Breaking a Chaotic Cryptographic Scheme Based on Composition Maps

Differential attack is an attack to recover the information about secret key and/or plaintext by analyzing the evolution of differences when some pairs of plaintexts are encrypted with the same secret key. In [Behnia:IJBC08, , Sec. 5.4], the authors claimed the encryption scheme under study can withstand differential attack effectively. However, we find that the scheme can be broken by this attack easily with the following steps.

• •

  Breaking Confusion I:

  If two plaintexts, $\bm{\mathrm{I}}_{1}=\{I_{1}(k)\}_{k=1}^{MN}$ and $\bm{\mathrm{I}}_{2}=\{I_{2}(k)\}_{k=1}^{MN}$, are encrypted by the same secret key, one has the following equality.

  	$\displaystyle I^{\prime}_{1}(k)\oplus I^{\prime}_{2}(k)$	$\displaystyle=$	$\displaystyle I_{1}^{\star}(k)\oplus\phi_{4}(k)\oplus I_{2}^{\star}(k)\oplus\phi_{4}(k)$
  		$\displaystyle=$	$\displaystyle I^{\star}_{1}(k)\oplus I^{\star}_{2}(k)$
  		$\displaystyle=$	$\displaystyle\phi_{3}(k)\oplus(I_{1}^{*}(k)\dotplus\phi_{3}(k))\oplus I^{\star}_{1}(k-1)\oplus$
  			$\displaystyle\phi_{3}(k)\oplus(I^{*}_{2}(k)\dotplus\phi_{3}(k))\oplus I^{\star}_{2}(k-1)$
  		$\displaystyle=$	$\displaystyle(I_{1}^{*}(k)\dotplus\phi_{3}(k))\oplus(I_{2}^{*}(k)\dotplus\phi_{3}(k))\oplus(I^{\star}_{1}(k-1)\oplus I^{\star}_{2}(k-1))$
  		$\displaystyle=$	$\displaystyle(I_{1}^{*}(k)\dotplus\phi_{3}(k))\oplus(I_{2}^{*}(k)\dotplus\phi_{3}(k))\oplus(I^{\prime}_{1}(k-1)\oplus I^{\prime}_{2}(k-1))$		(7)

  Furthermore, if the plaintexts, $\bm{\mathrm{I}}_{1}$ and $\bm{\mathrm{I}}_{2}$, are chosen of fixed value, one has

  $$(I^{\prime}_{1}(k)\oplus I^{\prime}_{2}(k))\oplus(I^{\prime}_{1}(k-1)\oplus I^{\prime}_{2}(k-1))=(I_{1}(k)\dotplus\phi_{3}(k))\oplus(I_{2}(k)\dotplus\phi_{3}(k))$$

  (8)

  Since the left part of the above equation, $I_{1}(k)$ and $I_{2}(k)$ are known, Eq. (8) can be simplified as the following equation.

  $$y=(a\dotplus x)\oplus(b\dotplus x),$$

  (9)

  where $a,b,x\in\{0,1,\cdots 255\}.$

  It has been verified by computer that a set $\{x,x\oplus 128\}$ can be determined uniquely with three different sets of $(a,b)$, e.g. (9, 127), (1, 52), (33, 65). From Fact 1, one can see that $\phi_{3}(k)$ and $\phi_{3}(k)\oplus 128$ are equivalent with respect to the encryption.

  Fact 1

  $\forall\ a,b\in\mathbb{Z}$, $(a\oplus 128)\dotplus b=(a\dotplus b)\oplus 128$.

• •

  Breaking Confusion II:

  After $\{\phi_{3}(k)\}_{k=1}^{MN}$ has been broken, only the step Confusion II is left for a plaintext of fixed value, $\bm{\mathrm{I}}_{1}$, $I_{1}^{\star}(k)$ can be determined. Then, one has

  $$\phi_{4}(k)=I_{1}^{\prime}(k)\oplus I_{1}^{\star}(k),$$

  (10)

  for $k=1\sim MN$.

• •

  Breaking Permutation:

  After the steps Confusion I and Confusion II have been broken, only the step permutation is left. As shown in Li:AttackingPOMC2004 , any permutation-only cryptographic scheme can be broken with only $O\left(\log_{L}(MN)\right)$ known/chosen plain-texts, where $L$ is the number of different element in plain-text.

To validate performance of the proposed attack, some experiments on some plain-images of size $512\times 512$ have been performed. Besides $S=33$, the same secret key used in [Behnia:IJBC08, , Sec. 3] was adopted: $(x_{0},\alpha_{1},\alpha_{2})=(25.687,2.10155,3.569221)$, $(x_{0}^{\prime},\alpha_{1}^{\prime},\alpha_{2}^{\prime})=(574.461,1.8874,4.23562)$, $(x_{0}^{*},\alpha_{1}^{*},\alpha_{2}^{*})=(814.217217,2.8912,3.89954)$, $(y_{0},\alpha_{3},\alpha_{4})=(79.82,61.522,257.26223)$. The step Confusion I can be broken with the six chosen plain-images of fixed values, 9, 127, 1, 52, 33 and 65, as shown in Fig. 1 and the corresponding cipher-images shown in Fig. 2. Then, the plain-image shown in Fig. 1a) and the corresponding cipher-images can break the step Confusion II. Finally, the step Permutation can be broken with $\lceil\log_{256}(512\cdot 512)\rceil=3$ special plain-images shown in Fig. 3. The obtained equivalent secret key was used to decrypt another cipher-image, as shown in Fig. 4a), and the result is shown in Fig. 4b).

• •

  Problems about Secret Key;

  As specified in [LiShujun:Rules:IJBC2006, , Rule 5], the key space of a secure encryption scheme should be precisely specified and avoid non-chaotic regions. However, even with the measure used in Behnia:IJBC08 , a great number of secret key should be excluded from the key space of the encryption scheme under study (see Fig. 5).

  

• •

  Insufficient Randomness of Pseudo-Random Number Sequences $\{\phi_{1}(k)\}$, $\{\phi_{2}(k)\}$, $\{\phi_{3}(k)\}$, and $\{\phi_{4}(k)\}$

  To study the dynamic property of the two equations $f(x)$ and $g(x)$, we drew the graph of the two equations under a greater of number of random parameters. Due to the similarity, only the graphs of $f(x)$ and $g(x)$ with $(\alpha_{1},\alpha_{2})=(2.10155,3.56922)$, $(\alpha_{3},\alpha_{4})=(61.522,257.26223)$ are shown in Fig. 6. Comparing the graphs of the two functions and $y=x$, one can assure that the states generated by iterating the two functions will approach zero soon after some iterations.

  

  a) $f(x)$

  

  b) $g(x)$

  To further test the randomness of the sequences generated by the two equations, we adopted the test suite proposed in Rukhin:TestPRNG:NIST . Since the three sequences $\{\phi_{1}(k)\}$, $\{\phi_{2}(k)\}$, and $\{\phi_{4}(k)\}$ are determined by the same equation, only the randomness of $\{\phi_{3}(k)\}$ and $\{\phi_{4}(k)\}$ was tested. For every sequence, 100 samples of length $512\cdot 512/8=32768$ (the number of bytes used for encryption of a gray-scale plain-image of size $512\times 512$) were generated by random secret keys. For each test, the default significance level 0.01 was adopted. The results are shown in Table 1, from which one can see that the two equations both cannot be used as a good random number generator.

  Name of Test	Number of Passed Sequences
  	$f(x)$	$g(x)$
  Frequency	6	2
  Block Frequency ($m=100$)	10	6
  Cumulative Sums-Forward	6	3
  Runs	8	3
  Rank	68	99
  Non-overlapping Template ($m=9$, $B=110001000$)	76	64
  Serial ($m=16$)	6	9
  Approximate Entropy ($m=10$)	8	6
  FFT	65	49

• •

  Insensitivity with Respect to Changes of Plaintext

  In [Behnia:IJBC08, , Sec.5.4], the importance of sensitivity with respect to changes of plaintext is recognized. However, the encryption scheme under study is actually very far away from the desired property. In cryptography, the most ideal situation about sensitivity is that the change of any single bit of plaintext will make every bit of the corresponding ciphertext change with a probability of one half. Obviously, the encryption scheme under study can not reach the desired state due to the following points.

  • –

    No nonlinear S-box is involved in the whole scheme;

  • –

    Any bit of plaintest only may influence the bits at the above levels in the ciphertext;

  • –

    Any pixel of plaintext does not influence other pixels in the corresponding ciphertext uniformly.

  To demonstrate this defect efficiently, we performed an experiment by changing a bit of the plain-image of size $512\times 512$ shown in Fig. 3c). It is found that only the bits of one level are changed. The locations of the changed bits are shown in Fig. 7, where the white dots denote changed locations and black ones denote unchanged ones.

  

  a) $0\sim 4$th

  

  b) 5th

  

  c) 6th

  

  c) 7th