Cryptanalyzing an Image Cryptosystem Based on Circular Inter-Intra Pixels Bit-Level Permutation

,


I. INTRODUCTION
The image information security is closely related to people's daily life. In order to realize secure image transmission and storage on the internet and cloud, a large number of image encrypting and hiding systems have been proposed [1]- [8].
With the vigorous development of image crypto-graphy, the cryptanalysis researches on image encryption systems have also achieved fruitful results. The image encryption algorithms in [9]- [18] are cracked by the cryptographic analysis methods in [19]- [28], respectively. Among these image cryptanalysis methods, the known/chosen plain-image attacks are the most commonly used methods. Advances in image cryptanalysis technologies are prompting the researchers to continue to study more secure image encryption algorithms.
Several recent image encryption algorithms and their attack methods are itemized below.
An image encryption algorithm based on information entropy and chaotic system was proposed in [29]. In this algorithm, the pseudo-random matrices for image encryption were produced using the Sine map modulated by Logistic map. To make the encryption process relate to the plain images, the information entropy of plain image was used The associate editor coordinating the review of this manuscript and approving it for publication was Muhammad Imran Tariq . as the implicit control parameter of the chaotic system. The whole encryption process of the algorithm was composed of row permutation, column permutation, grayscale value transformation and weighted diffusion operations. However, all the merits of the algorithm claimed in [29] are negated in [30]. Especially, the image encryption algorithm in [29] was pointed out in [30] to have weak key sensitivity and weak plaintext sensitivity. By constructing plain images with the same information entropy, the algorithm in [29] can be deciphered by means of chosen plaintext attack.
A pseudo-random number generator based on multiple chaotic maps (i.e. Logistic map, Sine map and Chebyshev map) was proposed in [31]. Subsequently, a pseudo-random sequence, whose size is the same length as vectorized plain image, was produced by the generator. The index sequence obtained by sorting the pseudo-random sequence is used to shuffle the image vector, and the original pseudo-random sequence is used to diffuse the shuffled vector by the addition modulus operations. Then, the diffused vector is circularly left-shifted to get the ciphered image vector. However, not long after that, two crack comments on the algorithm [31] were independently proposed in [32] and [33]. Interestingly, the same method of chosen plaintext attack was employed in both [32] and [33]. It was pointed out in [33] that the algorithm in [31] can be cracked thoroughly by choosing at most 3MN pairs of plain-cipher images. Here, M and N are the height and width of the image, respectively. In addition, some defects of the algorithm in [31] were listed in [32], [33], and then an improvement of the algorithm was also suggested in [32], [33].
An image encryption algorithm based on Tent map was proposed in [34]. Firstly, the plain image is converted into a two-dimensional bit-image. Secondly, the bit-image is shuffled by the Line map (controlled by a pseudo-random sequence). Thirdly, the shuffled image is diffused based on row and column by XOR operation. Finally, the above steps are looped many times to get the ciphered image. This algorithm can be cracked by the chosen plaintext attack when its loop time is less than three [35]. When its loop time is greater than or equal to three, the algorithm can be cracked by the chosen plaintext attack based on codebooks [35]. The space complexity of this attack is O (MN), where, M × N is the size of the image.
A color image encryption algorithm based on DNA computing was presented in [36]. In this algorithm, the red, blue and green components of the color image are transformed into DNA encoding matrices respectively. Then, DNA addition operations are performed between different layers of DNA matrices. And circular shift operations controlled by secret key are carried out in each layer. After that, all the layers of DNA matrices are interleaved with each other. Now, each layer is separately shuffled by the key streams. Finally, another interleaving operation is executed on the different layers to get the ciphered DNA matrices. However, the shuffle operation of the image algorithm was found to be invalid for some special images [37]. Furthermore, a chosen plaintext attack method was also proposed in [37] to crack the algorithm in [36] successfully. For the plain image of size 256 × 256, only two pairs of plain-cipher images are needed to obtain the equivalent keys of the algorithm in [36].
Recently, a new image encryption algorithm based on chaos was proposed, which was claimed to be secure for communication systems [38]. The work of this paper is aimed at the cryptanalysis of the algorithm in [38]. The reset of the paper is organized as follows: In Section 2, the image encryption algorithm [38] was described in detail. Then some defects of this algorithm are discussed in Section 3. And two attack methods on the algorithm are suggested in Section 4. The conclusions are in Section 5
Step 3. Produce two bit sequences Step 4. Generate a matrix Col from {a i } by (4), and with the similar method generate a matrix Row from {b i }. Both Col and Row are of size M × M .
Here, the matrices Col and Row are the equivalent keys of the system. Now, the process of the image encryption is as follows: Step 1. Perform the following circular shift operation on each row of plain image I to get a new image, denoted by Q with the size of M × M . The algorithm is shown in Fig. 1.
Take the ith row of the image I as an example to introduce the circular shift operation. Firstly, produce a bit sequence T of length 8M from the elements of the ith row of I, satisfying T(8j to 8j + 7) = dec2bin(I(i, j)), j = 0, 1, 2, . . . , M − 1. Secondly, count the number of bit 1 in T as ns. Thirdly, let dir = mod(ns,2). If dir = 0, then circularly right-shift T for ns bits; if dir = 1, then circularly left-shift T for ns bits. Finally, produce the ith row of Q by T such that Q(i, j) = bin2dec(T(8j to 8j + 7)), j = 0, 1, 2, . . . , M − 1.
Step 2. Transform Q into a new matrix C with the equivalent keys of Col and Row as follows: Let C=Q, then And C is the ciphered image. As for the system, its decryption process is the inverse of its encryption process. For more details about the decryption process, please refer to [38].

III. SHORTCOMINGS OF THE SCHEME UNDER STUDY
According to Section II, the system in [38] consists of two steps. The first step is a row-based circular shift process, and the second step is a row-and-column-based XOR process. Both the steps have some defects. In the first step, if the plain image is an all-white or an all-black image, then the circular shift operation does not work for such images. In fact, if each row of the plain image satisfies one of the following conditions, the first step will not work.
Condition 1: The number of bit 1 is an integer multiple of 8k, and each k adjacent bytes are the same. Where, mod(M , 8k) = 0, and M is the width of the image. According to Kerckhoff's rule, it is assumed that one can use the encryption device at will. Therefore, the enemy can choose those images satisfying one of two above conditions as the plain images, thus bypassing the first step of the encryption system.
In the second step of the algorithm, there is no diffusion operation. The equivalent form of Step 2 in Section 2 is: where, each symbol comes from Section II. If let the matrix S = Row ⊕ transpose(Col), then C = Q ⊕ S. Here, S is the equivalent key that the enemy will attack.
According to its second step, the system has no diffusion function. So this system is plain-image insensitive. Here, take the image Lena of size 256×256 as the plain image (as shown in Fig. 2a), and take the secret key as (x 01 , x 02 , r 1 , r 2 ) = (0.68775492511773, −0.0134623354671, 5.938725025421, 10.257490188615) (partly from [38]). Then, use the encryption system to encrypt Lena to get its ciphered image (as shown in Fig. 2b). Use the decryption system to decrypt Fig. 2b to get its recovered image (as shown in Fig. 2c). Under these conditions, use the indexes of NPCR, UACI [2] and BACI [8] to test the plain-image sensitivity of the system. Here, conduct 1000 experiments to calculate the mean value of each index. In each experiment, randomly choose one pixel from the image Lena, and then randomly change one bit of the chosen pixel. And use the two images before and after the change as the plain test images. The experimental results of plain-image sensitivity are as shown in Table 1. From Table 1, one can see that the calculated value of each index deviates seriously from its respective theoretical value, indicating that the system is not plain-image sensitive.

IV. CRACK METHODS ON THE SYSTEM UNDER STUDY
According to the analysis in Sections II-III, the enemy only needs to attack the equivalent key S in Section III. This section will discuss two attack methods on the system in [38].

A. CHOSEN PLAIN-IMAGE ATTACK
If the enemy can freely use the encryption device of the system in [38], he can arbitrarily choose the plain image and get the corresponding ciphered image. According to Section III, if he chooses the all-black image as the plain image, he will get the corresponding ciphered image which is S, i.e. the equivalent key of the system.
The steps of chosen plain-image attack are as follows: Step 1. Assume that the ciphered image to be attacked is labeled by C 1 with the size of M × M .
Step 2. Choose the all-black image of size M × M as the input of the encryption device, and obtain the corresponding ciphered image, i.e. S.
Step 4. Execute the following circular shift operation on each row of the image Q 1 to get a new image, denoted by I 1 with the size of M × M .
The image I 1 is the recovered image obtained by attacking C 1 , and I 1 is exactly the same as the original input plain image.
Attacking Example 1: Assume that the plain image is a 4 × 4-sized matrix, denoted by I as shown in Fig. 3, and the secret key is set to K = (0.6878, −0.0135, 5.9387, 10.2575). Meanwhile, assume that the attacker can obtain the ciphered image of all-black image of size 4 × 4, which is denoted by S as shown in Fig. 3. According to the above steps of chosen plain-image attack, the ciphered image C 1 is XORed with S to get the matrix Q 1 , as shown in Fig. 3. Then, according to the inverse process of Fig. 1, Q 1 is converted into the matrix I 1 . From Fig. 3, one can see that I 1 is exactly the same as the original plain image I.
Attacking Example 2: Assume that there are three encryption devices, and their secret keys are K 1 = (0.6878, -0.0135, 5.9387, 10.2575), K 2 = (0.6006, −0.7162, 33.5067, 6.0334), and K 3 = (−0.1565, 0.8315, 18.1623, 27.9655), respectively. Use these three devices to encrypt the plain images (all of size 256 × 256, as shown in Figs. 4a-4c, respectively) separately to get their corresponding ciphered images (as shown in Figs.  4d-4f, respectively). Now, assume that the enemy can freely use these three encryption devices, and the enemy has intercepted the three ciphered images shown in Figs. 4d-4f. The enemy employs the above-mentioned method of chosen plain-image attack. And after he input the all-black image of size 256 × 256 into the three devices, he will get the ciphered image of each device, i.e. the equivalent key of each device (as shown in Figs. 5a-5c, respectively). Then, he can continue cracking the ciphered images in Figs. 4d-4f to get their recovered images, as shown in Figs. 5d-5f.
Comparing Figs. 4a-4c with Figs. 5d-5f, one can see that the attacker has succeeded in cracking the encryption system with only one all-black plain image and its ciphered image. In the computer equipped with Intel R Core TM i7-8650U@1.90GHz, 16GB RAM and MATLAB R2018a, the chosen plain-image attack time for cracking one ciphered image of size 256 × 256 is about 0.4581s.

B. KNOWN PLAIN-IMAGE ATTACK
Sometimes the enemy cannot address the encryption device of opposite party, so he cannot conduct the chosen plainimage attack. But in general, the enemy can get some pairs of plain-cipher images more easily. In this section, one can see that the system in [38] is unsecure confronting the known plain-image attack. Only one pair of known plain-cipher images can reveal the equivalent key S of the system.
The steps of known plain-image attack are as follows: Step 1. Denote the image to be attacked as C 1 with the size of M × M .  (e) Ciphered image of (b) using the device with the key K 2 ; (f) Ciphered image of (c) using the device with the key K 3 . Step 2. Assume that the enemy has known a plain image P 0 of size M × M and its corresponding ciphered image C 0 .
Step 3. Execute the following circular shift operation on each row of the image P 0 to get a new image, denoted by Q 0 with the size of M × M .
Step 4. Let S = C 0 ⊕ Q 0 . And S is the equivalent key of the encryption device.
Step 6. Execute the following circular shift operation on each row of the image Q 1 to get a new image, denoted by I 1 with the size of M × M . Take the ith row of the image Q 1 as an example to introduce the circular shift operation. Firstly, produce a bit sequence T of length 8M from the elements of the ith row of Q 1 , satisfying T(8j to 8j+7) = dec2bin(Q 1 (i, j)), j = 0, 1, 2, . . . , M −1. Secondly, count the number of bit 1 in T as ns. Thirdly, let dir = mod(ns,2). If dir = 1, then circularly right-shift T for ns bits; if dir = 0, then circularly left-shift T for ns bits. Finally, produce the ith row of I 1 by T such that I 1 (i, j) = bin2dec(T(8j to 8j + 7)), j = 0, 1, 2, . . . , M − 1.
The image I 1 is the recovered image obtained by attacking C 1 , and I 1 is exactly the same as the original plain image.
Attacking Example 3: Assume that the plain image is a 4 × 4-sized matrix, denoted by I as shown in Fig. 6, and the secret key is set to K=(-0.6263, -0.0205, 13.2808, 25.3911). Meanwhile, assume that the attacker can obtain the ciphered image C 0 of a known image P 0 of size 4 × 4. Both P 0 and C 0 are shown in Fig. 6. According to the above steps of known plain-image attack, P 0 is converted into Q 0 with the help of Fig. 1, and the ciphered image C 0 is XORed with Q 0 to get the matrix S, as shown in Fig. 6. Then, the ciphered image C 1 is XORed with S to get the matrix Q 1 . Finally, according to the inverse process of Fig. 1, Q 1 is converted into the matrix I 1 . From Fig. 6, one can see that I 1 is exactly the same as the original plain image I.
Attacking Example 4: Suppose that there are three encryption devices based on the algorithm in [38], whose secret keys are K 1 = (−0.6263, −0.0205, 13.2808, 25.3911), K 2 = (−0.1088, 0.2926, 24.6529, 9.8784), and K 3 = (0.4187, 0.5094, 8.5699, 19.9509), respectively. Employ these three devices in turn to encryption the images in Figs. 7a-7c separately to obtain their corresponding cipher images (as shown in Figs. 7d-7f, respectively). Then, employ these three devices in turn to encryption the images in Figs. 8a-8c separately to obtain their corresponding cipher images (as shown in Figs. 8d-8f, respectively). Now, assume that the enemy cannot address the three devices, but he intercepts three pairs of plain-cipher images as shown in Fig. 8, i.e. he obtains one pair of plain-cipher images for each device. Simultaneously, the enemy intercepts the ciphered images as shown in Figs. 7d-7f. According to the above-mentioned method of known plain-image attack, the enemy can reveal the equivalent key of each device (as shown in Figs. 9a-9c), then he can crack the ciphered images in Figs. 7d-7f to get their recovered images (as shown in Figs. 9d-9f, respectively).
Comparing Figs. 9d-9f with Figs. 7a-7c, one can see that the cracked images are separately identical to their original plain images, which means that only one pair of known plaincipher images are required to successfully crack the system in [38].
In the same computer used in Example 2, for the image of size 256 × 256, it will take about 0.6484s to crack the (d) Ciphered image of (a) using the device with the key K 1 ; (e) Ciphered image of (b) using the device with the key K 2 ; (f) Ciphered image of (c) using the device with the key K 3 . encryption system using MATLAB 2018a with the known plain-image attack method.

V. CONCLUSION
The image encryption algorithm in [38] was reviewed in detail in this paper. It was pointed out that there are some shortcomings in this scheme, such as the scrambling operation does not work on many special images, and the algorithm possesses no diffusion operations. Moreover, two crack methods on the system were proposed, and the crack time of both methods on the used computer is less than 1s for the image of size 256×256. The research work in this paper shows that the methods of both chosen plain-image attack and known plainimage attack can successfully crack the system in [38] with only one pair of plain-cipher images.
Furthermore, according to the crack methods in this paper, it is easy to know that if the enemy can freely use the decryption system in [38], then he can crack the decryption system with the method of chosen cipher-image attack, and get the equivalent key of the system with only one pair of cipherplain images. Therefore, the image cryptosystem based on the algorithm in [38] is insecure and cannot be applied to the actual image security system.