Cryptanalysis and Improvement of Chaos-Based Image Encryption Scheme with Circular Inter-Intra-Pixels Bit-Level Permutation

A novel chaos-based image encryption scheme has been proposed recently. In this scheme, redundancies of the Fridrich’s structure were reduced significantly via a new circular inter-intra-pixels bit-level permutation strategy. However, we proved that the original encryption scheme is vulnerable to the known/chosen-plaintext attacks. Both the permutation and diffusion phases have been improved to enhance the security of the original scheme. By shifting each row of the plain image randomly, known-plaintext attacks could be resisted. Furthermore, by appending double crossover diffusion to the end of the original scheme, chosen-plaintext attacks lost their efficacies. Simulation results demonstrated that the improved encryption scheme outperforms the original one.


Introduction
With the development of Internet technology, image data has been widely applied in many fields, such as military systems, government agencies, medical imaging systems, and online trade and business.However, digital images are also vulnerable to security risks; that is, sensitive information can be destroyed in the case of unauthorized access, such as interception, tampering, illegal copy, and dissemination.Encryption is a widely employed tool to minimize the potential security risks.However, in most cases, traditional encryption techniques, such as DES, RSA, AES, and IDEA, are specifically made for text data.For image data with different intrinsic characteristics, such as large data storage requirements, high redundancy, and strong correlation among adjacent pixels [1,2], traditional encryption techniques demonstrate limited performance at best.Therefore, chaos-based image encryption schemes have been developed specifically for images.Benefiting from the inherent properties of chaotic sequences, such as ergodicity, pseudo-randomness, and sensitivity to initial conditions and control parameters [3], these chaosbased image encryption schemes have exhibited excellent properties, including complexity, security, and computational efficiency.
To date, a variety of chaos-based schemes have been proposed.However, most [4][5][6] are based on Fridrich's permutation-substitution model [7] and demonstrate statistical correlations among the plain image, the cipher image, and the key.Previous studies [8,9] proved that 96.7% of the bit values were unchanged using Fridrich's encryption structure.To reduce redundancy and statistical links, many bit-level-based techniques have been proposed [10][11][12][13][14][15][16].However, these techniques also have some limitations.For example, the permutation phase has repetitive patterns [14] and the operations require significant computation time [15,16].In 2016, Diaconu proposed a circular inter-intra-pixels bit-level permutation-confusion strategy [17].This strategy takes advantage of Fridrich's structure; however, employing the confusion strategy reduces the redundancy significantly.Bit-level circular shifting of each row demonstrates three strong characteristics, that is, no repetitive patterns, uniform bits distribution, and reduced correlation between adjacent higher bit-planes.
To improve the security of existing cryptosystems, many cryptanalytic methods have been proposed [18,19].Such processes can render the existing cryptographic mechanisms insecure.In this study, we assessed Diaconu's strategy [17] and found a dangerous vulnerability in the circular shift procedure.In addition, the secret matrix, that is, the equivalent of the keys, can be revealed through known-plaintext attacks.To overcome these security problems, we propose two improvements/changes to the scheme; that is, we improve the permutation phase to resist known-plaintext attacks and improve the diffusion phase to resist chosen-plaintext and differential attacks [20], respectively.
The remainder of this paper is organized as follows.Section 2 presents an overview of Diaconu's encryption scheme [17].Section 3 discusses cryptanalysis using a knownplaintext attack.Improvements to the original algorithm are described in Section 4. Simulation results are provided and they are evaluated in Section 5, and the conclusions are presented in Section 6.

Original Encryption Scheme
In this section, we describe the original scheme, which is composed of permutation and diffusion phases.The permutation phase scrambles pixels by bit-level circular shift, which updates the pixel positions and generates new pixel values.In the diffusion phase, the permutated image is encrypted using two ciphering matrices.
Step 2. Compute the circular shift steps  shifts and direction  shifts of each row.
where  shifts is the number of 1s of each row.
Each vector I 0 is right circular-shifted with  shifts steps if  shifts equals 0 and left circular-shifted if  shifts equals 1.
Step 3.Each group of 8 bits of vector I 0 is converted to a decimal number step by step; thus, the permuted image I  = {  (, )} ,  =1,=1 can be obtained: where I  (, :) denotes the th row of the permuted image and the function bin2dec converts the binary number to a decimal number.

Diffusion. The final cipher image
is obtained as follows.

Computing Ciphering Matrices.
Two ciphering matrices are computed by the pseudorandom number generator PRNG (8), which has been proven to have attractor's fractal structure, ergodicity, and an enormous key space [24].

Cryptanalysis of the Original Scheme
The original algorithm proposed circular inter-intra-pixels bit-level permutation.Within this algorithm, the chaotic map is highly sensitive to the four parameters and a large key space can be obtained.However, the circular shift process has a dangerous vulnerability.Equations ( 6) and ( 7) can be transformed into the following expressions: According to Kerckhoff 's principle, the security of a cryptosystem should only depend on the secrecy of the key; that is, everything else in the system can be public knowledge.In other words, the original scheme is assumed to be known, but the key is unknown.Obviously, it is nearly impossible to obtain the key used in Section 2.3.Fortunately, the chaotic secret matrix Ι cipher_row_col in ( 14) is unchanged if the key is fixed.Thus, our goal is to obtain this matrix, which can be realized by a known-plaintext attack.
Known-plaintext attacks assume that the plaintext and corresponding cipher are known.If a known-plaintext attack is used to break the original scheme, we must first obtain the scrambled image of a known plain image.Fortunately, the scrambled image can be computed easily by circular shifting.
Here, consider a known plain image I  , whose corresponding scrambled image and cipher image are S  and C  , respectively.The scrambled image S  can be computed easily using the procedure described in Section 2.1.With the cipher image C  and the computed S  , the secret matrix Ι cipher_row_col can be obtained using because If the secret matrix Ι cipher_row_col is available, any given cipher image to be decrypted can be restored into the scrambled image S  .Since the number of 1s in each row of the scrambled image is the same as that of the plain image, the permutation can be reversed easily, and the deciphering image can be obtained.
The steps of a known-plaintext attack are as follows.
Step 1. Obtain the secret matrix.
Step 1.1.Calculate S  (Section 2.1) with the known plain image I  .
Step 2. Decrypt the given cipher image.
Step 2.1.With the given cipher image I ENC , calculate the scrambled image I  using (17).
Step 2.2.Obtain the deciphering image I 0 by applying the opposite circular shift to I  ; that is, if  shifts = 0, then each row of I  should be left circular-shifted, and if  shifts = 1, then each row of I  should be right circular-shifted.
To further demonstrate this idea, experimental results are shown in Figures 1 and 2. Figure 1 illustrates how to obtain the secret matrix.Assume that a known plain image is Lena (Figure 1(a)).The cipher image corresponding to Figure 1(a) is shown in Figure 1(b).The circular-shifted image, that is, the permutated image S  , is shown in Figure 1(c).The secret matrix Ι cipher_row_col computed by ( 16) is shown in Figure 1(d).The deciphering process of the given cipher image is shown in Figure 2. Here, Figure 2(a) is the plain image and its corresponding cipher image to be deciphered is shown in Figure 2(b).The scrambled image, which is obtained by an XOR operation between the secret matrix Ι cipher_row_col (Figure 1(d)) and the cipher image (Figure 2(b)), is shown in Figure 2(c).Then, after inverse circular shifting, the deciphering image is obtained which is shown in Figure 2(d).Note that the deciphering image is the same as the plain image.

Analysis, Discussion, and Improvement
4.1.Improving Permutation 4.1.1.Vulnerability to Known-Plaintext Attack.In the original scheme, the shift steps and direction are decided by the number of 1s of each row.After permutation, the number of 1s of each row remains unchanged.Therefore, the scrambled image for any known plain image can be computed, which is the primary vulnerability of the original encryption scheme.

Improvement.
Randomizing the shift steps and direction of each row can remove this vulnerability.Here, a secret sequence must be introduced to satisfy this requirement.For simplicity, the chaos map based on ( 8) and ( 9) is used.If the plain image has  rows, the number of pairs of steps and directions is .The permutation phase is improved as follows.First, a random sequence of length  *  is generated by iterations, where the parameter  is computed by (18) and 8 is the bits of each row of the plain image.
Then, the sequence is discretized into dibits using four thresholds.The high and low bits of the dibits are arranged into vectors h  = {ℎ  ()}  *  =1 and l  = {  ()}  *  =1 , separately.Assume that d  = {  ()}  =1 denotes the shift direction (left or right) and p  = {  ()}  =1 denotes the steps of shift.Based on the definition above, the two vectors can be computed as follows.
Step 1. Initialize the vectors d  and p  and the counter variable , Step 2. (a) Take  consecutive bits separately from h  and l  in turn, (b) Obtain the th pair of elements of the vectors d  and p  , (c) Update the variable , The permutation process is similar to the process described in Section 2.1.Here, vector I 0 is right circularshifted with   () steps if   () equals 0 and left circularshifted if   () equals 1.
Since the scrambled image cannot be computed directly from the plain image, the known-plaintext attack would not break the original encryption scheme.However, the following analysis shows that it is insufficient to improve the permutation phase solely.

Vulnerability to Chosen-Plaintext Attack.
After improving permutation, there are two secret sequences.One sequence generates the matrix Ι cipher_row_col used in the diffusion phase and the other generates h  and l  used in the permutation phase.Compared to the original algorithm, security is increased; however, the improved encryption scheme can still be broken by a chosen-plaintext attack.
If I  is a matrix where all elements are zero, the permutation phase has no influence on the I  .Then, the encrypted image Ι _ENC can be expressed as follows: Here, we find that the secret matrix Ι cipher_row_col is equal to the encryption output Ι _ENC .Next, random vectors h  and l  used in the permutation phase can be computed by using a matrix Ι 1 , which is defined as follows: The cipher and scrambled images corresponding to Ι 1 are denoted as Ι 1_ENC in (25) and I 1s , respectively: The secret matrix Ι cipher_row_col is calculated based on (23).Then, we obtain the scrambled image I 1s by applying an XOR operation between the cipher image Ι 1_ENC and the secret matrix Ι cipher_row_col .
By transforming each element of I 1s into an 8-bit binary number, we can obtain a matrix I  1s of size  × 8, which has only one "1" in each row.Note that we must obtain the column position of "1."For example, if the element "1" in the th row is located at the th column, we can conclude that the th row of Ι 1 has been right circular-shifted with  steps.Assume that all the shift steps are saved in a vector l  = {  ()}  =1 , where   () =  can be obtained easily.
The deciphering steps are described as follows.
Step 1. Obtain Ι cipher_row_col via the chosen plain image I  .
Step 2. Obtain the scrambled image I s by an XOR operation between Ι ENC and Ι cipher_row_col based on (17).
Step 3. Obtain the permutation steps vector l  using the chosen plain image Ι 1 .
Step 4. Perform opposite circular shift on I  ; that is, the th row of the scrambled image I  is circularly shifted towards the left direction with   () steps.

Improvement.
The deciphering algorithm (Section 4.2.1) is performed successfully because it is easy to calculate the secret matrix Ι cipher_row_col .If we design a method to prevent an attacker from obtaining this matrix, the encryption would be secure.Therefore, the diffusion phase should also be improved.An operation, called double crossover diffusion (DCD) [20], is added to the end of the original scheme.Assume that I V = {()}  2 =1 is a stretched vector of cipher image I ENC .The DCD mechanism requires a random sequence, which is generated by the logistic map.
If parameter  is chosen in the range [3.5699456, 4] and the initial value  0 is in the range [0, 1], the system is in a chaotic state.We can run the logistic map from  0 to generate a chaotic sequence u = {()}  2 =1 .Then, by sorting this vector, a vector q = {()}  2 =1 is obtained, where (()) is the th largest element of the chaotic sequence u.
The general structure of the improved procedure is presented in Algorithms 1 and 2. As shown in Algorithm 1, the cipher image is first reshaped to a vector I V and ordered by random sequence q.As shown in Algorithm 2, the sorted vector I V is divided into two blocks and encrypted sequentially by the left and right parts.The key vector key in one block (Algorithm 2) is connected to the vector q and the prior encrypted pixels of the other block.

Performance of the Improved Cryptosystem
This section presents experimental results and analyzes the performance of the improved cryptosystem.Here, we obtained plain images from the USC-SIPI image database [25].Note that images of other sizes can also be encrypted effectively by the proposed algorithm.The PRNG parameters are  1 0 = 0.68775492511773,  2 0 = −0.0134623354671, 1 = 5.938725025421, and  2 = 1.257490188615.The logistic map parameters are  = 3.99 and  0 = 0.2113.However, the parameter  0 in crossover diffusion is 52, which is not considered as the key in this paper.Thus, there are six parameters in the key vector K 1 = [ 1 0 ,  2 0 ,  1 ,  2 , ,  0 ], where ,  1 ,  2 are the control parameters and  1 0 ,  2 0 ,  0 are the initial parameters.All experiments were implemented by using MATLAB R2010b and were executed on a personal computer (Intel Core i5-5300U 2.3 GHz CPU, 4 GB memory).

Key Space.
Key space is a significant index to measure the ability to resist brute-force attacks and an effective key space must contain very large and unique keys.Considering the type of PRNG and the logistic map, the six parameters can be expressed by double-real precision (15 decimals).Thus, the key space can achieve (10 15 ) 6 = 10 90 , which is nearly 299 bits.As a result, the size of the key space in the improved algorithm is sufficient to resist exhaustive attacks.

Key
Sensitivity.An important security indicator for an image encryption system is the sensitivity to the key; that is, small changes to the key lead to significant changes in the cipher image.Assume that a new key K 2 can be Read the cipher image I ENC , the vector q from input.Reshape I ENC into a vector I V .for  = 1 :  2 I V () = I V (()).end I V = double_crossover_diffusion (I V , q). for  = 1 :  2 I V (()) = I V ().end Reshape I V into a new matrix I ENC of size  × .
Algorithm 1: Overall structure of DCD.
obtained by transforming K 1 (adding 10 −15 to  1 and leaving the other parameters unchanged).Figures 3 and 4 represent the improved algorithm's sensitivity to the key.The contrasts before and after adding 10 −15 to  1 are presented in Figure 3, and it shows that small changes to the key generate an entirely different cipher images.Figure 4 shows that a correct secret key can achieve a completely accurate decryption, while a key with a small change cannot.
Likewise, let represent two cipher images using different keys K 1 (the initial key) and K 2 (adding 10 −15 to  0 ).To evaluate quantitatively the sensitivity to the key, the percentage of different pixels of the two cipher images is computed.Simulation results are shown in Table 1.As shown in Table 1, over 99.5% of the pixels of one encrypted image differ from the pixels of the other image.Thus, the improved encryption scheme is highly sensitive to the secret key.

Differential Attack Analysis.
The ability to resist differential attacks depends on the "sensitivity to the changes" in plain image.Stronger sensitivity affords greater resistance to differential attacks.Let P 1 = { 1 (, )} ,  =1,=1 denote a plain image.After selecting a pixel of this plain image randomly and flipping its least significant bit, we can obtain a new plain image P 2 = { 2 (, )} ,  =1,=1 .The corresponding cipher images are E 1 = { 1 (, )} ,  =1,=1 and E 2 = { 2 (, )} ,  =1,=1 , respectively.To represent the sensitivity of the encryption scheme to plain image, two parameters, the Number of Pixels Change Rate (NPCR) and the Unified Average Changing Intensity (UACI), are introduced and defined by where  is the bits of the pixels and  and  represent the width and height of the test images, respectively.If  1 (, ) is equal to  2 (, ), then (, ) = 0; otherwise, (, ) = 1.Ideal NPCR and UACI values can be calculated by the following equations, respectively.
The NPCR and UACI values of the five images are shown in Table 2. To demonstrate the broad applicability of the improved scheme, we used different natural plain images and selected pixel multiple times randomly to obtain the average values.Note that our improved scheme requires only oneround encryption process and ideal values of NPCR and   Table 2: NPCR and UACI values of different images by different algorithms.
Image NPCR (%) Ref. [21] Ref. [22] Ref. [23]  UACI have been achieved without encrypting more than one round.As shown in Table 2, the NPCR values are close to the ideal value (i.e., 99.6094%), and the UACI values range from 33.3% to 33.6%.Relative to the NPCR, the proposed scheme is better than [22] and comparable to [17,21,23].For UACI, the improved scheme demonstrates the best performance.Hence, changing one pixel of plain image influences nearly all pixels of the cipher image with the improved scheme, and this demonstrates the better security property of the proposed scheme against differential attacks.

Computational and Complexity
Analysis.The permutation phase of the improved scheme is the same as that of the original scheme.As a result, the total complexity of the permutation phase is approximate to Θ(8 ×  × ).The time complexity of the diffusion process is Θ(×), which is similar to that of the original algorithm.Therefore, the total time complexity of the proposed algorithm is Θ(8 ×  × ).The execution time of the improved scheme, the original scheme, and other algorithms are given in Table 3.For accuracy, we encrypted different natural images multiple times to obtain the average value by using different algorithms.As shown in Table 3, the operating speed of the improved scheme is better  than those in [17,21,22] but less than that in [23].Moreover, the execution efficiency of the improved scheme is somewhat higher than that of the original scheme.It is because the shift steps and the direction of each row are determined by the available key vectors d  and p  in our permutation phase.In contrast, in the original scheme, they are computed row by row.Besides, the execution time of the improved algorithm would be at least an order of magnitude slower than those reported in [17,[21][22][23] when they were executed in a different environment without optimization.5, and the corresponding histograms are shown in Figure 6.In Figure 5(b), it retains more information of plain image than the one in Figure 5(d), because the original permutation is based on the certain numbers of 1s of each row, while the improved scheme is based on a secret sequence.If two adjacent rows are with equal numbers of 1s, they would be circular-shifted with the same steps along with the same direction.In Figures 6(c) and 6(e), one can deduce that the distributions of the two cipher images are nearly uniform.Therefore, both algorithms can resist statistical attack.

Correlation Analysis.
A plain image typically has high neighbor correlation among pixels that can be weakened by an encryption algorithm.Note that better algorithms lead to weaker correlation.The correlations of adjacent pixels of plain image are compared to those of the cipher image, and the results are shown in Figures 7-9.Relative to the correlation, the improved algorithm is comparable to the original algorithm.The correlation coefficients are computed by where   and   denote the ith pair of neighboring pixels of the image and  is the total number of pairs.The correlative coefficients of different algorithms are shown in Tables 4  and 5.As shown in Table 4, all correlation coefficients of the plain images are close to 1, and those of the cipher images are close to 0. Based on the data shown in Table 5, it can be concluded that the coefficients of the improved algorithm in the horizontal, vertical, and diagonal directions are less than those of algorithms found in [21][22][23], and the improved algorithm's coefficients in the horizontal and vertical directions (but not the diagonal direction) are less than those of the original algorithm.By using the original algorithm, coefficients in the horizontal direction are greater than those in the vertical and diagonal directions.It is because two adjacent rows with equal numbers of 1s are circular-shifted with the same steps in the same direction, which increases the correlation coefficient in the horizontal direction.This shortcoming of the original algorithm has been remedied by the proposed improved algorithm.The analysis above demonstrates that the improved algorithm can effectively break the correlation between adjacent pixels.

Information Entropy Analysis.
Information entropy is an important indicator reflecting the randomness of information.A secure cipher image demonstrates large statistical randomness and large information entropy.The information entropy of an image can be computed as follows: where (  ) denotes the probability of pixel value   and 2  is the total status number of x.The signal source of entropy

Figure 3 :
Figure 3: Sensitivity to small changes in the key: (a) image encrypted by key K 1 ; (b) image encrypted by key K 2 ; and (c) difference image between (a) and (b).

Figure 4 :
Figure 4: Image decryption using correct and incorrect keys: (a) image encrypted by key K 1 ; (b) deciphering image by correct key K 1 ; and (c) deciphering image by incorrect key K 2 .

Table 1 :
Percentage difference between two cipher images before and after adding 10 −15 to  0 (%).