% nlin0311041/CryptanalysisLorenz.tex
\documentclass{elsart}
\usepackage{amsfonts}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage[dvips]{graphicx}

\begin{document}

\begin{frontmatter}

\title{Breaking parameter modulated chaotic secure communication system}

\author{G. \'{A}lvarez\corauthref{corr}},
\author{F. Montoya},
\author{M. Romera},
\author{G. Pastor}

\corauth[corr]{Corresponding author: Email: gonzalo@iec.csic.es}

\address{Instituto de F\'{\i}sica Aplicada, Consejo Superior de
Investigaciones Cient\'{\i}ficas, Serrano 144---28006 Madrid,
Spain}

\begin{abstract}
This paper describes the security weakness of a recently proposed
secure communication method based on parameter modulation of a
chaotic system and an adaptive observer-based synchronization scheme.
We show that the security is compromised even without precise
knowledge of the chaotic system used.

\end{abstract}

\end{frontmatter}

\section{Introduction}

In recent years, a growing number of cryptosystems based on chaos
have been proposed~\cite{Yang}, many of them fundamentally flawed
by a lack of robustness and security. In \cite{Feki}, the author
proposes a symmetric secure communication system based on
parameter modulation of a chaotic oscillator acting as a
transmitter. The receiver is a chaotic system synchronized by
means of an adaptive observer.

In this paper we show how to break the proposed cryptosystem when
Lorenz's attractor is used as the non-linear time-varying
system~(\cite[\S 3.2]{Feki}), which, in fact, was the only example
explained in detail. The Lorenz system is described by the following
equations:
\begin{align}
   \dot{x}_{1}&=-\sigma_{1}x_{1}+\sigma_{2}x_{2}, \label{eq:alpha}\\
   \dot{x}_{2}&=rx_{1}-x_{2}-x_{1}x_{3},  \label{eq:beta}\\
   \dot{x}_{3}&=x_{1}x_{2}-bx_{3}. \label{eq:delta}
\end{align}

In the example the system is implemented with the following
parameter values: $(\sigma_1, \sigma_2,r,b)=(10, 10, 28, 8/3)$.
The signal used for synchronization of the receiver is $x_1$. The
encryption process is defined by modulating the parameter
$\sigma_1$ with the binary encoded plaintext, so that it is
$\sigma_1+2.5$ if the plaintext bit is ``1'' and $\sigma_1-2.5$ if
the plaintext bit is ``0''. The duration of the plaintext bits must
be much larger than the convergence time of the adaptation law.
In the example the bit rate is 0.2 bits/second. The
uncertain system can be rewritten in a compact form as:

\begin{equation}\label{eq:matrix1}
\left[ {\begin{array}{*{20}c}
   {\dot x_1 }  \\
   {\dot x_2 }  \\
   {\dot x_3 }  \\
\end{array}} \right] = \left[ {\begin{array}{*{20}c}
   { - \sigma_1} & {\sigma_2} & 0  \\
   {r} & { - 1} & 0  \\
   0 & 0 & -b  \\
\end{array}} \right]\left[ {\begin{array}{*{20}c}
   {x_1}  \\
   {x_2}  \\
   {x_3}  \\
\end{array}} \right] + \left( {\begin{array}{*{20}c}
   0  \\
   { - x_1x_3}  \\
   {x_1x_2}  \\
\end{array}} \right) + \left[ {\begin{array}{*{20}c}
   1  \\
   0  \\
   0  \\
\end{array}} \right]( - y)\theta
\end{equation}

\begin{equation}\label{eq:y}
y=C\cdot x=x_1
\end{equation}
\begin{equation}\label{eq:C}
C=[1~0~0]
\end{equation}
\begin{equation}\label{eq:teta}
\theta=\Delta\sigma_1=\pm 2.5
\end{equation}

The decryption process consists of a chaotic system synchronized
by means of an adaptive observer. The observer-based response
system is designed as:

\begin{equation}\label{eq:matrix2}
\left[ {\begin{array}{*{20}c}
   {\dot {\hat {x}}_1 }  \\
   {\dot {\hat {x}}_2 }  \\
   {\dot {\hat {x}}_3 }  \\
\end{array}} \right] = \left[ {\begin{array}{*{20}c}
   { - \sigma_1} & {\sigma_2} & 0  \\
   {r} & { - 1} & 0  \\
   0 & 0 & -b\\
\end{array}} \right]\left[ {\begin{array}{*{20}c}
   {\hat x_1}  \\
   {\hat x_2}  \\
   {\hat x_3}  \\
\end{array}} \right] + \left( {\begin{array}{*{20}c}
   0  \\
   { - \hat x_1\hat x_3}  \\
   {\hat x_1\hat x_2}  \\
\end{array}} \right) + LC(x_1  - \hat x_1 )
\end{equation}
\begin{equation}\label{eq:L}
L=[0~38~0]^{T}
\end{equation}

The plaintext can be retrieved from the first derivative of the
receiver uncertainty defined as:
\begin{equation}\label{eq:tetahat}
\dot{\hat{\theta}}=-5y(x_1  - \hat x_1 )
\end{equation}

The initial conditions of the transmitter and receiver are:
$(x_1(0),x_2(0),x_3(0))=(10,15,20)$ and
$(\hat{x}_1(0),\hat{x}_2(0),\hat{x}_3(0),\hat{\theta}(0))=(0,0,0,0)$.

Although the author seemed to base the security of the
cryptosystem on the chaotic behavior of the output of the Lorenz
non-linear system, no analysis of security was included. It was
not considered whether there should be a key in the proposed
system, what it should consist of, what the available key space
would be, and how it would be managed. We discuss the weaknesses
of this secure communication system in Sec.~\ref{sec:powerattack}
and in Sec.~\ref{sec:GSattack}.



\section{Power analysis attack}
\label{sec:powerattack}

The main problem with this cryptosystem
lies in the fact that the ciphertext is an analog signal, whose
waveform depends on the system parameter values and therefore on
the plaintext signal, which modulates one parameter. Consequently,
the plaintext signal may be recovered from the transmitted signal
power. Fig.~\ref{fig:mariposas} shows the Lorenz chaotic attractor
for the different values of the parameter $\sigma_1$ proposed by
the author, making apparent the strong dependence of the waveforms
on the plaintext. In Fig.~\ref{fig:mariposas}(a) and (b) the
attractors corresponding to $\sigma_{1}=7.5$ and to
$\sigma_{1}=12.5$ are shown, respectively. We can observe that the
signal amplitudes are quite different. In
Fig.~\ref{fig:mariposas}(c) the attractor trajectory corresponding
to a modulation of the $\sigma_{1}$ parameter between 7.5 and 12.5
is shown. We can observe that the resulting trajectory is the
superposition of the two preceding trajectories; both remain
clearly recognizable, so they are easy to separate from each other.

To break the system we have implemented the chaotic transmitter of
the author's example with the same parameter values and initial
conditions. The simulation is identical to the one employed in the
original example, a fourth-order Runge-Kutta integration algorithm
in MATLAB 6. A step size of $0.001$ was used.

To recover the plaintext we used no chaotic receiver; instead we
performed a short-time power analysis of the ciphertext. The
procedure is illustrated in Fig.~\ref{fig:power}. The first step
consists of squaring the ciphertext signal, $x_1$. Next, this
signal is low-pass filtered and, finally, binary quantized. The
low-pass filter employed is a four-pole Butterworth with a
cutoff frequency of 0.5 Hz. The quantizer is an inverting
Schmitt trigger with switch-on point at 80 and switch-off point at
50.

The result is a good estimation of the plaintext, with tiny
inaccuracies consisting of small delays in some transitions. Note
that the short initial error was also present at the beginning of
the retrieved signal obtained with the authorized receiver
described in the author's example.

It should be emphasized that our analysis is a blind detection,
made without the least knowledge of what kind of non-linear
time-varying system was used for encryption, of its parameter
values, or of its keys, if any.
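
The amplitude difference visible in Fig.~\ref{fig:mariposas} can be
quantified with a short calculation, added here as a worked
illustration that is not part of the original analysis. Writing
$s=\sigma_1+\theta$ for the modulated parameter (the symbol $s$ is
introduced only for this note), the first row of
(\ref{eq:matrix1}) reads $\dot{x}_1=-s\,x_1+\sigma_2x_2$, and
setting the three derivatives to zero gives the non-trivial
equilibria
\begin{align*}
   x_2&=\frac{s}{\sigma_2}\,x_1, &
   x_3&=r-\frac{s}{\sigma_2}, &
   x_1^2&=b\left(\frac{r\sigma_2}{s}-1\right).
\end{align*}
With $(\sigma_2,r,b)=(10,28,8/3)$ this yields
\begin{align*}
   s=7.5\ \text{(bit ``0'')}:&\quad x_1^2=\tfrac{8}{3}\left(\tfrac{280}{7.5}-1\right)\approx 96.9,\\
   s=12.5\ \text{(bit ``1'')}:&\quad x_1^2=\tfrac{8}{3}\left(\tfrac{280}{12.5}-1\right)\approx 57.1.
\end{align*}
The trajectory orbits these equilibria, so their position sets the
amplitude scale of $x_1$: the value of $x_1^2$ at the equilibria
is about 1.7 times larger for bit ``0'' than for bit ``1''. This
is consistent with the use of an inverting quantizer, in which
the higher power level corresponds to the bit ``0''.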



\section{Generalized Synchronization attack}
\label{sec:GSattack}

A more precise retrieval of the plaintext can be performed
if we know what kind of non-linear time-varying system was used
for encryption, but still without knowledge of its parameter
and initial condition values.

We have implemented another attack by means of an intruder
receiver based on generalized synchronization~\cite{Rulkov},
rather simpler than the authorized receiver. We use the following
receiver:

\begin{equation}\label{eq:matrix3}
\left[ {\begin{array}{*{20}c}
   {\dot {\hat {x}}_1 }  \\
   {\dot {\hat {x}}_2 }  \\
   {\dot {\hat {x}}_3 }  \\
\end{array}} \right] = \left[ {\begin{array}{*{20}c}
   { - \sigma_1} & {\sigma_2} & 0  \\
   {0} & { - 1} & 0  \\
   0 & 0 & { - b}  \\
\end{array}} \right]\left[ {\begin{array}{*{20}c}
   {\hat x_1}  \\
   {\hat x_2}  \\
   {\hat x_3}  \\
\end{array}} \right] + \left( {\begin{array}{*{20}c}
   0  \\
   { rx_{1}-x_1\hat x_3}  \\
   {x_1\hat x_2}  \\
\end{array}} \right)
\end{equation}

The plaintext recovery procedure consists of the estimation of the
short-time cross-correlation between the ciphertext and the
recovery error. It is illustrated in Fig.~\ref{fig:GS}. The first
step consists of calculating the synchronization error of the
receiver, $\Delta x_1=x_1  - \hat x_1$. Next, the synchronization
error $\Delta x_1$ is multiplied by the ciphertext $x_1$. Then
this signal is low-pass filtered. Finally, a binary quantizer is
used to regenerate the plaintext. The low-pass filter employed is
a four-pole Butterworth with a cutoff frequency of 0.5 Hz. The
binary quantizer is a Schmitt trigger with switch-on point at 11 and
switch-off point at 9.
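
Why the product $x_1\Delta x_1$ carries the plaintext can be seen
from the error dynamics. The following calculation is an added
illustration, not part of the original analysis, and assumes for
simplicity that the intruder's receiver (\ref{eq:matrix3}) uses the
transmitter's nominal values of $\sigma_1$, $\sigma_2$, $r$ and $b$
(the implementation reported at the end of this section uses
different values). The symbols $e_i$ and $V$ are introduced only
for this note. With $e_i=x_i-\hat{x}_i$, subtracting
(\ref{eq:matrix3}) from (\ref{eq:matrix1}) gives
\begin{align*}
   \dot{e}_1&=-\sigma_1e_1+\sigma_2e_2-\theta x_1,\\
   \dot{e}_2&=-e_2-x_1e_3,\\
   \dot{e}_3&=x_1e_2-be_3.
\end{align*}
For $V=\tfrac{1}{2}(e_2^2+e_3^2)$ the cross terms cancel,
\begin{equation*}
   \dot{V}=e_2\dot{e}_2+e_3\dot{e}_3=-e_2^2-be_3^2<0
   \quad\text{for }(e_2,e_3)\neq(0,0),
\end{equation*}
so $e_2$ and $e_3$ decay to zero whatever the drive signal $x_1$
and the bit value $\theta$. What remains is
$\dot{e}_1=-\sigma_1e_1-\theta x_1$: the synchronization error
$\Delta x_1=e_1$ is the ciphertext passed through a first-order
low-pass filter and scaled by $-\theta$. Its short-time correlation
with $x_1$ therefore takes one level for $\theta=+2.5$ and another
for $\theta=-2.5$, which is the difference that the low-pass filter
and the quantizer separate.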

We have found that the sensitivity to the parameter values is so
low that the original plaintext can be recovered from the
ciphertext using a receiver system with parameter values
considerably different from the ones used by the sender. The
parameter values can be obtained with high precision by
means of a trial-and-error procedure, varying them in an effort
to approximate the filter output signal to a square wave. However,
their exact knowledge is not necessary to recover the plaintext,
as already illustrated in Fig.~\ref{fig:GS}.

The approximate range of parameter values that causes a chaotic
behavior of the Lorenz oscillator is:
\begin{align}
   \sigma_1&=\{4,14\}, \label{eq:sigma1}\\
   \sigma_2&=\{8,30\}, \label{eq:sigma2}\\
   r&=\{24,90\},\label{eq:erre}\\
   b&=\{1.5,4.5\}.\label{eq:b}
\end{align}

For our implementation, represented in
Fig.~\ref{fig:GS}, we have selected the central value of each of the preceding
parameter ranges, that is: $(\sigma_1, \sigma_2,r,b)=(9, 19, 66,
3)$, with initial conditions
$(\hat{x}_1(0),\hat{x}_2(0),\hat{x}_3(0),\hat{\theta}(0))=(0,0,0,0)$.


\section{Conclusions}
The proposed cryptosystem is rather weak, since it can be broken
without knowing its parameter values and even without knowing the
precise structure of the transmitter. There is no mention of what the
key is, nor of what the key space is, a fundamental aspect of every
secure communication system. The total lack of security
discourages the use of this algorithm for secure applications.


\ack{This work is supported by Ministerio de Ciencia y
Tecnolog\'{\i}a of Spain, research grant TIC2001-0586.}


\begin{thebibliography}{9}

\bibitem{Yang} T. Yang, A Survey of Chaotic Secure Communication
Systems. \emph{International Journal of Computational Cognition}
\textbf{2} (2004), 81--130.

\bibitem{Feki} Moez Feki, An adaptive chaos synchronization scheme
applied to secure communication. \emph{Chaos, Solitons and
Fractals} \textbf{18} (2003), 141--148.

\bibitem{Rulkov} N. F. Rulkov, M. M. Sushchik, L. S. Tsimring and
H. D. I. Abarbanel, Generalized synchronization of chaos in
directionally coupled chaotic systems. \emph{Phys. Rev. E}
\textbf{51} (1995), 980--994.


\end{thebibliography}

\clearpage
\pagestyle{empty}

\section*{Figure captions}

\begin{center}
\begin{figure}[h]
  \includegraphics{figure1}
  \caption{Lorenz attractor with different parameter values: (a)
$\sigma_{1}=7.5$; (b) $\sigma_{1}=12.5$; (c) $\sigma_{1}$ is
switched between 7.5 and 12.5 by the plaintext.}
  \label{fig:mariposas}
\end{figure}
\end{center}

\clearpage

\begin{figure}[htbp]
%\begin{center}
  \includegraphics{figure2}
  \caption{Power signal attack: (a) plaintext; (b) ciphertext, $x_1$;
  (c) squared ciphertext signal, $x_1^2$; (d) low-pass filtered
  squared ciphertext signal; (e) recovered plaintext.}
  \label{fig:power}
%\end{center}
\end{figure}

\clearpage

\begin{figure}[htbp]
%\begin{center}
  \includegraphics{figure3}
  \caption{Generalized Synchronization attack: (a) plaintext;
  (b) ciphertext, $x_1$; (c) signal generated by the intruder's receiver, $\hat{x}_1$;
  (d) synchronization error of the intruder's receiver, $\Delta x_1=x_1-\hat{x}_1$;
  (e) ciphertext multiplied by synchronization error, $x_1\cdot\Delta x_1$;
  (f) low-pass filtering of (e); (g) recovered plaintext.}
  \label{fig:GS}
%\end{center}
\end{figure}

\end{document}
