Chaos, Solitons and Fractals 26 (2005) 117129

www.elsevier.com/locate/chaos

A block cipher based on a suitable use of the chaotic

standard map
Shiguo Lian *, Jinsheng Sun, Zhiquan Wang
Department of Automation, Nanjing University of Science and Technology, Nanjing 210094, PR China
Accepted 29 November 2004

Abstract
Due to their features of ergodicity, sensitivity to initial conditions and sensitivity to control parameters, etc., chaotic
maps have good potential for information encryption. In this paper, a block cipher based on the chaotic standard map
is proposed, which is composed of three parts: a confusion process based on chaotic standard map, a diusion function,
and a key generator. The parameter sensitivity of the standard map is analyzed, and the confusion process based on it is
proposed. A diusion function with high diusion speed is designed, and a key generator based on the chaotic skew tent
map is derived. Some cryptanalysis on the security of the designed cipher is carried out, and its computational complexity is analyzed. Experimental results show that the new cipher has satisfactory security with a low cost, which makes it a
potential candidate for encryption of multimedia data such as images, audios and even videos.

2005 Elsevier Ltd. All rights reserved.

1. Introduction
With the desirable properties of ergodicity and high sensitivity to initial conditions and parameters [1], chaotic maps
are very suitable for various data encryption schemes. In particular, chaotic maps are easy to be implemented by microprocessors and personal computers. Therefore, chaotic cryptosystems generally have high speed with low cost, which
makes them better candidates than many traditional ciphers for multimedia data encryption.
Early chaos-based cryptosystems, developed in the last decade, modulate messages with chaotic signals generated
from continuous-time chaotic dynamic systems. This kind of cryptosystems depends heavily on the synchronization
of two chaotic systems [2]. Although this approach can be directly used for analog devices such as walkie-talkies, it suffers from its poor noise performance and weak synchronizability: if the synchronization of the cryptosystem is robust,
then it is vulnerable to controlled-synchronization type of attacks; but if not, then even the receiver may easily lose synchronization thereby leading to the failure of message recovery [3,4].
There are some other types of chaotic cryptosystems, most of which transform plaintext directly. And they are
often classied into two types: chaotic stream cryptosystems and chaotic block cryptosystems. In chaotic stream cryptosystems, a key stream is produced by a chaotic map, which is used to encrypt a plaintext bit by bit [5,6]. A chaotic
block cryptosystem, on the other hand, transforms a plaintext block by block with some chaotic maps. For example, a
*

Corresponding author.
E-mail address: sg_lian@163.com (S. Lian).

0960-0779/$ - see front matter
2005 Elsevier Ltd. All rights reserved.
doi:10.1016/j.chaos.2004.11.096

118

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117129

cryptosystem based on the chaotic gradient tent map was constructed in [7], and the one based on the modied baker
map was suggested in [8]. These cryptosystems apply chaotic maps repeatedly, which guarantees the randomness of the
encrypted data. Their security is determined by the properties of the chaotic maps and the realization of the encryption
scheme. Notably, these cryptosystems often include digital data and analog data at the same time, which make them
rely heavily on the machine
s precision. Thus, the machine
s precision has to be considered in order to keep the decryption process symmetric to the encryption one, which decreases the speed of the encryption or decryption process.
In order to avoid the shortcomings of oating-point computing, some new cryptosystems based on discretized chaotic maps have been proposed. The core problem is how to obtain good discretized chaotic maps. Generally, chaotic
maps are discretized by rounding the oating data according to the computer
s resolution. As a result, these chaotic
cryptosystems depend on the mathematical properties of the corresponding continuous chaotic systems [9,10]. For
example, a cryptosystem was proposed in [10,11] by directly discretizing the 2-D baker map, and the relationship between the original map and the discretized map was then discussed in [12]. A cryptosystem based on the discretized tent
map was proposed in [13], in which, the discretization process avoids oating-point computing, increases the encryption
speed signicantly and is therefore suitable for large-volume data encryption in real-time.
For cryptosystems, Shannon [14] dened the ideal security, perfect security and computational security, respectively.
A cryptosystem is regarded as having ideal security if the diculty of ciphertext-only attack equals to the diculty of
brute-force attack. In cryptosystems with ideal security, a ciphertext is uniformly and randomly distributed, which prevents any attack. However, this kind of ideal cryptosystem does not exist in practice, so it is not useful for real design. A
cryptosystem is regarded as having perfect security if the ciphertext is independent of the plaintext, which means that the
ciphertext provides no help to attackers. Compared with the ideal security, perfect security is easier to be realized theoretically, but it is still dicult to be applied in practice. Shannon believed that, in practice, the security of a cryptosystem
depends on its computational complexity. If a cryptosystem is not ideally secure, but there is only one solution to it, and
any other solutions require very high computational complexity, then the cryptosystem is regarded as computationally
secure. Many cryptosystems are constructed based on high computational security, such as DES, IDEA, NSSU, etc.,
which are all implemented through confusion and diusion processes, and are strengthened by increasing the loop time.
Based on the security dened by Shannon, some chaos-based block ciphers have been suggested [1517]. An encryption scheme based on the discretized 2D chaotic maps, such as the cat map, the baker map and the standard map, was
proposed in [15]. It has been reported that some of the parameters of the cat map or baker map are not secure enough to
be used as encryption key. As a slight improvement, the 2D cat map and baker map were extended to 3D ones in
[16,17], respectively, based on which symmetric block ciphers were constructed and obtained improved applications.
For image encryption using the cat map, the image may be recovered by iterating the chaotic map for some rounds
under some control parameters. For image encryption using the baker map, the image may be kept unchanged after
some rounds of iteration under some control parameters. Therefore, these parameters should be excluded from encryption/decryption keys in order to obtain high security. Compared with the cat map and the baker map, the chaotic standard map has a larger parameter space, and there is no vulnerable parameters being reported to our knowledge. Thus, it
is worthy of being considered for better data encryption. In [15], only a discretization method was discussed for the
standard map, but its properties have not yet been fully analyzed. For this reason, the basic properties of the standard
map will be carefully analyzed in this paper, and some means will be proposed to improve its properties that are more
suitable for data encryption. Then, a symmetric block cipher based on the improved standard map will be designed,
which consists of three parts: a chaotic confusion process, a diusion function, and a key generator. Finally, its security
and computational complexity will both be analyzed and tested.
The rest of this paper is organized as follows. In Section 2, a brief introduction to the chaotic standard map is given.
Its properties and some improvements are then analyzed and presented in Section 3. In Section 4, a new block cipher
based on the improved standard map is proposed, and its performances are analyzed and tested in Section 5. Finally,
some conclusions are drawn in Section 6.

2. Introduction to the standard map

The so-called standard map was introduced in [18,19], and is described by


ai1 ai bi mod 2p;
bi1 bi k sinai bi mod 2p;

where k is the control parameter satisfying k > 0, and the ith states ai and bi both take real values in [0, 2p) for all i. The
standard map was discretized in a straightforward manner [15] by substituting x = aN/2p, y = bN/2p, K = kN/2p into
Eq. (1), which maps from [0,2p) [0,2p) to N N. After discretization, the map becomes

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117129

119

xi1 xi y i mod N ;


N
mod N ;
y i1 y i K sin xi1
2p

where K is a positive integer.

The properties of this discretized map may not be as good as the original one [19], but it can be implemented in the
integer domain, which reduces the computational complexity and is more suitable for real-time data encryption. In the
following content, the properties of this discretized standard map is rstly analyzed, then improved by introducing some
means, and nally used in data encryption.

3. Data confusion based on the standard map

3.1. Parameter sensitivity
In the discretized standard map (2), the control parameter K has a large space, and the confusion modes according to
these parameters are dierent from each other. Compared with the discretized cat map and baker map, this parameter
space is much larger, which is shown in Table 1. Where, the image
s size is N N. For the cat map [15], its two parameters both range from 0 to N
1, and each of the parameter pairs makes the according confusion mode dierent from
others. Thus, the parameter space of the cat map is N2. For the baker map, its parameter space is 2N
1 that is veried in
[15]. For the discretized standard map, its parameter K determines the confusion mode. Considering that the number of
the confusion modes of an N N image is not larger than N2!, the parameter space of K is N2!. As can be seen, the
parameter space of standard map is the largest one among the three ones, which makes the discretized standard
map a good candidate for data encryption.
Recall that secure cryptosystem requires not only a large key space but also a high key sensitivity. That is, a slight
change in the key should cause some large changes in the ciphertext. This property makes the cryptosystem of high
security against statistical or dierential attack. Here, if the standard map is used to permute the plaintext, then the
parameter K is used as the key. Thus, the key sensitivity is based on the parameter sensitivity that is in close relation
with the iteration time n and the plaintext size N. In the following, the parameter sensitivity of the discretized standard
map is tested, and a suggestion for selecting suitable parameters n and N will be proposed.
For the standard map is used to realize data permutation, the parameter sensitivity is dened as the position dierence rate (Pdr) of the ciphertexts, which is computed according to the following procedures.
Firstly, the ciphertexts generated from dierent control parameters (K
1, K and K + 1) are computed as
8
n
>
< Y CX ; K ;
3
Y 1 CX ; K
1n ;
>
:
Y 2 CX ; K 1n ;
where [C(X, K)]n means to iterate the chaotic map for n times, and the control parameter is K. Thus, the position difference rate (Pdr) is computed as
Pdrn; N

DifY ; Y 1 DifY ; Y 2
 100%;
2N 2

where N is the size of the confused image, and Dif(A, B) is the number of dierent positions between permuted image A
and B. As can be seen from (3) and (4), Pdr is in relation with both n and N, which means that the parameter sensitivity
is in relation with both the iteration time and the image size.
Taking dierent parameters values, the relationships among the iteration time, the image size, and the position difference rate are tested and shown in Fig. 1. Where, Fig. 1(a) gives the relationship between the iteration time and the
position dierence rate, and Fig. 1(b) gives the relationship between the image size and the position dierence rate.
In Fig. 1(a), image size is N = 256 that is normal in practice, and the control parameter ranges from 0 to 50,000. Seen
from the gure, for the same iteration time, the sensitivities of dierent parameters are similar to each other; for the

Table 1
Comparision of parameter spaces
Chaotic map
Parameter space

Cat map
2

Baker map
N
1

Standard map
N2!

120

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117129

Fig. 1. Parameter sensitivity test: (a) Pdr-parameter-n curve. (b) Pdr-parameter-size curve.

same parameter, the sensitivity increases as the iteration time increases. This shows that the standard map cannot keep
high parameter sensitivity always and big values should be selected for n in order to obtain high security. Thus, when
the standard map is used to realize the confusion process, the iteration time should be no smaller than 4 in order to keep
Pdr higher than 95%. If higher security is required, the iteration time with higher position dierence rate (n > 4) is
preferred.
In Fig. 1(b), the iteration time is n = 4, and the parameter ranges from 0 to 50,000. As can be seen, for a certain
image size, Pdr keeps in a certain range that is named vibration range here; for dierent image size, the Pdr vibration
range decreases as the image size increases. For example, the vibration range corresponding to N = 32 is 93.899.7%;
the one corresponding to N = 64 is 94.398.9%; the one corresponding to N = 128 is 95.298.8%; and the one corresponding to N = 256 is 97.298.9%. The lower limit of the vibration range increases as the image size increases. In order
to keep Pdr > 95%, the image size should satisfy N P 128. It means that when the standard map is used to permute
images, the image size should have a strict lower bound in order to keep high security. Here, N P 128 is recommended
when n P 4.
According to the above analysis, the control parameters have similar statistical properties, and can be used to obtain
high sensitivity if suitable iteration time and plaintext size are selected. Namely, the control parameters can be used as
encryption/decryption keys, and high key sensitivity can be guaranteed if the iteration time n and plaintext size N satisfy
the conditions: n P 4 and N P 128.
3.2. Corner-pixels confusion
In such chaotic maps as the standard map, cat map and baker map, the pixels at the corners of a square image have
some special properties. For example, in the cat map, the pixel at position (0, 0) remains unchanged after any number of
iterations. That is, if (x0, y0) = (0,0), then xn0 ; y n0 0; 0, where xni ; y ni (i = 0, 1, . . . , N
1) denotes the position of pixel
(xi, yi) after n times of iterations. If the chaotic map is the baker map, the pixel at position (0, 0) and (N
1,N
1) both
remain unchanged after any number of iterations. Similarly, for the standard map, the pixel at position (0, 0) remains
unchanged after any number of iterations.
As can be seen, (0, 0) is the rst pixel
s position in a normal scan mode, but it cannot be permuted by any of the
chaotic maps mentioned above. This is actually a weakness of the permutation process based on such chaotic maps.
And it can do some help to the attackers although the permutation process is further strengthened by a diusion process. In order to avoid it, a simple method is proposed here to change the positions of the pixels at the corners ((0, 0),
(0, N
1), (N
1, 0) and (N
1, N
1)). That is, to change the normal scan order into a random one. After the iteration of chaotic map, a random-couple (rx, ry) is generated, which represents the position of a randomly selected pixel in
the square image. Then, the whole image shifts in horizontal and vertical directions by rx and ry, respectively. That is,
the left-top pixel shifts from (0, 0) to (rx, ry), which is shown in Fig. 2. Where, Fig. 2(a) is the normal scan mode, and Fig.
2(b) is the random-scan mode. Seen from Fig. 2(b), the image is shifted, and then the three outside parts (I, II and III)
are returned to the corresponding parts in the original image. The random shift process changes the normal scan mode
into a random one, so it is named a random-scan mode.

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117129

121

Fig. 2. Scan order in a square image: (a) normal scan mode, (b) random scan mode.

Here, the two parameters rx and ry both vary from 0 to N
1. Thus, the random-scan process can be combined with
the chaotic permutation process, and the modied chaotic map becomes
(
xi1 xi rx y i ry mod N;


5
N
y i1 y i ry K sin xi1
mod N :
2p
Seen from (5), the modied map is still invertible, so the inverse-permutation process can be easily realized. This modied chaotic confusion process has two advantages: the random-couple can be generated under the control of keys,
which enlarges the cryptosystem
s key space; the random-scan process makes it dicult to break the diusion key under
known-plaintext attacks. Referring to the rst advantage, the key space for the random-couple is N2 (N is the width or
height of the image). As for the second advantage, the random-scan process confuses the position of the rst pixel,
which makes attackers dicult to get the rst pixel
s cipher-pixel, and thus increases the diculty of breaking the diffusion key. Clearly, this treatment indeed improves the security of the design.
3.3. Some means to reduce computational complexity
Generally, a chaotic map is iterated for several times in order to obtain high security when it is used to permute a
plaintext. According to the computation routine, the permutation process is often composed of two steps: position computing and pixel moving. These two steps are repeated for n times, as shown in Fig. 3(a). In these two steps, position
computing is to get the destination position through Eq. (5), and pixel moving is to move the pixel from the original
position to the destination one. Thus, for each pixel, the permutation process makes up 7n times of multiplication/division operations, 5n times of addition/subtraction operations, and n times of data moving operations. Suppose that the

Fig. 3. The permutation processes: (a) normal process, (b) improved method 1, (c) improved method 2.

122

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117129

operational times of multiplication/division, addition/subtraction and data moving are M, A and D, respectively. Then,
the operational time of pixel permutation satises
T 0 7nM 5nA nD:

This is regarded as of high cost, especially when the plaintext is of large volume. So, it is necessary to reduce the computational complexity.
Here, two kinds of methods are proposed to reduce the processing computational complexity, as shown in Fig. 3(b)
and (c), respectively. The rst method is to compute the permutation mode rstly, which contains the pixels
position
information. Then the pixels are permuted according to the computed mode for n times. As is clear, this method computes the permutation mode only once, and thus decreases the computational complexity. Now, the operational time is
reduced to
T 1 7M 5A nD:

In the second method, the computational eciency for the permutation mode is reduced greatly. This is based on the
introduction of a sine table. Note that, in Eq. (5), the horizontal position of a pixel ranges from 0 to N
1, thus the
N
function sin xn1
has only N dierent values. Although there are N2 pixels in an image, most of the sine values are com2p
puted repeatedly. By constructing a sine table of size N, the computational complexity is decreased to
T 2 3M 5A I nD;

where I is the operational time of once table index. Considering that N is relatively small, the operational time of once
table index is often much less than the one of multiplication/division, that is,
I < 4M:
Thus, T2 is smaller than T1, and the following relationship is satised:
T 0 > T 1 > T 2:

In practice, N ranges from 64 to 1024. Taking 16-bit operations for example, the cost for table restoring is no bigger
than 2 kb, which has very little eect on other operations.

4. The cryptosystem based on the modied standard map

This cryptosystem is based on chaotic confusion and diusion. The improved standard map is used here to realize
position confusion, while the diusion function is used to realize data diusion. And the operations are repeated several
times to strengthen the cryptosystem. The encryption process is shown in Fig. 4. Where, P and C are the plaintext and

Fig. 4. Encryption and decryption processes of the chaotic cipher: (a) encryption process, (b) decryption process.

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117129

123

ciphertext, respectively, Kc and Kd are the keys of the confusion process and diusion process, respectively. The confusion process Ce(Pi, Kci) is rstly repeated for n times, then together with the diusion process De(Mi, Kdi), are repeated
for m times. Pi, Mi and Ci are the plaintext, mid-text and ciphertext of the ith encryption process, and m is the number
of repetitions. The decryption process is symmetric with the encryption one, and the decryption keys are the same as the
encryption ones.
Seen from Fig. 4, the encryption process is
(
P i1 C i P 0 P ; i 0; 1; . . . ; m
1;
10
C i De M i ; K di De C ne P i ; K ci ; K di
and this process is repeated for m times. Similarly, the decryption process is
(
C i1 P i C 0 C; i 0; 1; . . . ; m
1;
;
P i C nd M i ; K ci C nd Dd C i ; K di ; K ci

11

where Kci and Kdi are the ith confusion key and diusion key, respectively. Since the encryption process and the decryption process are symmetric in this cryptosystem, the encryption keys are the same as the decryption keys. For the confusion process C(P, K) has been analyzed above, the following analysis emphasizes on the diusion process D(M, K) and
the key generator.
4.1. Diusion function
In the well-known DES algorithm, the diusion function is realized by substitution. Here, the diusion process De(Mi, Kdi) is realized by a diusion function that spreads changes from one pixel to another under the control of key Kdi.
The diusion function is dened as
(
c
1 K di ;
12
ck pk  qf ck
1 ; L;
where pk is the kth pixel in mid-text Mi, ck is the kth diused pixel, and L is the amplitude of each pixel. Here, c
1 is the
original value of the diusion function, which acts as part of the key of the cryptosystem. And f() is the logistic map
that is dened as
f ck
1 4ck
1 1
ck
1 :

13

And q[] is the quantization process dened by

qX ; L 2L  X ;
where X = 0x0x1x2    xL   , and xi is a binary number (0 or 1). The inverse diusion function is
(
c
1 K di ;
pk ck  qf ck
1 ; L;

14

15

where the parameters are the same as the ones dened in (12).
4.2. Key generation and distribution
The proposed cryptosystem is composed of multi-processes, so it is necessary to introduce a key generator to realize
sub-key generation and distribution. In the modied cryptosystem, the key space is composed of three parts: confusion
key, random-scan key and diusion key. These keys are changed once after every n iterations. Thus, for the encryption
process with m-time repetition, m key-triples are generated in the encryption process that is symmetric with the decryption one. Here, a key generator is proposed based on the skew tent map, which is shown in Fig. 5. The key generation
process is applied both in encryption and in decryption processes, where the user key is divided into six parts:
X1, X2, X3, K1, K2, K3. Among them, Xi and Ki (i = 1, 2, 3) are used, respectively, as the initial value and the parameter
of the skew tent map, which are used to generate the keys of the confusion process, the random-scan process and
the diusion process, respectively. The skew tent map is described by
( xj
0 < xj 6 h;
h
xj1 f xj ; h 1
xj
16
h < xj 6 1;
1
h

124

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117129

X1

Tent Map

K1
X2

... X1m-1

K1

K1

Tent Map

m-1

Tent Map

Tent Map

K2
X3

Tent Map

... X2

K2

K2
...
Tent Map

Tent Map

K3

K3

Tent Map

m-1

X3

K3

X1

X2

Tent Map

X3

Fig. 5. Key generation process.

where h is the chaotic map
s control parameter (ranging from 0 to 1), xj and xj+1 are the jth and the j + 1th states,
respectively. Let X ti (t = 1, 2, 3, . . . , m) denote the key in the tth iteration, we dene it as
X ti

t
1
f X t
1
i ; K i f X i
2mod31 ; K i
2mod31  mod 1
(
F i; t
1 P F i; t P 0;
F i; t mod 1
F i; t
1 F i; t > 1;

17

where X 0i X i (i = 1, 2, 3). Thus, X t1 is the confusion key, X t2 is the random-scan key, and X t3 is the diusion key in the
tth iteration. The process is applied for m times, and the generated sub-keys are in close relation with the user key when
the iteration time m is not smaller than 3. Thus, a slight change in the user key will cause great changes in these subkeys, which gives the cryptosystem a high key sensitivity.

5. Performance analysis
5.1. Security analysis
5.1.1. Key space
As mentioned above, the key of the cryptosystem is composed of three parts: permutation parameter K, randomscan key [rx, ry], and diusion key c
1. Thus, for an N N sized plaintext, the size of the space of permutations is
N2!, the one of random-scan is N2 and the one of diusion is L (the gray level of each pixel). These three parts are independent from each other. Therefore, for m iterations, the size of the space of the whole encryption process is
H N ; L; n; m N 2 !  N 2  Lm :

18
256

Here, it is proposed to take n = 4, m = 4 and L = 256. If N P 128, and the total size satises H(N, 256, 4, 4) > 2 . That
is, if the user key has 256 bits, then there is no contradiction among these keys, which keeps the cryptosystem of high
security against brute-force attacks.
5.1.2. Confusion and diusion
Confusion and diusion [14] are two basic design criteria for secret-key encryption algorithms with high computational security. Confusion means that the ciphertext depends on the plaintext and the key in a complicated and involved
way. Diusion requirement on a cipher means that each plaintext bit should inuence every ciphertext bit and each key
bit should inuence every ciphertext bit.
In the proposed cryptosystem, it is satised that
C i De M i ; K di De C ne P i ; K ci ; K di :
Here, Ce(Pi, Kci) is a chaotic map, so the relationship between Kci, Pi and Mi is nonlinear. Similarly, De(Mi, Kdi) is a
nonlinear function, which means that the relationship between Kdi, Mi and Ci is nonlinear. Therefore, the ciphertext
Ci is nonlinearly dependent on the plaintext Pi and the key Ki. Hence, the proposed cryptosystem satises the confusion
design criterion. What
s more, the chaotic map has a high parameter-sensitivity. That is, a one-bit change in the key
causes great changes in the ciphertext, which means that the ciphertext Ci depends on each bit of the key Ki. On the
other hand, the diusion function has a high diusion-speed. That is, a one-bit change in the plaintext causes great

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117129

125

Fig. 6. Image confusion test: (a) original image, (b) FD = 2.7288, (c) confused image, (d) FD = 2.9966.

changes in the ciphertext, which means that the ciphertext Ci depends on each bit of the plaintext Pi. Hence, the proposed cryptosystem satises the diusion design criterion.
5.1.3. Statistical attack
In the proposed cryptosystem, the chaotic standard map is used to permute the plaintext. Its parameters have similar
sensitivity, as shown in Fig. 1. This makes it dicult to break the cryptosystem through parameters analysis. Additionally, the confusion process permutes the plaintext so greatly that the correlation between two adjacent pixels is very
small. Thus, it is dicult for a statistical attack to break it by analyzing the pixels
correlations. Taking 4 iterations
of chaotic confusion for example, the original and the confused images are shown in Fig. 6. Obviously, the confused
image looks more chaotic than the original one. Taking the fractal dimension (FD) as measurement [20], the FD of
the confused image is 2.9966 that is closer to 3 compared with the one of the original image. It means that the correlation between adjacent pixels is greatly reduced.
Additionally, the diusion process is realized by a 1-D chaotic map that generates chaotic sequences with good pseudo-random properties. Thus, the diused images are randomly distributed, which makes it dicult for statistical attacks. Taking a (256 256) sized Lena for example, the original image, the encrypted image and their histograms
are shown in Fig. 7. It is clear that the encrypted image is confused and cannot be understood. Moreover, the histogram
of the encrypted image is nearly uniformly distributed, which makes statistical attacks dicult. Experiments on various
images have shown similar results. These properties tell that the proposed cryptosystem has high security against statistical attacks.
5.1.4. Sensitivity-based attack
The proposed cryptosystem has high key sensitivity and plaintext sensitivity. This means that a slight change in the
key or in the plaintext will causes great changes in the ciphertext. These properties make various sensitivity-based (differential) attacks dicult to break the cryptosystem.
The plaintext sensitivity of the cryptosystem is corresponding to both the chaotic map
s initial-value sensitivity and
the diusion function
s diusion speed. Here, the cryptosystem is used to encrypt images, and the experimental results
for Lena are shown in Fig. 8. Where, n = 4 and m = 4, The original image and encrypted image are shown in Fig. 8(a)
and (b), respectively, Fig. 8(c) is the encrypted image of the one with only one-bit change in the original image (a), while

126

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117129

Fig. 7. Statistical analysis of image encryption: (a) original image, (b) encrypted image, (c) histogram of the original image, (d)
histogram of the encrypted image.

Fig. 8. Plaintext sensitivity test: (a) original image, (b) encrypted image, (c) encrypted image, (d) dierence between (b) and (c).

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117129

127

Fig. 9. Correlation test: (a) correlation between plaintext and ciphertext, (b) correlation between dierent ciphertexts.

(d) is the dierence-image between the two encrypted images: (b) and (c). As can be seen, most of the pixels in Fig. 8(d)
are nonzero, which means that the dierence between image (b) and image (c) is big enough. Thus, the cryptosystem has
high plaintext sensitivity.
The key sensitivity of the cryptosystem benets from the chaotic map
s parameter sensitivity and the diusion function
s initial-value sensitivity. Here, tests are performed on the correlation between the plaintexts and the ciphertexts
that are encrypted by dierent keys, and on the correlation between dierent ciphertexts that are encrypted by dierent
keys. Taking Lena for example, the correlation between Lena and dierent ciphertexts encrypted by keys ranging from
1 to 5000 are computed and shown in Fig. 9(a). Similarly, the correlation between the ciphertext encrypted by key 1600
and other ciphertexts encrypted by keys ranging from 1 to 5000 is computed and shown in Fig. 9(b). As can be seen, the
correlation curve between a plaintext and the corresponding ciphertext is a curve lying around zero, which shows that
the plaintext is nearly independent from the ciphertext. This is consistent with the perfect security dened by Shannon
[14]. Similarly, the correlation curve between dierent ciphertexts is an impulse-like curve, which shows that the ciphertexts are independent from each other. This clearly shows its high key-sensitivity.
5.2. Computational and complexity analysis
Compared with traditional block ciphers [21] such as DES, IDEA and NSSU, the proposed chaos-based cryptosystem has some distinct properties. Firstly, the plaintext size of the chaos-based cryptosystem is not xed. The bigger the
size of the plaintext matrix, the more dicult the brute-force attack, and the more secure the cryptosystem. This advantage makes it suitable for large-volume data encryption such as image, audio and perhaps also video data. Secondly, the
confusion process and diusion process are controlled completely by the users (via the user keys), so they act more securely as compared to the xed confusion and xed diusion processes used in traditional ciphers. Thirdly, the confusion and diusion processes are known to all users, so the encryption process is clear to them without any possibility of
being trapped like the S-boxes in DES. What
s more, the encryption process and decryption process are symmetric, and
easy to be realized, which makes it suitable for multimedia encryption.
Here, tests are performed on the encryption speed of the proposed chaotic cryptosystem (with n = 4, m = 4, N > 64),
with a comparison to the DES algorithm. The source code proposed in [21] is used here. The computer used for conguration is Pentium IV 1.7 GHz CPU with 256M memory. The resulting curves are shown in Fig. 10, which show the
relationship between the encryption speed and the plaintext size. Seen from the gure, both curves are increasing as the
plaintext size increases, that is, the encryption speed increases with the plaintext size. However, the curve of the chaotic
cryptosystem rises much slower than the one of DES. Moreover, with the increase of the block size N, the time dierence becomes larger and larger. Therefore, for large-volume data, the chaotic cryptosystem proposed here is better
overall.

128

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117129

Time lg/(s)

102

The Proposed Algorithm

DES

101

100

500

1000

1500

2000

Plain text Size N (Byte)

Fig. 10. Encryption speed test.

6. Conclusions
In this paper, the basic properties of the discretized chaotic standard map have been carefully analyzed, including the
parameter sensitivity and computational complexity. Some means to enhance the chaotic map
s performance in data
permutation have been suggested. Based on the improved standard map, a block cipher has been designed and presented for encrypting large-volume data sets. It is composed of improved chaotic confusion, diusion, and key generation. Both theoretical analysis and experimental results show that the proposed cryptosystem has satisfactory security
and can be implemented eciently, thus may provide a choice for multimedia encryption applications.

Acknowledgment
The authors thank Prof. Guanrong Chen for some important suggestions. This research was supported by the National Natural Science Foundation of China through the grant number 60174005 and the Natural Science Foundation
of Jiangsu Province through the grant number BK2004132.

References
[1] Kotulski Z, Szczepariski J. Discrete chaotic cryptography (DCC). In: Proc NEEDS
97.
[2] Kapitaniak T. Controlling chaos, theoretical and practical methods in non-linear dynamics. London: Academic Press; 1996.
[3] Alvarez G, Montoya F, Romera M, Pastor G. Breaking parameter modulated chaotic securecommunication system. Chaos,
Solitons & Fractals 2004;21:7837.
[4] Yang T. A survey of chaotic secure communication systems. Int J Comput Cognit 2004;2:SI-130.
[5] Kohda T, Tsuneda A. Stream cipher systems based on chaotic binary sequences. SCIS96-11C, January 1996.
[6] Lu HP, Wang SH, Hu G. Pseudo-random number generator based on coupled map lattices. Int J Modern Phys B 2004;18(1719):
240914.
[7] Habutsu T, Nishio Y, Sasase I, Mori S. A secret key cryptosystem by iterating chaotic map. Lect Notes Comput Sci
1991;547:12740.
[8] Tsueike M, Ueta T, Nishio Y. An application of two-dimensional chaos cryptosystem. Technical Report of IEICE, NLP96-19,
May 1996 [in Japanese].
[9] Percival I, Vivaldi F. Arithmetical properties of strongly chaotic motions. Physica D 1987;25(13):10530.
[10] Scharinger J. Kolmogorov systems: internal time, irreversibity and cryptographic applications. In: Dubois D, editor. Proc AIP
Conference on Computing Anticipatory Systems, vol. 437. Woodbury, NY: American Institute of Physics; 1998.
[11] Pichler F, Scharinger J. Finite dimensional generalized Baker dynamical systems for cryptographic applications. Lect Notes
Comput Sci 1996;1030:46576.
[12] Kocarev L, Jakimoski G, Stojanovski T, Parlitz U. From chaotic maps to encryption schemes. In: Proc IEEE Int Symp ISCAS
98,
vol. 4, May/June 1998, p. 5147.

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117129

[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
[21]

129

Masuda N, Aihara K. Cryptosystems with discretized chaotic maps. IEEE Trans Circ SystI 2002;49(1).
Shannon C. Communication theory of secrecy systems. Bell Syst Tech J 1949;28:656715.
Fridrich J. Symmetric ciphers based on two-dimensional chaotic maps. Int J Bifurcat Chaos 1998;8(6):125984.
Chen G, Mao YB, Chui CK. A symmetric image encryption scheme based on 3D chaotic cat maps. Chaos, Solitons & Fractals
2004;12:74961.
Mao YB, Chen G, Lian SG. A novel fast image encryption scheme based on the 3D chaotic Baker map. Int J Bifurcat Chaos
2004;14(10):361324.
Jackson EA. Perspectives in nonlinear dynamics. Cambridge: Cambridge University Press; 1991.
Rannou F. Numerical study of discrete plane area-preserving map. Astron Astrophys 1974:289301.
Chen CC, Daponte JS, Fox MD. Fractal feature analysis and classication in medical imaging. lEEE Trans Med Imaging
1989;8(2):13342.
Vanstone SA, Menezes AJ, Oorschot PC. Handbook of applied cryptography. London: CRC Press; 1996.