On the Security Analysis of a Hopfield Chaotic Neural Network-Based Image Encryption Algorithm

In this paper, the security analysis of a color image encryption algorithm based on Hopfield chaotic neural network is given. -e original chaotic image encryption algorithm includes permutation encryption and diffusion encryption. -e result of cryptanalysis shows that the chaotic sequences generated by this algorithm are independent of plaintext image, and there exist equivalent permutation key and equivalent diffusion key.-erefore, according to chosen-plaintext attack, the equivalent diffusion key and the equivalent permutation key can be obtained by choosing two special plaintext images and the corresponding ciphertext images, respectively, and the plaintext image is further recovered from the ciphertext image. -eoretical analysis and numerical simulation experiment results verify the effectiveness of the analytical method. Finally, some improved suggestions for the original encryption algorithm are proposed to promote the security.


Introduction
With the rapid development of network technology, the security and privacy protection problems of multimedia information have become a hot subject. In order to promote the security of information transmission, scholars have proposed a large amount of image encryption algorithms based on different mechanisms and theories, such as chaotic map [1][2][3][4][5][6][7][8][9][10][11][12][13], neural network [14], DNA [15][16][17][18], and so on. e security performance of the image encryption algorithms mainly depends on statistical test indicators, such as key space, histogram, key sensitivity analysis, information entropy, differential attack, and so on. However, statistical test indicator is an essential condition and not a sufficient condition for measuring security presented in [19]; moreover, some of them are proven to be insecure due to their inherent pitfalls [20][21][22][23][24][25][26][27][28][29][30]. erefore, it is necessary to perform cryptanalysis in order to improve the security of the image encryption algorithms.
In recent years, many image encryption algorithms have been cryptanalyzed by the researchers. For example, in [20], the cryptanalysis of an image encryption cryptosystem based on binary bit planes extraction and multiple chaotic maps (IEC-BPMC) proposed in [1] is given; it is pointed out that IEC-BPMC is insecure against chosen-plaintext attack. In [21], the security analysis of an image chaotic encryption algorithm based on Latin cubes and bit cubes presented in [2] is proposed; it is reported that the generation of Latin cubes is independent of plain image, while in the diffusion stage, when any one bit in the plain image changes, the corresponding number of bits in the cipher image follows the change with obvious regularity. According to chosenplaintext attack, only a maximum of 2.5 × ����� w × h 3 √ + 6 plaintext images are needed to crack the ciphertext images of size w × h resolution. In [22], according to chosen-ciphertext attack, the security analysis for a self-synchronization and closed-loop feedback-based chaotic stream cipher proposed in [3] is given; it has shown that, under the condition that only one unknown key needs to be deciphered while the remaining keys are all known, most secret keys can be deciphered accurately. In addition, the attack complexity of the proposed method is lower than that of the exhaustive attack. In [23], the security performance for an 8D self-synchronous and feedback-based chaotic stream cipher with low 8 bits of state variables for encryption proposed in [4] is analysed, according to known-plaintext attack and divide-and-conquer attack, 49 secret keys can be obtained, and an improved chaotic stream cipher is proposed for improving the ability to resist divide-and-conquer attack and chosen-ciphertext attack. According to chosenplaintext attack, in [24], the security analysis of an image encryption algorithm based on 3D bit matrix permutation presented in [5] is given and proposes some improved suggestions in order to enhance security performance. e cryptanalysis of the image encryption algorithm proposed in [7] is presented in [25]; it is reported that the equivalent secret keys can be obtained by utilizing chosen-plaintext attack and further recover the original plaintext image from the ciphertext image. In [26], the security analysis of an image encryption algorithm based on improved hyperchaotic sequence presented in [8] is given; it is shown that only 1-pair known plaintext-ciphertext image can crack the original encryption algorithm by using known-plaintext attack. In [27], the cryptanalysis of an image encryption algorithm with one round diffusion structure proposed in [9] is reported to find that the original encryption algorithm has equivalent secret keys, so that it can be deciphered by known-plaintext and chosen-plaintext attack. In [28], it is pointed out that permutation-only encryption structure presented in [10] is insecure against known-plaintext attack and chosen-plaintext attack, respectively; for given image of size MN, the original encryption algorithm is cracked by only using log L (MN) plaintext-ciphertext images. e image encryption algorithm based on DNA encoding and spatiotemporal chaos is proposed in [15]; nevertheless, it is broken in [29] by using chosen-plaintext attack and chosenciphertext attack with lower computation complexity and data complexity, respectively. In [30], the security analysis of an image encryption algorithm based on 2D Henon-Sine map and DNA proposed in [17] is given; it is found that cipher image can be cracked by utilizing chosen-plaintext attack without known keys, and its attack complexity is O (18).
In 2019, a color image encryption algorithm based on Hopfield chaotic neural network (CIEA-HCNN) is given in [14]. CIEA-HCNN adopts permutation encryption-diffusion encryption structure; in the permutation encryption phase, firstly, the parameters of Arnold cat map are generated by chaotic sequence and then Arnold cat map is used to scramble the pixel positions of plaintext image. In the diffusion encryption stage, diffusion matrix is generated by utilizing Hopfield chaotic neural network, and then bitwise XOR operation is performed by using diffusion matrix on the scrambled image to obtain the ciphertext image. Some statistical test results are proposed in CIEA-HCNN, and it is claimed that the encryption algorithm has a higher security performance against various attacks. However, CIEA-HCNN has the following inherent defects from the view of cryptanalysis: (1) e chaotic sequences generated by key-streams are independent of plaintext image; for given secret key parameters and the size of the plaintext image, the chaotic sequences remain unchanged regardless of the plaintext image.
(2) e diffusion encryption structure is too simple, there is no ciphertext feedback mechanism, and there exists equivalent diffusion key. According to chosen-plaintext attack, the equivalent diffusion key is broken by choosing one special plaintext image and its corresponding ciphertext image without known keys. (3) e permutation encryption structure is a permutation-only encryption process. After deciphering the diffusion encryption structure, the original encryption algorithm becomes a permutation-only encryption structure; in [28], it is pointed out that permutation-only is insecure and cannot resist chosen-plaintext attack and known-plaintext attack. Moreover, parameters of Arnold cat map generated by chaotic sequence depend solely on the secret keys, and the position (0, 0) is always mapped into itself in Arnold cat map.
According to the above shortcomings, one obtains that CIEA-HCNN is insecure, and it is vulnerable to chosenplaintext attack or known-plaintext attack. An attacker can successfully crack the original encryption algorithm by using the equivalent diffusion key and the equivalent permutation key without knowing the secret keys. e rest of the paper is organized as follows. Section 2 briefly introduces CIEA-HCNN under study. Section 3 analyses the security performance of CIEA-HCNN by using chosen-plaintext attack. Section 4 gives the numerical simulation experiments and the suggestions for improvement. Section 5 concludes the paper.

Chaotic Encryption Algorithm under Study
In this section, Hopfield chaotic neural network and Staged composite chaotic map proposed in [14] are first given, and then CIEA-HCNN is introduced in detail.

Hopfield Chaotic Neural Network.
In 1982, American physicist Hopfield first proposed Hopfield chaotic neural network given in [31]. It is a fully connected neural network, mainly used providing model of simulation human memory. Simultaneously, Hopfield chaotic neural network is also a feedback neural network, and the output signal of each neuron in the network is usually fed back to itself by using other neurons. e iterative equation of Hopfield chaotic neural network is given by w � 2 −1 0 1.7 1.71 1.1 −2.5 −2.9 0.56

Description of CIEA-HCNN.
In [14], CIEA-HCNN consists of secret keys selection, chaotic sequences generation, permutation encryption, and diffusion encryption, as shown in Figure 1, where secret key parameters, X, Y, Z, Ware chaotic sequences generated by Staged composite chaotic map, α and β are parameters of Arnold cat map, T is a permutation matrix, H 1 , H 2 , H 3 are sequences generated by Hopfield chaotic neural network, D is a diffusion matrix, P is a color plaintext image, S is a temporary permutation encryption image of P, S ′ is a permutation encryption image of P, C ′ is a diffusion encryption image of S ′ , and C is a ciphertext image corresponding to the plaintext image P; the detailed encryption principles of CIEA-HCNN are presented as follows: (1) Choose secret key parameters. CIEA-HCNN includes eight secret key parameters (2) Generate chaotic sequences X, Y, Z, W. From equation (4), iterate Staged composite chaotic map m 0 times; one gets the chaotic sequence Actually, only four state variables x m 0 , y m r , z m g , w m b are used in the following encryption process. { } [14], and hereinafter referred to as the plaintext image. e ciphertext image of P is represented by Besides, the plaintext image P has Red, Green, and Blue channels; for the sake of convenience of expression, one simplifies the three channels to R, G, and B channels. e steps for CIEA-HCNN are shown as follows: Step 1: Permutation Encryption. First, F transform x m 0 of the chaotic sequence X; one obtains control parameters α andβ of Arnold cat map, given by where N is the width of the plaintext image P, mod represents a modular operation, and floor rounds a real number to the nearest integer. In Figure 1, scramble R, G, B channels of P by utilizing Arnold cat map, respectively, and get the corresponding temporary permutation encryption image denoted by S � S(i, j, k) M,N,3 i�1,j�1,k�1 ; the iterative equation of Arnold cat map is defined as where (x n , y n ) and (x n+1 , y n+1 ) represent the before and after coordinate of permutation encryption through using Arnold cat map; moreover, the default number of Arnold cat map iterations is set as 1 [14]. According to Figure 1 and equation (6), one gets Finally, scan R, G, B three channels of S in a raster order from left to right and up to down; one obtains the with the size of 3 × MN, given by Step 2: Diffusion Encryption. First, set the chaotic sequences y m r , z m g , and w m b as the initial values of Hopfield chaotic neural network, substitute them into equations (1)-(2), iterate MN times, and get three sequences defined by Complexity where round denotes a round-off function and abs is an absolute value function. In Figure 1, perform bitwise XOR operation on the permutation encryption image S ′ by utilizing diffusion matrix D, and then get the temporary ciphertext image C where notation ⊕ denotes a bitwise XOR operation. Finally, convert the temporary ciphertext image C ′ into the ciphertext image C. (4) Decrypt image by using chaotic decryption algorithm. Decryption is the inverse process of encryption. First, convert the ciphertext image C into the temporary ciphertext image C ′ , then perform bitwise XOR operation by using C ′ and the diffusion matrix D, and get the permutation encryption image S ′ . Second, transform S ′ into the temporary permutation encryption image S. Finally, implement anti-scramble encryption for S by means of Arnold cat map, and further recover the plaintext image P from the encrypted image C.

Preliminary Analysis of CIEA-HCNN. According to
Kerckhoff's assumptions [32], one gets that the cryptosystem is open and its security depends solely on the secret keys rather than the cryptosystem itself; that is, the attacker knows everything about the cryptosystem except for the secret keys. If the cryptosystem cannot resist various attacks, it is insecure. ere are generally four common attack types for cryptanalysis given in Table 1 from the hardest to the easiest types. In Table 1, ciphertext-only attack is the hardest type, and chosen-ciphertext attack is the easiest type. e adversary reveals secret keys or the equivalent keys to break the cryptosystem by using the four common attack types listed in Table 1. According to Figure 1, one obtains that CIEA-HCNN adopts permutation encryption-diffusion encryption structure. First, the diffusion encryption structure of CIEA-HCNN is too simple, and the diffusion matrix D is independent of plaintext image or ciphertext image. erefore, one gets that CIEA-HCNN has the equivalent diffusion key. According to chosen-plaintext attack, the equivalent diffusion key can be broken by just selecting one pure plaintext image and the corresponding ciphertext image.
After cracking the equivalent diffusion key, CIEA-HCNN is simplified to a permutation-only encryption algorithm. In [28], it is pointed out that permutation-only encryption algorithm is insecure. For given secret key parameters and the size of the plaintext image, the generated chaotic sequences remain unchanged which are unrelated to the plaintext image and the corresponding ciphertext image; therefore, the values of α and β in Arnold cat map are fixed, and further the permutation matrix T also remains unchanged. Indeed, the permutation matrix T is the equivalent permutation key of CIEA-HCNN. An attacker can break the permutation-only encryption algorithm by using the permutation matrix T. In addition, the position (0, 0) is always mapped into itself in Arnold cat map.
According to the above analysis, one gets that the security performance of CIEA-HCNN depends only on the diffusion matrix D and the permutation matrix T; indeed, it means that the equivalent diffusion key and the equivalent permutation key exist in CIEA-HCNN. e adversary can reveal the equivalent keys by using chosen-plaintext attack and further successfully break the original encryption algorithm.
erefore, the problem of cracking secret key parameters x 1 ′ , x 2 ′ , μ 1 , μ 2 , m 0 , m r , m g , m b in the original encryption algorithm can be solved by chosen-plaintext attack  Figure 2. In Figure 2, ET denotes the equivalent permutation key, and ED represents the equivalent diffusion key.

Cracking CIEA-HCNN by Using Chosen-Plaintext
Attack. e basic method of cracking the permutation encryption and the diffusion encryption structure shown in Figure 2 is that, according to chosen-plaintext attack, one adopts divide-and-conquer strategy to separate the permutation encryption from the diffusion encryption through choosing the plaintext that would be useful for breaking, on this basis, and further deciphering the equivalent permutation key ET and the equivalent diffusion key ED, respectively. e detailed procedures of cracking the equivalent permutation key ET and the equivalent diffusion key ED are presented as follows.

Deciphering the Equivalent Diffusion Key ED.
According to chosen-plaintext attack, choose a full zero image denoted by P 1 � P 1 (i, j, k) M,N,3 i�1,j�1,k�1 , and get the corresponding ciphertext image defined as i�1,j�1,k�1 . Next, using the obtained P 1 and C 1 as known conditions, one further gets the corresponding equivalent diffusion key ED. e specific approaches for cracking the equivalent diffusion key ED are given as follows.
Step 1. Choose a full zero plaintext image as P 1 , according to chosen-plaintext attack, and get its corresponding ciphertext image as C 1 . From Figure 1, one obtains the temporary ciphertext image Step 2. According to equation (11) and Figure 2, one has Since all pixels of P 1 are zero, after performing the permutation encryption operation for P 1 , Step

Deciphering the Equivalent Permutation Key ET.
After breaking the equivalent diffusion key ED, the original permutation encryption-diffusion encryption structure is simplified to permutation-only encryption structure. Besides, since the original image chaotic encryption algorithm adopts the same permutation matrix to the three channels of the plaintext image, the work of deciphering the equivalent permutation key ET sets the R channel of the plaintext image as an example as follows. First, choose a plaintext image defined as i�1,j�1,k�1 , and suppose the pixels of coordinates (i 1 , j 1 ) and (i 2 , j 2 ) in R channel are P 2 (i 1 , j 1 , 1) � ζ ≠ 0 and P 2 (i 2 , j 2 , 1) � λ ≠ 0, respectively. Moreover, (i 1 , j 1 ) ≠ (1, 1), (i 2 , j 2 ) ≠ (1, 1) and ζ ≠ λ, others are full zero, and let all pixels of G channel and B channel be full zero. One obtains the corresponding ciphertext image described by en using the obtained P 2 and C 2 as known conditions, one further gets the corresponding equivalent permutation key ET. Note that the equivalent permutation key ET is not affected by the number of Arnold cat map iterations. e specific steps for cracking the equivalent permutation key ET are presented as follows.
Step 1. According to chosen-plaintext attack, choose one plaintext image as P 2 , and get its ciphertext image defined as C 2 . en, the temporary ciphertext image as k�1,l�1 is obtained by using the ciphertext image C 2 .

Recover the Plaintext Image by Using the Equivalent Diffusion Key ED and the Equivalent Permutation Key ET.
First, convert the ciphertext image C into the temporary ciphertext image C ′ . According to equation (11) and the equivalent diffusion key ED, the permutation encryption image denoted by S ′ can be obtained from the temporary ciphertext image C ′ . Second, convert the permutation encryption image S ′ into the temporary permutation encryption image denoted by S. Finally, recover the plaintext image defined by P from the ciphertext image C by utilizing the equivalent permutation key ET.
According to the above security analysis, the process of cracking CIEA-HCNN by adopting chosen-plaintext attack is described in Algorithm 1.

The Numerical Simulation Experiments for
Breaking CIEA-HCNN Second, according to Section 3.2.1, construct a color image of size 512 × 512 defined by P 2 , let the pixels of the coordinates (2, 2) and (2, 3) be 1 and 2 in the R channel of the plaintext image P 2 , other pixels are set as 0, and all pixels of the G and B channels are defined as 0, as shown in Figure 4(a). According to chosen-plaintext attack, one can get the corresponding ciphertext image of P 2 denoted by C 2 , as shown in Figure 4(b). Recover the permutation encryption image represented by S 2 ′ from the ciphertext image C 2 by using the equivalent diffusion key ED, and then convert the permutation encryption image into the temporary permutation encryption image S 2 , as shown in Figure 4(c). Based on equation (15), and comparing P 2 with S 2 , one gets P 2 (2, 2, 1) � S 2 m 1 , n 1 , 1 � 1, According to equations (16) Finally, according to Section 3.2.3, the plaintext images of Lena, Baboon, and Pepper with the size of 512 × 512 are recovered by using the equivalent diffusion key ED and the equivalent permutation key ET; moreover, in order to verify that the recovered plaintext image is equal to the original plaintext image, performing the bitwise XOR operation on them, one gets a full zero image. e breaking results on CIEA-HCNN with RGB color Lena, Baboon, and Pepper are shown in Figure 5.

Attack Complexity Analysis.
e attack complexity consists of time complexity and data complexity. On the aspect of time complexity, according to chosen-plaintext attack, the cracking time of CIEA-HCNN is 11.164 seconds for the color image with the size of 512 × 512, and the encryption time is 5.813 seconds. Moreover, on the aspect of data complexity, given the same size of color image, the data complexity of breaking CIEA-HCNN is O (1). erefore, the experimental results verify that the attack method is both effective and efficient, meanwhile having lower attack complexity.

Suggestions for Improvement.
According to the security defects of CIEA-HCNN, the suggestions for improvement are given as follows: (1) In the permutation encryption structure, one can construct the combination of parameters of Arnold cat map and the characters of plaintext image such as all pixels sum and average and hash value of the plaintext information. One adopts multiple-round permutation encryption based on the encryption efficiency. Simultaneously, one suggests that using different permutation matrix performs the scrambling operation on the three R, G, B channels of the color image, respectively. Moreover, after the permutation encryption, exchange the pixel of coordinate (0, 0) to the other random pixel to improve the security of the original permutation encryption. (2) In the diffusion encryption structure, one could add some nonlinear diffusion encryption structure and ciphertext feedback mechanism to enhance the combination of plaintext, keys, and ciphertext and further promote the security of the original encryption algorithm. (3) One suggests that multiple-round encryption algorithm is proposed to improve the security based on the higher efficiency.

Conclusions
In this paper, the security analysis of a color image encryption algorithm based on Hopfield chaotic neural network called CIEA-HCNN is given. CIEA-HCNN adopts permutation encryption-diffusion encryption structure; from the view of cryptanalysis, it has the equivalent keys due to the inherent defects. erefore, one can obtain the equivalent permutation key and the equivalent diffusion key by utilizing the chosen-plaintext attack and further crack CIEA-HCNN. eoretical analysis and numerical simulation experiment results verify the effectiveness of the deciphering method; as for the color image of size M × N, the data complexity is O (1). Finally, some suggestions are proposed to improve the security of chaotic encryption algorithm. e reported results may help the designers of chaotic cryptography realize the importance of the essential structure of a color image encryption algorithm based on Hopfield chaotic neural network.

Data Availability
e data and code used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.