The following thoughts on how to produce an ideal practical encryption scheme must be natural as they have occurred independently to a number of students of dynamical systems: The future state of a (chaotic) dynamical system depends sensitively on its initial state. After enough time has elapsed the initial condition is forgotten. Yet, since the system is deterministic, the same trajectory will always be traced out from the same initial condition. Thus, if the key of the cryptosystem is the initial state of a publically known dynamical system, a collection of users who share a secret key can send secret messages to each other by combining these messages in some way with some part of the trajectory traced out by the secret initial state under the action of the dynamical system. Anyone who does not know secret initial state would not be able to recreate the trajectory and thus would not be able to disentangle it from the encrypted message.
At least two concrete proposals have been based on this idea, one using a continuous dynamical system, the other a discrete dynamical system.
The continuous dynamical system version is patented[1].
This system uses the logistic map as the
underlying dynamical system. The key of the system is the
parameter 
of the map and the initial state of the
system. A thresholding scheme is used to convert the sequence
of states resulting from iteration of the system to a sequence
of 0-1 bits. These bits and then exclusive or'd (XOR'd) with
the plaintext to produce a ciphertext. The receiver of the
ciphertext, knowing the secret initial state and value of 
,
can recover the plaintext by regenerating the bit string using
the logistic map and XOR'ing it with the ciphertext.
The discrete dynamical system version of this idea[14] uses iteration of a cellular automaton (see section 2.1) to generate the bit string. The cellular automaton chosen, know as rule 30 (again see section 2.1), seems according to numerical evidence [15] to generate temporal sequences which have a high degree of randomness. As in the continuous dynamical system approach sketched above, the secret key is the initial state of the system, and a message can be encrypted and decrypted by combining it with the temporal sequences generated by the dynamical system using an XOR operation.
For our purposes here, it is not necessary to enter into the detailed cryptanalysis of these systems. The logistic-map cryptosystem has not, to the author's knowledge, been analysed in the literature. It should be evident that that sequences generated by the logistic map in the described way will not be truly random so that an appropriate statistical approach could bring out the key from sufficient known ciphertext. In addition the system is entirely vulnerable to chosen plaintext attack; consider the encryption of the string of all 0's. The CA-based system has been cryptanalyzed in detail [12]. The essential observation that is using a known-plaintext attack, the effective key space can be considerably reduced in size. The aspects of these system which should be retained are 1) the key is a state of the system, 2) the message is encrypted by combining it with an information stream generated by forward iteration of the system, and 3) the message is decrypted by combining the ciphertext with an information stream again generated by forward iteration of the system.
Consideration of inverse as well as forward iteration of dynamical systems opens up some new ways to use dynamical systems for encryption. One possibility, which again has occurred independently to a number of investigators, is to concentrate on reversible dynamical systems. Using a reversible dynamical system, a message can be encrypted by encoding it as a state of the system and then running the system forward in time some distance. The resulting state is the ciphertext. To decrypt the ciphertext, the system is inverse iterated the same number of time steps as were used in encryption, recovering the plaintext as a state of the system. Note the contrast with the systems considered above in which only forward iteration is used. In those systems, the key is a state of the system and the system is fixed. When forward and inverse iteration is used, the key is the dynamical system itself. The key operates directly on the message to encrypt and decrypt it, while in the previous systems the information generated by the dynamical system is combined indirectly, so to speak, externally, with the message information.
Let us briefly consider two systems which pursue this idea of using reversible dynamical systems, one by Guan[6], and one by Kari [10]. Each of these authors aims toward the production of public-key cryptosystems as opposed to the secret-key cryptosystems which are our main concern here. A public-key cryptosystem uses two keys, one key is used for encryption, the other for decryption. One key is held in private, the other rendered public. In the schemes of both Guan and Kari, the public key is a dynamical system inverse to the private key. Guan uses an inhomogeneous variant of cellular automata in which the rule which updates a site's value depends on the site. Kari, on the other hand, uses true, translationally invariant, cellular automata. The security of public-key cryptosystems depends on the difficulty of finding the private key given knowledge of the public key and/or chosen plain and ciphertext. Guan's system relies on the difficulty of inverting a complicated system of polynomial equations. Kari bases much of his reasoning on a result of his [11] which shows that even deciding whether a given cellular automaton in more than one dimension has an inverse is impossible. In general, the mathematical theory of cellular automata which is relevant to cryptology is more well-developed than the theory of irreversible cellular automata. In particular, one knows that if a cellular automaton has an inverse, that inverse is also a cellular automaton. Many practical problems remain, however, concerning how to choose good public-key/private-key pairs, how these should be applied to encrypt a message, etc.
Before embarking on a discussion
of the cryptosystem which is
the main subject of this article, we consider the system
proposed by Habutsu et. al. [9]. This
system, like those of Kari and Guan,
uses both forward and inverse iteration
of a dynamical system. The very significant difference
here is that the dynamical system used by Habutsu et al.
is irreversible. An irreversible system is one
in which some states have none, or more than one, antecedent
state. A very simple such map is the tent map. The (surjective)
tent map is a map of the unit interval composed of two line
segments, one beginning at (0,0) and running to (
,1), the
other beginning at (
,1) and running to (1,0). The
secret key of this system is the parameter 
which
specifies the location of the peak of the tent. Under the tent
map, all points but one have two preimages. Habutsu et al. use
this fact to encrypt
by 1) encoding a message as a state of the system, and 2)
running the system backward in time by choosing one of
the two preimages of this state at random. This process
is repeated many times, resulting in a ciphertext. A
receiver of the ciphertext who knows the secret key 
can decrypt the message by running the tent map forward
in time the same number of iterations as were used
in encryption. This interesting system has a number of practical
problems, some linked to the linearity of the tent map which
have been cryptanalytically exploited by Biham [2],
some linked to the continuity of the map which can lead
to round-off errors. These round-off error problems do
not occur in the cellular automaton based system to which
we now turn.