0311:nlin0311042/CryptanalysisOscillator.tex

1: \documentclass[a4paper]{article}

2: \usepackage[dvips]{graphicx}

3: \usepackage{latexsym}

4: \usepackage{amssymb}

5: \usepackage{amsmath}

6: \usepackage{amsfonts}

7:

8:

9:

10: \begin{document}

11:

12: \title{Cryptanalysis of a novel cryptosystem based on chaotic oscillators and feedback inversion}

13: \author{

14: G. \'{A}lvarez Mara\~n\'on, L. Hern\'{a}ndez

15: Encinas\footnote{Corresponding author. Tel. (+34) 915 618 806

16: (Ext. 458), Fax: (+34) 914 117 651},\\

17: F. Montoya Vitini and J. Mu\~{n}oz Masqu\'e\\

18: \emph{Instituto F\'{\i}sica Aplicada}\\

19: \emph{Consejo Superior de Investigaciones Cient\'{\i}ficas}\\

20: \emph{C/ Serrano 144, 28006--Madrid, Spain}\\

21: \emph{Emails: \{gonzalo, luis, fausto, jaime\}@iec.csic.es}}

22:

23: \date{}

24: \maketitle

25:

26: \begin{abstract}

27: An analysis of a recently proposed cryptosystem based on chaotic

28: oscillators and feedback inversion is presented. It is shown how

29: the cryptosystem can be broken when Duffing's oscillator is

30: considered. Some implementation problems of the system are also

31: discussed.

32:

33: \end{abstract}

34:

35: \section{Introduction}

36:

37: In recent years, a growing number of cryptosystems based on chaos

38: have been proposed \cite{Yang}, many of them fundamentally flawed

39: by a lack of robustness and security. In the Letter~\cite{SPG02},

40: the authors have proposed a symmetric cryptosystem based on

41: chaotic oscillators. More precisely, let $N\colon L_{\infty

42: e}\left( \mathbb{R}_{+}\right)  \rightarrow L_{\infty e}\left(

43: \mathbb{R}_{+}\right) $ be a non-linear time-varying system, where

44: $L_{\infty e}\left( \mathbb{R}_{+}\right)  $ stands for the

45: extended $L_{\infty}$-space on $\mathbb{R}_{+}$, and let $S_{1}$

46: and $S_{2}$ be two signal generators which generate the time

47: functions $t\mapsto w_{1}(t)$ and $t\mapsto w_{2}(t)$,

48: respectively. The encryption process is defined by adding the

49: signal generator $S_{2}$ to the output of the dynamic evolution of

50: $N$. Explicitly, to encrypt a message defined by a train of pulses

51: $t\mapsto p(t)$, of suitable width and of amplitude zero or one,

52: is necessary to compute the function $u(t)=p(t)+w_{1}(t)$,

53: $\forall t\geq0$. Then, $u(t)$ is applied to the system $N$ and

54: its output is added to $w_{2}(t)$. The ciphertext is then defined

55: to be $c(t)=(Nu)(t)+w_{2}(t)$, $\forall t\geq0$.

56:

57: The decryption process consists of the two signal generators,

58: $S_{1}$ and $S_{2}$, and a feedback system $S(g,N)$, where $N$ is

59: the non-linear system used in the encryption protocol and $g$ is

60: the gain of the system. To decrypt a message $c(t)$, one subtracts

61: $w_{2}(t)$ from $c(t)$ and the result is the input to the system

62: $S(g,N)$. Its output, $\widetilde{u}(t)$, is a good, but noisy,

63: approximation of $u(t)$; also, the difference between $w_{1}(t)$

64: and $\widetilde{u}(t)$ gives $\widetilde{p}(t)$, which is a good,

65: but noisy, approximation of $p(t)$. Using a low-pass filter $L(s)$

66: and a quantizer $Q$, the original message is obtained. In order to

67: recover the original message exactly, $L(s)$ should be designed

68: carefully. Although the authors seem to base the security of their

69: cryptosystem on the chaotic behavior of the output of the non-linear

70: system $N$, no analysis of security is included.

71:

72: In the present Letter we discuss the weaknesses of this system in

73: Section~\ref{sec:attacks} and we analyze its practical implementation in

74: Section~\ref{sec:practical}.

75:

76: \section{Attacks to the cryptosystem}

77: \label{sec:attacks}

78:

79: In this section we show how to break the cryptosystem proposed

80: in~\cite{SPG02} when Duffing's oscillator is used as the non-linear

81: time-varying system~\cite[\S 3.1]{SPG02}, which, in fact, is

82: the first example explained in detail.

83: The main problem with this cryptosystem lies on the

84: fact that the ciphertext is an analog signal, whose waveform

85: depends on the system parameter values and the plaintext signal.

86: Likewise, the detected signal before the quantizer depends on

87: these same parameters. The study of these signals provides the

88: necessary information to recover a good estimation of the system

89: parameter values and the correct plaintext.

90:

91: We consider the first example in~\cite[\S 4.1]{SPG02}, for Duffing's

92: oscillator, represented by:

93: \begin{equation}\label{eq:duffing}

94:     N:\ddot x(t)+\delta\dot x(t)-\alpha x(t)+\beta

95:     x(t)^3=u(t),\;x(0)=0,\;\dot x(0)=0.

96: \end{equation}

97: In their example $w_1(t)=A\cos \omega t$ and $w_2(t)\equiv 0$. The

98: key of the system is made by the oscillator's parameters

99: $(\delta ,\alpha ,\beta)$, and the signal generator's parameters

100: $(A,\omega)$. Following the example given, we use a key formed by

101: the following set of parameters:

102: \begin{equation}\label{eq:realparameters}

103:     \alpha=10,\;\beta=100,\;\delta=1,\;A=1.5,\;\omega=3.76.

104: \end{equation}

105: Duffing's oscillator is used operating in the chaotic region.

106: This region is roughly characterized by the following values of

107: the parameters:

108: \begin{equation}\label{eq:chaotic}

109: 3\leq\alpha\leq 15,\;40\leq\beta\leq 250,\;0.5\leq\delta\leq 1.7,\;

110: 1\leq A\leq 2,\; 0.5\leq \omega \leq 7.

111: \end{equation}

112: The sensitivity to the parameter values is so low that the

113: original plaintext can be recovered from the ciphertext using a

114: receiver system with parameter values considerably different from

115: the ones used by the sender. As a consequence, it is very economic

116: to try different combinations of the parameters until a reasonable

117: approximation is reached. Although the parameter values can be

118: obtained with a very accurate precision, their knowledge is not

119: necessary to recover the plaintext.

120:

121: We have found that the message can be decrypted even when $\beta$

122: has an error of $\pm 5\%$; $\delta$ has an error from $-30\%$ to

123: $+60\%$ and $\alpha$ has an absolute error of $\pm 2$ integers;

124: with respect to the original set of

125: parameters~\eqref{eq:realparameters}.

126:

127: In Fig.~\ref{fig:spectrum} we show the power spectral analysis

128: of the example ciphertext signal. As is observed, the frequency of

129: the forced oscillator is totally evident. The spectrum highest

130: peak appears at the $S_{1}$ signal generator frequency of

131: $\omega=3.76$. Thus, by simply examining the ciphertext, one of

132: the elements of the key ($\omega$) is obtained.

133:

134: Next, the attacker uses a receiver for which $A=0$, and the rest of

135: the parameters takes values from the following sets:

136: \begin{align}

137:    \alpha&=\{5,9,13\}, \label{eq:alpha}\\

138:    \beta&=\{43,47,51,56,62,68,75,82,91,100,110,\nonumber\\

139:         &\quad \quad 120,130,145,160,180,200,220,240\}, \label{eq:beta}\\

140:    \delta&=\{0.7, 1.3\}.\label{eq:delta}

141: \end{align}

142: This makes a total of 114 possible combinations, which should be

143: tried one by one. To check whether the choice of the parameters is

144: good, we look at the output of the low-pass filter $L(s)$, which

145: we call $\hat p(t)$. When the parameter values are slightly

146: different from the right ones, then $\hat p(t)$ will look like a

147: square signal summed with a pure sine. The frequency of this sine

148: corresponds to the value of $\omega$ previously calculated from

149: the spectrum of the ciphertext. The amplitude of this sine

150: corresponds exactly to the value of $A$ used by the sender.

151:

152: Next, the value of $A$ just computed is used to regenerate the

153: plaintext. Due to the low sensitivity to the parameter values,

154: although the exact values are unknown, the deciphered plaintext

155: signal will be equal (or very close) to the original one. In

156: Fig.~\ref{fig:histories} the recovered plaintext is depicted for

157: the following parameter values:

158: \begin{equation}\label{eq:guessedparameters}

159:     \alpha=9,\;\beta=100,\;\delta=0.7,\;A=1.4,\;\omega=3.76.

160: \end{equation}

161: The first three values are taken from the

162: equations~\eqref{eq:alpha}--\eqref{eq:delta}. Although the parameter

163: errors are $10\%$, $0\%$, $30\%$, $6.66\%$, and $0\%$, respectively,

164: the plaintext is correctly recovered. These values could be further

165: refined by varying them in an effort to approximate $\hat p(t)$ to

166: a square wave.

167:

168: \section{Difficulties of practical implementation}

169: \label{sec:practical}

170:

171: In this section we discuss the difficulties that this cryptosystem

172: will face if it is practically implemented.

173:

174: \subsection{Analog transmission}

175:

176: The proposed cryptosystem seems to present serious problems in

177: a real transmission, because the

178: recovered signal at the receiving end of the transmission path

179: will be very difficult to decrypt.

180:

181: Apparently, the authors have only implemented a software

182: simulation of the complete encryption/decryption system, feeding

183: the ciphertext (the output generated by the encryption system)

184: directly as the input to the decryption system. The generators

185: $S_1$ and $S_2$, part of the system key, look to be connected

186: simultaneously and locally to both the encryption and decryption

187: systems.

188:

189: In real world applications, however, things happen in a very

190: different way. Ideal transmission lines introduce an unknown

191: amount of attenuation and delay in the transmitted signal.

192: Furthermore, real transmission lines introduce distortion and

193: noise too. Moreover, wireless communication systems exhibit

194: time-variable attenuation and delay.

195:

196: Thus, the input signal at the receiver end $c'(t)$ and the

197: transmitted signal $c(t)$ will differ. In the most favorable case,

198: if we assume that we are using an ideal line, the received signal

199: will be $c'(t)= k c(t+\tau)$, were $k$ and $\tau$ are the

200: attenuation and delay of the line.

201:

202: \subsubsection{Synchronization}

203:

204: As the authors point out, most continuous chaotic cryptosystems

205: described until now are based on the synchronization of two

206: chaotic systems. The claimed novelty of the present cryptosystem

207: relies on the lack of synchronization between encryption and

208: decryption; but this is an erroneous claim, because in the software

209: simulations the authors have used a hidden synchronization

210: mechanism consisting of the local and simultaneous connection of

211: generators $S_1$ and $S_2$ to both the encryption and decryption

212: systems.

213:

214: In real world applications, given that transmission lines have

215: limited bandwidth, when transmitting to a remote system, signal

216: delay will take place. The delay amount may vary for different

217: frequency components of the signal, depending on the line

218: impulsive response. Thus, the observed waveforms at sender and

219: receiver ends may differ and it will be very difficult to estimate

220: the right moment to start the receiving generators.

221:

222: Some measures should be taken to assure that both ends are using

223: signal generators $S_1$ and $S_2$ with exactly the same phase in

224: respect to the ciphertext. However, no mesure is considered by the

225: authors. Hence the receiver end's generators will never generate

226: the adequate signal.

227:

228: \subsubsection{Attenuation}

229:

230: Another factor to be considered is the line attenuation. No

231: continuous transmission or storage system (cable, optical,

232: magnetic or wireless) grants that the received or reproduced

233: signal amplitude preserves the original amplitude. If the signal

234: is transmitted over a switched network, the attenuation will change

235: each time that a new connection is made. If the signal is

236: transmitted over a wireless channel, the attenuation will vary

237: depending on changing atmospheric conditions, changing

238: reflections, and changing multipath.

239:

240: When transmitting a signal of known constant amplitude  (e.g.

241: square pulses or frequency modulated sinusoids) it is possible to

242: equalize the received signal, restoring the correct amplitude

243: level. But in the present case, as the signal is chaotic, its

244: amplitude is varying in an unpredictable fashion, so it is

245: impossible any level restoring.

246:

247: Therefore, it will be impossible to subtract exactly $w_2$ at the

248: receiver end. Hence, the signal $r$ at the input of the decryption

249: system feedback loop will be $r(t)= c'(t)-w_2(t)$, i.e.:

250: \begin{equation}\label{eq:r}

251: r(t)=k(Nu)(t+\epsilon)+kw_2(t+\epsilon)-w_2(t),

252: \end{equation}

253: where $\epsilon$ is the time inaccuracy in the determination of

254: the right moment to start the receiving generators.

255: Hence, the decrypted signal will be:

256: \begin{equation}\label{eq:y}

257: y(t)\approx(N^{-1}r)(t)=(N^{-1}(k(Nu)(t+\epsilon)+kw_2(t+\epsilon)

258: -w_2(t)))(t).

259: \end{equation}

260: As $N$ is a nonlinear chaotic map and due to the \emph{sensitive

261: dependence on the initial conditions} that characterize

262: chaos~\cite[p. 119]{Devaney92}, the decrypted signal

263: $y(t)$ will never match the plaintext $p(t)$.

264:

265: The recovered plaintext errors induced by the use of a real

266: communication channel with restricted bandwidth, attenuation

267: and/or noise are illustrated in Fig.~\ref{fig:channel}.

268:

269: Moreover, the authors seem to base the security of their

270: cryptosystem on the chaotic behavior of $N$, although no evidence

271: of that is shown. In any case, the chaotic profile of the output

272: $x(t)$ in Duffing's oscillator~\eqref{eq:duffing} is not always

273: guaranteed for every input $u(t)=p(t)+w_1(t)$, even in the chaotic

274: range~\eqref{eq:chaotic}, and the sensitive dependence on the

275: initial conditions is diminished as they are kept to be fixed,

276: $x(0)=0$, $\dot x(o)=0$, in Duffing's equation~\eqref{eq:duffing}.

277:

278: \subsection{Digital transmission}

279:

280: If a discretization of the ciphertext is sent instead of the

281: dynamic evolution of the system $N$, then there are two options.

282:

283: In the first one, the ciphertext is discretized only at the nodes

284: $i=0,\ldots,n$, where $n$ is the number of pulses of $p(t)$. Then,

285: the ciphertext sent by the sender must be the $3$-uples

286: $(x(t_{i}), \dot{x} (t_{i}),\ddot{x}(t_{i}))$, $i=0,\ldots,n$,

287: since the receiver needs to know these values---and not only the

288: $x(t_{i})$---in order to be able to decrypt the message, as the

289: usual methods of discretization do not allow to obtain the values

290: of the derivative at the nodes $t_{i}$ in terms of the values of

291: the function at such nodes. For example, if one uses the

292: Runge-Kutta method (see \cite[\S163]{Zwillinger89}) to solve

293: $\ddot{x}=f\left( t,x,\dot{x}\right)$, then the values of the

294: first derivative are given by

295: \begin{align}

296: \dot{x}(t_{0}+h) & =\dot{x}(t_{0})+\frac{1}{6}\left( k_{1}+2k_{2}

297: +2k_{3}+k_{4}\right) ,\\

298: k_{1} & =hf\left( t_{0},x\left( t_{0}\right) ,\dot{x}\left(

299: t_{0}\right)

300: \right) ,\\

301: k_{2} & =hf\left( t_{0}+\frac{1}{2}h,x(t_{0})+\frac{1}{2}h\dot{x}

302: (t_{0})+\frac{1}{8}hk_{1},\dot{x}(t_{0})+\frac{1}{2}k_{1}\right) ,\\

303: k_{3} & =hf\left( t_{0}+\frac{1}{2}h,x(t_{0})+\frac{1}{2}h\dot{x}

304: (t_{0})+\frac{1}{8}hk_{2},\dot{x}(t_{0})+\frac{1}{2}k_{2}\right) ,\\

305: k_{4} & =hf\left(

306: t_{0}+h,x(t_{0})+h\dot{x}(t_{0})+\frac{1}{2}hk_{3}, \dot

307: {x}(t_{0})+k_{3}\right) .

308: \end{align}

309: We remark on the fact that the values for the second derivative

310: should be computed from the formula

311: \begin{equation}

312: \ddot{x}(t_{i})=f\left( t_{i},x(t_{i}),\dot{x}(t_{i})\right) ,

313: \end{equation}

314: where $f$ is the function defining the dynamic system $N$. This

315: fact implies that the transmission has a high factor expansion as

316: every pulse of the original message is transmitted by means of a

317: $3$-uple of real numbers with a consistent number of decimals.

318:

319: The second option consists in computing a much more long list of

320: values $x(s_{i})$, $i=0,\ldots,m$, with $m\gg n$. In this case,

321: the values for the first derivative can be obtained from the

322: formulas above;\ but the second derivative should also be included

323: in the transmission. Hence, in this case the ciphertext is

324: $(x(s_{i}),\ddot{x}(s_{i}))$, $i=0,\ldots,m$. What is gained in

325: not sending the first derivative is lost by the greater number of

326: entries of the list.

327:

328: In any case, the values of the first and second derivatives cannot

329: be computed by the usual approximate formulas

330: \begin{align}

331: \dot{x}(t_{i}) & \approx\frac{x(t_{i+1})-x(t_{i})}{h},\\

332: \ddot{x}(t_{i}) &

333: \approx\frac{x(t_{i+2})-2x(t_{i+1})+x(t_{i})}{h^{2}},

334: \end{align}

335: as they produce considerable errors in the decryption process due

336: to the nonlinear terms in $N$.

337:

338: \section{Conclusion}

339: As a consequence of the previous analysis, the cryptosystem studied

340: cannot work in practice because it is not using any synchronization

341: mechanism and because it is not robust to real channel conditions.

342: On the other hand, the cryptosystem is rather weak, since it can

343: be broken by using a set of $114$ parameter values only. The total

344: lack of security, along with the lack of robustness, discourages

345: the use of this algorithm for secure applications.

346:

347: \vspace{0.5cm}

348: \noindent {\bf Acknowledgements} This work is supported by

349: \textit{Ministerio de Ciencia y Tecnolog\'{\i}a} of Spain,

350: research grant TIC2001-0586.

351:

352: \begin{thebibliography}{99}

353:

354: \bibitem{Yang} T. Yang, A Survey of Chaotic Secure Communication

355: Systems. \emph{International Journal of Computational Cognition}

356: \textbf{2} (2003), 81--130.

357:

358: \bibitem{SPG02}S. M. Shahruz, A. K.

359: Pradeep, R. Gurumoorthy, Design of a novel cryptosystem based on

360: chaotic oscillators and feedback inversion. \emph{Journal of Sound

361: and Vibration} \textbf{250} (2002), 762--771.

362:

363: \bibitem{Devaney92}R. L. Devaney,

364: \emph{A first course in chaotic dynamical systems},

365: Addison-Wesley, Reading, MA, 1992.

366:

367: \bibitem{Zwillinger89}D. Zwillinger

368: \emph{Handbook of differential equations},

369: Academic Press, Inc., Boston,  1989.

370: \end{thebibliography}

371:

372: \clearpage

373: \pagestyle{empty}

374:

375: \section*{Figure captions}

376:

377: \begin{figure}[h]

378:   \center

379:   \includegraphics{figure1}

380:   \caption{Power spectral analysis of the ciphertext

381:   signal. The highest peak corresponds to the frequency of $S_{1}$

382:   and lies at $\omega\approx 3.76$.}

383:   \label{fig:spectrum}

384: \end{figure}

385:

386: \clearpage

387:

388: \begin{figure}[h]

389:   \hspace{-1.5cm}

390:   \includegraphics{figure2}

391:   \caption{Plaintext recovery with inexact receiver

392:   parameter values. Time histories of: (a) plaintext; (b) recovered

393:   plaintext; (c) $\hat p(t)$.}

394:   \label{fig:histories}

395: \end{figure}

396:

397: \clearpage

398:

399: \begin{figure}[h]

400: \begin{center}

401:   \includegraphics{figure3}

402:   \caption{Effects of a real communication channel: (a) plaintext;

403:   (b) recovered plaintext with channel bandwidth restricted to

404:   $\omega=6.28$~rad/seg; (c) recovered plaintext with channel attenuation of

405:   $3$~dB; (d) recovered plaintext with channel noise of $-40$~dB;

406:   (e) recovered plaintext with channel bandwidth restricted to

407:   $\omega=9.42$~rad/seg, attenuation of $0.5$~dB and noise of $-50$~dB. The

408:   parameter values at the sender and receiver ends match exactly.

409: }

410:   \label{fig:channel}

411: \end{center}

412: \end{figure}

413:

414: \end{document}

415: