
CHAOTIC MAP CRYPTOGRAPHY AND SECURITY

2011, Horizons in Computer Science, Vol. 4, Ed. Thomas S. Clary (New York: Nova Science Publishers, Inc, 2011), pp. 301-332. International Journal of Computer Research; Huntington Vol. 19, Iss. 1 (2012) pp. 49-78.

In the last decade, chaos has emerged as a promising new candidate for cryptography because many fundamental characteristics of chaos, such as a broadband spectrum, ergodicity, and high sensitivity to initial conditions, are directly connected with two basic properties of good ciphers: confusion and diffusion. In this chapter we recount some of the saga undergone by this field; we review the main achievements in the field of chaotic cryptography, starting with the definition of chaotic systems and their properties and the difficulties the field has to overcome. According to their intrinsic dynamics, chaotic cryptosystems are classified depending on whether the system is discrete or continuous. Due to their simplicity and speed, the discrete chaotic systems based on iterative maps have received a lot of attention. In spite of the significant achievements accomplished in this field, there are still many problems, basically speed, that restrict the application of existing encoding/decoding algorithms to real systems. The major advantages and drawbacks of the most popular chaotic map ciphers in terms of security and computational cost are analyzed. The most significant cryptanalytic techniques are considered and applied for testing the security of some chaotic algorithms. Finally, future trends in the development of this topic are discussed.

In: Encryption: Methods, Software and Security. Editor: Editor Name, pp. 1-28. ISBN 0000000000. © 2010 Nova Science Publishers, Inc.

Chapter 1

Alexander N. Pisarchik*
Centro de Investigaciones en Optica, Loma del Bosque 115, Lomas del Campestre, 37150 Leon, Guanajuato, Mexico

Massimiliano Zanin
Universidad Autónoma de Madrid, 28049 Madrid, Spain

PACS 05.45.Gg, 89.20.Ff, 05.45.Vx
Keywords: Cryptography, iterative maps, chaos

* E-mail address: apisarch@cio.mx
INTRODUCTION

In recent years, the transmission of large amounts of data over communication media such as computer networks, mobile phones, and cable TV has developed rapidly, which makes the storage and transmission of confidential information a security problem. Research in this area is therefore growing in importance, to provide the required solutions for pay TV, video conferences, medical and military databases, etc. Most conventional secure ciphers, such as the Data Encryption Standard (DES), the International Data Encryption Algorithm (IDEA), the Advanced Encryption Standard (AES), linear feedback shift registers (LFSR), etc. [1, 2], treat the plaintext either as blocks or as a data stream and are not suitable for fast encryption of a large data volume (for example, color images and video) in real time. Software implementation of traditional algorithms for image encryption is even more complicated because of the high correlation between image pixels. Therefore, there is still a lot of work to be done on the development of nontraditional encryption methods.

Many researchers have pointed out the existence of a strong relationship between chaos and cryptography. In real systems, chaos and noise are two natural irregular behaviors, so the use of these motions in cryptography is also natural. The greatest advantage of a chaotic system over a noisy one is that the chaotic system is deterministic, so that exact knowledge of the initial conditions and system parameters enables one to recover a message. This property of chaos significantly facilitates the decryption process. The idea of chaotic cryptography can be traced back to Shannon [3] as early as 1949. Although he did not explicitly use the word "chaos", he did mention that well-mixing transformations in a good secrecy system can be constructed on the basis of the stretch-and-fold mechanism, which is really a chaotic motion.
The two basic properties of a good cipher, confusion and diffusion, are strongly related to the fundamental characteristics of chaos, such as a broadband spectrum, ergodicity (almost all points of a chaotic attractor are eventually visited in infinitely long time), and high sensitivity to initial conditions, so that any good cryptosystem has to present properties of chaos or pseudo-randomness. In Shannon's original definitions [3], diffusion was associated with the dependence of the output on input bits, i.e. it referred to the property that redundancy in the statistics of plaintext is dissipated in the statistics of ciphertext, whereas confusion was guaranteed by making the relationship between the key and the ciphertext as complex and involved as possible, i.e. the data sequence has to be permuted.

In the first scientific paper on chaotic cryptography, which appeared in 1989, Matthews [4] came up with the idea of a stream cipher based on a one-dimensional chaotic map. One year later, Pecora and Carroll [5] published the pioneering work on synchronization of chaotic systems, a great tool for secure communications [6]. Afterwards, chaotic cryptography took two distinct paths with almost no interaction between them: digital chaotic ciphers [7, 8, 9, 10] and chaos synchronization [11, 12, 13, 14, 15]. The principal difference between these two approaches is that in the former case a cryptosystem requires a predetermined secret key(s), while the key in the latter is the system itself. Still, the main advantage of chaotic synchronization schemes is their easy analog implementation for secure communication. Traditionally, encryption is based on discrete number theory, so that data has to be digitized before any encryption process can take place. When a continuous voice or video signal is encrypted in the old-fashioned way, digitization and encryption can pose a heavy computational burden.
Chaotic communication makes it possible to encrypt the message waveform without the need to digitize it. Furthermore, chaotic encryption can be implemented using fast analog components (electric/optical). A very important feature of any encryption scheme is its security. The traditional approach based on integer number theory has proven to be reliable, while the security of chaotic encryption still poses some problems. The incorporation of chaotic dynamics in cryptology, the science that puts together cryptography and cryptanalysis, is a relatively new approach initiated only last decade. Different cryptanalytic techniques have been developed to estimate the security of proposed chaotic ciphers [16, 17, 18, 19, 20] and of most chaotic synchronization schemes [21, 22, 23], many of which have already been broken. Until now, the security of chaotic communication has often relied on a mixture of analytic methods and intuition. However, we may positively state that no cryptosystem, with the exception maybe of quantum systems [24], is forever secure; better ways to cryptanalyze are always popping up. At present quantum cryptography is still unacceptable for modern secure communication because of serious drawbacks: first, it is too slow, and second, it can only be used over point-to-point connections and not through networks where data has to be routed.

The goal of any cryptosystem is to convert plaintext to ciphertext with the use of a secure algorithm. Generally, in any cryptosystem, the confusion and diffusion processes are repeated several times, as schematically shown in Fig. 1, and described mathematically as [25]

$$R = D^{\alpha}\left(C^{\beta}(P, K_C), K_D\right), \tag{1}$$

where $P$ and $R$ are respectively plaintext and ciphertext, $C$ and $D$ are the confusion and diffusion functions, $K_C$ and $K_D$ are the confusion and diffusion keys, and $\alpha$ and $\beta$ are numbers of rounds for total encryption and for confusion, respectively.
Equation (1) determines the cryptosystem's security; the more sensitive the functions $C$ and $D$ are to their keys $K_C$ and $K_D$ and the larger the key space, the higher the security.

[Figure 1. General scheme of a cryptosystem. Blocks: Plaintext, Confusion (with confusion key, β times), Diffusion (with diffusion key), Ciphertext; the confusion and diffusion stages are repeated α times.]

The cryptosystem's key space in Fig. 1 is defined as

$$S = \left(S_C^{\beta} S_D\right)^{\alpha}, \tag{2}$$

where $S_C$ and $S_D$ are the key spaces of the confusion and diffusion keys, which are determined by the key spaces for initial conditions and parameters in the confusion and diffusion processes. As seen from Eq. (2), the higher the powers $\alpha$ and $\beta$, the bigger the key space and hence the higher the security. However, the encryption+decryption time (EDT) also increases as $\alpha$ and $\beta$ are increased. Therefore, when designing new cryptosystems, cryptographers should always balance security and speed.

A good chaotic cryptosystem should also comply with the two requirements mentioned by Shannon [3], diffusion and confusion; both processes should be based on chaotic systems whose high sensitivity to initial conditions and parameters makes the cryptosystem extremely secure and robust against cryptographic attacks. Although chaos is an irregular motion, it is a deterministic phenomenon, and therefore the plaintext can be completely recovered if the secret keys are exactly known. Moreover, the EDT should be very short to enable real-time application; this entails that the length of the ciphertext must be the same as the length of the plaintext. In spite of the significant achievements already accomplished, there are still too many problems to be solved in the field of chaotic cryptography, and further investigation is needed to develop new efficient algorithms for real applications.
Among various chaotic cryptosystems we can distinguish the ciphers based on discrete systems (iterative maps) [8, 26, 27, 28], continuous systems (modeled by differential equations) [29, 30, 31, 32, 33, 34], and combined algorithms which jointly use discrete and continuous systems [35, 36, 37, 38]. In this chapter we restrict our review to the first class of chaotic cryptosystems, i.e. to the ciphers based on iterative maps. Even if they do not display generic behavior from a physical point of view, these systems are intrinsically interesting: they confirm the main assertion that dynamical instability is the root of irreversibility. Furthermore, chaotic cryptography based on iterative maps is simple and fast.

An iterative map is specified by a dynamical law that determines how an initial point $\mathbf{x}_0$ evolves with time. The phase space dimension (the number of system variables) associated with $\mathbf{x}$ may be higher than 1, e.g., for a three-dimensional map $\mathbf{x} = \{x, y, z\}$. The map function describes the evolution after one time step; to obtain it after $n$ steps we apply an iterative procedure:

$$\mathbf{x}_n = \mathbf{M}(\mathbf{x}_{n-1}) = \mathbf{M}(\mathbf{M}(\mathbf{x}_{n-2})) = \ldots = \mathbf{M}^n(\mathbf{x}_0), \tag{3}$$

where $\mathbf{M}$ is the vector map function that yields a discrete time series and a system trajectory in phase space. The principal characterization of chaotic trajectory dynamics is given by the values of the positive Lyapunov exponents, which determine the rate of exponential divergence of nearby trajectories. The ergodic properties of chaos (see footnote 1) and its high sensitivity to initial conditions and parameters are crucial for designing new chaotic algorithms with good confusion and diffusion properties.

Many different iterative maps generate chaotic series for certain parameters. Table 1 displays the list of the most popular ones. Note that only a few maps have been put to the test in cryptography so far. The complex motion in chaotic systems naturally defines densities in phase space.
An initial nonequilibrium density may correspond to some uncertainty in the initial condition specifications or may be thought of as representing an ensemble of systems with different initial conditions. For cryptographic applications, a smooth density is desirable, since it can be maintained on a finite region of phase space, whose evolution can shed light on some non-local information that would otherwise be missing in a point dynamical description. Thus, the natural description for the time evolution in chaotic systems is, in terms of densities, irreducible to phase space trajectories. This yields an intrinsically irreversible distribution for systems that nevertheless have time-reversible trajectory dynamics.

To understand the basics of how a chaotic encryption algorithm works, let us choose a number of iterations $n$ that depends on the number of decimal places of precision that are carried through the computing iterations of $\mathbf{M}$. Concretely, with a given decimal precision $d$, the continuous interval of interest (0,1) (0 being fixed, and 1 being eventually fixed) is transformed into a discrete set whose elements, expressed with the same precision, are also in (0,1). So, if $d$ decimal places are carried through computations, then $n$ should be equal to $10^d$. In fact, due to the chaotic nature of the calculations, after a finite number of iterations which carry more than $d$ decimal places we will begin to see drastic deviations between the more and less precise computations. It should be noted that for a given key length, there is a minimum $d$ that can be used, so that only keys of that size are available. For example, for binary key length $k$, $d$ has to satisfy the relation $10^d \geq 2^k$ to give us the maximum possible number of keys. While this indicates a lower bound for the desired $d$, increasing $d$ will provide better security at a higher computational cost. Simple computations show that, to get all 64-bit keys, at least 20 decimal places should be carried out.
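The precision argument above can be checked numerically. The following is an added example, not code from the chapter: it iterates the logistic map with every state rounded to d decimal places, reports the first iteration at which two runs differ by more than 0.1, and computes the smallest d satisfying $10^d \geq 2^k$. The parameter r = 3.995 and the initial values 0.500 and 0.501 are the ones the chapter uses for Fig. 3; the use of Python's `decimal` module, the rounding mode and the 0.1 threshold are assumptions of this example.

```python
from decimal import Decimal, ROUND_HALF_EVEN, getcontext

getcontext().prec = 80          # working precision far above any d used below

R = Decimal("3.995")            # parameter used for Fig. 3 in the chapter
X0 = Decimal("0.5")


def min_decimal_places(k_bits):
    """Smallest d with 10**d >= 2**k_bits, using exact integer arithmetic."""
    d = 0
    while 10 ** d < 2 ** k_bits:
        d += 1
    return d


def trajectory(x0, r, n, d):
    """Iterate x -> r*x*(1-x) n times, rounding every state to d decimal places."""
    quantum = Decimal(1).scaleb(-d)                 # 10**-d
    x = x0.quantize(quantum, rounding=ROUND_HALF_EVEN)
    states = []
    for _ in range(n):
        x = (r * x * (1 - x)).quantize(quantum, rounding=ROUND_HALF_EVEN)
        states.append(x)
    return states


def first_split(run_a, run_b, threshold=Decimal("0.1")):
    """1-based iteration at which two runs first differ by more than threshold."""
    for i, (a, b) in enumerate(zip(run_a, run_b), start=1):
        if abs(a - b) > threshold:
            return i
    return None


def precision_mismatch(d_low=10, d_high=20, n=500):
    """Same key material, different agreed precision on the two sides."""
    return first_split(trajectory(X0, R, n, d_low), trajectory(X0, R, n, d_high))


def initial_value_mismatch(d=20, n=500):
    """Same precision, initial values 0.500 and 0.501 as in Fig. 3."""
    return first_split(trajectory(X0, R, n, d),
                       trajectory(Decimal("0.501"), R, n, d))


if __name__ == "__main__":
    print("decimal places needed for 64-bit keys :", min_decimal_places(64))
    print("decimal places needed for 128-bit keys:", min_decimal_places(128))
    print("d=10 and d=20 runs split at iteration :", precision_mismatch())
    print("x0=0.500 and 0.501 split at iteration :", initial_value_mismatch())
```

Two parties that round differently are, for this purpose, using different maps: the states agree only for the first few dozen iterations.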
Therefore, before using a common chaotic map algorithm, sender and receiver must agree at least on the following information: (i) initial values $\mathbf{x}_0$, (ii) system parameters, (iii) a decimal precision $d$ to be used, and (iv) a number of iterations $n$. With this information at hand, one can simply compute a key by selecting the $k$ least significant digits of $\mathbf{M}^n(\mathbf{x}_0)$, expressed as a binary code calculated with precision $d$. This key generation process is in itself fairly secure for a sufficiently large $n$ (in fact, not extremely large). A very small variation either in $\mathbf{x}_0$ or in $d$ will lead to a drastically different key, and of course, due to the strong divergence of the chaotic trajectory, a single extra (or fewer) iteration will also yield a completely different key. In typical applications of symmetric key cryptography, it is wise to have a large number of secret keys.

Footnote 1: In an ergodic system, long time averages may be replaced by phase space averages.

Based on strengths and weaknesses of already existing algorithms, Kelber and Schwarz [39] formulated ten general rules to design a good chaos-based cryptosystem:

1. Either use suitable chaotic maps which preserve important properties during discretization for a block cipher, or use a balanced combining function and a suitable key stream generator for a stream cipher.
2. Use a large key space.
3. Do not use initial conditions of an inverse system as part of the key.
4. Avoid simple permutations of identical system parameters.
5. Use the same precision for subkey values and their corresponding system parameters.
6. Use a complex input key transformation.
7. Use a dynamical system.
8. Use complex nonlinearities.
9. Modify nonlinearities in terms of key and signal values.
10. Use several rounds of operation for block ciphers.

In the remainder of this chapter we review the most significant achievements in the history of chaotic encryption based on chaotic maps, a novel field of cryptography.
In section 2 we consider the encryption of standard messages (text), while in section 3 we analyze chaotic cryptosystems used for image and video. Section 4 describes major advantages and drawbacks of the more popular chaotic ciphers in terms of security and computational cost using the most important cryptanalytic techniques. Finally, in section 5 conclusions and future trends in the development of this topic are presented.

ENCRYPTION OF STANDARD MESSAGES

ERGODICITY OF CHAOTIC LOGISTIC MAP

The logistic map is one of the simplest and thus most widely used chaotic maps. Introduced first in 1845 by Verhulst [40, 41] as a model for the population growth of a species, it is expressed as a recurrence equation:

$$x_{n+1} = r x_n (1 - x_n), \tag{4}$$

where the parameter $r$ belongs to the interval [0, 4] and determines the map behavior, while $n$ is the iteration number that discretizes time. Figure 2 shows the bifurcation diagram where, starting at a certain initial value $x_0$, every iteration value $x_n$ of the map Eq. 4 is plotted as a function of $r$. The right-hand side of the diagram clearly exhibits that for most values of $r$ between 3.57 and 4.0 the system is in a chaotic regime, i.e. the variable $x_n$ can take any value within a certain interval, where the system dynamics is very sensitive to the initial condition. In Fig. 3 we plot two time series obtained for the same parameter $r = 3.995$ but for two slightly different initial conditions ($x = 0.500$ and $x' = 0.501$). One can see that after only 25 iterations the two trajectories are completely different.

[Figure 2. Bifurcation diagram of logistic map Eq. 4.]

[Figure 3. Time series generated with the same parameter r = 3.995 but with slightly different initial values (x0 = 0.5 and 0.501). Axes: x_n versus n.]

Baptista [8] was the first to explore the usefulness of the logistic map ergodicity in the realm of digital cryptography.
To encrypt a message, he assigned to every alphabetic character a certain range of the variable $x_n$. Starting from a particular initial value $x_0$ (which was part of the secret key), he iterated the logistic map until $x_n$ fell within the region corresponding to the first character of the plaintext. He then represented the corresponding number of iterations as the first character of the ciphertext. For the second character of the message, this procedure was executed again taking $x_n$ as the new initial condition. Another parameter $\eta \in (0, 1)$ was chosen to define the probability of discarding a value $x_n$: each time $x_n$ falls within the range of the character to be encoded, a random number is drawn from a uniform distribution between zero and one; if this number is less than $\eta$, then the sender keeps iterating the map until $x_n$ falls again in the required range. Since $\eta > 0$, a single initial character can be encoded in different ciphertexts, thus increasing the security of the algorithm. Note that the receiver does not need to know the value of $\eta$, nor the value of the random number generated by the sender; he/she needs only to iterate the chaotic map according to the received value, and the result of such iterations will be the decoded character, independently of how the sender generated that value.

Like many chaos-based cryptosystems, Baptista's method [8] is both slow and insecure. The computational cost problem was first tackled by Wong, et al. [42]. Instead of generating a random number each time $x_n$ falls in the target range, only a single random integer number $R$ is drawn; the logistic map is then iterated $R$ times prior to the encryption process. However, even with only one random number, this modified algorithm is still too slow to be used in most applications. Wong, et al. [42] reported in 2001 that in order to encrypt 4 KB of information with a state-of-the-art PC, 4 seconds were required, meaning 8 KB processed every second in an up-to-date system, and therefore to encrypt the content of a CD-ROM it would take almost a whole day.

The second attempt to take advantage of chaos ergodicity in cryptography was made by Álvarez, et al. [10], who suggested using a chaotic function of the form

$$x_{n+1} = f(x_n, x_{n-1}, \ldots), \tag{5}$$

as a construction block of the chaotic cryptosystem. The logistic map is then just a particular case of Eq. 5 when the function $f(x) = rx(1 - x)$. By iterating the map Eq. 5 and using a threshold $U$, a sequence of bits $b_n$ is generated as follows

$$b_n = \begin{cases} 1, & x_n > U, \\ 0, & x_n \leq U. \end{cases} \tag{6}$$

When the bit sequence generated by the chaotic map is equal to the first part of the message to be transmitted, that part is encoded by the triplet $(n, x_0, U)$, i.e. by the number of iterations $n$ needed to generate the correct sequence, the initial value of the map $x_0$, and the threshold $U$.

Both algorithms, the one proposed by Baptista [8] and the other by Álvarez [10], were cryptanalyzed some years later by Jakimoski and Kocarev [43]. They first noted that the security of the second algorithm relies on the assumption that the attacker does not know the actual chaotic function, i.e. the map Eq. 5 is secret. This assumption is contrary to one of the fundamental principles of cryptography, known as Kerckhoffs' principle [44], which states that the security of an encryption process should only be guaranteed by secret key(s), and never by the algorithm itself. Jakimoski and Kocarev [43] also showed that both algorithms are vulnerable to known-plaintext attacks. By feeding the systems with a limited number of predefined messages (4000 for Baptista's and 1000000 for Álvarez's algorithm), and by recording the output of the encryption process, an attacker can construct an almost complete decryption vocabulary.
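Baptista's encoding as described above, written out as an added example (not code from the chapter or from Baptista's paper). The parameter r = 3.8, the interval [0.2, 0.8], the 256 equal-width sites and the initial value are assumptions of this example; the chapter states only that each character owns a range of $x_n$ and that $x_0$ is part of the key.

```python
import random

R = 3.8                    # logistic-map parameter (assumed for this example)
X0 = 0.232323              # secret initial value (constructed sample key)
X_LO, X_HI = 0.2, 0.8      # part of the attractor divided among symbols (assumed)
N_SITES = 256              # one equal-width site per byte value (assumed)
MAX_ITER = 1_000_000       # guard against a site that is never reached


def site_of(x):
    """Index of the site containing x, or None if x lies outside [X_LO, X_HI)."""
    if not X_LO <= x < X_HI:
        return None
    return min(int((x - X_LO) / (X_HI - X_LO) * N_SITES), N_SITES - 1)


def encrypt(message, x0, r, eta, rng):
    """Return one iteration count per plaintext byte.

    A visit to the target site is accepted only if the random draw is >= eta,
    so for eta > 0 the same plaintext maps to many different ciphertexts.
    """
    x, counts = x0, []
    for symbol in message:
        n = 0
        while True:
            x = r * x * (1.0 - x)
            n += 1
            if n > MAX_ITER:
                raise RuntimeError("site for symbol %d not reached" % symbol)
            if site_of(x) == symbol and rng.random() >= eta:
                break
        counts.append(n)           # the trajectory continues from x for the next byte
    return counts


def decrypt(counts, x0, r):
    """Replay the map; the receiver needs neither eta nor the sender's draws."""
    x, out = x0, bytearray()
    for n in counts:
        for _ in range(n):
            x = r * x * (1.0 - x)
        s = site_of(x)
        out.append(s if s is not None else ord("?"))   # only happens with a wrong key
    return bytes(out)


def mean_iterations(counts):
    """Average number of map iterations spent per plaintext byte."""
    return sum(counts) / len(counts)


if __name__ == "__main__":
    msg = b"chaotic maps are slow"
    # random.Random is used for reproducibility; a real sender would need a CSPRNG.
    c1 = encrypt(msg, X0, R, 0.5, random.Random(1))
    c2 = encrypt(msg, X0, R, 0.5, random.Random(2))
    print("ciphertext 1:", c1[:5], "...")
    print("ciphertext 2:", c2[:5], "...")
    print("both decrypt:", decrypt(c1, X0, R), decrypt(c2, X0, R))
    print("wrong x0    :", decrypt(c1, X0 + 1e-12, R))
    print("iterations per byte:", round(mean_iterations(c1)))
```

Each output number exceeds one byte in most cases and costs hundreds of map iterations, which is the speed and expansion problem the chapter attributes to this scheme.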
In the following years, many different modifications of Baptista's original algorithm have been proposed (see, for example, [45, 46, 47, 48]), but all of them have been cryptanalyzed using similar techniques (e.g., [49]). Intuitively, a single logistic map cannot provide dynamics complex enough to be used in cryptographic applications; therefore, for chaotic encryption, more sophisticated systems have to be conceived, such as combinations of two or more different chaotic maps.

STREAM CIPHERS USING LOGISTIC MAP

The use of the chaotic logistic map in cryptography takes advantage of its ergodic property. So do other interesting new algorithms whose aim is to create stream ciphers. In these encryption schemes, a plaintext is mixed with a keystream; when the mixing process is performed by some suitable bitwise operator (such as XOR or XNOR) and the keystream is a random sequence of bits, we expect the encryption process to be completely secure. The security problem is therefore reduced to the creation of a pseudo-random bit generator with good statistical properties. The first such method was proposed by Bianco, et al. [50, 51], who described the bit generation process by the following equation

$$b = \begin{cases} 0, & x_n \in [x_l, x_m], \\ 1, & x_n \in [x_m, x_r]. \end{cases} \tag{7}$$

When the logistic map is iterated $n$ times, a value $x_n$ is obtained; the algorithm checks whether $x_n$ falls within the interval $[x_l, x_r]$ and stops if it does, otherwise the number is discarded and another iteration of the map is executed. The previously defined interval is further divided into two equal sub-intervals; if the accepted $x_n$ falls in the left sub-interval (i.e., $x_n \in [x_l, x_m]$), 0 is added to the output stream, and 1 otherwise.
This is a very slow process for obtaining a bit sequence that will pass the usual statistical randomness tests; to improve its statistical characteristics, the interval $[x_l, x_r]$ should be quite narrow, which leads to discarding a great part of the map's iterations and therefore slows the generator down. Another approach was developed later by Phatak, et al. [52], who introduced the following change of variable:

$$x_n = \frac{1 - \cos\theta_n}{2} = \sin^2\frac{\theta_n}{2}. \tag{8}$$

When applied to the logistic map for $r = 4$, Eq. 4 is transformed into

$$\theta_{n+1} = 2\theta_n, \quad \theta_n < \pi/2, \qquad \theta_{n+1} = 2\pi - 2\theta_n, \quad \theta_n > \pi/2. \tag{9}$$

In other words, the application of the logistic map stretches a closed circle by a factor of two and then collapses it back to the original circle. This dynamics is periodic if and only if the initial value $\theta_0$ is a rational fraction of $\pi$. In all other cases, the correlation between values of the sequence $\theta_n, \theta_{n+\tau}, \theta_{n+2\tau}, \ldots$ is lost for $\tau > 23$.

Instead of discarding values from the series generated by the logistic map, Lee, et al. [53] proposed to use just the lower bits of each obtained number, i.e. an integer number in the range $[0, S]$ is obtained at each iteration by means of the following transformation:

$$B_n = A x_n \bmod S, \tag{10}$$

where $A$ is an arbitrary constant. In spite of its efficiency, this approach is not very functional since it strongly relies on the computer's internal binary representation of the number generated by the logistic map; the obtained random sequence of $B_n$ will depend on the hardware used, so that two different processors will generate different outputs.

All these methods share a common drawback inherent to the logistic map: the main secret key is a single parameter, i.e. $r$. Therefore, the resulting key space is small, leaving the door open to a brute force attack. To avoid this problem, Li, et al. [54] suggested building a coupled map lattice (CML) of different logistic maps, so that both the complexity of the cryptosystem and the number of secret keys are improved. Every map $j = 1, \ldots, L$ in the CML is defined by the following equation

$$x^j_{n+1} = (1 - \varepsilon) f(x^j_n, a_j) + \varepsilon f(x^{j-1}_n, a_{j-a}), \tag{11}$$

where $\varepsilon$ is a coupling coefficient between different maps and $f(x, a)$ is the logistic map function described by Eq. 4 with parameter $a$. All maps are finally combined sequentially to create the output keystream

$$K^j_n = \mathrm{int}\left[2^u x^j_n\right] \bmod 2^v, \tag{12}$$

where $u$ and $v$ are arbitrary constants.

Rhouma and Belghith [55] recently criticized this approach with arguments that can hold for all stream ciphers based on chaotic maps. Namely, since the keystream is just a function of the system key(s) and does not vary when the plaintext changes, it is quite easy to retrieve this keystream by getting temporary access to the encryption machine and encrypting or decrypting an all-zero message. For instance, if the keystream corresponding to a given key combination is $K = (1, 0, 0, 1, 0, 1)$, when combined through a XOR operation with the text $M = (0, 0, 0, 0, 0, 0)$, the output will be $C = (1, 0, 0, 1, 0, 1)$, i.e. the keystream itself. Any subsequent message will be decrypted as long as the keys remain unchanged. The algorithm's security is thus totally violated.

OTHER APPROACHES USING CHAOTIC MAPS

As previously stated, all approaches to chaotic cryptography using only one logistic map have proven to be insecure, mainly because the secret keys of the system are either the parameter $r$ or the number of iterations or both. In this context, the approach of Pareek, et al. [26] has to be mentioned. They proposed to generate the system parameters in a non-trivial way, namely, by using an external secret key. The method starts with a secret key of 128 bits split into groups of 8 bits: $K = K_1 K_2 K_3 \ldots K_{16}$.
The initial conditions $X_S$ and the number of iterations $N_S$ are obtained as follows:

$$X_S = (K_1 \oplus K_2 \oplus \cdots \oplus K_{16})/256, \qquad N_S = (K_1 + K_2 + \cdots + K_{16}) \bmod 256. \tag{13}$$

The parameter $r$ of the logistic map is also generated deterministically by a modified linear congruential random number generator initialized with an initial secret key. The map so defined is iterated and the output value $X_{new}$ is used to encrypt the first message symbol $P_0$ as

$$C_0 = (P_0 + \lfloor 256 X_{new} \rfloor) \bmod 256. \tag{14}$$

Then, subsequent symbols of the message are encoded in a similar way, using the obtained $X_{new}$ as the seed for the next iteration.

Unfortunately, in the same year Álvarez, et al. [56] managed to break this algorithm. The generation of the parameter $r$ of the map was the weakest point. According to Pareek's method, $r$ can take only 81 different values; to make it worse, some of these possible values correspond to period-3 orbits. These limitations narrow the system's dynamical range, allowing a very cheap brute-force attack: only three plaintexts of approximately 1000-symbol length are needed.

This last failure in creating a secure algorithm using only a single logistic map was the trigger to change the paradigm; complexity had to be guaranteed in order to improve security. Therefore, combinations of chaotic maps appeared as a possible solution to this problem. Based on the previously published algorithm [26], Pareek et al. [57] constructed a cryptosystem by putting together four different chaotic maps: the logistic, tent, sine, and cubic maps, expressed, respectively, by the following four equations:

$$x_{n+1} = \lambda x_n (1 - x_n), \tag{15}$$

$$x_{n+1} = \begin{cases} \lambda x_n, & \text{if } x_n > 0.5, \\ \lambda (1 - x_n), & \text{if } x_n \le 0.5, \end{cases} \tag{16}$$

$$x_{n+1} = \lambda \sin(\pi x_n), \tag{17}$$

$$x_{n+1} = \lambda x_n (1 - x_n^2). \tag{18}$$

The parameter $\lambda$ for all maps is defined at the beginning of the encryption process, independently of the secret keys, and it is publicly shared with the receiver: in other words, the security is not dependent on the maps' parameters, but rather on their initial conditions, previously generated with a certain simple equation from the secret keys. Before encryption, the plaintext is divided into blocks of different lengths, which are calculated from the secret keys with the help of a linear congruential random number generator, and are assigned to each chaotic map with the help of the same generator. In this way, different fragments of the plaintext are encoded with different chaotic maps; the receiver can easily undo the operation by also calculating the initial conditions and block lengths from the secret keys.

To overcome the security problem with the known-plaintext attack, Wei, et al. [58] proposed further modifications of this algorithm; nevertheless, even their improved version was successfully cryptanalyzed one year later, again by Álvarez's group [59]; only 120 plain-bytes in one known plaintext were needed to recover the secret key. Furthermore, the speed of this class of algorithms still remains a big challenge. Although Pareek, et al. [26, 57] claimed that their methods are faster than other alternative ciphers based on chaotic maps, to encrypt the content of a CD-ROM their algorithms take 132 [26] and 95 [57] minutes.

CHAOTIC MAPS FOR PUBLIC-KEY CRYPTOGRAPHY

Only recently have public-key encryption algorithms based on chaotic systems taken an important place back in the mainstream of cryptography research. To illustrate how they work, suppose that a user called Bob wants to transmit a private message to another user, say Alice. Transmission of secret keys is forbidden to ensure security. Alice then creates a pair of keys, say $d$ and $e$, so that computing $d$ from $e$ is computationally infeasible. $d$ is a private key and Alice must keep it secret, while $e$ is a public key that may be shared with everyone, particularly with Bob. Anyone wishing to send a message to Alice should encrypt it with the public key $e$, but the only way to decrypt it is to use the private key $d$; therefore Alice is the only one capable of doing it. Thus, the public key serves only for encryption, while the private key serves only for decryption.

The first public-key chaotic algorithms involved neural networks coupled with chaotic maps [60, 61]. That is, both sender and receiver have identical neural networks driven by the same external sequence of random bits acting as the public key, while the internal connections' weight is used as the private key. The receiver uses the public key to synchronize his/her own network with the sender's and the private key to decrypt the message. When using chaotic synchronization, as the complexity of the neural networks increases, so do both the security and the computational cost (the time needed to synchronize the two networks grows). While the system is apparently safe from an individual attack, it has been shown that a breach in security can be brought about with a majority flipping attack, in which a group of attackers cooperates throughout the synchronization process [62].

Kocarev, et al. [63] proposed to put in the same category a wide class of chaotic encryption algorithms together with more classical approaches, such as RSA, ElGamal, or Rabin, describing them with the generalized map:

$$Y = T_p(X) \bmod N, \tag{19}$$

where $p$ and $N$ are integer numbers and $X \in \{0, 1, \ldots, N - 1\}$. $T_p$ are the Chebyshev polynomials of order $p$, defined by the following recurrence relation:

$$T_0(x) = 1, \tag{20}$$

$$T_1(x) = x, \tag{21}$$

$$T_2(x) = 2x^2 - 1, \qquad T_{p+1}(x) = 2x T_p(x) - T_{p-1}(x). \tag{22}$$

Under this mapping, the interval $[-1, 1]$ is invariant; furthermore, for $p > 0$ the map is chaotic with a unique absolutely continuous invariant measure with positive Lyapunov exponent $\ln p$.
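The following added example (not code from the chapter or from Ref. [63]) evaluates the map of Eqs. 19-22 over the integers modulo $N$ and checks the composition identity $T_r(T_s(x)) = T_{rs}(x) = T_s(T_r(x))$, the standard Chebyshev property that lets two parties with private exponents $r$ and $s$ arrive at a common value. The function names and all numeric parameters are constructed for illustration and are not secure choices.

```python
# Added example: Chebyshev map of Eqs. 19-22 over the integers modulo N.
# All numeric parameters below are constructed toy values, not secure choices.

def cheb_recurrence(p, x, n):
    """T_p(x) mod n by applying the recurrence of Eq. 22 step by step: O(p)."""
    if p == 0:
        return 1 % n
    prev, cur = 1 % n, x % n                      # T_0(x), T_1(x)
    for _ in range(p - 1):
        prev, cur = cur, (2 * x * cur - prev) % n
    return cur


def cheb_mod(p, x, n):
    """T_p(x) mod n in O(log p) steps.

    Uses T_{2k} = 2 T_k^2 - 1 and T_{2k+1} = 2 T_k T_{k+1} - x, which follow
    from the product identity 2 T_a T_b = T_{a+b} + T_{|a-b|}.
    """
    x %= n
    a, b = 1 % n, x                               # (T_k, T_{k+1}) for k = 0
    for bit in bin(p)[2:]:                        # most significant bit first
        if bit == "0":                            # k -> 2k
            a, b = (2 * a * a - 1) % n, (2 * a * b - x) % n
        else:                                     # k -> 2k + 1
            a, b = (2 * a * b - x) % n, (2 * b * b - 1) % n
    return a


def key_agreement(n, x, r, s):
    """Both sides' view of an exchange built on T_r(T_s(x)) = T_s(T_r(x)).

    r and s are the two private exponents; x and n are public.
    Returns (value computed by the holder of r, value computed by the holder of s).
    """
    pub_r = cheb_mod(r, x, n)                     # sent in the clear
    pub_s = cheb_mod(s, x, n)                     # sent in the clear
    return cheb_mod(r, pub_s, n), cheb_mod(s, pub_r, n)


if __name__ == "__main__":
    N = 2**61 - 1                                 # constructed modulus
    X = 123456789                                 # constructed public value
    R, S = 1_000_003, 2_000_029                   # constructed private values
    k1, k2 = key_agreement(N, X, R, S)
    print(k1 == k2 == cheb_mod(R * S, X, N), hex(k1))
```

The same identity that makes the two values agree is algebraic structure an analyst can use, so agreement of the two sides says nothing about the hardness of recovering $r$ or $s$.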
Moreover, for $p = 1$, the Chebyshev map reduces to the logistic map of Eq. 4. Since the map of Eq. 22 is used as a generalization of the RSA algorithm to construct a public-key encryption algorithm [63], one might expect that, taking advantage of the intractability of the integer factorization problem, it will inherit its security. However, as was recently shown [64], the Chebyshev map alone cannot provide good enough security.

Finally, one of the latest approaches to this class of problems was proposed in 2005 by Wang, et al. [65] through so-called “Merkle’s puzzles” [66]. In this method the receiver first generates a large number (for instance, one million) of puzzles (messages) of the form: “This is puzzle number x and its secret key is y”, where x and y are just a random number and a random secret key. All these messages are encrypted with a low-security algorithm (for instance, with 20-bit keys) and sent to other users. Each receiver of all these messages (including the one sending the secret message) chooses one of them at random and performs a brute-force attack on it in order to retrieve the pair (x, y). After that, he encrypts the message with y and sends it back to the original user along with x. The target receiver can now easily decrypt this communication by just remembering which key was associated with the random number x, whereas an unauthorized user would have to perform a brute-force attack on each one of the original puzzles, thus facing an extremely high computational cost. Here, the main drawback is that the receiver has to keep all transmitted messages, to be able to retrieve the key once he gets the associated random number x. Security is only maintained with a large enough number of puzzles. To circumvent this difficulty, Wang, et al. [65] proposed to substitute the pair (x, y) by pseudo-random values generated with a one-way coupled map lattice composed of chaotic logistic maps.
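The puzzle exchange described above can be followed end to end in this added sketch, which is not code from Refs. [65] or [66]. It assumes a SHA-256 keystream as the "low-security algorithm", an HMAC as a stand-in for the coupled map lattice that regenerates y from x, and 12-bit puzzle keys with 200 puzzles instead of the 20-bit keys and one million puzzles of the text, so that it runs in well under a second.

```python
import hashlib
import hmac
import random

PREFIX = b"This is puzzle number "
MIDDLE = b" and its secret key is "
KEY_BITS = 12        # the text's example uses 20-bit keys; reduced for a fast demo


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || counter). Stand-in only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def derive_y(master: bytes, x: int) -> bytes:
    """Receiver-side rule y = f(x): the receiver recomputes y instead of storing
    every (x, y) pair. HMAC is a stand-in for the coupled map lattice."""
    return hmac.new(master, x.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


def make_puzzles(master: bytes, count: int, rng: random.Random) -> list:
    """Receiver: build `count` puzzles, each locked with its own weak key."""
    puzzles = []
    for x in rng.sample(range(2**32), count):
        text = PREFIX + str(x).encode() + MIDDLE + derive_y(master, x).hex().encode()
        weak_key = rng.randrange(2**KEY_BITS).to_bytes(4, "big")
        puzzles.append(stream_xor(weak_key, text))
    return puzzles


def solve_puzzle(puzzle: bytes):
    """Sender: brute-force one puzzle; returns (x, y, number of keys tried)."""
    for k in range(2**KEY_BITS):
        plain = stream_xor(k.to_bytes(4, "big"), puzzle)
        if plain.startswith(PREFIX) and MIDDLE in plain:
            x_part, y_part = plain[len(PREFIX):].split(MIDDLE)
            return int(x_part.decode()), bytes.fromhex(y_part.decode()), k + 1
    raise ValueError("no key in the weak key space opens this puzzle")


def exchange(message: bytes, count: int = 200, seed: int = 1):
    """Run the whole protocol once and return what each party ends up with."""
    rng = random.Random(seed)    # deterministic demo; real keys need a CSPRNG
    master = bytes(rng.randrange(256) for _ in range(16))
    puzzles = make_puzzles(master, count, rng)              # receiver -> everyone
    x, y, tried = solve_puzzle(rng.choice(puzzles))         # sender opens one puzzle
    ciphertext = stream_xor(y, message)                     # sender -> receiver, with x
    recovered = stream_xor(derive_y(master, x), ciphertext) # receiver recomputes y
    eavesdropper_worst_case = count * 2**KEY_BITS           # open puzzles until x appears
    return recovered, tried, eavesdropper_worst_case


if __name__ == "__main__":
    print(exchange(b"meet at the usual place"))
```

The legitimate sender tries at most 2**KEY_BITS keys, while an observer who only sees x may have to open every puzzle; the gap is linear in the number of puzzles, which is why the text insists on a large puzzle count.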
With this substitution, the receiver can instantaneously calculate the associated secret key from his knowledge of the puzzle identification code. The memory and computation time needed are therefore considerably reduced. One can keep one's expectations high, since no attack has been successful so far.

ENCRYPTION OF IMAGES AND VIDEO

While classical cryptosystems (like IDEA, AES, DES or RSA) were originally designed to encrypt standard messages, mainly text, in the last decade a new kind of content in great need of attention (images, video, and multimedia information) has gained in importance. Graphical contents have some intrinsic characteristics which require special considerations when designing cryptographic algorithms. First of all, they are associated with large quantities of information; as an extreme example, movies are stored in several GB of information. Second, they have to be decrypted in real time for a smooth viewing experience; therefore, speed is a major requirement. Furthermore, images are characterized by a high redundancy of data, because of a strong correlation among adjacent pixels; the encryption algorithm should therefore be efficient in destroying any original pattern, no matter how broad, otherwise the human eye may be able to reconstruct part of the graphical information. It is in this context that chaos-based cryptography has the most to offer; this is evident from the growing number of works devoted to image encryption [25, 9, 73, 72, 35, 74].

In chaotic block cryptosystems, chaotic maps are usually used to encrypt a plaintext² block by block, whereas chaotic stream cryptosystems utilize a chaotic map for bit-by-bit encryption. Parameters and/or initial values of the diffusion function (chaotic map) normally serve as diffusion and confusion keys to modify pixel values sequentially and change pixel positions.
Fridrich [9] was the first one to suggest a permutation of the pixel positions in a chaotic fashion, using either the Baker map or the cat map for chaotic confusion. However, Lian, et al. [25] pointed out that not all map parameters are secure enough to be used as encryption keys. Therefore, they designed a symmetric block cipher based on the chaotic standard map for a confusion process, plus a diffusion function and a key generator. Since chaotic stream ciphers that utilize only one chaotic system to generate a pseudorandom sequence for image encryption are not secure enough to withstand powerful cryptographic attacks, Guan, et al. [35] designed a more complex system which combines both discrete and continuous chaotic systems. At the confusion stage, pixel positions are shuffled by the Arnold cat map, while at the diffusion stage, pixel values of the shuffled image are encrypted by the continuous Chen's chaotic system. Recently, Pareek, et al. [75] proposed an image encryption scheme which exploits two chaotic logistic maps and an external 80-bit key. The initial conditions for both logistic maps are derived from the external secret key. The first logistic map is used to generate numbers in the range between 1 and 24, and the initial condition of the second logistic map is modified by the numbers generated by the first logistic map. The authors showed that by modifying the initial condition of the second logistic map in this way, its dynamics becomes more unpredictable.

² In some works on image encryption, plaintext and ciphertext are referred to as “plain image” and “cipher image” [25, 77].

Unfortunately, in the majority of known algorithms based on a block cipher encryption technique, plaintext files are represented as blocks of bits. The encryption speed of such cryptosystems is relatively slow; the necessary number of iterations of the chaotic map for encrypting an 8-bit symbol is at least 200 and can reach 29617 [47].
A large block of plaintext, such as 128-bit, usually used in conventional cryptosystems, requires significantly higher speed [58]. Since the length of the ciphertext is often larger than the plaintext length, the size of encrypted multimedia files is enormous.

A completely different approach to image encryption has been proposed in Ref. [77]. Every image pixel is considered as a chaotic map on its own; by separating the colors (red, green, blue), the whole image is represented by three chaotic map lattices, one for each color. Since the logistic map is noninvertible, to recover the original image all the maps (pixels) of the plain image should be coupled, so that every encrypted pixel contains some information on the original color of a neighboring pixel. In other words, all pixels are somehow mixed. For example, in the algorithm developed in Ref. [77] all maps are coupled (pixel by pixel) by initial conditions, providing a good diffusion property.

Note that the main problem in modern communication technology is not so much the security of an encryption algorithm as its good dynamic properties, i.e. its robustness against noise or other external disturbances. It is in this sense that unidirectional coupling of all image pixels worsens the dynamic properties, since the image cannot be recovered if even one pixel undergoes a small error. To overcome this drawback, the novel cryptosystem [79] utilizes chaotic coupling, or chaotic mixing of pixels' colors, instead of neighboring-pixel coupling. This allows a significant security enhancement, while decreasing the encryption time. From the topological point of view, mixing in phase space means that the system evolves over time in such a way that any given region or open set will eventually overlap with any other given region; the mixing of colored dyes and turbulent fluids are prototypes of chaos.
2D AND 3D CHAOTIC MAPS

One of the first attempts to create an efficient cryptographic algorithm designed specifically for images was made by Fridrich [67], followed by the works of Pichler and Scharinger [68, 69]. The family of algorithms they proposed is based on bidimensional chaotic maps, i.e. a square interval (usually, the unit square $I \times I$, $I = [0, 1]$) maps onto itself in a one-to-one manner. Among all 2D chaotic maps, the standard map, the cat map, and the Baker map are most prevalent. When used on an $N \times N$ image, these maps can be written, respectively, in their discretized forms as:

$$\begin{cases} x_{j+1} = (x_j + y_j) \bmod N, \\ y_{j+1} = \left( y_j + k \sin \dfrac{x_{j+1} N}{2\pi} \right) \bmod N, \end{cases} \tag{23}$$

$$\begin{bmatrix} x_{j+1} \\ y_{j+1} \end{bmatrix} = \begin{bmatrix} 1 & u \\ v & uv + 1 \end{bmatrix} \begin{bmatrix} x_j \\ y_j \end{bmatrix} \pmod{N}, \tag{24}$$

$$\begin{cases} x_{j+1} = \dfrac{N}{k_i} (x_j - N_i) + y_j \bmod \dfrac{N}{k_i}, \\ y_{j+1} = \dfrac{k_i}{N} \left( y_j - y_j \bmod \dfrac{N}{k_i} \right) + N_i, \end{cases} \quad \text{with} \quad \begin{cases} k_1 + k_2 + \ldots + k_t = N, \\ N_i = k_1 + \ldots + k_{i-1}, \\ N_i \le x_j < N_i + k_i, \\ 0 \le y_j < N. \end{cases} \tag{25}$$

Here, $x_j$ and $y_j$ are the coordinates of an image pixel at the $j$-th iteration; $u$ and $v$ in the cat map Eq. 24 and $K = [k_1, k_2, \ldots, k_t]$ in the Baker map Eq. 25 are the parameters to be used as secret keys.

Figure 4. Graphical representation of the transformation performed by the 2D Baker map.

In Fridrich's encryption scheme [67] based on the Baker map Eq. 25, the transformation represented in Figure 4 divides the image into two (or, more generally, into n) vertical strips, which are vertically stretched and horizontally compressed in order to be rearranged horizontally. The proposed encryption scheme, which has been widely used since, can be summarized as follows:

1. Define a suitable 2D chaotic map, mapping the unit square $I \times I$, $I = [0, 1]$ onto itself in a one-to-one manner; generalize that map by introducing some parameter that alters its standard behavior and discretize it. At the end, what is obtained is a map which takes each pixel and assigns it to some other pixel in a bijective manner (the discretized version is a permutation of pixels).
2. Extend the previous 2D map to a 3D map, where the third dimension will be used to permute the gray-scale value of each pixel. In this way, the actual color content of each pixel is also changed. An efficient and secure cipher applied to a black square should result in a uniform histogram.
3. Compose the previous map with a simple diffusion mechanism to spread the information of one pixel over different pixels.
4. Repeat steps 2 and 3 as many times as needed.

Figure 5. Image encryption scheme proposed by Fridrich [67].

Figure 6. Graphical representation of the transformation performed by the 3D Baker map.

This process is schematically represented in Figure 5. Due to its extremely high efficiency, the method proposed by Fridrich [67] has been widely explored afterward. It allows encoding more than 16 MB of information in one second with a standard 1 GHz processor. Analyzing the security of Fridrich's algorithm, Lian, et al. [25] found that it relies mostly on the diffusion process, so that once this is broken, the remaining part (the confusion process) can be easily attacked with almost any known-plaintext strategy at a relatively low computational cost.

Later on, several modifications (evolutions) of Fridrich's approach have been proposed (see, for instance, Refs. [70, 71]). New algorithms for image encryption based on 3D chaotic maps have also been developed (see, e.g., Refs. [72, 73]). The previously introduced 2D Baker map was expanded to the third dimension [72], as shown in Figure 6.
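Step 1 of the scheme above, taken on its own, can be checked with this added example (not code from Fridrich or from the chapter), which applies the discretized cat map of Eq. 24 to a small image. It verifies that the map is a permutation of pixel positions, that a pure permutation leaves the histogram untouched (the reason steps 2 and 3 are needed), and that repeated rounds eventually restore the image; the test image and the key values u, v are constructed.

```python
from collections import Counter


def cat_map(x, y, u, v, n):
    """One application of Eq. 24 to the pixel position (x, y) of an n x n image."""
    return (x + u * y) % n, (v * x + (u * v + 1) * y) % n


def permute(img, u, v, rounds=1):
    """Move every pixel to its cat-map image; pixel values are not modified."""
    n = len(img)
    for _ in range(rounds):
        out = [[None] * n for _ in range(n)]
        for x in range(n):
            for y in range(n):
                nx, ny = cat_map(x, y, u, v, n)
                out[nx][ny] = img[x][y]
        img = out
    return img


def is_bijection(u, v, n):
    """True if no two positions collide (the matrix of Eq. 24 has determinant 1)."""
    return len({cat_map(x, y, u, v, n) for x in range(n) for y in range(n)}) == n * n


def period(u, v, n):
    """Smallest t > 0 such that t rounds send every pixel back to where it started."""
    m = (1 % n, u % n, v % n, (u * v + 1) % n)     # matrix of Eq. 24, row-major
    identity = (1 % n, 0, 0, 1 % n)
    cur, t = m, 1
    while cur != identity:
        a, b, c, d = cur
        cur = ((a * m[0] + b * m[2]) % n, (a * m[1] + b * m[3]) % n,
               (c * m[0] + d * m[2]) % n, (c * m[1] + d * m[3]) % n)
        t += 1
    return t


def histogram(img):
    """Count of each pixel value, independent of pixel position."""
    return Counter(value for row in img for value in row)


# Constructed 16 x 16 test image with a strong gradient (not from the chapter).
N = 16
IMAGE = [[(13 * x + 5 * y) % 256 for y in range(N)] for x in range(N)]

if __name__ == "__main__":
    u, v = 1, 1                                    # constructed key values
    scrambled = permute(IMAGE, u, v)
    print("bijection:", is_bijection(u, v, N))
    print("histogram unchanged:", histogram(scrambled) == histogram(IMAGE))
    print("origin is a fixed point:", cat_map(0, 0, u, v, N) == (0, 0))
    print("period:", period(u, v, N))
    print("restored after period:", permute(IMAGE, u, v, period(u, v, N)) == IMAGE)
```

For u = v = 1 and N = 16 the positions return to their starting points after 12 rounds, so adding rounds of confusion alone does not keep adding security.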
Such 3D maps have at least two advantages: first, the third dimension is directly used in the confusion phase computation, hence lowering the computational cost of the algorithm; and second, the 3D map is a more complex system than the equivalent 2D map: if two of the three dimensions have positive Lyapunov exponents, the system becomes hyper-chaotic.

IMAGE ENCRYPTION WITH MULTIPLE MAPS

In principle, a single map, either 2D or 3D, has a small key-space dimension; to improve security, several attempts have been made to use multiple unidimensional maps coupled together. In a new effort, Li, et al. [76] proposed using a single chaotic map, iterated $2 \times 2^n$ times, to generate two vectors of $2^n$ values. These two vectors are then used to define the initial value and the control parameter of other $2^n$ chaotic maps (called ECS(i), $i \in [1, 2^n]$). In order to increase the computational speed of the system, as well as to reduce the cost of the hardware implementation, all calculations are performed in fixed-point arithmetic with a precision of $L$ bits. However, some new problems arise, the most important being that there are only $2^L$ values available to represent any value in the chaotic orbits, and therefore the cycle length of any chaotic orbit cannot be larger than $2^L$. In other words, the dynamics is no longer chaotic, because it is trapped in closed periodic orbits. The solution for this drawback is to perturb the dynamics of the chaotic map with a small signal $\xi(i)$ produced by a pseudorandom number generator.

Once all the $2^n$ chaotic maps have been initialized, the plaintext is divided into groups of $L$ bits; for each one of these groups, the main map is iterated and the obtained value $i$ gives the label of the map to be used (from the $2^n$ possible maps). This map is then also iterated, and the value obtained is used to encrypt the group of bits with a bitwise XOR operation.
After this operation, one last encryption step is performed: the $2^n$ chaotic maps are sorted, and all indices of the sorted states and the original states are used for a substitution process (S-Box). Due to the fixed-point arithmetic, this algorithm is extremely fast; its final speed is about 1/10 of the CPU frequency, therefore a 2.0 GHz processor can encrypt up to 200 MBytes each second [76].

A set of chaotic maps was also used in Ref. [77], where a different logistic map is associated with each and every pixel; these maps are then coupled in a sequential fashion. To encode the value $x_i$ of pixel $i$, the algorithm takes the encrypted value $x_{i-1}$ of the previous pixel $i - 1$, applies the logistic map $n$ times and adds the result of the iteration to the actual pixel value; the end result is the encrypted value for pixel $i$. Clearly this algorithm has a great sensitivity to initial conditions: small changes in one pixel of the plain image propagate through all the maps, completely changing the cipher image. The weak point of this algorithm was highlighted two years later by Arroyo, et al. [78]: different maps of the lattice, i.e. different pixels of the image, are coupled pixel-by-pixel, reducing the complexity of the algorithm. Moreover, some of the parameters, like the number of iterations of the logistic map, may be obtained with a timing attack by measuring the time needed to encrypt an image of known size.

The problem related to the unidirectional coupling was overcome in Ref. [79]; instead of coupling a pixel $i$ with pixel $i - 1$, a new logistic map is used to generate a number $k_i$ for each pixel ($k \in [0, m]$, where $m$ is the total number of pixels in the image); pixel $i$ is now coupled with pixel $k_i$.
Moreover, it was shown that many operations, especially the ones concerning the logistic map, can be pre-calculated and stored in memory; and last but not least, this is the fastest chaotic algorithm ever proposed: a 2.0 GHz processor allows a speed of about 280 MBytes of information per second.

Different chaotic maps have also been applied to the two main stages of the encryption process, that is, the permutation and the substitution (P-Box and S-Box). In the following, we will review several works where the design of both boxes calls for different chaotic functions.

In this context, Zhang, et al. [80] tackled the creation of a P-Box algorithm suitable for image encryption (with a low computational cost) with chaotic maps. The aim was, as in the already described work [76], to avoid floating-point arithmetic. Their proposal was to use a discrete exponential chaotic map defined as:

$$x_{n+1} = g(x_n) = \begin{cases} a^{x_n} \pmod{257} & \text{if } x_{n+1} < 256, \\ 0 & \text{if } x_{n+1} = 256, \end{cases} \tag{26}$$

where $x \in \{0, 1, \ldots, 255\}$. The parameter $a$ is chosen so that the map $g$ generates the multiplicative group of nonzero elements of the Galois field of order 257; for any of the 128 possible values of $a$ fulfilling this condition, the associated map $g$ performs a one-to-one transformation.

A different approach was proposed by Gao, et al. [81] and subsequently adopted by other authors, like Xiao and Xia [82]. Since many cryptosystems based on the logistic map had already been cryptanalyzed, they tried to design a custom-made chaotic map that had to fulfill certain requirements. First of all, this new map has to present a chaotic behavior in the whole range of parameters; it must also have a good balance between zeros and ones, zero cross-correlations, and high nonlinearity. In other words, the output of this new map should be as similar as possible to a random binary sequence.
The recursive function that gets the job done is the following:

$$x_{n+1} = \left( 1 - \beta^{-4} \right) \operatorname{ctg} \left( \frac{\alpha}{1 + \beta} \right) \left( 1 + \frac{1}{\beta} \right)^{\beta} \operatorname{tg}(\alpha x_n) \, (1 - x_n)^{\beta}, \tag{27}$$

where $x_n \in (0, 1)$. Three distinct chaotic regions in the $(\alpha, \beta)$-parameter space can be exploited: either $\alpha \in (0, 1.4]$, $\beta \in [5, 43]$, or $\alpha \in (1.4, 1.5]$, $\beta \in [9, 38]$, or $\alpha \in (1.5, 1.57]$, $\beta \in [3, 15]$. The permutation process takes place as follows [82]. To exclude transients, the map Eq. 27 is first iterated $K$ times, and then $N \times N$ times to create an array $X = \{x_K, x_{K+1}, \ldots, x_{K+N^2}\}$ ($N$ being the image size); finally, $X$ is arranged in ascending order to form a permutation vector $Y$.

However, the function of Eq. 27 entails at least two distinct problems. First, too many calculations are needed to compute each term of the array, because of the use of powers of fractional numbers and trigonometric functions whose implementation in standard hardware is not yet optimized. Second, there is a breach of security. Álvarez and Shujun Li [83] have shown that the distribution of values in the sequence of $x_n$ is not flat, as could be expected from a pseudo-random number generator. The left-hand side of Figure 7 shows the time series obtained from 1000 iterations of the map, and the right-hand side displays the corresponding histogram. The clearly asymmetric distribution does indeed invalidate the security of any cryptosystem built upon it, because an attacker may infer some information from the values with higher probability.

Later, to achieve a more complex permutation pattern, Sun, et al. [84] devised another strategy taking advantage of the inherent structure of any 2D image. To illustrate their method, suppose we have a 2D $m \times n$ image, or data array in orthogonal Cartesian coordinates with X and Y axes.
The algorithm first creates two linear arrays $M$ and $N$ of sizes $m$ and $n$, respectively, and fills these arrays using a chaotic map; then, both columns and rows are permuted, depending on the values originally stored in $M$ and $N$, by applying a given rule. In their work, Sun, et al. use the logistic map in order to fill both arrays with unique integer numbers. As an example, suppose that the output of the logistic map is $x = \{0.1208, 0.8457, 0.1210, 0.4835, \ldots\}$; these values are multiplied by the array size ($m$ or $n$) and rounded to the next integer; e.g., with $m = 10$, the result is $x' = \{2, 9, 2, 5, \ldots\}$. Since no repeated values can be accepted, the third number is discarded, i.e. $M = \{2, 9, 5, \ldots\}$. Although the process of permuting both rows and columns does effectively improve security, the computational cost largely increases because repeated values have to be discarded; each time a value is generated, it must be compared with all previous values. This is the main shortcoming of this approach.

Figure 7. (Left) Time series of 1000 iterations of the chaotic map proposed by Gao et al. [81], at parameters α = 0.7 and β = 10. (Right) Corresponding histogram showing that the distribution of $x_n$ is not flat.

The use of a simple digital function as a chaotic map can alleviate this problem [85]. Such a function is the Gray code, named after Frank Gray [86]. It has the property that the representations of two successive values differ in one bit only. To transform a binary number into its Gray representation, it should be multiplied by the $q \times q$ matrix $Q$ defined as follows: (i) 1 in the main diagonal, (ii) 1 along the upper/minor diagonal, and (iii) 0 elsewhere, with every operation performed in mod 2. For example, the matrix $Q$ for $q = 4$ bits would be

$$Q = \begin{pmatrix} 1 & 1 & 0 & 0 \\ 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 \end{pmatrix}. \tag{28}$$

A more efficient conversion algorithm for a software or hardware implementation is given by

$$G = B \oplus (B \gg 1), \tag{29}$$

where $G$ is the resulting Gray number, $B$ is the original number (in a binary representation), $\oplus$ is the binary XOR operation, and $\gg$ represents the binary right shift.

Using this Gray code, a simple nonlinear transformation $T$ may be defined: given a binary number $x$ in a $q$-bit code, calculate its Gray representation with Eq. 29, and then read the result in a standard binary representation. The proposed $T$-transformation has several advantages, namely, it is a bijective map in the whole $2^q$ space, the output is nonlinear, especially for high values of $q$, and finally the software implementation is extremely fast, since it does not require any floating-point calculation.

The ideas of many researchers discussed in this chapter are still the cornerstone of many publications; among those published in 2009 alone, the most important Refs. [87, 88, 89, 90] should be mentioned. In spite of all the efforts, many problems of chaotic cryptography still remain, and some of these difficulties will be probed in the following section.

LIMITATIONS OF CHAOTIC CRYPTOGRAPHY

Even though in recent years there has been a tremendous boom in chaos-based cryptography research, there are still some limitations that prevent its wider application. In particular, a big drawback is its relatively slow speed. While many of the proposed chaotic algorithms (see, for instance [8, 42]) can encrypt at speeds of 10-50 Kbps (kilobits per second), standard nonchaotic algorithms have speeds three orders of magnitude higher (AES ranges from 50 to 200 Mbps using a 1 GHz Pentium® processor). Many factors can explain such poor performance. First, chaotic maps usually operate with floating-point numbers, i.e. with decimal numbers whose manipulation is never as efficient as integer or bitwise representations.
For instance, a 64-bit Intel processor uses 6 times more clock cycles to add floating-point numbers than integer values [91]. To take full advantage of a chaotic map's ergodicity, a lot of iterations are required and many values have to be discarded; for example, in his work [8] Baptista has to perform around 30000 iterations for every encoded symbol.

The use of floating-point variables not only generates a speed problem but also gives rise to other issues related to the computer representation of numbers. Clearly, the internal precision cannot be infinite, and a convention about the internal representation and the way to execute operations or roundings had to be defined. Such a convention does already exist: it is a set of rules called IEEE 754 [92]. However, while most standard computer processors, such as Intel Pentium IV or i7®, follow this set of rules, the use of some new, fast and efficient processors, like the Cell BroadBand Engine® system developed by IBM [93], that do not adhere to these rules is spreading for highly demanding computational and multimedia applications. The reason they do not obey the IEEE 754 rules is that the required way of performing round-offs is very expensive, while the introduction of some small modifications to the process (leaving the final result practically unchanged) substantially increases the computational power [94]. Nevertheless, these small differences become very important when computing chaotic maps, because of their high sensitivity to small variations in their parameters and/or initial conditions. Figure 8 shows the Mean Squared Error between two time series generated by the same logistic map Eq. 4 (the same parameter $r$ and the same initial value), but calculated with two different computers, the Pentium IV® processor and the Cell BroadBand Engine® processor.
While high sensitivity to initial conditions is indeed a great theoretical asset for cryptographic applications, in practice it is also its main weakness, since after as few as 30 iterations the series generated by two different processors have nothing in common. This means that a message encoded with one processor cannot be correctly decoded by a different processor; thus chaotic cryptography is still very limited in real-world applications.

Figure 8. Mean Squared Error between two time series generated by the same logistic map in a 32-bit representation, calculated with the Intel chip-set and the IBM processor. Note that only for series shorter than 30 values does the different rounding algorithm not affect the final result.

Even if the use of identical processors by both the sender and the receiver can be guaranteed, differences in software implementation can provoke similar problems, such as the calculation precision of the floating-point representation, i.e., the number of bits used to characterize a number; for instance, standard processors offer 32-bit (called float), 64-bit (double), and 80-bit (long double) representations. Suppose we create a series with a logistic map and that the values are rounded at some decimal digit. The important question is: how many significant digits can we trust, if the original floating-point precision is unknown? To answer this question, pairs of series have been generated with the same initial value and parameter, but using different floating-point representations (32 and 64 bits). Afterward, the values in both series of a pair have been rounded at the same decimal digit, and the number of identical values has been calculated. Table 2 shows the maximum, mean, and minimum of the number of identical values in both series, when several realizations of the process are executed.
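The experiment just described can be reproduced with this added example (not the authors' code and not the data of Table 2), which generates the same logistic series in 32-bit and 64-bit arithmetic, rounds both at a chosen decimal digit and counts the identical values. The parameter r = 3.9, the initial values and the series length are constructed, and 32-bit arithmetic is emulated by rounding every intermediate result to IEEE 754 binary32.

```python
import struct


def f32(v):
    """Round a Python float (binary64) to the nearest IEEE 754 binary32 value."""
    return struct.unpack("<f", struct.pack("<f", v))[0]


def logistic64(r, x0, n):
    """n iterations of x -> r x (1 - x) in 64-bit arithmetic."""
    xs, x = [], x0
    for _ in range(n):
        x = r * x * (1.0 - x)
        xs.append(x)
    return xs


def logistic32(r, x0, n):
    """The same series with every operation rounded to 32 bits.

    Each product and difference is computed in binary64 and rounded once to
    binary32, which matches what a correctly rounding binary32 unit returns
    for +, - and *.
    """
    r, x = f32(r), f32(x0)
    xs = []
    for _ in range(n):
        x = f32(f32(r * x) * f32(1.0 - x))
        xs.append(x)
    return xs


def first_divergence(r, x0, n, tol=0.1):
    """Index of the first iteration where the two series differ by more than tol."""
    for i, (a, b) in enumerate(zip(logistic64(r, x0, n), logistic32(r, x0, n))):
        if abs(a - b) > tol:
            return i
    return None


def identical_values(r, x0, n, digits):
    """Number of positions where both series agree after rounding at `digits`."""
    pairs = zip(logistic64(r, x0, n), logistic32(r, x0, n))
    return sum(1 for a, b in pairs if round(a, digits) == round(b, digits))


def summary(r, initial_values, n, digits):
    """(minimum, mean, maximum) of identical_values over several realizations."""
    counts = [identical_values(r, x0, n, digits) for x0 in initial_values]
    return min(counts), sum(counts) / len(counts), max(counts)


# Constructed realizations: same r, different initial values.
R = 3.9
INITIAL_VALUES = [0.11, 0.23, 0.30, 0.47, 0.61, 0.79]

if __name__ == "__main__":
    print("first divergence > 0.1 at iteration", first_divergence(R, 0.3, 200))
    for digits in (1, 2, 4, 6):
        print(digits, "decimal digits:", summary(R, INITIAL_VALUES, 200, digits))
```

Matches counted after the divergence point are coincidences of the rounded values, not agreement between the two implementations, which is why the minimum over realizations is the figure that matters for decryption.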
Due to the internal rounding, we may get different output values as early as the first iteration; therefore, when implementing a chaotic cryptosystem, a general requirement is to use identical calculation engines. A similar result is obtained for the IBM Cell Broadband Engine microprocessor (see Table 3) because of the difference in their rounding algorithms; the mean number of identical values is one order of magnitude higher when a high precision is required. Nevertheless, the minimum number is still too low for any cryptographic purpose.

KEY-SPACE DETERMINATION

The fundamental tenet of any cryptographic algorithm lies in its secret key(s). As previously underlined, according to Kerckhoffs' principle [44], the security of an algorithm must depend only on the key, never on its own secrecy. Therefore, it is of the utmost importance to decide which keys are suitable and secure, and the number of keys available for a user.

In standard cryptosystems, all values in a given interval are suitable as secret keys; for instance, in the 128-bit AES standard, any integer number of 128 bits can be used, i.e. within the range $[0, 2^{128} - 1]$. In contrast, when choosing the secret key to modify the behavior of a chaotic map, the designer of the algorithm has to take into account the existence of periodic windows in chaotic regions and make sure that no parameter value in the key set will result in a predictable behavior of the system. If the reader goes back to the bifurcation diagram of the logistic map in Figure 2, he/she may recognize the ranges where only a few points are painted in black for some values of the parameter $r$. Although these windows have been known analytically for many years, it is very important, in the context of the encryption process, to locate them: because of the limited precision of the numbers used in calculations, they will depend strongly on the standard used for handling floating-point representations.
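One way to locate such parameter values numerically is shown in this added example, which is not the authors' procedure. It iterates the logistic map with every value rounded at a fixed decimal digit and reports the parameters r whose orbit closes on itself within a short period; the transient length, the period threshold of 100, the rounding digit and the scan step are assumptions chosen for the demonstration.

```python
def orbit_period(r, x0=0.3, digits=8, transient=3000, max_period=100):
    """Period of the rounded logistic orbit, or None if longer than max_period.

    Every iterate is rounded at `digits` decimal digits, so the state space is
    finite and an exact equality test is enough to detect a closed orbit.
    """
    x = x0
    for _ in range(transient):                    # let the orbit settle
        x = round(r * x * (1.0 - x), digits)
    start = x
    for p in range(1, max_period + 1):
        x = round(r * x * (1.0 - x), digits)
        if x == start:
            return p
    return None


def scan(r_lo=3.57, r_hi=4.0, steps=431, **kwargs):
    """List of (r, period) for every scanned r that shows a short period."""
    found = []
    for i in range(steps):
        r = round(r_lo + (r_hi - r_lo) * i / (steps - 1), 6)
        p = orbit_period(r, **kwargs)
        if p is not None:
            found.append((r, p))
    return found


def usable_fraction(r_lo=3.57, r_hi=4.0, steps=431, **kwargs):
    """Fraction of the scanned parameter values that show no short period."""
    return 1.0 - len(scan(r_lo, r_hi, steps, **kwargs)) / steps


if __name__ == "__main__":
    for digits in (4, 6, 8):
        periodic = scan(digits=digits)
        print(digits, "digits:", len(periodic), "of 431 values of r are periodic")
    print("period at r = 3.83:", orbit_period(3.83))
```

Running the scan with fewer digits shows more parameter values falling into short cycles, which is the precision dependence the paragraph above warns about.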
Table 4 shows the number of periodic windows for the logistic map when $r$ is between 3.57 and 4, for 32- and 64-bit number representations, and with values $x_n$ rounded at different decimal digits. Moreover, the results are shown for different lengths of the periodic windows; depending on the application at hand, a little periodicity may be tolerated, e.g. when the logistic map is used to generate a small set of parameters. It is interesting to note how the number of periodic windows grows when a 32-bit representation is used, due to its low resolution.

When implementing a chaotic map in an encryption scheme, it is essential to know exactly its key-space dimension, because the resistance of the algorithm against brute-force attacks depends only on it. Furthermore, we insist that not all parameter values are of use, due to the presence of periodic windows. In Table 5 the key space is measured in bits, according to Shannon's seminal formula for information content assessment [95, 96]:

$$D_{ks} = \log_2 (N_v - 1.5 N_{pw}), \tag{30}$$

where $N_v$ is the number of values the parameter can assume, and $N_{pw}$ is the number of periodic windows according to Table 4. The number of periodic windows is multiplied by a security factor of 1.5, in order to exclude parameters that may lead to time series with periodic windows of length greater than 100; therefore, key-space dimensions calculated this way are to be considered as a conservative lower bound of the real value. Note that when the periodic windows are excluded, the original 64-bit space dimension is reduced to a 25-bit key, which is too small to ensure any security. So, each algorithm has to specify a sub-algorithm to help the user build a larger secret key more suitable for encryption.

CONCLUSIONS AND FUTURE TRENDS

In this chapter a broad selection of cryptographic algorithms based on chaotic maps was presented; their latest successes as well as their many drawbacks were analyzed, and perspectives were outlined.
In spite of some limitations, this new branch of cryptography is indeed growing very fast. New secure and fast chaotic algorithms are being created endlessly. Even though it is impossible to predict beforehand how well these systems will stand up to a real attack, because no matter the algorithm used there will always be an experienced attacker attempting to break it, we consider that chaotic cryptography will be the solution for more complex applications as soon as computer technology catches up.

Chaos-based cryptography has several advantages over the traditional one. (i) It provides a great assortment of chaotic functions and parameters to be used, thus diversifying the ways the message can be encoded and increasing the key size as well. In contrast, traditional cryptosystems employ algorithms where diffusion and confusion are linear functions of the number of iterations and key lengths. (ii) As stated in many papers, chaotic mapping functions are random-like without losing their deterministic properties, so that a well-designed encryption algorithm prevents any statistical analysis from revealing the spectral characteristics of an encrypted signal. (iii) Last but not least, chaos cryptography can be directly implemented in hardware without having to resort to digital-to-analogue conversion, as traditionally done. Since any form of conversion implies a loss of precision and slows down the encryption process, building a continuous chaotic function (e.g., Chua, Lorenz, Rössler) or a discrete iterative map into a hardware circuit increases its efficiency. This process is not limited by current computer technology and allows working at full speed on a continuous analogue signal without major difficulties.
Summarizing, the principal advantages of chaos encryption are resistance to known typical attacks, diversity of possible algorithms, impossibility of frequency spectrum analysis, and suitability for implementation in analog systems.

When designing any cryptosystem, one seeks both security and speed. Future trends in cryptography have to be directed to the search for new ways to fulfill the requirements of a growing communication technology while guaranteeing both. We believe that faster and more powerful computers capable of encrypting a huge amount of data in real time will prove to be an asset for chaotic cryptography. To enhance security, new encryption algorithms will probably use families of chaotic multimodal maps, combine discrete and continuous chaotic systems, implement complex dynamical networks as secret keys, and utilize chaos synchronization. A high performance of new cryptosystems will most likely be achieved by bringing together traditional and chaotic cryptographic approaches, as well as applying some elements of quantum cryptography to send secret keys. Although quantum cryptography is the most secure, it is very slow, so that it will have to be used in combination with fast chaotic algorithms to make it practical.

We acknowledge CONACYT (Mexico) for the financial support through the project No. 100429.

References

[1] Schneier, B., Applied Cryptography - Protocols, Algorithms, and Source Code in C, second ed., John Wiley & Sons, Inc., New York, 1996.
[2] Daemen, J.; Sand, B.; Rijmen, V. The Design of Rijndael: AES - The Advanced Encryption Standard, Springer-Verlag, Berlin, 2002.
[3] Shannon, C. E. Bell. Syst. Tech. J. 1949, 28, 656–715.
[4] Matthews, R. Cryptologia 1989, XIII, 29–42.
[5] Pecora, L. M.; Carroll, T. L. Physical Review Letters, 1990, 64, 821–824.
[6] Kocarev, L.; Halle, K. S.; Eckert, K.; Chua, L. O.; Parlitz, U. Int. J. Bifurcation and Chaos 1992, 2, 709–713.
[7] Habutsu, T.; Nishio, Y.; Sasase, I.; Mori, S., Advances in Cryptology - EuroCrypt’91, Lecture Notes in Computer Science 0547, pp. 127–140, Springer-Verlag, Berlin, 1991.
[8] Baptista, M. S. Phys. Lett. A 1998, 240, 50–54.
[9] Fridrich, J. Int. J. Bifurcation and Chaos 1998, 8, 1259–1284.
[10] Álvarez, E.; Fernández, A.; García, P.; Jiménez, J.; Marcano, A. Physics Letters A 1999, 263, 373–375.
[11] Ashwin, P. Nature 2003, 422, 384–385.
[12] Argyris, A.; Syvridis, D.; Larger, L.; Annovazzi-Lodi, V.; Colet, P.; Fischer, I.; García-Ojalvo, J.; Mirasso, C. R.; Pesquera, L.; Shore, K. A. Nature, 2005, 438, 343–346.
[13] Tang, S.; Chen, H.-F.; Liu, J.-M., Digital Communications Using Chaos and Nonlinear Dynamics, Series: Institute for Nonlinear Science, L. E. Larson, J.-M. Liu, and L. S. Tsimring, Eds. New York: Springer, 2006, 341–378.
[14] Shore, K. A.; Spencer, P. S.; Pierce, I., Recent Advances in Laser Dynamics: Control and Synchronization, A. N. Pisarchik, Ed. Kerala: Research Signpost, 2008, 79–104.
[15] Pisarchik, A. N.; Ruiz-Oliveras, F. R. IEEE J. Quant. Electron. 2010, 46, 279–284.
[16] Wheeler, D. D. Cryptologia 1989, XIII, 243–250.
[17] Wheeler, D. D.; Matthews, R. Cryptologia 1991, XV, 140–151.
[18] Biham, E., Advances in Cryptology - EuroCrypt’91, Lecture Notes in Computer Science 0547, 532–534, Springer-Verlag, Berlin, 1991.
[19] Zhou, H.; Ling, X.-T. IEEE Trans. Circuits and Systems I 1997, 44, 268–271.
[20] Alvarez, G.; Montoya, F.; Romera, M.; Pastor, G. Physics Letters A 2000, 276, 191–196.
[21] Hayes, S.; Grebogi, C.; Ott, E.; Mark, A. Phys. Rev. Lett. 1994, 73, 1781–1784.
[22] Short, K. M. Int. J. Bifurcation and Chaos 1997, 7, 1579–1597.
[23] Ogorzatek, M. J.; Dedieu, H. Proc. IEEE Int. Symposium Circuits and Systems 1998, 4, 522–525.
[24] Ekert, A. K. Phys. Rev. Lett. 1991, 67, 661–663.
[25] Lian, S. G.; Sun, J.; Wang, Z. Physica A 2005, 351, 645–661.
[26] Pareek, N. K.; Patidar, V.; Sud, K. K. Phys. Lett. A 2003, 309, 75–82.
[27] Huang, F.; Guan, Z. H. Chaos Solitons Fractals, 2005, 23, 851–855.
[28] Wei, J.; Liao, X.; Wong, K. W.; Xiang, T. Chaos Solitons Fractals, 2006, 30, 143–152.
[29] Kocarev, L.; Parlitz, U. Phys. Rev. Lett. 1995, 74, 5028.
[30] Parlitz, U.; Kocarev, L.; Stojanovski, T.; Preckel, H. Phys. Rev. E 1996, 53, 4351.
[31] Kocarev, L.; Parlitz, U.; Stojanovski, T. Phys. Lett. A 1996, 217, 280.
[32] Scharinger, J. J. Electronic Eng 1998, 7, 318–325.
[33] Klein, E.; Mislovaty, R.; Kanter, I.; Kinzel, W. Phys. Rev. E 2005, 72, 016214.
[34] Chien, T.-I.; Liao, T.-L. Chaos, Solitons and Fractals 2005, 24, 241–255.
[35] Guan, Z. H.; Huang, F. J.; Guan, W. J. Phys. Lett. A 2005, 346, 153–157.
[36] Gao, T.; Chen, Z. Chaos, Solitons & Fractals 2007, 38, 213–220.
[37] Gao, T.; Chen, Z. Physics Letters A 2008, 372, 394–400.
[38] Xiao, D.; Liao, X.; Wei, P. Chaos, Solitons and Fractals 2009, 40, 2191–2199.
[39] Kelber, K.; Schwarz, W. NOLTA 2005, Bruges.
[40] Verhulst, P.-F. Nouv. mém. de l’Academie Royale des Sci. et Belles-Lettres de Bruxelles 1845, 18, 1–41.
[41] Verhulst, P.-F. Mém. de l’Academie Royale des Sci. des Lettres et des Beaux-Arts de Belgique 1847, 20, 1–32.
[42] Wong, W.-K., Lee, L.-P., Wong, K.-W. Computer physics communications 2001, 138, 234–236.
[43] Jakimoski, G., Kocarev, L. Phys. Lett. A 2001, 291, 381–384.
[44] Kerckhoffs, A. Journal des sciences militaires 1883, IX, 161–191.
[45] Wong, K.-W. Phys. Lett. A 2002, 298, 238–242.
[46] Palacios, A., Juarez, H. Phys. Lett. A 2002, 303, 345–351.
[47] Wong, K.-W. Phys. Lett. A 2003, 307, 292–298.
[48] Wong, K.-W., Ho, S. W., Yung, C. K. Phys. Lett. A 2003, 310, 67–73.
[49] Alvarez, G., Montoya, F., Romera, M., Pastor, G. Phys. Lett. A 2004, 326, 211–218.
[50] Bianco, M. E., Reed, D. A., Encryption System Based on Chaos theory, US Patent No. 5048086, Sept. 10.A, 1991.
[51] Bianco, M. E., Mayhew, G. L., High Speed Encryption System and Method, US Patent No. 5365588, Nov. 15, 1994.
[52] Phatak, S. C., Rao, S. S. Phys. Rev. E 1995, 51.
[53] Lee, P. H., Pei, S.-C., Chen, Y.-Y. Chinese Journal of Physics 2003, 41.
[54] Li, P., Li, Z., Halang, W. A., Chen, G. A. Chaos, Solitons & Fractals 2007, 32, 1867–1876.
[55] Rhouma, R., Belghith, S. Chaos, Solitons & Fractals 2009, 41, 171–1722.
[56] Alvarez, G., Montoya, F., Romera, M., Pastor G. Phys. Lett. A 2003, 319, 334–339.
[57] Pareek, N. K., Patidar, V., Sud, K. K. Communications in Nonlinear Science and Numerical Simulation 2005, 10, 715–723.
[58] Wei, J., Liao, X., Wong, K.-W., Zhou, T. Communications in Nonlinear Science and Numerical Simulation 2007, 12, 814–822.
[59] Li, C., Li, S., Álvarez, G., Chen, G., Lo, K. T. Chaos, Solitons & Fractals 2008, 37, 299–307.
[60] Kanter, I., Kinzel, W., Kanter, E. Europhys. Lett. 2002, 57.
[61] Mislovaty, R., Klein, E., Kanter, I., Kinzel, W. Phys. Rev. Lett. 2003, 91.
[62] Shacham, L. N., Klein, E., Mislovaty, R., Kanter, I., Kinzel, W. Phys. Rev. E. 2004, 69.
[63] Kocarev, L., Sterjev, M., Fekete, A., Vattay, G. Chaos 2004, 14.
[64] Bergamo, P., Arco, P., De Santis, A. IEEE Transactions on Circuits and Systems 2005, 52, 1382–1393.
[65] Wang, X., Gong, X., Zhan, M., Lai, C. H. Chaos 2005, 15.
[66] Merkle, R. C. Commun. ACM 1978, 21.
[67] Fridrich, J. IEEE International Conference on Systems, Man, and Cybernetics, 1997.
[68] Pichler, F.; Scharinger, J. In: Contributions to General Algebra, Proc. of the Linz Conference, June 2-5, 1994.
[69] Pichler, F.; Scharinger, J. Proceedings of the 20th workshop of the Austrian Association for Pattern Recognition (OAGM/AAPR) on Pattern recognition 1996.
[70] Salleh, M.; Ibrahim, S.; Isnin, I. F. Jurnal Teknologi 2003, 39, 1–12.
[71] Wong, K.-W.; Kwok, B. S.-H.; Law, W.-S. Phys. Lett. A 2008, 372, 2645–652.
[72] Mao, Y.; Chen, G.; Lian, S. Intern Journal of Bifurcation and Chaos 2004, 14, 3613–3624.
[73] Chen, G.; Mao, Y.; Chui, C. K. Chaos, Solitons and Fractals 2004, 21, 749–761.
[74] Wang, K.; Pei, W. J. Phys. Lett. A 2005, 343, 432–439.
[75] Pareek, N. K., Patidar, V., Sud, K. K. Image and Vision Computing 2006, 24, 926–934.
[76] Li, S.; Zheng, X.; Mou, X.; Cai, Y. Proc. SPIE 2002, 4666, 149–160.
[77] Pisarchik, A. N.; Flores-Carmona, N. J.; Carpio-Valadez, M. Chaos 2006, 16, 033118.
[78] Arroyo, D.; Rhouma, R.; Alvarez, G.; Li, S.; Fernandez, V. Chaos 2008, 18, 033112.
[79] Pisarchik, A. N.; Zanin, M. Physica D 2008, 237, 2638–2648.
[80] Zhang, L.; Liao, X.; Wang, X. Chaos, Solitons and Fractals 2005, 24, 759–765.
[81] Gao, H.; Zhang, Y.; Liang, S.; Li, D. Chaos, Solitons and Fractals 2009, 29, 393–399.
[82] Xiao, Y-L.; Xia, L-M. Chaos, Commun. Theor. Phys. 2009, 52, 876–880.
[83] Alvarez, G.; Li, S. Communications in Nonlinear Science and Numerical Simulation 2009, 14, 3743–3749.
[84] Sun, F.; Liu, S.; Li, Z.; Lü, Z. Chaos Solitons Fractals, 2008, 38, 631–640.
[85] Zanin, M.; Pisarchik, A. N. Information Sciences, in press, 2010.
[86] Savage, C. SIAM Review, 1997, 39, 605–629.
[87] Patidar, V.; Pareek, N.K.; Sud, K. K. Communications in Nonlinear Science and Numerical Simulation 2009, 14, 3056–3075.
[88] Huang, C. K.; Nien, H. H. Optics Communications 2009, 282, 2123–2127.
[89] Mazloom, S.; Eftekhari-Moghadam, A. M. Chaos, Solitons & Fractals 2009, 42, 1745–1754.
[90] Lian, S. Chaos, Solitons & Fractals 2009, 42, 2509–2519.
[91] Intel Corporation, Intel® 64 and IA-32 Architectures Optimization Reference Manual, 2009.
[92] ANSI/IEEE Std 754-1985, “IEEE Standard for Binary Floating-Point Arithmetic”, Standards Committee of the IEEE Computer Society, 1985.
[93] IBM, “Cell Broadband Engine: Programming Handbook”, Version 1.1, (2007).
[94] IBM, “SIMD Math Library Specification for Cell Broadband Engine Architecture”, Version 1.1, (2007).
[95] Shannon, C. E. The Bell System Technical Journal 1981, 27, 379–423.
[96] Cover, T. M.; Thomas, J. A. “Elements of Information Theory”, 2006, Wiley Interscience.
[97] Tsueike, M.; Ueta, T.; Nishio, Y., “An application of two-dimensional chaos cryptosystem”, Technical Report of IEICE, NLP96-19, May 1996.
[98] Tong, X.; Cui, M. Signal Processing 2009, 89, 480–491.
[99] Tsekeridou, S.; Solachidis, V.; Nikolaidis, N.; Nikolaidis, A.; Tefas, A.; Pitas, I., Proceedings of IEEE international conference on acoustics, speech and signal processing, 2001, 1989–1992.
[100] Nikolaidis, A.; Pitas, I., Proceedings of IEEE international symposium on circuits and systems, Geneva, 2002, 509–512.
[101] Tefas, A.; Nikolaidis, A.; Nikolaidis, N.; Solachidis, V.; Tsekeridou, S.; Pitas, I., Proceedings of chaos, solitons and fractals, vol. 17, 2003, 567–73.
[102] Escribano, F. J.; López, L.; Sanjuán, M. A. F. Chaos 2006, 16, 013103.
[103] Hongjuna, L.; Xingyuan, W. Computers and Mathematics with Applications 2010, 59, 3320–3327.
[104] Khan, M. K.; Xie, L.; Zhang, J. Digital Signal Processing 2010, 20, 179–190.
[105] Chee, C. Y.; Xu, D. Physics Letters A 2006, 348, 284–292.
[106] Singh, N.; Sinha, A. Optics & Laser Technology 2010, 42, 724–731.
[107] Zhou, J.; Pei, W.; Wang, K.; Huang, J.; He, Z. Physics Letters A 2006, 358, 283–288.
[108] Matthews, R. Cryptologia 2984, VIII, 29–41.
[109] Masuda, N.; Aihara, K. IEEE Trans. Circ. Syst-I 2002, 49, 28–40.
[110] Sang, T.; Wang, R.; Yan, Y. Acta Eletronica Sinica 1999, 27, 47–50.
[111] Behnia, S.; Akhshani, A.; Ahadpour, S.; Mahmodi, H.; Akhavan, A. Phys. Lett. A 2007, 366, 391–396.
[112] Akhavan, A.; Mahmodi, H.; Akhshani, A. Lect. Notes Comput. Sci. 2006, 4263, 963–971.
[113] Kwok, H. S.; Tang, W. K. S. Chaos, Solitons and Fractals 2007, 32, 1518–1529.
[114] Wong, K.-W.; Kwok, B. S.-H.; Law, W.-S. Physics Letters A 2008, 372, 2645–2652.
[115] Behnia, S.; Akhshani, A.; Mahmodi, H. Int. J. of Bifurcation and Chaos 2008, 18, 251–261.
Map name                Space dimension
Arnold cat              2
Baker                   2
Bernoulli shift         1
Bit shift               1
Bogdanov                2
Circle                  1
Complex squaring        1
Chebyshev               1
Chossat-Golubitsky      2
Cubic                   1
Curry-Yorke             2
Double rotor            2
Duffing                 2
Dyadic transform        1
Exponential             1 and 2
Gauss                   1
Gingerbreadman          2
Gumowski-Mira           2
Hénon                   2
Hitzl-Zele              3
Horseshoe               1
Ikeda                   2
Infinite Collapses      1
Interval exchange       1
Kaplan-Yorke            2
Lissajous               2
Logarithm               1
Logistic                1
Lozi                    2
Markov                  1
Tangent logistic        1
Nordmark                2
Piecewise linear        1
Piecewise nonlinear     1
Polynomial              1
Pomeau-Manneville       1 and 2
Rulkov                  2
Sawtooth                1
Shobu-Ose-Mori          1
Sinai                   2
Sine                    1
Skew tent               1
Standard                2
Tangent                 1
Tent                    1
Tinkerbell              2
Torus automorphism      2
Trigonometric           1
“V”                     1
Zaslavskii              2

Cryptosystem (column entries, in the order listed): [9, 35, 73, 74]; [9, 69, 72, 97, 98]; [99, 100, 101, 102]; [63, 103, 104]; [46, 57]; [105]; [106]; [104]; [106]; [107]; [8, 57, 63, 77, 79, 108]; [99, 100, 101]; [81]; [19, 27, 65, 80, 109]; [110, 111]; [111, 112]; [57]; [104, 109, 113]; [9, 25, 87, 114]; [7, 57, 106]; [63]; [115]

Table 1. List of most popular chaotic maps.

Number of decimal digits    Mean      Max    Min
1                           37.801    844    7
2                           14.434    984    1
3                           4.436     935    1
4                           2.235     902    1
5                           1.124     234    1

Table 2. Mean, maximum, and minimum numbers of equal values obtained with two logistic maps; every map has the same initial value and the same parameter a, the only difference is the floating-point precision, 32 and 64 bits. The series have been calculated with the Intel processor.

Number of decimal digits    Mean      Max    Min
1                           37.456    801    7
2                           32.527    984    7
3                           26.834    990    2
4                           21.460    885    2
5                           13.549    267    2

Table 3. Mean, maximum, and minimum numbers of equal values obtained with two logistic maps using 32 and 64 bits precision with the IBM Cell Broadband Engine.
Precision    Number of digits    Number of parameters    L = 10     L = 30     L = 100
32           5                   43000                   2434       4161       5283
32           6                   430000                  24518      41472      52768
32           7                   4300000                 245882     414972     526967
32           8                   43000000                2459030    4149830    5270743
64           5                   43000                   2296       3453       3600
64           6                   430000                  23047      34459      36056
64           7                   4300000                 230173     344561     360495
64           8                   43000000                2301677    3446857    3605303

Table 4. Number of periodic windows for an Intel™ processor, following IEEE standard, in float (32 bits) and double (64 bits) representation.

Number of digits    Key-space (bits, Intel)    Key-space (bits, CBE)
5                   15.198                     15.198
6                   18.520                     18.520
7                   21.842                     21.841
8                   25.164                     25.163

Table 5. Key-space dimension for a 64 bits representation, excluding the periodic windows of length L ≤ 100 multiplied by a security factor of 1.5.
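
The Intel column of Table 5 can be recomputed from the 64-bit, L = 100 column of Table 4 with Eq. (30). The Python sketch below is an added example, not code from the chapter: it reproduces those values and shows one possible way to flag parameters whose rounded logistic orbit falls on a short cycle. The function names, the starting point x0 = 0.5, the transient length, and counting individual parameter values rather than windows are assumptions.

```python
import math

# Table 4, 64-bit, L = 100 column (copied from the page): digits -> (N_v, N_pw)
TABLE4_64BIT_L100 = {
    5: (43000, 3600),
    6: (430000, 36056),
    7: (4300000, 360495),
    8: (43000000, 3605303),
}

def key_space_bits(n_values, n_windows, safety=1.5):
    """Eq. (30): D_ks = log2(N_v - 1.5 * N_pw)."""
    usable = n_values - safety * n_windows
    if usable <= 0:
        raise ValueError("periodic windows exhaust the parameter set")
    return math.log2(usable)

def rounded_cycle_length(r, digits, x0=0.5, transient=2000, max_len=100):
    """Period (<= max_len) of the logistic orbit x -> r*x*(1-x) when every
    x_n is rounded to `digits` decimals; None if no short cycle is reached.
    Assumptions: x0 = 0.5 (the critical point, whose orbit is attracted to a
    stable cycle whenever one exists) and a fixed transient of 2000 steps."""
    scale = 10 ** digits
    n = round(x0 * scale)            # state kept as an integer lattice index

    def step(n):
        x = n / scale
        return round(r * x * (1.0 - x) * scale)

    for _ in range(transient):
        n = step(n)
    start = n
    for k in range(1, max_len + 1):
        n = step(n)
        if n == start:
            return k                 # first return to `start` is the cycle length
    return None

def count_weak_parameters(digits, r_lo=3.57, r_hi=4.0, max_len=100):
    """Count grid values r = k / 10**digits in [r_lo, r_hi) whose rounded
    orbit lands on a cycle of length <= max_len (keys to exclude)."""
    scale = 10 ** digits
    lo, hi = round(r_lo * scale), round(r_hi * scale)
    return sum(
        rounded_cycle_length(k / scale, digits, max_len=max_len) is not None
        for k in range(lo, hi)
    )

if __name__ == "__main__":
    for d, (nv, npw) in TABLE4_64BIT_L100.items():
        print(d, round(key_space_bits(nv, npw), 3))    # Table 5, Intel column
    print(rounded_cycle_length(3.83, 8))               # r inside the period-3 window
    print(count_weak_parameters(3), "of 430 values")   # coarse 3-digit demo grid
```

A full scan at 7 or 8 digits iterates millions of parameters and is slow in pure Python; the demo call uses a 3-digit grid for that reason.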