Robustness and Security of H∞-Synchronizer in Chaotic Communication System

In recent years, a large amount of work on chaos-based cryptosystems has been published (Kocarev (2001); Millerioux et al. (2008)). A general methodology for designing chaotic and hyperchaotic cryptosystems has been developed using the control systems theory (Grassi et al. (1999); Liao et al. (1999); Yang et al. (1997a;b)). The chaotic communication system is closely related to the concept of chaos synchronization. An overview of chaotic secure communication systems can be found in (Yang (2004)). He classified the continuous-time chaotic secure communication systems into four generations. In the third generation, the combination of the classical cryptographic technique and chaotic synchronization is used to enhance the degree of security. Specifically, Yang et al. proposed a new chaos-based secure communication scheme in an attempt to thwart the attacks (Yang et al. (1997a;b)). They have combined both conventional cryptographic method and synchronization of chaotic systems. Their cryptographic method consists of an encryption function (the multi-shift cipher), a decryption function (the inverse of the encryption function), a chaotic encrypter that generates the key signal for the encryption function, and a decrypter that estimates the key signal. The approach has a limitation since the cryptosystem design may fail if different chaotic circuits are utilized. So far, this generation has the highest security in all the chaotic communication systems had been proposed and has not yet broken. From the control theoretic perspective, the transmitter and the receiver in the chaotic communication system can be considered as the nonlinear plant and its observer, respectively. Grassi et al. proposed a nonlinear-observer-based decrypter to reconstruct the state of the encrypter (Grassi et al. (1999); Liao et al. (1999)). They extended the Chua’s oscillator to the observer-based decrypter. The cryptosystem does not require initial conditions of the encrypter and the decrypter belonging to the same basin of attraction. If we can design a decrypter without the knowledge of the parameters of the encrypter, the chaos-based secure communication systems are not secure, because the parameters of the encrypter is selected as static secret keys in the cryptosystem. Parameter identification and adaptive synchronization methods may be effective for intruders in building reconstruction mechanisms, even when a synchronizing system is not available. Therefore, it is important for secure issues to investigate whether adaptive identifiers without the system information of encrypter can be constructed or not. We have recently designed an observer-based chaotic communication system combining the cryptosystems proposed by Grassi et al. (Grassi et al. (1999)) and by Liao et al. (Liao et al. (1999)) that allows us to assign the relative degree and the zeros of its encrypter system (Matsuo et al. (2004)). Specifically, we constructed three cryptosystems based on a Chua’s circuit by assigning its relative degree and zeros. The cryptosystem consists of 20

an encryption function (the multi-shift cipher), a decryption function (the inverse of the encryption function), a chaotic encrypter that generates the key signal for the encryption function, and a decrypter that estimates the key signal. The proposed cryptosystem allows us to assign the relative degree and the zeros of the encrypter dynamics by selecting an output vector that generates a transmitted signal as partial states of the encrypter. As in (Fradkov et al. (1997;2000)), we can design an adaptive decrypter for minimum-phase systems with its relative degree 1. Therefore, the encrypter dynamics should be design such that its relative degree is more than two and its zeros are unstable so as to fail to synchronize the cryptosystem adaptively. At the same time, the designed cryptosystem should be robust with respect to uncertainties of the transmission lines such as a time delay, and noises. Suykens et al. (Suykens et al. (1997a;b)) presented a nonlinear H ∞ synchronization method for chaotic Lur'e systems based on the dissipativity of nonlinear systems to minimize the influence of the exogenous input such as the message signal and channel noises. However, many proposed systems with robustness against parameter uncertainties and signal uncertainties are difficult to implement in practice with a reasonable degree of security. The basic difference between the conventional cryptography and the chaos cryptography is that the conventional encryption is defined discrete sets and the chaos encryption is defined on continuous sets. This makes the keyspace behavior of chaotic systems vary different that of conventional systems. Due to the continuous-value property, keys in chaotic cryptosystems form a key basin around the actual secret key. When one key is very close to the real one, it could decrypt part or all of the ciphertext (Alvarez et al. (2006)). To avoid brute-force attacks, a secret parameter should be sensitive enough to guarantee the so-called avalanche property: even when the smallest change occurs in the parameter, the ciphertext will change dramatically (Alvarez et al. (2006)). Various attacks such as the nonlinear forecasting, the return map, the adaptive parameter estimation, the error function attack (EFA), and inverse computation based on the chosen cipher attack, are proposed to recover messages from the chaotic ciphers (Zhou (2005)). Short (Parke et al. (2001); Short (1994;1996)) and Guojie et al. (Guojie et al. (2003)) have proposed the attack strategies against chaotic communication systems. Short analyzed only the encrypter by using the nonlinear forecasting method that belongs to ciphertext-only attack when the attacker does not know the structure of the encryption system. They discussed the secure property of chaos communication based on chaotic parameter modulation from the chosen-ciphertext attack under the Kerckhoff principle (Guojie et al. (2003)). Guojie et al. discussed the secure property of chaos communication based on chaotic parameter modulation from the chosen-ciphertext attack under the Kerckhoff principle. We proposed chaotic communication systems using the adaptive control and robust control technologies (Matsuo et al. (2004;). Wang et al. (Wang et al. (2004)) presented the error function attack to evaluate system security as an efficient cryptanalysis tool based on the public-structure and known-plaintext cryptanalysis. By defining the EFA function, an eavesdropper can scan the whole keyspace to find out the proper key that satisfies the EFA function with zero value. Since keys that are not identical with but are very close to the real one can be used to synchronize the two systems very well, a key basin around the actual secret key is formed. Once the eavesdropper knows the key basin, the correct key can be easily obtained through some optimization algorithms. To evaluate the security performance, Wang et al. also defined the key basin width by the distance between two trial keys located on the two sides of the key basin. The narrower than the whole keyspace the key basin width is, the higher the security of the cryptosysytem is. However, a systematic approach to get the key basin width is lacking. The brute-force-like calculations are needed to draw the shape of the EFA function. Thus, a considerable computing time is needed 444 Challenges and Paradigms in Applied Robust Control www.intechopen.com  to get the key basin width. If the EFA function has numerous minima and a needle-like basin, the security level of the cryptosystem is high. In this case, the evolutionary optimization techniques such as the particle swarm optimization cannot find the secret key using the EFA function (Nomura et al. (2011)). Anstett et al. proposed a general framework based on identifiability for the cryptanalysis of chaotic cryptosystems (Anstett et al. (2006)). They also pointed out that cryptosystems involving polynomial nonlinearities are weak against a known plaintext attack. In this chapter, we propose an H ∞ synchronizer in order to improve the robustness of chaotic communication systems with respect to delays in the transmission line based on the standard linear H ∞ control theory. To begin with, we derive an error system between the encrypter and the decrypter and reduce the design problem of the cryptosystem to the stabilization problem of a generalized plant in the robust control theory. Next, we give a synchronizer parameterization and an H ∞ synchronizer based on the robust control theory. Furthermore, the decrypter dynamics is designed via the linear controller parameterization to make the decrypter robust against disturbances in transmission line and/or sensitive to modeling errors of the decrypter. We present two design requirements on the robustness and the security. We need to design the free parameter such that both the requirements are satisfied. Since we cannot get this solution simultaneously, we design the dynamical compensator so as to satisfy the robustness requirement and then check the sensitivity to the key parameter mismatches whether the parameters in encrypter may play the role of the secret key or not, numerically. Finally, the proposed system is compared with that proposed by Grassi et al. using MATLAB simulations. The following notation is used (Doyle et al. (1989)) :

Observer-based chaotic communication system with free dynamics
Grassi et al. (Grassi et al. (1999)) proposed a nonlinear-observer-based cryptosystem that is an extension of the cryptosystem proposed by Yang et al. (Yang et al. (1997b)). The cryptographic method consists of an encryption function (the multi-shift cipher), a decryption function (the inverse of the encryption function), a chaotic encrypter that generates the key signal for the encryption function, and a decrypter that estimates the key signal. The transmitted signal through a public channel contains the nonlinear function that is equivalent to that of the encrypter. We add a dynamic compensator in the transmitted signal to the observer-based chaotic communication system proposed by Grassi et al. Figure 1 shows the relationship among the encrypter, the observer-based decrypter and the adaptive decrypter where we use the adaptive decrypter as a tool for ciphertext-only attacks. The cryptosystem consists of an encryption function (the multi-shift cipher), a decryption function (the inverse of the encryption function), a chaotic encrypter that generates the key signal for the encryption function, and a decrypter that estimates the key signal.
• Part 1 : dynamic encrypter The chaotic encrypter is described by the following equations:  where y is the transmitted signal that includes the nonlinear function, P(s) is a transfer function that lets a decrypter synchronize the encrypter, and s = d dt . We call this transfer function P(s) asynchronizer .

• Part 2 : encryption function
Given a plaintext signal p(t),theciphertexte n (t) is given by where K(t) is a stream key signal that is generated by the encrypter dynamics and is given by the following equation: The signal e n is a generic encryption function that makes use of the key signal and we choose a encryption function as the following n-shift cipher: • Part 3 : dynamic decrypter with free dynamics Given the encrypter, the decrypter used by an authorized user is the following observer:x

446
Challenges and Paradigms in Applied Robust Control

www.intechopen.com
Robustness and Security of H∞ -Synchronizer in Chaotic Communication System 5 whereê n is a recovered signal of the plain text.
• Part 4 : decryption function Using the estimated signalsK(t) andê n (t) by the decrypter, the estimate of the plaintext p(t) can be recovered by the following equations: whereK is an estimate of the stream key signal and d is the decryption function given bŷ

Error equations and generalized system
If the transmitted signal is disturbed by an additional disturbance w(t), the signal is rewritten byỹ When some of parameters of the dynamic encrypter are unknown, the dynamic decrypter constructed by a receiver based on the information of the encrypter has parametric uncertainties. The decrypter used by any receivers including intruders is given bẏx Denoting the uncertainties ofÃ,b 2 in the encrypter dynamics as ∆, the perturbed nonlinear function of f (x) asf (x), and the perturbation of the H ∞ synchronizer asP( * ), we assume that the decrypter with the uncertainties is given bẏ A decrypter used by an authorized user satisfies ∆(t)=0, f (·)=f (·), P(s)=P(s) since he knows all parameters of the encrypter. On the other hand, a decrypter used by an intruder has uncertainties in the encrypter dynamics, the nonlinear function, and the synchronizer.
In this chapter, we assume that the intruder knows the H ∞ synchronizer, P(s)=P(s) but does not know the values of A, b 2 , i.e. ∆(t) = 0, and the nonlinear function, i.e. f (·) =f (·).
Defining the estimation error of the decrypter as e(t)=x(t) − x(t), we have the following error system:ė We assign the estimation error of the key signal e K or that of cipher textẽ n to the controlled output as follows: , then the plaintext can be recovered by the decrypter ,lim t→∞ (e n (t) −ê n (t)) = 0.
Since f (·)=f (·) for authorized users, we have Thus, if lim t→∞ w(t)=0 and lim t→∞ e(t)=0, then we attain the recover the plaintext, i.e. lim t→∞ (e n (t) −ê n (t)) = 0. For each controlled output, the generalized plant in Fig. 2 is defined as: • When the controlled output is e K , the generalize plant is • When the controlled output is the upper bound of |ẽ n |, the generalize plant is

Synchronizer parameterization
To design the synchronizer based on the static output-feedback-based controller, we rewrite the generalized plant as in Fig.2. Since we can select the input of the synchronizer as arbitrary scalar signal, the signal in Eq.
(2) is chosen as w h e r ec is an arbitrary vector. We call a stabilizing compensator P o (s) for the generalized plant G(s) the synchronizer of the chaotic cryptosystem. The design problem of the synchronizer is summarized as follows: Given a generalized plant G(s) as in Fig. 2, parameterize all synchronizer P(s) that internally stabilize G(s).
We consider the n-th order generalized plant in Fig.3 and the p-th order dynamic stabilizing compensator, For any choice of K 0 , we can obtain the parameterization of K(s) as follows (Matsuo et al. (1998)): Since P o (s) is a stabilizing compensator for each Q(s) ∈ RH ∞ , (25) is one of the parameterization of stabilizing compensators. This LFT form is equal to the Youla parameterization when the static output feedback gain, K 0 , is selected as zero. When the generalized plant can be stabilized by a static output feedback gain, i.e. there exists an output feedback gain K 0 such that A K is stable, we can set H 0 = 0, F 0 = 0. In this case, the parameterization of all stabilizing compensators is as follows (Matsuo et al. (1998)): In Fig. 2, since C 2 is replace to c T ,wherec T can be selected as an arbitrary vector, there exists ascalark 0 such that A k = A − b 2 k 0 c T is stable, as long as (A, b 2 ) is stabilizable. In this case, we can set H 0 = 0, F 0 = 0. The parameterization of all synchronizers in Fig. 2 is obtained as follows (Matsuo et al. (1998)): where We call this parameterization a synchronizer parameterization. By selecting P o (s) as constant gain k 0 i.e. Q(s)=0, the proposed cryptosystem is equivalent to that proposed by Grassi et al.

Design problem of H ∞ synchronizer
The input-output relation of the generalized plant G(s)=G 1 (s) or G 2 (s) from the exogenous input [∆ w] to the controlled output z is given by The free dynamics Q(s) is designed to make the decrypter robust against the disturbances in the transmission line of sensitive to the modeling errors of the decrypter by intruders. We present two design specifications: 1. Robustness requirement: The proposed decrypter can recover the plain text by the transmitted signals when the generalized plant with the synchronizer is internally stable. Moreover, the H ∞ synchronizer has an additional synchronization property with respect to plant uncertainties. To recover plain texts, the decrypter should be robust with respect to time delay uncertainties in the transmission line. Design the free parameter Q(s) such that for a given γ 2 , 2. Security requirement: To attain the secure cryptosystem, the decrypter of the intruder should not synchronize the encrypter. Therefore, The free parameter Q(s) is designed to 450 Challenges and Paradigms in Applied Robust Control www.intechopen.com the error system sensitive to ∆. Design the free parameter Q(s) such that for a given γ 1 , However, since the generalized plant does not have a direct term from the uncertainty ∆ to the transmitted signalỹ, (35) cannot be hold for all ω ∈ [0, ∞). Therefore, to satisfy the security requirement, we change the transmitted signalỹ and the feedback term in the decrypter e y asỹ In this case, the estimation error of the cipher text includes the direct term from the uncertainty to the transmitted signal as follows: In particular, when there is a perturbation in the nonlinear function, f (x) =f (x) generates the direct term from the uncertainty to the transmitted signal.
We need to design the free parameter such that both the requirements are satisfied. Since we cannot get this solution, we design the dynamical compensator so as to satisfy the robustness requirement, and then check the security requirement whether the error system is sensitive to the modeling errors of the decrypter, i.e. the designed cryptosystem is secure against to attacks by intruders.

Simulations
We design a robust cryptosystem via Chua's circuits as in Yang et al. (Yang et al. (1997b)) and in Fradkov et al. (Fradkov et al. (2000)), and carry out simulations using MATLAB/Simulink.

Encrypter based on Chua's circuit
The chaotic encrypter based on the Chua's circuit is given bẏ We select the parameters in the Chua's circuit given by Liao et al. (Liao et al. (1999)) as p 1 = 10,p 2 = 13.14,p 3 = 0.07727,G a = −1.28, and G b = −0.69. The initial conditions are given by

Robustness and Security of H ∞ -Synchronizer in Chaotic Communication System
www.intechopen.com The encryption function is 30-shift cipher, the parameter h is equal to 1 and the key signal K(t) is the second state variable x 2 , i.e.

K(t)= 010 x(t).
Moreover, we select c T = − 011 . MATLAB has a built-in music file, handel.mat, with a short segment of Handel's Messiah.
We use it as the plaintext signal.

Grassi-type system
In the encrypter presented by Grassi et al. (Grassi et al. (1999)), the dynamic synchronizer is simplified as P o (s)=k 0 = 0.8.

Design of H ∞ -synchronizer
The generalized plant G 1 (s) in designing the H ∞ synchronizer is shown in Fig. 4. The weighting function W(s) in the exogenous signal is selected as W(s)=10 × 2.1Ls Ls+1 , L = 1 × 10 −3 and γ = 0.75 so as to stabilize the error system with time delay uncertainties. The H ∞ synchronizer is obtained by using MATLAB LMI toolbox as follows:

Robustness of H ∞ -synchronizer against time delay in transmission line
Figs. 6 and 7 show the responses of the Grassi-type decrypter and the H ∞ -type decrypter for the generalized plant G 1 (s)in the presence of the time delay L = 0.1 in the transmission line, respectively. The responses of the H ∞ -type decrypter for the generalized plant G 2 (s) in the presence of the time delay L = 0.1 in the transmission line is almost same as that for the generalized plant G 1 (s).T h eH ∞ -type decrypter has a better robust performance to the time delay than the Grassi-type.

Security performance of H ∞ -synchronizer
We assume that intruders have parameter mismatches in the decrypter. In this simulation, we consider the following parameter mismatches:  In this simulation, we select the candidates of the static secret keys as the parameters p 2 ,G a ,G b , and P(s). Intruder A has the following parameter mismatch: Intruder B has the following parameter mismatches: Figs. 11,12,and 13 show the responses of the H ∞ -type decrypter used by the intruders A and B, respectively. The proposed synchronizer is sensitive to the parameter mismatches caused by Intruder A. The parameters in the dynamic encrypter may play the role of the secret key. However, Intruder A can identify the recovered wav file as the Handel's Messiah in spite of noisy sound. Fig. 14 shows the EFA function of the proposed H ∞ -type decrypter. Since the width of the key basin in EFA function is not so narrow, the cryptosystem is not so secure.    To improve the security of the H ∞ synchronizer, we select the secret key as a element of P(s). Intruder C has the following parameter mismatch in the H ∞ synchronizer: p 2 = p 2 = 13.14 G a = G a = −1.28,G b = G b = −0.69 The parameter mismatch of the element a k (1, 1) is about 0.51%, because a k (1, 1)=−0.8762 × 10 5 . Figs. 15,16,and 17 show the responses of the H ∞ -type decrypter used by Intruder C. In this case, the decrypter with the parameter mismatch causes instability. The parameters in the H ∞ synchronizerP(s) may play the role of the secret key.

Conclusion
In this chapter, we added an observer-based chaotic communication system proposed by Grassi et al. to a dynamical compensator in its transmitted signal to improve the robustness of the cryptosystem with respect to delays in the transmission line. The proposed chaotic system has a good robust performance with respect to the time delay in the transmission line. Moreover, we checked the security in a point of parameters mismatch by an intruder.