Weak Key Analysis and Micro-controller Implementation of CA Stream Ciphers

Pascal Bouvry 1, Gilbert Klein 1, and Franciszek Seredynski 2,3

1 Luxembourg University, Faculty of Sciences, Communication and Technology, 6, rue Coudenhove Kalergi, L-1359 Luxembourg-Kirchberg, Luxembourg, {pascal.bouvry,gilbert.klein}@uni.lu
2 Polish-Japanese Institute of Information Technologies, Koszykowa 86, 02-008 Warsaw, Poland
3 Institute of Computer Science, Polish Academy of Sciences, Ordona 21, 01-237 Warsaw, Poland, sered@ipipan.waw.pl

Abstract. In this paper we extend known results on the application of CAs to stream ciphers. We illustrate the notion of weak keys in such a cryptosystem and describe experiments related to its implementation on micro-controllers.

1 Introduction

Two main kinds of cryptographic system are in use today: symmetric systems, also known as secret-key systems, and public-key systems. An extensive overview of currently known and emerging cryptographic techniques used in both kinds of system can be found in [12]. One such promising technique is the application of cellular automata (CAs). The main concern of this paper is secret-key systems, in which the encryption key and the decryption key are the same. The encryption process is based on the generation of pseudorandom bit sequences, and CAs can be used effectively for this purpose. CAs for secret-key systems were first studied by Wolfram [17], and later by Habutsu et al. [3], Nandi et al. [10] and Gutowitz [2]. More recently they were studied by Tomassini & Perrenoud [15] and Tomassini & Sipper [16], who considered one- and two-dimensional (2D) CAs for encryption schemes. In Seredynski et al. [13], a 1-D cellular automaton system was proposed that shows strong statistical characteristics in terms of security: it passes the classical FIPS-140 and Marsaglia tests.
The present article highlights some limitations of the proposed system in terms of weak keys and hardware implementation, but also shows potential paths for solving these issues.

Participation in KES has been financed by LIASIT (www.liasit.lu).

R. Khosla et al. (Eds.): KES 2005, LNAI 3684, pp. 910–915, 2005. © Springer-Verlag Berlin Heidelberg 2005
2 Cellular Automata and Cryptography

Let P be a plain-text message consisting of m bits $p_1 p_2 \ldots p_m$, and let $k_1 k_2 \ldots k_m$ be the bit stream of a key k. Let $c_i$ be the i-th bit of the cipher-text obtained by applying the XOR (exclusive-or) enciphering operation: $c_i = p_i \;\mathrm{XOR}\; k_i$. The original bit $p_i$ of the message is recovered by applying the same XOR operation to $c_i$ with the same key bit stream k. This enciphering algorithm is called the Vernam cipher and is known [8, 12] to be perfectly secure if the key stream is truly unpredictable and used only once.

A one-dimensional CA is, in the simplest case, a collection of two-state elementary automata arranged in a lattice of length N and interacting locally in discrete time t. For each cell i, called the central cell, a neighbourhood of radius r is defined, consisting of $n_i = 2r + 1$ cells including the cell i itself. For CAs of finite size a cyclic boundary condition is applied, resulting in a circular grid.

It is assumed that the state $q_i^{t+1}$ of cell i at time t + 1 depends only on the states of its neighbourhood at time t, i.e. $q_i^{t+1} = f(q_i^t, q_{i_1}^t, q_{i_2}^t, \ldots, q_{n_i}^t)$, through a transition function f, called a rule, which defines how cell i is updated. The length L of a rule, i.e. the number of neighbourhood states, for binary uniform CAs is $L = 2^n$, where $n = n_i$ is the number of cells in the neighbourhood, and the number of such rules is $2^L$. For CAs with e.g. r = 2 the length of a rule is L = 32, and the number of such rules is $2^{32}$; it grows very fast with L.

When the same rule is applied to update all cells of a CA, the CA is called uniform, in contrast with nonuniform CAs, where different rules are assigned to cells and used to update them.

For example, the rule definition presented in Fig. 1 implies that if three adjacent cells currently (at step t) have the pattern 011, then the middle cell becomes 1 at the next time step. Wolfram proposed a naming convention for rules: the name derives from the binary representation of the step t+1 row of the rule definition. In Fig. 1, the step t+1 row is composed of the bits 01001011, which is the binary representation of the number 75.
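As an added illustration of the rule numbering, the uniform CA step and the Vernam enciphering described above (example code written for this edit, not code from the paper or from the system of [13]), the following Python script decodes a Wolfram rule number for any radius, runs a ring of cells, reads a keystream from one fixed column and XORs it with a message. The function names, the 16-cell ring, the choice of rule 90 and the sample plaintext and initial configuration are assumptions of the example.

```python
"""Added example, not code from the paper: Wolfram rule numbering for radius r,
one synchronous step of a uniform 1-D CA with cyclic boundary, a keystream read
from one fixed column, and the Vernam (XOR) enciphering of Section 2.
Function names and the sample inputs are assumptions of this example."""
from typing import List


def rule_lookup(rule: int, radius: int, neighbourhood: List[int]) -> int:
    """New state of the central cell under Wolfram rule number `rule`.

    The 2r+1 neighbourhood bits, read left to right, form a binary number k;
    bit k of the rule number is the output.  For r=1 the pattern 111 selects
    the most significant of the 8 rule bits and 000 the least, exactly the
    column order of Fig. 1 (rule 75 = 01001011, so 011 -> 1 and 111 -> 0).
    """
    if len(neighbourhood) != 2 * radius + 1:
        raise ValueError("neighbourhood must have 2r+1 cells")
    k = 0
    for b in neighbourhood:
        k = (k << 1) | (b & 1)
    return (rule >> k) & 1


def rule_number(step_t_plus_1: List[int]) -> int:
    """Wolfram's naming convention: the step t+1 row, listed for the patterns
    111, 110, ..., 000, read as a binary number."""
    n = 0
    for b in step_t_plus_1:
        n = (n << 1) | (b & 1)
    return n


def ca_step(cells: List[int], rule: int, radius: int) -> List[int]:
    """One synchronous update of a uniform CA on a ring of N cells."""
    n = len(cells)
    return [
        rule_lookup(rule, radius, [cells[(i + d) % n] for d in range(-radius, radius + 1)])
        for i in range(n)
    ]


def keystream(initial: List[int], rule: int, radius: int, column: int, nbits: int) -> List[int]:
    """Key bits k_1 ... k_nbits: the state of one fixed cell after each step.
    The initial configuration plays the role of the secret key."""
    cells = list(initial)
    out = []
    for _ in range(nbits):
        cells = ca_step(cells, rule, radius)
        out.append(cells[column])
    return out


def vernam(bits: List[int], key: List[int]) -> List[int]:
    """c_i = p_i XOR k_i.  Applying it again with the same key gives p_i back,
    so one function serves for enciphering and deciphering."""
    if len(key) < len(bits):
        raise ValueError("key stream must be at least as long as the message")
    return [p ^ k for p, k in zip(bits, key)]


def demo() -> bool:
    """Round trip with rule 90 (one of the paper's radius-1 rules) on a 16-cell
    ring; the initial configuration and plaintext are constructed samples."""
    key_config = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1]
    plaintext = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1]
    ks = keystream(key_config, rule=90, radius=1, column=5, nbits=len(plaintext))
    ciphertext = vernam(plaintext, ks)
    return vernam(ciphertext, ks) == plaintext


if __name__ == "__main__":
    print("rule 75, pattern 011 ->", rule_lookup(75, 1, [0, 1, 1]))
    print("round trip ok:", demo())
```

Reading the neighbourhood as a binary index into the rule number is what makes the same lookup work for the paper's radius-1 rules (8-bit numbers) and its radius-2 rule 1436194405 (a 32-bit number): only the neighbourhood width changes.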
Fig. 1. Elementary rule 75

  step t     111  110  101  100  011  010  001  000
  step t+1    0    1    0    0    1    0    1    1

  Rule number: 0*2^7 + 1*2^6 + 0*2^5 + 0*2^4 + 1*2^3 + 0*2^2 + 1*2^1 + 1*2^0 = 75

In [13], 1D nonuniform CAs are used with neighbourhoods of radius r = 1 and r = 2. As a result of combining rules into sets of rules and testing the collective behaviour of these sets working in nonuniform CAs, the following set of rules was selected: 86, 90, 101, 105, 150, 153, 165 (r = 1), and 1436194405 (r = 2).

3 Weak Keys

A weak key for a cryptosystem eases its cryptanalysis. In terms of our pseudo-random number generator (PRNG), it means the presence of repeated patterns, which reduces the sequences of generated numbers to a complexity of size O(log(L)), L being the original solution space. After running many variations of the keys proposed for the PRNG of [13], it appeared that some pictures corresponding to CA snapshots do contain patterns. These patterns act like barriers hindering Shannon's diffusion of information. Indeed, some of these patterns, once they appear, become permanent and can cause drastic cuts in the randomness of the generated numbers. For example, suppose that the column chosen for producing the random numbers is one of those included in the pattern: in this case the generator is broken and always produces the same number.

Fig. 2. Example of a weak key effect (CA snapshot; the figure image is not included in this text)
After analysis, it was shown that such barriers arise when the long rule is applied twice, to contiguous cells, and a predefined pattern appears. For instance, the barrier illustrated in Fig. 2 is defined by the following binary numbers: 1011 1011 1011 1011 1011 1011. To ease the analysis of barriers, we introduce the following notation: $\rho_n(abc)$ is the application of rule number n of radius 1 to bit b given neighbours a and c, and $\rho_n(abcde)$ is the application of rule number n of radius 2 to bit c given neighbours a, b and d, e. To define precisely the CA behaviour in the case of repeated patterns, we illustrate the barrier effect for the following pattern (cf. Fig. 3): ?1011ββ, where 1011 is the core of the barrier (repeated forever), ? is an arbitrary binary value, and β is a binary value repeated twice. The vector of rules applied to the cells, using Wolfram numbering, is also given in Fig. 3. It is easy to see that this case study can happen in practice like any other case: the initial CA configuration and the rule assignment are chosen at random (based on the secret key).

Fig. 3. Instance of a barrier

  Bit number          5     4     3     2            1            0
  Bit value       ?   1     0     1     1            β            β            ?
  Assigned rule   ?   101   86    105   1436194405   1436194405   101          ?

Figure 4 demonstrates the recurring character of such a pattern bit by bit, given that a rule of radius 1 depends only on 1 neighbour on each side and a rule of radius 2 (i.e., in our case, the rule of index 7) depends on 2 neighbours on each side. Every parameter (? and β) is instantiated, showing that it is practically impossible to break this barrier: no configuration can lead to any modification of it. Note also the behaviour of the βs, which flip synchronously after each step.
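As an added check on the barrier of Fig. 3 (example code written for this edit, not code from the paper), the following Python script performs the bit-by-bit analysis by computation: it applies the paper's rules 101, 86, 105 and 1436194405 to the six barrier bits for every value of the free bits ? and β, and then embeds the barrier in a larger, randomly filled nonuniform CA to confirm that the core 1011 never changes and that an output column inside it yields a constant keystream. The ring size, the barrier position, the share of long rules outside the barrier and the random seeds are assumptions of the example.

```python
"""Added example, not code from the paper: checking the barrier of Fig. 3.

1. exhaustive_check(): one CA step of the six barrier bits for every value of
   the '?' neighbours and of beta (Fig. 4 carried out by computation);
2. simulate(): the barrier embedded in a 32-cell ring whose other cells get
   random bits and random rules from the paper's set; the core 1011 must
   survive every step and a column inside it must give a constant output.
Ring size, barrier position and seeds are assumptions of this example."""
import random
from typing import List, Tuple

Rule = Tuple[int, int]                            # (Wolfram rule number, radius)
LONG = 1436194405                                 # the paper's radius-2 rule
SHORT_RULES = [86, 90, 101, 105, 150, 153, 165]   # the paper's radius-1 rules


def rule_lookup(rule: int, neighbourhood: List[int]) -> int:
    """Bit k of the rule number, where k is the neighbourhood read as binary
    (left to right, so pattern 111 selects the most significant bit)."""
    k = 0
    for b in neighbourhood:
        k = (k << 1) | b
    return (rule >> k) & 1


def step(cells: List[int], rules: List[Rule]) -> List[int]:
    """One synchronous update of a nonuniform CA on a ring (cyclic boundary);
    each cell has its own (rule, radius) pair."""
    n = len(cells)
    return [rule_lookup(rule, [cells[(i + d) % n] for d in range(-r, r + 1)])
            for i, (rule, r) in enumerate(rules)]


# Fig. 3 read left to right: bit 5 ... bit 0, and the rule assigned to each.
BARRIER_RULES: List[Rule] = [(101, 1), (86, 1), (105, 1), (LONG, 2), (LONG, 2), (101, 1)]
CORE = [1, 0, 1, 1]


def barrier_state(beta: int) -> List[int]:
    """Values of bits 5..0: the core 1011 followed by beta repeated twice."""
    return CORE + [beta, beta]


def one_step_window(left: int, beta: int, right: int) -> List[int]:
    """Next state of the six barrier bits given the '?' cell on each side.
    The '?' cells get a dummy rule (0) because only the barrier bits are read."""
    cells = [left] + barrier_state(beta) + [right]
    rules: List[Rule] = [(0, 1)] + BARRIER_RULES + [(0, 1)]
    return step(cells, rules)[1:7]


def exhaustive_check() -> bool:
    """Fig. 4 by computation: for every (?, beta, ?) assignment the core 1011
    is reproduced and both beta bits become not(right ?), so they stay equal."""
    for left in (0, 1):
        for beta in (0, 1):
            for right in (0, 1):
                nxt = one_step_window(left, beta, right)
                if nxt[:4] != CORE or nxt[4] != nxt[5] or nxt[4] != 1 - right:
                    return False
    return True


def simulate(beta: int, seed: int, steps: int = 200, ring: int = 32, pos: int = 8) -> Tuple[bool, bool]:
    """Embed the barrier at cells pos..pos+5 of a ring whose remaining cells
    have random bits and random rules from the paper's set (in [13] the secret
    key fixes both).  Returns (core intact at every step, output column constant).
    The output column is bit 3 of the barrier, i.e. cell pos+2."""
    rng = random.Random(seed)
    cells = [rng.randint(0, 1) for _ in range(ring)]
    rules: List[Rule] = [(LONG, 2) if rng.random() < 0.25 else (rng.choice(SHORT_RULES), 1)
                         for _ in range(ring)]
    cells[pos:pos + 6] = barrier_state(beta)
    rules[pos:pos + 6] = BARRIER_RULES
    column = pos + 2
    outputs = []
    intact = True
    for _ in range(steps):
        cells = step(cells, rules)
        intact = intact and cells[pos:pos + 4] == CORE and cells[pos + 4] == cells[pos + 5]
        outputs.append(cells[column])
    return intact, len(set(outputs)) == 1


if __name__ == "__main__":
    print("Fig. 4 holds for all ?/beta values:", exhaustive_check())
    for b in (0, 1):
        print("beta =", b, "core intact / constant column:", simulate(b, seed=1))
```

The exhaustive check is the stronger statement: since bits 5..2 at t+1 depend only on bits inside the barrier, and bits 1 and 0 both become not(?) of the right neighbour, the invariant holds by induction whatever the rest of the lattice does, which is what the random ring simulation then shows in practice. The same script is a template for the case-by-case key screening suggested in the text: run the candidate key for a few hundred steps and reject it if any window of cells stops changing.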
Fig. 4. Bit per bit analysis of a barrier effect

  Bit      ρ_rule(neighbourhood)      Binary rule             Result
  Bit 5    ρ_101(?10)                 01100101                ρ_101(010) == ρ_101(110) == 1
  Bit 4    ρ_86(101)                  01010110                0
  Bit 3    ρ_105(011)                 01101001                1
  Bit 2    ρ_1436194405(011ββ)        ...1001011001100101     ρ(01100) == ρ(01111) == 1
  Bit 1    ρ_1436194405(1100?)        0101010110011010...     not(?) (flipping bit)
  Bit 1    ρ_1436194405(1111?)        0101010110011010...     not(?) (flipping bit)
  Bit 0    ρ_101(00?)                 01100101                not(?) == Bit 1 at t+1 (flipping bit)
  Bit 0    ρ_101(11?)                 01100101                not(?) == Bit 1 at t+1 (flipping bit)

One easy way to circumvent such a pattern is to prevent the creation of such keys, and in particular to avoid instantiating two long rules in contiguous cells. However, there is no proof that other patterns cannot appear. Therefore a case-by-case verification of some criteria (e.g. entropy) might be the only way out.

4 Hardware Implementation Using Micro-controllers

The chosen micro-controller (M30245) is a 16-bit micro-controller based on the RENESAS M16C family core technology, which uses a high-performance silicon-gate CMOS process with an M16C/62 Series CPU core. It is a single-chip USB peripheral micro-controller that operates at full speed (12 MHz) and is compliant with the USB version 2.0 specification. This micro-controller is found on the EVBM16C/USB evaluation board. Additional information can be found on the Internet at www.m16c.de (select EVB-BOARDS).

The related development shows that it is possible to implement such a cellular automaton on an external USB device. However, due to execution speed, the implementation can only be used in a limited way in practice. The following table gives the execution time needed to generate a number of steps for CAs of different sizes:

  Picture dimensions   Nbr of codes   Nbr of CA iterations   t_usbca [s]   t_softca [s]
  10×10                100            800                    7             <<1
  20×20                400            3200                   21            <1
  40×40                1600           12800                  81            1
  60×60                3600           28800                  179           2
  80×80                6400           51200                  311           4
  100×100              10000          80000                  483           7

5 Conclusions

In this paper we have extended the results reported in [13] on the application of CAs to stream ciphers. We illustrated the notion of weak keys in such a cryptosystem and described experiments related to its implementation on micro-controllers. As future work, we consider implementing this system on an FPGA; we already have an alpha version of a VHDL implementation.

References

1. P. Guan, Cellular Automaton Public-Key Cryptosystem, Complex Systems 1, 1987, pp. 51–56
2. H. Gutowitz, Cryptography with Dynamical Systems, in E. Goles and N. Boccara (Eds.) Cellular Automata and Cooperative Phenomena, Kluwer Academic Press, 1993
3. T. Habutsu, Y. Nishio, I. Sasae, and S. Mori, A Secret Key Cryptosystem by Iterating a Chaotic Map, Proc. of Eurocrypt 91, 1991, pp. 127–140
4. P. D. Hortensius, R. D. McLeod, and H. C. Card, Parallel Random Number Generation for VLSI Systems Using Cellular Automata, IEEE Trans. on Computers 38, October 1989, pp. 1466–1473
5. J. Kari, Cryptosystems Based on Reversible Cellular Automata, personal communication, 1992
6. D. E. Knuth, The Art of Computer Programming, vol. 1 & 2, Seminumerical Algorithms, Addison-Wesley, 1981
7. G. Marsaglia, Diehard, http://stat.fsu.edu/~geo/diehard.html, 1998
8. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996
9. A. Mroczkowski, Application of Cellular Automata in Cryptography, Master Thesis (in Polish), Warsaw University of Technology, 2002
10. S. Nandi, B. K. Kar, and P. P. Chaudhuri, Theory and Applications of Cellular Automata in Cryptography, IEEE Trans. on Computers, v. 43, December 1994, pp. 1346–1357
11. National Institute of Standards and Technology, Federal Information Processing Standards Publication 140-2: Security Requirements for Cryptographic Modules, U.S. Government Printing Office, Washington, 1999
12. B. Schneier, Applied Cryptography, Wiley, New York, 1996
13. F. Seredynski, P. Bouvry, and A. Y. Zomaya, Cellular Automata Computations and Secret Key Cryptography, Parallel Computing Journal, 30(5-6), 2004, pp. 753–766
14. M. Sipper and M. Tomassini, Generating Parallel Random Number Generators by Cellular Programming, Int. Journal of Modern Physics C, 7(2), 1996, pp. 181–190
15. M. Tomassini and M. Perrenoud, Stream Ciphers with One- and Two-Dimensional Cellular Automata, in M. Schoenauer et al. (Eds.) Parallel Problem Solving from Nature - PPSN VI, LNCS 1917, Springer, 2000, pp. 722–731
16. M. Tomassini and M. Sipper, On the Generation of High-Quality Random Numbers by Two-Dimensional Cellular Automata, IEEE Trans. on Computers, v. 49, No. 10, October 2000, pp. 1140–1151
17. S. Wolfram, Cryptography with Cellular Automata, in Advances in Cryptology: Crypto 85 Proceedings, LNCS 218, Springer, 1986, pp. 429–432