
CAR30: A new scalable stream cipher with rule 30

Cryptography and Communications

Abstract

CAR30 is a new stream cipher that uses classical Rule 30 of Cellular Automata (CA) along with a Maximum Length Linear Hybrid CA. This design can be implemented efficiently both in hardware and software. It has a fast initialization algorithm that makes it suitable for small messages. The generic design of the cipher allows it to scale up to any length of Key and IV. This paper describes the cipher with a 128-bit Key and a 120-bit IV and evaluates its security and implementation aspects. The main advantages of the proposed cipher are the flexibility of its design, good hardware throughput in comparison with state-of-the-art hardware oriented ciphers like Grain and Trivium, and better software speed than the software oriented stream cipher Rabbit.



Author information


Correspondence to Sourav Das.

Appendices


1.1 Experimental evaluation of security on simplified CAR30

Since CAR30 can be scaled up and down easily, we performed an experimental evaluation on a simplified version of CAR30 with a 12-bit Key size. This is another advantage of the cipher: it keeps nothing obscure in the design. It can be analyzed with a smaller Key size and the analysis can be extended to a larger Key size. In this experiment, the key-streams were generated and the cipher was initialized in the same way as shown in Figs. 1 and 2. We used a 12-bit maximum length CA with rule 150 on positions 3 and 7 and rule 90 on the rest of the bits. Rule 30 was used for the non-linear CA. We fixed an IV (1234 in decimal) arbitrarily and checked the first 12-bit key-stream block for each of the possible 12-bit Keys. Each of the CA blocks (both linear CA and non-linear CA) was run for 4 cycles. We then defined an input/output relationship between the Key and the first key-stream generated and analyzed it with respect to different security properties: algebraic normal form (ANF), algebraic degree (Alg Deg), linear and differential (Diff) cryptanalysis, strict avalanche criterion (SAC) and non-linearity (NL). Since evaluating these properties requires exponential time, we evaluate them for 12 bits only.

We selected the 12-bit version for evaluation because the complexity of determining the above properties becomes high for a higher number of input/output bits. We evaluated the algebraic normal form for the 12-bit version of the cipher generated in the above way. We found that all the output bits have algebraic degree eleven or twelve, where twelve is the maximum possible for a 12-bit boolean function. The number of terms was large, with a very good distribution of the degrees. The maximum number of terms in the ANF was 2,108 for bit number 6 and the minimum number of terms was 1,969 for bit number 12. Note that for a random boolean function it should be 2,048. The interaction of the algebraic normal form among the output bits was also checked. The number of terms not occurring at all in the algebraic normal form of all output bits was one. The number of terms occurring only once in the algebraic normal form of all the output bits was 10.

To check the immunity against differential attacks, the difference distribution table was generated; the maximum value in the difference distribution table was found to be 14, showing its immunity against differential attacks. To measure the resistance against fault attacks or bit flipping, we also checked the strict avalanche criterion for the cipher. The maximum value of SAC was 2,150 and the minimum value was 1,904, which proves that any bit flipping will spread well in this cipher. Finally, to check how much non-linearity the rule 30 based cipher can provide, we determined the non-linearity of the cipher. The maximum non-linearity was found to be 1,950 for bit number 8 and the minimum non-linearity was found to be 1,920 for bit number 12. This gives us an indication that CAR30 generates highly non-linear key-stream bits.

Similarly, to evaluate the interactions among the key-stream bits, we fixed the Key and the IV and produced 2^12 blocks of key-stream bits. The input/output relationship is formed from the iteration number and the key-stream of that iteration. We could see excellent algebraic properties of the key-stream bits. The number of terms not occurring at all in the ANF of all the bits was 5. The number of terms occurring only once was 13. The maximum differential value was 16. We also got good non-linearity values and SAC values. Table 2 summarizes the results obtained.

Table 2 Security properties for 12-bit version of the cipher

Some of the bits in this analysis had algebraic degree 12. Hence, the relationship between the Key and the first 12 bits of the cipher is not bijective. However, in a stream cipher the bijective property is not necessary for particular bits of the key stream, because it is supposed to be random. But the key-stream sequences produced for each Key, when the IV is fixed, must be unique. We checked each sequence with each Key and found that it is indeed unique. Period is another aspect that we verified in this experimental evaluation. We checked the period in the second experiment and there were no periodic sequences in the first 2^12 key stream bits.

It can be seen that excellent values of the cryptographic properties were achieved in the simplified version of the cipher with a 12-bit Key size. Since the cipher has a regular structure, it can be extended by merely adding more cells to the linear and non-linear CA. The security properties found in this section will also be automatically extended to a larger version of the cipher if the number of cycles is also increased linearly. It is difficult to perform an experimental evaluation of the larger version of the cipher, but this evaluation, along with the statistical tests on the 128-bit version of the cipher, gives us confidence in the security of the larger versions.
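The quantities reported in this appendix (algebraic degree, number of ANF terms, non-linearity) can be measured for any 12-bit map with the binary Möbius transform and the fast Walsh-Hadamard transform. The Python below is an added illustration, not the authors' code and not the CAR30 cipher: it measures a stand-alone 12-cell Rule 30 register, and the cyclic boundary and the names `toy_map` and `analyse` are assumptions made for the example.

```python
# Added example: a toy 12-cell Rule 30 register, NOT the CAR30 cipher itself.
N = 12                               # width of the simplified experiment
MASK = (1 << N) - 1

def rule30_step(s):
    """One synchronous Rule 30 update; the cyclic boundary is an assumption."""
    left = (s >> 1) | ((s & 1) << (N - 1))
    right = ((s << 1) & MASK) | (s >> (N - 1))
    return left ^ (s | right)        # Rule 30: left XOR (centre OR right)

def toy_map(x, cycles):
    for _ in range(cycles):
        x = rule30_step(x)
    return x

def anf(tt):
    """Binary Moebius transform: truth table -> ANF coefficients."""
    a = list(tt)
    step = 1
    while step < len(a):
        for i in range(len(a)):
            if i & step:
                a[i] ^= a[i ^ step]
        step <<= 1
    return a

def max_walsh(tt):
    """Largest absolute Walsh coefficient (fast Walsh-Hadamard transform)."""
    w = [1 - 2 * b for b in tt]
    step = 1
    while step < len(w):
        for i in range(0, len(w), 2 * step):
            for j in range(i, i + step):
                w[j], w[j + step] = w[j] + w[j + step], w[j] - w[j + step]
        step <<= 1
    return max(abs(v) for v in w)

def analyse(cycles):
    """Per output bit: (algebraic degree, ANF term count, non-linearity)."""
    outputs = [toy_map(x, cycles) for x in range(1 << N)]
    report = []
    for bit in range(N):
        tt = [(y >> bit) & 1 for y in outputs]
        coeffs = anf(tt)
        degree = max((bin(m).count("1") for m, c in enumerate(coeffs) if c), default=0)
        report.append((degree, sum(coeffs), (1 << (N - 1)) - max_walsh(tt) // 2))
    return report

if __name__ == "__main__":
    print("1 cycle:", analyse(1)[0], "| 4 cycles:", analyse(4))
```

After one cycle every output bit is the Rule 30 local function (degree 2, four ANF terms); after 4 cycles an output bit of this toy register depends on at most 9 of the 12 cells, so its degree cannot exceed 9.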

1.2 Pseudo-code

The pseudo-code for the cipher is given in Algorithm 1. The 128-bit non-linear states and the 128-bit linear states can be stored in (4*2 =) eight 32-bit integers, called NLCA0 ⋯ NLCA3 and LCA0 ⋯ LCA3. Four temporary variables, called TEMP0 ⋯ TEMP3, store the state bits temporarily for processing. The 128-bit Key (KEY0 ⋯ KEY3) and the extended IV (IV0 ⋯ IV3) are taken as inputs. Finally, the FEEDBACK0 ⋯ FEEDBACK3 variables store the feedback for the non-linear block. The integers RULE0 ⋯ RULE3 contain the rule vector of the 128-bit maximum length CA.

Test vectors

  1. Key=0x00000000 00000000 00000000 00000000, IV=0x00010001 00010001 00010001 00010001 (including eight fixed 1s), KS=0x256606be 816e094b 911084a3 a8b7015f

  2. Key=0xa9b8c92d 56cad670 05ae2175 56d347a9, IV=0x56b17787 5331bd01 6391ac65 42619871 (including eight fixed 1s), KS=0x7da160b6 1ef7b7f9 e419dc38 331f5531


Das, S., RoyChowdhury, D. CAR30: A new scalable stream cipher with rule 30. Cryptogr. Commun. 5, 137–162 (2013). https://doi.org/10.1007/s12095-012-0079-1
