Breaking a modified substitution-diffusion image cipher based on chaotic standard and logistic maps

Breaki n g a mo dified substituti o n-diffusion imag e cipher based on chaotic standar d and logisti c maps Chengqing Li ∗ ,a , Sh ujun Li ∗ ,b , Kw ok-T ung Lo a a Dep artment of Ele ctr onic and I nf ormat ion Engine ering, The Hong Kong Polyte chnic University, Hong Kong, China b F achb er eich Informatik und I nformationswisse nschaft, U ni ve rsit¨ at Konstanz, F ach M697, Universit¨ atsstr aße 10, 78457 Konstanz, Germany Abstract Recen tly , an image encry p tio n sc heme b a sed on c haotic standard and logistic maps was prop osed b y Patidar et al. It was later rep orted b y Rhouma et al. that an equiv alent secret ke y can b e reconstructed with only one kn o wn/c hosen-plaintext and the corresp onding ciphertext. Pa tidar et al. so on mo dified the original sc h e me and claimed that the mo dified sc heme is secure against Rhouma et al.’s attac k. In this pap er, we p oin t out that th e modifi ed sc heme is still in sec ure against the same kn o wn/c hosen-plainte xt attac k. In add iti on, some other securit y defects existing in b oth the original and the mo dified schemes are also r eported. Key wor ds: cryptanalysis, kno wn-plaintext attac k, c h o sen-plainte xt attac k, encryp t ion, image, c haos 1. In tro duction With the rapid dev elopmen t of inform a tion tec hnology , m ultimedia data are transmitted o v er all kinds of wired/wireless net w orks m o re and more frequently . Consequently , s e curity of multimedia data b ecomes a serious concern in man y applications. Ho we ve r, traditional text encryption schemes cannot b e used in a naiv e wa y to protect multimedia d ata efficien tly in some app lic ations, mainly due to some sp ecial requir e ments of the w hole multimedia system. This chall enge stirs the design of sp eci al m ultimedia encryption sc hemes to b ecome a hot researc h topic in the past t wo decades. Because of the subtle similarit y b et w een c haos and cryptograph y , a great num b er of m ultimedia encryption sc hemes based on c haos h a v e b een presented [1, 2 , 3, 4]. Unfortunately , many of th e m ha v e b ee n foun d to ha v e securit y p r o blems fr om the cryptographical p oin t of view [5, 6, 7, 8, 9]. Some general rules ab out ev aluating securit y of c haos-based encryption schemes can b e found in [10, 11]. Since 20 03, P areek et al. h av e pr oposed a num b er of different encryption sc hemes based on one or more c haotic maps [12, 13, 14, 15]. Recen t cryptanalytic results [16, 17, 18] ha v e sho w n that all the three s c hemes prop osed in [12, 13, 14] ha v e securit y defects. In [15], a new image encryption sc heme based on the logistic and standard maps w as prop osed, where the t w o maps are u sed to ∗ Corresponding authors. Email addr ess: zjulcq@gmail.com (Chengqing Li) URL: www.hooklee.co m (Shujun Li) Pr eprint submitte d to Communic ations in Nonline ar Scienc e and Num e ric al Simul at ion July 30, 2018 generate a pseudo-random n umb er sequen c e (PRNS ) con tr olling t w o kinds of encryp ti on op erations. In [19], R h ouma et al. rep orted that the sc heme is not secure in the sense that an equiv alent k ey can b e obtained from only one known/c hosen p la in-image and the corresp onding cipher-image. T o resist Rhouma et al.’s attac k, a mo dified ve rsion of the original sc heme was prop osed in [20]. The present pap er rep orts the follo wing fi ndings: 1) the m odified image encryp tio n sc heme can still b e brok en by the same kno wn/c hosen-plain text attac k under th e same cond it ion; 2) there are some other securit y defects existing in b oth the mo dified and the original sc h e mes. The rest of this pap er is orga nized as follo ws . Section 2 briefly in tro duces the image encryption sc hemes un der stud y and the known/c hosen-plainte xt attac k rep orted in [19]. Our cr y p ta nalytic results are presen ted in Sec. 3 in detail. The last section concludes the pap er. 2. The image encryption sc hemes under study and Rhouma et al.’s attac k F or b oth schemes, we make the follo wing assumptions to ea se our description 1 . The plainte xt is a RGB true-color image of size H × W (h e ight × width ), w hic h can b e denoted by an H × W matrix of 3-tuple pixel v alues I = { I ( i , j ) } 0 ≤ i ≤ H − 1 0 ≤ j ≤ W − 1 = { ( R ( i, j ) , G ( i, j ) , B ( i, j )) } 0 ≤ i ≤ H − 1 0 ≤ j ≤ W − 1 . Similarly , the ci- phertext corresp onding to I is denoted by I ′ = { I ′ ( i, j ) } 0 ≤ i ≤ H − 1 0 ≤ j ≤ W − 1 = { ( R ′ ( i, j ) , G ′ ( i, j ) , B ′ ( i, j )) } 0 ≤ i ≤ H − 1 0 ≤ j ≤ W − 1 . T o fu rther fac ilitate our discussion, we adopt the terms in [20]: the original image encryption sc heme is calle d PPS09 and the mod ified one mPPS09. 2.1. The original image encryption scheme PPS09 [15] • Se cr et key : three floating-p oin t n umb e rs x 0 , y 0 , K , and one intege r N , where x 0 , y 0 ∈ (0 , 2 π ), K > 18, 100 < N < 1100. • Initializatio n : prepare data for encryption/decryption b y p erforming the follo wing steps. – Generate four X ORing k eys as follo w s: Xkey (1) = ⌊ 25 6 x 0 / (2 π ) ⌋ , Xke y (2) = ⌊ 256 y 0 / (2 π ) ⌋ , Xkey (3) = ⌊ K mo d 256 ⌋ , X key (4 ) = ( N mo d 256). Then, generate a pseudo-image I Xkey = { ( R Xkey ( i, j ) , G Xkey ( i, j ) , B Xkey ( i, j )) } 0 ≤ i ≤ H − 1 0 ≤ j ≤ W − 1 b y filling an H × W matrix with the four X ORing k eys rep eatedly: R Xkey ( i, j ) = Xkey ((3 k mod 4) + 1), G Xkey ( i, j ) = Xkey (((3 k + 1) mo d 4) + 1), B Xkey ( i, j ) = Xkey ((( 3 k + 2) m o d 4) + 1), where k = iW + j . – Iterate the standard map Eq. (1) from the initial conditions ( x 0 , y 0 ) for N times to obtain a n ew c haotic s tate ( x ′ 0 , y ′ 0 ). Then, further iterate it for H W more times to get H W c haotic states { ( x i , y i ) } H W i =1 . ( x = ( x + K sin( y )) mo d (2 π ) , y = ( y + x + K sin( y )) mo d (2 π ) , (1) – Iterate the logistic map Eq. (2) from the initial condition z 0 = (( x ′ 0 + y ′ 0 ) m o d 1) for N times to get a new initial condition z ′ 0 . Th en , fu rther iterate it for H W times to get H W c haotic states { z i } H W i =1 . z = 4 z (1 − z ) . (2) 1 T o make the presentation more concise and more consistent, some notations in the original papers [15, 20] are also mo dified. 2 – Generate a ps e ud o-image I CKS = { ( R CKS ( i, j ) , G CKS ( i, j ) , B CKS ( i, j )) } 0 ≤ i ≤ H − 1 0 ≤ j ≤ W − 1 b y filling its R, G an d B c hannels with the three chao tic key streams (CK S ) { x k } H W k =1 , { y k } H W k =1 and { z k } H W k =1 : R CKS ( i, j ) = ⌊ 256 x k / (2 π ) ⌋ , G CKS ( i, j ) = ⌊ 256 y k / (2 π ) ⌋ , B CKS ( i, j ) = ⌊ 256 z k ⌋ , where k = iW + j + 1. • Encryption pr o c e dur e : a simp le concatenation of the follo wing four encry p tio n op erations. – Confusion I : Mask th e plain-image I by I Xkey to obtain I ⋆ , i.e., I ⋆ = I ⊕ I Xkey . – Horizonta l Diffu si on (HD) : Scan I ⋆ = { I ⋆ ( i, j ) } 0 ≤ i ≤ H − 1 0 ≤ j ≤ W − 1 ro wwise from th e upp er-left pixel to th e b ottom-righ t one, and m a sk eac h pixel v alue (except for the fir st one) b y its predecessor in the scan. Denoting the output of this step by I ∗ = { I ∗ ( i, j ) } 0 ≤ i ≤ H − 1 0 ≤ j ≤ W − 1 , the HD pro cedure is describ ed as follo ws: 1) I ∗ (0 , 0) = I ⋆ (0 , 0); 2) for k = 1 , . . . , H W − 1, I ∗ ( i, j ) = I ⋆ ( i, j ) ⊕ I ∗ ( i ′ , j ′ ) , (3) where i = ⌊ k/W ⌋ , j = ( k mo d W ), i ′ = ⌊ ( k − 1) /W ⌋ , j ′ = (( k − 1) mo d W ). – V ertic al Diffusion (VD) : S can I ∗ column wise from the b ottom-righ t pixel to the upp er- left one, and mask eac h pixel v alue (except for the fir s t one) b y its predecessor in th e scan. Denoting the output of this step b y I ∗∗ = { R ∗∗ ( i, j ) , G ∗∗ ( i, j ) , B ∗∗ ( i, j ) } 0 ≤ i ≤ H − 1 0 ≤ j ≤ W − 1 , the VD pro cedure ca n b e describ ed as follo ws: 1) I ∗∗ ( H − 1 , W − 1) = I ∗ ( H − 1 , W − 1); 2) for k = H W − 2 , . . . , 0, I ∗∗ ( i, j ) = I ∗ ( i, j ) ⊕ I ∗∗ ( i ′ , j ′ ) , (4) where i = ( k mod H ), j = ⌊ k / H ⌋ , i ′ = (( k + 1) mod H ), j ′ = ⌊ ( k + 1) /H ⌋ , and I ∗∗ ( i ′ , j ′ ) = ( G ∗∗ ( i ′ , j ′ ) ⊕ B ∗∗ ( i ′ , j ′ ) , R ∗∗ ( i ′ , j ′ ) ⊕ B ∗∗ ( i ′ , j ′ ) , R ∗∗ ( i ′ , j ′ ) ⊕ G ∗∗ ( i ′ , j ′ )) . – Confusion II : Mask the pixel v alues in I ∗∗ with I CKS to get the ciphertext I ′ , i.e., I ′ = I ∗∗ ⊕ I CKS . • De cryption pr o c e dur e : the simple rev ersion of the ab o ve encryption pro cedure. 2.2. R houma et al.’s attack [19] Denoting the horizon tal and v ertical d iffusion pro cesses by HD and VD, resp ectiv ely , the en- cryption pro cedure of PPS 0 9 can b e rep resen ted as follo ws: I ′ = VD(HD ( I ⊕ I Xkey )) ⊕ I CKS . (5) In [19], Rhoum a et al. sho w ed that the HD and VD pr ocesses are comm utativ e with X O R op eratio ns: HD( X ⊕ Y ) = HD ( X ) ⊕ HD( Y ) , VD( X ⊕ Y ) = VD ( X ) ⊕ VD( Y ) . Therefore, Eq. (5) is equ iv alen t to the follo wing one: I ′ = VD(HD ( I )) ⊕ VD(HD( I Xkey )) ⊕ I CKS . (6) Assuming I key = VD(HD( I Xkey )) ⊕ I CKS , w e can observ e the follo win g t wo imp ortan t f a cts: 3 1. neither HD n or VD dep ends on the key; 2. I key do es not dep end on the plain text I or the ciphertext I ′ . The ab ov e facts immediately lead to a conclusion: I key can b e used as an equiv alen t k ey to en cr y p t an y plain text of the same size H × W and decryp t an y ciphertext of size H × W . A kno wn/c hosen- plain text attac k can b e easily mounte d to deriv e I key from a kno wn/c hosen plain text I and its corresp onding ciphertext I ′ : I key = VD(HD ( I )) ⊕ I ′ . (7) 2.3. The mo difie d image encryption scheme mPPS09 [20] T o enhan ce the security of P PS09 against Rh ou m a et al.’s attac k , in [20 ] P atidar et al. prop osed a m odified edition of PPS09 by making b oth HD and VD d ep endent on the secret k ey . The mod ified k ey-dep endent HD and VD p rocesses are denoted b y mHD and mVD in [20]. Both mHD an d m VD are based on 16 diffusion k eys derived from the secret ke y ( x 0 , y 0 , K , N ): • for i = 1 , . . . , 5, Dkey ( i ) = P 2 j =0 a 3 · ( i − 1)+ j · 10 2 − j mo d 256, where x 0 = a 1 .a 2 . . . a 15 . . . and a i are decimal digits represen ting x 0 ; • for i = 6 , . . . , 10, Dkey ( i ) = P 2 j =0 b 3 · ( i − 6)+ j · 10 2 − j mo d 256, where y 0 = b 1 .b 2 . . . b 15 . . . and b i are decimal digits represen ting y 0 ; • for i = 11 , . . . , 15, Dkey ( i ) = P 2 j =0 c 3 · ( i − 11)+ j · 10 2 − j mo d 256, where K = . . . c 1 .c 2 . . . c 15 . . . and c i are decimal digits representing K ; • Dkey (16 ) = ( N mo d 256). The mHD pro ce ss is mo dified from HD b y replacing Eq. (3) with the follo wing equ a tion: I ∗ ( i, j ) = I ⋆ ( i, j ) ⊕ I ∗ ( i ′ , j ′ ) ⊕ Dkey ∗ ( k − 1) , (8) where Dkey ∗ ( k ) = ( Dkey (( k mod 16) + 1) , D key (( k mo d 16) + 1) , Dkey (( k mod 16) + 1)) . The mVD pro ce ss is mo dified from VD b y replacing Eq. (4) with the follo wing equ a tion: I ∗∗ ( i, j ) = I ∗ ( i, j ) ⊕ I ∗∗ ( i ′ , j ′ ) ⊕ D key ∗∗ ( k ′ ) , (9) where k ′ = H W − 2 − k and Dkey ∗∗ ( k ′ ) = ( Dkey (3 k ′ mo d 16) + 1) , Dkey (((3 k ′ + 1) m od 16 ) + 1) , Dk e y ( ((3 k ′ + 2) mo d 16) + 1)) . 3. Cryptanalysis In this section, we first sho w that th e key-depend en t h orizonta l and v ertical diffusion steps mHD and mVD do not increase th e securit y of mPPS09 against Rhouma et al.’s attac k. Th en w e p oin t out some common securit y wea knesses in b oth PPS09 and mPPS09. 4 3.1. Inse curity of mPPS09 against Rhouma et al.’s attack Although b oth mHD and mVD are dep enden t on the secret k ey , we noticed that they can b e represent ed in an equiv alent form whic h renders the key- dep endence useless. Assumin g X is the input matrix and Θ is a zero matrix of th e same size as X , w e ha v e the follo wing tw o lemmas. Lemma 1. mHD( X ) = HD( X ) ⊕ mHD( Θ ) . Pr o of. This lemma can b e easily p ro ve d w it h mathematical induction on k . F or k = 0, i.e., i = j = 0, we hav e mHD( X (0 , 0)) = X (0 , 0) and HD( X (0 , 0)) ⊕ mHD (Θ(0 , 0)) = X (0 , 0) ⊕ (0 , 0 , 0) = X (0 , 0). This lemma h ol ds. Then, assume the lemma is true for k ≥ 0, let us pro v e the case of k + 1. F or k + 1, i.e., i = ⌊ ( k + 1) /W ⌋ , j = (( k + 1) mo d W ), i ′ = ⌊ k /W ⌋ and j ′ = ( k mo d W ), mHD( X ( i, j )) = X ( i, j ) ⊕ mHD( X ( i ′ , j ′ )) ⊕ Dk e y ∗ ( k ). A ccording to the assumption on k , we ha ve mHD( X ( i ′ , j ′ )) = HD ( X ( i ′ , j ′ )) ⊕ mHD(Θ( i ′ , j ′ )). Thus, mHD( X ( i, j )) = X ( i, j ) ⊕ HD( X ( i ′ , j ′ )) ⊕ mHD(Θ( i ′ , j ′ )) ⊕ Dkey ∗ ( k ). Noting that HD ( X ( i, j )) = X ( i, j ) ⊕ HD( X ( i ′ , j ′ )), we get mHD ( X ( i, j )) = HD ( X ( i, j )) ⊕ mHD(Θ( i ′ , j ′ )) ⊕ Dkey ∗ ( k ). F urther n ot e that mHD(Θ( i, j )) = Θ( i, j ) ⊕ mHD(Θ( i ′ , j ′ )) ⊕ Dk ey ∗ ( k ) = mHD(Θ( i ′ , j ′ )) ⊕ Dk ey ∗ ( k ). This immed iately leads to mHD( X ( i, j )) = HD( X ( i, j )) ⊕ m HD(Θ( i, j )). Lemma 2. mVD( X ) = VD( X ) ⊕ mVD( Θ ) . Pr o of. This lemma can b e pro v ed in a similar wa y to Lemma 1, bu t the mathematical induction should b e made in descending order on k (starting from k = H W − 1 and end ing at k = 0) . The ab o ve tw o lemmas lead to the follo wing prop osition. Prop o sition 1. The encryption pr o c e dur e of mPPS09 is e quivalent to the fol lowing e quation: I ′ = VD(HD( I )) ⊕ ˜ I key , (10) wher e ˜ I key = VD(HD ( I Xkey )) ⊕ VD ( mHD(Θ)) ⊕ mVD(Θ) ⊕ I CKS . Pr o of. F rom the prop erties of HD & VD and Lemmas 1 & 2, we can mak e the follo wing d eductio n: I ′ = mVD(mHD( I ⊕ I Xkey )) ⊕ I CKS , = mVD(HD( I ⊕ I Xkey ) ⊕ m HD (Θ)) ⊕ I CKS , = VD(HD( I ⊕ I Xkey ) ⊕ mHD(Θ)) ⊕ mVD(Θ) ⊕ I CKS , = VD(HD( I ⊕ I Xkey )) ⊕ VD(mHD(Θ)) ⊕ mVD(Θ) ⊕ I CKS , = VD(HD( I )) ⊕ VD(HD( I Xkey )) ⊕ VD ( mHD(Θ)) ⊕ mVD(Θ) ⊕ I CKS , = VD(HD( I )) ⊕ ˜ I key . This pro v es the prop osition. Since mHD(Θ) and m VD(Θ) are b oth indep endent of the plainte xt and the ciphertext, they are uniquely determined b y the key ( x 0 , y 0 , K , N ). Th is means that ˜ I key is also u n iquely determined b y the ke y ( x 0 , y 0 , K , N ). Therefore, ˜ I key can b e used as an equiv alen t k ey of mPPS09 exactly in the same w a y as I key in PPS09. In fact, even the determination pro cess of the equiv alen t k ey is also the same: ˜ I key = VD(HD ( I )) ⊕ I ′ . 5 This means that the same kno w n/c hosen-plaint ext attac k can b e app li ed to mPPS09 w it hout any c hange to the program. In other w ords, the security of mPPS09 against Rhouma et al.’s attac k remains the same as that of the original scheme PPS 09 . W e ha v e p erformed some exp erimen ts to verify the correctness of the conclusion. With the secret key ( x 0 , y 0 , K , N ) = (3 . 9823 5562892 545 , 1 . 34 5363565 38912 , 108 . 5436 5761256745 , 110), the equiv alen t k ey ˜ I key w as constructed from a kno wn plain-image “Lenna” and th e corresp onding cipher-image, wh ic h are shown in Figs. 1a) and b), resp ectiv ely . Then, ˜ I key w as u sed to reco ver a cipher-image sho wn in Fig. 1c, and the plain-image “Pepp e rs” (Fig. 1 d ) was successfully reco vered. a) b) c) d) Figure 1: An exp erimen tal result of the p ro p osed known-plain text attack: a) th e known p lain-image “Lenna”; b) th e correspondin g ciph er-imag e; c) a cipher-image en crypted with the same key; d) the recov ered plain-image “Pepp ers”. 3.2. Other se curity we aknesses of PPS09 and mPPS09 3.2.1. Insufficient r andomness of the PRN S { B CKS ( i, j ) } As illustrated in [21], the r a ndomn ess of pseudo-rand o m bit sequences deriv ed from c haotic orbits of the logistic map is v ery w eak. T o further v erify the r an d omness of the PRNS { B CKS ( i, j ) } generated via the logistic map with con trol parameter 4.0, we tested 100 PRNSs of length 512 × 512 = 26 2144 (the num b er of byte s used for encry p tio n of a 512 × 512 plain color image) b y using the NIST statistical test suite [22]. The 100 sequences were generated with randomly selected secret keys, and transformed to 1-D bit sequences by concat enating the b its of all the elemen ts. 6 F or eac h test, the default significance leve l 0.01 w as used. The results are sh o wn in T able 1, from whic h one can see that the PRNS { B CKS ( i, j ) } is not random enough. T able 1: The performed tests with respect to a significance level 0.01 and the number of sequences passing eac h test in 100 randomly generated sequences. Name of T est Num b er of P assed Sequences F requency 95 Block F requency ( m = 100) 0 Cumulat ive Su ms-F o rward 93 Runs 0 Rank 0 Non-o verlapping T emplate ( m = 9, B = 010000 111) 10 Serial ( m = 16) 0 Appro ximate Entrop y ( m = 10) 0 FFT 0 3.2.2. Insufficient sensitivity with r esp e ct to change of plaintext In [15, 20], P atidar et al. recognized that the s en sit ivit y of cipher-image with resp ect to c hange of plain-image is v ery imp ortan t. Ho wev er, b oth PPS 0 9 and mPPS09 are actually very far from the desired prop ert y . As we ll kno wn in cryptography , this prop ert y is termed as a v alanc he effect. Ideally , it requires the change of an y single bit of plain-image will mak e ev ery bit of cipher-image c hange with a probabilit y of one half. F or b oth PP S 09 and mPPS09, the follo wing equation holds for tw o plain-images I and J = I ⊕ I ∆ : I ′ ⊕ J ′ = (VD(HD( I ))) ⊕ (VD(HD( J ))) , = VD(HD( I ⊕ J )) , = VD(HD( I ∆ )) . The ab o ve equation implies the f o llo wing t wo facts: • an y c h ange in a single bitplane will not c hange any other b it planes in the cipher-image; • a c hange in p lain-image I ∆ will cause a change p attern determin ed by VD(HD( I ∆ )), whic h is far from a r a nd o m pattern. T o sho w this defect clearly , w e made an experiment by c hanging only one b it of th e red c han n el of a plain-image . It is found that only some b it s on the same bitplane in the corresp ondin g cipher-image were c hanged. The lo catio ns of the c hanged b its can b e s e en from the differen tial cipher-image VD(HD( I ∆ )) and its three color c hannels as s h o wn in Fig. 2. App arently , the c hange pattern is f a r f r om random and balanced. 4. Conclusion In this pap er, the security of the image encryption sc h eme prop osed in [20] (a mo dified v ersion of the one p roposed in [15]) is re-ev aluated. It is foun d that the scheme is s till in sec ure against 7 a) b) c) d) Figure 2: The d iffere ntial cipher-image and its three color channels, when the MSB (i.e., the 8- t h b it) of R (127 , 127) in a plain-image was changed: a) the differential cipher-image; b) red channel; c) green c hannel; d) blue channel. a kno w n/c hosen-plaint ext attac k w hic h can break the original s c heme in [19]. I n addition, t wo more securit y w eaknesses of b oth the original and the mod ified image encryption sc hemes are rep orted: insufficien t randomness of a PRNS inv olved, and insu ffici ent sensitivit y with resp ect to c hange of plain-image. Due to su c h a lo w lev el of security , we recommend n ot to use the image encryption schemes under study unless their securit y is fu rther enh a nced with more complicated coun termeasures. Ac kno wledgemen t Chengqing Li w as sup ported by The Hong K o ng P olytec hnic Universit y’s Post do ctoral F el- lo w ships Sc heme un d er grant no. G-YX2L. Shujun L i w as supp orted by a fello wship from the Zukun ftsk olleg of the Univ ersit¨ at Konstanz, German y , wh ic h is part of the “Exzellenziniti ativ e” Program of the DFG (German Researc h F oundation). References [1] H.-C. Chen, J.-C. Y en, A new cryptography system and its VLS I realization, Journal of Systems Architecture 49 (7-9) (2003) 355 –367. 8 [2] G. Chen, Y. Mao, C. K. Ch ui, A symmetric image encryption sc heme based on 3D chao tic cat maps, Chaos, Solitons & F ractals 21 (3) ( 2 004) 749–76 1. [3] N. J. Flores-Carmona, M. Carpio-V aladez, Encryption and decryption of images with chao tic map lattices, Chaos 16 (3) (2006) art. no. 033118. [4] K.-W. W ong, C.-H. Y uen, Embedd ing compression in chaos-based cry ptogra phy , IEEE T ransactions on Circuits and Sy stems I I: Exp res s Brief 55 (11) (2008) 1193–1 197. [5] K. W ang, W. P ei, L. Zou, A. Song, Z. He, On the securit y of 3D cat map based symmetric image encryption sc heme, Ph ysics Letters A 343 (6) (200 5) 432–439. [6] C. Li, G. Chen, On the security of a class of image encryption schemes, in: Proceedin gs of 2008 IEEE Int. Symp osium on Circuits and Sy stems, 2008, pp. 329 0–3293. [7] S. Li, C. Li, G. Chen, K.-T. Lo, Cryptanalysis of the RCE S/RS ES image encryption scheme, Journal of Systems and Softw are 81 (7) (2008) 1130–1143. [8] D. Arro yo, R. Rhouma, G. Alv arez, S. Li, V. F ernandez, O n the security of a new image encryption sc heme based on c haotic map lattices, Chaos 18 (3) (2008) art. no. 033112. [9] C. Li, S. Li, G. Chen, W. A. Halang, Crypt a nalysis of an image encryp tio n scheme based on a comp ound chao tic sequence, Image and Visio n Computing 27 (8) (200 9) 1035–103 9. [10] G. ´ Alv arez, S. Li, Some b asic cryptographic requirements for chaos-based crypt o systems, International Journal of Bifurcation and Chaos 16 (8) (2006) 2129–2151 . [11] S. Li, G. Chen, X. Zheng, Chaos-based encryp tio n for digital images and videos, in : B. F urht, D. Kirovski (Eds.), Multimedia Security H andbo ok, CRC Press, 2004 , Ch. 4, pp. 133 –167. [12] N. P areek, V. Patidar, K. Sud, Discrete c haotic cryptograph y using external k ey , Physics Letters A 309 (1-2) (2003) 75–82. [13] N. Pareek, V. Patidar, K. Sud, Cryptograph y using m ultiple one-dimensional chao tic maps, Communications in Nonlinear Science and Numerical Sim ulation 10 (7) (2005 ) 715–723. [14] N. P areek, V. Patidar, K . S ud, Image encryp tio n u si ng chaotic logistic map, Image and Vision Computing 24 (9) (2006) 926–934. [15] V. Patidar, N. Pareek, K. Su d, A new substitution-diffusion based image cipher using c haotic standard and logistic maps, Comm unications in N o nlinear Science and Numerical Sim ulation 14 (7) (200 9) 3056–307 5. [16] G. ´ Alv arez, F. Monto ya, M. Romera, G. Pastor, Cryptanalysis of a discrete chaotic cryp tos ystem using external key , Physics Letters A 319 (3-4) (2003) 334–339 . [17] C. Li, S. Li, G. ´ Alv arez, G. Chen, K.-T. Lo, Cryptanalysis of a chao tic block cipher with external key and its impro ved version, Chaos, Solitons & F ractals 37 (1) (2008) 29 9–307. [18] C. Li, S. Li, M. Asim, J. Nunez, G. Alv arez, G. Chen, On the securit y defects of an image encryption sc heme, Image and Vision Computing 27 (9) (2009) 137 1–1381. [19] R. Rhouma, E. Solak, S. Belghith, Crypt a nalysis of a n ew sub stitution-diffusion based image cipher, Comm u- nications in Nonlinear Science and Numerical Simulation, in press, d oi:10.1016/j. cnsns.2009.07.007 (2009). [20] V. Patidar, N. Pa reek, K . Sud, Mo dified substitution-d iffu si on image cipher u s ing chaotic stand a rd and log istic maps, Comm u nicatio ns in N o nlinear Science and Numerical Simulation, in press, doi:10.101 6/j.cnsns.2009.11.010 (2009). [21] C. Li, S. Li, G. ´ Alv arez, G. Chen , K.-T. Lo, Cryp t a nalysis of tw o c haotic en cryption schemes based on circular bit shift and X OR op erations, Physics Letters A 369 (1-2) ( 2 007) 23–30. [22] A. Rukhin, et al., A statistical test suite for random and pseudorandom number generators for cryp tog raphic ap- plications, NIST Sp ecial Publication 800-22, av ailable online at http://csr c.nist.gov/rng /rng2.html (2001). 9