1. Introduction

The stream cipher belongs to the symmetric cryptosystem in modern cryptography. It is close to the “one-time pad” (OTP) cryptosystem. In theory, Shannon proved that the OTP is absolutely secure in 1949 [1]. However, a keystream with the same length as the plaintext should be transmitted through a secure channel in the OTP. It is unpractical and wasteful in general. Moreover, the key management of the OTP is difficult. Hence, the stream cipher has gradually been used as a substitute for the OTP [2]. The core of a stream cipher is the keystream generator. A secret key with an acceptable length is employed as the input of the keystream generator to generate a keystream. Meanwhile, the keystream generated by a qualified stream cipher is difficult to be distinguished from a real random sequence. It means that the keystream should be provided with good pseudo-randomness, including long period, high linear complexity, uniform statistical property, etc. [3] Accordingly, the stream cipher possesses many advantages, such as offering good security and being lightweight and efficient. It is widely used in secret communication, especially in the military, government, etc. [4]. Thus, it is meaningful to design a qualified stream cipher.

The traditional stream cipher is based on the linear feedback shift register (LFSR). The sequence with the longest period generated by the LFSR is the m-sequence, which possesses good statistical properties [5]. However, the period of the m-sequence is limited by the series and taps of the LFSR. Meanwhile, the state values and structure of the LFSR are easily recovered by the Berlekamp–Massey (B–M) synthesis. Hence, the security of the stream cipher based on the LFSR is weak. It cannot be used in building a stream cipher directly. Subsequently, many improvement schemes consisting of the driving part (LFSR) and the nonlinear part were proposed [6]. The keystream generators of the stream cipher based on this structure can be divided into three kinds according to the nonlinear part: nonlinear-combiner generator [7], such as E0 used in Bluetooth [8]; nonlinear-filter generator [9], for example, ISO/IEC international standard stream cipher SNOW 2.0 [10]; clock-controlled generator [11], for instance, the stream cipher A5/1 [12]. The above schemes utilize the nonlinear part to break or cover up the linearity of the LFSR. Accordingly, the resistance of these improved stream ciphers for the linear analysis is enhanced, especially the analysis based on the B–M synthesis. Nevertheless, cryptanalysis is also developed with the improvement of the stream cipher. Din et al. proposed a novel cryptanalysis based on binary particle swarm optimization (BPSO) and the divide-and-conquer approach. It reduces the number of exhaust searches significantly. They also successfully acquired the initial states of the LFSR in the Geffe generator based on the nonlinear combiner [13]. As for the nonlinear-filter generator, the generalized filter state guessing attacks (GFSGAs) were designed by Hodzic [14]. This method can recover the secret states in the filter and LFSR effectively. Cao et al. proposed a straightforward guess-and-determine attack (SGDA) based on a genetic algorithm. This method can reduce the time consumption of attacks to the small-scale SNOW2.0 [15]. Moreover, the guess-and-determine analysis [16] and algebraic attack [17] also apply to the stream cipher based on the clock-controlled generator. Thus, although the stream ciphers based on the LFSR and nonlinear part are easily implemented, and possess good statistical properties, lots of cryptanalyses are proposed to recover the internal states in the LFSR because the LFSR is a mature technology that can be regarded as the Boolean function. Meanwhile, the Boolean function’s correlation and algebraic immunity were proposed to estimate the resistance of the stream cipher for the correlation and algebraic attack [18]. Hence, they can be used not only for designing the stream cipher based on the LFSR but also to crack the stream cipher [2].

Currently, the stream ciphers without the LFSR sprang up. This kind of stream ciphers can be available against the traditional cryptanalysis for the LFSR. The stream cipher Trivium is based on three nonlinear feedback shift registers (NFSRs) [19]. The linear cryptanalysis is difficult to break the Trivium. However, some novel methods, such as guess-and-determine attacks (GDAs) [15] and cube attacks [20], can easily acquire the internal states of the NFSR or distinguish the keystream generated by the NFSR from the true random sequence. Moreover, the stream cipher Espresso for 5G wireless communication systems is also based on the NFSR [21]. Subsequently, Sinha [22] reduces the complexities of the time–memory–data tradeoff (TMDTO) attack for Espresso based on the conditional BSW-sampling resistance of Espresso. The stream cipher based on the mode of block cipher was also proposed by the researchers, such as the ciphertext feedback (CFB) [23] mode and output feedback (OFB) mode [24]. The security of the block cipher in this stream cipher can be proved theoretically. However, the time and space consumption of it is too much. In addition, the widely used stream cipher RC4 is based on the state table driver and permutation. Klein has proved that RC4 possesses a secure flaw [25]. Hence, lots of improved stream ciphers based on RC4 are proposed [26,27], such as combining with chaotic mapping or other ciphers. However, the inherent security flaw always exists in RC4 [28]. In general, the emergence of the novel attacks, such as GDA, TMDTO, deep learning [29], etc., creates enormous challenges for the stream cipher. Accordingly, a more secure and efficient stream cipher is urgently needed.

The elementary cellular automaton (ECA) is the simplest cellular automaton (CA), which was proposed by Stanislaw M. Ulam et al. in 1948 [30]. The ECA with the chaotic transition rule can be considered a nonlinear dynamical system [31]. It possesses some special properties, including long periods, parallel computing, etc. Thus, the ECA is widely utilized to build a random number generator [32,33,34]. However, the period of the ECA is limited by the number of cells. Meanwhile, the randomness of the sequences generated by the ECA directly is unqualified. It cannot pass the randomness test proposed by the National Institute of Standards and Technology (NIST) [35]. In addition, the diffusion of the ECA is weak. Hence, relatively few studies use the ECA to construct the stream cipher. Although the stream ciphers combining the chaotic system and CA are proposed [36,37], the keystream is generated by the chaotic system, not the ECA. The computation complexity of these schemes increases significantly because of the nonlinearity in the chaotic system.

Our previous work also proposed a stream cipher based on the spatiotemporal chaotic system and ECA [38]. However, in this scheme, the ECA is only utilized to provide perturbation and is used in coupling. Moreover, only one ECA with a certain chaotic rule is employed in this scheme, and the period is limited. Subsequently, we design a hybrid ECA (HECA) with two different chaotic rules in image encryption [39], which consists of two different ECAs in series. The period is extended significantly in the HECA, but the number of cells always limits its period. The HECA is also only used in perturbation and coupling. The keystream is not generated by the HECA directly because the randomness of the sequences generated by it is weak.

Based on the above research, we designed a novel structure based on the HECA, the HECA with dynamic mask (HECA-M), which means that the mask can effectually hide the ECA’s iteration patterns of the driving part and change with the iteration of the ECA. Then, we combined the HECA-M with the HASH function to construct a stream cipher. Our main contributions in this paper are listed as follows:

Firstly, the HECA-M consisting of the driving and mask part is designed. The driving part includes two ECAs with different chaotic rules, r1 and r0, and the mask part is a chaotic ECA with the rule rm. It should be emphasized that r1, r0, and rm belong to the global chaotic rules, and the total number is 34. The choice of the cell’s transition rule (r1 or r0) in the driving part is determined by the state value of the cell at the same position in the mask part. The HECA-Ms with different rule groups (r1, r0, and rm) exhibit different dynamical properties. Hence, the information entropy (IE), a powerful tool in information theory that quantifies the uncertainty or information content of a system, is introduced to analyze the HECA-Ms with different group rules, the number of which reaches 34 × 34 × 34 (39304). Then, we select 17 rule groups with outstanding IE and statistical properties from them to establish the look-up table (LUT).

Secondly, a novel stream cipher based on HECA-M and the HASH function is proposed in this paper. Moreover, a buffer used for controlling the output of the keystream is also included in the proposed stream cipher. A secret key called seed and a constant binary vector IV are used as the input of the stream cipher. The SHA-512 belonging to the provable secure HASH function is chosen for acquiring the initial value of the HECA-M from the input. The existence of IV and the HASH function can avoid the weak key effectively. Meanwhile, good diffusion can be provided by the SHA-512. Furthermore, the Hamming weight of the input is utilized to choose the rule group for the HECA-M from LUT, enhancing the stream cipher’s security. Then, the original keystream is generated by the iteration of the HECA-M. The buffer related to the initial value of the HECA-M determines the initially removed iteration and the final keystream generated by the cells with odd or even indexes. This design can hide the initial state values of the HECA-M and resist the GDA.

Lastly, plenty of statistics and secure analyses are introduced in this paper. The NIST test estimates the randomness and other statistical properties of the keystream generated by the proposed stream cipher. The traditional cryptanalyses, such as B–M synthesis, distinguishing attack, and correlation analysis, are included in this paper. In addition to the conventional cryptanalyses, some novel attacks to the proposed stream cipher are discussed thoroughly, including time–memory–data tradeoff and guess-and-determine attacks. The results show that the proposed stream cipher possesses good randomness and can resist the abovementioned cryptanalyses.

The remaining part of this paper is organized as follows. Section 2 introduces preliminary knowledge about the ECA and HECA. The HECA-M and its properties are presented in Section 3. Subsequently, the proposed stream cipher based on the HECA-M and SHA-512 is described in Section 4. Meanwhile, the statistical and secure analyses of the proposed stream cipher are also listed in Section 4. Finally, the conclusion is drawn in Section 5.

2. Preliminaries

2.1. Elementary Cellular Automaton

The cellular automaton (CA) proposed by Stanislaw M. Ulam and John von Neumann in 1948 [30,37] was originally employed to depict the self-reproduction of a bio-system. A CA consists of four parts: cell, cell space, cell neighbor, and cell rule. The mathematical expression of it is given as follows:

(1)$CA=(A^N,\Sigma ,f,E),$

(2)$S_i^{t+1}=f_r(S_{i-1}^t,S_i^t,S_{i+1}^t),$

There are 256 rules classified into null rules, fixed-point rules, periodic rules, locally chaotic rules, and global chaotic rules [40,42]. Moreover, the global chaotic rules with a long period are listed in Table 2.

In Table 2, those inside the parenthesis are rules equivalent to the representative rule. For example, we assign the number of cells l = 200 and the iterations n = 200. The iterative results of ECAs with rules No. 126 and No. 129 are shown in Figure 1.

The X-axis and Y-axis represent the indexes of cells and counts of iterations in Figure 1, respectively. The status values between Figure 1a,b are mutually inverse. Additionally, the sequence generated by any cell is a long cycle [38].

2.2. Hybrid ECA

Although the chaotic ECA possesses a long period, the period is still limited and cannot meet the requirement of pseudo-randomness. Thus, we designed the hybrid ECA (HECA) in our previous work [39]. The HECA consists of two ECAs with different rules. The structure of a HECA is shown in Figure 2.

In Figure 2, l indicates the total number of cells in the HECA. According to the analysis in Ref. [39], the period of the HECA with this structure is prolonged effectively. However, it is always below 2^l. Moreover, the randomness of sequences generated by the HECA is poor and cannot pass the test of NIST [35]. Thus, it is unable to construct a stream cipher directly.

3. HECA with Dynamic Mask and Its Properties

3.1. Introduction of the Novel HECA with Dynamic Mask

The proposed HECA with dynamic mask (HECA-M) consists of the driving and mask parts. The driving part is based on the HECA, and the mask part is essentially an ECA with global chaotic rules. The rule of cell ith in the driving part is determined by the status value of cell ith in the mask part. Furthermore, the cell rule in the driving part is changed with the iteration of the mask part, and this process is dynamic. The status values of the driving part are the output of the HECA-M. The structure of the HECA-M is shown in Figure 3.

In Figure 3, the mask is iterated under the cell rule rm, which is a constant. The cell rule rd in the driving part is changed with the status value of the cell in the mask. As for cell C_i in the driving part, the index d of the cell rule is determined by the status value of cell C_i in the mask. Furthermore, the mathematical expression of the iterative process in the driving part is shown in Equation (3).

(3)$x_i^{t+1}=(f_{r1}(x_{i-1}^t,x_i^t,x_{i+1}^t)•f_{rm}(y_{i-1}^t,y_i^t,y_{i+1}^t))\oplus (f_{r0}(x_{i-1}^t,x_i^t,x_{i+1}^t)•\overline{f_{rm}(y_{i-1}^t,y_i^t,y_{i+1}^t)}),$

Abstractly, the longest periods of the driving and mask part are both related to the number of cells l in each other. The theoretically longest period of the HECA or ECA reaches 2^l. Thus, the longest period of HECA-M can reach 2^2l in theory, which is 2^l times as long as the HECA’s or ECA’s. In conclusion, the period is further prolonged in the HECA-M.

3.2. Properties Analyses of the HECA-M

The randomness of the sequence generated by the HECA-M is a significant property determining the security of the stream cipher. However, we found that not all HECA-Ms under a certain rule group (rm, r0, r1) can meet randomness requirements. Moreover, the number of cells in the HECA-M is crucial for the period. Meanwhile, it is also related to the randomness of the sequence generated by the HECA-M. In order to find the rule groups under which the HECA-M possesses good randomness, the information entropy (IE) is introduced to analyze sequences generated by HECA-Ms with different rule groups and the number of cells. The status values of eight cells in the middle position in the driving part are regarded as binary numbers with eight bits chosen as the outputs of the HECA-M. Thus, the ideal IE of these outputs is eight. Furthermore, the closer to eight the IE is, the better uncertainty the outputs possess.

We assign the number of cells to 100 in the driving or mask parts. Two binary numbers with 100 bits generated randomly are utilized to initialize the HECA-M. Moreover, we select three global chaotic rules from Table 3 to compose the rule group. Thus, there are 39,304 (34 × 34 × 34) groups. The IEs of each rule group are shown in Figure 4.

In Figure 4, the titles of each subfigure denote the rules of the mask part rm. The X-axis and Y-axis indicate the index of r1 and r0 in Table 3, respectively. The Z-axis represents the IE under a certainty rule group (rm, r1, r0). Moreover, the red points in Figure 4 are the highest IEs in each subfigure, and the corresponding rule groups are listed in Table 4.

In Table 4, not all IEs of the sequences generated by the HECA-Ms with these rule groups are close to the ideal value 8. Furthermore, the HECA-Ms under these rule groups with different numbers of cells are analyzed using IE. The results are shown in Figure 5.

In Figure 5, the title of each figure denotes the rule groups of this HECA-M. The X-axis represents the number of cells, also called the length of the cell space, in the mask part or driving part. The Y-axis indicates the IEs of sequences generated by the HECA-M with different lengths under a certain rule group. According to Figure 5, it is easy to know that the results of HECA-Ms under the rule groups (18,60,105), (183,105,60), (146,102,105), and (182,105,60) are sensitive to the length of the cell space, even though the length reaches 1000. Moreover, the IEs of HECA-M with rule groups (151,135,169), (102,75,149), and (153,86,151) are farther from the ideal value 8 than others. The uncertainty of sequences generated by these HECA-Ms under the above seven rule groups is unstable and defective. Thus, we select HECA-Ms under chaotic rule groups except these seven to construct the stream cipher as shown in LUT (Table 5).

4. Stream Cipher Based on HECA-M

4.1. Description of Proposed Stream Cipher

The proposed stream cipher consists of a HECA-M, a HASH function (SHA-512 algorithm), and a buffer with the output controller. The HASH function is utilized to initialize the status value of HECA-M, including the driving part, the mask part, and the rule groups. The HECA-M is operated to generate the original keystream. Meanwhile, the length of the cell space in this HECA-M is 256. A constant IV generated randomly and a secret key with 512 or 256 bits are the input. Moreover, the original keystream is processed by the buffer to output the final keystream. The result of the HASH function controls the buffer. The structure of the proposed stream cipher is depicted in Figure 6.

The procedure of the proposed stream cipher (Algorithm 1) is listed as follows:

1. Give a secret key and get a constant vector IV

The secret key K with 256 bits or 512 bits is given by the user. The constant IV with 256 bits is generated randomly by the computer, and it is utilized to avoid the initial null value of the HECA-M, such as zeros or ones with 512 bits. Meanwhile, IV can be employed in the handshake between two sides of the communication.

• 2.. Get a chaotic rule group and initialize the HECA-M

The choice of a chaotic rule group is determined by the Hamming weight of K and IV, which is represented as follows:

(4)$idx=\mathrm{Hamming}(\mathit{K},\mathit{I}\mathit{V})\mathrm{mod}27+1,$

The initial value of HECA-M is the output of the HASH function SHA-512, which is calculated as follows:

(5)$\left\{\begin{array}{l}\mathit{i}\mathit{n}\mathit{v}=\mathrm{SHA}512(\mathit{K},\mathit{I}\mathit{V})\\ \mathit{i}\mathit{n}\mathit{v}\mathbf{\_}\mathit{d}\mathbf{=}\mathit{i}\mathit{n}\mathit{v}(1:256)\\ \mathit{i}\mathit{n}\mathit{v}\mathbf{\_}\mathit{m}\mathbf{=}\mathit{i}\mathit{n}\mathit{v}(257:512)\end{array}\right.,$

• 3.. Generate original keystream

The initial value and chaotic rule group of the HECA-M have been acquired after Step 2. Then, the HECA-M is iterated to generate the original keystream. There are 256 cells in the driving part. Thus, the HECA-M can generate 256 sequences with the same length simultaneously.

• 4.. Process the original keystream by the buffer and generate the final keystream

The buffer is controlled by the initial value of the HECA-M, which is the HASH function’s result. The buffer serves two purposes: intercept initial iterations and select sequences from the original keystream to form the final keystream.

The number of initial iterations is determined by 10 bits in the middle of the inv in Equation (5) and represented as follows:

(6)$n_0=\mathrm{bin}2dec(\mathit{i}\mathit{n}\mathit{v}(252:261))+500,$

The output of the buffer is determined by the Hamming weight of inv, which is described as the following:

(7)$flag=\mathrm{Hamming}(\mathit{i}\mathit{n}\mathit{v})\mathrm{mod}2,$

4.2. Statistic and Secure Analyses

1. NIST test

The randomness of the keystream is an important statistic property for a stream cipher. Without the loss of generality, the test suite SP800-22 of the National Institute of Standards and Technology (NIST) [35] is employed to prove the randomness of the sequences generated by the HECA-M under all chaotic rule groups in the LUT (Table 5). There are 15 sub-tests in this test suite, and the p-value of each test estimates the randomness of the sequence. In this paper, the significance level α is set to 0.01. If p-value ≥ α, the sequence appears to be random, which means that the sequence would be considered to be random with a confidence of 99%.

We assign the number of iterations as 1 × 10⁶, and the length of each HECA-M is 256. A total of 27 HECA-Ms under different chaotic rule groups are iterated to generate sequences. Furthermore, 128 binary sequences with 1 × 10⁶ bits generated by each HECA-M’s odd cells are selected to be tested. According to Ref. [35], the minimum pass rate for each statistical test with the exception of the random excursion (variant) test is approximately 123 for a sample with 128 binary sequences. The test results of 27 HECA-Ms with different chaotic rule groups are listed in Table 6.

There is no doubt that the randomness of all sequences generated by the HECA-M under 27 different chaotic rule groups can pass the NIST test, according to Table 6. Additionally, it means the keystream generated by the proposed scheme with any chaotic rule group in the LUT (Table 5) can meet the randomness requirement.

The p-value of the proposed stream cipher is always above 0.01 in any test. Moreover, in comparison to other lightweight stream ciphers [43] listed in Table 7, the proposed scheme exhibits stronger randomness due to its superior performance in universal tests. Thus, the randomness of the proposed stream is the strongest among these lightweight stream ciphers.

• 2.. Berlekamp–Massey synthesis

The linear complexity is an important security property for a stream cipher. The Berlekamp–Massey synthesis [44] is widely used in estimating the linear complexity of a binary keystream generated by a stream cipher. As for a keystream, the ideal linear complexity l equals N/2. N represents the length of the keystream. The keystreams generated by the proposed stream ciphers with different HECA-Ms are chosen to be analyzed by the B–M synthesis. Specifically, these HECA-Ms are under varying chaotic rule groups. Thus, there are 27 keystreams. Moreover, the length of them is 2000 bits. The B–M synthesis results of different keystreams are depicted in Figure 7.

In Figure 7, X-axis and Y-axis denote the length of the keystream N and the linear complexity l, respectively. Apparently, the linear complexity of any keystream coincides with the ideal line l = N/2. In conclusion, the proposed stream cipher possesses qualified linear complexity. Furthermore, it can resist linear algebraic attacks such as the B–M synthesis.

• 3.. Linear analysis (distinguishing attack)

The minimal polynomial of the keystream can be acquired by the B–M synthesis. Furthermore, an equation of linear regression is deduced from the minimal polynomial, which can be used for implementing the distinguishing attack. The process is described as follows:

(8)$\begin{array}{l}f(x)=1+c_{1}x+c_2{x}^2+\dots +c_{n-1}{x}^{n-1}+x^n\\ \Rightarrow s_t=c_1{s}_{t-1}+c_2{s}_{t-2}+\dots +c_{n-1}{s}_{t-n+1}+s_{t-n}\end{array},$

Compare the derived sequence from Equation (8) and the practical sequence. If the forecast accuracy of the derived sequence is far from 0.5, the distinguishing attack is successful. It means that the keystream generated by the stream cipher is significantly different from the randomness sequence, and the stream cipher possesses the concealed defect.

The keystreams with length n = 1, 2, 3, …, 2000 bits generated by the proposed stream ciphers under different chaotic rule groups are analyzed by the B–M synthesis. Then, the pairs <l₁, f₁>, <l₂, f₂>, <l₃, f₃>, …, <l₂₀₀₀, f₂₀₀₀> are acquired. The minimal polynomial f₄, f₈, f₁₂, …, f₂₀₀₀ is utilized to predict subsequent keystreams. The forecast accuracy for the keystream is shown in Figure 8.

In Figure 8, the X-axis indicates the keystream length from which a minimal polynomial is deduced. The Y-axis represents the forecast accuracy under the above minimal polynomial. As shown in Figure 8, the accuracy is close to 0.5 under any chaotic rule group, no matter how long the keystream for the B–M synthesis is. Thus, it can be preliminarily judged that the proposed cipher can resist the distinguishing attack. In order to confirm this judgment, the t-test is introduced to determine whether the randomness of the keystream generated by the proposed scheme can be distinguished from the true random sequence. We assign the mathematical expectation equal to the ideal value 0.5, and the significance level α is 0.01. If p-value > 0.01, the t-test does not reject the null hypothesis that the accuracy comes from a normal distribution with a mean of 0.5 at the 1% significance level. The test results are listed in Table 8.

In Table 8, no matter what the chaotic rule group is, the forecast accuracy is regarded as the data come from a normal distribution with a mean of 0.5, which is an ideal value for a truly random sequence. Thus, the distinguishing attack proves ineffective in analyzing the proposed stream cipher.

• 4.. Key space and period

The length of a secret key given by the user is 256 or 512 bits. Furthermore, the SHA-512 possesses good diffusion. Specifically, if one bit of the input is flipped, close to 50% bits of the output will change in the SHA-512. Hence, the existence of the constant vector can avoid the weak initial value of the HECA-M. In other words, if a weak initial value is acquired by the secret key, we can flip any bit of the constant vector IV to change the output of the SHA-512, which is the initial value of the HECA-M. In summary, there is no weak key in the proposed stream cipher. Thus, the key space of it is 2²⁵⁶ or 2⁵¹². It means that the proposed stream cipher can resist the brute force attack.

The number of cells in the HECA-M reaches 512, so the maximum period of the keystream is 2⁵¹². This amount far exceeds the computational capacity of modern computers. Moreover, the theoretical period of RC4 is only 10¹⁰⁰. In conclusion, the period of the proposed stream cipher is long enough for security.

• 5.. Autocorrelation and cross-correlation

A qualified stream cipher’s autocorrelation and cross-correlation coefficients should be close to zero. The value of constant vector IV and secret key SK with 512 and 256 bits are set as follows:

(9)$\begin{array}{ll}\mathit{I}\mathit{V}=& 4\mathrm{F}44\_7\mathrm{B}96\_\mathrm{F}877\_\mathrm{BDF}4\_8\mathrm{AA}2\_4\mathrm{EAA}\_1902\_4\mathrm{D}5\mathrm{E}\\ & 4\mathrm{D}9\mathrm{C}\_\mathrm{A}988\_\mathrm{A}153\_700\mathrm{E}\_\mathrm{BA}80\_582\mathrm{D}\_8\mathrm{EAF}\_\mathrm{EC}02\\ \mathit{S}\mathit{K}=& 99\mathrm{DC}\_8\mathrm{EC}3\_20\mathrm{B}3\_\mathrm{AA}64\_1246\_23\mathrm{E}9\_0855\_429\mathrm{F}\\ & \mathrm{E}7\mathrm{AF}\_61\mathrm{E}3\_4\mathrm{BB}3\_5\mathrm{B}32\_\mathrm{FD}07\_0\mathrm{F}81\_1\mathrm{B}3\mathrm{E}\_\mathrm{E}3\mathrm{A}8\\ & 9\mathrm{E}96\_0\mathrm{DEB}\_\mathrm{DDBA}\_41\mathrm{E}0\_\mathrm{BEF}8\_8\mathrm{BB}1\_9\mathrm{F}03\_\mathrm{CA}36\\ & 2786\_\mathrm{F}5\mathrm{EE}\_8\mathrm{E}6\mathrm{F}\_\mathrm{D}29\mathrm{E}\_7449\_\mathrm{D}32\mathrm{D}\_\mathrm{F}4\mathrm{EA}\_1294\left(512\mathrm{bits}\right)\end{array},$

(10)$\begin{array}{ll}\mathit{I}\mathit{V}=& 9\mathrm{F}0\mathrm{E}\_0\mathrm{DDA}\_\mathrm{DA}99\_\mathrm{CA}57\_\mathrm{C}9\mathrm{BB}\_\mathrm{C}976\_\mathrm{A}16\mathrm{E}\_8\mathrm{DF}0\\ & \mathrm{F}655\_306\mathrm{A}\_1\mathrm{E}6\mathrm{E}\_\mathrm{ADF}7\_652\mathrm{A}\_4157\_3470\_83\mathrm{A}2\\ \mathit{S}\mathit{K}=& 7232\_6\mathrm{E}5\mathrm{F}\_\mathrm{C}294\_951\mathrm{D}\_34\mathrm{C}4\_78\mathrm{FC}\_\mathrm{C}8\mathrm{EB}\_\mathrm{F}46\mathrm{F}\\ & \mathrm{ECB}0\_7\mathrm{FE}5\_\mathrm{EA}53\_\mathrm{B}9\mathrm{D}8\_\mathrm{DBCB}\_8984\_6\mathrm{F}6\mathrm{C}\_\mathrm{E}0\mathrm{B}2\left(256\mathrm{bits}\right)\end{array}$

We change one bit of SK to acquire SK*. Moreover, the inverse of SK, ~SK, is also obtained. Then, SK, SK*, and ~SK are regarded as the secret keys, and the keystreams KS, KS*, ~KS with 10,000 bits are generated by the proposed stream cipher correspondingly. The autocorrelation coefficient of KS and the cross-correlation coefficients between KS and KS*, ~KS, are shown in Figure 9 (512 bits) and Figure 10 (256 bits).

In Figure 9 and Figure 10, the X-axis and Y-axis represent the lags and correlation coefficient, respectively. As shown in Figure 9a,b and Figure 10a,b, no matter how long the secret key is, the cross-correlation coefficients between KS and KS*, ~KS, are close to zero. Moreover, in Figure 9c and Figure 10c, the autocorrelations of KS are approximately equal to zero. Hence, the keystream generated by the proposed stream cipher is sensitive to the secret key. A slight change in the secret key can lead to a completely different keystream. Furthermore, the keystream generated by the inverse of the secret key is also independent of the original keystream KS. In other words, it is difficult for the enemy to find the laws of the secret key from the different keystreams.

In addition, correlation analysis is an effective method to deduce the relationship between the keystream and secret key of the stream cipher. The enemy can utilize this method to restore the initial value of the keystream generator, that is, the secret key. Hence, the keystream should be independent of its secret key. We calculated the correlation coefficient between the secret key SK and the corresponding keystream KS. The correlation coefficient between the secret key SK and the truly random sequence (TRS) is also acquired for comparison analysis. The above correlation coefficients are depicted in Figure 11 (512 bits) and Figure 12 (256 bits).

The X-axis and Y-axis denote the lags and the correlation coefficient, respectively, in Figure 11 and Figure 12. These two figures show that the correlation coefficient between the secret key SK and the corresponding keystream KS is similar to the correlation coefficient between SK and the true random sequence TRS. In order to prove the similarity between the above two correlation coefficients further, the t-test is utilized to determine whether these two coefficients possess the same statistical characteristics. The significance level α is set to 0.05, and the mean is zero. The test is operated five times with different SKs. The results of the t-test are listed in Table 9.

As shown in Table 9, p-values are always above 0.9. Hence, we accept the null hypothesis that the correlation coefficient between SK and KS is indistinguishable from SK and TRS no matter how long the secret key SK is. It means that the correlation analysis is useless for the proposed stream cipher.

• 6.. Time–memory–data tradeoff

Time–memory–data tradeoff attack is a novel cryptanalysis method. The core of this method is increasing space consumption to reduce time consumption for cryptanalysis. In this attack, a lookup table (LUT), including the state transition of the keystream generator, is pre-generated. The enemy can search the LUT to find the initial state of the key generator according to the current state.

In the proposed stream cipher, the keystream is generated by the driving part of the HECA-M. We assign the current state of the driving part as S_n acquired by the keystream. It should be noted that only half of S_n can be obtained directly because the keystream is generated by the even or odd cells in the driving part. Another half of S_n has to be speculated. Thus, there are 2¹²⁸ possible current states. Moreover, the state transition of the driving part is determined by the mask part with 256 cells. It means that there are 2²⁵⁶ different initial values in the mask part. Furthermore, there are 27 rule groups in the LUT (Table 5). As for 2²⁵⁶ initial values in the driving part, the total number of state transitions can reach 2^256×2 × 27. It is an unacceptable quantity for the enemy. In addition, the probability of finding possible current states in these state transitions is 1/(2³⁸⁴ × 27), below 10⁻¹¹⁷. Meanwhile, the initial iteration n₀ is determined by the secret key unknown to the enemy. Hence, the enemy has to find which one is the real initial value in these initial iterations. It increases the difficulty of the time–memory–data tradeoff attack further. In summary, the proposed stream cipher can resist the time–memory–data tradeoff attack.

• 7.. Guess-and-determine attack

The guess-and-determine attack (GDA) is proposed to analyze the stream cipher RC4 by Knudsen in ASIACRYPT 1998. The GDA belongs to the known-plaintext attack, which is effective for the stream cipher. The enemy can acquire a portion of the keystream. Then, some portions of the internal state in the keystream generator can be guessed. Additionally, other portions of the internal state can be derived from this guess and the portion of the keystream. Finally, the enemy can recover the internal state of the keystream generator. Moreover, the secret key can be acquired by the enemy further.

To estimate whether the proposed stream cipher can resist the GDA, the most unsecure scenarios need to be taken into account. We assume the enemy can get keystream with enough length and has acquired the iterations of HECA-M. Firstly, we assign that the keystream is generated by all the cells, including odd and even, in the driving part, though it is different from the proposed stream cipher. The length of this keystream is L bits, which is divisible by 256. Then, the enemy can easily recover the internal states of the driving part in L/256 iterations, as shown in Figure 13.

In Figure 13, S_x,y indicates the state value of cell yth at iteration xth. If the state groups {S_x,y−1, S_x,y, S_x,y+1} in S can cover all the elements in {000, 001, 010, …, 111}, and the corresponding iterative result S_x+1,y is also in S, the enemy can acquire a state transition table as Table 10.

In Table 10, the results b₇, b₆, …, b₀ and $b_7^{*},b_6^{*},\dots ,b_0^{*}$ with binary can be converted to the decimal numbers r and r*, which can be regarded as the rule pair (r0, r1) in the LUT (Table 5). If no rule pair (r0, r1) in Table 5 is equal to (r, r*), the enemy can switch the state values of b_n and $b_n^{*}$ until the rule pair (r, r*) can be found in Table 5, where n belongs to {0, 1, 2, …, 7}. The total number of switches in Table 9 is 2⁸, which is acceptable for the enemy to guess. Once the rule pair (r0, r1) of the HECA-M is acquired, the enemy can also deduce the rule of the mask part rm easily. Furthermore, if $b_n^{*}\ne b_n$, the state value of the mask part can be determined. For instance, if S_x,y−1, S_x,y, S_x,y+1 = 011, (r, r*) = (r0, r1), and S_x+1,y = b₃ ($b_3^{*}$), the corresponding state M_x,y in the mask part can be determined to be 1 (0). However, if $b_n^{*}=b_n$, M_x,y is uncertain. Hence, the enemy should guess these states in the mask. Moreover, the enemy can always find an iteration in S with the least occurrence of $b_n^{*}=b_n$. Then, guess these states of the mask part in this iteration and verify the correctness of this guess according to subsequent iterations in S. Change the states of the guess until this guess is correct. Once one iteration of the mask part is recovered, the enemy can generate the subsequent keystream at any length. In conclusion, the enemy can easily crack the keystream generated by all the cells in the driving part.

Fortunately, as for the proposed stream cipher, only odd (or even) cells in the driving part generate the keystream. This design can avoid the above GDA effectively. The enemy can acquire the keystream generated by the even or odd cells. Thus, the internal states of the driving part cannot be recovered completely as S in Figure 13. Only the odd or even column can be recovered. It means that only two states in {S_x,y−1, S_x,y, S_x,y+1, S_x+1,y}, such as (S_x,y−1, S_x,y+1) or (S_x,y, S_x+1,y), can be determined. Hence, Table 10 cannot be acquired by the enemy. The enemy has to guess the states of other columns, and the states of {S_x,y−1, S_x,y, S_x,y+1} must cover the states in Table 10 after the guess. As for any row in S, half of the cells have to be guessed. In other words, there are 2¹²⁸ possibilities in a row. However, more than one row should be guessed to derive Table 10. The difficulty is unacceptable for the enemy. To sum up, the proposed stream cipher can resist the GDA.

4.3. Time and Space Consumption

The time and space consumption is essential for estimating the feasibility and efficiency of a stream cipher. We implement the proposed stream cipher in MATLAB R2018a with CPU AMD Ryzen 7 5800H (3.20 GHz) under Windows 11. Meanwhile, no matter how long the secret key is (256 bits or 512 bits), the number of the cells in the driving or mask part of HECA-M is always 256. Thus, the time and space consumption of the keystream generators under the secret keys with 256 bits and 512 bits are the same as each other. We utilize the proposed stream cipher to generate the keystream with a length of 1 MB. The average time consumption of one iteration in HECA-M is 2.3966 × 10⁻⁵ s. Owing to the parallel iteration of the cells in the HECA-M, one iteration can generate the keystream with 128 bits (16 bytes). Furthermore, the maximum length of the secret key is 512 bits. It is a very small amount of data for the HASH function to process, so the time consumption of this process is negligible. Moreover, the initial value of the HECA-M can be pre-generated by the HASH function before the start of the keystream generation. Hence, the efficiency of the proposed stream cipher is acceptable for the user.

In addition to the low time consumption, the space consumption of the proposed scheme is also light. As the core of the keystream generator, the HECA-M consists of the driving and mask parts. These two parts include 256 cells, and each one occupies one bit. Meanwhile, each part requires two storage spaces. One is used in storing the current states of the cells. Another is utilized to store the next states of the cells. Thus, the size of the required space of the HECA-M is 128 bytes. Additionally, the LUT of the chaotic rule groups only needs 27 × 3 (81) bytes. This means the keystream generator only occupies 209 bytes, which is smaller than the size of the noted stream cipher RC4 (256 bytes).

5. Conclusions

We utilized three elementary cellular automata (ECAs) with different global chaotic rules to construct hybrid elementary cellular automata with the mask (HECA-M). The HECA-M consists of two parts: the driving and mask parts. The number of cells in these two parts is equal to each other. Moreover, the driving part possesses two ECAs with different rules, r0 and r1. Additionally, the rule of the cell in the driving part is determined by the state value of the corresponding cell in the mask part with the rule rm. The HECA-Ms exhibit different properties under different rule groups (r0, r1, rm). Thus, the information entropy (IE) is introduced to test the randomness of the sequences generated by the different HECA-Ms. The HECA-Ms with 27 chaotic rule groups stand out in this test, which are selected to build the stream cipher. The proposed stream cipher comprises the HASH function, HECA-M, and a buffer. The HASH function provides good diffusion and initial sensitivity. Meanwhile, the weak initial value of the HECA-M can be avoided effectively through the HASH function and a constant vector. The HECA-M can generate the original keystream with good randomness that has passed the NIST test. The buffer can control the output of the keystream, including intercepting initial iterations and selecting sequences from the original keystream to form the final keystream. The security analyses prove that the proposed stream cipher can resist traditional attacks, such as B–M synthesis, linear analysis, and correlation analysis. In addition, it also possesses good resistance to the novel attack, including the time–memory–data tradeoff attack and the guess-and-determine attack. The proposed stream cipher is highly efficient and feasible in terms of its time and space consumption, making it suitable for multimedia encryption applications that involve large amounts of data. In the future, a valuable research direction would be to optimize the stream cipher further and integrate it into hardware in a lightweight form.

Footnotes

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Bu görüntüyü büyüt.

Figure 1. The iterative results of ECAs with rules (a) No. 126 and (b) No. 129. The black (white) lattice represents the cell with the status value “1” (“0”).

Bu görüntüyü büyüt.

Figure 2. The structure of a HECA. The yellow (blue) lattices denote the cells under global chaotic rule r1(r2) and r1 ≠ r2.

Bu görüntüyü büyüt.

Figure 3. The structure of the HECA-M. The dotted (solid) cycle represents the cell with the value of “0” (“1”) in the mask part, and the blue (yellow) cycle denotes the cell with the value of “0” (“1”) in the driving part. rm = 45, r1 = 60, and r0 = 105.

Bu görüntüyü büyüt.

Figure 4. The IEs of sequences generated by the HECA-M under different rule groups.

Bu görüntüyü büyüt.

Figure 5. The IEs of sequences generated by HECA-Ms under different rule groups with varying numbers of cells.

Bu görüntüyü büyüt.

Figure 6. The structure of the proposed stream cipher.

Bu görüntüyü büyüt.

Figure 7. The linear complexity of keystreams generated by the proposed stream ciphers under different HECA-Ms. The lines with different colors denote the ciphers with varying chaotic rule groups. The numbers in the legend represent the indexes of the chaotic rule groups in LUT (Table 5).

Bu görüntüyü büyüt.

Figure 8. The forecast accuracy for the keystreams generated by the proposed stream ciphers. The lines with different colors denote the ciphers with different chaotic rule groups. The numbers in the legend represent the indexes of the chaotic rule groups in LUT (Table 5).

Bu görüntüyü büyüt.

Figure 9. The correlation coefficients of the keystreams generated by the proposed stream cipher under the secret keys with 512 bits. (a) The cross-correlation coefficient between KS and KS*. (b) The cross-correlation coefficient between KS and ~KS. (c) The autocorrelation coefficient of KS.

Bu görüntüyü büyüt.

Figure 10. The correlation coefficients of the keystreams generated by the proposed stream cipher under the secret keys with 256 bits. (a) The cross-correlation coefficient between KS and KS*. (b) The cross-correlation coefficient between KS and ~KS. (c) The autocorrelation coefficient of KS.

Bu görüntüyü büyüt.

Figure 11. The correlation coefficients between (a) the secret key and corresponding keystream and (b) the secret key and true random sequence. The length of the secret key is 512 bits.

Bu görüntüyü büyüt.

Figure 12. The correlation coefficients between (a) the secret key and corresponding keystream and (b) the secret key and true random sequence. The length of the secret key is 256 bits.

Bu görüntüyü büyüt.

Figure 13. The process of recovering the internal states of the driving part. KS indicates the keystream, and S denotes the state values of the driving part. A green lattice represents one bit in the keystream, and a blue cycle is one cell in the driving part.

References

1. Zolfaghari, B.; Bibak, K.; Koshiba, T. The Odyssey of Entropy: Cryptography. Entropy; 2022; 24, 266. [DOI: https://dx.doi.org/10.3390/e24020266]

2. Zhang, B.; Xu, C.; Feng, D. Design and Analysis of Stream Ciphers: Past, Present and Future Directions. J. Cryptologic Res.; 2016; 3, pp. 527-545.

3. Menezes, A.J.; Oorschot, P.; Vanstone, S.A. Handbook of Applied Cryptography; CRC Press: Boca Raton, FL, USA, 1997.

4. Devipriya, M.; Brindha, M. Image encryption using modified perfect shuffle-based bit level permutation and learning with errors based diffusion for IoT. Comput. Electr. Eng.; 2022; 100, 107954.

5. Garcia, J.E.; Cotrina, G.; Peinado, A.; Ortiz, A. Security and Efficiency of Linear Feedback Shift Registers in GF(2(n)) Using n-Bit Grouped Operations. Mathematics; 2022; 10, 996. [DOI: https://dx.doi.org/10.3390/math10060996]

6. Rainer, R.A. Analysis and Design of Stream Ciphers; Springer: New York, NY, USA, 1986.

7. Maitra, S.; Gupta, K.C.; Venkateswarlu, A. Multiples of primitive polynomials and their products over GF(2). Proceedings of the 9th Annual International Workshop on Selected Areas in Cryptography; St. John’s, NF, Canada, 15–16 August 2003; pp. 214-231.

8. Zhang, B.; Xu, C.; Feng, D.G. Practical Cryptanalysis of Bluetooth Encryption with Condition Masking. J. Cryptol.; 2018; 31, pp. 394-433. [DOI: https://dx.doi.org/10.1007/s00145-017-9260-1]

9. Deb, S.; Bhuyan, B. Chaos-based medical image encryption scheme using special nonlinear filtering function based LFSR. Multimed. Tools Appl.; 2021; 80, pp. 19803-19826. [DOI: https://dx.doi.org/10.1007/s11042-020-10308-7]

10. Nandi, S.; Krishnaswamy, S.; Zolfaghari, B.; Mitra, P. Key-Dependent Feedback Configuration Matrix of Primitive sigma-LFSR and Resistance to Some Known Plaintext Attacks. IEEE Access; 2022; 10, pp. 44840-44854. [DOI: https://dx.doi.org/10.1109/ACCESS.2022.3141434]

11. Chetry, M.K.; Bishoi, S.K.; Matyas, V. When Lagged Fibonacci Generators jump. Discrete Appl. Math.; 2019; 267, pp. 64-72. [DOI: https://dx.doi.org/10.1016/j.dam.2019.06.022]

12. Prajapat, R.P.; Bhadada, R.; Sharma, G. Implementation of Enhanced A5/1 Stream Cipher and its Randomness Analysis by NIST Test Suite. Proceedings of the 2021 IEEE International Symposium on Smart Electronic Systems (ISES 2021), 7th IEEE International Symposium on Smart Electronic Systems (IEEE-iSES); Jaipur, India, 20–22 December 2021; pp. 426-431.

13. Din, M.; Pal, S.K.; Muttoo, S.K. Applying PSO Based Technique for Analysis of Geffe Generator Cryptosystem. Harmony Search and Nature Inspired Optimization Algorithms, 4th International Conference on Harmony Search, Soft Computing and Applications (ICHSA), Gurgaon, India, 7–9 February 2018; Yadav, N.; Yadav, A.; Bansal, J.C.; Deep, K.; Kim, J.H. Springer: Singapore, 2019; pp. 741-749.

14. Hodzic, S.; Pasalic, E.; Wei, Y.Z. Guess and determine cryptanalysis with variable sampling and its applications. IET Inform. Secur.; 2019; 13, pp. 559-569. [DOI: https://dx.doi.org/10.1049/iet-ifs.2018.5233]

15. Cao, C.P.; Cen, Z.; Feng, X.T.; Wang, Z.Y.; Zhu, Y.M. Straightforward Guess and Determine Analysis Based on Genetic Algorithm. J. Syst. Sci. Complex.; 2022; 35, pp. 1988-2003. [DOI: https://dx.doi.org/10.1007/s11424-022-1031-x]

16. Kiyomoto, S.; Tanaka, T.; Sakurai, K. Experimental analysis of guess-and-determine attacks on clock-controlled stream ciphers. IEICE Trans. Fund. Electr.; 2005; E88A, pp. 2778-2791. [DOI: https://dx.doi.org/10.1093/ietfec/e88-a.10.2778]

17. Afzal, M.; Masood, A. Algebraic attack on A5-type irregularly clocked key stream generator, IMECS 2007: International Multiconference of Engineers and Computer Scientists, Vols I and II. Proceedings of the International MultiConference of Engineers and Computer Scientists 2007, IMECS 2007; Hong Kong, China, 21–23 March 2007; pp. 670-674.

18. Siegenthaler, T. Correlation-immunity of nonlinear combining functions for cryptographic applications (Corresp.). IEEE Trans. Inform. Theory; 1984; 30, pp. 776-780. [DOI: https://dx.doi.org/10.1109/TIT.1984.1056949]

19. Li, B.H.; Liu, M.C.; Lin, D.D. FPGA implementations of Grain v1, Mickey 2.0, Trivium, Lizard and Plantlet. Microprocess Microsy; 2020; 78, 103210. [DOI: https://dx.doi.org/10.1016/j.micpro.2020.103210]

20. Hao, Y.L.; Leander, G.; Meier, W.; Todo, Y.; Wang, Q.J. Modeling for Three-Subset Division Property without Unknown Subset Improved Cube Attacks Against Trivium and Grain-128AEAD. Advances in Cryptology—Eurocrypt 2020, PT I, 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), Zagreb, Croatia, 10–14 May 2020; Canteaut, A.; Ishai, Y. Springer: Cham, Switzerland, 2020; pp. 466-495.

21. Dubrova, E.; Hell, M. Espresso: A stream cipher for 5G wireless communication systems. Cryptogr. Commun.; 2017; 9, pp. 273-289. [DOI: https://dx.doi.org/10.1007/s12095-015-0173-2]

22. Sinha, N. Internal State Recovery of Espresso Stream Cipher Using Conditional Sampling Resistance and Tmdto Attack. Adv. Math. Commun.; 2021; 15, pp. 539-556. [DOI: https://dx.doi.org/10.3934/amc.2020081]

23. Liang, X.N.; Xiao, Y.; Ozdemir, S.; Vasilakos, A.V.; Deng, H.M. Cipher feedback mode under go-back-N and selective-reject protocols in error channels. Secur. Commun. Netw.; 2013; 6, pp. 942-954. [DOI: https://dx.doi.org/10.1002/sec.638]

24. Good, T.; Benaissa, M. AES as stream cipher on a small FPGA. Proceedings of the 2006 IEEE International Symposium on Circuits and Systems; Kos, Greece, 21–24 May 2006; Volume 1–11, pp. 529-+.

25. Klein, A. Attacks on the RC4 stream cipher. Design Code Cryptogr.; 2008; 48, pp. 269-286. [DOI: https://dx.doi.org/10.1007/s10623-008-9206-6]

26. El Batouty, A.S.; Farag, H.H.; Mokhtar, A.A.; El-Badawy, E.A.; Aly, M.H. Improvement of Radio Frequency Identification Security Using New Hybrid Advanced Encryption Standard Substitution Box by Chaotic Maps. Electronics; 2020; 9, 1168. [DOI: https://dx.doi.org/10.3390/electronics9071168]

27. Paul, R.; Mitra, J.; Dey, H.; Sau, S.; Baidya, P.; Ghosh, R.; Chakrabrti, A. Secure multi-gigabit optical link design for high energy physics experiment with acceleration of more secure RC4 variant in reconfigurable platform. J. Instrum.; 2020; 15, P10024. [DOI: https://dx.doi.org/10.1088/1748-0221/15/10/P10024]

28. Vanhoef, M.; Piessens, F.; USENIX, A. All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS. Proceedings of the 24th Usenix Security Symposium; Washington, DC, USA, 12–14 August 2015; pp. 97-112.

29. Mishra, G.; Gupta, I.; Murthy, S.; Pal, S.K. Deep Learning based Cryptanalysis of Stream Ciphers. Defence Sci. J.; 2021; 71, pp. 499-506. [DOI: https://dx.doi.org/10.14429/dsj.71.16209]

30. Neumann, J.; Burks, A.W. Theory of Self-Reproducing Automata; University of Illinois Press: Urbana, IL, USA, 1966.

31. Zhang, F.; Chen, X.P.; Zhang, X.H. Parallel thinning and skeletonization algorithm based on cellular automaton. Multimed. Tools Appl.; 2020; 79, pp. 33215-33232. [DOI: https://dx.doi.org/10.1007/s11042-020-09660-5]

32. Trevisi, M.; Akbari, A.; Trocan, M.; Rodriguez-Vazquez, A.; Carmona-Galan, R. Compressive Imaging Using RIP-Compliant CMOS Imager Architecture and Landweber Reconstruction. IEEE Trans. Circ. Syst. Vid.; 2020; 30, pp. 387-399. [DOI: https://dx.doi.org/10.1109/TCSVT.2019.2892178]

33. Adak, S.; Bhattacharjee, K.; Das, S. Maximal length cellular automata in GF(q) and pseudo-random number generation. Int. J. Mod. Phys. C; 2020; 31, 2050037. [DOI: https://dx.doi.org/10.1142/S0129183120500370]

34. Palchaudhuri, A.; Dhar, A.S. Speed-area optimized VLSI architecture of multi-bit cellular automaton cell based random number generator on FPGA with testable logic support. J. Parallel. Distr. Com.; 2021; 151, pp. 13-23. [DOI: https://dx.doi.org/10.1016/j.jpdc.2021.01.005]

35. Rukhin, A.; Soto, J.; Nechvatal, J.; Smid, M.; Barker, E. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications; NIST Special Publication 800-22 National Institute of Standards and Technology: Gaithersburg, MD, USA, 2001.

36. Liu, Z.; Wang, Y.; Zhao, Y.; Zhang, L.Y. A stream cipher algorithm based on 2D coupled map lattice and partitioned cellular automata. Nonlinear Dynam.; 2020; 101, pp. 1383-1396. [DOI: https://dx.doi.org/10.1007/s11071-020-05804-2]

37. Naskar, P.K.; Bhattacharyya, S.; Nandy, D.; Chaudhuri, A. A robust image encryption scheme using chaotic tent map and cellular automata. Nonlinear Dynam.; 2020; 100, pp. 2877-2898. [DOI: https://dx.doi.org/10.1007/s11071-020-05625-3]

38. Dong, Y.; Zhao, G. A spatiotemporal chaotic system based on pseudo-random coupled map lattices and elementary cellular automata. Chaos Solitons Fractals; 2021; 151, 111217. [DOI: https://dx.doi.org/10.1016/j.chaos.2021.111217]

39. Dong, Y.; Zhao, G.; Ma, Y.; Pan, Z.; Wu, R. A novel image encryption scheme based on pseudo-random coupled map lattices with hybrid elementary cellular automata. Inf. Sci.; 2022; 593, pp. 121-154. [DOI: https://dx.doi.org/10.1016/j.ins.2022.01.031]

40. Wolfram, S.; Mallinckrodt, A.J. Cellular Automata and Complexity. Comput. Phys.; 1995; 9, 55. [DOI: https://dx.doi.org/10.1063/1.4823369]

41. Wolfram, Stephen, Cellular automata as models of complexity. Nature; 1998; 311, pp. 419-424.

42. Li, W.; Packard, N. The Structure of the Elementary Cellular Automata Rule Space. Complex Syst.; 2000; 4, pp. 281-297.

43. Subhrajyoti, D.; Bhuyan, B. Performance analysis of current lightweight stream ciphers for constrained environments. Sādhanā; 2020; 45, 256.

44. Feng, G.L.; Tzeng, K.K. A generalization of the Berlekamp-Massey algorithm for multisequence shift-register synthesis with applications to decoding cyclic codes. IEEE Trans. Inf. Theory; 1991; 37, pp. 1274-1287. [DOI: https://dx.doi.org/10.1109/18.133246]