Information Processing Letters 26 (1987/88) 95-97 North-Holland

19 October 1987

A DOL-TOL PUBLIC KEY CRYPT0SYSTEM

KG. SUBRAMANIAN, Rani SIROMONEY and P. Jeyanthi ABISHA

Department of Mathematics, Madras Christian College, Tambaram, Madras 600 059, India

Communicated by L. Boasson Received December 1986

Keywords: Cryptography, formal language, L system

A public key cryptosystem, based on the theory of L systems, is discussed in [2] as an interesting application of formal language theory to cryptography. The public encryption key is a TOL system obtained from an underlying DTOL system. The trapdoor information kept secret is concerned with how the DTOL system can be recovered from the TOL system. The cryptosystem requires that the DTOL system is unambiguous. But, it is pointed out in [l] that this requirement is undecidable.

We discuss here a public key cryptosystem where the public encryption key involves a TOL system based on a DOE system. The advantage is that the unambiguity requirement in [2] is avoided. The decryption based on the trapdoor information is very straightforward and much simpler than that of [2] but cryptanaljsis is hard. In fact, without the trapdoor information, cryptanalysis is essentially an NP-complete problem, namely, the membership problem for TOL systems.

2. The public key cryptosystem

Let T be an alphabet, T = (a,, a2,. . _ ,a,) say, let ui, u 2, . . . , u n be n nonempty words in T * and let f:T*+T* bea X-freemorphismstchthat,fori=1,2,..., n, Alph(u i) c Alph(f(u i)) and there exists an a i in Alph(u& with 1 f(ai) 1 2 2. Let V be another alphabet of cardinality much greater than that of T and let g:V* +T* be a morphism such that g(d) = X, for d E V and g(a) z fl, for all a E T. Define substitutions t i, i = 1, 2,. . . , m for some m > 1, on V* such that t;(d) is a finite, nonempty subset of g- ‘(f(g(d))), for all d E V.

Let x1, x2,. . . ,x, be any n words in g-‘(u,), ge1(u2), . . . , g-‘(u,), respectively. The (m + n + P)-tuple (V, t ~,*..,t~, xi,.*., x,) is the public encryption key. The encryption of a plaintext w = pl . . . pn, Pj E T, for 1 < j < r is done as follows: A word z is obtained from w by replacing each pj, by x, if pj G ae for & (1, 2,..., n). The cryptotext is obtained by choosing an arbitrary word from

tjk( l l * (tj2(tj,(z))). l *), k > 1, (0

where jr, j, ,... ,j,E (1,2 ,..., m). The secret decryption key consists of T, f, u1 9 u 2, . . . , u n, g. In fact, g is the main trapdoor information. We note that if s is a cryptotext obttined from (1) then g(s) = f k(~,), where WI =ui, ...Uik4 for some k >, 1, such that, for j = 1, 2 ,..., k, ui,=u/ if ij =a(, for some /E

(1 2 9 , . . . , n). Thus, the plaintext can easily be recovered from g(s) using T, f, u 1, u 2,. . . , u “.

0020-0190/87/$3.50 0 1987, Elsevier Science Publishers B,V. (North-Holland) 95

Volume 26, Number 2 INFORMATION PROCESSING LETTERS 19 October 1987

3. An example

Let T= (p, q} and u1 =qp,u2=pqP9 f(p)=pq, fW=q* Let V = {a” b, c, d, e> and t,(a) = g(e) = I’, g(c) = 9, g(b) = g(d) = A.

Define t,, t2, t3 by

t,=(a+bec,a+adc,b+d,c+ddc,d+db,e+abcb),

t, = (a+acd,b+bd,c+dc,d+d,e+ebc},

t3 = (a + bdec, b + b, c + cd, d + b, e + ecd, e + bdec).

Let x1 = cda, x2 = ace. The encryption key is (V, ti, t2, t3, xi, x2). We illustrate encryption and decryption of a p!aintext w = pqp. First, we obtain z = xix 2xl, on

replacing p by xi and q by x2. One possible encryption is:

z - cdbbdecbdeccdbdeccdbbdec

2 ddcdbdddbabcbddcddbabcbddcddcdbddbabcbddcddcdbdddbabcbddc

2 dddcdbddddbdacdbddabddddcddbdacdbddcbddddcdddcdbdddbdacdbddcbddd 12

dcdddcdbddddbdacdbddcbddddc = zi, say.

The word z’ constitutes an encryption of the plaintext w = pqp. The decryption of z’ proceeds as follows: First, we obtain

w4 = fdz’ ) = W999p999W9999p999~

Clearly, w3 = qpqrqpqqqpqqqpqq is such that f(w3) = w4; w, = qpqpqqpqqpq is such that f(w2) = w3; and w1 = qppqpqp is such that f(w, ) = w2, i.e., w4 = f 3(w1 ).

Thus, w1 = ulu2ul and so we conclude that the plaintext is pqp.

4. Algorithms for encryption and decryption

Both encryption and decryption can be done in a mechanical way. Encryption of a plaintext is randomized by choosing a table randomly and applying productions in a table choosing them randomly also. It can be seen that encryption of a word takes polynomial time only.

In the case of decryption, the application of q to cryptotext zi takes time linear in the length of zl. Since f is a prefix-free, X-free morphism, the step (PARSING, w) takes time linear in the length of w. Hence, decryption is done in iinear time.

. 4.1. Algorithm for encryption

Input: A TOL system over an alphabet V containing m tables t , , t 2,. . . , t ,,., and n words x1, x2,. . . , x ,, . .

over V. A word w = i,i z . . . i, over T = (a,, a2,. ..,a.}.

Froeedure(APPLY RULES, z)

Let m’ be a random number < m; iet z = zl.. .

j = 1,2,. . . , r z, where each Zj is a letter in V, for each

begin

replace in z, Zj by CY where Zj + (Y is a rule in t m

return z end.

96

Volume 26, Number 2 INFORMATLON PROCESSING LETTERS 19 October 1987

Pmcedure(ENcRYmoN, w = i 1 i 2 . . _ i k )

begin for j = 1 to k do

if ij = ai then ij = xi z=w let s be a positive integer for 8= 1 to s do (APPLY RULES, z)

cryptstext = z end.

4.2. Algorithm for decryption Input:Awordz’overV,amapg:V+Til (X),ahomomorphismf:T+T* andnwordsu,, u~,...,u,,.

hxedure(PARASING, w)

begin find the decomposition w = wiw, . . . w, where Wi = f(a) for some a E T, i = 1, 2,. . . , s

for i = 1 to s do wi = a in w where Wi = f(a), a E T

end.

hxedure(DEcRYPTION, z’)

begin for i = 1 to lz’ 1 do zi = g(zi) w=z

I

repeat (PARASING, w) until w = w1 . . . w,.,, where each wj is one of u 1, u 2, . . . , u n

for j = 1 to m do if Wj = ui then Wj = ai

plaintext = w end.

The encryption key is made public. Hence, the cryptanalysis attack on this system is the ‘encryption key only’ [2] attack. This involves with the preprocessing of the key, i.e., finding the trapdoor function g so that the DQL system can be obtained. In order to do this, first T should be found, but this is an intractable problem. Qn the other hand, without g, decrypting the cryptotext using the TOL system amounts to the membership problem for TOL systems, which is NP-complete.

References

[I] J. Dassow, A note on DTOL systems, Bull. EATCS 22 (1984) 11-14.

[2] A. Salomaa, Computation and Automata (Cambridge Uni- versity’s Press, 1985).

97