Cryptosystems with discretized chaotic maps


IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: FUNDAMENTAL THEORY AND APPLICATIONS, VOL. 49, NO. 1, JANUARY 2002

Cryptosystems With Discretized Chaotic Maps

Naoki Masuda and Kazuyuki Aihara

Abstract—Many kinds of chaotic cryptosystems have been proposed so far. Chaotic systems dissipate information due to orbital instability with positive Lyapunov exponents and ergodicity. If these properties are appropriately utilized, chaotic cryptosystems are expected to realize high security. However, most of the existing secure communication techniques using chaos do not have enough security. For example, secure communication protocols based on chaos synchronization require a robustness that gives useful information to attackers, and cryptosystems based on direct applications of chaotic maps have been weak against linear and differential cryptanalysis. In this paper, a new kind of chaotic cryptosystem which overcomes these difficulties to some extent is proposed. The cryptosystem is based on a discretization of the skew tent map. We also show some of the desirable properties of the proposed cryptosystem using dynamical characteristics. These properties regarding ciphertext randomness may be closely related to cryptological security. Our new cryptosystem is one step toward connecting the theory of commonly used cryptosystems and dynamical system theory.

Index Terms—Chaotic cryptosystem, discretization, exponential information decay, skew tent map.

I. INTRODUCTION

CHAOS theory deals with dynamical systems with loss of information along the orbits. As an application of chaos theory, secure communications have been studied since the early 1990s. Such chaotic properties as ergodicity and sensitive dependence on initial conditions and on system parameters are quite advantageous for constructing secure communication schemes including cryptosystems, where irregularity in code sequences and sensitive dependence on plaintexts and keys are required. There are a number of implementations so far, most of which have the structure of private-key cryptosystems. However, they are not equipped with sufficient security, or are too complicated to evaluate. Theoretical connections among various chaotic secure communication techniques and a comprehensive understanding of them are also missing. Secure communication protocols based on chaotic switching and chaotic modulation are the most prevalent among chaotic communication techniques. In both of them, the consistency between the transmitter system and the receiver system is ascribed to chaos synchronization.

Manuscript received June 2, 2000; revised February 3, 2001 and September 6, 2001. This paper was recommended by Associate Editor C. K. Tse.
N. Masuda is with the Department of Mathematical Engineering and Information Physics, Graduate School of Engineering, the University of Tokyo, Tokyo 113-8656, Japan, and also with the Japan Society for the Promotion of Science, Tokyo 102-8471, Japan (e-mail: [email protected]).
K. Aihara is with the Department of Mathematical Engineering and Information Physics, Graduate School of Engineering, the University of Tokyo, Tokyo 113-8656, Japan, and also with CREST, Japan Science and Technology Corporation, Saitama 332-0012, Japan (e-mail: [email protected]).
Publisher Item Identifier S 1057-7122(02)00278-7.

In chaotic switching [1]–[4], we first prepare two chaotic systems corresponding to the binary symbols ‘0’ and ‘1’, respectively. The system parameters are shared as the secret key. The transmitter generates a concatenation of pieces of chaotic signal. Each piece has a prescribed length and is driven by the first system when the input symbol is ‘0’ and by the second system when it is ‘1’. The receiver decrypts the signal with the chaos synchronization technique: if the processed part of the transmitted signal synchronizes with the first system, the receiver considers that ‘0’ was sent, and if it synchronizes with the second system, ‘1’ was sent.

In chaotic modulation [1], [2], [5], chaotic signals are used as information carriers. The transmitter’s system works as the master part, and the receiver’s system as the slave part. The transmitter sends the superposition of the information signal and the chaotic carrier. The receiver then estimates the carrier by the chaos synchronization technique, and subtracting the reconstructed carrier from the transmitted superposed signal enables the receiver to extract the secret message. This can be regarded as a continuous version of a stream cipher; chaotic carriers play the role of continuous key streams. There are some extensions such as ones based on neural networks [6] and coupled difference equations [7]. To explore guaranteed security levels, systematic approaches have been provided to construct synchronization-based chaotic encryption systems [8] and to cryptanalyze them with correlation attacks [9].

In spite of extensive investigations of secure communication protocols using chaotic modulation, they suffer from the following problems, most of which are shared by those based on chaotic switching.
• The synchronization timing is difficult to determine.
• Information signals play the role of synchronization noise in the synchronization process. In general, the synchronization noise intensity should be small enough to achieve synchronization [3]. It may be difficult to distinguish such tiny signals from transmission noise. Furthermore, if the signal-to-noise ratio at the transmitter is smaller than that of the channel, such a system does not make sense [10].
• Two matched analog chaotic systems are required at remote locations. It is not easy to prepare such systems since they are subject to significant influence of varying temperature and technological discrepancy in analog elements [10].
• Some robustness must be allowed for the two chaotic subsystems to synchronize. This robustness might enable attackers to recover the keys by adaptive methods [10].
Some cryptanalyses of these encryption systems were presented by utilizing these weak points [11]–[13]. They are based on partial reconstruction of the attractor of transmitted signals.

1057–7122/02$17.00 © 2002 IEEE

MASUDA AND AIHARA: CRYPTOSYSTEMS WITH DISCRETIZED CHAOTIC MAPS

In contrast to synchronization-based techniques, there are other types of chaos-based cryptosystems. Many of them are based on direct applications of chaotic transformations to plaintexts. Though both chaotic stream ciphers [14], [15] and chaotic block ciphers have been developed, we concentrate on block ciphers in this paper. Chaotic block ciphers transform blocks by directly applying chaotic maps. The chaotic map is usually applied iteratively to guarantee entire randomness of the encipher. The properties of the chaotic transform and the way of implementation determine the security level. There are both digital and analog block ciphers. Habutsu et al. [16] used the skew tent map, and Tsueike et al. [17] constructed digital chaotic block ciphers using the two-dimensional modified baker’s map. The critical points of the employed maps are the secret keys in both cryptosystems. In [17], the modification is made on the pair of critical values of the baker’s transformation; they are moved off the middle point. The modified baker’s transform can be written in the form

where the pair of values of the critical points is used as the secret key. The transmitter and the receiver must share the secret key with 25 significant digits in order to share an identical map. Both component maps are one-to-one and onto in the unit square, and the cryptosystem is defined by an encipher and a decipher acting on the plaintext and the ciphertext, respectively. Based on numerical evidence, certain parameter values are required for sufficient security. Although this construction is intuitive and natural, it has already been broken by linear cryptanalysis [18]. The piecewise linearity and the contractive property of the component maps have been utilized in the cryptanalysis. A one-dimensional version [16] and an analog version were also broken by similar techniques by Biham [19] and Beth [20], respectively. The introduction of quadratic maps [21] results in nonlinear encryptors avoiding piecewise linearity. This modification enhances the security; however, it makes unique decryption impossible instead. Though generalized constructions of these types of cryptosystems were proposed [22], the essential defects explained in the following have not been remedied. In these extensions [21], [22], the computation time would also increase. We can deduce the following properties of the cryptosystems in [16], [17] through our cryptanalysis [18].
• Though an expanding transformation is used along one coordinate, a contracting transformation with a negative expansion exponent is used along the other coordinate. Encryption by the skew cut map with only one expanding direction is desirable to realize the sensitive dependence on initial conditions. The skew cut map is, however, two-to-one, which would make unique decryption impossible. Actually, the second contracting direction was introduced for unique decryption, and it gave a hint to cryptanalysis.
• High precision is required for ciphertexts to ensure the decryption uniqueness under a contracting transformation.
• The component maps have piecewise linearity, and therefore this cryptosystem is weak against linear and differential cryptanalysis.
• We can regard this cryptosystem as a Bernoulli shift [23]. A schematic information flow through encryption is shown in Fig. 1. The information stored in the fractional parts of the two plaintext coordinates is linearly transformed and stored in the two ciphertext coordinates. One ciphertext coordinate consists of more redundant information than the other, and what is initially contained in its lower digits comes from nonessential computation error or truncation. Accordingly, it does not have to be transmitted. This insight tells us in which part of the ciphertext the secret information is stored. Furthermore, even if it is kept secret, it can be estimated from the prescribed precision (25 digits here), since the prescribed digits for
• Digital and analog representations are used in a mixed manner in these cryptosystems. These cryptosystems are machine-dependent, and detailed analysis on machine precision must be involved.

Fig. 1. The information flow of the chaotic cryptosystem based on the skew baker’s map.

The discretizations are realized by rounding the chaotic maps according to the computer arithmetic in these cryptosystems. In contrast to these implicit discretizations, there are other approaches to digital chaotic block ciphers from a purely discrete point of view. The construction and security level of these kinds of cryptosystems depend on the algebraic properties of discrete chaotic maps [24], [25]. Pichler and Scharinger [25], [26] proposed cryptosystems based on chaotic permutations constructed by explicitly discretizing the two-dimensional baker’s map. Fridrich [27] extended their ideas to chaotic permutations on two-dimensional lattices of any size. His permutations benefit from the expanding property along one axis, technically avoiding the contracting property along the other axis. The relation between the original chaotic maps and the discretized maps has also been discussed [28].

In this paper, we construct a new chaotic cryptosystem operating in a discrete-state space. Although we have pointed out that the cryptosystems derived from discretized one-dimensional maps [16], [17] are weak, our cryptosystem exploits important chaotic properties such as the sensitive dependence on initial conditions and the exponential information decay. We will explore the cryptological security using such dynamical characteristics as the Lyapunov exponents, the autocorrelation function, the mixing property and the KS entropy. It is shown that the proposed cryptosystem has some desirable properties such as the sensitive dependence on plaintexts and keys, uniformity of ciphertexts starting from a bundle of plaintexts, and independence of plaintexts and ciphertexts. These properties may be relevant to the security in the cryptological sense [28].

This paper is organized as follows. On the basis of the insights into the cryptosystems in [16], [17], we first propose in Section II a new chaotic cryptosystem which overcomes these problems. The new cryptosystem is based on a discretized skew tent map. Some properties of this cryptosystem related to the cryptological security are examined in Section III. Analysis is done by observing the time evolution of two close plaintexts, by examining the exponential information decay and the bitwise independence, and by performing the statistical tests. The generalization and the justification of approximating the discretized map by the original continuous map are discussed in Section IV.

II. A NEW CHAOTIC CRYPTOSYSTEM BASED ON THE FINITE-STATE BAKER’S MAP

We describe the cryptosystem, which is a generalization of what we proposed in [18], [29]. The insight in the last section tells us that the sensitive dependence on initial conditions of chaos can result in randomness of ciphertexts only when we make use of the expanding property of expanding maps in a strict sense. Contracting directions should not be introduced in encryptors. At the same time, the uniqueness of the encryption and the decryption is desired. To this end, we use modifications of the skew tent map as an encryption function. The skew tent map is a modified tent map whose critical point is different from 0.5 (Fig. 2). The value of the critical point will be used as the secret key. The skew tent map is defined by

The inverse cannot be defined because the skew tent map is a two-to-one mapping, but we can formally write

or

This map is exact, and therefore mixing and ergodic. The invariant measure is the Lebesgue measure restricted to the unit interval, and the Lyapunov exponent is

(1)

Fig. 2. The skew tent map: x_{n+1} = f(x_n).

If we simply used the iteration of the skew tent map as an encryption function, uniqueness in decryption would be lost because the map is two-to-one. The plaintext space and the ciphertext space would also be obscure. Accordingly, we discretize both the phase space and the transformation to derive the plaintext space, the ciphertext space and the one-to-one transformation. For an integer , we set the plaintext space and the ciphertext space to be the set of rationals included in the unit interval with denominator , that is,

(2)

A modification of the skew tent map is defined by

where the bars indicate the cardinality of a set. We call this map the finite-state baker’s map. The function is defined so that its value is the th smallest element in the corresponding set. If for , then we define and so that (3) holds. As a result, the finite-state baker’s map is a one-to-one mapping on the plaintext space. It stretches the left subinterval onto the whole space and the right subinterval onto the whole space, and merges the two intervals in a particular way; it achieves a baker’s map in this sense. Its inverse is given by the element s.t. the image is the th smallest element in the corresponding set.

A chaotic cryptosystem based on the finite-state baker’s map is defined by the encipher and the decipher . We define the key space by

We require this key precision since the finite-state map does not change even if the critical point is determined more precisely. The finite-state map can be written in the following formula:

(4)

where the two kinds of brackets denote the floor and the ceiling of their argument, respectively. To derive an explicit expression for the inverse, we put

(5)

(6)

It follows that

We define . Since is an integer, it follows that or . We note that (or equivalently ) on the basis of (3). When , ; when , . As a result, we have owing to (3) and .

Next, we redefine the spaces and the transform on an integer space for practical use. We write

(7)

(8)

where , and denote the redefined plaintext space, the ciphertext space and the key space, respectively. The scaled chaotic permutation and its inverse are given by

(9)

where

(10)

In (10), if and only if is divisible by . Accordingly, . Table I shows how the encryption proceeds. We can observe the exponential information diffusion by the permutation while it keeps the one-to-one correspondence.

TABLE I. An example of encryption by the finite-state baker’s map F̃ with M = 371 and A = 205. The numbers in the top row denote the iteration number n.

III. SECURITY 
ANALYSIS

Security is the central issue of cryptology, and the randomness of the ciphertexts generated by encryptors has been discussed in the literature. The randomness of the transform can be evaluated from various points of view. In fact, there are no known sequences generated by an algorithm which pass all the randomness tests [30]. In this section, we elucidate some aspects of randomness; we apply theoretical and statistical randomness tests to the cryptosystem to determine the valid ranges of and . These random properties may be closely related to cryptological security. In all the analyses except the statistical analysis, we approximate the dynamical characteristics of the finite-state map by those of the continuous skew tent map. It should be noted that the following inequality holds:

(11)

Accordingly, and (or equivalently and ) differ by an amplitude as small as the rounding error. The justification of approximating the finite-state map by the continuous map will be discussed in more detail in Section IV-D. As a remark, eliminating zero from the domain of the finite-state map and including 1 in it enabled any point to enjoy exponential expansion, avoiding truncation effects.

A. Sensitive Dependence on Plaintexts

We will evaluate the iteration number such that a pair of adjacent plaintexts is transformed into a pair of independent ciphertexts. The minimum difference (the unity in the integer notation) between adjacent plaintexts expands in the following three subprocesses [18].
1) The distance of the unity increases to be twice in iterations.
2) The distance grows exponentially to the order of in the subsequent iterations.
3) The map is furthermore iterated times to ensure almost independent behavior of ciphertexts from two close plaintexts.
We first restrict the key within for simplicity.

1) We suppose . If

(12)

As a result,

(13)

is sufficient for the condition (1) to be satisfied. Consideration of the worst case leads to s.t.

(14)

that is,

If we use (11), we have

(15)

The approximation in (14) is not good only for small ’s since (11) yields

Similarly, is sufficient for . Accordingly, since

(16)

for . Though the error is significant for small , it contributes little to the determination of .

2) Since , the distance between two points grows to be at least after applying . Once the discrepancy becomes two, it grows exponentially under iterations of the map. If , the expansion rate of the map is almost equal to , and if , it is about . The condition (1) assures that a point wanders in an ergodic manner after iterations. Therefore, we determine from

Using (1), we have

(17)

The effect of the approximation is almost the same as in (1).

3) The conditions (1) and (2) are satisfied after performing . We require more iterations to drive out possibly remaining plaintext information in the upper bits of . information bits are driven out by . This subprocess is heuristically defined and asymptotically trivial.

As a whole, iterations are required.

B. Sensitive Dependence on Keys

For two adjacent keys and , the discrepancy between and grows through three subprocesses similar to those of the plaintext case [18]. The difference is that (1) is decomposed into two smaller subprocesses:
(1-a) The difference arises to be unity.
(1-b) The unity of distance becomes two.
iterations are required for (1-a). We assume . If , a sufficient condition for to satisfy (1-a) is given by

(18)

If satisfies

(19)

then we can put using (13). For such that satisfies (18) but not (19), slightly increases. This difference is, however, negligible, hence . The conditions (2) and (3) are analyzed similarly to the plaintext case. In the end, the required iteration number becomes the same as the one obtained by the plaintext sensitivity analysis: .

The symmetrical argument with respect to brings about the same for . In this case, a few points of might be fixed points around the nontrivial fixed point of or might be nonexpanding. Nevertheless, these points are exceptional when is large.

C. Relatively Prime Conditions

In this section, we explore the possibility of decreasing . To this end, we consider a sequence in . We next assign symbol to in the sequence if and symbol if . The minimal period of the symbol sequence containing and is determined by . Larger implies better security of the cryptosystem. It is desirable that and are relatively prime. In this case, we can also reduce . Generally speaking, the unit distance between adjacent plaintexts does not diverge in a few iterations for some pairs in . For example, in Table I, the distances between 5 and 6, 10 and 11, and 199 and 200 do not diverge in iterations, respectively. There are pairs in for which the distances do not expand after applying the map once. These pairs are positioned with equal intervals. For simplicity, we assume that such pairs are . Since at , it is desirable that

in order to avoid pathological cases where adjacent plaintexts remain adjacent after many iterations of the map. This requirement leads to . If this condition is satisfied, then every operation of the map reduces the number of adjacent pairs with the unit distance in the ratio . Consequently, has to satisfy and , leading to . As a remark, if , we can simplify the inverse. In this case we do not need to consider the case in (9). This is because is not divisible by unless [see (10)].

D. Exponential Decay of Information

We assume a uniform distribution of plaintexts in . The correlation between plaintexts and ciphertexts after iterations can be calculated analytically using the piecewise linearity of the skew tent map [31]:

(20)

where . Equation (20) guarantees exponential decay of information. In particular, information decays faster as the critical point is closer to 0.5. The numerically obtained correlation coefficients are shown in Fig. 3. Up to , the numerical results agree with (20) in spite of the replacement of the continuous map by the finite-state map. For larger , the difference between the two maps grows to be of the order of 1. Consequently, we see a discrepancy between the two correlation coefficients, whereas both of them are small.

Fig. 3. The numerically obtained correlation coefficients between plaintexts and ciphertexts. M = 1 073 741 824 = 2^30 and A = 854 433 691. A large value of A is used to demonstrate the correlation decay more clearly. 10 randomly chosen points are used in the calculation of the numeric correlation coefficients. The theoretical correlation coefficients (Eq. (20)) are also shown.
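The analyses of Section III replace the finite-state map by the continuous skew tent map. The following Python is an added example, not code from the paper, that computes for that continuous map the two quantities Section III-D and equation (1) rely on: the Lyapunov exponent under the uniform invariant measure, and the correlation coefficient between a plaintext and its n-th iterate, comparing Monte Carlo estimates against closed forms. Because (1) and (20) did not survive extraction, both closed forms are the example’s own assumptions, derived in the comments from the map’s piecewise linearity; the critical point a = 0.3, the sample counts and the seed are constructed inputs.

```python
# Added example (not the paper's code): the continuous skew tent map with the
# Lyapunov exponent of its uniform invariant measure and the exponential decay
# of the plaintext/ciphertext correlation.  Closed forms below are assumptions
# derived in the comments, not the paper's (1) and (20) verbatim.
import math
import random


def skew_tent(x, a):
    """Skew tent map with critical point a in (0, 1): slope 1/a on [0, a],
    slope -1/(1-a) on (a, 1]; Lebesgue measure on [0, 1] is invariant."""
    return x / a if x <= a else (1.0 - x) / (1.0 - a)


def lyapunov_exponent(a):
    """Assumed closed form: the mean of ln|f'(x)| under the uniform measure is
    a*ln(1/a) + (1-a)*ln(1/(1-a)), maximal (ln 2) at a = 0.5."""
    return -a * math.log(a) - (1.0 - a) * math.log(1.0 - a)


def estimate_lyapunov(a, samples=50000, seed=1):
    """Monte Carlo estimate of the same mean from uniformly drawn points."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(samples):
        x = rng.random()
        total += math.log(1.0 / a) if x <= a else math.log(1.0 / (1.0 - a))
    return total / samples


def theoretical_correlation(a, n):
    """Assumed closed form of corr(x_0, f^n(x_0)) for uniform x_0.

    The Perron-Frobenius operator of the skew tent map sends the function x to
    a*(a*y) + (1-a)*(1-(1-a)*y) = (2a-1)*y + (1-a) (the two preimages of y,
    weighted by 1/|f'|).  Iterating, cov(x_0, x_n) = (2a-1)^n * var(x_0), and
    var(x_0) = var(x_n) = 1/12, so the correlation coefficient is (2a-1)^n:
    it decays fastest when a is close to 0.5."""
    return (2.0 * a - 1.0) ** n


def numerical_correlation(a, n, samples=50000, seed=1):
    """Pearson correlation of x_0 against f^n(x_0) over uniformly drawn plaintexts."""
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(samples):
        x = rng.random()
        y = x
        for _ in range(n):
            y = skew_tent(y, a)
        xs.append(x)
        ys.append(y)
    mx = sum(xs) / samples
    my = sum(ys) / samples
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / samples
    vx = sum((x - mx) ** 2 for x in xs) / samples
    vy = sum((y - my) ** 2 for y in ys) / samples
    return cov / math.sqrt(vx * vy)


if __name__ == "__main__":
    a = 0.3  # constructed critical point; the paper's key plays this role
    print("Lyapunov exponent: closed form %.4f, estimate %.4f"
          % (lyapunov_exponent(a), estimate_lyapunov(a)))
    for n in range(1, 6):
        print("n=%d  (2a-1)^n=%+.4f  measured=%+.4f"
              % (n, theoretical_correlation(a, n), numerical_correlation(a, n)))
```

For a = 0.3 the correlation runs −0.4, 0.16, −0.064, ..., so a handful of iterations already removes the linear dependence between plaintext and ciphertext that (20) describes; the finite-state map of the paper follows the same curve only up to the iteration count at which the rounding discrepancy reaches order 1 (Fig. 3).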

We also perform a theoretical permutation test [30] to show exponential information decay. We consider a sequence of ciphertexts . is defined to be the probability that . If the sequence is random, must be equal to 0.5. We assume a uniform plaintext distribution with , and replace the finite-state map with the continuous one. Since the map is ergodic, the set consists of disjoint intervals in , in each of which the iterate is linear and monotonically increasing. Owing to the linearity of the iterate in , we have

Consequently,

(21)

This result shows that exponentially converges to the optimal value 0.5. Equation (21) is expected to be in good agreement with the actually obtained up to the that satisfies

with respect to the branch width in Fig. 4. This is because the finite-state iterate is qualitatively similar to the continuous iterate when ; they both have monotone increasing branches and monotone decreasing branches, each of which has a dynamic range (almost) equal to (Fig. 4).

Fig. 4. (a) f̃(x), and (b) f(x). M = 1024 = 2^10 and A = 571.

E. Bitwise Independence

We have implicitly supposed a topology in with the Euclidean distance, and discussed information loss in the Euclidean space. In cryptological arguments, however, the distance change must be evaluated in terms of the Hamming distance because binary sequences are dealt with. According to [32], if is expressed in the binary expression

then the th bit can be expressed as

where the threshold function is defined by

The th bit of a plaintext and the th bit of the corresponding ciphertext must be independent to guarantee the independence between plaintexts and ciphertexts. We replace the finite-state map with the continuous map in the following. The probability is equal to

(22)

where . Since the map is mixing,

(23)

Similarly, the probabilities and are equal to in the limit as . Consequently, two bits distribute uniformly and independently when . As a remark, if we linearly interpolate the finite-state map to obtain a continuous map, it is mixing except in a small region. Furthermore, Fig. 4 shows that the two maps are qualitatively similar up to except when , that is, when is large. Accordingly, the following key equation

is supposed to hold for not large ’s and ’s even if we replace the continuous map with the finite-state map. As a result, (22) and (23) guarantee the bitwise independence of upper bits. On the other hand, the bitwise independence of lower bits has been guaranteed in Sections III-A and III-B. If we would like to evaluate the independence of bits, then we can apply the -mixing property of the map, or a generalized notion of the mixing property. indicates how independent the two involved bits are. The convergence of this quantity to zero is assured. A natural supposition is that this quantity approaches zero exponentially with the factor of . Evaluating this quantity, however, requires more arguments.

F. Statistical Security Analysis

We numerically examine the uniformity and the independence of the ciphertext distribution [29]. The uniformity in the statistical sense is strongly related to the diffusive property of the cryptosystem, and the independence is related to sensitive dependence on a plaintext value or a key value. The statistical uniformity and independence tests are designed based on the conventional chi-square tests [16], [17], [30]. We examine the uniformity and the independence in terms of both plaintexts (tests U-P and I-P) and keys (tests U-K and I-K). These tests are designed as follows [29].
1) The uniformity test (U-P, U-K)
a) Divide the interval into consecutive bins with the same width. The th bin is denoted by .
b) Compute ciphertexts for U-P (or for U-K)

Fig. 5. The result for the uniformity test in terms of plaintexts (U-P, (a)) and keys (U-K, (b)). M = 10^20, S = 2000 and b = 100. Three pairs of an initial plaintext and a key are used: (X_0, A) = (85483497692351461897, 54364810590829182407), (38267471053192397610, 51238969610352216109) and (60821277239516496944, 59494081732494216993). The significance level of 0.01 (chi-square(0.01) = 134.7) is also shown.

Fig. 6. The result for the independence test in terms of plaintexts (I-P, (a)) and keys (I-K, (b)). M = 10^20, S = 2000 and b = 15. The same three pairs as in U-P and U-K in Fig. 5 are used. The significance level of 0.01 (chi-square(0.01) = 245.0) is also shown.

and count the frequency that ciphertexts are included in .
c) Evaluate the chi-square statistic given by (24) under the null hypothesis that ciphertexts distribute uniformly; the degree of freedom for the chi-square statistic is .

(24)

2) The independence test (I-P, I-K)
a) Generate bins in the same way as in the uniformity test.
b) Compute pairs of ciphertexts for I-P (or for I-K) and make a contingency table. denotes the number of pairs included in .
c) Evaluate the chi-square statistic given by (25) under the null hypothesis that the ciphertexts originating from two adjacent plaintexts (keys) are independent; the degree of freedom for the chi-square statistic is .

(25)

The results for these tests are shown in Figs. 5 and 6. The simulation results indicate that the uniformity and the independence can be expected for . This is much smaller than the value estimated by the analytical investigations.
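The finite-state baker’s map of Section II, the adjacent-plaintext divergence of Sections III-A and III-C, and the uniformity test U-P of Section III-F, as one added worked example in Python that is not part of the paper: the integer permutation on {1, ..., M} with key A, its inverse, the n-round encipher and decipher with a round-trip check, the number of rounds until the adjacent pairs singled out for Table I (5 and 6, 10 and 11, 199 and 200) separate, the count of adjacent pairs left at unit distance after one round, and the chi-square statistic of test U-P. Equations (4) and (9) are not recoverable from the extraction, so the closed form used here (ceiling on the expanding left branch, floor plus one on the folded right branch) is a reconstruction consistent with the paper’s description rather than the authors’ own formula; the function names and the parameters M = 2^20, A = 614657 for the chi-square run are the example’s own assumptions.

```python
# Added example (not the paper's code): a reconstruction of the finite-state
# skew tent ("finite-state baker's") map on {1, ..., M} with key A in
# {1, ..., M-1}, its inverse, the n-round cipher, the adjacent-plaintext
# analysis of Sections III-A/III-C and the U-P chi-square test of III-F.
# The closed form is an assumption consistent with the paper's description.


def fsb_map(x, M, A):
    """One round: x in 1..A is stretched by M/A, x in A+1..M by M/(M-A) and folded."""
    if not (1 <= x <= M and 1 <= A < M):
        raise ValueError("need 1 <= x <= M and 1 <= A < M")
    if x <= A:
        return -(-M * x // A)             # ceil(M*x/A), lands in 1..M
    return M * (M - x) // (M - A) + 1     # floor(M*(M-x)/(M-A)) + 1, lands in 1..M


def fsb_inverse(y, M, A):
    """Inverse round; floor or ceiling is selected automatically by a comparison.

    Exactly one branch has a preimage: the left one iff ((y-1)A/M, yA/M]
    contains an integer, the right one iff [(y-1)(M-A)/M, y(M-A)/M) does.
    Shifting the second interval by y-1 shows the two are complementary
    halves of a unit interval, so one and only one of them holds an integer."""
    x = y * A // M                        # largest x with M*x <= y*A
    if M * x > (y - 1) * A:               # then ceil(M*x/A) == y
        return x
    k = ((y - 1) * (M - A) + M - 1) // M  # smallest k with M*k >= (y-1)(M-A)
    if M * k >= y * (M - A):
        raise ValueError("no preimage: parameters are out of range")
    return M - k


def is_bijection(M, A):
    """Check that one round permutes {1, ..., M}."""
    return sorted(fsb_map(x, M, A) for x in range(1, M + 1)) == list(range(1, M + 1))


def encrypt(x, M, A, rounds):
    for _ in range(rounds):
        x = fsb_map(x, M, A)
    return x


def decrypt(y, M, A, rounds):
    for _ in range(rounds):
        y = fsb_inverse(y, M, A)
    return y


def rounds_until_separated(x, M, A, limit=64):
    """Rounds until adjacent plaintexts x, x+1 are at distance >= 2 (subprocess 1)."""
    u, v = x, x + 1
    for n in range(1, limit + 1):
        u, v = fsb_map(u, M, A), fsb_map(v, M, A)
        if abs(u - v) >= 2:
            return n
    return None


def adjacent_pairs_kept(M, A):
    """Pairs (x, x+1) still at unit distance after one round (Section III-C)."""
    return sum(1 for x in range(1, M)
               if abs(fsb_map(x + 1, M, A) - fsb_map(x, M, A)) == 1)


def uniformity_test(M, A, rounds, x0, S, b):
    """Test U-P: chi-square statistic of the ciphertexts of S consecutive
    plaintexts starting at x0, binned into b equal-width bins (dof b-1)."""
    counts = [0] * b
    for x in range(x0, x0 + S):
        y = encrypt(x, M, A, rounds)
        counts[(y - 1) * b // M] += 1
    expected = S / b
    chi2 = sum((c - expected) ** 2 / expected for c in counts)
    return chi2, b - 1, counts


if __name__ == "__main__":
    M, A = 371, 205                       # the parameters of the paper's Table I
    print("one round is a permutation:", is_bijection(M, A))
    for x in (5, 10, 199):                # the adjacent pairs the paper singles out
        print(x, "->", [fsb_map(x, M, A), fsb_map(x + 1, M, A)],
              "separate after", rounds_until_separated(x, M, A), "rounds")
    print("unit-distance pairs after one round:", adjacent_pairs_kept(M, A))
    print("round trip ok:", all(decrypt(encrypt(x, M, A, 12), M, A, 12) == x
                                for x in range(1, M + 1)))
    # constructed parameters for the statistical test (2^20 states, odd key)
    chi2, dof, _ = uniformity_test(1 << 20, 614657, 64, 1, 2000, 100)
    print("U-P chi-square %.1f with %d degrees of freedom (1%% level: 134.7)" % (chi2, dof))
```

With M = 371 and A = 205 the pair 5 and 6 goes to 10 and 11, then to 19 and 20, and only the third round pushes the distance to 2, while 10 and 11 and 199 and 200 separate after two rounds; 39 of the 370 adjacent pairs keep unit distance after one round, which is the regularly spaced set Section III-C refers to, so the round count must cover the worst of these pairs and not the typical one. The inverse needs no division by A, only the two comparisons that decide the branch, which is the property Section IV-A attributes to decryption. The U-P statistic is compared against the 1% critical value 134.7 for 99 degrees of freedom used in Fig. 5.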

IV. DISCUSSIONS

A. Characteristics of the Proposed Cryptosystem

Fig. 7. The schematic information flow of the chaotic cryptosystem based on the finite-state baker’s map.

Characteristics of our cryptosystem are summarized as follows [18].
• The employed map is simple. In particular, rounding is tractable for digital computers. At the same time, the special rounding makes the finite-state map far from piecewise linear; it may be analytically complex. Consequently, cryptanalyses based on piecewise linearity of the map, such as linear cryptanalysis and differential cryptanalysis, seem difficult. However, it is to be noted that ease of hardware implementation is another matter.
• Encryption needs comparisons, multiplications and divisions, and decryption needs comparisons and multiplications (and no divisions). If and are relatively prime, decryption needs only comparisons and multiplications. All the divisions can be converted into the same number of multiplications because all the divisors are constant.
• We are utilizing chaotic properties of the continuous map if we could say that chaos can be observed in computer simulations. This is because the slight modification of the skew tent map is almost equivalent to ceiling or floor. Nevertheless, the finite-state map is not identical to the continuous map, and the discrepancy between the two maps grows exponentially in the course of iterations; we will discuss this point in Section IV-D.
• Ciphertexts for the cryptosystem in [17] are longer than plaintexts, and the transmission rate is . Our cryptosystem achieves the transmission rate 1 with equal lengths of plaintexts and ciphertexts.
• We show the information flow of our cryptosystem schematically in Fig. 7 (compare with Fig. 1). represents the fractional part of . The information in is seemingly lost in encryption, and random-looking information is stored in ciphertexts. consists of the information on the merging through the nonlinear map.
• In the operation of the inverse, floor or ceiling is automatically selected. The probability that only floors or only ceilings are always chosen in operations of the inverse is . Then, those who intend differential or linear cryptanalysis must exhaustively solve nonlinear equations for each of pairs of plaintexts and ciphertexts. This attack is not practical when, for example, .
• If the map has a fixed point , then . By (12), must be a repeller of the map if . It is also repelling, except for only a few neighboring points, when . Accordingly, our cryptosystem is strong against cryptanalysis utilizing fixed points; searching for should be exhaustive in the plaintext space. For the same reason, cryptanalysis based on cycles of the map is also difficult.
• iterations are required. If and are relatively prime, can be reduced to . The results of the chi-square tests imply that is practically sufficient. Another way to reduce is to generalize the transformation, as explained in Section IV-B.
• Possible cryptanalysis can be based on the symbolic dynamics [23] of the continuous map constructed by interpolating the finite-state map. Nevertheless, cryptanalysis based on symbolic dynamics is difficult because the interpolated map is highly irregular despite its piecewise monotonicity. It needs a huge amount of computation to actually construct the symbolic dynamics. For simplicity, let us first think of the symbolic dynamics for the skew Bernoulli map. A skew Bernoulli map is defined by shifting the critical value of the Bernoulli map off from . We attach ‘0’ for and ‘1’ for . In the symbolic representation of , 0’s appear before the first 1 if and only if

After the first 1 at the th bit, zeros follow before the next 1 if

Then, the second 1 comes at the th bit, and the positions of the succeeding 1’s can be determined repeatedly. Consequently, can be uniquely expanded in the form

Then, the binary expansion of is

where if and otherwise. For example,

where and . To obtain the symbolic representation of for the skew tent map, we can follow the standard method to obtain the symbolic representation of the tent map [33]. We define and ; for a longer binary sequence is defined similarly. Then, using

the symbolic representation for is 0.001 011 11, and attackers are supposed to use this representation for the cryptanalysis. However, performing this expansion requires exhaustive expansion of .
• Although we have used the same key through all the rounds, it would be better to apply key scheduling to strengthen the cryptosystem against key-related attacks such as slide attacks [34].
• We can use as a part of the secret key as long as is not too small. This generalization scales up the key space by a factor of the order of 100.

B. Generalizations of Encryption Functions
The encryption functions can be generalized. For example, we can use piecewise linear maps with more critical points or nonlinear maps such as logistic maps. Introducing nonlinearity by nonlinear maps apparently enhances the security; however, calculations of roots must be involved, which significantly slow down the encoding. In addition, our discretization is based on counting the ascending orders. This counting procedure cancels out much of the nonlinearity of the maps. For these reasons, we consider only the class of piecewise linear maps here.

Fig. 8. A piecewise-linear map with two critical points a and a .

We start with piecewise linear maps with two critical points and given in Fig. 8 and in (26)

(26)

We use the values of two critical points as secret keys. The generalized finite-state map corresponding to in the integer notation is given by (27), shown at the bottom of the page.

(27)

To calculate , we set

(28)

Equation (28) leads to or . If , then . is excluded from since . Characteristics of encryption by are summarized as follows:
• Since the secret keys consist of two values of critical points, the key space is enlarged. We put the following restrictions on the key values:

to achieve efficient merging processes. Accordingly, . Generally speaking, is a necessary condition for security standard where denotes the conditional entropy. As a result, is required for complete secrecy. In contrast to the original cryptosystem with , the cryptosystem derived from has much larger than for large . This enlarged key space enhances security against exhaustive attacks.
• The Lyapunov exponent of is

This Lyapunov exponent is larger than that for for most cases. To evaluate the required iteration number , we decompose into and as in Section III.A. In the current case, and can be evaluated as

(29)

If , then

(30)

If , then

(31)

Ignoring trivial , we have . We can make smaller with since the information decays more rapidly per iteration than with .
• We can decrease if and are relatively prime. We assume that and are relatively prime, and also without losing generality. Following the technique used in Section III.C, must be chosen so that

Consequently, and . Compared with the cryptosystem based on , we can better suppress pathological cases where the unit distance is reluctant to stretch before exponential growing of distances. Furthermore, we have only to consider the cases or in this case. Consequently, the conditioning in (29) can be omitted.
• Computational complexity per iteration increases. comparisons, multiplications and divisions are required for encryption by . Decryption by needs comparisons and multiplications (and no divisions). There is a tradeoff; if information dissipates rapidly with small , then computational complexity per operation increases. We compared the encryption speed of with . According to our simulation results with , the encryption with is 20% faster than that with .

C. Entropy-Based Analysis
We can evaluate the information loss of chaotic maps by the KS entropy. Though the KS entropy is equivalent to the Lyapunov exponent in the one-dimensional map, it has more to do with global features of dynamical systems than the Lyapunov exponents. We utilize the KS entropy to understand the plaintext information dissipation by analogy with the Shannon entropy. However, the KS entropy can be used only for continuous-state maps by its definition; it evaluates the information dissipation of many-to-one maps. is one-to-one on a finite lattice. The KS entropy of a one-to-one map is zero. To use the KS entropy as a measure of plaintext information dissipation, we postulate that and (defined in (5) and (6)) cannot be distinguished by any effective algorithm. The security of our cryptosystem heavily relies on this quasi-two-to-one property of . Then, we must choose and such that

Consequently, we have ( is explained in (17)). This is a natural consequence of exponential information decay in the course of iterations. This iteration number is much less than derived from orbital evaluations in Sections III.A, III.B and III.C. It is rather close to given by the statistical analysis. The KS entropy is helpful also to determine ; it theoretically supports the intuitive avoidance of those ’s close to 0 or 1 [16], [17]. The analysis using the KS entropy provides some design criteria related to the cryptological security although the relation between the two must be explored more rigorously.

The KS entropy can also be used to evaluate the required iteration number of other chaotic cryptosystems. As an example, we study the chaotic cryptosystem composed of a discretized generalized baker’s map in the unit square [27]. A generalized baker’s map is defined as

where the set of satisfying is the secret key . The unit square is then discretized as a lattice with pixels so that is an integer. The chaotic permutation is constructed on this lattice by discretizing , and the encryption is done by iterating this permutation [27]. We re-interpret the underlying continuous map as a many-to-one map rather than

where is to one in . The complexity of the permutation comes from this quasi-many-to-one property of . The KS entropy for is

and it is equal to the positive Lyapunov exponent of along coordinate. The choice of for [27] is reasonable since .
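The one-to-one property of the finite-state map used above and the cycle-period statistics examined in Section D below, as an added example that is not the paper's own code. The page does not reproduce the definition of the discretized skew tent map, so the ceiling/floor form below is an assumption made for illustration; the function names are chosen here.

```python
# Added illustration, not the paper's own code. ASSUMPTION: the page does not
# reproduce the finite-state map, so the rising branch is taken as a ceiling
# and the falling branch as a floor, following the text's remark that the
# discretization is "almost equivalent to ceiling or floor".
import random


def skew_tent_perm(M, A):
    """Map on {1..M} with critical point A, as a list p with p[X-1] = F(X).
    Both branches are strictly monotone with |slope| > 1, like the continuous
    skew tent map; integer arithmetic avoids floating-point rounding."""
    if not 1 <= A < M:
        raise ValueError("need 1 <= A < M")
    p = []
    for X in range(1, M + 1):
        if X <= A:
            p.append(-(-M * X // A))              # ceil(M*X/A)
        else:
            p.append(M * (M - X) // (M - A) + 1)  # floor(M*(M-X)/(M-A)) + 1
    return p


def is_permutation(p):
    """True iff p is a bijection of {1..len(p)}; decryption requires this."""
    return sorted(p) == list(range(1, len(p) + 1))


def cycle_lengths(p):
    """Sorted lengths of all cycles of the permutation p."""
    seen = [False] * len(p)
    lengths = []
    for start in range(len(p)):
        if seen[start]:
            continue
        n, x = 0, start
        while not seen[x]:
            seen[x] = True
            x = p[x] - 1
            n += 1
        lengths.append(n)
    return sorted(lengths)


def mean_period(p):
    """Expected period of a uniformly chosen starting point: sum(l^2)/M."""
    return sum(l * l for l in cycle_lengths(p)) / len(p)


def compare(M, A, trials=100, seed=1):
    """Mean period of the discretized map next to the random-permutation
    value; for a uniformly random permutation the cycle through a given
    point has length uniform on 1..M, so its mean period is (M+1)/2."""
    p = skew_tent_perm(M, A)
    if not is_permutation(p):
        raise AssertionError("discretized map is not one-to-one")
    rng = random.Random(seed)
    acc = 0.0
    for _ in range(trials):
        q = list(range(1, M + 1))       # constructed random permutation
        rng.shuffle(q)
        acc += mean_period(q)
    return {"skew_tent": mean_period(p),
            "random_theory": (M + 1) / 2,
            "random_empirical": acc / trials}
```

Running `compare(4096, 2001)` and `compare(4096, 101)` side by side shows how the critical point's distance from M/2 affects the cycle statistics for one lattice size.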

D. Finite-State Dynamics and Continuous-State Dynamics
We have analyzed several aspects of randomness of our cryptosystem using dynamical characteristics. The Lyapunov exponents, the autocorrelation function, the mixing property and the KS entropy were employed to measure the information decay in the course of iterations. However, we must be careful in interpreting these results. The replacement of with is nontrivial because the slight discrepancy between these maps grows exponentially. This problem has widely been studied in the context of computer arithmetic of chaotic orbits. A main result is that for the discretized tent maps, where denotes the mean cycle period of the discretized tent map with states [35]. Rannou [36] also studied a chaotic permutation constructed from a standard chaotic map on a torus, and showed that the maximum cycle period is about . These results are consistent with the property of the random permutation: [36], [37]. The numerical result for of is shown in Fig. 9 accompanied with the standard deviation and the theoretical values for the random permutation [36]. We can observe , which is the same as for the discretized tent map and the random permutation. The position of the critical point a does not have a vital effect unless it is extremely far from 0.5. As a result, typically generates cycles whose lengths are of the order of . The points on these long cycles occupy most

Fig. 9. Normalized L(M) and std(M) (dots), together with theoretical values for a random permutation (lines). Statistics are taken using 120 samples of a equi-distantly distributing in [0.481, 0.589] for each M.

points in the domain. Then, we can consider typical orbits in ‘ergodic’. This ‘ergodicity’ is based on the periodic orbit skeletonization [38] which states that the empirical measure obtained from typical long cycles converges to the theoretical invariant measure when . Here, we mean by ergodicity that a typical orbit (cycle) uniformly covers about points in the discrete phase space . The qualitative similarity between and shown in Fig. 4 also implies the ‘ergodic’ property and the ‘mixing’ property of . Equation (11) indicates that the difference in the expansion exponents of and can be ignored if the initial difference is large enough. We have carefully treated the case of tiny initial difference of order when deriving the required . Though the orbits of and are different, we can expect the qualitative similarity of the two maps up to iterations. As a remark, we do not have to worry about cycle formation in iterations since . The evidence explained here supports the validity of using in the security analysis in the low regime. For , seems a random permutation. In this situation combinatorial arguments may be more useful than the arguments in the Euclidean space.

V. CONCLUSION
On the basis of analysis on the former chaotic cryptosystems, we have constructed a new chaotic cryptosystem by discretizing the skew tent map. Then, some properties on randomness have been examined using the Lyapunov exponents along individual orbits, the autocorrelation function, the ergodicity, the mixing property, and the KS entropy, together with some numerical evidence. They are useful in specifying the iteration number and the key value. The generalization and the difference between the discretized map and the original map have been discussed, suggesting the ergodic and chaotic properties of the discretized map. We cannot directly compile our security arguments into cryptological security which is based on Shannon’s information theory and the topology related to binary sequences. Particularly, our security analysis has the crucial limitation that it can be applied only for small . As gets larger, the encipher


has less relevance to dynamical systems. However, we expect that they are closely related to the cryptological security. It is an important future problem to explore the relations between them as well as to sophisticate our cryptosystem. The applications of the dynamical characteristics to other cryptosystems are also included in our future studies. The topological entropy may play an important role for cryptosystems with artificial permutations which are not derived by discretizing continuous maps. In this case, we cannot calculate the KS entropy since we do not have underlying continuous maps. Nevertheless, we can calculate the topological entropy by dividing the state space into bins. At the same time, it is necessary to compare performances of chaotic cryptosystems with commonly used ones with high performances. Chaotic cryptosystems with generalized Baker’s maps [25]–[27], [39] are closely related to the number theory, which might be a key to connect chaotic cryptosystems and conventional ones. Our chaotic permutation is easy to construct, and possible applications include chaotic stream ciphers and chaotic random number generators.

ACKNOWLEDGMENT
The authors wish to thank Dr. K. Umeno from the Communications Research Laboratory, and H. Shimokawa from the University of Tokyo for helpful discussions and suggestions during this work.

REFERENCES
[1] K. M. Cuomo and A. V. Oppenheim, “Circuit implementation of synchronized chaos with applications to communications,” Phys. Rev. Lett., vol. 71, no. 1, pp. 65–68, 1993.
[2] K. M. Cuomo, A. V. Oppenheim, and S. H. Strogatz, “Synchronization of Lorenz-based chaotic circuits with applications to communications,” IEEE Trans. Circuits Syst. II, vol. 40, pp. 626–633, Oct. 1993.
[3] H. Dedieu, M. P. Kennedy, and M. Hasler, “Chaos shift keying: Modulation and demodulation of a chaotic carrier using self-synchronizing Chua’s circuits,” IEEE Trans. Circuits Syst. II, vol. 40, pp. 634–642, Oct. 1993.
[4] T. Yang and L. O. Chua, “Channel-independent chaotic secure communication,” Int. J. Bifurcation and Chaos, vol. 6, no. 12B, pp. 2653–2660, 1996.
[5] Lj. Kocarev, K. S. Halle, K. Eckert, L. O. Chua, and U. Parlitz, “Experimental demonstration of secure communications via chaotic synchronization,” Int. J. Bifurcation and Chaos, vol. 2, no. 3, pp. 709–713, 1992.
[6] A. G. de Oliveira and A. J. Jones, “Synchronization of chaotic maps by feedback control and application to secure communications using chaotic neural networks,” Int. J. Bifurcation and Chaos, vol. 8, no. 11, pp. 2225–2237, 1998.
[7] S. Papadimitriou, A. Bezerianos, and T. Bountis, “Secure communication with chaotic systems of difference equations,” IEEE Trans. Comput., vol. 46, pp. 27–38, Jan. 1997.
[8] M. Göetz, K. Kelber, and W. Schwarz, “Discrete-time chaotic encryption systems—Part I: Statistical design approach,” IEEE Trans. Circuits Syst. I, vol. 44, pp. 963–970, Oct. 1997.
[9] F. Dachselt, K. Kelber, and W. Schwarz, “Discrete-time chaotic encryption systems—Part III: Cryptographical analysis,” IEEE Trans. Circuits Syst. I, vol. 45, pp. 983–988, Sept. 1998.
[10] D. R. Frey, “Chaotic digital encoding: An approach to secure communication,” IEEE Trans. Circuits Syst. II, vol. 40, pp. 660–666, Oct. 1993.
[11] G. Pérez and H. A. Cerdeira, “Extracting messages masked by chaos,” Phys. Rev. Lett., vol. 74, no. 11, pp. 1970–1973, 1995.
[12] K. M. Short, “Steps toward unmasking secure communications,” Int. J. Bifurcation and Chaos, vol. 4, no. 4, pp. 959–977, 1994.
[13] ——, “Unmasking a modulated chaotic communications scheme,” Int. J. Bifurcation and Chaos, vol. 6, no. 2, pp. 367–375, 1996.
[14] T. Kohda and A. Tsuneda, “Stream cipher systems based on chaotic binary sequences,” SCIS96-11C, Jan. 1996.
[15] T. Kohda and H. Soh, “Pseudorandom-Teste of BBS generator and discrete chaos generator based on i.i.d. property,” SCIS98-5.1.A, Jan. 1998 (in Japanese).
[16] T. Habutsu, Y. Nishio, I. Sasase, and S. Mori, “A secret key cryptosystem by iterating chaotic map,” Lect. Notes Comput. Sci., vol. 547, pp. 127–140, 1991.
[17] M. Tsueike, T. Ueta, and Y. Nishio, “An application of two-dimensional chaos cryptosystem,” Tech. Rep. of IEICE, NLP96-19, May 1996 (in Japanese).
[18] N. Masuda and K. Aihara, “Chaotic cipher by finite-state Baker’s map,” Trans. of IEICE, vol. J82-A, no. 7, pp. 1038–1046, 1999 (in Japanese).
[19] E. Biham, “Cryptanalysis of the chaotic-map cryptosystem suggested at EUROCRYPT’91,” Lect. Notes Comput. Sci., vol. 547, pp. 532–534, 1991.
[20] Th. Beth, D. E. Lazic, and A. Mathias, “Cryptanalysis of cryptosystems based on remote chaos replication,” in Proc. Crypto’94, Aug. 1994, pp. 318–331.
[21] M. Harada, Y. Nishio, and A. Ushida, “A cryptosystem using two chaotic maps,” in Proc. NOLTA’99, Dec. 1999, pp. 609–612.
[22] Z. Kotulski and J. Szczepanski, “Discrete chaotic cryptography,” Ann. Physik, vol. 6, no. 5, pp. 381–394, 1997.
[23] B. L. Hao, Chaos II. Singapore: World Scientific, 1990, pp. 27–34.
[24] I. Percival and F. Vivaldi, “Arithmetical properties of strongly chaotic motions,” Physica D, vol. 25, no. 1–3, pp. 105–130, 1987.
[25] J. Scharinger, “Kolmogorov systems: Internal time, irreversibility and cryptographic applications,” in Proc. AIP Conf. on Computing Anticipatory Systems, vol. 437, D. Dubois, Ed. Woodbury, NY: Amer. Inst. of Phys., 1998.
[26] F. Pichler and J. Scharinger, “Finite dimensional generalized Baker dynamical systems for cryptographic applications,” Lect. Notes Comput. Sci., vol. 1030, pp. 465–476, 1996.
[27] J. Fridrich, “Symmetric ciphers based on two-dimensional chaotic maps,” Int. J. Bifurcation and Chaos, vol. 8, no. 6, pp. 1259–1284, 1998.
[28] L. Kocarev, G. Jakimoski, T. Stojanovski, and U. Parlitz, “From chaotic maps to encryption schemes,” in Proc. IEEE Int. Symp. ISCAS’98, vol. 4, May/June 1998, pp. 514–517.
[29] N. Masuda and K. Aihara, “A chaotic cryptosystem based on a finite-state Baker’s map and its security analysis,” in Proc. NOLTA’99, Dec. 1999, pp. 613–616.
[30] D. E. Knuth, The Art of Computer Programming, vol. 2, Seminumerical Algorithms, 3rd ed. Reading, MA: Addison-Wesley, 1998.
[31] A. Baranovsky and D. Daems, “Design of one-dimensional chaotic maps with prescribed statistical properties,” Int. J. Bifurcation and Chaos, vol. 5, no. 6, pp. 1585–1598, 1995.
[32] T. Kohda and A. Tsuneda, “Statistics of chaotic binary sequences,” IEEE Trans. Inform. Theory, vol. 43, pp. 104–112, Jan. 1997.
[33] H. E. Nusse and J. A. Yorke, “Is every approximate trajectory of some process near an exact trajectory of a nearby process?,” Commun. Math. Phys., vol. 114, pp. 363–379, 1988.
[34] F. Hoshino, “Cryptanalysis of finite state-chaotic encryption system,” in SCIS2001, 2001 (in Japanese).
[35] C. Beck and G. Roepstroff, “Effects of phase space discretization on the long-time behavior of dynamical systems,” Physica D, vol. 25, no. 1–3, pp. 173–180, 1987.
[36] F. Rannou, “Numerical study of discrete plain area-preserving mappings,” Astron. Astrophys., vol. 31, pp. 289–301, 1974.
[37] N. Masuda and K. Aihara, “Dynamical characteristics of discretized chaotic permutations,” J. Bifurcation Chaos, submitted for publication.
[38] R. Bowen, “Periodic points and measures for Axiom A diffeomorphisms,” Trans. Amer. Math. Soc., vol. 154, pp. 377–397, 1971.
[39] J. Scharinger, “Irreversibility aspects of Kolmogorov systems,” in Cybernetics and Systems ’98, R. Trappl, Ed. Vienna, Austria: Austrian Society for Cybernetic Studies, 1998, vol. 1, pp. 71–76.

Naoki Masuda received the B.E. and the Master’s degrees in mathematical engineering and information physics from the University of Tokyo, Tokyo, Japan, in 1998 and 2000, respectively. Currently, he is pursuing the doctoral degree in the Department of Mathematical Engineering and Information Physics, the University of Tokyo. His research interests include chaotic cryptosystems, time series analysis using the wavelet transformations, and information processing in biological and model neurons.

Kazuyuki Aihara received the B.E. degree in electrical engineering in 1977, and the Ph.D. degree in electronic engineering in 1982, both from the University of Tokyo, Tokyo, Japan. Currently, he is Professor in the Department of Complexity Science and Engineering and the Department of Mathematical Engineering and Information Physics, the University of Tokyo. His research interests include mathematical modeling of biological neurons, parallel distributed processing with chaotic neural networks, and time series analysis of chaotic data.