Fast Stream Cipher based Chaos Neural Network for Data Security in CAN Bus

Article history: Received: 02 July, 2020 Accepted: 24 August, 2020 Online: 09 September, 2020


Introduction
This paper is an extension of work originally presented at the IEEE 10th International Conference on Awareness Science and Technology [1]. In that work, we found that a chaos neural network (CNN) is able to generate pseudo-random numbers (PRNs) at high speed, 49% faster than generation with the Advanced Encryption Standard (AES) [2], [3], and that it can be easily implemented even on embedded devices.
Generally, electronic devices embedded in vehicles to control vehicle systems are called electronic control units (ECUs). A modern vehicle is usually equipped with more than 70 ECUs [4]. To share information and control the subsystems, those ECUs are connected together with network protocols, such as a Controller Area Network (CAN), Local Interconnect Network (LIN), Media Oriented Systems Transport (MOST), or FlexRay.
The CAN is a broadcast serial communications bus that is widely adopted because of its fault tolerance. The CAN identifier (ID) (see Sec. 2 and Fig. 1) is used for prioritizing messages on the bus and avoids collisions by design. However, security issues were ignored during its design since people took it for granted that a vehicle would be a closed system [5], [6]. Unfortunately, messages are broadcast on the CAN bus, and external devices, such as onboard diagnostics readers, are able to access the CAN bus in modern vehicles.
Pseudo-random number generation (PRNG) is crucial to a stream cipher in the information security field. We have reported various PRNG methods [7]-[11], and the properties of PRNs from a CNN [9] have been confirmed [10] with National Institute of Standards and Technology (NIST) Special Publication 800-22 [12]. PRNs with an ultra-long period that has reached $10^{22432}$ [11] can be generated with the chaotic time series from the CNNs. The chaotic time series is hard to predict because it is sensitive to tiny changes of the initial status.
In this paper, we propose a fast stream cipher based on a CNN to protect CAN messages by encrypting them. The remainder of this paper is organized as follows: Section 2 introduces CAN and security issues and surveys some related work. Section 3 describes our CNN and discusses some of its characteristics. Section 4 presents the CNN stream cipher, including sharing of the symmetric key and the procedure for encryption and decryption of the stream cipher. A performance evaluation of the proposed CNN stream cipher is given in Section 5. Finally, Section 6 concludes this paper.

Related Work
A CAN is a serial communications bus defined by the International Organization for Standardization (ISO) and originally developed for the automotive industry to replace the complex wiring harness with a two-wire bus [13]. Balanced differential signaling reduces noise coupling and enables high noise immunity in the CAN bus. The CAN communication protocol is a carrier-sense multiple access protocol with collision detection and arbitration on message priority. A CAN message contains a unique ID field that represents the priority and function of the message. The CAN protocol supports four different message types: overload, error, remote, and data frame. The CAN data frame begins with a start-of-frame (SOF) bit and is followed by the ID, a control field (6 bits), 4-bit data length code (DLC), 0-64 bits of data, a cyclic redundancy check (CRC) sequence (15 bits), a 2-bit acknowledgment (ACK), and a 7-bit end of frame (EOF) sequence that marks the end of the frame. Between CAN frames, a 7-bit inter-frame space (IFS) is required by the CAN controller to provide time for moving a received frame to a message buffer area (see Fig. 1).
The CAN was subsequently adopted as ISO standards. ISO 11519 (low-speed CAN) is for applications up to 125 kbps with a standard 11-bit ID, while ISO 11898 (high-speed CAN) provides for signaling rates from 125 kbps to 1 Mbps. Furthermore, high-speed CAN supports two data frame formats, where the standard frame consists of an 11-bit ID, while the extended format contains a 29-bit ID.
Unfortunately, security issues were ignored during its design because people took it for granted that CANs would be a closed system in automobiles [5], [6]. Security issues with CANs relate mainly to authentication and encryption at the present time.
Authentication: To identify whether an ECU is authorized, several authentication proposals based on message authentication codes (MACs) have been released. Key sharing is a matter of grave concern. CANAuth [14] implements a backward-compatible message authentication protocol on the CAN bus. One or more pre-shared 128-bit MAC keys are to be available on each CANAuth node. CANAuth assumes that the keys are intended to be stored in tamper-proof storage that cannot be queried by anything but the node itself. LiBrA-CAN [15] splits authentication keys between groups of multiple nodes, rather than achieving authentication independently for each node.
Encryption: A CAN frame is broadcast over the bus. In modern vehicles, external devices, such as on-board diagnostics readers, are able to access the CAN bus, making it easy to intercept a CAN message. Cryptographic approaches based on the AES have been proposed to guard against such interception. The problem is the computation load of the AES, which might have an undue influence on the response of the ECU. Wolf and Gendrullis [16] and the EVITA Project [17], [18] implemented a hardware security module (HSM) to accelerate the AES measures. However, even if an HSM is used, the cryptographic measure requires 60 clock cycles (at 100 MHz) for the encryption of one AES block [18]. This is insufficient for dealing with the real-time response required of an ECU. Also, the additional hardware increases the cost of the ECU.
In this study, we focused on the encryption issues in CANs. We propose a fast stream cipher based on a CNN that does not need the additional HSM hardware.

Chaos Neural Network
As a chaos generator, the CNN consists of 4 neurons in a discrete-time system (see Fig. 2). The output of the jth neuron at time t + 1 is defined as: Here, the activation function f (see Fig. 3) is an asymmetric piecewise-linear function (APLF).
For the jth neuron, the total value of inputs at time t is defined as: $I_j$ is the external input of the jth neuron, $x_i(t)$ is the input from the ith neuron at time t, and $w_{ij}$ is a synaptic weight. Generally, the start value of $x_i$ is set to 0, and the synaptic weights are set as follows: $w_{12} = -12.60001$, $w_{14} = 4.511$, $w_{23} = 5.951$, $w_{34} = -4.7004$ and $w_{41} = -7.345007$. The synaptic weights adjust the input values from other neurons. If extreme synaptic weights were set, the output range of the neurons would be limited [19]. The external inputs $I_1$ and $I_4$ share a common value ($I_1 = I_4$), and $I_2$ and $I_3$ are set to 0 ($I_2 = I_3 = 0$). Thus, a different CNN is obtained if a different value for $I_1$ and $I_4$ is set.
The APLF activation function can avoid a periodic window corresponding to a non-chaotic periodic orbit. The APLF is composed of linear functions that connect five points. Those points can be changed as independent parameters. In a cipher system, the points of the APLF can be selected as secret keys [9], [10], [20].
Generally, the discrete-time system of the CNN is implemented with floating-point arithmetic [9], but many embedded devices do not support 64-bit floating-point arithmetic. In this paper, the CNN is computed with 32-bit fixed-point arithmetic (Q5.26), and overflow and underflow of variables are allowed. Compared with 32-bit floating-point arithmetic, the fractional part of Q5.26 has a sufficiently long bit length. PRNs are extracted by the method presented in Figure 4. With regard to the CNN output, the lowest 3 bits of the fraction are discarded [8] and the lower 8 bits of the fraction are extracted as a PRN. Those PRNs from the CNN are applied to the proposed stream cipher.

Chaotic Orbit
A chaotic orbit is hard to predict because it is sensitive to tiny changes of the initial status. Figure 5 shows time series from a CNN (Q5.26). For all external inputs, the output time series in the diagram show no bifurcation pattern, only chaotic characteristics. This suggests that all external inputs can be used for chaos generation. In fact, the CNN generates the same time series on the ARM CPU and the X86 CPU when the same parameters are set. Therefore, the CNN is portable between different machines. Moreover, the Lyapunov exponents λ are computed for each time series. The maximum Lyapunov exponent is about 2.5, and all values satisfy λ > 0. The Kolmogorov-Sinai entropy [21], also computed from the Lyapunov exponents, is about 4.2. These results demonstrate that the time series from the CNN has a chaotic orbit and a high degree of randomness.

Randomness
The randomness of the PRNs extracted from the CNN was confirmed with the NIST Special Publication 800-22 statistical test suite [12]. Because the NIST test has a couple of problems (asymptotic approximation, etc.) even after the test suite was updated [22], [23], the NIST test method presented in the literature [24] was adopted.
We performed the NIST test 1,000 times, and $10^6 \times 1,000$ bits of PRNs were generated by the method shown in Fig. 4 for each test. The NIST test results are presented in Table 1. The failure ratio for the proportion is under 1%, and the failure ratio for the P-values that check for uniformity of distribution is less than 0.1%. These results suggest that all of the tests passed these criteria and that the tested PRNs from the CNN have good statistical properties.

CNN Stream Cipher
The proposed stream cipher has two phases: an ID-based encryption (IBE) phase and a stream phase (see Fig. 6). Each phase uses different CAN IDs; that is, the CAN ID associates a CAN frame with a specific phase. In the IBE phase, which is performed in advance, the symmetric key is shared with IBE [25], [26] among authorized ECUs. Subsequently, in the stream phase, an authorized ECU sends encrypted data frames to other authorized ECUs, and those ECUs can decrypt the data using the symmetric key.

IBE phase
Creating, managing, and sharing the symmetric key is an important step for the stream cipher. A public key infrastructure is generally used on the Internet to ensure secure communication. With this infrastructure, an on-line certificate authority (CA) is necessary, and the cost of issuing digital certificates may become prohibitive [27]. In the proposed stream cipher, we use IBE [26] to create, manage, and share the symmetric key. Fig. 7 shows how the symmetric key is shared among authorized ECUs. In place of a CA, a private key generator (PKG) is used; it can be offline and does not need to use digital certificates. The PKG initially defines which CAN IDs are used in the IBE phase. For each valid CAN ID, the PKG outputs a public and private key pair that is issued to authorized ECUs. Thus, an ECU can use the public key to encrypt the symmetric key that is used in the stream phase and send it over the CAN bus. When an ECU receives a CAN frame, it checks the CAN ID to confirm the phase and, in the IBE phase, decrypts the data in the CAN frame to obtain the symmetric key.

Stream phase
In the stream phase, authorized ECUs use the symmetric key that was obtained during the IBE phase to encrypt and decrypt CAN frames (see Fig. 8). The CNN implemented in authorized ECUs generates a stream of pseudo-random bits $R_1, R_2, R_3, \ldots, R_i$ with the symmetric key. This stream is XORed with a stream of bits $D_1, D_2, D_3, \ldots, D_i$, which are from the data in a CAN frame, to produce the stream of cipher text bits. Each cipher text character is then given by $C_i = D_i \oplus R_i$, which is loaded into a CAN frame and transmitted over the CAN bus. The procedure of decryption is almost the same: when an authorized ECU has received a CAN data frame, the CNN in the ECU generates the same stream of pseudo-random bits $R_i$, and the original data is obtained by $D_i = C_i \oplus R_i$.
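The following added example (not code from the paper) ties the PRN extraction described for the Q5.26 CNN output to the stream phase: it XORs keystream bytes over a CAN data field and checks that a receiver recovers the data only while its generator stays in step with the sender's. Assumptions: the extraction is read as `(x >> 3) & 0xFF`; `placeholder_step` is a hypothetical LCG stand-in, not the CNN and not secure, because the neuron update and APLF points are not reproduced on this page; all names and sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* A Q5.26 word: 1 sign bit, 5 integer bits, 26 fraction bits. It is held in
 * uint32_t so the overflow the text allows wraps instead of being undefined. */
typedef struct { uint32_t x; } keystream_t;

/* PRN extraction as read from the text: discard the lowest 3 fraction bits,
 * keep the next 8 (assumed reading of Fig. 4). */
static uint8_t prn_from_q5_26(uint32_t x) {
    return (uint8_t)((x >> 3) & 0xFFu);
}

/* PLACEHOLDER update, not the paper's CNN and not secure: a plain LCG that
 * only supplies 32-bit words so the surrounding logic can run. */
static uint32_t placeholder_step(keystream_t *ks) {
    ks->x = ks->x * 1664525u + 1013904223u;
    return ks->x;
}

/* Stream phase: C_i = D_i XOR R_i over the data bytes of one classic CAN
 * frame. XOR is its own inverse, so the same call decrypts. */
static int can_xor_data(keystream_t *ks, uint8_t *data, size_t dlc) {
    if (dlc > 8) return -1;               /* data field is 0-64 bits */
    for (size_t i = 0; i < dlc; i++)
        data[i] ^= prn_from_q5_26(placeholder_step(ks));
    return 0;
}

/* Sender encrypts two frames; the receiver decrypts the second one after
 * processing (lost_first = 0) or missing (lost_first = 1) the first.
 * Returns 1 when the second frame's plaintext is recovered. */
static int second_frame_recovered(uint32_t key, int lost_first) {
    const uint8_t d1[8] = {0x10,0x27,0,0,0,0,0,0};   /* constructed sample */
    const uint8_t d2[8] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08};
    keystream_t tx = { key }, rx = { key };
    uint8_t f1[8], f2[8];
    memcpy(f1, d1, 8); memcpy(f2, d2, 8);
    can_xor_data(&tx, f1, 8);
    can_xor_data(&tx, f2, 8);
    if (!lost_first) can_xor_data(&rx, f1, 8);
    can_xor_data(&rx, f2, 8);
    return memcmp(f2, d2, 8) == 0;
}

int main(void) { return second_frame_recovered(0x1234u, 0) ? 0 : 1; }
```

Because sender and receiver each advance their own generator, a receiver that misses one frame decrypts every later frame with the wrong keystream position until both sides are resynchronized.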

Evaluation
It is most important to ensure the safety of the vehicle and its passengers. Therefore, the embedded software of the ECU must run quickly to deal with the constraints of a real-time response. This section describes the performance evaluation of the CNN stream cipher with two embedded CAN boards (listed as Board A and B in Table 2) that were provided by P&A Technologies Inc. The CPUs of these boards have different architectures: Board A was implemented with an SH2A CPU, while Board B used an ARM CPU. The boards are connected by a twisted-pair cable about 80 cm long with D-sub connectors.

Experimental setup
In our experiments, we tested only the high-speed CAN, whose bit rate is typically 500 Kbps, up to 1 Mbps. In fact, another CAN standard specifies low-speed CAN (see Sec. 2) at transmission rates above 40 Kbps up to 125 Kbps. It is more difficult to deal with real-time constraints at the high-speed CAN bit rate. Thus, we assumed that our stream cipher would work well at the low-speed CAN bit rate if it ran successfully with the high-speed CAN. The PKG can be operated offline. Thus, we assume that Boards A and B are two authorized ECUs and that they have already obtained the symmetric key. We then implemented the CNN on Boards A and B. Using the symmetric key, the same stream of pseudo-random numbers was generated on both boards and used to encrypt the data part of a CAN frame on one board and decrypt it on the other board.

Experimental Results
One thousand CAN message frames were sent between Boards A and B to confirm the validity of the CNN stream cipher and measure the encryption and decryption time. We tested with 500-Kbps and 1-Mbps bit rates. The CAN bus was loaded with over 60% higher-priority traffic. We confirmed the CAN log data of Boards A and B, which showed that each board encrypted and decrypted CAN data frames successfully. With Board A, the procedure for encryption or decryption was performed within 44 µs on average. With Board B, the procedure only took 4 µs on average (see Table 3). The results suggest that the performance of the CNN stream cipher is adequate for real-time requirements of an ECU without additional HSM hardware.

Conclusions
In this paper, we have proposed and evaluated a fast stream cipher based on a CNN to provide security for the ECUs on a CAN bus. We have shown that the CNN is chaotic and has strong randomness, and that PRNs with a high degree of randomness can be generated from a CNN. In the proposed stream cipher, IBE is used to create, manage, and share the symmetric key. The PKG can be operated offline and does not need to use digital certificates. The stream cipher was evaluated with embedded CAN boards. The performance test results suggested that our method is efficient for software embedded in an ECU and has no need for an HSM to accelerate the encryption process.
As future work, we will design a new activation-function APLF to extend randomness of the CNN and improve the performance of the stream cipher based on the CNN.