On the cryptanalysis of Fridrich’s chaotic image encryption scheme
The use of the complex dynamics of chaotic maps and systems in encryption has been studied comprehensively over the past two and a half decades. In 1989, Fridrich’s chaotic image encryption scheme was designed by iterating chaotic position permutation and value substitution for some rounds, and it received intensive attention in the field of chaos-based cryptography. In 2010, Solak et al. proposed a chosen-ciphertext attack on Fridrich’s scheme utilizing the influence network between cipher-pixels and the corresponding plain-pixels. Based on their creative work, this paper scrutinized some properties of Fridrich’s scheme with concise mathematical language. Then, some minor defects in the real performance of Solak’s attack method were given. The work provides some bases for further optimizing attacks on Fridrich’s scheme and its variants.
Keywords: chaotic encryption, chosen-ciphertext attack, cryptanalysis, differential attack.
The complex dynamics of chaotic systems attracts researchers to utilize them as a new way to design secure and efficient encryption schemes [1, 2, 3, 4, 5, 6]. The first chaos-based encryption scheme was proposed in 1989 [7], where a chaotic equation
was derived to generate a pseudo-random number sequence and then mask the plaintext with modulo addition. Soon after the publication of [7], it was pointed out that the period of the sequence generated by iterating Eq. (1) may be very short, especially when it is implemented with small computing precision, which may seriously compromise the security level of the scheme [8]. Some special defects and properties of chaotic systems may facilitate cryptanalysis of chaos-based encryption schemes, e.g. chaotic synchronization [9], chaotic ergodicity [10], and parameter identification of chaotic systems [11]. An inadequate combination of chaotic dynamics and encryption architectures makes the complexity of recovering the secret key from some pairs of plaintexts and the corresponding ciphertexts, encrypted with the same secret key, lower than that of a brute-force attack [12, 13, 14, 15]. Some general rules on evaluating the security of chaos-based encryption schemes can be found in [16, 17].
As quantitatively analyzed in [18, 19], any position permutation-only encryption scheme can be efficiently broken with only known/chosen plaintexts and the computational complexity of magnitude , where denotes the number of different gray-values of the plaintexts, and (height × width) is the size of the encryption scheme’s permutation domain , whose every element denotes the mapping relation between the relative position of a permuted element in the plaintext and that in the corresponding ciphertext. As suggested in [20], iterating position permutation and value substitution for sufficient rounds can make an encryption scheme very strong against all kinds of attacks. Considering the significant impact of the structure of Fridrich’s scheme on a great number of chaotic encryption schemes, Solak’s chosen-ciphertext attack method proposed in [21] can be considered a breakthrough in the field of chaotic cryptanalysis.
According to the record of Web of Science, both papers [22] and [23] have been cited more than 500 times up to Aug 2016. Inspired by the use of a space network (function graph) for attacking hash functions in [24], we re-summarized some properties of Fridrich’s chaotic image encryption scheme with the methodology of complex networks (binary matrix). Then, we further evaluated the real performance of Solak’s chosen-ciphertext attack method and found that it has some minor defects. In addition, the performance of the extension of the attack idea to Chen’s scheme proposed in [23, 25] was also briefly evaluated.
2 Fridrich’s chaotic image encryption scheme
The plaintext encrypted by Fridrich’s chaotic image encryption scheme is a gray-scale image of size , which can be denoted by a sequence of length in domain , , by scanning it in the raster order (footnote 1: for simplicity, use to denote ). The corresponding cipher-image is . The framework of Fridrich’s scheme can be described as follows.
1) Position Permutation: for , do
where permutation matrix satisfies for any .
2) Value Substitution: for , carry out substitution function
where , : is a fixed nonlinear function, is a pseudo-random number sequence, and is a pre-defined parameter .
3) Repetition: set and repeat the above two steps for times, where is a predefined positive integer.
Decryption procedure: it is similar to the encryption procedure except that the two main encryption steps are carried out in a reverse order, the permutation matrix is replaced by its inverse, and Eq. (3) is replaced by equation
Since the publication of [22], a great number of methods have been proposed to modify some elements of the framework of Fridrich’s scheme from various aspects, such as using novel methods to generate the permutation matrix; defining a new concrete function in Eq. (3); changing the operations involved in the substitution function.
To facilitate further security analysis of Fridrich’s scheme, we re-present some properties of Fridrich’s scheme reported in [21, Sec. 3] with the methodology of matrix theory. Some critical details are appended to make their description complete; in particular, the conditions in Property 3 were found by us in the experiments.
3.1 Some properties of Fridrich’s scheme
There exists influence path between the -th pixel of and the -th one of (the value of the former may be influenced by that of the latter) if and only if
First, we consider the case when is equal to one. Observing Eq. (4), one can see that relation between and can be presented by the matrix : the value of the -th pixel of is influenced by that of the -th one of if and not otherwise, where
Permutation operation in Eq. (2) can be presented as multiplication of the permuted vector and an elementary matrix:
So, one can assure that the value of the -th pixel of may be influenced by that of the -th pixel of if and not otherwise. Note that the influence may be cancelled by the modulo operation in Eq. (6). If , one can easily derive that the value of -th pixel of is influenced by that of the -th one of if and only if
If , , difference of two sets of entries of is a subset of another similar set:
From the definition of matrix multiplication and matrix (7), one has
As when , one can get the following two points when :
if and only if or when ;
if and only if when .
This means that
Since , , one can deduce the following two sets of equations similarly:
For either case of the above equation, one can get
by observing the right part of Eq. (3.1). ∎
If , , then
If , for any satisfying , one has
where the -th row of is its row vector containing minimal number of non-zero element, i.e.,
As shown in Fig. 1, there exist exactly three basic patterns for reducing the number of influencing cipher-pixels for a plain-pixel. If for any satisfying , the first two patterns in Fig. 1 can be excluded. Furthermore, the third one can be eliminated if . (A concrete counterexample is shown in Fig. 2.) Under the given condition in this property, there is only one influence path between any pair of cipher-pixel and plain-pixel. So, the -th row of has non-zero elements while other rows all have non-zero elements. Then, one can correctly recover by checking condition (16). ∎
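Added example (not code from the paper): a toy model of the influence matrix discussed in this subsection, computed as a boolean matrix power and compared with what single-pixel ciphertext changes reveal after decryption. The conventions s[i] = p[w[i]] and c[i] = (s[i] + g(c[i-1]) + h[i]) mod 256, as well as g, h, C0 and both 6-pixel permutations, are assumptions constructed for illustration because the page's Eqs. (2)-(4) are not reproduced here. The second permutation goes beyond the text: two neighbouring positions stay neighbours, and the row with the fewest non-zero entries is no longer unique.

```python
# Added toy model, not the paper's code. ASSUMED conventions: s[i] = p[w[i]] and
# c[i] = (s[i] + g(c[i-1]) + h[i]) mod 256 with c[-1] = C0.
C0 = 7  # constructed stand-in for the pre-defined parameter

def g(x):
    # constructed nonlinear byte function (hypothetical)
    return (x * x + 3 * x + 1) % 256

def encrypt(p, w, h, r):
    for _ in range(r):
        s = [p[w[i]] for i in range(len(p))]        # position permutation
        c, prev = [], C0
        for i, v in enumerate(s):                   # chained value substitution
            prev = (v + g(prev) + h[i]) % 256
            c.append(prev)
        p = c
    return p

def decrypt(c, w, h, r):
    for _ in range(r):
        p = [0] * len(c)
        for i in range(len(c)):
            prev = c[i - 1] if i else C0
            p[w[i]] = (c[i] - g(prev) - h[i]) % 256  # undo substitution, then permutation
        c = p
    return c

def structural_influence(w, r):
    """Row x = set of cipher-pixels with an influence path to plain-pixel x."""
    one = [set() for _ in w]
    for i in range(len(w)):
        one[w[i]] = {i, i - 1} if i else {0}        # one decryption round
    rows = one
    for _ in range(r - 1):                          # boolean matrix power
        rows = [set().union(*(one[j] for j in row)) for row in rows]
    return rows

def observed_influence(w, h, r, c, deltas=(1,)):
    """Change one cipher-pixel at a time, decrypt, record which plain-pixels move."""
    base = decrypt(c, w, h, r)
    rows = [set() for _ in w]
    for j in range(len(c)):
        for d in deltas:
            c2 = c[:j] + [(c[j] + d) % 256] + c[j + 1:]
            for x, (a, b) in enumerate(zip(base, decrypt(c2, w, h, r))):
                if a != b:
                    rows[x].add(j)
    return rows

def lightest_rows(rows):
    m = min(len(s) for s in rows)
    return [x for x, s in enumerate(rows) if len(s) == m]

if __name__ == "__main__":
    h = [11, 200, 45, 97, 3, 150]                   # constructed keystream
    for w in ([2, 0, 4, 1, 5, 3], [3, 2, 0, 5, 1, 4]):  # constructed permutations
        rows = structural_influence(w, 2)
        seen = observed_influence(w, h, 2, [9, 8, 7, 6, 5, 4])
        print(w, "w[0] =", w[0], "lightest rows:", lightest_rows(rows),
              "paths hidden by cancellation:", sum(len(a - b) for a, b in zip(rows, seen)))
```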
3.2 Description of Solak’s chosen-ciphertext attack
To facilitate the discussion in the next subsection, we concisely describe the process of Solak’s chosen-ciphertext attack method given in [21]. Let denote the estimated version of . After recovering the approximate version of the influence matrix between the ciphertext and the corresponding plaintext, Solak’s attack method prunes the search space of size (factorial of ) with the following steps:
Step 1) Set , where is the row number satisfying condition (16) itself.
Step 2) Let , where , is the right-hand set in condition (15) with , and .
Step 3) For , let , where , is the right-hand set in condition (9) with , , and . If is empty, one can be sure that the current value of is wrong and continue the search with another of its candidate values.
Step 4) Repeat the above steps iteratively till variable reaches the maximal value, .
3.3 Real performance of Solak’s chosen-ciphertext attack
Observing Eq. (6), one can see that the -th plain-pixel can be only influenced by one cipher-pixel in each encryption round if . After accumulation of rounds of encryption, the number of cipher-pixels influencing the -th plain-pixel is smaller than that influencing other plain-pixels with very high probability, which serves as the basis of Step 1). The scope of the former is . In contrast, the scope of the latter is , whose lower bound can be achieved when there exist and satisfying for . Observing the right part of Fig. 3, one can see that the number of cipher-pixels influencing the -th plain-pixel shifts from to monotonically when is increased from to . Property 3 only presents an extreme condition assuring that the estimation in Step 1) is definitely right. Interestingly, the condition in Property 3 is very similar to the problem of neighbors remaining neighbors after random rearrangements, discussed in [26].
Now, we give a counterexample to show the deficiency of Solak’s chosen-ciphertext attack method. When , , the influence relation between the cipher-pixels and the corresponding plain-pixels is shown in Fig. 3. Its binary matrix form is presented in Fig. 4, which demonstrates that the 9th row has the fewest non-zero elements. According to Solak’s attack method, one can get , which contradicts the real value. As the initial step has a cascading influence on the succeeding steps, the attack fails completely under the given secret key.
As shown in [21, Sec. 4], when permutation vector and , the permutation vector can be uniquely recovered with Solak’s chosen-ciphertext attack method. However, when it is slightly changed as , eight possible values are obtained by the attack (see Fig. 5). To verify this point further, we performed Solak’s attack on a plaintext of size with 1,000 randomly assigned and three possible encryption rounds. The following five cases, in terms of attacking results, were counted: 1) the right key is enclosed; 2) the sole result is the right key; 3) both right key and wrong key exist; 4) no result is obtained; 5) all found results are wrong. Let , , , and denote the number of the five cases occurring among 1,000 random experiments, respectively. The calculated results are shown in Table 1, which demonstrates that the attack results become worse as approaches more closely, which agrees with the analysis in the proof of Property 3.
3.4 Real performance of extension of Solak’s attack to Chen’s scheme
In [21, Sec. 5], it was claimed that Solak’s chosen-plaintext attack method can be applied to Chen’s scheme easily and effectively due to similar structure. However, we found some differences caused by the different basic encryption operations.
Accordingly, Eq. (4) becomes
When , and , the number of different influence paths between a cipher-pixel and any plain-pixel is shown in Fig. 6. Due to the bitwise exclusive or (XOR) operation used in Eq. (17), the influence of a cipher-pixel on an influenced plain-pixel may be cancelled when there are multiple influence paths between them. So, some influence paths cannot be recovered. Note that an error in even one element of the influence matrix may cause an attack step based on set comparison to fail and disable the following steps due to the cascading influence. More discussion of the composite function of modulo addition and XOR operation can be found in [27, Sec. 3.1]. Figure 7 shows the influence matrix obtained by changing every cipher-pixel with the fixed value one, which has six unrecovered influence paths. As a recovered influence matrix of sufficient accuracy is a requisite condition for the success of Solak’s attack method, one has to improve its correct ratio by changing cipher-pixels with other values (more cipher-images).
Note that an equivalent version of the position permutation and value substitution of the 1-round version of Chen’s scheme was successfully recovered with some chosen plaintexts in [28]. Its weak sensitivity with respect to changes of secret key and plaintext was demonstrated in detail in [29].
Based on the work in [21], this paper formulated some properties of Fridrich’s chaotic image encryption scheme with matrix theory and reported some minor defects of Solak’s chosen-ciphertext attack method on it. The work may help designers of chaotic encryption schemes to realize the fundamental importance of the underlying encryption architecture for security performance [30]. The following problems on cryptanalyzing Fridrich’s chaotic image encryption scheme deserve further investigation: decreasing the required number of chosen ciphertexts with the special properties of the influence matrix between cipher-pixels and the corresponding plain-pixels; reducing the computational complexity of the chosen-ciphertext attack; disclosing the influence matrix under the scenario of known/chosen-plaintext attack.
This research was supported by Hunan Provincial Natural Science Foundation of China (No. 2015JJ1013), Scientific Research Fund of Hunan Provincial Education Department (No. 15A186), and the National Natural Science Foundation of China (No. 61532020).
- (1) T. Xiang, K.-W. Wong, X. Liao, Selective image encryption using a spatiotemporal chaotic system, Chaos 17 (2) (2007) art. no. 023115.
- (2) H. Liu, Y. Liu, Security assessment on block-cat-map based permutation applied to image encryption scheme, Optics & Laser Technology 56 (2014) 313–316. doi:10.1016/j.optlastec.2013.09.012.
- (3) Z. Lin, S. Yu, J. Lu, S. Cai, G. Chen, Design and ARM-embedded implementation of a chaotic map-based real-time secure video communication system, IEEE Transactions on Circuits and Systems for Video Technology 25 (7) (2015) 1203–1216.
- (4) Y. Zhou, Z. Hua, C.-M. Pun, C. L. P. Chen, Cascade chaotic system with applications, IEEE Transactions on Cybernetics 45 (9) (2015) 2001–2012.
- (5) Z. Hua, Y. Zhou, Image encryption using 2D Logistic-adjusted-Sine map, Information Sciences 339 (2016) 237–253.
- (6) A. Belazi, A. A. A. El-Latif, S. Belghith, A novel image encryption scheme based on substitution-permutation network and chaos, Signal Processing 128 (2016) 155–170.
- (7) R. Matthews, On the derivation of a “chaotic” encryption algorithm, Cryptologia 13 (1) (1989) 29–42.
- (8) D. D. Wheeler, Problems with chaotic cryptosystems, Cryptologia 13 (3) (1989) 243–250.
- (9) T. Beth, D. E. Lazic, A. Mathias, Cryptanalysis of cryptosystems based on remote chaos replication, in: Advances in Cryptology–Crypto’94, Vol. 839 of Lecture Notes in Computer Science, 1994, pp. 318–331.
- (10) D. Arroyo, G. Alvarez, S. Li, C. Li, V. Fernandez, Cryptanalysis of a new chaotic cryptosystem based on ergodicity, International Journal of Modern Physics B 23 (5) (2009) 651–659.
- (11) E. Solak, Partial identification of Lorenz system and its application to key space reduction of chaotic cryptosystems, IEEE Transactions on Circuits and Systems II: Express Briefs 51 (10) (2004) 557–560.
- (12) E. Biham, Cryptanalysis of the chaotic-map cryptosystem suggested at Eurocrypt’91, in: Advances in Cryptology–Crypto’91, Vol. 547 of Lecture Notes in Computer Science, 1991, pp. 532–534.
- (13) D. Arroyo, J. Diaz, F. B. Rodriguez, Cryptanalysis of a one round chaos-based substitution permutation network, Signal Processing 93 (5) (2013) 1358–1364.
- (14) C. Li, Y. Liu, T. Xie, M. Z. Q. Chen, Breaking a novel image encryption scheme based on improved hyperchaotic sequences, Nonlinear Dynamics 73 (3) (2013) 2083–2089.
- (15) W.-S. Yap, R. C.-W. Phan, W.-C. Yau, S.-H. Heng, Cryptanalysis of a new image alternate encryption algorithm based on chaotic map, Nonlinear Dynamics 80 (3) (2015) 1483–1491.
- (16) G. Álvarez, S. Li, Some basic cryptographic requirements for chaos-based cryptosystems, International Journal of Bifurcation and Chaos 16 (8) (2006) 2129–2151.
- (17) G. Alvarez, J. M. Amigó, D. Arroyo, S. Li, Lessons learnt from the cryptanalysis of chaos-based ciphers, in: L. Kocarev, S. Lian (Eds.), Chaos-Based Cryptography: Theory, Algorithms and Applications, Vol. 354 of Studies in Computational Intelligence, Springer, 2011, pp. 257–295.
- (18) C. Li, K.-T. Lo, Optimal quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, Signal Processing 91 (4) (2011) 949–954.
- (19) C. Li, Cracking a hierarchical chaotic image encryption algorithm based on permutation, Signal Processing 118 (2016) 203–210.
- (20) C. E. Shannon, Communication theory of secrecy systems, Bell System Technical Journal 28 (4) (1949) 656–715.
- (21) E. Solak, C. Cokal, O. T. Yildiz, T. Biyikoglu, Cryptanalysis of Fridrich’s chaotic image encryption, International Journal of Bifurcation and Chaos 20 (5) (2010) 1405–1413.
- (22) J. Fridrich, Symmetric ciphers based on two-dimensional chaotic maps, International Journal of Bifurcation and Chaos 8 (6) (1998) 1259–1284.
- (23) G. Chen, Y. Mao, C. K. Chui, A symmetric image encryption scheme based on 3D chaotic cat maps, Chaos, Solitons & Fractals 21 (3) (2004) 749–761.
- (24) G. Leurent, T. Peyrin, L. Wang, New generic attacks against hash-based MACs, in: Advances in Cryptology–Asiacrypt 2013, Vol. 8270 of Lecture Notes in Computer Science, 2013, pp. 1–20.
- (25) Y. Mao, G. Chen, S. Lian, A novel fast image encryption scheme based on 3D chaotic baker maps, International Journal of Bifurcation and Chaos 14 (10) (2004) 3613–3624.
- (26) M. Abramson, W. O. J. Moser, Permutations without rising or falling -sequences, The Annals of Mathematical Statistics 38 (4) (1967) 1245–1254.
- (27) C. Li, Y. Liu, L. Y. Zhang, M. Z. Q. Chen, Breaking a chaotic image encryption algorithm based on modulo addition and XOR operation, International Journal of Bifurcation and Chaos 23 (4) (2013) art. no. 1350075.
- (28) K. Wang, W. Pei, L. Zou, A. Song, Z. He, On the security of 3D cat map based symmetric image encryption scheme, Physics Letters A 343 (6) (2005) 432–439.
- (29) C. Li, G. Chen, On the security of a class of image encryption schemes, in: Proceedings of 2008 IEEE International Symposium on Circuits and Systems, 2008, pp. 3290–3293.
- (30) Y. Liu, H. Fan, E. Y. Xie, G. Cheng, C. Li, Deciphering an image cipher based on mixed transformed logistic maps, International Journal of Bifurcation and Chaos 25 (13) (2015) art. no. 1550188. doi:10.1142/S0218127415501886.