一個基於混沌映射且採用明文關聯置換與擴散之影像加密系統的分析與改進

(1)

國立臺灣大學電機資訊學院資訊網路與多媒體研究所碩士論文

Graduate Institute of Networking and Multimedia College of Electrical Engineering and Computer Science

National Taiwan University Master Thesis

一個基於混沌映射且採用明文關聯置換與擴散之影像加密系統的分析與改進

Cryptanalysis and Improvement of a Simple Chaotic Map-Based Image Encryption System Using Both

Plaintext Related Permutation and Diffusion

林承億 Cheng-Yi Lin

指導教授：吳家麟博士 Advisor: Ja-Ling Wu, Ph.D.

中華民國 108 年 7 月

July, 2019

(2)

(3)

摘要

去年七月，Huang 等人提出了一個基於混沌映射且採用明文關聯置換與擴散之影像加密系統 (CIES-UBPRPD)。在 CIES-UBPRPD 中，

置換與擴散都是與明文產生關連的操作。儘管 Huang 等人宣稱 CIES- UBPRPD 有著高度的明文敏感性，我們依然發現其設計上的缺陷使得它無法抵抗選擇明文攻擊。本篇論文分析了 CIES-UBPRPD 中的安全缺陷，且提出一種選擇明文攻擊破解它。我們也提供了一種改進過後的加密演算法，克服了 CIES-UBPRPD 原先的缺陷。

關鍵字：影像加密、渾沌映射、明文關連、密碼分析、選擇明文攻擊

(4)

Abstract

Recently, a simple chaotic map-based image encryption system using both plaintext related permutation and diffusion (CIES-UBPRPD) has been proposed by Huang et al. In CIES-UBPRPD, both the permutation operation and the diffusion operation are related to plain images. Despite the claim that CIES-UBPRPD has high plaintext sensitivity, we have found that it still vulnerable to chosen-plaintext attack. In this thesis, we analyze the security flaws of CIES-UBPRPD and propose a chosen-plaintext attack to break it.

Furthermore, we present an improved encryption algorithm to remedy those flaws of CIES-UBPRPD.

Keywords: Image Encryption, Chaotic Map, Plaintext Related, Cryptanaly- sis, Chosen-Plaintext Attack

(5)

List of Figures

3.1 An example of equivalent keys problem . . . 8

3.2 An example of low sensitivity to the change of plaintext . . . 9

3.3 Simulation result of proposed attack . . . 14

5.1 Plain images, cipher images and decrypted images . . . 21

6.1 Original/encrypted/decrypted image of Lena and their histograms . . . . 23

6.2 Original/encrypted/decrypted image of baboon and their histograms . . . 24

6.3 Correlation distribution of adjacent pixels . . . 26

6.4 Plain image, cipher image and decrypted image of Lena . . . 27

6.5 Images encrypted with 1-bit difference key groups . . . 27

6.6 The differential results . . . 28

6.7 Decrypted images with 1-bit difference key groups . . . 28

(8)

List of Tables

3.1 NPCR and UACI values between the two cipher images . . . 9 6.1 Correlation coefficients . . . 25 6.2 Evaluation results of plaintext sensitivity . . . 29

(9)

Chapter 1 Introduction

With the rapid development of technology, people produce more and more digital information in recent years, most of them are multimedia data such as images and videos.

The problem of protecting privacy arises, and researchers have proposed many encryption algorithms to prevent unauthorized access for those generated media.

Chaotic systems have some good properties like ergodic, highly sensitive to initial conditions and pseudo-randomness, they are often used in cryptosystem[1]. However, hasty designing flaws make encryption algorithms vulnerable even if they are chaotic- based[2].

Recently, Huang et al. proposed a simple Chaotic map-based Image Encryption Sys- tem Using Both Plaintext Related Permutation and Diffusion (CIES-UBPRPD)[3]. In CIES-UBPRPD, permutation and diffusion are related to plain images, and each of them is performed only once during the encryption process. Despite CIES-UBPRPD showing lots of advantages, some designing flaws have been found by us. In this thesis, we make a deeper cryptanalysis on CIES-UBPRPD and break it with a chosen-plaintext attack.

The rest of the thesis is organized as follows. Chapter 2 briefly describes CIES- UBPRPD. In Chapter 3, we demonstrate some flaws of UBPRPD and propose a chosen- plaintext attack against it. Then, we provide an improved encryption algorithm in Chapter 4. The experimental results of the improved algorithm are presented in Chapter 5, and the corresponding security analysis is illustrated in Chapter 6. The final chapter concludes this thesis.

(10)

Chapter 2 Description of the Original Algorithm

In the original CIES-UBPRPD, all arrays start with index 1. In this Section, we use an equivalent description but that all arrays start with index 0 to keep natations consistent.

2.1 The Preparatory Work

2.1.1 Generalized Arnold’s Cat Map

Arnold’s Cat Map is a well-known two-dimensional chaotic system proposed by Rus- sian mathematician Vladimir I. Arnold [4]. In order to achieve higher security and higher randomness, Arnold’s Cat Map now is usually replaced by its generalized form described

as follows: 

x^′ y^′



 =



1 a b ab + 1







x y



 mod



M N



, (2.1)

where (x, y) and (x^′, y^′) are respectively the original pixel and the target pixel positions, aand b are the system parameters, and M and N are respectively the image’s height and width. After obtaining the target position (x^′, y^′), two pixels located in (x, y) and (x^′, y^′) change places.

(11)

2.1.2 Chebyshev Map

The Chebyshev map is a one-dimensional chaotic system which defined as follows:

x_n+1= T_a(x_n) = cos(a× arccosxn) (2.2)

where xn∈ [−1,1] and a ∈ N is another system parameter. For a ≥ 2, chaotic behavior holds. The initial value x₀is considered as part of the secret key. In CIES-UBPRPD, a is fixed at 4.

2.2 Image Encryption Algorithm

2.2.1 Permutation Stage

Step 1 Iterate the Chebyshev map in Equation 2.2 (M× N + n0+ 9) times, discard the first n₀ elements to avoid harmful effect and obtain chaotic sequences x_n which contain (M× N + 9) elements.

x_n={x0, x₁,··· ,xM×N+8}. (2.3)

Obtain another sequence x_nqby

x_nq(i) = (k₁⊗ k2⊗ k3)⊗⌊

x_n(i)× 10¹⁵⌋

(2.4)

where i∈ {0,1,··· ,8} and ⊗ is bitwise XOR operator.

Step 2 Calculate sum_r, sum_gand sum_bby following equations:

sumr=

M−1 i=0

∑

N−1

∑

j=0

PR(i, j), (2.5)

sumg=

M−1

∑

i=0 N−1

∑

j=0

P_G(i, j), (2.6)

sum_b=

M−1

∑

i=0 N−1

∑

j=0

P_B(i, j), (2.7)

(12)

where PR, P_G and PB represent the R, G and B channel of plain image P, respec- tively.

Step 3 Calculate the parameters by following equations:









br= mod (x_nq(0)⊗ sumr+ x_nq(1)⊗ sumg+ x_nq(2)⊗ sumb, 256) ar= mod ((b_r+ 1)× (k1⊗ k2⊗ k3), 65536) + 1

(2.8)









bg= mod (x_nq(3)⊗ sumr+ x_nq(4)⊗ sumg+ x_nq(5)⊗ sumb, 256) ag= mod ((b_g+ 1)× (k1⊗ k2⊗ k3), 65536) + 1

(2.9)









b_b= mod (x_nq(6)⊗ sumr+ x_nq(7)⊗ sumg+ x_nq(8)⊗ sumb, 256) a_b= mod ((b_b+ 1)× (k1⊗ k2⊗ k3), 65536) + 1

(2.10)

where (b_r, a_r), (b_g, a_g) and (b_b, a_b) are used to permute P_R, P_Gand P_Brespectively.

Step 4 Permute P_R, P_Gand P_Busing the following modified Cat Map with corresponding parameters:



x^′ y^′



 =



 1 a

b + 1 a(b + 1) + 1







x + 1 y + 1



 mod



M N



, (2.11)

where x∈ {0,1,··· ,M − 1} and y ∈ {0,1,··· ,N − 1}. The scanning sequence is from left to right and from top to bottom. After P_R, P_Gand P_Bare shuffled, we get the permuted image P^∗.

2.2.2 Diffusion Stage

Step 1 Transform C_R, C_Gand C_B into three 1D arrays CR_P, C_{G_P} and CB_P respectively by row major ordering.

Step 2 Calculate the diffusion matrix D by

D(i) = mod (⌊xn(i + 9)× (k1⊗ k2⊗ k3)⌋, 256), (2.12)

(13)

where i∈ {0,1,··· ,M × N − 1}.

Step 3 Calculate C_{R_P}, C_{G_P}and C_{B_P}by











CR(0) = (b_r+ k₁) mod 256 C_G(0) = (b_g+ k₂) mod 256 CB(0) = (b_b+ k₃) mod 256

(2.13)











CR(i) = mod (P_{R_P}^∗ (i)⊗ D(i) + num, 256) ⊗CR(i− 1) C_G(i) = mod (P_{G_P}^∗ (i)⊗ D(i) + num, 256) ⊗CG(i− 1) C_B(i) = mod (P_{B_P}^∗ (i)⊗ D(i) + num, 256) ⊗CB(i− 1)

(2.14)

where num = (a_r×br+ a_g×bg+ a_b×bb)⊗(k1+ k₂+ k₃), and i∈ {1,2,··· ,M × N− 1}.

Step 4 Transform C_{R_P}, C_{G_P}and C_{B_P}into three grayscale images with size M×N, then merge them into color cipher image C with size M× N × 3.

2.3 Image Decryption Algorithm

Step 1 Transform C_R, C_Gand C_Ginto three 1D arrays C_{R_P}, C_{G_P}and C_{B_P} respectively by row major ordering.

Step 2 Calculate the diffusion matrix D ={d0, d₁,··· ,dM×N−1} according to Equation 2.12.

(14)

Step 3 Calculate the parameters as follows:











b_r= (CR_P(0)− k1) mod 256 b_g= (C_{G_P}(0)− k2) mod 256 b_b= (C_{B_P}(0)− k3) mod 256

(2.15)











a_r = mod ((b_r+ 1)× (k1⊗ k2⊗ k3), 65536) + 1 a_g= mod ((b_g+ 1)× (k1⊗ k2⊗ k3), 65536) + 1 a_b= mod ((b_b+ 1)× (k1⊗ k2⊗ k3), 65536) + 1

(2.16)

Step 4 Reconstruct P_{R_P}^∗ , P_{G_P}^∗ and P_{B_P}^∗ by











P_{R_P}^∗ = mod ((C_{R_P}(i)⊗CR_P(i− 1)) − num, 256) ⊗ D(i) P_{G_P}^∗ = mod ((C_{G_P}(i)⊗CG_P(i− 1)) − num, 256) ⊗ D(i) P_{B_P}^∗ = mod ((C_{B_P}(i)⊗CB_P(i− 1)) − num, 256) ⊗ D(i)

(2.17)

where

num = (a_r× br+ a_g× bg+ a_b× bb)⊗ (k1+ k₂+ k₃), (2.18) and i∈ {1,2,··· ,M × N − 1}. Then transform these three arrays into 2D arrays P_R^∗, P_G^∗ and P_B^∗respectively.

Step 5 Reconstruct P_R, P_Gand P_Bby using Cat Maps in Equation 2.11 , but the scanning sequence is form right to left and form bottom to top.

(15)

Chapter 3 Cryptanalysis

3.1 Security Flaws

3.1.1 Equivalent Keys Problem

After careful analyzing CIES-UBPRPD, we found that two secret key groups key₁= (x₀, k₁, k₂, k₃, n₀) and key₂= (x^′₀, k₁^′, k^′₂, k^′₃, n^′₀) are equivalent in the original cryptosystem if they satisfy the following conditions:











n₀= n^′₀ x₀= x^′₀

k₁⊗ k2⊗ k3= k^′₁⊗ k₂^′⊗ k^′₃ k₁≡ k₁^′ (mod 256) k₂≡ k₂^′ (mod 256) k₃≡ k₃^′ (mod 256)

. (3.1)

For demonstration, here we choose key₁= (0.7, 784533, 763092, 777777, 1500) and key₂= (0.7, 353173, 676820, 307761, 1500) which satisfy all the above conditions. First, we use key₁to encrypt Lena and obtain the corresponding cipher image. Then, we use key₂ to decrypt the above-obtained cipher image and obtain the recovered image. The results are shown in Figure 3.1.

(16)

(a) Plain image (b) Encrypted image with key1 (c) Decrypted image with key2

Figure 3.1: An example of equivalent keys problem

Similarly, we can split the set of all keys into equivalence classes based on the conditions mentioned above, keys belonging to the same equivalence class are indistinguish- able from each other in CIES-UBPRPD. This property shrinks the effective key space from (10¹⁶× (10¹²− 10⁵)³× 1500) ≈ 2¹⁸³ to (10¹⁶× 2⁸× 2⁸× 2⁸× 2³²× 1500) ≈ 2¹²⁰ (since 10¹² ≈ 2⁴⁰, we can assume k₁, k₂and k₃are of 40-bit long), which is far less than it originally claimed.

3.1.2 Low Sensitivity to the Change of Plaintext

Once we fixed the secret key group and the summation of pixel value in each channel, the parameters used in the Cat Map are always identical. Having same parameters means the permutation mapping will be fixed no matter what the image is. Furthermore, there is no cross-channel interaction during permutation and diffusion stages in the original CIES-UBPRPD, which suggests that errors inside one channel will not propagate to other channels.

Therefore, we can construct two similar plain images where only their R channels are different but their sum of R channel remains the same, the corresponding cipher images of these two images will have no difference in G and B channels. This is clearly violating the diffusion property[5].

For demonstration, we modify standard Lena by increasing the first value by 1 and decreasing the second value by 1 in R channel, then compare the corresponding cipher image with that of the standard Lena Image. The results are shown in Figure 3.2 and

(17)

Table 3.1, the details of two widely used measures NPCR and UACI will be given in Section 6.5.

(a) Original Lena and its cipher image c1 (b) Modified Lena and its cipher image c2

(c) |c1− c2| and its histograms

Figure 3.2: An example of low sensitivity to the change of plaintext

R G B

NPCR (%) 86.5371 0 0 UACI (%) 4.8464 0 0

Table 3.1: NPCR and UACI values between the two cipher images

3.2 Chosen-Plaintext Attack

Now, we present a chosen-plaintext attack[6] that works if the size of all images equals to 256× 256 × 3.

(18)

3.2.1 Extract k

₁

mod 256, k

₂

mod 256 and k

₃

mod 256

Step 1 Construct a special plain image P such that

P_R= P_G= P_B=







1 1 ··· 1 1 1 ··· 1 ... ... . .. ...

1 1 ··· 1







256×256

. (3.2)

Encrypt P using CIES-UBPRPD to obtain its cipher image C. We denote the image after permutation stage as P^∗(an intermediate product during applying the whole encryption process).

Step 2 Here we use R channel as an example, select two different positions (a, b) and (x, y) where a, b, x, y∈ {0,1,··· ,255} and construct another special plain image P^′such that

P_R^′ = [ f (i, j)]_256×256, (3.3)

P_G^′ = P_B^′ =







1 1 ··· 1 1 1 ··· 1 ... ... . .. ...

1 1 ··· 1







256×256

(3.4)

where

f (i, j) =











0, i f (i, j) = (a, b) 2, i f (i, j) = (x, y) 1, else

. (3.5)

Encrypt P^′and obtain its cipher image C^′. From Section 3.1.2 we know that P and P^′share the same parameters used in Cat Map, thus they have same permutation mapping. We denote the position of first different value occurred between C_R and C_R^′ in raster scan order as∆C. It hints that P_R^′∗(∆C) ̸= P_R^∗(∆C) = 1 such that

(19)

C_R^′(∆C) ̸= CR(∆C), which means either P_R^′(a, b) = 0 or P_R^′(x, y) = 2 will be moved to position∆C after permutation stage. This property reveals some information of the permutation behavior. We define ((a, b), (x, y),∆C) as a constrain tuple.

Step 3 Choose different (a, b) or (x, y), then repeat Step 2 several times and collect all constrain tuples and define the associated collection as a set S.

Step 4 Construct a 256×256 matrix Z, by setting each position (a,b) and (x,y) used in Step 2 with different positive integer and all other positions with 0. For example, as- sume there are two constrain tuples ((0, 0), (0, 1), (8, 8)) and ((0, 0), (0, 2), (6, 9)) in S, we can set Z(0, 0) = 1 , Z(0, 1) = 2 , Z(0, 2) = 3 and Z(i, j) = 0 ∀(i, j) /∈

{(0,0),(0,1),(0,2)}.

Step 5 Using the following brute-force searching algorithm to find b_rand ˆa_r of all above chosen plain images, where a^′_r= a_r mod 256. In the considered special case that all images are of size 256× 256 × 3, ar and ˆa_r are equivalent in the permutation stage. Actually, we don’t need to know what a_r exactly is, only need its last 8 bits are enough. If the algorithm outputs more than one candidate pair, go back to Step 2 to collect more constrain tuples and repeat this step until only one pair left.

Step 6 Making changes to G and B channels, repeat Step 2 to Step 4 and obtain b_g, â_g, b_b and â_b, where â_g= a_g mod 256 and â_b= a_bmod 256.

Step 7 Extract k₁ mod 256, k₂ mod 256 and k₃ mod 256 by











k₁ mod 256 = (C_R(0, 0)− br) mod 256 k₂ mod 256 = (C_G(0, 0)− bg) mod 256 k₃ mod 256 = (C_B(0, 0)− bb) mod 256

. (3.6)

We denote these three values as ˆk1, ˆk2and ˆk3respectively for convenience.

(20)

Algorithm 1: Brute-Force Search

Input: matrix Z, set of constrain tuples S Output: set of parameter pairs r

r← ∅ ;

for br= 0→ 255 do foraˆ_r = 0→ 255 do

Z^∗← permute(Z, ˆar, b_r);

if Check(Z^∗, Z, S) then r← r ∪ ( ˆar, b_r);

return r;

Algorithm 2: Check(Z^∗, Z, S)

Input: permuted matrix Z^∗, original matrix Z, set of constrain tuples S Output: True or False

result ← true;

for every constrain tuple ((a, b), (x, y),∆C) ∈ S do

temp← (Z^∗(∆C) == Z(a,b)) ∨ (Z^∗(∆C) == Z(x,y));

result← result ∧ temp;

return result;

3.2.2 Extract Diffusion Matrix D

First, we convert C_R into 1D array C_{R_P} by row major ordering. We can obtain the diffusion matrix D by

D(i) = mod ((C_{R_P}(i)⊗CR_P(i− 1)) − num^′, 256)⊗ PR_P^∗ (i)

= mod ((C_{R_P}(i)⊗CR_P(i− 1)) − num^′, 256)⊗ 1

(3.7)

where

num^′= ( âr∗ br+ âg∗ bg+ â_b∗ bb)⊗ ( ˆk1+ ˆk2+ ˆk3), (3.8) i∈ {1,2,··· ,M × N − 1}, and PR_P^∗ is a 1D array transformed from P_R^∗ by row major ordering. Notice that the first element of diffusion matrix is not used in the cryptosystem, so we can just assign D(0) = 0.

So far, we have already extracted ˆk₁, ˆk₂, ˆk₃ and diffusion matrix D, which are all necessary information for decrypting the cipher image.

(21)

3.2.3 Recover the Original Plain Image

Assume that the cipher image is ¯C with the size 256× 256 × 3, and attacker already extracts ˆk₁, ˆk₂, ˆk₃and diffusion matrix D according to analyses given above. The attacker can decrypt ¯Cby the following steps:

Step 1 Transform ¯C_R, ¯C_Gand ¯C_Ginto three 1D arraysCR_P¯ ,C_{G_P}¯ andCB_P¯ respectively by row major ordering.

Step 2 Calculate the parameters as follows:











b_r= ( ¯C_{R_P}(0)− ˆk1) mod 256 bg= ( ¯CG_P(0)− ˆk2) mod 256 b_b= ( ¯CB_P(0)− ˆk3) mod 256

(3.9)









 ˆ

ar= mod ((b_r+ 1)× ( ˆk1⊗ ˆk2⊗ ˆk3), 256) + 1 ˆ

ag= mod ((b_g+ 1)× ( ˆk1⊗ ˆk2⊗ ˆk3), 256) + 1 ˆ

a_b= mod ((b_b+ 1)× ( ˆk1⊗ ˆk2⊗ ˆk3), 256) + 1

(3.10)

Step 3 ReconstructP_{R_P}^∗¯ ,P_{G_P}^∗¯ andP_{B_P}^∗¯ by











P_{R_P}^∗¯ = mod (( ¯C_{R_P}(i)⊗ ¯C_{R_P}(i− 1)) − num^′, 256)⊗ D(i) P_{G_P}^∗¯ = mod (( ¯C_{G_P}(i)⊗ ¯C_{G_P}(i− 1)) − num^′, 256)⊗ D(i) P_{B_P}^∗¯ = mod (( ¯C_{B_P}(i)⊗ ¯C_{B_P}(i− 1)) − num^′, 256)⊗ D(i)

(3.11)

where

num^′= ( âr∗ br+ âg∗ bg+ â_b∗ bb)⊗ ( ˆk1+ ˆk₂+ ˆk₃), (3.12) and i∈ {1,2,··· ,M × N − 1}. Then transform these three arrays into 2D arrays P¯_R^∗, ¯P_G^∗ and ¯P_B^∗respectively.

Step 4 Reconstruct ¯P_R, ¯P_Gand ¯P_B by using Cat Maps, but the scanning sequence is form right to left and from bottom to top.

(22)

We rescale the standard Lena to 256× 256 × 3 and encrypt it with CIES-UBPRPD, then crack the cipher image with proposed chosen-plaintext attack. Figure 3.3 shows the simulation result.

(a) Plain image (b) Cipher image (c) Recovered image

Figure 3.3: Simulation result of proposed attack

(23)

Chapter 4 Improved Algorithm

4.1 The Weaknesses of CIES-UBPRPD

We can crack CIES-UBPRPD by chosen-plaintext attack due to the following weaknesses:

1. Misuse the modulo operation. A value’s remainder divided by 256 is equal to its last 8 bits in binary representation. This operation makes the last 8 bits of the value more important than the rest parts. That’s why we can easily find some equivalent parameters in CIES-UBPRPD.

2. Parameters used in Cat Map are not very sensitive to plain images. As we point out in Section 3.1.2, images that have same sum_r, sum_gand sum_bshare the same parameters.

Thus, it is vulnerable to differential attacks.

3. Diffusion matrix depends only on secret keys but not on plain images. Once we crack one cipher image and extract the diffusion matrix, we can use it to decrypt other cipher images.

In our improved encryption algorithm, we use the hash value of SHA-256 instead of summation of each channel as the feature of plain image, and make diffusion matrix plaintext-related. SHA-256 is a cryptographic hash that belongs to SHA-2 family. The hash value served as an external secret key, and it is dangerous to reuse the same external

(24)

key when encrypting the same image. We add a random number with the precision of 10⁻¹⁶ as additional input to SHA-256 each time we calculate the hash value, so we can use the output result as a one-time key.

4.2 Secret Key Formulation

There are six secret keys in the proposed improved algorithm including the external secret key H generated from SHA-256, the initial value x₀ of Chebyshev map and four positive integers k₁, k₂, k₃ and n₀, where H is a 256-bit binary number, x₀∈ (0,1),k1∈ [10⁵..10¹²], k₂∈ [10⁵..10¹²], k₃∈ [10⁵..10¹²] and n₀∈ [1000 .. 2500]. H is then divided into 32 8-bit blocks as H = h₀, h₁,··· ,h31.

4.3 Image Encryption Algorithm

4.3.1 Permutation Stage

Step 1 Use x₀as the initial value and iterate the Chebyshev map (n₀+ 131) times, discard the first n₀elements to avoid harmful effect and obtain chaotic sequences x_nwhich contain 131 elements.

xn={x0, x₁,··· ,x130}. (4.1) Obtain another sequence x_nqby

x_nq(i) =⌊xi× ki mod 3× coshi mod 32⌋ mod 256 (4.2)

where i∈ {0,1,··· ,130}.

(25)

Step 2 Calculate the parameters by following equations:

a = (

∑

31 i=0

h_i× xnq(i)) mod 65536 (4.3)

b = (

∑

31 i=0

h_i× xnq(i + 32)) mod 65536 (4.4)

c = (

∑

31 i=0

h_i× xnq(i + 64)) mod 65536 (4.5)

d = (

∑

31 i=0

h_i× xnq(i + 96)) mod 65536 (4.6)

Step 3 Permute P using the following 3D cat map[7]:





 i^′

j^′ k^′





=







1 a 0

b ab + 1 0

c d 1











 i

j k





mod





 M N 3





 (4.7)

where i∈ {0,1,··· ,M − 1} , j ∈ {0,1,··· ,N − 1} and k ∈ {0,1,2} is the color channel. The scanning sequence is from R channel to B channel, from left to right and from top to bottom. After this step, we get the permuted image P^∗.

4.3.2 Diffusion Stage

Step 1 Transform P_R^∗, P_G^∗ and P_B^∗into three 1D arrays P_{R_P}^∗ , P_{G_P}^∗ and P_{B_P}^∗ by row major ordering.

Step 2 Use y₀ = cos a+cos b+cos c+cos d+x0

5 as new initial value and iterate the Chebyshev map (3× M × N + n0) times, discard the first n0 elements and obtain another chaotic sequences y_nwhich contain 3× M × N elements.

y_n={x0, x₁,··· ,x3×M×N−1}. (4.8)

(26)

Calculate the diffusion matrices DR, D_Gand DBby:











D_R(i) =⌊yi× (k2⊗ k3)⌋ mod 256 D_G(i) =⌊

y_(i+MN)× (k1⊗ k3)⌋

mod 256 D_B(i) =⌊

y_(i+2MN)× (k1⊗ k2)⌋

mod 256

(4.9)

where i∈ {0,1,··· ,M × N − 1}.

Step 3 Calculate C_{R_P}, C_{G_P}and C_{B_P}by











C_{R_P}(0) = mod (P_{R_P}^∗ (0)⊗ DR(0) + num, 256)⊗ xnq(128) C_{G_P}(0) = mod (P_{G_P}^∗ (0)⊗ DG(0) + num, 256)⊗ xnq(129) C_{B_P}(0) = mod (P_{B_P}^∗ (0)⊗ DB(0) + num, 256)⊗ xnq(130)

(4.10)











C_{R_P}(i) = mod (P_{R_P}^∗ (i)⊗ DR(i) + num, 256)⊗CB(i− 1) C_{G_P}(i) = mod (P_{G_P}^∗ (i)⊗ DG(i) + num, 256)⊗CR(i) C_{B_P}(i) = mod (P_{B_P}^∗ (i)⊗ DB(i) + num, 256)⊗CG(i)

(4.11)

where num = ((a + b + c + d)⊗ (k1+ k₂+ k₃)) mod 256, and i∈ {1,2,··· ,M × N− 1}.

Step 4 Transform C_{R_P}, C_{G_P}and C_{B_P}into three grayscale images with size M×N, then merge them into color cipher image C with size M× N × 3.

4.4 Image Decryption Algorithm

Step 1 Transform C_R, C_Gand C_Ginto three 1D arrays C_{R_P}, C_{G_P}and C_{B_P} respectively by row major ordering.

Step 2 Calculate the chaotic sequence x_nq with the same way in encryption process.

Step 3 Calculate the parameters a, b, c, d the same way in encryption process.

(27)

Step 4 Calculate the diffusion matrices DR, D_Gand DBwith the same way in encryption process.

Step 5 Reconstruct P_{R_P}^∗ , P_{G_P}^∗ and P_{B_P}^∗ by











P_{R_P}^∗ (0) = mod ((C_{R_P}(0)⊗ xnq(128))− num, 256) ⊗ DR(0) P_{G_P}^∗ (0) = mod ((C_{G_P}(0)⊗ xnq(129))− num, 256) ⊗ DG(0) P_{B_P}^∗ (0) = mod ((C_{B_P}(0)⊗ xnq(130))− num, 256) ⊗ DB(0)

(4.12)











P_{R_P}^∗ (i) = mod ((C_{R_P}(i)⊗CR_P(i− 1)) − num, 256) ⊗ DR(i) P_{G_P}^∗ (i) = mod ((C_{G_P}(i)⊗CG_P(i− 1)) − num, 256) ⊗ DG(i) P_{B_P}^∗ (i) = mod ((C_{B_P}(i)⊗CB_P(i− 1)) − num, 256) ⊗ DB(i)

(4.13)

where num = ((a + b + c + d)⊗(k1+ k₂+ k₃)) mod 256 and i∈ {1,2,··· ,M ×N − 1}. Then transform these three arrays into 2D arrays P_R^∗, P_G^∗ and P_B^∗respectively.

Step 6 Reconstruct P_R, P_Gand P_Bby using 3D cat map in Equation 4.7, but the scanning sequence is from B channel to R channel, from right to left and from bottom to top.

(28)

Chapter 5 Experimental Results

We apply the proposed algorithm on several test images (all 512×512×3) to demon- strate its performance. The secret keys are set as follows: x₀= 0.3, k₁= 111111, k₂= 222222, k₃= 333333 and n₀= 1000. Figure 5.1 shows the encryption and decryption results. From the results we can tell that the cipher images are noise-like and irrelevant to the plain images.

(29)

Figure 5.1: Plain images, cipher images and decrypted images

(30)

Chapter 6 Security Analysis

6.1 Key Space Analysis

Key space is the cardinality of the set of all possible keys. Having large key space is important for an encryption system to resist brute force attack. The complexity of SHA- 256 for the best attack is 2¹²⁸. The range of the rest keys are that x₀∈ (0,1),k1, k₂, k₃∈ [10⁵..10¹²] and n₀ ∈ [1000 .. 2500]. If x0 has the precision of 10⁻¹⁶, the key space of proposed scheme can reach 2¹²⁸× 10¹⁶× (10¹²− 10⁵)× (10¹²− 10⁵)× (10¹²− 10⁵)× 1500≈ 2³¹¹, which is larger than 2¹⁰⁰and enough to make brute force attack infeasible[6].

6.2 Histogram Analysis

An image histogram reflects the distribution of pixels’ intensity, which reveals some statistical information of the image to attackers. To against statistical attacks, histogram of cipher image generated from a secure encryption system should be flat. As we can see in Figure 6.1 and 6.2, the distribution of histograms of cipher images are close to uniformly, indicating that the cipher images are nearly noises and it’s extremely hard to retrieve any useful statistical information from them.

(31)

(a) The plain image of Lena and its histograms

(b) The cipher image of Lena and its histograms

(c) The decrypted image of Lena and its histograms

Figure 6.1: Original/encrypted/decrypted image of Lena and their histograms

(32)

(a) The plain image of baboon and its histograms

(b) The cipher image of baboon and its histograms

(c) The decrypted image of baboon and its histograms

Figure 6.2: Original/encrypted/decrypted image of baboon and their histograms

(33)

6.3 Correlation Analysis

In a natural image (plain image), two adjacent pixels usually have strong correlation.

In contrast, the correlation coefficient of cipher image should be decreased to zero to prevent statistical attacks. We use the following equation to calculate the correlation coefficients of all adjacent pixels at horizontal, vertical, diagonal and anti-diagonal directions:

r_xy= cov(x, y)

√D(x)√

D(y), (6.1)

where

cov(x, y) = 1 N

∑

N i=1

(x_i− E(x))(yi− E(y)), (6.2)

D(x) = 1 N

∑

N i=1

(x_i− E(x))², (6.3)

E(x) = 1 N

∑

N i=1

x_i, (6.4)

xand y are two adjacent pixel values, and N is the number of pairs of adjacent pixels.

As shown in Table 6.1, the correlation coefficients of plain images are close to 1, while those of cipher images are nearly 0. Furthermore, we randomly select 2000 pairs of adjacent pixel at four directions from R channel of standard Lena and its corresponding cipher image, then plot the scatter diagram in Figure 6.3.

Plain Image Cipher Image

R G B R G B

Lena

V 0.9893 0.9823 0.9574 0.0015 -0.0017 -0.0023 H 0.9797 0.9689 0.9325 -0.0008 -0.0014 -0.0013 D 0.9696 0.9554 0.9180 -0.0003 -0.0011 -0.0011 A 0.9777 0.9652 0.9252 -0.0006 -0.0005 -0.0002

baboon

V 0.8659 0.7650 0.8808 0.0004 -0.0017 0.0006 H 0.9230 0.8654 0.9073 0.0005 0.0027 0.0019 D 0.8543 0.7347 0.8398 0.0004 -0.0026 0.0014 A 0.8518 0.7249 0.8424 -0.0015 -0.0017 0.0002

Table 6.1: Correlation coefficients

(34)

(a) Plain image of Lena in R channel

(b) Cipher image of Lena in R channel

Figure 6.3: Correlation distribution of adjacent pixels

6.4 Key Sensitivity Analysis

A cryptosystem may suffer differential attack if cipher images generated from different keys are similar. Thus, a secure encryption algorithm should be highly sensitive to all keys, which means even a tiny change in secret key will lead to a completely different cipher image.

Figure 6.4 shows the plain image, cipher image and decrypted image of standard Lena.

Then we change H, x₀, k₁, k₂, k₃amd n₀by one bit (i.e., 10⁻¹⁶for x₀and 1 for H, k₁, k₂, k₃ and n₀) to obtain six new cipher images, the results are shown in Figure 6.5. The differential results between these six cipher images and Figure 6.4(b) are shown in Figure 6.6.

Furthermore, we use the six 1-bit difference key groups to decrypt Figure 6.4(b), and the decrypting results are shown in Figure 6.7.

6.5 Plaintext Sensitivity Analysis

Similar to key sensitivity, a secure encryption algorithm also should be very sensitive to plain images. We use NPCR (number of pixels change rate) and UACI (unified average changing intensity) to measure difference between two cipher images[8], which are

(35)

(a) plain image (b) cipher image c (c) decrypted image

Figure 6.4: Plain image, cipher image and decrypted image of Lena

(a) c1with key H + 1 (b) c2with key x0+ 10⁻¹⁶ (c) c3with key k1+ 1

(d) c4with key k2+ 1 (e) c5with key k3+ 1 (f) c6with key n0+ 1

Figure 6.5: Images encrypted with 1-bit difference key groups

(36)

(a)|c − c1| (b) |c − c2| (c) |c − c3|

(d) |c − c4| (e) |c − c5| (f) |c − c6|

Figure 6.6: The differential results

(a) decrypt c with key H + 1 (b) decrypt c with key x0+ 10⁻¹⁶ (c) decrypt c with key k1+ 1

(d) decrypt c with key k2+ 1 (e) decrypt c with key k3+ 1 (f) decrypt c with key n0+ 1

Figure 6.7: Decrypted images with 1-bit difference key groups

(37)

defined as follow:

NPCR = 1 M× N

M−1 i=0

∑

N−1

∑

j=0

D(i, j)× 100%, (6.5)

UACI = 1 M× N

M−1 i=0

∑

N−1 j=0

∑

|c1(i, j)− c2(i, j)|

255 × 100%, (6.6)

where

D(i, j) =









0, i f c₁(i, j) = c₂(i, j) 1, i f c₁(i, j)̸= c2(i, j)

, (6.7)

and c₁and c₂are two cipher images.The theoretical values of NPCR and UACI between two different cipher images are 99.6094% and 33.4635% respectively.

We evaluate plaintext sensitivity as follows. First, we randomly select x₀, k₁, k₂, k₃, n₀ from key space and encrypt test image p₁ with it to obtain cipher image c₁. Second, we randomly select a position in p₁, increasing each channel’s value by 1 at the position to obtain a modified image p₂. Next, encrypt p₂and obtain cipher image c₂. Then calculate the NPCR and UACI values between c₁and c₂. Repeat this process 200 times, the average NPCR and UACI values are listed in Table 6.2.

NPCR(%) UACI(%)

R G B R G B

Lena 99.6094 99.6084 99.6096 33.4673 33.4630 33.4662 baboon 99.6075 99.6081 99.6086 33.4606 33.4646 33.4684 fruits 99.6081 99.6103 99.6095 33.4612 33.4620 33.4689 airplane 99.6094 99.6071 99.6101 33.4669 33.4595 33.4564 peppers 99.6099 99.6109 99.6092 33.4649 33.4641 33.4702

Table 6.2: Evaluation results of plaintext sensitivity

(38)

Chapter 7 Conclusion and Discussion

In this thesis, we make cryptanalyses on a simple chaotic map-based image encryption system using both plaintext related permutation and diffusion. We show that some designing flaws make it vulnerable against chosen-plaintext attack, and then we propose an improved algorithm to overcome those flaws.

Since the proposed chosen-plaintext attack can be applied if the size of all images is 256×256×3, finding an attack that can be applied to general cases is one of the possible future extensions.

We hope that this thesis will help researchers building chaotic-based image encryption algorithm more secure in the future.

(39)

Bibliography

[1] R. Matthews, “On the derivation of a“chaotic”encryption algorithm,” Cryptologia, vol. 13, pp. 29–42, 1989.

[2] T. M. Hoang and H. X. Thanh, “Cryptanalysis and security improvement for a sym- metric color image encryption algorithm,” Optik, vol. 155, pp. 366–383, 2018.

[3] L. Huang, S. Cai, M. Xiao, and X. Xiong, “A simple chaotic map-based image encryp- tion system using both plaintext related permutation and diffusion,” Entropy, vol. 20, no. 7, p. 535, 2018.

[4] V. I. Arnold and A. Avez, Ergodic Problems of Classical Mechanics. Benjamin, 1968.

[5] V. Alvarez, J. M. Amigó, D. Arroyo, and S. Li, Chaos-Based Cryptography. Springer, 2011.

[6] G. Alvarez and S. Li, “Some basic cryptographic requirements for chaos-based cryp- tosystems,” International Journal of Bifurcation and Chaos, vol. 16, no. 8, pp. 2129–

2151, 2006.

[7] H. Liu, Z. Zhu, H. Jiang, and B. Wang, “A novel image encryption algorithm based on improved 3d chaotic cat map,” in The 9th International Conference for Young Com- puter Scientists, p. 3016–3021, IEEE, 2008.

[8] Y. Wu, “NPCR and UACI randomness tests for image encryption,” Cyber Journals:

Journal of Selected Areas in Telecommunications, pp. 31–38, April 2011.

一個基於混沌映射且採用明文關聯置換與擴散之影像加密系統的分析與改進

國立臺灣大學電機資訊學院資訊網路與多媒體研究所 碩士論文

Graduate Institute of Networking and Multimedia College of Electrical Engineering and Computer Science

National Taiwan University Master Thesis

一個基於混沌映射且採用明文關聯置換與擴散之 影像加密系統的分析與改進

Cryptanalysis and Improvement of a Simple Chaotic Map-Based Image Encryption System Using Both

Plaintext Related Permutation and Diffusion

林承億 Cheng-Yi Lin

指導教授：吳家麟博士 Advisor: Ja-Ling Wu, Ph.D.

中華民國 108 年 7 月

July, 2019

摘要

Abstract

Contents

List of Figures

List of Tables

Chapter 1 Introduction

Chapter 2

Description of the Original Algorithm

2.1 The Preparatory Work

2.1.1 Generalized Arnold’s Cat Map

2.1.2 Chebyshev Map

2.2 Image Encryption Algorithm

2.2.1 Permutation Stage

∑

∑

∑

∑

∑

∑

2.2.2 Diffusion Stage

2.3 Image Decryption Algorithm

Chapter 3

Cryptanalysis

3.1 Security Flaws

3.1.1 Equivalent Keys Problem

3.1.2 Low Sensitivity to the Change of Plaintext

3.2 Chosen-Plaintext Attack

3.2.1 Extract k

mod 256, k

mod 256 and k

mod 256

3.2.2 Extract Diffusion Matrix D

3.2.3 Recover the Original Plain Image

Chapter 4

Improved Algorithm

4.1 The Weaknesses of CIES-UBPRPD

4.2 Secret Key Formulation

4.3 Image Encryption Algorithm

4.3.1 Permutation Stage

∑

∑

∑

∑

4.3.2 Diffusion Stage

4.4 Image Decryption Algorithm

Chapter 5

Experimental Results

Chapter 6

Security Analysis

6.1 Key Space Analysis

6.2 Histogram Analysis

6.3 Correlation Analysis

∑

∑

∑

6.4 Key Sensitivity Analysis

6.5 Plaintext Sensitivity Analysis

∑

∑

∑

∑

Chapter 7

Conclusion and Discussion

Bibliography

國立臺灣大學電機資訊學院資訊網路與多媒體研究所碩士論文

一個基於混沌映射且採用明文關聯置換與擴散之影像加密系統的分析與改進