Journal of the Franklin Institute 338 (2001) 429–441
Use of chaotic dynamical systems in cryptography
Roland Schmitz
Deutsche Telekom AG, Technologiezentrum, D-64307 Darmstadt, Germany
Received 27 March 2000; received in revised form 5 December 2000

Abstract
In this paper, some of the mathematical properties relevant to the use of chaotic dynamical systems in cryptography are identified and reviewed. We evaluate these properties for some of the systems proposed in the literature and explain the consequences for the level of security offered by these systems. As a conclusion, it is proposed to use only those systems that are accessible to a mathematical analysis of their chaotic properties, and some open research questions are identified.
© 2001 The Franklin Institute. Published by Elsevier Science Ltd. All rights reserved.
Keywords: Cryptography; Chaos
PII: S0016-0032(00)00087-9

1. Introduction

It seems very attractive to use chaotic dynamical systems on an interval in cryptography. For example, their sensitivity to initial conditions and their spreading out of trajectories over the whole interval seem to be a model for the classic Shannon requirements of confusion and diffusion (cf. [1] or e.g. [2], p. 20). Basically, two very different approaches to the use of chaotic systems can be found in the literature. One of these approaches uses hardware-based synchronized chaotic circuits (cf. [3]), where the cleartext message is hidden in the spectral domain of the chaotic signal (see e.g. [4–7] for practical implementations). On the theoretical side of that approach, Chua et al. have shown in [8] how to design chaotic circuits with a prescribed probability distribution of the generated chaotic signal. Since the main focus of the present paper is software-based encryption of data in digital form, we will not discuss these hardware-based techniques any further here.

On the other hand, several attempts have been made in the past to utilize the simulation of chaotic discrete dynamical systems on a computer for encryption purposes, the first being perhaps by Matthews in [9]. The dynamical systems take the form
$$x_{k+1} = f(x_k), \quad x_0 \in I, \tag{1}$$
where $I$ is either the unit interval (cf. [9–12]) or the unit square (cf. [13–15]) and $f: I \to I$ is a nonlinear, continuous function. We will focus our attention on the analysis of this second, software-based approach.

The present paper is motivated by the fact that the mathematical properties of chaotic dynamical systems that could serve to enhance trust in the security of these systems or rule out insecure systems have often been neglected. For example, care is seldom taken that the proposed systems are really chaotic on a whole continuous set $I$. Moreover, there seems to be some confusion about what it means for a dynamical system to be chaotic. In [16], a discussion of various alternative definitions of chaos can be found, together with some examples. The treatment in the present paper is based on the definition given by Devaney [17]. If a dynamical system is chaotic on $I$ in this sense, the occurrence of periodic points is restricted to a set of measure zero on $I$. Further, it can be guaranteed that all the periodic points of a chaotic $f$ are repelling (cf. e.g. [17]), meaning that even if a trajectory $(x_k)$ happens to come close to a periodic cycle for some $k$, it will separate from it for indices greater than $k$. Therefore, the occurrence of periodic cycles in numerical simulation, which can undermine the security of a chaotic dynamical system used in cryptography, is not inherent to chaotic dynamical systems, but is entirely due to the finiteness of the computer memory.

Apart from the knowledge about the periodic points, if we want to use the output of a chaotic dynamical system for encryption, it is of major importance to know how the output of the dynamical system is distributed. Fortunately, the mathematical techniques to answer this question have long been developed (cf. e.g. [18]). We will present this technique and derive the probability distributions for some example systems that have already been proposed in the literature for use in cryptography.
We will also pay some attention to the Liapounov exponent of chaotic dynamical systems. The Liapounov exponent is a measure of how strong the sensitivity to initial conditions is; since it shows how strongly the dynamical system confuses and diffuses its initial input, which may as well be the plaintext or the secret key of the corresponding cryptographic system, it can be interpreted as a measure of security in the cryptographic context, which seems to be a rather novel approach.

Besides trying to review the past efforts of utilizing chaotic discrete dynamical systems, the purpose of the paper is therefore to identify some of the mathematical properties of chaotic systems that may serve to assess the security of these systems. It is proposed to investigate further the usefulness of chaotic dynamical systems in cryptography, but to look at only those systems for which the chaoticity can be strictly established on an interval $I \subset \mathbb{R}$ or rectangle $I \times J \subset \mathbb{R}^2$. In order to give some indication about the usefulness of these systems in cryptography, it is essential to calculate, at least numerically, the probability distributions and the Liapounov exponents of these systems.

The organization of the paper is as follows: In Section 2, we recall Devaney's definition of a chaotic dynamical system and give some illustrative examples. We also discuss the question of how the chaoticity of a dynamical system is similar when simulating it on a computer. Section 3 shows how to determine important mathematical properties for a given chaotic dynamical system, which can be used as a measure for the cryptographic strength of a corresponding encryption system. Section 4 reviews how various chaotic dynamical systems from the literature are converted into block or stream cipher algorithms and gives some assessment of their security. The paper closes by identifying some open research problems.
2. Chaos for discrete dynamical systems

2.1. Definition

For one-dimensional dynamical systems of the form
$$x_{k+1} = f(x_k), \quad f: I \to I, \quad x_0 \in I, \tag{2}$$
where $f$ is continuous, the following definition of chaotic behaviour, given by Devaney in [17, p. 50], is widely accepted:

Definition 1. A dynamical system of form (2) is said to be chaotic if the following conditions hold:
(i) Sensitive dependence on initial conditions:
$$\exists \delta > 0 \;\; \forall x_0 \in I,\ \varepsilon > 0 \;\; \exists n \in \mathbb{N},\ y_0 \in I: \; |x_0 - y_0| < \varepsilon \Rightarrow |f^n(x_0) - f^n(y_0)| > \delta \tag{3}$$
(ii) Topological transitivity:
$$\forall I_1, I_2 \subset I \;\; \exists x_0 \in I_1,\ n \in \mathbb{N}: \; f^n(x_0) \in I_2 \tag{4}$$
(iii) Density of periodic points in $I$: Let $P = \{p \in I \mid \exists n \in \mathbb{N}: f^n(p) = p\}$ be the set of periodic points of $f$. Then $P$ is dense in $I$:
$$\overline{P} = I \tag{5}$$

Recently, it has been shown in [19] that this definition is redundant, since condition (i) follows from conditions (ii) and (iii). Moreover, it can be shown that
(ii) and (iii) are preserved under topological semiconjugacy (two maps $f: I_1 \to I_1$ and $g: I_2 \to I_2$ are called topologically semiconjugate if there is a continuous, surjective map $h: I_1 \to I_2$ such that $h \circ f = g \circ h$; they are called topologically conjugate if $h$ is a bijection and the inverse map $h^{-1}$ is also continuous; for more information see e.g. [20]). Summarizing, the following theorem holds:

Theorem 1. If $f$ constitutes a chaotic map and $g$ is topologically semiconjugate to $f$, then $g$ is also chaotic.

This theorem is the main tool in establishing the chaotic properties of many dynamical systems.

2.2. Examples for chaotic discrete dynamical systems

Example 1 (Maps on the circle). Consider the maps $f_n$ defined on the circle $S^1 = \{\vartheta \mid 0 \le \vartheta \le 2\pi\}$ via
$$f_n: S^1 \to S^1, \quad f_n(\vartheta) = n\vartheta \bmod 2\pi. \tag{6}$$
For $n \ge 2$, the $f_n$ can easily be shown to fulfill conditions (i) and (ii) of Definition 1 (cf. [17]). Moreover, the periodic points of period $k$ of the $f_n$ are those $\vartheta_k$ with
$$n^k \vartheta_k \bmod 2\pi = \vartheta_k, \tag{7}$$
meaning that the periodic points of period $k$ of the $f_n$ are given by
$$\vartheta_{k,j} = \frac{2j\pi}{n^k - 1} \bmod 2\pi, \quad j \in \mathbb{N}. \tag{8}$$
Thus, there is a one-to-one correspondence between the rational numbers in the interval $[0, 2\pi]$ and the periodic points of the $f_n$, which shows that the periodic points are dense on $S^1$. Therefore, we have seen that the $f_n$ are chaotic on $S^1$ for $n \ge 2$.

Example 2 (Chebychev polynomials). The Chebychev polynomials $T_n$ are polynomials of degree $n$ defined on $I = [-1, 1]$ by
$$T_n(x) = \cos(n \arccos(x)). \tag{9}$$
The first three Chebychev polynomials are given by $T_0(x) = 1$, $T_1(x) = x$ and $T_2(x) = 2x^2 - 1$. Further $T_n$ can be derived from the recursion relation
$$T_{n+1}(x) = 2xT_n(x) - T_{n-1}(x). \tag{10}$$
An explicit formula for the coefficients and many other mathematical properties and applications of the $T_n$ can be found in [21]. For technical applications in the area of circuit design, see [22]. Considering $h: S^1 \to [-1, 1]$, $h(\vartheta) = \cos(\vartheta)$ and noting that
$$h \circ f_n = \cos(n\vartheta) = T_n \circ h, \tag{11}$$
where the $f_n$ are the maps of the circle considered in Example 1, we see that the dynamical systems
$$x_{k+1} = T_n(x_k), \quad x_0 \in I = [-1, 1], \tag{12}$$
where $T_n$ is the $n$th Chebychev polynomial, are chaotic for $n \ge 2$. Moreover, the periodic points of period $p$ of the $T_n$ are given by
$$x_{p,j} = \cos\left(\frac{2j\pi}{n^p - 1}\right), \quad j \in \mathbb{N}. \tag{13}$$

Example 3 (The logistic function). The well-known logistic function
$$F(x) = 4x(1 - x) \tag{14}$$
is topologically conjugate to $T_2(x) = 2x^2 - 1$ via $h(t) = \frac{1}{2}(1 - t)$ on $I = [0, 1]$; therefore the dynamical system defined via
$$x_{k+1} = 4x_k(1 - x_k) \tag{15}$$
is chaotic on $[0, 1]$.

Example 4 (The tent map). The tent map is described by the function
$$\eta(x) = \begin{cases} 2x & \text{for } 0 \le x \le 1/2, \\ 2(1 - x) & \text{for } 1/2 \le x \le 1. \end{cases} \tag{16}$$
As one can verify by a simple calculation, the tent map is topologically conjugate to the logistic function via $h(t) = \sin^2(\pi x/2)$; therefore it is chaotic on $[0, 1]$.

2.3. Chaos on the computer

When iterating the dynamical systems of the previous section on a computer, one has to bear in mind that a computer has only a finite memory and can thus represent only finitely many numbers. Therefore, e.g. condition (ii) of our definition of chaos can never be fulfilled on a computer, since the dynamical system on a computer is not situated in the real numbers, but in a finite number system instead. The problem of iterating a dynamical system in a discrete and finite context has been investigated by Robert [23]:

Definition 2. Let $X$ be a finite (generally very large) set and $F$ be a map of $X$ onto itself. The sequence defined by
$$x_{n+1} = F(x_n), \quad n = 0, 1, 2, \ldots, \quad x_0 \in X \tag{17}$$
is called a discrete iteration.

This is exactly the situation we are in when simulating a dynamical system on a computer. As Robert points out, discrete iterations either end at fixed points or in
cycles of a certain length; due to the finiteness of $X$ (i.e. the computer memory) there is no other possibility. In particular, every chaotic system simulated on a computer will finally end up in a periodic cycle. It therefore remains an open problem how the definition of a chaotic dynamical system can be extended to these discrete iterations (see footnote 1). However, numerical experiments carried out by [24] have shown that the mean cycle length $L$ of the system discussed in Section 4.2 is $O(2^{P/2})$, where $P$ is the number of bits of precision. The estimate seems to be a good working assumption when working with chaotic systems on the computer, but should be verified in each case, as there are no mathematical results in this area yet.

Still, there is another problem: Since the rounding errors made in each iteration will blow up due to the sensitivity on initial conditions of the systems, the "real" trajectory $(x_k)$ and the calculated trajectory $(\tilde{x}_k)$ will soon differ considerably from each other. However, there is a mathematical result called the "Shadowing Lemma" due to Coven et al. [25], which guarantees that one can always find a "real" trajectory $(y_k)$ that is arbitrarily near to the calculated trajectory $(\tilde{x}_k)$. Therefore, at least statistical theoretical results as presented in the next section remain true for "chaotic" discrete iterations on the computer.
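
The per-case verification of cycle lengths called for above can be done with a standard cycle-detection routine. The following is an added Python example, not code from the paper: it runs the logistic map (15) and the tent map (16) as discrete iterations on a $P$-bit fixed-point grid and measures transient and cycle lengths with Brent's algorithm. The fixed-point representation, the floor rounding, the function names and the pseudo-random starting states are assumptions made for the illustration.

```python
import random

def brent(f, x0):
    """Brent's cycle detection: return (mu, lam) for the orbit of x0 under f,
    where mu is the length of the transient and lam the length of the cycle."""
    power = lam = 1
    tortoise, hare = x0, f(x0)
    while tortoise != hare:
        if power == lam:              # start a new power-of-two search window
            tortoise, power, lam = hare, power * 2, 0
        hare = f(hare)
        lam += 1
    tortoise = hare = x0
    for _ in range(lam):              # put the hare lam steps ahead
        hare = f(hare)
    mu = 0
    while tortoise != hare:           # they first meet at the cycle entry
        tortoise, hare = f(tortoise), f(hare)
        mu += 1
    return mu, lam

def logistic_fixed(P):
    """Logistic map (15) on the grid x = X / 2^P with integer state X in [0, 2^P].
    The floor division is the rounding a fixed-point implementation performs."""
    M = 1 << P
    return lambda X: (4 * X * (M - X)) // M

def tent_fixed(P):
    """Tent map (16) on the same grid; exact in integers, no rounding needed."""
    M = 1 << P
    return lambda X: 2 * X if 2 * X <= M else 2 * (M - X)

def survey(make_map, P, seeds=200, rng_seed=1):
    """(mu, lam) for `seeds` pseudo-random P-bit starting states (constructed inputs)."""
    rng = random.Random(rng_seed)
    f = make_map(P)
    return [brent(f, rng.randrange(1, 1 << P)) for _ in range(seeds)]

def mean_cycle_length(make_map, P, **kw):
    results = survey(make_map, P, **kw)
    return sum(lam for _, lam in results) / len(results)

if __name__ == "__main__":
    print(" P  logistic mean cycle  2^(P/2)  tent mean cycle")
    for P in range(8, 25, 4):
        print(f"{P:2d}  {mean_cycle_length(logistic_fixed, P):19.1f}  "
              f"{2 ** (P / 2):7.0f}  {mean_cycle_length(tent_fixed, P):15.1f}")
```

On a binary grid the tent map only shifts bits, so every starting state reaches the fixed point 0 after at most $P + 1$ steps; a map that is chaotic on the real interval can therefore be a degenerate discrete iteration.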
Footnote 1: In what follows, we will call a discrete iteration on the computer "chaotic" if the underlying dynamical system is chaotic in a mathematically strict sense.

3. Liapounov exponents and probability distributions

If we use a chaotic dynamical system for encrypting plaintext, either by using $x_0$ as the secret key or as plaintext (cf. Section 4), two questions are of major importance: First, how strong is the sensitivity to the initial conditions? The stronger this dependency is, the less information on the key or the plaintext can be gained from a single $x_k$. The second question is: How will the $x_k$, from which the ciphertext is derived, be distributed on $I$?

3.1. The Liapounov exponent

The Liapounov exponent provides an answer to the first of these questions. It is defined as follows (cf. e.g. [26]):

Definition 3. For dynamical systems of form (2) and $x_0 \in I$,
$$\lambda(x_0) := \lim_{T \to \infty} \frac{1}{T} \sum_{k=0}^{T-1} \log |f'(x_k)| \tag{18}$$
is called the Liapounov exponent.

For chaotic dynamical systems, the Liapounov exponent is independent of the initial value $x_0$, as long as $x_0$ is not periodic. The Liapounov exponent shows how strongly on average an initial displacement is increased by repeated application of $f$. It is therefore an important measure of the strength of the sensitivity to the initial conditions of a dynamical system. Using the fact that the Liapounov exponent is invariant under topological conjugation [26], we can easily derive the Liapounov exponents of the example systems described in Section 2.

Example 5. Using Definition 3, we immediately see that the Liapounov exponent for the maps of the circle of Example 1 is $\log n$. By topological conjugacy, it follows that the $n$th Chebychev polynomial has Liapounov exponent $\log n$ as well, while the logistic function and the tent map have Liapounov exponent $\log 2$.

3.2. Probability distributions

If we start iterating a dynamical system on a computer, how can we know how the resulting $x_k$ are, at least in theory, distributed? In some cases, this probability distribution can be explicitly calculated. If a dynamical system (2) is chaotic, due to condition (ii) of Definition 1 the sequences $(x_k)$ show ergodic behaviour, meaning that they come arbitrarily close to each point in $I$ for some starting point $x_0 \in I$. For these ergodic systems, Collet and Eckmann [18] show that the probability distribution $\nu(y)$ of the $(x_k)$ is the (up to a constant factor $c$) unique solution of the Frobenius–Perron equation
$$\nu(y) = \sum_{x \in f^{-1}(y)} \frac{\nu(x)}{|f'(x)|}. \tag{19}$$

Remark 1. The constant factor $c$ can be determined by requiring that
$$\int_I \nu(x)\,dx = 1. \tag{20}$$
In cases where an explicit solution of the Frobenius–Perron equation is not possible, numerical techniques may be employed.

Example 6 (Maps on the circle). The $f_n$ defined in Section 2 on the circle have the uniform distribution $\nu(y) = 1/2\pi$. To see this, we have to show that $\nu$ is a solution of (19). First, the set $f_n^{-1}(y)$ is determined:
$$f_n^{-1}(y) = \{\vartheta \in S^1 \mid f_n(\vartheta) = y\} = \{\vartheta \in S^1 \mid n\vartheta \bmod 2\pi = y\} = \left\{\vartheta \in S^1 \;\middle|\; \vartheta = \frac{y + 2(i-1)\pi}{n},\ i = 1, \ldots, n\right\} \tag{21}$$
Thus,
$$\sum_{\vartheta \in f_n^{-1}(y)} \frac{\nu(\vartheta)}{|f_n'(\vartheta)|} = \sum_{i=1}^{n} \frac{1}{2\pi n} = \frac{1}{2\pi} \overset{!}{=} \nu(y). \tag{22}$$
Finally, $\nu(x) = 1/2\pi$ is a valid probability distribution over $S^1$, since we have $\int_0^{2\pi} \nu(x)\,dx = 1$.

Example 7 (Chebychev polynomials). Chebychev polynomials $T_n$ all have the probability distribution
$$\nu(x) = \frac{1}{\pi\sqrt{1 - x^2}}. \tag{23}$$
This was shown for $T_2$ by Ulam and von Neumann [27] and for all $n \ge 2$ by Adler and Rivlin [28]. To verify that $\nu$ is indeed a solution of (19), as in Example 6, the first step is to determine the set $T_n^{-1}(y)$ for arbitrary $y \in I = (-1, 1)$. From (21), we know that
$$f_n(\vartheta_i) = \vartheta \quad \text{for} \quad \vartheta_i = \frac{\vartheta + 2(i-1)\pi}{n}, \quad i = 1, \ldots, n. \tag{24}$$
By setting $y = \cos(\vartheta)$ and $x_i = \cos(\vartheta_i)$, we arrive at
$$T_n^{-1}(y) = \left\{ x_i = \cos\left(\frac{\arccos(y) + 2(i-1)\pi}{n}\right),\ i = 1, \ldots, n \right\}. \tag{25}$$
Furthermore,
$$T_n'(x_i) = \frac{n \sin(\arccos(y) + 2(i-1)\pi)}{\sqrt{1 - x_i^2}} = \frac{n \sin(\arccos(y))}{\sqrt{1 - x_i^2}}. \tag{26}$$
This yields
$$\sum_{x \in T_n^{-1}(y)} \frac{\nu(x)}{|T_n'(x)|} = \sum_{i=1}^{n} \frac{1/(\pi\sqrt{1 - x_i^2})}{|n \sin(\arccos(y))| / \sqrt{1 - x_i^2}} = \frac{1}{\pi |\sin(\arccos(y))|} = \frac{1}{\pi\sqrt{\sin^2(\arccos(y))}} = \frac{1}{\pi\sqrt{1 - \cos^2(\arccos(y))}} = \frac{1}{\pi\sqrt{1 - y^2}} \overset{!}{=} \nu(y)$$

Remark 2. Using the same technique (i.e. "guessing" a distribution and then verifying that it is a solution of (19)), one sees that the distribution for the tent map is $\nu(x) \equiv 1$, while for the logistic function we have $\nu(x) = 1/\pi\sqrt{x(1 - x)}$. These examples show that the probability distribution of a dynamical system is not invariant under topological conjugacy.

Remark 3. Obviously, for the Chebychev polynomials, it is possible to increase the Liapounov exponent (by choosing a higher index $n$) without changing the probability distribution.
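
Both quantities of this section can be checked numerically. The following is an added Python example, not code from the paper: `lyapunov` evaluates the time average of Definition 3 along one floating-point orbit, and `fp_residual` performs the "guess and verify" step of Remark 2 by inserting a candidate density into the Frobenius–Perron equation (19) at a set of test points. The function names, the seed 0.3 and the test grids are assumptions made for the illustration.

```python
import math

def lyapunov(f, df, x0, steps=20000, burn=100):
    """Finite-T version of eq. (18): average of log|f'(x_k)| along one orbit."""
    x = x0
    for _ in range(burn):                 # discard the transient
        x = f(x)
    total, used = 0.0, 0
    for _ in range(steps):
        d = abs(df(x))
        if d > 0.0:                       # log is undefined at critical points
            total += math.log(d)
            used += 1
        x = f(x)
    return total / used

def fp_residual(preimages, df, nu, ys):
    """Largest violation of the Frobenius-Perron equation (19) over the points ys."""
    return max(abs(nu(y) - sum(nu(x) / abs(df(x)) for x in preimages(y)))
               for y in ys)

def chebyshev(n):
    """T_n (eq. 9), its derivative, its preimage set (eq. 25) and density (eq. 23)."""
    f = lambda x: math.cos(n * math.acos(x))
    def df(x):
        s = math.sqrt(1.0 - x * x)
        # T_n'(+-1) has absolute value n^2; avoid dividing by zero there
        return float(n * n) if s == 0.0 else n * math.sin(n * math.acos(x)) / s
    pre = lambda y: [math.cos((math.acos(y) + 2 * i * math.pi) / n) for i in range(n)]
    nu = lambda x: 1.0 / (math.pi * math.sqrt(1.0 - x * x))
    return f, df, pre, nu

def logistic():
    """F(x) = 4x(1-x) (eq. 14) with the density stated in Remark 2."""
    f = lambda x: 4.0 * x * (1.0 - x)
    df = lambda x: 4.0 - 8.0 * x
    pre = lambda y: [(1.0 - math.sqrt(1.0 - y)) / 2, (1.0 + math.sqrt(1.0 - y)) / 2]
    nu = lambda x: 1.0 / (math.pi * math.sqrt(x * (1.0 - x)))
    return f, df, pre, nu

def tent():
    """Tent map (eq. 16) with the uniform density stated in Remark 2."""
    f = lambda x: 2 * x if x <= 0.5 else 2 * (1 - x)
    df = lambda x: 2.0 if x <= 0.5 else -2.0
    pre = lambda y: [y / 2, 1 - y / 2]
    nu = lambda x: 1.0
    return f, df, pre, nu

INNER = [k / 10 for k in range(-9, 10)]   # test points in (-1, 1)
UNIT = [k / 20 for k in range(1, 20)]     # test points in (0, 1)

def report():
    """(name, estimated exponent, exact exponent, Frobenius-Perron residual) per map."""
    rows = []
    for n in (2, 3, 5):
        f, df, pre, nu = chebyshev(n)
        rows.append((f"T_{n}", lyapunov(f, df, 0.3), math.log(n),
                     fp_residual(pre, df, nu, INNER)))
    f, df, pre, nu = logistic()
    rows.append(("logistic", lyapunov(f, df, 0.3), math.log(2),
                 fp_residual(pre, df, nu, UNIT)))
    return rows

if __name__ == "__main__":
    for name, est, exact, resid in report():
        print(f"{name:9s} lambda ~ {est:.4f} (exact {exact:.4f})  residual {resid:.1e}")
```

Passing the uniform density of the tent map to `fp_residual` together with the logistic map's preimages gives a large residual, which is the statement of Remark 2 that the distribution is not invariant under topological conjugacy.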

4. Applications in cryptography

In this section, we will apply the theoretical results presented so far to the cryptological concepts of block and stream ciphers and briefly review some of the various attempts to use the dynamical systems introduced above for cryptographic purposes that have appeared in the literature.

4.1. Blockciphers

The general approach to using a dynamical system as a blockcipher is to use a parametrized map $f_a: I \to I$ or $f_a: I \times I \to I \times I$, where the parameter $a$ is the secret key and the initial value $x_0$ is the plaintext. After a specified number $n$ of iterations, the number $f_a^n(x_0)$ is taken as ciphertext. Thus, the probability distribution of $f_a$ is at the same time the distribution of the ciphertext. The Liapounov exponent of $f_a$ is an indication of how big $n$ should be chosen in order to offer the necessary security.

Example 8.
(i) Habutsu et al. in [10] have suggested using a generalized form of the tent map,
$$\eta_a(x) = \begin{cases} \dfrac{x}{a} & \text{for } 0 \le x \le a, \\ \dfrac{x - 1}{a - 1} & \text{for } a \le x \le 1. \end{cases} \tag{27}$$
For $a = 0.5$, we get the tent map of Example 4. $\eta_a$ has uniform probability distribution $\nu(x) \equiv 1$ and Liapounov exponent $\frac{1}{2}(\log(1/a) + \log(1/(1 - a)))$. For encrypting a message block $M$, $M$ has to be converted into a real number $m$ between 0 and 1 and is then iterated $n$ times. The secret key is the parameter $a$, and the ciphertext is the number $\eta_a^{-n}(m)$. Habutsu et al. suggest choosing $a$ between 0.4 and 0.6 and $n$ around 75. This cryptosystem was subsequently broken by Biham [29] by mounting a chosen ciphertext attack on the system and exploiting its piecewise linear structure. This kind of attack seems unavoidable for this type of cryptosystem, even if a different chaotic map is used for the encryption process. Moreover, one has to cope with the quantization errors which will inevitably occur and blow up in the course of calculation, which limits the Liapounov exponent of the functions that can be used and thus the level of security.
(ii) Fridrich, in [5], has proposed utilizing a generalized form $B_{(n_1, \ldots, n_k)}$ of the original Baker map
$$B(x, y) = \begin{cases} (2x,\ y/2) & \text{for } 0 \le x < 1/2, \\ (2x - 1,\ y/2 + 1/2) & \text{for } 1/2 \le x \le 1, \end{cases} \tag{28}$$
[30] on the unit square for encrypting two-dimensional images, where again the parameters $n_1, \ldots, n_k$ serve as (part of) the key. Fridrich also investigates the
cryptographic strength of the cipher by looking at known-plaintext and known-ciphertext attacks. Fridrich's approach deserves further attention since it seems to be both secure and also highly performant.
(iii) Another two-dimensional system has been proposed by Kotulski et al. in [13,14]. Similar to Habutsu's approach, the plaintext is encrypted into pre-images of non-invertible mappings during ciphering, where the proper selection of the pre-image forms part of the key. Again, the piecewise linear structure of the applied mapping can be exploited to mount known-plaintext attacks on the system.

4.2. Streamciphers

The general approach to using a chaotic dynamical system as a key stream generator is the following: Consider the chaotic dynamical system
$$x_{k+1} = f(x_k), \tag{29}$$
where $f: I \to I$ is chaotic on $I$ or $I \times I$, and keep $x_0 \in I$ secret. There are two ways of deriving a running key sequence from the $x_k$, cf. [31,11]: The first possibility is to use a threshold function
$$\theta_c(x) = \begin{cases} 0 & \text{for } x < c, \\ 1 & \text{for } x \ge c, \end{cases} \tag{30}$$
to obtain a binary sequence $(\theta_c(x_k)) = (\theta_c(f^k(x_0)))$. If the probability distribution $\nu$ of $f: I \to I$, $I = [\ell, r]$, is known, one may choose $c$ such that e.g.
$$\mathrm{prob}[\theta_c(x_k) = 0] = \int_\ell^c \nu(x)\,dx \tag{31}$$
gives the desired value. The other possibility is to define a bit sequence $b_i(x_k)$ by taking the $i$th bit $b_i$ of $|x_k|$ in binary representation. The bit sequence can be written as the direct sum of $2^i - 1$ binary sequences with thresholds $c_j = j/2^i$, $1 \le j \le 2^i - 1$. In both cases, the initial value $x_0$ serves as a key. In double-precision floating point format this yields a 64-bit key. If one needs a bigger key space, the parameter $c$ of the threshold function can also be made part of the key. In this case, however, in order to prevent an attacker from deriving $c$ from the statistics of the key sequence, one should use
$$\theta_c(x_k) \oplus \theta_{\tilde{c}}(x_k), \tag{32}$$
where
$$\mathrm{prob}[\theta_{\tilde{c}}(x_k) = 0] = \int_\ell^{\tilde{c}} \nu(x)\,dx = \frac{1}{2}, \tag{33}$$
as the running key instead, in order to conceal the statistics of the sequence generated by $\theta_c(x_k)$.
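
The two derivations of a running key described above, as an added Python example that is not code from the paper. It solves (31) for the threshold $c$ under the Chebychev density (23), measures the resulting fraction of zero bits on an orbit of $T_2$, and checks that the $i$th bit of $|x|$ equals the mod-2 sum of the $2^i - 1$ threshold bits with $c_j = j/2^i$. The choice of $T_2$, the seed 0.3, the orbit length and all function names are assumptions made for the illustration.

```python
import math

def chebyshev_orbit(x0, count, n=2, burn=50):
    """x_{k+1} = T_n(x_k) (eq. 12), computed as cos(n arccos x); x0 is the secret seed."""
    x, out = x0, []
    for k in range(burn + count):
        if k >= burn:                     # skip the first `burn` values
            out.append(x)
        x = math.cos(n * math.acos(x))
    return out

def theta(c, x):
    """Threshold function of eq. (30)."""
    return 0 if x < c else 1

def threshold_for(p0):
    """Solve eq. (31) for c under the Chebychev density (23) on [-1, 1]:
    integral_{-1}^{c} dx / (pi sqrt(1 - x^2)) = 1/2 + arcsin(c)/pi = p0."""
    return math.sin(math.pi * (p0 - 0.5))

def zero_fraction(bits):
    return bits.count(0) / len(bits)

def bit_i(i, x):
    """i-th binary digit of |x| after the binary point, for |x| < 1."""
    return int(abs(x) * (1 << i)) & 1

def bit_i_from_thresholds(i, x):
    """The same bit as the mod-2 sum of the threshold bits with c_j = j / 2^i:
    floor(|x| 2^i) thresholds lie at or below |x|, and its parity is the i-th bit."""
    b = 0
    for j in range(1, 1 << i):
        b ^= theta(j / (1 << i), abs(x))
    return b

def demo(seed=0.3, count=20000):
    """(desired prob[bit = 0], threshold c, measured fraction of zero bits)."""
    xs = chebyshev_orbit(seed, count)
    rows = []
    for p0 in (0.5, 0.25, 0.9):
        c = threshold_for(p0)
        rows.append((p0, c, zero_fraction([theta(c, x) for x in xs])))
    return rows

if __name__ == "__main__":
    for p0, c, measured in demo():
        print(f"target {p0:.2f}  c = {c:+.4f}  measured {measured:.4f}")
```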

There are several points that make cryptosystems of this type appealing: Even if an attacker knows a portion of the plaintext transmitted, for each $x_k$ of the underlying real-valued sequence, only one bit (even less, if the threshold $c$ is a part of the key) of the binary representation is revealed to him. But since the dynamical system has the property of having sensitive dependence on initial conditions, knowing only a part of a sequence number brings the attacker very little information about what the next sequence number might be. The sensitivity on initial conditions, i.e. the degree of separation of trajectories which are initially very close to each other, is the stronger, the greater the Liapounov exponent (cf. Definition 3) of $f$ is. Furthermore, as long as the underlying $f$ is chaotic on $I$, one does not have to worry about periodic cycles of the $x_k$: Due to property (iii) in Definition 1, the set of periodic points has measure zero on $I$, which means that the probability of starting with a periodic $x_0$ is zero. Moreover, all the periodic points of a chaotic $f$ are repelling (if the periodic cycles were not repelling, an essential condition for chaos (see condition (ii) of Definition 1) could not be fulfilled).

Example 9.
(i) The first attempt to use a chaotic dynamical system as a key stream generator was made by Matthews [9]. He suggests using a generalized logistic equation
$$g(x) = (b + 1)(1 + 1/b)^b \, x(1 - x)^b \tag{34}$$
The starting value $x_0$ of the sequence $x_{k+1} = g(x_k)$ generated by $g$ and the parameter $b$ are secret parameters of the system. Matthews suggests taking the two least significant digits of the $x_k$, reducing them modulo 25 and then using this as a running key, which is added mod 25 to the plaintext. The problem with Matthews's approach is that his $g$ is rather complicated, so that we do not know where this function is actually chaotic. We do not have any theoretical results about where the periodic points of $g$ may lie, nor do we know about the distribution of the resulting sequence $x_k$.
(ii) A much more promising approach is to use functions with well-understood chaotic properties as key stream generators as proposed in e.g. [11] for the Chebychev polynomials. Here we have complete knowledge about the periodic points (cf. (13)), we know about the probability distribution and even the correlation functions of the derived binary and bit sequences [31].
(iii) Alas, Hong and Xieting [12] construct binary chaotic sequences from a class of piecewise linear functions
$$F_p(x) = \begin{cases} -1 + 2(x - a_i)/(a_{i+1} - a_i) & \text{if } x \in [a_i, a_{i+1}), \\ F_p(-x) & \text{if } x \in [-1, 0), \\ 1 & \text{if } x = 1, \end{cases} \tag{35}$$
where the parameters $\{a_1, \ldots, a_p\}$ divide $[0, 1]$ into $p + 1$ arbitrary intervals. Here, chaoticity and probability distribution have been established in [8], while Hong and Xieting derive autocorrelation, crosscorrelation and linear complexity of the resulting binary sequence.

5. Conclusion

In this contribution some of the mathematical properties that can help to assess the cryptographic security of a chaotic dynamical system are identified. We have investigated some proposed block cipher and stream cipher systems based on chaotic dynamical systems. A particularly interesting candidate for key stream generators are Chebychev polynomials, whose chaoticity can be established easily and whose other properties are also accessible to mathematical analysis. For further research in this direction, the following problems should be tackled:

* Investigate the impact of the Liapounov exponent on security and performance of the systems.
* Determine additional statistical properties of the keystream generated by a chaotic dynamical system.
* Strictly define the meaning of the term "chaotic" for a discrete iteration (cf. Definition 2).
* Determine the average mean cycle length of chaotic dynamical systems on the computer.

Acknowledgements

I would like to thank my colleague Dr. Klaus Huber for his encouragement and helpful comments on this contribution. I am also indebted to Prof. Kohda of Kyushu University for valuable discussions and for pointing me to Refs. [28,21].

References

[1] C.E. Shannon, Communication Theory of Secrecy Systems, Bell Systems Tech. J. 28 (1949) 656–715.
[2] J.L. Massey, Contemporary cryptology: an introduction, in: G.J. Simmons (Ed.), Contemporary Cryptology, IEEE Press, New York, 1992.
[3] L. Pecora, T. Carroll, Synchronization in chaotic systems, Phys. Rev. Lett. 64 (8) (1990) 821–824.
[4] T. Yang, C. Wu, L. Chua, Cryptography based on chaotic systems, IEEE Trans. Circuits Systems I 44 (5) (1997) 469–472.
[5] R. He, P. Vaidya, Implementation of chaotic cryptography with chaotic synchronization, Phys. Rev. E 57 (2) (1998) 1532–1535.
[6] Y. Chu, S. Chang, Dynamical cryptography based on synchronised chaotic systems, Electron. Lett. 35 (12) (1999) 974–975.
[7] S. Papadimitriou, A. Bezerianos, T. Bountis, Secure communication with chaotic systems of difference equations, IEEE Trans. Comput. 46 (1) (1997) 27–38.
[8] L. Chua, Y. Yao, Q. Yang, Generating randomness from chaos and constructing chaos with desired randomness, Int. J. Circuit Theory Appl. 18 (1990) 215–240.
[9] R. Matthews, On the derivation of a chaotic encryption algorithm, Cryptologia XIII 1 (1989) 29–41.
[10] T. Habutsu, Y. Nishio, I. Sasase, S. Mori, A secret key cryptosystem by iterating a chaotic map, Proceedings of the EUROCRYPT '91, Springer, Berlin, 1991, pp. 127–140.
[11] T. Kohda, A. Tsuneda, Chaotic bit sequences for stream cipher cryptography and their correlation functions, SPIE Proc. 2612 (1995) 86–97.
[12] Z. Hong, L. Xieting, Generating chaotic secure sequences with desired statistical properties and high security, Int. J. Bifurc. Chaos 7 (1) (1997) 205–213.
[13] Z. Kotulski, J. Szczepanski, Discrete chaotic cryptography, Ann. Phys. 6 (1997) 381–394.
[14] Z. Kotulski, J. Szczepanski, K. Gorski, A. Paszkiewicz, A. Zugaj, Application of discrete chaotic dynamical systems in cryptography - DCC method, Int. J. Bifurc. Chaos 9 (6) (1999) 1121–1135.
[15] J. Fridrich, Symmetric ciphers based on two-dimensional chaotic maps, Int. J. Bifurc. Chaos 8 (6) (1998) 1259–1284.
[16] R. Brown, L. Chua, Clarifying chaos: examples and counter examples, Int. J. Bifurc. Chaos 6 (2) (1996) 219–249.
[17] R.L. Devaney, An Introduction to Chaotic Dynamical Systems, 2nd Edition, Addison-Wesley Publishing Company, Reading, MA, 1989.
[18] P. Collet, J.-P. Eckmann, Iterated maps of the interval as dynamical systems, Birkhäuser, Basel, 1980.
[19] J. Banks, G. Cairns, G. Davis, P. Stacey, On Devaney's definition of chaos, Am. Math. Monthly 99 4 (1992) 332–334.
[20] H.O. Peitgen, H. Jürgens, D. Saupe, Fractals for the Classroom, Part 2, Springer, New York, 1992.
[21] T.J. Rivlin, Chebychev Polynomials, Wiley, New York, 1990.
[22] K. Huber, Über Anwendungen der Tschebyscheffschen Polynomen in der Schaltungstechnik, Frequenz 52 (1998) 11–13.
[23] F. Robert, Discrete Iterations, Springer, Berlin, 1986.
[24] R. Matthews, D. Wheeler, Supercomputer investigations of a chaotic encryption algorithm, Cryptologia XV 2 (1991) 140–152.
[25] E. Coven, I. Kan, J.A. Yorke, Pseudo-orbit shadowing in the family of tent maps, Trans. Amer. Math. Soc. 308 1 (1988) 227–241.
[26] H.G. Schuster, Deterministic Chaos, Wiley/VCH, 1995.
[27] S. Ulam, J.v. Neumann, On combinations of stochastic and deterministic processes, Bull. Am. Math. Soc. 53 (1947) 1120.
[28] R.L. Adler, T.J. Rivlin, Ergodic and mixing properties of Chebychev polynomials, Proc. Am. Math. Soc. 15 (1964) 794–796.
[29] E. Biham, Cryptanalysis of the chaotic-map cryptosystem suggested at EUROCRYPT'91, Proceedings of the EUROCRYPT '91, Springer, Berlin, 1991, pp. 532–534.
[30] F. Pichler, J. Scharinger, Ciphering by Bernoulli shifts in finite abelian groups, in Contributions to General Algebra, Proceedings of the Linz-Conference, Vienna, pp. 465–476.
[31] T. Kohda, A. Tsuneda, Explicit evaluation of correlation functions of Chebyshev binary and bit sequences based on Perron–Frobenius-operator, IEICE Trans. Fund. Electron. Comm. Comput. Sci. E77-A (11) (1994) 1794–1800.