Quick viewing(Text Mode)

A Dynamical Systems Approach to the Discrimination of the Modes of Operation of Cryptographic Systems

A Dynamical Systems Approach to the Discrimination of the Modes of Operation of Cryptographic Systems

A dynamical systems approach to the discrimination of the modes of operation of cryptographic systems

Jeaneth Machicao∗ Scientific Computing Group, S˜aoCarlos Institute of Physics, University of S˜aoPaulo (USP), PO Box 369, 13560-970, S˜aoCarlos, SP, Brazil - www.scg.ifsc.usp.br

Jan M. Baetens† KERMIT, Department of Mathematical Modeling, Statistics and Bioinformatics, Ghent University, Coupure links 653, 9000 Ghent, - www.kermit.ugent.be

Anderson G. Marco Scientific Computing Group, S˜aoCarlos Institute of Physics, University of S˜aoPaulo (USP), PO Box 369, 13560-970, S˜aoCarlos, SP, Brazil - www.scg.ifsc.usp.br

Bernard De Baets‡ KERMIT, Department of Mathematical Modeling, Statistics and Bioinformatics, Ghent University, Coupure links 653, 9000 Ghent, Belgium - www.kermit.ugent.be

Odemir M. Bruno§ Scientific Computing Group, S˜aoCarlos Institute of Physics, University of S˜aoPaulo (USP), PO Box 369, 13560-970, S˜aoCarlos, SP, Brazil - www.scg.ifsc.usp.br (Dated: September 12, 2018) Evidence of signatures associated with cryptographic modes of operation is established. Motivated by some analogies between cryptographic and dynamical systems, in particular with chaos theory, we propose an algorithm based on Lyapunov exponents of discrete dynamical systems to estimate the divergence among as the algorithm is applied iteratively. The results allow to distinguish among six modes of operation, namely ECB, CBC, OFB, CFB, CTR and PCBC using DES, IDEA, TEA and XTEA block of 64 bits, as well as AES, RC6, Twofish, , and block ciphers of 128 bits. Furthermore, the proposed methodology enables a classification of modes of operation of cryptographic systems according to their strength.

I. INTRODUCTION particular [5]. Since this major breakthrough, the functioning of The propagation and continuous flow of information the industrial, financial and public sector has become are of utter importance for the development of stable strongly dependent on the advances of . For economies throughout the world as they are a prerequi- instance, while the availability of worldwide networks has site for successful business transactions, short- and long- enabled rapid dissemination of information, it has also range communication, and so on [1]. Often this infor- stimulated cryptographic innovations because a signifi- mation has to be encrypted in such a way that it can cant share of this information may only be available to a be safely transferred between the sender and recipient few parties. In this manner, technological progress dur- without allowing others to read the information that ing the last decades has increased the need for secured is in such an encrypted message [2]. On the communication and transactions, information shielding, arXiv:1504.02549v1 [cs.CR] 10 Apr 2015 other hand, malicious persons and organizations, but also and so on [3, 4]. governmental organizations, are continuously striving to In the last few decades, modern cryptography replaced break the with which messages were encrypted be- mechanical schemes with new computing models. This cause this might enable them to get those pieces of in- modern focus influenced the classical design of ciphers formation that are needed to achieve their criminal, pro- far beyond the original purpose. Nowadays, there are tective, or other goals [3, 4]. It is probably due to the two class of cryptographic algorithms depending on the impact of Turing’s success in breaking the Enigma that key: symmetric and asymmetric. Symmetric encryption humanity became aware of the importance of cryptogra- algorithms use the same key for both encryption of plain- phy in general, and the vulnerability of ciphers more in text and decryption of . This class of algorithm is also divided into two categories: stream ciphers and block ciphers. Block ciphers have gained wide popular- ∗ [email protected] ity since the introduction of the first adopted encryp- † [email protected] tion: The (DES) [6], in the ‡ [email protected] mid-1970s, yet nowadays this is considered prone § [email protected] to brute force attacks. To overcome this shortcoming 2 the International Data Encryption Algorithm (IDEA) [7] or asymptotically stable, respectively, or the system is was designed in 1991 to replace DES. Ever since, there conservative, which means that the initial separation re- has been a pursuit for the development of new algo- mains. rithms that meet the rising security expectations. In As the fields of cryptography and dynamical systems 1997, the National Institute of Standards and Technol- are not yet strongly interwoven, the basic definitions and ogy (NIST) [8] selected the official Advanced Encryption concepts that relate to those systems and that are of Standard (AES) among many competitors, namely Ser- interest within the framework of this paper are presented pent [9], Twofish [10], RC6 [11], Rijndael [12], etc. in Section II, while the dynamical systems viewpoint on To date, block ciphers are the most important ele- cryptographic systems is presented in Section III together ments in many cryptographic systems [3]. A block ci- with the proposed method for identifying the underlying pher breaks a message into blocks of elements (bits) and mode of operation. Finally, the strengths of the proposed then encrypts one block () at a time producing method are illustrated and discussed in Section IV by its corresponding output block (ciphertext). However, a means of computer experiments. by itself allows for the encryption of only one block, such that it is recommended to use a mode of operation in conjunction [13]. This mode of opera- II. PRELIMINARIES tion specifies a mechanism to improve the corresponding block cipher, while encrypting all of the blocks, one by In this section we introduce the specificities of both one, as it goes along. cryptographic and dynamical systems that are indispens- Motivated by the analogies between cryptographic and able for a clear understanding this paper. dynamical systems, on the one hand, and the lack of a means to discriminate between different modes of opera- tion that can be used to encrypt a message with a block A. Block ciphers and modes of operation cipher using a single key, on the other hand, we demon- strate in this paper how Lyapunov exponents can be re- Classically, an encryption system encloses three major lied upon for tackling this problem. More specifically, components, namely a cipher, a key, and finally, a cipher- by contemplating the whole of a cipher, ciphertext and text. The former constitutes a sequence of instructions key as an utter discrete dynamical system, i.e., a cellular that must be executed in order to encrypt a given plain- automaton (CA), and by resorting to the notion of Lya- text, which may be envisaged as a sequence of N bits, punov exponents as they have been conceived for such such that it can be represented as a Boolean vector P of systems [14, 15], we show how these measures can be ex- length N. The result of this encryption process using a ploited to identify the mode of operation that was used key K, which is a sequence of k bits, is a so-called cipher- during the encryption process. text, which may be represented in a similar fashion as a Although the cryptographic process of encrypting and Boolean vector C of length N [3]. decrypting information does not constitute a dynamical Of course, the real plaintext size varies and is mostly system as such, it has been reported that it is possible different from the length of the blocks for which a block to draw parallels between cryptographic and dynamical cipher is designed. Consequently, common ciphers can- systems [16–19]. Hence, drawing upon such parallels, we not be applied directly for the encryption of arbitrary- have a means to exploit similar tools as the ones that have length plaintext [28]. In order to overcome this issue, been conceived in the framework of dynamical systems in so-called block ciphers have been designed and imple- order to characterize cryptographic systems. Taking into mented. A block cipher slices the plaintext of length N account that the stability of a dynamical system is gen- into b blocks of n bits, after which each of these blocks is erally acknowledged as its main characteristic because it encrypted/decrypted by a block cipher, denoted as EK −1 gives insight into its intrinsic nature [20, 21], it is natural and EK , respectively. Mathematically, the encryption to verify whether the dynamical systems viewpoint of a of a plaintext P = (P1,P2,...,Pb) of length n into a cryptographic system allows for a similar notion in order ciphertext of the same length can be formalized as C = k n n to better understand the latter. An exploration of this E(K, P) = EK (P), where E : 0, 1 0, 1 0, 1 . is further motivated by the fact that several researchers If the length N of the plaintext{ is} not×{ a whole} → multiple { } have noticed a close resemblance between a cryptographic of b, additional bits are padded to the last block of the system on the one hand, and a chaotic system, on the plaintext. other hand [22–25], and the large number of chaos-based These block ciphers encrypt a plaintext in accordance [26, 27]. with a well-defined procedure, which is commonly re- Classically, the stability of a dynamical system is as- ferred to as the mode of operation of a block cipher. A sessed by computing its so-called largest Lyapunov expo- block cipher encrypts one block at a time, and it is the nent that quantifies how it behaves if it is evolved from mode of operation that allows a block cipher to encrypt two different but close initial conditions [20]. Either the blocks consecutively in a secure way. Most of them use corresponding phase space trajectories diverge or con- an (IV), denoted γ, which adds ran- verge in which case we refer to the system as unstable domness to the encryption process [3]. For instance, the 3 counter mode uses a special method for generating coun- uses the CBC mode of operation. We consider an ex- ters in order to guarantee that each block in the sequence emplary plaintext P = (P1,P2), for which it holds that is different from every other block [13]. P1 = 010, P2 = 001 and γ = 101. Note that the outputs From the many block ciphers currently available, we generated by EK are chosen only for illustration, e.g., will focus on the well-studied ones, being DES [6] (n = C1 = EK (C0 P1) = EK (111) = 100. We can see clearly ⊕ 64, k = 56), IDEA [7], TEA [29] and XTEA [30] (n = 64, that a single application of the function MEK consists of k = 128), as well as AES [12], RC6 [11], Twofish [10], Ser- b applications of EK since the latter has to be applied to pent [9], Seed [31] and Camellia [32] (n = 128, k = 128). each of the plaintext blocks Pj in order to construct the The specifications of these block ciphers and the modes ciphertext C. of operation are public, so they can be implemented [13]. In 2001 the NIST compiled and recommended five t = 0 t = 1 modes of operation—most of them were developed 30 years ago—to be used with a block cipher, namely C0 = γ = [ 101 ] C1 = EK ( 101 ⊕ 010) = 100 the Electronic Codebook (ECB), Cipher Block Chain- P = [010, 001] C2 = EK (100 ⊕ 001) = 000 ing (CBC), Cipher Feedback (CFB), Output Feedback C = M (P) = [100, 000] (OFB), and Counter (CTR) modes [13]. In addition to EK these NIST modes, there are many others, among which the Propagating Cipher-Block Chaining (PCBC) [3] mode will be considered in this paper. FIG. 1: Example of the CBC mode of operation with Mathematically, the encryption of an arbitrary-length b = 2 blocks, n = 3 bits and block cipher EK . plaintext by means of a block cipher in combination with the ECB mode of operation can be formulated as:

Cj = EK (Pj) , j = 1, 2, . . . , b, (1) B. Analogies between cryptographic and dynamical systems where Cj represents the encrypted counterpart of the j- th block of plaintext Pj. Similarly, the formalism for the Although cryptographic systems, as the ones given by CBC mode is given by Eqs. (1)–(3) and those listed in Table I, do not constitute dynamical systems, we can draw some parallels between Cj = EK (Cj−1 Pj) , j = 1, 2, . . . , b, (2) ⊕ both types of system, which might enable us to gain a deeper understanding of the former [16, 17, 22, 24]. More where is the mod 2 operator and C0 = γ. For the OFB mode one⊕ may write: specifically, we may envisage such a cryptographic system as a one-dimensional CA, which can be represented by Cj = Pj Oj−1 , j = 1, 2, . . . , b, (3) means of a triplet , S, Ψ . The first element of this ⊕ hT i triplet refers to a one-dimensional array of ‘cells’ ci, each where Oj = EK (Oj−1) with O0 = EK (γ) and γ is ran- of which bears one of the states enclosed in the finite domly selected from 0, 1 n. Table I lists the formulas { } set S = 0, 1 , and which are updated at discrete time for the other modes of operation that are considered in steps by{ means} of a global transition function Ψ. The this paper. state of the i-th cell in at the t-th time step will be In the remainder, a mode of operation of a block ci- T N N denoted as s(ci, t). Essentially, upon putting Ψ MEK , pher is denoted as MEK : 0, 1 0, 1 , which ≡ { } → { } a mode of operation MEK may be envisaged as such a maps a given plaintext P of length N to a correspond- global transition function. ing ciphertext C of equal length, so that we may write Finally, we identify a given plaintext P with s( , 0) in C P · = MEK ( ). In order to clarify the functioning of such a way that the i-th bit of the j-th block in P is a cryptographic system, we show in Fig. 1 a crypto- j denoted as s(ci , 0). The transition function MEK may graphic system with b = 2 blocks of n = 3 bits that be applied iteratively so that a distinct ciphertext Ct is evolved at every time step t. As such, a cryptographic TABLE I: Mathematical representation of the CFB, system can be transformed into a CA, and we may write CTR and PCBC modes.

s( , t + 1) = ME (s( , t)) , (4) CFB CTR PCBC · K · t+1 t 1 or equivalently, C = ME (C ), where C = ME (P). C = P O K K j j ⊕ j In Fig. 2 we show an illustration of the CBC mode of Cj = Pj EK (Cj 1) Oj = EK (αj) Cj = EK (Pj Pj 1 Cj 1) ⊕ − ⊕ − ⊕ − operation by using Eq. (4) for the first two time steps C1 = P1 EK (γ) αj = rand(αj 1) C1 = EK (P1 γ) ⊕ − ⊕ in the evolution of its corresponding CA. Note that text α = γ 1 styling has been added to make the effect of the mode of operation tractable, and also, that the same plaintext

1 4

t = 0 t = 1 t = 2

1 2 1 C0 = γ = [ 101 ] C0 = γ = [ 101 ] γ = C0 = C2 = [000] 1 1 P = [010, 001] C1 = EK ( 101 ⊕ 010) = 100 C1 = EK (000 ⊕ 100) = 011 1 1 C2 = EK (100 ⊕ 001) = 000 C2 = EK (011 ⊕ 000) = 111

1 1 C = MEK (P) = [100, 000] C = MEK (P) = [011, 111]

FIG. 2: Example of the CBC mode of operation evolving over time with b = 2 blocks, n = 3 bits and block cipher EK .

and γ values are used as the ones given in Fig. 1. As the contains only one non-zero element. In the remainder, a j j mode of operation is applied iteratively, at every con- cell ci for which holds that h(ci , 0) = 1 will be referred t secutive time step γ is put equal to Cb because one has to as a defective cell. After pinning down a plaintext to select a new point in phase space that is the closest P and its perturbed version P∗ that fulfills the latter to the reference direction, which basically constitutes an criterion, we can evolve the equivalent CA from both t+1 ∗ ∗ C orientation of the new initial configuration C0 into the s( , 0) = P and s ( , 0) = P for one time step in order t · · ∗ direction of Cb. For reasons of uniformity, γ is the only to obtain s( , 1) and s ( , 1). Here, it should be recalled parameter that can contain this initial configuration. that one time· step in the· evolution of a CA corresponds

Recently, sundry methods have been developed to un- to one application of the mode of operation MEK , which ravel the dynamical properties of utter discrete dynam- involves the update of several blocks. Having updated ical systems such as CA [14, 15, 33–35]. As such, by all the blocks, we can compute the damage vector at the relying on these for grasping the dynamics of a crypto- first time step graphic system’s corresponding CA, we might be able to gain deeper insight into the dynamics of the former. ( ∗ j j More specifically, we will show in the remainder of this j 1 if s (c , 1) = s(c , 1), h(c , 1) = i 6 i paper how Lyapunov exponents of CAs may be relied i 0, else. upon for identifying the mode of operation of the under- lying cryptographic systems, in the same way as these Consequently, the total number of defects at the first measures have shown their usefulness for characterizing time step can be computed as utter discrete dynamical systems [14, 15, 36, 37]. b n X X j 1 = h(ci , 1) . (5) j=1 i=1 III. A CELLULAR AUTOMATON VIEW ON CRYPTOGRAPHIC SYSTEMS At this point, the reader might think that the damage vector during subsequent time steps should be computed Suppose that the CA counterpart of a given crypto- similarly, but this is certainly not the case because one graphic system G = C, P,MEK is denoted as . We can would then neglect the fact that the defects can cancel investigate the dynamicsh of the formeri in general,C and its out each other due to the discrete nature of the CA’s state stability more in particular, by computing its so-called space [14, 15]. The discrepancy between the number of Lyapunov exponent, which quantifies how the dynami- defective cells and the number of defects is not yet clear cal system behaves in the long run if it is evolved from after the first time step because every defective cell at two close initial conditions. Clearly, in our setting, this t = 1 traces back to the same initial defective cell. means that we will assess the sensitivity of the equivalent However, as soon as the CA is evolved one more time CA to a small perturbation of the plaintext since we step, a discrepancy emerges between these quantities. put sC( , 0) = P. Hence, this should yield insights into the This can be understood by explicitly tracking all possible behaviour· of the cryptographic system if the plaintext is pathways along which defects at t = 1 may propagate and perturbed. accumulate during one subsequent time step (see Fig. 3). Taking into account that the smallest possible pertur- It is interesting to have a closer look at how nine defects bation in such a two-state setting boils down to flipping can arise at the second time step in the evolution of the one bit of the first block of the plaintext P, P1 constitutes CA notwithstanding there are only five defective cells, the most influential block (initial condition) to the mode which should be contributed to the fact that several of of operation. Besides, it holds that the initial damage them may enclose multiple defects due to the existence vector h( , 0) = P P∗, where is the mod 2 operator, of several pathways along which defects can propagate. · ⊕ ⊕ 5

After computing the number of defects t at every con- secutive time step t, the rate of divergence/convergence of initially close phase space trajectories λ(t) of a CA can be obtained from: C   Time step Time 1  λ(t) = log t , (7) t 0 Number ofseeds defect with its limit value FIG. 3: Maximal propagation of defects (black) in λ = lim λ(t) , (8) evolution space of a CA together with all possible t→∞ pathways along which defects can propagate (arrows). generally referred to as the maximum Lyapunov expo- nent (MLE) of . In the framework of cryptographic sys- tems, λ(t) quantifiesC how ciphertexts, which are obtained Taking into consideration this reasoning, the correct by iteratively encrypting two close P and P∗, number of defects at the t-th time step, denoted t, should behave (converge/diverge) as the number of time steps be computed in accordance with the following six-step grows. As indicated in papers on the LE of CAs, one can procedure. derive a theoretical upper bound on these LEs, which has shown to depend on the number of neighbours [14, 15]. 1. Let the cryptographic system evolve for one time Calling to mind Shannon’s idea of diffusion, which is 1 step, i.e., C = MEK (P), and analogously for its related to the avalanche effect and states that a slight 1∗ ∗ perturbed version C = MEK (P ), both using the change of the plaintext gives in worst case rise an entirely same initialization vector γ. different ciphertext, we are able to derive a theoretical upper bound on the MLE of cryptographic systems. For 2. Calculate the damage vector h1 given by Eq. (5) instance, consider the plaintext P = 10101101 and its and set the initialization vector as the last block perturbed version P∗ = 10101100, as well as their en- 1 ∗ ∗ calculated for both versions, i.e., γ = Cb and γ = cryption EK (P) = 10101000 and EK (P ) = 01010111, 1 Cb , as explained in Section II B. respectively. In the worst case scenario, the number of differences may be at most 8, which is the length of the j j j 3. For every ci for which h(ci , 1) = 1, create a replica plaintext N. This means that a defect in ci at the t-th j j j ∗ j j Ri such that Ri (ci , 1) = s (ci , 1) = s(ci , 1), where time step can at most propagate to N bits at the subse- j j quent time step. Therefore, a mean-field approximation s(ci , 1) is the Boolean complement of s(ci , 1), and Rj(cj , 1) = s(cj , 1), for every cj = cj. Use the set of the upper bound λm for the cryptographic systems i q q 6 i becomes A1 to store these replicas.

4. Let the cryptographic system evolve one more time 1 t step, i.e., compute s( , 2) and R( , 2), which boils λm = log(λ ) = log(N) = log(bn). (9) · j · ∗ t down to evaluating MEK (Ri ) with the same γ for all replicas R A1. Obviously, the higher the number of blocks b, the higher ∈ the upper bound becomes. 5. Calculate the total number of defects at the second Before turning to the experimental section of this pa- time step as follows: per, we illustrate in Fig. 4 the procedure by which the LE

of a mode of operation MEK can be assessed. Note that b n X X X j we employed the same plaintext as in Fig. 2. By mov- 2 = h(ci , 2) (6) ing along this table’s rows, we see the plaintexts that j j=1 i=1 Ri ∈A1 are encrypted by repeatedly applying the mode of opera-

tion MEK . Note that some replicas are repeated as soon and set the initialization vector as the last block as the system is evolved for one time step, which is in 2 ∗ calculated for both versions, i.e., γ = Cb and γ = agreement with the findings reported in Fig. 3. 2 Cb . In order to avoid having to keep track of all path- ways individually, one can optimize the algorithm by just j j 6. For every ci and R A1 for which R(ci , 2) = counting every unique replica once and keeping track of j ∈ j j j 6 1 s(ci , 2), create a replica Ri such that Ri (ci , 2) = its multiplicity. For example, at t = 2 the replica R2 s(cj, 2) and Rj(cj , 2) = s(cj , 2) for every cj = cj. would be repeated twice, then at the subsequent time i i q q q 6 i Use a multiset A2 to store these replicas. step this replica has two cell defects, which means four pathways in total at t = 3. As such, by tracking the mul- 7. Repeat steps (4)–(6) in every subsequent time step tiplicity of every defect rather than every defect itself, t + 1 in order to assemble h( , t + 1) and At+1. the efficiency of the algorithm increases substantially. · 6

Time Original plaintext Perturbed version * # defects steps P P

* C0 =[10=1 ] C0 = = [101] * P= [010, 001] P = [011, 001] 0 = 1

C1 = M (P)[1=00, 000] C1*=(PM * ) =[111 , 010] EK EK

1 1 2 R2 =[110,000] R3 =[101,000] R2 =[100,010] = 3 1 FIG. 4: Illustration of the

1 calculation of the LE for a 1 R =[001,111] 2 M ()R =[00 1, 101] 2 ˟ EK 2 2 = 1 2 generic mode of operation and C ME (C )= [011, 111] R 2 =[011,101] K M ()R =1 [00 1, 111] EK 3 2 = 5 block cipher with b = 2 blocks R1 =[010,111] 2 3 and n = 3 bits. M ()R =2 [010 , 110] EK 2 R3 =[011,110]

1 1 R1 =[110,011] ˟ 2 M ( R ) E 2 = [110,010] 2 3 M 2 K R =[010,010] 2 C =(CEK )[=010,011] 2 3 ˟ M ( R2 ) = [011,011] 3 = 2˟2+1+2 = 7 EK R1 =[011,011] 3

… 1 M ( R3 ) = [010,101] EK R2 =[010,111] M ( R2 ) = [010,011] 3 EK 3 2 R2 =[010,001]

If the cryptographic system is sensitive to the plain- on the specific algorithm [3]. We considered eight rounds text from which it is evolved, the number of defects t for IDEA, eighteen for DES, and thirty-two rounds for increases exponentially during its evolution, such that both TEA and XTEA. Further, ten rounds for AES, t > 0, and consequently, λ > 0. On the other hand, sixteen for both Twofish and Seed, eighteen for Camel- the system should be referred to as insensitive to the lia and thirty-two for Serpent. Finally, we implemented underlying plaintext if the initial defect vanishes as the the modes of operation in accordance with the formalism number of time steps increases. Such a situation implies given by Eqs. (1)–(3) for ECB, CBC and OFB, and in that λ = owing to the discrete nature of a CA’s Table I for CFB, CTR and PCBC. state space.−∞ Since cryptographic systems are designed in such a way that small changes in the plaintext give rise to substantially differing ciphertexts, it should not come A. The dataset as a surprise if λ would be positive for all the modes of operation at stake in this paper. Still, the numerically To ensure the representativity of the computed Lya- assessed values of λ(t) might differ significantly among punov exponents, we computed the average λ-values that different block ciphers and/or underlying modes of oper- were obtained when the CAs were evolved from differ- ation, such that they may still be used to discriminate ent plaintexts. Hence, the λ-values reported in the re- between different modes of operation. This usage will be mainder represent averages calculated over an ensemble illustrated in the following section. E = eP e = 1,..., 200 of 200 randomly generated { | } ∗ plaintexts eP and their perturbed versions eP , which were obtained by flipping only one bit in the first block IV. EXPERIMENTAL RESULTS AND of eP. DISCUSSION Since such an ensemble was constructed for each of the concerned cryptographic systems, by mutually combining To demonstrate the effectivity of the above method- the underlying block cipher and the mode of operation, ology, we considered two groups of block ciphers on the we considered a total of 60 combinations, i.e., ten block basis of their block length n. The first group encloses the ciphers and six modes of operation. Consequently, a total 64-block ciphers, namely DES [6], IDEA [7], TEA [29] of 12000 plaintexts were generated randomly. and XTEA [30], which all use a k = 64 key except for Similarly, the key K and the initialization vector γ DES that uses a key of length of k = 56 bits. The sec- were generated randomly in order to avoid both key rep- ond group of block ciphers is composed of 128-block ci- etitions and weak keys, which is a recommendation in phers with key of k = 128 bits: AES [12], RC6 [11], cryptography [38]. In the remainder, we refer to the as- Twofish [10], Serpent [9], Seed [31] and Camellia [32]. sembly of the 200 randomly generated plaintexts, keys These ten block ciphers were adapted in such a way and initialization vectors as the cryptographic dataset that they took the plaintext P, the key K and the ini- per cipher and mode of operation. Given that the block tialization vector γ as input variables. Moreover, these ciphers encrypt a plaintext by splitting it into a num- block ciphers were implemented with a predefined num- ber of blocks and subsequently transcribing every block, ber of rounds, each of which consist of several inner steps the plaintexts were generated in such a way that they in the course of an encryption process and they depend were composed of the same number of b blocks, irrespec- 7 tive of the type of block cipher. Note that this implies IDEA and AES as representative members of the fami- a plaintext containing N = b 64 bits in case of the lies of 64- and 128-block ciphers (see Fig. 6), respectively, 64-block ciphers and N = b ×128 bits in case of the since similar results were obtained for the other block ci- 128-block ciphers. Thus, in order× to compare λ-values of phers in the same families (see Fig. 7). These figures de- 64- and 128-block ciphers, we normalized the numerically pict the LE curves for all the modes of operation versus obtained λ with respect to λm obtained from Eq. (9), the number of time steps—note that the standard devia- tion of each curve is not shown since they are very small. Taking into account Eq. (9), the upper bound for the B. Lyapunov exponents for the modes of operation 64-block ciphers is λm = log(N) = log(320) 5.76832, ≈ while it is λm = log(640) 6.46147 for the 128-block ≈ We assessed λ(t) for the CA counterpart of each of ciphers were employed to normalize the λ-values, respec- the concerned cryptographic systems. For that purpose, tively. the equivalent CAs were evolved for t = 200 time steps, IDEA which was sufficiently long because λ(t) showed conver- −4 gence in such a way that λ(t) λ(t + 1) < 1.19 10 , 1.00 being the maximum discrepancy| − between|λ(t) and×λ(t+1) 0.80

at the end of the simulation. t Furthermore the consistency of the λ-values across the members of the different ensembles is also demonstrated 0.60 in Fig. 5 (a), which depicts the frequency distribution of ECB 0.40 OFB the standard deviation σλ (base 10 logarithm) of λ200 cal- CBC CTR culated for the 60 cryptographic systems at stake. This 0.20 CFB histogram shows the similarity of λ across the different PCBC L y a p u n o v E x e t λ plaintexts, as the standard deviation that comes along 0.00 020406080100120140160180200 with the average MLE for the different cryptographic sys- Iterationst tems is obviously small. AES (a)IDEA 15 16


12 PCBC 10 CTR OFB 0.80


0.60 Frequency 5 Frequency 4

0.40 0 0 −5.2 −4.7 −4.2 −3.7 −3.2 0 1 2 3 4 5 (a) (b) log 1 0 (σλ ) Δ 0.20

CFB FIG. 5: (a) Frequency distribution of the standard 0.00 020406080100120140160180200 deviation σλ (base 10 logarithm) of λ200 calculated over Iterationst the 60 combinations of cryptographic systems. (b) (b)AES Frequency distribution of ∆ = max( eP e = { | 1,..., 200 ) min( eP e = 1,..., 200 ). } − { | } FIG. 6: Lyapunov exponent versus the number of time steps for different modes of operation, being ECB, CBC, OFB, CFB, CTR and PCBC, using the (a) IDEA Fig. 5 (b) shows a histogram of the discrepancies 64-block cipher and (b) AES 128-block cipher. The between the maximum and minimum observed MLE curves represent the average LE λ over 200 initial among the members of the ensemble E, denoted by ∆ = plaintexts during t = 200 times steps, which are max( P e = 1,..., 200 ) min( P e = 1,..., 200 ). e e normalized with respect to λ obtained from Eq. (9). The{ ∆-values| obtained} for− the{ investigated| datasets} m lie between 3.99 10−5 and 4.79 10−3. The maxi- mum and minimum× ∆ correspond,× respectively, to the From both figures, it is quite easy to discriminate be- pairs of modes of operation with underlying block cipher: tween the modes of operation, except for the overlapping IDEA-OFB and Serpent-CFB. All together, these small curves of CTR and OFB. It is interesting to have a closer discrepancies demonstrate once more that the λ-values look at how their corresponding LE increases almost ex- are highly consistent across the different plaintexts within ponentially during the first few time steps. This be- the ensemble E, such that we may draw conclusions on haviour can be explained by reconsidering the equations their average values. in Table I. Indeed, CTR uses an inner pseudo-random For simplicity, we mainly restrict our attention to number generator and OFB uses a new initialization vec- 8

DES TEA 1.00 1.00


0.80 0.80 CTR OFB t

CBC ECB 0.60 0.60

ECB 0.40 OFB 0.40 CBC CTR 0.20 CFB 0.20

L y a p u n o v E x e t λ PCBC CFB

0.00 0.00 020406080100120140160180200 020406080100120140160180200 Iterationst Iterationst XTEA RC6 1.00 1.00


0.80 CTR OFB 0.80 CTR OFB t

CBC CBC ECB ECB 0.60 0.60

0.40 0.40 FIG. 7: Lyapunov exponent versus the number of time steps for different

0.20 0.20 modes of operation, being ECB, CBC,

L y a p u n o v E x e t λ CFB CFB OFB, CFB, CTR and PCBC using

0.00 0.00 020406080100120140160180200 020406080100120140160180200 64-block ciphers: DES, TEA and Iterationst Iterationst XTEA, and 128-block ciphers: RC6, Twofish, Seed, Serpent and Camellia Seed 1.00 1.00 with b = 5 blocks and n = 64 bits. The PCBC PCBC curves represent the average LE λ over OFB OFB 0.80 CTR 0.80 CTR t 200 initial plaintexts during t = 200 CBC CBC ECB ECB 0.60 0.60 time steps, which are normalized with respect to λm obtained from Eq. (9)

0.40 0.40

0.20 0.20

L y a p u n o v E x e t λ CFB CFB

0.00 0.00 020406080100120140160180200 020406080100120140160180200 Iterationst Iterationst Serpent Camellia 1.00 1.00 PCBC PCBC

OFB OFB 0.80 CTR 0.80 CTR t

CBC CBC ECB ECB 0.60 0.60

0.40 0.40

0.20 0.20

L y a p u n o v E x e t λ CFB CFB

0.00 0.00 020406080100120140160180200 020406080100120140160180200 Iterationst Iterationst

−3 tor at every time step, such that the number of defective tains λ200 = 3.46565 1.35 10 with the IDEA cells will not only increase due to discrepancies natu- block cipher, which means± that× the number of defects (λ200) −2 rally emerging between the plaintexts, but also due to t = e = 31.99728 4.32 10 equals approxi- the additional defects introduced through these random mately n/2, being almost± 50% of× the block length. The processes. In contrast, CFB displays the opposite effect, same behaviour occurs for the AES block cipher, where i.e., its curve decays exponentially. e(λ200) = 63.994055 4.29 10−2. ± × Further, the Lyapunov exponents of ECB and PCBC The original values of the exponents and standard devi- are constant, since the number of defective cells grows ation found at the end of the simulation are summarized proportionally through time. For instance, this be- in Table II. Furthermore, we can discriminate between haviour can be explained by considering that ECB at- modes of operation in families of block ciphers not only 9

−3 TABLE II: MLE λ200 and standard deviation ( 10 ) for the (a) 64- and (b) 128-block ciphers. ×


λ200 IDEA DES TEA XTEA ECB 3.46565 ± 1.35 3.46570 ± 1.27 3.46554 ± 1.23 3.46564 ± 1.25 OFB 5.04796 ± 4.00 5.04800 ± 3.89 5.04817 ± 3.87 5.04816 ± 3.68 CBC 3.55597 ± 0.96 3.55598 ± 0.93 3.55596 ± 0.81 3.55598 ± 0.88 CTR 5.04817 ± 3.55 5.04818 ± 3.81 5.04853 ± 4.14 5.04787 ± 4.15 CFB 0.15925 ± 0.07 0.15925 ± 0.07 0.15926 ± 0.06 0.15925 ± 0.07 PCBC 5.07496 ± 1.91 5.07465 ± 2.01 5.07467 ± 1.91 5.07451 ± 1.87


λ200 AES RC6 Twofish Seed Serpent Camellia ECB 4.15879 ± 0.67 4.15885 ± 0.75 4.15876 ± 0.68 4.15887 ± 0.7 4.15887 ± 0.75 4.15884 ± 0.76 OFB 5.73875 ± 2.82 5.73879 ± 2.96 5.73869 ± 2.86 5.73860 ± 2.84 5.73840 ± 2.82 5.73885 ± 3.02 CBC 4.24921 ± 0.52 4.24913 ± 0.56 4.24920 ± 0.56 4.24915 ± 0.51 4.24919 ± 0.56 4.24920 ± 0.55 CTR 5.73891 ± 2.83 5.73876 ± 2.70 5.73882 ± 2.79 5.73904 ± 2.78 5.73866 ± 2.74 5.73871 ± 2.81 CFB 0.17311 ± 0.05 0.17311 ± 0.05 0.17311 ± 0.05 0.17311 ± 0.05 0.17311 ± 0.05 0.17311 ± 0.05 PCBC 5.76812 ± 1.31 5.76815 ± 1.27 5.76792 ± 1.37 5.76816 ± 1.40 5.76792 ± 1.38 5.76806 ± 1.30

by visual inspection of the graphs, but also by means ing the CA evolution from two initial configurations for of statistical tests to demonstrate it. Paired t-tests re- which it holds that h( , 0) = P P∗ and given the fact vealed that there are statistically significant differences that we are dealing with· Booleans,⊕ the smallest possi- between ECB, CBC, CFB and PCBC mutually at the ble perturbation in such a setting implies flipping the 5% significance level. However, no statistically signifi- right-most bit of the plaintext. However, we observed cant difference was found between CTR and OFB. These that the position of the flipped bit does not affect the observations were found in both families of 64- and 128- numerical value of the Lyapunov exponent, which can be block ciphers, which also allows the proposed method to understood by recalling the theoretical upper bound on discriminate between modes of operation of different fam- the Lyapunov exponent of cryptographic systems. In- ilies, for instance, IDEA-CTR can be distinguished from deed, the encryption of the plaintext with a bit flipped AES-CTR. at an arbitrary x position at the first plaintext block Moreover, by means of the washer method [39], we an- (1 x n) may, in the worst case, affect all the bits of ≤ ≤ alyzed statistically whether a curve (for one of the ensem- the ciphertext. ble’s members) for a given mode falls within the envelope b. Cryptographic signatures From Figs. 6–7 it of curves obtained for the entire ensemble for another should be noticed that the normalized λ-values do not mode of operation. This procedure was repeated for all attain 1, because none of the cryptographic systems at the curves within the given mode of operation at the stake is attaining the worst case scenario mentioned in 5% significance level, which indicated that at most 6.4% Section III. This can be explained by the fact that this and 11.1% of the observations of the 64- and 128-block is an ideal and desirable “scenario” for cryptographic ciphers constituted outliers. These outliers exist at the systems and that the block ciphers at stake have their beginning of the simulation. We can also notice that the limitations. Furthermore, we found an unexpected phe- CFB curve behaves completely different from the other nomenon with regard to the families of 64- and 128-block ones (non overlapping and not too close), which means ciphers. A closer look at the curves tied up with these that the CFB falls outside of the range of the LE for the families shows that, in fact, we can also differentiate be- other modes of operation. tween block cipher families. c. Number of blocks In order to investigate the importance of the number of blocks b, we computed the C. Analysis of the LE of cryptographic systems Lyapunov exponents for the same cryptographic systems but with 2, 4, 8,..., 20 blocks. In Fig. 8 one can see the In this section, we will examine and discuss the pre- LE curves for each mode of operation using the IDEA ceding results in more detail. block cipher as a function of b. From this figure it is a. Initial conditions P and P∗ Recalling that clear that each curve is somehow lifted upwards with the an assessment of the Lyapunov exponent involves track- number of blocks b. 10

CTR OFB b = 20 6.0 6.0 b = 8

t 5.0 5.0

b = 2 4.0 4.0

3.0 3.0

2.0 2.0

L y a p u n o v E x e t λ 1.0 1.0

0.0 0.0 0 40 80 120 160 200 0 40 80 120 160 200 Iterationst Iterationst CBC CFB

6.4 6.0

t 5.8 4.8

5.2 3.6

4.6 2.4

b = 20 4.0 1.2 b = 20

L y a p u n o v E x e t λ b = 8 b = 8 b = 2 b = 2 3.4 0.0 0 40 80 120 160 200 0 40 80 120 160 200 Iterationst Iterationst ECB PCBC 3.468 6.4 b = 20 3.464 t 3.460 5.8 b = 8 3.456

5.2 3.452

3.448 4.6

L y a p u n o v E x e t λ 3.444 b = 2

3.440 4.0 0 40 80 120 160 200 0 40 80 120 160 200 Iterationst Iterationst

FIG. 8: Comparison of the LE for different modes of operation with 2, 4, 8,..., 20 blocks using IDEA. Each plot contains curves which represent the average LE λ over 200 initial plaintexts during t = 200 time steps of the IDEA 64-block cipher.

From Eq. (9), it is expected to get higher λ-values when mode of operation is an important limitation remaining. the length of the plaintext increases. In fact, this occurs Perhaps, this limitation may seem contradictious to cryp- for all the modes of operation at stake, except for ECB. In tography aims, because it indicates to find an analytical particular, this indicates that irrespective of the number way to obtain the essence of a cryptographic system that of blocks b of the plaintext, the ECB’s number of defects is designed to avoid this gap. will attain approximately n/2, which demonstrates that Here, we opted for an alternative approach, i.e., an the first block is the only one affected by the initial condi- empirical estimation of the upper bound for the modes tions, while the other blocks do not spread defects. Fur- of operation as a function of the number of blocks, based thermore, we obtained the same results with both groups on a multiple regression analysis, to gain a deeper insight of 64- and 128-block ciphers and the six modes of opera- into the behaviour of the LE curves. In Fig. 9 we show tion. the MLE λ obtained as a function of b for the IDEA and d. Empirical MLE In Section III we provided the corresponding regression curves (see also Fig. 10 for some mathematical foundations to obtain the theoreti- the AES block cipher). The coefficients of determination cal upper bound λm for cryptographic systems. How- also demonstrate the strong influence by the number of ever, the lack of an analytical upper bound for a specific blocks b. CTR OFB 6.5 6.5

6.0 6.0

5.5 5.5

5.0 5.0 MLE 4.5 4.5

4.0 4.0

3.5 3.5

3.0 3.0 0 4 8 12 16 20 0 4 8 12 16 20 Number of blocks Number of blocks

CBC CFB 3.80 0.7

3.75 0.6

3.70 0.5

3.65 0.4

MLE 3.60 0.3

3.55 0.2

3.50 0.1

MLE 3.45 0.0 0 4 8 12 16 20 0 4 8 12 16 20 Number of blocks Number of blocks ECB PCBC 5.5 6.5

5.0 6.0

4.5 5.5

4.0 5.0

MLE 3.5 4.5

3.0 4.0

2.5 3.5

2.0 3.0 0 4 8 12 16 200 4 8 12 16 20 Number of blocks Number of blocks

FIG. 9: An empirical analysis of the upper bound for the modes of operation based on IDEA λ200 with different number of blocks (R2 = 0.99). 12

CTR OFB 6.5 6.5

6.0 6.0

5.5 5.5 MLE 5.0 5.0

4.5 4.5

4.0 4.0 0 2 4 6 8 10 0 2 4 6 8 10 Number of blocks Number of blocks

CBC CFB 4.35 0.4

4.30 0.3

4.25 0.2 MLE

4.20 0.1

MLE 4.15 0.0 0 2 4 6 8 10 0 2 4 6 8 10 Number of blocks Number of blocks ECB PCBC 5.5 6.5

5.0 6.0

4.5 5.5

4.0 5.0

MLE 3.5 4.5

3.0 4.0

2.5 3.5

2.0 3.0 0 2 4 6 8 10 0 2 4 6 8 10 Number of blocks Number of blocks

FIG. 10: An empirical analysis of the upper bound for the modes of operation based on AES λ200 with different number of blocks (R2 = 0.99).

e. Computational considerations Although the have outlined an approach to envisage a cryptographic algorithm has been enhanced with different strategies to system as an equivalent one-dimensional CA in order to avoid tracking each individual defect, somehow the com- assess its stability characteristics by computing the Lya- putational cost of the proposed methodology is very high, punov exponent of the cryptographic system. The pro- since the computational time dramatically increases as posed method was capable of distinguishing six crypto- the number of blocks of the plaintext P grows. graphic modes of operation, namely ECB, CBC, OFB, CFB, CTR and PCBC using two families of block ci- phers DES, IDEA, TEA and XTEA of 64 bits, as well as AES, RC6, Twofish, Seed, Serpent and Camellia of V. CONCLUSIONS 128 bits. Moreover, the proposed method is also capa- ble of distinguishing between the two families of 64- and There is a strong relationship between cryptographic 128-block ciphers. The results showed that the Lyapunov systems and discrete dynamical systems. In this work we exponent evolution pattern is maintained for each mode 13 of operation and this is independent of the block cipher ACKNOWLEDGEMENTS used. We also provided a mathematical basis to obtain the theoretical upper bound λm for the cryptographic sys- tems. However, further work is required to theoretically analyze the upper bound on the LE for each of the modes of operation. Here we only used an empirical assessment J. M. acknowledges support from FAPESP (The to fit the curves. Finally, our results suggest that even State of S˜aoPaulo Research Foundation) (2011/05461- modern and contemporary algorithms yield patterns that 0). O. M. B. acknowledges support from CNPq (Grant should be explored. Thus, our theoretical framework may #307797/2014-7 and #484312/2013-8) and FAPESP offer a novel alternative to explore the weakness of these (Grant # 2011/01523-1). This work has benefited from cryptographic systems and may ultimately lead to a clas- the cooperation agreement that has been established be- sification of these systems according to their strength. tween Universidade de S˜aoPaulo and Ghent University.

[1] C. Shannon, A mathematical theory of communication, [16] J. Amig´o, L. Kocarev, J. Szczepanski, Discrete Lya- Tech. rep., Bell System Technical Journal (1949). punov exponent and resistance to differential cryptanal- [2] W. Stallings, Cryptography and network security: Prin- ysis, IEEE Transactions on Circuits and Systems–II: Ex- ciples and Practice, 5th Edition, Prentice Hall, 2002. press Briefs 54 (10) (2007) 882–886. [3] A. Menezes, S. Vanstone, P. V. Oorschot, Handbook of [17] G. Jakimoski, K. Subbalakshmi, Discrete Lyapunov ex- applied cryptography, CRC Press, Inc., 1996. ponent and differential , IEEE Transactions [4] S. Singh, The code book: the evolution of secrecy from on Circuits and Systems–II: Express Briefs 54 (6) (2007) Mary, Queen of Scots, to , Dou- 499–501. bleday, NY, USA, 1999. [18] J. Machicao, A. Marco, O. M. Bruno, Lyapunov expo- [5] A. Hodges, Alan Turing: the enigma, Walker & Com- nent: a qualitative ranking of block cipher mode of op- pany, 2000. eration, in: T. Gilbert, M. Kirkilionis, G. Nicolis (Eds.), [6] National Institute of Standards and Technology, FIPS Proceedings of the European conference on Complex sys- PUB 46-3 data encryption standard (DES), Pub-NIST, tems, Springer Proceedings in Complexity, Springer In- 1999. ternational Publishing, Bruxelles, Belgium, 2012, pp. [7] J. Massey, X. Lai, Device for the conversion of a digital 979–985. block and use of same, US5214703 A, 25. (May 1993). [19] N. Nagaraj, One-time pad as a nonlinear dynamical sys- [8] J. Nechvatal, E. Barker, L. Bassham, W. Burr, tem, Communications in Nonlinear Science and Numeri- M. Dworkin, J. Foti, E. Roback, Report on the develop- cal Simulation 17 (2012) 4029–4036. ment of the advanced encryption standard (AES), Tech. [20] J.-P. Eckmann, D. Ruelle, Ergodic theory of chaos and rep., National Institute of Standards and Technology strange attractors, Reviews of Modern Physics 57 (1985) (2000). 617–656. [9] R. Anderson, E. Biham, L. Knudsen, A candidate block [21] C. Robinson, Dynamical systems: stability, symbolic dy- cipher for the advanced encryption standard, http:// namics, and chaos, CRC Press, Boca Raton, United www.cl.cam.ac.uk/~rja14/serpent.html (1998). States, 1998. [10] B. Schneier, Twofish, http://www.schneier.com/ [22]G. Alvarez,´ S. Li, Some basic cryptographic requirements twofish.html (1998). doi:http://www.schneier.com/ for chaos-based cryptosystems, International Journal of twofish.html. Bifurcation and Chaos 16 (2006) 2129–2151. [11] R. Rivest, M. Robshaw, R. Sidney, Y. L. Yin, The [23] J. Amig´o,J. Szczepanski, L. Kocarev, Discrete chaos and block cipher, Tech. rep., RSA Laboratories and M.I.T. cryptography, in: International Symposium on Nonlin- Laboratory for Computer Science (1998). doi:http:// Theory and its Applications (NOLTA2005), 2005, pp. people.csail.mit.edu/rivest/Rc6.pdf. 461–464. URL http://people.csail.mit.edu/rivest/Rc6.pdf [24] J. Blackledge, N. Ptitsyn, Encryption using determinis- [12] National Institute of Standards and Technology, FIPS tic chaos, ISAST Transactions on Electronics and Signal PUB 197 advanced encryption standard, Pub-NIST, Processing 4 (2010) 6–17. 2001. [25] R. Schmitz, Public key cryptography: a dynamical sys- [13] M. Dworkin, Recommendation for block cipher modes tems perspective, in: Second International Conference of operation, Tech. rep., National Institute of Standards on Emerging Security Information, Systems and Tech- and Technology (2001). nologies, SECURWARE ’08, Esterel, France, 2008, pp. [14] J. Baetens, B. De Baets, Phenomenological study of ir- 209–212. regular cellular automata based on Lyapunov exponents [26] J. Machicao, A. Marco, O. M. Bruno, Chaotic encryp- and Jacobians, Chaos 20 (3) (2010) 033112. tion method based on life-like cellular automata, Expert [15] F. Bagnoli, R. Rechtman, S. Ruffo, Damage spreading Systems with Applications 39 (2012) 12626–12635. and Lyapunov exponents in cellular automata, Phys. [27] A. Marco, A. Martinez, O. Bruno, Fast, parallel and se- Lett. A 172 (1992) 34–38. cure cryptography algorithm using Lorenz’s attractor, In- ternational Journal of Modern Physics C 21 (2010) 265– 14

382. [33] M. Courbage, B. Kami´nski,Space-time directional Lya- [28] W. Stallings, NIST block cipher modes of operation for punov exponents for cellular automata, Journal of Sta- confidentiality, Cryptologia 34 (2) (2010) 163–175. tistical Physics 124 (2006) 1499–1509. [29] D. Wheeler, R. Needham, TEA, a tiny encryption al- [34] C. Langton, Computation at the edge of chaos, Physica gorithm, in: Lecture Notes in Computer Science (Leu- D 42 (1990) 12–37. ven, Belgium: Fast Software Encryption: Second Inter- [35] S. Wolfram, Universality and complexity in cellular au- national Workshop), Vol. 1008, 1994, pp. 363–366. tomata, Physica D 10 (1–2) (1984) 1–35. [30] R. Needham, D. Wheeler, Extended tiny encryption al- [36] C. Li, G. Chen, Estimating the Lyapunov exponents of gorithm, Tech. rep., Computer Laboratory Cambridge discrete systems, Chaos 14 (2) (2004) 343–346. University, Cambridge, UK (1997). [37] B. Luque, R. Sol´e, Lyapunov exponents in random [31] Korea Information Security Agency, A design and anal- Boolean networks, Physica A: Statistical Mechanics and ysis of 128-bit symmetric block cipher (SEED), http: its Applications 284 (1-4) (2000) 33–45. //tools.ietf.org/pdf/rfc4009.pdf (1999). [38] W. Barker, E. Barker, Recommendation for the triple [32] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, data encryption algorithm (TDEA) block cipher, Tech. J. Nakajima, T. Tokita, Camellia: a 128-bit block cipher rep., National Institute of Standards and Technology suitable for multiple platforms - design and analysis, in: (2012). Proceedings of the 7th Annual International Workshop [39] A. Venturini, Time series outlier detection: a new non on Selected Areas in Cryptography, SAC ’00, Springer- parametric methodology (washer), Statistica 71 (2011) Verlag, London, UK, 2000, pp. 39–56. 329–344.