1: \documentclass{elsart}
2: \usepackage{amsfonts}
3: \usepackage{amssymb}
4: \usepackage{amsmath}
5: \usepackage{graphicx,color,psfrag}
6: \usepackage{url}
7:
8: \definecolor{dgreen}{rgb}{0,.6,0}
9: \newcommand\hookleeb[1]{\textcolor{blue}{#1}}% my comments
10: \newcommand\hookleer[1]{\textcolor{red}{#1}} % your original texts commented by me
11: \newcommand\hookleeg[1]{\textcolor{dgreen}{#1}} % added or modified texts
12:
13: \usepackage[normalem]{ulem}
14:
15: \begin{document}
16:
17: \begin{frontmatter}
18:
19: \title{Breaking an encryption scheme based on chaotic Baker map}
20:
21: \author[Spain]{Gonzalo Alvarez\corauthref{corr}} and
22: \author[China]{Shujun Li}
23: \address[Spain]{Instituto de F\'{\i}sica Aplicada, Consejo Superior de
24: Investigaciones Cient\'{\i}ficas, Serrano 144---28006 Madrid,
25: Spain}
26: \address[China]{Department of Electronic and Information Engineering,
27: The Hong Kong Polytechnic University, Hung Hom, Kowloon, Hong Kong
28: SAR, China} \corauth[corr]{The corresponding author, email
29: address: gonzalo@iec.csic.es.}
30:
31: \begin{abstract}
32: In recent years, a growing number of cryptosystems based on chaos
33: have been proposed, many of them fundamentally flawed by a lack of
34: robustness and security. This paper describes the security
35: weaknesses of a recently proposed cryptographic algorithm with
36: chaos at the physical level. It is shown that the security is
37: trivially compromised for practical implementations of the
38: cryptosystem with finite computing precision and for the use of
39: the iteration number $n$ as the secret key. Some possible
40: countermeasures to enhance the security of the chaos-based
41: cryptographic algorithm are also discussed.
42:
43: \begin{keyword}
44: Chaotic cryptosystems, Baker map, Cryptanalysis, Finite precision
45: computing
46:
47: \PACS 05.45.Ac, 47.20.Ky.
48: \end{keyword}
49:
50: \end{abstract}
51:
52: \end{frontmatter}
53:
54: \section{Introduction}
55:
56: In a world where digital communications are becoming ever more
57: prevalent, there are still services working in analog form. Some
58: examples of analog communications systems widely used today
59: include voice communications over telephone lines, TV and radio
60: broadcasting and radio communications (see
61: Table~\ref{tab:analog}). Although most of these services are also
62: being gradually replaced by their digital counterparts, they will
remain with us for a long time. The need to protect the
confidentiality of the information transmitted by these means
often arises. Thus, there is a growing demand for technologies and
methods to encrypt the information so that it is only available in
intelligible form to the authorized users.
68:
69: In a recent paper \cite{machado04}, a secure communication system
70: based on the chaotic Baker map was presented, which is a scheme
71: that encrypts wave signals. First, the analog signal limited in
72: the bandwidth $W$ is sampled at a frequency $f\geq 2W$ to avoid
73: aliasing. At the end of the sampling process, the signal is
74: converted to a sequence
75: $s^0=\left\{s_1^0,s_2^0,\dots,s_l^0\right\}$ of real values. Next,
76: the signal is quantized: the amplitude of the signal is divided
77: into $N$ subintervals and every interval is assigned a real
78: amplitude value $q_k$, $k=1,\dots,N$, its middle point for
79: example. Thus, a new sequence is generated by replacing each
80: $s_i^0$ by the $q_k$ associated to the subinterval it belongs to:
81: $y^0=\left\{y_1^0,y_2^0,\dots,y_l^0\right\}$, where each $y_i^0$
82: takes its value from the set $\left\{q_1,\dots,q_N\right\}$. Once
83: the original wave signal is sampled and quantized, and restricted
84: to the unit interval, a chaotic encryption signal
85: $\left\{x_i^0\right\}_{i=1}^l$, $0<x_i^0<1$, is used to generate
86: the ciphertext. This signal is obtained by either sampling a
87: chaotic one or by a chaotic mapping. For the purposes of our
88: analysis, the process to generate the chaotic signal is irrelevant
89: since our results apply equally to any signal. Finally, an ordered
90: pair $\left(x_i^0,y_i^0\right)$ is constructed, localizing a point
91: in the unit square. In order to encrypt $y_i^0$, the Baker map is
92: applied $n$ times to the point $\left(x_i^0,y_i^0\right)$ to
93: obtain:
94: \begin{equation}\label{BakerMap}
95: \left(x_i^n,y_i^n\right)=\left(2x_i^{n-1} \bmod
96: 1,0.5\left(y_i^{n-1}+\left\lfloor
97: 2x_i^{n-1}\right\rfloor\right)\right).
98: \end{equation}
99: The encrypted signal is given by $y_i^n$, where $n$ is considered as
100: the secret key of the cryptosystem. As a result, a plaintext signal
101: with values $y_i^0 \in \{q_1,\dots,q_N\}$, is encrypted into a
signal which can take $2^nN$ different values. For a more complete
explanation of this cryptosystem, a thorough reading of
\cite{machado04} is highly recommended.
105:
106: In the following two sections, the security defects caused by the
107: Baker map realized in finite precision are discussed, and then the
108: fact that the secret key $n$ can be directly deduced from the
109: ciphertext is pointed out. After the cryptanalysis results, which
110: constitute the main focus of our paper, some countermeasures are
111: discussed on how to improve the security of the chaotic
112: cryptosystem. The last section concludes the paper.
113:
114: \section{Convergence to zero of the digital Baker map}
115:
116: The proposed cryptosystem uses the Baker map as a mixing function.
117: The Baker map is an idealized one in the sense that it can only be
118: implemented with finite precision in digital computers and, as a
119: consequence, in this case it has a stable attractor at $(0,0)$.
120: This is easy to see when the value of $x$ is represented in binary
121: form with $L$ significant bits. Assuming $x^0=0.b_1b_2\cdots
122: b_j\cdots b_{L-1}b_L$ ($b_j\in\{0,1\}$), the Baker map runs as
123: follows:
124: \begin{equation}
125: x^1=2x^0\bmod 1=x^0\ll1=0.b_2b_3\cdots b_j\cdots
126: b_{L-1}b_L0,\label{equation:BakerMap}
127: \end{equation}
where $\ll$ denotes the left bit-shifting operation. Clearly,
the most significant bit $b_1$ is dropped during the current
iteration. As a result, after $m\geq L$ iterations, $x^m\equiv0$.
131: Once $x^m\equiv0$, it is obvious that $y^j$ will exponentially
132: converge to zero within a finite number of iterations, i.e., the
133: digital Baker map will eventually converge to the stable
134: attractive point at $(0,0)$, as shown in Fig.~\ref{fig:map}. It is
135: important to note that this result does not depend on the real
136: number representation method, on the precision, or on the
137: rounding-off algorithm used, since the quantization errors induced
138: in Eq. (\ref{equation:BakerMap}) are always zeros in any case.
139:
140: Considering that in today's digital computers real values are
141: generally stored following the IEEE floating-point standard
142: \cite{IEEEStandard754:Floating-Point}, let us see what will happen
143: when the chaotic iterations run with 64-bit double-precision
144: floating-point numbers. Following the IEEE floating-point
145: standard, most 64-bit double-precision numbers are stored in a
146: normalized form as follows:
147: \begin{equation}
148: (-1)^{b_{63}}\times(1.b_{51}\cdots b_0)_2\times 2^{(b_{62}\cdots
149: b_{52})_2-1023}, \label{equation:Normalized}
150: \end{equation}
151: where $b_i$ represent the number bits, $(\cdot)_2$ means a binary
152: number and the first mantissa bit occurring before the radix dot
153: is always assumed to be 1 (except for a special value, zero) and
154: not explicitly stored in $b_{63}\cdots b_0$. When $x^0\in(0,1)$,
155: assume it is represented in the following format:
156: \begin{equation}
157: (1.b_{51}\cdots b_{i+1}1\overbrace{0\cdots 0}^i)_2\times
158: 2^{-e}=(0.\overbrace{0\cdots 0}^{e-1}\overbrace{1b_{51}\cdots
159: b_{i+1}1}^{53-i})_2,
160: \end{equation}
where $1\leq e\leq 1022$. It is easy to deduce that
$L=(e-1)+(53-i)=e+(52-i)$. Since $0\leq i\leq 52$, $L\leq
1022+52=1074$. When $x^0$ is generated uniformly with the standard
164: C \texttt{rand()} function in the space of all valid
165: double-precision floating-point numbers, both $e$ and $i$ will
166: approximately satisfy an exponentially decreasing distribution,
167: and then it can be easily proved that the mathematical expectation
168: of $L$ is about 53 \cite{LiShujun:DigitalChaos2004}.
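
The bit-counting argument above can be checked directly on IEEE-754 doubles. The following Python sketch is an added example, not code from this paper or from \cite{machado04}: it predicts $L=e+(52-i)$ from the stored fields of $x^0$ and compares it with the number of iterations after which $2x \bmod 1$ actually reaches zero. The function names and the use of Python's \texttt{random.random()} as the source of $x^0$ are assumptions.

```python
import math
import random


def predicted_L(x):
    """L = e + (52 - i) for a normalized double x in (0, 1)."""
    if not (2.0 ** -1022 <= x < 1.0):
        raise ValueError("x must be a normalized double in (0, 1)")
    frac, exp2 = math.frexp(x)           # x = frac * 2**exp2 with 0.5 <= frac < 1
    e = 1 - exp2                         # x = (1.b51...b0)_2 * 2**(-e)
    significand = int(frac * 2 ** 53)    # exact 53-bit integer, leading bit set
    i = (significand & -significand).bit_length() - 1   # trailing zero bits
    return e + (52 - i)


def baker_step(x, y):
    """One iteration of the Baker map in double precision."""
    bit = 1.0 if 2.0 * x >= 1.0 else 0.0     # floor(2x) for x in [0, 1)
    return 2.0 * x - bit, 0.5 * (y + bit)


def steps_to_origin(x0, y0, limit=5000):
    """Return (m, t): x first equals 0 after m steps, (x, y) = (0, 0) after t."""
    x, y, m = x0, y0, None
    for t in range(1, limit + 1):
        x, y = baker_step(x, y)
        if x == 0.0 and m is None:
            m = t
        if x == 0.0 and y == 0.0:
            return m, t
    raise RuntimeError("orbit did not reach (0, 0) within the limit")


def mean_L(samples, seed=1):
    """Average L over x0 drawn with random.random() (assumed generator).

    random.random() returns multiples of 2**-53, so L <= 53 for every draw.
    """
    rng = random.Random(seed)
    total = 0
    for _ in range(samples):
        x = rng.random()
        while x == 0.0:
            x = rng.random()
        total += predicted_L(x)
    return total / samples


if __name__ == "__main__":
    x0, y0 = 0.1, 0.25                   # constructed sample point
    m, t = steps_to_origin(x0, y0)
    print("predicted L:", predicted_L(x0))
    print("x reached 0 after", m, "iterations; (x, y) = (0, 0) after", t)
    print("mean L over 2000 draws:", mean_L(2000))
```

Once $x$ has collapsed, every further iteration only halves $y$, which is why the second count is larger than $L$ but still finite.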
169:
170: This means that the value of the secret key $n$ must not be
171: greater than 53. In other words, it is expected that each
172: plaintext sample $y_i^0$ cannot be correctly decrypted when $n$ is
173: greater than 53 (or even smaller but close to 53), since the
174: counter-iterating process is unable to get $x_i^0$ from $x_i^n=0$
175: due to the loss of precision during the forward iterations.
176: Figure~\ref{fig:ber} plots the recovery error obtained for
177: different values of the secret key $n$ when a 100-sample
ciphertext is decrypted. The plaintext is correctly recovered
only when $n\leq 45$. For $n\geq 52$, the
system does not work at all. As a consequence, only 45 secret
keys have to be tried to break a ciphertext encrypted with this
cryptosystem. This takes a modern desktop computer less than a
second for moderate lengths of the plaintext. This attack is
called a brute force attack, which breaks a cipher by trying every
185: possible key. The feasibility of a brute force attack depends on
186: the size of the cipher's key space and on the amount of
187: computational power available to the attacker. With today's
188: computer technology, it is generally agreed in the cryptography
189: community that a size of the key space $K<2^{100}\approx 10^{30}$
190: is insecure \cite{ctap}. Compare this figure with the key space
191: $K=45$ of the cipher under study.
192:
If the value of $n$ could be arbitrarily enlarged, then the
encryption process would slow down until it became unusable in
practice. Thus, from any point of view, this is an impractical
196: encryption method because it is either totally insecure or
197: infinitely slow, without any reasonable tradeoff possible. In
198: \cite{machado04} it is said that the encryption is applied to the
199: wave signal instead of the symbolic sequence. Therefore, in
200: Table~\ref{tab:analog} a review of some widely used multimedia
201: communications systems with their bandwidth and sampling
202: frequencies is given. These are the kind of signals that might be
203: encrypted by the system proposed in \cite{machado04}. Consider for
204: example TV broadcasting, which transmits 12,000,000 samples per
205: second. It is impossible to iterate the Baker map billions of
206: times for 12,000,000 samples in one second with average computing
207: power.
208:
209: Finally, another physical limitation of the cryptosystem is that
210: when $n$ is very large, each encrypted sample $y_i^n$ would
require a vast number of bits to be transmitted, which would
212: require in turn a transmission channel with infinite capacity,
213: meaning that the system cannot work in practice.
214:
215: \section{Determinism of the ciphertext}
216:
217: Even assuming that the messages are encrypted with an imaginary
218: computer with infinite precision and infinite speed, using an
219: infinite-bandwidth channel, and an idealized version of the Baker
220: map, the cryptosystem would be broken as well because the secret
221: key $n$ can still be derived from only one amplitude value of the
222: ciphertext. To begin with, let us assume that two quantization
223: levels are used, that is, $N=2$. During the encryption process a
224: binary tree is generated in the following way:
225: \begin{equation}\label{Eq:tree}
226: y_i^0=\left\{\begin{array}{l}
227: 0.25\;(0.01)_2\rightarrow y_i^1=\left\{ \begin{array}{l}
228: 0.125\;(0.001)_2 \rightarrow y_i^2=\left\{ \begin{array}{l}
229: 0.0625\;(0.0001)_2\\
230: 0.5625\;(0.1001)_2 \\
231: \end{array} \right. \\
232: 0.625\;(0.101)_2\rightarrow y_i^2=\left\{ \begin{array}{l}
233: 0.3125\;(0.0101)_2\\
234: 0.8125\;(0.1101)_2 \\
235: \end{array} \right. \\
236: \end{array} \right. \\
237: 0.75\;(0.11)_2\rightarrow y_i^1=\left\{ \begin{array}{l}
238: 0.375\;(0.011)_2\rightarrow y_i^2=\left\{ \begin{array}{l}
239: 0.1875\;(0.0011)_2 \\
240: 0.6875\;(0.1011)_2 \\
241: \end{array} \right. \\
242: 0.875\;(0.111)_2\rightarrow y_i^2=\left\{ \begin{array}{l}
243: 0.4375\;(0.0111)_2 \\
244: 0.9375\;(0.1111)_2 \\
245: \end{array} \right. \\
246: \end{array} \right. \\
247: \end{array} \right.,
248: \end{equation}
249: where $(\cdot)_2$ following the decimal number denotes its binary
250: format. The fact that the ciphertext uses $2^nN$ discrete
251: amplitudes constitutes its weakest point. It is possible to
252: directly get the value of $n$ with only one known amplitude. In
253: Eq.~(\ref{Eq:tree}), it is obvious that $y_i^n$ is always one
254: value in the set
255: \begin{equation}\label{eq:set}
256: \left\{\dfrac{2j+1}{2^{n+2}}\right\}_{j=0}^{j=2^{n+1}-1}=\left\{\dfrac{1}{2^{n+2}},\cdots,
257: \dfrac{2^{n+2}-1}{2^{n+2}}\right\}.
258: \end{equation}
259: As mentioned above, in the case that the real values are stored in
260: the IEEE-standard floating-point format
261: \cite{IEEEStandard754:Floating-Point}, any amplitude value $y_i^n$
262: will be represented in the following form:
263: \begin{equation}
264: y_i^n=+1.b_1b_2\cdots b_l\times 2^{-e}=0.\overbrace{0\cdots
265: 0}^{e-1}1b_1b_2\cdots b_l,
266: \end{equation}
267: where $b_l=1$. From Eq.~(\ref{eq:set}), one can see that
268: $l+e=n+2$. Therefore, we can directly derive $n=(l+e)-2$, by
269: checking which bit is the least significant bit (i.e., the least
270: significant 1-bit) in all bits of $y_i^n$.
271:
272: A more intuitive way to compute $n$ from a single amplitude value,
273: $y_i^n$, consists of two steps: i) represent this amplitude value
274: in fixed-point binary form; ii) count the bits in the fixed-point
275: format of $y_i^n$ to determine the value of an integer $B$, which
276: is the number of bits after the radix dot and before the least
277: significant bit, i.e., $y_i^n=0.\underbrace{\overbrace{0\cdots
278: 0}^{e-1}1b_1b_2\cdots b_l}_{B=l+e}0\cdots 0$. Obviously, $n =
279: B-2$. Similarly, for other values of $N=2^v$, one can easily
280: deduce that $n=(l+e)-(v+1)=B-(v+1)$; and for $N\neq 2^v$, the
281: value of $n$ can still be derived easily, but the calculation
282: algorithm depends on how the binary tree shown in
283: Eq.~(\ref{Eq:tree}) is re-designed.
284:
285: Although in \cite{machado04} it is hinted that the value of $n$
286: could be changed dynamically based on some information of the
287: encrypted trajectory, this idea would not further increase the
288: security of the cryptosystem as long as $2^nN$ different
289: amplitudes are still possible for each different $n$ value. This
290: means that the ciphertext value $y_i^{n_i}$, whatever $n_i$, can
291: only take values from the finite set defined in Eq.~(\ref{eq:set})
292: for the given $n_i$. Hence, for each $y_i^{n_i}$ the value of
293: $n_i$ can be computed as described above and the security is again
294: compromised.
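
The two preceding paragraphs (recovering $n$ from one amplitude, and the per-sample key $n_i$) can be reproduced with exact rational arithmetic, which plays the role of the ideal infinite-precision computer. The following Python sketch is an added example, not code from this paper or from \cite{machado04}; the function names, the midpoint quantizer with $N=2^v$ equal subintervals, and the choice of rational $x_i^0$ values are assumptions.

```python
from fractions import Fraction
import random


def baker_step(x, y):
    """One Baker map iteration; works for Fraction (exact) or float inputs."""
    bit = 1 if 2 * x >= 1 else 0             # floor(2x) for x in [0, 1)
    return 2 * x - bit, (y + bit) / 2


def encrypt(x0, y0, n):
    """Apply the Baker map n times to (x0, y0) and return the ciphertext y^n."""
    x, y = x0, y0
    for _ in range(n):
        x, y = baker_step(x, y)
    return y


def quantization_levels(v):
    """Midpoints of N = 2**v equal subintervals of (0, 1) (assumed quantizer)."""
    N = 2 ** v
    return [Fraction(2 * k + 1, 2 * N) for k in range(N)]


def recover_n(y, v=1):
    """Derive n from a single ciphertext amplitude: n = B - (v + 1).

    B is the position of the least significant 1-bit after the radix point,
    i.e. log2 of the denominator of y written in lowest terms.
    """
    den = Fraction(y).denominator            # exact for floats as well
    if den & (den - 1):
        raise ValueError("amplitude is not a dyadic rational")
    B = den.bit_length() - 1
    n = B - (v + 1)
    if n < 0:
        raise ValueError("amplitude has fewer bits than a plaintext level")
    return n


def recover_dynamic_keys(keys, v=1, seed=7):
    """Encrypt one constructed sample per key n_i and return the recovered n_i."""
    rng = random.Random(seed)
    P = 2 ** 127 - 1                          # odd denominator: x never reaches 0
    levels = quantization_levels(v)
    recovered = []
    for n_i in keys:
        x0 = Fraction(rng.randrange(1, P), P)
        y0 = rng.choice(levels)
        recovered.append(recover_n(encrypt(x0, y0, n_i), v))
    return recovered


if __name__ == "__main__":
    keys = [3, 45, 7, 500, 12]                # constructed per-sample keys n_i
    print("used     :", keys)
    print("recovered:", recover_dynamic_keys(keys))
    print("leaf 0.5625 of the tree gives n =", recover_n(0.5625))
```

The encryption signal $x_i^0$ is never consulted by the recovery step, which matches the statement that the generation process of the chaotic signal is irrelevant to the analysis.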
295:
\section{Some possible countermeasures to enhance the cryptosystem}
297:
298: There are many ways to improve the security of the attacked
299: cryptosystem. This section introduces three possible ones:
300: changing the key, changing the 2-D chaotic map, and masking the
301: ciphertext with a secret signal. Note that only the basic ideas
302: are given, and the concrete designs and detailed security analysis
303: are omitted because this is not the main focus of our paper.
304:
305: \subsection{Changing the key}
306:
In addition to the security defects discussed above, using $n$ as
the secret key leads to an obvious paradox: from the point of view
of security, $n$ should be as large as possible, while from the
point of view of encryption speed, $n$ should be as small as
possible. Clearly, $n$ is not a good option as the secret key.
313:
314: Instead of using $n$, better candidates for the secret key must be
315: chosen, such as the control parameter of the 2-D chaotic map and
316: the generation parameter of the encryption signal $x$. If the
317: former is chosen, the Baker map has to be modified to introduce
318: some secret control parameters, as described in the following
319: section.
320:
321: \subsection{Changing the 2-D chaotic map}
322:
As shown above, the multiplication factor 2 in the original Baker
map is the essential reason for its convergence to $(0,0)$ in the
digital domain, so either the Baker map has to be modified to avoid
this problem, or another 2-D chaotic map without this problem has
to be used.
328:
A possible way is to generalize the original Baker map to a
discretized version over an $M\times N$ lattice of the unit plane.
331: For example, when $M=N=2$, the lattice is composed of the
332: following four points: $(0.125,0.125)$, $(0.125,0.725)$,
333: $(0.725,0.125)$ and $(0.725,0.725)$. A typical example of Baker
334: map discretized in this way can be found in
335: \cite{Fridrich:IJBC98}, reproduced next for convenience.
336:
337: First, the standard Baker map is generalized by dividing the unit
338: square into $k$ vertical rectangles, $[F_{i-1},F_i)\times [0,1)$,
339: $i=1,\dots,k$, $F_i=p_1+p_2+\dots+p_i$, $F_0=0$, such that
340: $p_1+\dots+p_k=1$. The lower right corner of the $i$th rectangle
341: is located at $F_i=p_1+\dots+p_i$. Formally the generalized map is
342: defined by:
343: \begin{equation}\label{GeneralizedBaker}
344: B_c(x,y)=\left(\frac{1}{p_i}(x-F_i),p_iy+F_i\right),
345: \end{equation}
346: for $(x,y)\in[F_i,F_i+p_i)\times[0,1)$.
347:
The next step consists of discretizing the generalized map. If one
divides an $N\times N$ square into vertical rectangles $N$
pixels high and $N_i$ pixels wide, then the discretized Baker map
can be expressed as follows:
352: \begin{equation}\label{DiscretizedBaker}
353: B_d(r,s)=\left(\frac{N}{n_i}(r-N_i)+\left(s\bmod\frac{N}{n_i}\right),\frac{n_i}{N}\left(s-\left(s\bmod\frac{N}{n_i}\right)\right)+N_i\right),
354: \end{equation}
where the pixel $(r,s)$ satisfies $N_i\leq r<N_i+n_i$, $0\leq s<N$.
356: The sequence of $k$ integers, $n_1,n_2,\dots,n_k$, is chosen such
357: that each integer $n_i$ divides $N$, and $N_i=n_1+n_2+\dots+n_k$.
358: The formula can be extended for $M\times N$ rectangles (see
359: \cite{Fridrich:IJBC98}).
360:
With such a discretization, the undesirable convergence to zero can
be removed. However, another negative digital effect, the
recurrence of the orbit, arises in this case, since any orbit will
eventually become periodic within $MN$ iterations. This means that
the security defect caused by the small key space is not
essentially improved. Thus, the discretized Baker map must be used
together with a key that consists of its discretization parameters.
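
The recurrence of the discretized map can be observed by enumerating its orbits on a small grid. The following Python sketch is an added example, not code from this paper or from \cite{Fridrich:IJBC98}; it assumes that $N_i$ denotes the left edge of the $i$th strip (the sum of the widths of the strips before it), which is the reading under which the strips $N_i\leq r<N_i+n_i$ tile the square, and the function names and grid sizes are constructed for illustration.

```python
def check_key(widths, N):
    """The key (n_1, ..., n_k) must sum to N and every n_i must divide N."""
    if sum(widths) != N or any(n <= 0 or N % n for n in widths):
        raise ValueError("widths must be positive divisors of N summing to N")


def discretized_baker(r, s, widths, N):
    """B_d(r, s) on an N x N grid for the strip widths (n_1, ..., n_k)."""
    left = 0                                  # N_i: left edge of strip i (assumed)
    for n_i in widths:
        if left <= r < left + n_i:
            q = N // n_i
            return q * (r - left) + s % q, (s - s % q) // q + left
        left += n_i
    raise ValueError("pixel outside the grid")


def cycle_lengths(widths, N):
    """Decompose the map into cycles and return their lengths, sorted.

    Raises if some orbit does not return to its starting pixel, i.e. if the
    map were not a permutation of the N*N pixels.
    """
    check_key(widths, N)
    seen, lengths = set(), []
    for r in range(N):
        for s in range(N):
            if (r, s) in seen:
                continue
            p, length = (r, s), 0
            while p not in seen:
                seen.add(p)
                p = discretized_baker(p[0], p[1], widths, N)
                length += 1
            if p != (r, s):
                raise AssertionError("map is not a permutation")
            lengths.append(length)
    return sorted(lengths)


if __name__ == "__main__":
    N = 8
    for widths in [(4, 4), (2, 4, 2), (1, 1, 2, 4)]:   # constructed keys
        lengths = cycle_lengths(widths, N)
        print(widths, "-> longest orbit", lengths[-1], "of", N * N, "pixels")
```

Every orbit closes after at most $N^2$ iterations because the map only permutes the $N^2$ pixels, so the iteration count cannot serve as a large key space here either.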
368:
369: Another way is to use entirely different 2-D chaotic maps with one
370: or more adjustable parameters, which can be used as the secret key
371: instead of $n$.
372:
373: \subsection{Masking the ciphertext with a secret pseudo-random signal}
374:
An easy way to enhance the security of the cryptosystem is to mask
the ciphertext with a \textit{secret} pseudo-random signal, which
can efficiently eliminate the possibility of deriving the estimated
value of $n$ from one amplitude of the ciphertext. The secret
masking sequence can be the chaotic encryption signal $\{x_i^0\}$,
and the parameters controlling the generation process of
$\{x_i^0\}$ should be added as part of the secret key. In this
case, the ciphertext is changed from $\{y_i^n\}$ into
$\{y_i^n+x_i^0\}$. Note that the masking can be considered as a
stream cipher added to the original system. This is a common
technique to achieve stronger ciphers \cite{LiShujun:PLA2003}.
386:
387: \section{Conclusions}
388: \label{sec:conclusion}
389:
390: In summary, the new cryptosystem proposed in \cite{machado04} can
391: be broken due to the limitation of computers to represent real
392: numbers. Even if an ideal computer with infinite precision were
393: used to encrypt the messages, the cipher can still be broken due
394: to the fact that the number and value of possible amplitude values
395: in the ciphertext depend directly on the secret key $n$.
396: Furthermore, for the cryptosystem to work with large values of
397: $n$, an ideal computer with infinite computing speed, infinite
398: storage capacity, and infinite transmission speed would be
399: required. As a consequence, we consider that this cryptosystem
400: should not be used in secure applications. Some possible
401: countermeasures are also discussed on how to improve the security
402: of the cryptosystem under study. An important conclusion of our
403: work is that an idealized map cannot be used in a practical
404: implementation of a chaos-based cipher.
405:
406: \ack{This work is supported by Ministerio de Ciencia y
407: Tecnolog\'{\i}a of Spain, research grant TIC2001-0586 and
408: SEG2004-02418. We also thank the anonymous reviewers for their
409: valuable suggestions.}
410:
411: \begin{thebibliography}{1}
412:
413: \bibitem{machado04}
414: R.~F. Machado, M.~S. Baptista, and C.~Grebogi.
415: \newblock Cryptography with chaos at the physical level.
416: \newblock {\em Chaos, Solitons and Fractals}, 21(5):1265--1269, 2004.
417:
418: \bibitem{IEEEStandard754:Floating-Point}
419: IEEE~Computer Society.
420: \newblock {IEEE} standard for binary floating-point arithmetic.
421: \newblock ANSI/IEEE Std. 754-1985, August 1985.
422:
423: \bibitem{LiShujun:DigitalChaos2004}
424: S. Li.
425: \newblock When chaos meets computers.
426: \newblock arXiv:nlin.CD/0405038, available online at
427: \url{http://arxiv.org/abs/nlin/0405038}, May 2004.
428:
429: \bibitem{ctap}
430: D.~R. Stinson.
431: \newblock {\em Cryptography: Theory and Practice}.
432: \newblock CRC Press, 1995.
433:
434: \bibitem{Fridrich:IJBC98}
435: J.~Fridrich.
436: \newblock Symmetric ciphers based on two-dimensional chaotic maps.
437: \newblock {\em Int. J. Bifurcation and Chaos}, 8(6):1259--1284, 1998.
438:
439: \bibitem{LiShujun:PLA2003}
440: S.~Li, X.~Mou, Z.~Ji, J.~Zhang, and Y.~Cai.
441: \newblock Performance analysis of {Jakimoski-Kocarev} attack on a class of
442: chaotic cryptosystems.
443: \newblock {\em Physics Letters A}, 307(1):22--28, 2003.
444:
445: \end{thebibliography}
446:
447: \clearpage \pagestyle{empty}
448:
449: \section*{Tables}
450:
451: \begin{table}[h]
452: \centering
453: \caption{Multimedia communication systems and their bandwidth.}
454: \label{tab:analog}
455: \begin{tabular}{lrr}
456: \hline
Communication system & Bandwidth (kHz) & Sampling frequency (ksamples/s) \\
458: \hline
459: Voice over telephone & 3.3 & 8 \\
460: Radio communications & 3.3 & 8 \\
461: Radio Broadcast (AM) & 5 & 10 \\
462: Radio Broadcast (FM) & 15 & 30 \\
463: TV & 5500 & 12000 \\
464: \hline
465: \end{tabular}
466: \end{table}
467:
468: \clearpage
469:
470: \section*{Figures}
471:
472: \begin{figure}[h]
\centering
474: \includegraphics[width=\textwidth]{fig1}
475: \caption{\label{fig:map}Orbits followed by $x$ and $y$ in a
476: practical implementation of the Baker map. As can be observed,
477: $(0,0)$ constitutes a fixed point. The number of iterations
478: required to converge to the origin depends on the precision used,
479: but is always finite in a computer.}
480: \end{figure}
481:
482:
483: \begin{figure}[h]
\centering
485: \psfrag{Error}{Error}\psfrag{n}{$n$}\includegraphics[width=\textwidth]{fig2}
486: \caption{\label{fig:ber}Number of errors when decrypting a
487: 100-sample signal for different values of the secret key $n$ using
488: double-precision floating-point arithmetic.}
489: \end{figure}
490:
491: \end{document}
492: