Secure digital communication using controlled projective synchronisation of chaos

Chaos, Solitons and Fractals 23 (2005) 1063–1070 www.elsevier.com/locate/chaos

Secure digital communication using controlled projective synchronisation of chaos Chin Yi Chee *, Daolin Xu School of Mechanical & Production Engineering, Nanyang Technological University, Singapore 639798, Singapore Accepted 8 June 2004

Abstract A new approach to chaos communication is proposed to encrypt digital information using controlled projective synchronisation. The scheme encrypts a binary sequence by manipulating the scaling feature of synchronisation from the coupled system. The transmitted signal therefore embeds only a single set of statistical properties. This prevents cryptanalysts from breaking the chaotic encryption scheme by using characteristic cryptanalysis that aims to detect switching of statistical properties in the intercepted information carrier signal. Pseudo-random switching key is incorporated into the scheme to masked out the deterministic nature of the underlying coupled system. Ó 2004 Elsevier Ltd. All rights reserved.

1. Introduction In chaotic encryption, apart from the chaotic masking [1,2] and chaotic modulation [3] used to encrypt analogue signal, chaotic shift keying [2,4] is developed to encrypt digital signal. Encryption schemes based on chaotic shift keying (CSK) employ the basic concept of chaos synchronisation [5] in the process. The communication setup consists of two identical chaotic systems with one system (drive system) at the transmitter end driving the other system (driven system) at the receiver end using a state variable of the drive system, which is refers to as a coupling variable. To transmit digital signal, the coupling variable, which is the information carrier signal, is produced at the drive system by slightly shifting a parameter according to the binary sequence. CSK has its security flaws since the binary message is encrypted by shifting the parameter sets between two fixed sets of values. This will inevitably causes the transmitted signal to possess two sets of statistical properties that correspond to bit 0 and bit 1. Hence the encrypted information could be easily revealed by detecting switches of statistical properties along the intercepted information carrier signal. The detection techniques which are collectively refers to as characteristic cryptanalysis include constructing return maps [6], using a spectrogram [7], observing the density of localized dynamics about a test trajectory [8] and measuring the errors from generalised synchronisation transformations [9]. Another weakness found in CSK schemes is the deterministic nature of the transmitted signal. Although the transmitted signal exhibited chaotic behaviour that appeared to be random, it is always governed by an underlying deterministic rule. Cryptanalysts thus exploit the deterministic nature of chaos by using reconstruction methods to recover the

*

Corresponding author. E-mail address: [email protected] (C.Y. Chee).

0960-0779/$ - see front matter Ó 2004 Elsevier Ltd. All rights reserved. doi:10.1016/j.chaos.2004.06.017

1064

C.Y. Chee, D. Xu / Chaos, Solitons and Fractals 23 (2005) 1063–1070

governing rule and then extract the encrypted information from the transmitted signal without prior knowledge of the underlying system. Those methods include parameter detection [10], neural networks analysis [11], wavelet multi-scale decomposition [12] and delay-coordinate reconstruction [13]. These explored security flaws weaken the confidence on the use of the CSK scheme. In spite of this, we continue to see extensions of CSK being made to enhance the security. The derivation for higher security include the utilisation of multi-channel communications to achieve higher complexity [14] and the application of phase synchronisation to chaos communication by using the mean value of two corresponding variables to obtain the instantaneous phase and operating it as the transmitted signal [15]. However in the strictest sense, these schemes which are based on the original idea of CSK still require two chaotic attractors to encrypt the binary sequence and therefore a probable attack from characteristic cryptanalysis remains. In this paper we wish to propose a new approach to chaos communication for transmitting digital signal using controlled projective synchronisation. This new technique, which is different from CSK, does not require shifting of parameter values but transmits digital signal by manipulating the scaling feature of projective synchronisation [16]. In projective synchronisation, two identical systems are employed with one system (drive system) at the transmitter end driving the other system (driven system) at the receiver end with the information carrier signal. The evolution of the driven system is asymptotically a scalar multiple of the evolution of the drive system [16] with the dynamics of the driven system converging to the required state to fulfil the desired scalar multiple. Therefore in a projective synchronisation scheme the transmitter uses only a single attractor to encrypt a binary sequence by manipulating the scaling feature of the coupled system with control [17]. The receiver then retrieves the information by observing changes in the scalar multiple between the transmitted signal and the corresponding variable of the driven system. This is a desirable feature since the characteristic cryptanalysis [6–9] will be rendered ineffective to reveal the encrypted information from the intercepted signal. On top of this we incorporate pseudo-random switching key [18] into the scheme to prevent reconstruction methods [10–13] from uncovering the underlying governing rule of the coupled system. The layout of the paper is as follows. In Section 2, we describe the working mechanism of projective synchronisation. In Section 3, we give a brief description on pseudo-random switching key and how this feature is used as a countermeasure against reconstruction cryptanalysis [10–13]. In Section 4, we set up the communication scheme and we discuss the shortcoming of this scheme and how it can be overcome. In Section 5, we carried out security analysis on the scheme. The conclusion is provided in Section 6.

2. Projective synchronisation Projective synchronisation is the result of coupling two partially linear systems with a nonlinear variable. During projective synchronisation the states of two systems synchronize up to a constant ratio known as the scaling factor [16] that is denoted by a(t) = kusk/kumk. The ultimate value of the scaling factor, which depends on the parameter set and the initial conditions, is unpredictable without control. The development of a control algorithm [17] recently enables us to direct the scaling factor to any desired values using only a tiny control input. We therefore employ this control algorithm in the encryption scheme to encrypt binary sequence by manipulating the scaling factor accordingly between two predestined values that we use to represent the binary bit 0 and bit 1. Here a partially linear system refers to an autonomous system in which the state vector u associates linearly with its time derivatives u_ through its Jacobian matrix M(z), where MðzÞ 2 Rnn contains a variable z that is nonlinearly related to the state vector u. Projective synchronisation occurs when the two systems are coupled through the variable z. The mathematical expression of a coupled partially linear system is given a

u_ m ¼ Mðzm Þum þ n u_ s ¼ Mðzm Þus Drive system; Driven system ð1Þ z_ s ¼ f ðus ; zs Þ z_ m ¼ f ðum ; zm Þ In the coupled system (1), the subscript m and s are used to denote the states of the drive and driven systems respectively. The state vectors um = (x1,x2, . . . , xn)T and us = (y1, y2, . . . , yn)T. Each element of the control vector n = (n1,n2, . . . , nn)T is given as [17] ni ¼ ½mi e þ k i ei =a

where i ¼ 1; . . . ; n

ð2Þ

Here mi is the ith row of the Jacobian matrix M(z). The error vector e = (e1,e2, . . . , en)T is given as a*um  us. The symbol a* is the desired scaling factor, which is the desired ratio between the state vectors given as limt!1[a(t)] = a* and ki is the slack constant that takes any positive real value. The slack constant affects the convergence rate of the control with a larger value bringing about a higher convergence rate.

C.Y. Chee, D. Xu / Chaos, Solitons and Fractals 23 (2005) 1063–1070

1065

3. Pseudo-random switching key The next necessary step to further ensure that the projective synchronisation scheme is secure against reconstruction cryptanalysis is to incorporate pseudo-random switching key [18] into the scheme. The coupled system (1) is re-expressed as u_ m ¼ Mðzm Þum þ n; u_ s ¼ Mðzm Þus z_ m ¼ f ðum ; zm Þ; z_ s ¼ f ðus ; zs Þ lx ¼ gðum Þ; ly ¼ gðus Þ

ð3Þ

Here lc = (lc,1,lc,2, . . . , lc,m)T is the system parameter set, which can be assigned as a function of the state vectors, where c = (c1, c2, . . . , cn)T being used to denote the variables for both the state vectors um and us. The function g(c) acts as a secret key in chaos communication. The secret key g(c) = (g1(c),g2 (c), . . . , gm(c))T is constructed according to the following rule gk ðci Þ ¼ bk;j

for ak;j < jci j 6 ak;jþ1

ð4Þ

where ak,j and bk,j are the constants pre-defined for k = 1, . . . , m, j = 1, . . . , L with L > 1. The rule states that the kth parameter lc,k will be switched to the value of bk,j when a selected state variable ci falls in a range defined by ak,j < jcij < ak,j + 1. The design of this secret key refers to as pseudo-random switching key produces pseudo-random switching events rapidly, irregularly and discontinuously, inducing a transient evolution in the variables of both the drive and the driven systems. As a result, a chaotic trajectory never rests on any manifolds of attractors before the next switching event happens. Thus one cannot see a clear topological structure reconstructed from the time series of the transmitted signals. This feature effectively diffuses the deterministic nature of chaos and prevents reconstruction cryptanalysis [10–13] from uncovering the underlying governing rules [18]. This is because to identify a parameter set that switches rapidly in a discontinuous and irregular manner will be very difficult as compare to a constant parameter set. Fig. 1 shows an example on how the transient signal obscured the attractor reconstructed by return maps [6].

4. Secure communication scheme From (3) we can see that the control algorithm requires feedback from the driven system. However by sending out feedback signals from the driven system will breach the security of our proposed scheme. This is because once

Fig. 1. Attractors of the return map formed by extracting extremals of the transmitted signal generated using a Lorenz oscillator [6]. (a) Return map constructed from the transmitted signal without pseudo-random shifting key. The formation of three solid lines that is independent of the initial conditions and parameter set indicates the presence of a governing rule. (b) Return map constructed from the transmitted signal with pseudo-random shifting key incorporated. The segments of the attractor are diffused by numerous pseudorandom switching events.

1066

C.Y. Chee, D. Xu / Chaos, Solitons and Fractals 23 (2005) 1063–1070

the feedback signals, which respond to the changes in the desired scaling factor are intercepted, the information could easily be revealed. In order to overcome this problem, we design our chaotic encryption scheme as 9 u_ m;1 ¼ Mðfm Þum;1 ; u_ m;2 ¼ Mðzm;2 Þum;2 þ n > = z_ m;1 ¼ f ðum;1 ; zm;1 Þ; z_ m;2 ¼ f ðum;2 ; zm;2 Þ Transmitter end > ; lx ¼ gðum;1 Þ; lx ¼ gðum;1 Þ 9 ð5Þ u_ s ¼ Mðfs Þus > = z_ s ¼ f ðus ; zs Þ Receiver end > l ¼ gðu Þ ; y

s

The transmitter now consists of two systems denoted by subscripts m,1 and m,2 with the state vectors given as um,1 = (x1,1, x1,2, . . . , x1,n)T and um,2 = (x2,1,x2,2, . . . , x2,n)T. The state vector um,1 serves as a reference state for the control n to eliminate the dependency on feedback signals from the driven system. For time t < Tc, we set fm = zm,1, fs = zs and a variable from the state vector um,1 is used to couple the driven system at the receiver end such that yi is replaced by x1,i to achieve identical synchronisation [5]. The initiation time span before the actual transmission of the information is carried out is denoted by Tc which must be sufficiently large in order for limt!Tcjum,1  usj = 0. At t = Tc, the coupling between the drive and driven systems through x1,i ceases and will be replaced with zm,2 such that fm = fs = zm,2 to achieve projective synchronisation. Note that once identical synchronisation is achieved between the drive system m,1 and the driven system through the coupling variable x1,i, the future time evolutions of the two systems will always remain identical even with x1,i being replaced back by yi in the driven system. Hence at the instant t = Tc when these two systems are coupled simultaneously to system m,2 through zm,2, they will projectively synchronise in a similar manner with respect to system m,2. Thus this allows we to redesign the control function as ni ¼ ½mi em þ k i em;i =a

ð6Þ T

*

with e in (2) being replaced by the error vector em = (em,1,em,2, . . . , em,n) = a um,2  um,1 and i = 1, . . . , n. This allows us to manipulate the scaling factor with feedback signals directly obtained within the transmitter end. By doing so, the drive system at the transmitter end no longer requires feedback signals from the driven system. This eliminated the risk of the information being revealed if the feedback signals from the driven system are intercepted in the communication channel. We wish to illustrate the projective synchronisation scheme using the Lorenz system, 9 x_ 1;1 ¼ rðx1;2  x1;1 Þ; x_ 2;1 ¼ rðx2;2  x2;1 Þ þ n1 > > > x_ 1;2 ¼ ðlx;1  fm Þx1;1  x1;2 ; x_ 2;2 ¼ ðlx;1  zm;2 Þx2;1  x2;2 þ n2 = Transmitter end > z_ m;1 ¼ x1;1 x1;2  qzm;1 ; z_ m;2 ¼ x2;1 x2;2  qzm;2 > > ; lx;1 ¼ g1 ðx1;1 Þ; lx;1 ¼ g1 ðx1;1 Þ ð7Þ 9 y_ 1 ¼ rðy 2  y 1 Þ > > > y_ 2 ¼ ðly;1  fs Þw1  y 2 = Receiver end > z_ s ¼ w1 y 2  qzs > > ; ly;1 ¼ g1 ðw1 Þ In this scheme, when t < Tc, we set fm = zm,1fs = zs and in the driven system, w1 = x1,1. Thus the transmitted signal /(t) is equals to x1,1. At the instant when t P Tc, we set fm = fs = zm,2, w1 = y1 and the transmitted signal /(t) = zm,2. An initiation time span of Tc = 10 time-units will be sufficiently long enough to achieve identical synchronisation between system m,1 and system s. The system parameters are set as r = 10 and q = 2. The pseudo-random switching key is designed as b1;1

for a1;1 < jc1 j < a1;2

b1;2 g1 ðc1 Þ ¼ b1;3 b1;4 b1;5

for a1;3 < jc1 j < a1;4 for a1;5 < jc1 j < a1;6 for a1;7 < jc1 j < a1;8 otherwise

ð8Þ

We let [a1,1, . . . , a1,8] = [0,5,10,16,23,27,30,34], [b1,1, . . . , b1,5] = [60,60.5,59.5,49,49.5]. Fig. 2(a) shows the transmitted signal /(t) = x1,1 for t < 10 and /(t) = zm,2 for t P 10, which exhibits chaotic behaviour coated with pseudo-random switching key. The information signal m(t) is in an alternate sequence of bit 0 and bit 1 as shown in Fig. 2(b). In

C.Y. Chee, D. Xu / Chaos, Solitons and Fractals 23 (2005) 1063–1070

1067

Fig. 2. Demonstration of the chaotic encryption scheme based on projective synchronisation with a pseudo-random switching key incorporated. (a) The transmitted signal /(t) = x1,1 for t < 10 and /(t) = zm,2 for t P 10. (b) A binary sequence to be transmitted m(t). (c) The time evolution of the scaling factor az(t) = zs/zm,2 observed at the receiver end with az(t) = 0.998 representing bit 0 and az(t) = 1 representing bit 1. (d) The rapid and irregular changes of the parameter lx,1 defined by the pseudo-random switching key (8) for (20 6 t 6 30).

the control function ni =  [miem + kiem,i]/a*, the slack constant is set as ki = 10. The desired scaling factor is pre-assigned as a* = 0.999 to represent bit 0 and a* = 1 to represent bit 1. Fig. 2(c) shows the evolution of the scaling factor az(t) = zs/zm,2 that is observed at the receiver end. For Lorenz system under projective synchronisation, the scaling factor az, which is the ratio between zm,2 and zs, is equals to the square of a(t) = kusk/kum,2k such that limt!1az = (a*)2. Therefore at the receiver end, bit 0 is received when az(t) = 0.998 is observed and bit 1 is received when az(t) = 1 is observed. Fig. 2(d) shows the time evolution of the switching events generated by the secret key lx,1 for (20 6 t 6 30). The switching events appeared to be irregular and densely distributed.

5. Security analysis In this section, we wish to prove that the projective synchronisation scheme is secure against characteristic cryptanalysis. The security analysis is carried out by first demonstrating how characteristic cryptanalysis could be employed to break CSK scheme. A similar demonstration will then be carried out on the projective synchronisation scheme to prove that the fundamental basis of characteristic cryptanalysis is ineffective against the proposed approach. Here we employed a characteristic cryptanalysis technique proposed by Yang et al. [9] to carry out the demonstration. The technique uses the intercepted information carrier signal to couple an arbitrary system. As a result, synchronisation error E(t) may arises since the arbitrary system would probably not be identical to the drive system. However given that the information carrier signal in CSK scheme is generated by shifting a parameter of the drive system, the error measured from the generalized synchronisation transformation [9] will inevitably possesses two sets of statistical properties according to the binary sequence. The intruder could thenR reveal these two sets of statistical properties by tþT w 2 simply measuring the moving average of the error, given as dðtÞ ¼ T 1 E ðtÞ dt where Tw is the window length. This w t characteristic cryptanalysis technique [9] is chosen for demonstration here because it is simple in implementation and very effective in breaking CSK schemes operating on both low and high dimensional systems.

1068

C.Y. Chee, D. Xu / Chaos, Solitons and Fractals 23 (2005) 1063–1070

Let us consider the drive, driven and arbitrary systems in a CSK setup given as 9 9 x_ 1 ¼ rðx2  x1 Þ y_ 1 ¼ 10ðy 2  y 1 Þ > > = = x_ 2 ¼ ðl  zm Þx1  x2 Drive system y_ 2 ¼ ð60  zs Þx1  y 2 Driven system > > ; ; z_ m ¼ x1 x2  qzm z_ s ¼ y 1 y 2  2zs 9 y_ a;1 ¼ 11ðy a;2  y a;1 Þ > = y_ a;2 ¼ ð60  za Þx1  y a;2 Arbitrary system > ; z_ a ¼ x1 y a;2  1:7za

ð9Þ

The intruder intercepted the transmitted signal /(t) = x1(t) and used it the coupled the arbitrary system in the second and third equation. The parameter set of the drive system is given as [r, l, q] = [10, 60, 2] when bit 1 is to be sent and [10, 62, 2] when bit 0 is to be sent. Fig. 3(a) and (b) show the binary information m(t) and the information carrier signal /(t) = x1(t) respectively. Based on the parameter assignment of the drive and driven systems, the receiver will observe no synchronisation error, E(t) = x1(t)  y1(t) = 0 when bit 1 is received and synchronisation error when bit 0 is received as shown in Fig. 3(c). On the other hand, given that the parameter setting of the arbitrary system is always non-identical to the drive system, the intruder will always observe synchronisation error E(t) = x1(t)  ya,1(t) throughout the transmission as shown in Fig. 3(d). However the intruder could reveal two sets of statistical properties that correspond to the binary information, see Fig. 3(e), by measuring the moving average d(t) of the synchronisation error in Fig. 3(d). Hence we have demonstrated that the cryptanalysis technique [9] like all others characteristic cryptanalysis [6–8] which aims to reveal two different sets of statistical properties could be effectively used to break CSK schemes. However the fundamental basis of characteristic cryptanalysis is irrelevant when employed against projective synchronisation scheme. This is because in this approach, the transmitter does not use two attractors to encrypt the binary symbols but rather it uses the scaling features of the coupled system. Although the effect of pseudo-random switching

Fig. 3. Security analysis on chaotic shift keying scheme under attack from characteristic cryptanalysis that measures the synchronisation error [9] from the setup shown in (9). (a) The binary sequence to be transmitted m(t). (b) The transmitted signal / (t) = x1. (c) The synchronisation error observed at the intended receiver end that correspond to the binary sequence in (a). (d) The synchronisation error observed at the intruder end that does not reveal any useful information. (e) The moving average of the synchronisation error shown in (d) that correspond to the binary sequence shown in (a). The window length, Tw, employed here is 2.3 time units.

C.Y. Chee, D. Xu / Chaos, Solitons and Fractals 23 (2005) 1063–1070

1069

key would generate numerous attractors but these attractors do not contain any digital information. Therefore it would be reasonable to consider that the transmitted signal possesses only one set of statistical properties where a single attractor resides. To demonstrate that the characteristic cryptanalysis is ineffective against the projective synchronisation scheme let us consider the following setup. 9 x_ 1;1 ¼ 10ðx1;2  x1;1 Þ; x_ 2;1 ¼ 10ðx2;2  x2;1 Þ þ n1 > = x_ 1;2 ¼ ð60  zm;2 Þx1;1  x1;2 ; x_ 2;2 ¼ ð60  zm;2 Þx2;1  x2;2 þ n2 Drive system > ; z_ m;1 ¼ x1;1 x1;2  2zm;1 ; z_ m;2 ¼ x2;1 x2;2  2zm;2 9 ð10Þ y_ a;1 ¼ 11ðy a;2  y a;1 Þ > = y_ a;2 ¼ ð60  zm;2 Þy a;1  y a;2 Arbitrary system > ; z_ a ¼ y a;1 y a;2  1:7za Pseudo-random switching key is left out in (10) as we wish to show that the utilisation of projective synchronisation alone could be employed effectively against characteristic cryptanalysis. Assume that the intruder intercepted the transmitted signal /(t) = zm,2(t) and used it to couple the arbitrary system in the second equation. Using this setup, the intruder could carry out cryptanalysis on the information carrier signal zm,2(t) by measuring error from the generalised synchronisation transformation [9]. Fig. 4(a) shows the binary information m(t). Fig. 4(b) shows the measured scaling pffiffiffiffiffiffiffiffiffiffiffiffiffi factor aðtÞ ¼ za =zm;2 , which does not correspond to the binary information in (a). This is because the parameter set of the arbitrary system is non-identical to the drive system. Fig. 4(c) shows the moving average da(t) of the scaling factor in Fig. 4(b). It can be seen that the moving average here does not reveal any information. Fig. 4(d) and (e) presented a further analysis on the intercepted information carrier. Fig. 4(d) shows the synchronisation error E(t) = zm,2(t)  za(t). The moving average shown in Fig. 4(e) of the synchronisation error again does not reveal any information. Hence we

Fig. 4. Security analysis on projective synchronisation based scheme under attack from characteristic cryptanalysis that measures the synchronisation pffiffiffiffiffiffiffiffiffiffiffiffiffi error [9] from the setup shown in (10). (a) A binary sequence to be transmitted m(t). (b) The scaling factor aðtÞ ¼ za =zm;2 observed at the intruder end. (c) The moving average of the scaling factor shown in (d). (d) The synchronisation error E(t) = zm,2(t)  za(t) observed at the intruder end. (e) The moving average of the synchronisation error shown in (d). It is observed from the analysis that no useful information is revealed. The window length, Tw, employed here is 2.3 time units.

1070

C.Y. Chee, D. Xu / Chaos, Solitons and Fractals 23 (2005) 1063–1070

state that the projective synchronisation scheme is secure against the characteristic cryptanalysis as its fundamental basis would be irrelevant.

6. Conclusions In conclusion, we have introduced a new approach to transmit digital signal using controlled projective synchronisation of chaos. This approach eliminates the need to use two attractors to encrypt digital signal in the context of chaotic shift keying. Thus characteristic cryptanalysis [6–9], which aim to detect switching of statistical properties in the intercepted information carrier signal would be rendered ineffective when used against future schemes developed based on projective synchronisation. We have also proposed a scheme developed from this approach and successfully incorporated pseudo-random switching key to further enhance the security against reconstruction methods [10–13]. Security analysis carried out proved that the scheme is secure against characteristic cryptanalysis attacks.

References [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18]

Kocarev L, Halle KS, Eckert K, Chua LO, Parlitz U. Int J Bifurcat Chaos 1992;2:709. Cuomo KM, Oppenheim AV. Phys Rev Lett 1993;71:65. Halle KS, Wu CW, Itoh M, Chua LO. Int J Bifurcat Chaos 1993;3:469. Parlitz U, Chua LO, Kocarev L, Halle KS, Shang A. Int J Bifurcat Chaos 1992;2:973. Pecora LM, Carroll TL. Phys Rev Lett 1990;64:821. Pe´rez G, Cerdeira HA. Phys Rev Lett 1995;74:1970. Yang T, Yang L-B, Yang C-M. Phys Lett A 1998;247:105. Storm C, Freeman WJ. Phys Rev E 2002;66:057202. Yang T, Yang L-B, Yang C-M. IEEE Trans Circuits Syst I 1998;45(10):1062. Stojanovski T, Kocarev L, Parlitz U. Int J Bifurcat Chaos 1996;6:2645. Yang T, Yang L-B, Yang C-M. Physica D 1998;124:248. Huang X, Xu J, Huang W, Lu Z. Int J Bifurcat Chaos 2001;11:561. Ponomarenko VI, Prokhorov MD. Phys Rev E 2002;66:026215. Sundar S, Minai AA. Phys Rev Lett 2002;85:5456. Chen JY, Wong KW, Cheng LM, Shuai JW. Chaos 2003;13:508. Mainieri R, Rehacek J. Phys Rev Lett 1999;82:3042. Xu D, Chee CY. Phys Rev E 2002;66:046218. Xu D, Chee CY. Int J Bifurcat Chaos, in press.