1 Introduction
With the rapid development of computer networks and communication technology, protecting digital image transmission and storage in open network environments has become increasingly important Katz12 . To cope with this problem, a number of image encryption algorithms have been proposed in recent years, especially chaos-based algorithms AdamsChaos1 ; EIChaos1 ; ChenChaos1 ; HuangChaos1 ; PareekChaos1 ; YoonChaos1 . Chaotic dynamics is suitable for cryptography because of properties such as pseudo-randomness, ergodicity, and sensitivity to initial values and control parameters. Since Matthews Matt16 proposed a chaos-based cipher, chaos-based cryptography has developed into a new branch of cryptography. Since Fridrich Fridrich7 first applied the permutation-diffusion structure to the design of image encryption, image encryption has continued to develop BelazPD2 ; AminaPD2 ; AhmadPD2 ; KhanPD2 ; PingPD2 . Chaos-based image encryption schemes utilizing various approaches have been proposed, such as improved diffusion ZhangD6 , variant keystream generation ChenKey7 , bit-level permutation CaoBL4 ; LiBL4 and plaintext-related permutation ZhangPR5 ; ChenPR5 .
However, some of the proposed schemes have been shown to be insecure. Li et al. point out that any permutation-only image encryption method is unable to resist known/chosen plaintext attacks and only known/chosen plain-images can break the ciphers Li3 , where is the size of images and the number of different pixel values. Li et al. break a diffusion-only image cipher with only one or two known plain-images Li2013 . Solak et al. analyze Fridrich’s encryption algorithm by a chosen-ciphertext attack solak2010 , but the analysis method is useless when the algorithm has enough rounds of encryption. In Ref. Chen24 , Chen et al. analyze a medical image encryption algorithm Fu22 by using differential cryptanalysis. chosen plain-images can reveal equivalent permutation key for 1-round and 2-round encryption. They propose a novel analysis method called double differential cryptanalysis comparison breaking multi-round encryption with chosen plain-images, where is the size of the images. Based on differential cryptanalysis, in Ref. Chen4 Chen et al. propose a codebook attack under chosen-ciphertext conditions and totally break multi-round cryptosystem Zhou23 .
Recently, Hua et al. proposed an image cipher using block-based scrambling and image filtering (ICBSIF) Hua1 , which is also of the permutation-diffusion type. It is well known that filtering is a common method in image processing and that selecting appropriate filtering can deblur images. In Ref. Hua1 , ICBSIF has been evaluated by all kinds of analysis methods. However, we find it insecure. We can construct a linear relation between plain-images and cipher-images by differential cryptanalysis and break the cryptosystem by a codebook attack.
The rest of the paper is organized as follows. Section 2 briefly describes the original image encryption algorithm. In Sect. 3, we derive some preparatory formulas. In Sect. 4, we analyze ICBSIF by using differential cryptanalysis and construct a linear relation between plain-images and cipher-images. In Sect. 5, based on the linear relation, we propose a codebook attack, and simulation results verify our theoretical analysis. In Sect. 6, we give an improved approach to enhance the security, and the last section summarizes the paper.
2 Description of ICBSIF
The architecture of the original image encryption algorithm ICBSIF is shown in Fig. 1. In Fig. 1, and are the plain-image and its cipher-image, respectively. The encryption process has four modules: block-based scrambling, image rotation, image normalization and image filtering; , , and are the output images of the four modules, respectively, where is the th round, =1,2,3,4. Subkey generates a scrambling box for block-based scrambling, a random matrix for image normalization and a matrix for image filtering. In this paper, an uppercase letter stands for an image or a matrix and a lowercase letter for a pixel of the image or an element of the matrix, for example, an plain-image and a pixel value at the position . To better understand the cryptanalysis in Section 3, we introduce block-based scrambling, image rotation, image normalization and image filtering in detail; how to generate , and is described in the original algorithm Hua1 .
Block-based scrambling. This is a block-based permutation process designed to weaken the strong correlation between the neighboring pixels of plain-images. For an image of size , the block size can be calculated by
(1) 
The block-based scrambling is performed within range . The image of size is divided into blocks and each block is of the size . All pixels in a block can be permuted by using a scrambling Latin box of size . From a cryptanalytic standpoint, a permutation operation alone cannot resist differential cryptanalysis.
Image rotation. For a plain-image of size , because the block-based scrambling only shuffles its pixel positions within range randomly, the remaining pixels stay at unchanged positions. To shuffle all the pixel positions, the original algorithm rotates the image by clockwise after the block-based scrambling. Through four rounds of encryption, the image is rotated by . From a cryptanalytic standpoint, a rotation operation alone cannot resist differential cryptanalysis.
Image normalization. The normalization operation applied to the rotated image using a random matrix is defined as
(2) 
where denotes the grayscale level of the image. if the pixels of images are represented by 8 bits. In this paper, we take .
Image filtering. The image filtering can change the pixel values randomly and spread a small change in the plain-image to all pixels of the output image to achieve the diffusion effect. A mask matrix of size is used to filter the normalized image. As shown in Fig. 2, the 2-dimensional (2D) filtering operation of is defined as
(3) 
where and other elements of are produced by the subkey . The inverse operation of image filtering is written as
(4) 
Here two points must be emphasized. (i) The upper and left adjacent pixels are introduced to diffuse and confuse the current pixel in Fig. 2. Therefore, the filtering operation begins from the upper and left pixels of an image while its inverse operation begins from the lower and right pixels. (ii) For the border pixels of an image in the leftmost column and the uppermost row, filtering operations need two expanded columns and two expanded rows, respectively. Taking the rightmost and lowermost border pixels as the expanded border pixels in the leftmost column and uppermost row, this strategy of expanding border pixels not only masks all pixels, but also ensures that the filtering operation can be inverted.
3 The preparatory work
Proposition 1. Define , . A differential equality is constructed by the following expression .
Proof.
Proposition 2. According to Proposition 1, a general differential equality is constructed by the following expression .
Proof.
4 Differential cryptanalysis
In this section, we first construct theoretically a linear relation between plain-images and cipher-images for the original algorithm by using differential cryptanalysis, then we give simulation results for gray images.
4.1 Differential cryptanalysis of one-round encryption algorithm
First considering one-round encryption, we take three plain-images , . The four specific operations, block-based scrambling, image rotation, image normalization and image filtering, are defined as
(5) 
Block-based scrambling. Assume that the pixel at is mapped to through block-based scrambling; we write this transformation as the following expression
(6) 
We construct an input differential and calculate their output differential expressed by the following forms
(7a)  
(7b) 
Taking the differential as the input, due to the characteristic of permutation operation, we get the following equality:
(8) 
Therefore, through block-based scrambling we construct the differential equality of two images expressed by
(9) 
Image rotation. As with block-based scrambling, given any images, the rotation operation cannot change the relative position of a fixed pixel of these images; thus we have the following equality:
(10) 
Combining Eqs.(9) and (10), we obtain the following differential equality:
(11) 
Image normalization using the matrix . Image normalization of the original algorithm is the modular addition operation of Eq.(2). Due to Proposition 1, we have the following form
(12) 
Especially, in Eq.(12) we choose three images as the input of modular addition operation for eliminating the unknown matrix of Eq. (2).
Image filtering. By using differential cryptanalysis, the filtering operation of Eq.(3) is transformed to
(13) 
where and . Based on the equation above, we can obtain , further acquire , , . Therefore, for the filtering operation, we have the following linear relationship:
(14) 
Considering one-round encryption, through block-based scrambling, image rotation, image normalization, and image filtering, we have the following differential relationship for the three images
(15) 
4.2 Differential cryptanalysis of ICBSIF and simulation experiments
Although ICBSIF undergoes four rounds of encryption, and the subkey of each round is different, our differential analysis of Eq. (15) is still effective. Considering four-round encryption, Eq. (15) is expanded to the following form
(16) 
where denotes all the encryption operations of ICBSIF.
Given any three plain-images, we can build Eq. (16) about the plain-images and the corresponding cipher-images. Eq. (16) presents a good linear relation. Next, we will verify Eq. (16) by using simulation experiments.
Choose three plain-images of size , , and a blank image. Encrypt , and by using the original algorithm, and obtain the corresponding cipher-images , and , shown in Fig. 3. To test Eq. (16), we calculate a differential image and then encrypt it. The plain-image and its cipher-image are shown in Fig. 3. We compute the differential of the three cipher-images and compare and . We find that . The simulation results confirm our theoretical analysis: given any three plain-images, we can build a differential relation between the three plain-images and their cipher-images.
5 Codebook attack
5.1 Theoretical analysis
Select a blank cipher-image, all pixel values of which are zero, and cipher-images with only one nonzero pixel , . Using the decryption machine, we obtain the corresponding cipher-image/plain-image pairs, i.e., , , . These cipher-image/plain-image pairs are used for building a codebook and recovering any plain-image.
Given any cipher-image , we first transform into the following form
(17) 
where .
We further transform the above expression into the following form
(18) 
and based on the differential cryptanalysis of Eq. (16) and Proposition 2, we naturally recover the plain-image expressed by the form
(19) 
5.2 Simulation results
Without loss of generality, we choose an image size of as an example to illustrate the codebook attack. Algorithms 1 and 2 are two pseudocodes illustrating how to build the codebook and recover the plain-image. In Fig. 4, we observe the plain-image , the corresponding cipher-image and the recovered image by using the codebook attack.
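The three-image relation of Sect. 4.2 and the codebook recovery of Sect. 5.1, run on a small stand-in cipher; this is an added example, not the authors' Algorithms 1 and 2 and not the ICBSIF code. It assumes a simplified cipher with the same four module types (a key schedule drawn from Python's `random`, a 1-D causal filter with zero borders instead of the 2-D mask, unit-valued single-pixel cipher-images), writes the relation as E(P1 - P2 + P3) = E(P1) - E(P2) + E(P3) mod F, and all function names are hypothetical.

```python
import random

F, N, ROUNDS = 256, 4, 4   # grayscale levels; toy N x N image (flat, row-major); rounds

def round_keys(seed):
    """Constructed key schedule: per round a permutation, a mask and two filter weights."""
    rng, keys = random.Random(seed), []
    for _ in range(ROUNDS):
        perm = list(range(N * N))
        rng.shuffle(perm)
        keys.append((perm, [rng.randrange(F) for _ in perm], (rng.randrange(F), rng.randrange(F))))
    return keys

def rot(img, clockwise=True):
    """Rotate the N x N image by 90 degrees."""
    if clockwise:
        return [img[(N - 1 - c) * N + r] for r in range(N) for c in range(N)]
    return [img[c * N + (N - 1 - r)] for r in range(N) for c in range(N)]

def encrypt(img, keys):
    for perm, mask, (w1, w2) in keys:
        x = rot([img[p] for p in perm])                   # scramble, then rotate
        x = [(a + m) % F for a, m in zip(x, mask)]        # normalization: add mask mod F
        for k in range(len(x)):                           # causal filter over earlier outputs
            x[k] = (x[k] + w1 * (x[k - 1] if k > 0 else 0) + w2 * (x[k - 2] if k > 1 else 0)) % F
        img = x
    return img

def decrypt(img, keys):
    for perm, mask, (w1, w2) in reversed(keys):
        x = list(img)
        for k in reversed(range(len(x))):                 # undo the filter from the last pixel
            x[k] = (x[k] - w1 * (x[k - 1] if k > 0 else 0) - w2 * (x[k - 2] if k > 1 else 0)) % F
        x = rot([(a - m) % F for a, m in zip(x, mask)], clockwise=False)
        img = [0] * len(x)
        for i, p in enumerate(perm):
            img[p] = x[i]
    return img

def differential_holds(keys, p1, p2, p3):
    """Check E(P1 - P2 + P3) == E(P1) - E(P2) + E(P3) (mod F), pixel by pixel."""
    mixed = encrypt([(a - b + c) % F for a, b, c in zip(p1, p2, p3)], keys)
    c1, c2, c3 = (encrypt(p, keys) for p in (p1, p2, p3))
    return mixed == [(a - b + c) % F for a, b, c in zip(c1, c2, c3)]

def build_codebook(oracle):
    """N*N + 1 oracle queries: the blank cipher-image and each single-pixel cipher-image."""
    base = oracle([0] * (N * N))
    units = [[int(i == k) for i in range(N * N)] for k in range(N * N)]
    return base, [[(u - b) % F for u, b in zip(oracle(e), base)] for e in units]

def recover(cipher, base, cols):
    """Rebuild the plain-image from the codebook alone, without the key."""
    plain = list(base)
    for c_k, col in zip(cipher, cols):
        plain = [(p + c_k * u) % F for p, u in zip(plain, col)]
    return plain

def demo(seed=7):
    """Run both checks on constructed random images; returns (relation_ok, recovered_ok)."""
    keys, rng = round_keys(seed), random.Random(seed + 1)
    p1, p2, p3 = ([rng.randrange(F) for _ in range(N * N)] for _ in range(3))
    base, cols = build_codebook(lambda c: decrypt(c, keys))
    return differential_holds(keys, p1, p2, p3), recover(encrypt(p1, keys), base, cols) == p1
```

Both checks succeed because every module is affine over the integers mod F, so the composition is affine no matter how many rounds or subkeys are used; a designer can run `differential_holds` against a candidate cipher as a quick test for this structure.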
6 Improvements of ICBSIF
Using differential cryptanalysis, we construct a linear relation between plain-images and cipher-images for ICBSIF. Based on Eq. (16), we can break ICBSIF by the codebook attack. To resist differential cryptanalysis, we introduce image random rotations that are controlled by both plain-images and intermediate images in ICBSIF. The improved approach is shown in Fig. 5. The block-based scrambling and image random rotation make up a group. In this group the scrambling and rotation operations are carried out alternately four times. Then all modules including image normalization and image filtering are executed sequentially rounds, .
In the original algorithm, the image rotation is a regular rotation, i.e., 90 degrees clockwise. After four rotations, the image returns to its original state. Here we propose image rotation controlled by a random index . The angle of rotation of the th time is equal to degrees, where . Rotate the image clockwise if the angle of rotation is greater than zero; otherwise, rotate counterclockwise. For example, . For the first rotation, the image is rotated by degrees clockwise; for the third time, rotate degrees counterclockwise. The random index is related to the plain-image , intermediate images and the subkey . We calculate the sum of pixel value of , and take as the initial value of logistic map , , , is set according to the size of images, here . A chaotic sequence is produced by the form , and by taking a segment with and sorting the four variables a random index is generated.
In Figs. 6 and 7, we present the simulation results of the improved algorithm by using differential analysis. Same as in Fig. 3, we encrypt four plain-images, , , and by using the improved algorithm, and obtain the corresponding cipher-images , , and , respectively. We calculate the differential image , and , which are shown in Fig. 6. We observe that and illustrates random characteristic well. Compared with the original algorithm, the improved approach resists the differential cryptanalysis of Eq. (16). Because the image rotation controlled by a random index is introduced, the efficiency of the improved algorithm decreases about for four-round encryption () and increases about for three-round encryption ().
Let’s see the differential results for three-round encryption. Encrypt two images, and a changed with the last two pixels exchanged, and compute the differentials of cipher-images, , , shown in Fig. 7. The results demonstrate that the randomness of differential images increases as the number of encryption rounds increases and the improved system has a good randomness with .
We continue with statistical testing using the National Institute of Standards and Technology (NIST) SP800-22 Statistical Test Suite Rukhin2015A ; Pareschi2012On . The significance level is set as 0.01 and the number of binary sequences is set as 120. We choose 120 images from the BOWS2 image database and encrypt them by the improved algorithm. The cipher-images obtained are then decomposed into binary sequences. All the images are of size , thus the length of a binary sequence is . The results show that 120 cipher-images encrypted by the improved algorithm can pass all the 15 subtests.
We also check the randomness of differential cipher-images. Same as in , we encrypt the three plain-images using the improved algorithm, and obtain cipher-image and the differential image . Then, we compute the differential image . The test results show that the differential cipher-image of the improved algorithm can pass all the 15 subtests, whereas of ICBSIF does not due to . This demonstrates that the improved approach can resist the differential cryptanalysis proposed by us.
7 Conclusion
This paper analyzes an image encryption algorithm using block-based scrambling and image filtering. We construct a linear relation between plain-images and cipher-images by differential cryptanalysis, although the encryption process is complex and nonlinear. Based on the linear relation, we build a codebook that contains pairs of plain-images and cipher-images, where is the size of images. The proposed differential cryptanalysis and the codebook attack can be applied in analyzing a medical image encryption algorithm Hua2 . Enhancing the security of image encryption algorithms has been a challenge and we hope our analysis method will promote the research of image encryption to some extent.
References
(1) A. A. A. El-Latif, L. Li, X. Niu, A new image encryption scheme based on cyclic elliptic curve and chaotic system, Multimedia Tools & Applications 70 (2014) 1559–1584.
(2) C. Adams, S. Tavares, The structured design of cryptographically good s-boxes, Journal of Cryptology 3 (1990) 27–41.
(3) J. Ahmad, M. A. Khan, S. O. Hwang, J. S. Khan, A compression sensing and noise-tolerant image encryption scheme based on chaotic maps and orthogonal matrices, Neural Computing & Applications 28 (2016) 1–15.
(4) S. Amina, F. K. Mohamed, An efficient and secure chaotic cipher algorithm for image content preservation, Communications in Nonlinear Science & Numerical Simulation 60 (2017) 12–32.
(5) A. Belazi, A. A. A. El-Latif, S. Belghith, A novel image encryption scheme based on substitution-permutation network and chaos, Signal Processing 128 (2016) 155–170.
(6) J. Katz, Y. Lindell, Introduction to Modern Cryptography, 2007.
(7) L. Chen, B. Ma, X. Zhao, S. Wang, Differential cryptanalysis of a novel image encryption algorithm based on chaos and line map, Nonlinear Dynamics 87 (2016) 1–11.
(8) X. Chen, C. J. Hu, Adaptive medical image encryption algorithm based on multiple chaotic mapping, Saudi Journal of Biological Sciences 24 (2017) 1821–1827.
(9) C. Cao, K. Sun, W. Liu, A novel bit-level image encryption algorithm based on 2D-LICM hyperchaotic map, Signal Processing 143 (2017) 122–133.
(10) J. Chen, Z. L. Zhu, L. B. Zhang, Y. Zhang, B. Q. Yang, Exploiting self-adaptive permutation–diffusion and DNA random encoding for secure and efficient image encryption, Signal Processing 142 (2018) 340–353.
(11) L. Chen, S. Wang, Differential cryptanalysis of a medical image cryptosystem with multiple rounds, Pergamon Press, Inc., 2015.
(12) C. Cao, K. Sun, W. Liu, A novel bit-level image encryption algorithm based on 2D-LICM hyperchaotic map, Signal Processing 143 (2017) 122–123.
(13) J. Fridrich, Image encryption based on chaotic maps, in: IEEE International Conference on Systems, Man, and Cybernetics, 1997. Computational Cybernetics and Simulation, 1997, pp. 1105–1110 vol.2.
(14) C. Fu, W. H. Meng, Y. F. Zhan, Z. L. Zhu, F. C. Lau, C. K. Tse, H. F. Ma, An efficient and secure medical image protection scheme based on chaotic maps, Computers in Biology & Medicine 43 (2013) 1000–1010.
(15) P. Fabio, R. Riccardo, S. Gianluca, On statistical tests for randomness included in the NIST SP800-22 test suite and based on the binomial distribution, IEEE Transactions on Information Forensics & Security 7 (2012) 491–505.
(16) X. Ge, B. Lu, F. Liu, X. Luo, Cryptanalyzing an image encryption algorithm with compound chaotic stream cipher based on perturbation, Nonlinear Dynamics 90 (2017) 1–10.
(17) X. Huang, Image encryption algorithm using chaotic Chebyshev generator, Nonlinear Dynamics 67 (2012) 2411–2417.
(18) Z. Hua, Y. Zhou, Design of image cipher using block-based scrambling and image filtering, Elsevier Science Inc., 2017.
(19) Z. Hua, S. Yi, Y. Zhou, Medical image encryption using high-speed scrambling and pixel adaptive diffusion, Signal Processing 144 (2017) 134–144.
(20) W. Y. Ji, H. Kim, An image encryption scheme with a pseudorandom permutation based on chaotic maps, Communications in Nonlinear Science & Numerical Simulation 15 (2010) 3998–4006.
(21) M. Khan, A novel image encryption scheme based on multiple chaotic s-boxes, Nonlinear Dynamics 82 (2015) 527–533.
(22) Y. Li, C. Wang, H. Chen, A hyperchaos-based image encryption algorithm using pixel-level permutation and bit-level permutation, Optics & Lasers in Engineering 90 (2017) 238–246.
(23) S. Li, C. Li, G. Chen, N. G. Bourbakis, K. T. Lo, A general quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, Signal Processing Image Communication 23 (2008) 212–223.
(24) C. Li, Y. Liu, T. Xie, M. Z. Q. Chen, Breaking a novel image encryption scheme based on improved hyperchaotic sequences, Nonlinear Dynamics 73 (2013) 2083–2089.
(25) R. Matthews, On the derivation of a “chaotic” encryption algorithm, Cryptologia 8 (1989) 29–41.
(26) N. K. Pareek, V. Patidar, K. K. Sud, Image encryption using chaotic logistic map, Image & Vision Computing 24 (2006) 926–934.
(27) P. Ping, F. Xu, Y. Mao, Z. Wang, Designing permutation-substitution image encryption networks with Henon map, Neurocomputing 283 (2018) 53–63.
(28) A. Rukhin, J. Soto, J. Nechvatal, S. Miles, E. Barker, S. Leigh, M. Levenson, M. Vangel, D. Banks, A. Heckert, A statistical test suite for random and pseudorandom number generators for cryptographic applications, Applied Physics Letters 22 (2015) 1645–179.
(29) E. Solak, O. T. Yildiz, Cryptanalysis of Fridrich’s chaotic image encryption, International Journal of Bifurcation & Chaos 20 (2010) 1405–1413.
(30) X. Tong, M. Cui, Image encryption scheme based on 3D baker with dynamical compound chaotic sequence cipher generator, Signal Processing 89 (2009) 480–491.
(31) L. Y. Zhang, Y. Liu, F. Pareschi, Y. Zhang, K. W. Wong, R. Rovatti, G. Setti, On the security of a class of diffusion mechanisms for image encryption, IEEE Transactions on Cybernetics PP (2015) 1–13.
(32) X. Zhang, W. Nie, Y. Ma, Q. Tian, Cryptanalysis and improvement of an image encryption algorithm based on hyperchaotic system and dynamic s-box, Multimedia Tools & Applications 76 (2017) 1–19.
(33) G. Zhou, D. Zhang, Y. Liu, Y. Yuan, Q. Liu, A novel image encryption algorithm based on chaos and line map, Neurocomputing 169 (2015) 150–157.