Block Encryption Using Reversible Cellular Automata

1 Polish-Japanese Institute of Information Technology, Research Center, Koszykowa 86, 02-008 Warsaw, Poland, seredynski@acn.waw.pl
2 Luxembourg University of Applied Sciences, 6, rue Coudenhove Kalergi, L-1359 Luxembourg-Kirchberg, Luxembourg, pascal.bouvry@univ.lu
Abstract. Cellular automata (CA) are highly parallel and discrete dynamical systems, whose behavior is completely specified in terms of a local relation. They were successfully applied for simulation of biological systems and physical phenomena and recently to design parallel and distributed algorithms for solving task density and synchronization problems. In this paper CA are applied to construct cryptography algorithms. A new encryption concept based on one dimensional, uniform and reversible CA is proposed. A class of CA with rules specifically constructed to be reversible is used.
1 Introduction
Since the development of computers there has been strong demand for means to protect information and to provide various security services. The main aspects of information security are privacy, data integrity, authentication, and non-repudiation. This paper deals with encryption, that is, the transformation of the message (plaintext) into ciphertext, and the opposite process, that is, decryption. These two complementary operations satisfy the demand of privacy. Cryptographic techniques are divided into two categories [5]: symmetric-key and public-key. If both sender and receiver use the same key, or it is easy to obtain one from another, then the system is referred to as symmetric-key encryption. If the sender and receiver each use a different key, and it is computationally infeasible to determine one from another without knowing some additional secret information, then the system is referred to as public-key encryption. There are two classes of symmetric-key encryption schemes: block ciphers and stream ciphers. A block cipher breaks up the message into blocks of fixed length and encrypts one block at a time. A stream cipher is one that encrypts a data stream one bit or one byte at a time. A good overview of all major cryptography techniques can be found in [5]. A description of block ciphers, including the AES cipher, is presented in [8]. This paper deals with symmetric-key block encryption. CA have been used so far in both symmetric-key and public-key cryptography. A CA-based public-key cipher was proposed by Guan [2]. A stream CA-based encryption algorithm was first proposed by Wolfram [13], later developed by Tomassini et al. [10], and recently by Seredynski et al. [6]. A block cipher using reversible and irreversible rules was proposed by Gutowitz [3].
P.M.A. Sloot, B. Chopard, and A.G. Hoekstra (Eds.): ACRI 2004, LNCS 3305, pp. 785-792, 2004. Springer-Verlag Berlin Heidelberg 2004
This paper presents a new encryption concept based on a class of CA rules specially designed to be reversible. The paper is organized as follows. The next section defines elementary and reversible CA. Section 3 presents the idea of how a particular class of reversible CA can be used for block encryption. Experiment results are presented in section 4. Section 5 concludes the paper.
2 Cellular Automata
2.1 Elementary Cellular Automata
One-dimensional CA is an array of cells. Each cell is assigned a value over some state alphabet. CA is defined by four parameters: size, initial state, neighborhood, rule and boundary conditions. Size defines the number of cells. All cells update their values synchronously in discrete time steps according to some rule. Such a rule is based on the state of the cell itself and its neighborhood:
(1)
where si is a value of i-th cell (the state of a cell) in step t and r is a radius of the neighborhood. When dealing with finite CA, cyclic boundary conditions are usually applied which means that CA can be treated as a ring. Changing values of all cells in step t is called CA iteration. Before the first iteration can take place some initial values must be assigned to all cells. This is called the initial state of CA. By updating values in all cells, the initial state is transformed into a new configuration. When each cell updates its state according to the same rule, CA is said to be uniform. Otherwise it is called non-uniform CA. The total number of rules for radius r neighborhood is
obtained. This transformation can also be defined by a global transition function, which as an input takes configuration qt and results in a successive configuration
reversible. This is why a class of CA with rules specially created to be reversible is considered. Different reversible CA classes are presented in [9]. This paper presents the idea of using the reversible CA class presented by Wolfram [12]. In this class the rule depends not on one but on two steps back:
(2)
$s_i^{t+1}$ of i-th cell in configuration t+1 depends on the value of the state of itself and r of its neighbors in configuration t. In this reversible class additional dependency is added: the value of the central cell $s_i^{t-1}$ in step t-1 is considered. Such a rule can be simply constructed by taking elementary CA rule and adding dependency on two steps back. Example of such rule definition is shown on Fig. 1.
Definition of the rule is now composed of two elementary rules. The first one is defining state transition in case when in step t-1 cell was in a state 1, and the second one when the cell was in the state 0. Figure 1 gives an example of two elementary rules: 236 and rule 19. These two rules are complementary to each other. Knowing one value it is possible to calculate the second one using the following formula:
$$R_2 = 2^d - R_1 - 1, \qquad (3)$$
where $d = 2^{2r+1}$, and r is radius of the neighborhood. Since a reversible rule depends now on two steps back, an initial configuration must be composed of two successive configurations $q_0$ and $q_1$. The same rule is used in forward and backward iteration.
configurations form an initial state of CA. Encryption is done by forward iteration of CA by fixed number of steps according to some reversible rule. This process is shown on Fig. 2.
Configuration $q_{n-1}$ is a ciphertext. The rule used during encryption is a secret key of that transformation. There are two options on how to treat configuration $q_n$ (called final data) generated by the encryption process. The most secure one assumes that this information is kept secret, which means that configuration $q_n$ becomes a part of the key. The disadvantage of this option is that the key changes with each encryption. This is because now the key is a function of a rule, plaintext and some initial data (Rid). In the second option the final configuration $q_n$ is encrypted using Vernam encryption algorithm. This is done by applying logical bitwise operation XOR ($\oplus$) on the final configuration $q_n$ and selected bits of the key.
Decryption algorithm is shown on Fig. 3. The same operations as in encryption are used in reverse order. Initial state is composed of the final data and the ciphertext. To obtain final data for the decryption, XOR operation must be applied first to encrypted final data and the key. Next, CA is iterated for the same number of steps as during encryption with use of the same secret rule.
In practice plaintext is divided into many fixed size blocks. Each block is encrypted separately. Typical block size for encryption algorithms is 64 or 128 bits. The algorithm for successive blocks encryption is shown on the Fig. 4.
Plaintext is divided into n fixed size blocks. For the encryption of the first plaintext block random initial data is used. For the blocks number 2..n initial data is taken from the encryption of the previous block. Final data generated by the encryption of the ith plaintext block is used for the encryption of the i+1 block. Final data produced by the encryption of the last plaintext block can be either encrypted using XOR operation or kept secret.
4 Experiments
A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should result in a significant change in the ciphertext. Changing the value of one randomly chosen bit in the plaintext or in the key should produce a change of nearly half of the values of the ciphertext. This is the so-called avalanche property. It was introduced by H. Feistel in 1973 [1]. Later Kam and Davida gave the concept of completeness [4]. It says that for every possible key value, every output bit of the ciphertext must depend upon all input bits of the plaintext and not just a proper subset of the input bits. The concepts of completeness and the avalanche effect were combined by Webster and Tavares. They defined the so-called strict avalanche criterion (SAC) [11]. According to this property, each output bit should change with a probability of one half whenever a single input bit is complemented.
The number of iterations needed to achieve this property depends on the radius of the rule and the size of the CA. We have tested 32 and 64 cell CA. For each size, radius 2 and radius 3 rules were used. The following results are based on 10000 experiments for each parameter set (CA size/radius/iteration number). For each experiment random initial conditions and random rules were used. The following figures show the dependency between the number of iterations and the percentage of states changed after one bit was changed either in the plaintext or in the ciphertext. Fig. 5 shows that dependency for 32 cell radius 2 CA while Fig. 6 shows it for 64 cell radius 3 CA.
[Fig. 5: Avalanche property for 32 cell CA when using radius 2 rule; horizontal axis: iteration number]
[Fig. 6: horizontal axis: iteration number]
Table 1. Result for one random bit changed in the plaintext

            32 cells CA   64 cells CA
radius 2    19            38
radius 3    8             17

Table 2

            32 cells CA   64 cells CA
radius 2    12            11
radius 3    20            16
Table 1 shows the number of iterations needed to achieve the state in which over 49 % of cells change their value after changing one bit in the plaintext. Results are shown for 32 and 64 cell CA with neighborhood size 2 and 3. The number of iterations needed to achieve the same result after changing one bit in the ciphertext is shown in Table 2. After iterating the CA for the number of steps given in Table 1 and Table 2, the strict avalanche effect is achieved. On average nearly half of the cells are changed. The probability that a single cell is going to change its value after that number of iterations is around 0.5. The example for 64 cell CA with radius 3 neighborhood is shown on Fig. 7. For the other parameters the result is similar (0.48 - 0.52 interval).
[Fig. 7: probability (vertical axis) against cell number (horizontal axis); series: one bit changed in plaintext, one bit changed in key]
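The chained block scheme of Section 3 and the avalanche measurement of Section 4, as an added Python example that is not code from the paper. It assumes Wolfram rule numbering for the rule lookup, that q_0 holds the initial data and q_1 the plaintext block, and that decryption walks the blocks from last to first; all function names are illustrative.

```python
import random

def step(prev, cur, r1, r):
    """Return q_{t+1} from q_{t-1} (prev) and q_t (cur); the cells form a ring."""
    n, nxt = len(cur), []
    r2 = 2 ** (2 ** (2 * r + 1)) - r1 - 1      # complementary rule, formula (3)
    for i in range(n):
        idx = 0
        for j in range(i - r, i + r + 1):      # cyclic boundary conditions
            idx = (idx << 1) | cur[j % n]      # neighbourhood -> rule-table index
        rule = r1 if prev[i] == 1 else r2      # R1 if the cell was 1 at t-1, else R2
        nxt.append((rule >> idx) & 1)
    return nxt

def iterate(a, b, r1, r, steps):
    """Advance the pair of successive configurations (a, b) by `steps` iterations."""
    for _ in range(steps):
        a, b = b, step(a, b, r1, r)
    return a, b

def encrypt(blocks, init, r1, r, steps):
    """Chained encryption: final data of block i is the initial data of block i+1."""
    cipher, data = [], init
    for plain in blocks:
        c, data = iterate(data, plain, r1, r, steps)  # assumption: q_0=data, q_1=plain
        cipher.append(c)
    return cipher, data    # last final data: kept secret or XORed with key bits

def decrypt(cipher, final, r1, r, steps):
    """Same rule on (final data, ciphertext), working from the last block back."""
    plain = []
    for c in reversed(cipher):
        p, final = iterate(final, c, r1, r, steps)
        plain.append(p)
    return plain[::-1]

def avalanche(size, r, steps, trials, seed=0):
    """Mean fraction of ciphertext cells that change when one plaintext bit flips."""
    rng, changed = random.Random(seed), 0
    for _ in range(trials):
        r1 = rng.getrandbits(2 ** (2 * r + 1))            # random rule
        init = [rng.getrandbits(1) for _ in range(size)]  # random initial data
        plain = [rng.getrandbits(1) for _ in range(size)]
        flipped = list(plain)
        flipped[rng.randrange(size)] ^= 1                 # complement one input bit
        c1, _ = iterate(init, plain, r1, r, steps)
        c2, _ = iterate(init, flipped, r1, r, steps)
        changed += sum(x != y for x, y in zip(c1, c2))
    return changed / (trials * size)
```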
5 Algorithm Properties
Our reversible CA-based algorithm works in a mode that is similar to CBC mode in terms of achieved result. The same plaintext block that appears in the whole plaintext more than once produces different block of ciphertext. This is because encryption of each plaintext block starts with some initial data from the encryption of the previous
block. In DES-like ciphers there is still a problem with encryption (using the same key) of the same plaintext more than once, or when two encrypted plaintexts begin with the same information. In the first case the same ciphertext will be produced, while in the second case both plaintexts will be encrypted the same way until the first difference is reached. It is possible to overcome this problem by first encrypting some random data block (called an initialization vector). In the proposed cipher, encrypting the same plaintext with the same key will always result in a different ciphertext. This is achieved through the use of randomly generated data in the first phase of each encryption session. This data does not need to be remembered.
6 Conclusions
In this paper we have proposed a new encryption concept based on reversible CA. It ensures that strict avalanche criterion is achieved. Encryption using a single reversible CA does not provide enough security. Multiple reversible CA should be used for encryption of a single plaintext block. Detailed description of a block cipher based on this concept can be found in [7].
References
1. Feistel, H.: Cryptography and Computer Privacy, Scientific American 228(5). (1973) 15-23
2. Guan, P.: Cellular Automaton Public-Key Cryptosystem. Complex Systems 1 (1987) 51-56
3. Gutowitz, H.: Cryptography with Dynamical Systems, manuscript
4. Kam, J., Davida, G.: Structured Design of Substitution-Permutation Encryption Networks, IEEE Transactions on Computers. C-28(10). (1979) 747-753
5. Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography, CRC Press (1996)
6. Seredynski, F., Bouvry, P., Zomaya, A.Y.: Cellular Programming and Symmetric Key Cryptography Systems. In: E. Cantú-Paz et al. (eds.): Genetic and Evolutionary Computation GECCO 2003. LNCS 2724. Part II. Springer (2003) 1369-1381
7. Seredynski, M., Pienkosz, K., Bouvry, P.: Reversible Cellular Automata Based Encryption, IFIP International Conference on Network and Parallel Computing (NPC 2004), Wuhan, China, 18-20.10.2004. LNCS. Springer, (2004) (to appear)
8. Stallings, W.: Cryptography and Network Security, 3rd ed, Prentice Hall. (2003)
9. Toffoli, T., Margolus, N.: Invertible cellular automata: a review. Physica D 666. North-Holland, Amsterdam (1997)
10. Tomassini, M., Perrenoud, M.: Stream Ciphers with One and Two-Dimensional Cellular Automata. In: M. Schoenauer et al. (eds.): Parallel Problem Solving from Nature PPSN VI. LNCS 1917. Springer (2000) 722-731
11. Webster, A.F., Tavares, S.E.: On the Design of S-Boxes, Advances in Cryptology: Crypto 85 Proceedings. LNCS 218. Springer (1985) 523-534
12. Wolfram, S.: A New Kind of Science, Wolfram Media (2002) 435-441
13. Wolfram, S.: Cryptography with Cellular Automata in Advances in Cryptology: Crypto 85 Proceedings. LNCS 218. Springer (1985) 429-432