Sara D. Cardell, Amparo Fúster-Sabater, "Binomial Representation of Cryptographic Binary Sequences and Its Relation to Cellular Automata", Complexity, vol. 2019, Article ID 2108014, 13 pages, 2019. https://doi.org/10.1155/2019/2108014
Binomial Representation of Cryptographic Binary Sequences and Its Relation to Cellular Automata
The binomial sequences are binary sequences that correspond to the diagonals of the binary Sierpinski’s triangle. They have fancy properties such that all the sequences with period equal to a power of 2 can be represented as the sum of a finite set of binomial sequences. Other structural properties of these sequences (period, linear complexity, construction rules, or relations among the different binomial sequences) have been analyzed in detail. Furthermore, this work enhances the close relation between the binomial sequences and a kind of Boolean networks, known as linear cellular automata. In this sense, the binomial sequences exhibit the same behavior as that of particular Boolean networks. Consequently, the binomial sequences can be considered as primary tools for generating other more complex Boolean networks with applications in communication systems and cryptography.
Pseudorandom binary sequences are simple successions of bits with applications in fields as different as spread-spectrum communications, circuit testing, error-correcting codes, numerical simulations, or cryptography (stream ciphers). Most generators producing such sequences are based on Boolean functions and Linear Feedback Shift Registers (LFSRs). Desirable characteristics for pseudorandom binary sequences are long period, good statistical properties, or large linear complexity. Different LFSR-based sequence generators can be found in the literature [2, Chapter 5]. In most of them, the output sequence is a binary sequence generated as the image of a nonlinear Boolean function in the shift register binary stages.
On the other hand, the binomial sequences are a family of binary sequences whose terms are binomial numbers reduced modulo 2. More precisely, the binomial sequences correspond to the diagonals of the Sierpinski’s triangle modulo 2. In this way, the binomial sequences exhibit many attractive properties that can be very useful in the analysis and generation of cryptographic sequences. In this work, it is shown that every binary sequence with period , being a positive integer, can be written as a bit-wise XOR of binomial sequences.
Since many cryptographic sequences have period [3–6], the binomial sequences can be considered as a fundamental tool to analyze the structural properties of all these classes of sequences. In addition, it can be checked that the behavior of some binomial sequence combinations is the same as that of a kind of Boolean network (namely, one-dimensional cellular automata). In fact, cellular automata with two-state cells are a special kind of Boolean network where all the nodes use the same function and the links are all arranged in a regular bounded integer lattice structure. Boolean networks have attracted great attention in many different areas such as bioinformatics, computational processes, graph dynamical systems, and parallel discrete dynamical systems [10, 11]. This paper shows the subtle relation between binomial sequences and cellular automata. In brief, the binomial sequences and the linear cellular automata make visible the linearity inherent to many cryptographic generators paradoxically designed as strong nonlinear generators.
The paper is organized as follows: In Section 2, we introduce the basic concepts and definitions needed for the rest of this work. Section 3 studies the characterization and main properties of the binomial sequences. In Section 4, the relation between binomial sequences and linear cellular automata is analyzed. A simple method of recovering the binomial representation of a sequence is developed in Section 5 with an example. Finally, conclusions in Section 6 end the paper.
In this section, we present some basic concepts about sequences that we need to know before introducing the main results.
2.1. Binary Sequences
Let be the Galois field of two elements. We say is a binary sequence if its terms , for . The sequence is periodic if and only if there exists an integer such that , for all . In the sequel, all the sequences considered will be binary sequences and the XOR operation among sequences will be denoted by + instead of the symbol .
Let be a positive integer, and let be constant coefficients with . A binary sequence satisfying the relation is called a (-th order) linear recurring sequence in . The terms are referred to as the initial values (or initial state) and determine the rest of the sequence uniquely. A relation of the form given by (1) is called a (-th order) linear recurrence relationship.
The monic polynomial is called the characteristic polynomial of the linear recurring sequence and is said to be generated by .
The generation of linear recurring sequences can be implemented on LFSRs. These structures handle information in the form of binary elements and they are based on shifts and linear feedback. In fact, an LFSR is an electronic device with memory cells (stages) with binary contents. At each time instant, each element is shifted to the adjacent stage and a new element is computed via a linear feedback to fill the empty stage (see Figure 1). If the characteristic polynomial of the linear recurring sequence is primitive, then the LFSR is a maximal-length LFSR and its output sequence, the so-called PN-sequence, has period .
The linear complexity, , of a sequence is defined as the length of the shortest LFSR that generates such a sequence or, equivalently, as the lowest order linear recurrence relationship that generates such a sequence.
In cryptographic terms, the linear complexity must be as large as possible. The recommended value is approximately half the period .
Let be the shifting operator that acts on the terms of a sequence ; that is, The linear recurrence relationship given in (1) can be written in terms of the operator as a linear difference equation: If the characteristic polynomial is a primitive polynomial of degree and is one of its roots, then are the roots of such a polynomial. In this case, the binary solutions of (4) are a linear combination of the roots of the form that is, is the -th term of a PN-sequence with characteristic polynomial and whose initial values are determined by the coefficient .
Next, let us consider a bit more complex difference equation of the form whose characteristic polynomial is , being a positive integer. Now, the roots of are the same as those of but with multiplicity . Therefore, the binary solutions of (6) are given by where the coefficients and are binomial coefficients reduced modulo 2 (see ). Since is the -th term of a PN-sequence with characteristic polynomial and initial values determined by , then is the sum of terms of a unique PN-sequence starting at different points and where each one of these terms is weighted by a binary binomial coefficient .
3. Binomial Sequences
Previous to the introduction of the binomial sequence concept, let us consider some general features of the binomial coefficients.
The binomial coefficient is the coefficient of the power in the polynomial expansion of . For every positive integer , it is a well-known fact that and for . Moreover, it is worth noticing that if we arrange these binomial coefficients into rows for successive values of , then the generated structure is the Pascal’s triangle (see Figure 2(a)). The most-left diagonal is the identically 1 sequence, the next diagonal is the sequence of natural numbers , the next one is the sequence of triangular numbers , etc. Other fascinating sequences (tetrahedral numbers, pentatope numbers, hexagonal numbers, Fibonacci sequence, etc.) can be found in the diagonals of this triangle. On the other hand, if we color the odd numbers of the Pascal’s triangle and shade the even numbers, then we get the Sierpinski’s triangle (see Figure 2(b)).
Figure 2: (a) Pascal’s triangle; (b) Sierpinski’s triangle; (c) Sierpinski’s triangle mod 2.
The binomial coefficients reduced modulo 2 allow us to introduce the concept of binomial sequence.
Definition 1. Given a fixed integer , the sequence given by is known as the binary -th binomial sequence.
Table 1 shows the binomial sequences and their corresponding periods and linear complexities, denoted by and , respectively, for the first 8 binomial coefficients , ; see . The linear complexities of the binomial sequences are defined in Theorem 13 (Section 4). Recall that the successive binomial sequences correspond to shifted versions of the successive diagonals in the Sierpinski’s triangle reduced modulo 2 (see Figure 2(c)).
Next, the relation between binomial sequences and binary sequences with period which is a power of 2 is defined in the following result.
Theorem 2. Let be a binary sequence with period , being a positive integer. Then, every binary sequence can be written as a linear combination of binomial sequences.
Proof. Since the period of is a power of 2, then the next equation holds:which is a simplified version of (6) with and the characteristic polynomial . Therefore, its binary solutions are given by (7), which has now the following simplified form: where 1 is the unique root of the polynomial with multiplicity , the coefficients and are binomial coefficients modulo 2. When takes successive values , then each binomial coefficient modulo 2 defines a different binomial sequence. Thus, the sequence is just the bit-wise XOR of such binomial sequences weighted by binary coefficients .
Different choices of will produce different sequences with distinct characteristics and properties, but all of them with period , .
4. Properties of the Binomial Sequences
From now on, we denote the -th binomial sequence as or simply , while denotes a binomial coefficient.
In this section we study the properties of this family of binomial sequences.
Next result shows that the binomial sequences can be obtained one from another.
Proposition 3. Given the sequence , with , we have that (a) the sequence has period ; (b) the first period of the sequence has the following structure:
Proof. (b) We consider the first bits of the sequence .
We know that when . Then, the first bits are 0s; in particular, this means that the first elements of the sequence are zero.
If , then is of the form , for . We want to prove that the other bits are the first bits of . This idea is illustrated in Figure 3.
In order to prove that the other bits are the first bits of , it is enough to prove that .
Thus, we compute both binomial coefficients Let be the maximum power of 2 in the prime factorization of , with and the odd number such that . Notice that when is odd, then and .
Then, we have Since , then and, as a consequence, . Now, the inequality implies that is always an odd number. Finally, since both (14) and (15) have the same denominator, then they exhibit the same powers of two. Thus, (14) is odd (even) iff (15) is odd (even) and the previous congruence holds.
(a) It is enough to prove now that We consider both binomial coefficients: Consider the maximum power of 2 in the prime factorization of , with and the odd number such that . Notice that when is odd, then and . With this new notation, we have that Note that and then is always an odd number. Now, since both expressions (18) and (19) have the same denominator and the same powers of two in the prime factorization of the numerator, we know that (18) is odd (even) iff (19) is odd (even).
We have proven that , for . Then we know that the period divides . Since the first bits of the sequence are 0s (item b), then the period must be .
It is worth noticing that the binomial sequences match exactly with the diagonals of the binary Sierpinski’s triangle (see Figure 4) but starting in a different bit (shifted versions of such diagonals). For example, the encircled sequence in Figure 4 corresponds to the shifted binomial sequence .
We know that the sequence is a solution of the difference equation of the form (10). Therefore, every sequence of period can be obtained by XORing diagonals of the binary Sierpinski’s triangle.
Corollary 4. The sequences have period and the following structure:
Corollary 5. The sequences are balanced; that is to say, they contain the same number of 1s and 0s.
Remark 6. (a) The sequences of the form have the following structure: (b) The sequences of the form have the following structure:
According to Theorem 2, a binary sequence of period power of 2 is the bit-wise XOR of binomial sequences. Therefore, we introduce the following definition.
Definition 7. The set of binomial sequences necessary to obtain a binary sequence of period power of 2 is called the binomial representation of such a sequence.
The binomial representation of a sequence is of the form , with and an integer such that .
Since our sequences are periodic, they can start in different points. Next we see that, depending on the starting point, the binomial representations of the same sequence will be different.
Lemma 8. Given two positive integers and with , we have the following:
Lemma 9. Given the binomial sequence , , if we shift cyclically such a sequence one bit to the left, then we obtain the sequence . If , the sequence remains the same (in this case the sequence is the identically 1 sequence).
Proof. According to the construction rule for binomial sequences given in Definition 1, the sequences and are the same but starting in different points.
Now, according to Lemma 8, we know that , then the sequence equals the sequence . Therefore, the sequences and are the same but starting in different bits.
Example 10. Consider the following sequences: Both sequences and are the same, but starting in different positions. We can check that the starting point of the sequence (bit in bold) is the second bit of sequence .
In order to prove the linear complexity of the binomial sequences, we need to introduce the following results.
Proposition 11. Given the binomial sequence , with a fixed , the sequence represented by can be also represented by . If , the sequence is the identically zero sequence.
Proof. According to Lemma 8, we know that . Since we are working over the binary field, we have that the sequence can be also represented by .
Theorem 12 (, Theorem 1). Let be a binary sequence whose characteristic polynomial is . Then, the characteristic polynomial of the sequence , where , is .
Now, we are ready to study the linear complexity of the binomial sequences.
Theorem 13. The linear complexity of the sequence is .
Proof. We prove this result by induction.
For , the sequence has and the characteristic polynomial is .
For , the sequence represented by has and the characteristic polynomial is .
Let us suppose that the sequence has and the characteristic polynomial is .
According to Proposition 11, we have that . Now, according to Theorem 12, the characteristic polynomial of is and, thus, .
As a consequence of the previous theorem, we have the following result.
Corollary 14. Given a sequence with binomial representation , where are integer indices, then the linear complexity of such a sequence is .
As a consequence of Lemma 9, we obtain the following result.
Theorem 15. Let with be the binomial representation of a sequence. If we shift cyclically such a sequence one bit to the left, then its binomial representation is
Corollary 16. Binary sequences with period have different binomial representations.
Proof. Since the period of the sequence is , we can perform left shifts before getting the same starting point of the sequence. Therefore, we can obtain different binomial representations.
Example 17. Consider the sequence with binomial representation . In Figure 5, we can see graphically the method followed to obtain the different binomial representations of this sequence. From one representation and via Theorem 15, we obtain the next representation corresponding to the same sequence left-shifted one bit. Finally, we have 4 different representations (the ones in bold contained in the grey boxes) including the initial one: Since the period of this sequence is 4, we can obtain 4 different binary representations. Furthermore, one can observe that after four steps we obtain again the initial representation .
Now, consider again Figure 4. We know that the binomial sequence shown in the binary Sierpinski’s triangle starts in a different bit compared with the sequence given in Table 1. In particular, in the binary Sierpinski’s triangle the sequences start in the first nonzero bit; thus their binomial representations are different. For instance, consider Table 3 where we can observe the different representations of a unique binomial sequence . Each row represents the coefficients of each different binomial representation. The binomial representation of the sequence in the binary Sierpinski’s triangle is the last row of Table 3: , with , for .
5. Cellular Automata
Cellular automata (CA) are discrete structures composed of a finite number of cells whose content is updated according to a rule or function with variables . The state of the cell in position at time , notated , depends on the state of the neighbour cells at time . If these rules are composed exclusively of XOR operations, then the CA are linear. Here, the CA we consider are regular (every cell follows the same rule), cyclic (extreme cells are adjacent), and one-dimensional. For , rules 102 and 60 are given in Table 2.
(a) Rule 102:
(b) Rule 60:
The number 01100110 (00111100) is the binary representation of the decimal number 102 (60). In Figure 6, these rules are depicted according to Wolfram terminology: a white square represents the digit 0 and a black square represents the digit 1.
Consider again Table 3. If we color the 1s, the general structure of the set of characterizations is the same as that one of the CA-image generated by rule 102 after having applied 15 iterations to the one-dimensional cellular automata (see Figure 7). In general, due to the observed form of the binomial sequences (see Figure 8 and Proposition 3), it can be assured that the complete set of binomial representations of coincides with the 102-CA of length and and initial state . This is due to the fact that the recursive method to obtain the different binomial representations of a sequence matches with the generation rule of 102-CA (depicted in Table 2).
As a consequence, we can introduce the following result.
Theorem 18. Consider a sequence with binomial representation If we put this sequence in the leftmost column of a 102-CA (rightmost column of a 60-CA), then the binomial representation of the next sequence in the CA is
Proof. Let us denote the binomial sequence by Then, we have that According to Proposition 11, Then, is represented by .
Remark 19. If the term is included in the binomial representation, it is discarded for the next sequence. See, for example, Table 4. In this table, we have two examples of one-dimensional linear CAs. The first one is a 102-CA. At the bottom of the CA, we can observe the binomial representations of the generated vertical sequences. We can check that the binomial representations of the sequences can be obtained following the process mentioned in Theorem 18. It is worth noticing that the given 60-CA generates exactly the same sequences, but they appear in reverse order.
Finally, observe that the set of binomial representations of a sequence follows the same pattern as the 102-CA.
Theorem 20 (, Theorem 4). Given a sequence with period and linear complexity LC, then the CA that generates this sequence using the rule 102 has (i) one sequence of period 1 (the identically 1 sequence), (ii) sequences of period , for , (iii) sequences of period .
Consider, for example, the sequence represented by . This sequence has period . In Table 5, we can observe the 16 different representations of this sequence. The rows of the table represent the coefficients that accompany each binomial coefficient, for each representation. That means, the column represents the coefficients that accompany for each one of the 16 representations.
If we observe the behavior of the coefficients in the columns, we can check that the columns follow the same structure proposed in Theorem 20: (i) one sequence of period 1 (rightmost sequence); (ii) one sequence of period 2; (iii) two sequences of period 4; (iv) four sequences of period 8; (v) five sequences of period 16.
Furthermore, it is possible to check that Table 5 is a 102-CA. This is due to the formation rule of the binomial representations given in (26), which coincides with the formation procedure of Rule 102.
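The following Python block is an added example, not code from the paper. On constructed inputs it checks that applying rule 102 to the coefficient vector of a binomial representation gives the representation of the sequence shifted one bit to the left, and that a constructed period-16 sequence with 13 coefficients shows the 1/1/2/4/5 column-period pattern listed above. Assumptions: coefficients are indexed from 0 with index k standing for C(n, k) mod 2, the cell beyond the top index is taken as 0, and all function names are illustrative.

```python
from collections import Counter


def binom2(n, k):
    """C(n, k) mod 2 by Lucas' theorem: odd iff every 1-bit of k is also set in n."""
    return 1 if (n & k) == k else 0


def synthesize(coeffs, length):
    """Sequence whose binomial representation has coefficient vector coeffs."""
    return [sum(c & binom2(n, k) for k, c in enumerate(coeffs)) & 1
            for n in range(length)]


def wolfram_number(rule):
    """Wolfram number of a three-neighbour rule f(left, centre, right)."""
    return sum(rule(i >> 2 & 1, i >> 1 & 1, i & 1) << i for i in range(8))


def rule102(left, centre, right):
    return centre ^ right


def rule60(left, centre, right):
    return left ^ centre


def shift_representation(coeffs):
    """Representation after a one-bit left shift of the sequence.

    Pascal's rule gives C(n+1, k) = C(n, k) + C(n, k-1), so the new coefficient
    of C(n, k) is c_k XOR c_{k+1}: rule 102 applied to the coefficient vector.
    The cell to the right of the top index is taken as 0 (example assumption).
    """
    padded = [0] + list(coeffs) + [0]
    return [rule102(padded[i - 1], padded[i], padded[i + 1])
            for i in range(1, len(padded) - 1)]


def all_representations(coeffs):
    """Iterate rule 102 until the starting representation comes back."""
    orbit = [list(coeffs)]
    nxt = shift_representation(coeffs)
    while nxt != orbit[0]:
        orbit.append(nxt)
        nxt = shift_representation(nxt)
    return orbit


def matches_left_shifts(coeffs, period):
    """True if row t of the CA represents the sequence rotated left by t bits."""
    seq = synthesize(coeffs, period)
    return all(synthesize(rep, period) == seq[t % period:] + seq[:t % period]
               for t, rep in enumerate(all_representations(coeffs)))


def column_periods(coeffs):
    """Map each period to the number of coefficient columns having it."""
    rows = all_representations(coeffs)
    total = len(rows)
    counts = Counter()
    for col in zip(*rows):
        p = next(p for p in range(1, total + 1)
                 if total % p == 0
                 and all(col[t] == col[(t + p) % total] for t in range(total)))
        counts[p] += 1
    return dict(counts)


# Constructed sample: indices {2, 7, 12}, so 13 coefficients and period 16.
SAMPLE = [1 if k in (2, 7, 12) else 0 for k in range(13)]

if __name__ == "__main__":
    print(wolfram_number(rule102), wolfram_number(rule60))
    for row in all_representations(SAMPLE):
        print("".join(map(str, row)))
    print(column_periods(SAMPLE))
```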
6. Recovering the Binomial Representation
Given intercepted bits of a sequence of period , Algorithm 1 introduces a method to recover a part of the binomial representation of such a sequence depending on the number . Let us denote by the set of intercepted bits. In round , the algorithm compares with the corresponding bit in the sequence represented by . If they match, then is part of the binomial representation. Otherwise, the term is discarded and the algorithm continues. This method is based on the fact that the first bits of the sequence represented by are 0s.
Let us introduce now an illustrative example.
Example 21. Consider the set of intercepted bits . The first two bits and match with the first two bits of the sequence . This means that one of the binomial representations of the sequence starts with .
The bit matches with the corresponding bit of the sequence : Then, the binomial representation we are considering starts with .
Finally, the bits , , and match with the corresponding bits of the sequence : Therefore, we have that the first part of the considered binomial representation is with coefficients as in Table 6. In case of having more intercepted bits and proceeding in the same way, we would complete the whole representation.
Next, we introduce a result on the number of bits required to recover the binomial representation of a sequence. Notice that if we know the binomial representation of a sequence, we can recover the whole sequence.
Proposition 22. Given intercepted bits of a sequence with linear complexity and period , it is possible to recover the complete binomial representation of the sequence.
Proof. According to Corollary 14, the binomial representation of a sequence with linear complexity and period is of the form , with . Now, according to the method explained in Algorithm 1, we need bits to recover each one of the coefficients , .
At any rate, the application of the traditional Berlekamp-Massey algorithm needs intercepted bits to recover the whole sequence. Thus, the method developed here makes use of half the bits needed by the Berlekamp-Massey algorithm. Consequently, the amount of intercepted bits has been reduced by a factor of 2, which is quite favorable in terms of cryptanalysis.
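The following Python block is an added example, not the paper's Algorithm 1 verbatim: it sketches the recovery idea behind Algorithm 1 and Proposition 22 and compares it with a textbook GF(2) Berlekamp-Massey routine. Assumptions: indices start at 0 (index k stands for C(n, k) mod 2), the intercepted bits are the first bits of the sequence, and at least as many bits as the linear complexity are available; the sample sequence and all function names are constructed for illustration.

```python
def binom2(n, k):
    """C(n, k) mod 2 by Lucas' theorem: odd iff every 1-bit of k is also set in n."""
    return 1 if (n & k) == k else 0


def synthesize(indices, length):
    """Bit-wise XOR of the binomial sequences C(n, k) mod 2 for k in indices."""
    return [sum(binom2(n, k) for k in indices) & 1 for n in range(length)]


def recover_representation(intercepted):
    """Recover the binomial indices below len(intercepted) from the first bits.

    The k-th binomial sequence is 0 at positions n < k and 1 at n = k, so bit k
    depends only on coefficients 0..k and fixes coefficient k once the lower
    ones are known.
    """
    coeffs = []
    for k, bit in enumerate(intercepted):
        predicted = 0
        for j, c in enumerate(coeffs):
            predicted ^= c & binom2(k, j)
        coeffs.append(bit ^ predicted)  # term k is needed iff the prediction misses
    return [k for k, c in enumerate(coeffs) if c]


def linear_complexity_from_representation(indices):
    """Highest index plus one: by Pascal's rule each application of (E + 1)
    lowers a binomial index by one, so C(n, k) mod 2 is annihilated by
    (E + 1)^(k + 1) and by no lower power."""
    return max(indices) + 1 if indices else 0


def berlekamp_massey(bits):
    """Textbook Berlekamp-Massey over GF(2); returns the linear complexity."""
    n = len(bits)
    c = [1] + [0] * (n - 1)
    b = [1] + [0] * (n - 1)
    length, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, length + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n - shift):
                c[j + shift] ^= b[j]
            if 2 * length <= i:
                length, m, b = i + 1 - length, i, t
    return length


# Constructed sample: representation {0, 3, 5}, period 8, linear complexity 6.
TRUE_INDICES = [0, 3, 5]
PERIOD = 8
KEYSTREAM = synthesize(TRUE_INDICES, PERIOD)
INTERCEPTED = KEYSTREAM[:6]  # as many bits as the linear complexity

if __name__ == "__main__":
    recovered = recover_representation(INTERCEPTED)
    print("recovered indices:", recovered)
    print("rebuilt period   :", synthesize(recovered, PERIOD))
    print("LC from indices  :", linear_complexity_from_representation(recovered))
    print("BM on 16 bits    :", berlekamp_massey(KEYSTREAM * 2))
    print("BM on 6 bits     :", berlekamp_massey(INTERCEPTED))
```

With the same 6 bits, Berlekamp-Massey returns a register shorter than the true linear complexity, so it cannot yet reproduce the rest of the period.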
The family of binary sequences considered in this work, sequences whose period is a power of 2, has good cryptographic properties such as long period and large linear complexity. However, we have seen that such sequences are simple solutions of linear difference equations with constant coefficients and can be obtained by XORing binomial binary sequences corresponding to diagonals of Sierpinski’s triangle reduced modulo 2. Although different nonlinear procedures, e.g., irregular decimation, are introduced to break the linearity of the LFSR-based sequence generators, this linearity is still visible in their output sequences. Consequently, such linearity makes the generators producing the previous sequences vulnerable against cryptanalysis and makes them not suitable as part of more complex cryptographic structures. In this sense, we conjecture that given a sequence there exists a minimal binomial representation, that is, a representation with a minimum number of binomial terms.
On the other hand, we showed that there exists a close relation between one-dimensional linear cellular automata (102-CAs or 60-CAs) and the binomial sequences. Furthermore, there exists another family of cellular automata (150/90-CAs) that also generate sequences of period with good cryptographic properties. Therefore, in order to complete this study, the analysis of the relation of this family of cellular automata with binomial sequences is proposed as future work.
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
This research has been partially supported by Ministerio de Economía, Industria y Competitividad (MINECO), Agencia Estatal de Investigación (AEI), and Fondo Europeo de Desarrollo Regional (FEDER, UE) under Project COPCIS, Reference TIN2017-84844-C2-1-R, and by Comunidad de Madrid (Spain) under Project Reference CYNAMON (P2018/TCS-4566) and also cofunded by European Union FEDER funds. The first author was supported by CAPES (Brazil). Finally, we would also like to thank Dr. Verónica Requena for her useful comments and suggestions.
- S. W. Golomb, Shift Register-Sequences, Aegean Park Press, Laguna Hill, California, USA, 1982.
- A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, USA, 1996.
- W. Meier and O. Staffelbach, “The self-shrinking generator,” in Advances in cryptology -EUROCRYPT '94 (Perugia), A. De Santis, Ed., vol. 950 of Lecture Notes in Computer Science, pp. 205–214, Springer, Berlin, Heidelberg, Germany, 1995.
- Y. Hu and G. Xiao, “Generalized self-shrinking generator,” Institute of Electrical and Electronics Engineers Transactions on Information Theory, vol. 50, no. 4, pp. 714–719, 2004.
- A. Kanso, “Modified self-shrinking generator,” Computers and Electrical Engineering, vol. 36, no. 5, pp. 993–1001, 2010.
- S. D. Cardell and A. Fúster-Sabater, “The t-modified self-shrinking generator,” in Computational Science – ICCS 2018, Y. Shi, H. Fu, and Y. Tian, Eds., vol. 10860 of Lecture Notes in Computer Science, pp. 653–663, Springer International Publishing, Cham, 2018.
- A. Fauré, A. Naldi, C. Chaouiya, and D. Thieffry, “Dynamical analysis of a generic Boolean model for the control of the mammalian cell cycle,” Bioinformatics, vol. 22, no. 14, pp. e124–e131, 2006.
- D. Zheng, G. Yang, X. Li, Z. Wang, F. Liu, and L. He, “An efficient algorithm for computing attractors of synchronous and asynchronous boolean networks,” Plos One, vol. 8, no. 4, Article ID e60593, 2013.
- J. A. Aledo, S. Martínez, and J. C. Valverde, “Graph dynamical systems with general boolean states,” Applied Mathematics Information Sciences, vol. 9, no. 4, pp. 1803–1808, 2015.
- J. A. Aledo, S. Martínez, F. L. Pelayo, and J. C. Valverde, “Parallel discrete dynamical systems on maxterm and minterm boolean functions,” Mathematical and Computer Modelling, vol. 55, no. 3-4, pp. 666–671, 2012.
- J. A. Aledo, S. Martínez, and J. C. Valverde, “Parallel dynamical systems over graphs and related topics: a survey,” Journal of Applied Mathematics, vol. 2015, Article ID 594294, 14 pages, 2015.
- A. Fúster-Sabater and P. Caballero-Gil, “Linear cellular automata as discrete models for generating cryptographic sequences,” Journal of Research and Practice in Information Technology, vol. 40, no. 4, pp. 47–52, 2008.
- S. D. Cardell and A. Fúster-Sabater, “Linear models for the self-shrinking generator based on CA,” Journal of Cellular Automata, vol. 11, no. 2-3, pp. 195–211, 2016.
- A. K. Das, A. Ganguly, A. Dasgupta, S. Bhawmik, and P. P. Chaudhuri, “Efficient characterisation of cellular automata,” IEE Proceedings Part E Computers and Digital Techniques, vol. 137, no. 1, pp. 81–87, 1990.
- S. Wolfram, “Cellular automata as simple self-organizing system,” Caltech preprint CALT, pp. 68–938, 1982.
- J. L. Massey, “Shift-register synthesis and BCH decoding,” IEEE Transactions on Information Theory, vol. 15, no. 1, pp. 122–127, 1969.
Copyright © 2019 Sara D. Cardell and Amparo Fúster-Sabater. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.