A Differential Cryptanalysis of Yen-Chen-Wu Multimedia Cryptography System (MCS)†
† Chengqing Li was supported by The Hong Kong Polytechnic University’s Postdoctoral Fellowships Scheme under grant no. GYX2L. Shujun Li was supported by a fellowship from the Zukunftskolleg of the Universität Konstanz, Germany, which is part of the “Exzellenzinitiative” Program of the DFG (German Research Foundation). The work of Kwok-Tung Lo was supported by the Research Grant Council of the Hong Kong SAR Government under Project 523206 (PolyU 5232/06E).
Abstract
At ISCAS’2005, Yen et al. presented a new chaos-based cryptosystem for multimedia transmission named “Multimedia Cryptography System” (MCS). No cryptanalytic results have been reported so far. This paper presents a differential attack to break MCS, which requires only seven chosen plaintexts. The complexity of the attack is , where is the size of the plaintext. Experimental results are also given to show the real performance of the proposed attack.
chaos, cryptanalysis, differential attack, encryption, multimedia, security
I Introduction
The prevalence of multimedia data makes its security more and more important. However, traditional cryptosystems cannot protect multimedia data efficiently due to the big differences between texts and multimedia data, such as the bulky sizes and the strong correlation between neighboring elements of uncompressed multimedia data. In addition, multimedia encryption schemes have some special requirements, like high bitrate and easy concatenation of the different components of the whole multimedia processing system. So, designing special encryption schemes for protecting multimedia data becomes necessary. To meet this challenge, a great number of multimedia encryption schemes have been proposed in the past two decades [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]. Due to the subtle similarity between chaos and cryptography, some multimedia encryption schemes were designed based on one or more chaotic systems [3, 4, 5, 8, 9, 11]. Meanwhile, a lot of cryptanalytic work has also been reported, showing that many encryption schemes were not designed carefully and are prone to various kinds of attacks [12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23].
In the past decade, a series of encryption schemes were proposed by Yen and Guo’s research group [24, 25, 26, 27, 28]. The main idea of these schemes is to combine some basic encryption operations under the control of a pseudorandom bit sequence (PRBS) generated by iterating a chaotic system. Unfortunately, most of the Yen-Guo multimedia encryption schemes have been successfully cryptanalyzed [29, 30, 31, 32, 33].
This paper reports a security analysis of MCS (Multimedia Cryptography System), the latest multimedia encryption scheme proposed by Yen et al. [28]. A hardware implementation of MCS was also proposed in [34]. Compared with earlier designs, such as RCES [26] and TDCEA [27], which have been cryptanalyzed in [33, 29], MCS combines more encryption operations of different kinds in a more complicated manner, in the hope that the security can be effectively enhanced. This paper shows that MCS is still vulnerable to a differential chosen-plaintext attack. Only seven chosen plaintexts (or six specific plaintext differentials) are enough to break MCS, with a divide-and-conquer (DAC) strategy.
II Multimedia Cryptography System (MCS)
MCS encrypts the plaintext block by block, and each block contains 15 bytes. As the first step of the encryption process, each 15-byte plain-block is expanded to a 16-byte one by adding a secretly selected byte. Then, the expanded block is encrypted with the following four different operations: byte swapping (permutation), value masking, horizontal bit rotation and vertical bit rotation, which are all controlled by a secret PRBS.
Denote the plaintext by , where denotes the th plain-byte. Without loss of generality, assume that can be exactly divided by 15. Then, the plaintext has blocks: , where . Similarly, denote the ciphertext by , where denotes the expanded cipher-block. With the above notations, MCS can be described as follows.

The secret key includes five integers , , , , , and a binary fraction , where , ,¹ and , .
¹ In [28] Yen et al. did not exclude the possibility of and , but to achieve the effect of encryption they should not be equal to 0.

A PRBG (pseudorandom bit generator)
A pseudorandom number sequence is generated by iterating the following equation from :
(1)
where , , and denotes bitwise XOR. Then, the controlling PRBS is derived from by extracting the 129 bits from each . The above PRBG is a special case of the second class of chaos-based PRBG proposed in [35], with the parameters , , .

The initialization process
1) run the above PRBG to generate the controlling PRBS ; 2) set .

The encryption procedure
For each plain-block , do the following operations consecutively:

Step a) Data expansion
Add to the 15-byte plain-block to get an expanded 16-byte block
and then set , where .

Step b) Byte swapping
Define a pseudorandom byte swapping operation, , which swaps and when . Then, perform the byte swapping operation for the following 32 values of one after another: (0,8,4), (1,9,5), (2,10,6), (3,11,7), (4,12,8), (5,13,9), (6,14,10), (7,15,11), (0,4,12), (1,5,13), (2,6,14), (3,7,15), (8,12,16), (9,13,17), (10,14,18), (11,15,19), (0,2,20), (1,3,21), (4,6,22), (5,7,23), (8,10,24), (9,11,25), (12,14,26), (13,15,27), (0,1,28), (2,3,29), (4,5,30), (6,7,31), (8,9,32), (10,11,33), (12,13,34), (14,15,35). Denote the permuted 16-byte block by .

Step c) Value masking
Determine two pseudorandom variables, and , and then do the following masking operation for :
(2)
where and are composed of the th bits of the 16 elements of and , respectively,
(3)
and .

Step d) Horizontal bit rotation
Construct an matrix by assigning as the th bit of . Then, perform the following horizontal bit rotation operations for to get a new matrix :
which shifts (the th row of ) by elements (bits) to the left when and to the right when . The values of the two parameters are as follows: , . Equivalently, the above process can be rewritten in the following way:
where
In the following, we will use the latter form to simplify our further discussion.
In a similar way, construct another matrix by assigning as the th bit of . Then, perform similar horizontal bit rotation operations on to get a new matrix :
where
After the above horizontal bit rotation operations, represent the th byte in the 16-byte block as follows:

Step e) Vertical bit rotation
For , do the following vertical bit rotation operations on to get
which shifts (the th column of ) by elements (bits) downwards. The value of the parameter is as follows:
Similar vertical bit rotations are performed on to get as follows:
where
Finally, the cipher-block is derived from and as follows:


The decryption procedure is simply the inverse of the above encryption procedure.
III Cryptanalysis
First of all, we point out that the subkey has no influence on the decryption process. This is because is only used to determine the expanded byte, and is never used to change the value of any other byte in the plaintext. In fact, if we use a different value of for the decryption process, the plaintext can still be correctly recovered. Furthermore, the probability that becomes the expanded byte of is , which decreases exponentially. This means that has no influence on the encryption process once becomes sufficiently large. As a whole, should be excluded from the key. In the rest of this paper, we will not consider as a subkey.
III-A Some properties of MCS
Define the XOR-differential (“differential” in short hereinafter) of two plaintexts and as . When and are encrypted with the same secret key, it is easy to prove the following properties of MCS, which will be the basis of the proposed attack.
Property 1
The random masking in Step c) cannot change the differential value, i.e., , .
It is a straightforward result of the following property of XOR: .
Property 2
Each expanded plainblock is independent of the subkey .
This can be proved by mathematical induction on . When and , i.e., for the th byte of the first 16-byte block,
which is obviously independent of the value of . Now assume the property holds for the first blocks. Then, for the th 16-byte block,
which is also independent of according to the assumption. Thus, this property is proved.
Property 3
The byte swapping in Step b) cannot change the value of each differential byte, but only its position in the 16-byte block.
Property 4
Neither the horizontal bit rotation in Step d) nor the vertical bit rotation in Step e) can change each differential bit itself, but only its position in the binary representation of the 8-byte block.
The proofs of the above two properties are straightforward, so we omit them here.
III-B The differential attack
Based on the above properties of MCS, the data expansion in Step a), the first eight byte-swapping operations in Step b), the vertical bit rotation in Step e), the horizontal bit rotation in Step d), the other unknown byte-swapping operations in Step b) and the value masking in Step c) can be broken in this order with a number of chosen plaintext differentials.
III-B1 Breaking the secret data expansion in Step a)
To facilitate the following discussion, let us denote the Hamming weight of a byte or a block , i.e., the number of 1-bits in , by . From Property 2, one can see that binary bits of come from and the other eight bits come from for (the eight expanded bits are all 0-bits when ). Since none of the other steps changes the Hamming weight of each 16-byte block, we get . In case is unique in the last 15-byte block , we can uniquely determine the value of . Considering but , at least two plain-bytes in each 15-byte block have the same Hamming weight. So, the value of may sometimes not be uniquely determined. To make the unique determination of possible, we can choose two plaintext differentials and (i.e., differentials of three chosen plaintexts , and ) that fulfill the following two requirements: 1) , ; 2) , . For example, the two plaintext differentials can be chosen to have the following Hamming weights:
With the above chosen plaintexts, it is obvious that the value of can always be uniquely determined, except when
(4) 
One can calculate that the probability of the above equation occurring is less than . For a image, this means that, on average, the value of cannot be uniquely determined for fewer than blocks. In other words, the value of can be uniquely determined for almost all blocks. Note that breaking implies breaking the 4 controlling bits .
III-B2 Breaking the first eight byte-swapping operations in Step b)
From Properties 3 and 4, one can see that all the bits of each 16-byte expanded plain-block are the same as those of the corresponding 16-byte cipher-block , except that their locations may change. Observing how the bit locations are changed in the whole encryption process, we can see that the following eight byte-swapping operations are the only encryption operations moving bits from one 8-byte half-block to the other: , when . Apparently, when the controlling bit is 1, each byte-swapping operation swaps the locations of one byte in the first half-block and one byte in the other half-block. This fact means that, by choosing the differences between the Hamming weights of the eight bytes in the two half-blocks properly, we will be able to derive the values of the controlling bits . The simplest tactic is to choose such that each half-block has only one byte with a Hamming weight different from that of the corresponding byte in the other half-block. If we assume all the values of have been recovered, which happens with high probability as shown in the previous subsection, the first 15 bytes in can be freely chosen by choosing . The last byte in each 16-byte block may not be freely chosen, since it is equal to . Fortunately, this has no influence on the process of breaking the first eight byte-swapping operations, because what matters for the last byte is . Although we may not be able to choose , we can always choose to have a Hamming weight different from that of . One chosen block is enough to derive the value of one controlling bit, which controls the possible swapping of the two bytes (in the two half-blocks, respectively) with different Hamming weights. We thus need eight chosen plain-blocks (i.e., eight chosen plaintext differentials) to determine the values of all eight controlling bits.
While eight chosen plaintext differentials are enough to recover all the bits controlling the first eight byte-swapping operations, we actually need only two chosen plaintext differentials to achieve this goal. To see how this is possible, denote the difference between the Hamming weights of the two half-blocks of the th cipher-block by . Then, we have the following equation:
where
By choosing the values of to be a set of numbers such that no nonzero number can be represented as a linear combination of the other numbers in the set, the controlling bits corresponding to the nonzero numbers can be determined uniquely. For instance, to determine the values of , we can choose a plaintext differential such that

for , respectively;

for .
The above chosen plaintext differential leads to the following result:
The 16 possible values of correspond to the 16 possible values of . Choosing another plaintext differential such that

for ;

for , respectively,
we will be able to uniquely determine the other four controlling bits . As a whole, with only two chosen plaintext differentials, we can uniquely determine all eight controlling bits .
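The two-differential recovery of the eight cross-half swap bits described above, worked in Python as an added example (this is not code from the paper or from Yen et al.). The model keeps only the properties the attack relies on: it assumes value masking is an XOR with a fixed secret mask (Property 1) and stands in for the horizontal/vertical rotations with a secret bit permutation inside each half-block (Property 4); the weights 1, 2, 4, 8 are my choice of a set in which no element is a linear combination of the others, since the paper's own values are not reproduced in this text.

```python
import random

# The 32 (i, j, k) byte-swap triples of Step b): swap bytes i and j of the
# expanded block when controlling bit k is 1.  The first eight are the only
# operations that move bytes across the two 8-byte half-blocks.
SWAPS = [(0, 8, 4), (1, 9, 5), (2, 10, 6), (3, 11, 7), (4, 12, 8), (5, 13, 9),
         (6, 14, 10), (7, 15, 11), (0, 4, 12), (1, 5, 13), (2, 6, 14), (3, 7, 15),
         (8, 12, 16), (9, 13, 17), (10, 14, 18), (11, 15, 19), (0, 2, 20),
         (1, 3, 21), (4, 6, 22), (5, 7, 23), (8, 10, 24), (9, 11, 25),
         (12, 14, 26), (13, 15, 27), (0, 1, 28), (2, 3, 29), (4, 5, 30),
         (6, 7, 31), (8, 9, 32), (10, 11, 33), (12, 13, 34), (14, 15, 35)]


def hw(block):
    """Hamming weight (number of 1-bits) of a list of bytes."""
    return sum(bin(b).count("1") for b in block)


class ToyMCS:
    """Toy model of block 0 of MCS (expanded byte = secret beta, so its
    differential is 0).  Assumed simplifications: XOR masking with a fixed
    secret mask; rotations replaced by a secret bit permutation per half."""

    def __init__(self, seed=1):
        rng = random.Random(seed)
        self.beta = rng.randrange(256)
        self.prbs = [rng.randrange(2) for _ in range(36)]    # controlling bits
        self.mask = [rng.randrange(256) for _ in range(16)]
        self.perm = [rng.sample(range(64), 64) for _ in range(2)]

    def encrypt(self, block15):
        x = list(block15) + [self.beta]                  # Step a) expansion
        for i, j, k in SWAPS:                            # Step b) byte swapping
            if self.prbs[k]:
                x[i], x[j] = x[j], x[i]
        x = [b ^ m for b, m in zip(x, self.mask)]        # Step c) value masking
        out = []
        for h in range(2):                               # Steps d), e) stand-in
            bits = [(x[h * 8 + t // 8] >> (t % 8)) & 1 for t in range(64)]
            moved = [bits[p] for p in self.perm[h]]
            out += [sum(moved[t * 8 + u] << u for u in range(8)) for t in range(8)]
        return out


def recover_cross_half_swaps(encrypt):
    """Recover prbs[4..11] from two chosen differentials (three plaintexts).
    Four first-half bytes carry weights 1, 2, 4, 8 (values 1, 3, 15, 255),
    all other differential bytes weight 0, so the weight difference between
    the cipher half-blocks is 15 - 2 * (sum of weights swapped across)."""
    base = [0] * 15
    c0 = encrypt(base)
    bits = []
    for start in (0, 4):            # swaps (0,8)..(3,11), then (4,12)..(7,15)
        p = list(base)
        for t, v in enumerate((1, 3, 15, 255)):
            p[start + t] = v
        delta = [a ^ b for a, b in zip(c0, encrypt(p))]   # masks cancel under XOR
        swapped = (15 - (hw(delta[:8]) - hw(delta[8:]))) // 2
        bits += [(swapped >> t) & 1 for t in range(4)]
    return bits
```

The same model also exhibits the weight-preservation fact used in Sec. III-B1: for block 0 the cipher differential has exactly the Hamming weight of the plaintext differential.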
III-B3 Breaking the other part of MCS
For the th block, denote the intermediate result of the first eight byte-swapping operations by . Knowing allows us to choose by manipulating . The other encryption operations to be further broken include the 9th to 35th byte-swapping operations, the value masking, and the horizontal/vertical bit rotations.
Unlike the first 8 byte-swapping operations, the 9th to 35th ones in Step b) only shuffle the locations of the eight bytes inside each half-block. We found that these byte-swapping operations cannot be uniquely determined, because some equivalent but different encryption operations exist. Roughly speaking, if we add an overall circular byte shift to Step b) and to all the steps after it, we get an encryption scheme equivalent to but different from the real one. Therefore, in this subsubsection we turn to finding such an equivalent encryption scheme. To facilitate our discussion, in the following we use the acronym “EES” to denote the equivalent encryption scheme that has the same encryption behavior as the four kinds of encryption operations to be further broken. The EES is also composed of four parts, which correspond to the four different kinds of encryption operations, respectively. Once again, we use a divide-and-conquer tactic to get all four parts of an EES.
Obtaining the vertical bit-rotation part of the EES
To get the vertical bit-rotation part, we need to cancel the horizontal bit-rotation part and the byte-swapping part. The horizontal bit rotations can be canceled by choosing all bytes in to be either 0 or 255, i.e., all the bits in and are identical (either 0 or 1). The byte-swapping operations cannot be fully canceled. To minimize their interference with the vertical bit-rotation part, we can choose each half-block such that there is only one 0 or one 255. Without loss of generality, we choose one plaintext differential such that both half-blocks of each 16-byte block contain only one 255-byte and seven 0-bytes, i.e.,
After the byte-swapping operations, assume is moved to and to , where . Since the horizontal bit rotations are canceled, by comparing and , we can observe that is performed for the th bit of . Similarly, for the second half-block, we can observe that is performed for the th bit of .
Obtaining the horizontal bit-rotation part of the EES
Now, we need to cancel the byte-swapping operations and the vertical bit rotations. The byte-swapping operations can be canceled by choosing a second plaintext differential such that all the bytes in each half-block are identical. To distinguish the horizontal bit shifts, we should choose the byte to satisfy the following property: , or equivalently, . The simplest choice of is , where . When , either or will always be 0, so it will not be possible to obtain the horizontal bit-rotation part for this byte. Fortunately, this does not influence the decryption process, because the expanded byte is actually redundant and will finally be discarded. The vertical bit rotations cannot be canceled, since they are performed after the horizontal bit rotations. Since we have already obtained the vertical bit-rotation part of the EES, we can apply it to to get , where denotes addition modulo 8. Then, comparing with , one can observe that is performed for . Similarly, we can observe that is performed for .
Obtaining the byte-swapping part of the EES
After obtaining the horizontal/vertical bit-rotation parts of the EES, we can apply the inverse horizontal/vertical bit rotations to to get and . If we choose such that all eight bytes of each half-block are different from each other, we will be able to obtain the following byte-swapping part of the EES. For the first half-block, the real byte-swapping operation moves to , while the one we obtained for the EES moves it to , where denotes subtraction modulo 8. Similarly, for the second half-block, the real byte-swapping operation moves to , while the one we obtained for the EES moves it to .
Obtaining the value-masking part of the EES
After obtaining the byte-swapping part of the EES, we can get and from any known plaintext. In addition, after obtaining both the horizontal and vertical bit-rotation parts, we can get and from any known ciphertext. We do not need to choose more plaintexts, but can simply reuse any chosen plaintext used in the previous steps. Note that the value masking performed in Step c) can be rewritten in the equivalent form: for ,
(5) 
where and is the th bit of . Then, by XORing and , we can get . Similarly, by XORing and , we can get .
Observing the above four results, we can see that all four parts of the EES are related to the unknown parameters and . If we choose a different value of in Sec. III-B3, we may get a different EES. All the possible EESs are equivalent to each other (and to the real encryption scheme), so we can use any of them to decrypt any ciphertext encrypted with the same key, as long as the size of the ciphertext is not larger than . In the next subsection, we will show that the values of and can be uniquely determined if the subkeys , , and satisfy some requirements.
III-B4 Performance of the differential attack
To sum up, the differential attack outputs the following items as an equivalent key:

for data expansion: , which is equivalent to ;

for the first eight byte-swapping operations: ;

for the 9th to 35th byte-swapping operations: and ;

for the value masking: and ;

for the horizontal bit rotations: and ;

for the vertical bit rotations: and .
All the above items form an encryption system equivalent to MCS and can be used to decrypt any ciphertext encrypted with the same secret key. The (equivalent) encryption operations performed on some expanded bytes may not be recovered, but this does not influence the effectiveness of the differential attack, since those expanded bytes will finally be discarded.
The total number of chosen plaintexts is the sum of the following: a) two differentials for breaking the data expansion; b) two differentials for breaking the first eight byte-swapping operations; c) four differentials for obtaining the EES. Note that the plaintext differential needed in Sec. III-B3 can be replaced by the two differentials in Sec. III-B1. So, we only need two more differentials for obtaining the EES. As a whole, the differential attack requires plaintext differentials, or seven plaintexts, to break MCS.
The complexity of the differential attack is also very small, since none of the steps described above involves an exhaustive search. With 6 chosen plaintext differentials, the computational complexity of the attack is just , which is the same as that of the normal encryption/decryption process of MCS.
III-C Breaking some subkeys and more controlling bits
The differential attack described in the previous subsection outputs an equivalent key, which includes some controlling bits