On the Effectivenes of a Common Attack to Chebyshev Chaotic Encryption Scheme

1. Introduction

The sequence ${\left(T_r\left(X\right)\right)}_{r\in \mathbb{N}}$ of Chebyshev polynomials provides a typical example of a chaotic system and it was used to obtain a well known and exhaustively analyzed public-key encryption scheme based on chaos [1,2,3]. For any index r, $T_r\left(X\right)$ has degree r and its restriction to the open real interval $I=(-1,+1)$ has as image this interval, namely it is an onto map $I\to I$, hence the corresponding cryptosystem has I as the space of both plaintexts and ciphertexts. Since the sequence of Chebyshev polynomials forms a semigroup, namely for any $r,s\in \mathbb{N}$, $T_r\circ T_s\left(X\right)=T_{rs}\left(X\right),$ the sequence has served as basis of several chaotic cryptosystems:

• for encryption, a public key has the form $(x,y)=(x,T_s\left(x\right))$ for $x\in I$ and $s\in {\mathbb{Z}}^{+}$ is the private key. Then for a message $\mu \in I$ the ciphertext is $(c_0,c_2)=(T_r\left(x\right),\mu ·T_r\left(y\right))$, where $r\in {\mathbb{Z}}^{+}$ is a random index selected by the sender of the message, and for decryption the owner of the private key calculates ${\displaystyle \frac{c_2}{T_s\left(c_0\right)}}$,
• for key agreement (KA), the classic Diffie-Hellman KA scheme can be translated quite directly by the semigroup property [4],
• for authentication, a general scheme is introduced in [5] in which servers should authenticate client using a central registry (RC). Each server has a key $s_j$ and each client an index $r_i$ and the corresponding Chebyshev polynomials are evaluated on secret numbers owned by the RC hence the servers and the clients just know the values of their polynomials at the secret points. Also there is an interesting application of the sequence of Chebyshev polynomials for Radio Frequency IDentification (RFID), where the index s is broadcasted by a transceiver and each transponder selects a particular index r and codifies it in order to form an identification label [6], and
• for image encryption the chaotic methods have been extensively used as well as some refinements of chaotic maps [7,8].

In [9] the behaviour Chebyshev sequence in modular arithmetic, as well as its impact on the security of cryptosystems have been analyzed within the context of Number Theory.

In 2005 the most common attack to this cryptosystem was introduced [10] (see [4,11] as well). The attack strategy is based in solving equations of the form $T_r\left(x\right)=c$ for $x,c\in I$ with respect to index r. To this end there are considered just real numbers in I with a finite length decimal representation. For any $m\in {\mathbb{Z}}^{+}$, let $I_m$ be the collection of numbers in I whose decimal representation consists of m digits. Thus, by multiplying the involved real numbers by the power ${10}^m$ the stated problem gives rise to congruence relations on the integers solvable by Number Theory techniques.

We performed several experiments in order to test Bergamo’s attack [10] using multiple precision arithmetic provided by the already conventional software tools gmp [12] and mpfr [13], we report here the results. We consider a length $\ell \in {\mathbb{Z}}^{+}$ for the specification of plaintexts and a precision$m\in {\mathbb{Z}}^{+}$, with $\ell \le m$, for the number of significant digits in decimal representation. The space of plaintexts is coded as the set of words of length ℓ with symbols in $\{0,1,\dots ,9\}$, with cardinality ${10}^{\ell }$, and the space of ciphertexts is the set of words of length m with symbols in $\{0,1,\dots ,9\}$.

Bergamo’s attack [10] is effective whenever ℓ is known by the attacker. This attack technique would produce several possible solutions for the recovering secret key depending on the assumed value of the length ℓ. An exhaustive search of the right secret key may be still rather costly. The length ℓ may be part of the private key in the chaotic crypto-scheme.

The purpose of the current report is to illustrate the importance to fix the length of the plaintexts ℓ and the precision m among the participants in the crypto scenario.

It is worth to mention that some similar remarks related to the difficulties in making effective the attack in [10] have been pointed out in [5] and there the authors consider attacks based on impersonation. In [14] it is pointed also the importance to limit the numerical domains of Chebyshev polynomials.

In section 2 we recall the Chebyshev polynomials and in section 3 we recall the corresponding chaotic cryptosystem and the attack in [10]. In section 4 we present the performed experiments. Our contribution consists in testing the effectiveness of Bergamo’s attack. We have concluded that it is essential for the attacker to know the length of plaintexts and certainly the arithmetical precision should be greater than this length.

2. Chebyshev Polynomials

Notation. 

We will write for any two integers $i,j\in \mathbb{Z}$, $i\le j$, $\left[\right[i,j\left]\right]=\{i,\dots ,j\}$. For any $a,b\in \mathbb{R}$, with $a<b$ we may consider open, semiclosed or closed intervals:

$$\begin{array}{ccccccc}\hfill (a,b)& =& \{x\in \mathbb{R}|a<x<b\}\hfill & ,& \hfill (a,b]& =& \{x\in \mathbb{R}|a<x\le b\},\hfill \\ \hfill [a,b)& =& \{x\in \mathbb{R}|a\le x<b\}\hfill & ,& \hfill [a,b]& =& \{x\in \mathbb{R}|a\le x\le b\}.\hfill \end{array}$$

For a radix $R\in {\mathbb{Z}}^{+}$, $R>1$, let $D_R=\left[[0,R-1]\right]$ be the collection of Rdigits, then for each $m\in {\mathbb{Z}}^{+}$, $D_R\left[R^{-m}\right]$ will denote the set of real numbers in $(-1,1)$ that can be written as polynomial expressions in terms of $R^{-m}$ with coefficients in $D_R$, in other words $D_R\left[R^{-m}\right]$ is the set of fractional numbers than can be written with exactly m digits in radix R.

As a very basic trigonometric identity we recall that for any $n\in {\mathbb{Z}}^{+}$ and any $z\in [0,\pi ]$:

$$cos\left(\right(n+1\left)z\right)+cos\left(\right(n-1\left)z\right)=2cos\left(z\right)cos\left(nz\right).$$

Besides, $cos\left(0z\right)=1$ and $cos\left(1z\right)=cos\left(z\right)$. With the change of variable $[0,\pi ]\to [-1,+1]$, $z\mapsto x=cos\left(z\right)$ (see Figure 1), the sequence of Chebyshev polynomials follows:

$$\begin{array}{ccc}\hfill T_0\left(X\right)=1& ;& T_1\left(X\right)=X\hfill \\ \hfill \forall n\ge 1:T_{n+1}\left(X\right)& =& 2X{T}_n\left(X\right)-T_{n-1}\left(X\right)\hfill \end{array}$$

Remark 1.

The sequence ${\left(T_n\right)}_{n\in \mathbb{N}}$ is asemigroup, namely $\forall n,m:T_n\circ T_m=T_{n·m}.$

Indeed, using the above mentioned change of variables, $\forall x\in [-1,1]$:

$$T_n\circ T_m\left(x\right)=T_n\left(T_m\left(x\right)\right)=T_n(cos\left(mz\right))=cos(narccos(cos\left(mz\right)))=cos\left(nmz\right)=T_{nm}\left(x\right).$$

From the definition of the Chebyshev polynomials,

$$\left[\begin{array}{c}{T}_{n-1}\left(X\right)\\ T_n\left(X\right)\end{array}\right]=\left[\begin{array}{cc}\hfill 0& 1\\ \hfill -1& 2X\end{array}\right]·\left[\begin{array}{c}\hfill T_{n-2}\left(X\right)\\ \hfill T_{n-1}\left(X\right)\end{array}\right]$$

hence

$${\mathbf{t}}_n\left(X\right)=M{\left(X\right)}^{n-1}{\mathbf{t}}_1\left(X\right)$$

where ${\mathbf{t}}_n\left(X\right)=\left[\begin{array}{c}{T}_{n-1}\left(X\right)\\ T_n\left(X\right)\end{array}\right]$ and $M\left(X\right)=\left[\begin{array}{cc}\hfill 0& 1\\ \hfill -1& 2X\end{array}\right].$

Let us write the powers of matrix $M\left(X\right)$ as

$$M{\left(X\right)}^n=\left[\begin{array}{cc}\hfill p_{00n}\left(X\right)& p_{01n}\left(X\right)\\ \hfill p_{10n}\left(X\right)& p_{11n}\left(X\right)\end{array}\right].$$

Then

$$\begin{array}{ccc}\hfill \left[\begin{array}{cc}\hfill p_{00,n+1}\left(X\right)& p_{01,n+1}\left(X\right)\\ \hfill p_{10,n+1}\left(X\right)& p_{11,n+1}\left(X\right)\end{array}\right]& =& M{\left(X\right)}^{n+1}\hfill \\ & =& M\left(X\right)·M{\left(X\right)}^n\hfill \\ & =& \left[\begin{array}{cc}\hfill 0& 1\\ \hfill -1& 2X\end{array}\right]·\left[\begin{array}{cc}\hfill p_{00n}\left(X\right)& p_{01n}\left(X\right)\\ \hfill p_{10n}\left(X\right)& p_{11n}\left(X\right)\end{array}\right]\hfill \\ & =& \left[\begin{array}{cc}{p}_{10n}\left(X\right)& p_{11n}\left(X\right)\\ -p_{00n}\left(X\right)+2X{p}_{10n}\left(X\right)& -p_{01n}\left(X\right)+2X{p}_{11n}\left(X\right)\end{array}\right]\hfill \end{array}$$

Hence,

$$\begin{array}{ccc}\hfill \left[\begin{array}{cc}\hfill p_{001}\left(X\right)& p_{011}\left(X\right)\\ \hfill p_{101}\left(X\right)& p_{111}\left(X\right)\end{array}\right]& =& \left[\begin{array}{cc}\hfill 0& 1\\ \hfill -1& 2X\end{array}\right],\hfill \end{array}$$

(1)

$$\begin{array}{ccc}\hfill \left[\begin{array}{cc}\hfill p_{00,n+1}\left(X\right)& p_{01,n+1}\left(X\right)\\ \hfill p_{10,n+1}\left(X\right)& p_{11,n+1}\left(X\right)\end{array}\right]& =& \left[\begin{array}{cc}{p}_{10n}\left(X\right)& p_{11n}\left(X\right)\\ -p_{00n}\left(X\right)+2X{p}_{10n}\left(X\right)& -p_{01n}\left(X\right)+2X{p}_{11n}\left(X\right)\end{array}\right].\hfill \end{array}$$

(2)

From here, it follows that $\forall n\in {\mathbb{Z}}^{+}$: $deg\left(p_{11n}\left(X\right)\right)=n$.

Algorithm 1. Square-and-product procedure

Algorithm 1. Square-and-product procedure

The powers of the matrix $M\left(X\right)$ can be calculated via square-and-product:

$$r=\sum _{i=0}^k{r}_i{2}^i⟹M{\left(X\right)}^r=\prod _{i=0}^k{\left(M{\left(X\right)}^{2^i}\right)}^{r_i},$$

namely, by the procedure sketched in Algorithm 1.

The Chebyshev polynomials are defined in the interval $[-1,+1]$, the absolute values of the points in this domain are in the unit interval $[0,1]$.

Consider the conventional decimal radix, $R=10$. Suppose that $x\in [-1,+1]$ is such that $x\in D_{10}\left[{10}^{-m}\right]$ for some $m\in {\mathbb{Z}}^{+}$, then there is an integer $x_m\in \left[[-{10}^m,+{10}^m]\right]$ such that $x={\displaystyle \frac{x_m}{{10}^m}}$, or $x_m={10}^{m}x$. Consequently, from relations (1) and (2) it follows that

$$\forall n\in {\mathbb{Z}}^{+}:p_{11n}\left(x\right)\in D_{10}\left[{10}^{-nm}\right].$$

Besides,

$${10}^{m}M\left(x\right)={10}^m\left[\begin{array}{cc}\hfill 0& 1\\ \hfill -1& 2x\end{array}\right]=\left[\begin{array}{cc}0& {10}^m\\ -{10}^m& 2x_m\end{array}\right]=:N_{x_m}\in {\mathbb{Z}}^{2\times 2}$$

and

$$\forall n\in {\mathbb{Z}}^{+}:M{\left(x\right)}^n={10}^{-nm}{N}_{x_m}^n.$$

On the other hand, from step 4(a) of the procedure in Table 1

$$SP={\displaystyle \frac{1}{{10}^{2m}}}\left({10}^{m}S\right)\left({10}^{m}P\right)$$

as well as, from step 4(b),

$$SS={\displaystyle \frac{1}{{10}^{2m}}}\left({10}^{m}S\right)\left({10}^{m}S\right).$$

Through these relations, the square-and-product algorithm can be performed within multiple precision arithmetic in $[-1,1]$ using a multiple precision arithmetic on the integers.

Remark 2.

In the current experiments we calculate the Chebyshev polynomials through the above “square-and-product” method in order to maintain the multiple precision of the calculations through additions and products and to avoid the dependency of implementations of the maps cos and arccos.

3. The Cryptosystem Based on Chebyshev Polynomials

3.1. The General Scheme

The following is a public-key encryption scheme where the plaintext space and the ciphertext space are both the real interval $[-1,1]$:

Key generation 

Choose $x\in [-1,1]$ and $s\in {\mathbb{Z}}^{+}$ large enough. The public key is $(x,y)=(x,T_s\left(x\right))$ and the private key is s.

Encryption 

For a plaintext $\mu \in [-1,1]$, choose a random index $r\in {\mathbb{Z}}^{+}$, and calculate $c_0=T_r\left(x\right)$, $c_1=T_r\left(y\right)$, $c_2=\mu c_1$. The ciphertext is $c=(c_0,c_2)$.

Decryption 

Given the ciphertext $c=(c_0,c_2)$ recover the message as $\mu ={\displaystyle \frac{c_2}{T_s\left(c_0\right)}}$.

Hence the time complexity of the encryption procedure is

$${time}_{Ch}(m,r)=O\left(M(m·r)rlogr\right)$$

(3)

where $M\left(k\right)$ is the time complexity of the chosen algorithm for multiplication in $D_R\left[R^{-m}\right]$, m is the precision of calculations and r is the chosen random number.

With respect to the Decryption Procedure let us make a remark:

Suppose that a number x in the open interval $(0,1)$ is written in radix R as $x={\sum }_{i=1}^{m_1}{x}_i{R}^{-i}$, with digits $x_i\in \left[[0,R-1]\right]$, namely $x\in D_R\left[R^{-m_1}\right]$. Then for any $m_0<m_1$:

$$x=\sum _{i=1}^{m_0}{x}_i{R}^{-i}+\sum _{i=m_0+1}^{m_1}{x}_i{R}^{-i}=:\overline{x_{m_0}}+\overline{x_{m_1-m_0}},$$

where $\overline{x_{m_0}}$ is the decimal number expressed by the first $m_0$ digits of x and $\overline{x_{m_1-m_0}}=x-\overline{x_{m_0}}$. Thus

$$\begin{array}{ccc}\hfill \overline{x_{m_1-m_0}}& =& \sum _{i=m_0+1}^{m_1}{x}_i{R}^{-i}\hfill \\ & =& R^{-(m_0+1)}\sum _{j=0}^{m_1-(m_0+1)}{x}_{m_0+1+j}{R}^{-j}\hfill \\ & <& R^{-(m_0+1)}\sum _{j=0}^{m_1-(m_0+1)}R{R}^{-j}\hfill \\ & =& R^{-m_0}{\displaystyle \frac{1}{1-R^{-1}}}\hfill \\ & =& {\displaystyle \frac{1}{R-1}}{R}^{-(m_0-1)}\hfill \end{array}$$

(4)

besides

$$R^{m_1}x=R^{m_1}\left(\overline{x_{m_0}}+\overline{x_{m_1-m_0}}\right)=R^{m_1-m_0}\left(R^{m_0}\overline{x_{m_0}}\right)+R^{m_1}\overline{x_{m_1-m_0}}\in \mathbb{Z}.$$

(5)

Assume now that there are given two numbers $a,b\in D_R\left[R^{-m_1}\right]$, $b\ne 0$. By expressing them as in (5),

$$\begin{array}{ccc}\hfill R^{m_1}a& =& R^{m_1-m_0}\left(R^{m_0}\overline{a_{m_0}}\right)+R^{m_1}\overline{a_{m_1-m_0}}\hfill \\ \hfill R^{m_1}b& =& R^{m_1-m_0}\left(R^{m_0}\overline{b_{m_0}}\right)+R^{m_1}\overline{b_{m_1-m_0}}\hfill \end{array}$$

thus by division there are quotients $q,q_{m_0}\in \mathbb{Z}$ and remainders $r\in \left[[0,R^{m_1}b-1]\right]$, $r_{m_0}\in \left[[0,R^{m_0}\overline{b_{m_0}}-1]\right]$ such that

$$\begin{array}{ccc}\hfill R^{m_1}a& =& q{R}^{m_1}b+r\hfill \end{array}$$

(6)

$$\begin{array}{ccc}\hfill R^{m_0}\overline{a_{m_0}}& =& q_{m_0}{R}^{m_0}\overline{b_{m_0}}+r_{m_0}\hfill \end{array}$$

(7)

From Equation (7),

$$\begin{array}{ccc}\hfill R^{m_1}\overline{a_{m_0}}& =& R^{m_1-m_0}{R}^{m_0}\overline{a_{m_0}}\hfill \\ & =& R^{m_1-m_0}{q}_{m_0}{R}^{m_0}\overline{b_{m_0}}+R^{m_1-m_0}{r}_{m_0}\hfill \\ & =& q_{m_0}{R}^{m_1}\overline{b_{m_0}}+R^{m_1-m_0}{r}_{m_0}\hfill \end{array}$$

(8)

by substracting (8) from (6)

$$R^{m_1}\overline{a_{m_1-m_0}}=R^{m_1}a-R^{m_1}\overline{a_{m_0}}=q{R}^{m_1}b+r-(q_{m_0}{R}^{m_1}\overline{b_{m_0}}+R^{m_1-m_0}{r}_{m_0})$$

hence from (4)

$$R^{m_1}\left(qb-q_{m_0}\overline{b_{m_0}}\right)+\left(r-R^{m_1-m_0}{r}_{m_0}\right)<R^{m_1}{\displaystyle \frac{1}{R-1}}{R}^{-(m_0-1)}={\displaystyle \frac{R}{R-1}}{R}^{m_1-m_0}$$

and this last inequality entails $q-R^{m_1-m_0}{q}_{m_0}<R^{m_0}$, consequently the radix-R expression of q and $q_{m_0}$ coincide up to the $(m_0-1)$-digit.

In summary:

Lemma 1.

If $a,b\in D_R\left[R^{-m_1}\right]$, $b\ne 0$, for any $m_0\in \left[[1,m_1-1]\right]$ the quotients ${\displaystyle \frac{a}{b}}$ and ${\displaystyle \frac{a_{m_0}}{b_{m_0}}}$ coincide up to the $(m_0-1)$-digit.

Thus, in Chebyshev encryption scheme the precision m, which is the number of significant digits in the arithmetical calculations within the interval $[-1,1]$, shall be greater than the length ℓ of plaintexts since in the decryption process a division is involved. However, due to Lemma 1, for any $m_0\in \left[[\ell +1,m]\right]$ the recovered plaintext is plaussible up to the $(m_0-1)$-th digit. In order to determine the original plaintext the decipherer should know ℓ.

In an attack to the cryptosystem, given a public key $(x,y)$ and the ciphertext $(c_0,c_1)$, the random index $r\in {\mathbb{Z}}^{+}$ such that $T_r\left(x\right)=c_0$ should be recovered and the plaintext should be ${\mu }_m={\displaystyle \frac{c_1}{T_r\left(y\right)}}$ consisting of m digits where m is the precision of calculations. The original plaintext shall be the ℓ-length prefix ${\mu }_{\ell }$ of ${\mu }_m$. Thus a bruteforce procedure to recover ℓ is to look for the first length ℓ such that $Encryption({\mu }_{\ell },r)=(c_0,c_1)$. According to (3) the cost in time of this procedure is

$$O\left(m·{time}_{Ch}(m,r)\right)=O\left(mM(m·r)rlogr\right).$$

It is worth to mention that in this consecutive search, for some tested lengths Bergamo’s attack, presented below, fails because the conditions stated in Section 3.2.1 are not satisfied.

3.2. Bergamo’s Attack

Let us recall first some basic facts of number theory.

3.2.1. Solving Linear Equations in Remainder Rings

Let $M\in {\mathbb{Z}}^{+}$ be a modulus greater than 1 and consider the equation $bx=amodM$, with $a,b\in {\mathbb{Z}}_M$.

• If $b\in {\mathbb{Z}}_M^{*}$ then the solution $x=a{b}^{-1}modM$ is unique.
• If $b\in {\mathbb{Z}}_M-\left\{0\right\}$ and $d=gcd(b,M)>1$, the equation has a solution if and only if $d|a$. In this case, express $d=c_{0}b+c_{1}M$, then for $x_0=c_0{\displaystyle \frac{a}{d}}$ we have

  $$b{x}_0=b{c}_0{\displaystyle \frac{a}{d}}=(d-c_{1}M){\displaystyle \frac{a}{d}}=\left(a-\left(c_1{\displaystyle \frac{a}{d}}\right)M\right)=amodM,$$

  hence $x_0$ is a solution and all residues of the form $x=x_0+j{\displaystyle \frac{M}{d}}$, $j\in \left[\right[0,d-1\left]\right]$ are solutions as well.

3.2.2. A number Theory Problem

Consider the following

$$\mathbf{Main}\mathbf{Problem}: \mathrm{G}\mathrm{i}\mathrm{v}\mathrm{e}\mathrm{n} a,b\in (0,1[\mathrm{f}\mathrm{i}\mathrm{n}\mathrm{d} k\in \mathbb{Z}:a+bk\in \mathbb{Z}\vee -a+bk\in \mathbb{Z}.$$

(9)

We consider in particular the case in which the following condition holds:

$$\begin{array}{c}a,b \mathrm{h}\mathrm{a}\mathrm{v}\mathrm{e} \mathrm{a} \mathrm{f}\mathrm{i}\mathrm{n}\mathrm{i}\mathrm{t}\mathrm{e}-\mathrm{l}\mathrm{e}\mathrm{n}\mathrm{g}\mathrm{t}\mathrm{h} \mathrm{r}\mathrm{e}\mathrm{p}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{e}\mathrm{n}\mathrm{t}\mathrm{a}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n} \mathrm{i}\mathrm{n} \mathrm{a}\mathrm{r}\mathrm{a}\mathrm{d}\mathrm{i}\mathrm{x},\mathrm{s}\mathrm{a}\mathrm{y} R,\mathrm{n}\mathrm{a}\mathrm{m}\mathrm{e}\mathrm{l}\mathrm{y},\mathrm{f}\mathrm{o}\mathrm{r} \mathrm{a}\mathrm{n}\hfill \\ m\in {\mathbb{Z}}^{+},a,b\in D_R\left[R^{-m}\right].\hfill \end{array}$$

(10)

Assume that $a+bk=z$ with $z\in \mathbb{Z}$. Then $\left(a{R}^m\right)+\left(b{R}^m\right)k=z{R}^m$, and this last equation is stated over $\mathbb{Z}$. By writing $a_m=a{R}^m$ and $b_m=b{R}^m$ the equation is equivalent to

$$b_{m}k=-a_{m}mod{R}^m.$$

(11)

In fact:

$$b_{m}k=-a_{m}mod{R}^m⟺b_m(R^m-k)=a_{m}mod{R}^m.$$

Hence the sign in the right side of (11) is not relevant and just an equation in (9) may be considered.

As mentioned in Section 3.2.1, if $gcd(b_m,R^m)=1$ then the unique solution of (11) is $k=-a_m{b}_m^{-1}$ in ${\mathbb{Z}}_{R^m}^{*}$. If $d=gcd(b_m,R^m)>1$ and $d=c_0{b}_m+c_1{R}^m$, only when $d|a_m$ the Equation (11) can be solved and its d solutions are given as $-c_0{\displaystyle \frac{a_m}{d}}+j{\displaystyle \frac{R_m}{d}}$, $j\in \left[\right[0,d-1\left]\right]$.

In summary:

Remark 3.

With above notation, eq. (11) has solutions if $d|a_m$ where $d=gcd(b_m,R^m)$, and d is the number of solutions.

If we deal just with rational numbers in $[-1,+1]$ then for any radix $R\in {\mathbb{Z}}^{+}$ any such rational number has a periodic R-representation. But for any pair of rational numbers there is a radix such that those numbers have finite representations for that radix.

Remark 4.

Whenever $a,b\in \mathbb{Q}\cap (0,1[$, a radix R may be found such that for the main problem, $a,b\in D_R\left[R^{-m}\right]$ for some length $m\in {\mathbb{Z}}^{+}$.

Proof. 

For a rational number ${\displaystyle \frac{a}{b}}\in (0,1[$, with $a,b\in {\mathbb{Z}}^{+}$, $a<b$, and a radix $R\in \mathbb{Z}$, let ${\alpha }_0=a$ and $m_{-1}=0$. For any current index i let $k_i\in \mathbb{N}$ be the minimum power such that ${\alpha }_i{R}^{k_i}\ge b$ and $m_i=m_{i-1}+k_i$. Then ${\alpha }_i{R}^{k_i}=a_{i}b+{\alpha }_{i+1}$ with $a_i\in \left[[0,R-1]\right]$ and ${\alpha }_{i+1}\in \left[[0,b-1]\right]$. Thus, the radix-R expression of the rational number ${\displaystyle \frac{a}{b}}$ consists of 0’s except that at each entry $m_i$ there appears the digit $a_i$. Since the remainder sequence ${\left({\alpha }_i\right)}_i$ takes values on the finite set $\left[\right[0,b-1\left]\right]$, it is eventually periodic and so is the digit sequence ${\left(a_i\right)}_i$. Clearly, the length of the period will be bounded by the denominator b; and if there is an index i such that ${\alpha }_{i+1}=0$ then ${\displaystyle \frac{a}{b}}\in \mathbb{Z}\left[R^{m_i}\right]$. Obviously, for $R=b$ such an index exists.    □

3.2.3. The Attack

Each Chebyshev polynomial may be written as $T_n\left(x\right)=cos(narccos\left(x\right))$.

Given the public key $(x,y)$ of Alice, the attacker, Eve, looks for $r\in {\mathbb{Z}}^{+}$ such that $T_r\left(x\right)=c_0$, then she evaluates $c_1^{\prime }:=T_r\left(y\right)$ and she recovers the plaintext as $\mu ={\displaystyle \frac{c_2}{c_1^{\prime }}}$.

Consider the sequence

$$C_{x{c}_0}={\left({\displaystyle \frac{arccos\left(c_0\right)+2k\pi }{arccos\left(x\right)}}\right)}_{k\in \mathbb{Z}}\cup {\left({\displaystyle \frac{-arccos\left(c_0\right)+2k\pi }{arccos\left(x\right)}}\right)}_{k\in \mathbb{Z}}\subset \mathbb{R}.$$

Remark 5.

$\forall r\in {\mathbb{Z}}^{+}:\left[T_r\left(x\right)=c_0⟺r\in C_{x{c}_0}\right].$

Proof. 

Indeed, let $r\in {\mathbb{Z}}^{+}$.

$\Rightarrow )$ Assume $r\in C_{x{c}_0}$ and that for some $k\in \mathbb{Z}$, $r={\displaystyle \frac{arccos\left(c_0\right)+2k\pi }{arccos\left(x\right)}}$ (the case in which $r={\displaystyle \frac{-arccos\left(c_0\right)+2k\pi }{arccos\left(x\right)}}$ is similar because cos is an even function). Then

$$\begin{array}{ccc}\hfill cos(arccos(x\left)r\right)& =& cos\left(arccos\left(x\right){\displaystyle \frac{arccos\left(c_0\right)+2k\pi }{arccos\left(x\right)}}\right)\hfill \\ & =& cos\left(arccos\left(c_0\right)+2k\pi \right)\hfill \\ & =& cos\left(arccos\left(c_0\right)\right)\hfill \\ & =& c_0\hfill \end{array}$$

$\Leftarrow )$ Assume $T_r\left(x\right)=c_0$, then $rarccos\left(x\right)=arccos\left(c_0\right)$ and necessarily $r\in C_{x{c}_0}$.    □

Let $a={\displaystyle \frac{arccos\left(c_0\right)}{arccos\left(x\right)}}$ and $b={\displaystyle \frac{2k\pi }{arccos\left(x\right)}}$. We may calculate arccos by its Taylor series [15]:

$$\mathrm{F}\mathrm{o}\mathrm{r} \left|x\right|<1:arccos\left(x\right)={\displaystyle \frac{\pi }{2}}-\sum _{k=0}^{+\infty }{\displaystyle \frac{x}{1+2k}}\prod _{\kappa =0}^{k-1}\left(x^2{\displaystyle \frac{2\kappa +1}{2\kappa +2}}\right).$$

Eve’s goal consists in recovering $r\in {\mathbb{Z}}^{+}$ such that

$$\exists k\in \mathbb{Z}:a+bk=r\vee -a+bk=r,$$

(12)

or in an equivalent form we have:

$$\begin{array}{cc}{\mathbf{Eve}}^{\prime }\mathbf{s}\mathbf{goal}.\mathrm{F}\mathrm{i}\mathrm{n}\mathrm{d} k\in \mathbb{Z}:& \mathrm{e}\mathrm{i}\mathrm{t}\mathrm{h}\mathrm{e}\mathrm{r}(amod1)+k(bmod1)\in {\mathbb{Z}}^{+}\hfill \\ & \mathrm{o}\mathrm{r}-(amod1)+k(bmod1)\in {\mathbb{Z}}^{+}.\hfill \end{array}$$

(13)

Thus, Eve’s goal (13) is an instance of the main problem (9) and it can be solved, by the method seen in Section 3.2.2.

As a final remark in this section we point out that if $k,r$ are solutions of (12), then for a sign $\epsilon \in \{-1,+1\}$,

$$\epsilon arccos\left(c_0\right)=rarccos\left(x\right)-2k\pi .$$

(14)

4. Experiments

We have used the Multiple Precision Arithmetic provided by gmp: the gnu Multiple Precision Arithmetic Library, operating on signed integers, rational numbers, and floating-point numbers. The main used function categories and data structures are mpz, the high-level signed integer arithmetic structure, and mpf, the high-level floating-point arithmetic structure. The used version is gmp 6.3.0.

When dealing with Bergamo’s attack, we used the High Performed Trigonometric Function provided by mpfr: the gnu Multiple Precision Floating-Point Reliable Library. The used version is mpfr 4.2.1.

The platform was a computer with a processor intel(r) core(tm) i7-10750H cpu @ 2.60ghz 2.59 ghz and 64-bit operating system ubuntu 22.04.3 lts.

The precision of any mpf structure from gmp, namely the number of digits in the decimal part of floating numbers, can be fixed in advance. Since ${log}_2\left(10\right)\approx 3.2$, N digits precision shall be required by the built-in function mpf_set_default_prec($\lfloor 3.2·N\rfloor$), where the function only supports argument with N a multiple of 20. Alternatively, N digits precision may be required by the built-in function mpfr::mpreal::set_default_prec($\lfloor 3.33·N\rfloor$), for any integer N. Nevertheless, the arithmetic still loses digits beyond the specified precision.

In our experiments we use two precision parameters:

• ℓ: number of digits to codify plaintexts, we will refer to this parameter as length, and
• m: precision of arithmetical calculations in gmp and mpfr, we will refer to this parameter as precision by itself.

In order to get correct crypto operations, for any given length ℓ, the secret keys s and the random indices r shall be bounded from above and the precision m shall be bounded from below (see Table 1 below).

4.1. A Numerical Example for Symmetric Block Ciphering

Let $\mu$ be the ascii simple message:

                             Hi! I’m Xiaoqi.

                             Nice to meet you! ^_^

consisting of 38 characters (there is a Line Feed at the end of each row). We take $\ell =100$, and $m=120$ as we discussed above in this example. Since $\lfloor {\displaystyle \frac{100}{8}}\rfloor =12$, we can split the message into 4 sections, 3 consisting of 12 characters and the last of 2 characters. Each ascii symbol is a byte and we write it in bits. By concatenating these bit strings we codify the message by the following real numbers expressed in radix 10 with ${\ell }^{\prime }=96=12·8$ “significant digits”:

$$\begin{array}{ccc}\hfill x_0& =& \mathtt{0}.\mathtt{010010000110100100100001001000000100100100100111}\setminus \hfill \\ & & \mathtt{011011010010000001011000011010010110000101101111}\hfill \\ \hfill x_1& =& \mathtt{0}.\mathtt{011100010110100100101110000010100100111001101001}\setminus \hfill \\ & & \mathtt{0110001101100101001000000111010001101111001}\hfill \\ \hfill x_2& =& \mathtt{0}.\mathtt{011011010110010101100101011101000010000001111001}\setminus \hfill \\ & & \mathtt{011011110111010100100001001000000101111001011111}\hfill \\ \hfill x_3& =& \mathtt{0}.\mathtt{010111100000101}\hfill \end{array}$$

With secret key:

$$s=\mathtt{100000000}={10}^8$$

we calculate the public key $(x,y)=(x,T_s\left(x\right))$ where

$$\begin{array}{ccc}\hfill x& =& \mathtt{0}.\mathtt{111111111111111111111111111111111111111111111111111}\setminus \hfill \\ & & \mathtt{11111111111111111111111111111111111111111111111111}\setminus \hfill \\ & & \mathtt{1111111111111111}\hfill \\ \hfill y& =& -\mathtt{0}.\mathtt{18814040799950743365079853649690904592037149891015}\setminus \hfill \\ & & \mathtt{60025733572256087872987422552175312563914718206977}\setminus \hfill \\ & & \mathtt{01208500438767478}\hfill \end{array}$$

In order to cipher, we consider the index

$$r=50000000={\displaystyle \frac{{10}^8}{2}}$$

then

$$\begin{array}{ccc}\hfill c_0=T_r\left(x\right)& =& -\mathtt{0}.\mathtt{63712620099964989838379022273202966608309142004703}\setminus \hfill \\ & & \mathtt{95526936628991032039023673808752686692047258891779}\setminus \hfill \\ & & \mathtt{52974562960402237}\hfill \end{array}$$

and by making $c_{1j}=x_j·T_r\left(y\right)$, for $j\in \left[\right[0,3\left]\right]$, we obtain the following values for the second entries of the ciphertexts:

$$\begin{array}{ccc}\hfill c_{10}& =& \mathtt{0}.\mathtt{009445053383906845090333757525690843288709928928825}\setminus \hfill \\ & & \mathtt{01800250586160808163588618939290696190069021278695}\setminus \hfill \\ & & \mathtt{80364061056324859}\hfill \\ \hfill c_{11}& =& \mathtt{0}.\mathtt{010473545144721555820569852972432275743747523235501}\setminus \hfill \\ & & \mathtt{68388586972875746923277080577905161530296641668282}\setminus \hfill \\ & & \mathtt{3844352563913556}\hfill \\ \hfill c_{12}& =& \mathtt{0}.\mathtt{010389568147441647850994177502777150289696917683650}\setminus \hfill \\ & & \mathtt{71968973418687747841165698228908959059526383578938}\setminus \hfill \\ & & \mathtt{21486076187951678}\hfill \\ \hfill c_{13}& =& \mathtt{0}.\mathtt{009540447374682341741591475088180184070674785807833}\setminus \hfill \\ & & \mathtt{26051227973824647541225502961370205012402245410258}\setminus \hfill \\ & & \mathtt{799535033258606012}\hfill \end{array}$$

In order to decipher, we calculate the values $z_j={\displaystyle \frac{c_{1j}}{c_0}}$, for $j\in \left[\right[0,3\left]\right]$, and we obtain the following values:

$$\begin{array}{ccc}\hfill z_0& =& \mathtt{0}.\mathtt{010010000110100100100001001000000100100100100111011011}\setminus \hfill \\ & & \mathtt{01001000000101100001101001011000010110111100000000000}\setminus \hfill \\ & & \mathtt{02488501815}\hfill \\ \hfill z_1& =& \mathtt{0}.\mathtt{011100010110100100101110000010100100111001101001011000}\setminus \hfill \\ & & \mathtt{11011001010010000001110100011011110010000000000000000}\setminus \hfill \\ & & \mathtt{02759480021}\hfill \\ \hfill z_2& =& \mathtt{0}.\mathtt{011011010110010101100101011101000010000001111001011011}\setminus \hfill \\ & & \mathtt{11011101010010000100100000010111100101111100000000000}\setminus \hfill \\ & & \mathtt{0273735448}\hfill \\ \hfill z_3& =& \mathtt{0}.\mathtt{010111100000101000000000000000000000000000000000000000}\setminus \hfill \\ & & \mathtt{00000000000000000000000000000000000000000000000000000}\setminus \hfill \\ & & \mathtt{02513635408}\hfill \end{array}$$

The original plaintexts are obtained by cutting at length $\ell =96$.

Remark 6.

In the stated Cryptographic Scheme based on Chebyshev polynomials two parameters are essential: ℓ which is thelength, or the number of significant digits of plaintexts, and m which is theprecision, or the number of correct digits in arithmetical calculations.

A rough estimation from Table 1 is that for integer k and secret key $s\le {10}^k$, the precision m must be greater or equal than $\ell +5·k.$

4.2. Using an Enveloping Technique for Large Plaintexts

Evidently a block ciphering of long plaintexts by this method is excessively inefficient. We may compose symmetric block ciphering with this method through the OpenSSL library EVP in order to envelop large plaintexts. We take $\ell =100$, and $m=120$ in this example. For the private key:

$$s=\mathtt{100000000}={10}^8$$

we calculate the public key $(x,y)=(x,T_s\left(x\right))$ where

$$\begin{array}{ccc}\hfill x& =& \mathtt{0}.\mathtt{111111111111111111111111111111111111111111111111111}\setminus \hfill \\ & & \mathtt{11111111111111111111111111111111111111111111111111}\setminus \hfill \\ & & \mathtt{1111111111111111}\hfill \\ \hfill y& =& -\mathtt{0}.\mathtt{18814040799950743365079853649690904592037149891015}\setminus \hfill \\ & & \mathtt{60025733572256087872987422552175312563914718206977}\setminus \hfill \\ & & \mathtt{01208500438767478}\hfill \end{array}$$

and consider an envelope_key

$$\begin{array}{ccc}\hfill \mathtt{ek}& =& \mathtt{0}.\mathtt{010101010101010101010101010101010101010101010101010}\setminus \hfill \\ & & \mathtt{10101010101010101010101010101010101010101010101}\hfill \end{array}$$

Then by selecting

$$r=50000000={\displaystyle \frac{{10}^8}{2}}$$

we get the cipher of ek as $(c_0,c_1)$ with

$$\begin{array}{ccc}\hfill c_0& =& -\mathtt{0}.\mathtt{63712620099964989838379022273202966608309142004703}\setminus \hfill \\ & & \mathtt{95526936628991032039023673808752686692047258891779}\setminus \hfill \\ & & \mathtt{52974562960402237}\hfill \\ \hfill c_1& =& \mathtt{0}.\mathtt{009530926931674991853838857210166414106379469381218}\setminus \hfill \\ & & \mathtt{67286561147343567726511202587408257389424454157364}\setminus \hfill \\ & & \mathtt{058055848041956983}\hfill \end{array}$$

and effectively

$$\begin{array}{ccc}\hfill {\displaystyle \frac{c_1}{T_s\left(c_0\right)}}& =& \mathtt{0}.\mathtt{0101010101010101010101010101010101010101010101010101}\setminus \hfill \\ & & \mathtt{010101010101010101010101010101010101010101010101000}\setminus \hfill \\ & & \mathtt{000002511127043}\hfill \end{array}$$

The envelope key $\mathtt{ek}$ can be obtained by cutting the decimal representations up to the ℓ-th decimal digit.

4.3. A Numerical Example for Bergamo’s Attack

We try here the same example that illustrates the attack in [1]. It is proposed to take:

• Secret key.$s=106000$
• Public key. For ${\theta }_{\infty }={\displaystyle \frac{5}{18}}\pi$, take

  $$\begin{array}{ccc}\hfill x_{\infty }& =& cos\left({\theta }_{\infty }\right)=cos\left({\displaystyle \frac{5}{18}}\pi \right)and\hfill \\ \hfill y_{\infty }& =& T_s\left(x_{\infty }\right)=cos\left(s{\displaystyle \frac{5}{18}}\pi \right)=cos\left(\left(530000+{\displaystyle \frac{4}{9}}\right)\pi \right)=cos\left({\displaystyle \frac{4}{9}}\pi \right),\hfill \end{array}$$

  hence $(x_{\infty },y_{\infty })$ is the public key.
• Random exponent for ciphering.$r=81500$. Hence

  $$\begin{array}{ccc}\hfill T_r\left(x_{\infty }\right)& =& cos(rarccos\left(x_{\infty }\right))=cos\left(r{\displaystyle \frac{5}{18}}\pi \right)=cos\left(\left(22638+{\displaystyle \frac{8}{9}}\right)\pi \right)=cos\left({\displaystyle \frac{8}{9}}\pi \right)\hfill \\ \hfill T_r\left(y_{\infty }\right)& =& cos(rarccos\left(y_{\infty }\right))=cos\left(r{\displaystyle \frac{4}{9}}\pi \right)=cos\left(\left(36222+{\displaystyle \frac{2}{9}}\right)\pi \right)=cos\left({\displaystyle \frac{2}{9}}\pi \right)\hfill \end{array}$$
• Ciphertext. For any plaintext $\mu \in (-1,+1[$ the ciphertext is

  $$(c_0,c_1)=\left(cos\left({\displaystyle \frac{8}{9}}\pi \right),\mu cos\left({\displaystyle \frac{2}{9}}\pi \right)\right).$$

However these calculations are purely symbolic. All angles involved in above calculations are irrational numbers, hence when dealing with them with a computer we just have approximations to their values. For instance, up to 8 digits, we have

$$\begin{array}{ccc}\hfill {\displaystyle \frac{5}{18}}\pi & \approx & 0.87266462=:\theta \hfill \\ \hfill cos\left(\theta \right)& \approx & 0.64278761=:x\hfill \end{array}$$

then $|rs{\displaystyle \frac{5}{18}}\pi -rs\theta |\approx 3.53502559$ consequently $|rscos\left({\displaystyle \frac{5}{18}}\pi \right)-rsx|$ is comparable with $2\left|x\right|$. Indeed, for the current example

$$\begin{array}{ccc}\hfill T_{rs}\left(x_{\infty }\right)& =& cos\left(rscos\left({\displaystyle \frac{5}{18}}\pi \right)\right)\approx 0.76604444while\hfill \\ \hfill T_{rs}\left(x\right)& =& cos\left(rsx\right)\approx -0.95393723\hfill \end{array}$$

obviously the calculation of Chebyshev polynomials is highly sensitive to small errors, they are ill-conditioned. In this situation using the numerical approximations we have

• Secret key.$s=106000$
• Public key.$(x,y)=(x,T_r\left(x\right))=(0.64278760\dots ,0.17364817\dots )$
• Ciphering. Take $r=81500$. Then for any plaintext $\mu \in (-1,+1[$, the ciphertext is

  $$(c_0,c_1)=(T_r\left(x\right),\mu T_r\left(y\right))=(-0.93969262\dots ,\mu ·0.76604444\dots ).$$

Then the attacker Eve should solve the problem (13) with

$$\begin{array}{ccc}\hfill a& =& 3.2000000000\dots \mathrm{a}\mathrm{n}\mathrm{d}\hfill \end{array}$$

(15)

$$\begin{array}{ccc}\hfill b& =& 7.1999999999\dots \hfill \end{array}$$

(16)

in decimal representation, namely with radix $R=10$, where those coefficients are obtained according to the relations stated before problem (13).

Suppose that the values (15) and (16) are cut up to the m-th digit. According to the method described in Section 3.2.2, condition (10) does hold and consequently the problem is reduced to solve Equation (11), which, by Remark 3, has solutions only when

$$d|awhered=gcd(b,{10}^m).$$

(17)

We proposed 2 cases of different precision covering the 2 situations listed in the Bergamo’s algorithm that resulting the correct $r^{\prime }$, such that $T_{r^{\prime }}\left(x\right)=T_r{\left(x\right)}^{\prime }$

Case $m=20$. In this case the coefficients in Equation (11) are

$$\begin{array}{ccc}\hfill a_{20}& =& 0.20000000000000070759\hfill \\ \hfill b_{20}& =& 0.19999999999999999999\hfill \end{array}$$

and $gcd({10}^{20}{b}_{20},{10}^{20})=1$ with

$${\left({10}^{20}{b}_{20}\right)}^{-1}=79999999999999999999$$

The unique solution of the corresponding instance of Equation (11) is

$$k_{20}=\left({10}^{20}{a}_{20}\right){\left({10}^{20}{b}_{20}\right)}^{-1}mod{10}^{20}=70759$$

Hence, the corresponding iteration r such that $T_r\left(x\right)=c_0$ is

$$r_{20}=a+k_{20}·b=509468$$

Comparing with the original index $r=81500$, we get

$$\begin{array}{ccc}\hfill T_{r_{20}}\left(x\right)& =& -0.939692620785909704047\hfill \\ \hfill T_r\left(x\right)& =& -0.939692620785908595211\hfill \\ \hfill error& =& -1.1088359707509228942·{10}^{-15}\hfill \end{array}$$

Case $m=97$. In this case the coefficients in Equation (11) are

$$\begin{array}{ccc}\hfill a_{97}& =& 0.1999999999999999999999999999999999999999999999999\setminus \hfill \\ & & 999999999999999999999999999999999999999999884368\hfill \\ \hfill b_{97}& =& 0.1999999999999999999999999999999999999999999999999\setminus \hfill \\ & & 999999999999999999999999999999999999999999999996\hfill \end{array}$$

and $\left({10}^{97}{b}_{97}\right)x_{97}+{10}^{97}{y}_{97}=4=gcd({10}^{97}{b}_{97},{10}^{97})$ with

$$\begin{array}{ccc}\hfill x_{97}& =& 94999999999999999999999999999999999999999999999999\setminus \hfill \\ & & 99999999999999999999999999999999999999999999999\hfill \\ \hfill y_{97}& =& -18999999999999999999999999999999999999999999999999\setminus \hfill \\ & & 99999999999999999999999999999999999999999999996\hfill \end{array}$$

and the solutions of the corresponding instance of Equation (11) are

$$\begin{array}{ccc}\hfill k_{97,0}& =& x_{97}·{\displaystyle \frac{{10}^{97}{a}_{97}}{4}}mod{10}^{97}\hfill \\ & =& 39999999999999999999999999999999999999999999999999\setminus \hfill \\ & & 99999999999999999999999999999999999999999971092\hfill \end{array}$$

and $k_{97,i}=k_{97,0}+i·{\displaystyle \frac{{10}^{97}}{4}}$.

Hence, there are four corresponding iterations $r_{97,i}$ such that $T_{r_{97,i}}\left(x\right)=c_0$ and they are $r_{97,i}=a+k_{97,i}·b,i\in \left[[0,3]\right].$ Take

$$\begin{array}{ccc}\hfill r_{97,0}& =& a+k_{97,0}·b\hfill \\ & =& 87999999999999999999999999999999999999999999999999\setminus \hfill \\ & & 99999999999999999999999999999999999999999791864\hfill \end{array}$$

Comparing with the original index $r=81500$, we get

$$\begin{array}{ccc}\hfill T_{r_{97,0}}\left(x\right)& =& -0.798375679639044035429574245118989681891634222656\setminus \hfill \\ & & 3771425989271896557574773604459217627398202050981\hfill \\ \hfill T_r\left(x\right)& =& -0.939692620785908384054109277324731469936208134264\setminus \hfill \\ & & 4646330902866627742212109958894589497458898387058\hfill \\ \hfill error& =& 0.40738331968914697735\hfill \end{array}$$

While applying the symbolic compuation to $r_{97,0}$, yields it is indeed a correct solution:

$$\begin{array}{ccc}\hfill T_r\left(x\right)& =& cos(rarccos\left(x\right))=cos\left(r{\displaystyle \frac{5}{18}}\pi \right)\hfill \\ & =& cos\left(\left(22638+{\displaystyle \frac{8}{9}}\right)\pi \right)=cos\left({\displaystyle \frac{8}{9}}\pi \right)\hfill \\ \hfill T_{r_{97,0}}\left(x\right)& =& cos(r_{97,0}arccos\left(x\right))=cos\left(r_{97,0}{\displaystyle \frac{5}{18}}\pi \right)\hfill \\ & =& cos\left(\left(24444444444444444444444444444444444444\right)\right)\hfill \\ & & 44444444444444444444444444444444444444\hfill \\ & & 444444444444444386628+{\displaystyle \frac{8}{9}}\pi \hfill \\ & =& cos\left({\displaystyle \frac{8}{9}}\pi \right)\hfill \end{array}$$

Thus, for different values of m it may happen that either there are no solutions of Equation (11) ($d\neg \left|\right({10}^m{a}_m)$) or there are several solutions ($d>1$ and $d\left|\right({10}^m{a}_m)$). And as m increases, the solution $r^{\prime }$ increases as well. However, when $r^{\prime }$ is much larger than r, the calculations of Chebyshev polynomials may differ from that of the original index due to precision error propagation.

However, as reported in [10], Bergamo’s attack succeeds by considering symbolic, not numerical, calculations:

Suppose that for some rational number $q\in \mathbb{Q}$, $x=cos\left(q\pi \right)$. Then according to the selection of coefficients a, b, as in Equation (12), $a={\displaystyle \frac{r\epsilon q\pi }{q\pi }}=\epsilon r$, for a sign $\epsilon \in \{-1,+1\}$, and $b={\displaystyle \frac{2k\pi }{q\pi }}=2{\displaystyle \frac{k}{q}}$. Then by selecting a radix R such that both a and b have finite R-radix representation, as stated in Remark 4, Bergamo’s attack would succeed in recovering the index r.

Besides the above example in which Bargamo’s attack may fail to recover the original index r, which is the random index when ciphering in Chebyshev chaotic cryptosystem, we also remark the following:

By considering the relation (14), we have that the left side lies in the real interval $[0,\pi ]$ while the right side is the difference of two big numbers $rarccos\left(x\right),2k\pi$, of the same order of magnitude. Depending on the chosen precision m of the computing platform this difference can be great when the true values of the operands are approximated. Hence this difference may differ too much from the right side and that may provoke that for the alleged recovered index r, $c_0\ne cos(rarccos\left(x\right)-2k\pi )$ and consequently $c_0\ne T_r\left(x\right)$.

5. Conclusions

Due to the chaotic behaviour of Chebyshev polynomials, the breaking attack in [10] may fail if the length ℓ, the number of significant digits, in plaintexts is unknown. Hence, ℓ must be a part of the secret key. The precision m, the number of significant digits in arithmetical calculations, may be part of the public key.