A variant of the public key cryptosystem FAPKC3∗

Renji Tao and Shihua Chen†
Institute of Software, Academia Sinica, Beijing 100080, People's Republic of China

Journal of Network and Computer Applications (1997) 20, 283–303

In this paper a public key cryptosystem based on automata theory, FAPKC4, is proposed which can be used both for encryption and implementation of digital signatures; this system is similar to FAPKC3 in every respect. © 1997 Academic Press Limited

1. Introduction

Diffie and Hellman [1] introduced the concept of public key cryptosystems. Many concrete schemes have been proposed and have found important applications in the area of information security. Among others, there are several public key cryptosystems based on finite automata theory, such as FAPKC0 in Tao and Chen [2], FAPKC1 and FAPKC2 in Tao and Chen [3], FAPKC93 in Gao [4], FAPKC3 in Tao et al. [5] and a special case of FAPKC2 in Bao and Igarashi [6]. These finite automaton public key cryptosystems (FAPKCs) possess merits such as fast speed, a relatively short public key, capability of digital signature, etc. FAPKCs have received extensive attention [4,6–16].¹

A user's public key in an FAPKC consists of a compound of two finite automata which possess some invertibility, together with initial states. In FAPKC0, FAPKC1, FAPKC2 and FAPKC93, one of the finite automata is linear and the other is non-linear. In FAPKC0, FAPKC1 and FAPKC93, the delay step of the non-linear finite automaton is 0. Recently, it was discovered that FAPKC0, FAPKC1 and FAPKC93 are insecure with respect to digital signatures [17] as well as with respect to encryption [6,13,17]. In general, FAPKC2 is secure against the attacks in [6,13,17], but Bao and Igarashi's key-generating scheme of FAPKC2 [6] is insecure because it cannot resist the linear $R_a$, $R_b$ attack [18]. FAPKC3's key generator selects the automata in the user's key by means of linear and/or non-linear $R_a$, $R_b$ transformations and their inverse transformations, and sieves out any key in which the compound automaton's weak inverse can be found by the linear $R_a$, $R_b$ transformation method [5,18]. So FAPKC3 can resist the linear $R_a$, $R_b$ attack. It follows from the results in Tao [18] and Wang [19] that FAPKC3 can resist the attack of the reduced echelon matrix, and from the results in Tao and Feng [20] that it can resist the attack of a canonical diagonal form of a k-matrix. Notice that we may generate the automata in a user's key of FAPKC2 by the same method as for FAPKC3, so that for such user's keys FAPKC2 is secure as well.

In this paper, we propose a finite automaton public key cryptosystem FAPKC4. FAPKC4 and FAPKC3 are similar in structure and their main difference is the choice of the second component automaton in the public key. They may be considered as dual FAPKCs. We will see that in the case $k_0=0$ of FAPKC4 some components of the initial state are free to be assigned values in encryption and signing. This provides some convenience in some applications.

In the next section we first explain some basic concepts in automata theory and mention some results used later. In Section 3 we give the basic algorithm of a new variant of the finite automaton public key cryptosystem, FAPKC4, and prove its correctness for encryption and signing. The generation method of the finite automata in FAPKC4 is described in Section 4. Finally, Section 5 discusses briefly the application of FAPKC.

∗ Supported by the National Natural Science Foundation of China.
† E-mail: [email protected] [email protected]
¹ In Dai [15, p. 88], an equivalent definition of weak inverse with delay $\tau$ of an input-memory finite automaton is mentioned without proof. It would seem that a proof of equivalence of the two definitions is non-existent, or at least non-trivial, from the viewpoint of mathematical logic. The correctness of several propositions depends on this equivalence, but no proof of any proposition is given in Dai [15]. Notice that the main result in Dai [15], that both encryption and signature of a kind of weak key of FAPKC3 are insecure, can be immediately deduced from Tao [18] using the result of Qin and Zhang [14].

1084–8045/97/030283+21 $25.00/0

2. Preliminary

2.1 Invertibility of finite automata

Recall some definitions. A finite automaton (or sequential machine) $M$ is a quintuple $\langle X, Y, S, \delta, \lambda\rangle$, where $X$ is a non-empty finite set (the input alphabet of $M$), $Y$ a non-empty finite set (the output alphabet of $M$), $S$ a non-empty finite set (the state alphabet of $M$), $\delta: S\times X\to S$ a single-valued mapping (the next state function of $M$) and $\lambda: S\times X\to Y$ a single-valued mapping (the output function of $M$). For any set $A$, denote by $A^*$ the set of all words (finite sequences) over $A$ including the empty word $\varepsilon$, and by $A^\omega$ the set of all infinite-length words (infinite sequences) over $A$. Expand the domains of $\delta$ and $\lambda$ to $S\times X^*$ and $S\times(X^*\cup X^\omega)$, respectively, as follows:

$\delta(s,\varepsilon)=s,\quad \delta(s,x\alpha)=\delta(\delta(s,x),\alpha),$
$\lambda(s,\varepsilon)=\varepsilon,\quad \lambda(s,x\alpha')=\lambda(s,x)\,\lambda(\delta(s,x),\alpha'),$

for $s\in S$, $x\in X$, $\alpha\in X^*$, $\alpha'\in X^*\cup X^\omega$. In other words, on an initial state $s(0)$ of $M$ an input sequence $x(0),x(1),\ldots$ of $M$ causes a state sequence $s(0),s(1),\ldots$ of $M$ and an output sequence $y(0),y(1),\ldots$ of $M$ according to

$s(i+1)=\delta(s(i),x(i)),\quad y(i)=\lambda(s(i),x(i)),\quad i=0,1,\ldots.$

Let $M=\langle X,Y,S,\delta,\lambda\rangle$ and $M'=\langle Y,X,S',\delta',\lambda'\rangle$ be two finite automata, and $\tau$ a non-negative integer. In his seminal paper [21] D. A. Huffman introduced the concept of $\tau$-order information losslessness, which we call weak invertibility with delay $\tau$ [22]. $M$ is said to be weakly invertible with delay $\tau$ (or $\tau$-order information-lossless) if for any $s$ in $S$ and $x_i$ in $X$, $i=0,1,\ldots,\tau$, $x_0$ can be uniquely determined by $s$ and $\lambda(s,x_0\cdots x_\tau)$. For any states $s\in S$ and $s'\in S'$, if for any $\alpha\in X^\omega$ there exists $\alpha_0\in X^*$ of length $\tau$ such that $\lambda'(s',\lambda(s,\alpha))=\alpha_0\alpha$, then $(s',s)$ is said to be a match pair with delay $\tau$, or we say that $s'$ matches $s$ with delay $\tau$. $M'$ is said to be a weak inverse with delay $\tau$ of $M$ if for any $s$ in $S$ there exists $s'$ in $S'$ such that $(s',s)$ is a match pair with delay $\tau$. It is well known that $M$ is weakly invertible with delay $\tau$ if and only if there exists a finite automaton $M'$ such that $M'$ is a weak inverse with delay $\tau$ of $M$.

2.2 Compound finite automata

If $\varphi$ is a mapping from $Y^k\times X^{h+1}$ to $Y$, and if a finite automaton $M=\langle X,Y,Y^k\times X^h,\delta,\lambda\rangle$ can be defined by

$y(i)=\varphi(y(i-1),\ldots,y(i-k),x(i),\ldots,x(i-h)),\quad i=0,1,\ldots,$

i.e.

$\delta(\langle y_{-1},\ldots,y_{-k},x_{-1},\ldots,x_{-h}\rangle,x_0)=\langle y_0,\ldots,y_{-k+1},x_0,\ldots,x_{-h+1}\rangle,$
$\lambda(\langle y_{-1},\ldots,y_{-k},x_{-1},\ldots,x_{-h}\rangle,x_0)=y_0,$
$y_0=\varphi(y_{-1},\ldots,y_{-k},x_0,x_{-1},\ldots,x_{-h}),$

then $M$ is said to be an $(h,k)$-order memory finite automaton, denoted by $M_\varphi$. In the case $k=0$, $M_\varphi$ is said to be an $h$-order input memory finite automaton.

For any two finite automata $M_i=\langle X_i,Y_i,S_i,\delta_i,\lambda_i\rangle$, $i=1,2$, with $Y_1=X_2$, denote by $C(M_1,M_2)$ the superposition of $M_1$ and $M_2$, i.e. the finite automaton $\langle X_1,Y_2,S_1\times S_2,\delta,\lambda\rangle$, where

$\delta(\langle s_1,s_2\rangle,x)=\langle\delta_1(s_1,x),\delta_2(s_2,\lambda_1(s_1,x))\rangle,\quad \lambda(\langle s_1,s_2\rangle,x)=\lambda_2(s_2,\lambda_1(s_1,x)),\quad s_1\in S_1,\ s_2\in S_2,\ x\in X_1.$

In Tao and Chen [2] another kind of combination of finite automata, $C'(M_1,M_2)$, is defined. Let $g$ be a mapping from $U^r\times V^{p+1}$ to $U$, and $f$ a mapping from $W^{t+1}$ to $V$. $C'(M_f,M_g)$ is the $(p+t,r)$-order memory finite automaton defined by

$u(i)=g(u(i-1),\ldots,u(i-r),f(w(i),\ldots,w(i-t)),\ldots,f(w(i-p),\ldots,w(i-p-t))),\quad i=0,1,\ldots.$

For any two finite automata $M_i=\langle X_i,Y_i,S_i,\delta_i,\lambda_i\rangle$, $i=1,2$, with $X_1=X_2$, states $s_1\in S_1$ and $s_2\in S_2$ are said to be equivalent if $\lambda_1(s_1,\alpha)=\lambda_2(s_2,\alpha)$ holds for any $\alpha\in X_1^*$.

Theorem 1 [2]. Let $s=\langle u_{-1},\ldots,u_{-r},w_{-1},\ldots,w_{-p-t}\rangle$ be a state of $C'(M_f,M_g)$. Let $s_f=\langle w_{-1},\ldots,w_{-t}\rangle$ and $s_g=\langle u_{-1},\ldots,u_{-r},v_{-1},\ldots,v_{-p}\rangle$, where $v_i=f(w_i,\ldots,w_{i-t})$, $i=-1,\ldots,-p$. Then the state $\langle s_f,s_g\rangle$ of $C(M_f,M_g)$ and $s$ are equivalent.

3. Basic algorithm of FAPKC4

In this section, we propose a public key cryptosystem called FAPKC4. This system is sequential. Each user in this system has a pair of keys, one public to all users and the other secret. The public key consists of a finite automaton and two initial states, for encryption and for verification of signatures, respectively. The finite automaton in the public key is a compound of a memory finite automaton and an input memory finite automaton. The secret key consists of two memory finite automata and their initial states, for decryption and signing. Each finite automaton of the secret key is a weak inverse of the corresponding component automaton of the public key, and vice versa. One can choose such finite automata and initial states according to methods or algorithms offered by the invertibility theory of finite automata [23]. In this system, plaintexts, ciphertexts, messages to be signed and signatures are sequences over an alphabet which consists of all $l$-tuples of some $q$-symbol set (for example, all 8-bit bytes for $l=8$ and $q=2$) and is uniform for all users. The ciphertext of a plaintext is a few digits (the delay step) longer than the plaintext. The ciphertext sent to a user is the output of the finite automaton in that user's public key, started from the initial state in that public key, when fed the plaintext. For decryption, the receiver first computes an intermediate sequence from the ciphertext by one finite automaton and the corresponding initial state in their secret key, then retrieves the plaintext from the intermediate sequence by the other finite automaton and its initial state in their secret key. A user's signature of a message is obtained in the same way as decryption, except that the signer first extends the message by some digits (as many as the delay step). Verifying the validity of a signature is similar to encryption.
Take the alphabets $X$ and $Y$ to be the column vector spaces over $GF(q)$ of dimensions $l$ and $m$, respectively. To construct a public key cryptosystem, choose a common $q$ and $l$, and take $m=l$ for the sake of digital signature. In other words, all users use the same alphabet to communicate with each other. A user, say A, chooses their own public key and secret key as follows.

(1) Construct an $(h_0,k_0)$-order memory finite automaton $M_0^*=\langle Y,X,S_0^*,\delta_0^*,\lambda_0^*\rangle$ and a $(\tau_0+k_0,h_0)$-order memory finite automaton $M_0=\langle X,Y,S_0,\delta_0,\lambda_0\rangle$ satisfying the following conditions:

(a) For any state $s_0=\langle y_{-1},\ldots,y_{-h_0},x'_{-1},\ldots,x'_{-k_0-\tau_0}\rangle$ of $M_0$ which is in $\{\delta_0(s,x'_0\cdots x'_{\tau_0-1})\mid s\in S_0,\ x'_0,\ldots,x'_{\tau_0-1}\in X\}$ in the case $k_0>0$, and for any $x'_0,x'_1,\ldots$ in $X$, if $y_0y_1\cdots=\lambda_0(s_0,x'_0x'_1\cdots)$, then

$\lambda_0^*(s_0^*,y_{\tau_0}y_{\tau_0+1}\cdots)=x'_0x'_1\cdots,$

where $s_0^*=\langle x'_{-1},\ldots,x'_{-k_0},y_{\tau_0-1},\ldots,y_{\tau_0-h_0}\rangle$;

(b) For any state $s_0^*=\langle x'_{-1},\ldots,x'_{-k_0},y_{-1},\ldots,y_{-h_0}\rangle$ of $M_0^*$ and for any $y_0,y_1,\ldots$ in $Y$, if $x'_0x'_1\cdots=\lambda_0^*(s_0^*,y_0y_1\cdots)$, then

$\lambda_0(s_0,x'_{\tau_0}x'_{\tau_0+1}\cdots)=y_0y_1\cdots,$

where $s_0=\langle y_{-1},\ldots,y_{-h_0},x'_{\tau_0-1},\ldots,x'_{-k_0}\rangle$.

(2) Construct an $h_1$-order input memory finite automaton $M_1=\langle X,X,S_1,\delta_1,\lambda_1\rangle$ and a $(\tau_1,h_1)$-order memory finite automaton $M_1^*=\langle X,X,S_1^*,\delta_1^*,\lambda_1^*\rangle$ satisfying the following conditions:

(a) For any state $s_1=\langle x_{-1},\ldots,x_{-h_1}\rangle$ of $M_1$ and any $x_0,x_1,\ldots$ in $X$, if $x'_0x'_1\cdots=\lambda_1(s_1,x_0x_1\cdots)$, then

$\lambda_1^*(s^*_{\tau_1},x'_{\tau_1}x'_{\tau_1+1}\cdots)=x_0x_1\cdots,$

where $s^*_{\tau_1}=\langle x_{-1},\ldots,x_{-h_1},x'_{\tau_1-1},\ldots,x'_0\rangle$.

(b) For any state $s_1^*=\langle x_{-1},\ldots,x_{-h_1},x'_{-1},\ldots,x'_{-\tau_1}\rangle$ of $M_1^*$ and for any $x'_0,x'_1,\ldots$ in $X$, if $x_0x_1\cdots=\lambda_1^*(s_1^*,x'_0x'_1\cdots)$, then

$\lambda_1(\langle x_{\tau_1-1},\ldots,x_{\tau_1-h_1}\rangle,x_{\tau_1}x_{\tau_1+1}\cdots)=x'_0x'_1\cdots.$

(3) Construct the finite automaton $C'(M_1,M_0)=\langle X,Y,S,\delta,\lambda\rangle$ from $M_1$ and $M_0$.

(4) Case $k_0>0$: Choose arbitrary $y_{-1,s},\ldots,y_{-k_0,s}$ in $Y$, an arbitrary state $s^0_{-k_0}=\langle x''_{-k_0-1,s},\ldots,x''_{-2k_0,s},y_{-k_0-1,s},\ldots,y_{-k_0-h_0,s}\rangle$ of $M_0^*$ and an arbitrary state $s^1_{-k_0}=\langle x_{-k_0-1,s},\ldots,x_{-k_0-h_1,s},x'_{-k_0-1,s},\ldots,x'_{-k_0-\tau_1,s}\rangle$ of $M_1^*$. Compute

$x'_{-k_0,s}\cdots x'_{-1,s}=\lambda_0^*(s^0_{-k_0},y_{-k_0,s}\cdots y_{-1,s})$ and $x_{-k_0,s}\cdots x_{-1,s}=\lambda_1^*(s^1_{-k_0},x'_{-k_0,s}\cdots x'_{-1,s}).$

Put

$s_v^{\mathrm{out}}=\langle y_{-1,s},\ldots,y_{-h_0,s}\rangle,\quad s_v^{\mathrm{in}}=\langle x_{-1,s},\ldots,x_{-k_0-h_1+\tau_1,s}\rangle$

and

$s_{0,s}^{\mathrm{out}}=\langle x'_{-1,s},\ldots,x'_{-k_0,s}\rangle,\quad s_{1,s}=\langle x_{-1,s},\ldots,x_{-h_1,s},x'_{-1,s},\ldots,x'_{-\tau_1,s}\rangle.$

Choose arbitrary $x_{-\tau_0,e},\ldots,x_{-1,e}$ in $X$ and an arbitrary state $s_{-\tau_0}=\langle y_{-\tau_0-1,e},\ldots,y_{-\tau_0-h_0,e},x_{-\tau_0-1,e},\ldots,x_{-2\tau_0-k_0-h_1,e}\rangle$ of $C'(M_1,M_0)$. Compute

$y_{-\tau_0,e}\cdots y_{-1,e}=\lambda(s_{-\tau_0},x_{-\tau_0,e}\cdots x_{-1,e}),$

and put

$s_e^{\mathrm{out}}=\langle y_{-1,e},\ldots,y_{-h_0,e}\rangle,\quad s_e^{\mathrm{in}}=\langle x_{-1,e},\ldots,x_{-\tau_0-k_0-h_1,e}\rangle.$

Compute $x'_{-k_0,e}\cdots x'_{-1,e}=\lambda_1(\langle x_{-k_0-1,e},\ldots,x_{-k_0-h_1,e}\rangle,x_{-k_0,e}\cdots x_{-1,e})$ and put $s_{0,d}^{\mathrm{out}}=\langle x'_{-1,e},\ldots,x'_{-k_0,e}\rangle$.

Case $k_0=0$: Choose arbitrary $y_{-1,s},\ldots,y_{-h_0,s}$ in $Y$ and arbitrary $x_{-1,s},\ldots,x_{-h_1+\tau_1,s}$ in $X$. Put

$s_v^{\mathrm{out}}=\langle y_{-1,s},\ldots,y_{-h_0,s}\rangle,\quad s_v^{\mathrm{in}}=\langle x_{-1,s},\ldots,x_{-h_1+\tau_1,s}\rangle.$

Choose arbitrary $x_{-1,e},\ldots,x_{-h_1,e}$ in $X$ and arbitrary $y_{-1,e},\ldots,y_{-h_0+\tau_0,e}$ in $Y$. Put

$s_e^{\mathrm{out}}=\langle y_{-1,e},\ldots,y_{-h_0+\tau_0,e}\rangle,\quad s_e^{\mathrm{in}}=\langle x_{-1,e},\ldots,x_{-h_1,e}\rangle.$

(5) The public key of the user A is

$C'(M_1,M_0),\ s_v^{\mathrm{out}},\ s_v^{\mathrm{in}},\ s_e^{\mathrm{out}},\ s_e^{\mathrm{in}},\ \tau_0+\tau_1.$

The secret key of the user A is

$M_0^*,\ M_1^*,\ s_{0,s}^{\mathrm{out}},\ s_{1,s},\ s_{0,d}^{\mathrm{out}},\ \tau_0,\ \tau_1$

in the case $k_0>0$, or $M_0^*,\ M_1^*,\ \tau_0,\ \tau_1$ in the case $k_0=0$.

Encryption. Any user, say B, who wants to send a plaintext $x_0\cdots x_n$ to the user A in secret, first suffixes any $\tau_0+\tau_1$ digits, say $x_{n+1}\cdots x_{n+\tau_0+\tau_1}$, to the plaintext. Then, using A's public key $C'(M_1,M_0)$, $s_e^{\mathrm{out}}$ and $s_e^{\mathrm{in}}$, B computes the ciphertext $y_0\cdots y_{n+\tau_0+\tau_1}$ as follows:

$y_0\cdots y_{n+\tau_0+\tau_1}=\lambda(s_e,x_0\cdots x_{n+\tau_0+\tau_1}),$

where $s_e=\langle y_{-1,e},\ldots,y_{-h_0,e},x_{-1,e},\ldots,x_{-\tau_0-k_0-h_1,e}\rangle$, and, in the case $k_0=0$, $y_{-h_0+\tau_0-1,e},\ldots,y_{-h_0,e}$ in $Y$ and $x_{-h_1-1,e},\ldots,x_{-\tau_0-k_0-h_1,e}$ in $X$ are arbitrarily chosen.

Decryption. From the ciphertext $y_0\cdots y_{n+\tau_0+\tau_1}$, A can retrieve the plaintext using their secret key as follows. First, using $M_0^*$ (and $s_{0,d}^{\mathrm{out}}$ in the case $k_0>0$) in their secret key and $y_{-1,e},\ldots,y_{-h_0+\tau_0,e}$ in their public key, A computes

$x'_0\cdots x'_{n+\tau_1}=\lambda_0^*(\langle x'_{-1,e},\ldots,x'_{-k_0,e},y_{\tau_0-1},\ldots,y_0,y_{-1,e},\ldots,y_{-h_0+\tau_0,e}\rangle,y_{\tau_0}\cdots y_{n+\tau_0+\tau_1}).$

Then, using $M_1^*$ in their secret key and $x_{-1,e},\ldots,x_{-h_1,e}$ in their public key, A retrieves the plaintext:

$x_0\cdots x_n=\lambda_1^*(\langle x_{-1,e},\ldots,x_{-h_1,e},x'_{\tau_1-1},\ldots,x'_0\rangle,x'_{\tau_1}\cdots x'_{n+\tau_1}).$

Signing. The user A, to sign a message $y_0\cdots y_n$, first suffixes any $\tau_0+\tau_1$ digits, say $y_{n+1}\cdots y_{n+\tau_0+\tau_1}$, to the message. Then, using their secret key $M_0^*$, $M_1^*$, $s_{0,s}^{\mathrm{out}}$ and $s_{1,s}$ (in the case $k_0>0$) and their public key, A computes the signature $x_0\cdots x_{n+\tau_0+\tau_1}$ as follows:

$x_0\cdots x_{n+\tau_0+\tau_1}=\lambda_1^*(s_1,\lambda_0^*(s_0,y_0\cdots y_{n+\tau_0+\tau_1})),$

where $s_0=\langle x'_{-1,s},\ldots,x'_{-k_0,s},y_{-1,s},\ldots,y_{-h_0,s}\rangle$ and $s_1=s_{1,s}$ in the case $k_0>0$, and $s_0=\langle y_{-1,s},\ldots,y_{-h_0,s}\rangle$ and $s_1=\langle x_{-1,s},\ldots,x_{-h_1+\tau_1,s},\bar x_{-h_1+\tau_1-1},\ldots,\bar x_{-h_1},\bar x'_{-1},\ldots,\bar x'_{-\tau_1}\rangle$ in the case $k_0=0$, where the $\bar x_j$, $\bar x'_j$ are arbitrarily chosen.

Validation. Any user, say B, can verify the validity of the signature $x_0\cdots x_{n+\tau_0+\tau_1}$ as follows. Using $C'(M_1,M_0)$, $s_v^{\mathrm{out}}$ and $s_v^{\mathrm{in}}$ in A's public key, B computes $\lambda(s_v,x_{\tau_0+\tau_1}\cdots x_{n+\tau_0+\tau_1})$, which should coincide with the message $y_0\cdots y_n$, where

$s_v=\langle y_{-1,s},\ldots,y_{-h_0,s},x_{\tau_0+\tau_1-1},\ldots,x_0,x_{-1,s},\ldots,x_{-k_0-h_1+\tau_1,s}\rangle.$
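The procedure above (steps (1) to (5) and the four operations), together with the state equivalence of Theorem 1 in Section 2, traced in working code. This is an added example and not code from the paper: the two component automata and their weak inverses are constructed here for illustration (a nibble split masked by a small nonlinear table, chosen so that each is weakly invertible with delay 1), not generated by the $R_a$, $R_b$ method of Section 4, and the parameters $q=2$, $l=m=8$, $k_0=0$, $h_0=h_1=1$, $\tau_0=\tau_1=1$ are this example's assumptions; the sample message, pads and initial-state values are constructed. Anyone can invert these components, so the example shows data flow and correctness, not a usable key.

```python
# Added example, not from the paper: a toy run of the FAPKC4 procedure of
# Section 3 with q = 2, l = m = 8 (bytes), k0 = 0, h0 = h1 = 1, tau0 = tau1 = 1.
# The component automata are CONSTRUCTED here, not produced by the paper's
# R_a, R_b generator: M1 and M0* emit the high nibble of the current symbol at
# once and the low nibble one step later, masked with a nonlinear table of the
# previous symbol, so each is weakly invertible with delay 1 by design, and
# M1*, M0 are their weak inverses.  Anyone can invert them: NOT a secure key.

S = [((n * n * n + 7 * n + 1) * 37) & 0xFF for n in range(16)]   # table for M1 / M1*
T = [((n * n + 5 * n + 3) * 91) & 0xFF for n in range(16)]       # table for M0* / M0
TAU = 2   # tau0 + tau1: ciphertexts and signatures are this many symbols longer

def f1(x_i, x_im1):
    """M1 (h1 = 1 input memory, X -> X): x'(i) = f1(x(i), x(i-1))."""
    return ((x_i & 0xF0) | (x_im1 & 0x0F)) ^ S[x_im1 >> 4]

def f1_inv(x_im1, xp_i, xp_ip1):
    """M1* ((tau1, h1) = (1, 1)-order memory): x(i) from x(i-1), x'(i), x'(i+1)."""
    hi = (xp_i ^ S[x_im1 >> 4]) & 0xF0
    return hi | ((xp_ip1 ^ S[hi >> 4]) & 0x0F)

def g0_inv(y_i, y_im1):
    """M0* (h0 = 1 input memory, Y -> X, secret): x'(i) = g(y(i), y(i-1))."""
    return ((y_i & 0xF0) | (y_im1 & 0x0F)) ^ T[y_im1 >> 4]

def phi0(y_im1, xp_i, xp_im1):
    """M0 ((tau0 + k0, h0) = (1, 1)-order memory), the weak inverse of M0* used in
    the public key: y(i) = phi0(y(i-1), x'(i), x'(i-1))."""
    hi = (xp_im1 ^ T[y_im1 >> 4]) & 0xF0
    return hi | ((xp_i ^ T[hi >> 4]) & 0x0F)

def compound_run(state, xs):
    """Public automaton C'(M1, M0), (h0 + h1, tau0 + k0) = (2, 1)-order memory,
    from state <y(-1), x(-1), x(-2)> on x(0) x(1) ..."""
    y_prev, x1, x2 = state
    ys = []
    for x in xs:
        y = phi0(y_prev, f1(x, x1), f1(x1, x2))
        ys.append(y)
        y_prev, x1, x2 = y, x, x1
    return ys

def superposition_run(state, xs):
    """Superposition C(M1, M0) from <s_f, s_g>, s_f = <x(-1)>, s_g = <y(-1),
    f1(x(-1), x(-2))>; by Theorem 1 it produces the same output as compound_run."""
    y_prev, x1, x2 = state
    xp_prev, ys = f1(x1, x2), []
    for x in xs:
        xp = f1(x, x1)                    # M1 step
        y = phi0(y_prev, xp, xp_prev)     # M0 step on M1's output
        ys.append(y)
        y_prev, x1, xp_prev = y, x, xp
    return ys

def encrypt(pub_x_m1, plaintext, pad, y_m1, x_m2):
    """B: suffix tau0 + tau1 arbitrary symbols and run A's public automaton.  With
    k0 = 0 the public key fixes only x(-1); y(-1) and x(-2) are the sender's choice."""
    assert len(pad) == TAU
    return compound_run((y_m1, pub_x_m1, x_m2), list(plaintext) + list(pad))

def decrypt(pub_x_m1, ciphertext):
    """A: M0* from <y(0)> on y(1).. gives x'(0)..x'(n+1); then M1* from <x(-1), x'(0)>
    on x'(1).. gives x(0)..x(n).  The sender's free state components are not needed."""
    y = ciphertext
    xp = [g0_inv(y[j + 1], y[j]) for j in range(len(y) - 1)]
    xs, x_prev = [], pub_x_m1
    for j in range(len(xp) - 1):
        x_prev = f1_inv(x_prev, xp[j], xp[j + 1])
        xs.append(x_prev)
    return xs

def sign(y_m1_s, message, pad, xbar_m1, xpbar_m1):
    """A: suffix tau0 + tau1 symbols, run M0* from s_0 = <y(-1,s)>, then M1* from
    the fully free state s_1 = <xbar(-1), xbar'(-1)> (the k0 = 0 case)."""
    assert len(pad) == TAU
    ys = [y_m1_s] + list(message) + list(pad)
    xp = [g0_inv(ys[j + 1], ys[j]) for j in range(len(ys) - 1)]   # x'(0)..x'(n+2)
    sig, x_prev, xp_prev = [], xbar_m1, xpbar_m1
    for v in xp:
        x_prev = f1_inv(x_prev, xp_prev, v)
        sig.append(x_prev)
        xp_prev = v
    return sig

def verify(y_m1_s, signature):
    """B: run the public automaton from s_v = <y(-1,s), x(1), x(0)> on x(2) x(3) ...;
    for a valid signature the output is the message."""
    return compound_run((y_m1_s, signature[1], signature[0]), signature[2:])

def demo():
    pub_x_m1, y_m1_s = 0x3C, 0xA5      # s_e^in and s_v^out of A's public key (constructed)
    msg = list(b"attack at dawn")     # constructed sample message
    ct = encrypt(pub_x_m1, msg, [0x00, 0x00], y_m1=0x77, x_m2=0x11)
    sig = sign(y_m1_s, msg, [0xFF, 0x01], xbar_m1=0x42, xpbar_m1=0x99)
    thm1 = compound_run((0x77, pub_x_m1, 0x11), msg) == superposition_run((0x77, pub_x_m1, 0x11), msg)
    return len(ct) - len(msg), decrypt(pub_x_m1, ct) == msg, verify(y_m1_s, sig) == msg, thm1
```

`demo()` returns `(2, True, True, True)`: the expansion is $\tau_0+\tau_1$ symbols, decryption and verification both reproduce the message, and $C'(M_1,M_0)$ started from $\langle y_{-1},x_{-1},x_{-2}\rangle$ agrees with $C(M_1,M_0)$ started from $\langle\langle x_{-1}\rangle,\langle y_{-1},f_1(x_{-1},x_{-2})\rangle\rangle$ as Theorem 1 states. With $k_0=0$ the public key fixes only $x_{-1,e}$ for encryption and $y_{-1,s}$ for verification; `encrypt` lets the sender pick $y_{-1,e}$ and $x_{-2,e}$ freely and `decrypt` never needs them, which is the convenience the paper attributes to this case. Note that `verify` has no separate accept/reject bit: the check is the comparison of its output with the message actually received.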

The correctness of the above encryption/decryption is due to the following theorem.

Theorem 2. Let $M_0=\langle X,Y,S_0,\delta_0,\lambda_0\rangle$ be a $(\tau_0+k_0,h_0)$-order memory finite automaton and $M_0^*=\langle Y,X,S_0^*,\delta_0^*,\lambda_0^*\rangle$ an $(h_0,k_0)$-order memory finite automaton satisfying the following condition: for any state $s_0=\langle y_{-1},\ldots,y_{-h_0},x'_{-1},\ldots,x'_{-k_0-\tau_0}\rangle$ of $M_0$ which is in $S_{\tau_0}=\{\delta_0(s,x'_0\cdots x'_{\tau_0-1})\mid s\in S_0,\ x'_0,\ldots,x'_{\tau_0-1}\in X\}$ in the case $k_0>0$, and for any $x'_0,x'_1,\ldots$ in $X$, if $y_0y_1\cdots=\lambda_0(s_0,x'_0x'_1\cdots)$, then $\lambda_0^*(s_0^*,y_{\tau_0}y_{\tau_0+1}\cdots)=x'_0x'_1\cdots$, where $s_0^*=\langle x'_{-1},\ldots,x'_{-k_0},y_{\tau_0-1},\ldots,y_{\tau_0-h_0}\rangle$. Let $M_1=\langle X,X,S_1,\delta_1,\lambda_1\rangle$ be an $h_1$-order input memory finite automaton and $M_1^*=\langle X,X,S_1^*,\delta_1^*,\lambda_1^*\rangle$ a $(\tau_1,h_1)$-order memory finite automaton satisfying the condition: for any state $s_1=\langle x_{-1},\ldots,x_{-h_1}\rangle$ of $M_1$ and any $x_0,x_1,\ldots$ in $X$, if $x'_0x'_1\cdots=\lambda_1(s_1,x_0x_1\cdots)$, then $\lambda_1^*(\langle x_{-1},\ldots,x_{-h_1},x'_{\tau_1-1},\ldots,x'_0\rangle,x'_{\tau_1}x'_{\tau_1+1}\cdots)=x_0x_1\cdots$. Denote $C'(M_1,M_0)=\langle X,Y,S,\delta,\lambda\rangle$. Let $s=\langle y_{-1},\ldots,y_{-h_0},x_{-1},\ldots,x_{-\tau_0-k_0-h_1}\rangle$ be a state of $C'(M_1,M_0)$. Let

$x'_{-\tau_0-k_0}\cdots x'_{-1}=\lambda_1(\langle x_{-\tau_0-k_0-1},\ldots,x_{-\tau_0-k_0-h_1}\rangle,x_{-\tau_0-k_0}\cdots x_{-1}).\qquad(1)$

Let the state $s_0=\langle y_{-1},\ldots,y_{-h_0},x'_{-1},\ldots,x'_{-k_0-\tau_0}\rangle$ be in $S_{\tau_0}$ in the case $k_0>0$. For any $x_0,x_1,\ldots\in X$ and $y_0,y_1,\ldots\in Y$, if $y_0y_1\cdots=\lambda(s,x_0x_1\cdots)$, then

$\lambda_1^*(\langle x_{-1},\ldots,x_{-h_1},x'_{\tau_1-1},\ldots,x'_0\rangle,x'_{\tau_1}x'_{\tau_1+1}\cdots)=x_0x_1\cdots,$

where $x'_0x'_1\cdots=\lambda_0^*(\langle x'_{-1},\ldots,x'_{-k_0},y_{\tau_0-1},\ldots,y_{\tau_0-h_0}\rangle,y_{\tau_0}y_{\tau_0+1}\cdots)$.

Proof. Since equation (1) holds, from Theorem 1 the state $s$ of $C'(M_1,M_0)$ is equivalent to the state $\langle s_1,s_0\rangle$ of $C(M_1,M_0)$, where $s_1=\langle x_{-1},\ldots,x_{-h_1}\rangle$ and $s_0=\langle y_{-1},\ldots,y_{-h_0},x'_{-1},\ldots,x'_{-k_0-\tau_0}\rangle$. Denote

$x'_0x'_1\cdots=\lambda_1(s_1,x_0x_1\cdots).\qquad(2)$

Then we have

$y_0y_1\cdots=\lambda_0(s_0,x'_0x'_1\cdots).\qquad(3)$

From the hypothesis on $M_0$ and $M_0^*$, equation (3) yields $\lambda_0^*(\langle x'_{-1},\ldots,x'_{-k_0},y_{\tau_0-1},\ldots,y_{\tau_0-h_0}\rangle,y_{\tau_0}y_{\tau_0+1}\cdots)=x'_0x'_1\cdots$. From the hypothesis on $M_1$ and $M_1^*$, using equation (2), we then have $\lambda_1^*(\langle x_{-1},\ldots,x_{-h_1},x'_{\tau_1-1},\ldots,x'_0\rangle,x'_{\tau_1}x'_{\tau_1+1}\cdots)=x_0x_1\cdots$. $\square$

The correctness of signing/verification is due to the following theorem.

Theorem 3. Let $M_0=\langle X,Y,S_0,\delta_0,\lambda_0\rangle$ be a $(\tau_0+k_0,h_0)$-order memory finite automaton and $M_0^*=\langle Y,X,S_0^*,\delta_0^*,\lambda_0^*\rangle$ an $(h_0,k_0)$-order memory finite automaton satisfying the condition: for any state $s_0^*=\langle x'_{-1},\ldots,x'_{-k_0},y_{-1},\ldots,y_{-h_0}\rangle$ of $M_0^*$ and any $y_0,y_1,\ldots$ in $Y$, if $x'_0x'_1\cdots=\lambda_0^*(s_0^*,y_0y_1\cdots)$, then $\lambda_0(\langle y_{-1},\ldots,y_{-h_0},x'_{\tau_0-1},\ldots,x'_{-k_0}\rangle,x'_{\tau_0}x'_{\tau_0+1}\cdots)=y_0y_1\cdots$. Let $M_1=\langle X,X,S_1,\delta_1,\lambda_1\rangle$ be an $h_1$-order input memory finite automaton and $M_1^*=\langle X,X,S_1^*,\delta_1^*,\lambda_1^*\rangle$ a $(\tau_1,h_1)$-order memory finite automaton satisfying the condition: for any state $s_1^*=\langle x_{-1},\ldots,x_{-h_1},x'_{-1},\ldots,x'_{-\tau_1}\rangle$ of $M_1^*$ and any $x'_0,x'_1,\ldots$ in $X$, if $x_0x_1\cdots=\lambda_1^*(s_1^*,x'_0x'_1\cdots)$, then $\lambda_1(\langle x_{\tau_1-1},\ldots,x_{\tau_1-h_1}\rangle,x_{\tau_1}x_{\tau_1+1}\cdots)=x'_0x'_1\cdots$. Denote $C'(M_1,M_0)=\langle X,Y,S,\delta,\lambda\rangle$. In the case $k_0=0$, let $s_0=\langle y_{-1},\ldots,y_{-h_0}\rangle$ and $s_1=\langle x_{-1},\ldots,x_{-h_1+\tau_1},\bar x_{-h_1+\tau_1-1},\ldots,\bar x_{-h_1},\bar x'_{-1},\ldots,\bar x'_{-\tau_1}\rangle$ be arbitrary states of $M_0^*$ and $M_1^*$, respectively. In the case $k_0>0$, let $s_0=\langle x'_{-1},\ldots,x'_{-k_0},y_{-1},\ldots,y_{-h_0}\rangle$ and $s_1=\langle x_{-1},\ldots,x_{-h_1},x'_{-1},\ldots,x'_{-\tau_1}\rangle$ be states of $M_0^*$ and $M_1^*$, respectively, where

$s_0=\delta_0^*(s^0_{-k_0},y_{-k_0}\cdots y_{-1})\qquad(4)$

and

$s_1=\delta_1^*(s^1_{-k_0},x'_{-k_0}\cdots x'_{-1}),\qquad(5)$

for some $y_{-1},\ldots,y_{-k_0}$ in $Y$ and states $s^0_{-k_0}=\langle x''_{-k_0-1},\ldots,x''_{-2k_0},y_{-k_0-1},\ldots,y_{-k_0-h_0}\rangle$ of $M_0^*$ and $s^1_{-k_0}=\langle x_{-k_0-1},\ldots,x_{-k_0-h_1},x'_{-k_0-1},\ldots,x'_{-k_0-\tau_1}\rangle$ of $M_1^*$. For any $x_0,x_1,\ldots\in X$ and $y_0,y_1,\ldots\in Y$, if $x_0x_1\cdots=\lambda_1^*(s_1,\lambda_0^*(s_0,y_0y_1\cdots))$, then

$\lambda(\langle y_{-1},\ldots,y_{-h_0},x_{\tau_0+\tau_1-1},\ldots,x_{\tau_1-k_0-h_1}\rangle,x_{\tau_0+\tau_1}x_{\tau_0+\tau_1+1}\cdots)=y_0y_1\cdots.$

Proof. Assume that

$x'_0x'_1\cdots=\lambda_0^*(s_0,y_0y_1\cdots)\qquad(6)$

and $x_0x_1\cdots=\lambda_1^*(s_1,x'_0x'_1\cdots)$. In the case $k_0=0$, from the hypothesis on $M_1$ and $M_1^*$, we have

$\lambda_1(\langle x_{\tau_1-1},\ldots,x_{\tau_1-h_1}\rangle,x_{\tau_1}x_{\tau_1+1}\cdots)=x'_0x'_1\cdots.\qquad(7)$

It immediately follows that

$\lambda_1(s'_1,x_{\tau_0+\tau_1}x_{\tau_0+\tau_1+1}\cdots)=x'_{\tau_0}x'_{\tau_0+1}\cdots,\qquad(8)$

where $s'_1=\langle x_{\tau_0+\tau_1-1},\ldots,x_{\tau_0+\tau_1-h_1}\rangle$. In the case $k_0>0$, from equations (4) and (5), we have $x'_{-k_0}\cdots x'_{-1}=\lambda_0^*(s^0_{-k_0},y_{-k_0}\cdots y_{-1})$ and $x_{-k_0}\cdots x_{-1}=\lambda_1^*(s^1_{-k_0},x'_{-k_0}\cdots x'_{-1})$. It follows that

$x'_{-k_0}\cdots x'_{-1}x'_0x'_1\cdots=\lambda_0^*(s^0_{-k_0},y_{-k_0}\cdots y_{-1}y_0y_1\cdots)\qquad(9)$

and

$x_{-k_0}\cdots x_{-1}x_0x_1\cdots=\lambda_1^*(s^1_{-k_0},x'_{-k_0}\cdots x'_{-1}x'_0x'_1\cdots).\qquad(10)$

From the hypothesis on $M_1$ and $M_1^*$, using equation (10), we have

$\lambda_1(\langle x_{\tau_1-k_0-1},\ldots,x_{\tau_1-k_0-h_1}\rangle,x_{\tau_1-k_0}x_{\tau_1-k_0+1}\cdots)=x'_{-k_0}\cdots x'_{-1}x'_0x'_1\cdots.\qquad(11)$

It immediately follows that

$\lambda_1(s'_1,x_{\tau_0+\tau_1}x_{\tau_0+\tau_1+1}\cdots)=x'_{\tau_0}x'_{\tau_0+1}\cdots.\qquad(12)$

From the hypothesis on $M_0$ and $M_0^*$, using equation (6), we have

$\lambda_0(s'_0,x'_{\tau_0}x'_{\tau_0+1}\cdots)=y_0y_1\cdots,\qquad(13)$

where $s'_0=\langle y_{-1},\ldots,y_{-h_0},x'_{\tau_0-1},\ldots,x'_{-k_0}\rangle$. On the other hand, from equations (7) and (11), we have

$\lambda_1(\langle x_{\tau_1-k_0-1},\ldots,x_{\tau_1-k_0-h_1}\rangle,x_{\tau_1-k_0}\cdots x_{\tau_1+\tau_0-1})=x'_{-k_0}\cdots x'_{\tau_0-1}$

for $k_0\ge 0$. From Theorem 1, it follows that the state $s'=\langle y_{-1},\ldots,y_{-h_0},x_{\tau_0+\tau_1-1},\ldots,x_{\tau_1-k_0-h_1}\rangle$ of $C'(M_1,M_0)$ is equivalent to the state $\langle s'_1,s'_0\rangle$ of $C(M_1,M_0)$. From equations (8), (12) and (13), we have $\lambda(s',x_{\tau_0+\tau_1}x_{\tau_0+\tau_1+1}\cdots)=y_0y_1\cdots$. $\square$

4. On generation of keys

How to generate automata $M_i$ and $M_i^*$ satisfying conditions (a) and (b) in steps (1) or (2)? Reference [22] gave a solution in the linear case, but this is a difficult problem in the non-linear case. Fortunately, for the non-linear case, Tao and Chen [23] gave a generation method by $R_a$, $R_b$ transformation. We now give an introduction to this method.

Let $X$ and $Y$ be column vector spaces over $GF(q)$ of dimensions $l$ and $m$, respectively. Let $x(i)$ and $y(i)$ be column vectors over $GF(q)$ of dimensions $l$ and $m$, respectively. Let $\tau$ be a non-negative integer.

Rule $R_a$: Let $\mathrm{eq}_k(i)$ be an equation of the form

$f_k(x(i),\ldots,x(i-r),y(i+k),\ldots,y(i-t))=0,\qquad(14)$

where $f_k$ is a single-valued mapping from $X^{r+1}\times Y^{k+t+1}$ to $Y$. Let $u_k$ be a transformation on $\mathrm{eq}_k(i)$ and let $\mathrm{eq}'_k(i)$ be the result of the transformation, of the form

$f'_k(x(i),\ldots,x(i-r),y(i+k),\ldots,y(i-t))=0,\qquad(15)$

where $f'_k$ is a single-valued mapping from $X^{r+1}\times Y^{k+t+1}$ to $Y$. If $\mathrm{eq}_k(i)$ and $\mathrm{eq}'_k(i)$ are equivalent, then $\mathrm{eq}'_k(i)$ is said to be obtained from $\mathrm{eq}_k(i)$ by Rule $R_a$ using $u_k$, denoted by $\mathrm{eq}_k(i)\xrightarrow{R_a[u_k]}\mathrm{eq}'_k(i)$.

Rule $R_b$: Assume that $\mathrm{eq}'_k(i)$ is an equation of the form $f'_k(x(i),\ldots,x(i-r),y(i+k),\ldots,y(i-t))=0$ and that the last $m-r_{k+1}$ components of the left side of $\mathrm{eq}'_k(i)$ do not depend on $x(i)$, where $f'_k$ is a single-valued mapping from $X^{r+1}\times Y^{k+t+1}$ to $Y$. Let $\mathrm{eq}_{k+1}(i)$ be the equation

$\begin{bmatrix} E'_k\, f'_k(x(i),\ldots,x(i-r),y(i+k),\ldots,y(i-t)) \\ E''_k\, f'_k(x(i+1),\ldots,x(i+1-r),y(i+1+k),\ldots,y(i+1-t)) \end{bmatrix}=0,$

where $E'_k$ and $E''_k$ are the submatrices consisting of the first $r_{k+1}$ rows and of the last $m-r_{k+1}$ rows of the $m\times m$ identity matrix, respectively. Then $\mathrm{eq}_{k+1}(i)$ is said to be obtained from $\mathrm{eq}'_k(i)$ by Rule $R_b$, denoted by $\mathrm{eq}'_k(i)\xrightarrow{R_b[r_{k+1}]}\mathrm{eq}_{k+1}(i)$. Denote $\mathrm{eq}_j(i)\xrightarrow{R_a[u_j]}\mathrm{eq}'_j(i)$, $\mathrm{eq}'_j(i)\xrightarrow{R_b[r_{j+1}]}\mathrm{eq}_{j+1}(i)$, $j=0,1,\ldots,k$, by

$\mathrm{eq}_0(i)\xrightarrow{R_a[u_0]}\mathrm{eq}'_0(i)\xrightarrow{R_b[r_1]}\mathrm{eq}_1(i)\xrightarrow{R_a[u_1]}\cdots\xrightarrow{R_b[r_k]}\mathrm{eq}_k(i)\xrightarrow{R_a[u_k]}\mathrm{eq}'_k(i)\xrightarrow{R_b[r_{k+1}]}\mathrm{eq}_{k+1}(i).$

From Corollary 1 of Theorem 4 and Theorem 2 in Tao and Chen [23], we have:

Theorem 4. Let $M=\langle X,Y,Y^t\times X^r,\delta,\lambda\rangle$ be an $(r,t)$-order memory finite automaton over $GF(q)$ defined by

$y(i)=f(y(i-1),\ldots,y(i-t),x(i),\ldots,x(i-r)),\quad i=0,1,\ldots\qquad(16)$

with $m=l$. Let $\mathrm{eq}_0(i)$ be the equation

$-y(i)+f(y(i-1),\ldots,y(i-t),x(i),\ldots,x(i-r))=0\qquad(17)$

and

$\mathrm{eq}_0(i)\xrightarrow{R_a[u_0]}\mathrm{eq}'_0(i)\xrightarrow{R_b[r_1]}\mathrm{eq}_1(i)\xrightarrow{R_a[u_1]}\cdots\xrightarrow{R_b[r_{\tau-1}]}\mathrm{eq}_{\tau-1}(i)\xrightarrow{R_a[u_{\tau-1}]}\mathrm{eq}'_{\tau-1}(i)\xrightarrow{R_b[r_\tau]}\mathrm{eq}_\tau(i).$

Assume that for any parameters $x(i-1),\ldots,x(i-r),y(i+\tau),\ldots,y(i-t)$, $\mathrm{eq}_\tau(i)$ has a unique solution $x(i)$, denoted by $f^*_\tau(x(i-1),\ldots,x(i-r),y(i+\tau),\ldots,y(i-t))$. Let $M^*=\langle Y,X,X^r\times Y^{\tau+t},\delta^*,\lambda^*\rangle$ be the $(\tau+t,r)$-order memory finite automaton defined by

$x(i)=f^*_\tau(x(i-1),\ldots,x(i-r),y'(i),\ldots,y'(i-\tau-t)),\quad i=0,1,\ldots.\qquad(18)$

Then we have:

(a) For any state $s_0=\langle y(-1),\ldots,y(-t),x(-1),\ldots,x(-r)\rangle$ of $M$ and any $x(0),x(1),\ldots$ in $X$, if $y(0)y(1)\cdots=\lambda(s_0,x(0)x(1)\cdots)$, then $x(0)x(1)\cdots=\lambda^*(s^*_\tau,y(\tau)y(\tau+1)\cdots)$, where $s^*_\tau=\langle x(-1),\ldots,x(-r),y(\tau-1),\ldots,y(-t)\rangle$.

(b) For any state $s_0^*=\langle x(-1),\ldots,x(-r),y'(-1),\ldots,y'(-\tau-t)\rangle$ in $\{\delta^*(s^*,y_0\cdots y_{\tau-1})\mid s^*\in X^r\times Y^{\tau+t},\ y_0,\ldots,y_{\tau-1}\in Y\}$, and for any $y'(0),y'(1),\ldots$ in $Y$, if $x(0)x(1)\cdots=\lambda^*(s_0^*,y'(0)y'(1)\cdots)$, then $y'(-\tau)\cdots y'(-1)y'(0)y'(1)\cdots=\lambda(s_0,x(0)x(1)\cdots)$, where $s_0=\langle y'(-\tau-1),\ldots,y'(-\tau-t),x(-1),\ldots,x(-r)\rangle$.

In the case of input memory, from Theorem 5(b) and its Corollary 1 in Tao and Chen [23] we have:

Theorem 5. Let $M=\langle X,Y,X^r,\delta,\lambda\rangle$ be an $r$-order input memory finite automaton over $GF(q)$ defined by

$y(i)=f(x(i),\ldots,x(i-r)),\quad i=0,1,\ldots\qquad(19)$

with $m=l$. Let $\mathrm{eq}_0(i)$ be the equation $f(x(i),\ldots,x(i-r))-y(i)=0$ and

$\mathrm{eq}_0(i)\xrightarrow{R_a[u_0]}\mathrm{eq}'_0(i)\xrightarrow{R_b[r_1]}\mathrm{eq}_1(i)\xrightarrow{R_a[u_1]}\cdots\xrightarrow{R_b[r_{\tau-1}]}\mathrm{eq}_{\tau-1}(i)\xrightarrow{R_a[u_{\tau-1}]}\mathrm{eq}'_{\tau-1}(i)\xrightarrow{R_b[r_\tau]}\mathrm{eq}_\tau(i).\qquad(20)$

Assume that for any parameters $x(i-1),\ldots,x(i-r),y(i+\tau),\ldots,y(i)$, $\mathrm{eq}_\tau(i)$ has a unique solution $x(i)$, denoted by $f^*_\tau(x(i-1),\ldots,x(i-r),y(i+\tau),\ldots,y(i))$. Let $M^*=\langle Y,X,X^r\times Y^\tau,\delta^*,\lambda^*\rangle$ be the $(\tau,r)$-order memory finite automaton defined by

$x(i)=f^*_\tau(x(i-1),\ldots,x(i-r),y'(i),\ldots,y'(i-\tau)),\quad i=0,1,\ldots.\qquad(21)$

Then we have:

(a) For any state $s_0=\langle x(-1),\ldots,x(-r)\rangle$ and any infinite input sequence $x(0)x(1)\cdots$ of $M$, if $y(0)y(1)\cdots=\lambda(s_0,x(0)x(1)\cdots)$, then $\lambda^*(\langle x(-1),\ldots,x(-r),y(\tau-1),\ldots,y(0)\rangle,y(\tau)y(\tau+1)\cdots)=x(0)x(1)\cdots$.

(b) For any state $s_0^*=\langle x(-1),\ldots,x(-r),y'(-1),\ldots,y'(-\tau)\rangle$ and any infinite input sequence $y'(0)y'(1)\cdots$ of $M^*$, if $x(0)x(1)\cdots=\lambda^*(s_0^*,y'(0)y'(1)\cdots)$, then $y'(0)y'(1)\cdots=\lambda(\langle x(\tau-1),\ldots,x(\tau-r)\rangle,x(\tau)x(\tau+1)\cdots)$.

How can one construct automata $M$ for which there exists an $R_a$, $R_b$ transformation sequence satisfying the condition in Theorem 4 (or Theorem 5)? The method in Tao and Chen [23] adopts the $R_a^{-1}$, $R_b^{-1}$ transformation. Let $m$ and $l$ be positive integers, and $\tau$ a non-negative integer with $\tau\le r$. Let $t$ be a monomial in some components of $x(i),\ldots,x(i-r)$ and $p\ge 0$. If $t$ contains components of $x(i)$ and of $x(i-p)$ but not of $x(i-p-1),\ldots,x(i-r)$, then $t$ is said to have span $p$. For any $p\ge 0$, we use $\pi_p(x(i),\ldots,x(i-p))$ to denote the column vector of dimension $l_p$ consisting of all distinct span-$p$ monomials, with coefficient 1, in the components of $x(i),\ldots,x(i-p)$ with exponents
$\ldots=F_{0k}(y(i+k),\ldots,y(i-t))+\sum_{p=0}^{r}\sum_{j=0}^{r-p}F_{pjk}(y(i+k),\ldots,y(i-t))\,\pi_p(x(i-j),\ldots,x(i-j-p)),\qquad(22)$

where $F_{0k}(y(i+k),\ldots,y(i-t))$ is a column vector of dimension $m$, and $F_{pjk}(y(i+k),\ldots,y(i-t))$ is an $m\times l_p$ matrix, $0\le p\le r$, $0\le j\le r-p$. Let $G$ be an $m\times n(\tau+1)$ incompletely specified matrix. Let $0\le k\le\tau$. If there exist $0=r_0\le r_1\le\cdots\le r_k\le m$ such that whenever $r_i$
$G_3=\begin{bmatrix} G_{10}&G_{11}&G_{12}&G_{13}&G_{14}&G_{15}\\ G_{20}&G_{21}&G_{22}&G_{23}&G_{24}&\ast\\ G_{30}&G_{31}&G_{32}&G_{33}&\ast&\ast\\ G_{40}&G_{41}&G_{42}&\ast&\ast&\ast\end{bmatrix}$

is an $(n,3)$-echelon matrix, where $\ast$ stands for 'undefined', $G_{ij}$ is an $(r_i-r_{i-1})\times n$ completely specified matrix, $i=1,2,3,4$, $j=0,1,2,3,4,5$, and $0=r_0\le r_1\le r_2\le r_3\le m$. Clearly, $r_i$ is the $i$-height of $G_3$, $0\le i\le 3$.

Rule $R_a^{-1}$: Let $G'_{pk}(y(i+k-1),\ldots,y(i-t))$ be an $m\times l_p(\tau+1)$ $(l_p,k)$-echelon matrix polynomial over $GF(q)$, $0\le p\le r-\tau$, with the same $j$-height $r_j$, $0\le j\le k$, and $0\le k$

$P'_k(y(i+k-1),\ldots,y(i+k-t))=\begin{bmatrix} E_{r_k} & P'_{k1}(y(i+k-1),\ldots,y(i+k-t))\\ 0 & P'_{k2}(y(i+k-1),\ldots,y(i+k-t))\end{bmatrix},$

which is non-singular for any values of $y(i+k-1),\ldots,y(i+k-t)$, where $E_{r_k}$ is the $r_k\times r_k$ identity matrix. Let $G_{pk}(y(i+k-1),\ldots,y(i-t))$ be the matrix polynomial obtained by multiplying $G'_{pk}(y(i+k-1),\ldots,y(i-t))$ by $P'_k(y(i+k-1),\ldots,y(i+k-t))$ on the left, that is,

$G_{pk}(y(i+k-1),\ldots,y(i-t))=P'_k(y(i+k-1),\ldots,y(i+k-t))\,G'_{pk}(y(i+k-1),\ldots,y(i-t)),\quad 0\le p\le r-\tau.$

If the submatrix consisting of the rows $r_k+1$ to $m$ of $G_{pk}(y(i+k-1),\ldots,y(i-t))$ depends only on $y(i+k-1),\ldots,y(i+k-t)$, then $G_k(i)$ is said to be obtained from $G'_k(i)$ by Rule $R_a^{-1}$ using $P'_k$, denoted by $G'_k(i)\xrightarrow{R_a^{-1}[P'_k]}G_k(i)$, where $G'_k(i)=\{G'_{pk}(y(i+k-1),\ldots,y(i-t)),\ p=0,1,\ldots,r-\tau\}$ and $G_k(i)=\{G_{pk}(y(i+k-1),\ldots,y(i-t)),\ p=0,1,\ldots,r-\tau\}$.

Note. In computing the elements of $P'_kG'_{pk}$, we define $x\cdot u=u\cdot x=u$, $0\cdot u=u\cdot 0=0$ and $y+u=u+y=u$, where $u$ stands for the undefined symbol, and $x\ne 0$ and $y$ are any elements of $GF(q)$.

Rule $R_b^{-1}$: Let $G_{p,k+1}(y(i+k),\ldots,y(i-t))$ be an $m\times l_p(\tau+1)$ $(l_p,k+1)$-echelon matrix polynomial over $GF(q)$, $0\le p\le r-\tau$, with the same heights $r_1,\ldots,r_{k+1}$, and $0\le k$

where $G_{k+1}(i)=\{G_{p,k+1}(y(i+k),\ldots,y(i-t)),\ p=0,1,\ldots,r-\tau\}$ and $G'_k(i)=\{G'_{pk}(y(i+k-1),\ldots,y(i-t)),\ p=0,1,\ldots,r-\tau\}$. Denote $G_{j+1}(i)\xrightarrow{R_b^{-1}[r_{j+1}]}G'_j(i)$, $G'_j(i)\xrightarrow{R_a^{-1}[P'_j]}G_j(i)$, $j=k,k-1,\ldots,1,0$, by

$G_{k+1}(i)\xrightarrow{R_b^{-1}[r_{k+1}]}G'_k(i)\xrightarrow{R_a^{-1}[P'_k]}G_k(i)\xrightarrow{R_b^{-1}[r_k]}\cdots\xrightarrow{R_a^{-1}[P'_1]}G_1(i)\xrightarrow{R_b^{-1}[r_1]}G'_0(i)\xrightarrow{R_a^{-1}[P'_0]}G_0(i).$

Theorem 6 [23]. Let $M$ be the finite automaton defined by equation (16). Assume that

$-y(i)+f(y(i-1),\ldots,y(i-t),x(i),\ldots,x(i-r))=F_{00}(y(i),\ldots,y(i-t))+\sum_{p=0}^{r-\tau}\sum_{j=0}^{r-p}F_{pj0}(y(i-1),\ldots,y(i-t))\,\pi_p(x(i-j),\ldots,x(i-j-p))$

and $G_0(i)=\{F_{00}(y(i),\ldots,y(i-t)),\ G_{p0}(y(i-1),\ldots,y(i-t)),\ p=0,1,\ldots,r-\tau\}$, where $G_{p0}(y(i-1),\ldots,y(i-t))=[F_{p00}(y(i-1),\ldots,y(i-t)),\ldots,F_{p\tau 0}(y(i-1),\ldots,y(i-t))]$, $p=0,1,\ldots,r-\tau$, and $F_{pj0}(y(i-1),\ldots,y(i-t))\equiv 0$ for $r-p$

(a) …

$\cdots\to G_1(i)\xrightarrow{R_b^{-1}[r_1]}G'_0(i)\xrightarrow{R_a^{-1}[P'_0]}G_0(i)\qquad(23)$

such that for any parameters $x(i-1),\ldots,x(i-r),y(i+\tau-1),\ldots,y(i+\tau-t)$,

$\sum_{p=0}^{r-\tau}F_{p0\tau}(y(i+\tau-1),\ldots,y(i+\tau-t))\,\pi_p(x(i),\ldots,x(i-p))\qquad(24)$

is a surjection of $x(i)$, then

$\mathrm{eq}_0(i)\xrightarrow{R_a[P_0]}\mathrm{eq}'_0(i)\xrightarrow{R_b[r_1]}\mathrm{eq}_1(i)\xrightarrow{R_a[P_1]}\cdots\xrightarrow{R_b[r_{\tau-1}]}\mathrm{eq}_{\tau-1}(i)\xrightarrow{R_a[P_{\tau-1}]}\mathrm{eq}'_{\tau-1}(i)\xrightarrow{R_b[r_\tau]}\mathrm{eq}_\tau(i)\qquad(25)$

and for any parameters $x(i-1),\ldots,x(i-r),y(i+\tau),\ldots,y(i-t)$, $\mathrm{eq}_\tau(i)$ has a solution $x(i)$; therefore $M$ is a weak inverse with delay $\tau$, where $F_{p0\tau}(y(i+\tau-1),\ldots,y(i+\tau-t))$ is the first $l_p$ columns of $G_{p\tau}(y(i+\tau-1),\ldots,y(i-t))$, $\mathrm{eq}_0(i)$ is defined by equation (17), and $P_k(y(i+k-1),\ldots,y(i+k-t))=(P'_k(y(i+k-1),\ldots,y(i+k-t)))^{-1}$, $0\le k\le\tau$.

(b) If there exist $m\times l_p(\tau+1)$ $(l_p,\tau)$-echelon matrices $G_{p\tau}(y(i+\tau-1),\ldots,y(i-t))$, $0\le p\le r-\tau$, with the same $j$-height $r_j$ for $0\le j\le\tau$, and a transformation sequence (23) such that for any parameters $x(i-1),\ldots,x(i-r),y(i+\tau-1),\ldots,y(i+\tau-t)$, equation (24) is an injection of $x(i)$, then equation (25) holds and for any parameters $x(i-1),\ldots,x(i-r),y(i+\tau),\ldots,y(i-t)$, $\mathrm{eq}_\tau(i)$ has at most one solution $x(i)$; therefore $M$ is weakly invertible with delay $\tau$, where $\mathrm{eq}_0(i)$ is defined by equation (17), and $P_k(y(i+k-1),\ldots,y(i+k-t))=(P'_k(y(i+k-1),\ldots,y(i+k-t)))^{-1}$, $0\le k\le\tau$.

As pointed out in Remark 7 in Tao and Chen [23], the theorem still holds if the left multiplying matrix in Rule $R_a^{-1}$ is replaced by a non-linear transformation $u_k^{-1}$ which keeps the shape of each echelon matrix polynomial unchanged, that is, the heights of each pair of corresponding echelon matrix polynomials are the same.

As far as the security of FAPKC4 is concerned, similarly to FAPKC3, for a public key of moderate size FAPKC4 is secure and can resist the attack of the general inversion method, the attack of decomposing matrix polynomials over a finite field, chosen plaintext attacks, exhaustive search attacks and stochastic search attacks. Similarly to the key generator of FAPKC3, in order to be secure against the attack of the transformation method of inversion (the linear $R_a$, $R_b$ attack, the reduced echelon matrix attack, the canonical diagonal form of k-matrix attack, etc.), it is necessary to include a check process in the key generator of FAPKC4 to sieve out any $C'(M_1,M_0)$ whose weak inverse can be obtained by the linear $R_a$, $R_b$ transformation method based on Theorem 4 and Theorem 5.
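The check the paragraph above calls for, in the linear case, as an added example that is not the paper's own code: the $R_a$, $R_b$ transformation of Theorem 5 applied to a linear $r$-order input memory automaton over $GF(2)$ with $m=l$, where $u_k$ is restricted to invertible row operations. It finds the smallest delay $\tau$ at which $\mathrm{eq}_\tau(i)$ has a unique solution $x(i)$, builds the weak inverse $M^*$ of equation (21) from that solution, and verifies Theorem 5(a) on a constructed sample. The packing of equations into integers, the sample matrices and the input sequence are this example's own assumptions.

```python
# Added example, not from the paper: the linear R_a, R_b transformation of
# Section 4 for an r-order input-memory LINEAR automaton over GF(2),
#   y(i) = A_0 x(i) + A_1 x(i-1) + ... + A_r x(i-r),  A_j in GF(2)^{m x l}, m = l.
# Each equation of eq_k(i) is a GF(2) row packed into a Python int.  Layout:
# bits [j*l, (j+1)*l) hold the coefficients of x(i-j), j = 0..r; bits
# [XW + q*m, XW + (q+1)*m), XW = (r+1)*l, hold those of y(i+k-q), q = 0..k
# (t = 0, so eq_0(i) mentions only y(i)).  Packing and samples are assumptions.

def bit(v, c):
    return (v >> c) & 1

def rule_ra(rows, l):
    """R_a with u_k an invertible row operation: reduced echelon form of the
    x(i) block (bits 0..l-1).  Returns (rows, rank); rows[rank:] do not depend on x(i)."""
    rows, rank = list(rows), 0
    for c in range(l):
        piv = next((j for j in range(rank, len(rows)) if bit(rows[j], c)), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for j in range(len(rows)):
            if j != rank and bit(rows[j], c):
                rows[j] ^= rows[rank]
        rank += 1
    return rows, rank

def rule_rb(rows, rank, l, m, r):
    """R_b[r_{k+1} = rank]: rows free of x(i) are restated at time i+1, so their
    x(i-j) coefficients move one block towards x(i); the rows kept at time i
    have their y blocks re-indexed (y(i+k-q) is y(i+(k+1)-(q+1)) once k grows)."""
    XW = (r + 1) * l
    xmask = (1 << XW) - 1
    out = []
    for j, row in enumerate(rows):
        xpart, ypart = row & xmask, row >> XW
        out.append(xpart | (ypart << (XW + m)) if j < rank else (xpart >> l) | (ypart << XW))
    return out

def linear_ra_rb_inverse(A, l, max_delay=8):
    """eq_0(i) -> eq_1(i) -> ... until eq_tau(i) fixes x(i) uniquely.  A = [A_0..A_r]
    as 0/1 row lists.  Returns (tau, sol) with sol[c] the row giving x_c(i), or
    None when no delay <= max_delay works (the linear method does not invert M)."""
    r, m = len(A) - 1, len(A[0])
    XW = (r + 1) * l
    rows = []
    for row in range(m):                       # eq_0(i): sum_j A_j x(i-j) + y(i) = 0
        v = 1 << (XW + row)                     # y_row(i), block q = 0
        for j in range(r + 1):
            for c in range(l):
                v |= A[j][row][c] << (j * l + c)
        rows.append(v)
    for tau in range(max_delay + 1):
        rows, rank = rule_ra(rows, l)
        if rank == l:                           # pivot row c: x_c(i) = rest of the row
            return tau, rows[:l]
        rows = rule_rb(rows, rank, l, m, r)
    return None

def inverse_step(sol, l, m, r, tau, xmem, ywin):
    """One step of M* (equation (21)): x(i) = f*_tau(x(i-1..i-r), y(i+tau..i)),
    with xmem[j-1] = x(i-j) and ywin[q] = y(i+tau-q) as bit tuples."""
    XW = (r + 1) * l
    x = []
    for c in range(l):
        acc = 0
        for j in range(1, r + 1):
            acc ^= sum(bit(sol[c], j * l + d) & xmem[j - 1][d] for d in range(l)) & 1
        for q in range(tau + 1):
            acc ^= sum(bit(sol[c], XW + q * m + d) & ywin[q][d] for d in range(m)) & 1
        x.append(acc)
    return tuple(x)

def run_forward(A, xstate, xs):
    """M itself from state <x(-1), ..., x(-r)> (newest first) on x(0) x(1) ..."""
    r, m = len(A) - 1, len(A[0])
    mem, ys = list(xstate), []
    for x in xs:
        hist = [x] + mem
        ys.append(tuple(sum(A[j][row][c] & hist[j][c] for j in range(r + 1)
                            for c in range(len(x))) & 1 for row in range(m)))
        mem = hist[:r]
    return ys

def check_theorem5a(A, l, xstate, xs):
    """Theorem 5(a): M* started from <x(-1..-r), y(tau-1..0)> and fed y(tau) y(tau+1)...
    must return x(0) x(1) ....  Returns (tau, recovered == xs[:len(xs)-tau])."""
    found = linear_ra_rb_inverse(A, l)
    if found is None:
        return None
    tau, sol = found
    r, m = len(A) - 1, len(A[0])
    ys = run_forward(A, xstate, xs)
    mem, rec = list(xstate), []
    for i in range(len(xs) - tau):
        x = inverse_step(sol, l, m, r, tau, mem, [ys[i + tau - q] for q in range(tau + 1)])
        rec.append(x)
        mem = ([x] + mem)[:r]
    return tau, rec == xs[:len(xs) - tau]

# Constructed sample over GF(2)^2: y1(i) = x1(i) + x2(i-1), y2(i) = x1(i-1) + x2(i-1);
# x2(i) can only be read back from y2(i+1), so the delay must be 1.
A_DEMO = [[[1, 0], [0, 0]], [[0, 1], [1, 1]]]
A_BAD = [[[1, 0], [1, 0]], [[0, 0], [0, 0]]]     # x2 never reaches any output
SAMPLE_XS = [(1, 1), (0, 1), (1, 0), (0, 0), (1, 1), (1, 0), (0, 1), (1, 1)]
```

For `A_DEMO` the transformation stops at $\tau=1$ with $x_1(i)=x_2(i-1)+y_1(i)$ and $x_2(i)=x_2(i-1)+y_2(i+1)+y_1(i)$, and `check_theorem5a(A_DEMO, 2, [(1, 0)], SAMPLE_XS)` returns `(1, True)`. For a linear candidate automaton, `linear_ra_rb_inverse` returning a delay means the linear method inverts it, which is exactly the condition under which the key generator should reject the key; `A_BAD` shows the other outcome, `None`, because one input component never reaches the output and no amount of shifting by $R_b$ can produce a full-rank $x(i)$ block.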

5. Discussion on application of FAPKC

Public key cryptosystems have found applications in the area of information security. An example is the Belgian Information System by Telephone. Among the three kinds of cryptosystems, i.e. one-key systems, public key distribution systems and public key systems, the last was chosen, and RSA was selected as the public key algorithm [25]. While one-key cryptosystems can be implemented efficiently in software, it is difficult for software implementations of RSA to reach a reasonable speed. A hardware implementation using an ASIC has been built with which the speed of RSA calculation exceeds 9600 bit/second using a 672-bit modulus and exponent [26]. On the Internet, the most widely used cryptosystem is PGP, a hybrid cryptosystem. It uses the one-key cipher IDEA for data encryption and RSA for key management and for digital signatures. Before a message is signed, it is compressed by the one-way hash function MD5, so in PGP the RSA software mainly processes short messages. FAPKCs, by contrast, have the following main features.

• An FAPKC is a sequential system with a common alphabet for all users, consisting of all l-tuples over some q-symbol set (usually 8-bit bytes, that is, q=2 and l=8). Plaintexts, ciphertexts, messages and signatures are sequences over this alphabet. It is easy to use.
• The data expansion ratio approaches 0. The ciphertext (signature) of a plaintext (message) is s digits longer than the plaintext (message), where s is the delay step.
• The systems can be used to implement digital signatures as well as encryption. Signed messages do not have to be ‘reblocked’.
• The size of a user’s public key is rather small, though longer than for RSA [24]: about 3200 bits for a moderate-size public key in an implementation of FAPKC3 [5].
• Implementation of FAPKCs is easy. Only logical operations are involved, which makes them appear suitable for smart card applications.
• Computation of FAPKCs is fast. The speeds of encryption/verification and decryption/signing are 114,285 and 100,000 bit/second respectively for a C-language software implementation of FAPKC3 on a SUN SPARCstation 10 with a moderate-size public key. These speeds could be improved if the programs were further optimized.
• Users’ keys are easy to generate; 256 key-generators may generate over 10^12 key-groups, and keys in different key-groups are different.
• For a moderate-size public key, the systems FAPKC2, FAPKC3 and FAPKC4 are secure.

In an open network environment such as the Internet, FAPKC appears to be a suitable basic algorithm for a security mechanism owing, among other things, to its speed and the other advantages above. FAPKC software can be used directly for data encryption and for digital signatures; it is not necessary to include a one-key cipher and a one-way hash function. Combining it with an error detecting code is, however, useful and easy and does not seriously decrease the speed. In the paper by Feng [27], such a combination and work mode were proposed, and the problems of key management and of standardizing the implementation of FAPKC, which are important for further applications, were discussed. Each user of a network has a pair of FAPKC keys. Messages are strings of 8-bit binary symbols. When user A wants to send a signed message D secretly over the network, they run the FAPKC program. The FAPKC program first computes the check symbol string of D, say D4, generates a fixed-length random symbol string Dh and a random symbol string Dt of length sA, then signs the symbol string Dh ∥ D ∥ D4 ∥ Dt using user A’s secret key and obtains D’s signature, say S, where ∥ means concatenation and sU is a parameter (the delay step) in user U’s public key. To encrypt S, the FAPKC program first computes the check symbol string of S, say S4, generates a fixed-length random symbol string Sh and a random symbol string St of length sB, then encrypts the symbol string Sh ∥ S ∥ S4 ∥ St using user B’s public key and obtains S’s ciphertext, say C, which is transmitted to user B by, for example, electronic mail. After receiving C, user B runs the FAPKC program, which first decrypts C using user B’s secret key and obtains the symbol string S̄ ∥ S̄4, then checks whether S̄4 is the check symbol string of S̄; if not, it gives a channel error prompt, otherwise S is taken to be S̄.
To verify the signature S, the FAPKC program verifies S using user A’s public key and obtains D̄ ∥ D̄4, then checks whether D̄4 is the check symbol string of D̄; if not, it gives a ‘not valid signature’ prompt, otherwise D is taken to be D̄.

FAPKC was also used to enhance the security of the operating system UNIX. Feng used FAPKC to design a safer login scheme [27,28]. In this scheme, the system holds the users’ public keys, and each user’s secret key is kept on the user’s smart card, which has the function of signing. The login procedure is as follows. When a user wants to get access to a computer, they send their identity to the system. The system then generates a random message and sends it to the user. The user signs the message using their smart card and sends the signature to the system. The system verifies the signature using the user’s public key. If the verification passes, the user is admitted, otherwise the user is rejected. Feng [27,28] has implemented the FAPKC login scheme on a SUN workstation with an IC card reader. The programs include the local login program login, the remote one rlogin and the remote login daemon in.rlogind. Owing to practical restrictions, a memory IC card holding the user’s identity and secret key is used as the user’s identity card instead of a smart card, and the signing procedure is carried out on the computer the user is using. In the case of local login, the user types their identity and inserts their identity card into the computer’s IC card reader; the login program uses the secret key on the card to sign a random message and then verifies it using the user’s public key.
For remote login, for example when a user wants to log in to host B from host A, the procedure is: (1) the user sends their identity to host B; (2) host B sends a random message to host A; (3) host A requests the user to insert their identity card, signs the message using the user’s secret key and then sends the signature to host B; (4) host B uses the user’s public key to verify the signature; (5) if the verification passes, the user is admitted to host B, otherwise the user is rejected.
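The signed-then-encrypted message exchange described at the start of this section, as an added example in Go that is not part of the paper: the framing Dh ∥ D ∥ D4 ∥ Dt with check symbols and the receiver's distinction between a channel error and an invalid signature. FAPKC itself is not specified on this page, so an Ed25519 tag appended to the string stands in for FAPKC signing with message recovery; the 8-byte head, the CRC-32 check code and s = 5 are assumptions, and the identical framing of S before encryption under B's public key is omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"hash/crc32"
)

const headLen = 8 // assumed fixed head length; the paper does not fix one
var errChannel, errSignature = errors.New("channel error"), errors.New("not valid signature")

// frame builds Dh || D || D4 || Dt: random head, payload D, CRC-32 check
// symbols D4 (assumed code) and a random tail of s symbols (the delay step).
func frame(d []byte, s int) []byte {
	f := make([]byte, headLen+len(d)+4+s)
	rand.Read(f[:headLen])
	copy(f[headLen:], d)
	binary.BigEndian.PutUint32(f[headLen+len(d):], crc32.ChecksumIEEE(d))
	rand.Read(f[headLen+len(d)+4:])
	return f
}

// unframe drops head and tail and checks D4 against D; a mismatch is the paper's
// "channel error" prompt, which is distinct from the "not valid signature" prompt.
func unframe(f []byte, s int) ([]byte, error) {
	if len(f) < headLen+4+s {
		return nil, errChannel
	}
	body := f[headLen : len(f)-s]
	d, chk := body[:len(body)-4], body[len(body)-4:]
	if crc32.ChecksumIEEE(d) != binary.BigEndian.Uint32(chk) {
		return nil, errChannel
	}
	return d, nil
}

// sign and verify stand in for FAPKC signing with message recovery (S yields the
// signed string back); an Ed25519 tag appended to the string is the substitute.
func sign(sk ed25519.PrivateKey, f []byte) []byte {
	return append(append([]byte{}, f...), ed25519.Sign(sk, f)...)
}
func verify(pk ed25519.PublicKey, sig []byte) ([]byte, error) {
	n := len(sig) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(pk, sig[:n], sig[n:]) {
		return nil, errSignature
	}
	return sig[:n], nil
}
```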
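The challenge-response login of Feng's scheme (steps 1 to 5 above), as an added Go example that is neither the paper's nor Feng's code: Ed25519 stands in for FAPKC signing, and the Card and System types, the "unknown identity" refusal and the once-only consumption of each issued challenge are assumptions added here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Card models the user's identity card: it holds the secret key and only
// signs what it is handed (step 3). Ed25519 stands in for FAPKC signing.
type Card struct{ sk ed25519.PrivateKey }

func (c Card) Sign(msg []byte) []byte { return ed25519.Sign(c.sk, msg) }

// System holds the users' public keys, as in Feng's scheme, and, as an added
// check, the challenge issued to each identity that has not yet been answered.
type System struct {
	pubkeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewSystem(pubkeys map[string]ed25519.PublicKey) *System {
	return &System{pubkeys: pubkeys, pending: map[string][]byte{}}
}

// Challenge is steps 1 and 2: the user sends an identity, the system answers
// with a fresh random message (and refuses an identity it holds no key for).
func (s *System) Challenge(id string) ([]byte, error) {
	if _, ok := s.pubkeys[id]; !ok {
		return nil, errors.New("unknown identity")
	}
	m := make([]byte, 32)
	rand.Read(m)
	s.pending[id] = m
	return m, nil
}

// Verify is steps 4 and 5: check the signature against the challenge actually
// issued to this identity, and consume it so a captured signature cannot be
// replayed against a later login.
func (s *System) Verify(id string, sig []byte) bool {
	m, ok := s.pending[id]
	if !ok {
		return false
	}
	delete(s.pending, id)
	return ed25519.Verify(s.pubkeys[id], m, sig)
}
```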

References
1. W. Diffie and M. Hellman 1976. New directions in cryptography. IEEE Transactions on Information Theory, IT-22, 644–654.
2. Renji Tao and Shihua Chen 1985. A finite automaton public key cryptosystem and digital signatures. Chinese Journal of Computers, 8, 401–409 (in Chinese).
3. Renji Tao and Shihua Chen 1986. Two varieties of finite automaton public key cryptosystem and digital signatures. Journal of Computer Science and Technology, 1, 9–18.
4. Xiang Gao 1994. Finite automaton public key cryptosystems and digital signatures—analysis, design and implementation. Ph.D. Thesis, Institute of Software, Chinese Academy of Sciences, Beijing (in Chinese).
5. Renji Tao, Shihua Chen and Xuemei Chen 1995. FAPKC3: a new finite automaton public key cryptosystem. Technical Report No. ISCAS-LCS-95-07, Laboratory for Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing.
6. Feng Bao and Yoshihide Igarashi 1995. Break finite automata public key cryptosystem. ICALP’95, Automata, Languages and Programming. Berlin: Springer-Verlag, pp. 147–158.
7. A. Salomaa 1990. Public-key Cryptography. Berlin: Springer-Verlag.
8. H. Zhang, D. Dai, Z. Qin, K. Wu, B. Cui and H. Hai 1992. Implement of FA public key cryptosystem. Advances in Cryptology—CHINACRYPT’92. Beijing: Science Press, pp. 105–109 (in Chinese).
9. J. Li and X. Gao 1992. A software implementation for finite automaton public key cryptosystem and digital signatures. Advances in Cryptology—CHINACRYPT’92. Beijing: Science Press, pp. 110–114 (in Chinese).
10. Feng Bao 1994. Increasing ranks of linear finite automata and complexity of finite automaton public key cryptosystem. Science in China, Ser. A, 37, 504–512; Science in China, Ser. A (Chinese edition), 23, 113–120.
11. Z. Qin and H. Zhang 1994. Enumeration of sequences in finite automata with application to cryptanalysis. Advances in Cryptology—CHINACRYPT’94. Beijing: Science Press, pp. 112–119 (in Chinese).
12. H. Guan 1994. Cryptanalytic for a finite automaton public key algorithm. Advances in Cryptology—CHINACRYPT’94. Beijing: Science Press, pp. 120–126 (in Chinese).
13. D. Dai, K. Wu and H. Zhang 1995. Cryptanalysis on a finite automaton public key cryptosystem. Science in China, Ser. A (Chinese edition), 25, 1226–1232.
14. Z. Qin and H. Zhang 1996. Cryptanalysis of finite automaton public key cryptosystems. Advances in Cryptology—CHINACRYPT’96. Beijing: Science Press, pp. 75–86 (in Chinese).
15. Z. Dai 1996. A class of separable nonlinear finite automata—and an analysis of a certain typed FA based public key encryption and signature scheme. Advances in Cryptology—CHINACRYPT’96. Beijing: Science Press, pp. 87–94 (in Chinese).
16. Hao Wang 1996. On the invertibility of one kind of finite automata. Advances in Cryptology—CHINACRYPT’96. Beijing: Science Press, pp. 95–102 (in Chinese).
17. Renji Tao 1995. On invertibility of some compound finite automata. Technical Report No. ISCAS-LCS-95-06, Laboratory for Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing.
18. Renji Tao 1995. On Ra Rb transformation and inversion of compound finite automata. Technical Report No. ISCAS-LCS-95-10, Laboratory for Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing.
19. Hao Wang 1995. Ra Rb representation of algorithm ALT. Technical Report No. ISCAS-LCS-95-11, Laboratory for Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing (in Chinese).
20. Renji Tao and Peirong Feng 1997. On relations between Ra Rb transformation and canonical diagonal form of k-matrix. Science in China, Ser. E (in press).
21. D. A. Huffman 1959. Canonical forms for information-lossless finite-state logical machines. IRE Transactions on Circuit Theory, 6 (Suppl.), 41–59.
22. Renji Tao 1979. Invertibility of Finite Automata. Beijing: Science Press (in Chinese).
23. Renji Tao and Shihua Chen 1995. Generating a kind of nonlinear finite automata with invertibility by transformation method. Technical Report No. ISCAS-LCS-95-05, Laboratory for Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing.
24. R. Rivest, A. Shamir and L. Adleman 1978. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21, 120–126.
25. J. Vandewalle, R. Govaerts, W. De Becker, M. Decroos and G. Speybrouck 1985. Implementation study of public key cryptographic protection in an existing electronic mail and document handling system. Advances in Cryptology—EUROCRYPT’85. Berlin: Springer-Verlag, pp. 43–49.
26. F. Hoornaert, M. Decroos, J. Vandewalle and R. Govaerts 1988. Fast RSA-hardware: dream or reality? Advances in Cryptology—EUROCRYPT’88. Berlin: Springer-Verlag, pp. 257–264.
27. Peirong Feng 1996. Finite automaton cryptosystems—theoretical research, application and implementation. PhD Thesis, Institute of Software, Chinese Academy of Sciences (in Chinese).
28. Peirong Feng and Youzhi Li 1996. Improving Login Scheme with FAPKC. Advances in Cryptology—CHINACRYPT’96. Beijing: Science Press, pp. 261–266.

Tao Renji graduated from the Peking University, China, in 1957 in mathematics. He joined the Institute of Mathematics, the Institute of Computing Technology, and the Institute of Software, the Chinese Academy of Sciences (CAS), in 1957, 1963 and 1985, respectively. His main fields of interest are computability theory, automata, complexity, coding theory, cryptography, combinatorics and information security. Professor Tao has published numerous papers and two books and received the 1987 National Natural Science Prize, as well as two Outstanding Achievements Awards from the CAS and the National Science Conference in 1978.

Chen Shihua graduated from the Sichuan University, China, in 1959 in mathematics. From 1959 to 1963, she was with the Institute of Mathematics, the Chinese Academy of Sciences (CAS). From 1963 to 1985, she worked at the Institute of Computing Technology, CAS. Since 1985, she has been with the Institute of Software, CAS. She is currently a professor. Her research interests include mathematical logic, finite automata, error-correcting codes, cryptography and combinatorics. She has published numerous papers and received the 1987 National Natural Science Prize.