
Complex Systems 1 (1987) 51-57

Cellular Automaton Public-Key Cryptosystem

Puhua Guan
Department of Mathematics, University of Puerto Rico,
Rio Piedras, PR 00931, USA

Abstract. A public-key cryptosystem based on inhomogeneous cellular automata is proposed. The running time of all known algorithms for breaking the system grows exponentially with the cipher block length.

1. Introduction
A cryptographic system is a mathematical system for encrypting or transforming information so that it appears useless to those who are not meant to have access to it. Any cryptographic technique, such as the substitution and transposition of symbols, that operates on a message without regard to its linguistic structure is called a cipher and is said to generate a cipher text. In a public-key cryptosystem, a receiver, rather than agreeing with each sender on how to operate on a message, simply generates two distinct keys of his own: an enciphering key E, which is communicated to the public, serves the purpose of encryption; a deciphering key D, which is kept by the receiver himself, serves to implement the system's deciphering algorithm.
A cryptosystem should satisfy the following three requirements:

Security. For people who do not know the deciphering key, it should require an unrealistic amount of time to recover the plain information from a cipher text, whereas for the receiver who knows the deciphering key, the original information should be quickly recoverable from the cipher text.

Integrity. If an enemy agent attempts to confuse the receiver by inserting a corrupted message, the receiver should be able to detect it.

Authorization. If someone sends a message using another person's key, the receiver should be able to detect it.

© 1987 Complex Systems Publications, Inc.

[Figure 1: Schematic arrangement of a public-key cryptosystem. Labels: message source, plain text, sender, cipher text, receiver.]

Several different public-key cryptosystems have been proposed [1]; many techniques for attacking them have also been developed [3]. This paper presents a new public-key cryptosystem that satisfies all the requirements previously mentioned. The running times of all algorithms so far known for breaking our system grow exponentially with cipher block length.

Section 2 describes our system from the point of view of the security requirement. The end of the section shows how the integrity and the authorization requirements can also be satisfied. Section 3 provides an example.

2. Cellular automaton cryptosystem

To transform information by electronic means, a message is usually represented by a string of binary bits. This representation is always done according to some well known rules (ASCII, etc.).

This string of binary bits is called the plain text. The string of binary bits is then cut into blocks, with each block containing a certain number of bits. The bits in a block can be viewed as an element of another set S, for example, every three bits represent an element in a set of size 8, etc. These elements of S will be the fundamental units of our cryptosystem. Let S be the ground set of the system. The blocks are the independent units of the cryptosystem; in the cipher text, each block is a replacement of a block in the plain text.

Suppose each block is N bits long, representing m elements of S. In order to meet the security requirement, an invertible function is needed that maps $S^m$ to $S^m$ and satisfies the following conditions:

(a) It is easy to compute (for enciphering).

(b) It is hard to find its inverse (for deciphering by intruders).

(c) With some key information, the inverse image can be easily computed.
The complexity of behavior seen in cellular automata suggests that invertible cellular automaton rules are promising candidates for our purpose. However, cellular automaton rules are usually represented by tables, and if the effective neighborhood size is small, then there is a danger that the inverse image in any particular case can be found by a random attack. If the effective neighbourhood size is large, then the table will be too large, since its size grows exponentially with the number of neighbours.

To make rules which can be stated succinctly but which have large effective neighborhood sizes, each S is associated with a mathematical structure. For example, we can think of S as a mathematical ring or a field and use multivariate polynomials to represent the cellular automata rules. Note that when $|S|$ is a prime power, then every multivariate function over S is a polynomial function. When $|S|$ is not a prime power, a large portion of multivariate functions can still be represented as polynomial functions. When the degree of each polynomial function is bounded by a small number d, then the size of each polynomial is bounded by $m^d$, where m is the number of the variables. So we can have cellular automata rules with large effective neighborhood sizes but with short representations. On the other hand, multivariate polynomial functions satisfy conditions (a) and (b) well, since polynomials are easy to compute. But the time needed to solve a system of nonlinear polynomial equations in general grows exponentially with the number of variables [3,4,7].

To obtain a system that satisfies all (a), (b), and (c), we first make the following definitions.

Definition 1. A finite cellular automaton of size m is a dynamical system with m sites $(x_1^t, x_2^t, \ldots, x_m^t) = x^t$, together with a set of mappings $\{F_i^t\}$ at each discrete time t, such that

$$x_i^{t+1} = F_i^t(x_1^t, x_2^t, \ldots, x_m^t), \tag{2.1}$$

where x assumes values in any set S and the subscripts are calculated modulo m.

Following the above definitions, if $F_i^t = F_j^t$ for each i, j, then the cellular automaton is homogeneous, and if there exist $i \neq j$ such that $F_i^t \neq F_j^t$, then the cellular automaton is inhomogeneous. If $F_i^t = F_i^s$ for all t, s and i, then the cellular automaton is time stable, and if there exist t and s such that $F_i^t \neq F_i^s$, then the cellular automaton is time varying.

Not much investigation has been done on time varying or inhomogeneous rules. For the time stable and homogeneous rules, the behavior of most cellular automata appears unpredictable [6]. Complete descriptions have so far been found only for additive cellular automata.

Definition 2. A cellular automaton is partially linear at the time t if S is a ring and some $F_i^t$ are linear functions. It is partially linear invertible if the coefficients of those linear functions together form an invertible matrix.

Definition 3. A cellular automaton is s-fold linear invertible at the time t if S is a ring and the variables $(x_1^t, x_2^t, \ldots, x_m^t)$ can be partitioned into s parts $(x_{11}^t, \ldots, x_{1k_1}^t), \ldots, (x_{s1}^t, \ldots, x_{sk_s}^t)$ such that for each j, there are exactly $k_j$ functions in the set $\{F_i^t\}$ that are linear functions in the variables of the j-th part. The functions that are linear in the variables of the j-th part can be any functions of the variables in the previous parts. Moreover, the variables of the latter parts cannot appear in these functions, and the coefficients of the variables of the j-th part in these functions form an invertible matrix.

Two examples of 2-fold linear invertible cellular automata are given in Section 3.

For any system of size m with an initial state $(x_1, x_2, \ldots, x_m)$, we can easily compute the state at the next time $(x'_1, \ldots, x'_m)$ under any s-fold linear invertible rule. It is also easy to trace back $(x_1, \ldots, x_m)$ from $(x'_1, \ldots, x'_m)$. However, if we compose several multifold linear invertible rules together, the composite function is no longer partially linear. To find the original state from the final state obtained by the action of the composed rules, it is then necessary to solve a system of nonlinear polynomial equations, if one knows only the composite function. On the other hand, the designer of the rules, knowing how the composite function is constructed, can give a procedure for recovering the initial values without solving general equations.
Now our cryptographic scheme is clear. Let the ground set be a commutative ring. The enciphering key E is a composition of several time-varying inhomogeneous multifold linear invertible rules, which is made public. The deciphering key D, which is kept private by the designer, is the set of the individual rules in the composite enciphering function.

The requirements of integrity and authority can be satisfied as follows. After the sender sends the cipher text M including his own name enciphered according to the public key of a receiver, he applies the inverse of his own public key to M, gets M', then sends M' as well. The receiver first deciphers M and finds the sender's name, then applies the public key of the sender to M'. If he gets M as given in the first half of the cipher text, he can believe that the signature is authentic and the information not coded by an enemy agent.

3. Examples
Suppose we have a system with a block length of 5 bits and assume that each bit takes a value in the field of 2 elements. A user C publishes the following public keys:

$$\begin{aligned}
y_1 &= x_1 x_2 + x_5 \\
y_2 &= x_2 x_3 + x_4 \\
y_3 &= x_1 x_2 x_3 + x_1 x_2 x_4 + x_2 x_3 x_5 + x_4 x_5 + x_2 \\
y_4 &= x_2 x_1 + x_2 x_5 + x_3 \\
y_5 &= x_1 + x_2
\end{aligned} \tag{3.1}$$

If B wants to send C the message 10110, he first looks up the above rule under C's name and applies the rule to 10110, then sends 01011.

The rule is actually composed of

$$\begin{aligned}
x'_1 &= x_2 \\
x'_2 &= x_3 \\
x'_3 &= x_1 \\
x'_4 &= x_5 + x_1 x_2 \\
x'_5 &= x_4 + x_2 x_3
\end{aligned} \tag{3.2}$$

and

$$\begin{aligned}
y_1 &= x'_4 \\
y_2 &= x'_5 \\
y_3 &= x'_1 + x'_4 x'_5 \\
y_4 &= x'_2 + x'_1 x'_4 \\
y_5 &= x'_3 + x'_1.
\end{aligned} \tag{3.3}$$

C keeps (3.2) and (3.3) to himself. Upon receiving 01011 he can solve (3.3), to get 01101 for $x'_i$ and then solve (3.2), to get 10110.
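
The Section 3 example as runnable Python (an added illustration, not code from the paper): rules (3.2) and (3.3) are applied and inverted stage by stage over GF(2), and the public polynomials (3.1) are checked against their composition on all 32 blocks. The function names are assumptions introduced here.

```python
# Added example (not from the paper): Section 3 toy system over GF(2); names are illustrative.

def rule_32(x):
    """Private rule (3.2): x -> x'."""
    x1, x2, x3, x4, x5 = x
    return (x2, x3, x1, x5 ^ (x1 & x2), x4 ^ (x2 & x3))

def rule_33(a):
    """Private rule (3.3): x' -> y."""
    a1, a2, a3, a4, a5 = a
    return (a4, a5, a1 ^ (a4 & a5), a2 ^ (a1 & a4), a3 ^ a1)

def public_key(x):
    """Public polynomials (3.1), evaluated directly (XOR is +, AND is * in GF(2))."""
    x1, x2, x3, x4, x5 = x
    return (
        (x1 & x2) ^ x5,
        (x2 & x3) ^ x4,
        (x1 & x2 & x3) ^ (x1 & x2 & x4) ^ (x2 & x3 & x5) ^ (x4 & x5) ^ x2,
        (x2 & x1) ^ (x2 & x5) ^ x3,
        x1 ^ x2,
    )

def invert_33(y):
    """Solve (3.3): y1, y2 give x'4, x'5 directly; the rest is then linear."""
    y1, y2, y3, y4, y5 = y
    a4, a5 = y1, y2
    a1 = y3 ^ (a4 & a5)
    a2 = y4 ^ (a1 & a4)
    a3 = y5 ^ a1
    return (a1, a2, a3, a4, a5)

def invert_32(a):
    """Solve (3.2): x'1..x'3 give x2, x3, x1; then x5 and x4 are linear."""
    a1, a2, a3, a4, a5 = a
    x2, x3, x1 = a1, a2, a3
    x5 = a4 ^ (x1 & x2)
    x4 = a5 ^ (x2 & x3)
    return (x1, x2, x3, x4, x5)

def decrypt(y):
    return invert_32(invert_33(y))

def bits(s):
    return tuple(int(c) for c in s)

ALL_BLOCKS = [tuple((n >> (4 - i)) & 1 for i in range(5)) for n in range(32)]

def composition_matches_public():
    return all(rule_33(rule_32(x)) == public_key(x) for x in ALL_BLOCKS)
```

Neither inversion step solves a nonlinear system: each part's variables enter linearly once the previous part is known, which is what knowledge of the individual rules gives the key holder.
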
In general, if the length of the block is n bits, and to represent an element of the ground set needs k bits, then the size of the keys is bounded by (V', where d is the maximum degree of the keys. In fact, we can choose d to be as small as 2 or 3. Known algorithms for solving nonlinear systems of equations take an expected time $O(2^n)$. In particular, when the ground set is the field of two elements, the general problem of solving a nonlinear system of equations is known to be NP-complete [8].

Acknowledgements
I am grateful to Professors Wolfram and Zassenhaus for their valuable comments and suggestions for the improvement of this paper.

References
[1] Martin E. Hellman, "An Overview of Public Key Cryptography", IEEE Transactions on Communications, 16 (1978).

[2] R. Rivest, A. Shamir, and L. Adleman, "A Method For Obtaining Digital Signatures and Public Key Cryptosystems", Communications of the ACM, 21 (1978) 120-126.

[3] R. Blakely and G. Blakely, "Security Of Number Theoretic Public Key Cryptosystems Against Random Attack I, II, III", Cryptologia, 2 (1978) 305-321; 3 (1979) 29-42; 3 (1979) 105-118.

[4] G. E. Collins, "Quantifier Elimination For Real Closed Field: A Guide To the Literature", Computer Algebra, edited by B. Buchberger, G. E. Collins, R. Loos, (Springer-Verlag, NY, 1982), 79-81.

[5] M. J. Fisher and M. O. Rabin, "Super Exponential Complexity of Presburger Arithmetic", in MIT MAC Technical Memo 43.

[6] Stephen Wolfram (Editor), Theory and Applications of Cellular Automata, (World Scientific, 1986).

[7] Puhua Guan, "Analysis Of Cellular Automata Public Key Cryptography", submitted to 1987 Symposium on Theory of Computing.

[8] Puhua Guan and H. Zassenhaus, "Solving Systems of Equations Over Finite Fields" (to be published in Journal of Number Theory, February 1987).

[9] Puhua Guan, "Public-Key Cryptosystem Based On Higher Order Cellular Automata", submitted to IEEE Transactions on Information Theory, 1987.
