You are on page 1of 7

Physics Letters A 363 (2007) 84–90

www.elsevier.com/locate/pla

Cryptanalysis of chaotic stream cipher


Adrian Skrobek
Szczecin University of Technology, 71-210 Szczecin, Poland
Received 17 May 2006; accepted 21 October 2006
Available online 7 November 2006
Communicated by A.P. Fordy

Abstract
In [N.S. Philip, K.B. Joseph, Chaos for stream cipher, cs.CR/0102012] Philip and Joseph propose their own cipher algorithm. An efficient
attack on the values of the key of this cipher is presented in this Letter. Other weaknesses of this cipher are presented, and proposals of algorithm’s
improvement as well.
© 2006 Elsevier B.V. All rights reserved.

Keywords: Cryptanalysis; Chaos; Stream cipher

1. Introduction approximation of an analog system [2]. Currently most of the


cryptographic algorithms call for discrete approach.
In [1] Philip and Joseph present the proposal of a cipher al- In the case of a logistic map
gorithm based on a couple of logistic maps and bitwise “xor” xn+1 = λxn (1 − xn ), 0λ4 (1)
operation. Most of the stream ciphers are based on pseudoran-
dom number generator. The sending party adds secret informa- the state xn+1 is entirely determined by the state xn . Although
tion to the carrying signal. The secret information is removed at the formed chaotic orbit looks as it was random, it is completely
the receiver side (this way the message is recovered; it is neces- predictable. A system based only on a logistic map is not safe
sary that the receiver can generate an identical carrying signal). from the cryptographic point of view. Two chaotic systems have
A good pseudorandom number generator must have a long cy- been considered, with orbits specified as {xn } and {xn } (both
cle length. systems share the λ system parameter).
Chaotic systems are characterized by properties, which are
promising for the designers of stream ciphers. They are char- 1.1. Cipher’s algorithm description
acterized by irregular run, though they are necessitarian. The
chaotic systems are well-used in analog systems, however in After some simplification of the original description, the
discrete systems the main problem is the finite precision of cal- cryptographic algorithm is described as below (the block dia-
culation. What makes it worse, is the fact that chaotic systems gram of this algorithm is shown on Fig. 1):
are expotentially sensitive to the initial conditions. None the Pn = xn ⊕ xn , (2)
less, it was observed that a combination of few chaotic systems
gives a sequence with a complicated structure. The research was Cn = Pn ⊕ yn , (3)
focused on the linear systems. In [1] the amplification of this xn+1 = f (xn , λ) ⊕ Cn , (4)

approach for non-linear systems is described. xn+1 = f (xn , λ), (5)
The discrete realization of chaotic systems is different in re-
lation to the analog realization, but it is still a good enough where, yn is plaintext stream, Cn is a ciphertext, ⊕ means
a bitwise xor operation. x0 , x0 and λ are the cipher’s key.
f (x, λ) = λx(1 − x) is the logistic map. The value of x0 is cal-
E-mail address: askrobek@wi.ps.pl (A. Skrobek). culated from the value of x0 , but the way to do it is not given
0375-9601/$ – see front matter © 2006 Elsevier B.V. All rights reserved.
doi:10.1016/j.physleta.2006.10.081
A. Skrobek / Physics Letters A 363 (2007) 84–90 85

gation of the proposed algorithm we use a 64-bit representation


of float number. As it has been mentioned in Section 1.1, the x0
value does not belong to the key. However, even if we have a
128-bit long key (λ and x0 ), the key entropy is lower because
some of its bits are constant. The key entropy could be esti-
mated at the level of 96 bits.

2. Classic types of attack

While examining the encrypting algorithm, the cryptanalyst


knows all the implementation details, the variables value range,
initial states and so on. The only unknown is the value of the
key, but its value range is known. This approach is consistent
to Kerckhoff’s principle, which states that the safety of a cipher
Fig. 1. Block diagram of the Philip–Joseph algorithm.
must rely only on the key safety [4,5].
Currently the classic types of attack are as follows (from the
in [1]. This transformation cannot be secret if the process of most complicated to the most simple one):
decryption is supposed to be possible. An assumption can be
made that x0 does not belong to the key. However, this does not (1) Ciphertext-only attack;
change the further cryptanalitycall deliberation. (2) Known plaintext attack;
In the proposed algorithm a value of x0 and the calculation (3) Chosen plaintext attack;
of x0 from x0 is sent to the recipient. Such an approach is not (4) Chosen ciphertext attack.
recommended: This transformation must be known, therefore it
decreases the key space by one parameter. The sense of using attacks other than ciphertext-only attack is
A stream cipher needs a pseudorandom number generator. shown when considering a cipher as one built into a crypto-
Linear shift registries (LFSR) are often used in classic ciphers. graphic device or, for example, during setting an SSL session.
These are generally linear systems. A non-linear transforma- In that situation, although the keys themselves are hidden, the
tion (xor operation), which causes a jump between trajectories attacker has a possibility to send any messages to the device or
(those leads to perturbations in the chaotic system) was used in the server.
the given example. A system like this is still necessitarian, how- A combination of attacks with chosen plaintext and chosen
ever its attractor is far more chaotic. The sequences generated ciphertext have been used in the Letter. This method is known
by the system are identical only in case, where the same plain- under the name of adaptive chosen plaintext attack and adap-
text is enciphered and the parameters x0 , x0 and λ are equal. It tive chosen ciphertext attack. It is based on the selection of a
was proposed to use a random number as a value of the x0 pa- plaintext based on previously acquired results.
rameter, using the current system time as the seed. This is not a
good idea because time can be estimated with a certain proba-
3. An attack on the first two blocks
bility.
The resistance to the brute force attack was estimated in [1]
An uncovered weakness of investigated cipher is a problem
by specifying a number of the significant bits of the key (xn ,
with encrypting blocks of plaintext with the same keystream. As
xn and λ) as a value of 2m + k, which gives 22m+k of combi-
it is described below, the analyzed algorithm encrypts the first
nations. With the assumption that k = m = 16 bits, the number
two blocks with the same keystream. This information could be
of combinations equals 248 . However, 248 is a way too small
usefull to decrypt the first two blocks of ciphertext when an at-
number. The case gets worse because of the fact, that xn comes
tacker obtains a temporary access to the encryption machinery.
from xn , so the number of combinations will be even smaller.
It uniquely results from the encryption algorithm that for a
Increasing the number of the significant bits of parameters or
given key x0 , x0 and λ, the value of P0 is always the same.
multiple encryption was proposed to improve the immunity to
Therefore, using a chosen or known plaintext attack, it can be
brute force attack. In the second case, a cryptanalyst has to con-
calculated that
sider the previous enciphered value or do 2n(2m+k) calculations.
The cipher, however, will be slower. α0 = P0 = C0 ⊕ y0 . (6)

1.2. Implementation details With knowledge of α0 for a given key, the first 8-byte block of
a ciphertext can be deciphered by calculating
Although the authors in [1] assume a 16-bit long decimal y0 = α0 ⊕ C0 . (7)
format, it is more natural to use widely applicable standard
IEEE-754 of floating point number representation [3]. In fact The calculation of the second block requires the evaluation of
because of size of the double precision float, the algorithm is
also more secure against the brute force attack. During investi- α1 = f (x0 , λ) ⊕ f (x0 , λ). (8)
86 A. Skrobek / Physics Letters A 363 (2007) 84–90

range of (0, 1). After research has been made, it turned out that
the most significant 8 bits of the parameter P0 have value 0. The
8th bit has the value 1 with a 1% probability, whereas the 9th
bit with a 16% probability. The remaining bits have a random
distribution. Therefore, decryption of the first 10 bits according
to the formula y0 = C0 is feasible with high probability.
Ten first bits of the second block can be decrypted with
higher probability than in the case of the first block. Numbers
in the range of (0, 1) in a floating-point representation have the
9 first bits set to a known and fixed value. Bit 9 can be esti-
mated with approximately 90% probability. What follows from
the ciphering algorithm is this: y1 = P1 ⊕ C1 = x1 ⊕ x1 ⊕ C1 =
f (x0 , λ) ⊕ C0 ⊕ f (x0 , λ) ⊕ C1 . Researches have shown the
9 most significant bits can be uniquely estimated for the ex-
pression f (x0 , λ) ⊕ f (x0 , λ), however the 9th bit with a 90%
probability. It is possible then to decrypt the first 10 bits with
high probability, according to the formula y1 = C0 ⊕ C1 .

5. An attack on the parameters of the key

The most efficient attack on the cipher algorithm is shown


below. It allows to get all the values of the key. This attack
is a combination of attacks with chosen ciphertext and cho-
sen plaintext attacks. The idea is to make a chaotic system
run out of control, so that one of the systems enters a for-
bidden area. It is best for the next orbit value to be a “NaN”
(Not a Number) or infinity. This is impossible for the system
Fig. 2. Algorithm of an attack on first two blocks. 
xn+1 = f (xn , λ), because the value of the control parameter
λ ∈ (3.57, 4). The initial value also will probably be selected
It is a constant value, dependent of the key, but independent of correctly, so x0 , x0 ∈ (0, 1). Although the involvement of the
the plaintext. As it turns out, the value of α1 can be calculated xor operation into the function of the system xn+1 = f (xn , λ)
from the ciphertext and the plaintext, using a known or chosen prevented previous attacks, in this case it gave a possibility of
plaintext attack. The value of α1 = C1 ⊕ C0 ⊕ y1 . an efficient attack on the algorithm.
Proof: To execute an attack, the values of x0 ⊕ x0 and f (x0 , λ) ⊕
C1 = P1 ⊕ y1 , (9) f (x0 , λ) have to be defined first. They can be acquired by deci-
phering the ciphertext specified by the sequence C2 = (0, 0). In
C1 = x1 ⊕ x1 ⊕ y1 , (10) accordance with the decrypting algorithm, we will get the se-
C1 = f (x0 , λ) ⊕ C0 ⊕ f (x0 , λ) ⊕ y1 , (11) quence P2 = (x0 ⊕ x0 ⊕ 0, f (x0 , λ) ⊕ f (x0 , λ) ⊕ 0) = (x0 ⊕
x0 , f (x0 , λ) ⊕ f (x0 , λ)) (details listed in Table 1). This se-
f (x0 , λ) ⊕ f (x0 , λ) = C1 ⊕ C0 ⊕ y1 = α1 . (12)
quence will be used to prepare a special plaintext sequence,
Knowing the value of α1 , the second block of the plaintext can which will then make the system run out of control to a for-
be calculated for any ciphertext, according to the formula bidden area. The chaotic system xn+1 = f (xn , λ) will run out
of control when its argument (previous orbit value) will be a
y1 = α1 ⊕ C0 ⊕ C1 . (13) large binary number. This effect cannot be obtained in the first
The above description has been shown on Fig. 2. step: The orbit value is dependent on x0 . It is known though,
that every orbit value of the logistic function is in the range
4. An attack on the constant bits of the ciphertext of (0, 1). In accordance with [3] the binary representation of a
normalized floating-point number ranging in (0, 1) contains the
The involvement of a non-linear transformation (i.e. opera- value 0x3f in the most significant byte. Let introduce constant
tions on numbers using floating-point arithmetic) to a logistic Imax (the maximum value of an integer without the sign and a
function makes the cryptanalysis of consecutive blocks more binary length equal to the length of a binary representation of a
complicated. Other weaknesses of the algorithm is explained floating-point number):
later. A cryptanalysis of at least a part of the ciphertext can be
done with a ciphertext only. According to the shown algorithm,
y0 = C0 ⊕ x0 ⊕ x0 . The values of x0 and x0 must enclose in the Imax = 0xffffffffffffffff. (14)
A. Skrobek / Physics Letters A 363 (2007) 84–90 87

Table 1
Initializing the chosen ciphertext attack with C2 = (0, 0)
n xn xn Pn Cn yn f (xn ) f (xn )
0 x0 x0 x0 ⊕ x0 0 x0 ⊕ x0 f (x0 ) f (x0 )
1 f (x0 ) f (x0 ) f (x0 ) ⊕ f (x0 ) 0 f (x0 ) ⊕ f (x0 ) f 2 (x0 ) f 2 (x0 )

Table 2
Chosen plaintext attack with y3 = (β0 , β1 , 0)
n xn xn Pn Cn yn f (xn ) f (xn )
0 x0 x0 x0 ⊕ x0 Imax ⊕ 1.0 β0 f (x0 ) f (x0 )
1 Ilarge f (x0 ) Ilarge ⊕ f (x0 ) 0 β1 −∞ f 2 (x0 )
2 −∞ f 2 (x0 ) −∞ ⊕ f 2 (x0 ) −∞ ⊕ f 2 (x0 ) 0 −∞ f 3 (x0 )
3 f 2 (x0 ) f 3 (x0 ) f 2 (x0 ) ⊕ f 3 (x0 ) – – f 3 (x0 ) f 4 (x0 )

Table 3
Chosen plaintext attack with y4 = (β0 , β1 , f 2 (x0 , λ), 0)
n xn xn Pn Cn yn f (xn ) f (xn )
0 x0 x0 x0 ⊕ x0 Imax ⊕ 1.0 β0 f (x0 ) f (x0 )
1 Ilarge f (x0 ) Ilarge ⊕ f (x0 ) 0 β1 −∞ f 2 (x0 )
2 −∞ f 2 (x0 ) −∞ ⊕ f 2 (x0 ) −∞ f 2 (x0 ) −∞ f 3 (x0 )
3 0 f 3 (x0 ) f 3 (x0 ) f 3 (x0 ) 0 0 f 4 (x0 )
4 f 3 (x0 ) f 4 (x0 ) f 3 (x0 ) ⊕ f 4 (x0 ) – – f 4 (x0 ) f 5 (x0 )

According to [3], its floating-point representation is −21023 . than there is available for the binary representation, thus the
Additionally, let us mark mathematical package returns the value of infinity. Addition-
ally, the value C1 = 0, so it does not change any bits of the value
Ilarge = 0xff d2 d3 . . . d15 . (15) x2 . The zero value comes from the fact that C1 = y1 ⊕ P1 =
The value of Ilarge is a number which contains the value 0xff Imax ⊕ 1.0 ⊕ f (x0 , λ) ⊕ f (x0 , λ) ⊕ f (x0 , λ) ⊕ C0 ⊕ f (x0 , λ) =
as the most significant byte and the remaining digits (hexadeci- Imax ⊕ 1.0 ⊕ f (x0 , λ) ⊕ f (x0 , λ) ⊕ Imax ⊕ 1.0 ⊕ x0 ⊕ x0 ⊕ x0 ⊕
mal) are undetermined. Passing the value x0 = 0.
After performing the above step it is known that the current
β0 = Imax ⊕ 1.0 ⊕ x0 ⊕ x0 (16) orbit value is xn+1 = f (xn , λ) = −∞. This value has an ap-
propriate binary representation. Block y2 = 0 is supposed to be
to the encrypting function as the first block, x0 ⊕ x0 ob-
encrypted in the next step, so that C2 = −∞ ⊕ x2 is acquired.
tained from the first step will cause that x1 = β0 ⊕ x0 ⊕ x0 ⊕
The values of each variable and expression are shown in Ta-
f (x0 , λ) = Ilarge will be a large binary number (in accordance
ble 2. Finally, x2 is evaluated from formula (18)
with [3] in the floating-point representation of the value of Ilarge
is, with high probability, smaller than −21009 ). This comes from x2 ≡ f 2 (x0 , λ) = −∞ ⊕ C2 . (18)
the fact that the result of the operation on the logistic map itself
will have a binary representation with the most significant bit To obtain all essential values of the key (it is known that xn =
value of 0x3f , by which it eliminates value of 1.0 in a sig- xn ⊕ Pn , Pn was obtained from the first stage of cryptanalysis)
nificant degree. The value of P0 eliminates passing of itself the value of one of the next orbits is f (xn , λ) or f (xn , λ) is re-
(obtained from the first step) as a part of y0 . quired. To get it, the encryption of the first two blocks should be
The above operation will cause the system to run out of performed once more (after resetting the internal state of the en-
control. To get the first part of the key, which in this case is crypter) and encrypt the lately obtained value f 2 (x0 , λ) as the
f 2 (x0 , λ), the value of the expression third block, number 0 as the fourth. This will be the cause for
the value x3 = 0, and as an effect of encryption of a block with
β1 = Imax ⊕ 1.0 ⊕ f (x0 , λ) ⊕ f (x0 , λ) (17) 0 value we get C3 = x3 (C3 = P3 ⊕ 0 = x3 ⊕ 0 ⊕ 0 = x3 ). The
should be encrypted as the second block. Equally to the first parameters and expressions values are shown in Table 3. Know-
block, the value f (x0 , λ) ⊕ f (x0 , λ) is obtained from the stage ing the values of x2 and x3 , a control parameter λ is calculated
of the initial attack. Delivering this value for deciphering in the from formula (19)
second block will cause that x2 = −∞. This is the result of the x3
fact that the previous value of x1 was a large binary number, λ= . (19)
x2 · (1 − x2 )
stored in all bits of the binary representation of a floating-point
number. The logistic map is a quadratic function, so after rising The value of x1 can be calculated from the reverse logistic map
it to the second power, the function requires greater more space iteration formula referring to the logistic map defined by the
88 A. Skrobek / Physics Letters A 363 (2007) 84–90

Therefore β0 = 0xc03ec5b16c5b16c1. According to [3], the


value 0x3ff 0000000000000 is a binary representation of a real
number 1.0, and 0xffffffffffffffff is a value earlier de-
fined as Imax . Similarly, we evaluate

β1 = 0xffffffffffffffff ⊕ 0x3ff 0000000000000


⊕ 0x000f 51b9da190082. (27)
After calculation β1 = 0xc000ae4625e6ff 7d. Afterwards we
encrypt the sequence y3 = {β0 , β1 , 0}, which gives us:

y3 = {0xc03ec5b16c5b16c1, 0xc000ae4625e6ff 7d,


0x0000000000000000}. (28)
The sequent states of the encrypter are shown in Table 5 (deci-
mal representation is rounded). As it can be seen, the value x1 =
0xff e495182a9930be is the value earlier defined as Ilarge . It
is unknown exactly what value will that be (it depends on the
argument, which depends on the encrypter’s keys), but it will
surely be a value outside the valid range of (0, 1) (in this exam-
ple Ilarge = −1.1562 × 10308 ) causing the chaotic system to run
out of control in the next step. Indeed, the value of x2 = −∞.
As an additional effect it can be observed that the system’s state
x  ‘jumped’ to system x in the third step. This results directly
from the construction of the sequence passed for encryption.
As a result of enciphering the y3 sequence we get the se-
quence
Fig. 3. Algorithm of an attack on parameters of the key.
C3 = {0xc00fffffffffffff, 0x0000000000000000,
formulas (20) 0xc01a8f e0ee102230} (29)
⎧ 
xn

⎨ 1− 1−4 λ in which the last element is −∞ ⊕ x2 (as appears in Table 2).

or
xn−1 = 
2
(20) From the specification [3], confirmed by Table 5, it is known
⎪ 
⎩ 1+ 1−4 xλn that −∞ = 0xfff 0000000000000, so x2 = −∞ ⊕ C3 (2):
2 .
A step by step algorithm of the cryptanalytic process is shown x2 = 0xfff 0000000000000 ⊕ 0xc01a8f e0ee102230
at Fig. 3. = 0x3f ea8f e0ee102230. (30)

6. An example of an attack on the key values Finally x2 = 0.83006331. According to the procedure de-
scribed in the previous point, the next thing to do is to encrypt
Assuming that the ciphering keys are: the block y4 = {β0 , β1 , x2 , 0}. Let us encrypt the sequence:

λ = 3.57, (21) y4 = {0xc03ec5b16c5b16c1, 0xc000ae4625e6ff 7d,


x0 = 0.4 = 0x3f d999999999999a, (22) 0x3f ea8f e0ee102230, 0x0000000000000000}. (31)
x0 = 0.77 = 0x3f e8a3d70a3d70a4. (23) The internal states of the encrypter are specified in Table 6 (dec-
Let us decipher the sequence imal values are rounded). As the result of encryption we get the
sequence:
C2 = {0x0000000000000000, 0x0000000000000000}. (24)
The sequent values of the decoder’s chaotic systems are stated C4 = {0xc00fffffffffffff, 0x0000000000000000,
in Table 4 (decimal representation is rounded). As a result of 0xfff 0000000000000, 0x3f e01d4f 391519b3}. (32)
deciphering we get the sequence
The last value of the sequence is x3 = 0.50357782. The value of
P2 = {0x00313a4e93a4e93e, 0x000f 51b9da190082}. (25) the key λ can be calculated, accordingly to formula (19), when
Next, we evaluate knowing the values of x3 and x2 . After the end of calculation:

β0 = 0xffffffffffffffff ⊕ 0x3ff 0000000000000 x3 0.50357782


λ=   = = 3.57.
⊕ 0x00313a4e93a4e93e. (26) x2 · (1 − x2 ) 0.83006331 · (1 − 0.83006331)
(33)
A. Skrobek / Physics Letters A 363 (2007) 84–90 89

Table 4
Decrypter’s internal states in initialization phase
n xn xn (hex) xn xn (hex)
1 0.8568 0x3f eb6ae7d566cf 41 0.632247 0x3f e43b5e0f 7f cf c3
2 0.4380167232 0x3f dc08774b4f af 7b 0.83006331 0x3f ea8f e0ee102230

Table 5
Encrypter states during the out of control runs
n xn xn (hex) xn xn (hex)
1 −1.1562 × 10308 0xff e495182a9930be 0.632247 0x3f e43b5e0f 7f cf c3
2 −∞ 0xfff 0000000000000 0.83006331 0x3f ea8f e0ee102230
3 0.83006331 0x3f ea8f e0ee102230 0.50357782 0x3f e01d4f 391519b3

Table 6
Internal states of the encrypter while retrieving the x3 value
n xn xn (hex) xn xn (hex)
1 −1.1562 × 10308 0xff e495182a9930be 0.632247 0x3f e43b5e0f 7f cf c3
2 −∞ 0xfff 0000000000000 0.83006331 0x3f ea8f e0ee102230
3 0.0 0x0000000000000000 0.50357782 0x3f e01d4f 391519b3
4 0.50357782 0x3f e01d4f 391519b3 0.89245430 0x3f ec8ef c52a48605

With the values of λ, x3 and x2 now known, we calculate the (4) System is susceptible for running out of control.
value of x1 accordingly to formula (20):
  The first inconvenience shows, that the key entropy which
x2
1− 1−4 λ 1 − 1 − 4 0.83006331
3.57 defines an upper bound of the cipher’s security [4] is weaker

x1 = = = 0.367753
2 2 than today’s security requirements [6]. This is because of fact,
(34) that initial values of chaotic systems depends of each other. This
or can be easily avoided by omitting the function that transforms
 
x2 one key into another and by defining explicitly all parts of the
1 + 1 − 4 1 + 1 − 4 0.83006331
3.57
x1 = λ
= = 0.632247. key. This way the key’s length will reach about 150 bits, what
2 2 can be treated as secure.
(35) A common feature of many ciphers (see e.g. cryptanalyses in

From the two possible results of the value of x1 , we calculate [7,8]) is a problem with encrypting blocks of plaintext with the
four potential x0 keys. One of them is correct. We use for- same keystream. The analyzed algorithm encrypts only the first
mula (20) analogically, but with input values of 0.367753 and two blocks with the same keystream. To prevent this, two first
0.632247. We then get four possible values of the key (some blocks can be passed as random numbers and can be omitted
values are rounded): 0.77, 0.23, 0.8833900, 0.1166099. The while decrypting. However it is better to pass a random number
correct key in this case is 0.77. To evaluate the x0 key, a xor as the first block (so-called “salt” value) to the encrypter, and
operation should be executed on the value of the x0 key and the send every following number as a result of xor operation of
first element of P2 sequence. Therefore: the first block with the block of plaintext. At the moment of
decryption the first block should be decrypted at first, then after
x0 = 0x3f e8a3d70a3d70a4 ⊕ 0x00313a4e93a4e93e
decrypting the following blocks, perform the xor operation of
= 0x3f d999999999999a. (36) the deciphered first block and the following deciphered blocks.
In result x0 = 0.4. This way to obtain all three numbers, which As it has been written in [5] and latter in [9], the security of
are the cipher’s key. a cipher must rely only on security of the key. So ability to gain
of any bit of the key reduces security of whole cipher. Chaotic
7. Improvement suggestions systems usually works within the real number domain. Further-
more, the range of those numbers is often limited within the
In consequence of the cryptanalysis the following weak- range of (0, 1). To minimize the predictability of the keystream
nesses of the encrypting algorithm have been noticed: bits and other variables of the encrypter’s state, the block should
be shortened to a number of bits which is less predictable (e.g.
(1) One part of the key depends on the other. to the 6 least significant bytes, if the binary representation of
(2) The first two blocks are always enciphered with the same a real number is 8-byte long). From researches made on the
key. keystream bits it results that the 6 least significant bytes have a
(3) Some of the keystream bits are predictable. random distribution and every bit is set with a 50% probability.
90 A. Skrobek / Physics Letters A 363 (2007) 84–90

In author’s opinion, a dangerous property of the described ber causes the system to pass to non-standard states, provid-
algorithm is the fact that arithmetic operations on floating-point ing some possible predictability of the ciphertext. It is recom-
numbers are mixed with bit operations on the binary represen- mended to use techniques which generate a different ciphertext
tation of these numbers. Chaotic systems works for orbits with for the same plaintext. This efficiently makes the cryptanalysis
values from (0, 1). Orbit values outside that range can cause harder to perform.
that system quickly reach orbit values equal to ∞ or −∞.
Because of the bitwise xor operation on the orbit and the ci- Acknowledgements
phertext, the orbit of the system can reach any value. To prevent
this, the floating-point modulo 1.0 operation can be used instead The author would like to thank Jerzy Pejaś, Ph.D. for his
of xor operation. The binary xor operation can also be left, but help in the preparation of this Letter.
with the condition that it can be only performed on the number
bits which are responsible for the value from range of (0, 1).
References
This can be achieved by performing the xor operation on the
subset of bits of mantissa only. Also one can use a fixed-point
[1] N.S. Philip, K.B. Joseph, cs.CR/0102012.
decimal format. I this case the xor operation should change only [2] H.-O. Peitgen, H. Jürgens, D. Saupe, Fractals for the Classroom, Springer-
a fraction part of the number. Verlag, New York, 1992.
The above observation was made only for cipher algorithm [3] S. Hollasch, IEEE Standard 754 Floating Point Numbers, IEEE, 2004.
described in [1]. A number of discrete time chaotic ciphers have [4] S. Vanstone, A. Menezes, P. van Oorschot, Handbook of Applied Cryp-
been examined (see e.g. [10–14]), but no one was designed in tography, CRC Press, 1997.
[5] A. Kerckhoffs (von Nieuwenhof), La cryptographie militaire, J. Sci. Mili-
the way that chaotic orbit (cipher’s internal state) was processed taires January (1883), (French) (Military cryptography).
by bitwise operation (although some cryptanalyses were per- [6] B. Schneier, N. Ferguson, Practical Cryptography, John Wiley & Sons,
formed successfully). Therefore, author claims not to mix the 2003.
bitwise and floating point operation in chaotic cipher’s design [7] G. Álvarez, F. Montoya, M. Romera, G. Pastor, Phys. Lett. A 311 (2003)
as a general rule, because of possibility the internal state of ci- 172.
[8] G. Jakimoski, L. Kocarev, Phys. Lett. A 291 (2001) 381.
pher to run out of control. [9] C.E. Shannon, Bell Syst. Tech. J. 28 (1949) 656.
[10] N.K. Pareek, V. Patidar, K.K. Sud, Phys. Lett. A 309 (2003) 75.
8. Summary [11] M.S. Baptista, Phys. Lett. A 240 (1998) 50.
[12] T. Habatsu, Y. Nishio, I. Sasase, S. Mori, A Secret Key Cryptosystem by
Iterating a Chaotic Map, Springer-Verlag, 1998.
The encrypting machine’s dependency on the generated ci-
[13] Z. Kotulski, J. Szczepanski, Ann. Phys. 6 (1997) 381.
phertext causes a possibility of the system to run out of control [14] E. Alvarez, A. Fernández, P. García, J. Jiménez, A. Marcano, Phys. Lett.
and getting predictable results. Moreover, combining binary A 263 (1999) 373.
representation of a floating-point number with a random num-