Tao R. Finite Automata and Application to Cryptography

Подождите немного. Документ загружается.

264 7. Linear Autonomous Finite Automata

(1)

(s, z)=



∞

i=0

, β

=0whenever τ  l

,andψ is deﬁned by (7.72)

and (7.73).

For a linear backward autonomous ﬁnite automaton M



= Y,S, δ



,λ





over GF (q) of which the state transition matrix A



is not in the form of (7.78),

we can transform it to the form of (7.78) by similarity transformation, that

is, we can ﬁnd a nonsingular matrix P over GF (q) such that A = P

−1



can be expressed in the form of (7.78). Let M = Y, S, δ,λ,whereδ(s)=As,

λ(s)=λ



(Ps). Then M is a linear backward autonomous ﬁnite automaton

over GF (q). It is easy to verify that M and M



areisomorphicandthestate



of M



and the state P

−1



of M are equivalent.

Notice that if the (ε

,...,ε

)rootcoordinateofaperiodicΩ in Φ

is β,

then the linear complexity of Ω equals to



i=1

,wherel

=minh[h  0,

i1k

=0 if h<k l

], i =1,...,r, the linear complexity of Ω means the

minimal state space dimension of linear shift registers over GF (q)which

generate Ω.

We ﬁnish this section by the following theorem.

Theorem 7.4.4. For any autonomous ﬁnite automaton M = Y,S, δ,λ,if

Y is a column vector space over GF (q), then there exists a linear autonomous

ﬁnite automaton

M = Y,

δ,

λ over GF (q) such that the dimension of

S 

|S| and M is isomorphic to a ﬁnite subautomaton of

Proof.LetS = {s

,...,s

} and

δ(s

)=s

λ(s

⎡

⎢

⎣

⎤

⎥

⎦

, (7.86)

i =1,...,n,

where y

∈ GF (q), i =1,...,n, j =1,...,m.Let

S be the column vector

space over GF (q) of dimension n.Let¯γ

be the column vector of dimension

n of which the i-th component is 1 and 0 elsewhere, i =1,...,n. Deﬁne

δ(¯s)=

A¯s,

λ(¯s)=

C¯s, ¯s ∈

S, (7.87)

where

A =[¯γ

,...,¯γ

C =

⎡

⎢

⎣

... y

⎤

⎥

⎦

. (7.88)

7.5 Decimation 265

Take

S = {¯γ

,...,¯γ

From (7.87) and (7.88),

δ(¯γ

)=¯γ

, i =1,...,n. Therefore,

S is closed in

M. It follows that

M = Y,

δ,

λ is a ﬁnite subautomaton of

M,where

δ(¯s)=

δ(¯s),

λ(¯s)=

λ(¯s), for ¯s ∈

S.Let

ϕ(s

)=¯γ

,i=1,...,n.

Clearly, ϕ is a bijection from S to

S.From

δ(ϕ(s

)) =

δ(¯γ

)=¯γ

= ϕ(s

ϕ(δ(s

)), we have

δ(ϕ(s)) = ϕ(δ(s)),s∈ S.

Since

λ(ϕ(s

)) =

λ(¯γ

)=[y

,...,y

]

= λ(s

), we have

λ(ϕ(s)) = λ(s),s∈ S.

Thus ϕ is an isomorphism from M to

M. We conclude that M and

M are

isomorphic. 

7.5 Decimation

For any sequence ω =[w

,...,w

,...] and any positive integer u,the

sequence [w

,...,w

uτ

,...] is called the u-decimation of ω.

Let M be a linear shift register over GF (q) with structure parameters m,

n and structure matrices A, C.Letf (z) be the characteristic polynomial of

Assume that GF (q

∗

) is a splitting ﬁeld of f(z). Let M

∗

be the natural

extension of M over GF (q

∗

). Take an (ε

,...,ε

) root basis of Ψ

(1)

∗

(z), where

f(z)=z



i=1



j=1

(z − ε

j−1

)

Given a positive integer u,letR be a relation on {1,...,r},whereiRj

if and only if ε

and ε

are conjugate on GF (q), i.e., ε

=(ε

)

for some

nonnegative integer k . Clearly, the relation R is reﬂexive, symmetric and

transitive. Let

,...,P

¯r

(7.89)

be the equivalence classes of R.Foreachh,1 h  ¯r, ﬁx an integer m

.Let

266 7. Linear Autonomous Finite Automata

¯ε

= ε

. (7.90)

From the deﬁnition of P

, for any i in P

, ε

and ε

are conjugate on

GF (q); therefore, there exists k  0 such that ε

= ε

, i.e., ε

=¯ε

.Let

=mink(k  0&ε

=¯ε

), (7.91)

i ∈ P

,h=1,...,¯r.

We use ¯n

to denote the degree of the minimal polynomial over GF (q)of¯ε

Then ¯ε

¯n

=¯ε

.Thus

< ¯n

,i∈ P

,h=1,...,¯r. (7.92)

Let i ∈ P

. Then the minimal polynomials over GF (q)ofε

and ¯ε

are the

same. Thus ¯n

=mink(k>0&ε

= ε

). Since ε

=(ε

)

= ε

,we

have ¯n

.Let

= n

/¯n

,i∈ P

,h=1,...,¯r. (7.93)

Then q

is a positive integer. Let u = p



,whereu



and p are coprime. Take

=min k ( ku  l

=max k ( k − 1=(l

− 1)/p

,i∈ P

), (7.94)

h =1,...,¯r.

Let

f(z)=z

¯r



h=1

¯n



j=1

(z − ¯ε

j−1

)

. (7.95)

It is easy to show that

f(z) is a polynomial over GF (q) with leading coeﬃcient

1. Let

M be a linear autonomous shift register over GF (q) with characteristic

polynomial

f(z). Let

∗

be the natural extension of

M over GF (q

∗

). Then

¯ε

,...,¯ε

¯r

determine an (¯ε

,...,¯ε

¯r)

root basis of Ψ

(1)

∗

Assume that Ω =[s

,...,s

,...]isinΨ

(1)

and its (ε

,...,ε

)root

coordinate is β.Then

= β



i=1



j=1



k=1

ijk



τ+k−1

k−1



τq

j−1

τ =0, 1,...,

x stands for the maximal integer  x.

7.5 Decimation 267

where β

= 0 whenever τ  l

.Let

Ω =[¯s

, ¯s

,...,¯s

,...]betheu-

decimation of Ω.Then

¯s

= s

uτ

= β

uτ



i=1



j=1



k=1

ijk



uτ+k−1

k−1



uτq

j−1

= β

uτ

¯r



h=1



i∈P



j=1



k=1

ijk



uτ+k−1

k−1



¯ε

τq

+j−1

= β

uτ

¯r



h=1



i∈P

¯n



j=1

−1



c=0



k=1

i,c¯n

+j,k



uτ+k−1

k−1



¯ε

τq

+c¯n

+j−1

= β

uτ

¯r



h=1



i∈P

¯n



j=1

−1



c=0



k=1

i,c¯n

+j,k



uτ+k−1

k−1



¯ε

τq

+j−1

(7.96)

= β

uτ

¯r



h=1



i∈P

+¯n



j=v

−1



c=0



k=1

i,c¯n

+j−v



uτ+k−1

k−1



¯ε

τq

j−1

= β

uτ

¯r



h=1



i∈P

¯n



j=1

−1



c=0



k=1

i,c¯n

+(j−v

)( mod ¯n

),k



uτ+k−1

k−1



¯ε

τq

j−1

= β



¯r



h=1

¯n



j=1



k=1



hjk



uτ+k−1

k−1



¯ε

τq

j−1

τ =0, 1,...,

where a(mod ¯n

)=min b(b>0&a = b (mod ¯n

)),

=max{l

,i ∈ P

h =1,...,¯r,



=0, if τ 



= β

uτ

,τ=0,...,

− 1, (7.97)



hjk



i∈P

−1



c=0

i,c¯n

+(j−v

)( mod ¯n

),k

h =1,...,¯r, j =1,...,¯n

,k =1,...,

and β

ijk

=0fori ∈ P

, h =1,...,¯r, j =1,...,n

, k = l

+1,...,

.Weuse

θ(c) to denote c/p

. From Theorem 7.1.3, it is easy to show that



uτ+k−1

k−1







τ+θ(k−1))+ν

θ(k−1)+ν







τ+θ(k−1)

θ(k−1)





(mod p)





τ+θ(k−1)

θ(k−1)



(mod p),

where 0  ν<p

and ν = k − 1(mod p

). From (7.11), for any k,wehave

268 7. Linear Autonomous Finite Automata





τ+k−1

k−1





a=1

c(u



,k− 1,a− 1)



τ+a−1

a−1



c(u



,k− 1,a− 1) =

a−1



i=1

(−1)



a−1



−u



(i+1)+k−1

k−1



a =1,...,k.

Thus





τ+θ(k−1)

θ(k−1)



θ(k−1)+1



a=1

c(u



,θ(k − 1),a− 1)



τ+a−1

a−1



It follows that



uτ+k−1

k−1



θ(k−1)+1



a=1

c(u



,θ(k − 1),a− 1)



τ+a−1

a−1



(mod p).

Replacing the leftside by the rightside of the above equation in (7.96), letting

c(u



,a)=0fora>k



,wehave

¯s

= β



¯r



h=1

¯n



j=1



k=1



hjk

θ(k−1)+1



a=1

c(u



,θ(k − 1),a− 1)



τ+a−1

a−1



¯ε

τq

j−1

= β



¯r



h=1

¯n



j=1



k=1



hjk



a=1

c(u



,θ(k − 1),a− 1)



τ+a−1

a−1



¯ε

τq

j−1

= β



¯r



h=1

¯n



j=1



a=1





k=a

c(u



,θ(k − 1),a− 1)β



hjk



τ+a−1

a−1



¯ε

τq

j−1

(7.98)

= β



¯r



h=1

¯n



j=1

θ(

−1)+1



a=1





k=a

c(u



,θ(k − 1),a− 1)β



hjk



τ+a−1

a−1



¯ε

τq

j−1

τ =0, 1,...

Since

=max{l

,i ∈ P

}, from (7.94), we have

= θ(

− 1) + 1, h =

1,...,¯r.Let

= β



,τ=0,...,

− 1,

hja



k=a

c(u



,θ(k − 1),a− 1)β



hjk

, (7.99)

h =1,...,¯r, j =1,...,¯n

,a=1,...,

Then (7.98) can be written as

7.5 Decimation 269

¯s

¯r



h=1

¯n



j=1



a=1

hja



τ+a−1

a−1



¯ε

τq

j−1

τ =0, 1,...,

where

= 0 whenever τ 

. Therefore,

Ω is a sequence in Ψ

(1)

of which

the (¯ε

,...,¯ε

¯r

)rootcoordinateis

β.

(7.97) and (7.99) can be written in matrix form. We use E

to denote the

i × i identity matrix, 0

to denote the i × j zero matrix; and the leftmost

j columnsandtherightmosti − j columns of E

are denoted by E

(j)and

(−j), respectively. Let

(i)=[E

¯n

(−v

),E

¯n

,...,E

¯n

! "# $

/¯n

−1

¯n

)],i∈ P

,h=1,...,¯r,

⎡

⎢

⎣

(0)

DIA

(1),l

DIA

(r),l

⎤

⎥

⎦

hkic



¯n

, if i ∈ P

,k = c,

¯n



, if i ∈ P



,h= h



or k = c,

h =1,...,¯r, k =1,...,

,i=1,...,r, c=1,...,l

, (7.100)

=[I

hk11

... I

hk1l

... I

hkr1

... I

hkrl

],h=1,...,¯r, k =1,...,



⎡

⎢

⎣

¯r1

¯r

⎤

⎥

⎦







(h)=

⎡

⎢

⎣

c(0, 0) c(1, 0) ... c(

− 1, 0) ... c(

− 1, 0)

0 c(1, 1) ... c(

− 1, 1) ... c(

− 1, 1)

00 ... c(

− 1,

− 1) ... c(

− 1,

− 1)

⎤

⎥

⎦

h =1,...,¯r,

270 7. Linear Autonomous Finite Automata

⎡

⎢

⎣

(1)

(2)

(¯r)

⎤

⎥

⎦

where the deﬁnition of the symbol DIA is in Sect. 4.1 of Chap. 4, I

(0) is

× l

matrix of which the element at row i and column u(i − 1) + 1 is

1 and 0 elsewhere, and c(i, j) stands for c(u



,θ(i),j)E

¯n

.Itiseasytoverify

that (7.97) can be written as β



= I

β and that (7.99) can be written as

β = I



. Therefore,

β = I

β. We complete the proof of the following

theorem.

Theorem 7.5.1. Let Ω be a sequence in Ψ

(1)

,andβ the (ε

,...,ε

) root

coordinate of Ω.If

Ω is the u-decimation of Ω,then

Ω is in Ψ

(1)

and its

(¯ε

,...,¯ε

¯r

) root coordinate

β is determined by

β = I

β.

Corollary 7.5.1. Let

J = D(¯ε

,...,¯ε

¯r

M)I

D(ε

,...,ε

,M)

−1

where D(·) is deﬁned by (7.35).ThenΨ

(1)

(¯s) is the u-decimation of Ψ

(1)

(s)

if and only if ¯s = Js;therefore,J is a matrix over GF (q).

By the way, if the characteristic polynomial f(z)ofM has no nonzero

repeated root, then

=1,h =1,...,¯r.ThusI

(h) in (7.100) equals

¯n

; therefore I

is the identity matrix.

Theorem 7.5.2. Each sequence in Ψ

(1)

is u-decimations of q

n−¯n

sequences

in Ψ

(1)

,andu-decimations of Ψ

(1)

) and Ψ

(1)

) are the same if and only

if Js

= Js

,where¯n =



¯r

h=1

¯n

Proof. It is easy to see that the rank of I

is n



¯r

h=1



i∈P

¯n

and the rank of I

is ˜n =



¯r

h=1

¯n

.Sinceu



and p are coprime, we have

c(u



,a,a)=(u



)

=0(modp). Using this fact, noticing c(u



,a)=0for



<a, we can prove that the rank of I

(h)is¯n

; therefore, the rank of I

¯n. Clearly, D(¯ε

,...,¯ε

¯r

M)andD(ε

,...,ε

,M) are nonsingular matrices.

Using Sylvester inequality, that is, “the rank of G + the rank of H − the

number of rows of H  the rank of GH  the rank of G, the rank of H”, it is

easy to see that the rank of J is ¯n.Since¯n isthenumberofrowsofJ, for any

state ¯s of

M, the equation ¯s = Js has q

n−¯n

solutions. From Corollary 7.5.1,

(1)

(¯s)isu-decimations of q

n−¯n

sequences in Ψ

(1)

, i.e., Ψ

(1)

(s), s ∈ S,¯s = Js.

From Corollary 7.5.1, u-decimations of Ψ

(1)

)andΨ

(1)

)arethesame

if and only if Js

= Js

. 

Historical Notes 271

Corollary 7.5.2. If ¯n = n, then each sequence in Ψ

(1)

is the u-decimation

of one sequence in Ψ

(1)

; therefore, the u-decimation of any nonzero sequence

in Ψ

(1)

is nonzero.

It is easy to prove that in the case of u>1, ¯n = n holds if and only if the

following conditions hold: ε

,...,ε

are not conjugate on GF (q)witheach

other, degrees of minimal polynomials of ε

and ε

are the same, i =1,...,r,

0isnotarepeatedrootoff(z), f(z) has no nonzero repeated root or u and

p are coprime. In particular, whenever u>1andf(z) is irreducible other

than z,¯n = n holds if and only if degrees of minimal polynomials of ε

and

are the same.

Historical Notes

Each component sequence of an output sequence of a linear autonomous

ﬁnite automaton over a ﬁnite ﬁeld is equivalent to a linear shift register

sequence over a ﬁnite ﬁeld. A great deal of work has been done on linear shift

dimensional output), see [51] and its references for example. In particular, a

root representation for linear shift register sequences is found in [54], pp. 20–

22. References [97, 98] devote mainly to general (viz. the output dimension

 1) linear autonomous ﬁnite automata over ﬁnite ﬁelds. The material of this

chapter is taken out from Appendix III and Chap. 3 of [98], but Theorem 7.3.2

is narrowed and its proof is slightly simpliﬁed.

8. One Key Cryptosystems and Latin Arrays

Renji Tao

Institute of Software, Chinese Academy of Sciences

Beijing 100080, China trj@ios.ac.cn

Summary.

In the ﬁrst seven chapters, theory of ﬁnite automata is developed. From

now on, some applications to cryptography are presented. This chapter

proposes a canonical form for one key cryptosystems in the sense: for any

one key cryptosystem without data expansion and with bounded error

propagation implementable by a ﬁnite automaton, we always ﬁnd a one

key cryptosystem in canonical form such that they are equivalent in be-

havior. This assertion is aﬃrmative by results concerned on feedforward

invertibility in Sects. 1.5 and 5.2. Under the framework of the canonical

form, the next is to study its three components: an autonomous ﬁnite au-

tomaton, a family of permutations, and a nonlinear transformation. The-

ory of autonomous ﬁnite automata has been discussed in the preceding

chapter. As to permutational family, theory of Latin arrays, a topic on

combinatory theory, is presented in this chapter also.

Key words: one key cryptosystem, canonical form, Latin array

In the ﬁrst seven chapters, theory of ﬁnite automata is developed. From now

on, some applications to cryptography are presented. This chapter proposes

a canonical form for one key cryptosystems in the sense: for any one key

cryptosystem without data expansion and with bounded error propagation

implementable by a ﬁnite automaton, we always ﬁnd a one key cryptosystem

in canonical form such that they are equivalent in behavior. This assertion is

aﬃrmative by results concerned on feedforward invertibility in Sects. 1.5 and

5.2. Under the framework of the canonical form, the next is to study its three

components: an autonomous ﬁnite automaton, a family of permutations, and

a nonlinear transformation. Theory of autonomous ﬁnite automata has been

discussed in the preceding chapter. As to permutational family, theory of

Latin arrays, a topic on combinatory theory, is presented in this chapter

also.

274 8. One Key Cryptosystems and Latin Arrays

8.1 Canonical Form for Finite Automaton One Key

Cryptosystems

From a mathematical viewpoint, a cryptographic system,orcryptosystem for

short, is a family of transformations {f

,k ∈ K} depended on a parameter k

called the key,whereK is called the key space, f

is called the cryptographic

transformation which is an injective mapping from a set P (the plaintext

space) to a set C (the ciphertext space). For sending a message α which is re-

ferred to as plaintext through an insecure channel, where it may be tapped by

an adversary, using this cryptosystem, the sender ﬁrst encrypts α by applying

to it and then sends the result f

(α) which is referred to as ciphertext

over the channel. The receiver decrypts the ciphertext f

(α) by applying f

−1

to it and retrieves the plaintext α,wheref

−1

is an inverse transformation of

. The receiver and the sender share the key k; this cryptosystem is referred

to as a one key cryptosysyem.

An example of cryptosystems is the stream cipher of which the key string

is a pseudorandom sequence generated by a binary shift register of order n.

The key space is the vector space of dimension n over GF (2), the plaintext

space and the ciphertext space consist of all words over GF (2), and the cryp-

tographic transformation f

is deﬁned by f

...x

l−1

)=y

...y

l−1

where y

= s

⊕ x

, i =0, 1,...,l− 1, and the key string s

...s

l−1

is the

ﬁrst l digits of the output of the shift register for the initial state k.Itis

well known that shift register sequences have received extensive attentions in

cryptology community since the 1950s. Although shift registers are impor-

tant sequence generators in stream ciphers, they are merely a special kind of

autonomous ﬁnite automata. Finite automata have been regarded as a nat-

ural mathematical model of cryptosystems from an implementing viewpoint,

where the plaintext space and the ciphertext space consist of all words over

some ﬁnite sets, and the cryptographic transformation f

(α)equalsλ(k, α),

λ being the output function of some weakly invertible ﬁnite automaton, and

the key space is a set of weakly invertible ﬁnite automata and their initial

states.

Assume that a ﬁnite automaton M = X, Y, S, δ,λ is chosen as an en-

coder to implement encryption. Then M must satisfy some conditions on

invertibility. In the case where M is invertible with delay τ,wemaychoose

its inverse ﬁnite automaton with delay τ,sayaτ-order input-memory ﬁnite

automaton M



= Y, X, S



,δ



,λ



, as the corresponding decoder to imple-

ment decryption. To encrypt a plaintext x

...x

l−1

in X

∗

,weﬁrstexpand

randomly τ letters x

,...,x

l+τ−1

in X to its end and choose randomly a state

s of M, then compute