
Cryptanalysis of a chaotic encryption system¹

G. Alvarez², F. Montoya, M. Romera, and G. Pastor

Instituto de Física Aplicada, Consejo Superior de Investigaciones Científicas

Serrano, 144 — 28006 Madrid, Spain

¹ Published in Physics Letters A 276 (2000) 191-196.

² Corresponding author: Tel. 34 915 631 284; Fax. 34 914 117 651; e-mail: [email protected]

Abstract

Recently a new chaotic encryption system has been proposed by E. Alvarez et al. In this paper, several weaknesses of this cryptosystem are pointed out and four successful cryptanalytic attacks are described.

Keywords: chaotic cryptosystem, encryption, cryptanalysis, tent map.

1. Introduction

The cryptosystem based on the iteration of a non-linear dynamical system presented in [1] is a symmetric cipher algorithm which encrypts an arbitrarily long stream of bits, divided up into blocks of variable length, into a 3-tuple of numbers, using as secret key the parameter of the dynamical system:

$$x_{n+1} = f(x_n, x_{n-1}, \ldots, x_{n-d+1}) \qquad (1)$$

The encryption process can be described in the following way: choose a suitable real number k, the parameter of the dynamical system (1), as the key of the system. Next, consider the first block of information bits to be transmitted, of length $b_1$, and start iterating (1) from arbitrary initial conditions $(x_d, x_{d-1}, \ldots, x_1)$. Choose a threshold $U_1$ and construct a chain $C_1$ of 0's and 1's according to the convention: $x_n \le U_1 \to 0$ and $x_n > U_1 \to 1$. As this chain is being generated, keep looking for the repetition in it of the bits of the first block $b_1$. When this pattern appears, record the value of $\mathbf{x}_{n_1} = (x_{n_1}, x_{n_1-1}, \ldots, x_{n_1-d+1})$ at which this pattern began and stop iterating. The array of d + 2 real numbers $(U_1, b_1, \mathbf{x}_{n_1})$ constitutes the ciphertext of the first block of $b_1$ bits of the plaintext. The encryption process continues by selecting the next new $b_2$-bit length block, a new threshold $U_2$, and iterating from a new initial value until the same pattern is generated by the orbit of the dynamical system (1). The next ciphertext unit would be made up by the threshold, the block length, and the value of the iterate at which the pattern appeared: $(U_2, b_2, \mathbf{x}_{n_2})$. This process goes ahead until the plaintext is exhausted.

The decryption process is straightforward. The ciphertext units are decrypted by iterating $b_i$ times the initial conditions $\mathbf{x}_{n_i}$, and using the threshold $U_i$ to convert the sequence of real numbers thus obtained into the correct sequence of bits. This is done repeatedly for every 3-tuple of values received. To recover the correct sequence of bits the knowledge of the parameter value of the dynamical system (1) is required.

In [1], the authors give a sample implementation using the well known tent map (also called triangular map), defined as:

$$f(x) = \begin{cases} rx & \text{if } x \le 0.5 \\ r(1 - x) & \text{if } x \ge 0.5 \end{cases} \qquad (2)$$

with $r = 1.99$ and the threshold fixed at $U = 0.5$. The maximum values used for the block size and for the length of the chains $C_i$ are stipulated to be $b_{\max} = 16$ and $10^4$ respectively.

2. Security and cryptanalysis

When cryptanalyzing a cryptosystem, the general assumption made is that the cryptanalyst knows exactly the design and working of the cryptosystem under study, i.e., he knows everything about the cryptosystem except the secret key. This is an evident requirement in today's secure communications systems, usually referred to as Kerckhoffs' principle. Every cryptosystem is characterized by a five-tuple (P, C, K, E, D), where the following conditions are satisfied [2]:

1. P is a finite set of possible plaintexts.

2. C is a finite set of possible ciphertexts.

3. K, the keyspace, is a finite set of possible keys.

4. For each $k \in K$, there is an encryption rule $e_k \in E$ and a corresponding decryption rule $d_k \in D$. Each $e_k : P \to C$ and $d_k : C \to P$ are functions such that $d_k(e_k(x)) = x$ for every plaintext $x \in P$.

According to [2], it is possible to differentiate between different levels of attacks

on cryptosystems. The ones used in this paper are enumerated as follows,

ordered from the hardest type of attack to the easiest:

1. Ciphertext-only: The opponent possesses a string of ciphertext, y.

2. Known-plaintext: The opponent possesses a string of plaintext, x, and the

corresponding ciphertext, y.

3. Chosen plaintext: The opponent has obtained temporary access to the

encryption machinery. Hence he can choose a plaintext string, x, and

construct the corresponding ciphertext string, y.

4. Chosen ciphertext: The opponent has obtained temporary access to the

encryption machinery. Hence he can choose a ciphertext string, y, and

construct the corresponding plaintext string, x.

In each case, the object is to determine the key that was used. Let us start with

the easiest attack.

2.1 Chosen ciphertext attack

We shall consider the sample cryptosystem described in [1], based on the iteration of the dynamical system (2), with parameter r. In Fig. 1, we show a representation of the first, second and third order iteration of $f(x)$. Below, we represent the first letters of the symbolic sequence of the orbit described by any initial point within the interval thus delimited. It is easy to observe that the leftmost interval for the i-th iteration is delimited by the origin and the first peak of $f^i(x)$, whose coordinate can be calculated as $x_p = 1/(2r^{i-1})$. To represent symbolically the dynamics of the orbit followed by an initial point $x_0$ for a given parameter value r, we do not record the exact value of each iterate $x_i$, but consider simply if it falls to the left (L), or to the right (R), of the critical point of the map (located at 0.5 for the tent map). Hence, for $i = 1$, the interval for which all initial points give rise to symbolic sequences of the form L… is (0, 1/2); for $i = 2$, symbolic sequences LL… are originated by initial points in (0, 1/2r); for $i = 3$, the interval corresponding to symbolic sequences LLL… is $(0, 1/2r^2)$; and so on. As a matter of fact, these sequences are ordered according to a Gray code [3].

Fig. 1. Graphic of tent map for $r = 1.6$: upper part, $f(x)$, $f^2(x)$, and $f^3(x)$; lower part, first letters of the symbolic sequences followed by initial points within the indicated intervals, delimited by the maxima of the successive peak values of $f^i(x)$. The subinterval LRL, for instance, denotes the set of points x that satisfy x is in L, $f(x)$ is in R, and $f^2(x)$ is in L.

The following chosen ciphertext attack finds r, looking for the value of the first peak of the b-th iteration of $f(x)$:

1. Choose a ciphertext (0.5, b, $x_0$), with $x_0$ sufficiently close to the origin.

2. Request the decrypted plaintext.

3. Check the plaintext sequence: if it is made of all 0's, then choose a new initial point slightly bigger; if it is all 0's but the last bit, then choose a new initial point slightly smaller.

4. Repeat until the value of $x_p$ has been obtained with the desired precision and then calculate the parameter value as $r = \sqrt[b-1]{1/(2x_p)}$.

Let us see with an example how our method of attack works. As in [1], let the secret key be $r = 1.99$ and $b_{\max} = 16$. To begin with, we try the following ciphertext: (0.5, 16, $10^{-5}$), obtaining the sequence 00…0. We try next (0.5, 16, $2 \times 10^{-5}$), obtaining 00…01. Therefore, we know that the correct value must lie in between $10^{-5}$ and $2 \times 10^{-5}$. We perform a binary search, trying (0.5, 16, $1.5 \times 10^{-5}$), from which we obtain 00…0. Next we try (0.5, 16, $1.75 \times 10^{-5}$), whose plaintext is 00…01. Continuing with this process we reach the exact value of the secret key $r = 1.99$ after having used 18 units of chosen ciphertext. As a result from our several tests, we have checked that our method of attack successfully retrieves the exact key in less than 20 steps.
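The binary search of steps 1 to 4, run against a locally simulated decryption device, as an added example that is not code from the paper or from [1]. The names `SECRET_R`, `decrypt` and `recover_r` are hypothetical, and the oracle assumes that the first decrypted bit is the thresholded value of $x_0$ itself, as in the worked example of Section 2.4.

```python
# Added illustration (not the paper's code): chosen-ciphertext recovery of r.
SECRET_R = 1.99   # key inside the simulated decryption device (value used on the page)
U = 0.5           # threshold of the sample implementation


def tent(x, r):
    """Tent map of equation (2)."""
    return r * x if x <= 0.5 else r * (1.0 - x)


def decrypt(unit, r=SECRET_R):
    """Decryption oracle: threshold b successive iterates, starting at x0, into bits."""
    threshold, b, x = unit
    bits = []
    for _ in range(b):
        bits.append("0" if x <= threshold else "1")
        x = tent(x, r)
    return "".join(bits)


def recover_r(oracle, b=16, lo=1e-5, hi=2e-5, queries=18):
    """Bisect x0 towards the first peak x_p of the b-th iterate and invert
    x_p = 1/(2 r^(b-1)). `queries` counts every oracle call, including the two
    that confirm the starting bracket (lo -> 00...0, hi -> 00...01)."""
    all_zero = "0" * b
    if oracle((U, b, lo)) != all_zero or oracle((U, b, hi)) != "0" * (b - 1) + "1":
        raise ValueError("starting points do not bracket the first peak")
    for _ in range(queries - 2):
        mid = (lo + hi) / 2.0
        if oracle((U, b, mid)) == all_zero:
            lo = mid          # still left of the peak: try a bigger x0
        else:
            hi = mid          # last bit flipped: try a smaller x0
    x_p = (lo + hi) / 2.0
    return (1.0 / (2.0 * x_p)) ** (1.0 / (b - 1))


if __name__ == "__main__":
    for n in (6, 10, 18, 60):
        print(n, "queries ->", recover_r(decrypt, queries=n))
```

Each extra query halves the uncertainty on $x_p$, so the error on r shrinks geometrically; the design lesson is that a decryption device must never act as an oracle whose output depends monotonically on the key.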

2.2 Chosen plaintext attack

We shall generate plaintexts that will be fed to the encryption device and compared with the resulting ciphertext, in order to gain knowledge about the key r. First, in Fig. 2 we have depicted the 1000-bar histograms of three 100,000-point orbits, for parameter values $r = 1.99$, $r = 1.9$, and $r = 1.8$. As can easily be seen, as the parameter value decreases, there is an increasingly growing interval at the left which never gets visited. As a consequence, there are sequences that will never occur above a certain block length, which is an important weakness of the cryptosystem.

Fig. 2. 1000-bar histograms of 100,000-point orbits of the tent map for different values of the parameter: a) $r = 1.99$; b) $r = 1.9$; c) $r = 1.8$.

This fact is very easy to understand if we look at the bifurcation diagram of the tent map, depicted in Fig. 3. When moving to the left from $r = 2$, the interval visited by the orbits of (2) shrinks steadily, getting smaller as r decreases. The shape of the curves in Fig. 3 can be computed from what we call the critical polynomials [4] of (2), defined as $P_{n+1} = f(r, P_n)$. Starting from $P_0 = x_0 = 1/2$, the tent map's critical point, we obtain:

$$P_0 = 1/2, \qquad P_1 = r/2, \qquad P_2 = r(1 - r/2) \qquad (3)$$

Fig. 3. Bifurcation diagram of the tent map. The arrows indicate the intervals

visited by the orbits, as represented by the histograms of Fig. 2 for different

values of the parameter r.

Thus, as can be seen combining the histograms of Fig. 2 and the bifurcation diagram of Fig. 3, the upper bound of the visited interval for any parameter value is $r/2$, whereas the lower bound is $r(1 - r/2)$. Now we have the necessary tools to carry out the following chosen plaintext attack which again finds the exact value of the secret key r:

1. Starting with the maximum block size, request 1000 times the ciphertext of the word 00…0, of length $b_{\max}$ bits. It will be of the form (0.5, $b_i$, $x_{n_i}$). In fact, the value of $b_i$ will be much lower, as r departs from 2.0.

2. Using the following formula, derived from (3), compute the corresponding values of the estimation of r:

$$\tilde{r}_i = 1 + \sqrt{1 - 2x_{n_i}} \qquad (4)$$

The maximum value of all the $\tilde{r}_i$'s thus computed corresponds to the exact key.

Fig. 4. 100-bar histogram of 975 different estimates of r. The rightmost value corresponds to the exact value of r.

We will show with an example how our method of attack works. Considering a block size $b_{\max} = 16$ as in [1], we request 1000 times the ciphertext of 0000000000000000. As we had already anticipated, $b_i = 6$ in all the cases. We have depicted in Fig. 4 the histogram of the values of $\tilde{r}_i$ computed from the ciphertext values through the use of (4). The maximum value is $r = 1.99$, the exact value of the key used to encrypt the plaintext units. We have empirically verified that our method of attack works for any other key value and that 1000 plaintext units are enough to recover the exact key.
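The chosen plaintext procedure above, simulated end to end as an added example (not code from the paper or from [1]). The page does not say how the device picks initial conditions or shrinks the block size, so the choices made in `encrypt_zero_word` are labelled assumptions, and all function names are hypothetical.

```python
import math
import random

SECRET_R = 1.99     # key inside the simulated encryption device (value used on the page)
B_MAX = 16          # maximum block size stipulated in [1]
CHAIN_MAX = 10**4   # maximum chain length stipulated in [1]


def tent(x, r):
    """Tent map of equation (2)."""
    return r * x if x <= 0.5 else r * (1.0 - x)


def encrypt_zero_word(rng, r=SECRET_R):
    """Encryption oracle for the plaintext 00...0; returns (U, b_i, x_ni).

    Assumed here, not specified on the page: the initial condition is drawn
    uniformly from [0.1, 0.9], the device falls back to the longest all-zero
    block found within CHAIN_MAX iterates, and x is sent with 6 decimals.
    """
    x = rng.uniform(0.1, 0.9)
    run, run_start, best_len, best_start = 0, x, 0, x
    for _ in range(CHAIN_MAX):
        if x <= 0.5:                      # iterate encodes a 0 bit
            if run == 0:
                run_start = x
            run += 1
            if best_len < run <= B_MAX:   # first occurrence of a longer block
                best_len, best_start = run, run_start
        else:
            run = 0
        x = tent(x, r)
    return 0.5, best_len, round(best_start, 6)


def estimate_r(x):
    """Equation (4): every visited x satisfies x >= P_2 = r(1 - r/2), so the
    root r > 1 of x = r(1 - r/2) is an estimate that never exceeds the key."""
    return 1.0 + math.sqrt(1.0 - 2.0 * x)


def recover_key(requests=1000, seed=0):
    """Return (largest estimate of r, set of block sizes the device used)."""
    rng = random.Random(seed)
    units = [encrypt_zero_word(rng) for _ in range(requests)]
    return max(estimate_r(x) for _, _, x in units), {b for _, b, _ in units}


if __name__ == "__main__":
    best, sizes = recover_key()
    print("block sizes:", sizes, "max estimate of r:", round(best, 6))
```

The block size the device falls back to is itself a leak: with $r = 1.99$ no orbit point lies below $r(1 - r/2) = 0.00995$, so a run of seven 0's can never start and every unit comes back with $b_i = 6$.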


2.3 Known-plaintext attack

In this case, the method to recover r works in exactly the same way as above, only that now we have to look for the appearance of that word in the plaintext and check its corresponding ciphertext unit. Due to the continuous reduction of the available interval as r decreases, in practice it is not mandatory to request the ciphertext of long words. In the above example, 6-bit words would have done. This attack would require more plaintext than the previous one, but provided with it, it would be equally successful. In the case only a few plaintext units were available, it would be possible to get a good guess of r, simply by considering the highest values of all the $\tilde{r}_i$ available.

2.4 Ciphertext-only attack

When we consider the dynamical system (2) when $r = 2$, there is a uniformity in the lengths of subintervals corresponding to a given symbolic sequence (see Fig. 5). The set of points having sequence $s_1 s_2 \ldots s_k$ has length $2^{-k}$, independent of the sequence. As r departs from 2, the length of the subintervals starts varying slightly, but still remains close enough to the uniform distribution as to give a good hint on the orbit followed by initial points within those subintervals. Under these circumstances, the following ciphertext-only attack finds the plaintext by making simple guesses about the sequence of symbols originated by those initial points:

1. Given the first ciphertext unit, (0.5, b, $x_0$), divide up the unit interval in $2^b$ subintervals of equal length $2^{-b}$.

2. Find in which of those subintervals the initial point $x_0$ is located.

3. The plaintext will be the symbolic sequence associated to that interval (see Fig. 5), changing L's into 0's and R's into 1's.

4. Proceed with the next ciphertext unit in the same way.

For instance, considering an 8-bit block size, the initial value of the first ciphertext unit, $x_{n_1} = 0.492690$, lies in the 126-th subinterval. Any initial point in this subinterval gives rise to a symbolic sequence LRLLLLLR… Simply translating into binary code, we get the guess 01000001. Following with this process, we construct Table 1, where we have listed the results of such guesses for a sequence of 15 ciphertext units. It can be seen that almost all the bits are guessed correctly, without any knowledge of the secret key! In the example, our method of attack is able to recover correctly 117 bits out of 120. The closer the value of the secret key r is to 2.0, the better this method works.

| Plaintext (binary) | Ciphertext | Guess (binary) |
|---|---|---|
| C(01000011) | 0.492690 | **A(01000001)** |
| r(01110010) | 0.363853 | **s(01110011)** |
| i(01101001) | 0.305905 | i(01101001) |
| p(01110000) | 0.374380 | p(01110000) |
| t(01110100) | 0.345842 | t(01110100) |
| o(01101111) | 0.292097 | o(01101111) |
| l(01101100) | 0.285359 | **m(01101101)** |
| o(01101111) | 0.290362 | o(01101111) |
| g(01100111) | 0.272265 | g(01100111) |
| y(01111001) | 0.318392 | y(01111001) |
| i(01101001) | 0.305906 | i(01101001) |
| s(01110011) | 0.365439 | s(01110011) |
| t(01110100) | 0.345434 | t(01110100) |
| h(01101000) | 0.311260 | h(01101000) |
| e(01100101) | 0.276883 | e(01100101) |

Table 1. Message recovered in a ciphertext-only attack. Differences appear in bold face.
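The guessing procedure of Section 2.4 applied to the 15 ciphertext values of Table 1, as an added example (not code from the paper). It computes each guess twice: by iterating the tent map with $r = 2$ in place of the unknown key, and by the subinterval index, whose symbolic sequence for $r = 2$ is the Gray code of the zero-based index; the function names are hypothetical.

```python
# Constructed from Table 1 on this page: the plaintext and the transmitted x values.
PLAINTEXT = "Criptologyisthe"
CIPHERTEXT_X = [0.492690, 0.363853, 0.305905, 0.374380, 0.345842,
                0.292097, 0.285359, 0.290362, 0.272265, 0.318392,
                0.305906, 0.365439, 0.345434, 0.311260, 0.276883]


def guess_by_iteration(x0, b=8):
    """Symbolic sequence of x0 under the tent map with r = 2 (L -> 0, R -> 1).
    The key is never used: r = 2 stands in for the unknown parameter."""
    bits, x = [], x0
    for _ in range(b):
        bits.append("0" if x <= 0.5 else "1")
        x = 2.0 * x if x <= 0.5 else 2.0 * (1.0 - x)
    return "".join(bits)


def guess_by_subinterval(x0, b=8):
    """Steps 1-3 of the attack: locate the 2^-b subinterval holding x0; for
    r = 2 its symbolic sequence is the Gray code of the zero-based index."""
    k = int(x0 * 2**b)
    return k, format(k ^ (k >> 1), "0%db" % b)


def attack(xs, plaintext, b=8):
    """Return (guessed text, number of correctly guessed bits, total bits)."""
    guesses = [guess_by_iteration(x, b) for x in xs]
    truth = [format(ord(c), "0%db" % b) for c in plaintext]
    correct = sum(g == t for gb, tb in zip(guesses, truth) for g, t in zip(gb, tb))
    return "".join(chr(int(g, 2)) for g in guesses), correct, b * len(xs)


if __name__ == "__main__":
    text, correct, total = attack(CIPHERTEXT_X, PLAINTEXT)
    print(text, "%d/%d bits" % (correct, total))
    print(guess_by_subinterval(CIPHERTEXT_X[0]))
```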

Fig. 5. Graphic of tent map for $r = 2.0$: upper part, $f(x)$, $f^2(x)$, and $f^3(x)$; lower part, first letters of the symbolic sequences followed by initial points within the indicated intervals.

3. Further inconsistencies found

Obviously, after our four different successful methods of attack with different

levels of difficulty, it is not possible to talk about security with such a

cryptosystem. There are some other important weaknesses worth mentioning.

In the description of this cryptosystem there is no indication about the precision being used. In [1], 6-digit precision is used for the encrypted message. This means that an exhaustive search to perform a brute-force attack on the key could be completed in $10^6$ operations, clearly insufficient given today's computing power. Furthermore, accuracy is a relevant issue which has been neglected. When using a non linear dynamical system exhibiting sensitivity to initial conditions and to parameter mismatch, both transmitter and receiver need to use the same machine precision if the correct plaintext is to be recovered. If not, after a certain number of iterations, the orbits followed by both systems (transmitter and receiver), although starting from the same initial point and with same parameter value, will diverge exponentially (this rate of divergence can be estimated by computing the Lyapunov exponent of the system).

Nothing is said about how to choose new initial points to encrypt new blocks of

plaintext, apart from "starting from arbitrary initial conditions" [1]. It should be

clearly stated whether these are generated randomly, which the best range of

initial conditions is, and how many digits are to be considered.

No indication is given about how to choose suitable keys. Good keys are those giving rise to orbits of large period which visit the whole interval considered, so that all possible binary sequences are generated in a reasonable time, without need to resort to decreasing the block size. The behavior of the tent map is rather poor in this sense. As can be observed in Figs. 2 and 3, depending on the value of the secret key r, there can be large spans of the unit interval which are never visited. In these cases, the maximum block size will be shorter and shorter.

The decrypted text when the key is slightly varied is too similar to the original plaintext. Looking at the example given in [1], when the secret key has an error of $10^{-4}$, it can be checked even at first sight that the rate of coincidences is extremely high (well above 70%). In a good cryptosystem, when a single bit of the key is changed, 50% of the bits in the decrypted text should change.

If different maps instead of the tent map were used, it would not be much

better. We are working on this and our results will be the subject of a

forthcoming paper.

4. Conclusions

We have shown that the chaotic cryptosystem proposed in [1] presents no security at all, since we have devised many different ways to break it, as explained in this paper. It is not clearly specified how to determine the keyspace, how to generate the initial values, how much precision to use in the computations and how to handle different machine accuracy. Furthermore, when the secret key is slightly modified, the pair of plaintext and decrypted text presents too many coincidences.

From every point of view, this system cannot be considered at all as a serious

cryptosystem, but at most as an information concealment method to frustrate

the casual eavesdropper, but in no case the determined attacker. It is so easily

broken and in such a short time that no secure application can be found for it.

Acknowledgements

This research was supported by CICYT, DGESIC and "Comunidad de Madrid",

Spain, under grants PB97-1151, TEL98-1020 and "Beca de Formación de

Personal Investigador" respectively.

References

[1] E. Alvarez, A. Fernández, P. García, J. Jiménez, A. Marcano, "New approach to chaotic encryption", Phys. Lett. A 263 (1999) 373-375.

[2] D. R. Stinson, Cryptography: theory and practice, CRC Press, 1995.

[3] G. Alvarez, M. Romera, G. Pastor and F. Montoya, "Gray Codes in 1D Quadratic Maps", Electronics Letters 34 (1998) 1304-1306.

[4] M. Romera, G. Pastor, F. Montoya, "Misiurewicz points in one-dimensional quadratic maps", Physica A 232 (1996) 517-535.