Breaking a novel image encryption scheme based on ...

Multimed Tools Appl DOI 10.1007/s11042-015-3085-4

Breaking a novel image encryption scheme based on an improper fractional order chaotic system Benyamin Norouzi 1 & Sattar Mirzakuchaki 1

Received: 11 March 2015 / Revised: 28 September 2015 / Accepted: 17 November 2015 # Springer Science+Business Media New York 2015

Abstract In this paper, we analyze the security of a recent image encryption algorithm based on an improper fractional-order chaotic system suggested by Zhao et al. The fatal flaw in the cryptosystem is that the keystream generated depends on neither the plain-image nor the cipher-image. Another main issue with this algorithm is using the same key (the last key in the keystream) in all encryption equations. Based on these points, it is easy to recover the plainimage and the keystream by applying chosen plaintext attack in only one plain-image. Both mathematical analysis and experimental results confirm the feasibility of this attack. As a result, the cryptosystem under study is not suitable for cryptography. Keywords Image encryption algorithm . Cryptanalysis . Keystream . Chosen plaintext attack

1 Introduction Nowadays, cryptography plays a significant role in protecting systems and personal information. Cryptography is the art and science of encrypting and decrypting data to protect them while they are stored or transferred over insecure networks; this can be achieved by designing cryptographic techniques. On the other hand, cryptanalysis is the art and science of studying and analyzing cryptographic techniques to break them [4]. Cryptographers are people working to develop new cryptography algorithms to provide security services, while Cryptanalysts are people working to develop and find methodologies to break the cryptographic techniques. The chaos-based cryptographic methods have proposed some new ways to develop efficient image encryption algorithms [3, 7, 8, 10, 19]. Unfortunately, many of the schemes are insecure, especially on chosen-plaintext attack. For example, the encryption schemes proposed in [2, 9, 11, 14, 21] have been broken by [1, 13, 16–18], respectively.

* Benyamin Norouzi [email protected] Sattar Mirzakuchaki [email protected] 1

Electronic Research Center, School of Electrical Engineering, Iran University of Science and Technology, P.O. Box 16846-13114, Tehran, Iran

Multimed Tools Appl

Based on the Kerckhoffs’s principle in the cryptology science [12, 20], when cryptanalyzing an encryption algorithm, the general assumption made is that the attacker knows the algorithm under study and how it works, i.e., he knows all details of the encryption/decryption algorithm except the secret key. Thus, the objective of cryptanalysis is to determine the secret key or decrypt (all or partial) contents of any plaintext encrypted. The attacker performs a certain type of attack based on available information and resources. The more information an attacker can gather on plaintext/ciphertext pairs, the easier it would be to break the cryptographic algorithm. Thus, the four common attack methods can be categorized from the hardest (the least information resources) to easiest (the most information resources) as follows: 1. Ciphertext only: attackers can only access part of the ciphertext. The attack is considered successful if the attacker can retrieve the some information about the plaintext or the secret key. 2. Known plaintext: attackers can access some plaintexts and the corresponding ciphertexts. The attacker uses the pairs of plaintext and ciphertext to retrieve the secret key. 3. Chosen plaintext: attackers can select some plaintexts and obtain the corresponding ciphertexts. The attacker encrypts different plaintext and obtains the corresponding ciphertext to study and analyze these pairs in order to retrieve the secret key. Known/chosen-plaintext attacks are possible when an attacker can temporarily access the encryption machine. 4 Chosen ciphertext: attackers can select some ciphertexts and obtain the corresponding plaintexts. Chosen-ciphertext attack is possible when an attacker can have a temporary access to the decryption machine. It suffices that one of the attacks be successful to consider an algorithm insecure. In this study, we cryptanalyze the image cryptosystem recently proposed in Ref. [19] which is based on improper fractional-order chaotic system. In this algorithm, an original image is divided into four parts and encrypted by different encryption formulas. However, this is not enough to make the cryptosystem secure. The rest of the paper is organized as follows. In the next section the cryptosystem under study is described. In section 3, a chosen plaintext attack that reveals the equivalent keys is analyzed. After that, the experimental results are given in section 4. Finally, the last section summarizes the results of the previous sections and concludes the paper.

2 Description of the cryptosystem under study The encryption scheme described in [19] is based on the three-dimensional chaotic system given by 8 q1 d x > > ¼ aðy−xÞ > > q > < dtq2 1 d x ¼ xz−y > dtq2 > q3 > > d x > : ¼ b−xy−cz dtq3

ð1Þ

Multimed Tools Appl

The key stream is produced by initial state variables (x0, y0, z0), parameters (a, b, c), and fractional orders (q1, q2, q3) of the chaotic system. The state vectors (x, y, z) are obtained from all of iterations of system (1) to produce encryption sequence (to eliminate transient response, discard the first one thousand numbers of sequence). Then, parameter m=mod (abs(x+y+z), 4) is computed to generate the combination form of chaos sequences (where mod(a, b) returns the remainder after division and abs(x) returns the absolute value of x). Temporally, one blank matrix B is created. Then, B is assigned variably with respect to parameter m. The assignments of B are illustrated in Table 1. Suppose that Ki =10n(Bi −round(Bi)), where n=14 is a positive integer. For more details, the reader is referred to [19]. The original image of the encryption algorithm under study is a gray-scale image of size L= M×N, which can be represented as a one-dimensional vector P={p1, p2, …, pL}, where pi denotes the decimal gray level of the pixel. P is divided into four equal parts to modify the pixel values one by one. The ith pixel of the cipher-image is computed by the following formulas: c1 ¼ modðp1 þ k 1 ; 256Þ⊕modðpL þ k L ; 256Þ

ð2Þ

ci ¼ modðpi þ k i ; 256Þ⊕modðci−1 þ k L ; 256Þ ; i ¼ 2; 3; …; L=4

ð3Þ

  cL=4þ1 ¼ mod pL=4þ1 þ k L=4þ1 ; 256 ⊕modðpL þ k L ; 256Þ

ð4Þ

ci ¼ modðpi þ k i ; 256Þ⊕modð2  ci−1 þ k L ; 256Þ ; i ¼ L=4 þ 2; …; L=2

ð5Þ

  cL=2þ1 ¼ mod pL=2þ1 þ k L=2þ1 ; 256 ⊕modðpL þ k L ; 256Þ

ð6Þ

ci ¼ modðpi þ k i ; 256Þ⊕modð3  ci−1 þ k L ; 256Þ ; i ¼ L=2 þ 2; …; 3L=4

ð7Þ

  c3L=4þ1 ¼ mod p3L=4þ1 þ k 3L=4þ1 ; 256 ⊕modðpL þ k L ; 256Þ

ð8Þ

ci ¼ modðpi þ k i ; 256Þ⊕modð4  ci−1 þ k L ; 256Þ ; i ¼ 3L=4 þ 2; …; L

ð9Þ

Where the symbol⊕represents the exclusive OR operation bit-by-bit and mod (x, y) returns the remainder after division. By reshaping the sequence C={c1, c2, …, cL} into an M×N image, the cipher-image is obtained.

3 The cryptanalysis and attack As mentioned section 1, in a chosen plaintext attack, the cryptography algorithm is completely on hand and the aim is to retrieve the key. Therefore, an attacker can simply choose any image

Table 1 The combination form of chaotic sequences m=1 B={B, x, y, z}

m=2 B={B, z, x, y}

m=3 B={B, y, z, x}

m=4 B={B, x, z, y}

Multimed Tools Appl

to encrypt. According to our method, the Zhao’s algorithm can be easily broken by having a plaintext along with its ciphertext. The cryptanalysis and chosen plaintext attack for recovering the diffusion vector K are described below in detail. 0

p1 Step 1: we select a plain-image P = @ ⋮ ⋯ K={k1, k2, …, kL}. As a result, the 0 1 c1 … cN @ ⋮ ⋱ ⋮ A is obtained. Since, kL ⋯ ⋯ cL Eq. (9) and setting i=L; we have:

1 … pN ⋱ ⋮ A and encrypt P with the secret key ⋯ PL corresponding cipher image matrix C = is used in all cryptographic equations, using

(10)

The values of pL, cL, and cL-1 are all known and the only unknown is kL which is a value between 0 and 255. Examining all these values, a few kL values are obtained at the end. To find the exact value of kL, these few values for kL are replaced in Eqs. (2) through (9) (or only one of them). Only one kL value would result in matching of obtained image with the encrypted image. To find the rest of the keystream, Eqs. (2) through (9) are used in sequence. Step 2: In Eq. (2), the values of p1, pL, kL, and c1 are known to the attacker and the only unknown is k1 which can be simply found by the following equation.

(11)

Step 3: Using Eq. (3), ki (for i=2, 3, …, L/4) may be retrieved:

(12)

Multimed Tools Appl

Step 4: Eq. (4) can be used to retrieve kL/4+1 as follows:

(13)

Step 5: To retrieve kL/4+2 to kL/2, the following equations can be used:

(14)

Step 6: Following this procedure for second part of the keystream and substituting in Eqs. (6) through (9) we get:

(15)

(16)

(17)

(18)

Thus, the whole keystream can be retrieved by our suggested algorithm. The simplest case for this attack is encrypting an all-zero (black) image which is presented next.

Multimed Tools Appl

Suppose that in the chosen plaintext attack, we have the original image given as P1 = 1 0 … 0 @ ⋮ ⋱ ⋮ A with all pixels’ gray value of 0 (see Fig. 1a) and the encrypted image as 0 ⋯ 0 0 1 c1 … cN C = @ ⋮ ⋱ ⋮ A which is shown in Fig. 1b. ⋯ ⋯ cL According to Eq. (10), we obtain 0

cL ¼ modð0 þ k L ; 256Þ⊕modð4  cL−1 þ k L ; 256Þ ¼ k L ⊕modð4  cL−1 þ k L ; 256Þ

ð19Þ

cL-1 and cL are the (L-1)th and Lth pixels of the encrypted image which are known. There are different values for kL in Eq. (19). To reach at the correct value of KL, all KL values are inserted in one of the encryption equations, for instance Eq. (3), and then these encrypted images are compared with the real encrypted image. Only for one value of KL, this comparison is true. So, the exact value of KL is obtained. Knowing this correct value of KL, the plainimage P1 (with all pixels equal to zero), and its corresponding encrypted image, all of the keystream is recovered. Consequently, Eqs. 11 through 18 change to the following forms.

(20)

k i ¼ modfci ⊕modðci−1 þ k L ; 256Þ−0; 256g ⇒k i ¼ ci ⊕modðci−1 þ k L ; 256Þ ; i ¼ 2; 3; …; L=4

ð21Þ

k L=4þ1 ¼ cL=4þ1 ⊕k L

ð22Þ

k i ¼ ci ⊕modð2  ci−1 þ k L ; 256Þ ; i ¼ L=4 þ 2; …; L=2

ð23Þ

k L=2þ1 ¼ cL=2þ1 ⊕k L

ð24Þ

Fig. 1 Chosen plaintext attack: (a) Chosen plain-image P=zeros (M, N) and (b) Ciphered image C1

Multimed Tools Appl

k i ¼ ci ⊕modð3  ci−1 þ k L ; 256Þ ; i ¼ L=2 þ 2; …; 3L=4

ð25Þ

k 3L=4þ1 ¼ c3L=4þ1 ⊕k L

ð26Þ

k i ¼ ci ⊕modð4  ci−1 þ k L ; 256Þ ; i ¼ 3L=4 þ 2; …; L

ð27Þ

0

1 4 52 0 18 B 5 15 100 186 C C As an example, if the original image is given by P = B @ 75 16 200 249 A, and it is 10 15 128 255 encrypted by the keystream k={140, 36, 255, 187, 24, 25, 0, 201, 58, 87, 89, 239, 96, 10, 99, 0 1 165 131 70 177 B 40 174 246 161 C C 54} using Zhao’s algorithm, the encrypted image is given by C = B @ 176 33 184 182 A. 95 171 1 15 According to the analysis presented in the previous section, we start by a totally black image 0 1 0 0 0 0 B0 0 0 0C C P1 = B @ 0 0 0 0 A and encrypt it with the mentioned key and thus obtain the correspond0 0 0 0 0 1 186 212 245 144 B 46 139 76 7 C C. Then, using Eq. (19) (for KL, we obtain ing cipher-image C1 = B @ 12 13 4 173 A 86 132 37 252 eight values 52, 53, 54, 55, 180, 181, 182, and 183) and substituting the calculated KL’s in one of the encryption equation (for example, Eq. (3)), the exact value of KL (KL =54) is obtained. One of the main issues with this algorithm is using the same key (KL) in all encryption equations. Therefore, it is sufficient to replace the known KL value in Eqs. (20) through (27) to reach at the total keystream. For example, according to Eq. (20), the first key k1 =c1 ⊕kL = 186⊕54=140 is obtained. Having this keystream, the original image P is easily obtained from encrypted image C.

Fig. 2 Experimental results of our chosen plaintext attack: (a) Original image of Lena (b) Ciphered image, and (c) Recovered image of Lena (The cryptanalytic image for the encrypted image)

Multimed Tools Appl

Table 2 The results of MSE and PSNR values between original and recovered images

Image

MSE

PSNR

Lena Cameraman Baboon Peppers All zero

0 0 0 0 0

Inf Inf Inf Inf Inf

4 Experimental results We have encrypted an image of Lena with size (256×256) using Zhao’s algorithm, and then break it with our chosen plaintext attack described in previous section. Figure 2 demonstrates the experimental result using our chosen plaintext attack. Figure 2a is the original image, Fig. 2b is the cipher image, and Fig. 2c is the recovered image which is identical to the corresponding original image. As to performance analysis, usually two factors namely Mean Square Error (MSE) and Peak Signal-to-Noise Ratio (PSNR) are considered for evaluation of matching between the recovered and the original image [5, 6, 15]. These factors are given by Eqs. (28) and (29), respectively. MSE ¼

M N 1 XX ðaði; jÞ‐bði; jÞÞ2 M  N i¼1 j¼1

 PSNR ¼ 20 log10

ð28Þ

 255 pffiffiffiffiffiffiffiffiffiffi ðdbÞ MSE

ð29Þ

Where M and N are the width and the height of the test image, respectively. a(i, j) and b(i, j) are two pixel gray values of the original image and recovered image at the location (i, j), respectively. The effectiveness of the proposed method, evaluated in terms of MSE and PSNR for five standard images is tabulated in Table 2. According to Table 2, the value of MSE is zero and the value of PSNR is infinity. Therefore, a complete match is achieved here. In other words, each recovered image is identical to the corresponding original image. It is worth mentioning that we have run this chosen plaintext attack by Matlab 7.6.0.324 (R2008a) in a computer with a 2.4 GHz CPU, 4GB Memory, 640 GB hard-disk capacity, and the operating system being Microsoft Windows 7. Table 3, gives the time required for our cracking algorithm for increasing values of L (L=M×N). As shown in this Table, the overall speed is high and has an approximately linear relation with increasing the size of L. From the experimental results, we see that the cryptosystem proposed in [19] is not secure enough. So the new image encryption algorithm scheme based on an improper fractional-order chaotic system is not supposed to be used in the image transmission system. Table 3 Speed test results

Image size

Encryption time (ms)

64×64 128×128 256×256 512×512 1024×1024

6 28 117 483 1.7 s

Multimed Tools Appl

5 Conclusion In this paper, we analyze the image cryptosystem based on an improper fractional-order chaotic system proposed by Zhao et al. The main weakness is that the keystream generated especially the last key depends on neither the plain-image nor the ciphered image. Based on this drawback, we encrypt one arbitrary plain-image to reveal the equivalent keys. The chaotic system we cracked is equivalent to a one-time pad which, however, has the fatal flaw of being used more than once, and that there is only a finite number on such one-time pads, depending on L=MxN, thus if the chaotic sequence for images of a given L is cracked, the entire premise behind Zhao’s method falls apart. Experimental results by Matlab 7.6.0.324 (R2008a) show that our method can successfully break the cryptosystem. As a result, the use of Zhao’s image cryptosystem is not feasible for secure communications. Acknowledgments The authors would like to thank the Editor, the anonymous Referees, and Mrs.Shirin Saberian for their valuable comments and suggestions to improve this paper.

References 1. Jolfaei A, Wu XW, Muthukkumarasamy V (2014) Comments on the security of diffusion–substitution based gray image encryption scheme. Digit Signal Proc 32:34–36 2. Kadir A, Hamdulla A, Guo WQ (2014) Color image encryption using skew tent map and hyper chaotic system of 6th-order CNN. Optik 125:1671–1675 3. Liu Y, Wang J, Fan J, Gong L (2015) Image encryption algorithm based on chaotic system and dynamic Sboxes composed of DNA sequences. Multimed Tools Appl. doi:10.1007/s11042-015-2479-7 4. Mazloom S, Eftekhari-Moghadam AM (2009) Color image encryption based on coupled nonlinear chaotic map. Chaos Solitons & Fractals 42:1745–1754 5. Norouzi B, Mirzakuchaki S (2014) A fast color image encryption algorithm based on hyper-chaotic systems. Nonlinear Dyn 78:995–1015 6. Norouzi B, Mirzakuchaki S, Seyedzadeh SM, Mosavi MR (2014) A simple, sensitive and secure image encryption algorithm based on hyper-chaotic system with only one round diffusion process. Multimed Tools Appl 71:1469–1497 7. Norouzi B, Seyedzadeh SM, Mirzakuchaki S, Mosavi MR (2014) A novel image encryption based on hash function with only two-round diffusion process. Multimedia Systems 20(1):45–64 8. Norouzi B, Seyedzadeh SM, Mirzakuchaki S, Mosavi MR (2015) A novel image encryption based on rowcolumn, masking and main diffusion processes with hyper chaos. Multimed Tools Appl 74:781–811 9. Pareek NK, Patidar V, Sud KK (2013) Diffusion–substitution based gray image encryption scheme. Digit Signal Proc 23:894–901 10. Parvin Z, Seyedarabi H, Shamsi M (2014) A new secure and sensitive image encryption scheme based on new substitution with chaotic function. Multimed Tools Appl. doi:10.1007/s11042-014-2115-y 11. Patidar V, Pareek NK, Sud KK (2009) A new substitution diffusion based image cipher using chaotic standard and logistic maps. Commun Nonlinear Sci Numer Simulat 14:3056–3075 12. Rhouma R, Belghith S (2008) Cryptanalysis of a spatiotemporal chaotic image/video cryptosystem. Phys Lett A 372:5790–5794 13. Rhouma R, Solak E, Belghith S (2010) Cryptanalysis of a new substitution–diffusion based image cipher. Commun Nonlinear Sci Numer Simulat 15:1887–1892 14. Sam IS, Devaraj P, Bhuvaneswaran RS (2012) A novel image cipher based on mixed transformed logistic maps. Multimed Tools Appl 56:315–330 15. Seyedzadeh SM, Norouzi B, Mosavi MR, Mirzakuchaki S (2015) A novel color image encryption algorithm based on spatial permutation and quantum chaotic map. Nonlinear Dyn 81:511–529 16. Wen W (2015) Security analysis of a color image encryption scheme based on skew tent map and hyper chaotic system of 6th-order CNN against chosen-plaintext attack. Multimed Tools Appl. doi:10.1007/ s11042-015-2464-1

Multimed Tools Appl 17. Zhang YQ, Wang XY (2014) Analysis and improvement of a chaos-based symmetric image encryption scheme using a bit-level permutation. Nonlinear Dyn 77:687–698 18. Zhang Y, Xiao D, Wen W, Li M (2014) Cryptanalyzing a novel image cipher based on mixed transformed logistic maps. Multimed Tools Appl 73:1885–1896 19. Zhao J, Wang S, Chang Y, Li X (2015) A novel image encryption scheme based on an improper fractionalorder chaotic system. Nonlinear Dyn. doi:10.1007/s11071-015-1911-x 20. Zhu C, Liao C, Deng X (2013) Breaking and improving an image encryption scheme based on total shuffling scheme. Nonlinear Dyn 71:25–34 21. Zhu ZL, Zhang W, Wong KW, Yu H (2011) A chaos-based symmetric image encryption scheme using a bitlevel permutation. Inf Sci 181:1171–1186

Benyamin Norouzi (Corresponding Author) received the B.S and M.S degrees in electrical engineering from Hakim Sabzevari University and Iran University of Science & Technology in 2010 and 2012, respectively. He is currently a member of the Electronic Research Center of Electrical Engineering at the Iran University of Science and Technology as a PHD student. His research interest includes: Cryptography, Multimedia Security, and Image Processing. Email: [email protected].

Sattar Mirzakuchaki Received the B.S. degree in electrical engineering from University of Mississippi in USA in 1989 and the M.Sc and Ph.D also in Electrical Engineering from the University of Missouri in 1991 and 1996 respectively. He is currently an assistant professor in the electrical engineering department at IUST. His research interests include Cryptography, Image Processing, growth and characterization of semiconductor devices and VLSI design. Email: [email protected].