29 research outputs found

    Cryptanalytic concept of finite automaton invertibility with finite delay

    The automaton invertibility with a finite delay plays a very important role in the analysis and synthesis of finite automata cryptographic systems. The automaton cryptanalytic invertibility with a finite delay $\tau$ is studied in the paper. From the cryptanalyst's point of view, this notion means the theoretical possibility of recovering, under some conditions, a prefix $a$ of length $n$ in an unknown input sequence $ab$ of an automaton from its output sequence $\gamma$ of length $n + \tau$ and perhaps additional information such as the parameters $\tau$ and $n$, the initial ($q$), intermediate ($\theta$) or final ($t$) state of the automaton, or the suffix $b$ of length $\tau$ in the input sequence. The conditions imposed on the recovering algorithm require the prefix $a$ to be arbitrary and may require the initial state $q$ and suffix $b$ to be arbitrary or existent; that is, the variable $a$ is always bound by the universal quantifier, and each of the variables $q$ and $b$ may be bound by either quantifier, universal ($\forall$) or existential ($\exists$). The variety of information that can be known to a cryptanalyst provides many different types of automaton invertibility and, respectively, many different classes of invertible automata. Thus, in the paper, invertibility with a finite delay $\tau$ of a finite automaton $A$ is the ability of this automaton to resist recovering or, on the contrary, to allow precisely determining any input word $a$ of length $n$ for the output word $\gamma$ that results from the automaton $A$, in its initial state $q$, transforming the input word $ab$ with $b$ of length $\tau$, given the known $n$, $\tau$, $A$, $\gamma$ and $u \subseteq \{b, q, \theta, t\}$, where $q$ and $b$ may be arbitrary or some elements of their sets, and $\theta$ and $t$ are respectively the intermediate and final states of $A$ into which $A$ comes from $q$ under the action of the input words $a$ and $ab$ respectively. According to this, the automaton $A$ is called invertible with a delay $\tau$ if there exist a function $f(\gamma, u)$ and a triplet of quantifiers $\kappa \in \{Q_1x_1Q_2x_2Q_3x_3 : Q_ix_i \in \{\forall q, \exists q, \forall a, \forall b, \exists b\},\ i \ne j \Rightarrow x_i \ne x_j\}$ such that $\kappa[f(\gamma, u) = a]$; in this case $f$ is called a recovering function, $(\kappa, u)$ an invertibility type, $\kappa$ an invertibility degree, $u$ an invertibility order of the automaton $A$, and $\exists f\, \kappa[f(\gamma, u) = a]$ an invertibility condition of type $(\kappa, u)$ for the automaton $A$. So, 208 different types of invertibility of the automaton $A$ are defined in all. The well-known types of (strong) invertibility and weak invertibility described for finite automata earlier by scientists (D. A. Huffman, A. Gill, Sh. Even, A. A. Kurmit, Z. D. Dai, D. F. Ye, K. Y. Lam, R. Tao and many others) belong in our theory to the types $(\forall q \forall a \forall b, \emptyset)$ and $(\forall q \forall a \forall b, \{q\})$ respectively. For every invertibility type, we have defined a class of automata with this type of invertibility and described the inclusion relation on the set of all these classes. It has turned out that the graph of this relation is the union of twenty nine lattices with thirteen of them each containing sixteen classes and sixteen lattices each containing thirteen classes. To solve the scientific problems (invertibility tests, synthesis of inverse automata and so on) related to the different and concrete invertibility classes, we hope to continue these investigations

    Cryptanalytical finite automaton invertibility with finite delay

    The paper continues an investigation of the concept of cryptanalytical invertibility with a finite delay introduced by the author for finite automata. Here, we expound an algorithmic test for an automaton $A$ to be cryptanalytically invertible with a finite delay, that is, to have a recovering function $f$ which allows calculating a prefix of length $m$ in an input sequence of the automaton $A$ by using its output sequence of length $m + \tau$ and some additional information about $A$ that defines the type of its invertibility and is known to cryptanalysts. The test finds out whether the automaton $A$ has a recovering function $f$ or not and, if it has, determines some or possibly all such functions. The test algorithm simulates a backtracking method for searching for a possibility to transform a binary relation into a function by shortening its domain to a set corresponding to the invertibility type under consideration

    Cryptautomata: definition, cryptanalysis, example

    This conference paper is an extended abstract of a recent article in Prikladnaya Diskretnaya Matematika (2017, No.36), where we presented the definition of the cryptautomata and described some cryptanalysis techniques for them. In cryptosystems, the cryptautomata are widely used as their primitives including cryptographic generators, s-boxes, filters, combiners, key hash functions as well as symmetric and public-key ciphers, and digital signature schemes. A cryptautomaton is defined as a class $C$ of automata networks of a fixed structure $N$ constructed by means of the series, parallel, and feedback connection operations over initial finite automata (finite state machines) with transition and output functions taken from some predetermined functional classes. A cryptautomaton key can include initial states, transition and output functions of some components in $N$. Choosing a certain key $k$ produces a certain network $N_k$ from $C$ to be a new cryptographic algorithm. In case of invertibility of $N_k$, this algorithm can be used for encryption. The operation (functioning) of any network $N_k$ in discrete time is described by the canonical system of equations of its automaton. The structure of $N_k$ is described by the union of canonical systems of equations of its components. The cryptanalysis problems for a cryptautomaton are considered as the problems of solving the operational or structural system of equations of $N_k$ with the corresponding unknowns that are key $k$ variables and (or) plaintexts (input sequences). For solving such a system $E$, the method DSS is used. It is the iteration of the following three actions: 1) $E$ is Divided into subsystems $E'$ and $E''$, where $E'$ is easily solvable; 2) $E'$ is Solved; 3) the solutions of $E'$ are Substituted into $E''$ by turns. The definition and cryptanalysis of a cryptautomaton are illustrated by giving the example of the autonomous alternating control cryptautomaton. It is a generalization of the LFSR-based cryptographic alternating step generator. We present a number of attacks on this cryptautomaton with the states or output functions of its components as a key

    Watermarking ciphers

    In order to protect both data confidentiality and legality, a concept of a watermarking cipher (also called a w-cipher) is defined. The main idea of this concept is as follows: the transformation of a plaintext x by the composition of encryption and decryption operations using some encryption and decryption keys yields a proper text x containing a unique watermark w. The encryption and decryption keys in the w-cipher are connected with each other and with the given watermark w in some way. In contrast with the ciphers usually studied in cryptography, the encryption function in a w-cipher is not necessarily invertible. Thus in fact w-ciphers are not ciphers in the known sense of the word, but the ciphers are w-ciphers of a certain partial type, and all terms, notions and notations related to ciphers are quite applicable to w-ciphers. It is shown how data watermarking can be performed by applying a w-cipher in such a way that the concealment of a watermark into a plaintext is accomplished by this w-cipher either in the encryption or in the decryption processes. Some examples of w-ciphers constructed on the basis of symmetric stream ciphers are presented in the paper

    Substitution block ciphers with functional keys

    We define a substitution block cipher $C$ with the plaintext and ciphertext blocks in $F_2^n$ and with the keyspace $K_{s_0,n}(g)$ that is the set $\{f(x) : f(x) = \pi_2(g^{\sigma_2}(\pi_1(x^{\sigma_1})));\ \sigma_1, \sigma_2 \in F_2^n;\ \pi_1, \pi_2 \in S_n\}$, where $s_0$ is an integer, $1 \le s_0 \le n$; $g : F_2^n \to F_2^n$ is a bijective vector function $g(x) = g_1(x)g_2(x) \ldots g_n(x)$ such that each of its coordinate functions $g_i(x)$ essentially depends on some $s_i \le s_0$ variables in the string $x = x_1x_2 \ldots x_n$; $S_n$ is the set of all permutations of the row $(12 \ldots n)$; $\pi_i$ and $\sigma_i$ are the permutation and negation operations, that is, $(\pi = (i_1i_2 \ldots i_n)) \Rightarrow (\pi(a_1a_2 \ldots a_n) = a_{i_1}a_{i_2} \ldots a_{i_n})$, $(\sigma = b_1b_2 \ldots b_n) \Rightarrow ((a_1a_2 \ldots a_n)^{\sigma} = a_1^{b_1}a_2^{b_2} \ldots a_n^{b_n})$ and, for $a$ and $b$ in $F_2$, $a^b = a$ if $b = 1$ and $a^b = \neg a$ if $b = 0$. Like $g$, any key $f$ in $K_{s_0,n}(g)$ is a bijection on $F_2^n$, $f(x) = f_1(x)f_2(x) \ldots f_n(x)$, and each of its coordinate functions $f_i(x)$ essentially depends on not more than $s_0$ variables in $x$. The encryption of a plaintext block $x$ and the decryption of a ciphertext block $y$ on the key $f$ are defined in $C$ as follows: $y = f(x)$ and $x = f^{-1}(y)$. Here, we suggest a known plaintext attack on $C$ with the threat of discovering the key $f$ that was used. Let $P_1, P_2, \ldots, P_m$ be some blocks of a plaintext, $C_1, C_2, \ldots, C_m$ be the corresponding blocks of a ciphertext, i.e., $C_l = f(P_l)$ for $l = 1, 2, \ldots, m$, and $P_l = P_{l1}P_{l2} \ldots P_{ln}$, $C_l = C_{l1}C_{l2} \ldots C_{ln}$. The object is to determine the coordinate function $f_i(x)$ of $f$ for each $i \in \{1, 2, \ldots, n\}$. The suggested attack consists of two steps, namely we first determine the essential variables $x_{i_1}, \ldots, x_{i_s}$ of $f_i(x)$ and then compute a Boolean function $h(x_{i_1}, \ldots, x_{i_s})$ such that $h(a_{i_1}, \ldots, a_{i_s}) = f_i(a_1, \ldots, a_n)$ for all $n$-tuples $(a_1a_2 \ldots a_n) \in F_2^n$. For determining the essential variables of $f_i$, we construct a Boolean matrix $\inf D(f_i)$ with the set of rows $\inf D(f_i)$, where $D(f_i) = \{P_l \oplus P_j : C_{li} \ne C_{ji};\ l, j = 1, 2, \ldots, m\}$, $l = 1, \ldots, m$, $i = 1, \ldots, n$, and $\inf D(f_i)$ is the subset of all the minimal vectors in $D(f_i)$. Then the numbers of essential variables for $f_i$ are the numbers of columns in the intersection of all covers of $\inf D(f_i)$ with the cardinalities not more than $s_0$, where a cover of a Boolean matrix $M$ is defined as a subset $C$ of its columns such that each row in $M$ has '1' in a column in $C$. For computing $h(x_{i_1}, \ldots, x_{i_s})$, we first set $h(P_{li_1}, \ldots, P_{li_s}) = C_{li}$ for $l = 1, \ldots, m$ and then, if $h_i$ is not yet completely determined on $F_2^s$, we increase the number $m$ of known blocks $(P_l, C_l)$ of plain- and ciphertexts or extend $h_i$ on $F_2^s$ in such a way that the vector function $h = h_1h_2 \ldots h_n$ with the completely defined coordinate functions is a bijection on $F_2^n$. We also describe some special known plaintext attacks on substitution block ciphers with keyspaces being subsets of $K_{s_0,n}(g)$

    ElGamal cryptosystems on Boolean functions

    Here is a description of ElGamal public-key encryption and digital signature schemes constructed on the basis of bijective systems of Boolean functions. The description is illustrated with a simple example in which the Boolean functions used are written in logical notation. In our encryption and signature schemes on Boolean functions, every ciphertext or message signature is a pair of values, as in the basic ElGamal cryptosystem on a group. In our case, these values are Boolean vectors. Each vector in the pair depends on the value of a function on a plaintext or on a message, and this function is typically obtained from a given bijective vector Boolean function g by applying some random and secret negation and permutation operations on the sets of variables and coordinate functions of g. For the pair of vectors in the ciphertext or in the message signature, the decryption algorithm produces the plaintext, and the signature verification algorithm accepts the signature, performing some computation on this pair. The signature is accepted for a message if and only if the computation results in this message. All the computations in the processes of encryption, decryption, signing and verification are logical and performed on Boolean values, promising a higher implementation efficiency than in the basic ElGamal schemes on groups

    Asymmetric cryptosystems on Boolean functions

    Here, we define an asymmetric substitution cryptosystem combining both a public key cipher and a signature scheme with the functional keys. A public key in the cryptosystem is a vector Boolean function $f(x_1, \ldots, x_n)$ of dimension $n$. This function is obtained by permutation and negation operations on variables and coordinate functions of a bijective vector Boolean function $g(x_1, \ldots, x_n) = (g_1(x_1, \ldots, x_n), \ldots, g_n(x_1, \ldots, x_n))$. The function $g$ is called a generating function of the cryptosystem. For each $i \in \{1, \ldots, n\}$, its coordinate function $g_i(x_1, \ldots, x_n)$ is assumed to be specified in a constructive way and to have a polynomial (in $n$) complexity. A private key of the cryptosystem is the function $f^{-1}$, that is, the inverse of $f$. The existence of $f^{-1}$ follows from the bijectiveness of $g$ and the preservation of this property by permutation and negation operations. Function $g$ and its coordinates $g_1, \ldots, g_n$ are public parameters of the cryptosystem. (A variant of the cryptosystem allows including them in the private key.) Of course, the permutation and negation operations by which a public key is computed from the generating function must be kept secret, like private exponents in RSA and ElGamal cryptosystems. A block $P$ of a plaintext is encrypted to a block $C$ of a ciphertext by the rule $C = f(P)$, and $C$ is decrypted to $P$ by the rule $P = f^{-1}(C)$. A signature on a message $M$ is computed as $S = f^{-1}(P)$, and its validity is proved by verifying the equality $M = f(S)$. This cryptosystem is believed to resist attacks by classical and quantum computers. Its security is based on the difficulty of inverting large bijective vector Boolean functions. Cryptanalysis of the cryptosystem shows that its computational complexity can reach the value $O(n!\,2^n)$
