Breaking a new substitutiondiffusion based image cipher using chaotic standard and logistic maps
Abstract
Recently, an image encryption scheme based on chaotic standard and logistic maps was proposed. This paper studies the security of the scheme and shows that it can be broken with only one chosenplaintext. Some other security defects of the scheme are also reported.
keywords:
cryptanalysis, chosenplaintext attack, encryption, imagesort&compress
URL]www.hooklee.com
1 Introduction
With the rapid development of information technology, multimedia data are transmitted over all kinds of wired/wireless networks more and more frequently. Consequently, the security of multimedia data becomes a serious concern of many people. However, the traditional text encryption schemes can not be used in a naive way to protect multimedia data efficiently in some applications, mainly due to the big differences between textual and multimedia data and some special requirements of the whole multimedia system. This challenge stirs the design of special multimedia encryption schemes to become a hot research topic in multimedia signal processing area in the past decade. Because of the subtle similarity between chaos and cryptography, a great number of multimedia encryption schemes based on chaos have been presented Chen&Yen:RCES:JSA2003 (); YaobinMao:CSF2004 (); Flores:EncryptLatticeChaos06 (); Tong:ImageCipher:IVC07 (). Unfortunately, many of them have been found to have security problems from the cryptographical point of view Li:AttackingMaoScheme2007 (); Li:AttackingRCES2008 (); David:AttackingChaos08 (); Goce:cryptanalysis:TM08 (); Li:BreakImageCipher:IVC09 (). Some general rules about evaluating security of chaosbased encryption schemes can be found in AlvarezLi:Rules:IJBC2006 (); Li:ChaosImageVideoEncryption:Handbook2004 ().
Since 2003, Pareek et al. have proposed a number of different encryption schemes based on one or more chaotic maps Pareek:PLA2003 (); Pareek:CNSNS2005 (); Pareek:ImageEncrypt:IVC2006 (); Pareek:CNSNS2009 (). Recent cryptanalytic results Alvarez:PLA2003 (); Li:AttackingCNSNS2008 (); Li:AttackingIVC2009 () have shown that all the three schemes proposed in Pareek:PLA2003 (); Pareek:CNSNS2005 (); Pareek:ImageEncrypt:IVC2006 () have security defects. In Pareek:CNSNS2009 (), a new image encryption scheme based on the Logistic and standard maps was proposed, where the two maps are used to generate a pseudorandom number sequence (PRNS) controlling two kinds of encryption operations. The present paper focuses on a reevaluation of the security of this new scheme, and reports the following findings: 1) the scheme can be broken with only one chosen image; 2) there are also some other security defects of the scheme.
2 The image encryption scheme under study
The plaintext encrypted by the image encryption scheme under study is a RGB truecolor image of size (heightwidth), which can be denoted by an matrix of 3tuple pixel values . Denoting the cipher image by , the image encryption scheme can be described as follows^{1}^{1}1To make the presentation more concise and complete, some notations in the original paper are modified..

Secret key: three floatingpoint numbers , , , and one integer , where , , , .

Initialization: prepare data for encryption/decryption by performing the following steps.

Generate four XORing keys as follows: , , , .

Iterate the standard map Eq. (1) from the initial conditions for times to obtain a new chaotic state . Then, further iterate it for more times to get chaotic states .
(1) 
Iterate the Logistic map Eq. (2) from the initial condition for times to get a new initial condition . Then, further iterate it for times to get chaotic states .
(2) 
Generate a chaotic key stream (CKS) image as follows: , and , where .


Encryption procedure: a simple concatenation of the following four encryption operations.

Confusion I: masking the plain pixel values by the four XORing keys .
For , do the following masking operations.
(3) (4) (5) where , .

Diffusion I: scanning all pixel values from the first one row by row (from top to bottom), and masking each pixel (except for the first scanned pixel) by its predecessor in the scan.
Set , , . For ,
(6) (7) (8) where , , and .

Diffusion II: scanning all pixel values from the last one column by column (from right to left), and masking each pixel (except for the first scanned pixel) by its predecessor in the scan.
Set , , . For ,
(9) (10) (11) where and , , .

Confusion II: masking the pixel values with the CKS image pixel by pixel.
For ,
(12) (13) (14) where , .


Decryption procedure: the simple reversion of the above encryption procedure.
3 Cryptanalysis
3.1 A chosenplaintext attack
In the chosenplaintext attack, the attacker can choose plaintexts arbitrarily and obtain the corresponding ciphertexts. The goal of the attack is to gain some further information which helps reveal the other plaintexts encrypted with the same secret key. For the image encryption scheme under study, an equivalent version of the secret key can be reconstructed easily from only one pair of chosenplaintext as shown in Proposition 1.
Lemma 1.
Let denote the encryption result of without performing the two confusion steps. Then, .
Proof.
After the first confusion step, , where is the pseudoimage composed of the four XORing keys. Observing the operations involved in the two diffusion steps, we can see both steps can be performed on and separately and XOR the results, which means that . Then, after performing the last confusion step, we have , which proves this lemma. ∎
Proposition 1.
If is a zero image, i.e., , then .
Proof.
This is a straightforward result of the fact . ∎
In case is known, the above proposition means that the plainimage can be recovered from by the following steps: 1) ; 2) perform the two diffusion steps on in an inverse order, which exactly recovers . In other words, by taking as a chosenimage, we can get an equivalent key to decrypt any cipherimage encrypted with the same secret key .
We have performed some experiments to verify the correctness of the above chosenplaintext attack. With the secret key , the equivalent key was constructed from the zero image, which are shown in Figs. 1a and b, respectively. Then, was used to recover the cipherimage shown in Fig. 1c, and successfully recovered the plainimage “Lenna” (Fig. 1d).
3.2 Some other security problems
3.2.1 Insufficient randomness of the PRNS
As illustrated in Li:AttackingBitshiftXOR2007 (), the randomness of the pseudorandom bit sequence derived from chaotic states generated by iterating Logistic map is very weak. To further verify the randomness of the PRNS generated via the Logistic map of fixed control parameter, the NIST statistical test suite Rukhin:TestPRNG:NIST () was employed to test the randomness of 100 PRNSes of length (the number of bytes used for encryption of a plain color image). Note that the 100 sequences were generated with randomly selected secret keys. For each test, the default significance level 0.01 was used. The results are shown in Table 1, from which one can see that the PRNS is not random enough.
Name of Test  Number of Passed Sequences 

Frequency  95 
Block Frequency ()  0 
Cumulative SumsForward  93 
Runs  0 
Rank  0 
Nonoverlapping Template (, )  10 
Serial ()  0 
Approximate Entropy ()  0 
FFT  0 
3.2.2 Insensitivity with respect to change of plaintext
In (Pareek:CNSNS2009, , Sec. 5.5), it is recognized that the sensitivity of cipherimage generated by an image encryption scheme with respect to change of plainimage is very important, but the image encryption scheme under study is actually very far from the desired property. As well known in cryptography, this property is termed as avalanche effect. Ideally, it requires the change of any single bit of plainimage will make every bit of cipherimage change with a probability of one half. However, the image encryption scheme under study can not satisfy this property due to the following points.

Only one kind of operation (XOR) is involved in the whole scheme;

Any bit of plainimage only influences the bits at the same level in the cipherimage;

Any pixel of plainimage does not influence other pixels in the cipherimage uniformly.
To show this defect clearly, we made an experiment by changing only one bit of the red channel of the plainimage shown in Fig. 1d. It is found that only some bits at the same level in the corresponding cipherimage were changed. The locations of the changed bits are shown in Fig. 2, in which the white dots denote changed locations and black ones denote unchanged ones.
4 Conclusion
In this paper, the security of a new image encryption scheme based on two chaotic maps is analyzed in detail. It is found that the scheme can be broken with only one chosen plainimage. In addition, some other security defects about randomness of a PRNS involved, and sensitivity with respect to change of plainimage are also reported. Due to such a low level of security, we recommend not to use the image encryption scheme under study in any serious applications.
Acknowledgement
Chengqing Li was supported by The Hong Kong Polytechnic University’s Postdoctoral Fellowships Scheme under grant no. GYX2L. Shujun Li was supported by a fellowship from the Zukunftskolleg of the Universität Konstanz, Germany, which is part of the “Exzellenzinitiative” Program of the DFG (German Research Foundation). The work of KowkTung Lo was supported by the Research Grant Council of the Hong Kong SAR Government under Project 523206 (PolyU 5232/06E).
References
 (1) H.C. Chen, J.C. Yen, A new cryptography system and its VLSI realization, Journal of Systems Architecture 49 (79) (2003) 355–367.
 (2) G. Chen, Y. Mao, C. K. Chui, A symmetric image encryption scheme based on 3d chaotic cat maps, Chaos, Solitons & Fractals 21 (3) (2004) 749–761.
 (3) N. J. FloresCarmona, M. CarpioValadez, Encryption and decryption of images with chaotic map lattices, Chaos 16 (3) (2006) art. no. 033118.
 (4) X. Tong, M. Cui, Image encryption with compound chaotic sequence cipher shifting dynamically, Image and Vision Computing 26 (6) (2008) 843–850.
 (5) C. Li, G. Chen, On the security of a class of image encryption schemes, in: Proceedings of 2008 IEEE Int. Symposium on Circuits and Systems, 2008, pp. 3290–3293.
 (6) S. Li, C. Li, G. Chen, K.T. Lo, Cryptanalysis of the RCES/RSES image encryption scheme, Journal of Systems and Software 81 (7) (2008) 1130–1143.
 (7) D. Arroyo, R. Rhouma, G. Alvarez, S. Li, V. Fernandez, On the security of a new image encryption scheme based on chaotic map lattices, Chaos 18 (3) (2008) art. no. 033112.
 (8) G. Jakimoski, K. Subbalakshmi, Cryptanalysis of some multimedia encryption schemes, IEEE Transactions on Multimedia 10 (3) (2008) 330–338.
 (9) C. Li, S. Li, G. Chen, W. A. Halang, Cryptanalysis of an image encryption scheme based on a compound chaotic sequence, Image and Vision Computing 27 (8) (2009) 1035–1039.
 (10) G. Álvarez, S. Li, Some basic cryptographic requirements for chaosbased cryptosystems, International Journal of Bifurcation and Chaos 16 (8) (2006) 2129–2151.
 (11) S. Li, G. Chen, X. Zheng, Chaosbased encryption for digital images and videos, in: B. Furht, D. Kirovski (Eds.), Multimedia Security Handbook, CRC Press, 2004, Ch. 4, pp. 133–167.
 (12) N. Pareek, V. Patidar, K. Sud, Discrete chaotic cryptography using external key, Physics Letters A 309 (12) (2003) 75–82.
 (13) N. Pareek, V. Patidar, K. Sud, Cryptography using multiple onedimensional chaotic maps, Communications in Nonlinear Science and Numerical Simulation 10 (7) (2005) 715–723.
 (14) N. Pareek, V. Patidar, K. Sud, Image encryption using chaotic logistic map, Image and Vision Computing 24 (9) (2006) 926–934.
 (15) V. Patidar, N. Pareek, K. Sud, A new substitutiondiffusion based image cipher using chaotic standard and logistic maps, Communications in Nonlinear Science and Numerical Simulation 14 (7) (2009) 3056–3075.
 (16) G. Álvarez, F. Montoya, M. Romera, G. Pastor, Cryptanalysis of a discrete chaotic cryptosystem using external key, Physics Letters A 319 (34) (2003) 334–339.
 (17) C. Li, S. Li, G. Álvarez, G. Chen, K.T. Lo, Cryptanalysis of a chaotic block cipher with external key and its improved version, Chaos, Solitons & Fractals 37 (1) (2008) 299–307.
 (18) C. Li, S. Li, M. Asim, J. Nunez, G. Alvarez, G. Chen, On the security defects of an image encryption scheme, Image and Vision Computing 27 (9) (2009) 1371–1381.
 (19) C. Li, S. Li, G. Álvarez, G. Chen, K.T. Lo, Cryptanalysis of two chaotic encryption schemes based on circular bit shift and XOR operations, Physics Letters A 369 (12) (2007) 23–30.
 (20) A. Rukhin, et al., A statistical test suite for random and pseudorandom number generators for cryptographic applications, NIST Special Publication 80022, available online at http://csrc.nist.gov/rng/rng2.html (2001).