WO2001019015A2 - Application of automated models for the information protection - Google Patents


Publication number
WO2001019015A2
Authority
WO
WIPO (PCT)
Prior art keywords
status
bit
automaton
player
statuses
Prior art date
Application number
PCT/US2000/024565
Other languages
French (fr)
Other versions
WO2001019015A3 (en)
WO2001019015A9 (en)
Inventor
Vladimir Kopylenko
Lev Zaidenberg
Original Assignee
Tri D Store Ip, Llc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tri D Store Ip, Llc filed Critical Tri D Store Ip, Llc
Publication of WO2001019015A2 publication Critical patent/WO2001019015A2/en
Publication of WO2001019015A3 publication Critical patent/WO2001019015A3/en
Publication of WO2001019015A9 publication Critical patent/WO2001019015A9/en


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/04 Masking or blinding
    • H04L2209/043 Masking or blinding of tables, e.g. lookup, substitution or mapping
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution

Definitions

  • Version C: This mode is a modification of the previous one
  • «the message» is encoded and transmitted by open connection, while the decoding method (key) is transmitted by the protected connection
  • the difference from the version is that the encoded message is accessible to «the third» participant of the process of dialogue
  • the problem of the «breakage» is reduced to the key determination and, if its size is less than that of the encoded text, the «breakage» of this channel is more probable than the «breakage» of the encoded text
  • the automatic cryptography model is a finite automaton with one input, one output and N statuses. If a bit flow of the source text is applied at the input of such an automaton, the bit sequence at the output will depend on the following factors
  • Program for the encoder status table generation: The program uses a random number generator for generating the encoder status table, taking into account nontrivial realizability of a finite automaton
  • Consequence 4: The permutation inside any line does not cause the appearance of deadlock and pending statuses (however, the algorithm implementing this table has changed)
  • the amount of versions is here equal to the number of permutations from N, i.e. N!. It is necessary to subtract from this number those permutations in which a status number coincides with a line number. Their amount is equal 2 N
  • the number of variants is here equal to N • - 2
  • the amount of versions of filling in the second cells in each table line is equal to the number of combinations for the case, when each status can meet
  • the amount of versions of filling in the fourth table column is equal to the number of combinations for the case, when each status can meet 0, 1, ..., N/2 times. Their
  • N amount is equal to N 2
  • this number is equal to 22054. It is obvious that this number is less by many orders than the number 363*10 , obtained above. This defines a direction in which the breakage should be carried out
  • This number shows that by using an ordinary personal computer and for an acceptable time it is possible to decode in a non-authorized way any sender message, if the automaton with 10 statuses was used for encoding
  • the analysis of the input-output table shows that the coding rate does not depend on the number of statuses
  • input X receives the sequence equal to the simple path from the Fig 3 to Fig 4
  • the first ten bits generate the output values similar to the base model. Due to the permutation (Fig 4b) after the transition from the first status (it is necessary to mention that the table "b" is not an addition to the table "A" and is a new independent table), the recurrence of the first 10 bits produces the other output sequence, i.e. 100111101 ceases to be a simple path (the largest cycle)
  • the complexity of the N-extended model breakage is equal to 0(2 2 +N+i )
  • the estimation of the bit amount for the breakage will make up approximately 18*10 308 bits, and the simple path length - 1024
  • the cycle definition: Really, if we accept that the cycle is a path repeating every time when a certain bit sequence is received at the input, so far the automaton gets into the same status with the only way of cycle termination, in the extended model the said sequence will bring the automaton into the status in which the permutation took place, i.e. an absolutely different sequence will be produced. It can cause identical output sequences to correspond to different input ones, which complicates the breakage to a greater extent. Besides, the order of permutations will depend on the initial text, which considerably complicates the breakage procedure if the hacker cannot set the initial text himself,
  • the N-expanded coding model may perform the decoding according to the same scheme because permutations in tables of the sender and receiver take place simultaneously. It is the same for the model with the split states
  • the algorithm shall include no operations of empirical choice, which are difficult to formalize, and in this case the development process can be completely automated. Let us remind that "a circuit with races" is such a circuit, in which there are at least two chains, distributing signals, which convert the automaton to be implemented into different statuses; "a circuit with competition" is a circuit with at least two chains, which change their statuses simultaneously (one switches on, and another is disabled), and this results in a short-term modification, not stipulated by the algorithm, of the signal value on the output of a circuit element. Sometimes this phenomenon is mentioned as chatter. The circuit, in which races and competitions do not cause the algorithm modification, is mentioned as the circuit not critical to races and competitions, and such a circuit does not require debugging. A combination circuit is such a device, which always forms an output value identical to the input value. To simplify the designing process we shall accept that the constructed circuit should consist of u
  • the unit 1 (1 1, N) should pass into the active status, when the transition into the Hh status is fulfilled
  • the statement: the circuit built from such units and implementing the algorithm given by the table of inputs-outputs is not critical to races and competitions, as in the circuit only one unit can be active. Let us discuss the possibilities to fulfill the requirements to a circuit to be developed
  • the device to be created has one mput “e” and one output “y” as a function of "e”
  • a combination circuit See Fig 9 for the model of the device providing the properties enumerated above
  • similar devices are mentioned as circuits with feedbacks or circuits with memory
  • the circuit contains the combination device, on inputs of which it is entered the variable e and the set of variables Z, which are formed on outputs of the combination circuit
  • These variables accept such values that on combination device inputs different values of variables from Z correspond to different statuses of AFC with identical "y" values at identical values of "e"
  • the process of constructing the circuit of the device with a memory starts with determining the number of variables from the set Z and logical conditions, at which they should accept unit or zero values. Let's put in correspondence to each AFC transition a variable where j - number of the statement top, from which the transition is branched, and 1 - value the variable "e" by this, and a variable which is equal to 1, when the device is in a status 1
  • the condition of switching on can be obtained directly from the table
  • the number of variables is equal to the number of occurrences of the status 3, the lower index of the variable corresponding to a line number, in which the status 3 is indicated, the upper index corresponding to the column, in which this occurrence of the status 3 is located
  • the holding condition obligatorily contains the eigenvalue of the variable Z 3 , and inverse value of the logical sum of variables appropriate to statuses, in which the transition therefrom is possible. In our case it is one transition from 3* to 3
  • the function for Z 3 is built similarly (The variable D is entered for the convenience of the function reading-out and corresponds to the condition of switching-out of the function Z3 )
  • the circuit implementation of the unit 3 is shown (In the figure, we see the implementation in the element base AND-OR-NO, however the circuit can be implemented in any functionally complete base )
  • the tilde marks inverse values
  • the cell automaton is a set of identical cell devices (Fig 12B) with four inputs (a, c, e, and g) and four outputs (b, d, f, h).
  • Fig 12B Each cell implements the logic function AND-NOT.
  • Each cell (see Fig 12A), excluding peripheral, can exchange information with four adjacent ones. Only peripheral cells can send and receive external signals.
  • Each cell can perform the next operations:
  • Fig 14 Let us consider now an implementation of the base model (see above). See Fig 13a for the status table, and Fig 13b for the algorithm flow-chart. See Fig 13c for an example of the top 1 splitting for using the synchronizing signal t necessary for the circuit implementation.
  • the base model must have one adjustable cell automaton with the size near 300 cells and memory 1 Mb in addition to executive (service) units.
  • Fig 17 See Fig 17 for the conventional designation of a separate cell in the cell automaton and a fragment of its circuit (all circuits below are developed by the author using the algorithm created by the author. Its particular feature is its complete formalization, i.e. it can be programmed, and the circuits, implemented on its bases, do not require debugging), implementing the switching unit for output b.
  • Said unit consists of flip-flops which are set in the state "1" or "0" by the adjustment (see Fig 12) and AND-NOT gates, switching inputs a,e,g and output of the cell functional AND-NOT gate. Switching units of the rest of cell outputs are implemented similarly.
  • Fig 18 See Fig 19 for the connection circuit of all inputs and outputs switching of one cell of the cell automaton.
  • Fig 19 See Fig 20 for a conventional designation of one cell of the cell automaton together with buses B and G.
  • the adjusting circuit contains the flip-flop with a countable input which is set to "1" by the first coincidence of values on the buses B and G, which are equal to one, and to "0" by the second coincidence.
  • the adjustment signals are recorded into the register and transmitted by the bus G, while the bus B is set for "0".
  • value "1" is set via buses B and G.
  • the register signals set flip-flops of the switching units into corresponding states.
  • each subscriber has a smart card of a multipurpose type, in which the codes are stored for the encoder-decoder adjustment to provide the protected information interchange with the database, ii) The information interchange of the subscriber with the database begins with the transmission to the database of the subscriber's name with an open text.
  • the subsequent dialogue proceeds with the help of the code known to the subscriber smart-card and database.
  • Block providing connection with the computer; 2- block, storing adjustment codes; 3 - cell automaton field (encoder-decoder); 4- processing
  • Fig 22 The structure of a smart-card is shown in the Fig 22.
  • the basis of the smart-card is a field of cell-like automatons that can be adjusted by one of adjusting codes, which are stored in the storage unit for codes of adjustment.
  • the smart-card is intended for the operation under the control of a computer, the interaction with which takes place with the help of the processor and unit for organising the interchange with the computer, said unit being located in the smart-card.
  • the unit of storing adjustment codes represents the electronic STORAGE, which stores the information, written therein during interval between sessions. The entry of the code is made by the device of the Database during filing the subscriber's smartcard.
  • the database is in conditions excluding a direct physical access to it without special authorities.
  • the algorithm of the control and storages of the database is implemented by the computer.
  • the operation of the database with the subscriber has two modes: 1. Filing.
  • the smart card of the subscriber having defined authorities is located in the reception unit of the database.
  • the database assigns the unique name to the subscriber, generates the unique code and writes the adjustment code into the smart-card and writes the subscriber name and adjustment code in the unit for storage of subscribers names and unit for storage of adjustment codes, accordingly, and opens the subscriber database, which will be stored in a form encoded with the subscriber code.
  • the name of the subscriber is known to the subscriber, and the code is accessible only with the direct access to the database. Now the access to subscriber data is possible only when using his smart card
  • 1 - Block realizing communication protocol
  • 2 - block, storing the users' "names"
  • 3 - block storing the encoder-decoder adjustment variants
  • 4 - coding program; 5 - memory
  • 6 - structure of the data base protective block; 7 - processor.
  • Fig 24 As seen from the Figure, the shell, realized by the operating system, plays the principal part in the protection. It is possible to mark out two levels of the protection:
  • the interior level (see Fig 24, point A), providing user access (here, user is a person registered in the computer database and accessing it via local network of the company, where the computer is located) to various data according to their authorization.
  • user access here, user is a person registered in the computer database and accessing it via local network of the company, where the computer is located
  • For the user identification it is applied the name or password allocated to him when filing. Namely, this predetermines a direction of "breakage", because it is sufficient to break open the system of the password generation to receive the access to the computer database.
  • the reason of unreliability is that the protection algorithm is the same for all users, while the keyword is a subject to breakage.
  • a unique algorithm of coding should encode the data of each user.
  • Said unit consists of:
  • the subscriber filing takes place at his first addressing to the computer. For this purpose, he puts the smart card in the computer reception device. Thereafter the computer generates subscriber name, records it in the database and informs the subscriber. Then the computer generates the algorithm of coding-decoding, according to authorities of the subscriber. All these operations are fulfilled under the control of the person with appropriate authorization.
  • the block diagram of the computer protection See Fig 26 for the computer block diagram.
  • the protection unit is marked out with a color. As seen from the diagram, this unit is connected to the common bus together with other computer devices. It allows to use the driver for organizing such interconnection with the processor, when all read or recorded information is decoded or encoded by the protection unit, previously adjusted to some definite code.
  • 1 - Protection unit 2 - Input, output interface; 3 - display keyboard; 4 • disk unit; 5 - Input, output interface; 6 - disk controller and interface; 7 - memory; 8 - program data; 9 - microprocessor; 10 - bus
  • the filter defines values of Fourier-conversion factors according to the accepted level of quantization in the range of 90 dB
  • the size of the obtained information makes up, for example, for the three-minute reproduction of a compact disc 1 - 2 Mbps by the order. Considering the coding and playback processes in real time, using processors and communication links with widely variable parameters, it is clear how important it is to solve the problem of data formatting
  • MPEG-7 provides a possibility of application for coding and transmission of the television images (from meta-data to multimedia). Basing on these standards, there appeared such products as Layer-1, Layer-2 and Layer-3, which follow the requirements of the standard
  • the copyright problem is a problem of security of the copyrights (property rights) in video- and audio products
  • the idea of the author's identification is similar to the idea of "watermarking" and supposes implementing into the protected information of the data, mentioning the author's rights
  • the size of such data makes an insignificant part of the total information content, and the mode of its inclusion is such that a) it does not hinder perceiving the main information, b) it can be easily detected and c) it is difficult to change this information without disturbing the quality of perception
  • SysCoP can identify the information affiliation, but it does not hinder an unauthorized usage of the information, including its copying.
  • the play-back device player
  • this information is written as a watermark code.
  • MMP Multimedia Protection Protocol
  • the file begins with a title, which contains the following information: provider and distributor; user, for which the file is intended; a mode of coding; and additional data: the author, copyright-holder etc. (The full enumeration of the title is given in the «Niels
  • the source file is divided into blocks, their structure shown on Fig 28. So, according to ISO/MPEG Layer 3, the compact disc music file of three minutes duration (3 minutes x 112 Kbps ≈ 2.5 MB) is divided into blocks 512 KB each, with a title of 200 bytes, i.e. it makes up less than 0.04 %. As seen on the figure, a part of multimedia content is encoded. A distributor defines the size of this part, as the decipherability requires an additional time, which influences the implementation of the process in the real-time. If we encode eight bytes from every 1024 bytes, it is enough to protect the MMP-file. For encoding-decoding, the DES is used.
  • the MMP-file is encoded with the help of several 64-bit keys.
  • the key K1 is applied to the file header coding; the keys K2 and K3 are provided by distributor and user, accordingly, for coding contents.
  • the key K1 is "hardwired" in the decoding program by the producer of the MMP-player, and the keys K2 and K3 are introduced into the title by the file acquisition.
  • the distributor buys from the producer the program for playback of MMP-files, in the data table of which the producer has written a key K1. Its application is possible at presentation to the program of the distributor's ID (the distributor's ID is given to him by the producer). Besides, the ID of the distributor gives him the right to bring the key K2 into the program, having conferred it the user ID when selling
  • HW the own algorithm of coding for each player
  • HW is an adjustable device (preferably it is an adjustable field of cell-like automata possessing its own geometry - field sizes)
  • HW implementation makes the breaking-in practically impossible for technological reasons
  • the program interception becomes useless, if it is transmitted the adjustment of the HW unit which is specific to each unit
  • the HW-implementation can be fulfilled either as a smart card, or as a computer. It is connected to the common bus of the processor 11
  • the mechanism of the protection provides an interaction of two subjects
  • the distributor who has a set of multimedia files (MMF), a program generating encoding-decoding algorithm, with an adjusting code on the output which considers the "geometry" of a homogeneous medium to be adjusted, and database, storing users' IDs together with adjusting codes
  • the HW may be a reusable device and has a memory for the ID recording and adjusting signals of the distributor
  • the algorithm of the distributor and user interaction looks like
  • the distributor computer requests HW parameters and generates in a random way an algorithm of coding-decoding and tuning codes, writes them in its database and sends them for the player adjusting UI
  • the user smart card records the distributor ID and tuning code in its memory
  • the distributor ID is written in the file header
  • V The user can either record the received MMF in a computer memory, or reproduce it in a real time, recording it in parallel into the computer memory
  • the MMF can be copied, however its reproduction is possible with the specific player only. In spite of the fact that the adjusting code is transmitted openly, it is impossible to restore the decoding algorithm with its help for two reasons
  • the adjusting code is constructed based on the coding-decoding algorithm generated by a random way and
  • the task can be shortly formulated in the following way
  • if the disk was purchased with the right of its reading with one player only, it means that it can be used only on that player, with which it was read out for the first time
  • the information field consists of two parts
  • the producer selects for each series one of algorithms of the information coding, which are located in the
  • the player reads out the keyword from the disc and tries to decode it, looking over words from the list in the BP-1
  • the player erases the keyword from the disc and records instead its own serial number and line number from the BP-1 (it is necessary to mention that there is no necessity to encode this information. Even if such a disc is physically copied, it can be read out with the one player only)
  • the items 3 and 4 are carried out only once. Thereafter the compact disc can be reproduced on the given player only
  • the latter is placed in the player. The player checks whether it is registered in its database, i.e. reads out the disc and checks whether its serial number is recorded instead of the keyword. If it is so, the adjustment code number is read out from BP-1. The adjustment code for the field of the cell-like automaton is read out from BP-2. The field is adjusted and the player is ready to read out the information content of the disc
  • the information content on the disk should be encoded using the original algorithm that is specific to the given series of discs. This does not allow to apply existing cryptography systems, as the reliability of the protection therein is based on the difficulty of keyword determination, and the coding algorithm by itself is known for all
  • the player construction eliminates physical and electrical unauthorized access to the interior arrangement of its electronic modules 12 2 2
  • the requirements to the protection are:
  • CD-ROM read-out should be possible only with the help of a specialized player (The term "read-out" assumes here the playback by specialized devices of the information, which has been recorded on CD-ROM )
  • the CD-ROM operation has to consist of two stages: i) The player checks whether the reading out of this disk has earlier been performed on the other player. If it has been, the reading out of the disk stops. If it has not been, it is checked if this disk was registered in the player database. If so, the information on the coding mode is read out from the database and its playback starts. ii) If the disk is read out for the first time, the CD-ROM filing is made. Thereby the player reads out the information on the decoding mode from the CD-ROM. This information is recorded in the player database, and the registration number of the disc in the player database is recorded on the disk instead of the decoding information. After that, the player begins to read out CD-ROM
  • Electronic memory has to store the adjustment code for the electronic unit to decode the information obtained by the CD-ROM read-out
  • the adjustment code is received at filing CD-ROM and is formed in the player with the specific adjustment parameters of the electronic unit, formed exclusively by its manufacture (see item 1). It makes it impossible to use this information, even if it is obtained by an unauthorized experimenting with the unit, for adjusting another player or developing the appropriate software
  • the information in this field is encoded with the help of one of the existing cryptography systems (for example RC-4)
  • the mode of coding, i.e. a keyword, is selected by the manufacturer of the compact disk during writing the information from the list D onto the disc
  • the list structure is identical for all players, but the order of elements in the list is individual for each player
  • the determination of the information coding mode in the field A gives little to a "hacker"
  • this mode defines the number of an element in the list D
  • i.e. the information for adjustment of the cell automaton field when decoding the information content of the compact disc. That is, the decoding of this information gives a little for "breaking-in", though it is connected to the large exhaustive search
  • This field contains parameters of disc filing with a player during its first reading-out
  • This information is specific for the player, does not carry any knowledge on its structure and can be an uncoded one III
  • This field contains the information encoded using the algorithm, which adjusts the field of the player cell automaton. There are two versions of this information coding
  • the offered technology allows to create a multilayer protection of the content-information
  • the disk made according to the FMD-technology consists of two parts
  • the player After the first reading out the disk the player erases the "label" content and records the registration number of the disk into its database. As the disk is WORM (Write Once, Read Many), this operation can be carried out one time only. After that, the disc can be read out only on one player, which makes it inexpedient to copy it on other discs
  • the player for FMD reproduction consists of two parts: mechanical, which organizes reading from FMD, and electronic, which converts this information into the form necessary for its reproducing by known technical facilities (TV and audio equipment, etc.)
  • the decoding unit is a field of cell-like (adjustable) automata. Topological parameters of this field are specific to each player. Therefore adjusting signals will be different for each player even with the same decoding algorithm
  • Public-key technology is a process of data cryptography protection, when there are coding mode and key known to all participants of the process of information exchange (including not licensed ones), i.e. public-key, and decoding mode are known only to the initiator of information exchange (private-key). Thereby it means that the private-key construction based on the known public-key cannot be practically executed in reasonable time
  • the principal advantage of such a mode of the information protection is a solution of a problem of the keys protected interchange, which arises when using symmetric cryptography systems such as DES. More often public-key technology is used for the key transmission. It is based on operating with prime numbers and was never broken until now, contrary to DES, which has been broken several times in the last ten years
  • the application of the existing public-key technology for the information coding is not expedient because the speed of such system is 1000 times less than the DES speed
  • the first column of the table contains numbers of statuses, and the second and third columns contain numbers of those statuses, to which the device passes at an appropriate input value
  • the fourth column there are values of the encoder output in each status (2)
  • the right part of the table corresponds to the left one with the only difference, that status numbers are written there in a binary code (2)
  • the table 3 consists of two parts upper one concerns the statuses, in which z 3 ' accepts values of one (see Fig
  • MDNF disjunctive normal form
  • DNF disjunctive normal form
  • AMDNF absolutely minimum disjunctive form
  • the representation of the encoder as a system of logical functions allows easily to realize it either as hardware, carried out as a) a recustomized logic array, or a recustomized field of cell-like automata, or b) as a software
  • the finite-automated cryptography system is asymmetric one; i.e. algorithms of coding and decoding are various.
  • N 2 (N + 1) - + (2N + 1)2 W operations where N in this case is the status number if it is known.
  • N the status number if it is known.
  • minimum size of text to be entered has the order of 8 Gbyte - this magnitude is seven orders less than previous one, but large enough to make practically impossible not only the analysis of the encoded text, but also his simple arrangement.
  • <A> sends an inquiry to <B> about the necessity of connection.
  • <B> After receiving the inquiry from <A>, <B> generates a system of logical functions of the encoder and transmits it to <A>. Simultaneously <B> generates the decoder. As this transmission is not protected, <y> receives logical functions of encoder too. <A> either customizes its hardware or records into the software database of its encoder. The same can be done by <V>
  • the input-output table may describe operation of such automaton. See Fig 38b for its possible filling (An oriented graph, shown in the Fig 38c, may be put in correspondence with such table. In this graph the arc corresponds to one transition and the transition direction is marked with a dot)
  • Consequence 4 The permutation inside any line does not cause the appearance of deadlock and pending states
  • the table is invariant in relation to the lines permutation. Therefore, the algorithm implementing the table does not change when altering the order of lines enumeration and consequently altering transition numbers . As shown in the Consequence 3 the order of lines in the table does not change the automaton algorithm
  • Mode of generation of the states table. One of the «gold rules» of the cryptography says that any secret becomes explicit earlier or later. With the reference to our case it means that, estimating the breakage difficulty, it is necessary to assume that the status table generation mode is open. ii) Number of states in the table. This magnitude is selected randomly. iii) Filling in the table of states. Filling in of the table is selected by a random way. iv) Source text. v) Encoded text.
  • the amount of variants here is equal to the number of permutations from N, i.e. N!. From this number it is necessary to subtract those permutations, in which the number of
  • the amount of variants of filling up second cells in each table line is equal to the number of combinations for the case, when each state can occur 0, 1, …, (N-1) times. Their amount is equal to $N^{N-1}$
  • the amount of variants for filling up the fourth table column is equal to the number of combinations for the case, when each state can occur 0, 1, …, N/2 times. Their amount is equal to $N^{N/2}$
  • Fig 39b shows numbers corresponding to the status numbers of the table in the Fig 39a. This is only to show the connection between the table and tree. In the experiment to be carried out the state numbers are not known. detection of repeating output sequences It is shown below, that the amount of data can exhaust the computer resources before the required result is obtained
  • this number is equal to 22054. It is obvious, that this number is many orders less than $3.63 \cdot 10^{20}$ obtained above, and this defines a direction, in which the breakage should be performed
  • This number shows, that using an ordinary personal computer and during an acceptable time, when knowing N and having a possibility to generate the source text directly, it is possible to construct the encoder table of states. At unknown N it is necessary to generate directly the text to be encoded, analyzing the code for the cycles selection. The most long of them is twice that as N and thereafter it is possible to construct the status table
  • the size of such text is defined by the formula
  • the byte table of states should contain equally 256 columns. Let us admit that it contains a smaller number of columns. It means, that there is such value of an entering byte, for which this value is not defined. Let us now admit, that the table has 257 columns. However, the entering byte has 256 values. It means, that therein two columns have an identical byte value, i.e. the table can not be realized by a finite automaton
  • the byte table of states should contain 256 lines. Let us admit that the state number is less than 256. But as the column number in the table is equal to 256, it means, that in each state there will be state numbers with identical output values, and this is in a contradiction with a condition of decodability of the status table (see on page 61). The same will take place with the number of states that is more than 256
  • the encoder is accessible to the manipulation with the entered text and monitoring of the encoded text

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A technique for automatic cryptography uses a status table as a lookup table to convert an incoming bit flow, bit by bit, into an outgoing bit flow. The device performing the cryptography is in a different status for the conversion of each bit. The status table is generated through random number generation and includes, for each possible value of the status, new values to which the status is to be reset depending on whether the incoming bit is '1' or '0' and a value of the outgoing bit for that status. Each incoming bit is converted in the following manner. The status is determined and then reset using the status table and the value of the incoming bit. Then the value of the outgoing bit corresponding to the new status is read out.

Description

AUTOCRIPTUM APPLICATION OF AUTOMATED MODELS FOR THE INFORMATION PROTECTION
(General theses)
1. INTRODUCTION
1.1 Substantiation of the necessity
1.2 How does it look like nowadays
1.3 How can it be made better?
2. MAIN PRINCIPLES AND APPLICATION OF THE AUTOMATED CRYPTOGRAPHY MODEL
2.1 What is this «an automatic cryptography model»?
2.2 Generation of coding and decoding devices
3. ALGORITHM DESCRIPTION
3.1 Base model
3.2 Discussion of the base model
3.3 N - extended model
3.4 Splitting of statuses
4. DECODING ALGORITHM
5. DISCUSSION OF APPLICATION FEATURES FOR THE OFFERED MODELS
6. THE CIRCUIT REALIZATION OF CODING-DECODING DEVICES
6.1 Base model
6.2 The extended model
7. USE OF CELL AUTOMATONS
7.1 Circuit implementation of cell automaton
8. PROTECTION OF THE INFORMATION INTERCHANGE BETWEEN THE DATABASE AND SUBSCRIBERS
8.1 General concept
8.2 The structure of a smart-card
8.3 The structure of the database
9. PROTECTION OF COMPUTERS FROM UNAUTHORIZED USE
9.1 What should be a protection?
9.1.1 Structure of the protection unit in the computer database
9.1.2 Subscriber filing in the computer database
9.1.3 The block diagram of the computer protection
10. PROTECTION OF AUDIO- AND VIDEO DATA FROM UNAUTHORIZED ACCESS AND COPYING
10.1 Singularities of the audio-information presentation
10.2 Copyright and protection from the information copying
10.1.2 Copyright Problems
10.2.2 Protection from the unauthorized use
10.2.2.1 Protection engineering
10.2.2.2 The possible directions of breaking-in
10.2.2.3 Modes of the degree of the protection rise
11. APPLICATION OF THE FINITE-AUTOMATED MODEL OF CODING-DECODING FOR THE PROTECTION OF A MULTIMEDIA INFORMATION
12. THE CONCEPT OF FMD COMPACT DISCS PROTECTION FROM UNAUTHORIZED USAGE
12.1 Problem statement
12.2 Discussion of the application mode
12.2.1 Accepted assumptions
12.2.2 The requirements to the protection
12.2.3 The factors ensuring the requirements to the protection
12.2.4 Probable modes of "breaking-in"
12.3 Possibilities of the FMD protection
12.3.1 Peculiarities of the FMD information organization
12.3.2 Singularities of the player organization
13. PUBLIC-KEY DATA PROTECTION, BASED ON THE FINITE-AUTOMATION MODEL
13.1 Premises
13.1.1 Public-key technology - what is this?
13.1.2 The public-key technology on the basis of finite-automation model
13 2
13
Figure imgf000003_0001
13.3 Discussion of the possibility to apply the public-key technology
13.3.1 Premises
13.3.2 Application of the public-key technology
14. COMPARATIVE ESTIMATION OF FINITE-AUTOMATED RATE AND SOME OTHER WIDELY-DISTRIBUTED CRYPTOGRAPHY SYSTEMS RATES
15. ESTIMATION OF DIFFICULTY OF VARIOUS CRYPTOGRAPHY AUTOMATED MODELS "BREAKING"
15.1 Coding model "one to one"
15.1.1 By-bit base model
15.2 Discussion of the possibility "to break" of bit-wise base model
15.2.1 Number of statuses in the table is known
15.2.2 The size of the table of states is unknown
15.3 The byte base model
15.3.1 The encoder is not accessible to the manipulation
15.4 Models of redundant coding
15.5 Comparison of the breakage difficulty of the finite-automaton model having working cryptography systems
1 Introduction
1.1 Substantiation of the necessity
The data protection is one of the most ancient problems and it has arisen together with the problem of intercourse (communication) organization. In spite of the fact that this process provides for the presence of two interlocutors, as a rule it does not exclude a participation of a third one, generally undesirable. Possible versions of the dialogue are following:
Version A. Open connection, when all participants have identical possibilities for the involvement in the communication process. This version does not require any comments.
Version B. Fully secured connection. It provides for the usage of a "courier" for the information delivery. It is obvious that the «breakage» of this «channel of contact» requires the use of special organizational measures. Such mode ensures a complete protection from an undesirable participant. The negative aspect is a small «channel» capacity.
Version C. This mode is a modification of the previous one. Thereby «the message» is encoded and transmitted by open connection, while the decoding method (key) is transmitted by the protected connection. The difference from the version B is that the encoded message is accessible to «the third» participant of the process of dialogue. The problem of the «breakage» is reduced to the key determination and, if its size is less than that of the encoded text, the «breakage» of this channel is more probable than the «breakage» of the encoded text.
1.2 How does it look like nowadays
Nowadays the cryptography systems DES and RC-4 are the most spread ones. The first of them uses permutations and substitutions of encoded character bits. For any encoded text the algorithm of coding does not vary, but the keyword changes. For DES, it is a 56-bit word. This system fulfills conversions in 16 steps, which defines its speed. The algorithm RC-4 is based on the application of permutations given by the permutation table of this method, and the permutation order is defined by a randomly selected key. It is implied that on the transmitting and receiving sides there is a synchronous work of generators of pseudorandom numbers started with the same keyword. The system was effective enough until its algorithm was published in the Internet. There is a large number of other cryptography systems using one or another way of permutation and substitution, but it is common for them that their algorithm is constant and the keyword varies.
1.3 How can it be made better?
What information is at the hacker's disposal when breaking a cryptography system?
For existing systems, the system algorithm is known to him and the keyword is not known. Therefrom it follows that the main direction of breaking is a definition of the keyword. It is not difficult to see that in the worst case it is bound with an exhaustive search. However, the task is considerably facilitated if the coding algorithm is known. From the above said it follows that it is more rational to build a system in which not only the keyword but also the coding algorithm would vary at every coding session.
2 Main principles and application of the automated cryptography model
2.1 What is this «an automatic cryptography model»?
The automatic cryptography model is a finite automaton with one input, one output and N statuses. If a bit flow of the source text is applied at the input of such an automaton, the bit sequence at the output will depend on the following factors:
1 Incoming bit flow
2 Initial condition of the status table
3 Total number of statuses
4 Disposition of transitions in the status table
Structural diagram of the automated construction of the encoder and decoder
1 - Generating the status table, 2 - Automated synthesis of the encoder adjustment and decoder status table, 3 - Automated synthesis of the decoder adjustment, 4 - Circuit or program implementation ?, 5 - Circuit implementation, 6 - Program implementation, 7 - Coding-decoding program, 8 - Encoder, 9 - Decoder
Fig 1
From the above factors, only the first one can not vary at the model generation. The number of various variants is so great that a possibility appears for the generation of the status table for each communication session.
2.2 Generation of coding and decoding devices
See Fig 1 for the algorithm of the status table generation for two versions of coding and decoding devices implementation:
• as hardware, and
• as software
Let us consider main stages of the algorithm.
1. Generation of the status table. This stage is realized with a computer. The program, with the help of the generator of random numbers, selects:
• the statuses quantity in the status table,
• organization of transitions,
• the program checks the obtained table for errors
2. If an encoder and decoder are implemented as a circuit, the item 3 is fulfilled; otherwise the status table is recorded onto the carrier and loaded into the computer. Thereby the computer contains the program of the encoder or decoder.
3. Automated synthesis of the encoder adjustment and the decoder status table. This stage is fulfilled on the computer, in which the program and status table are loaded.
4. The automatic synthesis of the decoder adjustment, which, as well as the encoder, can be carried out either with the application of readjustable logic arrays, or with the application of a field of homogeneous cell-like automata. This stage is fulfilled by the same program as the third stage, but with the decoder status table obtained at the previous stage.
The following resources represent the finite-automated model developed by us:
• Program for the encoder status table generation. The program uses a random numbers generator for generating the encoder status table, taking into account nontrivial realizability of a finite automaton.
• Program of the circuit construction of the coding and decoding devices for the HW implementation as adjustable matrices, field of homogeneous cell-like automata and so on. The circuit is obtained either as the table of connections between units or as adjusting signals.
• Program of coding - decoding of an information bit stream. The coding and decoding are fulfilled by means of the program of encoder and decoder, accordingly.
• Program of coding - decoding of an information byte stream. The coding and decoding are fulfilled by means of the program of encoder and decoder, accordingly.
• Simulation program of the coding and decoding device operation. The program simulates the circuit operation on the level of input and output signals of logical elements of the circuit.
3 Algorithm description
Figure imgf000008_0001
complete model and its main properties and characteristics
3.1 Base model
We accept that x represents the bit stream which enters the input 1-1 of the automaton, on which output the stream y is generated (Fig 1).
8=>10 and thereby y=1, and if x=0 there will be 8=>9 and y=0. Let us enter some definitions.
• Analogous to the graph theory, we shall name as «the path from a status Si to a status Sj» such a sequence of statuses Si Sk Sj, for which there is an input sequence shifting the automaton from Si to Sj.
• We shall name as "deadlock status" such a status with an inner path but no outer paths.
• We shall name as "pending status" a status with no inner path.
Assumption. Let us accept that for any automaton we can feed at the input such a sequence of units and zeros, which can be the basis to construct its complete inputs-outputs table. Not every inputs-outputs table can be implemented with the automaton, and we shall formulate conditions of its realizability with a finite automaton.
The statement. If there is a path in the inputs-outputs table for any pair of statuses, such table can be implemented with the finite automaton.
Consequence 1. If the table is implemented with an automaton, for each status there is at least one column from {1,0}, in which it is entered. Let us admit the opposite, i.e. there is a status Sv, which is not contained in any column {1,0}. It means that there is no transition into the status Sv, so it is a pending status.
Consequence 2. If the table is implemented with an automaton, it has no line therein, in which the number of this line is written in both columns {1,0}. Let us admit the opposite, i.e. such a status St exists. It means that after the transition therein the automaton will be in it anyhow long and there will be no transition therefrom into any other status, i.e. St is a deadlock top.
Consequence 3. The permutation between table lines does not cause the appearance of deadlock and pending statuses (thereby the algorithm does not change). The proof is obvious, as the permutation of lines in the table does not change transitions therein.
Consequence 4. The permutation inside any line does not cause the appearance of deadlock and pending statuses (however, the algorithm implementing this table has changed).
The proof is obvious.
Thus, not any filling of the input-output table makes it an automaton-implementable one.
Let us formulate the algorithm permitting to construct the automaton-implementable table.
1. To set the number N of statuses and to construct the table containing 4 columns and (N+1) lines.
2. To fill in, in any one cell of each line, the number of a status distinct from the line number, so that all statuses are used.
3. To fill in the fourth table column.
4. To fill in empty cells in the second and third columns as follows:
• in a table line the status with the number that is equal to the number of the line to be filled in should not be entered (the lack of single cycles is guaranteed),
• in one line numbers of statuses to which equal output values correspond should not be entered (i.e. such automaton will be convertible).
3.2 Discussion of the base model
We shall consider possibilities of the base model application in the cryptography.
Let us admit that the sender uses for coding an automaton built according to the input-output table created on the basis of the above mentioned algorithm. As one can see from items 2 and 4 of this algorithm, for the same N there can be versions of recording in the table. If the number of such versions is not great, then the probability of breaking such cryptography system is close to unit.
Let us estimate their amount. According to item 2 of the algorithm, the amount of versions is here equal to the number of permutations from N, i.e. $N!$. It is necessary to subtract from this number those permutations, in which a status number coincides with a line number. Their amount is equal to $2N$. Thus, the number of variants is here equal to $N! - 2N$.
According to the item 4 of the algorithm, the amount of versions of filling in the second cells in each table line is equal to the number of combinations for the case when each status can meet 0, 1, …, (N-1) times. Their amount is equal to $N^{N-1}$.
According to the item 3, the amount of versions of filling in the fourth table column is equal to the number of combinations for the case when each status can meet 0, 1, …, N/2 times. Their amount is equal to $N^{N/2}$.
Thus, the total number of versions can be calculated by the formula
$V = (N! - 2N)\,N^{N-1}\,N^{N/2} = (N! - 2N)\,N^{(3N-2)/2}$
The evaluations show that already for the table of 10 statuses this number is equal to $3.63 \cdot 10^{20}$, i.e. it is an absolutely improbable event to determine the table version selected by the sender by means of an exhaustive search of all versions. The situation can only be aggravated in the case when the table size is unknown.
Let us consider another mode of breakage.
Let us admit that the table looks as shown on the Fig 3a.
Let's accept that when breaking there is a possibility to manipulate an entering stream, i.e. to send on the input of an encoder any combinations of "1"s and "0"s and in any amount, obtaining an encoded text. The purpose of such experiment is to determine the algorithm of coding, i.e. to restore the input-output table.
See the Fig 3b for the fragment of a binary tree from the similar experiment. (See the Fig 3b for the numbers corresponding to status numbers in the table on the Fig 3a. It is made only to show the connection between the table and tree. In this experiment, the status numbers are unknown.)
Let us admit that the sequence 0000000 is sent to the input x, and the sequence 1001001 has appeared thereby on the output. Let us analyze what information on the input-output table can be got from this experiment.
♦ Any time the sequence 0000000 is sent into the input in the initial status, 1001001 will appear at the output.
♦ This sequence generates a cycle with the length 3.
♦ There is no information concerning the sequence 0000001, i.e. with the other value at the end of the input sequence.
General conclusion:
• Any single experiment contains the information which can not be obtained from any other experiment that does not contain the given one.
• Generating all possible input sequences can create the input-output table.
It is necessary to consider that the sequence 0000000 of length 7 allows revealing the cycle of length 3. Thus, (2n+1) bits are needed to detect the cycle with the n bit length. Let us return to the Fig 3b. The sequence 0011 shifts the automaton from the status 1 into the status 5 in the same way as the sequence 00 does. In this case it is known, because we have specified numbers of statuses in each top. In the experiment the tops are numbered arbitrarily (it was shown above that any order of numbering is equivalent to the permutation of tops without changing the algorithm). However, how to identify statuses obtained in experiments with 00 and 0011, i.e. to establish that they are identical ones? If this is not done, the experiment should be carried out until the complete information on the table is obtained. How to establish that the obtained information is sufficient? Obviously, it is possible if we write the experiment results into a memory and analyze the record to detect repeating output sequences. It is shown below that the data volume can exhaust the computer memory resource before we obtain a required result.
Let us define a low bound of the bit amount for all testing sequences necessary to generate the input-output table.
See the Fig 2c for the digraph corresponding to the table of the Fig 2b. The green color in this figure indicates a path going once through all tops. The path which passes once each status of the table is a cycle (see item 2 of the algorithm; in the table of the Fig 2c it is 1=>2=>3=>4=>5=>6=>7=>8=>9=>10=>1 and the corresponding set sequence is 1 0 0 1 0 1 1 1 1 0 (see Fig 3)), and has a length N. Let us designate it as follows: $t_1, t_2, \dots, t_i, \dots, t_{N-1}, t_N$, where $t_i \in \{0,1\}$, $i = 1, \dots, N$. Such a path simplifies identification of tops.
Let us admit that we have a complete path, and the set sequence 00 is sent in the status 1 of the automaton 1. If there was the transition into the status 2, it is sufficient to enter the sequence 001011110 into the status 1; if there was the transition into the status 3, the sequence will be 01011110, etc., i.e. for the identification of one status in the presence of the simple path (i.e. the path in the digraph which passes through all tops once) we need 1+2+…+(N-1)+N = (N+1)N/2 experiments of N length. Thus, the total number of bits necessary in this case is equal to
$\frac{N^2(N+1)}{2}$
It remains to define a simple path. It is obvious that if it exists in the given digraph, it can be retrieved as a result of generating sequences with the length 2N+1. Among them, there should be a cycle with the length N, which can be a simple way. It is easy to see that the necessary number of experiments is equal to $2^N$.
Thereby each experiment has the length 2N+1 and the total bit number necessary for the construction of the simple path is equal to $(2N+1)2^N$.
Thus, the total bit number necessary to realize the table construction can be obtained from the formula
$\frac{N^2(N+1)}{2} + (2N+1)2^N$
In the Fig 3, this number is equal to 22054. It is obvious that this number is less by many orders than the number $3.63 \cdot 10^{20}$ obtained above. This defines a direction in which the breakage should be carried out. This number shows that by using an ordinary personal computer and for an acceptable time it is possible to decode by the non-authorized way any sender message, if for encoding the automaton with 10 statuses was used. However, the analysis of the input-output table shows that the coding rate does not depend on the number of statuses. On the other hand, the table with 255 statuses will contain 255*4 = 1020 = 1K cells, which is admissible for resources of any modern computer. Meanwhile the formula shows that in this case the length of experiment (total bit number) is equal to $2.95 \cdot 10^{79}$.
This figure is so large that its interpretation is of no interest from the point of breakage with the help of any existing computer, as well as of computers of the visible future. From the above mentioned it is possible to make the following conclusions:
• The estimation obtained represents a lower bound of complexity for the breakage realization for the following reasons:
i) For the effective realization of the experiment it is necessary for the appropriate digraph to have a Hamilton path (for the input-output table it corresponds to a simple path). From the graph theory we know that not any digraph has the Hamilton path, which complicates the experiment considerably. (It is shown below that the model with split statuses has a digraph without the Hamilton path.)
ii) The experiment becomes considerably complicated if the number of automaton statuses is unknown.
In conclusion, the offered base model of the algorithm with maximum operation rate (one beat irrespectively of the status number) is practically unbroken. It is necessary to mark that from the point of security from breakage the offered base model exceeds RC-4, because it requires permanent key change to ensure the same reliability, while exceeding it in the speed (RC-4 is considered now as most fast of known systems).
3.3 N-extended model
Let us introduce some modifications in the base model. Let us admit (see Fig 4) that each time after the transition from the status 1, a permutation 2=>3 is made therein (see Fig 4a, b). The table of the Fig 4 is a duplicate of the table of the Fig 3.
In the Fig 4, input X receives the sequence equal to the simple path from the Fig 3 to Fig 4. The first ten bits generate the output values similar to the base model. Due to the permutation (Fig 4b) after the transition from the first status (it is necessary to mention that the table "b" is not an addition to the table "A" and is a new independent table), the recurrence of the first 10 bits produces the other output sequence, i.e. 100111101 ceases to be a simple path (the largest cycle). Moreover, in the status 10 (Fig 4b) the device will pass not into the status 1 (Fig 4a), but into the status 11 (i.e. the tables of the Fig 4 are not present, and there is a table of the Fig 4b). See Fig 4-II for the simple path of the model according to the Fig 4a, b. Really, after the transition into status 11 there will be again the permutation 2<=>3 therein and there will be a transition similar to the status 1 in the Fig 4. In case of single permutation, the simple path has the length of 20 bits.
The statement. If it is admissible in the base model to have up to N permutations, the path length in this model is equal to $2^N$ bits.
The proof results from the known formula for counting the total number of permutations from N in 1, …, N statuses.
• Definition. The base model, in which up to K (K = 1, …, N) permutations are admissible, we shall name the K-extended model.
Consequence. The total length of the experiment for the N-extended model is equal to
$2^{2N-1}(2^N+1) + (2^{N+1}+1)\,2^{2^N}$
The formula is obtained after the substitution in the above mentioned one, instead of N (length of the simple path), of the value $2^N$.
Thus, the complexity of the N-extended model breakage is equal to $O(2^{2^N+N+1})$. For the example of the Fig 4 (10 statuses) the estimation of the bit amount for the breakage will make up approximately $1.8 \cdot 10^{308}$ bits, and the simple path length is 1024.
The statement. There is in the extended model a unique cycle; it is a simple path.
The proof results from the cycle definition. Really, if we accept that the cycle is a path repeating every time when a certain bit sequence is received at the input, so far as the automaton gets into the same status, with the only way of cycle termination, in the extended model the said sequence will bring the automaton into the status in which the permutation took place, i.e. the absolutely other sequence will be produced. It can cause that the identical output sequences will correspond to different input ones, which makes the breakage complicated to a greater extent. Besides, the order of permutations will depend on the initial text, which considerably complicates the breakage procedure if the hacker can not set the initial text himself, even if he has an access to the transmitted and encoded texts.
Everything above mentioned allows to conclude that the N-extended model for transmitted units with a size up to 1K (the length of the simple path) approaches One-time pad on reliability.
3.4 Splitting of statuses
The base and extended models have a common property: they both hold the correspondence "one-to-one" (i.e. one output bit corresponds to one input bit). It allows getting some statistical information about the transferred message. The model in which the retrieving of such information is complicated seems to be more reliable. Let us consider the example shown in the Fig 5.
In the table "a" the values of y in the statuses 1, 6 and 8 are equal for alternative input values. This makes it impossible to restore "x" by the known "y" even with the legal access. Consequently it is necessary to modify the coding algorithm in the said statuses so that the output flow "y" contains enough coding information at the legal access and no coding information at illegal access.
• Definition. Statuses, in which the same output values correspond to all input values, are called non-alternative; otherwise they are called alternative.
The idea is that, contrary to alternative statuses, two bits have to be outputted by the transition, the first of them being the set one and the second the information one. In the Fig 5b the table fragment for the i-th non-alternative status (transitions into k* and j*) is shown, and thereby Yk and Yj are equal. In the Fig 5c the implementation of the transition into statuses k* and j* within two beats is shown (as it is seen from this figure, the next two beats take place at changes of t only). The first beat generates the set output value, and the second beat the information output value. (In this case the term "simple path" is applied conditionally and it is more correct to name it as the minimum one, because there is no Hamilton path in the appropriate graph (see the Fig 5j). This follows therefrom that it has a connective ("The course of discrete mathematics", V N Nephedov, V A Osipova, Moscow Aviation Institute, p 204, statement 4.32); for example, with the top 1 elimination the graph disintegrates into independent orgraphs.) In the same figure the top 1 splitting is shown, and for other tops to be split the set bits with the symbol " and the information ones with the symbol Λ are marked. As seen from the Fig 5d, the set bits cause redundancy (8 bits of 37 ones are redundant), which depends on the amount of statuses to be split. Their position in the output bit flow depends on the transmitted message (this circumstance disturbs the simple correspondence between the input and output bit flows and excludes obtaining of any statistical information about "x" and "y", including the initial text size). With the possibility to carry out the full experimental building of the binary tree, the breakage complexity does not depend on the number of statuses to be split, because the set and related information bits will appear every time when the appropriate input sequence "x" is generated. However, when using the top splitting, the breakage is practically impossible if one has no possibility to manipulate the entering flow in order to construct the input-output table.
4 Decoding algorithm
The algorithm of the base model decoding results from the way of the table of inputs-outputs organization. See Fig 6 for a table fragment.
It is not hard to see that a reverse table corresponds to it (it is possible under the condition that r and s have different values of y) (see Fig 7); the said table can be used for decoding.
The N-expanded coding model may perform the decoding according to the same scheme, because permutations in the tables of the sender and receiver take place simultaneously. It is the same for the model with the split states.
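
The reverse-table decoding described above, as an added Python example that is not part of the patent text. The 4-status table is constructed for illustration, and the extended model's per-status permutation is assumed here to be a toggle that swaps the two columns of the row just left, mirrored on the receiver side.

```python
"""Added illustration: a table-driven automaton coder and its reverse-table decoder.

TABLE is a constructed 4-status example, not the table of Fig 6 or Fig 8.
TABLE[status][x] = (next_status, y)
"""

TABLE = {
    1: {0: (2, 1), 1: (3, 0)},
    2: {0: (3, 0), 1: (4, 1)},
    3: {0: (4, 1), 1: (1, 0)},
    4: {0: (1, 0), 1: (2, 1)},
}


def undecodable_statuses(table):
    """Statuses whose two transitions emit the same y, so no reverse row exists."""
    return [s for s, row in table.items() if row[0][1] == row[1][1]]


def reverse_table(table):
    """Build REV[status][y] = (next_status, x), the table used for decoding."""
    bad = undecodable_statuses(table)
    if bad:
        raise ValueError(f"statuses {bad} emit the same y for x=0 and x=1")
    return {s: {y: (nxt, x) for x, (nxt, y) in row.items()}
            for s, row in table.items()}


def encode(bits, table, start=1, extended=False):
    """Walk the table of inputs-outputs, emitting one y per input bit x.

    extended=True models the per-status permutation as a toggle that swaps
    the two columns of the row just left (an assumption of this example).
    """
    state, swapped, out = start, dict.fromkeys(table, 0), []
    for x in bits:
        nxt, y = table[state][x ^ swapped[state]]
        if extended:
            swapped[state] ^= 1
        out.append(y)
        state = nxt
    return out


def decode(bits, table, start=1, extended=False):
    """Walk the reverse table; the receiver toggles the same rows in step."""
    rev = reverse_table(table)
    state, swapped, out = start, dict.fromkeys(table, 0), []
    for y in bits:
        nxt, column = rev[state][y]
        out.append(column ^ swapped[state])
        if extended:
            swapped[state] ^= 1
        state = nxt
    return out


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed sample input
    for extended in (False, True):
        coded = encode(message, TABLE, extended=extended)
        assert decode(coded, TABLE, extended=extended) == message
        print("extended" if extended else "base", coded)
```

In both modes the coded stream has exactly as many bits as the input, so the text size stays visible to an observer unless the split-status variant is used.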
5. Discussion of application features for the offered models
Let us consider features of the offered models' application depending on the conditions under which the unauthorized reading of messages may take place. Methods of the illegal receipt can be divided into four groups:
I Conditions when we know only the encoded text
II Conditions when we know the initial and encoded texts
III Conditions when there is a possibility to create an initial text and derive the encoded one. For the first three cases, we assume the sender's access to technical means
IV Conditions when there is an access to the receiver technical means, i.e. there is a possibility to experiment with the decoding device
What information is a hacker interested in?
i) The text size. The sizes of the initial and encoded texts are the same both for the base and extended models. This is impossible in the model with the split states.
ii) Frequency responses. For the use of linguistic methods of investigation, a repetition frequency of some symbols in the encoded text after its transformation into a symbol form may appear to be useful. However, as it follows from point 3 of the algorithm (see the section "The base model"), the encoder output number depends not only on the input bit but also on the status of the said value, and still more on the distribution of units and zeros when filling up the table column "y". Thus, an output value depends on four factors, only one of which (x) depends on the input bit directly, and the remaining ones depend on previous bits in an indirect form. Moreover, the repeating combinations of output values do not always correspond to the same output values.
6. The circuit realization of coding-decoding devices
It is known that any algorithm can be implemented both
• as a program, i.e. it is possible to write the program, and in this case the encoder or decoder (or both) can be realized with the help of the computer, and
• with the help of implementing logical units' schemes, the so-called hardware
The choice of this or that mode depends on conditions of maintenance. If the task of information interchange is one of the tasks of information processing for which the computer is necessary, it is rational to realize the selected model with the help of programs on the same computer. However, such implementation is less protected from unauthorized interference in the program operation and the breakage. If the information exchange is principal and requires high security from breakage (the existing technology allows producing devices with practically full protection from unauthorized penetration), it is more rational to implement it as hardware, because such implementation can result in maximum speed. See below ways of circuit implementation of the model.
6.1. Base model
In the Fig 8a the table of inputs-exits and in the Fig 8b its algorithm flow-chart (AFC) are shown.
Fig 8
We shall pass to the AFC circuit implementation. First, it is necessary to notice that application of the above models for ensuring reliable communication is admissible if the automated process of device development excludes any interference, especially unauthorized, at all production phases, and the number of variants is sufficient to provide the need for an encoder with the confidence that it implements a unique algorithm. We shall formulate the requirements which the algorithm of the circuit implementation should meet:
I The algorithm should allow building the circuit which does not require debugging. This excludes the involvement of men during the device creation, and consequently reduces the probability of unauthorized access
II The algorithm shall include no operations of empirical choice, which are difficult to formalize; in this case the development process can be completely automated. Let us recall that:
• "a circuit with races" is a circuit in which there are at least two chains distributing signals which convert the automaton to be implemented into different statuses;
• "a circuit with competition" is a circuit with at least two chains which change their statuses simultaneously (one switches on, and another is disabled), and this results in a short-term modification, not stipulated by the algorithm, of the signal value on the output of a circuit element. Sometimes this phenomenon is mentioned as chatter. The circuit in which races and competitions do not cause the algorithm modification is mentioned as the circuit not critical to races and competitions, and such a circuit does not require debugging;
• a combination circuit is a device which always forms an output value identical to the input value.
To simplify the designing process we shall accept that the constructed circuit should consist of units, each of which implements functions appropriate to one status. The number of such units is equal to the number of statuses. Each unit can be in the active status, when it defines the output value "y", and in the passive one, and should implement logical functions providing the fulfillment of the following conditions:
1 The unit i (i = 1, N) should pass into the active status when the transition into the i-th status is fulfilled
2 The unit i (i = 1, N) should shift into the passive status the unit which was active earlier and shifted the i-th one into the active status
3 The unit i (i = 1, N) should generate an output value "y" appropriate to the i-th status of the table of inputs-outputs
The statement: the circuit built from such units and implementing the algorithm given by the table of inputs-outputs is not critical to races and competitions, as only one unit can be active in the circuit. Let us discuss the possibilities to fulfill the requirements to a circuit to be developed.
As it follows from the Fig 8, the device to be created has one input "e" and one output "y" as a function of "e". However, as it follows from AFC, for example, at the transition from the status "1" at e=1 a "1" should appear in the output, and at the transition from the status 4 a zero should appear. It means that it is impossible to implement such a device with a combination circuit. See Fig 9 for the model of the device providing the properties enumerated above. In the literature, similar devices are mentioned as circuits with feedbacks or circuits with memory.
1 - combination circuit; 2 - feedbacks (inner variables)
As is seen from the figure, the circuit contains the combination device, on whose inputs the variable e and the set of variables Z are entered; the variables Z are formed on the outputs of the combination circuit. These variables accept such values that, on the combination device inputs, different values of variables from Z correspond to different statuses of AFC with identical "y" values at identical values of "e". Thus, the process of constructing the circuit of the device with a memory starts with determining the number of variables from the set Z and the logical conditions at which they should accept unit or zero values. Let us put in correspondence to each AFC transition a variable
Figure imgf000017_0003
where j is the number of the statement top from which the transition is branched, and i is the value of the variable "e" at this transition, and a variable which is equal to 1 when the device is in a status i
Figure imgf000018_0001
Fig 10
Let us consider the Fig 10, where the AFC fragment of the Fig 9 is appropriate to the second line of the table of statuses (Fig 8) (transition from the status 2 into the status 3). In this fragment, the shown aspect of the algorithm will be fulfilled incorrectly, as after the transition into the status 3 it will transit at once into the status 4, because both logical conditions are identical. (In the theory of finite automatons, such conditions are mentioned as non-orthogonal.) Meanwhile the first and second conditions e=0 relate to different instants. It means that in the status 2, when the value e is set to zero (e=0), the device should transit into the status 3, and into the status 4 only by resetting e=0. For the fulfillment let us enter the synchronizing signal t (see Fig 11b) so that at x=0 and t=1 there is a transition into the status 3*, and into the status 3 at t=0. In this case, after t becomes equal to "1" again, and x=0, there will be a transition into the status 4. In the Fig 10b, the Fig 10a fragment is converted taking the variable t into account. All remaining statuses of AFC on the Fig 10 should be similarly transformed.
To simplify the algorithm of the circuit synthesis we shall accept that each fragment of the algorithm, similar to the one shown in the Fig 10b, should be implemented by the unit 3, which implements statuses 3 and 3*. From this figure it is seen that the function of status 3* activation looks like
Figure imgf000018_0002
Here it consists of two parts condition of switching on xttfr *M) and holding condition z z5
Thus, after setting the variable in "1" by the circuit of switching on it becomes equal to zero after setting in "1"
With these formulas, the condition of switching on can be obtained directly from the table. Indeed, the number of variables is equal to the number of occurrences of the status 3, the lower index of the variable corresponding to the line number in which the status 3 is indicated, the upper index corresponding to the column in which this occurrence of the status 3 is located.
The holding condition obligatorily contains the eigenvalue of the variable Z3 and the inverse value of the logical sum of variables appropriate to statuses into which the transition therefrom is possible. In our case it is one transition from 3* to 3. The function for Z3 is built similarly. (The variable D is entered for the convenience of the function reading-out and corresponds to the condition of switching-out of the function Z3.) In the Fig 10B the circuit implementation of the unit 3 is shown. (In the figure, we see the implementation in the element base AND-OR-NOT; however, the circuit can be implemented in any functionally complete base.)
Table of Connections
In the table, designations of inputs and outputs are given in the first column according to the Fig 10B. In the remaining columns outputs, i.e. sources of voltage, are marked with the sign *. With the sign p+ the inputs appropriate to switching-on conditions are marked, and with the sign d+ the ones appropriate to switching-out conditions. Each table column of connections was filled according to the logic given for the unit 3 (see above).
6.2. The extended model
As it follows from the description of the extended model, it differs from the base one in that after the transition fulfillment from the i-th status, there is a permutation of this status in the table of inputs-outputs. For the execution of this operation at a circuit level, N triggers with a counting input are used.
Fig 11
In this figure 10 flip-flops with countable inputs are shown at the left, each of which is controlled by a signal Z of the i-th unit, formed on the unit output when it was activated, and also by the signal t=0. In the Fig 11 it is Z3. As is seen from the figure, now (for example, in the first status) the unit 3 will be activated for the first time with the signals Z° and t=1, because the flip-flop is in the status "one" (q1=1, ~q1=0). At t=0 the signal Z shifts the trigger 1 into the opposite status, and the following transition from the status 1 into 3 will be fulfilled by the signal Z, etc. See below the table of links of circuit implementation of the extended model.
The tilde marks inverse values
7. Use of cell automatons
See Fig. 13A for a cell automaton example.
1 - Logic inputs; 2 - Adjustment buses.
Fig 12
As one can see from the figure, the cell automaton is a set of identical cell devices (Fig 12B) with four inputs (a, c, e, and g) and four outputs (b, d, f, h). Let us assume that each cell implements the logic function AND-NOT. Each cell (see Fig 12A), excluding peripheral, can exchange information with four adjacent ones. Only peripheral cells can send and receive external signals.
Each cell can perform the following operations:
• to connect any input with any output, and/or
• to connect any input with the input of the AND-NOT gate, and/or
• to connect any input with the AND-NOT gate output. (One cell pole (input or output) may have more than one connection, while only one connection is allowed for the output)
• to receive adjustment signals (see Fig 12 C) via adjustment buses. Each cell is sampled in the crossing of vertical and horizontal adjustment buses.
Fig 13
F(∑l) = xSzlOft + xtz4St + zl£(t + z2tz3)
F(∑2) = xtzltt 4- z2t(t + 3sϊ~6)
F(z3}= xt∑ltt + tz2it + xtz7tt + z3£ (t + zβfεT)
F(z4)- X*z3ft + xϋx9ft + 4C(t + XtxS) F(ε5) = x*z4tt + xtzβit + z5S(t + z4 z6) m • •
F(∑10)= xtzSit + xt.z9tt + zlOt (t + ΕllΕδ)
Fig 14
Let us consider now an implementation of the base model (see above). See Fig 13a for the status table, and Fig 13b for the algorithm flow-chart. See Fig 13c for an example of the top 1 splitting to use the synchronizing signal t necessary for the circuit implementation.
1 - Module z1; 2 - Fields of external connections.
Fig 15
Logical functions (Fig 14) and implementation of the function F(z1) out of gates AND, OR and NOT are put in correspondence with each operator vertex. The rest of the modules are implemented similarly. See Fig 15 for the module implementation of F(z1). Around the module circuit there are cells providing communication between cells on peripherals and with other modules. As seen from the figure, 5x6=30 cells (together with those providing communication) are needed to implement one module.
See Fig 16 for the circuit of modules connection, implementing the base model.
1 - Table of transitions; 2 - Switching-off signals; 3 - Switching-in signals
Fig 16
As seen from Fig 16, the base model requires 32x7=224 cells. As shown in the Appendix, tuning of one cell requires 20 information bits. Consequently, 224x20/8 = 560 bytes are necessary for 224 cells. If we accept that a modern smart-card with medium possibilities has a memory of 1 Mbyte, one can see that it is able to store information for adjusting about 2000 different algorithms for CD-ROM decoding.
Thus to fulfill protection functions considered above the base model must have one adjustable cell automaton with the size near 300 cells and memory 1 Mb in addition to executive (service) units.
7.1. Circuit implementation of cell automaton
1 - Switching unit for the output b (SUb); 2 - Flip-flops of the unit states
Fig 17
See Fig 17 for the conventional designation of a separate cell in the cell automaton and a fragment of its circuit (all circuits below are developed by the author using the algorithm created by the author; its particular feature is its complete formalization, i.e. it can be programmed, and the circuits implemented on its basis do not require debugging), implementing the switching unit for output b. Said unit consists of flip-flops, which are set in the state "1" or "0" by the adjustment (see Fig 12), and AND-NOT gates, switching inputs a, e, g and the output of the cell functional AND-NOT gate. Switching units of the rest of the cell outputs are implemented similarly.
See Fig 18 for a fragment of the cell circuit, providing the inputs switching for the cell functional gate.
1 - Switching unit for inputs of the AND-NOT gate (Su&)
Fig 18
See Fig 19 for the connection circuit of all inputs and outputs switching of one cell of the cell automaton.
Logic circuit of one automaton cell
Fig 19
See Fig 20 for a conventional designation of one cell of the cell automaton together with buses B and G.
1 - Adjustment buses.
Fig 20
1 - 20-digit shift register; 2 - flip-flop with a countable input to allow the adjustment of an automaton cell; 3 - flip-flops of switching units states b, d, f, h and i
Fig 21 Adjustment circuit for the automaton cell
As seen from the Fig 21, the adjusting circuit contains the flip-flop with a countable input, which is set to "1" by the first coincidence of values on the buses B and G, which are equal to one, and to "0" by the second coincidence. After setting the flip-flop in the single status, the adjustment signals are recorded into the register and transmitted by the bus G, while the bus B is set for "0". After adjustment, value "1" is set via buses B and G. The register signals set flip-flops of the switching units into corresponding states. Thus, one word with the length of 20 has to be stored on the smart card for any cell of the cell automaton.
8. Protection of the information interchange between the database and subscribers
8.1. General concept
The protection of the information interchange between a subscriber and database is based on the following principles:
The information of each subscriber is stored in the database encoded by the code of the subscriber.
i) Each subscriber has a smart card of a multipurpose type, in which the codes are stored for the encoder-decoder adjustment to provide the protected information interchange with the database.
ii) The information interchange of the subscriber with the database begins with the transmission to the database of the subscriber's name with an open text.
The subsequent dialogue proceeds with the help of the code known to the subscriber smart-card and database.
8.2. The structure of a smart-card
1 - Block, providing connection with the computer; 2 - block, storing adjustment codes; 3 - cell automaton field (encoder-decoder); 4 - processing
Fig 22
The structure of a smart-card is shown in the Fig 22. The basis of the smart-card is a field of cell-like automatons that can be adjusted by one of the adjusting codes, which are stored in the storage unit for codes of adjustment. The smart-card is intended for the operation under the control of a computer, the interaction with which takes place with the help of the processor and the unit for organising the interchange with the computer, said unit being located in the smart-card. The unit of storing adjustment codes represents the electronic STORAGE, which stores the information written therein during the interval between sessions. The entry of the code is made by the device of the Database during filing the subscriber's smart-card.
8.3. The structure of the database
The structure of the database is shown in the Fig 23.
1 - Block, realizing communication protocol; 2 - block, storing the users' "names"; 3 - block, storing the encoder-decoder adjustment variants; 4 - coding program; 5 - memory; 6 - structure of the data base protective block; 7 - processor.
Fig 23
The database is in conditions excluding a direct physical access to it without special authorities. The algorithm of the control and storages of the database is implemented by the computer. The operation of the database with the subscriber has two modes:
1. Filing. For this purpose the smart card of the subscriber having defined authorities is located in the reception unit of the database. The database assigns the unique name to the subscriber, generates the unique code, writes the adjustment code into the smart-card, writes the subscriber name and adjustment code in the unit for storage of subscribers' names and the unit for storage of adjustment codes, accordingly, and opens the subscriber database, which will be stored in a form encoded with the subscriber code.
The name of the subscriber is known to the subscriber, and the code is accessible only with the direct access to the database. Now the access to subscriber data is possible only when using his smart card
2. Subscriber dialogue with the database. Thereby the subscriber reports his "name" to the database computer. The database computer finds the adjustment code appropriate to the "name", adjusts its encoder and decoder, and the further interchange with the subscriber smart-card takes place in the encoded form. It means that if the subscriber "name" is used by a third party, his smart-card won't have a possibility to decode the messages of the database and the dialogue will be stopped.
9. Protection of computers from unauthorized use
See Fig 24 for the existing block diagram of computer protection.
1 - processor; 2 - periphery devices; 3 - encoder-decoder; 4 - protective shell; 5 - places of "breakage".
Fig 24
As seen from the Figure, the shell, realized by the operating system, plays the principal part in the protection. It is possible to mark out two levels of the protection:
The interior level (see Fig 24, point A), providing user access (here, user is a person registered in the computer database and accessing it via the local network of the company where the computer is located) to various data according to their authorization. For the user identification, the name or password allocated to him when filing is applied. Namely, this predetermines a direction of "breakage", because it is sufficient to break open the system of the password generation to receive the access to the computer database.
Exterior level (see Fig 24, point B). This level ensures protection of the computer database from external unauthorized access, i.e. through an exterior network (Internet etc.). It is possible to judge the effectiveness of existing methods of protection by the fact that nowadays practically all organizations have closed (not protected, but closed) access to their working computers. The reason is that no existing protection systems can ensure absolute stability to breakage (we call "absolute stability to breakage" a protection system whose breakage cannot be carried out in reasonable time). Meanwhile it considerably reduces an overall performance when designing.
The reason of unreliability is that the protection algorithm is the same for all users, while the keyword is a subject to breakage.
9.1. What should a protection be?
Let us formulate the requirements which the protection system of the computer should meet:
• A unique algorithm of coding should encode the data of each user.
• The user external access to the computer is carried out using the same algorithm, but using his smart card.
9.1.1. Structure of the protection unit in the computer database
See Fig 25 for the structure of the protection unit for the computer databases. Said unit consists of:
• unit for storing subscriber names (keywords);
• unit for storing adjustment codes for the work with a subscriber.
1 - Unit for storing names of system subscribers; 2 - Unit for storing adjustment codes; 3 - Program of coding; 4 - Memory
Fig 25
9.1.2. Subscriber filing in the computer database
The subscriber filing takes place at his first addressing to the computer. For this purpose, he puts the smart card in the computer reception device. Thereafter the computer generates the subscriber name, records it in the database and informs the subscriber. Then the computer generates the algorithm of coding-decoding, according to the authorities of the subscriber. All these operations are fulfilled under the control of the person with appropriate authorization.
9.1.3. The block diagram of the computer protection
See Fig 26 for the computer block diagram. The protection unit is marked out with a color. As seen from the diagram, this unit is connected to the common bus together with other computer devices. It allows using the driver for organizing such interconnection with the processor, when all read or recorded information is decoded or encoded by the protection unit, previously adjusted to some definite code.
Fundamental parts of a microprocessor system
1 - Protection unit; 2 - Input, output interface; 3 - display keyboard; 4 - disk unit; 5 - Input, output interface; 6 - disk controller and interface; 7 - memory; 8 - program data; 9 - microprocessor; 10 - bus
Fig 26
10. Protection of audio- and video data from unauthorized access and copying
10.1. Singularities of the audio-information presentation
The feature of presenting audio-information in digital form (bit sequence) is in its accordance to singularities of human ear perception, so the signal should vary in the range of 20 - 20 000 Hz. Besides, the reproduced sound should have "coloring" appropriate to a source (human speech, vocal, orchestra etc.). The common outline of the conversion looks as follows:
• Any frequency range is divided in some bands (8 - 16). (The width of each band is established individually and heuristically and depends greatly on the way of conversion)
• For every band, the filter defines values of Fourier-conversion factors according to the accepted level of quantization in the range of 90 dB
The size of the obtained information makes up, for example, for the three-minute reproduction of a compact disc 1 - 2 Mbps by the order. Considering the coding and playback processes in real time, using processors and communication links with widely variable parameters, it is clear how important it is to solve the problem of data formatting.
In 1993 the work was started, and in 1995 the first stage of the development of MPEG - "Moving Picture Experts Group" - the standard for coding and transmission of pictorial and audio-information, working under the aegis of the International Standards Organization (ISO) and International Electrical-Technical Commission (IEC), was completed. Since then, there appeared MPEG-1, MPEG-2, MPEG-3, MPEG-4 and MPEG-7, keeping the succession and distinguishing with the extension of possibilities. Therefore, MPEG-7 provides a possibility of application for coding and transmission of the television images (from meta-data to multimedia). Basing on these standards, there appeared such products as Layer-1, Layer-2 and Layer-3, which follow the requirements of the standard. These developments have been laid in the basis of the great European project (mode html - "Description of the MODE", system html
Without going into details of these products' implementation, we shall dwell on the modes of the security ensuring accepted in these projects.
10.2. Copyright and protection from the information copying
In the «Fraunhofer Institut für Integrierte Schaltungen» in Erlangen MPP was developed - Multimedia Protection Protocol. MPP is intended for the protection from the unauthorized distribution of the audio- and video data, and SysCoP (security of copyright).
10.1.2. Copyright Problems
The copyright problem is a problem of security of the copyrights (property rights) in video- and audio products. The idea of the author's identification is similar to the idea of "watermarking" and supposes implementing into the protected information of the data mentioning the author's rights. The size of such data makes an insignificant part of the total information content, and the mode of its inclusion is such that a) it does not hinder perceiving the main information, b) it can be easily detected and c) it is difficult to change this information without disturbing the quality of perception.
Fig 27
It is shown from the above mentioned that SysCoP can identify the information affiliation, but it does not hinder an unauthorized usage of the information, including its copying. There is an idea that the play-back device (player) could check the reproduction's right (licensing) before reproducing, in case this information is written as a watermark code. Hence, there was no obstacle for reproducing information with the help of some other suitable reproducing device.
10.2.2. Protection from the unauthorized use
An attempt to solve the problem of the information protection from the unauthorized use was undertaken by the development of MMP (Multimedia Protection Protocol) in «Fraunhofer IIS» - Protection of Content Related Intellectual Property Right.htm. According to the intention, the user acquires from the distributor the multimedia-file («MMP-file») which is personalized, i.e. it can be reproduced on a specific user device («MMP-player»). See Fig 28 for the structure of the MMP-file.
Fig 28
The file begins with a title, which contains the following information:
• provider and distributor;
• user, for which the file is intended;
• a mode of coding, and
• additional data: the author, copyright-holder etc.
(The full enumeration of the title is given in the «Niels Rump, Copyright Protection of "Multimedia Protection Protocol" (MPP), Fraunhofer Institut für Integrierte Schaltungen».)
The source file is divided into blocks, their structure shown on Fig 28. So, according to ISO/MPEG Layer 3, the compact disc music file of three minutes duration (3 minutes x 112 Kbps ≈ 2.5 MB) is divided into blocks of 512 KB each, with a title of 200 bytes, i.e. it makes up less than 0.04 %. As seen on the figure, a part of the multimedia content is encoded. A distributor defines the size of this part, as the decipherability requires an additional time, which influences the implementation of the process in real time. If we encode eight bytes from every 1024 bytes, it is enough to protect the MMP-file. For encoding-decoding, the DES is used.
10.2.2.1. Protection engineering
The MMP-file is encoded with the help of several 64-bit keys. The key KI is app bed to the file header coding; the keys K2 and K3 are provided by distributor and user, accordingly, for coding contents. Thereby the key KI is "hardwired" in the decoding program by the producer of the MMP-player, and the keys K2 and K3 are introduced into the title by the file acquisition. Thus, when receiving the file with the help of KI there are defined K2 and K3 As K2 and K3, IDs of the distnbutor and user are used Thus, m MMP there are three levels of protection, which are installed by the producer, which is now the Fraunhofer Institut fur Intergπete Schaltungen, the distnbutor, which sells MMP-FILES, and the user The procedure of a guard looks like as follows
1 The distnbutor buys by the producer the program for playback MMP-FILES, m the data table of which the producer has wπtten a key KI Its application is possible at presentation to the program of the distnbutor's ID (the distπbutor's ID is given to him by the producer) Besides, ID of the distnbutor gives the nght to him to bπng the key K2 mto the program, having confened it the user ID when selling
2 The user gams the program customized by the distnbutor and places it mto its computer The program requests ID of the user and begins to install Thereby it happens the tuning of the program taking into account of the specific computer parameters Thereby the user introduces the key K3, which gives him a possibility to eliminate the unauthonzed usage of the program There is a possibility to apply these operations, instead of the computer, with a smart card In both cases it is proposed that the access to the data table is hampered so, that it is more difficult to fulfill, than to select a key Thus, it appears MMP-player by the user After that the user may gam MMP-file from the distnbutor adjusted its ID and play back the mformation in its player The player data table admits its filing in different distributors When copying the MMP-FILE the possibility of reproducing thereof in the other player is eliminated, as in its title contains the parameters of the definite player It results in that if you want to listen to the MMP-file at home or in your car, you have to gam two identical MMP-files
10.2.2.2 The possible directions of breaking-in
The analysis of the above allows selecting some points of breaking-in:
I. Brute-force attack. This is a quite executable task for our time, as the key size does not exceed 40 bits. Moreover, the task is facilitated by the fact that only a small part of the file is encoded and its structure is known, which facilitates breaking-in. To increase the size of the encoded part is difficult, as it will result in a diminution of velocity (DES fulfills operations in 16 rounds, which means the approximate decrease in velocity).
II. «Unsealing» of the player program. The task is quite executable and requires an appropriate qualification of a hacker, but if there is a stimulus (sports or commercial interest), there are no difficulties. It is clear that the program becomes absolutely "hand-led" after such manipulations and can be circulated by any means.
III. The program interception before its installation and duplication. Thereby many programs are ready for installation on any number of computers with the same ID.
10.2.2.3 Modes of raising the degree of protection
Let us consider methods of raising the protection degree in order:
I. The procedure of brute-force attack is facilitated not only by sizing the key up to 40 bits, but also by the very small size of the encoded part and the known coding algorithm. Therefore, the difficulty of breakage can be enlarged in this case provided that the whole MMP-file is encoded, and each file is encoded with its own algorithm (clearly, this is possible if the decoding causes a minimum delay).
II. The decoding program should be implemented as HW. It does not contradict the item A (the own algorithm of coding for each player) under the condition that HW is an adjustable device (preferably an adjustable field of cell-like automata possessing its own geometry, i.e. field sizes). The HW implementation makes breaking-in practically impossible for technological reasons.
III. The program interception becomes useless if what is transmitted is the adjustment of the HW unit, which is specific to each unit. The HW implementation can be fulfilled either as a smart card or as a computer. It is connected to the common bus of the processor.
11 Application of the finite-automated model of coding-decoding for the protection of a multimedia information
The mechanism of the protection provides an interaction of two subjects:
• The distributor, who has a set of multimedia files (MMF), a program generating an encoding-decoding algorithm, with an adjusting code on the output which considers the "geometry" of a homogeneous medium to be adjusted, and a database storing users' IDs together with adjusting codes.
• The user, who has a player with the adjustable HW. The HW may be a reusable device and has a memory for recording the ID and the adjusting signals of the distributor.
The algorithm of the distributor and user interaction looks as follows:
I. The user gives a command for the connection with a distributor computer.
II. The distributor computer requests HW parameters and randomly generates an algorithm of coding-decoding and tuning codes, writes them in its database and sends them for the player adjusting.
III. The user smart card records the distributor ID and tuning code in its memory.
IV. Thereafter the distributor computer begins to transmit to the user the set of MMF encoded by its code.
The distributor ID is written in the file header.
V. The user can either record the received MMF in a computer memory, or reproduce it in real time, recording it in parallel into the computer memory. The MMF can be copied; however, its reproduction is possible with the specific player only.
In spite of the fact that the adjusting code is transmitted openly, it is impossible to restore the decoding algorithm with its help for two reasons:
• The adjusting code is constructed based on the randomly generated coding-decoding algorithm and "geometrical" values that are specific for a given player.
• The adjusting code dimension makes up some hundreds of bytes and therefore a brute-force attack cannot result in a positive outcome.
12 The concept of FMD compact discs protection from unauthorized usage
12.1 Problem statement
We understand unauthorized usage of compact discs as:
Figure imgf000040_0001
The task can be shortly formulated in the following way:
It is necessary to find out such a mode of organizing information on compact disc, which allows reading only on the range of players, set at its purchase.
For example, if the disc was purchased with the right of its reading with one player only, it means that it can be used only on that player with which it was read out for the first time.
How can we organize it?
Let us assume that the compact disc has the information structure shown in Fig. 29.
Figure imgf000040_0002
As seen from the Figure, the information field consists of two parts:
Figure imgf000040_0003
All players have the units listed above and differ by:
1. The order of words in BP-1 and that of the corresponding codes in BP-2 are different and specific for each player.
2. Geometrical dimensions of the cell automaton to be adjusted are specific to each player as well.
3. It follows from item 2 that the adjusting codes in BP-2 are also specific for each player.
Since all three units are microelectronic chips, the features of each player listed above cannot be determined either by opening up the chip (existing technological procedures of protection ensure an erasure of the chip structure at any attempt to break its wholeness), or by manipulating signals on exterior inputs, as it results in a full excess. (It is possible to organize the process of player production in such a way that these differences are selected randomly, so the manufacturer does not know the parameters of every specific player.) Let us consider how the process from the compact disc production up to its usage by a purchaser is organized:
1. The producer selects for each series one of the algorithms of information coding, which are located in the BP-2 of the player, which predetermines the keyword from BP-1 to be applied to coding the keyword (see Fig. 29).
2. The purchaser buys a compact disc and places it in his own player.
3. The player reads out the keyword from the disc and tries to decode it, looking over words from the list in the BP-1.
4. After successful decoding, the player erases the keyword from the disc and records instead its own serial number and line number from the BP-1 (it is necessary to mention that there is no necessity to encode this information. Even if such a disc is physically copied, it can be read out with the one player only). The items 3 and 4 are carried out only once. Thereafter the compact disc can be reproduced on the given player only.
5. If there is a necessity to read out the content of the disc, the latter is placed in the player. The player checks whether it is registered in its database, i.e. reads out the disc and checks whether its serial number is recorded instead of the keyword. If it is so, the adjustment code number is read out from BP-1. The adjustment code for the field of the cell-like automaton is read out from BP-2. The field is adjusted and the player is ready to read out the information content of the disc.
Let's consider, what problems should be solved for providing a reliable security of the information content on
1. The information content on the disc should be encoded using the original algorithm that is specific to the given series of discs. This does not allow applying existing cryptography systems, as the reliability of the protection therein is based on the difficulty of keyword determination, and the coding algorithm by itself is known to all. We have developed a cryptography system permitting to encode any information content by means of other algorithm. It is proved that the difficulty of its breaking is not inferior to existing cryptography systems, while it is simpler for hardware implementation.
2. The adjusting code for the cell-like automaton should be obtained in a formalized way, taking into account that the device obtained after adjusting will not be sensitive to signal delays, which can be different for various circuits. We develop a method for obtaining codes with the enumerated qualities.
12.2 Discussion of the application mode
12.2.1 Accepted assumptions
1. As a subject of the protection from unauthorized operations, a CD-ROM (WORM - Write Once, Read Many) made according to the FMD-technology is accepted.
2. Unauthorized physical copying of the medium is so hampered that it can be considered practically impossible.
3. The player construction (playing back device) eliminates physical and electrical unauthorized access to the interior arrangement of its electronic modules.
12.2.2 The requirements to the protection
1. Data recording on CD-ROM is to be made with its encoding. Thereby the code (it is supposed that the coding mode can be selected either by the manufacturer for selling information or by the user at recording information for future storage) and the coding method should be intelligible for the player only.
2. The CD-ROM read-out should be possible only with the help of a specialized player. (The term "read-out" assumes here the playback by specialized devices of the information which has been recorded on CD-ROM.)
3. The CD-ROM operation has to consist of two stages:
i) The player checks whether the reading out of this disc has earlier been performed on another player. If it has been, the reading out of the disc stops. If it has not been, it is checked whether this disc was registered in the player database. If so, the information on the coding mode is read out from the database and its playback starts.
ii) If the disc is read out for the first time, the CD-ROM filing is made. Thereby the player reads out the information on the decoding mode from the CD-ROM. This information is recorded in the player database, and the registration number of the disc in the player database is recorded on the disc instead of the decoding information. After that, the player begins to read out the CD-ROM.
12.2.3 The factors ensuring the requirements to the protection
1. The player must have an electronic unit and electronic memory. It is impossible to have access to them when the player is in service, as the existing methods of technological protection allow deleting the unit structure at any attempt to break its wholeness.
2. Electronic memory has to store the adjustment code for the electronic unit to decode the information obtained by the CD-ROM read-out. The adjustment code is received at filing the CD-ROM and is formed in the player with the specific adjustment parameters of the electronic unit, formed exclusively by its manufacture (see item 1). This makes it impossible to use this information, even if it is obtained by unauthorized experimenting with the unit, for adjusting another player or developing the appropriate software.
3. The electronic unit is a field of the adjustable cell-like automaton, the geometrical parameters (breadth and length) of which can vary in a wide range. It is known that the cell automata "geometry" cannot be determined during experiments from outside, i.e. without breaking their wholeness.
So the conditions listed above should eliminate:
1. The use of one CD-ROM in several players (if it was not stipulated when purchasing the CD-ROM).
2. The read-out of the information from CD-ROM, obtained, for example, by the "interception" of the information that has been read out and decoded.
12.2.4 Probable modes of "breaking-in"
See Fig. 30 for the structures of the compact disc information fields and the player microelectronic units.
Figure imgf000043_0001
Characters designate the fields:
I. Field for the entry of the encoded keyword (WORM).
II. Field for the entry of the filing character for the compact disc in the player (WORM).
III. Encoded content - information (ROM).
IV. Field of the electronic memory for storing the list of the same keyword encoded by different modes.
V. Field of electronic memory for adjusting the field of a cell-like automaton (F).
VI. Field of a cell-like automaton. This field is characterized by "height", i.e. the number of cells in height, and "breadth". For each player w and h are different.
Figure imgf000043_0002
Let us consider possibilities of "breaking-in", i.e. an unauthorized deriving of the information on each of the components listed above.
The information in this field is encoded with the help of one of the existing cryptography systems (for example RC-4). The mode of coding, i.e. a keyword, is selected by the manufacturer of the compact disc during writing the information from the list D onto the disc. The list structure is identical for all players, but the order of elements in the list is individual for each player. Thus, the determination of the information coding mode in the field A gives little to a "hacker", while for the player this mode defines the number of an element in the list D, i.e. the information for adjustment of the cell automaton field when decoding the information content of the compact disc. That is, the decoding of this information gives little for "breaking-in", though it is connected to a large exhaustive search.
The information of this field contains parameters of disc filing with a player during its first reading-out. This information is specific for the player, does not carry any knowledge on its structure and can be an uncoded one.
III. This field contains the information encoded using the algorithm which adjusts the field of the player cell automaton. There are two versions of this information coding:
1. The application of one of existing cryptography systems. The characteristic feature of these systems is that for decoding it is necessary to define a "keyword". This is a sufficiently labor-consuming, but executable task and it can be solved efficiently with the usual computer, after which the content-information can be read out and reproduced by any appropriate technical means. Thus, the necessity of a specialized player falls away.
2. The possibility of breaking in the first case is facilitated by the fact that the coding algorithm is known, but the keyword is not known. In our opinion, a more effective coding mode is one in which an own algorithm is used for each code. Such a coding mode is developed and it is not trivial, so the breakage difficulty in this case corresponds to the difficulty of determining the Turing machine structure.
IV. This component consists of an electronic memory field located in the player. D contains the list of 100-1000 coding modes of the same word. To each unit from this list, its own code from E for the adjustment of the cell-like automaton corresponds. For each player the arrangement order of the units D and subsequently E is different. After reading the content from A, the operational device of the player applies the coding methods from D in turn until the correct result is obtained. The position number defines an element of the list from E. The fact that the fields D and E are microelectronic units eliminates physical penetration inside them. On the other hand, it is impossible to read out the information written therein without opening them.
V. This field of the cell-like automaton contains parameters w and h. For each player these parameters are different, which means that the adjustment codes recorded in E will be different for different players. Thus, even if the content of D and E becomes known at breaking, this will not allow using them for the adjustment of another player.
Therefore, the offered technology allows creating a multilayer protection of the content-information.
12.3 Possibilities of the FMD protection
12.3.1 Peculiarities of the FMD information organization
The disc made according to the FMD-technology consists of two parts:
1. "Labels" - these are data which are necessary for the player adjustment when decoding the information content. The information on the disc is encoded with the help of one of the known cryptography systems (for example RC-4).
2. The content-information. This information is placed on FMD by traditional means. At that, the information on its structure is encoded with an algorithm. The player starts to fulfill this algorithm after reading and decoding the "label".
After the first reading out of the disc, the player erases the "label" content and records the registration number of the disc into its database. As the disc is WORM (Write Once, Read Many), this operation can be carried out one time only. After that, the disc can be read out only on one player, which makes it inexpedient to copy it onto other discs.
12.3.2 Singularities of the player organization
The player for FMD reproduction consists of two parts: mechanical, which organizes reading from FMD, and electronic, which converts this information into the form necessary for its reproduction by known technical facilities (TV and audio equipment, etc.).
In turn, the electronic part implements the following functions:
• "Label" decoding. The "label" information is encoded using the RC-4 system. 100 - 1000 keywords are stored in the player database. The same list is stored by the disc producer. Each keyword in the player database corresponds to the set of adjusting signals of its decoding unit. Thereby the decoding of the "label" consists in sequential application to its information of keywords from the database until the correct result is obtained. After that the "label" contents are erased and the number of the keyword in the database used for coding of the "label" is recorded. Thereafter, only the fixed player can read out the disc. This procedure is carried out one time, when placing the disc in the player for the first time.
• Information decoding. This procedure consists of several stages:
i) Reading and checking from the label whether the disc was registered in this player. If the disc is registered in another player, the message is displayed and the disc reading stops.
ii) By the filing number, the set of adjusting signals of the information decoding unit is defined.
iii) Information decoding.
The features of the decoding unit organization consist in the following:
1. The decoding unit is a field of cell-like (adjustable) automata. Topological parameters of this field are specific to each player. Therefore adjusting signals will be different for each player even with the same decoding algorithm.
2. The information coding on FMD cannot be fulfilled with the help of any known cryptography systems, as it reduces substantially the extent of the protection. Really, in this case it is enough to define the keyword (it can be obtained in one way or another from the "label" information), then the decoding can be carried out by software developed for this purpose. It is the most rational to use for this purpose the method of finite-automation coding developed by us.
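The first-read registration of the "label" and the later player check described in sections 12.3.1 and 12.3.2, as an added Python sketch that is not part of the patent text. RC4 is used because the text names RC-4 for the label; the known marker plaintext, the sample keywords, the serial numbers and the adjustment-code strings are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MARKER = b"FMD-LABEL"  # assumed known word that tells the player a keyword fits
KEYWORDS = [b"kw-alpha", b"kw-bravo", b"kw-charlie", b"kw-delta"]  # constructed


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


@dataclass
class Disc:
    label: Optional[bytes]                          # encoded keyword field
    registration: Optional[Tuple[str, int]] = None  # (player serial, line number)

    def register(self, serial: str, line: int) -> None:
        # WORM behaviour: the label can be replaced by a registration only once.
        if self.registration is not None:
            raise RuntimeError("registration field already written")
        self.label = None
        self.registration = (serial, line)


@dataclass
class Player:
    serial: str
    keywords: List[bytes]      # same set in every player, player-specific order
    adjust_codes: List[bytes]  # adjust_codes[k] belongs to keywords[k]

    def read(self, disc: Disc) -> bytes:
        """Return the adjustment code for this disc, registering it on first read."""
        if disc.registration is None:
            if disc.label is None:
                raise PermissionError("disc carries neither label nor registration")
            for line, keyword in enumerate(self.keywords):
                if rc4(keyword, disc.label) == MARKER:
                    disc.register(self.serial, line)
                    break
            else:
                raise PermissionError("no keyword in the list decodes the label")
        serial, line = disc.registration
        if serial != self.serial:
            raise PermissionError("disc is registered in another player")
        return self.adjust_codes[line]


def press_disc(keyword: bytes) -> Disc:
    """Producer side: encode the marker with the keyword chosen for the series."""
    return Disc(label=rc4(keyword, MARKER))


def make_player(serial: str, order: List[int]) -> Player:
    """Build a player whose keyword list is the shared set in its own order."""
    codes = [f"{serial}-adjust-{line}".encode() for line in range(len(order))]
    return Player(serial, [KEYWORDS[k] for k in order], codes)


if __name__ == "__main__":
    player_a = make_player("A", [2, 0, 3, 1])
    player_b = make_player("B", [1, 3, 0, 2])
    disc = press_disc(KEYWORDS[3])
    print(player_a.read(disc), disc.registration)
    try:
        player_b.read(disc)
    except PermissionError as exc:
        print("player B:", exc)
```

The registration written to the disc is the plain serial number and line number, as the text allows; the line number is only meaningful together with the list order held inside the registering player.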
13 Public-key data protection, based on the finite-automation model
13.1 Premises
13.1.1 Public-key technology - what is this?
Public-key technology is a process of data cryptography protection in which the coding mode and key are known to all participants of the process of information exchange (including not licensed ones), i.e. the public key, while the decoding mode is known only to the initiator of information exchange (private key). Thereby it means that the private-key construction based on the known public key cannot be practically executed in reasonable time. The principal advantage of such a mode of information protection is a solution of the problem of the protected interchange of keys, which arises when using symmetric cryptography systems such as DES. More often, public-key technology is used for key transmission. It is based on operating with prime numbers and was never broken until now, contrary to DES, which has been broken several times in the last ten years. The application of the existing public-key technology for information coding is not expedient because the speed of such a system is 1000 times less than the DES speed.
13.1.2 The public-key technology on the basis of finite-automation model
The above cryptography system based on the finite-automation model is an asymmetric cryptography system, where encoding and decoding are fulfilled by different algorithms; however, there is a possibility to construct the algorithm of decoding according to the algorithm of encoding. It follows that it is inexpedient to use the table of encoder statuses as a public key. Therefore, the problem arises to represent the encoder in such an aspect that the time of coding algorithm determination would exceed an admissible one. What could be the modes of application of the public key when using the finite-automation model?
• The implementation of the encoder as hardware. Such implementation is technologically protected from penetration inside by means of experiment for the analysis of the circuit structure. Thus, there is a possibility of experiment realization by manipulating values of input signals only. It is known that with 50 inputs the experiment duration already exceeds the admissible one. Such a mode of protection is acceptable in the case when the question of the encoder distribution as hardware is of no problem.
• The representation of the encoder statuses table as a function whose structure does not allow getting information on the coding algorithm.
The first case was considered earlier; therefore this Invention offers a construction for the second case.
13.2 The solution of the problem
Before formulating common conditions, let us consider an example.
13.2.1 Example
Figure imgf000046_0001
Let the table of statuses of the encoder look like that in Fig. 31 (left part). It has X and Y as input and output of the encoder.
Figure imgf000047_0003
Figure imgf000047_0001
The first column of the table contains numbers of statuses, and the second and third columns contain numbers of those statuses into which the device passes at an appropriate input value. In the fourth column, there are values of the encoder output in each status (2). The right part of the table corresponds to the left one with the only difference that status numbers are written there in a binary code. (2) The table was constructed with the help of a generation program. Let us enter the transition function, which looks like
$n = \sum_{i=0}^{m-1} 2^{i} Z^{i}$ (1)
where m is the number of digits necessary for representing the maximum status number; $Z^{i}$ is the logical function of the i-th digit of the status number.
Let us consider the construction of logical functions.
13.2.1.2 Logical functions
We shall return to Fig. 31. The first column contains numbers of statuses, and the columns X=1 and X=0 contain binary equivalents of the status numbers into which there will be a transition at defined values of X on the input of the encoder. For example, in the line corresponding to the status 3 (code 0011), at X=1 there is a transition into the status 7 (code 0111), and so on. Similarly, when X=0 there will be a transition from the status 3 into the status 4 (code 0100). Let us enter four (according to the number of binary code digits) logical functions $Z^3, Z^2, Z^1, Z^0$, which are realized by the unit shown in Fig. 32.
Figure imgf000047_0002
We accept that when the status code and X values are entered at the unit input, the binary code of the status into which the encoder passes appears at the exit. Each function $Z^i$ ($i \in \{0, \ldots, 3\}$) may be presented as follows:
$Z^i = X Z^i_1 + \bar{X} Z^i_0$
where $Z^i_1$ and $Z^i_0$ are logical functions of the i-th digit, which are defined at X=1 or X=0 accordingly.
See Fig. 33 for the truth table of the function $Z^3_1$.
Figure imgf000048_0002
z = Z2Z1Z° + 3 J
Fig 33
The table 3 consists of two parts: the upper one concerns the statuses in which $Z^3_1$ accepts values of one (see Fig. 31), i.e. 7, 8 and 9, and the lower one shows statuses in which $Z^3_1$ accepts values of zero, i.e. 1, 2, 3, 4, 5, 6 and 10.
Below the table, a minimum disjunctive normal form (MDNF) of the function $Z^3_1$ is given. (It is known that any logical function may be represented as a disjunctive normal form (DNF), with the conjunction number equal to the number of single statuses, and any conjunction consists of n factors (four in our case). DNF can be reduced to one of minimum DNFs (MDNF), any of which cannot be simplified by any logical transformation except the return to the initial truth table. Any MDNF has its own number of conjunctions, and the one which has a minimum number thereof is called an absolutely minimum disjunctive form (AMDNF). It is proved that AMDNF can be produced by the complete exhaustive search of MDNF only.) The remaining functions for X=1 are constructed in a similar way.
Figure imgf000048_0001
The corresponding functions for X=0 look as follows: zl ^z2!*!*
Z\ = Z2ZϊZa jr Z2ZiZ° +z2z1z° + z3z1z° z\ = 3 Jz° + z3z z° + z2z° z$ =z3z2z1+z2z1+z° 43
See Fig. 34 for the operation table of the encoder implementing the constructed functions.
Encoder operation table
Figure imgf000049_0002
z^ z zo +z3!1 zt = z2Z'Zβ z zw+z^+z'z0 z zW +z z* +Z2Z1Z8-rZ3ZiZϋ z = z3z2 + z3z>z8 +z2 z%=z3 z* + z3z2zs + Z2
Figure imgf000049_0001
Fig 34
This example allows drawing the following conclusions:
>The function truth table is incompletely defined. Really, the statuses 0, 11, 12, 13, 14 and 15 are not defined, and this means that the functions on these statuses will accept different values depending on the MDNF to be chosen. See Fig. 6 for a table of these statuses implementation. As seen from the Figure, after constructing the truth table, additional statuses and transitions appear therein. As a rule, these transitions represent "pendent" statuses, in which there is no transition; however, this fact can be established only after the construction and analysis of a complete truth table (i.e. the table containing $2^n$ statuses). At n about 32, such a table will have a dimension of 5.7e+18 Mbyte. (It means that the table has a structure of the Fig. 1. In this case, it has l l es and line length 3*32.)
>It is easy to prove that the algorithm set by the status table is invariant not only to the status numbering order, but also to the magnitudes of numbers used for numbering. However, it should result in producing various MDNF, i.e. the numerable set of MDNFs corresponds to the same table of statuses. See Fig. 35 for the other status numeration of the status table in Fig. 31.
Figure imgf000050_0002
Figure imgf000050_0003
Figure imgf000050_0001
Figure imgf000050_0004
1 - Transition codes, 2 - Initial statuses
Fig 36
Herein the numbers are used which can be represented by six-bit binary codes. Fig. 7 shows the truth table of the function $Z^5_1$ and its MDNF. As seen, this implementation depends on six variables and has 54 uncertain statuses. It is necessary to note that no analysis allows one to state that the functions from the first (Fig. 31) and second (Fig. 35) implementations realize the same algorithm.
>The representation of the encoder as a system of logical functions allows realizing it easily either as hardware, carried out as a) a recustomized logic array or a recustomized field of cell-like automata, or b) as software.
Figure imgf000051_0002
Z*, =ZV + Z4Z:| l z*z'
Fig 37
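The construction of section 13.2.1 carried through in Python, as an added example that is not code from the patent: it derives the per-digit functions $Z^i_1$ and $Z^i_0$ from a status table, steps the encoder through $Z^i = X Z^i_1 + \bar{X} Z^i_0$, and checks that a renumbered table yields different functions for the same algorithm. The ten-status table is constructed; only the row for status 3 and the set of statuses where $Z^3_1$ equals one come from the text, and the six-bit renumbering is constructed as well, since Fig. 35 is not reproduced here.

```python
# Constructed sample table: status -> (next status at X=1, next status at X=0).
# From the text: status 3 goes to 7 at X=1 and to 4 at X=0, and only statuses
# 7, 8 and 9 have an X=1 successor whose top digit is one. The rest is made up.
TABLE = {
    1: (2, 6), 2: (3, 1), 3: (7, 4), 4: (5, 1), 5: (6, 2),
    6: (1, 8), 7: (8, 3), 8: (10, 9), 9: (8, 5), 10: (4, 7),
}

# Constructed renumbering of the same ten statuses with six-bit numbers.
RENUMBER = {1: 37, 2: 5, 3: 50, 4: 12, 5: 63, 6: 21, 7: 8, 8: 44, 9: 30, 10: 17}


def renumber(table, mapping):
    """Same transitions, different status numbers."""
    return {mapping[s]: (mapping[a], mapping[b]) for s, (a, b) in table.items()}


def truth_table(table, i, x, bits):
    """Z^i_x: status code -> digit i of the successor at input x.
    Codes that are not statuses of the table are undefined (None)."""
    col = 0 if x == 1 else 1
    return {code: ((table[code][col] >> i) & 1 if code in table else None)
            for code in range(2 ** bits)}


def build_functions(table, bits):
    """All 2*bits truth tables, keyed by (digit, input value)."""
    return {(i, x): truth_table(table, i, x, bits)
            for i in range(bits) for x in (0, 1)}


def undefined_codes(table, bits):
    """Codes on which every function is free to take either value."""
    return [code for code in range(2 ** bits) if code not in table]


def states_where(tt, value):
    return sorted(code for code, v in tt.items() if v == value)


def step(funcs, code, x, bits, fill=0):
    """Next status from Z^i = X*Z^i_1 + (not X)*Z^i_0, recombined as
    n = sum of 2^i * Z^i. `fill` is the value an implementation happens to
    assign on undefined codes (it depends on the MDNF that was chosen)."""
    n = 0
    for i in range(bits):
        z1, z0 = funcs[(i, 1)][code], funcs[(i, 0)][code]
        z1 = fill if z1 is None else z1
        z0 = fill if z0 is None else z0
        n |= ((x & z1) | ((1 - x) & z0)) << i
    return n


def same_algorithm(table, mapping, bits_a, bits_b):
    """True if both function systems make corresponding transitions."""
    fa = build_functions(table, bits_a)
    fb = build_functions(renumber(table, mapping), bits_b)
    return all(mapping[step(fa, s, x, bits_a)] == step(fb, mapping[s], x, bits_b)
               for s in table for x in (0, 1))


F4 = build_functions(TABLE, 4)

if __name__ == "__main__":
    print("Z^3_1 = 1 on", states_where(F4[(3, 1)], 1))
    print("undefined 4-bit codes:", undefined_codes(TABLE, 4))
    print("undefined 6-bit codes:", len(undefined_codes(renumber(TABLE, RENUMBER), 6)))
    print("code 0 at X=1 with fill 0/1:", step(F4, 0, 1, 4, 0), step(F4, 0, 1, 4, 1))
    print("same algorithm:", same_algorithm(TABLE, RENUMBER, 4, 6))
```

The equivalence check works only because the renumbering map is known; the function systems themselves share no status codes.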
13.3. Discussion of the possibility to apply the public-key technology
13.3.1. Premises
• The finite-automated cryptography system is an asymmetric one, i.e. the algorithms of coding and decoding are different.
• The encoder can be given as a s
Figure imgf000051_0001
logical functions, where k >= 0, N is the number of statuses in the table of encoder statuses and k is a random whole number.
• If we accept N=30 and k=25, at M=100 (100 logical functions with fifty logical variables), the truth table of this system has 1.125e+17 lines and 150 columns, which requires 2.1e+7 Gbyte of memory, i.e. not only the analysis, but also the simple arrangement causes great difficulties. The experiment with such an automaton (for the base model) requires
N2 (N + 1) - + (2N + 1)2W operations, where N in this case is the status number if it is known. For N=30, the minimum size of the text to be entered has the order of 8 Gbyte - this magnitude is seven orders less than the previous one, but large enough to make practically impossible not only the analysis of the encoded text, but also its simple arrangement.
13.3.2. Application of the public-key technology
Let us assume that <A> has to transmit the information for <B>, but thereby <V> exists, which is interested in receiving this information. The process of the information transmission can be as follows.
1. <A> sends an inquiry to <B> about the necessity of connection.
2. After receiving the inquiry from <A>, <B> generates a system of logical functions of the encoder and transmits it to <A>. Simultaneously <B> generates the decoder. As this transmission is not protected, <V> receives the logical functions of the encoder too. <A> either customizes its hardware or records them into the software database of its encoder. The same can be done by <V>.
Thereafter <A> transmits the encoded text. <B> accepts and decodes the text by means of its decoder. Thus, both <A> and <V> can decode the text executing the exhaustive search, which is estimated. It is necessary to pay attention that each communication session starts (see item 2) with the generation of a new algorithm of coding-decoding; therefore the results of the breaking experiment of <V> cannot be used.
14 Comparative estimation of finite-automated rate and some other widely-distributed cryptography systems rates
In the work «Crypto++ 3.0 Benchmarks» (http://www.eskimo.com/~weidai/benchmarks.html), results are given of an experimental estimation of the most widely distributed cryptography systems. See below the table of the experimental estimations for the two most widely used cryptography systems, DES-2 and RC-4. The data is obtained from the above-mentioned work.
Figure imgf000053_0001
As seen from the table (column III), each system divides the encoded text into words of 8 bytes each. Thereby the bytes of a word are processed simultaneously. We have carried out the analytical and experimental check of the speed for the finite-automated cryptography system. The experiment was made with the software version of the system for two variants: a) the word of 1 bit length and b) the word of 1 byte length. The analysis has shown:
• The system for handling a one-bit stream differs from the one-byte system by the number of columns in the status table. In the first case there are two ($2^1$), and in the second case 256 ($2^8$).
• The speed of the system does not depend on the size of the table. The reason is that the output signal is defined by the device status, while the number of operations defining the next status does not depend on the table size.
• The speed of the finite-automated model decreases proportionally to the appearance of redundant characters. However, the estimation of their number is difficult, as it depends on the text to be encoded.
• The speed of the public-key technology of the finite-automated model decreases proportionally to the number of coder logical functions.
The carried out experiment has shown that when processing the text with the size of 1 Mbyte, the processing speed for one-bit and one-byte flows makes up 17.3 Mbit and 17.3 Mbyte accordingly. Obviously, it remains the same by the operation with 8-byte flows. The analysis of existing systems shows that their efficiency falls at the reduction of the word size. In order to compare these systems with the finite-automated model, there is a rate per one byte in the column IV. The addition of the table for the finite-automated model is given below.
Figure imgf000053_0002
15 Estimation of difficulty of various cryptography automated models "breaking"
15.1 Coding model "one to one"
15.1.1 By-bit base model
We shall accept that x represents a bit flow which enters the input 1-1 of the automaton, at whose exit a flow y is outputted (see Fig. 38a).
Figure imgf000054_0001
Figure imgf000054_0002
Figure imgf000054_0003
Fig 38
The mput-output table may descπbe operation of such automaton See Fig 38b for its possible filling (An oπented graph, shown in the Fig 38c, may be put in coπespondence with such table) In this graph the arc coπesponds to one transition and the transition direction is marked with a dot)
Beforehand we shall alter a definition □A state of an automaton is such a combination of its inner properties (7), which univalently puts mput value "x" in coπespondence with output value "y", appropnate to this status Therefore, different output values can conespond to the same mput value depending on the state The table in the Fig 38b descπbes the automaton with 10 states (first column), numbered from 1 up to 10 The second and third columns of this table contam the statuses, which are passed by automaton at unit "1" and zero "0" values of the mput signal x The fourth column coπesponds to the y value Thus, at x=l in statuses 1, 2, 6, 7, 8 and 10 we receive "1" at the output, and in statuses 3, 4, 5 and 9 we receive "0" So, if the automaton is in the state 4 (fifth table line), by x=l it will pass into the state 5 (4=>5), and by x=0 mto the state 1 (4=>1) Thereby in the first case it will be set the value y=0 at the output, and in the second one y=l (The definition above coπesponds to the Moor's automaton) If the automaton was in status 8, than by x=l the passage 8=>10 will be earned out and y=l, but if x=0, than 8=> 9 and y = 0 (Generally, there can be statuses, when the same output signal value coπesponds to different mput signal values)
Let us enter some definitions.
• By analogy with graph theory, a path from the state Si into the state Sj is such a sequence of states Si ... Sk ... Sj for which there is an input sequence converting the automaton from Si into Sj.
• A deadlock status is a status with an inner path, but no outer paths.
• A pending status is a status with no inner paths.
Assumption. Let us accept that for any automaton it is possible to carry out an experiment, entering at the input such a sequence of units and zeros as gives the basis for the construction of a complete input-output table.²
Let us show that not every input-output table can be realized by an automaton, and formulate the conditions of realizability by means of a finite automaton.
The statement. If in the input-output table there is a path for any pair of states, such a table can be realized by a finite automaton.
The proof. Let us admit that there is an automaton for which the experiment has been carried out and the input-output table constructed. Let us admit further that there are in it at least one deadlock state St and one pending state Sv. But, by definition, such a table cannot be constructed, since if status St is the first to be reached, no other transition can happen. As to the state Sv, it simply could not appear in the table, as no path into it exists by definition.
Consequence 1. If the table is realized by an automaton, for each state there is at least one column from {1,0} in which it is entered.
Consequence 2. If the table is realized by the automaton, there is no line in which the number of this line is written in both columns.
Let us admit the inverse, that there is such a state St. It means that after the transition into it the automaton will stay there indefinitely, i.e. there will be no transition into any other state, and St is a deadlock vertex.
Consequence 3. The permutation of table lines does not cause the appearance of deadlock and pending states (thereby the algorithm does not vary).³
The proof is obvious, as the line permutation in the table does not change the transitions therein.
Consequence 4. The permutation inside any line does not cause the appearance of deadlock and pending states (however, it changes the algorithm implementing this table).
The proof is obvious.
Thus, not every filling of the input-output table makes it automaton-realizable. Let us formulate an algorithm permitting to draw up an automaton-realizable table.
1. To set the number N of states and to draw up a table containing 4 columns and N+1 lines. To enumerate the lines and designate the columns as shown in Fig. 38b.⁴
2. To fill in any one cell in each line so that the conditions of Consequence 1 are fulfilled.⁵
3. To fill in the fourth column of the table.⁶
4. To fill in the empty cells in the second and third columns as follows:
* The state with the number equal to the number of the line being filled should not be entered in that line (this guarantees the absence of single cycles).
* Numbers of states to which equal output values correspond should not be entered into one line (i.e. such an automaton will be convertible).
It is easy to show that the constructed table will be automaton-realizable, and every i-th line therein corresponds to the alternative operation Tyi.
² This statement is formulated as an assumption for the only reason that such an experiment may be technically impracticable with a great number of states.
³ In other words, the table is invariant in relation to the permutation of lines. Therefore, the algorithm implementing the table does not change when altering the order of line enumeration and consequently altering transition numbers. As shown in Consequence 3, the order of lines in the table does not change the automaton algorithm.
⁵ Any filling is accepted, including a randomized one. It is not advised to use methods based on any logical constructions.
⁶ It is preferable to have a uniform distribution of unit and zero values.
15.2 Discussion of the possibility "to break" the bit-wise base model
Let us consider the possibility «to break» an encoder implemented according to the base model, and the parameters that it is necessary to know when breaking.
i) Mode of generation of the states table. One of the «golden rules» of cryptography says that any secret becomes explicit sooner or later. With reference to our case it means that, when estimating the breakage difficulty, it is necessary to assume that the status table generation mode is open.
ii) Number of states in the table. This magnitude is selected randomly.⁷
iii) Filling in of the table of states. The filling in of the table is selected in a random way.
iv) Source text.
v) Encoded text.
Let us estimate the difficulty of breaking depending on the information which a hacker has. Let us arrange the situations in order of rising difficulty.
15.2.1 Number of statuses in the table is known
Let us admit that the sender uses for coding an automaton constructed on the basis of the input-output table created according to the above-mentioned algorithm. As seen from items 2 and 4 of this algorithm (see page 54), for the same N there can be various variants of the table filling. If the number of such variants is not great, the probability of breaking such a cryptography system is close to one. Let us estimate the number of said variants.
According to item 2 of the algorithm, the number of variants here is equal to the number of permutations of N, i.e. $N!$. From this number it is necessary to subtract those permutations in which the number of a state coincides with a line number. Their amount is equal to $2^N$. Thus, the number of variants here is equal to $N! - 2^N$.
According to item 4 of the algorithm, the number of variants of filling up the second cells in each table line is equal to the number of combinations for the case when each state can occur 0, 1, ..., (N-1) times. Their amount is equal to $N^{N-1}$. According to item 3 of the algorithm, the number of variants for filling up the fourth table column is equal to the number of combinations for the case when each state can occur 0, 1, ..., N/2 times. Their amount is equal to $N^{N/2}$. Therefrom the total number of variants can be calculated according to the formula

$$V = (N! - 2^N)\,N^{N-1}\,N^{N/2} = (N! - 2^N)\,N^{\frac{3N}{2}-1} \qquad \text{(Formula 1)}$$

The calculations show that this number is already equal to 3.63*10^20 for a table of 10 states. The situation can only be aggravated in the case when the table size is unknown.
15.2.2 The size of the table of states is unknown
As we can see, the direct exhaustive search of all variants of the table at an arbitrary N, even in a known range of its values (taking into account Formula 1), is a completely hopeless procedure. More realistic is the approach in which the hacker has a possibility to construct the encoded text by carrying out experiments with the encoding device. The purpose of such an experiment is to determine the parameters of the status table. Let us consider such an experiment.
Here and further, we suppose that the random choice is carried out by a random number generator. Proceeding from the given "rule", we assume that said generator is also known.
Figure imgf000057_0001
Figure imgf000057_0002
Fig 39
Let us admit that the status table looks like that in Fig. 39. Let us accept that, when breaking, there is a possibility to manipulate the input flow "x", i.e. to send to the input of the encoder any combinations of "1" and "0" in any amount, obtaining the encoded text. The purpose of such an experiment is to determine the coding algorithm, i.e. to restore the input-output table. See Fig. 39b for a fragment of the binary tree of such an experiment.
Let us admit that the sequence 00000000 has been entered at the input "x" and the sequence 1001001 has appeared at the output. Let us analyze what information on the input-output table can be extracted from this experiment.
♦ Each time the sequence 00000000 is received at the input in the initial state, we receive 1001001 at the output.
♦ This sequence generates a cycle with the length 3.
♦ There is no information concerning the sequence 0000001, with another value at the end of the entering sequence.
Common conclusion:
■ Each single experiment contains information which cannot be obtained by any other experiment not containing the given one.
■ The input-output table can be constructed by formulating all possible entering sequences.
It should be noted that it was precisely the sequence 0000000, with the length of 7, that allowed revealing the cycle with the length of 3. It is seen therefrom that 2n+1 bits are needed for detecting a cycle with the length n.
Let us return to Fig. 39b. The sequence 0011 transfers the automaton from state 1 into state 5, just as the sequence 00 does. In the given case, we know this due to the defined status numbers at each vertex. In the experiment the vertices are numbered arbitrarily (it was shown above that any order of numeration is equivalent to a permutation of vertices and does not change the algorithm). However, how may one identify the states obtained in experiments 00 and 0011, i.e. establish their identity? By the value at the output? However, we know that different statuses can have identical values at the output. Without identifying statuses, the experiment should be carried out until we obtain complete information for the table, that is, until we pass through all statuses. How can one realize such an experiment and establish that the obtained information is sufficient? Obviously it is possible if one records the experiment results into memory and analyzes this record for the detection of repeating output sequences. It is shown below that the amount of data can exhaust the computer resources before the required result is obtained.
Fig. 39b shows numbers corresponding to the status numbers of the table in Fig. 39a. This is only to show the connection between the table and the tree. In the experiment to be carried out the state numbers are not known.
Let us define a lower limit of the number of bits of all test sequences necessary for the construction of the input-output table.
We appeal to Fig 8c, which shows the digraph corresponding to the table of Fig 8. The green color in this figure indicates a path going once through all vertices. As seen, the path that passes once through each status of the table is a cycle (see item 2 of the algorithm) and has the length N. Let us designate it as
'ι X >' ' ' f, , — 'w-i N * (where i, e {0,1} 1 = 0> N} ) The knowledge of such paths allows simplifying the task of the status identification
Let us admit that we have a complete path and, in state 1 of the automaton, the setting sequence is 00. If there was a transition into state 2, it is sufficient to send the sequence 001011110 to pass into state 1; if there was a transition into state 3, the sequence will be 01011110, etc. So far, for the identification of one status in the presence of a simple path we need 1+2+...+(N-1)+N = (N+1)N/2 experiments, each of them with the length N. Thus, the total number of bits necessary in this case is equal to $\frac{N^2(N+1)}{2}$.
It remains to define the simple path. It is obvious that, if it exists in the given digraph, it can be retrieved as a result of generating sequences with the length 2N+1. Among them there should be a cycle with the length N, which can be a simple path. It is easy to see that the number of experiments necessary for this is equal to $2^N$. Thus, each experiment has length 2N+1 and the total number of bits necessary for the simple path construction is equal to $(2N+1)\,2^N$.
Thus, the total number of bits necessary for performing the experiment with the purpose of constructing the table at a known N can be obtained from the formula
Figure imgf000058_0001
For the example of Fig. 39, this number is equal to 22054. It is obvious that this number is many orders less than 3.63*10^20 obtained above, and this defines the direction in which the breakage should be performed. This number shows that, using an ordinary personal computer and within an acceptable time, when knowing N and having a possibility to generate the source text directly, it is possible to construct the encoder's table of states. At unknown N it is necessary to generate directly the text to be encoded, analyzing the code for the selection of cycles. The longest of them is twice as long as N, and thereafter it is possible to construct the status table. The size of such a text is defined by the formula
N f
At N=10 the size of the text is equal 2 bit
The dimension of this number is so great that it is impossible to select an object in the universe for which it could be a quantitative measure. For comparison, it is possible to give similar figures for DES ^ and
500 for RSA about 2 This figure is not small, but 500 times is less than the above mentioned
As the analysis of the table of states shows, the speed of an encoder does not depend on the number of states. It means that the dimension of the status table can be enlarged. Thus, the table with 255 states will contain 255x4 = 1020 = 1K of cells, which is admissible for the resources of any modern computer. Meanwhile, the formula shows in this case that, even at known N and with the possibility to generate the source text, the experiment length (total bit number) will be equal to 295*10. In summary, it is possible to draw the conclusion that the offered base model of the algorithm with maximum speed (one clock irrespective of the number of states) practically cannot be broken.
Since t_N ∈ {0,1}, the arithmetic difference 1 - t_N is equal to the inversion of t_N.
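The table-construction algorithm of section 15.1.1 and the known-N experiment of section 15.2.2, as an added Python sketch (not code from the patent). The function names, start state 1, the even N >= 4 restriction and the single-ring reading of step 2 are assumptions; `experiment_bits` sums the two bit counts stated above, which gives the 22054 quoted for N = 10.

```python
import random

def build_table(n, rng):
    """Steps 1-4 of the algorithm. Returns (nxt, out), indexed by state 1..n:
    nxt[s][x] = status entered from s on input bit x, out[s] = output bit of s."""
    if n < 4 or n % 2:
        raise ValueError("sketch assumes an even number of states, N >= 4")
    states = list(range(1, n + 1))
    # Step 3: fourth column, as many ones as zeros (footnote 6).
    bits = [0, 1] * (n // 2)
    rng.shuffle(bits)
    out = [None] + bits
    # Step 2: one cell per line. Assumption: the filled cells form one ring
    # through all states, so every state is entered from some line
    # (Consequence 1) and no line points at itself.
    ring = states[:]
    rng.shuffle(ring)
    nxt = [None] * (n + 1)
    for k, s in enumerate(ring):
        first = ring[(k + 1) % n]
        # Step 4: the other cell is neither the line's own number nor a state
        # with the same output bit, which is what makes the code decodable.
        second = rng.choice([t for t in states
                             if t != s and out[t] != out[first]])
        nxt[s] = (first, second) if rng.randrange(2) else (second, first)
    return nxt, out

def encode(table, bits, state=1):
    """Moore-style coding: move on the input bit, emit the new status's bit."""
    nxt, out = table
    coded = []
    for x in bits:
        state = nxt[state][x]
        coded.append(out[state])
    return coded

def decode(table, coded, state=1):
    """Invert encode(): the two successors of a status differ in output bit."""
    nxt, out = table
    plain = []
    for y in coded:
        x = 0 if out[nxt[state][0]] == y else 1
        state = nxt[state][x]
        plain.append(x)
    return plain

def zero_run_cycle(table, state=1):
    """Length of the status cycle the encoder enters on an all-zero input."""
    nxt, _ = table
    seen = {}
    step = 0
    while state not in seen:
        seen[state] = step
        state = nxt[state][0]
        step += 1
    return step - seen[state]

def experiment_bits(n):
    """Bits fed to the encoder in the known-N experiment: 2**n probes of
    2n+1 bits for the simple path plus (n+1)n/2 probes of n bits."""
    return (2 * n + 1) * 2 ** n + n * n * (n + 1) // 2

if __name__ == "__main__":
    # random.Random keeps the demo reproducible; it is not a CSPRNG.
    rng = random.Random(2000)                        # constructed seed
    table = build_table(10, rng)
    message = [rng.randrange(2) for _ in range(32)]  # constructed input
    coded = encode(table, message)
    print("round trip ok:", decode(table, coded) == message)
    print("cycle on zeros:", zero_run_cycle(table))
    print("experiment bits, N=10:", experiment_bits(10))
```

The encoder is deterministic, so the same input from the same start state always yields the same output, and a constant input settles into a cycle of at most N statuses.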
15.3 The byte base model
The base model considered above was constructed on the basis of the states table of a finite automaton having one input and one output (two columns, corresponding to the two values 1 and 0). As the signal on the output varies with the transition from one state into another, the velocity of conversion of an entering signal does not depend on the number of states. This circumstance was considered in the previous section, when it was offered to set N equal to 255. The same can be stated as far as it concerns the increase in the number of columns in the status table. However, the increase of the column number by 2 times allows n bits to be processed simultaneously, i.e. increases the processing rate n times. The table of states of the encoder with 8 inputs for processing 1 byte (Table 1) is given below. As is seen from the table, it has 256 (2^8) lines and columns. Each column corresponds to one byte value (000...000, 000...001, and so on, up to 111...111), and each line to an encoder state. The table shows an example of such filling in lines 1 and 2. In general, these lines, including the column of output values, are filled randomly.
Input values (byte)    Output values
254 255
177 54 35 43 201
204 38 89 128 34
255
256
Table 1
Now let us estimate the complexity of «breakage» of a byte encoder. First, we shall consider the following statements.
• The byte table of states should contain exactly 256 columns. Let us admit that it contains a smaller number of columns. It means that there is such a value of an entering byte for which this value is not defined. Let us now admit that the table has 257 columns. However, the entering byte has 256 values. It means that two columns therein have an identical byte value, i.e. the table cannot be realized by a finite automaton.
• The byte table of states should contain 256 lines. Let us admit that the number of states is less than 256. But as the number of columns in the table is equal to 256, it means that in each state there will be state numbers with identical output values, and this contradicts the condition of decodability of the status table (see page 61). The same will take place when the number of states is more than 256.
Consequently, with byte coding the table dimension is equal to 256x256 and is known when «breaking».
There are two versions of the «breakage» in this case:
1. The encoder is accessible for manipulation with the entered text and monitoring of the encoded text.
2. Only the encoded text is accessible.
15.3.1 The encoder is not accessible to manipulation
In this case only the encoded text is accessible, and the subject of the breakage is the table of states, i.e. this corresponds to the variant in which the sizes of the table of states are known but its filling is not. It corresponds to the situation considered on page 5. Here Formula 1 is as follows:
Figure imgf000061_0001
Formula 2
15.4 Models of redundant coding
Above, automatic encoding-decoding modules were considered in which the dimensions of the initial and encoded texts coincide. This fact gives additional information when breaking. Really, by keying with the encoded text there arises a possibility to establish a structural correspondence between the entering and output texts, which gives additional information concerning the mode of coding. The size of the initial state is defined by the length of the largest cycle, which is determined by means of the analysis of the encoded text. If the encoded text is accessible, the selection of cycles gives some information on the coding algorithm. The main idea of redundant coding is the generation of additional bits (with bit-by-bit coding) or bytes (with byte-by-byte coding). For generating additional characters, the table with N states is supplemented with a sequence R of N units and zeros. After the transition to the next status the encoder analyses the appropriate R value. If it is equal to one, the next entering signal is arbitrarily generated (i.e. the next signal is not read out) and the transition to the next status happens according to this input signal. As a result, the source text is encoded each time with different characters and with a different number and location of the redundant characters. At decoding, the decoder passes into the next status, checking the appropriate R value. If it is equal to one, the next value of the entering signal is not decoded, but is used for the transition to the next status. As seen from this description, even if manipulation of the encoded text is possible, experiments with the encoder do not allow receiving information on the status table.
Moreover, in this case each experiment, even with the same source text, will generate different results at the output. Therefore it is possible to consider this algorithm as practically unbreakable in this case. The calculations concerned the situation in which the table parameters are known and manipulation with the entering text is available. Evidently there is no necessity to estimate the breakage difficulty for more complicated situations.
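The redundant-coding scheme described above, as an added Python example (not code from the patent). The 4-state table, the R sequence, the function names and the rule that no redundant bit precedes the first transition are constructed for the illustration; filler bits come from the OS CSPRNG unless the caller supplies them.

```python
import itertools
import secrets

# Constructed 4-state table in the layout of Fig. 38b (not from the patent):
# NXT[s] = (status on x=0, status on x=1), OUT[s] = output bit of status s,
# R[s] = 1 marks a status after which a redundant character is generated.
NXT = {1: (2, 3), 2: (3, 4), 3: (4, 1), 4: (1, 2)}
OUT = {1: 1, 2: 0, 3: 1, 4: 0}
R = {1: 0, 2: 1, 3: 0, 4: 0}

def csprng_bits():
    """Endless filler bits from the operating system's CSPRNG."""
    while True:
        yield secrets.randbits(1)

def encode_redundant(bits, filler=None, state=1):
    """Encode a list of bits; after a status with R = 1 the next input bit
    is taken from `filler` instead of the source."""
    filler = csprng_bits() if filler is None else iter(filler)
    source = iter(bits)
    remaining = len(bits)
    coded = []
    redundant = False              # assumption: no flag before the first step
    while remaining:
        if redundant:
            x = next(filler)       # generated, not read from the source
        else:
            x = next(source)
            remaining -= 1
        state = NXT[state][x]
        coded.append(OUT[state])
        redundant = bool(R[state])
    return coded

def decode_redundant(coded, state=1):
    """Recover the source bits, dropping the bits decoded at R = 1 statuses."""
    plain = []
    redundant = False
    for y in coded:
        x = 0 if OUT[NXT[state][0]] == y else 1
        if not redundant:
            plain.append(x)        # a real source bit
        state = NXT[state][x]      # redundant bits still drive the status
        redundant = bool(R[state])
    return plain

if __name__ == "__main__":
    message = [0, 1, 1, 0]         # constructed sample input
    for fill in (0, 1):
        coded = encode_redundant(message, itertools.repeat(fill))
        print(fill, coded, decode_redundant(coded) == message)
```

In this table both successors of the only R = 1 status have R = 0, so the encoder always returns to reading the source after one filler bit.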
15.5 Comparison of the breakage difficulty of the finite-automaton model and working cryptography systems
Below is a table comparing the difficulties of breaking the finite-automaton model and the most applicable modern cryptography systems.
Figure imgf000062_0001
G. Korn & T. Korn, Mathematical Handbook (for Scientists and Engineers), 1974, page 568

Claims

What is claimed is:
1. A method for automatic cryptography using a computing device, the method comprising:
(a) inputting to the computing device an incoming bit flow to be encrypted, the incoming bit flow comprising a plurality of incoming bits;
(b) generating a plurality of random numbers and generating a status table in accordance with said plurality of random numbers, the status table providing, for each possible status:
(i) a first value to which the status is to be reset when one of said plurality of incoming bits is "1" and a second value to which the status is to be reset when another of said plurality of incoming bits is "0"; and
(ii) a value of an outgoing bit associated with said each possible status; and
(c) forming an outgoing bit flow from the incoming bit flow by using the status table as a lookup table to map each said incoming bit in the incoming bit flow to a corresponding outgoing bit in the outgoing bit flow by:
(i) determining a current value of the status;
(ii) applying the current value of the status and the incoming bit to the status table to determine whether the status is to be reset to the first value or the second value and resetting the status accordingly; and
(iii) applying the reset status to the status table to determine the outgoing bit; whereby the incoming bit flow is encrypted into the outgoing bit flow.
PCT/US2000/024565 1999-09-09 2000-09-08 Application of automated models for the information protection WO2001019015A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15293199P 1999-09-09 1999-09-09
US60/152,931 1999-09-09

Publications (3)

Publication Number Publication Date
WO2001019015A2 true WO2001019015A2 (en) 2001-03-15
WO2001019015A3 WO2001019015A3 (en) 2001-09-20
WO2001019015A9 WO2001019015A9 (en) 2002-12-05

Family

ID=22545060

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/024565 WO2001019015A2 (en) 1999-09-09 2000-09-08 Application of automated models for the information protection

Country Status (1)

Country Link
WO (1) WO2001019015A2 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5224164A (en) * 1990-05-22 1993-06-29 Peter Elsner Method and apparatus for transliterating messages

Also Published As

Publication number Publication date
WO2001019015A3 (en) 2001-09-20
WO2001019015A9 (en) 2002-12-05

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): JP RU US

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): AU CA CN JP KR RU US

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

122 Ep: pct application non-entry in european phase
AK Designated states

Kind code of ref document: C2

Designated state(s): AU CA CN JP KR RU US

AL Designated countries for regional patents

Kind code of ref document: C2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

NENP Non-entry into the national phase in:

Ref country code: JP