Scientific article on the topic 'Cryptanalytic concept of finite automaton invertibility with finite delay'

Cryptanalytic concept of finite automaton invertibility with finite delay. Text of a scientific article in the specialty "Mathematics"

CC BY
Keywords
FINITE AUTOMATA / INFORMATION-LOSSLESS AUTOMATA / AUTOMATA INVERTIBILITY / CRYPTANALYTIC INVERTIBILITY

Abstract of the scientific article in mathematics; author of the work: Agibalov G.P.

The automaton invertibility with a finite delay plays a very important role in the analysis and synthesis of finite automata cryptographic systems. The automaton cryptanalytic invertibility with a finite delay $\tau$ is studied in the paper. From the cryptanalyst's point of view, this notion means the theoretical possibility of recovering, under some conditions, a prefix $\alpha$ of length $n$ in an unknown input sequence $\alpha\delta$ of an automaton from its output sequence $\gamma$ of length $n+\tau$ and perhaps additional information such as the parameters $\tau$ and $n$, the initial ($q$), intermediate ($\theta$) or final ($t$) state of the automaton, or the suffix $\delta$ of length $\tau$ in the input sequence. The conditions imposed on the recovering algorithm require the prefix $\alpha$ to be arbitrary and may require the initial state $q$ and the suffix $\delta$ to be arbitrary or existent; that is, the variable $\alpha$ is always bound by the universal quantifier and each of the variables $q$ and $\delta$ may be bound by either quantifier, universal ($\forall$) or existential ($\exists$). The variety of information that can be known to a cryptanalyst provides many different types of automaton invertibility and, respectively, many different classes of invertible automata. Thus, in the paper, invertibility with a finite delay $\tau$ of a finite automaton $A$ is the ability of this automaton to resist recovering or, on the contrary, to allow precisely determining any input word $\alpha$ of length $n$ from the output word $\gamma$ that results from the automaton $A$, in its initial state $q$, transforming the input word $\alpha\delta$ with $\delta$ of length $\tau$, given the known $n$, $\tau$, $A$, $\gamma$ and $u \subseteq \{\delta, q, \theta, t\}$, where $q$ and $\delta$ may be arbitrary or some elements of their sets, and $\theta$ and $t$ are respectively the intermediate and final states of $A$ into which $A$ comes from $q$ under the action of the input words $\alpha$ and $\alpha\delta$ respectively.
According to this, the automaton $A$ is called invertible with a delay $\tau$ if there exist a function $f(\gamma,u)$ and a triplet of quantifiers $\kappa \in \{Q_1x_1Q_2x_2Q_3x_3 : Q_ix_i \in \{\forall q, \exists q, \forall\alpha, \forall\delta, \exists\delta\},\ i \neq j \Rightarrow x_i \neq x_j\}$ such that $\kappa[f(\gamma,u) = \alpha]$; in this case $f$ is called a recovering function, $(\kappa,u)$ an invertibility type, $\kappa$ an invertibility degree, $u$ an invertibility order of the automaton $A$, and $\exists f\,\kappa[f(\gamma,u) = \alpha]$ an invertibility condition of type $(\kappa,u)$ for the automaton $A$. So, 208 different types of invertibility of the automaton $A$ are defined in all. The well-known types of (strong) invertibility and weak invertibility described for finite automata earlier by scientists (D. A. Huffman, A. Gill, Sh. Even, A. A. Kurmit, Z. D. Dai, D. F. Ye, K. Y. Lam, R. Tao and many others) belong in our theory to the types $(\forall q\forall\alpha\forall\delta, \varnothing)$ and $(\forall q\forall\alpha\forall\delta, \{q\})$ respectively. For every invertibility type, we have defined a class of automata with this type of invertibility and described the inclusion relation on the set of all these classes. It has turned out that the graph of this relation is the union of twenty nine lattices, with thirteen of them each containing sixteen classes and sixteen lattices each containing thirteen classes. To solve the scientific problems (invertibility tests, synthesis of inverse automata and so on) related to the different and concrete invertibility classes, we hope to continue these investigations.


On the cryptanalytic invertibility with finite delay of finite automata

The property of invertibility with finite delay of finite automata is studied from the cryptanalyst's standpoint, namely depending on the a priori information available to the inversion algorithm. In the cryptanalysis of symmetric finite-automaton ciphers by a known-ciphertext attack, a typical situation is that the automaton inversion problem has to be solved by a partially informed cryptanalyst. Depending on this knowledge, 208 different types of invertibility and of invertible automata are defined, and the relations between them are established. The well-known notions of (strong) and weak invertibility of automata are only two of these types. Results concerning particular invertibility types (invertibility tests, synthesis of inverse automata, etc.) are the subject of further research and publications.

Text of the scientific work on the topic "Cryptanalytic concept of finite automaton invertibility with finite delay"

2019 Mathematical Methods of Cryptography No. 44

MATHEMATICAL METHODS OF CRYPTOGRAPHY

UDC 519.7 DOI 10.17223/20710410/44/3

CRYPTANALYTIC CONCEPT OF FINITE AUTOMATON INVERTIBILITY WITH FINITE DELAY¹

G. P. Agibalov National Research Tomsk State University, Tomsk, Russia E-mail: [email protected]

The automaton invertibility with a finite delay plays a very important role in the analysis and synthesis of finite automata cryptographic systems. The automaton cryptanalytic invertibility with a finite delay $\tau$ is studied in the paper. From the cryptanalyst's point of view, this notion means the theoretical possibility of recovering, under some conditions, a prefix $\alpha$ of length $n$ in an unknown input sequence $\alpha\delta$ of an automaton from its output sequence $\gamma$ of length $n+\tau$ and perhaps additional information such as the parameters $\tau$ and $n$, the initial ($q$), intermediate ($\theta$) or final ($t$) state of the automaton, or the suffix $\delta$ of length $\tau$ in the input sequence. The conditions imposed on the recovering algorithm require the prefix $\alpha$ to be arbitrary and may require the initial state $q$ and the suffix $\delta$ to be arbitrary or existent; that is, the variable $\alpha$ is always bound by the universal quantifier and each of the variables $q$ and $\delta$ may be bound by either quantifier, universal ($\forall$) or existential ($\exists$). The variety of information that can be known to a cryptanalyst provides many different types of automaton invertibility and, respectively, many different classes of invertible automata. Thus, in the paper, invertibility with a finite delay $\tau$ of a finite automaton $A$ is the ability of this automaton to resist recovering or, on the contrary, to allow precisely determining any input word $\alpha$ of length $n$ from the output word $\gamma$ that results from the automaton $A$, in its initial state $q$, transforming the input word $\alpha\delta$ with $\delta$ of length $\tau$, given the known $n$, $\tau$, $A$, $\gamma$ and $u \subseteq \{\delta, q, \theta, t\}$, where $q$ and $\delta$ may be arbitrary or some elements of their sets, and $\theta$ and $t$ are respectively the intermediate and final states of $A$ into which $A$ comes from $q$ under the action of the input words $\alpha$ and $\alpha\delta$ respectively.
According to this, the automaton $A$ is called invertible with a delay $\tau$ if there exist a function $f(\gamma,u)$ and a triplet of quantifiers $\kappa \in \{Q_1x_1Q_2x_2Q_3x_3 : Q_ix_i \in \{\forall q, \exists q, \forall\alpha, \forall\delta, \exists\delta\},\ i \neq j \Rightarrow x_i \neq x_j\}$ such that $\kappa[f(\gamma,u) = \alpha]$; in this case $f$ is called a recovering function, $(\kappa,u)$ an invertibility type, $\kappa$ an invertibility degree, $u$ an invertibility order of the automaton $A$, and $\exists f\,\kappa[f(\gamma,u) = \alpha]$ an invertibility condition of type $(\kappa,u)$ for the automaton $A$. So, 208 different types of invertibility of the automaton $A$ are defined in all. The well-known types of (strong) invertibility and weak invertibility described for finite automata earlier by scientists (D. A. Huffman, A. Gill, Sh. Even, A. A. Kurmit, Z. D. Dai, D. F. Ye, K. Y. Lam, R. Tao and many others) belong in our theory to the types $(\forall q\forall\alpha\forall\delta, \varnothing)$ and $(\forall q\forall\alpha\forall\delta, \{q\})$ respectively. For every invertibility type, we have defined a class of automata with this type of invertibility and described the inclusion relation on the set of all these classes. It has turned out that the graph of this relation is the union of twenty nine lattices, with thirteen of them each containing sixteen classes and sixteen lattices each containing thirteen classes. To solve the scientific problems (invertibility tests, synthesis of inverse automata and so on) related to the different and concrete invertibility classes, we hope to continue these investigations.

¹ The author is supported by the RFBR-grant no. 17-01-00354.

Keywords: finite automata, information-lossless automata, automata invertibility, cryptanalytic invertibility.

Introduction

In the theory of analysis and synthesis of finite automaton cryptosystems, the invertibility property of finite automata takes the most important place. From the cryptanalytic point of view, it means the theoretical possibility of recovering a nonempty part of an input word of an automaton from its output word and, possibly, some additional information about the automaton (its transition and output functions; its initial, intermediate or final states; its class, etc.) and about the rest of the input word, which plays an auxiliary (often official) role (its length, value and location in the input word). The variety of kinds of this information generates the different types of automaton invertibility and, respectively, the different classes of invertible automata. In this paper, we assume that the transition and output functions of the automata under consideration are completely known, that a nonempty prefix of an input word needs to be recovered, and that the length of the part of the word following the prefix, called the recovering or invertibility delay, is also known.

So by the invertibility with a finite delay $\tau$ of a finite automaton $A$, we understand the property of $A$ that allows one to uniquely compute any of its input words $\alpha$ from an output word $\gamma$ produced by the automaton $A$ in an initial state $q$ as its reaction to an input word $\alpha\delta$ with $\delta$ of length $\tau$, with the known $\tau$, $A$, $\gamma$, and with the unknown, possibly, some or all the values from the list $u \subseteq \{\delta, q, \theta, t\}$, where $q$ and $\delta$ can be arbitrary or some elements of their sets, and $\theta$ and $t$ are, respectively, the intermediate and final states of the automaton $A$ into which it comes from $q$ under the influence of the input words $\alpha$ and $\alpha\delta$ respectively.

According to this, the automaton $A$ is called invertible with the delay $\tau$ if there exist a function $f(\gamma,u)$ and a triplet of quantifiers $\kappa \in \{Q_1x_1Q_2x_2Q_3x_3 : Q_ix_i \in \{\forall q, \exists q, \forall\alpha, \forall\delta, \exists\delta\},\ i \neq j \Rightarrow x_i \neq x_j\}$ such that $\kappa(f(\gamma,u) = \alpha)$; in this case, $f$ is called the recovering function, $(\kappa,u)$ the invertibility type, $\kappa$ the invertibility degree, $u$ the invertibility order of the automaton $A$, and $\exists f\,\kappa(f(\gamma,u) = \alpha)$ the invertibility condition for type $(\kappa,u)$.

In automata theory, the notion of an information-lossless automaton (ILA) is often used as a synonym for the notion of an invertible automaton. ILAs were first investigated by D. A. Huffman [1, 2] (his results can also be found in the monograph by A. Gill [3]), later by Sh. Even [4] and also by A. A. Kurmit, who described his own results on ILA in the detailed monograph [5], where an ILA with a finite delay is considered with the known initial or final state and is called there an ILA of a finite order of type I or type II respectively. In 1959, A. D. Zakrevsky [6] proposed a symmetric cipher on the basis of a strongly connected ILA with zero delay (with an output function being bijective for every state). For the sake of fairness, we need to say that similar automata were first used by the Japanese during World War Two in their ciphering machine known as Purple [7]. Recently, automaton invertibility became a research subject for Chinese scientists headed by professor R. Tao. They have produced FAPKC, Finite Automaton Public Key Cryptosystems, based on memory finite automata which are invertible with finite delay and with known initial state [7-9].

The main results of the works enumerated above and related to automaton invertibility with a finite delay are in reality the definitions and constructive tests of two types of invertibility, strong and weak (our types $(\forall q\forall\alpha\forall\delta, \varnothing)$ and $(\forall q\forall\alpha\forall\delta, \{q\})$ respectively), and algorithms for synthesis of inverse automata for them. These types of invertibility are really defined in the mentioned works through the automaton properties (classes), and afterwards it is proved that if an automaton belongs to a certain class, then recovering its input word prefixes is possible. This looks like "a cart ahead of the horse".

In our paper, a general definition for an arbitrary type of finite automaton invertibility is introduced. Every particular type of invertibility is obtained from this definition by setting particular values of the definition parameters, which are the degree $\kappa$ and the order $u$ of the invertibility. So, formally, 208 types of finite automaton invertibility with a delay are introduced in all, including the types of strong and weak invertibility mentioned above from [3, 5, 9]. For every type of automaton invertibility with a fixed delay, we define the class of all finite automata invertible of this type and show that the set of all these classes, partially ordered by the inclusion relation, is the union of 29 lattices. The definition of the arbitrary type as well as of each particular type of automaton invertibility is given in a completely clear and natural way, namely through the existence of a function recovering the unknown prefix of an automaton input word from other known information. As for constructive tests for automaton invertibility of each type, they are supposed to be formulated and proved in terms of the properties of the automaton itself. A consequence of this fact is that the definitions of strong and weak invertibility in the monographs [3, 5, 9] are theorems in our theory. Besides, we have succeeded in defining and researching many automaton invertibility types and classes which are not studied by other scientists.
Of course, we don't exclude that not all these classes are of high importance from the scientific point of view, but their mere existence calls for studying them thoroughly in order to solve some theoretical and applied problems, including: establishing necessary and sufficient conditions for automaton invertibility of each type; building a constructive test for membership of a finite automaton in an invertibility class; algorithmic synthesis of the automata in a given invertibility class; characterization of the invertible automata for which inverse automata exist, and algorithmic synthesis of the latter; development of effective algorithms for recovering a word prefix on the input of an invertible automaton in a particular invertibility class; creation of private and public key cryptosystems on the basis of invertible automata of different invertibility classes; algorithmic cryptanalysis of these cryptosystems.

The solution of these problems and their study in computer experiments are to be carried out by the author and his colleagues over several future years, with regular publication of the results in the journal "Prikladnaya Diskretnaya Matematika" and their presentation at the International Conference "Computer Security and Cryptography" (SIBECRYPT).

1. Agreements

An arbitrary finite automaton is presented as $A = (X, Q, Y, \psi, \varphi)$, where $X$, $Q$ and $Y$ are its input alphabet, the set of states and the output alphabet respectively, and $\psi$ and $\varphi$ are its functions of transitions and outputs respectively, $\psi : X \times Q \to Q$ and $\varphi : X \times Q \to Y$. These functions, being defined for pairs $xq \in X \times Q$, we extend to pairs $\alpha q \in X^* \times Q$ by induction on the length $|\alpha|$ of the word $\alpha \in X^*$, namely the functions $\bar\psi : X^* \times Q \to Q$ and $\bar\varphi : X^* \times Q \to Y^*$ are defined as $\bar\psi(\Lambda,q) = q$, $\bar\psi(\alpha x,q) = \psi(x,\bar\psi(\alpha,q))$, $\bar\varphi(\Lambda,q) = \Lambda$, $\bar\varphi(x,q) = \varphi(x,q)$ and $\bar\varphi(\alpha x,q) = \bar\varphi(\alpha,q)\varphi(x,\bar\psi(\alpha,q))$. Here and everywhere further, the symbol $\Lambda$ denotes the empty word in any alphabet.

Thus, $\bar\psi(\alpha,q)$ is the state into which the automaton $A$ comes from a state $q$ under the influence of the input word $\alpha$, and $\bar\varphi(\alpha,q)$ is the output word which the automaton produces this time. The function $\varphi_q : X \to Y$, defined as $\varphi_q(x) = \varphi(x,q)$ for all $x \in X$, is called the output function of the automaton $A$ in the state $q \in Q$.

We don't exclude partially defined automata from consideration. To present the information in them, we use the symbol $\omega$, regarding it as any word of any length over any alphabet. So the record $\omega \in X^n$, for example, means that $\omega$ is a word of length $n$ in the alphabet $X$, and the record $f(a) = \omega$ means that the function value $f(x)$ is not defined for $x = a$. When comparing two words in the same alphabet, we consider that the word $\omega$ equals a word $\alpha$ iff $|\omega| = |\alpha|$. In particular, two words $\omega$ coincide iff their lengths are equal.

Further, we adopt the convention for any logical formula

$$F = Q_1x_1Q_2x_2\ldots Q_nx_n\,P(x_1,x_2,\ldots,x_n),$$

where $Q_1, Q_2, \ldots, Q_n$ are the quantifier symbols $\forall$, $\exists$ and the formula $P$ doesn't contain quantifiers, to say that an $n$-tuple $c_1c_2\ldots c_n$ of values of the variables $x_1, x_2, \ldots, x_n$ satisfies $F$ if, for each $i = 1, 2, \ldots, n$, the value $c_i$ is chosen in the range of the variable $x_i$ in the following way: in the case $Q_i = \forall$, anyhow; in the case $Q_i = \exists$, (in dependence on the already chosen $c_j$ for $j < i$) so that $P(c_1,c_2,\ldots,c_n) = \text{true}$. By the definition of the truth of $F$, such a tuple exists if and only if $F = \text{true}$.

Finally, everywhere further, by the symbol $\tau$ we denote a non-negative integer called a delay and, in the absence of additional remarks, it is supposed that $a \in X$, $b \in X$, $\alpha \in X^*$, $\beta \in X^*$, $\delta \in X^\tau$, $\varepsilon \in X^\tau$, $q \in Q$, $s \in Q$.

2. Definition of invertibility with finite delay

Consider a finite automaton $A = (X, Q, Y, \psi, \varphi)$. Let $q, \alpha, \delta$ be variables with values in $Q, X^*, X^\tau$ denoting, respectively, an initial state, a prefix (beginning) and a suffix (ending) of an input word $\alpha\delta$ of the automaton $A$, and let $K = \{\forall q, \forall\alpha, \forall\delta, \exists q, \exists\delta\}$ be the set of universal and existential quantifiers which bind these variables. In reality, the quantifiers in $K$ are $\forall q \in Q$, $\forall\alpha \in X^*$, $\forall\delta \in X^\tau$, $\exists q \in Q$, $\exists\delta \in X^\tau$, written in $K$ without the previously fixed symbols indicating the ranges of the variables, which are omitted for conciseness. Besides, notice that $K$ doesn't contain the quantifier $\exists\alpha$. This is because, for a cryptanalyst, the input word $\alpha$ can be any one.

Also let $\theta = \bar\psi(\alpha,q)$, $t = \bar\psi(\alpha\delta,q)$ and $V = \{\Lambda, q, \theta, t, \delta, q\theta, qt, q\delta, \theta t, \theta\delta, t\delta, q\theta t, q\theta\delta, qt\delta, \theta t\delta, q\theta t\delta\}$. It is seen that the symbols $\theta$ and $t$ denote the intermediate and final states into which the automaton $A$ comes from the state $q$ after having received on its input the words $\alpha$ and $\alpha\delta$ respectively. The members of the set $V$ are meant for describing what we call here an invertibility order of the automaton $A$. In fact, they are some functions in $q, \alpha, \delta$.

We say that the automaton $A$ is invertible with the delay $\tau$ if there exist quantifiers $K_1, K_2, K_3$ in $K$ with different variables from $\{q, \alpha, \delta\}$ as well as a function $f : Y^* \times V \to X^*$ and a tuple $u(q,\alpha,\delta) \in V$ such that the following formula is true:

$$\Phi = K_1K_2K_3\big(f(\bar\varphi(\alpha\delta,q), u(q,\alpha,\delta)) = \alpha\big);$$

in this case, $(K_1K_2K_3, u)$ is called the invertibility type of the automaton $A$, $K_1K_2K_3$ the invertibility degree, $u$ the invertibility order, $f$ the recovering function (for the input prefix), $\tau$ the recovery delay, or invertibility delay, and $\exists f[\Phi]$ the invertibility condition of this type for the automaton $A$.

Taking into account the commutativity of quantifiers of the same type, in the table we present, for the automaton $A$, the invertibility conditions of all possible invertibility types with the delay $\tau$. From this table, for an invertibility of a type $(K_1K_2K_3, u)$, the invertibility condition is obtained by attaching the quantifier prefix $\exists f K_1K_2K_3$ from the left column to the (so called) underlying expression $f(\bar\varphi(\alpha\delta,q), u(q,\alpha,\delta)) = \alpha$ from the right column with the proper invertibility order $u$. Further, the invertibility condition with the quantifier prefix of number $i$ and the underlying expression of number $j$ in the table is denoted by $U_{i,j}$ or (if you need to know $\tau$) $U_{i,j}[\tau]$. For example, $U_{1,1}[\tau] = \exists f\forall q\forall\alpha\forall\delta(f(\bar\varphi(\alpha\delta,q)) = \alpha)$, $U_{1,2}[\tau] = \exists f\forall q\forall\alpha\forall\delta(f(\bar\varphi(\alpha\delta,q),q) = \alpha)$, $U_{5,10}[\tau] = \exists f\exists q\forall\alpha\exists\delta(f(\bar\varphi(\alpha\delta,q),\bar\psi(\alpha,q),\delta) = \alpha)$ and so on. Thus, for any finite automaton, we have formally defined $208\ (= 13 \cdot 16)$ invertibility types with any finite delay. But later, we will see that, for some of these types with different invertibility orders, the invertibility conditions can be equivalent and define the same type of invertible automata.

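Conditions for different types of invertibility with a delay $\tau$ of the automaton $A$

| No | Quantifier prefix $\exists f\,Q_1x_1Q_2x_2Q_3x_3$ | No | Underlying expression $f(\bar\varphi(\alpha\delta,q), u(q,\alpha,\delta)) = \alpha$ |
|---|---|---|---|
| 1 | $\exists f\,\forall q\,\forall\alpha\,\forall\delta$ | 1 | $f(\bar\varphi(\alpha\delta,q)) = \alpha$ |
| 2 | $\exists f\,\forall q\,\forall\alpha\,\exists\delta$ | 2 | $f(\bar\varphi(\alpha\delta,q), q) = \alpha$ |
| 3 | $\exists f\,\forall q\,\exists\delta\,\forall\alpha$ | 3 | $f(\bar\varphi(\alpha\delta,q), \bar\psi(\alpha,q)) = \alpha$ |
| 4 | $\exists f\,\exists q\,\forall\alpha\,\forall\delta$ | 4 | $f(\bar\varphi(\alpha\delta,q), \bar\psi(\alpha\delta,q)) = \alpha$ |
| 5 | $\exists f\,\exists q\,\forall\alpha\,\exists\delta$ | 5 | $f(\bar\varphi(\alpha\delta,q), \delta) = \alpha$ |
| 6 | $\exists f\,\exists q\,\exists\delta\,\forall\alpha$ | 6 | $f(\bar\varphi(\alpha\delta,q), q, \bar\psi(\alpha,q)) = \alpha$ |
| 7 | $\exists f\,\forall\alpha\,\exists q\,\forall\delta$ | 7 | $f(\bar\varphi(\alpha\delta,q), q, \bar\psi(\alpha\delta,q)) = \alpha$ |
| 8 | $\exists f\,\forall\alpha\,\exists q\,\exists\delta$ | 8 | $f(\bar\varphi(\alpha\delta,q), q, \delta) = \alpha$ |
| 9 | $\exists f\,\forall\alpha\,\forall\delta\,\exists q$ | 9 | $f(\bar\varphi(\alpha\delta,q), \bar\psi(\alpha,q), \bar\psi(\alpha\delta,q)) = \alpha$ |
| 10 | $\exists f\,\forall\alpha\,\exists\delta\,\forall q$ | 10 | $f(\bar\varphi(\alpha\delta,q), \bar\psi(\alpha,q), \delta) = \alpha$ |
| 11 | $\exists f\,\forall\delta\,\exists q\,\forall\alpha$ | 11 | $f(\bar\varphi(\alpha\delta,q), \bar\psi(\alpha\delta,q), \delta) = \alpha$ |
| 12 | $\exists f\,\exists\delta\,\forall q\,\forall\alpha$ | 12 | $f(\bar\varphi(\alpha\delta,q), q, \bar\psi(\alpha,q), \bar\psi(\alpha\delta,q)) = \alpha$ |
| 13 | $\exists f\,\exists\delta\,\forall\alpha\,\exists q$ | 13 | $f(\bar\varphi(\alpha\delta,q), q, \bar\psi(\alpha,q), \delta) = \alpha$ |
| | | 14 | $f(\bar\varphi(\alpha\delta,q), q, \bar\psi(\alpha\delta,q), \delta) = \alpha$ |
| | | 15 | $f(\bar\varphi(\alpha\delta,q), \bar\psi(\alpha,q), \bar\psi(\alpha\delta,q), \delta) = \alpha$ |
| | | 16 | $f(\bar\varphi(\alpha\delta,q), q, \bar\psi(\alpha,q), \bar\psi(\alpha\delta,q), \delta) = \alpha$ |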

Having a function $f : Y^* \times V \to X^*$, we can define a function $f' : Y^* \times V \to X^*$ so that $f'(\gamma y, u) = f(\gamma, u)$ for all $\gamma \in Y^*$, $y \in Y$ and $u \in V$. Since $\bar\varphi(\alpha\delta x,q) = \bar\varphi(\alpha\delta,q)\varphi(x,\bar\psi(\alpha\delta,q))$, the equality $f(\bar\varphi(\alpha\delta,q),u) = \alpha$ implies the equality $f'(\bar\varphi(\alpha\delta x,q),u) = \alpha$. By the principle of mathematical induction, this implication proves that if, for a type of invertibility, a finite automaton is invertible with a finite delay, then, for the same type of invertibility, the automaton is invertible with any greater integer delay.

In this work, by invertibility we only understand invertibility of a finite automaton of a certain type, of a certain order and with a finite delay, and we usually don't mention these attributes without a particular need.

3. Invertibility classes

For any $i \in \{1, 2, \ldots, 13\}$ and $j \in \{1, 2, \ldots, 16\}$, we say that an automaton $A = (X, Q, Y, \psi, \varphi)$ belongs to an (invertibility) class $C_{i,j}[\tau]$ if the condition $U_{i,j}[\tau]$ is true; in this case, the condition $U_{i,j}[\tau]$ is called the invertibility condition in the class $C_{i,j}[\tau]$ of the automaton $A$. The purpose of this section is the description of the inclusion relation on the set of all invertibility classes with a particular delay, following from the property: if $U_{i,j}[\tau] \Rightarrow U_{k,l}[\tau]$, then $C_{i,j}[\tau] \subseteq C_{k,l}[\tau]$. There are two cases when the premise $U_{i,j}[\tau] \Rightarrow U_{k,l}[\tau]$ in this property takes place and this fact is recognized immediately from the invertibility types $(K_1K_2K_3, u)$ in $U_{i,j}[\tau]$ and $(K_1'K_2'K_3', u')$ in $U_{k,l}[\tau]$:

1) $i = k$, $j \neq l$ and all the elements in $u$ are contained in $u'$;

2) $i \neq k$, $j = l$ and $K_1K_2K_3P(q,\alpha,\delta) \Rightarrow K_1'K_2'K_3'P(q,\alpha,\delta)$ for any predicate $P$ in three variables.

For instance, in the first case, $U_{i,5} \Rightarrow U_{i,13}$ and therefore $C_{i,5} \subseteq C_{i,13}$ for all $i$ and, in the second case, $U_{7,j} \Rightarrow U_{9,j}$ and therefore $C_{7,j} \subseteq C_{9,j}$ for all $j$.

In case 2, the truth (or falsehood) of the indicated implication is easily established with the help of identically true formulas of predicate logic such as $\forall x S(x) \Rightarrow \exists x S(x)$, $\exists x \forall y R(x,y) \Rightarrow \forall y \exists x R(x,y)$ and the like.

The implication $U_{i,j}[\tau] \Rightarrow U_{k,l}[\tau]$, connecting the invertibility conditions for two automata, induces the inclusion relation $C_{i,j}[\tau] \subseteq C_{k,l}[\tau]$ between the invertibility classes of these automata. On each of the sets $\{C_{i,j}[\tau] : j = 1, 2, \ldots, 16\}$, $i = 1, \ldots, 13$, and $\{C_{i,j}[\tau] : i = 1, 2, \ldots, 13\}$, $j = 1, \ldots, 16$, this relation defines a lattice, that is, a partially ordered set in which, for every pair of elements, there exist the least upper and the greatest lower bounds. These lattices are shown in Figs. 1 and 2.

Fig. 1

Fig. 2

In the case $\tau = 0$, the sequence $\delta$ in the quantifier prefixes and underlying expressions in the table is the empty word and, as a consequence, all these prefixes and expressions break up into blocks of equal entities, namely: the first into the blocks $1 = \{1, 2, 3, 10, 12\}$, $4 = \{4, 5, 6, 11\}$ and $7 = \{7, 8, 9, 13\}$; the second into the blocks $1' = \{1, 5\}$, $2' = \{2, 8\}$, $3' = \{3, 4, 9, 10, 11, 15\}$ and $6' = \{6, 7, 12, 13, 14, 16\}$. Hence $C_{i,j}[0] = C_{k,j}[0]$ for all $i, k \in I$, $I = 1, 4, 7$ and $j = 1, 2, \ldots, 16$, as well as $C_{i,j}[0] = C_{i,l}[0]$ for all $j, l \in J$, $J = 1', 2', 3', 6'$ and $i = 1, 2, \ldots, 13$.

4. Automata invertibility problems

The automaton invertibility conditions contained in the definition of this notion for its different types are given in a non-constructive form, and it is difficult to apply them in practice. Formulating and correctly proving constructive tests for invertibility of every type is the first in the row of problems related to the cryptanalytic notion of finite automaton invertibility.

From the cryptographic point of view, the problem of generating invertible automata of all possible types takes an important place in this row. In different settings of this problem, many different requirements on the automata being generated can be present: with an equal probability in a certain class, with limited complexity, with a great or, on the contrary, little invertibility delay and the like. Its solution seems to be impossible without a proper solution of the first problem.

The notion of finite automaton invertibility under consideration doesn't imply the obligatory existence of an inverse automaton to an invertible automaton. Moreover, it is possible that the function recovering an input prefix cannot be a finite-automaton one for some types of automaton invertibility. In this case, evidently, the problem arises: given an invertible (of a certain type) automaton, find out whether it has an inverse automaton and, if it has, construct the inverse to it. The solution of this problem in turn implies the definition of an inverse to any automaton of every invertibility class. In the absence of inverse automata to the automata of an invertibility class, we have the problem of constructing for them functions recovering prefixes of input sequences from known output sequences.

In subsequent investigations by the author and his colleagues, some of these problems are meant to be solved for some of the invertibility classes defined.

5. Invertibility conditions

For investigating the properties of automaton invertibility, the invertibility condition in its definition needs to be reformulated in a more constructive way, first of all to get rid of the requirement of explicitly testing the existence of a recovering function. In this section, we present a test (Proposition 1) for automaton invertibility of any type $(\forall q\forall\alpha\forall\delta, u(q,\alpha,\delta))$ and give some necessary conditions (Proposition 2) for an automaton to be invertible of any type $(Q_1qQ_2\alpha Q_3\delta, u(q,\alpha,\delta))$, both (test and necessary conditions) without explicitly performing a procedure of testing the existence of a recovering function. The propositions follow from the corresponding auxiliary lemmas about logical formulas. To formulate the lemmas, we first introduce some needed symbols.

Let $n$ be a positive integer; $Q_1, \ldots, Q_n$ be symbols of quantifiers, $Q_k \in \{\forall, \exists\}$, $k \in \{1, \ldots, n\}$; $x_1, \ldots, x_n, y_1, \ldots, y_n$ be different subject variables and $D_i$ be the range of $x_i$ and $y_i$ for $i \in \{1, \ldots, n\}$. Also let $g(x_1, \ldots, x_n)$ be a function in the variables $x_1, \ldots, x_n$ with a range , $k_0 \in \{1, \ldots, n\}$, and $Q_{k_0} = \forall$. Finally, let $f : \ \to D_{k_0}$ denote an arbitrary function with the domain and the range $D_{k_0}$. Consider a logical formula

$$Q_1x_1Q_2x_2\ldots Q_nx_n\big(f(g(x_1,x_2,\ldots,x_n)) = x_{k_0}\big) \qquad (1)$$

in the normal form, that is, with the quantifier prefix $Q_1x_1Q_2x_2\ldots Q_nx_n$ and an underlying equality $f(g(x_1,x_2,\ldots,x_n)) = x_{k_0}$ without quantifiers.

Lemma 1. In the case $Q_1 = \ldots = Q_n = \forall$, the function $f$ with the property (1) exists if and only if

$$\forall x_1\ldots\forall x_n\forall y_1\ldots\forall y_n\big(x_{k_0} \neq y_{k_0} \Rightarrow g(x_1,\ldots,x_n) \neq g(y_1,\ldots,y_n)\big). \qquad (2)$$

Proof. Necessity. Take any $x_1, \ldots, x_n, y_1, \ldots, y_n$, where $x_{k_0} \neq y_{k_0}$. By the condition (1), $f(g(x_1,x_2,\ldots,x_n)) \neq f(g(y_1,y_2,\ldots,y_n))$. Therefore, in view of the functionality of $f$, we obtain $g(x_1,\ldots,x_n) \neq g(y_1,\ldots,y_n)$.

Sufficiency. For any $x_1, \ldots, x_n$, let $f(g(x_1,x_2,\ldots,x_n)) = x_{k_0}$. This definition of $f$ is correct since, by the condition (2), if for some $x_1, \ldots, x_n, y_1, \ldots, y_n$ the equality $g(x_1,x_2,\ldots,x_n) = g(y_1,y_2,\ldots,y_n)$ holds, then $x_{k_0} = y_{k_0}$. ■

Taking in Lemma 1 $n = 3$, $x_1 = q$, $x_2 = \alpha$, $x_3 = \delta$, $y_1 = s$, $y_2 = \beta$, $y_3 = \varepsilon$, $g(x_1,\ldots,x_n) = (\bar\varphi(\alpha\delta,q), u(q,\alpha,\delta))$, $g(y_1,\ldots,y_n) = (\bar\varphi(\beta\varepsilon,s), u(s,\beta,\varepsilon))$, and $k_0 = 2$, $x_{k_0} = \alpha$, $y_{k_0} = \beta$, we get

Proposition 1. The automaton $A$ is invertible of the type $(\forall q\forall\alpha\forall\delta, u(q,\alpha,\delta))$, that is,

$$\exists f\,\forall q\,\forall\alpha\,\forall\delta\,\big(f(\bar\varphi(\alpha\delta,q), u(q,\alpha,\delta)) = \alpha\big)$$

if and only if

$$\forall q\,\forall\alpha\,\forall\delta\,\forall s\,\forall\beta\,\forall\varepsilon\,\big(\alpha \neq \beta \Rightarrow (\bar\varphi(\alpha\delta,q), u(q,\alpha,\delta)) \neq (\bar\varphi(\beta\varepsilon,s), u(s,\beta,\varepsilon))\big).$$
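The test of Proposition 1 can be run by brute force on small automata. The following is an added example, not code from the paper: it checks the condition only for prefixes of length at most `max_n` (prefixes of different lengths give outputs of different lengths, so only equal lengths need comparing), and it builds the recovering function $f$ as a lookup table in the way the sufficiency part of Lemma 1 defines it. The bound `max_n`, the two toy automata `DELAY` and `XOR`, and all function names are assumptions of this example.

```python
from itertools import combinations, product

class Mealy:
    """Finite automaton A = (X, Q, Y, psi, phi) given as lookup tables."""
    def __init__(self, X, Q, psi, phi):
        self.X, self.Q, self.psi, self.phi = X, Q, psi, phi

    def run(self, word, q):
        """Extended functions: (phi_bar(word, q), list of states visited from q)."""
        out, states = [], [q]
        for x in word:
            out.append(self.phi[(x, q)])
            q = self.psi[(x, q)]
            states.append(q)
        return tuple(out), states

# The 16 invertibility orders of the set V: every subset of {q, theta, t, delta}.
NAMES = ("q", "theta", "t", "delta")
ORDERS = [c for r in range(5) for c in combinations(NAMES, r)]

def observation(A, q, alpha, delta, order):
    """The pair (phi_bar(alpha delta, q), u(q, alpha, delta)) seen by the cryptanalyst."""
    gamma, states = A.run(alpha + delta, q)
    known = {"q": q, "theta": states[len(alpha)], "t": states[-1], "delta": delta}
    return gamma, tuple(known[name] for name in order)

def recovering_table(A, tau, n, order=()):
    """Build f: observation -> alpha for prefixes of length n.
    Returns None when two different prefixes share an observation,
    i.e. when the condition of Proposition 1 fails at this length."""
    f = {}
    words = product(A.Q, product(A.X, repeat=n), product(A.X, repeat=tau))
    for q, alpha, delta in words:
        obs = observation(A, q, alpha, delta, order)
        if f.setdefault(obs, alpha) != alpha:
            return None
    return f

def invertible(A, tau, order=(), max_n=5):
    """Bounded check of type (forall q, forall alpha, forall delta; order)."""
    return all(recovering_table(A, tau, n, order) is not None
               for n in range(1, max_n + 1))

def invertible_orders(A, tau, max_n=5):
    """All orders u in V for which the bounded check passes."""
    return {u for u in ORDERS if invertible(A, tau, u, max_n)}

def binary_automaton(next_state, output):
    """Constructed sample automata over X = Q = Y = {0, 1}."""
    X = Q = (0, 1)
    psi = {(x, q): next_state(x, q) for x in X for q in Q}
    phi = {(x, q): output(x, q) for x in X for q in Q}
    return Mealy(X, Q, psi, phi)

# Unit delay register: the output is the previous input symbol.
DELAY = binary_automaton(lambda x, q: x, lambda x, q: q)
# Differential encoder: the output is the input xor the previous input symbol.
XOR = binary_automaton(lambda x, q: x, lambda x, q: x ^ q)

if __name__ == "__main__":
    for name, A in (("DELAY", DELAY), ("XOR", XOR)):
        for tau in (0, 1):
            ok = invertible_orders(A, tau)
            print(name, "tau =", tau, "| strong:", () in ok,
                  "| weak:", ("q",) in ok, "| orders passing:", len(ok))
    # Recover a prefix of XOR from the output and the final state t only.
    f = recovering_table(XOR, tau=0, n=4, order=("t",))
    alpha = (1, 0, 1, 1)
    print(f[observation(XOR, 1, alpha, (), ("t",))] == alpha)
```

`DELAY` fails the strong test with delay 0 and passes it with delay 1, while `XOR` never passes the strong test but passes with any order that fixes one state, which shows orders other than $\varnothing$ and $\{q\}$ doing real work.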

Lemma 2. For any true quantifier logic formulas in a normal form

$$Q_1z_1\ldots Q_mz_m A(z_1,\ldots,z_m) \quad\text{and}\quad R_1z_1\ldots R_mz_m B(z_1,\ldots,z_m),$$

where $Q_i, R_i \in \{\forall, \exists\}$ and $Q_iR_i \neq \exists\exists$ for every $i \in \{1, \ldots, m\}$, there exist some values $c_1, \ldots, c_m$ of the variables $z_1, \ldots, z_m$ respectively such that $A(c_1,\ldots,c_m) = B(c_1,\ldots,c_m) = \text{true}$.

Proof. Applying the induction scheme by integer $t \geqslant 1$, we will show that for any such integer $t \leqslant m$ the equalities $Q_{t+1}z_{t+1}\ldots Q_mz_m A(c_1,\ldots,c_t,z_{t+1},\ldots,z_m) = R_{t+1}z_{t+1}\ldots R_mz_m B(c_1,\ldots,c_t,z_{t+1},\ldots,z_m) = \text{true}$ take place, and under $t = m$ we will obtain the statement of the lemma.

For $t = 0$, the equality under proof is true by the condition. Assuming that it is true for any $t \leqslant j$, where $j$ is an integer and $0 \leqslant j < m$, and taking as $c_{j+1}$ any value of the variable $z_{j+1}$ in the case $Q_{j+1} = R_{j+1} = \forall$, and a value of $z_{j+1}$ under which $Q_{j+2}z_{j+2}\ldots Q_mz_m A(c_1,\ldots,c_{j+1},z_{j+2},\ldots,z_m) = \text{true}$ or $R_{j+2}z_{j+2}\ldots R_mz_m B(c_1,\ldots,c_{j+1},z_{j+2},\ldots,z_m) = \text{true}$ in the case $Q_{j+1} = \exists$ or $R_{j+1} = \exists$ respectively, we obtain that it is also true for $t = j + 1$. ■

Lemma 3. For any function $g$, if there exists a function $f$ with the property (1), then

$$Q_1x_1\ldots Q_nx_nQ_1y_1\ldots Q_ny_n\big(x_{k_0} \neq y_{k_0} \Rightarrow g(x_1,\ldots,x_n) \neq g(y_1,\ldots,y_n)\big). \qquad (3)$$

Proof. The formulas

$$Q_1x_1\ldots Q_nx_n\big(f(g(x_1,\ldots,x_n)) = x_{k_0}\big), \quad Q_1y_1\ldots Q_ny_n\big(f(g(y_1,\ldots,y_n)) = y_{k_0}\big)$$

are equivalent. Therefore, by the condition (1),

$$Q_1x_1\ldots Q_nx_n\big(f(g(x_1,\ldots,x_n)) = x_{k_0}\big)\ \&\ Q_1y_1\ldots Q_ny_n\big(f(g(y_1,\ldots,y_n)) = y_{k_0}\big).$$

Hence,

$$Q_1x_1\ldots Q_nx_nQ_1y_1\ldots Q_ny_n\big(f(g(x_1,\ldots,x_n)) = x_{k_0}\ \&\ f(g(y_1,\ldots,y_n)) = y_{k_0}\big). \qquad (4)$$

Suppose the statement (3) is false and its negation, that is, the following statement, is true:

$$Q_1'x_1\ldots Q_n'x_nQ_1'y_1\ldots Q_n'y_n\big(x_{k_0} \neq y_{k_0}\ \&\ g(x_1,\ldots,x_n) = g(y_1,\ldots,y_n)\big), \qquad (5)$$

where, for any $j \in \{1, \ldots, n\}$, the symbol $Q_j'$ is the dual quantifier, namely $\forall' = \exists$ and $\exists' = \forall$. By Lemma 2 applied to the formulas (4) and (5), there exist values $a_1, \ldots, a_n$ of the variables $x_1, \ldots, x_n$ and values $b_1, \ldots, b_n$ of the variables $y_1, \ldots, y_n$ respectively such that $f(g(a_1,\ldots,a_n)) = a_{k_0}$, $f(g(b_1,\ldots,b_n)) = b_{k_0}$ and $a_{k_0} \neq b_{k_0}$, $g(a_1,\ldots,a_n) = g(b_1,\ldots,b_n)$. A contradiction is obtained, namely: from one side, $a_{k_0} \neq b_{k_0}$; from another one, $a_{k_0} = f(g(a_1,\ldots,a_n)) = f(g(b_1,\ldots,b_n)) = b_{k_0}$. ■

Let $x_1, x_2, x_3$ and $y_1, y_2, y_3$ be the different variables from the sets $\{q, \alpha, \delta\}$ and $\{s, \beta, \varepsilon\}$ respectively such that if $x_i$ is $q$, $\alpha$ or $\delta$, then $y_i$ is $s$, $\beta$ or $\varepsilon$ respectively, $Q_i \in \{\forall, \exists\}$, and if $x_i = \alpha$, then $Q_i = \forall$, $i = 1, 2, 3$.

Proposition 2. If an automaton $A$ is invertible of any type $(Q_1x_1Q_2x_2Q_3x_3, u(q,\alpha,\delta))$, that is, $\exists f\,Q_1x_1Q_2x_2Q_3x_3\big(f(\bar\varphi(\alpha\delta,q), u(q,\alpha,\delta)) = \alpha\big)$, then

$$Q_1x_1Q_2x_2Q_3x_3Q_1y_1Q_2y_2Q_3y_3\big(\alpha \neq \beta \Rightarrow (\bar\varphi(\alpha\delta,q), u(q,\alpha,\delta)) \neq (\bar\varphi(\beta\varepsilon,s), u(s,\beta,\varepsilon))\big).$$

Proof. Proposition 2 follows from Lemma 3 in the same way as Proposition 1 follows from Lemma 1. ■

REFERENCES

1. Huffman D. A. Canonical forms for information-lossless finite-state logical machines. IRE Trans. Circuit Theory, 1959, vol.6, Spec. Suppl., pp. 41-59.

2. Huffman D. A. Notes on information-lossless finite-state automata. Nuovo Cimento, 1959, vol. 13, Suppl. 2, pp. 397-405.

3. Gill A. Introduction to the Theory of Finite-State Machines. N.Y., McGraw-Hill Book Company, 1962. 300 p.

4. Even Sh. On information-lossless automata of finite order. IEEE Trans. Electron. Comput., 1965, vol.14, no. 4, pp. 561-569.

5. Kurmit A. A. Information Lossless Automata of Finite Order. N.Y., John Wiley Publ., 1974.

6. Zakrevskiy A. D. Metod avtomaticheskoy shifratsii soobshcheniy [The method for messages automatic encryption]. Prikladnaya Diskretnaya Matematika, 2009, no.2(4), pp. 127-137. (in Russian)

7. Agibalov G. P. Konechnye avtomati v kriptografii [Finite automata in cryptography]. Prikladnaya Diskretnaya Matematika. Prilojenie, 2009, no. 2, pp. 43-73. (in Russian)

8. Dai Z. D., Ye D. F., and Lam K. Y. Weak invertibility of finite automata and cryptanalysis on FAPKC. LNCS, 1998, vol.1514, pp. 227-241.

9. Tao R. Finite Automata and Application to Cryptography. N.Y., Springer, 2009. 406 p.
