Within a responder, the NLBs may differ from one another, and this can even be exploited to guarantee a unique transformation. The delay and gains reside on a Digilent Nexys II field programmable gate array (FPGA) platform, which also provides storage memory for the measured signals. It is clear from Fig. Intuitively, because of the unimodal character of $f$, most output values can originate from two input values, i. Cascading $n$ such static functions then leads to $2^n$ possible input values for each output value. Input-output responses for (a) two, (b) four, (c) six and (d) eight cascaded NLBs when slowly scanned.

Figure 5 shows an experimentally obtained bifurcation diagram of the driver. For a wide range of loop gains $G_d$, as programmed in the FPGA based delay line, the driver signal is clearly chaotic. We note that the driver dynamics takes several hundred delay times to reach a steady-state dynamical regime. All subsequent results are measured after this warm-up period. It is clear that while the responders show nearly identical signals, there is little or no resemblance between the signals of the driver and the responders.

To quantize the difference between driver and responder signals, we calculate the normalized root mean square error (NRMSE):. We further characterize the (dis)similarity of these signals by looking at the auto- and cross-correlations. The means of the signals are removed, since they convey no information. Then these values are averaged to obtain the cross-correlation:. Here it is assumed that the processes from which the signals stem are wide sense stationary (WSS), so that. In what follows, we normalize the correlations to:. Although derived from a deterministic system, this is close to the auto-correlation of white noise.

We located this optimal gain value by plotting the magnitude of the first four peaks of the normalized auto-correlation as a function of the loop gain $G_d$, in Fig.

In this way, periodic components of the driver signal are almost completely suppressed. This is important because any self-similarity in the driver signal might lead to correlations in the responder signals, which are derived from the driver. The bitstreams that are derived from these time series might then also show similarities and fail to appear random.

The largest peak is below 0. The situation for responder 2 is similar. As before and shown in Fig. Conversely, as shown in Fig. The auto-correlation of responder 2, $R_{r_2 r_2}$, is very similar to that of responder 1, and therefore is not shown. Normalized cross-correlations of the responders (a) and auto-correlation of responder 1 (b) at optimal gains $G_d$ and $G_r$. To summarize, because the responder signals are nearly identical, the bitstreams derived thereof will also be nearly identical.

The bitstream derived from the driver signal will inherit its very low long-term auto-correlations. More so, the low cross-correlation between the driver and the responders will result in nearly uncorrelated bitstreams. To be able to adequately suppress the cross-correlation between the driver and the responders, the responder branches need to have a sufficient number of nonlinear nodes.

## Encryption key distribution via chaos synchronization

In similar experiments in photonics, where each responder consisted of only one laser, driven by a random phase light source, the residual cross-correlation was as high as 0. These systems are based on synchronized semiconductor lasers. In a cascade of unidirectionally coupled semiconductor lasers the synchronization is likely to be intermittently lost in a process called bubbling. In a related work, for a mutually coupled laser arrangement using zero lag synchronization, an extensive reconciliation post procedure was needed to transform the merely correlated bitstreams to truly identical bitstreams usable as key over a public channel. In addition, over the last decade, a number of classical private key distribution systems have been proposed using diverse physical systems either in electronics or photonics hardware 21, 22. Here, we introduce a scheme for generating bits from the driver and responder signals that we call the delayed comparison method (DCM).

The method automatically delivers balanced bit series. For this method to work, it is only required that the driver and responder signals, interpreted as random processes, are wide sense stationary (WSS). If we compare two instances of such a process $X(t)$ at times $t_1$ and $t_2$, the probability that the first measurement is smaller than the second one is:. We proceed as follows to obtain the bits from the timeseries. First the timeseries $x_n$ are downsampled over a factor $r$, where $r$ is chosen larger than the width of the central auto-correlation peak.

This is the decorrelation step, used to avoid long successions of the same bit value. Then the resulting timeseries $x_{rn}$ is transformed into a series of bits $b_n$ as follows:.

Note that because the time series samples are discretized, there is a small probability that two samples are equal, such that Eq. This can be resolved by choosing alternating values for the bits resulting from these equal samples. However, we found this to be unnecessary, and used Eq. Lastly, every other bit of $b_n$ is discarded, yielding the final bit series $B_n$:. Without this last step, one sample of the time series would be used for the generation of two bits. This repetition would eventually show up in the frequency tests to evaluate randomness. Figure 10 gives a schematic outline of the process.

Since choosing a different $r$-interval results in a different bit series, it is clear that the process outlined in Fig.

For multiple intervals $r_i$, the bitrate is given by:. Using $r$-intervals 81, , , and , we obtained 22 million bits. The probabilities between the driver and responder 2 are similar to those between the driver and responder 1. The random bits were divided in 55 sequences of We tested these sequences with the National Institute of Standards test suite for random bit streams. In Table 1, we show the results.

Where a test has more than one result, the worst result is shown. The results file states that the minimum pass rate for each statistical test, with the exception of the random excursion variant test, is approximately 52 for a sample size of 55 binary sequences.

The minimum pass rate for the random excursion variant test is approximately 21 for a sample size of 23 binary sequences. We conclude that the bits generated by the delay comparison method show no signs of deviation from randomness. This is equivalent to a modulo-2 addition. The exclusive-or based encryption is known to be vulnerable to a plaintext-attack. If the message is longer than the key and the same key is used repetitively, a known plaintext together with the encrypted message can readily reveal the key.

However, in our case the key is generated on-the-fly and used only once, such that this scheme is equivalent to a Vernam cypher or one-time-pad encryption. Full scale images are found in Fig. Thus the encrypted message is a seemingly random bitseries, showing no information about the message or the key. The encrypted message and the key are both transmitted to the receiver over the public channel.

It is important that the relative phases of the key and message remain the same, once these signals reach the receiver side. In practice, this is straightforward to achieve by using established telecommunication techniques such as digitization and framing or packaging. The driver or key signal drives responder 2 in synchronization with responder 1. Some small artefacts are visible in the decrypted image, because the synchronization between the responder signals in this proof-of-concept demonstration is not perfect.
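The delayed comparison method and the exclusive-or step described above, end to end, as an added example that is not code from the paper. The comparison direction (bit 1 when the earlier sample is smaller) is an assumption, since the page's bit equation is missing, and the two responder signals are constructed stand-ins (a logistic-map series and a slightly noisy copy), not the paper's circuit; all function names are hypothetical.

```python
import random

def dcm_bits(x, r, alternate_ties=False):
    """Delayed comparison method: downsample by r, compare sample pairs.

    Pairing samples (0,1), (2,3), ... is the same as comparing every neighbour
    and discarding every other bit, so each sample feeds exactly one bit.
    """
    xs = x[::r]                                  # decorrelation step
    bits, tie_bit = [], 0
    for a, b in zip(xs[0::2], xs[1::2]):
        if a == b and alternate_ties:            # equal samples: alternate 0, 1, 0, ...
            bits.append(tie_bit)
            tie_bit ^= 1
        else:
            bits.append(1 if a < b else 0)       # assumed comparison direction
    return bits

def xor_bits(message, key):
    """Modulo-2 addition; the one-time key must cover the whole message."""
    if len(key) < len(message):
        raise ValueError("one-time key shorter than message")
    return [m ^ k for m, k in zip(message, key)]

def constructed_responders(n, noise=1e-3, seed=1):
    """Constructed stand-ins: a chaotic series and an imperfectly synchronized copy."""
    rng = random.Random(seed)
    x, r1, r2 = 0.3141, [], []
    for _ in range(n):
        x = 4.0 * x * (1.0 - x)                  # logistic map, not the paper's system
        r1.append(x)
        r2.append(x + rng.uniform(-noise, noise))
    return r1, r2

def demo(n=64000, r=16):
    r1, r2 = constructed_responders(n)
    key_tx, key_rx = dcm_bits(r1, r), dcm_bits(r2, r)
    rng = random.Random(2)
    message = [rng.randint(0, 1) for _ in key_tx]
    cipher = xor_bits(message, key_tx)           # sender: key from responder 1
    plain = xor_bits(cipher, key_rx)             # receiver: key from responder 2
    return {"bits": len(key_tx), "ones": sum(key_tx),
            "key_errors": sum(a != b for a, b in zip(key_tx, key_rx)),
            "msg_errors": sum(a != b for a, b in zip(message, plain))}

if __name__ == "__main__":
    print(demo())
```

Every key bit on which the two responders disagree becomes exactly one wrong bit in the decrypted message, which is the source of the artefacts the text describes.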

Since the bit error rate is close to 0. However, not all bit errors will result in visible pixel errors. Apart from extra error correction, we suggest methods for further improvement on this figure in the discussions section of this paper. Close ups of the encrypted and decrypted messages of Fig. A possible first step in an attack on this encryption method would be to try to perform a system identification, using a set of known driver and responder signals. Note that for this method to work, an attacker needs to somehow obtain the responder signal which is not present in the channel.

An up to date method for finding generalized synchronization between signals, i. Here the input $x$ would be the driver signal and the output $y$ the responder signal, with $F$ the transformation performed by the responder system. The estimated output signal $y_E(t)$ is a sum of Volterra functionals.

In ref. Once a knot sequence is chosen, the spline functions are fully specified and can be built using the de Boor algorithm. If the knots are uniformly spaced, the b-splines are simply shifted copies of each other and called cardinal b-splines. The final model is linear with respect to the coefficients that make up the sum of the covariates.

This can be solved by any number of methods. This method seeks the coefficients for which:. The evaluation of the model is applied on a separate validation data set.

Table 2 states the parameters we used, and the resulting Pearson correlation coefficient. Figure 13a shows the input and desired output signal. Figure 13b shows a scatter plot of the FSM estimated signal vs. This also indicates that a single MG-like transformation is not safe for encryption purposes. We applied the FSM methodology, with the sampled driver signal $v_d$ as input and the responder signal $v_{r_1}$ as output, in an attempt to characterize Eq.

The responder signals decay in about one millisecond or samples at the chosen sampling rate. Therefore, we chose the spline window to be samples to cover this interval. Table 3 states the parameters for the best results we could obtain, while keeping the computation time reasonable. We applied a nonuniform knot sequence, where the knots support the highest maxima of the cross-correlation of the driver and responder signals in the given window. Using a third-order approach results in covariates.

The 25 b-splines are shown in Fig. As is clear from the scatter plot, Fig. The time needed to determine the coefficients from a training time series of samples and building the testing time series of 1 million samples, was well over ten hours on an Intel dual-core laptop working at 2. A fourth order FSM with 25 b-splines would have covariates. We estimate that the training alone would take several days and, as suggested in ref. The parameters are stated in Table 3.

Even if the responder signal could be effectively predicted from the driver signal, an attacker would somehow still need to obtain the $r$-intervals used in the delayed comparison method to calculate the bit series. Note these intervals may be hardwired in the responders before deployment to the field and made to be even unknown to the manufacturer. We have generated the bit series resulting from the estimated responder time series, under the assumption that the attacker somehow got hold of these intervals and compared these to the bit series generated from the actual responder signal.

The resulting conditional probabilities show little correlation:. A new method for distributing encryption keys based on synchronization of driven chaotic systems has been presented. The resulting keys have passed the NIST test suite, showing no distinction from a true random bit series.

The keys have the same length as the message and the encryption is done by using an exclusive-or operation. The key is used only once and has the same length as the message. We have demonstrated a proof-of-concept setup, based on an analog electronic system. The responder-responder synchronization is not perfect, as expected for a circuit that is made with discrete components. Nevertheless, the viability of the concept has clearly been shown.

More sophisticated implementations could use delay coupled driven digital iterated maps. These can be directly implemented on a field programmable gate array or application specific integrated circuit. However this was found to be insufficient to obtain the near-noise like auto-correlation in the driver. A fully digital implementation could easily contain even more NLBs.

Another method to obtain closely matched responder signals is to construct the analog responder circuits on a single integrated circuit wafer, which is cut after production. In this way, naturally occurring or deliberately induced process variations can be harnessed to produce truly unique systems.

All submissions will be blind-reviewed. Papers must be anonymous, with no author names, affiliations, acknowledgements, or obvious references.

Submissions should begin with a cover page containing title, a short abstract, and a list of keywords. The body of the paper should be at most 14 pages, excluding the title page with abstract, the bibliography, and clearly marked appendices. Committee members are not required to review appendices, so the paper should be intelligible and self-contained within this length.

Submissions not meeting these guidelines risk rejection without consideration of their merits. Presentations are welcome on any cryptographic or coding-theoretic topic including, but not limited to:

- Foundational theory and mathematics;
- The design, proposal, and analysis of cryptographic or coding primitives and protocols;
- Secure implementation and optimisation in hardware or software; and
- Applied aspects of cryptography and coding.

The main criteria for acceptance are whether the committee believes that the proposed talk will be of interest and of appropriate quality to present to the IMACC audience:.

Submissions must comply with the following rules:

- Submissions can be full papers (maximum 10 pages), abstracts (maximum 2 pages), or the expected presentation slides.

As these presentations do not enter the formal proceedings (see accompanying Call for Papers), we accept and encourage contributed talk proposals which correspond to papers that are under submission or already published elsewhere. The Early bird fees are available until 18 November.

Resolution variant visual cryptography for street view of Google Maps

Abstract: Resolution variant visual cryptography takes the idea of using a single share of visual cryptography (VC) to recover a secret from an image at multiple resolutions. That means, viewing the image on a one-to-one basis and superimposing the share will recover the secret.

However, if the image is zoomed, using that same share we can recover other secrets at different levels. The same share is used at these varying resolutions in order to recover a large amount of hidden secrets.