The state diagram of $$\chi $$

Abstract

AbstractIn symmetric cryptography, block ciphers, stream ciphers and permutations often make use of a round function and many round functions consist of a linear and a non-linear layer. One that is often used is based on the cellular automaton that is denoted by $$\chi $$ χ as a Boolean map on bi-infinite sequences, $${\mathbb {F}}_2^{{\mathbb {Z}}}$$ F 2 Z . It is defined by $$\sigma \mapsto \nu $$ σ ↦ ν where each $$\nu _i = \sigma _i + (\sigma _{i+1}+1)\sigma _{i+2}$$ ν i = σ i + ( σ i + 1 + 1 ) σ i + 2 . A map $$\chi _n$$ χ n is a map that operates on n-bit arrays with periodic boundary conditions. This corresponds with $$\chi $$ χ restricted to periodic infinite sequences with period that divides n. This map $$\chi _n$$ χ n is used in various permutations, e.g., Keccak-f (the permutation in SHA-3), ASCON (the NIST standard for lightweight cryptography), Xoodoo, Rasta and Subterranean (2.0). In this paper, we characterize the graph of $$\chi $$ χ on periodic sequences. It turns out that $$\chi $$ χ is surjective on the set of all periodic sequences. We will show what sequences will give collisions after one application of $$\chi $$ χ . We prove that, for odd n, the order of $$\chi _n$$ χ n (in the group of bijective maps on $${\mathbb {F}}_2^n$$ F 2 n ) is $$2^{\lceil {\text {lg}}(\frac{n+1}{2})\rceil }$$ 2 ⌈ lg ( n + 1 2 ) ⌉ . A given periodic sequence lies on a cycle in the graph of $$\chi $$ χ , or it can be represented as a polynomial. By regarding the divisors of such a polynomial one can see whether it lies in a cycle, or after how many iterations of $$\chi $$ χ it will. Furthermore, we can see, for a given $$\sigma $$ σ , the length of the cycle in its component in the state diagram. Finally, we extend the surjectivity of $$\chi $$ χ to $${\mathbb {F}}_2^{{\mathbb {Z}}}$$ F 2 Z , thus to include non-periodic sequences.