Physics Letters A 363 (2007) 84–90

www.elsevier.com/locate/pla

Cryptanalysis of chaotic stream cipher

Adrian Skrobek
Szczecin University of Technology, 71-210 Szczecin, Poland
Received 17 May 2006; accepted 21 October 2006
Available online 7 November 2006
Communicated by A.P. Fordy

Abstract
In [N.S. Philip, K.B. Joseph, Chaos for stream cipher, cs.CR/0102012] Philip and Joseph propose their own cipher algorithm. An efficient
attack on the values of the key of this cipher is presented in this Letter. Other weaknesses of this cipher are presented, and proposals of algorithm’s
improvement as well.
© 2006 Elsevier B.V. All rights reserved.

Keywords: Cryptanalysis; Chaos; Stream cipher

1. Introduction approximation of an analog system [2]. Currently most of the

cryptographic algorithms call for discrete approach.
In [1] Philip and Joseph present the proposal of a cipher al- In the case of a logistic map
gorithm based on a couple of logistic maps and bitwise “xor” xn+1 = λxn (1 − xn ), 0λ4 (1)
operation. Most of the stream ciphers are based on pseudoran-
dom number generator. The sending party adds secret informa- the state xn+1 is entirely determined by the state xn . Although
tion to the carrying signal. The secret information is removed at the formed chaotic orbit looks as it was random, it is completely
the receiver side (this way the message is recovered; it is neces- predictable. A system based only on a logistic map is not safe
sary that the receiver can generate an identical carrying signal). from the cryptographic point of view. Two chaotic systems have
A good pseudorandom number generator must have a long cy- been considered, with orbits specified as {xn } and {xn } (both
cle length. systems share the λ system parameter).
Chaotic systems are characterized by properties, which are
promising for the designers of stream ciphers. They are char- 1.1. Cipher’s algorithm description
acterized by irregular run, though they are necessitarian. The
chaotic systems are well-used in analog systems, however in After some simplification of the original description, the
discrete systems the main problem is the finite precision of cal- cryptographic algorithm is described as below (the block dia-
culation. What makes it worse, is the fact that chaotic systems gram of this algorithm is shown on Fig. 1):
are expotentially sensitive to the initial conditions. None the Pn = xn ⊕ xn , (2)
less, it was observed that a combination of few chaotic systems
gives a sequence with a complicated structure. The research was Cn = Pn ⊕ yn , (3)
focused on the linear systems. In [1] the amplification of this xn+1 = f (xn , λ) ⊕ Cn , (4)

approach for non-linear systems is described. xn+1 = f (xn , λ), (5)
The discrete realization of chaotic systems is different in re-
lation to the analog realization, but it is still a good enough where, yn is plaintext stream, Cn is a ciphertext, ⊕ means
a bitwise xor operation. x0 , x0 and λ are the cipher’s key.
f (x, λ) = λx(1 − x) is the logistic map. The value of x0 is cal-
E-mail address: askrobek@wi.ps.pl (A. Skrobek). culated from the value of x0 , but the way to do it is not given
0375-9601/$ – see front matter © 2006 Elsevier B.V. All rights reserved.
doi:10.1016/j.physleta.2006.10.081
 A. Skrobek / Physics Letters A 363 (2007) 84–90
Fig. 1. Block diagram of the Philip–Joseph algorithm.
in [1]. This transformation cannot be secret if the process of
decryption is supposed to be possible. An assumption can be
made that x0 does not belong to the key. However, this does not
change the further cryptanalitycall deliberation.
In the proposed algorithm a value of x0 and the calculation
of x0 from x0 is sent to the recipient. Such an approach is not
recommended: This transformation must be known, therefore it
decreases the key space by one parameter.
A stream cipher needs a pseudorandom number generator.
Linear shift registries (LFSR) are often used in classic ciphers.
These are generally linear systems. A non-linear transforma-
tion (xor operation), which causes a jump between trajectories
(those leads to perturbations in the chaotic system) was used in
the given example. A system like this is still necessitarian, how-
ever its attractor is far more chaotic. The sequences generated
by the system are identical only in case, where the same plain-
text is enciphered and the parameters x0 , x0 and λ are equal. It
was proposed to use a random number as a value of the x0 pa-
rameter, using the current system time as the seed. This is not a
good idea because time can be estimated with a certain proba-
bility.
The resistance to the brute force attack was estimated in [1]
by specifying a number of the significant bits of the key (xn ,
xn and λ) as a value of 2m + k, which gives 22m+k of combi-
nations. With the assumption that k = m = 16 bits, the number
of combinations equals 248 . However, 248 is a way too small
number. The case gets worse because of the fact, that xn comes
from xn , so the number of combinations will be even smaller.
Increasing the number of the significant bits of parameters or
multiple encryption was proposed to improve the immunity to
brute force attack. In the second case, a cryptanalyst has to con-
sider the previous enciphered value or do 2n(2m+k) calculations.
The cipher, however, will be slower.
1.2. Implementation details
Although the authors in [1] assume a 16-bit long decimal
format, it is more natural to use widely applicable standard
IEEE-754 of floating point number representation [3]. In fact
because of size of the double precision float, the algorithm is
also more secure against the brute force attack. During investi-
85
gation of the proposed algorithm we use a 64-bit representation
of float number. As it has been mentioned in Section 1.1, the x0
value does not belong to the key. However, even if we have a
128-bit long key (λ and x0 ), the key entropy is lower because
some of its bits are constant. The key entropy could be esti-
mated at the level of 96 bits.
2. Classic types of attack
While examining the encrypting algorithm, the cryptanalyst
knows all the implementation details, the variables value range,
initial states and so on. The only unknown is the value of the
key, but its value range is known. This approach is consistent
to Kerckhoff’s principle, which states that the safety of a cipher
must rely only on the key safety [4,5].
Currently the classic types of attack are as follows (from the
most complicated to the most simple one):
(1) Ciphertext-only attack;
(2) Known plaintext attack;
(3) Chosen plaintext attack;
(4) Chosen ciphertext attack.
The sense of using attacks other than ciphertext-only attack is
shown when considering a cipher as one built into a crypto-
graphic device or, for example, during setting an SSL session.
In that situation, although the keys themselves are hidden, the
attacker has a possibility to send any messages to the device or
the server.
A combination of attacks with chosen plaintext and chosen
ciphertext have been used in the Letter. This method is known
under the name of adaptive chosen plaintext attack and adap-
tive chosen ciphertext attack. It is based on the selection of a
plaintext based on previously acquired results.
3. An attack on the first two blocks
An uncovered weakness of investigated cipher is a problem
with encrypting blocks of plaintext with the same keystream. As
it is described below, the analyzed algorithm encrypts the first
two blocks with the same keystream. This information could be
usefull to decrypt the first two blocks of ciphertext when an at-
tacker obtains a temporary access to the encryption machinery.
It uniquely results from the encryption algorithm that for a
given key x0 , x0 and λ, the value of P0 is always the same.
Therefore, using a chosen or known plaintext attack, it can be
calculated that
α0 = P0 = C0 ⊕ y0 . (6)
With knowledge of α0 for a given key, the first 8-byte block of
a ciphertext can be deciphered by calculating
y0 = α0 ⊕ C0 . (7)
The calculation of the second block requires the evaluation of
α1 = f (x0 , λ) ⊕ f (x0 , λ). (8)
86 A. Skrobek / Physics Letters A 363 (2007) 84–90
Fig. 2. Algorithm of an attack on first two blocks.
It is a constant value, dependent of the key, but independent of
the plaintext. As it turns out, the value of α1 can be calculated
from the ciphertext and the plaintext, using a known or chosen
plaintext attack. The value of α1 = C1 ⊕ C0 ⊕ y1 .
Proof:
C1 = P1 ⊕ y1 ,
C1 = x1 ⊕ x1 ⊕ y1 ,
C1 = f (x0 , λ) ⊕ C0 ⊕ f (x0 , λ) ⊕ y1 ,
f (x0 , λ) ⊕ f (x0 , λ) = C1 ⊕ C0 ⊕ y1 = α1 .
Knowing the value of α1 , the second block of the plaintext can
be calculated for any ciphertext, according to the formula
y1 = α1 ⊕ C0 ⊕ C1 .
The above description has been shown on Fig. 2.
4. An attack on the constant bits of the ciphertext
The involvement of a non-linear transformation (i.e. opera-
tions on numbers using floating-point arithmetic) to a logistic
function makes the cryptanalysis of consecutive blocks more
complicated. Other weaknesses of the algorithm is explained
later. A cryptanalysis of at least a part of the ciphertext can be
done with a ciphertext only. According to the shown algorithm,
y0 = C0 ⊕ x0 ⊕ x0 . The values of x0 and x0 must enclose in the
range of (0, 1). After research has been made, it turned out that
the most significant 8 bits of the parameter P0 have value 0. The
8th bit has the value 1 with a 1% probability, whereas the 9th
bit with a 16% probability. The remaining bits have a random
distribution. Therefore, decryption of the first 10 bits according
to the formula y0 = C0 is feasible with high probability.
Ten first bits of the second block can be decrypted with
higher probability than in the case of the first block. Numbers
in the range of (0, 1) in a floating-point representation have the
9 first bits set to a known and fixed value. Bit 9 can be esti-
mated with approximately 90% probability. What follows from
the ciphering algorithm is this: y1 = P1 ⊕ C1 = x1 ⊕ x1 ⊕ C1 =
f (x0 , λ) ⊕ C0 ⊕ f (x0 , λ) ⊕ C1 . Researches have shown the
9 most significant bits can be uniquely estimated for the ex-
pression f (x0 , λ) ⊕ f (x0 , λ), however the 9th bit with a 90%
probability. It is possible then to decrypt the first 10 bits with
high probability, according to the formula y1 = C0 ⊕ C1 .
5. An attack on the parameters of the key
The most efficient attack on the cipher algorithm is shown
below. It allows to get all the values of the key. This attack
is a combination of attacks with chosen ciphertext and cho-
sen plaintext attacks. The idea is to make a chaotic system
run out of control, so that one of the systems enters a for-
bidden area. It is best for the next orbit value to be a “NaN”
(Not a Number) or infinity. This is impossible for the system

xn+1 = f (xn , λ), because the value of the control parameter
λ ∈ (3.57, 4). The initial value also will probably be selected
correctly, so x0 , x0 ∈ (0, 1). Although the involvement of the
xor operation into the function of the system xn+1 = f (xn , λ)
prevented previous attacks, in this case it gave a possibility of
an efficient attack on the algorithm.
To execute an attack, the values of x0 ⊕ x0 and f (x0 , λ) ⊕
(9) f (x0 , λ) have to be defined first. They can be acquired by deci-
phering the ciphertext specified by the sequence C2 = (0, 0). In
(10) accordance with the decrypting algorithm, we will get the se-
(11) quence P2 = (x0 ⊕ x0 ⊕ 0, f (x0 , λ) ⊕ f (x0 , λ) ⊕ 0) = (x0 ⊕
x0 , f (x0 , λ) ⊕ f (x0 , λ)) (details listed in Table 1). This se-
(12)
quence will be used to prepare a special plaintext sequence,
which will then make the system run out of control to a for-
bidden area. The chaotic system xn+1 = f (xn , λ) will run out
of control when its argument (previous orbit value) will be a
(13) large binary number. This effect cannot be obtained in the first
step: The orbit value is dependent on x0 . It is known though,
that every orbit value of the logistic function is in the range
of (0, 1). In accordance with [3] the binary representation of a
normalized floating-point number ranging in (0, 1) contains the
value 0x3f in the most significant byte. Let introduce constant
Imax (the maximum value of an integer without the sign and a
binary length equal to the length of a binary representation of a
floating-point number):
Imax = 0xffffffffffffffff. (14)
 A. Skrobek / Physics Letters A 363 (2007) 84–90 87

Table 1
Initializing the chosen ciphertext attack with C2 = (0, 0)
n xn xn Pn Cn yn f (xn ) f (xn )
0 x0 x0 x0 ⊕ x0 0 x0 ⊕ x0 f (x0 ) f (x0 )
1 f (x0 ) f (x0 ) f (x0 ) ⊕ f (x0 ) 0 f (x0 ) ⊕ f (x0 ) f 2 (x0 ) f 2 (x0 )

Table 2
Chosen plaintext attack with y3 = (β0 , β1 , 0)
n xn xn Pn Cn yn f (xn ) f (xn )
0 x0 x0 x0 ⊕ x0 Imax ⊕ 1.0 β0 f (x0 ) f (x0 )
1 Ilarge f (x0 ) Ilarge ⊕ f (x0 ) 0 β1 −∞ f 2 (x0 )
2 −∞ f 2 (x0 ) −∞ ⊕ f 2 (x0 ) −∞ ⊕ f 2 (x0 ) 0 −∞ f 3 (x0 )
3 f 2 (x0 ) f 3 (x0 ) f 2 (x0 ) ⊕ f 3 (x0 ) – – f 3 (x0 ) f 4 (x0 )

Table 3
Chosen plaintext attack with y4 = (β0 , β1 , f 2 (x0 , λ), 0)
n xn xn Pn Cn yn f (xn ) f (xn )
0 x0 x0 x0 ⊕ x0 Imax ⊕ 1.0 β0 f (x0 ) f (x0 )
1 Ilarge f (x0 ) Ilarge ⊕ f (x0 ) 0 β1 −∞ f 2 (x0 )
2 −∞ f 2 (x0 ) −∞ ⊕ f 2 (x0 ) −∞ f 2 (x0 ) −∞ f 3 (x0 )
3 0 f 3 (x0 ) f 3 (x0 ) f 3 (x0 ) 0 0 f 4 (x0 )
4 f 3 (x0 ) f 4 (x0 ) f 3 (x0 ) ⊕ f 4 (x0 ) – – f 4 (x0 ) f 5 (x0 )

According to [3], its floating-point representation is −21023 .
Additionally, let us mark
Ilarge = 0xff d2 d3 . . . d15 .
The value of Ilarge is a number which contains the value 0xff
as the most significant byte and the remaining digits (hexadeci-
mal) are undetermined. Passing the value
β0 = Imax ⊕ 1.0 ⊕ x0 ⊕ x0
to the encrypting function as the first block, x0 ⊕ x0 ob-
tained from the first step will cause that x1 = β0 ⊕ x0 ⊕ x0 ⊕
f (x0 , λ) = Ilarge will be a large binary number (in accordance
with [3] in the floating-point representation of the value of Ilarge
is, with high probability, smaller than −21009 ). This comes from
the fact that the result of the operation on the logistic map itself
will have a binary representation with the most significant bit
value of 0x3f , by which it eliminates value of 1.0 in a sig-
nificant degree. The value of P0 eliminates passing of itself
(obtained from the first step) as a part of y0 .
The above operation will cause the system to run out of
control. To get the first part of the key, which in this case is
f 2 (x0 , λ), the value of the expression
β1 = Imax ⊕ 1.0 ⊕ f (x0 , λ) ⊕ f (x0 , λ)
should be encrypted as the second block. Equally to the first
block, the value f (x0 , λ) ⊕ f (x0 , λ) is obtained from the stage
of the initial attack. Delivering this value for deciphering in the
second block will cause that x2 = −∞. This is the result of the
fact that the previous value of x1 was a large binary number,
stored in all bits of the binary representation of a floating-point
number. The logistic map is a quadratic function, so after rising
it to the second power, the function requires greater more space
than there is available for the binary representation, thus the
mathematical package returns the value of infinity. Addition-
ally, the value C1 = 0, so it does not change any bits of the value
(15) x2 . The zero value comes from the fact that C1 = y1 ⊕ P1 =
Imax ⊕ 1.0 ⊕ f (x0 , λ) ⊕ f (x0 , λ) ⊕ f (x0 , λ) ⊕ C0 ⊕ f (x0 , λ) =
Imax ⊕ 1.0 ⊕ f (x0 , λ) ⊕ f (x0 , λ) ⊕ Imax ⊕ 1.0 ⊕ x0 ⊕ x0 ⊕ x0 ⊕
x0 = 0.
After performing the above step it is known that the current
(16) orbit value is xn+1 = f (xn , λ) = −∞. This value has an ap-
propriate binary representation. Block y2 = 0 is supposed to be
encrypted in the next step, so that C2 = −∞ ⊕ x2 is acquired.
The values of each variable and expression are shown in Ta-
ble 2. Finally, x2 is evaluated from formula (18)
x2 ≡ f 2 (x0 , λ) = −∞ ⊕ C2 . (18)
To obtain all essential values of the key (it is known that xn =
xn ⊕ Pn , Pn was obtained from the first stage of cryptanalysis)
the value of one of the next orbits is f (xn , λ) or f (xn , λ) is re-
quired. To get it, the encryption of the first two blocks should be
performed once more (after resetting the internal state of the en-
crypter) and encrypt the lately obtained value f 2 (x0 , λ) as the
third block, number 0 as the fourth. This will be the cause for
the value x3 = 0, and as an effect of encryption of a block with
(17) 0 value we get C3 = x3 (C3 = P3 ⊕ 0 = x3 ⊕ 0 ⊕ 0 = x3 ). The
parameters and expressions values are shown in Table 3. Know-
ing the values of x2 and x3 , a control parameter λ is calculated
from formula (19)
x3
λ= . (19)
x2 · (1 − x2 )
The value of x1 can be calculated from the reverse logistic map
iteration formula referring to the logistic map defined by the
88 A. Skrobek / Physics Letters A 363 (2007) 84–90

Therefore β0 = 0xc03ec5b16c5b16c1. According to [3], the

value 0x3ff 0000000000000 is a binary representation of a real
number 1.0, and 0xffffffffffffffff is a value earlier de-
fined as Imax . Similarly, we evaluate

β1 = 0xffffffffffffffff ⊕ 0x3ff 0000000000000

⊕ 0x000f 51b9da190082. (27)
After calculation β1 = 0xc000ae4625e6ff 7d. Afterwards we
encrypt the sequence y3 = {β0 , β1 , 0}, which gives us:

y3 = {0xc03ec5b16c5b16c1, 0xc000ae4625e6ff 7d,

0x0000000000000000}. (28)
The sequent states of the encrypter are shown in Table 5 (deci-
mal representation is rounded). As it can be seen, the value x1 =
0xff e495182a9930be is the value earlier defined as Ilarge . It
is unknown exactly what value will that be (it depends on the
argument, which depends on the encrypter’s keys), but it will
surely be a value outside the valid range of (0, 1) (in this exam-
ple Ilarge = −1.1562 × 10308 ) causing the chaotic system to run
out of control in the next step. Indeed, the value of x2 = −∞.
As an additional effect it can be observed that the system’s state
x  ‘jumped’ to system x in the third step. This results directly
from the construction of the sequence passed for encryption.
As a result of enciphering the y3 sequence we get the se-
quence
Fig. 3. Algorithm of an attack on parameters of the key.
C3 = {0xc00fffffffffffff, 0x0000000000000000,
formulas (20) 0xc01a8f e0ee102230} (29)
⎧ 
xn
⎪
⎨ 1− 1−4 λ in which the last element is −∞ ⊕ x2 (as appears in Table 2).

or
xn−1 = 
2
(20) From the specification [3], confirmed by Table 5, it is known
⎪ 
⎩ 1+ 1−4 xλn that −∞ = 0xfff 0000000000000, so x2 = −∞ ⊕ C3 (2):
2 .
A step by step algorithm of the cryptanalytic process is shown x2 = 0xfff 0000000000000 ⊕ 0xc01a8f e0ee102230
at Fig. 3. = 0x3f ea8f e0ee102230. (30)

6. An example of an attack on the key values Finally x2 = 0.83006331. According to the procedure de-
scribed in the previous point, the next thing to do is to encrypt
Assuming that the ciphering keys are: the block y4 = {β0 , β1 , x2 , 0}. Let us encrypt the sequence:

λ = 3.57, (21) y4 = {0xc03ec5b16c5b16c1, 0xc000ae4625e6ff 7d,

x0 = 0.4 = 0x3f d999999999999a, (22) 0x3f ea8f e0ee102230, 0x0000000000000000}. (31)
x0 = 0.77 = 0x3f e8a3d70a3d70a4. (23) The internal states of the encrypter are specified in Table 6 (dec-
Let us decipher the sequence imal values are rounded). As the result of encryption we get the
sequence:
C2 = {0x0000000000000000, 0x0000000000000000}. (24)
The sequent values of the decoder’s chaotic systems are stated C4 = {0xc00fffffffffffff, 0x0000000000000000,
in Table 4 (decimal representation is rounded). As a result of 0xfff 0000000000000, 0x3f e01d4f 391519b3}. (32)
deciphering we get the sequence
The last value of the sequence is x3 = 0.50357782. The value of
P2 = {0x00313a4e93a4e93e, 0x000f 51b9da190082}. (25) the key λ can be calculated, accordingly to formula (19), when
Next, we evaluate knowing the values of x3 and x2 . After the end of calculation:

β0 = 0xffffffffffffffff ⊕ 0x3ff 0000000000000 x3 0.50357782

λ=   = = 3.57.
⊕ 0x00313a4e93a4e93e. (26) x2 · (1 − x2 ) 0.83006331 · (1 − 0.83006331)
(33)
 A. Skrobek / Physics Letters A 363 (2007) 84–90 89

Table 4
Decrypter’s internal states in initialization phase
n xn xn (hex) xn xn (hex)
1 0.8568 0x3f eb6ae7d566cf 41 0.632247 0x3f e43b5e0f 7f cf c3
2 0.4380167232 0x3f dc08774b4f af 7b 0.83006331 0x3f ea8f e0ee102230

Table 5
Encrypter states during the out of control runs
n xn xn (hex) xn xn (hex)
1 −1.1562 × 10308 0xff e495182a9930be 0.632247 0x3f e43b5e0f 7f cf c3
2 −∞ 0xfff 0000000000000 0.83006331 0x3f ea8f e0ee102230
3 0.83006331 0x3f ea8f e0ee102230 0.50357782 0x3f e01d4f 391519b3

Table 6
Internal states of the encrypter while retrieving the x3 value
n xn xn (hex) xn xn (hex)
1 −1.1562 × 10308 0xff e495182a9930be 0.632247 0x3f e43b5e0f 7f cf c3
2 −∞ 0xfff 0000000000000 0.83006331 0x3f ea8f e0ee102230
3 0.0 0x0000000000000000 0.50357782 0x3f e01d4f 391519b3
4 0.50357782 0x3f e01d4f 391519b3 0.89245430 0x3f ec8ef c52a48605

With the values of λ, x3 and x2 now known, we calculate the (4) System is susceptible for running out of control.
value of x1 accordingly to formula (20):
  The first inconvenience shows, that the key entropy which
x2
1− 1−4 λ 1 − 1 − 4 0.83006331
3.57 defines an upper bound of the cipher’s security [4] is weaker

x1 = = = 0.367753
2 2 than today’s security requirements [6]. This is because of fact,
(34) that initial values of chaotic systems depends of each other. This
or can be easily avoided by omitting the function that transforms
 
x2 one key into another and by defining explicitly all parts of the
1 + 1 − 4 1 + 1 − 4 0.83006331
3.57
x1 = λ
= = 0.632247. key. This way the key’s length will reach about 150 bits, what
2 2 can be treated as secure.
(35) A common feature of many ciphers (see e.g. cryptanalyses in

From the two possible results of the value of x1 , we calculate [7,8]) is a problem with encrypting blocks of plaintext with the
four potential x0 keys. One of them is correct. We use for- same keystream. The analyzed algorithm encrypts only the first
mula (20) analogically, but with input values of 0.367753 and two blocks with the same keystream. To prevent this, two first
0.632247. We then get four possible values of the key (some blocks can be passed as random numbers and can be omitted
values are rounded): 0.77, 0.23, 0.8833900, 0.1166099. The while decrypting. However it is better to pass a random number
correct key in this case is 0.77. To evaluate the x0 key, a xor as the first block (so-called “salt” value) to the encrypter, and
operation should be executed on the value of the x0 key and the send every following number as a result of xor operation of
first element of P2 sequence. Therefore: the first block with the block of plaintext. At the moment of
decryption the first block should be decrypted at first, then after
x0 = 0x3f e8a3d70a3d70a4 ⊕ 0x00313a4e93a4e93e
decrypting the following blocks, perform the xor operation of
= 0x3f d999999999999a. (36) the deciphered first block and the following deciphered blocks.
In result x0 = 0.4. This way to obtain all three numbers, which As it has been written in [5] and latter in [9], the security of
are the cipher’s key. a cipher must rely only on security of the key. So ability to gain
of any bit of the key reduces security of whole cipher. Chaotic
7. Improvement suggestions systems usually works within the real number domain. Further-
more, the range of those numbers is often limited within the
In consequence of the cryptanalysis the following weak- range of (0, 1). To minimize the predictability of the keystream
nesses of the encrypting algorithm have been noticed: bits and other variables of the encrypter’s state, the block should
be shortened to a number of bits which is less predictable (e.g.
(1) One part of the key depends on the other. to the 6 least significant bytes, if the binary representation of
(2) The first two blocks are always enciphered with the same a real number is 8-byte long). From researches made on the
key. keystream bits it results that the 6 least significant bytes have a
(3) Some of the keystream bits are predictable. random distribution and every bit is set with a 50% probability.
90 A. Skrobek / Physics Letters A 363 (2007) 84–90
In author’s opinion, a dangerous property of the described
algorithm is the fact that arithmetic operations on floating-point
numbers are mixed with bit operations on the binary represen-
tation of these numbers. Chaotic systems works for orbits with
values from (0, 1). Orbit values outside that range can cause
that system quickly reach orbit values equal to ∞ or −∞.
Because of the bitwise xor operation on the orbit and the ci-
phertext, the orbit of the system can reach any value. To prevent
this, the floating-point modulo 1.0 operation can be used instead
of xor operation. The binary xor operation can also be left, but
with the condition that it can be only performed on the number
bits which are responsible for the value from range of (0, 1).
This can be achieved by performing the xor operation on the
subset of bits of mantissa only. Also one can use a fixed-point
decimal format. I this case the xor operation should change only
a fraction part of the number.
The above observation was made only for cipher algorithm
described in [1]. A number of discrete time chaotic ciphers have
been examined (see e.g. [10–14]), but no one was designed in
the way that chaotic orbit (cipher’s internal state) was processed
by bitwise operation (although some cryptanalyses were per-
formed successfully). Therefore, author claims not to mix the
bitwise and floating point operation in chaotic cipher’s design
as a general rule, because of possibility the internal state of ci-
pher to run out of control.
8. Summary
The encrypting machine’s dependency on the generated ci-
phertext causes a possibility of the system to run out of control
and getting predictable results. Moreover, combining binary
representation of a floating-point number with a random num-
ber causes the system to pass to non-standard states, provid-
ing some possible predictability of the ciphertext. It is recom-
mended to use techniques which generate a different ciphertext
for the same plaintext. This efficiently makes the cryptanalysis
harder to perform.
Acknowledgements
The author would like to thank Jerzy Pejaś, Ph.D. for his
help in the preparation of this Letter.
References
[1] N.S. Philip, K.B. Joseph, cs.CR/0102012.
[2] H.-O. Peitgen, H. Jürgens, D. Saupe, Fractals for the Classroom, Springer-
Verlag, New York, 1992.
[3] S. Hollasch, IEEE Standard 754 Floating Point Numbers, IEEE, 2004.
[4] S. Vanstone, A. Menezes, P. van Oorschot, Handbook of Applied Cryp-
tography, CRC Press, 1997.
[5] A. Kerckhoffs (von Nieuwenhof), La cryptographie militaire, J. Sci. Mili-
taires January (1883), (French) (Military cryptography).
[6] B. Schneier, N. Ferguson, Practical Cryptography, John Wiley & Sons,
2003.
[7] G. Álvarez, F. Montoya, M. Romera, G. Pastor, Phys. Lett. A 311 (2003)
172.
[8] G. Jakimoski, L. Kocarev, Phys. Lett. A 291 (2001) 381.
[9] C.E. Shannon, Bell Syst. Tech. J. 28 (1949) 656.
[10] N.K. Pareek, V. Patidar, K.K. Sud, Phys. Lett. A 309 (2003) 75.
[11] M.S. Baptista, Phys. Lett. A 240 (1998) 50.
[12] T. Habatsu, Y. Nishio, I. Sasase, S. Mori, A Secret Key Cryptosystem by
Iterating a Chaotic Map, Springer-Verlag, 1998.
[13] Z. Kotulski, J. Szczepanski, Ann. Phys. 6 (1997) 381.
[14] E. Alvarez, A. Fernández, P. García, J. Jiménez, A. Marcano, Phys. Lett.
A 263 (1999) 373.