Self-synchronizing stream ciphers and dynamical systems: state of the art and open issues Gilles Millérioux, Philippe Guillot

To cite this version:

Gilles Millérioux, Philippe Guillot. Self-synchronizing stream ciphers and dynamical systems: state of the art and open issues. International Journal of Bifurcation and Chaos in Applied Sciences and Engineering, World Scientific Publishing, 2010, 20 (9), pp. 2979-2991. DOI 10.1142/S0218127410027532. hal-00540986

HAL Id: hal-00540986 https://hal.archives-ouvertes.fr/hal-00540986 Submitted on 29 Nov 2010

SELF-SYNCHRONIZING STREAM CIPHERS AND DYNAMICAL SYSTEMS: STATE OF THE ART AND OPEN ISSUES

G. MILLÉRIOUX, Centre de Recherche en Automatique de Nancy (CRAN UMR 7039), Nancy University, CNRS. E-mail: [email protected]

P. GUILLOT, Laboratoire Analyse, Géométrie et Applications (LAGA UMR 7539), University of Paris 8. E-mail: [email protected]

November 29, 2010

Dynamical systems play a central role in the design of symmetric ciphers. Their use has been widely investigated both in "chaos-based" private communications and in stream ciphers over finite fields. In the former case, they take the form of automata named Moore or Mealy machines. The main characteristic of stream ciphers lies in the fact that they require synchronization of the complex sequences generated by the dynamical systems involved at the transmitter and the receiver sides. In this paper, we focus on a special class of symmetric ciphers, namely the Self-Synchronizing Stream Ciphers. Indeed, such ciphers have not been seriously explored so far although they have interesting synchronization properties which could make them very appealing in practice. We review and compare different design approaches which have been proposed in the open literature, and fully-specified algorithms are detailed for illustration purposes. Open issues related to the validation and the implementation of Self-Synchronizing Stream Ciphers are developed. We highlight the reason why some concepts borrowed from control theory appear to be useful to this end.

Keywords: dynamical systems, stream ciphers, control theory

1. Introduction

Nowadays, a huge amount of information exchange is carried out through public networks. This being the case, guaranteeing privacy in the communication is undoubtedly a great challenge. It turns out that cryptography is central in this context. Indeed, it is highly based on the notions of confusion and diffusion introduced by Shannon. Although these notions are intuitively understandable, they are actually made explicit through a precise formalism (see for example [Massey, J.L., 1992]). Among a wide variety of cryptographic techniques, two major classes can typically be distinguished: public-key ciphers (or asymmetric-key ciphers) and secret-key ciphers (also called symmetric-key ciphers). Public-key ciphers are largely based upon computationally very demanding mathematical

problems, for instance, integer factorization into primes. Two milestones are 1976, with the seminal paper of Diffie and Hellman [1976] that founded public-key cryptography, and 1978, marked by the publication of RSA, the first full-fledged public-key algorithm. This discovery was important notably because it solved the key-exchange problem of symmetric cryptography. Modern symmetric cryptography originates in the works of Feistel at IBM during the late 1960s and early 1970s. One of the key dates is 1977, when the symmetric cipher Data Encryption Standard (DES) was adopted by the U.S. National Bureau of Standards (now the National Institute of Standards and Technology, NIST) for encrypting unclassified information. DES is now in the process of being replaced by the Advanced Encryption Standard (AES), a new standard adopted by NIST in 2001.

Among symmetric-key ciphers, stream ciphers are of special interest for high speed encryption in satellite communications, private TV channel broadcasting, RFID and networked embedded systems. They are mainly based on generators, precisely in the form of dynamical systems, delivering complex sequences which must be synchronized at the transmitter and receiver sides. Stream ciphers have received increasing attention quite recently. Two European projects have influenced this evolution: the project NESSIE within the Information Society Technologies Programme of the European Commission, which started in 2000 and ended in 2004, followed by ECRYPT (website available at http://www.ecrypt.eu.org/stream/), launched on February 1st, 2004. Sponsored by ECRYPT, eSTREAM is a multi-year effort aiming at identifying promising software- and hardware-oriented symmetric cryptosystems, with proposals from industry to academia.

As it turns out, there is a connection between the properties of confusion and diffusion and the random-looking chaotic dynamics, or more generally complex dynamics. This is the main reason why "chaos-based privacy" entered the scene in 1993. Indeed, chaotic behavior is one of the most complex dynamics a nonlinear system can exhibit. A formal definition of chaos is due to R.L. Devaney [1989], and the sensitivity to initial conditions is one of the most central properties characterizing chaos. It can roughly be described as the fact that a small change in the initial conditions can drastically change the long-term behavior of a system. Chaos has received considerable attention for some years. Actually, the terminology "chaos" was introduced for the first time in the seminal paper of Li and Yorke "Period Three Implies Chaos" [1975]. Complex dynamics had its beginnings in the work of the French mathematician Henri Poincaré (1854-1912). Sensitive dependence phenomena were highlighted by Edward Lorenz in 1963 while simulating a simplified model of convection. Since the 90's, a huge number of applications have been proposed over the fields of circuits and systems, mechanics, physics, avionics and weather forecasting. Because the signals resulting from chaotic systems are broadband, noise-like and present random-like statistical properties, albeit generated by deterministic systems, they are difficult to predict. All this motivated the use of such dynamical systems for privacy issues. The year 1990 is a milestone with a pioneering work reported in [Carroll, T. L & Pecora, L. M., 1991]. Since then, many schemes have been proposed to scramble information with a complex sequence delivered by dynamical systems, leading thereby to cryptosystems which mimic symmetric ciphers (see [Ogorzalek, M. J., 1993][Hasler, M., 1998][Yang, T., 2004][Alvarez, G. & Li, S., 2006][Millérioux G. et al., 2008b] for some surveys). To highlight the interest in this topic, let us stress that many special issues in international journals have been published, and numerous invited sessions in conferences have been organized as well. But actually, it turns out that the chaos-based algorithms proposed so far belong more to the field of than to pure cryptography.

After this brief recall of the important events which have marked the field of cryptography and of the role played by dynamical systems in this context, the following remark can be made. Less attention has been paid to a special class of symmetric ciphers, namely the self-synchronizing stream ciphers. Indeed, when looking at the open literature and some substantial courses on symmetric cryptography proposed by, to mention a few,

M. Kiviharju (available at www.tcs.hut.fi/Studies/T-79.514/), S. Paul (available at http://homes.esat.kuleuven.be/psourady/stream cipher course-I.htm) and the web site PICSI (available at www.picsi.org) on Cryptology and Information Security, these ciphers are just touched on but not really investigated (see [Daemen, J. et al., 1992] for an exception). Even more, it is worth pointing out that within the eSTREAM project, a project of reference in the field of stream cipher-based cryptography, out of 34 primitives which had been submitted for evaluation, only two belonged to the class of self-synchronizing stream ciphers. Nevertheless, they turn out to be very useful in secure communications. Indeed, as will be det ailed later in this paper, self-synchronizing stream ciphers offer serious advantages, the main one being the ability to automatically achieve synchronization between the two parts of a communication setup. As a result, there is no need to call for resynchronization protocols or synchronization flags. This is of first importance when one must face, for example, drastic constraints concerning the throughput.

The main objective of this paper is to review, compare and discuss the different design approaches devoted to Self-Synchronizing Stream Ciphers while showing how dynamical systems are used to confer on them the interesting property of self-synchronization. The layout is the following. After a recall of basic background on cryptography with a special emphasis on symmetric cryptography (Section 2), the different approaches which have been proposed in the open literature are detailed and illustrated through interesting fully-specified algorithms (Section 3). Then, we suggest some open issues related to the design, the validation and the implementation of self-synchronizing stream ciphers (Section 4).

2. Background on symmetric cryptography

2.1. Generalities

A general encryption mechanism, also called cryptosystem or cipher, is illustrated in Fig. 1. We are given an alphabet $A$, that is, a finite set of basic elements named symbols. On the transmitter part, a plaintext (also called information or message) $m \in M$ ($M$ is called the message space) consisting of a string of symbols $m_k \in A$ is encrypted according to an encryption function $e$ which depends on the key $k_e \in K$ ($K$ is called the key space). The resulting ciphertext $c \in C$ ($C$ is called the ciphertext space), a string of symbols $c_k$ from an alphabet $B$ usually (and assumed hereafter) identical to $A$, is conveyed through a public channel to the receiver. At the receiver side, the ciphertext $c$ is decrypted according to a decryption function $d$ which depends on the key $k_d \in K$. For a prescribed $k_e$, the function $e$ must be invertible.

Fig. 1: General encryption mechanism. A key source delivers $k_e$ to the transmitter and $k_d$ to the receiver; the transmitter sends $c = e(k_e, m)$ over a channel observed by an eavesdropper, and the receiver recovers $\hat m = d(k_d, c)$.

In symmetric encryption, the pair $(e, d)$ is such that the key $k_d$ can easily be recovered from $k_e$. Hence, not only $k_d$ must be kept secret but the key $k_e$ as well. It is customary that both keys are identical, that is $k_d = k_e$. Another property of a symmetric encryption scheme is that there must exist a unique pair $(k_e, k_d)$ such that $d(k_d, c) = m$ where $c = e(k_e, m)$. There are two classes of symmetric-key encryption schemes which are commonly distinguished: block ciphers and stream ciphers. A block cipher is an encryption scheme that breaks up the plaintext messages into strings (called blocks) of a fixed length over an alphabet and encrypts one block at a time. Block ciphers usually involve compositions of substitution and transposition operations. Next we describe stream ciphers in more detail.

2.2. Stream ciphers

In the case of stream ciphers, the encryption function $e$ can change for each symbol because it depends on a time-varying key $z_k$, also called running key. The sequence $\{z_k\}$ is called the keystream. This being the case, stream ciphers are generally well suited, and their use can even be compulsory, when buffering is limited or when only one symbol can be processed at a time: the field of

telecommunications often includes such constraints. They benefit from a smaller footprint (gates, power consumption, ...) in low-end hardware implementations, high encryption speed, small input/output delay and simple protocols for handling variable sized inputs. They are efficient and compact in constrained devices.

Stream ciphers require a keystream generator. It is usual that the plaintext $m_k$ and the ciphertext $c_k$ are binary words. If so, the most widely adopted function $e$ is the bitwise XOR operation, and if the generator delivers a truly random keystream $\{z_k\}$ which is never used again, the encryption scheme is called one-time pad, the only cipher known to be unconditionally secure so far. However, in order to decrypt the ciphertext, the recipient party of a one-time pad encryption setup would have to know the random keystream and, thus, would again require a secure transmission of the key. Besides, for the one-time pad cipher, the key should be as long as the plaintext, which would drastically increase the difficulty of the key distribution. As an alternative to such an ideal encryption scheme, one can resort to pseudo-random generators. Indeed, for such generators, the keystream is produced by a deterministic function (often involving feedback shift registers along with nonlinearities [Knuth, D. E., 1998]) while its statistical properties look random. There are two classes of stream ciphers, the difference lying in the way the keystream is generated: the synchronous stream ciphers and the self-synchronizing stream ciphers.

Synchronous Stream Ciphers (written hereafter SSC for short) admit the equations:

$$
\begin{cases}
q_k = \sigma^{s}(q_{k-1}) \\
z_k = s(q_k) \\
c_k = e(z_k, m_k)
\end{cases} \qquad (1)
$$

$\sigma^{s}$ is the next-state transition function while $s$ acts as a filter and generates the keystream $\{z_k\}$.

Self-Synchronizing Stream Ciphers (written hereafter SSSC for short) admit the equations:

$$
\begin{cases}
z_k = \sigma^{ss}_\theta(c_{k-l-M}, \ldots, c_{k-l}) \\
c_k = e(z_k, m_k)
\end{cases} \qquad (2)
$$

$\sigma^{ss}_\theta$ is the function that generates the keystream $\{z_k\}$. $l$ is a nonnegative integer standing for a possible delay. $\sigma^{ss}_\theta$ depends on past values of $c_k$. The number of past values is most often bounded and equals $M$, the delay of memorization.

Actually, many chaos-based encryption schemes proposed in the literature (see for example [Millérioux G. et al., 2008b] and references therein for a survey) involve observers. When the state reconstruction is ensured asymptotically, such cryptosystems can be considered as belonging to the class of SSSC with $M \to \infty$. One may also consider SSSC for which $M$ is a random variable with a probability law that decreases to zero as time grows to infinity. These SSSC are called statistical SSSC but have never been investigated so far. A little bit more will be said at the end of this paper in Subsection 4.3, devoted to open issues. Unless otherwise stated, only the case when $M$ is bounded will be addressed in the sequel.

Regardless of the class of ciphers, synchronous or self-synchronizing, the ciphertext $c_k$ is worked out through an encryption function $e$ which must be invertible for any prescribed $z_k$. In the binary case, one has $A = B = \{0, 1\}$ and $e(z_k, m_k) = z_k \oplus m_k$ where $\oplus$ denotes the modulo 2 addition on the 2-element field. The decryption is performed through a function $d$ depending on the ciphertext $c_k$ and the running key $\hat z_k$ of the receiver's generator. Such a function must obey the rule:

$$
\hat m_k := d(c_k, \hat z_k) = m_k \quad \text{if } \hat z_k = z_k \qquad (3)
$$

In the binary case, one has $d(\hat z_k, c_k) = \hat z_k \oplus c_k$.

Synchronization issues

For stream ciphers, the generators at both sides have the same generator function, and synchronization of the keystreams $\{z_k\}$ and $\{\hat z_k\}$ generated respectively at the transmitter and receiver sides is a condition for proper decryption. For SSC, the generators are not coupled to each other. Consequently, the only way to guarantee synchronization of the keystreams is to share the seed (the initial running key $z_0$). This being the case, the secret key $\theta$ is nothing but the seed $z_0$. For SSSC, since the generator function $\sigma^{ss}_\theta$ shares, at the transmitter and receiver sides, the same quantities, namely the past ciphertexts, it is clear that the generators synchronize automatically after a finite transient time of length $M$. The secret

key is some suitable (according to the security) set of parameters of the function $\sigma^{ss}_\theta$.

Advantages of self-synchronizing stream ciphers

As far as SSSC are concerned, the ability to self-synchronize provides many advantages. First, if a ciphertext is deleted, inserted or flipped, the SSSC will automatically resume proper decryption after a short, finite and predictable transient time. Hence, SSSC do not require any additional synchronization flags or interactive protocols for recovering lost synchronization. Secondly, the self-synchronizing mechanism also enables the receiver to switch at any time into an ongoing enciphered transmission. Third, any modification of ciphertext symbols by an active eavesdropper causes incorrect decryption for a fixed number of next symbols. As a result, an SSSC prevents active eavesdroppers from undetectable tampering with the plaintext: message authenticity is guaranteed. Finally, since each plaintext symbol influences a fixed number of following ciphertexts, the statistical properties of the plaintext are thereby diffused through the ciphertext. Hence, SSSC are very efficient against attacks based on plaintext redundancy, and the property of diffusion is structurally fulfilled.

3. State of the art in the design of SSSC

Actually, the model (2) of an SSSC is a conceptual model, called canonical representation, that can correspond to different architectures resulting from different design approaches. In the open literature, few design methods have been proposed. They are detailed below in a way which highlights the central role played by dynamical systems and the reason why some concepts borrowed from control theory appear to be useful.

3.1. Block ciphers in CFB mode

This SSSC design approach resorts to a length $M$ shift register and a block cipher (DES for instance), both inserted in a closed-loop architecture. It is a very special mode of operation involving block ciphers, naturally called Cipher FeedBack (CFB) mode. The block cipher's input is the shift register state. Usually a limited number of the block cipher output bits are retained, the selection being performed through a so-called filter function denoted $h'$ in Fig. 2. Such a configuration is often used in 1-bit CFB mode. In such a case, the encryption function $e$ is a XOR (modulo 2 addition over $\{0, 1\}$). The keystream generator $\sigma^{ss}_\theta$ of the corresponding canonical form (2) results from the composition of three functions: the state transition function of the shift register, the block cipher and the filter function $h'$.

This mode is quite inefficient in terms of encryption speed since one block cipher operation, and so multiple rounds, are required for enciphering a single plaintext $m_k$.

Fig. 2: Block cipher in CFB mode. The shift register is fed back with $c_k$, its state enters the block cipher, the filter function $h'$ selects the keystream $z_k$, and $c_k = e(z_k, m_k)$.

3.2. Maurer's approach

In [Maurer, U. M., 1991], an alternate design approach exclusively dedicated to SSSC is suggested. It includes two main ideas.

The first idea consists in replacing the shift register, the block cipher and the output bit filter function of the CFB mode architecture by an automaton. The automaton obeys the dynamics

$$
\begin{cases}
q_{k+1} = g_\theta(q_k, c_k) \\
z_k = h_\theta(q_k)
\end{cases} \qquad (4)
$$

The function $g_\theta$ is called (next) state transition function while $h_\theta$ is called output function. The automaton must have a finite input memory of size $M$, meaning that the state $q_k$ must be expressed

by means of a function $l_\theta$ which depends on a finite number of past ciphertexts $c_{k-i}$:

$$
q_k = l_\theta(c_{k-M}, \ldots, c_{k-1}) \qquad (5)
$$

Substituting the above expression of $q_k$ into the second equation of (4) gives the function $\sigma^{ss}_\theta$ of the canonical form (2). One has the following composition: $\sigma^{ss}_\theta = h_\theta \circ l_\theta$. According to the discussion of Subsect. 2.2 on synchronization issues, self-synchronization is guaranteed.
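As an added illustration (this is not code from the paper, nor from any of the ciphers it describes), the following Python toy realises the automaton (4)-(5) and exhibits the synchronization behaviour discussed in Subsection 2.2 and under "Advantages of self-synchronizing stream ciphers": a receiver that starts from an unrelated state is wrong for at most $M$ symbols and then decrypts correctly, a flipped ciphertext symbol corrupts that symbol and at most the next $M$, and a deleted symbol is recovered from after $M$ symbols. The state transition is given the "triangular" shape that Subsection 3.2(B) describes for Moustique, so that $q_k$ forgets $q_0$ after $N = M$ steps and $l_\theta$ of (5) exists. The functions `mix`, `g_theta` and `h_theta`, the key, the plaintext and the seeds are all constructed for this example and have no cryptographic strength.

```python
"""Toy SSSC in Maurer's form (4)-(5): q_{k+1} = g_theta(q_k, c_k), z_k = h_theta(q_k),
c_k = z_k XOR m_k.  Component j of q_{k+1} depends only on components 1..j-1 of
q_k and on c_k (triangular shape), hence finite input memory of N symbols.
Everything here is constructed for illustration; nothing is a secure primitive."""

N = 4  # number of state components = memory M of the cipher, in symbols

def mix(a, b, k):
    """Constructed 8-bit mixer (toy): combine two bytes under a key byte."""
    v = (((a ^ b) * 0x1F) + k) & 0xFF
    return ((v << 3) | (v >> 5)) & 0xFF          # rotate left by 3 bits

def g_theta(key, q, c):
    """Triangular next-state function g_theta of (4)."""
    acc, new = c, []
    for j in range(N):
        new.append(acc)                 # q^(j+1)_{k+1} reads only c_k and q^(1..j)_k
        acc = mix(acc, q[j], key[j % len(key)])
    return tuple(new)

def h_theta(key, q):
    """Output function h_theta of (4): one keystream byte from the whole state."""
    z = 0xA5
    for j, comp in enumerate(q):
        z = mix(z, comp, key[(j + 1) % len(key)])
    return z

def run(key, data, q0, encrypting):
    """Transmitter (e(z,m) = z XOR m) or receiver (d(z,c) = z XOR c) loop.
    Both sides feed the *ciphertext* byte back into g_theta; that coupling is
    what makes the two states converge."""
    q, out = tuple(q0), bytearray()
    for b in data:
        y = h_theta(key, q) ^ b
        out.append(y)
        q = g_theta(key, q, y if encrypting else b)
    return bytes(out)

def encrypt(key, plaintext, q0):
    return run(key, plaintext, q0, True)

def decrypt(key, ciphertext, q0):
    return run(key, ciphertext, q0, False)

def state_after(key, ciphertexts, q0):
    """l_theta of (5), obtained by iterating g_theta over the given ciphertexts."""
    q = tuple(q0)
    for c in ciphertexts:
        q = g_theta(key, q, c)
    return q

def wrong_positions(expected, got):
    """Indices at which the receiver's plaintext differs from the transmitter's."""
    return [i for i, (a, b) in enumerate(zip(expected, got)) if a != b]

def demo():
    key = bytes.fromhex("0badf00d")                      # constructed key theta
    pt = b"self-synchronizing stream cipher demo"        # constructed plaintext
    q_tx, q_rx = (0, 0, 0, 0), (0x11, 0x22, 0x33, 0x44)  # transmitter seed vs. a cold receiver
    ct = encrypt(key, pt, q_tx)
    res = {"roundtrip": decrypt(key, ct, q_tx) == pt}
    # (5): after N ciphertexts the state no longer depends on where it started
    res["memory"] = state_after(key, ct[:N], q_tx) == state_after(key, ct[:N], q_rx)
    # late join from an unrelated state: at most the first N symbols are wrong
    res["late_wrong"] = wrong_positions(pt, decrypt(key, ct, q_rx))
    # one flipped ciphertext byte: m_i wrong, then at most N more, then recovery
    i = 10
    tampered = bytearray(ct)
    tampered[i] ^= 0x01
    res["flip_wrong"] = wrong_positions(pt, decrypt(key, bytes(tampered), q_tx))
    # one deleted ciphertext byte: N symbols later the receiver is back in step
    dropped = ct[:i] + ct[i + 1:]
    res["drop_ok"] = decrypt(key, dropped, q_tx)[i + N:] == pt[i + 1 + N:]
    return res

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The bounded error burst after a flipped symbol is exactly the "incorrect decryption for a fixed number of next symbols" noted above; a defender should read it as a detection opportunity (a burst of garbage followed by clean plaintext is the signature of channel tampering), not as proof of integrity, since the cipher itself does not reject the modified symbol.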

Let us notice that the CFB mode can be rewritten into the form (4)-(5). The function $l_\theta$ is very simple since it merely reduces to a shift. The output function $h_\theta$ results from the composition of the block cipher (parametrized by its secret key $\theta$) and the filter function $h'$.

In Maurer's approach, the SSSC is based on a cryptographically secure state-transition function $g_\theta$ as well as on a cryptographically secure output function $h_\theta$. Consequently, the resulting SSSC can be secure unless both functions are simultaneously insecure. That differs from the CFB mode, for which the security relies entirely on the security of the output function $h_\theta$ and so mostly on the block cipher function.

The second idea of Maurer's principle consists in increasing the complexity by combining several finite automata in serial or in parallel, or more generally by performing composition. As a result, many components that are relatively simple in terms of implementation complexity and memory size can be combined to form an SSSC realizing a very complicated function $\sigma^{ss}_\theta$ in the corresponding canonical representation (2). For a serial composition of multiple automata, the resulting memory size equals the sum of the memory sizes of the automata. For a parallel composition of multiple automata, the resulting memory size equals the largest memory size. When implemented in hardware, parallelization leads to very high achievable encryption speed. An example of architecture involving four automata is depicted in Fig. 3.

Fig. 3: Example of serial/parallel connection of four automata $\sigma^{ss1}_\theta, \ldots, \sigma^{ss4}_\theta$, each fed through a shift register of past ciphertexts $c_k$. The function $\tilde h$ combines the accessible automata outputs to deliver the keystream $z_k$, and $c_k = e(z_k, m_k)$.

Throughout the eSTREAM project, two fully specified algorithms have retained attention: SSS and Moustique. They are shortly described to illustrate how the general principle of Maurer is taken into account. As a matter of fact, only the first idea of Maurer, consisting in resorting to an automaton with finite input memory, has been adopted throughout these two examples. Indeed, as it turns out, the second idea is too general as is. These examples are also interesting in that they give us a better understanding of the way the dynamical systems are "shaped" to guarantee the self-synchronization property.

3.2(A). SSS

SSS is a software bit-oriented stream cipher which has been proposed in [Hawkes P et al., 2004]. The corresponding block diagram is depicted in Fig. 4. The following notations are necessary to describe SSS.

• $x >>> n$ denotes the rotation of the word $x$ by $n$ bits to the right

• $S_\theta(x) = \mathrm{SBOX}_\theta(x_H) \oplus x$, with $x_H$ the most significant byte of the word $x$, is the XOR operation between $x$ and the result of $\mathrm{SBOX}_\theta$, which is a combination of two S-boxes implementing nonlinear substitutions, called Skipjack S-box and Q-box, and parametrized by the secret key $\theta$

The keystream generator obeys (4). The dimension of the state vector $q_k$ equals $n = 17$, that is the number of shift registers. Each component $q^{(j)}_k$ assigned to a shift register obeys an independent dynamics $g^j_\theta$:

$$
\begin{cases}
q^{(16)}_{k+1} = c_k \\
q^{(j)}_{k+1} = q^{(j+1)}_k \quad (j = 0, 2, \ldots, 11, 13, 15) \\
q^{(14)}_{k+1} = q^{(15)}_k + S_\theta(c_k >>> 8) \\
q^{(12)}_{k+1} = S_\theta(q^{(13)}_k) \\
q^{(1)}_{k+1} = q^{(2)}_k >>> 8
\end{cases} \qquad (6)
$$

The initial state of the shift register number 16 fulfills $q^{(16)}_1 = c_0$. Furthermore, insofar as the state $q^{(j)}_{k+1}$ ($j = 1, \ldots, 16$) at time $k+1$ depends on the state $q^{(j+1)}_k$ at time $k$, after 16 iterations the internal state $q_k$ depends exclusively on the 16 past ciphertexts $c_{k-i}$. Hence for all $k \ge 16$ there exists a function $l_\theta$ fulfilling

$$
q_k = l_\theta(c_{k-16}, \ldots, c_{k-1}) \qquad (7)
$$

The output function $h_\theta$ delivering the keystream $z_k$ is defined as:

$$
z_k = h_\theta(q_k) = A_\theta >>> 8 \oplus q^{(0)}_k \qquad (8)
$$

with $A_\theta = S_\theta\big(S_\theta(q^{(0)}_k + q^{(16)}_k) + q^{(1)}_k + q^{(6)}_k + q^{(13)}_k\big)$.

Finally, combining the equations (8) and (7), the keystream generator can be equivalently rewritten in the SSSC canonical form (2):

$$
z_k = h_\theta(l_\theta(c_{k-16}, \ldots, c_{k-1})) = \sigma^{ss}_\theta(c_{k-16}, \ldots, c_{k-1}) \qquad (9)
$$

and guarantees the self-synchronization property. The encryption function $e$ and decryption function $d$ follow the classical rules described in Subsection 2.2, where $\oplus$ is viewed in this case as a componentwise addition over the 2-element field.

Fig. 4: Block diagram of SSS. The state transition $g_\theta$ acts on the shift registers $q^{(16)}_k, q^{(15)}_k, q^{(14)}_k, q^{(13)}_k, q^{(12)}_k, \ldots, q^{(6)}_k, \ldots, q^{(1)}_k, q^{(0)}_k$ fed by $c_k$; the output function $h_\theta$ delivers $z_k$ and $c_k = e(z_k, m_k)$.

3.2(B). Moustique

Another interesting SSSC, called Moustique, which follows the second idea in Maurer's approach, has been proposed in [Daemen, J. & Kitsos, P., 2005]. It is a revisited version of two former algorithms called Mosquito and Knot. Unlike SSS, it is a hardware bit-oriented algorithm. Furthermore, although the structure still relies on the automaton (4), which must have a finite memory, a different "shape" for the state transition function $g_\theta$ is provided to guarantee the self-synchronizing property. Moreover, the output function is designed through the concept of pipelining. Those two facts are made explicit below.

For Moustique, the dimension of the state vector $q_k$ in (4) equals $n = 96$.

As far as the state transition function $g_\theta$ is concerned, each component $q^{(j)}_k$ obeys a dynamics $g^j_\theta$ in the form:

$$
q^{(j)}_{k+1} = g^j_\theta\big(q^{(j-1)}_k, q^{(j-2)}_k, \ldots, q^{(1)}_k, c_k\big), \quad j = 1, \ldots, n \qquad (10)
$$

The $j$-th component of $q_{k+1}$ no longer depends exclusively on one component of $q_k$ (as it does for SSS), but actually on several components of $q_k$, namely $q^{(l)}_k$ with $l < j$. The function $g_\theta$ has a "triangular" form and ensures that $q_k$ is independent of the initial condition $q_0$ after $n$ iterations. Similarly to SSS, there exists thereby a function $l_\theta$ which enables (10) to be rewritten in a strictly equivalent way for $k \ge n$, depending exclusively on a finite number of past ciphertexts $c_{k-i}$:

$$
q_k = l_\theta(c_{k-n}, \ldots, c_{k-1}) \qquad (11)
$$

Besides, unlike SSS, the output function is pipelined (see Fig. 5). The keystream is computed in a sequential way and the computation involves $b_s = 9$ successive stages. Each stage corresponds to a specific function $s_i$ ($i = 0, \ldots, b_s - 1$) depending on the result of the previous stage. For the function $s_0$ one has $s_0(q_k) = q_k$. The output function is made up

of a composition of $b_s$ functions. The keystream is computed from the state $q_k$ but is delivered at time $k + b_s$:

$$
z_{k+b_s} = s_8(s_7(\ldots(s_0(q_k)))) = h(q_k) \qquad (12)
$$

Combining (11) and (12) gives $\sigma^{ss}_\theta$:

$$
z_{k+b_s} = h(l_\theta(c_{k-n}, \ldots, c_{k-1})) = \sigma^{ss}_\theta(c_{k-n}, \ldots, c_{k-1}) \qquad (13)
$$

It is a simple matter to see that the keystream generator can again be equivalently rewritten in the SSSC canonical form (2), and self-synchronization is guaranteed.

The pipeline is interesting in that it enables to increase the complexity of the output function while a single clock cycle is still needed to deliver the running key. Indeed, the computation of each function $s_i$ is parallelized. That induces a delay $b_s$ between the plaintext and the corresponding ciphertext. Let us notice that none of the functions $s_i$ depend on the secret key $\theta$. Actually, the output function $h_\theta$ in (4) should be rewritten as a non-parametrized function $h$. Similarly to SSS, the encryption function $e$ and decryption function $d$ follow the classical rules described in Subsection 2.2.

Fig. 5: Block diagram of Moustique. The past ciphertexts $c_{k-n}, \ldots, c_{k-1}$ required to encipher one plaintext enter $l_\theta$, whose state $q_k$ enters stage 0 of the pipelined output function $h$, which delivers $z_{k+b_s}$ and $c_{k+b_s} = e(z_{k+b_s}, m_k)$. The functions $s_i$ deliver a quantity of decreasing size: from 128 bits for stage 0 (stage 1: 53 bits, stage 7: 3 bits) to a single bit for the last stage 8.

3.3. Message embedding

The message-embedded technique is derived from cryptosystems which were first proposed for "chaos-based" private communications. It is given different names in the literature: direct chaotic modulation [Hasler, M., 1998], embedding [Lian K-Y. & Liu P., 2000][Millérioux, G. & Daafouz, J., 2004], non-autonomous modulation [Yang, T., 2004]. Different structures very similar to the message-embedding have also been proposed in [Yang, T. et al., 1997] or [Parker, A. T. & Short, K. M., 2001]. Very recently, a general framework based on concepts borrowed from control theory, which allows to derive a self-synchronizing cryptosystem from the message-embedded structure, has been provided in [Millérioux G. et al., 2008b]. This Subsection aims at recalling the approach.

The equations governing a message-embedded cryptosystem are given by the dynamical system:

$$
\begin{cases}
x_{k+1} = f_\theta(x_k, m_k) \\
y_k = h_\theta(x_k, m_k)
\end{cases} \qquad (14)
$$

Such a dynamical system is described by the 5-tuple $(A, B, X, f_\theta, h_\theta)$ where

• $A$ is the input alphabet, which is the finite set of input symbols $m_k$

• $B = A$ is the output alphabet, which is the finite set of output symbols $y_k$

• $X$ is the finite set of internal states $x_k$, also called state vectors

• $f_\theta : X \times A \to X$ is the (next) state transition function

• $h_\theta : X \times A \to B$ is the output function.

The ciphering consists of injecting (or, as it is also usually said, embedding) the plaintext $m_k \in A$ (the input of the dynamical system) into a dynamics $f_\theta$. The resulting system turns into a non-autonomous one since the information to be encrypted acts as an exogenous input. The ciphertext $y_k \in A$ of the dynamical system is worked out through an output function $h_\theta$ of the plaintext $m_k$ and the

internal state $x_k \in X$. $\theta$ parametrizes the dynamical and output functions and acts as the secret key.

Under special conditions, (14) can be rewritten into the form (2) and is thereby structurally equivalent to a self-synchronizing stream cipher. The correspondence is based on usual concepts of control theory. The basic background is recalled below. We first define the so-called iterated functions associated respectively to $f_\theta$ and $h_\theta$.

Definition 3.1. The $i$-order iterated next-state function $f^{(i)}_\theta : X \times A^i \to X$ describes the way the internal state $x_{k+i} \in X$ of (14) at time $k+i$ depends on the state $x_k \in X$ and on the sequence of $i$ input symbols $m_k \cdots m_{k+i-1} \in A^i$. It is defined for $i \ge 1$ and recursively obeys, for $k \ge 0$,

$$
\begin{cases}
f^{(1)}_\theta(x_k, m_k) = f_\theta(x_k, m_k), \\
f^{(i+1)}_\theta(x_k, m_k \cdots m_{k+i}) = f_\theta\big(f^{(i)}_\theta(x_k, m_k \cdots m_{k+i-1}), m_{k+i}\big) \quad \text{for } i \ge 1
\end{cases}
$$

Definition 3.2. The $i$-order iterated output function $h^{(i)}_\theta : X \times A^{i+1} \to A$ describes the way the output $y_{k+i}$ of (14) at time $k+i$ depends on the state $x_k \in X$ and on the sequence of $i+1$ input symbols $m_k \cdots m_{k+i} \in A^{i+1}$. It is defined for $i \ge 0$ and recursively obeys, for $k \ge 0$,

$$
\begin{cases}
h^{(0)}_\theta(x_k, m_k) = h_\theta(x_k, m_k), \\
h^{(i)}_\theta(x_k, m_k \cdots m_{k+i}) = h_\theta\big(f^{(i)}_\theta(x_k, m_k \cdots m_{k+i-1}), m_{k+i}\big) \quad \text{for } i \ge 1
\end{cases}
$$

Then we recall, throughout the three following definitions, properties of dynamical systems which are central to our purpose.

Definition 3.3. The relative degree of the dynamical system (14) is the quantity denoted $r$ with

• $r = 0$ if $\exists x_k \in X$, $\exists m_k, m'_k \in A$ with $h_\theta(x_k, m_k) \ne h_\theta(x_k, m'_k)$. In other words, there exists a state $x_k \in X$ and two distinct input symbols $m_k, m'_k \in A$ that lead to different values of the output,

• $r > 0$ if, for $0 < i < r$, $\forall x_k \in X$, $\forall m_k \cdots m_{k+i}, m'_k \cdots m'_{k+i} \in A^{i+1}$ one has $h^{(i)}_\theta(x_k, m_k \cdots m_{k+i}) = h^{(i)}_\theta(x_k, m'_k \cdots m'_{k+i})$, and for $i = r$, $\exists x_k \in X$, $\exists m_k \cdots m_{k+i}, m'_k \cdots m'_{k+i} \in A^{i+1}$ with $h^{(r)}_\theta(x_k, m_k \cdots m_{k+r}) \ne h^{(r)}_\theta(x_k, m'_k \cdots m'_{k+r})$.

In other words, for $i < r$, the iterated output function $h^{(i)}_\theta$ only depends on $x_k$, while for $i \ge r$ it depends both on $x_k$ and on the sequence of $i - r + 1$ input symbols $m_k \cdots m_{k+i-r}$. In particular, for $i = r$, the iterated output function depends both on $m_k$ and on $x_k$, that is, there exists a state $x_k \in X$ and two distinct input symbols $m_k \in A$ and $m'_k \in A$ that lead to different values of the output, for any sequence $m_{k+1} \cdots m_{k+r}$ of input symbols.

Roughly speaking, the relative degree of the dynamical system (14) is the minimum number of iterations such that the output at time $k+r$ is influenced by the input at time $k$.

Consequently, for $r > 0$, the $r$-order output function $h^{(r)}_\theta$ may be considered as a function on $X \times A$, and thus one has for $r \ge 0$:

$$
y_{k+r} = h^{(r)}_\theta(x_k, m_k) \qquad (15)
$$

Definition 3.4. The dynamical system (14) is left invertible if for any internal state $x_k \in X$, the map

$$
h_{x_k} : A \to A, \quad m_k \mapsto h^{(r)}_\theta(x_k, m_k)
$$

is a permutation, where $r \ge 0$ is the relative degree of (14).

The left invertibility property means that the input $m_k$ is uniquely determined by the knowledge of the state $x_k$ and the output $y_{k+r}$. The output function $h^{(r)}_\theta$ may be considered as a family of permutations on $A$, indexed by the set $X$ of the internal states, or at least by a subset.
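Definitions 3.1 to 3.4 are decidable by exhaustive search when $X$ and $A$ are finite. As an added example (not code from the paper or from [Millérioux G. et al., 2008b]), the following Python computes the relative degree $r$ and checks left invertibility on a small constructed system of the form (14) over $A = \{0, 1\}$ with $X = \{0,1\}^3$, and then uses the resulting correspondence to recover the plaintext from the output sequence alone. The functions `phi`, `f_theta`, `h_theta` and the sample state and plaintext are constructed for this illustration; the flatness relation hard-coded in `recover_plaintext` is specific to this toy and is assumed, not derived by the program.

```python
"""Brute-force check of Definitions 3.1-3.4 on a small constructed
message-embedded system (14) over A = {0,1}, and plaintext recovery from the
output sequence alone.  Toy system built for this illustration only."""
from itertools import product

A = (0, 1)                      # input/output alphabet
N = 3                           # state dimension: X = {0,1}^N
X = list(product(A, repeat=N))  # the finite state set

def phi(x):
    """Constructed nonlinear function of the state (plays the keystream role)."""
    return x[0] ^ (x[1] & x[2]) ^ x[2]

def f_theta(x, m):
    """Next-state function of (14): shift the state, push m_k XOR phi(x_k)."""
    return (x[1], x[2], m ^ phi(x))

def h_theta(x, m):
    """Output function of (14): the oldest stored bit leaves the register, so
    the input m_k does not appear in y_k immediately (relative degree > 0)."""
    return x[0]

def f_iter(x, ms):
    """f^(i)_theta of Definition 3.1: iterate f over the word m_k ... m_{k+i-1}."""
    for m in ms:
        x = f_theta(x, m)
    return x

def h_iter(x, ms):
    """h^(i)_theta of Definition 3.2: y_{k+i} from x_k and m_k ... m_{k+i}."""
    return h_theta(f_iter(x, ms[:-1]), ms[-1])

def relative_degree(max_i=16):
    """Definition 3.3 by exhaustive search: the smallest i for which some state
    and two input words of length i+1 give different outputs y_{k+i}."""
    for i in range(max_i + 1):
        for x in X:
            if len({h_iter(x, ms) for ms in product(A, repeat=i + 1)}) > 1:
                return i
    return None

def is_left_invertible(r):
    """Definition 3.4: for every state, m_k -> h^(r)_theta(x_k, m_k) must be a
    permutation of A.  Also verifies the claim behind (15): h^(r) does not
    depend on the later inputs m_{k+1} ... m_{k+r}."""
    for x in X:
        table = {w: tuple(h_iter(x, (m,) + w) for m in A)
                 for w in product(A, repeat=r)}
        if len(set(table.values())) != 1:     # depends on the padding word
            return False
        if sorted(next(iter(table.values()))) != sorted(A):
            return False
    return True

def embed_encrypt(x0, ms):
    """Transmitter side of (14) run on a plaintext, padded with r zero symbols
    so that the last output influenced by the message is emitted."""
    r = relative_degree()
    x, ys = x0, []
    for m in list(ms) + [0] * r:
        ys.append(h_theta(x, m))
        x = f_theta(x, m)
    return ys

def recover_plaintext(ys):
    """Receiver side using only the ciphertext.  For this toy the output is
    flat: x_k = (y_k, y_{k+1}, y_{k+2}) (the function F of Section 3.3), and
    left invertibility gives m_k = y_{k+3} XOR phi(x_k) (the function G).
    No initial state is needed, which is the self-synchronizing property."""
    r = relative_degree()
    return [ys[k + r] ^ phi(tuple(ys[k:k + N])) for k in range(len(ys) - r)]

if __name__ == "__main__":
    r = relative_degree()
    print("relative degree r =", r, "| left invertible:", is_left_invertible(r))
    ys = embed_encrypt((1, 0, 1), [1, 0, 1, 1])      # constructed state and plaintext
    print("outputs:", ys, "| recovered:", recover_plaintext(ys))
```

Running it reports $r = 3$: the input at time $k$ first shows up in $y_{k+3}$, so the ciphertext corresponding to $m_k$ is $y_{k+3}$, matching the correspondence $c_{k+r} \leftrightarrow y_{k+r}$ used in Section 3.3. The exhaustive search generalizes to any finite system (14), while the hard-coded $F$ and $G$ do not.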

Definition 3.5. An output for (14) is said to be flat if all system variables of (14) can be expressed as a function of $y_k$ and a finite number of its forward/backward iterates. In particular, there exist two functions $F$ and $G$ and integers $t_1 < t_2$ and $t'_1 < t'_2$

• it is flat with flat output $y_k$ and a flatness characteristic number $t_2 - t_1 + 1$ (H3)

then it is equivalent, from a structural point of view, to the transmitter part of a self-synchronizing stream cipher of the form (2) with the correspondences (denoted below for short by the symbol ↔):

• a keystream generator (also named ciphering function) $\sigma_\theta^{ss} \leftrightarrow F$
• a running key $z_k \leftrightarrow x_k$
• a ciphertext $c_{k+r}$ corresponding to the plaintext $m_k \leftrightarrow y_{k+r}$
• a ciphering function $e \leftrightarrow h_\theta^{(r)}$

This is the direct consequence of the assumptions H1–H3 since, if they are fulfilled, Equations (15) and (16) hold, and identification of (15) and the first equation of (16) with the respective equations of (2) gives the correspondence. Let us point out that H2 is a necessary condition for H3.

Based on the previous result, the state (and so the running key) reads:

$$
x_k = F(y_{k+t_1}, \cdots, y_{k+t_2}) \qquad (17)
$$

This expression of $x_k$ guarantees the self-

Fig. 6: Self-synchronizing Message Embedded Stream Cipher (block diagram: $m_k \to h_\theta^{(r)}(x_k, m_k) \to y_{k+r}$, with $x_k$ produced by $F$ from the output).

To conclude this Section, the properties of invertibility and flatness, borrowed from control theory, define a general and flexible framework for the design of SSSC.

4. Issues

In this Section, some perspectives regarding the design, the validation and the implementation of SSSC are discussed.

4.1. Hybrid dynamical systems as a relevant class of ciphers

For obvious reasons, the aim is always to provide ciphers having high speed and low hardware or software complexity. To this end, one must think about suitable classes of dynamical systems which

benefit from an ease of design without degrading their complexity regarding security. A general idea has been proposed in the literature from this perspective: mixing algebraic domains. For example, in [Lai, X. & Massey, J. M., 1991] the authors suggest a software/hardware oriented block cipher (called IDEA) which mixes three operations with distinct algebraic domains: xor, modulo $2^{16}$ addition and modulo $2^{16}+1$ multiplication. Shamir suggests in [Klimov A. & Shamir A., 2004] to use primitives built from combinations of boolean and arithmetic operations. He defines the class of so-called T-functions, which contains arbitrary compositions of plus, minus, times, or, and, xor operations on n-bit words. That confers to ciphers resistance against pure algebraic or bit-oriented attacks such as linear and differential attacks. In other words, it sounds relevant to introduce heterogeneity in the ciphers.

Issues: In automatic control, hybrid systems are a typical class of dynamical systems involving heterogeneity. Indeed, they involve several algebraic models called modes which are switched in time according to a logical rule. Issues regarding hybrid systems in conjunction with the special context of cryptography, and more specifically self-synchronizing stream ciphering, have never been explored yet. That constitutes a very interesting and challenging problem. In particular, a major specificity must be taken into account. In usual control theory, the variables are assumed to take values in a continuum (often $\mathbb{R}^n$ or a subset of $\mathbb{R}^n$) since they are related to physical quantities. In the cryptographic context, variables take values in sets of finite cardinality (e.g. finite fields like $\mathbb{Z}/p\mathbb{Z}$ or $\mathbb{F}_{2^n}$). As a result, many control-theoretical concepts involved especially in the message embedding approach must definitely be revisited. A first study has been addressed in [Millérioux, G. et al., 2008a] with a special class of hybrid systems, namely the piecewise linear systems.

Other dynamical systems, in particular chaotic ones, with the interesting properties of confusion and diffusion, are defined with polynomial or rational next-state functions in (14). It would be interesting to investigate properties of the resulting dynamics after having transposed the equations over finite fields. Previous substantial works ([Fridrich, J., 1998], [Schmitz, R., 2001] or [Szczepanski, J. et al., 2005], [Kocarev, L. et al., 2006]) have already been conducted in the same spirit to design permutations through discretization of chaotic maps. These studies could be considered as a good guideline in the context under consideration here.

4.2.

An essential issue for the validation of cryptosystems is cryptanalysis, that is, the study of attacks against cryptographic schemes in order to reveal their possible weaknesses. The consideration, in the design, of the possible attacks and their complexity dictates the way the secret key involved in (14) must be defined. Let us review some cryptanalysis approaches which appear to be relevant in the context of the message-embedded approach and highlight the corresponding issues to be addressed.

1. Algebraic attacks

It is worthwhile pointing out that the design of a cryptographic scheme must take into account that the sets $A$, $B$, $K$ and the pair $(e, d)$ are known. Only the pair $(k_e, k_d)$ can be assumed to be secret in symmetric-key cryptography. This is a fundamental premise in cryptanalysis, first stated by A. Kerckhoffs in 1883. Based on this principle, the algebraic attack has been suggested by Shannon and has recently been widely studied with some success on certain classes of synchronous stream ciphers. Its principle relies on the algebraic model of the cipher. The objective of an algebraic attack is to find a set of algebraic equations which can be solved efficiently. An efficient algebraic attack is one for which the complexity is below the complexity of an exhaustive search. One of the main tools for that purpose is the elimination technique, in particular based on the use of Gröbner bases. In general, the eavesdropper is assumed to control the input of the cipher or the decipher and is able to collect and to analyze plaintext/ciphertext pairs to generate the equations and perform a so-called chosen plaintext or ciphertext algebraic attack. The security with respect to algebraic attacks is directly related to the complexity of the parameter (secret key) recovering task.

Issues: The parameter recovering task in automatic control is nothing but identification. This being the case, the security is related to the complexity of the identification procedure required for retrieving the secret parameter $\theta$ of the dynamical system (14), which is expected to act as the secret key. An identification procedure has been provided for switched linear self-synchronizing primitives in [Vo Tan, P. et al., 2010]. As it turns out, neither bit-oriented algebraic attacks nor classical identification procedures apply if heterogeneity in the form of more general hybrid systems is considered. This issue thereby deserves new approaches and tools.

2. Other attacks

Ciphering function reconstruction

The core of an SSSC is the ciphering function $F$. Its complexity can be assessed through the "distance" from a given function having low algebraic degree. If the "distance" is not large enough, then there exist decoding algorithms that are able to reconstruct the whole low degree approximation of $F$ and thereby provide an estimation of the plaintext. Another way to reconstruct the ciphering function is to call for statistical learning, with artificial neural networks as an example of efficient tools. These approaches deserve deeper investigation for heterogeneous ciphering functions.

Distinguisher

It can be proved that an SSSC is secure as long as the ciphering function $F$ behaves like a random function. Indeed, in this case, the cryptanalyst has no information at all on the keystream $\{z_k\}$. As a result, a sufficient condition for an SSSC to be secure is that the adversary cannot distinguish the ciphering function from a random one. The existence of a distinguisher is a weakness in the ciphering function. Checking for efficient distinguishers of heterogeneous ciphering functions remains a challenging issue.

Linear attack

The linear attack is a known plaintext attack that belongs to the family of statistical attacks. It was first published by Matsui [1993] for cryptanalyzing the DES. A variant of this attack may be applied to SSSC. This attack recovers the secret key $\theta$. It is also based on linear approximations of the ciphering function $F$. For a prescribed linear approximation, several pairs of input/output data of $F$ are lumped together. They are accessible when a known plaintext attack is performed. The number of required known plaintexts depends on the quality of the linear approximation. This process is repeated with several other linear approximations. Then a simple linear algebra algorithm, possibly together with a remaining exhaustive search, retrieves the key $\theta$. This attack may be extended to non-linear approximations at the price of increasing the complexity of the key recovery. Assessing the complexity and the efficiency of such an attack for hybrid systems would be of great interest.

Side channel attacks

If the secret key is embedded in a device such as a smart card or an electronic component, an adversary who has temporary access to the device may try to recover the secret key through physical measurements such as time, power consumption, glitches and so on. These attacks are a modern topic of great interest at the moment. Cryptographic algorithms must be implemented with great care, either on hardware or software targets, to resist these attacks.

4.3. Statistical Self-Synchronizing Stream Ciphers

The actual synchronization delay of self-synchronizing stream ciphers is the number $M$ of symbols required for the receiver to recover the same internal state as the transmitter (see Eq. (2)). The canonical representation of SSSC assumes that the synchronization delay is bounded. This assumption limits the complexity of the ciphering function, as in this case it may be represented as a memoryless function. This requirement is not mandatory in practice, and it is acceptable that the synchronization delay is not a constant value, but may be a random variable with a probability law that decreases

to zero as time grows to infinity. Regarding cryptographic applications, it may be expected to bring in more complex dynamics. How to introduce randomness in the synchronization is a challenging issue. A solution has been suggested in [Burda, K., 2007] but deeper investigation and new alternative methods are really lacking. The tool to control the probability law of the synchronization delay remains to be developed. It may be based on spectral analysis, through the discrete Fourier transform of the iterated next-state function.

5. Conclusion

This paper aimed at surveying a special application of dynamical systems in the context of cryptography. We hope that this paper has highlighted the interest of self-synchronizing stream ciphers, a class not really addressed so far, and has opened a new field of investigation. The list of questions to be addressed is undoubtedly not exhaustive, but we hope that it will help any designer who would intend to provide new, really competitive SSSC.

References

Alvarez, G. & Li, S. [2006] "Some basic cryptographic requirements for chaos-based cryptosystems," Int. J. of Bifurcation and Chaos 16, 2129–2151.

Burda, K. [2007] "Resynchronization interval of self-synchronizing modes of block ciphers," Int. J. of Computer and Network Security 7, 8–13.

Carroll, T. L. & Pecora, L. M. [1991] "Synchronizing chaotic circuits," IEEE Trans. Circuits and Systems 38, 453–456.

Daemen, J., Govaerts, R. & Vandewalle, J. [1992] "On the design of high speed self-synchronizing stream ciphers," Proc. of the ICCS/ISITA'92 conference 1, 279–283.

Daemen, J. & Kitsos, P. [2005] "The self-synchronizing stream cipher Moustique," eSTREAM, ECRYPT Stream Cipher Project. Available online at http://www.ecrypt.eu.org/stream.

Devaney, R. L. [1989] An Introduction to Chaotic Dynamical Systems (Addison-Wesley, Redwood City, CA).

Diffie, W. & Hellman, M. [1976] "New directions in cryptography," IEEE Trans. on Information Theory 22, 644–654.

Fliess, M., Lévine, J., Martin, P. & Rouchon, P. [1995] "Flatness and defect of non-linear systems: introductory theory and examples," Int. Jour. of Control 61, 1327–1361.

Fridrich, J. [1998] "Symmetric ciphers based on two-dimensional chaotic maps," International Journal of Bifurcation and Chaos 8, 1259–1284.

Guillot, P. & Mesnager, S. [2005] "Nonlinearity and security of self-synchronizing stream ciphers," Proc. of the 2005 International Symposium on Nonlinear Theory and its Applications (NOLTA 2005), Bruges, Belgium, October.

Hasler, M. [1998] "Synchronization of chaotic systems and transmission of information," International Journal of Bifurcation and Chaos 8, 647–659.

Hawkes, P., Paddon, M., Rose, G. G. & Miriam, W. V. [2004] "Primitive specification for SSS," Technical report, eSTREAM Project. Available at http://www.ecrypt.eu.org/stream/ciphers/sss/sss.pdf.

Isidori, A. [1995] Nonlinear Control Systems (Communications and Control Engineering Series, Springer).

Klimov, A. & Shamir, A. [2004] "New cryptographic primitives based on multiword T-functions," Fast Software Encryption, Chapter 1 (Springer, Berlin / Heidelberg).

Knuth, D. E. [1998] The Art of Computer Programming, Vol. 2 (Addison-Wesley, Reading, MA).

Kocarev, L., Szczepanski, J., Amigó, J. M. & Tomovski, I. [2006] "Discrete chaos: part I," IEEE Trans. on Circuits and Systems I 53, 1300–1309.

Lai, X. & Massey, J. M. [1991] "A proposal for a new block encryption standard," Lecture Notes in Computer Science 473, Advances in Cryptology (EUROCRYPT'90), Aarhus, Denmark, Springer-Verlag, May.

Li, T.-Y. & Yorke, J. A. [1975] "Period three implies chaos," Amer. Math. Monthly 82, 985–992.

Lian, K.-Y. & Liu, P. [2000] "Synchronization with message embedded for generalized Lorenz chaotic circuits and its error analysis," IEEE Trans. Circuits Syst. I: Fundamental Theo. Appl. 47, 1418–1424.

Massey, J. L. [1992] Contemporary Cryptology: An Introduction (G. J. Simmons, ed., IEEE Press, New York).

Matsui, M. [1993] "Linear cryptanalysis method for DES cipher," Advances in Cryptology - EUROCRYPT'93, Lofthus, Norway, May.

Maurer, U. M. [1991] "New approaches to the design of self-synchronizing stream ciphers," Lecture Notes in Computer Science, Advances in Cryptology (EUROCRYPT'91), Brighton, UK, April.

Menezes, A. J., van Oorschot, P. C. & Vanstone, S. A. [1996] Handbook of Applied Cryptography (CRC Press).

Millérioux, G., Guillot, P., Amigó, J. M. & Daafouz, J. [2008] "Flat dynamical systems and self-synchronizing stream ciphers," In Proc. of the Fourth Workshop on Boolean Functions: Cryptography and Applications (BFCA'08), Copenhagen, Denmark, May.

Millérioux, G., Amigó, J. M. & Daafouz, J. [2008] "A connection between chaotic and conventional cryptography," IEEE Trans. on Circuits and Systems I: Regular Papers 55, 1695–1703.

Millérioux, G. & Daafouz, J. [2004] "Unknown input observers for message-embedded chaos synchronization of discrete-time systems," International Journal of Bifurcation and Chaos 14, 1357–1368.

National Bureau of Standards [1980] DES Modes of Operation, Technical report, Fed. Inform. Proc. Standards Publication 81, Nat. Inform. Service (Springfield, VA).

Ogorzalek, M. J. [1993] "Taming chaos - part I: synchronization," IEEE Trans. Circuits Syst. I: Fundamental Theo. Appl. 40, 693–699.

Parker, A. T. & Short, K. M. [2001] "Reconstructing the keystream from a chaotic encryption scheme," IEEE Trans. on Circ. and Syst. 48, 624–630.

Schmitz, R. [2001] "Use of chaotic dynamical systems in cryptography," Journal of the Franklin Institute 338, 429–441.

Sira-Ramirez, H. & Agrawal, S. K. [2004] Differentially Flat Systems (Marcel Dekker, New York).

Szczepanski, J., Amigó, J. M., Michalek, T. & Kocarev, L. [2005] "Cryptographically secure substitutions based on the approximation of mixing maps," IEEE Trans. Circuits and Systems I: Regular Papers 52, 443–453.

Vo Tan, P., Millérioux, G. & Daafouz, J. [2010] "Left invertibility, flatness and identifiability of switched linear dynamical systems: a framework for cryptographic applications," International Journal of Control 1, 145–153.

Yang, T. [2004] "A survey of chaotic secure communication systems," Int. J. of Computational Cognition (available at http://www.YangSky.com/yangijcc.htm).

Yang, T., Wu, C. W. & Chua, L. O. [1997] "Cryptography based on chaotic systems," IEEE Trans. Circuits Syst. I: Fundamental Theo. Appl. 44, 469–472.