A Differential Cryptanalysis of Yen-Chen-Wu Multimedia Cryptography System (MCS)††thanks: Chengqing Li was supported by The Hong Kong Polytechnic University’s Postdoctoral Fellowships Scheme under grant no. G-YX2L. Shujun Li was supported by a fellowship from the Zukunftskolleg of the Universität Konstanz, Germany, which is part of the “Exzellenzinitiative” Program of the DFG (German Research Foundation). The work of Kowk-Tung Lo was supported by the Research Grant Council of the Hong Kong SAR Government under Project 523206 (PolyU 5232/06E).
At ISCAS’2005, Yen et al. presented a new chaos-based cryptosystem for multimedia transmission named “Multimedia Cryptography System” (MCS). No cryptanalytic results have been reported so far. This paper presents a differential attack to break MCS, which requires only seven chosen plaintexts. The complexity of the attack is , where is the size of plaintext. Experimental results are also given to show the real performance of the proposed attack.
chaos, cryptanalysis, differential attack, encryption, multimedia, security
The prevalence of multimedia data makes its security become more and more important. However, traditional cryptosystems can not protect multimedia data efficiently due to the big differences between texts and multimedia data, such as the bulky sizes and strong correlation between neighboring elements of uncompressed multimedia data. In addition, multimedia encryption schemes have some special requirements like high bitrate and easy concatenation of different components of the whole multimedia processing system. So, designing special encryption schemes protecting multimedia data becomes necessary. To meet this challenge, a great number of multimedia encryption schemes have been proposed in the past two decades [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]. Due to the subtle similarity between chaos and cryptography, some of multimedia encryption schemes were designed based on one or more chaotic systems [3, 4, 5, 8, 9, 11]. Meanwhile, a lot of cryptanalytic work has also been reported, showing that many encryption schemes were not designed carefully and are prone to various kinds of attacks [12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23].
In the past decade, a series of encryption schemes were proposed by Yen and Guo’s research group [24, 25, 26, 27, 28]. The main idea of these schemes is to combine some basic encryption operations, under the control of a pseudorandom bit sequence (PRBS) generated by iterating a chaotic system. Unfortunately, most of Yen-Guo multimedia encryption schemes have been successfully cryptanalyzed [29, 30, 31, 32, 33].
This paper reports a security analysis of MCS (Multimedia Cryptography System) – the latest multimedia encryption scheme proposed by Yen et al. . Another hardware implementation of MCS was proposed in . Compared with other earlier designs, such as RCES  and TDCEA , which have been cryptanalyzed in [33, 29], MCS combines more encryption operations of different kinds in a more complicated manner, in the hope that the security can be effectively enhanced. This paper shows that MCS is still vulnerable to a differential chosen-plaintext attack. Only seven chosen plaintexts (or six specific plaintext differentials) are enough to break MCS, with a divide-and-conquer (DAC) strategy.
Ii Multimedia Cryptography System (MCS)
MCS encrypts the plaintext block by block, and each block contains 15 bytes. As the first step of the encryption process, each 15-byte plain-block is expanded to a 16-byte one by adding a secretly selected byte. Then, the expanded block is encrypted with the following four different operations: byte swapping (permutation), value masking, horizontal and vertical bit rotations, which are all controlled by a secret PRBS.
Denote the plaintext by , where denotes the -th plain-byte. Without loss of generality, assume that can be exactly divided by 15. Then, the plaintext has blocks: , where . Similarly, denote the ciphertext by , where denotes the expanded cipher-block. With the above notations, MCS can be described as follows.
The secret key includes five integers , , , , , and a binary fraction , where , ,111In  Yen et al. didn’t exclude the possibility of and , but to achieve the effect of encryption they should not be equal to 0. and , .
A PRBG (pseudorandom bit generator)
A pseudorandom number sequence is generated by iterating the following equation from :
where , , and denotes bitwise XOR. Then, the controlling PRBG is derived from by extracting the 129 bits from each . The above PRBG is a special case of the second class of chaos-based PRBG proposed in , with the parameters , , .
The initialization process
1) run the above PRBG to generate the controlling PRBS ; 2) set .
The encryption procedure
For each plain-block , do the following operations consecutively:
Step a) Data expansion
Add to the 15-byte plain-block to get an expanded 16-byte block
and then set , where .
Step b) Byte swapping
Define a pseudorandom byte swapping operation, , which swaps and when . Then, perform the byte swapping operation for the following 32 values of one after another: (0,8,4), (1,9,5), (2,10,6), (3,11,7), (4,12,8), (5,13,9), (6,14,10), (7,15,11), (0,4,12), (1,5,13), (2,6,14), (3,7,15), (8,12,16), (9,13,17), (10,14,18), (11,15,19), (0,2,20), (1,3,21), (4,6,22), (5,7,23), (8,10,24), (9,11,25), (12,14,26), (13,15,27), (0,1,28), (2,3,29), (4,5,30), (6,7,31), (8,9,32), (10,11,33), (12,13,34), (14,15,35). Denote the permuted 16-byte block by .
Step c) Value masking
Determine two pseudo-random variables, and , and then do the following masking operation for :
where and are composed of the -th bits of the 16 elements of and , respectively,
Step d) Horizontal bit rotation
Construct an matrix by assigning as the -th bit of . Then, perform the following horizontal bit rotation operations for to get a new matrix :
which shifts (the -th row of ) by elements (bits) to the left when and to the right when . The values of the two parameters are as follows: , . Equivalently, the above process can be rewritten in the following way:
In the following, we will use the latter form to simplify our further discussion.
In a similar way, construct another matrix by assigning as the -th bit of . Then, perform similar horizontal bit rotation operations on to get a new matrix :
After the above horizontal bit rotation operations, represent the -th byte in the 16-byte block as follows
Step e) Vertical bit rotation
For , do the following vertical bit rotation operations on to get
which shifts (the -th column of ) by elements (bits) downwards. The value of the parameter is as follows:
Similar vertical bit rotations are performed on to get as follows:
Finally, the cipher-block is derived from and as follows:
The decryption procedure is simply the inverse of the above encryption procedure.
First of all, we point out that the subkey has no influence on the decryption process. It is because is only used to determine the expanded byte, and never used to change the value of any other byte in the plaintext. In fact, if we use a different value of for the decryption process, the plaintext can still be correctly recovered. Furthermore, the probability that becomes the expanded byte of is , which decreases very exponentially. This means that has no influence on the encryption process after become sufficiently large. As a whole, should be excluded from the key. In the rest of this paper, we will not consider as a subkey.
Iii-a Some properties of MCS
Define the XOR-differential (“differential” in short hereinafter) of two plaintexts and as . When and are encrypted with the same secret key, it is easy to prove the following three properties of MES, which will be the basis of the proposed attack.
The random masking in Step c) cannot change the differential value, i.e., , .
It is a straightforward result of the following property of XOR: .
Each expanded plain-block is independent of the sub-key .
This can be proved with mathematical induction on . When and , i.e., for the -th byte of the first 16-byte block,
which is obviously independent of the value of . Now assume the property holds for the first blocks. Then, for the -th 16-byte block,
which is also independent from according to the assumption. Thus, this property is proved.
The byte swapping in Step b) cannot change each differential value, but its position in the 16-byte block.
Both the horizontal bit rotation in Step d) and the vertical bit rotation in Step e) cannot change each differential bit itself, but its position in the binary presentation of the 8-byte block.
The proofs of the above two properties are straightforward, so we omit them here.
Iii-B The differential attack
Based on the above properties of MCS, the data expansion in Step a), the first eight byte swapping operations in Step b), the vertical bit rotation in Step e), the horizontal bit rotation in Step d), the other unkown byte swapping operations in Step b) and the value masking in Step c) can be broken in order with a number of chosen plaintext differentials.
Iii-B1 Breaking the secret data expansion in Step a)
To facilitate the following discussion, let us denote the Hamming weight of a byte or a block , i.e., the number of 1-bits in , by . From Property 2, one can see that there are binary bits of come from and other eight bits come from for (the eight expanded bits are all 0-bits when ). Since all the other steps do not change the Hamming weight of each 16-byte block, we can get . In case is unique in the last 15-byte block , we can uniquely determine the value of . Considering but , at least two plain-bytes in each 15-byte block have the same Hamming weight. So, the value of may not be uniquely determined sometimes. To make the unique determination of possible, we can choose two plaintext differentials and (i.e., differentials of three chosen plaintexts , and ) to fulfill the following two requirements: 1) , ; 2) , . For example, the two plaintext differentials can be chosen to have the following Hamming weights:
With the above chosen plaintexts, it is obvious that the value of can always be uniquely determined, except when
We can calculate the occurrence probability of the above equation is less than . For a image, this means that we will not be able to uniquely determine the value of for less than blocks in an average sense. In other words, the value of can be uniquely determined for almost all blocks. Note that breaking implies breaking 4 controlling bits .
Iii-B2 Breaking the first eight byte-swapping operations in Step b)
From Properties 3, 4, one can see that all the bits of each 16-byte expanded plain-block are the same as the ones of the corresponding 16-byte cipher-block , except that their locations may change. Observing how the bit locations are changed in the whole encryption process, we can see the following eight byte-swapping operations are the only encryption operations moving bits from one 8-byte half-block to another: , when . Apparently, when the controlling bit is 1, each byte-swapping operation swaps the locations of one byte in the first half-block and the other byte in another half-block. This fact means that, by choosing the differences between the Hamming weights of the eight bytes in the two half-blocks properly, we will be able to derive the values of the controlling bits . The simplest tactic is to choose such that each half-block has only one byte with a different Hamming weight from the corresponding byte in the other half-block. If we assume all the values of have been recovered, which happens with high probability as we shown in the previous subsection, the first 15 bytes in can be freely chosen by choosing . The last byte in each 16-byte block may not be chosen, if it is equal to . Fortunately, this has no influence on the process of breaking the first eight byte-swapping operations, because what is chosen for the last byte is . Although we may not be able to choose , we can always choose to have a different Hamming weight from that of . One chosen-block will be able to derive the value of one controlling bit, which controls the possible swapping of the two bytes (in two half-blocks, respectively) with different Hamming weights. We need eight chosen plain-blocks (thus eight chosen plaintext differentials) to determine the values of all the eight controlling bits.
While eight chosen plaintext differentials are enough to recover all the bits controlling the first eight byte-swapping operations, we actually need only two chosen plaintext differentials to achieve this goal. To see how it is possible, denote the difference between the Hamming weights of the two half-blocks of the -th cipher-block by . Then, we have the following equation:
By choosing the values of to be a set of numbers such that every nonzero number can not be represented as a linear combination of other numbers in the set, the controlling bits corresponding to the nonzero numbers can be determined uniquely. For instance, to determine the values of , we can choose a plaintext differential such that
for , respectively;
The above chosen plaintext differential leads to the following result:
The 16 possible values of correspond to the 16 possible values of . Choosing another plaintext differential such that
for , respectively,
we will be able to uniquely determine the other four controlling bits . As a whole, with only two chosen plaintext differentials, we can uniquely determine all the eight controlling bits .
Iii-B3 Breaking the other part of MCS
For the -th block, denote the intermediate result of the first eight byte-swapping operations by . Knowing allows us to choose by manipulating . The other encryption operations to be further broken include the 9th to 35th byte-swapping operations, the value masking, and the horizontal/vertical bit rotations.
Different from the first 8 byte-swapping operations, the 9th to 35th ones in Step b) only shuffle the locations of the eight bytes inside each half-block. We found these byte-swapping operations cannot be uniquely determined, because some equivalent but different encryption operations exist. Roughly speaking, if we add an overall circularly byte shift operation to Step b) and all the other steps afterwards, we will get an encryption scheme equivalent to but different from the real one. Therefore, in this sub-subsection we turn to find such an equivalent encryption scheme. To facilitate our discussion, in the following, we use the acronym “EES” to denote the equivalent encryption scheme that has the same encryption performance as all the four kinds of encryption operations to be further broken. The EES is also composed of four parts, which correspond to the four different kinds of encryption operations, respectively. Once again, we use a divide-and-conquer tactic to get all the four pars of an EES.
Obtaining the vertical bit-rotation part of the EES
To get the vertical bit-rotation part, we need to cancel the horizontal bit-rotation part and the byte-swapping part. The horizontal bit rotations can be done by choosing all bytes in to be either 0 or 255, i.e., all the bits in and are identical (either 0 or 1). The byte-swapping operations cannot be fully canceled. To minimize its interference with the vertical bit-rotation part, we can choose each half-block such that there is only one 0 or one 255. Without loss of generality, we choose one plaintext differential such that both half-blocks of each 16-byte block contains only one 255-byte but seven 0-bytes, i.e.,
After the byte-swapping operations, assume is moved to and to , where . Since the horizontal bit rotations are canceled, by comparing and , we can observe that is performed for the -th bit of . Similarly, for the second half-block, we can observe that is performed for the -th bit of .
Obtaining the horizontal bit-rotation part of the EES
Now, we need to cancel the byte-swapping operations and the vertical bit rotations. The byte-swapping operations can be canceled by choosing a second plaintext differential such that all the bytes in each half-block are identical. To distinguish the horizontal bit shifts, we should choose the byte to satisfy the following property: , or equivalently, . The simplest choice of is , where . When , either or will always be 0, so it will not be possible to obtain the horizontal bit-rotation part for this byte. Fortunately, this does not influence the decryption process, because the expanded byte is actually redundant and will be finally discarded. The vertical bit rotations cannot be canceled, since they are performed after the horizontal bit rotations. Since we have obtained the vertical bit-rotation part of the EES, we can apply it to to get , where denotes addition modulus 8. Then, compare with , one can observe that is performed for . Similarly, we can observe is performed for .
Obtaining the byte-swapping part of the EES
After obtaining the horizontal/vertical bit-rotation parts of the EES, we can apply the inverse horizontal/vertical bit rotations to to get and . If we choose such that all the eight bytes of each half-block are different from each other, we will be able to obtain the following byte-swapping part of the EES. For the first half-block, the real byte-swapping operation moves to , the one we obtained for the EES will move it to , where denotes subtraction modulus 8. Similarly, for the second half-block, the real byte-swapping operation moves to , the one we obtained for the EES will move it to .
Obtaining the value-masking part of the EES
After obtaining the byte-swapping part of the EES, we can get and from any known plaintext. In addition, after obtaining both the horizontal and vertical bit-rotation parts, we can get and from any known ciphertext. We do not need to choose more plaintexts, but can simply reuse any chosen plaintext used in previous steps. Note that the value masking performed in Step c) can be rewritten as the equivalent form: for ,
where and is the -th bit of . Then, by XORing and , we can get . Similarly, by XORing and , we can get .
Observing the above four results, we can see all the fours parts of the ESS are related to the unknown parameters and . If we choose different value of in Sec. III-B3, we may have different ESS. All the possible EESs are equivalent to each other (and to the real encryption scheme), so we can use any of them to decrypt any ciphertext encrypted with the same key, as long as the size of the ciphertext is not larger than . In the next subsection, we will show the values of and can be uniquely determined if the sub-keys , , and satisfy some requirements.
Iii-B4 Performance of the differential attack
To sum up, the differential attack outputs the following items as an equivalent key:
for data expansion: , which is equivalent to ;
for the first eight byte-swapping operations: ;
for the 9th to 35th byte-swapping operations: and ;
for the value masking: and ;
for the horizontal bit rotations: and ;
for the vertical bit rotations: and .
All the above items form an encryption system equivalent to MCS and can be used to decrypt any ciphertexts encrypted with the same secret key. The (equivalent) encryption operations performed on some expanded bytes may not be recovered, but which does not influence the effectiveness of the differential attack, since those expanded bytes will finally be discarded.
The total number of chosen plaintexts is the sum of the following: a) two differentials for breaking the data expansion; b) two differentials for breaking the first eight byte-swapping operations; c) four differentials for obtaining the EES. Note that the plaintext differential needed in Sec. III-B3 can be replaced by the two differentials in Sec. III-B1. So, we only need two more differentials for obtaining the EES. As a whole, the differential attack requires plaintext differentials, or seven plaintexts, to break MCS.
The complexity of the differential attack is also very small, since we do not have any exhaustive search process in all the steps described above. With 6 chosen plaintext differentials, the computational complexity of the attack is just , which is the same as that of the normal encryption/decryption process of MCS.
Iii-C Breaking some sub-keys and more controlling bits
The differential attack described in the previous subsection outputs an equivalent key, which include some controlling bits