A new Cryptosystem based on Formal Language Theory

Transcription

1 A new Cryptosystem based on Formal Language Theory by Mircea Andrasiu, Adrian Atanasiu, Gheorghe Paun, Arto Salomaa Abstract. A classical cryptosystem and a public-key cryptosystem are proposed, based on the passing from a string of production labels (embedding in some way the message to be encrypted) to the string generated by the grammar by a (leftmost) derivation with that given control word (thus obtaining the cyphertext). Some problems of formal language theory appearing in this framework are discussed. 1 Introduction The ciphering - deciphering operations are, generally speaking, operations on strings over given alphabets, hence they can be considered to be formal language theory operations. Moreover, certain concrete steps and questions appearing in this framework have precise formal language theory counterparts (letter substitutions in Caesar systems are morphisms, even codings, the Richelieu systems are based on shuffle operations [2], the Cardano systems with an auto-modified key can be simulated by a gsm [1], the system can be context - free or context sensitive, the deciphering can be ambiguous or not, the complexity of cryptanalysis is often related to the membership complexity for given classes of languages and so on). In this context, it is somewhat surprising that the formal language theory is not more involved in this field. Of course, there are probably about a dozen of papers dealing with formal language theory and cryptography, but compared to the huge bibliography of number - theoretic cryptography, for instance, this seems to be unmotivatedly small. In short, we believe that formal language theory has rich unexplored resources, which could be used in cryptography (and conversely, by such applications new problems can appear, offering further developments of the theory). The aim of the present paper is to contribute to the strengthening of the bridge between formal language theory and cryptography, by proposing both a classical system (with secret enciphering - deciphering key and algorithms) and a public - key system. The starting point is the next two remarks: 1

2 1. Given a grammar G, with the rules labelled by symbols in a set Lab, and a given string x Lab, a derivation in G with the control word x is easy to construct (if exists); a string y in L(G) is found in this way, related to x. Conversely, given a string y L(G), to find a control word x associated to a derivation of y in G is a hard operation. 2. The parsing with respect to context - free grammars can be done in polynomial time (in O(n 3 )), but the membership is not decidable for 0 - type grammars and N P - complete for context sensitive grammars. The situation is similar in factorization: it is easy to multiply numbers, but it is hard to factor them. 2 Notations Before implementing the previous remarks in a cryptosystem, we specify some formal language theory notations. V the free monoid generated by the alphabet V ; λ the null element of V (V + = V \ {λ}); x the length of x V ; ( λ = 0); alph(x) the set of symbols appearing in x; G = (V N, V T, S, P ) a Chomsky grammar (V G = V N V T ); Sz(u v) the control word of the leftmost derivation u v; Sz left (G) the set of control words associated to all leftmost derivations in G; G left (x) the string generated by a leftmost derivation in G with control word x, if such derivation exists; undefined otherwise; Shuf(x, y) = {x 1 y 1 x 2 y 2... x n y n n 1, x i, y i V, x = x 1 x 2... x n, y = y 1 y 2... y n }. A context - free grammar G = (V N, V T, S, P ) is reduced if for all A V N there is a derivation S uav uwv, u, v, w VT. All grammars used in this paper are supposed to be reduced. Other notions and notations in formal language theory we shall use are supposed to be known, for instance, from [7]. 3 A classical cryptosystem Assume we have a context - free grammar G = (V N, V T, S, P ), known to be users of a cryptosystem, but kept secret from the illegal users. Let Lab be the set of labels of rules in P Lab = {r 1,..., r n }. The labelling mapping, φ : P Lab, is not necessarily one-to-one. Assume a string x (a phrase in English) is to be encrypted. By a given one-to-one coding (also known to the users of the system), h : V E lab; V E 2

3 the English alphabet (possibly including other symbols, punctuation marks, space, digits) we pass from x to x = h(x) Lab. (Clearly, we must have card(v E ) card(lab)). Construct the string y = G left (x ) if exists. This is the encryption of x; it is transmitted to the receiver. The receiver parses y with respect to G, thus finding a control word z associated to a leftmost derivation in G, then applies h 1 to z and finds z = h 1 (z). If the grammar G is unambiguous, then z = x, hence z = x and the deciphering is uniquely completed. In fact, for x an English phrase, when G is ambiguous, it is highly probable that only one control word x obtained by parsing y in G leads by h 1 to a correct English phrase and this must be the plaintext message x. The main problem in constructing such a system is to have a grammar G such that either, for all x Lab, there is an y L(G), y = G left (x), or at least, for x in a given large enough subset T of Lab, to have this property (all or at least a significantly large set of messages can be encrypted using a given grammar G). We say that such a grammar G is total (T - total respectively). When having such a grammar, the encryption is a very simple operation; it can be done in linear time. Also the deciphering is easy, as it can be done in at most cubic time (we can take G even LL, LR or other type of grammars, in order to make the work of receiver easier). What about the security of the system? The key consist of the grammar G, its labelling φ and the coding h. The coding simple renames symbols, hence is vulnerable to frequency based attacks; also φ, depending on the shape of rules, can be viewed as a somewhat simple substitution; if this is not the case, we can think that we have (card(lab)) card(p ) labelling possibilities. The main part of the key is the grammar G. Knowing the ciphering (type of) algorithm and a (long enough) ciphertext y, the cryptanalyst s intuitive strategy is to build systematically grammars until reaching the right one, G, thus finding the encrypted message. But, what means systematically? For instance, one can generate all grammars with increased cardinality of V N, starting from V N = {S}, with card(v T ) = alph(y), and in the increased order of the total number of symbols used when writing the set of productions (the parameter Symb in [3]). However, before reaching G, one has to check all grammars G, with Symb(G ) < Symb(G), hence at least (card(v G )) Symb(G) 1 grammars. The problem is (intuitively) intractable (in this way). Returning to the question of finding total grammars, as formulated before, the definition seems to be too restrictive (if the labelling is one-to-one, no grammar is total: bb, for b the label of a terminal rule, cannot be in Sz left (G)), but T total grammars are easy to find, for large sets T. For example, take a context - free grammar G = (V N, V T, S, P ) with V N = {S} and infinite L(G). Each string in Lab 1 where Lab 1 is the set of labels of nonterminal rules in P, can be the control word of a (partial) derivation in G; each such a derivation 3

4 can then be finished by using terminal rules in P. Such a separation of nonterminal and terminal rules in a leftmost derivation (we call it an NT - derivation) is, however, a very strong restriction, which, intuitively, decreases the safety of the system. Indeed, given a context - free grammar G, define L NT (G) = {x VT w 1 w 2 = x, where S w 1 is a leftmost derivation using only nonterminal rules, and w 2 uses only terminal rules } w 1 We have Proposition 1 1. L NT (G) L(G) for all context - free G; 2. L NT = L(G) for all linear G; 3. L NT (G) is linear language, for G context - free. Proof: Only (3) needs some arguments. Take G = (V N, V T, S, P ) and construct G = (V N, V T, S, P ), with P = {A x A x is linear rule in P } {A x 1 A 1 x 2 y 2 x 3... x n y n x n+1 A x 1 A 1 x 2 A 2 x 3... x n A n x n+1 P, n 2, A i V N, x VT for all i, and A i y i are terminal rules in P i, 1 i n}. We have L NT (G) = L(G ); indeed, given a nonterminal rule A x 1 A 1 x 2 A 2 x 3... x n A n x n+1, using it in leftmost manner and separated from terminal rules, only the first nonterminal in its right-hand member, A 1 can be rewritten by a nonterminal rule; the other symbols A 2,..., A n will be replaced by terminal strings, using terminal rules in P. On the other hand, this (intuitive) loss of safety when considering only NT - derivation is somewhat compensed by the fact that even for ambiguous context - free grammars G, the strings in L NT (G) can be generated unambiguously (we say that G is NT - unambiguous). Proposition 2 There are ambiguous context - free grammars which are NT - unambiguous. Proof: Consider, for example, the grammar G = ({S}, {a, b}, S, P ), with the rules SS SaS, S bss, S b It is ambiguous, as for the string bbab we have two leftmost derivations: S bss bbs bbsas bbbas bbbab S SaS bssas bbsas bbbas bbbab

5 Only the second derivation is a NT - derivation. In general, for each string in L NT (G) we have only one NT - derivation. Indeed, to each nonterminal leftmost derivation in G corresponds a nonterminal derivation in the associated linear grammar with the rules S Sab, S bsb, S b (see the previous assertion (3)) and this linear grammar is unambiguous (each nonterminal rule applied to some string xsy leads to a different terminal string). Remark 1 Observe that in each case the number of rules in the associated linear grammar equals the number of rules in the original grammar; this is due to the fact that there is only one terminal rule. Sometimes the language L NT (G) in much simpler than L(G). For instance, the Dyck language over two letters, D a,b is generated by the grammar ({S}, {a, b}, S, P ) with the rules S asb, S SS, S λ. The associated grammar G has the rules S asb, S S, S λ. Hence, L NT (G) = {a n b n n 0}. Both grammars are unambiguous if the redundant rule s S is removed. In general, (2) and (3) in Proposition 1 show that the family of languages of the form L NT (G) equals the family of linear languages. In fact, the following stronger result can be obtained: Proposition 3 The family of linear languages is equal to the family of languages L NT (G), for G context - free grammars with L(G) non - linear language. Proof: In view of Proposition 1, we have only one inclusion to prove. For, let G = (V N, V T, S, P ) be a linear grammar; take S 1, S 2 V N, a, b V T and consider the grammar with G = (V N {S 1, S 2 }, V T {a, b}, S 1, P ) P = P {S a SS 2, S 2 as 2 b, S 2 S 2 S 2, S 2 λ) Clearly, L(G ) is not linear (we have L(G ) = L(G)D a,b ) and L NT (G ) = L(G) (we start by S 1 SS 2, but S 2 can only produce the string λ). A useful modification of the previous cryptosystem is the next one. Start as above by the string x VE, encode it by h : V E Lab, but take G and Lab in such a way that card(lab) > card(v E ). For a string x 0 (Lab \ 5

6 h(v E )), consider the set Shuf(h(x), x 0 ), as well the morphism h : Lab Lab, h (r) = r, r h(v E ), h (r) = λ, r Lab \ h(v E ). Clearly, it is enough to find a string x Shuf(h(x), x 0 ) for which y = G left (x ) there exists.the receiver has to parse y, apply h in order to remove the dummy symbols in Lab \ h(v E ) and h 1 in order to find the message x. Now, we have more possibilities to find a derivation in G associated to a given string of labels and, moreover, we can take the dummy string x 0 in such way to increase these possibilities. The binary case Another interesting case, related to previous modification, is to have only binary messages to be encrypted (possibly as a first encoding of a message in a natural language). Starting from such a message x {0, 1}, we associate 0 with some label r 1 and 1 with some label r 2, then shuffle the obtained string with some x 0 (Lab \ {r 1, r 2 }) and proceed as above. (Possibly, 0 and 1 may be both associated to more labels). In this case, the message has no redundance, hence the decryption must be unique, that is the grammar G must be unambiguous (NT - unambiguous, when using only NT - derivations). Increased possibilities to find suitable grammar G are obtained in this case, as we need G to be only (0, 1) - total, that is to have G(Sz left (G)) {0, 1} + for g : Lab {0, 1} a morphism such that g(r 1 ) = 0, g(r 2 ) = 1, g(r) = λ, r Lab \ {r 1, r 2 }, for given r 1, r 2 Lab. Before considering an example, let us remark that the encrypted message is linearly bounded with respect to the plaintext, providing the message is shuffled with a dummy string x 0 of linearly bounded length with respect to x, x 0 c x ; indeed, y c ( x + x 0 ) c ( x + c x ), c = max{ z A z is a rule of G}. Example 1 Consider the grammar G = ({S, A, B}, {a, b, c}, S, P ) with the next rules (we also specify their labels): r 1 : S asb r 3 : A aab r 5 : B AB r 2 : S cab r : A c r 6 : B c This is a (0, 1) - total grammar as we can take g(r 3 ) = 0, g(r 5 ) = 1. Indeed, each string in the next set corresponds to a leftmost derivation in G: T = r1r 2 (r3r (r 5 r ) r 5 ) r3r r 6 and g(t ) = {0, 1} ; in fact, Sz left (G) = T, as the reader can verify, and L(G) = {a j ca i 1 cb i 1 a i 2 cb i 2... a i k cb i k j 0, k 1, i s 0 (1 s k)} 6

7 Consider now a message to be encrypted, say x = We choose a string x T such that g(x ) = x for g(r 1 0 = g(r 2 ) = g(r ) = g(r 6 ) = λ, g(r 3 ) = 0, g(r 5 ) = 1, for example x = r1r 3 2 r r 5 r 3 r 3 r r 2 r 5 r r 5 r 3 r r 5 r r 5 r r 6 (we have x Shuf(r 5 r 3 r 3 r 5 r 5 r 3 r 5 r 5, r1r 3 2 rr 6 6 )). According to x, we have the next derivation in G: S r 1 asb r 1 a 2 Sb 2 r 1 a 3 Sb 3 r 2 a 3 cabb 3 r a 3 ccbb 3 r 5 a 3 ccabb 3 r 3 a 3 ccaabbb 3 r 3 a 3 cca 2 Ab 2 Bb 3 r a 3 cca 2 cb 2 Bb 3 r 5 a 3 cca 2 cb 2 ABb 3 r a 3 cca 2 cb 2 cbb 3 r 5 a 3 cca 2 cb 2 cabb 3 r 3 a 3 cca 2 cb 2 caabbb 3 r a 3 cca 2 cb 2 cacbbb 3 r 5 a 3 cca 2 cb 2 cacbabb 3 r a 3 cca 2 cb 2 cacbcbb 3 r 5 a 3 cca 2 cb 2 cacbcabb 3 r a 3 cca 2 cb 2 cacbccbb 3 r 6 a 3 cca 2 cb 2 cacbcccb 3 = a 3 c 2 a 2 cb 2 cacbc 3 b 3 = y This string y is transmitted to the receiver. The receiver parses y according to G and, as G is unambiguous (easy to verify), recovers the string x ; applying g to x, one finds x, the message. More problems seem to be both practically and theoretically important in this framework: (Q 1 ) : It is decidable whether an arbitrary context - free grammar G (with labelled rules) is (0, 1) - total? (Q 2 ) : It is decidable whether for arbitrary x {0, 1} and arbitrary (not necessarily (0, 1) - total) context - free grammar G we have x g(sz left (G)), for some g : Lab {0, 1} as above? (Q 3 ) : Is there an algorithm such that, for given x {0, 1} and a (0, 1) - total grammar G, produces a string x Sz left (G) such that x = g(x )? We solve here these problems (the first one only partially). For (Q 1 ), we ave to decide whether g(sz left (G)) \ {λ} = {0, 1} + ; the equivalence of a context - free grammar with a regular grammar is undecidable for arbitrary grammars, but in our case we have: Proposition It is decidable whether a context - free grammar with one - to - one labelling of rules is (0, 1) - total. Proof: Let G = (V N, V T, S, P ) be a reduced context - free grammar with rules labelled in a one-to-one manner by symbols in a set Lab, let c 1, c 2 V T be two symbols and let r 1 : A 1 x 1, r 2 : A 2 x 2 be two rules in P. Consider the grammar (depending on r 1, r 2 ) G = (V N, V T, S, P ) with P = P {c 1, c 2 }, P = (P \ {A 1 x 1, A 2 x 2 }) {A 1 c 1 x 1, A 2 c 2 x 2 } We assume A 1 c 1 x 1, A 2 c 2 x 2 are also labelled by r 1, r 2 respectively. For given X V N define also the grammar G X = (V N, V T, X, P ). 7

8 We consider now the next six properties (predicates): P 1. L(G ) VT {c 1 }VT = P 2. L(G ) VT {c 2 }VT = P 3. L(G A 1 ) {c 1 }VT {c 1 }VT = P. L(G A 1 ) {c 1 }VT {c 2 }VT = P 5. L(G A 2 ) {c 2 }VT {c 2 }VT = P 6. L(G A 2 ) {c 2 }VT {c 1 }VT = All these properties are decidable (the emptiness is decidable for context - free languages). Take the morphism g : Lab {0, 1} defined by g(r 1 ) = 0, g(r 2 ) = 1, g(r) = λ, r Lab \ {r 1, r 2 }. Assertion: g(sz left (G)) {0, 1} + if and only if all predicates P 1 P 6 are false. Indeed, if P 1 is true, then 0 g(sz left (G)) (there is no derivation using one time r 1 and never using r 2 ); similarly, 1, 00, 01, 11, 10 are not in g(sz left (G)) when P 2, P 3, P, P 5 and P 6 are true, respectively. Conversely, assume all P 1 P 6 are false (hence the corresponding intersections are non-empty). Observe that Sz left (G) = Sz left (G ). We shall prove that g(sz left (G)) {0, 1} + The inclusion is obtained by induction. From P 1, P 2 being false, it follows that 0, 1 g(sz left (G)). Assume all z {0, 1} +, z k, k > 1 are in g(sz left (G)) and take z {0, 1} +, z = k + 1. Assume z = z 0; the case z = z 1 is analogous. From the induction hypothesis we have z g(sz left (G)). Case 1: z = z 0. There is a leftmost derivation in G of the form S u 1 A 1 u 2 u 1 c 1 x 1 u 2 u 1 c 1 wu 2 with u 1, w, u 2 V T, u 2 VG, g(sz(s u 1 A 1 u 2 )) = x, and g(sz(u 1 c 1 u 2 u 1 c 1 wu 2)) = λ. From P 3 being false, it follows that a derivation A 1 c 1 v 1 A 1 v 2 c 1 v 1 c 1 v 3 v 2 is possible in G, v 1, v 3, v 2 VT, v 2 VG, A 1 c 1 v 3, v 2 v 2. Thus we can construct the derivation S u 1 A 1 u 2 u 1 c 1 v 1 A 1 v 2 u 2 u 1 c 1 v 1 c 1 x 1 v 2 u 2 u 1 c 1 v 1 c 1 wv 2u 2 Clearly, the g - image of the control word of this derivation is z 00 = z 0 = z, hence z g(sz left (G)). 8

9 Case 2: z = z 1. There is a leftmost derivation in G of the form S u 1 A 2 u 2 u 1 c 2 x 2 u 2 u 1 c 2 wu 2 with u 1, w, u 2 V T, u 2 VG, g(sz(s u 1 A 2 u 2 )) = z, and g(sz(u 1 c 2 x 2 u 2 u 1 c 2 wu 2))λ. From P 6 being false, there is a derivation A 2 c 2 v 1 A 1 v 2 c 2 v 1 c 1 v 3 v 2 with v 1, v 3, v 2 VT, v 2 VG, A 1 c 1 v 3, v 2 v 2. Thus we can construct the derivation S u 1 A 2 u 2 u 1 c 2 v 1 A 1 v 3 v 2 u 1 c 2 v 1 c 1 v 3 v 2u 2 with the g - image of the control word z 10 = z 0 = z. Therefore, z g(sz left (G)). In conclusion, the grammar G is (0, 1) - total if and only if there are two rules r 1 : A 1 x 1, r 2 : A 2 x 2 in P, g(r 1 ) = 0, g(r 2) = 1, g(r) = λ, r Lab \ {r 1, r 2 }, for which all properties P 1 P 6 are false. The set P of rules in G is finite, hence the proposition follows. The case of arbitrary labelling remains open. Proposition 5 The answer to problem (Q 2 ) is affirmative. Proof: The language Sz left (G) is context - free (and a grammar to it can be effectively constructed starting from a context - free grammar G). Given a context - free grammar G, there are finitely many morphisms g : Lab {0, 1} with g(r 1 ) = 0, g(r 2 ) = 1, g(r) = λ for all r Lab \ {r 1, r 2 } (we have (card(lab)(card(lab) 1) such morphisms). For each morphism g of this type, consider the language g(sz left (G)). It is context - free, hence it is decidable whether a given x {0, 1} is in g(sz left (G)) or not (and this can be done in polynomial time). Proposition 6 The answer to problem Q 3 is affirmative. Proof: Let Lab be a set of labels for the rules in G = (V N, V T, S, P ) and let g : Lab {0, 1} be a given morphism associating 0, 1 with the rules in G. The language L 1 = g 1 ({x}) is regular and a finite automaton A 1 for L 1 can be effectively constructed. For the grammar G we can construct G = (V N, Lab, S, P ), with P = {B rh(x) r : B x P, B V N, x V G} 9

10 where h : V G V N is defined by h(x) = X X V N, h(a) = λ, a V T. We have L(G ) = Sz left (G) A grammar G for the intersection L 1 Sz left (G) can be effectively constructed starting from the automaton A and the grammar G (the classical triple construction). Having G, to find a derivation in G producing a non-empty string y is algorithmically possible (explore the finite set of non-recurrent derivations, for example); for the string y we have x = g(y), hence the construction works. Some further remarks about (0, 1) - totalness question are worth mentioning, taking into account the importance of this notion for the above type of cryptosystems. Proposition 7 For each infinite context - free language L there is a (0, 1) - total grammar G generating L. Proof: Take a grammar G = (V N, V T, S, P ) generating L. As L is infinite, there is A V N such that a (not necessarily leftmost) derivation A uav uwv is possible in G, u, v, w V T, uv λ. We construct the grammar G = (V N {B}, V T, S, P ) with P = P {A uav ubv w, B uav ubv w}. Clearly L(G) = L(G ) = L and G is (0, 1) - total taking r 1 : A uav, r 2 : B ubv, g(r 1 ) = 0, ; g(r 2 ) = 1, g(r) = λ for all r {r 1, r 2 }. Unfortunately, the previous construction leads to an ambiguous grammar G (for example A uav uwv and A ubv uwv). This drawback can be avoided if we modify the generated language too. Proposition 8 Let G be an unambiguous context - free grammar generating an infinite language. There is an unambiguous (0, 1) - total context - free grammar G generating a language L(G) Shuf(L(G ), {c, d} ) such that L(G ) = h(l(g)), with h the morphism erasing c, d (c, d are new symbols). Proof: Take G = (V N, V T, S, P ). As L(G ) is infinite, there are derivations A + uav, a + w, u, v, w VT, uv λ, as in previous proof. We construct G = (V N {B}, V T {c, d}, S, P ) P = P {A ucbcv, B udbdv, B db, B w}, the new rules being labelled by r 1, r 2, r 3, r respectively. Taking g(r 2 ) = 0, g(r 3 ) = 1, g(r) = λ, r {r 2, r 3 }, one can easily see that G is (0, 1) - total. The 10

11 grammar G is unambiguous. Indeed, G is unambiguous; no different derivation using rules r 1 r can generate the same string (assume, without loss of generality, that u λ; in a string generated by rules r 1 r, starting from A or from B, the occurrence of uc identifies the use of r 1, each occurrence of ud identifies the use of r 2, whereas a substring dd points to a use of r 3 ). No two different derivations using both rules in P and rules r 1 r can generate the same string (each pair of occurrences of the symbol c identifies a symbol A rewritten by r 1 ; a string in (V N V T ) has an unique derivation in G ; from each A we generate a string bounded by parentheses uc, cv etc). In conclusion, G is unambiguous (hence it can be incorporated in a cryptosystem as above). Remark 2 Before closing this section, let us remark that the previous cryptosystem is similar in some extent to that consider in [9], [10] and investigated in [], [5]: here we deal with a Chomsky grammar G with labelled rules, in [9], [10] one takes a T OL (or a DT OL) system which is used in a similar way, assuming its tables labelled (the tables are total by definition, hence the T OL/DT OL system is total, the backward determinism corresponds to unambiguity and so on). 5 A public - key cryptosystem How to design a public - key cryptosystem based on the previous enciphering algorithm? The problem is to publicize the grammar G and its labelling without compromising the secretness of the message. An idea could be to take G non-context - free grammar. Then the cryptanalysis will be either non-algorithmic or at least N P - complete. But it is similarly complex for the legal receiver too. We need a trapdoor, which could allow the receiver to parse easier the encrypted string (for example, at the context - free level). Thus the problem becomes: how to have a grammar of an arbitrary type of encrypting and a context - free one for decrypting? The arbitrary grammar will be publicized, the context - free one will be kept secret, as a trapdoor. The idea is the same as for systems based on hiding regular languages [6],[3], but the implementation is different, namely it is based on the existence of nice pairs of grammars, considered below (moreover, the enciphering is done by passing from a control word to the word generated by the associated leftmost derivation, not as in [6],[3]. Two grammars G i = (V N,i, V T,i, S i, P i ), i = 1, 2 with labelled rules φ i : P i Lab i, i = 1, 2 constitute a nice pair if there are morphisms h : V V T,2, h : Lab 1 Lab 2 with h (r) Lab 2 {λ} for each r Lab 1 and 1. h(l(g 1 )) L(G 2 ); 2. for each x Sz left (G 1 ) we have h(g 1,left (x)) = G 2,left (h (x)). T,1 11

12 A nice pair of grammars as above is called useful if: 3. G 1 is non-context - free, whereas G 2 is context - free and unambiguous;. both G 1 and G 2 are (0, 1) - total and r 1, r 2 Lab 1 are associated to symbols 0, 1 in G 2 (G 1, G 2 are (0, 1) - total with this assignment of 0, 1 to labels of their rules). Having a useful nice pair of grammars, G 1, G 2, with labelling mappings φ 1, φ 2, the morphisms h, h and the assignment mapping g : Lab 1 Lab 2 {0, 1, λ}, the public - key is constituted by G 1, φ 1, g Lab1 and the secret trapdoor by G 2, φ 2, h, h, g Lab2. To encrypt a message x {0, 1} we first encode it by g 1, shuffle it by a string in (Lab 1 \ g 1 ({0, 1})), construct a leftmost derivation in G 1 and consider the obtained string y as the ciphertext. The illegal cryptanalyst has to parse y with respect to G 1, a hard problem. The legal receiver takes the string h(y) and parses it with respect to the context - free grammar G 2 ; to the obtained control string one applies g and the message x is found. Surprisingly enough, there exist useful nice pairs of grammars. Example 2 Let be G 1 = ({S, B}, {a, b, c, d}, S, P 1 ) with the rules r 1 : S asbc r 3 : S ab r 5 : db Bd r 2 : S asbd r : cb Bc r 6 : bb bb whereas G 2 = ({S}, {a, c, d}, S, P 2 ) contains the rules r 1 : S asc r 2 : S asd r 3 : S a (we have also specified the labelling). Consider also defined by and h : {a, b, c, d} {a, c, d} h(a) = a, h(b) = λ h(c) = c, h(d) = d h : {r 1, r 2, r 3, r, r 5, r 6 } {r 1, r 2r 3} defined by h (r 1 ) = r 1, h (r 2 ) = r 2, h (r 3 ) = λ, (i =, 5, 6) Associate 0 to r 1 in G 1 and to r 1 in G 2 and 1 to r 2 in G 1 and to r 2 in G 2. Clearly, G 1 is context sensitive, G 2 is unambiguous context - free and L(G 1 ) = {a n b n x x {c, d}, x = n 1, n 1} L(G 2 ) = {a n x x {c, d}, x = n 1, n 1} hence h(l(g 1 )) = L(G 2 ). 12

13 0, 1 are associated to r 1, r 2 in G 1 and to h (r 1 ), h (r 2 ) in G 2 and if in a leftmost derivation in G 1 we ignore the rules r, r 5, r 6 then a derivation with a control word in {r 1, r 2, r 3 } is found corresponding to a derivation in G 2 producing a string obtained by applying h to the string obtained in G 1 (that is h(sz left (x)) = G 2,left (h (x))). Unfortunately, the above nice pair of grammars is not good for a real cryptosystem, as the parsing with respect to G 1 is similarly easy as that with respect to G 2 (the string x in the above writing of strings in G 1 and G 2, a n b n x, a n x respectively precisely identifies the rules used, r 1, r 2, r 1, r 2 respectively). It is a significant problem to find useful nice pairs of grammars with the parsing with respect to G 1 significantly harder than the parsing with respect to G 2. This example shows also that our definition of usefulness does not capture all the essential requirements. We hope to return to this issue in a forthcoming contribution. References [1] M. Andrasiu, Gh. Paun - A cryptosystem based on gsm mappings, manuscript, [2] M. Andrasiu, J. Dassow, Gh. Paun, A. Salomaa - Language - theoretic problems arising from Richelieu cryptosystems, Th. Computer Sci. [3] J. Gruska - Descriptional complexity of context - free languages, Proc. 2nd MFCS Symp, High Tatra, 1973, [] J. Kari - A cryptanalitic observation concerning systems based on language theory, Discr. Appl. Math., 21 (1988), [5] J. Kari - Observation concerning a public - key cryptosystem based on iterated homomorphisms, Th. Computer Sci., 66 (1989), [6] V. Niemi - Hiding regular language public - key cryptosystems, RAIRO/Th. Informatics, submitted [7] A. Salomaa - Formal languages, Academic Press, New York, [8] A. Salomaa - public - key cryptography, Springer - Verlag, Berlin, Heidelberg, [9] A. Salomaa, E. Welzi - A cryptographic trapdoor based on iterated morphisms, manuscript [10] A. Salomaa, S. Yu - On a public - key cryptosystem based on iterated morphisms and substitutions, Th. Computer Sci., 8 (1986),