In: Encryption: Methods, Software and Security
Editor: Editor Name, pp. 1-28
ISBN 0000000000
c 2010 Nova Science Publishers, Inc.
°
Chapter 1
C HAOTIC MAP CRYPTOGRAPHY AND SECURITY
Alexander N. Pisarchik∗
Centro de Investigaciones en Optica, Loma del Bosque 115, Lomas del
Campestre, 37150 Leon, Guanajuato, Mexico
Massimiliano Zanin
Universidad Autónoma de Madrid, 28049 Madrid, Spain
PACS 05.45.Gg, 89.20.Ff, 05.45.Vx
Keywords: Cryptography, iterative maps, chaos
∗
E-mail address: apisarch@cio.mx
2
A. N. Pisarchik and M. Zanin
ABSTRACT
In the last decade, chaos has emerged as a new promising candidate for cryptography because many chaos fundamental characteristics such as a broadband spectrum, ergodicity,
and high sensitivity to initial conditions are directly connected with two basic properties of
good ciphers: confusion and diffusion. In this chapter we recount some of the saga undergone by this field; we review the main achievements in the field of chaotic cryptography,
starting with the definition of chaotic systems and their properties and the difficulties it
has to outwit. According to their intrinsic dynamics, chaotic cryptosystems are classified
depending on whether the system is discrete or continuous. Due to their simplicity and
rapidity the discrete chaotic systems based on iterative maps have received a lot of attention. In spite of the significant achievements accomplished in this field, there are still many
problems, basically speed, that restrict the application of existing encoding/decoding algorithms to real systems. The major advantages and drawbacks of the most popular chaotic
map ciphers in terms of security and computational cost are analyzed. The most significant
cryptanalytic techniques are considered and applied for testing the security of some chaotic
algorithms. Finally, future trends in the development of this topic are discussed.
INTRODUCTION
In recent years, the transmission of a large amount of data over communication media, such
as computer networks, mobile phones, TV cable, etc. was highly developed, making it a
security problem in storage and transmission of confidential information and therefore research in this area is growing in importance to give the required solutions for pay TV, video
conferences, medical and military databases, etc. Most conventional secure ciphers, such
as Data Encryption Standard (DES), International Data Encryption Algorithm (IDEA), Advanced Encryption Standard (AES), linear feedback shift register (LFSR), etc. [1, 2] consider plaintext as either block cipher or data stream and are not suitable for fast encryption
of a large data volume (for example, color images and video) in real time. Their implementation, when they are realized by software, of traditional algorithms for image encryption is
even more complicated because of high correlation between image pixels. Therefore, there
is still a lot of work to be done for the development of nontraditional encryption methods.
Many researchers have pointed out the existence of a strong relationship between chaos
and cryptography. Actually, in real systems, chaos and noise are two natural irregular behaviors, therefore the utilization of these motions in cryptography is also natural. The
greatest advantage of a chaotic system over a noisy one is that the chaotic system is deterministic, so that the exact knowledge of initial conditions and system parameters enables
one to recover a message. This property of chaos significantly facilitates the decryption
process. The idea of chaotic cryptography can be traced back to Shanon [3] yet in 1949.
Although he did not explicitly use the word “chaos”, he did mention that well-mixing transformations in a good secrecy system can be constructed on the base of the stretch-and-fold
mechanism, which is really a chaotic motion. The two basic properties of a good cipher,
confusion and diffusion, are strongly related to the fundamental characteristics of chaos,
such as a broadband spectrum, ergodicity (almost all points of a chaotic attractor are eventually visited in infinitely long time), and high sensitivity to initial conditions, so that any
Chaotic map cryptography and security
3
good cryptosystem has to present properties of chaos or pseudo-randomness. In Shannon’s
original definitions [3], diffusion was associated with the dependence of the output on input
bits, i.e. it referred to the property that redundancy in the statistics of plaintext is dissipated
in the statistics of ciphertext, whereas confusion was guaranteed by making the relationship between the key and the ciphertext as complex and involved as possible, i.e. the data
sequence has to be permuted.
In the first scientific paper on chaotic cryptography that appeared in 1989, Matthews
[4] came up with the idea of a stream cipher based on one-dimensional chaotic map. One
year later, Pecora and Caroll [5] published the pioneer work on synchronization of chaotic
systems, a great tool for secure communications [6]. Afterwards, chaotic cryptography
has taken two distinct paths with almost no interaction between them: digital chaotic ciphers [7, 8, 9, 10] and chaos synchronization [11, 12, 13, 14, 15]. The principal difference
between these two approaches is that in the former case a cryptosystem requires a predetermined secret key(s), while the key in the latter is the system itself. Still, the main advantage
of chaotic synchronization schemes is its easy analog implementation for secure communication. Traditionally, encryption is based on discrete number theory, so that data has to
be digitized before any encryption process can take place. In order to encrypt a continuous
voice or a video in the old fashion way, digitalization and encryption can pose a heavy computational burden. Using chaotic communication enables to encrypt the message waveform
without a need to digitalize it. Furthermore, chaotic encryption can be implemented using
fast analog components (electric/optical).
A very important feature of any encryption scheme is its security. The traditional approach based on integer number theory has proven to be reliable, while the security of
chaotic encryption still poses some problems. The incorporation of chaotic dynamics in
cryptology, the science that puts together cryptography and cryptanalysis, is a relatively
new approach initiated only last decade. Different cryptanalytic techniques have been developed to estimate the security of proposed chaotic ciphers [16, 17, 18, 19, 20] and of most
chaotic synchronization schemes [21, 22, 23], many of which have already been broken.
Until now, the security of chaotic communication has often relied on a mixture of analytic
methods and intuition. However, we may positively state that no cryptosystem, with the
exception maybe of quantum systems [24], is forever secure; better ways to cryptanalyze
are always popping up. At present quantum cryptography is still unacceptable for modern
secure communication, because of serious drawbacks: first, it is too slow and second, it can
only be used over point-to-point connections and not through networks where data has to
be routed.
The goal of any cryptosystem is to convert plaintext to ciphertext with the use of a
secure algorithm. Generally, in any cryptosystem, the confusion and diffusion processes
are repeated several times, as schematically shown in Fig. 1, and described mathematically
as [25]
R = Dα (C β (P, KC ), KD ),
(1)
where P and R are respectively plaintext and ciphertext, C and D are the confusion and
diffusion functions, KC and KD are the confusion and diffusion keys, and α and β are
numbers of rounds for total encryption and for confusion, respectively. Equation (1) determines the cryptosystem’s security; the more sensitive the functions C and D are to their
4
A. N. Pisarchik and M. Zanin
α times
β times
Plaintext
Confusion
Diffusion
Confusion key
Diffusion key
Ciphertext
Cryptosystem
Figure 1. General scheme of a cryptosystem.
keys KC and KD and the larger the key space, the higher the security. The cryptosystem’s
key space in Fig. 1 is defined as
S = (SCβ SD )α ,
(2)
where SD and SC are key spaces of the confusion and diffusion keys, that are determined by
the key spaces for initial conditions and parameters in the confusion and diffusion processes.
As seen from Eq. (2), the higher the powers α and β, the bigger the key space and hence
the higher the security. However, the encryption+decryption time (EDT) also increases as
α and β are increased. Therefore, when designing new cryptosystems, cryptographs should
always balance security and speed.
A good chaotic cryptosystem should also comply with the two requirements mentioned
by Shannon [3]: diffusion and confusion, both processes should be based on chaotic systems whose high sensitivity to initial conditions and parameters make the cryptosystem
extremely secure and robust against cryptographic attacks. Although chaos is a irregular
motion, it is a deterministic phenomenon, and therefore the plaintext can be completely
recovered if the secret keys are exactly known. Moreover, EDT should be very short enabling the real-time application, this entails that the length of ciphertext must be the same
as the length of plaintext. In spite of the significant achievements already accomplished,
there are still too many problems to be solved in the field of chaotic cryptography, further
investigation is needed to develop new efficient algorithms for real applications.
Among various chaotic cryptosystems we can distinguish the ciphers based of discrete
systems (iterative maps) [8, 26, 27, 28], continuous systems (modeled by differential equations) [29, 30, 31, 32, 33, 34], and combined algorithms which use jointly discrete and
continuous systems [35, 36, 37, 38]. In this chapter we restrict our review to the first class
of chaotic cryptosystems, i.e. to the ciphers based on iterative maps. Even if they do not display generic behavior from a physical point of view, these systems are intrinsically interesting: they confirm the main assertion that dynamical instability is the root of irreversibility.
Furthermore, chaotic cryptography based on iterative maps is simple and fast.
An iterative map is specified by a dynamical law that determines how an initial point x0
evolves with time. The phase space dimension (the number of system variables) associated
with x may be higher than 1, e.g., for three-dimensional map x = {x, y, z}. The map
function describes the evolution after one time step, to obtain it after n steps we apply an
iterative procedure:
Chaotic map cryptography and security
xn = M(xn−1 ) = M(M(xn−2 )) = ... = Mn (x0 ),
5
(3)
where M is the vector map function that yields a discrete time series and a system trajectory
in phase space. The principal characterization of chaotic trajectory dynamics is given by
the values of the positive Lyapunov exponents, which determine the rate of exponential
divergence of nearby trajectories. The ergodic properties of chaos1 and its high sensitivity
to initial conditions and parameters are crucial for designing new chaotic algorithms with
good confusion and diffusion properties.
Many different iterative maps do generate chaotic series for certain parameters. Table 1
displays the list of the most popular ones. Note, that only few maps have been put to test in
cryptography so far.
The complex motion in chaotic systems naturally defines densities in phase space. An
initial nonequilibrium density may correspond to some uncertainty in the initial condition
specifications or may be thought of as representing an ensemble of systems with different
initial conditions. For cryptographic applications, a smooth density is desirable; since it can
be maintained on a finite region of phase space, whose evolution can shade a light on some
non-local information that otherwise will be missing in a point dynamical description. Thus,
the natural description for the time evolution in chaotic systems is, in terms of densities,
irreducible to phase space trajectories. This yields an intrinsically irreversible distribution
for systems that nevertheless have time-reversible trajectory dynamics.
To understand the basics of how a chaotic encryption algorithm works, let us choose
a number of iterations n that depends on the number of precision decimal points that are
carried through the computing iterations of M. Concretely, with a given decimal precision
d, the continuous interval of interest (0,1) (0 being fixed, and 1 being eventually fixed) is
transformed into a discrete set whose elements expressed with the same precision are also
in (0,1). So, if d decimal places are carried through computations, then n should be equal to
10d . In fact, due to the chaotic nature of the calculations, after a finite number of iterations
which carry more than d decimal places we will begin to see drastic deviations between the
more and less precise computations. It should be noted that for a given key length, there is
a minimum d that can be used, so that only keys of that size are available. For example, for
binary key length k, d has to satisfy the relation 10d ≥ 2k to give us the maximum possible
number of keys. While this indicates a lower bound for the desired d, increasing d will
provide better security but incurring in a higher computational cost. Simple computations
show that, to get all 64-bit keys, at least 20 decimal places should be carried out. Therefore,
before using a common chaotic map algorithm, sender and receiver must agree at least
on the following information: (i) initial values x0 , (ii) system parameters, (iii) a decimal
precision d to be used, and (iv) a number of iterations n. With this information at hand, one
can simply compute a key by selecting the k least significant digits of Mn (x0 ), expressed
as a binary code calculated with precision d. This key generation process is in itself fairly
secure for a sufficiently large n (in fact, not extremely large). A very small variation either in
x0 or in d will lead to a drastically different key, and of course, due to the strong divergence
of the chaotic trajectory a single extra (or fewer) iteration will also yield a completely
different key. In typical applications of symmetric key cryptography, it is wise to have a
1
In an ergodic system, long time averages may be replaced by phase space averages.
6
A. N. Pisarchik and M. Zanin
large number of secret keys.
Based on strengths and weaknesses of already existing algorithms, Kelber and Schwarz
[39] formulated ten general rules to design a good chaos-based cryptosystem:
1. Either use suitable chaotic maps which preserves important properties during discretization for block cipher or use a balanced combining function and a suitable key
stream generator for a stream cipher.
2. Use a large key space.
3. Do not use initial conditions of an inverse system as part of the key.
4. Avoid simple permutations of identical system parameters.
5. Use the same precision for subkey values and their corresponding system parameters.
6. Use a complex input key transformation.
7. Use a dynamical system.
8. Use complex nonlinearities.
9. Modify nonlinearities in terms of key and signal values.
10. Use several rounds of operation for block ciphers.
In the remainder of this chapter we review the most significant achievements in the history of chaotic encryption based on chaotic maps, a novel field of cryptography. In section
2 we consider the encryption of standard messages (text), while in section 3 we analyze
chaotic cryptosystems used for image and video. Section 4 describes major advantages and
drawbacks of the more popular chaotic ciphers in terms of security and computational cost
using the most important cryptanalytic techniques. Finally, in section 5 conclusions and
future trends in the development of this topic are presented.
ENCRYPTION OF STANDARD MESSAGES
ERGODICITY OF CHAOTIC LOGISTIC MAP
The logistic map is one of the simplest and thus more widely used chaotic maps. Introduced
first in 1845 by Verhulst [40, 41] as a model for the population growth of a species, it is
expressed as a recurrence equation:
xn+1 = rxn (1 − xn ),
(4)
where the parameter r belongs to the interval [0, 4] and determines the map behavior, while
n is the iteration number that discretizes time. Figure 2 shows the bifurcation diagram
where, starting at a certain initial value x0 , every iteration value xn of the map Eq. 4 is
plotted as a function of r. The right-hand side of the diagram clearly exhibits that for most
values of r between 3.57 and 4.0 the system is in a chaotic regime, i.e. the variable xn
Chaotic map cryptography and security
7
can take any value within a certain interval, where the system dynamics is very sensitive
to the initial condition. In Fig. 3 we plot two time series obtained for the same parameter
r = 3.995 but for two slightly different initial conditions (x = 0.500 and x′ = 0.501). One
can see that after only 25 iterations the two trajectories are completely different.
Figure 2. Bifurcation diagram of logistic map Eq. 4.
1.0
0.8
xn
0.6
0.4
0.2
0.0
0
5
10
15
20
25
30
n
Figure 3. Time series generated with the same parameter r = 3.995 but with slightly
different initial values (x0 = 0.5 and 0.501).
Baptista [8] was the first to explore the usefulness of the logistic map ergodicity in
the realm of digital cryptography. To encrypt a message, he assigned to every alphabetic
character a certain range of the variable xn . Starting from a particular initial value x0
(which was part of the secret key), he iterated the logistic map until xn fell within the region
corresponding to the first character of the plaintext. He then represented the corresponding
number of iterations as the first character of ciphertext. For the second character of the
message, this procedure was executed again taking xn as the new initial condition. Another
parameter η ∈ (0, 1) was chosen to define the probability of discarding a value xn : each
time xn falls within the range of the character to be encoded, a random number is drawn
from a uniform distribution between zero and one; if this number is less than η, then the
sender keeps iterating the map until xn falls again in the required range. Since η > 0, a
single initial character can be encoded in different ciphertexts, thus increasing the security
8
A. N. Pisarchik and M. Zanin
of the algorithm. Note that the receiver does not need to know the value of η, nor the value
of the random number generated by the sender; he/she needs only to iterate the chaotic
map according to the received value, and the result of such iterations will be the decoded
character, independently of how the sender did generate that value.
As many chaos-based cryptosystems, Baptista’s method [8] is both slow and insecure.
The computational cost problem was first tackled by Wong, et al. [42]. Instead of generating a random number each time xn falls in the target range, only a single random integer
number R is drawn; the logistic map is then iterated R times prior to the encryption process.
However, even with only one random number, this modified algorithm is still too slow to be
used in most applications. Wong, et al. [42] reported in 2001 that in order to encrypt with a
state-of-the-art PC 4 KB of information, 4 seconds were required, meaning 8 KB processed
processed every second in an up-to-date system, and therefore to encrypt the content of a
CD-ROM it would take almost a whole day.
The second attempt to take advantage of chaos ergodicity in cryptography was made by
Alvarez, et al. [10], who suggested to use a chaotic function of the form
xn+1 = f (xn , xn−1 , . . .),
(5)
as a construction block of the chaotic cryptosystem. The logistic map is then just a particular
case of Eq. 5 when the function f (x) = rx(1 − x). By iterating the map Eq. 5 and using a
threshold U , a sequence of bits bn is generated as follows
bn =
½
1, xn > U,
0, xn ≤ U.
(6)
When the bits sequence generated by the chaotic map is equal to the first part of the message to be transmitted, that part is encoded by the triplet (n, x0 , U ), i.e. by the number of
iterations n needed to generate the correct sequence, the initial value of the map x0 , and the
threshold U .
Both algorithms, the one proposed by Baptista [8] and the other by Álvarez [10] were
cryptoanalyzed some years later by Jakimoski and Kocarev [43]. They first noted that the
security of the second algorithm relies on the assumption that the attacker does not know the
actual chaotic function, i.e. the map Eq. 5 is secret. This assumption is contrary of one of
the fundamental principles of cryptography, known as the Kerckhoffs’ principle [44] which
states that the security of an encryption process should only be guaranteed by secret
key(s), and never by the algorithm itself. Jakimovski and Kocarev [43] also showed
that both algorithms are vulnerable to known-plaintext attacks. By feeding the systems
with a limited number of predefined messages (4000 for the Baptista’s and 1000000 for the
Álvarez’s algorithms), and by recording the output of the encryption process, an attacker
can construct an almost complete decryption vocabulary.
In the following years, many different modifications of the original Baptista’s algorithm
have been proposed (see, for example, [45, 46, 47, 48]), but all of them have been cryptanalyzed using similar techniques (e.g., [49]). Intuitively, a single logistic map cannot provide
a complex enough dynamics to be used in cryptographic applications; therefore, for chaotic
encryption, more sophisticated systems have to be conceived such as combinations of two
or more different chaotic maps.
Chaotic map cryptography and security
9
STREAM CIPHERS USING LOGISTIC MAP
The use of the chaotic logistic map in cryptography takes advantage of its ergodic property.
So do, other new interesting algorithms whose aim is to create stream ciphers. In these
encryption schemes, a plaintext is mixed with a keystream; when the mixing process is
performed by some suitable bitwise operators (such as XOR or XNOR) and the keystream
is a random sequence of bits, we expect that the encryption process to be completely secure.
The security problem is therefore reduced to the creation of a pseudo-random bit generator
with good statistical properties.
The first such method was proposed by Bianco, et al. [50, 51], who described the bit
generation process by the following equation
½
0, xn ∈ [xl , xm ] ,
b=
(7)
1, xn ∈ [xm , xr ] .
When the logistic map is iterated n times, a value xn is obtained, the algorithm has to
check whether xn falls within the interval [xl , xr ] to stop, otherwise the number is discarded
and another iteration of the map is executed. The previously defined interval is further
divided into two equal sub-intervals; if the accepted xn falls in the left sub-interval (i.e.,
xn ∈ [xl , xm ]) 0 is added to the output stream, 1 otherwise. This is a very slow process to
obtain a bit sequence that will pass the usual statistical randomness tests; to improve their
statistical characteristics, the interval [xl , xr ] should be quite narrow, leading to discard a
great part of the map’s iterations, and therefore slowing its velocity.
Another approach was developed later by Phatak, et al. [52], who introduced the following change of variable:
1 − cos θn
θn
= sin2 .
2
2
When applied to the logistic map for r = 4, Eq. 4 is transformed into
xn =
θn+1 = 2θn ,
θn < π/2,θn+1 = 2π − 2θn , θn > π/2.
(8)
(9)
In other words, the application of the logistic map is stretching a closed circle by a
factor of two and then collapsing it back to the original circle. This dynamics is periodic if
and only if the initial value θ0 is a rational fraction of π. In all other cases, the correlation
between values of the sequence θn , θn+τ , θn+2τ , . . . is lost for τ > 23.
Instead of discarding values from the series generated by the logistic map, Lee, et al.
[53] proposed to use just the lower bits of each obtained number, i.e. an integer number in
the range [0, S] is obtained at each iteration by means of the following transformation:
Bn = Axn mod S,
(10)
where A is an arbitrary constant. In spite of its efficiency, this approach is not very functional since it strongly relies on the computer internal binary representation of the number
generated by the logistic map; the obtained random sequence of Bn will depend on the
hardware used, so that two different processors will generate different outputs.
All these methods share a common drawback inherent to the logistic map: the main
secret key is a single parameter, i.e. r. Therefore, the resulting key space is small leaving
10
A. N. Pisarchik and M. Zanin
the door open to a brute force attack. To avoid this problem, Li, et al. [54] suggested to
build a coupled map lattice (CML) of different logistic maps, both the complexity of the
cryptosystem and the number of secret keys were ameliorated. Every map j = 1, . . . , L in
CML is defined by the following equation
xjn+1 = (1 − ε)f (xjn , aj ) + εf (xj−1
n , aj−a ),
(11)
where ε is a coupling coefficient between different maps and f (x, a) is the logistic map
function described by Eq. 4 with parameter a. All maps are finally combined sequentially
to create the output keystream
£
¤
Knj = int 2u xjn mod 2v ,
(12)
where u and v are arbitrary constants.
Rhouma and Belghith [55] recently criticized this approach with arguments that can
hold for all stream ciphers based on chaotic maps. Namely, since the keystream is just
a function of the system key(s) and does not vary when the plaintext changes, it is quite
easy to retrieve this keystream by getting temporary access to the encryption machine and
encrypting or decrypting an all zero message. For instance, if the keystream corresponding to a given keys combination is K = (1, 0, 0, 1, 0, 1), when combined through a XOR
operation with text M = (0, 0, 0, 0, 0, 0), the output will be C = (1, 0, 0, 1, 0, 1), i.e. the
keystream itself. Any subsequent message will be decrypted as long as the keys remain
unchanged. The algorithm security is thus totally violated.
OTHER APPROACHES USING CHAOTIC MAPS
As previously stated, all approaches to chaotic cryptography using only one logistic map
have proven to be insecure, mainly because the secret keys of the system are either the
parameter r or the number of iterations or both. In this context, the approach of Pareek,
et al. [26] has to be mentioned. They proposed to generate the system parameters in a
non-trivial way, namely, by using an external secret key.
The method starts with a secret key of 128 bits split into groups of 8 bits: K =
K1 K2 K3 . . . K16 . The initial conditions XS and the number of iterations XN are obtained
as follows
XS = (K1 ⊕ K2 ⊕ · · · ⊕ K16 )/256,
NS = (K1 + K2 + · · · + K16 ) mod 256.
(13)
The parameter r of the logistic map is also generated deterministically by a modified
linear congruent random number generator initialized with an initial secret key. The map
so defined is iterated and the output value Xnew is used to encrypt the first message symbol
P0 as
C0 = (P0 + ⌊256Xnew ⌋) mod 256.
(14)
Then, subsequent symbols of the message are codified in a similar way, using the obtained
Xnew as the seed for the next iteration.
Chaotic map cryptography and security
11
Unfortunately, in the same year Álvarez, et al. [56] managed to break down this algorithm. The generation of the parameter r of the map was the weakest point. According
to Pareek’s method, r can be taken among only 81 different values; and to make it worse,
some of these possible values correspond to period-3 orbits. These limitations narrow the
system dynamical range, allowing a very cheap brute-force attack: only three plaintexts of
the approximately 1000-symbol length are needed.
This last failure in creating a secure algorithm using only a single logistic map was
the trigger to change the paradigm; complexity had to be guaranteed in order to improve
security. Therefore, combinations of chaotic maps appeared as a possible solution of this
problem. Based on the previously published algorithm [26], Pareek et al. [57] constructed a
cryptosystem by putting together four different chaotic maps: logistic, tent, sine, and cubic
maps expressed, respectively, by the following four equations:
xn+1 = λxn (1 − xn ),
½
λxn ,
if xn > 0.5,
xn+1 =
λ(1 − xn ), if xn ≤ 0.5,
xn+1 = λ sin(πxn ),
xn+1 = λxn (1 −
x2n ).
(15)
(16)
(17)
(18)
The parameter λ for all maps is defined at the beginning of the encryption process, independently of the secret keys, and it is publicly shared with the receiver: in other words,
the security is not dependent on the maps’ parameters, but rather on their initial conditions
previously generated with a certain simple equation from the secret keys. Before encryption, the plaintext is divided into blocks of different lengths, which are calculated from the
secret keys with the help of a linear congruent random number generator, and are assigned
to each chaotic map with the help of the same generator. In this way, different fragments
of the plaintext are encoded with different chaotic maps; the receiver can easily undo the
operation, by also calculating the initial conditions and blocks lengths from the secret keys.
To overcome the security problem with known plaintext attack, Wei, et al. [58] proposed further modifications of this algorithm, nevertheless, even their improved version
was successfully cryptanalyzed one year later again by the Álvarez’s group [59]; only 120
plain-bytes in one known plaintext were needed to recover the secret key.
Furthermore, the speed of this class of algorithms still remains a big challenge. Although Pareek, et al. [26, 57] claimed that their methods are faster than other alternative
ciphers based on chaotic maps, to encrypt the content of a CD-ROM their algorithms use
up 132 [26] and 95 [57] minutes.
CHAOTIC MAPS FOR PUBLIC-KEY CRYPTOGRAPHY
Only recently, public-key encryption algorithms based on chaotic systems have taken an
important place back in the main stream of cryptography research. To illustrate how they
work, suppose that a user called Bob wants to transmit a private message to another user,
say Alice. Secret keys transmission is forbidden to insure security. Alice then creates a pair
of keys, say d and e, so that computing d from e is computationally infeasible. d is a private
12
A. N. Pisarchik and M. Zanin
key and Alice must keep it secret, while e is a public key that may be shared with everyone,
particularly with Bob. Anyone wishing to send a message to Alice should encrypt it with
the public key e, but the only way to decrypt it would be using the private key d, therefore
Alice is the only one capable to do it. Thus, the public key serves only for encryption, while
the private key serves only for decryption.
The first public-key chaotic algorithms implied neural networks coupled with chaotic
maps [60, 61]. Meaning, both sender and receiver have identical neural networks driven
by the same external sequence of random bits acting as the public key, while the internal
connections’ weight is used as the private key. The receiver uses the public key to synchronize his/her own network with the sender’s and the private key to decrypt the message.
When using chaotic synchronization, as the complexity of the neural networks increases,
so do both the security and the computational cost (the time needed to synchronize the two
networks grows up). While the system is apparently safe from an individual attack, it has
been shown that a breach in security can be brought about with a majority flipping attack,
that is, a group of attackers cooperate throughout the synchronization process [62].
Kocarev, et al. [63] proposed to put in the same category a wide class of chaotic encryption algorithms together with more classical approaches, such as RSA, ElGamal, or
Rabinusing, describing them with the generalized map:
Y = Tp (X) mod N,
(19)
where p and N are integer numbers and X ∈ {0, 1, . . . , N − 1}. Tp are the Chebyshev
polynomials of order p, defined by the following recurrent relation:
T0 (x) = 1,
(20)
T1 (x) = x,
(21)
2
T2 (x) = 2x − 1,
Tp+1 (x) = 2xTp (x) − Tp−1 (x).
(cuadmap)
(22)
Under this mapping, the interval [−1, 1] is invariant, furthermore, for p > 0 the map
is chaotic with an unique absolute continuous invariant measure with positive Lyapunov
exponent ln p. Moreover, for p = 1, the Chebyshev map reduces to the logistic map of
Eq. 4. Since the map Eq. cuadmap is used as a generalization of the RSA algorithm to
construct a public-key encryption algorithm [63], one might expect that, taking advantage of
the intractability of the integer factorization problem, it will inherit its security. However, as
was recently shown [64], the Chebyshev map alone cannot provide a good enough security.
Finally, one of the latest approaches to this class of problems was proposed in 2005 by
Wang, et al. [65] through so-called “Merkle’s puzzles” [66]. In this method the receiver
first generates a large number (for instance, one million) of puzzles (messages) in the form:
“This is puzzle number x and its secret key is y”, where x and y are just a random number
and a random secret key. All these messages are encrypted with a low security algorithm
(for instance, with 20-bit keys) and sent to other users. The receivers of all these messages
(including the one sending the secret message) chooses one of them at random, and performs a brute force attack on this message, in order to retrieve the pair (x, y). After that, he
encrypts the message with y and send it back to the original user along with x. The target
Chaotic map cryptography and security
13
receiver now can easily decrypt this communication by just remembering which key was associated to the random number x, whereas a nonautorized user should perform a brute-force
attack for each one of the original puzzles, thus facing an extremely high computational
cost. Here, the main drawback is that the receiver has to keep all transmitted messages, to
be able to retrieve the key once he gets the associated random number x. Security is only
maintained with a large enough number of puzzles. To circumvent this difficulty, Wang,
et al. [65] proposed to substitute the pair (x, y) by pseudo-random values generated with
a one-way coupled map lattice composed by chaotic logistic maps. So that the receiver
can instantaneously calculate the associated secret key from his knowledge of the puzzle
identification code. The memory and computation time needed are therefore considerably
reduced. One can keep its expectations high, since no attack has been successful so far.
ENCRYPTION OF IMAGES AND VIDEO
While classical cryptosystems (like IDEA, AES, DES or RSA) were originally designed to
encrypt standard messages, mainly text, in the last decade a new kind of content in great
need of attention (images, video, and multimedia information) has gained in importance.
Graphical contents have some intrinsic characteristics which require special considerations
when designing cryptographic algorithms. First of all, they are associated to large information quantities; as an extreme example, movies are stored in several GB of information,
and second, they have to be decrypted in real time for a smooth viewing experience, therefore, velocity is a major requirement. Furthermore, images are characterized by an high
redundancy of data, because of a strong correlation among adjacent pixels; the encryption
algorithm should therefore be efficient in destroying any original pattern, no matter how
broad, otherwise the human eye may be able to reconstruct part of the graphical information.
It is in this context that chaos-based cryptography has the most to offer, this is evident
from the growing number of works devoted to image encryption [25, 9, 73, 72, 35, 74]. In
chaotic block cryptosystems, chaotic maps are usually used to encrypt a plaintext2 block by
block, whereas chaotic stream cryptosystems utilize a chaotic map for bit-by-bit encryption.
Parameters and/or initial values of the diffusion function (chaotic map) normally serve as
diffusion and confusion keys to modify sequentially pixel values and change pixel positions.
Fridrich [9] was the first one to suggest a permutation of the pixel positions in a chaotic
fashion, using either the Baker map or the cat map for chaotic confusion. However, Lian, et
al. [25] pointed out that not all map parameters are secure enough to be used as encryption
keys. Therefore, they designed a symmetric block cipher based on the chaotic standard map
for a confusion process, plus a diffusion function and a key generator.
Since chaotic stream ciphers that utilize only one chaotic system to generate a pseudorandom sequence for image encryption, are not secure enough to withstand powerful cryptographic attacks, Guan, et al. [35] designed a more complex system which combines both
discrete and continuous chaotic systems. At the confusion stage, pixel positions are shuffled
by the Arnold cat map while at the diffusion stage, pixel values of the shuffled image are
2
In some works on image encryption, plaintext and ciphertext are referred to as “plain image” and “cipher
image” [25, 77].
14
A. N. Pisarchik and M. Zanin
encrypted by the continuos Chen’s chaotic system. Recently, Pareek, et al. [75] proposed
an image encryption scheme which exploits two chaotic logistic maps and an external 80bit key. The initial conditions for both logistic maps are derived from the external secret
key. The first logistic map is used to generate numbers in the range between 1 and 24 and
the initial condition of the second logistic map is modified by the numbers generated by the
first logistic map. The authors showed that by modifying the initial condition of the second
logistic map in this way, its dynamics becomes more unpredictable.
Unfortunately, in the majority of known algorithms based on a block cipher encryption
technique, plaintext files are represented as blocks of bits. The encryption speed of such
cryptosystems is relatively slow; the necessary number of iterations of the chaotic map
for encrypting an 8-bit symbol is at least 200 and can reach 29617 [47]. A large block of
plaintext, such as 128-bit, usually used in conventional cryptosystems, requires significantly
higher velocity [58]. Since the length of ciphertext is often larger than the plaintext length,
the size of encrypted multimedia files is enormous.
A completely different approach to image encryption has been proposed in Ref. [77].
Every image pixel is considered as a chaotic map on its own, in separating the colors (red,
green, blue) the whole image is now represented by three chaotic map lattices, one for
each color. Since the logistic map is noninvertible, to recuperate the original image all the
maps (pixels) of the plain image should be coupled, so that every encrypted pixel contains
some information on the original color of a neighboring pixel. In other words, all pixels are
somehow mixed. For example, in the algorithm developed in Ref. [77] all maps are coupled
(pixel by pixel) by initial conditions, providing a good diffusion property. Note, that the
main problem in modern communication technology is not the security of an encryption
algorithm, as much as its good dynamic properties, i.e. its robustness against noise or other
external disturbances. It is in this sense, that unidirectional coupling of all image pixels
worsens the dynamic properties, since the image cannot be recovered if even one pixel
undergoes a small error.
To overcome this drawback, the novel cryptosystem instead of neighboring pixel coupling utilizes chaotic coupling or chaotic mixing of pixel’s colors [79]. This allows a significant security enhancement, while decreasing the encryption time. From the topological
point of view, mixing in phase space means the system evolves over time in such a way
that any given region or open set will eventually overlap with any other given region; the
colored dyes mixing and turbulent fluids are prototypes of chaos.
2D AND 3D CHAOTIC MAPS
One of the first attempts to create an efficient cryptographic algorithm designed specifically
for images was made by Fridrich [67], followed by the works of Pichler and Scharinger
[68, 69]. The family of algorithms they proposed is based on bidimensional chaotic maps,
i.e. a square interval (usually, the unit square I × I, I = [0, 1]) maps onto itself in a one-toone manner. Among all 2D chaotic maps, the standard map, the cat map, and the Baker map
are most prevalent. When used on an N ×N image, these maps can be written, respectively,
in their discretized forms as:
Chaotic map cryptography and security
1
15
1
0.5
0
1
0.5
0
1
Figure 4. Graphical representation of the transformation performed by the 2D Baker map.
½
·
(
xj+1 =
yj+1 =
xj+1 = (xj + yj ) mod N,
x
N
yj+1 = (yj + k sin j+1
2π ) mod N,
xj+1
yj+1
¸
=
·
1
u
v uv + 1
N
N
ki (xj − Ni ) + yj mod ki ,
ki
N
N (yj − yj mod ki ) + Ni
¸·
xj
yj
¸
(mod N ) ,
k1 + k2 + ... + kt = N,
Ni = ki + ... + ki−1 ,
with
N ≤ x j < Ni + k i ,
i
0 ≤ yj < N.
(23)
(24)
(25)
Here, xj and yj are the coordinates of an image pixel at j iteration, u and v in the cat
map Eq. 24 and K = [k1 , k2 , . . . , kt ] in the Baker map Eq. 25 are the parameters to be used
as secret keys.
In the Fridrich’s encryption scheme [67] based on the Baker map Eq. 25, the transformation represented in Figure 4 divides the image into two (or, more generally, into n)
vertical strips, which are vertically stretched and horizontally compressed in order to be rearranged horizontally. The proposed encryption scheme, which has been widely used since,
can be summarized as follows:
1. Define a suitable 2D chaotic map, mapping the unit square I × I, I = [0, 1] onto
itself in a one-to-one manner; generalize that map by introducing some parameter
that alters its standard behavior and discretize it. At the end, what is obtained is a
map which takes each pixel and assigns it to some other pixel in a bijective manner
(the discretized version is a permutation of pixels).
2. Extend the previous 2D map to a 3D map, where the third dimension will be used to
permute the gray-scale value of each pixel. In this way, the actual color content of
each pixel is also changed. An efficient and secure cipher applied to a black square
should result in a uniform histogram.
3. Compose the previous map with a simple diffusion mechanism to spread the information of one pixel over different pixels.
4. Repeat steps 2 and 3 as many times as needed.
16
A. N. Pisarchik and M. Zanin
Figure 5. Image encryption scheme proposed by Fridrich [67].
Figure 6. Graphical representation of the transformation performed by the 3D Baker map.
This process is schematically represented in Figure 5.
Due to its extremely high efficiency, the method proposed by Fridrich [67] has been
widely explored afterward. It allows encoding more than 16 MB of information in one second with a standard 1GHz processor. Analyzing the security of the Fridrich’s algorithm,
Lian, et al. [25] found it relies mostly on the diffusion process, so that once broken, the remaining part (the confusion process) can be easily attacked with almost any known plaintext
strategy at a relatively low computational cost.
Later on, several modifications (evolutions) to the Fridrich’s approach have been proposed (see, for instance, Refs. [70, 71]). New algorithms for image encryption based on
3D chaotic maps have also been developed (see, e.g., Refs. [72, 73]). The previously introduced 2D Baker map was expanded to the third dimension [72], as shown in Figure 6.
Such 3D maps have at least two advantages: first, the third dimension is directly used in the
confusion phase computation, hence lowering the computational cost of the algorithm; and
second, the 3D map is a more complex system than the equivalent 2D map, if two of the
three dimensions have positive Lyapunov exponents, the system becomes hyper-chaotic.
IMAGE ENCRYPTION WITH MULTIPLE MAPS
In principle, a single map either 2D or 3D has a small key space dimension, to improve
security several attempts had to be made to use multiple unidimensional maps coupled
together. In a new effort Li, et al. [76] proposed a single chaotic map to generate two
vectors of 2n values to be iterated them 2 × 2n times. These two vectors are then used to
define the initial value and the control parameter of other 2n chaotic maps (called ECS(i),
i ∈ [1, 2n ]). In order to increase the computational speed of the system, as well as to
reduce the cost of the hardware implementation, all calculations are performed in fixed-
Chaotic map cryptography and security
17
point arithmetic with a precision of L bits.
However, some new problems arise, the most important being that there are only 2L
values available to represent any value in the chaotic orbits, and therefore the cycle length
of any chaotic orbit cannot be larger than 2L . In other words, the dynamics is no longer
chaotic, because it is being trapped in closed periodic orbits. The solution for this drawback
is to perturb the dynamics of the chaotic map with a small signal ξ(i) produced by a pseudorandom number generator. Once all the 2n chaotic maps have been initialized, the plaintext
is divided into groups of L bits; for each one of these groups, the main map is iterated and
the obtained value i gives the label of the map to be used (from the 2n possible maps). This
map is then also iterated, and the value obtained is used to encrypt the group of bits with
a bitwise XOR operation. After this operation, one last encryption step is performed: the
2n chaotic maps are sorted, and all indices of the sorted states and the original states are
used for a substitution process (S-Box). Due to the fixed-point arithmetic, this algorithm
is extremely fast; its final speed is about 1/10 of the CPU frequency, therefore a 2.0 GHz
processor can encrypt up to 200 MBytes each second [76].
A set of chaotic maps was also used in Ref. [77], where to each and every pixel a different logistic map is associated, these maps are then coupled in a sequential fashion. To
encode the i-pixel value xi , the algorithm takes the encrypted value xi−1 of the previous
pixel i − 1, applies the logistic map n times and sums the result of the iteration to the actual pixel value; the end result is the encrypted value for pixel i. Clearly this algorithm
has a great sensitivity to initial conditions: small changes in one pixel of the plain image
propagates through all the maps, changing completely the cipher image. The weak point
of this algorithm was highlighted two years after by Arroyo, et al. [78]; different maps of
the lattice, i.e. different pixels of the image, are coupled pixel-by-pixel, reducing the complexity of the algorithm. Moreover, some of the parameters, like the number of iterations
of the logistic map, may be obtained with a timing attack by measuring the time needed to
encrypt an image of known size.
The problem related with the unidirectional coupling was overruled in Ref. [79]; instead
of coupling a pixel i with pixel i − 1, a new logistic map is used to generate a number ki
for each pixel (k ∈ [0, m], where m is the total number of pixels in the image); pixel i is
now coupled with pixel ki . Moreover, it was shown that many operations, especially the
ones concerning the logistic map, can be pre-calculated and memory stored; and last but
not least, this is the fastest chaotic algorithm ever proposed: a 2.0 GHz processor allows a
velocity of about 280 MBytes of information per second.
Different chaotic maps have also been applied to two main stages of the encryption
process, that is, the permutation and substitution (P-Box and S-Box). In the following,
we will review several works where the design of both boxes calls for different chaotic
functions.
In this context, Zhang, et al. [80] tackled the creation of a P-Box algorithm suitable for
image encryption (with a low computational cost) with chaotic maps. The aim was, as in
the already described work [76], to avoid floating-point arithmetic. Their proposal was to
use a discrete exponential chaotic map defined as:
xn+1 = g(xn ) =
½
axn (mod 257) if xn+1 < 256,
0 if xn+1 = 256,
(26)
18
A. N. Pisarchik and M. Zanin
where x ∈ 0, 1, . . . , 255. Parameter a is chosen so that the map g does generate a multiplicative group of nonzero elements of the Galois field of order 257; for any of the 128
possible values of a fulfilling this condition, the associated map g performs a one-to-one
transformation.
A different approach was proposed by Gao, et al. [81], subsequently adopted by other
authors, like Xiao and Xia [82]. Since many cryptosystems based on the logistic map had
already been cryptanalyzed, they tried to design a custom made chaotic map that had to
fulfill certain requirements. First of all, this new map has to present a chaotic behavior in
the whole range of parameters, then it must also have a good balance between zeros and
ones, zero cross-correlations, and high nonlinearity. In other words, the output of this new
map should be as similar as possible to a random binary sequence. The recursive function
that gets the job done is the following:
¡
xn+1 = 1 − β
−4
¢
ctg
µ
α
1+β
¶µ
¶
1 β
1+
tg (αxn ) (1 − xn )β ,
β
(27)
where xn ∈ (0, 1). Three distinct chaotic regions in the (α, β)-parameter space can be
exploited: either α ∈ (0, 1.4], β ∈ [5, 43], or α ∈ (1.4, 1.5], β ∈ [9, 38], or α ∈ (1.5, 1.57],
β ∈ [3, 15]. The permutation process takes place as follows [82]. To exclude transitions
the map Eq. 27 is first iterated K times, and then N × N times to create an array X =
xK , xK+1 , . . . , xK+N 2 (N being the image size); finally, X is arranged in an ascending
order to form a permutation vector Y .
However, the function of Eq. 27 entails at least two distinct problems. First, too many
calculations are needed to compute each term of the array because of the use of powers
of fractional numbers and trigonometric functions whose implementation in standard hardware is not yet optimized. Second, there is a breach of security. Álvarez and Shujun Li
[83] have shown that the values distribution in the sequence of xn is not flat, as could be
expected from a pseudo-random number generator. The left-hand side of Figure 7 shows
the time series obtained from 1000 iterations of the map, and the right-hand side displays
the corresponding histogram. The clear asymmetric distribution does indeed invalidate the
security of any cryptosystem built upon it, because an attacker may infer some information
from the values with higher probability.
Later, to achieve a more complex permutation pattern Sun, et al. [84] devised another
strategy taking advantage of the inherent structure of any 2D image. To illustrate their
method, suppose we have a 2D m × n image, or data array in orthogonal Dekart coordinates with X and Y axes. The algorithm first creates two linear arrays M and N of
sizes m and n, respectively, and fills these arrays using a chaotic map; then, both columns
and rows are permuted, depending on the values originally stored in M and N , by applying a given rule. In their work Sun’s, et al. use the logistic map in order to fill both
arrays with unique integer numbers. As an example, suppose that the output of the logistic map is x = {0.1208, 0.8457, 0.1210, 0.4835, . . .}; these values are multiplied by the
array size (m or n) and rounded to the next integer (e.g., with m = 10), the result is
x′ = {2, 9, 2, 5, . . .}. Since no repeated values could be accepted, the third number is discarded, i.e. M = {2, 9, 5, . . .}. Although the process of permuting both rows and columns
does effectively improve security, the computational cost largely increases because repeated
values have to be discarded; each time a value is generated, it must be compared with all
Chaotic map cryptography and security
19
800
1.0
700
0.8
Number of points
600
xn
0.6
0.4
500
400
300
200
0.2
100
0.0
0
0
200
400
n
600
800
0.0
1000
0.2
0.4
xn
0.6
0.8
1.0
Figure 7. (Left) Time series of 1000 iterations of the chaotic map proposed by Gao et al.
[81], at parameters α = 0.7 and β = 10. (Right) Corresponding histogram showing that
the distribution of xn is not flat.
previous values. This is the main shortcoming of this approach.
The use of a simple digital function as a chaotic map can alleviate this problem [85].
Such a function is the Gray code named after Frank Gray [86]. It has the property that
the representation of two successive values differs in one bit only. To transform a binary
number into its Gray representation, it should be multiplied by Q = q × q matrix defined
as follows: (i) 1 in the main diagonal, (ii) 1 along the upper/minor diagonal, and (iii) 0
elsewhere, with every operation performed in mod 2. For example, the matrix Q for q = 4
bits would be
1
0
Q=
0
0
1
1
0
0
0
1
1
0
0
0
.
1
1
(28)
A more efficient conversion algorithm for a software or hardware implementation is given
by
G = B ⊕ (B ≫ 1),
(29)
where G is the resulting Gray number, B is the original number (in a binary representation),
⊕ is the binary XOR operation, and ≫ represents the binary right shift. Using this Gray
code, a simple nonlinear transformation T may be defined: given a binary number x in
a q-bits code, calculate its Gray representation with Eq. 29, and then read the result in
a standard binary representation. The proposed T -transformation has several advantages,
namely, it is a bijective map in the whole 2q space, the output is nonlinear, especially for
high values of q, and finally the software implementation is extremely fast, since it does not
require any floating-point calculation.
The ideas of many researchers discussed in this chapter are still the corner stone of many
publications, only in 2009 the most important Refs. [87, 88, 89, 90] should be mentioned.
In spite of all the efforts, many problems of chaotic cryptography still remain, and some of
these difficulties will be probed in the following section.
20
A. N. Pisarchik and M. Zanin
LIMITATIONS OF CHAOTIC CRYPTOGRAPHY
Even though, in recent years there is been a tremendous boom in chaos-based cryptography
research, there are still some limitations that prevent its wider application. Emphasizing, a
big drawback is its relatively slow speed. While many of the proposed chaotic algorithms
(see, for instance [8, 42]) can encrypt with as much speed as 10-50 Kbps (kilobits per
second), standard nonchaotic algorithms have velocities three order of magnitude higher
R
(AES ranges from 50 to 200 Mbps using a 1 GHz Pentium °
processor). Many factors
can explain such poor performance. First, chaotic maps usually operate with floating-point
numbers, i.e. with decimal numbers whose manipulation is never as efficient as integer or
bitwise representations. For instance, a 64-bits Intel processor uses 6 times more clocks
to add floating-point numbers than integer values [91]. To take full advantage of a chaotic
map ergodicity, a lot of iterations are required and many values have to be discarded, for
example, in his work [8] Baptista should perform around 30000 iterations for every encoded
symbol.
The use of floating-point variables not only generates a speed problem but also gives
birth to other issues related to the computer numbers representation. Clearly, the internal
precision cannot be infinite, and a convention about internal representation or a way to execute operations or roundings had to be defined. Such a convention does already exist, this
is a set of rules called IEEE 754 [92]. However, while most standard computer processors,
R
such as Intel Pentium IV or i7 °
, follow this set of rules, the use of some new, fast and
R
efficient processors like Cell BroadBand Engine °
system developed by IBM [93] that do
not adhere to these rules, is spreading for high demanding computational and multimedia
applications. The reason they do not obey the IEEE 754 rules is that the required way of
performing round-offs is very expensive, while the introduction of some small modifications to the process (leaving the final result practically unchanged) increases substantially
the computational power [94]. Nevertheless, these small differences become very important
when computing chaotic maps, because of their high sensitivity to small variations in their
parameters, and/or initial conditions.
Figure 8 shows the Mean Squared Error between two time series generated by the
same logistic map Eq. 4 (the same parameter r and the same initial value), but calcuR
lated with two different computers, the Pentium IV °
processor and the Cell BroadBand
R
°
Engine processor.
While high sensitivity to initial conditions is indeed a great theoretical asset for cryptographic applications, practically it is also its main weakness, since after as little as 30
iterations the series generated by two different processors have nothing in common. This
means that a message encoded with one processor cannot be correctly decoded by a different processor; thus chaotic cryptography is still very limited in real-world applications.
Even if the use of identical processors by both the sender and the receiver can be guaranteed, the differences in software implementation can provoke similar problems; such as the
calculation precision of the floating-point representation, i.e., the number of bits used to
characterize a number, for instance, standard processors offer 32-bits (called float), 64-bits
(double), and 80-bits (long double) representations.
Suppose we create a series with a logistic map and that the values are rounded at some
decimal digit. The important question is: How many significant digits can we trust, if
Chaotic map cryptography and security
21
0.012
Mean Squared Error
0.010
0.008
0.006
0.004
0.002
0.000
0
20
40
60
80
100
Number of iterations
Figure 8. Mean Squared Error between two time generated by the same logistic map in a
32 bits representation, calculated with the Intel chip-set and the IBM processor. Note, that
only for series smaller than 30 values, the different rounding algorithm does not affect the
final result.
the original floating-point precision is unknown? To answer this question, pairs of series
have been generated with the same initial value and parameter, but using different floatingpoint representations (32 and 64 bits). Afterward, values in both series of a pair have been
rounded at the same decimal digit, and the number of identical value has been calculated. In
Table 2 is represented the maximum, mean, and minimum of the number of identical values
in both series, when several realizations of the process are executed. Due to the internal
rounding, we may get different output values as soon as the first iteration; therefore, when
implementing a chaotic cryptosystem, a general requirement is to use identical calculation
engines. A similar result is obtained for the IBM Cell Broadband Engine microprocessor
(see Table 3) because of the difference in their rounding algorithms; the mean number of a
value is one order of magnitude higher when a high precision is required. Nevertheless, the
minimum number is still too low for any cryptographic purpose.
KEY-SPACE DETERMINATION
The fundamental tenet of any cryptographic algorithm lies in its secret key(s). As previously underlined according to Kerckhoffs’ principle [44], the security of an algorithm must
depend only on the key, never on its own secrecy. Therefore, it is of the upmost importance
to decide which keys are suitable and secure, and the number of keys available for a user.
In standard cryptosystems, all values in a given interval are suitable as secret keys,
for instance, in the 128-bits
£ 128AES¤standard, any integer number of 128 bits can be used,
i.e. within the range 0, 2 − 1 . In contrast, when choosing the secret key to modify
the behavior of a chaotic map, the designer of the algorithm has to take into account the
existence of periodic windows in chaotic regions and make sure that no parameter value in
the key set will result in a predictable behavior of the system. If the reader goes back to
the bifurcation diagram of the logistic map in Figure 2, he/she may recognize the ranges,
where only a few points are painted in black for some values of the parameter r. Although
22
A. N. Pisarchik and M. Zanin
these windows have been found analytically for many years, it is very important, in the
context of the encryption process, to localize them, because of the limited precision of the
numbers used in calculations, they strongly will depend on the standard used for handling
floating-point representations.
Table 4 shows the number of periodic windows for the logistic map when r is between
3.57 and 4, for 32 and 64 bits number representation, and with values xn rounded at a
different decimal digit. Moreover, the results are shown for different lengths of the periodic
windows; depending on the application at hand, a little periodicity may be tolerated, e.g.
when the logistic map is used to generate a small set of parameters. It is interesting to note
how the number of periodic windows grows higher when a 32-bits representation is used,
due to its low resolution.
When implementing a chaotic map in an encryption scheme, it is essential to know
exactly its key-space dimension, because the resistance of the algorithm against brute force
attacks depends only on it. Furthermore, we insist that not all parameter values are of use,
due to the presence of periodic windows.
In Table 5 the key space is measured in bits, according to the Shannon seminal formula
for information content assessment [95, 96]:
Dks = log2 (Nv − 1.5Npw ),
(30)
where Nv is the number of values the parameter can assume, and Npw is the number of
periodic windows according to Table 4. The number of periodic windows is multiplied by
a security factor of 1.5, in order to exclude parameters that may lead to time series with
periodic windows of length greater than 100; therefore, key space dimensions calculated
this way are to be considered as a conservative lower bound of the real value. Note, that
when the periodic windows are excluded, the original 64-bits space dimension is reduced
to a 25-bits key, that is too small to ensure any security. So, each algorithm has to specify a
sub-algorithm to help the user build a larger secret key more suitable for encryption.
CONCLUSIONS AND FUTURE TRENDS
In this chapter a broad selection of cryptographic algorithms based on chaotic maps was
presented; their latest successes as well as their many drawbacks were analyzed and perspectives were conjured up. In spite of some limitations, this new branch of cryptography
is indeed growing up very fast. New secure and fast chaotic algorithms are being created
endlessly. Even though it is really impossible to predict beforehand how well these systems
will stand up to a real attack because no matter the algorithm used, there will always be an
experienced attacker attempting to break it, we consider that chaotic cryptography will be
the solution for more complex applications as soon as the computer technology catches up.
Chaos-based cryptography has several advantages over the traditional one. (i) It provides a great assortment of chaotic functions and parameters to be used, thus diversifying
the ways the message can be encoded and increasing the key size as well. In contrast, traditional cryptosystems employ algorithms where diffusion and confusion are linear functions of the number of iterations and key lengths. (ii) As stated in many papers, chaotic
mapping functions are random-like without losing their deterministic properties, so that
Chaotic map cryptography and security
23
a well-designed encryption algorithm prevents any statistical analysis from revealing the
spectral characteristics of an encrypted signal. (iii) Last but not least, chaos cryptography
can be directly implemented in hardware without having to resort to digital-to-analogue
conversion, as traditionally done. Since any form of conversion implies a loss of precision
and slows down the encryption process, the build in of a continuous chaotic function (e.g.,
Chua, Lorenz, Rössler) or a discrete iterative map as part of a hardware circuit, increases
its efficiency. This process is not limited by current computer technology and allows working at full speed on a continuous analogue signal without major difficulties. Summarizing,
the principal advantages of chaos encryption are resistance to known typical attacks, diversity of possible algorithms, impossibility of frequency spectrum analysis, and suitability for
implementation in analog systems.
When designing any cryptosystem, one seeks both security and velocity. Future trends
in cryptography have to be directed to the search of new ways to fulfill the requirements
of a growing communication technology guaranteeing both. We believe that faster and
more powerful computers capable to encrypt a huge amount of data in real time will prove
to be an asset for chaotic cryptography. To enhance security, new encryption algorithms
will probably use families of chaotic multimodal maps, combine discrete and continuous
chaotic systems, implement complex dynamical networks as secret keys, and utilize chaos
synchronization. A high performance of new cryptosystems will most likely be achieved
by bringing together traditional and chaotic cryptographic approaches, as well as applying
some elements of quantum cryptography to send secret keys. Although quantum cryptography is the most secure, it is very slow, so that it will have to be used in combination with
fast chaotic algorithms to make it practical.
We acknowledge CONACYT (Mexico) for the financial support through the project No.
100429.
References
[1] Schneier, B., Applied Cryptography - Protocols, Algorithms, and Source Code, second ed., C. John Wiley & Sons, Inc., New York, 1996.
[2] Daemen, J.; Sand, B.; Rijmen, V. The Design of Rijndael: AES - The Advanced
Encryption Standard, Springer-Verlag, Berlin, 2002.
[3] Shanon, C. E. Bell. Syst. Tech. J. 1949, 28, 656–715.
[4] Matthews, R. Cryptologia 1989, XIII, 29–42.
[5] Pecora, L. M.; Carroll, T. L. Physical Review Letters, 1990, 64, 821–824.
[6] Kocarev, L.; Halle, K. S.; Eckert, K.; Chua, L. O.; Parlitz, U. Int. J. Bifurcation and
Chaos 1992, 2, 709–713.
[7] Habutsu, T.; Nishio, Y.; Sasase, I.; Mori, S., Advances in Cryptology - EuroCrypt’91,
Lecture Notes in Computer Science 0547, pp. 127-140, Spinger-Verlag, Berlin, 1991.
[8] Baptista, M. S. Phys. Lett. A 1998, 240, 50–54.
24
A. N. Pisarchik and M. Zanin
[9] Fridrich, J. Int. J. Bifurcation and Chaos 1998, 8, 1259–1284.
[10] Álvarez, E.; Fernández, A.; Garcı́a, P.; Jiménez, J.; Marcano, A. Physics Letters A
1999, 263, 373–375.
[11] Ashwin, P. Nature 2003, 422, 384–385.
[12] Argyris, A.; Syvridis, D.; Larger, L.; Annovazzi-Lodi, V.; Colet, P.; Fischer, I.;
Garcı́a-Ojalvo, J.; Mirasso, C. R.; Pesquera, L.; Shore, K. A. Nature, 2005, 438,
343–346.
[13] Tang, S.; Chen, H.-F.; Liu, J.-M., Digital Communications Using Chaos and Nonlinear Dynamics, Series: Institute for Nonlinear Science, L. E. Larson, J.-M. Liu, and
L. S. Tsimring, Eds. New York: Springer, 2006, 341–378.
[14] Shore, K. A.; Spencer, P. S.; Pierce, I., Recent Advances in Laser Dynamics: Control
and Synchronization, A. N. Pisarchik, Ed. Kerala: Research Singpost, 2008, 79–104.
[15] Pisarchik, A. N.; Ruiz-Oliveras, F. R. IEEE J. Quant. Electron. 2010, 46, 279–284.
[16] Wheeler, D. D. Cryptologia 1989, XIII, 243–250.
[17] Wheeler, D. D.; Matthews, R. Cryptologia 1991, XV, 140–151.
[18] Biham, E., Advances in Cryptology - EuroCrypt’91, Lecture Notes in Computer
Science 0547, 532–534, Spinger-Verlag, Berlin, 1991.
[19] Zhou, H.; Ling, X.-T. IEEE Trans. Circuits and Systems I 1997, 44, 268–271.
[20] Alvarez, G.; Montoya, F.; Romera, M.; Pastor, G. Physics Letters A 2000, 276, 191–
196.
[21] Hayes, S.; Grebogi, C.; Ott, E.; Mark, A. Phys. Rev. Lett. 1994, 73, 1781–1784.
[22] Short, K. M. Int. J. Bifurcation and Chaos 1997, 7, 1579–1597.
[23] Ogorzatek, M. J.; Dedieu, H. Proc. IEEE Int. Symposium Circuits and Systems 1998,
4, 522–525.
[24] Ekert, A. K. Phys. Rev. Lett. 1991, 67, 661–663.
[25] Lian, S. G.; Sun, J.; Wang, Z. Physica A 2005, 351, 645–661.
[26] Pareek, N. K.; Patidar, V.; Sud, K. K. Phys. Lett. A 2003, 309, 75–82.
[27] Huang, F.; Guan, Z. H. Chaos Solitons Fractals, 2005, 23, 851–855.
[28] Wei, J.; Liao, X.; Wong, K. W.; Xiang, T. Chaos Solitons Fractals, 2006, 30, 143–
152.
[29] Kocarev, L.; Parlitz, U. Phys. Rev. Lett. 1995, 74, 5028.
[30] Parlitz, U.; Kocarev, L.; Stojanovski, T.; Preckel, H. Phys. Rev. E 1996, 53, 4351.
Chaotic map cryptography and security
25
[31] Kocarev, L.; Parlitz, U.; Stojanovski, T. Phys. Lett. A 1996, 217, 280.
[32] Scharinger, J. J. Electronic Eng 1998, 7, 318–325.
[33] Klein, E.; Mislovaty, R.; Kanter, I.; Kinzel, W. Phys. Rev. E 2005, 72, 016214.
[34] Chien, T.-I.; Liao, T.-L. Chaos, Solitons and Fractals 2005, 24, 241–255.
[35] Guan, Z. H.; Huang, F. J.; Guan, W. J. Phys. Lett. A 2005, 346, 153–157.
[36] Gao, T.; Chen, Z. Chaos, Solitons & Fractals 2007, 38, 213–220.
[37] Gao, T.; Chen, Z. Physics Letters A 2008, 372, 394–400.
[38] Xiao, D.; Liao, X.; Wei, P. Chaos, Solitons and Fractals 2009, 40, 2191–2199.
[39] Kelber, K.; Schwarz, W. NOLTA 2005, Bruges.
[40] Verhulst, P.-F. Nouv. mém. de l’Academie Royale des Sci. et Belles-Lettres de Bruxelles 1845, 18, 1–41.
[41] Verhulst, P.-F. Mém. de l’Academie Royale des Sci. des Lettres et des Beaux-Arts de
Belgique 1847, 20, 1–32.
[42] Wong, W.-K., Lee, L.-P., Wong, K.-W. Computer physics communications 2001,
138, 234–236.
[43] Jakimoski, G., Kocarev, L. Phys. Lett. A 2001, 291, 381–384.
[44] Kerckhoffs, A. Journal des sciences militaires 1883, IX, 161–191.
[45] Wong, K.-W. Phys. Lett. A 2002, 298, 238–242.
[46] Palacios, A., Juarez, H. Phys. Lett. A 2002, 303, 345–351.
[47] Wong, K.-W. Phys. Lett. A 2003, 307, 292–298.
[48] Wong, K.-W., Ho, S. W., Yung, C. K. Phys. Lett. A 2003, 310, 67–73.
[49] Alvarez, G., Montoya, F., Romera, M., Pastor, G. Phys. Lett. A 2004, 326, 211-218.
[50] Bianco, M. E., Reed, D. A., Encryption System Based on Chaos theory, US Patent
No. 5048086, Sept. 10.A, 1991.
[51] Bianco, M. E., Mayhew, G. L., High Speed Encryption System and Method, US
Patent No. 5365588, Nov.15, 1994.
[52] Phatak, S. C., Rao, S. S. Phys. Rev. E 1995, 51.
[53] Lee, P. H., Pei, S.-C., Chen, Y.-Y. Chinese Journal of Physics 2003, 41.
[54] Li, P., Li, Z., Halang, W. A., Chen, G. A. Chaos, Solitons & Fractals 2007, 32,
1867–1876.
26
A. N. Pisarchik and M. Zanin
[55] Rhouma, R., Belghith, S. Chaos, Solitons & Fractals 2009, 41, 171–1722.
[56] Alvarez, G., Montoya, F., Romera, M., Pastor G. Phys. Lett. A 2003, 319, 334–339.
[57] Pareek, N. K., Patidar, V., Sud, K. K. Communications in Nonlinear Science and
Numerical Simulation 2005, 10, 715–723.
[58] Wei, J., Liao, X., Wong, K.-W., Zhou, T. Communications in Nonlinear Science and
Numerical Simulation 2007, 12, 814–822.
[59] Li, C., Li, S., Álvarez, G., Chen, G., Lo, K. T. Chaos, Solitons & Fractals 2008, 37,
299–307.
[60] Kanter, I., Kinzel, W., Kanter, E. Europhys. Lett. 2002, 57.
[61] Mislovaty, R., Klein, E., Kanter, I., Kinzel, W. Phys. Rev. Lett. 2003, 91.
[62] Shacham, L. N., Klein, E., Mislovaty, R., Kanter, I., Kinzel, W. Phys. Rev. E. 2004,
69.
[63] Kocarev, L., Sterjev, M., Fekete, A., Vattay, G. Chaos 2004, 14.
[64] Bergamo, P., Arco, P., De Santis, A. IEEE Transactions on Circuits and Systems
2005, 52, 1382–1393.
[65] Wang, X., Gong, X., Zhan, M., Lai, C. H. Chaos 2005, 15.
[66] Merkle, R. C. Commun. ACM 1978, 21.
[67] Fridrich, J. IEEE International Conference on Systems, Man, and Cybernetics, 1997.
[68] Pichler, F.; Scharinger, J. In: Contributions to General Algebra, Proc. of the LinzConference, June 2-5, 1994.
[69] Pichler, F.; Scharinger, J. Proceedings of the 20th workshop of the Austrian Association for Pattern Recognition (OAGM/AAPR) on Pattern recognition 1996.
[70] Salleh, M.; Ibrahim, S.; Isnin, I. F. Jurnal Teknologi 2003, 39, 1–12.
[71] Wong, K.-W.; Kwok, B. S.-H.; Law, W.-S. Phys. Lett. A 2008, 372, 2645–652.
[72] Mao, Y.; Chen, G.; Lian, S. Intern Journal of Bifurcation and Chaos 2004, 14, 3613–
3624.
[73] Chen, G.; Mao, Y.; Chui, C. K. Chaos, Solitons and Fractals 2004, 21, 749–761.
[74] Wang, K.; Pei, W. J. Phys. Lett. A 2005, 343, 432–439.
[75] Pareek, N. K., Patidar, V., Sud, K. K. Image and Vision Computing 2006, 24, 926–
934.
[76] Li, S.; Zheng, X.; Mou, X.; Cai, Y. Proc. SPIE 2002, 4666, 149–160.
Chaotic map cryptography and security
27
[77] Pisarchik, A. N.; Flores-Carmona, N. J.; Carpio-Valadez, M. Chaos 2006, 16,
033118.
[78] Arroyo, D.; Rhouma, R.; Alvarez, G.; Li, S.; Fernandez, V. Chaos 2008, 18, 033112.
[79] Pisarchik, A. N.; Zanin, M. Physica D 2008, 237, 2638–2648.
[80] Zhang, L.; Liao, X.; Wang, X. Chaos, Solitons and Fractals 2005, 24, 759–765.
[81] Gao, H.; Zhang, Y.; Liang, S.; Li, D. Chaos, Solitons and Fractals 2009, 29, 393–399.
[82] Xiao, Y-L.; Xia, L-M. Chaos, Commun. Theor. Phys. 2009, 52, 876–880.
[83] Alvarez, G.; Li, S. Communications in Nonlinear Science and Numerical Simulation
2009, 14, 3743–3749.
[84] Sun, F.; Liu, S.; Li, Z.; Lü, Z. Chaos Solitons Fractals, 2008, 38, 631–640.
[85] Zanin, M.; Pisarchik, A. N. Information Sciences, in press, 2010.
[86] Savage, C. SIAM Review, 1997, 39, 605–629.
[87] Patidar, V.; Pareek, N.K.; Sud, K. K. Communications in Nonlinear Science and
Numerical Simulation 2009, 14, 3056–3075.
[88] Huang, C. K.; Nien, H. H. Optics Communications 2009, 282, 2123-2127.
[89] Mazloom, S.; Eftekhari-Moghadam, A. M. Chaos, Solitons & Fractals 2009, 42,
1745-1754.
[90] Lian, S. Chaos, Solitons & Fractals 2009, 42, 2509–2519.
R
[91] Intel Corporation, Intel°
64 and IA-32 Architectures Optimization Reference Manual, 2009.
[92] ANSI/IEEE Std 754-1985, “IEEE Standard for Binary Floating-Point Arithmetic”,
Standards Committee of the IEEE Computer Society, 1985.
[93] IBM, “Cell Broadband Engine: Programming Handbook”, Version 1.1, (2007).
[94] IBM, “SIMD Math Library Specification for Cell Broadband Engine Architecture”,
Version 1.1, (2007).
[95] Shannon, C. E. The Bell System Technical Journal 1981, 27, 379–423.
[96] Cover, T. M.; Thomas, J. A. “Elements of Information Theory”, 2006, Wiley Interscience.
[97] Tsueike, M.; Ueta, T.; Nishio, Y., “An application of two-dimensional chaos cryptosystem”, Technical Report of IEICE, NLP96-19, May 1996.
[98] Tong, X.; Cui, M. Signal Processing 2009, 89, 480–491.
28
A. N. Pisarchik and M. Zanin
[99] Tsekeridou, S.; Solachidis, V.; Nikolaidis, N.; Nikolaidis, A.; Tefas, A.; Pitas, I.,
Proceedings of IEEE international conference on acoustics, speech and signal processing, 2001, 1989–1992.
[100] Nikolaidis, A.; Pitas, I., Proceedings of IEEE international symposium on circuits
and systems, Geneva, 2002, 509–512.
[101] Tefas, A.; Nikolaidis, A.; Nikolaidis, N.; Solachidis, V.; Tsekeridou, S.; Pitas, I.,
Proceedings of chaos, solitons and fractals, vol. 17, 2003, 567–73.
[102] Escribano, F. J.; López, L.; Sanjuán, M. A. F. Chaos 2006, 16, 013103.
[103] Hongjuna, L.; Xingyuan, W. Computers and Mathematics with Applications 2010,
59, 3320–3327.
[104] Khan, M. K.; Xie, L.; Zhang, J. Digital Signal Processing 2010, 20, 179–190.
[105] Chee, C. Y.; Xu, D. Physics Letters A 2006, 348, 284–292.
[106] Singh, N.; Sinha, A. Optics & Laser Technology 2010, 42, 724–731.
[107] Zhou, J.; Pei, W.; Wang, K.; Huang, J.; He, Z. Physics Letters A 2006, 358, 283–288.
[108] Matthews, R. Cryptologia 2984, VIII, 29–41.
[109] Masuda, N.; Aihara, K. IEEE Trans. Circ. Syst-I 2002, 49, 28–40.
[110] Sang, T.; Wang, R.; Yan, Y. Acta Eletronica Sinica 1999, 27, 47–50.
[111] Behnia, S.; Akhshani, A.; Ahadpour, S.; Mahmodi, H.; Akhavan, A. Phys. Lett. A
2007, 366, 391–396.
[112] Akhavan, A.; Mahmodi, H.; Akhshani, A. Lect. Notes Comput. Sci. 2006, 4263,
963–971.
[113] Kwok, H. S.; Tang, W. K. S. Chaos, Solitons and Fractals 2007, 32, 1518–1529.
[114] Wong, K.-W.; Kwok, B. S.-H.; Law, W.-S. Physics Letters A 2008, 372, 2645–2652.
[115] Behnia, S.; Akhshani, A.; Mahmodi, H. Int. J. of Bifurcation and Chaos 2008, 18,
251–261.
Chaotic map cryptography and security
Map name
Arnold cat
Baker
Bernoulli shift
Bit shift
Bogdanov
Circle
Complex squaring
Chebyshev
Chrossat-Golubitsky
Cubic
Curry-Yorke
Double rotor
Duffing
Dyadic transform
Exponential
Gauss
Gingerbreadman
Gumowski-Mira
Hénon
Hitzl-Zele
Horseshoe
Ikeda
Infinite Collapses
Interval exchange
Kaplan-Yorke
Lissajous
Logarithm
Logistic
Lozi
Markov
Tangent logistic
Nordmark
Piecewise linear
Piecewise nonlinear
Polynomial
Pomeau-Manneville
Rulkov
Sawtooth
Shobu-Ose-Mori
Sinai
Sine
Skew tent
Standard
Tangent
Tent
Tinkerbell
Torus automorphism
Trigonometric
”V”
Zaslavskii
Space dimension
2
2
1
1
2
1
1
1
2
1
2
2
2
1
1 and 2
1
2
2
2
3
1
2
1
1
2
2
1
1
2
1
1
2
1
1
1
1 and 2
2
1
1
2
1
1
2
1
1
2
2
1
1
2
Cryptosystem
[9, 35, 73, 74]
[9, 69, 72, 97, 98]
[99, 100, 101, 102]
[63, 103, 104]
[46, 57]
[105]
[106]
[104]
[106]
[107]
[8, 57, 63, 77, 79, 108]
[99, 100, 101]
[81]
[19, 27, 65, 80, 109]
[110, 111]
[111, 112]
[57]
[104, 109, 113]
[9, 25, 87, 114]
[7, 57, 106]
[63]
[115]
Table 1. List of most popular chaotic maps.
29
30
A. N. Pisarchik and M. Zanin
Number of decimal digits
1
2
3
4
5
Mean
37.801
14.434
4.436
2.235
1.124
Max
844
984
935
902
234
Min
7
1
1
1
1
Table 2. Mean, maximum, and minimum numbers of equal values obtained with two logistic maps; every map has the same initial value and the same parameter a, the only difference
is the floating-point precision, 32 and 64 bits. The series have been calculated with the Intel
processor.
Number of decimal digits
1
2
3
4
5
Mean
37.456
32.527
26.834
21.460
13.549
Max
801
984
990
885
267
Min
7
7
2
2
2
Table 3. Mean, maximum, and minimum numbers of equal values obtained with two logistic maps using 32 and 64 bits precision with the IBM Cell Broadband Engine.
Precision
32
64
Number of digits
5
6
7
8
5
6
7
8
Number of parameters
43000
430000
4300000
43000000
43000
430000
4300000
43000000
L = 10
2434
24518
245882
2459030
2296
23047
230173
2301677
L = 30
4161
41472
414972
4149830
3453
34459
344561
3446857
L = 100
5283
52768
526967
5270743
3600
36056
360495
3605303
Table 4. Number of periodic windows for a Intel TM processor, following IEEE standard, in
float (32 bits) and double (64 bits) representation.
Number of digits
5
6
7
8
Key-space (bits, Intel)
15.198
18.520
21.842
25.164
Key-space (bits, CBE)
15.198
18.520
21.841
25.163
Table 5. Key-space dimension for a 64 bits representation, excluding the periodic windows
of length L ≤ 100 multiplied by a security factor of 1.5.