Chaos-Based Symmetric Key Cryptosystems

Transcription

1 1 Chaos-Based Symmetric Key Cryptosystems Christopher A. Wood Abstract Chaos theory is the study of dynamical systems that are highly sensitive to initial conditions and exhibit seemingly random behavior. From the perspective of cryptography and information security, randomness generated from entirely deterministic systems is a very appealing property. As such, the application of chaos in modern cryptography has been a topic of much research and debate for over a decade. This paper presents an overview of chaotic dynamics and their role in symmetric key chaos-based cryptosystems from both a theoretical and practical perspective. Index Terms Chaos Theory, Cryptography, Dynamical Systems, Symmetric Key Cryptosystems I. INTRODUCTION Ever since the discovery of chaotic behavior in the mathematical modeling of weather systems by Edward Lorenz in the early 1960s, chaos theory has found its way into many different fields of science, including physics, economics, biology, and even philosophy. In recent years, however, its influence has begun to spread into the science of cryptography. The sensitivity to initial conditions and seemingly random behavior produced from deterministic equations caught the eye of cryptographers throughout the science community as they tried to incorporate these properties into emerging cryptosystems, including symmetric key encryption, hashing, and pseudo-random number generators. The biggest problem that modern chaos-based symmetric key cryptosystems face is that they lack thorough and provable security properties and acceptable performance. Successful cryptosytems that are employed in commercial applications come from designs that emphasize both of these issues. As such, it is necessary to discuss both of these topics in the exploration of chaos-based symmetric key cryptosystems. This paper explores the connection between chaos theory and cryptography from both a theoretical and practical perspective. II. CHAOS DYNAMICS Chaos is best known as a sensitivity to initial conditions exhibited by dynamical systems described by differential equations or iterated mappings. This concept is similar to the butterfly effect, an idea first explored in a particular case of the three-body problem by Henri Poincare [1]. In the case of chaos-based symmetric key cryptosystems, we will focus on chaotic systems that are defined by iterated mappings as they are the more likely candidates for actual implementation. However, it is important to note that these iterated mappings are really just recurrence equations derived from the original differential equations. For such systems, a sequence of points created by recursive iterations of some initial value of the phase space, which is the domain of the chaotic map, is defined as a phase trajectory, or simply a trajectory. The elements of such trajectories and the elements of the phase space in general play a significant role in determining the chaotic behavior of a system. Furthermore, systems must have dense periodic trajectory orbits and must be topologically mixing in order to be deemed chaotic [2]. Periodic orbits are recurring sequences of elements in trajectories produced by chaotic systems. In dynamical systems, a periodic orbit is determined to be dense if at any point x X, where X is the phase space, either belongs to a subset A X or is a limit point of A. In other words, the set of periodic points in the phase space at any given iteration is countably infinite. One can see that if periodic orbits of a system are dense then all possible values in the phase space will eventually be reached given enough iterations by the map. Topological mixing is a form of mixing that may be defined without appeal to a measure (or size) of the system. Formally, however, a system F possesses the mixing property if, for any two measurable sets A and B there exists an integer N such that for all n 1 N the relationship in (1) is satisfied [3]. f n (A) B (1) Most chaotic systems exhibit these three properties. However, a proven characteristic of all truly chaotic systems is that they have positive Lyapunov exponents. In dynamical systems, the Lyapunov exponent is a quantity that is used to gauge the rate of separation of infinitesimally close initial trajectories. Specifically, two trajectories in a system s phase space with initial separation δx 0 diverge, as shown by equation (2). λ = δx(t) e λt δx 0 (2) ( ) 1 lim t, X 0 0 t ln X(X 0, t) 1 X 0 In other words, the difference between two initial trajectories will exponentially increase after a very short time depending on the magnitude of the Lyapunov exponent, λ. Based on this rate of separation, a system is deemed chaotic if λ > 0. Conversely, the system is deemed regular if λ 0. By graphing the value of the Lyapunov exponent for the logistic map, a chaotic system defined in the next section, it is easy to see this relationship, as shown in figure (1). One final important piece of chaotic dynamics is the notion of attractors and robust chaos. A chaotic attractor is a set of elements in the phase space of the system towards which trajectories of the system evolve around over time. In other words, the elements of trajectories produced by the system will remain in the bounds of the attractor as they are recursively (3)

2 2 Fig. 3. Trajectories of the logistic map generated by recursive mappings of some initial value, X 0. Fig. 1. Logistic bifurcation diagram and corresponding Lyapunov exponent values for varying values of r, the control parameter for the map. begin to diverge or separate, becoming very different after a short amount of iterations. Cryptographic primitives possess a similar property known as diffusion, which is defined as the process by which the influence of a single plaintext digit is spread out over many ciphertext digits in order to hide the statistical structure of the plaintext. This means that the ciphertext is highly dependent on the plaintext, just as the trajectories of a chaotic system are on their initial values. Another similarity between chaotic systems and cryptographic primitives lies in the relationship between discrete time-based system iterations and encryption rounds. Both of these properties serve to continuously transform and modify some initial value or plaintext. For example, consider the following discrete time-based system: x n+1 = rx n (1 (x n )) (4) Fig. 2. The Lorenz attractor plotted in the 3-dimensional plane. generated. This property can be seen in figure (2), an image of the famous 3-dimensional Lorenz attractor. Robust chaotic systems are those that have attractors even when parameters in the system undergo small changes. This is an ideal property for chaotic systems that are used for cryptography because any change in initial conditions will cause trajectories to remain in the same attractor set, thus making it difficult to predict any outcome without knowing the initial conditions of the system and the iteration count. III. MAPPING CHAOS THEORY TO CRYPTOGRAPHY At a theoretical level, the properties chaotic systems and cryptographic primitives have unique characteristics that have potential applications in cryptography. These properties of dynamical systems can be related and subsequently mapped to properties of cryptographic primitives. For example, consider the sensitive dependence of chaotic systems. As two relatively close initial values are recursively generated their values will This is the recurrence relationship for the logistic map, which is derived from the differential form of the logistic equation ( dx dt = rx(1 x)). The value r is a positive constant that is commonly referred to as the biotic potential or the control parameter [4]. It is one of the most common discrete time-based chaotic systems that was first popularized by Robert May, a biologist, in At first glance it might seem that this quadratic map is very simple. However, after further analysis one can see that it is capable of very complicated behavior given the initial parameters of the system. Figure (3) shows one chaotic trajectory of the logistic map. Each iteration of the logistic map is used to recursively produce new points in the phase space from some initial value x 0. Depending on the level of mixing within the chaotic map, this value will diverge and cover more elements in the phase space. These iterations are very similar to rounds in a cryptographic cipher, where each round serves to transform the internal state of the cipher towards the final ciphertext. The last most significant similarity between chaotic systems and cryptographic primitives is the relationship that exists between system parameters and cryptographic keys. In a general sense, the system parameters for a chaotic map and a cryptographic key serve the same purpose, which is to determine the functional output of the system or cipher. Since chaotic maps and cryptographic ciphers are both deterministic, the system parameters and keys determine exactly what the output will be in such a way that it is statistically infeasible

3 3 Fig. 4. A typical symmetric key block cipher structure based on the substitution-permutation network design. It contains the four fundamental operations of key addition, S-box substitution, permutation, and linear mixing. for an attacker to guess the output without knowledge of such values. Therefore, it is imperative that both the system parameters remain secret in order to maintain the security properties of the map. Although the properties of chaotic maps and cryptographic primitives have similar characteristics that make them appealing to work together, there is one significant property of chaotic behavior to take into account when considering its application in symmetric key cryptosystems. Encryption transformations traditionally operate on finite sets of integers. Conversely, the chaotic principles discussed above usually operate on a (sub)set of real numbers (continuum), as chaotic behavior only truly exists on intervals of real numbers. Therefore, the level of chaotic behavior exhibited by systems that operate on real numbers is closely tied to the amount of precision with which those numbers are represented. In reallife applications where the amount of numerical precision is limited, the configuration and choice of chaotic maps must be done carefully so as to not compromise the chaotic behavior of such systems. If the trajectories of the chaotic maps can be predicted then they would have no useful application in any cryptosystem. IV. CHAOTIC CIPHER DESIGN Modern symmetric key ciphers usually consist of four internal operations. These components are building blocks for most ciphers and are based on the common substitutionpermutation network design, transformations through S-boxes, and both linear and non-linear mixing transformations. The reader is referred to [5] for a thorough description of each of these stages. In summary, the design of efficient and realizable block ciphers adhere to the structure seen in figure (4). Chaotic ciphers attempt to replicate these four elements using space-discretized versions of chaotic maps that approximate real-valued systems. The term discretized is very important here. Chaotic systems work in two dimensions; time and space. For example, the logistic map is discretized in the time dimension (e.g. values occur at fixed points in time or at fixed iteration counts). This map still operates on the field of real numbers, meaning that it is continuous in the space dimension. As discussed earlier, chaotic behavior is most commonly observed over the set of real numbers. However, even in real intervals such as [0, 1], the number of elements x R is countably infinite. This implies that it is impossible to represent all possible values within this interval and, by induction, any real interval. In essence, this means that we must limit the numbers we can represent within intervals over a given set of numbers because we are unable to represent such infinite precision and cardinality in finite computing devices. Another reason for the discretization of chaotic maps is for performance. By limiting the amount of precision for chaotic map values we are effectively reducing the amount of data that has to be stored and computed by computers. It is well known that floating point operations (that is, arithmetic operations involving non-integer numbers) perform substantially slower than integer arithmetic primarily because of storage formats for such data. For instance, the IEEE standard of floating point storage dictates that data blocks contain the value s sign, exponential mantissa, and significand. Therefore, in order to perform arithmetic, this format must be interpreted by the processing unit before any actual computation is done, which introduces a great deal of overhead when done hundreds of thousands of times. How we define an approximation of a chaotic map is important in the design of chaotic ciphers. Given the computational and memory limitations of modern computing systems, there must be an efficient mapping scheme between elements on a continuum to elements of a finite set. The most common approach has been to partition the phase space of a continuum (e.g. the set of all elements in the system) into a finite number of blocks [6]. The size of such blocks relates to the level of precision available for implementation. The more accurate the representation can be, the smaller such partition blocks can become, which in turns increases the size of the phase space for the domain and range of the system. Additionally, the confusion and diffusion properties of these chaotic maps must be considered in terms of both the Euclidean geometry distance and the bit/byte spaces [5]. The practicality of predicting trajectories produced by the chaotic map must be considered from both the dynamical system and traditional cryptography sense. In other words, transformations should not only generate values that are far apart in Euclidean space (dynamical system perspective), but they must also generate values that differ in bit values (traditional cryptography perspective). This requirement goes back to the Lyapunov exponent measure of chaotic systems that gauge the rate of separation for trajectory points generated by a system. Although truly chaotic behavior is theoretically impossible to implement given the limitations of modern computers, approximated chaos must have a high rate of separation and input/output differences. Otherwise, information about the contents of the system parameters may be leaked if patterns begin to emerge through frequent periodic behavior exhibited by the map.

4 4 V. CIPHER EVALUATION The security of chaos-based ciphers is primarily based upon the measure of entropy of the underlying chaotic maps. In classic information theory, entropy is a measure of the amount of randomness of a system. In chaos-based cryptosystems, higher levels of entropy are better because they thwart forms of cryptanalysis that rely on patterns between input and output values. Therefore, cipher designs should strive to maximize entropy to increase the security of the cipher. One way to increase the entropy of chaos-based ciphers is to modify the order of the key and plaintext/ciphertext space. In such systems the size of these sets is directly proportional to the amount of entropy. Specifically, the entropy of a system with a key space K is approximately log 2 k. Clearly, as the order of the key space increases, then the entropy increases as well. The initial conditions of a chaotic system also play a significant role in its entropy. Consider, for example, the bifurcation diagram of the logistic map shown in figure (1). As the value of r is varied the number of unpredictable trajectories of a given initial value X 0 changes dramatically. In other words, the trajectory distribution for X 0, given varying initial conditions, seems random and unpredictable. It is important to note that these initial parameters must be chosen such that the map both exhibits chaotic behavior and has secure properties that allow it to avoid predictability and improve pseudo randomness of trajectories during the recursive mapping transformations. The number of iterations of a chaotic map also impact the security of chaos-based ciphers. Since chaotic maps are deterministic, the final value can be easily computed given the initial conditions. However, by randomizing the number of iterations for the map, determining the initial conditions based solely on the output trajectory element becomes more difficult. Therefore, by keeping the number of iterations secret and dynamic throughout the course of the cipher, a brute force attack becomes a matter of not only determining the initial conditions of the map, but also determining the number of iterations used to produce the final trajectory. One must also consider the size of the blocks of data encrypted and decrypted by chaotic cryptosystems. In effective ciphers larger data blocks means the attacker will have a harder time sifting through the data to find patterns and correlations. However, this improved security comes at the cost of performance, especially when considering chaotic cryptosystems. Given the complexity of floating point operations on traditional processors and the requirements for the cipher, it might not be feasible to support larger data blocks. Despite the advancements in modern CPU FLOPS, these operations will not be as fast as simple binary arithmetic, which is a major concern for those looking to implement practical cryptographic primitives. This leads to another aspect of chaotic maps to consider when implementing a chaos-based cipher: the set of elements in the system domain. For example, a direct translation of chaotic systems over the set of real numbers to a running cipher results in the use of floating point operations [7]. This results in very inefficient code, as floating point operations are well-known to be expensive operations due to the storage format of the data. In addition, different processor architectures might handle floating point operations differently depending on their capabilities. This makes them susceptible to reproducibility problems due to the inconsistency of FP operations between these different processor architectures. VI. SECURITY ANALYSIS Security, from a cryptography perspective, is measured both by the theoretical and practical levels of cryptographic primitives. At the theoretical level, cryptographic primitives are deemed secure if they possess randomness increasing and computationally unpredictable characteristics. A complete description of these properties is beyond the scope of this paper, but a brief discussion is necessary to make this paper self inclusive. By definition, randomness increasing implies that the cryptographic primitive must increase the entropy of the system over which it operates. However, it is impossible in classical information theory for a deterministic function or map applied to a probability distribution P to increase entropy [5]. In practical implementations, however, where computational power and resources are limited, an increase in entropy may be possible. The reason for this is that given the result of mapping a value X 1 to another value X 2 using G (e.g. G(X 1 )), the result G(X 1 ) may appear similar to another distribution Q. Due to the limits of modern computing power it may be infeasible to differentiate Q from P, and if the entropy of Q is greater than that of P, then we can say that the mapping G is computationally randomness increasing. This loophole is exploited during the construction of modern chaosbased ciphers so as to hinder the application of cryptanalysis techniques to break the primitive. The notion of computationally unpredictable is a bit more sophisticated and outside the scope of this paper as its roots lie in complexity theory. Therefore, the reader is referred to [6] for a more detailed discussion. From a practical perspective, cryptographic primitives are deemed secure if they are resistant to common attacks. The two forms of cryptanalysis attacks that are discussed in this paper are differential and linear cryptanalysis. Other forms of attacks specific to chaos-based ciphers, such as naive, trajectory-based, loss of information, and memory attacks, are also possible techniques that can be implemented. Differential cryptanalysis is a chosen plaintext attack that is used to find the secret key of an iterated block cipher. Specifically, it analyzes the effect of the difference between two pairs of plaintext values on the difference of the corresponding pair of ciphertext values. Differential cryptanalysis relies on the fact that a given input/output difference pattern only occurs for certain values of input. The effectiveness of such attacks depends on the design of the linear and non-linear transformations that make up the rounds of the chaos-based cipher. In terms of chaotic maps, the transformation map should have a good enough mixing property so as to mask any statistical correlation between input values and output trajectories. Linear cryptanalysis is a known plaintext attack in which the attacker approximates linear transformations of a cipher s

5 5 and security community, it is still important to understand the different ways in which chaos theory can be used to build symmetric key cryptosystems. This section is devoted to four different cipher designs; Namely, the Simple and Advanced ciphers, Baptista encryption cipher, Chaotic Feistel and Uniform ciphers, and Rabbit cipher. The internals for each of these cipher designs are discussed in addition to their relative security properties and performance metrics (where available). Fig. 5. PDF of the logistic map with two different initial values. The equal distributions are an indication of the dense periodic orbits and topological mixing behavior exhibited by the system. internal components. Such attacks try to take advantage of the correlation between plaintext and ciphertext bits. The general idea is to determine linear expressions comprised of XOR operations on combinations of plaintext and ciphertext bits such that the result is 0. Such expressions can then be applied to other sensitive ciphertext data to find bits of the plaintext using a manipulation of these linear expressions. The probability of a successful differential or linear cryptanalysis attack depends on the statistical attributes of the cipher, or in this case, the internal chaotic map. If it is easy to predict values of the map after any iteration then it is obvious that these attacks will be simple to implement. However, as with any chaotic map, it is computationally difficult to perform such accurate predictions. For example, consider the logistic map discussed earlier, as it is the most commonly used chaotic map in chaos-based ciphers. If we partition the phase space of the region of the attractor into M equal subsets and calculate the number of times a trajectory visits each subset m i for a large number of initial values and iterations we obtain a probability distribution of the map. The number of visits associated with each m i is the probability p i of that space in the phase space. It has been shown that the probability distribution of truly chaotic systems has no dependence on the system s initial value [8], which implies that the probability measure is unchanged by the dynamics of the system (e.g. invariant probability measure). If we build the logistic map with initial parameters such that its corresponding Lypaunov exponent λ = 4.0 the probability distribution is given by equation (5), and can be seen in figure (5). This is the ideal distribution for chaotic maps that are used in chaos-based cryptosystems, as the probability of each phase element occurring after an iteration of the map is the same as any other element. Clearly, this property increases the difficulty of an effective differential or linear cryptanalysis attack. 1 P (X) = π X(1 X) VII. CASE STUDIES Many different chaotic ciphers have been designed and proposed in recent years. Although the majority of such ciphers have faced criticism from the majority of the cryptography (5) A. The Simple and Advanced Ciphers The Simple and Advanced ciphers, proposed by Roskin and Casper [9], are two very basic applications of chaotic maps in block cipher designs. They are based around the unpredictability of the logistic map. The general idea in each of these ciphers is to encrypt bytes of plaintext as the final trajectory elements obtained by a variable number of iterations of the logistic map. In this application, both the initial value and the number of iterations of the chaotic map vary with the plaintext and secret key. The complete Simple cipher algorithm is outlined in (1). L is the logistic map with initial parameter r = 3.9 that is used to generate trajectories of some initial value X 0. M 1 is a mapping function between elements in the key space to the domain of elements in the logistic map (namely, the real interval [0, 1]). Similarly, M 2 is the inverse of M 1 in that it maps elements in the domain of L to the set of integers between 0 and 255. Algorithm 1 Simple cipher encryption -Generate the key schedule K, where k 0, k 1, k 2,..., k n are successive blocks of key data used in the cipher for each block of plaintext data p P (the set of plaintext data, where P = n 1) do -Map k i to an element in the phase space of the logistic map and use it as the initial value X 0 -Add 16 to k i+1 and use the result t as the number of iterators for the logistic map -Compute the final value x t of X 0 after t iterations using the logistic map -Map the final value of the logistic map back to an element in the key space -Add the p i to x t to generate c i, the i th block of the ciphertext end for The security of this cipher comes from the initialization of the chaotic map. Specifically, two successive values in the key schedule are used to generate the initial value for the map (X 0 ) and the number of iterations. If an attacker were to obtain the key schedule, decryption would be simple because every component of the cipher is a deterministic function based on the input value and the secret key. Clearly, if one does not know the key, it would be difficult to reconstruct the original plaintext from the ciphertext. To test the security of the cipher, the authors used it to encrypt image data so as to gather a visual measure of the amount of information leakage. They found that the cipher

6 6 Fig. 6. The first image is the original plainimage used by the authors of the Simple and Advanced ciphers for testing. The second and third images are the difference maps between the plainimage and cipherimage produced from the Simple cipher and Advanced cipher, respectively. Fig. 8. Histogram of pixel frequencies (color) for each pixel index in the original image. cipher encryption algorithms. Formally, the cipher algorithm is outlined in algorithm (2). Fig. 7. Block diagram of the Advanced cipher which clearly shows the feedback mechanism used to further randomize the chaotic mappings produced by the logistic map. generated data in a periodic fashion. In other words, the pads that are produced by the cipher formed a series that created a pattern of displacement in the ciphertext. The reason for this is that the pad depends entirely upon the key, thus giving the cipher a period equal to the size of the key. This periodic behavior is evidence alone that the cipher is not secure, and it can be clearly seen in the difference map shown in figure (6). To avoid the periodic behavior of the Simple cipher, the authors implemented a feedback mechanism into its design so as to vary the pad by both the key values and the output of the previous ciphertext byte. This created a feedback chaining model, as shown in figure (7), and gave the cipher very good statistical properties. The statistical spread of ciphertext data based on pixel indices and frequencies was greatly increased, as shown in the histogram of pixel frequencies in figure (8). Additionally, it was shown that a change in a single bit in the encryption key changed, on average, 49.6% of the bits in the corresponding ciphertext. Ideally, a change in a single key bit will change all of the corresponding ciphertext data, but approximately 50% is still acceptable in terms of security. B. Iteration-Based Encryption Cipher Another interesting application of chaotic maps in cryptography is Baptista s block cipher design proposed in 1998 [10]. Baptista s design encrypts bytes of plaintext as the integer number of iterations performed in the logistic map, which is quite different from the previous Simple and Advanced Algorithm 2 Baptista encryption algorithm -Choose a pair (r, X 0 ) and determine the interval of interest [X min, X max ]. In this case, the interval of interest is a subset of the phase space over which the chaotic attractor resides. -Partition the interval [X min, X max ] into n equal sets and assign each set a unique ASCII character for each character in the plaintext string s do -X 0 rx 0 (1 X 0 ) while X 0 is not at the site in the interval [X min, X max ] corresponding to the current plaintext character and random() > p do -X 0 rx 0 (1 X 0 ) end while end for Although this algorithm is very simple in design it has some weaknesses. Specifically, the performance depends on the implementation of the random() function. If the randomness of this PRNG is sub-par then periodic behavior will likely occur within a few runs of the cipher. Again, periodic behavior can result in an information leak in which attackers can deduce information about the secret key (or the coefficient p). Furthermore, depending on the behavior of the logistic map and its initial values, both encryption and decryption can take serious performance hits depending on how long it takes to reach the appropriate phase site. Another interesting result of this cipher is that the size of the coefficient p cannot be set too large for realistic implementations. If this is too large then the phase site may never be reached and both encryption and decryption would not be possible. C. Chaotic Feistel and Uniform Ciphers One recently proposed chaotic block cipher is the Chaotic Feistel cipher by Masuda et. al. [5]. Their cipher is designed

7 7 distinction is the structure of the cipher itself. Interestingly enough, however, even if the two ciphers used the same S-box and chaotic mixing transformation, the security properties of these ciphers would differ. Unfortunately, the authors did not present performance metrics for their ciphers. Their work was mainly focused on proofs of the mathematical properties of the cipher design and cryptographic transformations. The reader is encouraged to find more information at [5] regarding these proofs and what they entail. Fig. 9. Block diagram of the Chaotic Feistel cipher proposed in [5]. Each a i,k, 0 <= k <= 7 is a byte of plaintext that is fed into the cipher. for blocks of data that are 128-bits in length. The general structure of the cipher is shown in figure (9). For this cipher the authors propose a number of different options for the chaos-based one-to-one mixing transformation, including a 1-D chaotic map, 2-D cat map, and even 4-D torus map. The reader is referred to [5] for a description of these transformations and their security properties. The fact that any cryptographically secure chaotic map can be used as the nonlinear mixing transformation makes this cipher very modular. The most important design concept for this cipher is that both the S-box and mixing transformation are built upon the discretized chaotic maps, such as the discretized skew tent map. Also, the performance of the cipher is largely dependent on the internal operations of these chaotic maps. In the case of the Chaotic Feistel cipher which is based on the discretized skew tent map, the byte multiplications used by this map make the overall encryption and decryption runtime slower than modern block ciphers. Another chaos-based block cipher is the Chaotic Uniform cipher, first proposed by the same authors of the Chaotic Feistel cipher [5]. Similar to the Chaotic Feistel cipher, the data block size is 128 bits. However, the Uniform cipher is different from the Feistel cipher in a couple distinguishable ways. Firstly, all 128-bits of the plaintext are processed in one step within the round function. Sixteen bytes (a 0, a 1,..., a 15 ) are XOR d with the corresponding bytes of the secret key and then fed into sixteen S-boxes. The output bytes from these transformations are then fed into the mixing transformations, of which there are four total that have four inputs each, to generate the output state data for the round. It is important to note that in each of these cipher designs the output of each round, and ultimately the ciphertext, is a result of the trajectories of the internal chaotic map. This is unlike the previously discussed ciphers that used iteration counts and counter-like modes of operation to generate the ciphertext. Therefore, these ciphers require that the chaotic map is invertible. There is one significant similarity between the Chaotic Feistel cipher and Chaotic Uniform cipher. The components of the ciphers (that is, the S-box, mixing transformations, etc.) can be used interchangeably in each design. The only D. Rabbit Cipher Rabbit is a relatively new stream cipher that was inspired by the random behavior of chaotic maps. Briefly speaking, it is designed to work with 128-bit data sizes, as both the key and output data are 128-bits in length. Additionally, its internal data structures consist of eight state variables and eight counters. Its design is very similar to the counter mode of operation for traditional block ciphers in that the secret encrypted values can be precomputed and XOR d with the plaintext for encryption. This greatly increases the efficiency of the encryption and decryption schemes as the corresponding plaintext and ciphertext data can be streamed into the cryptosystem at runtime. The algorithm for the cipher can be broken down into the following four main components [7]: 1) Key setup 2) Next state (round) function 3) Counter system 4) Extraction scheme The first part of the Rabbit algorithm is the key setup scheme that initializes the eight individual state variables and counters of the cipher. The mapping between the state variables and counters is a one-to-one correspondence defined by splitting the bits of the key value into 8 individual partitions with some additional manipulations. In order to decrease any statistical correlation between the initial variables and the the key, the system is iterated four times using the following nextstate function: x 0,i+1 = g 0,i + (g 7,i <<< 16) + (g 6,i <<< 16) x 1,i+1 = g 1,i + (g 0,i <<< 16) + g 7,i x 2,i+1 = g 2,i + (g 1,i <<< 16) + (g 0,i <<< 16) x 3,i+1 = g 3,i + (g 2,i <<< 16) + g 1,i x 4,i+1 = g 4,i + (g 3,i <<< 16) + (g 2,i <<< 16) x 5,i+1 = g 5,i + (g 4,i <<< 16) + g 3,i x 6,i+1 = g 6,i + (g 5,i <<< 16) + (g 4,i <<< 16) x 7,i+1 = g 7,i + (g 6,i <<< 16) + g 5,i (6) where, g j,i is defined as: g j,i = ((x j,i + c j,i ) 2 ((x j,i + c j,i ) 2 >>> 32))mod2 32 (7)

8 8 Fig. 10. The next-state function used in the Rabbit cipher. This system of equations can be seen graphically in figure 10. This map simulates chaotic behavior over the finite domain of integers. However, the cardinality of the field of elements is 2 32, which is significantly larger than traditional block cipher fields (e.g. GF(2 8 ) used in AES). What is unique is that instead of operating over the domain of real numbers (meaning that implementation requires floating point operations), the domain is scaled up by 2 32 to translate decimal numbers into integers. This key modification to the phase space maintains the same precision as in the real interval while at the same time improving implementation performance. The counter dynamics are expressed using a system of equations similar to the state variable map. The phase space for the counters is the same as the state variables. The counter valus are incremented before each system iteration using predefined constants such as 0x4D34D34D and 0xD34D34D3 and carry-over bits from previous iterations. Just as with the next-state function, the addition done to increment the counters is modulus 2 32, so the counter space is just as large as the phase space. Note how the values of the g function that is used in the next-state function are directly dependent on the corresponding counter values. This implies that the domain of the g values cover the same space as the counters. It also provides an inherent mode of operation similar to the counter mode of operation for traditional block ciphers, which adds an extra layer of confusion to avoid the detection of any relation between bits of the plaintext and ciphertext. After each iteration of the system, the bits of the internal state are extracted and XOR d with the plaintext to encrypt (or ciphertext to decrypt) the data. This mode of operation is important because no inverse for the next-state function was defined, so it is treated as a one-way function as the cipher operates in a counter-mode. A thorough security analysis of the operations that actually generate the secret key (key expansion, system iteration, and counter modification) shows that Rabbit is quite promising. For a full description the reader is referred to [7]. However, perhaps the most interesting security property is that the nextstate system iteration function ensures that after only two iterations all of the state bits are affected by all key bits with a probability of approximately 0.5. As discussed earlier, this value is acceptable from a security perspective, but just to be safe the authors have chosen to give a safety margin of four iterations to increases this probability. Additionally, the counter modification process is very difficult to invert without knowledge of the internal state variables. However, there is the possibility that counter values will be repeated for different keys (periodic behavior exhibiting a pattern), which is detrimental to the overall security of the cipher. Since the counter space is very large, predicting values of the counter is relatively easy since the increment function is based on simple addition operations. In particular, the least significant bit of each counter value has a probability of 1.0 to change, whereas the most significant bit has a probability of of changing. Despite these drawbacks, the fact that the counter bits carry over into subsequent increment operations means that each bit will have an equal period length. Further analysis work revealed that the cipher held up well against algebraic and statistical attacks. Their algebraic analysis tested the relationship between input bytes and output bytes for the g function, since this is at the heart of the nextstate function. Through simple manipulation of the individual bytes for g, the authors were able to determine that each byte of y in g(y) has an entropy of approximately From these analysis efforts, the authors concluded that the existence of attacks better than exhaustive searches were not possible. Performance-wise, the Rabbit cipher obtained very promising results. Optimized versions of Rabbit were written in C with some inlined assembly that utilizes the target processor s MMX instructions (when available). For scalability, it was tested on both the Intel Pentium III (32-bit x86 CISC) and ARM7 (32-bit RISC) architectures. The code for the Intel processor was compiled using the Intel C compiler. The source code for the key setup and encryption/decryption routines was 617 bytes and 440 bytes, respectively. Additionally, the key setup and encryption/decryption routines only used a total of 32 bytes and 36 bytes of memory, respectively. Since the key setup scheme is only done once during the operation of the cipher, the execution time in terms of clock cycles was measured to be 350 cycles, which is relatively quick compared to other modern ciphers. Furthermore, the encryption/decryption schemes were able to operate at a speed of 3.7 cycles/byte of data. The ARM7 processor, being the less complicated RISC architecture, was implemented in less lines of code (most likely due to the lack of inline assembly to improve performance). The key setup and encryption/decryption schemes used a total of 516 and 424 bytes of code and 44 and 52 bytes of memory, respectively. In terms of execution time, the ARM7 implementation would obviously run slower, as it was clocked

9 9 at a rate of 679 cycles for key setup and 10.5 cycles/byte for encryption/decryption. VIII. FUTURE WORK Chaos theory is still an emerging field of science. Its application in cryptography is much more focused on dynamical systems, statistics, and probability theory than it is on number theory. Although there has been significant research done in the field of chaos-based cryptosystems, their acceptance in academic and commercial systems has been widely unsuccessful. Perhaps the most significant reason for this is that chaos behavior is only truly exhibited on intervals of real numbers. While it is possible to approximate chaotic behavior using discretized versions of chaotic maps, given enough time and effort, one can uncover the predictive patterns of the map. The limitations for computational power and finite representation are the boundary between chaos theory and cryptography. From a strictly implementation standpoint, operations on data that belong to the set of real numbers are very expensive. The IEEE standardized storage format for floating point numbers increases both the complexity of interpretation of data and of performing basic arithmetic operations on such data. Furthermore, it is impossible to represent a true interval of the real numbers on a computer. The real numbers are, by definition, infinite. Thus, their representation cannot be squeezed into a finite representation. The inherent space discretization of dynamical system phase spaces implemented on computers may significantly alter its chaotic behavior, perhaps even removing it altogether [11]. Additionally, chaos-based cryptosystems do not have their foundations in number theory. This makes mathematicians and cryptographers skeptical about using such systems, as proving the security and computational complexity becomes an increasingly difficult, if even possible task. [5] N. Masuda, G. Jakimoski, K. Aihara, and L. Kocarev, Chaotic block ciphers: From theory to practical algorithms, IEEE: Transactions on Circuits and Systems, vol. 53, pp , [6] L. Kocarev, Chaos-based cryptography: A brief overview, Circuits and Systems Magazine, IEEE, vol. 1, pp. 6 21, [7] M. Boesgaard, M. Vesterager, T. Pedersen, J. Christiansen, and O. Scavenius, Rabbit: A new high-performance stream cipher, Proc. Fast Software Encryption, vol. 2887, [8] L. Shujun, M. Xuanqin, and C. Yuanlong, Pseudo-random bit generator based on couple chaotic systems and its applications in stream-cipher cryptography, in Progress in Cryptology INDOCRYPT 2001, ser. Lecture Notes in Computer Science, C. Rangan and C. Ding, Eds. Springer Berlin / Heidelberg, 2001, vol. 2247, pp [9] K. Roskin and J. Casper, From chaos to cryptography. [10] M. S. Baptista, Cryptography with chaos, Physics Letters A, vol. 240, no. 1-2, pp , [11] N. Masuda and K. Aihara, Dynamical characteristics of discretized chaotic permutations, Int. J. Bifurc. Chaos, vol. 12, pp , IX. CONCLUSION There are certain elements of chaos theory that make it theoretically applicable to cryptography. For this reason, there has been significant research done in chaos-based cryptosystems. However, given the loose connection between these two fields it has been difficult to produce cryptographic primitive designs that are suitable for real-world use from both a theoretical and practical perspective. Perhaps as chaos theory evolves as a science in the 21st century this connection will become clearer and pave the way for more appropriate cryptography applications. Until then, however, traditional number theory cryptosystems will continue to lead the way into the future. REFERENCES [1] S. Wolfram, A New Kind of Science. Wolfram Media, [Online]. Available: [2] E. W. Weisstein. Chaos. From MathWorld, A Wolfram Web Resource. [Online]. Available: [3] I. P. Cornfeld, S. V. Fomin, and Y. G. Sinai, Ergodic theory, Springer, [4] E. W. Weisstein. Logistic map. From Math- World, A Wolfram Web Resource. [Online]. Available: