A Block Cipher Based on a Suitable Use of Chaotic Standard Map

Chaos, Solitons and Fractals 26 (2005) 117–129

www.elsevier.com/locate/chaos

A block cipher based on a suitable use of the chaoticstandard map

Shiguo Lian *, Jinsheng Sun, Zhiquan Wang

Department of Automation, Nanjing University of Science and Technology, Nanjing 210094, PR China

Accepted 29 November 2004

Abstract

Due to their features of ergodicity, sensitivity to initial conditions and sensitivity to control parameters, etc., chaotic

maps have good potential for information encryption. In this paper, a block cipher based on the chaotic standard map

is proposed, which is composed of three parts: a confusion process based on chaotic standard map, a diffusion function,

and a key generator. The parameter sensitivity of the standard map is analyzed, and the confusion process based on it is

proposed. A diffusion function with high diffusion speed is designed, and a key generator based on the chaotic skew tent

map is derived. Some cryptanalysis on the security of the designed cipher is carried out, and its computational complex-

ity is analyzed. Experimental results show that the new cipher has satisfactory security with a low cost, which makes it a

potential candidate for encryption of multimedia data such as images, audios and even videos.

� 2005 Elsevier Ltd. All rights reserved.

1. Introduction

With the desirable properties of ergodicity and high sensitivity to initial conditions and parameters [1], chaotic maps

are very suitable for various data encryption schemes. In particular, chaotic maps are easy to be implemented by micro-

processors and personal computers. Therefore, chaotic cryptosystems generally have high speed with low cost, which

makes them better candidates than many traditional ciphers for multimedia data encryption.

Early chaos-based cryptosystems, developed in the last decade, modulate messages with chaotic signals generated

from continuous-time chaotic dynamic systems. This kind of cryptosystems depends heavily on the synchronization

of two chaotic systems [2]. Although this approach can be directly used for analog devices such as walkie-talkies, it suf-

fers from its poor noise performance and weak synchronizability: if the synchronization of the cryptosystem is robust,

then it is vulnerable to controlled-synchronization type of attacks; but if not, then even the receiver may easily lose syn-

chronization thereby leading to the failure of message recovery [3,4].

There are some other types of chaotic cryptosystems, most of which transform plaintext directly. And they are

often classified into two types: chaotic stream cryptosystems and chaotic block cryptosystems. In chaotic stream cryp-

tosystems, a key stream is produced by a chaotic map, which is used to encrypt a plaintext bit by bit [5,6]. A chaotic

block cryptosystem, on the other hand, transforms a plaintext block by block with some chaotic maps. For example, a

0960-0779/$ - see front matter � 2005 Elsevier Ltd. All rights reserved.

doi:10.1016/j.chaos.2004.11.096

* Corresponding author.

E-mail address: [email protected] (S. Lian).

mailto:[email protected]

118 S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117–129

cryptosystem based on the chaotic gradient tent map was constructed in [7], and the one based on the modified baker

map was suggested in [8]. These cryptosystems apply chaotic maps repeatedly, which guarantees the randomness of the

encrypted data. Their security is determined by the properties of the chaotic maps and the realization of the encryption

scheme. Notably, these cryptosystems often include digital data and analog data at the same time, which make them

rely heavily on the machine�s precision. Thus, the machine�s precision has to be considered in order to keep the decryp-

tion process symmetric to the encryption one, which decreases the speed of the encryption or decryption process.

In order to avoid the shortcomings of floating-point computing, some new cryptosystems based on discretized cha-

otic maps have been proposed. The core problem is how to obtain good discretized chaotic maps. Generally, chaotic

maps are discretized by rounding the floating data according to the computer�s resolution. As a result, these chaotic

cryptosystems depend on the mathematical properties of the corresponding continuous chaotic systems [9,10]. For

example, a cryptosystem was proposed in [10,11] by directly discretizing the 2-D baker map, and the relationship be-

tween the original map and the discretized map was then discussed in [12]. A cryptosystem based on the discretized tent

map was proposed in [13], in which, the discretization process avoids floating-point computing, increases the encryption

speed significantly and is therefore suitable for large-volume data encryption in real-time.

For cryptosystems, Shannon [14] defined the ideal security, perfect security and computational security, respectively.

A cryptosystem is regarded as having ideal security if the difficulty of ciphertext-only attack equals to the difficulty of

brute-force attack. In cryptosystems with ideal security, a ciphertext is uniformly and randomly distributed, which pre-

vents any attack. However, this kind of ideal cryptosystem does not exist in practice, so it is not useful for real design. A

cryptosystem is regarded as having perfect security if the ciphertext is independent of the plaintext, which means that the

ciphertext provides no help to attackers. Compared with the ideal security, perfect security is easier to be realized the-

oretically, but it is still difficult to be applied in practice. Shannon believed that, in practice, the security of a cryptosystem

depends on its computational complexity. If a cryptosystem is not ideally secure, but there is only one solution to it, and

any other solutions require very high computational complexity, then the cryptosystem is regarded as computationally

secure. Many cryptosystems are constructed based on high computational security, such as DES, IDEA, NSSU, etc.,

which are all implemented through confusion and diffusion processes, and are strengthened by increasing the loop time.

Based on the security defined by Shannon, some chaos-based block ciphers have been suggested [15–17]. An encryp-

tion scheme based on the discretized 2D chaotic maps, such as the cat map, the baker map and the standard map, was

proposed in [15]. It has been reported that some of the parameters of the cat map or baker map are not secure enough to

be used as encryption key. As a slight improvement, the 2D cat map and baker map were extended to 3D ones in

[16,17], respectively, based on which symmetric block ciphers were constructed and obtained improved applications.

For image encryption using the cat map, the image may be recovered by iterating the chaotic map for some rounds

under some control parameters. For image encryption using the baker map, the image may be kept unchanged after

some rounds of iteration under some control parameters. Therefore, these parameters should be excluded from encryp-

tion/decryption keys in order to obtain high security. Compared with the cat map and the baker map, the chaotic stan-

dard map has a larger parameter space, and there is no vulnerable parameters being reported to our knowledge. Thus, it

is worthy of being considered for better data encryption. In [15], only a discretization method was discussed for the

standard map, but its properties have not yet been fully analyzed. For this reason, the basic properties of the standard

map will be carefully analyzed in this paper, and some means will be proposed to improve its properties that are more

suitable for data encryption. Then, a symmetric block cipher based on the improved standard map will be designed,

which consists of three parts: a chaotic confusion process, a diffusion function, and a key generator. Finally, its security

and computational complexity will both be analyzed and tested.

The rest of this paper is organized as follows. In Section 2, a brief introduction to the chaotic standard map is given.

Its properties and some improvements are then analyzed and presented in Section 3. In Section 4, a new block cipher

based on the improved standard map is proposed, and its performances are analyzed and tested in Section 5. Finally,

some conclusions are drawn in Section 6.

2. Introduction to the standard map

The so-called standard map was introduced in [18,19], and is described by

aiþ1 ¼ ðai þ biÞmod2p;

biþ1 ¼ ðbi þ k sinðai þ biÞÞmod2p;

�ð1Þ

where k is the control parameter satisfying k > 0, and the ith states ai and bi both take real values in [0,2p) for all i. Thestandard map was discretized in a straightforward manner [15] by substituting x = aN/2p, y = bN/2p, K = kN/2p into

Eq. (1), which maps from [0,2p) · [0,2p) to N · N. After discretization, the map becomes

Table

Compa

Chaoti

Param

S. Lian et al. / Chaos, Solitons and Fractals 26 (2005) 117–129 119

xiþ1 ¼ ðxi þ yiÞmodN ;

yiþ1 ¼ yi þ K sin xiþ1N2p

� �modN ;

(ð2Þ

where K is a positive integer.

The properties of this discretized map may not be as good as the original one [19], but it can be implemented in the

integer domain, which reduces the computational complexity and is more suitable for real-time data encryption. In the

following content, the properties of this discretized standard map is firstly analyzed, then improved by introducing some

means, and finally used in data encryption.

3. Data confusion based on the standard map

3.1. Parameter sensitivity

In the discretized standard map (2), the control parameter K has a large space, and the confusion modes according to

these parameters are different from each other. Compared with the discretized cat map and baker map, this parameter

space is much larger, which is shown in Table 1. Where, the image�s size is N · N. For the cat map [15], its two param-

eters both range from 0 to N � 1, and each of the parameter pairs makes the according confusion mode different from

others. Thus, the parameter space of the cat map is N2. For the baker map, its parameter space is 2N�1 that is verified in

[15]. For the discretized standard map, its parameter K determines the confusion mode. Considering that the number of

the confusion modes of an N · N image is not larger than N2!, the parameter space of K is N2!. As can be seen, the

parameter space of standard map is the largest one among the three ones, which makes the discretized standard

map a good candidate for data encryption.

Recall that secure cryptosystem requires not only a large key space but also a high key sensitivity. That is, a slight

change in the key should cause some large changes in the ciphertext. This property makes the cryptosystem of high

security against statistical or differential attack. Here, if the standard map is used to permute the plaintext, then the

parameter K is used as the key. Thus, the key sensitivity is based on the parameter sensitivity that is in close relation

with the iteration time n and the plaintext size N. In the following, the parameter sensitivity of the discretized standard

map is tested, and a suggestion for selecting suitable parameters n and N will be proposed.

For the standard map is used to realize data permutation, the parameter sensitivity is defined as the position differ-

ence rate (Pdr) of the ciphertexts, which is computed according to the following procedures.

Firstly, the ciphertexts generated from different control parameters (K � 1, K and K + 1) are computed as

Y ¼ ½CðX ;KÞ�n;Y 1 ¼ ½CðX ;K � 1Þ�n;Y 2 ¼ ½CðX ;K þ 1Þ�n;

8><>: ð3Þ

where [C(X,K)]n means to iterate the chaotic map for n times, and the control parameter is K. Thus, the position dif-

ference rate (Pdr) is computed as

Pdrðn;NÞ ¼ DifðY ; Y 1Þ þDifðY ; Y 2Þ2N 2

� 100%; ð4Þ

where N is the size of the confused image, and Dif(A,B) is the number of different positions between permuted image A

and B. As can be seen from (3) and (4), Pdr is in relation with both n and N, which means that the parameter sensitivity

is in relation with both the iteration time and the image size.

Taking different parameters values, the relationships among the iteration time, the image size, and the position dif-

ference rate are tested and shown in Fig. 1. Where, Fig. 1(a) gives the relationship between the iteration time and the

position difference rate, and Fig. 1(b) gives the relationship between the image size and the position difference rate.

In Fig. 1(a), image size is N = 256 that is normal in practice, and the control parameter ranges from 0 to 50,000. Seen

from the figure, for the same iteration time, the sensitivities of different parameters are similar to each other; for the

1

rision of parameter spaces

c map Cat map Baker map Standard map

eter space N2 2N�1 N2!

Fig. 1. Parameter sensitivity test: (a) Pdr-parameter-n curve. (b) Pdr-parameter-size curve.


same parameter, the sensitivity increases as the iteration time increases. This shows that the standard map cannot keep

high parameter sensitivity always and big values should be selected for n in order to obtain high security. Thus, when

the standard map is used to realize the confusion process, the iteration time should be no smaller than 4 in order to keep

Pdr higher than 95%. If higher security is required, the iteration time with higher position difference rate (n > 4) is

preferred.

In Fig. 1(b), the iteration time is n = 4, and the parameter ranges from 0 to 50,000. As can be seen, for a certain

image size, Pdr keeps in a certain range that is named vibration range here; for different image size, the Pdr vibration

range decreases as the image size increases. For example, the vibration range corresponding to N = 32 is 93.8–99.7%;

the one corresponding to N = 64 is 94.3–98.9%; the one corresponding to N = 128 is 95.2–98.8%; and the one corre-

sponding to N = 256 is 97.2–98.9%. The lower limit of the vibration range increases as the image size increases. In order

to keep Pdr > 95%, the image size should satisfy NP 128. It means that when the standard map is used to permute

images, the image size should have a strict lower bound in order to keep high security. Here, N P 128 is recommended

when nP 4.

According to the above analysis, the control parameters have similar statistical properties, and can be used to obtain

high sensitivity if suitable iteration time and plaintext size are selected. Namely, the control parameters can be used as

encryption/decryption keys, and high key sensitivity can be guaranteed if the iteration time n and plaintext size N satisfy

the conditions: n P 4 and NP 128.

3.2. Corner-pixels confusion

In such chaotic maps as the standard map, cat map and baker map, the pixels at the corners of a square image have

some special properties. For example, in the cat map, the pixel at position (0,0) remains unchanged after any number of

iterations. That is, if (x0,y0) = (0,0), then ðxn0; yn0Þ ¼ ð0; 0Þ, where ðxni ; yni Þ (i = 0,1, . . . ,N � 1) denotes the position of pixel

(xi,yi) after n times of iterations. If the chaotic map is the baker map, the pixel at position (0,0) and (N � 1,N � 1) both

remain unchanged after any number of iterations. Similarly, for the standard map, the pixel at position (0,0) remains

unchanged after any number of iterations.

As can be seen, (0,0) is the first pixel�s position in a normal scan mode, but it cannot be permuted by any of the

chaotic maps mentioned above. This is actually a weakness of the permutation process based on such chaotic maps.

And it can do some help to the attackers although the permutation process is further strengthened by a diffusion pro-

cess. In order to avoid it, a simple method is proposed here to change the positions of the pixels at the corners ((0,0),

(0,N � 1), (N � 1,0) and (N � 1,N � 1)). That is, to change the normal scan order into a random one. After the iter-

ation of chaotic map, a random-couple (rx, ry) is generated, which represents the position of a randomly selected pixel in

the square image. Then, the whole image shifts in horizontal and vertical directions by rx and ry, respectively. That is,

the left-top pixel shifts from (0,0) to (rx, ry), which is shown in Fig. 2. Where, Fig. 2(a) is the normal scan mode, and Fig.

2(b) is the random-scan mode. Seen from Fig. 2(b), the image is shifted, and then the three outside parts (I, II and III)

are returned to the corresponding parts in the original image. The random shift process changes the normal scan mode

into a random one, so it is named a random-scan mode.

Fig. 2. Scan order in a square image: (a) normal scan mode, (b) random scan mode.


Here, the two parameters rx and ry both vary from 0 to N � 1. Thus, the random-scan process can be combined with

the chaotic permutation process, and the modified chaotic map becomes

xiþ1 ¼ ðxi þ rx þ yi þ ryÞmodN ;

yiþ1 ¼ yi þ ry þ K sin xiþ1N2p

� �modN :

(ð5Þ

Seen from (5), the modified map is still invertible, so the inverse-permutation process can be easily realized. This mod-

ified chaotic confusion process has two advantages: the random-couple can be generated under the control of keys,

which enlarges the cryptosystem�s key space; the random-scan process makes it difficult to break the diffusion key under

known-plaintext attacks. Referring to the first advantage, the key space for the random-couple is N2 (N is the width or

height of the image). As for the second advantage, the random-scan process confuses the position of the first pixel,

which makes attackers difficult to get the first pixel�s cipher-pixel, and thus increases the difficulty of breaking the dif-

fusion key. Clearly, this treatment indeed improves the security of the design.

3.3. Some means to reduce computational complexity

Generally, a chaotic map is iterated for several times in order to obtain high security when it is used to permute a

plaintext. According to the computation routine, the permutation process is often composed of two steps: position com-

puting and pixel moving. These two steps are repeated for n times, as shown in Fig. 3(a). In these two steps, position

computing is to get the destination position through Eq. (5), and pixel moving is to move the pixel from the original

position to the destination one. Thus, for each pixel, the permutation process makes up 7n times of multiplication/divi-

sion operations, 5n times of addition/subtraction operations, and n times of data moving operations. Suppose that the

Fig. 3. The permutation processes: (a) normal process, (b) improved method 1, (c) improved method 2.


operational times of multiplication/division, addition/subtraction and data moving are M, A and D, respectively. Then,

the operational time of pixel permutation satisfies

T 0 ¼ 7nM þ 5nAþ nD: ð6Þ

This is regarded as of high cost, especially when the plaintext is of large volume. So, it is necessary to reduce the com-

putational complexity.

Here, two kinds of methods are proposed to reduce the processing computational complexity, as shown in Fig. 3(b)

and (c), respectively. The first method is to compute the permutation mode firstly, which contains the pixels� positioninformation. Then the pixels are permuted according to the computed mode for n times. As is clear, this method com-

putes the permutation mode only once, and thus decreases the computational complexity. Now, the operational time is

reduced to

T 1 ¼ 7M þ 5Aþ nD: ð7Þ

In the second method, the computational efficiency for the permutation mode is reduced greatly. This is based on the

introduction of a sine table. Note that, in Eq. (5), the horizontal position of a pixel ranges from 0 to N � 1, thus the

function sin xnþ1N2p has only N different values. Although there are N2 pixels in an image, most of the sine values are com-

puted repeatedly. By constructing a sine table of size N, the computational complexity is decreased to

T 2 ¼ 3M þ 5Aþ I þ nD; ð8Þ

where I is the operational time of once table index. Considering that N is relatively small, the operational time of once

table index is often much less than the one of multiplication/division, that is,

I < 4M :

Thus, T2 is smaller than T1, and the following relationship is satisfied:

T 0 > T 1 > T 2: ð9Þ

In practice, N ranges from 64 to 1024. Taking 16-bit operations for example, the cost for table restoring is no bigger

than 2 kb, which has very little effect on other operations.

4. The cryptosystem based on the modified standard map

This cryptosystem is based on chaotic confusion and diffusion. The improved standard map is used here to realize

position confusion, while the diffusion function is used to realize data diffusion. And the operations are repeated several

times to strengthen the cryptosystem. The encryption process is shown in Fig. 4. Where, P and C are the plaintext and

Fig. 4. Encryption and decryption processes of the chaotic cipher: (a) encryption process, (b) decryption process.


ciphertext, respectively, Kc and Kd are the keys of the confusion process and diffusion process, respectively. The con-

fusion process Ce(Pi,Kci) is firstly repeated for n times, then together with the diffusion process De(Mi,Kdi), are repeated

for m times. Pi, Mi and Ci are the plaintext, mid-text and ciphertext of the ith encryption process, and m is the number

of repetitions. The decryption process is symmetric with the encryption one, and the decryption keys are the same as the

encryption ones.

Seen from Fig. 4, the encryption process is

P iþ1 ¼ CiðP 0 ¼ P ; i ¼ 0; 1; . . . ;m� 1Þ;Ci ¼ DeðMi;KdiÞ ¼ DeðCn

eðP i;KciÞ;KdiÞ

(ð10Þ

and this process is repeated for m times. Similarly, the decryption process is

Ciþ1 ¼ P iðC0 ¼ C; i ¼ 0; 1; . . . ;m� 1Þ;P i ¼ Cn

dðMi;KciÞ ¼ CndðDdðCi;KdiÞ;KciÞ

(; ð11Þ

where Kci and Kdi are the ith confusion key and diffusion key, respectively. Since the encryption process and the decryp-

tion process are symmetric in this cryptosystem, the encryption keys are the same as the decryption keys. For the con-

fusion process C(P,K) has been analyzed above, the following analysis emphasizes on the diffusion process D(M,K) and

the key generator.

4.1. Diffusion function

In the well-known DES algorithm, the diffusion function is realized by substitution. Here, the diffusion process De(-

Mi,Kdi) is realized by a diffusion function that spreads changes from one pixel to another under the control of key Kdi.

The diffusion function is defined as

c�1 ¼ Kdi;

ck ¼ pk � q½f ðck�1Þ; L�;

(ð12Þ

where pk is the kth pixel in mid-text Mi,ck is the kth diffused pixel, and L is the amplitude of each pixel. Here, c�1 is the

original value of the diffusion function, which acts as part of the key of the cryptosystem. And f(Æ) is the logistic map

that is defined as

f ðck�1Þ ¼ 4ck�1ð1� ck�1Þ: ð13Þ

And q[Æ] is the quantization process defined by

qðX ; LÞ ¼ 2L � X ; ð14Þ

where X = 0Æx0x1x2 � � �xL � � �, and xi is a binary number (0 or 1). The inverse diffusion function is

c�1 ¼ Kdi;

pk ¼ ck � q½f ðck�1Þ; L�;

(ð15Þ

where the parameters are the same as the ones defined in (12).

4.2. Key generation and distribution

The proposed cryptosystem is composed of multi-processes, so it is necessary to introduce a key generator to realize

sub-key generation and distribution. In the modified cryptosystem, the key space is composed of three parts: confusion

key, random-scan key and diffusion key. These keys are changed once after every n iterations. Thus, for the encryption

process with m-time repetition, m key-triples are generated in the encryption process that is symmetric with the decryp-

tion one. Here, a key generator is proposed based on the skew tent map, which is shown in Fig. 5. The key generation

process is applied both in encryption and in decryption processes, where the user key is divided into six parts:

X1,X2,X3,K1,K2,K3. Among them, Xi and Ki (i = 1,2,3) are used, respectively, as the initial value and the parameter

of the skew tent map, which are used to generate the keys of the confusion process, the random-scan process and

the diffusion process, respectively. The skew tent map is described by

xjþ1 ¼ f ðxj; hÞ ¼xjh 0 < xj 6 h;1�xj1�h h < xj 6 1;

(ð16Þ

Tent MapX1

K1

Tent MapK1

Tent MapX1

m-1

K1

...

Tent MapX2

K2

Tent MapK2

Tent MapX2

m-1

K2

...

Tent MapX3

K3

Tent MapK3

Tent MapX3

m-1

K3

...

X1m

X2m

X3m

Fig. 5. Key generation process.


where h is the chaotic map�s control parameter (ranging from 0 to 1), xj and xj+1 are the jth and the j + 1th states,

respectively. Let X ti (t = 1,2,3, . . . ,m) denote the key in the tth iteration, we define it as

X ti ¼ ½f ðX t�1

i ;KiÞ þ f ðX t�1ði�2Þmod3þ1;Kði�2Þmod3þ1Þ�mod1

¼ F ði; tÞmod1 ¼F ði; tÞ 1 P F ði; tÞ P 0;

F ði; tÞ � 1 F ði; tÞ > 1;

( ð17Þ

where X 0i ¼ X i (i = 1,2,3). Thus, X t

1 is the confusion key, X t2 is the random-scan key, and X t

3 is the diffusion key in the

tth iteration. The process is applied for m times, and the generated sub-keys are in close relation with the user key when

the iteration time m is not smaller than 3. Thus, a slight change in the user key will cause great changes in these sub-

keys, which gives the cryptosystem a high key sensitivity.

5. Performance analysis

5.1. Security analysis

5.1.1. Key space

As mentioned above, the key of the cryptosystem is composed of three parts: permutation parameter K, random-

scan key [rx, ry], and diffusion key c�1. Thus, for an N · N sized plaintext, the size of the space of permutations is

N2!, the one of random-scan is N2 and the one of diffusion is L (the gray level of each pixel). These three parts are inde-

pendent from each other. Therefore, for m iterations, the size of the space of the whole encryption process is

HðN ; L; n;mÞ ¼ ðN 2! � N 2 � LÞm: ð18Þ

Here, it is proposed to take n = 4, m = 4 and L = 256. If N P 128, and the total size satisfies H(N, 256,4,4) > 2256. That

is, if the user key has 256 bits, then there is no contradiction among these keys, which keeps the cryptosystem of high

security against brute-force attacks.

5.1.2. Confusion and diffusion

Confusion and diffusion [14] are two basic design criteria for secret-key encryption algorithms with high computa-

tional security. Confusion means that the ciphertext depends on the plaintext and the key in a complicated and involved

way. Diffusion requirement on a cipher means that each plaintext bit should influence every ciphertext bit and each key

bit should influence every ciphertext bit.

In the proposed cryptosystem, it is satisfied that

Ci ¼ DeðMi;KdiÞ ¼ DeðCneðP i;KciÞ;KdiÞ:

Here, Ce(Pi,Kci) is a chaotic map, so the relationship between Kci, Pi and Mi is nonlinear. Similarly, De(Mi,Kdi) is a

nonlinear function, which means that the relationship between Kdi, Mi and Ci is nonlinear. Therefore, the ciphertext

Ci is nonlinearly dependent on the plaintext Pi and the key Ki. Hence, the proposed cryptosystem satisfies the confusion

design criterion. What�s more, the chaotic map has a high parameter-sensitivity. That is, a one-bit change in the key

causes great changes in the ciphertext, which means that the ciphertext Ci depends on each bit of the key Ki. On the

other hand, the diffusion function has a high diffusion-speed. That is, a one-bit change in the plaintext causes great

Fig. 6. Image confusion test: (a) original image, (b) FD = 2.7288, (c) confused image, (d) FD = 2.9966.


changes in the ciphertext, which means that the ciphertext Ci depends on each bit of the plaintext Pi. Hence, the pro-

posed cryptosystem satisfies the diffusion design criterion.

5.1.3. Statistical attack

In the proposed cryptosystem, the chaotic standard map is used to permute the plaintext. Its parameters have similar

sensitivity, as shown in Fig. 1. This makes it difficult to break the cryptosystem through parameters analysis. Addition-

ally, the confusion process permutes the plaintext so greatly that the correlation between two adjacent pixels is very

small. Thus, it is difficult for a statistical attack to break it by analyzing the pixels� correlations. Taking 4 iterations

of chaotic confusion for example, the original and the confused images are shown in Fig. 6. Obviously, the confused

image looks more chaotic than the original one. Taking the fractal dimension (FD) as measurement [20], the FD of

the confused image is 2.9966 that is closer to 3 compared with the one of the original image. It means that the corre-

lation between adjacent pixels is greatly reduced.

Additionally, the diffusion process is realized by a 1-D chaotic map that generates chaotic sequences with good pseu-

do-random properties. Thus, the diffused images are randomly distributed, which makes it difficult for statistical at-

tacks. Taking a (256 · 256) sized Lena for example, the original image, the encrypted image and their histograms

are shown in Fig. 7. It is clear that the encrypted image is confused and cannot be understood. Moreover, the histogram

of the encrypted image is nearly uniformly distributed, which makes statistical attacks difficult. Experiments on various

images have shown similar results. These properties tell that the proposed cryptosystem has high security against sta-

tistical attacks.

5.1.4. Sensitivity-based attack

The proposed cryptosystem has high key sensitivity and plaintext sensitivity. This means that a slight change in the

key or in the plaintext will causes great changes in the ciphertext. These properties make various sensitivity-based (dif-

ferential) attacks difficult to break the cryptosystem.

The plaintext sensitivity of the cryptosystem is corresponding to both the chaotic map�s initial-value sensitivity and

the diffusion function�s diffusion speed. Here, the cryptosystem is used to encrypt images, and the experimental results

for Lena are shown in Fig. 8. Where, n = 4 and m = 4, The original image and encrypted image are shown in Fig. 8(a)

and (b), respectively, Fig. 8(c) is the encrypted image of the one with only one-bit change in the original image (a), while

Fig. 7. Statistical analysis of image encryption: (a) original image, (b) encrypted image, (c) histogram of the original image, (d)

histogram of the encrypted image.

Fig. 8. Plaintext sensitivity test: (a) original image, (b) encrypted image, (c) encrypted image, (d) difference between (b) and (c).


Fig. 9. Correlation test: (a) correlation between plaintext and ciphertext, (b) correlation between different ciphertexts.


(d) is the difference-image between the two encrypted images: (b) and (c). As can be seen, most of the pixels in Fig. 8(d)

are nonzero, which means that the difference between image (b) and image (c) is big enough. Thus, the cryptosystem has

high plaintext sensitivity.

The key sensitivity of the cryptosystem benefits from the chaotic map�s parameter sensitivity and the diffusion func-

tion�s initial-value sensitivity. Here, tests are performed on the correlation between the plaintexts and the ciphertexts

that are encrypted by different keys, and on the correlation between different ciphertexts that are encrypted by different

keys. Taking Lena for example, the correlation between Lena and different ciphertexts encrypted by keys ranging from

1 to 5000 are computed and shown in Fig. 9(a). Similarly, the correlation between the ciphertext encrypted by key 1600

and other ciphertexts encrypted by keys ranging from 1 to 5000 is computed and shown in Fig. 9(b). As can be seen, the

correlation curve between a plaintext and the corresponding ciphertext is a curve lying around zero, which shows that

the plaintext is nearly independent from the ciphertext. This is consistent with the perfect security defined by Shannon

[14]. Similarly, the correlation curve between different ciphertexts is an impulse-like curve, which shows that the cipher-

texts are independent from each other. This clearly shows its high key-sensitivity.

5.2. Computational and complexity analysis

Compared with traditional block ciphers [21] such as DES, IDEA and NSSU, the proposed chaos-based cryptosys-

tem has some distinct properties. Firstly, the plaintext size of the chaos-based cryptosystem is not fixed. The bigger the

size of the plaintext matrix, the more difficult the brute-force attack, and the more secure the cryptosystem. This advan-

tage makes it suitable for large-volume data encryption such as image, audio and perhaps also video data. Secondly, the

confusion process and diffusion process are controlled completely by the users (via the user keys), so they act more se-

curely as compared to the fixed confusion and fixed diffusion processes used in traditional ciphers. Thirdly, the confu-

sion and diffusion processes are known to all users, so the encryption process is clear to them without any possibility of

being trapped like the S-boxes in DES. What�s more, the encryption process and decryption process are symmetric, and

easy to be realized, which makes it suitable for multimedia encryption.

Here, tests are performed on the encryption speed of the proposed chaotic cryptosystem (with n = 4, m = 4, N > 64),

with a comparison to the DES algorithm. The source code proposed in [21] is used here. The computer used for con-

figuration is Pentium IV 1.7 GHz CPU with 256M memory. The resulting curves are shown in Fig. 10, which show the

relationship between the encryption speed and the plaintext size. Seen from the figure, both curves are increasing as the

plaintext size increases, that is, the encryption speed increases with the plaintext size. However, the curve of the chaotic

cryptosystem rises much slower than the one of DES. Moreover, with the increase of the block size N, the time differ-

ence becomes larger and larger. Therefore, for large-volume data, the chaotic cryptosystem proposed here is better

overall.

0 500 1000 1500 2000

100

101

102The Proposed AlgorithmDES

Plain text Size N (Byte)

Tim

e lg

/(s)

Fig. 10. Encryption speed test.


6. Conclusions

In this paper, the basic properties of the discretized chaotic standard map have been carefully analyzed, including the

parameter sensitivity and computational complexity. Some means to enhance the chaotic map�s performance in data

permutation have been suggested. Based on the improved standard map, a block cipher has been designed and pre-

sented for encrypting large-volume data sets. It is composed of improved chaotic confusion, diffusion, and key gener-

ation. Both theoretical analysis and experimental results show that the proposed cryptosystem has satisfactory security

and can be implemented efficiently, thus may provide a choice for multimedia encryption applications.

Acknowledgment

The authors thank Prof. Guanrong Chen for some important suggestions. This research was supported by the Na-

tional Natural Science Foundation of China through the grant number 60174005 and the Natural Science Foundation

of Jiangsu Province through the grant number BK2004132.

References

[1] Kotulski Z, Szczepariski J. Discrete chaotic cryptography (DCC). In: Proc NEEDS�97.[2] Kapitaniak T. Controlling chaos, theoretical and practical methods in non-linear dynamics. London: Academic Press; 1996.

[3] Alvarez G, Montoya F, Romera M, Pastor G. Breaking parameter modulated chaotic securecommunication system. Chaos,

Solitons & Fractals 2004;21:783–7.

[4] Yang T. A survey of chaotic secure communication systems. Int J Comput Cognit 2004;2:SI-130.

[5] Kohda T, Tsuneda A. Stream cipher systems based on chaotic binary sequences. SCIS96-11C, January 1996.

[6] Lu HP, Wang SH, Hu G. Pseudo-random number generator based on coupled map lattices. Int J Modern Phys B 2004;18(17–19):

2409–14.

[7] Habutsu T, Nishio Y, Sasase I, Mori S. A secret key cryptosystem by iterating chaotic map. Lect Notes Comput Sci

1991;547:127–40.

[8] Tsueike M, Ueta T, Nishio Y. An application of two-dimensional chaos cryptosystem. Technical Report of IEICE, NLP96-19,

May 1996 [in Japanese].

[9] Percival I, Vivaldi F. Arithmetical properties of strongly chaotic motions. Physica D 1987;25(1–3):105–30.

[10] Scharinger J. Kolmogorov systems: internal time, irreversibity and cryptographic applications. In: Dubois D, editor. Proc AIP

Conference on Computing Anticipatory Systems, vol. 437. Woodbury, NY: American Institute of Physics; 1998.

[11] Pichler F, Scharinger J. Finite dimensional generalized Baker dynamical systems for cryptographic applications. Lect Notes

Comput Sci 1996;1030:465–76.

[12] Kocarev L, Jakimoski G, Stojanovski T, Parlitz U. From chaotic maps to encryption schemes. In: Proc IEEE Int Symp ISCAS�98,vol. 4, May/June 1998, p. 514–7.


[13] Masuda N, Aihara K. Cryptosystems with discretized chaotic maps. IEEE Trans Circ Syst—I 2002;49(1).

[14] Shannon C. Communication theory of secrecy systems. Bell Syst Tech J 1949;28:656–715.

[15] Fridrich J. Symmetric ciphers based on two-dimensional chaotic maps. Int J Bifurcat Chaos 1998;8(6):1259–84.

[16] Chen G, Mao YB, Chui CK. A symmetric image encryption scheme based on 3D chaotic cat maps. Chaos, Solitons & Fractals

2004;12:749–61.

[17] Mao YB, Chen G, Lian SG. A novel fast image encryption scheme based on the 3D chaotic Baker map. Int J Bifurcat Chaos

2004;14(10):3613–24.

[18] Jackson EA. Perspectives in nonlinear dynamics. Cambridge: Cambridge University Press; 1991.

[19] Rannou F. Numerical study of discrete plane area-preserving map. Astron Astrophys 1974:289–301.

[20] Chen CC, Daponte JS, Fox MD. Fractal feature analysis and classification in medical imaging. lEEE Trans Med Imaging

1989;8(2):133–42.

[21] Vanstone SA, Menezes AJ, Oorschot PC. Handbook of applied cryptography. London: CRC Press; 1996.

A Block Cipher Based on a Suitable Use of Chaotic Standard Map

Documents

chaotic block cryptosystems

chaotic systems

chaotic stream cryptosystems

types of chaotic cryptosystems

chaotic mapsa block

chaotic standard mapis

chaotic skew tentmap

chaotic stream cryptosystems