12 November 2001

Physics Letters A 290 (2001) 127–133

www.elsevier.com/locate/pla

Improving security of a chaotic encryption approach

Shujun Li∗, Xuanqin Mou, Yuanlong Cai

Institute of Image Processing, School of Electronics and Information Engineering, Xi’an Jiaotong University, Xi’an, Shaanxi 710049, PR China

Received 23 July 2001; accepted 18 September 2001

Communicated by A.R. Bishop

Abstract

E. Alvarez et al. recently presented a new chaotic encryption approach, but G. Alvarez et al. soon broke it with four cryptanalytic methods and found some other weaknesses. In this Letter we point out why the original scheme is so vulnerable to the four proposed attacks. The chief reasons are two essential defects in the original scheme. Based on this fact, we present an improved encryption scheme to obtain higher security. The cryptographic properties of the improved scheme are studied theoretically and experimentally in detail. © 2001 Elsevier Science B.V. All rights reserved.

Keywords: Chaotic cryptosystem; Encryption; Cryptanalysis

1. Introduction

E. Alvarez et al. presented a new cryptosystem based on the iteration of a chaotic system [1]. It is a symmetric block cipher and encrypts every plain-block into a 3-tuple cipher-block. Unlike conventional block ciphers, its block size is variable. Based on a $d$-dimensional chaotic system $x_{n+1} = f(x_n, x_{n-1}, \ldots, x_{n-d+1})$, the encryption and decryption procedure can be described as follows. First, select the control parameter of the system as the secret key, and an integer $b_{\max}$ as the maximal block size of plaintext. For one plain-block, whose size is $b_i = b_{\max}$, choose a threshold $U_i$ to generate a bit chain $C_i$ from the chaotic orbit $\{x_n\}$ according to the rule: $x_n \le U_i \to 0$ and $x_n > U_i \to 1$. Find the position at which the plain-block appears in $C_i$ and record $(U_i, b_i, X_i)$ as the cipher-block corresponding to the plain-block, where $X_i = (x_i, x_{i-1}, \ldots, x_{i-d+1})$ is the state of the chaotic map at that position. If the plain-block cannot be found in a large enough catalog $C_i$, set $b_i = b_i - 1$ and restart the search. The tent map is used to demonstrate the performance of such a chaotic cipher.

* Corresponding author. E-mail address: [email protected] (S. Li).

However, only some months after the proposal of this cipher, G. Alvarez et al. pointed out that it is very easy to break when the tent map is used [2]. In their paper, they presented four kinds of attacks: a chosen-ciphertext attack, a chosen-plaintext attack, a known-plaintext attack and a ciphertext-only attack. They also pointed out some other weaknesses of the chaotic encryption system. As a result, the authors claimed that the new chaotic cipher is not secure at all, even if other chaotic systems are used instead of the tent map.

In this Letter, we study why the new chaotic cipher is vulnerable to so many attacks, and propose a solution to improve its security. We find two essential cryptographic defects in the original scheme, which make the four attacks possible. If the two defects are avoided, the four attacks proposed in [2] will be infeasible, and the chaotic cryptosystem will be stronger from the cryptographic viewpoint. Our proposed encryption scheme is based on this fact. Further theoretical and experimental analyses show that the new encryption system has perfect cryptographic properties, so it can also resist some potential attacks in the future.

0375-9601/01/$ – see front matter © 2001 Elsevier Science B.V. All rights reserved. PII: S0375-9601(01)00612-0

2. Two essential defects and other weaknesses

2.1. The occurrence of $X_i$ in ciphertext

The first essential defect lies in the occurrence of $X_i$ in the ciphertext. Since the dynamics of the employed chaotic system relies not only on the secret key (control parameter) but also on the initial conditions, an eavesdropper may obtain some useful information from $X_i$ to lessen the attack complexity of the encryption system.

Actually, there does exist information leaking in the chaotic encryption system, which is not less than $E(1/b_i)$, where $E(x)$ represents the mean value of $x$. Apparently, $b_i \le b_{\max} \to E(1/b_i) \ge 1/b_{\max}$. Given one cipher-block $(U_i, b_i, X_i)$, let us consider how the $b_i$ bits of the plain-block $P_i = P_{i,0}P_{i,1}\ldots P_{i,b_i-1}$ are deciphered from it. Since the legal users know the secret key (control parameter), they can calculate the $b_i$ iterating values $\{x_{i+j}\}_{j=0}^{b_i-1}$ from $X_i$. Then the plain-block $P_i$ can be obtained from $\{x_{i+j}\}$ and the threshold $U_i$ as follows:

    for j = 0 to b_i − 1 do
        if x_{i+j} ≤ U_i then P_{i,j} = 0
        else P_{i,j} = 1
    end

Obviously, $b_0$ can be obtained from $X_i$ just by comparing the two values $x_i$ and $U_i$, without the secret key. Therefore, an illegal user can obtain $b_0$ in each plain-block under a ciphertext-only attack. That is to say, at least $1/b_i$ of the information of the plain-block leaks from the cipher-block. As a whole, the information leaking will be not less than $E(1/b_i) \ge 1/b_{\max}$. Generally speaking, $b_{\max}$ cannot be too large, or the encryption speed will be rather slow. The information leaking is then large enough to make the cryptosystem insecure in many serious applications.

Furthermore, if one knows an approximate value ($r'$) of the secret key, he can guess the plain-block by the symbolic dynamics of the chaotic system from the initial condition $X_i$. The closer the secret key is to $r'$, the better such a guess works. This fact means that the encryption system is not sensitive to the secret key, which is undesired for a good cryptosystem [3]. The authors of [2] employed this fact to develop a ciphertext-only attack when $r' = 2$. It is found that such a guess can recover the plain-block with high probability when the secret key is close to 2. Of course, the success ratio will decrease as the right key departs from 2, but bear in mind that the information leaking of this chaotic cryptosystem will not be less than $1/b_{\max}$ for all available keys.

In addition, the chosen-ciphertext attack described in [2] is also based on the fact that $X_i$ in the ciphertext can expose some useful information about the secret key. By choosing $X_i$ sufficiently close to zero and observing the corresponding plaintext, one can get the secret key in a small number of steps.

2.2. Different dynamics with different keys

For the tent map used in [1], the dynamics with different secret keys (control parameters) differs considerably: different visited interval of the orbit, different Lyapunov exponent, different Kolmogorov entropy and the occurrence of periodic windows at many control parameters [4]. Since such differences can be extracted from $X_i$, they can be used to develop feasible attacks. This is the second essential defect.

The different visited interval of the orbit with different keys is easily used to realize the chosen-plaintext attack and the known-plaintext attack described in [2]. When the control parameter is $r$, the visited interval will be $[r(1 - r/2), r/2]$. From the statistics of enough ciphertexts one can get the approximate lower (upper) bound of the visited interval, and then obtain the secret key $r$ approximately. As we have mentioned above, the chaotic encryption system is not sensitive to the secret key, so the approximate secret key is enough to decrypt the ciphertext with a high probability of success. Of course, one can find the exact value of the secret key by searching for it in a small neighborhood of the approximate value, which needs much less computation than searching the whole key space.

Since $X_i$ must be known to make such statistics, the known-plaintext attack and chosen-plaintext attack in [2] depend on both defects. Hence, if the first defect is avoided, all four attacks in [2] are infeasible. But in order to avoid other possible attacks in the future, both defects should be mended. We will do so in the improved scheme.
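The two defects of Sections 2.1 and 2.2 can be reproduced on a small model of the original scheme. The following is an added example, not code from this Letter or from [1] or [2]; it assumes the standard tent map form (consistent with the visited interval quoted above), a fixed threshold of 0.5, double-precision arithmetic, and constructed sample values; all function names are hypothetical.

```python
import random

def tent(x, r):
    # Assumed standard tent map; its orbit visits [r(1 - r/2), r/2].
    return r * x if x < 0.5 else r * (1.0 - x)

def find_block(x, r, block, U, limit=4096):
    """Iterate from x until `block` appears in the bit chain.
    Returns (X, x_end): the state at the block's first bit and at its last."""
    recent = []
    for _ in range(limit):
        x = tent(x, r)
        recent = (recent + [x])[-len(block):]
        if len(recent) == len(block) and [int(v > U) for v in recent] == block:
            return recent[0], x
    return None

def encrypt_original(bits, r, x0, U=0.5, b_max=8):
    """Original scheme: every cipher-block is (U_i, b_i, X_i)."""
    x, pos, cipher = x0, 0, []
    while pos < len(bits):
        b = min(b_max, len(bits) - pos)
        hit = find_block(x, r, bits[pos:pos + b], U)
        while hit is None and b > 1:      # not found: b_i = b_i - 1, search again
            b -= 1
            hit = find_block(x, r, bits[pos:pos + b], U)
        if hit is None:
            raise ValueError("bit chain never produced the block")
        X, x = hit
        cipher.append((U, b, X))
        pos += b
    return cipher

# --- what can be computed from the ciphertext alone, without the key ---

def first_bits(cipher):
    """Defect 1: the first bit of every plain-block is simply X_i > U_i."""
    return [int(X > U) for U, _, X in cipher]

def estimate_r(cipher):
    """Defect 2: the largest X_i approaches r/2, the top of the visited interval."""
    return 2.0 * max(X for _, _, X in cipher)

def guess_plaintext(cipher, r_guess):
    """Regenerate each block from X_i using only an approximate key r'."""
    out = []
    for U, b, x in cipher:
        for _ in range(b):
            out.append(int(x > U))
            x = tent(x, r_guess)
    return out

def demo(seed=1, r=1.97, x0=0.3, n_bytes=200):
    rng = random.Random(seed)             # constructed sample plaintext
    bits = [rng.getrandbits(1) for _ in range(8 * n_bytes)]
    cipher = encrypt_original(bits, r, x0)
    starts, pos = [], 0
    for _, b, _ in cipher:                # true first bit of each plain-block
        starts.append(bits[pos])
        pos += b
    guess = guess_plaintext(cipher, r + 1e-6)
    accuracy = sum(g == t for g, t in zip(guess, bits)) / len(bits)
    return {"leak_ok": first_bits(cipher) == starts,
            "r_est": estimate_r(cipher),
            "accuracy": accuracy}
```

Because every quantity above is derived from $X_i$, removing $X_i$ from the ciphertext removes all three observations at once, which is the design change made in Section 3.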

2.3. Other weaknesses

There are also some other weaknesses pointed out in [2]. They are the use of too low a computing precision, the lack of exact directions about how to choose the initial condition and the secret key, and the non-sensitivity of the ciphertext to the secret key. The last weakness has been discussed in the last two subsections. The others are not crucial for the original encryption scheme, and can be solved by carefully reconsidering the realization of the original scheme.

Besides the above weaknesses, there is another serious problem in the original scheme: the slow encryption speed. The encryption speed is chiefly determined by the search for the occurrence of the plain-block in $C_i$. Assume $C_i$ is balanced on $\{0,1\}$; then the probability of the occurrence of every plain-block is $1/2^{b_i}$, so the search procedure can be regarded as Bernoulli experiments with probability $p = 1/2^{b_i}$. The number of experiments follows a geometric distribution, and its mathematical expectation is $2^{b_i}$ [5]. If $C_i$ is not balanced, the average number of experiments will be larger than $2^{b_i}$. Because $b_i$ cannot be very small if brute-force attack is to be avoided, the encryption speed will be much slower than that of conventional ciphers. On the other hand, $b_i$ will not be too large, since the search will be restarted with $b_i = b_i - 1$ if the plain-block cannot be found for a long time. Such a paradox makes it very difficult to select a $b_{\max}$ that gives both considerable security and encryption speed. In [1], $b_{\max} = 16$ is adopted, which makes the chaotic cipher insecure and the encryption speed relatively slow.

3. The improved scheme

3.1. Description

An improved scheme is proposed in this Letter. It avoids the two existing defects and the other weaknesses of the original one, and has higher security.

Without loss of generality, we employ a one-dimensional chaotic map to construct the new cryptosystem. Assume a chaotic map defined on the interval $I = [a, b]$ is given: $x_{n+1} = f(x_n, p)$, where $p$ is the control parameter. The following requirement should be satisfied: the chaotic map is ergodic on $I$ with a unique invariant density function [6]. This requirement is needed to avoid the second essential defect, and can make statistical cryptanalysis impossible.

We can give some examples of such chaotic maps. It is known that piecewise linear chaotic maps are ergodic and have a uniform invariant density function on their definition intervals [7]. Moreover, piecewise linear maps are the simplest kind of chaotic maps in practice (only several additions and one division are needed). So they are the best candidates for our scheme. Among them the simplest one is given by Eq. (1), which is similar to but essentially different from the tent map used in [1]:

$$F(x,p) = \begin{cases} x/p, & x \in [0,p), \\ (1-x)/(1-p), & x \in [p,1]. \end{cases} \tag{1}$$

Another example is the chaotic map used in [8], which is also rather simple and a little more complex than the map above:

$$F(x,p) = \begin{cases} x/p, & x \in [0,p), \\ (x-p)/(1/2-p), & x \in [p,1/2], \\ F(1-x,p), & x \in [1/2,1]. \end{cases} \tag{2}$$

Based on such a chaotic map, the improved scheme can be described as follows:

• The secret key: $K = (x_0, p)$, where $x_0$ is the initial condition of the chaotic map.

• The input (plaintext): $P_1P_2\ldots P_i\ldots$, where the size of $P_i$ is $b_i \le b_{\max}$.

• The encryption procedure is quite similar to the original scheme. For the first plain-block $P_1$, whose size is $b_1 = b_{\max}$, run the chaotic map from $x_0$, and select a threshold $U_1$ to generate a bit chain $C_1$ by the same rule as in the original scheme. Find the position at which $P_1$ appears in $C_1$, and record $(U_1, b_1, n_1)$ as the cipher-block, where $n_1$ is the number of iterations of the chaotic map from $x_0$. If $P_1$ cannot be found in a large enough catalog $C_1$, set $b_1 = b_1 - 1$ and restart the search. For the second and the following plain-blocks, the encryption procedure is the same, except that the chaotic map runs from the position after the last plain-block is encrypted, not from $x_0$.

• The output (ciphertext): $(U_1, b_1, n_1)(U_2, b_2, n_2)\ldots(U_i, b_i, n_i)\ldots$. In fact, the threshold $U_i$ can be fixed for all plain-blocks; then the ciphertext is simplified to $(b_1, n_1)(b_2, n_2)\ldots(b_i, n_i)\ldots$. Generally speaking, the threshold should be selected to make $C_i$ balanced on $\{0,1\}$, i.e., $P\{C_i = 0\} = P\{C_i = 1\}$. It can be derived from the invariant density function of the chaotic map. For the two chaotic maps mentioned above, the threshold is 0.5, the midpoint of $I = [0,1]$.

• For the legal users knowing the secret key, the decryption procedure is easily realized by re-generating $C_i$ for each cipher-block.

We can see that both defects of the original scheme are avoided in the above scheme. What is more, unlike the original scheme, the improved one is a stream cipher, not a block cipher. This means that a smaller $b_{\max}$ can be used, and the paradox between security and encryption speed will be overcome to some extent.
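A compact implementation of the procedure listed above, as an added example that is not the authors' code. It assumes map (1) in 64-bit fixed-point arithmetic, the fixed threshold 0.5, no perturbation of the orbit (Section 3.2), and that $n_i$ counts iterations from the current position up to the first bit of the match; the key values and function names are constructed for illustration.

```python
L = 64                      # assumed fixed-point precision in bits
ONE = 1 << L                # fixed-point 1.0
HALF = ONE >> 1             # threshold U = 0.5

# Constructed sample key K = (x0, p), both as L-bit fixed-point numbers.
KEY = (0x243F6A8885A308D3, 0x74E9D5C1B2A39F41)

def skew_tent(x, p):
    """Map (1): x/p on [0, p), (1 - x)/(1 - p) on [p, 1]."""
    if x < p:
        return (x << L) // p
    return ((ONE - x) << L) // (ONE - p)

def to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def _find(x, p, block, limit):
    """Return (n, state): `block` occupies iterations n .. n+b-1 from x."""
    b = len(block)
    mask = (1 << b) - 1
    target = int("".join(map(str, block)), 2)
    window = 0
    for c in range(1, limit + 1):
        x = skew_tent(x, p)
        window = ((window << 1) | (x > HALF)) & mask
        if c >= b and window == target:
            return c - b + 1, x
    return None

def encrypt(bits, key, b_max=8, limit=1 << 16):
    """Ciphertext is a list of (b_i, n_i); no orbit state is ever emitted."""
    x, p = key
    cipher, pos = [], 0
    while pos < len(bits):
        b = min(b_max, len(bits) - pos)
        hit = _find(x, p, bits[pos:pos + b], limit)
        while hit is None:              # not found: shrink the block, restart
            b -= 1
            if b == 0:
                raise ValueError("degenerate orbit (weak key): chain is stuck")
            hit = _find(x, p, bits[pos:pos + b], limit)
        n, x = hit                      # next block continues from this state
        cipher.append((b, n))
        pos += b
    return cipher

def decrypt(cipher, key):
    """Regenerate the bit chain from the key and read b_i bits at offset n_i."""
    x, p = key
    bits = []
    for b, n in cipher:
        for _ in range(n - 1):          # skip to just before the match
            x = skew_tent(x, p)
        for _ in range(b):
            x = skew_tent(x, p)
            bits.append(int(x > HALF))
    return bits
```

Sender and receiver stay synchronized only because both advance the same orbit by exactly $n_i + b_i - 1$ iterations per block, so a lost or reordered cipher-block desynchronizes everything after it.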

3.2. Discussion

In our scheme, one important problem should be considered carefully, since it can cause weak keys in the key space of the chaotic cryptosystem: the statistical degradation of the digital chaotic map. In recent years, many researchers have found that when chaotic systems are discretely realized in finite precision, some serious problems arise, such as short cycle length, nonideal distribution and correlation functions [9–16]. Among these problems, short cycle length is very crucial. When the finite computing precision is $L$ (bits), the cycle length of the chaotic orbit will be much smaller than $2^L$ for many control parameters and initial conditions. What is worse, there are many control parameters and initial conditions that make the chaotic orbit converge to a fixed value after some iterations. For the chaotic map defined by (1), an extreme example is as follows: assume $p = 1/2$; for each $x_0$, both the chaotic orbit and $C_i$ will lead to zero after $L$ iterations. Such a fact will make the encryption procedure stop, and make the encryption system infeasible.

Apparently, we must remedy this problem in our scheme. In fact, however, there is not yet an established theory to measure the statistical properties of discrete-time chaotic maps and to direct how to improve them. Only several engineering methods have been proposed to escape from this problem: using higher finite precision [10,11], a perturbation-based algorithm using a pseudo-random number generator [12,13], and cascading multiple chaotic systems [15]. In our scheme, the perturbation-based algorithm proposed in [13] is suggested, which can be briefly described as follows.

Use a PRNG (pseudo-random number generator) to generate a signal to perturb the orbit of the chaotic map at regular intervals. Assume the cycle length of the sequence generated by the PRNG is $T$ and the perturbing interval is $\Delta$; the cycle length of the perturbed chaotic orbit will be $\sigma\Delta T$, where $\sigma$ is a positive integer. Generally, a maximal length LFSR (linear feedback shift register [3]) is used as the perturbing PRNG; when its degree equals the finite computing precision $L$, the cycle length of the perturbed chaotic orbit will be $\sigma\Delta(2^L - 1) > 2^L$. Such a long cycle can improve the discrete ergodicity of the chaotic map in finite precision. For the piecewise linear chaotic maps, it hints at the uniform distribution of the chaotic orbit in the discrete space, which is desired for a good cipher.

As argued in [13], the amplitude of the perturbing signal should be much smaller than that of the chaotic signal. But our experiments show that the larger the perturbing signal is, the better the results coincide with the theoretical analyses and the faster the encryption system runs. This is because the chaotic orbit is more uniform with a larger perturbing signal. So we suggest using a larger perturbing signal instead of a smaller one; the perturbed chaotic system can then be considered as a compound system of nonlinear dynamics and the pseudo-randomness of the perturbing PRNG. Here, the nonlinearity of the chaotic system ensures the security and the PRNG mends the degraded digital statistical properties of discrete chaotic systems.
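The weak key $p = 1/2$ and the effect of perturbation can be checked directly. This is an added example, not code from this Letter or from [13]; it assumes map (1) on 32-bit fixed-point numbers with an exact 1.0 stored as 0, a Galois-form LFSR with feedback taps taken from the polynomial $1 + x + x^{27} + x^{28} + x^{32}$ given in Section 3.5, an LFSR clocked once per chaotic iteration, and XOR of the whole LFSR state into $x$ every $\Delta = L$ iterations as the combination rule. The seed and function names are constructed.

```python
L = 32                      # computing precision in bits (value of Section 3.5)
ONE = 1 << L
MASK = ONE - 1
HALF = ONE >> 1             # fixed-point 1/2, the weak control parameter
# Feedback mask for x^32 + x^28 + x^27 + x + 1 (Galois form, right shift).
GALOIS_TAPS = (1 << 31) | (1 << 27) | (1 << 26) | 1

def F(x, p):
    """Map (1) on L-bit fixed-point numbers x / 2^L (assumed: 1.0 wraps to 0)."""
    y = (x << L) // p if x < p else ((ONE - x) << L) // (ONE - p)
    return y & MASK

def lfsr_step(s):
    """One clock of a degree-L Galois LFSR; a non-zero state stays non-zero."""
    lsb = s & 1
    s >>= 1
    return s ^ GALOIS_TAPS if lsb else s

def orbit(x0, p, n, perturb=False, seed=0xACE1ACE1, delta=L):
    """First n states after x0. With perturb=True the LFSR state is XORed
    into x every `delta` iterations (assumed combination rule)."""
    x, s, out = x0, seed, []
    for i in range(1, n + 1):
        x = F(x, p)
        s = lfsr_step(s)
        if perturb and i % delta == 0:
            x ^= s
        out.append(x)
    return out

def steps_to_zero(x0, p, limit=10 * L):
    """Iterations until the unperturbed orbit reaches the fixed point 0."""
    x = x0
    for i in range(1, limit + 1):
        x = F(x, p)
        if x == 0:
            return i
    return None

def survives(states):
    """True if the orbit is still non-zero somewhere in its last L states."""
    return any(states[-L:])
```

With $p = 1/2$ each iteration adds one trailing zero bit to $x$, so the unperturbed orbit is dead after at most $L$ steps, while the perturbed orbit is reseeded from the LFSR at every multiple of $\Delta$.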


3.3. Cryptographic properties

In this section, we first make the following statement. Since $b_i$ in the ciphertext just indicates the block size of the corresponding plain-block, we will only regard $n_i$ as the “real” ciphertext.

As we know, two chief cryptographic properties of a good cipher are confusion and diffusion, which are commonly ensured by the balance and avalanche properties of the ciphertext in conventional cryptography [3]. But our chaotic cipher has a rather different property: the ciphertext is not balanced, since the larger $n_i$ is, the smaller the probability of its occurrence in the ciphertext. Assume $C_i$ is a balanced i.i.d. bit sequence; the search procedure can be considered as Bernoulli experiments with probability $1/2^{b_i}$; then we can deduce the discrete distribution of $n_i$,

$$P\{n_i = k\} = \frac{1}{2^{b_i}}\left(1 - \frac{1}{2^{b_i}}\right)^{k-1}, \tag{3}$$

which is theoretically independent and identical for different secret keys and plaintexts.

Actually, there are four corresponding facts on the distribution of the ciphertext: (1) for different plaintexts, the ciphertext has the same distribution function; (2) for different secret keys (control parameters and initial conditions), the ciphertext has the same distribution function; (3) for two plaintexts even with only one bit difference, the ciphertext is rather different; (4) for two secret keys even with only one bit difference, the ciphertext is rather different. The first two facts denote confusion, and the other two denote diffusion.

Because our improved scheme avoids the two essential defects, and satisfies the confusion and diffusion properties, we can use a smaller $b_{\max}$ than in the original scheme. Thus the encryption speed will be faster. However, since the time-consuming search procedure is still used, the encryption speed is still slower than that of most conventional ciphers. Assume the speed of iterating the chaotic map is $s$ iterations per second; the average encryption speed will not be faster than $s\,b_{\max}/2^{b_{\max}}$ bps (bits per second). Hence, such a chaotic encryption scheme can only be used in non-real-time applications, such as the secure transmission of short messages over a network or the secure storage of small files in computers.

Finally, let us discuss the key entropy of the improved scheme. When the finite computing precision is $L$ (bits), the control parameter and initial conditions are represented as fixed-point binary decimals. So the key entropy of the improved scheme is $2L$. In most computers $L = 32$ or 64, so the key entropy is 64 or 128, which is enough for a secure cipher. If higher security is wanted, a larger $L$ is suggested.

3.4. Compression after encryption

There is a notable problem in the chaotic cipher: the block size of the ciphertext is much (>2 times) larger than that of the plaintext. Compressing the ciphertext can solve it. Since the ciphertext is not balanced, it can be compressed with lossless statistical encoding methods, such as the Huffman coding algorithm [17]. First, divide the ciphertext into two bit streams: $b_1b_2\ldots b_i\ldots$ and $n_1n_2\ldots n_i\ldots$. Then compress the two sub-streams with Huffman coding separately. For the stream $n_1n_2\ldots n_i\ldots$, the average size of a compressed cipher-block will be $b_{\max}$ according to Eq. (3). For the stream $b_1b_2\ldots b_i\ldots$, the average size of a compressed cipher-block will be close to 1, since each $b_i$ in the ciphertext tends to be $b_{\max}$. Hence, the average size of a compressed cipher-block will be close to $b_{\max} + 1$, only 1 bit more than the maximal size of a plain-block.

3.5. Experimental results

Based on the chaotic map defined in Eq. (1), we construct an experimental cryptosystem and test its cryptographic properties. Here the computing precision is $L = 32$ (bits), $b_{\max} = 8$, and the perturbing PRNG is a maximal length LFSR (m-LFSR), whose degree is $L$ and whose primitive polynomial is $1 + x + x^{27} + x^{28} + x^{32}$. The perturbing interval $\Delta$ is $L$ (note $\gcd(L, 2^L - 1) = 1$), and all bits of the m-LFSR are used to perturb the chaotic orbit.

As we have mentioned above, the discrete distribution of $n_i$ is theoretically given by Eq. (3). When the plaintext is distributed uniformly, the experimental result coincides with the theoretical curve, as shown in Fig. 1. When the plaintext is 59 59 … 59 …, the experimental result is shown in Fig. 2. The number of encrypted plain-blocks is 50,000. When the secret keys (control parameters and initial conditions) are selected as different random values, similar results are obtained. So the confusion property is confirmed.


Fig. 1. The distribution of $n_i$ with uniformly distributed plaintext.

Fig. 2. The distribution of $n_i$ with fixed plaintext 59 59 … 59 ….

Some other experiments were made to verify the diffusion property. The difference of $n_i$ in two ciphertexts is shown in Figs. 3–5, with the least different plaintexts, control parameters and initial conditions, respectively. The different parameters are listed as follows:

• The least different plaintexts (see Fig. 3): 195 195 … 195 … and 196 195 … 195 ….

• The least different control parameters (see Fig. 4): $p_1 = 31849/2^{32}$ and $p_2 = 31848/2^{32}$.

• The least different initial conditions (see Fig. 5): $x_{0,1} = 40332/2^{32}$ and $x_{0,2} = 40333/2^{32}$.

Fig. 3. The difference of $n_i$ with two least different plaintexts.

Fig. 4. The difference of $n_i$ with two control parameters having $2^{-L}$ difference.

Fig. 5. The difference of $n_i$ with two initial conditions having $2^{-L}$ difference.

4. Conclusion

In this Letter, we point out two essential defects existing in the chaotic encryption scheme proposed in [1], and propose a new scheme to improve its security by avoiding the two defects and solving other weaknesses. Our scheme is immune to the four attacks presented in [2] and has the desired cryptographic properties.

Although the security of the original scheme can be improved, its encryption speed cannot be essentially improved much because of the time-consuming search procedure. Therefore, its encryption speed is still rather slower than that of most conventional ciphers. This is a remaining weakness in our improved scheme. We will try to find a solution to this problem in the future, but perhaps any possible solution will lead to a chaotic cryptosystem entirely different from the original one proposed in [1].

In addition, as we know, public-key cryptosystems are generally used to encrypt the secret keys of symmetric ciphers, which are used to encrypt the plaintext transmitted via a public channel. Apparently, they are not so sensitive to the encryption speed. Another open research topic for the future is extending this symmetric chaotic cipher to a public-key one.

Acknowledgement

The authors would like to thank Miss Han Lu at Xi’an Foreign Language University for her help in the preparation of this Letter.

References

[1] E. Alvarez, A. Fernández, P. García, J. Jiménez, A. Marcano, Phys. Lett. A 263 (1999) 373.

[2] G. Alvarez, F. Montoya, M. Romera, G. Pastor, Phys. Lett. A 276 (2000) 191.

[3] B. Schneier, Applied Cryptography—Protocols, Algorithms, and Source Code in C, 2nd ed., Wiley, New York, 1996.

[4] Hao Bai-Lin, Starting with Parabolas: An Introduction to Chaotic Dynamics, Shanghai Scientific and Technological Education Publishing House, Shanghai, 1993.

[5] The Committee of Modern Applied Mathematics Handbook, Modern Applied Mathematics Handbook—Probability Theory and Stochastic Process, Tsinghua University Press, Beijing, 2000.

[6] A. Lasota, M.C. Mackey, Chaos, Fractals, and Noise—Stochastic Aspects of Dynamics, 2nd ed., Springer, New York, 1997.

[7] A. Baranovsky, D. Daems, Int. J. Bifurc. Chaos 5 (1995) 1585.

[8] H. Zhou, X.-T. Ling, IEEE Trans. Circuits Syst. I 44 (3) (1997) 268.

[9] J. Palmore, C. Herring, Physica D 42 (1990) 99.

[10] D.D. Wheeler, Cryptologia XIII (1989) 243.

[11] D.D. Wheeler, R. Matthews, Cryptologia XV (1991) 140.

[12] Zhou Hong, Ling Xieting, Acta Eletron. Sinica 25 (1997) 95, in Chinese.

[13] Sang Tao, Wang Ruili, Yan Yixun, Electron. Lett. 34 (1998) 873.

[14] Li Shujun, Li Qi, Li Wenmin, Mou Xuanqin, Cai Yuanlong, in: Cryptography and Coding—8th IMA Int. Conf. Proc., Lecture Notes in Computer Science, Springer, Berlin, 2001, to be published.

[15] G. Heidari-Bateni, C.D. McGillem, IEEE Trans. Comm. 42 (1994) 1524.

[16] J. Fridrich, Int. J. Bifurc. Chaos 8 (1998) 1259.

[17] K.R. Castleman, Digital Image Processing, Prentice-Hall, New York, 1996.