Chaos and Cryptography

Vishaal Kapoor
December 4, 2003

In his paper on chaos and cryptography, Baptista says

”It is possible to encrypt a message (a text composed by some al-
phabet) using the ergodic property of the simple low-dimensional and
chaotic logistic equation. The basic idea is to encrypt each charac-
ter of the message as the integer number of iterations performed in
the logistic equation, in order to transfer the trajectory from an initial
condition towards an -interval inside the logistic chaotic attractor.”

In this exposition, we examine this cryptosystem proposed by Bap-

tista discuss a potential vulnerability.

1. Choose a pair (r, x0) and determine the interval of interest [xmin, xmax].
2. Subdivide the interval [xmin, xmax] into n ”sites” (subintervals), each corre-
sponding to an letter of the alphabet.
3. For each character in the plaintext string s
Do x0 := rx0(1 − x0)
Until x0 reaches the site corresponding to the current plaintext character
 and random() > p
The ciphertext is the number of iterations taken.
Here, random() is a function that generates a random number from 0 to 1
and p is a coefficient that can be arbitrarily chosen in (0, 1] with larger values
corresponding to higher security and longer encryption times. Note that p is
independent of the key and is not needed to decrypt the message.

Before After

Maple Code for Encryption and Decryption

# _s is the plaintext string
# (_x0,r) is the initial condition and parameter secret key
# xmin, xmax are the boundaries of the sites
# p is the randomization constant

encrypt := proc(_s, _x0, r, xmin, xmax, p)

local D, s, n, ep, x0, c,i, random;

D := Digits;
Digits := 16;

s := convert(_s, bytes); # Convert s to ASCII representation

n := length(_s);
ep := (xmax-xmin)/256;
x0 := _x0;
c := [seq(0,i=1..n)];

for i from 1 to 100 do # Ignore initial transient

x0 := r*x0*(1-x0);
od;

c[1] := 100;

# Main loop

for i from 1 to n do
while(true) do
if(trunc((x0-0.2)*256/0.6) = s[i] and rand()/10^12 > p)
then break; fi;
x0 := r*x0*(1-x0);
c[i] := 1 + c[i];
od;
od;

Digits := D;
RETURN(c);
end:
# c is the cipher text
# n length of plaintext string
# (_x0,r) is the initial condition and parameter secret key
# xmin, xmax are the boundaries of the sites

decrypt := proc(c, n, _x0, r, xmin, xmax)

local D, p, s, ep, x0,i;

D := Digits;
Digits := 16;

ep := (xmax-xmin)/256;
x0 := _x0;
p := [seq(0, i=1..n)];

# Main Loop

for i from 1 to n do
for j from 1 to c[i] do
x0 := r*x0*(1-x0);
od;
p[i] := trunc((x0-0.2)*256/0.6);

od;

s := "";
for i from 1 to n do
s := sprintf("%s%c", s,p[i]);
od; RETURN(s);
end:

There are several requirements of our secret key (r, x0) which we have yet to
mention. The most important such requirement is that r must be chosen so that
the map
xn+1 = rxn(1 − xn )
exhibits chaos.

Some definitions are in order: For an orbit x0, x1, x2, ..., we define the Lyapunov
exponent λ to be
n−1
1X
λ = limn→∞ ln|f 0 (xi)|,
n i=0
provided the limit exists. In the case of an aperiodic trajectory with a positive
Lyapunov exponent, we say the trajectory is a chaotic orbit. The system is said
to exhibit chaos if there is a regime with chaotic orbits.
 Jacobson [4] assures us that there is a non-zero probability that a randomly
chosen r in [r∞, 4] will be responsible for chaos. Here r∞ is approximately 3.57 -
an accumulation point of period doubling bifurcations. In practice, the diagram
below

shows us that values of r > r∞ will most likely work (note these are the domain
corresponding to positive range values above).

Moreover, the termination of this algorithm is dependent on our loop termi-

nating successfully for each plaintext character. We require a definition:
In a dynamical system, an orbit is said to be ergodic if for any δ > 0, and an
accessible state value x = a, there exists a value k such that

|xk − a| < δ.

In our case of the logistic equation with secret key (r, x0), this says that every
point in [xmin , xmax] should be approached arbitrarly closely by some iterate x k .
This condition is actually more than sufficient to ensure that every site is reachable
by x0 an infinite number of times.

Moreover, we require that every interval can be reached an infinite number of

different ways; so that each interval can be encrypted in an infinite number of
different ways.

Proving such assertions are satisfied for a given r is difficult in the general
case. We warm up by proving a special case for r = 4. In this case, we make a
substitution
πy 1
x = sin2( ) = (1 − cos(πy)),
2 2
where x, y ∈ [0, 1]. Substituting in the logistic equation, we obtain
sin2 (πyn+1/2) = 1 − cos2 (πyn ) = sin2(πyn ).
Continuing, we have (πyn+1/2) = ±(πyn ) + sπ where s is an integer. As y is
restricted in [0, 1], we must have yn+1 = 2yn for 0 ≤ yn ≤ 21 , and yn+1 = 2 − 2yn
for 12 ≤ yn ≤ 1. This is just the tent map. Since the tent map is chaotic, the
logistic equation for r = 4 must be as well.

In practice, the luxury of a nice substitution is no longer enjoyed, and so

numerical evidence is usually sought.

Let us consider the case for r = 3.78. The orbital densities of the logistic map
for this r numerically show that the attractor lies in the interval [x min , xmax] =
[0.2, 0.8].

Orbital Densities for the Logistic Map with r=3.78

0.035

0.03

0.025

0.02

0.015

0.01

0.005

0 0.2 0.4 0.6 0.8 1

y

As well, the figure indicates that each site is reachable with non-zero proba-
bility. Thus, we would expect each site to be approached an infinite number of
times in the trajectory of x0.

This attack is based on a weakness in the implementation of the cryptosystem

proposed in [1]. Because the system is implemented on a computer the map that
is apparent in the data will actually be of the form
x̃n+1 = rx̃n(1 − x̃n ),
where all operations are done in fixed point arithmetic (Baptista describes using
16 bit accuracy). This is a problem because chaos implies sensitive dependence
on initial conditions. Therefore
1. the long-term qualitative behavior of the system as implemented will be
much different than the the behavior of the logistic equation, and
2. there must be a periodic orbit of x̃n.
The latter results from there being only finitely many numbers of a certain
accuracy. In theory, this means that there must be a cycle of length at most
2d where d-bits are used. However, in practice, I have found this to be much
smaller.
Typically, there will be some number of iterations I before the cycle is reached,
and the cycle is of length T (we generalize saying a fixed point is a 0-cycle).
For x0 = .5, r = 3.78 we have the following values of I + T (an upperbound
on T ).
Digits of Accuracy I + T
1 3
2 5
3 9
4 65
5 150
6 537
7 1766
8 6021
9 21982
10 78262
11 113895
Given a periodic orbit of relatively small size presents us with an equivalent
cryptosystem of the following form:
1. Choose a positive integer T to represent the cycle length. Define x 0 := 0.
2. Associate each letter of the alphabet with at least one number from 0 to
T − 1 so that no two letters are associated with the same number. A site
corresponds to the subset of [0, T −1] that corresponds to a particular letter.
 3. For each character in the plaintext string s
Do x0 := x0 + 1
Until x0 reaches the site corresponding to the current plaintext character
and random() > p.
The encrypted character is the number x0.
Set x0 := 0.

For every letter li of the alphabet corresponding to a site Ci ⊂ [0, T − 1),

we are thus guaranteed an encryption of x + T k where x ∈ Ci and k ∈ N. In
the case of the originally proposed cryptosystem with no random pertubation,
k = 0, meaning we are left with a simple substitution cipher. In the case of
random perturbation, k is typically small (around 1 or 2) since encryption time
is important. Such encryption is more difficult to deal with, but clearly a step
down from the original system.

This discussion above shows that the security of the cryptosystem in [1] relies on
a small fraction of the many possible trajectories based on the secret key (r, x 0).
This problem could easily be worked around by using much larger fixed point pre-
cision; however, a full analysis is warrented. The author is currently developing a
practical attack on this cryptosystem.

Bibliography
[1] Baptista, M. S. Cryptography with Chaos. Physics Letters A 240 (1998): 50-54
[2] Ott, Edward. Chaos in dynamical systems. Cambridge University Press, 2002.
[3] Davies, Brian. Exploring chaos. Theory and experiment. Perseus Books, 1999.
[4] Jacobson, M. V. Topological and Metric Properties of One Dimensional Endomorphisms. Sov. Math.
Dokl. 19 (1978): 1452.
[5] http://home.hkstar.com/hmk409/research/ces/main.htm (Chaotic Encryption Standard)
[6] http://icg.harvard.edu/math118r/
[7] Strogatz, S. H. Nonlinear dynamics and chaos. With Applications to Physics, Biology, Chemistry,
and Engineering. Westview Press, 2000.