Cryptanalyzing two image encryption algorithms based on a first-order time-delay system

by   Sheng Liu, et al.

Security is a key problem for the transmission, interchange and storage process of multimedia systems and applications. In 2018, M. Li et al. proposed in-depth security analysis on an image encryption algorithm based on a first-order time-delay system (IEATD) and gave a specific chosen-plaintext attack on it. Moreover, an enhanced version called as IEACD was designed to fix the reported security defects. This paper analyzes the essential structures of the two algorithms and evaluates their real security performances: 1) no efficient nonlinear operations are adopted to assure the sensibility of keystream; 2) the equivalent secret key of IEATD can be efficiently recovered from one known plain-image and the corresponding cipher-image; 3) IEACD can still be efficiently cracked with a chosen-plaintext attack. Both rigorous theoretical analyses and detailed experimental results are provided to demonstrate effectiveness of the advanced cryptanalytic methods.



There are no comments yet.


page 5

page 8


Cryptanalysis of an Image Block Encryption Algorithm Based on Chaotic Maps

Recently, an image block encryption algorithm was proposed based on some...

Chosen-Plaintext Cryptanalysis of a Clipped-Neural-Network-Based Chaotic Cipher

In ISNN'04, a novel symmetric cipher was proposed, by combining a chaoti...

Cryptanalyzing an image encryption algorithm based on autoblocking and electrocardiography

This paper analyzes the security of an image encryption algorithm propos...

Combined Image Encryption and Steganography Algorithm in the Spatial Domain

In recent years, steganography has emerged as one of the main research a...

Cryptanalysis of a Chaos-Based Fast Image Encryption Algorithm for Embedded Systems

Fairly recently, a new encryption scheme for embedded systems based on c...

Universal chosen-ciphertext attack for a family of image encryption schemes

During the past decades, there is a great popularity employing nonlinear...

Key-dependent Security of Stream Ciphers

The control of the cryptography is more than ever a recurrent issue. As ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Social media not only drive product discovery and purchase, but also incur serious concern on the security and privacy of the images shared by the Internet users. Due to the special properties of multimedia information, the modern text encryption standards, such as AES and Triple DES, cannot efficiently protect them in general. To cope with the challenge, a number of special image encryption algorithms, e.g. joint encryption and compression together, were proposed every year Abu Dalhoum et al. (2012); Ye and Huang (2016); Li et al. (2019b). It is well known that cryptography (designing encryption algorithm) and cryptanalysis (security analysis of a given encryption algorithm) are two integral parts of cryptology. The cryptanalysis results facilitate the designers strengthen or replace flawed algorithms. Cryptanalysis of a given image encryption scheme also provides a special perspective for promoting some multimedia processing techniques, e.g. image recovery. Some image encryption algorithms like that proposed in Mannai et al. (2015); Ye and Huang (2016) are found to be insecure to different extents from the viewpoint of modern cryptology Jolfaei et al. (2016); Li et al. (2018a); Preishuber et al. (2018); Chen et al. (2021).

The complex dynamics of a chaotic system demonstrated in an infinite-precision domain is very similar to the expected properties of a secure encryption scheme outlined by Shannon in Shannon (1949). So, a large number of chaos-based encryption schemes were proposed in the past three decades Chai et al. (2019); Hua et al. (2021). In Ikeda et al. (1980), Ikeda adopted a one-variable differential-difference equation to model light going around a ring cavity containing a nonlinear dielectric medium and found “chaotic” phenomena in the transmitted field. In Mannai et al. (2015), Mannai et al. introduced the equation’s variant


as a chaos-based pseudorandom number generator (PRNG), where and are coefficients, and is the positive delay time. The evolution of the dynamics is dependent on not only the present value but also earlier one . To solve equation (1), it is discretized with the following way: 1) each interval is divided into subintervals and each subinterval is approximated with a scalar value, where ; 2) the samples of each interval are considered as an

-dimension vector. In

Mannai et al. (2015), an image encryption algorithm based on a time-delay Ikeda system (IEATD) was proposed. The designers of IEATD believed that utilizing the rich dynamics of a discretized Ikeda system and a new keystream generation mechanism associated with the average of all pixels of the plain-image can provide sufficient capacity to withstand known/chosen-plaintext attacks.

In reality, the security strength of IEATD is very weak as its equivalent secret key can be obtained with only two chosen plain-images Li et al. (2018b). Meanwhile, M. Li et al. pointed out that two security defects exist in IEATD: 1) the regularity of the keystream and absence of position scrambling; 2) incapacity to resist differential attack Li et al. (2018b). To remedy the defects, they adopted much more complex encryption operations: permutation and crossover diffusion phases. In short, we call the enhanced image encryption algorithm using the crossover diffusion as IEACD. This paper focuses on security analysis of the two image encryption algorithms, IEATD Mannai et al. (2015) and IEACD Li et al. (2018b). We found that the authors of Li et al. (2018b) did not notice a fatal drawback of the keystream generation mechanism: insensibility to minor change of a pixel. This leads to that IEACD still cannot withstand chosen-plaintext attack. Furthermore, there is improper keystream configuration in diffusion that almost discloses the whole keystream. The essential structures of the two algorithms cause that the equivalent secret key of IEATD and IEACD can be recovered with known-plaintext attack and chosen-plaintext attack, respectively.

The rest of this paper is organized as follows. Section 2 concisely describes the encryption procedures of the encryption algorithm IEATD and its enhanced version IEACD. Then, Sec. 3 and Sec. 4 present the detailed cryptanalysis results on the two encryption algorithms, respectively. The last section concludes the paper.

2 Description of two analyzed image encryption algorithms

The input of algorithm IEATD is an 8-bit gray-scale image of size . The plain-image is scanned in the raster order and then can be represented as a sequence . The corresponding cipher-image is denoted by . Then, IEATD and its enhanced version IEACD can be described in Sec. 2.1 and Sec. 2.2, respectively.

2.1 The framework of IEATD

  • The secret key: a positive integer , three control parameters of discretized Ikeda chaotic system


    and its initial condition , where , , and .

  • The confusion procedure:

    • Step 1: Divide into vectors, where the length of -th vector is , and the length of subsequent vector depends on the previous one:


      where , . Finally, assign the actual length of the last vector to . Obviously, the longest vector is either the last vector or the penultimate one .

    • Step 2: As for the -th vector , iterate Eq. (2) times from the initial condition and generate a chaotic sequence , and then obtain the quantized sequence via

      where . Finally, concatenate further into a sequence , where

      The longest vector among is either or , and let denote it. Note that every element of is a subsequence of .

    • Step 3: Perform confusion operations on sequence by


      for , where donates the bitwise XOR operation.

2.2 The enhanced elements of IEACD compared with IEATD

To enhance the security level of IEATD, some extra operations were appended to withstand the chosen-plaintext attack reported in Li et al. (2018b).

  • The added secret sub-keys: a positive integer , the initial condition and the control parameter of Logistic map

  • The modified encryption procedures:

    Step 1: Iterate Eq. (5) steps from , and obtain a chaotic sequence , which is used to produce permutation vector , where is the -th largest element in the sequence . Then, permute with the permutation vector and obtain a permuted intermediate image by performing


    for .

    Step 2: Divide into vectors and obtain a sequence like Step 1, 2 of IEATD, where the division size is determined by


    Then perform the confusion operation on via


    where .

    Step 3: Crossover diffusion:

    • Step 3a: Generate index array , where



    • Step 3b: Conduct the first round crossover diffusion with and sequence by


      for , where and .

    • Step 3c: Perform the second round of crossover diffusion via


      for , where .

    Step 4: Permute and obtain the ciphertext by performing


    for .

3 Cryptanalysis of IEATD

In Mannai et al. (2015), the authors claimed that the adopted intermediate keystream is dependent on the plaintext, so it can withstand the classic attacks, such as plain/chosen-plaintext attack and chosen-ciphertext attack. However, we argue that the statement is not always correct. In this section, the weak keys about are discussed. After briefly describing the chosen-plaintext attack on IEATD proposed in Li et al. (2018b), we present a known-plaintext attack on it.

3.1 Weak keys with respect to

In IEATD, the plaintext is first divided into some vectors, which is dependent on a given key and the plaintext itself. The scope of is not specifically given in the algorithm. However, should be less than from the security standpoint, where . If , it is observed that the keystream generation mechanics is futile since sequence generated from any plain-image is the same. In such case, a mask image, generated by XORing a plain-image and the corresponding cipher-image pixel by pixel, can be directly used as the equivalent secret key. As shown in Fig. 1, a cipher-image is fully decrypted with the mask image. As this is contrary to the original intention of the designers, it is assumed that in the subsequent analysis.

a) b) c)
Figure 1: The decrypted result using a mask image when : a) the mask image; b) a cipher-image; c) the decrypted result.

3.2 The chosen-plaintext attack proposed by M. Li et al.

To make the cryptanalysis of IEATD more complete, we briefly introduce the chosen-plaintext attack on IEATD proposed by M. Li et al. in Li et al. (2018b) and comment its performance:

  • Determining : Referring to Eq. (3), one can see that and for any if for . To ensure this condition exists, one can choose a plain-image of fixed value zero. Then, sequence can be obtained by . If one calculates the autocorrelation coefficients of , the maximum should be , where

    is the average of , and is lag.

  • Obtaining : Choose a plain-image of fixed value 255 and get the corresponding longest sequence from , where is the result by XORing and its cipher-image pixel by pixel.

Set and denote the length of by . The decryption procedure can be described as follows:

  • Step 1: Set , , .

  • Step 2: Do for , and then set .

  • Step 3: Set

    and calculate via Eq. (3). If


    and , go back to Step 2.

  • Step 4: Assign to , where returns the smaller element between and . Then do

    for .

In the above decryption process, the intermediate keystream corresponding to a cipher-image is gradually recovered. In other words, one can reconstruct the specific belonging to a cipher-image from and . Thus, they can be regarded as the equivalent secret key. The time complexity of the attack is instead of that claimed in Li et al. (2018b), .

3.3 Known-plaintext attack on IEATD

Known-plaintext attack can be considered as a stronger version of the chosen-plaintext attack as the former can recover the information with the secret key from some given plaintexts, instead of that specially constructed or selected. As for algorithm IEATD, even if only one plain-image and the corresponding cipher-image are available, one can obtain effortlessly and then derive a counterpart of , . They can be used to disclose some visual information of the other cipher-images encrypted with the same secret key.

According to Eq. (3), one can get after obtaining and . Then, as for two adjacent vectors and , one has for , where . Hence, the condition can be used to verify the search of . Since the scope of is relatively small as mentioned in Sec. 3.1, the confirmation of is feasible through brute-force searching:

  • Step 1: Produce sequence by XORing the plain-image and its corresponding cipher-image pixel by pixel.

  • Step 2: For , do the following operations:

    • Step 2a: If condition satisfies, set , , ; otherwise, go to the next loop.

    • Step 2b: Set and calculate using Eq. (3). If , set and terminate the attack.

    • Step 2c: If condition

      satisfies, set and go back to Step 2b.

After confirming , one can easily obtain from . Set and the decryption procedure is the same as that in Sec. 3.2. Once condition (13) does not exist during the decryption process, the following cipher-pixels are all decrypted incorrectly. Referring to Eq. (3), one can know a simple rule: the brighter a plain-image is, the fewer the divided vectors become (the corresponding gets longer). When the brightness of the plain-image corresponding to a cipher-image to be decrypted is higher than that of the known plain-image, condition (13) is not satisfied for smaller index . This means that more portion of the cipher-image cannot be decrypted correctly. As shown in Fig. 2b), the image with lower brightness than that in Fig. 2a) is even completely decrypted. By contrast, many consecutive pixels of two brighter plain-images cannot be recovered correctly (See Fig. 2c) and d)). As for the same plain-image to be decrypted, if brightness of the available known plain-image is lower, more consecutive pixels cannot be decrypted correctly. This point can be verified by comparing Fig. 2b), c) and d) with Fig. 2f), g) and h), respectively.

a) b) c) d)
e) f) g) h)
Figure 2: The result of known-plaintext attack on IEATD: a) a known plain-image; b)-d) the decrypted images with the equivalent secret key derived from Fig. a); e) a known plain-image with half brightness of that in Fig. 2a); f)-h) the decrypted images with the key obtained from Fig. 2e).

4 Cryptanalysis of IEACD

To cope with the insecurity problems of IEATD reported in Li et al. (2018b), multiple confusion and diffusion operations are appended, making the algorithm become another algorithm IEACD. In fact, the original keystream generation mechanism indeed exists a serious pitfall, which leads to that the patched algorithm IEACD still cannot withstand chosen-plaintext attack. In this section, three weaknesses of IEACD are first analyzed to facilitate description of the following chosen-plaintext attack.

4.1 Three weaknesses of IEACD

  • The real size of key space is much smaller than the expected one

    Due to the limitation of finite-precision presentation, dynamics of any chaotic system is definitely degraded when it is implemented in a digital device. As investigated in Fan and Ding (2019); Li et al. (2019a, 2021), the structure of the state-mapping network (SMN) of a digitized chaotic system implemented with fixed-point precision is largely dominated by that with precision . The short period problems of PRNG based on Logistic map (5

    ) implemented in a digital device (with fixed-point arithmetic or floating-point arithmetic) were comprehensively discussed in

    Li et al. (2019a). As shown in Fig. 3, discretized Ikeda system obeys this rule also. No matter what the precision is, the SMN of discretized Ikeda system follows the following rules: 1) an SMN is composed of some weakly connected components; 2) there are some self-loops (an edge connecting a node to itself); 3) As for each connected component, there is one and only one cycle (including special cycle, self-loop), and every node evolves to it via a transient process; 4) Many nodes have two and only two parent nodes. Generating a pseudo-random number sequence by the orbits determined by a chaotic map is actually walking along a path of an SMN. Now, one can see that the period of a sequence by solving the discretized Ikeda system may be very short (even only one). So, there are a number of equivalent secret keys and invalid secret keys as for the function of IEATD and IEACD. Note that such pitfall always exists no matter how large the precision gets.

    a) b)
    Figure 3: The State-Mapping Networks of the Ikeda map with under -bit fixed-point precision: a) ; b) .
  • Insensibility of keystream generation mechanics

    Although the permutation operations are performed before the confusion step to frustrate the predictability of keystream , the keystream is still insensitive to minor changes of some pixels of the plain-image. Referring to Eq. (7), one can see that the possibility that change is roughly when a pixel in vector is slightly changed with variation . More generally, when a randomly chosen pixel in one plain-image is slightly altered with variation

    , the probability that

    generated by the altered plain-image is different from the previous version is

    Taking a nature image of size as an example, and . Note that the more the average of the pixels of the image approaches 255, the smaller the probability is.

  • Improper configuration of keystream

    The two-round crossover diffusion is performed to resist chosen-plaintext attack and differential attack, but the keystream used in permutation is wrongly reused in the diffusion part, which makes the algorithm more insecure. From Eq. (6), (8) and (10), one has


    where and . Also, incorporating and Eq. (12) into Eq. (11), one has


    where and . Obviously, the keystream used in the diffusion is not private. Specifically, as for the plain-pixel in position , its corresponding random integer used in the modulo addition is actually .

4.2 Chosen-plaintext attack on IEACD

To conceal the relationship between the plain-image and keystream , one can generate a pair of plain-images , where is a nature image, , for and , and the index is any given integer. Denote the intermediate keystreams and cipher-images corresponding to by and , respectively. Define the bitwise XOR operation of two plain-images and as , where and are encrypted by the same secret key. For simplicity, define a sequence , where for .

4.2.1 Determining

As is known, one can obtain once is recovered. So, one can attempt to determine first. Assume and in the following analysis. Let denote . Based on the analysis in Sec. 4.1, one can assume that . From Eq. (3), one has


According to Eq. (16), if and , then . From , one can deduce , and then get for . Consequently, Eq. (16) can be represented as


Referring to Eq. (3) and XORing the two cipher-images, one has

Then, incorporating Eq. (17) into the above equation, one can get

when ; (18a)
when ; (18b)
when , (18c)

which is the key equation for the attack. As the above equation has three cases, sequence is likewise divided into three recovery parts: , , and , which are discussed separately in the following:

  • Determining

    Incorporating into Eq. (18a), one has


    Enumerating , one can obtain a set containing all possible values of via Eq. (19), where and . Adopting more known plain-images and the corresponding cipher-images, one can get more different sets and intersect them, which makes the probability is correctly determined approach one. Ideally, the probability is one if and only if the cardinality of the intersection of these sets is equal to one.

  • Determining

    Substituting with in Eq. (18b), one can get


    In the above equation, is determined and only is unknown. Similar to the recovery of , one can enumerate and verify it via Eq. (20), where and . As every element in is unique, the derived element should be recorded and not used in the following enumeration. Apparently, the elements before in can be likewise determined via Eq. (18b). Since is the first element, this process is naturally finished when no element can be found using Eq. (18b). After is obtained, is also determined by the way. In case of , is completely recovered. But in the other cases, the elements after in

    remain undetermined at this moment.

  • Determining

    Now, determine via Eq. (18c). When , Eq. (18c) becomes


    Besides , and are still unknown in Eq. (21). Since is obtained, they can be calculated via


    which is derived from Eq. (3). Similarly, and also can be calculated. Just as determining , can be confirmed through enumeration and verification via Eq. (21). Again, one can calculate and via Eq. (22), and then determine by Eq. (18c). By this way, the rest can also be determined one by one in turn.

In the process of determining , as for a known or given element , one attempts to find its neighbor by verifying whether the corresponding equation holds. Therefore, is reconstructed by seeking the relative positions of elements. As mentioned before, after constructing , the permutation vector can be restored via for .

Now, the attack in case of is discussed. In fact, the special cases of can be identified through Eq. (18a) and (18b). If , since is the first element in , no element can be found via Eq. (18b). Hence, one should determine via Eq. (18a) and then find the remainder of through Eq. (18c). If , the attack is failed. Since Eq. (18a) and (18b) both no longer hold, one would directly attempt to determine through

which is derived from Eq. (18c). Here, and are still unknown, and only can be obtained from Eq. (17). Apparently, the available information is insufficient to obtain and , and then the attack cannot proceed. Such case occurs with a low probability , which is when . So it does not impact the attack much. If it occurs, one just needs to choose a different index and generate the corresponding plain-images again.

Next, let us investigate how many plain-images are sufficient to recover exactly. As there is a strong correlation between and

, it is intractable to estimate it. Therefore, assume that each pixel in

pairs of cipher-images follows independently identical distribution in subsequent discussion. The retrieve process of is similar to the attack method on permutation-only ciphers given in Li and Lo (2011); Li et al. (2017), which attempts to find the sole exact permutation position from a set containing all possible positions. As discussed in Li and Lo (2011); Li et al. (2017), some minor error elements in permutation matrix have no much influence on the decryption performance. However, due to the two-round crossover diffusion, any wrong element in can incur that the decryption result has no any visual information. In other words, the error-tolerant rate of for decryption performance is zero.

When one attempts to determine via Eq. (18b) and is known, among 65536 combinations of and , only 256 ones satisfy the equation. And Eq. (18b) should satisfy for pairs of cipher-images. Thus, the possibility deriving a wrong value as the neighbor of a given element is . As for Eq. (18a) and (18c), the analysis is similar and the corresponding possibility is the same. Then, the probability that an element only has sole exact candidate after enumeration and verification is roughly

Determining exactly relies on three conditions: , , and the exact neighbor for each element can be obtained. Hence, the probability of recovering exactly can be calculated by . When and , the probability is about 0.993. So it is expected that can be always recovered exactly when . The possibility can also be regarded as the attacking success rate. Apparently, the time complexity of the whole recovering process is .

4.2.2 Determining , , and

Now , , and are known, only the confusion part is left. The unknown elements of and , and , can be calculated via

And the elements of can be recovered through

except (). Similar to Sec. 3.3, one can guess through brute-force searching and ignoring the influence of the unrecovered value in comparison (assuming ). Then, one can calculate

where . To decrypt cipher-images completely, choose a plain-image of fixed value 255 as Li et al. (2018b). Thus, one can calculate the corresponding sequence and extract the longest vector from the sequence. Finally, the equivalent secret key can be obtained.

Figure 4: Two similar plain-images and the corresponding cipher-images.

To test the real performance of the preceding chosen-plaintext attack, some experiments were performed. As Mannai et al. (2015); Li et al. (2018b), the typical secret key is set as , , , , , , and . The initial condition of the discretized Ikeda system is a randomly generated vector of length 50. Figure 4 demonstrates two plain-images used for determining and the corresponding cipher-images, where the index of the changed pixel is 46240. It is found that the sequence can be recovered with five pairs of plain-images and the corresponding cipher-images. After and are determined, is derived using a plain-image of fixed value 255. Two corresponding intermediate images and the final result decrypted using the equivalent secret key are shown in Fig. 5. To show the attack vividly, Table. 1 and 2 list the encryption process of a sample image of size and the corresponding attacking results, respectively.

a) b) c)
Figure 5: Two intermediate images and a decrypted image: a) the image removed crossover diffusion; b) the image removed confusion; c) the decrypted result.
Item 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
7 5 7 3 3 10 0 1 6 3 3 2 3 6 5 6
14 6 4 12 2 15 10 0 8 7 9 1 11 3 5 13
5 0 3 3 7 6 3 7 6 1 3 5 2 3 10 6
4 6 6
233 33 101 80 233 33 101 80 187 24 233 33 101 80 187 24
236 33 102 83 238 39 102 87 189 25 234 36 103 83 177 30
10 148 224 92 149 241 215 58 175 130 3 121 199 167 109 89
109 116 29 109 140 174 247 171 218 249 37 23 80 22 145 225
171 23 140 22 29 145 116 249 218 37 247 80 109 225 109 174
Table 1: Encryption process of an image of size by IEACD.
Items The corresponding value
Table 2: The items obtained in an attack.

5 Conclusion

This paper analyzed security performance of an image encryption algorithm based on a first-order time-delay system IEATD and the enhanced version IEACD. Although another research group proposed a chosen-plaintext attack on IEATD, we presented an enhanced attack using the correlation between adjacent vectors of one plain-image and the corresponding cipher-image. Although IEACD is designed by the attacking group with intention to fix the security defects of IEATD, there still exist some security pitfalls, such as invalid secret keys, insensibility of keystream generation mechanics, and improper configuration of keystream. Based on these, we designed an efficient chosen-plaintext attack and verified it with extensive experiments. The serious insecurity of the two algorithms cannot be improved by simple modifications. They can work as typical counterexamples to remind us to recast scenario-oriented image encryption algorithms following the guidelines and lessons summarized in Shannon (1949); Preishuber et al. (2018); Li et al. (2019b).


This work was supported by the National Natural Science Foundation of China (no. 61772447), Scientific Research Fund of Hunan Provincial Education Department (no. 20C1759), and Science and Technology Program of Changsha (no. kq2004021).


  • A. L. Abu Dalhoum, B. A. Mahafzah, A. A. Awwad, I. Aldamari, A. Ortega, and M. Alfonseca (2012) Digital image scrambling using 2D cellular automata. IEEE Multimedia 19 (4), pp. 28–36. External Links: Document Cited by: §1.
  • X. Chai, X. Fu, Z. Gan, Y. Lu, and Y. Chen (2019) A color image cryptosystem based on dynamic dna encryption and chaos. Signal Processing 155, pp. 44–62. External Links: Document Cited by: §1.
  • J. Chen, L. Chen, and Y. Zhou (2021) Cryptanalysis of image ciphers with permutation-substitution network and chaos. IEEE Transactions on Circuits and Systems for Video Technology 31 (6), pp. 2494–2508. External Links: Document Cited by: §1.
  • C. Fan and Q. Ding (2019) Analysing the dynamics of digital chaotic maps via a new period search algorithm. Nonlinear Dynamics 97 (1), pp. 831–841. External Links: Document Cited by: item 1.
  • Z. Hua, Z. Zhu, Y. Chen, and Y. Li (2021) Color image encryption using orthogonal latin squares and a new 2D chaotic system. Nonlinear Dynamics 104, pp. 4505–4522. Cited by: §1.
  • K. Ikeda, H. Daido, and O. Akimoto (1980) Optical turbulence: chaotic behavior of transmitted light from a ring cavity. Physical Review Letters 45 (9), pp. 709. External Links: Document Cited by: §1.
  • A. Jolfaei, X. Wu, and V. Muthukkumarasamy (2016) On the security of permutation-only image encryption schemes. IEEE Transactions on Information Forensics and Security 11 (2), pp. 235–246. External Links: Document Cited by: §1.
  • C. Li, B. Feng, S. Li, J. Kurths, and G. Chen (2019a) Dynamic analysis of digital chaotic maps via state-mapping networks. IEEE Transactions on Circuits and Systems I: Regular Papers 66 (6), pp. 2322–2335. External Links: Document Cited by: item 1.
  • C. Li, D. Lin, J. Lü, and F. Hao (2018a) Cryptanalyzing an image encryption algorithm based on autoblocking and electrocardiography. IEEE Multimedia 25 (4), pp. 46–56. External Links: Document Cited by: §1.
  • C. Li, D. Lin, and J. Lu (2017) Cryptanalyzing an image-scrambling encryption algorithm of pixel bits. IEEE Multimedia 24 (3), pp. 64–71. External Links: Document Cited by: §4.2.1.
  • C. Li and K. Lo (2011) Optimal quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks. Signal Processing 91 (4), pp. 949–954. External Links: Document Cited by: §4.2.1.
  • C. Li, K. Tan, B. Feng, and J. Lü (2021) The graph structure of the generalized discrete arnold cat map. IEEE Transactions on Computers (), pp. . External Links: Document Cited by: item 1.
  • C. Li, Y. Zhang, and E. Y. Xie (2019b) When an attacker meets a cipher-image in 2018: a year in review. Journal of Information Security and Applications 48 (), pp. art. no. 102361. External Links: Document Cited by: §1, §5.
  • M. Li, H. Fan, Y. Xiang, Y. Li, and Y. Zhang (2018b) Cryptanalysis and improvement of a chaotic image encryption by first-order time-delay system. IEEE Multimedia 25 (3), pp. 92–101. External Links: Document Cited by: §1, §2.2, §3.2, §3.2, §3, §4.2.2, §4.2.2,