1: \documentclass{article}

2: 

3: \usepackage{amsmath,amssymb,bm}

4: \usepackage{url}

5: \usepackage{wasysym}

6: 

7: \usepackage[a4paper,left=2.1cm,right=2.1cm,top=2.2cm,bottom=2.2cm]{geometry}

8: 

9: \usepackage{natbib}

10: \bibpunct{[}{]}{;}{a}{,}{,}

11: 

12: \usepackage{graphicx,color,overpic,psfrag}

13: \graphicspath{{Figures/}}

14: \newlength\figwidth

15: \setlength\figwidth{0.49\textwidth}

16: 

17: \newtheorem{theorem}{Theorem}

18: \newenvironment{proof}{\noindent\textit{Proof}: }{\hfill$\blacksquare$\vskip 0.5\baselineskip}

19: 

20: %\usepackage{endfloat}

21: 

22: \begin{document}

23: 

24: \title{Return-Map Cryptanalysis Revisited%

25: \thanks{%

26: This paper has been published in \textit{International Journal of

27: Bifurcation and Chaos}, vol. 16, no. 5, pp. 1157-1168, 2006. Shujun

28: Li is the corresponding author, contact him via his personal web

29: site: \texttt{http://www.hooklee.com}.}}

30: \author{Shujun Li\textsuperscript{1}, Guanrong

31: Chen\textsuperscript{2} and Gonzalo \'{A}lvarez\textsuperscript{3}}

32: \date{\textsuperscript{1} Department of Electronic and Information Engineering, The Hong Kong Polytechnic

33: University, Hung Hom, Kowloon, Hong Kong SAR, China\\[0.5em]

34: \textsuperscript{2} Department of Electronic Engineering, City

35: University of Hong Kong, 83 Tat Chee Avenue, Kowloon Tong, Hong Kong

36: SAR, China\\[0.5em]

37: \textsuperscript{3} Instituto de F\'{\i}sica Aplicada, Consejo

38: Superior de Investigaciones Cient\'{\i}ficas, Serrano 144---28006,

39: Madrid, Spain}

40: 

41: \maketitle

42: 

43: \begin{abstract}

44: As a powerful cryptanalysis tool, the method of return-map attacks

45: can be used to extract secret messages masked by chaos in secure

46: communication schemes. Recently, a simple defensive mechanism was

47: presented to enhance the security of chaotic parameter modulation

48: schemes against return-map attacks. Two techniques are combined in

49: the proposed defensive mechanism: multistep parameter modulation

50: and alternative driving of two different transmitter variables.

51: This paper re-studies the security of this proposed defensive

52: mechanism against return-map attacks, and points out that the

53: security was much over-estimated in the original publication for

54: both ciphertext-only attack and known/chosen-plaintext attacks. It

55: is found that a deterministic relationship exists between the

56: shape of the return map and the modulated parameter, and that such

57: a relationship can be used to dramatically enhance return-map

58: attacks thereby making them quite easy to break the defensive

59: mechanism.

60: \end{abstract}

61: 

62: \section{Introduction}

63: 

64: In the past two decades, chaotic systems have been extensively used

65: to construct cryptosystems in either analog

66: \citep{Alvarez:Survey:ICCST99, Yang:Survey:IJCC2004} or digital

67: \citep{ShujunLi:Dissertation2003} forms. Most analog implementations

68: are secure communication systems based on synchronization of the

69: sender and the receiver chaotic systems \citep{Pecora:CS:PRL90},

70: where the signal is transmitted over a public channel from the

71: sender to drive the receiver for achieving synchronization and

72: message decryption. Some different encryption structures have been

73: proposed: chaotic masking \citep{Kocarev:CM:IJBC92, Murali:CM:PRE94,

74: Feki:CM:PLA99}, chaotic switching or chaotic shift keying (CSK)

75: \citep{Parlitz:CSK:LIJBC92, Dedieu:CSK:IEEETCASII93,

76: Parlitz:DCSK:PLA94}, chaotic modulation \citep{WuChua:CDM:IJBC93,

77: Yang:CPM:IEEETCASI96, Parlitz:CDM:PRE96}, and the inverse system

78: approach \citep{Feldmann:ISA:IJCTA96}. At the same time, many

79: different cryptanalysis methods have also been developed to break

80: the proposed chaos-based secure communication systems: return-map

81: attacks \citep{Perez:ReturnMapCryptanalysis:PRL95,

82: Zhou:ExtractChaoticSignal:PLA97, Yang:ReturnMapCryptanalysis:PLA98,

83: Li:Chaos2005}, nonlinear prediction based attacks

84: \citep{Short:UnmaskingChaos:IJBC94,

85: Short:ChaoticSignalExtraction:IJBC97,

86: ZhouLai:ChaoticCryptanalysis:PRE99b}, spectral analysis attacks

87: \citep{Yang:SpectralCryptanalysis:PLA98, Alvarez-Li2004a},

88: generalized synchronization (GS) based attacks

89: \citep{Yang:GSCryptanalysis:IEEETCASI97,AlvarezLi:CSF2005,

90: Alvarez:BreakingCPM:CSF2004}, short-time period based attacks

91: \citep{Yang:STZCR:IJCTA95, Alvarez-Li2004b}, parameter

92: identification based attacks

93: \citep{Kocarev:BreakingParameters:IJBC96,

94: TaoDu:ChaoticCrytpanalysis:IJBC2003a,

95: Vaidya:DecodingChaoticSuperkey:CSF2003,Alvarez:PhaseSynchronization:CHAOS2004},

96: and so on.

97: 

98: Given the existence of so many different attacks, it has become a

99: real challenge to design highly secure chaos-based communication

100: systems against all known attacks. Three general countermeasures

101: have been proposed in the literature: 1) using more complex

102: dynamical systems, such as high-dimensional hyperchaotic systems

103: or multiple cascaded (heterogeneous) chaotic systems

104: \citep{Grassi:3CC:IJCTA99,

105: Murali:HeterogeneousChaosCryptography:PLA2000,

106: Yao:HyperChaos:DCDISB2003}; 2) introducing traditional ciphers

107: into the chaotic cryptosystems

108: \citep{Yang-Wu-Chua:ChaoticCryptography:IEEETCASI1997,

109: Grassi:3CC:IEEETCASI99, Lian:Fuzzy3CC:IJBC2003}; 3) introducing an

110: impulsive (also named sporadic) driving signal instead of a

111: continuous signal to realize synchronization

112: \citep{Yang-Chua:ImpulsiveChaos:IJBC1997, ZYHe:SCCS:IEEETCASI2000,

113: Khadra:IS:DCDISB2003}. The first countermeasure has been found

114: insecure against some attacks

115: \citep{Short:UnmaskingHyperchaos:PRE98,

116: ZhouLai:ChaoticCryptanalysis:PRE99b,

117: Huang:UnmaskingChaosWavlet:IJBC2001,

118: TaoDu:ChaoticCrytpanalysis:IJBC2003a}, and some security defects

119: of the second countermeasure have also been reported

120: \citep{Short:ChaoticCrptanalysis:IEEETCASI2001}, but the last one

121: has not yet been cryptanalyzed to date.

122: 

123: Besides the above three general countermeasures, there also exist

124: some specially-designed countermeasures that can be used to resist

125: certain attacks. This paper studies two such countermeasures,

126: recently proposed by \cite{Indian:MSCPM:IJBC2001}, against

127: return-map attacks. These two proposed countermeasures are

128: multistep parameter modulation and alternative driving of

129: transmitter variables, which have been combined to construct a new

130: secure communication scheme for binary signal transmissions. After

131: refining return-map attacks via a deterministic relationship

132: between the return map and a parameter $b_s$, we found that the

133: security of the first countermeasure was much over-estimated in

134: \citep{Indian:MSCPM:IJBC2001}, and that the combination of the two

135: countermeasures can be easily separated in some way so as to

136: disable the second countermeasure. The aforementioned

137: deterministic relationship between the return map and the

138: parameter $b_s$ is reported in this paper, for the first time in

139: the literature, which is useful not only for engineering studies

140: on chaos-based secure communications but also for theoretical

141: studies on the dynamics of chaotic systems.

142: 

143: The rest of this paper is organized as follows. In the next

144: section, a brief introduction to return-map attacks and related

145: countermeasures is given. Section \ref{section:BreakingMSPM}

146: re-evaluates the security of the multistep parameter modulation

147: scheme, by exploiting a deterministic relationship between the

148: shape of the return map and the modulated parameter $b_s$. The

149: original return-map attack proposed by

150: \cite{Perez:ReturnMapCryptanalysis:PRL95} will be enhanced. In

151: Sec. \ref{section:BreakingADTV}, cryptanalysis of the scheme of

152: alternative driving of transmitter variables is studied in detail.

153: The last section concludes the paper.

154: 

155: \section{Return-Map Attacks and Related Countermeasures}

156: 

157: The return-map attack method was first proposed by

158: \cite{Perez:ReturnMapCryptanalysis:PRL95} to break chaotic

159: switching (binary parameter modulation) and chaotic masking

160: schemes based on the Lorenz system, which was then studied by

161: \cite{Yang:ReturnMapCryptanalysis:PLA98} to break chaotic masking,

162: switching and non-autonomous modulation schemes based on Chua's

163: circuit. In \citep{Zhou:ExtractChaoticSignal:PLA97}, the

164: return-map attack method was also used to break a DCSK scheme

165: based on a discrete-time chaotic map \citep{Parlitz:DCSK:PLA94}.

166: Without loss of generality, this paper will focus on the attack

167: scheme of \citeauthor{Perez:ReturnMapCryptanalysis:PRL95} on the

168: Lorenz system thereby demonstrating how the return map is

169: constructed and how the attack works to break a typical chaotic

170: switching scheme proposed in \citep{Cuomo:CPM_CM:PRL93}.

171: 

172: Consider the following Lorenz system used as the sender:

173: \begin{eqnarray}

174: \dot{x}_s & = & \sigma(y_s-x_s),\nonumber\\

175: \dot{y}_s & = & r_sx_s-y_s-x_sz_s,\\

176: \dot{z}_s & = & x_sy_s-b_sz_s,\nonumber

177: \end{eqnarray}

178: where $\sigma,b_s,r$ are system parameters, and the value of $b_s$

179: is modulated by $m(t)$, the digital plain-signal for secure

180: transmission, as follows:

181: \[

182: b_s=\begin{cases}

183: b_0, & m(t)=0,\\

184: b_1, & m(t)=1.

185: \end{cases}

186: \]

187: To transmit $m(t)$ to the receiver end, a variable of the sender

188: system, such as $x_s$, is sent out, which will be used to induce

189: synchronization of the receiver system, resulting in:

190: \begin{eqnarray}

191: \dot{x}_r & = & \sigma(y_r-x_r),\nonumber\\

192: \dot{y}_r & = & r_rx_s-y_r-x_sz_r,\\

193: \dot{z}_r & = & x_sy_r-b_rz_r,\nonumber

194: \end{eqnarray}

195: where $b_r=b_0$. When $m(t)=0$, the intended synchronization can

196: be reached, while when $m(t)=1$, the synchronization error always

197: remains at a certain finite order. Then, it is easy to decode the

198: secret signal $m(t)$ by checking the power energy $(x_r-x_s)^2$

199: with a digital filter. Following \cite{Cuomo:CPM_CM:PRL93}, the

200: parameters are set as $\sigma=16$, $r=45.6$, $b_0=4.0$ and

201: $b_1=4.4$.

202: 

203: However, the above chaotic switching scheme can be easily broken

204: with the return map constructed from $x_s$ as pointed out in

205: \citep{Perez:ReturnMapCryptanalysis:PRL95}. Assuming that $X_m$ and

206: $Y_m$ are the $m$-th maxima and $m$-th minima of $x_s$,

207: respectively, define the following four variables:

208: $A_m=\frac{X_m+Y_m}{2}$, $B_m=X_m-Y_m$, $C_m=\frac{X_{m+1}+Y_m}{2}$,

209: $D_m=Y_m-X_{m+1}$, and then construct two return maps, ($A_m$ vs

210: $B_m$) and ($-C_m$ vs $-D_m$), as shown in Fig. \ref{figure:RM_CSK}.

211: The two maps are actually equivalent to each other, so we only

212: consider the map ($A_m$ vs $B_m$) in this paper. Note that there are

213: three segments in the return map, and each segment is further split

214: into two strips. It is obvious that the split of the map is caused

215: by the switching of the value of $b_s$ between $b_0$ and $b_1$.

216: Thus, by checking which strip the point $(A_m,B_m)$ falls on, one

217: can easily unmask the current value of the digital signal $m(t)$.

218: Since one has to assign either 0-bit or 1-bit to a strip in each

219: segment, it was claimed in

220: \citep{Perez:ReturnMapCryptanalysis:PRL95} that there are only seven

221: chances to make wrong assignments, which can be easily detected by

222: observing the waveform of the reconstructed digital signal $m(t)$.

223: 

224: \psfrag{Am}{$A_m$}\psfrag{Bm}{$B_m$}

225: 

226: \begin{figure}[!htb]

227: \centering

228: \psfrag{Am and -Cm}{$A_m$ and $-C_m$}%

229: \psfrag{Bm and -Dm}{$B_m$ and $-D_m$}%

230: \includegraphics[width=\figwidth]{RM_CSK}

231: \caption{The return maps constructed for a typical chaotic

232: switching scheme.}\label{figure:RM_CSK}

233: \end{figure}

234: 

235: In recent years, some different countermeasures have been proposed

236: to resist the above return-map attack. In \citep{BuWang:CSF2004},

237: a periodic signal $g_0(t)=A\cos(\omega t+\phi_0)$ is combined with

238: $z_s$ to modulate the transmitted signal $x_s$ so as to blur the

239: reconstructed return map in order to frustrate the attacker.

240: However, soon it was broken as reported in

241: \citep{CheeXuBishop:CSF2004, WuHuZhang:CSF2004, Alvarez:CSF2005}

242: via distinguishing the parameters $\omega,\phi_0$ and removing the

243: modulating signal. A modified scheme of the original method of

244: \cite{BuWang:CSF2004} was proposed in \citep{WuHuZhang:CSF2004} to

245: further improve its security. Our recent work shows that this

246: modified modulating scheme is still not secure enough

247: \citep{LiAlvarez:CSF2005} and that the modulating signal can still

248: be effectively removed via parameters estimation.

249: 

250: In \citep{Indian:MSCPM:IJBC2001}, two new countermeasures were

251: proposed and combined to enhance the security of chaotic switching

252: schemes against return-map attacks. The first countermeasure is to

253: increase the number of strips by modulating $b_s$ between $2n$

254: different values: $b_{0,1},\cdots,b_{0,n}$ and

255: $b_{1,1},\cdots,b_{1,n}$, where $b_{0,1},\cdots,b_{0,n}$

256: correspond to $m(t)=0$ and $b_{1,1},\cdots,b_{1,n}$ correspond to

257: $m(t)=1$. This countermeasure is called \textit{multistep

258: parameter modulation}, and accordingly the original two-valued

259: chaotic switching scheme is called \textit{single-step parameter

260: modulation}. It was claimed that the chances to make wrong

261: assignments become $(2^{2n}-2)^3-1\approx 2^{6n}$ and that the

262: security against return-map attacks is dramatically enhanced even

263: when $n$ is not too large. Figure \ref{figure:RM_MSPM} shows the

264: return map constructed from $x_s$ when the multistep parameter

265: modulation is used, where $n=5$ and

266: $b_{0,i}\in\{3.2,3.4,3.6,3.8,4.0\}$,

267: $b_{1,i}\in\{3.1,3.3,3.5,3.7,3.9\}$. It can be seen that each

268: segment is split into $2n=10$ strips. The second countermeasure is

269: to alternatively use $x_s$ and $y_s$ as the driving signal to

270: force the receiver system to synchronize with the sender, which

271: will further split the constructed return map into two parts: one

272: corresponds to the map from $x_s$ and another to the map from

273: $y_s$, as shown in Fig. \ref{figure:RM_MSPMAD}\footnote{Different

274: from $x_s$, there exist some small fluctuations in $y_s$. The

275: faked maxima and minima induced by the small fluctuations should

276: be removed from the return map; otherwise, the map will become

277: completely meaningless. For the return map plotted in Fig.

278: \ref{figure:RM_MSPMAD}, therefore, if the difference between two

279: consecutive maxima and minima is less than 1, they will be

280: omitted.}. It can be seen that two segments of the $x_s$-map and

281: the $y_s$-map largely overlap each other. In a multistep parameter

282: modulation system, the receiver contains $2n$ different driven

283: sub-systems, which are used to realize synchronization for the

284: $2n$ different values of $b_s$, respectively. When alternative

285: driving is also applied, the number of sub-systems is doubled to

286: be $4n$, among which $2n$ correspond to $x_s$-driving

287: synchronization and another $2n$ to $y_s$-driving synchronization.

288: For more details about the two countermeasures, see

289: \citep{Indian:MSCPM:IJBC2001}.

290: 

291: \begin{figure}[!htb]

292: \centering

293: \psfrag{Segment 1}{Segment 1}%

294: \psfrag{Segment 2}{Segment2}%

295: \psfrag{Segment 3}{Segment 3}

296: \begin{minipage}{\figwidth}

297: \centering

298: \includegraphics[width=\textwidth]{RM_MSPM}

299: a) a full view of the return map

300: \end{minipage}

301: \begin{minipage}{\figwidth}

302: \centering

303: \includegraphics[width=\textwidth]{RM_MSPM_S1}

304: b) a local view of Segment 1

305: \end{minipage}

306: \caption{The return map constructed from $x_s$ in multistep

307: parameter modulation.}\label{figure:RM_MSPM}

308: \end{figure}

309: 

310: \begin{figure}[!htb]

311: \centering

312: \begin{minipage}{\figwidth}

313: \centering

314: \includegraphics[width=\textwidth]{RM_MSPMAD}

315: a) a full view of the return map

316: \end{minipage}

317: \begin{minipage}{\figwidth}

318: \centering

319: \includegraphics[width=\textwidth]{RM_MSPMAD_S1}

320: b) a local view of Segment 1

321: \end{minipage}

322: \caption{The return map constructed in multistep parameter

323: modulation with alternative $x_s/y_s$

324: driving.}\label{figure:RM_MSPMAD}

325: \end{figure}

326: 

327: \section{Re-Evaluating the Security of Multistep Parameter Modulation}

328: \label{section:BreakingMSPM}

329: 

330: The security of multistep parameter modulation relies on the fact

331: that the attacker has to assign 0-bits or 1-bits for all strips in

332: the return map. Since there are $6n$ stripes in total, the success

333: probability to make a right assignment is $\frac{1}{2^{6n}}$,

334: i.e., the attack complexity is $2^{6n}$. Note that the above

335: analysis on the security is more rigorous, from the

336: cryptographical point of view, than the one given in

337: \citep{Indian:MSCPM:IJBC2001}, where the latter enumerated the

338: number of making wrong assignments under the assumption that the

339: first assignment is correct. Of course, the order of the estimated

340: attack complexity is the same.

341: 

342: The above security estimation is based on the assumption that all

343: $6n$ strips are independent of each other. However, we found that

344: this assumption is not true and that there exists a deterministic

345: relationship between the positions of the strips and the $2n$

346: different values of the modulated parameter $b_s$, and this

347: relationship will dramatically reduce the attack complexity in all

348: attacking scenarios. In Fig. \ref{figure:RM_bs}a, the two return

349: maps corresponding to $b_s=3$ and $b_s=4$ respectively are plotted

350: to show such a deterministic relationship. One can see that the

351: three segments corresponding to $b_s=3$ are closer to the origin,

352: while the three segments corresponding to $b_s=4$ are farther.

353: This means that there exist only two possibilities to assign the

354: 0/1-bits to all strips in the chaotic switching scheme (see Fig.

355: \ref{figure:RM_CSK}): for all three segments, assign 0-bit (or

356: 1-bit) to the strip closer to the origin and 1-bit (or 0-bit) to

357: the other one. If the relationship between $b_0$ and $b_1$ is also

358: known to the attacker, he can uniquely determine the right

359: assignment to completely break the plain-signal. Apparently, the

360: above analysis can be easily generalized to multistep parameter

361: modulation. Figure \ref{figure:RM_bs}b shows the return maps

362: corresponding to the 10 different values of $b_s$ used in

363: \citep{Indian:MSCPM:IJBC2001}. It can be seen that Fig.

364: \ref{figure:RM_bs}b is almost identical with the return map shown

365: in Fig. \ref{figure:RM_MSPM}a. Thus, it is easy to mark each strip

366: of the return map shown in Fig. \ref{figure:RM_MSPM}a with one of

367: the $2n=10$ possible values of $b_s$. For example, for Segment 1

368: shown in Fig. \ref{figure:RM_MSPM}b, the $i$-th strip corresponds

369: to $b_s=3.0+0.1i$. This means that the task of assigning 0/1-bits

370: to $6n$ strips is changed to another equivalent task of assigning

371: 0/1-bits to $2n$ different values of $b_s$. Considering that there

372: are $n$ values corresponding to 0-bits and other $n$ values to

373: 1-bits, one can easily deduce that the number of all possible bit

374: assignments is $2\cdot\binom{2n}{n}=2\cdot\frac{(2n)!}{(n!)^2}$,

375: which is $O\left(\frac{2^{2n}}{\sqrt{n}}\right)$ when $n\gg 1$

376: following Stirling's approximation \citep{StirlingApproximation}.

377: As a conclusion, the attack complexity is always much smaller than

378: $O\left(2^{6n}\right)$, the original complexity estimated in

379: \citep{Indian:MSCPM:IJBC2001}. Table \ref{table:Complexity} shows

380: a comparison of the two complexities. From the cryptographical

381: point of view, based on today's computer technology, a practically

382: secure cryptosystem should have a complexity of order

383: $O\left(2^{100}\right)$ \citep{Schneier:AppliedCryptography96},

384: which requires $n\geq 50$ following the data shown in Table

385: \ref{table:Complexity}. However, in this case, $4n\geq 200$

386: sub-systems have to be constructed to realize the decryption of

387: the transmitted digital signal $m(t)$, which makes the

388: implementation too costly for most practical applications. If the

389: security can be relaxed to order of $2^{50}$, $4n\geq 32$

390: sub-systems are enough to be practical in some applications

391: (though still much more costly than other chaos-based secure

392: communication systems). Note that the implementation cost will be

393: acceptable in practice, if all the sub-systems can be realized

394: with the same chaotic circuit.

395: 

396: \begin{figure}[!htb]

397: \centering

398: \begin{minipage}{\figwidth}

399: \centering \psfrag{bs=3}{$b_s=3$}\psfrag{bs=4}{$b_s=4$}

400: \includegraphics[width=\textwidth]{RM_2bs}

401: a) the return maps corresponding to $b_s=3$ and $b_s=4$

402: \end{minipage}

403: \begin{minipage}{\figwidth}

404: \centering \psfrag{bs=3.1}{$b_s=3.1$}\psfrag{bs=4.0}{$b_s=4.0$}

405: \includegraphics[width=\textwidth]{RM_10bs}

406: b) the return maps corresponding to $b_s=3.1,3.2,\cdots,3.9,4.0$

407: \end{minipage}

408: \caption{A deterministic relationship between the return map and

409: the modulated parameter $b_s$.}\label{figure:RM_bs}

410: \end{figure}

411: 

412: \begin{table}[!htb]

413: \centering \renewcommand\arraystretch{1.5} \caption{A comparison of

414: the real complexity $2\cdot\binom{2n}{n}$ and the over-estimated

415: complexity $2^{6n}$.}\label{table:Complexity}

416: %\vskip 0.5em

417: \begin{tabular}{c||*{12}{c|}c}

418: \hline $n$ & 8 & 10 & 12 & 14 & 16 & 18 & 20 & 25 & 30 & 35 & 40 & 45 & 50\\

419: \hline $2\cdot\binom{2n}{n}\approx$ & $2^{14.7}$ & $2^{18.5}$ &

420: $2^{22.4}$ & $2^{26.3}$ & $2^{30.2}$ & $2^{34.1}$ & $2^{38}$ &

421: $2^{47.8}$ & $2^{57.7}$ & $2^{67.6}$ & $2^{77.5}$ & $2^{87.4}$ & $2^{97.3}$\\

422: \hline $2^{6n}$ & $2^{48}$ & $2^{60}$ & $2^{72}$ & $2^{84}$ &

423: $2^{96}$ & $2^{108}$ & $2^{120}$ & $2^{150}$ & $2^{180}$ & $2^{210}$

424: & $2^{240}$ & $2^{270}$ & $2^{300}$\\\hline

425: \end{tabular}

426: \end{table}

427: 

428: Note that one can extract some right bits even with a wrong bit

429: assignment. For instance, for the example given in

430: \citep{Indian:MSCPM:IJBC2001}, 1-bits are assigned to

431: $b_s\in\{3.1,3.3,3.5,3.7,3.9\}$ and 0-bits to

432: $b_s\in\{3.2,3.4,3.6,3.8,4.0\}$, so one can get about 80\% of right

433: bits with the following bit assignment: 1-bits are assigned to

434: $b_s\in\{3.1,3.3,3.5,3.7,\bm{4.0}\}$, and 0-bits to

435: $b_s\in\{3.2,3.4,3.6,3.8,\bm{3.9}\}$, where the bold values

436: correspond to wrong bits. Generally speaking, if there are $2i$

437: values corresponding to wrong bits, the bit error ratio (BER) at the

438: attacker end will be $i/n$, i.e., the probability to get right bits

439: is $1-(i/n)$. Note that when $i<n/2$, the attacker can simply flip

440: all assigned bits to get a lower BER $(n-i)/n=1-(i/n)$. From such a

441: point of view, the worst bit assignment occurs when $i=\lfloor

442: n/2\rfloor$ or $\lceil n/2\rceil$. Considering that the bit

443: assignment can be regarded as an equivalent of the secret key, the

444: above fact means that the decryption of multistep parameter

445: modulation is insensitive to the mismatch of the secret key.

446: However, such an insensitivity does not reduce the attack complexity

447: by too much, since the number of wrong assignments corresponding to

448: $i=\lfloor n/2\rfloor$ or $\lceil n/2\rceil$ is in the same order as

449: the complexity $O\left(\frac{2^{2n}}{\sqrt{n}}\right)$ when $n\gg

450: 1$: the number is $2\cdot\binom{n}{\lfloor

451: n/2\rfloor}\cdot\binom{n}{n-\lfloor

452: n/2\rfloor}=2\cdot\binom{n}{\lfloor n/2\rfloor}\cdot\binom{n}{\lceil

453: n/2\rceil}\approx O\left(\frac{2^{2n}}{n}\right)$, which is not much

454: smaller than $O\left(\frac{2^{2n}}{\sqrt{n}}\right)$.

455: 

456: In cryptography, there are many different attacking scenarios

457: \citep{Schneier:AppliedCryptography96}. A cryptographically secure

458: cryptosystem should be immune to all kinds of attacks. The above

459: attack complexity of multistep parameter modulation is for the

460: simplest attack -- the ciphertext-only attack, where the attacker

461: can only observe some ciphertexts. When some other attacking

462: scenarios are available, the security of multistep parameter

463: modulation will be dramatically downgraded.

464: 

465: Now, let us consider the security against known-plaintext and

466: chosen-plaintext attacks, where the attacker can get or choose

467: some plaintexts to carry out the attacks. Such attacks are

468: feasible in some real applications and become more and more common

469: in the digital networked world today. In known/chosen-plaintext

470: attacks, it is obvious that the knowledge about some plaintexts

471: means the knowledge about the bit assignment of the $6n$ strips:

472: when $m(t)=0$ (or 1), one immediately knows that the strip on

473: which a point $(A_m,B_m)$ lies corresponds to a 0-bit (or 1-bit),

474: and then knows that other two strips marked with the same value of

475: $b_s$ also correspond to 0-bits (or 1-bits). That is, he can

476: assign a 0-bit (or 1-bit) to the value of $b_s$ corresponding to

477: the distinguished strip. Once $n$ 0-bits (or 1-bits) have been

478: assigned to $n$ different values of $b_s$, the attacker can

479: directly assign 1-bits (or 0-bits) to all other undetermined

480: values so as to complete the attack. For the number of required

481: known/chosen plain-bits in the above attack, we have the following

482: theoretical result.

483: \begin{theorem}

484: Assume that $b_s$ distributes uniformly over the set of $2n$

485: values and that any two values of $b_s$ are independent of each

486: other. Then, the average number of required known/chosen

487: plain-bits in the above known/chosen-plaintext attack is $3n$.

488: \end{theorem}

489: \begin{proof}

490: Denote the $k(\geq 1)$ known/chosen plain-bits by

491: $B_1,\cdots,B_k\in\{0,1\}$, and the corresponding values of $b_s$

492: by $b_s^{(1)},\cdots,b_s^{(k)}$. The condition that the attack is

493: completed for the $k$ known/chosen plain-bits equals to the

494: following term: $n-1$ values corresponding to 0-bits (or 1-bits)

495: have occurred in $b_s^{(1)},\cdots,b_s^{(k-1)}$, and $b_s^{(k)}$

496: is the first occurrence of the last value. Considering that each

497: value occurs with a uniform probability $p=\frac{1}{2n}$ and any

498: two values are independent of each other, it is easy to get the

499: probability that the attack stops with $k$ known/chosen

500: plain-bits, $P(k)$, as follows:

501: \begin{equation}

502: P(k)=\begin{cases}

503: 0, & k<n\\

504: p(1-p)^{k-n}, & k\geq n.

505: \end{cases}

506: \end{equation}

507: Substituting $k'=k-n$ into the above equation, one can get

508: $P(k')=p(1-p)^{k'},\forall k'\geq 0$. It is obvious that $P(k')$

509: obeys a geometric distribution, and one can immediately deduce

510: that $E(k')=p^{-1}=2n$ \citep{GeometricDistribution}. That is,

511: $E(k)=E(k'+n)=E(k')+n=3n$. The proof is thus completed.

512: \end{proof}

513: 

514: Since $n$ cannot be too large to make the cryptosystem practical

515: in real applications, the above theorem shows that multistep

516: parameter modulation is not sufficiently secure against

517: known/chosen-plaintext attacks. In Fig.

518: \ref{figure:RM_Attack_MSPM}, we give an example of

519: known/chosen-plaintext attacks. It can be seen that three

520: different values of $b_s$, i.e., nine strips in the return map,

521: are successfully distinguished with only three known/chosen

522: plain-bits.

523: 

524: \psfrag{time (sec)}{time (sec)}

525: 

526: \begin{figure}[!htb]

527: \centering

528: \begin{minipage}{\figwidth}

529: \centering

530: \begin{overpic}[width=\textwidth]{xs_mt_local}

531:     \put(10,52){$x_s(t)$}

532:     \put(10,10){$m(t)$}

533: \end{overpic}

534: a) $x_s(t)$ vs $m(t)$

535: \end{minipage}

536: \begin{minipage}{\figwidth}

537: \centering

538: \includegraphics[width=\textwidth]{RM_Attack_MSPM}

539: b) the points $(A_m,B_m)$ vs the return map

540: \end{minipage}

541: \begin{minipage}{\figwidth}

542: \centering

543: \includegraphics[width=\textwidth]{RM_Attack_MSPM_S2}

544: c) $(A_m,B_m)$ vs the return map: Segment 2

545: \end{minipage}

546: \begin{minipage}{\figwidth}

547: \centering

548: \includegraphics[width=\textwidth]{RM_Attack_MSPM_S3}

549: d) $(A_m,B_m)$ vs the return map: Segment 3

550: \end{minipage}

551: \caption{The known/chosen-plaintext attack to multistep parameter

552: modulation, when $10\leq t\leq 30$. Legend:

553: \textcolor{red}{$\Diamond$} -- $0\leq t\leq 10$, $m(t)=1$,

554: $b_s=3.5$; \textcolor{red}{$\ocircle$} -- $10\leq t\leq 20$,

555: $m(t)=1$, $b_s=3.3$; \textcolor{red}{$\Box$} -- $20\leq t\leq 30$,

556: $m(t)=0$, $b_s=3.4$.}\label{figure:RM_Attack_MSPM}

557: \end{figure}

558: 

559: \section{Breaking Alternative Driving of Transmitter Variables}

560: \label{section:BreakingADTV}

561: 

562: In this section, we consider how to break another countermeasure

563: -- alternative driving of transmitter variables. Following the

564: example given in \citep{Indian:MSCPM:IJBC2001}, we focus on the

565: $x$/$y$-driving of the Lorenz system. Although the alternative

566: driving can make the return map less clearer by introducing

567: overlaps of the $x_s$-map and the $y_s$-map, it is found that the

568: two overlapped sub-maps can be easily separated so that an attack

569: can be carried out on the two sub-maps separately.

570: 

571: Since there are only two possible driving signals, the separation

572: of the two driving signals can be simplified to the problem of

573: detecting the times at which the driving signal, denoted by $d_s$

574: here, changes from $x_s$ to $y_s$ or from $y_s$ to $x_s$. This can

575: be easily done by observing the differentiations of $d_s$, since

576: the alternative driving will introduce breaking points at each

577: switching time (i.e., discontinuities in $d_s$). Considering that

578: chaotic signals $x_s(t)$ and $y_s(t)$ are both continuous, the

579: switching times can be easily distinguished from sudden and large

580: differentiations of $d_s$, where the word ``sudden" means that the

581: differentiation at a time $t$ is much larger than the others

582: around it. In Fig. \ref{figure:differences_ds}, the first-order,

583: second-order, 4th-order and 8th-order discrete-time

584: differentiations of $d_s$ are shown for demonstration, where the

585: display range on the $y$-axis is always limited within $[-20,20]$

586: to emphasize some sudden and large changes of differentiations

587: with relatively small amplitudes. It can be seen that all

588: switching times are sufficiently prominent in the 8th-order

589: differentiations. Once the switching times are detected, one can

590: easily separate the $x_s$-map and the $y_s$-map to break the

591: multistep parameter modulation as discussed in the last section.

592: 

593: \begin{figure}[!htb]

594: \centering

595: \includegraphics[width=0.7\textwidth]{differences_ds}

596: \caption{The first-order, second-order, 4th-order and 8-th order

597: (from top to bottom) discrete-time differentiations of the

598: transmitted signal $d_s$, where $\Delta

599: t=0.01$.}\label{figure:differences_ds}

600: \end{figure}

601: 

602: In fact, it is even possible to directly separate the two sub-maps

603: without calculating differentiations of $d_s$. Observing Fig.

604: \ref{figure:RM_MSPMAD}, one can find that the overlaps of the two

605: sub-maps are not very significant, which makes it possible to

606: separate the two sub-maps directly from the alignment directions

607: of consecutive points $(A_m,B_m)$. When $x_s$-driving is used for

608: odd bits and $y_s$ for even bits,

609: Fig.~\ref{figure:RM_Attack_MSPMAD} shows the positions of the

610: points $(A_m,B_m)$ in the return map for $0\leq t\leq 30$. In

611: spite of the existence of a few error points and ambiguous points,

612: which are mainly introduced by the faked maxima and minima near

613: the switching times, it is still very easy to distinguish which

614: driving signal was used from the alignment direction of the points

615: $(A_m,B_m)$ corresponding to the current bit (i.e., to the current

616: value of $b_s$). The accidental errors and ambiguous points can be

617: easily removed by filtering techniques.

618: 

619: \begin{figure}[!htb]

620: \centering

621: \psfrag{error point}{error point}%

622: \psfrag{error points}{error points}%

623: \psfrag{ambiguous point}{ambiguous point}%

624: \begin{minipage}{\figwidth}

625: \centering

626: \begin{overpic}[width=\textwidth]{xs_mt_local2}

627:     \put(10,52){$x_s(t)$}

628:     \put(10,10){$m(t)$}

629: \end{overpic}

630: a) $x_s(t)$ vs $m(t)$

631: \end{minipage}

632: \begin{minipage}{\figwidth}

633: \centering

634: \includegraphics[width=\textwidth]{RM_Attack_MSPMAD}

635: b) the points $(A_m,B_m)$ vs the return map

636: \end{minipage}

637: \begin{minipage}{\figwidth}

638: \centering

639: \includegraphics[width=\textwidth]{RM_Attack_MSPMAD_S1}

640: c) $(A_m,B_m)$ vs the return map: Segment 1

641: \end{minipage}

642: \begin{minipage}{\figwidth}

643: \centering

644: \includegraphics[width=\textwidth]{RM_Attack_MSPMAD_S2}

645: d) $(A_m,B_m)$ vs the return map: Segment 2

646: \end{minipage}

647: \caption{The known/chosen-plaintext attack to multistep parameter

648: modulation, when $10\leq t\leq 30$. Legend:

649: \textcolor{red}{$\Diamond$} -- $0\leq t\leq 10$, $x_s$-driving,

650: $m(t)=1$, $b_s=3.9$; \textcolor{red}{$\ocircle$} -- $10\leq t\leq

651: 20$, $y_s$-driving, $m(t)=0$, $b_s=3.6$; \textcolor{red}{$\Box$}

652: -- $20\leq t\leq 30$, $x_s$-driving, $m(t)=0$,

653: $b_s=3.2$.}\label{figure:RM_Attack_MSPMAD}

654: \end{figure}

655: 

656: Finally, we examine the attack complexity when both

657: countermeasures are used in a secure communication system. Since

658: there exist $12n$ strips, the average number of plain-bits in

659: known/chosen-plaintexts attacks will be $2\cdot 3n=6n$, which

660: means that the security against known/chosen-plaintext attacks is

661: still rather weak. The security against ciphertext-only attacks is

662: relatively higher: $\left(2\cdot\binom{2n}{n}\right)^2$. However,

663: note that an attacker can extract 50\% of all plain-bits, even

664: when he only exhaustively guesses the right bit assignment

665: corresponding to the $x_s$-map or the $y_s$-map. Thus, strictly

666: speaking, the security against ciphertext-only attacks is still in

667: the order of $2\cdot\binom{2n}{n}$, i.e., the same as the one

668: under the condition that only the first countermeasure is used. As

669: mentioned above, to make the designed secure communication system

670: sufficiently secure, $n\geq 50$ is required.

671: 

672: \section{Conclusion}

673: 

674: To resist the return-map attack presented in

675: \citep{Perez:ReturnMapCryptanalysis:PRL95},

676: \cite{Indian:MSCPM:IJBC2001} proposed two countermeasures to

677: enhance the security of the chaotic switching (i.e., binary

678: parameter modulation) scheme. After refining the return-map attack

679: by exploiting a deterministic relationship between the return map

680: and the modulated parameter, this paper points out that these two

681: countermeasures are not secure enough against

682: known/chosen-plaintext attacks. Also, it is found that the

683: security against ciphertext-only attacks cannot be ensured if the

684: proposed secure communication system contains less than 200

685: sub-systems.

686: 

687: The cryptanalysis results given in this paper show that one has to

688: use more powerful techniques to effectively resist return-map

689: attacks. Recently, a new CSK scheme was proposed in

690: \citep{XuChee:CSKwFS:IJBC2004} by introducing many false switching

691: events. It is under study whether or not this new CSK scheme is

692: secure against the return-map attack described in this paper. At

693: present, it is still an open problem to design a chaos-based

694: secure communication system that is strong enough against all

695: known attacks, and to find more powerful cryptanalysis tools to

696: evaluate the security of various chaos-based cryptosystems.

697: 

698: \section*{Acknowledgements}

699: 

700: This research was partially supported by the Applied R\&D Centers

701: of the City University of Hong Kong under grants no. 9410011 and

702: no. 9620004, and by the Ministerio de Ciencia y Tecnolog\'{\i}a of

703: Spain, under research grants TIC2001-0586 and SEG2004-02418.

704: 

705: \begin{thebibliography}{54}

706: \newcommand{\enquote}[1]{``#1''}

707: \providecommand{\natexlab}[1]{#1}

708: 

709: \bibitem[{\'{A}lvarez \& Li(2004{\natexlab{a}})}]{Alvarez-Li2004a}

710: \'{A}lvarez, G. \& Li, S. [2004{\natexlab{a}}] \enquote{Breaking

711: network

712:   security based on synchronized chaos,} \emph{Computer Communications}

713:   \textbf{27}, 1679--1681.

714: 

715: \bibitem[{\'{A}lvarez \& Li(2004{\natexlab{b}})}]{Alvarez-Li2004b}

716: \'{A}lvarez, G. \& Li, S. [2004{\natexlab{b}}] \enquote{Estimating

717: short-time

718:   period to break different types of chaotic modulation based secure

719:   communications,} arXiv:nlin.CD/0406039.

720: 

721: \bibitem[{\'{A}lvarez \emph{et~al.}(2005{\natexlab{a}})\'{A}lvarez, Li,

722:   Montoya, Pastor \& Romera}]{AlvarezLi:CSF2005}

723: \'{A}lvarez, G., Li, S., Montoya, F., Pastor, G. \& Romera, M.

724:   [2005{\natexlab{a}}] \enquote{Breaking projective chaos synchronization

725:   secure communication using filtering and generalized synchronization,}

726:   \emph{Chaos, Solitons \& Fractals} \textbf{24}, 775--783.

727: 

728: \bibitem[{\'{A}lvarez \emph{et~al.}(1999)\'{A}lvarez, Montoya, Romera \&

729:   Pastor}]{Alvarez:Survey:ICCST99}

730: \'{A}lvarez, G., Montoya, F., Romera, M. \& Pastor, G. [1999]

731: \enquote{Chaotic

732:   cryptosystems,} in L.~D. Sanson, ed., \emph{33rd Annual 1999 International

733:   Carnahan Conference on Security Technology}, 332--338 (IEEE).

734: 

735: \bibitem[{\'{A}lvarez \emph{et~al.}(2004{\natexlab{a}})\'{A}lvarez, Montoya,

736:   Romera \& Pastor}]{Alvarez:PhaseSynchronization:CHAOS2004}

737: \'{A}lvarez, G., Montoya, F., Romera, M. \& Pastor, G.

738: [2004{\natexlab{a}}]

739:   \enquote{Breaking a secure communication scheme based on the phase

740:   synchronization of chaotic systems,} \emph{Chaos} \textbf{14}, 274--278.

741: 

742: \bibitem[{\'{A}lvarez \emph{et~al.}(2004{\natexlab{b}})\'{A}lvarez, Montoya,

743:   Romera \& Pastor}]{Alvarez:BreakingCPM:CSF2004}

744: \'{A}lvarez, G., Montoya, F., Romera, M. \& Pastor, G.

745: [2004{\natexlab{b}}]

746:   \enquote{Breaking parameter modulated chaotic secure communication system,}

747:   \emph{Chaos, Solitons and Fractals} \textbf{21}, 783--787.

748: 

749: \bibitem[{\'{A}lvarez \emph{et~al.}(2005{\natexlab{b}})\'{A}lvarez, Montoya,

750:   Romera \& Pastor}]{Alvarez:CSF2005}

751: \'{A}lvarez, G., Montoya, F., Romera, M. \& Pastor, G.

752: [2005{\natexlab{b}}]

753:   \enquote{Cryptanalyzing an improved security modulated chaotic encryption

754:   scheme using ciphertext absolute value,} \emph{Chaos, Solitons and Fractals}

755:   \textbf{23}, 1749--1756.

756: 

757: \bibitem[{Bu \& Wang(2004)}]{BuWang:CSF2004}

758: Bu, S. \& Wang, B.-H. [2004] \enquote{Improving the security of

759: chaotic

760:   encryption by using a simple modulating method,} \emph{Chaos, Solitons and

761:   Fractals} \textbf{19}, 919--924.

762: 

763: \bibitem[{Chee \emph{et~al.}(2004)Chee, Xu \& Bishop}]{CheeXuBishop:CSF2004}

764: Chee, C.~Y., Xu, D. \& Bishop, S.~R. [2004] \enquote{A

765: zero-crossing approach

766:   to uncover the mask by chaotic encryption with periodic modulation,}

767:   \emph{Chaos, Solitons and Fractals} \textbf{21}, 1129--1134.

768: 

769: \bibitem[{Cuomo \& Openheim(1993)}]{Cuomo:CPM_CM:PRL93}

770: Cuomo, K.~M. \& Openheim, A.~V. [1993] \enquote{Circuit

771: implementation of

772:   synchronized chaos with applications to communications,} \emph{Physical

773:   Review Letters} \textbf{71}, 65--68.

774: 

775: \bibitem[{Dedieu \emph{et~al.}(1993)Dedieu, Kennedy \&

776:   Hasler}]{Dedieu:CSK:IEEETCASII93}

777: Dedieu, H., Kennedy, M.~P. \& Hasler, M. [1993] \enquote{Chaos

778: shift keying:

779:   Modulation and demodulation of a chaotic carrier using self-synchronizing

780:   {Chua}'s circuits,} \emph{IEEE Trans. Circuits and Systems--II} \textbf{40},

781:   634--642.

782: 

783: \bibitem[{Feldmann \emph{et~al.}(1996)Feldmann, Hasler \&

784:   Schwarz}]{Feldmann:ISA:IJCTA96}

785: Feldmann, U., Hasler, M. \& Schwarz, W. [1996]

786: \enquote{Communication by

787:   chaotic signals: The inverse system approach,} \emph{Int. J. Circuit Theory

788:   and Applications} \textbf{24}, 551--579.

789: 

790: \bibitem[{Grassi \& Mascolo(1999{\natexlab{a}})}]{Grassi:3CC:IJCTA99}

791: Grassi, G. \& Mascolo, S. [1999{\natexlab{a}}]

792: \enquote{Synchronization of

793:   high-order oscillators by observer design with application to

794:   hyperchaos-based cryptography,} \emph{Int. J. Circuit Theory and

795:   Applications} \textbf{27}, 543--553.

796: 

797: \bibitem[{Grassi \& Mascolo(1999{\natexlab{b}})}]{Grassi:3CC:IEEETCASI99}

798: Grassi, G. \& Mascolo, S. [1999{\natexlab{b}}] \enquote{A system

799: theory

800:   approach for designing cryptosystems based on hyperchaos,} \emph{IEEE Trans.

801:   Circuits and Systems--I} \textbf{46}, 1135--1138.

802: 

803: \bibitem[{He \emph{et~al.}(2000)He, Li, Yang \& Shi}]{ZYHe:SCCS:IEEETCASI2000}

804: He, Z., Li, K., Yang, L. \& Shi, Y. [2000] \enquote{A robust

805: digital secure

806:   communication scheme based on sporadic coupling chaos synchronization,}

807:   \emph{IEEE Trans. Circuits and Systems--I} \textbf{47}, 397--403.

808: 

809: \bibitem[{Huang \emph{et~al.}(2001)Huang, Xu, Huang \&

810:   Lu}]{Huang:UnmaskingChaosWavlet:IJBC2001}

811: Huang, X., Xu, J., Huang, W. \& Lu, Z. [2001] \enquote{Unmasking

812: chaotic mask

813:   by a wavelet multiscale decomposition algorithm,} \emph{Int. J. Bifurcation

814:   and Chaos} \textbf{11}, 561--569.

815: 

816: \bibitem[{Khadra \emph{et~al.}(2003)Khadra, Liu \& Shen}]{Khadra:IS:DCDISB2003}

817: Khadra, A., Liu, X. \& Shen, X. [2003] \enquote{Robust impulsive

818:   synchronization and application to communication security,} \emph{Dynamics of

819:   Continuous Discrete and Impulsive Systems--Series B: Applications \&

820:   Algorithms} \textbf{10}, 403--416.

821: 

822: \bibitem[{Kocarev \emph{et~al.}(1992)Kocarev, Halle, Eckert, Chua \&

823:   Parlitz}]{Kocarev:CM:IJBC92}

824: Kocarev, L., Halle, K.~S., Eckert, K., Chua, L.~O. \& Parlitz, U.

825: [1992]

826:   \enquote{Experimental demonstration of secure communications via chaotic

827:   synchronization,} \emph{Int. J. Bifurcation and Chaos} \textbf{2}, 709--713.

828: 

829: \bibitem[{Li(2003)}]{ShujunLi:Dissertation2003}

830: Li, S. [2003] \emph{Analyses and New Designs of Digital Chaotic

831: Ciphers}, Ph.D. thesis, School of Electronics and Information

832: Engineering, Xi'an Jiaotong University, Xi'an, China, available

833: online at \url{http://www.hooklee.com/pub.html}.

834: 

835: \bibitem[{Li \emph{et~al.}(2005a)Li, \'{A}lvarez \& Chen}]{LiAlvarez:CSF2005}

836: Li, S., \'{A}lvarez, G. \& Chen, G. [2005a] \enquote{Breaking a

837: chaos-based

838:   secure communication scheme designed by an improved modulation method,}

839:   \emph{Chaos, Solitons \& Fractals} \textbf{25}, 109--120.

840: 

841: \bibitem[{Li \emph{et~al.}(2005b)Li, \'{A}lvarez, Chen \& Mou}]{Li:Chaos2005}

842: Li, S., \'{A}lvarez, G., Chen, G. \& Mou, X [2005b]

843: \enquote{Breaking a chaos-noise-based secure communication scheme,}

844:   \emph{Chaos} \textbf{15}, art. no. 013703.

845: 

846: \bibitem[{Lian \emph{et~al.}(2003)Lian, Liu, Chiu \&

847:   Chiang}]{Lian:Fuzzy3CC:IJBC2003}

848: Lian, K.-Y., Liu, P., Chiu, C.-S. \& Chiang, T.-S. [2003]

849: \enquote{Fuzzy

850:   model-based approach to chaotic encryption using synchronization,} \emph{Int.

851:   J. Bifurcation and Chaos} \textbf{13}, 215--225.

852: 

853: \bibitem[{Morgul \& Feki(1999)}]{Feki:CM:PLA99}

854: Morgul, O. \& Feki, M. [1999] \enquote{A chaotic masking scheme by

855: using

856:   synchronized chaotic systems,} \emph{Physics Letters A} \textbf{251},

857:   169--176.

858: 

859: \bibitem[{Murali(2000)}]{Murali:HeterogeneousChaosCryptography:PLA2000}

860: Murali, K. [2000] \enquote{Heterogeneous chaotic systems based

861: cryptography,}

862:   \emph{Physics Letters A} \textbf{272}, 184--192.

863: 

864: \bibitem[{Murali \& Lakshmanan(1994)}]{Murali:CM:PRE94}

865: Murali, K. \& Lakshmanan, M. [1994] \enquote{Drive-response

866: scenario of chaos

867:   synchronization in identical nonlinear systems,} \emph{Physical Review E}

868:   \textbf{49}, 4882--4885.

869: 

870: \bibitem[{Palaniyandi \& Lakshmanan(2001)}]{Indian:MSCPM:IJBC2001}

871: Palaniyandi, P. \& Lakshmanan, M. [2001] \enquote{Secure digital

872: signal

873:   transmission by multistep parameter modulation and alternative driving of

874:   transmitter variables,} \emph{Int. J. Bifurcation and Chaos} \textbf{11},

875:   2031--2036.

876: 

877: \bibitem[{Parker \& Short(2001)}]{Short:ChaoticCrptanalysis:IEEETCASI2001}

878: Parker, A.~T. \& Short, K.~M. [2001] \enquote{Reconstructing the

879: keystream from

880:   a chaotic encryption scheme,} \emph{IEEE Trans. Circuits and Systems--I}

881:   \textbf{48}, 624--630.

882: 

883: \bibitem[{Parlitz \emph{et~al.}(1992)Parlitz, Chua, Kocarev, Halle \&

884:   Shang}]{Parlitz:CSK:LIJBC92}

885: Parlitz, U., Chua, L.~O., Kocarev, L., Halle, K.~S. \& Shang, A.

886: [1992]

887:   \enquote{Transmission of digital signals by chaotic synchronization,}

888:   \emph{Int. J. Bifurcation and Chaos} \textbf{2}, 973--977.

889: 

890: \bibitem[{Parlitz \& Ergezinger(1994)}]{Parlitz:DCSK:PLA94}

891: Parlitz, U. \& Ergezinger, S. [1994] \enquote{Robust communication

892: based on

893:   chaotic spreading sequences,} \emph{Physics Letters A} \textbf{188},

894:   146--150.

895: 

896: \bibitem[{Parlitz \emph{et~al.}(1996)Parlitz, Kocarev, Stojanovski \&

897:   Preckel}]{Parlitz:CDM:PRE96}

898: Parlitz, U., Kocarev, L., Stojanovski, T. \& Preckel, H. [1996]

899:   \enquote{Encoding messages using chaotic synchronization,} \emph{Physical

900:   Review E} \textbf{53}, 4351--4361.

901: 

902: \bibitem[{Pecora \& Carroll(1990)}]{Pecora:CS:PRL90}

903: Pecora, L.~M. \& Carroll, T.~L. [1990] \enquote{Synchronization in

904: chaotic

905:   systems,} \emph{Physical Review Letters} \textbf{64}, 821--824.

906: 

907: \bibitem[{P\'{e}rez \& Cerdeira(1995)}]{Perez:ReturnMapCryptanalysis:PRL95}

908: P\'{e}rez, G. \& Cerdeira, H.~A. [1995] \enquote{Extracting

909: messages masked by

910:   chaos,} \emph{Physical Review Letters} \textbf{74}, 1970--1973.

911: 

912: \bibitem[{Schneier(1996)}]{Schneier:AppliedCryptography96}

913: Schneier, B. [1996] \emph{Applied Cryptography -- Protocols,

914: algorithms, and souce code in C}, 2nd edition (John Wiley \& Sons,

915: Inc., New York).

916: 

917: \bibitem[{Short(1994)}]{Short:UnmaskingChaos:IJBC94}

918: Short, K.~M. [1994] \enquote{Steps toward unmasking secure

919: communications,}

920:   \emph{Int. J. Bifurcation and Chaos} \textbf{4}, 959--977.

921: 

922: \bibitem[{Short(1997)}]{Short:ChaoticSignalExtraction:IJBC97}

923: Short, K.~M. [1997] \enquote{Signal extraction from chaotic

924: communications,}

925:   \emph{Int. J. Bifurcation and Chaos} \textbf{7}, 1579--1597.

926: 

927: \bibitem[{Short \& Parker(1998)}]{Short:UnmaskingHyperchaos:PRE98}

928: Short, K.~M. \& Parker, A.~T. [1998] \enquote{Unmasking a

929: hyperchaotic

930:   communication scheme,} \emph{Physical Review E} \textbf{58}, 1159--1162.

931: 

932: \bibitem[{Stojanovski \emph{et~al.}(1996)Stojanovski, Kocarev \&

933:   Parlitz}]{Kocarev:BreakingParameters:IJBC96}

934: Stojanovski, T., Kocarev, L. \& Parlitz, U. [1996] \enquote{A

935: simple method to

936:   reveal the parameters of the lorenz system,} \emph{Int. J. Bifurcation and

937:   Chaos} \textbf{6}, 2645--2652.

938: 

939: \bibitem[{Tao \emph{et~al.}(2003)Tao, Du \&

940:   Zhang}]{TaoDu:ChaoticCrytpanalysis:IJBC2003a}

941: Tao, C., Du, G. \& Zhang, Y. [2003] \enquote{Decoding digital

942: information from

943:   the cascaded heterogeneous chaotic systems,} \emph{Int. J. Bifurcation and

944:   Chaos} \textbf{13}, 1599--1608.

945: 

946: \bibitem[{Vaidya \& Angadi(2003)}]{Vaidya:DecodingChaoticSuperkey:CSF2003}

947: Vaidya, P.~G. \& Angadi, S. [2003] \enquote{Decoding chaotic

948: cryptography

949:   without access to the superkey,} \emph{Chaos, Solitons and Fractals}

950:   \textbf{17}, 379--386.

951: 

952: \bibitem[{Weisstein(2004{\natexlab{a}})}]{GeometricDistribution}

953: Weisstein, E.~W. [2004{\natexlab{a}}] \enquote{Geometric

954: distribution,} From

955:   MathWorld--A Wolfram Web Resource:

956:   \url{http://mathworld.wolfram.com/GeometricDistribution.html}.

957: 

958: \bibitem[{Weisstein(2004{\natexlab{b}})}]{StirlingApproximation}

959: Weisstein, E.~W. [2004{\natexlab{b}}] \enquote{Stirling's

960: approximation,} From

961:   MathWorld--A Wolfram Web Resource:

962:   \url{http://mathworld.wolfram.com/StirlingsApproximation.html}.

963: 

964: \bibitem[{Wu \& Chua(1993)}]{WuChua:CDM:IJBC93}

965: Wu, C.~W. \& Chua, L.~O. [1993] \enquote{A simple way to

966: synchronize chaotic

967:   systems with applications to secure communications systems,} \emph{Int. J.

968:   Bifurcation and Chaos} \textbf{3}, 1619--1627.

969: 

970: \bibitem[{Wu \emph{et~al.}(2004)Wu, Hu \& Zhang}]{WuHuZhang:CSF2004}

971: Wu, X., Hu, H. \& Zhang, B. [2004] \enquote{Analyzing and

972: improving a chaotic

973:   encryption method,} \emph{Chaos, Solitons and Fractals} \textbf{22},

974:   367--373.

975: 

976: \bibitem[{Xu \& Chee(2004)}]{XuChee:CSKwFS:IJBC2004}

977: Xu, D. \& Chee, C. [2004] \enquote{Chaotic encryption with

978: transient dynamics

979:   induced by pseudo-random switching keys,} \emph{Int. J. Bifurcation and

980:   Chaos} \textbf{14}, 3625--3631.

981: 

982: \bibitem[{Yang(1995)}]{Yang:STZCR:IJCTA95}

983: Yang, T. [1995] \enquote{Recovery of digital signals from chaotic

984: switching,}

985:   \emph{Int. J. Circuit Theory and Applications} \textbf{23}, 611--615.

986: 

987: \bibitem[{Yang(2004)}]{Yang:Survey:IJCC2004}

988: Yang, T. [2004] \enquote{A survey of chaotic secure communication

989: systems,} \emph{Int. J. Computational Cognition} \textbf{2},

990: 81--130.

991: 

992: \bibitem[{Yang \& Chua(1996)}]{Yang:CPM:IEEETCASI96}

993: Yang, T. \& Chua, L.~O. [1996] \enquote{Secure communication via

994: chaotic

995:   parameter modulation,} \emph{IEEE Trans. Circuits and Systems--I}

996:   \textbf{43}, 817--819.

997: 

998: \bibitem[{Yang \& Chua(1997)}]{Yang-Chua:ImpulsiveChaos:IJBC1997}

999: Yang, T. \& Chua, L.~O. [1997] \enquote{Impulsive control and

1000: synchronization

1001:   of nonlinear dynamical systems and application to secure communication,}

1002:   \emph{Int. J. Bifurcation and Chaos} \textbf{7}, 645--664.

1003: 

1004: \bibitem[{Yang \emph{et~al.}(1997)Yang, Wu \&

1005:   Chua}]{Yang-Wu-Chua:ChaoticCryptography:IEEETCASI1997}

1006: Yang, T., Wu, C.~W. \& Chua, L.~O. [1997] \enquote{Cryptography

1007: based on

1008:   chaotic systems,} \emph{IEEE Trans. Circuits and Systems--I} \textbf{44},

1009:   469--472.

1010: 

1011: \bibitem[{Yang \emph{et~al.}(1998{\natexlab{a}})Yang, Yang \&

1012:   Yang}]{Yang:SpectralCryptanalysis:PLA98}

1013: Yang, T., Yang, L.-B. \& Yang, C.-M. [1998{\natexlab{a}}]

1014: \enquote{Breaking

1015:   chaotic secure communications using a spectogram,} \emph{Physics Letters A}

1016:   \textbf{247}, 105--111.

1017: 

1018: \bibitem[{Yang \emph{et~al.}(1998{\natexlab{b}})Yang, Yang \&

1019:   Yang}]{Yang:GSCryptanalysis:IEEETCASI97}

1020: Yang, T., Yang, L.-B. \& Yang, C.-M. [1998{\natexlab{b}}]

1021: \enquote{Breaking

1022:   chaotic switching using generalized synchronization: Examples,} \emph{IEEE

1023:   Trans. Circuits and Systems--I} \textbf{45}, 1062--1067.

1024: 

1025: \bibitem[{Yang \emph{et~al.}(1998{\natexlab{c}})Yang, Yang \&

1026:   Yang}]{Yang:ReturnMapCryptanalysis:PLA98}

1027: Yang, T., Yang, L.-B. \& Yang, C.-M. [1998{\natexlab{c}}]

1028:   \enquote{Cryptanalyzing chaotic secure communications using return maps,}

1029:   \emph{Physics Letters A} \textbf{245}, 495--510.

1030: 

1031: \bibitem[{Yao \emph{et~al.}(2003)Yao, Essex \& Yu}]{Yao:HyperChaos:DCDISB2003}

1032: Yao, W., Essex, C. \& Yu, P. [2003] \enquote{A new chaotic system

1033: for better

1034:   secure communication,} \emph{Dynamics of Continuous Discrete and Impulsive

1035:   Systems--Series B: Applications \& Algorithms} \textbf{10}, 221--234.

1036: 

1037: \bibitem[{Zhou \& Lai(1999)}]{ZhouLai:ChaoticCryptanalysis:PRE99b}

1038: Zhou, C. \& Lai, C.-H. [1999] \enquote{Extracting messages masked

1039: by chaotic

1040:   signals of time-delay systems,} \emph{Physical Review E} \textbf{60},

1041:   320--323.

1042: 

1043: \bibitem[{Zhou \& Chen(1997)}]{Zhou:ExtractChaoticSignal:PLA97}

1044: Zhou, C.-S. \& Chen, T.-L. [1997] \enquote{Extracting information

1045: masked by

1046:   chaos and contaminated with noise: Some considerations on the security of

1047:   communication approaches using chaos,} \emph{Physics Letters A} \textbf{234},

1048:   429--435.

1049: 

1050: \end{thebibliography}

1051: 

1052: %\bibliographystyle{IJBC}

1053: %\bibliography{ref}

1054: 

1055: \iffalse

1056: 

1057: \clearpage

1058: 

1059: \center

1060: \begin{tabular}{lp{0.8\textwidth}}

1061: Fig. \ref{figure:RM_CSK} & The return maps constructed for a typical

1062: chaotic switching scheme.\\

1063: Fig. \ref{figure:RM_MSPM} & The return map constructed from $x_s$ in

1064: multistep parameter modulation.\\

1065: Fig. \ref{figure:RM_MSPMAD} & The return map constructed in

1066: multistep parameter modulation with alternative $x_s/y_s$ driving.\\

1067: Fig. \ref{figure:RM_bs} & A deterministic relationship between the

1068: return map and the modulated parameter $b_s$.\\

1069: Fig. \ref{figure:RM_Attack_MSPM} & The known/chosen-plaintext attack

1070: to multistep parameter modulation, when $10\leq t\leq 30$. Legend:

1071: \textcolor{red}{$\Diamond$} -- $0\leq t\leq 10$, $m(t)=1$,

1072: $b_s=3.5$; \textcolor{red}{$\ocircle$} -- $10\leq t\leq 20$,

1073: $m(t)=1$, $b_s=3.3$; \textcolor{red}{$\Box$} -- $20\leq t\leq 30$,

1074: $m(t)=0$, $b_s=3.4$.\\

1075: Fig. \ref{figure:differences_ds} & The first-order, second-order,

1076: 4th-order and 8-th order (from top to bottom) discrete-time

1077: differentiations of the transmitted signal $d_s$, where $\Delta

1078: t=0.01$.\\

1079: Fig. \ref{figure:RM_Attack_MSPMAD} & The known/chosen-plaintext

1080: attack to multistep parameter modulation, when $10\leq t\leq 30$.

1081: Legend: \textcolor{red}{$\Diamond$} -- $0\leq t\leq 10$,

1082: $x_s$-driving, $m(t)=1$, $b_s=3.9$; \textcolor{red}{$\ocircle$} --

1083: $10\leq t\leq 20$, $y_s$-driving, $m(t)=0$, $b_s=3.6$;

1084: \textcolor{red}{$\Box$} -- $20\leq t\leq 30$, $x_s$-driving,

1085: $m(t)=0$, $b_s=3.2$.

1086: \end{tabular}

1087: \fi

1088: 

1089: \end{document}

1090: