Search Space Reduction of Asynchrony Immune Cellular Automata by Center Permutivity
Luca Mariot, Luca Manzoni, and Alberto Dennunzio

Dipartimento di Informatica, Sistemistica e Comunicazione, Università degli Studi di Milano-Bicocca, Viale Sarca 336, 20126 Milano, Italy, {luca.mariot, alberto.dennunzio}@unimib.it

Dipartimento di Matematica e Geoscienze, Università degli Studi di Trieste, Via Valerio 12/1, 34127 Trieste, Italy, [email protected]

July 23, 2019
Abstract
We continue the study of asynchrony immunity in cellular automata (CA), which can be considered as a generalization of correlation immunity in the case of vectorial Boolean functions. The property could have applications as a countermeasure for side-channel attacks in CA-based cryptographic primitives, such as S-boxes and pseudorandom number generators. We first give some theoretical results on the properties that a CA rule must satisfy in order to meet asynchrony immunity, like central permutivity. Next, we perform an exhaustive search of all asynchrony immune CA rules of neighborhood size up to 5, leveraging the discovered theoretical properties to greatly reduce the size of the search space.
Keywords: cellular automata, cryptography, asynchrony immunity, correlation immunity, nonlinearity, side-channel attacks, permutivity
1 Introduction

In the last years, research about cryptographic applications of cellular automata (CA) focused on the properties of the underlying local rules [14, 10, 8]. In fact, designing a CA-based cryptographic primitive using local rules that are not highly nonlinear and correlation immune could make certain attacks more efficient.

The aim of this paper is to investigate a new property related to asynchronous CA called asynchrony immunity (AI), which could be of interest in the context of side-channel attacks. This property can be described by a three-move game between a user and an adversary. Let $\ell, r, m \in \mathbb{N}$, $n = m + \ell + r$ and $t \le m$. The game works as follows:

1. The user chooses a local rule $f : \mathbb{F}_2^{\ell+r+1} \to \mathbb{F}_2$ of memory $\ell$ and anticipation $r$.
2. The adversary chooses $j \le t$ cells of the CA in the range $\{0, \dots, m-1\}$.
3. The user evaluates the output distribution $D$ of the CA $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ and the distribution $\tilde{D}$ of the asynchronous CA $\tilde{F} : \mathbb{F}_2^n \to \mathbb{F}_2^m$ in which the $j$ cells selected by the adversary are not updated.
4. Outcome: if both $D$ and $\tilde{D}$ equal the uniform distribution, the user wins. Otherwise, the adversary wins.

A cellular automaton rule $f : \mathbb{F}_2^{\ell+r+1} \to \mathbb{F}_2$ is called $(t,n)$-asynchrony immune if, for every subset $I$ of at most $t$ cells, both the asynchronous CA $\tilde{F} : \mathbb{F}_2^n \to \mathbb{F}_2^m$ resulting from not updating the cells in $I$ and the corresponding synchronous CA $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ are balanced, that is, the cardinality of the counterimage of each $m$-bit configuration equals $2^{\ell+r}$. Thus, asynchrony immune CA rules represent the winning strategies of the user in the game described above.

Notice the difference between the asynchrony immunity game and the $t$-resilient functions game [5]: in the latter, generic vectorial Boolean functions $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ are considered instead of cellular automata, and the adversary selects both values and positions of the $t$ input variables.

The side-channel attack model motivating our work is the following. Suppose that a CA of length $n$ is used as an S-box in a block cipher, and that an attacker is able to inject clock faults by making $t$ cells not update. If the CA is not $(t,n)$-AI, then the attacker could gain some information on the internal state of the cipher by analyzing the differences between the output distributions of the original CA and of the asynchronous CA. Similar fault attacks have already been investigated on stream ciphers based on clock-controlled Linear Feedback Shift Registers (LFSR), such as LILI-128 [7]. For further information on the topic, Hoch and Shamir [9] provide more references on clock fault attacks on stream ciphers.

This paper is an extended version of [12]. In particular, the new contribution is twofold: from the theoretical side, we formally prove the necessity of central permutivity for asynchrony immunity, which was conjectured in [12] according to the experimental results reported there. From the empirical point of view, we employ this new theoretical result to considerably extend the experimental search of asynchrony immune rules, by considering larger neighborhood sizes.

In the remainder of this paper, we recall in Section 2 the necessary basic notions about Boolean functions and (asynchronous) CA, and we formally introduce the definition of asynchrony immunity in Section 3, giving some theoretical results regarding this property. In particular, we show that AI is invariant under the operations of reflection and complement and that, for high enough values of $t$ (the maximum number of blocked cells), central permutivity is a necessary condition for asynchrony immunity. We then perform in Section 4 an exhaustive search of asynchrony immune CA having 8 output cells and neighborhood size up to 5, computing also their nonlinearity and algebraic normal form. Finally, we provide some possible ways to generalize the notion of asynchrony immunity and show how this property can be linked to existing CA models in Section 5, as well as pointing out other avenues for future research on the subject.

2 Basic Notions

In this section, we cover all necessary background definitions about one-dimensional CA, Boolean functions, and vectorial Boolean functions. In particular, we refer the reader to [2, 3] for an in-depth discussion of (vectorial) Boolean functions.

Recall that a
Boolean function is a mapping $f : \mathbb{F}_2^n \to \mathbb{F}_2$, where $\mathbb{F}_2 = \{0, 1\}$ denotes the finite field of two elements. Once an ordering of the $n$-bit input vectors has been fixed, each Boolean function $f$ can be uniquely represented by the output column of its truth table, which is a vector $\Omega_f$ of $2^n$ binary elements. Therefore, the set of all possible Boolean functions of $n$ variables, denoted by $\mathcal{B}_n$, has cardinality $2^{2^n}$. The interpretation of the vector $\Omega_f$ as a decimal number is also called the Wolfram code of the function $f$. Another common way of representing a Boolean function is through its Algebraic Normal Form (ANF), that is, as a sum of products over its input variables. More formally, given $f : \mathbb{F}_2^n \to \mathbb{F}_2$ and $x \in \mathbb{F}_2^n$, the ANF will be of the form

$$P_f(x) = \bigoplus_{I \in 2^{[n]}} a_I \left( \prod_{i \in I} x_i \right), \qquad (1)$$

where $[n]$ is the initial segment of the natural numbers determined by $n \in \mathbb{N}$, i.e., $[n] = \{0, \dots, n-1\}$, and the set $I = \{i_1, \dots, i_t\} \subseteq [n]$ is a subset of $t$ indices and thus an element of $2^{[n]}$, the power set of $[n]$. For all $I \in 2^{[n]}$ the coefficient $a_I \in \mathbb{F}_2$ is determined through the Möbius transform [2]. A function $f$ is called affine if the only non-null coefficients $a_I$ are such that $|I| \le 1$. In other words, the ANF is composed only of monomials of degree at most 1.

Boolean functions used in the design of symmetric ciphers must satisfy a certain number of properties in order to withstand particular cryptanalytic attacks. Two of the most important properties are balancedness and nonlinearity. A Boolean function $f : \mathbb{F}_2^n \to \mathbb{F}_2$ is balanced if its output vector $\Omega_f$ is composed of an equal number of zeros and ones. Unbalanced Boolean functions produce a statistical bias in the output of a symmetric cipher, which can be exploited by an attacker. The nonlinearity of $f$, on the other hand, is the minimum Hamming distance of $\Omega_f$ from the set of all affine functions. The value of the nonlinearity of $f$ can be computed as $Nl(f) = \frac{1}{2}\left(2^n - W_{\max}(f)\right)$, where $W_{\max}(f)$ is the maximum absolute value of the Walsh transform of $f$ [2]. The nonlinearity of a Boolean function used in a cipher should be as high as possible, in order to thwart linear cryptanalysis attacks. Nonetheless, there exist upper bounds on the nonlinearity achievable by a Boolean function with respect to the number of its input variables. In particular, for $n$ even it holds that $Nl(f) \le 2^{n-1} - 2^{n/2-1}$. Functions satisfying this bound with equality are called bent. On the other hand, for $n$ odd and $n \le 7$ the upper bound is $Nl(f) \le 2^{n-1} - 2^{(n-1)/2}$, which is achieved by quadratic functions. For $n > 7$, the exact bound is still not known.

Let $n, m \in \mathbb{N}$. A vectorial Boolean function of $n$ input variables and $m$ output variables (also called an $(n,m)$-function) is a mapping $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$. In particular, an $(n,m)$-function is defined by $m$ Boolean functions of the form $f_i : \mathbb{F}_2^n \to \mathbb{F}_2$, called coordinate functions. For each $0 \le i < m$, $f_i$ specifies the $i$-th output bit of $F$. That is, for each $x \in \mathbb{F}_2^n$, we have $F(x)_i = f_i(x)$ for $0 \le i < m$.

A one-dimensional cellular automaton (CA) can be seen as a particular case of vectorial Boolean function by limiting the way the coordinate functions can be defined. Let $\ell, m, r \in \mathbb{N}$ be non-negative integers and let $n = \ell + m + r$. Let $f : \mathbb{F}_2^{\ell+r+1} \to \mathbb{F}_2$ be a Boolean function of $\ell + r + 1$ variables. The cellular automaton of length $n$ with local rule $f$, memory $\ell$ and anticipation $r$ is the $(n,m)$-function $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ defined for all $i \in \{0, \dots, m-1\}$ and for all $x = (x_{-\ell}, \dots, x_{m+r-1}) \in \mathbb{F}_2^n$ as:

$$F(x_{-\ell}, \dots, x_{m+r-1})_i = f(x_{i-\ell}, \dots, x_{i+r}). \qquad (2)$$

Thus, a CA is the special case of a vectorial Boolean function where all coordinate functions are defined uniformly.

A $t$-asynchronous CA, or $t$-ACA, induced by a set $I$ of $t$ cells is denoted by $\tilde{F}_I$ and it is defined by the following global function $\tilde{F}_I : \mathbb{F}_2^n \to \mathbb{F}_2^m$:

$$\tilde{F}_I(x_{-\ell}, \dots, x_{m+r-1})_i = \begin{cases} f(x_{i-\ell}, \dots, x_{i+r}) & \text{if } i \notin I \\ x_i & \text{if } i \in I. \end{cases}$$

We also recall that a local rule $f : \mathbb{F}_2^{\ell+r+1} \to \mathbb{F}_2$ is said to be center permutive when for each $u \in \mathbb{F}_2^\ell$, $v \in \mathbb{F}_2^r$, and $y \in \mathbb{F}_2$ there exists a unique $x \in \mathbb{F}_2$ such that $f(uxv) = y$. In the field $\mathbb{F}_2$, center permutivity can also be expressed in another way. A local rule $f : \mathbb{F}_2^{\ell+r+1} \to \mathbb{F}_2$ is center permutive if there exists a function $g : \mathbb{F}_2^{\ell+r} \to \mathbb{F}_2$ such that for all $x = (x_0, \dots, x_{\ell+r}) \in \mathbb{F}_2^{\ell+r+1}$ we have that:

$$f(x_0, \dots, x_{\ell+r}) = x_\ell \oplus g(x_0, \dots, x_{\ell-1}, x_{\ell+1}, \dots, x_{\ell+r}).$$
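The representations and measures recalled in this section, as an added worked example (this code is not part of the paper): the truth table of a local rule from its Wolfram code, the ANF coefficients $a_I$ of equation (1) by the Möbius transform, the nonlinearity $Nl(f)$ by the Walsh transform, the bent and quadratic bounds, and the center permutivity test $f(x) = x_\ell \oplus g(\cdot)$, exercised on elementary rules 30, 60, 90 and 150. The index convention is an assumption of the example: the neighborhood $(x_0, \dots, x_{n-1})$ is read as a binary number with $x_0$ most significant, which makes the output column coincide with the usual Wolfram numbering of elementary rules.

```python
# Added example, not from the paper: Boolean-function toolkit for local rules.
# Assumed convention: truth-table entry k is f(x) for the input x whose bits
# x_0 ... x_{n-1} spell k in binary with x_0 most significant, so reading the
# output column as a binary number gives the usual Wolfram code of a rule.


def truth_table(code, n):
    """Output column Omega_f of the n-variable function with Wolfram code `code`."""
    return [(code >> k) & 1 for k in range(1 << n)]


def wolfram_code(tt):
    """Inverse of truth_table: read the output column as a binary number."""
    return sum(bit << k for k, bit in enumerate(tt))


def is_balanced(tt):
    """f is balanced when Omega_f has as many ones as zeros."""
    return sum(tt) * 2 == len(tt)


def anf(tt, n):
    """Algebraic normal form via the fast Moebius transform (equation (1)).

    Returns the set of monomials with coefficient a_I = 1, each monomial as a
    tuple of variable indices; the empty tuple stands for the constant 1."""
    a = list(tt)
    for j in range(n):                  # butterfly over bit j of the index
        step = 1 << j
        for k in range(1 << n):
            if k & step:
                a[k] ^= a[k ^ step]
    # bit j of the index k corresponds to variable x_{n-1-j}
    return {tuple(i for i in range(n) if (k >> (n - 1 - i)) & 1)
            for k, coeff in enumerate(a) if coeff}


def is_affine(tt, n):
    """Affine: every monomial of the ANF has degree at most 1."""
    return all(len(mono) <= 1 for mono in anf(tt, n))


def walsh_spectrum(tt):
    """W_f(a) = sum_x (-1)^(f(x) + a.x) for every a, by the fast Walsh-Hadamard transform."""
    w = [1 - 2 * bit for bit in tt]
    h = 1
    while h < len(w):
        for start in range(0, len(w), 2 * h):
            for i in range(start, start + h):
                u, v = w[i], w[i + h]
                w[i], w[i + h] = u + v, u - v
        h *= 2
    return w


def nonlinearity(tt, n):
    """Nl(f) = (2^n - W_max(f)) / 2: Hamming distance from the nearest affine function."""
    w_max = max(abs(v) for v in walsh_spectrum(tt))
    return ((1 << n) - w_max) // 2


def nonlinearity_bound(n):
    """Bent bound for even n, quadratic bound for odd n <= 7 (exact bound unknown beyond)."""
    if n % 2 == 0:
        return (1 << (n - 1)) - (1 << (n // 2 - 1))
    if n <= 7:
        return (1 << (n - 1)) - (1 << ((n - 1) // 2))
    raise ValueError("exact nonlinearity bound unknown for odd n > 7")


def is_center_permutive(tt, n, ell):
    """Center permutive: flipping the center cell x_ell always flips the output,
    i.e. f(x) = x_ell XOR g(remaining cells)."""
    center_bit = 1 << (n - 1 - ell)
    return all(tt[k] != tt[k ^ center_bit] for k in range(1 << n))


if __name__ == "__main__":
    for code in (30, 60, 90, 150):
        tt = truth_table(code, 3)
        print(code, "ANF", sorted(anf(tt, 3)), "Nl", nonlinearity(tt, 3),
              "affine", is_affine(tt, 3), "balanced", is_balanced(tt),
              "center permutive", is_center_permutive(tt, 3, 1))
```

Rule 60 comes out linear ($x_0 \oplus x_1$, nonlinearity 0) and center permutive, rule 30 quadratic with nonlinearity 2 (the quadratic bound for $n = 3$) but not center permutive, which is the distinction the search in Section 4 exploits.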
3 Asynchrony Immunity

Recall that a CA $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ with $n = \ell + r + m$ is said to be balanced if for each $y \in \mathbb{F}_2^m$ the set of preimages of $y$, i.e., of all $x \in \mathbb{F}_2^n$ such that $F(x) = y$, denoted by $F^{-1}(y)$, is such that $|F^{-1}(y)| = 2^{\ell+r}$. Asynchrony immune CA can then be defined as follows:

Definition 1. Let $n, m, r, \ell, t \in \mathbb{N}$ be non-negative integers, with $n = \ell + m + r$, and $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ a balanced CA having local rule $f : \mathbb{F}_2^{\ell+r+1} \to \mathbb{F}_2$. The CA $F$ is said to be $(t,n)$-asynchrony immune (for short, $(t,n)$-AI) if for all sets $I \subseteq [m]$ with $|I| \le t$ the resulting $|I|$-ACA $\tilde{F}_I$ is balanced.

Among all the $2^{2^{\ell+r+1}}$ local rules of memory $\ell$ and anticipation $r$, we are interested in finding local rules that generate asynchrony immune CA satisfying additional useful cryptographic properties, such as high nonlinearity. As a consequence, proving necessary conditions for a rule to generate a $(t,n)$-AI CA is useful in reducing the size of the search space.

We start by proving that, for large enough CA and for high enough values of $t$, a necessary condition on $f$ is central permutivity.

Theorem 1.
Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ be a $(t,n)$-AI CA with memory $\ell$ and anticipation $r$. If $t \ge \ell + r$ and $n \ge \ell + r + 1$, then the local rule $f : \mathbb{F}_2^{\ell+r+1} \to \mathbb{F}_2$ is center permutive.

Proof. Suppose $F$ to be $(t,n)$-AI with $t$ and $n$ as in the hypothesis. Let $y = u_1 a u_2 v \in \mathbb{F}_2^m$ be a configuration with $u_1 \in \mathbb{F}_2^\ell$, $a \in \mathbb{F}_2$, $u_2 \in \mathbb{F}_2^r$, and $v \in \mathbb{F}_2^{m-\ell-r-1}$. Let the set $I \supseteq \{0, \dots, \ell-1, \ell+1, \dots, \ell+r\}$ be a set of indices to be blocked. It then follows that each preimage of $y$ can be expressed in the form $x = w_1 u_1 b u_2 w_2$ with $w_1 \in \mathbb{F}_2^\ell$, $b \in \mathbb{F}_2$, and $w_2 \in \mathbb{F}_2^{m+r-\ell-1}$. Notice that both $u_1$ and $u_2$ remain unchanged when applying $\tilde{F}_I$ to $x$, since their indices are all contained in $I$. This situation is illustrated in Fig. 1.

Since the values of the cells in $w_1$ cannot influence any cell in $\tilde{F}_I(x)$ (all the cells they could influence are blocked), if $x = w_1 u_1 b u_2 w_2$ is a preimage of $y$, then also $x' = w_1' u_1 b u_2 w_2$ is a preimage of $y$ for every $w_1' \in \mathbb{F}_2^\ell$. Hence, the first $\ell$ cells of the automaton contribute a multiplicative factor of $2^\ell$ to the number of preimages.

We are now going to prove that the remaining factor of $2^r$ in the number of preimages is entirely due to the last $m + r - \ell - 1$ cells (denoted by $w_2$). For the sake of argument, suppose that the multiplicative factor contributed by the last $m + r - \ell - 1$ cells (the part denoted by $w_2$ in the preimages) is less than $2^r$. Since only a single other cell in the preimage can change (the one denoted by $b$), it follows that, in that case, the following two configurations are both preimages of $y$ for some choice of $w_1$ and $w_2$:

$$x = w_1 u_1 0 u_2 w_2, \qquad x' = w_1 u_1 1 u_2 w_2.$$

Notice that the value of $a$ in $y$ is either 0 or 1 and it is influenced only by the value of the same cell in the preimage (that is, $b$) and by the values of $u_1$ and $u_2$. Without loss of generality, suppose that $a = 0$. Consider now the preimages of $y' = u_1 1 u_2 v$. To obtain 1 in the unblocked position between $u_1$ and $u_2$, it must be $f(u_1 0 u_2) = 1$ or $f(u_1 1 u_2) = 1$, but by our previous assumption both $f(u_1 0 u_2)$ and $f(u_1 1 u_2)$ are equal to 0, and $y'$ has no preimages. Hence, our hypothesis that the part denoted by $w_2$ in the preimages contributes less than a factor of $2^r$ to the number of preimages is inconsistent with the fact that $\tilde{F}_I$ must be balanced.

Therefore, the parts $w_1$ and $w_2$ contribute, respectively, factors $2^\ell$ and $2^r$ to the number of preimages, for a total of $2^{\ell+r}$ preimages. It follows that, for each $u_1 \in \mathbb{F}_2^\ell$, $u_2 \in \mathbb{F}_2^r$, and $a \in \mathbb{F}_2$ there must be only one value $b \in \mathbb{F}_2$ such that $f(u_1 b u_2) = a$. This means that $f$ is center permutive. □

Figure 1: The construction employed by the proof of Theorem 1: the preimage $w_1 u_1 b u_2 w_2$ is mapped to the configuration $u_1 a u_2 v$. The patterned background denotes the blocked cells. Here it is possible to see that the part labeled $w_1$ cannot influence any of the output cells. The cell labeled $b$ can influence only the cell labeled $a$ in the output, thus forcing the local rule to be center permutive.

Figure 2: The construction employed by the proof of Theorem 2: the preimage $w_1 u_1 b u_2 w_2$ is mapped to $u_1 a u_2 v$ through $F_{u,v}$. The patterned background denotes the blocked cells. For each value of $u$ and $v$ the function $F_{u,v}$ is a bijection from $\mathbb{F}_2^k$ to $\mathbb{F}_2^k$, where $k$ is the length of $b$.

The previous theorem can be generalized as follows:

Theorem 2.
Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ be a $(t,n)$-AI CA with memory $\ell$ and anticipation $r$, and let $k \in \mathbb{N}$ be a non-negative integer. Then, if $t \ge \ell + r$ and $n \ge \ell + r + k$, the function $F_{u,v} : \mathbb{F}_2^k \to \mathbb{F}_2^k$, which, for each $u \in \mathbb{F}_2^\ell$ and $v \in \mathbb{F}_2^r$, is defined as $F_{u,v}(x) = F'(uxv)$ where $F' : \mathbb{F}_2^{k+\ell+r} \to \mathbb{F}_2^k$ is a CA with the same local rule as $F$, is a bijection.

Proof. The proof of this theorem follows the same reasoning as the proof of Theorem 1. Let $I$ be a set of indices to be blocked such that $I \supseteq \{0, \dots, \ell-1, \ell+k, \dots, \ell+k+r-1\}$. Each element of $\mathbb{F}_2^m$ can then be rewritten in the form $y = u_1 a u_2 v$ with $u_1 \in \mathbb{F}_2^\ell$, $u_2 \in \mathbb{F}_2^r$, $a \in \mathbb{F}_2^k$, and $v \in \mathbb{F}_2^{m-\ell-r-k}$. Similarly, a preimage of $y$ can be expressed in the form $x = w_1 u_1 b u_2 w_2$ with $w_1 \in \mathbb{F}_2^\ell$, $w_2 \in \mathbb{F}_2^{m+r-\ell-k}$, and $b \in \mathbb{F}_2^k$. Following the same reasoning as in the proof of Theorem 1, it can be shown that the $w_1$ part of the preimage contributes a factor $2^\ell$ to the number of preimages and that the $w_2$ part contributes a factor of $2^r$. Hence, the part denoted by $a$ in $y$ can have only one preim-age $b$. Therefore, when restricted to the $k$ cells "surrounded" by $u_1$ and $u_2$, the global function of the CA is a bijection, as desired. □

Recall that the reverse of a vector $x = (x_0, \dots, x_{n-1})$ is the vector $x^R = (x_{n-1}, \dots, x_0)$ with all components of $x$ appearing in reverse order. Also, the complement of $x$ is the vector $x^C = (1 \oplus x_0, \dots, 1 \oplus x_{n-1})$ where all components of $x$ appear negated. Given a local rule $f : \mathbb{F}_2^{\ell+r+1} \to \mathbb{F}_2$ it is possible to define its reverse $f^R : \mathbb{F}_2^{\ell+r+1} \to \mathbb{F}_2$ as $f^R(x) = f(x^R)$ and its complement $f^C : \mathbb{F}_2^{\ell+r+1} \to \mathbb{F}_2$ as $f^C(x) = 1 \oplus f(x)$ for all $x \in \mathbb{F}_2^{\ell+r+1}$. The definition of reverse and complement can also be extended to a CA $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ in the following way:

$$F^R(x)_i = (F(x^R)^R)_i = f(x_{i+r}, \dots, x_{i-\ell}) \quad \forall\, 0 \le i < m,$$
$$F^C(x)_i = 1 \oplus F(x)_i = 1 \oplus f(x_{i-\ell}, \dots, x_{i+r}) \quad \forall\, 0 \le i < m.$$
We can now show that, for a given $(t,n)$-AI CA, it is possible to obtain other (not necessarily distinct) $(t,n)$-AI CA by taking either its reverse or its complement.

Proposition 1. Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ be a $(t,n)$-AI CA for some $n, m, t \in \mathbb{N}$ with $n = m + r + \ell$ and $r = \ell$. Then its reverse $F^R$ is also a $(t,n)$-AI CA.

Proof. Starting with the reverse CA, by definition $F^R(x)$ is $F(x^R)^R$. Hence, given a set of indices $I$ with $|I| \le t$, the reflection of the $|I|$-ACA $\tilde{F}^R_I$ is:

$$\tilde{F}^R_I(x)_i = (\tilde{F}_J(x^R)^R)_i = \begin{cases} f(x_{i+r}, \dots, x_{i-\ell}) & \text{if } i \notin J \\ x_i & \text{if } i \in J \end{cases} \qquad (3)$$

where $J \subseteq \{-\ell, \dots, m+r-1\}$ is defined as a "reverse" of the set $I$ of indices, that is $J = \{m + r - \ell - 1 - i : i \in I\}$. Notice that $J \subseteq [m]$ in all cases only if $\ell = r$. This means that for every set $I$ of indices for $F^R$, the corresponding set $J$ of indices in $F$ is still a valid one (i.e., a subset of $[m]$). Notice that since $f$ generates a $(t,n)$-AI CA and $|J| = |I| \le t$, the resulting ACA is still $(t,n)$-AI. □

Notice that, in general, if a $(t,n)$-AI CA has memory $\ell$ and anticipation $r$ with $\ell \ne r$, its reverse might not be a $(t,n)$-AI CA. In fact, since center permutivity of the local rule is not preserved, this negates a condition for asynchrony immunity that, by Theorem 1, is necessary for large enough values of $t$ and $n$.

Proposition 2. Let $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$ be a $(t,n)$-AI CA for some $n, m, t \in \mathbb{N}$. Then its complement $F^C$ is also a $(t,n)$-AI CA.

Proof. Let $y \in \mathbb{F}_2^m$ be a configuration, $I \subseteq [m]$ with $|I| \le t$, and let $(F^C_I)^{-1}(y)$ be the set of preimages of $y$ under the function $F^C_I$. By definition, for each $x \in \mathbb{F}_2^n$, $F^C(x) = 1 \oplus F(x)$. Hence, the set $(F^C_I)^{-1}(y)$ is $\{x : 1 \oplus F_I(x) = y\}$, which is $\{x : F_I(x) = 1 \oplus y\}$, which corresponds to $F_I^{-1}(1 \oplus y)$. Since $F$ is a $(t,n)$-AI CA, and as $y$ ranges across all elements of $\mathbb{F}_2^m$ so does $1 \oplus y$, $F_I^{-1}$ is balanced and $(F^C_I)^{-1}$ is also balanced. Since this holds for every set $I$ of cardinality at most $t$, it follows that $F^C$ is also a $(t,n)$-AI CA, as required. □

Upper bounds on the size of the search space could be derived using techniques from [4] with respect to the set of transformations $\{F^R, F^C, F^{RC}, Id\}$, where $Id$ is the identity transformation.

Table 1: CA parameters for $m = 8$.

    n    ℓ    r    t    |B_{ℓ+r+1}|       |C_{ℓ+r+1}|
    10   1    1    2    256               16
    11   1    2    3    65536             256
    12   2    2    4    ≈ 4.3 · 10^9      65536
4 Exhaustive Search of Asynchrony Immune Rules

In order to search for asynchrony immune rules having additional cryptographic properties, by Theorem 1 and Propositions 1 and 2 we only need to explore center permutive rules under the equivalence classes induced by reflection and complement.

In our experiments, we fixed the number of output bits in the CA to $m = 8$ and chose $t$ satisfying the hypothesis of Theorem 1 (see Table 1). The reason why we limited our analysis to these particular values is twofold. First, checking for asynchrony immunity is a computationally cumbersome task, since it requires determining the output distribution of the $t$-ACA for all possible choices of at most $t$ blocked cells. Second, the size of the vectorial Boolean functions employed as nonlinear components in several real-world cryptographic primitives is limited. A concrete example is given by AES [15], which employs an S-box with 8 output bits.

Table 1 shows all CA parameters considered in our experiments, from 3 to 5 input variables of the local rules, while keeping the number of output bits fixed to $m = 8$. Recall that, since we need to consider only center permutive local rules, we do not need to explore the entire space $\mathcal{B}_{\ell+r+1}$, but only the subset $\mathcal{C}_{\ell+r+1}$ having cardinality $2^{2^{\ell+r}}$.

We started our investigation by performing an exhaustive search among all CA rules with $\ell = r = 1$, i.e., elementary rules. Up to reflection and complement, and neglecting the identity rule that is trivially AI for every length $n$ and order $t$, out of the $2^8 = 256$ elementary rules we found that only rule 60 is $(2,10)$-asynchrony immune. However, rule 60 is not interesting from the cryptographic standpoint, since it is linear (its ANF being $x_0 \oplus x_1$).

We thus extended the search by considering all local rules of 4 and 5 input variables, according to the values of $\ell$ and $r$ reported in Table 1.

For the case of 4 variables, the search returned a total of 18 rules satisfying $(3,11)$-asynchrony immunity, several of which are nonlinear. Table 2 reports the Wolfram codes of the discovered rules, along with their nonlinearity values and algebraic normal form. It can be observed that 12 rules out of 18 are nonlinear, but none of them is a bent function (since the nonlinearity value in this case would be 6).

For 5 variables, Table 3 reports the list of $(4,12)$-AI CA. One can see that in this case most of the asynchrony immune functions are nonlinear, and moreover two of them achieve the maximum nonlinearity allowed by the quadratic bound, which in this case is 12.

Table 2: List of $(3,11)$-asynchrony immune CA rules of neighborhood size 4. [Columns: Rule, $Nl(f)$, $f(x_0, x_1, x_2, x_3)$; the 18 entries are not recoverable from the extracted text.]

5 Generalizations and Future Directions

There are many possible research directions for exploring asynchrony immune CA, mainly related to generalizations and relations with other models.

From the generalization point of view, we can relax the assumption that an attacker can control the updating of at most $t$ cells of an $n$-cell CA. We can suppose that additional "anti-tamper" measures are present and, for example, that the attacker can only take control of non-consecutive cells. More in general, we can define $(\mathcal{F},n)$-asynchrony immune CA where $\mathcal{F} \subseteq 2^{[m]}$ is a family of subsets of $\{0, \dots, m-1\}$.
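The checks described in Definition 1 and in the search of Section 4, as an added worked example (this code is not part of the paper): an $(\mathcal{F},n)$-asynchrony immunity test in which the family $\mathcal{F}$ of blocked-cell sets is a parameter, instantiated with the family of all subsets of $[m]$ of cardinality at most $t$ to recover the $(t,n)$-AI test, and used to reproduce the elementary-rule search of Section 4: only center permutive rules are generated (through their $g$ function), one representative per reflection/complement class is kept, and the identity class is skipped. The Wolfram-code convention (neighborhood read as a binary number, leftmost cell most significant), the function names and the constructed family `non_consecutive` are assumptions of the example.

```python
# Added example, not from the paper: (F, n)-asynchrony immunity check and the
# reduced search of Section 4 over center permutive rules, for m = 8 output cells.
from collections import Counter
from itertools import combinations, product


def rule_from_code(code, nvars):
    """Local rule f: F_2^nvars -> F_2 from its Wolfram code. The neighbourhood
    (x_{i-l}, ..., x_{i+r}) is read as a binary number, leftmost cell first (assumed)."""
    def f(cells):
        k = 0
        for c in cells:
            k = (k << 1) | c
        return (code >> k) & 1
    return f


def sync_outputs(code, ell, r, m):
    """All (x, F(x)) pairs of the CA of equation (2); x is indexed from -ell,
    so cell i of the automaton is x[i + ell] and its neighbourhood is x[i : i+ell+r+1]."""
    f = rule_from_code(code, ell + r + 1)
    n = ell + m + r
    return [(x, tuple(f(x[i:i + ell + r + 1]) for i in range(m)))
            for x in product((0, 1), repeat=n)]


def is_family_immune(code, ell, r, m, family):
    """(F, n)-asynchrony immunity: the synchronous CA and every ACA F~_I with I in
    `family` are balanced, i.e. each of the 2^m outputs has exactly 2^(ell+r) preimages."""
    pairs = sync_outputs(code, ell, r, m)
    expected = 1 << (ell + r)
    for blocked in [()] + [tuple(I) for I in family]:
        # blocked cells keep their value x_i; the others take the synchronous output
        counts = Counter(tuple(x[i + ell] if i in blocked else y[i] for i in range(m))
                         for x, y in pairs)
        if len(counts) != 1 << m or any(c != expected for c in counts.values()):
            return False
    return True


def is_asynchrony_immune(code, ell, r, m, t):
    """Definition 1: (t, n)-AI is the family of all I subset of [m] with |I| <= t."""
    family = [I for size in range(1, t + 1) for I in combinations(range(m), size)]
    return is_family_immune(code, ell, r, m, family)


def center_permutive_code(gcode, ell, r):
    """Wolfram code of f(x) = x_ell XOR g(x without x_ell), g given by its truth table gcode."""
    nvars = ell + r + 1
    code = 0
    for k in range(1 << nvars):
        bits = [(k >> (nvars - 1 - i)) & 1 for i in range(nvars)]
        gk = 0
        for b in bits[:ell] + bits[ell + 1:]:
            gk = (gk << 1) | b
        code |= (bits[ell] ^ ((gcode >> gk) & 1)) << k
    return code


def reverse_code(code, nvars):
    """Code of f^R(x) = f(x^R)."""
    out = 0
    for k in range(1 << nvars):
        kr = int(format(k, f"0{nvars}b")[::-1], 2)
        out |= ((code >> kr) & 1) << k
    return out


def complement_code(code, nvars):
    """Code of f^C(x) = 1 XOR f(x)."""
    return code ^ ((1 << (1 << nvars)) - 1)


def canonical(code, nvars):
    """Smallest code in the class {f, f^R, f^C, f^RC} (Propositions 1 and 2)."""
    rev = reverse_code(code, nvars)
    return min(code, rev, complement_code(code, nvars), complement_code(rev, nvars))


def search_ai_rules(ell, r, m, t):
    """Exhaustive (t, n)-AI search restricted to center permutive rules (Theorem 1),
    one representative per reflection/complement class (Proposition 1 needs ell == r),
    skipping the class of the identity rule."""
    assert ell == r, "reflection preserves AI only when ell == r"
    nvars = ell + r + 1
    identity = canonical(center_permutive_code(0, ell, r), nvars)
    seen, found = set(), set()
    for gcode in range(1 << (1 << (ell + r))):      # |C_{l+r+1}| = 2^(2^(l+r)) candidates
        rep = canonical(center_permutive_code(gcode, ell, r), nvars)
        if rep in seen or rep == identity:
            continue
        seen.add(rep)
        if is_asynchrony_immune(rep, ell, r, m, t):
            found.add(rep)
    return found


if __name__ == "__main__":
    print("(2,10)-AI elementary rules up to reflection/complement:", search_ai_rules(1, 1, 8, 2))
    non_consecutive = [(0, 2), (0, 3), (1, 3)]   # constructed family for the (F, n) variant
    print("rule 90 under the constructed family:", is_family_immune(90, 1, 1, 8, non_consecutive))
```

For $\ell = r = 1$ the search visits only the 16 center permutive elementary rules (6 classes after reflection and complement) instead of 256, and returns rule 60 alone, matching the result reported above. The family parameter shows why Theorem 1 needs $t \ge \ell + r$: rule 90, which is not center permutive, passes every single-cell family but fails as soon as the cells $\{0, 2\}$ are blocked together.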
The standard $(t,n)$-AI CA can be recovered by taking $\mathcal{F}$ as the set of all subsets of $[m]$ with cardinality at most $t$. It would be interesting to understand for which families of sets the theorems of this paper still hold. Also, which families are "plausible" from a real-world point of view? This study will also require exploring the different methods that can be employed by an attacker to take control of some cells and the physical limits that restrict the patterns of blocked cells that can be generated.

Another research direction is to find relations with already existing CA models that can be used to implement AI CA. Take, for example, the Multiple Updating Cycles CA (MUCCA) [11], where each cell has a speed $1/k$ for a positive $k \in \mathbb{N}$ and a cell updates only if the current time step is a multiple of $k$. This means that, at different time steps, different cells might be active. If the current time step is not known or if it is under the attacker's control, then a CA that is $(t,n)$-AI can withstand any situation in which the number of "slow" cells (i.e., with speed less than 1) is bounded by $t$. More generally, in what other models of ACA can being asynchrony immune protect from an attacker that controls some variables (like the time step in MUCCA)?

Subsequently, we have found that for size $n = 11$ there are no $(3,11)$-AI CA rules reaching maximum nonlinearity, that is, none of them is a bent function. Hence, an interesting question would be whether there exists at least one bent AI CA rule with a larger number of variables, and whether it is possible to design an infinite family of bent AI CA.

Table 3: List of $(4,12)$-asynchrony immune CA rules of neighborhood size 5. [Columns: Rule, $Nl(f)$, $f(x_0, x_1, x_2, x_3, x_4)$; the entries are not recoverable from the extracted text.]

Finally, from the cryptanalysis point of view, it would be interesting to analyze the resistance to clock-fault attacks of cryptographic primitives and ciphers based on cellular automata, such as the stream cipher CAR30 [6], the $\chi$ S-box employed in the Keccak sponge construction [1], or the CA-based S-boxes optimized through Genetic Programming in [16, 13], and to verify whether plugging one of the AI CA rules found here into their design decreases their possible vulnerability.

References

[1] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: The KECCAK reference (2008). URL http://keccak.team
[2] Carlet, C.: Boolean functions for cryptography and error correcting codes. In: Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 257–397 (2010)
[3] Carlet, C.: Vectorial Boolean functions for cryptography. In: Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 398–469 (2010)
[4] Cattaneo, G., Formenti, E., Margara, L., Mauri, G.: Transformations of the one-dimensional cellular automata rule space. Parallel Computing (11), 1593–1611 (1997)
[5] Chor, B., Goldreich, O., Håstad, J., Friedman, J., Rudich, S., Smolensky, R.: The bit extraction problem or t-resilient functions. In: 26th Annual Symposium on Foundations of Computer Science, pp. 396–407. IEEE (1985)
[6] Das, S., Chowdhury, D.R.: CAR30: A new scalable stream cipher with rule 30. Cryptography and Communications (2), 137–162 (2013)
[7] Dawson, E., Clark, A., Golic, J., Millan, W., Penna, L., Simpson, L.: The LILI-128 keystream generator. In: Proceedings of the First NESSIE Workshop (2000)
[8] Formenti, E., Imai, K., Martin, B., Yunès, J.B.: Advances on random sequence generation by uniform cellular automata. In: Computing with New Resources, pp. 56–70. Springer (2014)
[9] Hoch, J.J., Shamir, A.: Fault analysis of stream ciphers. In: Cryptographic Hardware and Embedded Systems - CHES 2004, 6th International Workshop, Cambridge, MA, USA, August 11-13, 2004, Proceedings, pp. 240–253 (2004)
[10] Leporati, A., Mariot, L.: Cryptographic properties of bipermutive cellular automata rules. Journal of Cellular Automata, 437–475 (2014)
[11] Manzoni, L., Porreca, A.E., Umeo, H.: The Firing Squad Synchronization Problem on higher-dimensional CA with multiple updating cycles. In: 4th International Workshop on Applications and Fundamentals of Cellular Automata - AFCA 2016, Hiroshima, Japan (2016)
[12] Mariot, L.: Asynchrony immune cellular automata. In: Cellular Automata - 12th International Conference on Cellular Automata for Research and Industry, ACRI 2016, Fez, Morocco, September 5-8, 2016, Proceedings, pp. 176–181 (2016)
[13] Mariot, L., Picek, S., Leporati, A., Jakobovic, D.: Cellular automata based S-boxes. Cryptography and Communications (1), 41–62 (2019)
[14] Martin, B.: A Walsh exploration of elementary CA rules. In: International Workshop on Cellular Automata, pp. 25–30. Hiroshima University (2006)
[15] NIST/ITL/CSD: Advanced Encryption Standard (AES). FIPS PUB 197 (2001). http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf