share
1 Introduction
Encryption is an important tool for ensuring confidentiality of data. Recently, the ECCHC – a combination of elliptic-curve cryptography and Hill cipher – was proposed by Dawahdeh, Yaakob and bin Othman [1]. The proposal is specifically aimed at image encryption. The authors justify the security of the ECCHC by evaluating selected statistical properties on sample plaintext and ciphertext images. The properties are entropy, peak signal to noise ratio, and unified average changing intensity.
Our conribution.
We analyze the security of the ECCHC scheme and show its various weaknesses that render the scheme unusable for any security sensitive application. Evaluating some selected set of statistical properties is not an adequate replacement for analyzing how cryptanalytic attacks apply to an encryption scheme. In order to accentuate this point, we propose a toy example – the Deliberately Weak Cipher (DWC). The DWC is completely weak (with only bit key and other serious vulnerabilities), but it attains comparable or even better statistical parameters (depending on input image type) than the ECCHC.
2 The ECCHC scheme
The ECCHC scheme combines public key cryptography based on elliptic curves with symmetric encryption in a straightforward way. The authors tailored their proposal to encryption of -bit grayscale images of size pixels, although it can be easily extended to other image types. To keep our presentation simple, we also use this particular image type. The weaknesses identified in the scheme are relevant for possible extension as well.
2.1 Overview of the scheme
The ECC part of the scheme is basically a Diffie-Hellman key agreement. Let be a group of points on some elliptic curve, generated by a generator . Let be a prime. A user can generate his/her private key by randomly choosing from . The corresponding public key is .
Two users, and , can agree on a shared point by computing (for user ) or (for user ). The point is used to obtain a matrix :
Since the matrix is used for encrypting plaintexts with the alphabet of size (-bit grayscale) the elements are transformed mod .
The second part of the scheme is Hill cipher used in the ECB (Electronic Codebook) mode to sequentially encrypt vectors from a plaintext image. We denote by the sequence of vectors that the image is split into (for image we have ). The ciphertext is a sequence of blocks , where the -th block/vector is computed by simple matrix-vector multiplication: . Given that is self-invertible, a decryption uses the same multiplication: .
2.2 Weaknesses of the ECCHC scheme
We discuss some properties of the ECCHC that, in our opinion, make the scheme insecure and unsuitable for any security sensitive application.
Low entropy of the symmetric key.
The matrix is uniquely determined by any of its quadrants, e.g. elements of are sufficient to reconstruct . Hence the worst case complexity of brute-force attack is very low .
Known plaintext attack.
The proposal inherits the linearity of Hill cipher. This makes it vulnerable to known plaintext attack. For plaintext block and corresponding ciphertext block we obtain four linear equations with unknowns (values of the matrix
). For random plaintext block we can find a unique solution with high probability. Multiple distinct plaintext-ciphertext pairs of blocks yield the key with certainty.
Using the symmetric transformation in the ECB mode.
Opting for the ECB mode has a well known weakness: equal plaintext blocks are encrypted to equal ciphertext blocks, . This property can be particularly unfortunate for images containing patterns or drawings, where equal blocks are expected. It is certainly possible to modify the symmetric part of the ECCHC to employ a counter or using other modes, however the proposal does not address this issue in any way.
Fixed points.
The structure of self-invertible matrix guarantees that vectors of the form , for any , are fixed points regardless of actual values in :
Let us illustrate the ECB mode and the fixed points issues. A checkerboard image, see Figure 1, is an example of plaintext image that remains intact after encrypting with any . Encrypted drawing with uniform color areas might be comprehensible (only slightly distorted along edges). An example is shown in Figure 2.
 |
 |
Inadequate security analysis.
The security analysis included in the proposal contains evaluation of these three statistical properties on few sample images:
-
Entropy of the encrypted image considering frequencies of pixel values.
-
Peak Signal to Noise Ratio (PSNR) using original and encrypted images.
-
Unified Average Changing Intensity (UACI) using original and encrypted images.
Such analysis neglects other cryptographic properties the symmetric cipher is expected to satisfy. More importantly, it ignores all potential attacks (some weaknesses were discussed in previous paragraphs). To further illustrate this point we propose an intentionally weak cipher (weaker than the symmetric part of the ECCHC) and show that we can obtain comparable or even better values of above properties, see Section 3.
Unclear public key part of the ECCHC.
The elliptic curve key agreement part of the ECCHC is under-specified. The proposal does not define what kind of elliptic curves should be used, how large the parameters should be (small entropy of symmetric key indicates that using standardized elliptic curves is pointless), how exactly are and values transformed into matrix (when to apply mod operation), etc.
3 Deliberately weak cipher
We designed the Deliberately Weak Cipher (DWC for short) to illustrate the inadequacy of statistical measures for assessing the strength of encryption algorithms. Suitable values of statistical properties are necessary but by no means sufficient condition for secure encryption. We start by reviewing properties used in the ECCHC proposal.
3.1 Remarks on statistical properties
Entropy for -bit grayscale image is calculated as , where denotes a fraction of pixels with value . The maximum entropy in this case is , and we expect that random noise image has entropy close to .
The Peak Signal to Noise Ratio (PSNR) is used to measure quality between signal with a noise and the original signal. In our case, let and be two -bit grayscale images. The PSNR, expressed in decibels, is computed as follows:
where is the Mean Square Error between these two images. It is easy to calculate the expected value of the PSNR between all-black (or all-white) image and a random noise image – the MSE is , and the corresponding PSNR is . Similarly, the expected value of the PSNR between two random noise images is .
The Unified Average Changing Intensity (UACI) measures the average distance among pixel values using following formula:
Trivially, the UACI of all-black (or all-white) image and a random noise image is %. Calculating the expected value of the UACI for two random noise images yields %.
We are interested in two cases: (1) a pair of two random noise images, and (2) a pair of monochrome black (white) image and a random noise image. The distinction between these cases is important in the evaluation of encryption algorithms. Consider a cryptographically strong encryption algorithm and pair of plaintext and ciphertext images. We expect that a statistical properties for this pair are close to the first case if the plaintext is a photograph, painting, etc.; and close to the second case if the plaintext is a drawing, checkerboard, or simply an image with a vast majority of black/white pixels.
3.2 The DWC algorithm
The DWC encryption uses -bit key , obviously too short for any serious application. To make it similar to the ECCHC, a core transformation used in the DWC takes input vector. Let be an input vector of four bytes. The core transformation is defined as follows:
where is an -bit s-box and computes a fixed matrix multiplication, borrowed from the AES SubBytes and MixColumns transformations, respectively [3]. Please note that our matrix multiplication operates on a single vector (column), instead of four columns transformation MixColumns in the AES. The output of CT is again vector. The core transformation can be easily inverted by multiplying with inverse matrix and performing three lookups to the table representing . Although we do not care about the performance of the DWC, various enhancements in this area can be obtained from vast literature on the implementation of the AES.
To mimic the ECCHC we split an image into a sequence of vectors . The ciphertext is a sequence of blocks :
where denotes bitwise XOR operation, lsb returns the least significant byte, and shifts the byte to the left for position. Thus yields a 32-bit vector with the most significant byte being and other three bytes being . The decryption is straightforward: , for .
3.3 Properties of the DWC algorithm
The DWC algorithm is very weak. The most important vulnerability is small key space (overall, only keys), and thus being susceptible to brute-force attack. Another weaknesses follow from fact that the core transformation CT is fixed and does not depend on the key in any way. Therefore anyone can compute on ciphertext blocks and obtain . Since is known (it is just a counter) one can easily compute . This is the original plaintext block with the most significant byte XOR-ed with . Hence anyone can recover % of the image without knowing the key.
Design of the DWC is aimed at obtaining good values of statistical properties, such as the entropy, the PSNR and the UACI. We use four sample images – two standard photographs (lena, baboon), checkerboard, and drawing (both used in Section 2.2 as well). Figure 3 shows a visual overview of plaintext and corresponding ciphertext images. There are no fragments of original images, visible patterns or obvious regularities in the ciphertext images.
 |
 |
 |
 |
|
 |
|
 |
Table 1 compares the numerical values of the entropy, the PSNR and the UACI for the DWC and the ECCHC for our sample images. The results for lena and baboon images are very close, and we can consider the DWC and the ECCHC as equal in these types of images. Image types like checkerboard or drawings pose a problem for the ECCHC (as already discussed in Section 2.2). On the other hand, the DWC produces ciphertext images with much superior statistics – close to values we expect for those image types, see Section 3.1.
We can summarize – the DWC is very weak cipher that excels in the entropy, the PSNR, and the UACI properties.
| algorihtm | image | Entropy | PSNR | UACI [%] |
|---|---|---|---|---|
| ECCHC | lena | |||
| baboon | ||||
| checkerboard | ||||
| drawing | ||||
| DWC | lena | |||
| baboon | ||||
| checkerboard | ||||
| drawing |
Remarks. (1) The key length of the DWC could be even smaller.
We can fix to some constant and get an encoding scheme good statistical properties
and no security at all.
(2) The DWC is by no means a unique construction. Various approaches can be used to
fulfill the same goals. For example, many lightweight stream ciphers with
severely reduced key length would be similarly vulnerable, while still having
good values of the entropy, the PSNR and the UACI for image encryption.
4 Conclusion
We showed various weaknesses of the ECCHC image encryption scheme, despite good statistical properties published in the proposal [1]. More importantly, we illustrated insufficiency of such approach to analyzing the strength of encryption algorithm by proposing the Deliberately Weak Cipher. The DWC has comparable or even better statistical parameters (depending on input image type) than the ECCHC, while being completely weak.
For any encryption scheme proposal, the real cryptanalytic assessment of the scheme should be conducted. Evaluating some selected set of statistical properties is not an adequate replacement for analyzing how cryptanalytic attacks apply to the scheme.
The ECCHC should not be used for image (and other data) encryption. Use standard encryption techniques. In case of resource-constrained devices, the area of lightweight cryptography offers alternative algorithms with better security. For recent survey on lightweight cryptography, see [2].
References
- [1] Dawahdeh Z.E., Yaakob S.N., bin Othman R.R., A new image encryption technique combining Elliptic Curve Cryptosystem with Hill Cipher, Journal of King Saud University – Computer and Information Sciences, Volume 30, Issue 3, 2018, pp. 349-355. https://doi.org/10.1016/j.jksuci.2017.06.004
- [2] McKay K.A, Bassham L., Turan M.S., Mouha N., Report on Lightweight Cryptography, NISTIR 8114, 2017. https://doi.org/10.6028/NIST.IR.8114
- [3] National Institute of Standards and Technology (NIST), Advanced Encryption Standard (AES), Federal Information Processing Standard (FIPS PUB) #197, 2001.
Comments
There are no comments yet.