A Novel Hybrid Elementary Cellular Automata and Its Application in a Stream Cipher

Abstract

The elementary cellular automata (ECAs) under the chaotic rule possess long periodicity and are widely used in pseudo-random number generators. However, their period is limited, related to the rule and the number of cells. Meanwhile, the Boolean functions of some ECAs are linear and vulnerable to linear analysis. Thus, the ECA cannot be directly implemented in the stream cipher. In this paper, a hybrid ECA (HECA) with dynamic mask (HECA-M) is designed. The HECA-M consists of two parts: the driving and mask parts. The driving part based on a HECA is used in generating the keystream, and the mask part based on a chaotic ECA is utilized to determine the iterative rule of the driving part. Subsequently, a stream cipher based on the HECA-M and SHA-512 is proposed. The statistic and secure analyses indicate that the proposed stream cipher possesses good randomness and can resist stream cipher analyses, such as exhaustive search, Berlekamp–Massey synthesis, guess and determine attack, time–memory–data tradeoff attack, etc. Hence, the proposed scheme can meet security requirements. Moreover, the time and space consumption of the proposed stream cipher is qualified.

1. Introduction

The stream cipher belongs to the symmetric cryptosystem in modern cryptography. It is close to the “one-time pad” (OTP) cryptosystem. In theory, Shannon proved that the OTP is absolutely secure in 1949 [1]. However, a keystream with the same length as the plaintext should be transmitted through a secure channel in the OTP. It is unpractical and wasteful in general. Moreover, the key management of the OTP is difficult. Hence, the stream cipher has gradually been used as a substitute for the OTP [2]. The core of a stream cipher is the keystream generator. A secret key with an acceptable length is employed as the input of the keystream generator to generate a keystream. Meanwhile, the keystream generated by a qualified stream cipher is difficult to be distinguished from a real random sequence. It means that the keystream should be provided with good pseudo-randomness, including long period, high linear complexity, uniform statistical property, etc. [3] Accordingly, the stream cipher possesses many advantages, such as offering good security and being lightweight and efficient. It is widely used in secret communication, especially in the military, government, etc. [4]. Thus, it is meaningful to design a qualified stream cipher.

The traditional stream cipher is based on the linear feedback shift register (LFSR). The sequence with the longest period generated by the LFSR is the m-sequence, which possesses good statistical properties [5]. However, the period of the m-sequence is limited by the series and taps of the LFSR. Meanwhile, the state values and structure of the LFSR are easily recovered by the Berlekamp–Massey (B–M) synthesis. Hence, the security of the stream cipher based on the LFSR is weak. It cannot be used in building a stream cipher directly. Subsequently, many improvement schemes consisting of the driving part (LFSR) and the nonlinear part were proposed [6]. The keystream generators of the stream cipher based on this structure can be divided into three kinds according to the nonlinear part: nonlinear-combiner generator [7], such as E0 used in Bluetooth [8]; nonlinear-filter generator [9], for example, ISO/IEC international standard stream cipher SNOW 2.0 [10]; clock-controlled generator [11], for instance, the stream cipher A5/1 [12]. The above schemes utilize the nonlinear part to break or cover up the linearity of the LFSR. Accordingly, the resistance of these improved stream ciphers for the linear analysis is enhanced, especially the analysis based on the B–M synthesis. Nevertheless, cryptanalysis is also developed with the improvement of the stream cipher. Din et al. proposed a novel cryptanalysis based on binary particle swarm optimization (BPSO) and the divide-and-conquer approach. It reduces the number of exhaust searches significantly. They also successfully acquired the initial states of the LFSR in the Geffe generator based on the nonlinear combiner [13]. As for the nonlinear-filter generator, the generalized filter state guessing attacks (GFSGAs) were designed by Hodzic [14]. This method can recover the secret states in the filter and LFSR effectively. Cao et al. proposed a straightforward guess-and-determine attack (SGDA) based on a genetic algorithm. This method can reduce the time consumption of attacks to the small-scale SNOW2.0 [15]. Moreover, the guess-and-determine analysis [16] and algebraic attack [17] also apply to the stream cipher based on the clock-controlled generator. Thus, although the stream ciphers based on the LFSR and nonlinear part are easily implemented, and possess good statistical properties, lots of cryptanalyses are proposed to recover the internal states in the LFSR because the LFSR is a mature technology that can be regarded as the Boolean function. Meanwhile, the Boolean function’s correlation and algebraic immunity were proposed to estimate the resistance of the stream cipher for the correlation and algebraic attack [18]. Hence, they can be used not only for designing the stream cipher based on the LFSR but also to crack the stream cipher [2].

Currently, the stream ciphers without the LFSR sprang up. This kind of stream ciphers can be available against the traditional cryptanalysis for the LFSR. The stream cipher Trivium is based on three nonlinear feedback shift registers (NFSRs) [19]. The linear cryptanalysis is difficult to break the Trivium. However, some novel methods, such as guess-and-determine attacks (GDAs) [15] and cube attacks [20], can easily acquire the internal states of the NFSR or distinguish the keystream generated by the NFSR from the true random sequence. Moreover, the stream cipher Espresso for 5G wireless communication systems is also based on the NFSR [21]. Subsequently, Sinha [22] reduces the complexities of the time–memory–data tradeoff (TMDTO) attack for Espresso based on the conditional BSW-sampling resistance of Espresso. The stream cipher based on the mode of block cipher was also proposed by the researchers, such as the ciphertext feedback (CFB) [23] mode and output feedback (OFB) mode [24]. The security of the block cipher in this stream cipher can be proved theoretically. However, the time and space consumption of it is too much. In addition, the widely used stream cipher RC4 is based on the state table driver and permutation. Klein has proved that RC4 possesses a secure flaw [25]. Hence, lots of improved stream ciphers based on RC4 are proposed [26,27], such as combining with chaotic mapping or other ciphers. However, the inherent security flaw always exists in RC4 [28]. In general, the emergence of the novel attacks, such as GDA, TMDTO, deep learning [29], etc., creates enormous challenges for the stream cipher. Accordingly, a more secure and efficient stream cipher is urgently needed.

The elementary cellular automaton (ECA) is the simplest cellular automaton (CA), which was proposed by Stanislaw M. Ulam et al. in 1948 [30]. The ECA with the chaotic transition rule can be considered a nonlinear dynamical system [31]. It possesses some special properties, including long periods, parallel computing, etc. Thus, the ECA is widely utilized to build a random number generator [32,33,34]. However, the period of the ECA is limited by the number of cells. Meanwhile, the randomness of the sequences generated by the ECA directly is unqualified. It cannot pass the randomness test proposed by the National Institute of Standards and Technology (NIST) [35]. In addition, the diffusion of the ECA is weak. Hence, relatively few studies use the ECA to construct the stream cipher. Although the stream ciphers combining the chaotic system and CA are proposed [36,37], the keystream is generated by the chaotic system, not the ECA. The computation complexity of these schemes increases significantly because of the nonlinearity in the chaotic system.

Our previous work also proposed a stream cipher based on the spatiotemporal chaotic system and ECA [38]. However, in this scheme, the ECA is only utilized to provide perturbation and is used in coupling. Moreover, only one ECA with a certain chaotic rule is employed in this scheme, and the period is limited. Subsequently, we design a hybrid ECA (HECA) with two different chaotic rules in image encryption [39], which consists of two different ECAs in series. The period is extended significantly in the HECA, but the number of cells always limits its period. The HECA is also only used in perturbation and coupling. The keystream is not generated by the HECA directly because the randomness of the sequences generated by it is weak.

Based on the above research, we designed a novel structure based on the HECA, the HECA with dynamic mask (HECA-M), which means that the mask can effectually hide the ECA’s iteration patterns of the driving part and change with the iteration of the ECA. Then, we combined the HECA-M with the HASH function to construct a stream cipher. Our main contributions in this paper are listed as follows:

Firstly, the HECA-M consisting of the driving and mask part is designed. The driving part includes two ECAs with different chaotic rules, r1 and r0, and the mask part is a chaotic ECA with the rule rm. It should be emphasized that r1, r0, and rm belong to the global chaotic rules, and the total number is 34. The choice of the cell’s transition rule (r1 or r0) in the driving part is determined by the state value of the cell at the same position in the mask part. The HECA-Ms with different rule groups (r1, r0, and rm) exhibit different dynamical properties. Hence, the information entropy (IE), a powerful tool in information theory that quantifies the uncertainty or information content of a system, is introduced to analyze the HECA-Ms with different group rules, the number of which reaches 34 × 34 × 34 (39304). Then, we select 17 rule groups with outstanding IE and statistical properties from them to establish the look-up table (LUT).

Secondly, a novel stream cipher based on HECA-M and the HASH function is proposed in this paper. Moreover, a buffer used for controlling the output of the keystream is also included in the proposed stream cipher. A secret key called seed and a constant binary vector IV are used as the input of the stream cipher. The SHA-512 belonging to the provable secure HASH function is chosen for acquiring the initial value of the HECA-M from the input. The existence of IV and the HASH function can avoid the weak key effectively. Meanwhile, good diffusion can be provided by the SHA-512. Furthermore, the Hamming weight of the input is utilized to choose the rule group for the HECA-M from LUT, enhancing the stream cipher’s security. Then, the original keystream is generated by the iteration of the HECA-M. The buffer related to the initial value of the HECA-M determines the initially removed iteration and the final keystream generated by the cells with odd or even indexes. This design can hide the initial state values of the HECA-M and resist the GDA.

Lastly, plenty of statistics and secure analyses are introduced in this paper. The NIST test estimates the randomness and other statistical properties of the keystream generated by the proposed stream cipher. The traditional cryptanalyses, such as B–M synthesis, distinguishing attack, and correlation analysis, are included in this paper. In addition to the conventional cryptanalyses, some novel attacks to the proposed stream cipher are discussed thoroughly, including time–memory–data tradeoff and guess-and-determine attacks. The results show that the proposed stream cipher possesses good randomness and can resist the abovementioned cryptanalyses.

The remaining part of this paper is organized as follows. Section 2 introduces preliminary knowledge about the ECA and HECA. The HECA-M and its properties are presented in Section 3. Subsequently, the proposed stream cipher based on the HECA-M and SHA-512 is described in Section 4. Meanwhile, the statistical and secure analyses of the proposed stream cipher are also listed in Section 4. Finally, the conclusion is drawn in Section 5.

2. Preliminaries

2.1. Elementary Cellular Automaton

The cellular automaton (CA) proposed by Stanislaw M. Ulam and John von Neumann in 1948 [30,37] was originally employed to depict the self-reproduction of a bio-system. A CA consists of four parts: cell, cell space, cell neighbor, and cell rule. The mathematical expression of it is given as follows:

$$CA=(A^N,\Sigma ,f,E),$$

(1)

where A^N is cell space, and N denotes the dimension of the CA. $\Sigma$ indicates the set of status values. f is the transition function under the cell rule. E represents the boundary condition of CA. Moreover, Stephen Wolfram [40,41] simplified the CA and proposed the elementary cellular automaton (ECA), which only possesses two status values and a neighbor radius of one. In the ECA, the next status value of a cell is determined by the current status value of itself and its two neighbors. The transition function of an ECA is defined as follows:

$$S_i^{t+1}=f_r(S_{i-1}^t,S_i^t,S_{i+1}^t),$$

(2)

where i (i = 1, 2, 3, …, l) and t (t = 1, 2, 3, …, n) denote space and time dimension, respectively. l is the total number of cells in the ECA. n indicates the total number of iterations. Meanwhile, the boundary of the ECA is periodic. That means the cell 1st is the neighbor of cell lth. $S_i^t$ represents the status value of the cell ith at t times, which belongs to the set {0,1}. R is the rule of the transition function f, which is a mapping from {000, 001, 010, …, 111} to {0, 1}. For instance, the transition of function f under rule No. 183 can be depicted by a truth table such as

Table 1. The transition of function f under rule No. 183.

$S_{i-1}^t,S_i^t,S_{i+1}^t$	111	110	101	100	011	010	001	000
$S_i^{t+1}$	1	0	1	1	0	1	1	1

.

There are 256 rules classified into null rules, fixed-point rules, periodic rules, locally chaotic rules, and global chaotic rules [40,42]. Moreover, the global chaotic rules with a long period are listed in

Table 2. The global chaotic rules [42].

Class	Rule Number
Global chaotic	18(183), 22(151), 30(86, 135, 149), 45(75, 89, 101), 60(102, 153, 195), 90(165), 105, 106(120, 169, 225), 129(126), 137(110, 124, 193), 146(182), 150, 161(122)

.

In Table 2, those inside the parenthesis are rules equivalent to the representative rule. For example, we assign the number of cells l = 200 and the iterations n = 200. The iterative results of ECAs with rules No. 126 and No. 129 are shown in Figure 1.

The X-axis and Y-axis represent the indexes of cells and counts of iterations in Figure 1, respectively. The status values between Figure 1a,b are mutually inverse. Additionally, the sequence generated by any cell is a long cycle [38].

2.2. Hybrid ECA

Although the chaotic ECA possesses a long period, the period is still limited and cannot meet the requirement of pseudo-randomness. Thus, we designed the hybrid ECA (HECA) in our previous work [39]. The HECA consists of two ECAs with different rules. The structure of a HECA is shown in Figure 2.

In Figure 2, l indicates the total number of cells in the HECA. According to the analysis in Ref. [39], the period of the HECA with this structure is prolonged effectively. However, it is always below 2^l. Moreover, the randomness of sequences generated by the HECA is poor and cannot pass the test of NIST [35]. Thus, it is unable to construct a stream cipher directly.

3. HECA with Dynamic Mask and Its Properties

3.1. Introduction of the Novel HECA with Dynamic Mask

The proposed HECA with dynamic mask (HECA-M) consists of the driving and mask parts. The driving part is based on the HECA, and the mask part is essentially an ECA with global chaotic rules. The rule of cell ith in the driving part is determined by the status value of cell ith in the mask part. Furthermore, the cell rule in the driving part is changed with the iteration of the mask part, and this process is dynamic. The status values of the driving part are the output of the HECA-M. The structure of the HECA-M is shown in Figure 3.

In Figure 3, the mask is iterated under the cell rule rm, which is a constant. The cell rule rd in the driving part is changed with the status value of the cell in the mask. As for cell C_i in the driving part, the index d of the cell rule is determined by the status value of cell C_i in the mask. Furthermore, the mathematical expression of the iterative process in the driving part is shown in Equation (3).

$$x_i^{t+1}=(f_{r1}(x_{i-1}^t,x_i^t,x_{i+1}^t)•f_{rm}(y_{i-1}^t,y_i^t,y_{i+1}^t))\oplus (f_{r0}(x_{i-1}^t,x_i^t,x_{i+1}^t)•\overline{f_{rm}(y_{i-1}^t,y_i^t,y_{i+1}^t)}),$$

(3)

where $x_i^t$ ($y_i^t$) indicates the status value of cell C_i in the driving (mask) part at t iteration. i (i = 1, 2, 3, …, l) and t (t = 1, 2, 3, …, n) denote space and time dimension. r1 and r0 are the cell rules of HECA in the driving part, and rm is the cell rule of the ECA in the mask part. Moreover, the boundary of these two parts is periodic. f_r denotes the transition function under the cell rule r. $\oplus$ and $•$ denote operation XOR and AND, respectively. $\overline{x}$ represents the inverse of x.

Abstractly, the longest periods of the driving and mask part are both related to the number of cells l in each other. The theoretically longest period of the HECA or ECA reaches 2^l. Thus, the longest period of HECA-M can reach 2^2l in theory, which is 2^l times as long as the HECA’s or ECA’s. In conclusion, the period is further prolonged in the HECA-M.

3.2. Properties Analyses of the HECA-M

The randomness of the sequence generated by the HECA-M is a significant property determining the security of the stream cipher. However, we found that not all HECA-Ms under a certain rule group (rm, r0, r1) can meet randomness requirements. Moreover, the number of cells in the HECA-M is crucial for the period. Meanwhile, it is also related to the randomness of the sequence generated by the HECA-M. In order to find the rule groups under which the HECA-M possesses good randomness, the information entropy (IE) is introduced to analyze sequences generated by HECA-Ms with different rule groups and the number of cells. The status values of eight cells in the middle position in the driving part are regarded as binary numbers with eight bits chosen as the outputs of the HECA-M. Thus, the ideal IE of these outputs is eight. Furthermore, the closer to eight the IE is, the better uncertainty the outputs possess.

We assign the number of cells to 100 in the driving or mask parts. Two binary numbers with 100 bits generated randomly are utilized to initialize the HECA-M. Moreover, we select three global chaotic rules from

Table 3. The look-up table (LUT) of global chaotic rules. No. indicates the index of the rule.

No.	1	2	3	4	5	6	7	8	9
Rule	18	183	22	151	30	86	135	149	45
No.	10	11	12	13	14	15	16	17	18
Rule	75	89	101	60	102	153	195	90	165
No.	19	20	21	22	23	24	25	26	27
Rule	105	106	120	169	225	129	126	137	110
No.	28	29	30	31	32	33	34
Rule	193	146	182	150	161	122	193

to compose the rule group. Thus, there are 39,304 (34 × 34 × 34) groups. The IEs of each rule group are shown in Figure 4.

In Figure 4, the titles of each subfigure denote the rules of the mask part rm. The X-axis and Y-axis indicate the index of r1 and r0 in Table 3, respectively. The Z-axis represents the IE under a certainty rule group (rm, r1, r0). Moreover, the red points in Figure 4 are the highest IEs in each subfigure, and the corresponding rule groups are listed in

Table 4. The rule groups with the highest IEs under different mask parts when the number of cells is 100.

rm	18	183	22	151	30	86	135	149	45
r1	60	105	60	135	105	105	165	165	60
r0	105	60	165	169	90	90	105	105	105
IE	7.86	7.86	7.52	5.34	7.89	7.89	7.89	7.89	7.95
rm	75	89	101	60	102	153	195	90	165
r1	150	102	90	102	75	86	135	89	30
r0	101	89	153	86	149	151	150	86	135
IE	7.51	7.83	7.74	5.34	5.37	5.34	5.34	5.33	5.34
rm	105	106	120	169	225	129	126	137	110
r1	90	60	102	165	165	169	105	150	195
r0	105	165	165	60	86	105	120	60	105
IE	7.78	7.58	7.58	7.58	7.00	7.27	7.27	7.84	7.84
rm	124	193	146	182	150	161	122
r1	102	105	102	105	153	106	105
r0	105	153	105	60	105	105	120
IE	7.84	7.84	7.86	7.86	7.40	7.27	7.27

.

In Table 4, not all IEs of the sequences generated by the HECA-Ms with these rule groups are close to the ideal value 8. Furthermore, the HECA-Ms under these rule groups with different numbers of cells are analyzed using IE. The results are shown in Figure 5.

In Figure 5, the title of each figure denotes the rule groups of this HECA-M. The X-axis represents the number of cells, also called the length of the cell space, in the mask part or driving part. The Y-axis indicates the IEs of sequences generated by the HECA-M with different lengths under a certain rule group. According to Figure 5, it is easy to know that the results of HECA-Ms under the rule groups (18,60,105), (183,105,60), (146,102,105), and (182,105,60) are sensitive to the length of the cell space, even though the length reaches 1000. Moreover, the IEs of HECA-M with rule groups (151,135,169), (102,75,149), and (153,86,151) are farther from the ideal value 8 than others. The uncertainty of sequences generated by these HECA-Ms under the above seven rule groups is unstable and defective. Thus, we select HECA-Ms under chaotic rule groups except these seven to construct the stream cipher as shown in LUT (

Table 5. The chaotic rule groups.

No.	1	2	3	4	5	6	7	8	9	10	11	12	13	14
rm	22	30	86	135	149	45	75	89	101	60	195	90	165	105
r1	60	105	105	165	165	60	150	102	90	102	135	89	30	90
r0	165	90	90	105	105	105	101	89	153	86	150	86	135	105
No.	15	16	17	18	19	20	21	22	23	24	25	26	27
rm	106	120	169	225	129	126	137	110	124	193	150	161	122
r1	60	102	165	165	169	105	150	195	102	105	153	106	105
r0	165	165	60	86	105	120	60	105	105	153	105	105	120

).

4. Stream Cipher Based on HECA-M

4.1. Description of Proposed Stream Cipher

The proposed stream cipher consists of a HECA-M, a HASH function (SHA-512 algorithm), and a buffer with the output controller. The HASH function is utilized to initialize the status value of HECA-M, including the driving part, the mask part, and the rule groups. The HECA-M is operated to generate the original keystream. Meanwhile, the length of the cell space in this HECA-M is 256. A constant IV generated randomly and a secret key with 512 or 256 bits are the input. Moreover, the original keystream is processed by the buffer to output the final keystream. The result of the HASH function controls the buffer. The structure of the proposed stream cipher is depicted in Figure 6.

The procedure of the proposed stream cipher (Algorithm 1) is listed as follows:

Algorithm 1. The pseudocode of the proposed stream cipher

Step 1: Initialize variables    Input: secret_key K (256 bits or 512 bits), constant_vector IV (256 bits) Step 2: Determine chaotic rule group and initialize HECA-M    idx = Hamming (K, IV)    chaotic_rule_group (rm, r1, r0) = LUT (idx) (From Table 5)    inv = SHA512 (K, IV)    (inv_d, inv_m) = inv Step 3: Initialize HECA-M    The ECA of driver part ← inv_d,r1,r0    The ECA of MASK part ← inv_m,rm Step 4: Generate original keystream    Iterate HECA-M to generate the original_keystream Step 5: Using buffer to generate final keystream    n0 = bin2dec(middle_10_bits_of(inv))    Remove first n0 iterations from original_keystream    flag = Hamming(inv) % 2    If flag == 0:      final_keystream←Select sequences generated by cells with even indexes from original_keystream    Else:      final_keystream ← Select sequences generated by cells with odd indexes from original_keystream Output: final_keystream

• Give a secret key and get a constant vector IV

The secret key K with 256 bits or 512 bits is given by the user. The constant IV with 256 bits is generated randomly by the computer, and it is utilized to avoid the initial null value of the HECA-M, such as zeros or ones with 512 bits. Meanwhile, IV can be employed in the handshake between two sides of the communication.

2.

Get a chaotic rule group and initialize the HECA-M

The choice of a chaotic rule group is determined by the Hamming weight of K and IV, which is represented as follows:

$$idx=\mathrm{Hamming}(\mathit{K},\mathit{I}\mathit{V})\mathrm{mod}27+1,$$

(4)

where idx represents the index of the chaotic rule group. The function Hamming(K, IV) is to acquire the Hamming weight of the binary vector consisting of K and IV. Then, a chaotic rule group (rm, r1, r0) with index idx can be obtained from LUT (Table 5).

The initial value of HECA-M is the output of the HASH function SHA-512, which is calculated as follows:

$$\left\{\begin{array}{l}\mathit{i}\mathit{n}\mathit{v}=\mathrm{SHA}512(\mathit{K},\mathit{I}\mathit{V})\\ \mathit{i}\mathit{n}\mathit{v}\mathbf{\_}\mathit{d}\mathbf{=}\mathit{i}\mathit{n}\mathit{v}(1:256)\\ \mathit{i}\mathit{n}\mathit{v}\mathbf{\_}\mathit{m}\mathbf{=}\mathit{i}\mathit{n}\mathit{v}(257:512)\end{array}\right.,$$

(5)

where SHA512(●) indicates the HASH function. inv represents the HASH of (K, IV), that is, the initial value of the HECA-M with a length of 512 bits. Meanwhile, inv is divided into two parts: inv_d and inv_m. Additionally, they are regarded as the initial values of the driving and mask parts, respectively.

3.

Generate original keystream

The initial value and chaotic rule group of the HECA-M have been acquired after Step 2. Then, the HECA-M is iterated to generate the original keystream. There are 256 cells in the driving part. Thus, the HECA-M can generate 256 sequences with the same length simultaneously.

4.

Process the original keystream by the buffer and generate the final keystream

The buffer is controlled by the initial value of the HECA-M, which is the HASH function’s result. The buffer serves two purposes: intercept initial iterations and select sequences from the original keystream to form the final keystream.

The number of initial iterations is determined by 10 bits in the middle of the inv in Equation (5) and represented as follows:

$$n_0=\mathrm{bin}2dec(\mathit{i}\mathit{n}\mathit{v}(252:261))+500,$$

(6)

where n₀ denotes the initial iterations. The beginning of the sequences with length n₀ will be removed in the original keystream. The function bin2dec(●) is to transform a binary number into a decimal. The purpose of the above process is to effectively hide the initial value of the HECA-M and practical iterations.

The output of the buffer is determined by the Hamming weight of inv, which is described as the following:

$$flag=\mathrm{Hamming}(\mathit{i}\mathit{n}\mathit{v})\mathrm{mod}2,$$

(7)

where flag is utilized to control the output of the buffer. The output of cells with even (odd) indexes is regarded as the final keystream if the flag is zero (one). For instance, if the flag is zero, the final keystream is generated by the cells 2nd, 4th, …, 256th.

4.2. Statistic and Secure Analyses

• NIST test

The randomness of the keystream is an important statistic property for a stream cipher. Without the loss of generality, the test suite SP800-22 of the National Institute of Standards and Technology (NIST) [35] is employed to prove the randomness of the sequences generated by the HECA-M under all chaotic rule groups in the LUT (Table 5). There are 15 sub-tests in this test suite, and the p-value of each test estimates the randomness of the sequence. In this paper, the significance level α is set to 0.01. If p-value ≥ α, the sequence appears to be random, which means that the sequence would be considered to be random with a confidence of 99%.

We assign the number of iterations as 1 × 10⁶, and the length of each HECA-M is 256. A total of 27 HECA-Ms under different chaotic rule groups are iterated to generate sequences. Furthermore, 128 binary sequences with 1 × 10⁶ bits generated by each HECA-M’s odd cells are selected to be tested. According to Ref. [35], the minimum pass rate for each statistical test with the exception of the random excursion (variant) test is approximately 123 for a sample with 128 binary sequences. The test results of 27 HECA-Ms with different chaotic rule groups are listed in

Table 6. Results of the NIST test for HECA-Ms with different chaotic rule groups.

No.	The Index of the Sub-Test in the Test Suite SP800-22
	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
1	125	126	Pass	128	126	127	127	Pass	127	126	127	Pass	Pass	Pass	128
2	126	128	Pass	127	127	126	124	Pass	126	127	127	Pass	Pass	Pass	128
3	127	128	Pass	127	127	126	128	Pass	128	127	125	Pass	Pass	Pass	125
4	128	127	Pass	128	126	127	128	Pass	128	126	128	Pass	Pass	Pass	125
5	128	124	Pass	126	126	127	126	Pass	128	126	127	Pass	Pass	Pass	127
6	125	127	Pass	126	127	127	126	Pass	125	125	126	Pass	Pass	Pass	128
7	127	125	Pass	126	126	124	128	Pass	123	126	127	Pass	Pass	Pass	126
8	128	126	Pass	128	128	128	125	Pass	125	128	126	Pass	Pass	Pass	128
9	128	128	Pass	125	127	128	127	Pass	126	128	125	Pass	Pass	Pass	125
10	128	126	Pass	127	125	125	126	Pass	123	126	127	Pass	Pass	Pass	127
11	127	128	Pass	128	128	126	127	Pass	127	127	128	Pass	Pass	Pass	127
12	126	127	Pass	124	128	123	126	Pass	125	127	127	Pass	Pass	Pass	127
13	123	128	Pass	125	126	125	127	Pass	127	127	128	Pass	Pass	Pass	127
14	127	127	Pass	128	127	128	127	Pass	125	127	127	Pass	Pass	Pass	126
15	128	127	Pass	124	126	126	125	Pass	127	127	127	Pass	Pass	Pass	127
16	127	126	Pass	125	127	128	124	Pass	128	128	127	Pass	Pass	Pass	126
17	125	128	Pass	126	128	128	125	Pass	126	127	127	Pass	Pass	Pass	128
18	127	127	Pass	128	126	126	128	Pass	127	127	127	Pass	Pass	Pass	126
19	128	127	Pass	128	128	126	126	Pass	127	128	125	Pass	Pass	Pass	127
20	128	127	Pass	126	127	128	126	Pass	126	127	128	Pass	Pass	Pass	128
21	128	128	Pass	127	125	127	126	Pass	128	124	127	Pass	Pass	Pass	125
22	128	128	Pass	127	127	128	128	Pass	127	126	127	Pass	Pass	Pass	125
23	128	128	Pass	126	128	127	127	Pass	125	127	126	Pass	Pass	Pass	128
24	126	125	Pass	128	124	127	128	Pass	126	127	128	Pass	Pass	Pass	127
25	128	126	Pass	125	128	126	127	Pass	126	127	128	Pass	Pass	Pass	125
26	126	126	Pass	125	126	128	127	Pass	127	127	126	Pass	Pass	Pass	128
27	127	127	Pass	126	128	127	125	Pass	127	125	128	Pass	Pass	Pass	128
1. Frequency					2. Block frequency							3. Cumulative sums *
4. Runs					5. Longest runs							6. Rank
7. FFT					8. Non-overlapping template *							9. Overlapping template
10. Universal					11. Approximate entropy							12. Random excursions *
13. Random excursions variant *					14. Serial *							15. Linear complexity

Notes: No. indicates the index of the chaotic rule group in the LUT (Table 5). The number in the first row represents the index of the sub-test in the test suite SP800-22. * denotes that there are multiple tests in this sub-test. “Pass” means that the sequences can pass all of these multiple tests.

.

There is no doubt that the randomness of all sequences generated by the HECA-M under 27 different chaotic rule groups can pass the NIST test, according to Table 6. Additionally, it means the keystream generated by the proposed scheme with any chaotic rule group in the LUT (Table 5) can meet the randomness requirement.

The p-value of the proposed stream cipher is always above 0.01 in any test. Moreover, in comparison to other lightweight stream ciphers [43] listed in

Table 7. NIST SP800-22 test results of different stream ciphers (the red number is below 0.01).

Test	Lizard	Fruit	Plantlet	Sprout	Grain V1	Espresso	Proposed
Frequency	0.350485	0.122325	0.924076	0.032923	0.122325	0.304126	0.551026
Block frequency	0.008879	0.350485	0.637119	0.897763	0.455937	0.739918	0.602458
Cumulative sums	0.350485	0.739918	0.514124	0.401199	0.122325	0.162606	0.232760
Runs	0.534146	0.911413	0.181557	0.574903	0.834308	0.834308	0.534146
Longest runs	0.350485	0.574903	0.739918	0.637119	0.883171	0.739918	0.242986
Rank	0.534146	0.213309	0.000070	0.000233	0.011791	0.010988	0.078086
FFT	0.991468	0.739918	0.004301	0.171867	0.045675	0.171867	0.468595
Non-overlapping template	0.550133	0.474986	0.657933	0.236810	0.616305	0.455937	0.637119
Overlapping template	0.350485	0.350485	0.851383	0.289667	0.236810	0.108791	0.819544
Universal	0.000621	0.000513	0.015826	0.000079	0.007315	0.002347	0.931952
Approximate entropy	0.350485	0.739918	0.191687	0.213309	0.439621	0.426931	0.392456
Random excursions *	0.028181	0.179539	0.080519	0.090936	0.012071	0.139921	0.031064
Random excursions variant *	0.031894	0.016717	0.041890	0.021505	0.077290	0.017912	0.117948
Serial *	0.137154	0.12911	0.262249	0.554420	0.000474	0.171867	0.105618
Linear complexity	0.035174	0.031254	0.383827	0.637119	0.040108	0.045675	0.468595

* denotes that there are multiple tests in this sub-test. It means that the p-value is the minimum in these multiple tests.

, the proposed scheme exhibits stronger randomness due to its superior performance in universal tests. Thus, the randomness of the proposed stream is the strongest among these lightweight stream ciphers.

2.

Berlekamp–Massey synthesis

The linear complexity is an important security property for a stream cipher. The Berlekamp–Massey synthesis [44] is widely used in estimating the linear complexity of a binary keystream generated by a stream cipher. As for a keystream, the ideal linear complexity l equals N/2. N represents the length of the keystream. The keystreams generated by the proposed stream ciphers with different HECA-Ms are chosen to be analyzed by the B–M synthesis. Specifically, these HECA-Ms are under varying chaotic rule groups. Thus, there are 27 keystreams. Moreover, the length of them is 2000 bits. The B–M synthesis results of different keystreams are depicted in Figure 7.

In Figure 7, X-axis and Y-axis denote the length of the keystream N and the linear complexity l, respectively. Apparently, the linear complexity of any keystream coincides with the ideal line l = N/2. In conclusion, the proposed stream cipher possesses qualified linear complexity. Furthermore, it can resist linear algebraic attacks such as the B–M synthesis.

3.

Linear analysis (distinguishing attack)

The minimal polynomial of the keystream can be acquired by the B–M synthesis. Furthermore, an equation of linear regression is deduced from the minimal polynomial, which can be used for implementing the distinguishing attack. The process is described as follows:

$$\begin{array}{l}f(x)=1+c_{1}x+c_2{x}^2+\dots +c_{n-1}{x}^{n-1}+x^n\\ \Rightarrow s_t=c_1{s}_{t-1}+c_2{s}_{t-2}+\dots +c_{n-1}{s}_{t-n+1}+s_{t-n}\end{array},$$

(8)

where f(x) represents the minimal polynomial of the sequences (s₀, s₁, s₂, …, s_t−n, s_t−n+1, s_t−2, s_t−1, …). Meanwhile, f(x) is acquired by the B–M synthesis. t represents the time dimension. The equation of linear regression in Equation (8) is employed to deduce subsequent sequence (s_t, s_t+1, s_t+2, s_t+3, …) in the keystream. The sequence’s linear complexity and minimal polynomial with n bits can be expressed as <l_n, f_n>.

Compare the derived sequence from Equation (8) and the practical sequence. If the forecast accuracy of the derived sequence is far from 0.5, the distinguishing attack is successful. It means that the keystream generated by the stream cipher is significantly different from the randomness sequence, and the stream cipher possesses the concealed defect.

The keystreams with length n = 1, 2, 3, …, 2000 bits generated by the proposed stream ciphers under different chaotic rule groups are analyzed by the B–M synthesis. Then, the pairs <l₁, f₁>, <l₂, f₂>, <l₃, f₃>, …, <l₂₀₀₀, f₂₀₀₀> are acquired. The minimal polynomial f₄, f₈, f₁₂, …, f₂₀₀₀ is utilized to predict subsequent keystreams. The forecast accuracy for the keystream is shown in Figure 8.

In Figure 8, the X-axis indicates the keystream length from which a minimal polynomial is deduced. The Y-axis represents the forecast accuracy under the above minimal polynomial. As shown in Figure 8, the accuracy is close to 0.5 under any chaotic rule group, no matter how long the keystream for the B–M synthesis is. Thus, it can be preliminarily judged that the proposed cipher can resist the distinguishing attack. In order to confirm this judgment, the t-test is introduced to determine whether the randomness of the keystream generated by the proposed scheme can be distinguished from the true random sequence. We assign the mathematical expectation equal to the ideal value 0.5, and the significance level α is 0.01. If p-value > 0.01, the t-test does not reject the null hypothesis that the accuracy comes from a normal distribution with a mean of 0.5 at the 1% significance level. The test results are listed in

Table 8. t-test results of the forecast accuracy under the minimal polynomial acquired by the B–M synthesis.

Index of the Chaotic Rule Group	p-Value (>0.01)	PASS or NOT
1	0.9658	PASS
2	0.7527	PASS
3	0.0208	PASS
4	0.1732	PASS
5	0.1690	PASS
6	0.0159	PASS
7	0.7002	PASS
8	0.8940	PASS
9	0.8162	PASS
10	0.6187	PASS
11	0.3112	PASS
12	0.2944	PASS
13	0.9400	PASS
14	0.2361	PASS
15	0.8033	PASS
16	0.8391	PASS
17	0.8818	PASS
18	0.7311	PASS
19	0.7231	PASS
20	0.7743	PASS
21	0.2715	PASS
22	0.0440	PASS
23	0.5938	PASS
24	0.4436	PASS
25	0.0178	PASS
26	0.9695	PASS
27	0.4292	PASS

.

In Table 8, no matter what the chaotic rule group is, the forecast accuracy is regarded as the data come from a normal distribution with a mean of 0.5, which is an ideal value for a truly random sequence. Thus, the distinguishing attack proves ineffective in analyzing the proposed stream cipher.

4.

Key space and period

The length of a secret key given by the user is 256 or 512 bits. Furthermore, the SHA-512 possesses good diffusion. Specifically, if one bit of the input is flipped, close to 50% bits of the output will change in the SHA-512. Hence, the existence of the constant vector can avoid the weak initial value of the HECA-M. In other words, if a weak initial value is acquired by the secret key, we can flip any bit of the constant vector IV to change the output of the SHA-512, which is the initial value of the HECA-M. In summary, there is no weak key in the proposed stream cipher. Thus, the key space of it is 2²⁵⁶ or 2⁵¹². It means that the proposed stream cipher can resist the brute force attack.

The number of cells in the HECA-M reaches 512, so the maximum period of the keystream is 2⁵¹². This amount far exceeds the computational capacity of modern computers. Moreover, the theoretical period of RC4 is only 10¹⁰⁰. In conclusion, the period of the proposed stream cipher is long enough for security.

5.

Autocorrelation and cross-correlation

A qualified stream cipher’s autocorrelation and cross-correlation coefficients should be close to zero. The value of constant vector IV and secret key SK with 512 and 256 bits are set as follows:

$$\begin{array}{ll}\mathit{I}\mathit{V}=& 4\mathrm{F}44\_7\mathrm{B}96\_\mathrm{F}877\_\mathrm{BDF}4\_8\mathrm{AA}2\_4\mathrm{EAA}\_1902\_4\mathrm{D}5\mathrm{E}\\ & 4\mathrm{D}9\mathrm{C}\_\mathrm{A}988\_\mathrm{A}153\_700\mathrm{E}\_\mathrm{BA}80\_582\mathrm{D}\_8\mathrm{EAF}\_\mathrm{EC}02\\ \mathit{S}\mathit{K}=& 99\mathrm{DC}\_8\mathrm{EC}3\_20\mathrm{B}3\_\mathrm{AA}64\_1246\_23\mathrm{E}9\_0855\_429\mathrm{F}\\ & \mathrm{E}7\mathrm{AF}\_61\mathrm{E}3\_4\mathrm{BB}3\_5\mathrm{B}32\_\mathrm{FD}07\_0\mathrm{F}81\_1\mathrm{B}3\mathrm{E}\_\mathrm{E}3\mathrm{A}8\\ & 9\mathrm{E}96\_0\mathrm{DEB}\_\mathrm{DDBA}\_41\mathrm{E}0\_\mathrm{BEF}8\_8\mathrm{BB}1\_9\mathrm{F}03\_\mathrm{CA}36\\ & 2786\_\mathrm{F}5\mathrm{EE}\_8\mathrm{E}6\mathrm{F}\_\mathrm{D}29\mathrm{E}\_7449\_\mathrm{D}32\mathrm{D}\_\mathrm{F}4\mathrm{EA}\_1294\left(512\mathrm{bits}\right)\end{array},$$

(9)

$$\begin{array}{ll}\mathit{I}\mathit{V}=& 9\mathrm{F}0\mathrm{E}\_0\mathrm{DDA}\_\mathrm{DA}99\_\mathrm{CA}57\_\mathrm{C}9\mathrm{BB}\_\mathrm{C}976\_\mathrm{A}16\mathrm{E}\_8\mathrm{DF}0\\ & \mathrm{F}655\_306\mathrm{A}\_1\mathrm{E}6\mathrm{E}\_\mathrm{ADF}7\_652\mathrm{A}\_4157\_3470\_83\mathrm{A}2\\ \mathit{S}\mathit{K}=& 7232\_6\mathrm{E}5\mathrm{F}\_\mathrm{C}294\_951\mathrm{D}\_34\mathrm{C}4\_78\mathrm{FC}\_\mathrm{C}8\mathrm{EB}\_\mathrm{F}46\mathrm{F}\\ & \mathrm{ECB}0\_7\mathrm{FE}5\_\mathrm{EA}53\_\mathrm{B}9\mathrm{D}8\_\mathrm{DBCB}\_8984\_6\mathrm{F}6\mathrm{C}\_\mathrm{E}0\mathrm{B}2\left(256\mathrm{bits}\right)\end{array}$$

(10)

We change one bit of SK to acquire SK*. Moreover, the inverse of SK, ~SK, is also obtained. Then, SK, SK*, and ~SK are regarded as the secret keys, and the keystreams KS, KS*, ~KS with 10,000 bits are generated by the proposed stream cipher correspondingly. The autocorrelation coefficient of KS and the cross-correlation coefficients between KS and KS*, ~KS, are shown in Figure 9 (512 bits) and Figure 10 (256 bits).

In Figure 9 and Figure 10, the X-axis and Y-axis represent the lags and correlation coefficient, respectively. As shown in Figure 9a,b and Figure 10a,b, no matter how long the secret key is, the cross-correlation coefficients between KS and KS*, ~KS, are close to zero. Moreover, in Figure 9c and Figure 10c, the autocorrelations of KS are approximately equal to zero. Hence, the keystream generated by the proposed stream cipher is sensitive to the secret key. A slight change in the secret key can lead to a completely different keystream. Furthermore, the keystream generated by the inverse of the secret key is also independent of the original keystream KS. In other words, it is difficult for the enemy to find the laws of the secret key from the different keystreams.

In addition, correlation analysis is an effective method to deduce the relationship between the keystream and secret key of the stream cipher. The enemy can utilize this method to restore the initial value of the keystream generator, that is, the secret key. Hence, the keystream should be independent of its secret key. We calculated the correlation coefficient between the secret key SK and the corresponding keystream KS. The correlation coefficient between the secret key SK and the truly random sequence (TRS) is also acquired for comparison analysis. The above correlation coefficients are depicted in Figure 11 (512 bits) and Figure 12 (256 bits).

The X-axis and Y-axis denote the lags and the correlation coefficient, respectively, in Figure 11 and Figure 12. These two figures show that the correlation coefficient between the secret key SK and the corresponding keystream KS is similar to the correlation coefficient between SK and the true random sequence TRS. In order to prove the similarity between the above two correlation coefficients further, the t-test is utilized to determine whether these two coefficients possess the same statistical characteristics. The significance level α is set to 0.05, and the mean is zero. The test is operated five times with different SKs. The results of the t-test are listed in

Table 9. The t-test of the two correlation coefficients between SK and KS and SK and TRS.

512 bits	p-value	0.9572	0.9009	0.9427	0.9570	0.9557
	Pass or Not	Pass	Pass	Pass	Pass	Pass
256 bits	p-value	0.9629	0.9576	0.9545	0.9754	0.9411
	Pass or Not	Pass	Pass	Pass	Pass	Pass

.

As shown in Table 9, p-values are always above 0.9. Hence, we accept the null hypothesis that the correlation coefficient between SK and KS is indistinguishable from SK and TRS no matter how long the secret key SK is. It means that the correlation analysis is useless for the proposed stream cipher.

6.

Time–memory–data tradeoff

Time–memory–data tradeoff attack is a novel cryptanalysis method. The core of this method is increasing space consumption to reduce time consumption for cryptanalysis. In this attack, a lookup table (LUT), including the state transition of the keystream generator, is pre-generated. The enemy can search the LUT to find the initial state of the key generator according to the current state.

In the proposed stream cipher, the keystream is generated by the driving part of the HECA-M. We assign the current state of the driving part as S_n acquired by the keystream. It should be noted that only half of S_n can be obtained directly because the keystream is generated by the even or odd cells in the driving part. Another half of S_n has to be speculated. Thus, there are 2¹²⁸ possible current states. Moreover, the state transition of the driving part is determined by the mask part with 256 cells. It means that there are 2²⁵⁶ different initial values in the mask part. Furthermore, there are 27 rule groups in the LUT (Table 5). As for 2²⁵⁶ initial values in the driving part, the total number of state transitions can reach 2^256×2 × 27. It is an unacceptable quantity for the enemy. In addition, the probability of finding possible current states in these state transitions is 1/(2³⁸⁴ × 27), below 10⁻¹¹⁷. Meanwhile, the initial iteration n₀ is determined by the secret key unknown to the enemy. Hence, the enemy has to find which one is the real initial value in these initial iterations. It increases the difficulty of the time–memory–data tradeoff attack further. In summary, the proposed stream cipher can resist the time–memory–data tradeoff attack.

7.

Guess-and-determine attack

The guess-and-determine attack (GDA) is proposed to analyze the stream cipher RC4 by Knudsen in ASIACRYPT 1998. The GDA belongs to the known-plaintext attack, which is effective for the stream cipher. The enemy can acquire a portion of the keystream. Then, some portions of the internal state in the keystream generator can be guessed. Additionally, other portions of the internal state can be derived from this guess and the portion of the keystream. Finally, the enemy can recover the internal state of the keystream generator. Moreover, the secret key can be acquired by the enemy further.

To estimate whether the proposed stream cipher can resist the GDA, the most unsecure scenarios need to be taken into account. We assume the enemy can get keystream with enough length and has acquired the iterations of HECA-M. Firstly, we assign that the keystream is generated by all the cells, including odd and even, in the driving part, though it is different from the proposed stream cipher. The length of this keystream is L bits, which is divisible by 256. Then, the enemy can easily recover the internal states of the driving part in L/256 iterations, as shown in Figure 13.

In Figure 13, S_x,y indicates the state value of cell yth at iteration xth. If the state groups {S_x,y−1, S_x,y, S_x,y+1} in S can cover all the elements in {000, 001, 010, …, 111}, and the corresponding iterative result S_x+1,y is also in S, the enemy can acquire a state transition table as

Table 10. The state transition table acquired by the enemy according to the internal state of the driving part.

Sx,y−1, Sx,y, Sx,y+1	111	110	101	100	011	010	001	000
$S_{x+1,y}$	$b_7$	$b_6$	$b_5$	$b_4$	$b_3$	$b_2$	$b_1$	$b_0$
$S_{x+1,y}^{*}$	$b_7^{*}$	$b_6^{*}$	$b_5^{*}$	$b_4^{*}$	$b_3^{*}$	$b_2^{*}$	$b_1^{*}$	$b_0^{*}$

.

In Table 10, the results b₇, b₆, …, b₀ and $b_7^{*},b_6^{*},\dots ,b_0^{*}$ with binary can be converted to the decimal numbers r and r*, which can be regarded as the rule pair (r0, r1) in the LUT (Table 5). If no rule pair (r0, r1) in Table 5 is equal to (r, r*), the enemy can switch the state values of b_n and $b_n^{*}$ until the rule pair (r, r*) can be found in Table 5, where n belongs to {0, 1, 2, …, 7}. The total number of switches in Table 9 is 2⁸, which is acceptable for the enemy to guess. Once the rule pair (r0, r1) of the HECA-M is acquired, the enemy can also deduce the rule of the mask part rm easily. Furthermore, if $b_n^{*}\ne b_n$, the state value of the mask part can be determined. For instance, if S_x,y−1, S_x,y, S_x,y+1 = 011, (r, r*) = (r0, r1), and S_x+1,y = b₃ ($b_3^{*}$), the corresponding state M_x,y in the mask part can be determined to be 1 (0). However, if $b_n^{*}=b_n$, M_x,y is uncertain. Hence, the enemy should guess these states in the mask. Moreover, the enemy can always find an iteration in S with the least occurrence of $b_n^{*}=b_n$. Then, guess these states of the mask part in this iteration and verify the correctness of this guess according to subsequent iterations in S. Change the states of the guess until this guess is correct. Once one iteration of the mask part is recovered, the enemy can generate the subsequent keystream at any length. In conclusion, the enemy can easily crack the keystream generated by all the cells in the driving part.

Fortunately, as for the proposed stream cipher, only odd (or even) cells in the driving part generate the keystream. This design can avoid the above GDA effectively. The enemy can acquire the keystream generated by the even or odd cells. Thus, the internal states of the driving part cannot be recovered completely as S in Figure 13. Only the odd or even column can be recovered. It means that only two states in {S_x,y−1, S_x,y, S_x,y+1, S_x+1,y}, such as (S_x,y−1, S_x,y+1) or (S_x,y, S_x+1,y), can be determined. Hence, Table 10 cannot be acquired by the enemy. The enemy has to guess the states of other columns, and the states of {S_x,y−1, S_x,y, S_x,y+1} must cover the states in Table 10 after the guess. As for any row in S, half of the cells have to be guessed. In other words, there are 2¹²⁸ possibilities in a row. However, more than one row should be guessed to derive Table 10. The difficulty is unacceptable for the enemy. To sum up, the proposed stream cipher can resist the GDA.

4.3. Time and Space Consumption

The time and space consumption is essential for estimating the feasibility and efficiency of a stream cipher. We implement the proposed stream cipher in MATLAB R2018a with CPU AMD Ryzen 7 5800H (3.20 GHz) under Windows 11. Meanwhile, no matter how long the secret key is (256 bits or 512 bits), the number of the cells in the driving or mask part of HECA-M is always 256. Thus, the time and space consumption of the keystream generators under the secret keys with 256 bits and 512 bits are the same as each other. We utilize the proposed stream cipher to generate the keystream with a length of 1 MB. The average time consumption of one iteration in HECA-M is 2.3966 × 10⁻⁵ s. Owing to the parallel iteration of the cells in the HECA-M, one iteration can generate the keystream with 128 bits (16 bytes). Furthermore, the maximum length of the secret key is 512 bits. It is a very small amount of data for the HASH function to process, so the time consumption of this process is negligible. Moreover, the initial value of the HECA-M can be pre-generated by the HASH function before the start of the keystream generation. Hence, the efficiency of the proposed stream cipher is acceptable for the user.

In addition to the low time consumption, the space consumption of the proposed scheme is also light. As the core of the keystream generator, the HECA-M consists of the driving and mask parts. These two parts include 256 cells, and each one occupies one bit. Meanwhile, each part requires two storage spaces. One is used in storing the current states of the cells. Another is utilized to store the next states of the cells. Thus, the size of the required space of the HECA-M is 128 bytes. Additionally, the LUT of the chaotic rule groups only needs 27 × 3 (81) bytes. This means the keystream generator only occupies 209 bytes, which is smaller than the size of the noted stream cipher RC4 (256 bytes).

5. Conclusions

We utilized three elementary cellular automata (ECAs) with different global chaotic rules to construct hybrid elementary cellular automata with the mask (HECA-M). The HECA-M consists of two parts: the driving and mask parts. The number of cells in these two parts is equal to each other. Moreover, the driving part possesses two ECAs with different rules, r0 and r1. Additionally, the rule of the cell in the driving part is determined by the state value of the corresponding cell in the mask part with the rule rm. The HECA-Ms exhibit different properties under different rule groups (r0, r1, rm). Thus, the information entropy (IE) is introduced to test the randomness of the sequences generated by the different HECA-Ms. The HECA-Ms with 27 chaotic rule groups stand out in this test, which are selected to build the stream cipher. The proposed stream cipher comprises the HASH function, HECA-M, and a buffer. The HASH function provides good diffusion and initial sensitivity. Meanwhile, the weak initial value of the HECA-M can be avoided effectively through the HASH function and a constant vector. The HECA-M can generate the original keystream with good randomness that has passed the NIST test. The buffer can control the output of the keystream, including intercepting initial iterations and selecting sequences from the original keystream to form the final keystream. The security analyses prove that the proposed stream cipher can resist traditional attacks, such as B–M synthesis, linear analysis, and correlation analysis. In addition, it also possesses good resistance to the novel attack, including the time–memory–data tradeoff attack and the guess-and-determine attack. The proposed stream cipher is highly efficient and feasible in terms of its time and space consumption, making it suitable for multimedia encryption applications that involve large amounts of data. In the future, a valuable research direction would be to optimize the stream cipher further and integrate it into hardware in a lightweight form.