Начиная с начала 2000 года осуществляется внедрение GHIS в здравоохранении, в рамках принятого проекта о реформирование информ Mathematical Problems of Computer Science 45, 77--89, 2016. Two-Party Regular Expression Matching Protocol without Asymmetric Cryptography Operations Gurgen H. Khachatryan1, Mihran M. Hovsepyan2, Aram H. Jivanyan3 1 American University of Armenia 2 Russian-Armenian (Slavonic) University 3 Onecryptor CJSC e-mail: gurgenkh@aua.am, hovsepyan.mihran@gmail.com, aram@skycryptor.com Abstract In this paper we describe a new protocol for secure evaluation of Deterministic Finite Automata (DFA) between two parties (client and server). The protocol has no restrictions on the DFA’s input alphabet and runs in a single client-server communication round. It uses 𝑂𝑂(𝑚𝑚𝑚𝑚) operations for client-side computations; 𝑂𝑂(𝑚𝑚𝑚𝑚|𝑄𝑄|) operations for server-side computations, and the network communication bandwidth is 𝑂𝑂(𝑚𝑚𝑚𝑚𝑚𝑚|𝑄𝑄|) bytes where 𝑚𝑚 is the security parameter of the protocol, 𝑚𝑚 is the size of the DFA’s input alphabet, 𝑚𝑚 is the length of the input text and |𝑄𝑄| is the number of the DFA states. As a building block our algorithm uses white-box based 1-out-of-n oblivious transfer protocol, which results that the protocol does no public-key operations. Apart from the description of the protocol the paper also contains results of efficiency benchmarks done on our implementation of the protocol. Keywords: Cryptography, Secure function evaluation, Secure pattern matching, Oblivious transfer. 1. Introduction The problem of two-party oblivious (secure) evaluation of DFA is a subproblem of more generic two-party secure function evaluation problem. In two-party secure function evaluation problem there is a known for two parties function 𝐹𝐹: 𝑈𝑈 × 𝑉𝑉 → 𝑍𝑍, the first party has an input argument 𝑢𝑢 ∈ 𝑈𝑈 and the second party has an input argument 𝑣𝑣 ∈ 𝑉𝑉 and the objective of these two parties to calculate 𝐹𝐹(𝑢𝑢, 𝑣𝑣) allowing one or both parties to learn the result, but none of them should learn any additional information about the other’s input. This problem has various real life applications. One such example is searching a number of appearances of a specific DNA pattern among people of some specific group (the FBI wants to 77 mailto:gurgenkh@aua.am mailto:hovsepyan.mihran@gmail.com mailto:aram@skycryptor.com Two-Party Regular Expression Matching Protocol without Asymmetric Cryptography Operations 78 allow biogenetical researchers (clients) to find the number of people among the criminals who have a specific (featured by the researchers) pattern in their DNAs without providing the entire list of DNAs of such people, and without learning which patterns have been searched). In this example the input argument of the first party is the pattern and the input of the second party is the database of DNAs. The next application is in banking: a person wants to take a credit from the bank. The bank needs to check whether he fits their requirements, particularly they want to check his credit history stored in Credit Report Agencies (CRA). But full credit report of a person may contain lots of private information as long as the criteria of the bank for giving a credit for the person also may be private. So the bank may want to check his criteria with the CRA without learning the full credit history and without providing the criteria to the CRA. The range of applications of the two-party secure function evaluation problem is not limited to the privacy-preserving genomic computations and credit checking, it can also be used in remote diagnostics, graph algorithms, data mining, medical diagnostics, face recognition, policy checking and in other areas. For more details see [3], it gives entire overview of the problem and its applications. Here we consider a problem where the first party (client) has a DFA (regular expression) Γ as long as the second party (server) has a text string 𝑋𝑋 which consists of the letters of the DFA’s input alphabet. Their objective is to check whether the string 𝑋𝑋 belongs to the language generated by the Γ or, in other words, whether the string 𝑋𝑋 matches Γ allowing both parties to learn the answer so that neither the client nor the server learned any additional information about the input of each other. This problem may have some variations: a) The client wants to hide the answer from the server. b) The client or both parties want to learn whether the string 𝑋𝑋 has a substring 𝑦𝑦 which matches Γ. c) The client or both parties want to learn positions of all substrings of the string 𝑋𝑋 which match Γ. d) The client or both parties want to learn the number of substrings of the string 𝑋𝑋 which match Γ. In this paper we describe a protocol which solves the initial problem and it is shown that after a little modification the protocol can be applied to these variations as well. Similar to the “Efficient Protocol for Oblivious DFA Evaluation” [1] construction our protocol runs in a single client-server communication round and in both client and server sides it has the same as the protocol from [1] complexity of symmetric operations when the input alphabet of the DFA is binary. But unlike [1], our protocol has no restriction on the DFAs input alphabet and it uses no asymmetric operations anymore. 2. Preliminaries 2.1 Notations We will assume that the client has a DFA Γ(𝑄𝑄; Σ; Δ; 𝑠𝑠1; 𝐹𝐹) with input alphabet Σ = �𝑏𝑏1, 𝑏𝑏2, … , 𝑏𝑏|Σ|�; set of states 𝑄𝑄 = {𝑞𝑞1, 𝑞𝑞2, … , 𝑞𝑞|𝑄𝑄|}; table of transitions Δ|𝑄𝑄|×|Σ|, where Δ[𝑞𝑞, 𝑏𝑏] ∈ 𝑄𝑄 is the state following after state 𝑞𝑞 through letter 𝑏𝑏; initial state 𝑠𝑠1 and set of accepting (or final) states 𝐹𝐹, while the server has an 𝑚𝑚 length string 𝑋𝑋 ∈ Σ𝑛𝑛. Saying the result of evaluation of Γ on the string 𝑋𝑋 (or simply Γ(𝑋𝑋)) we mean the Boolean value which is 1 (or 𝑡𝑡𝑡𝑡𝑢𝑢𝑡𝑡) if the state G. Khachatryan , M. Hovsepyan, A.Jivanyan 79 Δ�… Δ�Δ�𝑠𝑠1, 𝑋𝑋[1]�, 𝑋𝑋[2]� … , 𝑋𝑋[𝑚𝑚]�, is an accepting state (i.e., belongs to 𝐹𝐹) and 0 (or 𝑓𝑓𝑓𝑓𝑓𝑓𝑠𝑠𝑡𝑡), otherwise. By 𝑚𝑚 we denote the security parameter of the protocol. The pipe-sign | is used to denote concatenation of strings and the circled plus sign ⊕ is used to denote per-bit XOR operation. By ⌈𝑡𝑡⌉ we denote the ceiling of a real number 𝑡𝑡. In matrix indexing sometimes we use letters of the input alphabet Σ and states 𝑄𝑄 instead of their numbers (i.e., 𝑏𝑏𝑗𝑗 instead of 𝑗𝑗, 𝑞𝑞𝑗𝑗 instead of 𝑗𝑗). 2.2 Definitions: We will use the following concepts for describing the protocol and its security. One round 1-out-of-n Oblivious Transfer protocol (later OT): A protocol is intended for solving the following problem. The client has a number 𝑖𝑖 from 1 to 𝑚𝑚 and the server has a set of 𝑚𝑚 secrets {𝑠𝑠1, 𝑠𝑠2, … , 𝑠𝑠𝑛𝑛}. They should communicate and after that the client should learn the 𝑖𝑖-th secret 𝑠𝑠𝑖𝑖, but the server should not learn 𝑖𝑖 and the client should not learn any other secret apart from the 𝑠𝑠𝑖𝑖. There are various implementations of OT protocols, here we will use white box based 1-out-of-n oblivious transfer described in [2]. Secure Two-party Computation: Let 𝑓𝑓 = (𝑓𝑓1, 𝑓𝑓2) of form 𝑓𝑓: {0,1}∗ × {0,1}∗ → {0,1}∗ × {0,1}∗ be a two-party computation and 𝜋𝜋 be a two-party protocol for computing 𝑓𝑓 between the parties 𝑝𝑝1 and 𝑝𝑝2. The input of 𝑝𝑝1 is 𝑥𝑥 and the input of 𝑝𝑝2 is 𝑦𝑦. Here we will briefly define two notions of security. a) Full security (simulation-based security) against malicious adversaries: This security level is defined by requiring indistinguishability (perfect, statistical or computational) between a real execution of the protocol and an ideal execution in which there is a TTP (trusted third party) who receives the parties input, evaluates the function and outputs the results to them. b) Privacy against malicious adversaries: This level of security guarantees that a corrupted party will not learn any information about the honest parties input. However, this does not always guarantee that the joint outputs of the parties in the real world is simulatable in an ideal world. For more detailed discussion of these security notations refer to [12]. Looking ahead we want to note that in our protocol, we prove full-secure against one malicious party and private against the other. 3. The Protocol for Binary DFAs At first let us consider the case when the input alphabet of the DFA Σ = {0,1} is binary, we call such DFAs “binary DFA”. Brief description of the protocol: The main steps of the protocol are the following: a) Client: Create a special evaluation matrix (DFA matrix) 𝑀𝑀Γ of size 𝑚𝑚 × |𝑄𝑄| × 2 intended for evaluation of Γ on 𝑚𝑚-length binary strings. b) Client: Create garbled DFA matrix 𝐺𝐺𝑀𝑀Γ by permuting each row of the 𝑀𝑀Γ matrix, then encrypting each cell of the matrix using one time pad. As a result, to calculate Γ(𝑋𝑋) it will be enough for the server to have the garbled DFA matrix 𝐺𝐺𝑀𝑀Γ and a key for each position 𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚 of the string 𝑋𝑋 corresponding to the letter of that position. c) Server: For each letter of string 𝑋𝑋 create an OT query token [2] and send them all along with the OT initialization data to the client. Two-Party Regular Expression Matching Protocol without Asymmetric Cryptography Operations 80 d) Client: For each OT query token create an OT response token for the corresponding key [2] and send them together with the garbled DFA matrix 𝐺𝐺𝑀𝑀Γ to the Server. e) Server: From OT response tokens invoke the keys for positions of the string 𝑋𝑋, then compute Γ(𝑋𝑋) using those keys and 𝐺𝐺𝑀𝑀Γ garbled DFA matrix. Now let us look at these steps in more detail. Step a): For evaluating Γ on any 𝑚𝑚-length binary string we create a DFA matrix 𝑀𝑀Γ of size 𝑚𝑚 × |𝑄𝑄| × 2 such that for each state 𝑞𝑞 and letter 𝑏𝑏 𝑀𝑀Γ[𝑖𝑖, 𝑞𝑞, 𝑏𝑏] = Δ[𝑞𝑞, 𝑏𝑏] ∀𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚 − 1 and 𝑀𝑀Γ[𝑚𝑚, 𝑞𝑞, 𝑏𝑏] = 1 if Δ[𝑞𝑞, 𝑏𝑏] is a final state and 𝑀𝑀Γ[𝑚𝑚, 𝑞𝑞, 𝑏𝑏] = 0 if Δ[𝑞𝑞, 𝑏𝑏] is not final. It is easy to see that in such notation Γ(𝑋𝑋) is equal to 𝑀𝑀Γ �𝑚𝑚, … 𝑀𝑀Γ �2, 𝑀𝑀Γ�1, 𝑠𝑠1, 𝑋𝑋[1]�, 𝑋𝑋[2]� … , 𝑋𝑋[𝑚𝑚]�. Figure 1 (a, b) bellow illustrates an example of DFA with its DFA matrix. Step b): Here it is worth to note that for any permutation 𝑃𝑃: 𝑄𝑄 → 𝑄𝑄 the DFA Γ is equal (i.e., accepts the same set of strings) to the DFA Γ𝑃𝑃(𝑄𝑄; {0,1}; Δ𝑃𝑃; 𝑃𝑃[𝑠𝑠1]; 𝐹𝐹𝑃𝑃) (where for each state 𝑞𝑞 and letter Δ𝑃𝑃[𝑃𝑃[𝑞𝑞], 𝑏𝑏] = 𝑃𝑃�Δ[𝑞𝑞, 𝑏𝑏]�; and 𝐹𝐹𝑃𝑃 = {𝑞𝑞: 𝑃𝑃−1[𝑞𝑞] ∈ 𝐹𝐹}). The first stage of DFA matrix garbling is based on this fact. Namely, we first create 𝑚𝑚 random permutations of the DFA states 𝑄𝑄 and fill by them 𝑚𝑚 rows of an 𝑚𝑚 × |𝑄𝑄| permutations matrix 𝑃𝑃𝑃𝑃𝑃𝑃, then we create permuted DFA matrix 𝑃𝑃𝑀𝑀Γ such that for each state 𝑞𝑞 and letter 𝑏𝑏 𝑃𝑃𝑀𝑀Γ[𝑖𝑖, 𝑃𝑃𝑃𝑃𝑃𝑃[𝑖𝑖, 𝑞𝑞], 𝑏𝑏] = 𝑃𝑃𝑃𝑃𝑃𝑃�𝑖𝑖 + 1, 𝑀𝑀Γ[𝑖𝑖, 𝑞𝑞, 𝑏𝑏]�, for each 𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚 − 1 and 𝑃𝑃𝑀𝑀Γ[𝑚𝑚, 𝑃𝑃𝑃𝑃𝑃𝑃[𝑚𝑚, 𝑞𝑞], 𝑏𝑏] = 𝑀𝑀Γ[𝑚𝑚, 𝑞𝑞, 𝑏𝑏]. Figure 1 (c) bellow illustrates an example of a 𝑃𝑃𝑀𝑀Γ matrix. Here it is not hard to observe that in terms of 𝑃𝑃𝑀𝑀Γ matrix Γ(𝑋𝑋) is equal to 𝑃𝑃𝑀𝑀Γ �𝑚𝑚, … 𝑃𝑃𝑀𝑀Γ �2, 𝑃𝑃𝑀𝑀Γ�1, 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑠𝑠1], 𝑋𝑋[1]�, 𝑋𝑋[2]� … , 𝑋𝑋[𝑚𝑚]�. For the second stage of DFA matrix garbling we generate an 𝑚𝑚 × 2 size matrix of random 𝑚𝑚-bit keys 𝐾𝐾 and an (𝑚𝑚 + 1) × |𝑄𝑄| size matrix of 𝑚𝑚′-bit pads 𝑃𝑃𝑃𝑃𝑃𝑃; where for each state 𝑞𝑞, and for each 𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚 the 𝑃𝑃𝑃𝑃𝑃𝑃[𝑖𝑖, 𝑞𝑞] is a random 𝑚𝑚′-bit string and 𝑃𝑃𝑃𝑃𝑃𝑃[𝑚𝑚 + 1, 𝑞𝑞] = 00 … 0��� 𝑘𝑘′ . Here by 𝑚𝑚′ we denote 𝑚𝑚 − ⌈log2|𝑄𝑄|⌉. For garbling the permuted DFA matrix we also need some CSPRNG (cryptographically secure pseudo-random number generator) 𝑃𝑃𝑃𝑃𝐺𝐺: {0,1}𝑘𝑘 ′ → {0,1}2𝑘𝑘. Since the 𝑃𝑃𝑃𝑃𝐺𝐺 receives a 𝑚𝑚′-bit string as an input and returns 2𝑚𝑚-bit string as an output by 𝑃𝑃𝑃𝑃𝐺𝐺(𝑌𝑌, 0) we denote the first 𝑚𝑚-bits of 𝑃𝑃𝑃𝑃𝐺𝐺(𝑌𝑌) and by 𝑃𝑃𝑃𝑃𝐺𝐺(𝑌𝑌, 1) we denote the second 𝑚𝑚-bits of 𝑃𝑃𝑃𝑃𝐺𝐺(𝑌𝑌). Having all these, we create the garbled DFA matrix 𝐺𝐺𝑀𝑀Γ such that 𝐺𝐺𝑀𝑀Γ[𝑖𝑖, 𝑞𝑞, 𝑏𝑏] = �𝑃𝑃𝑀𝑀Γ[𝑖𝑖, 𝑞𝑞, 𝑏𝑏] | 𝑃𝑃𝑃𝑃𝑃𝑃�𝑖𝑖 + 1, 𝑃𝑃𝑀𝑀Γ[𝑖𝑖, 𝑞𝑞, 𝑏𝑏]�� ⊕ 𝐾𝐾[𝑖𝑖, 𝑏𝑏] ⊕ 𝑃𝑃𝑃𝑃𝐺𝐺(𝑃𝑃𝑃𝑃𝑃𝑃[𝑖𝑖, 𝑞𝑞], 𝑏𝑏) for each 𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚, letter 𝑏𝑏 and state 𝑞𝑞. G. Khachatryan , M. Hovsepyan, A.Jivanyan 81 𝑠𝑠1 𝑠𝑠2 𝑠𝑠3 𝑠𝑠4 𝑠𝑠5 … … … Accepting State Non-Accepting State Start 0 1 1 0 1 2 n n-1 (0, 0) (1, 0) (2, 3) (5, 4) (2, 3) (5, 4) (2, 3) (5, 4) 1 2 |Q| … … … … … … … … … Accepted . . . . . . (b) 𝑀𝑀Γ (DFA Matrix of Γ) (a) A general binary DFA Γ 1 2 n n-1 Start Accepted . . . . . . (c) Permuted DFA Matrix 𝑃𝑃𝑀𝑀Γ … 1 … 𝐼𝐼2 − 1 … 1 … 𝐼𝐼1 − 1 … 1 … 𝐼𝐼𝑛𝑛−1 − 1 … 1 … 𝐼𝐼𝑛𝑛 − 1 (0, 0) 𝐼𝐼𝑛𝑛 = 𝑃𝑃𝑃𝑃𝑃𝑃[𝑚𝑚, 1] (𝐽𝐽𝑛𝑛, …) 𝐼𝐼𝑛𝑛−1 = 𝑃𝑃𝑃𝑃𝑃𝑃[𝑚𝑚 − 1,1] … 𝐼𝐼1 + 1 … 𝐽𝐽1 − 1 … 𝐽𝐽1 + 1 … |𝑄𝑄| … 𝐼𝐼2 + 1 … 𝐽𝐽2 − 1 … 𝐼𝐼𝑛𝑛 + 1 … 𝐽𝐽𝑛𝑛 − 1 … 𝐼𝐼𝑛𝑛−1 + 1 … 𝐽𝐽𝑛𝑛−1 − 1 … 𝐽𝐽𝑛𝑛 + 1 … |𝑄𝑄| … 𝐽𝐽𝑛𝑛−1 + 1 … |𝑄𝑄| … 𝐽𝐽2 + 1 … |𝑄𝑄| (𝐽𝐽3, …) 𝐼𝐼2 = 𝑃𝑃𝑃𝑃𝑃𝑃[2,1] (𝐽𝐽2, …) 𝐼𝐼1 = 𝑃𝑃𝑃𝑃𝑃𝑃[1,1] (1, 0) 𝐽𝐽𝑛𝑛 = 𝑃𝑃𝑃𝑃𝑃𝑃[𝑚𝑚, 2] (…, …) 𝐽𝐽𝑛𝑛−1 = 𝑃𝑃𝑃𝑃𝑃𝑃[𝑚𝑚 − 1,2] (…, …) 𝐽𝐽2 = 𝑃𝑃𝑃𝑃𝑃𝑃[2,2] (…, …) 𝐽𝐽1 = 𝑃𝑃𝑃𝑃𝑃𝑃[1,2] 𝑋𝑋 = 01 … 00 𝑋𝑋 = 01 … 00 Start Fig. 1. DFA Γ, DFA matrix 𝑀𝑀Γ, Permuted DFA matrix 𝑃𝑃𝑀𝑀Γ. Two-Party Regular Expression Matching Protocol without Asymmetric Cryptography Operations 82 Step c): Having the garbled DFA matrix 𝐺𝐺𝑀𝑀Γ and 𝐾𝐾�𝑖𝑖, 𝑋𝑋[𝑖𝑖]� for each 𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚 the server will be able to calculate Γ(𝑋𝑋) (we will see that in step e). Hence, here for each letter 𝑋𝑋[𝑖𝑖] of its input string the server generates an OT query token OT𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄[𝑖𝑖] and along with OT initialization info OT𝐼𝐼𝑛𝑛𝑖𝑖𝐼𝐼 sends them to the client. For the details of OT initialization info and OT query token generation see [2]. Step d): For each OT query the token OT𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄[𝑖𝑖] (1 ≤ 𝑖𝑖 ≤ 𝑚𝑚) the client, using OT initialization info OT𝐼𝐼𝑛𝑛𝑖𝑖𝐼𝐼 generates an OT response token OT𝑅𝑅𝑄𝑄𝑅𝑅𝑅𝑅𝑅𝑅𝑛𝑛𝑅𝑅𝑄𝑄[𝑖𝑖] which carries sufficient info to invoke 𝐾𝐾�𝑖𝑖, 𝑋𝑋[𝑖𝑖]� (see [2]). Then the client sends those response tokens, garbled DFA matrix 𝐺𝐺𝑀𝑀Γ, 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑠𝑠1] and 𝑃𝑃𝑃𝑃𝑃𝑃�1, 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑠𝑠1]� to the server. Step e): At this step first the server for each 𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚 invokes 𝐾𝐾�𝑖𝑖, 𝑋𝑋[𝑖𝑖]� key stored in the corresponding response token OT𝑅𝑅𝑄𝑄𝑅𝑅𝑅𝑅𝑅𝑅𝑛𝑛𝑅𝑅𝑄𝑄[𝑖𝑖] (see [2]). Then having the keys, garbled DFA matrix 𝐺𝐺𝑀𝑀Γ, 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑠𝑠1] and 𝑃𝑃𝑃𝑃𝑃𝑃�1, 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑠𝑠1]�, it runs the following algorithm to calculate Γ(𝑋𝑋): Evaluation of garbled DFA matrix 𝑐𝑐𝑢𝑢𝑡𝑡_𝑠𝑠𝑡𝑡𝑓𝑓𝑡𝑡𝑡𝑡_𝑖𝑖𝑖𝑖 ∶= 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑠𝑠1]; 𝑐𝑐𝑢𝑢𝑡𝑡_𝑝𝑝𝑓𝑓𝑖𝑖 ∶= 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑐𝑐𝑢𝑢𝑡𝑡_𝑠𝑠𝑡𝑡𝑓𝑓𝑡𝑡𝑡𝑡_𝑖𝑖𝑖𝑖]; for each row 𝑖𝑖 = 1 to 𝑚𝑚 do 𝑐𝑐𝑢𝑢𝑡𝑡_𝑠𝑠𝑡𝑡𝑓𝑓𝑡𝑡𝑡𝑡_𝑖𝑖𝑖𝑖|𝑐𝑐𝑢𝑢𝑡𝑡_𝑝𝑝𝑓𝑓𝑖𝑖 ∶= 𝐺𝐺𝑀𝑀Γ �𝑖𝑖, 𝑐𝑐𝑢𝑢𝑡𝑡𝑅𝑅𝐼𝐼𝑠𝑠𝐼𝐼𝑄𝑄𝑖𝑖𝑖𝑖, 𝑋𝑋[𝑖𝑖]� ⊕ 𝐾𝐾�𝑖𝑖, 𝑋𝑋[𝑖𝑖]� ⊕ 𝑃𝑃𝑃𝑃𝐺𝐺(𝑐𝑐𝑢𝑢𝑡𝑡_𝑝𝑝𝑓𝑓𝑖𝑖, 𝑋𝑋[𝑖𝑖]); end for return 𝑐𝑐𝑢𝑢𝑡𝑡_𝑠𝑠𝑡𝑡𝑓𝑓𝑡𝑡𝑡𝑡_𝑖𝑖𝑖𝑖 The step by step construction of the garbled DFA matrix implies that this algorithm will give the same result as evaluation of the initial DFA matrix, so no additional proof is required here. These were all steps of the protocol for binary DFAs, now let us move to the case where there is no restriction on the input alphabet of the DFA. 4. Case of Non-Binary DFAs Here again the protocol consists of 5 steps and they are almost the same as in the case of binary DFAs, the main difference is that the size of the third dimension of 𝑀𝑀Γ, 𝑃𝑃𝑀𝑀Γ and 𝐺𝐺𝑀𝑀Γ matrixes is |Σ| instead of 2. Let us look at these steps in detail. Step a): Create a DFA matrix 𝑀𝑀Γ of size 𝑚𝑚 × |𝑄𝑄| × |Σ| such that for each state 𝑞𝑞 and letter 𝑏𝑏 ∈ Σ 𝑀𝑀Γ[𝑖𝑖, 𝑞𝑞, 𝑏𝑏] = Δ[𝑞𝑞, 𝑏𝑏] ∀𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚 − 1 and 𝑀𝑀Γ[𝑚𝑚, 𝑞𝑞, 𝑏𝑏] is equal to 1 if Δ[𝑞𝑞, 𝑏𝑏] is a final state and it is 0, otherwise. In such notation Γ(𝑋𝑋) is equal to 𝑀𝑀Γ �𝑚𝑚, … 𝑀𝑀Γ �2, 𝑀𝑀Γ�1, 𝑠𝑠1, 𝑋𝑋[1]�, 𝑋𝑋[2]� … , 𝑋𝑋[𝑚𝑚]�. Figure 2 (a, b) bellow illustrates an example of DFA with its DFA matrix. Step b): Here again we create 𝑚𝑚 random permutations of the DFA states 𝑄𝑄 and fill by them 𝑚𝑚 rows of an 𝑚𝑚 × |𝑄𝑄| permutations matrix 𝑃𝑃𝑃𝑃𝑃𝑃, then we create permuted DFA matrix 𝑃𝑃𝑀𝑀Γ of size 𝑚𝑚 × |𝑄𝑄| × |Σ| such that for each state 𝑞𝑞 and letter 𝑏𝑏 ∈ Σ G. Khachatryan , M. Hovsepyan, A.Jivanyan 83 𝑃𝑃𝑀𝑀Γ[𝑖𝑖, 𝑃𝑃𝑃𝑃𝑃𝑃[𝑖𝑖, 𝑞𝑞], 𝑏𝑏] = 𝑃𝑃𝑃𝑃𝑃𝑃�𝑖𝑖 + 1, 𝑀𝑀Γ[𝑖𝑖, 𝑞𝑞, 𝑏𝑏]�, for each 𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚 − 1 and 𝑃𝑃𝑀𝑀Γ[𝑚𝑚, 𝑃𝑃𝑃𝑃𝑃𝑃[𝑚𝑚, 𝑞𝑞], 𝑏𝑏] = 𝑀𝑀Γ[𝑚𝑚, 𝑞𝑞, 𝑏𝑏] Figure 2 (c) bellow illustrates an example of a 𝑃𝑃𝑀𝑀Γ matrix. In terms of 𝑃𝑃𝑀𝑀Γ matrix Γ(𝑋𝑋) is equal to 𝑃𝑃𝑀𝑀Γ �𝑚𝑚, … 𝑃𝑃𝑀𝑀Γ �2, 𝑃𝑃𝑀𝑀Γ�1, 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑠𝑠1], 𝑋𝑋[1]�, 𝑋𝑋[2]� … , 𝑋𝑋[𝑚𝑚]�. Then we create an 𝑚𝑚 × |Σ| size matrix of random 𝑚𝑚-bit keys 𝐾𝐾 and an (𝑚𝑚 + 1) × |𝑄𝑄| size matrix of 𝑚𝑚′-bit pads 𝑃𝑃𝑃𝑃𝑃𝑃; here again for each state 𝑞𝑞, and for each 𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚 the 𝑃𝑃𝑃𝑃𝑃𝑃[𝑖𝑖, 𝑞𝑞] is a random 𝑚𝑚′-bit string and 𝑃𝑃𝑃𝑃𝑃𝑃[𝑚𝑚 + 1, 𝑞𝑞] = 00 … 0��� 𝑘𝑘′ , where 𝑚𝑚′ is 𝑚𝑚 − ⌈log2|𝑄𝑄|⌉. We also need some CSPRNG 𝑃𝑃𝑃𝑃𝐺𝐺: {0,1}𝑘𝑘 ′ → {0,1}𝑘𝑘∙|Σ|, and by 𝑃𝑃𝑃𝑃𝐺𝐺(𝑌𝑌, 𝑗𝑗) we denote the 𝑗𝑗-th 𝑚𝑚-bits of 𝑃𝑃𝑃𝑃𝐺𝐺(𝑌𝑌) for each 𝑗𝑗; 1 ≤ 𝑗𝑗 ≤ |Σ|. After all, we create the garbled DFA matrix 𝐺𝐺𝑀𝑀Γ such that 𝐺𝐺𝑀𝑀Γ[𝑖𝑖, 𝑞𝑞, 𝑏𝑏] = �𝑃𝑃𝑀𝑀Γ[𝑖𝑖, 𝑞𝑞, 𝑏𝑏] | 𝑃𝑃𝑃𝑃𝑃𝑃�𝑖𝑖 + 1, 𝑃𝑃𝑀𝑀Γ[𝑖𝑖, 𝑞𝑞, 𝑏𝑏]�� ⊕ 𝐾𝐾[𝑖𝑖, 𝑏𝑏] ⊕ 𝑃𝑃𝑃𝑃𝐺𝐺(𝑃𝑃𝑃𝑃𝑃𝑃[𝑖𝑖, 𝑞𝑞], 𝑏𝑏) for each 𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚, letter 𝑏𝑏 ∈ Σ and state 𝑞𝑞 ∈ 𝑄𝑄. Step c): And again having the garbled DFA matrix 𝐺𝐺𝑀𝑀Γ and 𝐾𝐾�𝑖𝑖, 𝑋𝑋[𝑖𝑖]� for each 𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚 the server will be able to calculate Γ(𝑋𝑋). So here we start OT phase between the client and the server for transferring the corresponding keys and 𝐺𝐺𝑀𝑀Γ. For each letter 𝑋𝑋[𝑖𝑖] of its input string the server generates an OT query token OT𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄[𝑖𝑖] and along with OT initialization info OT𝐼𝐼𝑛𝑛𝑖𝑖𝐼𝐼 sends them to the client [2]. Step d): For each OT query the token OT𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄[𝑖𝑖] (1 ≤ 𝑖𝑖 ≤ 𝑚𝑚) the client, using OT initialization info OT𝐼𝐼𝑛𝑛𝑖𝑖𝐼𝐼 generates an OT response token OT𝑅𝑅𝑄𝑄𝑅𝑅𝑅𝑅𝑅𝑅𝑛𝑛𝑅𝑅𝑄𝑄[𝑖𝑖] which carries sufficient info to invoke 𝐾𝐾�𝑖𝑖, 𝑋𝑋[𝑖𝑖]� [2]. Then the client sends those response tokens, garbled DFA matrix 𝐺𝐺𝑀𝑀Γ, 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑠𝑠1] and 𝑃𝑃𝑃𝑃𝑃𝑃�1, 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑠𝑠1]� to the server. Step e): At this step firstly the server invokes 𝐾𝐾�𝑖𝑖, 𝑋𝑋[𝑖𝑖]� keys stored in the corresponding response token OT𝑅𝑅𝑄𝑄𝑅𝑅𝑅𝑅𝑅𝑅𝑛𝑛𝑅𝑅𝑄𝑄[𝑖𝑖] for each 𝑖𝑖; 1 ≤ 𝑖𝑖 ≤ 𝑚𝑚 [2]. Then having the keys, garbled DFA matrix 𝐺𝐺𝑀𝑀Γ, 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑠𝑠1] and 𝑃𝑃𝑃𝑃𝑃𝑃�1, 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑠𝑠1]�, it runs the following algorithm to calculate Γ(𝑋𝑋): Evaluation of garbled DFA matrix 𝑐𝑐𝑢𝑢𝑡𝑡_𝑠𝑠𝑡𝑡𝑓𝑓𝑡𝑡𝑡𝑡_𝑖𝑖𝑖𝑖 ∶= 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑠𝑠1]; 𝑐𝑐𝑢𝑢𝑡𝑡_𝑝𝑝𝑓𝑓𝑖𝑖 ∶= 𝑃𝑃𝑃𝑃𝑃𝑃[1, 𝑐𝑐𝑢𝑢𝑡𝑡_𝑠𝑠𝑡𝑡𝑓𝑓𝑡𝑡𝑡𝑡_𝑖𝑖𝑖𝑖]; for each row 𝑖𝑖 = 1 to 𝑚𝑚 do 𝑐𝑐𝑢𝑢𝑡𝑡_𝑠𝑠𝑡𝑡𝑓𝑓𝑡𝑡𝑡𝑡_𝑖𝑖𝑖𝑖|𝑐𝑐𝑢𝑢𝑡𝑡_𝑝𝑝𝑓𝑓𝑖𝑖 ∶= 𝐺𝐺𝑀𝑀Γ �𝑖𝑖, 𝑐𝑐𝑢𝑢𝑡𝑡𝑅𝑅𝐼𝐼𝑠𝑠𝐼𝐼𝑄𝑄𝑖𝑖𝑖𝑖, 𝑋𝑋[𝑖𝑖]� ⊕ 𝐾𝐾�𝑖𝑖, 𝑋𝑋[𝑖𝑖]� ⊕ 𝑃𝑃𝑃𝑃𝐺𝐺(𝑐𝑐𝑢𝑢𝑡𝑡_𝑝𝑝𝑓𝑓𝑖𝑖, 𝑋𝑋[𝑖𝑖]); end for return 𝑐𝑐𝑢𝑢𝑡𝑡_𝑠𝑠𝑡𝑡𝑓𝑓𝑡𝑡𝑡𝑡_𝑖𝑖𝑖𝑖 Here again the step by step construction of the garbled DFA matrix implies that this algorithm will give the same result as evaluation of the initial DFA matrix. Two-Party Regular Expression Matching Protocol without Asymmetric Cryptography Operations 84 𝑠𝑠1 𝑠𝑠2 𝑠𝑠3 𝑠𝑠4 𝑠𝑠5 … … … Accepting State Non-Accepting State Start 1 2 n n-1 (0,0,0,0…0) 1 2 |Q| … … … … … … … … … Accepted . . . . . . (b) 𝑀𝑀Γ (DFA Matrix of Γ) (a) A general binary DFA Γ 1 2 n n-1 Start Accepted . . . . . . (c) Permuted DFA Matrix 𝑃𝑃𝑀𝑀Γ … 1 … 𝐼𝐼2 − 1 … 1 … 𝐼𝐼1 − 1 … 1 … 𝐼𝐼𝑛𝑛−1 − 1 … 1 … 𝐼𝐼𝑛𝑛 − 1 (0,0,0,0…0) 𝐼𝐼𝑛𝑛 = 𝑃𝑃𝑃𝑃𝑃𝑃[𝑚𝑚, 1] (𝐽𝐽𝑛𝑛, …) 𝐼𝐼𝑛𝑛−1 = 𝑃𝑃𝑃𝑃𝑃𝑃[𝑚𝑚 − 1,1] … 𝐼𝐼1 + 1 … 𝐽𝐽1 − 1 … 𝐽𝐽1 + 1 … |𝑄𝑄| … 𝐼𝐼2 + 1 … 𝐽𝐽2 − 1 … 𝐼𝐼𝑛𝑛 + 1 … 𝐽𝐽𝑛𝑛 − 1 … 𝐼𝐼𝑛𝑛−1 + 1 … 𝐽𝐽𝑛𝑛−1 − 1 … 𝐽𝐽𝑛𝑛 + 1 … |𝑄𝑄| … 𝐽𝐽𝑛𝑛−1 + 1 … |𝑄𝑄| … 𝐽𝐽2 + 1 … |𝑄𝑄| (𝐽𝐽3, …) 𝐼𝐼2 = 𝑃𝑃𝑃𝑃𝑃𝑃[2,1] (𝐽𝐽2, …) 𝐼𝐼1 = 𝑃𝑃𝑃𝑃𝑃𝑃[1,1] (1,0,0,0…0) 𝐽𝐽𝑛𝑛 = 𝑃𝑃𝑃𝑃𝑃𝑃[𝑚𝑚, 2] (…, …) 𝐽𝐽𝑛𝑛−1 = 𝑃𝑃𝑃𝑃𝑃𝑃[𝑚𝑚 − 1,2] (…, …) 𝐽𝐽2 = 𝑃𝑃𝑃𝑃𝑃𝑃[2,2] (…, …) 𝐽𝐽1 = 𝑃𝑃𝑃𝑃𝑃𝑃[1,2] 𝑋𝑋 = 𝑏𝑏1𝑏𝑏2 … 𝑏𝑏1𝑏𝑏1 𝑏𝑏2 𝑏𝑏3 𝑏𝑏1 𝑏𝑏3 𝑏𝑏4 … 𝑏𝑏|Σ| 𝑏𝑏1 𝑏𝑏2 𝑏𝑏4 … 𝑏𝑏|Σ| (2,3,4,1…1) (1,0,0,0…0) (5,4,3,2…2) (2,3,4,1…1) (2,3,4,1…1) (5,4,3,2…2) (5,4,3,2…2) 𝑋𝑋 = 𝑏𝑏1𝑏𝑏2 … 𝑏𝑏1𝑏𝑏1 Start Fig. 2. DFA Γ, DFA matrix 𝑀𝑀Γ, Permuted DFA matrix 𝑃𝑃𝑀𝑀Γ. G. Khachatryan , M. Hovsepyan, A.Jivanyan 85 5. Security In the protocol we use a white-box based 1-out-of-2 OT protocol. Such OT protocol is considered to be secure if the underlying white-box encryption schema is secure. In our case we use white-box encryption schema based on SAFER+ encryption schema. White-box scheme can be considered secure if no computationally bounded adversary is able to extract the master encryption key from the white-box encryption tables and no computationally bounded adversary is able to make decryption functionality with the help of only white-box encryption tables. So white-box scheme is considered to be secure if it is secure against key-recovery and reverse- engineering attacks. Taking into account this and security definitions from chapter 2 we see that according to the theorem 1 from [1] our protocol is fully-secure when only one party is malicious and it is private when both parties are malicious. 6. Implementation and Benchmarks 6.1 Implementation A C++ application has been created which implements the protocol. The implementation of the protocol is parameterized by the security parameter 𝑚𝑚 and by the CSPRNG 𝑃𝑃𝑃𝑃𝐺𝐺. The application acts as both a client and a server. As a server, it receives a text string as an input, and as a client, its input is a regular expression which it converts to the equivalent DFA using Thompson’s construction algorithm [8] to create NDFA equivalent to the regular expression, then using the subset construction algorithm [9] to convert the NDFA to the DFA. After all it runs the steps a) – e) of the protocol and calculates the result of evaluation of the DFA on the text string. During calculations it prints out time spent for different parts of computations. 6.2 Benchmarks Algorithm construction implies that overall number of computations depends on the security parameter 𝑚𝑚, the number of the DFA states |𝑄𝑄|, the length of the text string 𝑚𝑚 and the number of letters in the DFAs input alphabet |Σ|. Besides that, in the algorithm we have generation of random pads and keys, as well as usage of CSPRNG, and depending on the approach used for generation of random pads and keys and chosen CSPRNG the efficiency of the algorithm may differ for the same input data (𝑚𝑚, |𝑄𝑄|, |Σ| and |𝑋𝑋|). We did our benchmarks for 𝑚𝑚 = 128 and |Σ| = 2 on a 64-bit Windows 7 PC with Intel® Core™ 2 Quad Q6600 2.4 GHz processor and 4GB RAM, using SHA-256 as {0,1}𝑘𝑘 ′ → {0,1}𝑘𝑘∙|Σ| CSPRNG and C++ standard library’s rand() function for random pad/key generation. The method of garbled DFA matrix construction shows and our benchmarks confirmed that the number of operations, hence the spent time for garbled DFA matrix creation, is proportional to the |𝑄𝑄| ∙ |Σ| ∙ 𝑚𝑚 multiplication. The first table shows performance of garbled DFA matrix generation of our implementation on inputs of different sizes. The table contains averaged results from 10 runs for each pair of inputs. Two-Party Regular Expression Matching Protocol without Asymmetric Cryptography Operations 86 Table 1. Garbled DFA creation time when (sec). 𝑚𝑚 |𝑄𝑄| 10 100 1000 10000 100000 10 <0.001 0.002 0.017 0.17 1.7 100 0.002 0.017 0.17 1.7 17 1000 0.017 0.17 1.7 17 >100 10000 0.17 1.7 17 >100 >100 100000 1.7 17 >100 >100 >100 1000000 17 >100 >100 >100 >100 The second table shows the performance of the OT phase of the protocol and performance of the garbled DFA matrix evaluation by the server. Table 2. Time spent in OT phase when (sec). 𝑚𝑚 OT query generation and response extraction (server) OT response generation (client) Garbled DFA evaluation (server) 10 <0.001 <0.001 <0.001 100 0.002 <0.001 <0.001 1000 0.021 0.007 <0.001 10000 0.21 0.07 0.002 100000 2.1 0.7 0.02 1000000 21 7 0.2 The table shows only the dependency of efficiencies of the operations from 𝑚𝑚 since the number of OT queries/responses and the number of steps for garbled DFA matrix evaluation is equal to 𝑚𝑚 and do not depend on structure of DFA. 7. Conclusion Unlike other protocols for oblivious DFA evaluation published in recent years [3], our protocol is totally free from public-key operations, and it makes it somewhat unique among others. Table 3 below illustrates complexities of client and server computations and network communication bandwidth of our and other recent protocols. It is also worth to note that our protocol allows both parties to learn only Γ(𝑋𝑋), but in some applications it may be inconvenient or insufficient. In [1] it is shown that for each of the following modifications of the problem it is possible to solve it after modifying their protocol a little, and that those modifications have no security leakage. All those modifications of their protocol work for our protocol as well. a) The client wants to hide the answer from the server. b) The client or both parties want to learn whether the string 𝑥𝑥 has a substring 𝑦𝑦 which matches Γ. c) The client or both parties want to learn positions of all substrings of the string 𝑥𝑥 which match Γ. d) The client or both parties want to learn the number of substrings of the string 𝑥𝑥 which match Γ. G. Khachatryan , M. Hovsepyan, A.Jivanyan 87 Table 3. Complexity of protocols. Round Complexity Client Computations Server Computations Network Bandwidth Asymmetric Symmetric Asymmetric Symmetric Troncoso [4] 𝑂𝑂(𝑚𝑚) 𝑂𝑂(𝑚𝑚|𝑄𝑄|) None 𝑂𝑂(𝑚𝑚|𝑄𝑄|) 𝑂𝑂(𝑚𝑚|𝑄𝑄|) 𝑂𝑂(𝑚𝑚|𝑄𝑄|𝑚𝑚) Frikken [5] 2 𝑂𝑂(𝑚𝑚 + |𝑄𝑄|) 𝑂𝑂(𝑚𝑚|𝑄𝑄|) 𝑂𝑂(𝑚𝑚 + |𝑄𝑄|) 𝑂𝑂(𝑚𝑚|𝑄𝑄|) 𝑂𝑂(𝑚𝑚|𝑄𝑄|𝑚𝑚) Gennaro [6] 𝑂𝑂(min{|𝑄𝑄|, 𝑚𝑚} 𝑂𝑂(𝑚𝑚|𝑄𝑄|) None 𝑂𝑂(𝑚𝑚|𝑄𝑄|) None 𝑂𝑂(𝑚𝑚|𝑄𝑄|𝑚𝑚) Yao [10] 1 𝑂𝑂(𝑚𝑚) 𝑂𝑂(𝑚𝑚|𝑄𝑄| log|𝑄𝑄 𝑂𝑂(𝑚𝑚) 𝑂𝑂(𝑚𝑚|𝑄𝑄| log|𝑄𝑄 𝑂𝑂(𝑚𝑚𝑚𝑚2) Ishai [11] 1 𝑂𝑂(𝑚𝑚) None 𝑂𝑂(𝑚𝑚|𝑄𝑄|) None 𝑂𝑂(𝑚𝑚|𝑄𝑄|𝑚𝑚) Mohassel [1] 1 𝑂𝑂(𝑚𝑚) 𝑂𝑂(𝑚𝑚) 𝑂𝑂(𝑚𝑚) 𝑂𝑂(𝑚𝑚|𝑄𝑄|) 𝑂𝑂(𝑚𝑚|𝑄𝑄|𝑚𝑚) This Protocol |Σ| = 2 1 None 𝑂𝑂(𝑚𝑚|𝑄𝑄|) None 𝑂𝑂(𝑚𝑚) 𝑂𝑂(𝑚𝑚|𝑄𝑄|𝑚𝑚) References [1] P. Mohassel, S. Niksefat, S. Sadeghian and B. Sadeghiyan, “An efficient protocol for oblivious dfa evaluation and applications”, In Proceedings of Cryptographers' Track at the RSA Conference, pp. 398-415, 2012. [2] G. Khachatryan and A. Jivanyan, “Efficient oblivious transfer protocols based on white-box cryptography’, (submitted for publication). see more in http://cse.aua.am/applied-cryptography-laboratory/. [3] V. Kolesnikov, A.-R. Sadeghi and T. Schneider, “From Dust to Dawn: Practically Efficient Two-Party Secure Function Evaluation Protocols and their Modular Design”, Cryptology ePrint Archive, Report 2010/079 (2010), https://eprint.iacr.org/2010/079.pdf. [4] J.R. Troncoso-Pastoriza, S. Katzenbeisser and M. Celik, “Privacy preserving error resilient DNA searching through oblivious automata”, In Proceedings of the 14th ACM conference on Computer and communications security, pp. 519–528, 2007. [5] K. Frikken, “Practical private DNA string searching and matching through efficient oblivious automata evaluation’, Data and Applications Security XXIII, pp. 81–94, 2009. [6] R. Gennaro, C. Hazay and J. Sorensen, “Text search protocols with simulation based security”, Public Key Cryptography–PKC 2010, pp. 332–350, 2010. [7] C. Hazay and T. Toft, “Computationally secure pattern matching in the presence of malicious adversaries”, Advances in Cryptology-ASIACRYPT 2010, pp. 195–212, 2010. [8] K. Thompson, “Programming Techniques: Regular expression search algorithm”, Communications of the ACM , vol. 11, no. 6, pp. 419–422, 1968. [9] S. Michael, Introduction to the Theory of Computation, PWS Publishing Company, 1997. [10] A. C. Yao, “Protocols for secure computations”, In Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, Citeseer, pp. 160–164, 1982. http://en.wikipedia.org/wiki/Michael_Sipser Two-Party Regular Expression Matching Protocol without Asymmetric Cryptography Operations 88 [11] Y. Ishai, J. Kilian, K. Nissim and E. Petrank, “Extending oblivious transfers efficiently”, Advances in Cryptology-CRYPTO 2003, pp. 145–161, 2003. [12] O. Goldreich, Foundations of cryptography: Basic applications, Cambridge Univ Pr, 2004. Submitted 04.08.2015, accepted 15.02.2016 Առանց գաղտնագրման ասիմետրիկ գործողությունների կիրառման կանոնավոր արտահայտության գաղտնի համապատասխանեցման երկկողմանի պրոտոկոլ Գ. Խաչատրյան, Մ. Հովսեփյան, Ա. Ջիվանյան Ամփոփում Այս հոդվածում նկարագրված է նոր երկկողմանի պրոտոկոլ, որը թույլ է տալիս առաջին կողմին՝ կլիենտին, գաղտնի կերպով ստուգել, արդյոք երկրորդ կողմի՝ սերվերի, մոտ եղած տողը համապատասխանում է իր մոտ եղած կանոնավոր արտահայտությանը: Պրոտոկոլը նախատեսված է կամայական այբբենարանով կանոնավոր արտահայտությունների համար և աշխատում է մի փուլով: Այն կատարում է 𝑂𝑂(𝑚𝑚𝑚𝑚) գործողություն կլիենտի կողմում և 𝑂𝑂(𝑚𝑚𝑚𝑚|𝑄𝑄|) գործողություն սերվերի կողմում, իսկ ցանցով տեղափոխվում է 𝑂𝑂(𝑚𝑚𝑚𝑚𝑚𝑚|𝑄𝑄|) բայթ ինֆորմացիա, որտեղ 𝑚𝑚-ն պրոտոկոլի անվտանգության պարամետրն է, 𝑚𝑚-ը կանոնավոր արտահայտության այբբենարանի տառերի քանակն է, 𝑚𝑚-ը սերվերի մոտ եղած տողի երկարությունն է՝ տառերի քանակը, իսկ |𝑄𝑄|-ն՝ կանոնավոր արտահայտությանը համապատասխանող մինիմալ դետերմինիստիկ վերջավոր ավտոմատի (ԴՎԱ) վիճակների քանակը: G. Khachatryan , M. Hovsepyan, A.Jivanyan 89 Двухсторонний протокол тайного сопоставления регулярных выражений без применения операций асимметричного шифрования Г. Хачатрян, M. Овсепян, А. Дживанян Аннотация В этой статье описан двухсторонний протокол, который позволяет первой стороне – клиенту, имеющего регулярное выражение, тайным образом проверять соответствует ли строка имеющееся у второй стороны – у сервера, его регулярному выражению. Протокол предназначен для регулярных выражений с произвольным алфавитом и работает за один раунд коммуникаций между клиентом и сервером. Протокол выполняет 𝑂𝑂(𝑚𝑚𝑚𝑚) операций на клиенте, 𝑂𝑂(𝑚𝑚𝑚𝑚|𝑄𝑄|) операций на сервере, а трафик сети 𝑂𝑂(𝑚𝑚𝑚𝑚𝑚𝑚|𝑄𝑄|) байтов, где 𝑚𝑚 это параметр безопасности протокола, 𝑚𝑚 количество букв в алфавите регулярного выражения, 𝑚𝑚 длина входной строки сервера, а |𝑄𝑄| количество состояний минимального детерминистического конечного автомата (ДКА) соответствующего регулярному выражению.