Cryptanalysis of a chaotic encryption system¹
G. Alvarez², F. Montoya, M. Romera, and G. Pastor
Instituto de Física Aplicada, Consejo Superior de Investigaciones Científicas
Serrano, 144 — 28006 Madrid, Spain
Abstract
Recently a new chaotic encryption system has been proposed by E. Alvarez et al. In this paper,
several weaknesses of this cryptosystem are pointed out and four successful cryptanalytic
attacks are described.
Keywords: chaotic cryptosystem, encryption, cryptanalysis, tent map.
1. Introduction
The cryptosystem based on the iteration of a non-linear dynamical system
presented in [1] is a symmetric cipher algorithm which encrypts an arbitrarily
long stream of bits, divided up into blocks of variable length, into a 3-tuple of
numbers, using as secret key the parameter of the dynamical system:
$$x_{n+1} = f(x_n, x_{n-1}, \ldots, x_{n-d+1}) \qquad (1)$$
The encryption process can be described in the following way: choose a suitable
real number k, the parameter of the dynamical system (1), as the key of the
system. Next, consider the first block of information bits to be transmitted, of
length $b_1$, and start iterating (1) from arbitrary initial conditions
$(x_d, x_{d-1}, \ldots, x_1)$. Choose a threshold $U_1$ and construct a chain $C_1$ of
0's and 1's according to the convention: $x_n \le U_1 \to 0$ and $x_n > U_1 \to 1$. As
this chain is being generated, keep looking for the repetition in it of the bits
of the first block $b_1$. When this pattern appears, record the value of
$\mathbf{x}_{n_1} = (x_{n_1}, x_{n_1-1}, \ldots, x_{n_1-d+1})$ at which this pattern began
and stop iterating. The array of d + 2 real numbers $(U_1, b_1, \mathbf{x}_{n_1})$
constitutes the ciphertext of the first block of $b_1$ bits of the plaintext. The
encryption process continues by selecting the next new $b_2$-bit length block, a
new threshold $U_2$, and iterating from a new initial value until the same pattern
is generated by the orbit of the dynamical system (1). The next ciphertext unit
would be made up by the threshold, the block length, and the value of the iterate
at which the pattern appeared: $(U_2, b_2, \mathbf{x}_{n_2})$. This process goes ahead
until the plaintext is exhausted.
¹ Published in Physics Letters A 276 (2000) 191-196.
² Corresponding author: Tel. 34 915 631 284; Fax. 34 914 117 651; e-mail: [email protected]
The decryption process is straightforward. The ciphertext units are decrypted
by iterating $b_i$ times the initial conditions $\mathbf{x}_{n_i}$, and using the
threshold $U_i$ to convert the sequence of real numbers thus obtained into the
correct sequence of bits. This is done repeatedly for every 3-tuple of values
received. To recover the correct sequence of bits the knowledge of the parameter
value of the dynamical system (1) is required.
In [1], the authors give a sample implementation using the well known tent map
(also called triangular map), defined as:
$$f(x) = \begin{cases} rx & \text{if } x \le 0.5 \\ r(1 - x) & \text{if } x \ge 0.5 \end{cases} \qquad (2)$$
with $r = 1.99$ and the threshold fixed at $U = 0.5$. The maximum values used for
the block size and for the length of the chains $C_i$ are stipulated to be
$b_{\max} = 16$ and $10^4$ respectively.
2. Security and cryptanalysis
When cryptanalyzing a cryptosystem, the general assumption made is that the
cryptanalyst knows exactly the design and working of the cryptosystem under
study, i.e., he knows everything about the cryptosystem except the secret key.
This is an evident requirement in today's secure communications systems,
usually referred to as Kerckhoffs' principle. Every cryptosystem is characterized
by a five-tuple (P, C, K, E, D), where the following conditions are satisfied [2]:
1. P is a finite set of possible plaintexts.
2. C is a finite set of possible ciphertexts.
3. K, the keyspace, is a finite set of possible keys.
4. For each $k \in K$, there is an encryption rule $e_k \in E$ and a corresponding
decryption rule $d_k \in D$. Each $e_k: P \to C$ and $d_k: C \to P$ are functions such
that $d_k(e_k(x)) = x$ for every plaintext $x \in P$.
According to [2], it is possible to differentiate between different levels of attacks
on cryptosystems. The ones used in this paper are enumerated as follows,
ordered from the hardest type of attack to the easiest:
1. Ciphertext-only: The opponent possesses a string of ciphertext, y.
2. Known-plaintext: The opponent possesses a string of plaintext, x, and the
corresponding ciphertext, y.
3. Chosen plaintext: The opponent has obtained temporary access to the
encryption machinery. Hence he can choose a plaintext string, x, and
construct the corresponding ciphertext string, y.
4. Chosen ciphertext: The opponent has obtained temporary access to the
encryption machinery. Hence he can choose a ciphertext string, y, and
construct the corresponding plaintext string, x.
In each case, the object is to determine the key that was used. Let us start with
the easiest attack.
2.1 Chosen ciphertext attack
We shall consider the sample cryptosystem described in [1], based on the
iteration of the dynamical system (2), with parameter r. In Fig. 1, we show a
representation of the first, second and third order iteration of $f(x)$. Below, we
represent the first letters of the symbolic sequence of the orbit described by any
initial point within the interval thus delimited. It is easy to observe that the
leftmost interval for the i-th iteration is delimited by the origin and the first
peak of $f^i(x)$, whose coordinate can be calculated as $x_p = 1/(2r^{i-1})$. To
represent symbolically the dynamics of the orbit followed by an initial point $x_0$
for a given parameter value r, we do not record the exact value of each iterate
$x_i$, but consider simply if it falls to the left (L), or to the right (R), of the
critical point of the map (located at 0.5 for the tent map). Hence, for $i = 1$, the
interval for which all initial points give rise to symbolic sequences of the form
L… is $(0, 1/2)$; for $i = 2$, symbolic sequences LL… are originated by initial
points in $(0, 1/(2r))$; for $i = 3$, the interval corresponding to symbolic sequences
LLL… is $(0, 1/(2r^2))$; and so on. As a matter of fact, these sequences are ordered
according to a Gray code [3].
Fig. 1. Graphic of tent map for $r = 1.6$: upper part, $f(x)$, $f^2(x)$, and $f^3(x)$; lower part,
first letters of the symbolic sequences followed by initial points within the indicated intervals,
delimited by the maxima of the successive peak values of $f^i(x)$. The subinterval LRL, for
instance, denotes the set of points x that satisfy x is in L, $f(x)$ is in R, and $f^2(x)$ is in L.
The following chosen ciphertext attack finds r, looking for the value of the first
peak of the b-th iteration of $f(x)$:
1. Choose a ciphertext $(0.5, b, x_0)$, with $x_0$ sufficiently close to the origin.
2. Request the decrypted plaintext.
3. Check the plaintext sequence: if it is made of all 0's, then choose a new
initial point slightly bigger; if it is all 0's but the last bit, then choose a new
initial point slightly smaller.
4. Repeat until the value of $x_p$ has been obtained with the desired precision and
then calculate the parameter value as $r = \sqrt[b-1]{1/(2x_p)}$.
Let us see with an example how our method of attack works. As in [1], let the
secret key be $r = 1.99$ and $b_{\max} = 16$. To begin with, we try the following
ciphertext: $(0.5, 16, 10^{-5})$, obtaining the sequence 00…0. We try next
$(0.5, 16, 2 \times 10^{-5})$, obtaining 00…01. Therefore, we know that the correct value
must lie in between $10^{-5}$ and $2 \times 10^{-5}$. We perform a binary search, trying
$(0.5, 16, 1.5 \times 10^{-5})$, from which we obtain 00…0. Next we try
$(0.5, 16, 1.75 \times 10^{-5})$, whose plaintext is 00…01. Continuing with this process
we reach the exact value of the secret key $r = 1.99$ after having used 18 units of
chosen ciphertext. As a result of our several tests, we have checked that our
method of attack successfully retrieves the exact key in less than 20 steps.
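
The bisection of steps 1 to 4 can be run against a simulated decryption device, as in the following added example (not code from the paper or from [1]). The names `make_decryption_oracle` and `recover_key` are this example's own, and it generalizes step 3 slightly: the plaintext is all 0's exactly when $x_0 \le x_p$, so any plaintext containing a 1 is treated as "too far right" and the search can start from the whole interval (0, 0.5).

```python
def tent(x, r):
    """Tent map of equation (2)."""
    return r * x if x <= 0.5 else r * (1.0 - x)


def make_decryption_oracle(secret_r):
    """Stand-in for the decryption device; the key stays inside the closure."""
    def decrypt(U, b, x0):
        bits, x = [], x0
        for _ in range(b):          # bits come from x0, f(x0), ..., f^(b-1)(x0)
            bits.append(0 if x <= U else 1)
            x = tent(x, secret_r)
        return bits
    return decrypt


def recover_key(decrypt, b=16, queries=50):
    """Bisect on x0 for the first peak x_p of the b-th iterate, then invert
    x_p = 1 / (2 r^(b-1)). Only chosen-ciphertext queries are used."""
    lo, hi = 0.0, 0.5               # x_p lies in this range for any 1 < r <= 2
    for _ in range(queries):
        mid = (lo + hi) / 2.0
        if any(decrypt(0.5, b, mid)):
            hi = mid                # a 1 appeared: x0 is right of the peak
        else:
            lo = mid                # all 0's: x0 is still left of the peak
    x_p = (lo + hi) / 2.0
    return (1.0 / (2.0 * x_p)) ** (1.0 / (b - 1))


if __name__ == "__main__":
    oracle = make_decryption_oracle(1.99)   # key used in the text's example
    print(recover_key(oracle))
```
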
2.2 Chosen plaintext attack
We shall generate plaintexts that will be fed to the encryption device and
compared with the resulting ciphertext, in order to gain knowledge about the
key r. First, in Fig. 2 we have depicted the 1000-bar histograms of three
100,000-point orbits, for parameter values $r = 1.99$, $r = 1.9$, and $r = 1.8$. As can
easily be seen, as the parameter value decreases, there is an increasingly growing
interval at the left which never gets visited. As a consequence, there are
sequences that will never occur above a certain block length, which is an
important weakness of the cryptosystem.
Fig. 2. 1000-bar histograms of 100,000-point orbits of the tent map for different
values of the parameter: a) $r = 1.99$; b) $r = 1.9$; c) $r = 1.8$.
This fact is very easy to understand if we look at the bifurcation diagram of the
tent map, depicted in Fig. 3. When moving to the left from $r = 2$, the interval
visited by the orbits of (2) shrinks steadily, getting smaller as r decreases. The
shape of the curves in Fig. 3 can be computed from what we call the critical
polynomials [4] of (2), defined as $P_{n+1} = f(r, P_n)$. Starting from $P_0 = x_0 = 1/2$,
the tent map's critical point, we obtain:
$$\begin{aligned} P_0 &= 1/2 \\ P_1 &= r/2 \\ P_2 &= r(1 - r/2) \\ &\;\;\vdots \end{aligned} \qquad (3)$$
Fig. 3. Bifurcation diagram of the tent map. The arrows indicate the intervals
visited by the orbits, as represented by the histograms of Fig. 2 for different
values of the parameter r.
Thus, as can be seen combining the histograms of Fig. 2 and the bifurcation
diagram of Fig. 3, the upper bound of the visited interval for any parameter
value is $r/2$, whereas the lower bound is $r(1 - r/2)$. Now we have the necessary
tools to carry out the following chosen plaintext attack which again finds the
exact value of the secret key r:
1. Starting with the maximum block size, request 1000 times the ciphertext of
the word 00…0, of length $b_{\max}$ bits. It will be of the form $(0.5, b_i, x_{n_i})$. In
fact, the value of $b_i$ will be much lower, as r departs from 2.0.
2. Using the following formula, derived from (3), compute the corresponding
values of the estimation of r:
$$\tilde{r}_i = 1 + \sqrt{1 - 2x_{n_i}} \qquad (4)$$
The maximum value of all the $\tilde{r}_i$'s thus computed corresponds to the exact
key.
Fig. 4. 100-bar histogram of 975 different estimates of r. The rightmost value
corresponds to the exact value of r.
We will show with an example how our method of attack works. Considering a
block size $b_{\max} = 16$ as in [1], we request 1000 times the ciphertext of
0000000000000000. As we had already anticipated, $b_i = 6$ in all the cases. We
have depicted in Fig. 4 the histogram of the values of $\tilde{r}_i$ computed from the
ciphertext values through the use of (4). The maximum value is $r = 1.99$, the
exact value of the key used to encrypt the plaintext units. We have empirically
verified that our method of attack works for any other key value and that 1000
plaintext units are enough to recover the exact key.
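
The two steps above can be reproduced against a toy encryption device, as in the following added example (not code from the paper or from [1]). The functions `encrypt_block`, `estimate_key` and `chosen_plaintext_attack` are this example's own, and two behaviours the page leaves unspecified are assumed: the device draws each initial point inside the visited interval $[r(1 - r/2), r/2]$, and it shortens the block one bit at a time when the pattern never appears in the chain.

```python
import math
import random


def tent(x, r):
    """Tent map of equation (2)."""
    return r * x if x <= 0.5 else r * (1.0 - x)


def encrypt_block(bits, r, rng, U=0.5, chain_len=10**4):
    """Toy encryption device returning one unit (U, b_i, x_{n_i}).
    Assumptions (not specified on the page): x0 is drawn inside the visited
    interval [r(1 - r/2), r/2], and a block that never shows up in the chain
    is shortened bit by bit until it does."""
    x = rng.uniform(r * (1.0 - r / 2.0), r / 2.0)
    orbit, chain = [], []
    for _ in range(chain_len):
        orbit.append(x)
        chain.append("0" if x <= U else "1")
        x = tent(x, r)
    chain = "".join(chain)
    for b in range(len(bits), 0, -1):
        n = chain.find(bits[:b])
        if n >= 0:
            return (U, b, round(orbit[n], 6))   # 6-digit ciphertext as in [1]
    raise ValueError("block not found in chain")


def estimate_key(units):
    """Equation (4) applied to every unit; the largest estimate is kept."""
    return max(1.0 + math.sqrt(1.0 - 2.0 * x) for _, _, x in units)


def chosen_plaintext_attack(secret_r, requests=1000, b_max=16, seed=2000):
    rng = random.Random(seed)                   # fixed seed: repeatable run
    units = [encrypt_block("0" * b_max, secret_r, rng) for _ in range(requests)]
    return estimate_key(units), sorted({b for _, b, _ in units})


if __name__ == "__main__":
    r_est, block_lengths = chosen_plaintext_attack(1.99)
    print(r_est, block_lengths)
```

Every estimate is bounded above by the key, because no recorded $x_{n_i}$ can fall below $r(1 - r/2)$; the maximum therefore approaches r from below as more units are requested.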
2.3 Known-plaintext attack
In this case, the method to recover r works in exactly the same way as above,
only that now we have to look for the appearance of that word in the plaintext
and check its corresponding ciphertext unit. Due to the continuous reduction of
the available interval as r decreases, in practice it is not mandatory to request
the ciphertext of long words. In the above example, 6-bit words would have
done. This attack would require more plaintext than the previous one, but
provided with it, it would be equally successful. In the case only a few plaintext
units were available, it would be possible to get a good guess of r, simply by
considering the highest values of all the $\tilde{r}_i$ available.
2.4 Ciphertext-only attack
When we consider the dynamical system (2) with $r = 2$, there is a uniformity in
the lengths of subintervals corresponding to a given symbolic sequence (see Fig.
5). The set of points having sequence $s_1 s_2 \ldots s_k$ has length $2^{-k}$, independent of
the sequence. As r departs from 2, the length of the subintervals starts varying
slightly, but still remains close enough to the uniform distribution as to give a
good hint on the orbit followed by initial points within those subintervals.
Under these circumstances, the following ciphertext-only attack finds the
plaintext by making simple guesses about the sequence of symbols originated by
those initial points:
1. Given the first ciphertext unit, $(0.5, b, x_0)$, divide up the unit interval in $2^b$
subintervals of equal length $2^{-b}$.
2. Find in which of those subintervals the initial point $x_0$ is located.
3. The plaintext will be the symbolic sequence associated to that interval (see
Fig. 5), changing L's into 0's and R's into 1's.
4. Proceed with the next ciphertext unit in the same way.
For instance, considering an 8-bit block size, the initial value of
the first ciphertext unit, $x_{n_1} = 0.492690$, lies in the 126-th subinterval. Any
initial point in this subinterval gives rise to a symbolic sequence LRLLLLLR…
Simply translating into binary code, we get the guess 01000001. Following with
this process, we construct Table 1, where we have listed the results of such
guesses for a sequence of 15 ciphertext units. It can be seen that almost all the
bits are guessed correctly, without any knowledge of the secret key! In the
example, our method of attack is able to recover correctly 117 bits out of 120.
The closer the value of the secret key r is to 2.0, the better this method works.
Plaintext (binary)   Ciphertext   Guess (binary)
C(01000011)          0.492690     A(01000001)
r(01110010)          0.363853     s(01110011)
i(01101001)          0.305905     i(01101001)
p(01110000)          0.374380     p(01110000)
t(01110100)          0.345842     t(01110100)
o(01101111)          0.292097     o(01101111)
l(01101100)          0.285359     m(01101101)
o(01101111)          0.290362     o(01101111)
g(01100111)          0.272265     g(01100111)
y(01111001)          0.318392     y(01111001)
i(01101001)          0.305906     i(01101001)
s(01110011)          0.365439     s(01110011)
t(01110100)          0.345434     t(01110100)
h(01101000)          0.311260     h(01101000)
e(01100101)          0.276883     e(01100101)
Table 1. Message recovered in a ciphertext-only attack. Differences appear in
bold face.
Fig. 5. Graphic of tent map for $r = 2.0$: upper part, $f(x)$, $f^2(x)$, and $f^3(x)$;
lower part, first letters of the symbolic sequences followed by initial points
within the indicated intervals.
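
The guessing procedure of Section 2.4 applied to the ciphertext column of Table 1, as an added example (not code from the paper). The function names are this example's own; the subinterval index is counted from 0, and the sequence attached to subinterval k at $r = 2$ is computed as the binary-reflected Gray code `k ^ (k >> 1)`, which `symbolic_sequence_r2` lets the reader confirm by iterating the $r = 2$ map from the subinterval's midpoint.

```python
# Ciphertext values x_{n_i} copied from Table 1 (threshold 0.5, 8-bit blocks).
TABLE_1_CIPHERTEXT = [
    0.492690, 0.363853, 0.305905, 0.374380, 0.345842,
    0.292097, 0.285359, 0.290362, 0.272265, 0.318392,
    0.305906, 0.365439, 0.345434, 0.311260, 0.276883,
]
TABLE_1_PLAINTEXT = "Criptologyisthe"   # plaintext column of Table 1


def symbolic_sequence_r2(x, b):
    """First b symbols (L -> 0, R -> 1) of the orbit of x under the r = 2 map."""
    bits = 0
    for _ in range(b):
        right = x > 0.5
        bits = (bits << 1) | int(right)
        x = 2.0 * (1.0 - x) if right else 2.0 * x
    return bits


def guess_block(x, b=8):
    """Steps 1-3: find the subinterval of width 2^-b that holds x and return
    the symbolic sequence attached to it (Gray code of the 0-based index)."""
    k = min(int(x * 2**b), 2**b - 1)
    return k ^ (k >> 1)


def ciphertext_only_attack(values, b=8):
    """Step 4: repeat the guess for every ciphertext unit; no key is used."""
    return "".join(chr(guess_block(x, b)) for x in values)


def wrong_bits(guess, truth):
    """Number of bit positions where the guess differs from the plaintext."""
    return sum(bin(ord(g) ^ ord(t)).count("1") for g, t in zip(guess, truth))


if __name__ == "__main__":
    guess = ciphertext_only_attack(TABLE_1_CIPHERTEXT)
    print(guess, wrong_bits(guess, TABLE_1_PLAINTEXT), "wrong bits of",
          8 * len(TABLE_1_PLAINTEXT))
```
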
3. Further inconsistencies found
Obviously, after our four different successful methods of attack with different
levels of difficulty, it is not possible to talk about security with such a
cryptosystem. There are some other important weaknesses worth mentioning.
In the description of this cryptosystem there is no indication about the precision
being used. In [1], 6-digit precision is used for the encrypted message. This
means that an exhaustive search to perform a brute-force attack on the key
could be completed in $10^6$ operations, clearly insufficient given today's
computing power. Furthermore, accuracy is a relevant issue which has been
neglected. When using a non-linear dynamical system exhibiting sensitivity to
initial conditions and to parameter mismatch, both transmitter and receiver
need to use the same machine precision if the correct plaintext is to be
recovered. If not, after a certain number of iterations, the orbits followed by
both systems (transmitter and receiver), although starting from the same initial
point and with the same parameter value, will diverge exponentially (this rate of
divergence can be estimated by computing the Lyapunov exponent of the
system).
Nothing is said about how to choose new initial points to encrypt new blocks of
plaintext, apart from "starting from arbitrary initial conditions" [1]. It should be
clearly stated whether these are generated randomly, which the best range of
initial conditions is, and how many digits are to be considered.
No indication is given about how to choose suitable keys. Good keys are those
giving rise to orbits of large period which visit the whole interval considered, so
that all possible binary sequences are generated in a reasonable time, without
need to resort to decreasing the block size. The behavior of the tent map is
rather poor in this sense. As can be observed in Figs. 2 and 3, depending on the
value of the secret key r, there can be large spans of the unit interval which are
never visited. In these cases, the maximum block size will be shorter and
shorter.
The decrypted text when the key is slightly varied is too similar to the original
plaintext. Looking at the example given in [1], when the secret key has an error
of $10^{-4}$, it can be checked even at first sight that the rate of coincidences is
extremely high (well above 70%). In a good cryptosystem, when a single bit of
the key is changed, 50% of the bits in the decrypted text should change.
If different maps instead of the tent map were used, it would not be much
better. We are working on this and our results will be the subject of a
forthcoming paper.
4. Conclusions
We have shown that the chaotic cryptosystem proposed in [1] presents no
security at all, since we have devised many different ways to break it, as
explained in this paper. It is not clearly specified how to determine the
keyspace, how to generate the initial values, how much precision to use in the
computations and how to handle different machine accuracy. Furthermore,
when the secret key is slightly modified, the pair of plaintext and decrypted text
presents too many coincidences.
From every point of view, this system cannot be considered at all as a serious
cryptosystem, but at most as an information concealment method to frustrate
the casual eavesdropper, but in no case the determined attacker. It is so easily
broken and in such a short time that no secure application can be found for it.
Acknowledgements
This research was supported by CICYT, DGESIC and "Comunidad de Madrid",
Spain, under grants PB97-1151, TEL98-1020 and "Beca de Formación de
Personal Investigador" respectively.
References
[1] E. Alvarez, A. Fernández, P. García, J. Jiménez, A. Marcano, "New
approach to chaotic encryption", Phys. Lett. A 263 (1999) 373-375.
[2] D. R. Stinson, Cryptography: theory and practice, CRC Press, 1995.
[3] G. Alvarez, M. Romera, G. Pastor and F. Montoya, "Gray Codes in 1D
Quadratic Maps", Electronics Letters 34 (1998) 1304-1306.
[4] M. Romera, G. Pastor, F. Montoya, "Misiurewicz points in one-
dimensional quadratic maps", Physica A 232 (1996) 517-535.