Abstract
We present a novel encryption scheme, wherein an encryption key is generated by two distant complex nonlinear units, forced into synchronization by a chaotic driver. The concept is sufficiently generic to be implemented on either photonic, optoelectronic or electronic platforms. The method for generating the key bitstream from the chaotic signals is reconfigurable. Although derived from a deterministic process, the obtained bit series fulfill the randomness conditions as defined by the National Institute of Standards test suite. We demonstrate the feasibility of our concept on an electronic delay oscillator circuit and test the robustness against attacks using a stateoftheart system identification method.
Introduction
The development of new strategies to protect sensitive information from interception and eavesdropping has been receiving significant attention, especially in our presentday worldwide communication networks. The aim of this work is the development and implementation of a novel random key distribution system based on the concept of generalized synchronization between distant elements in large networks. Such a random key synchronization system successfully realized in photonics would have significant impact in the field of physical layer based encryption techniques, offering not only high confidentiality but also potential highspeed realtime encryption and decryption. Implemented in photonic systems, it would be fully compatible with present and future telecommunication networks. For the purpose of demonstrating the viability of the concept, we here put our focus to on an electronic system implementation.
Nowadays, confidentiality and the authenticity of information are mostly ensured through mathematical algorithms. Algorithmic keybased encryption systems usually take a digital data stream and convolute it with a given binary pattern, which we refer to as the key. The resulting encrypted binary string can then be transmitted through a public communication channel. A classic example of this type of encryption is the Vernam cipher^{1}, where the recipient decodes the message using the same keystring code as used for encryption. In this case, the key is agreed via another secure channel. This algorithm has been mathematically proven to be totally secure if the key is fully random, has the same length as the message and is used only once. Onetime pad cryptography is, however, not suited for secure communications between two parties who have not been able to exchange encryption keys beforehand. To circumvent this drawback, other software cryptosystems relying on asymmetrickey algorithms (publickey cryptography such as RSA) have been developed^{2}. However, asymmetric algorithms use significant computational resources in comparison with their symmetric counterparts and therefore are generally not used to encrypt bulk data streams. Also, the effectiveness of these encryption techniques relies on the fact that it is computationally hard (but not impossible) to decrypt a message only knowing the public key^{3}. Therefore, the growing computational power and the fact that a key is used more than once remains a latent threat for current algorithmic cryptography. Recently, although the asymmetric key algorithm itself was not broken, the Heartbleed bug in OpenSSL allowed for harvesting private keys from server communications^{4}.
In order to strengthen the process of securely exchanging a private key other hardware oriented approaches have been proposed such as quantum cryptography. However, quantum cryptography, while secure in theory if operating at the quantum level, cannot encrypt information in real time and its key generation rate and transmission distance is limited due to noise and attenuation in the quantum channel^{5}. Also, it is not compatible with standard fiber optic networks because standard telecom components such as optical amplifiers would disrupt its workings^{6}. An interesting alternative electronic approach, similar to the idea of quantum entanglement but limited to wired communications, is presented by Kish^{7}.
A complementary way to improve the confidentiality of an encrypted message can be realized by additionally encoding at the physical layer using chaotic carriers. Chaos based encryption systems rely on two spatially separated chaotic systems to synchronize with each other. Once the two systems are synchronized, the chaotic output of the sender can be used as the carrier in which the message is hidden as a small modulation. The receiver can extract the message by comparing the incoming signal with the synchronized one^{8}. Multigigabit information transmission in real installed optical networks over several tens of kilometers have been demonstrated using this paradigm^{9}. However, the necessity of sharing a chaotic carrier signal over a public channel reveals information on the specifics of the system used. Therefore, these chaos based communication systems offer confidentiality but cannot, for the moment, guarantee security. Such chaos based encryption schemes could augment the security by operating in a bidirectional fashion, whereby the modulating messages from both communicating parties involved perturb the shared synchronization inducing signal. Since both parties have exact a priori knowledge of their own respective modulating signal, they are able to deduce the message imposed on the carrier by the other party^{9,10}. However, an optimized hardware solution (compatible with software methods) for confidential data transmission, possibly operating at the high bit rates that photonics offers, is currently lacking and highly desired.
Encryption Key Distribution Via Chaos Synchronization
The goal of our work is to demonstrate a system which can encrypt data in a new way, with a high level of security and which can be built using current offtheshelf components. We propose a concept, built here in electronics, that later can be developed in photonics. We refer to the scheme as key distribution based on synchronized random bit generation. It relies on the synchronization between a transmitter and a distant receiver through an uncorrelated chaotic driver signal. From the synchronized chaotic signals, a random key can be distilled that would be extremely difficult to be reconstructed from the information shared in the public channel. Figure 1 shows the conceptual scheme, with a transmitter module on the left hand side and a receiver module on the right. Transmitter and receiver can communicate with each other over a public channel. The transmitter module contains an autonomous chaotic driver and a chaotic responder system, while the receiver module has a chaotic responder system identical to the chaotic responder of the sender module. Both driver and responder consist of several interacting/networked nonlinear elements. The driver generates a broadband chaotic signal, which is sent to both responders via a public channel. If both responders are practically identical, synchronization between the responders of the transmitter and receiver modules can be established through the signal of the chaotic driver. To this end, the responder systems need to react consistently to the chaotic driver, meaning that given identical inputs, regardless of their respective initial internal states, the responder states eventually synchronize to each other^{11,12}.
If the driver and responders generate sufficiently complex dynamics (typically if these signals originate from a large network or highdimensional nonlinear system), the generalized synchronization allows that the driver signal can have low to zero correlation and mutual information with the responder’s signal^{13}. This has been proven to be the case for many other interdependence indicators^{14}. From the broadband chaos at the output of the sender module’s responder, random bits can be generated by sampling the chaotic time evolution and by converting analog signals to digital. These bits will form the private key that is used to encrypt a message. The encrypted message as well as the driver’s signal are transmitted through the public channel. At the receiver module, the synchronized responder generates the same random bit sequence as was used for the encryption, allowing for immediate message decryption. Note that the proposed system, which we experimentally prove the viability of in this paper, differs significantly from standard chaosbased communications. In such systems, the message is either hidden as a lowpower perturbation of the chaotic carrier or the chaotic carrier itself is used as the key. In our proposed system, an eavesdropper cannot derive information regarding the decryption key from just eavesdropping in the public channel, due to the unknown transformation that the driver signal undergoes in the responders.
This approach has several advantages compared to asymmetric keyalgorithms, standard chaosbased communications and quantum key distribution systems. While the onetime pad key, that has the same length as the total message, is being generated bit per bit, the message can be encrypted in realtime, meaning without a computationally expensive operation. Because the key is derived from a chaotic signal, the same key will not be generated twice. These properties lead to a very attractive encryption protocol.
The proposed method hinges upon the identical properties of the receivers, such that we see a hardware implementation being deployed between largevolume data exchange facilities, where control over the physical access to the devices is guaranteed. The security is offered by the difficulty to access the hardware so that there is no chance to extract its dynamical signal transformation. Practically speaking, the method we present can be fully translated to the digital domain by being implemented as delaycoupled iterated maps using a field programmable gate array (FPGA) or application specific integrated circuit ASIC). The parameters of the delay coupled maps that control the dynamical behavior of the system can then be seen as a preshared key.
One obvious attack vector would be to duplicate the exact system that is used on the receiver’s side. However, synchronization can only be achieved when the responder system is build with devices having very similar parameters (within tolerances of a few percent or less). For an electronic implementation (as demonstrated below) the receivers could be made almost identical and truly unique by pairwise growing them sidebyside on a single wafer and/or by pairwise lasertrimming the onchip resistors. Consequently, a bruteforce attack by stepping hardware devices would be overly time consuming.
A second attack vector is a brute force one with an eavesdropper measuring the signals locally at either the sender or receiver site and reconstructing the highdimensional, nonlinear transformation function connecting the driver’s and responder’s signals. Note that for this attack vector to succeed, physical access to a receiver is a prerequisite, that given the application site, may be easily blocked. We will discuss this issue further in the text.
Hence, to ensure high confidentiality of the message two challenging requirements remain. First, the key needs to be indistinguishable from a random bitstream. This will depend on the properties of both the chaotic driver and the responders. Second, information on the generated random key cannot be retrieved from the chaotic driver signal and its properties. Therefore, to achieve random key synchronization, we need to demonstrate chaos synchronization through a driving signal that has almost zero correlation with the responder signals. The chaotic signals should be broadband enough to support fully random bit extraction. Moreover, the system must be built in such a way that noise cannot disrupt its operation.
As seen from Fig. 1, it is a necessity that the driver signal and the encrypted message remain in synchrony. We assume that the branches of the public channel delay the driver and encrypted message signals equally, such that the signals remain synchronized in time. In an analog implementation, this requires the same group velocity over the transmission media. In a practical telecom setup, the analog driver signal is likely to be digitized first and put into numbered frames, before being transported over the same physical medium as the digital encrypted message. Thus synchronization would be guaranteed by the higher layers of the communication protocol.
Experimental Setup
In the following, we describe the experimental electronic system that we have constructed to demonstrate the concept. The system uses several first order nonlinear blocks (NLBs) as depicted in Fig. 2. A single NLB consists of a nonlinear unimodal function, built around a bipolar transistor. The nonlinear function is followed by an RC network, acting as a lowpass filter with a characterisitc time of 33 μs, and a noninverting × 2 amplifier. The dynamical behavior of an NLB is adequately modeled by:
where the nonlinearity f is described by the MackeyGlass^{15} function Eq. (2):
with parameters A = 1.99, B = 0.466 V^{−1}, and exponent n = 8.38. The purpose of the amplifier is to map the input and output dynamic ranges, roughly 0 … 3 V, onto each other. It also acts as a buffer, such that NLBs can be cascaded. The resistor of the RC network is chosen much larger than the output resistance of the nonlinearity. In Fig. 3, we show a diagram of the complete system, which consists of a chaotic signal source, called the driver, and two ideally identical responder branches. The driver has eight NLBs, placed in a ring with a delay τ and programmable gain G_{d}. Labeling v_{d,i} for i = 1 … 8, the output voltages of the NLBs, the driver is described by:
and is the output of the driver. The MackeyGlass nonlinearity with delay belongs to the class of highdimensional dynamical systems^{16}.
Because the delay and the NLBs are commutable, the driver circuit is equivalent to eight NLBs, each coupled with delay τ/8 in between. This is reminiscent of an eightfold MackeyGlass system. The driver signal passes a programmable gain G_{r}, and drives two responder branches, each consisting of four NLBs. The signals of the first responder branch v_{r1,i}, i = 1 … 4 are described by:
and . Similar equations describe the signals of the second responder branch. Much care was taken to match the corresponding components of both responders as closely as possible, in order to obtain a near identical response to the driver signal. This is achieved by using resistors with one percent tolerance, and matching the transistors and capacitors of corresponding placement in the branches. A more practical integrated circuit approach, where both responders are manufactured on a single wafer which is sliced afterwards, would yield even better matching. Note only the pairwise NLBs of the responders require matching. Within a responder, the NLBs may differ from one another, and this can even be exploited to guarantee a unique transformation. The delay and gains reside on a Digilent Nexys II field programmable gate array (FPGA) platform, which also provides storage memory for the measured signals. It is programmed to sample at f_{s} = 250 kHz. The delay line has a length of N = 10000 samples, corresponding to τ = 40 ms ≈ 1212RC.
Results
In Fig. 4, we show the nonlinear inputoutput characteristics for several cascaded NLBs, when scanned slowly, i.e. v_{O} = f ^{(n)}(v_{I}). It is clear from Fig. 4, that each nonlinear transformation adds complexity to the dynamical behavior of the responder and driver signals. Intuitively, because of the unimodal character of f, most output values can originate from two input values, i.e. f^{−1}(y) = {x_{1}, x_{2}}, such that f(x_{1}) = f(x_{2}) = y. Cascading n such (static) functions then leads to 2^{n} possible input values for each output value. Also, the resulting function f^{(n)} has 2^{n−1} local maxima, of which the abscissa, in the limit n → ∞, form a Cantor set.
Figure 5 shows an experimentally obtained bifurcation diagram of the driver. For a wide range of loop gains G_{d}, as programmed in the FPGA based delay line, the driver signal is clearly chaotic. We note that the driver dynamics takes several hundred delay times to reach a steadystate dynamical regime. All subsequent results are measured after this warmup period. In turn, the responders are fully synchronized after a transient period of about 2 ms (linked to the RC time of the NLBs), when started from any initial condition. In Fig. 6, we show measured timeseries of the driver and responders. It is clear that while the responders show nearly identical signals, there is little or no resemblance between the signals of the driver and the responders. To quantize the difference between driver and responder signals, we calculate the normalized root mean square error (NRMSE):
From a measurement of 2 × 10^{6} samples, we obtain: NRMSE(driver, responder1) = 1.419,
NRMSE(driver, responder2) = 1.427, NRMSE(responder1, responder2) = 0.0852, showing that the two responder signals are very much alike, while there is a large difference between the responder and driver. We further characterize the (dis)similarity of these signals by looking at the auto and crosscorrelations. For sampled realvalued signals x(i) and y(i), with i = −n, …, n, the timeaveraged crosscorrelation of a single realization of the signals is calculated as:
with k being the shift between the signals (The signals are zeropadded if an index extends outside [−n, …, n].). The means of the signals are removed, since they convey no information. This process is repeated for many (typically m = 50 … 100) different realizations of the signals to obtain . Then these values are averaged to obtain the crosscorrelation:
Here it is assumed that the processes from which the signals stem are wide sense stationary (WSS), so that . The autocorrelation of x(i) is calculated as above, by taking y(i) = x(i). In what follows, we normalize the correlations to:
since the maximum of the autocorrelation is found at zero shift.
The normalized autocorrelation of the driver, R_{dd}, has extrema at multiples of the delay τ. We plot the autocorrelation for the gain value of G_{d} = 0.8743 in Fig. 7a. The shift is expressed in units of τ. The largest residual peaks, found at ± τ, are below 0.015, as seen in the inset. Although derived from a deterministic system, this is close to the autocorrelation of white noise. We located this optimal gain value by plotting the magnitude of the first four peaks of the normalized autocorrelation as a function of the loop gain G_{d}, in Fig. 7b. For shifts of 5τ and higher, these peaks were found to be negligibly small. From these results, we determined that a gain value of G_{d} = 0.8743 is optimal to minimize the sum of the absolute values of these peaks. In this way, periodic components of the driver signal are almost completely suppressed. This is important because any selfsimilarity in the driver signal might lead to correlations in the responder signals, which are derived from the driver. The bitstreams that are derived from these time series might then also show similarities and fail to appear random. Likewise, the crosscorrelations of the driver and responder signals, R_{dr1} and R_{dr2}, show peaks at or close to multiples of τ. In Fig. 8, we show the crosscorrelation between the driver and responder 1 for gain G_{r} = 1.1811. The largest peak is below 0.03. The situation for responder 2 is similar. As before and shown in Fig. 8b this optimal gain value was determined such that the absolute sum of the peaks is as low as possible. Conversely, as shown in Fig. 9a, the responders have a near perfect correlation, as was already indicated by their low NRMSE. In Fig. 9b, the autocorrelation of responder 1, R_{r1r1} is shown, indicating that the noise like behavior is inherited from the driver signal. The autocorrelation of responder 2, R_{r2r2}, is very similar to that of responder 1, and therefore is not shown.
To summarize, because the responder signals are nearly identical, the bitstreams derived thereof will also be nearly identical. The bitstream derived from the driver signal will inherit its very low longterm autocorrelations. More so, the low crosscorrelation between the driver and the responders will result in nearly uncorrelated bitstreams. To be able to adequately suppress the crosscorrelation between the driver and the responders, the responder branches need to have a sufficient number of nonlinear nodes. In similar experiments in photonics, where each responder consisted of only one laser, driven by a random phase light source, the residual crosscorrelation was as high as 0.2 and the driver signal was noiselike, implying higher correlation within the relevant bandwidth^{17,18}. These systems are based on synchronized semiconductor lasers. In a cascade of unidirectionally coupled semiconductor lasers the synchronization is likely to be intermittently lost in a process called bubbling^{19}. In a related work, for a mutually coupled laser arrangement using zero lag synchronization, an extensive reconciliation post procedure was needed to transform the merely correlated bitstreams to truely identical bitstreams usable as key over a public channel^{20}. In addition, over the last decade, a number of classical private key distribution systems have been proposed using diverse physical systems either in electronics or photonics hardware^{21,22,23}.
Bit Generation
Here, we introduce a scheme for generating bits from the driver and responder signals that we call the delayed comparison method (DCM). The method automatically delivers balanced bit series. For this method to work, it is only required that the driver and responder signals, interpreted as random processes, are wide sense stationary (WSS)^{24}. If we compare two instances of such a process X(t) at times t_{1} and t_{2}, the probability that the first measurement is smaller than the second one is:
Because X(t) is WSS, its mean μ_{X} and variance σ_{X} are constant. Defining Y(t_{1}, t_{2}) = X(t_{1}) − X(t_{2}) as the random process of the difference, it follows that μ_{Y} = 0. Also, the probability density function of Y only depends on the time difference τ = t_{1} − t_{2} and can be written as f_{Y}(y; τ). Thus:
and likewise:
Note that Y(t) also has zero skew, assuming that X(t) has a constant median ν_{X} besides a fixed mean and variance:
with ν_{Y} the median of Y. Thus the probability density function f_{Y}(y, τ) must be symmetric around the origin. Hence P{Y ≤ 0} = P{Y ≥ 0} = 1/2, or:
We proceed as follows to obtain the bits from the timeseries. First the timeseries x(n) are downsampled over a factor r, where r is chosen larger than the width of the central autocorrelation peak. This is the decorrelation step, used to avoid long successions of the same bit value. Then the resulting timeseries x(rn) is transformed into a series of bits b(n) as follows:
which is the deskewing step. Note that because the time series samples are discretized, there is a small probability that two samples are equal, such that Eq. (14) introduces a small bias. This can be resolved by choosing alternating values for the bits resulting from these equal samples. However, we found this to be unnecessary, and used Eq. (14) as is. Lastly, every other bit of b(n) is discarded, yielding the final bit series B(n):
Without this last step, one sample of the time series would be used for the generation of two bits. This repetition would eventually show up in the frequency tests to evaluate randomness. Figure 10 gives a schematic outline of the process. Since choosing a different rinterval results in a different bit series, it is clear that the process outlined in Fig. 10 can be applied in parallel to produce multiple bit series from one time series, thus showing an advantage in speed. For multiple intervals r_{i}, the bitrate is given by:
with f_{s} being the sample speed of the responder timeseries. Using rintervals 81, 123, 234, 441 and 619, we obtained 22 million bits. The probability to obtain a ‘one’ for the driver and responders bitstreams are:
resulting in nearly maximal entropies of respectively:
The conditional probability matrix of the resulting bit series for the responders, P_{r1,r2}(i, j) = P{r1 = ir2 = j} with i, j ∈ {0, 1}, is:
and between driver and responder 1:
The probabilities between the driver and responder 2 are similar to those between the driver and responder 1. The mutual information between the driver and responder 1 calculates as I_{r1;d} = 7.3 · 10^{−7}, showing that in the event an eavesdropper is able to obtain the rintervals, still very little information can be obtained from the inchannel key about the responder key.
The random bits were divided in 55 sequences of 400.000 bits each. We tested these sequences with the National Institute of standards test suite for random bit streams^{25}. In Table 1, we shows the results. Where a test has more than one result, the worst result is shown. The results file states that the minimum pass rate for each statistical test, with the exception of the random excursion (variant) test, is approximately 52 for a sample size of 55 binary sequences. The minimum pass rate for the random excursion (variant) test is approximately 21 for a sample size of 23 binary sequences. We conclude that the bits generated by the delay comparison method show no signs of deviation from randomness.
Demonstration On Lena
We demonstrate our encryption scheme on the “Lena” test image, as shown in Fig. 11. This grayscale version of the image consists of 512 × 512 8bit pixels. The source image ① is encrypted with the signal of responder 1 transformed to a bitstream as described before, using an exclusiveor operation, indicated by the symbol ⊗ in the figure. This is equivalent to a modulo2 addition. The exclusiveor based encryption is known to be vulnerable to a plaintextattack. If the message is longer than the key and the same key is used repetitively, a known plaintext together with the encrypted message can readily reveal the key. However, in our case the key is generated onthefly and used only once, such that this scheme is equivalent to a Vernam cypher or onetimepad encryption. Since the bits of the message and the key are independent random variables, the probability of a ‘1’bit occurring in the encrypted message is:
and likewise P{encrypted = 0} = 1/2. Thus the encrypted message is a seemingly random bitseries, showing no information about the message or the key. The encrypted message and the key are both transmitted to the receiver over the public channel. It is important that the relative phases of the key and message remain the same, once these signals reach the receiver side. In practice, this is straightforward to achieve by using established telecommunication techniques such as digitization and framing or packaging. The driver or key signal drives responder 2 in synchronization with responder 1. The bitstream derived from the signal of responder 2 is then used to decrypt the message ②, again by means of an exclusiveor operation. Some small artefacts are visible in the decrypted image, because the synchronization between the responder signals in this proofofconcept demonstration is not perfect. Since the bit error rate is close to 0.025, an 8bit pixel will have a probability of (1–0.025)^{8} ≈ 0.82 to be flawless. However, not all bit errors will result in visible pixel errors. Apart from extra error correction, we suggest methods for further improvement on this figure in the discussions section of this paper. Due to the unencrypted message and the responder’s bitstream being statistically independent, the encrypted message ③ is also a balanced bitstream with the same properties as the key. The message cannot be decrypted properly by an eavesdropper using the key found in the public channel, due to the uncorrelated nature of these bitstreams ④. In Fig. 12, we show the encrypted and decrypted messages again in a larger format for reference.
A Possible Attack Using A Basis Splines Volterra Series
A possible first step in an attack on this encryption method would be to try to perform a system identification, using a set of known driver and responder signals. Note that for this method to work, an attacker needs to somehow obtain the responder signal which is not present in the channel. An up to date method for finding generalized synchronization between signals, i.e. showing how one signal is in some deterministic way derived from another, is given in ref. 26. The method is called the Functional Synchrony Model (FSM). Within the framework of FSM, a system F which transforms an input signal x(t) for t = 1 … N to an output signal y(t) = F[x](t) is modeled as a Volterra series of order n. Here the input x would be the driver signal and the output y the responder signal, with F the transformation performed by the responder system. The estimated output signal y_{E}(t) is a sum of Volterra functionals. In ref. 26, the basis B consists of M cubic bsplines. These span a vector space of thirdorder piecewise polynomials with smooth nonlinearities, uniquely determined by a knot sequence τ_{M} on the memory interval [0, M]. Once a knot sequence is chosen, the spline functions are fully specified and can be built using the de Boor algorithm^{27}. If the knots are uniformly spaced, the bsplines are simply shifted copies of each other and called cardinal bsplines. In ref. 26 both uniformly and nonuniformly spaced knots are used, the latter chosen to support maxima in the crosscorrelation of the timeseries x and y.
The final model is linear with respect to the coefficients that make up the sum of the covariates. This can be solved by any number of methods. In ref. 26, elastic net regularization is used, which is further explained in ref. 28. This method seeks the coefficients for which:
with ·_{1} the L_{1}norm and ·_{2} the L_{2}norm. For β = 0 this is a ridge regression, placing a penalty on large coefficients to avoid overfitting. Choosing β = 1 yields a lasso regression, resulting into a sparse set of nonzero coefficients. With a β parameter between one and zero, both properties can be obtained, resulting in the selection of the most important features in the data, while at the same time assuring the model generalizes well. Parameter λ regulates the severity of the penalty. The level of accuracy of the resulting model is measured using the NRMSE Eq. (5) and the Pearson correlation coefficient :
with , the covariance between the ideal and the estimated model output. The evaluation of the model is applied on a separate validation data set.
We implemented the above FSM scheme in a Python script, which was verified using the following MackeyGlass system:
as in ref. 26, where it is shown that a single transformation x(t) = ξ(t − τ) → y = ξ(t) can be predicted with Pearson correlation coefficient that is close to unity. Table 2 states the parameters we used, and the resulting Pearson correlation coefficient. Figure 13a shows the input and desired output signal. Figure 13b shows a scatter plot of the FSM estimated signal vs. the desired signal, which is very much in line with what is found in ref. 26. This also indicates that a single MGlike transformation is not safe for encryption purposes.
We applied the FSM methodology, with the sampled driver signal v_{d} as input and the responder signal v_{r1} as output, in an attempt to characterize Eq. (4). The responder signals decay in about one millisecond or 250 samples at the chosen sampling rate. Therefore, we chose the spline window to be 400 samples to cover this interval. Table 3 states the parameters for the best results we could obtain, while keeping the computation time reasonable. We applied a nonuniform knot sequence, where the knots support the highest maxima of the crosscorrelation of the driver and responder signals in the given window. Using a thirdorder approach results in 3276 covariates. The 25 bsplines are shown in Fig. 14a. As is clear from the scatter plot, Fig. 14b, the estimated responder signal v_{r1,E} bears little resemblance to the actual signal v_{r1}. The time needed to determine the coefficients from a training time series of 30000 samples and building the testing time series of 1 million samples, was well over ten hours on an Intel dualcore laptop working at 2.4 GHz. A fourth order FSM with 25 bsplines would have 23751 covariates. We estimate that the training alone would take several days and, as suggested in ref. 26, any gain in information is easily negated by increasing the number of NLBs in the responders.
Even if the responder signal could be effectively predicted from the driver signal, an attacker would somehow still need to obtain the rintervals used in the delayed comparison method to calculate the bit series. Note these intervals may be hardwired in the responders before deployment to the field and made to be even unknown to the manufacturer. We have generated the bit series resulting from the estimated responder time series, under the assumption that the attacker somehow got hold of these intervals and compared these to the bit series generated from the actual responder signal. The sample size was 14318 bits. The resulting conditional probabilities show little correlation:
which is what we expected, given the low correlation between the estimated and real responder signal.
Discussion
A new method for distributing encryption keys based on synchronization of driven chaotic systems has been presented. The resulting keys have passed the NIST test suite, showing no distinction from a true random bit series. The keys have the same length as the message and the encryption is done by using an exclusiveor operation. Therefore, the encryption/decryption scheme is similar to a Vernam cipher, which is proven to be unbreakable, given that the eavesdropper has no information about the key. The key is used only once and has the same length as the message.
We have demonstrated a proofofconcept setup, based on an analog electronic system. The responderresponder synchronization is not perfect, as expected for a circuit that is made with discrete components. Nevertheless, the viability of the concept has clearly been shown. More sophisticated implementations could use delay coupled driven digital iterated maps. These can be directly implemented on a field programmable gate array or application specific integrated circuit. In previous unpublished experiments, we used six NLBs in the driver and three NLBs in each responder. However this was found to be insufficient to obtain the nearnoise like autocorrelation in the driver. A fully digital implementation could easily contain even more NLBs.
Another method to obtain closely matched responder signals is to construct the analog responder circuits on a single integrated circuit wafer, which is cut after production. In this way, naturally occurring or deliberately induced process variations can be harnessed to produce truly unique systems. The driver signal can then be transmitted over a digital network, utilizing the error correction facilities already present, and converted back to analog right before entering the responder circuits. The downside of this setup would be that failure of a device on one end necessitates replacement on both ends.
A possible attack using a stateoftheart synchronization detection method aimed at mimicking the responder system has been shown to be ineffective. In addition, the delayed comparison method for generating random bits inherently offers a second layer of safety through the unknown values and number of rintervals. An attacker would need an estimate of the rintervals close to the number of samples equalling the width of central peak in the driver autocorrelation. It is clear that increasing the number of NLBs and rfactors beyond what has been demonstrated here, leads to an increasingly complex signal transformation and thus a higher degree of confidentiality against these kind of attacks. The connection between the difference of two rintervals and the resulting difference in bitstreams is still to be investigated. Note that since the rvalues are easily reconfigured at runtime, this system could provide addressable decryption capabilities to multiple connected receivers. The concept and method presented in this manuscript is suitable for photonic implementations, compatible with current telecom infrastructures. As optical implementations, the system can e.g. be developed using electrooptical systems, which were originally proposed by Neyer and Voges^{29}. A good overview of these systems is given by Larger^{30}. The first application of an electrooptical system to chaos encryption was shown by Goedgebuer et al.^{31}. This system uses a nonlinear delay feedback loop illuminated by a CW semiconductor laser. The nonlinearity is implemented through a MachZehnder modulator, which is a customized integrated optics telecom device. While having good stability and controllability in real conditions, it also has architectural flexibility so that some components can be replaced to change speed, noise, efficiency etc. or to modify the architecture (additional delays, transformations etc.). An alternative setup used for generating phase chaos can also be used. In this system, the intensity modulator MZM is replaced by two other devices, namely a fast phase modulator (PM) and an imbalanced passive MachZehnder interferometer (MZI), with the time imbalance longer than the characteristic time of the phase modulation. The dynamics of both systems are Ikedalike and exhibit similar synchronization properties to the electronic circuits studied here^{13}.
Additional Information
How to cite this article: Keuninckx, L. et al. Encryption key distribution via chaos synchronization. Sci. Rep. 7, 43428; doi: 10.1038/srep43428 (2017).
Publisher's note: Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
 1
Vernam, G. S. Cipher Printing Telegraph Systems For Secret Wire and Radio Telegraphic Communications. Journal of the IEEE 55, 109–115 (1926).
 2
Rivest, R. L., Shamir, A. & Adleman, L. A method for obtaining digital signatures and publickey cryptosystems. Commun. ACM 21, 120–126 (1978). http://doi.acm.org/10.1145/359340.359342.
 3
Atkins, D., Graff, M., Lenstra, A. & Leyland, P. The Magic Words are Squeamish Ossifrage. In Proceedings of Asiacrypt ‘94 263–277 (SpringerVerlag, 1994).
 4
The openSSL Heartbleed bug. http://heartbleed.com/ (2014) [Online; accessed 2July2015].
 5
Bennett, C. H. & Brassard, G. Quantum cryptography: public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, (IEEE, New York, 1984).
 6
Gerhardt, I. et al. Fullfield implementation of a perfect eavesdropper on a quantum cryptography system. Nature Commun 2 (2011).
 7
Kish, L. B. Totally secure classical communication utilizing Johnson(like) noise and Kirchoff’s law Phys. Lett. A 352, 178–182 (2006).
 8
Cuomo, K. M., Oppenheim, A. V. & Strogatz, S. H. Synchronization of Lorenzbased chaotic circuits with applications to communications. IEEE TCAS II: Express Briefs 40, 626–633 (1993).
 9
Argyris, A. et al. Chaosbased communications at high bit rates using commercial fiberoptic links. Nature 438, 343–346 (2005).
 10
Porte, X., Soriano, M. C., Brunner, D. & Fischer, I. Bidirectional private key exchange using delaycoupled semiconductor lasers. Opt. Lett. 41 (2016).
 11
Uchida, A., McAllister, R. & Roy, R. Consistency of nonlinear system response to complex drive signals. Phys. Rev. Lett. 93 (2004).
 12
Soriano, M. C., Van der Sande, G., Fischer, I. & Mirasso, C. R. Synchronization in simple network motifs with negligible correlation and mutual information measures. Phys. Rev. Lett. 108 (2012).
 13
Van der Sande, G., Soriano, M. C., Fischer, I. & Mirasso, C. R. Dynamics, correlation scaling, and synchronization behavior in rings of delaycoupled oscillators. Phys. Rev. E 77 (2008).
 14
Kato, H., Soriano, M. C., Pereda, E., Fischer, I. & Mirasso, C. R. Limits to detection of generalized synchronization in delaycoupled chaotic oscillators. Phys. Rev. E 88 (2013).
 15
Mackey, M. C. & Glass, L. Oscillation and chaos in physiological control systems. Science 197, 287–289 (1977).
 16
Farmer, J. D. Chaotic attractors of an infinitedimensional dynamical system. Physica D: Nonlinear Phenomena 4, 366–393 (1982).
 17
Aida, H. et al. Experiment on synchronization of semiconductor lasers by common injection of constantamplitude randomphase light. Opt. Express 20, 11813–11829 (2012).
 18
Koizumi, H. et al. Informationtheoretic secure key distribution based on common randomsignal induced synchronization in unidirectionallycoupled cascades of semiconductor lasers. Opt. Express 21, 17869–17893 (2013).
 19
Flunkert, V., D’Huys, O., Danckaert, J., Fischer, I. & Schöll, E. Bubbling in delaycoupled lasers. Phys. Rev. E 79 (2009).
 20
Kanter, I. et al. Synchronization of random bit generators based on coupled chaotic lasers and application to cryptography. Opt. Express 18, 18292–18302 (2010).
 21
Scheuer, J. & Yariv, A. Giant Fiber Lasers: A New Paradigm for Secure Key Distribution. Phys. Rev. Lett. 97 (140502) (2006).
 22
Yoshimura, K. et al. Secure Key Distribution Using Correlated Randomness in Lasers Driven by Common Random Light. Phys. Rev. Lett. 198 (070602) (2012).
 23
Tonello, A. et al. Secret key exchange in ultralong lasers by radiofrequency spectrum coding. Light Sci. Appl. 4 (e276) (2015).
 24
Hsu, H. Schaum’s outlines analog and digital communication 2nd edn. (McGrawHill, 2003).
 25
Bassham, L. E. et al. A statistical test suite for random and pseudorandom number generators for cryptographic applications. Tech. Rep., National Institute of Standards & Technology, Gaithersburg, MD, US (2010) http://csrc.nist.gov/groups/ST/toolkit/rng/index.html.
 26
Schumacher, J., Haslinger, R. & Pipa, G. Statistical modelling approach for detecting generalized synchronization. Phys. Rev. E 85 5 Pt 2 (2012).
 27
de Boor, C. A practical guide to splines 1st edn. (SpringerVerlag, New York, 2001).
 28
Zou, H. & Hastie, T. Regularisation and variable selection via the elastic net. Journal of the Royal Statistical Society B 67, Part 2, 301–320 (2005).
 29
Neyer, A. & Voges, E. Dynamics of electrooptic bistable devices with delayed feedback IEEE Journal of Quantum Electronics 18 (12), 2009–2015 (1982).
 30
Larger, L., Complexity in electrooptic delay dynamics: modelling, design and applications Philosophical Transactions of the Royal Society A 371 (1999) (2013).
 31
Goedgebuer, J. P. et al. Optical communication with synchronized hyperchaos generated electrooptically IEEE Journal of Quantum Electronics 38 (9), 1178–1183 (2002).
Acknowledgements
MCS was supported by the Conselleria d’Innovació, Recerca i Turisme del Govern de les Illes Balears and the European Social Fund. The work of MCS has also been supported by the Spanish Ministerio de Economia, Industria y Competitividad through a “Ramon y Cajal” Fellowship (RYC201518140). LK and GVDS were partly supported by the Belgian Science Policy Office under Grant No IAP7/35 “Photonics@be” and by the Science Foundation  Flanders (FWO). RMN acknowledges the support of the FNRS (Belgium). GVDS thanks the Research Council of the VUB.
Author information
Affiliations
Contributions
The proposed concept originated from discussions between G.V.D.S., M.S., I.F. and C.M. L.K. designed, built and performed the experiment. All authors contributed to the manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare no competing financial interests.
Rights and permissions
This work is licensed under a Creative Commons Attribution 4.0 International License. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in the credit line; if the material is not included under the Creative Commons license, users will need to obtain permission from the license holder to reproduce the material. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/
About this article
Cite this article
Keuninckx, L., Soriano, M., Fischer, I. et al. Encryption key distribution via chaos synchronization. Sci Rep 7, 43428 (2017). https://doi.org/10.1038/srep43428
Received:
Accepted:
Published:
Further reading

Pattern generation and symbolic dynamics in a nanocontact vortex oscillator
Nature Communications (2020)

Stable HighSpeed Encryption Key Distribution via Synchronization of Chaotic Optoelectronic Oscillators
Physical Review Applied (2020)

Numerical study of optical feedback coherence in semiconductor laser dynamics
Optics Letters (2019)

Chaotic PolarizationAssisted ${L}$ DPSKMPPM Modulation for FreeSpace Optical Communications
IEEE Transactions on Wireless Communications (2019)

A parallelizable chaosbased true random number generator based on mobile device cameras for the Android platform
Multimedia Tools and Applications (2019)
Comments
By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.