1. Framework for the analysis and design
of encryption strategies
based on discrete-time
chaotic dynamical systems
˜
David Arroyo Guardeno

2. From chaos to cryptography
Why? How? Design Rules
Critical
1 2 3
contexts

3. Perfect secrecy
Good mixing
properties. . .
Hopf: dough
rolling and
folding. . .

4. Initial condition
Sensitivity Diffusion
Control
parameter
Mixing Ergodicity Confusion

5. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time

6. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
Synchronization

7. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
Synchronization
Security problems

8. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
Synchronization Differential
Equations
Security problems

9. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
Synchronization Differential
Equations
Security problems Dimension > 2

10. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
Synchronization Differential
Equations
Security problems Dimension > 2
Efficiency problems

11. ENCRYPTION
T=R T=Z
Chaos in Chaos in Chaos in
continuous time continuous time discrete time
Synchronization Differential
Equations
Security problems Dimension > 2
Efficiency problems

12. How to design
secure digital
chaos-based cryptosystems

13. Avoid critical contexts
Conventional cryptography Chaos theory
Standards Loss of chaoticity
Commitments Reconstruction of the
underlying dynamics
Conventional attacks

14. Avoid critical contexts
Conventional cryptography Chaos theory
Standards Loss of chaoticity
Commitments Reconstruction of the
underlying dynamics
Conventional attacks

15. Loss of chaoticity
Why? How? Design Rules
Critical
1 2 3
contexts

16. For xk+1 = f (λ , xk ) = fλ (xk )
it can not be assumed
chaos for all λ

17. C. Chee and D.Xu,
“Chaotic encryption using discrete-
time synchronous chaos,” Physics
Letters A, 2006, 348, 284-292

18. 2
uk+1 1 − δ · uk + vk
xk+1 = =
vk+1 β · vk
δ = ψ (pk ) · µ1 (vk )
β = µ2 (vk )

19. 2
1.8
Unbounded
δ 1.6
1.4
Periodic
1.2
−0.4 −0.2 0 0.2 0.4
β

20. 1.6
1.4
1.2
1
Asymptotic values
0.8
0.6
0.4
0.2
0
−0.2
0 0.5 1 1.5 2 2.5 3
Plaintext block values 14
x 10

21. David Arroyo et al.,
“Cryptanalysis of a discrete-time syn-
chronous chaotic encryption system,”
Physics Letter A, 2008, 372, 1034-1039

22. Reconstruction of dynamics
Why? How? Design Rules
Critical
1 2 3
contexts

23. Estimation of λ and/or x0 after applying
conventional attacks
1 Access to chaotic orbits
2 We can measure the entropy of the
underlying chaotic map
3 Access to samples of chaotic orbits
4 Access to coarse-grained versions of
chaotic orbits

24. xi+1
xi+1 = f (xi )
Orbit : {x0, x1, . . .}
f (a) = f (b), f (xc ) ≤ b
xc = Single turning point
f continuous in [a, b]
xi
a xc b

25. Logistic map: xi+1 = λ xi (1 − xi )
xi+1
λ
xi
0 xc 1

26. xi /λ 0 < xi < λ
Skew tent map: xi+1 =
(1 − xi )/(1 − λ ) λ ≥ xi < 1
xi+1
λ
xi
0 1

27. Access to chaotic orbits
Ciphertext is a function of a chaotic orbit

28. Access to chaotic orbits
Ciphertext is a function of a chaotic orbit
Only the chaotic orbit is secret

29. Access to chaotic orbits
Ciphertext is a function of a chaotic orbit
Only the chaotic orbit is secret
Kerckhoff’s principle:
we know the function and
xn+1 = f (λ , xn ), xn ∈ Rm

30. Access to chaotic orbits
Ciphertext is a function of a chaotic orbit
Only the chaotic orbit is secret
Kerckhoff’s principle:
we know the function and
xn+1 = f (λ , xn ), xn ∈ Rm
Estimation of λ from m + 1 units of ciphertext

31. B. Ling et al.,
“Chaotic filter bank for computer
cryptography,” Chaos, Solitons
and Fractals, 2007, 34, 817-824

32. Plaintext: {pn }
tn = K ∑ pj h2n−j
∀j
tn = K ∑ pj h2n−j
∀j
vn = tn + tn + sn
vn = tn − vn − sn

33. Plaintext: {pn }
tn = K ∑ pj h2n−j
∀j
tn = K ∑ pj h2n−j
∀j
vn = tn + tn + sn
Logistic map
vn = tn − vn − sn

34. Plaintext: {pn }
tn = K ∑ pj h2n−j
∀j
tn = K ∑ pj h2n−j
∀j
vn = tn + tn + sn
Logistic map
vn = tn − vn − sn
Ciphertext: {vn } , {vn }, Key: λ , λ , s0 , s0

35. Known-plaintext attack: {pn }, {vn }, {vn }
sn = vn − tn − tn
sn = tn − vn − vn
sn+1
λ=
sn (1 − sn )
sn+1
λ =
sn (1 − sn )

36. David Arroyo et al., “Cryptanalysis
of a computer cryptography scheme
based on a filter bank,” Chaos, Soli-
tons and Fractals, 2009, 41, 410-413

37. Entropy of the underlying chaotic map
Why? How? Design Rules
Critical
1 2 3
contexts

38. Entropy
Orbit ⇒ Probability distribution
Discretization of Discretization in the
the phase space frequency domain
Relative number of Relative energy of
values in subintervals resolution levels

39. n-gram conditional entropy
Split the phase space into J disjoint intervals
Convert chaotic orbits into sequences of symbols
Group the symbols into words of length n
(n)
pri : probability of i-th word, 0 ≤ i ≤ J n
n (n) (n)
Hn = − ∑J pri
i=1 log pri
hn = Hn+1 − Hn , h0 = H1

40. Conditional entropy of the logistic map
0.7
n=4
0.6 n=6
n=8
n=10
0.5 n=12
0.4
hn
0.3
0.2
0.1
0
3.5 3.6 3.7 3.8 3.9 4
λ

41. Conditional entropy of the skew tent map
0.7
0.6
0.5
0.4
hn
0.3
n=4
0.2 n=6
n=8
n=10
0.1 n=12
0
0 0.2 0.4 0.6 0.8 1
λ

42. Multiresolution Entropy
0.4
λ=3.5
MRET1 λ=3.8123
0.2 λ variable
0
1000 2000 3000 4000 5000 6000 7000 8000 9000
0.4
λ=3.5
λ=3.8123
MRET2
0.2 λ variable
0
1000 2000 3000 4000 5000 6000 7000 8000 9000
0.4
λ=3.5
λ=3.8123
MRET3
0.2 λ variable
0
1000 2000 3000 4000 5000 6000 7000 8000
Temporal variable

43. High level of entropy
without leaking
the values of λ

44. Samples of chaotic orbits
Why? How? Design Rules
Critical
1 2 3
contexts

45. Shape of histograms
of chaotic orbits
depending on λ
Sampling on chaotic orbits
Estimation of λ

46. A.N. Pisarchik et al. “Encryp-
tion and decryption of images
with chaotic map lattices,” Chaos,
2006, 16, Art. No. 033118

47. λ2
Logistic map, xmin = 4 (1 − 4 ),
λ
xmax = λ , plaintext {pi }J
4 i=1
r = 1, yi0 = {pi }
yJ −1 if i = 1
r
x0 =
yir i.o.c
Iterate n times the logistic map from x0 to get xn
yir = xn + yir −1 and subtract xmax − xmin until yir ∈ [xmin , xmax ]

48. yJ −1 if i = 1
r
x0 =
yir i.o.c
Iterate n times the logistic map from x0 to get xn
yir = xn + yir −1 and subtract xmax − xmin until yir ∈ [xmin , xmax ]
r = r +1
r <R

49. 80
70
60
50
40
30
20
10
0
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
2
λ (1−λ/4) λ/4

50. Ciphertext-only attack
xmax = max yiR
ˆ
ˆ ˆ
λ ≈ λ = 4 · xmax

51. David Arroyo et al., “On the security
of a new image encryption scheme
based on chaotic map lattices,”
Chaos, 2008, 18, Art. No. 033112

52. Coarse-grained versions of chaotic orbits
Why? How? Design Rules
Critical
1 2 3
contexts

53. Assign a partition to the phase space
1 Stream cipher
2 Searching based chaotic ciphers

54. Stream cipher
xi+1
xi+1
xi
a xiL xc xiR b

55. Stream cipher
xi+1
xi
a x0 xc b

56. Stream cipher
xi+1
L
xi
a x0 xc b

57. Stream cipher
xi+1
L R
xi+1 = xi
xi
a x0 xc x1 b

58. Stream cipher
xi+1
L R R
xi+1 = xi
xi
a x0 xcx2x1 b

59. Stream cipher
xi+1
01 1 ... Binary sequence
xi+1 = xi
xi
a x0 xcx2x1 b

60. A.P. Kurian and S. Puthusserypady,
“Self-synchronizing chaotic
stream ciphers,” Signal Pro-
cessing, 2008, 88, 2442-2452

61. Binit
Logistic map
Bks
≥ xc Shuf f ler Ciphertext
Skew tent map
Plaintext

62. Binit
Logistic map
Bks Bks B sh = π(B init ||B ks) =
≥ xc Shuf f ler ˆ
B sh (λ, x0 )
Skew tent map
0

63. Chosen-plaintext attack
2N
ˆ
sh
B (λ , x0) ⇒ Pr1 = prj
(1)
j=1
2N
(i,k)
B ks (λ i , x k ) ⇒ Pr(i,k) = prj
j=1
Wootters’ distance
2N
−1 (1) (i,k)
DW (Pr1, Pr(i,k)) = cos ∑ prj · prj
j=1

64. 1.6
1.4
Wootters’ distance 1.2
1
0.8
0.6
0.4
0.2
0
1
x
0
0.5
0
0 0.2 0.4 0.6 0.8 1
λ

65. 1.5
Wootters’ distance
1.4
1.3
1.2
1.1
1
0.8
0.6
x
0 0.4
0.2
3.95
3.9
3.85
3.8 λ

66. David Arroyo et al.,
“Cryptanalysis of a family of self-
synchronizing chaotic stream
ciphers”, Submitted to Signal
Processing on 17 March, 2009

67. Coarse-grained versions of chaotic orbits
Why? How? Design Rules
Critical
1 2 3
contexts

68. Searching based chaotic ciphers
Plaintext alphabet
a1
Phase space
Partition a2
ak
a|A|

69. Searching based chaotic ciphers
Plaintext alphabet
fλ M
Phase space
M (x
=c 0)
iph
er
tex ak
t

70. f (0)(x)
0 1
x
a xc b

71. f (x) 00 01 11 10
xc
x
a xc b

72. f (2)(x) 0 0 0 011 110 101
001 010 111 100
xc
x
a xc b

73. X. Wang et al.,
“A new chaotic cryptography based
on ergodicity,” International Journal of
Modern Physics B, 2008, 22, 901-908

74. Logistic map: x0 and λ secret key
pi is a word with w bits
Ciphertext: number of
iterations to find pi in the
binary sequence generated
from the logistic map

75. Symbolic dynamics of unimodal maps
Chosen-ciphertext attack

76. Gray Ordering Number
GM (λ , x) = g0 g1 · · · gM−1 , gi ∈ {0, 1}
(i)
gi = 0 ⇔ fλ (x) < xc
(i)
gi = 1 ⇔ fλ (x) ≥ xc
g0 b0
g1 b1
g2 b2
gM−1 bM−1
GON(GM (λ , x)) = 2−1 · b1 + 2−2 · b2 + . . . + 2−(n−1) · bn−1

77. GON for the logistic map
1
0.8 λ=3.4
GON(Pn (x))
0.6
λ
f
0.4
0.2
0
0 0.2 0.4 0.6 0.8 1
x

78. GON for the logistic map
1
0.8 λ=3.6
GON(Pn (x))
0.6
λ
f
0.4
0.2
0
0 0.2 0.4 0.6 0.8 1
x

79. GON for the logistic map
1
0.8
λ=3.8
GON(Pn (x))
0.6
λ
f
0.4
0.2
0
0 0.2 0.4 0.6 0.8 1
x

80. GON for the logistic map
1
0.8
λ=4
GON(Pn (x))
0.6
λ
f
0.4
0.2
0
0 0.2 0.4 0.6 0.8 1
x

81. GON for the logistic map and x0 = fλ (xc )
1
0.95
0.9
GON(Pf (fλ(xc)))
0.85
λ
n
0.8
0.75
0.7
0.65
3 3.2 3.4 3.6 3.8 4
λ

82. GON for the logistic map and x0 = fλ (xc )

83. Binary sequence of length N
Sliding window of length M and compute GON
Estimation of λ through a binary search from the maximum GON
ˆ ˆ
GONM (λ , λ ) = GONmax
4
Estimation of x0 using the estimation of λ and the binary sequence

84. Chosen-ciphertext attack
Ask for the decryption of w · i
0 returns the first w bits,
w the following w bits, . . .
GM (x0, λ ) ⇒ λ , x0

85. Parameter estimation error
−4
c estimation error (Logarithmic scale) 10
−6
10
−8
10
−10
10
−12
10
0 2 4 6 8 10
M 5
x 10

86. Error in the estimation of the initial
condition
0
10
x0 estimation error (Logarithmic scale)
−5
10
−10
10
−15
10
−20
10
10 20 30 40 50 60
N

87. David Arroyo et al.,
“Cryptanalysis of a new chaotic
cryptosystem based on ergodicity,”
International Journal of Modern
Physics B, 2009, 23, 651-659

88. Searching based chaotic ciphers: unimodal maps
Why? How? Design Rules
Critical
1 2 3
contexts

89. Previous attack only works if
GONM (λ , fλ (xc ))
depends on
on the control parameter

90. Is the cryptosystem secure
if the logistic map
is replaced by
the skew tent map?

91. David Arroyo et al., “Estimation
of the control parameter from
symbolic sequences: Unimodal
maps with variable critical point,”
Chaos, 2009, 19, Art. No. 023125

92. λ can be estimated
from the PDF of
order patterns

93. xi+i = f (xi )
[x0, x1, x2, . . . , xL−1]
π(x0) = [π0, π1, . . . , πL−1]
πi permutation |πi → i
f π0 (x0) < f π1 (x0) < · · · < f πL−1 (x0)

94. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1

95. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225,

96. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225,

97. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225, 0.6245

98. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225, 0.6245

99. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225, 0.6245, 0.751,

100. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225, 0.6245, 0.751,

101. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225, 0.6245, 0.751, 0.498]

102. 2xi , 0 < xi < 0.5
f : [0, 1] → [0, 1], xi+1 = f (xi ) =
2(1 − xi ), 0.5 ≥ xi < 1
xi+1
xi
0 1
[0.31225, 0.6245, 0.751, 0.498] ⇒ π(0.31225) = [0, 3, 1, 2]

103. The intersections between
f 0(x), f 1(x), . . . , f L−1(x)
determine intervals
with initial conditions
leading to the same order pattern

104. 1
2
f (x)
3
0.9 f (x)
0.8
0.7
f1(x)
f0(x)
0.6
0.5
0.4
0.3
0.2
0.1
0
0 0.2 0.4 0.6 0.8 1

105. Order patterns
can be used to assign a partition
to the definition domain

106. fλ : I → I, I ⊂ R, λ ∈ J ⊂ R
Pπ = {x ∈ I : x generates the order pattern π}
Pπ depends on λ through fλ

107. xi /λ , 0 < xi < λ
Skew tent map: xi+1 =
(1 − xi )/(1 − λ ), λ ≥ xi < 1
xi+1
λ
xi
0 1

108. [0,1,2,3] [0,3,1,2] [2,0,3,1] [1,2,3,0]
[0,1,3,2] [0,2,1,3] [2,0,1,3] [1,2,0,3]
[0,3,1,2] [2,3,0,1] [3,1,0,2]
[3,0,1,2] [1,3,2,0] [1,2,3,0]
1
? ?? ? ? ? ?
? ? ? ? ? ?
?
f(2)(x)
λ
0.9
0.8
0.7
0.6 f(0)(x) f(1)(x)
λ λ
fλ (k)(x)
0.5
0.4
0.3
0.2
f(3)(x)
λ
0.1
0
0 0.2 0.4 0.6 0.8 1
λ

109. [2,0,3,1]
[0,1,2,3] [0,1,3,2] [0,2,1,3] [2,0,1,3] [1,2,3,0]
[0,3,1,2] [2,0,3,1] [3,1,0,2]
[3,0,1,2] [2,3,0,1] [1,3,2,0]
[0,3,1,2] [1,2,3,0]
1
? ?? ? ?
? ? ? ???
? ? ?
[1,2,0,3]
0.9
0.8
0.7 f(2)(x)
λ
f(3)(x)
λ
0.6
f(1)(x)
(x)
λ
0.5
(k)
λ
f
0.4
0.3
0.2
f(0)(x)
λ
0.1
0
0 0.2 0.4 0.6 0.8 1
λ

110. Order pattern [0, 1, . . . , L − 1]
determined by the
leftmost intersection
L−2 L−1
of the iterates fλ and fλ

111. fλ ergodic with invariant measure µ
Ofλ (x) = {f n (x) : n ∈ N ∪ {0}}
Ofλ (x) visits Pπ with
relative frequency µ(Pπ )

112. Orbit of length M
Sliding window of width L
M − L + 1 order L-patterns
Compute the relative fre-
quency of each order pattern

113. For some fλ (x)
1-to-1 relation between
the relative frequency
of some order pattern
and the control parameter λ

114. Skew tent map
n x/λ n , if 0 ≤ x ≤ λ n
fλ (x) =
(λ n−1 − x)/λ n−1 (1 − λ ), if λ n ≤ x ≤ λ n−1
P[0,1,...,L−1] = (0, φL (λ )), with
λ L−2
φL (λ ) =
2−λ

115. 2
L = 4 ⇒ φ4 = 2−λ
λ
1
0.9
0.8
0.7
Order pattern frequency
0.6
0.5
0.4
0.3
0.2
0.1
0
0 0.2 0.4 0.6 0.8 1
λ

116. Skew tent map
Unimodal map
x1 < x2 ⇒ G(x1) ≤ G(x2)
Order patterns from “coarse-grained” orbits

117. Error in the estimation of λ
−2
10
Mean error value (Logarithmic scale)
−3
10
−4
10
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
λ

118. Finite precision arithmetics
Digital degradation of dynamics
Non-perfect recovery of λ

119. Why? How? Design Rules
Critical
1 2 3
contexts

120. Digital chaos-based cryptosystem
Chaotic map Encryption architecture
Loss of chaoticity
Stream cipher Block cipher
Bijections in entropy measures
Linear complexity Differential attack
Leaking of the underlying order
Correlation attacks Linear attacks
Defective probability distribution
... ...

121. Design rules I
1 Assure the chaotic behavior of the
underlying dynamical systems
2 Guarantee avalanche effect
3 High level of entropy without leaking of
the values of control parameters
4 Definition of the ciphertext avoiding the
reconstruction of the underlying chaotic
dynamics

122. Design rules II
5 Chaotic maps with flat histograms and
width of the phase space independent of
the control parameters
6 Selection of chaotic maps with high
sensitivity to control parameter mismatch
7 The number of iterations of chaotic maps
can not be part of the key

123. Control parameter a=3.8204607418 Control parameter a=3.8294707872
150 150
j=1
j=2
Time in seconds
Time in seconds
100 j=3 100
50 50
0 0
0 50 100 0 50 100
n×j n×j
Control parameter a=3.8743936381 Control parameter a=3.9771765651
150 150
Time in seconds
Time in seconds
100 100
50 50
0 0
0 50 100 0 50 100
n×j n×j

124. David Arroyo et al.,
“On the security of a new image
encryption scheme based on
chaotic map lattices,” Chaos,
2008, 18, Art. No. 033112

125. Chaos-based
5
cryptography
SCI
Unimodal
7
maps
International 8
CONFERENCES
National 8

126. Future work

127. Problems detected in unimodal maps
Multimodal maps
Discrete chaos
Other sources of chaos

128. Chaotic map
Encryption Practical
architecture implementation

129. Design of
chaos-based cryptosystems
needs of cryptography
+
analysis of chaotic dynamics

130. Framework for the analysis and design
of encryption strategies
based on discrete-time
chaotic dynamical systems
david.arroyo@iec.csic.es
http://hdl.handle.net/10261/15668