Differential cryptanalysis of image cipher using block-based scrambling and image filtering

by   Feng Yu, et al.

Recently, an image encryption algorithm using block-based scrambling and image filtering has been proposed by Hua et al. In this paper, we analyze the security problems of the encryption algorithm in detail and break the encryption by a codebook attack. We construct an linear relation between plain-images and cipher-images by differential cryptanalysis. With this linear relation, we build a codebook containing (M × N + 1) pairs of plain-images and cipher-images, where M× N is the size of images. The proposed codebook attack indicates that the encryption scheme is insecure. To resist the codebook attack, an improved algorithm is proposed. Experimental results show that the improved algorithm not only inherits the merits of the original scheme, but also has stronger security against the differential cryptanalysis.



There are no comments yet.


page 9


Cryptanalysis of a Chaos-Based Fast Image Encryption Algorithm for Embedded Systems

Fairly recently, a new encryption scheme for embedded systems based on c...

An Image Encryption Algorithm Based on Chaotic Maps and Discrete Linear Chirp Transform

In this paper, a novel image encryption algorithm, which involves a chao...

Cryptanalysis of a Chaotic Key based Image Encryption Scheme

Security of multimedia data is a major concern due to its widespread tra...

Intelligent Systems for Information Security

This thesis aims to use intelligent systems to extend and improve perfor...

INRU: A Quasigroup Based Lightweight Block Cipher

In this paper, we propose a quasigroup based block cipher design. The ro...

Cryptanalyzing an image encryption algorithm based on autoblocking and electrocardiography

This paper analyzes the security of an image encryption algorithm propos...

A Deep Learning Based Attack for The Chaos-based Image Encryption

In this letter, as a proof of concept, we propose a deep learning-based ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

With the rapid development of computer networks and communication technology, protecting digital image transmission and storage in open network environment has become more and more important Katz12 . To cope with this problem, a number of image encryption algorithms have been proposed in recent years, especially chaos-based algorithms AdamsChaos1 ; EIChaos1 ; ChenChaos1 ; HuangChaos1 ; PareekChaos1 ; YoonChaos1 . Chaotic dynamics is suitable for cryptography due to its properties, such as pseudo randomness, ergodicity, sensitivity to initial values and control parameters. Since Matthews Matt16 proposed a chaos-based cipher, chaos-based cryptography has developed into a new branch of cryptography. Since Fridrich Fridrich7 first applied permutation-diffusion structure in design of image encryption, image encryption has been developing these years BelazPD2 ; AminaPD2 ; AhmadPD2 ; KhanPD2 ; PingPD2 . Chaos-based image encryption schemes utilizing various approaches have been proposed, such as improved diffusion ZhangD6 , variant keystream generation ChenKey7 , bit-level permutation CaoBL4 ; LiBL4 and plaintext-related permutation ZhangPR5 ; ChenPR5 .

However, some of the proposed schemes have been shown to be insecure. Li et al. point out that any permutation-only image encryption methods are unable to resist known/chosen plaintext attacks and only known/chosen plain-images can break the ciphers Li3 , where is the size of images and the number of different pixel values. Li et al. break a diffusion-only image cipher with only one or two known plain-images Li2013 . Solak et al. analyze Fridrich’s encryption algorithm by a chosen-ciphertext attack solak2010 , but the analysis method is useless while the algorithm has enough rounds of encryption. In Ref. Chen24 , Chen et al. analyze a medical image encryption algorithm Fu22 by using differential cryptanalysis. chosen plain-images can reveal equivalent permutation key for 1-round and 2-round encryption. They propose a novel analysis method called double differential cryptanalysis comparison breaking multi-round encryption with chosen plain-images, where is the size of the images. Basing on differential cryptanalysis, in Ref. Chen4 Chen et al. propose a codebook attack under chosen-ciphertext conditions and totally break multi-round cryptosystem Zhou23 .

Recently, Hua et al. propose an image cipher using block-based scrambling and image filtering (IC-BSIF) Hua1 , which is also permutation-diffusion type. It is well known that filtering is a common method in image processing and selecting appropriate filtering can deblur images. In Ref. Hua1 , IC-BSIF has been evaluated by all kinds of analysis methods. However, we find it insecure. We can construct a linear relation between plain-images and cipher-images by differential cryptanalysis and break the cryptosystem by a codebook attack.

The rest of the paper is organized as follows. Section 2 briefly describes the original image encryption algorithm. In Sect.3, we give some derivation of preparatory formulas. In Sect.4, we analyze IC-BSIF by using differential cryptanalysis and construct a linear relation between plain-images and cipher-images. In Sect.5, based on the linear relation, we propose a codebook attack and simulation results verify our theoretical analysis. In Sect.6, we give an improved approach to enhance the security and the last section summarizes the paper.

2 Description of IC-BSIF

The architecture of the original image encryption algorithm IC-BSIF is shown in Fig.1. In Fig.1, and are plain-image and its cipher-image, respectively. The encryption process has four modules: block-based scrambling, image rotation, image normalization and image filtering; , , and are the output images of four implementation modules, respectively, where is the th round, =1,2,3,4. Sub-key generates a scrambling box

for block-based scrambling, a random matrix

for image normalization and a matrix for image filtering. In this paper, a uppercase letter stands for an image or a matrix and a lowercase letter a pixel of the image or an element of the matrix, for example, an plain-image and a pixel value at the position .

To better understand cryptanalysis in Section 3, we will introduce block-based scrambling, image rotation, image normalization and image filtering in detail, and how to generate , and refers to the original algorithm Hua1 .

Figure 1: The encryption process of IC-BSIF

Block-based scrambling. This is a block-based permutation process and is designed to weakness the strong correlation between the neighboring pixels of plain-images. For an image of size , the block size can be calculated by


The block-based scrambling is performed within range . The image of size is divided into blocks and each block is of the size . All pixels in a block can be permutated by using a scrambling Latin box of size . In cryptanalysis, only permutation operation cannot resist differential cryptanalysis.

Image rotation. For a plain-image of size , because the block-based scrambling only shuffles its pixel positions within range randomly, the rest pixels still locate at the unchanged positions. To shuffle all the pixel position totally, the original algorithm takes image rotation by clockwise after the block-based scrambling. Through four rounds encryption, the image is rotated by . In cryptanalysis, only rotation operation cannot resist differential cryptanalysis.

Image normalization. The normalization operation to the rotated image using a random matrix is defined as


where denotes the grayscale level of the image. if the pixels of images are represented by 8 bits. In this paper, we take .

Image filtering. The image filtering can change the pixel values randomly and spread little change of the plain-image to the entire pixels of the output image to achieve the diffusion effect. A mask matrix of size is used to filter the normalized image. As shown in Fig.2, the 2-dimensional (2D) filtering operation of is defined as


where and other elements of are produced by the sub-key . The inverse operation of image filtering is written as

Figure 2: An example of filtering operation and its inverse operation. Omit all superscript symbols of Eqs. (3) and (4).

Here two points must be emphasized. (i) The upper and left adjacent pixels are introduced to diffuse and confuse the current pixel in Fig.2. Therefore, the filtering operation begins from the upper and left pixels of an image while its inverse operation does from the lower and right pixels. (ii) For the border pixels of an image in the leftmost column and the uppermost row, filtering operations need two expanded columns and two expanded rows, respectively. Taking the rightmost and lowermost border pixels as the expanded border pixels in the leftmost column and uppermost row, this strategy of expanding border pixels not only masks all pixels, but also ensures the inverse filtering operations.

3 The preparatory work

Proposition 1. Define , . A differential equality is constructed by the following expression .


Proposition 2. According to Propositon 1, a generally differential equality is constructed by the following expression .


4 Differential cryptanalysis

In this section, first we construct theoretically an linear relation between plain-images and cipher-images for the original algorithm by using differential cryptanalysis, then we give simulation results of gray images.

4.1 Differential cryptanalysis of one-round encryption algorithm

First considering one-round encryption, we take three plain-images , . The four specific operations, block-based scrambling, image rotation, image normalization and image filtering, have been defined as


Block-based scrambling. Assume that the pixel at is mapped to through block-based scrambling, we write this transformation by the following expression


We construct an input differential and calculate their output differential expressed by the following forms


Taking the differential as the input, due to the characteristic of permutation operation, we get the following equality:


Therefore, through block-based scrambling we construct the differential equality of two images expressed by


Image rotation. Same as block-based scrambling, given any images, the rotation operation cannot change the relative position of a fixed pixel of these images, thus we have the following equality:


Combining Eqs.(9) and (10), we obtain the following differential equality:


Image normalization using the matrix . Image normalization of the original algorithm is the modular addition operation of Eq.(2). Due to Proposition 1, we have the following form


Especially, in Eq.(12) we choose three images as the input of modular addition operation for eliminating the unknown matrix of Eq. (2).

Image filtering. By using differential cryptanalysis, the filtering operation of Eq.(3) is transformed to


where and . Based on the equation above, we can obtain , further acquire , , . Therefor for the filtering operation, we have the following linear relationship:


Considering one-round encryption, through block-based scrambling, image rotation, image normalization, and image filtering, we have the following differential relationship for the three image


4.2 Differential cryptanalysis of IC-BSIF and simulation experiments

Although IC-BSIF undergoes four rounds of encryption, and the sub-key of each round is different, our differential analysis of Eq.(15) is still effective. Considering four-round encryption, Eq.(15) is expanded to the following form


where denotes all the encryption operations of IC-BSIF.

Given any three plain-images, we can build Eq. (16) about the plain-images and the corresponding cipher-images. Eq.(16) presents a good linear relation. Next, we will verify Eq.(16) by using simulation experiments.

Choose three plain-images of size , , and a blank image. Encrypt , and by using the original algorithm, and obtain the corresponding cipher-images , and , shown in Fig. 3. To test Eq.(16), we calculate a differential image and then encrypt it. The plain-image and its cipher-image are shown in Fig. 3. We compute the differential of the three cipher-images and compare and . We find that . The simulation results confirm our theoretical analysis: Given any three plain-images, we can build a differential relation between the three plain-images and their cipher-images.

Figure 3: Simulation results for testing Eq.(16)

5 Codebook attack

5.1 Theoretical analysis

Select a blank cipher-image all pixel values of which are zero and cipher-images with only a nonzero pixel , . Through decryption machine, we get the corresponding pairs of cipher-image/plain-image, i.e., , , . These pairs of cipher-image/plain-image are used for building a codebook and recovering any plain-images.

For given any cipher-image , we first transform into the following form


where .

We further transform the above expression into the following form


and based on the differential cryptanalysis of Eq.(16) and Proposition 2, we naturally recover the plain-image expressed by the form


5.2 Simulation results

Without loss of generality, we choose a image size of as an example to represent the codebook attack. Algorithms 1 and 2 are two pseudocodes illustrating how to build the codebook and recover the plain-image. In Fig.4, we observe the plain-image , the corresponding cipher-image and the recovered image by using the codebook attack.

1:image size , a blank image with all-zero pixels and images with only a nonzero pixel value “1”.
2: decrypted images. Construct codebook ( pairs of cipher-image/plain-image).
4:for  do
5:     for  do
7:     end for
8:end for
9:for  do
11:end for
Algorithm 1 Construct the codebook
1:cipher-image , the grayscale , and codebook
5:for  do
6:     for  do
7:         if  then
9:              ;
10:         end if
11:     end for
12:end for
Algorithm 2 Codebook attack
Figure 4: Results of the codebook attack. , its cipher-image and the recovered image by the codebook attack proposed.

6 Improvements of IC-BSIF

Using differential cryptanalysis, we construct a linear relation between plain-images and cipher-images for IC-BSIF. Based on Eq.(16), we can break IC-BSIF by the codebook attack. To resist differential cryptanalysis, we introduce image random rotations that are controlled by both plain-images and intermediate images in IC-BSIF. The improved approach is shown in Fig. 5. The block-based scrambling and image random rotation make up a group. In this group the scrambling and rotation operations have been alternately carried out four times. Then all modules including image normalization and image filtering are executed sequentially rounds, .

In the original algorithm, the image rotation is a regular rotation, i.e, 90 degrees clockwise. Through four times of rotation, the image is a return to original state. Here we propose image rotation controlled by a random index . The angle of rotation of the th time is equal to degrees, where . Rotate the image clockwise if the angle of rotation is greater than zero; otherwise, rotate counterclockwise. For example, . For the first rotation, the image is rotated by degrees clockwise; for the third time, rotate degrees counterclockwise. The random index is related to the plain-image , intermediate images and the subkey . We calculate the sum of pixel value of , and take as the initial value of logistic map , , , is set according to the size of images, here . A chaotic sequence is produced by the form , and by taking a segment with and sorting the four variables a random index is generated.

In Figs. 6 and 7, we present the simulation results of the improved algorithm by using differential analysis. Same as in Fig.3, we encrypt four plain-images, , , and by using the improved algorithm, and obtain the corresponding cipher-images , , and , respectively. We calculate the differential image , and , which are shown in Fig. 6. We observe that and illustrates random characteristic well. Compared with the original algorithm, the improved approach resist the differential cryptanalysis of Eq.(16). Because the image rotation controlled by a random index is introduced, the efficiency of the improved algorithm decreases about for four-round encryption () and increases about for three-round encryption ().

Let’s see the differential results for three-round encryption. Encrypt two images, and a changed with the last two pixels exchanged, and compute the differentials of cipher-images, , , shown in Fig. 7. The results demonstrate that the randomness of differential images increases while the number of encryption rounds increases and the improved system has a good randomness with .

We continue to do statistical test by National Institute of Standards an Technology (NIST) SP800-22 Statistical Test Suite Rukhin2015A ; Pareschi2012On . The significance level is set as 0.01 and the number of binary sequences is set as 120. We choose 120 images from BOWS-2 image database and encrypt them by the improved algorithm. The cipher-images obtained are then decomposed into binary sequences. All the images are of size , thus the length of a binary sequence is . The results show that 120 cipher-images encrypted by the improved algorithm can pass all the 15 sub-tests.

We also check the randomness of differential cipher-images. Same as in , we encrypt the three plain-images using the improved algorithm, and obtain cipher-image and the differential image . Then, we compute the differential image . The test results show that the differential cipher-image of the improved algorithm can pass all the 15 sub-tests, whereas of IC-BSIF does not due to . This demonstrates that the improved approach can resist the differential cryptanalysis proposed by us.

Figure 5: The encryption process of the improved algorithm
Figure 6: Differential analysis of the improved algorithm for , , and . (a) . (b). (c) .
Figure 7: Differential analysis of the improved algorithm for (a) and the changed (b) with the last two pixels exchanged. (b)-(d) The differential cipher-images of and the changed from 1 to 3 encryption rounds.

7 Conclusion

This paper analyzes an image encryption algorithm using block-based scrambling and image filtering. We construct a linear relation between plain-images and cipher-images by differential cryptanalysis, although the encryption process is complex and nonlinear. Based on the linear relation, we build a codebook that contains pairs of plain-images and cipher-images, where is the size of images. The proposed differential cryptanalysis and the codebook attack can be applied in analyzing a medical image encryption algorithm Hua2 . Enhancing the security of image encryption algorithms has been a challenge and we hope our analysis method will promote the research of image encryption to some extent.



  • (1) A. A. A. El-Latif, L. Li, X. Niu, A new image encryption scheme based on cyclic elliptic curve and chaotic system, Multimedia Tools & Applications 70 (2014) 1559–1584.
  • (2) C. Adams, S. Tavares, The structured design of cryptographically good s-boxes, Journal of Cryptology 3 (1990) 27–41.
  • (3) J. Ahmad, M. A. Khan, S. O. Hwang, J. S. Khan, A compression sensing and noise-tolerant image encryption scheme based on chaotic maps and orthogonal matrices, Neural Computing & Applications 28 (2016) 1–15.
  • (4) S. Amina, F. K. Mohamed, An efficient and secure chaotic cipher algorithm for image content preservation, Communications in Nonlinear Science & Numerical Simulation 60 (2017) 12–32.
  • (5) A. Belazi, A. A. A. El-Latif, S. Belghith, A novel image encryption scheme based on substitution-permutation network and chaos, Signal Processing 128 (2016) 155–170.
  • (6) J. Katz, Y. Lindell, Introduction to Modern Cryptography, 2007.
  • (7) L. Chen, B. Ma, X. Zhao, S. Wang, Differential cryptanalysis of a novel image encryption algorithm based on chaos and line map, Nonlinear Dynamics 87 (2016) 1–11.
  • (8) X. Chen, C. J. Hu, Adaptive medical image encryption algorithm based on multiple chaotic mapping, Saudi Journal of Biological Sciences 24 (2017) 1821–1827.
  • (9) C. Cao, K. Sun, W. Liu, A novel bit-level image encryption algorithm based on 2d-licm hyperchaotic map, Signal Processing 143 (2017) 122–133.
  • (10) J. Chen, Z. L. Zhu, L. B. Zhang, Y. Zhang, B. Q. Yang, Exploiting self-adaptive permutation–diffusion and dna random encoding for secure and efficient image encryption, Signal Processing 142 (2018) 340–353.
  • (11) L. Chen, S. Wang, Differential cryptanalysis of a medical image cryptosystem with multiple rounds, Pergamon Press, Inc., 2015.
  • (12) C. Cao, K. Sun, W. Liu, A novel bit-level image encryption algorithm based on 2d-licm hyperchaotic map, Signal Processing 143 (2017) 122–123.
  • (13) J. Fridrich, Image encryption based on chaotic maps, in: IEEE International Conference on Systems, Man, and Cybernetics, 1997. Computational Cybernetics and Simulation, 1997, pp. 1105–1110 vol.2.
  • (14) C. Fu, W. H. Meng, Y. F. Zhan, Z. L. Zhu, F. C. Lau, C. K. Tse, H. F. Ma, An efficient and secure medical image protection scheme based on chaotic maps., Computers in Biology & Medicine 43 (2013) 1000–1010.
  • (15)

    P. Fabio, R. Riccardo, S. Gianluca, On statistical tests for randomness included in the nist sp800-22 test suite and based on the binomial distribution, IEEE Transactions on Information Forensics & Security 7 (2012) 491–505.

  • (16) X. Ge, B. Lu, F. Liu, X. Luo, Cryptanalyzing an image encryption algorithm with compound chaotic stream cipher based on perturbation, Nonlinear Dynamics 90 (2017) 1–10.
  • (17) X. Huang, Image encryption algorithm using chaotic chebyshev generator, Nonlinear Dynamics 67 (2012) 2411–2417.
  • (18) Z. Hua, Y. Zhou, Design of image cipher using block-based scrambling and image filtering, Elsevier Science Inc., 2017.
  • (19) Z. Hua, S. Yi, Y. Zhou, Medical image encryption using high-speed scrambling and pixel adaptive diffusion, Signal Processing 144 (2017) 134–144.
  • (20) W. Y. Ji, H. Kim, An image encryption scheme with a pseudorandom permutation based on chaotic maps, Communications in Nonlinear Science & Numerical Simulation 15 (2010) 3998–4006.
  • (21) M. Khan, A novel image encryption scheme based on multiple chaotic s-boxes, Nonlinear Dynamics 82 (2015) 527–533.
  • (22) Y. Li, C. Wang, H. Chen, A hyper-chaos-based image encryption algorithm using pixel-level permutation and bit-level permutation, Optics & Lasers in Engineering 90 (2017) 238–246.
  • (23) S. Li, C. Li, G. Chen, N. G. Bourbakis, K. T. Lo, A general quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, Signal Processing Image Communication 23 (2008) 212–223.
  • (24) C. Li, Y. Liu, T. Xie, M. Z. Q. Chen, Breaking a novel image encryption scheme based on improved hyperchaotic sequences, Nonlinear Dynamics 73 (2013) 2083–2089.
  • (25) R. Matthews, On the derivation of a “chaotic” encryption algorithm, Cryptologia 8 (1989) 29–41.
  • (26) N. K. Pareek, V. Patidar, K. K. Sud, Image encryption using chaotic logistic map, Image & Vision Computing 24 (2006) 926–934.
  • (27) P. Ping, F. Xu, Y. Mao, Z. Wang, Designing permutation-substitution image encryption networks with henon map, Neurocomputing 283 (2018) 53–63.
  • (28) A. Rukhin, J. Soto, J. Nechvatal, S. Miles, E. Barker, S. Leigh, M. Levenson, M. Vangel, D. Banks, A. Heckert, A statistical test suite for random and pseudorandom number generators for cryptographic applications, Applied Physics Letters 22 (2015) 1645–179.
  • (29) E. SOLAK, O. T. YILDIZ, Cryptanalysis of fridrich’s chaotic image encryption, International Journal of Bifurcation & Chaos 20 (2010) 1405–1413.
  • (30) X. Tong, M. Cui, Image encryption scheme based on 3d baker with dynamical compound chaotic sequence cipher generator, Signal Processing 89 (2009) 480–491.
  • (31) L. Y. Zhang, Y. Liu, F. Pareschi, Y. Zhang, K. W. Wong, R. Rovatti, G. Setti, On the security of a class of diffusion mechanisms for image encryption, IEEE Transactions on Cybernetics PP (2015) 1–13.
  • (32) X. Zhang, W. Nie, Y. Ma, Q. Tian, Cryptanalysis and improvement of an image encryption algorithm based on hyper-chaotic system and dynamic s-box, Multimedia Tools & Applications 76 (2017) 1–19.
  • (33) G. Zhou, D. Zhang, Y. Liu, Y. Yuan, Q. Liu, A novel image encryption algorithm based on chaos and line map, Neurocomputing 169 (2015) 150–157.