Weak Key Analysis and Micro-controller Implementation of CA Stream Ciphers


Pascal Bouvry (1), Gilbert Klein (1), and Franciszek Seredynski (2,3)

(1) Luxembourg University, Faculty of Sciences, Communication and Technology, 6, rue Coudenhove Kalergi, L-1359 Luxembourg-Kirchberg, Luxembourg, {pascal.bouvry,gilbert.klein}@uni.lu
(2) Polish-Japanese Institute of Information Technologies, Koszykowa 86, 02-008 Warsaw, Poland
(3) Institute of Computer Science, Polish Academy of Sciences, Ordona 21, 01-237 Warsaw, Poland, sered@ipipan.waw.pl

R. Khosla et al. (Eds.): KES 2005, LNAI 3684, pp. 910-915, 2005. (c) Springer-Verlag Berlin Heidelberg 2005. Participation in KES has been financed by LIASIT (www.liasit.lu).

Abstract. In this paper we extend known results on the application of CAs to stream ciphers. We illustrate the notion of weak keys in such a cryptosystem and describe the experiments related to its implementation on micro-controllers.

1 Introduction

Two main kinds of cryptographic systems are used today: symmetric systems, also known as secret-key systems, and public-key systems. An extensive overview of currently known or emerging cryptographic techniques used in both types of systems can be found in [12]. One such promising technique is the application of cellular automata (CAs).

The main concern of this paper is secret-key systems. In such systems the encryption key and the decryption key are the same. The encryption process is based on the generation of pseudorandom bit sequences, and CAs can be used effectively for this purpose. CAs for secret-key systems were first studied by Wolfram [17], and later by Habutsu et al. [3], Nandi et al. [10] and Gutowitz [2]. Recently they were the subject of study by Tomassini & Perrenoud [15] and Tomassini & Sipper [16], who considered one- and two-dimensional (2D) CAs for encryption schemes. In Seredynski et al. [13], a 1D cellular automaton system was proposed that shows strong statistical characteristics in terms of security: it passes classical tests such as the FIPS-140 and Marsaglia tests.

The present article highlights some limitations of the proposed system in terms of weak keys and hardware implementation, but also shows potential paths for solving these issues.

2 Cellular Automata and Cryptography

Let P be a plain-text message consisting of m bits p_1 p_2 ... p_m, and let k_1 k_2 ... k_m be a bit stream of a key k. Let c_i be the i-th bit of a cipher-text obtained by applying the XOR (exclusive-or) enciphering operation: c_i = p_i XOR k_i. The original bit p_i of the message can be recovered by applying the same XOR operation to c_i with the same key bit stream k. This enciphering algorithm is called the Vernam cipher and is known to be [8, 12] perfectly safe if the key stream is truly unpredictable and used only one time.

A one-dimensional CA is in the simplest case a collection of two-state elementary automata arranged in a lattice of length N and interacting locally in discrete time t. For each cell i, called a central cell, a neighbourhood of radius r is defined, consisting of n_i = 2r + 1 cells, including the cell i. When a finite-size CA is considered, a cyclic boundary condition is applied, resulting in a circular grid.

It is assumed that the state $q_i^{t+1}$ of a cell i at time t + 1 depends only on the states of its neighbourhood at time t, i.e. $q_i^{t+1} = f(q_i^t, q_{i_1}^t, q_{i_2}^t, \dots, q_{n_i}^t)$, and on a transition function f, called a rule, which defines how cell i is updated. The length L of a rule, and the number of neighbourhood states, for a binary uniform CA is L = 2^n, where n = n_i is the number of cells of a given neighbourhood, and the number of such rules is 2^L. For CAs with e.g. r = 2 the length of a rule is L = 32, and the number of such rules is 2^32 and grows very fast with L.

When the same rule is applied to update all cells of a CA, the CA is called uniform, in contrast with a nonuniform CA, in which different rules are assigned to cells and used to update them.

For example, the rule definition presented in Fig. 1 implies that if three adjacent cells currently (step t) have the pattern 011, then the middle cell will become 1 at the next time step. Wolfram proposed a naming convention for the rules: the name derives from the binary representation of the step t+1 row of the rule definition. In Fig. 1, step t+1 is composed of the bits 01001011, which is the binary representation of the number 75.

Fig. 1. Elementary rule 75
  step t:    111  110  101  100  011  010  001  000
  step t+1:   0    1    0    0    1    0    1    1
  Rule number: 0*2^7 + 1*2^6 + 0*2^5 + 0*2^4 + 1*2^3 + 0*2^2 + 1*2^1 + 1*2^0 = 75

In [13], 1D nonuniform CAs are used with neighbourhoods of radius r = 1 and r = 2. As a result of combining rules into sets and testing the collective behaviour of these sets working in nonuniform CAs, the following set of rules was selected: 86, 90, 101, 105, 150, 153, 165 (r = 1), and 1436194405 (r = 2).

3 Weak Keys

A weak key for a cryptosystem eases its cryptanalysis. In terms of our pseudo-random number generators (PRNG), it means the presence of repeated patterns, yielding sequences of generated numbers of complexity O(log(L)), L being the original solution space. After running many variations of keys for the PRNG proposed in [13], it appeared that some pictures corresponding to CA snapshots do contain patterns. These patterns act like barriers hindering Shannon's diffusion of information. Indeed, some of these patterns, once they appear, become permanent and can cause drastic cuts in the randomness of the generated numbers. E.g., consider that the column chosen for producing the random numbers is one of those included in the pattern: in this case the generator would be broken and always produce the same number.

Fig. 2. Example of a weak key effect
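As an added example (not code from the paper or from [13]): a Python model of the nonuniform CA of Section 2 with Wolfram rule numbering, used to reproduce the rule-75 numbering of Fig. 1, to check exhaustively the barrier invariant that Figs. 3 and 4 of this section establish for the pattern ?1011ββ under the rules 101, 86, 105, 1436194405, 1436194405, 101, and to show that a keystream column read inside the barrier core stays constant. The ring width, the barrier position, the seed and the rules given to the other cells are constructed sample values.

```python
from itertools import product
import random
RADIUS1_RULES = [86, 90, 101, 105, 150, 153, 165]  # r = 1 rules selected in [13]
RADIUS2_RULE = 1436194405                          # r = 2 rule selected in [13]
ALL_RULES = [(r, 1) for r in RADIUS1_RULES] + [(RADIUS2_RULE, 2)]

def rule_bit(rule, neigh):
    """Wolfram-numbered rule output for a neighbourhood tuple (leftmost cell = MSB)."""
    index = int("".join(map(str, neigh)), 2)
    return (rule >> index) & 1

def rule_number(step_t1_row):
    """Wolfram number from the step-t+1 row listed for 111, 110, ..., 000 (Fig. 1)."""
    return int("".join(map(str, step_t1_row)), 2)

def step(cells, rules):
    """Synchronous update of a cyclic nonuniform CA; rules[i] = (number, radius)."""
    n = len(cells)
    new = []
    for i, (rule, r) in enumerate(rules):
        neigh = tuple(cells[(i + d) % n] for d in range(-r, r + 1))
        new.append(rule_bit(rule, neigh))
    return new

# Fig. 3 barrier, cells 5..0 left to right: 1 0 1 1 beta beta, with their assigned rules.
CORE = [1, 0, 1, 1]
BARRIER_RULES = [(101, 1), (86, 1), (105, 1), (RADIUS2_RULE, 2), (RADIUS2_RULE, 2), (101, 1)]

def barrier_holds(cells, start):
    """Invariant of Fig. 4: the core 1011 is intact and the two beta cells still agree."""
    seg = cells[start:start + 6]
    return seg[:4] == CORE and seg[4] == seg[5]

def one_step_exhaustive():
    """Fig. 4 check: for every (?, beta, ?) the barrier survives one step (8 cases)."""
    for left, beta, right in product((0, 1), repeat=3):
        cells = [left] + CORE + [beta, beta] + [right]
        rules = [(90, 1)] + BARRIER_RULES + [(90, 1)]   # outer rules do not matter
        if not barrier_holds(step(cells, rules), 1):
            return False
    return True

def keystream_from_column(width, start, column, steps, seed=1):
    """Plant the barrier at `start` in a random (constructed) key and read `column`."""
    rng = random.Random(seed)                         # constructed sample key
    cells = [rng.randint(0, 1) for _ in range(width)]
    rules = [rng.choice(ALL_RULES) for _ in range(width)]
    cells[start:start + 6] = CORE + [rng.randint(0, 1)] * 2
    rules[start:start + 6] = BARRIER_RULES
    out = []
    for _ in range(steps):
        if not barrier_holds(cells, start):
            raise RuntimeError("barrier broken, contradicting Fig. 4")
        out.append(cells[column])
        cells = step(cells, rules)
    return out

if __name__ == "__main__":
    print(rule_number([0, 1, 0, 0, 1, 0, 1, 1]), one_step_exhaustive())  # 75 True
    print(keystream_from_column(32, 10, 11, 20))   # column inside the core: always 0
```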

After analysis, it was shown that such barriers happen when the long rule is applied twice to contiguous cells and a predefined pattern arises. For instance, the barrier illustrated in Fig. 2 is defined by the following binary numbers: 1011 1011 1011 1011 1011 1011.

In order to ease the analysis of barriers, let us introduce the following notation: ρ_n(abc) is the application of the rule number n of radius 1 to the bit b given its neighbours a and c, and ρ_n(abcde) is the application of the rule number n of radius 2 to the bit c given its neighbours a, b and d, e.

To define precisely the CA behaviour in the case of repeated patterns, we illustrate the barrier effect for the following pattern (cf. Fig. 3): ?1011ββ, where 1011 is the core of the barrier (forever repeated), ? is a binary value and β is a binary number repeated twice. The vector of rules applied to the cells, using Wolfram numbering, is also provided in Fig. 3. It is easy to see that this case study can happen in practice like any other case: indeed, the initial CA configuration and the rule assignment are randomly chosen (based on the secret key).

Fig. 3. Instance of a barrier
  Bit number:     -   5    4    3    2           1           0   -
  Bit value:      ?   1    0    1    1           β           β   ?
  Assigned rule:  ?  101   86  105  1436194405  1436194405  101  ?

Figure 4 demonstrates the recurring character of such a pattern bit by bit, given that a rule of radius 1 depends only on 1 neighbour on each side and a rule of radius 2 (i.e. in our case the rule of index 7) depends on 2 neighbours on each side. Every parameter (? and β) is instantiated, showing that it is practically impossible to break this barrier: no configuration could lead to any modification of it. Note also the behaviour of the βs, which flip synchronously after each step.

Fig. 4. Bit per bit analysis of a barrier effect
  Bit:   ρ_rule(neighbourhood)      Binary rule             Result
  Bit 5: ρ_101(?10)                 01100101                ρ_101(010) = ρ_101(110) = 1
  Bit 4: ρ_86(101)                  01010110                0
  Bit 3: ρ_105(011)                 01101001                1
  Bit 2: ρ_1436194405(011ββ)        ...1001011001100101     ρ(01100) = ρ(01111) = 1
  Bit 1: ρ_1436194405(1100?)        0101010110011010...     not(?) (flipping bit)
  Bit 1: ρ_1436194405(1111?)        0101010110011010...     not(?) (flipping bit)
  Bit 0: ρ_101(00?)                 01100101                not(?) = Bit 1 at t+1 (flipping bit)
  Bit 0: ρ_101(11?)                 01100101                not(?) = Bit 1 at t+1 (flipping bit)

One easy way to circumvent such a pattern is to prevent the creation of such keys, and in particular to avoid instantiating two long rules in contiguous cells. However, there is no proof that other patterns might not appear. Therefore a case-by-case verification of some criteria (e.g. entropy) might be the only way out.

4 Hardware Implementation Using Micro-controllers

The chosen micro-controller (M30245) is a 16-bit micro-controller based on the RENESAS M16C family core technology, which uses a high-performance silicon-gate CMOS process with an M16C/62 Series CPU core. It is a single-chip USB peripheral micro-controller that operates at full speed (12 MHz) and is compliant with the USB version 2.0 specification. This micro-controller can be found on the EVBM16C/USB evaluation board. Additional information can be found on the Internet at www.m16c.de (select EVB-BOARDS).

The related development shows that it is possible to implement such a cellular automaton on an external USB device. However, due to execution speed, the related implementation can only be used in a limited way in practice. The following table gives the execution time needed to generate a number of steps for CAs of different sizes (t_usbca and t_softca: time for the USB micro-controller and for the software implementation, respectively):

  Picture dimensions   Nbr of codes   Nbr of CA iterations   t_usbca [s]   t_softca [s]
  10x10                  100             800                    7            <<1
  20x20                  400            3200                   21             <1
  40x40                 1600           12800                   81              1
  60x60                 3600           28800                  179              2
  80x80                 6400           51200                  311              4
  100x100              10000           80000                  483              7

5 Conclusions

In this paper we have extended the results reported in [13] on the application of CAs to stream ciphers. We illustrated the notion of weak keys in such a cryptosystem and described the experiments related to its implementation on micro-controllers. In terms of future work, we consider the implementation of this system on FPGA. We already have an alpha version of the VHDL implementation.

References

1. P. Guan, Cellular Automaton Public-Key Cryptosystem, Complex Systems 1, 1987, pp. 51-56
2. H. Gutowitz, Cryptography with Dynamical Systems, in E. Goles and N. Boccara (Eds.), Cellular Automata and Cooperative Phenomena, Kluwer Academic Press, 1993
3. T. Habutsu, Y. Nishio, I. Sasae, and S. Mori, A Secret Key Cryptosystem by Iterating a Chaotic Map, Proc. of Eurocrypt 91, 1991, pp. 127-140
4. P. D. Hortensius, R. D. McLeod, and H. C. Card, Parallel random number generation for VLSI systems using cellular automata, IEEE Trans. on Computers 38, October 1989, pp. 1466-1473
5. J. Kari, Cryptosystems based on reversible cellular automata, personal communication, 1992
6. D. E. Knuth, The Art of Computer Programming, vol. 1 & 2, Seminumerical Algorithms, Addison-Wesley, 1981
7. G. Marsaglia, Diehard, http://stat.fsu.edu/~geo/diehard.html, 1998
8. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996
9. A. Mroczkowski, Application of Cellular Automata in Cryptography, Master Thesis (in Polish), Warsaw University of Technology, 2002
10. S. Nandi, B. K. Kar, and P. P. Chaudhuri, Theory and Applications of Cellular Automata in Cryptography, IEEE Trans. on Computers, v. 43, December 1994, pp. 1346-1357
11. National Institute of Standards and Technology, Federal Information Processing Standards Publication 140-2: Security Requirements for Cryptographic Modules, U.S. Government Printing Office, Washington, 1999
12. B. Schneier, Applied Cryptography, Wiley, New York, 1996
13. F. Seredynski, P. Bouvry, and A. Y. Zomaya, Cellular automata computations and secret key cryptography, Parallel Computing Journal, 30(5-6), 2004, pp. 753-766
14. M. Sipper and M. Tomassini, Generating parallel random number generators by cellular programming, Int. Journal of Modern Physics C, 7(2), 1996, pp. 181-190
15. M. Tomassini and M. Perrenoud, Stream Ciphers with One- and Two-Dimensional Cellular Automata, in M. Schoenauer et al. (Eds.), Parallel Problem Solving from Nature - PPSN VI, LNCS 1917, Springer, 2000, pp. 722-731
16. M. Tomassini and M. Sipper, On the Generation of High-Quality Random Numbers by Two-Dimensional Cellular Automata, IEEE Trans. on Computers, v. 49, No. 10, October 2000, pp. 1140-1151
17. S. Wolfram, Cryptography with Cellular Automata, in Advances in Cryptology: Crypto 85 Proceedings, LNCS 218, Springer, 1986, pp. 429-432