Constructing Orthogonal Latin Squares from Linear Cellular Automata
arXiv [cs.DM], Oct
Luca Mariot (1,2), Enrico Formenti (2) and Alberto Leporati (1)

(1) Dipartimento di Informatica, Sistemistica e Comunicazione, Università degli Studi di Milano-Bicocca, Viale Sarca 336, 20126 Milano, Italy, {luca.mariot,alberto.leporati}@unimib.it
(2) Laboratoire I3S, Université Nice Sophia Antipolis, 2000 Route des Lucioles, 06903 Sophia Antipolis, France, {mariot,enrico.formenti}@i3s.unice.fr
Abstract. We undertake an investigation of combinatorial designs engendered by cellular automata (CA), focusing in particular on orthogonal Latin squares and orthogonal arrays. The motivation is of cryptographic nature. Indeed, we consider the problem of employing CA to define threshold secret sharing schemes via orthogonal Latin squares. We first show how to generate Latin squares through bipermutive CA. Then, using a characterization based on Sylvester matrices, we prove that two linear CA induce a pair of orthogonal Latin squares if and only if the polynomials associated to their local rules are relatively prime.
Keywords: cellular automata · secret sharing schemes · Latin squares · orthogonal arrays · Sylvester matrices · bipermutivity · linearity

Introduction

Secret sharing schemes (SSS) are a cryptographic primitive underlying several protocols such as secure multiparty computation [2] and generalized oblivious transfer [11]. The basic scenario addressed by SSS considers a dealer who wants to share a secret $S$ among a set of $n$ players, so that only certain authorized subsets of players specified in an access structure may reconstruct $S$. In a $(t, n)$-threshold scheme, at least $t$ out of $n$ players must combine their shares in order to recover $S$, while coalitions with fewer than $t$ participants learn nothing about the secret (in an information-theoretic sense). Recently, a SSS based on cellular automata (CA) has been described in [6], where the shares are represented by blocks of a CA configuration. The main drawback of such a proposal is that the access structure has a sequential threshold: in addition to having at least $t$ players, the shares of an authorized subset must also be adjacent blocks, since they are used to build a spatially periodic preimage of a CA. In order to design a CA-based SSS with an unrestricted threshold access structure, in this paper we take a different perspective that focuses on combinatorial designs. Indeed, it is known that threshold schemes are equivalent to orthogonal arrays (OA), and for $t = 2$ to mutually orthogonal Latin squares (MOLS). The aim of this work is to begin tackling the design of a CA-based threshold scheme by investigating which CA are able to generate orthogonal Latin squares.
To this end, we first show that every bipermutive cellular automaton of radius $r$ and length $2m$ induces a Latin square of order $q^m$, where $q$ is the cardinality of the CA state alphabet and $m$ is any multiple of $2r$. We then investigate which pairs of bipermutive CA induce orthogonal Latin squares, by first observing through some experiments that only some pairs of linear CA seem to remain orthogonal upon iteration. We thus prove that the orthogonality condition holds if and only if the Sylvester matrix built by juxtaposing the transition matrices of two linear CA is invertible, i.e. if and only if the polynomials associated to their local rules are relatively prime. Finally, we show what the consequences of this result are for the design of CA-based threshold schemes, remarking that the dealer can perform the sharing phase by evolving a set of linear CA.

The remainder of this paper is organized as follows. Section 2 covers the preliminary definitions and facts about cellular automata, Latin squares, orthogonal arrays and secret sharing schemes necessary to describe our results. Section 3 presents the main contributions of the paper, namely the proof that a pair of linear CA induce orthogonal Latin squares if and only if the associated polynomials are coprime. Finally, Section 4 puts the results in perspective, and discusses some open problems for further research on the topic.

(Footnote) This work is a slightly modified version of an exploratory paper presented at AUTOMATA 2016. Original version available at: http://openit.disco.unimib.it/~mariot/mfl_short_paper_automata_2016.pdf
Preliminaries

In this work, we consider one-dimensional CA as finite compositions of functions, as the next definition summarizes:
Definition 1. Let $n, r, t$ be positive integers such that $t < \lfloor n/2r \rfloor$, and let $f: A^{2r+1} \to A$ be a function of $2r+1$ variables over a finite set $A$ of $q \in \mathbb{N}$ elements. The cellular automaton (CA) $\langle n, r, t, f \rangle$ is a map $F: A^n \to A^{n-2rt}$ defined by the following composition of functions:

$$F = F_{t-1} \circ F_{t-2} \circ \cdots \circ F_1 \circ F_0, \quad (1)$$

where for $i \in \{0, \cdots, t-1\}$ the function $F_i: A^{n-2ri} \to A^{n-2r(i+1)}$ is defined as

$$F_i(x) = \big( f(x_0, \cdots, x_{2r}),\ f(x_1, \cdots, x_{2r+1}),\ \cdots,\ f(x_{n-2r(i+1)-1}, \cdots, x_{n-2ri-1}) \big), \quad (2)$$

for all $x = (x_0, \cdots, x_{n-2ri-1}) \in A^{n-2ri}$. In particular $n$, $r$ and $f$ are respectively called the length, the radius and the local rule of the CA, while for all $i \in \{0, \cdots, t-1\}$ the function $F_i$ is called the global rule of the CA at step $i$.

In some of the results proved in this paper we assume that the state alphabet $A$ is a finite field, i.e. $A = \mathbb{F}_q$ for $q = p^\alpha$ where $p$ is a prime number and $\alpha \in \mathbb{N}$.

A local rule $f: A^{2r+1} \to A$ is rightmost permutive (respectively, leftmost permutive) if, by fixing the values of the first (respectively, last) $2r$ variables, the resulting restriction on the rightmost (respectively, leftmost) variable is a permutation over $A$. A local rule which is both leftmost and rightmost permutive is bipermutive, and a CA $F$ whose local rule is bipermutive is a bipermutive CA.

Denoting by $+$ and $\cdot$ respectively sum and multiplication over the finite field $\mathbb{F}_q$, a local rule $f: \mathbb{F}_q^{2r+1} \to \mathbb{F}_q$ is linear if there exist $a_0, a_1, \cdots, a_{2r} \in \mathbb{F}_q$ such that

$$f(x_0, x_1, \cdots, x_{2r}) = a_0 x_0 + a_1 x_1 + \cdots + a_{2r} x_{2r}. \quad (3)$$

Analogously, a CA $F$ whose local rule is linear is called a linear (or additive) CA. Notice that a linear rule is bipermutive if and only if both $a_0$ and $a_{2r}$ are not null. The polynomial associated to a linear rule $f: \mathbb{F}_q^{2r+1} \to \mathbb{F}_q$ with coefficients $a_0, \cdots, a_{2r}$ is defined as

$$p_f(X) = a_0 + a_1 X + \cdots + a_{2r} X^{2r} \in \mathbb{F}_q[X]. \quad (4)$$

In a linear CA $\langle n, r, t, f \rangle$ with local rule $f$ defined by the coefficients $a_0, \cdots, a_{2r} \in \mathbb{F}_q$, the global rule $F_i: \mathbb{F}_q^{n-2ri} \to \mathbb{F}_q^{n-2r(i+1)}$ at step $i \in \{0, \cdots, t-1\}$ is a linear application defined by the following matrix of $n - 2r(i+1)$ rows and $n - 2ri$ columns:

$$M_{F_i} = \begin{pmatrix} a_0 & \cdots & a_{2r} & 0 & \cdots & \cdots & 0 \\ 0 & a_0 & \cdots & a_{2r} & 0 & \cdots & 0 \\ \vdots & & \ddots & & \ddots & & \vdots \\ 0 & \cdots & \cdots & 0 & a_0 & \cdots & a_{2r} \end{pmatrix}. \quad (5)$$

Thus, the global rule $F_i$ is defined as $F_i(x) = M_{F_i} x^\top$ for all $x \in \mathbb{F}_q^{n-2ri}$, and the composition $F$ corresponds to the multiplication of the matrices $M_{F_{t-1}} \cdots M_{F_0}$.

Consider now the case where $n = 2rt + 1$. The CA $F$ maps vectors of $2rt + 1$ elements to a single element of $A$. We call this particular function the $t$-th iterate of rule $f$, and we denote it by $f^t$. This leads to the following equivalence:

Lemma 1.
Let $F: A^n \to A^m$ be a $\langle n, r, t, f \rangle$ CA with local rule $f: A^{2r+1} \to A$ such that $n = mk$ and $m = 2rs$ for $k, s \in \mathbb{N}^+$, and $t = m(k-1)/2r$. Then, $F$ is equivalent to the iterated CA $\langle n, rt, 1, f^t \rangle$ with map $F^{(t)}: A^n \to A^m$, i.e. for all $x = (x_0, \cdots, x_{n-1}) \in A^n$ it holds that

$$F(x) = F^{(t)}(x) = \big( f^t(x_0, \cdots, x_{2rt}),\ f^t(x_1, \cdots, x_{2rt+1}),\ \cdots,\ f^t(x_{n-2rt-1}, \cdots, x_{n-1}) \big). \quad (6)$$

In particular, if $f: \mathbb{F}_q^{2r+1} \to \mathbb{F}_q$ is linear with associated polynomial $p_f(X)$, one can show (see e.g. [4]) that $f^t: \mathbb{F}_q^{2rt+1} \to \mathbb{F}_q$ is linear for all $t \in \mathbb{N}$, and its polynomial equals

$$p_{f^t}(X) = [p_f(X)]^t. \quad (7)$$

Thus, the coefficients of the iterated linear rule $f^t$ are simply the coefficients of the polynomial $p_f(X)^t$.

We recall only some facts about Latin squares and orthogonal arrays which are relevant for threshold schemes, following the notation of Stinson [10].
Definition 2 (Latin square). Let $X$ be a finite set of $v \in \mathbb{N}$ elements. A Latin square of order $v$ over $X$ is a $v \times v$ matrix $L$ with entries from $X$ such that every row and every column is a permutation of $X$. Two Latin squares $L_1$ and $L_2$ of order $v$ defined over $X$ are orthogonal if $(L_1(i_1, j_1), L_2(i_1, j_1)) \neq (L_1(i_2, j_2), L_2(i_2, j_2))$ for all $(i_1, j_1) \neq (i_2, j_2)$. In other words, $L_1$ and $L_2$ are orthogonal if by superposing them one obtains all pairs of the Cartesian product $X \times X$. A collection of $k$ Latin squares $L_1, \cdots, L_k$ of order $v$ which are pairwise orthogonal is called a set of $k$ mutually orthogonal Latin squares (MOLS).

Definition 3 (Orthogonal array).
Let $X$ be a finite set of $v$ elements, and let $t$, $k$ and $\lambda$ be positive integers such that $t \leq k$. A $t$-$(v, k, \lambda)$ orthogonal array ($t$-$(v, k, \lambda)$-OA, for short) is a $\lambda v^t \times k$ rectangular matrix with entries from $X$ such that, for any subset of $t$ columns, every $t$-uple $(x_1, \cdots, x_t) \in X^t$ occurs in exactly $\lambda$ rows.

A $t$-$(v, k, 1)$-OA can be used to implement a $(t, n)$-threshold scheme with $n = k - 1$ players $P_1, \cdots, P_{k-1}$ as follows. The dealer randomly chooses with uniform probability the secret $S$ from the support set $X$ and a row $A(i, \cdot)$ in the OA such that the last component equals $S$. Next, for all $j \in \{1, \cdots, k-1\}$ the dealer distributes to player $P_j$ the share $s_j = A(i, j)$. Since the array is orthogonal with $\lambda = 1$, any subset of $t$ players $P_{j_1}, \cdots, P_{j_t}$ can recover the secret, the reason being that the shares $(s_{j_1}, \cdots, s_{j_t})$ form a $t$-uple which uniquely identifies row $A(i, \cdot)$. Conversely, suppose that $t - 1$ players $P_{j_1}, \cdots, P_{j_{t-1}}$ try to determine the secret. Then, the $(t-1)$-uple $s = (s_{j_1}, \cdots, s_{j_{t-1}})$ occurs in the columns $j_1, \cdots, j_{t-1}$ in $v$ rows of the array. By considering also the last column, one obtains a $t$-uple $(s_{j_1}, \cdots, s_{j_{t-1}}, A(i_h, k))$ for all $1 \leq h \leq v$. Since $\lambda = 1$, it must be the case that all these $t$-uples are distinct, and thus they must differ in the last component. Hence, the $v$ rows where the $(t-1)$-uple $(s_{j_1}, \cdots, s_{j_{t-1}})$ appears determine a permutation on the last column, and thus all the values for the secret are equally likely.

When $t = 2$ and $\lambda = 1$, the resulting orthogonal array is a $v^2 \times k$ matrix in which every pair of columns contains all ordered pairs of symbols from $X$. In this case, the orthogonal array is simply denoted as $OA(k, v)$, and it is equivalent to a set of $k - 2$ MOLS of order $v$. Indeed, suppose that $L_1, \cdots, L_{k-2}$ are $k - 2$ MOLS of order $v$. Without loss of generality, we can assume that $X = \{1, \cdots, v\}$. Then, consider a matrix $A$ of size $v^2 \times k$ defined as follows:

– The first two columns are filled with all ordered pairs $(i, j) \in X \times X$ arranged in lexicographic order.
– For all $1 \leq i \leq v^2$ and $3 \leq h \leq k$, the entry $(i, h)$ of $A$ is defined as

$$A(i, h) = L_{h-2}(A(i, 1), A(i, 2)). \quad (8)$$

In other words, column $h$ is filled by reading the elements of the Latin square $L_{h-2}$ from the top left down to the bottom right.

The resulting array is an $OA(k, v)$: indeed, let $h_1, h_2$ be two of its columns. If $h_1 = 1$ and $h_2 = 2$, one obtains all pairs of $X \times X$ in lexicographic order. If $h_1 = 1$ (respectively, $h_1 = 2$) and $h_2 \geq 3$, one obtains all pairs because the $h$-th row (respectively, column) of $L_{h_2 - 2}$ is a permutation over $X$. Finally, for $h_2 > h_1 \geq 3$ one obtains all pairs because $L_{h_1 - 2}$ and $L_{h_2 - 2}$ are orthogonal. Due to lack of space, we omit the inverse direction from $OA(k, v)$ to $k - 2$ MOLS.

Main Results
We begin by showing that any bipermutive cellular automaton of radius $r$ and length $2m$ induces a Latin square of order $N = q^m$, under the condition that $m$ is a multiple of $2r$. To this end, we first need some additional notation and definitions. Given an alphabet $A$ of $q$ symbols, in what follows we assume that a total order $\leq$ is defined over the set of $m$-uples $A^m$, and that $\phi: A^m \to [N]$ is a monotone one-to-one mapping between $A^m$ and $[N] = \{1, \cdots, q^m\}$, where the order relation on $[N]$ is the usual order on natural numbers. We denote by $\psi = \phi^{-1}$ the inverse mapping of $\phi$. The following definition introduces the notion of square associated to a CA:

Definition 4. Let $m$, $r$ and $t$ be positive integers such that $m = 2rt$, and let $f: A^{2r+1} \to A$ be a local rule of radius $r$ over alphabet $A$ with $|A| = q$. The square associated to the CA $\langle 2m, r, t, f \rangle$ with map $F: A^{2m} \to A^m$ is the square matrix $S_F$ of size $q^m \times q^m$ with entries from $[N]$ defined for all $1 \leq i, j \leq q^m$ as

$$S_F(i, j) = \phi\big( F(\psi(i) \| \psi(j)) \big), \quad (9)$$

where $\psi(i) \| \psi(j) \in A^{2m}$ denotes the concatenation of the vectors $\psi(i), \psi(j) \in A^m$.

Hence, the square $S_F$ is defined by encoding the first half of the CA configuration as the row coordinate $i$, the second half as the column coordinate $j$ and the output of the CA $F(\psi(i) \| \psi(j))$ as the entry in cell $(i, j)$. The next lemma shows that fixing the leftmost or rightmost $2r$ input variables in the global rules of a bipermutive CA yields a permutation between the remaining variables and the output:

Lemma 2 ([6]).
Let $F: A^n \to A^{n-2rt}$ be a bipermutive CA $\langle n, r, t, f \rangle$ defined by the local rule $f: A^{2r+1} \to A$, and let $F_i: A^{n-2ri} \to A^{n-2r(i+1)}$ be its global rule at step $i \in \{0, \cdots, t-1\}$. Then, by fixing at least $d \geq 2r$ leftmost or rightmost variables in $x \in A^{n-2ri}$ to the values $\tilde{x} = (\tilde{x}_0, \cdots, \tilde{x}_{d-1})$, the resulting restriction $F_i|_{\tilde{x}}: A^{n-2r(i+1)} \to A^{n-2r(i+1)}$ is a permutation.

On account of Lemma 2, we now prove that the squares associated to bipermutive CA are in fact Latin squares. The proof follows the argument laid out in Lemma 2 of [6].

Lemma 3.
Let $f: A^{2r+1} \to A$ be a bipermutive local rule defined over $A$ with $|A| = q$, and let $m = 2rt$ where $t \in \mathbb{N}$. Then, the square $L_F$ associated to the bipermutive CA $\langle 2m, r, t, f \rangle$ with map $F: A^{2m} \to A^m$ is a Latin square of order $q^m$ over $X = \{1, \cdots, q^m\}$.

Proof. Let $i \in \{1, \cdots, q^m\}$ be a row of $L_F$, and let $\psi(i) = x = (x_0, \cdots, x_{m-1}) \in A^m$ be the vector associated to $i$ with respect to the total order $\leq$ on $A^m$. Consider now a vector $c_0 \in A^{2m}$ whose first $m$ coordinates coincide with $x$, and let $c_1 = F_0(c_0)$ be the image of $c_0$ under the global rule $F_0$. Then, by Lemma 2 there is a permutation $\pi_0: A^m \to A^m$ between the rightmost $m$ variables of $c_0$ and the rightmost $m$ ones of $c_1$. Likewise, since the leftmost $m - 2r$ coordinates of $c_1$ are determined by applying the restriction of $F_0$ to $x$, it follows that there exists a permutation $\pi_1: A^m \to A^m$ between the rightmost $m$ variables of $c_1$ and the rightmost $m$ ones of $c_2 = F_1(c_1)$. More in general, since $m$ is a multiple of $2r$, for all steps $i \in \{0, \cdots, t-1\}$ there are always at least $2r$ leftmost variables of $c_i$ determined, and thus by Lemma 2 there is a permutation $\pi_i: A^m \to A^m$ between the rightmost $m$ variables of $c_i = F_{i-1}(c_{i-1})$ and the rightmost $m$ variables of $c_{i+1} = F_i(c_i)$. Consequently, there exists a permutation $\pi: A^m \to A^m$ between the rightmost $m$ variables of $c_0$ and the output value of $F(c_0)$, defined as:

$$\pi = \pi_{t-1} \circ \pi_{t-2} \circ \cdots \circ \pi_1 \circ \pi_0. \quad (10)$$

For all $q^m$ choices of the rightmost $m$ variables of $c_0$, the values at $L_F(i, \cdot)$ are determined by computing $\phi(F(c_0))$. As a consequence, the $i$-th row of $L_F$ is a permutation of $X = \{1, \cdots, q^m\}$. A symmetric argument holds when considering a column $j$ of $L_F$ with $1 \leq j \leq q^m$, which fixes the rightmost $m$ variables of $F$ to the value $\psi(j)$. Hence, every column of $L_F$ is also a permutation of $X$, and thus $L_F$ is a Latin square of order $q^m$. ⊓⊔

As an example, for $A = \mathbb{F}_2$ and radius $r = 1$, Figure 1 reports the Latin square $L_F$ of the bipermutive CA $F: \mathbb{F}_2^4 \to \mathbb{F}_2^2$ with rule 150, defined as $f(x_0, x_1, x_2) = x_0 \oplus x_1 \oplus x_2$.

We now aim at characterizing pairs of CA which generate orthogonal Latin squares. For alphabet $A = \mathbb{F}_2$ and radius $r = 1$, Figure 2 shows the orthogonal Latin squares generated by rule 150 and by rule 90, the latter defined as $f(x_0, x_1, x_2) = x_0 \oplus x_2$. Both rules are linear, and for length $n = 2m = 8$ a computer search among all 256 bipermutive rules of radius 2 yields 426 pairs of CA which generate orthogonal Latin squares of order $2^4 = 16$, among which are both linear and nonlinear rules. However, for length $2m = 16$ only 21 pairs of linear rules still generate orthogonal Latin squares of order $2^8 = 256$. For the case $m = 2r$, the following result gives a necessary and sufficient condition on the CA matrices:

Lemma 4.
Let $F: \mathbb{F}_q^{4r} \to \mathbb{F}_q^{2r}$ and $G: \mathbb{F}_q^{4r} \to \mathbb{F}_q^{2r}$ be linear CA of radius $r$, respectively with linear rules $f(x_0, \cdots, x_{2r}) = a_0 x_0 + \cdots + a_{2r} x_{2r}$ and $g(x_0, \cdots, x_{2r}) = b_0 x_0 + \cdots + b_{2r} x_{2r}$, where $a_0, b_0, a_{2r}, b_{2r} \neq 0$. Additionally, let $M_F$ and $M_G$ be the $2r \times 4r$ matrices associated to the global rules $F = F_0$ and $G = G_0$ respectively, and define the $4r \times 4r$ matrix $M$ as

$$M = \begin{pmatrix} M_F \\ M_G \end{pmatrix} = \begin{pmatrix} a_0 & \cdots & a_{2r} & 0 & \cdots & \cdots & 0 \\ 0 & a_0 & \cdots & a_{2r} & 0 & \cdots & 0 \\ \vdots & & \ddots & & \ddots & & \vdots \\ 0 & \cdots & \cdots & 0 & a_0 & \cdots & a_{2r} \\ b_0 & \cdots & b_{2r} & 0 & \cdots & \cdots & 0 \\ 0 & b_0 & \cdots & b_{2r} & 0 & \cdots & 0 \\ \vdots & & \ddots & & \ddots & & \vdots \\ 0 & \cdots & \cdots & 0 & b_0 & \cdots & b_{2r} \end{pmatrix}. \quad (11)$$

Then, the Latin squares $L_F$ and $L_G$ generated by $F$ and $G$ are orthogonal if and only if the determinant of $M$ over $\mathbb{F}_q$ is not null.

Proof. Denote by $z = x \| y$ the concatenation of vectors $x$ and $y$. We have to show that the function $H: \mathbb{F}_q^{2r} \times \mathbb{F}_q^{2r} \to \mathbb{F}_q^{2r} \times \mathbb{F}_q^{2r}$, defined for all $(x, y) \in \mathbb{F}_q^{2r} \times \mathbb{F}_q^{2r}$ as

$$H(x, y) = (F(z), G(z)) = (\tilde{x}, \tilde{y}) \quad (12)$$

is bijective. Let us rewrite Equation (12) as a system of two equations:

$$\begin{cases} F(z) = M_F z^\top = \tilde{x} \\ G(z) = M_G z^\top = \tilde{y} \end{cases} \quad (13)$$

As $M$ consists of the juxtaposition of $M_F$ and $M_G$, Equation (13) defines a linear system of $4r$ equations in $4r$ unknowns with associated matrix $M$. Thus, we have that $H(x, y) = M z^\top$, and $H$ is bijective if and only if the determinant of $M$ is not null. ⊓⊔

Fig. 1: Example of Latin square of order 4 induced by rule 150. (a) Truth table of $F$; (b) Associated Latin square $L_F$. Mapping $\phi$ is defined on the pairs $00$, $10$, $01$, $11$ in this order.

Fig. 2: Orthogonal Latin squares generated by bipermutive CA with rule 150 and 90. (a) Latin square of rule 150; (b) Latin square of rule 90; (c) Superposed square.
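The construction of Definition 4 and the checks behind Lemma 3 and Lemma 4, as an added Python example over $\mathbb{F}_2$ (not code from the paper): rules 150 and 90 with $r = 1$, $m = 2$ give the squares of Figures 1 and 2, and the same code also covers $t > 1$ and a nonlinear bipermutive radius-2 rule, which Lemma 3 still guarantees is Latin. The mapping $\phi$ is assumed here to be the lexicographic order on $A^m$ (any monotone bijection onto $[N]$ would do); the nonlinear rule is constructed for this example.

```python
from itertools import product

def ca_map(config, rule, r, t):
    """F = F_{t-1} o ... o F_0 of Definition 1: apply the radius-r local rule t times."""
    w = 2 * r + 1
    for _ in range(t):
        config = tuple(rule(config[k:k + w]) for k in range(len(config) - w + 1))
    return config

def ca_square(rule, r, t, q=2):
    """Square S_F of Definition 4 for the CA <2m, r, t, f> with m = 2rt.

    Rows and columns are indexed by A^m through phi, taken here as the
    lexicographic order on m-uples (an assumed choice of monotone bijection)."""
    m = 2 * r * t
    words = list(product(range(q), repeat=m))
    phi = {w: k + 1 for k, w in enumerate(words)}          # A^m -> {1, ..., q^m}
    return [[phi[ca_map(x + y, rule, r, t)] for y in words] for x in words]

def is_latin(square):
    """Every row and every column is a permutation of {1, ..., N} (Definition 2)."""
    symbols = set(range(1, len(square) + 1))
    rows_ok = all(set(row) == symbols for row in square)
    cols_ok = all(set(col) == symbols for col in zip(*square))
    return rows_ok and cols_ok

def are_orthogonal(l1, l2):
    """Superposing the two squares must yield every pair of X x X exactly once."""
    n = len(l1)
    pairs = {(l1[i][j], l2[i][j]) for i in range(n) for j in range(n)}
    return len(pairs) == n * n

# Radius-1 linear bipermutive rules from the paper: 150 (1+X+X^2) and 90 (1+X^2).
rule150 = lambda w: w[0] ^ w[1] ^ w[2]
rule90 = lambda w: w[0] ^ w[2]
# Rule 102 = x1 xor x2 is not leftmost permutive, so Lemma 3 does not apply to it.
rule102 = lambda w: w[1] ^ w[2]
# A nonlinear bipermutive radius-2 rule, constructed for this example:
# x0 xor g(x1, x2, x3) xor x4 with g(x1, x2, x3) = x1*x2 xor x3.
rule_nl = lambda w: w[0] ^ (w[1] & w[2]) ^ w[3] ^ w[4]

if __name__ == "__main__":
    L150, L90 = ca_square(rule150, 1, 1), ca_square(rule90, 1, 1)
    print("rule 150 Latin:", is_latin(L150), " rule 90 Latin:", is_latin(L90))
    print("150 and 90 orthogonal (order 4):", are_orthogonal(L150, L90))
    print("150 and 90 orthogonal (t = 2, order 16):",
          are_orthogonal(ca_square(rule150, 1, 2), ca_square(rule90, 1, 2)))
    print("nonlinear radius-2 rule is Latin:", is_latin(ca_square(rule_nl, 2, 1)))
    print("rule 102 (not bipermutive) is Latin:", is_latin(ca_square(rule102, 1, 1)))
```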
Remark that matrix $M$ in Equation (11) is a Sylvester matrix, and its determinant is the resultant of the two polynomials $p_f(X)$ and $p_g(X)$ associated to $f$ and $g$ respectively. The resultant of two polynomials is nonzero if and only if they are relatively prime (see [5]). Clearly, if $p_f(X)$ and $p_g(X)$ are relatively prime, then for any $t \in \mathbb{N}$ their powers $p_f(X)^t$ and $p_g(X)^t$ will be relatively prime as well. Additionally, $p_f(X)^t$ and $p_g(X)^t$ are the polynomials of the $t$-th iterates $f^t$ and $g^t$. By Lemma 1, the linear CA $\langle 2m, r, t, f \rangle$ and $\langle 2m, r, t, g \rangle$ with maps $F, G: A^{2m} \to A^m$ are equivalent to the linear CA $\langle 2m, rt, 1, f^t \rangle$ and $\langle 2m, rt, 1, g^t \rangle$ with maps $F^{(t)}, G^{(t)}: A^{2m} \to A^m$ for any multiple $m \in \mathbb{N}$ of $2r$. We thus have the following result:

Theorem 1. Let $f, g: \mathbb{F}_q^{2r+1} \to \mathbb{F}_q$ be linear bipermutive rules of radius $r \in \mathbb{N}$. Then, for any $t \in \mathbb{N}$ and $m = 2rt$, the squares $L_F$ and $L_G$ of order $q^m$ respectively associated to the linear CA $\langle 2m, r, t, f \rangle$ with map $F: \mathbb{F}_q^{2m} \to \mathbb{F}_q^m$ and the linear CA $\langle 2m, r, t, g \rangle$ with map $G: \mathbb{F}_q^{2m} \to \mathbb{F}_q^m$ are orthogonal if and only if the polynomials $p_f(X)$ and $p_g(X)$ are relatively prime.

By Theorem 1, one can generate a set of $n$ MOLS of order $q^m$ through linear CA of radius $r$ by finding $n$ pairwise relatively prime polynomials of degree $2r$, where $2r \mid m$. The problem of counting the number of pairs of relatively prime polynomials over finite fields has been considered in several works (see for example [7,1,3]). However, notice that determining the number of pairs of linear CA inducing orthogonal Latin squares entails counting only specific pairs of polynomials, namely those whose constant term is not null.
This is due to the requirement that the CA local rules must be bipermutive. As far as the authors know, this particular version of the counting problem for relatively prime polynomials has not been addressed in the literature, for which reason we formalize it below as an open problem for future investigation:

Open Problem 1. Let $f, g \in \mathbb{F}_q[x]$ be defined as follows:

$$f(x) = a_0 + a_1 x + \cdots + a_{n-1} x^{n-1} + x^n, \qquad g(x) = b_0 + b_1 x + \cdots + b_{n-1} x^{n-1} + x^n,$$

where $a_0 \neq 0$ and $b_0 \neq 0$. Let $P_n^{a,b}$ be the set of pairs $(f, g)$ of all such polynomials, and define $C_n^{a,b}$ as

$$C_n^{a,b} = \{ (f, g) \in P_n^{a,b} : \gcd(f, g) = 1 \}.$$

Then, what is the cardinality of $C_n^{a,b}$?

Given the equivalence between MOLS and OA, Theorem 1 also gives some additional insights on how to design a CA-based secret sharing scheme with threshold $t = 2$.
In particular, suppose that the secret $S$ is a vector of $\mathbb{F}_q^m$, and there are $n$ players $P_1, \cdots, P_n$. The dealer picks $n$ relatively prime polynomials of degree $2r$, and builds the corresponding linear rules $f_1, \cdots, f_n$ of radius $r$. For practical purposes, the dealer could settle for $n$ irreducible polynomials, for which there exist several efficient generation algorithms in the literature (see for instance [9]). Successively, the dealer concatenates the secret $S$ with a random vector $R \in \mathbb{F}_q^m$, thus obtaining a configuration $C \in \mathbb{F}_q^{2m}$ of length $2m$. Adopting the point of view of OA, this step corresponds to the phase where the dealer chooses one of the rows of the array whose first component is the secret. In order to determine the remaining components of the row, and thus the shares to distribute to the players, for all $i \in \{1, \cdots, n\}$ the dealer evolves the CA $F_i$ with rule $f_i$ starting from configuration $C$. The value $B_i = F_i(C)$ constitutes the share of player $P_i$.

For the recovery phase, suppose that two players $P_i$ and $P_j$ want to determine the secret. Since the orthogonal array is assumed to be public, both $P_i$ and $P_j$ know the CA linear rules $f_i$ and $f_j$ used by the dealer to compute their shares. Hence, they invert the corresponding Sylvester matrix, and multiply it by the concatenated vector $(B_i \| B_j)$. By Lemma 4, the result of this multiplication will be the concatenation of the secret $S$ and the random vector $R$.
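The sharing and recovery phases just described, as an added Python example over $\mathbb{F}_2$ (not the paper's code): the dealer evolves linear CA whose rule polynomials are coprime, and two players recover $S \| R$ by solving the Sylvester system of Equation (11), built for the iterated rules $p^t$ of Equation (7), with Gaussian elimination. Rules are given as coefficient lists $a_0, \cdots, a_{2r}$ (index = degree, as in Equations (3) and (4)); the secret value and the use of the secrets module for $R$ are choices made for this example.

```python
import secrets

def poly_mul(p, q):
    """Product of two polynomials over F_2 given as coefficient lists (index = degree)."""
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= a & b
    return out

def poly_pow(p, t):
    """p(X)^t over F_2: the polynomial of the t-th iterate f^t, Equation (7)."""
    out = [1]
    for _ in range(t):
        out = poly_mul(out, p)
    return out

def ca_step(config, rule):
    """One global rule F_i of Equation (2) for the linear rule a_0 x_0 + ... + a_2r x_2r."""
    w = len(rule)
    return [sum(a & x for a, x in zip(rule, config[k:k + w])) % 2
            for k in range(len(config) - w + 1)]

def evolve(config, rule, t):
    """The CA map F = F_{t-1} o ... o F_0 applied to a configuration of length 2m."""
    for _ in range(t):
        config = ca_step(config, rule)
    return config

def sylvester(pf, pg, m):
    """The 2m x 2m matrix M of Equation (11) for two rule polynomials of degree m."""
    assert len(pf) == len(pg) == m + 1, "iterated rules must have degree m = 2rt"
    return [[0] * k + p + [0] * (m - 1 - k) for p in (pf, pg) for k in range(m)]

def solve_gf2(matrix, rhs):
    """Gauss-Jordan elimination over F_2; returns None when the matrix is singular."""
    n = len(matrix)
    a = [row[:] + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col]), None)
        if pivot is None:
            return None                       # det M = 0: polynomials not coprime
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(n):
            if r != col and a[r][col]:
                a[r] = [u ^ v for u, v in zip(a[r], a[col])]
    return [a[r][n] for r in range(n)]

def share(secret, randomness, rules, t):
    """Dealer: C = S || R, and share B_i = F_i(C) for every linear rule f_i."""
    assert len(randomness) == len(secret)
    return [evolve(secret + randomness, rule, t) for rule in rules]

def recover(share_i, share_j, rule_i, rule_j, t):
    """Two players solve M z = (B_i || B_j); z = S || R when p_i and p_j are coprime."""
    m = len(share_i)
    matrix = sylvester(poly_pow(rule_i, t), poly_pow(rule_j, t), m)
    z = solve_gf2(matrix, share_i + share_j)
    return None if z is None else z[:m]

if __name__ == "__main__":
    rules = [[1, 1, 1], [1, 0, 1]]        # rule 150 (1+X+X^2) and rule 90 (1+X^2): coprime
    t, m = 2, 4                           # radius 1, m = 2rt = 4, so a 4-bit secret
    S = [1, 0, 1, 1]                      # constructed sample secret
    R = [secrets.randbelow(2) for _ in range(m)]
    B = share(S, R, rules, t)
    print("shares:", B, "recovered:", recover(B[0], B[1], rules[0], rules[1], t))
```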
References

1. Benjamin, A.T., Bennett, C.D.: The probability of relatively prime polynomials. Math. Mag. 80 (2007) 196–202
2. Chaum, D., Crépeau, C., Damgård, I.: Multiparty Unconditionally Secure Protocols. In: Proceedings of STOC 1988, pp. 11–19. ACM (1988)
3. Hou, X.-D., Mullen, G.D.: Number of irreducible polynomials and pairs of relatively prime polynomials in several variables over finite fields. Finite Fields Th. App. 15(3):304–331 (2009)
4. Ito, M., Osato, N., Nasu, M.: Linear Cellular Automata over Z_m. J. Comput. Syst. Sci. 27(1):125–140 (1983)
5. Lidl, R., Niederreiter, H.: Introduction to finite fields and their applications. Cambridge University Press, Cambridge (1994)
6. Mariot, L., Leporati, A.: Sharing Secrets by Computing Preimages of Bipermutive Cellular Automata. In: Proceedings of ACRI 2014. LNCS vol. 8751, pp. 417–426. Springer (2014)
7. Reifegerste, A.: On an involution concerning pairs of polynomials in F_2. J. Combin. Theory Ser. A 90 (2000) 216–220
8. Shamir, A.: How to share a secret. Commun. ACM 22(11):612–613 (1979)
9. Shoup, V.: Fast Construction of Irreducible Polynomials over Finite Fields. J. Symb. Comp. 17(5):371–391 (1994)
10. Stinson, D.R.: Combinatorial Designs: Constructions and Analysis. Springer (2004)
11. Tassa, T.: Generalized oblivious transfer by secret sharing. Des. Codes Cryptogr. 58(1):11–21 (2011)