Block Encryption Using Reversible Cellular Automata

Marcin Seredynski and Pascal Bouvry

1

1,2

Polish-Japanese Institute of Information Technology, Research Center Koszykowa 86, 02-008 Warsaw, Poland seredynski@acn.waw.pl 2 Luxembourg University of Applied Sciences 6, rue Coudenhove Kalergi, L-1359, Luxembourg-Kirchberg, Luxembourg pascal.bouvry@univ.lu

Abstract. Cellular automata (CA) are highly parallel and discrete dynamical systems, whose behavior is completely specified in terms of a local relation. They were successfully applied for simulation of biological systems and physical phenomena and recently to design parallel and distributed algorithms for solving task density and synchronization problems. In this paper CA are applied to construct cryptography algorithms. A new encryption concept based on one dimensional, uniform and reversible CA is proposed. A class of CA with rules specifically constructed to be reversible is used.

1 Introduction
Since the development of computers there has been strong demand for means to protect information and to provide various security services. The main aspects of information security are privacy, data integrity, authentication, and non-repudiation. This paper deals with encryption that is transformation of the message (plaintext) in to ciphertext and the opposite process that is decryption. These two complementary operations satisfy the demand of privacy. Cryptographic techniques are divided into two categories [5]: symmetric-key and public key. If both sender and receiver use the same key, or it is easy to obtain one form another then the system is referred to as symmetric key encryption. If the sender and receiver each uses different key, ant it is computationally infeasible to determine one form another without knowing some additional secret information then the system is referred to as a public key encryption. There are two classes of symmetric-key encryption schemes: block ciphers and stream ciphers. A block cipher breaks up the message into blocks of the fixed length and encrypts one block at a time. A stream cipher is one that encrypts data stream one bit or one byte at a time. Good overview of all major cryptography techniques can be found in [5]. Description of block ciphers including AES cipher is presented in [8]. This paper deals with symmetric-key block encryption. CA have been used so far in both symmetric-key and public-key cryptography. CA-based public cipher was proposed by Guan [2]. Stream CA-based encryption algorithm was first proposed by Wolfram [13] and later it was developed by Tommassini et al. [10], and recently by Seredynski et al. [6]. Block cipher using reversible and irreversible rules was proposed by Gutowitz [3].

P.M.A. Sloot, B. Chopard, and A.G. Hoekstra (Eds.): ACRI 2004, LNCS 3305, pp. 785792, 2004. Springer-Verlag Berlin Heidelberg 2004

786

M. Seredynski and P. Bouvry

This paper presents a new encryption concept based on a class of reversible rules specially designed to be reversible. The paper is organized as follows. The next section defines elementary and reversible CA. Section 3 presents the idea how a particular class of reversible CA can be used for block encryption. Experiment results are presented in section 4. Section 5 concludes the paper.

2 Cellular Automata
2.1 Elementary Cellular Automata One-dimensional CA is an array of cells. Each cell is assigned a value over some state alphabet. CA is defined by four parameters: size, initial state, neighborhood, rule and boundary conditions. Size defines number of cells. All cells update its value synchronously in discrete time steps accordingly to some rule. Such rule is based on the state of the cell itself and its neighborhood:

sit +1 = R ( sit r ,..., sit1 , sit , sit+1 ,..., sit+ r ),

t

(1)

where si is a value of i-th cell (the state of a cell) in step t and r is a radius of the neighborhood. When dealing with finite CA, cyclic boundary conditions are usually applied which means that CA can be treated as a ring. Changing values of all cells in step t is called CA iteration. Before the first iteration can take place some initial values must be assigned to all cells. This is called the initial state of CA. By updating values in all cells, the initial state is transformed into a new configuration. When each cell updates its state according to the same rule, CA is said to be uniform. Otherwise it is called non-uniform CA. The total number of rules for radius r neighborhood is

2n , where n = 2 2*r +1 . In this paper one-dimensional, uniform CA defined over

binary state alphabet (cells can be either in state 0 or 1) with neighborhood size two and three is used. 2.2 Reversible Cellular Automata By applying a rule to each cell

s i of the configuration qt a new configuration qt +1 is

obtained. This transformation can also be defined by a global transition function, which as an input takes configuration qt and results in a successive configuration

qt +1 . A CA is reversible if and only if the global transition function is one-to-one that

is if every configuration not only has one successor but also has one predecessor. Reversible rules that could by useful in cryptography should meet the following criteria: they should be numerous and they should exhibit complex behavior. When analyzing elementary CA it turns out that only a small number of rules have the property of being reversible. For example, among all 256 radius 1 CA of only six are

Block Encryption Using Reversible Cellular Automata

787

reversible. This is why class of CA with rules specially created to be reversible is considered. Different reversible CA classes are presented in [9]. This paper presents the idea of using reversible CA class presented by Wolfram [12]. In this class rule depends not on one but on two steps back:

sit +1 = R ( sitr ,..., sit1 , sit , sit 1 , sit+1 ,..., sit+r ).

In the elementary CA value

(2)

sit +1 of i-th cell in configuration t+1 depends on the value sit 1 in step t-1 is con-

of the state of itself and r of its neighbors in configuration t. In this reversible class additional dependency is added: the value of the central cell sidered. Such a rule can be simply constructed by taking elementary CA rule and adding dependency on two steps back. Example of such rule definition is shown on Fig. 1.

Fig. 1. Reversible rule 236/19

Definition of the rule is now composed of two elementary rules. The first one is defining state transition in case when in step t-1 cell was in a state 1, and the second one when the cell was in the state 0. Figure 1 gives an example of two elementary rules: 236 and rule 19. These two rules are complementary to each other. Knowing one value it is possible to calculate the second one using the following formula:

R2 = 2d R1 1 ,
2*r +1

(3)

, and r is radius of the neighborhood. Since a reversible rule dewhere d = 2 pends now on two steps back, an initial configuration must be composed of two successive configurations q 0 and q1 . The same rule is used in forward and backward iteration.

3 The Idea of Using Reversible CA for Encryption

First encryption and decryption algorithm of a single plaintext block is shown. When using reversible CA described in the previous section, plaintext is encoded as part of

788

M. Seredynski and P. Bouvry

initial state of a CA ( q1 ). Configuration

q0 is set up with some random data. Both

configurations form an initial state of CA. Encryption is done by forward iteration of CA by fixed number of steps according to some reversible rule. This process is shown on Fig. 2.

Fig. 2. Single block encryption using reversible cellular automata

q n1 is a ciphertext. The rule used during encryption is a secret key of that transformation. There are two options on how to treat configuration q n (called
Configuration final data) generated by the encryption process. The most secure one assumes that this information is kept secret, which means that configuration q n becomes a part of the key. The disadvantage of this option is that the key changes with each encryption. This is because now the key is a function of a rule, plaintext and some initial data (Rid). In the second option the final configuration qn is encrypted using Vernam encryption algorithm. This is done by applying logical bitwise operation XOR ( ) on the final configuration qn and selected bits of the key.

Fig. 3. Single block decryption using reversible cellular automata

Decryption algorithm is shown on Fig. 3. The same operations as in encryption are used in reverse order. Initial state is composed of the final data and the ciphertext. To obtain final data for the decryption, XOR operation must be applied first to encrypted final data and the key. Next, CA is iterated for the same number of steps as during encryption with use of the same secret rule.

Block Encryption Using Reversible Cellular Automata

789

In practice plaintext is divided into many fixed size blocks. Each block is encrypted separately. Typical block size for encryption algorithms is 64 or 128 bits. The algorithm for successive blocks encryption is shown on the Fig. 4.

Fig. 4. Multiple block encryption scheme

Plaintext is divided into n fixed size blocks. For the encryption of the first plaintext block random initial data is used. For the blocks number 2..n initial data is taken from the encryption of the previous block. Final data generated by the encryption of the ith plaintext block is used for the encryption of the i+1 block. Final data produced by the encryption of the last plaintext block can be either encrypted using XOR operation or kept secret.

4 Experiments
Desirable property of any encryption algorithm is that a small change in either plaintext or the key should result in a significant change in the ciphertext. Changing value of one randomly chosen bit in the plaintext or in the key should produce change of nearly half of the values of the ciphertext. This is so called avalanche property. It was introduced by H. Feistel in 1973 [1]. Later Kam and Davida gave the concept of completeness [4]. It says that for every possible key value, every output bit of the ciphertext must depends upon all input bits of the plaintext and not just a proper subset of the input bits. The concepts of completeness and the avalanche effect was combined by Webster and Tavares. They defined so called strict avalanche criterion (SAC) [11]. According to this property, each output bit should change with a probability of one half whenever a single input bit is complemented.

790

M. Seredynski and P. Bouvry

Number of iterations needed to achieve this property depends on the radius of the rule and the size of CA. We have tested 32 and 64 cell CA. For each size radius 2 and radius 3 rules were used. The following results are based on 10000 experiments for each parameters set (CA size/radius/iteration number). For each experiment random initial conditions and random rules were used. The following figures show dependency between number of iterations and percentage of states changed after one bit was changed either in the plaintext or in the ciphertext. Fig. 5 shows that dependency for 32 cell radius 2 CA while Fig. 6 shows it for 64 cell radius 3 CA.
Avalanche property for 32 cell CA when using radius 2 rule

50

Percentage of states changed

40

30 One bit changed in plaintext One bit changed in key 20

10

0 0 5 10 15 Iteration number 20 25 30

Fig. 5. Avalanche property for 32 cell CA and radius 2 rule

Avalanche property for 64 cell CA when using radius 3 rule

50

Percentage of states changed

40

30 One bit changed in plaintext One bit changed in key 20

10

0 0 5 10 15 Iteration number 20 25 30

Fig. 6. Avalanche property for 64 cell CA and radius 3 rule

Block Encryption Using Reversible Cellular Automata Table 1. Result for one random bit changed in the plaintext

791

32 cells CA 64 cells CA

radius 2 19 38

radius 3 8 17

Table 2. Result for one random bit changed in the ciphertext

32 cells CA 64 cells CA

radius 2 12 11

radius 3 20 16

Table 1 shows number of iteration needed to achieve the state in which over 49 % of cells change its value after changing one bit in the plaintext. Results are shown for 32 and 64 cell CA with neighborhood size 2 and 3. Number of iteration needed to achieve the same result after changing one bit in the ciphertext is shown in Table 2. After iterating CA for number of steps given in Table 1 and Table 2 strict avalanche effect is achieved. On average nearly half of cells are changed. The probability that a single cell is going to change its value after that number of iterations is around 0.5. The example for 64 cell CA with radius 3 neighborhood is shown on the Fig. 7. For the other parameters the result is similar (0.48 - 0.52 interval).
0.6 0.58 0.56 One bit changed in plaintext 0.54 0.52 Probability 0.5 0.48 0.46 0.44 0.42 0.4 0 10 20 30 Cell number 40 50 60 One bit changed in key

Fig. 7. Probability of cell state value change

5 Algorithm Properties
Our reversible CA-based algorithm works in a mode that is similar to CBC mode in terms of achieved result. The same plaintext block that appears in the whole plaintext more than once produces different block of ciphertext. This is because encryption of each plaintext block starts with some initial data from the encryption of the previous

792

M. Seredynski and P. Bouvry

block. In DES like ciphers there is still problem with encryption (using the same key) of the same plaintext more than once, or when two encrypted plaintext begin with the same information. In the first case the same ciphertext will be produced, while in the second case both plaintext will be encrypted the same way until the first difference is reached. It is possible to overcome this problem with encryption of some random data block (called initialization vector) first. In the proposed cipher encrypting the same plaintext with the same key will always result in a different ciphertext. This is achieved because of use of randomly generated data in the first phase of each encryption session. This data needs not to be remembered.

6 Conclusions
In this paper we have proposed a new encryption concept based on reversible CA. It ensures that strict avalanche criterion is achieved. Encryption using a single reversible CA does not provide enough security. Multiple reversible CA should be used for encryption of a single plaintext block. Detailed description of a block cipher based on this concept can be found in [7].

References
1. 2. 3. 4. 5. 6. Feistel, H.: Cryptography and Computer Privacy, Scientific American 228(5). (1973) 1523 Guan, P.: Cellular Automaton Public-Key Cryptosystem. Complex Systems 1 (1987) 5156 Gutowitz, H.: Cryptography with Dynamical Systems, manuscript Kam, J., Davida, G.: Structured Design of Substitution-Permutation Encryption Networks, IEEE Transactions on Computers. C-28(10). (1979) 747-753 Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography, CRC Press (1996) Seredynski, F., Bouvry, P., Zomaya, A.Y.: Cellular Programming and Symmetric Key Cryptography Systems. In: E.Cant-Paz et al. (eds.): Genetic and Evolutionary Computation GECCO 2003. LNCS 2724. Part II. Springer (2003) 1369-1381 Seredynski, M., Pienkosz, K., Bouvry, P.: Reversible Cellular Automata Based Encryption, IFIP International Conference on Network and Parallel Computing (NPC 2004), Wuhan, China, 18-20.10.2004. LNCS. Springer, (2004) (to appear) Stallings, W.: Cryptography and Network Security, 3rd ed, Prentice Hall. (2003) Toffoli, T., Margolus, N.: Invertible cellular automata: a review. Physica D 666. NorthHolland, Amsterdam (1997) Tomassini, M., Perrenoud, M.: Stream Ciphers with One and Two-Dimensional Cellular Automata. In: M. Schoenauer et al. (eds.): Parallel Problem Solving from Nature PPSN VI. LNCS 1917. Springer (2000) 722-731 Webster, A.F., Tavares, S.E.: On the Design of S-Boxes, Advances in Cryptology : Crypto 85 Proceedings. Springer. LNCS 218. Springer (1985) 523-534 Wolfram, S.: A New Kind of Science, Wolfram Media (2002) 435-441 Wolfram, S.: Cryptography with Cellular Automata in Advances in Cryptology : Crypto 85Proceedings. LNCS 218. Springer (1985) 429-432

7.

8. 9. 10.

11. 12. 13.