882 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS II: EXPRESS BRIEFS, VOL. 54, NO. 10, OCTOBER 2007

Discrete Lyapunov Exponent and Resistance to Differential Cryptanalysis

José María Amigó, Ljupco Kocarev, and Janusz Szczepanski

Abstract
In a recent paper, Jakimoski and Subbalakshmi provided a nice connection between the so-called discrete Lyapunov exponent of a permutation defined on a finite lattice and its maximal differential probability, a parameter that measures the complexity of a differential cryptanalysis attack on the substitution defined by . In this brief, we take a second look at their result to find some practical shortcomings. We also discuss more general aspects.

Index Terms
Differential cryptanalysis, discrete Lyapunov exponent (DLE), maximum differential probability ().

I. INTRODUCTION

Let the set be endowed with addition modulo and let be a bijection (also called -permutation or -substitution). The discrete Lyapunov exponent (DLE) of is then defined as holds, where Substitutions on sets of integers are important in chaotic cryptography [4] among other potential applications. For this reason, we have scrutinized the constraints (1) in search of further insights. We have found the following. (i) The upper bound in (1) can be optimized for even to render with (2) (3) (4) where for and. was introduced in [1] and further developed in [2] as a main tool of discrete chaos, a framework for counterparts of standard dynamical concepts in finite-state systems. In [3], Jakimoski and Subbalakshmi make an interesting connection between and the resistance of (viewed as a substitution of a hypothetical cipher with alphabet ) to differential cryptanalysis. This resistance or immunity is measured by the maximum differential probability (). Note that (just take ). According to [3, Th. 1], the relation (1)

Manuscript received March 2, 2007; revised April 11, 2007.
This work was supported in part by the Spanish Ministry of Education and Science under Grant MTM2005/049048, and by the European FEDER Funds. The work of L. Kocarev was supported in part by the National Science Foundation. This paper was recommended by Associate Editor Z. Galias. J. M. Amigó is with the Centro de Investigación Operativa, Universidad Miguel Hernández, 03202 Elche, Spain (e-mail: jm.amigo@umh.es). L. Kocarev is with the Macedonian Academy of Sciences and Arts, 1000 Skopje, Macedonia, New York University Skopje, 1000 Skopje, Macedonia, and Institute for Nonlinear Science, University of California, San Diego, La Jolla, CA 92093-0402 USA (e-mail: lkocarev@ucsd.edu). J. Szczepanski is with the Institute for Fundamental Technological Research, Polish Academy of Sciences, PL-00-049 Warsaw, Poland (e-mail: jszczepa@ippt.gov.pl). Digital Object Identifier 10.1109/TCSII.2007.901576

We will show that the new upper bound, , is reached (hence, it cannot be lowered) and, moreover, (5) for all, i.e., . (ii) Furthermore, if one restricts to the optimal value (meaning maximal immunity to differential cryptanalysis in the context of encryption mappings on ), so that (3) becomes then analytical and numerical calculations show that the constraints (6) are fulfilled by virtually all permutations. We conclude that even the improved interval (6) is too wide to filter in practice the most resistant substitutions to differential cryptanalysis, thus making necessary a sharper lower constraint for practical cryptographic applications. We also elaborate below (in Section IV) on some more general aspects related to this result.

II. UPPER BOUND

First of all, we will prove that the permutation, defined as (6)
has the largest possible DLE among all permutations on, namely, From (9) we know that the right-hand side maximizes the second sum on (7) [see (4)]. To prove this claim (Theorem II.2 below), we need the following lemma. Lemma II.1: For any permutation on the set, we have As for the first sum in (10), set (11) where. Proof: If, then. Suppose now. The sum contains the term once, the terms twice and the term thrice, with altogether an equal number of signs +1 and −1. It is therefore obvious that this sum reaches its maximum when the + signs are allotted to the largest entries ( ) and the − signs to the smallest entries ( ). Then (8) for, so that and (see, e.g., [5, Lemma 1.4.1]) (12) Now, in the case of permutations on with (hence, maximizing the second term (11) of (10)), it is impossible that (13) thereby maximizing also the first term (12) of (10). The best we can do is to approximate the optimal solution (13) uniformly from above and from below. For we have For the permutation ( terms) with (9) i.e., the upper bound in (8) is reached by. Theorem II.2: If is a permutation on the linear set, then holds. In this sense, we may say that is the most chaotic map on (see [2] for the relation between the Lyapunov exponent of a continuous map on a one-dimensional interval and its discrete counterpart). Proof: Let be the permutation,. By definition while ( terms) with (10) So far we have seen that, although -permutations cannot fulfill the optimality condition (13), does comply asymptotically with it in a uniform and centered way. An exhaustive search confirms that for all -permutations with. For higher values of, Monte Carlo simulation was used with the same result (see also Figs. 1 and 2). This completes the proof.
TABLE I SOME VALUES OF (M) AND B asymptotically. From (14) and (15), we get Fig. 1. Normalized histograms of the DLE for permutations F on Z and M = 8, 10, 12. This figure was made using exhaustive sampling. (16) for large enough. Explicit calculation of and for low values of confirms that (16) holds true for all. Table I gives and for, (for, the approximations (14),, and (15),, are already closing in on the correct second decimal digit). Lemma II.3: The inequality (17) holds for all possible values of. Proof: Set,, and Fig. 2. Normalized histograms of the DLE for permutations F on Z and M = 16, 32, 64, 128, 256. This figure was made using Monte Carlo sampling. where. Then Observe for further reference [see (7)] that (14) Maximal immunity to differential cryptanalysis is achieved when takes its minimum value, namely, when. For simplicity, we assume henceforth, along with Jakimoski and Subbalakshmi, that is a multiple of 4 so that. The upper bound (2) becomes then and, for, Stirling's formula yields (15)
In order to prove that this difference is positive, set so that TABLE II VALUES OF 3(2 ) FOR 3 ≤ n ≤ 8 The following are also true. (a). (b). (c). Hence, [case (b)] up to corrections is. Note that the length of this interval because the average of the positive numbers,, is strictly greater than the average of the positive numbers. Lastly, [case (c)] i.e., up to terms. Table II lists for some powers of 2. Figs. 1 and 2 show the probability density functions of permutations on for moderate values of and for higher values of, respectively. As said before, the numbers of permutations for were estimated by means of Monte Carlo sampling. Note that the curves in both figures become more peaked as increases. From Table II and Figs. 1, 2 it is plain that practically all permutations comply with (19) for. for the same reason as before. Equations (16) and (17) substantiate our claim (5) that the upper bound in (1) can be replaced by the upper bound in (3), independently of.

III. INTERVAL LENGTH

Furthermore, the logarithmic Stirling's formula can be used to simplify the lower bound in (3) and, in particular, in (6) (i.e., when ): If, then (18) Plugging now (14) and (18) into (6), it follows that the DLE of an (from the point of view of differential cryptanalysis) ideally strong encryption mapping lies in the interval (19)

IV. FURTHER CONSIDERATIONS

Equation (1) is an interesting relation between the DLE of a substitution on elements (or an S-box on, in cryptographic parlance),, and its resistance to differential cryptanalysis, measured by. Apart from its theoretical appeal, this relation also looks promising with respect to practical applications because has less computational complexity than and, hence, one could in principle disregard weak substitutions solely on the basis of their DLEs. The scope of this paper was precisely to clarify this point.
As it turns out, the relation (1) (or (6) for that matter) cannot help discriminate weak from strong substitutions, an upshot being the convenience of further improving (1). In accordance with this apparently negative result, it seems likely that most randomly chosen -substitutions (such as those whose DLEs are shown in Fig. 2) will have maximum differential probabilities close to the optimal value,, thus qualifying for cryptographic applications after all. Let us mention in passing that there are algebraic methods for designing S-boxes with optimal properties against the standard attacks (which include differential and linear cryptanalysis).

V. CONCLUSION

First, we have sharpened the constraints (1) to the constraints (3), by replacing the upper bound by, and, second, we have shown that not even the latter ones, particularized to the optimal (constraints (6)), are sharp enough to
filter in practice the most resistant substitutions to differential cryptanalysis. Specifically, we have shown that the length of the interval defined by (6) increases monotonically to with, while the corresponding distributions of DLEs become more peaked, being almost wholly contained in the interval (6) from on. Since the new upper bound,, is already optimal (in fact, it is reachable and independent of ), we are left with the task of optimizing the lower bound.

ACKNOWLEDGMENT

The authors are thankful to the referees for their valuable comments.

REFERENCES

[1] L. Kocarev and J. Szczepanski, "Finite-space Lyapunov exponents and pseudochaos," Phys. Rev. Lett., vol. 93, p. 234101, 2004.
[2] L. Kocarev, J. Szczepanski, J. M. Amigó, and I. Tomovski, "Discrete chaos, Part I: Theory," IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 53, no. 6, pp. 1300–1309, Jun. 2006.
[3] G. Jakimoski and K. P. Subbalakshmi, "Discrete Lyapunov exponent and differential cryptanalysis," IEEE Trans. Circuits Syst. II, Exp. Briefs, vol. 54, no. 6, pp. 499–501, Jun. 2007.
[4] J. M. Amigó, L. Kocarev, and J. Szczepanski, "Theory and practice of chaotic cryptography," Phys. Lett. A, vol. 366, pp. 211–216, 2007.
[5] R. Ash, Information Theory. New York: Dover, 1990.
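The two quantities compared throughout this brief, the maximum differential probability (MDP) of a substitution on Z_M under addition modulo M and its discrete Lyapunov exponent (DLE), can be computed directly for small M and sampled for larger M as in Figs. 1 and 2. The Python below is an added example, not code from the brief or its authors: the DLE routine uses the form of the definition assumed here (mean of ln|F(x+1) − F(x)| with the index x+1 taken modulo M), which should be checked against [1]–[3] since the formula itself did not survive in this copy, and the permutations and the random sample are constructed.

```python
import math
import random
from fractions import Fraction
from itertools import permutations

def diff_counts(perm, a):
    """Row a of the additive difference table: how often each output
    difference F(x+a)-F(x) (mod M) occurs as x runs over Z_M."""
    m = len(perm)
    counts = [0] * m
    for x in range(m):
        counts[(perm[(x + a) % m] - perm[x]) % m] += 1
    return counts

def mdp(perm):
    """Maximum differential probability of the substitution F = perm: the
    most frequent output difference over all nonzero input differences a,
    divided by M (the identity scores 1, the worst possible value)."""
    m = len(perm)
    return Fraction(max(max(diff_counts(perm, a)) for a in range(1, m)), m)

def dle(perm):
    """Discrete Lyapunov exponent in the ASSUMED form
    (1/M) * sum_x ln|F(x+1) - F(x)|, index x+1 taken mod M and |.| the
    ordinary absolute value; verify against the definition in [1]-[3]."""
    m = len(perm)
    return sum(math.log(abs(perm[(x + 1) % m] - perm[x])) for x in range(m)) / m

def even_lower_bound(m):
    """For even M no permutation of Z_M has MDP below 2/M: for any a the
    differences F(x+a)-F(x) sum to 0 mod M, whereas the M distinct residues
    sum to M/2 mod M, so at least one output difference must repeat."""
    assert m % 2 == 0
    return Fraction(2, m)

def min_mdp(m):
    """Exhaustive minimum of the MDP over all M! permutations (M <= 8)."""
    return min(mdp(p) for p in permutations(range(m)))

if __name__ == "__main__":
    print("min MDP on Z_4:", min_mdp(4), "bound 2/M:", even_lower_bound(4))
    random.seed(7)                     # constructed random sample, M = 16
    m, n = 16, 2000
    sample = [random.sample(range(m), m) for _ in range(n)]
    optimal = sum(mdp(p) == even_lower_bound(m) for p in sample)
    print(f"M={m}: {optimal}/{n} sampled permutations reach MDP = 2/M")
    exps = sorted(dle(p) for p in sample)
    print("DLE of sample, min/median/max:", exps[0], exps[n // 2], exps[-1])
```

Raising m in the sample loop reproduces the sharpening of the DLE histogram described for Fig. 2, while the MDP column shows how many random substitutions already sit at the even-M bound.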