Public-key encryption with chaos - Semantic Scholar

CHAOS

VOLUME 14, NUMBER 4

DECEMBER 2004

Public-key encryption with chaos

Ljupco Kocarev and Marjan Sterjev
Institute for Nonlinear Science, University of California, San Diego, 9500 Gilman Drive, La Jolla, California 92093-0402

Attila Fekete and Gabor Vattay
Department of Physics of Complex Systems of the Eotvos Lorand University, Budapest, Hungary

(Received 22 June 2004; accepted 2 October 2004; published online 15 November 2004)

We propose public-key encryption algorithms based on chaotic maps, which are generalizations of well-known and commercially used algorithms: Rivest–Shamir–Adleman (RSA), ElGamal, and Rabin. For the case of the generalized RSA algorithm we discuss in detail its software implementation and properties. We show that our algorithm is as secure as the RSA algorithm. © 2004 American Institute of Physics. [DOI: 10.1063/1.1821671]

Chaotic systems are characterized by sensitive dependence on initial conditions, similarity to random behavior, and continuous broad-band power spectrum. The possibility for self-synchronization of chaotic oscillations has sparked an avalanche of works on application of chaos in cryptography. Here we propose public-key encryption algorithms based on chaotic maps, which are generalizations of well-known and commercially used algorithms: Rivest–Shamir–Adleman (RSA), ElGamal, and Rabin. The proof that the encryption algorithms work is based on the semigroup property of Chebyshev maps and a detailed analysis of the periodic structure of torus automorphisms. For the case of the generalized RSA algorithm we discuss in detail its software implementation. We show that the algorithm is as secure as the RSA algorithm.

I. INTRODUCTION

Over the past decade, there has been tremendous interest in studying the behavior of chaotic systems. They are characterized by sensitive dependence on initial conditions, similarity to random behavior, and continuous broad-band power spectrum. Chaos has potential applications in several functional blocks of a digital communication system: compression, encryption and modulation. The possibility for self-synchronization of chaotic oscillations [1] has sparked an avalanche of works on application of chaos in cryptography. An attempt merely to mention all related papers on chaos and cryptography in this short presentation would result in a prohibitively long list, and therefore we refer the reader to some recent work [2].

Chebyshev maps and torus automorphisms play a crucial role in the study of chaos. A central problem in the study of chaotic motion is the calculation and classification of the periodic orbits. Detailed information about these orbits is buried so deep in the structure of a given system that there is no systematic method with which to extract it analytically. Properties of the periodic orbits in chaotic systems may be investigated by seeking “typical” behavior of either individual orbits or families of them (i.e., properties which are common to all such systems). In this way general information concerning, for example, their density in phase space and the distribution of their periods can be obtained. An alternative approach is to study in detail those chaotic systems for which a complete classification of the periodic orbits may be constructed. This approach was carried out in detail for torus automorphisms in Refs. 3 and 4. Some recent work on torus automorphisms and the quantum cat map can be found in Ref. 5.

Public-key algorithms [6], also called asymmetric algorithms, are designed so that (i) the encryption key is different from the decryption key, (ii) the encryption key can be made public, and (iii) the decryption key cannot, at least in any reasonable amount of time, be calculated from the encryption key. There are many public-key algorithms: only a few of them are both secure and practical, of which only three work well for both encryption and digital signature: RSA, ElGamal, and Rabin [6]. In this communication we propose public-key encryption algorithms based on chaotic maps [7], which are (i) both secure and practical, and (ii) can be used for both encryption and digital signature.

II. PUBLIC-KEY ENCRYPTION

Cryptography has come to be understood to be the science of secure communication. The publication in 1949 by Shannon of the paper “Communication theory of secrecy systems” [8] ushered in the era of scientific secret-key cryptography. However, Shannon’s 1949 paper did not lead to the same explosion of research in cryptography that his 1948 paper had triggered in information theory [9]. The real explosion came with the publication in 1976 by Diffie and Hellman of their paper, “New directions in cryptography” [10]. Diffie and Hellman showed for the first time that secret communication was possible without any transfer of a secret key between sender and receiver, thus establishing the turbulent epoch of public-key cryptography. Moreover, they suggested that computational complexity theory might serve as a basis for future research in cryptography.

In a public-key encryption system [6] each entity A has a public key $e$ and a corresponding private key $d$. In secure systems, the task of computing $d$ given $e$ is computationally infeasible. The public key defines an encryption transformation $E_e$, while the private key defines the associated decryption transformation $D_d$. Any entity B wishing to send a message $M$ to A obtains an authentic copy of A’s public key $e$, uses the encryption transformation to obtain the ciphertext $c = E_e(M)$, and transmits $c$ to A. To decrypt $c$, A applies the decryption transformation to obtain the original message $M = D_d(c)$.

Since 1976, numerous public-key algorithms have been proposed; the three most widely used public-key crypto-systems are RSA, Rabin and ElGamal. The security of the RSA system, named after its inventors Rivest, Shamir, and Adleman, is based on the intractability of the integer factorization problem. In the Rabin public-key encryption scheme, the problem faced by a passive adversary is computationally equivalent to factoring. The security of the ElGamal public-key system is based on the intractability of the discrete logarithm problem.

Public-key encryption schemes are typically substantially slower than symmetric-key encryption algorithms. For this reason, public-key encryption is most commonly used in practice for encrypting small data items and/or for transport of keys, subsequently used for data encryption by symmetric-key algorithms.

From a dynamical point of view, all three encryption algorithms RSA, ElGamal, and Rabin [6] employ one single system

$$X_{n+1} = (X_n)^p \pmod{N}, \tag{1}$$

where $X$ is an integer, $0 \le X \le N - 1$, and $X_0$, $p$, and $N$ are properly chosen integers. For example, in the ElGamal public-key scheme, one uses (1), where $N$ is a prime, $X_0$ is a generator of the multiplicative group $Z_N^*$ of integers modulo $N$, and $1 \le p \le N - 2$. In the RSA algorithm, $N = PQ$, where $P$ and $Q$ are two random distinct primes, $p$ is an integer $1 < p < \phi$, where $\phi = (P - 1)(Q - 1)$, such that $\gcd(p, \phi) = 1$, and $X_0$ is the message to be encrypted. The Rabin public-key encryption scheme uses (1) with $p = 2$, $N = PQ$, where $P$ and $Q$ are primes both congruent to 3 (mod 4), and $X_0$ is the message to be encrypted.

In the ElGamal public-key scheme, the entity A generates a large random prime $N$ and a generator $X_0$ of the multiplicative group $Z_N^*$ of integers modulo $N$, and also generates a random integer $s \le N - 2$ and computes $A = X_0^s \pmod{N}$. A’s public key is $(X_0, A, N)$; A’s private key is $s$. To encrypt a message $m$, the entity B selects a random integer $r \le N - 2$, computes $B = X_0^r \pmod{N}$ and $X = m A^r \pmod{N}$, and sends the cipher-text $c = (B, X)$ to A. To recover the message $m$ from $c$, A uses the private key $s$ to recover $m$ by computing $m = B^{-s} X \pmod{N}$.

From the dynamical point of view all three schemes use the following property of (1):

$$(X^p)^q = X^{pq} \pmod{N}. \tag{2}$$

In addition, the RSA algorithm and the Rabin public-key encryption scheme use some properties of (1) related to the period of the sequence $X, X^2 \pmod{N}, X^3 \pmod{N}, \ldots$. Can another dynamical system be used in public-key encryption algorithms? In this paper we affirmatively answer this question; although we present an example of a generalized RSA algorithm, torus automorphisms can also be used in generalized versions of the ElGamal and Rabin encryption schemes.

III. CHAOTIC MAPS

In this section we discuss two well-known examples of chaotic maps: one-dimensional Chebyshev maps and two-dimensional torus automorphisms. The public-key encryption algorithm proposed in this paper uses the following map: $Y = T_p(X) \pmod{N}$, where $X \in \{0, 1, \ldots, N - 1\}$, $N$ and $p$ are integers, and $T_p$ is the Chebyshev map of order $p$. Below we show the following two properties: (i) Chebyshev maps commute, that is $T_p(T_q(X)) = T_{pq}(X)$, which is a generalization of (2), and (ii) the period of the sequence $X, T_2(X) \pmod{N}, T_3(X) \pmod{N}, \ldots$ can be determined from the known results on the periodic structure of torus automorphisms. Both these results are crucial in proving that our encryption method works.

A. Chebyshev maps

The Chebyshev polynomial map $T_p : R \to R$ of degree $p$ is defined using the following recurrence relation:

$$T_{p+1}(x) = 2x T_p(x) - T_{p-1}(x), \tag{3}$$

with $T_0 = 1$ and $T_1 = x$. The interval $[-1, 1]$ is invariant under the action of the map $T_p$: $T_p([-1, 1]) = [-1, 1]$. Therefore, the Chebyshev polynomial restricted to the interval $[-1, 1]$ is a well-known chaotic map for all $p > 1$: it has a unique absolutely continuous invariant measure with positive Lyapunov exponent $\ln p$. For $p = 2$, the Chebyshev map reduces to the well-known logistic map. One of the most important properties of Chebyshev polynomials is the so-called semigroup property, which establishes that

$$T_r(T_s(x)) = T_{r \cdot s}(x). \tag{4}$$

An immediate consequence of this property is that Chebyshev polynomials commute under composition: $T_r(T_s(x)) = T_s(T_r(x))$. Equation (3) can be rewritten as

$$\begin{bmatrix} T_p \\ T_{p+1} \end{bmatrix} = \begin{bmatrix} 0 & 1 \\ -1 & 2x \end{bmatrix} \begin{bmatrix} T_{p-1} \\ T_p \end{bmatrix}, \tag{5}$$

or, after some algebra, as

$$\begin{bmatrix} T_p \\ T_{p+1} \end{bmatrix} = \begin{bmatrix} 0 & 1 \\ -1 & 2x \end{bmatrix}^p \begin{bmatrix} T_0 \\ T_1 \end{bmatrix}, \tag{6}$$

with $T_0 = 1$ and $T_1 = x$. Therefore, for a given $x$, the properties of the sequence $1, x, T_2(x), T_3(x), \ldots$ depend on the last two equations (5) and (6), which are, in fact, nothing but a two-torus automorphism.

B. Torus automorphisms

Another prototype of a chaotic map is a torus automorphism. An automorphism of the two-torus is implemented by a $2 \times 2$ matrix $M$ with integer entries and determinant ±1. The requirement that the matrix $M$ has integer entries ensures that $M$ maps the torus into itself. The requirement that the determinant of the matrix $M$ is ±1 guarantees invertibility. Here we consider only strictly unimodular automorphisms, for which $\det M = 1$. Let $M$ be a 2-torus automorphism

$$\begin{bmatrix} x' \\ y' \end{bmatrix} = M \begin{bmatrix} x \\ y \end{bmatrix} \pmod{1}, \tag{7}$$

where $x, y \in [0, 1]$. Let $2k$ be the trace (which is an integer) of the automorphism $M$. It is well known that for $k > 1$ (we will consider only positive $k$) the automorphism $M$ has strong chaotic properties, and in particular, it has a dense set of unstable periodic orbits.

The structure of periodic orbits of the 2-torus automorphisms has been studied by Percival and Vivaldi [3]. Periodic orbits of a two-torus automorphism consist of points which have rational coordinates $\xi = p_1 / q_1$, $\eta = p_2 / q_2$, where $p_i$, $q_i$ are integers, $i = 1, 2$. Let $p_i$, $q_i$ be co-prime (their greatest common divisor is 1) and $g$ be the least common multiple of $q_1$ and $q_2$. Clearing denominators, we let $M$ act on $Z^2$, the lattice of integral vectors. Taking into account the periodicity of the torus by identifying points whose coordinates differ by multiples of $q$, we consider the factor group $Z^2 / gZ^2$. Thus, the dynamics of periodic orbits is dynamics over a finite set of integers. The work [3] illustrates the close link existing between arithmetic in algebraic number fields and strongly chaotic dynamics. The main conclusions of Ref. 3 may be summarized as follows:

• A 2-torus automorphism has three different types of (periodic) orbit structure, according to the classification of rational primes: inert, split, and ramified primes [11].
• The orbits which correspond to inert primes are almost without structure. The split primes have two distinct ideal factors, which correspond to orbits confined to invariant sublattices. For this reason, two ideal orbits which exist on split prime lattices are the “most ergodic” orbits, and thus, equilibrium averages computed with them minimize statistical fluctuations.
• Both inert and split prime lattices are found infinitely often, and moreover with the same frequency in both cases. These are consequences of Dirichlet’s theorem on the existence of infinitely many primes in any arithmetic progression [12].
• The ramified prime lattices support orbits which are exceptionally regular. However, there is only a finite number of ramified primes, so that this apparently contradictory phenomenon of regularity in chaos is in fact very rare.

IV. FLOATING-POINT VERSUS INTEGER ARITHMETIC

Chaotic systems are defined on real numbers. Any encryption algorithm which uses chaotic maps, when implemented on a computer (finite-state machine), becomes a transformation from a finite set onto itself. Because of its wide dynamic range, the floating-point implementation seems to be the most appropriate for software realizations (implementation) of chaotic maps. However, there are at least two reasons for not using floating-point arithmetic in public-key encryption. First, floating-point numbers are not uniformly distributed over any given interval of the real axis [13]. Furthermore, one may observe the existence of redundant number representations. Indeed, due to the normalized calculations in floating-point arithmetic, more than one floating-point number may represent the same real numerical value. Second, there are no analytical tools for understanding the periodic structure of the periodic orbits in the floating-point implementation of chaotic maps (when implemented on a computer chaotic maps are always periodic: all trajectories are eventually periodic). On the other hand, when using integers one may, applying the tools from number theory as in the case of the torus automorphisms, understand the structure of the orbits.

V. RSA PUBLIC-KEY ENCRYPTION

The RSA crypto-system is the most widely used public-key crypto-system. It may be used to provide both secrecy and digital signatures and its security is based on the intractability of the integer factorization problem. We now describe the generalization of the RSA encryption scheme for chaotic maps. As in the case of the RSA crypto-system, our system can be used for both encryption and digital signature and its security is based on the intractability of the integer factorization problem. Without loss of generality in what follows we consider the following form of a torus automorphism:

$$\begin{bmatrix} x_{n+1} \\ y_{n+1} \end{bmatrix} = \begin{bmatrix} 0 & 1 \\ -1 & 2k \end{bmatrix} \begin{bmatrix} x_n \\ y_n \end{bmatrix} \pmod{1}. \tag{8}$$

The determinant of the matrix is 1 and its trace is $2k$ (torus automorphisms are parameterized with only one parameter, the trace of the corresponding matrix). Since we will implement our algorithm using integers, one can rewrite (8) as follows:

$$\begin{bmatrix} X_{n+1} \\ Y_{n+1} \end{bmatrix} = \begin{bmatrix} 0 & 1 \\ -1 & 2k \end{bmatrix} \begin{bmatrix} X_n \\ Y_n \end{bmatrix} \pmod{N}, \tag{9}$$

where $X$, $Y$, and $N$ are integers.

We now describe the algorithm. As mentioned previously, in a public-key encryption system [6] an entity, called Alice, has a public key $e$ and a corresponding private key $d$. The public key defines an encryption transformation $E_e$, while the private key defines the associated decryption transformation $D_d$. An entity, called Bob, wishing to send a message $M$ to Alice obtains an authentic copy of Alice’s public key $e$, uses the encryption transformation to obtain the cipher-text $c = E_e(M)$, and transmits $c$ to Alice. To decrypt $c$, Alice applies the decryption transformation to obtain the original message $M = D_d(c)$. The RSA public key cryptographic system consists of two algorithms: an algorithm for key generation and an algorithm for encryption.

Algorithm for key generation. Alice should do the following:

(1) Generate two large random (and distinct) primes $p$ and $q$, each roughly the same size;
(2) compute $N = pq$ and $\phi = (p^2 - 1)(q^2 - 1)$;
(3) select a random integer $e$, $1 < e < \phi$, such that $\gcd(e, \phi) = 1$;
(4) compute the unique integer $d$, $1 < d < \phi$, such that $ed \equiv 1 \pmod{\phi}$;
(5) Alice’s public key is $(N, e)$; Alice’s private key is $d$.

Algorithm for encryption.

1. Encryption. To encrypt a message $m$, Bob should do the following:

(a) Obtain Alice’s authentic public key $(N, e)$;
(b) represent the message $m$ as an integer in the interval $[0, N - 1]$;
(c) compute

$$\begin{bmatrix} X_e \\ Y_e \end{bmatrix} = \begin{bmatrix} 0 & 1 \\ -1 & 2m \end{bmatrix}^e \begin{bmatrix} 1 \\ m \end{bmatrix} \pmod{N}, \tag{10}$$

(d) send $c = X_e$ to Alice.

2. Decryption. To recover the message $m$ from $c$, Alice should do the following:

(a) Use the private key $d$ to compute

$$\begin{bmatrix} X_d \\ Y_d \end{bmatrix} = \begin{bmatrix} 0 & 1 \\ -1 & 2c \end{bmatrix}^d \begin{bmatrix} 1 \\ c \end{bmatrix} \pmod{N}, \tag{11}$$

(b) recover the message as $m = X_d$.
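The key-generation, encryption and decryption steps above as a runnable sketch. This is an added example, not the authors' Java or GMP implementation: the function names are assumptions of the example, matrix powers are computed by square and multiply, and the numeric parameters are those of the paper's small worked example.

```python
"""Generalized RSA over the torus automorphism A = [[0, 1], [-1, 2k]] (mod N).

Added illustration; function names are this example's own. Textbook form with
no padding, so encryption is deterministic, as in the scheme described above.
"""
from math import gcd


def mat_mul(a, b, n):
    """Product of two 2x2 matrices (tuples of rows), reduced modulo n."""
    return tuple(
        tuple(sum(a[i][t] * b[t][j] for t in range(2)) % n for j in range(2))
        for i in range(2)
    )


def mat_pow(a, exp, n):
    """Square and multiply, scanning the exponent from its top bit down."""
    result = ((1 % n, 0), (0, 1 % n))          # identity matrix I
    for bit in bin(exp)[2:]:
        result = mat_mul(result, result, n)
        if bit == "1":
            result = mat_mul(result, a, n)
    return result


def torus_x(k, exp, n):
    """X component of A^exp (1, k)^T mod n, which equals T_exp(k) mod n."""
    a = ((0, 1), ((-1) % n, (2 * k) % n))
    power = mat_pow(a, exp, n)
    return (power[0][0] + power[0][1] * k) % n


def make_keys(p, q, e):
    """Key generation steps (2)-(5): returns ((N, e), d)."""
    n = p * q
    phi = (p * p - 1) * (q * q - 1)            # p^2 - 1, not p - 1 as in RSA
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) = 1")
    return (n, e), pow(e, -1, phi)             # modular inverse (Python 3.8+)


def encrypt(m, public_key):
    """Steps 1(b)-(d): c = X_e of Eq. (10)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must lie in [0, N - 1]")
    return torus_x(m, e, n)


def decrypt(c, public_key, d):
    """Steps 2(a)-(b): m = X_d of Eq. (11)."""
    n, _ = public_key
    return torus_x(c, d, n)


# Parameters of the paper's small example.
P, Q, E, M = 21787, 3793, 65537, 11223344
PAPER_C = 12355612                             # ciphertext reported in the paper

if __name__ == "__main__":
    public, d = make_keys(P, Q, E)
    c = encrypt(M, public)
    print("N =", public[0], "d =", d)
    print("c =", c, "(paper reports", PAPER_C, ")")
    print("decrypted =", decrypt(c, public, d))
```
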

The integers $e$ and $d$ in RSA key generation are called the encryption exponent and the decryption exponent, respectively, while $N$ is called the modulus. In the original RSA algorithm step 2 in the algorithm for key generation reads: compute $N = pq$ and $\phi = (p - 1)(q - 1)$. Compared with the original RSA algorithm, our algorithm for encryption has two different steps. Thus, steps 1(c) and 2(a) in the original algorithm for encryption read $c = m^e \pmod{N}$ and $m = c^d \pmod{N}$, respectively. In other words, we have replaced powers with matrix powers, choosing the matrix to be a matrix which defines a two-torus automorphism, an example of a strongly chaotic system, for which the link with number theory has already been established.

VI. SOFTWARE IMPLEMENTATION

In a public-key algorithm encryption, decryption, signing, and verifying signatures all involve multiplying with a large number. We now present an algorithm for computing (10) and (11) when $e$, $d$ and $N$ are large numbers. Equation (9) can be rewritten as

$$\begin{bmatrix} X_n \\ Y_n \end{bmatrix} = \begin{bmatrix} 0 & 1 \\ -1 & 2k \end{bmatrix}^n \begin{bmatrix} X_0 \\ Y_0 \end{bmatrix} = A^n \begin{bmatrix} X_0 \\ Y_0 \end{bmatrix} \pmod{N}. \tag{12}$$

Matrix exponentiation can be done effectively by the square and multiply algorithm. Let $I$ be the identity matrix. Then the pseudo-code algorithm for calculating the matrix exponent $A^n$ is

    An = I;
    for (i = n.numBits(); i > 0; i--) {
        An = (An)^2;
        if (n.bitAt(i) == 1) An = An * A;
    }

Bit positions are enumerated starting at 1. The algorithm represents the matrix version of the number exponentiation algorithm that is used in the commercial asymmetric encryption algorithms. The calculation speed is tested on an Intel Pentium 1700 MHz processor with 512 MB RAM. The test includes Java [14] and GNU multiple precision library [15] implementations. For $N$ and $d$, $e$ of order 1024 bits, calculating (10) [or (11)] takes ~700 ms for Java and ~70 ms for the GNU library.

Example—We now present an example with artificially small parameters. Alice chooses the primes $p$ = 21 787 and $q$ = 3793 and computes $N$ = 82 638 091 and $\phi$ = 6 829 053 595 064 064. Alice chooses $e$ = 65 537 and, using the extended Euclidean algorithm, finds $d$ = 2 150 406 320 724 737. Alice’s public key is the pair ($N$ = 82 638 091, $e$ = 65 537), while her private key is $d$ = 2 150 406 320 724 737. To encrypt a message $m$ = 11 223 344, Bob computes (10) for $e$ = 65 537 and $N$ = 82 638 091. He sends $c$ = 12 355 612 to Alice. To decrypt $c$, Alice computes (11) with her private key $d$ = 2 150 406 320 724 737 and recovers the message as $X_d$ = 11 223 344.

VII. OUTLINE OF THE PROOF THAT DECRYPTION WORKS

We give only a sketch of the proof. The full proof will be given elsewhere. Let $T$ be a period of the map (9). Then, if $N$ is an odd prime number, the period $T$ is always a divisor of $N^2 - 1$. If $N$ is an inert prime, then $T$ is a divisor of $N + 1$. For split primes, $T$ is a divisor of $N - 1$. Therefore, in both cases $T$ is a divisor of $N^2 - 1$. The proof of all the above facts essentially follows from the work of Percival and Vivaldi [3]. For example, for $N = 19$, $X_0 = 1$ and $k = Y_0 \in \{0, 1, \ldots, 18\}$ the periods of the map are

4, 1, 5, 20, 20, 18, 18, 5, 18, 3, 6, 9, 10, 9, 9, 20, 20, 10, 2,

respectively. They are always divisors of $18 \times 20 = 2^3 3^2 5$. From (10) it follows that one can write

$$X_e = F(m, e),$$

where $F$ is a function which can be computed even analytically [16]. If $T$ is a period of (9), then $A^T = I$, and therefore,

$$\begin{bmatrix} X_{1+T} \\ Y_{1+T} \end{bmatrix} = A^{1+T} \begin{bmatrix} X_0 \\ Y_0 \end{bmatrix} = A \begin{bmatrix} X_0 \\ Y_0 \end{bmatrix} \pmod{N}. \tag{13}$$

Thus $X_1 = F(m, 1) = m$ and also $X_{1+T} = F(m, 1 + T) = F(m, 1) = m$. The next step in proving that our algorithm works is to prove that

$$X_d = F(c, d) = F(F(m, e), d) = F(m, ed),$$

which in fact follows from the semigroup property of Chebyshev polynomials, Eq. (4). Since $ed \equiv 1 \pmod{\phi}$, there exist integers $k$, $k'$ such that $ed = 1 + k\phi = 1 + k'T$. Thus, we find $X_d = F(m, ed) = F(m, 1 + k'T) = F(m, 1) = m \pmod{p}$. By the same argument, $X_d = F(m, ed) = F(m, 1 + k'T) = F(m, 1) = m \pmod{q}$. Finally, since $p$ and $q$ are distinct primes, we may use the Chinese remainder theorem to show that $X_d = F(m, ed) = F(m, 1 + k'T) = F(m, 1) = m \pmod{N}$.
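The period claims used in the proof sketch can be checked by brute force for the paper's $N = 19$ case. This is an added example, not code from the paper: it iterates map (9) from $(X_0, Y_0) = (1, k)$ until the state returns, and labels each $k$ as inert, split or ramified from the Legendre symbol of $k^2 - 1$, which is this example's assumption about how the classification applies to a given $k$.

```python
"""Orbit periods of map (9) for a prime modulus, checked against N^2 - 1."""


def orbit_period(k, n):
    """Smallest T > 0 with A^T (1, k)^T = (1, k)^T mod n, A = [[0, 1], [-1, 2k]].

    The map has determinant 1, so it is invertible mod n and every orbit
    returns to its starting point.
    """
    start = (1 % n, k % n)
    x, y = start
    steps = 0
    while True:
        x, y = y, (2 * k * y - x) % n          # one application of map (9)
        steps += 1
        if (x, y) == start:
            return steps


def prime_type(k, n):
    """Classify k for an odd prime n using Euler's criterion on k^2 - 1.

    k^2 - 1 is a quarter of the discriminant of the characteristic
    polynomial t^2 - 2kt + 1 of A (labels are this example's assumption).
    """
    disc = (k * k - 1) % n
    if disc == 0:
        return "ramified"
    return "split" if pow(disc, (n - 1) // 2, n) == 1 else "inert"


def period_table(n):
    """(k, period, type) for every k in 0..n-1, with X0 = 1 and Y0 = k."""
    return [(k, orbit_period(k, n), prime_type(k, n)) for k in range(n)]


def check_divisibility(n):
    """True if each period divides n+1 (inert), n-1 (split) or 2 (ramified)."""
    bound = {"inert": n + 1, "split": n - 1, "ramified": 2}
    return all(bound[kind] % period == 0
               for _, period, kind in period_table(n))


if __name__ == "__main__":
    for k, period, kind in period_table(19):
        print(f"k = {k:2d}  period = {period:2d}  {kind}")
    print("all periods divide N^2 - 1:",
          all((19 * 19 - 1) % period == 0 for _, period, _ in period_table(19)))
```

Because every period divides $p^2 - 1$ modulo $p$ and $q^2 - 1$ modulo $q$, choosing $ed \equiv 1$ modulo $(p^2 - 1)(q^2 - 1)$ is what makes decryption undo encryption.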

VIII. CONCLUSION

In conclusion, in this paper we have suggested public-key encryption algorithms based on Chebyshev polynomial maps and torus automorphisms. We have generalized conventional algorithms by replacing powers with matrix powers, choosing the matrix to be a matrix which defines a two-torus automorphism, an example of a strongly chaotic system. The proposed encryption schemes are (i) both secure and practical, and (ii) can be used for both encryption and digital signature. Although we have only presented an example of the RSA algorithm, it is straightforward to show that torus automorphisms can also be used for ElGamal and Rabin public-key algorithms. The security of the proposed RSA algorithm is based on the intractability of the integer factorization problem; therefore our public-key algorithm is as secure as the RSA algorithm.

ACKNOWLEDGMENTS

We thank G. Jakimovski for discussions. L.K. thanks NSF for support. G.V. thanks the support of the Hungarian Scientific Research Fund OTKA T03793.

[1] L. M. Pecora and T. L. Carroll, Phys. Rev. Lett. 64, 821 (1990).
[2] S. Sundar and A. A. Minai, Phys. Rev. Lett. 85, 5456 (2000); L. Kocarev, IEEE Circuits Syst. Mag. 1, 6 (2001); L. Kocarev and G. Jakimovski, Phys. Lett. A 289, 199 (2001); G. Jakimovski and L. Kocarev, IEEE Trans. Circuits Syst., I: Fundam. Theory Appl. 48, 163 (2001); S. Wang, J. Kuang, J. Li, Y. Luo, H. Lu, and G. Hu, Phys. Rev. E 66, 065202 (2002); P. Garcia, A. Parravano, M. G. Cosenza, J. Jiménez, and A. Marcano, ibid. 65, 045201 (2002).
[3] I. Percival and F. Vivaldi, Physica D 25, 105 (1987).
[4] J. P. Keating, Nonlinearity 4, 277, 309 (1991).
[5] G. Blum and O. Agam, Phys. Rev. E 62, 1977 (2000); I. Dana and V. E. Chernov, ibid. 67, 046203 (2003); A. K. Pattanayak and P. Brumer, Phys. Rev. Lett. 79, 4131 (1997); A. K. Pattanayak, B. Sundaram, and B. D. Greenbaum, ibid. 90, 014103 (2003).
[6] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography (CRC, Boca Raton, 1997).
[7] L. Kocarev and Z. Tasev, Proc. ISCAS 3, 28 (2003).
[8] C. E. Shannon, Bell Syst. Tech. J. 28, 656 (1949).
[9] C. E. Shannon, Bell Syst. Tech. J. 27, 379 (1948); 27, 623 (1948).
[10] W. Diffie and M. E. Hellman, IEEE Trans. Inf. Theory 22, 644 (1976).
[11] H. Cohn, A Second Course in Number Theory (Wiley, New York, 1962).
[12] H. Hasse, Number Theory (Springer-Verlag, Berlin, 2002).
[13] D. E. Knuth, The Art of Computer Programming (Addison Wesley, Reading, MA, 1998), Vol. 2.
[14] http://java.sun.com
[15] www.swox.com/gmp/
[16] The matrix $A^n$ can be computed as

$$A^n = \frac{1}{\lambda_2 - \lambda_1} \begin{bmatrix} \lambda_1^{n-1} - \lambda_2^{n-1} & \lambda_2^{n} - \lambda_1^{n} \\ \lambda_1^{n} - \lambda_2^{n} & \lambda_2^{n+1} - \lambda_1^{n+1} \end{bmatrix},$$

where $\lambda_{1,2} = k \pm \sqrt{k^2 - 1}$. Then, the computation of $F$ is straightforward.