arxiv:cs/ v1 [cs.cr] 2 Feb 2004

Similar documents
On the security of a chaotic encryption scheme: problems with computerized chaos in finite computing precision

Cryptanalysis of a computer cryptography scheme based on a filter bank

Breaking an encryption scheme based on chaotic Baker map

Cryptanalysis of a Multistage Encryption System

arxiv:nlin/ v1 [nlin.cd] 10 Aug 2006

arxiv: v1 [cs.cr] 18 Jul 2009

arxiv: v2 [cs.cr] 13 Oct 2016

Chaos and Cryptography

Pseudo-Random Bit Generator Based on Couple Chaotic Systems and its Applications in Stream-Cipher Cryptography

Secure Communication Using H Chaotic Synchronization and International Data Encryption Algorithm

Multi-Map Orbit Hopping Chaotic Stream Cipher

Weak key analysis for chaotic cipher based on randomness properties

Design and Hardware Implementation of a Chaotic Encryption Scheme for Real-time Embedded Systems

Cryptanalysis of a data security protection scheme for VoIP

Chaos-Based Symmetric Key Cryptosystems

arxiv: v1 [cs.cr] 5 Dec 2007

-Cryptosystem: A Chaos Based Public Key Cryptosystem

A novel pseudo-random number generator based on discrete chaotic iterations

A Chaotic Encryption System Using PCA Neural Networks

Cryptanalyses of Some Multimedia Encryption Schemes

New communication schemes based on adaptive synchronization

A Very Efficient Pseudo-Random Number Generator Based On Chaotic Maps and S-Box Tables M. Hamdi, R. Rhouma, S. Belghith

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Lorenz System Parameter Determination and Application to Break the Security of Two-channel Chaotic Cryptosystems

Cryptanalysis of a discrete-time synchronous chaotic encryption system

Lecture Notes. Advanced Discrete Structures COT S

Cryptanalyzing a nonlinear chaotic algorithm (NCA) for image encryption

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

CRYPTOGRAPHY AND NUMBER THEORY

Impossible Differential Attacks on 13-Round CLEFIA-128

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

A new simple technique for improving the random properties of chaos-based cryptosystems

CHAPTER 3 CHAOTIC MAPS BASED PSEUDO RANDOM NUMBER GENERATORS

STREAM CIPHER. Chapter - 3

Improved Cascaded Stream Ciphers Using Feedback

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages

Implementation of the RSA algorithm and its cryptanalysis. Abstract. Introduction

Analysis of Hidden Field Equations Cryptosystem over Odd-Characteristic Fields

Classical Cryptography

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Information and Communications Security: Encryption and Information Hiding

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Lecture 4: DES and block ciphers

A Novel Image Encryption Scheme Using the Composite Discrete Chaotic System

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Security Implications of Quantum Technologies

PERIOD LENGTHS OF CHAOTIC PSEUDO-RANDOM NUMBER GENERATORS

Further improving security of Vector Stream Cipher

New Dynamical Key Dependent S-Box based on chaotic maps

A NOVEL MULTIPLE PSEUDO RANDOM BITS GENERATOR BASED ON SPATIOTEMPORAL CHAOS. Ping Li,1 Zhong Li Wolfgang. A. Halang Guanrong Chen

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

An efficient parallel pseudorandom bit generator based on an asymmetric coupled chaotic map lattice

All-Or-Nothing Transforms Using Quasigroups

One-way Hash Function Based on Neural Network

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

Math-Net.Ru All Russian mathematical portal

CSc 466/566. Computer Security. 5 : Cryptography Basics

Cryptography. P. Danziger. Transmit...Bob...

arxiv: v2 [cs.cr] 6 Aug 2017

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Analysis and Comparison of One Dimensional Chaotic Map Functions

A Non-symmetric Digital Image Secure Communication Scheme Based on Generalized Chaos Synchronization System

Lecture 1: Introduction to Public key cryptography

Design of S-Box using Combination of Chaotic Functions

Exercise Sheet Cryptography 1, 2011

CRYPTOGRAPHY USING CHAOTIC NEURAL NETWORK

A chaotic encryption scheme for real-time embedded systems: design and implementation

Cryptography Lecture 4 Block ciphers, DES, breaking DES

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Cryptography and Number Theory

Fast Cryptanalysis of the Matsumoto-Imai Public Key Scheme

Computers and Mathematics with Applications

New Chaotic Permutation Methods for Image Encryption

Algebraic Attack Against Trivium

A Hybrid Method with Lorenz attractor based Cryptography and LSB Steganography

Cryptography 2017 Lecture 2

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Outline. Computer Science 418. Number of Keys in the Sum. More on Perfect Secrecy, One-Time Pad, Entropy. Mike Jacobson. Week 3

CPSC 467b: Cryptography and Computer Security

Public-Key Cryptosystems CHAPTER 4

Maximum Correlation Analysis of Nonlinear S-boxes in Stream Ciphers

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

CPSC 467b: Cryptography and Computer Security

Gurgen Khachatrian Martun Karapetyan

Image encryption based on a delayed fractional-order chaotic logistic system

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Thesis Research Notes

Jay Daigle Occidental College Math 401: Cryptology

Discrete chaotic cryptography (DCC).

Lecture 5, CPA Secure Encryption from PRFs

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

S-box (Substitution box) is a basic component of symmetric

Transcription:

Problems of Baptista s chaotic cryptosystems and countermeasures for enhancement of their overall performances arxiv:cs/0402004v1 [cs.cr] 2 Feb 2004 Shujun Li, Guanrong Chen Department of Electronic Engineering, City University of Hong Kong, 83 Tat Chee Avenue, Kowloon Toon, Hong Kong, China Kwok-Wo Wong Department of Computer Engineering and Information Technology, City University of Hong Kong, 83 Tat Chee Avenue, Kowloon Toon, Hong Kong, China Xuanqin Mou and Yuanlong Cai School of Electronics and Information Engineering, Xi an Jiaotong University, Xi an, Shaanxi 710049, China Abstract In 1998, M. S. Baptista proposed a chaotic cryptosystem, which has attracted much attention from the chaotic cryptography community: some of its modifications and also attacks have been reported in recent years. In [Phys. Lett. A 307 (2003) 22], we suggested a method to enhance the security of Baptista s cryptosystem, which can successfully resist all proposed attacks. However, the enhanced Baptista s cryptosystem has a nontrivial defect, which produces errors in the decrypted data with a generally small but nonzero probability, and the consequent error propagation exists. In this Letter, we analyze this defect and discuss how to rectify it. Additionally, this Letter discusses some new problems of Baptista s cryptosystems and their corresponding countermeasures. It will be shown that Baptista s chaotic cryptosystem can be effectively enhanced to achieve an acceptable overall performance in practice. Key words: chaos, encryption, cryptanalysis, Baptista s chaotic cryptosystem PACS: 05.45.Ac/Vx/Pq Preprint submitted to Elsevier Science 26 February 2008

1 Introduction In [1], M. S. Baptista proposed a chaotic cryptosystem based on partitioning the visiting interval of chaotic orbits of the Logistic map. After its publication, several modified versions have been proposed [2 7]. On the other hand, some cryptanalytic works have been reported [8,9]. In this section, we firstly give a comprehensive introduction to Baptista s chaotic cryptosystem, its modified versions and proposed attacks. In the following sections, we will show some problems of this class of cryptosystems and then propose some countermeasures to enhance its performance. 1.1 Baptista s chaotic cryptosystem: the original version Here, to make the introduction and the following description simpler and clearer, differing from [1], a new presentation is given to describe how the cryptosystem works. Given a one-dimensional chaotic map F : X X and an interval X = [x min, x max ) X, divide X into S ǫ-intervals: i = 1 S, X i = [x min + (i 1)ε, x min + iε), where ε = (x max x min )/S. Assume that plain messages are composed by S different characters α 1, α 2,, α S, and then use a bijective map f S : X ǫ = {X 1,, X i,, X S } A = {α 1,, α i,, α S } (1) to associate the S different ǫ-intervals with the S different characters. By introducing an extra character β, different from any α i, we can define a new function f S : X A {β} as follows: f S (x) = f S (X i ), x X i, β, x / X.. (2) Based on the above notations, for a plain-message M = {m 1, m 2,, m i, } (m i A), the original Baptista s cryptosystem can be described as follows. The employed chaotic system: Logistic map F(x) = bx(1 x). The secret key: the association map S, the initial condition x 0 and the control parameter b of the Logistic map. Encryption procedure: For the first plain-character m 1 : Iterate the chaotic system starting from x 0 to find a chaotic state x that satisfies f S (x) = m 1, and record the iteration number C 1 as the first cipher-message unit and x (1) 0 = F C 1 (x 0 ); 2

For the i th plain-character m i : Iterate the chaotic system from x (i 1) 0 = F C 1+C 2 + +C i 1 (x 0 ) to find a chaotic state x satisfying f S (x) = m i, record the ( x (i 1) 0 iteration number C i as the i th cipher-message unit and x (i) 0 = F C i Decryption procedure: For each ciphertext unit C i, iterate the chaotic system for C i times starting from the last chaotic state x (i 1) 0 = F C 1+C 2 + +C i 1 (x 0 ), and then use x (i) ( ) 0 = F C (i 1) i x 0 to derive the current plain-character as ( ) ( ( )) follows: m i = f S (i) x 0 = f S F C i (i 1) x 0. Constraints of C i : Each cipher-message unit C i should be constrained by N 0 C 1 N max (N 0 = 250 and N max = 65532 in [1]). Since there exist many options for each C i in [N 0, N max ], an extra coefficient η [0, 1] is used to choose the right number: if η = 0, C i is chosen as the minimal number satisfying f S(x) = m i ; if η 0, C i is chosen as the minimal number satisfying f S (x) = m i and κ η simultaneously, where κ is a pseudo-random number with a normal distribution within the interval [0, 1]. The original Baptista s chaotic cryptosystem has two obvious defects: 1) the distribution of the ciphertext is non-uniform, and the occurrence probability decays exponentially as C i increases from N 0 to N max (see Fig. 3 of [1] and also Fig. 1 of [2]); 2) at least N 0 chaotic iterations are needed to encrypt a plain-character, which makes the encryption speed very slow as compared with most conventional ciphers. In addition, all proposed attacks show a third defect of this cryptosystem: the existence of the number of chaotic iterations C i in the ciphertext stream, which makes the cryptosystem insecure. ). 1.2 Proposed attacks to Baptista s chaotic cryptosystem In [8], G. Jakimoski and L. Kocarev proposed a known-plaintext attack to break the original Baptista s chaotic cipher. This attack is based on the following fact: one can establish an association table between the moment of interest and the plain-character by observing a number of plaintext/ciphertext pairs, where the moment of interest corresponding to a ciphertext unit C i is defined as n i = i j=1 C j, i.e., the total number of chaotic iterations from x 0 to the current chaotic state. The association table can be used to decrypt the corresponding plain-character if any moment of interest n i re-occurs in the ciphertext stream. Apparently, the more plaintext/ciphertext pairs are known, the more associations this table will contain and the more ciphertexts can be decrypted using the table. The Jakimoski-Kocarev attack mainly depends on the existence of C i in the ciphertext, so it is possible to use it to break all modified versions of Baptista s cryptosystem as well as the improved version of E. Alvarez et al. s chaotic cryptosystem that we proposed in [10]. In [9], G. Alvarez et al. proposed another set of four different attacks based on symbolic dynamics. All four attacks utilize the same defect as the Jakimoski- 3

Kocarev attack: the existence of C i in the ciphertext stream, which makes it possible to analyze symbolic dynamics of the chaotic system employed in the cryptosystem. The first attack, the one-time pad attack, is actually an extended version of the Jakimoski-Kocarev attack. The second attack, the entropy attack, also depends on the first defect of the original Baptista s cryptosystem: the non-uniform distribution of the ciphertext. The other two attacks are not very practical but reflect the usefulness of the correlation information existing between the two subkeys b and x 0. 1.3 Enhanced versions of Baptista s cryptosystem with better performances In [2], W.-K. Wong et al. modified the original Baptista s cryptosystem as follows: for each plain-character m i, firstly generate a pseudo-random number r distributed uniformly between 0 and a pre-defined maximum r max, iterate the chaotic system for at least r times until a chaotic state x satisfying f S (x) = m i is found, record the iteration number as the cipher-message unit C i. Such a modified cryptosystem can efficiently avoid the first defect of the original cryptosystem, but makes the second defect worse: averagely much more chaotic iterations are needed, which causes a much slower encryption speed. In [3], K.-W. Wong suggested dynamically updating the association map f S (called a look-up-table) to dramatically increase the encryption speed. However, since a number of chaotic iterations are needed, the encryption speed is still much lower than most conventional ciphers. Further studies are required for a better solution to this problem. A very recent progress was made, again by K.-W. Wong s group, in [5]. In this study, a session key is introduced to realize synchronization between the sender and the receiver, and the encryption/decryption procedure starts after a synchronization period with multiple iterations. The main contribution of this work is to make the ciphertext shorter by replacing C i with the index of each plaintext block in the look-up-table. In [7], we re-studied the performance of the Jakimoski-Kocarev attack in detail and reached the following conclusion: this attack is not efficient enough to break the corresponding chaotic cryptosystems, and therefore a simple remedy can be used to effectively resist it. In the suggested remedy, the original ciphertext stream {C i } will be masked with a pseudo-random stream and then be output as the final ciphertext stream. With the masking, it becomes impossible to get the number of chaotic iterations C i so that all proposed attacks (not only the Jakimoski-Kocarev attack) will fail. However, we also notice that there exists a nontrivial defect in this remedy we proposed, which makes the enhanced Baptista s cryptosystem problematic. In the next section, we give 4

more details on this problem and discuss how to rectify it. 2 Rectifying our early-proposed remedy of Baptista s chaotic cryptosystem what can resist all proposed attacks 2.1 A brief introduction of the enhanced Baptista s cryptosystem Since the occurrence of C i in the ciphertext stream is the prerequisite of all proposed attacks, we can by pass it by concealing C i in the ciphertext stream. A natural idea is to secretly mask C i with a pseudo-random number stream. It is easy to generate the pseudo-random number stream from the chaotic system itself. Given a pseudo-random number generation function f be ( ), using to denote the masking operation, the enhanced Baptista s cryptosystem proposed in [7] can be described as follows (without changing other details of the original cryptosystem, such as the constraints of C i ): Encryption procedure: For the i th plain-character m i, iterate the chaotic system starting from x (i 1) 0 to find a suitable chaotic state x satisfying f S(x) = m i, record the number of chaotic iterations starting from x (i 1) 0 to x as C i and x (i) ( ) 0 = x = F C i (i 1) x 0. Then, the i th cipher-message unit of m i is C i = C ( ) (i) i f be x 0. Decryption procedure: For each ciphertext unit C i, firstly iterate the chaotic system for N 0 times and set C i = N 0, then perform the following operations: if C i f be (x) = C i then use the current chaotic state x to derive the plaincharacter m i and goto the next ciphertext unit C i+1 ; otherwise, iterate the chaotic system once and C i + +, until the above condition is satisfied. The selection of f be ( ): Because of the non-uniformity of the ciphertext, it has been shown that f be ( ) cannot be freely selected to avoid information leaking. For example, the simplest function f be (x) = x is not secure. Two classes of such functions are suggested in [7], and both can make information leaking impossible. Actually, if the distribution of C i is modified to be uniform 1, then f be ( ) can freely selected. 2.2 A defect in the above modified Baptista s cryptosystem Although in [7] we have shown that the above remedy can resist the Jakimoski- Kocarev attack successfully, considering C i f be (x) = C i f be(x ) is possible 1 As mentioned in [7], two methods are available: the modification proposed in [2] and the entropy-based lossless compression technique [11]. 5

for C i C i, erroneous plain-characters may be decrypted with a generally small but nonzero probability: at the decipher side, when C i f be (x) = C i, the restored C i may not be the real C i at the encipher side, so that the restored chaotic state x is wrong and then the decrypted plain-character is wrong. At first, let us see how serious this defect is. We can estimate the error probability at the encipher side as follows. Apparently, the decryption is correct if and only if the real C i never occur before the first x satisfying f S (x) = m is found. That is, for a specific C i, the probability to successfully restore C i (i.e. the probability to get the correct decryption) via the above decryption procedure is P c ( C i ) = P = P C i 1 k=n 0 C i 1 k=n 0 ( ( ( k fbe F k x (i 1) )) ) 0 Ci ( ( ( fbe F k x (i 1) )) ) 0 k Ci. (3) Generally, assume the bit size of C i is n (for the original Baptista s cryptosystem n = 16) and the chaotic orbit { F ( k x (i 1) )} 0 has a uniform distribution, we have: C i, P { ( f ( be F k x (i 1) )) } 0 = Ci = 2 n, i.e., P { ( f ( be F k x (i 1) )) } 0 k Ci = 1 2 n. (4) ( Assume f ( be F k x (i 1) )) 0 = k Ci (k = N 0 C i 1) are independent events. Then we can deduce P c ( C i ) = (1 2 n ) C i N 0. It is obvious that P c ( C i ) 0 as C i, which means any decryption behaves like a random guess after a sufficiently long period of time. Considering the non-uniform distribution of C i, for the first plain-character m 1, from the total probability rule we can calculate 2 the final probability P c,1 : N max P c,1 = P { C i = k} P c (k) k=n 0 N max = P { C i = k} (1 2 n ) k N0. (5) k=n 0 To simplify calculation without loss of generality, assume F(x) visits each ǫ- 2 Here, assume P {C i > N max } = 0, see Sec. 3.4 for an explanation. 6

interval with the same probability 3 p = 1/S. Then, we have P { C i = k} = p(1 p) k N 0, so that N max P c,1 = p(1 p) k N0 (1 2 n ) k N0 k=n 0 N max N 0 = k =0 p q k = p 1 qnmax N 0, (6) 1 q where q = (1 p) (1 2 n ). When S = 256, n = 16, N 0 = 250, N max = 65532 (values in the original Baptista s cryptosystem), P c,1 0.9961240899211138. Considering 1/(1 P c,1 ) 258, we expect that one plaintext with wrong leading plain-character will occur averagely in 258 plaintexts. Here, note that all plain-bytes after a a wrong plain-character will be wrong with a high probability close to 1, i.e., there exists error propagation. It is obvious that the error propagation makes things worse for i > 1: i 1 P c,i = P c,j p ( ) 1 q Nmax N 0 i 1 = P c,j P c,1 = P i 1 q c,1. (7) j=1 For the above calculated P c,1, P c,i with respect to i is shown in Fig. 1. As i increases, the probability decreases exponentially. Once P c,i goes below 1/S, a random guess process will replace the role of the designed decipher. 1 0.9 0.8 0.7 j=1 Pc,i 0.6 0.5 0.4 0.3 0.2 0.1 0 100 200 300 400 500 600 700 800 900 1000 i Fig. 1. P c,i with respect to the position of the plain-character i 2.3 Rectification to the existing defect Now, we try to rectify the above-discussed encryption/decryption scheme to avoid this existing defect. To do so, we have to ensure P c,i 1, i. 3 Logistic map does not satisfy this requirement, so we suggest using PWLCM to replace the Logistic map in Sec. 3.1. 7

With a memory unit allocated to store N max N 0 + 1 variables B[N 0 ] B[N max ] representing C i = N 0 C i = N max respectively, we propose to change the encryption/decryption procedure as follows: Encryption procedure: For the j th plain-character m i, firstly reset all B[j](j = N 0 N max ) to zero, and iterate the chaotic system starting from x (i 1) 0 for N 0 times, set C i = N 0, and then perform the following operations: C i = C i f be (x), B[C i ] + +, if the current chaotic state x satisfying f S (x) = m i, then a 2-tuple ciphertext (C i, B[C i ]) is generated and set x (i) 0 = x and then goto the next plain-character m i+1 ; otherwise, repeat this procedure until a ciphertext is generated. Decryption procedure: For each ciphertext unit (C i, B i ), firstly iterate the chaotic system for N 0 times and set C i = N 0, then perform the following operations: if C i f be (x) = C i for the Bj th times then use the current chaotic state x to derive the plain-character m i and goto the next ciphertext unit (C i+1, B i+1 ); otherwise iterate the chaotic system and C i ++ for 1 iteration, until the above condition is satisfied. In Figure 2 we give flow charts of the above rectified encryption and decryption procedures, in which B[j] = 0 denotes resetting all B[j] to zero, C i = N 0 denotes N 0 chaotic iterations and C i = N 0, and C i + + denotes one chaotic iteration and C i + +. Compared with the original Baptista s cryptosystem, this rectified cryptosystem manages to solve the above-discussed defect with a cost of adding implementation complexity: (1) Extra memory is needed to store N max N 0 +1 variables B[j]. When each B[j] is stored as a 2-byte integer, the memory size is 2 (N max N 0 +1) bytes. When N max = 65532 and N 0 = 250, it is not greater than 128 KB. (2) The encryption speed becomes lower since N max N 0 + 1 variables B[j] should be set to zero for each plain-character; (3) The size of the ciphertext is made even longer: B[C i ] is added into each ciphertext unit. Fortunately, the requirement on extra memory is acceptable in all digital computers nowadays (128 KB is not so much for a computer with over tens or hundreds MB memory), and the encryption speed will not be influenced much when this rectified cipher is implemented in hardware with parallel support: all N max N 0 + 1 variables B[j] can be reset to zero within a clock cycle simultaneously, which eliminates the negative effect on the encryption speed. In addition, chaotic iteration can be run in parallel with C i = C i f be (x), 8

(C i, B i ) m i B[j] = 0 b = 0 C i N 0 Cɶ i = N 0 Ci C ( ) i fbe x B[C i ] ++ C i Ci = C ɶ ( )? i fbe x Yes No C ɶ i + + f S (x) = m i? No b ++ Yes x (i) 0 = x (C i, B[C i ]) a) Encryption procedure b = B i? No Yes m i = f S (x) b) Decryption procedure Fig. 2. Decryption/decryption procedures of the rectified Baptista s cryptosystem B[C i ] + + and f S (x) = m i? with pre-calculation and delay design. Therefore, we think the above rectification is still practical to enhance the performance of Baptista s cryptosystem. Moreover, the enlargement of the ciphertext size can be effectively minimized by some methods, which will be discussed in the next subsection. 2.4 Minimizing the enlargement of the ciphertext size In the rectified cryptosystem, the ciphertext size is prolonged. Some methods can be used to overcome this problem. Here, we introduce two of them. The first method is to use variable-length ciphertext. In the above-developed rectified cryptosystem, we can change the ciphertext as follows: When B[C i ] = 1 and N 0 C i < N max, output C i as the ciphertext; When B[C i ] = 1 and C i = N max, output (N max, 0) as the ciphertext; When B[C i ] > 1, output (N max, B[C i ], C i ) as the ciphertext. 9

Assume the size of C i is n. We can calculate the mathematical expectation of the ciphertext size corresponding to one plain-character, as follows: (1 P c,1 ) (P { N 0 C i < N max } n + P { C i = N max } 2n ) + Pc,1 3n. (8) Since P { C i = N max } P { N0 C i < N max }, it can be approximately reduced to: (1 P c,1 ) n + P c,1 3n = (1 + 2P c,2 ) n. (9) Generally 0 P c,1 1, so it is only a little bit greater than n, which is the ciphertext size of the original Baptista s cryptosystem. Another method is to use the compression algorithm suggested in [7,10]. Since both C i and B[C i ] have exponentially decreasing distributions, it is natural to use lossless entropy-based compression algorithms to make the ciphertext size shorter. Following the deduction given in [10], assuming the bit size of C i is n, we know that the average size of the compressed C i will be n/2. Since generally 0 P c,1 1, it is obvious that the average size of a compressed B[C i ] will be close to 1 from a probabilistic point of view. That is, the average ciphertext size corresponding to one plaintext will be close to n + 1. Actually, we can also combine the above two methods to obtain a better solution. Using a compressed C i in the first method can successfully reduce the average ciphertext size to about n/2. 3 Some new problems of Baptista s chaotic cryptosystems and their corresponding countermeasures 3.1 Problems of the Logistic map In the original Baptista s chaotic cryptosystem and all its modifications proposed thus far, the Logistic map is used as the employed chaotic system. But the Logistic map is not a good chaotic system for encryption for the following reasons: Non-uniform visit probability of each ǫ-interval. As we know, the Logistic map has a non-uniform invariant density function, which cause the visit probability to each ǫ-interval theoretically different. Experimental data given in Fig. 2 of [1] have shown such a disadvantage, but M. S. Baptista [1] did not consider it as a negative factor to security. From a cryptographical point of view, this issue indeed is not desirable and may be vulnerable to some subtle statistics-based attacks. In fact, such a disadvantage has been successfully utilized to design an entropy-based attack by G. Alvarez et al. in [9]. 10

Limits on the control parameter b. It is well-known that the Logistic map is chaotic when b > 3.5699 and is completely chaotic only when b = 4. To ensure that the generated orbit is sufficiently chaotic, the sub-key b must be sufficiently close to 4, which limits the key space to be a small set near 4. In addition, dynamics of the Logistic map with different values of control parameter b are different, which may be utilized to develop some new attacks. In [10], we have shown a similar risk existing in E. Alvarez et al. s chaotic cryptosystem. To avoid the above problems of the Logistic map, we suggest using the following piecewise linear chaotic maps (PWLCM) with the onto property to replace the Logistic map. Given a real interval X = [α, β] R, consider the following PWLCM, F : X X: i = 1 m, F(x) C i = F i (x) = a i x + b i, (10) where {C i } m i=1 is a partition of X, satisfying m i=1 C i = X and i j, C i C j =. We say the above PWLCM satisfies the piecewise onto property if each linear segment is mapped onto X by F i : i = 1 m, F i (C i ) = X. A typical example of PWLCM with the onto property is the following skew tent map with a single control parameter p (0, 1): x/p, x [0, p], F(x) = (1 x)/(1 p), x (p, 1]. (11) A PWLCM with the onto property is generally chaotic and has the following good dynamical properties on its defining interval X [12,13]: (1) Its Lyapunov exponent λ = m i=1 C i ln C i satisfying 0 < λ < ln m; (2) It is exact, mixing and ergodic; (3) It has a uniform invariant density function, f(x) = 1/ X = 1/(β α); (4) Its auto-correlation function τ(n) = 1 N 1 σ 2 lim 1 N N (x i x)(x i+n x) approaches zero as n, where x, σ are the mean value and the variance i=0 of x, respectively; if m sign(a i ) C i 2 = 0, τ(n) = δ(n). i=1 Besides the above properties, PWLCM are also the simplest chaotic maps from a realization point of view. In addition, some theoretical results on a direct digital realization of such maps has been rigorously established [14, Chap. 3], which are useful for optimizing the implementation of Baptista s chaotic cryptosystem. 11

3.2 Problems of the secret key In the original Baptista s cryptosystem, the association map f S also serves as part of the whole secret key. But we believe that f S should not be included in the secret key from an implementation consideration: it is too long for most humans to remember. If a secret algorithm is used to generate f S, then the secret key will be changed from f S to the key of the secret algorithm, which is easier to implement. In [9], the correlation between sub-key b and x 0 has been used to develop some theoretical attacks. To avoid potential dangers, it is advisable to use only control parameter(s) as the secret key. 3.3 Dynamical degradation of digital chaotic systems In all versions of Baptista s chaotic cryptosystems, dynamical degradation of digital chaotic systems is neglected. However, it has been found that dynamics of chaotic systems can easily collapse in the digital world, and the dynamical degradation may make some negative influences on the performance of digital chaos-based applications [14, 2.5]. Also, dynamical degradation may enlarge differences among different visiting probabilities of different ǫ-intervals. Therefore, some methods should be used to improve such dynamical degradation of the employed chaotic system in Baptista s chaotic cryptosystems, which will ensure the visit probability of each ǫ-interval be close enough to the theoretical value. As we discussed in [7, 2.5.2 and 3.4.1], a pseudorandom perturbation algorithm is desirable and hence is recommended: use a simple pseudo-random number generator (PRNG) to generate a small signal, to perturb the concerned chaotic orbit every 1 iterations. 3.4 A trivial problem when C i > N max The original Baptista s cryptosystem did not consider what one should do if C i > N max. It seems presumes that C i will never be greater than N max. However, this is obviously not true. Here, assume F(x) visits each ǫ-interval with the same probability, p = 1/S. We can deduce P {C i > N max } = P {C i N 0 > N max N 0 } = (1 p) Nmax N 0. (12) Calculations show that when N max N 0 > 10000 this probability goes to zero (in IEEE double precision floating-point arithmetic). Although this probability is very small when N max is large enough, it is nevertheless non-zero. 12

To make the cryptosystem rigorously complete, we can use the following (n + n {}}{ 1)-tuple data to replace C i when C i N max : ( N max,, N max, c i ), where the number of total chaotic iterations is equal to C i = N max n + c i. Apparently, n {}}{ ( N max,, N max, c i ) can be represented in a more brief format: (N max, n, c i ). When C i = N max, the 3-tuple ciphertext (N max, n, c i ) can be further reduced to (N max, 0). In fact, it is also acceptable to modify the original cryptosystem as follows: once C i = N max occurs, immediately output a 2-tuple data (N max, m i ) instead of C i. Considering P {C i > N max } is very small, such a tiny information leaking does no harm on the security of the cryptosystem overall. Acknowledgements The authors would like to thank Prof. L. Kocarev for his e-mails to the first author, which motivated the authors to carefully review their previous work reported in [7] thereby leading to the discovery of the defect described in Sec. 2.2 of this Letter. THis research was partially supported by the Applied R&D Centers of the City University of Hong Kong under grants no. 9410011 and no. 9620004. References [1] M. S. Baptista, Cryptography with chaos, Physics Letters A 240 (1-2) (1998) 50 54. [2] W.-K. Wong, L.-P. Lee, K.-W. Wong, A modified chaotic cryptographic method, Computer Physics Communications 138 (3) (2001) 234 236. [3] K.-W. Wong, A fast chaotic cryptographic scheme with dynamic look-up table, Physics Letters A 298 (4) (2002) 238 242. [4] K.-W. Wong, A combined chaotic cryptographic and hashing scheme, Physics Letters A 307 (5-6) (2003) 292 298. [5] K.-W. Wong, S.-W. Ho, C.-K. Yung, A chaotic cryptography scheme for generating short ciphertext, Physics Letters A 310 (1) (2003) 67 73. [6] A. Palacios, H. Juarez, Cryptography with cycling chaos, Physics Letters A 303 (5-6) (2002) 345 351. 13

[7] S. Li, X. Mou, Z. Ji, J. Zhang, Y. Cai, Performance analysis of Jakimoski- Kocarev attack on a class of chaotic cryptosystems, Physics Letters A 307 (1) (2003) 22 28. [8] G. Jakimoski, L. Kocarev, Analysis of some recently proposed chaos-based encryption algorithms, Physics Letters A 291 (6) (2001) 381 384. [9] G. Alvarez, F. Montoya, M. Romera, G. Pastor, Cryptanalysis of an ergodic chaotic cipher, Physics Letters A 311 (2-3) (2003) 172 179. [10] S. Li, X. Mou, Y. Cai, Improving security of a chaotic encryption approach, Physics Letters A 290 (3-4) (2001) 127 133. [11] K. R. Castleman, Digital Image Processing, Prentice Hall Inc., New York, 1996. [12] A. Baranovsky, D. Daems, Design of one-dimensional chaotic maps with prescribed statistical properties, Int. J. Bifurcation and Chaos 5 (6) (1995) 1585 1598. [13] A. Lasota, M. C. Mackey, Chaos, Fractals, and Noise - Stochastic Aspects of Dynamics, 2nd Edition, Springer-Verlag, New York, 1997. [14] S. Li, Analyses and new designs of digital chaotic ciphers, Ph.D. thesis, School of Electronics & Information Engineering, Xi an Jiaotong University, Xi an, China, available online at http://www.hooklee.com/pub.html (June 2003). 14

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback