Cryptanalytic methods in chaotic cryptosystems

G. Álvarez, F. Montoya, M. Romera, and G. Pastor
Instituto de Física Aplicada, Consejo Superior de Investigaciones Científicas
Serrano, 144 — 28006 Madrid, Spain

ABSTRACT

In recent years, telecommunications networks have undergone explosive growth. As a consequence, there has been a strong demand for information protection mechanisms. Many cryptosystems based on chaos have been proposed, although little or no critical analysis has been made of the security and cryptographic robustness of these algorithms. In this paper we present our tools to examine some of these algorithms from a cryptographic perspective, showing many vulnerabilities that can be exploited to successfully break them. We conclude that most chaotic cryptosystems are very insecure and cumbersome and thus unreliable and impractical for real applications.

Keywords: Chaotic Cryptosystems, Cryptanalysis, Gray Codes.

1. INTRODUCTION

Modern telecommunications networks, and especially the Internet, have increased the possibilities of user communication and information transmission to limits unimaginable a short time ago. There is a parallel growing demand for cryptographic techniques, which has given rise to intense research activity and the search for new directions in cryptography. As a result, a rich variety of chaotic cryptosystems for end-to-end communications have been put forward, whose robustness and privacy are equally diverse [1-9]. To date, little or no critical analysis has been made of the security and cryptographic robustness of these algorithms [10-16]. We have detected that a systematic approach to cryptanalysis and security evaluation is missing. To fill this void, in this paper we examine some of these algorithms from a cryptographic perspective.
First, in section 2, we propose some new analysis tools based on the theory of 1D quadratic maps, such as Gray codes [17], an extension of the Myrberg method [18], and the well-known bifurcation diagrams and histograms. Second, in section 3, we make use of these tools to successfully attack the proposed cryptosystems. Depending on the cipher under study and its parameter configuration, some or all of the following attacks prove to be successful, usually with a surprisingly low number of texts: ciphertext-only, known-plaintext, chosen-plaintext, and chosen-ciphertext. After our cryptanalysis, we conclude that most of the chaotic cryptosystems are very insecure and, thus, unreliable for critical applications.

2. CRYPTANALYSIS TOOLS

Chaotic cryptosystems, like any other cryptosystem, seek to offer three important properties to frustrate cryptanalytic efforts, namely [6]:

i) Be sensitive with respect to keys: flipping one bit in a key creates completely different ciphertext when applied to the same plaintext.
ii) Be sensitive with respect to plaintext: flipping one bit in the plaintext creates completely different ciphertext.
iii) Map plaintext to random ciphertext: there should not be any patterns in the ciphertext, if the cryptosystem is good.

These three properties can be easily related to three characteristics of chaotic systems, respectively:

i) Parameter sensitivity: a small variation in one of the system parameters is enough to make two trajectories, starting at the same initial point, separate at an exponential rate.
ii) Initial condition sensitivity: two trajectories starting at two different, though arbitrarily close, initial points separate from each other exponentially.
iii) Ergodicity: the trajectories followed by points belonging to the phase space travel through the space with uniform distribution.

Although chaotic systems satisfy all these properties, they are deterministic in nature after all.
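
The three characteristics above, and the determinism that accompanies them, can be observed numerically. The following Python code is an added example, not code from the paper; the map x -> x*x + c with c = -2, the start point 0.3, the offset 1e-12 and all function names are assumptions chosen for illustration.

```python
# Added illustration (not from the paper). Assumed values: the quadratic map
# x -> x*x + c with c = -2 (chaotic on [-2, 2]), start point 0.3, offset 1e-12.

def orbit(c, x0, n):
    """Return the first n iterates of x -> x*x + c starting from x0."""
    xs, x = [], x0
    for _ in range(n):
        x = x * x + c
        xs.append(x)
    return xs

def divergence_step(a, b, threshold=0.5):
    """Index of the first iterate where two orbits differ by more than threshold."""
    for i, (u, v) in enumerate(zip(a, b)):
        if abs(u - v) > threshold:
            return i
    return None  # the orbits never separated within the compared length

def histogram(xs, bins=10, lo=-2.0, hi=2.0):
    """Count how many iterates fall into each of `bins` equal cells of [lo, hi]."""
    counts = [0] * bins
    for x in xs:
        k = min(int((x - lo) / (hi - lo) * bins), bins - 1)  # x == hi goes in last cell
        counts[k] += 1
    return counts

C, X0, EPS, N = -2.0, 0.3, 1e-12, 2000
base = orbit(C, X0, N)

# i) parameter sensitivity: same start point, parameter (the "key") off by 1e-12
key_step = divergence_step(base, orbit(C + EPS, X0, N))
# ii) initial-condition sensitivity: same parameter, start point off by 1e-12
init_step = divergence_step(base, orbit(C, X0 + EPS, N))
# iii) ergodicity: the orbit visits every cell of the interval
cells = histogram(base)
# determinism: replaying the same (c, x0) reproduces the orbit exactly
replay_identical = orbit(C, X0, N) == base

if __name__ == "__main__":
    print("parameter offset separates the orbits at step", key_step)
    print("start-point offset separates the orbits at step", init_step)
    print("visits per cell:", cells)
    print("replay identical:", replay_identical)
```
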
As a consequence, it is possible to detect patterns in their behaviour, which can be readily used by the cryptanalyst to find order within the apparent chaos. To serve this purpose, we make use of the following three tools, adapted from the well-known chaos theory background: Gray codes [17], determination of the centres of hyperbolic components using our extension of the Myrberg method [18], and bifurcation diagrams and histograms. The field of application of these tools is restricted to unimodal maps, with one critical point.

Gray codes

A Gray code is a function $G(i)$ of the integers $i$, that for each integer $N \ge 0$ is one-to-one for $0 \le i \le 2^N - 1$, and that has the following remarkable property: the binary representations of $G(i)$ and $G(i+1)$ differ in exactly one bit.

Let $x \mapsto f_c(x)$ be a family of 1-D quadratic maps, of parameter $c$, which transforms an interval $I$ into itself. To represent symbolically the dynamics of the orbit followed by an initial point $x_0$ for a given parameter value $c$, we do not record the exact value of each iterate, but simply consider whether it falls to the left (L), to the right (R), or on the critical point (C) of the map. Thus, from the orbit $x_0$, $x_1 = f_k(x_0)$, $x_2 = f_k(x_1)$, …, $x_n = f_k(x_{n-1})$, … one gets a symbolic sequence $S = s_0 s_1 s_2 \ldots s_n \ldots$ in one-to-one correspondence, where

$$s_i = \begin{cases} L & \text{if } x_i < C \\ C & \text{if } x_i = C \\ R & \text{if } x_i > C \end{cases}$$

In Fig. 1 we plotted the graph of the real Mandelbrot map, $x_{n+1} = x_n^2 + c$, with $c = -2$. In the low part appears the order