Beruflich Dokumente
Kultur Dokumente
www.elsevier.com/locate/pla
Received 6 February 2006; received in revised form 31 January 2007; accepted 2 February 2007
Available online 13 February 2007
Communicated by A.R. Bishop
Abstract
In this Letter we address some basic questions about chaotic cryptography, not least the very definition of chaos in discrete systems. We propose
a conceptual framework and illustrate it with different examples from private and public key cryptography. We elaborate also on possible limits
of chaotic cryptography.
© 2007 Elsevier B.V. All rights reserved.
0375-9601/$ – see front matter © 2007 Elsevier B.V. All rights reserved.
doi:10.1016/j.physleta.2007.02.021
212 J.M. Amigó et al. / Physics Letters A 366 (2007) 211–216
arithmetic libraries with which several hundreds of exact dec- Definition 2.1. Let X be a finite-measure space and f : X →
imal digits can be obtained. Notwithstanding, there are two X a map. Let X = {A1 , . . . , AN () } be a family of partitions
good reasons for not using floating-point arithmetic in chaos- of X, labelled by a parameter , say, the partition norm, such
based cryptography. First, ‘random’ floating-point numbers are that lim→0 X = E, the partition of X into separate points.
not uniformly distributed over any given interval of the real Furthermore, given a family of maps f : X → X, define the
axis (see [15, Section 4.2.4]). Furthermore, there exist redun- extensions f¯ : X → X as f¯ (x) = f (An ) if x ∈ An ∈ X .
dant number representations. Indeed, due to the normalized We say that (X , f ) is a discrete approximation of (X, f ) if,
calculations in floating-point arithmetic, different floating-point moreover, lim→0 f¯ = f in some relevant sense (depending
numbers can represent the same real signal value. Second—the on the structure we put on X).
most important reason—there are no analytical tools for under-
standing the periodic structure of the orbits in the floating-point This definition of discrete approximation is an idealization
implementation of chaotic maps. Consequently, we recommend of what actually happens when computing real functions with
to formulate the discrete chaotic dynamics on the integers, as computers, as the following example shows.
we do below.
The scope of this Letter is to formalize the concept of chaotic Example 2.2. Let X = [0, 1], X = {Ii : 0 i 10e − 1},
cryptography at the light of those principles that have stood the where Ii = [i10−e , (i + 1)10−e ) for 0 i 10e − 2, I10e −1 =
pass of time. Furthermore, it should be explained, what ‘chaos’ [1 − 10−e , 1] and = 10−e . Set
means in discrete systems. We propose a definition of discrete
chaos and show that discretization and truncation of chaotic or- f (Ii ) = f i10−e ,
bits cannot provide the most chaotic permutations in the limit
where f : [0, 1] → [0, 1] is a continuous function, and
of ever finer discretizations, what unveils some basic (though
asymptotic) shortcoming of this technique. Independently of
10e −1
the approach to discrete chaos, the cryptographic primitives f¯ (x) = f j 10−e χIj (x)
and ciphers considered in the literature share definitively some j =0
general properties that characterize them as chaotic. We have
tried to distilled them out of the great variety of such proposals (where χIj is the characteristic function of Ij , i.e., χIj (x) = 1 if
and hope that our present contribution will bring some unifying x ∈ Ij and 0 otherwise), so that f¯ (x) = f (i10−e ) iff i10−e
ideas into the picture. x < (i + 1)10−e . Because of continuity, |f (x) − f (y)| < ε if
|x − y| < δ. Choose now δ and i =
x10e to conclude that
|f (x) − f¯ (x)| = |f (x) − f (i10−e )| < ε. Hence, (X , f ) is
2. Chaotic cryptographic primitives a discrete approximation of (X, f ).
We have explained in the introduction how chaotic cryptog- Clearly, the intervals Ii of Example 2.2 consist of all real
raphy uses discrete approximations of chaotic maps, rather than numbers being internally represented by our ideal computer as
chaotic maps themselves. These approximations, in turn, can be i10−e . Equivalently, we could have defined f rather on a dis-
directly translated into maps on the integers—the kind of maps crete set S ⊂ [0, 1] as, e.g., f (i10−e ) =
f (i10−e )10e 10−e
used by conventional cryptography. We begin by formalizing on {0, 10−e , . . . , 1 − 10−e , 1}. We go from one to the other for-
the concept of discrete approximation. mulation by taking S to comprise, say, the left endpoints of X
The minimal framework we need is that of measure the- (except for the rightmost interval, where we take also the right
ory. We say that (X, A, μ) is a measure space if X is a non- endpoint) and restricting f from X to S or, in the other direc-
empty set, A is a sigma-algebra of subsets of X and μ is a tion, by extending f from S to X constantly on each element
measure on (X, A). If μ(X) < ∞, (X, A, μ) is called a finite- of X . But the formulation with partitions is technically more
measure space. Typically, X will be a compact topological convenient (especially in higher-dimensional intervals) since
or even metric space (think of a finite interval of Rn or of then f extends straightforwardly to f¯ and, in fact, both can
an n-torus). In this cases, A can be chosen to be the Borel be identified—as we will do wherever convenient.
sigma-algebra (generated by the open sets) and μ the corre- The next example may result less familiar.
sponding Lebesgue measure. By a chaotic map on X we will
understand a μ-invariant map f : X → X (i.e., f −1 A ∈ A and Example 2.3. (See [16].) Suppose f is an automorphism of the
μ(f −1 A) = μ(A) for all A ∈ A) that is strong mixing with re- finite-measure space (X, A, μ), i.e., f is a one-to-one map of
spect to μ (i.e., limn→∞ μ(A1 ∩ f −n A2 ) = μ(A1 )μ(A2 ) for X onto itself such that both f and f −1 are μ-invariant. We
all A1 , A2 ∈ A). Finally, we consider sequences of finite partitions {Pn } of the space X,
say that P = {A1 , . . . , AN } ⊂ (n)
A is a partition of X if N n=1 An = X and Ai ∩ Aj = ∅ Pn = {Pk : 1 k qn }, such that limn→∞ Pn = E (the parti-
for all i = j . A norm of P is any uniform measure of the tion of X into separate points) and sequences of automorphisms
size of its elements (e.g., maximal length, maximal diame- {fn } such that fn preserves Pn (i.e., fn sends every element of
ter, etc.). In order to streamline the notation, we will usually Pn into an element of the same partition). We say that an auto-
refer only to X, with the underlying A and μ being under- morphism f of the space (X, A, μ) possesses an approximation
stood. by periodic transformations with speed ϑ(n), if there exists a
J.M. Amigó et al. / Physics Letters A 366 (2007) 211–216 213
sequence of automorphisms fn preserving Pn such that would like to elaborate on chaotic cryptographic primitives
(ZM , FM ) from the point of view of discrete chaos [14].
qn
(n) (n)
μ f Pk fn Pk < ϑ(qn ), n = 1, 2, . . . ,
k=1
Definition 3.1. Let S = {ξ0 , ξ1 , . . . , ξM−1 } be a linearly or-
dered set by means of the order ≺, endowed with a metric
where stands for symmetric set difference and ϑ is a func- d(·,·), and let F : S → S be a bijection (or, equivalently, an M-
tion on the integers such that ϑ(n) → 0 monotonically. The permutation). We define the discrete Lyapunov exponent of f
sequence (Pn , fn ) is a discrete approximation of (X, f ) (with on (S, ≺, d), λF , as
the conventional label → 0 replaced here by n → ∞).
1 d(F (ξi ), F (ξi+1 ))
M−2
Before illustrating in the next section the concepts of chaotic such that limM→∞ λFM = ∞. On the other hand, given a fam-
cryptographic primitives and algorithms with examples, we ily of permutations (ZM , FM ) generated by a chaotic map f
214 J.M. Amigó et al. / Physics Letters A 366 (2007) 211–216
on, say, [0, 1], it is impossible, in general, to recover f since, where A takes integer values in {1, 2, . . . , M}. The inverse of
on the way from f to FM , essential information on f gets FA,M is calculated as
lost. Only in cases similar to Example 2.2, in which each FM ⎧ ξ M−ξ
has been gained via a uniform partition X = {Ii : 0 i ⎨ ξ1 if θ (η) = η, A1 > M−A2 ,
−1
N() − 1}, M N(), and the action of FM is known on FA,M (η) ≡ ξ2 if θ (η) = η, ξ1 M−ξ2 ,
⎩ A M−A
{0, 1, . . . , N() − 1} for a sequence N () → ∞, we can re- ξ1 if θ (η) = η + 1,
verse the recipe (1), where
nj A A
f (Ii ) = if FM (i) = j, ξ1 ≡ η , ξ2 ≡ −1 η+M
M M M
and reconstruct ([0, 1], f ) by means of the discrete approxima- and
tions (X , f ) in the usual way.
A A
θ (η) ≡ η + η − η + 1.
M M
Definition 3.4. We say that the family of permutations
n (ξ ) and
(ZM , FM ) is discretely chaotic if 0 < limM→∞ λFM < ∞. The encryption and decryption functions are FA,M
−n
FA,M (η), respectively, where n is the numbers of rounds.
This definition can be generalized to non-bijective maps on
ordered sets; see [14] for details. 4.2. Finite-state Chebyshev maps
It can be proven [14] that λFM λFMmax for all permutations
FM on ZM = {0, 1, . . . , M − 1} endowed with Euclidean dis- The Chebyshev polynomial maps Tn : R → R of degree n =
tance d(i, j ) = |i − j |. Thus, we may claim that FM max is the 0, 1, . . . are defined the recursion
‘most discretely chaotic’ map on (ZM , <, | · |) in the sense
Tn (x) = 2xTn−1 (x) − Tn−2 (x) for n 2,
that its discrete Lyapunov exponent takes the largest possible
max ) is not a chaotic cryptographic primitive
value—but (ZM , FM and T0 (x) = 1, T1 (x) = x. The interval [−1, 1] is invariant
because limM→∞ λFM = ∞. We come to the conclusion that under the action of the map Tn : Tn ([−1, 1]) = [−1, 1]. Alter-
discretization and truncation of chaotic orbits cannot deliver the natively, one can define
most discretely chaotic permutations—at least on (ZM , <, | · |).
This no-go result sets a kind of theoretical limit to the possibil- Tn (x) = cos(n arccos x), −1 x 1.
ities of chaotic cryptography. The Chebyshev polynomial Tn restricted to [−1, 1] is a well-
known chaotic map for all n 2: it has a unique absolutely
4. Examples of chaotic primitives continuous invariant measure,
1
In this section, we present some typical chaotic primitives μ(x) = √
that, furthermore, are used in ciphers proposed in the literature. π 1 − x2
and Lyapunov exponent ln n > 0 with respect to μ. For n = 2,
4.1. Finite-state tent map the Chebyshev map reduces to the logistic map.
It is straightforward to prove that Chebyshev polynomials
have the semi-group property:
For a positive integer M 2 and a ∈ R with 0 < a < M, let
fa : [0, M] → [0, M] be the rescaled skew tent map Tr Ts (x) = Ts Tr (x) = Trs (x).
x
(0 x a), The finite-state Chebyshev map Fn,M : {0, 1, . . . , M − 1} →
a
fa (x) = M−x {0, 1, . . . , M − 1}, M ∈ N, is defined as
M−a (a x M).
Fn,M (ξ ) = Tn (ξ ) (mod M).
The map fa is one-dimensional, exact, and therefore mixing
and ergodic. Its Lyapunov exponent λfa is given by The semi-group property of the finite-state Chebyshev maps
can be used in key-exchange protocols or even in public-key
a a M −a M −a algorithms [21].
λfa = − ln − ln .
M M M M
For a hash function based on the (discretization) of the tent map, 4.3. Finite-state n-dimensional torus automorphisms
see [20].
The finite-state tent map FA,M : {1, 2, . . . , M} → {1, 2, An automorphism of the n-torus Rn /Zn is implemented by
. . . , M} is the bijection defined as an n × n matrix Un with integer entries and determinant ±1.
The requirement that the matrix Un has integer entries ensures
M
ξ (1 ξ A), that Un maps the torus into itself. The requirement that the de-
FA,M (ξ ) ≡ AM
terminant of the matrix Un is ±1 guarantees invertibility. Un
M−A (M − ξ ) + 1 (A ξ M),
is strong mixing if none of its eigenvalues is a root of unity.
J.M. Amigó et al. / Physics Letters A 366 (2007) 211–216 215
The logarithm of the largest eigenvalue of Un coincides with 4.4. Substitutions based on the approximation of mixing maps
the Lyapunov exponent of the automorphism (with respect to
Lebesgue measure). Torus automorphisms are typically used in From the mathematical point of view, a block cipher is a
diffusion layers (i.e., to spread local changes). family of permutations on binary vectors, parameterized by the
The n-torus automorphism key. Alternatively, we may focus only on the permutations de-
fined by some components of the cipher like, most notably,
y = Un x (mod 1), square substitution boxes. Thus, let Fn be a permutation of n-bit
blocks (or an n × n ‘S-box’). Define the linear approximation
where x, y ∈ [0, 1]n , generates the finite-state n-torus map
probability of Fn (LPFn for short) as
η = Un ξ (mod M), LPFn = max LPFn (α, β),
α,β =0
where M ∈ N and ξ, η ∈ (ZM )n .
As an example, consider the
family of 2-dimensional cat maps where
1 2
η1 g+1 g ξ1 LPFn (α, β) = (2p − 1) = 4 p −
2
,
= (mod 256), 2
η2 1 1 ξ2
#{ξ ∈ Zn2 : ξ ◦ α = Fn (ξ ) ◦ β}
where ξ1 , ξ2 , η1 , η2 , g ∈ Z256 . The special case g = 1 is known p=
2n
as the pseudo-Hadamard transform (PHT),
and ξ ◦ α := ξ1 α1 ⊕ · · · ⊕ ξn αn is the parity of the bitwise prod-
2 1 uct of ξ and α (and analogously for Fn (ξ ) ◦ β). Next, define the
H2 = , differential approximation probability of Fn (DPFn for short) as
1 1
and it is used in various cryptosystems because it requires only DPF = max DPF (α, β),
two additions in a digital processor. α =0,β
Finite-state maps of the 2- and 4-torus have been proposed where α is the so-called input difference, β the output differ-
in the literature for the diffusion layers of, for instance, 8-byte ence and
Feistel ciphers whose half-round function acts on 4-byte blocks
[22]. A half-round consists of four chaotic 4 × 4 S-boxes, each #{ξ ∈ Zn2 : F (ξ ) ⊕ F (ξ ⊕ α) = β}
DPF (α, β) = .
one built by interleaving the PHT and the 4-byte Hadamard- 2n
type permutation Here ξ ⊕ α = (ξ1 ⊕ α1 , . . . , ξn ⊕ αn ) denotes the component-
⎛ ⎞ wise XOR (or vector addition modulo 2) of the n-bit blocks ξ
1 0 0 0
and α (and analogously for F (ξ ) ⊕ F (ξ ⊕ α)); see [24] for
⎜0 0 1 0⎟
R4 = ⎝ ⎠ details. LPFn and DPFn measure the immunity of the block
0 1 0 0
cipher Fn to attacks mounted on linear and differential crypt-
0 0 0 1
analysis, respectively, immunity being higher the smaller their
in the form values. In [24] we have shown that if Fn is a cyclic periodic
⎛ ⎞ ⎛ ⎞ approximation of a mixing automorphism F and some assump-
η1 ξ1
tions are fulfilled, then LPFn and DPFn get asymptotically close
⎜ η2 ⎟ ⎜ ξ2 ⎟ to their greatest lower bounds 1/2n and 1/2n−1 , respectively,
⎝ ⎠ = H4 R4 H4 ⎝ ⎠ (mod 256),
η3 ξ3
thus obtaining an arbitrarily close-to-optimal immunity to both
η4 ξ4
cryptanalyses—the faster the approximation of Fn to F , the
where higher the immunity of the permutation Fn [24]. Therefore, we
have proven, as suggested by Shannon, that, in principle, mix-
H2 0 ing transformations may indeed be used in encryption systems.
H4 = .
0 H2 Unfortunately, the proofs are non-constructive so that one has
The branch number and the minimal Euclidean stretching of to content oneself with heuristic implementations of the under-
this sort of mixing transformations (or layers) were studied in lying idea.
[22]. The branch number is the sum of the number of active As an example, consider the 2-torus automorphism U2 =
input S-boxes and the number of active output S-boxes, min- (tij ) with
imized over the input space; it is an important parameter in
t11 = 587943273, t12 = 185921552200509715,
differential cryptanalysis.
t21 = 2, t22 = 632447247.
Affine transformations on the n-torus in chaos synchro-
nization-based cryptography have been studied in [23]. As men- For this chaotic map, the corresponding (heuristic) periodic ap-
tioned in the introduction, these maps have the nice property proximation with n = 18 has the following values of DP and
that the precision of the initial point does not degrade along its LP: LP = 0.00002629 with |LP − 2−18 | = 2.25 × 10−5 , and
orbit. DP = 0.00003052 with |DP − 2−17 | = 2.29 × 10−5 [24].
216 J.M. Amigó et al. / Physics Letters A 366 (2007) 211–216
5. Final remarks and conclusions ish Ministry of Science and Education (Ref. MTM2005-04948)
and by European Funds FEDER.
In this Letter we have proposed some theoretical concepts
underlying digital chaos-based cryptography and presented
some basic implementations of chaotic cryptographic primi- References
tives. Needless to say, our exposition is far from exhaustive,
being rather meant as a general view of what is going on in a [1] K.M. Cuomo, A.V. Oppenheim, S.H. Strogatz, IEEE Trans. Circuits Sys-
field of rapid growth. Also for this reason, we have renounced tems II 40 (1993) 626.
to present here more recent developments in chaotic cryptology, [2] U. Parlitz, L.O. Chua, L. Kocarev, K.S. Halle, A. Shang, Int. J. Bifur.
Chaos 2 (1992) 973.
since time is needed to asses their security.
[3] Z.P. Jiang, IEEE Trans. Circuits Systems I 49 (2002) 92.
To complete the picture, some words of caution are in or- [4] G. Millerioux, J. Daafouz, IEEE Trans. Circuits Systems I 50 (2003) 1270.
der here. Although, at theoretical level, it seems that chaotic [5] G. Alvarez, S. Li, Int. J. Bifur. Chaos 16 (2006) 2129.
systems are ideal candidates for cryptographic primitives (re- [6] M.S. Baptista, Phys. Lett. A 240 (1998) 50.
member, for example, that periodic approximations of mixing [7] R. Schmitz, J. Franklin Inst. 338 (2001) 429.
[8] G. Jakimoski, L. Kocarev, IEEE Trans. Circuits Systems I 48 (2001) 163.
automorphisms have arbitrary close to optimal immunity to lin-
[9] L. Kocarev, IEEE Circuits Systems Magazine 1 (2001) 6.
ear and differential cryptanalysis, Section 4.4), at the practical [10] L. Kocarev, G. Jakimoski, IEEE Trans. Circuits Systems I 50 (2003) 123.
level, chaotic ciphers are still slower than the corresponding [11] R. Tenny, L.S. Tsimring, L. Larson, H.D.I. Abarbanel, Phys. Rev. Lett. 90
conventional ones. Thus, the public-key cipher proposed in (2003) 047903.
[21], based on the finite-state Chebyshev map, is slower than [12] R. Mislovaty, E. Klein, I. Kanter, W. Kinzel, Phys. Rev. Lett. 91 (2003)
118701.
RSA, and the 128-bit block cipher proposed in [22], that in-
[13] L. Kocarev, M. Sterjev, P. Amato, in: Proceeding of ISCAS 2004, vol. IV,
cludes sixteen 8 × 8 S-boxes (all the same) designed with the pp. 578–581.
finite-state tent map and a finite-state 4-dimensional torus map [14] L. Kocarev, J. Szczepanski, J.M. Amigó, I. Tomovski, IEEE Trans. Cir-
as chaotic mixing transformation, is also slower than the best cuits Systems I 53 (2006) 1300.
conventional algorithms, such as AES. In connection with this, [15] D.E. Knuth, The Art of Computer Programming, vol. 2, Addison–Wesley,
Reading, MA, 1998.
let us remind that we showed in Section 3 that chaotic cryp-
[16] I.P. Cornfeld, S.V. Fomin, Y.G. Sinai, Ergodic Theory, Springer, New
tographic primitives cannot be the most discretely chaotic per- York, 1982.
mutations in the sense of Definition 3.4. Since this result is of [17] J.M. Amigó, L. Kocarev, J. Szczepanski, Phys. Lett. A 355 (2006) 27.
asymptotic nature, we believe that it has no practical conse- [18] L. Kocarev, J. Szczepanski, Phys. Rev. Lett. 93 (2004) 234101.
quences but, nevertheless, it does put limits (if theoretical) to [19] J.M. Amigó, J. Szczepanski, Int. J. Bifur. Chaos 13 (2003) 1937.
[20] X. Yi, IEEE Trans. Circuits Systems II 52 (2005) 354.
chaotic cryptography.
[21] L. Kocarev, M. Sterjev, A. Fekete, G. Vattay, Chaos 14 (2004) 1078;
We may conclude that reaching the same standards of secu- L. Kocarev, J. Makraduli, P. Amato, Circuits Systems Signal Process. 24
rity and speed as in conventional cryptography, should be the (2005) 497.
priority of chaotic cryptography in the next future. [22] N. Masuda, G. Jakimoski, K. Aihara, L. Kocarev, IEEE Trans. Circuits
Systems I 53 (2006) 1341.
Acknowledgements [23] L. Rosier, G. Millerioux, G. Bloch, Systems Control Lett. 55 (2006) 223.
[24] J. Szczepanski, J.M. Amigó, T. Michalek, L. Kocarev, IEEE Trans. Cir-
cuits Systems I 52 (2005) 443.
The authors are very thankful to the referees for their con-
structive criticism. This work was partially funded by the Span-