Cryptanalysis on a modified Baptista-type cryptosystem with chaotic masking algorithm

Abstract

Based on chaotic masking algorithm, an enhanced Baptista-type cryptosystem is proposed by Li et al. to resist all known attacks [S. Li, X. Mou, Z. Ji, J. Zhang, Y. Cai, Phys. Lett. A 307 (2003) 22; S. Li, G. Chen, K.-W. Wong, X. Mou, Y. Cai, Phys. Lett. A 332 (2004) 368]. In this Letter, we show that the second class bit extracting function in [S. Li, X. Mou, Z. Ji, J. Zhang, Y. Cai, Phys. Lett. A 307 (2003) 22] still leak partial information on the current chaotic state and reduce the security of cryptosystem. So, this type bit extracting function is not a good candidate for the masking algorithm.

Introduction

Since a novel chaotic cryptosystem was proposed by Baptista in [1], many modified schemes have been presented in recent years [2], [3], [4], [5], [6], [7], [8].

To enhance the security of the original Baptista-type cryptosystem, a modification and its rectified version are proposed by Li et al. in [7], [8], respectively. In their cryptosystem, for defeating all known attacks on Baptista-type cryptosystem [9], [10], [11], [12], the chaotic masking algorithm is used to prevent an attacker to get the number of chaotic iterations from the cipher text. The chaotic masking algorithm is based on the masking operation XOR and the bit extracting function, which extracts 16 bits from the current chaotic state. The cryptosystem is briefly introduced as follows.

In this cryptosystem, the employed chaotic map is Logistic map

$$F(b,x)=bx(1-x),x\in [0,1].$$

Assume $X_{\varepsilon }=\{X_i|X_i=[x_{\min }+(i-1)\varepsilon ,x_{\min }+i\varepsilon ,i=1,2,\dots ,S)\}$ is an equivalent partitions of $[x_{\min },x_{\max })\subset [0,1]$, where $\varepsilon =\frac{x_{\max }-x_{\min }}{S}$. The set of plain message is denoted as A, which has S different characters $A=\{{\alpha }_1,{\alpha }_2,\dots ,{\alpha }_s\}$. Then association map $f_s$ is defined as a bijection

$$f_s:X_{\varepsilon }=\{X_1,X_2,\dots ,X_s\}\to A=\{{\alpha }_1,{\alpha }_2,\dots ,{\alpha }_s\}.$$

By use of another character $\beta \notin A$, a new bijection can be defined as follows:

$$f_s^{\prime }(x)=\{\begin{array}{cc}{f}_s(X_i),\hfill & x\in X_i,\hfill \\ \beta ,\hfill & x\in [0,1]-[x_{\min },x_{\max }].\hfill \end{array}$$

Let $N_0$ and $N_{\max }$ denote the minimum and the maximum iteration time, respectively. A memory unit allocated to store $N_{\max }-N_0+1$ variable $B[N_0]\sim B[N_{\max }]$, representing $C=N_0\sim C=N_{\max }$, respectively.

In this cryptosystem, the secret key is composed of the initial value $x_0$, the parameter b and the association map $f_s^{\prime }$. In the next section, our cryptanalysis is independent of $f_s^{\prime }$, so we neglect it.

With the above notations, given the plain-message $M=\{m_1,m_2,\dots ,m_i,\dots \}$, the encryption and decryption procedures are presented as follows [8].

The encryption procedure:

• Initialize $x_0^{(0)}=x_0$;

• For the ith plain character $m_i$, iterate the chaotic system from $x^{(i-1)}$ for $N_0$ times, set ${\tilde{C}}_i=N_0$ and then perform the following operations: $C_i={\tilde{C}}_i\oplus f_{\mathrm{be}}(x)$, $B[C_i]=B[C_i]+1$, if the current chaotic state x satisfying $f_s^{\prime }(x)=m_i$, let $B_i=B[C_i]$, then a 2-tuple cipher text $(C_i,B_i)$ is generated and set $x_0^{(i)}=x$ and then go to the next plain-character $m_{i+1}$; otherwise, repeat this procedure until a cipher text is generated.

The decryption procedure:

For each cipher text unit $(C_i,B_i)$, first, we iterate the chaotic system for $N_0$ times and set ${\tilde{C}}_i=N_0$, then we perform the following operations: if ${\tilde{C}}_i\oplus f_{\mathrm{be}}(x)=C_i$ for the $B_i$ th times, then the current chaotic state x is used to derive the plain-character $m_i$ and go to the next cipher text unit $(C_{i+1},B_{i+1})$; otherwise we iterate the chaotic system and let $\tilde{C}=\tilde{C}+1$ for 1 iteration, until the above condition is satisfied…

…Where ⊕ means bit XOR operation and $f_{\mathrm{be}}(\cdot )$ is a bit extracting function. Two classes of such functions are suggested in [7], but the first class is not explicitly given. In the next section, our cryptanalysis only focuses on the second class, which is denoted as

$$f_{\mathrm{be}}\left(x_0^{(i)}\right)=\sum _{j=0}^{15}{2}^{j}b(F^j\left(x_0^{(i)}\right),\lfloor F^{j+m}\left(x_0^{(i)}\right)2^n\rfloor \text{mod }16),$$

where $m⩾1$, $n⩾4$ and $b(x,j)=\lfloor x\cdot 2^j\rfloor \text{mod }2$.