Asymmetric Key Encryption Using Distributed Chaotic Nonlinear Dynamics

Home , Coupled map lattice

Proceedings of the lASTED International Conference COMMUNICATIONS, INTERNET, & INFORMATION TECHNOLOGY November 18-20, 2002, St. Thomas, US Virgin Islands

ASYMMETRIC KEY ENCRYPTION USING DISTRIBUTED CHAOTIC NONLINEAR DYNAMICS

Roy Tennyl,2, Lev S. Tsirnringl,Henry D.I.Abarbanell,3, Larry Larson2 1 Institute for Nonlinear Science, University of California, San Diego, La Jolla, CA 92093-0402 2 Dept. of Electrical and Computer Engineering, University of California, San Diego, La Jolla, CA 92093-0354 3 Department of Physics Department and Marine Physical Laboratory (Scripps Institution of Oceanography), University of California, San Diego, La Jolla, CA 92093-0402

ABSTRACT was introduced in 1978 and is currently the most widely In this paper we introduce a new method for public key used public key cryptosystem. Other methods for pub- encryption by using continuous nonlinear dynamics. We lic key encryption that are based on discrete number the- distribute a high-dimensional dissipative nonlinear dynam- ory are: Elliptic curves [2], EIGamal discrete logarithm ical system between transmitter and receiver, so we call problem based crypt~system [3], McElliece Coding theory the method: Distributed Dynamics Encryption (DDE). One based system [4], and Chor-Rivest knapsack based system part is a transmitter with public dynamics and the other part [5]. is a receiver with secret dynamics. The transmitter and re- During the last decade a new class of secret (symmetric) ceiver are coupled using bi-directional signals that are pub- key encryption schemes using chaotic non linear dynam- lic. A message is encoded by modulating the dynamics of ics was developed. Most of the proposed schemes are the transmitter which results in a shift in the position of the based on the following methods: chaos synchronization system's attractor. An unauthorized receiver who does not ([6],[7],[8], [9]), controlling chaos ([10],[11]) chaotic shift know the secret dynamics of the receiver does not know keying [12]. Unlike classical encryption schemes, chaotic the position of the attractor and can not decode the mes- dynamics encryption schemes have a continuous state and sage. We show that the security of DDE can be enhanced either continuous or discrete time represented by differen- by modulating the secret dynamics of the receiver and initial equations or discrete maps ([13] [14] [15]). Crypt- tializing the transmitter state with a random value at the analysis of such methods is discussed in ([16] [17] [18]). beginning of each transmitted bit. We implemented and Encryption schemes are usually embedded in a commu- cryptanalyzed DDE using the dynamics of a coupled map nication system that transfer data through a channel and lattice. therefore not only the security level should be considered but also communication efficiency aspects such as power KEY WORDS efficiency, bandwidth efficiency and spectral shape: Effi- Nonlinear dynamics, Chaos, Public Key Encryption, Cou- cient modulation schemes such as Chaotic Pulse Position pled Map Lattice Modulation (CPPM) [19] and chaotic Frequency Modu- lation (CFM) [20] can be used to send the signals that couple between the transmitter and receiver in the pres- 1 Introduction ence of channel distortions. Transmission of chaotic signals through a bandlimited channel was studied in [21]. Encryption schemes for public key encryption and secret High speed secure communication by synchronization of key encryption have been thoroughly studied during the high-dimensional chaotic optical ring dynamics described past decades. In a secret (synlIDetric) key encryption in [22]. scheme, a secret key which is known only to the transmit- In this paper we introduce a new method for public key en- ter and the receiver is used to encrypt and decrypt a mes- cryption using a Distributed Dynamics Encryption scheme sage. In a public (asymmetric) key encryption a public key (DDE). In Section 2 we introduce DDE and overview the is used at the transmitter to encrypt a message. It is as- encryption and decryption algorithms. In Section 3 we dis- sumed that the public key is known to both an authorized cuss various cryptanalysis attacks on the system and sug- receiver and an unauthorized receiver. The message is de- gest methods to protect against those attacks. Simulation coded by a secret key which is different from the public key of DDE is described in Section 4. Summary and sugges- and is assumed to be known only by the authorized receiver. tions for future research are presented in Section 5. Decoding the message using the public key which was used to encrypt the message is made computationally infeasible. Classical cryptography is founded mainly on discrete number theory. The RSA public encryption scheme [1], named after it's inventors (R.L.Rivest, A.Shanrir and L.Adleman)

376-803 338 sr(n)

S,W

Signal

~ r(n+l) =FR (r(n),s, (n» t(n+l) =FT(t(n),sr (n),m) 5r(n) =GR (r(n» s, (n) =GT (t(n»

Receiver Transmitter Receiver Transmitter Data

Figure 1. Nonlinear dissipative dynamical system with an Figure 2. Distributed nonlinear dynamics.Private: attractor is split into two parts: Transmitter (public dynam- F R(. ),GR(. ),r(n). Public: FT(. ),GT(. ),sr(n),St(n). ics) and receiver (secret dynamics). Bi-directional signal Known only to transmitter: t(n),m. (public) is used to couple between transmitter and receiver.

with multi-dimensional coupling signals. 2 DDE General overview The structure of DDE is illustrated In Fig. 2. The receiver state r(n) = h(n),..., rDR(n)]hasdimension DR and is controlled by the map The principle of DDE is illustrated in Fig. 1. A nonlinear dissipative dynamical system is split into two parts: one r(n + 1) = FR(r(n),st(n)). (1) part is placed in a receiver and the other in a transmitter. The transmitter and receiver are coupled through a channel The receiver state r( n) and the receiver dynamics using bi-directional signal. F R(.) are kept secret (known only to the authorized re- The dynamical systemis represented by a state which ceiver) and serve as a part of the secret key. The scalar sig- is a complete set of system variables, and by the dynamics nal Sr(n) transmitted from the receiver to the transmitter is which specify the roles governing the transition from one defined as state to another (differential equations or maps). Data is transmitted by modulating one parameter of the transmitter (2) part and thereby shifting the attractor of the overall system. For simplicity we only consider binary information The signal sr(n) can be observed by both authorized signals, so the parameter switches between two possible and unauthorized receivers and is a part of the public key, values. The method relies on the assumption that the dis- however the function GR(.) is kept secret (known only to tributed dynamical system which is comprised of the trans- the authorized receiver) and is a part of the secret key. The mitter, receiver, and the coupling bidirectional signals, con- transmitterstate t(n) = [t1(n),..., tDT(n)}hasdimen-. verges to a single attractor for each value of the modulation sion DT and is given by parameter, independent of the initial conditions. Shifting chaotic attractors as a method of information transmission t(n + 1) = FT(t(n), sr(n), m(n)). (3) has been proposed by Dedieu et al [12] as a method for The transmitter state t(n) and the transmitted bit m(n) are symmetric (secret key) communication. Here we show that explicitly known only to the transmitter. Both authorized a similar principle can be used for the asymmetric (public and unauthorized receivers need to estimateboth quantities. key) encryption as well. The dynamics of the transmitter state, FT(.)' is known to The key idea is that the receiver has the full knowl- all and is a part of the public key. Data is sent by switch- edge of the dynamics and therefore knows the positions of ing the parameter m( n) at the transmitter which results in the attractors corresponding to the two values of the modu- a change in the position of the attractor of the dynamical lation parameter, soit can decode the message. Meanwhile, system. Without losing generality,in this paper we assume unauthorized recipients only know the transmitter part of binary transmission where the parameter m( n) can have the full dynamics, and the protocol of communication is values '0' or '1'. chosen in such a way that the attractor can not be recon- The scalar signal St(n) transmitted from the transmit- structed based on the transmitted signals. The attractor can ter to the receiver is given by take the form of a limit cycle, a high dimensional hyper- surface, or a chaotic attractor. The nonlinear dynamical (4) system is continuous in the state space and can be either continuous or discrete in time. The public key encryption Both the signal St(n) and the function GT (.) are known to scheme discussed in this Letter is discrete in time and the all and are a part of the public key. An authorized receiver coupling signals are scalars, however the concept can be who knows the full dynamics of the system can simulate applied to continuous time dynamical systems and systems the system off line and find the position of the attractors

339 sin) i ----- +

/' 1 random initial I state '1' attractor I I ,/ I I I Transmitter I 1 1 1_____-.

Figure 3. A trajectory in the reconstructed embedding Figure 4. Eavesdropper attempts to estimate message m phase space E starts at a random initial state and converges and hidden initial state of transmitter t (0) without knowing to one of two attractors that correspond to transmitted '0' secret dynamics and secret state of receiver. or' 1'.

that correspond to the transmission of '0' or ' 1'. Like an unauthorized receiver, the authorized receiver cannot ob- serve the transmitter state t (n) , so it has to replace the "missing" state variables by the time-delay embedding [23] "1" of the incoming signal s(n) = (St(n), ..., St(n- (d-l» in order to detect the attractor in the reconstructed phase space "0" e(n) = (r(n), s(n»). At the beginning of each transmitted bit the initial state of the transmitter, t (n = 0), is set to a random value, in order to make the reconstruction of the Figure 5. An unauthorized receiver attempts to reconstruct secret transmitter state by an unauthorized receiver more trajectories that correspond to transmitted '0' and transmit- difficult. The combined dynamical system is iterated long ted' l' by interpolating end points of trajectories that lie on enough to ensure that the system converges from the ran- the attractors. . dom initial state to one of the two attractors that correspond to the transmission of '0' or ' l' as illustrated in Fig.3. The transmitted bit is decoded by the authorized receiver by choosing the attractor that is closer to the converged end- ods that do not rely on knowledge of the receiver dynamics points of the trajectory. as illustrated in Fig.4 An unauthorized receiver does not know the secret dynamics of the receiver, and therefore the position of the 3.1 Plain text attack: Attractor reconstruc- attractors. So it is forced to use other decoding methods tion using trajectory ends that as will be illustrated below can be made computationally infeasible. As in all public key encryption schemes, the Attack: advantage of the authorized receiver over an unauthorized An eavesdropper can get a sample of a transmitted secret receiver is a computational advantage and not information theoretic one. message (plaintext) and the corresponding transmitted signals st(n), sr(n) (ciphertext) and may attempts to reconstruct the attractors that correspond to the transmission of 3 Cryptanalysis '0' and ' 1'. Although the trajectories for each transmitted bit starts at a random initial state, the trajectories endpoints In this section we discuss several cryptanalysis methods lie on the attractor. The attractors can be estimated by in- that can be used to attack the DDE and suggest methods terpolating the end points of the trajectories as ahown in to protect against those attacks. We focus our cryptanaly- Fig.S. sis on ciphertext attacks and plaintext attacks. A ciphertext Protection: attack is an attempt to break an encryption scheme by us- Altering the secret dynamics of the receiver will shift the ing only the cyphertext (In DDE -the coupling transmitted position of the attractors. Therefore an endpoint of a tra- signals St (n), Sr(n) ). In a plaintextattackanunauthorized jectory that lies on the attractor that corresponds to the receiver attempts to break an encryption scheme using a transmission of '0' for one receiver dynamics can lie on sample of both a ciphertext and the corresponding plain- the attractor that correspond to the transmission of ' l' for a text (In DDE - St(n), sr(n), m(n) ). Since an unauthorized different transmitter dynamics. Since the unauthorized re- receiver does not know the dynamics of the receiver he may ceiver can not assume that close trajectory endpoints will attempt to decode the secret message m( n) by using meth- always correspond to transmission of the same bit he can

340 not interpolate a set of endpoints and find the attractor position corresponding to the transmission of '0' or ' I '.

3.2 Cyphertext attack: Solving transmitter public dynamics equations for transmitter state and message -! Attack: An eavesdropper can monitor the receiver's public input and output signals (st(n), sr(n), and by using the public Figure 6. The space of the transmitter state ten) is larger dynamics FT( e), GT( e) solve the following set of equa- or at least equal to a cube of dimension DT and size LT' tions for the transmitted bit m( n) and Initial state t (0) : The transmitter continuous state is quantized into discrete cubes of dimension DT and size Lq.

= GT(t(O),m) St (1) St (2) St (3) St (T&,°t) t(l) = FT(t(O),Sr(O),m) (5) : f f f t---;

1 tNs ! = I ...... - I : ;: ;:;: ;: : GT(t(DT),m) I I t3 : t(DT + 1) = ,: - .. I FT (t(DT)' Sr(DT), m) : : , t2.~ .. . I Protection: :I tl. .. . ,: :, n=l n=2 n=3 t=T :I Use transmitterdynamicsFT(e) which dependson the ~ I powerof orderp of the transmitterstate componentsti: FT( e) = f ((ti)P), The term t(DTr) in Eq. (5) will have Figure 7. A Hidden Markov Model (HMM) is used to DT components of the form: [ti)(O)jP . By choosing large model the dynamics of the quantized transmitter state ten). transmitter state dimension DT Eq. (5) become computa- tionaIly unfeasible. For example, by choosing transmitter dynamicswhichis polynomialwithp = 4 anddimension the transmitter public dynamics FT( e) and the public sig- of transmitter state DT = 10 the term t(DT) in Eq. (5) . . 1 048 576 ' . WI11 depen d on the term (ti ) ' '. Furth er 10crease 10 nal Sr . The observation probability p (St (n) I ti) which DT and p will make solution of Eq. (5) unfeasible. is the probability of observing the signal St(n) transmitted from transmitter to receiver given the transmitter quantized state ti can be estimated using the transmitter public func- 3.3 Ciphertext attack: State quantization tion GT(e). The state transitionprobabilityp(ti ~ tj) and Maximum Likelihood estimation and the observation probability p(St(n) I ti) are used to Attack: construct a Hidden Markov Models (HMM) for the quan- An unauthorized receiver can quantize the continuous state tized dynamics of the receiver (Fig. 7). Two HMM mod- space of the transmitter ten), calculate a Hidden Markov els are constructed, one for each transmitter dynamics that Model (HMM) for the transmitter dynamics and obtain a correspond to the transmission of either '0' or 'I'. Once Maximum Likelihood (ML) estimation of the secret trans- the unauthorized receiver monitors a transmitted sequences mitter message men) and the initial transmitter state t(O). S;bit = (Sr(O), ..., Sr(Tbit)), Sibit = (St(O), ..., St(Tbit)) We assume that the space of the transmitter state ten) is he can use the HMMs to calculate the conditional proba- larger or at least equal to a cube of dimension DT and size bilities p(Sibit I m = 0) and p(Sibit I m = 1) which LT as illustrated in Fig. 6. This assumption can be guar- are the probabilities of observing the transmitted sequence anteed by initializing the transmitter state at the beginning sibit given the transmission of either '0' or' I'. The estima- of each transmitted bit with a random value t(O) which is tion of the transmitted bit mM L is the one that maximizes taken from a uniform distribution with the shape of a cube the likelihood of the observations: with dimension DT and size LT. The transmitter state m = max p sibit Im . (6) space t is quantized into Ns cubes ti, i = 1...Ns of dimen- mE(O,I) ( ) sion DT and size Lq. The transition probability p(ti ~ tj) which is the probability of transition from the quantized Protection: state ti to the quantized state tj can be estimated using The encryption scheme can be protected by forcing the

341 '1' altractor '1' altractor ,ei,curr(n), has uniform distribution: '" U _bL bL ei,curr(n) [ 2 ' 2 ] !d. (11) = 12 Var (ei,curr(n)) The dynamics of the transmitter remains nonlinear since Decision FT(.) is nonlinear. The quantization error components '0' aUractor Decision '0' aUraetO!' surface surface ei,curr(n), ej,curr(n) of state components ti(n), tj(n) are independent for i =I- j. The mean and covariance matrix of Figure 8. Left: Small noise, attractors can be separated. the quantization noise ecurr (n) are given by: Right: Larger noise, attractors overlap results in larger decoding error = 0 Mean (ecurr(n)) L 2 ... 12 0 0 eavesdropper to use an impractically large number of states . 0 for the HMM model. The number of cubes of size Lq that = are contained in a cube of size LT of dimension DT is Var (ecurr (n) ) given by : o DT LT o o !d. (7) 12 Ns = (Lq ) . (12) In order to simplify the analysis we choose GT (.) to be a We can make Ns large by choosing transmitter dynamics linear function of the state t (n) and the modulated data m with large state dimension DT and large cube size LT. By choosing attractors for transmission of '0' and ' l' that are = GT(t(n),Sr(n),m(n)) as close as possible we force the eavesdropper to use small = CT .t(n)+A.m (13) quantization size Lq. Large Lq will result in quantization where CT = w . [1,1,. ..,1] noise that will prevent separation between the two close We will now assume that an unauthorized receiver lmows attractors as shown if Fig. 8. We will now obtain an up- the quantized hidden state of the transmitter t(n) and the per bound for the the state quantization size Lq that corre- error he makes in estimating m is due to the quantization of sponds to a lower bound for the HMM states number Ns in t(n). This assumption will result in a lower bound for the Eq. (7). The use of quantized transmitter state t(n) instead message decoding error rate since in practice the unautho- of the accurate transmitter state t(n) results in quantization rized receiver does not lmowthe quantized transmitter state error e(n): t(n) and its estimation will result in additional error. Us- (8) e(n) = t(n) - t(n). ing Eq. (13) the unauthorized receiver can obtain an estima- The quantization error e( n) is comprised from two tion m( n) for the transmitted bit m using the observation components: St(n) while the quantized transmitter state t(n) is assumed to be lmown. Also, it is assumed that the transmitted signal e(n) = eprev(n) + ecurr(n), (9) St (n) is measured by the eavesdropper accurately without any noise: Where eprev(n) is the error in the current state t (n) caused by quantization of the transmitter state in previous = states t(n - 1),t(n - 2),. .. due to memoryof the dy- m(n) ~ St (n) - fz (t (n), m = 0)] . (14) namics. ecurr(n) is the error caused by quantization of the 1 T' = A [st(n) - C . t(n) ] current state t(n). eprev(n), ecurr(n) are independent and therefore uncorrelated. We obtain a lower bound for the Using Eq. (14) and Eq. (12) the mean and variance of the variance of the quantization error of transmitter state t (n) : estimator m( n) are given by: = m Mean = Var (eprev (n)) + V ar (ecurr (n) ) (m(n)) var( m(n)) = :b' CT. var( ecurr(n)) . C ;::: Var (ecurr (n) ) 2 L 2 (10) = ~. DT . .:n- (15) We now calculate var( ecurr(n)). The quantiza- The estimatorm(n) dependson the sum of DT random tion error of the i'th component of the transmitter state i.i.d. errorcomponentsei,curr(n)andby usingthe central

342 limit theorem we can estimate its probability density func- ...... ,.i., ..>' . tionas gaussian: -0.9-. . .~.. ..~.. "'>.. -1~...... ;.. . N"-1.1 . . .& ..,.. . :. ..." ...... ,'. ~ "';l-1.2.... '...... , . ....~..~ , ; -1.3~. m(n) (16) '. -1.4 1 ..~;~#:~~=:::.,.,l . ':.,:: -0.8

o -1.4 Assuming that each transmitted bit length is nit sam- s,ln-1 ] ples the unauthorized receiver can improve the decoding performance by averaging Tbit estimations of m(n): Figure 9. An enlargement of part of the O-attractor, in the reconstructed phase space, (St(n), St(n - 1), 8t(n - 2)) , 1 Tbit (17) m = Tbit n=lL m(n) 4 Simulation m distribution is given by: We simulated an experimental encryption scheme using the 2 w2 .DT . Lq dynamics of a coupled map lattice (CML). The receiver dy- (18) namics F R(.) is controlled by the map m rv Normal (m, 12. Tbit' A2 ) . = ai,i-l' rr-l (n) + ai,i . rr(n) A Maximum Likelihood (ML) estimation of the trans- . +ai,i+1 . rr+1 (n) + bi . s;(n) + Ci , mitted bit m (assuming that the quantized state t is known) i = 1,..,DR is: (23) and transmitter dynamics FT(.) by

= dj,j-l' tJ-l (n) + dj,j . t;(n) max P mIm mE{O,l} ( ) +dj,j+1 . t;H (n) + ej,j 'Itj(n)1 + h . s;(n) + gj = 0, if m:::; t (19) j = 1,..,DT { 1, if m > 2 (24) The ~ansmitted signal Sr (n) is given by The error rate ,Pu>encountered by an unauthorized receiver is given by: DR 8r(n) = L hi, rr(n) (25) (20) i=l and St (n) is given by where Q(x) = vkJ~ooe-4dz . The quantization size Dtr Lq must be smaller than an upper bound L;;,ax in order to st(n) = w. L Itj(n)I+ A. m . (26) maintain classification error rate below a level Pu: j=l

We used DT = 12, DR = 2 and chose the parameters a, b,c, d, e, f, g, h, q and A, such that the system attractors are chaotic for both m = 0,1. All detailsof our simulation may be found in [24]. During the transmission of The lower bound for the number of states Ns is obtain by each bit we allowed the system to converge to its attrac- substituting Eq. (21) into Eq. (7): tor (Fig. 9) for a period of nit = 50 iterations. The bit was decoded using the last 10 endpoints of the converging trajectory (Fig. 3). The decoding Bit Error Rate (BER) Pa encountered by the authorized receiver, depends on the modulation parameter A in Eq. (26) which determines the separation be- In Section 4 we will show that the number of states tween the attractors that correspond to the transmission of Ns can be made large enough to make decoding using '0' and '1'. Larger A results in lower Pa, as shown in Fig. quantization of transmitter state computationally unfeasi- 10. The Bit Error Rate encountered by the authorized re- ble. Large Ns can be achieved by choosing small modula- ceiver was obtained by simulating the experimental encryption parameter A and large transmitter dimension DT. tion scheme for each value of A. Larger A results in larger

343 -0.6 18.5-.

-0.8~. 18 -1 17.5 cr-1.2 'U;" UJ :z a> <5"-1.4 ~ 17

:§' -1.6 j 16.6 -1.8 16 -2

15.6 -2.8.6 1.5 2.6 3 -5.5 A X 10-3 log10(V)

Figure 10. Authorized receiver Bit Error Rate versus mod- Figure 11. Unauthorized receiver Viterbi states number Ns versus transmitter noise variance V ulation parameter A.

be found by simulating the dynamical system and message. separation between the attractorsand therefore in smaller An authorized receiver can decode a message based on the decoding error rate Pa. However, from Eq. (7) larger sep- positions of the attractors that correspond to the transmis- aration between the attractorswill resultin smaller Ns (or sion of '0' and' 1'. An unauthorized receiver does not know lower error rate ,Pu, encountered by the unauthorized re- the full dynamics, can not simulate the system and does not ceiver) and reduce the security of the encryption scheme. know the position of the attractors. He is forced to use de- The choice of A is determined by two contradicting re- . codingmethods that can be made computationally unfeasi- quirements: A should be as small as possible to ensure the ble. The security of the encryption scheme can be provided largest possible number of states required by the unautho- by taking the following steps: rized receiver, however it should be kept large enough in order to ensure a low decoding error rate encountered by . Use high dimension DT for transmitter state ten). the authorized receiver. We used the smallest A that was . Start each transmitted bit with random initial state large enough to ensure decoding error rate encountered by the authorized receiver Pa :::;0.01. We calculate Ns using t(O). Eq. (7), requiring Pu :::;0.2, and obtained Ns ~ 1016. . Change secret dynamics of receiver frequently. Implementation of DDE transmitter using analog electrical or optical hardware will add noise to the dynam- . Choose attractors for transmitted '0' and ' l' that are ics of the transmitter and blur the separation between the as close as possible. attractors that correspond to transmission of '0' and 'I'. We simulated an implementation of DDE using discrete Therefore, in the presence of noise larger A will be required time maps. States were represented using double precision in order to increase the separation between the attractors numbers. The bidirectional signals that couple the trans- and maintain low decoding error Pa encountered by the authorized receiver. However, from Eq. (7) larger.A allows mitter and receiver through the transmission channel were the unauthorized receiver to use lower number of states Ns scalars. However DDE can be defined by continuous time differential equations and implemented using analog hard- which implies lower security. We simulated component ac- ware. The bidirectional signals that couple between the curacy by adding zero mean gaussian noise with variance transmitter and receiver are not limited to scalars and can be V to each transmitter state component ti. We calculate Ns, requiring Pu :::;0.2 and Pa :::;0.01. From (Fig.1 I). itis vectors of higher dimension. A promising future direction for DDE may be implementation using dynamics of very evident that the use of more accurate analog components at high dimension. High dimensional Coupled Map Lattices the transmitterresultsin higher security(largerNs)' (CML) which contains hundreds or even thousands of cells have been studied in [25]. Concepts from Coupled Map 5 Discussion Lattice theory can be used to develop encryption schemes with very large state dimension and very high level of secu- In this paper we introduced a new scheme for public key rity (probably at the expense of bitrate). Such implemen- encryption using a distributed nonlinear dynamical system. tations may be appealingfor applications which requires The encryption scheme is based on splitting a nonlinear dy- very high level of security, yet transmission bandwidth and namical system intotwo parts:A transmitterwith public power efficiency are not crucial factors. dynamics and a receiverwith secret dynamics. The trans- Finally, it is possible that the specific implementation we mitter and receiver are coupled using bidirectional signals used in this paper can be broken as it happened to many that are public. A message bit is encoded by modulating other encryption schemes. However, we believe that the the dynamics of the transmitter which in return changes the general concept proposed in this paper is robust, and it is position of the dynamical system attractor. The position likely that a large set of dynamical systems that are robust of the attractors corresponding to transmitted '0' or ' l' can to system-specific attacks, exists.

344 Acknowledgement [13] Ljupyco Kocarev and Goce Jakimoski. Logistic map This work was partially supported by the Army Research as a block encryption algorithm. Physics Lett. A, Office under MURI grant DAAG55-98-1-0269,by the U.S. 289:199-206,2001. Department of Energy, Office of Basic Energy Sciences, [14] Chai Wah Tao Yang and Leon O.Chua. Cryptogra- Division of Engineering and Geosciences, under Grants No. DE-FG03-90ERI4138, No. DE-FG03-95ERI4516, phy based on chaotic systems. IEEE Transactions on and No. DE-FG03-96ER14592, by a grant from the Na- Circuits and systems-I:Fundamental theory and ap- tional Science Foundation, NSF PHy0097134, and by a plications,44:469-472,1997. grant from the Office of Naval Research, NOOOI4-00-1- [15] Kristina kelber Marco Gatz and Wolfgang Schwarz. 0181. Discrete-time chaotic encryption sytems part 1: Sta- tistical design approach. IEEE Transactions on Cir- References cuits and systems-I:Fundamental theory and applications, 44 No.10:963-970, 1997. [1] AShamir RL.Rivest and L.Adleman. A method for [16] Lin-Bao YangTao Yang and Chun-Mei Yang. Break- obtaining digital signatures and public-key cryptosys- terns. Comm. ACM, 21:120-126, 1978. ing chaotic secure communication using a spectro- gram. Physics Lett. A, 247:105-111,1998. [2] V.S.Miller.Use of elliptic curves in cryptography.Ad- [17] Lin-Bao YangTao Yang and Chun-Mei Yang. Break- vances in Cryptology, Crypto 85:417-426,1978. ing chaotic switching using generalized synchroniza- [3] T. ElGamal. A public-key cryptosystem and a signa- tion: Examples. IEEE Transactions on Circuits and ture scheme based on discrete logarithms. Advances systems-I:Fundamental theory and applications, 45 in Cryptology: Proc. ofCrypto 84,196:10-18,1985. No.10:1062-1067, 1998. [4] McEliece. A public-key cryptosystem based on al- [18] Lin-Bao YangTao Yang and Chun-Mei Yang. Crypt- gebric coding theory. JPL DSN Progress report, 42- analyzing chaotic secure communications using re- 44:114-116, Jan-Feb 1978. turn maps. Physics Lett. A, 245:495-510,1998. [5] B.Chor and RL. Rivest. A knapsack type public key [19] L.S.Tsimring N.F.Rulkov, M.M.Sushchik and cryptosystem based on arithmetic in finite fields. Ad- ARVolkovskii. Digital communication using vances in cryptography: Proc. of Crypto 84, 196:54- chaotic pulse position modulation. IEEE Transac- 65, 1985. tions on circuits and systems,??:??,?? [6] T.L. Carroll and L.M. Pecora. Cascading synchro- [20] RVolkovskii L.S.Tsimring. Synchronization and nized chaotic systems. Physica D, 67:126-140,1993. communication using chaotic frequency modulation. International journal of circuit theory and applica- [7] A R Volkovskii and N. Rulkov. Synchronouns' tions, 27:569-576, 1999. chaotic response of a nonlinear ocsillating system as a principle for the detection of the information com- [21] L.S. Rulkov, N.F.; Tsimrlng. Synchronization meth- ponent of chaos. Tech.Phys. Lett., 19:97-99, 1993. ods for communication with chaos over band-limited channels. International Journal of Circuit Theory and [8] K. M. Cuomo and A V. Oppenheim. Circuit imple- Applications, 27,(no.6):555-567, 1999. mentation of synchronized chaos with applications to communications. Phys. Rev. Lett., 71:65-68,1993. [22] H.D.I.Abarbanel and M.B.Kennei. Synchroniz- ing high-dimensional chaotic optical ring dynamics. [9] T. Stojanovski U. Parlitz, L. Kocarev and H. Preckel. Physical Rev. Lett., 80 No.14:3153-3156, 1998. Encoding messages using chaotic synchronization. Phys. Rev. E, 53:4351-4361, 1996. [23] J.J.Sidorowich H.D.I.Abarbanel, RBrown and [10] E. Ott S. Hayes, C. Grebogi and A Mark. Exper- L.S.Tsimring. The analysis of observed chaotic data imental control of chaos for communication. Phys. in physical systems. Rev. Mod. Phys., 64:1331,1993. Rev. Lett., 73:1781,1994. [24] All the details of our simulation may be found at: http://inls.ucsd.edu/"-'roy/DDE/MainPage/. [11] C. Grebogi Y. Lai, E. Bollt. Communicating with chaos using two-dimensional symbolic dynamics. [25] K. Kaneko. Theory and Applications of Coupled Map Phys. Lett. A, 255:75, 1999. Lattices, Nonlinear Science Theory and Applications. [12] M. Hasler H. Dedieu, M. P. Kennedy. Chaos shift Wiley, 1993. keying: Modulation and demodulation of a chaotic carrier using self-synchronizing chua's circuits. IEEE Trans. Circuits and Systems II, 40(10):634, 1993.

345