Framework for the analysis and design of encryption strategies based on discrete-time chaotic dynamical systems

Framework for the analysis and design of encryption strategies based on discrete-time chaotic dynamical systems ˜ David Arroyo Guardeno

From chaos to cryptography Why? How? Design Rules Critical 1 2 3 contexts

Perfect secrecy Good mixing properties. . . Hopf: dough rolling and folding. . .

Initial condition Sensitivity Diffusion Control parameter Mixing Ergodicity Confusion

ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time

ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time Synchronization

ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time Synchronization Security problems

ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time Synchronization Differential Equations Security problems

ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time Synchronization Differential Equations Security problems Dimension > 2

ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time Synchronization Differential Equations Security problems Dimension > 2 Efﬁciency problems

How to design secure digital chaos-based cryptosystems

Avoid critical contexts Conventional cryptography Chaos theory Standards Loss of chaoticity Commitments Reconstruction of the underlying dynamics Conventional attacks

Loss of chaoticity Why? How? Design Rules Critical 1 2 3 contexts

For xk+1 = f (λ , xk ) = fλ (xk ) it can not be assumed chaos for all λ

C. Chee and D.Xu, “Chaotic encryption using discrete- time synchronous chaos,” Physics Letters A, 2006, 348, 284-292

2 uk+1 1 − δ · uk + vk xk+1 = = vk+1 β · vk δ = ψ (pk ) · µ1 (vk ) β = µ2 (vk )

2 1.8 Unbounded δ 1.6 1.4 Periodic 1.2 −0.4 −0.2 0 0.2 0.4 β

1.6 1.4 1.2 1 Asymptotic values 0.8 0.6 0.4 0.2 0 −0.2 0 0.5 1 1.5 2 2.5 3 Plaintext block values 14 x 10

David Arroyo et al., “Cryptanalysis of a discrete-time synchronous chaotic encryption system,” Physics Letter A, 2008, 372, 1034-1039

Reconstruction of dynamics Why? How? Design Rules Critical 1 2 3 contexts

Estimation of λ and/or x0 after applying conventional attacks 1 Access to chaotic orbits 2 We can measure the entropy of the underlying chaotic map 3 Access to samples of chaotic orbits 4 Access to coarse-grained versions of chaotic orbits

xi+1 xi+1 = f (xi ) Orbit : {x0, x1, . . .} f (a) = f (b), f (xc ) ≤ b xc = Single turning point f continuous in [a, b] xi a xc b

Logistic map: xi+1 = λ xi (1 − xi ) xi+1 λ xi 0 xc 1

xi /λ 0 < xi < λ Skew tent map: xi+1 = (1 − xi )/(1 − λ ) λ ≥ xi < 1 xi+1 λ xi 0 1

Access to chaotic orbits Ciphertext is a function of a chaotic orbit

Access to chaotic orbits Ciphertext is a function of a chaotic orbit Only the chaotic orbit is secret

Access to chaotic orbits Ciphertext is a function of a chaotic orbit Only the chaotic orbit is secret Kerckhoff’s principle: we know the function and xn+1 = f (λ , xn ), xn ∈ Rm

Access to chaotic orbits Ciphertext is a function of a chaotic orbit Only the chaotic orbit is secret Kerckhoff’s principle: we know the function and xn+1 = f (λ , xn ), xn ∈ Rm Estimation of λ from m + 1 units of ciphertext

B. Ling et al., “Chaotic ﬁlter bank for computer cryptography,” Chaos, Solitons and Fractals, 2007, 34, 817-824

Plaintext: {pn } tn = K ∑ pj h2n−j ∀j tn = K ∑ pj h2n−j ∀j vn = tn + tn + sn vn = tn − vn − sn

Plaintext: {pn } tn = K ∑ pj h2n−j ∀j tn = K ∑ pj h2n−j ∀j vn = tn + tn + sn Logistic map vn = tn − vn − sn

Plaintext: {pn } tn = K ∑ pj h2n−j ∀j tn = K ∑ pj h2n−j ∀j vn = tn + tn + sn Logistic map vn = tn − vn − sn Ciphertext: {vn } , {vn }, Key: λ , λ , s0 , s0

Known-plaintext attack: {pn }, {vn }, {vn } sn = vn − tn − tn sn = tn − vn − vn sn+1 λ= sn (1 − sn ) sn+1 λ = sn (1 − sn )

David Arroyo et al., “Cryptanalysis of a computer cryptography scheme based on a ﬁlter bank,” Chaos, Soli- tons and Fractals, 2009, 41, 410-413

Entropy of the underlying chaotic map Why? How? Design Rules Critical 1 2 3 contexts

Entropy Orbit ⇒ Probability distribution Discretization of Discretization in the the phase space frequency domain Relative number of Relative energy of values in subintervals resolution levels

n-gram conditional entropy Split the phase space into J disjoint intervals Convert chaotic orbits into sequences of symbols Group the symbols into words of length n (n) pri : probability of i-th word, 0 ≤ i ≤ J n n (n) (n) Hn = − ∑J pri i=1 log pri hn = Hn+1 − Hn , h0 = H1

Conditional entropy of the logistic map 0.7 n=4 0.6 n=6 n=8 n=10 0.5 n=12 0.4 hn 0.3 0.2 0.1 0 3.5 3.6 3.7 3.8 3.9 4 λ

Conditional entropy of the skew tent map 0.7 0.6 0.5 0.4 hn 0.3 n=4 0.2 n=6 n=8 n=10 0.1 n=12 0 0 0.2 0.4 0.6 0.8 1 λ

Multiresolution Entropy 0.4 λ=3.5 MRET1 λ=3.8123 0.2 λ variable 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 0.4 λ=3.5 λ=3.8123 MRET2 0.2 λ variable 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 0.4 λ=3.5 λ=3.8123 MRET3 0.2 λ variable 0 1000 2000 3000 4000 5000 6000 7000 8000 Temporal variable

High level of entropy without leaking the values of λ

Samples of chaotic orbits Why? How? Design Rules Critical 1 2 3 contexts

Shape of histograms of chaotic orbits depending on λ Sampling on chaotic orbits Estimation of λ

A.N. Pisarchik et al. “Encryp- tion and decryption of images with chaotic map lattices,” Chaos, 2006, 16, Art. No. 033118

λ2 Logistic map, xmin = 4 (1 − 4 ), λ xmax = λ , plaintext {pi }J 4 i=1 r = 1, yi0 = {pi } yJ −1 if i = 1 r x0 = yir i.o.c Iterate n times the logistic map from x0 to get xn yir = xn + yir −1 and subtract xmax − xmin until yir ∈ [xmin , xmax ]

yJ −1 if i = 1 r x0 = yir i.o.c Iterate n times the logistic map from x0 to get xn yir = xn + yir −1 and subtract xmax − xmin until yir ∈ [xmin , xmax ] r = r +1 r <R

80 70 60 50 40 30 20 10 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 2 λ (1−λ/4) λ/4

Ciphertext-only attack xmax = max yiR ˆ ˆ ˆ λ ≈ λ = 4 · xmax

David Arroyo et al., “On the security of a new image encryption scheme based on chaotic map lattices,” Chaos, 2008, 18, Art. No. 033112

Coarse-grained versions of chaotic orbits Why? How? Design Rules Critical 1 2 3 contexts

Assign a partition to the phase space 1 Stream cipher 2 Searching based chaotic ciphers

Stream cipher xi+1 xi+1 xi a xiL xc xiR b

Stream cipher xi+1 xi a x0 xc b

Stream cipher xi+1 L xi a x0 xc b

Stream cipher xi+1 L R xi+1 = xi xi a x0 xc x1 b

Stream cipher xi+1 L R R xi+1 = xi xi a x0 xcx2x1 b

Stream cipher xi+1 01 1 ... Binary sequence xi+1 = xi xi a x0 xcx2x1 b

A.P. Kurian and S. Puthusserypady, “Self-synchronizing chaotic stream ciphers,” Signal Pro- cessing, 2008, 88, 2442-2452

Binit Logistic map Bks ≥ xc Shuf f ler Ciphertext Skew tent map Plaintext

Binit Logistic map Bks Bks B sh = π(B init ||B ks) = ≥ xc Shuf f ler ˆ B sh (λ, x0 ) Skew tent map 0

Chosen-plaintext attack 2N ˆ sh B (λ , x0) ⇒ Pr1 = prj (1) j=1 2N (i,k) B ks (λ i , x k ) ⇒ Pr(i,k) = prj j=1 Wootters’ distance 2N −1 (1) (i,k) DW (Pr1, Pr(i,k)) = cos ∑ prj · prj j=1

1.6 1.4 Wootters’ distance 1.2 1 0.8 0.6 0.4 0.2 0 1 x 0 0.5 0 0 0.2 0.4 0.6 0.8 1 λ

1.5 Wootters’ distance 1.4 1.3 1.2 1.1 1 0.8 0.6 x 0 0.4 0.2 3.95 3.9 3.85 3.8 λ

David Arroyo et al., “Cryptanalysis of a family of self- synchronizing chaotic stream ciphers”, Submitted to Signal Processing on 17 March, 2009

Coarse-grained versions of chaotic orbits Why? How? Design Rules Critical 1 2 3 contexts

Searching based chaotic ciphers Plaintext alphabet a1 Phase space Partition a2 ak a|A|

Searching based chaotic ciphers Plaintext alphabet fλ M Phase space M (x =c 0) iph er tex ak t

f (0)(x) 0 1 x a xc b

f (x) 00 01 11 10 xc x a xc b

f (2)(x) 0 0 0 011 110 101 001 010 111 100 xc x a xc b

X. Wang et al., “A new chaotic cryptography based on ergodicity,” International Journal of Modern Physics B, 2008, 22, 901-908

Logistic map: x0 and λ secret key pi is a word with w bits Ciphertext: number of iterations to ﬁnd pi in the binary sequence generated from the logistic map

Symbolic dynamics of unimodal maps Chosen-ciphertext attack

Gray Ordering Number GM (λ , x) = g0 g1 · · · gM−1 , gi ∈ {0, 1} (i) gi = 0 ⇔ fλ (x) < xc (i) gi = 1 ⇔ fλ (x) ≥ xc g0 b0 g1 b1 g2 b2 gM−1 bM−1 GON(GM (λ , x)) = 2−1 · b1 + 2−2 · b2 + . . . + 2−(n−1) · bn−1

GON for the logistic map 1 0.8 λ=3.4 GON(Pn (x)) 0.6 λ f 0.4 0.2 0 0 0.2 0.4 0.6 0.8 1 x

GON for the logistic map 1 0.8 λ=4 GON(Pn (x)) 0.6 λ f 0.4 0.2 0 0 0.2 0.4 0.6 0.8 1 x

GON for the logistic map and x0 = fλ (xc ) 1 0.95 0.9 GON(Pf (fλ(xc))) 0.85 λ n 0.8 0.75 0.7 0.65 3 3.2 3.4 3.6 3.8 4 λ

GON for the logistic map and x0 = fλ (xc )

Binary sequence of length N Sliding window of length M and compute GON Estimation of λ through a binary search from the maximum GON ˆ ˆ GONM (λ , λ ) = GONmax 4 Estimation of x0 using the estimation of λ and the binary sequence

Chosen-ciphertext attack Ask for the decryption of w · i 0 returns the ﬁrst w bits, w the following w bits, . . . GM (x0, λ ) ⇒ λ , x0

Parameter estimation error −4 c estimation error (Logarithmic scale) 10 −6 10 −8 10 −10 10 −12 10 0 2 4 6 8 10 M 5 x 10

Error in the estimation of the initial condition 0 10 x0 estimation error (Logarithmic scale) −5 10 −10 10 −15 10 −20 10 10 20 30 40 50 60 N

David Arroyo et al., “Cryptanalysis of a new chaotic cryptosystem based on ergodicity,” International Journal of Modern Physics B, 2009, 23, 651-659

Searching based chaotic ciphers: unimodal maps Why? How? Design Rules Critical 1 2 3 contexts

Previous attack only works if GONM (λ , fλ (xc )) depends on on the control parameter

Is the cryptosystem secure if the logistic map is replaced by the skew tent map?

David Arroyo et al., “Estimation of the control parameter from symbolic sequences: Unimodal maps with variable critical point,” Chaos, 2009, 19, Art. No. 023125

λ can be estimated from the PDF of order patterns

xi+i = f (xi ) [x0, x1, x2, . . . , xL−1] π(x0) = [π0, π1, . . . , πL−1] πi permutation |πi → i f π0 (x0) < f π1 (x0) < · · · < f πL−1 (x0)

2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1

2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225,

2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225, 0.6245

2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225, 0.6245, 0.751,

2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225, 0.6245, 0.751, 0.498]

2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225, 0.6245, 0.751, 0.498] ⇒ π(0.31225) = [0, 3, 1, 2]

The intersections between f 0(x), f 1(x), . . . , f L−1(x) determine intervals with initial conditions leading to the same order pattern

1 2 f (x) 3 0.9 f (x) 0.8 0.7 f1(x) f0(x) 0.6 0.5 0.4 0.3 0.2 0.1 0 0 0.2 0.4 0.6 0.8 1

Order patterns can be used to assign a partition to the deﬁnition domain

fλ : I → I, I ⊂ R, λ ∈ J ⊂ R Pπ = {x ∈ I : x generates the order pattern π} Pπ depends on λ through fλ

xi /λ , 0 < xi < λ Skew tent map: xi+1 = (1 − xi )/(1 − λ ), λ ≥ xi < 1 xi+1 λ xi 0 1

[0,1,2,3] [0,3,1,2] [2,0,3,1] [1,2,3,0] [0,1,3,2] [0,2,1,3] [2,0,1,3] [1,2,0,3] [0,3,1,2] [2,3,0,1] [3,1,0,2] [3,0,1,2] [1,3,2,0] [1,2,3,0] 1 ? ?? ? ? ? ? ? ? ? ? ? ? ? f(2)(x) λ 0.9 0.8 0.7 0.6 f(0)(x) f(1)(x) λ λ fλ (k)(x) 0.5 0.4 0.3 0.2 f(3)(x) λ 0.1 0 0 0.2 0.4 0.6 0.8 1 λ

[2,0,3,1] [0,1,2,3] [0,1,3,2] [0,2,1,3] [2,0,1,3] [1,2,3,0] [0,3,1,2] [2,0,3,1] [3,1,0,2] [3,0,1,2] [2,3,0,1] [1,3,2,0] [0,3,1,2] [1,2,3,0] 1 ? ?? ? ? ? ? ? ??? ? ? ? [1,2,0,3] 0.9 0.8 0.7 f(2)(x) λ f(3)(x) λ 0.6 f(1)(x) (x) λ 0.5 (k) λ f 0.4 0.3 0.2 f(0)(x) λ 0.1 0 0 0.2 0.4 0.6 0.8 1 λ

Order pattern [0, 1, . . . , L − 1] determined by the leftmost intersection L−2 L−1 of the iterates fλ and fλ

fλ ergodic with invariant measure µ Ofλ (x) = {f n (x) : n ∈ N ∪ {0}} Ofλ (x) visits Pπ with relative frequency µ(Pπ )

Orbit of length M Sliding window of width L M − L + 1 order L-patterns Compute the relative frequency of each order pattern

For some fλ (x) 1-to-1 relation between the relative frequency of some order pattern and the control parameter λ

Skew tent map n x/λ n , if 0 ≤ x ≤ λ n fλ (x) = (λ n−1 − x)/λ n−1 (1 − λ ), if λ n ≤ x ≤ λ n−1 P[0,1,...,L−1] = (0, φL (λ )), with λ L−2 φL (λ ) = 2−λ

2 L = 4 ⇒ φ4 = 2−λ λ 1 0.9 0.8 0.7 Order pattern frequency 0.6 0.5 0.4 0.3 0.2 0.1 0 0 0.2 0.4 0.6 0.8 1 λ

Skew tent map Unimodal map x1 < x2 ⇒ G(x1) ≤ G(x2) Order patterns from “coarse-grained” orbits

Error in the estimation of λ −2 10 Mean error value (Logarithmic scale) −3 10 −4 10 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 λ

Finite precision arithmetics Digital degradation of dynamics Non-perfect recovery of λ

Why? How? Design Rules Critical 1 2 3 contexts

Digital chaos-based cryptosystem Chaotic map Encryption architecture Loss of chaoticity Stream cipher Block cipher Bijections in entropy measures Linear complexity Differential attack Leaking of the underlying order Correlation attacks Linear attacks Defective probability distribution ... ...

Design rules I 1 Assure the chaotic behavior of the underlying dynamical systems 2 Guarantee avalanche effect 3 High level of entropy without leaking of the values of control parameters 4 Deﬁnition of the ciphertext avoiding the reconstruction of the underlying chaotic dynamics

Design rules II 5 Chaotic maps with ﬂat histograms and width of the phase space independent of the control parameters 6 Selection of chaotic maps with high sensitivity to control parameter mismatch 7 The number of iterations of chaotic maps can not be part of the key

Control parameter a=3.8204607418 Control parameter a=3.8294707872 150 150 j=1 j=2 Time in seconds Time in seconds 100 j=3 100 50 50 0 0 0 50 100 0 50 100 n×j n×j Control parameter a=3.8743936381 Control parameter a=3.9771765651 150 150 Time in seconds Time in seconds 100 100 50 50 0 0 0 50 100 0 50 100 n×j n×j

David Arroyo et al., “On the security of a new image encryption scheme based on chaotic map lattices,” Chaos, 2008, 18, Art. No. 033112

Chaos-based 5 cryptography SCI Unimodal 7 maps International 8 CONFERENCES National 8

Future work

Problems detected in unimodal maps Multimodal maps Discrete chaos Other sources of chaos

Chaotic map Encryption Practical architecture implementation

Design of chaos-based cryptosystems needs of cryptography + analysis of chaotic dynamics

Framework for the analysis and design of encryption strategies based on discrete-time chaotic dynamical systems david.arroyo@iec.csic.es http://hdl.handle.net/10261/15668

Framework for the analysis and design of encryption strategies based on discrete-time chaotic dynamical systems

0 comments

Notes on slide 1

Favorites, Groups & Events