On the Effectiveness of a Common Attack to Chebyshev Chaotic Encryption Scheme

Abstract

Chebyshev polynomials define a rather canonical chaotic cryptosystem and some strong attacks have been designed to that cryptosystem. We report the numerical experiments performed with multiple precision arithmetic using conventional software as gmp and mpfr to test the Chebyshev cryptosystem and Bergamo’s attack. As a conclusion, we point out the relevance in the cryptosystem robustness of the number of significant digits (length) of plaintexts and the number of correct digits (precision) of the arithmetical calculations. Furthermore, after the observed experimental results, we use techniques of Numerical Analysis to explain the occurrences of the observed results and to reinforce the importance of the above-mentioned parameters ℓ and m.

1. Introduction

The sequence ${\left(T_r\left(X\right)\right)}_{r\in \mathbb{N}}$ of Chebyshev polynomials provides a typical example of a chaotic system and it was used to obtain a well-known and exhaustively analyzed public-key encryption scheme based on chaos [1,2,3]. For any index r, $T_r\left(X\right)$ has degree r and its restriction to the open real interval $I=(-1,+1)$ has as an image this interval, namely it is an onto map $I\to I$; hence, the corresponding cryptosystem has I as the space of both plaintexts and ciphertexts. Since the sequence of Chebyshev polynomials forms a semigroup, namely for any $r,s\in \mathbb{N}$, $T_r\circ T_s\left(X\right)=T_{rs}\left(X\right),$ the sequence has served as the basis of several chaotic cryptosystems:

• For encryption, a public key has the form $(x,y)=(x,T_s\left(x\right))$ for $x\in I$ and $s\in {\mathbb{Z}}^{+}$ is the private key. Then, for a message $\mu \in I$ the ciphertext is $(c_0,c_2)=(T_r\left(x\right),\mu ·T_r\left(y\right))$, where $r\in {\mathbb{Z}}^{+}$ is a random index selected by the sender of the message, and for decryption, the owner of the private key calculates ${\displaystyle \frac{c_2}{T_s\left(c_0\right)}}$,
• For key agreement (KA), the classic Diffie–Hellman KA scheme can be translated quite directly by the semigroup property [4],
• For authentication, a general scheme is introduced in [5] in which servers should authenticate client using a central registry (RC). Each server has a key $s_j$ and each client an index $r_i$ and the corresponding Chebyshev polynomials are evaluated on secret numbers owned by the RC; hence, the servers and the clients just know the values of their polynomials at the secret points. Also, there is an interesting application of the sequence of Chebyshev polynomials for Radio Frequency IDentification (RFID), where the index s is broadcasted by a transceiver and each transponder selects a particular index r and codifies it in order to form an identification label [6],
• For image encryption the chaotic methods have been extensively used as well as some refinements of chaotic maps [7,8].

In [9] the behaviour Chebyshev sequence in modular arithmetic, as well as its impact on the security of cryptosystems have been analyzed within the context of Number Theory.

In 2005 the most common attack to this cryptosystem was introduced [10] (see [4,11] as well). The attack strategy is based on solving equations of the form $T_r\left(x\right)=c$ for $x,c\in I$ with respect to index r. To this end, they are considered just real numbers in I with a finite-length decimal representation. For any $m\in {\mathbb{Z}}^{+}$, let $I_m$ be the collection of numbers in I whose decimal representation consists of m digits. Thus, by multiplying the involved real numbers by the power ${10}^m$ the stated problem gives rise to congruence relations on the integers solvable by Number Theory techniques.

We performed several experiments in order to test Bergamo’s attack [10] using multiple precision arithmetic provided by the already conventional software tools gmp [12] and mpfr [13], we report here the results. We consider a length ℓ $\in {\mathbb{Z}}^{+}$ for the specification of plaintexts and a precision $m\in {\mathbb{Z}}^{+}$, with ℓ $\le m$, for the number of significant digits in decimal representation. The space of plaintexts is coded as the set of words of length ℓ with symbols in $\{0,1,\dots ,9\}$, with cardinality 10^ℓ, and the space of ciphertexts is the set of words of length m with symbols in $\{0,1,\dots ,9\}$.

Bergamo’s attack [10] is effective whenever ℓ is known by the attacker. This attack technique would produce several possible solutions for the recovering secret key depending on the assumed value of the length ℓ. An exhaustive search for the right secret key may still be rather costly. The length ℓ may be part of the private key in the chaotic crypto-scheme.

The purpose of the current report is to illustrate the importance of fixing the length of the plaintexts ℓ and the precision m among the participants in the crypto scenario.

It is worth mentioning that some similar remarks related to the difficulties in making the attack in [10] effective have been pointed out in [5] and the authors consider attacks based on impersonation. In [14], the importance of limiting the numerical domains of Chebyshev polynomials is also pointed out.

In Section 2, we recall the Chebyshev polynomials and in Section 3, we recall the corresponding chaotic cryptosystem and the attack in [10]. In Section 4, we present the performed experiments. Our contribution consists in testing the effectiveness of Bergamo’s attack. We have concluded that it is essential for the attacker to know the length of plaintexts and certainly the arithmetical precision should be greater than this length.

2. Chebyshev Polynomials

We use the following notation: we write for any $i,j\in \mathbb{Z}$, $i\le j$, $\left[\right[i,j\left]\right]=\{i,\dots ,j\}$, and for any $a,b\in \mathbb{R}$, with $a<b$ we may consider open, semiclosed or closed intervals:

$$\begin{array}{ccccccc}\hfill (a,b)& =& \{x\in \mathbb{R}|a<x<b\}\hfill & ,& \hfill (a,b]& =& \{x\in \mathbb{R}|a<x\le b\},\hfill \\ \hfill [a,b)& =& \{x\in \mathbb{R}|a\le x<b\}\hfill & ,& \hfill [a,b]& =& \{x\in \mathbb{R}|a\le x\le b\}.\hfill \end{array}$$

For a radix $R\in {\mathbb{Z}}^{+}$, $R>1$, let $D_R=\left[[0,R-1]\right]$ be the collection of R digits, then for each $m\in {\mathbb{Z}}^{+}$, $D_R\left[R^{-m}\right]$ will denote the set of real numbers in $(-1,1)$ that can be written as polynomial expressions in terms of $R^{-m}$ with coefficients in $D_R$, in other words $D_R\left[R^{-m}\right]$ is the set of fractional numbers than can be written with exactly m digits in radix R.

As a very basic trigonometric identity, we recall that for any $n\in {\mathbb{Z}}^{+}$ and any $z\in [0,\pi ]$:

$$cos\left(\right(n+1\left)z\right)+cos\left(\right(n-1\left)z\right)=2cos\left(z\right)cos\left(nz\right).$$

Furthermore, $cos\left(0z\right)=1$ and $cos\left(1z\right)=cos\left(z\right)$. With the change of variable $[0,\pi ]\to [-1,+1]$, $z\mapsto x=cos\left(z\right)$ (see Figure 1), the sequence of Chebyshev polynomials follows:

$$\begin{array}{ccc}\hfill T_0\left(X\right)=1& ;& T_1\left(X\right)=X\hfill \\ \hfill \forall n\ge 1:T_{n+1}\left(X\right)& =& 2X{T}_n\left(X\right)-T_{n-1}\left(X\right)\hfill \end{array}$$

Remark 1.

The sequence ${\left(T_n\right)}_{n\in \mathbb{N}}$ is a semigroup, namely $\forall n,m:T_n\circ T_m=T_{n·m}.$

Indeed, using the above-mentioned change of variables, $\forall x\in [-1,1]$:

$$T_n\circ T_m\left(x\right)=T_n\left(T_m\left(x\right)\right)=T_n(cos\left(mz\right))=cos(narccos(cos\left(mz\right)))=cos\left(nmz\right)=T_{nm}\left(x\right).$$

From the definition of the Chebyshev polynomials,

$$\left[\begin{array}{c}{T}_{n-1}\left(X\right)\\ T_n\left(X\right)\end{array}\right]=\left[\begin{array}{cc}\hfill 0& 1\\ \hfill -1& 2X\end{array}\right]·\left[\begin{array}{c}\hfill T_{n-2}\left(X\right)\\ \hfill T_{n-1}\left(X\right)\end{array}\right]$$

hence

$${\mathbf{t}}_n\left(X\right)=M{\left(X\right)}^{n-1}{\mathbf{t}}_1\left(X\right)$$

where ${\mathbf{t}}_n\left(X\right)=\left[\begin{array}{c}{T}_{n-1}\left(X\right)\\ T_n\left(X\right)\end{array}\right]$ and $M\left(X\right)=\left[\begin{array}{cc}\hfill 0& 1\\ \hfill -1& 2X\end{array}\right].$

   Let us write the powers of matrix $M\left(X\right)$ as

$$M{\left(X\right)}^n=\left[\begin{array}{cc}\hfill p_{00n}\left(X\right)& p_{01n}\left(X\right)\\ \hfill p_{10n}\left(X\right)& p_{11n}\left(X\right)\end{array}\right].$$

Then

$$\begin{array}{ccc}\hfill \left[\begin{array}{cc}\hfill p_{00,n+1}\left(X\right)& p_{01,n+1}\left(X\right)\\ \hfill p_{10,n+1}\left(X\right)& p_{11,n+1}\left(X\right)\end{array}\right]& =& M{\left(X\right)}^{n+1}\hfill \\ & =& M\left(X\right)·M{\left(X\right)}^n\hfill \\ & =& \left[\begin{array}{cc}\hfill 0& 1\\ \hfill -1& 2X\end{array}\right]·\left[\begin{array}{cc}\hfill p_{00n}\left(X\right)& p_{01n}\left(X\right)\\ \hfill p_{10n}\left(X\right)& p_{11n}\left(X\right)\end{array}\right]\hfill \\ & =& \left[\begin{array}{cc}{p}_{10n}\left(X\right)& p_{11n}\left(X\right)\\ -p_{00n}\left(X\right)+2X{p}_{10n}\left(X\right)& -p_{01n}\left(X\right)+2X{p}_{11n}\left(X\right)\end{array}\right]\hfill \end{array}$$

hence

$$\begin{array}{ccc}\hfill \left[\begin{array}{cc}\hfill p_{001}\left(X\right)& p_{011}\left(X\right)\\ \hfill p_{101}\left(X\right)& p_{111}\left(X\right)\end{array}\right]& =& \left[\begin{array}{cc}\hfill 0& 1\\ \hfill -1& 2X\end{array}\right],\hfill \end{array}$$

(1)

$$\begin{array}{ccc}\hfill \left[\begin{array}{cc}\hfill p_{00,n+1}\left(X\right)& p_{01,n+1}\left(X\right)\\ \hfill p_{10,n+1}\left(X\right)& p_{11,n+1}\left(X\right)\end{array}\right]& =& \left[\begin{array}{cc}{p}_{10n}\left(X\right)& p_{11n}\left(X\right)\\ -p_{00n}\left(X\right)+2X{p}_{10n}\left(X\right)& -p_{01n}\left(X\right)+2X{p}_{11n}\left(X\right)\end{array}\right].\hfill \end{array}$$

(2)

From here, it follows that $\forall n\in {\mathbb{Z}}^{+}$: $deg\left(p_{11n}\left(X\right)\right)=n$.

The powers of the matrix $M\left(X\right)$ can be calculated via square-and-product:

$$r=\sum _{i=0}^k{r}_i{2}^i⟹M{\left(X\right)}^r=\prod _{i=0}^k{\left(M{\left(X\right)}^{2^i}\right)}^{r_i},$$

namely, by the procedure sketched in Algorithm 1.

Algorithm 1 Square-and-product procedure

Input:  The matrix $M\left(X\right)$ and the integer $r\in {\mathbb{Z}}^{+}$

Output:  The power $M{\left(X\right)}^r$

1.   Express r in binary, $r={(r_k\cdots r_1{r}_0)}_2$; 2.   $P:=I_2$ (the identity matrix of order $2\times 2$); 3.   $S:=M\left(X\right)$ (this matrix will be squared at each step); 4.   for $i=0$ to k do   (a)   if $r_i==1$ then $P:=SP$;   (b)   $S:=SS$; 5.   output P

The Chebyshev polynomials are defined in the interval $[-1,+1]$, and the absolute values of the points in this domain are in the unit interval $[0,1]$.

Consider the conventional decimal radix, $R=10$. Suppose that $x\in [-1,+1]$ is such that $x\in D_{10}\left[{10}^{-m}\right]$ for some $m\in {\mathbb{Z}}^{+}$, then there is an integer $x_m\in \left[[-{10}^m,+{10}^m]\right]$ such that $x={\displaystyle \frac{x_m}{{10}^m}}$, or $x_m={10}^{m}x$. Consequently, from relations (1) and (2) it follows that

$$\forall n\in {\mathbb{Z}}^{+}:p_{11n}\left(x\right)\in D_{10}\left[{10}^{-nm}\right].$$

Furthermore,

$${10}^{m}M\left(x\right)={10}^m\left[\begin{array}{cc}\hfill 0& 1\\ \hfill -1& 2x\end{array}\right]=\left[\begin{array}{cc}0& {10}^m\\ -{10}^m& 2x_m\end{array}\right]=:N_{x_m}\in {\mathbb{Z}}^{2\times 2}$$

and

$$\forall n\in {\mathbb{Z}}^{+}:M{\left(x\right)}^n={10}^{-nm}{N}_{x_m}^n.$$

On the other hand, from step 4(a) of the procedure in Algorithm 1

$$SP={\displaystyle \frac{1}{{10}^{2m}}}\left({10}^{m}S\right)\left({10}^{m}P\right)$$

as well as, from step 4(b),

$$SS={\displaystyle \frac{1}{{10}^{2m}}}\left({10}^{m}S\right)\left({10}^{m}S\right).$$

Through these relations, the square-and-product algorithm can be performed within multiple precision arithmetic in $[-1,1]$ using a multiple precision arithmetic on the integers.

Remark 2.

In the current experiments, we calculate the Chebyshev polynomials through the above “square-and-product” method in order to maintain the multiple precision of the calculations through additions and products and to avoid the dependency of implementations of the maps cos and arccos.

3. The Cryptosystem Based on Chebyshev Polynomials

3.1. The General Scheme

The following is a public-key encryption scheme where the plaintext space and the ciphertext space are both the real interval $[-1,1]$:

Key generation

Choose $x\in [-1,1]$ and $s\in {\mathbb{Z}}^{+}$ large enough. The public key is $(x,y)=(x,T_s\left(x\right))$ and the private key is s. See Table 1 below to obtain an estimation of the order of s with respect to the number of exact digits of x and the precision of the used real arithmetic.

Encryption 

For a plaintext $\mu \in [-1,1]$, choose a random index $r\in {\mathbb{Z}}^{+}$, and calculate $c_0=T_r\left(x\right)$, $c_1=T_r\left(y\right)$, $c_2=\mu c_1$. The ciphertext is $c=(c_0,c_2)$.

Decryption 

Given the ciphertext $c=(c_0,c_2)$ recover the message as $\mu ={\displaystyle \frac{c_2}{T_s\left(c_0\right)}}$.

Hence, the time complexity of the encryption procedure is

$${\mathrm{time}}_{Ch}(m,r)=O\left(M(m·r)rlogr\right)$$

(3)

where $M\left(k\right)$ is the time complexity of the chosen algorithm for multiplication in $D_R\left[R^{-m}\right]$, m is the precision of calculations and r is the chosen random number.

Table 1. Relations between length ℓ, precision m and secret key s.

ℓ	m	s	NO	AvDisc	AvTime (s)
100	120	${10}^8$	1815	$2.969·{10}^{-108}$	0.00090
	140	${10}^{16}$	6306	$4.067·{10}^{-112}$	0.00335
	180	${10}^{32}$	24582	$1.167·{10}^{-117}$	0.01414
	240	${10}^{64}$	103427	$4.709·{10}^{-112}$	0.07522
	380	${10}^{128}$	380561	$5.433·{10}^{-119}$	0.46595
	640	${10}^{256}$	1589338	$1.865·{10}^{-113}$	3.92343
	1180	${10}^{512}$	6091120	$2.019·{10}^{-102}$	39.40116
200	220	${10}^8$	1815	$3.132·{10}^{-205}$	0.00113
	240	${10}^{16}$	6306	$8.434·{10}^{-208}$	0.00457
	280	${10}^{32}$	24582	$8.226·{10}^{-215}$	0.02075
	340	${10}^{64}$	103427	$1.024·{10}^{-208}$	0.11672
	480	${10}^{128}$	380561	$1.174·{10}^{-213}$	0.64108
	740	${10}^{256}$	1589338	$1.579·{10}^{-210}$	5.00373
	1280	${10}^{512}$	6091120	$3.132·{10}^{-218}$	43.47840
300	320	${10}^4$	418	$2.051·{10}^{-307}$	0.00045
	340	${10}^8$	1815	$2.314·{10}^{-320}$	0.00202
	340	${10}^{16}$	6306	$2.197·{10}^{-304}$	0.00696
	380	${10}^{32}$	24582	$3.078·{10}^{-311}$	0.03044
	440	${10}^{64}$	103427	$1.150·{10}^{-304}$	0.15059
	580	${10}^{128}$	380561	$4.789·{10}^{-311}$	0.78394
	840	${10}^{256}$	1589338	$8.638·{10}^{-305}$	6.22619
	1380	${10}^{512}$	6091120	$3.156·{10}^{-314}$	46.61281
400	420	${10}^4$	418	$1.079·{10}^{-403}$	0.00049
	440	${10}^8$	1815	$1.755·{10}^{-416}$	0.00259
	460	${10}^{16}$	6306	$2.497·{10}^{-420}$	0.00933
	480	${10}^{32}$	24582	$1.720·{10}^{-407}$	0.04019
	560	${10}^{64}$	103427	$7.364·{10}^{-421}$	0.20285
	680	${10}^{128}$	380561	$9.281·{10}^{-407}$	1.03725
	940	${10}^{256}$	1589338	$1.974·{10}^{-402}$	6.52374
	1480	${10}^{512}$	6091120	$6.663·{10}^{-411}$	50.79987

NO: Number of operations (multiplications); Disc: Discrepancy between plaintext and recovered text: Each row displays averaged statistics corresponding to 20 iterations for random selections of the index r in the interval $\left[\right[\frac{s}{2},s\left]\right]$.

Table 1. Relations between length ℓ, precision m and secret key s.

ℓ	m	s	NO	AvDisc	AvTime (s)
100	120	${10}^8$	1815	$2.969·{10}^{-108}$	0.00090
	140	${10}^{16}$	6306	$4.067·{10}^{-112}$	0.00335
	180	${10}^{32}$	24582	$1.167·{10}^{-117}$	0.01414
	240	${10}^{64}$	103427	$4.709·{10}^{-112}$	0.07522
	380	${10}^{128}$	380561	$5.433·{10}^{-119}$	0.46595
	640	${10}^{256}$	1589338	$1.865·{10}^{-113}$	3.92343
	1180	${10}^{512}$	6091120	$2.019·{10}^{-102}$	39.40116
200	220	${10}^8$	1815	$3.132·{10}^{-205}$	0.00113
	240	${10}^{16}$	6306	$8.434·{10}^{-208}$	0.00457
	280	${10}^{32}$	24582	$8.226·{10}^{-215}$	0.02075
	340	${10}^{64}$	103427	$1.024·{10}^{-208}$	0.11672
	480	${10}^{128}$	380561	$1.174·{10}^{-213}$	0.64108
	740	${10}^{256}$	1589338	$1.579·{10}^{-210}$	5.00373
	1280	${10}^{512}$	6091120	$3.132·{10}^{-218}$	43.47840
300	320	${10}^4$	418	$2.051·{10}^{-307}$	0.00045
	340	${10}^8$	1815	$2.314·{10}^{-320}$	0.00202
	340	${10}^{16}$	6306	$2.197·{10}^{-304}$	0.00696
	380	${10}^{32}$	24582	$3.078·{10}^{-311}$	0.03044
	440	${10}^{64}$	103427	$1.150·{10}^{-304}$	0.15059
	580	${10}^{128}$	380561	$4.789·{10}^{-311}$	0.78394
	840	${10}^{256}$	1589338	$8.638·{10}^{-305}$	6.22619
	1380	${10}^{512}$	6091120	$3.156·{10}^{-314}$	46.61281
400	420	${10}^4$	418	$1.079·{10}^{-403}$	0.00049
	440	${10}^8$	1815	$1.755·{10}^{-416}$	0.00259
	460	${10}^{16}$	6306	$2.497·{10}^{-420}$	0.00933
	480	${10}^{32}$	24582	$1.720·{10}^{-407}$	0.04019
	560	${10}^{64}$	103427	$7.364·{10}^{-421}$	0.20285
	680	${10}^{128}$	380561	$9.281·{10}^{-407}$	1.03725
	940	${10}^{256}$	1589338	$1.974·{10}^{-402}$	6.52374
	1480	${10}^{512}$	6091120	$6.663·{10}^{-411}$	50.79987

NO: Number of operations (multiplications); Disc: Discrepancy between plaintext and recovered text: Each row displays averaged statistics corresponding to 20 iterations for random selections of the index r in the interval $\left[\right[\frac{s}{2},s\left]\right]$.

With respect to the Decryption Procedure let us make a remark:

Suppose that a number x in the open interval $(0,1)$ is written in radix R as $x={\sum }_{i=1}^{m_1}{x}_i{R}^{-i}$, with digits $x_i\in \left[[0,R-1]\right]$, namely $x\in D_R\left[R^{-m_1}\right]$. Then, for any $m_0<m_1$:

$$x=\sum _{i=1}^{m_0}{x}_i{R}^{-i}+\sum _{i=m_0+1}^{m_1}{x}_i{R}^{-i}=:\overline{x_{m_0}}+\overline{x_{m_1-m_0}},$$

where $\overline{x_{m_0}}$ is the decimal number expressed by the first $m_0$ digits of x and $\overline{x_{m_1-m_0}}=x-\overline{x_{m_0}}$. Thus

$$\begin{array}{ccc}\hfill \overline{x_{m_1-m_0}}& =& \sum _{i=m_0+1}^{m_1}{x}_i{R}^{-i}\hfill \\ & =& R^{-(m_0+1)}\sum _{j=0}^{m_1-(m_0+1)}{x}_{m_0+1+j}{R}^{-j}\hfill \\ & <& R^{-(m_0+1)}\sum _{j=0}^{m_1-(m_0+1)}R{R}^{-j}\hfill \\ & =& R^{-m_0}{\displaystyle \frac{1}{1-R^{-1}}}\hfill \\ & =& {\displaystyle \frac{1}{R-1}}{R}^{-(m_0-1)}\hfill \end{array}$$

(4)

besides

$$R^{m_1}x=R^{m_1}\left(\overline{x_{m_0}}+\overline{x_{m_1-m_0}}\right)=R^{m_1-m_0}\left(R^{m_0}\overline{x_{m_0}}\right)+R^{m_1}\overline{x_{m_1-m_0}}\in \mathbb{Z}.$$

(5)

Assume now that there are given two numbers $a,b\in D_R\left[R^{-m_1}\right]$, $b\ne 0$. By expressing them as in (5),

$$\begin{array}{ccc}\hfill R^{m_1}a& =& R^{m_1-m_0}\left(R^{m_0}\overline{a_{m_0}}\right)+R^{m_1}\overline{a_{m_1-m_0}}\hfill \\ \hfill R^{m_1}b& =& R^{m_1-m_0}\left(R^{m_0}\overline{b_{m_0}}\right)+R^{m_1}\overline{b_{m_1-m_0}}\hfill \end{array}$$

thus by division there are quotients $q,q_{m_0}\in \mathbb{Z}$ and remainders $r\in \left[[0,R^{m_1}b-1]\right]$, $r_{m_0}\in \left[[0,R^{m_0}\overline{b_{m_0}}-1]\right]$ such that

$$\begin{array}{ccc}\hfill R^{m_1}a& =& q{R}^{m_1}b+r\hfill \end{array}$$

(6)

$$\begin{array}{ccc}\hfill R^{m_0}\overline{a_{m_0}}& =& q_{m_0}{R}^{m_0}\overline{b_{m_0}}+r_{m_0}\hfill \end{array}$$

(7)

From Equation (7),

$$\begin{array}{ccc}\hfill R^{m_1}\overline{a_{m_0}}& =& R^{m_1-m_0}{R}^{m_0}\overline{a_{m_0}}\hfill \\ & =& R^{m_1-m_0}{q}_{m_0}{R}^{m_0}\overline{b_{m_0}}+R^{m_1-m_0}{r}_{m_0}\hfill \\ & =& q_{m_0}{R}^{m_1}\overline{b_{m_0}}+R^{m_1-m_0}{r}_{m_0}\hfill \end{array}$$

(8)

by substracting (8) from (6)

$$R^{m_1}\overline{a_{m_1-m_0}}=R^{m_1}a-R^{m_1}\overline{a_{m_0}}=q{R}^{m_1}b+r-(q_{m_0}{R}^{m_1}\overline{b_{m_0}}+R^{m_1-m_0}{r}_{m_0})$$

hence from (4)

$$R^{m_1}\left(qb-q_{m_0}\overline{b_{m_0}}\right)+\left(r-R^{m_1-m_0}{r}_{m_0}\right)<R^{m_1}{\displaystyle \frac{1}{R-1}}{R}^{-(m_0-1)}={\displaystyle \frac{R}{R-1}}{R}^{m_1-m_0}$$

and this last inequality entails $q-R^{m_1-m_0}{q}_{m_0}<R^{m_0}$, consequently the radix-R expression of q and $q_{m_0}$ coincide up to the $(m_0-1)$-digit.

In summary:

Lemma 1.

If $a,b\in D_R\left[R^{-m_1}\right]$, $b\ne 0$, for any $m_0\in \left[[1,m_1-1]\right]$ the quotients ${\displaystyle \frac{a}{b}}$ and ${\displaystyle \frac{a_{m_0}}{b_{m_0}}}$ coincide up to the $(m_0-1)$-digit.

Thus, in the Chebyshev encryption scheme the precision m, which is the number of significant digits in the arithmetical calculations within the interval $[-1,1]$, shall be greater than the length ℓ of plaintexts since in the decryption process a division is involved. However, due to Lemma 1, for any $m_0\in \left[[\mathit{\ell }+1,m]\right]$ the recovered plaintext is plausible up to the $(m_0-1)$-th digit. In order to determine the original plaintext the decipherer should know ℓ.

In an attack on the cryptosystem, given a public key $(x,y)$ and the ciphertext $(c_0,c_1)$, the random index $r\in {\mathbb{Z}}^{+}$ such that $T_r\left(x\right)=c_0$ should be recovered and the plaintext should be ${\mu }_m={\displaystyle \frac{c_1}{T_r\left(y\right)}}$ consisting of m digits where m is the precision of calculations. The original plaintext shall be the ℓ-length prefix μ_ℓ of ${\mu }_m$. Thus, a brute force procedure to recover ℓ is to look for the first length ℓ such that $\mathrm{Encryption}({\mu }_{\mathit{\ell }},r)=(c_0,c_1)$. According to (3), the cost in time of this procedure is

$$O\left(m·{\mathrm{time}}_{Ch}(m,r)\right)=O\left(mM(m·r)rlogr\right).$$

It is worth mentioning that in this consecutive search, for some tested lengths Bergamo’s attack, presented below, fails because the conditions stated in Section 3.2.1 are not satisfied.

3.2. Bergamo’s Attack

Let us recall first some basic facts of number theory.

3.2.1. Solving Linear Equations in Remainder Rings

Let $M\in {\mathbb{Z}}^{+}$ be a modulus greater than 1 and consider the equation $bx=amodM$, with $a,b\in {\mathbb{Z}}_M$.

• If $b\in {\mathbb{Z}}_M^{*}$ then the solution $x=a{b}^{-1}modM$ is unique.
• If $b\in {\mathbb{Z}}_M-\left\{0\right\}$ and $d=gcd(b,M)>1$, the equation has a solution if and only if $d|a$. In this case, express $d=c_{0}b+c_{1}M$, then for $x_0=c_0{\displaystyle \frac{a}{d}}$ we have

  $$b{x}_0=b{c}_0{\displaystyle \frac{a}{d}}=(d-c_{1}M){\displaystyle \frac{a}{d}}=\left(a-\left(c_1{\displaystyle \frac{a}{d}}\right)M\right)=amodM,$$

  hence $x_0$ is a solution and all residues of the form $x=x_0+j{\displaystyle \frac{M}{d}}$, $j\in \left[\right[0,d-1\left]\right]$ are solutions as well.

3.2.2. A Number Theory Problem

Consider the following

$$\mathbf{Main}\mathbf{Problem}:\mathrm{Given} a,b\in (0,1[\mathrm{find} k\in \mathbb{Z}:a+bk\in \mathbb{Z}\vee -a+bk\in \mathbb{Z}.$$

(9)

We consider in particular the case in which the following condition holds:

$$\begin{array}{c}a,b \mathrm{have} \mathrm{a} \mathrm{finite}\text{-}\mathrm{length} \mathrm{representation} \mathrm{in} \mathrm{a} \mathrm{radix}, \mathrm{say} R, \mathrm{namely},\\ \mathrm{for} \mathrm{an} m\in {\mathbb{Z}}^{+},a,b\in D_R\left[R^{-m}\right].\end{array}$$

(10)

Assume that $a+bk=z$ with $z\in \mathbb{Z}$. Then, $\left(a{R}^m\right)+\left(b{R}^m\right)k=z{R}^m$, and this last equation is stated over $\mathbb{Z}$. By writing $a_m=a{R}^m$ and $b_m=b{R}^m$ the equation is equivalent to

$$b_{m}k=-a_{m}mod{R}^m.$$

(11)

In fact:

$$b_{m}k=-a_{m}mod{R}^m⟺b_m(R^m-k)=a_{m}mod{R}^m.$$

Hence, the sign in the right side of (11) is not relevant and just an equation in (9) may be considered.

As mentioned in Section 3.2.1, if $gcd(b_m,R^m)=1$ then the unique solution of (11) is $k=-a_m{b}_m^{-1}$ in ${\mathbb{Z}}_{R^m}^{*}$. If $d=gcd(b_m,R^m)>1$ and $d=c_0{b}_m+c_1{R}^m$, only when $d|a_m$ the equation (11) can be solved and its d solutions are given as $-c_0{\displaystyle \frac{a_m}{d}}+j{\displaystyle \frac{R_m}{d}}$, $j\in \left[\right[0,d-1\left]\right]$.

In summary:

Remark 3.

With the above notation, Equation (11) has solutions if $d|a_m$ where $d=gcd(b_m,R^m)$, and d is the number of solutions.

If we deal just with rational numbers in $[-1,+1]$ then for any radix $R\in {\mathbb{Z}}^{+}$ any such rational number has a periodic R-representation. But for any pair of rational numbers, there is a radix such that those numbers have finite representations for that radix.

Remark 4.

Whenever $a,b\in \mathbb{Q}\cap (0,1]$, a radix R may be found such that for the main problem, $a,b\in D_R\left[R^{-m}\right]$ for some length $m\in {\mathbb{Z}}^{+}$.

Proof. 

For a rational number ${\displaystyle \frac{a}{b}}\in (0,1]$, with $a,b\in {\mathbb{Z}}^{+}$, $a<b$, and a radix $R\in \mathbb{Z}$, let ${\alpha }_0=a$ and $m_{-1}=0$. For any current index i, let $k_i\in \mathbb{N}$ be the minimum power such that ${\alpha }_i{R}^{k_i}\ge b$ and $m_i=m_{i-1}+k_i$. Then, ${\alpha }_i{R}^{k_i}=a_{i}b+{\alpha }_{i+1}$ with $a_i\in \left[[0,R-1]\right]$ and ${\alpha }_{i+1}\in \left[[0,b-1]\right]$. Thus, the radix-R expression of the rational number ${\displaystyle \frac{a}{b}}$ consists of 0’s except that at each entry $m_i$ there appears the digit $a_i$. Since the remainder sequence ${\left({\alpha }_i\right)}_i$ takes values on the finite set $\left[\right[0,b-1\left]\right]$, it is eventually periodic and so is the digit sequence ${\left(a_i\right)}_i$. Clearly, the length of the period will be bounded by the denominator b; and if there is an index i such that ${\alpha }_{i+1}=0$ then ${\displaystyle \frac{a}{b}}\in \mathbb{Z}\left[R^{m_i}\right]$. Obviously, for $R=b$ such an index exists. □

3.2.3. The Attack

Each Chebyshev polynomial may be written as $T_n\left(x\right)=cos(narccos\left(x\right))$.

Given the public key $(x,y)$ of Alice, the attacker, Eve, looks for $r\in {\mathbb{Z}}^{+}$ such that $T_r\left(x\right)=c_0$, then she evaluates $c_1^{\prime }:=T_r\left(y\right)$ and she recovers the plaintext as $\mu ={\displaystyle \frac{c_2}{c_1^{\prime }}}$.

Consider the sequence

$$C_{x{c}_0}={\left({\displaystyle \frac{arccos\left(c_0\right)+2k\pi }{arccos\left(x\right)}}\right)}_{k\in \mathbb{Z}}\cup {\left({\displaystyle \frac{-arccos\left(c_0\right)+2k\pi }{arccos\left(x\right)}}\right)}_{k\in \mathbb{Z}}\subset \mathbb{R}.$$

Remark 5.

$\forall r\in {\mathbb{Z}}^{+}:\left[T_r\left(x\right)=c_0⟺r\in C_{x{c}_0}\right].$

Proof. 

Indeed, let $r\in {\mathbb{Z}}^{+}$.

⇒)

Assume $r\in C_{x{c}_0}$ and that for some $k\in \mathbb{Z}$, $r={\displaystyle \frac{arccos\left(c_0\right)+2k\pi }{arccos\left(x\right)}}$ (the case in which $r={\displaystyle \frac{-arccos\left(c_0\right)+2k\pi }{arccos\left(x\right)}}$ is similar because cos is an even function). Then

$$\begin{array}{ccc}\hfill cos(arccos(x\left)r\right)& =& cos\left(arccos\left(x\right){\displaystyle \frac{arccos\left(c_0\right)+2k\pi }{arccos\left(x\right)}}\right)\hfill \\ & =& cos\left(arccos\left(c_0\right)+2k\pi \right)\hfill \\ & =& cos\left(arccos\left(c_0\right)\right)\hfill \\ & =& c_0\hfill \end{array}$$

⇐)

Assume $T_r\left(x\right)=c_0$, then $rarccos\left(x\right)=arccos\left(c_0\right)$ and necessarily $r\in C_{x{c}_0}$.    □

Let $a={\displaystyle \frac{arccos\left(c_0\right)}{arccos\left(x\right)}}$ and $b={\displaystyle \frac{2k\pi }{arccos\left(x\right)}}$. We may calculate arccos by its Taylor series  [15]:

$$\mathrm{For}\left|x\right|<1:arccos\left(x\right)={\displaystyle \frac{\pi }{2}}-\sum _{k=0}^{+\infty }{\displaystyle \frac{x}{1+2k}}\prod _{\kappa =0}^{k-1}\left(x^2{\displaystyle \frac{2\kappa +1}{2\kappa +2}}\right).$$

Eve’s goal consists in recovering $r\in {\mathbb{Z}}^{+}$ such that

$$\exists k\in \mathbb{Z}:a+bk=r\vee -a+bk=r,$$

(12)

or in an equivalent form, we have:

$$\begin{array}{cc}\hfill \mathrm{Find} k\in \mathbb{Z}:& \mathrm{either}(amod1)+k(bmod1)\in {\mathbb{Z}}^{+}\hfill \\ & \mathrm{or}-(amod1)+k(bmod1)\in {\mathbb{Z}}^{+}.\end{array}$$

(13)

Thus, Eve’s goal (13) is an instance of the main problem (9) and it can be solved, by the method seen in Section 3.2.2.

As a final remark in this section we point out that if $k,r$ are solutions of (12), then for a sign $\epsilon \in \{-1,+1\}$,

$$\epsilon arccos\left(c_0\right)=rarccos\left(x\right)-2k\pi .$$

(14)

4. Experiments

We have used the Multiple Precision Arithmetic provided by gmp: the gnu Multiple Precision Arithmetic Library, operating on signed integers, rational numbers, and floating-point numbers. The main used function categories and data structures are mpz, the high-level signed integer arithmetic structure, and mpf, the high-level floating-point arithmetic structure. The used version is gmp 6.3.0.

When dealing with Bergamo’s attack, we used the High Performed Trigonometric Function provided by mpfr: the gnu Multiple Precision Floating-Point Reliable Library. The used version is mpfr 4.2.1.

The platform was a computer with a processor intel(r) core(tm) i7-10750h cpu @ 2.60 ghz and 64-bit operating system ubuntu 22.04.3 lts.

The precision of any mpf structure from gmp, namely the number of digits in the decimal part of floating numbers, can be fixed in advance. Since ${log}_2\left(10\right)\approx 3.2$, N digits precision shall be required by the built-in function mpf_set_default_prec($\lfloor 3.2·N\rfloor$), where the function only supports argument with N a multiple of 20. Alternatively, N digits precision may be required by the built-in function mpfr::mpreal::set_default_prec($\lfloor 3.33·N\rfloor$), for any integer N. Nevertheless, the arithmetic still loses digits beyond the specified precision.

In our experiments, we use two precision parameters:

• ℓ: number of digits to codify plaintexts, we will refer to this parameter as length,
• m: precision of arithmetical calculations in gmp and mpfr, we will refer to this parameter as precision by itself.

In order to obtain correct crypto operations, for any given length ℓ, the secret keys s and the random indices r shall be bounded from above and the precision m shall be bounded from below (see Table 1 below).

4.1. A Numerical Example for Symmetric Block Ciphering

Let $\mu$ be the ascii simple message:

Hi! I’m Xiaoqi.

Nice to meet you! ^_^

consisting of 38 characters (there is a Line Feed at the end of each row). We take ℓ = 100, and $m=120$ as we discussed above in this example. Since $\lfloor {\displaystyle \frac{100}{8}}\rfloor =12$, we can split the message into 4 sections, 3 consisting of 12 characters and the last of 2 characters. Each ascii symbol is a byte and we write it in bits. By concatenating these bit strings we codify the message by the following real numbers expressed in radix 10 with ℓ^′ = $96=12·8$ “significant digits”:

$$\begin{array}{ccc}\hfill x_0& =& \mathtt{0.010010000110100100100001001000000100100100100111}\setminus \hfill \\ & & \mathtt{011011010010000001011000011010010110000101101111},\hfill \\ \hfill x_1& =& \mathtt{0.011100010110100100101110000010100100111001101001}\setminus \hfill \\ & & \mathtt{0110001101100101001000000111010001101111001},\hfill \\ \hfill x_2& =& \mathtt{0.011011010110010101100101011101000010000001111001}\setminus \hfill \\ & & \mathtt{011011110111010100100001001000000101111001011111},\hfill \\ \hfill x_3& =& \mathtt{0.010111100000101}.\hfill \end{array}$$

With secret key:

$$s=\mathtt{100000000}={10}^8$$

we calculate the public key $(x,y)=(x,T_s\left(x\right))$ where

$$\begin{array}{ccc}\hfill x& =& \mathtt{0.111111111111111111111111111111111111111111111111111}\setminus \hfill \\ & & \mathtt{11111111111111111111111111111111111111111111111111}\setminus \hfill \\ & & \mathtt{1111111111111111},\hfill \\ \hfill y& =& -\mathtt{0.18814040799950743365079853649690904592037149891015}\setminus \hfill \\ & & \mathtt{60025733572256087872987422552175312563914718206977}\setminus \hfill \\ & & \mathtt{01208500438767478}.\hfill \end{array}$$

In order to cipher, we consider the index

$$r=50000000={\displaystyle \frac{{10}^8}{2}}$$

then

$$\begin{array}{ccc}\hfill c_0=T_r\left(x\right)& =& -\mathtt{0.63712620099964989838379022273202966608309142004703}\setminus \hfill \\ & & \mathtt{95526936628991032039023673808752686692047258891779}\setminus \hfill \\ & & \mathtt{52974562960402237}\hfill \end{array}$$

and by making $c_{1j}=x_j·T_r\left(y\right)$, for $j\in \left[\right[0,3\left]\right]$, we obtain the following values for the second entries of the ciphertexts:

$$\begin{array}{ccc}\hfill c_{10}& =& \mathtt{0.009445053383906845090333757525690843288709928928825}\setminus \hfill \\ & & \mathtt{01800250586160808163588618939290696190069021278695}\setminus \hfill \\ & & \mathtt{80364061056324859},\hfill \\ \hfill c_{11}& =& \mathtt{0.010473545144721555820569852972432275743747523235501}\setminus \hfill \\ & & \mathtt{68388586972875746923277080577905161530296641668282}\setminus \hfill \\ & & \mathtt{3844352563913556},\hfill \\ \hfill c_{12}& =& \mathtt{0.010389568147441647850994177502777150289696917683650}\setminus \hfill \\ & & \mathtt{71968973418687747841165698228908959059526383578938}\setminus \hfill \\ & & \mathtt{21486076187951678},\hfill \\ \hfill c_{13}& =& \mathtt{0.009540447374682341741591475088180184070674785807833}\setminus \hfill \\ & & \mathtt{26051227973824647541225502961370205012402245410258}\setminus \hfill \\ & & \mathtt{799535033258606012}.\hfill \end{array}$$

In order to decipher, we calculate the values $z_j={\displaystyle \frac{c_{1j}}{c_0}}$, for $j\in \left[\right[0,3\left]\right]$, and we obtain the following values:

$$\begin{array}{ccc}\hfill z_0& =& \mathtt{0.010010000110100100100001001000000100100100100111011011}\setminus \hfill \\ & & \mathtt{01001000000101100001101001011000010110111100000000000}\setminus \hfill \\ & & \mathtt{02488501815},\hfill \\ \hfill z_1& =& \mathtt{0.011100010110100100101110000010100100111001101001011000}\setminus \hfill \\ & & \mathtt{11011001010010000001110100011011110010000000000000000}\setminus \hfill \\ & & \mathtt{02759480021},\hfill \\ \hfill z_2& =& \mathtt{0.011011010110010101100101011101000010000001111001011011}\setminus \hfill \\ & & \mathtt{11011101010010000100100000010111100101111100000000000}\setminus \hfill \\ & & \mathtt{0273735448},\hfill \\ \hfill z_3& =& \mathtt{0.010111100000101000000000000000000000000000000000000000}\setminus \hfill \\ & & \mathtt{00000000000000000000000000000000000000000000000000000}\setminus \hfill \\ & & \mathtt{02513635408}.\hfill \end{array}$$

The original plaintexts are obtained by cutting at length ℓ = 96.

Remark 6.

In the stated Cryptographic Scheme based on Chebyshev polynomials, two parameters are essential: ℓ which is the length, or the number of significant digits of plaintexts, and m which is the precision, or the number of correct digits in arithmetical calculations.

A rough estimation from Table 1 is that for integer k and secret key $s\le {10}^k$, the precision m must be greater or equal than ℓ + 5 · k.

4.2. Using an Enveloping Technique for Large Plaintexts

Evidently, block ciphering of long plaintexts by this method is excessively inefficient. We may compose symmetric block ciphering with this method through the OpenSSL library EVP in order to envelop large plaintexts. We take ℓ = 100, and $m=120$ in this example. For the private key:

$$s=\mathtt{100000000}={10}^8$$

we calculate the public key $(x,y)=(x,T_s\left(x\right))$ where

$$\begin{array}{ccc}\hfill x& =& \mathtt{0.111111111111111111111111111111111111111111111111111}\setminus \hfill \\ & & \mathtt{11111111111111111111111111111111111111111111111111}\setminus \hfill \\ & & \mathtt{1111111111111111}\hfill \\ \hfill y& =& -\mathtt{0.18814040799950743365079853649690904592037149891015}\setminus \hfill \\ & & \mathtt{60025733572256087872987422552175312563914718206977}\setminus \hfill \\ & & \mathtt{01208500438767478}\hfill \end{array}$$

and consider an envelope_key

$$\begin{array}{ccc}\hfill \mathtt{ek}& =& \mathtt{0.010101010101010101010101010101010101010101010101010}\setminus \hfill \\ & & \mathtt{10101010101010101010101010101010101010101010101}\hfill \end{array}$$

Then by selecting

$$r=50000000={\displaystyle \frac{{10}^8}{2}}$$

we obtain the cipher of ek as $(c_0,c_1)$ with

$$\begin{array}{ccc}\hfill c_0& =& -\mathtt{0.63712620099964989838379022273202966608309142004703}\setminus \hfill \\ & & \mathtt{95526936628991032039023673808752686692047258891779}\setminus \hfill \\ & & \mathtt{52974562960402237}\hfill \\ \hfill c_1& =& \mathtt{0.009530926931674991853838857210166414106379469381218}\setminus \hfill \\ & & \mathtt{67286561147343567726511202587408257389424454157364}\setminus \hfill \\ & & \mathtt{058055848041956983}\hfill \end{array}$$

and effectively

$$\begin{array}{ccc}\hfill {\displaystyle \frac{c_1}{T_s\left(c_0\right)}}& =& \mathtt{0.0101010101010101010101010101010101010101010101010101}\setminus \hfill \\ & & \mathtt{010101010101010101010101010101010101010101010101000}\setminus \hfill \\ & & \mathtt{000002511127043}\hfill \end{array}$$

The envelope key $\mathtt{ek}$ can be obtained by cutting the decimal representations up to the ℓ-th decimal digit.

4.3. A Numerical Example for Bergamo’s Attack

We try here the same example that illustrates the attack in [1]. It is proposed to take:

• Secret key.$s=106000$
• Public key. For ${\theta }_{\infty }={\displaystyle \frac{5}{18}}\pi$, take

  $$\begin{array}{ccc}\hfill x_{\infty }& =& cos\left({\theta }_{\infty }\right)=cos\left({\displaystyle \frac{5}{18}}\pi \right)\mathrm{and}\hfill \\ \hfill y_{\infty }& =& T_s\left(x_{\infty }\right)=cos\left(s{\displaystyle \frac{5}{18}}\pi \right)=cos\left(\left(530000+{\displaystyle \frac{4}{9}}\right)\pi \right)=cos\left({\displaystyle \frac{4}{9}}\pi \right),\hfill \end{array}$$

  hence $(x_{\infty },y_{\infty })$ is the public key.
• Random exponent for ciphering. $r=81500$. Hence

  $$\begin{array}{ccc}\hfill T_r\left(x_{\infty }\right)& =& cos(rarccos\left(x_{\infty }\right))=cos\left(r{\displaystyle \frac{5}{18}}\pi \right)=cos\left(\left(22638+{\displaystyle \frac{8}{9}}\right)\pi \right)=cos\left({\displaystyle \frac{8}{9}}\pi \right)\hfill \\ \hfill T_r\left(y_{\infty }\right)& =& cos(rarccos\left(y_{\infty }\right))=cos\left(r{\displaystyle \frac{4}{9}}\pi \right)=cos\left(\left(36222+{\displaystyle \frac{2}{9}}\right)\pi \right)=cos\left({\displaystyle \frac{2}{9}}\pi \right)\hfill \end{array}$$
• Ciphertext. For any plaintext $\mu \in (-1,+1]$ the ciphertext is

  $$(c_0,c_1)=\left(cos\left({\displaystyle \frac{8}{9}}\pi \right),\mu cos\left({\displaystyle \frac{2}{9}}\pi \right)\right).$$

However, these calculations are purely symbolic. All angles involved in the above calculations are irrational numbers; hence, when dealing with them with a computer we just have approximations to their values. For instance, up to 8 digits, we have

$$\begin{array}{ccc}\hfill {\displaystyle \frac{5}{18}}\pi & \approx & 0.87266462=:\theta \hfill \\ \hfill cos\left(\theta \right)& \approx & 0.64278761=:x\hfill \end{array}$$

then $|rs{\displaystyle \frac{5}{18}}\pi -rs\theta |\approx 3.53502559$ consequently $|rscos\left({\displaystyle \frac{5}{18}}\pi \right)-rsx|$ is comparable with $2\left|x\right|$. Indeed, for the current example

$$\begin{array}{ccc}\hfill T_{rs}\left(x_{\infty }\right)& =& cos\left(rscos\left({\displaystyle \frac{5}{18}}\pi \right)\right)\approx 0.76604444\mathrm{while}\hfill \\ \hfill T_{rs}\left(x\right)& =& cos\left(rsx\right)\approx -0.95393723\hfill \end{array}$$

obviously the calculation of Chebyshev polynomials is highly sensitive to small errors, they are ill-conditioned. In this situation using numerical approximations we have

• Secret key.  $s=106000$
• Public key.  $(x,y)=(x,T_r\left(x\right))=(0.64278760\dots ,0.17364817\dots )$
• Ciphering. Take $r=81500$. Then, for any plaintext $\mu \in (-1,+1]$, the ciphertext is

  $$(c_0,c_1)=(T_r\left(x\right),\mu T_r\left(y\right))=(-0.93969262\dots ,\mu ·0.76604444\dots ).$$

Then, the attacker Eve should solve the problem (13) with

$$\begin{array}{ccc}\hfill a& =& 3.2000000000\dots \mathrm{and}\hfill \end{array}$$

(15)

$$\begin{array}{ccc}\hfill b& =& 7.1999999999\dots \hfill \end{array}$$

(16)

in decimal representation, namely with radix $R=10$, where those coefficients are obtained according to the relations stated before problem (13).

Suppose that the values (15) and (16) are cut up to the m-th digit. According to the method described in Section 3.2.2, condition (10) does hold and consequently the problem is reduced to solve Equation (11), which, by Remark 3, has solutions only when

$$d|a\mathrm{where}d=gcd(b,{10}^m).$$

(17)

We proposed two cases of different precision covering the two situations listed in Bergamo’s algorithm that result in the correct $r^{\prime }$, such that $T_{r^{\prime }}\left(x\right)=T_r{\left(x\right)}^{\prime }$

Case $m=20$. In this case, the coefficients in Equation (11) are

$$\begin{array}{ccc}\hfill a_{20}& =& 0.20000000000000070759,\hfill \\ \hfill b_{20}& =& 0.19999999999999999999\hfill \end{array}$$

and $gcd({10}^{20}{b}_{20},{10}^{20})=1$ with

$${\left({10}^{20}{b}_{20}\right)}^{-1}=79999999999999999999$$

The unique solution of the corresponding instance of Equation (11) is

$$k_{20}=\left({10}^{20}{a}_{20}\right){\left({10}^{20}{b}_{20}\right)}^{-1}mod{10}^{20}=70759.$$

Hence, the corresponding iteration r such that $T_r\left(x\right)=c_0$ is

$$r_{20}=a+k_{20}·b=509468.$$

Comparing with the original index $r=81500$, we obtain

$$\begin{array}{ccc}\hfill T_{r_{20}}\left(x\right)& =& -0.939692620785909704047,\hfill \\ \hfill T_r\left(x\right)& =& -0.939692620785908595211,\hfill \\ \hfill error& =& -1.1088359707509228942·{10}^{-15}.\hfill \end{array}$$

Case $m=97$. In this case, the coefficients in Equation (11) are

$$\begin{array}{ccc}\hfill a_{97}& =& 0.1999999999999999999999999999999999999999999999999\setminus \hfill \\ & & 999999999999999999999999999999999999999999884368,\hfill \\ \hfill b_{97}& =& 0.1999999999999999999999999999999999999999999999999\setminus \hfill \\ & & 999999999999999999999999999999999999999999999996,\hfill \end{array}$$

and $\left({10}^{97}{b}_{97}\right)x_{97}+{10}^{97}{y}_{97}=4=gcd({10}^{97}{b}_{97},{10}^{97})$ with

$$\begin{array}{ccc}\hfill x_{97}& =& 94999999999999999999999999999999999999999999999999\setminus \hfill \\ & & 99999999999999999999999999999999999999999999999,\hfill \\ \hfill y_{97}& =& -18999999999999999999999999999999999999999999999999\setminus \hfill \\ & & 99999999999999999999999999999999999999999999996,\hfill \end{array}$$

and the solutions of the corresponding instance of Equation (11) are

$$\begin{array}{ccc}\hfill k_{97,0}& =& x_{97}·{\displaystyle \frac{{10}^{97}{a}_{97}}{4}}mod{10}^{97}\hfill \\ & =& 39999999999999999999999999999999999999999999999999\setminus \hfill \\ & & 99999999999999999999999999999999999999999971092\hfill \end{array}$$

and $k_{97,i}=k_{97,0}+i·{\displaystyle \frac{{10}^{97}}{4}}$.

Hence, there are four corresponding iterations $r_{97,i}$ such that $T_{r_{97,i}}\left(x\right)=c_0$ and they are $r_{97,i}=a+k_{97,i}·b,i\in \left[[0,3]\right].$ Take

$$\begin{array}{ccc}\hfill r_{97,0}& =& a+k_{97,0}·b\hfill \\ & =& 879999999999999999999999999999999999999999999999\setminus \hfill \\ & & 9999999999999999999999999999999999999999999791864.\hfill \end{array}$$

Comparing with the original index $r=81500$, we obtain

$$\begin{array}{ccc}\hfill T_{r_{97,0}}\left(x\right)& =& -0.798375679639044035429574245118989681891634222656\setminus \hfill \\ & & 3771425989271896557574773604459217627398202050981,\hfill \\ \hfill T_r\left(x\right)& =& -0.939692620785908384054109277324731469936208134264\setminus \hfill \\ & & 4646330902866627742212109958894589497458898387058,\hfill \\ \hfill error& =& 0.40738331968914697735.\hfill \end{array}$$

While applying the symbolic computation to $r_{97,0}$, we get indeed a correct solution:

$$\begin{array}{ccc}\hfill T_r\left(x\right)& =& cos(rarccos\left(x\right))=cos\left(r{\displaystyle \frac{5}{18}}\pi \right)\hfill \\ & =& cos\left(\left(22638+{\displaystyle \frac{8}{9}}\right)\pi \right)=cos\left({\displaystyle \frac{8}{9}}\pi \right),\hfill \\ \hfill T_{r_{97,0}}\left(x\right)& =& cos(r_{97,0}arccos\left(x\right))=cos\left(r_{97,0}{\displaystyle \frac{5}{18}}\pi \right)\hfill \\ & =& cos\left(\left(24444444444444444444444444444444444444\right)\right)\hfill \\ & & 44444444444444444444444444444444444444\hfill \\ & & 444444444444444386628+{\displaystyle \frac{8}{9}}\pi \hfill \\ & =& cos\left({\displaystyle \frac{8}{9}}\pi \right).\hfill \end{array}$$

Thus, for different values of m it may happen that either there are no solutions of Equation (11) ($d/\left|\right({10}^m{a}_m)$) or there are several solutions ($d>1$ and $d\left|\right({10}^m{a}_m)$). And as m increases, the solution $r^{\prime }$ increases as well. However, when $r^{\prime }$ is much larger than r, the calculations of Chebyshev polynomials may differ from that of the original index due to precision error propagation.

However, as reported in [10], Bergamo’s attack succeeds by considering symbolic, not numerical, calculations:

Suppose that for some rational number $q\in \mathbb{Q}$, $x=cos\left(q\pi \right)$. Then, according to the selection of coefficients a, b, as in Equation (12), $a={\displaystyle \frac{r\epsilon q\pi }{q\pi }}=\epsilon r$, for a sign $\epsilon \in \{-1,+1\}$, and $b={\displaystyle \frac{2k\pi }{q\pi }}=2{\displaystyle \frac{k}{q}}$. Then, by selecting a radix R such that both a and b have finite R-radix representation, as stated in Remark 4, Bergamo’s attack would succeed in recovering the index r.

Besides the above example in which Bargamo’s attack may fail to recover the original index r, which is the random index when ciphering in Chebyshev’s chaotic cryptosystem, we also remark on the following:

By considering the relation (14), we have that the left side lies in the real interval $[0,\pi ]$ while the right side is the difference of two big numbers $rarccos\left(x\right),2k\pi$, of the same order of magnitude. Depending on the chosen precision m of the computing platform this difference can be great when the true values of the operands are approximated. Hence, this difference may differ too much from the right side and that may provoke that for the alleged recovered index r, $c_0\ne cos(rarccos\left(x\right)-2k\pi )$ and consequently $c_0\ne T_r\left(x\right)$.

5. Conclusions

Due to the chaotic behaviour of Chebyshev polynomials, the breaking attack in [10] may fail if the length ℓ, the number of significant digits, in plaintexts, is unknown. Hence, ℓ must be a part of the secret key. The precision m, the number of significant digits in arithmetical calculations, may be part of the public key.

In order to evaluate the effectiveness of Bergamo’s attack, we implemented numerical experiments utilizing GMP and MPFR. The square-and-product procedure is suitable for performing efficient calculations within the Chebyshev cryptographic scheme and the above-mentioned software packages manage efficiently the required multiple precision arithmetic. In Lemma 1 of the current paper, we emphasize the importance of knowing the length of plaintext in advance. The parameters ℓ (length of plaintexts) and m (precision in numerical calculations), influence greatly the effectiveness of both decryption and attack procedures. Due to the chaotic behaviour of Chebyshev polynomials, the breaking attack in [10] may fail if the length ℓ, the number of significant digits, in plaintexts is unknown. Hence, ℓ must be a part of the secret key. But also, the precision m, the number of significant digits in arithmetical calculations, should be part of the public key for effective decryption.