA with delay  , M10 from A00 ; A01 ; 1 1 1 ; A0 , while M00  M10 = M0  M1 . Hence, we could break FAPKC by constructing M00 01 and M10 01 . However, it is very dicult to solve Problem 1. Since MP(x) is noncommunitive and contains divisors of zero, establishing divisibility theory for MP(x) seems to be dicult [10]. Although polynomial time algorithms for factorization of polynomials over a nite eld exist [4], any feasible algorithm for factoring matrix polynomials is not yet known. In the next section, we prove a simple but previously unknown property for the input memory WIFAs. By this property we can reduce the secure base of FAPKC to Problem 2, which is much easier than Problem 1.  (x) given above, nd A0 (x) = Pj=0 A0j xj , Problem 2: For C(x) and C P 01 B 0 xj01 in  0 (x) = Pjr=1 B0 (x) = rj=0 Bj0 xj (where B00 is invertible) and B j  (x) = A0 (x)B  0 (x ) MP(x), such that C(x) = A0 (x)B0 (x) (mod x +1 ) and C  0 1 (mod x ).

4 A Property of WIFAs In this section, we prove that only those terms related with x(i); x(i01); 1 1 1 ; x(i0  ) determine whether an FA is a WIFA with delay  . Let Mf and Mf +g be a pair of (r +  )-input memory FAs. Their de nition formulae are

Mf :

y(i) = f (x(i); x(i 0 1); 1 1 1 ; x(i 0 r 0  ));

i = 0; 1; 2; 1 1 1

(18)

Mf +g : y(i) = f (x(i); 1 1 1 ; x(i0r0 ))+g(x(i0 01); 1 1 1 ; x(i0r0 )); i = 0; 1; 2; 1 1 1 (19)

Theorem 10. The nite automaton Mf is a WIFA with delay  if and only if Mf +g is a WIFA with delay  . Proof. (=)) The proof is simply from the de nition of WIFA with delay  . For any state s =< x(01); x(02); 1 1 1 ; x(0r 0 ) > of Mf and any x(0); x(1); : : : ; x( ), x(0)0 ; x(1)0 ; : : : ; x( )0 2 X , Mf (s; x(0)x(1) 1 1 1 x( ))=Mf (s; x(0)0 x(1)0 1 1 1 x( )0 ) implies x(0) = x(0)0 , i:e:, 8 f (x(0); x(01); x(02); 1 1 1 ; x(0r 0  )) = f (x(0)0 ; x(01); x(02); 1 1 1 ; x(0r 0  )) > > > < f (x(1); x(0); x(01); 1 1 1 ; x(1 0 r 0  )) = f (x(1)0x(0)0; x(01); 1 1 1 ; x(1 0 r 0  )) .. > > : f (x( ); 1 1 1 ; x(0); x(01); 1 1 1 ; x(0r)) =. f (x( )0; 1 1 1 ; x(0)0; x(01); 1 1 1 ; x(0r)) implies x(0) = x(0)0 . Adding g (x(0 0 1); 1 1 1 ; x(0 0 r )), g (x(0 ); 1 1 1 ; x(1 0  0 r)), 1 1 1, g(x(01); x(02); 1 1 1 ; x(0r)) to both sides of equations above respectively, Mf +g (s; x(0)x(1) 1 1 1 x( ))=Mf +g (s; x(0)0 x(1)0 1 1 1 x( )0 ) implies x(0) = x(0)0 .

From the arbitrariness of s; x(0); x(1); : : : ; x( ), x(0)0 ; x(1)0 ; : : :, and x( )0 , Mf +G is a WIFA with delay  . ((=) The opposit direction can be proved similarly. 2 Next we show that we can construct a weak inverse with delay  of Mf +g from a weak inverse with delay  of Mf .

Theorem 11. If Mf01 is a weak inverse with delay  of Mf , then a weak inverse with delay  of Mf +g can be constructed from Mf01 . Proof. Let s =< x(01); x(02); 1 1 1 ; x(0r 0  ) > be an initial state of Mf and Mf +g , and let s01 be the match state of s of Mf01 . We replace the rst  output of Mf01 by x(0 ); x(1 0  ); 1 1 1 ; x(01). The principle of constructing Mf0+1g is

2

given in Fig. 2.

Fig. 2.

Mf +g

and its weak inverse with delay 

Mf0+1g .

5 Break FAPKC Let M be the encryption WIFA with delay  in FAPKC, as de ned by (16). Then M = M0  M1, where M0 and M1 are de ned by (11) and (13), respectively.

Theorem 12. If Problem 2 can be solved by a fast algorithm, then we can break

FAPKC.

P

P

Proof. Suppose that we can nd A0 (x) = j=0 A0j xj , B0 (x) = rj=0 Bj0 xj 01 B 0 xj01 in MP(x), such that C(x) =  0 (x) = Pjr=1 (where B00 is invertible) and B j  (x ) = A 0 (x ) B  0 (x) (mod x 01 ). We construct a A0 (x)B0 (x) (mod x +1 ) and C nonlinear WIFA with delay 0, M00 from B00 ; B10 ; 1 1 1 ; Br0 ; B1 ; B2 ; 1 1 1 ; Br01 , and a linear WIFA with delay  , M10 from A00; A01; 1 1 1 ; A0 . (M10 is a linear WIFA with delay  from Proposition 9 and Theorem 10.) It is easy to construct M00 01 and M10 01 from B00 ; B10 ; 1 1 1 ; Br0 ; B1 ; B2 ; 1 1 1 ; Br01 and A00 ; A01 ; 1 1 1 ; A0 respectively. Hence, we can construct a weak inverse with

delay  of M 0 = M00  M10 , denoted by M 0 01 .

M0 :

r+  01 + X X 0 Cj0 x(i0j )1x(i0j 01); z (i) = Cj x(i0j )+ r 

i = 0; 1; 2; 1 1 1 j =1 =0 P + 0 j + C 0 xj .  0 (x ) = A 0 (x ) B  0 (x) = Prj=0 Cj x and C Let C0 (x) = A0 (x)B0 (x) = rj =0 j  (x ) = C  0 (x) (mod x 01 ), from Theorem Since C(x) = C0 (x) (mod x +1 ) and C 11, we can construct the weak inverse with delay  of M , M 01 from M 0 01 . 2 j

P

Now we illustrate that Problem 2 can be easily solved. Let A(x) = j=0 Aj xj , P + 01 01 B xj01 , C(x) = Pr+ C xj , C  (x) = Prj=1  (x) = Pjr=1 B(x) = rj=0 Bj xj , B j j =0 j Cj xj 01, C(x) = A(x)B(x) and in Section 3. PC (x)0 =j A(0x)B (x),Pasr de ned 0  0 (x ) = Our aim is to nd A (x) = j =0 Aj x , B (x) = j =0 Bj0 xj and B Pr01  0 j01  (x ) = A 0 (x ) B  (x ) such that C(x) = A0 (x)B0 (x) (mod x +1 ), C j =1 Bj x  01 0 (mod x ), and B0 is invertible. P  0 (x ) Let B0 (x) = I (the l 2 l unit matrix), A0 (x) = j=0 Cj xj . We can nd B 0  0 1  (x) = A (x)B  (x) (mod x ), by solving a linear equation group such that C

0 B B B @

C0 C1 .. .

1 1 1 (0) 1 0 C0 1 1 1 (0) C CB B

(0) .. .

..

. . ..

C 02 C 03 1 1 1 C0

C AB @

1 0 B =B C A B @

B10 B20 C C .. .

B0 01

1

C1 C2 C C .. .

C 01

C A

(20)

The linear equation group (20) de nitely has solutions. Actually, one simple solution is 1 1 0 0 0 1 0 B0 (0) 1 1 1 (0) 01 B1 B1 B B B B2 C B1 B0 1 1 1 (0) C B20 C C B C B C B (21) = B C B C B . . . . .. . . . .. A @ ... C A @ .. A @ .. B 01 B 02 B 03 1 1 1 B0 B0 01

can only obtain B10 ; B20 ; 1 1 1 ; B0 01 by solving (20) since A(x) = Pr01  j 01 Pr j  are kept secret in j =1 Bj x j =0 Bj x and B(x) = j =0 Aj x , B(x) = FAPKC. However, we P  j

6 A Modi cation We have shown that FAPKC can be broken by constructing the decryption automata from the encryption automaton. The key point of insecure FAPKC is that M0 is a WIFA with delay 0, i:e:, B0 is an invertible matrix. A natural modi cation to FAPKC is to change M0 into a WIFA with delay  , based on Theorem 10 and Theorem 11.

M0 :

y(i) =

 X j

=0

Bj x(i 0 j )+

01 X 

 j

=1

Bj x(i 0  0 j ) 1 x(i 0  0 j 0 1);

i = 0; 1; 2; 1 1 1

Here B0 ; B1 ; 1 1 1 ; B are taken to be the linear coecients of a linear WIFA with delay  . Apparently, M0 is a nonlinear WIFA with delay  . M1 is the same as before. Let the encryption automaton be

M : z(i) =

2 X j

=0

C j x (i 0 j ) +

 X  j

=1

Cj x(i 0  0 j ) 1 x(i 0  0 j 0 1); i = 0; 1; 2; 1 1 1

P P 01 B xj01 , C(x) =  (x) = Pj =1 Let A(x) = j=0 Aj xj , B(x) = j=0 Bj xj , B j P P2  j 0 1 j   (x ) =  . Then C(x) = A(x)B(x) and C j =1 Cj x j =0 Cj x and C(x) =   (A(x)B(x) mod x ). This is also a variation of the version in [23]. This modi ed FAPKC can resist the attack described in this paper. To resist  0 (x ) the attack in which A0 (x) is taken to be C(x), B0 (x) is taken to be I and B is calculated by solving the linear equation group, we should choose A(x), B(x)  (x) carefully so that they satisfy some tradeo . However, further analyses and B are needed before we can give any de nite conclusion on its security.

References 1. F. Bao, \Limited error-propagation, self-synchronization and nite input memory FSMs as weak inverses", in Advances in Chinese Computer Science, Vol. 3, World Scienti c, Singapore, 1991, pp. 1-24. 2. F. Bao, Y. Igarashi, \A randomized algorithm to nite automata public key cryptosystem", in Proc. of ISAAC'94, LNCS 834, Springer-Verlag, 1994, pp. 678-686. 3. F. Bao, Y. Igarashi, X. Yu, \Some results on the decomposability of weakly invertible nite automata", IPSJ Technical Report, 94-AL, November, 1994, pp. 17-24. 4. E. Berlekamp, \Factoring polynomials over large nite eld", Math. Comp. Vol. 24, 1970, pp. 713-735. 5. S. Chen, \On the structure of nite automata of which M' is an (weak) inverse with delay  ", J. of Computer Science and Technology, Vol. 1, No. 2, 1986, pp. 54-59. 6. S. Chen, \On the structures of (weak) inverses of an (weakly) invertible nite automata", J. of Computer Science and Technology, Vol. 1, No. 3, 1986, pp. 92-100. 7. S. Chen, R. Tao, \The structure of weak inverses of a nite automaton with bounded error propagation", Kexue Tongbao, Vol. 32, No. 10, 1987, pp. 713-714. 8. S. Even, \Generalized automata and their information losslessness", in Switching Circuit Theory and Logic Design, 1962, pp. 144-147. 9. S. Even, \On Information lossless automata of nite order", IEEE Trans. on Electric Computer, Vol. 14, No. 4, 1965, pp. 561-569. 10. I. Gohberg, P. Lancaster, L. Rodman, Matrix Polynomials, Academic Press, New York. 11. D. A. Hu man, \Canonical forms for information-lossless nite-state logic machines", IRE Trans. on Circuit Theory, Vol. CT-6, Special Supplements, May, 1959, pp. 41-59. 12. J. Li, X. Gao, \Realization of nite automata public key cryptosystem and digital signature", in Proc. of the Second National Conference on Cryptography, CRYPTOCHINA'92, pp. 110-115. (in Chinese) 13. J. L. Massey, M. K. Sain, \Inverse of linear sequential circuits", IEEE Trans. on Computers, Vol. 17, No. 4, 1968, pp. 330-337.

14. J. L. Massey, A. Gubser, A. Fisger, et al., \A selfsynchronizing digital scrambler for cryptographic protection of data", in Proc. of International Zurich Seminar on Digital Communications, March, 1984. 15. R. R. Olson, \A note on feedforward inverses for linear sequential circuits", IEEE Trans. on Computers, Vol. 19, No. 12, 1970, pp. 1216-1221. 16. A. Salomaa, Public-Key Cryptography, EATCS Monographs on Theoretical Computer Science, Vol. 23, Springer-Verlag, 1990. 17. R. Tao, Invertibility of Finite Automata, Science Press, 1979, Beijing. (in Chinese) 18. R. Tao, \On the relation between bounded error propagation and feedforward inverse", Kexue Tongbao, Vol. 27, No. 7, 1982, pp. 406-408. (in Chinese) 19. R. Tao, \On the structure of feedforward inverse", Science in China, A, Vol. 26, No. 12, 1983, pp. 1073-1078. (in Chinese) 20. R. Tao, S. Chen, \Finite automata public key cryptosystem and digital signature", Computer Acta, Vol. 8, No. 6, 1985, pp. 401-409. (in Chinese) 21. R. Tao, S. Chen, \Two varieties of nite automata public key cryptosystem and digital signature", J. of Computer Science and Technology, Vol. 1, No. 1, pp. 9-18. 22. R. Tao, \Invertibility of linear nite automata over a ring", in Proc. of ICALP'88, LNCS 317, Springer-Verlag, 1988, pp. 489-501. 23. R. Tao, S. Chen, \An implementation of identity-based cryptosystems and signature schemes by nite automaton public key cryptosystems", in Proc. of the Second National Conference on Cryptography, CRYPTO-CHINA'92, pp. 87-104. (in Chinese) 24. H. Zhang, Z. Qin, et al., \The software implementation of FA public key cryptosystem", in Proc. of the Second National Conference on Cryptography, CRYPTOCHINA'92, pp. 105-109. (in Chinese) 25. X. Zhu, \On the structure of binary feedforward inverses with delay 2", J. of Computer Science and Technology, Vol. 4, No. 2, 1989, pp. 163-171.

Appendix

The algorithm for nding P was originally described in [17] as \Ra-Rb algorithm". P actually is a sequence of linear row transformations. We use the following example with r = 2 to show how the algorithm works. First operatea row transformation so that A0 is changed to a matrix B whose rst several rows are linear indepedent and the rest rows are all zero.

0   1 upperB allzero allzero 0 1 B 1 0 (1) B C  allzero   allzero   allzero  C A0 (0) (0) B (0) (0) B C upperC upperB allzero C @ A1 A0 (0) A ) @ C B (0) A = B B lowerC   allzero   allzero  C (2) B  A2 A1 A0 D C B @ upperD upperC upperB C A lowerD

lowerC

allzero

(3)

Then we operate the following row transformations to the above 0 0 matrix: shift 1 A0 (0) (0) (3) to (2), (2) to (1) and (1) to (3). Now we get a new matrix @ A01 A00 (0) A,

A2;2 A2;1 A2;0

where A2;2 , A2;1 and A2;0 satisfy(6) in Section 2. Next, we continue applying the 00 (0) (0)  A same procedure to the matrix A01 A00 (0) . Then we obtain the nal matrix we want.

This article was processed using the LaTEX macro package with LLNCS style