1 Introduction

A secret key is a sequence of bits that a cryptographic algorithm uses to convert plaintext into ciphertext and vice versa. A key is generally defined by its length in bits, n and the keyspace (number of possible keys) is normally derived as a function of the key length, \(2^{n}-1\). Symmetric encryption relies on a single key for both encryption and decryption while asymmetric or public-key encryption uses one for encryption and another for decryption. Communication between two parties is usually secured using symmetric encryption, with its secret key being distributed using asymmetric algorithms. The reason for this is that symmetric ciphers are significantly faster than their asymmetric counterparts. In practice, secret keys should be long enough to resist brute force attacks but short enough such that key management would not be costly. Since the focus of this paper is symmetric-key cryptography, the term cipher is used to refer to symmetric ciphers in the remainder of the paper.

Key schedule algorithms or key schedules are core components of symmetric-key ciphers, especially block ciphers. They take a secret or master key of a specified length (e.g. 128 or 256 bits) and generate round keys. These round keys are used in the round functions of a block cipher to iteratively transform a plaintext to a ciphertext. Despite their importance, key schedules or third-party cryptanalysis of key schedules receive comparatively less attention as compared to the encryption algorithm itself [1]. Generally, the key schedules of chaos-based ciphers leverage chaotic maps as a source of pseudo-randomness [2]. Most chaos-based ciphers have seemingly ad-hoc key schedules due to a lack of well-studied design paradigms.

Theoretically, we can express the computational security of an algorithm in terms of bits. A cipher is considered n-bit secure if the best attack requires about \(2^n\) operations to compromise its security. An n-bit secret key provides at most n-bit security since a brute force attack after \(2^n\) attempts will always succeed. In other words, the key size only provides an upper bound of a cipher’s security level. The security level may be lower than what has been implied by the key length if there exists an attack that breaks the cipher in fewer operations than expected. One straightforward example is DES, which takes in a 64-bit secret key but only 56 bits are actually in use (effective key length of 56 bits or effective keyspace of \(2^{56}\)). As such, simply designing a cipher to have longer secret keys does not guarantee security.

Unfortunately, the philosophy that longer keys are better seems to be a prevalent theme in chaos-based cryptography [3, 4], a field of study that explores the use of chaotic or dynamical systems in the design of cryptographic primitives. Chaos-based cryptography has been a heavily researched area in recent years [5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23], with the majority of them being image ciphers. The main reason given by these researchers for proposing image ciphers based on chaos is that conventional symmetric-key ciphers such as block ciphers and stream ciphers are not suitable for images. However, there is a lack of evidence to support this claim given that conventional block or stream ciphers are being used to encrypt images and other forms of multimedia by being embedded into security protocols such as TLS or IPSec. Additionally, chaos-based ciphers lacked proper security analysis, relying mainly on empirical evidence. Even an insecure chaos-based cipher can pass commonly adopted statistical tests [24]. Unlike conventional ciphers like block or stream ciphers, the majority of chaos-based cryptosystems are not subject to third-party cryptanalysis. Combined with other practical issues [4], it is unsurprising that chaos-based cryptography remains only of academic interest without real-world adoption, especially when newer chaos-based ciphers are still repeating the same mistakes of old [25,26,27,28,29]. To overcome this problem, chaos-based researchers need to first acknowledge the flaws in the current methodology and work towards designing primitives based on commonly accepted notions of security.

In this paper, we contribute towards the latter by diving deep into a largely overlooked problem of chaos-based cryptosystems – their unusually large keyspaces. Problems with keyspace definition have been noted by other researchers years ago [3, 4]. We first cryptanalyse the key schedules of five chaos-based ciphers that claim to have large keyspaces. Five of them were selected after examining 15 ciphers recently published in Tier 1 and Tier 2 journals (based on Journal Citation Reports indexing). We show that the effective keyspace is significantly smaller than the key size implies due to practical and theoretical problems related to their key schedules. We then highlight alternative solutions to how secret keys can be used in the context of chaos-based cryptography. Lastly, we provide an example of a key schedule for chaos-based ciphers that ensures the involvement of every bit of the secret key in the generation of round keys. The goal of this paper is to bring to light yet another problem of chaos-based cryptography that needs to be acknowledged in future research to advance the field in the right direction. The main contributions of this paper are summarised below:

  • Cryptanalysis results of the key schedules of recent chaos-based ciphers to provide more accurate security estimates.

  • Recommendations for how secret keys can be used in the context of chaos-based cryptography to maximise keyspace.

  • A new chaos-based key schedule that ensures that each key bit plays an equal role in providing security.

The remaining parts of the paper are divided into the following sections: Section 2 provides some preliminary information about chaotic maps, chaos-based encryption, and the assumptions used in our analysis of their keyspaces. Section 3 delves into the analysis of recent chaos-based cryptographic algorithms with keyspace issues. Section 4 then highlights approaches to address these issues, which includes the design of a new chaos-based key schedule that is aligned with our findings. Finally, Section 5 concludes the paper.

2 Preliminaries

2.1 Chaotic maps and chaos-based cryptography

According to Devaney’s definition [30], chaotic systems exhibit three primary properties: sensitivity to initial conditions, topological mixing, and density of periodic orbits. In the case of sensitivity to initial conditions, even slight alterations in the initial conditions eventually result in highly divergent chaotic behaviours. Topological mixing indicates that the trajectory, originating from any region within the phase space, gradually encompasses the entire phase space over its evolution. The concept of periodic orbit density signifies that within a chaotic trajectory, points can approach other points in the phase space due to the existence of a strange attractor. These properties are analogous to the security requirements of cryptographic algorithms, and as such, have led to the popularity of chaos-based cryptography as a research area.

Chaotic maps are iterative functions that have one or more initial states and control parameters. Iterating chaotic maps with small changes to these states or parameters can lead to entirely different trajectories. Researchers have used them to construct confusion and diffusion layers of cryptographic algorithms, leveraging their capability to produce random-like outputs that are difficult to predict or reverse engineer.

The logistic map is an example of a simple chaotic map with a single system state and control parameter. It is capable of producing chaotic behaviour with proper selection of the control parameter value (\(\approx 4\)). Its simplicity and relatively low complexity have led to its adoption in various cryptographic algorithms [15, 31, 32]. This map is mathematically defined as:

$$\begin{aligned} x_{n+1} = rx_{n}(1 - x_{n}), \end{aligned}$$
(1)

where \(x_{n}\) is the initial state variable at iteration n and r is the control parameter in the range of [0,4]. The lodistic map has chaotic behavior as r approaches 4 as shown in its bifurcation diagram in Fig. 1.

Fig. 1
figure 1

Bifurcation diagram of logistic map

Full size image

Apart from the logistic map, other well-known or popular chaotic maps that have been used in chaos-based cryptography including the tent map, Henon map and Arnold cat map. These chaotic maps have mainly been used in the design of multimedia ciphers [5, 33,34,35,36,37,38,39] and hash functions [40,41,42]. They have also seen applications in secure communication [34, 43,44,45], serving a role in pseudo-random number generators. The goal of using chaotic maps in these applications is supposedly to enhance randomness and complexity of cryptographic algorithms [46, 47]. Moreover, chaotic system or chaotic map have found applications in image watermarking schemes [48, 49].

Despite being an active research area, there has been a lack of real-world adoption of chaos-based primitives due to problems such as lack of detailed specification regarding the representation of real numbers, weak key handling, inaccurate justification regarding the keyspace, lack of proper security analysis through cryptanalysis, lack of comprehensive computational complexity analysis and comparison to cutting-edge cryptosystems. As other researchers [4, 50, 51] have noted, this problem has persisted over the years.

As highlighted in this section, the majority of work in chaos-based cryptography is on image encryption. Designers often justify the requirement for image-specific encryption algorithms by stating that conventional methods are inadequate for bulk data encryption or incapable of handling the substantial correlation among image pixels [44, 52,53,54]. However, conventional symmetric-key algorithms like block ciphers are the ones being used today to encrypt various types of data without any issues. Previous research has explicitly criticized the accuracy of such assertions [19].

2.2 Attack model and other assumptions

Attack model In this paper, we assume that the attacker operates in the known-plaintext attack model, whereby an attacker can observe ciphertexts and knows the associated plaintexts. This is the attack setting in which a brute force attack operates – an attacker guesses the secret key, submits a decryption query for a given ciphertext, and checks if the resulting plaintext matches the known plaintext. As such, schemes that rely on hashing the plaintext to generate the secret key or to modify the secret key [16, 25, 26, 55,56,57,58,59,60,61,62,63,64] will not be secure under this attack model since an attacker can generate these hash values themselves with knowledge of the plaintext. A known-plaintext attack is also one of the more realistic attack models since parts of certain messages could already be known to an attacker, such as the header or trailer information of a data packet or segment [65].

Even if we assume that an attacker operates in the ciphertext-only model, chaos-based ciphers that rely on hash functions to generate plaintext-dependent secret keys would need to communicate those keys to the recipient in a secure manner. Communication over the Internet takes place on various layers, which are secured using communication protocols such as Transport Layer Security (TLS) or Internet Protocol Security (IPsec). For TLS and IPsec, encryption keys are negotiated before setting up a communication session or a security association (SA), respectively, and will then be used throughout their agreed-upon lifetime. Therefore, a cipher that inherently requires a key exchange to occur for each message exchange would be highly impractical as the entire handshaking process would need to be repeated. Additionally, key exchange relies on asymmetric-key algorithms that are slower than symmetric-key, which would then impose significant computational overhead on communication.

Kerckhoff’s principle

Kerckhoff’s principle states that a cryptosystem should be secure even if everything about a system is known, except for its secret key. As stated by Claude E. Shannon, we need to assume that the enemy knows the system being used [66]. In contrast, keeping the entire algorithm or even part of the algorithm secret can be considered security through obscurity, a notion that is not recommended by standardization bodies. Unfortunately for some chaos-based cryptosystems, the supposed secret key also dictates basic operations such as the permutation pattern [25] or S-box [27]. Note that these ciphers have separate secret parameters for permutation and S-box, and these parameters were not derived from other parts of the secret key, and therefore akin to keeping these operations secret. If conventional ciphers adopt the same approach by keeping their permutation patterns or S-boxes secret, their effective keyspaces would also be larger but would no longer uphold Kerckhoff’s principle. As such, for some of these ciphers, we will also evaluate the effective keyspace if the parameters that determine these basic operations were to be made public. Then, comparisons with conventional cryptography can be made on a level playing field.

Number representation

Real numbers can be implemented on a computer using various formats. The most popular one is the 64-bit IEEE double-precision floating-point format. 1 bit is used as the sign, which is usually a constant since most chaotic maps used in chaos-based crypto operate on positive values, 11 bits to represent the exponent and 52 bits to represent the fraction. Most papers in literature usually estimate the keyspace based on computing precision, whereby the 64-bit IEEE representation has a computational precision of \(10^{-15}\approx 2^{-50}\), which implies a keyspace of 50 bits. This is derived from the fact that double-precision numbers have about 15 significant decimal digits [67]. We will adopt the same approach in our analysis.

3 Keyspace analysis of chaos-based encryption

Out of 15 reviewed recently proposed chaos-based algorithms [25,26,27,28,29, 55, 68,69,70,71,72,73,74,75,76] , we identified 5 ciphers with glaring keyspace issues for further analysis. We only cover ciphers whereby the keyspace reductions are obvious, rather than keyspace reductions based on the format of the floating point variable (e.g. fixed sign bits, value range) or the underlying properties of the chaotic map. The latter approaches may lead to further reductions and will be left for future work.

In the coming sections, we first introduce the design of each chaos-based cipher, focusing on how their secret keys are involved in encryption. We then perform a detailed numerical analysis based on the known-plaintext attack model, Kerckhoff’s principle and practical real number representation to better estimate the ciphers’ actual keyspaces and security margins.

3.1 Low energy interleaved chaotic secure image coding scheme for visual sensor networks using pascal’s triangle transform

3.1.1 Description

Suseela et al. [29] proposed a secure image coding scheme that uses a chaotic Pascal triangle transformation (PTT) that has two control parameters l and m and four seed values which we will denote as \(E_i\). It takes a pair of values (xy) as input and produces a new pair (ab). The plainimage P is first divided into \(2\times 2\) pixel blocks which are then permutated based on the sequence of numbers obtained from PTT. Then, three keys are generated denoted as \(C_1\), \(C_2\) and \(C_3\). \(C_1\) and \(C_2\) are 8-bit values due to the use of the \(\mod ~256\) operation while \(C_3\) is a 3-bit value since it is the hamming distance between 8-bit values \(C_1\) and \(C_2\). The pixel blocks are then circularly rotated based on \(C_3\). If \(C_3\) is even, pixels are rotated circularly to the left but if odd, they are rotated circularly to the right. This is considered the first diffusion phase of the cipher. The parameters l and m, which are kept secret, are used in this process. The resulting scrambled pixel blocks is denoted as D1x.

Next, a \(2\times 2\) matrix denoted by Gx is generated using two chosen prime numbers w and z and the current block position (ab). This matrix consists of four 8-bit numbers. As the final step of the encryption process, each pixel of Gx is XOR-ed with one of the elements of D1x. This produces the final cipher pixel block which is denoted as Cx, and the process is repeated for all remaining pixel blocks. The whole process is illustrated in Fig. 2

Fig. 2
figure 2

Flowchart of the encryption process for [29]

Full size image

3.1.2 Keyspace analysis

The authors claim that the encryption algorithm has \(2^{499}\) possible keys derived from the number of levels in Pascal’s triangle l, the rotation parameter m, the four seed values \(E_i\) of the PTT, and finally the diffusion keys (abwz) of each pixel block. It was also mentioned that the encryption algorithm uses the 64-bit double-precision numbers based on IEEE floating-point standard to represent all the keys used in the proposed encryption. Since there are 10 parameters that are supposedly part of the secret key, the keyspace is \(2^{50\times 10}\approx 2^{499}\) possible keys.

The designers point out that the PTT combines the first and second diagonal elements of level n and \(n+1\). Based on their cipher description, the original plainimage is divided into \(n\times n\) smaller pixel blocks, where n can be 2, 4 or 8. Knowledge of n would allow an attacker to determine the four seed values \(E_i\) of the PTT since Pascal’s triangle has a known structure. Even if n was kept secret, it would just be 2 bits of information since there are only 3 possibilities. Also, an attacker would not need to know l (the number of levels in Pascal’s triangle) since we need \(l>n\) for the encryption to be successful.

We also note that a and b can be generated if all parameters of the PTT are known. An attacker would just need to guess n and m to derive a and b from known values of x and y. As such, (abl) should not be considered part of the secret key. Parameters w and z (which are relatively prime numbers) were used to produce the 4-byte matrix Gx. Even though w and z are both 64-bit values, an attacker can instead opt to guess the contents Gx, which consists of four bytes in total (32 bits). Having Gx is sufficient to perform decryption.

Based on these observations, the effective keyspace of the proposed scheme should only include m, n and Gx, which is around \(2^{50 + 2 + 32} = 2^{84}\). Hence, the security margin has been reduced by a factor of \(2^{415}\). This keyspace includes possible weak keys whereby certain values of l and m would not permute the plainimage at all due to the PTT being periodic. The designers themselves provided one such example, whereby \((l,m)=(2,192)\) would not permute an image with \(512\times 512\) pixels.

3.2 Novel medical image encryption scheme based on chaos and DNA encoding

3.2.1 Description

Belazi et al. [25] proposed a cipher that uses combination of two chaotic maps – the logistic-Chebyshev and sine-Chebyshev map. These chaotic maps have one initial condition and control parameter each, denoted as \((x_0,\alpha _0)\) and \((x_1,\alpha _1)\) respectively. These parameters are kept secret and are part of the secret key, along with two prime numbers \(p_1\) and \(p_2\).

The proposed encryption algorithm begins by using the SHA-256 hash function to generate new key values from \((x_0, x_1,\alpha _0,\alpha _1)\). The first hash value, denoted by \(\kappa _1\) is obtained from the original image while a second hash value, \(\kappa _2\) is generated from the sum of the pixels of the original image. Both hash values are divided into 8-bit blocks and are used to generate two new sets of parameters, \((x'_0,\alpha '_0,x'_1,\alpha '_1)\) and \((x''_0,\alpha ''_0,x''_1,\alpha ''_1)\).

The plainimage is divided into \(m\times n\) blocks that are then permuted using \(p_1\). The permuted blocks are recombined to obtain the permuted image, \(P_1\). \(P_1\) is split into four smaller sub-blocks that are each transformed using four different S-boxes. These are dynamic S-boxes generated using logistic maps initialized with different sets of parameters \((y^i_0, \beta ^i_0)\) where \(i=\{1,2,3,4\}\). Each pixel in each sub-block is substituted using these S-boxes. The output of the substitution process is a new image \(P_2\). The binary representation of \(P_2\) is then encoded into a DNA matrix \(P_3\) using an encoding rule specified by a random integer \(k_1\in \{1,...,8\}\).

A new DNA matrix, \(P_4\), is obtained by creating a complementary version of \(P_3\) based on the values of a matrix, X generated using the logistic-Chebyshev map with parameters \((x'_0,\alpha '_0)\). \(P_4\) is decoded using a DNA decoding rule specified by another random integer \(k_2\in \{1,...,8\}\) to obtain \(P_5\). A keystream denoted by U is generated using sine-Chebyshev with parameters \((x'_1,\alpha '_1)\) and is XOR-ed with \(P_5\) to obtain \(P_6\). The entire process is repeated using \(p_2\), \((x'_0,\alpha '_0)\) and \((x'_1,\alpha '_1)\) to obtain the final cipherimage, C. The whole process is illustrated in Fig. 3.

Fig. 3
figure 3

Flowchart of the encryption process for [25]

Full size image

3.2.2 Keyspace analysis

The authors claimed that the keyspace of their cipher is greater than \(2^{716}\) when considering the initial conditions and control parameters of logistic-Chebyshev and sine-Chebyshev \((x_0,\alpha _0,x_1,\alpha _1)\), as well as the updated keys obtained from SHA-256 \((x'_0,\alpha '_0,x'_1,\alpha '_1,x''_0,\alpha ''_0,\) \(x''_1,\alpha ''_1)\). Integers m and n, the prime numbers \(p_1\) and \(p_2\) (with no length restrictions), the DNA encoding and decoding keys \(k_1\) and \(k_2\) respectively, and S-Box parameters \((y^i_0, \beta ^i_0)\) where \(i=\{1,2,3,4\}\) are all considered to be part of the secret key. The authors assume that each 64-bit double-precision number contributes 49 bits to the keyspace, or \(2^{49}\) possible values. It is not exactly clear how the authors arrived at \(2^{716}\) since there are at least 20 chaos-based parameters that are part of the key.

There are several parts of the key that can be easily guessed by an attacker. Integers m and n must satisfy \((M\times N)\mod (m\times n)=0\), which implies \((m\times n)\) divides \((M\times N)\). Additionally, we know that n is either 2, 4, or 8. Given a plainimage, we need to calculate the number of divisors of \((M\times N)\). For example, a \(1024\times 1024\) image has 1048576 pixel; 1048576 has 21 divisors. Then, the number of combinations of (mn) is less than three times the number of possible divisors, which is around 6 bits of information. Even an 80 Gigapixel image would lead to only around 8 bits of information that need to be guessed.

The permutation function based on primes \(p_1\) and \(p_2\) involve modular multiplication:

$$\begin{aligned} b = (p_i\times a) \mod ~l, \end{aligned}$$
(2)

for some integer l. Using a prime with i digits would lead to a computational complexity of around \(O(i\times j)\) for modular multiplication, where j is the number of digits of a. Thus using very large primes would be computationally inefficient. Let us assume conservatively that a prime number with at most 32-bit length (10 digits) is used.

This encryption algorithm is one of the examples of chaos-based ciphers that uses a hash function to increase the size of the key as mentioned in Section 2.2. Under the chosen-plaintext model, \((x'_0,\alpha '_0,x'_1,\alpha '_1,x''_0,\alpha ''_0,x''_1,\alpha ''_1)\) do not need to be guessed since they can be derived based on knowledge of the plainimage and \((x_0,\alpha _0,x_1,\alpha _1)\). We assume that each real number contributes \(2^{50}\) bits to the key, so \((x_0,\alpha _0,x_1,\alpha _1)\) contributes \(2^{50\times 4}=2^{200}\) to the keyspace. The keyspace also includes the eight parameters (400 bits) involved in generating the S-box, 64 bits of the prime numbers, 8 bits of (mn), and 6 bits of the decoding key. The overall keyspace is thus \(2^{678}\), a reduction by a factor of \(2^{121}\). Furthermore, if Kerchoff’s principle is to be upheld, the four S-boxes should at least be made known. This would reduce the keyspace to around \(2^{278}\).

3.3 New image encryption algorithm with nonlinear-diffusion based on multiple coupled map lattices

3.3.1 Description

Wang et al. [26] proposed a new image encryption algorithm that utilizes multiple coupled map lattices (MCML). The chaotic system of the proposed algorithm has \(b_1\), \(b_2\), and \(b_5\) as its initial conditions and \(b_3\) and \(b_4\) as its control parameters.

The encryption algorithm starts by generating a secret key, denoted by K, using SHA-512 from the original image P. The key K is then divided into 5 groups, with each group having 80 bits. These groups are converted into real numbers (\(b_1\), \(b_2\), \(b_3\), \(b_4\) and \(b_5\)) which constitute the secret key. Then a two-dimensional array R with 2 rows and r columns are created, where the first row is assigned a sequence of numbers from 1 to r and the second row of R is filled with r real numbers between 0 and 1 by iterating the logistic map r times using \(b_1\) as the initial condition and a constant parameter 3.99. The position of the first row in R is rearranged based on the sorted values in the second row, resulting in a shuffled array R1. The first row of this new array R1 is a sequence of shuffled row indices, denoted by \(D_r\).

A similar process is applied to another 2D array C, which is created by iterating the logistic map using \(b_2\) as the initial value. The first row of this new array C1 is a sequence of shuffled row indices, denoted by \(D_c\). Thus, \(D_r\) and \(D_c\) are indexes that are generated for each pixel.

Finally, an array S is obtained from MCML using \(b_5\) as its initial value. The array has the same dimensions as the cipherimage C. The values of cipherimage C at position \(D_c\) and \(D_r\), is determined by accessing each pixel elements in the plainimage P and then combine with the row and column sequences of array S using modular addition. The whole process is illustrated in Fig. 4. We note that the proposed cipher resembles a stream cipher whereby S is the keystream that is used to encrypt the plainimage using modular addition, and as such does not actually have diffusion (each pixel is encrypted independently and does not affect other pixels).

Fig. 4
figure 4

Flowchart of the encryption process for [26]

Full size image

3.3.2 Keyspace analysis

The authors of the proposed encryption algorithm claim that the keyspace of their cipher is around 400 bits. This estimation is made on the assumption that the secret key is composed of five parts (\(b_1\), \(b_2\), \(b_3\), \(b_4\), \(b_5\)) and each part is 80 bits in length. However, the authors did not specify how the 80 bits are converted to real numbers to be used as initial conditions and other parameters. It is likely that the authors are relying on an 80-bit extended precision format that is analogous to the IEEE 754 format [77] and has a precision of 64 bits. Thus, the effective keyspace should be \(64\times 5 = 320\) bits rather than 400 bits.

Unfortunately, not all devices would have a processor that supports 80-bit numeric data types. If a 64-bit double floating point number was used instead, then the effective keyspace is \(50\times 5= 250\) bits. In addition, we observed that a hash function was used to generate the entire secret key. As mentioned in Section 2.2, schemes that rely on hashing to generate or modify the secret key will not be secure in the known- or chosen-plaintext attack model.

3.4 A dynamic triple-image encryption scheme based on chaos, s-box and image compressing

3.4.1 Description

The proposed cipher utilizes two chaotic systems, a 2-dimensional logistic-sine-coupling map (2D-LSCM) and a sine-tent system (STS) [27]. The former chaotic system has one control parameter, \(\theta \) and two state variables x and y while the latter has one control parameter, \(\mu \) and one state variable, z. Later, we will see that the secret key comprises these parameters and state variables.

The proposed encryption algorithm first compresses three images based on a sequence of numbers obtained from 2D-LSCM. The control parameter and state variables involved are not part of the secret key but are made public. Notably, \(\theta \) is chosen randomly to ensure that the cipherimages are different even when the same plainimages are being encrypted. Thus, \(\theta \) can be viewed as some form of tweak [78]. After compression, the resulting image, denoted as C, is converted into a 1-dimensional vector and divided into four equal sub-blocks. These sub-blocks undergo a pixel-wise permutation based on another sequence of numbers obtained from 2D-LSCM. This time, the parameters involved, \(x_0\), \(y_0\) and \(\theta _1\) are kept secret and part of the secret key.

Finally, the shuffled blocks are combined into a single matrix \({img_p}\), which is then divided into \(16\times 16\) blocks. These blocks are modified in what is considered the diffusion phase of the cipher, whereby two more random number sequences were generated from STS and 2D-LSCM, both of which use a different set of parameters that are all kept secret. The random number sequence generated by STS using parameters \(z_0\) and \(\mu \) are used with another randomly selected odd integer d to generate what seems to be an 8-bit S-box. The diffusion phase then proceeds to perform modular addition between each pixel and the sequence generated from 2D-LSCM. After modular addition, each pixel is XOR-ed with one of the elements of the S-box selected using the position of the current pixel.

Therefore, the S-box does not actually contribute toward nonlinearity in the cipher since it is used in an entirely linear operation. It can be seen that there is no actual diffusion since the value of each pixel does not actually affect the other pixels. Figure 5 illustrated the encryption process.

Fig. 5
figure 5

Flowchart of the encryption process for [27]

Full size image

3.4.2 Keyspace analysis

The authors claim that the keyspace of their cipher is around \(2^{561}\). Although not mentioned specifically, it seems that four different S-boxes were generated by using the same d and \(\mu \) but with varying \(z_0\). As such, there are 12 parts of the secret key, \((x_0,y_0,\theta _1,x_1,y_1,\theta _2,z^1_0,z^2_0,z^3_0,z^4_0,\mu ,d)\), where \(d\in [1,10^4-1]\) is the randomly selected odd integer used to generate the S-box. Assuming that we use 50 bits to represent each of these non-negative real numbers (due to the use of 64-bit double floating point numbers), the effective keyspace would be approximately \(2^{11\times 50}\times 10^4\approx 2^{563}\), which supports the authors’ claim.

However, we note that the S-box used in the encryption process is derived from its own set of parameters rather than being derived from other parts of the key. As mentioned in Section 2.2, these parameters should ideally be made public if Kerckhoff’s principle is to be upheld. If this is the case, the keyspace will be effectively reduced to \(2^{6\times 50}=2^{300}\).

3.5 RGB image encryption through cellular automata, s-box and the lorenz system

3.5.1 Description

In 2022, Alexan et al. [68] proposed a scheme for encrypting color images using a combination of cellular automata, S-Box, and the Lorenz chaotic system. The chaotic system of the proposed cipher has \(\sigma \), \(\rho \), \(\beta \) as system parameters and x, y, z initial values.

The pixels of the image with (M \(\times \) N) size are first converted into a 1D bitstream denoted as d. The mean intensity of the image pixels denoted as \(P_{\mu }\) is calculated, and is multiplied by a magnifying factor \(f_M\) to get the value \(\mu \). Then each of the element of d are cyclically shifted to the right by \(\mu \) places. The resulting bitstream \(d_{\mu }\) is XORed with the first encryption key denoted as \(K_{CA}\), which is a bitstream of the same length as d and \(d_{\mu }\), and is made up of a repetition of the first \(N_{CA}\) bits resulting from the center column of Rule 30 Cellular Automata.

After the XOR operation, the resulting bitstream, \(C_0\), undergoes a substitution process utilizing an S-box generated based on the concepts of three operations: transformation, modular inverses, and a permutation, represented as \(S(C_0)\), to yield the resultant bitstream \(C_1\). The Lorenz system is then solved to obtain a 3D geometry, with x, y, and z coordinates of each point flattened into a single 1D array L. The values in L are plotted on a 2D plane, and a threshold value \(\lambda \) is chosen to generate a new bitstream v, where any values in L that are greaterthan \(\lambda \) are considered 1s, while any values that are less than or equal to \(\lambda \) are considered 0s.

Finaly, the bits in v of length \(N_L\) is repeated until they are of the same length as \(C_1\) to generate the second encryption key \(K_L\), and XOR it with \(C_1\) to obtain \(C_2\). Then \(C_2\) is reshaped into an image with the same dimensions (M x N) as the original image to obtain the encrypted image. The encryption process uses two encryption keys: \(K_{CA}\) and \(K_L\). \(K_{CA}\) is generated from the Rule 30 Cellular Automata, and \(K_L\) is generated from the Lorenz system. The whole process is described in Fig. 6.

Fig. 6
figure 6

Flowchart of the encryption process for [68]

Full size image
Table 1 Summary of keyspace reductions (measured in bits)
Full size table

3.5.2 Keyspace analysis

The authors claim that their cipher has a total keyspace of \(2^{425}\) drawing from the observation that there are eight parts of the secret key (\(P_{\mu },\sigma , \beta , \rho , N_{CA}, N_L, f_M\) and \(\lambda )\).

However, \(P_{\mu }\) and \(f_M\), which are both supposedly part of the secret key, are used to calculate a rotation constant called \(\mu \). The number of possible \(\mu \) values is limited by the number of pixels or the number of bits in an image. For instance, the largest known photograph in the world with 846 gigapixels would have a \(\mu \) value of no more than 32 bits since there is a maximum of \(\log _2(846\times 1024\times 1024\times 3)\approx 2^{32}\) RGB pixels. If the rotation was in terms of bits, then the keyspace of \(\mu \) is increased to \(2^{35}\). Similarly, the possible values of \(N_{CA}\) and \(N_L\) are also limited by the number of bits in the image.

Therefore, if we assume that the remaining parameters (\(\sigma , \beta , \rho , \lambda \)) can occupy the entire 50-bit space, then the key size would be around 50 + 50 + 50 + 50 + 35 + 35 + 35 = 305 bits, reducing the security margin by a factor of 120 bits. The keyspace would be even smaller for smaller images such as the \(256\times 256\) pixel images used for testing in the original paper. In this example, the keyspace would be reduced to just 260 bits (reduction of 165 bits).

4 Secret key recommendations

In this paper, we performed the keyspace analysis from a high-level perspective and we were able to reduce the keyspace of several chaos-based algorithms. A summary of our findings is shown in Table 1. Apart from keyspace reductions, our analysis also clearly depicts the lack of a standard way of designing chaos-based ciphers, with many of them having seemingly ad-hoc designs. It would be possible to reduce these keyspaces even further by considering how the control parameters and initial states (which are commonly used as part of the secret key) are represented using floating-point numbers. For example, the majority of parameters involved in these algorithms are positive values. If a technical standard for floating-point arithmetic such as the IEEE 754 representation is used, the sign bit will always be 0 and does not need to be guessed. Furthermore, some chaotic maps need to fix their control parameters to a certain range to avoid fixed or periodic behaviour. If these instances are not addressed, weak keys will exist that reduce the security of the cipher. On the other hand, restricting the parameter space would lead to secret key bits that are either constant or are biased.

Therefore, future designs should ensure that all bits of their secret key would play an equal role in the encryption process. Rather than using these keys to seed chaotic maps, they could instead be used to initialize registers [79] that are modified by the outputs generated by the maps. The modified registers can be used as round keys, whitening keys, feedback shift registers, or as the internal state of a sponge construction. Another option that designers can consider is the use of fixed-point arithmetic to represent real numbers as integers [80], which would further reduce ambiguity as to how the key bits are used in a cipher. Using fixed-point representation also contributes to the analyzability of a cipher, since all arithmetic operations on real numbers can be reduced to integer operations.

It was previously highlighted in [4] that the chaos-based cryptography community seems to regard having a longer key length as superior to a shorter one and highlighted the problem of having an unusually long key from the perspective of computational or conditional security. Unfortunately, this notion is still prevalent several years on as seen from some of the ciphers being analysed in this paper. Today, key sizes of 128 bits and 256 bits are still deemed efficient by many standards bodies and federal agencies. The German Federal Office for Information Security (also known as BSI) [81], ECRYPT-CSA [82], NIST [83] all recommend a minimum key size of 128 bits and up to 256 bits to assure long-term security. Even with the existence of quantum computers, the best-known quantum algorithm applicable to symmetric-key is Grover’s algorithm which can reduce the time required to brute force an N-bit key to \(\sqrt{N}\) time [84]. A 256-bit key would still provide 128 bits of security, which is more than sufficient. In contrast, it is not unusual for designers of chaos-based ciphers to claim that chaos-based ciphers having keys of 500 bits or more [5, 25, 28, 72, 73] is an advantage over classical encryption algorithms. Chaos-based ciphers should be designed to follow these internationally accepted standards not only to facilitate interoperability but also for easier key management.

Last but certainly not least, the hashing of the plaintext (or plainimage) to generate the secret key or parts of the secret key should be avoided in the design of newer ciphers. Not only is it impractical since it requires a fresh key exchange for each message, but these ciphers would also not be secure under the known or chosen plaintext attack model.

4.1 Key Schedule

In this section, we propose an example of a chaos-based key schedule that ensures that each bit of the secret key is involved in the generation of round keys. First, a 128-bit secret key is used to initialise four 32-bit registers. Then, the key schedule updates each register based on the output of a logistic map. For real number computation, we rely on a 48-bit fixed-point representation. Here, the leftmost two bits, known as the most significant bits (MSBs) represent integers, and the remaining 46 least significant bits (LSBs) represent fractions. The reason for having only two integer bits is that we will set the control parameter of the logistic map (1) to \(r=3.9999...\approx 4.0\), whereby the value of 3 only requires two bits.

The general idea is to take bits from the logistic map’s state variable (represented as fixed-point numbers) after each iteration and XOR them with the current value of each register. This process can be repeated as needed to generate multiple round keys or as a means to initialise an internal state. When iterating the logistic map, bits used to represent integers will only be used by the control parameter and not by the chaotic states. Since the chaotic state ranges from [0, 1), only fractional bits in its fixed-point representation will be modified each iteration. When selecting bits to update the key registers, we should then only consider the 46 LSBs representing fractions. Out of these 48, we opt for 32 LSBs to ensure that even the slightest changes to the chaotic state will be reflected.

Based on the bifurcation diagram of the logistic map in Fig. 1, we can see that the entire state space will be visited when the control parameter is close to 4. Therefore, the 32 least significant bits will be evenly distributed throughout the state space. These bits will be used to update the bits in the register, which can then be used to perturb the chaotic state to generate the next 32 bits. This process will ensure that each key bit stored in the 32-bit registers will be modified by evenly distributed bits. Figure 7 illustrates the overall flow of the proposed key scheduling algorithm.

Fig. 7
figure 7

Proposed key schedule

Full size image

We evaluate the randomness of the proposed key schedule using the NIST SP 800-22 test suite [85] and ENT [86]. After each iteration of the chaotic map, the four 32-bit words in the registers are taken as part of a keystream. We repeat the process until 100 keystreams of \(10^6\) bit length is generated for the test suite. The test was conducted according to NIST guidelines, where a significance level of \(\alpha \) = 0.01 was adopted [85]. Each binary sequence was assessed for every sub-test, where its \(P_{value}\) was computed and compared against the significance level. If the \(P_{value}\) is greater than or equal to \(\alpha \), the sequence passed the sub-test; otherwise, it failed. Tables 2 and 3 indicates that, despite its simplicity, the proposed key schedule successfully passes the entire NIST and ENT test suite.

Table 2 NIST SP 800-22 results
Full size table
Table 3 ENT test results
Full size table

5 Conclusion

In this paper, we have addressed a significant issue that has been largely overlooked in the design of chaos-based cryptographic algorithms – the secret key. By considering factors such as real number representation and conventional attack models, our cryptanalysis of five chaos-based ciphers has uncovered significantly lower key spaces (security margins) than what has been previously claimed, some by a factor of over \(2^{100}\). To address this issue, we have put forth a set of key schedule recommendations to ensure that each bit of the key plays an equal role in the encryption process and that the resulting key schedules are aligned with real-world applications. Additionally, we have proposed a simple chaos-based key schedule that incorporates all the aforementioned considerations and also provided theoretical justifications for its claimed keyspace. Experimentally, the proposed key schedule successfully passed both the NIST and ENT statistical test suites, indicating that highly complex designs are unnecessary to achieve desirable security properties. Moving forward, we recommend that future researchers take note of these issues and focus on rigorous security evaluations for chaos-based ciphers so that they will be better aligned with real-world security standards.