Secure and Computationally-Efficient Cryptographic Primitive based on Cellular Automation

Mageto, a random number generator based on one-dimensional cellular automaton (CA) is presented. Three procedures of secure implementation using Mageto is proposed and discussed. Implementations are very efficient in a wide range of hardware and software scenarios. It includes the advanced application of the Internet of Things (IoT) and cyber-physical systems which are both needed for computationally-efficient cryptographic primitives. Furthermore, the proposed primitive is inherently resistant against the Side Channel Attack (SCA), where many currently available ciphers, such as AES, require additional hardware or software effort to prevent SCA line of attack.


Introduction
Cellular automaton (CA) cryptographic use is limited. One significant reason is performance. A survey of CA stream ciphers [14] shows that encrypting one megabyte of data requires five seconds at best. One exception is MAG (My Array Generator) [5], which is a Mageto predecessor. It is a one-dimensional cellular automaton (CA). It belongs to a class of three complexity classification schemes p.12 [9]. That means, nearly every initial state evolves in pseudorandom or chaotic fashion. Two significant attributes which make MAG so exceptional are: • MAG is invariant to the cell size. Both 32-bit and 64-bit cells are investigated, and they show the same behaviour. That fact has a huge impact on performance.
• MAG update rule is not entirely boolean and SAT solvers tools, which are generally better than brute force [14], could not be applied.
Apart from that, there are many more important reasons for revisiting MAG and build Mageto on MAG foundations: • Another reason is MAG compactness. While Advanced Encryption Standard (AES) is widely used in symmetrical encryption, the emergence of IoT (The Internet of things), with constrained computation power, limits AES usability in that area. Therefore lightweight symmetrical encryption schemes are sought. MAG hardware footprint is a 512 bytes of memory for automation state, plus a couple of variables. Operational cost is a cellular automation updating rule consisting of one conditional branching, a couple of exclusive or logical operation, one of one's complement and one addition (five basic operations). That should match an extensive range of IoT hardware limited capabilities. See Listing A 1 for details.
• MAG, like other cellular automata, has inherent resistance on side channel attacks (SCA) where AES and many other block ciphers implementations in that regard are relatively complex [1]. The lightweight cipher designs using S-boxes are affected by SCA as well [8].
Please note that the predecessor of our cryptographic primitive Mageto, namely, MAG, and its design choices for various parameters was never discussed or published before. Thus, in this paper, these issues will be addressed as well.
The rest of paper is organised as follows: Section 2 introduces one dimensional CA and defines Mageto proposition. It also shows where Mageto improves over MAG making the Mageto proposition even simpler. Appendix A include C language general implementation. Section 3 shows three different ways to implement the proposed Mageto securely. Section 4 deals with an analysis of MAG known attacks and how they might impact the Mageto proposal. Section 5 discusses Mageto and its potential usage to a variety of applications, SCA and input flexibility.

Mageto Cellular Automation
Mageto is a one-dimensional CA. The concept of CA was first discovered in the 1940s by Stanislaw Ulam and John von Neumann. CA is used as a modelling tool in various scientific fields: computer and complexity science, mathematics, physics and biology. Stephen Wolfram is the first to propose the use of CA (rule 30) in cryptography [18].  showing Wolfram's rule 30 is used to explain the general working of one-dimensional CA. The particular example uses cells with two possible states (black and white). One-dimensional CA initial state is a row. For example, it is the binary string (row 1): 0000000000000001000000000000000 Row 2 is derived from row 1 and so on, with final row 16: 1101111001101001011111001111111 Rules to determine an update of a cell are shown as eight cases. Each case shows one combination of three cells on the top and the derivative cell on the bottom. Three cells from the row above (positioned above right, immediately above and above left) are looked at, and one of the cases are applied to create a cell. For example, a cell from row 2 column 14 is derived by case 8, cell from row 2 column 15 is acquired by case 7, cell from row 2 column 16 is obtained by case 6 and so on. Edge cells do not have above left or above right cells to choose a case. In that situation, the first or the last cell from the previous column are used for the ruling. If a random stream of bits is required, column 16 could be used:

1101110011000101...
A stream generated in this fashion passes many randomness statistical tests and it is used as a random number generator in Wolfram's Mathematica software.
Mageto is also a one-dimensional CA, but it differs from the example by: • Cells are multi-bit words (32 or 64 bits in size).
• The update of Mageto cells is serial, left to right, because the rule needs the outcome of the previous cell update (carry).
• The Mageto rule also appears to be invariant to cell size because it shows the same random behaviour for 32 and 64 bit size cells.
Mageto CA is governed by the CA rule and the state of neighbouring cells. A row of cells, in a Mageto case array of elements, are updated from left to right. One evolution cycle is when all items in the array are updated. The next generation is another evolution cycle and so on. The original and modified parameters are shown in Table 2.
Mageto parameters definitions: • The number of cells is a = 128. That choice forces 2 128 possible execution paths during one evolution cycle and assumes at least 128 bit level security if the stream is used as a basis for the cipher.
• The cell size is b = 32 bits. The Mageto CA rule appears to be invariant concerning the cell size. b = 64 bits is used and tested for randomness [17] and there are no biases, although the performance doubles because the same generating cost produces double the stream. • Instead of taking the carry value from the array element in the original version, it is initialised as c = 987654321 (decimal). The value of 987654321 was chosen, and there is no special meaning behind this choice.
• The constant d is now initialised as d = 01010101... (32 bitsbinary). Again there is nothing special in the constant value. In MAG d was described as an arbitrary value (which it is). Related to this, an initialisation attack [13,7] where d = 0 was proposed. It eliminates any adding procedure which simplifies the whole process significantly. The analysis [12] showed that any non zero value of d is sufficient to prevent initialisation attacks.
• In a modified version, the mixing period e is four evolutions e = 4 * a = 512. It assures proper mixing because the original one and half evolutions occasionally produced biases in the first couple of generated rows. The same could be observed in the rule 30 case ( Figure 1) where the first several rows still retain some patterns.
• The seed f is any binary string equal or smaller than a row of cells f size ≤ a * b and f = k + s + ... meaning that the key k, the salt s and ... (IV, pepper and so on) are concatenated to form seed f .
Mageto operation is divided into initialisation and update. Mageto initialisation; Originally, the array of 128 elements 32 bits wide is initialised to 0. The seed f is repeatedly concatenated until the resulting concatenation is equal or greater in size than the array. MAG array's first 127 elements are the initial row, and remaining elements becomes the carry c. For example, the seed is f = seed and array is 10 cells (one byte each), the resulting initial array will be: seedseedse In the Mageto modified version, the seed f is simply copied to zero initialised array and the carry is given as an initial value c = 987654321. The pattern, with f = seed and array of 10 bytes, looks like: • 1st step is to create a new state of carry c .
Carry c is updated by ⊕ (exclusive or) with previous value of c and one state of the first element to the right A i+1 , depending on the relation between the other two cells on the right (A i+2 , A i+3 ). States of A i+1 are: current value (A i+1 ) or it's one complement (A i+1 ). In one evolution cycle (whole array is updated) each cell is changed once and carry is calculated for every cell transformation. Note that the first cell update uses the initial value of carry c = 987654321.
• 2nd step is the actual change of element A i to A i .
• 3rd step is updating current c value for next cell transformation.

Mageto as A Secure Stream Generator
Knowledge of the array state renders the Mageto algorithm cryptographically unsound. Three strategies for concealing CA state to make a secure stream from Mageto, are proposed and discussed.

Reducing output (Mageto-v1)
One of the concealing methods was already used by S. Wolfram on his cellular automata rule 30 (section 10.10 [19]). For example, column 16 from Figure 1 1101110011000101...  For example, Figure 3 shows updated cells as a stream of bytes where each pixel represents a byte and four bytes are an updated cell. To make a secure stream every 5th byte (every 5th pixel from left to right) is taken and fed to the secure stream. That is bytes: 1, 5, 9, 13, 17, ...

Combining streams (Mageto-v2)
One way of making a stream secure is to combine two or more streams. For example, LFSR (Linear-feedback shift register) outputs were combined to make a shrinking generator (planned to be used as a stream cipher [3]). The shrinking generator uses two streams, one is a source, and the other is used to decide which bits of the source stream is output.
In the Mageto case the idea is to apply exclusive or between two generated streams (stream α and β) to produce a secure stream s: Mageto stream stream IV α stream 1234567890/3 β stream 9876543210/3 γ stream ... Table 3: Combined stream parameters.
One implementation attempt at combined MAG approach was published here [17]. It includes source code. The easiest way to implement combined Mageto is to initialise streams separately. Table 3 contains initial parameters. The seed f for each stream now includes corresponding IV. For example, the seed for α is f α = k + s + IV where k is the key, s is the salt, IV initialisation vector from Table 3 and + is the concatenation of strings.

Stream Masking (Mageto-v3)
The idea with masking is to combine (xor) Mageto output with a secret string. The original idea is to use a key as the secret string but Dr Daniel J. Bernstein and prof.dr.Tanja Lange noted that the same attacks ( [10,6]) apply for that proposal as well. Alternatively, the secret could be sourced from the execution path history. The branching from the previous evolution can generate string m. In the case of 128 elements array, there is 128 branching in one evolution cycle making a 128 bit string m. Bits of m are determined by branching; if branch will concatenate 0 and else 1 to the mask m. From m the four 32 bit element mask array M is created.
The secure stream s is now obtained by exclusive or result from Mageto output cells (A) and mask array of four elements (M ): The new mask M is calculated for every evolution cycle and is used as a mask for next cycle.

Mageto Analysis
Mageto-v1; The eSTREAM proposal to strengthen CA MAG was to output just the first byte from the every updated cell. It did not work. CA can continue updating on just that part of the cell without information from the hidden part: • Since the first bytes of A i%a and A i%a are known the first byte of c is known as well because: • Knowing the first byte of c, predicting the next unknown value of the carry c takes guessing the branching outcome. That guess is even easier because of knowledge of the first byte which is compared. This kind of attack is detailed in [10,6]. Two amendments are proposed in [15] to avoid this line of attack. The idea was to alternate extraction points because the original design did not hide the evolution of the first-byte cell. Table 4 shows various extraction patterns for the proposed MAG secure stream. The first amendment (second-row Table 4) is broken as well. The one gap between exposed bytes of the cell did not prevent the same attack although the guessing cost was increased [12]. The second amendment (third-row Figure 4) does have three gaps between visible bytes and is still resisting analysis.

Series of bytes used in the stream
Mageto-v2; The result from exclusive or of two Mageto streams is secure stream s. The relevant relations of knowns and unknowns are shown below. Stream s is known and streams α and β and carry c are unknown.
Both relations are used to attack Mageto Subsection 3.1 [10,6]. Additional streams could be included to strengthen two stream variant. The combination of three Mageto streams producing secure stream might look like: Mageto-v3; The relations with known s only are shown below concerning the Mageto attacks [10,6].

Mageto Advantages
In this section a few important Mageto features are discussed. One highlight is applicability with the respect to various hardware platforms. There is also Mageto resistance to the side channel attack and Mageto flexibility to the inputs other than key.

Mageto Implementation and Performance
Three Mageto cipher variants are presented: • Mageto-v1 from subsection 3.1 is the simplest. For producing one byte, only the set of operations from Table 5 are needed plus the overhead of extracting byte from the cell A and array navigation. The array containing Mageto cells is only 512 bytes in size and with the mentioned set of operation, lowers the entry hardware requirements bar significantly. That includes a wide array of IoT implementations. The Mageto-v1 performance, the same efficiency as mag-v1, is very comparable with AES, see Table 6.
• Mageto-v2 approach subsection 3.2, is a little bit more complex. On the other hand, efficiency is improved. By roughly doubling effort, output Mageto single cell update  Table 6: An extract of eSTREAM software performance table [11].
increases four times. That is 4 bytes per 2 CA steps comparing 1 byte per 1 CA step (subsection 3.1). There are other ways to improve performance. One way relies on the fact that combining streams could be created in parallel. By that technique performance is 4 bytes / 1 CA step (2 steps in parallel). This technique also enables adding streams if needed without affecting performance. Another efficiency approach could be increasing the size of the CA cell from 32 to 64 bits producing 8 bytes per step. For details see Table 7.  • Mageto-v3 from subsection 3.3 is a notch more complex than previous variants. Developing mask for each evolution step is the reason. This approach also improves performance concerning Mageto-v1. That improvement does not need parallelism. Although Mageto-v3 is relatively more complex, it is still significantly simpler than AES from a hardware and software point of view, delivering better performance. Table 1 shows mag-v3 (the same as Mageto-v3) 64-bit implementation versus AES and other primitives. Table 7 shows performances between various Mageto variants where one step from Table 5 produces 1 − 8 bytes towards secure stream depending on the variant used.

Side Channel Resistance
When discussing side channel attack on AES, the quite often cited work [2] cannot be avoided. There is an assertion mentioned in the abstract that attacks come from the AES design flaw rather than AES implementation. Furthermore, this report is also a call for research into functions with constant time execution.
Mageto as CA appears to have the rule which runs in constant time, but some attention is still needed. When implementing Mageto in SCA resistant mode, the algorithm branching structure should be addressed. There are two issues: • The first one is to compare secret cells in constant time. By measuring comparing operations, some properties of the Mageto cells could be determined. For example, comparing the equal cells byte by byte will take the longest time to execute. The solution is to use constant time comparison functions. Some cases can be found here [4]. Note, the solutions are not entirely portable therefore finished program assemblies for particular hardware should be checked for correctness in any case. •

Input Flexibility
Generally, there is a requirement of an initialisation vector (IV) in symmetrical encryption. For example, AES CBC (AES in Cipher Block Chaining) needs a unique 128 bit IV for every message processing. If more than 128 bit IV is required for some reason, the key derivation function (KDF) is necessary to deliver properly sized key and IV.
In that respect, Mageto allows an additional 480 bytes for a nonce, salt, pepper and so on... if needed. It can be used for resisting various repeat attacks for example. That can be accomplished without using KDF as it is the case with AES.

Conclusion
Mageto offers an entirely new cryptographic primitive. It has a straightforward and compact implementation. It also provides SCA resistance which is very important for not physically secured hardware such as IoT. Variant Mageto-v1 also benefits from the fact that its predecessor mag-v1 had in-depth analysis and remains secure [12]. Where the first argument 1024 represents how many cells are sent to the standard output (4096 bytes). The second argument is the seed entropy0 and > entropy0.raw redirects standard output to the file. Figure 5 and 6 are showing graphical representations of the outputs when input differs by one bit only. The seeds are strings "entropy0" and "entropy1" respectively. Every pixel is one byte shown in 8-bit grayscale.