5. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
6. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
Synchronization
7. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
Synchronization
Security problems
8. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
Synchronization Differential
Equations
Security problems
9. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
Synchronization Differential
Equations
Security problems Dimension > 2
10. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
Synchronization Differential
Equations
Security problems Dimension > 2
Efficiency problems
11. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
Synchronization Differential
Equations
Security problems Dimension > 2
Efficiency problems
12. How to design
secure digital
chaos-based cryptosystems
13. Avoid critical contexts
Conventional cryptography Chaos theory
Standards Loss of chaoticity
Commitments Reconstruction of the
underlying dynamics
Conventional attacks
14. Avoid critical contexts
Conventional cryptography Chaos theory
Standards Loss of chaoticity
Commitments Reconstruction of the
underlying dynamics
Conventional attacks
23. Estimation of λ and/or x0 after applying
conventional attacks
1 Access to chaotic orbits
2 We can measure the entropy of the
underlying chaotic map
3 Access to samples of chaotic orbits
4 Access to coarse-grained versions of
chaotic orbits
24. xi+1
xi+1 = f (xi )
Orbit : {x0, x1, . . .}
f (a) = f (b), f (xc ) ≤ b
xc = Single turning point
f continuous in [a, b]
xi
a xc b
26. xi /λ 0 < xi < λ
Skew tent map: xi+1 =
(1 − xi )/(1 − λ ) λ ≥ xi < 1
xi+1
λ
xi
0 1
27. Access to chaotic orbits
Ciphertext is a function of a chaotic orbit
28. Access to chaotic orbits
Ciphertext is a function of a chaotic orbit
Only the chaotic orbit is secret
29. Access to chaotic orbits
Ciphertext is a function of a chaotic orbit
Only the chaotic orbit is secret
Kerckhoff’s principle:
we know the function and
xn+1 = f (λ , xn ), xn ∈ Rm
30. Access to chaotic orbits
Ciphertext is a function of a chaotic orbit
Only the chaotic orbit is secret
Kerckhoff’s principle:
we know the function and
xn+1 = f (λ , xn ), xn ∈ Rm
Estimation of λ from m + 1 units of ciphertext
31. B. Ling et al.,
“Chaotic filter bank for computer
cryptography,” Chaos, Solitons
and Fractals, 2007, 34, 817-824
32. Plaintext: {pn }
tn = K ∑ pj h2n−j
∀j
tn = K ∑ pj h2n−j
∀j
vn = tn + tn + sn
vn = tn − vn − sn
33. Plaintext: {pn }
tn = K ∑ pj h2n−j
∀j
tn = K ∑ pj h2n−j
∀j
vn = tn + tn + sn
Logistic map
vn = tn − vn − sn
35. Known-plaintext attack: {pn }, {vn }, {vn }
sn = vn − tn − tn
sn = tn − vn − vn
sn+1
λ=
sn (1 − sn )
sn+1
λ =
sn (1 − sn )
36. David Arroyo et al., “Cryptanalysis
of a computer cryptography scheme
based on a filter bank,” Chaos, Soli-
tons and Fractals, 2009, 41, 410-413
37. Entropy of the underlying chaotic map
Why? How? Design Rules
Critical
1 2 3
contexts
38. Entropy
Orbit ⇒ Probability distribution
Discretization of Discretization in the
the phase space frequency domain
Relative number of Relative energy of
values in subintervals resolution levels
39. n-gram conditional entropy
Split the phase space into J disjoint intervals
Convert chaotic orbits into sequences of symbols
Group the symbols into words of length n
(n)
pri : probability of i-th word, 0 ≤ i ≤ J n
n (n) (n)
Hn = − ∑J pri
i=1 log pri
hn = Hn+1 − Hn , h0 = H1
45. Shape of histograms
of chaotic orbits
depending on λ
Sampling on chaotic orbits
Estimation of λ
46. A.N. Pisarchik et al. “Encryp-
tion and decryption of images
with chaotic map lattices,” Chaos,
2006, 16, Art. No. 033118
47. λ2
Logistic map, xmin = 4 (1 − 4 ),
λ
xmax = λ , plaintext {pi }J
4 i=1
r = 1, yi0 = {pi }
yJ −1 if i = 1
r
x0 =
yir i.o.c
Iterate n times the logistic map from x0 to get xn
yir = xn + yir −1 and subtract xmax − xmin until yir ∈ [xmin , xmax ]
48. yJ −1 if i = 1
r
x0 =
yir i.o.c
Iterate n times the logistic map from x0 to get xn
yir = xn + yir −1 and subtract xmax − xmin until yir ∈ [xmin , xmax ]
r = r +1
r <R
72. f (2)(x) 0 0 0 011 110 101
001 010 111 100
xc
x
a xc b
73. X. Wang et al.,
“A new chaotic cryptography based
on ergodicity,” International Journal of
Modern Physics B, 2008, 22, 901-908
74. Logistic map: x0 and λ secret key
pi is a word with w bits
Ciphertext: number of
iterations to find pi in the
binary sequence generated
from the logistic map
83. Binary sequence of length N
Sliding window of length M and compute GON
Estimation of λ through a binary search from the maximum GON
ˆ ˆ
GONM (λ , λ ) = GONmax
4
Estimation of x0 using the estimation of λ and the binary sequence
84. Chosen-ciphertext attack
Ask for the decryption of w · i
0 returns the first w bits,
w the following w bits, . . .
GM (x0, λ ) ⇒ λ , x0
85. Parameter estimation error
−4
c estimation error (Logarithmic scale) 10
−6
10
−8
10
−10
10
−12
10
0 2 4 6 8 10
M 5
x 10
86. Error in the estimation of the initial
condition
0
10
x0 estimation error (Logarithmic scale)
−5
10
−10
10
−15
10
−20
10
10 20 30 40 50 60
N
87. David Arroyo et al.,
“Cryptanalysis of a new chaotic
cryptosystem based on ergodicity,”
International Journal of Modern
Physics B, 2009, 23, 651-659
89. Previous attack only works if
GONM (λ , fλ (xc ))
depends on
on the control parameter
90. Is the cryptosystem secure
if the logistic map
is replaced by
the skew tent map?
91. David Arroyo et al., “Estimation
of the control parameter from
symbolic sequences: Unimodal
maps with variable critical point,”
Chaos, 2009, 19, Art. No. 023125
92. λ can be estimated
from the PDF of
order patterns
93. xi+i = f (xi )
[x0, x1, x2, . . . , xL−1]
π(x0) = [π0, π1, . . . , πL−1]
πi permutation |πi → i
f π0 (x0) < f π1 (x0) < · · · < f πL−1 (x0)
94. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
95. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225,
96. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225,
97. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225, 0.6245
98. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225, 0.6245
99. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225, 0.6245, 0.751,
100. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225, 0.6245, 0.751,
101. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225, 0.6245, 0.751, 0.498]
102. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225, 0.6245, 0.751, 0.498] ⇒ π(0.31225) = [0, 3, 1, 2]
103. The intersections between
f 0(x), f 1(x), . . . , f L−1(x)
determine intervals
with initial conditions
leading to the same order pattern
120. Digital chaos-based cryptosystem
Chaotic map Encryption architecture
Loss of chaoticity
Stream cipher Block cipher
Bijections in entropy measures
Linear complexity Differential attack
Leaking of the underlying order
Correlation attacks Linear attacks
Defective probability distribution
... ...
121. Design rules I
1 Assure the chaotic behavior of the
underlying dynamical systems
2 Guarantee avalanche effect
3 High level of entropy without leaking of
the values of control parameters
4 Definition of the ciphertext avoiding the
reconstruction of the underlying chaotic
dynamics
122. Design rules II
5 Chaotic maps with flat histograms and
width of the phase space independent of
the control parameters
6 Selection of chaotic maps with high
sensitivity to control parameter mismatch
7 The number of iterations of chaotic maps
can not be part of the key
123. Control parameter a=3.8204607418 Control parameter a=3.8294707872
150 150
j=1
j=2
Time in seconds
Time in seconds
100 j=3 100
50 50
0 0
0 50 100 0 50 100
n×j n×j
Control parameter a=3.8743936381 Control parameter a=3.9771765651
150 150
Time in seconds
Time in seconds
100 100
50 50
0 0
0 50 100 0 50 100
n×j n×j
124. David Arroyo et al.,
“On the security of a new image
encryption scheme based on
chaotic map lattices,” Chaos,
2008, 18, Art. No. 033112
125. Chaos-based
5
cryptography
SCI
Unimodal
7
maps
International 8
CONFERENCES
National 8
130. Framework for the analysis and design
of encryption strategies
based on discrete-time
chaotic dynamical systems
david.arroyo@iec.csic.es
http://hdl.handle.net/10261/15668