framework for the analysis and design of encryption strategies based on discrete-time chaotic...
TRANSCRIPT
Framework for the analysis and designof encryption strategies
based on discrete-timechaotic dynamical systems
David Arroyo Guardeno
From chaos to cryptography
1
Why?
2
How?
Criticalcontexts
3
Design Rules 3
Perfect secrecy
Good mixingproperties. . .
Hopf: doughrolling andfolding. . .
Sensitivity
Initial condition
Controlparameter
Diffusion
Mixing Ergodicity Confusion
ENCRYPTION
T = R
Chaos incontinuous time
T = Z
Chaos indiscrete time
Chaos incontinuous time
ENCRYPTION
T = R
Chaos incontinuous time
Synchronization
T = Z
Chaos indiscrete time
Chaos incontinuous time
ENCRYPTION
T = R
Chaos incontinuous time
Synchronization
Security problems
T = Z
Chaos indiscrete time
Chaos incontinuous time
ENCRYPTION
T = R
Chaos incontinuous time
Synchronization
Security problems
T = Z
Chaos indiscrete time
Chaos incontinuous time
DifferentialEquations
ENCRYPTION
T = R
Chaos incontinuous time
Synchronization
Security problems
T = Z
Chaos indiscrete time
Chaos incontinuous time
DifferentialEquations
Dimension > 2
ENCRYPTION
T = R
Chaos incontinuous time
Synchronization
Security problems
T = Z
Chaos indiscrete time
Chaos incontinuous time
DifferentialEquations
Dimension > 2
Efficiency problems
ENCRYPTION
T = R
Chaos incontinuous time
Synchronization
Security problems
T = Z
Chaos indiscrete time
Chaos incontinuous time
DifferentialEquations
Dimension > 2
Efficiency problems
How to design
secure digital
chaos-based cryptosystems
Avoid critical contexts
Conventional cryptography
Standards
Commitments
Conventional attacks
Chaos theory
Loss of chaoticity
Reconstruction of the
underlying dynamics
Avoid critical contexts
Conventional cryptography
Standards
Commitments
Conventional attacks
Chaos theory
Loss of chaoticity
Reconstruction of the
underlying dynamics
1
Why?
2
How?
Criticalcontexts
Loss of chaoticity
3
Design Rules 3
For xk+1 = f (λ ,xk) = fλ(xk)
it can not be assumed
chaos for all λ
C. Chee and D.Xu,“Chaotic encryption using discrete-time synchronous chaos,” Physics
Letters A, 2006, 348, 284-292
xk+1 =
[uk+1
vk+1
]=
[1−δ ·u2
k +vk
β ·vk
]
δ = ψ (pk) ·µ1 (vk)
β = µ2 (vk)
−0.4 −0.2 0 0.2 0.4
1.2
1.4
1.6
1.8
2
β
δ
Periodic
Unbounded
0 0.5 1 1.5 2 2.5 3
x 1014
−0.2
0
0.2
0.4
0.6
0.8
1
1.2
1.4
1.6
Plaintext block values
Asy
mpt
otic
val
ues
David Arroyo et al.,“Cryptanalysis of a discrete-time syn-chronous chaotic encryption system,”
Physics Letter A, 2008, 372, 1034-1039
1
Why?
2
How?
Criticalcontexts
Reconstruction of dynamics
3
Design Rules 3
Estimation of λ and/or x0 after applyingconventional attacks
1 Access to chaotic orbits2 We can measure the entropy of the
underlying chaotic map3 Access to samples of chaotic orbits4 Access to coarse-grained versions of
chaotic orbits
xi+1
xia bxc
xi+1 = f (xi)
Orbit : {x0,x1, . . .}f (a) = f (b), f (xc)≤ b
xc = Single turning point
f continuous in [a,b]
xi+1
xi
Logistic map: xi+1 = λxi(1−xi)
λ
0 1xc
xi+1
xi
Skew tent map: xi+1 =
{xi/λ 0 < xi < λ
(1−xi)/(1−λ ) λ ≥ xi < 1
λ
0 1
Access to chaotic orbits
Ciphertext is a function of a chaotic orbit
Access to chaotic orbits
Ciphertext is a function of a chaotic orbit
Only the chaotic orbit is secret
Access to chaotic orbits
Ciphertext is a function of a chaotic orbit
Only the chaotic orbit is secret
Kerckhoff’s principle:we know the function and
xn+1 = f (λ ,xn),xn ∈ Rm
Access to chaotic orbits
Ciphertext is a function of a chaotic orbit
Only the chaotic orbit is secret
Kerckhoff’s principle:we know the function and
xn+1 = f (λ ,xn),xn ∈ Rm
Estimation of λ from m +1 units of ciphertext
B. Ling et al.,“Chaotic filter bank for computercryptography,” Chaos, Solitons
and Fractals, 2007, 34, 817-824
Plaintext: {pn}
tn = K ∑∀j
pjh2n−j
t ′n = K ′∑∀j
pjh′2n−j
vn = tn + t ′n +sn
v ′n = t ′n−vn−s′n
Plaintext: {pn}
tn = K ∑∀j
pjh2n−j
t ′n = K ′∑∀j
pjh′2n−j
vn = tn + t ′n +sn
v ′n = t ′n−vn−s′nLogistic map
Plaintext: {pn}
tn = K ∑∀j
pjh2n−j
t ′n = K ′∑∀j
pjh′2n−j
vn = tn + t ′n +sn
v ′n = t ′n−vn−s′n
Ciphertext: {vn} ,{v ′n}, Key: λ ,λ ′,s0,s′0
Logistic map
Known-plaintext attack: {pn}, {vn}, {v ′n}
sn = vn− tn− t ′ns′n = t ′n−vn−v ′n
λ =sn+1
sn(1−sn)
λ′ =
s′n+1s′n(1−s′n)
David Arroyo et al., “Cryptanalysisof a computer cryptography schemebased on a filter bank,” Chaos, Soli-tons and Fractals, 2009, 41, 410-413
1
Why?
2
How?
Criticalcontexts
Entropy of the underlying chaotic map
3
Design Rules 3
Entropy
Orbit⇒ Probability distribution
Discretization ofthe phase space
Discretization in thefrequency domain
Relative energy ofresolution levels
Relative number ofvalues in subintervals
n-gram conditional entropySplit the phase space into J disjoint intervals
Convert chaotic orbits into sequences of symbols
Group the symbols into words of length n
pr (n)i : probability of i-th word, 0≤ i ≤ Jn
Hn =−∑Jn
i=1 pr (n)i logpr (n)
i
hn = Hn+1−Hn, h0 = H1
Conditional entropy of the logistic map
3.5 3.6 3.7 3.8 3.9 40
0.1
0.2
0.3
0.4
0.5
0.6
0.7
λ
h nn=4n=6n=8n=10n=12
Conditional entropy of the skew tent map
0 0.2 0.4 0.6 0.8 10
0.1
0.2
0.3
0.4
0.5
0.6
0.7
λ
h n
n=4n=6n=8n=10n=12
Multiresolution Entropy
1000 2000 3000 4000 5000 6000 7000 8000 90000
0.2
0.4
MR
ET
1
λ=3.5λ=3.8123λ variable
1000 2000 3000 4000 5000 6000 7000 8000 90000
0.2
0.4
MR
ET
2
λ=3.5λ=3.8123λ variable
1000 2000 3000 4000 5000 6000 7000 80000
0.2
0.4
Temporal variable
MR
ET
3
λ=3.5λ=3.8123λ variable
High level of entropy
without leaking
the values of λ
1
Why?
2
How?
Criticalcontexts
Samples of chaotic orbits
3
Design Rules 3
Shape of histogramsof chaotic orbitsdepending on λ
Sampling on chaotic orbits
Estimation of λ
A.N. Pisarchik et al. “Encryp-tion and decryption of images
with chaotic map lattices,” Chaos,2006, 16, Art. No. 033118
Logistic map, xmin = λ 2
4 (1− λ
4 ), xmax = λ
4 , plaintext {pi}Ji=1
r = 1,{
y0i
}= {pi}
x0 =
{y r−1
J if i = 1y r
i i .o.c
Iterate n times the logistic map from x0 to get xn
y ri = xn +y r−1
i and subtract xmax −xmin until y ri ∈ [xmin,xmax ]
x0 =
{y r−1
J if i = 1y r
i i .o.c
Iterate n times the logistic map from x0 to get xn
y ri = xn +y r−1
i and subtract xmax −xmin until y ri ∈ [xmin,xmax ]
r = r +1
r < R
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10
10
20
30
40
50
60
70
80
λ/4λ2(1−λ/4)
Ciphertext-only attack
xmax = max{
yRi
}
λ ≈ λ = 4 · xmax
David Arroyo et al., “On the securityof a new image encryption scheme
based on chaotic map lattices,”Chaos, 2008, 18, Art. No. 033112
1
Why?
2
How?
Criticalcontexts
Coarse-grained versions of chaotic orbits
3
Design Rules 3
Assign a partition to the phase space
1 Stream cipher2 Searching based chaotic ciphers
Stream cipherxi+1
xia bxcxL
i xRi
xi+1
Stream cipherxi+1
xia bxcx0
Stream cipherxi+1
xia bxcx0
L
Stream cipherxi+1
xia bxc
xi+1 = xi
x0 x1
L R
Stream cipherxi+1
xia bxc
xi+1 = xi
x0 x1x2
L R R
Stream cipherxi+1
xia bxc
xi+1 = xi
x0 x1x2
0 1 1 ... Binary sequence
A.P. Kurian and S. Puthusserypady,“Self-synchronizing chaoticstream ciphers,” Signal Pro-
cessing, 2008, 88, 2442-2452
Logistic map
Skew tent map
≥ xc
⊕Shuffler
Plaintext
CiphertextBks
Binit
Logistic map
Skew tent map
≥ xc
⊕Shuffler
0
Bsh = π(Binit||Bks) =Bsh(λ, x0)
Bks Bks
Binit
Chosen-plaintext attack
Bsh(λ ,x0)⇒ Pr1 ={
pr (1)j
}2N
j=1
Bks(λ i ,xk)⇒ Pr(i ,k) ={
pr (i ,k)j
}2N
j=1
Wootters’ distance
DW (Pr1,Pr(i ,k)) = cos−1
(2N
∑j=1
√pr (1)
j ·pr (i ,k)j
)
0 0.2 0.4 0.6 0.8 10
0.5
1
0
0.2
0.4
0.6
0.8
1
1.2
1.4
1.6
λ
Woo
tters
’ dis
tanc
e
x0
3.83.85
3.93.95
0.2
0.4
0.6
0.8
1
1.1
1.2
1.3
1.4
1.5
λ
x0
Woo
tters
’ dis
tanc
e
David Arroyo et al.,“Cryptanalysis of a family of self-
synchronizing chaotic streamciphers”, Submitted to Signal
Processing on 17 March, 2009
1
Why?
2
How?
Criticalcontexts
Coarse-grained versions of chaotic orbits
3
Design Rules 3
Searching based chaotic ciphersP
hase
spac
eP
laintextalphabet
a1
a2
ak
a|A|
Partition
Searching based chaotic ciphersP
hase
spac
eP
laintextalphabet
ak
f Mλ (x0 )
M=ciphertext
f (0)(x)
xa bxc
0 1
f (x)
x
xc
a bxc
00 01 11 10
f (2)(x)
x
xc
a bxc
000 001 011 010110 111 101 100
X. Wang et al.,“A new chaotic cryptography based
on ergodicity,” International Journal ofModern Physics B, 2008, 22, 901-908
Logistic map: x0 and λ secret key
pi is a word with w bits
Ciphertext: number ofiterations to find pi in the
binary sequence generatedfrom the logistic map
Symbolic dynamics of unimodal maps
Chosen-ciphertext attack
Gray Ordering NumberGM(λ ,x) = g0g1 · · ·gM−1, gi ∈ {0,1}gi = 0⇔ f (i)
λ(x) < xc
gi = 1⇔ f (i)λ
(x)≥ xc
g0 b0
b1g1
b2
bM−1
g2
gM−1
GON(GM(λ ,x)) = 2−1 ·b1 +2−2 ·b2 + . . .+2−(n−1) ·bn−1
GON for the logistic map
0 0.2 0.4 0.6 0.8 10
0.2
0.4
0.6
0.8
1
x
GO
N(P
f λn(x
))
λ=3.4
GON for the logistic map
0 0.2 0.4 0.6 0.8 10
0.2
0.4
0.6
0.8
1
x
GO
N(P
f λn(x
))
λ=3.6
GON for the logistic map
0 0.2 0.4 0.6 0.8 10
0.2
0.4
0.6
0.8
1
x
GO
N(P
n f λ(x))
λ=3.8
GON for the logistic map
0 0.2 0.4 0.6 0.8 10
0.2
0.4
0.6
0.8
1
x
GO
N(P
f λn(x
))
λ=4
GON for the logistic map and x0 = fλ(xc)
3 3.2 3.4 3.6 3.8 40.65
0.7
0.75
0.8
0.85
0.9
0.95
1G
ON
(Pf λn(f
λ(xc))
)
λ
GON for the logistic map and x0 = fλ(xc)
Binary sequence of length N
Sliding window of length M and compute GON
Estimation of λ through a binary search from the maximum GON
GONM(λ , λ
4 ) = GONmax
Estimation of x0 using the estimation of λ and the binary sequence
Chosen-ciphertext attack
Ask for the decryption of w · i
0 returns the first w bits,w the following w bits, . . .
GM(x0,λ )⇒ λ ,x0
Parameter estimation error
0 2 4 6 8 10
x 105
10−12
10−10
10−8
10−6
10−4
c es
timat
ion
erro
r (L
ogar
ithm
ic s
cale
)
M
Error in the estimation of the initialcondition
10 20 30 40 50 6010
−20
10−15
10−10
10−5
100
x 0 est
imat
ion
erro
r (L
ogar
ithm
ic s
cale
)
N
David Arroyo et al.,“Cryptanalysis of a new chaotic
cryptosystem based on ergodicity,”International Journal of ModernPhysics B, 2009, 23, 651-659
1
Why?
2
How?
Criticalcontexts
Searching based chaotic ciphers: unimodal maps
3
Design Rules 3
Previous attack only works if
GONM(λ , fλ(xc))
depends on
on the control parameter
Is the cryptosystem secure
if the logistic map
is replaced by
the skew tent map?
David Arroyo et al., “Estimationof the control parameter from
symbolic sequences: Unimodalmaps with variable critical point,”
Chaos, 2009, 19, Art. No. 023125
λ can be estimatedfrom the PDF oforder patterns
xi+i = f (xi)
[x0,x1,x2, . . . ,xL−1]
π(x0) = [π0,π1, . . . ,πL−1]
πi permutation |πi 7→ i
f π0(x0) < f π1(x0) < · · ·< f πL−1(x0)
xi+1
xi
f : [0,1]→ [0,1],xi+1 = f (xi) =
{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1
0 1
xi+1
xi
[0.31225,
f : [0,1]→ [0,1],xi+1 = f (xi) =
{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1
0 1
xi+1
xi
[0.31225,
f : [0,1]→ [0,1],xi+1 = f (xi) =
{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1
0 1
xi+1
xi
[0.31225,0.6245
f : [0,1]→ [0,1],xi+1 = f (xi) =
{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1
0 1
xi+1
xi
[0.31225,0.6245
f : [0,1]→ [0,1],xi+1 = f (xi) =
{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1
0 1
xi+1
xi
[0.31225,0.6245,0.751,
f : [0,1]→ [0,1],xi+1 = f (xi) =
{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1
0 1
xi+1
xi
[0.31225,0.6245,0.751,
f : [0,1]→ [0,1],xi+1 = f (xi) =
{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1
0 1
xi+1
xi
[0.31225,0.6245,0.751,0.498]
f : [0,1]→ [0,1],xi+1 = f (xi) =
{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1
0 1
xi+1
xi
[0.31225,0.6245,0.751,0.498]⇒ π(0.31225) = [0,3,1,2]
f : [0,1]→ [0,1],xi+1 = f (xi) =
{2xi , 0 < xi < 0.52(1−xi), 0.5≥ xi < 1
0 1
The intersections between
f 0(x), f 1(x), . . . , f L−1(x)
determine intervals
with initial conditions
leading to the same order pattern
0 0.2 0.4 0.6 0.8 10
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
f0(x)f1(x)
f2(x)f3(x)
Order patterns
can be used to assign a partition
to the definition domain
fλ : I→ I, I ⊂ R, λ ∈ J ⊂ R
Pπ = {x ∈ I : x generates the order pattern π}
Pπ depends on λ through fλ
xi+1
xi
Skew tent map: xi+1 =
{xi/λ , 0 < xi < λ
(1−xi)/(1−λ ), λ ≥ xi < 1
λ
0 1
0 0.2 0.4 0.6 0.8 10
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
λ
f λ (k) (x
)
fλ(1)(x)
fλ(2)(x)
fλ(3)(x)
fλ(0)(x)
[0,1,2,3]
�
[0,1,3,2]
�[0,3,1,2]
�[3,0,1,2]
�
[0,3,1,2]
�
[0,2,1,3]
�[2,3,0,1]
�
[2,0,3,1]
�
[2,0,1,3]
�[3,1,0,2]
�[1,3,2,0]
�
[1,2,3,0]
�
[1,2,0,3]
�[1,2,3,0]�
0 0.2 0.4 0.6 0.8 10
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
λ
f λ (k) (x
)
fλ(3)(x)
fλ(2)(x)
fλ(1)(x)
fλ(0)(x)
[0,1,2,3]
�
[0,1,3,2]
�
[0,3,1,2]
�[3,0,1,2]
�[0,3,1,2]
�
[0,2,1,3]
�
[2,0,3,1]
�[2,3,0,1]
�
[2,0,3,1]
�
[2,0,1,3]
�
[3,1,0,2]
�[1,3,2,0]
�[1,2,3,0]�[1,2,0,3]
[1,2,3,0]
�
Order pattern [0,1, . . . ,L−1]
determined by the
leftmost intersection
of the iterates f L−2λ
and f L−1λ
fλ ergodic with invariant measure µ
Ofλ (x) = {f n(x) : n ∈N∪{0}}
Ofλ (x) visits Pπ withrelative frequency µ(Pπ)
Orbit of length M
Sliding window of width L
M−L+1 order L-patterns
Compute the relative fre-quency of each order pattern
For some fλ(x)
1-to-1 relation between
the relative frequency
of some order pattern
and the control parameter λ
Skew tent map
f nλ(x) =
{x/λ n, if 0≤ x ≤ λ n
(λ n−1−x)/λ n−1(1−λ ), if λ n ≤ x ≤ λ n−1
P[0,1,...,L−1] = (0,φL(λ )), with
φL(λ ) =λ L−2
2−λ
L = 4⇒ φ4 = λ 2
2−λ
0 0.2 0.4 0.6 0.8 10
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
λ
Ord
er p
atte
rn fr
eque
ncy
Skew tent map
Unimodal map
x1 < x2⇒G(x1)≤G(x2)
Order patterns from “coarse-grained” orbits
Error in the estimation of λ
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 110
−4
10−3
10−2
λ
Mea
n er
ror
valu
e (L
ogar
ithm
ic s
cale
)
Finite precision arithmetics
Digital degradation of dynamics
Non-perfect recovery of λ
1
Why?
2
How?
Criticalcontexts
3
Design Rules 3
Digital chaos-based cryptosystem
Encryption architecture
Stream cipher
Linear complexity
Correlation attacks
. . .
Block cipher
Differential attack
Linear attacks
. . .
Chaotic map
Loss of chaoticity
Bijections in entropy measures
Leaking of the underlying order
Defective probability distribution
Design rules I
1 Assure the chaotic behavior of theunderlying dynamical systems
2 Guarantee avalanche effect3 High level of entropy without leaking of
the values of control parameters4 Definition of the ciphertext avoiding the
reconstruction of the underlying chaoticdynamics
Design rules II
5 Chaotic maps with flat histograms andwidth of the phase space independent ofthe control parameters
6 Selection of chaotic maps with highsensitivity to control parameter mismatch
7 The number of iterations of chaotic mapscan not be part of the key
0 50 1000
50
100
150Control parameter a=3.8204607418
Tim
e in
sec
onds
n × j
0 50 1000
50
100
150Control parameter a=3.8294707872
Tim
e in
sec
onds
n × j
0 50 1000
50
100
150Control parameter a=3.8743936381
Tim
e in
sec
onds
n × j0 50 100
0
50
100
150Control parameter a=3.9771765651
Tim
e in
sec
onds
n × j
j=1
j=2
j=3
David Arroyo et al.,“On the security of a new image
encryption scheme based onchaotic map lattices,” Chaos,2008, 18, Art. No. 033112
SCI
Chaos-basedcryptography 5
Unimodalmaps 7
CONFERENCES
International 8
National 8
Future work
Problems detected in unimodal maps
Multimodal maps
Discrete chaos
Other sources of chaos
Chaotic map
Encryptionarchitecture
Practicalimplementation
Design ofchaos-based cryptosystems
needs of cryptography+
analysis of chaotic dynamics
Framework for the analysis and designof encryption strategies
based on discrete-timechaotic dynamical systems
http://hdl.handle.net/10261/15668