\documentclass{elsart}
\usepackage{amsfonts}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage[dvips]{graphicx}

\begin{document}

\begin{frontmatter}

\title{Cryptanalyzing a discrete-time chaos synchronization secure communication system}

\author{G. \'{A}lvarez\corauthref{corr}},
\author{F. Montoya},
\author{M. Romera},
\author{G. Pastor}

\corauth[corr]{Corresponding author: Email: gonzalo@iec.csic.es}

\address{Instituto de F\'{\i}sica Aplicada, Consejo Superior de
Investigaciones Cient\'{\i}ficas, Serrano 144---28006 Madrid,
Spain}

\begin{abstract}
This paper describes the security weakness of a recently proposed
secure communication method based on discrete-time chaos
synchronization. We show that the security is compromised even
without precise knowledge of the chaotic system used. We also make
many suggestions to improve its security in future versions.

\end{abstract}

\end{frontmatter}

\section{Introduction}

In recent years, a growing number of cryptosystems based on chaos
have been proposed \cite{asocscs,cc}, many of them fundamentally
flawed by a lack of robustness and security
\cite{stusc,cocborcr,emmbc,uamccs,pwtcisea,bcsugse,bcscuas,ccscurm,coaces,coacscs,coaecc,otsoacespwccifcp,coadccuek}.
In~\cite{sdcudtcs}, a secure communication system based on chaotic
modulation using discrete-time chaos synchronization is proposed.
Two different schemes of message encoding are presented. In the
first scheme, the binary message ($m(i)=\pm 1$) is multiplied by
the chaotic output signal of the transmitter and then sent to
drive the receiver system. In the second scheme, the binary
message is modulated by multiplication with the chaotic output
signal and then is fed back to the transmitter system and
simultaneously sent to the receiver system.

Discrete-time chaotic systems are generally described by a set of
nonlinear difference equations. The first communication system
based on modulation by multiplication can be described by:

\begin{equation}\label{eq:modmultr}
\rm transmitter\left\{ \begin{array}{l}
 x_1(i + 1) = 1-\alpha x_1^2(i) + x_2(i) \\
 x_2(i + 1) = \beta x_1(i) \\
 s(i) = x_1(i) \cdot m(i) \\
 \end{array} \right.
\end{equation}

\begin{equation}\label{eq:modmulrc}
\rm receiver\left\{ \begin{array}{l}
 \hat{x}_1(i + 1) = 1-\alpha s^2(i) + \hat{x}_2(i) \\
 \hat{x}_2(i + 1) = \beta \hat{x}_1(i) \\
 \hat{m}(i)=s(i)/\hat{x}_1(i)
 \end{array} \right.
\end{equation}

The communication scheme using modulation by multiplication and
feedback, with a modification to avoid divergence due to feedback,
is described by:

\begin{equation}\label{eq:modmulfbtr}
\rm transmitter\left\{ \begin{array}{l}
 x_1(i + 1) = 1-\alpha (s(i)- \left\lfloor{\frac{s(i)+P}{2P}}\right\rfloor 2P)^2 + x_2(i) \\
 x_2(i + 1) = \beta x_1(i) + 0.05x_1(i)(m(i)-1) \\
 s(i) = x_1(i) \cdot m(i) \\
 \end{array} \right.
\end{equation}

\begin{equation}\label{eq:modmulfbrc}
\rm receiver\left\{ \begin{array}{l}
 \hat{x}_1(i + 1) = 1-\alpha (s(i)- \left\lfloor{\frac{s(i)+P}{2P}}\right\rfloor 2P)^2 + \hat{x}_2(i) \\
 \hat{x}_2(i + 1) =\beta \hat{x}_1(i)+0.05(s(i)-\hat{x}_1(i)) \\
 \hat{m}(i)=s(i)/\hat{x}_1(i)
 \end{array} \right.
\end{equation}

with $P=(1+\sqrt{6.6})/2.8$.

Although the authors seemed to base the security of their
cryptosystems on the chaotic behavior of the output of the Henon
non-linear dynamical system, no analysis of security was included.
It was not considered whether there should be a key in the
proposed system, what it should consist of, what the available key
space would be, what precision to use, and how the key would be
managed.

In the next section we discuss the weaknesses of this secure
communication system using the Henon attractor and make some
suggestions to improve its security.

\section{Attacks on the proposed system}
\label{sec:attack}

\subsection{The key space}

Although it is not explicitly stated in \cite{sdcudtcs}, it is
assumed that the key is formed by the two parameters of the map,
$\alpha$ and $\beta$. Thus, in \cite{sdcudtcs}, the key is fixed
to $k=\{\alpha,\beta\}=\{1.4,0.3\}$. However, in \cite{sdcudtcs}
there is no information given about what the key space is. The key
space is defined by all the possible valid keys. The size of the
key space $r$ is the number of encryption/decryption key pairs
that are available in the cipher system.

In this chaotic scheme the key space is nonlinear because not all
keys are equally strong. We say that a key is \emph{weak} or
\emph{degenerated} if it is easier to break a ciphertext encrypted
with this key than to break a ciphertext encrypted with another
key from the key space.

The study of the chaotic regions of the parameter space from which
valid keys, i.e., parameter values leading to chaotic behavior,
can be chosen is missing in \cite{sdcudtcs}. A possible way to
describe the key space might be in terms of positive Lyapunov
exponents. According to \cite[p. 196]{caitds}, let $\mathbf{f}$ be
a map of ${\mathbb{R}}^m$, $m\geq 1$, and
$\{{\mathbf{x}}_0,{\mathbf{x}}_1, {\mathbf{x}}_2,\dots\}$ be a
bounded orbit of $\mathbf{f}$. The orbit is chaotic if

\begin{enumerate}
    \item it is not asymptotically periodic,
    \item no Lyapunov exponent is exactly zero, and
    \item the largest Lyapunov exponent is positive.
\end{enumerate}

The largest Lyapunov exponent can be computed for different
combinations of the parameters. If it is positive, then the
combination can be used as a valid key. In Fig.~\ref{fig:lyap},
the chaotic region for the Henon attractor used in \cite{sdcudtcs}
has been plotted. This region corresponds to the key space. In
general, parameters chosen from the lower white region give rise
to periodic orbits, which are undesirable because the ciphertext
is easily predictable. Parameters chosen from the upper white
region give rise to unbounded orbits diverging to infinity, and
hence the system cannot work. Therefore, both regions should be
avoided to get suitable keys. Only keys within the black region
are good, and even within this region there exist periodic
windows, which are unsuitable for robust keys.

This type of irregular and often fractal chaotic region, shared by
most secure communication systems proposed in the literature, is
inadequate for cryptographic purposes because there is no easy way
to define its boundary. And if the boundary is not mathematically
and easily defined, then it is hard to find suitable keys within
the key space. This difficulty in defining the key space
discourages the use of the Henon map. Instead, complete chaoticity
for any parameter value should be preferred. Piecewise linear
(PWL) maps are a good choice because they behave chaotically for
any parameter value in the useful interval
\cite{spodplcmatricaprc}.

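The key-validity check described above can be sketched as follows. This is an added example, not code from the paper or from \cite{sdcudtcs}; the function names, the initial point $(0,0)$, the iteration counts and the divergence bound are assumptions made for the illustration.

```python
import math

def classify_key(alpha, beta, n=20000, transient=1000, bound=1e6):
    """Classify the candidate key {alpha, beta} of the Henon map.

    Returns (label, lam): label is "chaotic", "periodic" or "divergent",
    lam is the estimated largest Lyapunov exponent (None if divergent).
    """
    x1, x2 = 0.0, 0.0          # assumed initial point of the orbit
    v1, v2 = 1.0, 0.0          # tangent vector carried along the orbit
    log_sum = 0.0
    for i in range(transient + n):
        # Jacobian of the map at (x1, x2) is [[-2*alpha*x1, 1], [beta, 0]]
        w1 = -2.0 * alpha * x1 * v1 + v2
        w2 = beta * v1
        x1, x2 = 1.0 - alpha * x1 * x1 + x2, beta * x1
        if abs(x1) > bound:                 # unbounded orbit: unusable key
            return "divergent", None
        norm = math.hypot(w1, w2)
        if norm == 0.0:                     # superstable orbit
            return "periodic", float("-inf")
        v1, v2 = w1 / norm, w2 / norm       # renormalise to avoid overflow
        if i >= transient:
            log_sum += math.log(norm)       # accumulate local stretching
    lam = log_sum / n
    return ("chaotic" if lam > 0 else "periodic"), lam

def scan_alpha(beta, lo=100, hi=140):
    """Classify alpha = lo/100 .. hi/100 at fixed beta (resolution 0.01)."""
    return [(k / 100, classify_key(k / 100, beta)[0]) for k in range(lo, hi + 1)]

if __name__ == "__main__":
    print(classify_key(1.4, 0.3))   # the key fixed in the analysed scheme
    print(classify_key(1.0, 0.3))   # bounded but periodic orbit
    print(classify_key(2.0, 0.3))   # orbit escapes to infinity
    for alpha, label in scan_alpha(0.3):
        print(f"alpha = {alpha:.2f}  beta = 0.30  {label}")
```

Running the scan at a finer resolution shows periodic values of $\alpha$ interleaved with chaotic ones, which is the practical obstacle to enumerating valid keys.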
\subsection{Insensitivity to parameter mismatch}

Both communication systems, the one based on modulation by
multiplication and the one using modulation by multiplication and
feedback, can only have valid keys carefully chosen from the
chaotic region plotted in Fig.~\ref{fig:lyap} to avoid periodic
windows and divergence. Due to low sensitivity to parameter
mismatch, if the system key is fixed to
$k=\{\alpha,\beta\}=\{1.4,0.3\}$ as in \cite{sdcudtcs}, then any
key $k'$ chosen from the same key space will decrypt the
ciphertext into a message $m'$ with an error rate which is well
below 50\%. Fig.~\ref{fig:error} plots the bit error rate (BER)
when the ciphertext encrypted with
$k=\{\alpha,\beta\}=\{1.4,0.3\}$ is decrypted using keys $k'$ from
the valid key space at a distance $d$ from $k$. For this
experiment the Euclidean distance was chosen:

\begin{equation}\label{eq:d}
d=\sqrt{(\alpha-\alpha\,')^2+(\beta-\beta\,')^2}
\end{equation}

This insensitivity to parameter mismatch, due to the coupling
between transmitter and receiver, renders the system totally
insecure when the Henon map is used. A different map, more
sensitive to small differences in the parameter values, should be
used to guarantee security.

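The mismatch experiment can be reproduced for the first scheme, Eqs.~(\ref{eq:modmultr}) and (\ref{eq:modmulrc}), with the simulation below. It is an added example, not the code used for Fig.~\ref{fig:error}; the initial states, the message length, the transient and the candidate keys $k'$ are constructed for the illustration.

```python
import math
import random

KEY = (1.4, 0.3)   # k = {alpha, beta} fixed in the analysed scheme

def key_distance(alpha_r, beta_r, key=KEY):
    """Euclidean distance d between the receiver key k' and the real key k."""
    return math.hypot(key[0] - alpha_r, key[1] - beta_r)

def ber_with_key(alpha_r, beta_r, key=KEY, n_bits=20000, skip=100, seed=1):
    """Bit error rate when the receiver decrypts with k' = {alpha_r, beta_r}."""
    alpha, beta = key
    rng = random.Random(seed)          # constructed random message
    x1, x2 = 0.0, 0.0                  # transmitter state (assumed start)
    y1, y2 = 0.5, -0.2                 # receiver state, deliberately different
    errors = 0
    for i in range(skip + n_bits):
        m = rng.choice((-1, 1))
        s = x1 * m                                # s(i) = x1(i) m(i)
        m_hat = 1 if s * y1 > 0 else -1           # sign of s(i) / x1_hat(i)
        if i >= skip and m_hat != m:              # ignore the sync transient
            errors += 1
        # transmitter and receiver updates; the receiver is driven by s(i)
        x1, x2 = 1.0 - alpha * x1 * x1 + x2, beta * x1
        y1, y2 = 1.0 - alpha_r * s * s + y2, beta_r * y1
    return errors / n_bits

def mismatch_table(candidates):
    """(d, BER) for each candidate receiver key."""
    return [(round(key_distance(a, b), 4), ber_with_key(a, b))
            for a, b in candidates]

if __name__ == "__main__":
    # constructed wrong keys at increasing distance from k
    keys = [(1.4, 0.3), (1.401, 0.3), (1.41, 0.31), (1.3, 0.3)]
    for d, ber in mismatch_table(keys):
        print(f"d = {d:<7} BER = {ber:.4f}")
```

A receiver whose key is wrong in the second decimal place still recovers most of the bits, because the sign of $\hat{x}_1(i)$ differs from that of $x_1(i)$ only when $x_1(i)$ is close to zero.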
\subsection{Brute force attacks}

A brute force attack is the method of breaking a cipher by trying
every possible key. The quicker the brute force attack, the weaker
the cipher. Feasibility of brute force attacks depends on the key
space size $r$ of the cipher and on the amount of computational
power available to the attacker. Given today's computer speed, it
is generally agreed that a key space of size $r<2^{100}$ is
insecure.

However, this requirement might be very difficult to meet by this
cipher because the key space does not allow for such a large number
of different strong keys. For instance, Fig.~\ref{fig:lyap} was
created using a resolution of $10^{-3}$, i.e., there are
$1400\times 3000$ different points. To get a number of keys
$r>2^{100}\simeq 10^{30}$, the resolution should be $10^{-15}$.
However, with that resolution, thousands of keys would be
equivalent, unless there is a strong sensitivity to parameter
mismatch, which is usually lost by synchronization, even when
using a different chaotic map.

\subsection{Statistical analysis}

Fig.~\ref{fig:error}a shows that the error is upper bounded:
BER$\leq0.33$. This is a consequence of the fact that the orbit
followed by any initial point in the Henon attractor is not
uniformly distributed, because on average it spends two thirds of
the time above $x=0$. As a consequence, mixing the cleartext with
the output of a function whose probability density is not uniform
will result in a weak cryptosystem. In Fig.~\ref{fig:map} the
Henon attractor is plotted. It can be observed that the
distribution is far from flat because the orbit visits the region
$x>0$ more often. On average, two thirds of the iterates lie to
the right of $x=0$ (depicted as a dashed line). This fact allows
the attacker to guess on average two thirds of the encrypted bits,
even with no knowledge about the transmitter/receiver structure.

To get a balanced distribution, the threshold should be moved to
the right \cite{thaaakg}. Let $x_m$ denote the real value such
that

\begin{equation}\label{eq:media}
    P(x_i\leq x_m)=P(x_i>x_m)=0.5.
\end{equation}

A good estimate presented in \cite{thaaakg} is
$\hat{x}_m=0.39912$, depicted as a dotted line in
Fig.~\ref{fig:map}. However, this result is difficult to apply
given the way in which the Henon attractor is used by the
cryptosystem. Therefore, it is seen again that the Henon map is a
bad choice as a chaotic map for this communication scheme. A
different map with a balanced distribution, i.e., whose orbit
visits with equal frequency the regions above and below a certain
level $x=0$, should be chosen to prevent statistical attacks.

\subsection{Plaintext attacks}

In the previous sections we showed that the use of the Henon map
is not advisable because of its inability to define a good key
space, its low sensitivity to parameter mismatch, and its
nonuniformly distributed orbits. We show next that if a
different map is used, the security of the communication system
will not improve if the same key is used repeatedly for successive
encryptions.

According to \cite[p. 25]{ctap}, it is possible to differentiate
between different levels of attacks on cryptosystems. In a known
plaintext attack, the opponent possesses a string of plaintext,
$p$, and the corresponding ciphertext, $c$. In a chosen plaintext
attack, the opponent has obtained temporary access to the encryption
machinery, and hence he can choose a plaintext string, $p$, and
construct the corresponding ciphertext string, $c$.

The cipher under study behaves as a modified version of the
one-time pad \cite[p. 50]{ctap}. The one-time pad uses a randomly
generated key of the same length as the message. To encrypt a
message $m$, it is combined with the random key $k$ using the
exclusive-OR operation bitwise. Mathematically,

\begin{equation}\label{eq:pad}
c(i)=m(i)+k(i) \bmod 2,
\end{equation}

where $c$ represents the encrypted message or ciphertext. This
method of encryption is perfectly secure because the encrypted
message, formed by XORing the message and the random secret key,
is itself totally random. It is crucial to the security of the
one-time pad that the key be as long as the message and never
reused, thus preventing two different messages encrypted with the
same portion of the key from being intercepted or generated by an
attacker.

Eq.~(\ref{eq:modmultr}) and Eq.~(\ref{eq:modmulfbtr}) are used to
generate a keystream
$\{x_1(1)=k(1),x_1(2)=k(2),x_1(3)=k(3),\ldots\}$. This keystream
is used to encrypt the plaintext string according to the rule

\begin{equation}\label{eq:rule}
c(i)=k(i)\cdot m(i)
\end{equation}

Therefore, if the attacker possesses the plaintext $m(i)$ and its
corresponding ciphertext $c(i)$, he will be able to obtain $k(i)$.
If the same key, i.e. the same parameter values, is used to
encrypt any subsequent message in the future, it will generate an
identical chaotic orbit, which is already known. As a consequence,
when $c(i)$ and $k(i)$ are known in Eq.~(\ref{eq:rule}), $m(i)$ is
readily obtained by the attacker.

Obviously, when using this cryptosystem, regardless of the choice
of the chaotic map, the key can never be reused. A slight
improvement to partially enhance security even when the key is
reused consists of randomly setting the initial point of the
chaotic orbit at the transmitter end. Synchronization will
guarantee that the message is correctly decrypted by the
authorized receiver. However, an eavesdropper would have more
difficulty in using past chaotic orbits because they will diverge
due to sensitivity to initial conditions.

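The simulation below, an added example that is not part of the original analysis, covers both the statistical weakness of the previous subsection and the keystream reuse described here, for the first scheme of Eq.~(\ref{eq:modmultr}). The messages, the initial points, the transient length and all function names are constructed for the illustration.

```python
import random

ALPHA, BETA = 1.4, 0.3    # key fixed in the analysed scheme

def henon_keystream(n, x0=(0.0, 0.0), skip=100):
    """k(i) = x1(i) of the transmitter, after an assumed transient."""
    x1, x2 = x0
    ks = []
    for i in range(skip + n):
        if i >= skip:
            ks.append(x1)
        x1, x2 = 1.0 - ALPHA * x1 * x1 + x2, BETA * x1
    return ks

def encrypt(bits, ks):
    return [k * m for k, m in zip(ks, bits)]      # c(i) = k(i) m(i)

def sign(v):
    return 1 if v > 0 else -1

def accuracy(guess, bits):
    return sum(g == m for g, m in zip(guess, bits)) / len(bits)

def run_attacks(n=20000, seed=7):
    rng = random.Random(seed)                     # constructed messages
    msg1 = [rng.choice((-1, 1)) for _ in range(n)]
    msg2 = [rng.choice((-1, 1)) for _ in range(n)]
    ks = henon_keystream(n)
    c1 = encrypt(msg1, ks)        # first message
    c2 = encrypt(msg2, ks)        # second message, same key and initial point

    # Ciphertext only: guess m(i) = sign(c(i)), right whenever x1(i) > 0.
    sign_guess = accuracy([sign(c) for c in c2], msg2)

    # Known plaintext: k(i) = c(i)/m(i) = c(i) m(i) because m(i) = +-1.
    recovered = [c * m for c, m in zip(c1, msg1)]
    reused_key = accuracy([sign(c * k) for c, k in zip(c2, recovered)], msg2)

    # Countermeasure from the text: same key, different initial point.
    c3 = encrypt(msg2, henon_keystream(n, x0=(0.3, 0.1)))
    fresh_point = accuracy([sign(c * k) for c, k in zip(c3, recovered)], msg2)

    return {"sign_guess": sign_guess,
            "reused_key": reused_key,
            "fresh_initial_point": fresh_point}

if __name__ == "__main__":
    for name, value in run_attacks().items():
        print(f"{name:20s} fraction of bits recovered = {value:.3f}")
```

Changing the initial point removes the advantage of the recorded orbit, but the sign guess still recovers about two thirds of the bits, which is why the text calls the improvement partial.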
\section{Conclusions}
\label{sec:conclusion}

The proposed cryptosystem using the Henon map is rather weak,
since it can be broken without knowing its parameter values and
even without knowing the transmitter's precise structure. However,
the overall security might be greatly improved if a different
chaotic map with a higher number of parameters is used. The
inclusion of feedback makes it possible to use many different
systems with non symmetric nonlinearity as long as the whole space
is folded into a bounded domain to avoid divergence. However, to
rigorously present future improvements, it would be desirable to
explicitly mention what the key is, how the key space is
characterized, what precision to use, how to generate valid keys,
and also to perform a basic security analysis. For the present
work \cite{sdcudtcs}, the total lack of security discourages the
use of this algorithm as is for secure applications.

\ack{This work is supported by Ministerio de Ciencia y
Tecnolog\'{\i}a of Spain, research grant TIC2001-0586. Our thanks
to Moez Feki for his comments and source code.}

\begin{thebibliography}{10}

\bibitem{asocscs}
T.~Yang.
\newblock A survey of chaotic secure communication systems.
\newblock {\em Int. J. Comp. Cognition}, 2:81--130, 2004.

\bibitem{cc}
G.~\'{A}lvarez, F.~Montoya, M.~Romera, and G.~Pastor.
\newblock Chaotic cryptosystems.
\newblock In Larry~D. Sanson, editor, {\em 33rd Annual 1999 International
  Carnahan Conference on Security Technology}, pages 332--338. IEEE, 1999.

\bibitem{stusc}
K.~M. Short.
\newblock Steps toward unmasking secure communications.
\newblock {\em Int. J. Bifurc. Chaos}, 4:959--977, 1994.

\bibitem{cocborcr}
T.~Beth, D.~E. Lazic, and A.~Mathias.
\newblock Cryptanalysis of cryptosystems based on remote chaos replication.
\newblock In Yvo~G. Desmedt, editor, {\em Advances in Cryptology - CRYPTO '94},
  volume 839 of {\em Lecture Notes in Computer Science}, pages 318--331.
  Springer-Verlag, 1994.

\bibitem{emmbc}
G.~P\'{e}rez and H.~A. Cerdeira.
\newblock Extracting messages masked by chaos.
\newblock {\em Phys. Rev. Lett.}, 74:1970--1973, 1995.

\bibitem{uamccs}
K.~M. Short.
\newblock Unmasking a modulated chaotic communications scheme.
\newblock {\em Int. J. Bifurc. Chaos}, 6:367--375, 1996.

\bibitem{pwtcisea}
H.~Zhou and X.~Ling.
\newblock Problems with the chaotic inverse system encryption approach.
\newblock {\em IEEE Trans. Circuits Syst -- I}, 44:268--271, 1997.

\bibitem{bcsugse}
T.~Yang, L.~B. Yang, and C.~M. Yang.
\newblock Breaking chaotic switching using generalized synchronization:
  Examples.
\newblock {\em IEEE Trans. Circuits Syst -- I}, 45:1062--1067, 1998.

\bibitem{bcscuas}
T.~Yang, L.~B. Yang, and C.~M. Yang.
\newblock Breaking chaotic secure communications using a spectrogram.
\newblock {\em Phys. Lett. A}, 247:105--111, 1998.

\bibitem{ccscurm}
T.~Yang, L.~B. Yang, and C.~M. Yang.
\newblock Cryptanalyzing chaotic secure communications using return maps.
\newblock {\em Phys. Lett. A}, 245:495--510, 1998.

\bibitem{coaces}
G.~\'{A}lvarez, F.~Montoya, M.~Romera, and G.~Pastor.
\newblock Cryptanalysis of a chaotic encryption system.
\newblock {\em Phys. Lett. A}, 276:191--196, 2000.

\bibitem{coacscs}
G.~\'{A}lvarez, F.~Montoya, M.~Romera, and G.~Pastor.
\newblock Cryptanalysis of a chaotic secure communication system.
\newblock {\em Phys. Lett. A}, 306:200--205, 2003.

\bibitem{coaecc}
G.~\'{A}lvarez, F.~Montoya, M.~Romera, and G.~Pastor.
\newblock Cryptanalysis of an ergodic chaotic cipher.
\newblock {\em Phys. Lett. A}, 311:172--179, 2003.

\bibitem{otsoacespwccifcp}
S.~Li, X.~Mou, Y.~Cai, Z.~Ji, and J.~Zhang.
\newblock On the security of a chaotic encryption scheme: problems with
  computerized chaos in finite computing precision.
\newblock {\em Comp. Phys. Comm.}, 153:52--58, 2003.

\bibitem{coadccuek}
G.~\'{A}lvarez, F.~Montoya, M.~Romera, and G.~Pastor.
\newblock Cryptanalysis of a discrete chaotic cryptosystem using external key.
\newblock {\em Phys. Lett. A}, 319:334--339, 2003.

\bibitem{sdcudtcs}
Moez Feki, Bruno Robert, Guillaume Gelle, and Maxime Colas.
\newblock Secure digital communication using discrete-time chaos
  synchronization.
\newblock {\em Chaos, Solitons and Fractals}, 18:881--890, 2003.

\bibitem{caitds}
K.~Alligood, T.~Sauer, and J.~Yorke.
\newblock {\em Chaos -- An introduction to dynamical systems}.
\newblock Springer, 1997.

\bibitem{spodplcmatricaprc}
S.~Li, Q.~Li, W.~Li, X.~Mou, and Y.~Cai.
\newblock Statistical properties of digital piecewise linear chaotic maps and
  their roles in cryptography and pseudo-random coding.
\newblock In {\em Cryptography and Coding - 8th IMA International Conference
  Proceedings}, volume 2260 of {\em Lecture Notes in Computer Science}, pages
  205--221. Springer-Verlag, 2001.

\bibitem{thaaakg}
R.~Forr\'{e}.
\newblock The henon attractor as a keystream generator.
\newblock In {\em Advances in Cryptology -- EuroCrypt'91}, volume 0547 of {\em
  Lecture Notes in Computer Science}, pages 76--81. Springer-Verlag, 1991.

\bibitem{ctap}
D.~R. Stinson.
\newblock {\em Cryptography: theory and practice}.
\newblock CRC Press, 1995.

\end{thebibliography}


\clearpage \pagestyle{empty}

\section*{Figures}

\begin{figure}[h]
\centering \includegraphics{figure1} \caption{\label{fig:lyap}Chaotic
region for the Henon attractor.}
\end{figure}

\clearpage

\begin{figure}[h]
\centering \includegraphics{figure2} \caption{\label{fig:error}BER
when decrypting the ciphertext with a key at a distance $d$ from
the real encryption key, $k=\{\alpha,\beta\}=\{1.4,0.3\}$: (a)
modulation by multiplication; (b) modulation by multiplication and
feedback. Note the difference in scale.}
\end{figure}

\clearpage

\begin{figure}[h]
\centering \includegraphics{figure3} \caption{\label{fig:map}100,000
successive points obtained by iteration of the Henon map for
$\{\alpha,\beta\}=\{1.4,0.3\}$.}
\end{figure}

\end{document}