Your SlideShare is downloading. ×
0
Framework for the analysis and design
               of encryption strategies
                  based on discrete-time
   ...
From chaos to cryptography

Why?       How?                Design Rules



                    Critical
 1           2    ...
Perfect secrecy

           Good mixing
           properties. . .



           Hopf: dough
            rolling and
     ...
Initial condition



Sensitivity                            Diffusion



               Control
              parameter


...
ENCRYPTION



    T=R                               T=Z



   Chaos in                Chaos in           Chaos in
continuo...
ENCRYPTION



    T=R                               T=Z



   Chaos in                Chaos in           Chaos in
continuo...
ENCRYPTION



     T=R                               T=Z



    Chaos in                Chaos in           Chaos in
 conti...
ENCRYPTION



     T=R                                  T=Z



    Chaos in                Chaos in              Chaos in
...
ENCRYPTION



     T=R                                  T=Z



    Chaos in                Chaos in              Chaos in
...
ENCRYPTION



     T=R                                   T=Z



    Chaos in                Chaos in               Chaos i...
ENCRYPTION



     T=R                                   T=Z



    Chaos in                Chaos in               Chaos i...
How to design

      secure digital

chaos-based cryptosystems
Avoid critical contexts


Conventional cryptography                 Chaos theory

            Standards                   ...
Avoid critical contexts


Conventional cryptography                 Chaos theory

            Standards                   ...
Loss of chaoticity


Why?   How?                   Design Rules



                   Critical
 1      2                  ...
For xk+1 = f (λ , xk ) = fλ (xk )

  it can not be assumed

       chaos for all λ
C. Chee and D.Xu,
“Chaotic encryption using discrete-
 time synchronous chaos,” Physics
   Letters A, 2006, 348, 284-292
2
          uk+1        1 − δ · uk + vk
xk+1 =            =
          vk+1        β · vk

         δ = ψ (pk ) · µ1 (vk )
...
2


    1.8
                               Unbounded
δ   1.6


    1.4

              Periodic
    1.2


     −0.4   −0.2 ...
1.6


                     1.4


                     1.2


                      1
Asymptotic values




                ...
David Arroyo et al.,
 “Cryptanalysis of a discrete-time syn-
 chronous chaotic encryption system,”
Physics Letter A, 2008,...
Reconstruction of dynamics


Why?   How?                 Design Rules



                 Critical
 1      2              ...
Estimation of λ and/or x0 after applying
         conventional attacks

 1   Access to chaotic orbits
 2   We can measure ...
xi+1
                        xi+1 = f (xi )
                 Orbit : {x0, x1, . . .}
                f (a) = f (b), f (xc ...
Logistic map: xi+1 = λ xi (1 − xi )
xi+1



                             λ




                                     xi
   ...
xi /λ              0 < xi < λ
Skew tent map: xi+1 =
                            (1 − xi )/(1 − λ ) λ ≥ xi < 1
       xi+1
...
Access to chaotic orbits

Ciphertext is a function of a chaotic orbit
Access to chaotic orbits

Ciphertext is a function of a chaotic orbit

     Only the chaotic orbit is secret
Access to chaotic orbits

Ciphertext is a function of a chaotic orbit

     Only the chaotic orbit is secret

         Ker...
Access to chaotic orbits

  Ciphertext is a function of a chaotic orbit

       Only the chaotic orbit is secret

        ...
B. Ling et al.,
“Chaotic filter bank for computer
 cryptography,” Chaos, Solitons
and Fractals, 2007, 34, 817-824
Plaintext: {pn }

tn = K ∑ pj h2n−j
         ∀j

tn = K   ∑ pj h2n−j
         ∀j


vn = tn + tn + sn
vn = tn − vn − sn
Plaintext: {pn }

tn = K ∑ pj h2n−j
         ∀j

tn = K   ∑ pj h2n−j
         ∀j


vn = tn + tn + sn
                     ...
Plaintext: {pn }

             tn = K ∑ pj h2n−j
                      ∀j

             tn = K   ∑ pj h2n−j
              ...
Known-plaintext attack: {pn }, {vn }, {vn }


             sn = vn − tn − tn
             sn = tn − vn − vn


            ...
David Arroyo et al., “Cryptanalysis
 of a computer cryptography scheme
 based on a filter bank,” Chaos, Soli-
tons and Frac...
Entropy of the underlying chaotic map



Why?     How?                    Design Rules



                      Critical
 ...
Entropy


       Orbit ⇒ Probability distribution

   Discretization of        Discretization in the
  the phase space    ...
n-gram conditional entropy
  Split the phase space into J disjoint intervals


Convert chaotic orbits into sequences of sy...
Conditional entropy of the logistic map

           0.7
                        n=4
           0.6          n=6
          ...
Conditional entropy of the skew tent map

           0.7

           0.6

           0.5

           0.4
      hn




    ...
Multiresolution Entropy
        0.4
                                                                      λ=3.5
MRET1     ...
High level of entropy

  without leaking

  the values of λ
Samples of chaotic orbits


Why?   How?                     Design Rules



                     Critical
 1      2       ...
Shape of histograms
    of chaotic orbits
    depending on λ


Sampling on chaotic orbits


     Estimation of λ
A.N. Pisarchik et al. “Encryp-
  tion and decryption of images
with chaotic map lattices,” Chaos,
    2006, 16, Art. No. 0...
λ2
 Logistic map, xmin =    4 (1 − 4 ),
                                λ
                                       xmax = λ ...
yJ −1 if i = 1
                                r
                     x0 =
                              yir      i.o.c


...
80


70


60


50


40


30


20


10


 0
 0.1        0.2   0.3   0.4   0.5   0.6   0.7   0.8   0.9         1
 2
λ (1−λ/4...
Ciphertext-only attack

  xmax = max yiR
  ˆ


      ˆ       ˆ
  λ ≈ λ = 4 · xmax
David Arroyo et al., “On the security
of a new image encryption scheme
  based on chaotic map lattices,”
Chaos, 2008, 18, ...
Coarse-grained versions of chaotic orbits



Why?      How?                     Design Rules



                        Cr...
Assign a partition to the phase space



1    Stream cipher
2    Searching based chaotic ciphers
Stream cipher
xi+1




             xi+1



                              xi
   a   xiL   xc     xiR   b
Stream cipher
xi+1




                       xi
   a    x0 xc      b
Stream cipher
xi+1
            L




                       xi
   a    x0 xc      b
Stream cipher
xi+1
            L R
                        xi+1 = xi




                           xi
   a     x0 xc x1  ...
Stream cipher
xi+1
            L R R
                         xi+1 = xi




                            xi
   a     x0 xcx...
Stream cipher
xi+1
   01 1      ... Binary sequence
                          xi+1 = xi




                             x...
A.P. Kurian and S. Puthusserypady,
     “Self-synchronizing chaotic
    stream ciphers,” Signal Pro-
   cessing, 2008, 88,...
Binit


Logistic map
                       Bks
                ≥ xc               Shuf f ler   Ciphertext

Skew tent map
...
Binit


Logistic map
                       Bks       Bks                B sh = π(B init ||B ks) =
                ≥ xc   ...
Chosen-plaintext attack

                                               2N
          ˆ
         sh
       B (λ , x0) ⇒ Pr1...
1.6

                         1.4

    Wootters’ distance   1.2

                             1

                         ...
1.5
Wootters’ distance
                     1.4
                     1.3
                     1.2
                     1.1...
David Arroyo et al.,
“Cryptanalysis of a family of self-
  synchronizing chaotic stream
  ciphers”, Submitted to Signal
 P...
Coarse-grained versions of chaotic orbits


Why?      How?                     Design Rules



                        Cri...
Searching based chaotic ciphers




                                            Plaintext alphabet
                       ...
Searching based chaotic ciphers




                                            Plaintext alphabet
                       ...
f (0)(x)




               0        1




                                x
           a       xc       b
f (x)       00   01        11   10




                                     xc




                                       ...
f (2)(x) 0 0 0         011         110         101
                 001         010         111         100



           ...
X. Wang et al.,
 “A new chaotic cryptography based
on ergodicity,” International Journal of
Modern Physics B, 2008, 22, 90...
Logistic map: x0 and λ secret key

     pi is a word with w bits

     Ciphertext: number of
   iterations to find pi in th...
Symbolic dynamics of unimodal maps



     Chosen-ciphertext attack
Gray Ordering Number
GM (λ , x) = g0 g1 · · · gM−1 , gi ∈ {0, 1}
            (i)
gi = 0 ⇔ fλ (x) < xc
            (i)
gi =...
GON for the logistic map

               1


              0.8             λ=3.4
GON(Pn (x))




              0.6
       ...
GON for the logistic map

               1


              0.8             λ=3.6
GON(Pn (x))




              0.6
       ...
GON for the logistic map

               1


              0.8
                              λ=3.8
GON(Pn (x))




       ...
GON for the logistic map

               1


              0.8
                              λ=4
GON(Pn (x))




         ...
GON for the logistic map and x0 = fλ (xc )

                            1


                          0.95


             ...
GON for the logistic map and x0 = fλ (xc )
Binary sequence of length N


         Sliding window of length M and compute GON


Estimation of λ through a binary searc...
Chosen-ciphertext attack

Ask for the decryption of w · i

 0 returns the first w bits,
 w the following w bits, . . .

   ...
Parameter estimation error

                                          −4
c estimation error (Logarithmic scale)   10


   ...
Error in the estimation of the initial
              condition
                                               0
          ...
David Arroyo et al.,
  “Cryptanalysis of a new chaotic
cryptosystem based on ergodicity,”
  International Journal of Moder...
Searching based chaotic ciphers: unimodal maps


Why?      How?                   Design Rules



                      Cr...
Previous attack only works if

      GONM (λ , fλ (xc ))

        depends on

  on the control parameter
Is the cryptosystem secure

    if the logistic map

      is replaced by

   the skew tent map?
David Arroyo et al., “Estimation
  of the control parameter from
 symbolic sequences: Unimodal
 maps with variable critica...
λ can be estimated
 from the PDF of
   order patterns
xi+i = f (xi )



         [x0, x1, x2, . . . , xL−1]


     π(x0) = [π0, π1, . . . , πL−1]
     πi permutation |πi → i


...
2xi ,       0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
                                        2(1 − xi ), 0.5 ≥ x...
2xi ,       0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
                                            2(1 − xi ), 0.5...
2xi ,       0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
                                            2(1 − xi ), 0.5...
2xi ,       0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
                                          2(1 − xi ), 0.5 ≥...
2xi ,       0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
                                          2(1 − xi ), 0.5 ≥...
2xi ,       0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
                                           2(1 − xi ), 0.5 ...
2xi ,       0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
                                           2(1 − xi ), 0.5 ...
2xi ,       0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
                                            2(1 − xi ), 0.5...
2xi ,       0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
                                               2(1 − xi ), ...
The intersections between

      f 0(x), f 1(x), . . . , f L−1(x)

      determine intervals

     with initial conditions...
1
                                            2
                                            f (x)
          3
0.9       f ...
Order patterns

can be used to assign a partition

    to the definition domain
fλ : I → I, I ⊂ R, λ ∈ J ⊂ R



Pπ = {x ∈ I : x generates the order pattern π}



        Pπ depends on λ through fλ
xi /λ ,             0 < xi < λ
Skew tent map: xi+1 =
                            (1 − xi )/(1 − λ ), λ ≥ xi < 1
       xi+...
[0,1,2,3]        [0,3,1,2] [2,0,3,1]                                 [1,2,3,0]
                  [0,1,3,2]        [0,2,1,3...
[2,0,3,1]
                      [0,1,2,3]               [0,1,3,2]    [0,2,1,3]        [2,0,1,3]     [1,2,3,0]
            ...
Order pattern [0, 1, . . . , L − 1]

     determined by the

    leftmost intersection
                 L−2    L−1
of the ...
fλ ergodic with invariant measure µ



   Ofλ (x) = {f n (x) : n ∈ N ∪ {0}}


       Ofλ (x) visits Pπ with
     relative ...
Orbit of length M



  Sliding window of width L



 M − L + 1 order L-patterns


  Compute the relative fre-
quency of ea...
For some fλ (x)

  1-to-1 relation between

   the relative frequency

   of some order pattern

and the control parameter...
Skew tent map


 n           x/λ n ,                     if 0 ≤ x ≤ λ n
fλ (x) =
             (λ n−1 − x)/λ n−1 (1 − λ ), ...
2
                                    L = 4 ⇒ φ4 = 2−λ
                                                  λ


             ...
Skew tent map


              Unimodal map


         x1 < x2 ⇒ G(x1) ≤ G(x2)


Order patterns from “coarse-grained” orbits
Error in the estimation of λ
                                        −2
                                       10
Mean err...
Finite precision arithmetics



Digital degradation of dynamics



  Non-perfect recovery of λ
Why?   How?              Design Rules



              Critical
 1      2                     3
              contexts
Digital chaos-based cryptosystem


  Chaotic map                               Encryption architecture

       Loss of cha...
Design rules I

1   Assure the chaotic behavior of the
    underlying dynamical systems
2   Guarantee avalanche effect
3  ...
Design rules II

5   Chaotic maps with flat histograms and
    width of the phase space independent of
    the control para...
Control parameter a=3.8204607418                            Control parameter a=3.8294707872
                  150        ...
David Arroyo et al.,
“On the security of a new image
 encryption scheme based on
 chaotic map lattices,” Chaos,
  2008, 18...
Chaos-based
                              5
              cryptography
    SCI

               Unimodal
                  ...
Future work
Problems detected in unimodal maps


         Multimodal maps


          Discrete chaos


      Other sources of chaos
Chaotic map




Encryption                      Practical
architecture                 implementation
Design of
chaos-based cryptosystems

   needs of cryptography
              +
analysis of chaotic dynamics
Framework for the analysis and design
               of encryption strategies
                  based on discrete-time
   ...
Upcoming SlideShare
Loading in...5
×

Framework for the analysis and design of encryption strategies based on discrete-time chaotic dynamical systems

1,320

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,320
On Slideshare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
36
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Framework for the analysis and design of encryption strategies based on discrete-time chaotic dynamical systems"

  1. 1. Framework for the analysis and design of encryption strategies based on discrete-time chaotic dynamical systems ˜ David Arroyo Guardeno
  2. 2. From chaos to cryptography Why? How? Design Rules Critical 1 2 3 contexts
  3. 3. Perfect secrecy Good mixing properties. . . Hopf: dough rolling and folding. . .
  4. 4. Initial condition Sensitivity Diffusion Control parameter Mixing Ergodicity Confusion
  5. 5. ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time
  6. 6. ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time Synchronization
  7. 7. ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time Synchronization Security problems
  8. 8. ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time Synchronization Differential Equations Security problems
  9. 9. ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time Synchronization Differential Equations Security problems Dimension > 2
  10. 10. ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time Synchronization Differential Equations Security problems Dimension > 2 Efficiency problems
  11. 11. ENCRYPTION T=R T=Z Chaos in Chaos in Chaos in continuous time continuous time discrete time Synchronization Differential Equations Security problems Dimension > 2 Efficiency problems
  12. 12. How to design secure digital chaos-based cryptosystems
  13. 13. Avoid critical contexts Conventional cryptography Chaos theory Standards Loss of chaoticity Commitments Reconstruction of the underlying dynamics Conventional attacks
  14. 14. Avoid critical contexts Conventional cryptography Chaos theory Standards Loss of chaoticity Commitments Reconstruction of the underlying dynamics Conventional attacks
  15. 15. Loss of chaoticity Why? How? Design Rules Critical 1 2 3 contexts
  16. 16. For xk+1 = f (λ , xk ) = fλ (xk ) it can not be assumed chaos for all λ
  17. 17. C. Chee and D.Xu, “Chaotic encryption using discrete- time synchronous chaos,” Physics Letters A, 2006, 348, 284-292
  18. 18. 2 uk+1 1 − δ · uk + vk xk+1 = = vk+1 β · vk δ = ψ (pk ) · µ1 (vk ) β = µ2 (vk )
  19. 19. 2 1.8 Unbounded δ 1.6 1.4 Periodic 1.2 −0.4 −0.2 0 0.2 0.4 β
  20. 20. 1.6 1.4 1.2 1 Asymptotic values 0.8 0.6 0.4 0.2 0 −0.2 0 0.5 1 1.5 2 2.5 3 Plaintext block values 14 x 10
  21. 21. David Arroyo et al., “Cryptanalysis of a discrete-time syn- chronous chaotic encryption system,” Physics Letter A, 2008, 372, 1034-1039
  22. 22. Reconstruction of dynamics Why? How? Design Rules Critical 1 2 3 contexts
  23. 23. Estimation of λ and/or x0 after applying conventional attacks 1 Access to chaotic orbits 2 We can measure the entropy of the underlying chaotic map 3 Access to samples of chaotic orbits 4 Access to coarse-grained versions of chaotic orbits
  24. 24. xi+1 xi+1 = f (xi ) Orbit : {x0, x1, . . .} f (a) = f (b), f (xc ) ≤ b xc = Single turning point f continuous in [a, b] xi a xc b
  25. 25. Logistic map: xi+1 = λ xi (1 − xi ) xi+1 λ xi 0 xc 1
  26. 26. xi /λ 0 < xi < λ Skew tent map: xi+1 = (1 − xi )/(1 − λ ) λ ≥ xi < 1 xi+1 λ xi 0 1
  27. 27. Access to chaotic orbits Ciphertext is a function of a chaotic orbit
  28. 28. Access to chaotic orbits Ciphertext is a function of a chaotic orbit Only the chaotic orbit is secret
  29. 29. Access to chaotic orbits Ciphertext is a function of a chaotic orbit Only the chaotic orbit is secret Kerckhoff’s principle: we know the function and xn+1 = f (λ , xn ), xn ∈ Rm
  30. 30. Access to chaotic orbits Ciphertext is a function of a chaotic orbit Only the chaotic orbit is secret Kerckhoff’s principle: we know the function and xn+1 = f (λ , xn ), xn ∈ Rm Estimation of λ from m + 1 units of ciphertext
  31. 31. B. Ling et al., “Chaotic filter bank for computer cryptography,” Chaos, Solitons and Fractals, 2007, 34, 817-824
  32. 32. Plaintext: {pn } tn = K ∑ pj h2n−j ∀j tn = K ∑ pj h2n−j ∀j vn = tn + tn + sn vn = tn − vn − sn
  33. 33. Plaintext: {pn } tn = K ∑ pj h2n−j ∀j tn = K ∑ pj h2n−j ∀j vn = tn + tn + sn Logistic map vn = tn − vn − sn
  34. 34. Plaintext: {pn } tn = K ∑ pj h2n−j ∀j tn = K ∑ pj h2n−j ∀j vn = tn + tn + sn Logistic map vn = tn − vn − sn Ciphertext: {vn } , {vn }, Key: λ , λ , s0 , s0
  35. 35. Known-plaintext attack: {pn }, {vn }, {vn } sn = vn − tn − tn sn = tn − vn − vn sn+1 λ= sn (1 − sn ) sn+1 λ = sn (1 − sn )
  36. 36. David Arroyo et al., “Cryptanalysis of a computer cryptography scheme based on a filter bank,” Chaos, Soli- tons and Fractals, 2009, 41, 410-413
  37. 37. Entropy of the underlying chaotic map Why? How? Design Rules Critical 1 2 3 contexts
  38. 38. Entropy Orbit ⇒ Probability distribution Discretization of Discretization in the the phase space frequency domain Relative number of Relative energy of values in subintervals resolution levels
  39. 39. n-gram conditional entropy Split the phase space into J disjoint intervals Convert chaotic orbits into sequences of symbols Group the symbols into words of length n (n) pri : probability of i-th word, 0 ≤ i ≤ J n n (n) (n) Hn = − ∑J pri i=1 log pri hn = Hn+1 − Hn , h0 = H1
  40. 40. Conditional entropy of the logistic map 0.7 n=4 0.6 n=6 n=8 n=10 0.5 n=12 0.4 hn 0.3 0.2 0.1 0 3.5 3.6 3.7 3.8 3.9 4 λ
  41. 41. Conditional entropy of the skew tent map 0.7 0.6 0.5 0.4 hn 0.3 n=4 0.2 n=6 n=8 n=10 0.1 n=12 0 0 0.2 0.4 0.6 0.8 1 λ
  42. 42. Multiresolution Entropy 0.4 λ=3.5 MRET1 λ=3.8123 0.2 λ variable 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 0.4 λ=3.5 λ=3.8123 MRET2 0.2 λ variable 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 0.4 λ=3.5 λ=3.8123 MRET3 0.2 λ variable 0 1000 2000 3000 4000 5000 6000 7000 8000 Temporal variable
  43. 43. High level of entropy without leaking the values of λ
  44. 44. Samples of chaotic orbits Why? How? Design Rules Critical 1 2 3 contexts
  45. 45. Shape of histograms of chaotic orbits depending on λ Sampling on chaotic orbits Estimation of λ
  46. 46. A.N. Pisarchik et al. “Encryp- tion and decryption of images with chaotic map lattices,” Chaos, 2006, 16, Art. No. 033118
  47. 47. λ2 Logistic map, xmin = 4 (1 − 4 ), λ xmax = λ , plaintext {pi }J 4 i=1 r = 1, yi0 = {pi } yJ −1 if i = 1 r x0 = yir i.o.c Iterate n times the logistic map from x0 to get xn yir = xn + yir −1 and subtract xmax − xmin until yir ∈ [xmin , xmax ]
  48. 48. yJ −1 if i = 1 r x0 = yir i.o.c Iterate n times the logistic map from x0 to get xn yir = xn + yir −1 and subtract xmax − xmin until yir ∈ [xmin , xmax ] r = r +1 r <R
  49. 49. 80 70 60 50 40 30 20 10 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 2 λ (1−λ/4) λ/4
  50. 50. Ciphertext-only attack xmax = max yiR ˆ ˆ ˆ λ ≈ λ = 4 · xmax
  51. 51. David Arroyo et al., “On the security of a new image encryption scheme based on chaotic map lattices,” Chaos, 2008, 18, Art. No. 033112
  52. 52. Coarse-grained versions of chaotic orbits Why? How? Design Rules Critical 1 2 3 contexts
  53. 53. Assign a partition to the phase space 1 Stream cipher 2 Searching based chaotic ciphers
  54. 54. Stream cipher xi+1 xi+1 xi a xiL xc xiR b
  55. 55. Stream cipher xi+1 xi a x0 xc b
  56. 56. Stream cipher xi+1 L xi a x0 xc b
  57. 57. Stream cipher xi+1 L R xi+1 = xi xi a x0 xc x1 b
  58. 58. Stream cipher xi+1 L R R xi+1 = xi xi a x0 xcx2x1 b
  59. 59. Stream cipher xi+1 01 1 ... Binary sequence xi+1 = xi xi a x0 xcx2x1 b
  60. 60. A.P. Kurian and S. Puthusserypady, “Self-synchronizing chaotic stream ciphers,” Signal Pro- cessing, 2008, 88, 2442-2452
  61. 61. Binit Logistic map Bks ≥ xc Shuf f ler Ciphertext Skew tent map Plaintext
  62. 62. Binit Logistic map Bks Bks B sh = π(B init ||B ks) = ≥ xc Shuf f ler ˆ B sh (λ, x0 ) Skew tent map 0
  63. 63. Chosen-plaintext attack 2N ˆ sh B (λ , x0) ⇒ Pr1 = prj (1) j=1 2N (i,k) B ks (λ i , x k ) ⇒ Pr(i,k) = prj j=1 Wootters’ distance 2N −1 (1) (i,k) DW (Pr1, Pr(i,k)) = cos ∑ prj · prj j=1
  64. 64. 1.6 1.4 Wootters’ distance 1.2 1 0.8 0.6 0.4 0.2 0 1 x 0 0.5 0 0 0.2 0.4 0.6 0.8 1 λ
  65. 65. 1.5 Wootters’ distance 1.4 1.3 1.2 1.1 1 0.8 0.6 x 0 0.4 0.2 3.95 3.9 3.85 3.8 λ
  66. 66. David Arroyo et al., “Cryptanalysis of a family of self- synchronizing chaotic stream ciphers”, Submitted to Signal Processing on 17 March, 2009
  67. 67. Coarse-grained versions of chaotic orbits Why? How? Design Rules Critical 1 2 3 contexts
  68. 68. Searching based chaotic ciphers Plaintext alphabet a1 Phase space Partition a2 ak a|A|
  69. 69. Searching based chaotic ciphers Plaintext alphabet fλ M Phase space M (x =c 0) iph er tex ak t
  70. 70. f (0)(x) 0 1 x a xc b
  71. 71. f (x) 00 01 11 10 xc x a xc b
  72. 72. f (2)(x) 0 0 0 011 110 101 001 010 111 100 xc x a xc b
  73. 73. X. Wang et al., “A new chaotic cryptography based on ergodicity,” International Journal of Modern Physics B, 2008, 22, 901-908
  74. 74. Logistic map: x0 and λ secret key pi is a word with w bits Ciphertext: number of iterations to find pi in the binary sequence generated from the logistic map
  75. 75. Symbolic dynamics of unimodal maps Chosen-ciphertext attack
  76. 76. Gray Ordering Number GM (λ , x) = g0 g1 · · · gM−1 , gi ∈ {0, 1} (i) gi = 0 ⇔ fλ (x) < xc (i) gi = 1 ⇔ fλ (x) ≥ xc g0 b0 g1 b1 g2 b2 gM−1 bM−1 GON(GM (λ , x)) = 2−1 · b1 + 2−2 · b2 + . . . + 2−(n−1) · bn−1
  77. 77. GON for the logistic map 1 0.8 λ=3.4 GON(Pn (x)) 0.6 λ f 0.4 0.2 0 0 0.2 0.4 0.6 0.8 1 x
  78. 78. GON for the logistic map 1 0.8 λ=3.6 GON(Pn (x)) 0.6 λ f 0.4 0.2 0 0 0.2 0.4 0.6 0.8 1 x
  79. 79. GON for the logistic map 1 0.8 λ=3.8 GON(Pn (x)) 0.6 λ f 0.4 0.2 0 0 0.2 0.4 0.6 0.8 1 x
  80. 80. GON for the logistic map 1 0.8 λ=4 GON(Pn (x)) 0.6 λ f 0.4 0.2 0 0 0.2 0.4 0.6 0.8 1 x
  81. 81. GON for the logistic map and x0 = fλ (xc ) 1 0.95 0.9 GON(Pf (fλ(xc))) 0.85 λ n 0.8 0.75 0.7 0.65 3 3.2 3.4 3.6 3.8 4 λ
  82. 82. GON for the logistic map and x0 = fλ (xc )
  83. 83. Binary sequence of length N Sliding window of length M and compute GON Estimation of λ through a binary search from the maximum GON ˆ ˆ GONM (λ , λ ) = GONmax 4 Estimation of x0 using the estimation of λ and the binary sequence
  84. 84. Chosen-ciphertext attack Ask for the decryption of w · i 0 returns the first w bits, w the following w bits, . . . GM (x0, λ ) ⇒ λ , x0
  85. 85. Parameter estimation error −4 c estimation error (Logarithmic scale) 10 −6 10 −8 10 −10 10 −12 10 0 2 4 6 8 10 M 5 x 10
  86. 86. Error in the estimation of the initial condition 0 10 x0 estimation error (Logarithmic scale) −5 10 −10 10 −15 10 −20 10 10 20 30 40 50 60 N
  87. 87. David Arroyo et al., “Cryptanalysis of a new chaotic cryptosystem based on ergodicity,” International Journal of Modern Physics B, 2009, 23, 651-659
  88. 88. Searching based chaotic ciphers: unimodal maps Why? How? Design Rules Critical 1 2 3 contexts
  89. 89. Previous attack only works if GONM (λ , fλ (xc )) depends on on the control parameter
  90. 90. Is the cryptosystem secure if the logistic map is replaced by the skew tent map?
  91. 91. David Arroyo et al., “Estimation of the control parameter from symbolic sequences: Unimodal maps with variable critical point,” Chaos, 2009, 19, Art. No. 023125
  92. 92. λ can be estimated from the PDF of order patterns
  93. 93. xi+i = f (xi ) [x0, x1, x2, . . . , xL−1] π(x0) = [π0, π1, . . . , πL−1] πi permutation |πi → i f π0 (x0) < f π1 (x0) < · · · < f πL−1 (x0)
  94. 94. 2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1
  95. 95. 2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225,
  96. 96. 2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225,
  97. 97. 2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225, 0.6245
  98. 98. 2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225, 0.6245
  99. 99. 2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225, 0.6245, 0.751,
  100. 100. 2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225, 0.6245, 0.751,
  101. 101. 2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225, 0.6245, 0.751, 0.498]
  102. 102. 2xi , 0 < xi < 0.5 f : [0, 1] → [0, 1], xi+1 = f (xi ) = 2(1 − xi ), 0.5 ≥ xi < 1 xi+1 xi 0 1 [0.31225, 0.6245, 0.751, 0.498] ⇒ π(0.31225) = [0, 3, 1, 2]
  103. 103. The intersections between f 0(x), f 1(x), . . . , f L−1(x) determine intervals with initial conditions leading to the same order pattern
  104. 104. 1 2 f (x) 3 0.9 f (x) 0.8 0.7 f1(x) f0(x) 0.6 0.5 0.4 0.3 0.2 0.1 0 0 0.2 0.4 0.6 0.8 1
  105. 105. Order patterns can be used to assign a partition to the definition domain
  106. 106. fλ : I → I, I ⊂ R, λ ∈ J ⊂ R Pπ = {x ∈ I : x generates the order pattern π} Pπ depends on λ through fλ
  107. 107. xi /λ , 0 < xi < λ Skew tent map: xi+1 = (1 − xi )/(1 − λ ), λ ≥ xi < 1 xi+1 λ xi 0 1
  108. 108. [0,1,2,3] [0,3,1,2] [2,0,3,1] [1,2,3,0] [0,1,3,2] [0,2,1,3] [2,0,1,3] [1,2,0,3] [0,3,1,2] [2,3,0,1] [3,1,0,2] [3,0,1,2] [1,3,2,0] [1,2,3,0] 1 ? ?? ? ? ? ? ? ? ? ? ? ? ? f(2)(x) λ 0.9 0.8 0.7 0.6 f(0)(x) f(1)(x) λ λ fλ (k)(x) 0.5 0.4 0.3 0.2 f(3)(x) λ 0.1 0 0 0.2 0.4 0.6 0.8 1 λ
  109. 109. [2,0,3,1] [0,1,2,3] [0,1,3,2] [0,2,1,3] [2,0,1,3] [1,2,3,0] [0,3,1,2] [2,0,3,1] [3,1,0,2] [3,0,1,2] [2,3,0,1] [1,3,2,0] [0,3,1,2] [1,2,3,0] 1 ? ?? ? ? ? ? ? ??? ? ? ? [1,2,0,3] 0.9 0.8 0.7 f(2)(x) λ f(3)(x) λ 0.6 f(1)(x) (x) λ 0.5 (k) λ f 0.4 0.3 0.2 f(0)(x) λ 0.1 0 0 0.2 0.4 0.6 0.8 1 λ
  110. 110. Order pattern [0, 1, . . . , L − 1] determined by the leftmost intersection L−2 L−1 of the iterates fλ and fλ
  111. 111. fλ ergodic with invariant measure µ Ofλ (x) = {f n (x) : n ∈ N ∪ {0}} Ofλ (x) visits Pπ with relative frequency µ(Pπ )
  112. 112. Orbit of length M Sliding window of width L M − L + 1 order L-patterns Compute the relative fre- quency of each order pattern
  113. 113. For some fλ (x) 1-to-1 relation between the relative frequency of some order pattern and the control parameter λ
  114. 114. Skew tent map n x/λ n , if 0 ≤ x ≤ λ n fλ (x) = (λ n−1 − x)/λ n−1 (1 − λ ), if λ n ≤ x ≤ λ n−1 P[0,1,...,L−1] = (0, φL (λ )), with λ L−2 φL (λ ) = 2−λ
  115. 115. 2 L = 4 ⇒ φ4 = 2−λ λ 1 0.9 0.8 0.7 Order pattern frequency 0.6 0.5 0.4 0.3 0.2 0.1 0 0 0.2 0.4 0.6 0.8 1 λ
  116. 116. Skew tent map Unimodal map x1 < x2 ⇒ G(x1) ≤ G(x2) Order patterns from “coarse-grained” orbits
  117. 117. Error in the estimation of λ −2 10 Mean error value (Logarithmic scale) −3 10 −4 10 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 λ
  118. 118. Finite precision arithmetics Digital degradation of dynamics Non-perfect recovery of λ
  119. 119. Why? How? Design Rules Critical 1 2 3 contexts
  120. 120. Digital chaos-based cryptosystem Chaotic map Encryption architecture Loss of chaoticity Stream cipher Block cipher Bijections in entropy measures Linear complexity Differential attack Leaking of the underlying order Correlation attacks Linear attacks Defective probability distribution ... ...
  121. 121. Design rules I 1 Assure the chaotic behavior of the underlying dynamical systems 2 Guarantee avalanche effect 3 High level of entropy without leaking of the values of control parameters 4 Definition of the ciphertext avoiding the reconstruction of the underlying chaotic dynamics
  122. 122. Design rules II 5 Chaotic maps with flat histograms and width of the phase space independent of the control parameters 6 Selection of chaotic maps with high sensitivity to control parameter mismatch 7 The number of iterations of chaotic maps can not be part of the key
  123. 123. Control parameter a=3.8204607418 Control parameter a=3.8294707872 150 150 j=1 j=2 Time in seconds Time in seconds 100 j=3 100 50 50 0 0 0 50 100 0 50 100 n×j n×j Control parameter a=3.8743936381 Control parameter a=3.9771765651 150 150 Time in seconds Time in seconds 100 100 50 50 0 0 0 50 100 0 50 100 n×j n×j
  124. 124. David Arroyo et al., “On the security of a new image encryption scheme based on chaotic map lattices,” Chaos, 2008, 18, Art. No. 033112
  125. 125. Chaos-based 5 cryptography SCI Unimodal 7 maps International 8 CONFERENCES National 8
  126. 126. Future work
  127. 127. Problems detected in unimodal maps Multimodal maps Discrete chaos Other sources of chaos
  128. 128. Chaotic map Encryption Practical architecture implementation
  129. 129. Design of chaos-based cryptosystems needs of cryptography + analysis of chaotic dynamics
  130. 130. Framework for the analysis and design of encryption strategies based on discrete-time chaotic dynamical systems david.arroyo@iec.csic.es http://hdl.handle.net/10261/15668
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×