Cryptanalyzing an image encryption scheme using reverse 2-dimensional chaotic map and dependent diffusion

Abstract

In the recent literature, many research studies have proven that Known and Chosen plaintext attacks are very efficient tools that are widely used to cryptanalyze partially or completely some chaos-based and non-chaos cryptosystems. In this paper, we addressed some weaknesses in the first Zhang et al., cryptosystem “An image encryption scheme using reverse 2-dimensional chaotic map and dependent diffusion”. First, we analyzed the encryption process of Zhang et al., and we found that the non-linear diffusion process can be removed because its argument is present in the ciphered image. Then, based on this observation we derived a partial cryptanalysis equation that removes the effect of the diffusion function and accordingly permits to recover the permuted version of the ciphered image. As a result of the previous operation, the brute-force attack became more suitable. In addition, we mounted a chosen plaintext attack based on a proposed chosen plain image. Consequently, the encryption key space is reduced or recovered for one round, also, the average values of NPCR and UCAI randomness parameters become small compared to the optimal values, and moreover, they are very low for specific pixel position attacks.

Appendix A: Numerical example on chosen plaintext attack of the first Zhang et al., cryptosystem

The Justification of (15) is given as: (15) is used to decrease the number of possible column positions (i.e., the range of the encryption key q₁). Using the chosen plain image P matrix, the row of the arr(3, 3q₁) is 3.

Firstly, assume that arr(3, 3q₁) = 0, then, this value is skipped. Secondly, assume that arr(3, 3q₁) = 1, then, this value can be located in one of two column positions in row number 3 [(3, 253) or (3, 508)] (see the chosen plain P matrix for more details). Thirdly, assume that arr(3, 3q₁) = 2, then, this value can be located in one of two column positions in row number 3 [(3, 254) or (3, 509)]. Fourthly, assume that arr(3, 3q₁) = 3, then, this value can be located in one of three column positions in row number 3 [(3, 0), (3, 255) or (3, 510)]. Fifthly, assume that arr(3, 3q₁) = 4, this value can be located in one of three column positions in row number 3 [(3, 1), (3, 256) or (3, 511)]. Finally, for all arr(1, q₁) > 4, these values can be located in one of two column positions in row number 3 [(3, arr(3, 3q₁) − 3) or (1, arr(1, q₁) + 252)]. Now, let us take the case when the arr(3, 3q₁) = 4 as an example, without loss of generality, i.e., 3q₁ ∈{1, 256, 511}.

Firstly, the equality equation 3q₁ = 1; to solve this equation, which contains the module operation, the encryption key value q₁ is calculated as:

$$q_{1} = \text{ the integer value of } \left( \frac{1}{3}, \frac{1 + 512}{3}, \frac{1 + 512+ 512}{3}\right) \implies q_{1}= 171. $$

Secondly, the equality equation 3q₁ = 256, then the encryption key q₁ = the integer value of \(\left (\frac {256}{3}, \frac {256 + 512}{3}, \frac {256 + 512+ 512}{3}\right ) \implies q_{1}= 256\).

Finally, the equality equation 3q₁ = 511, then the encryption key q₁ = the integer value of \(\left (\frac {511}{3}, \frac {511 + 512}{3}, \frac {511 + 512+ 512}{3}\right ) \implies q_{1}= 341\).

For all other values (arr(3, 3q₁) > 4), there is a general scheme to calculate the range of the encryption key q₁ values (i.e., a and b parameters in (15)). Now, let us take arr(3, 3q₁) = 5 as another example. i.e., 3q₁ ∈{2, 257}.

Firstly, the equality equation 3q₁ = 2, then: the encryption key q₁ = the integer value of \(\left (\frac {2}{3}, \frac {2 + 512}{3}, \frac {2 + 512+ 512}{3}\right ) \implies q_{1}= 342\).

Secondly, the equality equation 3q₁ = 257.

The encryption key q₁ = the integer value of \(\left (\frac {257}{3}, \frac {257 + 512}{3}, \frac {257 + 512+ 512}{3}\right ) \implies q_{1}= 427\).

From previous developments, we can deduce the following rules for (15):

1. 1.

   In the case where arr(3, 3q₁) ∈{1, 2}, then we have two positions given by: arr(3, 3q₁) + 252 or arr(3, 3q₁) + 507.

2. 2.

   In the case where arr(3, 3q₁) ∈{3, 4}, then we have three positions given by: arr(3, 3q₁) − 3, arr(3, 3q₁) + 252 or arr(3, 3q₁) + 507.

3. 3.

   In the case where arr(3, 3q₁) > 4, then we have two positions given by: arr(3, 3q₁) − 3 or arr(3, 3q₁) + 252.

To justify (20), assume that the ciphered pixel value is one (i.e., T = 1 in (20)). From the chosen plain image P, the value 1, is located in five rows, actually in positions [0, 1, 3, 4, 511], and so: 3p₁ ∈{0, 1, 3, 4}.

Firstly, the equality equation 3p₁ = 0; to solve this equation, which contains the module operation, the encryption key p₁ is calculated as: the encryption key p₁ =the integer value of \(\left (\frac {0}{3}, \frac {0 + 512}{3}, \frac {0 + 512+ 512}{3}\right ) \implies p_{1}= 0\).

Secondly, the equality equation 3p₁ = 1.

The encryption key p₁ = the integer value of \(\left (\frac {1}{3}, \frac {1 + 512}{3}, \frac {1 + 512+ 512}{3}\right ) \implies p_{1}= 171\).

Thirdly, the equality equation 3p₁ = 3.

The encryption key p₁ =the integer value of \(\left (\frac {3}{3}, \frac {3 + 512}{3}, \frac {3 + 512+ 512}{3}\right ) \implies p_{1}= 1\). Fourthly, the equality equation 3p₁ = 4, then the encryption key p₁ =the integer value of \(\left (\frac {4}{3}, \frac {4 + 512}{3}, \frac {4 + 512+ 512}{3}\right ) \implies p_{1}= 172\).

Finally, the equality equation 3p₁ = 511.

The encryption key p₁ = the integer value of \(\left (\frac {511}{3}, \frac {511 + 512}{3}, \frac {511 + 512+ 512}{3}\right ) \implies p_{1}= 341\), p₁ ∈{0, 1, 171, 172, 341}. The same analysis is used for the other values of the variable T, where for T = 2, there are only three possible rows, and for T > 2, there are four possible rows.

Example 1

Calculation of the encryption keys p₁and q₁.

A chosen plain image P is encrypted using 3 randomvalues of the secret key of the Logistic map, namely:[x_− 1, SQ₁], [x_− 1, SQ₂],[key_d, t_− 1]. The following values are obtained from the Lena encrypted image for:[n = 1, m = 1],

$$\begin{array}{@{}rcl@{}} && \mathbf{ciph}(\mathbf{1},\ \mathbf{0})=\mathbf{190},\\ && \mathbf{ciph}(\mathbf{0},\ \mathbf{511})=\mathbf{27},\\ && \mathbf{ciph}(\mathbf{3},\ \mathbf{0})=\mathbf{149},\\ && \mathbf{ciph}(\mathbf{2},\ \mathbf{511})=\mathbf{159},\\ && \mathbf{ciph}(\mathbf{0},\ \mathbf{1})=\mathbf{132},\\ && \mathbf{ciph}(\mathbf{0},\ \mathbf{0})=\mathbf{165},\\ && \mathbf{ciph}(\mathbf{0},\ \mathbf{2})=\mathbf{140},\\ && \mathbf{ciph}(\mathbf{0},\ \mathbf{1})=\mathbf{132}. \end{array} $$

For the first decrypted pixel, using (12) we obtain:

$$\begin{array}{@{}rcl@{}} arr(1,\ q_{1}) &=& ciph(1,\ 0) \oplus f(ciph(0,\ 511)),\\ arr(1,\ q_{1}) &=& 190 \oplus f(27),\\ arr(1,\ q_{1}) &=& 190 \oplus 105,\\ arr(1,\ q_{1}) &=& 215. \end{array} $$

Using (14), the encryption key q₁values are restricted to:

$$q_{1} \in \{215-1,\ 215 + 254\} \implies q_{1} \in \{214,\ 469\}. $$

For thesecond decrypted pixel, using (12) we obtain:

$$\begin{array}{@{}rcl@{}} && arr(3,\ 3q_{1})=ciph(3,\ 0) \oplus f(ciph(2,\ 511)),\\ && arr(3,\ 3q_{1})= 149 \oplus f(159),\\ && arr(3,\ 3q_{1})= 149 \oplus 22,\\ && arr(3,\ 3q_{1})= 131. \end{array} $$

Using (15), the encryption key value q₁ ∈{a, b}.

To find the value of the parameter a of (15), the following conditions are met:

$$\begin{array}{@{}rcl@{}} && ((131-3)\ MOD\ 3)= 2,\\ && ((131 + 509)\ MOD\ 3)= 1,\\ && ((131 + 1021)\ MOD\ 3)= 0. \end{array} $$

The last condition allows us to calculate the value of parametera:

$$a=\frac{arr(3,\ 3q_{1})+ 1021}{3} \implies a = 384. $$

To findthe value of the parameter b in (15), the following conditions are met:

$$\begin{array}{@{}rcl@{}} && ((131 + 252)\ MOD\ 3)= 2,\\ && ((131 + 764)\ MOD\ 3)= 1,\\ && ((131 + 1276)\ MOD\ 3)= 0. \end{array} $$

The last condition allows us to calculate the value of parameter b:

$$b = 469,\text{ so}, q_{1} \in \{384,\ 469\}. $$

The overlap between thefirst range {214, 469}and the second{384, 469}range gives the exact valueof the encryption key q₁:q₁ = 469.

To calculate the exact value of the encryption keyp₁, weconsider the third decrypted pixel and (12), then:

$$\begin{array}{@{}rcl@{}} && arr(p_{1},\ p_{1}q_{1}+ 1)=ciph(0,\ 1) \oplus f(ciph(0,\ 0)),\\ && arr(p_{1},\ p_{1}q_{1}+ 1)= 132 \oplus f(165),\\ && arr(p_{1},\ p_{1}q_{1}+ 1)= 132 \oplus 39,\\ && arr(p_{1},\ p_{1}q_{1}+ 1)= 163. \end{array} $$

Now by using (18), the encryption key p₁valuesare restricted to:

$$p_{1} \in \{1,\ 3,\ 163\times 2-1,\ 163\times 2\}\implies p_{1} \in \{1,\ 3,\ 325,\ 326\}. $$

Finally, the exact valueof the encryption key p₁is obtained by using the fourth decrypted pixel and (12), as follows:

$$\begin{array}{@{}rcl@{}} && arr(2p_{1},\ 2p_{1}q_{1}+ 2)=ciph(0,\ 2) \oplus f(ciph(0,\ 1)),\\ && arr(2p_{1},\ 2p_{1}q_{1}+ 2)= 140 \oplus f(132),\\ && arr(2p_{1},\ 2p_{1}q_{1}+ 2)= 140 \oplus 202,\\ && arr(2p_{1},\ 2p_{1}q_{1}+ 2)= 70. \end{array} $$

Using (19):

$$p_{1} \in \{70,\ 326\}. $$

The overlap between thefirst range ({1, 3, 325, 326}) and the secondrange ({70, 326}) gives the exactvalue of the encryption key p₁:p₁ = 326.

Remark 1

The above procedure can be used to find any encryption keysp₁andq₁parameters.

Example 2

The original image P is encrypted using new random values ofkey_dand x_− 1, where x_− 1 for SQ₁is differed from the value for SQ₂. Also, Lena image of the same size is encrypted using the same dynamic keys, The followingvalues are obtained from the encrypted image of P:

$$\begin{array}{@{}rcl@{}} && \mathbf{ciph}(\mathbf{1},\mathbf{0})=\mathbf{226}\\ && \mathbf{ciph}(\mathbf{0},\mathbf{511})=\mathbf{166}\\ && \mathbf{ciph}(\mathbf{3},\mathbf{0})=\mathbf{142}\\ && \mathbf{ciph}(\mathbf{2},\mathbf{511})=\mathbf{64}\\ && \mathbf{ciph}(\mathbf{0},\mathbf{1})=\mathbf{87}\\ && \mathbf{ciph}(\mathbf{0},\mathbf{0})=\mathbf{45}\\ && \mathbf{ciph}(\mathbf{0},\mathbf{2})=\mathbf{202}\\ && \mathbf{ciph}(\mathbf{0},\mathbf{1})=\mathbf{87}\\ && arr(1,q_{1})=ciph(1,0) \oplus f(ciph(0,511))\\ && arr(1,q_{1})= 226 \oplus f(166)\\ && arr(1,q_{1})= 190 \oplus 41\\ && arr(1,q_{1})= 203\\ && q_{1} \in \{203-1,203 + 254\}\\ && q_{1} \in \{202,457\} \end{array} $$

$$\begin{array}{@{}rcl@{}} && arr(3,3q_{1})=ciph(3,0) \oplus f(ciph(2,511))\\ && arr(3,3q_{1})= 142 \oplus f(64)\\ && arr(3,3q_{1})= 142 \oplus 239\\ && arr(3,3q_{1})= 97\\ && ((97-3)\ MOD\ 3)= 1\\ && ((97 + 509)\ MOD\ 3)= 0\\ && ((97 + 1021)\ MOD\ 3)= 2 \end{array} $$

Then

$$\begin{array}{@{}rcl@{}} && a = 202\\ && ((97 + 252)\ MOD\ 3)= 1\\ && ((97 + 764)\ MOD\ 3)= 0\\ && ((97 + 1276)\ MOD\ 3)= 2\\ && b = 287\\ && q_{1} \in \{202,287\} \end{array} $$

The overlap of the first and the second solutions is at

$$\mathbf{q}_{\mathbf{1}}=\mathbf{202} $$

To calculate the exactvalue of the dynamic key p₁,for the third decrypted pixel, using (12):

$$\begin{array}{@{}rcl@{}} && arr(p_{1},p_{1}q_{1}+ 1) = ciph(0,1) \oplus f(ciph(0,0))\\ && arr(p_{1},p_{1}q_{1}+ 1) = 87 \oplus f(45)\\ && arr(p_{1},p_{1}q_{1}+ 1) = 87 \oplus 171\\ && arr(p_{1},p_{1}q_{1}+ 1) = 252\\ && p_{1} \in \{1,3,252\times 2-1,252\times 2\}\\ && p_{1} \in \{1,3,503,504\} \end{array} $$

For p₁ = 1

$$arr(1,203)= 204 $$

So this value is rejected Forp₁ = 3

$$arr(3,202\times 3 + 1)=arr(3,95)=Mod(Mod(95,255)+ 3,255)= 98 $$

also,this value is rejected

$$\begin{array}{@{}rcl@{}} && arr(2p_{1},2p_{1}q_{1}+ 2)=ciph(0,2) \oplus f(ciph(0,1))\\ && arr(2p_{1},2p_{1}q_{1}+ 2)= 202 \oplus f(87)\\ && arr(2p_{1},2p_{1}q_{1}+ 2)= 202 \oplus 61\\ && arr(2p_{1},2p_{1}q_{1}+ 2)= 247\\ && p_{1} \in \{247,503\} \end{array} $$

The overlap of the first and the second solutions is at

$$\mathbf{p}_{\mathbf{1}}=\mathbf{503} $$

Now, the encrypted Lena image is decrypted using these dynamicvalues(q₁ = 202, p₁ = 503).