Secure and Computationally-Efficient Cryptographic Primitive based on Cellular Automation

01/10/2019 ∙ by Rade Vuckovac, et al. ∙ 0

Mageto, a random number generator based on one-dimensional cellular automaton (CA) is presented. Three procedures of secure implementation using Mageto is proposed and discussed. Implementations are very efficient in a wide range of hardware and software scenarios. It includes the advanced application of the Internet of Things (IoT) and cyber-physical systems which are both needed for computationally-efficient cryptographic primitives. Furthermore, the proposed primitive is inherently resistant against the Side Channel Attack (SCA), where many currently available ciphers, such as AES, require additional hardware or software effort to prevent SCA line of attack.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 3

page 7

page 15

page 16

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Cellular automaton (CA) cryptographic use is limited. One significant reason is performance. A survey of CA stream ciphers [14] shows that encrypting one megabyte of data requires five seconds at best. One exception is MAG (My Array Generator) [5], which is a Mageto predecessor. It is a one-dimensional cellular automaton (CA). It belongs to a class of three complexity classification schemes p.12 [9]. That means, nearly every initial state evolves in pseudo-random or chaotic fashion. Two significant attributes which make MAG so exceptional are:

  • MAG is invariant to the cell size. Both 32-bit and 64-bit cells are investigated, and they show the same behaviour. That fact has a huge impact on performance.

  • MAG update rule is not entirely boolean and SAT solvers tools, which are generally better than brute force [14], could not be applied.

Apart from that, there are many more important reasons for revisiting MAG and build Mageto on MAG foundations:

  • MAG was the main building block for stream cipher entry (eSTREAM; ECRYPT Stream Cipher Project [16]). That entry did not progress to the second round because of the available analysis at that time. In the second round of decision making, the analysis consisted of two attacks [13, 10]. Other attacks [7, 6] are variants of the previous two. More analyses were published [12] after round two. Those cryptanalysis contest attacks from [13, 7]. In the same analysis, it suggests that the second type of attacks [10, 6] are avoidable using one minor alternation proposed in [15]. According to the published analysis, at least one MAG variant remains secure.

  • The second reason for the renewed interest in MAG is excellent software performance, see testing published on eSTREAM web page [11]. For a short set of results see Table 1. It compares MAG with some well-known stream cipher algorithms.

  • Another reason is MAG compactness. While Advanced Encryption Standard (AES) is widely used in symmetrical encryption, the emergence of IoT (The Internet of things), with constrained computation power, limits AES usability in that area. Therefore lightweight symmetrical encryption schemes are sought. MAG hardware footprint is a bytes of memory for automation state, plus a couple of variables. Operational cost is a cellular automation updating rule consisting of one conditional branching, a couple of exclusive or logical operation, one of one’s complement and one addition (five basic operations). That should match an extensive range of IoT hardware limited capabilities. See Listing A 1 for details.

  • MAG, like other cellular automata, has inherent resistance on side channel attacks (SCA) where AES and many other block ciphers implementations in that regard are relatively complex [1]. The lightweight cipher designs using S-boxes are affected by SCA as well [8].

Please note that the predecessor of our cryptographic primitive Mageto, namely, MAG, and its design choices for various parameters was never discussed or published before. Thus, in this paper, these issues will be addressed as well.

Primitive Stream (cycles per byte)
MAG-v3 2.20
TRIVIUM 4.14
Salsa20 7.64
RC4 14.52
AES-CTR 18.51
Table 1: An extract of eSTREAM software performance table [11].

The rest of paper is organised as follows: Section 2 introduces one dimensional CA and defines Mageto proposition. It also shows where Mageto improves over MAG making the Mageto proposition even simpler. Appendix A include C language general implementation. Section 3 shows three different ways to implement the proposed Mageto securely. Section 4 deals with an analysis of MAG known attacks and how they might impact the Mageto proposal. Section 5 discusses Mageto and its potential usage to a variety of applications, SCA and input flexibility.

2 Mageto Cellular Automation

Mageto is a one-dimensional CA. The concept of CA was first discovered in the 1940s by Stanislaw Ulam and John von Neumann. CA is used as a modelling tool in various scientific fields: computer and complexity science, mathematics, physics and biology. Stephen Wolfram is the first to propose the use of CA (rule 30) in cryptography [18].

Figure 1: Rule 30 one-dimensional CA example.

Figure 1 showing Wolfram’s rule 30 is used to explain the general working of one-dimensional CA. The particular example uses cells with two possible states (black and white). One-dimensional CA initial state is a row. For example, it is the binary string (row 1):

Row 2 is derived from row 1 and so on, with final row 16:

Rules to determine an update of a cell are shown as eight cases. Each case shows one combination of three cells on the top and the derivative cell on the bottom. Three cells from the row above (positioned above right, immediately above and above left) are looked at, and one of the cases are applied to create a cell. For example, a cell from row 2 column 14 is derived by case 8, cell from row 2 column 15 is acquired by case 7, cell from row 2 column 16 is obtained by case 6 and so on. Edge cells do not have above left or above right cells to choose a case. In that situation, the first or the last cell from the previous column are used for the ruling. For example, left edge cell from row 16 column 1 looks at cells from row 15, columns 31, 1, 2 and use case 7 to create the cell. The right edge cell from row 16 column 31 use the cells from row 15 columns 30, 31, 1 for lookup and case 4 for cell determination. Derived rows (rows ) are outputs of CA.

If a random stream of bits is required, column could be used:

A stream generated in this fashion passes many randomness statistical tests and it is used as a random number generator in Wolfram’s Mathematica software.

Mageto is also a one-dimensional CA, but it differs from the example by:

  • Cells are multi-bit words (32 or 64 bits in size).

  • The update of Mageto cells is serial, left to right, because the rule needs the outcome of the previous cell update (carry).

  • The Mageto rule also appears to be invariant to cell size because it shows the same random behaviour for and bit size cells.

Mageto CA is governed by the CA rule and the state of neighbouring cells. A row of cells, in a Mageto case array of elements, are updated from left to right. One evolution cycle is when all items in the array are updated. The next generation is another evolution cycle and so on. The original and modified parameters are shown in Table 2.

MAG Mageto
calculated
(HEX) (binary)
Table 2: MAG / Mageto parameters.

Mageto parameters definitions:

  • The number of cells is . That choice forces possible execution paths during one evolution cycle and assumes at least bit level security if the stream is used as a basis for the cipher.

  • The cell size is . The Mageto CA rule appears to be invariant concerning the cell size. is used and tested for randomness [17] and there are no biases, although the performance doubles because the same generating cost produces double the stream.

  • Instead of taking the carry value from the array element in the original version, it is initialised as (decimal). The value of was chosen, and there is no special meaning behind this choice.

  • The constant is now initialised as (). Again there is nothing special in the constant value. In MAG was described as an arbitrary value (which it is). Related to this, an initialisation attack [13, 7] where was proposed. It eliminates any adding procedure which simplifies the whole process significantly. The analysis [12] showed that any non zero value of is sufficient to prevent initialisation attacks.

  • In a modified version, the mixing period is four evolutions . It assures proper mixing because the original one and half evolutions occasionally produced biases in the first couple of generated rows. The same could be observed in the rule 30 case (Figure 1) where the first several rows still retain some patterns.

  • The seed is any binary string equal or smaller than a row of cells and meaning that the key , the salt and (IV, pepper and so on) are concatenated to form seed .

Mageto operation is divided into initialisation and update.
Mageto initialisation; Originally, the array of elements bits wide is initialised to . The seed is repeatedly concatenated until the resulting concatenation is equal or greater in size than the array. MAG array’s first elements are the initial row, and remaining elements becomes the carry . For example, the seed is and array is cells (one byte each), the resulting initial array will be:

In the Mageto modified version, the seed is simply copied to zero initialised array and the carry is given as an initial value . The pattern, with and array of bytes, looks like:

Mageto update; when initialised, the rows are created by updating cells from left to right. The edge cases ( happens to be on the array end) are handled as rule 30 edge cell cases. The rule elements are shown in Figure 2. The cell update consists of three steps:

  • 1st step is to create a new state of carry .

    (1)

    Carry is updated by (exclusive or) with previous value of and one state of the first element to the right , depending on the relation between the other two cells on the right (). States of are: current value () or it’s one complement (). In one evolution cycle (whole array is updated) each cell is changed once and carry is calculated for every cell transformation. Note that the first cell update uses the initial value of carry .

  • 2nd step is the actual change of element to .

    (2)
  • 3rd step is updating current value for next cell transformation.

    (3)
Figure 2: Mageto cell update rule.

3 Mageto as A Secure Stream Generator

Knowledge of the array state renders the Mageto algorithm cryptographically unsound. Three strategies for concealing CA state to make a secure stream from Mageto, are proposed and discussed.

3.1 Reducing output (Mageto-v1)

One of the concealing methods was already used by S. Wolfram on his cellular automata rule 30 (section 10.10[19]). For example, column 16 from Figure 1

is transformed by taking bits and producing secure stream

The similar approach was used in the MAG eSTREAM proposal. The small change in operation is added to achieve a secure stream property. Instead of copying every updated cell to the stream, only the first byte of the cell is added to the secure stream (now array of bytes).

Figure 3: Mageto evolution history; one pixel represents one byte (256 grey scale).

For example, Figure 3 shows updated cells as a stream of bytes where each pixel represents a byte and four bytes are an updated cell. To make a secure stream every 5th byte (every 5th pixel from left to right) is taken and fed to the secure stream. That is bytes:

Consequently bytes create a secure stream. This approach was found insecure, and details are shown in Section 4.
Again the small change in pattern avoids weaknesses from the previous design. If the series of bytes taken is changed to: from first cell first byte, second cell second byte, third cell third byte, fourth cell fourth byte, fifth cell first byte and so on…

The stream of bytes from Figure 3 will form a secure stream.

3.2 Combining streams (Mageto-v2)

One way of making a stream secure is to combine two or more streams. For example, LFSR (Linear-feedback shift register) outputs were combined to make a shrinking generator (planned to be used as a stream cipher [3]). The shrinking generator uses two streams, one is a source, and the other is used to decide which bits of the source stream is output.

In the Mageto case the idea is to apply exclusive or between two generated streams (stream and ) to produce a secure stream :

(4)
Mageto stream stream IV
stream 1234567890/3
stream 9876543210/3
stream
Table 3: Combined stream parameters.

One implementation attempt at combined MAG approach was published here [17]. It includes source code. The easiest way to implement combined Mageto is to initialise streams separately. Table 3 contains initial parameters. The seed for each stream now includes corresponding IV. For example, the seed for is where is the key, is the salt,

initialisation vector from Table 

3 and is the concatenation of strings.

3.3 Stream Masking (Mageto-v3)

The idea with masking is to combine (xor) Mageto output with a secret string. The original idea is to use a key as the secret string but Dr Daniel J. Bernstein and prof.dr.Tanja Lange noted that the same attacks ([10, 6]) apply for that proposal as well. Alternatively, the secret could be sourced from the execution path history. The branching from the previous evolution can generate string . In the case of elements array, there is branching in one evolution cycle making a bit string . Bits of are determined by branching; if branch will concatenate and else to the mask . From the four bit element mask array is created.

(5)

The secure stream is now obtained by exclusive or result from Mageto output cells () and mask array of four elements ():

(6)

The new mask is calculated for every evolution cycle and is used as a mask for next cycle.

4 Mageto Analysis

Mageto-v1; The eSTREAM proposal to strengthen CA MAG was to output just the first byte from the every updated cell. It did not work. CA can continue updating on just that part of the cell without information from the hidden part:

  • Since the first bytes of and are known the first byte of is known as well because:

    (7)
  • Knowing the first byte of , predicting the next unknown value of the carry takes guessing the branching outcome. That guess is even easier because of knowledge of the first byte which is compared.

Series of bytes used in the stream Status
Table 4: Mageto secure stream extraction patterns.

This kind of attack is detailed in [10, 6]. Two amendments are proposed in [15] to avoid this line of attack. The idea was to alternate extraction points because the original design did not hide the evolution of the first-byte cell. Table 4 shows various extraction patterns for the proposed MAG secure stream. The first amendment (second-row Table 4) is broken as well. The one gap between exposed bytes of the cell did not prevent the same attack although the guessing cost was increased [12]. The second amendment (third-row Figure 4) does have three gaps between visible bytes and is still resisting analysis.

Mageto-v2; The result from exclusive or of two Mageto streams is secure stream . The relevant relations of knowns and unknowns are shown below. Stream is known and streams and and carry are unknown.

Both relations are used to attack Mageto Subsection 3.1 [10, 6]. Additional streams could be included to strengthen two stream variant. The combination of three Mageto streams producing secure stream might look like:

(8)

Mageto-v3; The relations with known only are shown below concerning the Mageto attacks [10, 6].

5 Mageto Advantages

In this section a few important Mageto features are discussed. One highlight is applicability with the respect to various hardware platforms. There is also Mageto resistance to the side channel attack and Mageto flexibility to the inputs other than key.

5.1 Mageto Implementation and Performance

Three Mageto cipher variants are presented:

  • Mageto-v1 from subsection 3.1 is the simplest. For producing one byte, only the set of operations from Table 5 are needed plus the overhead of extracting byte from the cell and array navigation.

    Mageto single cell update
    Table 5: The operations needed for one step cell update.

    The array containing Mageto cells is only bytes in size and with the mentioned set of operation, lowers the entry hardware requirements bar significantly. That includes a wide array of IoT implementations. The Mageto-v1 performance, the same efficiency as mag-v1, is very comparable with AES, see Table 6.

    Crypto primitive Stream (cycles per byte)
    RC4 14.52
    AES-CTR 18.51
    MAG-v1 20.43
    Table 6: An extract of eSTREAM software performance table [11].
  • Mageto-v2 approach subsection 3.2, is a little bit more complex. On the other hand, efficiency is improved. By roughly doubling effort, output increases four times. That is bytes per CA steps comparing byte per CA step (subsection 3.1). There are other ways to improve performance. One way relies on the fact that combining streams could be created in parallel. By that technique performance is bytes / CA step ( steps in parallel). This technique also enables adding streams if needed without affecting performance. Another efficiency approach could be increasing the size of the CA cell from to bits producing bytes per step. For details see Table 7.

    MAG variants Performance
    Mageto-v1
    Mageto-v2
    Mageto-v2 parallel
    Mageto-v2 parallel 64 bit
    Mageto-v3
    Mageto-v3 64 bit
    Table 7: Various performance details.
  • Mageto-v3 from subsection 3.3 is a notch more complex than previous variants. Developing mask for each evolution step is the reason. This approach also improves performance concerning Mageto-v1. That improvement does not need parallelism. Although Mageto-v3 is relatively more complex, it is still significantly simpler than AES from a hardware and software point of view, delivering better performance. Table 1 shows mag-v3 (the same as Mageto-v3) 64-bit implementation versus AES and other primitives. Table 7 shows performances between various Mageto variants where one step from Table 5 produces towards secure stream depending on the variant used.

5.2 Side Channel Resistance

When discussing side channel attack on AES, the quite often cited work [2] cannot be avoided. There is an assertion mentioned in the abstract that attacks come from the AES design flaw rather than AES implementation. Furthermore, this report is also a call for research into functions with constant time execution. Mageto as CA appears to have the rule which runs in constant time, but some attention is still needed. When implementing Mageto in SCA resistant mode, the algorithm branching structure should be addressed. There are two issues:

  • The first one is to compare secret cells in constant time. By measuring comparing operations, some properties of the Mageto cells could be determined. For example, comparing the equal cells byte by byte will take the longest time to execute. The solution is to use constant time comparison functions. Some cases can be found here [4]. Note, the solutions are not entirely portable therefore finished program assemblies for particular hardware should be checked for correctness in any case.

  • The second Mageto issue is branching execution times. For example, Mageto timing for each branch differs, consequently the mask parity of Mageto-v3 3.3 could be readily determined. The solution is equal execution time for each branch. That is accomplished by introducing two pre-calculated intermediate variables and before branching. The update of Mageto carry with , and has equal execution of branches:

    (9)
    (10)
    (11)

5.3 Input Flexibility

Generally, there is a requirement of an initialisation vector (IV) in symmetrical encryption. For example, AES CBC (AES in Cipher Block Chaining) needs a unique IV for every message processing. If more than IV is required for some reason, the key derivation function (KDF) is necessary to deliver properly sized key and IV.

In that respect, Mageto allows an additional for a nonce, salt, pepper and so on… if needed. It can be used for resisting various repeat attacks for example. That can be accomplished without using KDF as it is the case with AES.

5.4 Conclusion

Mageto offers an entirely new cryptographic primitive. It has a straightforward and compact implementation. It also provides SCA resistance which is very important for not physically secured hardware such as IoT. Variant Mageto-v1 also benefits from the fact that its predecessor mag-v1 had in-depth analysis and remains secure [12].

References

Appendix A Mageto inplementation details

Implementation is written in C language and source code is in Listing 1.

1#include <stdio.h>
2#include <stdint.h>
3#include <string.h>
4#include <stdlib.h>
5
6void stir(uint32_t * array, uint32_t updates, int init)
7{
8 const uint32_t mixer = 1431655765;   //010101…
9 uint32_t carry = 987654321;
10 int a = 128;        //array size
11 uint32_t i;
12 for(i = 0; i < updates; i++)
13 {
14  if(array[(i+2)%a]>array[(i+3)%a])
15   carry ^= array[(i+1)%a];
16  else
17   carry ^= ~array[(i+1)%a];
18
19  array[i%a] ^= carry;
20  carry += mixer;
21
22  if(init == 1)
23   fwrite(&array[i%a] , sizeof (array[i]) ,1 , stdout );
24 }
25}
26
27int main(int argc, char **argv)
28{
29 uint32_t bytesfour;
30 uint32_t skip = 512;
31 uint32_t array[128] = {0};
32
33 size_t length = strlen (argv[2]) ;
34
35 bytesfour = atoi(argv[1]);
36 memcpy(array, argv[2], length);
37
38 stir(array, skip, 0);
39 stir(array, bytesfour, 1);
40
41 return 0;
42}
Listing 1: mageto.c

Lets assume that the Listing 1 is compiled to . The execution command might look like Figure 4:

Figure 4: How to run mageto.

Where the first argument represents how many cells are sent to the standard output . The second argument is the seed and redirects standard output to the file.

Figure 5 and 6 are showing graphical representations of the outputs when input differs by one bit only. The seeds are strings ”entropy0” and ”entropy1” respectively. Every pixel is one byte shown in 8-bit grayscale.

Figure 5: Seed ”entropy0”, (argv[2]).
Figure 6: Seed ”entropy1”, (argv[2]).