Cryptanalysis of a spatiotemporal chaotic cryptosystem

Chaos, Solitons and Fractals 41 (2009) 1718–1722

Contents lists available at ScienceDirect

Chaos, Solitons and Fractals journal homepage: www.elsevier.com/locate/chaos

Cryptanalysis of a spatiotemporal chaotic cryptosystem Rhouma Rhouma *, Safya Belghith 6’com Laboratory, Ecole Nationale d’Ingénieurs de Tunis (ENIT), BP No. 50, Mtorech Gabes 6014, Tunisia

a r t i c l e

i n f o

a b s t r a c t

Article history: Accepted 14 July 2008

This paper proposes three different attacks on a recently proposed chaotic cryptosystem in [Li P, Li Z, Halang WA, Chen G. A stream cipher based on a spatiotemporal chaotic system. Chaos, Solitons & Fractals 2007;32:1867–76]. The cryptosystem under study displays weakness in the generation of the keystream. The encryption is made by generating a keystream mixed with blocks generated from the plaintext. The so obtained keystream remains unchanged for every encryption procedure. Moreover, its generation does neither depend on the plaintext nor on the ciphertext, that’s to say, the keystream remains unchangeable for every plaintext with the same length. Guessing the keystream leads to guessing the key. This paper presents three possible attacks able to break the whole cryptosystem based on this drawback in generating the keystream. Ó 2008 Elsevier Ltd. All rights reserved.

1. Introduction First, this paper gives a detailed introduction of the cryptosystem proposed by Li et al. [1], as a basis of the whole Letter. The cryptosystem use an CML (Coupled map lattice) given by:

xjnþ1 ¼ ð1  eÞf ðxjn Þ þ ef ðxj1 n Þ;

ð1Þ

xjn

where represents the state variable for the jth site (j ¼ 1; 2; . . . ; L, L ¼ 4, L is the number of all the sites in the CML) at time n ðn ¼ 1; 2; . . .Þ, e ¼ 0:95 is a coupling constant, and f ðx; rÞ ¼ rxð1  xÞ ðr 2 ½0; 4Þ. The periodic boundary condition, x0n ¼ xLn , is used in the CML. The encryption is described as

xjnþ1 ¼ ð1  eÞf ðxjn ; aj Þ þ ef ðxj1 n ; aj1 Þ;

ð2Þ

f ðxjn ; aj Þ ¼ ð3:9 þ 0:1aj Þxjn ð1  xjn Þ;

ð3Þ

K jn ¼ int½xjn  2u  mod 2t ;

ð4Þ

C jn

¼

M jn



K jn ;

ð5Þ K jn ; M jn ,

C jn

where u ¼ 32, t ¼ 52, and are the keystream, the plaintext and ciphertext, respectively,  is the bitwise XOR. Encryption keys are assumed as aj 2 ½0; 1, denoted as a ¼ fa1 ; a2 ; . . . ; aL g. The configuration and parameters of the decryption are the same as those of the encryption. When the CML parameters a of the transmitter and the transmitter are the same, the two system synchronize and will produce the same keystream, as a result, the plaintext is recovered.

* Corresponding author. Tel.: +216 98967423. E-mail addresses: [email protected] (R. Rhouma), [email protected] (S. Belghith). 0960-0779/$ - see front matter Ó 2008 Elsevier Ltd. All rights reserved. doi:10.1016/j.chaos.2008.07.016

R. Rhouma, S. Belghith / Chaos, Solitons and Fractals 41 (2009) 1718–1722

1719

2. Classical types of attacks When cryptanalyzing a cryptosystem, the general assumption made is that the cryptanalyst knows exactly the design and working of the cryptosystem under study, i.e., he knows everything about the cryptosystem except the secret key. This is an evident requirement in todays secure communications networks, usually referred to as Kerchoffs principle [2]. There are four classical types of attacks, we enumerate them ordered from the hardest types of attack to the easiest: (1) Ciphertext only: the opponent possesses a string of ciphertext. (2) Known plaintext: the opponent possesses a string of plaintext, P, and the corresponding ciphertext, S. (3) Chosen plaintext: the opponent has obtained temporary access to the encryption machinery. Hence he can choose a plaintext string, P, and construct the corresponding ciphertext string, S. (4) Chosen ciphertext: the opponent has obtained temporary access to the decryption machinery. Hence he can choose a ciphertext string, S, and construct the corresponding plaintext string, P. In each of these four attacks, the objective is to determine the key that was used. It suffices that one of the attacks is successful to consider an algorithm insecure. 3. Weakness of the cryptosystem The cipher under study behaves as a stream cipher [2]. The operation of the algorithm as a stream cipher can be explained as follows: suppose k is the key, given by a ¼ a1 ; a2 ; . . . ; aL and that M composed by M jn is the plaintext. For a given j, a keystream K ¼ K 1 K 2 . . . is generated using Eq. (4). This keystream is used to encrypt the plaintext according to the rule:

C ¼ eK 1 ðM1 ÞeK 2 ðM2 Þ . . . ¼ c1 c2 . . .

ð6Þ

Decrypting the ciphertext string C can be accomplished by computing the keystream K given the knowledge of the key k and undoing the operations eK n . The most serious problem of this cryptosystem is to make the generation of the keystream the same for every plaintext/ ciphertext. That’s can be avoided for example by changing the periodic boundary condition, x0n ¼ xLn to be dependant on the ciphertext and the plaintext, for example: x0n ¼ gðC Ln ; PLn Þ. With g is a function chosen to generate an output ðx0n Þ in a valid interval. Next, it is shown how to recover the keystream using chosen ciphertext, chosen plaintext, and known plaintext attacks. We note that knowing the keystream K jn generated by a certain key k ða ¼ a1 ; a2 ; . . . ; aL Þ is entirely equivalent to knowing the key [3]. Therefore, the following attacks focus on recovering the keystream K jn . 4. Breaking the cryptosystem using the keystream Suppose we have a ciphetext C composed by C jn , to decrypt without knowing the key k, and suppose that we have calculated the keystream K by maintaining one of the attacks described later in the subsections 4.1, 4.2 and 4.3. The recovered plaintext M composed by M jn can be obtained using the calculated keystream K and the ciphertext C:

Mjn ¼ C jn  K jn

ð7Þ

for every n ¼ 1; 2; . . .. and j ¼ 1; . . . ; L. And so, we can reconstruct the recovered plaintext M. The following subsections, will explain how to generate the keystream by means of three different attacks. 4.1. Chosen plaintext attack CPA We suppose that we have obtained temporary access to the encryption machinery. So we request the ciphertext of the plaintext P ¼ 00000 . . .: a plaintext of the same size of the ciphertext C constructed by the symbols Pjn ¼ 0 for every valid n and j. We obtain the ciphertext S composed by the symbols Sjn . The keystream K can be generated from P and S:

K jn ¼ Pjn  Sjn ¼ Sjn

ð8Þ

for every n ¼ 1; 2; . . .. and j ¼ 1; . . . ; L. The flowchart of this attack is given by Fig. 1. The Fig. 3c shows a total recovering of a ciphered image Jet of size 256  256 by the chosen plaintext attack. 4.2. Chosen ciphertext attack CCA We suppose that we have obtained temporary access to the decryption machinery. So we request the plaintext of the ciphertext S ¼ 00000 . . . of the same size of the ciphertext C constructed by the symbols Sjn ¼ 0 for every valid n and j. We obtain the plaintext P.

1720

R. Rhouma, S. Belghith / Chaos, Solitons and Fractals 41 (2009) 1718–1722

Fig. 1. Chosen plaintext attack.

Fig. 2. Chosen ciphertext attack.

The keystream K can be generated from S and P:

K jn ¼ Pjn  Sjn ¼ Pjn

ð9Þ

for every n ¼ 1; 2; . . .. and j ¼ 1; . . . ; L. The flowchart of this attack is given by Fig. 2. The Fig. 3d shows a total recovering of a ciphered image Jet of size 200  200 by the chosen ciphertext attack.

R. Rhouma, S. Belghith / Chaos, Solitons and Fractals 41 (2009) 1718–1722

1721

Fig. 3. (a) Plain image M; (b) ciphered image C; (c) recovered image M from the CPA; (d) recovered image M from the CCA.

Fig. 4. Known plaintext attack.

Fig. 5. (a) Plain image M; (b) ciphered image C; (c) know plain image P; (d) ciphered image S of P and (e) partial recovering of the image M from the KPA.

1722

R. Rhouma, S. Belghith / Chaos, Solitons and Fractals 41 (2009) 1718–1722

4.3. Known plaintext attack Knowing just one couple of plaintext/ciphertext of the same length of the ciphertext C leads to break totally the cryptosystem. (1) In case we possess a plaintext, P of the same size of C and its corresponding ciphertext S, the generation of the keystream is forward, it’s the rather the same like the chosen plaintext attack by:

K jn ¼ Pjn  Sjn

ð10Þ

for every n ¼ 1; 2; . . .. and j ¼ 1; . . . ; L. (2) If we do not have enough of couples plaintext/ciphetext to generate the keystream, this attack will break partially the cipher. And we can get the first symbols of the keystream (the number of guessed symbols is equal of the size of the known plaintext) applying the Eq. (10). The flowchart of this attack is given by Fig. 4. Fig. 5 shows the partial recovering of a ciphered image jet of size 256  256 by the known plaintext attack using a known couple plaintext/ciphertext of Lena of size 200  200. 5. Conclusion In this paper, three attacks were presented to break a recently chaotic cryptosystem based on a spatiotemporal system. It has been shown that the reuse of the keystream more than once makes it weak against chosen ciphertext, chosen plaintext and known plaintext attacks. The generated keystream neither depends on the plaintext nor does it depend on the ciphertext, which makes it unchangeable in every encryption process. References [1] Li P, Li Z, Halang WA, Chen G. A stream cipher based on a spatiotemporal chaotic system. Chaos, Solitons & Fractals 2007;32:1867–76. [2] Stinson DR. Cryptography: theory and practice. Boca Raton, FL: CRC Press; 1995. [3] Alvarez G, Montoya F, Romera M, Pastor G. Cryptanalysis of an ergodic chaotic cipher. Phys Lett A 2003;311(2–3):172–9.