
Resilient Functions and Cyclic Codes from CA ACRI 2016 Fez Luca - PowerPoint PPT Presentation



  1. Resilient Functions and Cyclic Codes from CA. ACRI 2016 – Fez. Luca Mariot (1, 2), Alberto Leporati (1). (1) DISCo, Università degli Studi Milano - Bicocca, Italy; (2) I3S, Université Nice Sophia Antipolis, France. luca.mariot@disco.unimib.it. September 5, 2016

  2. One-Dimensional Cellular Automata (CA)
     Definition (One-dimensional cellular automaton): one-dimensional array of $n \in \mathbb{N}$ cells, equipped with a local rule $f : \{0,1\}^{2r+1} \to \{0,1\}$ of radius $r \in \mathbb{N}$.
     Example: $n = 8$, $r = 1$, $f(s_{i-1}, s_i, s_{i+1}) = s_{i-1} \oplus s_i \oplus s_{i+1}$ (Rule 150).
     [Figure: the cell array undergoes a parallel update under the global rule $F$; one neighborhood is evaluated as $f(1, 1, 0) = 1 \oplus 1 \oplus 0$.]
     Remark: no boundary conditions ⇒ the array "shrinks".
     Luca Mariot, Resilient Functions and Cyclic Codes from CA

  3. CA-Based Cryptography: Motivations
     - General idea: exploit the emergent complexity of CA to design cryptosystems satisfying confusion and diffusion criteria
     - CA-based Pseudorandom Generator (PRG) [Wolfram86]: central cell of rule 30 CA used as a stream cipher keystream
     [Figure: stream cipher scheme with an Encryption side and a Decryption side; labels: K (seed), CA, keystream z, PT, CT.]

  4. Our Contribution at a Glance
     CA-based stream cipher design, up to now:
     - Focus on CA local rules, viewed as Boolean functions $f : \{0,1\}^{2r+1} \to \{0,1\}$
     - Rationale: choose rule $f$ with best crypto properties
     [Figure: a local rule mapping one neighborhood to a single cell.]
     Our approach:
     - Some attacks cannot be formalized in a local way
     - Idea: analyse the crypto properties of the CA global rule as a vectorial Boolean function $F : \{0,1\}^n \to \{0,1\}^m$
     [Figure: a global rule mapping an 8-cell array to a 6-cell array.]

  5. Resiliency: Basic Definitions
     Let $F : \{0,1\}^n \to \{0,1\}^m$ be an $n$-input, $m$-output Boolean function. Then:
     - $F$ is balanced if $|F^{-1}(y)| = 2^m$ for all $y \in \{0,1\}^m$
     - $F$ is $t$-resilient if, fixing any $t < n$ coordinates, the restricted map $F|_t : \{0,1\}^{n-t} \to \{0,1\}$ is balanced
     Example: Rule 150, $n = 3$, $m = 1$, $f(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_3$

     (x1, x2, x3)    | 000  100  010  110  001  101  011  111
     f(x1, x2, x3)   |  0    1    1    0    1    0    0    1

  6. The Resiliency Game [Chor85]
     Step 1. The player chooses a function $F : \{0,1\}^n \to \{0,1\}^m$
     [Figure: empty input row x and empty output row y.]
     Example: CA $F : \{0,1\}^8 \to \{0,1\}^6$ induced by rule 150, $f(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_3$

  7. The Resiliency Game [Chor85]
     Step 2. The adversary chooses the values of $t$ input variables
     x = · · 1 · · 0 · ·   (arrows on the slide mark the two fixed cells); y is still empty
     Example: CA $F : \{0,1\}^8 \to \{0,1\}^6$ induced by rule 150, $f(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_3$

  8. The Resiliency Game [Chor85]
     Step 2. The values for the remaining variables are randomly chosen
     x = ? ? 1 ? ? 0 ? ?   (arrows on the slide mark the two fixed cells); y is still empty
     Example: CA $F : \{0,1\}^8 \to \{0,1\}^6$ induced by rule 150, $f(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_3$

  9. The Resiliency Game [Chor85]
     Step 2. The values for the remaining variables are randomly chosen
     x = 0 1 1 0 0 0 1 1   (arrows on the slide mark the two fixed cells); y is still empty
     Example: CA $F : \{0,1\}^8 \to \{0,1\}^6$ induced by rule 150, $f(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_3$

  10. The Resiliency Game [Chor85]
      Step 3. The player applies function $F$
      x = 0 1 1 0 0 0 1 1   (arrows on the slide mark the two fixed cells)
      ⇓ F
      y = 0 0 1 0 1 0
      Example: CA $F : \{0,1\}^8 \to \{0,1\}^6$ induced by rule 150, $f(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_3$

  11. The Resiliency Game [Chor85]
      - Outcome: if $F(x)$ is uniformly distributed over $\mathbb{F}_2^m$, then the player wins. Otherwise, the adversary wins
      x = 0 1 1 0 0 0 1 1   (arrows on the slide mark the two fixed cells)
      ⇓ F
      y = 0 0 1 0 1 0
      Example: CA $F : \{0,1\}^8 \to \{0,1\}^6$ induced by rule 150, $f(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_3$
      Winning strategy for the player: choose a $t$-resilient function

  12. Bipermutive Cellular Automata
      Definition (Bipermutivity): a single-output Boolean function $f : \{0,1\}^n \to \{0,1\}$ is bipermutive if, fixing either the leftmost or the rightmost $n - 1$ variables, the resulting restriction $f|_{n-1} : \{0,1\} \to \{0,1\}$ is a permutation.
      Equivalently, $f$ is bipermutive if
      $$f(x_1, x_2, \dots, x_{n-1}, x_n) = x_1 \oplus g(x_2, \dots, x_{n-1}) \oplus x_n$$
      where $g : \{0,1\}^n \to \{0,1\}$.
      Example: Rule 150, $f(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_3$, with $g(x_2) = x_2$

  13. Main Result
      In [Leporati13], the following result was proved:
      Theorem. Let $f : \{0,1\}^n \to \{0,1\}$ be bipermutive. Then, $f$ is 1-resilient.
      We generalized this result to CA global rules:
      Theorem. Given a CA with $n$ cells and bipermutive local rule $f : \{0,1\}^{2r+1} \to \{0,1\}$, the global rule $F : \{0,1\}^n \to \{0,1\}^{n-2r}$ induced by $f$ is 1-resilient.
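
The resiliency game of slides 6–11 and the theorem of slide 13 can be checked exhaustively for the running example (rule 150, 8 cells). The following is an added example, not code from the slides or the paper; all function names are assumptions, and positions are 0-based, so the cells fixed on the slides (third and sixth) are indices 2 and 5.

```python
from itertools import combinations, product

def rule150(a, b, c):
    """Local rule of the slides' running example."""
    return a ^ b ^ c

def global_rule(x, f=rule150, r=1):
    """No-boundary CA update: n input cells give n - 2r output cells."""
    d = 2 * r + 1
    return tuple(f(*x[i:i + d]) for i in range(len(x) - 2 * r))

def output_counts(n, fixed, f=rule150, r=1):
    """Histogram of F(x) over all x that agree with `fixed` (position -> bit)."""
    free = [i for i in range(n) if i not in fixed]
    counts = {}
    for bits in product((0, 1), repeat=len(free)):
        x = [0] * n
        for i, b in list(fixed.items()) + list(zip(free, bits)):
            x[i] = b
        y = global_rule(x, f, r)
        counts[y] = counts.get(y, 0) + 1
    return counts

def player_wins(n, fixed, f=rule150, r=1):
    """True iff F(x) is uniform: every (n - 2r)-bit output is hit equally often."""
    counts = output_counts(n, fixed, f, r)
    return len(counts) == 2 ** (n - 2 * r) and len(set(counts.values())) == 1

def is_t_resilient(n, t, f=rule150, r=1):
    """Play the game against every adversary choice of t positions and values."""
    return all(player_wins(n, dict(zip(pos, vals)), f, r)
               for pos in combinations(range(n), t)
               for vals in product((0, 1), repeat=t))

if __name__ == "__main__":
    print(global_rule((0, 1, 1, 0, 0, 0, 1, 1)))  # input drawn on the slides
    print(is_t_resilient(8, 1))                    # the theorem's case, n = 8
    print(player_wins(8, {2: 1, 5: 0}))            # the two cells fixed on the slides
    print(is_t_resilient(8, 2))
```

With the third and sixth cells fixed, $y_3 \oplus y_4 = x_3 \oplus x_6$ is a constant, so the output is no longer uniform: the check passes for every choice with $t = 1$ and fails for this choice with $t = 2$.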

  14. Error-Correcting Codes – Communication Model
      [Figure: Alice → Encoder → Channel → Decoder → Bob. The message µ enters the encoder, the codeword c enters the channel, the noise e acts on the channel, the received word z enters the decoder, and µ is delivered to Bob.]
      - $\mu \in \{0,1\}^m$: message
      - $e \in \{0,1\}^n$: error pattern
      - $c \in \{0,1\}^n$: codeword ($n > m$)
      - $z = c \oplus e$ (received word)

  15. Linear Codes
      Definition: an $(n, m, d)$ binary linear code $C$ of minimum distance $d$ is an $m$-dimensional subspace of $\mathbb{F}_2^n = \{0,1\}^n$, such that for all $c_1, c_2 \in C$
      $$d_H(c_1, c_2) \ge d$$
      where $d_H$ denotes the Hamming distance.
      $g_1, \dots, g_m \in \mathbb{F}_2^n$ basis of $C$ ⇔ $m \times n$ generator matrix of $C$:
      $$G = \begin{pmatrix} g_1 \\ \vdots \\ g_m \end{pmatrix}$$
      Encoding: vector-matrix multiplication $\mu \mapsto c = \mu G$

  16. Error Correction – Syndrome Decoding
      - Parity Check Matrix: an $(n - m) \times n$ matrix $H$ such that $s = Hz^\top = 0 \Leftrightarrow z \in C$, where $s$ is the syndrome of $z$
      - Suppose $z = c \oplus e$, $c \in C$ and $e \in \mathbb{F}_2^n$. Then
        $$Hz^\top = H(c \oplus e)^\top = Hc^\top \oplus He^\top = He^\top$$
        (the term $Hc^\top$ is struck out on the slide, since it vanishes for $c \in C$)
      Syndrome Decoding: find $e \in \mathbb{F}_2^n$ and return $c = z \oplus e$

  17. Cyclic Codes
      Definition: an $(n, m, d)$ linear code is cyclic if for all $c = (c_0, c_1, \dots, c_{n-1}) \in C$
      $$\sigma(c) = (c_1, \dots, c_{n-1}, c_0) \in C$$
      - Generator Matrix:
        $$G = \begin{pmatrix}
        g_0 & \cdots & g_{n-m} & 0 & \cdots & \cdots & \cdots & \cdots & 0 \\
        0 & g_0 & \cdots & g_{n-m} & 0 & \cdots & \cdots & \cdots & 0 \\
        \vdots & \vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots & \vdots \\
        0 & \cdots & \cdots & \cdots & \cdots & 0 & g_0 & \cdots & g_{n-m}
        \end{pmatrix}$$
      - Parity-check Matrix:
        $$H = \begin{pmatrix}
        h_m & \cdots & h_0 & 0 & \cdots & \cdots & \cdots & \cdots & 0 \\
        0 & h_m & \cdots & h_0 & 0 & \cdots & \cdots & \cdots & 0 \\
        \vdots & \vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots & \vdots \\
        0 & \cdots & \cdots & \cdots & \cdots & 0 & h_m & \cdots & h_0
        \end{pmatrix}$$

  18. Linear CA
      - Local rule: linear combination of the neighborhood cells
        $$f(x_0, \dots, x_{2r}) = a_0 x_0 \oplus \cdots \oplus a_{2r} x_{2r}, \quad a_i \in \mathbb{F}_2$$
      - Global rule: $m \times (m + 2r)$ $(2r+1)$-diagonal transition matrix
        $$M_F = \begin{pmatrix}
        a_0 & \cdots & a_{2r} & 0 & \cdots & \cdots & \cdots & \cdots & 0 \\
        0 & a_0 & \cdots & a_{2r} & 0 & \cdots & \cdots & \cdots & 0 \\
        \vdots & \vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots & \vdots \\
        0 & \cdots & \cdots & \cdots & \cdots & 0 & a_0 & \cdots & a_{2r}
        \end{pmatrix}$$
        $$x = (x_0, \dots, x_{n-1}) \mapsto M_F x^\top$$

  19. Linear CA are Cyclic Codes
      $$M_F = \begin{pmatrix}
      a_0 & \cdots & a_{2r} & 0 & \cdots & \cdots & \cdots & \cdots & 0 \\
      0 & a_0 & \cdots & a_{2r} & 0 & \cdots & \cdots & \cdots & 0 \\
      \vdots & \vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots & \vdots \\
      0 & \cdots & \cdots & \cdots & \cdots & 0 & a_0 & \cdots & a_{2r}
      \end{pmatrix}$$
      $$G = \begin{pmatrix}
      g_0 & \cdots & g_{n-m} & 0 & \cdots & \cdots & \cdots & \cdots & 0 \\
      0 & g_0 & \cdots & g_{n-m} & 0 & \cdots & \cdots & \cdots & 0 \\
      \vdots & \vdots & \vdots & \ddots & \vdots & \vdots & \ddots & \vdots & \vdots \\
      0 & \cdots & \cdots & \cdots & \cdots & 0 & g_0 & \cdots & g_{n-m}
      \end{pmatrix}$$
      Linear CA ⇔ Cyclic codes
      Question: How is encoding/decoding performed?
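
The correspondence of slides 16–19, worked through for rule 150 with $(a_0, a_1, a_2) = (1, 1, 1)$, i.e. $g(x) = 1 + x + x^2$. This is an added example, not code from the slides or the paper; the function names, the length $n = 6$, the sample message and the error pattern are assumptions. The parity-check polynomial is taken as $h(x) = (x^n + 1)/g(x)$, which exists only when $g(x)$ divides $x^n + 1$, the standard condition for the shifts of $g$ to span a cyclic code.

```python
from itertools import product

def band_matrix(coeffs, rows):
    """Matrix whose i-th row is `coeffs` shifted right by i (shape of M_F, G, H)."""
    width = rows + len(coeffs) - 1
    return [[0] * i + list(coeffs) + [0] * (width - i - len(coeffs))
            for i in range(rows)]

def divide_xn_plus_1(g, n):
    """Quotient, remainder of (x^n + 1) / g(x) over F_2 (lowest degree first).
    Assumes the leading coefficient of g is 1."""
    deg = len(g) - 1
    rem = [1] + [0] * (n - 1) + [1]
    quo = [0] * (n - deg + 1)
    for shift in range(n - deg, -1, -1):
        if rem[shift + deg]:
            quo[shift] = 1
            for j, gj in enumerate(g):
                rem[shift + j] ^= gj
    return quo, rem

def encode(mu, G):
    """c = mu G over F_2."""
    return tuple(sum(m & row[j] for m, row in zip(mu, G)) % 2
                 for j in range(len(G[0])))

def syndrome(H, z):
    """s = H z^T over F_2."""
    return tuple(sum(h & b for h, b in zip(row, z)) % 2 for row in H)

def ca_code(coeffs, m):
    """Code spanned by the rows of M_F; H is None if g(x) does not divide x^n + 1."""
    n = m + len(coeffs) - 1
    G = band_matrix(coeffs, m)                     # identical to M_F
    h, rem = divide_xn_plus_1(list(coeffs), n)
    H = None if any(rem) else band_matrix(h[::-1], n - m)
    code = {encode(mu, G) for mu in product((0, 1), repeat=m)}
    return G, H, code

def is_cyclic(code):
    """Closed under sigma(c) = (c_1, ..., c_{n-1}, c_0)?"""
    return all(c[1:] + c[:1] in code for c in code)

if __name__ == "__main__":
    G, H, code = ca_code((1, 1, 1), 4)             # rule 150, n = 6
    c = encode((1, 0, 1, 1), G)                    # constructed message
    e = (0, 0, 1, 0, 0, 0)                         # constructed single-bit error
    z = tuple(a ^ b for a, b in zip(c, e))
    print(is_cyclic(code), syndrome(H, c), syndrome(H, z) == syndrome(H, e))
```

For $n = 8$ (`ca_code((1, 1, 1), 6)`) the division leaves a remainder, no `H` is produced, and the row space of $M_F$ is not closed under $\sigma$.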
