Upload
david-arroyo
View
214
Download
1
Embed Size (px)
Citation preview
Available online at www.sciencedirect.com
Chaos, Solitons and Fractals 41 (2009) 410–413
www.elsevier.com/locate/chaos
Cryptanalysis of a computer cryptography scheme basedon a filter bank
David Arroyo a,*, Chengqing Li b, Shujun Li c, Gonzalo Alvarez a
a Instituto de Fısica Aplicada, Consejo Superior de Investigaciones Cientıficas, Serrano 144, 28006 Madrid, Spainb Department of Electronic Engineering, City University of Hong Kong, 83 Tat Chee Avenue, Kowloon Tong, Hong Kong SAR, China
c FernUniversitat in Hagen, Lehrgebiet Informationstechnik, Universitatsstraße 27, 58084 Hagen, Germany
Accepted 11 January 2008
Abstract
This paper analyzes the security of a recently-proposed signal encryption scheme based on a filter bank. A very crit-ical weakness of this new signal encryption procedure is exploited in order to successfully recover the associated secretkey.� 2008 Elsevier Ltd. All rights reserved.
1. Introduction
The application of chaotic systems to cryptographical issues has been a very important research topic since the 1990s[1–4]. This interest was motivated by the close similarities between some properties of chaotic systems and some char-acteristics of well-designed cryptosystems [5, Table 1]. Nevertheless, there exist security defects in some chaos-basedcryptosystems such that they can be partially or totally broken [6–11].
In [12] the encryption procedure is carried out by decomposing the input plaintext signal into two different subbandsand masking each of them with a pseudo-random number sequence generated by iterating the chaotic logistic map. Thedecomposition of the input plaintext signal x[n] is driven by
0960-0doi:10
* CoE-m
t0½n� ¼ K0
X8m
x½m�h0½2n� m�; ð1Þ
t1½n� ¼ K1
X8m
x½m�h1½2n� m�; ð2Þ
where h0,h1 are so-called ‘‘analysis filters” and K0,K1 are gain factors.Then, the masking stage generates the ciphertext signal (v0[n],v1[n]) according to the following equations:
v0½n� ¼ t0½n� þ a0ðt1½n�Þ; ð3Þv1½n� ¼ t1½n� � a1ðv0½n�Þ; ð4Þ
779/$ - see front matter � 2008 Elsevier Ltd. All rights reserved..1016/j.chaos.2008.01.020
rresponding author.ail address: [email protected] (D. Arroyo).
D. Arroyo et al. / Chaos, Solitons and Fractals 41 (2009) 410–413 411
where ai(u) = u + si[n] and si[n] is the state variable of a logistic map with control parameter ki 2 (3,4) defined asfollows1
1 In [the plathe for
si½n� ¼ kisi½n� 1�ð1� si½n� 1�Þ: ð5Þ
Substituting ai(u) = u + si[n] into Eqs. (3) and (4), we have
v0½n� ¼ ðt0½n� þ t1½n�Þ þ s0½n�; ð6Þv1½n� ¼ ðt1½n� � v0½n�Þ � s1½n�: ð7Þ
The secret key of the cryptosystem is composed of the initial conditions and the control parameters of the two logisticmaps involved, i.e., s0[0], s1[0], k0 and k1.
The decryption procedure is carried out by doing
t1½n� ¼ v1½n� þ a1ðv0½n�Þ; ð8Þt0½n� ¼ v0½n� � a0ðt1½n�Þ: ð9Þ
Then, the plaintext signal is recovered with the following filtering operations:
~x½n� ¼ 1
K0
X8m
t0½m�f0½n� 2m� þ 1
K1
X8m
t1½m�f1½n� 2m�; ð10Þ
where f0, f1 are so-called ‘‘synthesis filters”. To ensure the correct recovery of the plaintext signal, the analysis and syn-thesis filters must satisfy a certain requirement as shown in Eq. (8) of [12]. The reader is referred to [12] for more infor-mation about the inner working of the cryptosystem.
This paper focuses on the security analysis of the above cryptosystem. The next section points out a security problemabout the reduction of the key space. Section 3 discusses how to recover the secret key of the cryptosystem by a known-plaintext attack. In the last section the conclusion is given.
2. Reduction of the key space
As it is pointed out in [5, Rule 5], the key related to a chaotic cryptosystem should avoid non-chaotic areas. In [12] itis claimed that the key space of the cryptosystem under study is given by the set of values ki and si[0] satisfying 3 < ki < 4and 0 < si[0] < 1 for i = 0,1. However, when looking at the bifurcation diagram of the logistic map (Fig. 1), it is obviousthat not all candidate values of ki and si[0] are valid to ensure the chaoticity of the logistic map. There are periodic win-dows which have to be avoided by carefully choosing ki. As a consequence, the available key space is drasticallyreduced.
3. Known-plaintext attack
In a known-plaintext attack the cryptanalyst possesses a plaintext signal fx½n�g and its corresponding encryptedsubband signals fv0½n�g and fv1½n�g. Because fh0½n�g, fh1½n�g, K0 and K1 are public, we can get ft0½n�g and ft1½n�g fromfx½n�g. Then we can get the values of fs0½n�g and fs1½n�g as follows:
s0½n� ¼ v0½n� � t0½n� � t1½n�; ð11Þs1½n� ¼ t1½n� � v0½n� � v1½n�: ð12Þ
For n = 0, the values of the subkeys s0[0] and s1[0] have been obtained. Furthermore, we can obtain the control para-meters by just doing the following operations for i = 0,1:
ki ¼si½nþ 1�
si½n�ð1� si½n�Þ: ð13Þ
In [12], the authors did not give any discussion about the finite precision about the implementation of the cryptosystemin computers. If the floating-point precision is used, then the value of ki can be estimated very accurately. It was
12], the authors use xi to denote the state variable of the logistic map. However, this nomenclature may cause confusion becauseintext signal is denoted by x. Therefore, we turn to use another letter, s. In addition, we unify the representation of xi(k) to be inm si[n], because all other signals are in the latter form.
Fig. 1. Bifurcation diagram of the logistic map.
412 D. Arroyo et al. / Chaos, Solitons and Fractals 41 (2009) 410–413
experimentally verified that the error for the estimation of ki using Eq. (13), and working with floating-point precision,was never greater that 4 � 10�12. If the fixed-point precision is adopted, the deviation of the parameter ki estimatedexploiting Eq. (13) from the real ki may be very large. Fortunately, according to the following Proposition 1 [13, Prop-osition 2], the error is limited to 24/2L (which means only 24 possible candidate values to be further guessed) whens[n + 1] P 0.5.
Proposition 1. Assume that the logistic map s½nþ 1� ¼ k � s½n� � ð1� s½n�Þ is iterated with L-bit fixed-point arithmetic and
that s(n + 1) P 2�i, where 1 6 i 6 L. Then, the following inequality holds: jk� ekj 6 2iþ3=2L, where ek ¼ s½nþ1�s½n��ð1�s½n�Þ.
4. Conclusion
In this paper we have analyzed, the security properties of the cryptosystem proposed in [12]. It has been shown thatthere exists a great number of weak keys derived from the fact that the logistic map is not always chaotic. In addition,the cryptosystem is very weak against a known-plaintext attack in the sense that the secret key can be totally recoveredusing a very short plaintext. Consequently, the cryptosystem introduced by [12] should be discarded as a secure way ofexchanging information.
Acknowledgements
The work described in this paper was partially supported by Ministerio de Educacion y Ciencia of Spain, ResearchGrant No. SEG2004-02418. Shujun Li was supported by the Alexander von Humboldt Foundation, Germany.
References
[1] Li S. Analyses and new designs of digital chaotic ciphers. PhD thesis, School of Electronic and Information Engineering, Xi’anJiaotong University, Xi’an, China, available online at <http://www.hooklee.com/pub.html> (June 2003).
[2] Alvarez G, Montoya F, Romera M, Pastor G. Chaotic cryptosystems. In: Sanson LD, editor. Proceedings of the 33rd annual 1999international carnahan conference on security technology. IEEE; 1999. p. 332–8.
[3] Kocarev L. Chaos-based cryptography: a brief overview. IEEE Circ Syst Mag 2001;1:6–21.[4] Yang T. A survey of chaotic secure communication systems. Int J Comp Cogn 2004;2(2):81–130.[5] Alvarez G, Li S. Some basic cryptographic requirements for chaos-based cryptosystems. Int J Bifurc Chaos 2006;16(8):2129–51.[6] Alvarez G, Montoya F, Romera M, Pastor G. Cryptanalyzing a discrete-time chaos synchronization secure communication
system. Chaos, Solitons & Fractals 2004;21(3):689–94.[7] Alvarez G, Montoya F, Romera M, Pastor G. Breaking parameter modulated chaotic secure communication system. Chaos,
Solitons & Fractals 2004;21(4):783–7.
D. Arroyo et al. / Chaos, Solitons and Fractals 41 (2009) 410–413 413
[8] Alvarez G, Montoya F, Romera M, Pastor G. Cryptanalyzing an improved security modulated chaotic encryption scheme usingciphertext absolute value. Chaos, Solitons & Fractals 2004;23(5):1749–56.
[9] Alvarez G, Li S, Montoya F, Pastor G, Romera M. Breaking projective chaos synchronization secure communication usingfiltering and generalized synchronization. Chaos, Solitons & Fractals 2005;24(3):775–83.
[10] Li S, Alvarez G, Chen G. Breaking a chaos-based secure communication scheme designed by an improved modulation method.Chaos, Solitons & Fractals 2005;25(1):109–20.
[11] Alvarez G. Security problems with a chaos-based deniable authentication scheme. Chaos, Solitons & Fractals 2005;26(1):7–11.[12] Ling BW-K, Ho CY-F, Tam PK-S. Chaotic filter bank for computer cryptography. Chaos, Solitons & Fractals 2007;34:817–24.[13] Li S, Li C, Chen G, Lo K.-T. Cryptanalysis of the RCES/RSES image encryption scheme. J Syst Softw 2007. doi:10.1016/
j.jss.2007.07.037.