A dynamical systems approach to the discrimination of the modes of operation of cryptographic systems Jeaneth Machicao∗ Scientific Computing Group, S~aoCarlos Institute of Physics, University of S~aoPaulo (USP), PO Box 369, 13560-970, S~aoCarlos, SP, Brazil - www.scg.ifsc.usp.br Jan M. Baetensy KERMIT, Department of Mathematical Modeling, Statistics and Bioinformatics, Ghent University, Coupure links 653, 9000 Ghent, Belgium - www.kermit.ugent.be Anderson G. Marco Scientific Computing Group, S~aoCarlos Institute of Physics, University of S~aoPaulo (USP), PO Box 369, 13560-970, S~aoCarlos, SP, Brazil - www.scg.ifsc.usp.br Bernard De Baetsz KERMIT, Department of Mathematical Modeling, Statistics and Bioinformatics, Ghent University, Coupure links 653, 9000 Ghent, Belgium - www.kermit.ugent.be Odemir M. Brunox Scientific Computing Group, S~aoCarlos Institute of Physics, University of S~aoPaulo (USP), PO Box 369, 13560-970, S~aoCarlos, SP, Brazil - www.scg.ifsc.usp.br (Dated: September 12, 2018) Evidence of signatures associated with cryptographic modes of operation is established. Motivated by some analogies between cryptographic and dynamical systems, in particular with chaos theory, we propose an algorithm based on Lyapunov exponents of discrete dynamical systems to estimate the divergence among ciphertexts as the encryption algorithm is applied iteratively. The results allow to distinguish among six modes of operation, namely ECB, CBC, OFB, CFB, CTR and PCBC using DES, IDEA, TEA and XTEA block ciphers of 64 bits, as well as AES, RC6, Twofish, Seed, Serpent and Camellia block ciphers of 128 bits. Furthermore, the proposed methodology enables a classification of modes of operation of cryptographic systems according to their strength. I. INTRODUCTION particular [5]. Since this major breakthrough, the functioning of The propagation and continuous flow of information the industrial, financial and public sector has become are of utter importance for the development of stable strongly dependent on the advances of cryptography. For economies throughout the world as they are a prerequi- instance, while the availability of worldwide networks has site for successful business transactions, short- and long- enabled rapid dissemination of information, it has also range communication, and so on [1]. Often this infor- stimulated cryptographic innovations because a signifi- mation has to be encrypted in such a way that it can cant share of this information may only be available to a be safely transferred between the sender and recipient few parties. In this manner, technological progress dur- without allowing others to read the information that ing the last decades has increased the need for secured is present in such an encrypted message [2]. On the communication and transactions, information shielding, arXiv:1504.02549v1 [cs.CR] 10 Apr 2015 other hand, malicious persons and organizations, but also and so on [3, 4]. governmental organizations, are continuously striving to In the last few decades, modern cryptography replaced break the key with which messages were encrypted be- mechanical schemes with new computing models. This cause this might enable them to get those pieces of in- modern focus influenced the classical design of ciphers formation that are needed to achieve their criminal, pro- far beyond the original purpose. Nowadays, there are tective, or other goals [3, 4]. It is probably due to the two class of cryptographic algorithms depending on the impact of Turing's success in breaking the Enigma that key: symmetric and asymmetric. Symmetric encryption humanity became aware of the importance of cryptogra- algorithms use the same key for both encryption of plain- phy in general, and the vulnerability of ciphers more in text and decryption of ciphertext. This class of algorithm is also divided into two categories: stream ciphers and block ciphers. Block ciphers have gained wide popular- ∗ [email protected] ity since the introduction of the first adopted encryp- y [email protected] tion: The Data Encryption Standard (DES) [6], in the z [email protected] mid-1970s, yet nowadays this cipher is considered prone x [email protected] to brute force attacks. To overcome this shortcoming 2 the International Data Encryption Algorithm (IDEA) [7] or asymptotically stable, respectively, or the system is was designed in 1991 to replace DES. Ever since, there conservative, which means that the initial separation re- has been a pursuit for the development of new algo- mains. rithms that meet the rising security expectations. In As the fields of cryptography and dynamical systems 1997, the National Institute of Standards and Technol- are not yet strongly interwoven, the basic definitions and ogy (NIST) [8] selected the official Advanced Encryption concepts that relate to those systems and that are of Standard (AES) among many competitors, namely Ser- interest within the framework of this paper are presented pent [9], Twofish [10], RC6 [11], Rijndael [12], etc. in Section II, while the dynamical systems viewpoint on To date, block ciphers are the most important ele- cryptographic systems is presented in Section III together ments in many cryptographic systems [3]. A block ci- with the proposed method for identifying the underlying pher breaks a message into blocks of elements (bits) and mode of operation. Finally, the strengths of the proposed then encrypts one block (plaintext) at a time producing method are illustrated and discussed in Section IV by its corresponding output block (ciphertext). However, a means of computer experiments. block cipher by itself allows for the encryption of only one block, such that it is recommended to use a mode of operation in conjunction [13]. This mode of opera- II. PRELIMINARIES tion specifies a mechanism to improve the corresponding block cipher, while encrypting all of the blocks, one by In this section we introduce the specificities of both one, as it goes along. cryptographic and dynamical systems that are indispens- Motivated by the analogies between cryptographic and able for a clear understanding this paper. dynamical systems, on the one hand, and the lack of a means to discriminate between different modes of opera- tion that can be used to encrypt a message with a block A. Block ciphers and modes of operation cipher using a single key, on the other hand, we demon- strate in this paper how Lyapunov exponents can be re- Classically, an encryption system encloses three major lied upon for tackling this problem. More specifically, components, namely a cipher, a key, and finally, a cipher- by contemplating the whole of a cipher, ciphertext and text. The former constitutes a sequence of instructions key as an utter discrete dynamical system, i.e., a cellular that must be executed in order to encrypt a given plain- automaton (CA), and by resorting to the notion of Lya- text, which may be envisaged as a sequence of N bits, punov exponents as they have been conceived for such such that it can be represented as a Boolean vector P of systems [14, 15], we show how these measures can be ex- length N. The result of this encryption process using a ploited to identify the mode of operation that was used key K, which is a sequence of k bits, is a so-called cipher- during the encryption process. text, which may be represented in a similar fashion as a Although the cryptographic process of encrypting and Boolean vector C of length N [3]. decrypting information does not constitute a dynamical Of course, the real plaintext size varies and is mostly system as such, it has been reported that it is possible different from the length of the blocks for which a block to draw parallels between cryptographic and dynamical cipher is designed. Consequently, common ciphers can- systems [16{19]. Hence, drawing upon such parallels, we not be applied directly for the encryption of arbitrary- have a means to exploit similar tools as the ones that have length plaintext [28]. In order to overcome this issue, been conceived in the framework of dynamical systems in so-called block ciphers have been designed and imple- order to characterize cryptographic systems. Taking into mented. A block cipher slices the plaintext of length N account that the stability of a dynamical system is gen- into b blocks of n bits, after which each of these blocks is erally acknowledged as its main characteristic because it encrypted/decrypted by a block cipher, denoted as EK −1 gives insight into its intrinsic nature [20, 21], it is natural and EK , respectively. Mathematically, the encryption to verify whether the dynamical systems viewpoint of a of a plaintext P = (P1;P2;:::;Pb) of length n into a cryptographic system allows for a similar notion in order ciphertext of the same length can be formalized as C = k n n to better understand the latter. An exploration of this E(K; P) = EK (P), where E : 0; 1 0; 1 0; 1 . is further motivated by the fact that several researchers If the length N of the plaintextf isg not×f a wholeg ! multiple f g have noticed a close resemblance between a cryptographic of b, additional bits are padded to the last block of the system on the one hand, and a chaotic system, on the plaintext. other hand [22{25], and the large number of chaos-based These block ciphers encrypt a plaintext in accordance cryptosystems [26, 27]. with a well-defined procedure, which is commonly re- Classically, the stability of a dynamical system is as- ferred to as the mode of operation of a block cipher. A sessed by computing its so-called largest Lyapunov expo- block cipher encrypts one block at a time, and it is the nent that quantifies how it behaves if it is evolved from mode of operation that allows a block cipher to encrypt two different but close initial conditions [20].