
    Cryptanalytic concept of finite automaton invertibility with finite delay

    Automaton invertibility with a finite delay plays a very important role in the analysis and synthesis of finite-automaton cryptographic systems. The cryptanalytic invertibility of an automaton with a finite delay τ is studied in the paper. From the cryptanalyst's point of view, this notion means the theoretical possibility of recovering, under some conditions, a prefix a of length n in an unknown input sequence ab of an automaton from its output sequence γ of length n + τ and perhaps additional information such as the parameters τ and n, the initial (q), intermediate (s) or final (t) state of the automaton, or the suffix b of length τ in the input sequence. The conditions imposed on the recovering algorithm require the prefix a to be arbitrary and may require the initial state q and the suffix b to be arbitrary or existent; that is, the variable a is always bound by the universal quantifier, and each of the variables q and b may be bound by either quantifier, universal (∀) or existential (∃). The variety of information which can be known to a cryptanalyst provides many different types of automaton invertibility and, respectively, many different classes of invertible automata. Thus, in the paper, invertibility with a finite delay τ of a finite automaton A is the ability of this automaton to resist recovering or, on the contrary, to allow precise determination of any input word a of length n from the output word γ, which is the result of transforming by the automaton A in its initial state q the input word ab with b of length τ, given the known n, τ, A, γ and u ⊆ {b, q, s, t}, where q and b may be arbitrary or some elements of their sets, and s and t are respectively the intermediate and final states of A into which A comes from q under the action of the input words a and ab respectively.
    According to this, the automaton A is called invertible with a delay τ if there exist a function f(γ, u) and a triplet of quantifiers κ ∈ {Q₁x₁Q₂x₂Q₃x₃ : Qᵢxᵢ ∈ {∀q, ∃q, ∀a, ∀b, ∃b}, i ≠ j ⇒ xᵢ ≠ xⱼ} such that κ[f(γ, u) = a]; in this case f is called a recovering function, (κ, u) an invertibility type, κ an invertibility degree, u an invertibility order of the automaton A, and ∃f κ[f(γ, u) = a] an invertibility condition of type (κ, u) for the automaton A. So, 208 different types of invertibility of the automaton A are defined in all. The well-known types of (strong) invertibility and weak invertibility described for finite automata earlier by scientists (D. A. Huffman, A. Gill, Sh. Even, A. A. Kurmit, Z. D. Dai, D. F. Ye, K. Y. Lam, R. Tao and many others) belong in our theory to the types (∀q∀a∀b, ∅) and (∀q∀a∀b, {q}) respectively. For every invertibility type, we have defined a class of automata with this type of invertibility and described the inclusion relation on the set of all these classes. It has turned out that the graph of this relation is the union of twenty-nine lattices, thirteen of them each containing sixteen classes and sixteen of them each containing thirteen classes. To solve the scientific problems (invertibility tests, synthesis of inverse automata and so on) related to the different concrete invertibility classes, we hope to continue these investigations.

    On the Complexity of the Equivalence Problem for Probabilistic Automata

    Checking two probabilistic automata for equivalence has been shown to be a key problem for efficiently establishing various behavioural and anonymity properties of probabilistic systems. In recent experiments a randomised equivalence test based on polynomial identity testing outperformed deterministic algorithms. In this paper we show that polynomial identity testing yields efficient algorithms for various generalisations of the equivalence problem. First, we provide a randomised NC procedure that also outputs a counterexample trace in case of inequivalence. Second, we show how to check two probabilistic automata with (cumulative) rewards for equivalence. Our algorithm runs in deterministic polynomial time if the number of reward counters is fixed. Finally, we show that the equivalence problem for probabilistic visibly pushdown automata is logspace equivalent to the Arithmetic Circuit Identity Testing problem, which is to decide whether a polynomial represented by an arithmetic circuit is identically zero.
    Comment: technical report for a FoSSaCS'12 paper

    An Experiment in Ping-Pong Protocol Verification by Nondeterministic Pushdown Automata

    An experiment is described which confirms that the security of a well-studied class of cryptographic protocols (Dolev-Yao intruder model) can be verified by two-way nondeterministic pushdown automata (2NPDA). A nondeterministic pushdown program checks whether the intersection of a regular language (the protocol to verify) and a given Dyck language containing all cancelling words is empty. If it is not, an intruder can reveal secret messages sent between trusted users. The verification is guaranteed to terminate in at most cubic time on a 2NPDA simulator. The interpretive approach used in this experiment simplifies the verification by separating the nondeterministic pushdown logic from program control, and makes it more predictable. We describe the interpretive approach and the known transformational solutions, and show that they share interesting features. Also noteworthy is how abstract results from automata theory can solve practical problems by programming-language means.
    Comment: In Proceedings MARS/VPT 2018, arXiv:1803.0866

    A side-channel attack against an automata theory based stream cipher (Logic, Language, Algebraic system and Related Areas in Computer Science)

    In this paper we consider a finite-automaton-based stream cipher given by P. Dömösi and G. Horváth and show its immunity to side-channel timing attacks.