Professional Documents
Culture Documents
Chaotic Cryptosystems Cryptanalysis and
Chaotic Cryptosystems Cryptanalysis and
Authorized licensed use limited to: Jesus Leyva-Ramos. Downloaded on March 23,2010 at 20:05:52 EDT from IEEE Xplore. Restrictions apply.
2674 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS, VOL. 53, NO. 12, DECEMBER 2006
system is transformed, by eliminating the state variables, into Having in mind the encryption purposes, we only consider
a system depending only on the information, the output, their the practical case where the system has a single input
derivatives and the parameters. The resulting system is solved and a single output but the following results can be extended
in the parameters. This approach has been also applied to a to the case of multiple inputs and multiple outputs.
chaotic cryptosystem based on the Henon map, in [22] and has We assume that the cryptosystem must face the most basic
been extended to a class of chaotic discrete-time systems in attack, i.e., the brute force attack. This attack consists in trying
[23]. In this case, the derivatives are replaced by the iterates. exhaustively every possible parameter value in the parameter
All these works deal with some identification techniques for space (which is in practice a finite space), in order to retrieve
reconstructing the parameters and most often on some special the secret key [32]. The brute force attack is the most expensive
cases. In this paper, a general framework based on the identifi- one, owing to the exhaustive search. The quicker the brute force
ability concept for the cryptanalysis of a large class of chaotic attack succeeds, the weaker the cryptosystem is. The worst sit-
cryptosystems is proposed. It is provided a systematic method- uation for the eavesdropper, and the best for the security, is that
ology for testing, a priori, during the design stage, whether there exists a unique solution. In this case, the probability of
the parameters of a chaotic cryptosystem may play the role of finding the actual parameter value is the lowest. The key idea
the secret key or not. Besides, a connection between robust- is that the uniqueness of the parameters is directly linked to the
ness against brute force attacks, uniqueness in the parameters parametric identifiability concept [33]. Some basic backgrounds
and identifiability is pointed out. Some preliminary results have are recalled below.
been presented in [25]. Let us stress that the methodology is
independent of the approach one may resort to reconstruct the B. Identifiability
parameters (adaptive, …). The following definitions are borrowed from [34].
The paper is organized as follows. In Section II, a connection Definition 1: An input sequence over a window of iterations
between uniqueness in the secret parameters and identifiability , denoted by , is called an admissible input on
is pointed out. Two approaches, the outputs equality approach if the difference equation (1) admits a unique local solution.
and the input/output relation approach, are presented to test the Definition 2: The system is locally strongly -identifi-
identifiability of the system parameters. Then, in Section III, able at through the admissible input sequence if there
a cryptanalytic procedure, based on the identifiability concept, exists an open neighborhood of , , such that for any
is carried out on some specific examples. It is shown that and for any
cryptosystems with polynomial nonlinearities are unfortunately
weak against known plaintext attacks. Throughout the manu- (2)
script, we only consider discrete-time systems but the results
still hold in the continuous case. Definition 3: The system is structurally identifiable if
there exist , an open subset and some dense sub-
II. PROBLEM STATEMENT AND IDENTIFIABILITY sets and , such that, for every ,
and , the system is locally strongly
A. Problem Statement -identifiable at through the admissible input sequence .
In the following, we will equally say that the system or its
Among the different usual methods for hiding an informa- parameters are structurally identifiable.
tion, additive masking, chaotic switching, parameter modula- Remark 1: In the definitions above, the subset is open in
tion, message embedding, we focus on the last one because all order to avoid considering an atypical set of zero measure which
the results given here can be easily transposed to the others. leads to singularities and where no conclusion about identifia-
We recall the message embedding scheme, in the discrete- bility is possible. Moreover, these definitions are given for the
time case, which involves the transmitter system given by initial condition taken at the particular time step . How-
the general form ever, we can consider any time step because the system (1) is
shift-invariant.
(1) Remark 2: The Definition 3 is a direct discrete-time coun-
terpart of that of the structural identifiability of continuous-time
where is the state vector, the systems, given in [35] and is equivalent to the definition of ra-
measured, and so available, output, the in- tional identifiability of [36].
formation signal, is a nonlinear chaotic function and a To test the identifiability of system parameters, two ap-
(possibly) nonlinear function, both parameterized by , proaches, the outputs equality approach and the input/output
, the parameter vector. The most relation approach can be performed.
common nonlinearities are of polynomial type (Henon map
[26], Logistic map [27], Mandelbrot map [28], Arnold’s cat map C. Outputs Equality Approach
[29], …). means that can depend on but not nec- The outputs equality approach is directly based on Definition
essary. The initial condition of will be denoted . At the 3. The trajectories contain information about the unknown
receiver side, the information recovering requires a synchro- parameter vector . The approach consists in testing whether the
nization mechanism. Details of chaos-based synchronization are equality of the output trajectories of systems and , over an
described in [30], [31]. iteration window , implies the equality of the parameter
Authorized licensed use limited to: Jesus Leyva-Ramos. Downloaded on March 23,2010 at 20:05:52 EDT from IEEE Xplore. Restrictions apply.
ANSTETT et al.: CHAOTIC CRYPTOSYSTEMS 2675
vectors and . So, the following theorem states a sufficient To obtain (4), we must first eliminate the variable and its
condition for structural identifiability of system (1). iterates in (1), considered as indeterminates. That leads to a re-
Theorem 1: The system (1) is structurally identifiable if lation depending only on the parameter vector , the output ,
the set of equations the input and their iterates, called the input/output relation
(3) (6)
Authorized licensed use limited to: Jesus Leyva-Ramos. Downloaded on March 23,2010 at 20:05:52 EDT from IEEE Xplore. Restrictions apply.
2676 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS, VOL. 53, NO. 12, DECEMBER 2006
Authorized licensed use limited to: Jesus Leyva-Ramos. Downloaded on March 23,2010 at 20:05:52 EDT from IEEE Xplore. Restrictions apply.
ANSTETT et al.: CHAOTIC CRYPTOSYSTEMS 2677
Since is not directly transmitted through the signal , it So, only is identifiable and thus could play the role of
is chosen to be the greatest and the corresponding lexicographic the secret key in the context of brute force attack. At the op-
order is posite, since there exist at least numerous pairs or
verifying the relations (12) and (13), the parameters
(10) , and are unidentifiable and cannot play the role of
the secret key.
It can be shown that the observability index of system (9) is As stressed in the important remarks in Section II-D, ac-
equal to the dimension of the system, . cording to (5) and here (14), it is clear that, performing a known
For obtaining the input/output relation, that is , the plaintext attack, the parameter can be easily reconstructed
system (9) is first iterated twice with and in (15). Hence, cannot finally play the role
of the secret key.
As a result, this cryptosystem will be weak against a known
plaintext attack.
(11) B. Example 2
Consider the message embedding scheme (1) where the in-
formation is embedded in the Burgers map [43]
(13) (17)
From the set of (12) and (13), it can be shown, for example by The condition (3) gives here
using the function solve of Maxima, that the relation (4) is only
fulfilled for
(18)
(19)
(14)
with
(20)
Authorized licensed use limited to: Jesus Leyva-Ramos. Downloaded on March 23,2010 at 20:05:52 EDT from IEEE Xplore. Restrictions apply.
2678 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS, VOL. 53, NO. 12, DECEMBER 2006
(21)
(26)
The other expressions of the basis are useless for our purpose
since they involve the state vector. Then, the input/output rela-
tion (23) is iterated and yields
(28)
(25)
(29)
Authorized licensed use limited to: Jesus Leyva-Ramos. Downloaded on March 23,2010 at 20:05:52 EDT from IEEE Xplore. Restrictions apply.
ANSTETT et al.: CHAOTIC CRYPTOSYSTEMS 2679
REFERENCES
[1] T. L. Carroll and L. M. Pecora, “Synchronizing chaotic circuits,” IEEE
Trans. Circuits Syst., vol. 38, no. 4, pp. 453–456, Apr. 1991.
[2] M. J. Ogorzalek, “Taming chaos – Part I: Synchronization,” IEEE
Trans. Circuits Syst. I, Fundam. Theory Appl., vol. 40, no. 10, pp.
693–699, Oct. 1993.
[3] M. Hasler, “Synchronization of chaotic systems and transmission of
information,” Int. J. Bifurc. Chaos, vol. 8, no. 4, pp. 647–659, Apr.
1998.
[4] T. Yang, “A survey of chaotic secure communication systems,” Int. J.
(30) Comput. Cogn., vol. 2, no. 2, pp. 81–130, 2004.
[5] G. Millérioux, A. Hernandez, and J. Amigó, “Conventional cryptog-
raphy and message-embedding,” in Proc. 2005 Int. Symp. Nonlinear
In the characteristic set (30), represents the input/output Theory and its Applications (NOLTA 2005), Bruges, Belgium, Oct.
relation and is identical to (23) given by the Gröbner basis ap- 18–21, 2005.
[6] G. Alvarez and S. Li, “Some basic cryptographic requirements for
proach. Hence, Theorem 2 is fulfilled and the parameters chaos-based cryptosystems,” Int. J. Bifurc. Chaos, 2006.
and are structurally identifiable. [7] H. Delfs and H. Knebl, Introduction to Cryptography. Berlin, Ger-
In the context of brute force attack, since the parameters many: Springer-Verlag, 2002.
and are identifiable, they could play the role of the secret [8] X. Wang, M. Zhan, and C. H. Lai, “Error function attack of chaos
synchronization based encryption schemes,” Chaos, vol. 14, no. 1, pp.
key. 128–137, 2004.
However, it is clear that, performing a known plaintext at- [9] S. Li, G. Alvarez, G. Chen, and X. Mou, “Breaking a chaos-noise-based
tack, the parameters and can be easily reconstructed. secure communication scheme,” Chaos, vol. 15, no. 1, 2005.
[10] G. Alvarez, F. Montoya, M. Romera, and G. Pastor, “Cryptanalyzing
Hence, this cryptosystem is weak against known plaintext alge- a discrete-time chaos synchronization secure communication system,”
braic attack. Chaos, Solitons, Fractals, vol. 21, pp. 689–694, 2004.
[11] G. Alvarez, S. Li, F. Montoya, G. Pastor, and M. Romera, “Breaking
IV. CONCLUSION projective chaos synchronization secure communication using filtering
and generalized synchronization,” Chaos, Solitons, Fractals, vol. 24,
In this paper, a general framework based on identifiability for pp. 775–783, 2005.
the cryptanalysis of a large class of chaotic cryptosystems is pro- [12] R. Marino and P. Tomei, “Global adaptive observers for nonlinear sys-
tems via filtered transformations,” IEEE Trans. Autom. Contr., vol. 37,
posed. More precisely, it is provided a systematic methodology no. 8, pp. 1239–1245, 1992.
to test, a priori, during the design stage, whether the parameters [13] A. Fradkov, H. Nijmeijer, and A. Markov, “Adaptive observer-based
of a chaotic cryptosystem may play the role of the secret key or synchronization for communication,” Int. J. Bifurc. Chaos, vol. 10, no.
not. From a cryptanalysis point of view, this paper leads to the 12, pp. 2807–2813, 2000.
[14] Q. Zhang and A. Xu, “Global adaptive observer for a class of nonlinear
following conclusions. systems,” in Proc. 40th IEEE Conf. Decision and Control, Orlando, FL,
Firstly, if the parameter vector of the transmitter is identifi- Dec. 4–7, 2001, vol. 4, pp. 3360–3365.
able, it is more difficult for the eavesdropper to find it by a brute [15] A. Guyader and Q. Zhang, “Adaptive observer for discrete time linear
time varying systems,” in Proc. 3rd IFAC/IFORS Symp. Identification
force attack (exhaustive search). Consequently, this parameter
and System Parameter Estimation, SYSID’2003, Rotterdam, The
vector may be a good candidate to play the role of the secret Netherlands, Aug. 2003.
key against a brute force attack. [16] F. Anstett, G. Millerioux, and G. Bloch, “Global adaptive synchroniza-
If the parameter vector is not identifiable, the eavesdropper tion based upon polytopic observers,” in Proc. IEEE Int. Symp. Circuits
Syst., Vancouver, BC, Canada, May 2004, pp. 728–731.
has a higher favorable chance to find it by a brute force attack. [17] G. Millerioux, F. Anstett, and G. Bloch, “Considering the attractor
Thus, this parameter vector is a bad candidate to play the role structure of chaotic maps for observer-based synchronization prob-
of the secret key against a brute force attack. lems,” Math. Comput. Simulation, vol. 68, no. 1, pp. 67–85, 2005.
Secondly, if the parameters are identifiable, which is a neces- [18] H. Dedieu and M. Ogorzalek, “Identifiability and identification of
chaotic systems based on adaptative synchronization,” IEEE Trans.
sary condition for the security against brute force attack, obvi- Circuits Syst. I, Fundam. Theory Appl., vol. 44, no. 10, pp. 948–962,
ously not sufficient since sensitivity or specific statistical prop- Oct. 1997.
erties are also required, an explicit form of each parameter can [19] H. Guojie, F. Zhengjin, and M. Ruiling, “Chosen ciphertext attack on
chaos communication based on chaotic synchronization,” IEEE Trans.
be established. For cryptosystems involving polynomial nonlin- Circuits Syst. I, Fundam. Theory Appl., vol. 50, no. 2, pp. 275–279,
earities of low order, it is an easy task and thus, the parameters Feb. 2003.
can be easily retrieved by a known plaintext attack. [20] H. Guojie, F. Zhengjin, and W. Lin, “Analysis of a type digital chaotic
As a consequence, all these cryptosystems are weak against cryptosystem,” in Proc. IEEE Int. Symp. Circuits Syst. , Scottsdale, AZ,
May 26–29, 2002, vol. 3, pp. III–473–III–475.
algebraic attacks. Let us point out that this weakness is indepen- [21] P. G. Vaidya and S. Angadi, “Decoding chaotic cryptography without
dent of the motion exhibited by the system, chaotic or not. All access to the superkey,” Chaos, Solitons, Fractals, vol. 17, pp. 379–386,
these results can be easily extended to the case of continuous- 2003.
[22] E. Solak, “On the security of a class of discrete-time chaotic cryptosys-
time chaotic systems and can be transposed to the other usual
tems,” Phys. Lett. A, no. 320, pp. 389–395, 2004.
methods for hiding an information, additive masking, chaotic [23] ——, “Cryptanalysis of observer based discrete-time chaotic encryp-
switching and parameter modulation. tion schemes,” Int. J. Bifurc. Chaos, vol. 15, no. 2, pp. 653–658, 2005.
Authorized licensed use limited to: Jesus Leyva-Ramos. Downloaded on March 23,2010 at 20:05:52 EDT from IEEE Xplore. Restrictions apply.
2680 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—I: REGULAR PAPERS, VOL. 53, NO. 12, DECEMBER 2006
[24] T. Beth, D. E. Lazic, and A. Mathias, Cryptanalysis of Cryptosystems Floriane Anstett received the Engineer’s degree
Based on Remote Chaos Replication. New York: Springer-Verlag, in automatic control engineering from the École
1994. Supérieure des Sciences et Technologies de l’In-
[25] F. Anstett, G. Millerioux, and G. Bloch, “Message-embedded cryp- génieur de Nancy (ESSTIN), University Henri
tosystems: Cryptanalysis and identifiability,” in Proc. 44th IEEE Conf. Poincaré (UHP), Nancy, France, in 2003, and the
Decision and Control, Sevilla, Spain, Dec. 12–15, 2005. Ph.D. degree in automatic control theory from UHP,
[26] M. Hénon, “A two-dimensional mapping with a strange attractor,” Nancy, France, in 2006.
Commun. Math. Phys., vol. 50, pp. 69–77, 1976. Her research interests include chaotic systems,
[27] R. May, “Simple mathematical models with complicated dynamics,” polytopic observers, identifiability and cryptanalysis.
Nature, vol. 261, pp. 459–470, 1976.
[28] B. Mandelbrot, Les Objets Fractals: Forme, Hasard et Dimension.
Paris, France: Flammarion, 1975.
[29] H. G. Schuster, Deterministic Chaos. New York: Wiley-VCH, 1988.
[30] G. Millerioux and J. Daafouz, “Unknown input observers for mes- Gilles Millerioux received the Engineer’s degree in
sage-embedded chaos synchronization of discrete-time systems,” Int. electrical engineering and the Ph.D. degree in auto-
J. Bifurc. Chaos, vol. 14, no. 4, pp. 1357–1368, Apr. 2004. matic control theory from the National Institute for
[31] ——, “Input independent chaos synchronization of switched systems,” Applied Sciences of Toulouse, Toulouse, France, in
IEEE Trans. Autom. Contr., vol. 49, no. 7, pp. 1182–1187, Jul. 2004. September 1993 and 1997, respectively.
[32] A. Menezes, P. V. Oorschot, and S. Vanstone, Handbook of Applied Since 2005, he has been a Professor at the Uni-
Cryptography. Boca Raton, FL: CRC, 1996. versity Henri Poincaré (UHP), Nancy, France. He
[33] E. Walter and L. Pronzato, Identification of Parametric Models From is with the Centre de Recherche en Automatique de
Experimental Data. New York: Springer-Verlag, 1997. Nancy (CRAN) and his research interests include
[34] S. Nõmm and C. H. Moog, “Identifiability of discrete-time non- chaotic systems, chaos synchronization, cryptog-
linear systems,” in Proc. 6th IFAC Symp. Nonlinear Control Systems, raphy, nonlinear observers. He is vice-chair of the
NOLCOS, Stuttgart, Germany, Sep. 1–3, 2004, pp. 477–489. Action Group “Chaos, Synchronization and Control.” This Group is under the
[35] L. Ljung and T. Glad, “On global identifiability for arbitrary model aegis of the IEEE Control Systems Society Technical Committee on Computer
parametrizations,” Automatica, vol. 30, no. 2, pp. 265–276, 1994. Aided Control System Design and aims at making visible research activities
related to chaos synchronization and control.
[36] S. Diop and M. Fliess, “Nonlinear observability, identifiability and
persistent trajectories,” in Proc. 30th Conf. Decision and Control,
Brighton, U.K., Dec. 1991, pp. 714–718.
[37] H. Pohjanpalo, “System identifiability based on the power series ex-
pansion of the solution,” Math. Biosci., vol. 41, pp. 21–33, 1978. Gérard Bloch received the Ph.D. degree in automatic
[38] H. Nijmeijer and A. J. van der Schaft, Nonlinear Dynamical Control control from the University Henri Poincaré (UHP),
Systems. New York: Springer, 1990. Nancy, France, in 1988.
[39] B. Buchberger, “An algorithm for finding a basis for the residue class He is with the École Supérieure des Sciences et
Technologies de l’Ingénieur de Nancy (ESSTIN),
ring of zero-dimensional polynomial ideal,” Ph.D. dissertation, Dept.
UHP, and affiliated with the Centre de Recherche
of Math., Math. Inst. Univ. of Innsbrück, Innsbrück, Austria, 1965.
en Automatique de Nancy (CRAN, UMR CNRS
[40] E. Kolchin, Differential Algebra and Algebraic Groups. New York: 7039), Nancy, France. His research interests include
Academic, 1973. nonlinear system identification and observation,
[41] E. Frisk, “Residual generation for fault diagnosis,” Ph.D. dissertation, process diagnosis, machine learning and application
Dept. of Elect. Eng., Linköpings Universitet, Linköping, Sweden, of neural networks to automatic control problems.
2001. He has supervised 11 doctoral and 20 Master’s graduates and has been the
[42] J. F. Ritt, Differential Algebra. Providence, RI: American Mathemat- principal investigator of several industrial/government research contracts,
ical Society, 1950. particularly in the applied fields of steel industry, guided transports, automobile
[43] J.-P. Barbot, “Observability bifurcations: Application to cryptog- engine control. He has co-authored one book, about 30 papers in international
raphy,” in Proc. 4ème Ecole Internationale d’Automatique de Lille, journals and more than 50 papers in conference proceedings.
2003, pp. 1–19.
Authorized licensed use limited to: Jesus Leyva-Ramos. Downloaded on March 23,2010 at 20:05:52 EDT from IEEE Xplore. Restrictions apply.