Cryptography with Dynamical Systems

Howard Gutowitz
ESPCI, Laboratoire d'Electronique, 10 rue Vauquelin, 75005 Paris, France
February 28, 1995

Abstract

Dynamical systems are often described as "unpredictable" or "complex" as aspects of their behavior may bear a cryptic relationship with the simple evolution laws which define them. Some theorists work to quantify this complexity in various ways. Others try to turn the cryptic nature of dynamical systems to a practical end: encryption of messages to preserve their secrecy. Here some previous efforts to engineer cryptosystems based on dynamical systems are reviewed, leading up to a detailed proposal for a cellular automaton cryptosystem. Cryptosystems constructed from cellular automaton primitives can be implemented in simply constructed massively parallel hardware. They can be counted on to deliver high encryption/decryption rates at low cost. In addition to these practical features, cellular automaton cryptosystems may help illuminate some foundational issues in both dynamical systems theory and cryptology, since each of these disciplines rests heavily on the meanings given to the intuitive notion of complexity.


Contents

1 Introduction
  1.1 Cryptology
  1.2 Some Cryptosystems Based on Dynamical Systems
2 CA-Cryptosystems: Generalities
  2.1 Cellular Automata
    2.1.1 Irreversible Rules
    2.1.2 Reversible Rules
  2.2 Overview of CA-1.0
    2.2.1 Blocks, Links, and Chains
    2.2.2 Rounds, Subrounds, and Phases
3 CA-1.0: Specification Details
  3.1 Diffusion Phase
    3.1.1 Rule Generation
    3.1.2 Rule Application
  3.2 Substitution Phase
    3.2.1 Rule Generation
    3.2.2 Rule Application
  3.3 Link Encryption
4 A High-Aspect-Ratio Variant
5 Differential Cryptanalysis
  5.1 Block Differences
  5.2 Link Differences
6 Discussion

1 Introduction

Unpredictability, and a related notion, complexity, are of major concern in the theory of dynamical systems. The most interesting unpredictability and complexity arise from simply built deterministic dynamical systems whose large-time behavior bears little evident connection with the equations which define them. One way to clarify the meaning of unpredictability in the context of dynamical systems is to compare it with similar notions in a neighboring scientific discipline. Here the neighboring discipline is cryptology. Cryptology is the study of making and breaking codes meant to protect information from unintended use. Our bridge between dynamical systems and cryptology consists of making codes based on dynamical systems and using methods of cryptology to evaluate them. In this article introductory sections present some rudiments of cryptology, and quickly survey previous attempts to use dynamical systems in this domain. Then a detailed specification of a particular cryptosystem based on cellular automata is built up with reference to the cryptanalytic attacks it is meant to defend against. A final discussion section speculates on the impact the new ideas embodied in this cryptosystem might have on basic questions in both cryptology and dynamical systems theory.

1.1 Cryptology

A cryptographer's ideal encryption scheme is an operation on a message which renders the message fully meaningless to anyone who does not possess a decryption key, yet in no way degrades the meaning extractable by anyone who does possess the key. An ideal practical code is in addition fast on both encryption and decryption, uses a key of manageable size, and produces no expansion of the data upon encryption. A provably ideal practical encryption method in this sense is not yet known. For the state of the art see [5]. What we will need to extract from the cryptographic literature for use here is only some general sense of the methods used by cryptanalysts to study and potentially break cryptographic systems. To break a cryptosystem means to discover the meaning of messages encrypted by the system without being handed the secret key. It is generally assumed in academic cryptology that the mechanism of encryption in all its detail is known to the cryptanalyst, the only information lacking

being the secret key. Typically breaking a cryptosystem means reconstructing the key through observations of the cryptosystem in operation. The type of observations on and manipulations of the cryptosystem which are allowed the cryptanalyst determine the mode of attack. The first kind of attack is passive attack, in which the cryptanalyst can only make observations on the cryptosystem as it performs. In a ciphertext-only attack, the cryptanalyst has access only to a stream of ciphertext coming from a cryptosystem loaded with its secret key. The cryptanalyst attempts to find statistical regularities in the stream of ciphertext, departures from randomness which might reveal the nature of the key. All but the most naive cryptosystems produce ciphertext with a high degree of randomness, so a cryptosystem which falls prey to this kind of attack is considered very weak. A stronger passive attack allows the cryptanalyst observations both of a stream of ciphertext and of the corresponding message stream which produced it. This is called a known-plaintext attack. Again, cryptology has progressed to the point where cryptosystems susceptible to a known-plaintext attack hold little interest. More important are the active attacks. Here cryptanalysts can opt to have plaintext of their choosing encrypted and see the ciphertext which results (a chosen-plaintext attack). Similarly, a chosen-ciphertext attack permits ciphertext of the cryptanalyst's design to be compared with the corresponding plaintext. By current cryptographic standards, a good cryptosystem must resist attacks which permit both plaintext and ciphertext to be chosen, according to any strategy preferred by the cryptanalyst.

The reader unfamiliar with these concepts should take a moment to consider the cryptanalysis of the so-called Caesar cipher, reputed to have been used by Caesar to communicate with his troops. It consists of a pair of concentric rings. On each ring the letters of the alphabet are written in order. The key of the system is the displacement of the outer ring with respect to the inner ring. To send an encrypted message, the sender emits in sequence the letters on the inner ring which correspond to the letters on the outer ring contained in the message. The receiver reverses the process, reading off from the outer ring the letters which correspond to the letters on the inner ring received. While a fair amount of ciphertext might be required in a passive ciphertext-only attack before the key is guessed, a ciphertext-plaintext pair for a single letter reveals the key in any other attack.

The area of activity in modern cryptology closest to dynamical systems theory concerns so-called iterated cryptosystems. An iterated cryptosystem

is one in which a cryptographically weak transformation is applied repeatedly to a message, so that the composed transformation is strong. The best-known and most widely used cryptosystem as of this writing is an iterated cryptosystem. It is known as the Data Encryption Standard, or DES. The DES encryption/decryption algorithm consists of 16 rounds of a transformation designed to fully mix message information together with random key information. The security of the DES has recently been seriously challenged using a technique known as differential cryptanalysis (see section 5).
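The contrast drawn above between the ciphertext-only and known-plaintext attacks on the Caesar cipher, carried out in code. This is an added example, not code from the paper: the English letter-frequency table and the sample text (the paper's own abstract sentence, upper-cased) are assumptions made only so that the frequency attack can be run.

```python
"""Caesar cipher: a known-plaintext attack needs one letter pair, while a
ciphertext-only attack must lean on letter statistics and needs more text.
Added example; ENGLISH_FREQ (approximate percentages) and SAMPLE_PLAINTEXT
are assumed inputs, not data from the paper."""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (%) of each letter in English prose (assumed).
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.8, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.1, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 1.0, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.07,
}

# Constructed sample: the abstract's opening sentence, letters only matter.
SAMPLE_PLAINTEXT = ("DYNAMICAL SYSTEMS ARE OFTEN DESCRIBED AS UNPREDICTABLE OR "
                    "COMPLEX AS ASPECTS OF THEIR BEHAVIOR MAY BEAR A CRYPTIC "
                    "RELATIONSHIP WITH THE SIMPLE EVOLUTION LAWS WHICH DEFINE THEM")


def caesar(text, key):
    """Shift every letter forward by `key` positions (the ring displacement);
    a negative key decrypts.  Non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def key_from_known_plaintext(plain_letter, cipher_letter):
    """Known-plaintext attack: one plaintext/ciphertext letter pair fixes the key."""
    p = ALPHABET.index(plain_letter.upper())
    c = ALPHABET.index(cipher_letter.upper())
    return (c - p) % 26


def key_from_ciphertext_only(ciphertext):
    """Ciphertext-only attack: try all 26 shifts and keep the one whose trial
    decryption is statistically closest to English (smallest chi-squared
    distance between observed and expected letter counts)."""
    letters = "".join(ch for ch in ciphertext.upper() if ch in ALPHABET)
    n = len(letters)
    best_key, best_score = None, float("inf")
    for key in range(26):
        counts = Counter(caesar(letters, -key))
        score = 0.0
        for c in ALPHABET:
            expected = ENGLISH_FREQ[c] * n / 100.0
            score += (counts[c] - expected) ** 2 / expected
        if score < best_score:
            best_key, best_score = key, score
    return best_key


if __name__ == "__main__":
    ct = caesar(SAMPLE_PLAINTEXT, 7)
    print("known-plaintext key:", key_from_known_plaintext("D", ct[0]))
    print("ciphertext-only key:", key_from_ciphertext_only(ct))
```

The known-plaintext function uses a single letter pair and no statistics at all, which is the point of the paragraph above: for the Caesar cipher the active attacks and the known-plaintext attack are all trivially decisive, and only the ciphertext-only attack needs enough text for frequency counts to be meaningful.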

1.2 Some Cryptosystems Based on Dynamical Systems

The following thoughts on how to produce an ideal practical encryption scheme must be natural, as they have occurred independently to a number of students of dynamical systems: The future state of a (chaotic) dynamical system depends sensitively on its initial state. After enough time has elapsed the initial condition is forgotten. Yet, since the system is deterministic, the same trajectory will always be traced out from the same initial condition. Thus, if the key of the cryptosystem is the initial state of a publicly known dynamical system, a collection of users who share a secret key can send secret messages to each other by combining these messages in some way with some part of the trajectory traced out by the secret initial state under the action of the dynamical system. Anyone who does not know the secret initial state would not be able to recreate the trajectory and thus would not be able to disentangle it from the encrypted message. At least two concrete proposals have been based on this idea, one using a continuous dynamical system, the other a discrete dynamical system. The continuous dynamical system version is patented [1]. This system uses the logistic map as the underlying dynamical system. The key of the system is the parameter of the map together with the initial state of the system. A thresholding scheme is used to convert the sequence of states resulting from iteration of the system to a sequence of 0-1 bits. These bits are then exclusive-or'd (XOR'd) with the plaintext to produce a ciphertext. The receiver of the ciphertext, knowing the secret initial state and the value of the parameter, can recover the plaintext by regenerating the bit string using the logistic map and XOR'ing it with the ciphertext.

The discrete dynamical system version of this idea [14] uses iteration of a cellular automaton (see section 2.1) to generate the bit string. The cellular automaton chosen, known as rule 30 (again see section 2.1), seems according to numerical evidence [15] to generate temporal sequences which have a high degree of randomness. As in the continuous dynamical system approach sketched above, the secret key is the initial state of the system, and a message can be encrypted and decrypted by combining it with the temporal sequences generated by the dynamical system using an XOR operation. For our purposes here, it is not necessary to enter into the detailed cryptanalysis of these systems. The logistic-map cryptosystem has not, to the author's knowledge, been analysed in the literature. It should be evident that sequences generated by the logistic map in the described way will not be truly random, so that an appropriate statistical approach could bring out the key from sufficient known ciphertext. In addition the system is entirely vulnerable to chosen-plaintext attack; consider the encryption of the string of all 0's. The CA-based system has been cryptanalyzed in detail [12]. The essential observation there is that using a known-plaintext attack, the effective key space can be considerably reduced in size. The aspects of these systems which should be retained are 1) the key is a state of the system, 2) the message is encrypted by combining it with an information stream generated by forward iteration of the system, and 3) the message is decrypted by combining the ciphertext with an information stream again generated by forward iteration of the system.

Consideration of inverse as well as forward iteration of dynamical systems opens up some new ways to use dynamical systems for encryption. One possibility, which again has occurred independently to a number of investigators, is to concentrate on reversible dynamical systems.
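Both forward-iteration systems just described, and the "string of all 0's" chosen-plaintext observation, in code. This is an added example and not the patented system [1] or the rule-30 system of [14]: the threshold at 1/2, the number of warm-up iterates discarded, the 31-cell ring, the key values and the message are all assumptions constructed for the demonstration. The attack applies to either generator unchanged, which is the point: it never needs to learn the initial state.

```python
"""Keystream ciphers driven by forward iteration of a dynamical system, and the
chosen-plaintext attack that reads the keystream off the all-zero message.
Added example; key values, threshold, warm-up and ring size are assumptions."""


def logistic_keystream(x0, mu, nbits, warmup=64):
    """Key = (x0, mu).  Iterate x -> mu*x*(1-x); emit 1 if x >= 1/2 else 0.
    The first `warmup` iterates are discarded (an assumed detail)."""
    x = x0
    for _ in range(warmup):
        x = mu * x * (1.0 - x)
    out = []
    for _ in range(nbits):
        x = mu * x * (1.0 - x)
        out.append(1 if x >= 0.5 else 0)
    return out


def rule30_keystream(state, nbits):
    """Key = initial state of a periodic ring.  Emit the centre cell's temporal
    sequence under rule 30: new[i] = s[i-1] XOR (s[i] OR s[i+1])."""
    s = list(state)
    n = len(s)
    out = []
    for _ in range(nbits):
        out.append(s[n // 2])
        s = [s[i - 1] ^ (s[i] | s[(i + 1) % n]) for i in range(n)]
    return out


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def stream_encrypt(plain_bits, keystream):
    """XOR with the regenerated keystream; the same call decrypts."""
    return xor(plain_bits, keystream(len(plain_bits)))


def recover_via_all_zero_plaintext(oracle, victim_ciphertext):
    """Chosen-plaintext attack.  `oracle` encrypts attacker-chosen bits under
    the secret key.  Encrypting all zeros returns the keystream itself, and
    since the generator restarts from the same secret state for every message
    (no nonce), that keystream strips any other ciphertext of no greater
    length without ever recovering x0, mu or the ring state."""
    keystream = oracle([0] * len(victim_ciphertext))
    return xor(victim_ciphertext, keystream)


def text_to_bits(text):
    return [(byte >> k) & 1 for byte in text.encode() for k in range(7, -1, -1)]


def bits_to_text(b):
    return bytes(int("".join(map(str, b[i:i + 8])), 2)
                 for i in range(0, len(b), 8)).decode()


def demo(secret="attack at dawn"):
    """Run the attack against both generators; returns the two recovered texts."""
    # Logistic-map system: key is (x0, mu), values constructed for the demo.
    log_key = lambda n: logistic_keystream(0.3141592, 3.99, n)
    victim = stream_encrypt(text_to_bits(secret), log_key)
    got_logistic = bits_to_text(recover_via_all_zero_plaintext(
        lambda p: stream_encrypt(p, log_key), victim))
    # Rule-30 system: key is a constructed 31-cell initial ring state.
    ring = [int(c) for c in "1001011100110101110000110110101"]
    ca_key = lambda n: rule30_keystream(ring, n)
    victim = stream_encrypt(text_to_bits(secret), ca_key)
    got_ca = bits_to_text(recover_via_all_zero_plaintext(
        lambda p: stream_encrypt(p, ca_key), victim))
    return got_logistic, got_ca


if __name__ == "__main__":
    print(demo())
```

Nothing about the logistic map or rule 30 is exploited here; the weakness is structural, point 2) and 3) of the list above: a fixed key produces a fixed keystream, so one chosen (or known) plaintext of length L exposes every other message of length up to L sent under that key.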
Using a reversible dynamical system, a message can be encrypted by encoding it as a state of the system and then running the system forward in time some distance. The resulting state is the ciphertext. To decrypt the ciphertext, the system is inverse iterated the same number of time steps as were used in encryption, recovering the plaintext as a state of the system. Note the contrast with the systems considered above, in which only forward iteration is used. In those systems, the key is a state of the system and the system is fixed. When forward and inverse iteration are used, the key is the dynamical system itself. The key operates directly on the message to encrypt and decrypt it, while in the previous systems the information generated by the dynamical system is combined indirectly, so to speak, externally, with the message information.

Let us briefly consider two systems which pursue this idea of using reversible dynamical systems, one by Guan [6], and one by Kari [10]. Each of these authors aims toward the production of public-key cryptosystems as opposed to the secret-key cryptosystems which are our main concern here. A public-key cryptosystem uses two keys: one key is used for encryption, the other for decryption. One key is held in private, the other rendered public. In the schemes of both Guan and Kari, the public key is a dynamical system inverse to the private key. Guan uses an inhomogeneous variant of cellular automata in which the rule which updates a site's value depends on the site. Kari, on the other hand, uses true, translationally invariant, cellular automata. The security of public-key cryptosystems depends on the difficulty of finding the private key given knowledge of the public key and/or chosen plaintext and ciphertext. Guan's system relies on the difficulty of inverting a complicated system of polynomial equations. Kari bases much of his reasoning on a result of his [11] which shows that deciding whether a given cellular automaton in more than one dimension has an inverse is undecidable. In general, the mathematical theory of reversible cellular automata which is relevant to cryptology is better developed than the theory of irreversible cellular automata. In particular, one knows that if a cellular automaton has an inverse, that inverse is also a cellular automaton. Many practical problems remain, however, concerning how to choose good public-key/private-key pairs, how these should be applied to encrypt a message, etc.

Before embarking on a discussion of the cryptosystem which is the main subject of this article, we consider the system proposed by Habutsu et al. [9]. This system, like those of Kari and Guan, uses both forward and inverse iteration of a dynamical system. The very significant difference here is that the dynamical system used by Habutsu et al. is irreversible. An irreversible system is one in which some states have none, or more than one, antecedent state. A very simple such map is the tent map. The (surjective) tent map is a map of the unit interval composed of two line segments, one rising from (0,0) to a peak of height 1, the other falling from that peak to (1,0). The secret key of this system is the parameter which specifies the location of the peak of the tent. Under the tent map, all points but one have two preimages. Habutsu et al. use this fact to encrypt by 1) encoding a message as a state of the system, and 2) running the system backward in time by choosing one of the two preimages of this state at random. This process is repeated many times, resulting in a ciphertext. A receiver of the ciphertext who knows the secret key can decrypt the message by running the tent map forward in time the same number of iterations as were used in encryption. This interesting system has a number of practical problems, some linked to the linearity of the tent map, which have been cryptanalytically exploited by Biham [2], some linked to the continuity of the map, which can lead to round-off errors. These round-off error problems do not occur in the cellular automaton based system to which we now turn.

2 CA-Cryptosystems: Generalities

Having briefly surveyed the state of the art in dynamical systems cryptography, we now begin the main work of this paper: to engineer a cryptosystem based on cellular automata. This is done so as to best confront the ability of dynamical systems to generate complexity with the cryptanalyst's tools for cutting through such complexity. Cellular automata (CA) are discrete dynamical systems. They are also simple parallel computers. They consist of a lattice of sites and a rule which updates the state of each site according to the states of neighboring sites. All sites are updated in synchrony and according to the same local rule. CA are attractive candidates for next-generation DES-like cryptosystems since they are naturally adapted to massively parallel computation. The approach to using CA in cryptography taken here involves application of both reversible and irreversible cellular automaton rules, and has a unique block-link structure described below. The method of using cellular automata to build cryptosystems is flexible and powerful; it can be used to solve a wide variety of practical cryptographic problems. These applications motivate careful investigation of the security properties of such systems. An example cryptosystem has been constructed on which to focus such investigations. This system will henceforth be referred to as CA-1.0. CA-1.0 will be introduced (in section 2.2) after some background material on cellular automata has been covered. The name CA-1.0 is chosen to underscore the newness of the ideas involved and the expectation that further investigations will bring maturity to the system.

From a physicist's point of view, the level of detail used in the specification of this system may seem excessive, given the level of development of the underlying theory. From the cryptanalyst's point of view, however, such detail is necessary. In its present state of development, cryptanalysis operates best on fully specified devices, not on principles for building such devices. By offering up a sequence of concrete devices for cryptanalysis, one can hope for increases both in theoretical understanding, and in communication security in practice.

2.1 Cellular Automata

A cellular automaton (CA) is specified by a regular lattice of sites or cells, a set of possible cell states, and a deterministic local rule which is used to update the state of each of the sites on the lattice. All cellular automata considered here operate on the 1-dimensional lattice. The cardinality of the set of states possible at each lattice site is a power of 2. A cellular automaton rule, $\phi$, can be described formally as follows. Let $r$ be the radius of the cellular automaton rule. $r$ gives the range of sites to the left and right of a given site whose values at time $t$ could influence the value of the given site at time $t + 1$. Let $s^t$ be the array of values of all of the sites in the lattice at time $t$, and let $i$ index the sites. Then

$$ s^{t+1}_i = \phi(s^t_{i-r}, \ldots, s^t_i, \ldots, s^t_{i+r}). \qquad (1) $$

For example, consider a nearest-neighbor 2-state-per-cell rule. The neighborhood of a site can be represented by a binary triple {left neighbor, cell, right neighbor}. There are eight possibilities: {000}, {001}, ..., {111}. A cellular automaton rule table specifies the cell state at time $t + 1$ resulting from each possible neighborhood configuration at time $t$. There are 256 different rules of radius 1. One of them states that the neighborhoods {001}, {100}, {010}, and {101} lead to 1, and all other neighborhoods lead to 0. This rule is known in the CA literature as rule 54 [13]. The pattern generated by this rule starting from a random initial configuration is shown in figure 2.1. Its rule table is found in column 1 of table 1.

Figure 2.1: The evolution of the nearest-neighbor rule 54. An initial 256-bit block was chosen randomly, and iterated for 256 generations, with periodic boundary conditions imposed. Time runs from top to bottom of the page.

Rule 54 is an irreversible rule. Under a general irreversible rule, some blocks have many preimages, while others have none. The irreversible rules used in CA-1.0 are such that all blocks have preimages. How this property is used to advantage in cryptography is explained in the next section.

2.1.1 Irreversible Rules

One of the most important ideas embodied in CA-1.0 is the use of inverse iteration of irreversible cellular automata for encryption coupled with forward iteration of the same rules for decryption. States under a reversible rule always have one and only one preimage. States under an irreversible rule, on the other hand, may have either many or no preimages. If states can have no preimages under a given cellular automaton, then the cellular automaton cannot always be inverse iterated. Such rules are to be avoided in applications to cryptography. If states always have more than one preimage, then any one of them can be used to inverse iterate the cellular automaton. Cryptography presents the challenge of finding irreversible rules under which all blocks have preimages, and such that the preimages can be constructed rapidly. In CA-1.0 the irreversible rules used have a property known as the toggle property. Cellular automata may be either left-toggle or right-toggle or both. A cellular automaton is a left-toggle cellular automaton if equation (1) holds and:

$$ 1 - s^{t+1}_i = \phi(1 - s^t_{i-r}, \ldots, s^t_i, \ldots, s^t_{i+r}). \qquad (2) $$

Similarly, a cellular automaton is a right-toggle cellular automaton if equation (1) holds and:

$$ 1 - s^{t+1}_i = \phi(s^t_{i-r}, \ldots, s^t_i, \ldots, 1 - s^t_{i+r}). \qquad (3) $$

These equations mean that rules are toggle rules if changing the value of the (either left or right) extreme site always changes the result of the rule. Changing the value of the extreme site thus toggles the value of the central site at the next time step. All blocks have the same nonzero number of preimages under a toggle cellular automaton. Moreover, a preimage for any block can be rapidly constructed. The way inverse iteration of toggle rules is applied in cryptography is explained by using a particular cellular automaton rule as an example. This is the cellular automaton known as rule 30. Its rule table is found in column 2 of table 1. Rule 30 is a left-toggle rule. A preimage for a block can be constructed by 1) choosing the right-most two bits of the preimage arbitrarily, and 2) finding each remaining bit in turn, moving leftward, by reference to table 1: the two bits already fixed immediately to its right, together with the block bit to be reproduced, determine it uniquely. Table 2 shows how this process can be used to encrypt a block of information using rule 30. In each line of the top half of this table, the right-most two bits are chosen randomly, and then the rest of the line is constructed by reference to table 1. The bottom half of the table shows the cellular automaton applied to the ciphertext to recover the plaintext. Note that while decryption is parallel in the data, encryption can be performed parallel in the iterations. That is, in decryption there can be one processor for each bit of data whose task is to update the data bit by reference to the rule table. In encryption, however, a bit cannot be updated until the bits to its right are updated. Still, if a processor is assigned to each iteration, each processor can begin working as soon as it is charged with its initial, arbitrary, two bits. All the processors can be charged initially at the same time. Each can begin immediately to construct its line of intermediate ciphertext, since the data it needs to do so are available from the processor below it, and so on down the chain until the plaintext is reached. Iteration-parallel encryption is possible not only with rule 30, but with any toggle rule.
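The preimage construction just described, written out for an arbitrary radius so that it covers both the rule-30 example of Table 2 and the radius-5 rules CA-1.0 uses (32 inverse iterations of a radius-5 rule attach 32 x 10 = 320 link bits to a 384-bit block, the sizes quoted later for CA-1.0). This is an added example, not the author's C simulator: the random construction of a toggle rule below stands in for CA-1.0's key-dependent rule generation (section 3.1.1, not reproduced on this page), the link bits come from Python's PRNG rather than a noise source, and rows are treated with open boundaries so that each inverse step lengthens the row by 2r bits, exactly as the lines of Table 2 grow by two.

```python
"""Toggle-rule inverse iteration (encryption) and forward iteration
(decryption), following equation (1): site i at time t+1 depends on sites
i-r..i+r at time t.  Added example; the rule generator and link source are
stand-ins, not CA-1.0's."""
import random


def wolfram_rule(number):
    """Radius-1 table keyed by (x[i-1], x[i], x[i+1]); rule 30 is column 2 of Table 1."""
    nbs = [(a, b, c) for a in (0, 1) for b in (0, 1) for c in (0, 1)]
    return {nb: (number >> (4 * nb[0] + 2 * nb[1] + nb[2])) & 1 for nb in nbs}


def is_left_toggle(table):
    """Equation (2): flipping the left-most site always flips the output."""
    return all(table[(1,) + nb[1:]] != table[nb] for nb in table if nb[0] == 0)


def is_right_toggle(table):
    """Equation (3): flipping the right-most site always flips the output."""
    return all(table[nb[:-1] + (1,)] != table[nb] for nb in table if nb[-1] == 0)


def random_toggle_rule(radius, rng, side="left"):
    """Every left-toggle rule has the form x[i-r] XOR g(x[i-r+1..i+r]) (and
    mirror image for right-toggle); draw g at random.  Illustration only, not
    CA-1.0's key-dependent rule generation."""
    width = 2 * radius + 1
    g, table = {}, {}
    for n in range(1 << width):
        nb = tuple((n >> (width - 1 - j)) & 1 for j in range(width))
        rest = nb[1:] if side == "left" else nb[:-1]
        g.setdefault(rest, rng.getrandbits(1))
        table[nb] = (nb[0] if side == "left" else nb[-1]) ^ g[rest]
    return table


def radius_of(table):
    return (len(next(iter(table))) - 1) // 2


def forward_step(row, table):
    """One forward (decryption) iteration: data-parallel, row shrinks by 2r."""
    w = 2 * radius_of(table) + 1
    return [table[tuple(row[i:i + w])] for i in range(len(row) - w + 1)]


def inverse_step(row, table, link):
    """One inverse (encryption) iteration.  The 2r link bits go on the side
    opposite the toggle site; each remaining preimage bit is then forced, one
    at a time, moving towards the toggle side (leftward for a left-toggle
    rule, rightward for a right-toggle rule): given the 2r bits beside it, the
    toggle bit is the unique value that makes the rule reproduce row[i]."""
    r = radius_of(table)
    w, n = 2 * r + 1, len(row)
    if len(link) != 2 * r:
        raise ValueError("need exactly 2r link bits")
    pre = [None] * (n + 2 * r)
    if is_left_toggle(table):
        pre[n:] = list(link)
        for i in range(n - 1, -1, -1):
            rest = tuple(pre[i + 1:i + w])
            pre[i] = 0 if table[(0,) + rest] == row[i] else 1
    elif is_right_toggle(table):
        pre[:2 * r] = list(link)
        for i in range(n):
            rest = tuple(pre[i:i + w - 1])
            pre[i + 2 * r] = 0 if table[rest + (0,)] == row[i] else 1
    else:
        raise ValueError("not a toggle rule: some rows would have no preimage")
    return pre


def encrypt_block(plain, table, steps, rng):
    """All intermediate rows, Table 2 style; rows[-1] is the ciphertext."""
    rows = [list(plain)]
    for _ in range(steps):
        link = [rng.getrandbits(1) for _ in range(2 * radius_of(table))]
        rows.append(inverse_step(rows[-1], table, link))
    return rows


def decrypt_block(cipher, table, steps):
    row = list(cipher)
    for _ in range(steps):
        row = forward_step(row, table)
    return row


def difference_trace(plain_a, plain_b, table, links):
    """Table 3 style: encrypt two plaintexts with the same link bits and mark
    sites where the intermediate rows differ ('#') or agree ('.')."""
    a, b = list(plain_a), list(plain_b)
    trace = []
    for link in links:
        a, b = inverse_step(a, table, link), inverse_step(b, table, link)
        trace.append("".join("#" if x != y else "." for x, y in zip(a, b)))
    return trace


def roundtrip(radius, steps, block_len, seed, side="left"):
    """Build a rule and plaintext from `seed`, encrypt, then decrypt.
    Returns (ciphertext length in bits, plaintext recovered?)."""
    rng = random.Random(seed)
    table = random_toggle_rule(radius, rng, side)
    plain = [rng.getrandbits(1) for _ in range(block_len)]
    cipher = encrypt_block(plain, table, steps, rng)[-1]
    return len(cipher), decrypt_block(cipher, table, steps) == plain


# Rows 0 and 1 of Table 2: the plaintext and its preimage for link bits 00.
TABLE2_ROW0 = [int(c) for c in "111110000010011001010000000010"]
TABLE2_ROW1 = [int(c) for c in "00100111111000011010111111111000"]

if __name__ == "__main__":
    print(inverse_step(TABLE2_ROW0, wolfram_rule(30), [0, 0]) == TABLE2_ROW1)
    print(roundtrip(5, 32, 384, seed=1))  # radius 5, 32 steps: 384 + 320 bits
```

Two things to notice when running it. First, `inverse_step` never searches: the toggle property turns "find a preimage" into a deterministic scan, which is what makes the iteration-parallel encryption described above possible. Second, `difference_trace` with a left-toggle rule only ever marks sites at or to the left of the changed plaintext bit, the one-directional spread seen in Table 3; a right-toggle rule spreads the other way, which is why CA-1.0 alternates the two.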
A variant of the display format used in table 2 allows the resistance of rule 30 to cryptanalytic attack to be easily studied. In this variant, two plaintexts which differ at only one site are encrypted with the same link bits, and the XOR of each pair of corresponding intermediate states is taken. One member of the pair is the all-0 plaintext, the other the all-but-0 plaintext in which one bit has been set to 1. The result of this procedure is shown in table 3. In this table, a difference is represented by a "#" and no difference by a blank. Note that the single bit error in the plaintext propagates across the ciphertext, albeit only to the left. When both left- and right-toggle rules are used, as in CA-1.0, errors are spread in both directions. Difference patterns for CA-1.0 are discussed in section 5. Table 4 is similar to table 3, though here the difference is between a pair of decryptions in which a single error has been introduced into one of the ciphertexts. Note that the single error propagates as decryption proceeds. If a sufficient number of decryption steps are used, then the single error may provoke differences across the entire plaintext.

Table 1: Lookup tables for iteration of cellular automaton rules 54 (a general rule), 30 (a left-toggle rule) and 149 (a right-toggle rule).

  index   x_{i-1} x_i x_{i+1}   rule 54   rule 30   rule 149
    0         0   0   0            0         0         1
    1         0   0   1            1         1         0
    2         0   1   0            1         1         1
    3         0   1   1            0         1         0
    4         1   0   0            1         1         1
    5         1   0   1            1         0         0
    6         1   1   0            0         0         0
    7         1   1   1            0         0         1

Table 2: Encryption/decryption of a block using left-toggle rule 30. The plaintext is written at step 0 of encryption and step 14 of decryption. The corresponding ciphertext is written at step 14 of encryption and step 0 of decryption. The input link information is in the right-most two bits of each encryption line.

Encrypt (inverse iteration):
  step  0  111110000010011001010000000010
  step  1  00100111111000011010111111111000
  step  2  1110000100100000010110010010011101
  step  3  100111101101111111000110111000010001
  step  4  01110010001100100100000110011110111010
  step  5  1100111000001101110000000110100110010110
  step  6  001110011111010001000000000110000111000101
  step  7  00001000010010111100000000000111110011101100
  step  8  1111011110110101001111111111101001000010001101
  step  9  010011001000101100001001001001011011111000001100
  step 10  11000011011110001111011011011100010100100000001110
  step 11  0100000010100111010010100011001110101101111111100111
  step 12  101111110101110010110110000011100101010001001001110011
  step 13  01100100101100110101000111111001101010111011100001000011
  step 14  0001101101010000101100000100100001010110011001111011110100

Decrypt (forward iteration): step 0 is the ciphertext (the encryption step-14 line); each further step is the line above it, ending with the plaintext at step 14.

Table 3: Propagation of a single error introduced into the plaintext, over 14 encryption steps. Blank = site the same as with no error; "#" = site differs with the error.

Table 4: Propagation of a single error introduced into the ciphertext, over 14 decryption steps. Blank = site the same as with no error; "#" = site differs with the error.

2.1.2 Reversible Rules

As noted in the introduction, the use of reversible rules in cryptography has been championed by Kari [10]. Kari considers in particular public-key cryptosystems based on reversible cellular automata. In such systems security depends on the difficulty of finding the inverse cellular automaton given the forward cellular automaton. An advantage of reversible cellular automata for cryptography is that both encryption and decryption can be performed in an entirely data-parallel fashion. CA-1.0 uses reversible rules for some phases of encryption, but for reasons rather different from those which motivate Kari's proposals. Here the reversible CA function 1) as a way to introduce full nonlinearity into the system, compensating for the partial linearity of the irreversible rules, and 2) as a way to globally broadcast the information in the link (see section 2.2.1) to the entire block in a single iteration. These functions can be accomplished with reversible rules which are trivially inverted: permutations on the set of cell states. The set of cell states for the irreversible rules is {0,1}. n-site frames of such states are taken together to form states for the reversible CA. The number of possible states per cell for the reversible CA is thus $2^n$. Block encryption uses 6-site frames, while link encryption uses 4-site frames. In CA-1.0 the block length is a multiple of the frame size. Periodic boundary conditions are imposed. In this way, there are several 1-1 transformations from the block for the 2-state CA to the block for the $2^n$-state CA. These transformations are indexed by a shift in the reading frame relative to some fixed reference. In CA-1.0 each reversible rule is applied for several iterations. In each iteration the reading frame shifts. Figure 2 shows the evolution of a configuration under a $2^4$-state reversible CA such as used in link encryption in CA-1.0. Figure 2a shows the evolution of an initial random block of length 256 for 256 generations where the block is interpreted as composed of cells with 2 possible states. Figure 2b shows the same evolution viewed as the operation of a 16-state-per-cell CA. Shades of gray are assigned to the states in an arbitrary fashion. At each iteration the reading frame shifts by 1. For further details see section 3.2.
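The substitution mechanism sketched above, as an added example rather than the CA-1.0 specification (section 3.2 is not reproduced on this page): a periodic bit block is read in n-site frames, each frame's value is replaced through a permutation of the $2^n$ symbols, and the reading frame slides by one site per iteration so that successive substitutions straddle the previous frame boundaries. The 4-site frames match the link-encryption case; deriving the permutation from a link-supplied seed, the shift-by-one schedule and the number of iterations are assumptions made for the demonstration.

```python
"""Reversible substitution phase: a permutation of 2^n frame symbols applied
with a reading frame that shifts each iteration.  Added example; the frame
size, permutation source and shift schedule are assumptions, not CA-1.0's."""
import random


def permutation_from_link(link_seed, frame_bits):
    """Derive a permutation of the 2^frame_bits symbols from link material.
    Here the link is reduced to an integer seed (an assumption)."""
    perm = list(range(1 << frame_bits))
    random.Random(link_seed).shuffle(perm)
    return perm


def invert_permutation(perm):
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


def substitute_frames(block, perm, frame_bits, offset):
    """Apply `perm` to every frame of the periodic block, with frames starting
    at site `offset`.  Frames are disjoint, so reads and writes never clash."""
    n = len(block)
    if n % frame_bits:
        raise ValueError("block length must be a multiple of the frame size")
    out = list(block)
    for start in range(offset, offset + n, frame_bits):
        sites = [(start + j) % n for j in range(frame_bits)]
        symbol = 0
        for s in sites:
            symbol = (symbol << 1) | block[s]
        new = perm[symbol]
        for j, s in enumerate(sites):
            out[s] = (new >> (frame_bits - 1 - j)) & 1
    return out


def substitution_phase(block, perm, frame_bits, iterations):
    """Iteration t reads the block with the frame shifted by t sites."""
    for t in range(iterations):
        block = substitute_frames(block, perm, frame_bits, t % frame_bits)
    return block


def inverse_substitution_phase(block, perm, frame_bits, iterations):
    """Undo: inverse permutation, same offsets, iterations in reverse order."""
    inv = invert_permutation(perm)
    for t in reversed(range(iterations)):
        block = substitute_frames(block, inv, frame_bits, t % frame_bits)
    return block


def differing_sites(a, b):
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def demo(frame_bits=4, block_len=32, link_seed=0xC0FFEE, iterations=4):
    """Encrypt the all-0 block and the block with site 5 set.  Returns
    (round trip ok?, sites differing after 1 iteration, after `iterations`)."""
    perm = permutation_from_link(link_seed, frame_bits)
    a = [0] * block_len
    b = list(a)
    b[5] = 1
    ok = inverse_substitution_phase(
        substitution_phase(a, perm, frame_bits, iterations),
        perm, frame_bits, iterations) == a
    one = differing_sites(substitution_phase(a, perm, frame_bits, 1),
                          substitution_phase(b, perm, frame_bits, 1))
    many = differing_sites(substitution_phase(a, perm, frame_bits, iterations),
                           substitution_phase(b, perm, frame_bits, iterations))
    return ok, one, many


if __name__ == "__main__":
    print(demo())
```

After one iteration at offset 0 a single changed bit can only disturb its own 4-site frame, which is the "permutation on the set of cell states" with no neighbor interaction. It is the shifting reading frame over several iterations that lets the change cross frame boundaries, and the permutation itself is where the link material enters every frame of the block at once.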

2.2 Overview of CA-1.0

CA-1.0 is a cryptosystem designed to illustrate some of the principles underlying the use of cellular automata in cryptography. This section presents a brief overview of CA-1.0. Details are provided in succeeding sections.[1]

- CA-1.0 is designed to be implemented in integrated circuits which are massively parallel and use mainly short-range connections between processors.
- CA-1.0 is a block-link cryptosystem. It uses 384-bit blocks and 320-bit links. Messages to be encrypted are encoded in the blocks, and the links are generated by a noise source within the encryption apparatus. Decryption recovers the blocks, and destroys the links.
- CA-1.0 uses a 1088-bit key. This key has two parts, a block key and a link key. The block key contains 1024 bits and the link key contains 64 bits.
- CA-1.0 is designed so that the link information is isolated from chosen-plaintext attack. It is not even possible to know the initial link information (link plaintext).
- CA-1.0 uses both reversible and irreversible CA rules. The irreversible rules are specified by the key, and the reversible rules are generated from the link.
- CA-1.0 uses two rounds of encryption/decryption. Each round is composed of a left- and a right-subround. Each subround, in turn, has a diffusion phase and a substitution phase.
- CA-1.0 uses irreversible toggle rules for the diffusion phases and reversible rules for the substitution phases.
- CA-1.0 is a low-aspect-ratio cryptosystem. It uses 32 iterations of an irreversible CA in each subround of encryption of 384-bit blocks, yielding an aspect ratio of 1/12.
- CA-1.0 features an embedded link-encryption system. Link encryption has the same format as block encryption, and some of the operations of the link-encryption system can be done in parallel with the operations of the block-encryption system.
- CA-1.0 allows for up to 100 blocks to be combined into a chain. Chain formation lowers the data-expansion rate. A chain of 100 blocks has a data-expansion rate of 1/120.
- CA-1.0 can functionally emulate DES in an appropriately secure environment, using 64-bit keys and (a multiple of) 64-bit blocks.

[1] This document is intended to be a definitive specification, containing all essential details of CA-1.0. If such is needed, a still fuller specification is in a CA-1.0 simulator which is written in C and available from the author.

2.2.1 Blocks, Links, and Chains

A novel aspect of CA-1.0 is its block-link structure. A simple physical idea motivates the block-link construction. At each diffusion subround random information is mixed into the message information. This random information diffuses in alternately from the left or right through inverse iteration of a right- respectively left-toggle rule. The way this works is best understood by reference to figure 5. In this figure the hatched areas represent link information, and the unhatched areas represent block information. During block encryption link bits are attached, 10 bits per iteration, to the end of the block. The hatched areas, then, represent either input link bits, or bits which are a function only of link bits inserted at previous iterations. The uppermost line in each link triangle becomes the input link for the next subround. In essence, the link information is "folded back" into the block encryption at the end of each subround. Before being folded, the link information undergoes link encryption (see figure 8, and for further details see sections 3.1 and 3.3). Both blocks and links are strings of bits. In general CA cryptosystems, both blocks and links can be used to carry message information. In CA-1.0, however, message information is only inserted into blocks. The link bits are generated by a (in principle perfect) noise generator physically protected within the encryption apparatus. On the receiving end, the link bits appear during decryption in a physically protected portion of the apparatus and are destroyed there as soon as they are no longer needed. That is, the output of the decryption apparatus consists only of the decrypted block. In CA-1.0 the information in the plaintext block cannot in any way influence the processing of the information in the link. The information in the link is thus sequestered from direct plaintext attack (see section 5). The link information, on the other hand, has a strong influence on the way the block is processed. Since the processing of the link information does not depend on the message block, the link can be subjected to an independent set of encryption operations. In CA-1.0 blocks and links are encrypted in a recursive fashion. In each subround the link is encrypted first under the link key and then under the block key. The link-key encryption follows the same format as the block-key encryption (see section 3.3).

The dynamical system theorist will recognize in the block-link structure a combination of stretching and folding operations similar to the combination which gives rise to chaos in many dynamical systems. These operations are used here in a way intended to maximize their randomizing potential. In a block-link cryptosystem the encryption of each block of message information is controlled in part by information in the corresponding link. In CA-1.0 this control is exerted in two ways, 1) through the selection of the reversible CA to be used in the substitution phase, and 2) through the selection of preimages in the diffusion phase. Many other aspects of encryption/decryption are in principle link-programmable. Link programming is limited in CA-1.0 to avoid unnecessary complications which might obscure the basic CA cryptosystem design strategy. The block-link structure confers some DES compatibility on CA-1.0. Link encryption is controlled by a 64-bit key, as in the DES. In a hierarchical security environment CA-1.0 can be made to emulate DES. If, at some level of the hierarchy, authorization to access the 1024-bit block key is ambient, then users at that level need only supply 64-bit link keys. The block size of CA-1.0 (384) is chosen as a multiple of the DES block size (64) to further enhance DES compatibility.

Chains. Links tie together the subrounds of encryption of a block. Links can be used in the same way to tie together blocks into chains. The method is superficially similar to ciphertext chaining in DES, but, here again, the links between blocks do not depend on the message encrypted in the block. The way this works is shown in figure 6. This figure shows how link information is passed from one block to the next in a chain. The initial link is treated in the same way as described above for single blocks. The intermediate links never appear in either the ciphertext or plaintext streams. Blocks are decrypted in reverse order from the encryption order. When blocks are encrypted in chains, the substitution phase of the first subround is suppressed for the first block of the chain to be encrypted. In encryption of single blocks (1-chains) this first substitution phase is always suppressed. This initial substitution phase is suppressed to limit the degree to which the content of the link can be inferred from its action on chosen plaintext. In the production of a chain, this is only a potential danger for the first block in the chain. The structure of CA-1.0 allows an infinite number of blocks to be linked together in a chain. As more blocks are chained together the random initial link information is distributed across all of the blocks. This has the advantage of reducing the data-expansion rate. Long chains have two potential disadvantages, however: 1) an error anywhere during the transmission of the chain could garble the entire chain, and 2) excessive dilution of the link randomness could weaken the security of the system. For these reasons chains in CA-1.0 are limited to no more than 100 blocks. For chains of 100 blocks the data-expansion rate is 1/120.

Diffusion Phase        Substitution Phase
irreversible CA        reversible CA
probabilistic          deterministic
partially linear       fully nonlinear
iteration parallel     data parallel
globally diffusive     locally diffusive
key specified          link specified

Table 5: Summary of differences between diffusion and substitution phases.

2.2.2 Rounds, Subrounds, and Phases

CA-1.0 performs encryption in two rounds. Each round is composed of two subrounds, a left-subround and a right-subround. Each subround, in turn, is divided into two phases: a substitution phase and a diffusion phase. The relationship of these rounds, subrounds, and phases is shown in figure 5. In this figure the diffusion phases are labeled D and the substitution phases are labeled S. A link label enclosed in a box in this figure indicates that the link has just undergone link encryption. Links labeled without a box must undergo link encryption before being used to drive the diffusion phase of the next subround. The link areas are hatched, and the block areas unhatched. The bar representing the suppressed first substitution phase is gray. The diffusion phase is accomplished by iteration of an irreversible CA, while the substitution phase is accomplished by a reversible CA. These phases have complementary cryptographic functions. Their properties are summarized in table 5. For further details refer to the next section.

3 CA-1.0: Specification Details

3.1 Diffusion Phase

3.1.1 Rule Generation

CA-1.0 uses radius-5 toggle cellular automata for its diffusion phases. These toggle rules are specified by the 1024-bit block key. From these block key bits both a left- and a right-toggle rule are generated. The left-toggle rule is generated by reading the block key bits from the left, and the right-toggle rule is generated by reading the block key from the right. Each key bit is used to set two bits in a CA rule table, in such a way as to enforce the toggle property. For left-toggle rules this means that the second half of the rule table is the bitwise complement of the first half. For right-toggle rules, the result of every odd-numbered neighborhood is the complement of the even-numbered neighborhood one less. For example, for radius-1 rules, the key 0111 generates the left-toggle rule 30 of column 2, table 1, and the right-toggle rule 149 of column 3, table 1. The keys for CA-1.0 are completely arbitrary but for the imposition of a balance condition. A key is balanced if it has the same number of 0- and 1-bits. This condition is imposed to avoid weak encryption keys such as the rule which merely shifts blocks. The balance condition is trivially imposed and reduces the number of independent bits in the key only slightly.

3.1.2 Rule Application

In each diffusion phase a radius-5 toggle rule is inverse iterated 32 times. Each inverse iteration requires initialization with 10 bits. These come in left-to-right order from the link. The entire 320 bits of the link are thus consumed in each diffusion phase. After each diffusion phase the bits in the link region, i.e. on the right for left-diffusion phases and on the left for right-diffusion phases, are "folded back" into the encryption process by using them as the link for the next subround (see figures 5 and 8). Note that an alternative would be to randomly generate a new link for each subround. While possibly desirable from the point of view of data security, this would lead to a high data-expansion rate. Link encryption is meant to simulate the production of new random bits for each diffusion phase.

3.2 Substitution Phase

3.2.1 Rule Generation

In CA-1.0, each encryption subround except the first includes the application of an irreversible and a reversible cellular automaton. The irreversible rule for each subround is specified by information in the key, while the reversible rule for each subround is specified by information in the link. This section provides details on how the link information is used to specify the reversible rule during both encryption and decryption. The reversible rules used in CA-1.0 are radius-0 rules which operate on cells which have $2^n$ possible states. Such rules are merely permutations on $N = 2^n$ objects. The problem addressed here is that of finding a good representation for permutations. In this context, a good representation is one which allows an arbitrary bit string of sufficient length to be associated with a permutation, and such that construction of the permutation from the bit string can be done quickly. Probably the simplest way to represent a permutation on $N$ objects is as a list of images of the integers $0 \ldots N-1$. In this representation $N \log(N)$ bits are required to specify a permutation. More compact representations capitalize on the fact that as images for the integers are specified in sequence, the number of remaining possible choices is reduced, so that such choices can be specified with fewer bits. Let $N = 2^n$. At the beginning, each choice of an image under the permutation requires $n$ bits to specify. However, after $2^{n-1}$ images have been specified, the remaining choices require at most $n-1$ bits of information. After the first half of these have been specified, the remaining choices require $n-2$ bits and so on. Thus by taking into account the order in which the specification of the permutation occurs, the number of bits can be reduced to $\sum_{i=1}^{n} (n+1-i)\,2^{n-i}$. To take a concrete example, for the reversible rules used in encryption of a block in CA-1.0, $n = 6$, $N = 64$. In the simple representation 384 bits are required, while in the sequential representation only 321 bits are required. Further exploitation of sequential information leads to a still more compact representation. Consider labeling the leaves of an $n$-level binary tree with the integers $0 \ldots N-1$.

Given an arbitrary bit string, a permutation can be extracted from the tree which corresponds to the bit string and uses a minimal number of bits. This is done as follows: beginning at the root of the tree, and the first bit in the string, a step down is taken either to the left or right depending on whether the bit read is 0 or 1. The process continues until a leaf is reached, i.e. after $n$ steps. The label of this leaf gives the image of the integer 0 under the permutation. The leaf is then dropped from the tree and the tree rebalanced as necessary so that the tree stays close to a binary tree. The process continues by reading more bits from the string to direct traversal of the tree to find the image of the integer 1, etc. Rebalancing after each leaf is read can be avoided by maintaining information at each intermediate node which indicates whether leaves remain to be read below the node to the left or right or both. Updating such information can in practice be less costly than rebalancing the tree. The total number of bits required to specify a permutation in this way is less than or equal to the number of bits computed for the sequential method above, and is typically significantly less (expect $\log_2(64!) \approx 296$ bits/permutation on average). A simple example may help to understand this representation. Let us find the permutation on 4 objects specified by the four bits 1110 (see figure 7). Starting from the root, the first two 1 bits lead to the leaf labeled 3, thus $0 \to 3$ under the permutation (figure 7 a). The next 1 bit leads directly to the leaf labeled 2 in the rebalanced tree; this yields $1 \to 2$ (figure 7 b). The last bit read (0) leads to the integer 0, hence $2 \to 0$ (figure 7 c). Finally, $3 \to 1$ by necessity. In CA-1.0, the block permutation is specified by the bits in the link reading from left to right. The permutation is specified by the information in the raw (non-link-key encrypted) link (see subsection 3.3). Note that one could in general construct many different permutations using the process described above and a key-scheduling algorithm. This is avoided here, however, since permutation generation from the link is necessarily sequential, and CA-1.0 is designed to maximize parallel operations.

3.2.2 Rule Application

Once a permutation has been generated from the link, its application to the block as a reversible cellular automaton follows directly. As mentioned above (section 2.1.2), block encryption uses a 6-cell frame to transform states of the irreversible cellular automaton of the diffusion phase to states of the reversible cellular automaton for the substitution phase. The reversible cellular automaton is applied only to the 384 bits of ciphertext from the previous round which are a function of the block. Thus, when interpreted as the block for a 64-state reversible CA, the block contains but 64 cells. These 64 cells can be updated in parallel by 64 processors executing the permutation. After each update, the reading frame shifts by one (2-state) cell (to the right during encryption, and to the left during decryption). This permits the reversible rule to perform some local diffusion in addition to its primary function of substitution. Decryption works exactly like encryption. Note that during decryption the link is extracted in 10-bit pieces from the block during the diffusion phase. The link must be link-decrypted before the permutation corresponding to the reversible rule for the subround substitution phase can be generated. This permutation must be inverted before it is applied to the block for the decryption substitution phase.
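The permutation extraction of section 3.2.1 and its application as a radius-0 reversible CA with a shifted reading frame (section 3.2.2), as an added Python example; this is not code from the paper or from the author's C simulator. It reproduces the four-bit 1110 example of figure 7 and the 384/321/296-bit counts given above. The cyclic treatment of the shifted frame, the sample 320-bit link and 384-bit block (constructed from a seeded generator) and all function names are assumptions of this example.

```python
# Added example, not the paper's code or its C simulator: a permutation on
# 2**n objects extracted from a bit string by walking a binary tree of the
# leaves still available, then applied as a radius-0 reversible CA on n-bit
# cells with a shifted reading frame.  The cyclic treatment of the frame and
# the sample link/block (constructed from a seeded generator) are assumptions.
import random
from math import lgamma, log
from typing import List, Tuple


def permutation_from_bits(bits: str, n: int) -> Tuple[List[int], int]:
    """Return (perm, bits_consumed) for N = 2**n objects.
    count[v] is the number of leaves still available below node v (heap
    layout: root 1, leaf for label k at N + k).  A bit is read only where
    both children are live; otherwise the walk descends to the live side
    for free.  This is the paper's 'information at intermediate nodes'
    variant, which needs no rebalancing."""
    N = 1 << n
    count = [0] * N + [1] * N
    for v in range(N - 1, 0, -1):
        count[v] = count[2 * v] + count[2 * v + 1]
    perm, pos = [], 0
    for _ in range(N):
        v = 1
        while v < N:
            left, right = 2 * v, 2 * v + 1
            if count[left] == 0:
                v = right
            elif count[right] == 0:
                v = left
            else:
                if pos >= len(bits):
                    raise ValueError("bit string exhausted after %d images" % len(perm))
                v = right if bits[pos] == "1" else left
                pos += 1
        perm.append(v - N)
        while v:                      # retire the leaf along its root path
            count[v] -= 1
            v //= 2
    return perm, pos


def invert(perm: List[int]) -> List[int]:
    """Inverse permutation, needed for the decryption substitution phase."""
    inv = [0] * len(perm)
    for src, dst in enumerate(perm):
        inv[dst] = src
    return inv


def apply_permutation(block: str, perm: List[int], n: int, frame: int) -> str:
    """Apply perm as a radius-0 CA to the n-bit cells of `block`, reading the
    cells from bit offset `frame`; the block is treated as cyclic so the
    shifted frame still covers every bit (assumption of this example)."""
    if len(block) % n:
        raise ValueError("block length must be a multiple of the cell size")
    rot = block[frame:] + block[:frame]
    out = "".join(format(perm[int(rot[i:i + n], 2)], "0%db" % n)
                  for i in range(0, len(rot), n))
    return out[-frame:] + out[:-frame] if frame else out


def substitution_roundtrip(block: str, link: str, n: int, frame: int) -> bool:
    """Encrypt with the link-derived permutation, decrypt with its inverse."""
    perm, _ = permutation_from_bits(link, n)
    c = apply_permutation(block, perm, n, frame)
    return apply_permutation(c, invert(perm), n, frame) == block


def simple_bits(n: int) -> int:
    """List-of-images representation: N log2 N bits."""
    return n * (1 << n)


def sequential_bits(n: int) -> int:
    """Sequential representation: sum_{i=1}^{n} (n+1-i) 2^(n-i) bits."""
    return sum((n + 1 - i) * (1 << (n - i)) for i in range(1, n + 1))


def average_tree_bits(N: int) -> float:
    """Expected bits consumed by the tree method for random input: log2(N!)."""
    return lgamma(N + 1) / log(2)


# constructed sample data of CA-1.0 size: a 320-bit link and a 384-bit block
_rng = random.Random(7)
SAMPLE_LINK = "".join(str(_rng.randrange(2)) for _ in range(320))
SAMPLE_BLOCK = "".join(str(_rng.randrange(2)) for _ in range(384))
```

`permutation_from_bits` raises rather than padding when the bit string runs out, since in CA-1.0 the 320 link bits are all the substitution phase has to work with; `substitution_roundtrip` checks one update at a given frame offset, and a practitioner can loop it over offsets 0 to 5 to exercise the frame shift.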

3.3 Link Encryption

CA-1.0 is a novel type of dynamical system which programs its own evolution. The information in the link is used in two different ways to program encryption during a subround 1) to specify a permutation for the substitution phase, and 2) to choose preimages during the diffusion phase. The goal of link encryption is to separate these two uses by a level of encryption within the link itself. The block-link structure of CA-1.0 is designed to allow a stream of ciphertext to effectively carry along with it a pseudo-random number generator expressed in the operations on the link. Link encryption contributes randomizing operations at each subround of encryption of each block. Link encryption is essentially block encryption in miniature. The block size is smaller (128 vs. 384), the reversible rule is a permutation on a smaller number of objects ($2^4$ vs. $2^6$), and the irreversible rules generated from the link key have a smaller radius than the irreversible rules generated from the block key (3 vs. 5). Otherwise, block and link encryption proceed in the same fashion: each subround has a substitution and a diffusion phase, link keys are balanced like block keys, etc. Note that in other CA cryptosystems the recursive structure of block and link encryption expressed in CA-1.0 could be continued for many levels, generally with increased computation time. There are some minor differences between link and block encryption in CA-1.0. In block encryption the link for a given subround comes from a previous subround. In link encryption both block and link come from the same subround. The first (left-most) 128 bits of the link are interpreted as the link-block and the last (right-most) 192 bits of the link are interpreted as the link-link (see figure 8). Note that while block encryption is designed so that block and link information do not mix, link-block and link-link information do mix, as they pass from one subround to the next.

The link-block and the link-link are read out in opposite directions from the link (figure 8). Since the radius of the link rule is 3, 6 bits are required to drive each inverse iteration of the link-key generated irreversible rules. Hence, the 192 bits in the link-link drive 32 iterations. As in block encryption, left- and right-toggle rules are applied at alternate subrounds. At a subround where a left-toggle rule is applied in block encryption, a right-toggle rule is applied in link encryption, and vice versa. In block encryption a permutation is generated from the link by reading bits from left to right, beginning at the left-most bit of the link. The permutation for link encryption is generated from the same link, but this time reading bits from right to left, and beginning at the 310th bit. Reading the information for the two permutations in opposite directions has the effect of maximizing the independence of the block and link permutations. The string of bits determining the block permutation overlaps with the string of bits determining the link permutation. However, this overlap occurs at the least-significant bits of each permutation-generating string. The link permutation generation is begun at the 310th rather than the 320th bit since the last 10 bits of the link at the last subround form part of the link ciphertext, i.e. they are in view of cryptanalysts. The effect of these bits on processing is to be minimized. The various uses of the link in block and link encryption and the relationship between these uses is presented schematically in figure 8. Note that when properly scheduled, the processing of the link information can be done largely in parallel with the processing of the block information. Details are implementation dependent.

4 A High-Aspect-Ratio Variant

A parameter characterizing a CA cryptosystem is its aspect ratio. The aspect ratio is the ratio between the number of iterations of an irreversible rule during a diffusion phase and the block size. The aspect ratio determines both the relative speed of encryption and decryption and the relative size of the block and link. The higher the aspect ratio, the higher the encryption speed relative to the decryption speed. That is, given enough processors, there is no penalty in terms of computation time for increasing the number of encryption iterations, raising the aspect ratio. On the other hand, given enough processors, there is no penalty in terms of decryption computation time for increasing the size of the block, lowering the aspect ratio.

Via the aspect ratio, computation speed is related to the rate of data expansion for single-block (unchained) encryption. For fixed block size, the higher the aspect ratio, the higher the number of iterations of an irreversible rule in the system. Consequently, a larger number of bits is required in the link to drive inverse iteration during encryption. Thus the aspect ratio gives the relative importance of the block and link in the system. From the standpoint of security, a large number of encryption iterations, each driven by purely random bits from the link, is desirable. This potentially has the undesirable side effect of high data expansion, which is aggravated when chain formation is not possible. Hence, the higher the aspect ratio, the more care required to achieve acceptable rates of data expansion. The optimal aspect ratio depends on the application. For instance, in digital television broadcast the broadcast station has much more computational power at its disposal for encryption of the signal than the television sets have for decryption. Here one would choose a cryptosystem with a low aspect ratio, favoring parallelism at the decryption end. Encryption of messages from a satellite to a ground station, on the other hand, might call for a high-aspect-ratio cryptosystem. Note that CA-1.0 is a fairly low-aspect-ratio system, in which only 32 encryption iterations are carried out in parallel in each subround, while the block size is 384, yielding an aspect ratio of 1/12. In order to illustrate a strategy for constructing cryptosystems with high aspect ratio but low data expansion, a variant of CA-1.0 is now briefly described. The high aspect ratio/low data expansion problem is solved in the variant by building up a collection of bits to drive inverse iterations from encryption of part of the data block. One begins with a small piece of the block and a small radius rule. The smaller the radius of the rule, the more inverse iterations can be performed for a given number of link bits. After a number of iterations have been performed with the small radius rule, the ciphertext produced can be used as link information to drive encryption of the next piece of plaintext, this time with a rule of larger radius. This process can be arbitrarily continued, at the price of requiring a continually larger key. In the hierarchical variant the data-expansion rate is held at 1/8th, while allowing an aspect ratio which increases at each round. The schedule of operations in this cryptosystem is summarized in table 6. The message is divided into 512-bit blocks. Pieces of the block are stirred into the encryption as it proceeds, much as one adds flour to a mixing bowl.

round   radius   iterations   key size   block size   link size   total
1       2        16           16         128          64          192
2       3        32           64         128          192         384
3       4        40           256        128          384         448
4       5        45           1024       128          450         578

Table 6: This table gives the rule radius, the number of iterations applied, and the number of bits in the block, link, and total block+link for the four rounds of encryption under the variant cryptosystem. The 64 link bits input at the first round as well as 2 in the 4th round are generated randomly within the encryption apparatus.

The first 128-bit piece is encrypted with 16 inverse iterations of a radius-2 toggle rule, requiring 64 bits of random information to be input from the link. The resulting ciphertext is 192 bits, sufficient to drive 32 inverse iterations of a radius-3 rule, applied to the next 128-bit piece of the message. In the same way, 384 bits become available to drive 40 iterations of a radius-4 rule, consuming the next 128-bit piece of the message. To drive the final 45 iterations of a radius-5 rule, on the last 128-bit piece of the message, two more random bits need to be generated internally in the encryption apparatus to be added to the 448 bits of ciphertext from the radius-4 stage of encryption. Observe that in this cryptosystem the link, as well as the block, contains message information. This is not the case for CA-1.0. Encryption of message information in the link, combined with the performance of different stages of encryption with different rules, allows for a number of new cryptographic goals to be achieved. An example is the authorized postman problem. Here the address to which a message is to be sent should be encrypted into the message itself in such a way that an authorized postman can read the address, but not the message. This can be done by placing the address in the last 128-bit piece of the block, and the message in the rest of the block. The sender and intended recipient of the message share in secret all the CA rules, radius 2-5, used in encryption. A postman can be authorized to deliver the message by giving him only the radius-5 rule used for the last stage of encryption, at which the address information was encrypted. The authorized postman decrypts the address, and then re-encrypts the message with the radius-5 rule. Many variations on this theme are possible [7].

5 Differential Cryptanalysis

Differential Cryptanalysis is a potent cryptanalytic technique introduced by Biham and Shamir [3]. Differential cryptanalysis is designed for the study and attack of DES-like cryptosystems. A DES-like cryptosystem is an iterated cryptosystem which relies on conventional cryptographic techniques such as substitution and diffusion. CA cryptosystems are clearly in this category, so one might expect them to yield to a differential cryptanalytic attack. Yet, due to their probabilistic nature, CA cryptosystems resist automatic application of Biham and Shamir's techniques. Why this is so is explained in this section. Differential cryptanalysis is a chosen-plaintext/chosen-ciphertext cryptanalytic attack. Cryptanalysts choose pairs of plaintexts such that there is a specified difference between members of the pair. They then study the difference between the members of the corresponding pair of ciphertexts. Statistics of the plaintext pair-ciphertext pair differences can yield information about the key used in encryption. All of the cryptosystems thus far studied using differential cryptanalysis are non-probabilistic cryptosystems in which each plaintext corresponds to a unique ciphertext, i.e. block vs. block-link cryptosystems. In a block-link cryptosystem differences in the link as well as differences in the block can be considered. We will first consider fixing the link and producing differences in the block, and then consider fixing the block and producing differences in the link.

5.1 Block Di erences

The fate of a difference in the plaintext block is explained in reference to figure 9. The top panel of this figure shows the difference between two runs of CA-1.0, the first applied to the all-0 plaintext and the second applied to the all-but-0 plaintext in which one bit has been set to 1. The link information is the same in the two runs. The bottom panel is similar, but here a single-bit difference is made in a ciphertext resulting from applying CA-1.0 to the all-0 plaintext. In each panel, the ciphertext is the line at the top of the panel, and the plaintext is the line at the bottom of the panel. All intermediate-level ciphertexts for the block-encryption system are shown. A 1-bit is represented as a filled rectangle, and a 0-bit is represented by a blank. The steps of decryption are shown in order reading the panel from top to bottom, and the steps of encryption are in order bottom to top. Some important points to note are 1) all positions in the intermediate ciphertexts to the left resp. right of the plaintext difference can be affected during a left resp. right subround, and 2) the link information can never be affected by a difference in the block plaintext.

Differential cryptanalysis of rule 30. The toggle property has a clear signature in differential cryptanalysis. To see this, let us consider the differential cryptanalysis of the rule 30 cryptosystem introduced in section 3.1. We begin with 4-bit plaintext blocks, encrypted 4 iterations, and fix the link at 00001110. All possible 4-bit blocks are encrypted, and the ciphertexts examined. The resulting pairs-XOR table is shown in figure 10. The rows are indexed by the plaintext XOR's, and the columns by the ciphertext XOR's. The table entries give the number of ways the given plaintext XOR/ciphertext XOR can be achieved. The non-uniformities in the table are potential handholds for cryptanalysts. In practice, differential cryptanalysts are not permitted to fix the link as was done to generate figure 10. The link is chosen, at random, by the encryption apparatus. If the cryptosystem is functioning correctly, all possible links have the same probability. For a block-link cryptosystem, then, the observable pairs-XOR table is an average over the pairs-XOR tables corresponding to fixed link information, as in figure 10. This observable pairs-XOR table for the rule 30 cryptosystem is shown in figure 11. The entries in this table give the probability of the corresponding plaintext pair/ciphertext pair XOR's. The observable pairs-XOR table is again highly nonuniform. It has an evident fractal structure. This structure is the result of the toggle property. A plaintext difference at a given position in the plaintext always produces a ciphertext difference at position $r \cdot n$ away from the given position under a radius $r$ toggle rule iterated $n$ times. In CA-1.0 fully nonlinear cellular automata are used in addition to partially linear toggle rules in order to destroy this sort of structure in the pairs-XOR tables. Numerical evidence indicates that the fractal structure is fragile; it is easily destroyed by nonlinear substitutions such as those performed in CA-1.0. Further numerical evidence suggests that if only toggle rules are used for encryption, but the radius of the toggle CA is sufficiently large, then the only significant structure in observable pairs-XOR tables is due to the toggle property.
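The diffusion-phase machinery of sections 3.1.1 and 3.1.2 (toggle-rule tables built from a key, inverse iteration driven by link bits, forward iteration for decryption) together with the fixed-link pairs-XOR table just described, as one added Python example; it is not code from the paper or from the author's C simulator. The neighborhood indexing (leftmost cell as the most significant bit, so that the key 0111 yields rules 30 and 149 as in table 1), the attachment of link bits at the right end of the string for left-toggle rules, the constructed balanced key and all function names are assumptions of this example.

```python
# Added example, not the paper's code or its C simulator: toggle-rule tables
# built from a key, inverse iteration driven by link bits, forward iteration
# to decrypt, and the pairs-XOR table of the paper's 4-bit rule-30 toy system.
# Bit-ordering conventions and the sample key are assumptions of this example.
import random
from collections import Counter
from itertools import product
from typing import List

Bits = List[int]


def toggle_table(key: str, radius: int, side: str) -> List[int]:
    """Radius-r toggle rule from 2**(2r) key bits; neighbourhoods are indexed
    with the leftmost cell as the most significant bit.  left: entries with
    leftmost cell 1 complement those with leftmost cell 0, key read left to
    right.  right: each odd entry complements the even entry one less, key
    read right to left."""
    half = 1 << (2 * radius)
    if len(key) != half:
        raise ValueError("radius %d needs %d key bits" % (radius, half))
    table = [0] * (2 * half)
    for k in range(half):
        if side == "left":
            table[k] = int(key[k])
            table[half + k] = 1 - table[k]
        else:
            table[2 * k] = int(key[half - 1 - k])
            table[2 * k + 1] = 1 - table[2 * k]
    return table


def wolfram_number(table: List[int]) -> int:
    return sum(b << i for i, b in enumerate(table))


def is_balanced(key: str) -> bool:
    return key.count("0") == key.count("1")


def to_int(bits: Bits) -> int:
    return int("".join(map(str, bits)), 2) if bits else 0


def forward_step(table: List[int], x: Bits, radius: int) -> Bits:
    """One forward CA step on a finite string; output is 2r cells shorter."""
    w = 2 * radius + 1
    return [table[to_int(x[i:i + w])] for i in range(len(x) - w + 1)]


def inverse_step(table: List[int], y: Bits, radius: int, seed: Bits, side: str) -> Bits:
    """Unique preimage of y whose 2r boundary cells equal `seed` (right end
    for a left-toggle rule, resolved right to left; mirror image otherwise)."""
    r2 = 2 * radius
    if side == "left":
        x = [0] * len(y) + list(seed)
        for i in range(len(y) - 1, -1, -1):
            # table[rest] is the output with leftmost cell 0; toggling that
            # cell flips it, so exactly one value of x[i] reproduces y[i]
            x[i] = 0 if table[to_int(x[i + 1:i + 1 + r2])] == y[i] else 1
        return x
    x = list(seed) + [0] * len(y)
    for i in range(len(y)):
        x[i + r2] = 0 if table[2 * to_int(x[i:i + r2])] == y[i] else 1
    return x


def encrypt(table: List[int], block: Bits, link: Bits, radius: int, iters: int, side: str) -> Bits:
    """Inverse-iterate `iters` times, taking 2r link bits per iteration in
    left-to-right order; the string grows by 2r bits each time."""
    r2 = 2 * radius
    if len(link) != r2 * iters:
        raise ValueError("need %d link bits" % (r2 * iters))
    x = list(block)
    for t in range(iters):
        x = inverse_step(table, x, radius, link[t * r2:(t + 1) * r2], side)
    return x


def decrypt(table: List[int], cipher: Bits, radius: int, iters: int) -> Bits:
    """Forward-iterate; the link bits fall off the end and are discarded."""
    for _ in range(iters):
        cipher = forward_step(table, cipher, radius)
    return cipher


def pairs_xor_table(table: List[int], radius: int, width: int, iters: int, link: Bits, side: str) -> dict:
    """Counts of (plaintext XOR, ciphertext XOR) over all ordered plaintext
    pairs for one fixed link, as in the paper's figure 10."""
    pts = [list(p) for p in product([0, 1], repeat=width)]
    ct = {to_int(p): to_int(encrypt(table, p, link, radius, iters, side)) for p in pts}
    assert len(set(ct.values())) == len(ct)  # fixed-link encryption is injective
    return dict(Counter((a ^ b, ct[a] ^ ct[b]) for a in ct for b in ct))


def roundtrip_ok(radius: int, iters: int, width: int, seed: int = 1) -> bool:
    """CA-1.0-sized check with a constructed balanced key, block and link."""
    rng = random.Random(seed)
    half = 1 << (2 * radius)
    key = "".join(rng.sample("0" * (half // 2) + "1" * (half // 2), half))
    block = [rng.randrange(2) for _ in range(width)]
    link = [rng.randrange(2) for _ in range(2 * radius * iters)]
    ok = is_balanced(key)
    for side in ("left", "right"):
        table = toggle_table(key, radius, side)
        c = encrypt(table, block, link, radius, iters, side)
        ok = ok and len(c) == width + 2 * radius * iters and decrypt(table, c, radius, iters) == block
    return ok
```

`roundtrip_ok(5, 32, 384)` exercises the block-encryption sizes of CA-1.0 (1024-bit key, 320 link bits, 704-bit ciphertext) and `roundtrip_ok(3, 32, 128)` the link-encryption sizes. `pairs_xor_table` returns counts keyed by (plaintext XOR, ciphertext XOR); the observable table of figure 11 is the average of this table over all 256 possible 8-bit links, which is a short loop over `product([0, 1], repeat=8)`.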

5.2 Link Di erences

We now turn to the study of small differences in the link, given a fixed plaintext block. Figure 12 follows the format of figure 9. Here, however, a pair of encryptions is performed in which one member of the pair is initialized with a given link, and the other member of the pair is initialized with a link which differs from the given link in one and only one position. The all-0 plaintext is used in both encryptions. Note that differences in the link rapidly invade all of both the link and the block information. One possible strategy of attack on CA-1.0 would be to concentrate first on discovering the link key, in the hope of subsequently mounting a known-link-key attack on the block key. It is not possible to use chosen-plaintext methods on the encryption of the link. The "plaintext" is the set of random link bits generated within the encryption apparatus to begin encryption of the block. These bits are considered to be physically secure, no more open to inspection by the cryptanalyst than the bits of the secret key. Indeed, these bits may have a higher level of security than the key itself since even the legitimate users of the system do not have access to the link bits. Hence known-link-plaintext attacks are ruled out as well. Then there is the possibility of choosing block plaintext or ciphertext, and attempting to infer the operations in the link area from their effect on the block area. Again, the link operations are unaffected by changes in the block area; indeed, the link operations would be carried out in exactly the same way were there no block encryption to drive. The cryptanalyst wishing to effectively manipulate the link is left with inventing strategies for choosing link ciphertext. Choosing link ciphertext is a very difficult way to acquire knowledge about the link key. The transformation which carries the link information from input to output of each subround is a permutation on 320-bit items.

This permutation is the composition of two permutations, one determined by the block key, the other by the link key. In the properly functioning cryptosystem the inputs are chosen randomly, hence the outputs, the link ciphertexts, are random as well. To see this, consider first the transformation on the link performed during the inverse iteration of the link-key determined toggle rule. This is obviously a permutation since it is deterministic and one-to-one onto. All 320-bit strings in the domain of this transformation are possible by hypothesis. These are simply the 320-bit strings that are randomly generated to initialize encryption. The 320 bits include the 128-bit block and the 192-bit link for link encryption. The output of the link encryption is another 320-bit string. The process is deterministic so there is one and only one output for each input. So, to prove that the transformation is a permutation, we must show that there is an input for each possible output. To do so, we explicitly construct the input that is the preimage of an arbitrary output. Let $c$ be an arbitrary but definite link-encryption ciphertext. The following algorithm constructs the link input that enciphers to $c$ under the link-key determined toggle rule. Here, without loss of generality, that rule is assumed to be left-toggle. Sites in the ciphertext are numbered from right to left, beginning at 0. $n$ iterations of the rule are used in the subround.

1) Produce a ciphertext $c_0$ by encrypting an arbitrary link-block and link-link using the link-key rule. Set $i$ to 1.

2) Find the rightmost site $j$ at which $c_{i-1}$ differs from $c$. If there are no differences, stop.

3) Flip the bit at position $j$ in $c_{i-1}$, as well as all the bits which are directly determined by this bit under forward iteration of the rule. These bits are found at position $j - (n-h)\,r_l$ at the $h$-th iteration forward, where $r_l$ is the radius of the link-key rule.

4) Starting with the last position in which a change was produced in step 3), propagate these changes leftward using the link-key rule applied in the inverse direction. Continue inverse iterating until a new $n$-iteration ciphertext $c_i$ has been produced. This new ciphertext agrees with the target ciphertext at all positions up to and including $j$. Increment $i$.

5) Return to step 2.

In essence, this algorithm works since in inverse iteration of a toggle rule changes propagate only in one direction, in this case, to the left. This means that once a bit to the right has been properly set, and the influence of all resulting changes taken into account, the bit never needs to be revisited. By iterating the same argument on the encryption with the block key, we have the desired result that the transformation from input link to output link via the composition of link encryption and block encryption is a permutation. By hypothesis the statistics on the input are uniform, so the output statistics are as well. By the same reasoning and for fixed link input, block encryption is also a permutation, but on 384-bit objects. The inputs are the block plaintexts and the outputs are the block ciphertexts. Moreover, for fixed link input, non-uniform distributions on the input plaintexts will be reflected in non-uniform distributions on the output ciphertexts. Cryptanalysts could produce such non-uniformities by choosing block plaintext. Still, these non-uniformities will not be seen in practice since they are averaged over all possible initial links. The number of possible initial links (2^320) is too large to permit significant non-uniformities to survive in the average.
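As an added illustration (not code from the paper), the following Python models a radius-r left-toggle rule with its seeded inverse iteration, builds the explicit preimage of an arbitrary output as the permutation argument above requires, and checks the one-directional propagation the argument rests on: flipping an output bit changes the preimage only at positions to its left. The key table, the radius r = 2, the one-sided neighbourhood form x[k] XOR g(x[k+1..k+2r]) and the left-to-right cell indexing are assumptions for this demonstration, not CA-1.0's own parameters.

```python
import random

R = 2            # rule radius; CA-1.0 uses 5, 2 keeps the demo small (assumption)
random.seed(7)   # constructed, reproducible key table
# g maps a 2r-bit neighbourhood to one bit. XOR-ing the leftmost cell with
# g(...) makes the rule left-toggle whatever the table holds.
TABLE = [random.randrange(2) for _ in range(1 << (2 * R))]

def g(neigh):
    """Table lookup for the 2r cells to the right of the toggle cell."""
    idx = 0
    for b in neigh:
        idx = (idx << 1) | b
    return TABLE[idx]

def forward(x):
    """One forward iteration; no padding, so the output is 2r cells shorter."""
    return [x[k] ^ g(x[k + 1:k + 2 * R + 1]) for k in range(len(x) - 2 * R)]

def inverse(y, seed):
    """One inverse iteration: 2r seed (link) bits become the rightmost cells and
    the rest is solved right to left, so a cell depends only on cells to its right."""
    x = [0] * (len(y) + 2 * R)
    x[len(y):] = seed
    for k in range(len(y) - 1, -1, -1):
        x[k] = y[k] ^ g(x[k + 1:k + 2 * R + 1])
    return x

def encrypt(block, link):
    """n = len(link)/(2r) inverse iterations; the output is the grown block."""
    x = list(block)
    for s in range(0, len(link), 2 * R):
        x = inverse(x, link[s:s + 2 * R])
    return x

def preimage(c, n):
    """Explicit preimage of an arbitrary output c: forward iterate n times,
    peeling off the 2r rightmost cells as the link bits used at that step."""
    link = []
    for _ in range(n):
        link = c[-2 * R:] + link
        c = forward(c)
    return c, link

def changed_positions(y, seed, k):
    """Positions of the preimage that change when output bit k is flipped."""
    y2 = list(y)
    y2[k] ^= 1
    a, b = inverse(y, seed), inverse(y2, seed)
    return [i for i in range(len(a)) if a[i] != b[i]]
```

Because every output string has exactly one preimage under `preimage`, the map from (block, link bits) to the grown output is a bijection, which is the permutation property the text proves for the 320-bit link transformation.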

6 Discussion

We now turn to the central question of this enterprise, "Can study of CA cryptosystems teach anything fundamental about the nature of complexity in dynamical systems or the strength of cryptological methods?" The answer hinges on whether the physical reasoning underlying the construction of CA cryptosystems can be properly connected to the computer-science measures of complexity used in cryptology. Only a few general indications can be given here as to where this connection might come from.

Cryptology has made strides over the last two decades toward founding its investigations on solid principles. These strides have been in the direction of attaching quantitative measures derived from computer science to the difficulty of breaking cryptosystems using various attacks. That is, one no longer asks if a system is unbreakable in some absolute sense, but rather how long a computer of a given type must work to break the system, how much memory space it will take up in the process, etc. A well-developed mathematical theory supports these investigations. Still, if one digs further into these foundations, one finds voids. It is merely a conjecture that prime factorization is a hard problem, albeit a conjecture which has strongly resisted disproof. If it were to be disproved, then many well-studied cryptosystems based on number theory would collapse. Likewise, evaluation of cryptosystems in terms of computer-science notions of tractability depends on an assumption concerning the inequality of the classes P and NP. The effective measure of the quality of a cryptosystem remains in practice what it has always been. The longer a cryptosystem is in wide use in plain view of well-trained, well-motivated and intelligent cryptanalysts without being broken, the better it is.

The competition between cryptosystem builders and cryptanalysts is a superb model of co-evolution. As the strength of one improves, the destructive methods of the other improve as well. This advance is of course not always in even steps; relevant input from other fields touching on foundational issues could cause better progress than cryptology's internal dynamics would allow. The CA cryptosystem described in the text models a physical process which is the sum of random variables. We expect that if the sum contains a sufficient number of terms, that is, if a sufficient number of rounds are used in the encryption of each message block, then the ciphertext can be made as close to truly random as desired. The final quality of randomness should not depend on the message encrypted. Thus, if the system is strong at all, it should be strong in the average case. Computer science measures of complexity for the most part deal with worst-case difficulty of problems. Worst-case complexity is usually of little interest in physics, and should be of little interest in practical cryptology. Cryptosystems based on physical principles may push cryptology in this direction.

Let us now pick up the question from the other end. "What can a dynamical systems theorist learn from an excursion into cryptology?" To start, that unpredictability is a concept meaningful only in relationship with a specification of the set of prediction tools at one's disposal, and of how much force one is willing to use to apply them. Once the set of tools is specified, the issue is stated in a syntactic framework. Roughly, if the dynamics is represented in a highly coded fashion, then for prediction our mechanism to expand the code into readability must be equal to the task. A new collection of tools, a shift in the semantic power available, may render an unpredictable system orderly. Unpredictability thus has as much to do with a level of comprehension of the correct representation of a system as it does with the distribution over the classes in a given representation (see Crutchfield [4] for a related discussion). A powerful tool well-adapted to the given system may pull out enough predictability from it that it would be considered "broken" by the cryptanalyst, even though worthwhile mysteries may remain for the physicist. Some cryptanalytic tools, sharpened to the demanding standards of cryptology, may find new uses in dynamical systems theory. The best uses may consist of stripping off the purely "cryptic" aspects of a dynamical system's complex behavior, to reveal a central core of properties of real physical relevance.

Acknowledgements

The idea of using toggle rules for cryptography came from a discussion with P. Grassberger at the Institute for Scientific Interchange, in Turin. I am grateful to him for the discussion and to the Institute for making the discussion possible. I would also like to thank J. Kari, L. Hurd, and A. Shamir for some very helpful input.

Figure Captions

1.
2. A reversible rule. A reversible rule on 2^4 states formed by breaking the block of a 2-state automaton into frames. a) shows the operation of the rule on 2-state/cell blocks, and b) shows the operation of the rule on 16-state/cell blocks. Shades of gray are assigned to the states arbitrarily. The frame shifts by 1 to the right at each time step. Periodic boundary conditions are imposed on the block.
3. Forward and reverse iteration of a toggle rule. The top panel shows how the state of a cell at time t + 1 depends on the states in a neighborhood at time t. The bottom panel shows how the state of a cell at time t + 1 and the states of cells in a 2r-partial neighborhood at time t determine the outermost cell state at time t under a toggle rule.
4. A balanced radius-5 toggle rule. The evolution of a balanced radius-5 toggle rule such as used in CA-1.0. The block is 256 bits, and periodic boundary conditions are imposed.
5. Overview of CA-1.0. The major stages of encryption/decryption of a single block under CA-1.0 are shown. The diffusion phases are labeled D, and the substitution phases are labeled S. Cells which depend only on link information are hatched. The link-encrypted link information enters from the side into the diffusion phase of each subround. The link for a subround is drawn from the top of the link triangle at the previous round.
6. Chain formation. Blocks can be linked together into chains in the same way that subrounds are linked together in the encryption of a single block. This figure shows how links are passed from one block to the next. The initial link is generated within the encryption apparatus. It is destroyed within the decryption apparatus when decryption of the chain is complete. The bits which appear in the ciphertext stream are indicated by a patterned overbar.
7. Generation of a permutation from a bit string. Shown are three stages in the generation of the permutation 0123 → 3201 from the bit string 1110. a) The first two bits lead from the root to the leaf labeled 3. b) The next bit leads to the leaf labeled 2 in the rebalanced tree. c) The last bit leads to the leaf labeled 0 in the tree rebalanced from b). The last element of the permutation follows by necessity.
8. Block vs. link encryption. This figure shows schematically how link and block encryptions fit together in a subround. A link from a subround is broken into two pieces: a link-block and a link-link. Link encryption is then performed. The link-key encrypted link is then fed into the diffusion phase of the next subround. The output of this block diffusion phase includes the link for the next subround. During link encryption, the block undergoes a substitution phase of encryption. Two permutations are generated from the link, one for the block substitution phase and one for the link substitution phase. The box shows how the information generating these permutations is drawn from the link.
9. Block difference patterns. The top panel shows the difference pattern for a pair of plaintexts which differ in only 1 position. One of the pair is the 0-plaintext, the other the all-but-0-plaintext. A site which differs between the pair is shown in black, no difference in white. Note that by the second diffusion phase the difference has permeated the entire block. Note further that positions within the link are not changed as the initial link is the same for both members of the pair. The bottom panel shows the decryption of a pair one member of which is the ciphertext for the 0-plaintext, and the other member of the pair is the same ciphertext in which a 1 bit error has been made. By the second substitution phase differences may be found throughout the intermediate ciphertexts.
10. Rule 30 pairs XOR table with a fixed link. The plaintext pair/ciphertext pair XOR table for rule 30 applied to 4-bit blocks, and iterated 4 times, is shown. The link is fixed at 00001110.
11. Observable rule 30 pairs XOR table. This table is the sum over all tables which can be produced as in figure 10 by changing the link. This is the pairs XOR table which can actually be seen in cryptanalytic experiments.
12. Link difference patterns. This figure follows the format of figure 9. Here the input block information is fixed between the two runs, and a 1 bit error is introduced in the link information, either the link plaintext (top) or the link ciphertext (bottom). Note that manipulation of the link plaintext is not possible in actual use of CA-1.0.

References

[1] M. Bianco and D. Reed, US patent number 5,048,086.
[2] E. Biham, Cryptanalysis of the Chaotic-Map Cryptosystem suggested at Eurocrypt '91, Proceedings of Eurocrypt '91, 532-534 (1991).
[3] E. Biham and A. Shamir, Differential Cryptanalysis of DES-like Cryptosystems, J. Cryptology 4:3-72 (1991).
[4] J.P. Crutchfield, Semantics and Thermodynamics, and, Knowledge and Meaning...Chaos and Complexity, Santa Fe Institute preprints 91-09-033 and 91-09-035 (1991).
[5] E. Denning, Cryptography and Data Security (Addison-Wesley, 1982).
[6] P. Guan, Cellular Automaton Public-Key Cryptosystems, Complex Systems Vol. 1 (1987).
[7] H. Gutowitz, Method and Apparatus for Encryption, Decryption, and Authentication Using Dynamical Systems, U.S. Patent Pending (1992).
[8] H. Gutowitz, Ed.: Cellular Automata: Theory and Experiment (MIT Press, Bradford Books, 1991).
[9] T. Habutsu, Y. Nishio, I. Sasase, and S. Mori, A Secret Key Cryptosystem by Iterating a Chaotic Map, Proceedings of Eurocrypt '91, 127-140 (1991).
[10] J. Kari, Cryptosystems based on reversible cellular automata, University of Turku, Finland, preprint (April 1992).
[11] J. Kari, Reversibility of 2D Cellular Automata is Undecidable, Physica D, Vol. 45:379-385 (1990).
[12] W. Meier and O. Staffelbach, Analysis of Pseudo Random Sequences Generated by Cellular Automata, Proceedings of Eurocrypt '91, 186-199 (1991).
[13] S. Wolfram, Statistical Mechanics of Cellular Automata, Rev. Mod. Phys. 55:601-644 (1983).
[14] S. Wolfram, Cryptography with Cellular Automata, Proceedings of Crypto '85, pp. 429-432 (1985).
[15] S. Wolfram, Random Sequence Generation by Cellular Automata, Adv. Appl. Math 7:123 (1984).
