Weak key analysis for chaotic cipher based on randomness properties


RESEARCH PAPER. SCIENCE CHINA Information Sciences May 01 Vol. 55 No. 5: doi: /s x

YIN RuMing, WANG Jian, YUAN Jian, SHAN XiuMing & WANG XiQin
Department of Electronic Engineering, Tsinghua University, Beijing , China
Received January 14, 010; accepted July 1, 010; published online February 8, 01

Abstract Weak key analysis is a key issue in the design of chaotic ciphers. While most existing research focuses on the degradation of the chaotic sequences, which causes weak keys, we point out that parameters for which the chaotic sequences do not degrade can still be weak keys. In this paper, we propose a new approach based on rigorous statistical tests to improve the weak key analysis. The weak keys of a specific chaotic cipher are investigated by using our method, and a large number of new weak keys are detected. These results verify that our method is more effective. On the other hand, although statistical tests are now widely adopted to test chaos-based bit sequences, there are few reports of analysis results on the weak keys or weak sequences of chaotic ciphers. Thus our work may be helpful for current research on statistical tests of chaotic ciphers.

Keywords chaos, cryptography, statistical test, weak keys, sequence randomness

Citation Yin R M, Wang J, Yuan J, et al. Weak key analysis for chaotic cipher based on randomness properties. Sci China Inf Sci, 01, 55: , doi: /s x

1 Introduction

Chaos is characterized by sensitive dependence on initial conditions and parameters. By selecting the parameters as the keys, chaos can be used to design cryptosystems [1 3]. In a cryptosystem, the plaintexts are transformed into the ciphertexts under the control of the secret keys. For enhanced security, the cryptosystem should be very sensitive to the keys, which makes it difficult to determine the encryption transformation without the right keys.
Corresponding author (jyuan@tsinghua.edu.cn). © Science China Press and Springer-Verlag Berlin Heidelberg 01, info.scichina.com

Weak key analysis is a key issue in the design of chaotic ciphers [3 8]. Generally a key is considered weak if it is relatively easy to break the cipher with this key in comparison with some other keys [9]. The strength of a chaotic cipher is usually determined by the properties of the sequence generated by the cipher. With some parameters the period of the chaotic sequence is extremely short, which causes weak keys [10]. These kinds of weak keys were investigated in [3, 8]. On the other hand, parameters with which the chaotic sequence has a very long period can still be weak. In most chaotic ciphers, the chaotic sequence is transformed into a bit sequence to encrypt the plaintext. The strength of the cipher is thus determined by the properties of the bit sequence. Even when the chaotic sequence has good properties, the produced bit sequence can be far from random and thus cause weak keys [11, 1]. To avoid this kind of weak key, statistical tests can be used to analyze the bit sequence. There have been some research papers on using statistical tests to investigate the properties of chaotic bit sequences. However, some problems still exist. Some statistical tests used in chaotic cipher design are not rigorous, so they cannot effectively detect the weak keys, e.g., the correlation function between bit sequences and the tests specified in FIPS 140- [1 16]. The correlation function is just an intuitive measure of the randomness of the bit sequence, and the tests specified in FIPS 140- have not been recommended for use [17]. Recently some rigorous tests, e.g., the NIST statistical tests, have been used to ensure the good randomness properties of chaotic bit sequences [11, 18]. However, there are few reports on using these rigorous tests to detect the weak keys or weak sequences of chaotic ciphers [11].

In this paper, we propose a new approach to improve the weak key analysis of chaotic ciphers. Our new approach uses rigorous statistical tests to detect the weak randomness of the chaotic bit sequence and thus the weak keys of chaotic ciphers. The weak keys of a specific chaotic cipher are investigated by using our method. We find a large number of new weak keys and carefully analyze the reasons that these weak keys arise. These results verify that our new method is more effective than the existing method, which is based on analyzing the properties of the chaotic sequence. On the other hand, since there are few research reports on using rigorous tests to analyze the weak keys of chaotic ciphers, our work may also be helpful for current research on statistical tests of chaotic ciphers.

The rest of the paper is organized as follows. Section 2 first briefly describes the existing weak key analysis and then proposes our new approach. Section 3 investigates the weak keys of a specific chaotic cipher by using our method.
In Section 4, we discuss the current research on statistical tests of chaotic ciphers and highlight the importance of rigorous statistical tests in chaotic cipher design. Section 5 concludes the paper.

2 A new approach to analyze the weak keys

2.1 Existing method

For chaotic systems, some parameters give rise to very short periodic orbits. These parameters may cause weak keys [5]. Alvarez et al. investigate these kinds of weak keys of chaotic ciphers and provide two suggestions to avoid the weak keys [3]. The first suggestion is to avoid using the parameters which give rise to the short periodic windows. As a second suggestion, it is preferred to select a chaotic map for which all parameter values retain complete chaoticity. A simple map satisfying this expectation is the skew tent map.

2.2 New weak key analysis

The existing method can avoid some obvious weak keys of chaotic ciphers. However, some potential weak keys may still exist. In most chaotic ciphers, the chaotic sequence is transformed into a bit sequence to encrypt the plaintext. The strength of the cipher is thus determined by the properties of the bit sequence. Even when the chaotic sequence has good properties, the produced bit sequence can be far from random and thus cause weak keys [11, 1].

In this paper, we propose a new approach based on rigorous statistical tests to improve the weak key analysis. For a specific key of a chaotic cipher, we test the randomness of the produced bit sequence by using statistical tests. If the bit sequence is far from random, then the corresponding key is considered to be weak. After finding the weak keys, we can theoretically analyze the reasons that these weak keys are produced and propose some methods to avoid them.

In statistical tests, some predefined randomness statistics are first computed and then compared with their theoretical distributions. If a systematic deviation is observed, the sequence is assumed to be nonrandom.
For enhanced security, the sequence produced by chaotic ciphers must pass the statistical tests. The statistical tests play a very important role in modern stream cipher design. They were adopted to evaluate the candidate algorithms of the famous AES (Advanced Encryption Standard) and the eSTREAM project [19 1]. To avoid missing potential weak keys, we should select rigorous statistical tests. In this paper, we choose the NIST test suite, which is widely used in cipher design [].

The NIST test suite requires m sequences successively produced by the cipher, each of which consists of n bits. For each sequence, a test result P-value is obtained. Thus we get m P-values corresponding to the m sequences. With these m P-values, two approaches can be adopted to determine whether or not the sequences finally pass the test. The first one is to calculate the proportion of sequences passing the test, which is denoted by Proportion. Assume that the significance level is α. A sequence is considered to pass the test when P-value > α. Then if Proportion > T, the sequences finally pass the test, where T is a threshold value determined by the significance level α and the number of sequences m. In this paper, we select α = 0.01, m = 100, then T = . The second approach is to examine the distribution of the P-values to obtain a new test result P-value_T. If P-value_T > 0.0001, then the sequences are considered to finally pass the test.

The NIST test suite consists of fifteen effective tests. For compactness, we just list the results of the following four tests: frequency test, frequency test within a block, runs test and test for the longest run of ones in a block. In fact, we have used all fifteen tests to examine the randomness of the binary sequences produced by chaotic ciphers in this paper. The results show that the above four tests can represent all fifteen tests. That is to say, on one hand, if the sequence cannot pass these four tests, it cannot pass most of the other tests either. On the other hand, a sequence passing these four tests can pass all the other eleven tests.

3 Weak key analysis of a specific chaotic cipher

In this section, the weak keys of a specific chaotic cipher are investigated by using our method.
We find a large number of new weak keys, which were not detected by using the original lax tests. These results verify that our method is more effective. We also make some improvements to the cipher to avoid the new weak keys.

3.1 The chaotic pseudorandom sequence generator

This section briefly describes the pseudorandom sequence generator to be analyzed, which was proposed in [13]. This generator consists of three parts: the discretized piecewise linear chaotic map, modular addition and the bit extraction scheme. Here we briefly describe these three parts in turn. For more details, the reader is referred to [13].

The original piecewise linear chaotic map is defined as

$$x(k+1) = f(x(k), p) = \begin{cases} x(k)/p, & 0 \le x(k) < p; \\ (x(k) - p)/(0.5 - p), & p \le x(k) < 0.5; \\ (1 - p - x(k))/(0.5 - p), & 0.5 \le x(k) < 1 - p; \\ (1 - x(k))/p, & 1 - p \le x(k) < 1; \end{cases} \tag{1}$$

where the parameter $p \in (0, 0.5)$ and the initial value $x(0) \in [0, 1]$. By discretizing this map, we obtain the discretized map as follows:

$$X(k+1) = F(X(k), P) = \begin{cases} \lfloor 2^{n_0} X(k)/P \rfloor, & 0 \le X(k) < P; \\ \lfloor 2^{n_0} (X(k) - P)/(2^{n_0-1} - P) \rfloor, & P \le X(k) < 2^{n_0-1}; \\ \lfloor 2^{n_0} (2^{n_0} - X(k) - P)/(2^{n_0-1} - P) \rfloor, & 2^{n_0-1} \le X(k) < 2^{n_0} - P; \\ \lfloor 2^{n_0} (2^{n_0} - X(k))/P \rfloor, & 2^{n_0} - P \le X(k) < 2^{n_0}; \end{cases} \tag{2}$$

where $\lfloor x \rfloor$ denotes the floor of x, and $X(k) \in [0, 2^{n_0} - 1]$ is the discretized state. P is the discretized parameter satisfying $P \in (0, 2^{n_0-1})$, and $n_0 = 32$ denotes the computer word length. The relationships between the discretized parameters X(k), P and the original continuous parameters x(k), p are as follows:

x(k) = X(k), p = P. (3) n0 n0 1

In the generator, two different discretized chaotic maps are adopted to generate two different state variables $X_1(k)$ and $X_2(k)$. The initial conditions of these two discretized maps are denoted by $X_1(0)$ and $X_2(0)$, and the parameters are denoted by $P_1$ and $P_2$ respectively. Then $X_1(k)$ and $X_2(k)$ are added modulo $2^{n_0}$ to obtain Y(k):

$$Y(k) = (X_1(k) + X_2(k)) \bmod 2^{n_0}. \tag{4}$$

Finally several bits are extracted from the integer Y(k) according to the following equation, which means that the l = 4 most significant bits and l = 4 least significant bits in Y(k) are discarded.

$$S(k) = b_l b_{l+1} \cdots b_{n_0-l-1}, \quad \text{if } Y(k) = b_0 b_1 \cdots b_{n_0-1}. \tag{5}$$

The keys of the generator are composed of the initial values and the control parameters, i.e., $[P_1\ P_2\ X_1(0)\ X_2(0)]$.

The discretized chaotic maps in the generator make it difficult to theoretically analyze the weak keys. To facilitate the analysis of weak keys, we give a generator with continuous chaotic maps, which is equivalent to the original generator. The equivalent generator with the continuous chaotic maps is shown in Figure 1. In the figure, f(x, p) is the original piecewise linear chaotic map. The bit extraction scheme is as follows:

$$S(k) = b_l b_{l+1} \cdots b_{n_0-l-1}, \quad \text{if } y(k) = 0.b_0 b_1 \cdots b_{n_0-1}. \tag{6}$$

In the following descriptions, to avoid confusion, we call x(0) and p the continuous key parameters. X(0) and P are called the discretized key parameters.

3.2 Weak key analysis of the generator

The generator proposed in [13] has two kinds of weak keys. One kind of weak key arises from the strong correlation between consecutive bits, and the other kind is due to the extremely short period length of the chaotic sequence.
In the following sections, we analyze these two kinds of weak keys in turn.

3.2.1 Weak keys due to strong correlation between consecutive bits

With some selected keys, the bit sequences produced by the generator have been tested in [13]. The results show that the produced binary sequence has good randomness properties. However, by using our method to test the sequence, we find that the keys for which the bit sequence was found to have good randomness are in fact weak keys. By further analysis, we find a large number of similar weak keys, which are due to the strong correlation between consecutive bits. We make some improvements to the cipher to avoid these weak keys.

The bit sequence of the chaotic generator is tested by using the NIST test suite. The results are shown in Table 1. In the tables * denotes that the sequence has failed the corresponding test. The keys are chosen as $[P_1\ P_2\ X_1(0)\ X_2(0)]$ = [ ], which are the original test parameters adopted in [13]. The corresponding continuous key parameters are p 1 p . Our test results in the table show that the sequence with these parameters fails to pass most of the NIST tests. Therefore these parameters are weak keys.

We theoretically analyze the cause of the weak keys with the continuous equivalent generator shown in Figure 1. The continuous key parameters adopted in Table 1 are p 1 p , which 3 are close to zero. In this case the continuous piecewise linear map is very close to the standard tent map, which can be formulated as follows:

$$x(k+1) = f_{\text{tent}}(x(k)) = \begin{cases} 2x(k), & 0 \le x(k) < 0.5; \\ 2(1 - x(k)), & 0.5 \le x(k) < 1. \end{cases} \tag{7}$$

Therefore, to facilitate analysis, we can use the tent map to theoretically investigate the weak keys of the generator.

Figure 1 The equivalent generator with the continuous chaotic maps.

Table 1 The test results for the generator with the parameters [ ]
Test name Proportion P-value_T Frequency Block-Frequency * Runs * * Longest-Run * * denotes that the sequence has failed the corresponding test.

For the continuous equivalent generator, assume that the two state variables at time k are $x_1(k)$ and $x_2(k)$; then $x_1(k)$ and $x_2(k)$ are added modulo 1 to obtain $y(k) = (x_1(k) + x_2(k)) \bmod 1$. Consider the state variables at time k+1. According to (7), we get

$$y(k+1) = \begin{cases} 2(x_1(k) + x_2(k)) \bmod 1, & 0 \le x_1(k), x_2(k) < 0.5; \\ 2(1 + x_1(k) - x_2(k)) \bmod 1, & 0 \le x_1(k) < 0.5,\ 0.5 \le x_2(k) < 1; \\ 2(1 + x_2(k) - x_1(k)) \bmod 1, & 0.5 \le x_1(k) < 1,\ 0 \le x_2(k) < 0.5; \\ 2(1 - (x_1(k) + x_2(k))) \bmod 1, & 0.5 \le x_1(k), x_2(k) < 1. \end{cases} \tag{8}$$

Consequently we have

$$y(k+1) = \begin{cases} 2y(k) \bmod 1, & 0 \le x_1(k), x_2(k) < 0.5; \\ (-2y(k)) \bmod 1, & 0.5 \le x_1(k), x_2(k) < 1. \end{cases} \tag{9}$$

Assume that y(k) can be approximately represented as a binary sequence $y(k) = 0.b^k_0 b^k_1 \cdots b^k_{n-1}$, where n stands for a certain precision. Similarly, $y(k+1) = 0.b^{k+1}_0 b^{k+1}_1 \cdots b^{k+1}_{n-1}$. When $x_1(k), x_2(k) \in [0, 0.5)$ or $x_1(k), x_2(k) \in [0.5, 1)$, according to (9), we obtain

$$b^{k+1}_i = b^k_{i+1},\ 0 \le i \le n-2, \quad b^{k+1}_{n-1} = 0, \quad \text{if } 0 \le x_1(k), x_2(k) < 0.5; \tag{10}$$

b k+1 i = b k i+1, 0 i<i, b k+1 i = b k i+1,i i n, if 0.5 x 1 (k),x (k) < 1. (11) b k+1 n 1 =0,

where I denotes the last bit position in $y(k) = 0.b^k_0 b^k_1 \cdots b^k_{n-1}$ having the value 1. That is to say, $b^k_I = 1$, $b^k_i = 0$, $I < i \le n-1$.

After obtaining the relations between the bits in y(k) and y(k+1), the bit extraction scheme has to be considered to analyze the correlation between consecutive bits. According to equation (6), Figure 2 intuitively describes the bit extraction scheme adopted in the continuous generator. In the figure, y(k), y(k+1), ..., y(k+t) are the t+1 consecutive results obtained after the modular addition operation. S(k), S(k+1), ..., S(k+t) denote the corresponding extracted bit sequences.
The generator concatenates these t+1 bit sequences to get the final bit sequence S. According to the results in equations (10) and (11), the bit sequences S(k) and S(k+1) in the sequence S are strongly correlated. A large number of consecutive bits in S(k) are equal or complemented to the consecutive bits in S(k+1) with very high probability. Therefore the bit sequence S is far from random and fails to pass most of the NIST tests.

Figure 2 The bit extraction scheme adopted in the generator.

A specific bit sequence produced by the original generator is computed to confirm our analysis. In the computation, the discretized key parameters are selected as $[P_1\ P_2\ X_1(0)\ X_2(0)]$ = [ ] and the corresponding continuous key parameters are p 1 p , which are close to 3 zero. This is just the case considered in the theoretical analysis. We find that a large number of consecutive bits in S(k) are equal or complemented to the consecutive bits in S(k+1). These results confirm our theoretical analysis.

We have analyzed the cause of the weak keys which are close to zero. In fact many similar weak keys exist. When the continuous key parameters $p_1$ and $p_2$ are both close to 1 (m>1), the bits in the m sequence can still be correlated with some large probability. Therefore these parameters may still be weak keys.

We give some improvements to avoid the above weak keys. On one hand, we can avoid using these weak parameters as the keys in the generator. Since this method decreases the total number of possible keys that can be used, the security of the generator may be weakened. Additionally it is not convenient to detect these weak keys in the practical use of the generator. On the other hand, we can improve the design of the generator to remove the weak keys. Since many consecutive bits are extracted each time from the results of the modular addition operation, the bits in the final sequence are strongly correlated and thus cause weak keys. With this consideration, we can decrease the number of bits extracted each time to remove the high correlation between consecutive bits. Assume this number is denoted by L.
With different values of L, the produced bit sequences are tested by using the NIST tests. We find that the produced bit sequence cannot pass some tests for some key values when L > 1. Therefore, to remove the weak keys we extract just one bit each time, i.e., the value of L is selected as 1. With L = 1, the produced bit sequence is tested. For the discretized chaotic map shown in Eq. (2), the parameters are chosen as X(0) = 1000, P = 33. The bit $b^k_r$, $r \in [0, n_0 - 1]$, is extracted from the state variable $X(k) = b^k_0 b^k_1 \cdots b^k_{n_0-1}$ each time to form the bit sequence. We test the sequence with the parameter r = 16. We find that the bit sequence can pass the NIST tests. Therefore the original weak keys are removed for the improved generator.

3.2.2 Weak keys due to the short period of chaotic orbit

The discretized chaotic map can generate orbits with extremely short period length, or even a fixed point, for some parameters, which causes weak keys. Two different chaotic maps are added in the generator in order to increase the period length. While this design improves the period properties to some degree, the period lengths of some generator sequences are still extremely short.

(1) Fixed points. The possible fixed points of the discretized chaotic map are computed. In Eq. (2), we set X(k+1) = X(k) and omit the floor function. Thus the possible nonzero fixed points can be obtained as follows:

$$X_{\text{fix}1} = \frac{2^{n_0} P}{0.5 \cdot 2^{n_0} + P}, \quad X_{\text{fix}2} = \frac{(P - 2^{n_0})\, 2^{n_0}}{P - 1.5 \cdot 2^{n_0}}, \quad \text{and} \quad X_{\text{fix}3} = \frac{2^{2n_0}}{2^{n_0} + P}.$$

When the state variable of the discretized chaotic map takes a value close to one of the above three values, the chaotic orbit may fall to a fixed point. For example, for the discretized parameter P = 34, two fixed points of the discretized chaotic map can be obtained: $X_{\text{fix}1}$ = 68, $X_{\text{fix}2}$ = . For the discretized parameter P = 33, one fixed point can be obtained: $X_{\text{fix}1}$ = 66. Therefore when the discretized key parameters of the generator $[P_1\ P_2\ X_1(0)\ X_2(0)]$ = [ ] or [ ], the generator will produce one fixed state value all the time. These two key parameters are obviously weak keys. By a similar analysis, weak keys due to the fixed point may exist for all possible values of $P_1$ and $P_2$. These kinds of weak keys can be calculated by using the above equations.

In addition, another kind of weak key can be caused by the fixed point of the chaotic map. Since computers can only represent numbers with limited precision, the chaotic orbits of the piecewise linear chaotic maps will converge to zero within a few iterations for all initial values when the parameter p = 1/4 [3]. Therefore when $[P_1\ P_2]$ = [ ], the generator will produce a sequence consisting of only zero bits for all possible $X_1(0)$ and $X_2(0)$ values. Thus these key parameters are also weak keys.

Note that the weak keys due to the fixed points can be computed in advance. Therefore we can examine these weak keys and avoid using them in the practical use of the generator.

(2) Short period of chaotic orbit. The discretized chaotic map in Eq. (2) can generate sequences with extremely short period [4]. The typical values of the period length of the chaotic map are shown in Table 2. In the table, we randomly select the parameter and initial value for the discretized chaotic map, and calculate the period length of the chaotic orbit. We find that the period length is less than $10^5$ for about 40 percent of the key parameters. Since two different chaotic maps are added in the generator, the period length of the sequence produced by the generator will be less than for about 16 percent of the key parameters. Note that the period length of about is too small to satisfy most cryptographic use [9].

The short period of the bit sequence obviously suggests that the sequence is far from random. It can also be detected by using proper statistical tests.
We examine a bit sequence of short period by using the NIST tests. The results are shown in Table 3. In the table, the key of the generator is selected as $[P_1\ P_2\ X_1(0)\ X_2(0)]$ = [ ]. With this key, the period lengths of the two discretized chaotic maps are both less than 100. Additionally, we adopt the improved bit extraction scheme discussed in subsection . This is to remove the correlation between consecutive bits, which makes the sequence fail to pass the test. We find that in this case the sequence cannot pass most of the tests. In this way, the nonrandom properties caused by the short period length are effectively detected by using the NIST tests.

As is shown in Table 3, when the two chaotic maps adopted in the generator simultaneously produce short period orbits, the generator may produce a short period sequence. To solve this problem, we can use a pseudorandom sequence with a fixed long period to perturb the chaotic orbit. This method can guarantee the lower bound of the extended cycle length [5]. Here, we use the perturbing algorithm in [5] to expand the period length of the generator. The improved generator is shown in Figure 3. Note that the improved bit extraction scheme is also adopted. That is to say, the bit $b^k_r$ (r = 16) is extracted from the state variable $Y(k) = b^k_0 b^k_1 \cdots b^k_{n_0-1}$ each time to form the bit sequence.

In the improved generator, the linear congruential generator (LCG) is used to produce the perturbing sequence. The linear congruential generator is as follows:

$$Z(m+1) = A \cdot Z(m) \bmod M, \quad m = 0, 1, 2, \ldots, \tag{12}$$

where the parameters A = 16807, M = . $Z(0) \in [1, M-1]$ is the initial value of the LCG. The sequence produced by the LCG has a fixed lower bound of cycle length M − 1 [6]. In Figure 3, the LCG sequence is used to perturb the chaotic orbit every Δ iterations, where Δ is a positive integer. The perturbing operation is the modular addition function.
The perturbing algorithm can be formulated as follows:

$$\begin{cases} Y(k) = X(k), & k \ne m\Delta,\ m = 0, 1, 2, \ldots; \\ Y(k) = (X(k) + Z(m)) \bmod 2^{n_0}, & k = m\Delta,\ m = 0, 1, 2, \ldots \end{cases} \tag{13}$$

With this perturbing algorithm, the lower bound of the cycle length of the improved generator can be proved to be (M − 1)Δ [5]. Here we select Δ = 500, then the cycle length of the improved generator is at least M Δ =( 31 ) , which is much larger than the cycle length of the original generator. The improved generator is also examined by using the NIST tests. For the parameters selected as P = 33, $X_0$ = 1000, Δ = 500 and $Z_0$ = 3, we find that the improved generator can pass the NIST tests and has good randomness properties.

Table 2 Typical values of the period length of the discretized chaotic map
Period length: Less than $10^3$, Less than $10^4$, Less than $10^5$
Percentage of keys:

Table 3 The test results for a short period sequence produced by the generator
Test name Proportion P-value_T Frequency * Block-Frequency * Runs * * Longest-Run * * denotes that the sequence has failed the corresponding test.

Figure 3 The improved chaotic sequence generator.

4 Discussion of statistical analysis of chaotic ciphers

In this paper, we use rigorous statistical tests to improve the weak key analysis of chaotic ciphers. Some research works have already used statistical methods to investigate the properties of chaotic bit sequences. In this section, we discuss the current research on statistical analysis of chaotic ciphers. We first consider the theoretical analysis and then discuss the application of statistical tests.

The real-valued states of chaotic systems can be properly quantized to generate a binary sequence. The randomness properties of this kind of chaotic sequence have been theoretically analyzed [7 30]. The existing theoretical analysis focuses on using the invariant measures to investigate the correlation function of the chaotic bit sequence. For ergodic chaotic maps with some symmetric property, Kohda first gave a sufficient condition to produce a sequence of independent and identically distributed (i.i.d.) binary random variables [7]. After that, in the extended work [8], he gave the applications of such sequences to stream ciphers and CDMA communication systems. Recently the run statistics of the chaotic bit sequence were theoretically analyzed in [9]. Note that the ergodic property and invariant measures are the basis of this kind of theoretical analysis.
However, they may be affected by the parameter perturbations in the implementation of chaotic systems. This problem was theoretically studied in [30].

While the above theoretical analysis guarantees some good randomness properties of the chaotic bit sequence, it is of limited use in chaotic cipher design [8]. The reasons are as follows. First, while the good correlation property is the main quantity that the existing analysis focuses on, it is just a basic requirement for the chaotic bit sequence to be used in cryptography. More rigorous requirements need to be satisfied, for example, the large period length and the low linear complexity. Second, the good properties of real-valued chaotic systems may be seriously degraded when the systems are realized with finite precision in digital computers [3, 4]. Typically for the tent map and the Bernoulli shift map, all chaotic orbits will converge to zero within a limited number of iterations due to finite precision. In addition, the bit sequence obtained by quantizing the real-valued states of chaotic systems has some further disadvantages in practical use. The operations on real numbers are usually realized by using floating point arithmetic, which may decrease the efficiency of cryptosystems. Some chaotic cryptosystems may be incapable of fully utilizing the sensitive dependence on initial conditions due to the analog circuit implementation.

While the existing theoretical statistical analysis is of limited use in chaotic cipher design, statistical tests can be adopted to extensively examine the randomness properties of the chaotic bit sequence. The commonly used tests include the tests specified in FIPS 140-, the NIST test suite and the DIEHARD statistical tests. These tests have already been well used in the design of chaotic true random bit generators [31 33]. Recently they have also been adopted to examine chaotic pseudorandom bit generators [11, 13, 14, 16, 18]. However, some problems still exist in the use of these statistical tests.

On one hand, since some statistical tests used in chaotic cipher design are not rigorous, they may lead to some incorrect test results. In this paper, our analysis of the chaotic sequence generator in Section 3 has given an example. Another example can be found in [1, 15]. While the chaotic bit sequence proposed in [15] has passed a simple test named information entropy, its randomness is shown to be insufficient when the rigorous NIST tests are employed [1].

On the other hand, although some rigorous statistical tests have been adopted to examine pseudorandom chaotic sequences, they are still not well used. The control parameters of the chaotic bit generator are usually randomly selected when the generator is tested [11, 18]. As a result, the produced sequence can easily pass the rigorous statistical tests. However, this kind of test method cannot improve the chaotic bit generator effectively, since the chaotic bit sequence is required to have good randomness properties for all the possible values of the control parameters. Some weak control parameters may still exist.
In addition, most current research works use the rigorous tests to ensure the good randomness of the chaotic bit sequence. There are few reports on using these rigorous tests to detect the weak keys or weak sequences of chaotic ciphers. As far as we know, the insufficient randomness properties of chaotic sequences were just briefly mentioned in [11, 1]. This means that rigorous statistical tests are still not well used to improve the design of chaotic ciphers. Note that rigorous statistical tests have effectively improved conventional cipher design [19 1]. Therefore the use of statistical tests in chaotic cipher design should be further explored.

In this paper, we investigate a specific chaotic cipher by using the rigorous NIST tests and detect a large number of new weak keys, which were not found by using the lax tests [13]. Additionally, from the results in Table 1, it is found that the weak keys may not be detected if the NIST tests are inappropriately used. For example, when the control parameter is randomly selected, the chaotic sequence can always easily pass the tests. In this way we highlight the importance of rigorous statistical tests in chaotic cipher design. Our work may be helpful for current research on statistical tests of chaotic ciphers.

5 Conclusions

In this paper, we propose a new approach based on rigorous statistical tests to improve the weak key analysis of chaotic ciphers. The weak keys of a specific chaotic cipher are investigated by using our method and a large number of new weak keys are detected. These results verify that our method is more effective. Since there are few research reports on using rigorous tests to analyze the weak keys of chaotic ciphers, our work may also be helpful for current research on statistical tests of chaotic ciphers.

On the other hand, we should also recognize the limitation of weak key analysis by using statistical tests.
Since the key space of a chaotic cryptosystem is usually very large, we cannot exhaustively examine all the possible keys. Therefore some theoretical methods are needed to guarantee the good properties of the chaotic sequence, e.g., the fixed large period length, the high linear complexity, and so on. Additionally we think that more theoretical analysis should be performed for the discretized chaotic cryptosystems, which have many advantages in practical implementation. These problems will be the subject of our future work.

Acknowledgements This work was supported by National Natural Science Foundation of China (Grant No ).
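The decision procedure of Section 2.2 (m sequences, one P-value per sequence, then the Proportion and P-value_T criteria), written out for the frequency and runs tests. This is an added example, not code from the paper: the threshold formula and the 10-bin P-value_T computation follow NIST SP 800-22, and the function names and the period-4 input batch are constructed here.

```python
"""Added example: pass/fail decision over m sequences as described in Section 2.2."""
import math

ALPHA = 0.01     # significance level used in the text
M_SEQS = 100     # number of sequences m used in the text


def frequency_pvalue(bits):
    """Frequency (monobit) test: P-value = erfc(|S_n| / sqrt(2n))."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2.0 * n))


def runs_pvalue(bits):
    """Runs test; 0.0 is returned when the prerequisite |pi - 1/2| < 2/sqrt(n) fails."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2.0 / math.sqrt(n) or pi * (1.0 - pi) == 0.0:
        return 0.0
    v = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)   # number of runs
    num = abs(v - 2.0 * n * pi * (1.0 - pi))
    den = 2.0 * math.sqrt(2.0 * n) * pi * (1.0 - pi)
    return math.erfc(num / den)


def proportion_threshold(alpha=ALPHA, m=M_SEQS):
    """Lower acceptance bound of SP 800-22: (1 - a) - 3 * sqrt(a (1 - a) / m)."""
    return (1.0 - alpha) - 3.0 * math.sqrt(alpha * (1.0 - alpha) / m)


def uniformity_pvalue(pvalues):
    """P-value_T: chi-square of the P-values over 10 equal bins, igamc(9/2, chi2/2)."""
    m = len(pvalues)
    counts = [0] * 10
    for p in pvalues:
        counts[min(int(p * 10), 9)] += 1
    chi2 = sum((c - m / 10) ** 2 / (m / 10) for c in counts)
    x = chi2 / 2.0
    # Regularized upper incomplete gamma Q(9/2, x) from Q(1/2, x) = erfc(sqrt(x))
    # and the recurrence Q(a + 1, x) = Q(a, x) + x^a e^{-x} / Gamma(a + 1).
    q = math.erfc(math.sqrt(x))
    q += math.exp(-x) * sum(x ** (j - 0.5) / math.gamma(j + 0.5) for j in range(1, 5))
    return q


def assess(sequences, test):
    """Apply one test to every sequence and evaluate both criteria from the text."""
    pvals = [test(s) for s in sequences]
    proportion = sum(p > ALPHA for p in pvals) / len(pvals)
    p_t = uniformity_pvalue(pvals)
    return {
        "proportion": proportion,
        "proportion_ok": proportion > proportion_threshold(ALPHA, len(pvals)),
        "p_value_T": p_t,
        "uniformity_ok": p_t > 0.0001,
    }


# Constructed input: 100 consecutive 1000-bit segments of a period-4 keystream 0011 0011 ...
PERIOD4_BATCH = [[0, 0, 1, 1] * 250 for _ in range(M_SEQS)]

if __name__ == "__main__":
    for name, test in (("frequency", frequency_pvalue), ("runs", runs_pvalue)):
        print(name, assess(PERIOD4_BATCH, test))
```

On the constructed period-4 batch every sequence gets P-value 1.0 in both tests, so the Proportion criterion is met, while P-value_T rejects the batch because the P-values are not uniformly distributed.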
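The block-to-block relation derived in Section 3.2.1 from the tent-map model, (7) to (9), can be checked directly. This added example (not code from the paper or from [13]) keeps the two states as exact rationals a/Q with an odd denominator Q, an assumption made here so that the tent map does not collapse to zero as it does in binary floating point; Q, the start values and all function names are illustrative.

```python
"""Added example: overlap between consecutive output blocks S(k) and S(k+1)."""

Q = 1_000_000_000_000_000_003      # assumption: any odd denominator; a state x is a/Q
N0 = 32                            # word length n0
L_DROP = 4                         # bits discarded at each end (l = 4 in the text)
WIDTH = N0 - 2 * L_DROP            # 24 bits extracted per iteration
LOW = (1 << (WIDTH - 1)) - 1       # mask for the 23 overlapping bits

# Constructed start values, both below Q/2 so the first step falls in one half.
A1, A2 = 123_456_789_012_345_678, 314_159_265_358_979_323


def tent(a):
    """Tent map (7) on a/Q: 2x for x < 1/2, otherwise 2(1 - x)."""
    return 2 * a if 2 * a < Q else 2 * (Q - a)


def extract(a1, a2):
    """Bits b_l .. b_{n0-l-1} of y = (x1 + x2) mod 1 = 0.b0 b1 b2 ..., as in (6)."""
    y = (a1 + a2) % Q
    word = (y << N0) // Q                       # first n0 fractional bits of y/Q
    return (word >> L_DROP) & ((1 << WIDTH) - 1)


def analyse(a1, a2, steps):
    """Count how often S(k+1) is a shifted copy or shifted complement of S(k)."""
    counts = {"steps": steps, "same_half": 0, "shifted": 0,
              "complemented": 0, "unexplained": 0}
    for _ in range(steps):
        s_k = extract(a1, a2)
        same_half = (2 * a1 < Q) == (2 * a2 < Q)    # both states in [0, 0.5) or both in [0.5, 1)
        a1, a2 = tent(a1), tent(a2)
        head = extract(a1, a2) >> 1                 # first 23 bits of S(k+1)
        tail = s_k & LOW                            # last 23 bits of S(k)
        if head == tail:
            counts["shifted"] += 1                  # y(k+1) = 2 y(k) mod 1
        elif head == (tail ^ LOW):
            counts["complemented"] += 1             # y(k+1) = (-2 y(k)) mod 1
        elif same_half:
            counts["unexplained"] += 1              # would contradict (9)
        counts["same_half"] += same_half
    return counts


def correlated_fraction(counts):
    """Share of all output bits that copy or complement a bit of the previous block."""
    hits = counts["shifted"] + counts["complemented"]
    return hits * (WIDTH - 1) / (counts["steps"] * WIDTH)


if __name__ == "__main__":
    result = analyse(A1, A2, 2000)
    print(result, round(correlated_fraction(result), 3))
```

With one bit extracted per iteration (L = 1, the improvement proposed in the text) there is no overlap left to count, since `WIDTH - 1` becomes zero.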

References

1 Kocarev L. Chaos-based cryptography: a brief overview. IEEE Circ Syst Mag, 001, 1: 6 1
Zhang Y W, Wang Y M, Shen X B. Chaos-based image encryption algorithm using alternate structure. Sci China Ser F-Inf Sci, 007, 50:
Alvarez G, Li S. Some basic cryptographic requirements for chaos-based cryptosystems. Int J Bifurcat Chaos, 006, 16:
Biham E. Cryptanalysis of the chaotic-map cryptosystem suggested at EuroCrypt 91. In: Advances in Cryptology - EuroCrypt 91. Berlin: Springer,
Alvarez G, Montoya F, Romera M, et al. Cryptanalysis of a discrete chaotic cryptosystem using external key. Phys Lett A, 003, 319:
Skrobek A. Cryptanalysis of chaotic stream cipher. Phys Lett A, 007, 363:
Li S, Alvarez G, Chen G, et al. Breaking a chaos-noise-based secure communication scheme. Chaos, 005, 15:
Li C, Li S, Alvarez G, et al. Cryptanalysis of a chaotic block cipher with external key and its improved version. Chaos Soliton Fract, 008, 37:
Schneier B. Applied Cryptography: Protocols, Algorithms, and Source Code in C. nd ed. Brisbane: John Wiley and Sons,
Robinson R C. An introduction to Dynamical Systems: Continuous and Discrete. New Jersey: Pearson Prentice Hall,
Tang K W, Tang K S, Man K F. A chaos-based pseudo-random number generator and its application in voice communications. Int J Bifurcat Chaos, 007, 17:
Li C, Li S, Alvarez G, et al. Cryptanalysis of two chaotic encryption schemes based on circular bit shift and XOR operations. Phys Lett A, 007, 369:
Lian S, Sun J, Wang J, et al. A chaotic stream cipher and the usage in video protection. Chaos Soliton Fract, 007, 34:
Li P, Li Z, Halang W A, et al. Analysis of a multiple-output pseudo-random-bit generator based on a spatiotemporal chaotic system. Int J Bifurcat Chaos, 006, 16:
Xiang T, Liao X, Tang G, et al. A novel block cryptosystem based on iterating a chaotic map. Phys Lett A, 006, 349:
Li P, Li Z, Halang W A, et al. A multiple pseudorandom-bit generator based on a spatiotemporal chaotic map. Phys Lett A, 006, 349:
National Institute of Standards and Technology (NIST). Security Requirements for Cryptographic Modules. Federal Information Processing Standards Publication
Patidar V, Sud K K, Pareek N K. A pseudo random bit generator based on chaotic logistic map and its statistical testing. Informatica, 009, 33:
Soto J. Randomness Testing of the AES Candidate Algorithms. NIST Interagency Reports
Soto J, Bassham L. Randomness Testing of the Advanced Encryption Standard Finalist Candidates. NIST Interagency Reports
Turan M S, Doganaksoy A, Calik C. Detailed Statistical Analysis of Synchronous Stream Ciphers. estream report 006/
Rukhin A, Soto J, Nechvatal J, et al. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. NIST Special Publication
Li S. When chaos meets computers. arxiv: nlin.cd/
Li S, Chen G, Mou X. On the dynamical degradation of digital piecewise linear chaotic maps. Int J Bifurcat Chaos, 005, 15:
Sang T, Wang R, Yan Y. Perturbance-based algorithm to expand cycle length of chaotic key stream. Electron Lett, 1998, 34:
Park S K, Miller K W. Random number generators: good ones are hard to find. Commun ACM, 1988, 31:
Kohda T, Tsuneda A. Statistics of chaotic binary sequences. IEEE Trans Inform Theory, 1997, 43:
Kohda T. Information sources using chaotic dynamics. Proc IEEE, 00, 90:
Tsuneda A. Design of binary sequences with tunable exponential autocorrelations and run statistics based on one-dimensional chaotic maps. IEEE Trans Circ Syst-I, 005, 5:
Addabbo T, Fort A, Papini D, et al. Invariant measures of tunable chaotic sources: robustness analysis and efficient estimation. IEEE Trans Circ Syst-I, 009, 56:
Ergun S, Ozoguz S. Truly random number generators based on a non-autonomous chaotic oscillator. Int J Electron Commun, 007, 61:
Tomassini M, Sipper M, Perrenoud M. On the generation of high-quality random numbers by two-dimensional cellular automata. IEEE Trans Comput, 000, 49:
Addabbo T, Alioto M, Fort A, et al. A feedback strategy to improve the entropy of a chaos-based random bit generator. IEEE Trans Circ Syst-I, 006, 53:


More information

Image encryption based on a delayed fractional-order chaotic logistic system

Image encryption based on a delayed fractional-order chaotic logistic system Chin. Phys. B Vol. 21 No. 5 (212) 556 Image encryption based on a delayed fractional-order chaotic logistic system Wang Zhen( 王震 ) a) Huang Xia( 黄霞 ) b) Li Ning( 李宁 ) a) and Song Xiao-Na( 宋晓娜 ) c) a) College

More information

A Grey Pseudo Random Number Generator

A Grey Pseudo Random Number Generator A Grey Pseudo Random Numer Generator Yi-Fung Huang 1 Kun-Li Wen 2 Chu-Hsing Lin 3 Jen-Chieh Chang 4 1, 3, 4 Department of Computer Science and Information Engineering Tunghai University, Taichung, Taiwan

More information

Uniform Random Number Generators

Uniform Random Number Generators JHU 553.633/433: Monte Carlo Methods J. C. Spall 25 September 2017 CHAPTER 2 RANDOM NUMBER GENERATION Motivation and criteria for generators Linear generators (e.g., linear congruential generators) Multiple

More information

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory

More information

Low complexity bit-parallel GF (2 m ) multiplier for all-one polynomials

Low complexity bit-parallel GF (2 m ) multiplier for all-one polynomials Low complexity bit-parallel GF (2 m ) multiplier for all-one polynomials Yin Li 1, Gong-liang Chen 2, and Xiao-ning Xie 1 Xinyang local taxation bureau, Henan, China. Email:yunfeiyangli@gmail.com, 2 School

More information

Differential properties of power functions

Differential properties of power functions Differential properties of power functions Céline Blondeau, Anne Canteaut and Pascale Charpin SECRET Project-Team - INRIA Paris-Rocquencourt Domaine de Voluceau - B.P. 105-8153 Le Chesnay Cedex - France

More information

Image Encryption Algorithm Using Natural Interval Extensions

Image Encryption Algorithm Using Natural Interval Extensions Image Encryption Algorithm Using Natural Interval Extensions Lucas Giovani Nardo Control and Modelling Group (GCOM) Federal University of São João del-ei São João del-ei, Brazil gnlucas@gmail.com Arthur

More information

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network Ruilin Li, Bing Sun, and Chao Li Department of Mathematics and System Science, Science College, National University of Defense

More information

A Byte-Based Guess and Determine Attack on SOSEMANUK

A Byte-Based Guess and Determine Attack on SOSEMANUK A Byte-Based Guess and Determine Attack on SOSEMANUK Xiutao Feng, Jun Liu, Zhaocun Zhou, Chuankun Wu and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy

More information

Synchronization of a General Delayed Complex Dynamical Network via Adaptive Feedback

Synchronization of a General Delayed Complex Dynamical Network via Adaptive Feedback Synchronization of a General Delayed Complex Dynamical Network via Adaptive Feedback Qunjiao Zhang and Junan Lu College of Mathematics and Statistics State Key Laboratory of Software Engineering Wuhan

More information

Transform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and

Transform Domain Analysis of DES. Guang Gong and Solomon W. Golomb. University of Southern California. Tels and Transform Domain Analysis of DES Guang Gong and Solomon W. Golomb Communication Sciences Institute University of Southern California Electrical Engineering-Systems, EEB # 500 Los Angeles, California 90089-2565

More information

Pipelined Pseudo-Random Number Generator with the Efficient Post-Processing Method

Pipelined Pseudo-Random Number Generator with the Efficient Post-Processing Method Pipelined Pseudo-Random Number Generator with the Efficient Post-Processing Method Paweł D bal Abstract This brief proposes a novel architecture of the chaotic pseudo-random bit generators (PRBGs) based

More information

APPLYING QUANTUM SEARCH TO A KNOWN- PLAINTEXT ATTACK ON TWO-KEY TRIPLE ENCRYPTION

APPLYING QUANTUM SEARCH TO A KNOWN- PLAINTEXT ATTACK ON TWO-KEY TRIPLE ENCRYPTION APPLYING QUANTUM SEARCH TO A KNOWN- PLAINTEXT ATTACK ON TWO-KEY TRIPLE ENCRYPTION Phaneendra HD, Vidya Raj C, Dr MS Shivakumar Assistant Professor, Department of Computer Science and Engineering, The National

More information

Cryptanalysis of a data security protection scheme for VoIP

Cryptanalysis of a data security protection scheme for VoIP Cryptanalysis of a data security protection scheme for VoIP Chengqing Li, Shujun Li, Dan Zhang 3 and Guanrong Chen Department of Mathematics, Zhejiang University, Hangzhou 37, P.R. China Department of

More information

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0

More information

Haar Spectrum of Bent Boolean Functions

Haar Spectrum of Bent Boolean Functions Malaysian Journal of Mathematical Sciences 1(S) February: 9 21 (216) Special Issue: The 3 rd International Conference on Mathematical Applications in Engineering 21 (ICMAE 1) MALAYSIAN JOURNAL OF MATHEMATICAL

More information