Page 1

Boolean Functions: Cryptography and Applications

Fonctions Bool´ eennes: Cryptographie & Applications

BFCA’08

PSEUDO-RANDOM SEQUENCES, BOOLEAN

FUNCTIONS AND CELLULAR AUTOMATA

Patrick Lacharme1, Bruno Martin2and Patrick Sol´ e2

Abstract. Generation of pseudo-random binary sequences

by one-dimensional cellular automata is surveyed using both

uniform and hybrid automata. The updating function is a

Boolean function that must satisfy criteria of resilience and

nonlinearity for the sequence they generate to be secure for

a stream cipher application.

Keywords : Cellular automata, pseudo-random sequences,

resilience, nonlinearity.

Introduction

Cellular automata (CA) are models of finite state machines

used in many applications of computer science.

they are is employed for the generation of binary pseudo-random

sequences in cryptography. In the present work, we survey meth-

ods to generate binary pseudo-random sequences with cellular au-

tomata. We particularly focus on the search for good updating

functions.

Section 1 presents the different cellular automata for sequence

generation and a surveys their cryptographic applications. Sec-

tion 2 concentrates on uniform cellular automata, particularly on

the properties required for the updating function. An exhaustive

list of rules satisfying the properties is given. Section 3 surveys

In particular,

1IMATH, Universit´ e Toulon/Var, BP 132, F–83957 La Garde cedex.

2I3S, Universit´ e de Nice Sophia-Antipolis, CNRS, 2000 route des Lucioles,

BP 121, F–06903 Sophia–Antipolis Cedex.

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Author manuscript, published in "Boolean Functions: Cryptography & Applications, Copenhague : Danemark (2008)"

Page 2

2

PATRICK LACHARME, BRUNO MARTIN, PATRICK SOL´E

the generation of pseudo-random sequences by hybrid cellular au-

tomata and proposes the generation of classical sequences by CA

synthesis. At last, cryptographic applications of hybrid cellular

automata are sketched.

1. Cellular automata and pseudo-random generation

1.1. Uniform cellular automata

One-dimensional binary cellular automata consist of a line of

cells with binary values. For practical implementations, the num-

ber of cells is finite. There are two cases: a CA is boundary if

the cells are arranged in a circular register and it is null-boundary

when both extremal cells are fed with zeroes. All the cells are

finite state machines with an updating function which gives the

new state of the cell according to its current state and the current

state of its nearest neighbors.

S. Wolfram proposes in [31] to use cellular automata to produce

pseudo-random sequences. He considers one-dimensional binary

cellular automata with ? cells with ? = 2N + 1. All the cells are

identical finite state machines with binary states. For an uniform

CA, the values of the cells at time t are updated synchronously

with a Boolean function f with n = r1+ r2+ 1 variables by the

rule

xi(t + 1) = f(xi−r1(t),...,xi(t),...,xi+r2(t)) .

For a fixed t, the sequence of the values xifor 1 ≤ i ≤ 2N + 1, is

the configuration at time t. It is a mapping c : [[1,2N + 1]] → F2

which assigns a state of F2to each cell of the cellular automaton.

The initial configuration (at time 0) x1(0),...,x?(0) is the seed of

the generator, the sequence (xN(t))tis the output sequence and,

when r1= r2= r, the number r denotes the radius of the rule.

For example, let us consider the following updating function f:

f(xi−1,xi,xi+1) = xi−1XOR (xiOR xi+1).

The truth table of the Boolean function f is

x3

x2

x1

0

0

0

0

1

0

0

1

0

1

0

1

1

1

0

1

0

0

1

1

1

0

1

0

0

1

1

0

1

1

1

0

f(x1,x2,x3)

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Page 3

PRS, BOOLEAN FUNCTIONS AND CA

3

The binary sequence 00011110 is the binary representation of

the natural number 30 and allows to give a numbering of the rules

(rule (30) in this case). In this paper, this notation is kept to

describe a Boolean function. In the rest of this paper the additions

of integers in Z will be denoted by + and Σ and additions in F2will

be denoted by ⊕ and?. For simplicity and when there will be

If x and b are two binary vectors, we denote by x · b their usual

inner product x·b =?n

functions.

no ambiguity, we shall denote by + the addition of binary vectors.

i=1xibi. We also recall the definition of the

algebraic normal form as an alternative representation of Boolean

Definition 1.1. A Boolean function f with n variables is rep-

resented by a binary polynomial in n variables, called algebraic

normal form (ANF): f(x) =?

If we consider rule (30) again, its ANF is the polynomial x1⊕

x2⊕ x3⊕ x2x3.

The degree of the ANF denoted by d◦f is called the algebraic

degree of the function. This makes sense thanks to the existence

and uniqueness of the ANF. The Hamming weight wH(f) of f is

the number of vectors x in Fn

balanced if wH(f) = wH(1⊕f), i.e. wH(f) = 2n−1. The Hamming

distance between f and g is dH(f,g) = wH(f ⊕ g).

u∈Fn

2au(?n

i=1xui

i).

2such that f(x) = 1. A function is

1.2. Hybrid cellular automata

When the rules are not identical for all the cells, the automaton

is called non uniform, (or hybrid) and is denoted HCA. Moreover

if the rules are linear, the automaton is called linear hybrid cellular

automata (LHCA).

In [5,25], Muzio et al. consider linear hybrid cellular automata

using two different linear rules. They assume the CA null-boundary

and the linear updating rules are (90) and (150). A similarity

transform between LHCA and linear feedback shift register is pro-

posed in [6] and was recently improved in [12].

1.3. Cellular programming approach

Tomassini and Sipper [27] proposed to use hybrid cellular au-

tomata for generating better pseudo-random sequences. In this

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Page 4

4

PATRICK LACHARME, BRUNO MARTIN, PATRICK SOL´E

model, the rules are obtained by an evolutionary approach (a ge-

netic algorithm). They have designed a cellular programming al-

gorithm for cellular automata to perform computations, and have

applied it to the evolution of pseudo-random sequence generators.

Their approach uses Koza’s entropy Eh = −?kh

tion, h a subsequence length and phjis a measured probability of

occurrence of a sequence hjin a pseudo-random sequence.

Tomassini and Sipper have selected four rules of radius r = 1 for

use in non-uniform cellular automata. The best rules selected by

the genetic algorithm were rules 90, 105, 150 and 165 (all linear).

A series of tests (including χ2test, serial correlation coefficient,

entropy and Monte Carlo, but no correlation-immunity analysis)

were made with good results, showing that co-evolving generators

are at least as good as the best available CA randomizer. The

authors also use elementary rules which were proved to be not

correlation-immune. This was further investigated in [24].

j=1phjlog2phj

where k denotes the number of possible values per sequence posi-

Following the same kind of approach, Seredynski et al. in [24]

have generalized the selection process to radius 2 rules. They use

then both radius 1 and radius 2 rules in hybrid cellular automata.

The rules selected by their genetic algorithm were 30, 86, 101 and

869020563, 1047380370, 1436194405, 1436965290, 1705400746,

1815843780, 2084275140 and 2592765285.

Their new set of rules was tested by a number of statistical tests

required by the FIPS 140-2 standard [28] and the Marsaglia tests

implemented in the Diehard program but no correlation-immunity

analysis was made either.

Moreover, the entropy calculation used in cellular programming

approach reduces the efficiency of the algorithm.

1.4. Cryptographic applications

In [30] Wolfram proposed to use cellular automata for a stream

cipher application. In this case, it must be hard to find the cur-

rent state (and the seed in particular) from the output sequence

(known plaintext attack). An exhaustive search can be done over

the 2?possible initial states, but for large ?, exhaustive search

becomes impossible. In [30], the cellular automaton is a simple

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Page 5

PRS, BOOLEAN FUNCTIONS AND CA

5

one-dimensional uniform cellular automaton with a 3-variable up-

dating rule.

Next, cellular automata are used in many area in cryptogra-

phy. In symmetric cryptography, a block cipher proposed in [13]

has been broken in [3], using the linearity of the updating function

and the block cipher of [23] using linear and non linear rules has

been successfully cryptanalysed in [2]. Other propositions of block

ciphers are [21] and [11]. Some hash functions are proposed in [10]

(broken in [9]) and [19] and stream cipher in [18] [20].

For the design of cryptographic cellular automata, updating

rules should have an adapted radius and desired properties. In all

cases, the choice of the updating rules in the cellular automaton

is a fundamental criterion for the security of the crypto-system.

2. Uniform cellular automata

2.1. 3-variable updating function and rule (30)

The investigation of S. Wolfram [30] is concentrated on updat-

ing functions f with 3 variables, i.e. r1= r2= 1. In particular,

he considered rule (30) defined by

f(xi−1,xi,xi+1) = xi−1XOR (xiOR xi+1),

or equivalently

f(xi−1,xi,xi+1) = xi−1+ xi+ xi+1+ xixi+1mod 2.

S. Wolfram claims the sequence (xt

given i. He extensively studied this particular rule, demonstrating

its suitability as a high performance randomizer which can be effi-

ciently implemented in parallel; this is one of the pseudo-random

generators which was shipped with the connection machine CM2

and which is currently used in the Mathematica software.

i)t≥0 is pseudo-random for a

2.2. Attack of Meier and Staffelbach

The first attack on this pseudo-random generator is proposed

by W. Meier and O. Staffelbach in [17]. The output sequence

(xN(t))t is known for t = 0,...,N. The sequence (xN+1(t))t is

called right adjacent sequence. The principle is that if the right

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Page 6

6

PATRICK LACHARME, BRUNO MARTIN, PATRICK SOL´E

adjacent sequence is known for t = 0,...,N − 1, then half of the

seed x0(0),...,xN−1(0) is known, using the partial linearity of f :

xi−1(t) = xi(t + 1) XOR (xi(t) OR xi+1(t)).

This attack is successfull if the right adjacent sequence is easily

constructed. Statistical experiments show that there are only few

possibilities for the right adjacent sequence. As noted in [15], this

phenomenon comes from the correlation between the inputs and

the outputs of rule (30). Indeed, we have

Pr(xi(t + 1) = 1 ⊕ xi−1(t)) =3

In order to counter this attack, the updating function must be

resilient. This concept is introduced by T. Siegenthaler, in relation

with correlation attacks on stream ciphers [26].

Definition 2.1 (Resilient functions). A Boolean function f map-

ping Fn

binary constant c1,...,ctand for all y ∈ F2,

Pr(f(x) = y | xi1= c1,...,xit= ct) =1

where xiwith i / ∈ {i1,...,it} verifies Pr(xi=1) = Pr(xi=0)=0.5.

For a Boolean function f with n variables, the Walsh transform

?f of f is defined over Fn

?f(u) =

The Walsh transform of f is related to the Hamming weight of

the function f ⊕ lb(where lb(x) = b · x) via the relation:?f(b) =

?

G.Z. Xiao and J.L. Massey give a spectral characterization of

resilient functions [33]

Theorem 2.2. A Boolean function in n variables is t-resilient iff

for all u whose Hamming weight verifies 0 ≤ wH(u) ≤ t, we have

?f(u) = 0.

4.

2to F2is t-resilient if for any coordinates i1,...it, for any

2,

2by

?

x∈Fn

2

(−1)f(x)⊕u·x.

2n− 2wH(f ⊕ lb). It satisfies Parseval’s relation:

b∈Fn

2

?f2(b) = 22n.

(1)

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Page 7

PRS, BOOLEAN FUNCTIONS AND CA

7

Theorem 2.3. For a t-resilient (0 ≤ t < n−1) Boolean function

with n variables, there is an upper bound for its algebraic degree

d: d ≤ n − t − 1 if t < n − 1 and d = 1 if t = n − 1.

Theorem 2.3 shows that the algebraic degree of a 1-resilient

function with 3 variables is at most 1, i.e. the Boolean function

is linear. B. Martin has explored all the Boolean functions in 3

variables and concludes that there is no non linear function in 3

variables which is 1-resilient [15] which is also a consequence of

the Siegenthaler bound [26].

2.3. Attack of Ko¸ c and Apohan

The second attack against rule (30) is proposed by C.K. Ko¸ c

and A.M. Apohan [1].

The algorithm is based on the linear approximation of the up-

dating function. The resistance to this attack depends on the

distance between the updating function and the set of all linear

functions. Let l be the best linear approximation of the updating

function f with n variables and A the number of points such that

f(x) = l(x). Let α = A/2nbe the probability than f(x) = l(x).

Then the algorithm requires at most 2(n−1)(1−α)ltrials for arbi-

trary nonlinear functions and seed. Under these conditions, the

number α must be small.

Definition 2.4 (Nonlinearity). Let f be a Boolean function map-

ping Fn

2to F2. The nonlinearity Nfof f is defined by

Nf=min

(a0,...,an)∈{0,1}n+1dH(f(x),a0⊕ a1x1⊕ ··· ⊕ anxn) .

The relation between Walsh transform and nonlinearity comes

from W. Meier and O. Staffelbach [16].

Theorem 2.5. Let f be a function mapping Fn

2to F2. Then

Nf= 2n−1−1

2max

u∈Fn

2

|?f(u)| ,

and

Nf≤ 2n−1− 2

n

2−1.

(2)

A cellular automaton resists the attack of [1] if the nonlin-

earity of its updating function is high. Boolean functions where

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Page 8

8

PATRICK LACHARME, BRUNO MARTIN, PATRICK SOL´E

nonlinearity meet the bound (2) are called bent functions. Bent

functions in an even number of variables exist but are never bal-

anced. Moreover, there is a tradeoff between resilience order and

nonlinearity [22] :

Theorem 2.6. Let f be a Boolean function t-resilient over Fn

Then there is an upper bound on the nonlinearity of f: Nf ≤

2n−1− 2t+1.

By [29] this bound is tight for t ≥ 0.6n.

2.

2.4. 4-variable updating functions

In this section, we investigate the 216= 65536 elementary CA

rules with 4 variables and give a complete classification of the

functions which have good resilience and nonlinearity properties.

These functions are used to get cellular automata for generating

cryptographic pseudorandom sequences.

An exhaustive search by the Walsh transform of all Boolean

functions with 4 variables is realized, to find a list of 1-resilient

functions, with high nonlinearity.

There are exactly 200 non linear balanced functions which are

1-resilient and all are quadratics (cubics balanced functions are

not resilient by Siegenthaler bound (Theorem 2.3)).

A Boolean function in 4 variables is defined by an integer be-

tween 0 and 65536, keeping Wolfram’s notation for CA rules with

3 variables. For example, the function (34680), with binary rep-

resentation 100001110111000 corresponds to the following truth

table:

x1

x2

x3

x4

0

0

0

0

0

1

0

0

0

0

0

1

0

0

0

1

1

0

0

1

0

0

1

0

1

1

0

1

0

1

0

1

1

0

1

1

1

1

0

0

0

0

0

1

1

1

0

0

1

1

0

1

0

1

1

1

1

0

1

0

0

0

1

1

0

1

0

1

1

0

0

1

1

1

0

1

1

1

1

1

f(x1,x2,x3,x4)

For classifying the functions, we use their algebraic normal form

(ANF). For instance the ANF of rule (280) (=100011000 in binary)

corresponds to the polynomial

f(x1,x2,x3,x4) = x1x2⊕ x3⊕ x4.

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

(3)

hal-00305493, version 1 - 24 Jul 2008

Page 9

PRS, BOOLEAN FUNCTIONS AND CA

9

For the classification of these functions, let σ denote a 4 by 4

permutation matrix. Two Boolean functions f and g are equiva-

lent if there exists a permutation σ such that f(x) = g(σ(x)) or

g(σ(x)) + 1.

The following table gives the set of all 1-resilient function, with

a representant of each class f, its corresponding ANF and the

cardinal of each class:

f

ANF

34680280

x1x2⊕ x3⊕ x4

6120 360

x4⊕ x1x2⊕ x1x3⊕ x2x3

7140 300

x2⊕ x4⊕ x1x2⊕ x1x3

11730282

x1⊕ x3⊕ x4⊕ x1x2

34740 1308

x2⊕ x3⊕ x4⊕ x1x2⊕ x4x2

393184374

x1⊕ x2⊕ x3⊕ x4⊕ x3x4

7128 5432

x3⊕ x4⊕ x1x2⊕ x3x1⊕ x4x2⊕ x4x3

11220380

x2⊕ x3⊕ x1x2⊕ x3x1⊕ x4x2

The nonlinearity of these functions is computed for an evalua-

tion of the resistance against the attack of [1]. The 200 1-resilient

Boolean functions with 4 variables have a nonlinearity equal to 4.

There exist some Boolean function with 4 variables with nonlin-

earity 6, but they are not resilient, according Theorem 2.6.

ANFcard.

12

8

48

24

48

12

24

24

Two classes of functions are more interesting because these

functions can be inplemented with only 3 logical gates. These

functions are (34680) and (39318) or equivalently

f(x1,x2,x3,x4) = x1⊕ x2⊕ (x3OR x4)

In this case, the two CA are described by the updating function

xi(t + 1) = xi−1(t) XOR xi(t) XOR (xi+1(t) AND xi+2(t)) ,

and

xi(t + 1) = xi−1(t) XOR xi(t) XOR (xi+1(t) OR xi+2(t)) .

If the resilience order of the updating function must be greater

than 1 (for example with a generalization of [17]), then Boolean

functions with 5 variables should be used.

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Page 10

10

PATRICK LACHARME, BRUNO MARTIN, PATRICK SOL´E

3. Hybrid Cellular automata

3.1. Linear hybrid cellular automata

In the context of sequence generation, several authors consider

the case where different cells of the CA use different rules. This

model is called hybrid cellular automata. In [5,25], Muzio et al.

consider linear hybrid cellular automata using two different linear

rules. The automata are null-boundary and the linear updating

rules are (90) and (150). In [6], LHCA are proved equivalent to

linear feedback shift registers.

Let D = [d0,...,d?−1] be a binary vector with the following

properties : if di= 0 then cell i uses rule (90), else cell i uses rule

(150). In other terms,

xi(t + 1) = xi−1(t) + di.xi(t) + xi+1(t) mod 2 .

Using this rule, it is possible to give a matrix representation of the

transition between two consecutive states. Let the current state

be s(t) = (x0(t),...,x?−1(t)), then

s(t + 1) = A.s(t) ,

(4)

where the binary matrix A, called transition matrix, is defined by

d0

1

10

...

...

...

...

1

0

...

...

d1

1

1

0

...

0

d2

...

0

1

...dl−1

Let ∆ be the characteristic polynomial of A, that is ∆ = |xId−

A|. A polynomial is said to be a HCA polynomial if it is the

characteristic polynomial of some HCA. The following theorem

gives a property on HCA polynomial [5,8] :

Theorem 3.1. Let p ∈ F2[X] of degree n and p?its formal deriva-

tive. Then p is a HCA polynomial if and only if for some solution

q for y of the congruence

y2+ (x2+ x)p?y + 1 ≡ 0 mod p ,

(5)

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Page 11

PRS, BOOLEAN FUNCTIONS AND CA

11

Euclid’s greatest division algorithm on p and q results in n degree

one quotients.

If the polynomial p is irreducible, then equation (5) has exactly

two solutions, both of which result in n degree one quotient :

Theorem 3.2. Let p ∈ F2[X] be an irreducible polynomial. Then

p has exactly two HCA realizations with one being the reversal of

the other.

Given a polynomial, the construction of the corresponding HCA

is called the synthesis approach. A detailed method is described

in [5] using this theorem to find HCA polynomial.

Moreover, given p and q two irreducible polynomials with cor-

responding transition matrix P and Q, the transition matrix cor-

responding to p.q is given by?P 0

0 Q

?. This operation corresponds

to concatenation of two LHCA [7].

3.2. Synthesis of classical sequences by LHCA

A semi-bent functions is a Boolean functions in an odd number

n of variables, the Walsh transform of which takes only three values

0,±2(n+1)/2. Some of these are traces of AB vectorial functions [4]

in the form f(x) = Tr(ax + bxs), where a,b are scalars of the

extension field F2n and Tr the trace function from F2n down to

F2. For monomial AB functions, the exponents s are in the list of

Gold, Kasami, Welch, Niho (see Table 1).

Name

Gold

Kasami

Welch

Niho

s

Conditions

i ∧ n = 1,1 ≤ i ≤ n/2

i ∧ n = 1,1 ≤ i ≤ n/2

2i+ 1

22i− 2i+ 1

2(n−1)/2+ 3

22r+ 2r− 1

r = t/2 for t even

r = (3t + 1)/2 for t odd

with 1 ≤ r ≤ n = 2t + 1

Table 1. Exponents of Almost Bent monomials

In all cases, for α a primitive element on F2n and mαthe mini-

mal polynomial of α, the polynomial mαmαs, is used to synthesize

HCA. Using these polynomials, sequences with good correlation

properties can be synthesized by linear hybrid cellular automata.

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Page 12

12

PATRICK LACHARME, BRUNO MARTIN, PATRICK SOL´E

3.3. Cryptography with LHCA

Linear HCA cannot serve directly as pseudo-random sequence

generators for cryptography. Equation (4) is used to describe any

current state of the CA in terms of the initial state by the relation

s(t) = At.s(0) .

(6)

Let N be the index of the cell which gives the output sequence

(sN(t))tof the CA. Then

sN(t) = aN(t).s(0) ,

(7)

where aN(t) denotes the ?-bit vector corresponding to the row N

of the matrix At.

In this case, the initial state is known by the inversion of the bi-

nary linear system according to (7).

In these conditions, the binary vector D = [d0,...,d?−1] must

be non constant. If the vector D changes in function of s(t), e.g.

di(t) = si+2(t),

then

si(t + 1) = si−1(t) ⊕ si(t) ⊕ di(t).si+1(t) .

In this case, we get the non linear Boolean function (280) of sec-

tion 2 again.

In fact, if di(t) is a linear combination of bits of the current

state s(t), then the updating function corresponds to a quadratic

Boolean function.

(8)

An other possibility is to consider the vector [d0,..dn−1] =

[y0(t),..,yn−1(t)], where the bits yi(t) are the internal state of an

other CA. Generalizing this system, a cascade of n CA is con-

structed, where the state of the nth CA corresponds to the vector

D of the n + 1th CA. This cascade provides high quality pseudo

random sequence and a possibility for larger cycles.

We illustrate our previous proposition by an example: let CA1

be a uniform CA using rule (39318) of length ?. The internal state

of CA1corresponds to the binary vector D = [d0,...,d?−1] and the

rule of the second automaton CA2is described by equation (8).

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Page 13

PRS, BOOLEAN FUNCTIONS AND CA

13

The output sequence of this generator is given by the sequence

(sN(t))twhere s is the internal state of CA2and ? = 2N + 1.

In this case, the cryptanalysis of the pseudo random generator

of [13] proposed in [3] is not possible because rules are non linear

and the output of the generator consists in just one bit.

As proposed in [18], it is suitable that the output sequence is not

directly one (or several) bit of the current state. In this case the

output sequence is filtered by a Boolean function. This scheme is

a variant of the classical filtered linear shift register. The Boolean

function must have the same properties as high nonlinearity or

resilience order.

Conclusion

We have used the synthesis approach to give an effective CA-

realization of classical sequences with good correlation properties.

We have also presented good and bad ways to construct pseudo-

random binary sequences for cryptographic applications with cel-

lular automata.

The main interest of this work concerns the hardware imple-

mentation. The target hardware model of CAs is the Field Pro-

grammable Gate Arrays (known as FPGAs).These devices consist

of an array of uncommitted logic gates whose function and inter-

connection is determined by downloading information to the de-

vice. When the programming configuration is held in static RAM,

the logic function implemented by those FPGAs can be dynami-

cally reconfigured in fractions of a second by rewriting the config-

uration memory contents. Thus, the use of FPGAs can speed up

the computation done by the cellular automata.

These results can be extended in many directions. If the num-

ber of variables of the Boolean function must be increased, the

research of good updating rules is a classical problem in symmet-

ric cryptography. Other applications of CA than pseudo random

generation (e.g. hash functions) can also be investigated.

Acknowledgements

The authors thank Sihem Mesnager for helpful comments.

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Page 14

14

PATRICK LACHARME, BRUNO MARTIN, PATRICK SOL´E

References

[1] A.M. Apohan and C.K. Koc. Inversion of cellular automata iterations. In

Computer and Digital Techniques, volume 144, pages 279–284, 1997.

[2] F. Bao. Cryptanalysis of a new cellular automata cryptosystem. In

ACISP, pages 416–427, 2003.

[3] S.R. Blackburn, S. Murphy, and K.G. Paterson. Comments on “theory

and applications of cellular automata in cryptography”. IEEETC: IEEE

Transactions on Computers, 46, 1997.

[4] C. Carlet, P. Charpin, and V. Zinoviev. Codes, bent functions and per-

mutations suitable for DES-like cryptosystems. Designs Codes and Cryp-

tography, 15:125–156, 1998.

[5] K Cattell and J.C Muzio. Synthesis of one-dimensional linear hybrid cel-

lular automata. IEEE Trans. on Computer-aided design of integrated cir-

cuits and systems, 15(3):325–335, 1996.

[6] K Cattell and J.C Muzio. An explicit similarity transform between CA

and LFSR matrices. Finite fields and their applications, 4:239–251, 1998.

[7] K Cattell, S Zhang, X Sun, M Serra, J.C Muzio, and D.M Miller. One-

dimensional LHCA: their synthesis, properties and applications in VLSI

testing. Report, University of Victoria, B.C., Canada, 1998.

[8] S.J Cho, U.S Choi, H.D Kim, Y.H Hwang, J.G Kim, and S.H Heo.

New synthesis of one-dimensional 90/150 linear hybrid group CA. IEEE

Transactions on computer-aided design of integrated circuits and systems,

26(9):1720–1724, 2007.

[9] J. Daemen, R. Govaerts, and J. Vandewalle. A framework for the design

of one-way hash functions including cryptanalysis of damgard’s one-way

function based on a cellular automaton. In ASIACRYPT: Advances in

Cryptology. LNCS, Springer-Verlag, 1991.

[10] I.B. Damgard. Design principle for hash functions. In Advances in cryp-

tology CRYPTO 89, volume 435, pages 416–427, 1990.

[11] P. Joshi, D Mukhopadhyay, and D. RoyChowdhury. Design and analysis

of a robust and efficient block cipher using cellular automata. In Advanced

Information Networking and Applications. IEEE Computer Society, pages

67–71, 2006.

[12] D Kagaris. A similarity transform for linear finite state machines. Discrete

Applied Mathematics, 154:1570–1577, 2006.

[13] B. Kar, S. Nandi, and PalChaudhury P. Theory and applications of

cellular automata in cryptography. IEEE Transactions on Computer,

43(12):1346–1357, 1994.

[14] F.J. MacWilliams and N.J.A. Sloane. The theory of error correcting codes.

North-Holland, 1977.

[15] B. Martin. A Walsh exploration of elementary CA rules. Journal of Cel-

lular Automata, 2008. To appear.

[16] W. Meier and O. Staffelbach. Nonlinearity criteria for cryptographic func-

tions. In EUROCRYPT ’89, pages 549–562, Springer-Verlag, 1990.

[17] W. Meier and O. Staffelbach. Analysis of pseudo random sequences gener-

ated by cellular automata. In EUROCRYPT ’91, Lecture Notes in Com-

puter Science. Springer Verlag, 1991.

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008

Page 15

PRS, BOOLEAN FUNCTIONS AND CA

15

[18] M. J. Mihaljevic. An improved key stream generator based on the pro-

grammable cellular automata. In ICICS ’97: Proceedings of the First

International Conference on Information and Communication Security,

pages 181–191, 1997. Springer-Verlag.

[19] M.J. Mihaljevic, Y. Zheng, and H. Imai. A cellular automaton based

fast one-way hash function suitable for hardware implementation. Lecture

Notes in Computer Science, 1431:217–??, 1998.

[20] M.J. Mihaljevic, Y. Zheng, and H. Imai. A fast and secure stream cipher

based on cellular automata over GF(q). In Global Telecommunications

Conference, 1998. GLOBECOM 98, volume 6, pages 3250–3255, 1998.

[21] D. Mukhopadhyay and D. RoyChowdhury. Cellular automata : an ideal

candidate for a block cipher. In First International Conference on Dis-

tribued Computing and Internet Technology ICDCIT 2004, volume 3347,

2004.

[22] P. Sarkar and S. Maitra. Nonlinearity bounds and constructions of re-

silient boolean functions. In CRYPTO ’00, pages 515–532, 2000. Springer-

Verlag.

[23] S. Sen, C. Shaw, D RoyChowdhury, N. Ganguly, and P. PalChaudhuri.

Cellular automata based cryptosystem (CAC). In ICICS, volume 2513

of Lecture Notes in Computer Science, pages 303–314. Springer Verlag,

2002.

[24] F. Seredynski, P. Bouvry, and A. Y. Zomaya. Cellular automata compu-

tations and secret key cryptography. Parallel Comput., 30(5-6):753–766,

2004.

[25] M. Serra, T. Slater, J.C. Muzio, and D.M. Miller. The analysis of one

dimensional cellular automata and their aliasing properties. IEEE Trans.

on Computer-aided design, 9:767–778, 1990.

[26] T. Siegenthaler. Correlation-immunity of nonlinear combining functions

for cryptographic applications. IEEE Transactions on Information The-

ory, 30(5):776–, 1984.

[27] M. Sipper and M. Tomassini. Co-evolving parallel random number genera-

tors. In Parallel Problem Solving from Nature – PPSN IV, pages 950–959,

1996. Springer Verlag.

[28] National Institute Of Standards Technology. FIPS publication 140-2, Se-

curity requirements for cryptographic modules. US Gov. Printing Office,

Washington, 1997.

[29] Yuriy V. Tarannikov: On resilient Boolean functions with maximal possi-

ble nonlinearity, Springer LNCS 1997 (2000) 19–30.

[30] S. Wolfram. Cryptography with cellular automata. In CRYPTO 85, Lec-

ture Notes in Computer Science. Springer Verlag, 1985.

[31] S. Wolfram. Random sequence generation by cellular automata. Advances

in applied mathematics, 7:123–169, 1986.

[32] S. Wolfram. A new kind of science. Wolfram Media Inc., Champaign,

Ilinois, US, United States, 2002.

[33] G-Z. Xiao and J. L. Massey. A spectral characterization of correlation-

immune combining functions. IEEE Trans. on Information Theory,

34(3):569–, 1988.

J-F. Michon, P. Valarcher, J-B. Yun` es (Eds.): BFCA’08

hal-00305493, version 1 - 24 Jul 2008