Cryptanalysis of an image encryption scheme based on a new total shuffling algorithm

Cryptanalysis of an image encryptio n sc heme based on a new total sh uffling algorithm Da vid Arroy o a , ∗ , Chengqi ng Li b , Sh ujun Li c , Gonzalo Alv arez a and W olfga ng A. Halang c a Instituto de F ´ ısic a Aplic ada, Consejo Sup erior de Investigaciones Cient ´ ıfic as, Serr ano 144, 28006 Madrid, Sp ain b Dep artment of Ele ctr onic Engine ering, City University of H ong K ong, 83 T at Che e Avenue, Kow lo on T ong, Hong Kong SA R, China c F ernUniversit¨ at in Hagen, Chair of Computer E ngine ering, Universit¨ atsstr aße 27, 58084 Hagen, Germany Abstract Chaotic systems ha v e b een broadly exploited through the last t wo decades to build encryption metho ds. Recentl y , t wo new image en cr y p tion sc hemes hav e been pro- p osed, where the encryption pro cess in v olv es a p erm utation oper ation and an X OR- lik e transform ation of the sh uffled pixels, w h ic h are con trolled by three c haotic sys- tems. This pap er discusses some d efects of th e sc hemes and h o w to br eak them with a c hosen-plain text attac k. Key wor ds: Chaotic en cryption, Loren z system, Chen’s sy s tem, h yp er-chao s, logistic map, c hosen-plain text attac k, p erm utation-only encryption algorithms, cryptanalysis P ACS: 05.45.Ac, 47.20.Ky . 1 In tro duction When w e t hink ab out exc hanging information w e are ve ry inte rested in find- ing a w a y to make it fast and secure. Mo dern telecomm unications technolo- gies allo w to send and receiv e files, images, and data in a relativ ely short time dep ending on the bandwidth a v a ilable. Now ada ys, the use of traditional ∗ Corresp ond ing author: Da vid Arro y o (david.arro y o@iec.c sic.es). Preprint submitted to Ph ysics Letter A 2 No v em b er 2018 symmetric and asymmetric cryptography is the wa y to secure the info rma- tion exc hange [1 , 2]. How ev er, applications in v olving digita l images and videos demand other encryption sc hemes . Indeed, the b ulky size and the large re- dundancy of uncompres sed videos/images make it nec essary to lo ok for new metho ds to deal with those features in order to facilitate the in tegration o f the encryption in the whole pro cessing pro cedure. F or recen t surv eys on image and video encryption, please refer to [3–6]. The main features of c haotic systems (sensitivit y to initial conditions, ergo d- icit y , mixing prop ert y , simple analytic desc ription and high complex b eha vior) mak e them v ery in teresting to design new cryptosystems. Image encryption is an area where c haos has b een bro adly exploited. In fact, c haotic systems ha v e b een used to mask plain-imag es through XOR-lik e substitution op era- tions [7], spatial p ermutation [8] or the com bination of b ot h tec hniques [9]. This pap er is fo cused o n t w o image encryption sche mes prop osed in [1 0 , 11]. In b oth pap ers the image encryption is based on a secret p erm utation deriv ed from the logistic map, and a masking of the gray-scale v a lues of the sh uffled pixels with a k eystream generated from one or tw o c haotic systems. The only difference b etw een the t w o encryption sc hemes is that in [10] tw o c haotic sys- tems (Lorenz and Chen’s systems) are used to generate the key stream, while in [11] only one h yp er-c haotic system is used. Because suc h a difference is indep enden t of the securit y , w e only fo cus on the cryptanalysis of the sc heme prop osed in [10]. The rest of this pap er is organized as follo ws. The sc heme under study is described briefly in the next section. In Sec. 3 some imp ortan t problems of the cryptosystem are remark ed. Then, a ch osen-plainte xt at tac k is describ ed in Sec. 4 along with some experimental results. In the last section the conclusion is g iven. 2 The encryption sc heme Assuming that the size o f t he plain-imag e I is M × N and the cipher-image is I ′ , the encryption sc heme proposed in [1 0] can be describ ed b y the f o llo wing t w o pro cedures. Please note that w e use different notations from the original ones in [10] to get a simpler a nd clearer description. • Shuffling pr o c e dur e In this pro cedure, the plain- ima g e I is p erm uted to form an in termedi- ate image I ∗ according to a tot a l sh uffling matrix P ∗ , whic h is deriv ed b y pseudo-randomly p erm uting the rows and columns of the original p osition matrix P = [( i, j )]. The pseudo-random r ow and column p erm utations are generated by iterating the logistic map x n +1 = 4 x n (1 − x n ) from a giv en 2 initial condition x 0 . • Masking p r o c e dur e In this pro cedure, the in termediate image I ∗ is further mask ed b y a k eystream { B ( i ) } M N i =1 as follo ws: ∀ i = 1 ∼ M N , I ′ ( i ) = I ∗ ( i ) ⊕ B ( i ) ⊕ I ′ ( i − 1), where I ( i ), I ′ ( i ) denote the i -th pixels of I ∗ and I ′ (coun ted from left to right and from top to b ottom), respective ly , and I ′ (0) = 128. The k eystream { B ( i ) } M N i =1 is generated b y it era t ing the Lorenz and Chen’s systems and doing some p ostpro cessing on all the 6 c hao t ic v aria bles (the first N 0 iterations of Lo renz system a nd the first M 0 iterations of Chen’s systems are discarded to enhance t he securit y). Because our cryptanalysis succeeds regardless of the k eystream’s generation p ro cess, w e ignore this part and readers are referred to Sec. 2.3 of [10] fo r details. In [1 0], it is claimed that the secret ke y includes the initia l v alues of t he Lo r enz and Chen’s systems and the n um b er of initial iterations N 0 , M 0 . It is quite strange wh y the initial condition of the logistic map is not claimed to b e part of the k ey , since t he image encryption sc heme is based on “a new to t al sh uffling algorithm” (a s can b e seen in the title of [1 0]). In this cryptanalysis pap er, w e assume that the initial condition of the log istic map is also part o f the key . W e b eliev e it is also the original in ten tion of the authors of [10]. In addition, note that b oth P ∗ and { B ( i ) } M N i =1 are indep enden t of the plaintext and ciphertext, so they can b e used as an equiv alent key . 3 Design weaknesse s In t his section, w e discuss some defects of the sc heme under study . 3.1 L ow sensi tivity to the change of plain-image It is we ll know n that the ciphe rtext o f a secure encryption sc heme should b e v ery sensitiv e to the c hange of plain text [1 2 , Rule 9]. Unfortunately , the encryption sc heme under study fails to satisfy this req uiremen t. Giv en t w o plain-images I 0 and I 1 with only one pixel differenc e at the position ( i, j ), the difference will b e p erm uted to a new p osition ( i ∗ , j ∗ ) according to the sh uffling matr ix P ∗ . Then, b ecause all plain-pixels b efore ( i ∗ , j ∗ ) are iden tical for the t w o plain-images, the ciphertexts will also b e ide n tical. This show s the low sensitivit y o f the image encryption sch eme to changes in the plain- image. Fig ure 1 giv es an ex ample of this problem. It can b e seen ho w the differen tial cipher-image is equal to zero for any pixel b efore ( i ∗ , j ∗ ) and equal to a constant v a lue after that p osition. 3 (a) (b) (c) Fig. 1. Illu s tration of the lo w sensitivit y to the c hange of the plain-image: (a) the first plain-image I 0 ; (b) the second plain-image I 1 (only the cen ter pixel is different from I 0 ); (c) the d ifferen tial cipher-image I ′ 0 ⊕ I ′ 1 . 3.2 R e duc e d Key sp ac e As claimed in [10], N 0 and M 0 are also part of the k ey . Ho w ev er, from an attac k er’s p o in t of view, he/she only needs to guess the chaotic states after the N 0 and M 0 c haotic iterations as the initial conditions o f the L o renz a nd Chen’s systems. In this w a y , N 0 and M 0 are remo v ed from the k ey and the k ey space is reduced. 4 3.3 Pr oblem with chaotic iter ations o f L or enz and Ch en ’s systems In [10], the a utho rs did not sa y an ything ab out the time step τ of iterating the Lorenz and Chen’s systems. Ho w ev er, the randomness of the key stream { B ( i ) } M N i =1 is tightly dep enden t on the v a lue of time step. As an extreme exam- ple, if τ = 10 − 20 , w e will get a k eystream of identical elemen ts (according to the algorithm describ ed in Sec. 2.3 o f [10]) . As a matter of fact, the v alue o f τ is de- p enden t o n the m ultiplication facto r 10 13 o ccurring in Step 4 of the encryption pro cess (see Sec. 2.3 of [10]): x i = mo d ((abs( x i ) − Flo or(abs( x i ))) × 1 0 13 , 2 56). 3.4 L ow encryption sp e e d Because the chaotic iterations of Lorenz and Chen’s sys tems in v o lv e compli- cated numerical differential functions, the encryption sp eed is expected to b e v ery slo w compared with other traditional ciphers. T o asses this fact, w e de- riv ed a mo dified enc ryption sc heme from the original one b y replacing the Lorenz and Chen’s systems with the logistic map, and then compared the encryption sp eeds of the tw o cryptosystems . Both cryptosys tems w ere im- plemen ted using MA TLAB on a PC with a 1.6GHz pro cessor and 512MB of RAM. F or images of size 2 56 × 256, the t ypical encryption time f or the original cryptosystem in [10] w as around 5.8 sec onds, while t he mo dified cryptosystem based on the logistic map required in av erage around 1.2 se conds to encrypt an image. The exp erimen ts hav e clearly sho wn that using con tin uous c haotic systems can dr a stically reduce the encryption speed. Since there are also no other obv ious merits in using contin uous c haotic systems rather than a simple discrete-time c haotic map, the use o f the Lorenz and Chen’s sy stems in the image encryption sc heme under study is unnecessary . Inste ad, these con tin u- ous c haotic sys tems can b e replaced b y a simpler disc rete-time chaotic map without compromising the security . 4 Chosen-plain text att ac k When a v aria tion of stream cipher is created, as in the case under study , obtaining the k eystream is totally equiv alen t to obtaining the k ey whenev er differen t plain-images are encrypted using the same k ey . In this section, w e presen t a c hosen-plain text atta c k whic h a llo ws to reco v er b oth the k eystream and the shufflin g mat rix. Let us c ho ose a plain-image I 1 suc h tha t ∀ i, j = 1 ∼ M N , I 1 ( i ) = I 1 ( j ) = a . In this case, the sh uffling part does not w ork, so w e ha v e I ∗ 1 = I 1 . Then, w e can 5 reco v er the k eystream as follows : ∀ i = 1 ∼ M N , B ( i ) = I 1 ( i ) ⊕ I ′ 1 ( i ) ⊕ I ′ 1 ( i − 1). After remo ving the masking part, we can try to reco v er the sh uffling matrix. According to the general cryptanalysis on p ermutation-only ciphers in [13], only ⌈ log 256 ( M N ) ⌉ c hosen plain-images are needed to recov er the sh uffling matrix P ∗ . In total w e need ⌈ log 256 ( M N ) ⌉ + 1 c hosen plain-images to p erform this chose n-plaintext attac k. With the aim of v erifying t he prop osed attack , sev eral exp erimen ts hav e b een done. One o f the examples is shown in Fig. 2, where the images are of size 256 × 256 and the secret k ey in v olv ed is sho wn in T able 1. As it was mentioned ab ov e, the sh uffling pro cess is brok en usin g log 256 ( M N ) = 2 c hosen plain-images, while the masking pro cedure cryptanalysis requires one c hosen plain-image. The three c hosen plain-images allow to decipher the cipher-image included in Fig. 2(a) and thus to get the corresp onding plain- image (Fig. 2(b)), ev en when the secret ke y is unkno wn. T able 1 Key v alue used in the exp erimen t. x 1 (0) x 2 (0) x 3 (0) x 4 (0) x 5 (0) x 6 (0) N 0 M 0 x 0 0 . 3 − 0 . 4 1 . 2 10 . 2 − 3 . 5 4 . 4 3000 2000 0 . 4 (a) (b) Fig. 2. The resu lt of the c hosen-plaint ext attac k: (a) a cipher-image encrypted with the ke y as sh o wn in T able 1; (b) the decryp ted plain-image using the equiv alen t k ey  P ∗ , { B ( i ) } M N i =1  obtained via the chosen-plain text attac k. 5 Conclusions The securit y o f the image enc ryption sc heme prop o sed in [10] has b een ana- lyzed in detail. The cryptanalytic results are also v alid f o r the other sche me prop osed in [11]. It has b een sho wn that the equiv alent secret key can b e re- co v ered in a chosen-plain text attac k with only ⌈ log 256 ( M N ) ⌉ + 1 chosen pla in- images. In addition, some other defects ha v e also b een distinguished in the sc heme under study . Among those defects, it is necessary to emphasize the one 6 concerning the encryption sp eed, since it informs ab o ut the non-con v enience of con tin uous-time chaotic systems for implemen ting fa st encryption pro cedures. The w eak securit y pro p erties frustrate the usage of the sc heme in practice. Ac kno wledgmen ts The w or k described is this le tter w as partially supp orted by Ministerio de Educaci´ on y Ciencia of Spain, Researc h Grant SEG2004-024 1 8. Shujun Li w as supp orted b y the Alexander v on Humboldt F oundation, G erman y . References [1] S. V. A.J. Menezes, P .C. v an Oorsc hot, Hand b o ok of Applied Cryptograph y , CR C Press, 1997. [2] B. Sc hneier, App lied Cr yptograph y , John Wiley , NY, USA, 1996. [3] S. Li, G. Chen, X. Zheng, Ch aos-based encryption for d igital images and videos, in: B. F ur ht, D. Kiro vski (Eds .), Multimedia Security Handb o ok, CR C Press, LLC, 200 4, Ch . 4, pp. 133–1 67, preprint a v alaible at h ttp://www.ho oklee.com/pub.h tml. [4] A. Uh l, A. P omm er , F r om Digital Ri ght s Manag emen t to Secured P ersonal Comm unication, Sp ringer, 2005. [5] B. F uhrt, E. Muharemagic, D. Socek, Image encryption a lgorithms, in: Multimedia Encryp tion and W atermarking, Spr inger, 2005, Ch. 5, pp. 79–120. [6] W. Zeng, H.Y u, C.-Y. Lin (Eds.), Multimedia Security T ec hnologies for Digital Righ ts Managemen t, Academic Press, 2006. [7] H.-C. Chen, J.-C. Y en, A new cryptograph y system and its VLSI r ealization, Journal of Systems Arc hitecture 49 (7-9) (2003 ) 355–36 7. [8] J.-C. Y en, J.-I. Guo, Efficien t hierarchica l c haotic image encryption algorithm and its VLSI realisation, IEE Pro ceedings - Vision, Image an d S ignal Pro cessing 147 (2) (2000) 167–175. [9] G. Chen, Y. Mao, C. K. Chui, A symm etric image encr y p tion sc heme based on 3d c haotic cat maps, Chaos, S olitons an d F ractals 21 (3) (2004 ) 749–76 1. [10] T . Gao, Z . Ch en, Image encryption based on a new total shuffling algorithm, Chaos, Solitons and F ractals 0 (2007) doi:10.101 6/j.c haos.2006.1 1.009. [11] T . Gao, Q. Gu, Z. C hen, A new image encryption alg orithm b ased on h ye r- c haos, Phys. Lett. A 0 (200 7) doi:10.10 16/j.ph ysleta.2007.07.040. 7 [12] G. Alv arez, S. Li, Some basic cryptographic requ iremen ts for c haos-based cryptosystems, Inte rnational Journ al of Bifurcatio n an d Ch aos 16 (8) (2006) 2129– 2151. [13] S . Li, C. Li, G. Chen, N. G. Bourbakis, K.-T. Lo, A general cryptanalysis of p ermutatio n-only multimedia encryption algorithms, Cr yptology ePrint Arc hiv e, Rep ort 2004/37 4, http ://eprint .iacr.or g/2004/374 (2004). 8