FS-CES (Finite State - Chaotic Encryption System)
Cryptographic Techniques Specifications

Principle and Standard for the Design

In information-theoretical point of view, chaotic dynamical systems are those systems in which information is lost along orbits. Chaotic cryptosystems may develop in the future since their security and specification standards can be evaluated by dynamical system theory. FS-CES obtains a ciphertext by applying a modification of the one-dimensional skew tent map f_a to a plaintext. We can derive f_a by moving the critical point (a) of the tent map away from $\frac{1}{2}$; a is used as secret key. Intuitively, we would like to let f_aⁿ(x) (n is a sufficiently large integer) be the ciphertext corresponding to a plaintext $x\in [0,1]$. However, decryption uniqueness would be lost in this configuration since f_ais two-to-one. To overcome this improperness, we discretize the plaintext space, the ciphertext space, the key space, and the transformation, constructing a one-to-one map explicitly. The modified map is explicitly written by rounding, and computation time does not remarkably increase compared with the original skew tent map.

We have further analyzed its security using dynamical system theory (see Self Evaluation Reports), and cryptological strength has been assured based on information theory. The iteration number is determined by these investigations.

Encryption Algorithm

Specification

For simplicity, we stretch the domain and the range of the skew tent map from [0,1] to [0,M]. We denote this rescaled skew tent map by F_A. The integer M = 2¹²⁸ is equal to the cardinality of the plaintext space $P^{\prime}$, the ciphertext space $C^{\prime}$, and the key space $K^{\prime}$; these spaces are defined by

$$P^{\prime} = C^{\prime} = K^{\prime} = \{ 1, 2, \ldots M\}.$$ (1)

We define a discretized skew tent map $\tilde{F_A}: P^{\prime} \to P^{\prime}, A\in K^{\prime}$by

$$\tilde{F_A}(X) \equiv \left\vert \{ X^{\prime}\in P^{\prime} \vert F_A(X^{\prime}) < F_A(X)) \} \right\vert +1,$$

where $\vert\cdot \vert$ indicates the cardinality of a set. $\tilde{F_A}(X)$ is naturally interpreted as the ascending order of F_A(X) in all $F_A(X^{\prime})$'s, $(X^{\prime} \in P^{\prime})$. If F_A(X₁) = F_A(X₂), X₁ < A < X₂, then we define $\tilde{F_A}(X_1)$and $\tilde{F_A}(X_2)$ so that $\tilde{F_A}(X_1) + 1 = \tilde{F_A}(X_2)$. $\tilde{F_A}$ is a one-to-one mapping on $P^{\prime}$.

FS-CES is defined by the encryptor

$$e_A : P^{\prime} \to C^{\prime},\quad e_{A}(X) = \tilde{F_A}^n (X),$$

and the decryptor

$$d_A : C^{\prime} \to P^{\prime},\quad d_{A}(X) = \tilde{F_A}^{-n}(X).$$

The corresponding formulae are as follows:

$$\tilde{F_A}(X) =\left\{ \begin{array}{ll} \left\lceil \frac{M... ...M - X) \right\rfloor + 1, & (A < X \le M), \end{array}\right.$$

$$\tilde{F_A}^{-1}(Y) = \left\{ \begin{array}{ll} X_1, & (m(Y) ... ...c{M - X_2}{M - A}),\\ X_1, & (m(Y) = Y+1), \end{array}\right.$$

where

$$\begin{eqnarray*}m(Y) &\equiv& \left\lfloor \frac{AY}{M} \right\rfloor + \left( ... ...} \right\rfloor - \left\lceil \frac{(A-M)Y}{M} \right\rceil + 1. \end{eqnarray*}$$

Round-of and round-up are denoted by $\lfloor \rfloor$, $\lceil \rceil$, respectively.

Recommended Parameter Values

A key should satisfy 0.4M < A < 0.6M. If A were very far from 0.5M, information dissipation is slow per iteration, and consequently large n would be required. The security analysis below assumes this restriction.

A key should not be too close to A = 0.5M (avoid A such that $M/2-10^{23} \le A \le M/2+10^{23}$). The encryption functions for $A\cong0.5M$ would have structures similar to that of the shift map. Attackers might exploit this similarity.

Iteration number n should be larger than $1.30 \log_2 M = 166$. This requirement is on the basis of our security analysis (see Self Evaluation Reports).

Questions or comments regarding this service? Contact us. Copyright (C) 2000 R&D Team, AIHARA Electrical Engineering Co., Ltd.
All rights reserved.