On the cryptanalysis of Fridrich's chaotic image encryption scheme
Abstract
Utilizing complex dynamics of chaotic maps and systems in encryption has been studied comprehensively in the past two and a half decades. In 1989, Fridrich’s chaotic image encryption scheme was designed by iterating chaotic position permutation and value substitution for some rounds, and it received intensive attention in the field of chaos-based cryptography. In 2010, Solak et al. proposed a chosen-ciphertext attack on Fridrich’s scheme utilizing the influence network between cipher-pixels and the corresponding plain-pixels. Based on their creative work, this paper scrutinizes some properties of Fridrich’s scheme with concise mathematical language. Then, some minor defects in the real performance of Solak’s attack method are given. The work provides some bases for further optimizing attacks on Fridrich’s scheme and its variants.
keywords:
Chaotic encryption, chosen-ciphertext attack, cryptanalysis, differential attack.
1 Introduction
The complex dynamics of chaotic systems attracts researchers to utilize them as a new way to design secure and efficient encryption schemes (1); (2); (3); (4); (5); (6). The first chaos-based encryption scheme was proposed in 1989 (7), where a chaotic equation
(1) 
was derived to generate a pseudorandom number sequence and then mask the plaintext with modulo addition. Soon after publication of (7), it was pointed out that the period of the sequence generated by iterating Eq. (1) may be very short, especially when it is implemented with small computing precision, which may seriously compromise the security level of the scheme (8). Some special defects and properties of chaotic systems may facilitate cryptanalysis of chaos-based encryption schemes, e.g. chaotic synchronization (9), chaotic ergodicity (10), and parameter identification of chaotic system (11). The inadequate combination of chaotic dynamics and encryption architectures makes the complexity of recovering its secret key from some pairs of plaintexts and the corresponding ciphertexts, encrypted with the same secret key, lower than that of brute-force attack (12); (13); (14); (15). Some general rules on evaluating security of chaos-based encryption schemes can be found in (16); (17).
As quantitatively analyzed in (18); (19), any position permutation-only encryption scheme can be efficiently broken with only known/chosen plaintexts and the computational complexity of magnitude , where denotes the number of different gray values of the plaintexts, and (height×width) is the size of the encryption scheme’s permutation domain , whose every element denotes the mapping relation between the relative position of a permuted element in the plaintext and that in the corresponding ciphertext. As suggested in (20), iterating position permutation and value substitution for sufficiently many rounds can make an encryption scheme very strong against all kinds of attacks. Considering the significant impact of the structure of Fridrich’s scheme on a great number of chaotic encryption schemes, Solak’s chosen-ciphertext attack method proposed in (21) can be considered a breakthrough in the field of chaotic cryptanalysis.
According to the record of Web of Science, both papers (22) and (23) have been cited more than 500 times up to Aug 2016. Inspired by using space network (function graph) for attacking hash function in (24), we re-summarized some properties of Fridrich’s chaotic image encryption scheme with the methodology of complex networks (binary matrix). Then, we further evaluated the real performance of Solak’s chosen-ciphertext attack method and found that it has some minor defects. In addition, the performance of the extension of the attack idea to Chen’s scheme proposed in (23); (25) was also briefly evaluated.
2 Fridrich’s chaotic image encryption scheme
The plaintext encrypted by Fridrich’s chaotic image encryption scheme is a grayscale image of size

Encryption procedure:
1) Position Permutation: for , do
(2) where permutation matrix satisfies for any .
2) Value Substitution: for , carry out substitution function
(3) where , : is a fixed nonlinear function, is a pseudorandom number sequence, and is a predefined parameter .
3) Repetition: set and repeat the above two steps for times, where is a predefined positive integer.

Decryption procedure: it is similar to the encryption procedure except that the two main encryption steps are carried out in a reverse order, the permutation matrix is replaced by its inverse, and Eq. (3) is replaced by equation
(4) where .
Incorporating Eq. (2) into Eq. (3), one can get
(5) 
where is the inverse of . Combining Eq. (2) and Eq. (4), one has
(6) 
Since the publication of (22), a great number of methods have been proposed to modify some elements of the framework of Fridrich’s scheme from various aspects, such as using novel methods to generate the permutation matrix, defining a new concrete function in Eq. (3), and changing the operations involved in the substitution function.
3 Cryptanalysis
To facilitate further security analysis of Fridrich’s scheme, we represent some properties of Fridrich’s scheme reported in ((21), Sec. 3) with the methodology of matrix theory. Some critical details are appended to make their description complete; in particular, the conditions in Property 12 were found by us in the experiments.
3.1 Some properties of Fridrich’s scheme
Property 1.
There exists influence path between the th pixel of and the th one of (the value of the former may be influenced by that of the latter) if and only if
where ,
and
Proof.
First, we consider the case when is equal to one. Observing Eq. (4), one can see that relation between and can be presented by the matrix : the value of the th pixel of is influenced by that of the th one of if and not otherwise, where
(7) 
Permutation operation in Eq. (2) can be presented as multiplication of the permuted vector and an elementary matrix:
(8) 
So, one can assure that the value of the th pixel of may be influenced by that of the th pixel of if and not otherwise. Note that the influence may be cancelled by the modulo operation in Eq. (6). If , one can easily derive that the value of th pixel of is influenced by that of the th one of if and only if
∎
Property 2.
If , , difference of two sets of entries of is a subset of another similar set:
(9) 
where .
Proof.
From the definition of matrix multiplication and matrix (7), one has
\[
\begin{aligned}
(\hat{T})^{r}(x, j)
&= \sum_{k=1}^{HW} \hat{T}(x, k) \cdot (\hat{T})^{r-1}(k, j) \\
&= \sum_{k=1}^{HW} \sum_{l=1}^{HW} P(x, l) \cdot T(l, k) \cdot (\hat{T})^{r-1}(k, j) \\
&= \sum_{k=1}^{HW} P(x, w(x)) \cdot T(w(x), k) \cdot (\hat{T})^{r-1}(k, j) \\
&= \sum_{k=1}^{HW} T(w(x), k) \cdot (\hat{T})^{r-1}(k, j).
\end{aligned}
\]
As when , one can get the following two points when :

if and only if or when ;

if and only if when .
This means that
\[
\{j \mid (\hat{T})^{r}(x, j) > 0\} =
\begin{cases}
\{j \mid (\hat{T})^{r-1}(w(x), j) > 0\} & \text{if } w(x) = 0; \\
\{j \mid (\hat{T})^{r-1}(w(x), j) > 0\} \cup \{j \mid (\hat{T})^{r-1}(w(x)-1, j) > 0\} & \text{otherwise.}
\end{cases}
\]
Since , , one can deduce the following two sets of equations similarly:
\[
\begin{aligned}
\{j \mid (\hat{T})^{r}(y, j) > 0\}
&= \{j \mid (\hat{T})^{r-1}(w(y), j) > 0\} \cup \{j \mid (\hat{T})^{r-1}(w(y)-1, j) > 0\} \\
&= \{j \mid (\hat{T})^{r-1}(w(y), j) > 0\} \cup \{j \mid (\hat{T})^{r-1}(w(x), j) > 0\},
\end{aligned}
\]
and
\[
\begin{aligned}
\{j \mid (\hat{T})^{r}(z, j) > 0\}
&= \{j \mid (\hat{T})^{r-1}(w(z), j) > 0\} \cup \{j \mid (\hat{T})^{r-1}(w(z)-1, j) > 0\} \\
&= \{j \mid (\hat{T})^{r-1}(w(z), j) > 0\} \cup \{j \mid (\hat{T})^{r-1}(w(y), j) > 0\}.
\end{aligned}
\]
Using relation between absolute complement and relative complement of a set, one can obtain difference of the left parts of Eq. (2) and Eq. (2),
\[
\{j \mid (\hat{T})^{r}(y, j) > 0\} \setminus \{j \mid (\hat{T})^{r}(x, j) > 0\} =
\begin{cases}
\{j \mid (\hat{T})^{r-1}(w(y), j) > 0\} \cap \{j \mid (\hat{T})^{r}(x, j) = 0\} & \text{if } w(x) = 0; \\
\{j \mid (\hat{T})^{r-1}(w(y), j) > 0\} \cap \{j \mid (\hat{T})^{r-1}(w(x), j) = 0\} \cap \{j \mid (\hat{T})^{r-1}(w(x)-1, j) = 0\} & \text{otherwise.}
\end{cases}
\]
For either case of the above equation, one can get
(10) 
by observing the right part of Eq. (2). ∎
Corollary 1.
If , , then
(11) 
Property 3.
If , for any satisfying , one has
where the th row of is its row vector containing minimal number of nonzero element, i.e.,
(12) 
and .
Proof.
As shown in Fig. 1, there exist exactly three basic patterns for reducing the number of influencing cipher-pixels for a plain-pixel. If for any satisfying , the first two patterns in Fig. 1 can be excluded. Furthermore, the third one can be eliminated if . (A concrete counterexample is shown in Fig. 2.) Under the given condition in this property, there is only one influence path between any pair of cipher-pixel and plain-pixel. So, the th row of has nonzero elements while other rows all have nonzero elements. Then, one can correctly recover by checking condition (12). ∎
3.2 Description of Solak’s chosen-ciphertext attack
To facilitate the discussion in the next subsection, we concisely describe the process of Solak’s chosen-ciphertext attack method given in (21). Let denote the estimated version of . After recovering the approximate version of the influence matrix between ciphertext and the corresponding plaintext, Solak’s attack method prunes the search space of size (factorial of ) with the following steps:

Step 1) Set , where is the row number satisfying condition (12) itself.

Step 2) Let , where , is the right-hand set in condition (11) with , and .

Step 3) For , let , where , is the right-hand set in condition (9) with , , and . If is empty, one can assure that the current value of is wrong and continue the search with another of its candidate values.

Step 4) Repeat the above steps iteratively till variable reaches the maximal value, .
3.3 Real performance of Solak’s chosen-ciphertext attack
Observing Eq. (6), one can see that the th plain-pixel can be only influenced by one cipher-pixel in each encryption round if . After accumulation of rounds of encryption, the number of cipher-pixels influencing the th plain-pixel is smaller than that influencing other plain-pixels with very high probability, which serves as the basis of Step 1). The scope of the former is . In contrast, the scope of the latter is , whose lower bound can be achieved when there exist and satisfying for . Observing the right part of Fig. 3, one can see that the number of cipher-pixels influencing the th plain-pixel shifts from to monotonically when is increased from to . Property 12 only presents an extreme condition assuring that the estimation in Step 1) is definitely right. Interestingly, the condition in Property 12 is very similar to the problem of whether neighbors remain neighbors after random rearrangements, discussed in (26).
Now, we give a counterexample to show the deficiency of Solak’s chosen-ciphertext attack method. When , , the influence relation between the cipher-pixels and the corresponding plain-pixels is shown in Fig. 3. Its binary matrix form is presented in Fig. 4, which demonstrates that the 9th row has the fewest nonzero elements. According to Solak’s attack method, one can get , which contradicts the real value. As the initial step has a cascaded influence on the succeeding steps, the attack fails completely under the given secret key.
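The set recursion from the proof of Property 2 and the minimal-row test behind Step 1), as an added Python example (not code from the paper). It assumes 0-indexed pixels and that T(l, k) is nonzero only for k = l and k = l - 1, as the case split in that proof implies; both permutation vectors are constructed here, and the second one, where two rows tie for the fewest nonzero entries, is not the counterexample of Fig. 3.

```python
# Added illustration: supports of the r-round influence matrix (T_hat)^r.
# Assumptions: 0-indexed pixels; T(l, k) != 0 only for k == l and k == l - 1;
# entries are counted as influence paths, so nothing cancels.

def t_hat(w):
    """T_hat = P * T: row x of T_hat is row w[x] of T."""
    n = len(w)
    return [[1 if k in (w[x], w[x] - 1) else 0 for k in range(n)]
            for x in range(n)]

def mat_mul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def supports(w, r):
    """Return S[x] = {j : (T_hat)^r(x, j) > 0} for every row x."""
    n = len(w)
    m = [[int(i == j) for j in range(n)] for i in range(n)]  # identity, r = 0
    base = t_hat(w)
    for _ in range(r):
        m = mat_mul(base, m)
    return [{j for j, v in enumerate(row) if v > 0} for row in m]

def recursion_holds(w, r):
    """Check the set recursion used in the proof of Property 2 (r >= 1):
    row x at round r is the union of rows w(x) and w(x)-1 at round r-1,
    and only row w(x) when w(x) = 0."""
    prev, cur = supports(w, r - 1), supports(w, r)
    for x, wx in enumerate(w):
        expected = set(prev[wx])
        if wx > 0:
            expected |= prev[wx - 1]
        if cur[x] != expected:
            return False
    return True

def step1_candidates(w, r):
    """Rows with the fewest nonzero entries: the guesses for the x with w(x) = 0."""
    sizes = [len(s) for s in supports(w, r)]
    smallest = min(sizes)
    return [x for x, s in enumerate(sizes) if s == smallest]

# Constructed permutation vectors (not taken from the paper).
W_UNIQUE = [3, 0, 5, 2, 4, 1]      # minimal row is unique and correct
W_AMBIGUOUS = [4, 2, 1, 0, 5, 3]   # rows 3 and 5 tie, only row 3 is correct

if __name__ == "__main__":
    for w in (W_UNIQUE, W_AMBIGUOUS):
        print(w, "true row:", w.index(0),
              "step-1 candidates at r=2:", step1_candidates(w, 2))
```

In the second vector, neighbouring positions 2 and 3 map to neighbouring values 1 and 0, so the two influence sets merged for row 5 overlap and that row becomes as sparse as the true one.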
As shown in ((21), Sec. 4), when permutation vector and , the permutation vector can be uniquely recovered with Solak’s chosen-ciphertext attack method. However, when it is slightly changed as , eight possible values are obtained by the attack (see Fig. 5). To verify this point further, we performed Solak’s attack on a plaintext of size with 1,000 randomly assigned and three possible encryption rounds. The following five cases, in terms of attacking results, were counted: 1) the right key is enclosed; 2) the sole result is the right key; 3) both right key and wrong key exist; 4) no result is obtained; 5) all found results are wrong. Let , , , and denote the number of the five cases occurring among the 1,000 random experiments, respectively. The calculated results are shown in Table 1, which demonstrates that the attack results become worse as approaches more, which agrees with the analysis in the proof of Property 12.
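Table 1. Number of occurrences of each of the five cases among 1,000 random experiments (columns: the three numbers of encryption rounds).

Case                                    2     3     4
1) the right key is enclosed         1000   957   814
2) the sole result is the right key   964   867   571
3) both right key and wrong key exist  36    90   243
4) no result is obtained                0    43   180
5) all found results are wrong          0     0     6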
3.4 Real performance of extension of Solak’s attack to Chen’s scheme
In ((21), Sec. 5), it was claimed that Solak’s chosen-plaintext attack method can be applied to Chen’s scheme easily and effectively due to the similar structure. However, we found some differences caused by the different basic encryption operations.
In (23); (25), Chen’s scheme changes Eq. (3) as
Accordingly, Eq. (4) becomes
(13) 
Combining Eq. (2) and Eq. (13), one has
(14) 
When , and , the number of different influence paths between a cipher-pixel and any plain-pixel is shown in Fig. 6. Due to the bitwise exclusive or (XOR) operation used in Eq. (13), the influence of a cipher-pixel on an influenced plain-pixel may be cancelled when there are multiple influence paths between them. So, some influence paths cannot be recovered. Note that an error in even one element of the influence matrix may cause an attack step based on set comparison to fail and disable the following steps due to the cascading influence. More discussions on the composite function of modulo addition and XOR operation can be found in ((27), Sec. 3.1). Figure 7 shows the influence matrix obtained by changing every cipher-pixel with the fixed value one, which has six unrecovered influence paths. As a recovered influence matrix of sufficient accuracy is a requisite condition for the success of Solak’s attack method, one has to improve its correct ratio by changing cipher-pixels with other values (more cipher-images).
4 Conclusion
Based on the work in (21), this paper formulated some properties of Fridrich’s chaotic image encryption scheme with matrix theory and reported some minor defects of Solak’s chosen-ciphertext attack method on it. The work may help designers of chaotic encryption schemes to realize the fundamental importance of the underlying encryption architecture for security performance (30). The following problems on cryptanalyzing Fridrich’s chaotic image encryption scheme deserve further investigation: decreasing the required number of chosen ciphertexts with the special properties of the influence matrix between cipher-pixels and the corresponding plain-pixels; reducing the computational complexity of the chosen-ciphertext attack; disclosing the influence matrix under the scenario of known/chosen-plaintext attack.
Acknowledgement
This research was supported by Hunan Provincial Natural Science Foundation of China (No. 2015JJ1013), Scientific Research Fund of Hunan Provincial Education Department (No. 15A186), and the National Natural Science Foundation of China (No. 61532020).
Footnotes
 For simplicity, use to denote .
References
(1) T. Xiang, K.-W. Wong, X. Liao, Selective image encryption using a spatiotemporal chaotic system, Chaos 17 (2) (2007) art. no. 023115.
(2) H. Liu, Y. Liu, Security assessment on block-cat-map based permutation applied to image encryption scheme, Optics & Laser Technology 56 (2014) 313–316. doi:10.1016/j.optlastec.2013.09.012.
(3) Z. Lin, S. Yu, J. Lu, S. Cai, G. Chen, Design and ARM-embedded implementation of a chaotic map-based real-time secure video communication system, IEEE Transactions on Circuits and Systems for Video Technology 25 (7) (2015) 1203–1216.
(4) Y. Zhou, Z. Hua, C.-M. Pun, C. L. P. Chen, Cascade chaotic system with applications, IEEE Transactions on Cybernetics 45 (9) (2015) 2001–2012.
(5) Z. Hua, Y. Zhou, Image encryption using 2D Logistic-adjusted-Sine map, Information Sciences 339 (2016) 237–253.
(6) A. Belazi, A. A. A. El-Latif, S. Belghith, A novel image encryption scheme based on substitution-permutation network and chaos, Signal Processing 128 (2016) 155–170.
(7) R. Matthews, On the derivation of a “chaotic” encryption algorithm, Cryptologia 13 (1) (1989) 29–42.
(8) D. D. Wheeler, Problems with chaotic cryptosystems, Cryptologia 13 (3) (1989) 243–250.
(9) T. Beth, D. E. Lazic, A. Mathias, Cryptanalysis of cryptosystems based on remote chaos replication, in: Advances in Cryptology–Crypto’94, Vol. 839 of Lecture Notes in Computer Science, 1994, pp. 318–331.
(10) D. Arroyo, G. Alvarez, S. Li, C. Li, V. Fernandez, Cryptanalysis of a new chaotic cryptosystem based on ergodicity, International Journal of Modern Physics B 23 (5) (2009) 651–659.
(11) E. Solak, Partial identification of Lorenz system and its application to key space reduction of chaotic cryptosystems, IEEE Transactions on Circuits and Systems II: Express Briefs 51 (10) (2004) 557–560.
(12) E. Biham, Cryptanalysis of the chaotic-map cryptosystem suggested at Eurocrypt’91, in: Advances in Cryptology–Crypto’91, Vol. 547 of Lecture Notes in Computer Science, 1991, pp. 532–534.
(13) D. Arroyo, J. Diaz, F. B. Rodriguez, Cryptanalysis of a one round chaos-based substitution permutation network, Signal Processing 93 (5) (2013) 1358–1364.
(14) C. Li, Y. Liu, T. Xie, M. Z. Q. Chen, Breaking a novel image encryption scheme based on improved hyperchaotic sequences, Nonlinear Dynamics 73 (3) (2013) 2083–2089.
(15) W.-S. Yap, R. C.-W. Phan, W.-C. Yau, S.-H. Heng, Cryptanalysis of a new image alternate encryption algorithm based on chaotic map, Nonlinear Dynamics 80 (3) (2015) 1483–1491.
(16) G. Álvarez, S. Li, Some basic cryptographic requirements for chaos-based cryptosystems, International Journal of Bifurcation and Chaos 16 (8) (2006) 2129–2151.
(17) G. Alvarez, J. M. Amigó, D. Arroyo, S. Li, Lessons learnt from the cryptanalysis of chaos-based ciphers, in: L. Kocarev, S. Lian (Eds.), Chaos-Based Cryptography: Theory, Algorithms and Applications, Vol. 354 of Studies in Computational Intelligence, Springer, 2011, pp. 257–295.
(18) C. Li, K.-T. Lo, Optimal quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, Signal Processing 91 (4) (2011) 949–954.
(19) C. Li, Cracking a hierarchical chaotic image encryption algorithm based on permutation, Signal Processing 118 (2016) 203–210.
(20) C. E. Shannon, Communication theory of secrecy systems, Bell System Technical Journal 28 (4) (1949) 656–715.
(21) E. Solak, C. Cokal, O. T. Yildiz, T. Biyikoglu, Cryptanalysis of Fridrich’s chaotic image encryption, International Journal of Bifurcation and Chaos 20 (5) (2010) 1405–1413.
(22) J. Fridrich, Symmetric ciphers based on two-dimensional chaotic maps, International Journal of Bifurcation and Chaos 8 (6) (1998) 1259–1284.
(23) G. Chen, Y. Mao, C. K. Chui, A symmetric image encryption scheme based on 3D chaotic cat maps, Chaos, Solitons & Fractals 21 (3) (2004) 749–761.
(24) G. Leurent, T. Peyrin, L. Wang, New generic attacks against hash-based MACs, in: Advances in Cryptology–Asiacrypt 2013, Vol. 8270 of Lecture Notes in Computer Science, 2013, pp. 1–20.
(25) Y. Mao, G. Chen, S. Lian, A novel fast image encryption scheme based on 3D chaotic baker maps, International Journal of Bifurcation and Chaos 14 (10) (2004) 3613–3624.
(26) M. Abramson, W. O. J. Moser, Permutations without rising or falling sequences, The Annals of Mathematical Statistics 38 (4) (1967) 1245–1254.
(27) C. Li, Y. Liu, L. Y. Zhang, M. Z. Q. Chen, Breaking a chaotic image encryption algorithm based on modulo addition and XOR operation, International Journal of Bifurcation and Chaos 23 (4) (2013) art. no. 1350075.
(28) K. Wang, W. Pei, L. Zou, A. Song, Z. He, On the security of 3D cat map based symmetric image encryption scheme, Physics Letters A 343 (6) (2005) 432–439.
(29) C. Li, G. Chen, On the security of a class of image encryption schemes, in: Proceedings of 2008 IEEE International Symposium on Circuits and Systems, 2008, pp. 3290–3293.
(30) Y. Liu, H. Fan, E. Y. Xie, G. Cheng, C. Li, Deciphering an image cipher based on mixed transformed logistic maps, International Journal of Bifurcation and Chaos 25 (13) (2015) Article number 1550188. doi:http://dx.doi.org/10.1142/S0218127415501886.