xt

e look-upreduced.

text filesgraphicoriginal

message is

Physics Letters A 310 (2003) 67–73

www.elsevier.com/locate/pla

A chaotic cryptography scheme for generating short cipherte

Kwok-Wo Wong∗, Sun-Wah Ho, Ching-Ki Yung

Department of Computer Engineering and Information Technology, City University of Hong Kong, 83 Tat Chee Avenue,Kowloon Tong, Hong Kong

Received 3 October 2002; received in revised form 6 February 2003; accepted 6 February 2003

Communicated by A.R. Bishop

Abstract

Recently, we have proposed a chaotic cryptographic scheme based on iterating the logistic map and updating thtable dynamically. The encryption and decryption processes become faster as the number of iterations required isHowever, the length of the ciphertext is still at least twice that of the original message. This may result in huge cipherand hence long transmission time when encrypting large multimedia files. In this Letter, we modify the chaotic cryptoscheme proposed previously so as to reduce the length of the ciphertext to the level slightly longer than that of themessage. Moreover, a session key is introduced in the cryptographic scheme so that the ciphertext length for a givennot fixed. 2003 Elsevier Science B.V. All rights reserved.

PACS: 05.45.+b

Keywords: Chaos; Cryptography; Logistic map

nditalateasen-

theent

ersataw-xts

and

ightootheghveat-p-

ing a5].en-exthisk is

oticatas

The growing of research interest in chaos acryptography has resulted in a number of digchaotic cryptographic approaches that realize privkey cryptography with chaos [1–5]. A typical one wproposed by Baptista that each message block iscrypted as the number of iterations applied inchaotic map in order to reach the region correspondto that block [1]. The resultant ciphertexts are integand are suitable to be transmitted through public dcommunication networks. There are two major drabacks with Baptista’s approach. Firstly, the cipherteusually concentrate at small number of iterations

* Corresponding author.E-mail address: itkwwong@cityu.edu.hk (K.-W. Wong).

0375-9601/03/$ – see front matter 2003 Elsevier Science B.V. All rigdoi:10.1016/S0375-9601(03)00259-7

so their distribution is not flat enough to ensure hsecurity. Secondly, the cryptographic scheme isslow to make it suitable for practical use such assecure transmission of large multimedia files throuthe internet. To deal with the first drawback, we hamodified the original method so as to obtain a flter ciphertext distribution [4]. To increase the encrytion speed, we have proposed a fast approach ussmaller look-up table that is updated dynamically [

For the three chaotic cryptographic schemes mtioned above, the length of the resultant ciphertis at least twice that of the original message. Tis because the ciphertext for each message blocthe number of iterations required to make the chatrajectory fall into the region corresponding to thblock. This number should be sufficiently large so

hts reserved.

68 K.-W. Wong et al. / Physics Letters A 310 (2003) 67–73

sulttwoenen-

of

ticbe

nsingok-leritysednetheartg aondthele.

tedhe

h ast ishisheheand

p-’sne-

ng

in-r-

apbeof

tiling’s-

um

ponherge

noad-ent

re orBe-up-the

ed

le,erdify

hehe

ed

ate

ant is

iveing aionAnof

om

to achieve high security. A byte of message may rein several tens of thousands of iterations that needbytes to carry. This leads to huge ciphertext files whthe chaotic cryptographic approaches are used tocrypt large multimedia files typically in the rangemega bytes.

To solve this problem, we can modify the chaocryptographic schemes so that the ciphertext totransmitted is no longer the number of iteratiorequired in the chaotic map, but an index indicatthe location of the message block in the dynamic loup table. However, the solely utilization of this simptable look-up approach may result in a serious seculoophole as the look-up table can be easily guesafter a number of trials. A better way is to combithis approach with the traditional one so thatciphertext file is composed of two parts. The first pis the number of iterations obtained from encryptinsession key using the traditional approach. The secpart is formed by a sequence of indexes indicatinglocation of each message block in the look-up tabNotice that the look-up table is not fixed, but updadynamically based on the method proposed in [5]. Tsecond part of the ciphertext has the same lengtthe original message and so the overall ciphertexlonger than the message only by the first part. Textra length is negligible when compared with ttypical size of large multimedia files. As a result, tciphertext is only slightly longer than the messageis efficient for storage or transmission.

We first review the fast adaptive chaotic crytographic method proposed in [5]. As in Baptistamethod [1], the chaotic map chosen is the simple odimensional logistic map governed by the followiequation:

(1)xn+1 = bxn(1− xn),

whereb is the gain andxn ∈ [0,1]. An initial look-up table containing the mapping of each possibleput combination to equal-width regions in the inteval [xmin, xmax] of the phase space of the logistic mshould be set in advance. This initial mapping canin order or at an agreed setting. For the encryptiontheith input block, we let the logistic map iterate unthe trajectory first falls into the region correspondto the ASCII code of this block. Similar to Baptistamethod, the iteration will continue if the current number of iterations is smaller than a pre-defined minim

number of iterations. This prevents cryptanalysis uthe loophole of zero or just a few iterations. On tother hand, if the current number of iterations is laenough, it is sent immediately as the ciphertext andrandom numbers need to be generated. This is anvantage to resource-constraint computing environmsuch as smartcard because no additional hardwasoftware random number generators are required.fore encrypting the next message block, we have todate the look-up table dynamically by exchangingith entryei with another entryej . In Ref. [5], the in-tervalν between these two entries is solely determinby the current value ofx using the following formula:

(2)ν =(

x − xmin

xmax− xmin

)∗ N,

whereN is the total number of entries in the tabxmax is the maximum value ofx in the chosen phasspace region andxmin is the minimum value. To furtheenhance the security, here we propose to moEq. (2) to the following expression:

(3)ν =(

x − xmin

xmax− xmin

)∗ N + Ci modN.

This means that not only the current value ofx,but also the number of iterationsCi required for thecurrent input block are included in calculating tinterval. Notice that the sum of the two terms at tright-hand side of Eq. (3) may be larger thanN .Therefore a modulus operation should be performto makeν smaller thanN .

The interval obtained from Eq. (3) is used to locthe other entryej to be swapped withei as the valueof j is equal to the sum ofi and ν. This sum maybe larger thanN . In this case, we have to performmodulus operation again so that the index incremein a cyclic manner and the value ofj is still within N .As a result,

(4)j = i + ν modN.

In order to make the look-up tables for consecutmessage blocks as unlike as possible, just swappsingle pair of entries in the table during the encryptof a single message block is no longer enough.approach for achieving this is to swap more pairsentries, making use of the interval,ν, between twoswapping entries obtained from Eq. (3). Starting fr

K.-W. Wong et al. / Physics Letters A 310 (2003) 67–73 69

le.

spxt

fachngs onrmbyl.e

t-se

dting

ng

to

forws.

are

bys

ters orced.foranhe

. 2.thehehenichser.

ed,

bledsed

artis

Fig. 1. An illustration of the dynamic updating of the look-up tab

the current entryi, we swap the entries at locationi and (i + ν modN). Then we continue to swa(p − 1) pairs of entries starting from the entry neto the one last visited, i.e.,(i + ν + 1 modN) ↔(i + 2ν + 1 modN), (i + 2ν + 2 modN) ↔ (i + 3ν +2 modN), . . . , (i + (p − 1)ν + p − 1 modN) ↔ (i +pν + p − 1 modN), wherep is the total number opairs to be swapped during the encryption of eplaintext block. After that, the look-up table updatiprocess is completed and we can start the iterationthe logistic map for the next block. Then we perfothe p-pair swapping in the look-up table againincrementi and calculate a new value of intervaNotice that if the indexi reaches the bottom of thtable, it will start from the top again.

An illustration of this generalized dynamic updaing of the look-up table is given in Fig. 1. Suppothat the input block size is 8-bit. ThereforeN equalsto 256 and there are 256 entries in the table, frome0to e255. Moreover,xmin andxmax is chosen as 0.2 an0.8, respectively. Suppose that we are now encrypthe 4th 8-bit input block. The currentxvalue is 0.4355while the current number of iterations is 770. By usiEqs. (3) and (4), we obtainν = 100+ 770 mod256=102 andj = 4 + 102 mod256= 106. The entriese4is swapped withe106. If p is chosen as 3, we haveswap two more pairs, i.e.,e107↔ e209, e210↔ e56, asshown in Fig. 1.

The proposed chaotic cryptographic schemereducing the ciphertext length is described as follo

Fig. 2. The encryption process.

Both the transmitter and the receiver should first shthe same system parameterb, the initial x value(x0)

and the initial look-up table. This can be achievedsecure delivery or public key encryption algorithmsuch as RSA, ECC, etc. [6]. However, if the paramep can have different values for different messagetransmission sessions, the security will be enhanThis is possible as it is not a critical parameterinitializing the decryption process. Therefore it cbe encrypted and included in the ciphertext. Tproposed encryption sequence is shown in FigAs p is required for the subsequent updating oflook-up table, it should be encrypted first using tchaotic cryptographic scheme described above. Tthe transmitter should choose a session key, whcan be generated randomly or specified by the uThe lengthLk of the session key should be encryptfollowed by the encryption of the key itself.

After finished these processes, the look-up tabecomes totally different from the initial one anwe can start to encrypt the message. The propoencryption and decryption operations in this pare illustrated in Fig. 3. The first message block

70 K.-W. Wong et al. / Physics Letters A 310 (2003) 67–73

Fig. 3. Encryption and decryption operations for the message.

thehext.fterwillthegeok-the

startdink

ultl beingteding

forthetingion. As-up

des,d.on, as

. 2.readof

55.and

theger

r ofbe

bent

.eden-cehe

44

ghe

extracted and the look-up table is searched forentry that matches with this block. The index of tmatched entry will be sent directly as the cipherteAs the receiver reaches the same look-up table adecrypted the session key, the first message blockbe decrypted correctly. At the transmission side,iteration in the logistic map using the first messablock as well as the subsequent updating in the loup table is performed as usual. This completesoperations for the first message block and we canto read in the second block. It will first be XORewith the last index transmitted before searchingthe look-up table. This is a kind of cipher blocchaining (CBC) operation [6] so as to introduce errorpropagation during cryptanalysis. The XORed resis searched in the updated table and the index wiltransmitted. Then the logistic map is iterated usthe XORed result and the look-up table is updasubsequently. This sequence of operations, includXORed with the previous ciphertext, searchingmatched entry, transmitting the index, iteratingchaotic map using the XORed result and then updathe look-up table, continue at both the transmissand the receiving sides until the end of the messagethe same operations are done for updating the looktable at both the transmission and the receiving siperfect reconstruction of the message is guarantee

The length of the whole ciphertext dependsthe message length and the session key length

illustrated by the encryption process shown in FigIf both the session key and the message arein bytes andLk is smaller than 256, the numberbytes to be encrypted is(2 + Lk + Lm). The first twobytes specify the value ofp and the length of thesession key, respectively. Their range is from 0 to 2The remaining part consists of the session keythe message. If each byte of the parameters andsession key is encrypted to a 2-byte unsigned inte(ranged from 0 to 65535) representing the numbeiterations required, the total amount of ciphertext totransmitted is(4 + 2Lk + Lm) bytes. Notice that fora given message, the total amount of ciphertext totransmitted is different for session keys with differelength. This property further enhances the security

In order to test the efficiency of the proposchaotic cryptographic scheme, it is employed tocrypt and decrypt the following four types of sourfiles using different values of input block size and tparameterp.

File 1: audio (.mp3) file of size 98 304 bytes;File 2: Word document (.doc) file of size 210 9

bytes;File 3: executable (.exe) file of size 487 000 bytes;File 4: video clip (.avi) file of size 1 087 430 bytes.

The encryption and decryption time (includinthe time required for encrypting and decrypting t

K.-W. Wong et al. / Physics Letters A 310 (2003) 67–73 71

ytes

it input

Table 1Performance of the proposed chaotic cryptographic algorithms for reducing the length of ciphertext

Input block p File 1 (.mp3) File 2 (.doc) File 3 (.exe) File 4 (.avi)size 98 304 bytes 210 944 bytes 487 000 bytes 1 087 430 b

8-bit 3 2.50/2.50 5.36/5.52 12.38/12.39 27.59/27.538823-824 8797-823 11860-825 10091-825

17 2.63/2.63 5.58/5.55 12.97/12.92 28.95/30.137063-825 8011-821 8419-826 9449-825

91 3.27/3.19 6.98/6.80 16.09/16.59 37.08 /35.807062-824 9146-818 9325-825 9646-825

4-bit 3 0.36/0.36 0.77/0.77 1.84/1.83 4.13/4.00684-48 657-47 761-48 738-48

5 0.41/0.41 0.84/0.83 2.02/1.95 4.50/4.33704-48 687-47 762-48 838-48

7 0.44/0.42 0.92/0.89 2.20/2.14 4.91/4.70713-48 646-47 782-48 692-48

Upper line: encryption time (sec)/decryption time (sec) run on a Pentium IV 2 GHz PC with 512 MB RAM.Lower line: number of iterations in the form of max-mean. The minimum number of iterations is always 200 and 10 for 8-bit and 4-bblock size, respectively.

1.eding

a.of

d innsck

7.gth

.rlyans-andameu-theessionlts

go-y

tlye isre-f a

pt a

hictheedble

tione thel

ck.areey

e

xt,achnt

miningfromare

bleto

blem

is

session key) are measured and listed in TableThey are obtained by implementing the proposchaotic cryptographic approach using C programmlanguage running on a personal computer withPentium IV 2 GHz processor and 512 MB RAMMoreover, the maximum and the mean numberiterations for each message block are also includeTable 1. Notice that the minimum number of iteratiois always 200 and 10 for 8-bit and 4-bit input blosize, respectively. The value ofb in Eq. (1) is selectedas 3.9999995 whilex0 is chosen arbitrarily as 0.177The session key is generated randomly and its lenLk is also a random variable between 128 and 255

All the files are decrypted successfully. As neathe same operations are performed at both the trmission and the receiving sides, the encryptiondecryption processes require approximately the samount of time. However, the decryption time is usally a little bit shorter. This is because a search formatched entry is required in the encryption procwhile the corresponding operation in the decryptprocess is only a direct table look-up. The resushown in Table 1 indicate that the proposed alrithm is efficient in performing chaotic cryptographon large files. The ciphertext length is only slighlonger than the message and the encryption timshort. When the input block size is 4-bit, the timequired for encrypting a 100 KB file is less than hal

second while it takes less than 5 seconds to encry1 MB file.

The security of the proposed chaotic cryptograpmethod relies on the length of the session key andvalue ofp. A long session key leads to an increasnumber of swapping operations in the look-up tabefore encrypting the message while a largep resultsin more swapping operations between the encrypof successive message blocks. These in turn makcurrent look-up table totally different from the initiatable or the table for encrypting the previous bloTherefore the security is enhanced. However, theretradeoffs for the improved security. A long session kincreases the length of the ciphertext while a largpleads to a longer encryption time.

In order to analyze the distribution of the ciphertewe have recorded the number of occurrences of eciphertext block for the four input files using differevalues of input block size and parameterp. Theresults are listed in Table 2 using the max-mean-format. Notice that only the ciphertext correspondto the message is considered. Those generatedencrypting the parameters and the session keynot counted. For 4-bit inputs, the number of possiciphertext blocks is 16 and the block value is from 015. For 8-bit input block size, the number of possiciphertext blocks is 256 and the block value is fro0 to 255. A typical distribution of the ciphertext

72 K.-W. Wong et al. / Physics Letters A 310 (2003) 67–73

ize and

s

349193545635284

Table 2Number of occurrences of the ciphertexts in max-mean-min format for the four test files using different values of input block sparameterp

Input block p File 1 (.mp3) File 2 (.doc) File 3 (.exe) File 4 (.avi)size 98 304 bytes 210 944 bytes 487 000 bytes 1 087 430 byte

8-bit 3 438-384-334 910-824-754 2023-1902-1777 4502-4248-405617 443-384-327 905-824-736 2024-1902-1742 4458-4248-408891 442-384-320 925-824-748 2027-1902-1772 4438-4248-4071

4-bit 3 12477-12288-12159 32244-26368-24468 61210-60875-60482 136837-135929-15 12396-12288-12126 27118-26368-25101 61206-60875-60494 136574-135929-17 12412-12288-12099 27484-26368-24738 61422-60875-60431 136784-135929-1

Fig. 4. A typical distribution of the ciphertext. File 4 is used with 8-bit input block size and parameterp = 91.

iteumtheralofberin

to-teden-

f alud-heientles

p-).

shown in Fig. 4 of which File 4 is used with 8-binput block size andp = 91. The statistics and thgraph show that the difference between the maximand minimum occurrences is not substantial anddistribution is in general flat. There is not a genetrend that a particular ciphertext block or a groupciphertext blocks always has a higher or lower numof hits than the others. This property is desirableachieving secure cryptography.

In summary, we have proposed a chaotic crypgraphic scheme that looks up in a dynamically updatable and transmits only the index of the matched

try. As the length of the index is the same as that omessage block, the corresponding ciphertext, incing the session key, is only slightly longer than tmessage. As a result, the proposed method is efficin the secure transmission of large multi-media fiover the internet.

Acknowledgement

The work described in this Letter was fully suported by a grant from CityU (Project No. 7001131

K.-W. Wong et al. / Physics Letters A 310 (2003) 67–73 73

no,

-

.

References

[1] M.S. Baptista, Phys. Lett. A 240 (1998) 50.[2] E. Alvarez, A. Fernandez, P. Garcia, J. Jimenez, A. Marca

Phys. Lett. A 263 (1999) 373.[3] R. Schmitz, J. Franklin Inst. 338 (2001) 429.

[4] W.-K. Wong, L.-P. Lee, K.-W. Wong, Comput. Phys. Commun. 138 (2001) 234.

[5] K.-W. Wong, Phys. Lett. A 298 (2002) 238.[6] B. Schneier, Applied Cryptography, 2nd Edition, Wiley, 1996