22 October 2001
Physics Letters A 289 (2001) 199–206 www.elsevier.com/locate/pla
Logistic map as a block encryption algorithm

Ljupčo Kocarev *, Goce Jakimoski

Institute for Nonlinear Science, University of California, San Diego, 9500 Gilman Drive, La Jolla, CA 92093-0402, USA

Received 18 January 2001; received in revised form 7 September 2001; accepted 18 September 2001
Communicated by A.R. Bishop
Abstract

We discuss the relationship between cryptography and chaos theory, and similarities of their crucial concepts such as mixing property and sensitivity to changes in initial conditions and parameters. A systematic procedure for design of encryption algorithms based on chaotic maps is suggested. We present an example based on logistic map. © 2001 Elsevier Science B.V. All rights reserved.
1. Introduction

The highly unpredictable and random-like nature of chaotic signals is the most attractive feature of deterministic chaotic systems that may lead to novel engineering applications. Chaos and cryptography have some common features, the most prominent being sensitivity to changes in variables and parameters. Shannon in his seminal paper [1] wrote: “In a good mixing transformation ... functions are complicated, involving all variables in a sensitive way. A small variation of any one (variable) changes (the outputs) considerably.” Although over the past decade there has been tremendous interest in both scientific disciplines, cryptography and chaos theory, to the best of the authors’ knowledge, [2] is the first detailed comparison of chaos and cryptography. An important difference between chaos and cryptography lies in the fact that systems used in chaos are defined only on real numbers [3], while cryptography deals with systems defined on a finite number of integers [4].
* Corresponding author: L. Kocarev.
Chaos has already been used to design cryptographic systems. For example, in a series of papers [5], the authors propose a chaos-derived pseudorandom number generator (PRNG). They numerically observe that the average cycle and transient lengths grow exponentially with the precision of implementation, and from this fact deduce that using high-precision arithmetic one can obtain PRNGs which are still of cryptographic interest. An encryption algorithm that uses the iterations of the chaotic tent map is proposed in [6] and cryptanalysed in [7]. In [8] the author encrypts each character of the message as the integer number of iterations performed in the logistic equation. While in conventional cryptographic ciphers the number of rounds (iterations) performed by an encryption transformation is usually less than 30, in [8] this number can be as large as 65536, and is always larger than 250. Another encryption algorithm based on synchronized chaotic systems is proposed in [9]. The authors suggest that each byte (consisting of n bits) of a message correspond to (be encrypted with) a different chaotic attractor.

In this Letter we present a block encryption cipher based on a chaotic map. Our approach differs from others in two ways. First, we use a systematic procedure to create chaos-based ciphers. We show that with the proper choice of discretization and parameters, which may play the role of the key, it is possible to design block encryption ciphers. Second, we cryptanalyse our ciphers, showing that they are resistant to known attacks.

0375-9601/01/$ – see front matter © 2001 Elsevier Science B.V. All rights reserved. PII: S0375-9601(01)00609-0
2. Block encryption algorithms

Encryption algorithms are usually written in the form of transformations

$$Y = E_Z(X), \qquad (1)$$

where plaintext $X$, cryptogram $Y$ and secret key $Z$ are sequences of letters in finite alphabets $L_X$, $L_Y$, $L_Z$, respectively, which are not necessarily equal to each other. Eq. (1) emphasizes that the cryptogram $Y$ is a function $E_Z$ of only the plaintext $X$, the particular function being determined by the value of the secret key $Z$. $E_Z$ is called an encryption algorithm (transformation). In the following we consider a special case of encryption algorithms, called block-encryption algorithms, for which $E_Z$ is defined as a function $F_Z$: $F_Z : \mathcal{X} \to \mathcal{X}$, where $\mathcal{X} = \{0, 1, \ldots, 2^m - 1\}$, where m 64. We always assume that $F_Z$ is a 1-to-1 correspondence and, for simplicity, we write $F$ instead of $F_Z$. Each element of the set $\mathcal{X}$ corresponds to a data-block of $m$ bits. If $F$ describes a block-encryption algorithm (cipher), then the deciphering transformation is the map $F^{-1}$ which goes back and recovers the plaintext $X$ from the ciphertext $Y = F(X)$. We can represent the situation schematically by the diagram

$$X \xrightarrow{F} Y \xrightarrow{F^{-1}} X$$

and call such a set-up a block-encryption cryptosystem.

Two general principles which guide the design of practical ciphers are diffusion and confusion. Diffusion means spreading out the influence of a single plaintext digit over many ciphertext digits so as to hide the statistical structure of the plaintext. An extension of this idea is to spread the influence of a single key digit over many digits of ciphertext. Confusion means the use of transformations which complicate the dependence of the statistics of the ciphertext on the statistics of the plaintext. Most ciphers achieve diffusion and confusion by means of round repetition. Repeating a single round contributes to the cipher’s simplicity and ease of implementation. Assuming that $X$ is an element of the set $\mathcal{X}$, in other words, $X$ is a data-block to be encrypted (plaintext): $x_0 = X$, we write $x_i = f(x_{i-1})$, where $f$ is a so-called round transformation and $i = 1, \ldots, r$. The encrypted data-block (ciphertext) is given by $Y = x_r = f^r(X) = F(X)$. Therefore, the plaintext $X$ is iterated $r$ times to form the cryptogram $Y$: $X = F(Y)$, where $F = f^r$. For a more detailed description of encryption algorithms we refer the reader to [4]. Here we only remark on two common mistakes made by chaos researchers in cryptography.
Remark 1. Chaos is not enough for security. In accordance with Shannon’s prescriptions [1], every encryption algorithm possesses properties of confusion, diffusion, mixing and sensitivity to changes in plaintext and secret key. This almost guarantees that an extension of the domain of an encryption algorithm from a lattice to a continuum will give rise to a chaotic map. We have done the domain extension for the round function of IDEA (International Data Encryption Algorithm) [4], and have numerically confirmed that the newly obtained map is chaotic. A linear interpolation between the points of the lattice was used to extend definition of the round function to the continuum. The other way around, if a nonlinear map is chaotic when defined on a continuum, then it will exhibit properties of confusion, diffusion, mixing, and sensitivity to changes in variables. However, in addition a good encryption algorithm must also be irreducible to any other (simpler) form which makes its cryptanalysis tractable. An excellent example is IDEA whose basic designing principle is usage of three different algebraic groups. The groups are not mutually isomorphic, which Lai and Massey, the authors of IDEA, employ to prove that it is impossible to reduce IDEA to a simpler form [10,11]. Therefore, sensitivity to changes in initial conditions and parameters, and mixing property of a chaotic map do not guarantee that its discrete version is a good crypto-algorithm. It is a must that one proves its cryptographic security. At the time being, the notion of cryptographic security has no counterpart in chaos theory, and the cryptographic security of a chaos-derived encryption algorithm can be checked up only by means of cryptotools. Even in cryptography, there is no straightforward procedure to prove
that an encryption algorithm is secure. Still, the area of cryptanalysis provides us with certain cryptanalytic tools and attacks against which any encryption algorithm must be resistant.
Remark 2. Synchronization is necessary only in some cryptographic modes. The way algorithms are used in cryptography is called a cryptographic mode. A cryptographic mode combines the basic cipher (algorithm), some sort of feedback and some simple operations. The security of the mode depends only on the underlying algorithm and not on the operations used. Moreover, the cipher mode should not compromise the security of the underlying algorithm. For example, in cipher block chaining mode [4], the plaintext $X_i$ is XORed with the previous ciphertext block $Y_{i-1}$ before it is encrypted, $Y_i = E_Z(X_i \oplus Y_{i-1})$. The first block $Y_0$ of random data is called the initialization vector, and the decryption process can be accomplished only after synchronization is maintained at the receiver. $Y_0$ plays the role of an initial point in dynamical systems. In most applications of chaos synchronization in cryptography, usually a novel synchronization scheme is proposed to ensure encryption of the information. Therefore, most researchers, in fact, proposed a new scheme for a cryptographic mode, rather than a new algorithm. Security of the scheme should depend only on the underlying algorithm, which, in this case, is typically a dynamical system described with a map or even with differential equations. For a moment we neglect the fact that such systems (with continuous phase space) are not appropriate for software and hardware implementation and try to address their security issues. Cryptanalysis deals with recovering the plaintext of a message without access to the key. A fundamental assumption in cryptanalysis, first enunciated by A. Kerckhoffs in the nineteenth century, is that the secrecy of the algorithm must reside entirely in the key [4]. Translated into the language of dynamical systems, this means that we assume that the cryptanalyst has complete details of the dynamical system and its implementation. Therefore, the main task of the cryptanalyst is to estimate, without the presence of noise (the encryption is an error-free process), the parameters of the system knowing the equations describing its time evolution. This is an easy task, as shown by many researchers, an example being [12].
3. From chaotic maps to block encryption schemes

Recall first that a discrete dynamical system is a mapping $G$ of a phase space $\mathcal{Y} \subseteq \mathbb{R}^k$ to itself, or $y_{i+1} = G(y_i)$. In the following we assume that $G$ is a chaotic map on $\mathcal{Y}$ with mixing property [13]. The analogy between the mapping that performs the encryption round $f$ and the chaotic map $G$ is obvious. Iteration of $f$ leads to the desired diffusion and confusion. Iteration of the chaotic map $G$ spreads the initial region over the entire phase space. An important difference between the encryption round and the chaotic map is that the encryption round is defined on a finite set and depends on the key value $Z$. This is not the case with the chaotic map. A mapping defined on a finite set can be derived from a chaotic map by discretization, in which we substitute the continuous variables and the operations defined over real numbers with variables that take values from the finite set of integers and appropriate integer operations. We now suggest a systematic procedure to design block cipher algorithms based on chaotic maps. This procedure consists of four steps: choosing a chaotic map, discretization, key schedule and cryptanalysis.

3.1. Choosing a chaotic map

The first step in designing a block encryption algorithm is to choose a chaotic map. Choosing maps for encryption algorithms is not an easy task and one should consider only maps with the following properties: mixing property, robust chaos and large parameter set.

Mixing property. The mixing property of chaotic maps is closely related to the property of diffusion in encryption transformations (algorithms). If we think of the set of possible (sensible) plaintexts as an initial region in the phase space of the map (transformation), then it is the mixing property (or in other terms, sensitivity to initial conditions) that implies “spreading out of the influence of a single plaintext digit over many ciphertext digits”.

Robust chaos. A good encryption algorithm also spreads the influence of a single key digit over many digits of ciphertext. The keys of an encryption algorithm represent its parameters. Therefore, we should consider only such transformations in which both parameters and variables are involved in a sensitive way.
A dynamical system is structurally stable when small $C^1$ perturbations yield a topologically equivalent system. In other words, a structurally stable or robust system retains its qualitative properties under small perturbations. Robust or structurally stable chaotic attractors can, eventually, ensure the diffusion property in the key space. Algorithms based on nonrobust systems may have weak keys. However, the majority of chaotic attractors are structurally unstable. Therefore, one should take great caution in choosing chaotic maps.

Parameter set. One should consider only systems that have robust chaos for a large set of parameters (keys). The entropy of a cryptosystem is the measure of the size of the key-space and is usually approximated by $\log_2 K$, where $K$ is the number of keys. Therefore, a larger parameter space of the dynamical system implies that its discretized version will have larger $K$.

In this Letter we design ciphers using chaotic maps. We choose

$$G(y) = ay(1 - y), \qquad (2)$$

where $y \in [0, 1]$ and $a = 4$. This is the well-known logistic map in the region of fully developed chaos (for $a = 4$). The logistic map is not structurally stable (in the space of the parameter $a$); therefore, we fix $a = 4$ and introduce the parameters by replacing $y$ in (2) with $y = \tilde{y} + p \pmod 1$, where $\tilde{y} \in [0, 1]$ and $p$ is a parameter (real number). The reason for this is twofold. First, in most algorithms the keys are introduced in a similar way. Second, with respect to the parameter $p$ the logistic map has robust chaos for all $p$. We stress that this procedure ensures that almost all chaotic maps with mixing property can be used to design encryption algorithms.

3.2. Discretization

Discretization is a process in which the map $G : \mathcal{Y} \to \mathcal{Y}$ is replaced with the map $F : \mathcal{X} \to \mathcal{X}$. Discretization is not a unique process. However, in many cases one can identify “a natural way” of doing this. Thus, for example, if $\beta = \{C_0, \ldots, C_{2^m - 1}\}$ is a finite partition of the phase space $\mathcal{Y}$, then $\mathcal{X} = \{0, \ldots, 2^m - 1\}$ and $F$ is the restriction of $G$ on $\mathcal{X}$ (assuming that such a restriction exists). As an example, the logistic map can be discretized as

$$F(x) = \begin{cases} \mathrm{floor}[x(256 - x)/64] & \text{if } \tilde{x} < 256, \\ 255 & \text{if } \tilde{x} = 256, \end{cases} \qquad (3)$$

where $\tilde{x} = \mathrm{floor}[x(256 - x)/64]$ and $x \in \{0, \ldots, 255\}$. The transformation is obtained from the logistic map (2) in two steps: first, the logistic map is scaled so that input and output values of the map are in the interval [0, 256]; second, the scaled logistic map is discretized.
4. An example

In this Letter, our goal is to design a fast software algorithm (which can also be implemented in hardware); in other words, we design a byte-oriented block encryption algorithm. We start with the assumption that each block consists of 8 bytes. This means that we are looking for 8-dimensional dynamical systems. Let $B_0$ be a plaintext block of length 64 bits. We write $x_{i,0}, \ldots, x_{i,7}$ for the eight bytes of the block $B_i$, $B_i = x_{i,0}, \ldots, x_{i,7}$. The cipher consists of $r$ rounds of identical transformations applied in sequence to the plaintext block. The encryption transformation is given by

$$\begin{aligned} x_{i,2} &= x_{i-1,1} \oplus f_0, \\ x_{i,3} &= x_{i-1,2} \oplus f_1, \\ &\;\;\vdots \\ x_{i,0} &= x_{i-1,7} \oplus f_6, \\ x_{i,1} &= x_{i-1,0} \oplus f_7, \end{aligned} \qquad (4)$$

where $i = 1, \ldots, r$. The functions $f_1, \ldots, f_7$ have the following form: $f_j = f[x_{i-1,1} \oplus \cdots \oplus x_{i-1,j} \oplus z_{i-1,j}]$, where $j = 1, \ldots, 7$ and $f : M \to M$, $M = \{0, \ldots, 255\}$, is a map derived from a chaotic map. $f_0 = z_{i,0}$ and $z_{i,0}, \ldots, z_{i,7}$ are the eight bytes of the subkey $z_i$ which controls the $i$th round. The output block $B_i = x_{i,0}, \ldots, x_{i,7}$ is the input to the next round, except in the last round. Therefore, $B_r = x_{r,0}, \ldots, x_{r,7}$ is the ciphertext block (encrypted information). The length of the ciphertext block is 64 bits (8 bytes) and is equal to the length of the plaintext block. Each round $i$ is controlled by one 8-byte subkey $z_i$. There are $r$ subkeys in total and they are derived from the key in a procedure for generating round subkeys. In choosing the map $f$ we follow the steps described in Section 3: $f$ is obtained via discretization of the logistic map.

The decrypting structure undoes the transformations of the encrypting structure: $r$ decryption rounds are applied to the ciphertext block $B_r$ to produce the original plaintext block $B_0$. The round subkeys are now applied in reverse order. The decryption round transformation is

$$x_{i-1,k} = x_{i,k+1} \oplus f_{k-1}[x_{i,1}, \ldots, x_{i,k-1}, z_{i,k-1}], \qquad (5)$$
with $k = 1, \ldots, 8$, $f_0 = z_0$, $x_8 \equiv x_0$ and $x_9 \equiv x_1$.

If we discretize the logistic map as in Section 3, then the function $f$ defined with (3) is not a one-to-one mapping. There are distinct elements of the set {0, 1, ..., 255} that are mapped to the same value. Thus, the cardinality of the set of all possible output values is less than 256. For example, the number of elements that are mapped to the value 255 is 17. This property implies that, when the input values are uniformly distributed, the output values are not uniformly distributed, i.e., the function $f$ “spoils” the input uniform distribution. Actually, when all input values are equally likely, the probability of having output value 255 is 17/256. This is significantly greater than 1/256. We used this fact to mount a known plaintext attack. The complexity of the attack was not greater than $2^{29}$, which is far below the complexity of the brute force attack. The problem can be solved by replacing the discretization procedure. We propose the following procedure.

1. Divide the phase space into $n + 1$ intervals of equal length. Assign the numbers $0, \ldots, n$ to the intervals so that one number is assigned to exactly one region. If a point is in the region $i$ we say that its magnitude is $i$.
2. Randomly choose one starting point from each interval and determine its image after $N$ iterations of a chaotic map.
3. Find the set $S$ of starting points that have a unique image. Choose a subset $A$ that contains 256 elements of $S$ and determine the set $B$ of corresponding images.
4. Assign new magnitudes $0, \ldots, 255$ to the elements of $A$ according to their old magnitudes. Do the same with the elements of $B$. If the new magnitude of the starting point in $A$ is $i$ and the new magnitude of its image is $j$, then we say that $f(i) = j$.

The map $f$ is one-to-one. The finally constructed function depends on the way the magnitudes are assigned in the first step, the chaotic map that is iterated, the number of iterations and the starting points. By changing any one of these we can change the function $f$. We stress that, if the cardinality of the set $S$ is less than 256, step 3 is impossible. The number of regions is chosen so that the average number of starting points that have a unique image is slightly greater than 256, when the chaotic map used in step 2 is the logistic map.

Let us now assume that the chaotic map has a uniformly distributed ergodic invariant measure and the number of regions in step 1 is $n + 1$. The probability that a given image is an image of exactly one starting point is

$$\sum_{i=1}^{n} \left(\frac{n}{n+1}\right)^{n} \frac{1}{n} = \left(\frac{n}{n+1}\right)^{n} \to 1/e$$

when $n \to \infty$. Thus for large values of $n$ the portion of images that correspond to exactly one starting point is $1/e$. If we want to construct a map $f : \{0, \ldots, k - 1\} \to \{0, \ldots, k - 1\}$ the number of regions should be slightly greater than $ke$ for large values of $k$.

Table 1 shows a function constructed using the previously described procedure. The numbering system used is hexadecimal. Thus f(00) = 62, f(10) = 92, f(20) = b7 and so on. The chaotic map, which was used in step 2, is the logistic map. We choose $N = 1000$ and $n = 767$. The cardinality of the set $S$ is 259.

Remark 3. Periodic orbits. Let us consider again the mapping $F : \mathcal{X} \to \mathcal{X}$, where $\mathcal{X} = \{0, 1, \ldots, 2^m - 1\}$, which describes a block encryption algorithm. Since $F$ is a finite 1-to-1 mapping, all its trajectories are periodic. What is the minimal, typical and maximal period of such orbits? Although such a question is, in general, relevant for cryptography, it is, however, irrelevant and useless for the theory of block encryption ciphers. One of the goals in the design of block ciphers is to design a transformation that can be used for both encryption and decryption. In this case, $F = F^{-1}$ and, obviously, all trajectories of $F$ are periodic with period 2. An example of such a cipher is DES (Data Encryption Standard) [4].
Table 1
The function f obtained from the logistic map using the procedure described in the text

     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0   60 c4 56 52 88 17 82 ac 28 96 4f 4a ff 20 b5 6a
1   92 83 bc a7 b2 9a ee 70 35 e1 25 61 9d a4 9c 47
2   b7 7d 2f 24 c7 7e c5 c8 77 14 8d cc fd 8a ef 36
3   76 2c 12 11 2a 29 a8 b8 22 84 c3 e9 e6 e2 15 57
4   e0 3c 69 ce 05 d4 cd fa 30 f8 dd 75 cf a0 0c 55
5   9f 41 f3 6f ea d2 a2 65 23 89 81 39 e4 93 ba 6b
6   a9 b0 1f f7 34 43 1b 08 04 fc 0b aa 73 94 eb 8e
7   c2 d6 53 48 18 27 8f 5b 5d d0 ec f4 f5 31 4b ab
8   4e 97 79 bb 13 b6 5e 8b 10 50 49 1d f6 99 00 68
9   3f 95 ad e7 e8 87 8c 51 64 1e d9 e5 5a da de f0
a   0f 46 f1 1c 71 e3 09 a5 dc 9e bf 40 80 3b 45 02
b   a6 42 d1 ed d7 fe 16 9b 63 72 c0 78 b4 67 26 03
c   01 54 07 90 38 21 62 3d d8 ca 7f b1 0a d5 44 a1
d   0d c9 f2 2e b9 59 6c 66 b3 74 32 bd df 58 6d 37
e   3a 2d db 6e f9 1a c6 06 5f a3 2b 19 7c fb 7b af
f   be 0e 85 5c 33 7a c1 4d cb 86 91 4c d3 ae 3e 98
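The discretization (3) and the four-step construction procedure of Section 4, as an added Python example (not the authors' code): it counts the preimages of 255 under (3) and then builds a one-to-one f from the logistic map with N = 1000 and n = 767. It assumes that "unique image" means no other starting point's image falls in the same interval, that the subset A is drawn at random from S, and that a new random draw is made when |S| < 256; all function names are hypothetical.

```python
import random

REGIONS = 768   # n + 1 intervals, with n = 767 as in the text
N_ITER = 1000   # N iterations of the logistic map, as in the text


def naive_f(x):
    """Eq. (3): floor[x(256 - x)/64], with the single value 256 clamped to 255."""
    xt = x * (256 - x) // 64
    return 255 if xt == 256 else xt


def preimage_counts(f):
    """counts[v] = number of inputs x in 0..255 with f(x) == v."""
    counts = [0] * 256
    for x in range(256):
        counts[f(x)] += 1
    return counts


def logistic(y, n_iter):
    """Iterate G(y) = 4y(1 - y) n_iter times in double precision."""
    for _ in range(n_iter):
        y = 4.0 * y * (1.0 - y)
    return y


def build_sbox(seed):
    """Steps 1-4 of the procedure. Returns (sbox, |S|); sbox is None if |S| < 256."""
    rng = random.Random(seed)
    # Steps 1-2: one random starting point per interval; record the interval
    # (magnitude) in which its image lands after N_ITER iterations.
    hits = {}
    for start in range(REGIONS):
        y0 = (start + rng.random()) / REGIONS
        image = min(int(logistic(y0, N_ITER) * REGIONS), REGIONS - 1)
        hits.setdefault(image, []).append(start)
    # Step 3: S = starting points whose image interval is hit by nobody else.
    s = [(starts[0], image) for image, starts in hits.items() if len(starts) == 1]
    if len(s) < 256:
        return None, len(s)          # step 3 is impossible for this draw
    a = sorted(rng.sample(s, 256))   # assumption: A is a random 256-subset of S
    # Step 4: new magnitudes are ranks; `a` is sorted by old starting magnitude,
    # so position i in `a` is the starting point with new magnitude i.
    rank_of_image = {img: r for r, img in enumerate(sorted(img for _, img in a))}
    return [rank_of_image[img] for _, img in a], len(s)


def first_sbox(max_seeds=500):
    """Try seeds 0, 1, ... until a draw yields at least 256 unique images."""
    for seed in range(max_seeds):
        sbox, size = build_sbox(seed)
        if sbox is not None:
            return sbox, size, seed
    raise RuntimeError("no seed produced |S| >= 256")


if __name__ == "__main__":
    counts = preimage_counts(naive_f)
    print("Eq. (3): preimages of 255 =", counts[255],
          "| distinct outputs =", sum(c > 0 for c in counts))
    sbox, size, seed = first_sbox()
    print(f"seed {seed}: |S| = {size}, bijective =", sorted(sbox) == list(range(256)))
```
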
4.1. Key schedule

The key schedule is the means by which the key bits are turned into round keys that the cipher can use. The mapping that performs each round $i$ depends on the value of the round subkey $z_i$. The length of the round subkeys is 64 bits and they are derived from the 128-bit key $K_0$ in a procedure as follows. We denote the bytes of the keys $K_i$ by $K_{i,j}$, $j = 0, \ldots, 15$. The key generation procedure is given by

$$K_{i,k+1} = K_{i-1,k} \oplus f_{k-1}[K_{i-1,1}, \ldots, K_{i-1,k-1}, c_{k-1}], \qquad z_i = RH(K_i), \qquad (6)$$

where $i = 1, \ldots, r$, $k = 1, \ldots, 16$, $f_0 = c_0$, $K_{i,16} \equiv K_{i,0}$ and $K_{i,17} \equiv K_{i,1}$. $c_0, \ldots, c_{15}$ are the sixteen bytes of the constant $c$. The function $RH$ assigns the 64-bit right half of the key $K_i$ to the round subkey $z_i$. The structure of the key generation procedure is similar to the encryption structure (4). The only difference is that the length of the block is 128 bits and the round subkeys are equal to the constant $c$. The value of the constant is c = 45f83fd1e01a638099c1d2f74ae61d04h and it is randomly chosen.

4.2. Cryptanalysis

The central question in cryptography is: what is security? This question can be answered at two different levels: theoretical and practical. At the theoretical level, the basic properties characterizing a secure object are “randomness increasing” and “computationally unpredictable”. The rigorous definitions for “randomness increasing” and “computationally unpredictable” are far beyond the scope of this Letter and we refer the reader to [14]. At the practical level the cryptographic security of a cryptographic object (for example, a block encryption algorithm) can be checked only by means of proving its resistance to various kinds of known attacks. Security evaluation consists of three steps [15]:

• One should prove (or check very carefully) the resistance to differential and linear attacks.
• One should check for the extensions and generalizations of differential and linear attacks.
• Moreover, one should take into account several dedicated attacks applicable to ciphers with a small number of rounds (8).

One should, however, keep in mind that provable security against one or two important attacks does not imply that the cipher is secure: other attacks may exist. On the other hand, provable security against certain attacks is certainly a first step in the right direction. We briefly summarize here the work in [16,17] assuming that $r = 18$. The differential approximation probability of the function $f$ is $2^{-5} < DP_f = 12/256 < 2^{-4}$ and the linear approximation probability is $LP_f = 2^{-4}$ [16]. In [17] we proved that every 18-round trail has at least $\left[17 \cdot \frac{18}{11}\right] = 27$ active bytes. Therefore, for all 18-round differential trails $DP \le (2^{-4.678})^{27} \approx 2^{-126}$, and for all 18-round linear trails $LP \le (2^{-4})^{27} \approx 2^{-108}$. Thus the differential and linear attacks are impossible for the proposed cipher.

Remark 4. Chaotic properties of encryption algorithms. After discretization a chaotic system is no longer chaotic: all trajectories of an encryption algorithm are periodic. What are the advantages of using chaotic systems to design encryption algorithms? An essential part of every block encryption algorithm is a nonlinear element usually called an S-box. An S-box is a table-driven nonlinear substitution operation; an example of an S-box is our $f$ function, given in Table 1. S-boxes are created either randomly or algorithmically. Here we have proposed another way of creating S-boxes: by using chaotic maps. It turns out that very simple chaotic maps and a very simple discretization procedure generate secure algorithms, which is the opposite of the case of randomly constructed S-boxes: encryption algorithms that use such S-boxes are unlikely to be secure [18].
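The round transformations (4) and (5) and the key schedule (6), written out as an added Python example (not the authors' code) with Table 1 as f and r = 18. It assumes a single subkey z_i per round for both f_0 and f_j, takes RH to be bytes 8 to 15 of K_i, recovers the bytes of the previous block one after another in decryption, and measures diffusion as the mean number of ciphertext bits changed by a one-bit plaintext flip; the function names are hypothetical.

```python
import random

# Table 1, row-major (row = high hex digit of the input, column = low digit).
SBOX = bytes.fromhex(
    "60c45652881782ac28964f4aff20b56a9283bca7b29aee7035e125619da49c47"
    "b77d2f24c77ec5c877148dccfd8aef36762c12112a29a8b82284c3e9e6e21557"
    "e03c69ce05d4cdfa30f8dd75cfa00c559f41f36fead2a26523898139e493ba6b"
    "a9b01ff734431b0804fc0baa7394eb8ec2d6534818278f5b5dd0ecf4f5314bab"
    "4e9779bb13b65e8b1050491df69900683f95ade7e8878c51641ed9e55adadef0"
    "0f46f11c71e309a5dc9ebf40803b4502a642d1edd7fe169b6372c078b4672603"
    "015407903821623dd8ca7fb10ad544a10dc9f22eb9596c66b37432bddf586d37"
    "3a2ddb6ef91ac6065fa32b197cfb7bafbe0e855c337ac14dcb86914cd3ae3e98"
)
C = bytes.fromhex("45f83fd1e01a638099c1d2f74ae61d04")  # constant c of Section 4.1
ROUNDS = 18                                            # r assumed in Section 4.2


def round_forward(x, z):
    """Eq. (4) for an n-byte block x and n-byte subkey z (n = 8, or 16 in Eq. (6))."""
    n, acc = len(x), 0
    out = [0] * n
    for k in range(1, n + 1):
        f = z[0] if k == 1 else SBOX[acc ^ z[k - 1]]   # f_{k-1}
        out[(k + 1) % n] = x[k % n] ^ f
        acc ^= x[k % n]                                # x_1 ^ ... ^ x_k for the next f
    return out


def round_inverse(y, z):
    """Eq. (5): rebuild the previous block byte by byte, starting from x_1."""
    n, acc = len(y), 0
    x = [0] * n
    for k in range(1, n + 1):
        f = z[0] if k == 1 else SBOX[acc ^ z[k - 1]]
        x[k % n] = y[(k + 1) % n] ^ f
        acc ^= x[k % n]
    return x


def subkeys(key, rounds=ROUNDS):
    """Eq. (6): run the 16-byte round with subkey c; z_i is the right half of K_i."""
    k, out = list(key), []
    for _ in range(rounds):
        k = round_forward(k, C)
        out.append(k[8:])
    return out


def encrypt_block(block, key, rounds=ROUNDS):
    x = list(block)
    for z in subkeys(key, rounds):
        x = round_forward(x, z)
    return bytes(x)


def decrypt_block(block, key, rounds=ROUNDS):
    x = list(block)
    for z in reversed(subkeys(key, rounds)):
        x = round_inverse(x, z)
    return bytes(x)


def mean_flipped_bits(rounds, trials=200, seed=1):
    """Mean number of the 64 ciphertext bits that change when one plaintext bit flips."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(16))
        pt = bytearray(rng.randrange(256) for _ in range(8))
        c1 = encrypt_block(bytes(pt), key, rounds)
        pt[rng.randrange(8)] ^= 1 << rng.randrange(8)
        c2 = encrypt_block(bytes(pt), key, rounds)
        total += sum(bin(a ^ b).count("1") for a, b in zip(c1, c2))
    return total / trials


if __name__ == "__main__":
    key, pt = bytes(range(16)), b"8 bytes!"   # constructed sample key and block
    ct = encrypt_block(pt, key)
    print(ct.hex(), decrypt_block(ct, key) == pt)
    for r in (1, 2, 4, 18):
        print(r, "rounds:", mean_flipped_bits(r), "bits changed on average")
```

Decryption never inverts f, so the round structure is invertible for any table; the bijectivity of Table 1 matters for the statistical properties discussed in Section 4, not for correctness of decryption.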
5. Conclusion

In this Letter we have proposed a procedure for designing chaos-based algorithms; this procedure consists of the following steps: choosing a chaotic map, discretization, key schedule, and cryptanalysis. As an example, we have presented an encryption algorithm based on the logistic map. The cipher uses only byte operations that can be easily implemented on various processors and in hardware. We stress that our approach is applicable to all chaotic maps with mixing property. We close our Letter with some open problems that we believe are of importance for future research on chaos and cryptography.

• Chaos and cryptography. Although we have established some relationships between chaos and cryptography we believe that there are properties yet to be discovered. For example, we have numerically verified the diffusion property in our algorithm: after r = 4 rounds a small cloud of initial points (plaintext) is spread uniformly through the whole space such that the average number of zeros (or ones) in the block of 64 bits is 32. This number r = 4 gives the strength of the diffusion property in an algorithm in a similar way as Lyapunov exponents measure the strength of the chaos in continuous systems. Do there exist measures for the confusion? What are the properties of chaotic systems relevant for cryptanalysis? Can chaos give insight into the theory of block cipher design?
• A continuous model of cryptography. A central assumption in computer science is that the Turing-machine model is an appropriate model of a digital computer and computer simulation. However, it was recently argued that another model of computation based on real numbers [21,22] is also appropriate and in some cases more useful as a model of a computer. Both models are, of course, abstractions (a Turing machine employs a tape of unbounded (infinite) length, while it takes an infinite number of bits to represent a single real number). It seems to us that it is also appropriate, at least at the theoretical level, to consider a continuous (real-number) model for solving some of the problems in cryptography. This model when used in cryptography would be inherently connected to chaos theory.
Acknowledgement

This work was supported in part by the ARO (grant DAAG55-98-1-0269, MURI Project “Digital Communication Devices Based on Nonlinear Dynamics and Chaos”), and the DOE (grant DE-FG03-95ER14516).
References

[1] C.E. Shannon, Bell Syst. Tech. J. 28 (1949) 656.
[2] L. Kocarev, G. Jakimoski, to be published.
[3] J. Guckenheimer, P. Holmes, Nonlinear Oscillations, Dynamical Systems and Bifurcations of Vector Fields, Springer, Berlin, 1983.
[4] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, Wiley, New York, 1996.
[5] R.A.J. Matthews, Cryptologia 13 (1989) 29; D.D. Wheeler, Cryptologia 13 (1989) 243; D.D. Wheeler, R.A.J. Matthews, Cryptologia 15 (2) (1991) 140.
[6] T. Habutsu, Y. Nishio, I. Sasase, S. Mori, in: Advances in Cryptology—EUROCRYPT ’91, Springer, Berlin, 1991, pp. 127–140.
[7] E. Biham, in: Advances in Cryptology—EUROCRYPT ’91, Springer, Berlin, 1991, pp. 532–534.
[8] M.S. Baptista, Phys. Lett. A 240 (1998) 50.
[9] Y.H. Chu, S. Chang, Electron. Lett. 35 (1999) 974.
[10] X. Lai, J.L. Massey, in: Advances in Cryptology—EUROCRYPT ’90, Springer, Berlin, 1991, pp. 389–404.
[11] X. Lai, J.L. Massey, S. Murphy, in: Advances in Cryptology—EUROCRYPT ’91, Springer, Berlin, 1991, pp. 17–38.
[12] H. Dedieu, M.J. Ogorzalek, IEEE Trans. Circuits Syst. I 44 (1997) 948.
[13] I.P. Cornfeld, S.V. Fomin, Ya.G. Sinai, Ergodic Theory, Springer, Berlin, 1982.
[14] A. Yao, in: IEEE 23rd Symposium on Foundations of Computer Science, 1982, pp. 80–91.
[15] B. Preneel, V. Rijmen, A. Bosselaers, Recent Development in the Design of Conventional Cryptographic Algorithms, Lecture Notes in Comput. Sci., Vol. 1528, Springer, 1998, pp. 105–130.
[16] G. Jakimoski, L. Kocarev, IEEE Trans. Circuits Syst. I 48 (2) (2001) 163.
[17] L. Kocarev, G. Jakimoski, IEEE Trans. Circuits Syst. I (2001), submitted.
[18] For example, Khafre [19] uses random S-boxes and is vulnerable to differential cryptanalysis. DES variants with random fixed S-boxes are very likely to be weak [20].
[19] R.C. Merkle, in: Advances in Cryptology—CRYPTO ’90, Springer, Berlin, 1991, pp. 476–501.
[20] E. Biham, A. Shamir, Differential Cryptanalysis of Data Encryption Standard, Springer, Berlin, 1993.
[21] L. Blum, F. Cucker, M. Shub, S. Smale, Complexity and Real Computation, Springer, New York, 1998.
[22] J.F. Traub, Phys. Today (1999) 39.