cryptanalysis of a cryptosystem using multiple one-dimensional chaotic maps

www.elsevier.com/locate/cnsns

Communications in Nonlinear Science and Numerical Simulation 12 (2007) 814–822

Cryptanalysis of a cryptosystem using multiple one-dimensional chaotic maps

Jun Wei a,b,*, Xiaofeng Liao a, Kwok-wo Wong c, Tsing Zhou a

a Department of Computer Science and Engineering, Chongqing University, Chongqing 400044, PR China

b Zunyi Medical College, Zhunyi, 563000 Guizhou, PR China

c Department of Computer Engineering and Information Technology, City University of Hong Kong, Hong Kong

Received 25 May 2005; received in revised form 4 June 2005; accepted 6 June 2005

Available online 19 September 2005

Abstract

Recently, a new chaotic cryptosystem using an external 128-bit key and multiple chaotic maps has been proposed. In this paper, a fundamental flaw of this cryptosystem is pointed out and a known plaintext attack is presented. Furthermore, a remedial modification is suggested, which avoids the flaw while keeping all the merits of the original cryptosystem.

© 2005 Published by Elsevier B.V.

PACS: 05.45.Ac

Keywords: Chaotic cryptosystem; External key; Cryptanalysis; Remedial modification

1. Introduction

Recently, Pareek et al. presented a new chaotic cryptosystem using four one-dimensional chaotic maps [1]. As a distinctive feature, the cryptosystem uses an external 128-bit secret key K divided into sixteen 8-bit blocks to generate the initial conditions of the four chaotic maps.

1007-5704/$ - see front matter © 2005 Published by Elsevier B.V. doi:10.1016/j.cnsns.2005.06.001

* Corresponding author. Address: Department of Computer Science and Engineering, Chongqing University, Chongqing 400044, PR China. Tel./fax: +86 2365105149.

E-mail address: [email protected] (J. Wei).


$$K = K_1 K_2 K_3 \cdots K_{16} \tag{1}$$

The plaintext P and ciphertext C are likewise composed of blocks of 8 bits. A variable number of blocks form a group.

$$P = P_1 P_2 P_3 \cdots P_n \tag{2}$$

$$C = C_1 C_2 C_3 \cdots C_n \tag{3}$$

First, the same initial condition (IC) for the four chaotic maps is generated from the session key:

$$R = \sum_{i=1}^{16} (K_i / 256) \tag{4}$$

$$IC = R - \lfloor R \rfloor \tag{5}$$

where $K_i$ and $\lfloor \cdot \rfloor$ are, respectively, the ith session key and the floor function.

Next, two dynamic tables are created. The first table (DT1) stores the initial conditions and indexes of the four maps. The second table (DT2) has a number of rows equal to the total number of session keys and three columns. The first column stores the number of blocks (B) in each group of plaintext/ciphertext, the second specifies the map index (N), and the last gives the number of iterations (IT) required. The values of B, N and IT in the nth row of DT2 are determined by the following equations:

$$B = Y_n \tag{6}$$

$$N = Y_n \bmod 4 \tag{7}$$

$$IT = \text{decimal equivalent of the } ((Y_n \bmod 16) + 1)\text{th session key} \tag{8}$$

where

$$Y_n = (5 \times Y_{n-1} + 1) \bmod 16 \tag{9}$$

$$Y_0 = \lfloor IC \times 10^2 \rfloor \tag{10}$$

A group of B blocks is encrypted/decrypted by iterating map N for IT times from initial condition IC. The values of B, N and IT are read from DT2 and the corresponding initial condition IC for map N is obtained from DT1. Then the last value $X^i_{new}$ of map N is used for encryption/decryption as

$$C_i = (P_i + \lfloor X^i_{new} \times 10^5 \rfloor) \bmod 256 \tag{11}$$

$$P_i = (C_i + 256 - (\lfloor X^i_{new} \times 10^5 \rfloor \bmod 256)) \bmod 256 \tag{12}$$

where $P_i$ and $C_i$ are the ith block of plaintext and ciphertext, respectively. Moreover, for the encryption/decryption of the next block, DT1 is updated by replacing the value of the IC for map N with $X^i_{new}$ after the ith block has been processed.

When DT2 is completely exhausted, i.e., encryption/decryption of a total of U (sum of all the values in the first column of DT2) blocks is finished, it has to be refilled according to Eqs. (6)–(10). This time, the $X^i_{new}$ value obtained during processing of the Uth block is taken as the IC value of Eq. (10). For more details, we highly suggest a thorough reading of [1].


2. Classical attacks

Generally, we say that an encryption algorithm is secure if it is resistant to all known attacks under the assumption that the cryptanalyst has the details of the algorithm [2, p. 24]. Furthermore, four different levels of attacks are presented in [2, p. 25] to validate the security of an algorithm. Ordered by hardness, they are, respectively, cipher text only attack, known plain text attack, chosen plain text attack, and chosen cipher text attack. (For further details, the reader may refer to [2,3].) If the key can be recovered through one of the attacks mentioned above, the algorithm is considered to be insecure [3].

Although the cipher generated with the algorithm in [1] might look like a block cipher, it in fact behaves as a stream cipher [2, p. 20]. The operation of the above algorithm as a stream cipher can be explained as follows. Suppose $P = P_1 P_2 \ldots$ is the plaintext and K the external 128-bit secret key; four chaotic maps are used to generate a keystream $S = S_1 S_2 \ldots$ This keystream is used to encrypt the plaintext according to the rule

$$C = C_1 C_2 \cdots = E_{S_1}(P_1)\, E_{S_2}(P_2) \cdots \tag{13}$$

Decrypting the cipher text C can be accomplished by computing the keystream S given knowledge of the external 128-bit secret key and undoing the operations $E_{S_i}$. From Eqs. (11) and (13), the keystream S is composed of the series $\lfloor X^i_{new} \times 10^5 \rfloor \bmod 256$ ($i \in \{1, 2, 3, \ldots\}$), i.e. $S_1 = \lfloor X^1_{new} \times 10^5 \rfloor \bmod 256$, $S_2 = \lfloor X^2_{new} \times 10^5 \rfloor \bmod 256$ and so on. It is important to note that knowing the keystream S generated by a certain secret key is equivalent to knowing the secret key [3]. The cryptosystem in [1] is claimed to be more efficient and secure than other existing chaotic cryptosystems [4–10]. However, we show that a fundamental flaw leads to its insecurity.

3. A fundamental flaw in Pareek's cryptographic algorithm

In the cryptographic algorithm presented in [1], although four different chaotic maps and an external 128-bit secret key are employed, a fundamental flaw has gone unnoticed: Eqs. (4)–(10) depend only on the secret key, not on the plaintext.

To demonstrate the security loophole caused by this flaw, the detailed procedure for encrypting two different plaintext sequences using the cryptosystem presented in [1] is shown step by step as follows. The two plaintext sequences are arbitrarily generated as '38ty348thABh380t84gh9yu690jh' and 'kbj409uy80gu034g8mb5ponkln'. The key is chosen as '0123456789ABCDEF1F2E3D4C5B6A7988', expressed in hexadecimal format.

Step 1. According to Eqs. (4) and (5), the initial setting of DT1 is worked out using the secret key, as listed in Table 1.

Step 2. According to Eqs. (4)–(10), we fill in DT2 to encrypt the first 16 groups of plaintext using the secret key, as shown in Table 2.

Step 3. Encrypt the plaintext '38ty348thABh380t84gh9yu690jh' by reading IC from DT1 and B, N, IT from DT2 while updating DT1 and DT2 according to the rules described in Section 1. A portion of this encryption process is illustrated in Table 3.

Table 1. Dynamic table DT1 showing the map index (N) and the corresponding initial conditions (IC)

| Map index (N) | Initial condition (IC) |
|---|---|
| 0 (Logistic map) | 0.585937 |
| 1 (Tent map) | 0.585937 |
| 2 (Sine map) | 0.585937 |
| 3 (Cubic map) | 0.585937 |

Table 2. Dynamic table DT2 showing number of blocks B in different groups of plaintext/ciphertext to be encrypted/decrypted using map index N with number of iterations IT

| Number of blocks (B) in a group | Map index (N) | Number of iterations for map N (IT) |
|---|---|---|
| 3 | 3 | 103 |
| 0 | 0 | 1 |
| 1 | 1 | 35 |
| 6 | 2 | 205 |
| 15 | 3 | 136 |
| 12 | 0 | 91 |
| … | … | … |

Table 3. Encryption of the plaintext '38ty348thABh380t84gh9yu690jh' using external secret key '0123456789ABCDEF1F2E3D4C5B6A7988'

| Plaintext block number | Plaintext symbol | Map index N | IC for map N | IT for map N | Output of map (Xnew) | Pi | Ci |
|---|---|---|---|---|---|---|---|
| 1 | 3 | 3 | 0.58593 | 103 | 0.39554 | 51 | 181 |
| 2 | 8 | 3 | 0.39554 | 103 | 0.88982 | 56 | 206 |
| 3 | t | 3 | 0.88982 | 103 | 0.10871 | 116 | 235 |
| 4 | y | 1 | 0.58593 | 35 | 0.48906 | 121 | 131 |
| 5 | 3 | 2 | 0.58593 | 205 | 0.17836 | 51 | 223 |
| 6 | 4 | 2 | 0.17836 | 205 | 0.81542 | 52 | 186 |
| 7 | 8 | 2 | 0.81542 | 205 | 0.33359 | 56 | 135 |
| 8 | t | 2 | 0.33359 | 205 | 0.36157 | 116 | 177 |
| 9 | h | 2 | 0.36157 | 205 | 0.91745 | 104 | 201 |
| 10 | A | 2 | 0.91745 | 205 | 0.03522 | 65 | 3 |
| 11 | B | 3 | 0.10871 | 136 | 0.11519 | 66 | 65 |
| – | – | – | – | – | – | – | – |

Step 4. Since Tables 1 and 2 depend only on the secret key, they also apply to the encryption of another plaintext 'kbj409uy80gu034g8mb5ponkln'. A portion of this encryption process is shown in Table 4.

Table 4. Encryption of the plaintext 'kbj409uy80gu034g8mb5ponkln' using external secret key '0123456789ABCDEF1F2E3D4C5B6A7988'

| Plaintext block number | Plaintext symbol | Map index N | IC for map N | IT for map N | Output of map (Xnew) | Pi | Ci |
|---|---|---|---|---|---|---|---|
| 1 | k | 3 | 0.58593 | 103 | 0.39554 | 107 | 237 |
| 2 | b | 3 | 0.39554 | 103 | 0.88982 | 98 | 248 |
| 3 | j | 3 | 0.88982 | 103 | 0.10871 | 106 | 225 |
| 4 | 4 | 1 | 0.58593 | 35 | 0.48906 | 52 | 62 |
| 5 | 0 | 2 | 0.58593 | 205 | 0.17836 | 48 | 220 |
| 6 | 9 | 2 | 0.17836 | 205 | 0.81542 | 57 | 191 |
| 7 | u | 2 | 0.81542 | 205 | 0.33359 | 117 | 196 |
| 8 | y | 2 | 0.33359 | 205 | 0.36157 | 121 | 182 |
| 9 | 8 | 2 | 0.36157 | 205 | 0.91745 | 56 | 153 |
| 10 | 0 | 2 | 0.91745 | 205 | 0.03522 | 48 | 242 |
| 11 | (space) | 3 | 0.10871 | 136 | 0.11519 | 32 | 31 |
| – | – | – | – | – | – | – | – |

Comparing Table 3 with Table 4, we find that their sixth columns have exactly the same contents. This is not a coincidence, but a direct consequence of the flaw mentioned above. In short, the properties of the encryption algorithm presented in [1] can be summarized as follows. First, Eqs. (4)–(10) depend on the secret key only and not on the plaintext, so the initial contents of DT1 and DT2 are exactly the same for different plaintext sequences as long as the secret key is fixed. Second, the value of the variable $X^i_{new}$ is determined completely by the map index (N), number of blocks (B) in a group, initial condition (IC) and number of iterations (IT), all of which are given by DT1 and DT2. This value is in turn used to update DT1 and/or DT2 for encrypting the next plaintext block. Moreover, each plaintext block is encrypted with the last value of the variable $X^i_{new}$ according to Eq. (10).

From these properties, it is easy to conclude that the initial contents of DT1 and DT2 as well as their updates do not vary between different plaintext sequences if the same key is used. In other words, the sequence $\lfloor X^1_{new} \times 10^5 \rfloor$, $\lfloor X^2_{new} \times 10^5 \rfloor$, … is constant for a fixed secret key regardless of the plaintext.

4. Known plain text attack

The known plain text attack on the cryptosystem proposed in [1] is straightforward. If a pair of plain text and cipher text of the desired length is obtained, then the corresponding keystream S can be recovered by the following transformation of Eq. (11):

$$S_i = \lfloor X^i_{new} \times 10^5 \rfloor \bmod 256 = (C_i - P_i) \bmod 256 \tag{14}$$

Consequently, any cipher text generated with the same key can be effortlessly cryptanalyzed using the following formula:

$$P_i = (C_i - S_i) \bmod 256 \tag{15}$$

For example, given a pair of plaintext and ciphertext with ASCII values {51, 56, 116, 121, 51, 52, 56, …} and {181, 206, 235, 131, 223, 186, 135, …}, respectively, we deduce the corresponding keystream S according to Eq. (14):

$$S_1 = (181 - 51) \bmod 256 = 130, \quad S_2 = (206 - 56) \bmod 256 = 150$$

Similarly,

$$S_3 = 119, \quad S_4 = 10, \quad S_5 = 172, \quad S_6 = 134, \quad S_7 = 79, \ldots$$

Possessing the keystream S = '130 150 119 10 172 134 79 …', for any ciphertext generated from the same key such as C = {227, 248, 218, 110, 17, 236, 182}, we can recover the corresponding plaintext as follows:

$$P_1 = (227 - 130) \bmod 256 = 97, \quad P_2 = (248 - 150) \bmod 256 = 98$$

Similarly,

$$P_3 = 99, \quad P_4 = 100, \quad P_5 = 101, \quad P_6 = 102, \quad P_7 = 103$$

Following this computationally inexpensive method, we can obtain as many $S_i$ of the keystream as desired, which is equivalent to knowing the secret key.
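The following added example (not code from the paper) carries Eqs. (14) and (15) through on the first 11 blocks of Tables 3 and 4 and checks the recovered keystream against the map outputs printed in Table 3. The function names are chosen here for illustration; the last function is a design check that flags a keystream that does not depend on the plaintext.

```python
"""Known-plaintext keystream recovery for the original scheme, Eqs. (14)-(15)."""

# Known pair: first 11 blocks of Table 3 (plaintext symbols and C_i column).
KNOWN_PLAINTEXT = b"38ty348thAB"
KNOWN_CIPHERTEXT = bytes([181, 206, 235, 131, 223, 186, 135, 177, 201, 3, 65])

# Second message under the same key: C_i column of Table 4.
TARGET_CIPHERTEXT = bytes([237, 248, 225, 62, 220, 191, 196, 182, 153, 242, 31])

# Ciphertext of the worked example in Section 4.
SECTION4_CIPHERTEXT = bytes([227, 248, 218, 110, 17, 236, 182])

# "Output of map (X_new)" column of Table 3, written as floor(X_new * 10^5)
# so the comparison below uses exact integers instead of floats.
XNEW_TIMES_1E5 = [39554, 88982, 10871, 48906, 17836, 81542,
                  33359, 36157, 91745, 3522, 11519]


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Eq. (14): S_i = (C_i - P_i) mod 256 for every known block."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext must have the same length")
    return bytes((c - p) % 256 for p, c in zip(plaintext, ciphertext))


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Eq. (15): P_i = (C_i - S_i) mod 256."""
    if len(ciphertext) > len(keystream):
        raise ValueError("recovered keystream is shorter than the ciphertext")
    return bytes((c - s) % 256 for c, s in zip(ciphertext, keystream))


def keystream_from_map_outputs(xnew_times_1e5) -> bytes:
    """Key-side definition of the keystream: floor(X_new^i * 10^5) mod 256."""
    return bytes(x % 256 for x in xnew_times_1e5)


def keystream_is_plaintext_independent(pairs) -> bool:
    """True if every (plaintext, ciphertext) pair produced under one key
    yields the same keystream over the common prefix, i.e. the flaw is present."""
    streams = [recover_keystream(p, c) for p, c in pairs]
    n = min(len(s) for s in streams)
    return all(s[:n] == streams[0][:n] for s in streams)


if __name__ == "__main__":
    s = recover_keystream(KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT)
    print("keystream:", list(s))
    print("matches Table 3:", s == keystream_from_map_outputs(XNEW_TIMES_1E5))
    print("Table 4 plaintext:", decrypt_with_keystream(TARGET_CIPHERTEXT, s))
    print("Section 4 example:", decrypt_with_keystream(SECTION4_CIPHERTEXT, s))
```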

5. A remedy for Pareek’s cryptographic algorithm

The plaintext-independent keystream S makes the encryption algorithm presented in [1] very vulnerable to known plain text attack. In fact, any stream cipher algorithm whose keystream is independent of the plaintext is breakable under known plaintext attack, no matter how complicated the stream cipher algorithm is. Apart from this flaw, the cryptosystem is excellent in confusion, diffusion and efficiency. It is therefore worthwhile to propose a modified cryptosystem that gets rid of this flaw. For convenience, we refer to the cryptosystem proposed in [1] as the original cryptosystem of the modified one to be described in the remaining part.

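Table 5. Encryption of the plaintext '38ty348thABh380t84gh9yu690jh' with the modified cryptosystem using external secret key '0123456789ABCDEF1F2E3D4C5B6A7988'

| Plaintext block number | Plaintext symbol | Map index N | Actual map index N* | IC for map N* | IT | Output of map (Xnew) | Pi | Ci |
|---|---|---|---|---|---|---|---|---|
| 1 | 3 | 3 | 3 | 0.58593 | 103 | 0.39554 | 51 | 181 |
| 2 | 8 | 3 | 0 | 0.58593 | 103 | 0.83809 | 56 | 153 |
| 3 | t | 3 | 0 | 0.83809 | 103 | 0.37779 | 116 | 7 |
| 4 | y | 1 | 2 | 0.58593 | 35 | 0.50879 | 121 | 56 |
| 5 | 3 | 2 | 0 | 0.37779 | 205 | 0.51098 | 51 | 205 |
| 6 | 4 | 2 | 3 | 0.39554 | 205 | 0.04204 | 52 | 160 |
| 7 | 8 | 2 | 3 | 0.04204 | 205 | 0.41863 | 56 | 191 |
| 8 | t | 2 | 3 | 0.41863 | 205 | 0.98636 | 116 | 192 |
| 9 | h | 2 | 3 | 0.98636 | 205 | 0.99002 | 104 | 34 |
| 10 | A | 2 | 3 | 0.99002 | 205 | 0.82858 | 65 | 235 |
| 11 | B | 3 | 3 | 0.82858 | 136 | 0.23144 | 66 | 170 |
| – | – | – | – | – | – | – | – | – |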


A straightforward modification is to make the value of $X^i_{new}$ dependent on both the key and the plaintext. Herein, we introduce two equations:

$$f(P_i) = (P_0 \oplus P_1 \oplus P_2 \oplus \cdots \oplus P_{i-1}) \bmod 4 \tag{16}$$

$$N^* = N \oplus f(P_i) \tag{17}$$

where $P_0 = 0$, $P_i$ denotes the ith plaintext block ($i \in \{1, 2, 3, \ldots, i - 1\}$), N the map index, and $\oplus$ an XOR operation. For the encryption of the ith plaintext block $P_i$, we still obtain the values of B, N and IT from DT2. The only difference from the original cryptosystem is that the actual map index is N* instead of N, i.e., the map N* is iterated IT times from the IC of map N* to obtain the value of $X^i_{new}$. This value is then used to update the IC of map N* in DT1. Obviously, different plaintext sequences result in different chaotic maps N* being used, and eventually in different sequences $\lfloor X^1_{new} \times 10^5 \rfloor$, $\lfloor X^2_{new} \times 10^5 \rfloor$, … The difference between the seventh columns of Tables 5 and 6 illustrates the effectiveness of this remedy.

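Table 6. Encryption of the plaintext 'kbj409uy80 gu034g8 mb5ponkln' with the modified cryptosystem using external secret key '0123456789ABCDEF1F2E3D4C5B6A7988'

| Plaintext block number | Plaintext symbol | Map index N | Actual map index N* | IC for map N* | IT | Output of map (Xnew) | Pi | Ci |
|---|---|---|---|---|---|---|---|---|
| 1 | k | 3 | 3 | 0.58593 | 103 | 0.39554 | 107 | 237 |
| 2 | b | 3 | 0 | 0.58593 | 103 | 0.83809 | 98 | 195 |
| 3 | j | 3 | 2 | 0.58593 | 103 | 0.97522 | 106 | 92 |
| 4 | 4 | 1 | 2 | 0.97522 | 35 | 0.50335 | 52 | 211 |
| 5 | 0 | 2 | 1 | 0.58593 | 205 | 0.97185 | 48 | 209 |
| 6 | 9 | 2 | 1 | 0.97185 | 205 | 0.63458 | 57 | 27 |
| 7 | u | 2 | 0 | 0.83809 | 205 | 0.08686 | 117 | 99 |
| 8 | y | 2 | 1 | 0.63458 | 205 | 0.54489 | 121 | 82 |
| 9 | 8 | 2 | 0 | 0.08686 | 205 | 0.99638 | 56 | 110 |
| 10 | 0 | 2 | 0 | 0.99638 | 205 | 0.88048 | 48 | 32 |
| 11 | (space) | 3 | 1 | 0.54489 | 136 | 0.47738 | 32 | 154 |
| – | – | – | – | – | – | – | – | – |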
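As an added example (not code from the paper), the sketch below applies Eqs. (16) and (17) to the first 11 blocks of both plaintexts, reproduces the N* columns of Tables 5 and 6, and locates the first block at which the two keystreams differ. The per-block map index N is expanded from the (B, N) rows of Table 2; all function names are illustrative.

```python
"""Eqs. (16)-(17): plaintext-dependent map selection in the modified scheme."""
from itertools import accumulate
from operator import xor

# First rows of DT2 (Table 2) as (B, N): B blocks are processed with map index N.
DT2_ROWS = [(3, 3), (0, 0), (1, 1), (6, 2), (15, 3)]

# Rows 1-11 of Tables 5 and 6: plaintext bytes and the C_i column.
P5 = b"38ty348thAB"
C5 = bytes([181, 153, 7, 56, 205, 160, 191, 192, 34, 235, 170])
P6 = b"kbj409uy80 "
C6 = bytes([237, 195, 92, 211, 209, 27, 99, 82, 110, 32, 154])


def map_index_per_block(dt2_rows, n_blocks):
    """Expand DT2 rows into one N per plaintext block (a row with B = 0 covers none)."""
    seq = [n for b, n in dt2_rows for _ in range(b)]
    if len(seq) < n_blocks:
        raise ValueError("the DT2 rows given do not cover the whole message")
    return seq[:n_blocks]


def f_values(plaintext):
    """Eq. (16): f(P_i) = (P_0 xor P_1 xor ... xor P_{i-1}) mod 4, with P_0 = 0."""
    prefix_xor = list(accumulate(plaintext, xor, initial=0))[:len(plaintext)]
    return [v % 4 for v in prefix_xor]


def actual_map_indices(plaintext, dt2_rows):
    """Eq. (17): N* = N xor f(P_i) for each block."""
    n_seq = map_index_per_block(dt2_rows, len(plaintext))
    return [n ^ f for n, f in zip(n_seq, f_values(plaintext))]


def keystream(plaintext, ciphertext):
    """S_i = (C_i - P_i) mod 256, read off a table's P_i and C_i columns."""
    return [(c - p) % 256 for p, c in zip(plaintext, ciphertext)]


def first_difference(a, b):
    """Index of the first position where two sequences differ, or None."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), None)


if __name__ == "__main__":
    n5 = actual_map_indices(P5, DT2_ROWS)
    n6 = actual_map_indices(P6, DT2_ROWS)
    print("N* (Table 5):", n5)
    print("N* (Table 6):", n6)
    print("map choice first differs at block", first_difference(n5, n6) + 1)
    print("keystreams first differ at block",
          first_difference(keystream(P5, C5), keystream(P6, C6)) + 1)
```

Blocks 1 and 2 use the same keystream bytes in both tables: f(P_1) is 0 for every message, and the first bytes '3' (51) and 'k' (107) are congruent modulo 4, so the map choice first differs at block 3.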

[Figure 1: histogram titled "Distribution of Plaintext"; vertical axis: Number of Occurrence; horizontal axis ticks from 0 to 255.]

Fig. 1. Distribution of plaintext when encrypting a 170 KB file consisting of all Chinese characters with the modified cryptosystem.

[Figure 2: histogram titled "Distribution of Ciphertext"; vertical axis: Number of Occurrence; horizontal axis ticks from 0 to 255.]

Fig. 2. Distribution of ciphertext when encrypting a 170 KB file consisting of all Chinese characters with the modified cryptosystem using external secret key '0123456789ABCDEF1F2E3D4C5B6A7988'.

Both Eqs. (16) and (17) involve only simple computation. More importantly, both lie outside the iteration cycle for encrypting each plaintext block. Therefore, our remedy is not a time-consuming operation and will not lead to a substantial loss of efficiency compared with the original cryptosystem. As far as security is concerned, Figs. 1 and 2 show that the modified cryptosystem has a balanced distribution of ciphertext, which is generally resistant to attacks based on statistical knowledge.

6. Conclusion

In spite of using multiple chaotic maps and an external 128-bit key, the cryptosystem presented in [1] is successfully cryptanalyzed due to the flaw that the contents of DT1 and DT2 employed in the cryptosystem are completely independent of the plaintext. Except for this flaw, the cryptosystem is excellent in confusion, diffusion and efficiency. The modified cryptosystem described in Section 5 keeps all these excellent properties while avoiding the flaw. Therefore, it is suitable for practical use such as the secure transmission of large multi-media files over the Internet.

Acknowledgements

The work described in this paper was supported by the National Natural Science Foundation of China (No. 60271019), the Doctorate Foundation Grants from the Ministry of Education of China (No. 20020611007), the Post-doctoral Science Foundation of China and the Natural Science Foundation of Chongqing (No. 8509).

References

[1] Pareek NK, Patidar V, Sud KK. Cryptography using multiple one-dimensional chaotic maps. Commun Nonlinear Sci Numer Simul 2005;10:715–23.

[2] Stinson DR. Cryptography: theory and practice. Boca Raton, FL: CRC Press; 1995.

[3] Alvarez G, Montoya F, Romera M, Pastor G. Keystream cryptanalysis of a chaotic cryptographic method. Comput Phys Commun 2004;156:205–7.

[4] Baptista MS. Cryptography with chaos. Phys Lett A 1998;240(1–2):50–4.

[5] Kotulski Z, Szczepanski J, Gorski K, Paszkiewicz A, Zugaj A. Application of discrete chaotic dynamical systems in cryptography—DCC method. Int J Bifurcat Chaos 1999;9:1121–35.

[6] Alvarez E, Fernandez A, Garcia P, Jimenez J, Marcano A. New approach to chaotic encryption. Phys Lett A 1999;263:373–5.

[7] Wong WK, Lee LP, Wong KW. A modified chaotic cryptographic method. Comput Phys Commun 2000;138:234–6.

[8] Wong KW. A fast chaotic cryptography scheme with dynamic look-up table. Phys Lett A 2002;298:238–42.

[9] Wong KW, Ho SW, Yung CK. A chaotic cryptography scheme for generating short ciphertext. Phys Lett A 2003;310:67–73.

[10] Pareek NK, Patidar V, Sud KK. Discrete chaotic cryptography using external key. Phys Lett A 2003;309:75–82.