Discrete Versus Continuous Maps A Cryptographical Comparison

Loading....

Loading....

Loading....

Loading....

Loading....

Full text

(1)

Discrete Versus Continuous Maps – A Cryptographical Comparison

Frank Dachselt and Wolfgang Schwarz

Technical University of Dresden

Institute for Fundamentals of Electrical Engineering and Electronics Mommsenstraße 13, 01062 Dresden, Germany

E-mail:dachselt@iee.et.tu-dresden.de

Abstract— Discrete-value and continuous-value

maps are compared with respect to their cryptograph-ical properties. In order to provide a more rigid evaluation of nonlinear chaotic encryption systems information-theoretic measures are derived that al-low a comparison with classical discrete-value sys-tems. Furthermore the consideration gives some in-sight about the general limitations of continuous-value operations in cryptographic applications. The application of these evaluation measures is illustrated by some examples.

I. INTRODUCTION

The application of chaotic systems in communi-cations for cryptographic purposes has attracted a lot of attention in recent years. However, in most cases a serious performance evaluation is missing and claims about the achieved security levels are not rigidly proved. The reason for this may be some in-compatibilities of measures that are used in the clas-sical discrete-value cryptography with the inherent continuous-value nature of chaotic systems.

In this paper we use the term continuous-value system synonymously for nonlinear chaotic systems and with discrete-value systems we refer to classical and presently used cryptographical systems. By that we state explicitly the significant difference between these system classes.

The information-theoretic treatment of discrete-value systems in cryptography is almost exclusively based upon the Shannon measure of uncertainty and information [1]. Unfortunately, a straightforward gen-eralization of Shannon’s entropy for continuous-value variables does not lead to a compatible notation in that sense that the continuous entropy can be viewed as limit value obtained by discretizing a continuous in-terval on the real axis into equally-spaced subinin-tervals and letting their number tend to infinity. However, there exist various attempts for an unified approach to discrete and continuous entropy notations [4], which will also influence the following results.

II. INFORMATION CONTENT IN MAPS

A. Maps in cryptographical systems

Static maps as depicted in figure 1 are the central element in all cryptographical systems. This applies to static systems (i.e. block ciphers) as well as to dy-namical systems (i.e. stream ciphers). From the view-point of cryptoanalysis they contain all of the uncer-tainty (about the key parameters) that is involved in the encryption process and that an attacker tries to reveal. Especially the analysis of continuous-value systems can be transformed into a pure static prob-lem, which is due to the inherent selfsynchonization requirement [5], [7].

Fig. 1. The static map.

B. Map space

We consider the endomorphic map

!"$#% &(') +*,

(1) where

is the symbol range on which the system operates. In the discrete case

is the finite set of symbols -/.103254

7676768

2!9;: whereas in the contin-uous case we consider

as the compact interval

<

. =>

@?7&BA(C

on the real axis. For simplicity we restrict our consideration here to scalar maps, but all derivations may easily be extended to vector sig-nals. In the following the term continuous map actu-ally refers to the slightly more general term piecewise continuous map as it is shown in figure 2.

A particular map

that is chosen from the set D of all possible maps can be considered as the key in a cryptosystem. Then the uncertainty about the map

coincide with the key uncertaintyE #GF&

where the keyspace H describes in some form the setD of pos-sible maps. This uncertainty is an important perfor-mance measure for cryptosystems since it is the goal of almost all attacks to determine the key.

(2)

2 2I4J2LK28M2!NO28P $# 2 & 2 K 2 P 2 M 2 4 2 K Q RTSVU+W QYX Z [ [ Z (a) (b)

Fig. 2. Examples of a discrete and a continuous map .

C. Uncertainty

In the discrete case the set of all one-to-one maps onto a set of\ elements is given by the family of per-mutations] 9 of order \ . If all elements^ * ] 9 have the same probability_

#

^

`&

.

4

9 a, then the uncertainty of a particular map is given by

E #Gb 9 & .c 9 d fe 4 d g e 4 h i jfklh i . jfk \5m 6 (2) If the one-to-one requirement is released the entropy

E #G8n3& .c 9 d oe 4 9 d g e 4 h \ jk h \ .p\ jfk \ (3)

describes the uncertainty about a particular

from the set D

n

of all possible mappings given by (1), where the relationE #Gqn3&sr E #Gb 9 & holds.

In continuous-value cryptosystems it is necessary to discretize the keyspace which is naturally given continuously. This due to the requirement of a certain key distance [6] to ensure some elementary level of se-curity. Furthermore we suppose that Kerckhoff’s Prin-ciple [2], [3] holds, i.e. the system structure and thus the structure of the involved maps is known. Then the only uncertainty is again due to the key which parametrizes the continuous map. Let the parameter vectort *lu be given as tv. #Gw 4 7676768xw 9 &

with wy+*zu{|~}o}u{x}o} .p | (4) whereu i . h 767676L

\ are given by the component-wise decomposition of the discretized parameter spaceu

. If the elements oft can be chosen indepen-dently with_ #Gwy%€ g & . 4 ƒ‚ ,„…. h 76o6o6o  , then, assum-ing the knowledge†ˆ‡ about the map parametrization, the uncertainty of a particular map*

D ‡ is E #G ‡ } †ˆ‡ & .c 9 d fe 4 V‚ d g e 4 h  jfk‰h  . jfk 9 Š fe 4  |6 (5) The significant difference between the discrete and the continuous case is that the uncertainty (3) of the dis-crete map is fully determined and upper-bounded by

the cardinality\ of the symbol set- whereas the un-certainty (5) of the continuous map does not depend on the structure of the symbol range and has no cor-responding upper bound (i.e. the parametrization and thusE #G ‡ } †ˆ‡ &

can be extended arbitrarily). D. Iterated maps

As an example for the application of the uncer-tainty measure we consider the‹ -times iterated map which is often suggested for simple chaotic block ci-pher schemes Œ #Ž& . #%‘+#Ž&’&“ (6) where

is some continuous map parametrized by t . The idea of these systems is to exploit the sensitiv-ity to initial conditions in chaotic systems to raise the encryption security. But in terms of the above derived measure, there is no gain of uncertainty about the map

since the amount of parametrization remains un-changed, i.e. E #G ‡ } †ˆ‡ & .”E #G  ‡ } †ˆ‡ &“ (7) where D 

‡ describes the set of all

‹ -times iterated maps

. However, the iterated map certainly has a higher topological complexity which can be charac-terized by other measures (as it is proposed in sec-tion III-B) and which, nevertheless, may have perfor-mance advantages.

III. EXTENDED MEASURES

The uncertainty measure considered in the previous section is closely related to Shannon’s entropy nota-tion since it still operates on variables of discrete na-ture. This has the advantage that the measures for the discrete and the continuous case can by directly com-pared. A more profound evaluation also needs to con-sider the map properties induced by the differences between the discrete and the continuous case.

A. An observation-driven measure

It is common use in cryptography to define perfor-mance measures not only by the amount of uncertain knowledge but also in terms of its observability. Such a measure corresponds more closely to the amount of output values…#%‘•&

or input-output-pairs#%‘8x…#%‘ˆ&’& that are necessary to determine the parameters of the map

and thus can be a measure for the observation time. For the discrete case it could be determined as

E…– #Gqn3& .c 9 d fe 4 _ # 2 & jk h \ _ # 2 `&“ (8)

(3)

where_ 2 denotes the probability of symbol2 . In the continuous case such a measure may be de-scribed by E$– #G ‡ } †ˆ‡ & .˜c 9 d fe 4 _ #Gwy`& jfk h  Y_ #Gwy&“ (9) where_ #Gwy—&

describes the probability that the partic-ular parameter component w“

has an influence on the observation$#%‘ˆ& . It is given by _ #Gw & .š™œ›ž ‡ ‚ Ÿ¢¡ #%‘•& d‘ (10) with £ #Gwy—&¤¥

being the influence interval of wy and

¡

#%‘ˆ&

being the probability density of the input signal‘

.

The information of each parameter component wy that is summed up in equations (8) and (8) can be in-terpreted as the segment average of the ordinary un-certainty about the values w

due to its value range plus a certain amount that describes the probability by which an observer can collect information about wy

. Note that the measures (8) and (8) are not com-parable with (3) and (5), respectively, since they do not converge for a certain set of probabilities_

#Gwy`& . The observation-driven measure designed above im-plies the obvious fact that a parameter component with a small influence probability has a higher uncertainty than a component with a high probability, because the first one needs a longer observation time to col-lect according data. However, a smaller probability

_

#Gw &

of a certain parameter component w

also de-creases its overall influence on the encryption process and thus the knowledge that is obtained by determin-ing the value of this component. The followdetermin-ing ex-ample demonstrates which of these opposite effects dominates the behaviour of this measure.

Example 1: Consider the two continuous onto maps depicted in figure 3. They operate on the unit in-terval

.¦=§ h &

and consist of four piecewise lin-ear segments ¡  € g #%‘•& .¨> %€ g ‘©”?@%€ g , i * 0 h @ª@«’¬ : , „ * 0 h @ª

: , (with interval index

i

and map index„ ) each of them defined on one of the disjoint intervals < %€ g . We assume that > %€ g *p­ %€ g and ? %€ g *¯® %€ g are the parameters of these maps, where for simplicity all parameter subspaces have the same cardinality, i.e.

}o}­T%€ g }o} . }o}®°%€ g }o}

.± . The actual values are not of interest here and may be different for all intervals and both maps. They can be chosen according to other re-quirements. The maps differ in their segment interval

lengths, where we assume }< 4 € 4 } . }< K € 4 } . }< M € 4 } . h ² ~}< N € 4 } . h ª }<³%€ K } . h ¬ 6

The input signal ‘

is supposed to have a uniform

´ µ·¶¹¸ºf´¼» ½¿¾ ½¿À ½¿Á ½ÃÂ Ä Å Æ Æ Å ´ µÇ¶,¸˜º´¼» Æ Å Å Æ ½¾ ½¿À ½¿Á ½ÃÂ È (a) (b)

Fig. 3. Two piecewise linear maps with different domain segmentation.

probability density on =§ h &

. Thus, the probability

_ # >  € g & .É_ #?“%€ g &

that a particular segment

¡ %€ g with its parameters> %€ g and?“%€ g

influences the output

g

#%‘•& is equal to the interval length

}<³%€

g

}

. With these assump-tions the measure E$–

€

g

for each map can be deter-mined: E…– € 4Ê. ª jfk  © jfk ² © jfk ª . ª jfk  ©žª6¿¬œË E…– € K. ª jfk  ©·ª jfk ¬ . ª jfk  ©Çª6ÃÌÊÌ 6 Map

K yields a higher measure than map

4 . In fact, equal influence intervals give the maximum value of theE$– measure for uniquely distributed input signals

‘

. Additionally, a design criterion may derived: In or-der to maximize the E$– measure, the segment inter-vals

<

of piecewise continuous maps should be cho-sen according to the probability distribution of ‘

in such a way that

™Í ‚ ¡ #%‘•& d‘ . h Î for i . h 76o6o6o@Î (11) holds, where Î

denotes the number of segments. Then, each parameter component has the same signifi-cance to the encryption transformation and the knowl-edge of one of these components can not be more valuable than that of another one. While this require-ment can be fulfilled easily for continuous maps, in the discrete case there can be obtained at most a rough approximation.

If the map

is distribution preserving with respect to

¡

#%‘ˆ&

, then E…– is also iteration-invariant, i.e. the measure of the iterated map



is the same as for .

(4)

B. A correlation-driven measure

In order to take into account the (piecewise) con-tinuous character of maps in concon-tinuous systems and evaluate its effect on the encryption transformation a measure would be needed that deals with topological properties of the involved signals.

While the continuous signal already has its natu-rally given metric we have to provide a suitable one for the discrete signal to allow a comparison. There-fore we correspond the symbols >

*

- to equally spaced real numbers on the interval<

.˜=> @?7& : 2 > ©”# i c h & ? c> \ for i . h 76o6o6o \ (12)

Now the input and the output signal of the discrete map as well as of the continuous map is a real-valued sequence ‘ .Ï0 ‘q# h &“’‘+#ª¢&“’‘q#«¢&“76o6o6 : . We define the two distancesÐ ‘ . }‘q#Ž& c ‘q#© h &7}à (13) Ð …#%‘ˆ& . }…#%‘q#Ž&’& c …#%‘+#© h &’&7}à (14) which describe the positive distances between two ad-jacent input values and between the corresponding output values, respectively. The measure Ñ

# Ð ‘ˆ& is defined as Ñ # Ð ‘•& . h }o} D ‡ }o}ʙ ҎÓ;Ô # Ð …#%‘•&’& dt 6 (15) It describes the expectation of

Ð

…#%‘•&

as a function of

Ð

‘

for the function space DՇ which is parametrized by t . This measure is closely related to the corre-lation between the input and output distance, but the function (15) gives a more illustrative measure. We will discuss its properties by considering the follow-ing examples:

Example 2: As the reference for the comparison with continuous maps we consider the family of per-mutations]V9 for a sufficiently large \ . Figure 4 (a) shows an example for \¨.

Ì

, where this permuta-tion is embedded in a metric space using (12) with

<

."=§ h &

. For a typical permutation with uniquely distributed input signal the average output difference for two input values‘

and‘T©

Ð

‘

for all possible

Ð ‘ ish c¯Ö hØ× ª , except for Ð ‘

.š§ . The same holds for the averageÑ

#

Ð

‘ˆ&

of all permutations of a certain or-der, which is depicted for the example in figure 4 (b). The value of Ñ # Ð ‘•& for Ð ‘Ùr

§ results from the uniquely distributed and independent values$#%‘ˆ&

and $#%‘©

Ð

‘ˆ&

. This means that the permutation trans-formation completely hides any distance intrans-formation of the input signal in the output.

Ú ÛÜ ÚØÝ Þ ß ß Þ Þ ß ß Þ Ú ∆ àJÜ ÚØÝ ∆ áãâåäæ æ æ æ ç á è (a) (b)

Fig. 4. A permutation functionf{ embedded in a metric

space and the expected output distance酠êT for the

complete permutation family.

The behaviour of Ñ

#

Ð

‘•&

as given in figure 4 (b) can be regarded as perfect in the cryptographic sense, because it does not allow to exploit any a priori in-formation about

Ð

‘

, such as its probability distribu-tion, for a cryptoanalysis. Of course, this only applies for the given metric-based measure. There may exist other second-order characteristics of‘

which make a cryptoanalysis possible.

Example 3: For the continuous case we consider now the piecewise linear map given in figure 5. This map is parametrized by the single variable w

4 which determines the shift from the origin. The output

dis-ë)ì í îðï íØñ ò ò ó ó ë)ì ôõ …#%‘ˆ& .pöŽ÷÷Êø #%‘ù©žw 4 &

Fig. 5. One-parametric piecewise linear map of example 3.

tance

Ð

…#%‘ˆ&

can show two different values with dif-ferent probabilities depending on the value of

Ð ‘ : Ð …#%‘•& .±ú Ð ‘ with _L4V. b…# Ð ‘•& . h c Ð ‘ h c Ð ‘ with _ K . b…# h c Ð ‘ˆ& . Ð ‘

The expected output distanceÑ

# Ð ‘ˆ& is then given by Ñ # Ð ‘ˆ& . ª Ð ‘ c ªû# Ð ‘ˆ& K (16) which is plotted in figure 6. The inherent continuous shape ofÑ

#

Ð

‘•&

makes it impossible to show perfect behaviour as it can be obtained for the discrete case in figure 4. Moreover, the map family used in this exam-ple does not even approach asymptotically the perfect

(5)

shape for large ‘

. This implies a strong correlation between the used second-order statistics of the input and the output sequence. An a priori knowledge about

Ð

‘

thus may be used for a cryptoanalysis of the sys-tem that involves

. 0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 D(Delta x) ü Delta x

Fig. 6. Expected output distance酠êT for the map of

example 3.

Example 4: The final example is intended to show the dependence of the measureÑ

#

Ð

‘•&

on the param-eter value for the well-known and often-used ý -adic shift map as depicted in figure 7. The one-parametric

þ ÿ þ …#%‘•& .pöŽ÷÷Êø # ý ‘ˆ&

Fig. 7. The -adic shift map. family is generated by the parameterý

*

0

h @ª@«76o6o6 : . For a particular parameter valueý the expected output distanceÔ

#

Ð

…#%‘•&’&

consists ofý function segments

Ô # Ð $#%‘ˆ&“ i & . # h c i © ý Ð ‘ˆ& (17) # i K © i c ª i ýc # i c ª ý & ý Ð ‘ c h & ý # Ð ‘ c h & for i c h ý Ð ‘ i ý i . h 76o6o6o ý For ý . h @ª@« the functions Ô # Ð …#%‘ˆ&’& are plotted in figure 8. These curves show a notable dependence ofÔ

#

Ð

$#%‘ˆ&’&

on the parameterý . Again, this depen-dence provides approaches for cryptoanalytic attacks.

0 0.2 0.4 0.6 0.8 1 0 0.2 0.4 0.6 0.8 1 E(Delta F(x)) Delta x 1-adic 2-adic 3-adic

Fig. 8. Expected output distanceI%êTY for the -adic

shift map ( ).

IV. CONCLUSIONS

The paper presented some measures which may allow a more rigid evaluation of continuous-value encryption systems in comparison with classical discrete-value systems.

Of course, the comparison of discrete and contin-uous maps in the above examples is biased, since we used the most perfect map family in the discrete case and only very simple continuous maps. This was done for the simplicity of representation. Nevertheless, the examples show the generic property of continuous maps to preserve a considerable amount of metric in-formation of the input signal, while this drawback is not present in discrete-value systems.

REFERENCES

[1] Shannon, C.E.: Communication theory of secrecy sys-tems, Bell Sys. Tech. J., vol. 28, pp. 656-715, 1949. [2] Stinson, D.R.: Cryptography - Theory and Practice,

CRC Press, 1995.

[3] Simmons, G.J. (Editor): Contemporary Cryptogra-phy, IEEE Press, 1992.

[4] Jumarie, G.: Relative Information, Springer Verlag, 1990.

[5] G¨otz, M.; Kelber, K.; Schwarz, W.: Discrete-time chaotic encryption systems – Part I: Statistical Design Approach. IEEE Trans. Circ. & Syst., vol. 44, pp. 963-970, 1997.

[6] Dachselt, F.; Kelber, K.; Schwarz, W.: Discrete-time chaotic encryption systems – Part III: Cryptographical analysis. IEEE Trans. Circ. & Syst., vol. 45, pp. 883-888, 1998.

[7] Dachselt, F.; Kelber, K.; Vandewalle, J.; Schwarz, W.: Chaotic versus classical stream ciphers – A compara-tive study. Proc. of Int. Symp. on Circuits and Systems ISCAS’98, vol. IV, pp. 518-521, Monterey, June 1998.

Figure

Updating...

References

Updating...

Related subjects :