Breaking a new substitution-diffusion based image cipher using chaotic standard and logistic maps
Recently, an image encryption scheme based on chaotic standard and logistic maps was proposed. This paper studies the security of the scheme and shows that it can be broken with only one chosen-plaintext. Some other security defects of the scheme are also reported.
keywords:cryptanalysis, chosen-plaintext attack, encryption, image
With the rapid development of information technology, multimedia data are transmitted over all kinds of wired/wireless networks more and more frequently. Consequently, the security of multimedia data becomes a serious concern of many people. However, the traditional text encryption schemes can not be used in a naive way to protect multimedia data efficiently in some applications, mainly due to the big differences between textual and multimedia data and some special requirements of the whole multimedia system. This challenge stirs the design of special multimedia encryption schemes to become a hot research topic in multimedia signal processing area in the past decade. Because of the subtle similarity between chaos and cryptography, a great number of multimedia encryption schemes based on chaos have been presented Chen&Yen:RCES:JSA2003 (); YaobinMao:CSF2004 (); Flores:EncryptLatticeChaos06 (); Tong:ImageCipher:IVC07 (). Unfortunately, many of them have been found to have security problems from the cryptographical point of view Li:AttackingMaoScheme2007 (); Li:AttackingRCES2008 (); David:AttackingChaos08 (); Goce:cryptanalysis:TM08 (); Li:BreakImageCipher:IVC09 (). Some general rules about evaluating security of chaos-based encryption schemes can be found in AlvarezLi:Rules:IJBC2006 (); Li:ChaosImageVideoEncryption:Handbook2004 ().
Since 2003, Pareek et al. have proposed a number of different encryption schemes based on one or more chaotic maps Pareek:PLA2003 (); Pareek:CNSNS2005 (); Pareek:ImageEncrypt:IVC2006 (); Pareek:CNSNS2009 (). Recent cryptanalytic results Alvarez:PLA2003 (); Li:AttackingCNSNS2008 (); Li:AttackingIVC2009 () have shown that all the three schemes proposed in Pareek:PLA2003 (); Pareek:CNSNS2005 (); Pareek:ImageEncrypt:IVC2006 () have security defects. In Pareek:CNSNS2009 (), a new image encryption scheme based on the Logistic and standard maps was proposed, where the two maps are used to generate a pseudo-random number sequence (PRNS) controlling two kinds of encryption operations. The present paper focuses on a re-evaluation of the security of this new scheme, and reports the following findings: 1) the scheme can be broken with only one chosen image; 2) there are also some other security defects of the scheme.
2 The image encryption scheme under study
The plaintext encrypted by the image encryption scheme under study is a RGB true-color image of size (heightwidth), which can be denoted by an matrix of 3-tuple pixel values . Denoting the cipher image by , the image encryption scheme can be described as follows111To make the presentation more concise and complete, some notations in the original paper are modified..
Secret key: three floating-point numbers , , , and one integer , where , , , .
Initialization: prepare data for encryption/decryption by performing the following steps.
Generate four XORing keys as follows: , , , .
Iterate the standard map Eq. (1) from the initial conditions for times to obtain a new chaotic state . Then, further iterate it for more times to get chaotic states .
Iterate the Logistic map Eq. (2) from the initial condition for times to get a new initial condition . Then, further iterate it for times to get chaotic states .
Generate a chaotic key stream (CKS) image as follows: , and , where .
Encryption procedure: a simple concatenation of the following four encryption operations.
Confusion I: masking the plain pixel values by the four XORing keys .
For , do the following masking operations.
(3) (4) (5)
where , .
Diffusion I: scanning all pixel values from the first one row by row (from top to bottom), and masking each pixel (except for the first scanned pixel) by its predecessor in the scan.
Set , , . For ,
(6) (7) (8)
where , , and .
Diffusion II: scanning all pixel values from the last one column by column (from right to left), and masking each pixel (except for the first scanned pixel) by its predecessor in the scan.
Set , , . For ,
(9) (10) (11)
where and , , .
Confusion II: masking the pixel values with the CKS image pixel by pixel.
(12) (13) (14)
where , .
Decryption procedure: the simple reversion of the above encryption procedure.
3.1 A chosen-plaintext attack
In the chosen-plaintext attack, the attacker can choose plaintexts arbitrarily and obtain the corresponding ciphertexts. The goal of the attack is to gain some further information which helps reveal the other plaintexts encrypted with the same secret key. For the image encryption scheme under study, an equivalent version of the secret key can be reconstructed easily from only one pair of chosen-plaintext as shown in Proposition 1.
Let denote the encryption result of without performing the two confusion steps. Then, .
After the first confusion step, , where is the pseudo-image composed of the four XORing keys. Observing the operations involved in the two diffusion steps, we can see both steps can be performed on and separately and XOR the results, which means that . Then, after performing the last confusion step, we have , which proves this lemma. ∎
If is a zero image, i.e., , then .
This is a straightforward result of the fact . ∎
In case is known, the above proposition means that the plain-image can be recovered from by the following steps: 1) ; 2) perform the two diffusion steps on in an inverse order, which exactly recovers . In other words, by taking as a chosen-image, we can get an equivalent key to decrypt any cipher-image encrypted with the same secret key .
We have performed some experiments to verify the correctness of the above chosen-plaintext attack. With the secret key , the equivalent key was constructed from the zero image, which are shown in Figs. 1a and b, respectively. Then, was used to recover the cipher-image shown in Fig. 1c, and successfully recovered the plain-image “Lenna” (Fig. 1d).
3.2 Some other security problems
3.2.1 Insufficient randomness of the PRNS
As illustrated in Li:AttackingBitshiftXOR2007 (), the randomness of the pseudo-random bit sequence derived from chaotic states generated by iterating Logistic map is very weak. To further verify the randomness of the PRNS generated via the Logistic map of fixed control parameter, the NIST statistical test suite Rukhin:TestPRNG:NIST () was employed to test the randomness of 100 PRNSes of length (the number of bytes used for encryption of a plain color image). Note that the 100 sequences were generated with randomly selected secret keys. For each test, the default significance level 0.01 was used. The results are shown in Table 1, from which one can see that the PRNS is not random enough.
|Name of Test||Number of Passed Sequences|
|Block Frequency ()||0|
|Non-overlapping Template (, )||10|
|Approximate Entropy ()||0|
3.2.2 Insensitivity with respect to change of plaintext
In (Pareek:CNSNS2009, , Sec. 5.5), it is recognized that the sensitivity of cipher-image generated by an image encryption scheme with respect to change of plain-image is very important, but the image encryption scheme under study is actually very far from the desired property. As well known in cryptography, this property is termed as avalanche effect. Ideally, it requires the change of any single bit of plain-image will make every bit of cipher-image change with a probability of one half. However, the image encryption scheme under study can not satisfy this property due to the following points.
Only one kind of operation (XOR) is involved in the whole scheme;
Any bit of plain-image only influences the bits at the same level in the cipher-image;
Any pixel of plain-image does not influence other pixels in the cipher-image uniformly.
To show this defect clearly, we made an experiment by changing only one bit of the red channel of the plain-image shown in Fig. 1d. It is found that only some bits at the same level in the corresponding cipher-image were changed. The locations of the changed bits are shown in Fig. 2, in which the white dots denote changed locations and black ones denote unchanged ones.
In this paper, the security of a new image encryption scheme based on two chaotic maps is analyzed in detail. It is found that the scheme can be broken with only one chosen plain-image. In addition, some other security defects about randomness of a PRNS involved, and sensitivity with respect to change of plain-image are also reported. Due to such a low level of security, we recommend not to use the image encryption scheme under study in any serious applications.
Chengqing Li was supported by The Hong Kong Polytechnic University’s Postdoctoral Fellowships Scheme under grant no. G-YX2L. Shujun Li was supported by a fellowship from the Zukunftskolleg of the Universität Konstanz, Germany, which is part of the “Exzellenzinitiative” Program of the DFG (German Research Foundation). The work of Kowk-Tung Lo was supported by the Research Grant Council of the Hong Kong SAR Government under Project 523206 (PolyU 5232/06E).
- (1) H.-C. Chen, J.-C. Yen, A new cryptography system and its VLSI realization, Journal of Systems Architecture 49 (7-9) (2003) 355–367.
- (2) G. Chen, Y. Mao, C. K. Chui, A symmetric image encryption scheme based on 3d chaotic cat maps, Chaos, Solitons & Fractals 21 (3) (2004) 749–761.
- (3) N. J. Flores-Carmona, M. Carpio-Valadez, Encryption and decryption of images with chaotic map lattices, Chaos 16 (3) (2006) art. no. 033118.
- (4) X. Tong, M. Cui, Image encryption with compound chaotic sequence cipher shifting dynamically, Image and Vision Computing 26 (6) (2008) 843–850.
- (5) C. Li, G. Chen, On the security of a class of image encryption schemes, in: Proceedings of 2008 IEEE Int. Symposium on Circuits and Systems, 2008, pp. 3290–3293.
- (6) S. Li, C. Li, G. Chen, K.-T. Lo, Cryptanalysis of the RCES/RSES image encryption scheme, Journal of Systems and Software 81 (7) (2008) 1130–1143.
- (7) D. Arroyo, R. Rhouma, G. Alvarez, S. Li, V. Fernandez, On the security of a new image encryption scheme based on chaotic map lattices, Chaos 18 (3) (2008) art. no. 033112.
- (8) G. Jakimoski, K. Subbalakshmi, Cryptanalysis of some multimedia encryption schemes, IEEE Transactions on Multimedia 10 (3) (2008) 330–338.
- (9) C. Li, S. Li, G. Chen, W. A. Halang, Cryptanalysis of an image encryption scheme based on a compound chaotic sequence, Image and Vision Computing 27 (8) (2009) 1035–1039.
- (10) G. Álvarez, S. Li, Some basic cryptographic requirements for chaos-based cryptosystems, International Journal of Bifurcation and Chaos 16 (8) (2006) 2129–2151.
- (11) S. Li, G. Chen, X. Zheng, Chaos-based encryption for digital images and videos, in: B. Furht, D. Kirovski (Eds.), Multimedia Security Handbook, CRC Press, 2004, Ch. 4, pp. 133–167.
- (12) N. Pareek, V. Patidar, K. Sud, Discrete chaotic cryptography using external key, Physics Letters A 309 (1-2) (2003) 75–82.
- (13) N. Pareek, V. Patidar, K. Sud, Cryptography using multiple one-dimensional chaotic maps, Communications in Nonlinear Science and Numerical Simulation 10 (7) (2005) 715–723.
- (14) N. Pareek, V. Patidar, K. Sud, Image encryption using chaotic logistic map, Image and Vision Computing 24 (9) (2006) 926–934.
- (15) V. Patidar, N. Pareek, K. Sud, A new substitution-diffusion based image cipher using chaotic standard and logistic maps, Communications in Nonlinear Science and Numerical Simulation 14 (7) (2009) 3056–3075.
- (16) G. Álvarez, F. Montoya, M. Romera, G. Pastor, Cryptanalysis of a discrete chaotic cryptosystem using external key, Physics Letters A 319 (3-4) (2003) 334–339.
- (17) C. Li, S. Li, G. Álvarez, G. Chen, K.-T. Lo, Cryptanalysis of a chaotic block cipher with external key and its improved version, Chaos, Solitons & Fractals 37 (1) (2008) 299–307.
- (18) C. Li, S. Li, M. Asim, J. Nunez, G. Alvarez, G. Chen, On the security defects of an image encryption scheme, Image and Vision Computing 27 (9) (2009) 1371–1381.
- (19) C. Li, S. Li, G. Álvarez, G. Chen, K.-T. Lo, Cryptanalysis of two chaotic encryption schemes based on circular bit shift and XOR operations, Physics Letters A 369 (1-2) (2007) 23–30.
- (20) A. Rukhin, et al., A statistical test suite for random and pseudorandom number generators for cryptographic applications, NIST Special Publication 800-22, available online at http://csrc.nist.gov/rng/rng2.html (2001).