Discrete Lyapunov Exponent and Resistance to Differential Cryptanalysis José María Amigó, Ljupco Kocarev, and Janusz Szczepanski


882 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS II: EXPRESS BRIEFS, VOL. 54, NO. 10, OCTOBER 2007

Discrete Lyapunov Exponent and Resistance to Differential Cryptanalysis
José María Amigó, Ljupco Kocarev, and Janusz Szczepanski

Abstract: In a recent paper, Jakimoski and Subbalakshmi provided a nice connection between the so-called discrete Lyapunov exponent of a permutation defined on a finite lattice and its maximal differential probability, a parameter that measures the complexity of a differential cryptanalysis attack on the substitution defined by. In this brief, we take a second look at their result to find some practical shortcomings. We also discuss more general aspects.

Index Terms: Differential cryptanalysis, discrete Lyapunov exponent (DLE), maximum differential probability ().

I. INTRODUCTION

Set endowed with addition modulo and let be a bijection (also called -permutation or -substitution). The discrete Lyapunov exponent (DLE) of is then defined as where. The DLE was introduced in [1] and further developed in [2] as a main tool of discrete chaos, a framework for counterparts of standard dynamical concepts in finite-state systems. In [3], Jakimoski and Subbalakshmi make an interesting connection between the DLE and the resistance of (viewed as a substitution of a hypothetical cipher with alphabet ) to differential cryptanalysis. This resistance or immunity is measured by the maximum differential probability (). Note that (just take ). According to [3, Th. 1], the relation (1) holds, where.

Substitutions on sets of integers are important in chaotic cryptography [4] among other potential applications. For this reason, we have scrutinized the constraints (1) in search of further insights. We have found the following.

(i) The upper bound in (1) can be optimized for even to render with (2) (3) (4) where for and. We will show that the new upper bound,, is reached (hence, it cannot be lowered) and, moreover (5) for all, i.e.,.

(ii) Furthermore, if one restricts to the optimal value (meaning maximal immunity to differential cryptanalysis in the context of encryption mappings on ), so that (3) becomes (6) then analytical and numerical calculations show that the constraints (6) are fulfilled by virtually all permutations. We conclude that even the improved interval (6) is too wide to filter in practice the most resistant substitutions to differential cryptanalysis, thus making necessary a sharper lower constraint for practical cryptographic applications. We also elaborate below (in Section IV) on some more general aspects related to this result.

Manuscript received March 2, 2007; revised April 11, 2007. This work was supported in part by the Spanish Ministry of Education and Science under Grant MTM2005/049048, and by the European FEDER Funds. The work of L. Kocarev was supported in part by the National Science Foundation. This paper was recommended by Associate Editor Z. Galias. J. M. Amigó is with the Centro de Investigación Operativa, Universidad Miguel Hernández, 03202 Elche, Spain (e-mail: jm.amigo@umh.es). L. Kocarev is with the Macedonian Academy of Sciences and Arts, 1000 Skopje, Macedonia, New York University Skopje, 1000 Skopje, Macedonia, and Institute for Nonlinear Science, University of California, San Diego, La Jolla, CA 92093-0402 USA (e-mail: lkocarev@ucsd.edu). J. Szczepanski is with the Institute for Fundamental Technological Research, Polish Academy of Sciences, PL-00-049 Warsaw, Poland (e-mail: jszczepa@ippt.gov.pl). Digital Object Identifier 10.1109/TCSII.2007.901576

II. UPPER BOUND

First of all, we will prove that the permutation, defined as

has the largest possible DLE among all permutations on, namely, To prove this claim (Theorem II.2 below), we need the following lemma.

Lemma II.1: For any permutation on the set, we have where.

Proof: If, then. Suppose now. The sum contains the term once, the terms twice and the term thrice, with altogether an equal number of signs +1 and -1. It is therefore obvious that this sum reaches its maximum when the + signs are allotted to the largest entries ( ) and the - signs to the smallest entries ( ). Then (8) for, so that and (see, e.g., [5, Lemma 1.4.1]) For the permutation ( terms) with (9) i.e., the upper bound in (8) is reached by.

Theorem II.2: If is a permutation on the linear set, then holds. In this sense, we may say that is the most chaotic map on (see [2] for the relation between the Lyapunov exponent of a continuous map on a one-dimensional interval and its discrete counterpart).

Proof: Let be the permutation,. By definition while ( terms) with (10) From (9) we know that the right-hand side maximizes the second sum on (7) [see (4)]. As for the first sum in (10), set (11) where. (12) Now, in the case of permutations on with (hence, maximizing the second term (11) of (10)), it is impossible that (13) thereby maximizing also the first term (12) of (10). The best we can do is to approximate the optimal solution (13) uniformly from above and from below. For we have So far we have seen that, although -permutations cannot fulfill the optimality condition (13), does comply asymptotically with it in a uniform and centered way. An exhaustive search confirms that for all -permutations with. For higher values of, Monte Carlo simulation was used with the same result (see also Figs. 1 and 2). This completes the proof.

Table I. Some values of (M) and B.

Fig. 1. Normalized histograms of the DLE for permutations F on Z and M = 8, 10, 12. This figure was made using exhaustive sampling.

Fig. 2. Normalized histograms of the DLE for permutations F on Z and M = 16, 32, 64, 128, 256. This figure was made using Monte Carlo sampling.

Observe for further reference [see (7)] that (14) Maximal immunity to differential cryptanalysis is achieved when takes its minimum value, namely, when. For simplicity, we assume henceforth along with Jakimoski and Subbalakshmi that is a multiple of 4 so that. The upper bound (2) becomes then and, for Stirling's formula yields (15) asymptotically. From (14) and (15), we get (16) for large enough. Explicit calculation of and for low values of confirms that (16) holds true for all. Table I gives and for, (for, the approximations (14),, and (15),, are already closing in on the correct second decimal digit).

Lemma II.3: The inequality (17) holds for all possible values of.

Proof: Set,, and where. Then

In order to prove that this difference is positive, set so that The following are also true. (a). (b). (c). Hence, [case (b)] Lastly, [case (c)] i.e., up to terms, for the same reason as before. Equations (16) and (17) substantiate our claim (5) that the upper bound in (1) can be replaced by the upper bound in (3), independently of.

III. INTERVAL LENGTH

Furthermore, the logarithmic Stirling's formula can be used to simplify the lower bound in (3) and, in particular, in (6) (i.e., when ): If, then (18) Plugging now (14) and (18) into (6), it follows that the DLE of an (from the point of view of differential cryptanalysis) ideally strong encryption mapping lies in the interval (19) up to corrections is. Note that the length of this interval because the average of the positive numbers,, is strictly greater than the average of the positive numbers.

Table II. Values of (2^n) for 3 ≤ n ≤ 8.

Table II lists for some powers of 2. Figs. 1 and 2 show the probability density functions of permutations on for moderate values of and for higher values of, respectively. As said before, the number of permutations for were estimated by means of Monte Carlo sampling. Note that the curves in both figures become more peaked as increases. From Table II and Figs. 1, 2 it is plain that practically all permutations comply with (19) for.

IV. FURTHER CONSIDERATIONS

Equation (1) is an interesting relation between the DLE of a substitution on elements (or an S-box on, in cryptographic parlance),, and its resistance to differential cryptanalysis, measured by. Apart from its theoretical appeal, this relation looks also promising with respect to practical applications because has less computational complexity than and, hence, one could in principle disregard weak substitutions solely on the basis of their DLEs. The scope of this paper was precisely to clarify this point.
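To make the two quantities concrete, the following Python script (an added example, not code from the paper) computes a discrete Lyapunov exponent and the maximum differential probability of permutations of Z_M, surveys all permutations of Z_8 exhaustively and a seeded Monte Carlo sample of Z_16, and reports how wide the DLE range of the MDP-optimal permutations is compared with the DLE range of all permutations, which is the filtering question Section IV raises. Because the page does not reproduce the paper's formulas, the DLE formula used (mean of ln|F(i+1) - F(i)| with i+1 taken modulo M), the modular-difference MDP, and the function names dle, mdp and survey are assumptions of this example.

```python
"""DLE and MDP of permutations of Z_M (added example, not the paper's code).
ASSUMED definitions, since the paper's formulas are not reproduced on this page:
  DLE(F) = (1/M) * sum_{i in Z_M} ln|F(i+1 mod M) - F(i)|
  MDP(F) = max_{a != 0, b} #{x in Z_M : F(x+a) - F(x) = b (mod M)} / M
"""
import itertools
import math
import random
from typing import Optional, Sequence


def dle(F: Sequence[int]) -> float:
    """Assumed DLE: mean log distance between the images of cyclic neighbours.
    A permutation never maps two points to one, so log(0) cannot occur."""
    M = len(F)
    return sum(math.log(abs(F[(i + 1) % M] - F[i])) for i in range(M)) / M


def mdp(F: Sequence[int]) -> float:
    """MDP with differences taken modulo M: the largest entry of the difference
    distribution table for a nonzero input difference a, divided by M."""
    M = len(F)
    best = 0
    for a in range(1, M):
        counts = [0] * M
        for x in range(M):
            counts[(F[(x + a) % M] - F[x]) % M] += 1
        best = max(best, max(counts))
    return best / M


def survey(M: int, samples: Optional[int] = None, seed: int = 1) -> dict:
    """Exhaustive (samples=None) or seeded Monte Carlo survey of permutations of
    Z_M: the DLE range of all permutations versus the DLE range of those reaching
    the smallest MDP seen (the ones a DLE-based filter would have to keep)."""
    if samples is None:
        perms = itertools.permutations(range(M))
    else:
        rng = random.Random(seed)
        perms = (tuple(rng.sample(range(M), M)) for _ in range(samples))
    rows = [(dle(F), mdp(F)) for F in perms]
    mdp_min = min(p for _, p in rows)
    optimal = [l for l, p in rows if p == mdp_min]
    return {"count": len(rows), "mdp_min": mdp_min, "opt_count": len(optimal),
            "dle_min": min(l for l, _ in rows), "dle_max": max(l for l, _ in rows),
            "opt_dle_min": min(optimal), "opt_dle_max": max(optimal)}


if __name__ == "__main__":
    for M, n in ((8, None), (16, 20000)):  # Z_8 exhaustively, Z_16 sampled
        r = survey(M, n)
        print(f"M={M}: {r['count']} permutations, DLE in [{r['dle_min']:.3f}, "
              f"{r['dle_max']:.3f}]; min MDP {r['mdp_min']:.4f} reached by "
              f"{r['opt_count']}, whose DLEs span [{r['opt_dle_min']:.3f}, "
              f"{r['opt_dle_max']:.3f}]")
```

For the identity permutation every input difference a maps to the single output difference a, so mdp returns 1.0, the worst possible value, while its DLE is tiny; the survey then shows the MDP-optimal permutations spread over most of the DLE range of all permutations.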
As it turns out, the relation (1) (or (6) for that matter) cannot help discriminate weak from strong substitutions, an upshot being the convenience of further improving (1). In accordance with this apparently negative result, it seems likely that most randomly chosen -substitutions (as those whose DLEs are shown in Fig. 2) will have maximum differential probabilities close to the optimal value,, thus qualifying for cryptographic applications after all. Let us mention in passing that there are algebraic methods for designing S-boxes with optimal properties against the standard attacks (which include differential and linear cryptanalysis).

V. CONCLUSION

First, we have sharpened the constraints (1) to the constraints (3), by replacing the upper bound by, and, second, we have shown that not even the latter ones, particularized to the optimal (constraints (6)), are sharp enough to

filter in practice the most resistant substitutions to differential cryptanalysis. Specifically, we have shown that the length of the interval defined by (6) increases monotonically to with, while the corresponding distributions of DLEs become more peaked, being almost wholly contained in the interval (6) from on. Since the new upper bound,, is already optimal (in fact, it is reachable and independent of ), we are left with the task of optimizing the lower bound.

ACKNOWLEDGMENT

The authors are thankful to the referees for their valuable comments.

REFERENCES

[1] L. Kocarev and J. Szczepanski, "Finite-space Lyapunov exponents and pseudochaos," Phys. Rev. Lett., vol. 93, p. 234101, 2004.
[2] L. Kocarev, J. Szczepanski, J. M. Amigó, and I. Tomovski, "Discrete chaos, Part I: Theory," IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 53, no. 6, pp. 1300-1309, Jun. 2006.
[3] G. Jakimoski and K. P. Subbalakshmi, "Discrete Lyapunov exponent and differential cryptanalysis," IEEE Trans. Circuits Syst. II, Exp. Briefs, vol. 54, no. 6, pp. 499-501, Jun. 2007.
[4] J. M. Amigó, L. Kocarev, and J. Szczepanski, "Theory and practice of chaotic cryptography," Phys. Lett. A, vol. 366, pp. 211-216, 2007.
[5] R. Ash, Information Theory. New York: Dover, 1990.