Pseudo-random sequences, boolean functions and cellular automata
ABSTRACT: Generation of pseudo-random binary sequences by one-dimensional cellular automata is surveyed using both uniform and hybrid automata. The updating function is a Boolean function that must satisfy criteria of resilience and nonlinearity for the sequence they generate to be secure for a stream cipher application.
Boolean Functions: Cryptography and Applications
Fonctions Booléennes: Cryptographie & Applications
BFCA'08
PSEUDO-RANDOM SEQUENCES, BOOLEAN FUNCTIONS AND CELLULAR AUTOMATA
Patrick Lacharme¹, Bruno Martin² and Patrick Solé²
Abstract. Generation of pseudo-random binary sequences
by one-dimensional cellular automata is surveyed using both
uniform and hybrid automata. The updating function is a
Boolean function that must satisfy criteria of resilience and
nonlinearity for the sequence they generate to be secure for
a stream cipher application.
Keywords : Cellular automata, pseudo-random sequences,
resilience, nonlinearity.
Introduction
Cellular automata (CA) are models of finite state machines used in many applications of computer science. In particular, they are employed for the generation of binary pseudo-random sequences in cryptography. In the present work, we survey methods to generate binary pseudo-random sequences with cellular automata. We particularly focus on the search for good updating functions.
Section 1 presents the different cellular automata for sequence generation and surveys their cryptographic applications. Section 2 concentrates on uniform cellular automata, particularly on the properties required for the updating function. An exhaustive list of rules satisfying the properties is given. Section 3 surveys
¹ IMATH, Université Toulon/Var, BP 132, F–83957 La Garde cedex.
² I3S, Université de Nice Sophia-Antipolis, CNRS, 2000 route des Lucioles, BP 121, F–06903 Sophia–Antipolis Cedex.
J-F. Michon, P. Valarcher, J-B. Yunès (Eds.): BFCA'08
hal-00305493, version 1 - 24 Jul 2008
Author manuscript, published in "Boolean Functions: Cryptography & Applications, Copenhague : Danemark (2008)"
the generation of pseudo-random sequences by hybrid cellular au-
tomata and proposes the generation of classical sequences by CA
synthesis. Finally, cryptographic applications of hybrid cellular automata are sketched.
1. Cellular automata and pseudo-random generation
1.1. Uniform cellular automata
One-dimensional binary cellular automata consist of a line of
cells with binary values. For practical implementations, the num-
ber of cells is finite. There are two cases: a CA is boundary if
the cells are arranged in a circular register and it is null-boundary
when both extremal cells are fed with zeroes. All the cells are
finite state machines with an updating function which gives the
new state of the cell according to its current state and the current
state of its nearest neighbors.
S. Wolfram proposes in [31] to use cellular automata to produce pseudo-random sequences. He considers one-dimensional binary cellular automata with ℓ cells, ℓ = 2N + 1. All the cells are identical finite state machines with binary states. For a uniform CA, the values of the cells at time t are updated synchronously with a Boolean function f with n = r_1 + r_2 + 1 variables by the rule
$x_i(t+1) = f(x_{i-r_1}(t), \ldots, x_i(t), \ldots, x_{i+r_2}(t))$.
For a fixed t, the sequence of the values $x_i$ for 1 ≤ i ≤ 2N + 1 is the configuration at time t. It is a mapping $c : [[1, 2N+1]] \to F_2$ which assigns a state of $F_2$ to each cell of the cellular automaton. The initial configuration (at time 0) $x_1(0), \ldots, x_\ell(0)$ is the seed of the generator, the sequence $(x_N(t))_t$ is the output sequence and, when $r_1 = r_2 = r$, the number r denotes the radius of the rule. For example, let us consider the following updating function f:
$f(x_{i-1}, x_i, x_{i+1}) = x_{i-1} \text{ XOR } (x_i \text{ OR } x_{i+1})$.
The truth table of the Boolean function f is

x3  x2  x1  |  f(x1,x2,x3)
 0   0   0  |  0
 1   0   0  |  1
 0   1   0  |  1
 1   1   0  |  1
 0   0   1  |  1
 1   0   1  |  0
 0   1   1  |  0
 1   1   1  |  0
The binary sequence 00011110 is the binary representation of the natural number 30 and gives a numbering of the rules (rule (30) in this case). In this paper, this notation is kept to describe a Boolean function. In the rest of this paper the additions of integers in Z will be denoted by + and Σ, and additions in $F_2$ will be denoted by ⊕ and $\bigoplus$. For simplicity and when there is no ambiguity, we shall denote by + the addition of binary vectors. If x and b are two binary vectors, we denote by x · b their usual inner product $x \cdot b = \sum_{i=1}^{n} x_i b_i$. We also recall the definition of the algebraic normal form as an alternative representation of Boolean functions.
Definition 1.1. A Boolean function f with n variables is represented by a binary polynomial in n variables, called algebraic normal form (ANF): $f(x) = \bigoplus_{u \in F_2^n} a_u \left(\prod_{i=1}^{n} x_i^{u_i}\right)$.
If we consider rule (30) again, its ANF is the polynomial $x_1 \oplus x_2 \oplus x_3 \oplus x_2 x_3$.
The degree of the ANF, denoted by d°f, is called the algebraic degree of the function. This makes sense thanks to the existence and uniqueness of the ANF. The Hamming weight $w_H(f)$ of f is the number of vectors x in $F_2^n$ such that f(x) = 1. A function is balanced if $w_H(f) = w_H(1 \oplus f)$, i.e. $w_H(f) = 2^{n-1}$. The Hamming distance between f and g is $d_H(f, g) = w_H(f \oplus g)$.
1.2. Hybrid cellular automata
When the rules are not identical for all the cells, the automaton is called non-uniform (or hybrid) and is denoted HCA. Moreover, if the rules are linear, the automaton is called a linear hybrid cellular automaton (LHCA).
In [5,25], Muzio et al. consider linear hybrid cellular automata
using two different linear rules. They assume the CA null-boundary
and the linear updating rules are (90) and (150). A similarity
transform between LHCA and linear feedback shift register is pro-
posed in [6] and was recently improved in [12].
1.3. Cellular programming approach
Tomassini and Sipper [27] proposed to use hybrid cellular au-
tomata for generating better pseudo-random sequences. In this
model, the rules are obtained by an evolutionary approach (a ge-
netic algorithm). They have designed a cellular programming al-
gorithm for cellular automata to perform computations, and have
applied it to the evolution of pseudo-random sequence generators.
Their approach uses Koza's entropy $E_h = -\sum_{j=1}^{k^h} p_{h_j} \log_2 p_{h_j}$, where k denotes the number of possible values per sequence position, h a subsequence length and $p_{h_j}$ is a measured probability of occurrence of a sequence $h_j$ in a pseudo-random sequence.
Tomassini and Sipper have selected four rules of radius r = 1 for use in non-uniform cellular automata. The best rules selected by the genetic algorithm were rules 90, 105, 150 and 165 (all linear). A series of tests (including the χ² test, serial correlation coefficient, entropy and Monte Carlo, but no correlation-immunity analysis) were made with good results, showing that co-evolving generators are at least as good as the best available CA randomizer. The authors also use elementary rules which were proved to be not correlation-immune. This was further investigated in [24].
Following the same kind of approach, Seredynski et al. in [24] have generalized the selection process to radius 2 rules. They then use both radius 1 and radius 2 rules in hybrid cellular automata.
The rules selected by their genetic algorithm were 30, 86, 101 and
869020563, 1047380370, 1436194405, 1436965290, 1705400746,
1815843780, 2084275140 and 2592765285.
Their new set of rules was tested by a number of statistical tests
required by the FIPS 140-2 standard [28] and the Marsaglia tests
implemented in the Diehard program but no correlation-immunity
analysis was made either.
Moreover, the entropy calculation used in the cellular programming approach reduces the efficiency of the algorithm.
1.4. Cryptographic applications
In [30] Wolfram proposed to use cellular automata for a stream
cipher application. In this case, it must be hard to find the cur-
rent state (and the seed in particular) from the output sequence
(known plaintext attack). An exhaustive search can be done over the $2^\ell$ possible initial states, but for large ℓ, exhaustive search becomes impossible. In [30], the cellular automaton is a simple one-dimensional uniform cellular automaton with a 3-variable updating rule.
Next, cellular automata are used in many areas of cryptography. In symmetric cryptography, a block cipher proposed in [13] has been broken in [3], using the linearity of the updating function, and the block cipher of [23] using linear and nonlinear rules has been successfully cryptanalysed in [2]. Other propositions of block ciphers are [21] and [11]. Some hash functions are proposed in [10] (broken in [9]) and [19], and stream ciphers in [18, 20].
For the design of cryptographic cellular automata, updating
rules should have an adapted radius and desired properties. In all
cases, the choice of the updating rules in the cellular automaton
is a fundamental criterion for the security of the crypto-system.
2. Uniform cellular automata
2.1. 3-variable updating function and rule (30)
The investigation of S. Wolfram [30] is concentrated on updating functions f with 3 variables, i.e. $r_1 = r_2 = 1$. In particular, he considered rule (30) defined by
$f(x_{i-1}, x_i, x_{i+1}) = x_{i-1} \text{ XOR } (x_i \text{ OR } x_{i+1})$,
or equivalently
$f(x_{i-1}, x_i, x_{i+1}) = x_{i-1} + x_i + x_{i+1} + x_i x_{i+1} \bmod 2$.
S. Wolfram claims the sequence $(x_i^t)_{t \ge 0}$ is pseudo-random for a given i. He extensively studied this particular rule, demonstrating its suitability as a high performance randomizer which can be efficiently implemented in parallel; this is one of the pseudo-random generators which was shipped with the Connection Machine CM2 and which is currently used in the Mathematica software.
2.2. Attack of Meier and Staffelbach
The first attack on this pseudo-random generator is proposed by W. Meier and O. Staffelbach in [17]. The output sequence $(x_N(t))_t$ is known for t = 0, ..., N. The sequence $(x_{N+1}(t))_t$ is called the right adjacent sequence. The principle is that if the right adjacent sequence is known for t = 0, ..., N − 1, then half of the seed $x_0(0), \ldots, x_{N-1}(0)$ is known, using the partial linearity of f:
$x_{i-1}(t) = x_i(t+1) \text{ XOR } (x_i(t) \text{ OR } x_{i+1}(t))$.
This attack is successful if the right adjacent sequence is easily constructed. Statistical experiments show that there are only few possibilities for the right adjacent sequence. As noted in [15], this phenomenon comes from the correlation between the inputs and the outputs of rule (30). Indeed, we have
$\Pr(x_i(t+1) = 1 \oplus x_{i-1}(t)) = \tfrac{3}{4}$.
In order to counter this attack, the updating function must be resilient. This concept is introduced by T. Siegenthaler, in relation with correlation attacks on stream ciphers [26].
Definition 2.1 (Resilient functions). A Boolean function f mapping $F_2^n$ to $F_2$ is t-resilient if for any coordinates $i_1, \ldots, i_t$, for any binary constants $c_1, \ldots, c_t$ and for all $y \in F_2$,
$\Pr(f(x) = y \mid x_{i_1} = c_1, \ldots, x_{i_t} = c_t) = \tfrac{1}{2}$,
where $x_i$ with $i \notin \{i_1, \ldots, i_t\}$ verifies $\Pr(x_i = 1) = \Pr(x_i = 0) = 0.5$.
For a Boolean function f with n variables, the Walsh transform $\hat f$ of f is defined over $F_2^n$ by
$\hat f(u) = \sum_{x \in F_2^n} (-1)^{f(x) \oplus u \cdot x}$.
The Walsh transform of f is related to the Hamming weight of the function $f \oplus l_b$ (where $l_b(x) = b \cdot x$) via the relation $\hat f(b) = 2^n - 2\, w_H(f \oplus l_b)$. It satisfies Parseval's relation:
$\sum_{b \in F_2^n} \hat f^{\,2}(b) = 2^{2n}$. (1)
G.Z. Xiao and J.L. Massey give a spectral characterization of resilient functions [33]:
Theorem 2.2. A Boolean function in n variables is t-resilient iff for all u whose Hamming weight verifies $0 \le w_H(u) \le t$, we have $\hat f(u) = 0$.
Theorem 2.3. For a t-resilient (0 ≤ t < n−1) Boolean function
with n variables, there is an upper bound for its algebraic degree
d: d ≤ n − t − 1 if t < n − 1 and d = 1 if t = n − 1.
Theorem 2.3 shows that the algebraic degree of a 1-resilient function with 3 variables is at most 1, i.e. the Boolean function is linear. B. Martin has explored all the Boolean functions in 3 variables and concludes that there is no nonlinear function in 3 variables which is 1-resilient [15], which is also a consequence of the Siegenthaler bound [26].
2.3. Attack of Koç and Apohan
The second attack against rule (30) is proposed by C.K. Koç and A.M. Apohan [1].
The algorithm is based on the linear approximation of the updating function. The resistance to this attack depends on the distance between the updating function and the set of all linear functions. Let l be the best linear approximation of the updating function f with n variables and A the number of points such that f(x) = l(x). Let $\alpha = A/2^n$ be the probability that f(x) = l(x). Then the algorithm requires at most $2^{(n-1)(1-\alpha)\ell}$ trials for arbitrary nonlinear functions and seed. Under these conditions, the number α must be small.
Definition 2.4 (Nonlinearity). Let f be a Boolean function mapping $F_2^n$ to $F_2$. The nonlinearity $N_f$ of f is defined by
$N_f = \min_{(a_0, \ldots, a_n) \in \{0,1\}^{n+1}} d_H\big(f(x),\, a_0 \oplus a_1 x_1 \oplus \cdots \oplus a_n x_n\big)$.
The relation between the Walsh transform and the nonlinearity comes from W. Meier and O. Staffelbach [16].
Theorem 2.5. Let f be a function mapping $F_2^n$ to $F_2$. Then
$N_f = 2^{n-1} - \tfrac{1}{2} \max_{u \in F_2^n} |\hat f(u)|$,
and
$N_f \le 2^{n-1} - 2^{n/2 - 1}$. (2)
A cellular automaton resists the attack of [1] if the nonlinearity of its updating function is high. Boolean functions whose nonlinearity meets the bound (2) are called bent functions. Bent functions in an even number of variables exist but are never balanced. Moreover, there is a tradeoff between resilience order and nonlinearity [22]:
Theorem 2.6. Let f be a t-resilient Boolean function over $F_2^n$. Then there is an upper bound on the nonlinearity of f: $N_f \le 2^{n-1} - 2^{t+1}$.
By [29] this bound is tight for t ≥ 0.6n.
2.4. 4-variable updating functions
In this section, we investigate the $2^{16} = 65536$ elementary CA rules with 4 variables and give a complete classification of the functions which have good resilience and nonlinearity properties. These functions are used to get cellular automata for generating cryptographic pseudo-random sequences.
An exhaustive search by the Walsh transform of all Boolean functions with 4 variables is realized, to find a list of 1-resilient functions with high nonlinearity.
There are exactly 200 nonlinear balanced functions which are 1-resilient, and all are quadratic (cubic balanced functions are not resilient by the Siegenthaler bound (Theorem 2.3)).
A Boolean function in 4 variables is defined by an integer between 0 and 65536, keeping Wolfram's notation for CA rules with 3 variables. For example, the function (34680), with binary representation 1000011101111000, corresponds to the following truth table:
x1  x2  x3  x4  |  f(x1,x2,x3,x4)
 0   0   0   0  |  0
 1   0   0   0  |  0
 0   1   0   0  |  0
 1   1   0   0  |  1
 0   0   1   0  |  1
 1   0   1   0  |  1
 0   1   1   0  |  1
 1   1   1   0  |  0
 0   0   0   1  |  1
 1   0   0   1  |  1
 0   1   0   1  |  1
 1   1   0   1  |  0
 0   0   1   1  |  0
 1   0   1   1  |  0
 0   1   1   1  |  0
 1   1   1   1  |  1
For classifying the functions, we use their algebraic normal form (ANF). For instance the ANF of rule (280) (= 100011000 in binary) corresponds to the polynomial
$f(x_1, x_2, x_3, x_4) = x_1 x_2 \oplus x_3 \oplus x_4$. (3)
For the classification of these functions, let σ denote a 4 by 4
permutation matrix. Two Boolean functions f and g are equiva-
lent if there exists a permutation σ such that f(x) = g(σ(x)) or
g(σ(x)) + 1.
The following table gives the set of all 1-resilient functions, with a representative f of each class, the integer encoding of its ANF, its ANF as a polynomial and the cardinality of each class:

f       ANF (integer)   ANF (polynomial)                                  card.
34680   280             x1x2 ⊕ x3 ⊕ x4                                    12
6120    360             x4 ⊕ x1x2 ⊕ x1x3 ⊕ x2x3                            8
7140    300             x2 ⊕ x4 ⊕ x1x2 ⊕ x1x3                             48
11730   282             x1 ⊕ x3 ⊕ x4 ⊕ x1x2                               24
34740   1308            x2 ⊕ x3 ⊕ x4 ⊕ x1x2 ⊕ x4x2                        48
39318   4374            x1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x3x4                          12
7128    5432            x3 ⊕ x4 ⊕ x1x2 ⊕ x3x1 ⊕ x4x2 ⊕ x4x3               24
11220   380             x2 ⊕ x3 ⊕ x4 ⊕ x1x2 ⊕ x3x1 ⊕ x2x3                 24

The nonlinearity of these functions is computed for an evaluation of the resistance against the attack of [1]. The 200 1-resilient Boolean functions with 4 variables have a nonlinearity equal to 4. There exist some Boolean functions with 4 variables with nonlinearity 6, but they are not resilient, according to Theorem 2.6.
Two classes of functions are more interesting because these functions can be implemented with only 3 logic gates. These functions are (34680) and (39318), the latter being equivalently
$f(x_1, x_2, x_3, x_4) = x_1 \oplus x_2 \oplus (x_3 \text{ OR } x_4)$.
In this case, the two CA are described by the updating functions
$x_i(t+1) = x_{i-1}(t) \text{ XOR } x_i(t) \text{ XOR } (x_{i+1}(t) \text{ AND } x_{i+2}(t))$,
and
$x_i(t+1) = x_{i-1}(t) \text{ XOR } x_i(t) \text{ XOR } (x_{i+1}(t) \text{ OR } x_{i+2}(t))$.
If the resilience order of the updating function must be greater than 1 (for example with a generalization of [17]), then Boolean functions with 5 variables should be used.
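As an added example (not code from the paper), the following Python script implements on truth tables the notions used from Section 1.1 up to this section: rule numbering, the ANF of Definition 1.1 via the Möbius transform, the Walsh transform with the Xiao–Massey criterion of Theorem 2.2 and the nonlinearity of Theorem 2.5. It reproduces the exhaustive search of this section (200 nonlinear balanced 1-resilient rules, all quadratic, all of nonlinearity 4) and the 3/4 correlation of rule (30) from Section 2.2; the bit ordering used to read a rule number is an assumption stated in the docstring.

```python
"""Truth-table toolkit for CA rules (added example, not code from the paper).

A function f in n variables is a list tt of 2**n bits with tt[k] = f(x), where
x_i is bit i-1 of k (x1 is the least significant bit).  This is the convention
of the paper's 4-variable table, under which rule 34680 has ANF x1x2 + x3 + x4.
Wolfram's 3-variable numbering reads the left neighbour x1 as the most
significant bit, so rule (30) is loaded with x1_msb=True (assumption made here).
"""

def truth_table(rule, n, x1_msb=False):
    """Bit k of the rule number is f on the input vector encoded by k."""
    def rev(k):  # reverse the n-bit index for the Wolfram convention
        return int(format(k, f"0{n}b")[::-1], 2)
    return [(rule >> (rev(k) if x1_msb else k)) & 1 for k in range(1 << n)]

def anf(tt, n):
    """Coefficients a_u of Definition 1.1 (Moebius transform), indexed like tt."""
    a = list(tt)
    for i in range(n):
        bit = 1 << i
        for k in range(len(a)):
            if k & bit:
                a[k] ^= a[k ^ bit]
    return a

def anf_terms(tt, n):
    """Monomials of the ANF as tuples of variable numbers, e.g. (2, 3) for x2x3."""
    a = anf(tt, n)
    terms = [tuple(i + 1 for i in range(n) if u >> i & 1) for u in range(len(a)) if a[u]]
    return sorted(terms, key=lambda t: (len(t), t))

def degree(tt, n):
    """Algebraic degree of f (degree of its ANF)."""
    return max((len(t) for t in anf_terms(tt, n)), default=0)

def anf_number(tt, n):
    """ANF packed as an integer with bit u = a_u: the paper's (280) for rule 34680."""
    return sum(c << u for u, c in enumerate(anf(tt, n)))

def walsh(tt):
    """Walsh transform w[u] = sum_x (-1)^(f(x) + u.x), by the fast Hadamard butterfly."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def resilience_order(tt, n):
    """Theorem 2.2: largest t with w[u] = 0 for all wH(u) <= t; -1 if not balanced."""
    w = walsh(tt)
    t = -1
    while t < n and all(w[u] == 0 for u in range(len(w)) if bin(u).count("1") == t + 1):
        t += 1
    return t

def nonlinearity(tt, n):
    """Theorem 2.5: N_f = 2^(n-1) - max|w(u)| / 2."""
    return (1 << (n - 1)) - max(abs(v) for v in walsh(tt)) // 2

def correlation_with_input(tt, i):
    """Pr(f(x) = 1 + x_i) for uniform x; the bias of rule (30) used in Section 2.2."""
    hits = sum(1 for k, b in enumerate(tt) if b == 1 ^ (k >> (i - 1) & 1))
    return hits / len(tt)

def resilient_4var_rules():
    """Exhaustive search of Section 2.4: balanced, 1-resilient and not affine."""
    found = []
    for r in range(1 << 16):
        if bin(r).count("1") != 8:  # unbalanced functions cannot be resilient
            continue
        tt = truth_table(r, 4)
        if resilience_order(tt, 4) >= 1 and nonlinearity(tt, 4) > 0:
            found.append(r)
    return found

def classify(rules, n=4):
    """Map rule -> (nonlinearity, algebraic degree, ANF as an integer)."""
    out = {}
    for r in rules:
        tt = truth_table(r, n)
        out[r] = (nonlinearity(tt, n), degree(tt, n), anf_number(tt, n))
    return out

if __name__ == "__main__":
    tt30 = truth_table(30, 3, x1_msb=True)
    print("rule 30:", anf_terms(tt30, 3), "resilience", resilience_order(tt30, 3),
          "nonlinearity", nonlinearity(tt30, 3), "Pr(f = 1+x1)", correlation_with_input(tt30, 1))
    stats = classify(resilient_4var_rules())
    print(len(stats), "rules; nonlinearities", sorted({v[0] for v in stats.values()}),
          "degrees", sorted({v[1] for v in stats.values()}))
    print("ANF numbers of 34680 and 39318:", stats[34680][2], stats[39318][2])
```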
3. Hybrid Cellular automata
3.1. Linear hybrid cellular automata
In the context of sequence generation, several authors consider
the case where different cells of the CA use different rules. This
model is called hybrid cellular automata. In [5,25], Muzio et al.
consider linear hybrid cellular automata using two different linear
rules. The automata are null-boundary and the linear updating
rules are (90) and (150). In [6], LHCA are proved equivalent to
linear feedback shift registers.
Let $D = [d_0, \ldots, d_{\ell-1}]$ be a binary vector with the following properties: if $d_i = 0$ then cell i uses rule (90), else cell i uses rule (150). In other terms,
$x_i(t+1) = x_{i-1}(t) + d_i \cdot x_i(t) + x_{i+1}(t) \bmod 2$.
Using this rule, it is possible to give a matrix representation of the transition between two consecutive states. Let the current state be $s(t) = (x_0(t), \ldots, x_{\ell-1}(t))$, then
$s(t+1) = A \cdot s(t)$, (4)
where the binary matrix A, called transition matrix, is defined by
$$A = \begin{pmatrix} d_0 & 1 & 0 & \cdots & 0 \\ 1 & d_1 & 1 & \ddots & \vdots \\ 0 & 1 & d_2 & \ddots & 0 \\ \vdots & \ddots & \ddots & \ddots & 1 \\ 0 & \cdots & 0 & 1 & d_{\ell-1} \end{pmatrix}.$$
Let ∆ be the characteristic polynomial of A, that is $\Delta = |x\,\mathrm{Id} - A|$. A polynomial is said to be a HCA polynomial if it is the characteristic polynomial of some HCA. The following theorem gives a property of HCA polynomials [5,8]:
Theorem 3.1. Let $p \in F_2[X]$ of degree n and $p'$ its formal derivative. Then p is a HCA polynomial if and only if for some solution q for y of the congruence
$y^2 + (x^2 + x)\, p'\, y + 1 \equiv 0 \pmod p$, (5)
Euclid's greatest common divisor algorithm on p and q results in n degree-one quotients.
If the polynomial p is irreducible, then equation (5) has exactly two solutions, both of which result in n degree-one quotients:
Theorem 3.2. Let p ∈ F2[X] be an irreducible polynomial. Then
p has exactly two HCA realizations with one being the reversal of
the other.
Given a polynomial, the construction of the corresponding HCA
is called the synthesis approach. A detailed method is described
in [5] using this theorem to find HCA polynomial.
Moreover, given two irreducible polynomials p and q with corresponding transition matrices P and Q, the transition matrix corresponding to $p \cdot q$ is given by $\begin{pmatrix} P & 0 \\ 0 & Q \end{pmatrix}$. This operation corresponds to the concatenation of two LHCA [7].
3.2. Synthesis of classical sequences by LHCA
A semi-bent function is a Boolean function in an odd number n of variables, the Walsh transform of which takes only three values $0, \pm 2^{(n+1)/2}$. Some of these are traces of AB vectorial functions [4] in the form $f(x) = \mathrm{Tr}(ax + bx^s)$, where a, b are scalars of the extension field $F_{2^n}$ and Tr the trace function from $F_{2^n}$ down to $F_2$. For monomial AB functions, the exponents s are in the list of Gold, Kasami, Welch, Niho (see Table 1).

Name     s                      Conditions
Gold     $2^i + 1$              $i \wedge n = 1$, $1 \le i \le n/2$
Kasami   $2^{2i} - 2^i + 1$     $i \wedge n = 1$, $1 \le i \le n/2$
Welch    $2^{(n-1)/2} + 3$
Niho     $2^{2r} + 2^r - 1$     r = t/2 for t even, r = (3t + 1)/2 for t odd, with $1 \le r \le n = 2t + 1$

Table 1. Exponents of Almost Bent monomials
In all cases, for α a primitive element of $F_{2^n}$ and $m_\alpha$ the minimal polynomial of α, the polynomial $m_\alpha m_{\alpha^s}$ is used to synthesize HCA. Using these polynomials, sequences with good correlation properties can be synthesized by linear hybrid cellular automata.
3.3. Cryptography with LHCA
Linear HCA cannot serve directly as pseudo-random sequence generators for cryptography. Equation (4) is used to describe any current state of the CA in terms of the initial state by the relation
$s(t) = A^t \cdot s(0)$. (6)
Let N be the index of the cell which gives the output sequence $(s_N(t))_t$ of the CA. Then
$s_N(t) = a_N(t) \cdot s(0)$, (7)
where $a_N(t)$ denotes the ℓ-bit vector corresponding to the row N of the matrix $A^t$. In this case, the initial state is known by the inversion of the binary linear system according to (7).
In these conditions, the binary vector $D = [d_0, \ldots, d_{\ell-1}]$ must be non-constant. If the vector D changes as a function of s(t), e.g. $d_i(t) = s_{i+2}(t)$, then
$s_i(t+1) = s_{i-1}(t) \oplus s_i(t) \oplus d_i(t) \cdot s_{i+1}(t)$. (8)
In this case, we get the nonlinear Boolean function (280) of Section 2 again. In fact, if $d_i(t)$ is a linear combination of bits of the current state s(t), then the updating function corresponds to a quadratic Boolean function.
Another possibility is to consider the vector $[d_0, \ldots, d_{n-1}] = [y_0(t), \ldots, y_{n-1}(t)]$, where the bits $y_i(t)$ are the internal state of another CA. Generalizing this system, a cascade of n CA is constructed, where the state of the n-th CA corresponds to the vector D of the (n+1)-th CA. This cascade provides high quality pseudo-random sequences and a possibility for larger cycles.
We illustrate our previous proposition by an example: let $CA_1$ be a uniform CA using rule (39318) of length ℓ. The internal state of $CA_1$ corresponds to the binary vector $D = [d_0, \ldots, d_{\ell-1}]$ and the rule of the second automaton $CA_2$ is described by equation (8).
The output sequence of this generator is given by the sequence $(s_N(t))_t$ where s is the internal state of $CA_2$ and ℓ = 2N + 1.
In this case, the cryptanalysis of the pseudo-random generator of [13] proposed in [3] is not possible because the rules are nonlinear and the output of the generator consists of just one bit.
As proposed in [18], it is preferable that the output sequence is not directly one (or several) bits of the current state. In this case the output sequence is filtered by a Boolean function. This scheme is a variant of the classical filtered linear feedback shift register. The Boolean function must have the same properties, such as high nonlinearity or resilience order.
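The following Python code is an added example, not code from the paper: it builds the transition matrix A of (4) from the vector D of a 90/150 LHCA (Section 3.1), checks the cell-wise update against it, computes the characteristic polynomial Δ over F2 (the tridiagonal recurrence it uses is an assumption stated in the code, verified by Cayley–Hamilton), and implements the cascade of this section in which a uniform rule-(39318) automaton CA1 supplies D to a second automaton CA2 updated by equation (8). The circular boundary of CA1 and the seeds are constructed assumptions.

```python
"""90/150 LHCA of Section 3.1 and the CA cascade of Section 3.3.

Added example, not code from the paper.  A state is a list of bits, cell 0 on
the left.  The LHCA and CA2 are null-boundary as in the paper; CA1 (rule 39318)
is assumed to be a circular register, which the paper does not specify.
"""

def lhca_matrix(D):
    """Transition matrix A of (4): d_i on the diagonal, 1 on both off-diagonals."""
    n = len(D)
    return [[D[i] if i == j else int(abs(i - j) == 1) for j in range(n)] for i in range(n)]

def mat_vec(A, s):
    """s(t+1) = A.s(t) over F2."""
    return [sum(a & b for a, b in zip(row, s)) % 2 for row in A]

def mat_mul(A, B):
    """Matrix product over F2."""
    n = len(A)
    return [[sum(A[i][k] & B[k][j] for k in range(n)) % 2 for j in range(n)] for i in range(n)]

def lhca_step(s, D):
    """Cell-wise form: x_i(t+1) = x_{i-1}(t) + d_i x_i(t) + x_{i+1}(t) mod 2, zeros outside."""
    n = len(s)
    return [((s[i - 1] if i > 0 else 0) + D[i] * s[i] + (s[i + 1] if i < n - 1 else 0)) % 2
            for i in range(n)]

def char_poly(D):
    """Delta = |x Id - A| over F2 as a coefficient list, lowest degree first.

    Assumption (standard for tridiagonal matrices with unit off-diagonals): the
    leading principal minors satisfy Delta_k = (x + d_{k-1}) Delta_{k-1} + Delta_{k-2}
    over F2; poly_at_matrix() lets the caller confirm Delta(A) = 0.
    """
    prev, cur = [1], [D[0], 1]                 # Delta_0 = 1, Delta_1 = x + d_0
    for d in D[1:]:
        nxt = [0] * (len(cur) + 1)
        for i, c in enumerate(cur):            # (x + d) * Delta_{k-1}
            nxt[i + 1] ^= c
            nxt[i] ^= d & c
        for i, c in enumerate(prev):           # + Delta_{k-2}
            nxt[i] ^= c
        prev, cur = cur, nxt
    return cur

def poly_at_matrix(coeffs, A):
    """Evaluate a polynomial over F2 at the matrix A by Horner's scheme."""
    n = len(A)
    acc = [[0] * n for _ in range(n)]
    for c in reversed(coeffs):
        acc = mat_mul(acc, A)
        for i in range(n):
            acc[i][i] ^= c
    return acc

def rule_39318_step(x):
    """x_i(t+1) = x_{i-1} XOR x_i XOR (x_{i+1} OR x_{i+2}) on a circular register."""
    n = len(x)
    return [x[i - 1] ^ x[i] ^ (x[(i + 1) % n] | x[(i + 2) % n]) for i in range(n)]

def cascade_step(s, d):
    """Equation (8): s_i(t+1) = s_{i-1}(t) + s_i(t) + d_i(t) s_{i+1}(t), null boundary."""
    n = len(s)
    return [(s[i - 1] if i > 0 else 0) ^ s[i] ^ (d[i] & (s[i + 1] if i < n - 1 else 0))
            for i in range(n)]

def cascade_output(seed1, seed2, nbits):
    """Run CA1 (rule 39318) feeding D to CA2 (equation (8)); emit the middle cell of CA2.

    Both seeds have the same odd length l = 2N + 1 and the output is s_N(t), N = l // 2.
    """
    if len(seed1) != len(seed2) or len(seed1) % 2 == 0:
        raise ValueError("seeds must have the same odd length")
    d, s = list(seed1), list(seed2)
    middle = len(s) // 2
    out = []
    for _ in range(nbits):
        out.append(s[middle])
        s = cascade_step(s, d)           # CA2 uses the current state of CA1 as D
        d = rule_39318_step(d)           # then CA1 advances
    return out

if __name__ == "__main__":
    D = [1, 0, 0, 1, 1, 0, 1]            # constructed 90/150 pattern
    print("characteristic polynomial (low -> high):", char_poly(D))
    print("Delta(A) == 0:", poly_at_matrix(char_poly(D), lhca_matrix(D)) == [[0] * 7 for _ in range(7)])
    print("cascade bits:", cascade_output([1, 0, 0, 1, 0, 1, 1], [0, 1, 1, 0, 1, 0, 0], 24))
```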
Conclusion
We have used the synthesis approach to give an effective CA-
realization of classical sequences with good correlation properties.
We have also presented good and bad ways to construct pseudo-
random binary sequences for cryptographic applications with cel-
lular automata.
The main interest of this work concerns the hardware implementation. The target hardware model of CAs is the Field Programmable Gate Array (FPGA). These devices consist of an array of uncommitted logic gates whose function and interconnection is determined by downloading information to the device. When the programming configuration is held in static RAM, the logic function implemented by those FPGAs can be dynamically reconfigured in fractions of a second by rewriting the configuration memory contents. Thus, the use of FPGAs can speed up the computation done by the cellular automata.
These results can be extended in many directions. If the number of variables of the Boolean function must be increased, the search for good updating rules is a classical problem in symmetric cryptography. Other applications of CA than pseudo-random generation (e.g. hash functions) can also be investigated.
Acknowledgements
The authors thank Sihem Mesnager for helpful comments.
References
[1] A.M. Apohan and C.K. Koc. Inversion of cellular automata iterations. In
Computer and Digital Techniques, volume 144, pages 279–284, 1997.
[2] F. Bao. Cryptanalysis of a new cellular automata cryptosystem. In
ACISP, pages 416–427, 2003.
[3] S.R. Blackburn, S. Murphy, and K.G. Paterson. Comments on “theory
and applications of cellular automata in cryptography”. IEEETC: IEEE
Transactions on Computers, 46, 1997.
[4] C. Carlet, P. Charpin, and V. Zinoviev. Codes, bent functions and per-
mutations suitable for DES-like cryptosystems. Designs Codes and Cryp-
tography, 15:125–156, 1998.
[5] K Cattell and J.C Muzio. Synthesis of one-dimensional linear hybrid cel-
lular automata. IEEE Trans. on Computer-aided design of integrated cir-
cuits and systems, 15(3):325–335, 1996.
[6] K Cattell and J.C Muzio. An explicit similarity transform between CA
and LFSR matrices. Finite fields and their applications, 4:239–251, 1998.
[7] K Cattell, S Zhang, X Sun, M Serra, J.C Muzio, and D.M Miller. One-
dimensional LHCA: their synthesis, properties and applications in VLSI
testing. Report, University of Victoria, B.C., Canada, 1998.
[8] S.J Cho, U.S Choi, H.D Kim, Y.H Hwang, J.G Kim, and S.H Heo.
New synthesis of one-dimensional 90/150 linear hybrid group CA. IEEE
Transactions on computer-aided design of integrated circuits and systems,
26(9):1720–1724, 2007.
[9] J. Daemen, R. Govaerts, and J. Vandewalle. A framework for the design of one-way hash functions including cryptanalysis of Damgård's one-way function based on a cellular automaton. In ASIACRYPT: Advances in Cryptology. LNCS, Springer-Verlag, 1991.
[10] I.B. Damgard. Design principle for hash functions. In Advances in cryp-
tology CRYPTO 89, volume 435, pages 416–427, 1990.
[11] P. Joshi, D Mukhopadhyay, and D. RoyChowdhury. Design and analysis
of a robust and efficient block cipher using cellular automata. In Advanced
Information Networking and Applications. IEEE Computer Society, pages
67–71, 2006.
[12] D Kagaris. A similarity transform for linear finite state machines. Discrete
Applied Mathematics, 154:1570–1577, 2006.
[13] B. Kar, S. Nandi, and P. PalChaudhuri. Theory and applications of cellular automata in cryptography. IEEE Transactions on Computers, 43(12):1346–1357, 1994.
[14] F.J. MacWilliams and N.J.A. Sloane. The theory of error correcting codes.
North-Holland, 1977.
[15] B. Martin. A Walsh exploration of elementary CA rules. Journal of Cel-
lular Automata, 2008. To appear.
[16] W. Meier and O. Staffelbach. Nonlinearity criteria for cryptographic func-
tions. In EUROCRYPT ’89, pages 549–562, Springer-Verlag, 1990.
[17] W. Meier and O. Staffelbach. Analysis of pseudo random sequences gener-
ated by cellular automata. In EUROCRYPT ’91, Lecture Notes in Com-
puter Science. Springer Verlag, 1991.
[18] M. J. Mihaljevic. An improved key stream generator based on the pro-
grammable cellular automata. In ICICS ’97: Proceedings of the First
International Conference on Information and Communication Security,
pages 181–191, 1997. Springer-Verlag.
[19] M.J. Mihaljevic, Y. Zheng, and H. Imai. A cellular automaton based
fast one-way hash function suitable for hardware implementation. Lecture
Notes in Computer Science, 1431:217–??, 1998.
[20] M.J. Mihaljevic, Y. Zheng, and H. Imai. A fast and secure stream cipher
based on cellular automata over GF(q). In Global Telecommunications
Conference, 1998. GLOBECOM 98, volume 6, pages 3250–3255, 1998.
[21] D. Mukhopadhyay and D. RoyChowdhury. Cellular automata: an ideal candidate for a block cipher. In First International Conference on Distributed Computing and Internet Technology ICDCIT 2004, volume 3347, 2004.
[22] P. Sarkar and S. Maitra. Nonlinearity bounds and constructions of re-
silient boolean functions. In CRYPTO ’00, pages 515–532, 2000. Springer-
Verlag.
[23] S. Sen, C. Shaw, D RoyChowdhury, N. Ganguly, and P. PalChaudhuri.
Cellular automata based cryptosystem (CAC). In ICICS, volume 2513
of Lecture Notes in Computer Science, pages 303–314. Springer Verlag,
2002.
[24] F. Seredynski, P. Bouvry, and A. Y. Zomaya. Cellular automata compu-
tations and secret key cryptography. Parallel Comput., 30(5-6):753–766,
2004.
[25] M. Serra, T. Slater, J.C. Muzio, and D.M. Miller. The analysis of one
dimensional cellular automata and their aliasing properties. IEEE Trans.
on Computer-aided design, 9:767–778, 1990.
[26] T. Siegenthaler. Correlation-immunity of nonlinear combining functions
for cryptographic applications. IEEE Transactions on Information The-
ory, 30(5):776–, 1984.
[27] M. Sipper and M. Tomassini. Co-evolving parallel random number genera-
tors. In Parallel Problem Solving from Nature – PPSN IV, pages 950–959,
1996. Springer Verlag.
[28] National Institute of Standards and Technology. FIPS publication 140-2, Security requirements for cryptographic modules. US Gov. Printing Office, Washington, 1997.
[29] Y.V. Tarannikov. On resilient Boolean functions with maximal possible nonlinearity. Springer LNCS 1997, pages 19–30, 2000.
[30] S. Wolfram. Cryptography with cellular automata. In CRYPTO 85, Lec-
ture Notes in Computer Science. Springer Verlag, 1985.
[31] S. Wolfram. Random sequence generation by cellular automata. Advances
in applied mathematics, 7:123–169, 1986.
[32] S. Wolfram. A new kind of science. Wolfram Media Inc., Champaign, Illinois, USA, 2002.
[33] G-Z. Xiao and J. L. Massey. A spectral characterization of correlation-
immune combining functions. IEEE Trans. on Information Theory,
34(3):569–, 1988.