Framework for the analysis and designof encryption strategies

based on discrete-timechaotic dynamical systems

David Arroyo Guardeno

From chaos to cryptography

1

Why?

2

How?

Criticalcontexts

3

Design Rules 3

Perfect secrecy

Good mixingproperties. . .

Hopf: doughrolling andfolding. . .

Sensitivity

Initial condition

Controlparameter

Diffusion

Mixing Ergodicity Confusion

ENCRYPTION

T = R

Chaos incontinuous time

T = Z

Chaos indiscrete time

Chaos incontinuous time

ENCRYPTION

T = R

Chaos incontinuous time

Synchronization

T = Z

Chaos indiscrete time

Chaos incontinuous time

ENCRYPTION

T = R

Chaos incontinuous time

Synchronization

Security problems

T = Z

Chaos indiscrete time

Chaos incontinuous time

ENCRYPTION

T = R

Chaos incontinuous time

Synchronization

Security problems

T = Z

Chaos indiscrete time

Chaos incontinuous time

DifferentialEquations

ENCRYPTION

T = R

Chaos incontinuous time

Synchronization

Security problems

T = Z

Chaos indiscrete time

Chaos incontinuous time

DifferentialEquations

Dimension > 2

ENCRYPTION

T = R

Chaos incontinuous time

Synchronization

Security problems

T = Z

Chaos indiscrete time

Chaos incontinuous time

DifferentialEquations

Dimension > 2

Efficiency problems

ENCRYPTION

T = R

Chaos incontinuous time

Synchronization

Security problems

T = Z

Chaos indiscrete time

Chaos incontinuous time

DifferentialEquations

Dimension > 2

Efficiency problems

How to design

secure digital

chaos-based cryptosystems

Avoid critical contexts

Conventional cryptography

Standards

Commitments

Conventional attacks

Chaos theory

Loss of chaoticity

Reconstruction of the

underlying dynamics

Avoid critical contexts

Conventional cryptography

Standards

Commitments

Conventional attacks

Chaos theory

Loss of chaoticity

Reconstruction of the

underlying dynamics

1

Why?

2

How?

Criticalcontexts

Loss of chaoticity

3

Design Rules 3

For xk+1 = f (λ ,xk) = fλ(xk)

it can not be assumed

chaos for all λ

C. Chee and D.Xu,“Chaotic encryption using discrete-time synchronous chaos,” Physics

Letters A, 2006, 348, 284-292

xk+1 =

[uk+1

vk+1

]=

[1−δ ·u2

k +vk

β ·vk

]

δ = ψ (pk) ·µ1 (vk)

β = µ2 (vk)

−0.4 −0.2 0 0.2 0.4

1.2

1.4

1.6

1.8

2

β

δ

Periodic

Unbounded

0 0.5 1 1.5 2 2.5 3

x 1014

−0.2

0

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

Plaintext block values

Asy

mpt

otic

val

ues

David Arroyo et al.,“Cryptanalysis of a discrete-time syn-chronous chaotic encryption system,”

Physics Letter A, 2008, 372, 1034-1039

1

Why?

2

How?

Criticalcontexts

Reconstruction of dynamics

3

Design Rules 3

Estimation of λ and/or x0 after applyingconventional attacks

1 Access to chaotic orbits2 We can measure the entropy of the

underlying chaotic map3 Access to samples of chaotic orbits4 Access to coarse-grained versions of

chaotic orbits

xi+1

xia bxc

xi+1 = f (xi)

Orbit : {x0,x1, . . .}f (a) = f (b), f (xc)≤ b

xc = Single turning point

f continuous in [a,b]

xi+1

xi

Logistic map: xi+1 = λxi(1−xi)

λ

0 1xc

xi+1

xi

Skew tent map: xi+1 =

{xi/λ 0 < xi < λ

(1−xi)/(1−λ ) λ ≥ xi < 1

λ

0 1

Access to chaotic orbits

Ciphertext is a function of a chaotic orbit

Access to chaotic orbits

Ciphertext is a function of a chaotic orbit

Only the chaotic orbit is secret

Access to chaotic orbits

Ciphertext is a function of a chaotic orbit

Only the chaotic orbit is secret

Kerckhoff’s principle:we know the function and

xn+1 = f (λ ,xn),xn ∈ Rm

Access to chaotic orbits

Ciphertext is a function of a chaotic orbit

Only the chaotic orbit is secret

Kerckhoff’s principle:we know the function and

xn+1 = f (λ ,xn),xn ∈ Rm

Estimation of λ from m +1 units of ciphertext

B. Ling et al.,“Chaotic filter bank for computercryptography,” Chaos, Solitons

and Fractals, 2007, 34, 817-824

Plaintext: {pn}

tn = K ∑∀j

pjh2n−j

t ′n = K ′∑∀j

pjh′2n−j

vn = tn + t ′n +sn

v ′n = t ′n−vn−s′n

Plaintext: {pn}

tn = K ∑∀j

pjh2n−j

t ′n = K ′∑∀j

pjh′2n−j

vn = tn + t ′n +sn

v ′n = t ′n−vn−s′nLogistic map

Plaintext: {pn}

tn = K ∑∀j

pjh2n−j

t ′n = K ′∑∀j

pjh′2n−j

vn = tn + t ′n +sn

v ′n = t ′n−vn−s′n

Ciphertext: {vn} ,{v ′n}, Key: λ ,λ ′,s0,s′0

Logistic map

Known-plaintext attack: {pn}, {vn}, {v ′n}

sn = vn− tn− t ′ns′n = t ′n−vn−v ′n

λ =sn+1

sn(1−sn)

λ′ =

s′n+1s′n(1−s′n)

David Arroyo et al., “Cryptanalysisof a computer cryptography schemebased on a filter bank,” Chaos, Soli-tons and Fractals, 2009, 41, 410-413

1

Why?

2

How?

Criticalcontexts

Entropy of the underlying chaotic map

3

Design Rules 3

Entropy

Orbit⇒ Probability distribution

Discretization ofthe phase space

Discretization in thefrequency domain

Relative energy ofresolution levels

Relative number ofvalues in subintervals

n-gram conditional entropySplit the phase space into J disjoint intervals

Convert chaotic orbits into sequences of symbols

Group the symbols into words of length n

pr (n)i : probability of i-th word, 0≤ i ≤ Jn

Hn =−∑Jn

i=1 pr (n)i logpr (n)

i

hn = Hn+1−Hn, h0 = H1

Conditional entropy of the logistic map

3.5 3.6 3.7 3.8 3.9 40

0.1

0.2

0.3

0.4

0.5

0.6

0.7

λ

h nn=4n=6n=8n=10n=12

Conditional entropy of the skew tent map

0 0.2 0.4 0.6 0.8 10

0.1

0.2

0.3

0.4

0.5

0.6

0.7

λ

h n

n=4n=6n=8n=10n=12

Multiresolution Entropy

1000 2000 3000 4000 5000 6000 7000 8000 90000

0.2

0.4

MR

ET

1

λ=3.5λ=3.8123λ variable

1000 2000 3000 4000 5000 6000 7000 8000 90000

0.2

0.4

MR

ET

2

λ=3.5λ=3.8123λ variable

1000 2000 3000 4000 5000 6000 7000 80000

0.2

0.4

Temporal variable

MR

ET

3

λ=3.5λ=3.8123λ variable

High level of entropy

without leaking

the values of λ

1

Why?

2

How?

Criticalcontexts

Samples of chaotic orbits

3

Design Rules 3

Shape of histogramsof chaotic orbitsdepending on λ

Sampling on chaotic orbits

Estimation of λ

A.N. Pisarchik et al. “Encryp-tion and decryption of images

with chaotic map lattices,” Chaos,2006, 16, Art. No. 033118

Logistic map, xmin = λ 2

4 (1− λ

4 ), xmax = λ

4 , plaintext {pi}Ji=1

r = 1,{

y0i

}= {pi}

x0 =

{y r−1

J if i = 1y r

i i .o.c

Iterate n times the logistic map from x0 to get xn

y ri = xn +y r−1

i and subtract xmax −xmin until y ri ∈ [xmin,xmax ]

x0 =

{y r−1

J if i = 1y r

i i .o.c

Iterate n times the logistic map from x0 to get xn

y ri = xn +y r−1

i and subtract xmax −xmin until y ri ∈ [xmin,xmax ]

r = r +1

r < R

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10

10

20

30

40

50

60

70

80

λ/4λ2(1−λ/4)

Ciphertext-only attack

xmax = max{

yRi

}

λ ≈ λ = 4 · xmax

David Arroyo et al., “On the securityof a new image encryption scheme

based on chaotic map lattices,”Chaos, 2008, 18, Art. No. 033112

1

Why?

2

How?

Criticalcontexts

Coarse-grained versions of chaotic orbits

3

Design Rules 3

Assign a partition to the phase space

1 Stream cipher2 Searching based chaotic ciphers

Stream cipherxi+1

xia bxcxL

i xRi

xi+1

Stream cipherxi+1

xia bxcx0

Stream cipherxi+1

xia bxcx0

L

Stream cipherxi+1

xia bxc

xi+1 = xi

x0 x1

L R

Stream cipherxi+1

xia bxc

xi+1 = xi

x0 x1x2

L R R

Stream cipherxi+1

xia bxc

xi+1 = xi

x0 x1x2

0 1 1 ... Binary sequence

A.P. Kurian and S. Puthusserypady,“Self-synchronizing chaoticstream ciphers,” Signal Pro-

cessing, 2008, 88, 2442-2452

Logistic map

Skew tent map

≥ xc

⊕Shuffler

Plaintext

CiphertextBks

Binit

Logistic map

Skew tent map

≥ xc

⊕Shuffler

0

Bsh = π(Binit||Bks) =Bsh(λ, x0)

Bks Bks

Binit

Chosen-plaintext attack

Bsh(λ ,x0)⇒ Pr1 ={

pr (1)j

}2N

j=1

Bks(λ i ,xk)⇒ Pr(i ,k) ={

pr (i ,k)j

}2N

j=1

Wootters’ distance

DW (Pr1,Pr(i ,k)) = cos−1

(2N

∑j=1

√pr (1)

j ·pr (i ,k)j

)

0 0.2 0.4 0.6 0.8 10

0.5

1

0

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

λ

Woo

tters

’ dis

tanc

e

x0

3.83.85

3.93.95

0.2

0.4

0.6

0.8

1

1.1

1.2

1.3

1.4

1.5

λ

x0

Woo

tters

’ dis

tanc

e

David Arroyo et al.,“Cryptanalysis of a family of self-

synchronizing chaotic streamciphers”, Submitted to Signal

Processing on 17 March, 2009

1

Why?

2

How?

Criticalcontexts

Coarse-grained versions of chaotic orbits

3

Design Rules 3

Searching based chaotic ciphersP

hase

spac

eP

laintextalphabet

a1

a2

ak

a|A|

Partition

Searching based chaotic ciphersP

hase

spac

eP

laintextalphabet

ak

f Mλ (x0 )

M=ciphertext

f (0)(x)

xa bxc

0 1

f (x)

x

xc

a bxc

00 01 11 10

f (2)(x)

x

xc

a bxc

000 001 011 010110 111 101 100

X. Wang et al.,“A new chaotic cryptography based

on ergodicity,” International Journal ofModern Physics B, 2008, 22, 901-908

Logistic map: x0 and λ secret key

pi is a word with w bits

Ciphertext: number ofiterations to find pi in the

binary sequence generatedfrom the logistic map

Symbolic dynamics of unimodal maps

Chosen-ciphertext attack

Gray Ordering NumberGM(λ ,x) = g0g1 · · ·gM−1, gi ∈ {0,1}gi = 0⇔ f (i)

λ(x) < xc

gi = 1⇔ f (i)λ

(x)≥ xc

g0 b0

b1g1

b2

bM−1

g2

gM−1

GON(GM(λ ,x)) = 2−1 ·b1 +2−2 ·b2 + . . .+2−(n−1) ·bn−1

GON for the logistic map

0 0.2 0.4 0.6 0.8 10

0.2

0.4

0.6

0.8

1

x

GO

N(P

f λn(x

))

λ=3.4

GON for the logistic map

0 0.2 0.4 0.6 0.8 10

0.2

0.4

0.6

0.8

1

x

GO

N(P

f λn(x

))

λ=3.6

GON for the logistic map

0 0.2 0.4 0.6 0.8 10

0.2

0.4

0.6

0.8

1

x

GO

N(P

n f λ(x))

λ=3.8

GON for the logistic map

0 0.2 0.4 0.6 0.8 10

0.2

0.4

0.6

0.8

1

x

GO

N(P

f λn(x

))

λ=4

GON for the logistic map and x0 = fλ(xc)

3 3.2 3.4 3.6 3.8 40.65

0.7

0.75

0.8

0.85

0.9

0.95

1G

ON

(Pf λn(f

λ(xc))

)

λ

GON for the logistic map and x0 = fλ(xc)

Binary sequence of length N

Sliding window of length M and compute GON

Estimation of λ through a binary search from the maximum GON

GONM(λ , λ

4 ) = GONmax

Estimation of x0 using the estimation of λ and the binary sequence

Chosen-ciphertext attack

Ask for the decryption of w · i

0 returns the first w bits,w the following w bits, . . .

GM(x0,λ )⇒ λ ,x0

Parameter estimation error

0 2 4 6 8 10

x 105

10−12

10−10

10−8

10−6

10−4

c es

timat

ion

erro

r (L

ogar

ithm

ic s

cale

)

M

Error in the estimation of the initialcondition

10 20 30 40 50 6010

−20

10−15

10−10

10−5

100

x 0 est

imat

ion

erro

r (L

ogar

ithm

ic s

cale

)

N

David Arroyo et al.,“Cryptanalysis of a new chaotic

cryptosystem based on ergodicity,”International Journal of ModernPhysics B, 2009, 23, 651-659

1

Why?

2

How?

Criticalcontexts

Searching based chaotic ciphers: unimodal maps

3

Design Rules 3

Previous attack only works if

GONM(λ , fλ(xc))

depends on

on the control parameter

Is the cryptosystem secure

if the logistic map

is replaced by

the skew tent map?

David Arroyo et al., “Estimationof the control parameter from

symbolic sequences: Unimodalmaps with variable critical point,”

Chaos, 2009, 19, Art. No. 023125

λ can be estimatedfrom the PDF oforder patterns

xi+i = f (xi)

[x0,x1,x2, . . . ,xL−1]

π(x0) = [π0,π1, . . . ,πL−1]

πi permutation |πi 7→ i

f π0(x0) < f π1(x0) < · · ·< f πL−1(x0)

xi+1

xi

f : [0,1]→ [0,1],xi+1 = f (xi) =

{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1

0 1

xi+1

xi

[0.31225,

f : [0,1]→ [0,1],xi+1 = f (xi) =

{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1

0 1

xi+1

xi

[0.31225,

f : [0,1]→ [0,1],xi+1 = f (xi) =

{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1

0 1

xi+1

xi

[0.31225,0.6245

f : [0,1]→ [0,1],xi+1 = f (xi) =

{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1

0 1

xi+1

xi

[0.31225,0.6245

f : [0,1]→ [0,1],xi+1 = f (xi) =

{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1

0 1

xi+1

xi

[0.31225,0.6245,0.751,

f : [0,1]→ [0,1],xi+1 = f (xi) =

{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1

0 1

xi+1

xi

[0.31225,0.6245,0.751,

f : [0,1]→ [0,1],xi+1 = f (xi) =

{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1

0 1

xi+1

xi

[0.31225,0.6245,0.751,0.498]

f : [0,1]→ [0,1],xi+1 = f (xi) =

{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1

0 1

xi+1

xi

[0.31225,0.6245,0.751,0.498]⇒ π(0.31225) = [0,3,1,2]

f : [0,1]→ [0,1],xi+1 = f (xi) =

{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1

0 1

The intersections between

f 0(x), f 1(x), . . . , f L−1(x)

determine intervals

with initial conditions

leading to the same order pattern

0 0.2 0.4 0.6 0.8 10

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

f0(x)f1(x)

f2(x)f3(x)

Order patterns

can be used to assign a partition

to the definition domain

fλ : I→ I, I ⊂ R, λ ∈ J ⊂ R

Pπ = {x ∈ I : x generates the order pattern π}

Pπ depends on λ through fλ

xi+1

xi

Skew tent map: xi+1 =

{xi/λ , 0 < xi < λ

(1−xi)/(1−λ ), λ ≥ xi < 1

λ

0 1

0 0.2 0.4 0.6 0.8 10

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

λ

f λ (k) (x

)

fλ(1)(x)

fλ(2)(x)

fλ(3)(x)

fλ(0)(x)

[0,1,2,3]

�

[0,1,3,2]

�[0,3,1,2]

�[3,0,1,2]

�

[0,3,1,2]

�

[0,2,1,3]

�[2,3,0,1]

�

[2,0,3,1]

�

[2,0,1,3]

�[3,1,0,2]

�[1,3,2,0]

�

[1,2,3,0]

�

[1,2,0,3]

�[1,2,3,0]�

0 0.2 0.4 0.6 0.8 10

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

λ

f λ (k) (x

)

fλ(3)(x)

fλ(2)(x)

fλ(1)(x)

fλ(0)(x)

[0,1,2,3]

�

[0,1,3,2]

�

[0,3,1,2]

�[3,0,1,2]

�[0,3,1,2]

�

[0,2,1,3]

�

[2,0,3,1]

�[2,3,0,1]

�

[2,0,3,1]

�

[2,0,1,3]

�

[3,1,0,2]

�[1,3,2,0]

�[1,2,3,0]�[1,2,0,3]

[1,2,3,0]

�

Order pattern [0,1, . . . ,L−1]

determined by the

leftmost intersection

of the iterates f L−2λ

and f L−1λ

fλ ergodic with invariant measure µ

Ofλ (x) = {f n(x) : n ∈N∪{0}}

Ofλ (x) visits Pπ withrelative frequency µ(Pπ)

Orbit of length M

Sliding window of width L

M−L+1 order L-patterns

Compute the relative fre-quency of each order pattern

For some fλ(x)

1-to-1 relation between

the relative frequency

of some order pattern

and the control parameter λ

Skew tent map

f nλ(x) =

{x/λ n, if 0≤ x ≤ λ n

(λ n−1−x)/λ n−1(1−λ ), if λ n ≤ x ≤ λ n−1

P[0,1,...,L−1] = (0,φL(λ )), with

φL(λ ) =λ L−2

2−λ

L = 4⇒ φ4 = λ 2

2−λ

0 0.2 0.4 0.6 0.8 10

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

λ

Ord

er p

atte

rn fr

eque

ncy

Skew tent map

Unimodal map

x1 < x2⇒G(x1)≤G(x2)

Order patterns from “coarse-grained” orbits

Error in the estimation of λ

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 110

−4

10−3

10−2

λ

Mea

n er

ror

valu

e (L

ogar

ithm

ic s

cale

)

Finite precision arithmetics

Digital degradation of dynamics

Non-perfect recovery of λ

1

Why?

2

How?

Criticalcontexts

3

Design Rules 3

Digital chaos-based cryptosystem

Encryption architecture

Stream cipher

Linear complexity

Correlation attacks

. . .

Block cipher

Differential attack

Linear attacks

. . .

Chaotic map

Loss of chaoticity

Bijections in entropy measures

Leaking of the underlying order

Defective probability distribution

Design rules I

1 Assure the chaotic behavior of theunderlying dynamical systems

2 Guarantee avalanche effect3 High level of entropy without leaking of

the values of control parameters4 Definition of the ciphertext avoiding the

reconstruction of the underlying chaoticdynamics

Design rules II

5 Chaotic maps with flat histograms andwidth of the phase space independent ofthe control parameters

6 Selection of chaotic maps with highsensitivity to control parameter mismatch

7 The number of iterations of chaotic mapscan not be part of the key

0 50 1000

50

100

150Control parameter a=3.8204607418

Tim

e in

sec

onds

n × j

0 50 1000

50

100

150Control parameter a=3.8294707872

Tim

e in

sec

onds

n × j

0 50 1000

50

100

150Control parameter a=3.8743936381

Tim

e in

sec

onds

n × j0 50 100

0

50

100

150Control parameter a=3.9771765651

Tim

e in

sec

onds

n × j

j=1

j=2

j=3

David Arroyo et al.,“On the security of a new image

encryption scheme based onchaotic map lattices,” Chaos,2008, 18, Art. No. 033112

SCI

Chaos-basedcryptography 5

Unimodalmaps 7

CONFERENCES

International 8

National 8

Future work

Problems detected in unimodal maps

Multimodal maps

Discrete chaos

Other sources of chaos

Chaotic map

Encryptionarchitecture

Practicalimplementation

Design ofchaos-based cryptosystems

needs of cryptography+

analysis of chaotic dynamics

Framework for the analysis and designof encryption strategies

based on discrete-timechaotic dynamical systems

http://hdl.handle.net/10261/15668

david.arroyo@iec.csic.es