CELLULAR AUTOMATA BASED KEY AGREEMENT

Debdeep Mukhopadhyay

Department of Computer Science and Engineering

Indian Institute of Technology, Kharagpur, India

Dipanwita RoyChowdhury

Department of Computer Science and Engineering

Indian Institute of Technology, Kharagpur, India

Keywords:

Cellular Automata, Key Agreement, Random Oracles, one-way function.

Abstract:

This paper proposes a new key agreement protocol using Cellular Automata (CA). The primitives on which the

protocol is based has been developed using specially designed CA structures. The paper aims at developing a

key agreement technique which is not based on the Difﬁe-Hellman problem. The removal of exponentiations

makes the protocol fast and have a linear time complexity. The protocol has been found to resist known forms

of attacks. Indeed the initial review promises the development of a key agreement protocol which meets nicely

the conﬂicting ends of security and efﬁciency.

1 INTRODUCTION

Authentication and key establishment are fundamen-

tal building blocks for securing electronic commu-

nication. Cryptographic algorithms, for encryption

and decryption cannot perform their speciﬁed func-

tions unless secure keys have been established. Key

establishment (A.Menezes and Vanstone, 1996) is

a process or protocol whereby a shared secret be-

comes available to two or more parties, for subse-

quent cryptographic use. Key agreement mechanism

is a key establishment technique in which a shared

secret is derived by two or more parties as a func-

tion of information contributed by or associated with

each of these (ideally) such that no party can predeter-

mine the resulting value. Since the seminal paper of

Difﬁe and Hellman (W.Difﬁe and M.Hellman, 1976)

in 1976, several solutions have been proposed for key

agreement whose security lies on the Difﬁe-Hellman

problem (either computational or decisional) in ﬁnite

groups. However modular exponentiation is an ex-

pensive operation. Despite the increase in availabil-

ity of computational resources considerable demand

exists in the development of protocols that can be

implemented on devices with limited computational

power. Applications of such type being mobile hand-

sets, handheld devices, embedded hardware and smart

cards.

In this paper we propose a Cellular Automata (CA)

based key agreement protocol. Cellular Automaton

has a regular, cascadable and modular structure thus

giving scope to efﬁcient implementation(Chaudhuri

et al., 1997). The paper shows a CA based technique

to implement a k-bit to k-bit trapdoor permutation f

which is used to build an encryption function which

is secured under the Random Oracle (RO) model (Mi-

hir Bellare and Phillip Rogaway, 1994). The en-

cryption function is used in combination with a spe-

cially designed Cellular Automaton called Two Pre-

decessor Single Attractor Cellular Automata (TPSA-

CA) to derive a common secret key K

. Comple-

mented Cellular Automaton has been characterized

in (Mukhopadhyay and RoyChowdhury, 2004). This

characterization has been extended in the present pa-

per where the complemented CA has been used to de-

velop a technique to vary the key at a very fast rate.

As a matter of general principle it is not possible

to establish an authenticated session key without ex-

isting secure channel already being available. In fact

this statement has been stated formally and proved to

be correct(Boyd, 1993). The proposed protocol also

assumes the existence of an ofﬂine server which pro-

vides certiﬁed long term keys to the principals. It

may be noted that these long term keys are used to

encrypt random bit strings and are also used only in

the key-establishment phase. But the resultant of the

agreement protocol is a session-key which is used to

encrypt ﬁles of ﬁxed formats (like bmp ﬁles or jpeg

ﬁles). Also they are used for bulk encryption and

so are more amenable to cryptanalysis. Thus they

262

Mukhopadhyay D. and RoyChowdhury D. (2005).

CELLULAR AUTOMATA BASED KEY AGREEMENT.

In Proceedings of the Second International Conference on e-Business and Telecommunication Networks, pages 262-267

DOI: 10.5220/0001412402620267

 SciTePress

are required to be altered frequently(Boyd and Math-

uria, 2003). The complemented CA rules and the one

way function provide a way to vary the key frequently

which is presented in the paper. The proposed proto-

col has been shown to be secured in the face of known

attacks. The removal of the exponentiation opera-

tion leads to huge computational savings. Keys can

be guaranteed to be random even if one of the inputs

become known - a property lacking in D-H based pro-

tocols(Boyd and Mathuria, 2003).

The outline of the paper is as follows: Section 2 de-

velops the CA based primitives for the key agreement

protocol. Section 3 proposes the key agreement proto-

col using the CA based primitives. Section 4 discusses

the security of the scheme and the work is concluded

in section 5.

2 CA BASED PRIMITIVES FOR

THE KEY AGREEMENT

PROTOCOL

Key agreement protocols require the strength of their

underlying primitives. The basic components (prim-

itives) on which the present agreement protocol de-

pends are enumerated below:

1. A CA based Encryption function

2. A CA based Agreement function which uses the

information contributed by the two principles

3. A CA based function for varying the session key at

a very fast rate

In the following subsections the cryptographic primi-

tives are explained.

2.1 CA based encryption function

In (Mihir Bellare and Phillip Rogaway, 1994) Bellare

and Rogaway have proved that under the Random Or-

acle (RO) model the following encryption is semanti-

cally secured.

G,H

(x)=f(x + G(r)||r + H(x + G(r))

Here, + indicates the bitwise exor operation and || in-

dicates the string concatenation. The message to be

encrypted is a k bit binary sequence and r is a ran-

dom k bit number. In the above expression H and G

are random oracles and f is a trapdoor permutation.

In the RO model it is assumed that H and G are func-

tions truly returning random values each time, except

that it always return the same output when the input

is same. They are a k bits → k bits pseudo-random

permutations. In our construction f is chosen as a CA

based one-way permutation which operates on 2k bits

and produces a 2k bits output. The functions H and

G are realised using CA based structures which are

known to be excellent pseudo-random number gener-

ators(Chaudhuri et al., 1997; Hortensius et al., 1989).

Security is based on the reasoning that if an adver-

sary A can break the encryption scheme with some

success probability, then there is an algorithm M

which can invert the underlying trapdoor permuta-

tion f with comparable probability and time. So, ﬁrst

we outline the CA based one way function, which is

based on simple rules, thus leading to efﬁcient imple-

mentations.

2.1.1 One Way function based on Simple Rules

A function f is one-way if

1. It is polynomial time computable

2. It is hard to invert i,e no polynomial time algorithm

can ﬁnd any pre-image of f(x).

Let the input of the one way function be X =

n−1

n−2

,...,x

} and the output is Y =

n−1

n−2

,...,y

We deﬁne a state transition by the following func-

tion:

= x

n+1

+(x



n−1

)

Here, the bar symbol indicates the bitwise comple-

ment,



indicates the bitwise or operator and + indi-

cates the bitwise exor operator. The cellular automa-

ton has a zero boundary condition, i,e x

−1

= x

=0.

Thus the output Y can be easily constructed from X

but the inverse is hard. A mapping x → φ(x) is called

invertible if φ(x)=φ(y) iff x = y. According to that

deﬁnition the present function is not invertible.

However, the function (state transition) can be eas-

ily inverted if the value of x

is known. Thus depend-

ing on x

there can be two values (pre-images) of Y .

If such a transformation is used 2 times any output

state can have 2

pre-images with equal probability

if the last bits of the transformation are random to

an adversary. Thus if the transformation is repeated

n number of times there can be 2

pre-images with

equal probability. Inorder to decrypt we have a key r

(which is a long term key in our algorithm). The bits

of r are exored to the 0

bit slices of all the stages of

the transformation. The information is sent as a part

of the encrypted message. The part of the message is

called the trap-pad (denoted by P ). The application

of the above transition one time is denoted by N (X)

and for n times by N

(X). Thus we construct the

one-way function with the trapdoor as follows:

Y = N

(X)=N

n−1

n−2

,...,x

)

The 0

bit slices at all the stages of the transfor-

mation are stored in an n bit register. Thus P =

([N(X)]

+ r

, [N

(X)]

+ r

,...,[N

n−1

(X)]

n−1

). Thus the one way permutation is denoted by

{P, Y } = {P, N

(X)}

CELLULAR AUTOMATA BASED KEY AGREEMENT

263

Thus any principal (party) with a valid long term

key (r) can easily decrypt the sequence and obtain X

while for an adversary all the pre-images are equally

probable.

2.2 Two Predecessor Single

Attractor Cellular Automata

(TPSA-CA) Based Function

TPSA CA are a special class of non-group CA in

which the state transition graph forms a single in-

verted binary routed tree at all zero state. The CA

has been characterized in (Chaudhuri et al., 1997) and

has been used in the current protocol to develop an

efﬁcient technique to agree on the key for the ﬁrst

time. These CA are characterized by the fact that

every reachable state in the state transition graph has

exactly two predecessors. The only cyclic state is the

all zero state (for a non-complemented TPSA CA),

which is an attractor (or graveyard). Corresponding

to a TPSA CA M

and a state S, there exists a com-

plemented CA M

with state S as an attractor. If the

characteristic matrix M

be indicated by T

and it is

required to build a complemented TPSA CA such that

S is the graveyard (attractor) then the characteristic

matrix of the complemented CA, T

is related to T

(X)=T

(X)+(I + T

where X is the seed to the CA.

2.2.1 How TPSA CA provides key freshness?

The state transition graph of an n bit TPSA Cellular

Automaton is shown in ﬁgure 1. Given two inputs

A and B the path between the points are noted. The

path between A and B, with both ends included give a

list of indices that forms a set. For a given TPSA CA

we have a unique path between A and B. However

the path depends on the graveyard state, which can

be changed as already mentioned. The elements of

the path is used to return the modulo-2 sum of the se-

lected numbers which form elements of the list. Since

the state transition depends on the graveyard state and

all the states can be made the graveyard, all the paths

and ﬁnal sum are possible for a given pair of A and

B. It may be noted that for an n bit TPSA Cellu-

lar Automaton the path between A and B has atmost

2n elements i,e twice the depth of the inverted binary

tree. So, the computation of the output sum can take

place in linear time (O(n)).

The ﬁnal sum of the path is the agreed key K

which is the output of the contributions of the two

parties, say N

and N

. Mathematically, K

TPSA(N

), where TPSA is the TPSA CA

based function explained. Since the transition char-

acteristic T of the TPSA CA is not invertible (note

the graph) if the ﬁnal path sum and one of the inputs

say N

is known then it is not possible to calculate

the other element N

without exhaustive search. This

prevents a principal B to calculate the value of N

that he can force the value of N

and N

to output

an old key (old sum). Such type of function provides

key-freshness to the key.

2.3 CA based function for varying

the key

In this subsection we provide the properties of a spe-

cial type of complemented Cellular Automaton which

is used to vary the key at a fast rate.

One of the rules of Cellular Automata (

T ) is rule

153, (Chaudhuri et al., 1997). The present section

characterizes the CA with rule 153. It is known that if

a cellular automaton with rule 153 is fed with an ini-

tial seed of X, then the cellular automaton produces

an output

T (X)=T (X)+IF, where I is a unit ma-

trix and F is all one vector. Hence, we have X,

T (X)

and

(X) members of the same cycle. Physically,

an n-cell uniform CA having rule 153 evolves with

equal number of cyclic states. The CA has some re-

markable properties. The CA evolves equal lengths

and the length for an n-cell CA grows linearly with

the number of cells.

The following theorem characterizes a CA based

on the rule

T .

Theorem 1

(Mukhopadhyay and RoyChowdhury,

2004) The length of cycle for an n-cell CA, having

rule

,is

l =

logn+1

≥

(1)

2.3.1 Generalisation of 153 CA

The above characterization for the Cellular Automa-

ton is for rule 153. Similarly, it may be proved that

the same characterization holds for generalised Cel-

lular Automata with characteristic matrix, T

where

= A.(T ).A

−1

. In order to relate the state spaces of

the generalised CA, we deﬁne two rules:

R1(X)=X +

(X)+T

(X)

and, R2(X)=X +

(X)+T

(X)

It may be proved that for a and b randomly cho-

sen indices,

R1R2(T

(X)) = T

R2R1(T

(X)).

Every element, X of a cyclic subspace when mapped

by the rule R1 (or R2) gives another cycle. The rules

or the properties of the CA are used to migrate from

one cyclic subspace generated by T

to another. The

inter-relations promise the development of CA-based

algorithms used to develop an agreement property,

which is illustrated in ﬁgure 2.

ICETE 2005 - SECURITY AND RELIABILITY IN INFORMATION SYSTEMS AND NETWORKS

264

.............

n/2

Attractor (Graveyard)

Figure 1: The state transition graph of a TPSA CA

2.3.2 Regeneneration of session keys

Key freshness is important, that is the key should

change frequently. Thus less data is encrypted by the

same key, so that the eavesdropper has lesser proba-

bility of success. Further the amount of damage done

due to the revelation of a key is reduced if the key is

frequently changed.

The class of the group CA characterized with the

matrix T

exhibit an interesting agreement property.

Figure 2 shows the state space cycles. P1 is an ini-

tial point of agreement of two parties. After the ini-

tial agreement both takes up different paths (as shown

by the dashed and the solid lines). It is certain from

the above results both the paths converge again at P2

which is the second point of collision or agreement.

This property promises the development of an efﬁ-

cient agreement protocol using Cellular Automata.

3 ESSENTIALS OF THE

PROTOCOL

The Cellular Automata based key agreement protocol

is presented in this section. The two parties A and B

exchange messages to derive a ﬁnal key K

Message 1: A → B , E

(A, N

,Z)

Message 2: A ← B , E

(B,N

),x

Message 3: A → B , x

The terms used in the protocol are explained next.

• Principal A uses the CA based encryption scheme

(proposed in section 2.1) to encrypt the identiﬁer A

i,e E

, the nonce N

and the secret graveyard state

Z on which the state transition graph of the TPSA

CA is dependent. The encrypted text has a trappad

P which in combination with B’s long term key is

used by B to decrypt the ciphertext and obtain the

secret graveyard (explained in section 2.1.1).

• B then sends his contribution N

to A using the

CA based encryption function (i,e E

). Mean-

while, B computes the shared key K

by using

the TPSA CA based on the secret graveyard state.

The values of N

and N

are as outlined in sec-

tion 2.2. B also generates a random number r

and

computes a value x

= R2[T

+f(K

)],

where f is the CA based one way function and T

the generalised Cellular Automaton characterized

in section 2.3.2. B then sends back x

to A who

also uses the values of N

and Z to compute

the value of K

• A also generates a random number r

and calcu-

lates x

= R2[T

+ f (K

)]. The value

of x

is then sent to B.

Using the following theorem (agreement property)

both A and B can continnue to generate new keys at

a very fast rate.

Theorem 2 A

computes

from the knowledge of

(the public information),

(the private informa-

tion) and the initially agreed key

computes

from the knowledge of

(the public informa-

tion),

(the private information) and the initially

agreed key

. Then

, thus they both agree

on a new derived key.

CELLULAR AUTOMATA BASED KEY AGREEMENT

265

R1R2

P1 (Agreement

P2 (Agreement 2)

Figure 2: Agreement Property of the State Spaces

Proof: The proof follows directly from the char-

acterization presented in the previous section. A cal-

culates K

= T

[R1{R2[T

+ f (K

))}]

and B computes K

= T

[R2{R1[T

f(K

))}]. From the property of the generalised au-

tomata, K

= K

. Thus they both agree on a new key.



4 SECURITY ASPECTS OF THE

PROTOCOL

The key agreement protocol’s security is dependent

on the security of CA based encryption and the

pseudo-randomness of the CA based functions x

and x

(generated using T

The CA based encryption is secured under the Ran-

dom Oracle method (Mihir Bellare and Phillip Rog-

away, 1994). The security of the encryption is based

on the security of the underlying CA based one way

function. For an adversry who does not have the se-

cret information (long-term key) all the elements can

be preimages of the output f (x) with equal probabil-

ity.

A TPSA CA based function is used to derive the

agreed key K

. Since the graveyard state Z is kept

secret from the adversary this function helps in de-

riving the key with freshness property (explained in

subsection 2.2).

Finally the pseudo-randomness of x

and x

has

been veriﬁed using standard tests for randomness. In

ﬁgure 3 the results of the avalanche analysis has been

presented. The Avalanche Test is based upon the fact

that a 1-bit change in the plain text should produce a

radical change in the ciphered text (Stallings, 2003).

A pair of input sequences have been taken and the

function is applied upon both of them. The number of

bit-differences in the output sequence are noted. The

mean of the distribution should be n/2 and the stan-

dard deviation,

√

npq, where n is the block-size and

p=q=1/2 (binomial probability). The key-agreement

protocol has been simulated on large number of data

and derived keys have been observed pairwise. The

results have been found to comply with the expected.

The randomness of the values x

and x

can also

be proved if it is assumed that r

and r

are ran-

dom. The randomness of the values are further en-

hanced by the use of the CA based one way func-

tion which is a slight variant of rule 30 CA (which

is known to be a powerful random sequence genera-

tor (Wolfram, 1983). Also the generalisation of the

153 CA shows how the randomness can be varied by

constructing various T

’s where the characterization

and agreement properties are still valid. It has been

checked that the protocol prevents known attacks like

replay attacks, known key attacks and triangle attacks.

5 CONCLUSION

The paper proposes a Cellular Automata based key

agreement protocol. The protocol is based on CA

based primitives which have been developed in the

paper. The security of the key agreement protocol

is based on the security of a CA based encryption

scheme which is secured under the Random Oracle

Method. Since the protocol does not have any expo-

nentiation operation and is based on simple rules the

technique can be used to generate session keys at a

very fast rate. It has been checked that the protocol

prevents known attacks like replay attacks, known key

ICETE 2005 - SECURITY AND RELIABILITY IN INFORMATION SYSTEMS AND NETWORKS

266

Figure 3: Avalancle Test Results

attacks and triangle attacks. However the history of

agreement protocols obviates the necessity of formal

proofs of such protocols and is currently underway.

REFERENCES

A.Menezes, P. V. O. and Vanstone, S. (1996). Handbook

of Applied Cryptography, chapter 12, pages 489–541.

CRC Press.

Boyd, C. (1993). Hidden assumptions in cryptographic pro-

tocols. IEEE Journal of Selected Areas in Communi-

cations, 11(5):694–701.

Boyd, C. and Mathuria, A. (2003). Protocols for Authenti-

cation and Key Establishment, chapter 5, pages 138–

199. Springer.

Chaudhuri, P. P., Chowdhury, D., Nandi, S., and Chattopad-

hyay, S. (1997). Additive Cellular Automata Theory

and its Application, volume 1, chapter 4. IEEE Com-

puter Society Press.

Hortensius, P. D. et al. (1989). Cellular automata based

pseudo-random number generators for built-in self-

test. 8(8):842–859.

Mihir Bellare and Phillip Rogaway (1994). Optimal Assy-

metric Encryption-How to Encrypt with RSA. In Ad-

vances in Cryptology-Eurocrypt 1994. Lecture Notes

in Computer Science, Vol. 950, Springer Verlag.

Mukhopadhyay, D. and RoyChowdhury, D. (2004). Char-

acterization of a class of complemented group cellular

automata. In In the Proceedings of ACRI 2004, LNCS

3305. University of Amsterdam, Science Park Ams-

terdam, The Netherlands.

Stallings, W. (2003). Cryptography and Network Security.

Prentice Hall.

W.Difﬁe and M.Hellman (1976). New Directions in Cryp-

tography. In IEEE Transactions on Information The-

ory (22), pages 644–654. IEEE.

Wolfram, S. (1983). Statistical mechanics of cellular au-

tomata. Rev. Mod. Phys., 55(3):601–644.

CELLULAR AUTOMATA BASED KEY AGREEMENT

267