\documentclass{elsart}

\usepackage{graphicx,color}

\usepackage{amssymb,amsmath,bm}
\usepackage{cite}
\usepackage{url}

\newtheorem{proposition}{Proposition}

\begin{document}

\newlength\figwidth
\setlength\figwidth{0.5\columnwidth}
\newlength\imgwidth
\setlength\imgwidth{0.3\columnwidth}

\begin{frontmatter}
\title{Cryptanalysis of a computer cryptography scheme based on a filter bank}
\author[Spain]{David Arroyo\corauthref{corr}},
\author[hk-cityu]{Chengqing Li},
\author[germany]{Shujun Li} and
\author[Spain]{Gonzalo Alvarez}
\corauth[corr]{Corresponding author: David Arroyo
(david.arroyo@iec.csic.es).}
\address[Spain]{Instituto de F\'{\i}sica Aplicada, Consejo Superior de
Investigaciones Cient\'{\i}ficas, Serrano 144, 28006 Madrid,
Spain}
\address[hk-cityu]{Department of Electronic Engineering, City University of Hong Kong,
83 Tat Chee Avenue, Kowloon Tong, Hong Kong SAR, China}
\address[germany]{FernUniversit\"{a}t in Hagen, Lehrgebiet Informationstechnik, Universit\"{a}tsstra{\ss}e 27, 58084 Hagen, Germany}

\begin{abstract}
This paper analyzes the security of a recently-proposed signal
encryption scheme based on a filter bank. A very critical weakness
of this new signal encryption procedure is exploited in order to
successfully recover the associated secret key.
\begin{keyword}
Chaotic encryption, logistic map, known-plaintext attack,
cryptanalysis \PACS 05.45.Ac, 47.20.Ky.
\end{keyword}
\end{abstract}
\end{frontmatter}

\section{Introduction}

The application of chaotic systems to cryptography has
been a very important research topic since the 1990s
\cite{liThesis,Alvarez:Survey:ICCST99,kocarev2001a,yang04}. This
interest was motivated by the close similarities between some
properties of chaotic systems and some characteristics of
well-designed cryptosystems \cite[Table~1]{Alvarez06a}.
Nevertheless, there exist security defects in some chaos-based
cryptosystems such that they can be partially or totally broken
\cite{Alvarez:BreakingHenon:CSF2004,Alvarez:BreakingCPM:CSF2004,Alvarez:Improved:CSF2004,AlvarezLi:BreakingPS:2005,Li:BreakingBuWang:CSF2005,Alvarez:DeniableAuthentication:CSF2005}.

In \cite{ling07} the encryption procedure is carried out by
decomposing the input plaintext signal into two different subbands
and masking each of them with a pseudo-random number sequence
generated by iterating the chaotic logistic map. The decomposition
of the input plaintext signal $x[n]$ is driven by

\begin{eqnarray}
t_0[n]&=&K_0\sum_{\forall m}x[m]h_0[2n-m],\\
t_1[n]&=&K_1\sum_{\forall m}x[m]h_1[2n-m],
\end{eqnarray}
where $h_0, h_1$ are so-called ``analysis filters'' and $K_0$, $K_1$
are gain factors.

Then, the masking stage generates the ciphertext signal
$(v_0[n],v_1[n])$ according to the following equations:
\begin{eqnarray}
v_0[n] &=& t_0[n]+\alpha_0(t_1[n]),\label{equation:v0}\\
v_1[n] &=& t_1[n] -\alpha_1(v_0[n]),\label{equation:v1}
\end{eqnarray}
where $\alpha_i(u)=u+s_i[n]$ and $s_i[n]$ is the state variable of a
logistic map with control parameter $\lambda_i\in(3,4)$ defined as
follows\footnote{In \cite{ling07}, the authors use $x_i$ to denote
the state variable of the logistic map. However, this nomenclature
may cause confusion because the plaintext signal is denoted by $x$.
Therefore, we use another letter, $s$. In addition, we unify
the representation of $x_i(k)$ to be in the form $s_i[n]$ because
all other signals are in the latter form.}
\begin{equation}
s_i[n]=\lambda_i s_i[n-1](1-s_i[n-1]).\label{equation:alfa}
\end{equation}
Substituting $\alpha_i(u)=u+s_i[n]$ into Eqs.~(\ref{equation:v0})
and (\ref{equation:v1}), we have
\begin{eqnarray}
v_0[n] &=& (t_0[n]+t_1[n])+s_0[n],\label{equation:v0b}\\
v_1[n] &=& (t_1[n]-v_0[n])-s_1[n].\label{equation:v1b}
\end{eqnarray}

The secret key of the cryptosystem is composed of the initial
conditions and the control parameters of the two logistic maps
involved, i.e., $s_0[0]$, $s_1[0]$, $\lambda_0$ and $\lambda_1$.

The decryption procedure is carried out by doing
\begin{eqnarray}
t_1[n] &=& v_1[n] + \alpha_1(v_0[n]),\\
t_0[n] &=& v_0[n] - \alpha_0(t_1[n]).
\end{eqnarray}
Then, the plaintext signal is recovered with the following filtering
operations:
\begin{equation}
\tilde{x}[n]=\frac{1}{K_0}\sum_{\forall
m}t_0[m]f_0[n-2m]+\frac{1}{K_1}\sum_{\forall m}t_1[m]f_1[n-2m],
\end{equation}
where $f_0,f_1$ are so-called ``synthesis filters''. To ensure the
correct recovery of the plaintext signal, the analysis and synthesis
filters must satisfy a certain requirement as shown in Eq.~(8) of
\cite{ling07}. The reader is referred to \cite{ling07} for more
information about the inner workings of the cryptosystem.

This paper focuses on the security analysis of the above
cryptosystem. The next section points out a security problem
concerning the reduction of the key space. Section~\ref{section:attack}
discusses how to recover the secret key of the cryptosystem by a
known-plaintext attack. The last section gives the conclusion.

\section{Reduction of the key space}
\label{section:considerations}

As pointed out in \cite[Rule 5]{Alvarez06a}, the key of
a chaotic cryptosystem should avoid non-chaotic areas. In
\cite{ling07} it is claimed that the key space of the cryptosystem
under study is given by the set of values $\lambda_i$ and $s_i[0]$
satisfying $3<\lambda_i<4$ and $0<s_i[0]<1$ for $i=0,1$. However,
when looking at the bifurcation diagram of the logistic map
(Fig.~\ref{figure:logBif}), it is obvious that not all candidate values of
$\lambda_i$ and $s_i[0]$ are valid to ensure the chaoticity of the
logistic map. There are periodic windows which have to be avoided by
carefully choosing $\lambda_i$. As a consequence, the available key
space is drastically reduced.

\begin{figure}
\centering
\includegraphics{logBif.eps}
\caption{Bifurcation diagram of the logistic map}
\label{figure:logBif}
\end{figure}

\section{Known-plaintext attack}
\label{section:attack}

In a known-plaintext attack the cryptanalyst possesses a plaintext
signal $\{x[n]\}$ and its corresponding encrypted subband signals
$\{v_0[n]\}$ and $\{v_1[n]\}$. Because $\{h_0[n]\}$, $\{h_1[n]\}$,
$K_0$ and $K_1$ are public, we can get $\{t_0[n]\}$ and $\{t_1[n]\}$
from $\{x[n]\}$. Then we can get the values of $\{s_0[n]\}$ and
$\{s_1[n]\}$ as follows:
\begin{eqnarray}
s_0[n] & = & v_0[n]-t_0[n]-t_1[n],\\
s_1[n] & = & t_1[n]-v_0[n]-v_1[n].
\end{eqnarray}

For $n=0$, the values of the subkeys $s_0[0]$ and $s_1[0]$ have been
obtained. Furthermore, we can obtain the control parameters by just
doing the following operations for $i=0,1$:
\begin{equation}
\lambda_i=\frac{s_i[n+1]}{s_i[n](1-s_i[n])}.\label{eq:RecoverParameter}
\end{equation}
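
The key recovery above, carried through in double-precision floating point as an added example (it is not code from this paper or from \cite{ling07}). The Haar analysis filters, the unit gains, the key and the plaintext samples are constructed assumptions.

```python
import math

# Assumed public parameters (constructed for this example, not from the paper).
H0 = [1 / math.sqrt(2), 1 / math.sqrt(2)]    # Haar low-pass analysis filter
H1 = [1 / math.sqrt(2), -1 / math.sqrt(2)]   # Haar high-pass analysis filter
K0, K1 = 1.0, 1.0                            # gain factors

def analysis(x, h, gain):
    """t[n] = gain * sum_m x[m] h[2n-m]: filter, then keep every second sample."""
    n_out = (len(x) + len(h)) // 2
    return [gain * sum(x[m] * h[2 * n - m] for m in range(len(x))
                       if 0 <= 2 * n - m < len(h))
            for n in range(n_out)]

def logistic(s0, lam, count):
    """s[0] = s0, s[n] = lam * s[n-1] * (1 - s[n-1])."""
    seq = [s0]
    while len(seq) < count:
        seq.append(lam * seq[-1] * (1 - seq[-1]))
    return seq

def encrypt(x, key):
    """v0 = (t0 + t1) + s0 and v1 = (t1 - v0) - s1, as in the substituted equations."""
    s00, s10, lam0, lam1 = key
    t0, t1 = analysis(x, H0, K0), analysis(x, H1, K1)
    s0, s1 = logistic(s00, lam0, len(t0)), logistic(s10, lam1, len(t1))
    v0 = [a + b + s for a, b, s in zip(t0, t1, s0)]
    v1 = [b - c - s for b, c, s in zip(t1, v0, s1)]
    return v0, v1

def recover_key(x, v0, v1):
    """Known-plaintext recovery of (s0[0], s1[0], lambda0, lambda1)."""
    t0, t1 = analysis(x, H0, K0), analysis(x, H1, K1)     # public transform
    s0 = [v - a - b for v, a, b in zip(v0, t0, t1)]       # s0 = v0 - t0 - t1
    s1 = [b - c - d for b, c, d in zip(t1, v0, v1)]       # s1 = t1 - v0 - v1
    lam0 = s0[1] / (s0[0] * (1 - s0[0]))                  # parameter equation, n = 0
    lam1 = s1[1] / (s1[0] * (1 - s1[0]))
    return s0[0], s1[0], lam0, lam1

# Constructed secret key and known plaintext.
KEY = (0.3141, 0.2718, 3.91, 3.77)
PLAINTEXT = [0.3, -0.7, 0.5, 0.1, -0.2, 0.9, 0.4, -0.6]
V0, V1 = encrypt(PLAINTEXT, KEY)
RECOVERED = recover_key(PLAINTEXT, V0, V1)
```

Only the first two samples of each subband are used, so with these length-2 filters three plaintext samples already determine the whole key.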

In \cite{ling07}, the authors did not discuss the finite-precision
implementation of the cryptosystem on
computers. If floating-point arithmetic is used, then the value
of $\lambda_i$ can be estimated very accurately. It was
experimentally verified that the error for the estimation of
$\lambda_i$ using Eq.~(\ref{eq:RecoverParameter}), and working with
floating-point precision, was never greater than $4\cdot 10^{-12}$.
If fixed-point arithmetic is adopted, the deviation of the
parameter $\lambda_i$ estimated with
Eq.~(\ref{eq:RecoverParameter}) from the real $\lambda_i$ may be
very large. Fortunately, according to
Proposition~\ref{proposition} \cite[Proposition 2]{Li:AttackingRCES2007}, the
error is limited to $2^4/2^L$ (which means only $2^4$ possible
candidate values to be further guessed) when $s[n+1]\geq 0.5$.

\begin{proposition}\label{proposition}
Assume that the logistic map $s[n+1]=\lambda\cdot s[n]\cdot(1-s[n])$
is iterated with $L$-bit fixed-point arithmetic and that $s[n+1]\geq
2^{-i}$, where $1\leq i\leq L$. Then, the following inequality
holds: $|\lambda-\widetilde{\lambda}|\leq 2^{i+3}/2^L$, where
$\widetilde{\lambda}=\dfrac{s[n+1]}{s[n]\cdot(1-s[n])}$.
\end{proposition}
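
A numerical check of the bound in Proposition~\ref{proposition}, followed by the candidate search it permits, as an added example (not code from this paper or from \cite{Li:AttackingRCES2007}). The arithmetic model is an assumption: $L=32$ fractional bits with each product truncated; the parameter and initial state are constructed.

```python
from fractions import Fraction

L = 32                       # fractional bits (assumed word length)
ONE = 1 << L                 # fixed-point representation of 1.0

def step(lam_fx, s_fx):
    """One logistic iteration; each product is truncated to L fractional bits."""
    p = (lam_fx * s_fx) >> L
    return (p * (ONE - s_fx)) >> L

def orbit(lam_fx, s_fx, count):
    seq = [s_fx]
    for _ in range(count - 1):
        seq.append(step(lam_fx, seq[-1]))
    return seq

def estimate(seq, n):
    """lambda~ = s[n+1] / (s[n] (1 - s[n])) as an exact rational."""
    return Fraction(seq[n + 1] * ONE, seq[n] * (ONE - seq[n]))

def bound_holds(lam_fx, seq):
    """Check |lambda - lambda~| <= 2^(i+3) / 2^L at every usable n."""
    for n in range(len(seq) - 1):
        if seq[n + 1] == 0:
            continue                                   # no i with s[n+1] >= 2^-i
        i = L - seq[n + 1].bit_length() + 1            # smallest i with s[n+1] >= 2^-i
        err = abs(Fraction(lam_fx, ONE) - estimate(seq, n))
        if err > Fraction(1 << (i + 3), ONE):
            return False
    return True

def recover_lambda(seq):
    """Keep the candidates near lambda~ that reproduce every observed transition."""
    n = next(k for k in range(len(seq) - 1) if seq[k + 1] >= ONE // 2)   # i = 1
    centre = int(estimate(seq, n) * ONE)
    window = 1 << 4                                    # 2^(i+3) with i = 1
    return [c for c in range(centre - window, centre + window + 1)
            if all(step(c, seq[k]) == seq[k + 1] for k in range(len(seq) - 1))]

# Constructed parameter and initial state, in fixed point.
LAM_FX = int(3.91 * ONE)
S0_FX = int(0.3141 * ONE)
ORBIT = orbit(LAM_FX, S0_FX, 200)
CANDIDATES = recover_lambda(ORBIT)
```

Each surviving candidate is consistent with all observed states, so checking against more samples of $s[n]$ is what narrows the small window down to the true parameter.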

\section{Conclusion}
\label{section:conclusions}

In this paper we have analyzed the security properties of the
cryptosystem proposed in \cite{ling07}. It has been shown that there
exists a great number of weak keys derived from the fact that the
logistic map is not always chaotic. In addition, the cryptosystem is
very weak against a known-plaintext attack in the sense that the
secret key can be totally recovered using a very short plaintext.
Consequently, the cryptosystem introduced in \cite{ling07} should be
discarded as a secure way of exchanging information.

\section*{Acknowledgments}
The work described in this paper was partially supported by
Minis\-terio de Educaci\'on y Ciencia of Spain, Research Grant
SEG2004-02418. Shujun Li was supported by the Alexander von Humboldt
Foundation, Germany.

\bibliographystyle{elsart-num}
\bibliography{database}
\end{document}