
Cryptanalysis of a Chaotic Image Encryption Algorithm Based on Information Entropy

by   Chengqing Li, et al.

Recently, a chaotic image encryption algorithm based on information entropy (IEAIE) was proposed. This paper scrutinizes security properties of the algorithm and evaluates validity of the used quantifiable security metrics. Some common insecurity problems in the field of chaotic image encryption are found in IEAIE, e.g. the short orbits of digital chaotic system and invalid sensitivity mechanism built on information entropy of the plain-image. What's worse, each security metric is obviously questionable, undermining the security credibility of IEAIE. So, IEAIE can only serve as a counterexample for the secure and effective communication method for image data.


I Introduction

With the popularity of imaging sensors in smartphones and various video recording scenarios, e.g. dashboard camera and closed-circuit television (CCTV), a vast volume of multimedia data is recorded every day [1, 2]. Meanwhile, the fast network transmission technique allows them to be transmitted among cloud servers, social media platforms, and personal cellphones with ever-growing speed and scope. Once a multimedia file containing some personal privacy information leaves the original control scope, it may threaten the owner and the related persons very quickly. So, the security and privacy of multimedia data have become the concerns of everyone living in the cyberspace. To respond to such a challenge, a large number of multimedia privacy protection and preservation schemes were proposed in the past two decades [3, 4].

One of the well-known features of chaos is the so-called butterfly effect: if a butterfly flaps its wings in Brazil, tomorrow Texas, USA will have a storm. In more scientific terms, we say a system is very sensitive to the initial condition, i.e., a small change at the very beginning will eventually lead to a completely different result. This implies unpredictability because an accurate measurement of the initial condition is in principle impossible. As sensitivity and unpredictability are good features we want to have in applications like secure communications and (pseudo-) random number generation, many researchers around the world have tried to apply chaos to build various cryptographic primitives: permutation relation [5], pseudo-random number generator [6, 7], hash function [8], private-key encryption scheme [9, 10], public-key encryption scheme [11], authentication [4], secure communication based on synchronization [12], secret-key share (agreement) algorithm [13], data hiding [14], and privacy protection [15]. The main objective of chaotic cryptanalysis is to disclose the information about the secret key of a chaotic encryption (or secure communication) scheme under all kinds of security models: ciphertext-only attack [5], known-plaintext attack [16, 17], chosen-plaintext attack [18, 19], chosen-ciphertext attack [20], and impossible differential attack [21]. Meanwhile, chaotic cryptanalysis also provides a novel perspective to study the dynamical properties of the underlying chaotic system. As degradation of any chaotic system definitely happens in a digital domain [22, 23], a chaos-based encryption scheme may own some special security defects that do not exist in the non-chaotic encryption schemes [24, 25, 26].

In [27], a chaotic image encryption algorithm was proposed using information entropy value calculated from the plain-image, which is named as IEAIE in this paper. In the algorithm, a pseudo-random number sequence generated by the two-dimensional Logistic-adjusted-Sine map (2D-LASM) proposed in [6] is used to control a combination of some basic operations, including position permutation and modulo addition. Especially, the information entropy of the plain-image is used to build up a sensitivity mechanism of the encryption result of IEAIE on the plain-image. This paper reports security defects of the chaos-based pseudo-random number generator and the sensitivity mechanism. As for one round version of IEAIE, its three basic parts can be broken with a strategy of the divide-and-conquer technique in the scenario of differential attack. In addition, each used security metric is questioned from the perspective of modern cryptanalysis.

The rest of the paper is organized as follows. Section II briefly introduces the algorithm IEAIE. Section III presents cryptanalysis of IEAIE by disproving security metrics used for IEAIE. The last section concludes the paper.

II Concise description of IEAIE

IEAIE ignores any special storage format of image data and just treats it as text data, which is represented as an 8-bit matrix. [Footnote 1: The transform (5) in [27] cannot always generate a bijective (one-to-one) permutation mapping and should be corrected to assure successful decryption of IEAIE.]

  • The secret key is composed of two sets of initial conditions of 2D-LASM


    and , where .

  • Keystream generation procedure: 1) iterate 2D-LASM (1) from initial condition


    times, and from the 201-th iteration, assign the obtained sequence into an matrix in the raster order, where


    is the information entropy value of image block , namely


    is the pixel of value in , and denotes the ratio between the number of in and . In this paper, , where denotes the floor function.

    3) set


    where is the -th row of , is the -th column of

    (scalar multiplication and addition are performed if a matrix or vector is involved, the same hereinafter),


    and denotes the ceil function. Separately conduct the two vectors and with the following way: if there are elements of the same value, change one as the least number that does not exist in the updated vector.

    3) iterate 2D-LASM (1) from initial condition


    times; starting from the 201-th iteration, transform every element of the generated sequence by


    and set the results into an matrix in the raster order.

  • Encryption procedure:

    • Horizontal permutation: for , move the -th column of to the -th one of , namely .

    • Vertical permutation: for , move the -th row of to the row of , i.e. .

    • Changing gray distribution with a constant matrix : for , , do


      where .

    • Diffusion encryption: for , , set


      where ,


      and .

  • Repetition: Repeat the above four steps one more round.

  • Decryption procedure is similar to the encryption one except the following points: 1) the order of the above four main steps is reversed; 2) every operation in each main step is replaced by its inverse version.

The horizontal and vertical permutations on the plain-image controlled by and can be equivalently represented by a permutation matrix as [17], namely


where , and .

Fig. 1: The functional graph of 2D-LASM under 3-bit fixed-point precision for different quantization strategies: a) floor; b) round; c) ceil, where the pair of numbers in each node denotes coordinate .

Fig.: The functional graph of 2D-LASM with 6-bit floating-point precision and round quantization, where the length of mantissa fraction is 3.
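The functional graphs captioned above can be rebuilt exhaustively for a 3-bit fixed-point state space, which makes the short-orbit problem concrete. The following is an added example, not code from the paper: it assumes the usual form of 2D-LASM from [6] (Eq. (1) is not reproduced on this page), a constructed control parameter `mu = 0.9`, and hypothetical function names.

```python
import math

# Python's round() rounds halves to even; that is one possible "round" strategy.
QUANTIZERS = {"floor": math.floor, "round": round, "ceil": math.ceil}

def lasm_step(x, y, mu):
    """One real-valued 2D-LASM iteration (assumed form of Eq. (1))."""
    x_next = math.sin(math.pi * mu * (y + 3) * x * (1 - x))
    y_next = math.sin(math.pi * mu * (x_next + 3) * y * (1 - y))
    return x_next, y_next

def functional_graph(bits, mu, mode):
    """Map every fixed-point state (i, j) = (i/2^bits, j/2^bits) to its successor."""
    scale, quantize = 1 << bits, QUANTIZERS[mode]

    def to_grid(value):
        return min(max(quantize(value * scale), 0), scale)

    graph = {}
    for i in range(scale + 1):
        for j in range(scale + 1):
            x_next, y_next = lasm_step(i / scale, j / scale, mu)
            graph[(i, j)] = (to_grid(x_next), to_grid(y_next))
    return graph

def tail_and_cycle(graph, start):
    """Return (transient length, cycle length) of the orbit starting at `start`."""
    seen, state, step = {}, start, 0
    while state not in seen:
        seen[state] = step
        state = graph[state]
        step += 1
    return seen[state], step - seen[state]

def cyclic_states(graph):
    """States that lie on a cycle (transient length zero)."""
    return {s for s in graph if tail_and_cycle(graph, s)[0] == 0}

def states_after(graph, n):
    """All states still reachable after discarding the first n iterates."""
    reached = set()
    for state in graph:
        for _ in range(n):
            state = graph[state]
        reached.add(state)
    return reached

def summarize(bits=3, mu=0.9, discard=200):
    """Per quantization strategy: orbit shapes and what survives the discard."""
    report = {}
    for mode in QUANTIZERS:
        graph = functional_graph(bits, mu, mode)
        shapes = [tail_and_cycle(graph, s) for s in graph]
        report[mode] = {
            "states": len(graph),
            "max_transient": max(t for t, _ in shapes),
            "cycle_lengths": sorted({c for _, c in shapes}),
            "states_left_after_discard": len(states_after(graph, discard)),
        }
    return report

if __name__ == "__main__":
    for mode, row in summarize().items():
        print(mode, row)
```

Because the state space has only 81 points, every orbit is already on its cycle long before the 200 discarded iterations end, so the keystream is drawn from the few cyclic states only.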

III Cryptanalysis

In [27], various aspects of IEAIE were analyzed to conclude that it owns superior security performance. However, we try to demonstrate that all the arguments are groundless.

III-A Some security defects of IEAIE

In [24, 18], some rules and suggestions for designing secure and efficient image encryption schemes were concluded. Some concrete steps for evaluating the security performance of a chaotic image encryption scheme were given in [25]. Unfortunately, IEAIE did not follow the lessons summarized in [24, 18, 25]. To attract the attention of designers of image encryption schemes to cryptanalysis, we check the security of every aspect of IEAIE and its test given in [27] as follows.

Fig. 2: Two images with the same flat histogram: a) “Peppers”; b) “Lenna”; c) histogram of the images shown in Fig. 2a), b).
  • Underlying chaotic map:

    In [6], a new two-dimensional chaotic map 2D-LASM was constructed by ‘adjusting’ Logistic map and Sine map with three strategies: cascading output of the former as the input of the latter; extending dimension of the phase plane from 1D to 2D; adopting one more multiplication variable with a constant delay parameter. It was proved that 2D-LASM can demonstrate much more complex chaotic behaviors than the two original 1D maps [28]. As shown in Fig. 1, any orbit will definitely enter a cycle after a transient process. Rigorous theoretical analyses given in [29] prove that the functional graph of any digital chaotic map is highly correlated with that in a domain with arithmetic precision as small as 3. As shown in Figs. 1, 1, the cycle length of the functional graph of 2D-LASM is very small for either arithmetic format. In [27], it was stated that “previously iterated values were discarded to avoid transient effects”. Actually, the differences between neighboring states change exponentially along an orbit of any iterated map, which is different from the case for chaotic flow. The real purpose of discarding some initial iterated values is to avoid recovering the control parameters of the corresponding chaotic map from them, which is demonstrated in [16]. As shown in [29], some cycles of short period (even self-loop) always exist no matter which enhancement method is adopted, e.g. increasing the arithmetic precision, perturbing states, perturbing the control parameters, switching among multiple chaotic maps, and cascading among multiple chaotic maps. If the initial state is located in a small-scale connected component or a cycle of short period in the functional graph of the used chaotic map, there are not enough available states (200 states specified in [27, Sec. 3.1]) to be discarded. So, an adaptive threshold should be set to avoid this problem. But, it would cost additional computation.

  • Key sensitivity:

    In [27], “a small change of is shifted in keys , , , ” to check their influence on the decryption results. Although is small in itself as for our daily lives, the shift may cause a dramatic change of binary representation of a number. Let’s illustrate this problem with arithmetic format binary32 (single-precision floating-point format), where (stored as binary string “”). As for number (“”), (“”). It can be calculated that 11 bits among the 23 fraction bits (underlined parts) of the subtracted number are changed. So, the four cases given in [27, Fig. 4] are far from enough to convince us of anything. Now, we can see that a small decimal number should not be used to measure the change degree of initial condition in a binary computer.

    Observing Eq. (1), one can see that and are equivalent if 2D-LASM is implemented in a fixed-point arithmetic domain. Due to the modulo addition and division operation in Eq. (5), there may exist even much more equivalent secret keys. Besides these, quantization effects of the digital chaotic map may generate the same iteration orbit for different initial conditions (See Figs. 1, 1). So, the sensitivity of encryption results of IEAIE with respect to the change of its secret key is very weak.

  • Key space analysis:

    In [27, Sec. 3.2.1], the precision of the secret key of IEAIE is fixed as . In the digital world, the precision can only be precisely specified by a power of two. If a floating-point number format (binary32 or binary64) is adopted, the distances between neighboring representable numbers are not uniform, which requires setting the length of mantissa fraction, and that of exponent, elaborately [29]. As shown in Fig. 1 and [28], there exist a number of nonchaotic regions of . The initial conditions falling in such regions may compose invalid or weak secret keys. So, we can conclude that the specification of IEAIE seriously violates Rule 5 suggested in [24], “The key space , from which valid keys are to be chosen, should be precisely specified and avoid nonchaotic regions.” In addition, the computational complexity of checking each secret key and the valid time of the protected plain-image are not considered in [27]. In all, the statement “the brute-force attack is impossible to successfully execute” is unconvincing.

  • Histogram:

    In [27], it was emphasized that “the histogram of the cipher-image should be or near uniform and be different from that of the plain-image after encryption”. In fact, what counts for the security of IEAIE should be the matching degree between secret-key (or plain-image) and the histogram of the corresponding cipher-image. As shown in [19], an attacker can recover some statistical information of the plain-image by changing the counting objects of the histogram from pixel to bit. In addition, the spatial information of pixels may play a dominant role for the visual effect of the composed image. To show this point, Fig. 2 presents two images with the same flat (exactly uniform) histogram, whose number of pixels for each tonal value is . Figure 3 gives the encryption results of the two images shown in Fig. 2 with the position permutation-only scheme HCIE cryptanalyzed in [17]. Although the histograms of the two encrypted images are kept unchanged, the scheme is secure enough for some application scenarios, e.g. surveillance and protection of pay-TV from illegal users. Anyway, the three histograms calculated in terms of pixel shown in [27, Fig. 5] are far from enough to prove “the proposed algorithm has a good ability to frustrate the attack” based on the histogram.

    Fig. 3: Three cipher-images encrypted by HCIE: a) “Peppers” with blocks; b) “Lenna” with blocks; c) “Lenna” with blocks
  • Variance of histogram:

    To further measure the uniformity degree of a cipher-image, the variance of its histogram was calculated in [27]. Actually, the variance of a histogram cannot measure the number of different possible histograms generated by a tested encryption scheme. For example, the variances of two histograms “2, 2, 3, 4, 7” and “2, 2, 3, 5, 6” are different, but their number of different combinations are the same. But, the histogram variances of four cipher-images given in [27, Table 4] are far from sufficient to demonstrate the existence of any rule. In addition, even some insecure encryption schemes can also make the obtained cipher-image own very low variance of histogram [30]. Moreover, visual security indexes of the three cipher-images shown in Fig. 3 are different, but the variances of their histograms are fixed to zero. In all, the statement “a lower variance represents higher uniformity” in [27] is not right.

  • Information entropy:

    Information entropy is a quantitative metric measuring the disorder or randomness in a closed system. From Eq. (4), one can see that the entropy value of a message is kept unchanged with respect to the following two kinds of changes: 1) permuting the position of every element within the message; 2) changing the elements of a given value as another one that does not exist in the message (if there is) [31]. In each case, the changes compose a bijection between specific domain and the corresponding codomain (See Fact 1). In all, there are a huge number of different images owning the same information entropy as a given image when its size is relatively large. For example, the five different images shown in Figs. 2, 3 share the same value of information entropy. Embedding Eq. (12) into Eq. (9), one can see that is determined by the two matrices and for a given plain-image , where . From the definition of and , one can deduce that every column of should be of fixed value to assure that the modulo addition in Eq. (9) has the same effect on , namely every column of (the difference between and ), for different plain-images. To satisfy such condition, should hold. Even so, the statement “the value of the information entropy is very sensitive to the message” given in [27, Sec. 2.1] is still baseless. Note that the tiny differences of entropy given in [27, Table 7] are only bounded by 0.01 and the cipher-image of “Lenna” encrypted by the analyzed bit-level permutation-only scheme cryptanalyzed in [5] can also reach as high as 7.978.

    Fact 1

    For any function , entropy function (Eq. (4)) satisfies that and the equality holds if and only if is a bijection.

  • Plaintext sensitivity:

    Plaintext sensitivity is very important for high-strength image encryption schemes as a plain-image and its slightly modified version (embedded by a watermark or some hiding messages) are often encrypted at the same time. If the used encryption scheme does not satisfy the sensitivity requirement, leakage of the cipher-image corresponding to one of the two similar plain-images may disclose the visual information of the other. In the field of image security, two metrics UACI (unified averaged changed intensity) and NPCR (number of pixels changing rate) are widely used to measure plaintext sensitivity. Unfortunately, the validity of the two metrics has been questioned in [30] by statistical information of the outputs of some insecure encryption schemes. Here, we emphasize that the internal structure of IEAIE cannot perform well to achieve the expected plaintext sensitivity. Observing the encryption procedure of IEAIE, one can see that all involved operations can make every operated bit ‘run’ from the least significant bit (LSB) to the most significant bit (MSB), not the opposite order. Concretely, the change of a bit in the -th bit-plane (counted from the LSB to MSB) can only influence the bits in the -th ones. So, the influence scope of every bit of the plaintext on the corresponding cipher-text is dramatically different. No matter how many rounds are repeated, this problem remains [32]. The designers of IEAIE claimed that “the keystreams are different with respect to different plain-images” based on the assumption of high sensitivity of information entropy on change of the plain-image. However, as we have explained above, this assumption is not correct. In all, the statement “a slight change in the plain-image leads to a completely different cipher-image” in [27, Sec. 3.2.2] is incorrect.

    Fig. 4: The model of differential attack.
  • Coefficient correlation:

    Just like most chaos-based image encryption schemes, [27] adopted the coefficient correlation of neighboring pixels of cipher-images encrypted by IEAIE to demonstrate its good security performance. As mentioned in [30, Fig. 3], there is “no clear (statistical) decision criterion for passing this test”. Furthermore, three insecure encryption schemes deliberately constructed in [30] can perform very well in terms of fulfilling the metric. Actually, this metric can be calculated only from image encryption schemes working in the spatial domain. Reasonable security index of image data should consider the characteristics of the human visual system and the distribution of compressing coefficients of image data [33].

  • Efficiency analysis:

    The authors of [27] claimed that IEAIE is suitable for real-time secure communication by comparing it with the image encryption scheme proposed in [6]. In fact, the fast running speed of IEAIE comes from less computation operations, namely the obtained efficiency is built on sacrificing security instead of better structure. In Eqs. (5), (6), (8), (11), IEAIE uses integer conversion functions following the general form


    where and are positive integers, is a quantization function, e.g. ceil and round. In processors, multiplication by a constant is implemented using a sequence of bit-wise shift and addition operations, e.g.


    , and is the arithmetic precision. So the computational complexity of the conversion (13) is proportional to [19]. In Eqs. (5), (6), (8), (11), is set as 7 or 14. Only bits are useful for IEAIE; the computation spent on generating the other bits is wasted. Taking Eq. (8) as an example, the utilization percentage of the computation cost on iterating 2D-LASM (1) is only . In addition, the test on speed analysis in [27] was performed in an ideal laboratory environment instead of resource-limited real environments.
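The information-entropy item above (the two entropy-preserving changes and Fact 1) can be checked directly, and it generalizes to a construction the text does not spell out: two images that differ in exactly one pixel yet have identical entropy. This is an added example, not code from the paper; the sample image and all function names are constructed for illustration.

```python
import math
import random
from collections import Counter

def entropy(pixels):
    """Shannon entropy of 8-bit pixel values, in bits.

    Summing over the sorted counts makes the result depend only on the
    multiset of counts, so equal histogram shapes give bit-identical floats.
    """
    n = len(pixels)
    return -sum(c / n * math.log2(c / n) for c in sorted(Counter(pixels).values()))

def sample_image():
    """Constructed 64-pixel test image: value v occurs v times for v = 1..10,
    plus nine pixels of value 200, then shuffled with a fixed seed."""
    pixels = [v for v in range(1, 11) for _ in range(v)] + [200] * 9
    random.Random(2024).shuffle(pixels)
    return pixels

def permuted(pixels, seed):
    """Change kind 1: permute pixel positions."""
    out = list(pixels)
    random.Random(seed).shuffle(out)
    return out

def relabeled(pixels, old, new):
    """Change kind 2: move every pixel of value `old` to the unused value `new`."""
    if new in pixels:
        raise ValueError("target value already occurs in the image")
    return [new if p == old else p for p in pixels]

def one_pixel_twin(pixels):
    """Return a copy differing in exactly one pixel with the same entropy.

    Changing one pixel from value a to value b keeps the multiset of counts
    unchanged whenever count(a) == count(b) + 1 (b may be an unused value).
    """
    counts = Counter(pixels)
    for a in sorted(counts):
        for b in range(256):
            if b != a and counts.get(b, 0) + 1 == counts[a]:
                twin = list(pixels)
                twin[pixels.index(a)] = b
                return twin
    raise ValueError("no suitable pair of values in this image")

if __name__ == "__main__":
    img = sample_image()
    twin = one_pixel_twin(img)
    merged = [p // 2 for p in img]  # non-injective map: entropy must drop
    print("original      ", entropy(img))
    print("permuted      ", entropy(permuted(img, 7)))
    print("relabeled     ", entropy(relabeled(img, 200, 77)))
    print("one-pixel twin", entropy(twin))
    print("merged values ", entropy(merged))
```

An entropy-derived keystream parameter cannot distinguish the original from its one-pixel twin, which is the kind of plain-image pair the differential analysis in the next subsection relies on.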

III-B Differential cryptanalysis

As shown in Fig. 4, an attacker can arbitrarily choose some plaintexts, , and the corresponding ciphertexts, , encrypted by the same secret key in the scenario of chosen-plaintext attack. As for differences between plaintexts and , , one can observe the corresponding differences between ciphertexts and , . The differences are defined in terms of an invertible operation used in the encryption scheme, e.g. bitwise OR and modulo subtraction. So differential cryptanalysis can be considered as a chosen-plaintext attack on a weakened version of the analyzed encryption scheme for some differences selected from possible ones. In the broadest sense, differential cryptanalysis is a cryptanalytic method studying how particular differences in plaintext pairs affect the resultant differences, which is also called differential, of the corresponding ciphertext pairs. Considering the public structure of the analyzed encryption scheme, some basic parts can be deliberately canceled and the remaining part can be broken with much less resources. By repeating the process, the equivalent secret key of the whole encryption scheme can be recovered, which is then used to decrypt another ciphertext , encrypted by the same secret key.

From the above introduction of the chosen-plaintext attack, one can see that the attack model relies on repeated usage of the secret key. So the designers of IEAIE use the information entropy of the plain-image to “affect the usage of the keystream and frustrate the chosen-plaintext and known-plaintext attacks” in [27, Sec. 2.2]. However, based on the analysis on the insensitivity of information entropy in the above sub-section, it is very easy to construct some plain-images possessing the same keystream during the encryption process of IEAIE. Observing the encryption procedure of IEAIE, one can see that its real operations are solely determined by parameters, and . Note that even when two plain-images generate different entropy values in the encryption process, their corresponding keystreams may still be the same due to the following reasons: 1) the modulo addition and division in Eq. (2) may make different sets of result in the same value of ; 2) the quantization error of calculating in computer may make different combinations of generate the same value of ; 3) Eq. (11) only extracts bits of intermediate computing result of , and may output the same value of for different inputs of . Once the dependability mechanism of the keystream of IEAIE on the plain-image is concealed, the structure of Eq. (10) becomes the same as that of the main function of the image encryption scheme cryptanalyzed in [19]. Then, the differential cryptanalysis on IEAIE can be performed similarly.

Assume two plain-images and own the same set of and in the encryption process of IEAIE. As for their difference in terms of modulo subtraction , IEAIE is degenerated to


where , , is the difference of the corresponding cipher-images of and in terms of the operator (some components in Eq. (10) are eliminated by the modulo subtraction), and . Observing Eq. (14), one can assure that


if has only one non-zero element at entry , where is the entry of the first non-zero element in differential (counted in the scan order).

Based on the above analysis, the differential cryptanalysis on one round version of IEAIE can be described as follows.

  • Step 1: Choose two plain-images of size , and , satisfying

    where are non-negative integers and , , and denotes the cardinality of a set. Note that is initialized as .

  • Step 2: Let and pass through the encryption process of IEAIE with an unknown secret key and obtain the corresponding cipher-images, and .

  • Step 3: Get the value of via Eq. (15).

  • Step 4: Repeat the above procedure for (selected in the scan order of a matrix of size ) and get the value of . The value of can be identified as the sole unused location.

  • Step 5: Recover by Eq. (12) and calculate

    for and .

Fig. 5: The process of revealing the permutation procedure of IEAIE with a differential attack.

Observing Eq. (10), one can see that can work as the equivalent version of the secret key for decryption on the diffusion encryption part. In all, two matrices and can work as the equivalent secret key of IEAIE.

A number of experiments were performed to verify performance of the above attacking steps. A concrete case of revealing the permutation relationship of IEAIE on a plain-image of size is shown in Fig. 5, where , , , and , and . In this case, the same set of and are generated for the two toy plain-images due to the quantization effect. From Fig. 5, we can see that the new permuted location of the sole non-zero element at entry in the differential plain-image can be observed by searching for the first different elements of the two cipher-images.
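The divide-and-conquer idea in Steps 1 to 5 can be followed on a small stand-in cipher. This is an added example, not the paper's code and not IEAIE itself: it assumes a constructed one-round scheme (a secret position permutation followed by a chained modulo-256 addition with a secret mask) whose keystream does not depend on the plain-image, which is the situation the text reaches once two plain-images share the same keystream. All names are hypothetical.

```python
import random

def make_key(n, seed):
    """Constructed secret key: a permutation of n positions and n mask bytes."""
    rng = random.Random(seed)
    perm = list(range(n))
    rng.shuffle(perm)
    mask = [rng.randrange(256) for _ in range(n)]
    return perm, mask

def encrypt(plain, key):
    """Stand-in cipher: move pixel src to perm[src], then chain-add the mask."""
    perm, mask = key
    permuted = [0] * len(plain)
    for src, dst in enumerate(perm):
        permuted[dst] = plain[src]
    cipher, prev = [], 0
    for pixel, k in zip(permuted, mask):
        prev = (pixel + k + prev) % 256
        cipher.append(prev)
    return cipher

def decrypt(cipher, key):
    """Inverse of encrypt() for a (possibly recovered) key."""
    perm, mask = key
    previous = [0] + cipher[:-1]
    permuted = [(c - k - p) % 256 for c, k, p in zip(cipher, mask, previous)]
    return [permuted[dst] for dst in perm]

def recover_equivalent_key(oracle, n):
    """Recover an equivalent key from n chosen-plaintext queries.

    The all-zero image exposes the diffusion mask. A single non-zero pixel
    at `src` changes the cipher-image only from its permuted position on, so
    the first differing cipher pixel reveals perm[src]. The last position is
    the sole unused location, as in Step 4.
    """
    zero_cipher = oracle([0] * n)
    previous = [0] + zero_cipher[:-1]
    mask = [(c - p) % 256 for c, p in zip(zero_cipher, previous)]
    perm = []
    for src in range(n - 1):
        probe = [0] * n
        probe[src] = 1
        probe_cipher = oracle(probe)
        perm.append(next(i for i in range(n) if probe_cipher[i] != zero_cipher[i]))
    perm.append((set(range(n)) - set(perm)).pop())
    return perm, mask

if __name__ == "__main__":
    secret_key = make_key(16, seed=1)
    recovered = recover_equivalent_key(lambda p: encrypt(p, secret_key), 16)
    target = list(range(100, 116))  # constructed "other" plain-image
    print(decrypt(encrypt(target, secret_key), recovered) == target)
```

The number of queries grows linearly with the number of pixels, which is why a scheme of this structure gains nothing from a large key space once the keystream can be held fixed.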

In [27], two rounds of the basic operations are suggested. Here, we skip the cryptanalysis of the full version of IEAIE based on the following considerations: 1) existence of the security defects presented in the above sub-section is not related to the round number; 2) cryptanalysis of the two rounds of IEAIE involves very complex deduction and presentation; 3) the reported security defects of IEAIE are far enough to demonstrate that it cannot be fixed by simple modifications.

IV Conclusion

This paper analyzed the security of a chaotic image encryption algorithm based on information entropy, IEAIE. The claimed superiorities of its structure are analyzed in detail and are found incorrect. Furthermore, every used security metric is incapable of testifying to real security performance. To design a secure and efficient multimedia encryption scheme, the related critical factors, e.g. the special properties of multimedia data, the concrete application scenario with specified constraints, computation load, should be considered comprehensively. Much cryptanalytic work needs to be done to bridge the gap between the field of nonlinear dynamics and that of modern cryptography.