1: \documentclass[aps,pre,twocolumn,superscriptaddress,showpacs]{revtex4}
2: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
3: \usepackage{epsfig}
4: \usepackage{amsmath}
5:
6: \setcounter{MaxMatrixCols}{10}
7:
8: \begin{document}
9:
10: \title{Construction of a secure cryptosystem based on spatiotemporal chaos
11: and its application in public channel cryptography}
12: \author{Xingang Wang}
13: \affiliation{Temasek Laboratories, National University of Singapore, 117508, Singapore}
14: \author{Meng Zhan}
15: \affiliation{Temasek Laboratories, National University of Singapore, 117508, Singapore}
16: \author{Xiaofeng Gong}
17: \affiliation{Temasek Laboratories, National University of Singapore, 117508, Singapore}
18: \author{Choy Heng Lai}
19: \affiliation{Department of Physics, National University of Singapore, 117542, Singapore}
20:
21: \begin{abstract}
22: By combining the one-way coupled chaotic map lattice system with a
23: bit-reverse operation, we construct a new cryptosystem which is extremely
24: sensitive to the system parameters even for low-dimensional systems. The
25: security of this new algorithm is investigated and the mechanism of the
26: sensitivity is analyzed. We further apply this cryptosystem to public
27: channel cryptography, based on "Merkle's puzzles", by employing it both as a
28: set of pseudo-random-number (PN) generators and as a symmetric encryptor. With the
29: properties of spatiotemporal chaos, the new scheme is rich with new features
30: and shows some advantages in comparison with the conventional ones.
31: \end{abstract}
32:
33: \pacs{05.45.Vx}
34: \maketitle
35:
36: \textbf{One serious problem in chaos synchronization based encryptions is
37: that parameters close to the secret key can still synchronize systems to a
38: certain extent, and a regular structure usually appears in the key space
39: under the known-plaintext attack. In other words, there is always a key
40: basin of finite width around the secret key. The keys in this basin are
41: highly correlated, and the system security is broken once the location of
42: the key basin is located and explored. Although some methods, like those
43: exploiting spatiotemporal chaos or the modulo operation, can complicate the
44: cryptanalysis, system security is still vulnerable because the basin width
45: increases monotonically with the amount of known plaintext. In this paper,
46: we incorporate a conventional bit operation, the bit-reverse operation, into
47: spatiotemporal chaos, and find that the basin width shrinks to zero in terms
48: of the computational precision. This approach not only extends the
49: definition of the secret key to the real domain and enlarges the capacity of
50: the key space accordingly, but also overcomes the problem of correlations in
51: key basin entirely. Using the proposed cryptosystem both as a set of
52: pseudo-random-number (PN) generators and a symmetric encryptor, we further
53: investigate the feasibility of public channel cryptography based on chaos,
54: and propose a prototype for application. In comparison with the conventional
55: methods, the new model is superior in many aspects: flexibility,
56: manageability, and simplicity. These new features, together with the
57: experimental progress in chaos-based communication, make this scheme a good
58: candidate for public channel cryptography both in software and hardware.}
59:
60: \section{Introduction}
61:
62: As an important application of chaos, chaos-based secure communication and
63: cryptography attracted continuous interest over the last decade \cite%
64: {pecora,Carroll-IEEE,kocarev,cuomo,algorithm,roy,spatioencryption,ocml-hu-1,
65: ocml-hu-2,ocml-hu-3,EFA,encoding}. For convenience and flexibility, most of
66: the proposed schemes are based on the phenomenon of chaos synchronization,
67: where two chaotic systems can be synchronized through driving or coupling
68: \cite{pecora,syn-rep}. While synchronization brings certain advantages for
69: practical applications, it also presents some drawbacks on the system
70: security \cite{attacks-1,attack-2,attack-3}. Later it is found that even for high
71: dimensional chaotic systems, which usually possess higher complexity and
72: multiple positive Lyapunov exponents, the system security is still
73: vulnerable under some sophisticated attacks \cite{EFA}. Besides the problem
74: of security, in comparison to those conventional schemes used widely in
75: engineering, the performance of chaos encryptions is also disappointing in
76: other aspects, such as low encryption speed and high bit error rate
77: \cite{kocarev-ieee,Dachselt, Fraser}. How to design a secure yet
78: efficient cryptosystem has always been a challenge for the chaos
79: cryptographer.
80:
81: More recently, the study of applying one-way coupled map lattices (OCML) for
82: encryption sheds some new light on this research \cite{ocml-hu-1}. One
83: significant point of this scheme is that two classical numerical operations,
84: namely integration and modulation, are incorporated into the chaotic
85: dynamics. With these operations, system security, as well as other
86: performance indicators, can be greatly improved to a comparable level with
87: those of the conventional ones, such as DES and AES \cite{ocml-hu-2}. In a
88: most recent study \cite{ocml-hu-3}, system security is further improved by
89: adding an S-box, another technique typically used in conventional
90: encryptions, to the coupled lattices. As a result the capacity of the key
91: space is further enlarged and the system becomes even more sensitive to the
92: parameters. However, these schemes still suffer from the problem of the
93: "continuity" of chaotic dynamics, i.e., correlations still exist between the
94: keys \cite{EFA}.
95:
96: In conventional cryptography, encryption schemes are divided into symmetric
97: and asymmetric methods \cite{bruce-book}. In contrast to the symmetric
98: methods, the keys in the asymmetric methods are generated in pairs, a public
99: key and a private key, and it is computationally infeasible to deduce the
100: private key from the public key. Anyone with the public key can encrypt a
101: message but not decrypt it. Only the person with the private key can decrypt
102: the message. Mathematically, the process is based on the trap-door one-way
103: functions, and encryption is the easy direction and decryption is the
104: difficult direction. Communication strategies that use asymmetric methods
105: for encryption have much greater inherent security than symmetric methods,
106: since they eliminate the problem of key distribution, which itself can pose
107: the most serious security risk. However, most of the proposed chaos-based
108: encryption schemes are within the branch of symmetric methods, and little
109: attention has been paid to asymmetric encryptions, or public-key
110: cryptography (PKC) \cite{PKC-chaos}. Since all known PKC algorithms are
111: based on hard problems in number theory (factorization, knapsack,
112: discrete logarithms, etc.), it is of great interest, and a challenge, to
113: construct PKC algorithms based on dynamics.
114:
115: In the present work, we propose a new scheme of chaos-based symmetric
116: encryption and, using the proposed cryptosystem both as symmetric encryptor
117: and pseudo-random-number (PN) generators, design a prototype for public
118: channel cryptography. In the new cryptosystem, the outputs are extremely
119: sensitive to the secret key. Any detectable mismatch of the secret key, of
120: the order of the computer precision, will induce a totally different set of
121: outputs. Hence this scheme not only overcomes the basic problem of
122: "continuity" met in chaos-based encryptions, but also extends the definition
123: of the secret key to all real values in the key space. Borrowing the concept
124: of "Merkle's Puzzles" \cite{Merkle-puzzle}, we further construct a new model
125: for public channel cryptography where all blocks are endowed with
126: spatiotemporal chaos. In comparison with conventional methods, the new model
127: is found to be more efficient and flexible in some aspects.
128:
129: This paper is arranged as follows. In Section II we describe our new method
130: for constructing chaos-based cryptosystems and, in Section III, we give a
131: detailed discussion of its sensitivity and security. The prototype for PKC
132: is presented in Section IV, and the system security is analyzed in Section
133: V. We highlight the new features and advantages of the PKC in Section VI.
134:
135: \section{Constructing cryptosystem of high security}
136:
137: As cryptosystems based on low dimensional chaos have been shown \cite%
138: {attacks-1} to be vulnerable, there have been several efforts to improve the
139: security by employing spatiotemporal chaos \cite{spatioencryption}. Although
140: these cryptosystems perform well against some conventional attacks (like the
141: differential and linear attacks), and can even resist some classical
142: chaos-based attacks (like the return map and reconstruction attacks \cite%
143: {attacks-1}), they still suffer some inherent drawbacks from chaos dynamics
144: \cite{kocarev-ieee,EFA}. For example, when chaos synchronization is used for
145: encryption, the keys close to the secret key can still synchronize the
146: receiver system to a certain extent, thus forming a key basin around the
147: secret key. (For more details about the definition of key basin,
148: please refer to Refs. \cite{ocml-hu-1, EFA}.)
149: Since the system security is directly connected with the
150: structure of this basin, it can be broken once the location of this basin
151: is explored. Based on this, an effective known-plaintext attack \cite%
152: {bruce-book}, the error function attack (EFA), has been proposed
153: specifically for cracking chaos synchronization based cryptosystems \cite%
154: {EFA}. It is found that, under EFA, most of the proposed cryptosystems are
155: vulnerable or not secure at all, and for some situations the higher
156: dimensionality does not help to improve system security.
157:
158: The underlying reason for this "continuity" is that the Lyapunov exponent
159: (LE) in conventional chaotic systems is not large enough to quickly diffuse
160: the nearby states in phase space. It is thus natural to look to the
161: exploration and construction of chaotic systems with large LE for chaos
162: cryptography, at least as far as the EFA is concerned. Along this
163: direction, two methods have been proposed \cite{ocml-hu-2}: (1) using
164: several of the least significant digits as the output signals and, (2)
165: coupling lattices with a weak signal. Through these methods, system
166: sensitivity can be significantly improved, and the width of the key basin
167: shrinks accordingly. However, as pointed out in Ref. \cite{ocml-hu-3}, there
168: still exists a scaling between the amount of known plaintext and the width
169: of the key basin: the more plaintext is known, the wider the key basin will
170: be. In this respect, the problem of the key basin remains fundamentally
171: unsolved.
172:
173: We extend the study in Ref. \cite{ocml-hu-3} and aim to design cryptosystems
174: that are "truly" secure. By this we mean cryptosystems with the property
175: that the sizes of the key basins are of the order of the computational
176: precision (or the measure precision in practice), and which remain
177: unchanged with the amount of plaintext known to the attacker. Instead of the
178: S-box, we construct the transmitter by incorporating a bit-reverse
179: operation, $F$, into the one-way lattice ring of $N$ coupled logistic maps,
180: and the dynamics of the transmitter can be formulated as
181:
182: \begin{eqnarray}
183: x_{0}(n) &=&S_{N}(n)/2^{\upsilon }, \notag \\
184: x_{1}(n+1) &=&(1-\varepsilon _{1})f[x_{1}(n)]+\varepsilon _{1}f[x_{0}(n)],
185: \notag \\
186: x_{2}(n+1) &=&(1-\varepsilon _{2})f[x_{2}(n)]+\varepsilon
187: _{2}f\{F[x_{1}(n)]/2^{\upsilon }\}, \label{trans} \\
188: x_{i}(n+1) &=&(1-\varepsilon _{i})f[x_{i}(n)]+\varepsilon _{i}f[x_{i-1}(n)],
189: \notag \\
190: f &=&4x(1-x),\text{ \ }i=3,4,...,N, \notag
191: \end{eqnarray}%
192: with
193: \begin{eqnarray}
194: S_{N}(n) &=&\{\text{int}[x_{N}(n)\times 10^{h}]\}\text{ mod }2^{\upsilon },
195: \notag \\
196: F(x) &=&\text{Reverse}\{\text{int}[x\times 10^{h}]\text{ mod }2^{\upsilon
197: }\}. \label{reverse}
198: \end{eqnarray}%
199: Reverse$\{$ $\}$ represents a bit-reverse operation which reverses the bit
200: string of an integer and generates another integer as the output. $%
201: 2^{\upsilon }$ is a large integer and $10^{-h}$ is the computer precision.
202:
203: The dynamics of the receiver (denoted by variables $y_{i}(n)$, $i=1,2,...,N$%
204: ) is identical to that of the transmitter except that the first lattice, $%
205: y_{1}(n)$, is driven by $x_{0}(n)$. It can be proved that the two systems
206: can be synchronized under the same driver signal, $x_{0}(n)$, given $%
207: \varepsilon _{i}>0.75$, $i=1,2,...,N$. In our model, we fix $%
208: \varepsilon_{i}=0.95$, $i=2,...,N$, and adopt $\varepsilon _{1}$ as the
209: secret key and define the key space as $\varepsilon _{1}\in \lbrack 0.95,1)$.
210:
211: For encryption, at the transmitter side, each lattice except the first one
212: can be regarded as an encryptor. To encrypt a message $P_{i}(n)$ in the $i$%
213: th channel, we simply perform an XOR (exclusive OR) operation on this
214: message with the least significant $\upsilon $ bits of the information of $%
215: x_{i}(n)$, and the output ciphertext reads%
216: \begin{eqnarray}
217: C_{i}(n) &=&\text{XOR }[P_{i}(n),X_{i}(n)], \notag \\
218: X_{i}(n) &=&\{\text{int}[x_{i}(n)\times 10^{h}]\}\text{ mod }2^{\upsilon },%
219: \text{ \ }i=2,...,N \label{integer}
220: \end{eqnarray}%
221: The ciphertexts, $C_{i}(n)$, and driver signal $x_{0}(n)$ are then
222: transmitted to the receiver. The receiver recovers the transmitted message
223: through the function%
224: \begin{equation}
225: P_{i}^{\prime }(n)=\text{XOR }[C_{i}(n),Y_{i}(n)],\text{ \ }i=2,...,N
226: \end{equation}%
227: with $Y_{i}(n)$ having the same definition as $X_{i}(n)$ but at the receiver
228: end. With the same secret key, $\varepsilon _{1}$, the two systems, $x$ and $%
229: y$, can be completely synchronized, and we finally have $P_{i}^{\prime
230: }(n)=P_{i}(n)$.
231:
232: \section{Security analysis}
233:
234: The key point of this cryptosystem is the bit-reverse operation adopted in
235: Eqs. \ref{trans}. Since the only secret of symmetric encryption is the key,
236: the central task of such a cryptosystem is to make the outputs, $X_{i}$, as
237: sensitive to the secret key as possible. In this scheme, any detectable
238: mismatch of $\varepsilon _{1}$ (of the order of computer precision) will
239: affect at least the value of the last bit in $X_{1}$. Due to the bit-reverse
240: function, this least significant bit becomes the most significant one when
241: coupled to $x_{2}$, and thus induces a large difference in $X_{2}$ and other
242: outputs as well. This is further reflected in the behavior of the LE: the
243: bit-reverse operation is equivalent to increasing the largest LE (LLE) by
244: about $h\ln 10$. Thus, the LLE in the newly constructed cryptosystem is
245: estimated to be%
246: \begin{equation}
247: \lambda ^{\prime }\approx \lambda +h\ln 10,
248: \end{equation}%
249: with $\lambda $ being the original LLE\ of OCML. For computations with
250: double arithmetic precision, $h=16$, and with the last $\upsilon =30$ bits of
251: information adopted as the outputs, the value of the LLE\ for $N=5$ coupled
252: lattices is about $\lambda ^{\prime }\approx 45$, a value which can diffuse
253: any detectable mismatch of the secret key, $\varepsilon _{1}$, to the order
254: of its key space within a few iterations, and thus totally confuses the
255: "continuity" property in chaos dynamics.
256:
257: For an eavesdropper, it is easier to attack the $2$nd channel than the
258: others (studies show that the security of the encryption channel increases
259: exponentially with the size of the OCML \cite{ocml-hu-2}). We will thus focus on
260: evaluating the security of this channel in the following. Assuming that the
261: eavesdropper knows the whole dynamics of Eqs. \ref{trans} and can obtain a
262: large amount of plaintext-ciphertext pairs, all he/she needs is to explore
263: the secret key, $\varepsilon _{1}$, or the key basin where it is located
264: (we consider here the most common attack used in cryptanalysis: the
265: known-plaintext attack). By trying some test keys, $\varepsilon _{1}^{\prime
266: }$, the eavesdropper can study the structure of the key basin by the EFA
267: function \cite{EFA},%
268: \begin{equation}
269: e_{2}(\varepsilon _{1}^{\prime })=\frac{1}{T}\overset{T}{\underset{n=1}{\sum
270: }}\left\vert P_{2,\varepsilon _{1}^{\prime }}^{\prime }(n)-P_{2,\varepsilon
271: _{1}}(n)\right\vert ,
272: \end{equation}%
273: with $T$ the amount of known plaintext and $P_{2,\varepsilon _{1}^{\prime
274: }}^{\prime }$ the test plaintext generated under the test key $\varepsilon _{1}^{\prime }$%
275: . Usually there will exist a key basin of a certain width around the secret
276: key, and the system security will be compromised once this basin is explored.
277:
278: \begin{figure}[tbp]
279: \epsfig{figure=fig1.eps,width=0.8\linewidth}
280: \caption{For OCMLs of size $N=5$ and $T=2 \times 10^{6}$ known plaintexts,
281: the EFA results of the second channel for encryption schemes: (a) proposed
282: in Ref. \protect\cite{ocml-hu-1}, and (b) proposed in Section II. The width
283: of the key basin in (b)\ is the same as the computer precision, $10^{-16}$,
284: and does not change as $T$ increases.}
285: \label{fig:EFA}
286: \end{figure}
287:
288: In Fig. 1(a), we plot the EFA result of the model used in Ref. \cite%
289: {ocml-hu-1} with respect to the mismatch between the test key and the secret
290: key, $\Delta \varepsilon =\varepsilon _{1}^{\prime }-\varepsilon _{1}$. It
291: can be seen that around the secret key there exists a smooth basin with a
292: width of at least $10^{-7}$. With this basin structure, once the
293: location of the key basin is explored, one can easily get close to the
294: secret key, which is located at the bottom of the key basin, using only
295: a few test keys and some optimized search method. As a comparison, we also plot
296: in Fig. 1(b) the EFA result of Eqs. \ref{trans}. It is found that the width
297: of the key basin is just the same as the computer precision $10^{-16}$. The
298: interesting feature is that, in Fig. 1(b), the width of the key basin does
299: not increase with $T$. We plot Figs. 1(a) and (b)\ using $T=2\times 10^{6}$
300: known plaintexts, and have also tested different values of $T$ up to $10^{9}$. The
301: results confirmed that there is no change for these structures, and that the
302: basin in Fig. 1(b)\ still has the width of the order of the computer
303: precision. This property can be immensely useful in preventing attempts to
304: undermine the system security by studying the key basin structure (according
305: to the study of Ref. \cite{ocml-hu-3}, even in systems where the modulo
306: operation is adopted, the relation between the key basin width, $W$, and the
307: amount of known plaintext, $T$, follows the scaling $W\propto T^{0.3}$).
308:
309: Two points make this new cryptosystem distinctive and advantageous over other
310: schemes. Firstly, the capacity of the key space can be further extended.
311: Every real value in the key space can be regarded as an independent secret
312: key, and the number of independent keys in the key space is limited only by
313: the computer precision. Secondly, the inherent property of "continuity" in
314: chaotic systems is now avoided entirely at the level of computational
315: precision. This renders it hopeless for those attacks based on analyzing the
316: structure of the key basin. For other encryption performance indicators
317: (such as the properties of diffusion and confusion, correlations,
318: robustness, etc.), our numerical simulations \cite{spread-spectrum-STC}
319: confirmed that there is no difference between this new cryptosystem and the
320: former schemes (Ref. \cite{ocml-hu-1,ocml-hu-2}).
321:
322: \section{Applying chaos-based cryptosystem for public channel cryptography}
323:
324: Besides encryption, due to its excellent statistical properties, the
325: proposed cryptosystem can also be used as a set of
326: pseudo-random-number (PN) generators. For this purpose, each lattice can be
327: regarded as an independent PN generator, and all these generators produce PN
328: sequences simultaneously. We have checked the random properties of these
329: sequences with different types of evaluations (such as the run distribution,
330: balance, power spectrum density, etc.) for arbitrary plaintexts, and they
331: passed all these checks satisfactorily \cite{spread-spectrum-STC}. In
332: addition, in comparison with the conventional PN sequences, these new
333: sequences possess extremely long periods which increase exponentially both
334: with the system size and the computer precision. Another interesting observation is that although
335: there is no statistical correlation between these sequences, the lattices are
336: still under the dynamical relation of generalized synchronization (GS) \cite%
337: {GS}. This special property can be of great use in certain situations where
338: a large number of independent PN generators are required to operate simultaneously,
339: and yet are to be kept in step in some sense.
340: The GS relation between lattices also makes it possible to
341: manipulate all these generators with only a few controllers. Rather than adjusting all
342: parameters in the generators, now we are able to generate a totally
343: different set of PN sequences through resetting only one or a few parameters.
344:
345: In the field of conventional cryptography, there is one type of PKC, namely
346: the "Merkle's Puzzles", whose security depends on the protocol rather than
347: number theory. Different from the other PKC schemes, where both the public key
348: and private key are predefined, in "Merkle's Puzzles", both keys are decided
349: by the receiver at random, and the keys will be destroyed after each
350: transmission. A set of independent PN generators and one efficient symmetric
351: encryptor are the basic blocks for this PKC. In conventional methods,
352: usually it is difficult to manage (mainly store and compare) such a large number
353: of PNs; it is also not easy to find a symmetric encryptor whose security
354: can be adjusted flexibly so as to keep pace with the improving computer speed.
355: In this section, we will apply the above proposed cryptosystem on "Merkle's
356: Puzzles".
357:
358: \begin{figure}[tbp]
359: \epsfig{figure=fig2.eps,width=0.8\linewidth}
360: \caption{Prototype for public channel cryptography constructed by three
361: OCMLs. The dashed lines represent feedback or driving signals, shadowed numbers represent
362: the identification codes, and "//" means that OCML "K" is triggered once per time
363: interval $T^{\prime }$.}
364: \label{fig:PKC}
365: \end{figure}
366:
367: The prototype of the PKC is plotted in Fig. 2. The transmitter is composed of
368: two OCMLs, OCML "K" ("K") used as PN generators and OCML "A" ("A") used as
369: symmetric encryptor. The receiver comprises the decryptor OCML "B" ("B").
370: All OCMLs follow Eqs. \ref{trans}. Without "K", the dynamics of the
371: transmitter is identical to that of the receiver, and it is just the
372: cryptosystem for symmetric encryption proposed in Section II. "S" represents
373: the bit-reverse operation in Eqs. \ref{reverse}. "K" has two functions: (1)
374: generating plaintext for "A" and, (2) modulating the coupling strength of
375: the first lattice (which is used as the session key for the symmetric
376: encryptions between "A" and "B"), $\varepsilon _{1,A}$, in "A". "K" is triggered for each time
377: interval $T^{\prime }$, a session during which both the plaintext and $%
378: \varepsilon _{1,A}$ remain constant. Following that, in the next $T^{\prime }$
379: iterations, "A" encrypts the plaintext output by "K" repeatedly under the
380: session key $\varepsilon _{1,A}(j)$, with $j$ the iteration time of "K".
381:
382: For the transmitter, the only secret is the parameter $\varepsilon_{1,K}$.
383: Both the dynamics, "K" and "A", and the initial conditions of "K" are
384: public. The transmitter has two missions: producing a large number of
385: encryption sessions and deducing the private key chosen by the receiver. For
386: the receiver, the dynamics is public and, before deciding on the public keys,
387: the authorized receiver has no privilege over the eavesdropper. The task of
388: the receiver is to decrypt one of the transmitted sessions at random, and
389: return the decrypted plaintexts, the public keys, to the transmitter
390: through the public channel.
391:
392: The details about how to transmit a private key through the public channel can
393: be described as follows (for OCMLs of size $N=5$):
394:
395: \begin{enumerate}
396: \item "K" generates $5$ integers, $X_{i,K}(j)$, $i=1,...,5$, by Eqs. \ref%
397: {integer}, and marks each of the latter four integers with an identification code $%
398: I_{i,K}$. For instance, in Fig. 2, let us assume the binary format of the
399: generated integer by $x_{2,K}$ is $X_{2,K}(j)=$`$001$', and mark it with an
400: identification code $I_{2,K}=$`$000000$'. (For simplicity, the word lengths of the integer
401: and the identification code here are just used to illustrate the operations, and in
402: actual simulations both have a word length of $\upsilon =30$.) The identification
403: code is only used for marking the channels and is also public. There is no
404: identification code for $X_{1,K}(j)$, which will be used to modulate the parameter
405: $\varepsilon _{1,A}$ in "A". After this, "K" will be dormant until triggered
406: again for the next session after time $T^{\prime }$.
407:
408: \item Treating all the marked integers as plaintext, each channel of "A",
409: according to Eqs. \ref{integer}, encrypts the same plaintext repeatedly for $%
410: T^{\prime}$ times under the same session key, $\varepsilon _{1,A}(j)$, which
411: is modulated by the integer $X_{1,K}(j)$ through function%
412: \begin{equation}
413: \varepsilon _{1,A}(j)=0.95+\frac{1}{20}X_{1,K}(j)/2^{\upsilon }.
414: \label{modu}
415: \end{equation}
416:
417: \item The transmitter repeats steps (1)\ and (2) until a large number, $L$,
418: of sessions are generated and transmitted to the receiver.
419:
420: \item "B" chooses one session at random and performs a brute-force attack to
421: recover the session key $\varepsilon _{1,A}(j)$ by checking the decrypted
422: channel identification codes (which are predefined and public) through
423: synchronization. ($T^{\prime }$ is set so as to ensure that "A" and "B"
424: can be synchronized for any random initial conditions. In this prototype, $%
425: T^{\prime }=100$ is large enough for this purpose.) This is a large, but still
426: manageable, amount of work.
427:
428: \item After being able to crack one of the sessions successfully, "B" keeps the last
429: recovered plaintext $X_{5,K}(j)$ as the private key and returns all other
430: recovered plaintexts, $X_{i,K}(j)$, $i=2,3,4$, to the transmitter together
431: with their identification codes. The return messages are transferred to "K" in the
432: form of plaintext and are public to everyone. These plaintexts make up the
433: set of public keys.
434:
435: \item After receiving the public keys, the transmitter runs "K" with the
436: predefined initial conditions (which are also public) and his secret key $%
437: \varepsilon _{1,K}$ (known only to the transmitter). Once the outputs of the
438: lattices match up the returned public keys in each corresponding channel
439: simultaneously, the transmitter will know that the output of the last
440: lattice, $X_{5,K}(j)$, is the private key which the receiver had chosen, and
441: which will be used for later communications.
442: \end{enumerate}
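The following Python program is an added illustration, not the authors' Fortran90 code, of the cryptosystem of Eqs. \ref{trans}-\ref{integer} (Section II), the EFA function $e_{2}$ (Section III) and steps (1)-(6) above. Every numeric choice in it is a constructed assumption: the secret keys, initial conditions, plaintexts and identification codes, the layout of the marked integers (code on even iterations, value on odd ones), $T^{\prime }=200$ for synchronization margin, and a session-key space of $2^{8}$ values of Eq. \ref{modu} so that the receiver's brute force finishes in seconds.

```python
"""Added illustration (not the authors' Fortran90 code) of the OCML cryptosystem
of Section II, the EFA function e_2 of Section III and the "Merkle's puzzles"
exchange of Section IV.  All constants below are constructed for the demo."""
import random

N, H, NU = 5, 16, 30        # lattice size, precision 10^-h, output word length v
MOD = 1 << NU               # 2^v
EPS = 0.95                  # eps_i for i = 2..N (eps_1 is the secret key)
T_PRIME = 200               # session length (the paper uses 100; margin here)
KEY_BITS = 8                # 2^8 session keys (10^8 in the paper's simulation)
ID_CODES = {i: (0x2A5F1B3 * i) % MOD for i in range(2, N + 1)}  # public I_{i,K}

def f(x):                   # logistic map of Eqs. (trans)
    return 4.0 * x * (1.0 - x)

def low_bits(x):
    """{int[x * 10^h]} mod 2^v: the last v bits of x, Eq. (integer)."""
    return int(x * 10 ** H) % MOD

def bit_reverse(v):
    """Reverse{} of Eq. (reverse): reverse the v-bit string of an integer."""
    return int(format(v, f"0{NU}b")[::-1], 2)

def ocml_step(x, x0, eps1):
    """One iteration of Eqs. (trans); x = [x_1..x_N], x0 = driver x_0(n)."""
    new = [(1 - eps1) * f(x[0]) + eps1 * f(x0),
           (1 - EPS) * f(x[1]) + EPS * f(bit_reverse(low_bits(x[0])) / MOD)]
    for i in range(2, N):
        new.append((1 - EPS) * f(x[i]) + EPS * f(x[i - 1]))
    return new

def encrypt(plain, eps1, rng):
    """Transmitter: plain[n] = {i: P_i(n)}; returns [(x_0(n), {i: C_i(n)})]."""
    x = [rng.random() for _ in range(N)]        # transmitter state, never sent
    sent = []
    for p in plain:
        x0 = low_bits(x[N - 1]) / MOD           # driver signal, transmitted
        sent.append((x0, {i: p[i] ^ low_bits(x[i - 1]) for i in p}))
        x = ocml_step(x, x0, eps1)
    return sent

def decrypt(sent, eps1, rng):
    """Receiver: y_1 driven by the received x_0; returns [{i: P'_i(n)}]."""
    y = [rng.random() for _ in range(N)]        # arbitrary initial state
    rec = []
    for x0, c in sent:
        rec.append({i: c[i] ^ low_bits(y[i - 1]) for i in c})
        y = ocml_step(y, x0, eps1)
    return rec

def efa(plain2, eps1, eps1_test, transient=300):
    """e_2(eps1') of Section III on channel 2; the first `transient` iterations
    (receiver synchronization, a choice of this example) are left out."""
    sent = encrypt([{2: p} for p in plain2], eps1, random.Random(1))
    rec = decrypt(sent, eps1_test, random.Random(2))
    errs = [abs(r[2] - p) for r, p in zip(rec[transient:], plain2[transient:])]
    return sum(errs) / len(errs)

def session_key(x1k):
    """Eq. (modu) applied to the top KEY_BITS bits of X_{1,K} (reduced space)."""
    return 0.95 + (x1k >> (NU - KEY_BITS)) / (20 * 2 ** KEY_BITS)

def run_k(eps1k, L):
    """"K": public initial state, secret eps_{1,K}; X_{i,K}(j) for j = 1..L."""
    x, outs = [0.1 * (i + 1) for i in range(N)], []
    for _ in range(L):
        x = ocml_step(x, low_bits(x[N - 1]) / MOD, eps1k)
        outs.append([low_bits(v) for v in x])
    return outs

def make_session(X, rng):
    """Steps 1-2: "A" encrypts the marked integers for T' iterations under the
    session key; even n carry I_{i,K}, odd n carry X_{i,K} (layout assumed)."""
    plain = [{i: ID_CODES[i] if n % 2 == 0 else X[i - 1] for i in ID_CODES}
             for n in range(T_PRIME)]
    return encrypt(plain, session_key(X[0]), rng)

def open_session(sent):
    """Step 4: "B" tries every session key; a key is accepted only when all four
    decrypted identification codes match the public I_{i,K} after T' steps."""
    for k in range(2 ** KEY_BITS):
        eps = 0.95 + k / (20 * 2 ** KEY_BITS)
        rec = decrypt(sent, eps, random.Random(k))
        if all(rec[-2][i] == ID_CODES[i] for i in ID_CODES):
            return {i: rec[-1][i] for i in ID_CODES}      # recovered X_{i,K}(j)
    return None

def merkle_exchange(eps1k, L, seed=3):
    """Steps 3, 5, 6: returns (receiver's private key, transmitter's result)."""
    rng = random.Random(seed)
    sessions = [make_session(X, rng) for X in run_k(eps1k, L)]
    values = open_session(sessions[rng.randrange(L)])        # receiver's choice
    if values is None:
        return None, None
    public_keys = {i: values[i] for i in (2, 3, 4)}          # sent in the clear
    for X in run_k(eps1k, L):                  # trap door: regenerate "K"
        if all(X[i - 1] == public_keys[i] for i in public_keys):
            return values[N], X[N - 1]
    return values[N], None
```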
443:
444: \section{Security of public channel cryptography}
445:
446: The security of this PKC depends on the number of sessions transmitted. The
447: eavesdropper can break this system, but he has to do far more work than
448: either the transmitter or the receiver. To recover the private key $%
449: X_{5,K}(j)$ in steps (4) and (5), on average, he has to perform a brute-force attack
450: against about half of the transmitted sessions generated in step (3). Assuming that in total
451: there are $L$ sessions transmitted in the public channel, the attack of the
452: eavesdropper has a complexity of $L/2$ times that of the receiver. The public
453: keys, $X_{i,K}(j)$, $i=2,3,4$, will not help the eavesdropper either; they
454: are independent PNs generated by the cryptosystem Eqs. \ref{trans}. In
455: general, the eavesdropper has to expend approximately the square of the
456: effort that the receiver expends. This advantage is small by cryptographic
457: standards, but in some circumstances it may be enough. For instance, in
458: simulations (on a Pentium computer with a 2 GHz CPU and 521M RAM, Fortran90 compiler), we set
459: the duration for each session as $T^{\prime }=100$ and the key space of the
460: range $\varepsilon _{1,A}\in \lbrack 0.95,0.95+1\times 10^{-8}]$, the
461: transmitter can generate about $L\approx 1\times 10^{8}$ sessions in one
462: minute, and the receiver needs another minute to explore one session key $%
463: \varepsilon _{1,A}(j)$. However, with the same computing facilities, it will
464: take the eavesdropper about two years to break the system, a time that is
465: likely to be longer than the useful lifetime of the secret message.
466:
467: The eavesdropper can of course attack only the private key $X_{5,K}$ used in
468: the later communications, without considering the problem of PKC. But with
469: the system under consideration, the private key can be combined randomly and
470: adjusted freely both in length and position. While this adds no additional
471: cost to PKC, it will be a disaster for an eavesdropper and he/she finally
472: has to fall back on attacking the sessions. Meanwhile, the excellent
473: performance on correlations of the system prevents any attempt to deduce the
474: private key $X_{5,K}(j)$ from the public keys $X_{i,K}(j)$, $i=2,3,4$. The
475: knowledge of the initial conditions cannot help with predicting $\varepsilon
476: _{1,K}(j)$ or $X_{5,K}(j)$ either. With the bit-reverse operation, the
477: difference between two corresponding outputs, $\Delta X_{i,K}(j)=\left\vert
478: X_{i,K}(j)-X_{i,K^{\prime }}(j)\right\vert $, increases to the order of
479: attractor size within a few iterations, and after that the behavior of the
480: two systems is totally different. (For example, with $N=5$ and $\Delta
481: \varepsilon =\varepsilon _{1,K}-\varepsilon _{1,K^{\prime }}=10^{-16}$, it
482: needs only about $5$ iterations on average for $\Delta X>1/3$, a simple criterion in testing randomness \cite{ocml-hu-1}.) So the only
483: thing the eavesdropper can do is to find out the secret key $\varepsilon
484: _{1,K}$. The problem of security returns to that of the symmetric
485: cryptography and, according to our security analysis in Section III, there
486: is no shortcut but to try all the possible values of $\varepsilon _{1,K}$ in
487: $[0.95,1)$ or an even larger range.
488:
In summary, the practical security of PKC relies only on that of the
symmetric encryption, both for the PN generator, "K", and the encryptor,
"A". As long as no systematic cryptanalysis has been developed for the new
cryptosystem, the proposed PKC remains secure.
493:
494: \section{Discussion and conclusion}
495:
496: While the incorporated bit-reverse operation improves the security of the
497: chaos-based cryptosystem to a new level, the adaptation of this cryptosystem
498: for PKC brings new features and advantages for other real applications as
499: well.
500:
501: \begin{itemize}
\item Unlike conventional approaches, the same cryptosystem, Eqs. \ref{trans},
can be used both as encryptor and as PN generator. This feature brings
convenience to both security analysis and model design.
505:
\item In conventional methods, the transmitter has to store all the PNs in a
group and find the private key which matches the returned public keys by
a brute-force comparison, which usually involves large amounts of memory
space and computing resources. By adopting "K" as the PN generator, all
these keys can be regenerated automatically through the dynamics of OCML.
Since the security of PKC relies on the number of sessions transmitted, this
property also makes it possible to implement PKC in situations where memory
space is scarce and computer speed is limited.
514:
\item Although one could replace each lattice in "K" with a separate
conventional PN generator, in real applications it is usually hard to keep
them working in step. This problem does not appear for OCML, where all
sequences are output simultaneously under the relation of GS.
519:
520: \item The process of recovering the private key $X_{5,K}(j)$ from the public
521: keys $X_{i,K}(j)$, $i=2,3,4$, is achieved by the trap-door $\varepsilon
522: _{1,K}$, the only secret of the transmitter. With the trap-door, it is easy
523: to recover all keys of the chosen session, but this fails for any detectable
524: mismatch. In this regard, the proposed OCML actually can be used as a
525: one-way function with the trap-door $\varepsilon _{1,K}$.
526: \end{itemize}
527:
The proposed PKC also enjoys all the advantages of traditional chaotic systems.
The security of encryptor "A" can be upgraded easily either by enlarging its
key space or by combining more couplings into the session key, which makes this
scheme easily adjustable to different security requirements. In addition to
the implementations in software, the proposed scheme is expected to be
efficient in hardware as well, judging from the progress in chaos
experiments \cite{chaosexperiment}. The dynamics-based cryptography makes it
not only easy to formulate and analyze system security in theory, but also
simple to design and operate the constructed cryptosystems in applications.
Meanwhile, the performance of PKC can be further enhanced by chaos-based
spread-spectrum communications \cite{spread-spectrum-STC}. Since the
security of PKC relies on the number of transmitted sessions, it is highly
recommended to transmit these data through a wide-band channel so as to
achieve a high speed, and chaotic signals, with their excellent correlation
properties, can be used for this purpose directly.
543:
In conclusion, we have proposed in this paper a way of improving the security of chaos-based
cryptosystems to the order of the measurement precision, and applied it to PKC by
using the system both as PN generator and as symmetric encryptor.
By incorporating the conventional bit-reverse operation, we successfully
overcome the problem of "continuity" in chaotic systems, and equip the
conventional scheme of PKC with the new characteristics of spatiotemporal chaos.
550:
551: \begin{thebibliography}{99}
\bibitem{pecora} L.M. Pecora and T.L. Carroll, Phys. Rev. Lett. \textbf{64}, 821
(1990).
554:
555: \bibitem{Carroll-IEEE} T.L. Carroll and L.M. Pecora, IEEE Trans. Circuits
556: Syst. \textbf{38}, 453 (1991).
557:
\bibitem{kocarev} L. Kocarev, K.S. Halle, K. Eckert, L.O. Chua, and U.
Parlitz, Int. J. Bifurcation Chaos Appl. Sci. Eng. \textbf{2}, 709 (1992).
560:
\bibitem{cuomo} L.M. Cuomo and A.V. Oppenheim, Phys. Rev. Lett. \textbf{71}, 65
(1993).
563:
\bibitem{algorithm} S. Hayes, C. Grebogi, E. Ott, and A. Mark, Phys. Rev. Lett.
\textbf{73}, 1781 (1994); D. Gligoroski, D. Dimovski, L. Kocarev, V. Urumov,
and L.O. Chua, Int. J. Bifurcation Chaos Appl. Sci. Eng. \textbf{6}, 2119 (1996);
M.S. Baptista, Phys. Lett. A \textbf{240}, 50 (1998).
568:
569: \bibitem{roy} G.D. Vanwiggeren and R. Roy, Science \textbf{279}, 1198
570: (1998); Phys. Rev. Lett. \textbf{81}, 3547 (1998); J. Garcia-Ojalvo and R.
571: Roy, \textit{ibid}. \textbf{86}, 5204 (2001).
572:
\bibitem{spatioencryption} L. Kocarev and U. Parlitz, Phys. Rev. Lett.
\textbf{74}, 5028 (1995); S. Papadimitriou, A. Bezerianos, and T. Bountis, IEEE
Trans. Comput. \textbf{48}, 27 (1997); M.C. Mackey and L. Glass, Science
\textbf{197}, 287 (1977); C.M. Kim, S. Rim, and W.H. Kye, Phys. Rev. Lett.
\textbf{88}, 14103 (2002).
578:
579: \bibitem{ocml-hu-1} S.H. Wang, J. Kuang, J. Li, Y. Luo, H. Lu, and G. Hu,
580: Phys. Rev. E \textbf{66}, 65202 (2002).
581:
\bibitem{ocml-hu-2} S.H. Wang, W.P. Ye, H.P. Lu, J.Y. Kuang, J.H. Li, Y.L.
Luo, and G. Hu, Commun. Theor. Phys. \textbf{40}, 57 (2003).
584:
\bibitem{ocml-hu-3} G. Tang, S. Wang, H. L\"{u}, and G. Hu, Phys. Lett. A
\textbf{318}, 388 (2003).
587:
588: \bibitem{EFA} X.G. Wang, M. Zhan, C.-H. Lai, and G. Hu, Chaos \textbf{14},
589: 128 (2004).
590:
591: \bibitem{encoding} X.F. Gong, X.G. Wang, M. Zhan, and C.-H. Lai, Chaos
592: \textbf{14}, 358 (2004).
593:
594: \bibitem{syn-rep} S. Boccaletti, J. Kurths, G. Osipov, D.L. Valladares, and
595: C.S. Zhou, Phys. Rep. \textbf{366}, 1 (2002).
596:
\bibitem{attacks-1} G. Perez and H.A. Cerdeira, Phys. Rev. Lett. \textbf{74},
1970 (1995); K.M. Short and A.T. Parker, Phys. Rev. E \textbf{58}, 1159
(1998); C. Zhou and C.-H. Lai, \textit{ibid}. \textbf{60}, 320 (1999).
600:
\bibitem{attack-2} G.J. Hu, Z. Feng, and R.L. Meng, IEEE Trans. Circuits Syst.
I: Fundam. Theory Appl. \textbf{50}, 275 (2003).
603:
\bibitem{attack-3} G. \'{A}lvarez, F. Montoya, G. Pastor, and M. Romera, Chaos \textbf{14},
274 (2004).
606:
\bibitem{kocarev-ieee} L. Kocarev, IEEE Circuits Syst. Mag. \textbf{1}, 6
(2001).
609:
\bibitem{Dachselt} F. Dachselt and W. Schwarz, IEEE Trans. Circuits Syst.
I: Fundam. Theory Appl. \textbf{48}, 1498 (2001).
612:
\bibitem{Fraser} B. Fraser, P. Yu, and T. Lookman, Phys. Rev. E \textbf{66},
17202 (2002).
615:
\bibitem{bruce-book} B. Schneier, \textit{Applied Cryptography:\ Protocols,
Algorithms, and Source Code in C} (Wiley, New York, 1996).
618:
619: \bibitem{PKC-chaos} R. Tenny, L.S. Tsimring, L. Larson, and H.D.I.
620: Abarbanel, Phys. Rev. Lett. \textbf{90}, 047903 (2003); R. Mislovaty, E.
621: Klein, I. Kanter, and W. Kinzel, \textit{ibid}. \textbf{91}, 118701 (2003).
622:
\bibitem{Merkle-puzzle} R.C. Merkle, Commun. ACM \textbf{21}, 294 (1978).
625:
626: \bibitem{spread-spectrum-STC} X.G. Wang, M. Zhan, C.-H. Lai, and X.F. Gong,
627: (to appear).
628:
629: \bibitem{GS} N.F. Rulkov, M.M. Sushchik, L.S. Tsimring, and H.D.I.
630: Abarbanel, Phys. Rev. E \textbf{51}, 980 (1995).
631:
632: \bibitem{chaosexperiment} A.S. Dmitriev, B.E. Kyarginskii, A.I. Panas, D.Yu.
633: Puzikov, and S.O. Starkov, Tech. Phys. Lett. \textbf{29}, 72 (2003).
634: \end{thebibliography}
635:
636: \end{document}
637: