1 Introduction

A pseudo-random number generator (PRNG) produces sequences which resembles to a sequence of true random numbers, but they are computed from an initial seed value by some algorithm, and therefore they are completely deterministic [1]. Recently, chaos have been widely used for secure communications and encryption [2], and chaotic systems are often used as the core component of PRNG [3]. A cryptographically secure PRNG, in addition to common requirements, should be highly unpredictable, and it should be computationally unfeasible to compute any preceding bits based on some known part of output sequence [1].

However, great number of existing PRNGs suffer from serious security problems, and therefore they are not safe for the use in cryptographic systems. A problem that is very often encountered in chaos-based PRNGs is problem with weak keys and equivalent keys. In great number of chaos-based PRNGs, the control parameters of the used chaotic systems are based on the secret key. In the case when the process of obtaining the control parameters from the secret key have certain shortcomings, there is a possibility that chaotic system used in PRNG could evolve in an non-chaotic way [4]. In this situation, PRNG cannot produce pseudo-random numbers required by the cryptosystem.

For example, in pseudo-random number generator based on pseudorandomly enhanced logistic map [5], initial condition and control parameter are calculated on the basis of secret key. However, approximately \(2^{50}\) different secret keys produce the same initial condition and control parameter of enhanced logistic map, which makes this PRNG non-resistant to brute-force attack [6]. Above example indicate that there is a need for a thorough security analysis of key space of existing PRNGs.

Another problem that is very often encountered in PRNG design is predictability. Although cryptographically secure PRNG should be highly unpredictable, it is often very easy to compute preceding bits based on some known part of output sequence. For example, Mersenne Twister is very fast PRNG which is considered unsafe for the use in cryptographic systems because only 624 iterations is required in order to determine all of the parameters needed to predict its next output bit [7]. For this reason, serious security analysis of predictability of existing PRNGs is needed in order to determine which PRNG could be used in cryptographic systems.

PRNGs are very important part of image encryption algorithms. Security of image encryption algorithms depends largely on quality and security of its underlying PRNG. For example, PRNG presented in paper [8] have equivalent secret keys which can be used for decryption of cipher-images of certain size [9, 10]. Image encryption algorithm proposed in paper [11] use PRNG, however, presence of weak keys and equivalent keys was established [12]. Image encryption algorithm based on nonlinear chaotic algorithm is breakable through different attacks of variable complexity because chaotic map used for generation of pseudo-random numbers has a non-uniform distribution [13]. Chosen-ciphertext attack can be used in order to obtain the equivalent version of the secret key of an image encryption algorithm with compound chaotic stream cipher based on perturbation [14]. Image encryption algorithm based on chaos and line map is vulnerable to differential cryptanalysis which demonstrates that the security of the scheme depends only on the permutation key [15]. Besides these, there are many other examples of cryptanalyzed image encryption algorithms.

In [1] the pseudo-random bit generator based on multi-modal maps is proposed. This PRNG is proposed as a cryptographically secure PRNG which should be able to resist the chosen-plaintext attack. Unfortunately, security analysis revealed existence of serious security problems. In analyzed PRNG, initial values of chaotic map are used as a secret key. Security analysis revealed that many values of multi-modal map lead to non-chaotic behavior, causing the existence of a certain number of weak keys. Therefore, it is not safe to choose secret key in completely random manner.

Also, based on certain number of consecutive output bits, an attacker can recover the initial values of this PRNG with attack which complexity is significantly less than estimated key space. It is considered that some cipher or PRNG is broken if attacker can exploit perceived weaknesses with a complexity lower than a estimated key space [16]. Cipher or PRNG must have more than \(2^{128}\) different secret keys in order to resist brute-force attack [17]. Although the example of cipher based on this PRNG (when \(k=3\)) should be able to resist the chosen-plaintext attack, it is possible to carry out successful known-plaintext attack with the complexity less than \(2^{128}\).

The rest of this paper is organized as follows. In Sect. 2, the analyzed PRNG and gray-scale image cryptosystem based on this PRNG are described. Security analysis of analyzed PRNG and cipher based on this PRNG is presented in Sect. 3. In Sect. 4, the conclusions are drawn.

2 Description of the analyzed PRNG

In paper [1] PRNG is presented, which use k-modal map and a combination of its k-time series. This PRNG can be used for \(k>0\), and in the paper [1] example for \(k=3\) is presented and analyzed. In this paper, we will, for purposes of clarity, present only the case in which \(k=3\). For general case of the analyzed PRNG, please see reference [1].

An example of the k-modal map when \(k=3\) have 3 subintervals, and it is presented by the following equation:

$$\begin{aligned} f_{\beta }(x) = \beta {\left\{ \begin{array}{ll} {(\frac{1}{3}-x)\cdot x,} &{}\quad {\hbox {for} x\in [0,\frac{1}{3});}\\ {(\frac{2}{3}-x)\cdot (x-\frac{1}{3}),} &{}\quad {\hbox {for} x\in [\frac{1}{3},\frac{2}{3});} \\ {(1-x)\cdot (x-\frac{2}{3}),} &{}\quad {\hbox {for} x\in [\frac{2}{3},1];}\\ \end{array}\right. } \end{aligned}$$
(1)

where \(\beta \in [0,36]\). Depending on the value of this parameter the system can be unimodal, bi-modal, or tri-modal. In general case map have k subintervals and \(\beta \in [0, 4\cdot k^2]\).

The example of PRNG proposed in [1] for \(k=3\) is described by following steps.

  • Step 1: Set the value of \(k>0\). In this example \(k=3\).

  • Step 2: Compute the values of \(\beta _j\), for \(j=1,\ldots ,k\), by following formulas: \(\beta _1=4\cdot k\); \(\beta _j=j\cdot \beta _1\); for \(j\ge 2\). For \(k=3\), \(\beta _1=4\cdot 3=12\), \(\beta _2=2\cdot 12=24\) and \(\beta _3=3\cdot 12=36\).

  • Step 3: For each \(j\le k\), split the domains of functions \(f_{\beta _j}(x)\) into \(2\cdot j\) regions \(\delta _{1}^j,\ldots ,\delta _{2\cdot j}^j\) which are separated by the values \(a_{1}^j,\ldots a_{2\cdot j-1}^j\). For \(k=3\), there are three functions \(f_{\beta _j}(x)\). Function \(f_{\beta _1}(x)\) is defined in interval \(x\in [0,\frac{1}{3})\) which is divided into two regions \(\delta _{1}^1\) and \(\delta _{2}^1\) split by \(a_{1}^1=\frac{1}{6}\). For each \(x_{i+1}^1=f_{\beta _1}(x_{i}^1)\) corresponding value of \(\zeta _{i+1}^1\) is obtained in following way. If \(x_{i+1}^1\in \delta _{1}^1\) (\(x_{i+1}^1<a_{1}^1\)), then \(\zeta _{i+1}^1=0\). If \(x_{i+1}^1\in \delta _{2}^1\) (\(x_{i+1}^1>a_{1}^1\)) then \(\zeta _{i+1}^1=1\). Intervals for the other two functions are divided in a similar way. Function \(f_{\beta _2}(x)\) is defined in interval \(x\in [0,\frac{2}{3})\) which is divided into four regions \(\delta _{1}^2,\delta _{2}^2,\delta _{3}^2,\delta _{4}^2\) separated by \(a_{1}^2=0.1521, a_{2}^2=0.40174, a_{3}^2=0.5954\). If \(x_{i}^2\in (\delta _{1}^2\cup \delta _{3}^2)\), then \(\zeta _{i}^2=0\), otherwise \(\zeta _{i}^2=1\). Function \(f_{\beta _3}(x)\) is defined in interval \(x\in [0,1]\) which is divided into six regions \(\delta _{1}^3,\ldots ,\delta _{6}^3\) separated by \(a_{1}^3=0.1465, a_{2}^3=0.396, a_{3}^3=0.639, a_{4}^3=0.8335, a_{5}^3=0.9572\). If \(x_{i}^3\in (\delta _{1}^3\cup \delta _{3}^3\cup \delta _{5}^3)\), then \(\zeta _{i}^3=0\), and otherwise \(\zeta _{i}^3=1\).

  • Step 4: A k chaotic sequences, based on initial values \(x_{0}^1,\ldots ,x_{0}^k\), are generated by \(x_{i+1}^j=f_{\beta _j}(x_{i}^j)\). Each sequence \(x^j\) is used to produce binary sequence \(\zeta ^j\) by following procedure described in Step 3. When \(k=3\), initial values \(x_{0}^1,x_{0}^2,x_{0}^3\) are used to obtain binary sequences \(\zeta ^1,\zeta ^2,\zeta ^3\). Finally, output bits of the analyzed PRNG Z are obtained by \(Z_i=\zeta _{i}^1\oplus \zeta _{i}^2\oplus \zeta _{i}^3\).

2.1 Gray-scale image cryptosystem based on the analyzed PRNG

In paper [1], a stream cipher algorithm for gray-scale images is presented, in order to demonstrate the application and quality of the proposed PRNG. Secret key of this cipher consist of initial conditions \(x_{0}^1,\ldots ,x_{0}^k\) of the k-modal chaotic map. According to the IEEE floating-point standard, the computational precision of the 64-bit double-precision number is \(2^{53}\). Key space depends on the number of initial conditions k. In analyzed example, \(k=3\), so the key space is estimated at \(2^{53}\cdot 2^{53}\cdot 2^{53}=2^{159}\)  [1].

This stream cipher is used for encryption of images represented with \(N\times M\) pixels. First, one column of random values \(R(l,1)\in \{0,1,\ldots ,255\}\) is added to the image where \(l=1,\ldots ,N\). This image is called augmented image and its size is \(N\times (M+1)\) pixels. Denote by \(P_i\) bits of augmented image. Then cipher image bits are calculated by:

$$\begin{aligned} C_i = {\left\{ \begin{array}{ll} {P_i\oplus Z_i\oplus IV_i,} &{}\quad {\hbox {for}\quad 0\le i<8;}\\ {P_i\oplus Z_i\oplus C_{i-8},} &{}\quad {\hbox {for}\quad i\ge 8;} \\ \end{array}\right. } \end{aligned}$$
(2)

where \(C_i\) is the ith bit of cipher image, \(Z_i\) is the ith bit produced by analyzed PRNG and IV is an initialization vector of 8 bits.

3 Security analysis

All identified shortcomings of the analyzed PRNG will be shown on the example for \(k=3\) which is presented in detail in paper [1], but these shortcomings exist in the general case as well.

3.1 Weak keys

In analyzed PRNG, initial values of chaotic map are used as a secret key. It is very important that the secret key is selected in a random manner. Therefore, initial values \(x_{0}^1,\ldots ,x_{0}^k\) should be random in order to prevent attacks on the secret key. On the other hand, if initial values of chaotic map are not selected carefully, then it is possible that chaotic map evolves in an non-chaotic way. This problem is especially important in hardware realizations of chaotic maps, because chaotic behavior could be degraded or even lost due to variation in the values of the circuit elements such as capacitance or transconductance ratios [18, 19].

Chaotic k-modal map have certain number of fixed points (\(f_{\beta }(x)=x\)) depending on values of k and \(\beta _j\). When \(k=3\), function \(f_{\beta _1}(x)\) have two fixed points 0 and \(\frac{1}{4}\). If some \(x_{i}^1\) is equal to one of these fixed points, then all subsequent states of \(f_{\beta _1}(x)\) will be equal to each other and therefore all values of \(\zeta _{i+s}^1\), for \(s>0\) will have same value (zero or one). For that reason, instead of three functions, only two functions will have output bits based on chaotic behavior, which reduces security of the analyzed PRNG.

Due to the fact that the chaotic k-modal map is quadratic function, each of these two fixed points can be obtained on the basis of two values, for example \(f_{\beta _1}(0)=f_{\beta _1}(\frac{1}{3})=0\) and \(f_{\beta _1}(\frac{1}{12})=f_{\beta _1}(\frac{1}{4})=\frac{1}{4}\). Each value \(0,\frac{1}{3},\frac{1}{12},\frac{1}{4}\) can be obtained on the basis of two values (8 values in total), and so on. Therefore, if we consider I iterations required to obtain I output bits of analyzed PRNG, there is \(2^I\) values of \(x_{0}^1\) which lead to one of these two fixed points. However, due to constraints caused by discretization of real numbers, the vast majority of these values will be found in the same intervals of length \(\frac{1}{2^{53}}\) which is why a greater number of real values will be represented with the same discretized values.

When we consider functions \(f_{\beta _2}(x)\) and \(f_{\beta _3}(x)\), the number of fixed points is even greater. Function \(f_{\beta _2}(x)\) is piecewise function composed of two quadratic functions and have four fixed points \(0,\frac{7}{24},\frac{69-\sqrt{153}}{144},\frac{69+\sqrt{153}}{144}\) and each of these fixed points can be obtained on the basis of four values, except for 0. Therefore, there is approximately \(4^I\) values of \(x_{0}^2\) which lead to one of these fixed points in I iterations. Function \(f_{\beta _3}(x)\) is piecewise function composed of three quadratic functions and have six fixed points \(0,\frac{11}{36},\frac{35-\sqrt{73}}{72},\frac{35+\sqrt{73}}{72},\frac{54}{72},\frac{64}{72}\) and each of these fixed points can be obtained on the basis of six values, except for 0. Therefore, there is approximately \(6^I\) values of \(x_{0}^3\) which lead to some of these fixed points in I iterations.

If all three initial conditions \(x_{0}^1,x_{0}^2,x_{0}^3\) are equal to some appropriate fixed point, then the analyzed PRNG would generate a sequence in which all bits would be equal to each other. There are \(2\cdot 4\cdot 6=48\) such weak keys. It is not such a big number compared to the total key space of \(2^{159}\) different keys. However, the question is how many keys will lead to a situation where all three values \(x_{i}^1,x_{i}^2,x_{i}^3\) are equal to some of the fixed points. Great number of real values \(x_{0}^1,x_{0}^2,x_{0}^3\) lead to some fixed point; however, the vast majority of these values is lost in the process of discretization. On the other hand, there are some examples of quadratic functions in literature, in which 89% of initial points lead to fixed points [20].

Piecewise chaotic map could guarantee chaotic behavior under the condition that certain guidelines on selecting the initial conditions are followed [21]. However, if initial conditions, which are used as secret key, are chosen by method which is not completely random, then the secret key is susceptible to cryptographic attacks. Because certain number of weak keys exists, analyzed PRNG [1] should be used with caution.

3.2 Cryptanalysis of the analyzed PRNG

Basic property of a cryptographically secure PRNG is unpredictability [1]. PRNG is considered unpredictable if an attacker cannot predict value of next output bit with a probability greater than 50%, based on n consecutive output bits of some PRNG. Also, if PRNG is cryptographically secure, it is computationally unfeasible to compute any preceding bits, based on n consecutive output bits. In this section, we will show that initial values of chaotic k-modal map can be obtained with attacks which complexity is significantly less than estimated key space.

First, we will present attack 1. Assume that the attacker knows the values of the first n output bits of the analyzed PRNG \(Z_0,\ldots Z_{n-1}\). First, attacker should guess values of all \(\zeta _{i}^j\) for \(i<n\) and \(j\le k\). For each i there are \(2^k\) possibilities. However, because attacker know value of \(Z_i\) and \(Z_i=\zeta _{i}^1\oplus \ldots \oplus \zeta _{i}^k\), only \(2^{k-1}\) guesses are needed in order to obtain values of \(\zeta _{i}^j\) for some particular i. For example, when \(k=3\) and attacker try to guess values of \((\zeta _{i}^1,\zeta _{i}^2,\zeta _{i}^3)\), there are 8 possibilities (0,0,0), (0,0,1), (0,1,0), (0,1,1), (1,0,0), (1,0,1), (1,1,0), (1,1,1). However, based on known value \(Z_i\), the number of possible values is reduced to 4. For example, if \(Z_i=0\), then \((\zeta _{i}^1,\zeta _{i}^2,\zeta _{i}^3)\) can have only some of the values (0,0,0), (0,1,1), (1,0,1), (1,1,0). Therefore, instead of \((2^k)^n\) guesses, only \((2^{k-1})^n\) guesses are needed in order to obtain all \(\zeta _{i}^j\).

When the values \(\zeta _{0}^j,\ldots ,\zeta _{n-1}^j\) are known, by using reverse interval mapping [22], attacker can narrow the interval in which the \(x_{0}^j\) is located for approximately \(2^n\) times (up to a precision limit). Example of this process will be shown on function \(f_{\beta _1}(x)\) when \(k=3\). According to Eq. 1, \(f_{\beta _1}(x)=\beta _1\cdot (\frac{1}{3}-x)\cdot x=-12x^2+4x\) which is defined in interval \(x\in [0,\frac{1}{3})\) divided into two regions \(\delta _{1}^1\) and \(\delta _{2}^1\) split by \(a_{1}^1=\frac{1}{6}\). Assume that the attacker knows the first 3 values of \(\zeta _{i}^1\) which will in this example be \(\zeta _{0}^1=0\), \(\zeta _{1}^1=0\) and \(\zeta _{2}^1=1\). Therefore, \(x_{0}^1\in \delta _{1}^1\), \(x_{1}^1\in \delta _{1}^1\) and \(x_{2}^1\in \delta _{2}^1\). Based on \(x_{1}^1=f_{\beta _1}(x_{0}^1)\in \delta _{1}^1\), attacker can determine in which part of interval \(\delta _{1}^1=[0,\frac{1}{6})\) is \(x_{0}^1\) located by solving equation \(\frac{1}{6}=f_{\beta _1}(x)\). There are two solutions of this quadratic equation \(\frac{4+2\sqrt{2}}{24}\) and \(\frac{4-2\sqrt{2}}{24}\), and because only \(\frac{4-2\sqrt{2}}{24}\in [0,\frac{1}{6})\), attacker now knows that \(x_{0}^1\) is located in interval \([0,\frac{4-2\sqrt{2}}{24})\).

Based on \(x_{2}^1=f_{\beta _1}(f_{\beta _1}(x_{0}^1))\in \delta _{2}^1\), attacker can further reduce the interval in which \(x_{0}^1\) is located by solving equation \(\frac{4-2\sqrt{2}}{24}=f_{\beta _1}(x)\). Only one solution of this quadratic equation \(\frac{4-\sqrt{8+4\sqrt{2}}}{24}\in [0,\frac{4-2\sqrt{2}}{24})\) so attacker now knows that \(x_{0}^1\) is located in interval \((\frac{4-\sqrt{8+4\sqrt{2}}}{24},\frac{4-2\sqrt{2}}{24})\). In this way, on the basis of only three known values of \(\zeta _{i}^1\), search interval for \(x_{0}^1\) was reduced from \([0,\frac{1}{3})\) to \((\frac{4-\sqrt{8+4\sqrt{2}}}{24},\frac{4-2\sqrt{2}}{24})\) and therefore search for \(x_{0}^1\) is about 9 times shorter. A similar procedure can be applied on functions \(f_{\beta _2}(x)\) and \(f_{\beta _3}(x)\) in order to narrow the intervals in which \(x_{0}^2\) and \(x_{0}^3\) are located.

When \(k=3\), there are three initial values \(x_{0}^1,x_{0}^2,x_{0}^3\) for which key space is estimated at \(2^{53}\cdot 2^{53}\cdot 2^{53}=2^{159}\) [1]. By knowing n consecutive output bits of analyzed PRNG, attacker needs only \((2^{2})^n\) guesses in order to find all \(\zeta _{i}^j\) for \(i<n\) and \(j\le 3\) which enables reduction in search interval for each \(x_{0}^j\) for approximately \(2^{n} < 2^{53}\) times. Reduction in search interval for some \(x_{0}^j\) by more than \(2^{53}\) times is not possible, because precision of \(2^{53}\) is used. Therefore, if values of 53 consecutive output bits of analyzed PRNG are known, complexity of only \(2^{106}\) is needed in order to recover initial values \(x_{0}^1,x_{0}^2,x_{0}^3\) (or \(x_{i}^1,x_{i}^2,x_{i}^3\)). If value of some \(x_{i}^j\) is recovered, it is very easy to calculate value of \(x_{0}^j\). Complexity of \(2^{106}\) is drastically less than \(2^{159}\) reported in [1] or \(2^{128}\) recommended in [17], so example of analyzed PRNG (when \(k=3\)) cannot be considered safe for the use in cryptographic systems.

Also, there is another approach that can exploit the previously described weakness of the analyzed PRNG, which will be called attack 2. Assume that the attacker knows the values of the first n output bits of the analyzed PRNG \(Z_0,\ldots Z_{n-1}\). In this version of the attack, attacker should guess values of all \(x_{0}^j\) for \(1<j\le k\). When \(k=3\), attacker only need to guess values of \(x_{0}^2,x_{0}^3\). Based on \(x_{0}^2,x_{0}^3\) attacker can produce binary sequences \(\zeta _{i}^2,\zeta _{i}^3\) (for \(i<n\)) by following procedure described in Step 3 of the analyzed PRNG. After that, attacker can calculate values of sequence \(\zeta _{i}^1\) by using \(\zeta _{i}^1=Z_i\oplus \zeta _{i}^2\oplus \zeta _{i}^3\). When the values \(\zeta _{i}^1\) are known, by using reverse interval mapping procedure described in attack 1, attacker can narrow the interval in which the \(x_{0}^1\) is located for approximately \(2^n\) times. If \(n=53\), then the complexity of only \(2^{106}\) is needed in order to recover initial values \(x_{0}^1,x_{0}^2,x_{0}^3\), because attacker need to guess only two values \(x_{0}^2,x_{0}^3\) in order to calculate value of \(x_{0}^1\).

3.3 Example 1 of cryptanalysis of the analyzed PRNG

In this section example of the attack 1 will be described. Assume that user of the analyzed PRNG randomly selected initial values \(x_{0}^1=0.149284547945563\), \(x_{0}^2=0.519067023060468\), \(x_{0}^3=0.881509362057897\) which will be considered as a secret key. Based on this initial values, user generate sequence of 53 bits \(Z=001101011000\) \(01110001111011010011011001101010011110110\) by using analyzed PRNG for \(k=3\). Assume that the attacker knows the values of the first 53 output bits Z, but do not know initial values \(x_{0}^1,x_{0}^2,x_{0}^3\).

First, attacker should guess values of \(\zeta _{i}^1,\zeta _{i}^2,\zeta _{i}^3\) for all \(i<53\). Because \(Z_0=0\), \((\zeta _{0}^1,\zeta _{0}^2,\zeta _{0}^3)\) can have only some of the four values (0,0,0), (0,1,1), (1,0,1), (1,1,0). Also, because \(Z_2=1\), \((\zeta _{2}^1,\zeta _{2}^2,\zeta _{2}^3)\) can have only some of the four values (0,0,1), (0,1,0), (1,0,0), (1,1,1). Therefore, instead of \(2^{159}\) guesses, only \(2^{106}\) guesses are needed in order to obtain all \(\zeta _{i}^1,\zeta _{i}^2,\zeta _{i}^3\) for \(i<53\). Guessed values of \(\zeta _{i}^1,\zeta _{i}^2,\zeta _{i}^3\) are shown in Table 1.

Table 1 Values of \(\zeta _{i}^1,\zeta _{i}^2,\zeta _{i}^3\)
Full size table

Based on the values of \(\zeta _{i}^1,\zeta _{i}^2,\zeta _{i}^3\), attacker can narrow the interval \([a_i, b_i]\) in which the \(x_{i}^j\) is located by using reverse interval mapping. This process will be shown in detail for \(x_{i}^1\) which are calculated by function \(f_{\beta _1}(x)=\beta _1\cdot (\frac{1}{3}-x)\cdot x=-12x^2+4x\). Function \(f_{\beta _1}(x)\) is defined in interval \(x\in [0,\frac{1}{3})\) divided into two regions \(\delta _{1}^1\) and \(\delta _{2}^1\) split by \(a_{1}^1=\frac{1}{6}\).

Based on values of \(\zeta _{i}^1\) shown in Table 2, we can determine in which region of interval \([0,\frac{1}{3})\) is each \(x_{i}^1\) located. We will begin with \(x_{52}^1\) which is located in interval [0, 0.166666666666667] (\(\frac{1}{6}\) is represented with 0.166666666666667 when precision of \(2^{53}\) is used) because \(\zeta _{52}^1=0\). Bounds of interval in which next value \(x_{51}^1\) is located can be obtained by using reverse interval mapping. If \(\zeta _{i}^1=0\), we can calculate \(a_i\) by solving equation \(a_{i+1}=f_{\beta _1}(a_i)\) and calculate \(b_i\) by solving equation \(b_{i+1}=f_{\beta _1}(b_i)\). If \(\zeta _{i}^1=1\), we can calculate \(a_i\) by solving equation \(b_{i+1}=f_{\beta _1}(a_i)\) and calculate \(b_i\) by solving equation \(a_{i+1}=f_{\beta _1}(b_i)\).

Value of \(a_{52}=0\) and because \(\zeta _{51}^1=0\), value of \(a_{51}\) is calculated by solving equation \(0=f_{\beta _1}(a_{51})=-12(a_{51})^2+4\cdot a_{51}\). There are two solutions of this quadratic equation \(a_{51}=0\) and \(a_{51}=\frac{1}{3}\). Because of \(\zeta _{51}^1=0\), attacker know that \(x_{51}^1\in \delta _{1}^1\) and therefore only \(0\in [0,\frac{1}{6}]\) will be used as bound \(a_{51}\). Value of \(b_{52}=0.166666666666667\) so value of \(b_{51}\) is calculated by solving equation \(0.166666666666667=-12(b_{51})^2+4\cdot b_{51}\). Only one solution \(b_{51}=0.048815536468909\) of this quadratic equation is from interval \(\delta _{1}^1\) so attacker knows that \(x_{51}\) is located in interval [0, 0.048815536468909]. Bounds of interval in which \(x_{i}^1\) is located is calculated in same manner based on values of \(\zeta _{i}^1\), \(a_{i+1}, b_{i+1}\) for all i from 50 down to 0. All values of \(a_{i}, b_{i}\) for \(i<53\) are shown in Table 2.

In Table 2, we can see that the interval \([a_i, b_i]\) is shorter for smaller i, for all \(i>5\). For \(i=5\) we have \(a_5=b_5\) which means that attacker found exact value of \(x_{5}^1\) represented by precision of \(2^{53}\). Therefore, attacker can easily calculate all remaining values of \(x_{i}^1\) and obtain initial secret value \(x_{0}^1=0.149284547945563\). A similar procedure is applied on functions \(f_{\beta _2}(x)\) and \(f_{\beta _3}(x)\) in order to obtain secret values \(x_{0}^2=0.519067023060468\), \(x_{0}^3=0.881509362057897\). Therefore, when values of 53 consecutive output bits of analyzed PRNG are known, complexity of only \(2^{106}\) is needed in order to recover initial values \(x_{0}^1,x_{0}^2,x_{0}^3\).

Table 2 Reverse interval mapping for \(x_{0}^1\)
Full size table

3.4 Example 2 of cryptanalysis of the analyzed PRNG

In this section, example of the attack 2 will be described. Parameters of the analyzed PRNG will be the same as in previous example, \(k=3\), \(x_{0}^1=0.149284547945563\), \(x_{0}^2=0.519067023060468\), \(x_{0}^3=0.881509362057897\). Consequently, user generates same sequence of 53 bits \(Z=001101011000011100011110110100110110011010100111\) 10110 as in previous example.

Assume that the attacker knows the values of the first 53 output bits Z, but do not know initial values \(x_{0}^1,x_{0}^2,x_{0}^3\). In this attack, attacker guesses values of \(x_{0}^2,x_{0}^3\) and generates corresponding binary sequences \(\zeta _{i}^2,\zeta _{i}^3\) (for \(i<53\)). If the attacker tries all possible values of \(x_{0}^2,x_{0}^3\), he will need a maximum of \(2^{106}\) guesses in order to obtain initial values used for generation of sequence Z. When the search reaches the values of the users secret key \(x_{0}^2=0.519067023060468\), \(x_{0}^3=0.881509362057897\), attacker can generate corresponding binary sequences \(\zeta _{i}^2,\zeta _{i}^3\) which are shown in Table 1. After that, attacker can calculate values of sequence \(\zeta _{i}^1\) (shown in Tables 1, 2) by using \(\zeta _{i}^1=Z_i\oplus \zeta _{i}^2\oplus \zeta _{i}^3\).

Based on the values of \(\zeta _{i}^1\) for \(i<53\), attacker can calculate value of \(x_{0}^1=0.149284547945563\) by using reverse interval mapping procedure described in Example 1. Because \(x_{0}^1\) can be calculated on the basis of \(x_{0}^2,x_{0}^3\) and known Z, this attack requires complexity of only \(2^{106}\) in order to recover initial values (secret key) \(x_{0}^1,x_{0}^2,x_{0}^3\).

3.5 Cryptanalysis of the gray-scale image cryptosystem based on the analyzed PRNG

In paper [1] a stream cipher algorithm for gray-scale images, based on analyzed PRNG, is proposed. The proposed cipher should be able to resist the chosen-plaintext attack. However, in this section, vulnerability of this cipher to known-plaintext attack will be demonstrated on example when \(k=3\). Consequently, analyzed cipher is vulnerable to chosen-plaintext attack as well.

If attacker know 53 consecutive plaintext bits \(P_i,\ldots ,P_{i+52}\) for some \(i\ge 8\), then it is simple to obtain values of \(Z_i,\ldots ,Z_{i+52}\) by using Eq. 2. Based on Eq. 2, \(Z_i=P_i\oplus C_{i-8}\oplus C_i\). When attacker know 53 consecutive output bits of analyzed PRNG, by applying one of the attacks from previous subsections, initial values (secret key) \(x_{0}^1,x_{0}^2,x_{0}^3\) can be obtained with attack which complexity is only \(2^{106}\). One column of random values \(R(l,1)\in \{0,1,\ldots ,255\}\) which is added to the plaintext image can to a lesser extent slow down this attack. Attacker can simply guess value of corresponding \(R(l,1)\in \{0,1,\ldots ,255\}\), and ordinal number of byte of augmented image in which it is located. Because there are only 53 output bits that attacker try to reconstruct, there are only \(\frac{53}{8}\) options for the location of this byte. Therefore, complexity of this attack, when only 53 bits of plaintext are known, is approximately \(2^{106}\cdot 2^8\cdot 2^3=2^{117}\) which is less than \(2^{159}\) reported in [1] or \(2^{128}\) recommended in [17]. Therefore, the example of analyzed cipher (when \(k=3\)) cannot be considered safe.

Complexity of this attack for some \(k>0\) is \((2^{k-1})^n\). By using some \(k>3\), required complexity of this attack would reach over \(2^{159}\). However, for larger k, the number of weak keys significantly increases because there are \(2\cdot 4\cdot \ldots \cdot 2(k-1)\cdot 2k\) combinations of fixed points for which analyzed PRNG would generate a sequence in which all bits would be equal to each other. The number of keys leading to this non-chaotic behavior is much greater. Therefore, there is no value of k for which analyzed cipher can be considered completely safe.

4 Conclusion

In this paper, a security analysis of the pseudo-random bit generator based on multi-modal maps [1] is presented. Unfortunately, some serious security problems are found. Depending on parameter k, there are certain number of fixed points and much greater number of values which lead to these fixed points of chaotic k-modal map, which can be considered as weak keys. Also, based on certain number of consecutive output bits, the initial values of this PRNG can be obtained with attack which complexity is significantly less than estimated key space. Although the assumed safety of the example of cipher based on this PRNG (when \(k=3\)) is estimated at \(2^{159}\), it is possible to carry out successful known-plaintext attack with the complexity less than \(2^{128}\). For above-mentioned reasons, analyzed PRNG cannot be considered safe for the use in cryptographic systems.