Cryptanalysis of Novel Image Encryption Scheme Based on Multiple Chaotic Substitution Boxes

In recent years, many chaos-based substitution boxes (S-boxes) have been proposed. Recently, an image encryption technique based on multiple chaotic S-boxes was proposed. This encryption method relies only on the confusion produced by applying the S-box. The confusion used in the scheme under study can be broken with just one chosen-plaintext attack and one chosen-ciphertext attack. This article presents the detailed structure of two types of cryptographic attacks on the diffusion-based encryption scheme. The proposed attacks retrieve the key with very little execution time using just one chosen image, which indicates the vulnerability of cryptosystems based on multiple chaotic S-boxes. The retrieved data is passed through statistical analyses such as correlation, histogram, and entropy to check the correctness of the recovered data.


I. INTRODUCTION
Data protection is considered one of the most important issues; it is an indispensable necessity, especially for data-based activities and transactions. In particular, data must be encrypted before it is transmitted over a network. Generally, cryptosystems fall into two major classes. The first class comprises traditional and classical encryption schemes such as the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). These structures are theoretically simple yet show robust resistance to conventional attacks. The main concern with traditional systems is their reliance on numerous complex mathematical operations, which leads to long execution times when encrypting multimedia data. The second class comprises algorithms built on Shannon's confusion and diffusion theory [1]. Confusion describes how a change in the private key affects the output, and diffusion measures how a change in the input data affects the output.
The associate editor coordinating the review of this manuscript and approving it for publication was Jiafeng Xie.
Shannon's confusion and diffusion design is further important for data encryption because of its strength against numerous attacks and its lower execution time. The nonlinear component of a block cipher (the S-box) is significant for secure communication and confusion. The design of the Substitution box was first introduced in 1949 by Shannon [1]. If the nonlinear component is not secure, the encryption standard is compromised. The strength of the S-box determines the strength of the block cipher. Many attempts have been made to improve the quality of S-boxes, and cryptographers have devoted considerable attention in the literature to testing the properties of well-known Substitution boxes. The S-box is a significant nonlinear module used to obscure the relationship between the ciphertext and the private key in a block cipher architecture. From a mathematical perspective, the Substitution box can be viewed as a vector Boolean function. Mathematical structures and random methods are generally used to construct S-boxes. A huge number of strong S-boxes need to be built. The protection offered by block ciphers is directly related to their nonlinear components; the best example is the Data Encryption Standard (DES). The S-box plays a crucial role in transforming a plaintext or intelligible message into an encoded form. The construction of powerful S-boxes is therefore a significant concern for security experts.
The authors in [2] presented the Gray S-box for AES, which is created by adding the binary Gray code conversion to the traditional AES S-box. To minimize the time complexity of AES, the authors in [3] changed the affine mapping of the AES S-box. In [4], to decrease the computational complexity of S-box design, the authors proposed a new Substitution box design approach centered on single expression algebra. In [5], the authors suggested a new S-box based on a fractional linear transformation over the Galois field $GF(2^8)$, which can generate uncertainty in the results. The authors in [6] used the principles of group theory to suggest a new S-box structure. A secure S-box with near-optimal characteristics was developed in [7]; for this purpose, the authors applied a systematic group-theoretical approach. By combining chaotic maps and linear fractional mapping, Ullah et al. [8] created five powerful S-boxes. To produce 462,422,016 different AES-like Substitution boxes, Razaq et al. [9] employed the behavior of the symmetric group $S_4$ and permutation groups of order 21,504. In [10], a novel genetic method for evolving Substitution boxes with high non-linearity was proposed, and the authors applied their system successfully to various S-boxes. The piecewise linear chaotic system and the traveling salesman problem were explored by Ahmad et al. [11] to construct a powerful S-box. An important algebraic procedure was suggested in [12] to build a robust Substitution box; the authors employed $S_{16}$ permutations and associative loops in their S-box design. Ahmad et al. [13] suggested a new methodology based on artificial bee colony optimization and a chaotic system to construct an S-box with very efficient cryptographic features. To build an S-box with strong cryptographic characteristics, Javeed [14] used an innovative chaotic map and a suitable element of $S_{256}$. An innovative Substitution box structure was proposed by Khan et al. [15] using Lorenz equations. Artuger and Özkaynak [16] developed a new framework to strengthen the performance of chaos-based Substitution boxes. Ahmad et al. [17] used Particle Swarm Optimization for secure nonlinear component development.
S-boxes have also been used by many researchers in image encryption applications [18]-[26]. In [27], the authors presented a 2D modular chaotification system for improving the complexity of chaos. The authors in [28] designed a color image encryption technique based on a 2D logistic tent map. Hua et al. suggested a new 2D chaotic system and an orthogonal Latin square-based color image encryption method. Shah et al. proposed a common criterion in [30] to test specific forms of S-boxes and assess their suitability for image encryption applications. Wu et al. [31] proposed an innovative image encryption procedure centered on coupled-map lattices (CML) and a fractional-order chaotic method. However, not all encryption schemes that use an S-box are secure [32]-[39]. The reason is that applying an S-box alone creates only confusion in the data; diffusion, a very important part of Shannon's theory [1], is skipped.
In this study, we present a cryptanalysis of Khan's cryptosystem [40] using only one chosen-plaintext attack and one chosen-ciphertext attack with very little computation. The scheme offered in [40] relies on confusion only and ignores diffusion. Encryption schemes based only on confusion components are not secure. The proposed attack is effective because of these vulnerabilities in the scheme under study. We have also carried out security analyses to verify the quality of the retrieved data. Common analyses such as histogram, correlation, and entropy are performed to confirm the exactness of the data recovered by the proposed attacks. We have also suggested an improved encryption scheme to increase encryption security as well as time efficiency.
The rest of the article is arranged as follows. Section 2 gives a brief description of the cryptosystem under study. Section 3 presents two types of cryptographic attacks on Khan's scheme. Section 4 performs security analyses of the recovered image. Section 5 presents the execution time analysis. Section 6 suggests a new cryptosystem to increase the encryption security of Khan's cryptosystem. The last section draws a conclusion.

II. BRIEF DESCRIPTION OF UNDERSTUDY SCHEME
In cryptography, chaotic systems are used as a source of randomness because of their unpredictability and sensitivity to initial conditions. Khan [40] proposed a multi-parameter chaotic-system-based encryption scheme using a combination of the Lorenz [41] and Rossler [42] systems. The system of equations for the proposed system is defined as: (1)
The system (1) is highly non-linear and exhibits chaotic behavior for the parameter values δ = 16, β = 45.2, r = 2, a = 0.2, b = 0.2, and c = 5.7. The following stages were implemented for the image encryption mechanism:
Step 1: The initial conditions and chaotic parameters were inserted into system (1) as the input of the chaotic map.
Step 2: The solution trajectories obtained from step 1 were stored in arrays known as x, y, and z.
Step 3: The obtained trajectories were passed through an affine transformation, and a single array was generated in the range from 0 to 255.
Step 4: The entries obtained from step 3 were reshaped into a 16 × 16 matrix and stored as the proposed Substitution box.
Step 5: An image of size m × n was supplied as the input of the encryption algorithm.
Step 6: The S-box obtained in step 4 was applied to the input image, and the result was stored as the cipher image.
The encryption structure of Khan's scheme by using the above suggested S-box is elaborated in Fig. 1.

III. CRYPTANALYSIS OF KHAN'S ENCRYPTION SCHEME [40]
Generally, we assume that the attacker knows the details of the cryptographic structure under study; this assumption is known as Kerckhoffs's principle [43]. The attacker is familiar with the encryption and decryption structure of the algorithm but does not hold the private key for encryption and decryption. Cryptanalysis of the scheme under study is performed by a chosen-plaintext attack and a chosen-ciphertext attack. In this setting, the attacker gets short-term access to the encryption device, supplies chosen plain data, and encrypts the chosen plain images to obtain their respective cipher images. In this section, we apply the chosen-plaintext attack and the chosen-ciphertext attack to the encryption system under study.

A. CHOSEN-PLAINTEXT ATTACK
The chosen-plaintext attack is applied to obtain the encryption key of the algorithm. The encryption key used in Khan's cryptosystem is the Substitution box. Suppose that two parties, Alice and Bob, are communicating over an insecure channel using Khan's cryptosystem. An attacker, Trudy, interrupts their communication by inserting chosen plain data and pretending to be Alice while communicating with Bob. Trudy has short-term access to the encryption device and chooses a special image to feed into the encryption algorithm, defined as: Trudy passes the chosen image P through Khan's encryption scheme, Bob encrypts P, and the obtained result is where S is the application of the S-box to each pixel of the chosen image. The image obtained after applying the S-box is the cipher image C.
The cipher image matrix obtained from the chosen-plaintext attack gives the substitution box used in the encryption scheme. Each row of the cipher image C contains the entries of the S-box in ascending order. Therefore, Trudy obtains the S-box used in encryption from just one chosen-plain image. The S-box retrieved by the chosen-plaintext attack is listed in Table 1. Astonishingly, the original Substitution box is retrieved with the help of just one chosen-plain image. This shows that Khan's cryptosystem is vulnerable to chosen-plaintext attacks.

B. CHOSEN-CIPHERTEXT ATTACK
The chosen-ciphertext attack is applied to obtain the decryption key of the algorithm. The decryption key used in Khan's cryptosystem is the inverse Substitution box. Suppose that the attacker has short-term access to the decryption device and chooses a special image to feed into the decryption algorithm, defined as The chosen image C is passed through Khan's decryption algorithm, and the obtained result is where $S^{-1}$ is the application of the inverse S-box to each pixel of the chosen cipher image. The image obtained after applying the inverse S-box is the plain image P.
The plain image matrix obtained from the chosen-ciphertext attack gives the inverse substitution box used in the decryption process. Each row of the plain image P contains the elements of the inverse S-box in ascending order. The inverse S-box retrieved by the chosen-ciphertext attack is depicted in Table 2.
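The two single-query recoveries described in subsections A and B can be reproduced on a toy model. The following is an added example, not code from the paper: the secret S-box is a seeded random bijection standing in for the chaotic S-box (an assumption), the chosen image has rows 0, 1, ..., 255 as the text implies, and all function names are hypothetical.

```python
import random

def make_secret_sbox(seed):
    """Stand-in for the secret chaotic S-box (assumption): a bijection on 0..255."""
    sbox = list(range(256))
    random.Random(seed).shuffle(sbox)  # not the Lorenz/Rossler construction
    return sbox

def invert(table):
    """Return the inverse of a 256-entry bijective table."""
    inv = [0] * 256
    for x, y in enumerate(table):
        inv[y] = x
    return inv

def substitute(image, table):
    """Confusion-only cipher: each pixel is replaced independently, no diffusion."""
    return [[table[p] for p in row] for row in image]

def ramp_image(rows=2):
    """Chosen image: every row is 0, 1, ..., 255 in ascending order."""
    return [list(range(256)) for _ in range(rows)]

def recover_table(oracle):
    """One oracle query: each output row lists table[0], ..., table[255]."""
    out = oracle(ramp_image())
    if any(row != out[0] for row in out):
        raise ValueError("rows differ: the oracle is not a fixed pixel-wise table")
    if sorted(out[0]) != list(range(256)):
        raise ValueError("output row is not a permutation of 0..255")
    return out[0]

def demo():
    secret = make_secret_sbox(seed=2021)           # known only to the device
    encrypt = lambda img: substitute(img, secret)
    decrypt = lambda img: substitute(img, invert(secret))

    sbox_cpa = recover_table(encrypt)              # chosen-plaintext query
    inv_cca = recover_table(decrypt)               # chosen-ciphertext query

    # Constructed 3x4 "victim" image, encrypted by the device.
    victim = [[12, 200, 200, 7], [0, 255, 31, 31], [90, 90, 91, 92]]
    cipher = encrypt(victim)
    return {
        "sbox_recovered": sbox_cpa == secret,
        "inverse_recovered": inv_cca == invert(secret),
        "decrypted_with_inverse": substitute(cipher, inv_cca) == victim,
        "decrypted_via_sbox": substitute(cipher, invert(sbox_cpa)) == victim,
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The row-consistency check in `recover_table` doubles as a design test: a cipher whose output rows differ for identical input rows is not a fixed pixel-wise table, and the single-query recovery no longer applies.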

IV. STATISTICAL ANALYSIS OF RECOVERED IMAGE
This section presents the efficiency of the proposed attacks on Khan's encryption scheme. The analyses performed to evaluate the implemented attacks are correlation, histogram, and entropy. Each analysis shows that the recovered image exhibits the same properties as the original.

A. CORRELATION ANALYSIS
Neighboring pixels of plain images are highly correlated in the horizontal, vertical, and diagonal directions, so the value of the correlation coefficient is generally high. An ideal encryption scheme decreases the correlation between image pixels. Statistically, the correlation coefficient is determined as where E is the expected value, m represents mean deviation, and S shows standard deviation. This relation measures the correlation among the adjacent pixels x and y in each direction.
Here we have determined the correlation coefficient for the original, encrypted, and recovered images. Correlation values of the Baboon image in the horizontal, vertical, and diagonal directions are given in Table 3. From these values, we can see that the correlation of the original and recovered images is the same in each direction. This shows that the proposed attack retrieves the original image precisely. Correlation diagrams for the original, encrypted, and recovered images in the horizontal, vertical, and diagonal directions are presented in Fig. 2. From these diagrams we can clearly observe that the original and recovered images exhibit the same pixel distribution. The similarity in the correlation diagrams reveals that the original data is successfully retrieved by using a chosen-plaintext attack and a chosen-ciphertext attack.

B. HISTOGRAM ANALYSIS
The randomness of data is observed by histogram analysis. The histogram of an original image is irregularly distributed, and after an encryption process the histogram becomes uniform. An ideal encryption algorithm produces a cipher image that exhibits a uniformly distributed histogram. The 3D histograms of the plain Baboon image layers are displayed in Fig. 3 (i-iv), the encrypted image channels are depicted in Fig. 3 (v-viii), and the recovered image layers are presented in Fig. 3 (ix-xii). The visual results indicate that the recovered image is analogous to the plain image.

C. ENTROPY
Information entropy measures the amount of uncertainty in a random variable. Mathematically, information entropy is calculated by: where M represents the value of gray level and p is the percentage of pixels for which the value is equal to m. The ideal value of information entropy for a grayscale image with the data range [0, 255] is 8. Entropy values for the original, encrypted, and recovered Baboon images are listed in Table 4. From the presented results it is evident that the entropy values for the original and retrieved images are the same, which indicates that the plain image is recovered successfully by the proposed attacks.

V. EXECUTION TIME COMPLEXITY ANALYSIS
The execution time of a computational task is the maximum length of time the task could take to run on a specific hardware platform. The performance of the proposed attacks can be assessed by the execution time needed to perform them. The execution time (in seconds) to retrieve the Baboon image of different sizes by the chosen-plaintext attack and the chosen-ciphertext attack is listed in Table 5. From the listed results, we can observe that the image of size 128×128, 256×256, 512×512

A. COMPARATIVE EXECUTION TIME ANALYSIS
The execution time of the chosen-plaintext attack is compared with the existing cryptanalysis scheme in Table 6. From the listed comparison we can observe that the proposed attack retrieves a Baboon image of different sizes in less time than the attacks offered in [39].
The comparison of chosen-ciphertext attack is depicted in Table 7. The comparative results reveal that the performance of offered attacks is much better than the attacks employed in Reference [39].

VI. THE PROPOSED IMPROVEMENT
A robust encryption scheme must adhere to Shannon's confusion-diffusion theory. The encryption structure under study provides confusion only, and diffusion was ignored. Confusion can be attained by substitution alone, whereas a permutation or XOR operation generates diffusion in ciphers and breaks the relationship between plaintext and ciphertext. To address the vulnerabilities in Khan's encryption scheme, an improvement is suggested and elaborated as follows:

A. PERMUTATION PHASE
The first step in constructing a secure cryptosystem is to add diffusion to the algorithm. Let $P_R$, $P_G$, and $P_B$ be the red, green, and blue channels of the plaintext to be encrypted. Here we suggest shuffling the array using some key $k_1$ and bitwise addition using some key $k_2$. The mathematical steps of permutation are defined as follows: where $C_R^1$, $C_G^1$, and $C_B^1$ are the respective shuffled image layers of the plain images $P_R$, $P_G$, and $P_B$ obtained using the private key $k_1$. The shuffled cipher images are passed through the bit-wise addition operation using a secret key $k_2$.
where $C_R^2$, $C_G^2$, and $C_B^2$ are the cipher channels obtained after the bitwise addition operation.

B. CONFUSION PHASE
The cipher image obtained from the permutation phase is passed through the second phase of the proposed improvement, the confusion phase. Let S be the substitution operation applied using the S-box presented in Table 1. Mathematically, the confusion process is done as follows: where $C_R^3$, $C_G^3$, and $C_B^3$ are the respective cipher components of the plain layers $P_R$, $P_G$, and $P_B$. The combination of three operations, shuffling, bit-wise addition, and substitution, gives a secure cryptosystem which can defeat all cryptographic attacks such as chosen-plaintext and chosen-ciphertext attacks.

C. SECURITY ANALYSIS
The suggested modified cipher comprises a mixture of three operations, shuffling, bit-wise addition, and substitution, instead of using substitution only. The improved encryption technique can resist chosen-plaintext attacks and chosen-ciphertext attacks. The failure of these attacks can be elaborated by the following points:
1. The operations of shuffling and addition become invariant when the input consists of all zeros, but Substitution produces the cipher without revealing the mapping of elements. Consider P = 0 as the input data. Mathematically, the performance of the algorithm is defined by: where k is the key used for the bit-wise addition operation and C is the cipher image produced by the improved image encryption technique. Therefore, we can observe that by inserting chosen plain data we cannot get information about plain data, and the improved technique resists the linear attacks.
2. The Substitution can be retrieved by inserting the matrix with entries arranged in ascending order, but the operations of shuffling and bitwise addition defeat this attack. Mathematically, the encryption of the chosen plaintext by the modified cipher can be shown as: Shuffling
$$\begin{pmatrix} 0 & 1 & \cdots & 255 \\ 0 & 1 & \cdots & 255 \\ \vdots & \vdots & \ddots & \vdots \end{pmatrix}$$
where $C_3$ is the final cipher data produced by the modified encryption technique from the chosen-plaintext data. From the above mathematical steps, we can observe that the final cipher does not reveal any information about the secret key. Therefore, we can say that the improved encryption technique is secure against all possible attacks.
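Points 1 and 2 can be checked on a small model of the three-stage cipher. This is an added example, not the authors' implementation: the shuffle is assumed to be a key-seeded pixel permutation, the bit-wise addition is assumed to be XOR with a key-derived byte stream, the S-box is a seeded stand-in rather than Table 1, and all names are hypothetical.

```python
import random

def keyed_permutation(n, k1):
    """Pixel order derived from key k1 (assumed form of the shuffling step)."""
    order = list(range(n))
    random.Random(k1).shuffle(order)   # reproducible stand-in, not a secure PRNG
    return order

def keystream(n, k2):
    """Byte stream derived from key k2 for the bit-wise addition (assumed XOR)."""
    rng = random.Random(k2)
    return [rng.randrange(256) for _ in range(n)]

def make_sbox(seed):
    """Stand-in bijective S-box; the values of Table 1 are not reproduced."""
    sbox = list(range(256))
    random.Random(seed).shuffle(sbox)
    return sbox

def encrypt(pixels, k1, k2, sbox):
    n = len(pixels)
    order, ks = keyed_permutation(n, k1), keystream(n, k2)
    c1 = [pixels[order[i]] for i in range(n)]   # permutation phase: shuffle
    c2 = [c1[i] ^ ks[i] for i in range(n)]      # permutation phase: bit-wise addition
    return [sbox[v] for v in c2]                # confusion phase: substitution

def decrypt(cipher, k1, k2, sbox):
    n = len(cipher)
    order, ks = keyed_permutation(n, k1), keystream(n, k2)
    inv = [0] * 256
    for x, y in enumerate(sbox):
        inv[y] = x
    c1 = [inv[c] ^ ks[i] for i, c in enumerate(cipher)]   # undo S-box, then XOR
    plain = [0] * n
    for i in range(n):
        plain[order[i]] = c1[i]                 # undo the shuffle
    return plain

def checks(k1=11, k2=22, sbox_seed=33, rows=4):
    sbox = make_sbox(sbox_seed)
    ramp = list(range(256)) * rows              # chosen image, flattened row by row
    zeros = [0] * (256 * rows)
    c_ramp = encrypt(ramp, k1, k2, sbox)
    c_zero = encrypt(zeros, k1, k2, sbox)
    ks = keystream(len(zeros), k2)
    return {
        # Substitution alone: a ramp row comes back as the S-box itself.
        "confusion_only_leaks": [sbox[p] for p in ramp][:256] == sbox,
        # Point 2: with shuffle and XOR in front, no cipher row equals the S-box.
        "ramp_row_equals_sbox": any(
            c_ramp[r * 256:(r + 1) * 256] == sbox for r in range(rows)),
        # Point 1: all-zero input gives C = S(k), which mixes S with the key.
        "zero_input_is_S_of_k": c_zero == [sbox[k] for k in ks],
        "round_trip": decrypt(c_ramp, k1, k2, sbox) == ramp,
    }

if __name__ == "__main__":
    print(checks())
```

The checks cover only the two chosen inputs discussed in points 1 and 2; passing them shows that those inputs stop returning the table directly and is not a proof of security for the construction.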

VII. CONCLUSION
In this study, we have shown that the chaos-based encryption technique suggested in [40] provides weak security. We have devised two different kinds of attacks to break the cryptosystem under study. The keystream can be easily determined with the help of just one chosen image, which reveals the vulnerabilities of the cryptosystem. The data retrieved by the proposed attacks are passed through different kinds of security analyses, which show that the recovered data is the same as the original. The similarity between the retrieved and original data indicates the efficiency of the performed attacks. Moreover, we have suggested a brief idea of an improved cryptosystem to enhance the robustness of Khan's encryption scheme. From every point of view, the encryption scheme in [40] cannot be considered a safe algorithm and is not recommended for secure encryption.
VOLUME 9, 2021