"Unbreakable" Encryption Almost Certainly Isn't

This headline is provocative: "Human biology inspires 'unbreakable' encryption."

The article is similarly nonsensical:

Researchers at Lancaster University, UK have taken a hint from the way the human lungs and heart constantly communicate with each other, to devise an innovative, highly flexible encryption algorithm that they claim can't be broken using the traditional methods of cyberattack.

Information can be encrypted with an array of different algorithms, but the question of which method is the most secure is far from trivial. Such algorithms need a "key" to encrypt and decrypt information; the algorithms typically generate their keys using a well-known set of rules that can only admit a very large, but nonetheless finite number of possible keys. This means that in principle, given enough time and computing power, prying eyes can always break the code eventually.

The researchers, led by Dr. Tomislav Stankovski, created an encryption mechanism that can generate a truly unlimited number of keys, which they say vastly increases the security of the communication. To do so, they took inspiration from the anatomy of the human body.

Regularly, someone from outside cryptography -- who has no idea how crypto works -- pops up and says "hey, I can solve their problems." Invariably, they make some trivial encryption scheme because they don't know better.

Remember: anyone can create a cryptosystem that he himself cannot break. And this advice from 15 years ago is still relevant.

Another article, and the paper.

Posted on April 8, 2014 at 6:16 AM • 51 Comments

Comments

Rob • April 8, 2014 8:38 AM

I wondered how long it would be before this showed up here.

After seeing no cryptologist on the team, I wrote it off. Do you have any idea of how secure it really is?

Elizabeth • April 8, 2014 8:44 AM

I skimmed through the paper a couple times. Maybe I missed it (it's still early and I'm not a physicist), but it seemed like the paper was all about how to create a great, unbreakable key... but there was nothing about how to secretly distribute this key. I found it funny that they kept inferring that their algorithm could not be broken by "traditional methods of cyberattack", because it was impossible(?) to brute force. In this case, I think the "traditional" method of attack would be to steal the key somehow.

Mike Koss • April 8, 2014 9:35 AM

In the spirit of the original RSA paper, I think the authors should offer a substantial financial bounty for decrypting a sample ciphertext.

John • April 8, 2014 9:41 AM

Unlimited number of keys... Too bad infinity doesn't translate well into binary ;)

Martin • April 8, 2014 9:50 AM

You don't treat all crypto research announcements the same. The researchers have to belong to 'the club' and receive 'permission.' That doesn't work anymore so you can hammer on that button all you want. A lot has happened in 15 years and a lot of people are hard at work and I don't mean writing books and giving lectures.

Here's some advice for anyone involved in crypto R&D. Don't communicate with anyone in the media, ever, at all. No matter how much you think it will help you raise money. It will ALWAYS damage your credibility.

Ingrid • April 8, 2014 10:22 AM

@Martin if anyone were to say Einstein were wrong, then they'd better have proof to support it.

To say any encryption scheme is "unbreakable" is akin to saying there is such a thing as perpetual motion. If you want to stand behind such a grand claim, then you'd better have some great backing for that.

We don't need Schneier to write that off. Anyone with some basic idea of encryption will have some serious doubts about such a claim.

And what is "unlimited"? There is even a finite number of hydrogen atoms in the universe. For something like encryption, I just can't wrap my head around that.

Simon • April 8, 2014 10:34 AM

Oh...now I know what the problem is. You people are illiterate. Let's see a raise of hands. How many commenters actually read the paper? Or did you just lazily read the post, or maybe just the hokey pop news article?

Martin • April 8, 2014 10:40 AM

Ingrid - can you show me in the paper where the researchers claim they built a system that was unbreakable? And are you claiming that there's no such thing as information-theoretic security? Wow. You'd better have some big guns to back that up.

And who or what are you comparing to Einstein? The researchers are physicists, not magazine writers.

iReadThePaper • April 8, 2014 10:45 AM

The abstract for anyone who never read the paper:

"Secure encryption is an essential feature of modern communications, but rapid progress in illicit decryption brings a continuing need for new schemes that are harder and harder to break. Inspired by the time-varying nature of the cardiorespiratory interaction, here we introduce a new class of secure communications that is highly resistant to conventional attacks. Unlike all earlier encryption procedures, this cipher makes use of the coupling functions between interacting dynamical systems. It results in an unbounded number of encryption key possibilities, allows the transmission or reception of more than one signal simultaneously, and is robust against external noise. Thus, the information signals are encrypted as the time variations of linearly independent coupling functions. Using predetermined forms of coupling function, we apply Bayesian inference on the receiver side to detect and separate the information signals while simultaneously eliminating the effect of external noise. The scheme is highly modular and is readily extendable to support different communications applications within the same general framework."

Nick P • April 8, 2014 10:55 AM

I just skimmed the paper. It involves emergent properties, Bayesian inference, etc. It's very interesting work that goes in a different direction than standard crypto.

That said, I wouldn't trust it as it uses math that's much newer and with more potential for surprises than established crypto. We already know how to build symmetric systems that are nearly unbreakable so we might as well use those.

Of course, I'll be happy if more fundamental research in this crypto subfield leads to new public crypto algorithms. That's where we have fewest options and desperately need more algorithms.

Note: I plan to give the paper a more thorough read later. Might spot more possibilities.

Justin • April 8, 2014 10:58 AM

To be frank, I don't actually understand what they're doing. I'm at the point of "coupling between dynamical systems something-something unbounded number of encryption key possibilities", but I have no idea what that's actually supposed to mean.
It is notable that, while the title talks about "secure communication", they only appear to tackle noise-resistance; they don't seem to do any actual work on attack-resistance of any kind.

What am I missing?

x0089BA • April 8, 2014 10:59 AM

Most of the time, these sorts of outlandish claims actually come from some line that some idiot picked out of context from a section of the university press release that forms a nice attention-grabbing headline. The first time I saw this story, it also had a link to a previous story from the same author last summer claiming that a paper had disproved the "Shannon Theory of Information" and that crypto was broken. Obviously I was amazed - crypto has been broken for MONTHS and I didn't know about it?! Tracing it back, I found that the claim that was being repeated was that someone had said that (a certain subset of) crypto was "exponentially easier than we thought". The full quote, however, was "It's still exponentially hard, it's just exponentially easier than we thought".

What are the chances these serious scientists publishing in a peer reviewed journal made such ridiculous claims compared with the chances that someone along the chain of people making university press releases more attention-grabbing started to make the claims a bit more sensational?

Simon • April 8, 2014 11:02 AM

The word 'unbreakable' isn't even in the paper.

Here is the tone:

"We anticipate that coupling-function encryption—thus far just a theoretical concept—will have great impact on a diversity of experimental implementations, e.g., on those mentioned above [14,18,20–22]."

This is a research paper. And an exceedingly interesting one. And I can tell you with absolute certainty that Bruce cannot explain their research. If you think hanging out on the blog makes you a cryptographer, or parroting what someone else says, you're going to get thrown under a bus just as fast as the researchers at Lancaster University. Wake up! If you want to be a cryptographer go break something, or build something and then break it.

Andrew • April 8, 2014 11:05 AM

Looks like some infinite RNG for some OTP, based on body signals.

I don't think that tons of amateur encryption algorithms out there is necessarily a bad thing.... it will exhaust the time and resources of those too curious. :))

Joe • April 8, 2014 11:41 AM

From what I've read, the "key" consists of knowing which coupling functions are used and, with Bayesian Inference, arrive at the plaintext. Don't know how resilient the coupling functions are from brute-forcing (haven't read that deeply yet). But my sense is that if you do have the specific coupling functions used and access to all transmissions (ie, for Bayesian Inference to work) then it's easy to decrypt from there.

Clive Robinson • April 8, 2014 12:43 PM

@ Justin,

    To be frank, I don't actually understand what they're doing. I'm at the point of "coupling between dynamical systems something-something unbounded number of encryption key possibilities", but I have no idea what that's actually supposed to mean

OK, I'll try to sort it out by analogy...

Take two pendulums swinging on the same axis but mechanically independent of each other except for the surface they stand on. When you put them close together they fall into synchronisation or stop dead over a period of time. This "lock up" or "injection locking" has been known since 1666, when the inventor of the clock driven pendulum, Christiaan Huygens, observed it [1].

This "injection locking" of pendulums is a simple form of "coupling between dynamic systems" which can be described by moderately complex mathematics.

A more complex system involves "jointed" or double pendulums, where the behaviour of such a pendulum initially looks (but is not always) chaotic [2]. Whether it behaves chaotically or not is dependent on the input conditions and respective weighted lengths of the two parts.

However, if instead of using a traditional clock pendulum with the drive at the top, you drive it from the bottom in the same way as a metronome, it behaves in a similar way to a pendulum (which it still is), but when you place a joint in the section above the drive point you have a cusp where the jointed part moves upwards and over / back due to gravity. It is thus remarkably sensitive not just to its initial and other input conditions but to the instability of the cusp. It is thus inherently chaotic.

With such chaotic behaviour you would thus not expect synchronisation of two such jointed metronomes/pendulums to occur, but it does [3]. More importantly, although synchronised to each other they still exhibit chaotic behaviour.

Thus observation of only one pendulum appears not just chaotic but unpredictable; it is only on observing both that it can be seen from the synchronisation that prediction is possible if all conditions are known at all times...

[1] http://en.m.wikipedia.org/wiki/Entrainment_(physics)

[2] http://en.m.wikipedia.org/wiki/Double_pendulum

[3] http://en.m.wikipedia.org/wiki/Synchronization_of_chaos

[4] http://mw.concord.org/modeler1.3/mirror/mechanics/doubleinvertedpendulum.html

Jim • April 8, 2014 12:58 PM

It seems to me that the current two-step authentication used by Paypal and others is pretty secure, because Paypal sends me a code via text message (i.e. via a totally separate medium than the medium by which I am logging in), and I have only a short time to put it in (i.e. it will expire shortly). Further, anytime anyone tries to log into my Paypal account, I receive a text message, notifying me that someone is making the attempt.

Although I haven't found where Paypal states it, I am sure that the code I receive also serves as an encryption key for my session.

In my opinion, all of this makes for excellent, if not unbreakable security, if in fact the code serves as an encryption key. In fact, I believe that the only way you can achieve "unbreakability" is to send the encryption code via a totally separate medium than the one you're logging in on.

Gustav • April 8, 2014 1:08 PM

Security of the underlying mechanism notwithstanding, is there anything interesting in this proposal? Consider reproducing the claims here with proved systems as an exercise.

You could clearly create a cipher with variable key size/fixed block size and make the key arbitrarily large, claiming the space to be "infinite", but in reality some key size will be chosen and your brute force would simply require exhausting typical key sizes.

The "multiple streams" claim is also confusing -- doesn't increasing block size provide exactly that?

Finally, there's the "noise resistance". How does it compare to encode->encrypt? Given that we have very good codes already I don't really expect this joint encode+encrypt to have better performance than a separable method -- au contraire, it is usually acceptable to get a performance hit if you can put things into layers, layering is probably the most useful abstraction in communication systems.

Andrew2 • April 8, 2014 1:16 PM

The authors ignore quantization of the parameters of their coupling functions. For them, a key constitutes a choice of coupling functions between two or more dynamical systems. Because the space of possible continuous functions is an uncountable set, they assume that the number of possible keys for their protocol is infinite. In reality, two choices of coupling functions only correspond to different keys if they produce an observable difference at the inference engine within the observation time. For a finite observation time, the uncountable set of possible coupling functions will partition into a finite set of neighborhoods. Any two choices of coupling functions within the same neighborhood will produce identical observations at the inference engine. Thus, the number of possible keys is actually finite and determined by the time over which the dynamical systems are observed and the resolution with which the signals from the systems can be read.

The same effect is at play if a key consists of a choice of random number drawn uniformly from the set [0,1]. If I draw two numbers and start reading off their digits to you, you'll only be able to tell they are different if you wait long enough to hear the first digit at which the two numbers differ. As long as you're only willing to wait to hear a finite number N of digits, the number of distinguishable keys will be bounded by 2^N (assuming a binary expansion) even though [0,1] itself is uncountable.

aikimark • April 8, 2014 1:47 PM

The cardio-vascular pump system is inherently chaotic. My take on this is that the researchers are trying to hide/pass information inside the chaos.

Clive Robinson • April 8, 2014 1:53 PM

@ Gustav,

It depends on what you call "interesting"; there is currently quite an interest in chaotic systems and unpredictability as a source of randomness etc.

Which has given rise to this paper,

http://m.bjps.oxfordjournals.org/content/60/1/195.full

Which gives a roundup of some of the issues.

@ Andrew2,

I'm glad that somebody else can see the difference between theoretical and practical ;-)

I guess someone will have to work out at which point the practical implementation is secure (if it ever can be).

Nick P • April 8, 2014 2:08 PM

For those wondering "why chaotic methods?", this paper mentions rationales in multimedia while giving references on specific methods.

One concern I have with these approaches is complexity. The standard ciphers, esp symmetric, are internally simple enough that some have been implemented with EAL7+ processes. It took a while for that to happen with RSA/ECC, which proved more difficult. Over time, we also developed easier ways to catch timing channels, aided by simplicity of algorithms.

So, as I looked at the paper, I'm seeing a complex and nonlinear design. I'm wondering how hard it will be to implement such cryptosystems without design, implementation, and configuration vulnerabilities. It's hard enough for developers, esp in FOSS circles, to get right a cryptosystem that can be described in one page. I'm not sure increasing the complexity of the crypto primitives is a good idea.

Of course, this is just a research paper exploring things so I'm not criticizing it necessarily. I'm just concerned that dynamic coupling systems are inherently harder to assure than a series of simple transformations on a data stream. I bet we're going to see attacks nobody has even had to worry about so far.

David in Toronto • April 8, 2014 2:38 PM

@crocodile Crux

Given that this and the fixing update to OpenSSL was announced yesterday, is this really big news?

David in Toronto • April 8, 2014 2:39 PM

@Clive Robinson :)

A friend of mine had a saying:

Q: What's the difference between theory and practice?
A: Nothing. In Theory.

jm • April 8, 2014 3:47 PM

I wonder if the cipher somehow differs from an ordinary stream cipher, where the random number generator is just based on a Lorenz or Rössler ODE system.

Chris S • April 8, 2014 4:00 PM

@Clive;

That's a very clear and succinct description. And I think I grasp enough of it to try mapping it backwards. (I will likely be wrong.)

The initial conditions are the initial positions of the pendulums.

The next state of one pendulum is a function of the current state, but sufficiently chaotic that it is not predictable except via the chaotic progression.

Two parties can thus both start their pendulums, allow them to move into synchronization, and then use their own to know where the "other" pendulum is.

It would seem that they foresee (we're still in metaphor-space here) using the positions of the pendulums as keys. I would assume that the idea is that they communicate via the synchronization mechanism, but each party cannot actually measure the other party's pendulum.

We have many of these features in current crypto-system components.

Initial pendulum positions are akin to an initialization vector.

A chaotic forward function can be a hash function. Running the hash function 1000 times over the previous state gives you the next state. This is metaphorically equivalent to letting the pendulums run.

I can propose a mechanism where "unsynchronized hashes" get out of sync because you use somewhere between 980 and 1020 repetitions of the hash between steps. You then communicate a fraction of the hash to the other party - like the last 20 bits - and they use that to bring their hashing into sync. Uncommunicated bits in the hash are the current key. The use of Bayesian inference suggests that you actually communicate not the last 20 bits, but the last 20 bits with 10 random bits flipped randomly. It is essential, therefore, to be 'close' with the hashing sequence in order to locate the next synchronization point.

You can tune the system by varying the number of hashes between cycles, the range of hashes allowed for the next sync point, the number of bits communicated, and the number of bits randomly flipped.

As noted above, like many crypto systems, you still need to communicate the initial conditions. If it is like a shared key, that could be tricky. However, Diffie-Hellman might allow us to set an initial state in a known secure manner. Of course, Diffie-Hellman lets us regularly set to new states based on random values already - which may be part of Bruce's long-standing point about newcomers not having taken the time to understand the current landscape.

This strikes me as ingenious, but rather difficult to assess for strength.

In a metaphorically similar way, I'm likely wrong here, but I'm just not sure where or how.


Benni • April 8, 2014 6:52 PM

http://heartbleed.com/

The NSA has a program codenamed "FLYING PIG" where they impersonate Google in SSL connections http://goo.gl/fcm1ih. For this, they either need to steal SSL security certificates, or they must insert bugs in crypto libraries to make them either accept faulty certificates, or to allow the NSA to get the encryption keys.

At first, a bug for exactly this was found in Apple's iOS: http://goo.gl/Rqc0hh
Then, a similar bug was found in the open source library GnuTLS: http://goo.gl/8qRxLa

Therefore, it was really just a matter of time before a similar bug would be found in OpenSSL, which is used in open source browsers like Firefox or Chromium.

Now it happened: http://heartbleed.com/

Surely, the NSA must get project "Flying Pig" to work somehow.

I would be interested in the dev's name that introduced this bug, and perhaps where he works now.

For example, according to:
http://www.heise.de/security/meldung/Mehr-Details-zur-Hintertuer-im-Zufallszahlengenerator-Dual-EC-DRBG-2159523.html

The developer who coded the extended random packet for RSA, which makes cracking of their algorithms a thousand times more vulnerable, is now working for Mozilla to "develop" the TLS libraries of Firefox browsers.

Nevertheless, it may even be that these bugs were mistakenly introduced. For example, the GnuTLS bug came from the developer who is still mainly responsible for the library.

The scary thing is that even if the bugs were there due to mistakes, the NSA might still be using them, since one can be sure there is some hacker employed by the NSA who does nothing but try to crack the one crypto library that you are using.


kodlu • April 8, 2014 7:54 PM

It's just another chaotic dynamics based random number generator, with the university publicity department going into over the top advertising mode about its possible impact down the line. A veritable line of papers along these lines get published in the physics, and some in the engineering literature. This one seems to be novel--though I am not an expert--in terms of using biophysical properties to "seed" the thing.

BTW, I have seen crypto research projects based on chaotic oscillators and the like, supported by the US Defence establishment--Air Force supported it, I think, it's been a long time since I looked at such papers, a name like Friedrich has stuck in my head as one of the researchers--no idea whether crypto they may have developed has been implemented/used?

Thoth • April 8, 2014 9:00 PM

I came up with a couple of ciphers last week and I can't break them! Lol... :D

The truth is it can't be broken probably at the moment of inception in the minds of the creators but it can be broken by others later on. Just a matter of time.

(Biology != Cryptography). I remembered someone attempted to use some genetic sequence or some biology thing as "encryption" some time back a few years ago.

Even Schneier's MacGuffin cipher was quickly broken just shortly after it was introduced.

Reading Schneier's books on Cryptography or studying Cryptography subjects in school does not make someone a Cryptographer until they have actually made a name for themselves in Cryptography.

So many "UNBREAKABLEs" attempt to catch headlines but lack true substance.

Nick P • April 8, 2014 9:39 PM

@ kodlu

Most work I've seen in military is in Greece.

@ All

More papers on this kind of stuff. They include synchronization, encryption, an ongoing US Army attempt to build CRNG out of it, and so on.

Introduction to chaos-based communications and signal processing 2000 Silva and Young
http://fourier.eng.hmc.edu/e84/silva.pdf

Synchronization of chaos in coupled oscillators 2006 Gintautas
http://guava.physics.uiuc.edu/~nigel/courses/569/Essays_Spring2006/files/gintautas.pdf

Chaos synchronization and cryptography for secure communication - applications for encryption 2010 Banerjee
http://www.igi-global.com/book/chaos-synchronization-cryptography-secure-communications/40276

Image encryption scheme based on coupled chaotic systems Volos Greek Army
http://www.scienpress.com/Upload/JAMB/Vol%203_1_7.pdf

Ultrafast physical random number generation using chaos 2014 Army
http://www.zyn.com/sbir/sbres/sttr/dod/army/army14a-002.htm

Secure text encryption based on hardware chaotic noise generator 2014 Volos and Andreatos Greek Air Force & Army
http://t-h.wikispaces.com/file/view/Text%20Encryption%20w%20Chaotic%20Noise%20Generator.pdf/499811542/Text%20Encryption%20w%20Chaotic%20Noise%20Generator.pdf

By now, it should be clear what any opponents of Greece need to be breaking. ;)

anonymous • April 9, 2014 3:27 AM

benni:

Robin Seggelmann
T-Systems International GmbH
Fasanenweg 5
70771 Leinfelden-Echterdingen
DE

T-Systems... honi soit qui mal y pense

Nick Alcock • April 9, 2014 6:37 AM

Benni, both Firefox and Chromium use Mozilla NSS, thus are unaffected. (Chromium bundles a copy of OpenSSL in its source tree, but it's only used for a few tests.)

B. D. Johnson • April 9, 2014 10:36 AM

#include <iostream>

int main() {
    int key = 0;
    while (true) {              // never terminates: an "infinite" supply of keys
        std::cout << key << '\n';
        key++;                  // a C++ int overflows after INT_MAX, so the supply is not really infinite
    }
}

There, an infinite number of keys. Of course, an infinite amount of keys doesn't mean anything if your scheme isn't secure and usable.

Nick P • April 9, 2014 11:22 AM

@ aikimark

That's pretty cool. Paper is paywalled, though. Clive, what do you think of that thing?

Meanwhile, if it's hardware, I'm sticking with the methods that are easy to build/verify and don't need degrees in quantum mechanics. Atmospheric noise, the LavaRnd CCD trick, silicon TRNGs, and my own methods are fine, esp. when several are combined.

moo • April 9, 2014 8:24 PM

@Jim:

"It seems to me that the current two-step authentication used by Paypal and others is pretty secure, because Paypal sends me a code via text message (i.e. via a totally separate medium than the medium by which I am logging in), and I have only a short time to put it in (i.e. it will expire shortly)."

So let me summarize:
(1) The NSA captures the text message sent from Paypal to you, containing your code.
(2) The NSA captures some or all of the Internet traffic between Paypal and you during your "securely" encrypted session.
(3) You posit that the encryption key from your session is derived in some fashion from the code that was sent in the text message. The NSA, having bothered to spend a day or two digging into this, knows the algorithm used to derive it, and can independently produce the correct key and decrypt whatever part of the session they managed to capture.

...Yeah, I do hope there's a little more to this "pretty secure" system.

If you really want to be secure, don't use computers, don't use phones, don't use the Internet, don't travel to the USA, and don't associate with any of the "bad people" who the USA is afraid of (which seemingly includes a large fraction of their own citizens). Living in modern society currently means living under the all-seeing gaze of GCHQ, NSA, ASIO et al. I'm curious how long it will take to go from all-seeing gaze to jackboot-stomping-on-face. We're one small disaster away from a long and awful fling with totalitarianism.

Clive Robinson • April 9, 2014 9:54 PM

@ moo,

    We're one small disaster away from a long and awful fling with totalitarianism

Twenty years ago this week an aircraft was downed, killing all aboard, which is seen as the opening spark that caused the genocide in Rwanda. In the 100 days that followed the 6th of April 1994, close to a million people were raped/tortured, with the majority then being murdered with almost unimaginable barbarity.

A hundred years ago a single person shot another and World War One started (assassination of Archduke Ferdinand), with a resulting direct and indirect death toll that was thought to have been unimaginable.

In the intervening years most conflicts were started by, at the time, almost insignificant events when considered in the totality of everyday living. For instance, the man setting himself on fire that sparked the Arab Spring uprising, which has given rise to a number of conflicts, not least being Syria.

We just don't know what these insignificant events are at the time that feed political instability to give not just a "small disaster" but major conflict.

For instance, three recent events, MH370, the US-assisted war games by South Korea and Russia invading Ukrainian territory, all occurring in politically unstable areas, could be trigger events; we just don't know yet. I'm fairly certain though that some will regard Putin as the new face of totalitarianism.

Dave Howe • April 10, 2014 6:06 AM

This looks to be in the same class as many other attempts to provide crypto via synched chaotic systems (as has been pointed out above) - nothing there seems particularly novel, so not sure how/why it is patent pending (unless they just rely on the US Patent office being its usual clueless self)

Full paper can be read for free at http://journals.aps.org/prx/pdf/10.1103/PhysRevX.4.011026

x • April 10, 2014 2:16 PM

Without reading the paper:

There is nothing new, chaotic systems have been suggested again and again.

The scheme is always the same, Alice and Bob have both a complex system that does its thing, and from that system they then derive a keystream.

An example would be for Alice and Bob to have identical billiard tables and hit a selected ball at a selected angle identically on both tables, then use the motion of the balls as the key.

Either some internal setting of the system serves as a key (here a coupling function), or the two systems are coupled together.

The last approach is often used with lasers that have some coupling.

Of course, this approach is highly flawed for many many reasons.

- As Andrew2 pointed out, the authors forget about quantization, in reality there are only a finite number of settings for the coupling function

- The systems will drift apart and need resynchronization, that opens up a side channel. The more sensitive the system is, i.e. the larger the space of coupling functions, the sooner this will happen.

- Even chaotic systems have very predictable properties that are extremely well studied. If the system was unpredictable, Alice and Bob could not replicate it.
As the system is predictable, it can be run in a simulation.

- The encryption fails in an insecure way without anyone noticing. In the case of the pendulums, just make both Alice's and Bob's secure communication center vibrate (pretend you are doing roadwork). This will lock the pendulums to your oscillation, but Alice and Bob will never notice.
In the case of vibrations, the effects are extremely subtle.
A few mechanical clocks that are mounted on the same wall will eventually synchronize from the vibration through the wall.

If both use a coupled single systems (two lasers sharing oscillators), it is even easier to break: Just add your own stronger pseudorandom signal into the channel, and make the lasers lock to your code. As this is a pseudorandom signal, Alice and Bob won't notice anything strange.

x • April 11, 2014 12:19 PM

OK, now I read the paper. Unfortunately it is completely underwhelming.


The general principle of chaos systems is always the same:

Alice and Bob share a differential equation that returns chaotic results.
A good example is the Rössler attractor
https://en.wikipedia.org/wiki/R%C3%B6ssler_attractor
x'=-y-z
y'=x+ay
z'=b+z(x-c)

This is a differential equation in x,y,z with the parameters a,b,c.
For a given a,b,c, you will get a stream of x,y,z that are chaotic.
Alice and Bob share a,b,c, and use x,y,z as a stream to encrypt their data.

Why are differential equations not used as a secure random number generator?
It is very simple, they are not, because they are not even good sources of pseudorandom numbers (without any claim to security).

Very simply, 'chaotic' does not mean 'random', and even less 'cryptographically secure random'.

If you look at the picture of the chaotic curve x,y,z, you'll see that it is highly structured.

https://upload.wikimedia.org/wikipedia/commons/thumb/7/75/Roessler_attractor.png/220px-Roessler_attractor.png

For a random system, the points would fill the space randomly.
Of course, the structure can be used to break the system.

All the pseudo-security is in the key a,b,c.
To make it even worse, there are tons of insecure keys. For example a=b=0.1 1. For this range of keys, the system is not even chaotic and is totally insecure.
On the Wikipedia page, the lower 6 pictures show no chaos.

The article now doesn't directly use one system, but two systems that are coupled.
The secret message is the coefficients. On the receiver side, the most probable coefficients are then guessed.
Note 'most probable', this doesn't even guarantee that the message has been received correctly!

Of course, this cipher is highly vulnerable to all kinds of attack:

- Chosen plaintext: choose your plaintext so that the system is not chaotic.
For example '00000' might correspond to switching all coupling functions off.

- Known plaintext: choose your plaintext and identify the coefficients of the system.
This is just great: you can even use real linear cryptanalysis, because the system can be linearized; all the functions are differentiable. Small changes in the input lead to small changes in the output!!!

- Ciphertext only attack: exploit the highly structured output of the chaotic oscillators, which has no random properties. A well-studied area of research.

- Chosen ciphertext: Add your own data to the channel, Bob's chaotic system will then synchronize to your data.

- Adaptive chosen ciphertext: Couple the system with your own chaotic system that you control.

And all of that for a system that only makes a probabilistic guarantee of receiving the correct message.

I am not impressed.
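
To put numbers on the structure described in the comment above, here is a small simulation added for illustration (not the commenter's code and not from the paper): it integrates the Rössler system with the classic parameters a=b=0.2, c=5.7 (constructed "key" values), takes the x-coordinate as the keystream, and compares its lag-1 autocorrelation and two-sample linear predictability with bytes from os.urandom.

```python
import os
# Classic Rössler parameters, playing the role of the shared "key" (a, b, c); constructed values.
A, B, C = 0.2, 0.2, 5.7

def rossler_derivs(s, a, b, c):
    """Right-hand side of x'=-y-z, y'=x+ay, z'=b+z(x-c)."""
    x, y, z = s
    return (-y - z, x + a * y, b + z * (x - c))

def rk4_step(s, a, b, c, dt):
    """One classical Runge-Kutta step; fully deterministic, so anyone holding (a, b, c) reproduces it."""
    k1 = rossler_derivs(s, a, b, c)
    k2 = rossler_derivs(tuple(s[i] + 0.5 * dt * k1[i] for i in range(3)), a, b, c)
    k3 = rossler_derivs(tuple(s[i] + 0.5 * dt * k2[i] for i in range(3)), a, b, c)
    k4 = rossler_derivs(tuple(s[i] + dt * k3[i] for i in range(3)), a, b, c)
    return tuple(s[i] + dt / 6 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) for i in range(3))

def rossler_stream(n, a=A, b=B, c=C, dt=0.01, state=(1.0, 1.0, 1.0), burn_in=2000):
    """n consecutive x-coordinates after a transient: the 'keystream' the comment describes."""
    for _ in range(burn_in):
        state = rk4_step(state, a, b, c, dt)
    out = []
    for _ in range(n):
        state = rk4_step(state, a, b, c, dt)
        out.append(state[0])
    return out

def lag1_autocorrelation(samples):
    """Correlation of each sample with the next: near 0 for an unstructured source."""
    n, mean = len(samples), sum(samples) / len(samples)
    var = sum((v - mean) ** 2 for v in samples)
    cov = sum((samples[i] - mean) * (samples[i + 1] - mean) for i in range(n - 1))
    return cov / var

def linear_prediction_error(samples):
    """Mean error of guessing x[i+1] as 2*x[i] - x[i-1], relative to the stream's range."""
    n, spread = len(samples), max(samples) - min(samples)
    err = sum(abs(samples[i + 1] - (2 * samples[i] - samples[i - 1])) for i in range(1, n - 1))
    return err / ((n - 2) * spread)

def compare(n=20000):
    """(autocorr of Rössler x-stream, autocorr of os.urandom bytes, prediction error of x-stream)."""
    chaotic = rossler_stream(n)
    uniform = list(os.urandom(n))  # OS randomness as the unstructured reference
    return (lag1_autocorrelation(chaotic), lag1_autocorrelation(uniform),
            linear_prediction_error(chaotic))

if __name__ == "__main__":
    r_chaos, r_rand, pred = compare()
    print(f"lag-1 autocorr: Rossler={r_chaos:.4f} urandom={r_rand:.4f}; Rossler extrapolation error={pred:.1e}")
```

compare() returns a lag-1 autocorrelation above 0.99 for the chaotic stream and one near zero for os.urandom; the prediction error shows how little a third sample adds once two consecutive ones are known.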

Dave HoweApril 11, 2014 1:32 PM

It's possible they don't even care - this is the sort of thing that gets thrown into the pot to beef up someone's publication list and, preferably, get a patent issued in extremely broad terms that will then sit like a landmine in the system, awaiting someone actually to get a system right, when the "IP owners" will pounce and demand a royalty for work they weren't themselves capable of doing.

TApril 14, 2014 2:54 AM

I thought that if you wanted to make a random or chaotic string of information not you just add order, as adding order will make the system hard to decrypt, you add no order but you instead brute force search to find the entropy and subtract it from 100% random, assuming all place on the dart board will get equal fulled up of time, eg 100% with a brute force returning 78%, with an anchor of 0%, returns 22%, add that to chaotic message or keys, to make it 100%, then use trees inside trees inside trees, instead of waiting to the end of the universe, and find part patterns to find order.

True encryption is 50% order and 50% randomness, but you can never know if you found that, for obvious reason.

@X thanks for the links

TApril 14, 2014 3:11 AM

An example of how to crack it.

You have binary with one bit of information, say it is 1
you expand it to say 1000 decimal
you pick a place for the anchor say 470
you use any linear function to go from 470 to 1000
you use the same linear function to go from 470 to 1
you have one bit of information, left or right
you set left to zero and add the left side to the right
you do the same with the right side, set it to zero and add it to the left side
the linear function has say 10 points and is any function
with adding flip the sides to match plus - plus, minus to minus
repeat till you have all 1-1000 or 0-1000 values with different anchor points
brute force to find entropy of system, using false statistic if it shows 50 at a1 and 2 at a2 and 44 at a3 and 12 at b1, make an inverse, instead of waiting. the real system doesn't need to be used as close enough guess can be made.
add the inverse entropy data to the graphs above.

The data is the probability, which we all know is ZERO :)

Seth PApril 14, 2014 10:10 AM

I skimmed the paper and there was no cryptanalysis that I could see. If they think this was a meaningful paper, they sure fooled me.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.