Commun Nonlinear Sci Numer Simulat 17 (2012) 2579–2587
A keyed hash function based on the modified coupled chaotic map lattice

Da Li (a), Gang Hu (b), Shihong Wang (a,⇑)

(a) School of Sciences, Beijing University of Posts and Telecommunications, Beijing 100876, China
(b) Department of Physics, Beijing Normal University, Beijing 100875, China
Article info

Article history: Received 24 June 2011; received in revised form 22 August 2011; accepted 22 October 2011; available online 4 November 2011.

Keywords: Coupled map lattice; Spatiotemporal chaos; Hash function

Abstract

In this paper, we propose a dedicated keyed hash algorithm based on the modified coupled chaotic map lattice. By using the nearest and long distance couplings, both the key and the message as the parameters of the coupled map lattice, the expansion key and the nonlinear transformation, the system has enough confusion and diffusion rate between the message and the key. The structure of the system provides strong collision resistance and high performance efficiency. Simulation results show that the system has a uniform and random distribution of hash value, and fast performance.

© 2011 Elsevier B.V. All rights reserved.
1. Introduction

In the field of information security, privacy and authentication of communication are two important problems; the latter becomes more serious as e-commerce develops. Hash functions are functions that compress an input of arbitrary length into a string of fixed length. The hash value of the input is used as a digest or fingerprint to protect the authenticity of information. There are two types of hash functions: one makes use of a secret key, the other does not. A keyed hash function is called a message authentication code (MAC). For a keyed hash function, it is difficult for an opponent who does not know the secret key to forge a new message that results in the same hash value as a given message. In modern cryptography there are few dedicated keyed algorithms, and the known algorithms are usually constructed on a block cipher, a hash function, or families of universal hash functions [1,2], such as EMAC and HMAC.

Due to the distinct properties of chaotic dynamics, utilizing chaotic dynamics in cryptography is a promising development. Many chaos-based cryptosystems have been proposed, such as chaos-based encryption ciphers [3], chaos-based image encryption [4], and chaos-based hash functions [5]. Compared with simple chaotic systems, systems of spatiotemporal chaos have the following optimal characteristics for designing secure cryptosystems: long periodicity of computer realizations of chaos [6], high complexity and high dimensionality. In recent years, some hash functions based on spatiotemporal chaos and complex chaotic systems have been proposed and analyzed [7–18]. However, collision problems have been found in the algorithms of Refs. [11–18] [19–23]. In Ref. [19], Guo et al. analyzed the algorithm of [13], pointed out a weak-key problem and proposed forgery attacks on it. In Ref. [20], Xiao et al. analyzed one kind of chaos-based hash function [11] and gave some suggestions for constructing hash functions based on chaos. In Ref. [21], Deng et al. analyzed the hash function of [18] and suggested an improved one. In Refs. [22,23], Wang et al. analyzed the hash functions of Refs. [12,15], and the results showed that collisions exist in the two algorithms. The security analysis of the algorithms proposed in Refs. [14,16,17] is considered in our other works. Although no security problems have been found so far in the algorithms of Refs. [8,9], they have lower efficiency than the traditional hash functions. Therefore, further studies on chaos-based hash functions are needed.
⇑ Corresponding author: S. Wang.
© 2011 Elsevier B.V. All rights reserved. doi:10.1016/j.cnsns.2011.10.030
In this paper, we design a dedicated keyed algorithm whose structure is based on spatiotemporal chaos, i.e., a modified coupled chaotic map lattice. The algorithm has strong collision resistance and fast performance efficiency. By utilizing local and long distance couplings, both the message and the key as the parameters of the chaotic system, the expansion key, and simple algebraic operations, the system can ensure the sensitivity of the hash value to the input message and the key.

The rest of this paper is arranged as follows. Section 2 introduces the modified coupled map lattice (CML) used in the proposed algorithm. In Section 3, the proposed hash algorithm is described in detail. Security analysis is given in Section 4. Finally, this paper is concluded in Section 5.

2. The coupled map lattice

The one-dimensional CML is defined as

$$x_{n+1}(j) = f_1(x_n(j)) + f_1(x_n(j-1)) + f_1(x_n(j+1)) \bmod 1, \quad j = 1, 2, \ldots, L, \tag{1}$$
where $n$ is a time index, $j$ is a site index and $L$ is the lattice length. Periodic boundary conditions are used. $f_1(x)$ is a local map, $f_1(x) = ax(1 - x)$, $a \in [0, 4]$, $x \in [0, 1]$. If $a > 3.57$, the Logistic map is chaotic. For the different initial conditions $x_0$ and $1 - x_0$, the Logistic map has identical trajectories, i.e., $f_1(x_0) = ax_0(1 - x_0)$ and $f_1(1 - x_0) = a(1 - x_0)x_0$. To avoid this situation, which may result in a local collision, we modify Eq. (1) and add a linear map term, $f_2(x) = ax + c$. Then Eq. (1) becomes

$$x_{n+1}(j) = f_1(x_n(j)) + f_1(x_n(j-1)) + f_1(x_n(j+1)) + f_2(x_n(j+3)) \bmod 1, \quad j = 1, 2, \ldots, L. \tag{2}$$

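The local collision that motivates the extra term in Eq. (2), as an added Python example (not code from the paper): for states of the form w/2^32, replacing one site value x by 1 - x leaves the lattice of Eq. (1) bit-for-bit unchanged, while the f_2 term of Eq. (2) separates the two trajectories. The parameter a = 3.9 and the state words are constructed sample values, and sites are numbered from 0.

```python
L = 8          # lattice length used in the paper's Fig. 1
A = 3.9        # constructed sample parameter, a in [0, 4]
C0 = 0.1       # c of f2(x) = a*x + c, the value used for Fig. 1(b)

# Constructed 32-bit sample words; x = w / 2^32 is exactly representable,
# and so is 1 - x, which makes the comparison below exact in IEEE-754 doubles.
WORDS = [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344,
         0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89]

def f1(x):
    """Logistic local map; x*(1-x) is evaluated first so f1(x) == f1(1-x) exactly."""
    return A * (x * (1.0 - x))

def step(x, long_range):
    """One update of Eq. (1) (long_range=False) or Eq. (2) (long_range=True)."""
    out = []
    for j in range(L):
        s = f1(x[j]) + f1(x[j - 1]) + f1(x[(j + 1) % L])   # periodic boundary
        if long_range:
            s += A * x[(j + 3) % L] + C0                    # f2 on site j+3
        out.append(s % 1.0)
    return out

def differing_sites(words, site, steps, long_range):
    """Iterate a state and its mirror (x[site] -> 1 - x[site]); list the sites that differ."""
    x = [w / 2.0 ** 32 for w in words]
    y = list(x)
    y[site] = 1.0 - y[site]
    for _ in range(steps):
        x, y = step(x, long_range), step(y, long_range)
    return [j for j in range(L) if x[j] != y[j]]

if __name__ == "__main__":
    print("Eq. (1), 1 step  :", differing_sites(WORDS, 2, 1, False))
    print("Eq. (1), 50 steps:", differing_sites(WORDS, 2, 50, False))
    print("Eq. (2), 1 step  :", differing_sites(WORDS, 2, 1, True))
    print("Eq. (2), 6 steps :", differing_sites(WORDS, 2, 6, True))
```

Under Eq. (2) the mirrored site first shows up three sites away (the site whose j+3 neighbour it is) and then spreads through the nearest-neighbour and long-distance couplings.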
The fourth term on the right-hand side of Eq. (2) represents the long-distance coupling, and it also supplies fast confusion and diffusion among the maps. To compare the two systems of Eqs. (1) and (2), we compute the largest Lyapunov exponent (LLE), shown in Fig. 1(a) and (b), respectively, with $L = 8$ and $c = 0.1$. From Fig. 1 we find that system (2) has a positive LLE if $a > 2.0$ and avoids the periodic windows of system (1).

3. A keyed hash algorithm based on the modified CML system

3.1. Algorithm description

Our keyed algorithm is an iterative construction based on a compression function with a fixed-size input; it processes every message block in the same way. The structure of message processing of the algorithm is shown in Fig. 2. The input $M$ is padded to a multiple of the block size by adding '100...' bits, and the last padded 128 bits are used to represent the length of the message. The block size of the input message is 1024 bits. The padded message is then divided into $t$ blocks denoted $M_1$ through $M_t$. The algorithm with the compression function $f$ can then be defined as:

$$H_0 = IV; \quad H_i = f_K(M_i, H_{i-1}), \quad i = 1, 2, \ldots, t; \quad h(K, M) = g(K, H_t), \tag{3}$$

where $IV$ is the initial value and $H_i$ are the intermediate variables. $f_K$ denotes the compression function and $g$ the output transformation. The secret key $K$ is employed in the compression function and the output transformation. The sizes of the hash value, the secret key and $IV$ are 256 bits.

The compression function structure of the algorithm, $H_i = f_K(M_i, H_{i-1})$, is illustrated in Fig. 3. The secret key $K$ and the block message $M_i$ are defined as $K = (k(1), k(2), \ldots, k(8))$, $k(j) \in [0, 2^{32})$, $M_i = (m(1), m(2), \ldots, m(32))$, $m(j) \in [0, 2^{32})$. The compression function of the algorithm is described as

$$x_{n+1}(j) = f_1(a_{1,j}, x_n(j)) + f_1(a_{2,j+1}, x_n(j+1)) + f_1(a_{3,j-1}, x_n(j-1)) + f_2(a_{4,j+3}, c_{j+3}, x_n(j+3)) \bmod 1, \quad j = 1, 2, \ldots, 8, \tag{4}$$

$$x_{n+2}(j) = f_1(b_{1,j}, x_{n+1}(j)) + f_1(b_{2,j+1}, x_{n+1}(j+1)) + f_1(b_{3,j-1}, x_{n+1}(j-1)) + f_2(b_{4,j+3}, c_{j+3}, x_{n+1}(j+3)) \bmod 1, \quad j = 1, 2, \ldots, 8, \tag{5}$$

Fig. 1. The largest Lyapunov exponent (LLE plotted against $a$). (a) The system of Eq. (1) with L = 8. (b) The system of Eq. (2) with L = 8 and c = 0.1.

Fig. 2. The structure of message processing of the hash algorithm.

Fig. 3. The structure of the compression function of the hash algorithm. [Flowchart; block labels: $H_{i-1}$, $M_i$, Key $K$, Expansion key $ka(j)$, Initial condition $x_0(j)$, Parameters $a_{i,j}$, $b_{i,j}$, Modified CML, $x_{2r}(j)$, decisions r = 4 and r = 8, Nonlinear transformation, $H_i$.]

where $f_1(a, x) = ax(1 - x)$ and $f_2(a, c, x) = ax + c$. Periodic boundary conditions are used for the state variables and the parameter variables of Eqs. (4) and (5). $c_1 = 0.1$, $c_4 = 0.2$ and $c_j = 0$ for the other $j$. For the $i$th message block the initial variables of Eq. (4) are defined as

$$x_0(j) = h_{i-1}(j)/2^{32}, \quad j = 1, 2, \ldots, 8, \tag{6}$$

with $H_{i-1} = (h_{i-1}(1), h_{i-1}(2), \ldots, h_{i-1}(8))$, $h_{i-1}(j) \in [0, 2^{32})$. For the first block $H_0$ is $IV$, and we take eight 32-bit integers as $IV$, $H_0 = (h_0(1), h_0(2), \ldots, h_0(8))$, $h_0(j) \in [0, 2^{32})$. The parameters of Eqs. (4) and (5), namely $a_{i,j}$ and $b_{i,j}$, are controlled by the $i$th block message $M_i$ and the expansion key $ka(j)$, $ka(j) \in [0, 2^{32})$, $j = 1, 2, \ldots, 32$. The transformation forms of $a_{i,j}$ and $b_{i,j}$ are

$$b_{i,j} = 2.0 + m((i-1) \times 8 + j)/2^{31}, \quad j = 1, 2, \ldots, 8, \quad i = 1, 2, 3, 4 \tag{7}$$

and

$$a_{i,j} = 2.0 + \big(ka((i-1) \times 8 + j) \oplus (m((i-1) \times 8 + j) \ggg 8)\big)/2^{31}, \quad j = 1, 2, \ldots, 8, \quad i = 1, 2, 3, 4, \tag{8}$$

where the operations $x \ggg y$ and $\oplus$ denote the right rotation of $x$ by $y$ bits and bitwise XOR, respectively. Running Eqs. (4) and (5) $r$ times, we obtain the variables $x_{2r}(j)$, $j = 1, 2, \ldots, 8$. If $r = 4$, the variables $x_{2r}(j)$ are processed by the following nonlinear transformation

$$x_{2r}(j) = \big(x_{2r}(j) \times 2^{50} \bmod 2^{32}\big)/2^{32}, \quad j = 1, 2, \ldots, 8. \tag{9}$$

If $r = 8$, the variables $x_{2r}(j)$ are processed by the following nonlinear transformation

$$h_i(j) = x_{2r}(j) \times 2^{50} \bmod 2^{32}, \quad j = 1, 2, \ldots, 8, \quad i = 1, 2, \ldots, t. \tag{10}$$

The variables $h_i(j)$ represent the output of the $i$th block, $H_i = (h_i(1), h_i(2), \ldots, h_i(8))$. After all the message blocks are processed, we obtain $H_t = (h_t(1), h_t(2), \ldots, h_t(8))$. The output transformation $g(K, H_t)$ of Eq. (3) is defined as

$$h(j) = k(j) + h_t(j), \quad j = 1, 2, \ldots, 8, \tag{11}$$

where the operation + is addition modulo $2^{32}$. The hash value of the algorithm is $h(K, M) = (h(1), h(2), \ldots, h(8))$.

In Fig. 3, the 1024-bit expansion key is produced from the 256-bit secret key of the algorithm. The key expansion is defined as

$$kk(j) = k(j), \quad j = 1, 2, \ldots, 8, \tag{12}$$

$$kk(j) = kk(j-8) + (kk(j-8) \ggg 12) \oplus (kk(j-5) \ggg 11) + (kk(j-3) \lll 11), \quad j = 9, 10, \ldots, 16, \tag{13}$$

$$kk(j) = kk(j+8) + kk(9-j), \quad j = 1, 2, \ldots, 8. \tag{14}$$

Here the operation + is addition modulo $2^{32}$. The operation $x \ggg y$ ($x \lll y$) stands for a right (left) rotation of $x$ by $y$ bits. Iterating Eqs. (13) and (14) three times produces the eight variables $kk(j)$ that are used as the expansion key $ka(j)$, $j = 1, 2, \ldots, 8$. We then run Eqs. (13) and (14) another three times to produce another eight variables $kk(j)$ as the expansion key $ka(j)$, $j = 9, 10, \ldots, 16$, and so on. Altogether, running Eqs. (13) and (14) 12 times, we have the 32 variables of the expansion key in Eq. (8), namely $ka(j) \in [0, 2^{32})$, $j = 1, 2, \ldots, 32$.

3.2. Characteristics of our algorithm

The structure of the proposed algorithm has four characteristics: the combination of the nearest and long distance couplings, the expansion key, both the key and message as the parameters of the CML, and the combination of multiple iterations and the extra nonlinear transformation.

(1) Combination of the nearest and long distance couplings. The hash function operations are mainly based on the modified CML with the nearest and the long distance couplings. This coupling structure yields fast confusion and diffusion among the state variables $x_n(i)$.

(2) Expansion key. The expansion of the secret key is commonly used in cryptographic algorithms. In our algorithm, we adopt the expansion of the secret key, which expands a 256-bit key to 1024 bits. The expansion key is combined with the block message as the parameters of the compression function, which realizes confusion and diffusion between the key and the message before the iterations of the compression function.

(3) Both the key and message as the parameters of the CML. In Eqs. (4), (5), (7) and (8), we alternately take the expansion key and the input message as the parameters of the CML, which induces strong confusion and diffusion among the key and the block message through the state variables $x_n(i)$. The inequality of the expansion key and the input message in Eqs. (7) and (8) avoids collisions arising from exchanging them.

(4) Combination of multiple iterations and the extra nonlinear transformation. As we know, the complexity and randomness of chaotic systems result from long-time evolution, due to the sensitivity of chaotic trajectories to the initial conditions and the parameters. To obtain a trade-off between the complexity and the efficiency of the system, a nonlinear transformation, namely Eq. (9), is added to the algorithm during the multiple iterations of Eqs. (4) and (5). That also yields fast confusion and diffusion.

The characteristics above give the proposed algorithm two advantages: strong security and high efficiency. The structural characteristics effectively induce fast confusion and diffusion among the key and the block message, which results in the sensitivity of the output of the compression function to the message, the secret key and the initial variable. It is also difficult to find any collision or to recover the key from the message and the hash value.
Table 1. The operations of some algorithms for one block message (PWLCM1 and PWLCM2 are 4 and 2 piecewise linear functions respectively).
Size of key/bits
Size of message block/bytes
Number of iterating the local map
Multiplication
Division
Addition
Mod
XOR
Our algorithm
256
128
64
16
72
128
16
32
Xiao’s algorithm [15] Xiao’s algorithm [14] Xiao’s algorithm [16] Ren’s algorithm [12]
128
256
512
512
512
105
64
697
96
120
16
40
36
128
32
32
48
logic
Local map Logistic map PWLCM1
96
12
PWLCM1
20
44
2
PWLCM1
64
128
64
32
PWLCM2
Another advantage of our algorithm is high efficiency. Compared with the hash function standards based on block ciphers and hash algorithms, most chaotic hash algorithms have slow performance speed [9]. Recently, the authors of [12] compared some chaotic algorithms and considered that Ren's algorithm has higher speed than the others. We analyze some recently proposed algorithms, including Ren's scheme, and present their performance results in Table 1. From Table 1 we can observe that the number of iterations of the local map per byte of message in our algorithm is less than that in Ren's. Table 2 shows the specific comparison of performance speed among our algorithm, Ren's and SHA-1. The algorithms are implemented with Visual C/C++ on two personal computers. PC I and II stand for Intel Pentium IV 3.0 GHz and Intel Core Duo 2.8 GHz computers, respectively. Table 2 shows that the speed of our system is slower than that of SHA-1 and faster than that of Ren's.

4. Security analysis

In this section, we analyze the statistical properties of our algorithm and some collision attacks on our algorithm. Without loss of generality, here we only consider a one-block message $M_1 = (m(1), m(2), \ldots, m(8))$, and the output of Eq. (10) is defined as $H_1 = h_1 h_2 h_3 \ldots h_{256}$, $h_j \in \{0, 1\}$, where $h_{32(i-1)+1} h_{32(i-1)+2} \ldots h_{32i}$ is the binary format of $h_1(i)$, $i = 1, 2, \ldots, 8$.

4.1. Statistical analysis

4.1.1. Statistical analysis of the key

We first investigate the sensitivity of the output of Eq. (10) to the key of the algorithm with $r = 8$. Under two different keys ($K$ and $K'$), we compute Eq. (10) with the same input message and the same initial variable $IV$ and obtain the two different outputs, $H_1 = h_1 h_2 h_3 \ldots h_{256}$ and $H'_1 = h'_1 h'_2 h'_3 \ldots h'_{256}$. Then we form the differences $\Delta h_i = h_i \oplus h'_i$, $i = 1, 2, \ldots, 256$, and calculate the average values of the differences

$$\langle \Delta h_i \rangle = \frac{1}{T} \sum_{n=1}^{T} \Delta h_i, \quad i = 1, 2, \ldots, 256, \tag{15}$$

where the averages are calculated over $T$ different keys. To investigate the sensitivity to the key, we take identical key variables except that $k(1)$ and $k'(1)$ have a small difference, $k'(1) = k(1) \oplus 1$, $k'(i) = k(i) = k(1)$, $i = 2, 3, \ldots, 8$. Without loss of generality, let $h'_0(i) = h_0(i) = 0$ and $m(i) = m'(i) = 0$, $i = 1, 2, \ldots, 8$. $k(1)$ is randomly chosen. In Fig. 4(a), we plot the averages $\langle \Delta h_i \rangle$ for all the 256 bits of the output with $T = 10^7$. We find that all the differences are equal to 0.5 with small fluctuations. In Fig. 4(b), we plot $E_{\max,\min}(T) = |\langle \Delta h_i \rangle_{\max,\min} - 0.5|$ against $T$ ($\langle \Delta h_i \rangle_{\max}$ and $\langle \Delta h_i \rangle_{\min}$ are the maximum and minimum of $\langle \Delta h_i \rangle$ over all 256 bits, respectively), and Fig. 4(b) shows that the fluctuations around 0.5 are proportional to $1/\sqrt{T}$. The circles and dots of Fig. 4(b) stand for the maximal and minimal fluctuations of $\langle \Delta h_i \rangle$, respectively.

In Fig. 4(a) and (b), we study the sensitivity of the output of Eq. (10) to the key with a fixed iteration number $r = 8$. To investigate the confusion and diffusion rates of the key, we plot $E_{\max,\min}(T)$ vs. $r$ in Fig. 4(c) with $T = 10^7$. From Fig. 4(c) it is clearly observed that all bits of $h_i$ have satisfactory randomness when $r \geq 2$. The circles and dots of Fig. 4(c) have the same meaning as in Fig. 4(b). We also use 15 types of NIST statistical tests to evaluate the differences $\Delta h_1 \Delta h_2 \ldots \Delta h_{256}$ [24], and find that the data satisfactorily pass all the tests if $r \geq 2$.

In the above simulation, we fix the difference between $K$ and $K'$, namely $k'(1) = k(1) \oplus 1$. We test other cases, such as arbitrary differences between $K$ and $K'$, and find that the results also show good statistical properties.

To show the sensitivity of the hash value to the key of the algorithm, we test the statistical properties of the outputs $H_1 = h_1 h_2 h_3 \ldots h_{256}$ by using 15 types of NIST statistical tests for arbitrary keys. Without loss of generality, let $h_0(i) = 0$, $m(i) = 0$, $i = 1, 2, \ldots, 8$. The results show that the outputs pass the statistical tests.

4.1.2. Statistical analysis of the input message

In Fig. 5, we test the sensitivity of the output of Eq. (10) to the input message. Under different input messages, we produce the same curves as in Fig. 4 with the same key and $IV$. We take identical messages except that $m'(1) = m(1) \oplus 1$. Let $h'_0(i) = h_0(i) = 0$ and $k(i) = k'(i) = 0$, $i = 1, 2, \ldots, 8$, and $m'(i) = m(i) = m(1)$, $i = 2, 3, \ldots, 8$. Arbitrarily choosing the message $m(1)$, we calculate Eq. (15) and plot in Fig. 5 the same curves as in Fig. 4. We can observe that the curves show satisfactory random properties in Fig. 5(a)–(c) with $r \geq 4$. We also use 15 types of NIST statistical tests to evaluate the differences $\Delta h_1 \Delta h_2 \ldots \Delta h_{256}$, and find that the data pass all the tests if $r \geq 4$.
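An added Python sketch of the construction of Section 3.1 (Eqs. (3)–(14)) together with the one-bit sensitivity measurement of Eq. (15), taken here on the final hash value; it is not the authors' implementation. Assumptions the text does not fix: the IV words (constructed), big-endian word packing with a 0x80-then-zeros pad and a 128-bit length, XOR between the two middle terms of Eq. (13) with + binding tighter, Eq. (14) applied in place, floor before the mod in Eqs. (9) and (10), the small difference taken as a flip of the lowest bit, and IEEE-754 doubles for the lattice state.

```python
import random
import struct

M32 = 0xFFFFFFFF
C = (0.1, 0.0, 0.0, 0.2, 0.0, 0.0, 0.0, 0.0)     # c_1 = 0.1, c_4 = 0.2, other c_j = 0
# ASSUMPTION: the paper gives no IV values; these eight words are constructed.
IV = tuple((0x9E3779B9 * (j + 1)) & M32 for j in range(8))

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32

def rotl(x, n):
    return rotr(x, 32 - n)

def expand_key(key):
    """Eqs. (12)-(14): eight 32-bit key words -> 32 expansion-key words ka."""
    kk, ka = list(key) + [0] * 8, []
    for _ in range(4):                       # four groups of eight words
        for _ in range(3):                   # three passes per group, 12 in total
            for j in range(8, 16):           # Eq. (13); ASSUMPTION: (a + b) XOR (c + d)
                kk[j] = ((kk[j - 8] + rotr(kk[j - 8], 12))
                         ^ (rotr(kk[j - 5], 11) + rotl(kk[j - 3], 11))) & M32
            for j in range(8):               # Eq. (14), in place; 1-based kk(9 - j)
                kk[j] = (kk[j + 8] + kk[7 - j]) & M32
        ka += kk[:8]
    return ka

def step(x, p):
    """One lattice update, Eq. (4) or (5); p holds the four parameter rows."""
    def f1(a, v):
        return a * (v * (1.0 - v))
    return [(f1(p[0][j], x[j]) + f1(p[1][(j + 1) % 8], x[(j + 1) % 8])
             + f1(p[2][j - 1], x[j - 1])
             + p[3][(j + 3) % 8] * x[(j + 3) % 8] + C[(j + 3) % 8]) % 1.0
            for j in range(8)]

def low32(v):
    """floor(v * 2^50) mod 2^32 (ASSUMPTION: floor before the mod)."""
    return int(v * 2.0 ** 50) & M32

def compress(ka, block, h):
    """H_i = f_K(M_i, H_{i-1}) for one 128-byte block."""
    m = struct.unpack(">32I", block)         # ASSUMPTION: big-endian 32-bit words
    a = [[2.0 + (ka[8 * i + j] ^ rotr(m[8 * i + j], 8)) / 2.0 ** 31   # Eq. (8)
          for j in range(8)] for i in range(4)]
    b = [[2.0 + m[8 * i + j] / 2.0 ** 31 for j in range(8)]          # Eq. (7)
         for i in range(4)]
    x = [w / 2.0 ** 32 for w in h]           # Eq. (6)
    for r in range(1, 9):
        x = step(step(x, a), b)              # Eq. (4), then Eq. (5)
        if r == 4:
            x = [low32(v) / 2.0 ** 32 for v in x]                    # Eq. (9)
    return [low32(v) for v in x]             # Eq. (10)

def pad(msg):
    """'100...' padding to a multiple of 1024 bits, ending in a 128-bit bit length."""
    zeros = -(len(msg) + 17) % 128
    return msg + b"\x80" + bytes(zeros) + (8 * len(msg)).to_bytes(16, "big")

def cml_mac(key, msg, iv=IV):
    """h(K, M) of Eq. (3) as eight 32-bit words."""
    ka, h, data = expand_key(key), list(iv), pad(msg)
    for off in range(0, len(data), 128):
        h = compress(ka, data[off:off + 128], h)
    return [(k + w) & M32 for k, w in zip(key, h)]                   # Eq. (11)

def avalanche(trials, flip, seed=1):
    """Mean of Eq. (15) over all 256 output bits when one input bit is flipped.

    flip='key' toggles the lowest bit of k(1), flip='msg' that of m(1).
    Keys and 100-byte messages are constructed from a seeded PRNG.
    """
    rng, diff = random.Random(seed), 0
    for _ in range(trials):
        key = [rng.getrandbits(32) for _ in range(8)]
        msg = bytearray(rng.getrandbits(8) for _ in range(100))
        before = cml_mac(key, bytes(msg))
        if flip == "key":
            key[0] ^= 1
        else:
            msg[3] ^= 1                      # byte 3 holds the low bits of m(1)
        after = cml_mac(key, bytes(msg))
        diff += sum(bin(u ^ v).count("1") for u, v in zip(before, after))
    return diff / (256.0 * trials)

if __name__ == "__main__":
    print("key flip:", avalanche(200, "key"), " message flip:", avalanche(200, "msg"))
```

Because the lattice state is floating point, two implementations produce the same hash value only if they evaluate every expression in the same order in double precision.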
Table 2. Performance speed of our algorithm, SHA-1 and Ren's on the two PCs.

| Algorithm | Output size (bits) | Block size (bits) | Speed (PC I) (Mbit/s) (Number of rounds) | Speed (PC II) (Mbit/s) (Number of rounds) |
|---|---|---|---|---|
| Our algorithm | 256 | 1024 | 150 (8) | 230 (8) |
| SHA-1 | 160 | 512 | 250 (80) | 440 (80) |
| Ren's scheme [12] | 128 | 256 | 32 (4) | 98 (4) |

Fig. 4. Simulation results of Eqs. (10) and (15). The curves show the sensitivity of the output of Eq. (10) to the key of the system. $\langle \Delta h_i \rangle$ are defined in Eq. (15). $h'_0(i) = h_0(i) = 0$ and $m(i) = m'(i) = 0$, $i = 1, 2, \ldots, 8$. $k'(i) = k(i) = k(1)$, $i = 2, 3, \ldots, 8$. $k'(1) = k(1) \oplus 1$. $k(1)$ is arbitrarily chosen. (a) $\langle \Delta h_i \rangle$ for all bits from $i = 1$ to 256, $T = 10^7$. (b) The test number dependence of $E_{\max}(T)$ and $E_{\min}(T)$ with $r = 8$. The circles and the dots correspond to $E_{\max}(T)$ and $E_{\min}(T)$, respectively. (c) $E_{\max}(T)$ and $E_{\min}(T)$ against $r$ with $T = 10^7$.

To show the sensitivity of the hash value to the input message, we test the statistical properties of the outputs $H_1 = h_1 h_2 h_3 \ldots h_{256}$ by using 15 types of NIST statistical tests for arbitrary input messages. Without loss of generality, let $h_0(i) = 0$, $k(i) = 0$, $i = 1, 2, \ldots, 8$. The results show that the outputs pass the statistical tests.

4.1.3. Statistical analysis of IV

In Fig. 6, we investigate the sensitivity of the output of Eq. (10) to $IV$. Let $m(i) = m'(i) = 0$ and $k(i) = k'(i) = 0$, $i = 1, 2, \ldots, 8$. Arbitrarily choosing $h_0(1)$ and keeping $h'_0(i) = h_0(i) = h_0(1)$ except that $h'_0(1) = h_0(1) \oplus 1$, we calculate Eq. (15) and plot in Fig. 6 the same curves as in Fig. 4. From Fig. 6(a) and (b) we can observe that the outputs of our system have satisfactory random properties with respect to the changed $IV$, and we observe the same results in Fig. 6(c) if $r \geq 7$. We also use 15 types of NIST statistical tests to evaluate the differences $\Delta h_1 \Delta h_2 \ldots \Delta h_{256}$, and find that the data pass all the tests if $r \geq 7$.

We test the statistical properties of the outputs $H_1 = h_1 h_2 h_3 \ldots h_{256}$ for arbitrary initial variables by using 15 types of NIST statistical tests. Let $m(i) = 0$, $k(i) = 0$, $i = 1, 2, \ldots, 8$. The system passes all the tests.

4.2. Analysis of collision attacks

The known methods of attack on hash functions are classified into two types: one independent of the algorithm and the other dependent on the nature of the algorithm. Birthday attack and exhaustive key search are two typical attacks independent of the algorithm. This class of attack depends only on the sizes of the hash value and the secret key. We suppose that the hash value of our algorithm is a uniformly distributed and independent random variable, based on the statistical analysis of Section 4.1. In this section we focus on the following methods of attack against our algorithm: birthday attack, exhaustive key search and analytical-solution attack.

4.2.1. Birthday attack

The birthday attack represents a statistical estimate for searching for a collision. It is assumed that the hash value is a uniformly distributed and independent random variable. If the hash value length of an algorithm is $q$ bits, an opponent needs to test $2^{q/2}$ messages on average to find a collision by birthday attack [1]. From the statistical analyses of $IV$ and the input messages, the hash values of our algorithm are uniformly and randomly distributed. The size of the hash value of our algorithm is 256 bits, therefore the total number of trials to find a collision by birthday attack is up to $2^{128}$.

Fig. 5. The same curves as Fig. 4 by changing the input message. $h'_0(i) = h_0(i) = 0$ and $k(i) = k'(i) = 0$, $i = 1, 2, \ldots, 8$. $m'(i) = m(i) = m(1)$, $i = 2, 3, \ldots, 8$. $m'(1) = m(1) \oplus 1$. Arbitrarily choose $m(1)$.

4.2.2. Exhaustive key search

The exhaustive key search is a known-message attack, where an opponent knows $M$ pairs of messages and hash values for a given key. She/he calculates the hash values for every possible key to identify the unknown key. If the sizes of the key and the hash value are $k$ bits and $q$ bits, respectively, the total number of trials to identify the key is, following Preneel [1], upper bounded by

$$M + \frac{2^k - 1}{1 - 2^{-q}} \tag{16}$$

and the number of keys that remain is expected to be

$$K_{\exp} = 1 + \frac{2^k - 1}{2^{Mq}}. \tag{17}$$

Since $q = 256$ and $k = 256$ in our algorithm, the maximal number of trials to identify the key is equal to $2^{256} + 1$ and the expected number of remaining keys is $K_{\exp} = 1$, if one knows two pairs of messages and hash values. The expense above totally determines the unknown key.

4.2.3. Analytical-solution attack

For a secure keyed hash function, even when a large number of pairs $\{M_i, h(K, M_i)\}$ are known, it is 'hard' to determine the secret key $K$. In this section we consider solving our system to determine the unknown key. We do not consider the output transformation of Eq. (11) and consider only a one-block message. From a pair of $M_i$ and $h(K, M_i)$ and the fixed $H_0$, we may set up the following equations between the message and the variables $x_{16}(j)$:

$$(x_{16}(1), x_{16}(2), \ldots, x_{16}(8))^T = MM(a_{i,j}, b_{i,j})\,(h_0(1), h_0(2), \ldots, h_0(8))^T, \tag{18}$$

where the matrix $MM$ is determined by the known parameters $b_{i,j}$ and the unknown key parameters $a_{i,j}$, $i = 1, 2, 3, 4$ and $j = 1, 2, \ldots, 8$, i.e., 32 unknown parameters. Not considering the output transformation, we know only 32 bits of each variable $x_{16}(j)$ in Eq. (18), i.e., $h_1(j)$ in Eq. (10). Thus, we need to test the unknown 20 bits of the 52 bits of each $x_{16}(j)$ in Eq. (18); altogether the total number to test is $2^{8 \times 20}$. For the 32 unknown key parameters $a_{i,j}$ in Eq. (18), we need four of the equations above, i.e., four pairs of $M_i$ and $h(K, M_i)$, and that means the total number of trials is up to $2^{8 \times 20 \times 4} = 2^{640}$. The above expense is much greater than that of the exhaustive key search (for exhaustive key search, the total number of trials is up to $2^{256} + 3$ for the four pairs of $M_i$ and $h(K, M_i)$).

In the above analysis, we do not consider the modulo operations of Eqs. (4) and (5). Considering them, because the unknown quotient of the modulo operation is equal to one of the values {7, 6, 5, 4, 3, 2, 1, 0}, the number of trials is about $8^{512} = 2^{1536}$, where 512 is the number of the unknown quotients in Eqs. (4) and (5). Altogether, we need to test $2^{1536+640} = 2^{2176}$ to solve the four equations of Eq. (18). The expense of the analytical solution is much greater than that of the exhaustive key search.

Fig. 6. The same curves as Fig. 4 by changing IV. $m(i) = m'(i) = 0$ and $k(i) = k'(i) = 0$, $i = 1, 2, \ldots, 8$. $h'_0(i) = h_0(i) = h_0(1)$, $i = 2, 3, \ldots, 8$. $h'_0(1) = h_0(1) \oplus 1$. Arbitrarily choose $h_0(1)$.

5. Conclusion

In this paper, we have designed a keyed hash function based on the modified coupled map lattice. Compared with known chaos-based hash functions, the proposed system has two advantages: strong collision resistance and high performance efficiency. Further studies on its security are needed in future. For a chaos-based hash function, balancing security and efficiency in comparison with the hash function standards remains a challenge.

Acknowledgment

This work was supported by National Natural Science Foundation of China under No. 60973109.

References

[1] Preneel B. Analysis and Design of Cryptographic Hash Functions, doctoral thesis, 1993.
[2] Preneel B et al. Final report of European project number IST-1999-12324 named new european schemes for signature, integrity and encryption, Available at: .
[3] Cuomo LM, Oppenheim AV. Circuit implementation of synchronized chaos with applications to communications. Phys Rev Lett 1993;1:65–8.
[4] Chen G, Mao Y, Chui CK. A symmetric image encryption scheme based on 3D chaotic cat maps. Chaos Soliton Fract 2003;21:749–61.
[5] Wong KW. A combined chaotic cryptographic and hashing scheme. Phys Lett A 2003;307:292–8.
[6] Wang SH, Lu HP, Hu G. Periodicity of chaotic trajectories in realizations of finite computer precisions and its implication in chaos communications. Int J Modern Phys B 2004;18:2617–22.
[7] Wang SH, Hu G. Hash function based on chaotic map lattices. Chaos 2007;17:023119.
[8] Wang Y, Liao XF, Xiao D, Wong KW. One-way hash function construction based on 2D coupled map lattices. Inform Sci 2008;178:1391–406.
[9] Zhang J, Wang X, Zhang W. Chaotic keyed hash function based on feedforward-feedback nonlinear digital filter. Phys Lett A 2007;362:439–48.
[10] Akhshani A, Behnia S, Akhavan A, Jafarizadeh MA, Abu Hassan H, Hassan Z. Hash function based on hierarchy of 2D piecewise nonlinear chaotic maps. Chaos Soliton Fract 2009;42:2405–12.
[11] Amin M, Faragallah OS, El-Latif AA. Chaos-based hash function (CBHF) for cryptographic applications. Chaos Soliton Fract 2009;42:767–72.
[12] Ren HJ, Wang Y, Xie Q, Yang HQ. A novel method for one-way hash function construction based on spatiotemporal chaos. Chaos Soliton Fract 2009;42:2014–22.
[13] Xiao D, Liao XF, Deng SJ. Parallel keyed hash function construction based on chaotic maps. Phys Lett A 2008;372:4682–8.
[14] Xiao D, Liao XF, Wang Y. Parallel keyed hash function construction based on chaotic neural network. Neurocomputing 2009;72:2288–96.
[15] Xiao D, Shih FY, Liao XF. A chaos-based hash function with both modification detection and localization capabilities. Commun Nonlinear Sci Numer Simulat 2010;15(9):2254–61.
[16] Xiao D, Liao XF, Wang Y. Improving the security of a parallel keyed hash function based on chaotic maps. Phys Lett A 2009;373:4346–53.
[17] Huang ZQ. A more secure parallel keyed hash function based on chaotic neural network. Commun Nonlinear Sci Numer Simulat 2011;16:3245–56.
[18] Kwok HS, Tang WKS. A chaos-based cryptographic Hash function for message authentication. Int J Bifurcat Chaos 2005;15:4043–50.
[19] Guo W, Wang XM, He D, Cao Y. Cryptanalysis on a parallel keyed hash function based on chaotic maps. Phys Lett A 2009;373:3201–6.
[20] Xiao D, Peng W, Liao XF, Xiang T. Collision analysis of one kind of chaos-based hash function. Phys Lett A 2010;374:1228–31.
[21] Deng SJ, Li YT, Xiao D. Analysis and improvement of a chaos-based Hash function construction. Commun Nonlinear Sci Numer Simulat 2010;15:1338–47.
[22] Wang SH, Shan PY. Security analysis of a one-way hash function based on spatiotemporal chaos. Chin Phys B 2011;20:090504–7.
[23] Wang SH, Li D, Zhou H. Collision analysis of a chaos-based hash function with both modification detection and localization capability. Commun Nonlinear Sci Numer Simulat 2012;17(2):780–4.
[24] Rukhin A et al. A statistical test suite for random and pseudorandom number generators for cryptographic applications, Special Publication 800-22 Revision 1 August 2008.