Chaotic Cryptography in Digital World: State-of-the-Art, Problems and Solutions Shujun Li∗, Xuanqin Mou and Yuanlong Cai Institute of Image Processing, School of Electronics and Information Engineering Xi’an Jiaotong University, Xi’an, Shaanxi 710049, P. R. China (Modified on January 22, 2003)
Abstract Since 1989, many contributions have been devoted to the methods of using chaos to construct digital ciphers. Although some chaotic ciphers have been known insecure and several defects have been found, a large number of chaotic ciphers still remain secure till now. Furthermore, in the past few years, some novel chaotic ciphers have been proposed, which avoid some weaknesses in previous chaotic ciphers and seem to have stronger cryptographic properties. In this paper, we first review the progress of the digital chaotic ciphers nowadays from 1989 till now (2002), and then discuss some problems in the general design of digital chaotic ciphers and possible solutions. Some suggestions are given on the future directions in chaotic cryptography. We believe that the research on chaotic cryptography will be helpful to benefit the conventional cryptology and open a broader road to more perfect ciphers.
1
Introduction
Chaotic cryptography has attracted much attention in recent years, both digital and analog chaotic cryptosystems have been proposed and analyzed [1–55]. The analog chaotic encryption systems are chiefly secure communication approaches through noisy channel based on chaotic synchronization technique [6] of analog circuits, which cannot be extended to design modern cryptographic algorithms that are implemented with digital techniques [56]. Thus, in this paper, we will only focus on digital chaotic ciphers and use “chaotic cryptography” to denote all digital chaotic ciphers without chaotic synchronization. Chaos theory is established since 1970s with the efforts from many different research areas, such as physics, mathematics, nonlinear mechanics, biology, chemistry and electrical engineering, etc. [57, 58]. The most well-known characteristics of chaos are the so-called “butterfly-effect” (the sensitivity to the initial conditions and/or control parameters), and the “unpredictable” pseudo-random orbits generated by deterministic equations. Some researchers have pointed out that there exists tight relationship between chaos and cryptography [6–8, 22, 28, 59]. Many fundamental characteristics of chaos, such as the ergodicity, mixing and exactness property and the sensitivity to initial conditions, can be connected with the “confusion” and “diffusion” property in good ciphers. Since chaos theory has developed well in recent decades, and numerous chaotic systems can be employed to construct chaotic ciphers, chaos may be and is to be a new rich source of cryptography. Interestingly, the idea of using chaos in cryptography can be traced back to Shanon’s classic paper titled “Communication Theory of Secrecy Systems” published in 1949 [60]. Of course, he could ∗
Contact e-mail:
[email protected], home page: http://www.hooklee.com.
1
not use the unborn word “chaos”; he just mentioned that the good mixing transformations used in a good secrecy systems can be constructed by the basic rolled-out and folded-over operations, which really implies “chaos” (consider the stretch-and-fold mechanism in the well-known Baker transformation) [57, 58]. In fact, any good cipher can be regraded as a chaotic or pseudo-chaotic system, since perfect cryptographic properties are ensured by pseudo-random disorder generated from deterministic encryption operations (such as the nonlinear S-Boxes and P-Boxes in conventional block ciphers), which is just like chaos generated from chaotic systems [56, 59]. Marco G¨otz et al. have shown some conventional stream ciphers can exhibit chaotic behaviors [8]. In [7], Ljupˇco Kocarev et al. demonstrate how to construct a DES-like block cipher using chaotic maps. We believe that the research on chaotic cryptography will be helpful to benefit the conventional cryptology and open a broader road to more perfect ciphers. However, only a small number of results on chaotic cryptography are published in the conferences proceedings and journals in pure cryptology and computer security [1, 10, 22–24, 37–39, 45, 50], and most others are made in other areas. This paper tries to bridge the gap between conventional cryptography and chaotic cryptography. In the past few years, some review papers about chaotic cryptography have been published [3–8, 61], but only limited digital chaotic ciphers are mentioned and all new contributions made after the year of 2000 [21, 22, 27, 32–34, 36, 44, 45] are not discussed at all. This paper will give a much more comprehensive review of today’s chaotic cryptography (only digital ciphers), including the progress in the last decade, the related problems and possible solutions. This paper is organized as follows. In Sect. 2 we give a comprehensive review of digital chaotic ciphers nowadays. Some problems in the design of digital chaotic ciphers and possible solutions are discussed in Sect. 3. Some suggestions to the future research on chaotic cryptography are given in Sect. 4. The last section concludes this paper.
2
An Overview
The first paper about chaotic ciphers was published in 1989 [1], in which the author suggested a novel stream cipher based on a one-dimensional chaotic map. In the next year, L. M. Pecora and T. L. Carroll reported the chaos synchronization technique and proposed a secure communication approach via chaos synchronization [2]. From then on, chaotic cryptography attracted much attention of many researchers from different areas, such as physics and electrical engineering [3–55]. At the same time, the cryptanalytic works also have been developed, and most analog chaotic secure communication approaches [50–55] and some chaotic encryption systems [37–43, 46, 48] have been found not secure enough. Basically, there are two general ways to design digital chaotic ciphers: 1) using chaotic systems to generate pseudo-random keystream, which is used to mask the plaintexts; 2) using the plaintext and/or the secret key(s) as the initial conditions and/or control parameters, iterating/counteriterating chaotic systems multiple times to obtain ciphertext. The first way corresponds to the stream ciphers and the second to the block ciphers. Besides the above two general ways, some other chaotic encryption schemes also have been proposed [16, 17, 20, 21, 31–34, 36, 47]. In this section, we will give a comprehensive review of the digital chaotic ciphers from 1989 till now (2002).
2.1
Chaotic Stream ciphers
1) Stream Ciphers Based on Chaotic PRNG-s Because the chaotic systems can generate “unpredictable” pseudo-random orbits, many researchers have paid their attention on the algorithms and performance estimation of PRNG-s (Pseudo-Random Number Generator) based on chaos [59, 62–67]. For continuous-valued chaotic 2
systems, many chaotic pseudo-random sequences have been proved to have perfect statistical properties. The kernels of most known chaotic stream ciphers [1,10–15,18,19,22] are chaotic PRNG-s, whose outputs are the keystreams to mask the plaintexts. Two chief algorithms generating chaotic pseudorandom numbers are: C1) Extracting one or more binary bits from the chaotic orbit [1,13,14,18,19]; C2) Dividing the chaotic interval into m parts and labeling each part with a unique number between 0 ∼ m − 1, and generating pseudo-random numbers by which part the chaotic orbit arrives in [10–12,14,15]. Please note that there exist mutual relation between the first two classes algorithms: all PRNG-s in C1 can be regarded as the special cases in C2, and some PRNG-s in C2 [11, 12, 15] can be considered as the special cases in C1. Many different chaotic systems have been employed to construct the chaotic PRNG-s: Logistic map [11,13] and its generalized version [1], 2-D H´enon attractor [10], Chebyshev map [14], piecewise linear chaotic maps [13, 15, 18, 19], and first-order non-uniformly sampling DPLL (Digital PhaseLocked Loop) circuits [12]. In [13, 22], two different chaotic systems are used to make chaotic PRNG-s. In [13], the outputs of the chaotic systems are XOR-ed, then mask the plaintexts with XOR operations. The Bernoulli shift and Logistic map are used for demonstration. In [22], the outputs of two chaotic systems {x1 (i)}, {x2 (i)} are compared to generate pseudo-random bits {k(i)}: if x1 (i) > x2 (i), k(i) = 1, if x1 (i) < x2 (i), k(i) = 0, and if x1 (i) = x2 (i), no output (such a chaotic PRBG is called CCS-PRBG in [22]). When some requirements are satisfied, the generated bits sequence have perfect properties. Some ciphers based on CCS-PRBG are given to show its potential applications in stream-cipher cryptography. From the works in [37, 38, 40], it has been known that two chaotic stream ciphers [1, 10] are not secure enough. The security of the cipher in [1] can be improved by using higher finite precision (but not essentially). Further research is needed to estimate the security of other chaotic PRNG-based stream ciphers. 2) Stream Ciphers via Chaotic Inverse System Approach As a general model for the design of chaotic secure communication systems, chaotic inverse system approach is presented by U. Feldmann et al. [49]. Many previously proposed chaotic secure communications can be described by this model. Actually, chaotic inverse system approach can also be used to design digital chaotic ciphers. In [8,9], a general structure of such ciphers (also including some conventional stream ciphers) is detailedly investigated. In [16, 17], two ciphers based on chaotic inverse system approach are presented. They are both stream ciphers with the feedback of the previous ciphertext(s): y(t) = fe (u(t), y(t − 1), · · · , y(t − k)) mod 1, where fe (·) is a nonlinear invertible function, and u(t), y(t) represent the plaintext and ciphertext respectively. In [16], fe (t) = u(t) + a · y(t − 1) + b · y(t − 2); in [17], fe (t) = u(t) + T m (y(t − 1), p), where T (x, p) is a piecewise linear chaotic map realized in finite precision L < m:
T (x, p) =
x/p, (x − p)/(0.5 − p), F (1 − x, p),
x ∈ [0, p) x ∈ [p, 0.5] . x ∈ [0.5, 1)
(1)
The cipher in [16] has been known insecure to the known/chosen-plaintext attack [41], but the one in [17] has not been attacked till now.
2.2
Chaotic Block ciphers
1) Block Ciphers Based on Inverse Chaotic Systems The idea of using inverse chaotic system to construct block cipher was firstly proposed by T. Habutsu et al. in [23, 24]. To facilitate the following discussion, we call it HNSM cipher in this 3
paper, named after the initials of the authors’ family names. Given the secret key α and the inverse tent map F −1 (x, α) = αx or (α − 1)x + 1, the cipher encrypts the plaintext as follows: setting the initial condition of F −1 to be the plaintext p ∈ (0, 1), calculating the ciphertext C by iterating F −1 for n times: C = F −n (p), where n random bits are used to select one of two equations of F −1 . The plaintext can be recovered from the ciphertext by calculating p = F n (C) = F n (F −n (p)). Because quantization errors exist in the chaotic iterations, much more significant bits are needed for the ciphertext than the plaintext to ensure the correctness of decryption results (considering the sensitivity of chaos to initial conditions). Because of some weaknesses about the piecewise linearity of the tent map, E. Biham presented a chosen-ciphertext attack and a known-plaintext attack to break the above HNSM cipher [39]. It is a well-known “evidence” of the insecurity of chaotic cryptography and cited widely in literature [4–6,22,27,28,33,34,36,56]. However, S. Li et al. pointed out that the original HNSM cipher can be easily enhanced to resist Biham’s attacks with some simple modifications, such as using nonlinear chaotic maps instead of tent map or introduce perturbation mechanism [44]. In fact, several modified ciphers of HNSM cipher have been proposed in [25–27]. Two-dimensional dynamical systems defined on [0, 1] × [0, 1] are suggested in [25], and the one on [0, L) × (0, π) (a chaotic system obeying particle reflection law) in [26]. In [27], a one-to-one chaotic map f˜a defined on {1/M, 2/M, · · · , M/M } (called finite-state Baker’s map) and its extension F˜A on integer space {1, 2, · · · , M } are proposed to construct block ciphers, in which n random bits can be cancelled since f˜a and F˜A are one-to-one functions. All the modified ciphers can resist Biham’s attacks. 2) Block Ciphers by Iterating 2-D Chaotic Maps Another structure of chaotic block ciphers is proposed in [28–30]. All the three ciphers are based on 2-D chaotic maps and used to encrypt 2-D digital images. The basic procedure of the three ciphers can be described as follows: iterate a 2-D map to pseudo-randomly permutate the pixels in the plain-image, use some substitution algorithm to flatten the histogram of the plainimage; repeat the above two procedures for n times to obtain the final cipher-image. In order to employ the 2-D chaotic map to permutate the plain-images with different (and finite) sizes, the map should be defined on a lattice of many discrete points, such as the discretized Baker map in [28], the discrete Kolmogorov Flow in [29] and the truncated Baker transformation in [30]. Till now, no attacks have been reported to break the above ciphers. In fact, the product of the pseudo-random permutation and the substitution makes the cryptanalysis much difficult. 3) Other Block Ciphers The proposed cipher in [35] is a probabilistic block cipher. A chaotic system, which is composed of K coupled difference equations with K variables, is used to generate 2d virtual attractors containing 2e states 1, 2, · · · , 2e , where e > d. Given a permutation matrix P2d ×1 , the ciphertext is randomly selected from all the states allocated into the P[MC ]th virtual space, where MC is the plaintext. Although the authors of [35] stated that their cipher has high security, we find some serious problems of the ciphers: a) Because more than 2e + 2d d-bit memory units are needed to store the virtual state table and at least 2e chaotic iterations are needed in the initialization procedure, d, e must be small enough (generally smaller than 20), which means one eavesdropper can re-construct the virtual state table using 2e known/chosen plaintexts (or 2e chosen ciphertexts) within practical computation; b) The security is over-estimated because the number of all possible virtual state table is much smaller than (K!)M · K N −K·M obtained in [35]. The detailed analysis can be found in our paper [46]. Following the design criterion of conventional block ciphers, L. Kocarev et al. have suggested construct chaotic block ciphers by introducing chaotic systems to construct S-Boxes (nonlinear round functions) [6, 33, 34]. L. Kocarev et al. proposed several algorithms making S-Boxes: a) defining a specific discretized one-to-one map from a chaotic map, such as the discret version of the map (4) in [7] and the map (12) in [33]; b) iterating a chaotic map to generate a shuffled 4
sequence of 2n integers 1, 2, · · · , 2n , which can be used as a n × n S-Box (for the procedure to get the shuffled sequence, see [33, 34] for details). It has been shown that the generated S-Boxes can resist differential and linear cryptanalysis. In fact, there exist many other algorithms to generate S-Boxes by digital chaos besides the ones proposed by L. Kocarev et al. in [6,33,34]. In [35], the algorithm to generate the shuffled 2e integers is really can be directly used to generate S-Box. In [36], S. Li et al. suggested sorting 2n chaotic orbits with the same distributions to generate pseudo-random S-Boxes substituting plaintexts. In comparison with the algorithm presented in [34] (the algorithm C in [33]), the two algorithms have two merits: a) The consuming computation can be exactly deduced; b) They can be realized and optimized in practice more easily. Compared with pervious chaotic encryption schemes, generating S-Boxes via digital chaos may be a more promising and essential way to connect chaos with conventional cryptography.
2.3
Other Chaotic Ciphers
1) Searching-Based Chaotic Ciphers In [20, 31], chaotic ciphers based on searching plaintexts in pseudo-random sequences are proposed. In this paper, such ciphers are called searching-based chaotic ciphers. Because of the special design of the two ciphers, it is somewhat difficult to classify them into stream ciphers or block ciphers. For the cipher in [20], the pseudo-random sequence is the chaotic orbit itself. The encryption procedure can be described as follows: splitting the chaotic interval into S units representing different plaintexts, iterating the chaotic system until the orbit arrives in the unit representing the current plaintext and Cn > N0 and the output of a PRNG κ ≥ η (here κ, η ∈ [0, 1]), and recording the number of chaotic iterations Cn as the ciphertext. Logistic map is used for demonstration in [20], other chaotic systems may be available, too. The cipher has the features of both stream cipher and block cipher. For the cipher in [31], the sequence is generated with the following threshold algorithm: xn ≤ U → 0, xn > U → 1, where U can be different for different plaintexts. For one plaintext whose bits number is bi , the cipher runs as follows: arbitrarily selecting an initial condition of a chaotic system, running the chaotic system and generating the pseudo-random sequence C, searching the current plaintext in C until it is found; then recording the current states of the chaotic system, the current threshold Ui and bi as the ciphertext. Tent map is used to show the performance of the cipher. Essentially speaking, this cipher is a “strange” block cipher with data expansion and time-variant block size. Just several months after the proposal of the cipher in [31], G. Alvarez pointed out that it is rather weak and can be easily broken by four attacks [42], if tent map is used. G. Jakimoski et al. also independently presented a known-plaintext attack in [43]. In [32], S. Li et al. suggested a improved encryption scheme to avoid the known attacks: selecting the initial condition and the control parameter(s) of the chaotic system as the secret keys, iterating the chaotic system to generate the pseudo-random sequence C, searching the plaintext in C and recording the iteration number as the ciphertext. The improved scheme is similar to the cipher in [20]. In [43], G. Jakimoski et al. also claimed the cipher in [20] can be broken by a known-plaintext attack. It seems that the Jakimoski’s attack can also be used to break the cipher in [32]. But we think the Jakimoski’s attack is not so effective as claimed in [43], and some remedies can be used to resist the attack. Some further investigations can be found in our paper [47]. In [21], a modified version of the cipher in [20] is given, which enhances the distribution of the ciphertext. 2) A Fast Chaotic Product Cipher In [36], S. Li et al. proposed a fast product cipher containing a chaotic stream sub-cipher and 5
a chaotic block sub-cipher. 2n + 1 piecewise linear chaotic systems are employed in this cipher, in which 2n ones are used for encryption (called ECS – Encryption Chaotic System) and another one is used for controller (called CCS – Control Chaotic System). In the stream sub-cipher, the 2n chaotic systems are iterated to generate the signals masking the plaintexts. In the block subcipher, a pseudo-random S-Box is generated by sorting the 2n chaotic orbits of the 2n ECS-es, and then the S-Box is used to substitute the pre-masked plaintexts by the stream sub-cipher. Both the sub-ciphers are controlled by the CCS. The authors investigated the speed, the security and the realization complexity of the cipher in details. The ideas demonstrated in [36] can be extended to construct chaotic block cipher like the ones in [33, 34], and to design fast chaotic ciphers without loss of high security.
3
Problems and Solutions
In the design of the digital chaotic ciphers, many problems should be carefully considered to avoid possible weaknesses in the obtained ciphers. For the chaotic ciphers proposed before year 2000, many problems are not settled suitably. Although several researchers have noticed some problems, but no explicit suggestions about how to solve them are given [3–5]. In this section, we will discuss all known problems (to the best of our knowledge) and investigate how to solve them with theoretical or experimental methods.
3.1
Dynamical Properties of Digital Chaos
When chaotic systems are realized in discrete space with finite computing precision (such chaotic system is called discrete-value chaotic system by some researchers [4], we call them digital chaotic systems in this paper), their dynamical properties will be far different from the theoretical properties of continuous-value systems. Some severe degradation will arise, such as short cycle-length, nonideal distribution and correlation, etc. This phenomena has been firstly noticed by J. Palmore & C. Herring [68] and D. Wheeler [37, 38], and then Ghobad Heidari-Bateni [67]. Up till now, there is not an established theory to measure the dynamical properties of digital chaos exactly, and to indicate how to improve such degradation (some useful but still limited theoretical results about piecewise linear chaotic maps are obtained in [45] recently). Why digital chaos behaves so different from continuous chaos? To answer this question, let us consider a one-dimensional chaotic map F (x) defined on the real interval [0,1), which is realized in finite precision L (fixed-point arithmetic is adopted to represent the discrete space). It is the following reasons to cause such difference: 1) The chaotic iterations are constrained into a discrete space whose size is 2L , i.e., all chaotic states are binary decimals formulated as a/2L (a = 0 ∼ 2L −1). As a result, any chaotic orbits will go to a fixed point or a cycle with limited length smaller than 2L (generally much smaller than 2L ). 2) The quantization errors, which are introduced into the discrete iterations of digital chaotic systems, will make the chaotic orbits depart from the theoretical ones with uncontrolled manners (it is impossible to know the exact errors). 3) The Lebesgue measure of all the decimals in the discrete space is zero, they cannot represent the right dynamical behaviors of the chaotic systems defined on a real interval with positive measure. A representative example is the tent map f (x) = 1 − 2|x − 1/2|: for the binary decimals with infinite significant bits (such decimals have the same Lebesgue measure as the real interval), the chaotic orbits are infinite; for other decimals with n finite bits, the chaotic orbits will converge at zero after at most n iterations. Apparently, the chaotic behaviors of tent map cannot be shown on the discrete space in finite precision. In Figure 1, we give the diagrammatic view of the discrete iterations of digital chaotic systems. A digital chaotic orbit includes two parts: x0 , x1 , · · · , xl−1 and xl , xl+1 , · · · , xl+n , which are called 6
branch and cycle respectively in this paper [69]. Accordingly, the length l and n + 1 are respectively called branch length and cycle length. Most researcher don’t distinguish the two lengths and take l + n + 1 as the “cycle length” of the chaotic orbit. Experimental results about the length of digital chaotic systems have been obtained in [38, 70]: the average length is O(2L/2 ) ¿ 2L , for a digital chaotic system in finite precision L. Please note O(2L/2 ) is just the “average” length of all possible chaotic orbits from different initial conditions, there exist many orbits whose length is even much smaller than 2L/2 . For example, for the tent map f (x) = 1 − 2|x − 1/2|, the branch length of any orbit will be smaller than L (the finite precision) and the cycle length is always 1 (xl ≡ 0). x l+1
x0
x1
......
......
xl
x l+ n
Figure 1: Discrete Iterations of a Digital Chaotic System Although no systematic theory can be used, several engineering remedies have been proposed to avoid such a problem: using higher finite precision [37, 38], cascading multiple chaotic systems [67], and the perturbation-based algorithm [18, 19, 71, 72]. Generally speaking, the perturbation-based algorithm is a general solution with considerable performance, which can be described as follows: run a simple PRNG with uniform distribution to generate a small perturbing signal, which is then used to perturb the chaotic orbit every ∆ iterations, where ∆ is an integer not smaller than 1. In [18], it has been shown that the length of the chaotic orbit T 0 can be controlled by the cycle length of the perturbing PRNG T : T 0 = σ · ∆ · T , where σ is a positive integer. If the PRNG is chosen as a maximal length LFSR with degree L (the finite precision), the length of any chaotic orbit will be σ · ∆ · 2L−1 . Another alternative solution is to define the discrete versions for the employed chaotic systems. The use of such an idea can be seen in [7,28–30, 33]. But no strict mathematical proofs are given to investigate the dynamical (cryptographic) properties of the discrete chaotic maps. The mathematics of discrete chaos should be made to provide theoretical tools for this problem, such as the work done in [73].
3.2
Employed Chaotic Systems
It is desired that a digital chaotic cipher can work well with a large number of chaotic systems; such a property is called chaotic-system-free in this paper. Of course, it is rather difficult to ensure the use of any chaotic system in a cipher, but corresponding requirements should be given to tell the users which chaotic systems are suitable. However, for most digital chaotic ciphers, only a few chaotic systems are discussed, and no analytic works are given to extend the ciphers to other chaotic systems. The most focused systems are Logistic map F (x) = rx(1 − x) [1, 11, 13, 20, 21, 33, 34] and piecewise linear chaotic maps [13, 15, 17–19, 22–24, 27, 31, 32, 35, 36] (especially the tent map [13, 23, 24, 27, 31, 32]). The use of Logistic map is based on the following fact: it is the most well-known, well-studied and one of the simplest chaotic system. But Logistic map has the following weaknesses for the use in cryptography: a) Its invariant density function is not uniform, so that the generated orbits cannot satisfy the balance property of a good cipher; b) Only when r = 4, the map is a surjective function on the interval [0,1] and exhibits perfect chaotic behaviors. The dynamical properties of Logistic map are different 7
if the control parameter r is different, which may be used by an eavesdropper to collect useful information to lessen attack complexity. The use of piecewise linear chaotic maps is based on the following perfect properties [74]: 1) uniform invariant density function; 2) exactness, mixing and ergodicity; 3) desired correlation function; 4) simple realization by both hardware and software. Although it seems that piecewise linear chaotic maps are rather good to construct ciphers, there still exist some weaknesses, which should be carefully considered by the designers [39, 42, 44, 45]. Actually, many chaotic ciphers are essentially chaotic-system-free to some extent since they are not so sensitive to the exact dynamical properties of the employed systems [7,11–13,20,20–22,25,31– 35], but only one paper detailedly investigate the requirements of the suitable chaotic systems [22]. Further research should be made to indicate how the performance will be if other chaotic systems are employed.
3.3
Encryption Speed
It is rather strange that many researchers omitted the issues about encryption speed of their chaotic ciphers, except a few ones [13, 22, 28, 32, 35, 36]. It is an obvious fact that any new chaotic ciphers with perfect cryptographic properties will be somewhat useless if they can only run with limited speed, since there exist so many good ciphers with both high security and fast speed in conventional cryptography. Fortunately, some chaotic ciphers with both security and security considerations have been proposed after the year of 2001 [22, 35, 36]. In fact, the encryption speed of some previous chaotic ciphers can also be promoted, if some other chaotic systems and special optimization techniques are introduced. Investigate currently known digital chaotic ciphers, we can find the following facts about the encryption speed: 1) Generally, chaotic stream ciphers run much faster than chaotic block ciphers. 2) Many ciphers need multiple chaotic iterations to generate one ciphertext [11–13, 17, 20, 21, 24–26, 28–32], which will markedly reduce the encryption speed. 3) The encryption speed of the chaotic stream ciphers are chiefly determined by the time consuming on the chaotic iterations. Consequently, the simpler the chaotic system is, the faster the encryption speed will be. Generally, the piecewise linear chaotic maps and Logistic map are the simplest chaotic systems, since only one or two multiplications/divisions and several additions/comparisons are needed for one chaotic iteration. 4) To enhance the security, some ciphers [20,21,31,32] have time-variant speed, so they cannot encrypt plaintexts with restricted bits rate. 5) While the chaotic systems are running in finite precision, the floating-point or fixed-point arithmetic must be employed. Since the floating-point arithmetic is much slower than the fixed-point one, we suggest using fixed-point arithmetic as possible. But several chaotic systems defined by some complicated functions [1, 7, 14, 25] must run under floatingpoint arithmetic, they should be avoided in fast chaotic ciphers. 6) Many known chaotic ciphers are only designed for hardware (software) realization and cannot provide equivalent speed under software (hardware) realization.
3.4
Practical Security
Almost all digital chaotic ciphers are claimed to be secure by the authors when they are proposed, but many of them are actually not. Then what about the security of other “secure” chaotic ciphers? It is rather difficult to give an exact answer. But the following facts will be useful to answer it: 1) Because chaotic systems are really deterministic systems, there still exist some theoretical and experimental tools in chaos theory to discern chaos. Once an intruder finds some information about the chaotic systems from their orbits, he might use such information to lessen the complexity of finding the secure key. For almost all digital chaotic ciphers (especially chaotic stream ciphers), the ciphertexts directly depend on the chaotic orbit of a single chaotic system, so the extraction of
8
such information may be possible. In fact, based on such a fact, many cryptanalysis methods have been developed to break some chaotic secure communication approaches [50–55]. 2) The dynamical properties of all digital chaotic systems cannot be strictly proved now. Although it may be more difficult to analyze digital chaotic systems using the tools for continuous-value ones, some possible cryptanalytic methods still may be developed, such as the results obtained in [45]. Because of the lack of related theory, no perfect solutions can be found now. Here, we only give two useful suggestions: 1) Try to avoid all known weaknesses in the previous digital chaotic ciphers. 2) Use multiple chaotic systems instead of a single chaotic system, since the combination of multiple chaotic systems “should” make the cryptanalysis much more difficult, especially when each chaotic system has different equation and/or different initial condition (and control parameters). Such an idea has been used in some chaotic cipher [13, 22, 36, 67], it seems that more perfect performance can be obtained. The further investigations are needed to support such a result.
3.5
Realization Issues
Simple realization by hardware and software at low cost is a very important requirement for a good digital cipher. In fact, problems of realization are the crucial factors influencing the use of a cipher in many final applications, since there are so many ciphers that can provide enough security with considerable costs. The following three facts about realization should be concerned in the design of a digital chaotic cipher: 1) The simpler the employed chaotic system is, the simpler the realization will be and the smaller the cost will be. The piecewise linear chaotic maps are suggested as the best candidates. 2) The fixed-point arithmetic is better than the floating-point one since the latter needs much more cost and computation complexity. 3) Another desired requirement is the extensible security and functions with considerably extra cost and complexity. The examples of such ciphers can be found in [22, 36].
4
Future Directions in Chaotic Cryptography
After the initial boom of chaotic cryptography near the year of 1990 [1, 2, 10–12, 23, 24, 37–40]1 , the proposals of some entirely new chaotic ciphers [7, 15, 17–22, 25–36, 41–44] and some review works [3–9, 61] since the year of 1997 opens a new boom in the 21th century2 . Some discusses on the future research in chaotic cryptography have been given in [3–5]. L. Kocarev suggest that the future research should focus on the essential relationships between the chaos and cryptography, not ad hoc designs of more novel chaotic encryption schemes [3]. W. Schwarz et al. have made some research connecting conventional ciphers with chaos [4, 8]. In this section, we will give our opinions on the future chaotic cryptography, based on the discussions of other researchers.
4.1
Suggestions for the Design of a Good Chaotic Cipher
Based on the review to the state-of-the-art of today’s chaotic cryptography, the problems and the solutions of digital chaotic ciphers, we give some fundamental suggestions for the design of a “good” chaotic cipher, where the term “good” means high practical security, fast encryption speed and simple realization. Suggestion 1 – Realizing digital chaotic systems via pseudo-random perturbation, or using discretized chaotic systems whose dynamical properties have been proven. 1
Three papers [1, 37, 38] appeared in a same journal Cryptologia and another three papers [10, 24, 39] appeared in a same conference – EuroCrypt’91. 2 As we know, twelve papers [3–5, 21, 22, 27, 32–35, 43] have been published since 2001.
9
As we have mentioned in the Sect. 3.1, there exists degradation on the dynamical properties of digital chaotic systems realized in finite precision. Under the situation that no systematic theory to measure such degradation, some remedies must be adopted to improve the dynamical properties of digital chaos. The perturbation algorithm by a simple PRNG is suggested by us, since it has considerable practical performance. The discretized versions of some continuous-value chaotic maps may be also OK, but it is desired that the designers prove (at least “explain with some experimental evidences”) their dynamical (cryptographic) properties. Suggestion 2 – Using fixed-point arithmetic instead of floating-point arithmetic. In Sect. 3, it has been shown that floating-point arithmetic will lower the encryption speed and increase the realization complexity and cost. Thus, fixed-point arithmetic is suggested. In addition, the fixedpoint arithmetic is also helpful to improve the portability between different software platforms or hardware structures. There are another defect about floating-point arithmetic: the floatingpoint decimals are not distributed uniformly in the discrete space, which will make it much more complicated and difficult to control the degradation of digital dynamical properties. Suggestion 3 – Using the simplest chaotic systems, such as piecewise linear chaotic maps. More complicated chaotic systems are usually suggested being used to ensure the security of developed chaotic ciphers. But the use of complicated chaotic systems will lower the encryption speed twofold: i) the more complicated the chaotic maps, the more time the chaotic iterations will consume; ii) many complicated chaotic systems must run with floating-point arithmetic, which makes the iterations further slower. For a chaotic-system-free cipher, we suggest using piecewise linear chaotic maps, from the considerations of security, speed, and realization. If piecewise linear chaotic maps cannot be used in some applications (we think such applications are seldom), choose the simplest chaotic systems that are available. Suggestion 4 – Avoiding the use of multiple iterations for one ciphertext in chaotic block ciphers. The slow encryption speed of most chaotic block cipher is chiefly determined by the use of multiple iterations for one ciphertext. Most known chaotic block ciphers do not yield this suggestion. Several new chaotic block cipher [33–36] overcome this problem and can be used for reference. Suggestion 5 – Using multiple chaotic systems instead of one single one in chaotic stream ciphers. We have mentioned this suggestion in Sect. 3.4.
4.2
Some Suggested Schemes
In this subsection, we will give three suggested schemes selected from all known chaotic ciphers. All the three schemes can be easily extended to design more new chaotic ciphers. Suggested Scheme 1 – Block cipher with chaotic S-Boxes. As we have mentioned in Sect. 2.2, G. Jakimoski and L. Kocarev proposed a general encryption scheme for chaotic block ciphers in [33, 34]. The kernel of the scheme is the nonlinear S-Boxes generated by digital chaotic systems. Apparently, we can extend Jakimoski-Kocarev block cipher by using the S-Boxes in general structure of conventional block ciphers, such as Feistel network or SP-networks [56]. Here, digital chaos is used as a new source of nonlinear S-Boxes in conventional block ciphers. Suggested Scheme 2 – Multiple chaotic systems based stream cipher. We have suggested that multiple chaotic systems will be useful to enhance the security of the chaotic stream ciphers. Of course, the use of multiple chaotic systems may slower the encryption speed of software ciphers, but the hardware ciphers will not be influenced much if parallel technique is used. In fact, even under software realization, some special designs may be employed to overcome the defect of low encryption speed. One example is the Cipher 3 in [22]. Suggested Scheme 3 – LZMC product cipher. It is the cipher proposed by S. Li et al. in [36]. The most important features of the cipher are the combination of a simple chaotic stream 10
sub-cipher and a simple chaotic block cipher, and a large number (2n ) of chaotic systems used in the two sub-ciphers. In addition, there are some interesting features about this cipher, which are useful to enhance the security and obtain fast encryption speed: 1) In the stream sub-cipher and the block sub-cipher, the plaintext size is different. 2) The block sub-cipher uses pseudo-randomly generated n × n S-Box by sorting the 2n chaotic states. 3) The plaintexts are divided into different clusters, and the S-Box used in the block sub-cipher will be re-generated by the new 2n chaotic states. The LZMC cipher can run with rather high speed, even in software realization. We think the new ideas used in LZMC cipher will benefit the designers of new chaotic ciphers.
4.3
Open Topics in Chaotic Cryptography
L. Kocarev suggested that the future research in chaotic cryptography should focus on the relationships between chaos and cryptography, not the ad hoc design of new chaotic ciphers. Basically, we agree to their opinion. The following are some open topics in chaotic cryptography. Of course, new structures of chaotic ciphers may still be useful, if some really novel ideas are introduced and much better performance is provided. Theory about chaos in discrete space. To estimate the dynamical properties of digital chaotic systems, a systematic theory about chaos in discrete space is needed. However, there are only a few efforts made in this direction. In [73], H. Waelbroeck et al. tried to translate the definitions of deterministic chaos to the context of discrete state space (called “discrete chaos”). Some results on the dynamical properties of digital piecewise linear chaotic maps are given in [45]. Unpredictability of the pseudo-randomness generated by digital chaos. The pseudorandom sequences generated by digital chaos are kernel parts in many chaotic ciphers. How to measure the unpredictability of the pseudo-random sequences is a unsolved problem. In continuous chaos theory, information entropy can be used to depict the rate of the information loss as the chaotic iterations go [75]. Similar concept may be also used to qualitatively explain the unpredictability, the idea is used in [12, 22]. Chaos in conventional ciphers. We have mentioned any conventional cipher can be considered as a chaotic or pseudo-chaotic cipher in Sect. 1. Some chaotic behaviors hiding in conventional ciphers have been reported by W. Schwarz et al. [8]. In the future research, the following investigations will be useful for the design of conventional ciphers and chaotic ciphers: 1) Can we use chaos theory to explain the nonlinear functions and operations used in conventional ciphers? For example, can the mod function defined on finite filed be considered as a discretized chaotic map3 ? 2) Can we re-define the confusion and diffusion with chaos theory? Can we find a way to connect the security measurement (such as linear complexity in stream-cipher cryptography) in conventional cryptography with the measurements (such as the information entropy) in chaos theory? General models for the design of digital chaotic ciphers. Since several general models have been proposed (recall the last subsection), further efforts on the proposed models will be helpful to exploit the relationship between chaos and cryptography. Of course, new general models are also wanted. Cryptanalytic works on known digital chaotic ciphers. As we know, the recent advances in block-cipher cryptology are promoted by the emergence of the differential and linear cryptanalysis, which shows the importance of the cryptanalysis in cryptology [56]. We believe any new attacks of some chaotic ciphers will impulse the progress of chaotic cryptography. 3
Consider the digital tent map realized in fixed-point discrete space.
11
5
Conclusion
Digital chaotic systems may be a new source of new ciphers, because some dynamical properties can be used to realize the cryptographic properties of good ciphers. In this paper, we give a comprehensive review of the progress in chaotic cryptography from 1989 till now. Most known chaotic ciphers are classified, discussed and compared. Some problems in the design of chaotic ciphers are detailedly analyzed, and some possible solutions are given. Finally, we give some suggestions on the future research of chaotic cryptography. Consider some new chaotic ciphers can provide perfect cryptographic properties, we believe that the chaotic cryptography will be helpful to understand the essence of security.
References [1] R. Matthews. On the derivation of a “chaotic” encryption algorithm. Cryptologia, XIII(1):29–42, 1989. [2] L. M. Pecora and T. L. Carroll. Synchronization in chaotic systems. Physical Review Letters, 64(8):821– 824, 1990. [3] Ljupˇco Kocarev. Chaos-based cryptography: A brief overview. IEEE Circuits and Systems Maganize, 1(3):6–21, 2001. [4] Frank Dachselt and Wolfgang Schwarz. Chaos and cryptography. IEEE Trans. Circuits and Systems–I, 48(12):1498–1509, 2001. [5] Roland Schmitz. Use of chaotic dynamical systems in cryptography. J. Franklin Institute, 338(4):429– 441, 2001. [6] G. Alvarez, G. Pastor F. Monotoya, and M. Romera. Chaotic cryptosystems. In Proc. IEEE Int. Carnahan Conf. Security Technology, pages 332–338. IEEE, 1998. [7] Ljupˇco Kocarev, Goce Jakimoski, Toni Stojanovski, and Ulrich Parlitz. From chaotic maps to encryption schemes. In Proc. IEEE Int. Symposium Circuits and Systems, volume 4, pages 514–517. IEEE, 1998. [8] Marco G¨otz, Kristina Kelber, and Wolfgang Schwarz. Discrete-time chaotic encryption systems–Part I: Statistical design approach. IEEE Trans. Circuits and Systems–I, 44(10):963–970, 1997. [9] Frank Dachselt, Kristina Kelber, and Wolfgang Schwarz. Discrete-time chaotic encryption systems–Part III: Cryptographical analysis. IEEE Trans. Circuits and Systems–I, 45(9):983–988, 1998. [10] R. Forr´e. The H´enon attractor as a keystream generator. In Advances in Cryptology – EuroCrypt’91, Lecture Notes in Computer Science vol. 0547, pages 76–81. Spinger-Verlag, Berlin, 1991. [11] M. E. Bianco and D. A. Reed. Encryption system based on chaos theory. US Patent No. 5048086, 1991. [12] G. M. Bernstein and M. A. Lieberman. Secure random number generation using chaotic circuits. IEEE Trans. Circuits and Systems, 37(9):1157–1164, 1990. [13] V. A. Protopopescu, R. T. Santoro, and J. S. Tollover. Fast and secure encryption – decryption method based on chaotic dynamics. US Patent No. 5479513, 1995. [14] Tohru Kohda and Akio Tsuneda. Chaotic bit sequences for stream cipher cryptography and their correlation functions. In Chaotic Circuits for Communication, Proceedings of SPIE vol. 2612, pages 86–97, 1995. [15] Zhou Hong and Ling Xieting. Generating chaotic secure sequences with desired statistical properties and high security. Int. J. Bifurcation and Chaos, 7(1):205–213, 1997. [16] D. R. Frey. Chaotic digital encoding: An approach to secure communication. IEEE Trans. Circuits and Systems–II, 40(10):660–666, 1993. [17] Hong Zhou and Xie-Ting Ling. Problems with the chaotic inverse system encryption approach. IEEE Trans. Circuits and Systems–I, 44(3):268–271, 1997.
12
[18] Sang Tao, Wang Ruili, and Yan Yixun. Perturbance-based algorithm to expand cycle length of chaotic key stream. Electronics Letters, 34(9):873–874, 1998. [19] Sang Tao, Wang Ruili, and Yan Yixun. Clock-controlled chaotic keystream generators. Electronics Letters, 34(20):1932–1934, 1998. [20] M. S. Baptista. Cryptography with chaos. Physics Letters A, 240:50–54, 1998. [21] Wai kit Wong, Lap piu Lee, and Kwok wo Wong. A modified chaotic cryptographic method. Computer Physics Communications, 138:234–236, 2001. [22] Li Shujun, Mou Xuanqin, and Cai Yuanlong. Pseudo-random bit generator based on couple chaotic systems and its application in stream-ciphers cryptography. In Progress in Cryptology – INDOCRYPT 2001, Lecture Notes in Computer Science vol. 2247, pages 316–329. Springer-Verlag, Berlin, 2001. [23] T. Habutsu, Y. Nishio, I. Sasase, and S. Mori. A secret key cryptosystem using a chaotic map. Trans. IEICE, E 73(7):1041–1044, 1990. [24] T. Habutsu, Y. Nishio, I. Sasase, and S. Mori. A secret key cryptosystem by iterating a chaotic map. In Advances in Cryptology – EuroCrypt’91, Lecture Notes in Computer Science vol. 0547, pages 127–140. Spinger-Verlag, Berlin, 1991. [25] Zbigniew Kotulski and Janusz Szczepanski. Discrete chaotic cryptography. Annalen der Physik, 6(5):381– 394, 1997. [26] Zbigniew Kotulski and Janusz Szczepanski. Application of discrete chaotic dynamical systems in cryptography – dcc method. Int. J. Bifurcation and Chaos, 9(6):1121–1135, 1999. [27] Naoki Masuda and Kazuyuki Aihara. Cryptosystems with discretized chaotic maps. IEEE Trans. Circuits and Systems–I, 49(1):28–40, 2002. [28] Jiri Fridrich. Symmetric ciphers based on two-dimensional chaotic maps. Int. J. Bifurcation and Chaos, 8(6):1259–1284, 1998. [29] Josef Scharinger. Fast encryption of image data using chaotic kolmogrov flows. J. Electronic Imaging, 7(2):318–325, 1998. [30] Masaki Miyamoto, Kiyoshi Tanaka, and Tatsuo Sugimura. Truncated baker transformation and its extension to image encryption. In Mathematics of Data/Image Coding, Compression, and Encryption II, Proceedings of SPIE vol. 3814, pages 13–25, 1999. [31] E. Alvarez, A. Fern´andez, P. Garc´ıa, J. Jim´enez, and A. Marcano. New approach to chaotic encryption. Physics Letters A, 263:373–375, 1999. [32] Shujun Li, Xuanqin Mou, and Yuanlong Cai. Improving security of a chaotic encryption approach. Physics Letters A, 290(3-4):127–133, 2001. [33] Goce Jakimoski and Ljupˇco Kocarev. Chaos and cryptography: Block encryption ciphers based on chaotic maps. IEEE Trans. Circuits and Systems–I, 48(2):163–169, 2001. [34] Ljupˇco Kocarev and Goce Jakimoski. Logistic map as a block encryption algorithm. Physics Letters A, 289(4-5):199–206, 2001. [35] Stergios Papadimitriou, Tassos Bountis, Seferina Mavaroudi, and Anastassions Bezerianos. A probabilistic symmetric encryption scheme for very fast secure communications based on chaotic systems of difference equations. Int. J. Bifurcation and Chaos, 11(12):3107–3115, 2001. [36] Shujun Li, Xuan Zheng, Xuanqin Mou, and Yuanlong Cai. Chaotic encryption scheme for real-time digital video. In Real-Time Imaging VI, Proceedings of SPIE vol. 4666, pages 149–160, 2002. [37] D. D. Wheeler. Problems with chaotic cryptosystems. Cryptologia, XIII(3):243–250, 1989. [38] D. D. Wheeler and R. Matthews. Supercomputer investigations of a chaotic encryption algorithm. Cryptologia, XV(2):140–151, 1991.
13
[39] E. Biham. Cryptoanalysis of the chaotic-map cryptosystem suggested at EuroCrypt’91. In Advances in Cryptology – EuroCrypt’91, Lecture Notes in Computer Science vol. 0547, pages 532–534. Spinger-Verlag, Berlin, 1991. [40] D. Erdmann and S. Murphy. H´enon stream cipher. Electronics Letters, 28(9):893–895, 1992. [41] W. G. Chambers. Comments on “Chaotic digital encoding: An approach to secure communication”. IEEE Trans. Circuits and Systems–II, 46(11):1445–1447, 1999. [42] G. Alvarez, F. Montoya, M. Romera, and G. Pastor. Cryptanalysis of a chaotic encryption system. Physics Letters A, 276:191–196, 2000. [43] Goce Jakimoski and Ljupˇco Kocarev. Analysis of some recently proposed chaos-based encryption algorithms. Physics Letters A, 291(6):381–384, 2001. [44] Shujun Li, Xuanqin Mou, Luhua Gong, and Yuanlong Cai. On the security of a chaotic cipher to Biham’s attacks. submitted in 2002. [45] Shujun Li, Qi Li, Wenmin Li, Xuanqin Mou, and Yuanlong Cai. Statistical properties of digital piecewise linear chaotic maps and their roles in cryptography and pseudo-random coding. In Cryptography and Coding – 8th IMA Int. Conf. Proc., Lecture Notes in Computer Science vol. 2260, pages 205–221. Springer-Verlag, Berlin, 2001. [46] Shujun Li, Xuanqin Mou, Boliya L. Yang, Zhen Ji, and Jihong Zhang. Problems with a probabilistic encryption scheme based on chaotic systems. accepted by Int. J. Bifurcation and Chaos, initially scheduled to be published in vol. 13, no. 10, 2003, preprint available online at http://www.hooklee.com/pub.html. [47] Shujun Li, Xuanqin Mou, Zhen Ji, Jihong Zhang, and Yuanlong Cai. Performance analysis of JakimoskiKocarev attack on a class of chaotic cryptosystems. Physics Letters A, 307(1):22–28, 2003. [48] Shujun Li, Xuanqin Mou, Yuanlong Cai, Zhen Ji, and Jihong Zhang. On the security of a chaotic encryption scheme: problems with computerized chaos in finite computing precision. accepted by Computer Physics Communications in Dec. 2002, to be published in 2003, preprint available online at http://www.hooklee.com/pub.html. [49] Ute Feldmann, Martin Hasler, and Wolfgang Schwarz. Communication by chaotic signals: The inverse system approach. Int. J. Circuit Theory and Applications, 24(5):551–579, 1996. [50] Th. Beth, D. E. Lazic, and A. Mathias. Cryptanalysis of cryptosystems based on remote chaos replication. In Advances in Cryptology – EuroCrypt’94, Lecture Notes in Computer Science vol. 0950, pages 318–331. Spinger-Verlag, Berlin, 1994. [51] Kevin M. Short. Signal extraction from chaotic communications. 7(7):1579–1597, 1997.
Int. J. Bifurcation and Chaos,
[52] Chang-Song Zhou and Tian-Lun Chen. Extracting information masked by chaos and contaminated with noise: Some considerations on the security of communication approaches using chaos. Physics Letters A, 234:429–435, 1997. [53] Tao Yang, Lin-Bao Yang, and Chun-Mei Yang. Cryptanalyzing chaotic secure communications using return maps. Physics Letters A, 245:495–510, 1998. [54] Maciej J. Ogorzatek and Herv´e Dedieu. Some tools for attacking secure communication systems employing chaotic carriers. In Proc. IEEE Int. Symposium Circuits and Systems 1998, volume 4, pages 522–525. IEEE, 1998. [55] Andrew T. Parker and Kevin M. Short. Reconstructing the keystream from a chaotic encryption scheme. IEEE Trans. Circuits and Systems–I, 48(5):104–112, 2001. [56] Bruce Schneier. Applied Cryptography – Protocols, algorithms, and souce code in C. John Wiley & Sons, Inc., New York, second edition, 1996. [57] James Gleick. Chaos: Making a New Science. Viking Penguin, New York, 1987. [58] Ian Stewart. Does God Play Dice?: The Mathematics of Chaos. Blackwell Publishers, Oxford, UK, 1990.
14
[59] R. Brown and L. O. Chua. Clarifying chaos: Examples and counterexamples. Int. J. Bifurcation and Chaos, 6(2):219–249, 1996. [60] C. E. Shanon. Communication theory of secrecy systems. Bell Sys. Tech. J., 28(4):656–715, 1949. [61] Christopher P. Silva and Albert M. Young. Introduction to chaos-based communications and signal processing. In Proc. IEEE Aerospace Conf., pages 279–299. IEEE, 2000. [62] Tohru Kohda and Akio Tsuneda. Statistics of chaotic binary sequences. IEEE Trans. Information Theory, 43(1):104–112, 1997. [63] Shin’ichi Oishi and Hajime Inoue. Pseudo-random number generators and chaos. Trans. IECE Japan, E 65(9):534–541, 1982. [64] Jorge A. Gonz´alez and Ramiro Pino. A random number generator based on unpredictable chaotic functions. Computer Physics Communications, 120:109–114, 1999. [65] Agner Fog. Chaotic random number generators with random cycle lengths. http://www.agner.org/random/theory/chaosran.doc, Nov. 2001.
downloadable at
[66] Ling Cong and Li Shaoqian. Chaotic spreading sequences with multiple access performance better than random sequences. IEEE Trans. Circuits and Systems–I, 47(3):394–397, 2000. [67] Ghobad Heidari-Bateni and Clare D. McGillem. A chaotic direct-sequence spread-spectrum communication system. IEEE Trans. Communications, 42(2/3/4):1524–1527, 1994. [68] Julian Palmore and Charles Herring. Computer arithmetic, chaos and fractals. Physica D, 42:99–110, 1990. [69] Francois Robert. Discrete Iterations: A Metric Study. Springer Series in Computational Mathematics vol. 6. Springer-Verlag, Berlin, 1986. [70] P. M. Binder and R. V. Jensen. Simulating chaotic behavior with finite-state machines. Physical Review A, 34:4460–4463, 1986. ˇ [71] J. Cerm´ ak. Digital generators of chaos. Physics Letters A, 214(3-4):151–160, 1996. [72] Zhou Hong and Ling Xieting. Realizing finite precision chaotic systems via perturbation of m-sequences. Acta Eletronica Sinica (In Chinese), 25(7):95–97, 1997. [73] Henri Waelbroeck and Federico Zertuche. Discrete chaos. J. Physics A, 32:175–189, 1999. [74] A. Baranovsky and D. Daems. Design of one-dimensional chaotic maps with prescribed statistical properties. Int. J. Bifurcation and Chaos, 5(6):1585–1598, 1995. [75] Tohru Kohda and Kazuyuki Aihara. Chaos in discrete systems and diagnosis of experimental chaos. Trans. IEICE, E 73(6):772–783, 1990. [76] Andrzej Lasota and Michael C. Mackey. Chaos, Fractals, and Noise - Stochastic Aspects of Dynamics. Springer-Verlag, New York, second edition, 1997.
15