1 Introduction
Social media not only drive product discovery and purchase, but also incur serious concern on the security and privacy of the images shared by the Internet users. Due to the special properties of multimedia information, the modern text encryption standards, such as AES and Triple DES, cannot efficiently protect them in general. To cope with the challenge, a number of special image encryption algorithms, e.g. joint encryption and compression together, were proposed every year Abu Dalhoum et al. (2012); Ye and Huang (2016); Li et al. (2019b). It is well known that cryptography (designing encryption algorithm) and cryptanalysis (security analysis of a given encryption algorithm) are two integral parts of cryptology. The cryptanalysis results facilitate the designers strengthen or replace flawed algorithms. Cryptanalysis of a given image encryption scheme also provides a special perspective for promoting some multimedia processing techniques, e.g. image recovery. Some image encryption algorithms like that proposed in Mannai et al. (2015); Ye and Huang (2016) are found to be insecure to different extents from the viewpoint of modern cryptology Jolfaei et al. (2016); Li et al. (2018a); Preishuber et al. (2018); Chen et al. (2021).
The complex dynamics of a chaotic system demonstrated in an infiniteprecision domain is very similar to the expected properties of a secure encryption scheme outlined by Shannon in Shannon (1949). So, a large number of chaosbased encryption schemes were proposed in the past three decades Chai et al. (2019); Hua et al. (2021). In Ikeda et al. (1980), Ikeda adopted a onevariable differentialdifference equation to model light going around a ring cavity containing a nonlinear dielectric medium and found “chaotic” phenomena in the transmitted field. In Mannai et al. (2015), Mannai et al. introduced the equation’s variant
(1) 
as a chaosbased pseudorandom number generator (PRNG), where and are coefficients, and is the positive delay time. The evolution of the dynamics is dependent on not only the present value but also earlier one . To solve equation (1), it is discretized with the following way: 1) each interval is divided into subintervals and each subinterval is approximated with a scalar value, where ; 2) the samples of each interval are considered as an
dimension vector. In
Mannai et al. (2015), an image encryption algorithm based on a timedelay Ikeda system (IEATD) was proposed. The designers of IEATD believed that utilizing the rich dynamics of a discretized Ikeda system and a new keystream generation mechanism associated with the average of all pixels of the plainimage can provide sufficient capacity to withstand known/chosenplaintext attacks.In reality, the security strength of IEATD is very weak as its equivalent secret key can be obtained with only two chosen plainimages Li et al. (2018b). Meanwhile, M. Li et al. pointed out that two security defects exist in IEATD: 1) the regularity of the keystream and absence of position scrambling; 2) incapacity to resist differential attack Li et al. (2018b). To remedy the defects, they adopted much more complex encryption operations: permutation and crossover diffusion phases. In short, we call the enhanced image encryption algorithm using the crossover diffusion as IEACD. This paper focuses on security analysis of the two image encryption algorithms, IEATD Mannai et al. (2015) and IEACD Li et al. (2018b). We found that the authors of Li et al. (2018b) did not notice a fatal drawback of the keystream generation mechanism: insensibility to minor change of a pixel. This leads to that IEACD still cannot withstand chosenplaintext attack. Furthermore, there is improper keystream configuration in diffusion that almost discloses the whole keystream. The essential structures of the two algorithms cause that the equivalent secret key of IEATD and IEACD can be recovered with knownplaintext attack and chosenplaintext attack, respectively.
The rest of this paper is organized as follows. Section 2 concisely describes the encryption procedures of the encryption algorithm IEATD and its enhanced version IEACD. Then, Sec. 3 and Sec. 4 present the detailed cryptanalysis results on the two encryption algorithms, respectively. The last section concludes the paper.
2 Description of two analyzed image encryption algorithms
The input of algorithm IEATD is an 8bit grayscale image of size . The plainimage is scanned in the raster order and then can be represented as a sequence . The corresponding cipherimage is denoted by . Then, IEATD and its enhanced version IEACD can be described in Sec. 2.1 and Sec. 2.2, respectively.
2.1 The framework of IEATD

The secret key: a positive integer , three control parameters of discretized Ikeda chaotic system
(2) and its initial condition , where , , and .

The confusion procedure:

Step 1: Divide into vectors, where the length of th vector is , and the length of subsequent vector depends on the previous one:
(3) where , . Finally, assign the actual length of the last vector to . Obviously, the longest vector is either the last vector or the penultimate one .

Step 2: As for the th vector , iterate Eq. (2) times from the initial condition and generate a chaotic sequence , and then obtain the quantized sequence via
where . Finally, concatenate further into a sequence , where
The longest vector among is either or , and let denote it. Note that every element of is a subsequence of .

Step 3: Perform confusion operations on sequence by
(4) for , where donates the bitwise XOR operation.

2.2 The enhanced elements of IEACD compared with IEATD
To enhance the security level of IEATD, some extra operations were appended to withstand the chosenplaintext attack reported in Li et al. (2018b).

The added secret subkeys: a positive integer , the initial condition and the control parameter of Logistic map
(5) 
The modified encryption procedures:
Step 1: Iterate Eq. (5) steps from , and obtain a chaotic sequence , which is used to produce permutation vector , where is the th largest element in the sequence . Then, permute with the permutation vector and obtain a permuted intermediate image by performing
(6) for .
Step 2: Divide into vectors and obtain a sequence like Step 1, 2 of IEATD, where the division size is determined by
(7) Then perform the confusion operation on via
(8) where .
Step 3: Crossover diffusion:

Step 3a: Generate index array , where
(9) .

Step 3b: Conduct the first round crossover diffusion with and sequence by
(10) for , where and .

Step 3c: Perform the second round of crossover diffusion via
(11) for , where .
Step 4: Permute and obtain the ciphertext by performing
(12) for .

3 Cryptanalysis of IEATD
In Mannai et al. (2015), the authors claimed that the adopted intermediate keystream is dependent on the plaintext, so it can withstand the classic attacks, such as plain/chosenplaintext attack and chosenciphertext attack. However, we argue that the statement is not always correct. In this section, the weak keys about are discussed. After briefly describing the chosenplaintext attack on IEATD proposed in Li et al. (2018b), we present a knownplaintext attack on it.
3.1 Weak keys with respect to
In IEATD, the plaintext is first divided into some vectors, which is dependent on a given key and the plaintext itself. The scope of is not specifically given in the algorithm. However, should be less than from the security standpoint, where . If , it is observed that the keystream generation mechanics is futile since sequence generated from any plainimage is the same. In such case, a mask image, generated by XORing a plainimage and the corresponding cipherimage pixel by pixel, can be directly used as the equivalent secret key. As shown in Fig. 1, a cipherimage is fully decrypted with the mask image. As this is contrary to the original intention of the designers, it is assumed that in the subsequent analysis.
3.2 The chosenplaintext attack proposed by M. Li et al.
To make the cryptanalysis of IEATD more complete, we briefly introduce the chosenplaintext attack on IEATD proposed by M. Li et al. in Li et al. (2018b) and comment its performance:

Determining : Referring to Eq. (3), one can see that and for any if for . To ensure this condition exists, one can choose a plainimage of fixed value zero. Then, sequence can be obtained by . If one calculates the autocorrelation coefficients of , the maximum should be , where
is the average of , and is lag.

Obtaining : Choose a plainimage of fixed value 255 and get the corresponding longest sequence from , where is the result by XORing and its cipherimage pixel by pixel.
Set and denote the length of by . The decryption procedure can be described as follows:

Step 1: Set , , .

Step 2: Do for , and then set .

Step 4: Assign to , where returns the smaller element between and . Then do
for .
In the above decryption process, the intermediate keystream corresponding to a cipherimage is gradually recovered. In other words, one can reconstruct the specific belonging to a cipherimage from and . Thus, they can be regarded as the equivalent secret key. The time complexity of the attack is instead of that claimed in Li et al. (2018b), .
3.3 Knownplaintext attack on IEATD
Knownplaintext attack can be considered as a stronger version of the chosenplaintext attack as the former can recover the information with the secret key from some given plaintexts, instead of that specially constructed or selected. As for algorithm IEATD, even if only one plainimage and the corresponding cipherimage are available, one can obtain effortlessly and then derive a counterpart of , . They can be used to disclose some visual information of the other cipherimages encrypted with the same secret key.
According to Eq. (3), one can get after obtaining and . Then, as for two adjacent vectors and , one has for , where . Hence, the condition can be used to verify the search of . Since the scope of is relatively small as mentioned in Sec. 3.1, the confirmation of is feasible through bruteforce searching:

Step 1: Produce sequence by XORing the plainimage and its corresponding cipherimage pixel by pixel.

Step 2: For , do the following operations:

Step 2a: If condition satisfies, set , , ; otherwise, go to the next loop.

Step 2b: Set and calculate using Eq. (3). If , set and terminate the attack.

Step 2c: If condition
satisfies, set and go back to Step 2b.

After confirming , one can easily obtain from . Set and the decryption procedure is the same as that in Sec. 3.2. Once condition (13) does not exist during the decryption process, the following cipherpixels are all decrypted incorrectly. Referring to Eq. (3), one can know a simple rule: the brighter a plainimage is, the fewer the divided vectors become (the corresponding gets longer). When the brightness of the plainimage corresponding to a cipherimage to be decrypted is higher than that of the known plainimage, condition (13) is not satisfied for smaller index . This means that more portion of the cipherimage cannot be decrypted correctly. As shown in Fig. 2b), the image with lower brightness than that in Fig. 2a) is even completely decrypted. By contrast, many consecutive pixels of two brighter plainimages cannot be recovered correctly (See Fig. 2c) and d)). As for the same plainimage to be decrypted, if brightness of the available known plainimage is lower, more consecutive pixels cannot be decrypted correctly. This point can be verified by comparing Fig. 2b), c) and d) with Fig. 2f), g) and h), respectively.
4 Cryptanalysis of IEACD
To cope with the insecurity problems of IEATD reported in Li et al. (2018b), multiple confusion and diffusion operations are appended, making the algorithm become another algorithm IEACD. In fact, the original keystream generation mechanism indeed exists a serious pitfall, which leads to that the patched algorithm IEACD still cannot withstand chosenplaintext attack. In this section, three weaknesses of IEACD are first analyzed to facilitate description of the following chosenplaintext attack.
4.1 Three weaknesses of IEACD

The real size of key space is much smaller than the expected one
Due to the limitation of finiteprecision presentation, dynamics of any chaotic system is definitely degraded when it is implemented in a digital device. As investigated in Fan and Ding (2019); Li et al. (2019a, 2021), the structure of the statemapping network (SMN) of a digitized chaotic system implemented with fixedpoint precision is largely dominated by that with precision . The short period problems of PRNG based on Logistic map (5
) implemented in a digital device (with fixedpoint arithmetic or floatingpoint arithmetic) were comprehensively discussed in
Li et al. (2019a). As shown in Fig. 3, discretized Ikeda system obeys this rule also. No matter what the precision is, the SMN of discretized Ikeda system follows the following rules: 1) an SMN is composed of some weakly connected components; 2) there are some selfloops (an edge connecting a node to itself); 3) As for each connected component, there is one and only one cycle (including special cycle, selfloop), and every node evolves to it via a transient process; 4) Many nodes have two and only two parent nodes. Generating a pseudorandom number sequence by the orbits determined by a chaotic map is actually walking along a path of an SMN. Now, one can see that the period of a sequence by solving the discretized Ikeda system may be very short (even only one). So, there are a number of equivalent secret keys and invalid secret keys as for the function of IEATD and IEACD. Note that such pitfall always exists no matter how large the precision gets. 
Insensibility of keystream generation mechanics
Although the permutation operations are performed before the confusion step to frustrate the predictability of keystream , the keystream is still insensitive to minor changes of some pixels of the plainimage. Referring to Eq. (7), one can see that the possibility that change is roughly when a pixel in vector is slightly changed with variation . More generally, when a randomly chosen pixel in one plainimage is slightly altered with variation
, the probability that
generated by the altered plainimage is different from the previous version isTaking a nature image of size as an example, and . Note that the more the average of the pixels of the image approaches 255, the smaller the probability is.

Improper configuration of keystream
The tworound crossover diffusion is performed to resist chosenplaintext attack and differential attack, but the keystream used in permutation is wrongly reused in the diffusion part, which makes the algorithm more insecure. From Eq. (6), (8) and (10), one has
(14) where and . Also, incorporating and Eq. (12) into Eq. (11), one has
(15) where and . Obviously, the keystream used in the diffusion is not private. Specifically, as for the plainpixel in position , its corresponding random integer used in the modulo addition is actually .
4.2 Chosenplaintext attack on IEACD
To conceal the relationship between the plainimage and keystream , one can generate a pair of plainimages , where is a nature image, , for and , and the index is any given integer. Denote the intermediate keystreams and cipherimages corresponding to by and , respectively. Define the bitwise XOR operation of two plainimages and as , where and are encrypted by the same secret key. For simplicity, define a sequence , where for .
4.2.1 Determining
As is known, one can obtain once is recovered. So, one can attempt to determine first. Assume and in the following analysis. Let denote . Based on the analysis in Sec. 4.1, one can assume that . From Eq. (3), one has
(16) 
According to Eq. (16), if and , then . From , one can deduce , and then get for . Consequently, Eq. (16) can be represented as
(17) 
Referring to Eq. (3) and XORing the two cipherimages, one has
Then, incorporating Eq. (17) into the above equation, one can get
when ;  (18a)  
when ;  (18b)  
when ,  (18c) 
which is the key equation for the attack. As the above equation has three cases, sequence is likewise divided into three recovery parts: , , and , which are discussed separately in the following:

Determining
Incorporating into Eq. (18a), one has
(19) Enumerating , one can obtain a set containing all possible values of via Eq. (19), where and . Adopting more known plainimages and the corresponding cipherimages, one can get more different sets and intersect them, which makes the probability is correctly determined approach one. Ideally, the probability is one if and only if the cardinality of the intersection of these sets is equal to one.

Determining
Substituting with in Eq. (18b), one can get
(20) In the above equation, is determined and only is unknown. Similar to the recovery of , one can enumerate and verify it via Eq. (20), where and . As every element in is unique, the derived element should be recorded and not used in the following enumeration. Apparently, the elements before in can be likewise determined via Eq. (18b). Since is the first element, this process is naturally finished when no element can be found using Eq. (18b). After is obtained, is also determined by the way. In case of , is completely recovered. But in the other cases, the elements after in
remain undetermined at this moment.

Determining
Now, determine via Eq. (18c). When , Eq. (18c) becomes
(21) Besides , and are still unknown in Eq. (21). Since is obtained, they can be calculated via
(22) which is derived from Eq. (3). Similarly, and also can be calculated. Just as determining , can be confirmed through enumeration and verification via Eq. (21). Again, one can calculate and via Eq. (22), and then determine by Eq. (18c). By this way, the rest can also be determined one by one in turn.
In the process of determining , as for a known or given element , one attempts to find its neighbor by verifying whether the corresponding equation holds. Therefore, is reconstructed by seeking the relative positions of elements. As mentioned before, after constructing , the permutation vector can be restored via for .
Now, the attack in case of is discussed. In fact, the special cases of can be identified through Eq. (18a) and (18b). If , since is the first element in , no element can be found via Eq. (18b). Hence, one should determine via Eq. (18a) and then find the remainder of through Eq. (18c). If , the attack is failed. Since Eq. (18a) and (18b) both no longer hold, one would directly attempt to determine through
which is derived from Eq. (18c). Here, and are still unknown, and only can be obtained from Eq. (17). Apparently, the available information is insufficient to obtain and , and then the attack cannot proceed. Such case occurs with a low probability , which is when . So it does not impact the attack much. If it occurs, one just needs to choose a different index and generate the corresponding plainimages again.
Next, let us investigate how many plainimages are sufficient to recover exactly. As there is a strong correlation between and
, it is intractable to estimate it. Therefore, assume that each pixel in
pairs of cipherimages follows independently identical distribution in subsequent discussion. The retrieve process of is similar to the attack method on permutationonly ciphers given in Li and Lo (2011); Li et al. (2017), which attempts to find the sole exact permutation position from a set containing all possible positions. As discussed in Li and Lo (2011); Li et al. (2017), some minor error elements in permutation matrix have no much influence on the decryption performance. However, due to the tworound crossover diffusion, any wrong element in can incur that the decryption result has no any visual information. In other words, the errortolerant rate of for decryption performance is zero.When one attempts to determine via Eq. (18b) and is known, among 65536 combinations of and , only 256 ones satisfy the equation. And Eq. (18b) should satisfy for pairs of cipherimages. Thus, the possibility deriving a wrong value as the neighbor of a given element is . As for Eq. (18a) and (18c), the analysis is similar and the corresponding possibility is the same. Then, the probability that an element only has sole exact candidate after enumeration and verification is roughly
Determining exactly relies on three conditions: , , and the exact neighbor for each element can be obtained. Hence, the probability of recovering exactly can be calculated by . When and , the probability is about 0.993. So it is expected that can be always recovered exactly when . The possibility can also be regarded as the attacking success rate. Apparently, the time complexity of the whole recovering process is .
4.2.2 Determining , , and
Now , , and are known, only the confusion part is left. The unknown elements of and , and , can be calculated via
And the elements of can be recovered through
except (). Similar to Sec. 3.3, one can guess through bruteforce searching and ignoring the influence of the unrecovered value in comparison (assuming ). Then, one can calculate
where . To decrypt cipherimages completely, choose a plainimage of fixed value 255 as Li et al. (2018b). Thus, one can calculate the corresponding sequence and extract the longest vector from the sequence. Finally, the equivalent secret key can be obtained.
To test the real performance of the preceding chosenplaintext attack, some experiments were performed. As Mannai et al. (2015); Li et al. (2018b), the typical secret key is set as , , , , , , and . The initial condition of the discretized Ikeda system is a randomly generated vector of length 50. Figure 4 demonstrates two plainimages used for determining and the corresponding cipherimages, where the index of the changed pixel is 46240. It is found that the sequence can be recovered with five pairs of plainimages and the corresponding cipherimages. After and are determined, is derived using a plainimage of fixed value 255. Two corresponding intermediate images and the final result decrypted using the equivalent secret key are shown in Fig. 5. To show the attack vividly, Table. 1 and 2 list the encryption process of a sample image of size and the corresponding attacking results, respectively.
Item  1  2  3  4  5  6  7  8  9  10  11  12  13  14  15  16 

7  5  7  3  3  10  0  1  6  3  3  2  3  6  5  6  
14  6  4  12  2  15  10  0  8  7  9  1  11  3  5  13  
5  0  3  3  7  6  3  7  6  1  3  5  2  3  10  6  
4  6  6  
233  33  101  80  233  33  101  80  187  24  233  33  101  80  187  24  
236  33  102  83  238  39  102  87  189  25  234  36  103  83  177  30  
10  148  224  92  149  241  215  58  175  130  3  121  199  167  109  89  
109  116  29  109  140  174  247  171  218  249  37  23  80  22  145  225  
171  23  140  22  29  145  116  249  218  37  247  80  109  225  109  174 
Items  The corresponding value 

7  
6  
3  
4  
216  
5 Conclusion
This paper analyzed security performance of an image encryption algorithm based on a firstorder timedelay system IEATD and the enhanced version IEACD. Although another research group proposed a chosenplaintext attack on IEATD, we presented an enhanced attack using the correlation between adjacent vectors of one plainimage and the corresponding cipherimage. Although IEACD is designed by the attacking group with intention to fix the security defects of IEATD, there still exist some security pitfalls, such as invalid secret keys, insensibility of keystream generation mechanics, and improper configuration of keystream. Based on these, we designed an efficient chosenplaintext attack and verified it with extensive experiments. The serious insecurity of the two algorithms cannot be improved by simple modifications. They can work as typical counterexamples to remind us to recast scenariooriented image encryption algorithms following the guidelines and lessons summarized in Shannon (1949); Preishuber et al. (2018); Li et al. (2019b).
Acknowledgements
This work was supported by the National Natural Science Foundation of China (no. 61772447), Scientific Research Fund of Hunan Provincial Education Department (no. 20C1759), and Science and Technology Program of Changsha (no. kq2004021).
References
 Digital image scrambling using 2D cellular automata. IEEE Multimedia 19 (4), pp. 28–36. External Links: Document Cited by: §1.
 A color image cryptosystem based on dynamic dna encryption and chaos. Signal Processing 155, pp. 44–62. External Links: Document Cited by: §1.
 Cryptanalysis of image ciphers with permutationsubstitution network and chaos. IEEE Transactions on Circuits and Systems for Video Technology 31 (6), pp. 2494–2508. External Links: Document Cited by: §1.
 Analysing the dynamics of digital chaotic maps via a new period search algorithm. Nonlinear Dynamics 97 (1), pp. 831–841. External Links: Document Cited by: item 1.
 Color image encryption using orthogonal latin squares and a new 2D chaotic system. Nonlinear Dynamics 104, pp. 4505–4522. Cited by: §1.
 Optical turbulence: chaotic behavior of transmitted light from a ring cavity. Physical Review Letters 45 (9), pp. 709. External Links: Document Cited by: §1.
 On the security of permutationonly image encryption schemes. IEEE Transactions on Information Forensics and Security 11 (2), pp. 235–246. External Links: Document Cited by: §1.
 Dynamic analysis of digital chaotic maps via statemapping networks. IEEE Transactions on Circuits and Systems I: Regular Papers 66 (6), pp. 2322–2335. External Links: Document Cited by: item 1.
 Cryptanalyzing an image encryption algorithm based on autoblocking and electrocardiography. IEEE Multimedia 25 (4), pp. 46–56. External Links: Document Cited by: §1.
 Cryptanalyzing an imagescrambling encryption algorithm of pixel bits. IEEE Multimedia 24 (3), pp. 64–71. External Links: Document Cited by: §4.2.1.
 Optimal quantitative cryptanalysis of permutationonly multimedia ciphers against plaintext attacks. Signal Processing 91 (4), pp. 949–954. External Links: Document Cited by: §4.2.1.
 The graph structure of the generalized discrete arnold cat map. IEEE Transactions on Computers (), pp. . External Links: Document Cited by: item 1.
 When an attacker meets a cipherimage in 2018: a year in review. Journal of Information Security and Applications 48 (), pp. art. no. 102361. External Links: Document Cited by: §1, §5.
 Cryptanalysis and improvement of a chaotic image encryption by firstorder timedelay system. IEEE Multimedia 25 (3), pp. 92–101. External Links: Document Cited by: §1, §2.2, §3.2, §3.2, §3, §4.2.2, §4.2.2,
Comments
There are no comments yet.