On the semantic security of cellular automata based pseudo-random permutations using results from the Luby-Rackoff construction

This paper proposes a semantically secure construction of pseudo-random permutations using second-order reversible cellular automata. We show that the proposed construction is equivalent to the Luby-Rackoff model if it is built using non-uniform transition rules, and we prove that the construction is strongly secure if an adequate number of iterations is performed. Moreover, a corresponding symmetric block cipher is constructed and analysed experimentally in comparison with popular ciphers. The obtained results confirm the robustness and efficacy of the construction, while the achieved performance exceeds that of some existing block ciphers.

1 Introduction
Pseudo-random permutations (PRPs) figure as a central tool in designing secure cryptographic protocols, especially secret-key block ciphers. In cryptography, the term pseudo-random permutation refers to a function that cannot be distinguished, by any polynomially computable distinguisher, from a permutation selected uniformly at random from the family of all permutations defined on the function's domain.
Modeling block ciphers using PRP constructions enables a theoretically founded security analysis of such protocols, since a well-specified and formalized theory has been developed during the last decades for the construction, validation and security analysis of PRPs [1,2,3]. Most known and standardized block ciphers are generally built using this type of function, especially by means of the standardized Luby-Rackoff construction, proposed initially in [4], which permits building strong and secure PRPs using a symmetric iterative structure named a Feistel network [5]. Specifically, it has been proved that four rounds of the Feistel network construction are sufficient to build a strongly secure PRP that remains pseudo-random even to an adversary who gets access to its inverse permutation [4]. This kind of provable security is named semantic security, and is considered extremely strong when it is met. Precisely, if a crypto-system is semantically secure, then an adversary is not able to compute any information about a plain-text from its corresponding cipher-text. This may be posited as follows: an adversary, given two plain-texts of equal length and their two respective cipher-texts, cannot determine which cipher-text belongs to which plain-text.
Cellular automata (CAs) were introduced first by Von Neumann and later by Wolfram [6] as a simple model for physical, biological and computational systems. The fact that simple CAs, whose underlying rules consist of elementary transition steps, can be efficiently implemented and demonstrate complex, random-like behavior has attracted researchers to use them in the design of cryptographic protocols. Since the first attempt to build a CA-based stream cipher by Wolfram [6], several cryptographic variants have been explored using different classes and types of CAs. The first attempt to build a block cipher using CAs was made by Nandi et al. [7], where the authors implemented a crypto-system based on additive CAs with group properties. In [8], Kari proposed a cryptosystem with reversible CAs, and Zhang presented in [9] a different encryption method based on RCAs that has a larger key space. Another RCA-based encryption algorithm is proposed in [10] that satisfies the avalanche criteria, but trades off with additional communication overhead. In [11], a crypto-system (CAC) is proposed, where non-linearity is achieved by intermixing affine CAs with non-affine transformations. Relatively recent works on block cipher constructions using CAs can be found in [12,13,14,15,16].
Many of the proposed CA-based block ciphers have been successfully broken [17,18,19], and only some of them have been thoroughly tested and cryptanalysed [20]. Unfortunately, no formal theoretical model of such constructions has been established, and in the best case, security analyses have been performed using empirical and statistical measurements. In previous works, we have tried to build secure cellular automata based block ciphers using several techniques and approaches: we used a genetic algorithm to evolve optimal ciphers with respect to the avalanche criterion in [21], and we designed an ad-hoc parallel model of block ciphers for digital images in [22] that was enhanced later in [23]. In contrast to the present work, no theoretical model was used to prove the security of the mentioned ciphers, and only experimental analysis was performed to evaluate the robustness and secrecy of the designed solutions.
In the present work, we show that theoretical results drawn from Feistel networks and the Luby-Rackoff construction can be used to prove the semantic security of a specific CA-based PRP construction model. We establish a conditioned equivalence between Feistel networks and second-order reversible cellular automata (RCAs), and we show that the equivalence's conditions are met only when using non-uniform transition rules. The proposed RCA-based PRP construction is first shown to be semantically secure under the conditions mentioned above; then a simple block cipher scheme is derived and validated experimentally with respect to the strict avalanche criterion. The remainder of the paper is organized as follows: Section 2 gives preliminaries on pseudo-random permutations and the Luby-Rackoff construction. Section 3 introduces the basic CA elements with the second-order reversibility mechanism. Section 4 presents the proposed RCA-based PRP construction with the corresponding security conditions. Section 5 illustrates an application of the proposed model to build a semantically secure block cipher and gives the corresponding experimental security analysis results. Finally, conclusions are drawn in Section 6.

2 Pseudo-random permutations definitions and security conditions
In this section we introduce some basic definitions about PRPs, and their corresponding security conditions and requirements.

Definition 1.
A function defined on the set of all binary blocks of length n into the same set, Φ : {0,1}^n → {0,1}^n, is said to be a permutation if and only if it is a bijection (i.e. Φ^{-1} exists and is efficiently computable). A family of permutations Φ_k is defined by: Such a family is said to be a pseudo-random permutation family if it satisfies the following properties [24]: (1) For any k ∈ {0,1}^m, Φ_k is a bijection from {0,1}^n to {0,1}^n; (2) For any k ∈ {0,1}^m, there exists an efficient algorithm to evaluate Φ_k(x); (3) For all probabilistic polynomial-time distinguishers, where k ∈ {0,1}^n is chosen uniformly at random and f_n is chosen uniformly at random from the set of permutations on n-bit strings.
The last property implies that the output of Φ_k cannot be distinguished from that of a permutation selected uniformly at random from the set of all permutations on the function's domain, for any value of k. Given the output of a PRP and the output of a truly random function, no polynomial-time algorithm that can distinguish between the two outputs must exist. Formally, a PRP is considered secure if the advantage of any algorithm in distinguishing it from a truly random permutation is negligible.
A pseudo-random permutation family can then be considered as a collection of pseudo-random permutations, where a specific one may be chosen using a key. In the following, we use the term PRP to refer to any pseudo-random permutation family Φ_k. The notion of PRP is a rigorous formalization of the notion of block cipher from applied cryptography. As mentioned in Section 1, the best known and most used way to build secure PRPs is the standardized Luby-Rackoff construction based on Feistel networks. The related definition and security conditions are presented in the following.

Definition 2.
For a function f : {0,1}^n → {0,1}^n, the Feistel function D_f : {0,1}^{2n} → {0,1}^{2n} is defined as follows: (2) where L and R are two n-bit blocks from {0,1}^n.

It is clear from the above definition that the function D_f is invertible and hence defines a bijection. Formally, the inverse D_f^{-1} is defined by the composition φ ∘ D_f ∘ φ, where φ(L, R) = (R, L). However, the function D_f does not define a PRP by itself, since Left(D_f(L, R)) = R for any L and R. To achieve the requirements of a PRP using the Feistel function model, we should use a composition of multiple rounds. Using an m-round Feistel network, the output (L_m, R_m) is defined by the following: The function D_f is iterated m times on the input (L, R) to give the desired output. This construction leads to the definition of an invertible function D_f^{(m)} that can be considered as a PRP if the number of rounds is sufficient. The number of rounds necessary to ensure the security of the constructed PRP is given by the following theorem [4]:

Theorem 1 (Luby-Rackoff).
Three rounds of the Feistel construction, each with a round function drawn independently from a pseudo-random function (PRF) family, yield a weak PRP family. Moreover, four rounds yield a semantically strong PRP family.
We conclude from the above theorem that building a semantically strong and secure PRP using the Feistel construction needs at least four rounds. Another important security condition is that the function f must be a PRF, which is defined as a PRP that is not necessarily invertible. If instead we use a predictable function that can be distinguished from a random one, the resulting construction will be weak and vulnerable to cryptanalysis techniques. In standardized block ciphers, pseudo-random functions are generally built using substitution and permutation boxes (S-boxes and P-boxes).
Using the Feistel construction, many secure and standardized block ciphers have been developed, such as DES, 3DES, Blowfish, Misty and many others. The semantic security of these algorithms is proved and guaranteed by the Luby-Rackoff theorem, even if some simplified versions have been successfully cryptanalysed due to weaknesses in the random behavior of their corresponding round functions (PRFs). In the following sections, we propose a novel RCA-based PRP construction scheme, and we show that it is semantically secure by establishing a conditioned equivalence between the proposed construction and the Feistel network one.
3 Second-order reversible cellular automata preliminaries
A cellular automaton consists of a number of cells arranged in a regular lattice; each cell has its own state, which changes in discrete time steps. The states of all the CA's cells are updated synchronously using a local transition rule that defines each cell's new state from its old state and the states of the corresponding neighbors. Neighbors are a specific selection of cells chosen relative to a given cell's position, and can be defined for each cell using a radius r on the lattice, giving 2r+1 different neighbors including the cell itself. The boundary cells of the lattice are joined together cyclically to deal with finite-size automata. If the same update rule is used for all the cells, then the resulting CA is named uniform. Otherwise, if a different transition rule is used as the cell's position changes, the resulting CA is named non-uniform.
Unlike standard uniform CA models that apply the same transition rule at each lattice position, applying non-uniform transition rules requires changing the rule's value from one lattice position to another according to predetermined conditions (that generally depend on a supplementary feedback of information). Such models relax the normal requirement that all nodes have the same update rule [25], and raise an advanced level of chaotic behavior with higher sensitivity to alterations of the initial configuration.
Formally, denoting the state of cell i at time t by q_i^t, its state at time t+1 (denoted q_i^{t+1}) depends only on the states of the corresponding neighborhood at time t, and is computed by applying a transition rule that defines the way states are updated. If the neighborhood radius is r, and if only two cell states are defined (0 or 1), then the length of each transition rule is equal to 2^{2r+1} bits, and the number of possible rules is equal to 2^{2^{2r+1}}. The transition rule of a one-dimensional binary CA is generally coded using the integer value of the corresponding binary representation, while the different CA configurations are represented by binary blocks.
Unlike elementary cellular automata, RCAs are a specific case of CAs in which every configuration has only one unique predecessor. That is, RCAs are constructed in such a way that the state of each cell prior to an update can be determined uniquely from the updated states of all the cells. Several models are known for constructing cellular automata rules that are reversible. The second-order cellular automaton method introduced in [26], in which the update rule combines states from two previous steps of the automaton, permits turning any one-dimensional binary rule into a reversible one, using the fact that the state of a cell at time t depends not only on its neighborhood at time t−1, but also on its state at time t−2. This is achieved by combining the i-th cell's state at time t with the state of the same cell at time t−2 using the XOR operator.
If we denote the configuration of a given CA at each time step t by C_t, then we can build a second-order RCA using the following equation: (4) where the map F denotes the global transition map of the underlying basic CA. Such a defined RCA can then be reversed trivially using the following equation: (5) The RCAs defined using equation (4) are always reversible even if the basic CA defined by the map F is not, so we can construct as many RCAs as there are existing CAs.
Instead of using one initial configuration like a standard one-dimensional CA, two initial configurations are required to evolve a second-order RCA. Starting from two configurations C_0 and C_1, we obtain after m time steps two configurations C_m and C_{m+1}. By running the RCA backward starting from C_m and C_{m+1} as the initial configurations, we recover the two configurations C_0 and C_1 after exactly m iterations using exactly the same transition rule. Since the reversal is performed using the same transition rule, it exhibits qualitatively the same behaviour as first-order CAs, as pointed out by Wolfram [27]. This makes such RCAs very appropriate for building crypto-systems, where the security of such RCA-based crypto-systems is assured by the impossibility of reconstructing the initial configuration pair from any given pair of consecutive configurations without knowledge of the transition rule used initially.

4 PRPs construction using reversible cellular automata
In the following, we present the proposed construction of PRPs using second-order RCAs. We establish a conditioned equivalence between the second-order RCA scheme and the Feistel construction, then we show that this equivalence does not hold when using uniform transition rules. In contrast, we show that a non-uniform RCA-based model can raise sufficient conditions under which the construction of semantically secure PRPs becomes feasible.

4.1 Equivalence between RCA and Feistel rounds
Let us consider in the following that a second-order RCA is defined by a transition rule T, a global transition map F_T (exclusively defined by T), and a set of possible configurations C_i for 0 ≤ i ≤ m, assuming that each configuration is an n-bit block from {0,1}^n. Let us also consider that (C_i)_j denotes the j-th bit value of the i-th configuration C_i (the j-th cell state). A single iteration of such an RCA on two consecutive configurations C_{i-2} and C_{i-1} gives the next configuration C_i as follows: (6) To obtain a new configuration C_{i+1}, a new iteration should be performed using the two configurations C_i and C_{i-1}: (7) By combining equations (6) and (7), we define the function G_T permitting the derivation of two new successive configurations from two initial ones as follows: Starting from two arbitrary initial configurations C_0 and C_1, a second-order RCA produces any desired number of successive configuration pairs using equation (8). This equation entirely defines two iterations of an RCA using a fixed transition rule T if the RCA is uniform.
By comparing equation (8) with equation (2) from Definition 2, we easily conclude that if the global transition map F_T is a pseudo-random function, then the function G_T is equivalent to two successive rounds of the Feistel function D_{F_T} applied to two consecutive configurations C_{i-2} and C_{i-1}: Equation (9) is a proof of the following lemma, which establishes the equivalence between second-order RCAs and Feistel functions:

Lemma 1.
Any second-order reversible cellular automaton defined by a transition rule T and a global transition map F_T can be constructed using Feistel functions, such that two consecutive RCA iterations are equivalent to two Feistel rounds, if and only if the global transition map F_T is a pseudo-random function.
Figure 2 gives a pictorial illustration of the equivalence described by the above lemma. Note that L_1 and R_1 are temporary configurations, used for intermediate computation.
It results from this equivalence that all security results obtained for the Feistel construction can be used to deduce equivalent ones for the RCA construction. The main consequence derived by combining the result of Lemma 1 with the Luby-Rackoff theorem is formulated by the following lemma:

Lemma 2.
Four iterations of a second-order RCA-based construction, each with a global transition map F_T, yield a semantically strong PRP family, if and only if F_T is a pseudo-random function.
The sufficient and necessary condition of equivalence drawn from Lemma 1 is that the global transition map F_T be a pseudo-random function for any possible transition rule T. We show in the following that this condition does not hold for a uniform second-order RCA, since the global transition map F_T is not a PRF in this case.
Let us consider a uniform second-order RCA using a transition rule T with radius r, where T is selected randomly from {0,1}^N and N = 2^{2^{2r+1}}. According to the uniform second-order RCA scheme [25], the global transition map F_T produces a new configuration C_{i+1} using the transition rule T, and determines each bit (C_{i+1})_j according to its corresponding neighborhood in the configuration C_i. The value of this j-th bit is exactly equal to the bit of rule T at position p_j, defined by the binary representation of the neighborhood. Since the neighborhood of any selected bit (C_i)_j is given by the binary configuration of its 2r+1 neighboring cells, the position p_j is computed by: It is clear that any given configuration C_i that has all bits equal (all zeros or all ones) always gives the same neighborhood value at every bit position. So the produced configuration F_T(C_i) has all bit values identical, whatever the transition rule T used. If we denote by 0^n and 1^n the two n-bit configurations that have all bit positions at 0 or 1 respectively, the produced configuration F_T(C_i) can have only two possible values, F_T(C_i) = 0^n or F_T(C_i) = 1^n, depending on the rule's bit value at the position computed from the two possible neighborhoods 0^{2r+1} or 1^{2r+1}. We deduce that the global transition map F_T cannot be considered as a PRF by itself, since F_T(0^n) and F_T(1^n) can have only the two possible values 0^n or 1^n whatever the transition rule, which is extremely rarely the case for a truly random PRF. According to Lemma 2, we conclude that a uniform RCA-based PRP scheme cannot be semantically secure. However, we show in the next section that a construction using a non-uniform RCA permits turning the global transition map F_T into a PRF, making the RCA-based PRP model totally equivalent to the Feistel one, and as a result semantically secure.

4.2 Semantically secure RCA-based PRP construction
When using a non-uniform second-order RCA, the transition rule can change from one bit position of the configuration to another. It has been shown in previous works [27,28] that this class of cellular automata exhibits more complex and chaotic evolution behavior than the standard uniform model, and is consequently more suitable for cryptographic applications. The reversibility of the non-uniform model is always guaranteed by the second-order composition principle, and only the global transition map F_S is affected by the introduced non-uniformity.
Let us consider a second-order RCA defined by a set S = {T_1, T_2, ..., T_n} of n different radius-r transition rules, with a global transition map F_S (exclusively defined by the set S), and a set of possible configurations C_i. Using this model, the computation of a new configuration C_{i+1} from the two prior ones C_{i-1} and C_i is performed similarly to equation (7), while the global transition map F_S operates differently from the uniform model: to compute the j-th bit value (F_S(C_i))_j corresponding to the bit (C_i)_j at the j-th position of the configuration C_i, the global transition map F_S applies the position's corresponding transition rule T_j from S to the corresponding neighbourhood extracted from the configuration C_i, which is uniquely defined by the binary sequence of its 2r+1 neighboring cells. The value of (F_S(C_i))_j is exactly equal to the bit extracted from the rule T_j at the neighbourhood-dependent position p_j defined by equation (10). So the bits of the new configuration C_{i+1} are computed as follows:

Let us show in the following that such a global transition map F_S is a pseudo-random function. By definition, a function is considered pseudo-random if its output cannot be distinguished from that of a random function. If the global transition map F_S is a PRF, then for any produced configuration F_S(C_i), each bit value at each position can be either 0 or 1 with the same probability 1/2 (which is the definition of a binary string chosen at random according to a uniform distribution). Hence, we must show that Pr{(F_S(C_i))_j = 0} = Pr{(F_S(C_i))_j = 1} = 1/2 for all 0 ≤ j ≤ n and for any configuration C_i. In order to show that this property is verified, we first show that for any configuration C_i, two bits selected at two different positions j and j' are equal with probability 1/2.

When using a uniform model of second-order RCA, the bit distribution of (F_S(C_i))_j reflects exactly the distribution of the p_j values computed from the set of corresponding neighborhoods extracted from C_i. So the probability Pr{(F_S(C_i))_j = (F_S(C_i))_{j'}} for two different positions j and j' is equal to the probability Pr{p_j = p_{j'}}, since the same unique rule is always used. As a result, if we choose a configuration C_i that has the same bit value in all positions, we get the same neighborhood at each position j and we obtain the following, for all 0 ≤ j ≤ n, 0 ≤ j' ≤ n and j ≠ j': Equation (12) is the proof that uniform transition maps are not pseudo-random functions. However, in the case of non-uniform transition rules, since a different rule is used each time the position changes, we deduce the following, for all 0 ≤ j ≤ n, 0 ≤ j' ≤ n and j ≠ j':

Pr{(F_S(C_i))_j = (F_S(C_i))_{j'}}
  = Pr{(p_j = p_{j'}) and ((T_j)_{p_j} = (T_{j'})_{p_{j'}})} + Pr{(p_j ≠ p_{j'}) and ((T_j)_{p_j} = (T_{j'})_{p_{j'}})}
  = Pr{(T_j)_{p_j} = (T_{j'})_{p_{j'}}}.   (13)

Equation (13) is justified by the fact that (F_S(C_i))_j and (F_S(C_i))_{j'} are equal in two cases: either the corresponding neighborhoods from C_i are identical and the two rules T_j and T_{j'} have the same bit value at positions p_j and p_{j'}, or the two neighborhoods are different but the two rules T_j and T_{j'} happen to have the same bit value at the two different positions p_j and p_{j'} respectively. We note that even if a configuration C_i has the same bit value in all positions (C_i equal to 0^n or 1^n), so that all neighborhoods are identical (Pr{p_j = p_{j'}} = 1), the probability that (F_S(C_i))_j and (F_S(C_i))_{j'} are equal is independent of the neighborhood values and of the corresponding positions p_j and p_{j'}.

Since the rules T_j are selected randomly, the probability that the cell at any position p_j equals zero or one is 1/2. So the probability that two different positions p_j and p_{j'} from two different rules T_j and T_{j'} are equal can be computed as follows, for all 0 ≤ j ≤ n, 0 ≤ j' ≤ n and j ≠ j':

Pr{(T_j)_{p_j} = (T_{j'})_{p_{j'}}}
  = Pr{((T_j)_{p_j} = 0) and ((T_{j'})_{p_{j'}} = 0)} + Pr{((T_j)_{p_j} = 1) and ((T_{j'})_{p_{j'}} = 1)}
  = Pr{(T_j)_{p_j} = 0} · Pr{(T_{j'})_{p_{j'}} = 0} + Pr{(T_j)_{p_j} = 1} · Pr{(T_{j'})_{p_{j'}} = 1}.   (14)

By combining equations (13) and (14), we conclude that for any produced configuration C_i, two random bit positions are equal with probability 1/2, for all i, all 0 ≤ j ≤ n, 0 ≤ j' ≤ n and j ≠ j': Let us suppose that Pr{(F_S(C_i))_j = 0} = α for all 0 ≤ j ≤ n, and then show that α is equal to 1/2. If we consider the following: then, by combining equation (17) and equation (16), we conclude that: As a result, equation (16) is always verified. Consequently, the global transition map F_S is a pseudo-random function. According to equation (16), the output of F_S is indistinguishable from a randomly selected bit string, even when the configuration C_i is equal to 0^n or 1^n. Now, since F_S is shown to be a pseudo-random function, and using the results of Lemma 1 and Lemma 2, we conclude the following theorem about the security of the non-uniform RCA-based PRP construction model:

Theorem 2.
A non-uniform second-order RCA defined by a set of randomly selected transition rules S = {T_1, T_2, ..., T_n} and a global transition map F_S is equivalent to a Feistel construction, such that two iterations of such an RCA are equivalent to two Feistel rounds. A construction with four non-uniform RCA iterations, each with a global transition map F_S, yields a semantically strong PRP family.
The above theorem defines a novel PRP construction scheme using non-uniform RCAs, and establishes the corresponding security conditions. In the following section, we propose the construction of a symmetric block cipher using this scheme, which is as a result semantically secure. Several statistical experiments are also performed on the proposed scheme to show its robustness and efficacy with respect to some popular ones.

5 Cryptographic application of the proposed PRP construction
In the following, we use the proposed non-uniform RCA-based PRP construction to build a symmetric block cipher. The cipher uses a 128-bit secret key K selected randomly from {0,1}^128 to encipher a 128-bit plain-block PB into a ciphered one CB. Even if only four iterations are sufficient to achieve semantic security according to Theorem 2, we use sixteen successive iterations (equivalent to sixteen Feistel rounds) to ensure further robustness of the designed block cipher.

5.1 Details of the proposed block cipher
According to the proposed non-uniform RCA-based PRP construction, enciphering plain-blocks of size 2n requires a set S of n randomly selected rules to build the global transition map F_S. Furthermore, the global transition map F_S should change from one ciphering iteration to another in order to ensure the strong security of the cipher. To achieve these requirements, a key scheduling mechanism is used to derive sub-keys for the different iterations (rounds), such that each iteration i for 1 ≤ i ≤ 16 uses a different sub-key K_i. At each iteration, the rule set S is constructed from the corresponding secret sub-key K_i using a pseudo-random number generation scheme that is not necessarily secure, since the security of the proposed block cipher relies only on the random distribution of the rules, not on the unpredictability of their sequence.
In the present work, we used transition rules with radius r = 3, so each rule is a 128-bit random block from {0,1}^128. During the i-th iteration, the secret sub-key K_i is used to produce 64 different transition rules T_1, T_2, ..., T_64 by means of a very simple and fast mechanism: each rule T_j is equal to a left-cyclic rotation of K_i by j positions. The rules produced this way are randomly distributed in {0,1}^128, so they meet the security requirements of the proposed construction. Note that any other key expansion scheme can be used to perform the rule derivation process if it ensures a random distribution; the only motivation for the one used here is speed and simplicity.
The set of sub-keys K_i for 1 ≤ i ≤ 16 can be generated using any key scheduling mechanism similar to those used by several block ciphers, and it is sufficient that a non-linear relation exists between the derived sub-keys. In the proposed block cipher, the sub-keys are generated with an elementary cellular automaton that uses rule 30, which has good random-like behavior according to the results obtained by Wolfram [15]. The key K is used as the initial configuration, and the consecutive configurations obtained by applying rule 30 with cyclic boundary conditions are used as the sub-keys K_i.
Figure 3 gives a pictorial description of the proposed block cipher with its different components. The deciphering scheme acts exactly like the enciphering one, except that the sub-keys are used in reverse order: if the sub-keys K_1, K_2, ..., K_16 are used for iterations 1, 2, ..., 16 of encryption, then the sequence K_16, K_15, ..., K_1 is used for iterations 1, 2, ..., 16 of decryption.
The proposed block cipher is semantically secure according to the theoretical results reported above. Moreover, we performed an experimental analysis in terms of speed and security. The different experimental results are presented in what follows.

5.2 Experimental security analysis and results
A secure block cipher has to ensure a certain number of statistical properties related to its robustness against common cryptanalysis techniques such as linear and differential ones. Non-linearity is one such required property which, like randomness, does not have a complete, unique definition, but can be measured in a number of ways. We achieve a good approximation of this property by measuring a very specific mathematical property named the avalanche effect [29]. This property tries, to some extent, to reflect the intuitive idea of high non-linearity: a very small difference in the input always produces large changes in the output, hence an avalanche of changes. Mathematically, let us consider the block cipher as a function (that is, a pseudo-random permutation) Ψ_K : {0,1}^m × {0,1}^n → {0,1}^n, with m the length of the key and n the length of plain-blocks. The function Ψ_K has the avalanche effect if the following is satisfied: (18) where H denotes the Hamming distance between two n-bit blocks. According to equation (19), a minimal random input change (one single bit) should produce, on average, a maximal output change (half of the bits). This definition also reflects the general concept of independence between input and output. An ideal Ψ_K would define a perfect random function and then have a perfect avalanche effect. Another more accurate and demanding non-linearity measurement is the so-called strict avalanche criterion [29] which, in particular, implies the avalanche effect, and is described mathematically by: where B(1/2, n) denotes a binomial distribution with parameters 1/2 and n. A block cipher defined by a function Ψ_K satisfies the strict avalanche criterion if the bit difference between two ciphered blocks corresponding to two plain-blocks that differ in only one bit follows a binomial distribution B(1/2, n).
This can be verified by measuring the proximity between the theoretical binomial distribution and the experimental distribution computed for the block cipher using a sufficiently large sample set. Such a measurement can be easily performed using χ^2 goodness-of-fit tests.
In order to compute the experimental distribution of H(Ψ_K(x), Ψ_K(y)) corresponding to the proposed block cipher, we use a set of 10^5 randomly generated plain-blocks P_i with a set of 10^5 randomly generated secret keys K_i. For each pair (P_i, K_i), we first encipher P_i using K_i, then we flip each one of the 128 bits of the plain-block to obtain P'_i and encipher again to compute the Hamming distance H(Ψ_K(P_i), Ψ_K(P'_i)). The set of Hamming distances obtained for all the samples is used to build an array D of 128 values, such that each value D[i] represents the number of obtained Hamming distances that are equal to i. By dividing the elements of this array by the total number of experiment samples, equal to 10^5 · 10^5 · 128 = 128 · 10^{10}, we finally obtain the desired experimental distribution. The chi-square test is performed by computing the χ^2 value: where O_i is the obtained experimental value of the distance and E_i is the theoretically expected one.
Using the probability α = 0.01 as critical threshold, the hypothesis of equivalence between the two distributions is accepted if the χ² value is less than the quantile χ²_{127, 0.01} = 166.99. After several experiments, the computed averaged χ² value is equal to 0.0023, which is negligible with respect to the quantile value. Hence the null hypothesis is accepted, and the Hamming distribution of the proposed block cipher follows a binomial distribution B(1/2, 128). As a result, the block cipher satisfies the strict avalanche criterion. Table 1 lists the different χ² values obtained when experimenting with some standard popular 128-bit block ciphers using the procedure described above.
Figure 4 illustrates a plot of the obtained experimental distribution compared to the theoretical curve of the binomial B(1/2, 128), and to those of the other experimented block ciphers.
In order to check the sensitivity of the proposed block cipher to small secret key variations, the experimental procedure described above is also performed using a set of randomly selected keys K_i, while the distribution of the output's Hamming distances with respect to elementary key-bit flipping is computed. Such a distribution is expected to be binomial B(1/2, 128) if the block cipher is highly sensitive to secret key variations. Using the chi-square test, we show that the proposed block cipher satisfies the avalanche criterion with respect to elementary key variations. Results of key sensitivity testing are listed in Table 1, while Figure 5 illustrates the plot of the corresponding experimental distribution. The results of Table 1 show that the proposed cipher provides good sensitivity to variations of both plain-blocks and secret key. While the strict avalanche criterion is not a sufficient security condition, it is however a necessary one that ensures robustness against differential and linear cryptanalysis methods. We acknowledge that the proposed approach has to be submitted to further cryptanalysis techniques, which is the work we are planning as a perspective.

Table 2. Encryption speed performance results in comparison with popular block ciphers [30].
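The strict avalanche procedure described above (flip every plain-block bit, then every key bit, build the histogram D of Hamming distances, and run a χ² goodness-of-fit test against B(1/2, 128) at α = 0.01) is implemented below as an added example; it is not code from the paper. The paper's cellular-automata cipher is not reproduced here, so the cipher under test is pluggable: a SHA-256 keyed stand-in plays the role of an ideal Ψ_K, and a deliberately weak XOR cipher shows what a failing test looks like. A 128-bit key is assumed for the key-sensitivity run. Far-tail bins whose expected count is below 5 are pooled before the χ² sum, which is the standard remedy for the (O_i − E_i)²/E_i terms becoming meaningless when E_i is astronomically small; the degrees of freedom therefore follow from the pooled bin count rather than being fixed at 127, and the critical value is obtained from the Wilson-Hilferty approximation (which reproduces the paper's 166.99 for 127 degrees of freedom).

```python
"""Strict avalanche criterion (SAC) check: chi-square test against B(1/2, 128).

Added example, not the paper's code. The cipher under test is a callable
(key, plain_block) -> cipher_block; two constructed sample ciphers are provided.
"""
import hashlib
import math
import random
from typing import Callable, Dict, List, Tuple

BLOCK_BITS = 128                           # n: plain-block length in bits, as in the paper
KEY_BITS = 128                             # assumed key length for the key-sensitivity run
Cipher = Callable[[bytes, bytes], bytes]   # (key, plain_block) -> cipher_block


def hamming(a: bytes, b: bytes) -> int:
    """Hamming distance H between two equal-length byte strings."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def flip_bit(data: bytes, i: int) -> bytes:
    """Copy of `data` with bit i (0 = least significant) inverted."""
    return (int.from_bytes(data, "big") ^ (1 << i)).to_bytes(len(data), "big")


def stand_in_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for an ideal Psi_K: SHA-256(key || block) truncated to 128 bits.
    A random-looking keyed function, not a permutation and not the paper's cipher."""
    return hashlib.sha256(key + block).digest()[:BLOCK_BITS // 8]


def weak_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed counter-example: plain XOR with the key. One flipped input bit
    flips exactly one output bit, so H is always 1 and the SAC must fail."""
    return bytes(k ^ p for k, p in zip(key, block))


def distance_histogram(cipher: Cipher, samples: int, seed: int = 0,
                       flip: str = "plaintext") -> List[int]:
    """The paper's array D: D[i] = number of observed Hamming distances equal to i.
    flip="plaintext" inverts each plain-block bit; flip="key" inverts each key bit."""
    rng = random.Random(seed)               # seeded so runs are reproducible
    counts = [0] * (BLOCK_BITS + 1)
    nbits = BLOCK_BITS if flip == "plaintext" else KEY_BITS
    for _ in range(samples):
        key = rng.getrandbits(KEY_BITS).to_bytes(KEY_BITS // 8, "big")
        block = rng.getrandbits(BLOCK_BITS).to_bytes(BLOCK_BITS // 8, "big")
        reference = cipher(key, block)
        for i in range(nbits):
            if flip == "plaintext":
                modified = cipher(key, flip_bit(block, i))
            else:
                modified = cipher(flip_bit(key, i), block)
            counts[hamming(reference, modified)] += 1
    return counts


def chi_square_vs_binomial(counts: List[int], min_expected: float = 5.0) -> Tuple[float, int]:
    """Pearson chi-square of observed counts against B(1/2, n).
    Tail bins with expected count < min_expected are pooled into one low and one
    high bin. Returns (chi2, degrees_of_freedom = pooled bins - 1)."""
    n = len(counts) - 1
    total = sum(counts)
    expected = [total * math.comb(n, i) / 2 ** n for i in range(n + 1)]
    keep = [i for i in range(n + 1) if expected[i] >= min_expected]
    if len(keep) < 2:
        raise ValueError("too few samples for a meaningful chi-square test")
    lo, hi = keep[0], keep[-1]
    obs = [sum(counts[:lo + 1])] + counts[lo + 1:hi] + [sum(counts[hi:])]
    exp = [sum(expected[:lo + 1])] + expected[lo + 1:hi] + [sum(expected[hi:])]
    chi2 = sum((o - e) ** 2 / e for o, e in zip(obs, exp))
    return chi2, len(obs) - 1


def chi_square_quantile(df: int, z: float = 2.3263) -> float:
    """Upper-tail chi-square critical value via the Wilson-Hilferty approximation.
    z = 2.3263 is the standard-normal 0.99 point, i.e. alpha = 0.01 as in the paper;
    df = 127 gives about 166.99, the critical value quoted in the text."""
    t = 1.0 - 2.0 / (9.0 * df) + z * math.sqrt(2.0 / (9.0 * df))
    return df * t ** 3


def sac_test(cipher: Cipher, samples: int = 2000, seed: int = 1,
             flip: str = "plaintext") -> Dict[str, float]:
    """Run the full procedure and report chi2, df, the critical value and the verdict."""
    counts = distance_histogram(cipher, samples, seed, flip)
    chi2, df = chi_square_vs_binomial(counts)
    threshold = chi_square_quantile(df)
    return {"chi2": chi2, "df": df, "threshold": threshold, "passes": chi2 < threshold}


if __name__ == "__main__":
    for name, c in (("SHA-256 stand-in", stand_in_cipher), ("XOR weak cipher", weak_cipher)):
        for mode in ("plaintext", "key"):
            r = sac_test(c, samples=500, flip=mode)
            print(f"{name:17s} {mode:9s} chi2={r['chi2']:.2f} df={r['df']} "
                  f"critical={r['threshold']:.2f} SAC={'ok' if r['passes'] else 'FAIL'}")
```

The stand-in passes both the plain-block and the key-flip runs with a χ² near its degrees of freedom, while the XOR cipher piles every observation into the pooled low bin and fails by orders of magnitude. A value as small as the paper's 0.0023 cannot arise from Pearson's statistic on raw counts (its expectation under the null equals the degrees of freedom), so that figure must have been computed on normalised frequencies; comparing it against the count-based quantile 166.99 is therefore not an apples-to-apples test, and anyone reproducing Table 1 should state which normalisation they used.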

Speed Analysis and comparison
The proposed construction can be implemented easily and efficiently in both hardware and software. Even if the inherent parallelism of CAs is more suitable for hardware, we have realized a very fast and compact software implementation of the proposed block cipher using pure assembly and the MMX instruction set, permitting the use of 128-bit CPU registers. The simple key mixing and rule derivation schemes described in section 5.1 are favourable to a fast implementation with a reduced number of instructions, permitting high encryption/decryption rates. Table 2 summarizes the performance results obtained for the proposed block cipher in comparison with some popular ones as implemented in the Crypto++ 5.6.0 Benchmarks [30].
It is clear that the proposed approach provides very high performance with respect to the others, due to the parallel nature of CAs and to the optimality of the designed model with respect to assembly MMX instructions.

6 Conclusions
In this work, we propose a PRP construction model using reversible second-order cellular automata. Using results from the Feistel network construction, we show that the proposed construction is semantically secure if non-uniform transition rules are used. Based on this construction, a simple and fast semantically secure block cipher is proposed and benchmarked with respect to the strict avalanche criterion. The obtained results show that the block cipher is highly sensitive to small variations of both plain blocks and secret key, since the corresponding distribution of variations, computed using the Hamming distance, follows a binomial distribution B(1/2, 128). When compared to popular ciphers, the performance analysis reveals that the proposed one achieves high and competitive encryption/decryption rates with equivalent security requirements. The main contribution of this work is the establishment of a possible theoretic framework for study,

Figure 1. Pictorial representation of the Feistel function D_f construction.

Figure 3. Pictorial description of the proposed block cipher.