1
APPLICATIONS OF CHAOS THEORY IN CRYPTOGRAPHY Eng. Bogdan CRISTEA, Std. Constantin CEHAN, Prof. Eng. Ph. D. Alexandru S¸erb˘anescu, Eng. Dan GRECU
Abstract In this article we analyze the possibility of using chaos theory in cryptography and we present two examples of cryptographic algorithms that utilize nonlinear dynamical systems with chaotic behavior.
I. I NTRODUCTION Chaos theory has been received in the last two decades a great deal of attention from the scientific community. Remarkable research efforts have been invested in recent years, trying to export concepts from physics and mathematics into real world engineering applications. Among the most promising applications of chaotic systems is their use in the field of chaotic encryption where the utilization of nonlinearities and the forcing of the dynamical system to a chaotic state will fulfill in our opinion the basic cryptographic requirements. Due to the nonlinear mechanisms that lead to a chaotic behavior, this one is too difficult to predict by analytical methods without the secret key (initial conditions and/or parameters) being known. This would reduce a potential attack to one category that of a brute force attack, in witch any attempt to crack the key depends directly upon how long the key is. Chaos is a particular state of a nonlinear dynamical system and appears only in certain conditions, e.g. for certain values of the system parameters and only in dynamical systems characterized by continuous values. The chaotic state can be observed in a first approach by the existence in the phase space of a chaotic attractor or fractal in which all the system trajectories evolve following a certain pattern (basin of attraction) but are never the same. In a more analytical approach the chaotic state can be very well studied by the Lyapunov exponents witch globally characterize the behavior of a dynamical systems. Chaos will be observed only when there is at least one positive Lyapunov exponent and the total sum of all exponents is negative, that is the dynamical system has a stable but random like state called chaotic state. II. C OMPARISON BETWEEN CLASSICAL AND CHAOTIC CRYPTOGRAPHY Classical cryptography works on discrete values and in discrete time while the crucial point in chaotic cryptography is the usage of continuous-value systems that may operate in continuous or discrete time. As a result, in order to ensure an appropriate design and analysis methods for chaotic cryptographic systems, some special considerations must be taken into account. TABLE I C OMPARISON BETWEEN CLASSICAL AND CHAOTIC CRYPTOGRAPHY Classical cryptography
Chaotic cryptography
- integer values on finite fields
- continuous values using fixed or floating point representation
- algebraic methods
- analytic methods
- digital realization by integer arithmetic
- digital realization by non integer arithmetic
In the following statements we will consider without loss of generality the case of discrete time chaotic systems whose states at certain moments are described by chaotic maps. Chaotic maps and cryptographic algorithms (or more generally maps defined on finite fields) have also some similar properties: sensitivity to initial conditions and parameters, random like behavior and unstable orbits with long periods, depending upon the precision of the numerical implementation. Encryption rounds of a cryptographic algorithm lead to the desired diffusion and confusion properties of the algorithm. In a similar manner, iterations of the chaotic map spread the initial region over the entire phase space while the parameters of the chaotic map may represent the key of the encryption algorithm. For example a block encryption algorithm can be re-written as a discrete time dynamical system: xn+1 = F (xn )
(1)
where the initial condition x0 is the plain text to be encrypted, and the final state xk is the ciphertext. Because the chaotic map can be expressed by a similar equation, the property of the map being chaotic implies spreading out the influence of a Bogdan Cristea and Dan Grecu are with the Military Equipment and Technologies Research Agency, Bucharest, ROMANIA Constantin Cehan and Alexandru Serbanescu are with the Military Technical Academy, Bucharest, ROMANIA
2
single plaintext digit over many ciphertext digits. In other words, any set of initial conditions of a chaotic map will eventually spread over the whole phase space as the system evolves. An important difference between chaos and cryptography is the fact that the encryption transformations are defined on finite fields, while chaos has meaning only on real numbers. On the other hand, according to several authors, an extension of the domain of a classical encryption algorithm from a finite field to a continuum will give rise to a chaotic map. If one realizes for example the domain extension for the round function of the international data encryption algorithm (IDEA) the newly obtained map was proved to be chaotic [1]. Positive Lyapunov exponents can characterize chaotic systems but mappings and/or discrete time chaotic systems that have been proposed for use in cryptography are defined on finite sets of finite precision arithmetic. In such systems the largest Lyapunov exponent is equal to zero, because every orbit is eventually periodic, so that the problem here will be to estimate the Lyapunov exponents only for a typical orbit for a time not exceeding its period. Nevertheless our goal in this article is not to find methods to prove the chaotic nature of a certain encryption algorithm but to present the possibility of using chaotic systems in cryptography so that we will check the cryptographic security of a chaos derived encryption algorithm by mean of crypto-tools such as randomness statistical tests. III. T YPES OF CRYPTOGRAPHIC ALGORITHMS OR CIPHERS The purpose of a cipher is to take unencrypted data (the plaintext) in order to produce an encrypted version of it called the ciphertext. There are to major classes of ciphers: stream ciphers and block ciphers. A. Chaotic stream cipher Stream ciphers work very well for real time data such as voice and video, where only small pieces of data are known at a time. The simplest example for a stream cipher is when a bit of data is “xor-ed” with another bit of a stream generated by a pseudorandom generator. To decrypt the message the same pseudorandom bit stream is generated and the inverse operation (another “xor”) is done. Our chaotic stream cipher is based on a chaotic pseudorandom generator with the main part represented by a discrete time chaotic map known as “Piecewise Affine Markov Map” (PWAM) [2]. x0
x0’
z-1
z-1
0
PWAM x1
Fig. 1.
x2-1
x2
M
x3
(xor)
Chaotic pseudorandom generator
The chaotic map is defined by the following equation: � B (D − |x|) , |x| < D , fM 1 (x) = B (|x| − 2D) , |x| ≥ D
(2)
where B = 3, D = 1, x0 = 0.1. The above equation is defined on the real number domain so that the initial condition (x0 ) and the output variable (x1 ) belong to the interval (−3, 3). Having in mind the fact that the above chaotic map must be implemented on a finite precision machine we represent the real numbers x0, x1 in floating point single precision arithmetic (sign 1 bit, exponent 8 bits, mantissa 23 bits). The second block stands for a selection logic so that only the values that lie in the subinterval (−1, 0) are selected. This must be done in order to select a subinterval with a good distribution of generated values by the PWAM, because some of the chaotic properties are lost after imposing the precision of the numerical representation. M is a mapping block described by the equation: � � x2 − a x3 = 255 · , (3) b−a where [] stands for integer part function; a = −1, b = 0 ′ ′ x0 , x3 ∈{0,1,. . . ,255} are integer numbers represented on 8 bits, x0 = 255. Thus each of the single precision real numbers (x2 ) is transformed into an 8 bit integer in order to generate the pseudorandom bit stream. The last transformation is applied on 8 bits once to ensure good statistical properties of the generated bit stream. The encryption key is represented in our implementation by the initial condition of PWAM x0 (32 bits) and the initial ′ condition of the final “xor” operation x0 (8 bits) that is a 40 bits key length is used. The key length can be easily increased by
3
several methods for example by increasing the precision of the representation and/or by breaking the initial key into several sub keys that are used sequentially. The chaotic pseudorandom generator described above was implemented on an 8 bit microcontroller and the generated bit stream was tested with a battery of randomness tests. As an example we present here the results obtained with the frequency test and the discrete Fourier transform test for a stream of 80000 bits length (Fig. 2 and 3).
Fig. 2.
Frequency test (nb. of zeros: 39890; nb. of ones: 40110)
Fig. 3.
Discrete Fourier transform test
The frequency test is the primary test in all randomness tests and shows the proportion of zeros and ones in the bit stream. If the number of zeros and ones is not almost the same there is no need to apply other tests. The discrete Fourier transform test is used to reveal possible sub periods of the pseudorandom bit stream in the form of strong peaks in the spectral representation. Even for greater lengths of the generated bit stream these peaks are not revealed and so this test is passed. We have done several statistical tests and our generator has passed all so that we have concluded that the bit stream generated with the above structure has very good statistical properties and therefore can be used in a stream cipher. B. Chaotic block cipher (Generalized Chaotic Encryption Method - GCEM) A block cipher operates on data blocks that are larger than one bit. Here the methods of encryption become much more sophisticated than a simple “xor”. As an example for such block ciphers are the well-known DES secret key algorithm and RHS public key algorithm. Here we present a chaos based secret key algorithm using the simple one-dimensional logistic map: xn+1 = r · xn · (1 − xn )
(4)
where xn ∈ (0, 1) and r ∈ (3.7, 4) is the control parameter set to make (4) have a chaotic behavior. The message to be transmitted is a text composed by some alphabet and we associate portions (e-intervals) of the attractor ((0, 1) domain) with alphabet characters. As proposed in [3] the ciphertext of some character (the plaintext) is the number of iterations applied in equation (4) to make its trajectory, departing from an initial condition x0 reach an e-interval associated with that character. If the attractor is divided into S intervals or sets, where S is also the character number of the alphabet, then each e-interval has the form: In = [xmin + (n − 1)e,min +ne]
(5)
where n ∈ {1, 2, ..., S}, e = (xmax − xmin )/S and [xmin , xmax ] represents the whole attractor or a portion of it. Concerning the number of iterations needed to reach a certain interval In we have numerically verified that this number can become quite large for certain initial conditions. So, in order to ensure a reasonably number of iterations in any situation, we have decided to divide first the whole attractor into f groups and then each group is divided into S e-intervals (Fig. 4).
4
Fig. 4.
Generalized association method
Fig. 5.
Generalized chaotic encryption method
A logic diagram of the above described generalized chaotic encryption method is given in Fig. 5. To decrypt the message, at the receiver side, equation (4) is iterated with the same initial condition as much times as indicated by the ciphertext. The position of the final point, with respect to the S e-intervals points out the original character to the receiver. The encryption key is represented by the initial condition x0 but also by the parameter r and the number of groups f . The key length directly depends upon the precision of the implementation of chaotic function (in our case we have used a double precision floating point representation on 64 bits). For comparison purposes we have computed the number of iterations needed to reach each e-interval for a given initial condition (x0 = 0.6197779), map parameter (r = 3.911260191971) and for two values of the parameter f (f = 1, f = 10).
Fig. 6.
Iterations distribution for f = 1
Fig. 7.
Iterations distribution for f = 10
In the first situation (f = 1) it can be easily seen that certain e-intervals need a greater number of iterations that all other and hence a statistical attack can be more easily developed. When f = 10 the number of iterations for all e-intervals is significantly reduced and thus also the speed of the encryption algorithm is improved. IV. C ONCLUSIONS We have shown that applications of chaotic maps to cryptography have some good fundamental properties such as a random like nature, mixing properties and sensitivity to changes in initial conditions and parameters. The two examples presented cover only a part of the possible applications of chaos theory to cryptography. Other possible applications could be autosynchronized cryptographic algorithms [4] or the implementation of nonlinear substitution boxes (S-boxes) using discretized versions of chaotic maps [5].
5
Is also worth to emphasize that chaos only is a necessary but not a sufficient property of encryption algorithms. For example our stream cipher has passed all statistical tests only after the final “xor” operation was introduced. So, it is our believe that the best results will be obtained by mixing the classical encryption methods with chaotic ones. Even if there is much work to do in this field of chaotic cryptographic algorithms we hope that with this article we have given some directions for future researches. R EFERENCES [1] Ljupco Kocarev, “Chaos-Based Cryptography: A Brief Overview”, IEEE CAS Newsletter, 2001, pp. 18-19 [2] Delgado-Restituto, M., Rodriguez-Vasquez, A., “Piecewise Affine Markov Maps for Chaos Generation in Chaotic Communication”, ECCTD’ 99, Stresa, Italy, 1999, pp. 1-5 [3] M. S. Baptista, “Cryptography with Chaos”, Physics Letters, March 1998, pp. 1-3 [4] Marco Gotz, Kristina Kelber, Wolfgang Schwarz, “Discrete Time Chaotic Encryption Systems”, IEEE transactions on circuits and systems, vol. 44, no. 10, 1997, pp. 1-2 [5] Ljupco Kocarev, Goce Jakimoski, “Logistic map as a block encryption algorithm”, Physics Letters, October 2001, pp. 202-205
