On the Cryptanalysis of Two Cryptographic Algorithms That Utilize Chaotic Neural Networks

This paper deals with the security and efficiency issues of two cipher algorithms which utilize the principles of Chaotic Neural Networks (CNNs). The two algorithms that we consider are (1) the CNN-Hash, which is a one-way hash function based on the Piece-Wise Linear Chaotic Map (PWLCM) and the One-Way Coupled Map Lattice (OCML), and (2) the Delayed CNN-Based Encryption (DCBE), which is an encryption algorithm based on the delayed CNN. Although both of these cipher algorithms have their own salient characteristics, our analysis shows that, unfortunately, the CNN-Hash is not secure because it is neither SecondPreimage resistant nor collision resistant. Indeed, one can find a collision with relative ease, demonstrating that its potential as a hash function is flawed. Similarly, we show that the DCBE is also not secure since it is not capable of resisting known plaintext, chosen plaintext, and chosen ciphertext attacks. Furthermore, unfortunately, both schemes are not efficient either, because of the large number of iteration steps involved in their respective implementations.


Introduction
Over the last few decades, the phenomenon of chaos has been widely investigated and applied in a variety of domains including social networks, control systems, and prediction.A chaotic system is characterized by salient phenomena such as its sensitivity to initial values, its pseudorandomness, and ergodicity, rendering it to be quite similar to a cryptographic system.The characteristics that render chaotic systems to be akin to cryptographic algorithms are listed below.
(1) Chaotic Maps versus Encryption/Decryption Algorithms.The form of a chaotic system is usually iterative, when the system is discrete, or it involves differential equations when it is continuous.As opposed to this, an encryption/decryption algorithm is usually a nonlinear mapping from the plaintext space to the ciphertext space, and this mapping is, often, not complex.The similarity between the two is that both of them can yield, as their outputs, results that appear to be random, by virtue of the underlying algorithm repeating certain steps.
(2) Iterations versus Rounds.For a chaotic system, each of the steps mentioned above that are "repeated" constitute a socalled "iteration."As opposed to this, a cryptographic system involves a sequence of "rounds."Only long-term chaotic iterations can yield sequences that appear to be random [1].
(3) Controlling Parameters versus Keys.If a chaotic system starts from a given initial value, different control parameters can yield different output sequences at each iteration.This, in turn, is analogous to the role of keys in a cryptographic system.The similarity between the two lies in the fact that it is computationally infeasible to deduce the initial input without knowing the controlling parameters or the keys, respectively.

(4) Sensitivity to Initial Values versus Diffusion and Confusion.
When it concerns a chaotic system, a slightly different initial value may result in a significant difference in the output generated after a sufficiently large number of iterations.Analogously, in a cryptographic system, the change of even a single bit (whether it is in the key or the plaintext) should affect most of the ciphertext bits.Furthermore, the statistics relating the plaintext and the key should be "as complicated as possible." Thus, if we regard the plaintext or the key as the initial value, the ciphertext should be highly sensitive to these.
(5) Pseudorandom and Ergodic.The sequence of outputs generated by a chaotic system should be able to fill the entire range in a random-like manner.Analogously, a good encryption algorithm requires that the ciphertexts be randomly distributed in the cipher space.
Brief Survey of the Field.As a result of the above observations, chaos has also been widely applied in the field of information security since Matthews proposed the first chaotic encryption algorithm [2] in 1984.Later, Baptista and Alvarez reported two cryptographic algorithms based on the phenomenon of chaotic searching in [3][4][5], respectively.While Erdmann and Murphy described a stream cipher based on the so-called Henon maps [6], Kanso and his coauthors illustrated a novel hash function [7] and showed how one could achieve digital image encryption based on chaotic maps [8].Kocarev and Tasev presented a public-key encryption [9] and random number generators [10] based on chaotic maps.A detailed list of articles that advocate the use of chaotic principles in cryptographic systems can also be found in [11,12], and systematic reviews about chaos-based ciphers are found in [13,14].Now that chaotic maps have been proven to be useful in encryption; researchers have attempted to use Chaotic Neural Networks (CNNs), which are characterized by much more complicated dynamics than chaotic maps, to develop cryptosystems.The authors of [15][16][17] proposed different oneway hash functions based on different CNNs.Similarly, Yu and Cao proposed an encryption algorithm based on delayed CNNs [18].Our present paper concerns some of these results.
Motivation of This Paper.Although the latter above-mentioned authors have affirmed that their schemes are secure and efficient, in this paper, we shall demonstrate that the security levels guaranteed by them are weak and that they are inefficient.For example, most chaos-based ciphers require an excessive number of iterations, without which the ciphertexts are not sensitive to plaintexts.As opposed to these, traditional ciphers, for example, the AES, only require a 10round calculation if one utilizes a key of 128 bits.Further, since chaotic equations are typically specified on the set of real numbers, the associated accuracy of implementing these schemes using digital computations is also problematic.Indeed, when we implement the associated computations numerically, we observe that some of the significant digits will be automatically truncated, and the consequence of this is that the original system which was chaotic within the domain of "real" numbers is no longer chaotic [13]!Also, the improvement brought about by increasing the accuracy using higher-precision software entails a larger computational cost.
In this paper, we analyze two typical CNN-based cipher systems, the first of which is a one-way hash function and the second is an encryption method.However, we believe that our analysis is also valid for other CNN-based schemes.

The CNN-Based Hash Function
2.1.The Description of the CNN-Based Hash Function.The authors of [15] proposed a novel one-way hash function based on a special CNN.The structure of the network (more details about PWLCM's dynamics and analysis can be found in [19] and omitted here to avoid repetition.) is shown in Figure 1.
In brief, we remark that the CNN compresses a 256-bit sequence to yield a 128-bit sequence: where () is the Logistic map and  is a coupling factor between 0 and 1.
We now present the process involved in the hash function as follows.
(1) Data Preparation.Divide the given plaintext into small blocks   , where each block is 4 × 8 bits long.All together, there are 8 such blocks.Thus, the network is able to accept a 256-bit length input sequence at a time.
(2) Data Formatting.Format the input integer numbers to be real number between [0, 1] by means of the PWLCM.To be specific, this is achieved by using   =   ( 1   , ), where  is the number of iterations that is enforced so as to yield the required "diffusion" and "confusion, " and  ∈ (0, 0.5) is the control parameter.The authors of [15] have suggested to set  = 40 and  = 1/3.
(5) Output Preparation.The output of each neuron is given by where  2  means the th row of  2 .
(6) Loop.Repeat the above steps until all message blocks have been processed.
(7) Assembling.Transform the output of each neuron of the last CNN to be a 32-bit sequence and then combine the four The CBC mode hashing process.
32-bit sequences to be the final 128-bit hash value, as shown in Figure 2.
Summary.The entire process of the CNN-Hash can be summarized by the following equations: where  2 , Θ,  are computed according to the CNN,  1 ,  are given constants, and   is transformed from the plaintext.

The Analysis of the CNN-Based Hash Function.
Although the authors of [15] claimed that this CNN-Hash has good properties such as its sensitivity to the plaintext and the key, its one-way computation power, and its anti-birthday attack, our analysis below proves that it is not secure.
As is well known, a good one-way hash function (both keyed or unkeyed) must satisfy the following conditions [20].
(1) Efficiency.For a given key  and message , it must be easy to compute the Message Authentication Code (MAC): (, ).
(2) Preimage Resistance.For a given value  * , it must be computationally infeasible to find  such that (, ) =  * .
(3) Second-Preimage Resistance.For a given message , it must be computationally infeasible to find a different message  such that (, ) = (, ).
(4) Collision Resistance.It must be computationally infeasible to find two different messages  and  such that (, ) = (, ), where the two inputs  and  can be freely chosen.
We now evaluate the properties of the CNN-Hash by using the above metrics.
(1) Analysis on Efficiency.As explained above, the computations needed for the CNN-Hash are done on the elements of the real numbers in [0, 1], which is, unarguably, much slower than the corresponding computations executed on the set of integers.Besides, according to Step (4), we have to do at least 300 iterations to compute the first output  0 , which is thereafter used as the input for hashing the second block.Therefore, for hashing a message of 1 MB, we need at least 1024 × 1024 × 8 × 300/256 = 9,830,400 iterations, which is a computationally intensive task.The authors of [15] have stated that their algorithm is not competitive against MD5 or SHA and said that it requires almost twice as much computation as both of them.Our analysis and experiments, however, show that the performance is even worse than they claimed.To confirm this, we mention that we conducted a simulation on an Intel Celeron CPU E1500 (2.20 GHz) with 4 G main memory and the time involved for the CNN-Hash for a 1 MB input of text was almost 59.83 s, which is much more expensive than the cost of both the MD5 and the SHA.
(2) Analysis on Preimage Resistance.Because chaotic maps have ergodic and stochastic properties, it is, indeed, not possible to find the inverse of a given value.This is especially true for the CNN-Hash which uses two different chaotic systems.From this perspective, we agree with the fact that the CNN-Hash is Preimage resistant even when the key  is known.
(3) Analysis on Second-Preimage Resistance.Although the CNN-Hash is Preimage resistant, it is not Second-Preimage resistant.The reason for this is quite straightforward.Consider (4) from which we see that the final hash value only depends on the initial value   and the key .Thus, if we are able to find another different  *  such that   ( 1  *  , ) =   ( 1   , ), we can conclude that the subsequent intermediate/final results are exactly the same if the system uses the same key.For example, consider (1) and the iteration trajectories of the PWLCM as shown in Figure 3. From examining these, we see that we can determine four different values: sharing the same iteration trajectories yielding the final result   () = 0.39887.Thus, if we let V =  1   and (V, ) =  (where  is some specified value), by examining (1), we see that we can have at least four solutions for {V}: We can thus have four different { *  } each of which is the solution of  1  *  = V  , whence we see that the CNN-Hash is not Second-Preimage resistant.
(4) Analysis on Collision Resistance.The analysis on collision resistance is quite similar to the analysis on Second-Preimage resistance and is omitted here in the interest of brevity.
Besides the above four conclusions, we can also claim the following.
(1) The OCML Component Has Many "Weak Keys." According to Step (3), the initial values of the OCML come from the initial key .Based on the above, one can see that those keys which lead to the four equal parts are necessarily weak keys.Further, the reader should observe that since the CNN is a fully connected network, if  0 =  1 =  2 =  3 , we can conclude that no matter how many iterations have been done, the condition  0 () =  1 () =  2 () =  3 () always holds, which implies that a message of length 256 bits compresses to ) and ends at (0.84, 0.40) (marked with a "square").The reader should note that associated with the line  = 0.75 (marked with dash-dot line), there are at least four starting points that share the same trajectory.These are, namely, the points (0.3, 0.75), (0.475, 0.75), (0.525, 0.75), and (0.7, 0.75), which, in turn, implies that there is a collision for at least four different initial inputs.
be 32 bits long instead of being 128 bits long.Thus, in this case, we see that it is feasible to find a collision since the ciphertext space is contracted.
(2) Hash Values Do Not Obey a Uniform Distribution.The OCML employs the Logistic chaotic map, whose values are not uniformly distributed in [0, 1].To demonstrate this, we have computed the statistics of the distribution, and these are shown in Figures 4(a) and 4(b).We can clearly see from the two figures that most of the values fall into the intervals close to unity.This will cause the distribution of the hash values to also be nonuniform, further implying that the probability of collision is high in certain parts of the interval [21].

The Description of the Delayed CNN-Based Cryptography.
Delayed CNNs have been widely investigated in the past decades.The authors of [18] proposed a cryptographic system based on a special type of the delayed CNN.The model used in [18] is also a Hopfield-like NN which exhibits chaotic phenomenon and which obeys the following equation: where (1)  denotes the number of units in the CNN,    (7).In this figure, the values of () and () are calculated by means of the fourth-order Runge-Kutta method.The time span is from 0 to 200 with a total of 30,000 steps.
The dynamics of ( 7) have been well studied and it is reported that it can exhibit rich chaotic phenomenona [22,23].As demonstrated in [18,23], if the parameters are the trajectories of ( 7) are shown in Figure 5.
The encryption and decryption schemes proposed in [18] are based on (7) and can be summarized as follows.
(i) Initialization.Obtain the starting point  0 from the last  0 transient time iterations as  0 =  1 ( 0 ℎ) where ℎ is the discretized time step.
(ii) Data Preparation.Divide the plaintext  into subsequences   of length  bytes, for example,  = 4.That is, any message  can be digitized as where   is an 8-bit binary string.Then combine four   to form a 32-bit binary block, implying that   =   ,  +1 ,  +2 ,  +3 .
The following steps constitute the core process of encryption.
(1) Dynamic Parameter Computing.Iterate the initial value   38 times and to yield  +1 ,  +2 , . . .,  +38 .Extract one bit from the 38 numbers and to obtain a 38-bit random binary sequence, where    =   (  ) is computed as per and where  and  are the upper and lower bounds of   , respectively, Denote Also, let   denote the decimal value of  1  .
(2) Permutation.Permute the message block   with left cyclic shift   bits and the message block   with right cyclic shift   bits, to obtain  *  and  *  .If  2  = 0, the () is used for the successive block iteration illustrated in Step (1).Otherwise, () is used as the initial value of the next iteration.
As for the decryption, the steps are very similar to the encryption process except in the case of Step (3), where The plaintext   can be recovered by performing inverse permutations with right cyclic shifts of   bits.

The Analysis of the Delayed CNN-Based Cryptography.
We now proceed to analyze the security and performance of the delayed CNN-based cryptography.Our goal is to demonstrate that this cryptography has several weaknesses as follows.
(1) Nonrandomness. and  are not uniformly distributed, which causes the "random" bits generated in Step (1) to be nonrandom.To illustrate this, we present the frequency statistics of the value of () and ().The parameters used here are exactly the same as those used in Figure 5.We categorize the combination of () and () into 4 classes: We can clearly see from the statistics that more than a half (52.06%) of the () and () gather in the first quadrant, while only 48.94% distribute in the other three quadrants.This phenomenon is confirmed from Figure 5. Furthermore, as demonstrated in Step (1), we can normalize () and () into [0, 1] by where  and  are the upper and lower bounds of , respectively.We can thus generate the "random" binary bits according to ().Indeed, the new counts are Clearly, the bits generated by (12) are not "random." (2) Trajectory Behavior.The authors of [18] did not use the trajectories as shown in Figure 5 directly.Instead, the random bits were generated according to the 38 successive iterations, as demonstrated in Step (1).We should thus carefully check the randomness of the corresponding sequences.According to Step (2) in Section 3.1, if  2  = 0, () is used for the successive iteration; otherwise, it is ().In this case, we swap the value of () and () every 38 iterations.As shown in Figure 6 we can see that the value of () and () is very close during the 38 iterations, which means the random bits  1   2  ⋅ ⋅ ⋅  38  are almost identical.In spite of the above, the authors of [18] attempted to use this sequence to achieve the goals of "diffusion" and "confusion."It is well known that a sequence possessing poor randomness properties cannot be used in any cryptographic algorithm [21], because it would otherwise lead to a more predictable ciphertext.Consequently, we argue that this algorithm is not secure.
(3) Resistance to Attacks.This cryptographic system cannot resist known plaintext attacks, chosen plaintext attacks, and chosen ciphertext attacks.To demonstrate this, assume that an attacker has some plaintext-ciphertext pairs ( 1 ,  1 ), ( 2 ,  2 ), and ( 3 ,  3 ), where {  } are the first 4 bytes of different plaintexts.If they are all encrypted by the same key, according to the algorithm, then  *  ,   and some other intermediate iteration results should be the same.Thus where ≪ denotes the cyclic left shift operation.Thus, Since ( 1 ,  1 ) and ( 2 ,  2 ) are known, it is quite easy to find the value of   .After that, we can solve the equation  1 ⊕  3 = ( 1 ⊕  3 ) ≪   and thereafter determine  3 successfully.
Observe that during the whole process, we did not need any knowledge about the delayed CNN.The reason why we are able to proceed with such attacks is that the authors did not introduce the concept of the Initial Vector to the scheme.
(4) Efficiency.Although the authors of [18] claimed that the algorithm is efficient, this is not really the case.Actually, this conclusion is also true for many other cryptosystems such as those algorithms presented in [8,24], which involve time delays in their equations.It is well known that the Runge-Kutta method is one of the best ways to solve differential equations where the initial values are provided.However, this method is still far too expensive when compared to traditional block ciphers such as the DES or AES.Indeed, the computation of these traditional ciphers involves a finite field and only makes use of simple operations such as permutation.As opposed to this, solving differential equations involves the set of real numbers.For example, to encrypt a plaintext with size 1 M bytes, we have to divide the message into 1024 × 1024/4 = 262,144 blocks, where each block is of length 4 bytes.According to the encryption phase, at least  0 + 38 iterations are involved to encrypt a single block.If we assume that  0 = 62, we see that we have to thus do approximately 262,144 × 100 = 26,214,400 iterations to encrypt the entire file, which is, really, prohibitively large.More specifically, on an Intel Celeron CPU E1500 (2.20 GHz) with 4 G main memory, this encryption time using Matlab was about 7 minutes, which is unacceptable when compared to the "real time" operation of traditional block ciphers.
(5) Statistical Attacks.The reader should take note of the fact that the block size was increased from 64 bits in DES to 128 bits in AES in order to avoid statistical attacks.Thus, it is not recommended that one uses blocks whose sizes are less than 128 bits in modern block ciphers [25].Consequently, the fact that the Delayed CNN-based cryptography still relies on Exclusion OR operations involving strings of length 32 bits renders it more susceptible to statistical attacks.

Conclusion
Chaotic Neural Networks have been widely used in various fields such as pattern recognition, dynamic associate memory, and optimization.Recently, cryptography based on chaos or CNNs has drawn great attention.In this paper, we present a detailed analysis of two typical cipher schemes: the CNN-Hash and Delayed CNN-Based Encryption.The former compresses a plaintext onto a 128-bit sequence, which is similar to MAC.The latter encrypts plaintext so that an eavesdropper will not be able to decrypt the message without the key, which is analogous to common cipher algorithms.
Although the authors have affirmed that their schemes are secure and efficient, our investigation proves that these claims are not valid.We have proven that the CNN-Hash is not Second-Preimage resistant and collision resistant.The DCBE has also been shown to not be secure since an attacker can partially recover the plaintext by using a known plaintext attack, a chosen plaintext attack, or chosen ciphertext attack.
We have also concluded that the two schemes are not computationally efficient.

Figure 1 :
Figure 1: The structure of the network used for the CNN-Hash.

Figure 3 :
Figure 3: An example of the PWLCM's iteration trajectories.The four red bold lines make up the image of the PWLCM.The line  =  and vertical and horizontal lines indicate the iteration process.In this figure, an iteration begins at starting point (0.3, 0.75) (marked with *) and ends at (0.84, 0.40) (marked with a "square").The reader should note that associated with the line  = 0.75 (marked with dash-dot line), there are at least four starting points that share the same trajectory.These are, namely, the points (0.3, 0.75), (0.475, 0.75), (0.525, 0.75), and (0.7, 0.75), which, in turn, implies that there is a collision for at least four different initial inputs.

Figure 6 :
Figure6: The controlled trajectories of(7).For a better view, we have used a larger step 0.05 yielding a lesser number of points.The points contained in rectangles are marked as 1 and 3, 2 and 4 are symmetric pairs along the axis given by the line  = .