
A connection between chaotic message-embedding and conventional self-synchronizing stream ciphers


HAL Id: hal-00119370

https://hal.archives-ouvertes.fr/hal-00119370

Submitted on 8 Dec 2006



Gilles Millérioux, Jose Maria Amigo, Jamal Daafouz

To cite this version:

Gilles Millérioux, Jose Maria Amigo, Jamal Daafouz. A connection between chaotic message-embedding and conventional self-synchronizing stream ciphers. 2006 International Symposium on Nonlinear Theory and its Applications, NOLTA 2006, Sep 2006, Bologna, Italy. pp.CDROM. ⟨hal-00119370⟩


G. Millérioux†, J.M Amigó‡ and J. Daafouz$

†Université Henri Poincaré, France
Centre de Recherche en Automatique de Nancy (CRAN UMR CNRS 7039)

‡Universidad Miguel Hernández, Spain
Centro de Investigación Operativa

$ Institut National Polytechnique de Lorraine
Centre de Recherche en Automatique de Nancy (CRAN UMR CNRS 7039)

Emails: gilles.millerioux@esstin.uhp-nancy.fr, jm.amigo@umh.es, jamal.daafouz@ensem.inpl-nancy.fr

Abstract: A lot of encryption methods involving chaotic dynamics have been proposed in the literature since the 90's. Most of them consist of "mixing" the information to be hidden with a chaotic sequence. In this paper, a connection between one of the most attractive chaotic schemes, namely hybrid message-embedding, and the conventional self-synchronizing stream cipher is established. The main point can be stated as follows: hybrid message-embedding is strictly equivalent to a conventional self-synchronizing stream cipher under flatness conditions.

1. Introduction

Modern cryptography originates in the works of Feistel at IBM during the late 1960s and early 1970s. One of the key dates is 1977, when the symmetric (or private-key) algorithm called Data Encryption Standard (DES) was adopted by the U.S. National Bureau of Standards (now the National Institute of Standards and Technology, NIST) for encrypting unclassified information. DES is now in the process of being replaced by the Advanced Encryption Standard (AES), a new standard adopted by NIST in 2001.

Another milestone is 1978, marked by the publication of RSA, the first full-fledged public-key algorithm. In 1993, "chaotic cryptography" entered the scene; it takes advantage of the complex behavior of chaotic dynamical systems to 'hide' or 'mask' information. Chaotic behavior can be distinguished by its extreme sensitivity to initial conditions, leading to long-term unpredictability. Moreover, signals resulting from chaotic dynamics are broadband and present random-like statistical properties, although they are generated by deterministic systems. All this explains why there is likely a connection between the random-looking behavior exhibited by chaotic systems and the properties of confusion and diffusion required by Shannon for cryptosystems [9]. It also motivates the use of chaotic systems for secure communications, even though the terminology "secure" is sometimes questionable. An overview of the different methods devised so far can be found, according to the chronology, in the papers [11][3][13][10]. Nevertheless, very few works have really established the connection between standard and chaos-based encryption algorithms, but see [2][6] for some interesting exceptions. In this paper, a connection between one of the most attractive chaotic schemes, namely hybrid message-embedding, and the conventional self-synchronizing stream cipher is carried out.

Throughout the paper, the terminology synchronization between two dynamical systems with respective state vectors $x_k$ and $\hat{x}_k$ will mean that the following equalities are fulfilled:

$$\lim_{k\to\infty} \|T x_k - \hat{x}_k\| = 0 \quad \forall \hat{x}_0 \in U \qquad (1)$$

or

$$\exists k_f < \infty,\quad \|T x_k - \hat{x}_k\| = 0 \quad \forall \hat{x}_0 \in U \text{ and } k \ge k_f \qquad (2)$$

where $T$ is a constant matrix of appropriate dimension and $U$ is a non empty set of initial conditions. (1) corresponds to an asymptotic synchronization, while (2) corresponds to a finite time synchronization. Let us point out that in practice, since we deal with finite accuracy, the error of an asymptotical synchronization can be considered to be zero after a finite transient time.

2. Hybrid Message-embedding

The hybrid message-embedded technique (Fig. 1) was proposed in [14] and partially cryptanalyzed in [12], wherein the term "hybrid" was first introduced. We distinguish two distinct setups. The first one is governed by the state equations:

$$\begin{cases} x_{k+1} = f_\theta(x_k, u_k) \\ y_k = h_\theta(x_k, u_k) \\ u_k = \nu_e(x_k, m_k) \end{cases} \qquad (3)$$

while the second class is governed by:

$$\begin{cases} x_{k+1} = f_\theta(x_k, u_k) \\ y_k = h'_\theta(x_k) \\ u_k = \nu_e(x_k, m_k) \end{cases} \qquad (4)$$


The systems (3) and (4) differ from each other by their relative degree.

Definition 1 ([4] p. 139) The relative degree of a system with respect to the quantity $u_k$ is the required number $r$ of iterations of the output $y_k$ so that $y_{k+r}$ depends on $u_k$, which actually appears explicitly in the expression of $y_{k+r}$.

Based on Definition 1, the relative degree of the system (3) is $r = 0$. The system (4) has a relative degree $r$ strictly greater than 0. It means that, after iterating the state vector $x_k$ $r$ times, the output $y_{k+r}$ reads

$$y_{k+r} = h'_\theta(f_\theta^r(x_k, u_k)) \qquad (5)$$

where

$$f_\theta^i(x_k, u_k) = \begin{cases} x_k & \text{when } i = 0 \\ f_\theta(f_\theta^{i-1}(x_k, u_k), u_{k+i-1}) & \forall i \ge 1 \end{cases}$$

and where $u_k$ appears explicitly in the sense that there exists $u'_k \neq u_k$ such that $y_{k+r} = h'_\theta(f_\theta^r(x_k, u_k)) \neq h'_\theta(f_\theta^r(x_k, u'_k))$, whereas for all $u'_k \neq u_k$, $y_{k+r'} = h'_\theta(f_\theta^{r'}(x_k, u_k)) = h'_\theta(f_\theta^{r'}(x_k, u'_k))$ if $r' < r$. Let us point out that $u_k$ is sometimes called the "pre-ciphertext".

The receiver system must be designed in such a way that both $u_k$ and $x_k$ can be recovered, given the only available data $y_k$ and its subsequent iterates. Once $u_k$ is recovered, the plaintext $m_k$ is correctly extracted by applying the decryption function $\nu_d$, provided that $\hat{x}_k$ is exactly synchronized with $x_k$. The synchronization and the recovery of $u_k$ can resort to an inverse system or to an unknown input observer of the form

$$\begin{cases} \hat{x}_{k+1} = \tilde{f}_\theta(\hat{x}_k, y_k, \dots, y_{k+r}) \\ \hat{u}_k = g_\theta(\hat{x}_k, y_{k+r}) \\ \hat{m}_k = \nu_d(\hat{x}_k, \hat{u}_k) \end{cases} \qquad (6)$$

with $g$ such that

$$\hat{u}_k = g_\theta(\hat{x}_k, y_{k+r}) = u_k \text{ when } \hat{x}_k = x_k \qquad (7)$$

and with $\nu_d$ such that

$$\hat{m}_k = \nu_d(\hat{x}_k, \hat{u}_k) = m_k \text{ when } \hat{x}_k = x_k \text{ and } \hat{u}_k = u_k. \qquad (8)$$

Unlike other classical methods, the hybrid message-embedded technique offers the advantages that only a single channel is needed and, moreover, that the synchronization can be guaranteed without restriction on the rate of variation of $m_k$. Additionally, the scheme allows the introduction of a highly nonlinear function $\nu_e$, which can make the state generator significantly resistant to algebraic attacks.

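[Figure 1: Hybrid message-embedding. Block diagram of the transmitter (blocks $f_\theta$, $h_\theta$, $\nu_e$; signals $x_k$, $m_k$, $u_k$, $y_k$) and the receiver (blocks $\tilde{f}_\theta$, $g$, $\nu_d$; signals $\hat{x}_k$, $\hat{u}_k$, $\hat{m}_k$).]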

3. The connection with self-synchronizing stream ciphers

A major and obvious difference between chaotic ciphers and stream ciphers consists in that a chaotic generator is assumed to produce an aperiodic sequence $\{x_k\}$ ranging in a dense set, while the pseudo-random generators used in stream ciphers produce discrete sequences. Yet, observe that when chaotic generators are implemented in machines with finite accuracy (say, a computer), the sequences $\{x_k\}$ are not really chaotic. Indeed, since the set on which the $x_k$'s take values has finite cardinality, such sequences will obviously get trapped in a loop, called cycle, of finite period. We can expect this period to be not too short and the degree of 'randomness' of the sequence to be high (as measured e.g. by standard statistical tests), but guaranteeing the said properties requires some caution [5]. Important contributions to this issue and a definition of discrete chaos can be found in [7]. Henceforth we focus rather on the structure of the proposed setups for the comparative study, regardless of the dynamic involved.

3.1. Conventional self-synchronizing stream ciphers

For stream ciphers, a special class of symmetric encryption schemes, the plaintext is broken up into blocks of the same length, called symbols and denoted by $m_k$. If $m_k$ is the $k$th symbol of the plaintext at time $k$, each element $c_k$ of the ciphertext obeys at time $k$

$$c_k = e(K_k, m_k).$$

Here $e$ is the encryption function, which can change for each symbol because it depends on a time-varying key $K_k$. The sequence $\{K_k\}$ is called the keystream. Self-Synchronous Stream Ciphers (SSSC) admit, at the transmitter side, the recursions

$$\begin{cases} K_{k+1} = \sigma_\theta^{ss}(c_{k-l}, \dots, c_{k-l'}) \\ c_k = e(K_k, m_k) \end{cases} \qquad (9)$$

where $\sigma_\theta^{ss}$ is also a function parameterized by $\theta$ that generates the keystream $\{K_k\}$. $K_k$ actually depends on a fixed number of past values of $c_k$; the quantity $b = |l - l' + 1|$ is called the memory; most often one has $l = 0$. $\theta$ is the parameter vector of the function $\sigma^{ss}$. If the parameters are identical at both sides, the respective keystreams synchronize automatically because $\sigma_\theta^{ss}$ operates, at both sides, on the same quantities, namely the past values of $c_k$. The ability to self-synchronize constitutes one of the main advantages of such cryptosystems. Indeed, they are resistant against bit slips on the transmission channel without any additional synchronization flags or interactive protocols for recovering lost synchronization.

3.2. Main result

First of all, we must recall the definition of flatness (see [8] for an introductory theory).

Definition 2 (Flatness) A system with dynamic $f$, parametrized by $\theta$, of relative degree $r$, input $e_k$ and state vector $z_k$ of dimension $n$ is said to be flat if there exists a set of independent variables $y_k$, referred to as flat outputs, such that all system variables can be expressed as a function of the flat output and a finite number of its backward and/or forward iterates.

For Single Input Single Output systems, it means that there exist two functions $F_\theta$ and $G_\theta$ which obey

$$\begin{cases} z_k = F_\theta(y_{k+k_{F_\theta}(r)}, \dots, y_{k+k'_{F_\theta}(r)}) \\ e_k = G_\theta(y_{k+k_{G_\theta}(r)}, \dots, y_{k+k'_{G_\theta}(r)}) \end{cases} \qquad (10)$$

where $k_{F_\theta}(r)$, $k'_{F_\theta}(r)$, $k_{G_\theta}(r)$ and $k'_{G_\theta}(r)$ are $\mathbb{Z}$-valued integers depending on the relative degree $r$ of the system.

Proposition 1 The hybrid message-embedding cryptosystem (3) (or (4)) is equivalent to a conventional self-synchronizing stream cipher if the nonlinear dynamic $f$ with output $y_k$ and input $u_k$ is flat.

Proof 1 Flatness of (3), with relative degree $r = 0$, means that there exist two functions $F_\theta$ and $G_\theta$ and integers $k_{F_\theta}(0)$, $k'_{F_\theta}(0)$, $k_{G_\theta}(0)$ and $k'_{G_\theta}(0)$ such that

$$\begin{cases} x_k = F_\theta(y_{k+k_{F_\theta}(0)}, \dots, y_{k+k'_{F_\theta}(0)}) \\ u_k = G_\theta(y_{k+k_{G_\theta}(0)}, \dots, y_{k+k'_{G_\theta}(0)}) \end{cases} \qquad (11)$$

When iterating once forward the first equation of (11), it turns out that (3) is strictly equivalent to

$$\begin{cases} x_{k+1} = F_\theta(y_{k+k_{F_\theta}(0)+1}, \dots, y_{k+k'_{F_\theta}(0)+1}) \\ y_k = h_\theta(x_k, \nu_e(x_k, m_k)) \end{cases} \qquad (12)$$

Letting $l_{h,\nu_e}(x_k, m_k) = h_\theta(x_k, \nu_e(x_k, m_k))$ since $y_k$ depends explicitly on $x_k$ and $m_k$, identification of (12) with (9) leads then to the following result:

i) The system (3) is strictly equivalent to the transmitter part of a self-synchronizing stream cipher of the form (9) with key generator $\sigma_\theta^{ss} = F_\theta$, running key $K_k = x_k$, ciphertext $c_k = y_k$, encrypting function $e = l_{h,\nu_e}$, secret static key $\theta$ and memory $b = |k_{F_\theta}(0) - k'_{F_\theta}(0) + 1|$.

Besides, flatness of (4), with relative degree $r > 0$, means that there exist two functions $F_\theta$ and $G_\theta$ and integers $k_{F_\theta}(r)$, $k'_{F_\theta}(r)$, $k_{G_\theta}(r)$ and $k'_{G_\theta}(r)$ such that

$$\begin{cases} x_k = F_\theta(y_{k+k_{F_\theta}(r)}, \dots, y_{k+k'_{F_\theta}(r)}) \\ u_k = G_\theta(y_{k+k_{G_\theta}(r)}, \dots, y_{k+k'_{G_\theta}(r)}) \end{cases} \qquad (13)$$

When iterating once forward the first equation of (13) and taking into account (5), it turns out that (4) is strictly equivalent to:

$$\begin{cases} x_{k+1} = F_\theta(y_{k+k_{F_\theta}(r)+1}, \dots, y_{k+k'_{F_\theta}(r)+1}) \\ y_{k+r} = h'_\theta(f_\theta^r(x_k, \nu_e(x_k, m_k))) \end{cases} \qquad (14)$$

Letting $l_{h',f^r,\nu_e}(x_k, m_k) = h'_\theta(f_\theta^r(x_k, \nu_e(x_k, m_k)))$ since $y_{k+r}$ depends explicitly on $x_k$ and $m_k$, identification of (14) with (9) leads then to the following result:

ii) The system (4) is strictly equivalent to the transmitter part of a self-synchronizing stream cipher of the form (9) with key generator $\sigma_\theta^{ss} = F_\theta$, running key $K_k = x_k$, ciphertext $c_k = y_{k+r}$, encrypting function $e = l_{h',f^r,\nu_e}$, secret static key $\theta$ and memory $b = |k_{F_\theta}(r) - k'_{F_\theta}(r) + 1|$.

Remark 1 It is worthwhile noticing that the set of equations (11) (resp. (13)) could be used at the receiver part to obtain both $x_k$ and $u_k$ without resorting to a state reconstruction through an inverse system or an Unknown Input Observer like (6). Even more is true: substituting $x_k$ and $u_k$ of (11) (resp. (13)) into (8) gives

$$m_k = \nu_d\big(F_\theta(y_{k+k_{F_\theta}(r)}, \dots, y_{k+k'_{F_\theta}(r)}),\ G_\theta(y_{k+k_{G_\theta}(r)}, \dots, y_{k+k'_{G_\theta}(r)})\big) \qquad (15)$$

with $r = 0$ (resp. $r > 0$). So, the message $m_k$ can be retrieved in finite time, and the knowledge of $x_k$ is no longer useful. However, given a system, the difficulty lies in finding out the quantities $k_{F_\theta}(r)$, $k'_{F_\theta}(r)$, $k_{G_\theta}(r)$ and $k'_{G_\theta}(r)$ and writing down explicitly the functions $F_\theta$ and $G_\theta$. It can be shown (see [1] for the linear case) that resorting to a state space approach actually makes it possible to carry out this computation in an implicit and recursive way. Indeed, for flat systems, only a finite number of iterations of (6) is needed to achieve $\hat{x}_k = x_k$. It turns out that the resulting state vector $\hat{x}_k = x_k$ only depends on past values of $y_k$, which provides $F_\theta$ in (10). Then, substituting $\hat{x}_k = x_k$ into (7) provides $G_\theta$ in (10).

4. Example

We consider a 3-dimensional linear congruential hybrid message-embedded cryptosystem like (4) with dynamic $f$ and output function $h'$ of the form:

$$\begin{cases} x_{k+1} = A x_k + B u_k \\ y_k = C x_k \\ u_k = \nu_e(x_k, m_k) \end{cases} \qquad (16)$$


The entries of the matrices $A$, $B$ and $C$ are integers ranging between 0 and 255, the modulo being $m = 256$. All along this section, the operations are performed modulo $m$.

Numerically, the matrices read

$$A = \begin{bmatrix} 38 & 1 & 0 \\ 7 & 0 & 1 \\ 4 & 0 & 0 \end{bmatrix}, \quad B = \begin{bmatrix} 1 \\ 0 \\ 0 \end{bmatrix}, \quad C = \begin{bmatrix} 1 & 0 & 0 \end{bmatrix}.$$

It is recalled that, for linear systems written in a state space form, the relative degree corresponds to the smallest integer $r$ such that $CA^{r-1}B$ is different from 0 ([4]). Here, since $CB = 1$, the relative degree of the system is 1. The supposed secret static key is the vector $\theta = [38\ 7\ 4]$, which actually corresponds to the first column of $A$ written in a companion form. The function $\nu_e$ is chosen to be a bitwise XOR (denoted $\oplus$) between the components of $x_k$, denoted $x_k^{(i)}$, and the plaintext $m_k$:

$$u_k = x_k^{(1)} \oplus x_k^{(2)} \oplus x_k^{(3)} \oplus m_k,$$

where $x_k^{(i)}$ and $m_k$ are meant here to be the corresponding 8-bit representation. It turns out that after iterating three times the inverse system of (16) (the structure is not provided here but see for example [1] for details), as mentioned in Remark 1, we obtain the equations in the form (13) with $F_\theta$ obeying

$$\begin{cases} x_k^{(1)} = y_k \\ x_k^{(2)} = 7y_{k-1} + 4y_{k-2} \\ x_k^{(3)} = 4y_{k-1} \end{cases} \qquad (17)$$

and the function $G_\theta$ obeying

$$u_k = y_{k+1} - 38y_k - 7y_{k-1} - 4y_{k-2}. \qquad (18)$$

Equations (17) and (18) clearly corroborate that the system is flat. Besides, they provide the actual values $k_{F_\theta}(1) = 0$, $k'_{F_\theta}(1) = -2$, $k_{G_\theta}(1) = 1$ and $k'_{G_\theta}(1) = -2$. The relative degree $r$ of the system being 1, we must compute $y_{k+1}$:

$$\begin{aligned} y_{k+1} &= CAx_k + CB\nu_e(x_k, m_k) = l_{h',f^1,\nu_e}(x_k, m_k) \\ &= 38x_k^{(1)} + x_k^{(2)} + \big(x_k^{(1)} \oplus x_k^{(2)} \oplus x_k^{(3)} \oplus m_k\big) \end{aligned} \qquad (19)$$

Iteration of (17) once forward and consideration of (19) allow us to claim the result ii):

The system (16) is strictly equivalent to the transmitter part of a self-synchronizing stream cipher of the form (9) with key generator $\sigma_\theta^{ss} = F_\theta$ corresponding to Eq. (17), running key $K_k = x_k$, ciphertext $c_k = y_{k+1}$, encrypting function $e = l_{h',f^1,\nu_e}$ corresponding to Eq. (19), secret static key $\theta = [38\ 7\ 4]$ and memory $b = 2 + 1 = 3$.
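The following added example (not code from the paper) runs system (16) as the transmitter and decodes with the delayed-output relations (17) and (18) only, showing the self-synchronization of Section 3.1 and the memory $b = 3$: a wrong start-up history, a corrupted symbol and a lost symbol each disturb only a bounded window of plaintext. The message, the initial state, the function names and the zero-padding of missing history are assumptions of the example.

```python
# Added illustration, not the authors' code: system (16) over Z_256 and a
# receiver built only from the flat-output relations (17)-(18).
M = 256
A = [[38, 1, 0], [7, 0, 1], [4, 0, 0]]    # first column is theta = [38 7 4]
B = [1, 0, 0]

def transmit(msg, x0):
    """Run (16); return the channel sequence y_0..y_N (ciphertext c_k = y_{k+1})."""
    x = list(x0)
    ys = [x[0]]                                   # y_k = C x_k = x^(1)_k
    for m in msg:
        u = x[0] ^ x[1] ^ x[2] ^ m                # u_k = nu_e(x_k, m_k)
        x = [(sum(a * xi for a, xi in zip(row, x)) + b * u) % M
             for row, b in zip(A, B)]             # x_{k+1} = A x_k + B u_k
        ys.append(x[0])
    return ys

def receive(ys):
    """Recover m_k from y_{k+1}, y_k, y_{k-1}, y_{k-2}; no state is carried over.

    Outputs before the start of the stream are taken as 0 (assumption of this
    example), so the first two symbols may decode wrongly.
    """
    def y(i):
        return ys[i] if i >= 0 else 0
    out = []
    for k in range(len(ys) - 1):
        x1 = y(k)                                             # (17)
        x2 = (7 * y(k - 1) + 4 * y(k - 2)) % M
        x3 = (4 * y(k - 1)) % M
        u = (y(k + 1) - 38 * y(k) - 7 * y(k - 1) - 4 * y(k - 2)) % M  # (18)
        out.append(u ^ x1 ^ x2 ^ x3)              # nu_d removes the XOR mask
    return out

def corrupt(ys, j, delta=1):
    """Channel error: y_j is received as y_j + delta (mod 256)."""
    return ys[:j] + [(ys[j] + delta) % M] + ys[j + 1:]

def drop(ys, j):
    """Symbol slip: y_j is lost and the receiver sees a shorter stream."""
    return ys[:j] + ys[j + 1:]

def wrong_positions(expected, decoded):
    return [k for k, (a, b) in enumerate(zip(expected, decoded)) if a != b]

# Constructed sample input.
MSG = list(b"self-synchronizing stream cipher")
X0 = [17, 200, 93]                                # unknown to the receiver

if __name__ == "__main__":
    ys = transmit(MSG, X0)
    print("start-up errors   :", wrong_positions(MSG, receive(ys)))
    print("y_10 corrupted    :", wrong_positions(MSG, receive(corrupt(ys, 10))))
    print("y_10 dropped, tail:", bytes(receive(drop(ys, 10))[12:]))
```

A corrupted $y_{10}$ can only touch $m_9,\dots,m_{12}$, the four symbols whose decoding window contains it; after a dropped symbol the decoded stream realigns, shifted by one position.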

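Retrieving $m_k$ requires the computation (15). Here the function $\nu_d$ is also an XOR between the components of $x_k$ and the (pre-)ciphertext $u_k = \nu_e(x_k, m_k)$, that is, $\nu_d(x_k, u_k) = u_k \oplus x_k^{(1)} \oplus x_k^{(2)} \oplus x_k^{(3)}$. Indeed, $u_k \oplus x_k^{(1)} \oplus x_k^{(2)} \oplus x_k^{(3)} = m_k \oplus x_k^{(1)} \oplus x_k^{(2)} \oplus x_k^{(3)} \oplus x_k^{(1)} \oplus x_k^{(2)} \oplus x_k^{(3)} = m_k$. The system being flat, $x_k^{(i)}$ can be expressed in terms of delayed outputs as indicated by the function $F_\theta$. Hence, one has

$$m_k = (y_{k+1} - 38y_k - 7y_{k-1} - 4y_{k-2}) \oplus y_k \oplus (7y_{k-1} + 4y_{k-2}) \oplus 4y_{k-1}.$$

5. Conclusion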

We conclude, based on the parallelism mentioned above, that digital hybrid message-embedding is able to provide the same security as any conventional self-synchronizing stream cipher, currently being used (e.g., RC4) in, say, internet and mobile communications, under some suitable choice of functions $f$, $h$ (or $h'$) and $\nu_e$.

References

[1] J. Daafouz, M. Fliess, and G. Millérioux. Une approche intrinsèque des observateurs linéaires à entrées inconnues. In Proc. of the Conférence Internationale Francophone d'Automatique, Bordeaux, May 2006.

[2] F. Dachselt, K. Kelber, J. Vandewalle, and W. Schwarz. Chaotic versus classical stream ciphers – a comparative study. In Proc. of Int. Symp. on Circuits and Systems ISCAS'98, volume IV, pages 518–521, Monterey, June 1998.

[3] M. Hasler. Synchronization of chaotic systems and transmission of information. International Journal of Bifurcation and Chaos, 8(4), April 1998.

[4] A. Isidori. Nonlinear control systems. Communications and control engineering series. Springer, 1995.

[5] D. E. Knuth. The Art of Computer Programming, Vol. 2. Addison-Wesley, Reading, MA, 1998.

[6] L. Kocarev. Chaos-based cryptography: a brief overview. IEEE Circuits and Systems Magazine, 1(3):6–21, 2001.

[7] L. Kocarev, J. Szczepanski, J. M Amigo, and I. Tomosvski. Discrete chaos: part i. IEEE Trans. on Circuits and Systems I, 2006. In press.

[8] M. Fliess, J. Levine, P. Martin, and P. Rouchon. Flatness and defect of non-linear systems: introductory theory and examples. Int. Jour. of Control, 61(6):1327–1361, 1995.

[9] J.L. Massey. Contemporary cryptology: an introduction. G.J. Simmons, New York, IEEE Press edition, 1992.

[10] G. Millérioux, A. Hernandez, and J.M Amigó. Conventional cryptography and message-embedding. In Proc. of the 2005 International Symposium on Nonlinear Theory and its Applications (NOLTA 2005), Bruges, Belgium, 18-21 October 2005.

[11] M. J. Ogorzalek. Taming chaos - part: synchronization. IEEE Trans. Circuits. Syst. I: Fundamental Theo. Appl, 40(10):693–699, 1993.

[12] A. T. Parker and K. M. Short. Reconstructing the keystream from a chaotic encryption scheme. IEEE Trans. on Circ. and Syst., 48(5):624–630, May 2001.

[13] T. Yang. A survey of chaotic secure communication systems. Int. J. of Computational Cognition, 2004. (available at http://www.YangSky.com/yangijcc.htm).

[14] T. Yang, C. W. Wu, and L. O. Chua. Cryptography based on chaotic systems. IEEE Trans. Circuits. Syst. I: Fundamental Theo. Appl, 44(5):469–472, May 1997.
