Chaos and Cryptography Vishaal Kapoor December 4, 2003 In his paper on chaos and cryptography, Baptista says It is possible to encrypt a message (a text composed by some alphabet) using the ergodic property of the simple low-dimensional and chaotic logistic equation. The basic idea is to encrypt each character of the message as the integer number of iterations performed in the logistic equation, in order to transfer the trajectory from an initial condition towards an ɛ-interval inside the logistic chaotic attractor. In this exposition, we examine this cryptosystem proposed by Baptista discuss a potential vulnerability. 1. Choose a pair (r, x 0 ) and determine the interval of interest [x min, x max ]. 2. Subdivide the interval [x min, x max ] into n sites (subintervals), each corresponding to an letter of the alphabet. 3. For each character in the plaintext string s Do x 0 := rx 0 (1 x 0 ) Until x 0 reaches the site corresponding to the current plaintext character
and random() > p The ciphertext is the number of iterations taken. Here, random() is a function that generates a random number from 0 to 1 and p is a coefficient that can be arbitrarily chosen in (0, 1] with larger values corresponding to higher security and longer encryption times. Note that p is independent of the key and is not needed to decrypt the message. Before After Maple Code for Encryption and Decryption # _s is the plaintext string # (_x0,r) is the initial condition and parameter secret key # xmin, xmax are the boundaries of the sites # p is the randomization constant encrypt := proc(_s, _x0, r, xmin, xmax, p) local D, s, n, ep, x0, c,i, random; D := Digits; Digits := 16; s := convert(_s, bytes); # Convert s to ASCII representation n := length(_s); ep := (xmax-xmin)/256;
x0 := _x0; c := [seq(0,i=1..n)]; for i from 1 to 100 do x0 := r*x0*(1-x0); # Ignore initial transient c[1] := 100; # Main loop for i from 1 to n do while(true) do if(trunc((x0-0.2)*256/0.6) = s[i] and rand()/10^12 > p) then break; fi; x0 := r*x0*(1-x0); c[i] := 1 + c[i]; Digits := D; RETURN(c); end: # c is the cipher text # n length of plaintext string # (_x0,r) is the initial condition and parameter secret key # xmin, xmax are the boundaries of the sites decrypt := proc(c, n, _x0, r, xmin, xmax) local D, p, s, ep, x0,i; D := Digits; Digits := 16; ep := (xmax-xmin)/256;
x0 := _x0; p := [seq(0, i=1..n)]; # Main Loop for i from 1 to n do for j from 1 to c[i] do x0 := r*x0*(1-x0); p[i] := trunc((x0-0.2)*256/0.6); s := ""; for i from 1 to n do s := sprintf("%s%c", s,p[i]); RETURN(s); end: There are several requirements of our secret key (r, x 0 ) which we have yet to mention. The most important such requirement is that r must be chosen so that the map x n+1 = rx n (1 x n ) exhibits chaos. Some definitions are in order: For an orbit x 0, x 1, x 2,..., we define the Lyapunov exponent λ to be 1 n 1 λ = lim n ln f (x i ), n provided the limit exists. In the case of an aperiodic trajectory with a positive Lyapunov exponent, we say the trajectory is a chaotic orbit. The system is said to exhibit chaos if there is a regime with chaotic orbits. i=0
Jacobson [4] assures us that there is a non-zero probability that a randomly chosen r in [r, 4] will be responsible for chaos. Here r is approximately 3.57 - an accumulation point of period doubling bifurcations. In practice, the diagram below shows us that values of r > r will most likely work (note these are the domain corresponding to positive range values above). Moreover, the termination of this algorithm is dependent on our loop terminating successfully for each plaintext character. We require a definition: In a dynamical system, an orbit is said to be ergodic if for any δ > 0, and an accessible state value x = a, there exists a value k such that x k a < δ. In our case of the logistic equation with secret key (r, x 0 ), this says that every point in [x min, x max ] should be approached arbitrarly closely by some iterate x k. This condition is actually more than sufficient to ensure that every site is reachable by x 0 an infinite number of times. Moreover, we require that every interval can be reached an infinite number of different ways; so that each interval can be encrypted in an infinite number of different ways. Proving such assertions are satisfied for a given r is difficult in the general case. We warm up by proving a special case for r = 4. In this case, we make a substitution x = sin 2 ( πy 2 ) = 1 (1 cos(πy)), 2
where x, y [0, 1]. Substituting in the logistic equation, we obtain sin 2 (πy n+1 /2) = 1 cos 2 (πy n ) = sin 2 (πy n ). Continuing, we have (πy n+1 /2) = ±(πy n ) + sπ where s is an integer. As y is restricted in [0, 1], we must have y n+1 = 2y n for 0 y n 1 2, and y n+1 = 2 2y n for 1 2 y n 1. This is just the tent map. Since the tent map is chaotic, the logistic equation for r = 4 must be as well. In practice, the luxury of a nice substitution is no longer enjoyed, and so numerical evidence is usually sought. Let us consider the case for r = 3.78. The orbital densities of the logistic map for this r numerically show that the attractor lies in the interval [x min, x max ] = [0.2, 0.8]. 0.035 Orbital Densities for the Logistic Map with r=3.78 0.03 0.025 0.02 0.015 0.01 0.005 0 0.2 0.4 0.6 0.8 1 y As well, the figure indicates that each site is reachable with non-zero probability. Thus, we would expect each site to be approached an infinite number of times in the trajectory of x 0. This attack is based on a weakness in the implementation of the cryptosystem proposed in [1]. Because the system is implemented on a computer the map that is apparent in the data will actually be of the form x n+1 = r x n (1 x n ),
where all operations are done in fixed point arithmetic (Baptista describes using 16 bit accuracy). This is a problem because chaos implies sensitive dependence on initial conditions. Therefore 1. the long-term qualitative behavior of the system as implemented will be much different than the the behavior of the logistic equation, and 2. there must be a periodic orbit of x n. The latter results from there being only finitely many numbers of a certain accuracy. In theory, this means that there must be a cycle of length at most 2 d where d-bits are used. However, in practice, I have found this to be much smaller. Typically, there will be some number of iterations I before the cycle is reached, and the cycle is of length T (we generalize saying a fixed point is a 0-cycle). For x 0 =.5, r = 3.78 we have the following values of I + T (an upperbound on T ). Digits of Accuracy I + T 1 3 2 5 3 9 4 65 5 150 6 537 7 1766 8 6021 9 21982 10 78262 11 113895 Given a periodic orbit of relatively small size presents us with an equivalent cryptosystem of the following form: 1. Choose a positive integer T to represent the cycle length. Define x 0 := 0. 2. Associate each letter of the alphabet with at least one number from 0 to T 1 so that no two letters are associated with the same number. A site corresponds to the subset of [0, T 1] that corresponds to a particular letter.
3. For each character in the plaintext string s Do x 0 := x 0 + 1 Until x 0 reaches the site corresponding to the current plaintext character and random() > p. The encrypted character is the number x 0. Set x 0 := 0. For every letter l i of the alphabet corresponding to a site C i [0, T 1), we are thus guaranteed an encryption of x + T k where x C i and k N. In the case of the originally proposed cryptosystem with no random pertubation, k = 0, meaning we are left with a simple substitution cipher. In the case of random perturbation, k is typically small (around 1 or 2) since encryption time is important. Such encryption is more difficult to deal with, but clearly a step down from the original system. This discussion above shows that the security of the cryptosystem in [1] relies on a small fraction of the many possible trajectories based on the secret key (r, x 0 ). This problem could easily be worked around by using much larger fixed point precision; however, a full analysis is warrented. The author is currently developing a practical attack on this cryptosystem. Bibliography [1] Baptista, M. S. Cryptography with Chaos. Physics Letters A 240 (1998): 50-54 [2] Ott, Edward. Chaos in dynamical systems. Cambridge University Press, 2002. [3] Davies, Brian. Exploring chaos. Theory and experiment. Perseus Books, 1999. [4] Jacobson, M. V. Topological and Metric Properties of One Dimensional Endomorphisms. Sov. Math. Dokl. 19 (1978): 1452. [5] http://home.hkstar.com/hmk409/research/ces/main.htm (Chaotic Encryption Standard) [6] http://icg.harvard.edu/math118r/ [7] Strogatz, S. H. Nonlinear dynamics and chaos. With Applications to Physics, Biology, Chemistry, and Engineering. Westview Press, 2000.