Commun Nonlinear Sci Numer Simulat 16 (2011) 876–884
Cryptanalysis of a chaos-based cryptosystem on DSP
Rhouma Rhouma *, Safya Belghith
Syscom Laboratory, Ecole Nationale d’Ingénieurs de Tunis, Tunisia
Article info
Article history: Received 20 September 2009; received in revised form 11 May 2010; accepted 20 May 2010; available online 27 May 2010.

Abstract
In this work, we cryptanalyse a recently proposed chaos-based cryptosystem on DSP by proposing three different attacks to break it. We report the weakness of this cryptosystem and hence demonstrate that, in its current design, it cannot be used in real-world applications and first needs to be enhanced by avoiding the design drawbacks reported in this work.
© 2010 Elsevier B.V. All rights reserved.

Keywords: Chaos-based cryptography; Chosen plaintext attack; Known plaintext attack; DSP
* Corresponding author: R. Rhouma. doi:10.1016/j.cnsns.2010.05.017

1. Introduction

Chaos is considered a source of randomness; hence it can be incorporated in the design of cryptosystems. Recently, many chaos-based encryption algorithms have been published [1–7]. Most of them employ chaos to generate pseudorandom sequences that are ultimately used in the confusion process of a given cryptosystem. All of them (except Ref. [1]) have been cryptanalysed and found to be insecure [8–12].

In a very recent attempt [1], an implementation of a chaos-based cryptosystem on a DSP was proposed. This cryptosystem employs the cubic map to generate two sequences used as keystreams. These two real-valued keystreams are then transformed into two opposite (complementary) binary sequences. The binary sequences are mixed with the binary plaintext to generate the binary ciphertext. In this work, we show the weakness of this cryptosystem and propose three different attacks to break it.

The rest of this paper is organized as follows: Section 2 gives a brief description of the cryptosystem under study. Section 3 demonstrates the weakness of the cryptosystem and presents three different attacks to break it. Section 4 proposes to reduce the complexity of the reported attacks by exploiting another weakness of the cryptosystem. Finally, in Section 5, we conclude the paper.

2. Description of the cryptosystem

The cryptosystem in [1] is a symmetric encryption scheme encrypting a binary plaintext to a binary ciphertext. The keystreams are formed from the trajectories of a chaotic attractor. The secret key is given by the initial conditions and the parameters of these trajectories. The algorithm is a stream cipher, and the generation of the keystreams is independent of the plaintext and the ciphertext. The keystreams used are the sequences {sn} and {tn} generated by the cubic map defined by the following equation:

$$
\begin{cases}
x_{n+1} = y_n \\
y_{n+1} = a\,x_n^3 + x_n + b\,y_n^3 + y_n
\end{cases}
\tag{1}
$$
Given a plaintext {pn}, the encryption steps leading to the ciphertext {cn} are as follows:

1. Generate two different orbits {sn} and {tn} by iterating the map defined by Eq. (1) from two different initial conditions and two different parameters.
2. Each real value in these two sequences is coded in binary representation on N bits using the IEEE-754 floating-point format. Hence, for a given n, $s_n = \{s_{n,1}, s_{n,2}, \ldots, s_{n,N}\}$ and $t_n = \{t_{n,1}, t_{n,2}, \ldots, t_{n,N}\}$.
3. For each n, compare the two bit sequences $s_n$ and $t_n$ to determine the position i of the first bit at which they differ. The comparison begins with the least significant bit.
4. For each n, keep only the ith bit $s_{n,i}$ of sn and the ith bit $t_{n,i}$ of tn.
5. For each n, the nth ciphertext value cn of the nth plaintext value is given by:
$$
c_n =
\begin{cases}
s_{n,i} & \text{if } p_n = 0 \\
t_{n,i} & \text{if } p_n = 1
\end{cases}
\tag{2}
$$
As mentioned above, this cryptosystem deals with binary plaintext/ciphertext. For clarity, we will work with binary images whose pixels take values in {0, 1}. The images are treated as a binary message after transforming them into a bitstream by the usual scan method (from left to right and from top to bottom). In Fig. 1, we show an example of encrypting a binary image using the algorithm under study.
3. Cryptanalysis

The authors in [1] concluded that their cryptosystem was secure against chosen plaintext and chosen ciphertext attacks. They explained that the security of their cryptosystem is assured by the non-invertibility and the non-predictability of the sequences {sn} and {tn}. The attacks described below do not aim to break those real-valued sequences; rather, they break the binary sequences sn,i and tn,i, with i and n as variables. These keystreams are binary and are formed by the comparison between the binary representations of every sn and tn. The index i denotes the first position where the binary representations of sn and tn differ. To be clear in the description of the attacks, we will denote the keystreams sn,i and tn,i by Ks and Kt, respectively, since our objective is to break these sequences, not {sn} and {tn}.

The proposed attacks are: chosen plaintext attack (CPA), chosen ciphertext attack (CCA) and known plaintext attack (KPA). The goal is to reveal the keystreams Ks and Kt.

3.1. Chosen plaintext attack

3.1.1. Theoretical analysis

Proposition 1. Given a plaintext P = p1p2...pn... and its corresponding ciphertext C = c1c2...cn..., the keystreams Ks and Kt can be determined as follows:
$$
\begin{cases}
K_s(n) = c_n & \text{if } p_n = 0 \\
K_t(n) = c_n & \text{if } p_n = 1
\end{cases}
\tag{3}
$$
Fig. 1. (a) Plain-image, (b) ciphered image, and (c) recovered image.
Proof. The demonstration is straightforward from Eq. (2), where

$$
c_n =
\begin{cases}
K_s(n) & \text{if } p_n = 0 \\
K_t(n) & \text{if } p_n = 1
\end{cases}
$$
Proposition 2.
1. Only two pairs of plaintext/ciphertext (P1/C1 and P2/C2) are needed to break the keystreams Ks and Kt.
2. P1 and P2 should be complementary: $P_2 = \overline{P_1}$.

Proof.
1. By applying Eq. (4) to the first pair P1/C1, the bits of Ks (respectively, Kt) that are determined are those at the positions where P1(n) = 0 (respectively, P1(n) = 1). The remaining positions in Ks can be determined by choosing another pair P2/C2.
2. The plaintext P2 should be complementary to P1 in order to fill the remaining positions in Ks and Kt. The remaining positions in Ks are those where P1(n) = 1, so in these positions P2(n) should be 0. The remaining positions in Kt are those where P1(n) = 0, so in these positions P2(n) should be 1. Finally, P2 should be chosen as the complementary plaintext of P1. □

An algorithm can be designed to perform the CPA attack in order to reveal the keystreams Ks and Kt as follows:
The attack is summarized below:
1. Choose two pairs of plaintext/ciphertext (P1/C1 and P2/C2) where $P_2 = \overline{P_1}$.
2. Apply Algorithm 1 with inputs P1 and C1.
3. Apply Algorithm 1 with inputs P2 and C2.

3.1.2. Simulations

This attack needs exactly two plaintexts. Given an arbitrarily chosen plaintext P1:

P1 = 01000101011110010111 ...

and another plaintext P2 chosen such that $P_2 = \overline{P_1}$, where $\overline{P_1}$ is the complement of P1:

P2 = 10111010100001101000 ...

In a chosen plaintext attack scenario, we request the corresponding ciphertexts C1 and C2. We found:

C1 = 00101001010110000101 ...
C2 = 11010110101001111010 ...

The keystreams Ks and Kt are first initialized to unknown values:

Ks = xxxxxxxxxxxxxxxxxxxx ...
Kt = xxxxxxxxxxxxxxxxxxxx ...

Now we obtain these keystreams by applying Algorithm 1 to the inputs P1 and C1:

Ks = 0x101x0x0xxxx00x0xxx ...
Kt = x0xxx0x1x1011xx0x101 ...
Fig. 2. Chosen plaintext attack. (a) Ciphered-image, (b) chosen image P1, (c) ciphered image C1 of P1, (d) chosen image $P_2 = \overline{P_1}$, (e) ciphered image C2 of P2, and (f) recovered image.
These keystreams can be fully completed if we apply Algorithm 1 with P2 and C2 as inputs. Doing so, we finally get:

Ks = 01101100001000010010 ...
Kt = 10010011110111101101 ...

We also give the implementation of the described CPA algorithm working on the ciphered image in Fig. 1(b). Two chosen plain-images are needed. They are given in Fig. 2(b) and (d) and their corresponding ciphered images in Fig. 2(c) and (e). The recovered image is given in Fig. 2(f).

3.2. Chosen ciphertext attack

3.2.1. Theoretical analysis

Proposition 3.
1. Given a ciphertext C = c1c2...cn... and its corresponding plaintext, the keystreams Ks and Kt can be determined as follows:
$$
\begin{cases}
K_s(n) = c_n & \text{if } p_n = 0 \\
K_t(n) = c_n & \text{if } p_n = 1
\end{cases}
$$
2. Two complementary pairs of ciphertext/plaintext are sufficient to totally reveal the keystreams Ks and Kt.

Proof.
1. By using Eq. (2), where

$$
c_n =
\begin{cases}
K_s(n) & \text{if } p_n = 0 \\
K_t(n) & \text{if } p_n = 1
\end{cases}
\tag{4}
$$

the proof is straightforward.
2. The proof is by analogy to Proposition 2. □
Then, the following algorithm is applied to perform the CCA attack.
Below is a summary of this attack as applied in the simulations subsection:
1. Choose two pairs of ciphertext/plaintext (C1/P1 and C2/P2) where $C_2 = \overline{C_1}$.
2. Apply Algorithm 2 with inputs P1 and P2.

3.2.2. Simulations

We need exactly two chosen ciphertexts. The first ciphertext needed is C1, whose entries are all zeros:

C1 = 00000000000000000000 ...

The other ciphertext is C2, whose entries are all ones (because $C_2 = \overline{C_1}$):

C2 = 11111111111111111111 ...
Fig. 3. Chosen ciphertext attack. (a) Ciphered-image, (b) chosen ciphered image C1 = zeros, (c) plain-image P1 of C1, (d) chosen ciphered image C2 = ones, (e) plain-image P2 of C2, and (f) recovered image.
In a chosen ciphertext attack scenario, we request their corresponding plaintexts P1 and P2:

P1 = 01101100001000010010 ...
P2 = 10010011110111101101 ...

After applying Algorithm 2 we get these keystreams:

Ks = 01101100001000010010 ...
Kt = 10010011110111101101 ...

We also give the implementation of the described CCA algorithm working on the ciphered image in Fig. 1(b), shown again in Fig. 3(a). Two chosen ciphered images were needed. They are given in Fig. 3(b) and (d) and their corresponding plain-images in Fig. 3(c) and (e). The recovered image is given in Fig. 3(f).

3.3. Known plaintext attack

In a known plaintext attack scenario, the opponent cannot choose special plaintexts and obtain their corresponding ciphertexts, but has some already known pairs of plaintexts/ciphertexts. Hence, the break of the keystreams Ks and Kt is partial. For every known pair of (plaintext/ciphertext), we apply Algorithm 1. For example, assume that we have three known pairs of (plaintext/ciphertext): (P1, C1), (P2, C2), (P3, C3). We apply Algorithm 1 to every pair and show what has been revealed of the keystreams Ks and Kt. First we begin with (P1, C1):

P1 = 01001011101111100100 ...
C1 = 00100111100111110110 ...

By applying Algorithm 1 with (P1, C1) as input, we found:

Ks = 0x10x1xxx0xxxxx10x10 ...
Kt = x0xx0x111x01111xx1xx ...

The percentage of revealed bits of Ks is 45%. The percentage of revealed bits of Kt is 55%. Now, we save the Ks and Kt found so far, go to the next pair of (plaintext/ciphertext) and apply Algorithm 1 with (P2, C2) as input:

P2 = 00110010110001000000 ...
C2 = 01011110111001010010 ...

We found:

Ks = 011011x0x0100x010010 ...
Kt = x0010x111101111xx1xx ...

The percentage of revealed bits of Ks is 85%. The percentage of revealed bits of Kt is 70%. We do the same for (P3, C3):

P3 = 11010011010111110010 ...
C3 = 10111111011111100000 ...

We found:

Ks = 011011x000100x010010 ...
Kt = 10010x1111011110x10x ...

The percentage of revealed bits of Ks is 90%. The percentage of revealed bits of Kt is 85%.

Fig. 4. Known plaintext attack. (a) Known plain-image P1, (b) known plain-image P2, (c) known plain-image P3, (d) corresponding ciphered image C1 of P1, (e) corresponding ciphered image C2 of P2, (f) corresponding ciphered image C3 of P3, (g) recovered image when (P1, C1) is used for the break: 68.7504% has been recovered, (h) recovered image when (P1, C1) and (P2, C2) are used for the break: 81.46% has been recovered, and (i) recovered image when (P1, C1), (P2, C2) and (P3, C3) are used for the break: 93.0324% has been recovered.

We now give a simulation of the described attack using images. We assume that we have three known pairs of (plain-ciphered) images. First, we use the pair of (plain-ciphered) images given in Fig. 4(a) and (d) to recover the ciphered image of Fig. 1(b); the result is that only 68.7504% of the corresponding plain-image is recovered. Next, we use two pairs: (1) the (plain-ciphered) images given in Fig. 4(a) and (d), and (2) the (plain-ciphered) images given in Fig. 4(b) and (e). As a result, we recover 81.46% of the corresponding plain-image. Finally, three pairs (the first two pairs and the last pair, which is given by Fig. 4(c) and (f)) were used to recover 93.0324% of the corresponding plain-image. As can be seen, the more pairs we have, the more complete the recovery is.
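The bit-filling step that Sections 3.1 and 3.3 apply to each plaintext/ciphertext pair, written out in Python as an added example; it is not the paper's Algorithm 1, and the function names are illustrative. The inputs are the 20-bit prefixes printed in Sections 3.1.2 and 3.3, and a consistency check rejects a pair that contradicts a bit already learned.

```python
# Added example: keystream recovery from plaintext/ciphertext pairs via Eq. (3).
# Function names are illustrative; the bit strings are the 20-bit prefixes
# printed in Sections 3.1.2 and 3.3 of the paper.
UNKNOWN = "x"


def learn_from_pair(plain, cipher, ks=None, kt=None):
    """Merge the keystream bits one pair reveals into partial Ks and Kt."""
    if len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext lengths differ")
    ks = list(ks if ks is not None else UNKNOWN * len(plain))
    kt = list(kt if kt is not None else UNKNOWN * len(plain))
    for n, (p, c) in enumerate(zip(plain, cipher)):
        stream = ks if p == "0" else kt      # Eq. (3): p_n selects the stream
        if stream[n] not in (UNKNOWN, c):    # same key must give the same bit
            raise ValueError(f"pair contradicts known bit at position {n}")
        stream[n] = c
    return "".join(ks), "".join(kt)


def revealed_percent(stream):
    return 100 * sum(b != UNKNOWN for b in stream) / len(stream)


def accumulate(pairs):
    """Apply learn_from_pair to each pair in turn; return every intermediate state."""
    ks = kt = None
    history = []
    for plain, cipher in pairs:
        ks, kt = learn_from_pair(plain, cipher, ks, kt)
        history.append((ks, kt, revealed_percent(ks), revealed_percent(kt)))
    return history


# Section 3.1.2: two chosen, complementary plaintexts and their ciphertexts.
CPA_PAIRS = [
    ("01000101011110010111", "00101001010110000101"),
    ("10111010100001101000", "11010110101001111010"),
]
# Section 3.3: three known pairs that the attacker did not choose.
KPA_PAIRS = [
    ("01001011101111100100", "00100111100111110110"),
    ("00110010110001000000", "01011110111001010010"),
    ("11010011010111110010", "10111111011111100000"),
]

if __name__ == "__main__":
    for name, pairs in (("CPA", CPA_PAIRS), ("KPA", KPA_PAIRS)):
        for ks, kt, pct_s, pct_t in accumulate(pairs):
            print(f"{name}  Ks={ks} ({pct_s:.0f}%)  Kt={kt} ({pct_t:.0f}%)")
```

The complementary CPA pair covers every position after two steps, while the unchosen KPA pairs leave gaps wherever all known plaintexts share the same bit.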
4. Further analysis of the cryptosystem

In the above section, three successful attacks on the cryptosystem in [1] have been presented. It should be noted that these attacks can be simplified further and made less resource-demanding, because the determination of the keystream Kt depends on the determination of Ks. From step 3 of the cryptosystem [1] described in Section 2, we see that $K_t = \overline{K_s}$. That means Kt is the complement of Ks; more precisely, for every valid i we have:
$$
\begin{cases}
K_t(i) = 0 & \text{if } K_s(i) = 1 \\
K_t(i) = 1 & \text{if } K_s(i) = 0
\end{cases}
\tag{5}
$$
This fact will make the attacks simpler. The chosen plaintext attack will need only one arbitrary pair of (plaintext/ciphertext) (P, C) and Algorithm 1 will be simplified to Algorithm 3.
The chosen ciphertext attack will also need only one pair of (plaintext/ciphertext) (P, C), where C is given by:

C = 00000000000000000000 ...

After obtaining the corresponding plaintext P of C, Algorithm 2 will be simplified to Algorithm 4.
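An added Python example (not the paper's Algorithms 3 and 4) showing why a single pair suffices in this section once Eq. (5) holds: the cipher reduces to c_n = p_n XOR Ks(n). The decryption rule and all function names are assumptions inferred from Eq. (2); the bit strings are the 20-bit prefixes printed in Sections 3.1.2, 3.2.2 and 3.3.

```python
# Added example: consequences of Eq. (5), K_t = complement of K_s.
# encrypt/decrypt model Eq. (2) on the binary keystreams only; the decryption
# rule is an assumption inferred from Eq. (2). All names are illustrative.

def complement(bits):
    return "".join("1" if b == "0" else "0" for b in bits)


def encrypt(plain, ks):
    """Eq. (2): output K_s(n) when p_n = 0, K_t(n) = not K_s(n) when p_n = 1."""
    kt = complement(ks)
    return "".join(s if p == "0" else t for p, s, t in zip(plain, ks, kt))


def decrypt(cipher, ks):
    """p_n = 0 when c_n matches K_s(n); otherwise c_n came from K_t, so p_n = 1."""
    return "".join("0" if c == s else "1" for c, s in zip(cipher, ks))


def ks_from_pair(plain, cipher):
    """With Eq. (5), c_n = p_n XOR K_s(n), so any single pair yields all of K_s."""
    if len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext lengths differ")
    return "".join("1" if p != c else "0" for p, c in zip(plain, cipher))


def fill_from_complement(ks_partial, kt_partial, unknown="x"):
    """Complete a partial K_s from the known bits of K_t using Eq. (5)."""
    out = []
    for s, t in zip(ks_partial, kt_partial):
        if s != unknown and t != unknown and s == t:
            raise ValueError("K_s and K_t cannot agree at a position")
        out.append(complement(t) if s == unknown and t != unknown else s)
    return "".join(out)


# 20-bit prefixes printed on the page.
KS = "01101100001000010010"                        # K_s from Section 3.1.2
KPA_P1, KPA_C1 = "01001011101111100100", "00100111100111110110"
KS_PART, KT_PART = "0x10x1xxx0xxxxx10x10", "x0xx0x111x01111xx1xx"

if __name__ == "__main__":
    print(ks_from_pair(KPA_P1, KPA_C1))            # one known pair
    print(fill_from_complement(KS_PART, KT_PART))  # 45%/55% state, completed
    print(decrypt("0" * len(KS), KS))              # chosen all-zero ciphertext
    print(decrypt(encrypt(KPA_P1, KS), KS) == KPA_P1)
```

The practical reading for a designer is that the scheme behaves as a fixed-keystream XOR cipher, so reusing the key for a second message exposes it to anyone holding one plaintext/ciphertext pair.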
In this case, the known plaintext attack becomes a total recovery. The break of Ks is 100% complete. It needs one known pair of (plaintext/ciphertext), to which Algorithm 3 is applied.

5. Conclusion

Three attacks were proposed to break a recently proposed cryptosystem based on DSP. Propositions and proofs have been given to establish the validity and correctness of the attacks. Algorithms describing how the CPA, CCA and KPA attacks work have also been introduced. It has been found that the analysed cryptosystem is not suitable for real-world use.

Acknowledgements

The authors are thankful to the reviewer for his help in improving the quality of this paper. The first author is grateful to Zeinab Rhouma for her help in the English proofreading process.

References

[1] Guglielmi V, Pinel P, Fournier-Prunaret D, Taha A-K. Chaos-based cryptosystem on DSP. Chaos Soliton Fract 2009;42:2135–44.
[2] Huang C, Nien H. Multi-chaotic systems based pixel shuffle for image encryption. Opt Commun 2009;282(11):2123–7.
[3] Ariffin M, Noorani M. Modified Baptista type chaotic cryptosystem via matrix secret key. Phys Lett A 2008;372:5427–30.
[4] Patidar V, Pareek NK, Sud KK. A new substitution–diffusion based image cipher using chaotic standard and logistic maps. Commun Nonlinear Sci Numer Simulat 2009;14:3056–75.
[5] Pisarchik AN, Flores-Carmona NJ, Carpio-Valadez M. Encryption and decryption of images with chaotic map lattices. Chaos 2006;16(3) [article no. 033118].
[6] Gao T, Chen Z. Image encryption based on a new total shuffling algorithm. Chaos Soliton Fract 2008;38(1):213–20.
[7] Gao T, Chen Z. A new image encryption algorithm based on hyper-chaos. Phys Lett A 2008;372(4):394–400.
[8] Rhouma R, Solak E, Arroyo D, Li S, Alvarez G, Belghith S. Comments on "Modified Baptista type chaotic cryptosystem via matrix secret key". Phys Lett A 2009. doi:10.1016/j.physleta.2009.07.035.
[9] Rhouma R, Solak E, Belghith S. Cryptanalysis of a new substitution–diffusion based image cipher. Commun Nonlinear Sci Numer Simulat 2009. doi:10.1016/j.cnsns.2009.07.007.
[10] Solak E, Çokal C. Comment on "Encryption and decryption of images with chaotic map lattices" [Chaos, 033118 (2006)]. Chaos: Interdiscipl J Nonlinear Sci 2008;18(3):038101.
[11] Arroyo D, Rhouma R, Alvarez G, Li S, Fernandez V. On the security of a new image encryption scheme based on chaotic map lattices. Chaos: Interdiscipl J Nonlinear Sci 2008;18:033112. 7 pages.
[12] Rhouma R, Belghith S. Cryptanalysis of a new image encryption algorithm based on hyper-chaos. Phys Lett A 2008;372(38):5973–8.