www.elsevier.com/locate/pla
Abstract
In [N.S. Philip, K.B. Joseph, Chaos for stream cipher, cs.CR/0102012] Philip and Joseph propose their own cipher algorithm. An efficient attack on the values of the key of this cipher is presented in this Letter. Other weaknesses of this cipher are presented, along with proposals for improving the algorithm.
© 2006 Elsevier B.V. All rights reserved.
1.2. Implementation details

Although the authors in [1] assume a 16-bit long decimal format, it is more natural to use the widely applicable IEEE-754 standard for floating-point number representation [3]. In fact, because of the size of the double-precision float, the algorithm is also more secure against a brute-force attack. During investi-

With knowledge of α0 for a given key, the first 8-byte block of a ciphertext can be deciphered by calculating

y0 = α0 ⊕ C0. (7)

The calculation of the second block requires the evaluation of

α1 = f(x0, λ) ⊕ f(x0, λ). (8)
86 A. Skrobek / Physics Letters A 363 (2007) 84–90
range of (0, 1). Research showed that the most significant 8 bits of the parameter P0 have the value 0. The 8th bit has the value 1 with a 1% probability, and the 9th bit with a 16% probability. The remaining bits have a random distribution. Therefore, decryption of the first 10 bits according to the formula y0 = C0 is feasible with high probability.

The first ten bits of the second block can be decrypted with higher probability than in the case of the first block. Numbers in the range of (0, 1) in a floating-point representation have the first 9 bits set to a known and fixed value. Bit 9 can be estimated with approximately 90% probability. What follows from the ciphering algorithm is this: y1 = P1 ⊕ C1 = x1 ⊕ x1 ⊕ C1 = f(x0, λ) ⊕ C0 ⊕ f(x0, λ) ⊕ C1. Research has shown that the 9 most significant bits of the expression f(x0, λ) ⊕ f(x0, λ) can be uniquely estimated, the 9th bit however only with a 90% probability. It is therefore possible to decrypt the first 10 bits with high probability, according to the formula y1 = C0 ⊕ C1.
Table 1
Initializing the chosen ciphertext attack with C2 = (0, 0)

| n | xn | xn | Pn | Cn | yn | f(xn) | f(xn) |
|---|---|---|---|---|---|---|---|
| 0 | x0 | x0 | x0 ⊕ x0 | 0 | x0 ⊕ x0 | f(x0) | f(x0) |
| 1 | f(x0) | f(x0) | f(x0) ⊕ f(x0) | 0 | f(x0) ⊕ f(x0) | f²(x0) | f²(x0) |

Table 2
Chosen plaintext attack with y3 = (β0, β1, 0)

| n | xn | xn | Pn | Cn | yn | f(xn) | f(xn) |
|---|---|---|---|---|---|---|---|
| 0 | x0 | x0 | x0 ⊕ x0 | Imax ⊕ 1.0 | β0 | f(x0) | f(x0) |
| 1 | Ilarge | f(x0) | Ilarge ⊕ f(x0) | 0 | β1 | −∞ | f²(x0) |
| 2 | −∞ | f²(x0) | −∞ ⊕ f²(x0) | −∞ ⊕ f²(x0) | 0 | −∞ | f³(x0) |
| 3 | f²(x0) | f³(x0) | f²(x0) ⊕ f³(x0) | – | – | f³(x0) | f⁴(x0) |

Table 3
Chosen plaintext attack with y4 = (β0, β1, f²(x0, λ), 0)

| n | xn | xn | Pn | Cn | yn | f(xn) | f(xn) |
|---|---|---|---|---|---|---|---|
| 0 | x0 | x0 | x0 ⊕ x0 | Imax ⊕ 1.0 | β0 | f(x0) | f(x0) |
| 1 | Ilarge | f(x0) | Ilarge ⊕ f(x0) | 0 | β1 | −∞ | f²(x0) |
| 2 | −∞ | f²(x0) | −∞ ⊕ f²(x0) | −∞ | f²(x0) | −∞ | f³(x0) |
| 3 | 0 | f³(x0) | f³(x0) | f³(x0) | 0 | 0 | f⁴(x0) |
| 4 | f³(x0) | f⁴(x0) | f³(x0) ⊕ f⁴(x0) | – | – | f⁴(x0) | f⁵(x0) |
According to [3], its floating-point representation is −2^1023. Additionally, let us mark

Ilarge = 0xff d2 d3 ... d15. (15)

The value of Ilarge is a number which contains the value 0xff as the most significant byte, while the remaining (hexadecimal) digits are undetermined. Passing the value

β0 = Imax ⊕ 1.0 ⊕ x0 ⊕ x0 (16)

to the encrypting function as the first block, with x0 ⊕ x0 obtained from the first step, will cause x1 = β0 ⊕ x0 ⊕ x0 ⊕ f(x0, λ) = Ilarge to be a large binary number (in accordance with [3], the floating-point value of Ilarge is, with high probability, smaller than −2^1009). This comes from the fact that the result of the operation on the logistic map itself will have a binary representation with the most significant bit value of 0x3f, which to a significant degree cancels the value 1.0. The value of P0 is eliminated by passing P0 itself (obtained from the first step) as a part of y0.

The above operation will cause the system to run out of control. To get the first part of the key, which in this case is f²(x0, λ), the value of the expression

β1 = Imax ⊕ 1.0 ⊕ f(x0, λ) ⊕ f(x0, λ) (17)

should be encrypted as the second block. As for the first block, the value f(x0, λ) ⊕ f(x0, λ) is obtained from the stage of the initial attack. Delivering this value for deciphering in the second block will cause x2 = −∞. This is the result of the fact that the previous value of x1 was a large binary number, stored in all bits of the binary representation of a floating-point number. The logistic map is a quadratic function, so after raising the value to the second power, the function requires more space than is available in the binary representation, and the mathematical package returns the value of infinity. Additionally, the value C1 = 0, so it does not change any bits of the value x2. The zero value comes from the fact that C1 = y1 ⊕ P1 = Imax ⊕ 1.0 ⊕ f(x0, λ) ⊕ f(x0, λ) ⊕ f(x0, λ) ⊕ C0 ⊕ f(x0, λ) = Imax ⊕ 1.0 ⊕ f(x0, λ) ⊕ f(x0, λ) ⊕ Imax ⊕ 1.0 ⊕ x0 ⊕ x0 ⊕ x0 ⊕ x0 = 0.

After performing the above step it is known that the current orbit value is xn+1 = f(xn, λ) = −∞. This value has an appropriate binary representation. Block y2 = 0 is supposed to be encrypted in the next step, so that C2 = −∞ ⊕ x2 is acquired. The values of each variable and expression are shown in Table 2. Finally, x2 is evaluated from formula (18)

x2 ≡ f²(x0, λ) = −∞ ⊕ C2. (18)

To obtain all essential values of the key (it is known that xn = xn ⊕ Pn, and Pn was obtained from the first stage of cryptanalysis), the value of one of the next orbits, f(xn, λ) or f(xn, λ), is required. To get it, the encryption of the first two blocks should be performed once more (after resetting the internal state of the encrypter), followed by encryption of the previously obtained value f²(x0, λ) as the third block and the number 0 as the fourth. This causes the value x3 = 0, and as an effect of encrypting a block with value 0 we get C3 = x3 (C3 = P3 ⊕ 0 = x3 ⊕ 0 ⊕ 0 = x3). The values of the parameters and expressions are shown in Table 3. Knowing the values of x2 and x3, the control parameter λ is calculated from formula (19)

$$\lambda = \frac{x_3}{x_2 \cdot (1 - x_2)}. \tag{19}$$

The value of x1 can be calculated from the reverse logistic map iteration formula referring to the logistic map defined by the
6. An example of an attack on the key values

Assuming that the ciphering keys are:

Finally x2 = 0.83006331. According to the procedure described in the previous point, the next thing to do is to encrypt the block y4 = {β0, β1, x2, 0}. Let us encrypt the sequence:
Table 4
Decrypter's internal states in initialization phase

| n | xn | xn (hex) | xn | xn (hex) |
|---|---|---|---|---|
| 1 | 0.8568 | 0x3feb6ae7d566cf41 | 0.632247 | 0x3fe43b5e0f7fcfc3 |
| 2 | 0.4380167232 | 0x3fdc08774b4faf7b | 0.83006331 | 0x3fea8fe0ee102230 |

Table 5
Encrypter states during the out of control runs

| n | xn | xn (hex) | xn | xn (hex) |
|---|---|---|---|---|
| 1 | −1.1562 × 10^308 | 0xffe495182a9930be | 0.632247 | 0x3fe43b5e0f7fcfc3 |
| 2 | −∞ | 0xfff0000000000000 | 0.83006331 | 0x3fea8fe0ee102230 |
| 3 | 0.83006331 | 0x3fea8fe0ee102230 | 0.50357782 | 0x3fe01d4f391519b3 |

Table 6
Internal states of the encrypter while retrieving the x3 value

| n | xn | xn (hex) | xn | xn (hex) |
|---|---|---|---|---|
| 1 | −1.1562 × 10^308 | 0xffe495182a9930be | 0.632247 | 0x3fe43b5e0f7fcfc3 |
| 2 | −∞ | 0xfff0000000000000 | 0.83006331 | 0x3fea8fe0ee102230 |
| 3 | 0.0 | 0x0000000000000000 | 0.50357782 | 0x3fe01d4f391519b3 |
| 4 | 0.50357782 | 0x3fe01d4f391519b3 | 0.89245430 | 0x3fec8efc52a48605 |
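The arithmetic of this worked example, from the out-of-control step in Table 5 to the key candidates derived in the rest of this section, can be reproduced with the following Python sketch. It is an added example, not code from the Letter; it assumes the logistic map f(x) = λx(1 − x) implied by formula (19), and the helper names (`bits`, `from_bits`, `preimages`, `recover_key`) are hypothetical.

```python
import math
import struct

def bits(x):
    """64-bit IEEE-754 pattern of a double."""
    return struct.unpack(">Q", struct.pack(">d", x))[0]

def from_bits(b):
    """Double whose IEEE-754 pattern is the 64-bit integer b."""
    return struct.unpack(">d", struct.pack(">Q", b))[0]

def logistic(x, lam):
    """Logistic map step x -> lam*x*(1-x), the form implied by formula (19)."""
    return lam * x * (1.0 - x)

def preimages(x_next, lam):
    """Both x with logistic(x, lam) == x_next, as in formulas (34) and (35)."""
    root = math.sqrt(1.0 - 4.0 * x_next / lam)
    return (1.0 - root) / 2.0, (1.0 + root) / 2.0

def recover_key(x2, x3, xor_mask):
    """Return lambda and the four (x0 candidate, XOR partner) pairs."""
    lam = x3 / (x2 * (1.0 - x2))                        # formula (19)
    pairs = []
    for x1 in preimages(x2, lam):                       # two x1 candidates
        for x0 in preimages(x1, lam):                   # four x0 candidates
            partner = from_bits(bits(x0) ^ xor_mask)    # formula (36)
            pairs.append((x0, partner))
    return lam, pairs

# Values printed on the page (Tables 5 and 6, formula (36)); hex digits joined.
I_LARGE = 0xFFE495182A9930BE       # orbit value after the crafted first block
XOR_MASK = 0x00313A4E93A4E93E      # second operand of formula (36)
X2, X3 = 0.83006331, 0.50357782    # rounded on the page: expect ~6 good digits

if __name__ == "__main__":
    # Out-of-control run: one map step from I_large overflows to -infinity.
    blown = logistic(from_bits(I_LARGE), 3.57)
    print(f"f(I_large) = {blown}  bits = {bits(blown):#018x}")
    lam, pairs = recover_key(X2, X3, XOR_MASK)
    print(f"lambda = {lam:.6f}")
    for x0, partner in pairs:
        print(f"x0 candidate {x0:.7f} -> XOR partner {partner:.7f}")
```

Because the inputs are the rounded decimals from the tables, the recovered values agree with the page only to about six digits, and the low mantissa bits of each XOR partner are not meaningful.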
With the values of λ, x3 and x2 now known, we calculate the value of x1 according to formula (20):

$$x_1 = \frac{1 - \sqrt{1 - 4\frac{x_2}{\lambda}}}{2} = \frac{1 - \sqrt{1 - 4 \cdot \frac{0.83006331}{3.57}}}{2} = 0.367753 \tag{34}$$

or

$$x_1 = \frac{1 + \sqrt{1 - 4\frac{x_2}{\lambda}}}{2} = \frac{1 + \sqrt{1 - 4 \cdot \frac{0.83006331}{3.57}}}{2} = 0.632247. \tag{35}$$

From the two possible results for the value of x1, we calculate four potential x0 keys. One of them is correct. We use formula (20) analogously, but with input values of 0.367753 and 0.632247. We then get four possible values of the key (some values are rounded): 0.77, 0.23, 0.8833900, 0.1166099. The correct key in this case is 0.77. To evaluate the x0 key, a xor operation should be executed on the value of the x0 key and the first element of the P2 sequence. Therefore:

x0 = 0x3fe8a3d70a3d70a4 ⊕ 0x00313a4e93a4e93e = 0x3fd999999999999a. (36)

As a result x0 = 0.4. In this way all three numbers which make up the cipher's key are obtained.

7. Improvement suggestions

As a consequence of the cryptanalysis, the following weaknesses of the encrypting algorithm have been noticed:

(1) One part of the key depends on the other.
(2) The first two blocks are always enciphered with the same key.
(3) Some of the keystream bits are predictable.
(4) The system is susceptible to running out of control.

The first weakness means that the key entropy, which defines an upper bound on the cipher's security [4], falls short of today's security requirements [6]. This is because the initial values of the chaotic systems depend on each other. This can be easily avoided by omitting the function that transforms one key into another and by explicitly defining all parts of the key. This way the key's length will reach about 150 bits, which can be treated as secure.

A common feature of many ciphers (see e.g. cryptanalyses in [7,8]) is a problem with encrypting blocks of plaintext with the same keystream. The analyzed algorithm encrypts only the first two blocks with the same keystream. To prevent this, the first two blocks can be passed as random numbers and omitted while decrypting. However, it is better to pass a random number as the first block (a so-called "salt" value) to the encrypter, and to send every following block as the result of the xor operation of the first block with the block of plaintext. During decryption the first block should be decrypted first; then, after decrypting the following blocks, the xor operation of the deciphered first block and each following deciphered block is performed.

As has been written in [5] and later in [9], the security of a cipher must rely only on the security of the key. So the ability to gain any bit of the key reduces the security of the whole cipher. Chaotic systems usually work within the real number domain. Furthermore, the range of those numbers is often limited to (0, 1). To minimize the predictability of the keystream bits and other variables of the encrypter's state, the block should be shortened to a number of bits which is less predictable (e.g. to the 6 least significant bytes, if the binary representation of a real number is 8 bytes long). Research on the keystream bits shows that the 6 least significant bytes have a random distribution and every bit is set with a 50% probability.
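The bit-level claims made here and in the earlier passage on guessing the first 10 bits of a block (fixed leading bits for doubles in (0, 1), near-random low bytes) can be measured directly. The following Python sketch is an added example, not code from the Letter; it assumes the logistic map f(x) = λx(1 − x) with λ = 3.57, uniformly random constructed key pairs with a fixed seed, and hypothetical helper names.

```python
import random
import struct

def bits(x):
    """64-bit IEEE-754 pattern of a double."""
    return struct.unpack(">Q", struct.pack(">d", x))[0]

def logistic(x, lam):
    """Logistic map step x -> lam*x*(1-x)."""
    return lam * x * (1.0 - x)

def keystream_words(n, lam=3.57, seed=2007):
    """n constructed samples of f(x0) XOR f(x0') for random keys in (0, 1)."""
    rng = random.Random(seed)
    return [bits(logistic(rng.random(), lam)) ^ bits(logistic(rng.random(), lam))
            for _ in range(n)]

def bit_frequencies(words, width=64):
    """Fraction of words with each bit set; index 0 is the most significant bit."""
    counts = [0] * width
    for w in words:
        for i in range(width):
            counts[i] += (w >> (width - 1 - i)) & 1
    return [c / len(words) for c in counts]

def truncate_block(word, nbytes=6):
    """Keep only the nbytes least significant bytes, as proposed above."""
    return word & ((1 << (8 * nbytes)) - 1)

def report(n=20000):
    """Top-16 bit frequencies plus mean/min/max frequency over the low 6 bytes."""
    words = keystream_words(n)
    full = bit_frequencies(words)
    low = bit_frequencies([truncate_block(w) for w in words], width=48)
    return full[:16], sum(low) / len(low), min(low), max(low)

if __name__ == "__main__":
    top16, mean_low, lo, hi = report()
    for i, f in enumerate(top16):
        print(f"bit {i:2d}: set in {f:6.2%} of keystream words")
    print(f"low 6 bytes: mean {mean_low:.3f}, min {lo:.3f}, max {hi:.3f}")
```

The sign bit and the top exponent bit of the XOR are never set, because every double in (0, 1) shares them; the per-bit percentages for the remaining leading bits depend on how the keys are distributed, so they need not match the figures quoted in the Letter.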
In the author's opinion, a dangerous property of the described algorithm is the fact that arithmetic operations on floating-point numbers are mixed with bit operations on the binary representation of these numbers. Chaotic systems work for orbits with values from (0, 1). Orbit values outside that range can cause the system to quickly reach orbit values equal to ∞ or −∞. Because of the bitwise xor operation on the orbit and the ciphertext, the orbit of the system can reach any value. To prevent this, the floating-point modulo 1.0 operation can be used instead of the xor operation. The binary xor operation can also be kept, but on the condition that it is performed only on the bits of the number which are responsible for the value from the range of (0, 1). This can be achieved by performing the xor operation on a subset of the bits of the mantissa only. Alternatively, a fixed-point decimal format can be used. In this case the xor operation should change only the fractional part of the number.

The above observation was made only for the cipher algorithm described in [1]. A number of discrete-time chaotic ciphers have been examined (see e.g. [10–14]), but none was designed in such a way that the chaotic orbit (the cipher's internal state) was processed by a bitwise operation (although some cryptanalyses were performed successfully). Therefore, the author recommends, as a general rule, not mixing bitwise and floating-point operations in a chaotic cipher's design, because of the possibility that the internal state of the cipher runs out of control.

8. Summary

The encrypting machine's dependency on the generated ciphertext makes it possible for the system to run out of control and produce predictable results. Moreover, combining the binary representation of a floating-point number with a random number causes the system to pass to non-standard states, providing some possible predictability of the ciphertext. It is recommended to use techniques which generate a different ciphertext for the same plaintext. This effectively makes the cryptanalysis harder to perform.

Acknowledgements

The author would like to thank Jerzy Pejaś, Ph.D. for his help in the preparation of this Letter.

References

[1] N.S. Philip, K.B. Joseph, cs.CR/0102012.
[2] H.-O. Peitgen, H. Jürgens, D. Saupe, Fractals for the Classroom, Springer-Verlag, New York, 1992.
[3] S. Hollasch, IEEE Standard 754 Floating Point Numbers, IEEE, 2004.
[4] S. Vanstone, A. Menezes, P. van Oorschot, Handbook of Applied Cryptography, CRC Press, 1997.
[5] A. Kerckhoffs (von Nieuwenhof), La cryptographie militaire, J. Sci. Militaires January (1883), (French) (Military cryptography).
[6] B. Schneier, N. Ferguson, Practical Cryptography, John Wiley & Sons, 2003.
[7] G. Álvarez, F. Montoya, M. Romera, G. Pastor, Phys. Lett. A 311 (2003) 172.
[8] G. Jakimoski, L. Kocarev, Phys. Lett. A 291 (2001) 381.
[9] C.E. Shannon, Bell Syst. Tech. J. 28 (1949) 656.
[10] N.K. Pareek, V. Patidar, K.K. Sud, Phys. Lett. A 309 (2003) 75.
[11] M.S. Baptista, Phys. Lett. A 240 (1998) 50.
[12] T. Habatsu, Y. Nishio, I. Sasase, S. Mori, A Secret Key Cryptosystem by Iterating a Chaotic Map, Springer-Verlag, 1998.
[13] Z. Kotulski, J. Szczepanski, Ann. Phys. 6 (1997) 381.
[14] E. Alvarez, A. Fernández, P. García, J. Jiménez, A. Marcano, Phys. Lett. A 263 (1999) 373.