Block Cipher based on Reversible Cellu- lar Automata

Block Cipher based on Reversible Cellular Automata

1

Block Cipher based on Reversible Cellular Automata Marcin SEREDYNSKI and Pascal BOUVRY Faculty of Science, Technology and Communication, University of Luxembourg 6, rue Coudenhove Kalergi, L-1359, Luxembourg-Kirchberg, LUXEMBOURG [email protected], [email protected]

Received 6 November 2004

Abstract

We introduce a new encryption algorithm based on reversible cellular automata (CA). Complexity of the behavior achieved by CA and its parallel nature makes them interesting from point of view of cryptography. The proposed algorithm belongs to the class of symmetric key systems based on block cipher. Keywords

§1

Cryptography, Reversible cellular automata, Block ciphers

Introduction

With fast development of computers and their interconnections via networks, information security has recently become a very important issue. One of the most important tools for network and communication security is encryption which satisfies the demand for privacy. Cryptography is a set of techniques designed to provide information security. One of the main aspects of information security is confidentiality (privacy). Its goal is to keep information secret from all but those who are authorized to see it. Demand for confidentiality can be satisfied by the means of various encryption techniques. By using an encryption algorithm a message is scrambled and as a result it is unreadable by the opponent. To decrypt the message some secret information called key is needed. This information should only be known by those who

2

Marcin SEREDYNSKI and Pascal BOUVRY

want to share some secret content. Encryption techniques are divided into two groups referred as symmetric-key and public-key techniques 1) . If both sender and receiver use the same key, or it is easy to deduce one from the other then the system is referred to as symmetric-key encryption. If the sender and receiver each uses different key, and it is computationally infeasible to determine one from the other without knowing additional (secret) information then the system is referred to as a public-key encryption. There are two classes of symmetric-key encryption schemes: block ciphers and stream ciphers. A block cipher breaks up the message into fixed length blocks and then encrypts one block at a time. A stream cipher is one that encrypts one bit at a time. Cellular Automata (CA) were invented in the 1940’s by the mathematicians John von Neumann and Stanislaw Ulam. They are dynamical systems which are discrete in space and time. Its behavior is characterized by simple “local” interactions. Despite the simplicity of the interactions, an impressive diversity of behavior is achieved. Some of the CA are reversible which means that the information they process is preserved. CA have been used so far in both symmetric-key and public-key cryptography. CA-based public-key cipher was proposed by Guan 3) . Security of this algorithm was based on difficulty of solving a system of nonlinear polynomial equations. Stream CA-based encryption algorithm was first proposed by Wolfram 8) . The idea was to use CA as a pseudo-random number generator. Generated sequence was combined using exclusive-or (XOR) operation with the plaintext and as a result a ciphertext was produced. The secret key was the initial state of CA. For the decryption the same pseudo-random sequence needed to be generated (using the secret key and CA) and then combined with the ciphertext. This algorithm was later developed by Tommassini et al. 6) , and recently by Seredynski et al. 4) . A block cipher using both reversible and irreversible rules was proposed by Gutowitz 9) . In this article we present a new symmetric-key block cipher based on a specific class of reversible CA.

3


Spy

Sender plaintext

Encryption algorithm

Receiver plaintext

ciphertext

Unsecured channel

Decryption algorithm

key

Secured channel

key source Fig. 1

§2

Symmetric key encryption scheme

Encryption using symmetric-key algorithms

Symmetric-key encryption scheme is shown on Fig. 1. It is composed of five elements: Plaintext, encryption algorithm, ciphertext, decryption algorithm and key. Plaintext is the original message that is going to be encrypted. The encryption algorithm describes operations to be performed on the plaintext. As a result of encryption a scrambled message called ciphertext is produced. The exact transformations performed on the plaintext during encryption are defined by the key. Changing the key will result in a different ciphertext produced by the algorithm. To convert ciphertext into plaintext a decryption algorithm is used. As an input it takes ciphertext and the key. Usually decryption algorithm is the encryption algorithm run in reverse order. Desirable property of any encryption algorithm is that a small change in either plaintext or the key should result in a significant change in the ciphertext. Changing value of one randomly chosen bit in the plaintext or in the key should produce change of nearly half of the values of the ciphertext. This is so called avalanche property. It was introduced by Feistel in 1973 10) . Later Kam and Davida gave the concept of completeness 11) . It says that for every possible key value, every output bit of the ciphertext must depend upon all input bits of the plaintext and not just a proper subset of the input bits. The concepts of completeness and the avalanche effect was combined by Webster and Tavares. They defined strict avalanche criterion (SAC) 12) . According to this property, each output bit should change with a probability of one half whenever a single input bit is complemented. Good overview of all major cryptography techniques

4


can be found in 2) .

§3

Cellular automata

A cellular automata consists of an infinite array of cells, each in one of a finite number of states. All cells update its value synchronously in discrete time steps. State of a cell at the time t+1 is a function of the state of a finite number of cells called the neighborhood at a step t. This function is called a rule. Neighborhood of a cell consists of the cell itself and its surrounding cells. Iterating CA means that some rule is applied to the whole array. As a result a new configuration is produced. Before CA can be iterated its initial state must be defined which means that some values must be assigned to all cells. In this paper we are using one-dimensional finite CA defined over binary state alphabet (cell can be either in state 0 or 1). Such CA is often called elementary CA (term introduced by Wolfram). Neighborhood is composed of a cell itself and r of its left and right neighbors. Parameter r is called a radius. Neighborhood consists of m=2r+1 cells. This makes n = 2m possible patterns of the neighborhood which means that the total number of rules is 2n . There are 256 radius one rules, 232 radius two rules and 2128 radius three rules etc. . An example of radius one rule definition is shown on Fig. 2 1

step t 111 110 101 100 011 010 001 000 0 1 0 0 1 step t+1 0 1 1 6

4

3

2

1

0

7 5 Rule number: 0*2 + 1*2 + 0*2 + 0*2 + 1*2 + 0*2 + 1*2 + 1*2 = 75

Fig. 2

Elementary rule 75

Radius 1 neighborhood is composed of 3 cells which means that there are 8 possible patterns. In order to define a rule a next step value (t+1 ) must be assigned to all patterns. For example, the rule definition presented on Fig. 2 says that if three adjacent cells in the CA currently (step t) have the pattern 011, then the middle cell will become 1 on the next time step. Rules are usually named using standard convention proposed by Wolfram. The name derives from the binary representation of the step t+1 from the definition of the rule. In the presented example step t+1 is composed of bits 01001011, which is a binary representation of the number 75. Usually finite CA is used with cyclic boundary conditions. Such CA can be treated as a ring. When each cell updates its state according to the same

5


rule, CA is said to be uniform, otherwise it is called non-uniform. In this paper we are using one-dimensional, uniform CA defined over binary state alphabet with neighborhood size two and three. For the elementary CA an initial state is composed of a single configuration. The example of a CA is shown on Fig. 3. Rule 751 1definition 1 1

CELLULAR AUTOMATA Initial state (q0) 10 Iterations

cells valu: 1 cells valu: 0

Fig. 3

CA iterated for 10 steps using rule 75

It is a 14 cell CA. The initial state is 10010100001000. It is iterated for 10 steps and rule 75 is used.

3.1

Using reversible cellular automata for encryption

Some of the rules have interesting property of being reversible which means that not only forward but also reverse iteration is possible. Using reversible rule it is always possible to return to an initial state of a CA at any point. One rule is used for forward iteration and another rule, reversible to the first one is used for backward iteration. The basic idea of using this kind of rules for encryption is shown on Fig. 4.

Ciphertext Fig. 4

Decryption

...

Secret key: rule R for encryption -1 rule R for decryption

q0 q1

Encryption

CELLULAR AUTOMATA

Plaintext

qn-1 qn

Encryption scheme using reversible CA

The plaintext can be encoded as an initial state of a CA. Encryption is done

6


by forward iteration of the CA. Final configuration is a ciphertext. Decryption is a reverse process: ciphertext is encoded as an initial state of the CA. It is then iterated backward for the same number of steps as during encryption. The secret key is composed of two rules. The first one is used for encryption. For the decryption, rule reverse to the one used for encryption must be used. Reversible rules in order to be useful for cryptography should meet the following criteria: they should be numerous and they should exhibit complex behavior. When analyzing elementary CA it turns out that only a small number of rules have the property of being reversible. For example, among all 256 radius one elementary CA only six are reversible. Additionally their behavior is very simple. Three examples are shown on Fig. 5.

rule 15 Fig. 5

rule 51

rule 204

Elementary reversible rules: 15, 51 and 204

The reverse for rule 15 is rule 85, while rules 51 and 204 are its own reverse. For the reasons described above elementary reversible rules cannot be used for encryption. The solution is to use classes of reversible rules specially designed to be reversible. Different reversible CA classes are presented in 5) . In this paper we propose to use for the first time the class described by Wolfram 7) for encryption. In this class, a rule depends not on one but on two steps back. Now cell has to look not only at its left and right neighbors in step t but also it should check its value in step t-1. This means that two cases must be considered while creating a new rule. The first one should define state transition in case when in step t-1 cell was in state 1 and the second one when the cell was in state 0. The example of a definition of such rule is given on Fig. 6.


Case 1

step t-1 1 1 1 1 1 1 1 1 1 step t 1 1 1 1 1 0 1 0 1 1 0 0 0 1 1 0 1 0 0 0 1 0 0 0 Elementary 0 1 0 0 1 rule 75 (R1) step t+1 0 1 1

Case 2

step t-1 0 0 0 0 0 0 0 0 step t 1 1 1 1 1 0 1 0 1 1 0 0 0 1 1 0 1 0 0 0 1 0 0 0 Elementary 1 1 0 0 0 0 rule 180 (R2) 1 step t+1 1 Fig. 6

7

Reversible rule 75/180 definition

Each rule that belongs to this class can be described by two elementary rules. The first one is defining state transition in case when in step t-1 cell was in state 1 (case 1), and the second one when the cell was in state 0 (case 2). These two rules depend on each other. Knowing one rule we can calculate the second one using the following formula: R2 = 2n − R1 − 1 To create a new reversible rule we can take any elementary rule and apply it in case when cells value in step t-1 was 1 (case 1). In order to find a rule for the case in which cells value in step t-1 was 0 (case 2) presented formula can be used. The interesting property of this class is that the same rule is used in both forward and backward iteration. Since a reversible rule depends now on two steps back, an initial state of a CA must be composed of two successive configurations labeled q0 and q1 .

§4 Basic idea for using class of reversible rules for encryption Due to the fact that an initial state of a CA is now composed of two successive configurations the encryption scheme from Fig. 4 must be modified. In our proposition plaintext is encoded as a second configuration, while the first configuration is filled with any random data. Just as before, encryption is done by forward iteration of the CA. But now the final result is composed of two configurations and both of them must be used during decryption. The first one is the ciphertext and the second one is called final data. During decryption the same operations are performed in reverse order. Encryption and decryption algorithms are shown on Fig. 7.

8


Encrypted final data q0 q1

Ciphertext Final data

qn-1 qn

Final data Ciphertext

q0 q1

...

Key

Plaintext

qn-1 qn

n-1 iterations

Key

n-1 iterations

Initial data Plaintext

...

RNG

Encrypted final data

Decryption

Encryption Fig. 7

New idea on how to apply a class of reversible rules for encryption

The rule used both in encryption and decryption is a secret key. The final configuration cannot be made public. This is because knowing two successive configurations (final data and ciphertext) makes finding the rule used for encryption an easy task. There are two options on how to treat the final data generated by the encryption process. The most secure one assumes that this information is kept secret, which means that it becomes a part of the key. The key would now be composed of a rule and a final configuration. The drawback of this option is that the key would change after each encryption and it has to be sent to the receiver of the message after encryption. In the second option the final configuration is encrypted using Vernam algorithm 1) . It is done by applying logical bitwise operation XOR operation on the final configuration and the key:

ef di = ki ⊕ f di where ki = i th binary digit of key f di = i th binary digit of final data ef di = i th binary digit of encrypted finaldata ⊕ = XOR operation XOR operation is defined as follows: 0 XOR 0 = 0, 0 XOR 1 = 1, 1 XOR 0 = 1, 1 XOR 1 = 0. Now encrypted final data no longer has to be kept secret, and can be added to the ciphertext.

§5

Block cipher based on class reversible CA

9


proposition The proposed algorithm is an extension of the new idea of encryption described in section 4.

5.1

Algorithm overview

The algorithm is composed of four one-dimensional CA labeled CAL , CAR , CAC and CAS . Both CAL and CAR are composed of 32 cells, CAC is composed of 64 cells and CAS is composed of 16 cells. There are two inputs to the encryption function: 64-bit plaintext and 224-bit key. Automata CAL , CAR , CAS are using radius 2 rules and CAC is using radius 3 rule. All rules belong to the class of reversible rules described in section 3.1. The encryption algorithm involves four functions: iteration in CAL , CAR , CAC and BitShift operation. Automaton CAS generates values used in BitShift operation. Encryption is composed of n rounds which means that all functions are applied n times on the plaintext. An overview of the algorithm is presented on Fig. 8.

CA L

CA R

BitShift

CA S

Round 1

plaintext

CA C

CA L

Round 2

CA R

BitShift

CA S

CA R

CA L CA S

BitShift CA C ciphertext

Fig. 8

Algorithm overview

Round n

...

CA C

10


First, the plaintext is divided into 64-bit blocks. Encryption of each block starts with two 64-bit values labeled q0 init and q1 init . The first block of the plaintext is encoded as a configuration q1 init . For the encryption of the first block q0 init (initial data) is generated randomly. For all other blocks this value is generated by the encryption of the previous block. After first round, two configurations labeled q0 f inal and q1 f inal are generated. They become initial values for the next round. This means that q0 f inal from i -th round becomes q0 init in round i+1 and similarly q1 f inal becomes q0 init . The encryption process is shown on Fig. 9.

11


Plaintext ...

RNG

Initial data

Plaintext block m1

Plaintext block mn

q0R q1R

qn-1L qnL

qn-1R qnR

qn-1R qnL'

qn-1L qnR '

CAC qn-1CL

qnL'

qn-1CR

qn-1CL

qnCR

qnCL

Round n

q0R q1R

BitShift

qn-1L qnR '

q0R q1R

...

CAR

qn-1L qnL

qn-1R qnR qn-1R

BitShift

qn-1CR

qn-1CL

qnCR

qnCL

BitShift

qn-1L qnR '

qn-1CL qnCL

qn-1CR qnCR

qnR '

qn-1CR qnCR

qnCL

q0final q1final

qnR

qn-1L

qn-1R qnL'

qnL'

q0R

q1R

q0L q1L

CAC qn-1CR qnCR

qn-1CL qnCL

q1L

qnR '

...

CAC qn-1CL

q0init q1init q0L

qnL

qnR

qn-1L

qn-1R qnL'

qnL'

qn-1CR qnCR

...

qn-1R qnR qn-1R

BitShift

qn-1CR qnCR

qn-1CL qnCL

CAL

...

...

CAR

qn-1L qnL

qnL

q0R

q1R

q0L q1L

CAL

qnR '

q0final q1final

q0init q1init q1L

BitShift

qn-1L qnR '

qnCL

q0final q1final

q0L

qnR

qn-1L

qn-1R qnL'

qnR '

CAC qn-1CR qnCR

qn-1CL qnCL

qn-1R qnR qn-1R

BitShift

BitShift

...

qnL'

CAR

qn-1L qnL

qnL

qnR

qn-1L

q0R q1R

Round n

qn-1R

q0R

q1R

q0L q1L

...

qnL BitShift

q1L

CAL

...

...

CAR

q0init q1init q0L

...

q0L q1L

CAL

q0R

q1R

...

q1L

...

q0init q1init q0L

Round 1

q0init q1init

Round 1

q0init q1init

q0final q1final q1final

Ciphertext block c1 Fig. 9

Ciphertext block cn

Final data

Encryption of successive plaintext blocks

Two configurations q0 f inal and q1

f inal

are produced after last round. The first

one is the ciphertext block while the second one is used as a configuration q0 init (initial data) for the encryption of the next plaintext block. After the encryption

12


of the last plaintext block configuration q1 f inal (called final data) is encrypted using XOR operation and selected bits form the key (explained later).

5.2

Details of a single round The details of the single round of encryption are shown on the Fig. 10.

q0R q1R q1R

q0L q1L q1L q0L q1L

q0R q1R

qn-1L qnL

qnL

qn-1R qnR qn-1R

BitShift

CAC qn-1CL

BitShift

qn-1L qnR '

qnR '

...

qnL'

qnR

qn-1L

qn-1R qnL'

Round transformations

...

CAR

...

CAL

q0R

qn-1CR qnCR

qn-1CL qnCL

qn-1CR qnCR

qnCL q0final q1final

Fig. 10

Next round initial data

q0L

Round initial data

q0init q1init

Single round of the algorithm

Each round starts with two 64-bit values labeled q0 init and q1

init .

The left

and right halves of each 64-bit value are divided into 32-bit quantities labeled q0L , q0R , q1L and q1R . Initial state of CAL is set up with values q0L , q1L and initial state of CAR with values q1L and q1R . Automata CAL and CAR are then iterated for n1 steps. Four configuration are produced: qn−1L , qnL (CAL ) and

13


qn−1R , qnR (CAR ). Next during BitShift operation configurations qnL and qnR are shifted for nS positions. Bits of the configuration qnL are shifted left while bits of the configuration qnR are shifted right. Value nS is obtained as a result of iteration of CAS which is shown on Fig. 11.

CAs Central cell

si0 si1 si2

...

ns1

si6 si7

...

si6 si7

...

ns2

RNG

...

si2

Initial state q0 q1

si11

...

si11

Fig. 11

Generation of the values used during BitShift operation

The automaton CAS is initialized only once, at the beginning of encryption. Its two initial configurations are obtained from any random data source. Set of n values is generated independently for the encryption of every plaintext block. In order to do so CAS is iterated for 5 steps before each round. Values produced by the central cell form 5-bit nS number. After BitShift operation values qn−1L and qn−1R switch place and then together with qnL0 and qnR0 they form the initial configuration of CAc. Finally CAc is iterated for n2 steps.

5.3

Key

Each CA is using its own reversible rule. The key is composed of 4 rules being used by each CA. There are three radius 2 rules (CAL , CAR , CAS ) and one radius 3 rule (CAC ). Each radius 2 rule is 32 bits in length while radius 3 rule is 128 bits in length. This makes the key size of 224 bits. The key structure is shown on Fig. 12. Bit positions:

0

31 32

191 192

63 64

CA L rule CAR rule Fig. 12

CAC rule

223

CAS rule

Key structure

The key should be generated randomly. Selected bits from the key are used for

14


the encryption of the final data generated by CAC and final state of CAS (last two configurations).

5.4

Final operations

After encryption of the last plaintext block, final data from CAc as well last two configurations of CAS must be encrypted using XOR operation and selected bits from the key. For the encryption of the final data bits 64-127 are used. For the encryption of the last two configurations of CAS bits 192-223 are used.

5.5

Algorithm parameters

Automata CAL and CAR should be iterated for at least 19 steps while number of iterations for CAc should be no less than 17. This will ensure that the strict avalanche effect is achieved for every CA directly used for the encryption. These values are based on experiments whose results are shown below. Random initial conditions were used, and each experiment was repeated for 20000 times. Next, average value was calculated. On Fig. 13 avalanche effect for CAL and CAR is shown.

Percentage of output cells with a changed value

50

40

30

One bit changed in plaintext One bit changed in key (rule)

20

10

0 5

10

15

Fig. 13

20 Cell number

25

30

35

40

Key structure

A change in one bit in the plaintext or one bit in the key will produce a change of about halve output bits after around 19 iterations. The same property for

15


CAc is shown on Fig.14.

Percentage of output cells with a changed value

50

40

30

One bit changed in plaintext One bit changed in key (rule)

20

10

0 5

10

15

Fig. 14

20 Cell number

25

30

35

40

Key structure

This time this property is achieved after around 17 iterations.

5.6

Decryption

During decryption the same operations are performed in reverse order. During BitShift operation configuration qnL is shifted right while configuration qnR is shifted left.

5.7

Cryptanalysis

There exist 2224 potential keys, which means that a brute-force (exhaustive search) attack appears practically impossible. The other attack assumes finding final configurations generated by CAC and CAS . There are 232 possible configuration for CAS and 264 for CAC . Knowledge of those configurations makes finding rules used in both CA an easy task. The next step is to find rules used in CAL and CAR . It can only be found by enumeration. There are 232 possible rules used in both CA. This attack practically appears impossible. The algorithm can easily be extended. Greater security can be achieved using larger block size. Changing block size from 64 bits into 128 makes 2128 possible values of the final configuration of CAC . This means greater security but

16


encryption/decryption speed is reduced.

§6

Cipher properties

There are five block cipher modes of operation recommended by NIST (National Institute of Standards and Technology, USA) in Special Publication 800-38A. Various encryption applications demand use of a particular mode. For example ECB (Electronic Code Book) mode is best suited for encryption of small amounts of data. This mode might not be secure with encryption of longer messages, since the same plaintext block that appears in the message more than once would produce the same ciphertext. This problem is overcome in CBC (Cipher Block Chaining) mode. Performing XOR operation on plaintext and cipher text from the previous block generates the input of the encryption block. This way the result of encryption of a single block depends on the ciphertext generated by the encryption of the previous block. Our reversible CA-based cipher works in a mode that is similar to CBC mode in terms of achieved result. The same plaintext block that appears in the whole plaintext more than once produces different block of ciphertext. This is because the encryption of each plaintext block starts with some initial data taken from the encryption of the previous block. In DES like ciphers there is still problem if we want to encrypt (using the same key) the same plaintext more than once, or when two encrypted plaintext begin with the same information. In the first case the same ciphertext will be produced, while in the second case both plaintexts will be encrypted the same way until the first difference is reached. It is possible to overcome this problem with encryption of some random data block (called initialization vector) first. In the proposed cipher encrypting the same plaintext with the same key will always result in a different ciphertext. This is achieved by using randomly generated data (initial data configuration) in the first phase of each encryption session. This data is not used during decryption. New initial data should be generated for each encryption.

§7

Conclusions

In this paper we have proposed a new symmetric-key block cipher based on reversible CA. The encryption algorithm is based on a particular class of reversible CA. One dimensional CA using radius 2 and radius 3 rules are used. The algorithm operates on 64-bit plaintext blocks. The same operations in reverse order are performed during encryption and decryption. Due to a huge

17


key space a brute-force attack appears practically impossible. The algorithm can be easily extended by using larger block size. Because of parallel nature of CA this algorithm can be implemented in massively parallel hardware. This ensures high encryption/decryption speed.

References 1)

Menezes, A., van Oorschot, P., Vanstone, S. Handbook of Applied Cryptography, CRC Press, 1996.

2)

Stallings, W., Cryptography and Network Security (Third Edition), Prentice Hall, 2003.

3)

Guan, P., ”Cellular Automaton Public-Key Cryptosystem,” Complex Systems 1, pp. 51-56, 1987.

4)

Seredynski, F., Bouvry, P., Zomaya, A.Y., ”Cellular Programming and Symmetric Key Cryptography Systems,” in Proceedings of the Genetic and Evolutionary Computation - GECCO 2003(E.Cant-Paz et al. eds.), Springer-Verlag LNCS 2724 , pp. 1369-1381, 2003.

5)

Toffoli, T., Margolus, N., ”Invertible cellular automata: a review,” Physica, Vol. D 45, pp. 229-253, 1990.

6)

Tomassini, M., Perrenoud, M., ”Stream Ciphers with One and TwoDimensional Cellular Automata,” in Proceedings of the Parallel Problem Solving from Nature - PPSN VI(M. Schoenauer at al. eds.), Springer-Verlag LNCS 1917, pp. 722-731, 2000.

7)

Wolfram, S., A New Kind of Science, Wolfram Media, 2002.

8)

Wolfram, S., ”Cryptography with Cellular Automata,” in Proceedings of the Advances in Cryptology : Crypto ’85(H.C. Williams ed.), Springer-Verlag LNCS 218, pp. 429-432, 1985.

9)

Gutowitz, H.A., ”Cryptography with Dynamical Systems,” in Cellular Automata and Cooperative Phenomena(E. Goles at al. eds.), Kluwer Academic Press, 1993.

10)

Feistel, H., ”Cryptography and Computer Privacy,” 228(5), pp. 15-23, 1973.

11)

Kam, J., Davida, G., ”Structured Design of Substitution-Permutation Encryption Networks” IEEE Transactions on Computers, C-28(10), pp. 747-753, 1979.

12)

Webster, A.F., Tavares, S.E., ”On the Design of S-Boxes,” in Proceedings of the Advances in Cryptology : Crypto ’85(H.C. Williams ed.), Springer-Verlag LNCS 218, pp. 523-534, 1985.

Scientific American