cs0501013/DSEA.tex
\documentclass{elsart}

\usepackage{graphicx,color}

\usepackage{natbib}
\usepackage{amssymb,amsmath,bm}

\newtheorem{theorem}{Theorem}
\newenvironment{proof}{\noindent\textit{Proof}: }{\hfill$\blacksquare$\vskip 0.5\baselineskip}

\newlength\figwidth
\setlength\figwidth{0.4\textwidth}

\begin{document}

\begin{frontmatter}

\title{On the security of the Yen-Guo's domino signal encryption algorithm
(DSEA)}
\thanks{This paper has been published in \textit{Journal of Systems
and Software}, vol. 79, no. 2, pp. 253-258, 2006.}

\author[cn]{Chengqing Li},
\ead{zjulcq@hotmail.com}
\author[hk]{Shujun Li\corauthref{corr}}
\ead{hooklee@mail.com}
\author[tw]{Der-Chyuan Lou} and
\ead{dclou@ccit.edu.tw}
\author[cnn]{Dan Zhang}
\ead{zhangdan@etang.com}

\address[cn]{Department of Mathematics, Zhejiang University, Hangzhou 310027, China}
\address[hk]{Department of Electronic Engineering, City University of Hong Kong,
83 Tat Chee Avenue, Kowloon Tong, Hong Kong, China}
\address[tw]{Department of Electrical Engineering, Chung
Cheng Institute of Technology, National Defense University,
Taiwan, China}
\address[cnn]{College of Computer Science, Zhejiang University, Hangzhou 310027, China}

\corauth[corr]{The corresponding author, personal web site:
\texttt{http://www.hooklee.com}.}

\begin{abstract}
Recently, a new domino signal encryption algorithm (DSEA) was
proposed for digital signal transmission, especially for digital
images and videos. This paper analyzes the security of DSEA and
points out the following weaknesses: 1) its security against the
brute-force attack was overestimated; 2) it is not sufficiently
secure against ciphertext-only attacks, and only one ciphertext is
enough to get some information about the plaintext and to break
the value of a sub-key; 3) it is insecure against
known/chosen-plaintext attacks, in the sense that the secret key
can be recovered from a number of continuous bytes of only one
known/chosen plaintext and the corresponding ciphertext.
Experimental results are given to show the performance of the
proposed attacks, and some countermeasures are discussed to
improve DSEA.
\end{abstract}
\begin{keyword}
DSEA \sep dominos \sep cryptanalysis \sep encryption \sep
ciphertext-only attack \sep known-plaintext attack \sep
chosen-plaintext attack
\end{keyword}

\end{frontmatter}

\section{Introduction}

In today's networked world, security issues are becoming more and
more important, so various encryption algorithms have been developed
to fulfill the needs of different applications
\citep{Schneier:AppliedCryptography96}. In recent years, Yen and Guo
et al. proposed a series of chaos-based\footnote{Chaos is a
dynamical phenomenon demonstrated in many dynamical systems
\citep{Devaney:Chaos, HaoBailin:ChaoticDynamics}. Due to the tight
relationship between chaos and cryptography, chaotic systems have
been used to design encryption schemes since the 1990s. For a survey
of digital chaotic ciphers, see \citep[Chap. 2]{Li:Dissertation2003}.}
signal/image encryption schemes \citep[Sec.
4.4.3]{Li:ChaosImageVideoEncryption:Handbook2004}, some of which
have been broken according to the works reported in
\citep{ShujunLi:AttackCKBA:ISCAS2002, ShujunLi:AttackBRIE:ICIP2002,
Li:AttackingMES2004, Li:AttackingCNN2004, Li:AttackingRCES2004,
Li:AttackTDCEA2004}. The present paper gives the cryptanalysis
results on a new Yen-Guo encryption scheme called DSEA
\citep{Yen-Guo:DSEA:JCIEE2003}, which has not been cryptanalyzed
before.

DSEA encrypts the plaintext block by block, where each block is
composed of multiple bytes. The first byte of each block is masked by
part of the secret key, and the other bytes are masked by the
previous cipher-byte, under the control of a chaotic pseudo-random
bit sequence (PRBS). That is to say, DSEA works like dominoes. This
paper analyzes the security of DSEA and points out the following
defects: 1) its security against the brute-force attack was
overestimated; 2) it is not sufficiently secure against
ciphertext-only attacks, and only one ciphertext is enough to get
some information about the plaintext and to break the value of a
sub-key; 3) it is insecure against known/chosen-plaintext attacks,
in the sense that the secret key can be recovered from a number of
continuous bytes of only one known/chosen plaintext and the
corresponding ciphertext.

The rest of this paper is organized as follows. At first,
Sec.~\ref{sec:DSEA} gives a brief introduction to DSEA. Then, the
cryptanalysis results are presented in detail in
Sec.~\ref{sec:Cryptanalysis}, with some experimental results.
Section~\ref{sec:ImprovingDSEA} discusses how to improve DSEA. The
last section concludes the paper.

\section{Domino Signal Encryption Algorithm (DSEA)}
\label{sec:DSEA}

Assume that the plaintext is $g=\{g(n)\}_{n=0}^{M-1}$ and that the
ciphertext is $g'=\{g'(n)\}_{n=0}^{M-1}$, where $g(n)$ and $g'(n)$
denote the $n$-th plain-byte and cipher-byte, respectively. Then,
the encryption procedure of DSEA can be described as follows (see
also Fig.~\ref{figure:DSEA}).

\begin{itemize}
\item\emph{The secret key}: two integers, $L\in\{1,\cdots,M\}$ and
$initial\_key\in\{0,\cdots,255\}$, together with the control
parameter $\mu$ and the initial condition $x(0)$ of the following
chaotic Logistic map \citep{Devaney:Chaos, HaoBailin:ChaoticDynamics}:
\begin{equation}
x(k+1)=\mu\cdot x(k)\cdot(1-x(k)).
\end{equation}

\item\emph{The initialization procedure}: under 8-bit finite
computing precision, run the Logistic map from $x(0)$ to generate a
chaotic sequence $\{x(k)\}_{k=0}^{\lceil M/8\rceil-1}$, and then
extract the 8 significant bits of each $x(k)$ to yield a PRBS
$\{b(n)\}_{n=0}^{M-1}$, where $x(k)=\sum_{i=0}^7\left(b_{8k+i}\cdot
2^{-(i+1)}\right)=0.b_{8k+0}\cdots b_{8k+7}$.

\item \emph{The encryption procedure}: for $n=0\sim M-1$, do
\[
g'(n)=
\begin{cases}
g(n)\oplus true\_key, & b(n)=1,\\
g(n)\oplus \overline{true\_key}, & b(n)=0,
\end{cases}
\]
where
\[ true\_key=
\begin{cases}
initial\_key, & n\bmod L=0,\\
g'(n-1), & n\bmod L\neq 0,
\end{cases}
\]
and $\oplus$ denotes the bitwise XOR operation.
\end{itemize}

\begin{figure}
\centering
\includegraphics[width=0.7\textwidth]{DSEA_Cipher}
\caption{The diagrammatic view of the encryption procedure of
DSEA.}\label{figure:DSEA}
\end{figure}

The decryption procedure is identical to the encryption procedure
above, since XOR is its own inverse: applying the same mask to a
cipher-byte gives back the plain-byte.

\section{Cryptanalysis}
\label{sec:Cryptanalysis}

\subsection{Brute-force attack}

The brute-force attack exhaustively searches for the secret key over
the set of all possible keys
\citep{Schneier:AppliedCryptography96}. Obviously, the attack
complexity is determined by the size of the key space and the
complexity of verifying each key. The secret key of DSEA is $(L,
initial\_key, \mu, x(0))$, which has $M\cdot 2^{3\cdot 8}=M\cdot
2^{24}$ possible values. Taking the complexity of verifying each key
into consideration, the total complexity of searching all
possible keys is $O\left(2^{24}\cdot M^2\right)$. When the plaintext
is a typical image of size $256\times 256$, the complexity is
$O(2^{56})$, which is much smaller than $O(2^M \cdot M)=O(2^{65552})$,
the complexity claimed in \citep{Yen-Guo:DSEA:JCIEE2003}. Note that
the real complexity is even smaller, since not all values of $\mu$
ensure the chaoticity of the Logistic map \citep{Devaney:Chaos,
HaoBailin:ChaoticDynamics}. That is, the security of DSEA against
brute-force attacks was greatly overestimated in
\citep{Yen-Guo:DSEA:JCIEE2003}. In today's digitized and networked
world, a complexity of order $O(2^{128})$ is required for a
cryptographically-strong cipher
\citep{Schneier:AppliedCryptography96}, which means DSEA is not
practically secure.

\subsection{Ciphertext-only attacks}
\label{sec:CiphertextOnlyAttack}

Ciphertext-only attacks are attacks in which one can access a set
of ciphertexts \citep{Schneier:AppliedCryptography96}. Since the
transmission channel is generally insecure, security against
ciphertext-only attacks is required for any cipher. However, it is
found that DSEA is not sufficiently secure against ciphertext-only
attacks, since much information about the plaintext and the secret
key can be found from even one ciphertext.

Given an observed ciphertext $g'$, generate two mask texts,
$g_0^*$ and $g_1^*$, as follows: $g_0^*(0)=0$, $g_1^*(0)=0$, and
$\forall\; n=1\sim M-1$, $g_0^*(n)=g'(n)\oplus \overline{g'(n-1)}$,
$g_1^*(n)=g'(n)\oplus g'(n-1)$. From the encryption procedure of
DSEA, it can be easily verified that the following result holds
when $n \bmod L\neq 0$:
\begin{equation}
g(n)=\begin{cases}
g_0^*(n), & b(n)=0,\\
g_1^*(n), & b(n)=1,
\end{cases}
\end{equation}
which means that $g(n)$ is equal to either $g_0^*(n)$ or
$g_1^*(n)$. Assuming that each chaotic bit is uniformly distributed
over $\{0,1\}$, one can deduce that the percentage of right
plain-pixels in $g_0^*$ and $g_1^*$ is not less than
$\frac{L-1}{L}\cdot\frac{1}{2}=\frac{1}{2}-\frac{1}{2L}$. When $L$
is large, about half of the pixels in $g_0^*$ and $g_1^*$ are
plain-pixels of $g$, and it is expected that some visual
information of the plain-image can be distinguished from $g_0^*$
and $g_1^*$.

To verify the above idea, the $256\times 256$ image ``Lenna'' has
been encrypted, and $g_0^*$ and $g_1^*$ have been generated, with
the following secret parameters: $L=15$, $initial\_key=170$,
$\mu=251/2^6\approx 3.9219$, $x(0)=69/2^8\approx 0.2695$. The
experimental results are shown in
Fig.~\ref{figure:CiphertextOnlyAttack}. In $g_0^*$ there are 27726
pixels that are identical to those in $g$, and in $g_1^*$ there are
33461 such pixels. Observing
Figs.~\ref{figure:CiphertextOnlyAttack}c and d, one can see that
the plain-image roughly emerges from both $g_0^*$ and $g_1^*$.

\begin{figure}[!htb]
\centering
\begin{minipage}[t]{\figwidth}
\centering
\includegraphics[width=\textwidth]{lenna}
a) The plain-image $g$
\end{minipage}
\begin{minipage}[t]{\figwidth}
\centering
\includegraphics[width=\textwidth]{lenna_e}
b) The cipher-image $g'$
\end{minipage}\\
\begin{minipage}[t]{\figwidth}
\centering
\includegraphics[width=\textwidth]{lenna_d0}
c) The mask image $g_0^*$
\end{minipage}
\begin{minipage}[t]{\figwidth}
\centering
\includegraphics[width=\textwidth]{lenna_d1}
d) The mask image $g_1^*$
\end{minipage}
\caption{A ciphertext-only attack on DSEA.}
\label{figure:CiphertextOnlyAttack}
\end{figure}

In addition, from either $g_0^*$ or $g_1^*$, it is possible to
directly get the value of $L$ if there is a strong correlation
between adjacent bytes of the plaintext (speech and natural
images are good examples). This is due to the probability
difference between the following two kinds of plain-bytes:
\begin{itemize}
\item when $n\bmod L\neq 0$, $g_0^*(n)=g(n)$ and $g_1^*(n)=g(n)$
each hold with a probability of $\frac{1}{2}$;

\item when $n\bmod L=0$, $g_0^*(n)=g(n)$ and $g_1^*(n)=g(n)$ each
hold with a probability\footnote{Without loss of generality, it is
assumed that each cipher-byte is uniformly distributed in
$\{0,\cdots,255\}$.} of $\frac{1}{256}$: $g_0^*(n)=g(n)$ if and only
if $g'(n-1)=\overline{initial\_key}$; $g_1^*(n)=g(n)$ if and only if
$g'(n-1)=initial\_key$.
\end{itemize}
When there is a strong correlation between adjacent bytes, the
above probability difference implies that (with high probability)
there is a strong discontinuity around each position satisfying
$n\bmod L=0$. The fixed occurrence period of such discontinuous
bytes generates periodically-occurring straight lines in the
mask text when it is an image or displayed in 2-D mode, as shown in
Figs.~\ref{figure:CiphertextOnlyAttack}c and d. Then it is easy to
determine the occurrence period, i.e., the value of $L$, by checking
the horizontal distance between any two adjacent lines. To make the
straight lines clearer, one can calculate the differential images of
$g_0^*$ and $g_1^*$, as shown in Fig.~\ref{figure:DifferenceImages},
where the differential image of an image $g=\{g(n)\}_{n=0}^{M-1}$ is
defined as follows: $g_d(0)=g(0)$ and $\forall\;n=1\sim M-1$,
$g_d(n)=|g(n)-g(n-1)|$. Note that the two differential images of
$g_0^*$ and $g_1^*$ are identical according to the following
theorem (applied with $a=g'(n)$, $b=g'(n-1)$ and $c=g'(n-2)$), from
which one gets
$|g_0^*(n)-g_0^*(n-1)|=|(g'(n)\oplus\overline{g'(n-1)})-(g'(n-1)\oplus\overline{g'(n-2)})|
=|(g'(n)\oplus g'(n-1))-(g'(n-1)\oplus g'(n-2))|=|g_1^*(n)-g_1^*(n-1)|$.

\begin{figure}
\centering
\begin{minipage}[t]{\figwidth}
\centering
\includegraphics[width=\textwidth]{lenna_d0_diff}
a) $g_{d,0}^*$
\end{minipage}
\begin{minipage}[t]{\figwidth}
\centering
\includegraphics[width=\textwidth]{lenna_d1_diff}
b) $g_{d,1}^*$
\end{minipage}
\caption{The differential images of $g_0^*$ and $g_1^*$.}
\label{figure:DifferenceImages}
\end{figure}

\begin{theorem}
For any three $s$-bit integers, $a,b,c$, it is true that
$|(a\oplus b)-(b\oplus c)|=|(a\oplus\bar{b})-(b\oplus\bar{c})|$.
\end{theorem}
\begin{proof}
Introduce four new variables, $A=a\oplus b$, $B=b\oplus c$,
$A'=a\oplus\bar{b}$, $B'=b\oplus\bar{c}$. It can be easily
verified that $A'=\overline{A}$ and $B'=\overline{B}$, since
$a\oplus\bar{b}=a\oplus b\oplus b\oplus\bar{b}=a\oplus b\oplus
(2^s-1)=\overline{a\oplus b}$. That is, $(a\oplus b)-(b\oplus c)=A-B$
and $(a\oplus\bar{b})-(b\oplus\bar{c})=\overline{A}-\overline{B}$.
Let $A=(A_0\cdots A_{s-1})_2=\sum_{i=0}^{s-1}A_i\cdot 2^i$,
$B=(B_0\cdots B_{s-1})_2=\sum_{i=0}^{s-1}B_i\cdot 2^i$. Since
$\forall\; A_i,B_i\in\{0,1\}$, $A_i-B_i=\bar{B_i}-\bar{A_i}$, it
is obvious that $A-B=\sum_{i=0}^{s-1}(A_i-B_i)\cdot
2^i=\sum_{i=0}^{s-1}(\bar{B_i}-\bar{A_i})\cdot
2^i=\overline{B}-\overline{A}$. As a result,
$|(a\oplus b)-(b\oplus c)|=|A-B|=|\overline{B}-\overline{A}|=|\overline{A}-\overline{B}|=|(a\oplus\bar{b})-(b\oplus\bar{c})|$,
which completes the proof.
\end{proof}

\subsection{Known/chosen-plaintext attacks}
\label{subsec:KnownPlaintextAttacks}

Known/chosen-plaintext attacks are attacks in which one can
access/choose a set of plaintexts and observe the corresponding
ciphertexts \citep{Schneier:AppliedCryptography96}. In today's
networked world, such attacks occur more and more frequently. For a
cipher with a high level of security, resistance to both
known-plaintext and chosen-plaintext attacks is required. Although
it was claimed that DSEA can resist this kind of attack \citep[Sec.
IV.B]{Yen-Guo:DSEA:JCIEE2003}, we found that this claim is not true:
with a limited number of continuous plain-bytes of only one
known/chosen plaintext, one can completely break the secret key and
then decrypt the other unknown plain-bytes of the known/chosen
plaintext and any new ciphertexts encrypted with the same key.
Hence, even when the secret key is changed for each plaintext (as
mentioned in \citep[Sec. IV.B]{Yen-Guo:DSEA:JCIEE2003}), DSEA is
insecure against known/chosen-plaintext attacks. In the following,
we discuss how to break the four sub-keys one by one.

\textit{1) Breaking the sub-key $L$:} as mentioned above, once one
gets a ciphertext, one can easily deduce the value of $L$ by
observing the periodically-occurring straight lines in the two
constructed mask texts, $g_0^*$ and $g_1^*$. Furthermore, since
the plaintext is also known, it is possible to generate an
enhanced differential image, $g_d^*$, as follows: $g_d^*(0)=0$,
and $\forall\; n=1\sim M-1$,
\begin{equation}
g_d^*(n)=\begin{cases} 0, & g(n)\in\{g_0^*(n), g_1^*(n)\},\\
255, & g(n)\not\in\{g_0^*(n), g_1^*(n)\}.
\end{cases}
\end{equation}
See Fig.~\ref{figure:EnhancedDifferenceImage} for the enhanced
differential image corresponding to the cipher-image shown in
Fig.~\ref{figure:CiphertextOnlyAttack}b. Compared with
Fig.~\ref{figure:DifferenceImages}, one can see that the straight
lines become clearer.

\begin{figure}
\centering
\includegraphics[width=\figwidth]{diff}
\caption{The enhanced differential image $g_d^*$.}
\label{figure:EnhancedDifferenceImage}
\end{figure}

\textit{2) Breaking the $initial\_key$:} for all values of $n$
that satisfy $n\bmod L=0$, it is obvious that
\begin{equation}\label{equation:GetInitialKey}
initial\_key=
\begin{cases}
g(n)\oplus g'(n), & b(n)=1,\\
\overline{g(n)\oplus g'(n)}, & b(n)=0.
\end{cases}
\end{equation}

Note that it is possible to uniquely determine the value of
$initial\_key$ when there exist pixels satisfying $n\bmod L=0$ and
$g_d^*(n)=0$, i.e., $g(n)\in\{g_0^*(n),
g_1^*(n)\}=\left\{g'(n)\oplus \overline{g'(n-1)},g'(n)\oplus
g'(n-1)\right\}$. Considering $g'(n)=g(n)\oplus initial\_key$ (the
case $b(n)=1$), one can immediately deduce that
\begin{equation}\label{equation:GetInitialKey2}
initial\_key=
\begin{cases}
g'(n-1), & g(n)=g_1^*(n),\\
\overline{g'(n-1)}, & g(n)=g_0^*(n).
\end{cases}
\end{equation}

\textit{3) Breaking the chaotic PRBS and the other two sub-keys:}
once $L$ and $initial\_key$ have been determined, the chaotic
PRBS, $\{b(n)\}_{n=0}^{M-1}$, can be immediately derived as
follows:
\begin{itemize}
\item when $n \bmod L\neq 0$: if $g(n)=g_0^*(n)$ then $b(n)=0$,
else $b(n)=1$;

\item when $n \bmod L=0$: if $initial\_key=g(n)\oplus g'(n)$ then
$b(n)=1$, else $b(n)=0$.
\end{itemize}

Once $\{b(n)\}_{n=0}^{M-1}$ is uniquely determined, $x(0)=0.b(0)\cdots b(7)$
can be immediately recovered.

With 16 consecutive chaotic bits, $b(8k+0)\sim b(8k+15)$, one can
further derive two consecutive chaotic states,
$x(k)=0.b(8k+0)\cdots b(8k+7)$ and $x(k+1)=0.b(8k+8)\cdots
b(8k+15)$, and then derive an estimate of the sub-key $\mu$ as
\begin{equation}
\widetilde{\mu}=\frac{x(k+1)}{x(k)\cdot(1-x(k))}.
\end{equation}
Due to the quantization errors introduced by the finite-precision
arithmetic, generally $x(k+1)\neq\mu\cdot x(k)\cdot(1-x(k))$, so
$\widetilde{\mu}\neq\mu$. Fortunately, following the error analysis
of $\widetilde{\mu}$ in \citep[Sec. 3.2]{Li:AttackingCNN2004}, the
following result has been obtained: when $x(k+1)\geq 2^{-n}\;(n=1\sim
8)$, $|\widetilde{\mu}-\mu|<2^{n+3}\cdot 2^{-8}$. In particular, when
$x(k+1)\geq 2^{-1}=0.5$, $|\widetilde{\mu}-\mu|<2^4\cdot 2^{-8}$,
which means that one only needs to exhaustively search $2^4=16$ values
in the neighborhood of $\widetilde{\mu}$ to find the right value of
$\mu$. To verify which searched value is the right one, one can
iterate the Logistic map from $x(k+1)$ for several steps to get some
new chaotic states and then check whether these chaotic states
coincide with the corresponding recovered chaotic bits.

With the above steps, the whole secret key
$(L,initial\_key,\mu,x(0))$ can be recovered and then used for
decryption. For the plain-image ``Lenna'', the breaking result is
shown in Fig.~\ref{figure:KnownPlaintextAttack}. It can be
verified that the complexity of the known/chosen-plaintext attack
is only $O(M)$, which means that DSEA is completely broken.
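The cipher of Sec.~\ref{sec:DSEA}, the mask texts of Sec.~\ref{sec:CiphertextOnlyAttack} and the key-recovery steps above, as an added Python example (not the authors' code). It assumes a specific rounding rule for the 8-bit fixed-point Logistic map and MSB-first bit extraction, neither of which the paper fixes, and runs on a constructed sample encrypted with the key of the ``Lenna'' experiment.

```python
"""DSEA (Sec. 2), the mask texts of Sec. 3.2 and the known-plaintext key recovery
of Sec. 3.3, reconstructed as an added example (not the authors' code). Assumed,
since the paper leaves them open: the 8-bit fixed-point Logistic map is evaluated
as x -> (mu*x*(256-x)) >> 14, where x in 0..255 stands for x/256 and mu in 0..255
for mu/64 (the paper's mu=251/2^6 is mu=251); bits are extracted MSB first."""
from functools import reduce
from math import gcd

def logistic_prbs(x0, mu, nbits):
    """b(0..nbits-1): the 8 bits of each 8-bit Logistic-map state, MSB first."""
    bits, x = [], x0
    while len(bits) < nbits:
        bits.extend((x >> (7 - i)) & 1 for i in range(8))
        x = (mu * x * (256 - x)) >> 14          # assumed fixed-point mu*x*(1-x)
    return bits[:nbits]

def dsea(data, L, initial_key, prbs, decrypt=False):
    """Byte n is XORed with true_key if b(n)=1, with its complement if b(n)=0;
    true_key is initial_key at block starts, else the previous CIPHER byte."""
    out = bytearray()
    for n, v in enumerate(data):
        prev = data if decrypt else out         # where the previous cipher byte lives
        true_key = initial_key if n % L == 0 else prev[n - 1]
        out.append(v ^ (true_key if prbs[n] else true_key ^ 0xFF))
    return bytes(out)

def mask_texts(c):
    """g0*, g1* (Sec. 3.2): from the ciphertext alone; one of them equals g(n)
    wherever n mod L != 0."""
    g0 = bytes([0] + [c[n] ^ c[n - 1] ^ 0xFF for n in range(1, len(c))])
    g1 = bytes([0] + [c[n] ^ c[n - 1] for n in range(1, len(c))])
    return g0, g1

def recover_L(plain, c):
    """Step 1: g_d*(n)=255 only where neither mask text matches, i.e. (barring a
    2-in-256 accident) exactly at n mod L = 0; the gcd of those n is L."""
    g0, g1 = mask_texts(c)
    marks = [n for n in range(1, len(c)) if plain[n] not in (g0[n], g1[n])]
    return reduce(gcd, marks) if marks else None

def recover_prbs(plain, c, L, key):
    """Step 3: b(n) from the matching mask text, or from key == g(n)^g'(n) at block starts."""
    g0, _ = mask_texts(c)
    return [(1 if key == plain[n] ^ c[n] else 0) if n % L == 0
            else (0 if plain[n] == g0[n] else 1) for n in range(len(c))]

def recover_key(plain, c, window=16):
    """Steps 2-3: at n mod L = 0 the equation gives initial_key only up to its
    complement (which one depends on b(n)), so both candidates are tried; the one
    whose PRBS the Logistic map reproduces from x(0), for some mu near the estimate
    x(1)/(x(0)(1-x(0))), is accepted.  Returns (L, initial_key, mu, x0) or None."""
    L = recover_L(plain, c)
    k0 = plain[0] ^ c[0]                        # n = 0 is a block start
    for key in (k0, k0 ^ 0xFF):
        prbs = recover_prbs(plain, c, L, key)
        x0 = int("".join(map(str, prbs[0:8])), 2)   # x(0) = 0.b(0)...b(7)
        x1 = int("".join(map(str, prbs[8:16])), 2)  # x(1) = 0.b(8)...b(15)
        if x0 == 0:
            continue
        mu_est = round(x1 * 16384 / (x0 * (256 - x0)))   # mu~ in units of 2^-6
        for mu in range(max(0, mu_est - window), min(256, mu_est + window + 1)):
            if logistic_prbs(x0, mu, len(prbs)) == prbs:  # coincidence check
                return L, key, mu, x0
    return None

# Constructed sample: the paper's key (L=15, initial_key=170, mu=251/2^6, x0=69/2^8);
# the plaintext is chosen so that no block start hits the 2-in-256 accident.
SAMPLE_PLAIN = bytes(0x12 if n % 15 == 0 else 0x0F for n in range(64))

def demo():
    prbs = logistic_prbs(69, 251, len(SAMPLE_PLAIN))
    cipher = dsea(SAMPLE_PLAIN, 15, 170, prbs)
    return recover_key(SAMPLE_PLAIN, cipher)   # -> (15, 170, 251, 69)
```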

\begin{figure}[!htb]
\centering
\includegraphics[width=\figwidth]{lenna_e_d}
\caption{The recovered plain-image of ``Lenna'' in a
known-plaintext attack.} \label{figure:KnownPlaintextAttack}
\end{figure}

\section{Improving DSEA}
\label{sec:ImprovingDSEA}

In this section, we study some possible remedies for DSEA to resist
the proposed attacks. It is concluded that DSEA cannot be simply
enhanced to resist known/chosen-plaintext attacks.

To make the complexity of the brute-force attack cryptographically
large, the simplest idea is to increase the representation precision
of $x(0)$ and $\mu$. Binary representations of $x(0)$ and $\mu$ with
64 bits (long integers) are suggested, to provide a complexity of not
less than $O(2^{128})$ against the brute-force attack.

Apparently, the insecurity of DSEA against ciphertext-only and
known/chosen-plaintext attacks is mainly due to the invertibility of
the XOR operation. This is actually a weakness of all XOR-based
stream ciphers. To make DSEA more secure, one has to change the
encryption structure and/or the basic masking operation; in other
words, one has to design a completely new cipher instead of
enhancing DSEA into a modified cipher.

In addition, there is a specific flaw in DSEA. According to
\citep[Sec. 2.5]{Li:Dissertation2003}, when a chaotic system is
implemented with $s$-bit finite computing precision, each chaotic
orbit eventually enters a cycle whose length is smaller than $2^s$
(and generally much smaller than $2^s$). Figure~\ref{figure:ChaoticBits}a
shows the pseudo-image of the chaotic PRBS recovered in a
known-plaintext attack. It is found that the cycle of the chaotic
PRBS is only $2^6=64$ and the period of the corresponding chaotic
orbit is only $2^3=8$. Such a small period of the chaotic PRBS
makes all attacks easier. To amend this defect, using a higher
implementation precision or floating-point arithmetic is suggested.
Figure~\ref{figure:ChaoticBits}b gives the pseudo-image of the
chaotic PRBS when the chaotic states are calculated with
double-precision floating-point arithmetic. It is obvious that the
short-period effect of the chaotic PRBS is effectively avoided.
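The short-period defect just described, as an added Python example (not the authors' code): it measures the cycle that the chaotic orbit enters under 8-bit fixed-point arithmetic versus double precision, for the paper's $x(0)=69/2^8$ and $\mu=251/2^6$. It uses the assumed rounding rule x -> (mu*x*(256-x)) >> 14, so the cycle length it finds need not equal the period of 8 reported above, which depends on the rounding of the original implementation.

```python
"""Cycle length of the chaotic orbit under 8-bit fixed-point versus double-precision
arithmetic (the short-period defect of Sec. 4).  Added example, not the authors'
code; the fixed-point rule x -> (mu*x*(256-x)) >> 14 is an assumption, with mu=251
standing for 251/2^6 and x for x/256."""

def cycle_of(step, x0, limit):
    """Iterate x -> step(x) until a state repeats; return (tail, period), i.e. the
    index at which the cycle is first entered and its length, or None if no state
    repeats within `limit` iterations."""
    seen, x = {}, x0
    for i in range(limit):
        if x in seen:
            return seen[x], i - seen[x]
        seen[x] = i
        x = step(x)
    return None

def fixed8_step(mu):
    """8-bit fixed-point Logistic map (assumed rounding: truncation)."""
    return lambda x: (mu * x * (256 - x)) >> 14

def double_step(mu):
    """The same map evaluated in IEEE double precision, as in Fig. b."""
    return lambda x: mu * x * (1.0 - x)

def compare(x0_int=69, mu_int=251, limit=20000):
    """Orbit of x(0)=x0_int/2^8, mu=mu_int/2^6 under both arithmetics.  With 8-bit
    states a repeat is forced within 256 steps (pigeonhole), so the fixed-point
    PRBS has period at most 8*256 bits; in double precision no state recurs
    within `limit` steps."""
    fixed = cycle_of(fixed8_step(mu_int), x0_int, limit)
    dbl = cycle_of(double_step(mu_int / 64), x0_int / 256, limit)
    return fixed, dbl

if __name__ == "__main__":
    fixed, dbl = compare()
    print("8-bit fixed point: cycle of length", fixed[1], "entered after", fixed[0], "steps")
    print("double precision:", "no repeated state within 20000 steps" if dbl is None else dbl)
```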

\begin{figure}[!htb]
\centering
\begin{minipage}[t]{\figwidth}
\centering
\includegraphics[width=\figwidth]{bit}
a) 8-bit fixed-point arithmetic
\end{minipage}
\begin{minipage}[t]{\figwidth}
\centering
\includegraphics[width=\figwidth]{bit_f}
b) double-precision floating-point arithmetic
\end{minipage}
\caption{The pseudo-image of the chaotic PRBS, under two different
kinds of finite-precision arithmetic.} \label{figure:ChaoticBits}
\end{figure}

\section{Conclusion}

In this paper, the security of a recently-proposed signal security
system called DSEA \citep{Yen-Guo:DSEA:JCIEE2003} has been studied
in detail. It is pointed out that DSEA is not secure enough against
the following attacks: the brute-force attack, ciphertext-only
attacks, and known/chosen-plaintext attacks. Experimental results
are also given to support the theoretical analysis. Also, some
remedies for enhancing DSEA are discussed. In conclusion, DSEA is
not recommended for serious applications requiring a high level of
security.

\section{Acknowledgements}

This research was partially supported by the National Natural
Science Foundation, China, under grant no. 60202002, and by the
Applied R\&D Centers of the City University of Hong Kong under
grants nos. 9410011 and 9620004.

%\nocite{*}
\bibliographystyle{elsart-harv}
\bibliography{DSEA}

\end{document}
